WatchGuard Fireware v8.0 Configuration Guide


WatchGuard® System Manager
Fireware Configuration Guide
WatchGuard Fireware Pro v8.0
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples
herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any
form or by any means, electronic or mechanical, for any purpose, without the express written permission of
WatchGuard Technologies, Inc.
Copyright, Trademark, and Patent Information
Copyright © 1998-2005 WatchGuard Technologies, Inc. All rights reserved.
Complete copyright, trademark, patent, and licensing
information can be found in the WatchGuard System
Manager User Guide. A copy of this book is automatically
installed into a subfolder of the installation directory
called Documentation. You can also find it online at:
http://www.watchguard.com/help/documentation/
All trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Guide Version: 8.0-050411
ADDRESS:
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
SUPPORT:
www.watchguard.com/support
[email protected]
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
SALES:
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.521.8340
ABOUT WATCHGUARD
WatchGuard is a leading provider of network security solutions for small- to mid-sized enterprises worldwide, delivering integrated products and services that are
robust as well as easy to buy, deploy and manage. The company’s Firebox X family of
expandable integrated security appliances is designed to be fully upgradeable as an
organization grows and to deliver the industry’s best combination of security,
performance, intuitive interface and value. WatchGuard Intelligent Layered Security
architecture protects against emerging threats effectively and efficiently and provides
the flexibility to integrate additional security functionality and services offered
through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity
Service subscription to help customers stay on top of the security landscape with
vulnerability alerts, software updates, expert security instruction and superior
customer care. For more information, please call (206) 521-8340 or visit
www.watchguard.com.
WatchGuard System Manager
Contents
PART I Introduction to Fireware Pro
CHAPTER 1 Introduction ...........................................................................3
Fireware Features and Tools ..................................................................3
Fireware User Interface ........................................................................4
Policy Manager window ........................................................................5
Firebox System Manager window ...........................................................6
CHAPTER 2 Monitoring Firebox Status .....................................................9
Starting Firebox System Manager ..........................................................9
Connecting to a Firebox .......................................................................9
Opening Firebox System Manager ........................................................10
Firebox System Manager Menus and Toolbar ........................................10
Setting refresh interval and pausing the display ......................................12
Seeing Basic Firebox and Network Status ............................................12
Using the Security Traffic Display .........................................................13
Monitoring status information .............................................................13
Setting the center interface ................................................................13
Monitoring traffic, load, and status .......................................................14
Firebox and VPN tunnel status .............................................................14
Monitoring Firebox Traffic ....................................................................16
Setting the maximum number of log messages .......................................16
Using color for your log messages ........................................................17
Copying log messages .......................................................................17
Learning more about a traffic log message .............................................17
Clearing the ARP Cache ......................................................................18
Using the Performance Console ..........................................................18
Types of counters .............................................................................18
Defining counters .............................................................................19
Viewing the performance graph ...........................................................21
Viewing Bandwidth Usage ...................................................................21
Viewing Number of Connections by Policy .............................................22
Viewing Information About Firebox Status ............................................24
Status Report ..................................................................................24
Authentication List ............................................................................25
Blocked Sites ...................................................................................26
Security Services ..............................................................................27
Using HostWatch ...............................................................................28
The HostWatch window ......................................................................28
Controlling the HostWatch window .......................................................29
Changing HostWatch view properties ....................................................30
Adding a blocked site from HostWatch ..................................................30
Pausing the HostWatch Display ............................................................30
CHAPTER 3 Setting Up Your Firebox .......................................................31
Working with Licenses ........................................................................31
Adding licenses ................................................................................32
Deleting a license .............................................................................32
Seeing the active features ..................................................................33
Seeing the properties of a license ........................................................34
Downloading a license key ..................................................................34
Working with Aliases ..........................................................................34
Creating an alias ..............................................................................35
Using Logging ....................................................................................35
Categories of log messages ................................................................36
Designating log servers for a Firebox ....................................................36
Adding a log server ...........................................................................37
Setting log server priority ...................................................................37
Activating Syslog logging ....................................................................38
Enabling advanced diagnostics ............................................................38
Using Global Settings .........................................................................39
VPN ...............................................................................................40
ICMP error handling ..........................................................................40
TCP SYN checking .............................................................................41
TCP maximum segment size adjustment ...............................................41
Setting NTP Servers ...........................................................................42
Working with SNMP ............................................................................42
Using MIBs ......................................................................................43
PART II Protecting Your Network
CHAPTER 5 Basic Firebox Configuration .................................................47
Opening a Configuration File ...............................................................47
Opening a working configuration file .....................................................47
Opening a local configuration file .........................................................48
Making a new configuration file ...........................................................49
Saving a Configuration File .................................................................49
Saving a configuration to the Firebox ....................................................49
Saving a configuration to a local hard drive ............................................50
Changing the Firebox passphrases ......................................................50
Setting the Time Zone ........................................................................51
Setting a Firebox Friendly Name ..........................................................51
Creating Schedules ............................................................................52
CHAPTER 6 Network Setup and Configuration ........................................55
Making a New Configuration File .........................................................55
Configuring the external interface ........................................................58
Adding Secondary Networks ................................................................60
Adding WINS and DNS Server Addresses .............................................61
Configuring Routes .............................................................................62
Adding a network route ......................................................................62
Adding a host route ...........................................................................63
Setting Firebox Interface Speed and Duplex .........................................63
CHAPTER 7 Configuring Policies .............................................................65
Creating Policies for your Network .......................................................65
Adding Policies ..................................................................................66
Changing the Policy Manager View .......................................................66
Adding a policy ................................................................................67
Making a custom policy template .........................................................68
Adding more than one policy of the same type ........................................69
Deleting a policy ...............................................................................69
Configuring Policy Properties ...............................................................70
Setting access rules, sources, and destinations .......................................70
Setting logging properties ...................................................................71
Configuring static NAT .......................................................................73
Setting advanced properties ................................................................74
Setting Policy Precedence ...................................................................75
Using automatic order .......................................................................75
Setting precedence manually ..............................................................77
CHAPTER 8 Configuring Proxied Policies ................................................79
Defining Rules ...................................................................................79
Adding rulesets ................................................................................80
Using advanced rules view ..................................................................81
Customizing Logging and Notification for proxy rules .............................82
Configuring log messages and notification for a proxy policy ......................82
Configuring log messages and alarms for a proxy rule ..............................82
Using dialog boxes for alarms, log messages, and notification ....................82
Configuring the SMTP Proxy ................................................................83
Configuring general settings ................................................................84
Configuring ESMTP parameters ............................................................85
Configuring authentication rules ..........................................................86
Defining content type rules .................................................................87
Defining file name rules .....................................................................87
Configuring the Mail From and Mail To rules ...........................................87
Defining header rules ........................................................................87
Defining antivirus responses ...............................................................87
Changing the deny message ...............................................................88
Configuring the IPS (Intrusion Prevention System) ....................................88
Configuring proxy and antivirus alarms for SMTP .....................................89
Configuring the FTP Proxy ...................................................................89
Configuring general settings ................................................................90
Defining commands rules for FTP .........................................................90
Setting download rules for FTP ............................................................90
Setting upload rules for FTP ................................................................91
Enabling intrusion prevention for FTP ....................................................91
Configuring proxy alarms for FTP .........................................................91
Configuring the HTTP Proxy .................................................................91
Configuring settings for HTTP requests .................................................92
Configuring general settings for HTTP responses ......................................94
Setting header fields for HTTP responses ...............................................94
Setting content types for HTTP responses ..............................................94
Setting cookies for HTTP responses ......................................................94
Setting HTTP body content types ..........................................................95
Changing the deny message ...............................................................95
Configuring intrusion prevention for HTTP ...............................................96
Defining proxy alarms for HTTP ............................................................96
Configuring the DNS Proxy ..................................................................96
Configuring general settings for the DNS proxy ........................................97
Configuring DNS OPcodes ...................................................................97
Configuring DNS query types ...............................................................98
Configuring DNS query names .............................................................99
Enabling intrusion prevention for the DNS proxy ......................................99
Configuring DNS proxy alarms .............................................................99
Configuring the TCP Proxy ...................................................................99
Configuring general settings for the TCP proxy ........................................99
Enabling intrusion prevention for the TCP proxy .....................................100
CHAPTER 9 Working with Firewall NAT ..................................................101
Using Dynamic NAT ..........................................................................102
Adding global dynamic NAT entries .....................................................102
Reordering dynamic NAT entries ........................................................103
Policy-based dynamic NAT entries ......................................................103
Using 1-to-1 NAT ..............................................................................103
Configuring Global 1-to-1 NAT ............................................................104
Configuring policy-based 1-to-1 NAT ....................................................105
Configuring static NAT for a policy ......................................................105
CHAPTER 10 Implementing Authentication ...........................................107
How User Authentication Works ........................................................107
Using authentication from the external network ....................................107
Using authentication through a gateway Firebox to another Firebox ...........108
Authentication server types ..............................................................108
Using a backup authentication server .................................................108
Configuring the Firebox as an Authentication Server ...........................108
Setting up the Firebox as an authentication server .................................109
Configuring RADIUS Server Authentication .........................................110
Configuring SecurID Authentication ....................................................112
Configuring LDAP Authentication .......................................................113
Configuring Active Directory Authentication .......................................115
Configuring a Policy with User Authentication .....................................116
CHAPTER 11 Firewall Intrusion Detection and Prevention ....................119
Using Default Packet Handling Options ..............................................119
Spoofing attacks ............................................................................120
IP source route attacks ....................................................................120
“Ping of death” attacks ....................................................................120
Port space and address space attacks ................................................120
Flood attacks .................................................................................121
Unhandled Packets .........................................................................121
Distributed denial of service attacks ...................................................121
Setting Blocked Sites .......................................................................121
Blocking a site permanently ..............................................................122
Using an external list of blocked sites .................................................122
Creating exceptions to the Blocked Sites list .........................................122
Setting logging and notification parameters .........................................123
Blocking sites temporarily with policy settings ......................................124
Blocking Ports .................................................................................124
Blocking a port permanently .............................................................125
Automatically blocking IP addresses that try to use blocked ports .............125
Setting logging and notification for blocked ports ..................................126
CHAPTER 12 Using Signature-Based Security Services ........................127
Installing the Software Licenses ........................................................127
Configuring Gateway AntiVirus for E-mail ............................................128
Configuring Gateway AntiVirus for E-mail in the SMTP Proxy .................129
Adding an SMTP Proxy with AntiVirus ..................................................130
Using Gateway AntiVirus for E-mail with more than one proxy ...................131
Getting Gateway AntiVirus for E-mail Status and Updates ....................131
Seeing service status ......................................................................131
Updating signatures manually ...........................................................132
Updating the antivirus software .........................................................132
Monitoring Gateway AntiVirus for E-mail .............................................133
Configuring Gateway AntiVirus for E-mail to record log messages ..............133
Configuring the Signature-Based Intrusion Prevention Service ..............134
Configuring Intrusion Prevention Service in a Proxy .............................134
Adding a proxy with Intrusion Prevention Service ...................................134
Using advanced HTTP proxy features ...................................................136
Getting Intrusion Prevention Service Status and Updates ....................137
Seeing service status ......................................................................137
Updating signatures manually ...........................................................138
PART III Using Virtual Private Networks
CHAPTER 14 Introduction to VPNs .......................................................141
Tunneling Protocols ..........................................................................142
IPSec ...........................................................................................142
PPTP ...........................................................................................142
Encryption ....................................................................................142
Selecting an encryption and data integrity method ................................143
Authentication ...............................................................................143
Extended authentication ...................................................................143
Selecting an authentication method ....................................................143
IP Addressing ..................................................................................143
Internet Key Exchange (IKE) ..............................................................144
NAT and VPNs ..................................................................................144
Access Control ................................................................................144
Network Topology .............................................................................145
Meshed networks ...........................................................................145
Hub-and-spoke networks ...................................................................146
Tunneling Methods ...........................................................................147
WatchGuard VPN Solutions ...............................................................147
RUVPN with PPTP ...........................................................................148
Mobile User VPN .............................................................................148
Branch Office Virtual Private Network (BOVPN) .....................................148
VPN Scenarios .................................................................................149
Large company with branch offices: System Manager .............................150
Small company with telecommuters: MUVPN ........................................150
Company with remote employees: MUVPN with extended authentication ....151
CHAPTER 15 Configuring BOVPN with Manual IPSec ............................153
Before You Start ..............................................................................153
Configuring a Gateway ......................................................................153
Adding a gateway ...........................................................................153
Editing and deleting a gateway ..........................................................156
Making a Manual Tunnel ...................................................................156
Editing and deleting a tunnel .............................................................159
Making a Tunnel Policy .....................................................................160
CHAPTER 10 Configuring IPSec Tunnels ...............................................161
Management Server .........................................................................161
WatchGuard Management Server Passphrases ..................................162
Setting Up the Management Server ...................................................163
Adding Devices ................................................................................164
Updating a device’s settings ..............................................................165
Configuring a Firebox as a Managed Firebox Client (Dynamic Devices only) 165
Adding Policy Templates ...................................................................166
Get the current templates from a device ..............................................166
Make a new policy template .............................................................166
Adding resources to a policy template .................................................167
Adding Security Templates ................................................................167
Making Tunnels Between Devices ......................................................167
Drag-and-drop tunnel procedure .........................................................168
Using the Add VPN Wizard without drag-and-drop ..................................168
Editing a Tunnel ...............................................................................168
Removing Tunnels and Devices .........................................................169
Removing a tunnel ..........................................................................169
Removing a device ..........................................................................169
CHAPTER 11 Configuring RUVPN with PPTP ..........................................171
Configuration Checklist .....................................................................171
Encryption levels ............................................................................171
Configuring WINS and DNS Servers ...................................................172
Adding New Users to Authentication Groups ......................................173
Configuring Services to Allow Incoming RUVPN Traffic .........................174
By individual policy .........................................................................174
Using the Any policies ......................................................................174
Enabling RUVPN with PPTP ................................................................175
Enabling extended authentication ......................................................175
Adding IP Addresses for RUVPN Sessions ..........................................175
Preparing the Client Computers .........................................................176
Installing MSDUN and Service Packs ...................................................176
Creating and Connecting a PPTP RUVPN on Windows XP .....................177
Creating and Connecting a PPTP RUVPN on Windows 2000 .................177
Running RUVPN and accessing the Internet ..........................................178
Making outbound PPTP connections from behind a Firebox .....................178
PART IV Increasing the Protection
CHAPTER 13 Advanced Networking ......................................................181
About Multiple WAN Support .............................................................181
Configuring multiple WAN support ......................................................182
Creating QoS Actions .......................................................................183
Using QoS in a multiple WAN environment ...........................................185
Dynamic Routing ..............................................................................185
Using RIP ........................................................................................185
RIP Version 1 .................................................................................186
RIP Version 2 .................................................................................188
Using OSPF .....................................................................................190
OSPF Daemon Configuration .............................................................190
Configuring Fireware to use OSPF .......................................................193
Using BGP .......................................................................................194
CHAPTER 14 Controlling Web Site Access ...........................................201
Getting Started with WebBlocker .......................................................201
Adding a WebBlocker Action to a Policy ..............................................202
Configuring a WebBlocker action .......................................................202
Scheduling a WebBlocker Action ........................................................207
CHAPTER 15 High Availability ...............................................................209
High Availability Requirements ..........................................................209
Installing High Availability .................................................................210
Configuring High Availability ..............................................................210
Manually Controlling HA ....................................................................211
Backing up an HA configuration .........................................................212
Upgrading Software in an HA Configuration ........................................212
Using HA with Signature-based Security Services ...............................212
Packet Filter Policies ........................................................................213
Any ..............................................................................................213
AOL .............................................................................................213
archie ..........................................................................................214
auth .............................................................................................214
Citrix ICA ......................................................................................214
Clarent-gateway ..............................................................................214
Clarent-command ...........................................................................215
CU-SeeMe .....................................................................................215
DHCP-Server/Client .........................................................................215
DNS .............................................................................................216
Entrust .........................................................................................216
finger ...........................................................................................216
FTP ..............................................................................................216
Gopher .........................................................................................216
GRE .............................................................................................217
HTTP ............................................................................................217
HTTPS ..........................................................................................217
HBCI ............................................................................................217
IDENT ...........................................................................................217
IGMP ...........................................................................................218
IKE ..............................................................................................218
IMAP ............................................................................................218
IPSec ...........................................................................................218
IRC ..............................................................................................218
Intel Video Phone ...........................................................................219
Kerberos v 4 and Kerberos v 5 ..........................................................219
LDAP ...........................................................................................219
LDAP-SSL ......................................................................................219
Lotus Notes ...................................................................................220
MSSQL-Monitor ..............................................................................220
MSSQL-Server ................................................................................220
MS Win Media ...............................................................................220
NetMeeting ...................................................................................220
NFS .............................................................................................220
NNTP ...........................................................................................221
NTP .............................................................................................221
OSPF ...........................................................................................221
pcAnywhere ...................................................................................221
ping .............................................................................................221
POP2 and POP3 .............................................................................222
PPTP ............................................................................................222
RADIUS and RADIUS-RFC ..................................................................222
RADIUS-Accounting and RADIUS-ACCT-RFC ...........................................222
RDP .............................................................................................223
RIP ..............................................................................................223
RSH .............................................................................................223
RealPlayer G2 ................................................................................223
Rlogin ..........................................................................................223
SecurID ........................................................................................224
SMB (Windows Networking) ..............................................................224
SMTP ...........................................................................................224
SNMP ..........................................................................................224
SNMP-Trap ....................................................................................224
SQL*Net .......................................................................................225
SQL-Server ....................................................................................225
ssh ..............................................................................................225
Sun RPC .......................................................................................225
syslog ..........................................................................................225
TACACS ........................................................................................226
TACACS+ .......................................................................................226
TCP .............................................................................................226
TCP-UDP .......................................................................................226
UDP .............................................................................................226
telnet ...........................................................................................227
Timbuktu ......................................................................................227
Time ............................................................................................227
traceroute .....................................................................................227
UUCP ...........................................................................................227
WAIS ...........................................................................................228
WinFrame .....................................................................................228
WG-Auth .......................................................................................228
WG-Firebox-Mgmt ...........................................................................228
WG-Logging ...................................................................................229
WG-Mgmt-Server ............................................................................229
WG-SmallOffice-Mgmt ......................................................................229
WG-WebBlocker .............................................................................229
whois ...........................................................................................229
X11 .............................................................................................229
Yahoo Messenger ............................................................................230
Proxied Policies ...............................................................................230
DNS .............................................................................................230
FTP ..............................................................................................230
HTTP ............................................................................................230
SMTP ...........................................................................................231
TCP Proxy .....................................................................................231
PART I
Introduction to Fireware Pro
CHAPTER 1 Introduction
WatchGuard® Fireware™ Pro is the next generation of security appliance software available from WatchGuard. Appliance software is a software application that is kept in the memory of your firewall hardware.
The Firebox uses the appliance software with a configuration file to operate.
Your organization’s security policy is a set of rules that define how you protect your computer network
and the information that passes through it. Fireware Pro appliance software has advanced features to
manage security policies for the most complex networks.
Fireware Features and Tools
WatchGuard® Fireware™ Pro includes many features to improve your network security.
Policy Manager for Fireware
Policy Manager gives you one user interface for basic firewall configuration tasks. Policy Manager
includes a full set of preconfigured packet filters and proxies. For example, to apply a packet filter for all
Telnet traffic, you add a Telnet packet filter. You can also make a custom packet filter for which you set
the ports, protocols, and other parameters. Careful configuration of IPS options can stop attacks such as
SYN Flood attacks, spoofing attacks, and port or address space probes.
Firebox System Manager
Firebox® System Manager gives you one interface to monitor all components of your Firebox. From Firebox System Manager, you can monitor the current condition of the Firebox or connect directly to get an
update on its configuration.
Network Address Translation
Network address translation (NAT) is a term used for one or more methods of IP address and port translation. Network administrators frequently use NAT to increase the number of computers that can operate from one public IP address. It also hides the private IP addresses of computers on your network.
Firebox and third-party authentication servers
With Fireware, there are five methods to do authentication: Firebox, RADIUS, SecurID, LDAP, and Active
Directory.
Signature-based intrusion detection and prevention
When a new intrusion attack is identified, the qualities that make the virus or attack unique are identified
and recorded. These features are known as the signature. WatchGuard® Gateway AntiVirus for E-mail™
and Signature-Based Intrusion Prevention Service use these signatures to find viruses and intrusion
attacks. The Intrusion Prevention Service operates with all WatchGuard proxies. Gateway AntiVirus for E-mail operates with the SMTP Proxy.
VPN creation and management
Fireware technology makes it easier to configure, manage, and monitor many IPSec VPN tunnels to
branch offices and end users.
Advanced networking features
Fireware lets you configure a maximum of four Firebox interfaces as external, or WAN, interfaces. You can
control the flow of traffic through more than one WAN interface to balance the volume of outgoing traffic. The QoS feature in Fireware lets you set priority and bandwidth restrictions on each policy. The Firebox can also use the dynamic route protocols RIP, OSPF, and BGP. These protocols allow network devices
to update route tables dynamically.
Web traffic control
The WebBlocker feature uses the HTTP Proxy to apply a filter to Web traffic. You can set the hours in the
day that users can get access to the Web. You can also set categories of Web sites that users cannot
browse to.
High availability
High Availability supplies stateful failover for firewall and VPN connections. With High Availability, you
can have one Firebox operating in standby mode while the other Firebox continues to operate. The
standby Firebox automatically takes over firewall operations if the primary Firebox is unable to communicate with the Internet.
Fireware User Interface
The primary components of the Fireware user interface are Policy Manager and Firebox System Manager.
Policy Manager window
Policy Manager includes menus you use to manage your Firebox and build your configuration file. The
major menus and their options are as follows.
File menu
• Create a new configuration file
• Open a configuration file
• Save a configuration file to disk or to the Firebox
• Back up a Firebox
• Restore a Firebox
• Update the firmware on the Firebox
• Change passphrases
Edit menu
• Change, add, and delete policies
Setup menu
• Give the Firebox model, name, location, contact, and time zone
• View, add, and download licenses
• Add, edit, or remove aliases
• Set up log hosts
• Use internal and third-party authentication servers
• Create actions: a procedure to follow when a data stream matches an applicable specification
• Configure intrusion detection and prevention settings
• Configure blocked sites and blocked ports settings
• Update signatures and engine settings for signature-based intrusion prevention
• Enable Network Time Protocol and add NTP servers
• Enable SNMP traps and add SNMP management stations
• Configure global settings for the Firebox
Network menu
• Configure Firebox interfaces
• Configure dynamic NAT and 1-to-1 NAT
• View and add routes
• Configure dynamic routing using the RIP, OSPF, and BGP protocols
• Configure High Availability
VPN menu
• View and add gateways
• View and configure tunnels; change authentication, encryption, and advanced IPSec settings
• Add remote users using PPTP or MUVPN
• Enable the Firebox as a managed client
Firebox System Manager window
You use Firebox System Manager to see:
• Status of the Firebox interfaces and the traffic that goes through the interfaces
• Status of VPN tunnels and management certificates
• Real-time graphs of Firebox bandwidth use or of the connections on specified ports
• Status of any other security services you use on your Firebox
View menu
• See the certificates on the Firebox
• See the license on the Firebox
• Open the communication log file
Tools menu
• Open Policy Manager with the configuration of the Firebox
• Open HostWatch and connect to the Firebox
• Monitor the performance aspects of the Firebox
• Synchronize the time of the Firebox with the system time
• Clear the ARP cache of the Firebox
• Clear the alarms on the Firebox
• Configure High Availability options
• Change the status and configuration passphrases
CHAPTER 2 Monitoring Firebox Status
WatchGuard® Firebox® System Manager gives you one interface to monitor all components of your Firebox and the work it does. From the Firebox System Manager window, you can monitor the current condition of the Firebox, or connect to the Firebox directly to update its configuration. You can see:
• Status of the Firebox interfaces and the traffic that is going through the interfaces
• Status of VPN tunnels and management certificates
• Real-time graphs of Firebox bandwidth use or of the connections on specified ports
• Status of any other security services you use on your Firebox
Starting Firebox System Manager
Before you start using Firebox® System Manager, you must add a Firebox to WatchGuard® System Manager.
Connecting to a Firebox
1. From WatchGuard System Manager, click the Connect to Device icon. Or, you can select File > Connect To > Device.
The Connect to Firebox dialog box appears.
2. Use the Firebox drop-down list to select a Firebox.
You can also type the IP address or name of the Firebox.
3. Type the Firebox status (read-only) passphrase.
4. Click OK.
The Firebox appears in the WatchGuard System Manager window.
Opening Firebox System Manager
1. From WatchGuard System Manager, select the Device tab.
2. Select a Firebox to examine with Firebox System Manager.
3. Click the Firebox System Manager icon.
Firebox System Manager appears. Then it connects to the Firebox to get information about the status and configuration.
Firebox System Manager Menus and Toolbar
Firebox® System Manager commands are in the menus at the top of the window. The most common tasks
are also available as buttons on the toolbar. The following tables tell what the menus and toolbar buttons
do.
Firebox System Manager Menus

Menu   Command                       Function
File   Settings                      Changes how Firebox System Manager shows status information in the displays.
File   Disconnect                    Disconnects from the current Firebox.
File   Connect                       Connects to a Firebox.
File   Reset                         Resets Firebox System Manager statistics.
File   Reboot                        Starts the current Firebox again.
File   Shutdown                      Stops the Firebox.
File   Close                         Closes the Firebox System Manager window.
View   Certificates                  Lists the certificates on the Firebox.
View   Licenses                      Lists the current licenses on the Firebox.
View   Communication Log             Opens the communication log.
Tools  Policy Manager                Opens Policy Manager with the configuration of the current Firebox.
Tools  HostWatch                     Opens HostWatch connected to the current Firebox.
Tools  Graphs                        Shows graphs of performance aspects of the Firebox.
Tools  Synchronize Time              Synchronizes the time of the Firebox with the system time.
Tools  Clear ARP Cache               Empties the ARP cache of the current Firebox.
Tools  Clear Alarm                   Empties the alarm list on the current Firebox.
Tools  High Availability             Configures High Availability options.
Tools  Change Passphrases            Changes the status and configuration passphrases.
Help   Firebox System Manager Help   Opens the online help files for this application.
Help   About                         Shows version and copyright information.
Firebox System Manager Toolbar

The toolbar buttons do the following:
• Starts the display again. This icon appears only when you are not connected to a Firebox.
• Stops the display. This icon appears only when you are connected to a Firebox.
• Shows the management and VPN certificates kept on the Firebox.
• Shows the licenses registered and installed for this Firebox.
• Starts Policy Manager. Use Policy Manager to make or change a configuration file.
• Starts HostWatch, which shows connections for this Firebox.
• Opens the Performance Console where you can configure graphs that show Firebox status.
• Opens the Communication Log dialog box to show connections between Firebox System Manager and the Firebox.
Setting refresh interval and pausing the display
All tabs on Firebox System Manager have, at the bottom of the screen, a drop-down list for setting the
refresh interval, and a button to pause the display:
Refresh Interval
The refresh interval is the time between refreshes. You can change the interval of time (in
seconds) that Firebox System Manager gets the Firebox information and sends updates to
the user interface.
You must balance how frequently you get information and the load on the Firebox. Be sure
to check the refresh interval on each tab. When a tab is getting new information for its
display, the text “Refreshing...” appears adjacent to the Refresh Interval drop-down list. A
shorter time interval gives a more accurate display, but makes more load on the Firebox.
From Firebox System Manager, use the Refresh Interval drop-down list to select a new
interval. Select the duration between window refreshes for the bandwidth meter. You can
select 5 seconds, 10 seconds, 30 seconds, 60 seconds, 2 minutes, or 5 minutes. You can also
type a custom value into this box.
Pause/Continue
You can click the Pause button to temporarily stop Firebox System Manager from refreshing
this window. After you click the Pause button, this button changes to a Continue button.
Click Continue to continue refreshing the window.
Seeing Basic Firebox and Network Status
The Front Panel tab of Firebox® System Manager shows basic information about your Firebox, your network, and network traffic.
Using the Security Traffic Display
Firebox System Manager initially has a group of indicator lights to show the direction and volume of the
traffic between the Firebox interfaces. The display can be a triangle (below left) or a star (below center
and right).
Triangle display
If a Firebox has only three interfaces configured, each node of the triangle is one interface. If
a Firebox has more than three interfaces, each node of the triangle represents one type of
interface. For example, if you have six configured interfaces with one external, one trusted,
and four optional interfaces, the “All-Optional” node in the triangle represents all four of the
optional interfaces.
Star display
The star display shows all traffic in and out of the center interface. An arrow moving from
the center interface to a node interface shows that traffic is flowing through the Firebox
coming in through the center interface and going out through the node interface. For
example, if eth1 is at the center and eth2 is at a node, a green arrow shows that traffic
flowed from eth1 to eth2. There are two star displays — one for a Firebox X Core with 6
interfaces and one for Firebox X Peak with 10 interfaces.
To change the display, right-click it and select Triangle Mode or Star Mode.
Monitoring status information
The points of the star and triangle show the traffic that flows through the interfaces. Each point shows
incoming and outgoing connections with different arrows. When traffic flows between the two interfaces,
the arrows come on in the direction of the traffic.
In the star figure, the location where the points come together can show one of two conditions:
• Red (deny)—The Firebox denies a connection on that interface.
• Green (allow)—There is traffic between this interface and a different interface (but not the center)
of the star. When there is traffic between this interface and the center, the point between these
interfaces shows as green arrows.
In the triangle, the network traffic shows in the points of the triangle. The points show only the idle or
deny condition. One exception is when there is a large quantity of VPN tunnel switching traffic. “Tunnel
switching” traffic refers to packets being sent through a VPN to a Firebox configured as the default gateway for the VPN network. In this case, the Firebox System Manager traffic level indicator can show very
high traffic, but you do not see moving green lights as tunnel switching traffic comes in and goes out of
the same interface.
Setting the center interface
If you use the star figure, you can customize which interface appears in its center. Click the interface
name or its point. The interface then moves to the center of the star. All the other interfaces move in a
clockwise direction. Moving an interface to the center of the star allows you to see all traffic between that
interface and all other interfaces. The default display shows the external interface in the center.
Monitoring traffic, load, and status
Below the Security Traffic Display are the traffic volume indicator, processor load indicator, and basic status information (Detail).
The two bar graphs show the traffic volume and the Firebox capacity.
Firebox and VPN tunnel status
The section in Firebox System Manager to the right side of the front panel shows:
• The status of the Firebox
• The branch office VPN tunnels
• The mobile user and PPTP VPN tunnels
Firebox Status
In the Firebox Status section, you see:
• Status of the High Availability feature. When it has a correct configuration and is available, the IP
address of the standby Firebox appears. If High Availability is installed, but there is no network
connection to the secondary Firebox, “Not Responding” appears.
• The IP address of each Firebox interface and the configuration mode of the external interface.
• Status of the CA (root) certificate and the IPSec (client) certificate.
If you expand the entries in the Firebox System Manager main window, you can see:
• IP address and netmask of each configured interface
• The Media Access Control (MAC) address of each interface
• Number of packets sent and received since the last Firebox restart
• End date and time of CA and IPSec certificates
• CA fingerprint. Use this to find man-in-the-middle attacks
• Status of the physical link (a dark icon indicates the connection is down)
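The CA fingerprint shown in the status display is only useful if it is compared with a value recorded out of band, for example when the certificate was first installed. The following is an added example, not Firebox or WatchGuard code, that shows the mechanics of such a check in Python: hashing the certificate's DER bytes, rendering the digest in the colon-separated hex form that management tools commonly display, and comparing it in constant time against the recorded value. The DER bytes are a constructed placeholder, and the choice of SHA-1 as the default (with SHA-256 also accepted) is an assumption; the guide does not state which hash the display uses.

```python
"""Certificate fingerprint check (added example; the DER bytes below are constructed)."""
import hashlib
import hmac
import re

# Constructed stand-in for a CA certificate in DER encoding. Not a real certificate:
# a real one would be the bytes of the CA certificate exported from the Firebox.
SAMPLE_CA_DER = b"\x30\x82\x01\x0a" + b"constructed-sample-ca-certificate-bytes" * 4


def fingerprint(der_bytes: bytes, algorithm: str = "sha1") -> str:
    """Return the digest of the DER bytes as colon-separated uppercase hex pairs.

    The hash algorithm is an assumption about the display format, not taken from the guide.
    """
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop colons, spaces and case so values copied from different displays compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(der_bytes: bytes, expected: str, algorithm: str = "sha1") -> bool:
    """Compare the certificate's fingerprint with the value recorded out of band.

    A value of the wrong length for the algorithm can never match. hmac.compare_digest
    is used so the comparison time does not depend on how many leading characters agree.
    """
    actual = normalize(fingerprint(der_bytes, algorithm))
    wanted = normalize(expected)
    if len(wanted) != hashlib.new(algorithm).digest_size * 2:
        return False
    return hmac.compare_digest(actual, wanted)


if __name__ == "__main__":
    # The value an administrator would have written down at installation time.
    recorded = fingerprint(SAMPLE_CA_DER)
    print("recorded CA fingerprint:", recorded)
    print("current certificate matches:", fingerprint_matches(SAMPLE_CA_DER, recorded))
    # A substituted certificate, as in a man-in-the-middle attempt, yields a different digest.
    substituted = SAMPLE_CA_DER + b"\x00"
    print("substituted certificate matches:", fingerprint_matches(substituted, recorded))
```

The normalization step matters in practice: one tool shows `AB:CD:...`, another `ab cd ...`, and a visual comparison of forty hex characters is exactly where an administrator is likely to skip a pair. Recording the fingerprint in a place the Firebox cannot alter is what gives the check its value.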
Branch Office VPN Tunnels
Below the Firebox Status section is a section on BOVPN tunnels. There are two types of IPSec BOVPN
tunnels: tunnels created manually and tunnels created with the Management Server. The figure below
shows an expanded entry for a BOVPN tunnel.
The information that shows, from the top to the bottom, is:
• The tunnel name, the IP address of the destination IPSec device (a different Firebox, Firebox X
Edge, SOHO), and the tunnel type. If the tunnel was created by the Management Server, the IP
address refers to the full remote network address.
• The volume of data sent and received on the tunnel in bytes and packets.
• The time before the key expires and when the tunnel must be set up again. This appears as a time
limit or as the volume of bytes. If you configure a VPN tunnel to expire using time and volume
limits, the two expiration values appear.
• Authentication and encryption settings set for the tunnel.
• Routing policies for the tunnel.
Mobile User VPN Tunnels
After the branch office VPN tunnels are entries for Mobile User VPN tunnels. The entry shows the same
information as for Branch Office VPN. This includes the tunnel name, destination IP address, tunnel type,
packet information, key expiration date, authentication, and encryption data.
PPTP User VPN Tunnels
For PPTP User VPN tunnels, Firebox System Manager shows only the quantity of sent and received packets. The volume of bytes and total volume of bytes are not applicable to PPTP tunnels.
Expanding and closing tree views
To expand a part of the display, click the plus sign (+) adjacent to the entry, or double-click the name of
the entry. To close a part, click the minus sign (–) adjacent to the entry. When no plus or minus sign
shows, no more information is available.
Monitoring Firebox Traffic
To see Firebox® log messages, click the Traffic Monitor tab.
Setting the maximum number of log messages
You can change the maximum number of log messages that you can keep and see on Traffic Monitor.
When you get to the maximum number, the new log messages replace the first entries. A high value in
this field puts a large load on your management system if you have a slow processor or a small quantity
of RAM. If it is necessary to examine a large volume of log messages, we recommend that you use Log
Viewer.
1. From Firebox System Manager, select File > Settings.
The Settings dialog box appears.
2. Use the Maximum Log Messages drop-down list to change the number of log messages that appear in Traffic Monitor. Click OK.
The value you type gives the number of log messages in thousands.
Using color for your log messages
In Traffic Monitor, you can make log messages appear in different colors that refer to the types of information they show.
1. From Firebox System Manager, select File > Settings. Click the Traffic Monitor tab.
2. To enable the display of colors, select the Show Logs in Color check box.
3. On the Alarm, Traffic Allowed, Traffic Denied, Event, or Debug tab, click the field to appear in a color.
The Text Color field on the right side of the tabs shows the color in use for the field.
4. To change the color, click the color control adjacent to Text Color. Select a color. Click OK to close the color control dialog box. Click OK again to close the Settings dialog box.
The information in this field appears in the new color on Traffic Monitor. A sample of how Traffic Monitor will look appears at the bottom of the dialog box.
5. You can also select a background color for the traffic monitor. Click the color control arrow adjacent to Background Color. Select a color. Click OK to close the color control dialog box. Click OK again to close the Settings dialog box.
You can cancel the changes you make in this dialog box. Click Restore Defaults.
Copying log messages
To make a copy of a log message and paste it in a different tool, right-click the message and select Copy
Selection. If you select Copy All, Firebox System Manager copies all the log messages. Open the other
tool and paste the message or messages.
To copy more than one, but not all messages, bring up the file using Log Viewer and use the Log Viewer
copy function, as described in the WatchGuard® System Manager User Guide.
Learning more about a traffic log message
To learn more about a traffic log message, you can:
Copy the IP address of the source or destination
Make a copy of the source or destination IP address of a traffic log message, and paste it
into a different software application. To copy the source IP address, right-click the message,
and select Source IP Address > Copy Source IP Address. To copy the destination IP address,
right-click the message, and select Destination IP Address > Copy Destination IP Address.
Ping the source or destination
To ping the source or destination IP address of a traffic log message, do this: Right-click the
message, and select Source IP Address > Ping or Destination IP Address > Ping. A pop-up
window shows the results.
Trace the route to the source or destination
To use a traceroute command to the source or destination IP address of a traffic log
message, do this: Right-click the message, and select Source IP Address > Trace Route or
Destination IP Address > Trace Route. A pop-up window shows you the results of the
traceroute.
Temporarily block the IP address of the source or destination
To temporarily block all traffic from a source or destination IP address of a traffic log
message, do this: Right-click the message, select Source IP Address > Block: [IP address] or
Destination IP Address > Block: [IP address]. The length of the time an IP address is
temporarily blocked by this command is set in Policy Manager. To use this command you
must give the configuration password.
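The temporary block described above has a specific shape: the address is denied in both directions, the entry lapses after a duration configured centrally, and blocking an address again refreshes its deadline. The following is an added example, not Firebox or WatchGuard code, that models that behaviour in Python so the semantics can be tested; the class name, the explicit clock argument and the sample addresses (from the 203.0.113.0/24 documentation range) are all constructed for illustration.

```python
"""Temporary block list with expiry (added example; not the Firebox implementation)."""
import ipaddress
from typing import Dict


class TemporaryBlockList:
    """Addresses blocked for a fixed duration, as the Traffic Monitor Block command does.

    The duration is passed in once, mirroring the guide's statement that the block length
    is set in Policy Manager rather than chosen per address. The current time is passed to
    each call so the behaviour is deterministic.
    """

    def __init__(self, duration_seconds: int) -> None:
        if duration_seconds <= 0:
            raise ValueError("block duration must be positive")
        self.duration = duration_seconds
        self._expires_at: Dict[str, float] = {}  # normalized address -> expiry timestamp

    @staticmethod
    def _key(address: str) -> str:
        # ipaddress rejects malformed input and gives one canonical spelling per address,
        # so "203.0.113.007" and "203.0.113.7" cannot become two separate entries.
        return str(ipaddress.ip_address(address))

    def block(self, address: str, now: float) -> float:
        """Add a block, or refresh an existing one; return the new expiry time."""
        expiry = now + self.duration
        self._expires_at[self._key(address)] = expiry
        return expiry

    def is_blocked(self, address: str, now: float) -> bool:
        """True while the entry's deadline has not passed."""
        expiry = self._expires_at.get(self._key(address))
        return expiry is not None and now < expiry

    def sweep(self, now: float) -> int:
        """Remove expired entries; return how many were removed."""
        expired = [addr for addr, t in self._expires_at.items() if t <= now]
        for addr in expired:
            del self._expires_at[addr]
        return len(expired)

    def active(self, now: float) -> Dict[str, float]:
        """Current entries and their expiry times, for display."""
        return {addr: t for addr, t in self._expires_at.items() if now < t}


def decide(blocklist: TemporaryBlockList, src: str, dst: str, now: float) -> str:
    """Return 'deny' if either endpoint is temporarily blocked, else 'allow'.

    The guide says the block applies to all traffic from or to the address, so both the
    source and the destination of a packet are checked.
    """
    if blocklist.is_blocked(src, now) or blocklist.is_blocked(dst, now):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # Constructed sample: a 10 minute block applied at t=1000 to a documentation-range address.
    blocks = TemporaryBlockList(duration_seconds=600)
    blocks.block("203.0.113.7", now=1000.0)
    print(decide(blocks, "203.0.113.7", "10.0.0.5", now=1200.0))   # deny
    print(decide(blocks, "10.0.0.5", "203.0.113.7", now=1200.0))   # deny, either direction
    print(decide(blocks, "203.0.113.7", "10.0.0.5", now=1700.0))   # allow, block has lapsed
    print("swept:", blocks.sweep(now=1700.0))
```

The sweep is separate from the lookup on purpose: a lookup must stay correct even if expired entries have not been removed yet, which is why `is_blocked` compares against the deadline rather than trusting presence in the dictionary.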
Clearing the ARP Cache
The ARP (Address Resolution Protocol) cache on the Firebox® keeps the hardware addresses (also known as MAC addresses) of TCP/IP hosts. Before it sends an ARP request, the system first checks whether the hardware address is already in the cache. You must clear the ARP cache on the Firebox when your network has a drop-in configuration.
1. From Firebox System Manager, select Tools > Clear ARP Cache.
2. Type the Firebox configuration passphrase.
3. Click OK.
This flushes the cache entries.
Using the Performance Console
The Performance Console is a Firebox® utility that you use to prepare graphs that show how various parts of the Firebox are functioning. To gather the information, you define counters that identify the data used to prepare the graph.
Types of counters
You can monitor these types of performance counters:
System Information
Show how the CPU is used.
Interfaces
Monitor and report on the activities of selected interfaces. For example, you can set up a
counter that monitors the number of packets received by a specific interface.
Policies
Monitor and report on the activities of selected policies. For example, you can set up a
counter that monitors the number of packets that a specific policy examines.
VPN Peers
Monitor and report on the activities of selected VPN policies.
Tunnels
Monitor and report on the activities of selected VPN tunnels.
Defining counters
To define a counter for any of the categories:
1. From Firebox System Manager, select the Performance Console icon.
The Performance Console window appears.
2. From the Performance Console window, expand one of the counter categories listed under Available Counters.
Click the + sign adjacent to the category name to see the counters available in that category. When you click a counter, the Counter Configuration fields automatically refresh, related to the counter you select.
3. From the Chart Window drop-down list, select New Window if the graph is to be shown in a new window. Or, select the name of an open window to add the graph to a window that is open.
4. From the Poll Interval drop-down list, select a time interval between 5 and 60 seconds.
This is the frequency that Performance Console checks for updated information from the Firebox.
5. Add configuration information specific to the selected counter. These fields show automatically when you select specified counters.
- Type — Use the drop-down list to select the type of graph to create.
- Interface — Use the drop-down list to select the interface to graph data for.
- Policy — Use the drop-down list to select a policy from your Firebox configuration to graph data for.
- Peer IP — Use the drop-down list to select the IP address of a VPN endpoint to graph data for.
- Tunnel ID — Use the drop-down list to select the name of a VPN tunnel to graph data for.
6. Click Add Chart to start the real-time graphing of this counter.
Note
This performance graph shows CPU usage. You create graphs for other functions in the same way.
To edit the polling interval of an active counter:
1. Select the counter name in the Active Counters dialog box in the lower-right corner of the Performance Console window.
2. Use the Poll every drop-down list to select a new polling interval.
3. Click Apply.
The real-time chart window updates with the new polling interval.
To remove an active counter:
1. Select the counter name in the Active Counters dialog box in the lower-right corner of the Performance Console window.
2. Click Remove.
Viewing the performance graph
Graphs are shown in a real-time chart window. You can show one graph in each window, or show many
graphs in one window. Graphs scale dynamically to fit the data.
Click Stop Monitoring to stop the Performance Console from collecting data for this counter. You can
stop monitoring to save system resources and restart it again later.
Click Close to close the chart window. The data in the chart will not be saved.
Viewing Bandwidth Usage
Select the Bandwidth Meter tab to see the real-time bandwidth for all the Firebox® interfaces. If you
click any place on the chart, you can get more detailed information in a pop-up window about bandwidth use at this point in time.
To change the way the bandwidth is displayed:
1. From Firebox System Manager, select File > Settings. Click the Bandwidth Meter tab.
2. Do one or more of the steps in the following sections.
Changing the scale of the bandwidth display
You can change the scale of the Bandwidth Meter tab. Use the Graph Scale drop-down list to select the
value that is the best match for the speed of your network. You can also set a custom scale. Type the
value in kilobits for each second in the Custom Scale text box.
Adding and removing lines in the bandwidth display
• To add a line to the Bandwidth Meter tab, select the interface from the Hide list in the Color
Settings section. Use the Text Color control to select a color for the line. Click Add. The interface
name appears in the Show list with the color you selected.
• To remove a line from the Bandwidth Meter tab, select the interface from the Show list in the
Color Settings section. Click Remove. The interface name appears in the Hide list.
Changing colors in the bandwidth display
You can also change the colors of the display of the Bandwidth Meter tab. Use the Background and Grid
Line color control boxes to select a new color.
Changing how interfaces appear in the bandwidth display
One option is to change how the interface names appear on the left side of the Bandwidth Meter tab.
The names can show as a list. The display can also show an interface name adjacent to the line it identifies. Use the Show the interface text as a drop-down list to select List or Tags.
Viewing Number of Connections by Policy
Select the Service Watch tab of Firebox® System Manager to see a graph of the configured policies on a
network. The Y axis (vertical) shows the number of connections. The X axis (horizontal) shows the time. If
you click any place on the chart, you can get more detailed information in a pop-up window about policy
use at this point in time.
1. To change the way the policies are displayed, select File > Settings. Click the Service Watch tab.
2. Do one or more of the steps in the following sections.
Changing the scale of the policies display
You can change the scale of the Service Watch tab. Use the Graph Scale drop-down list to select the
value that is the best match for the volume of traffic on your network. You can also set a custom scale.
Type the number of connections in the Custom Scale text box.
Adding and removing lines in the policies display
• To add a line to the Service Watch tab, select the policy from the Hide list in the Color Settings section. Use the Text Color control to select a color for the line. Click Add. The policy name appears in the Show list with the color you selected.
• To remove a line from the Service Watch tab, select the policy from the Show list in the Color Settings section. Click Remove. The policy name appears in the Hide list.
Changing colors in the policies display
You can change the colors of the display of the Service Watch tab. Use the Background and Grid Line
color control boxes to select a new color.
Changing how policy names appear in the policies display
You can change how the policy names appear on the left side of the Service Watch tab. The names can
show as a list. The tab can also show a policy name adjacent to the line it identifies. Use the Show
the policy labels as a drop-down list to select List or Tags.
Showing connections by policy or rule
The Service Watch tab can show the number of connections by policy or rule. The policy setting lets you
put together more than one rule into a single line. Use the Show connections by drop-down list to select
a display setting.
Viewing Information About Firebox Status
There are four tabs that tell about Firebox® status and configuration: Status Report, Authentication List,
Blocked Sites, and Security Services.
Status Report
The Status Report tab provides statistics about Firebox traffic.
The Firebox Status Report contains this information:
Uptime and version information
The Firebox uptime, the WatchGuard® Firebox System software version, the Firebox model,
and appliance software version. There is also a list of the status and version of the product
components operating on the Firebox.
Log hosts
The IP addresses of the log host or hosts.
Logging options
Logging options configured with either the Quick Setup Wizard or Policy Manager.
Memory and load average
Statistics on the memory usage (shown in bytes of memory) and load average of the
currently running Firebox.
Processes
The process ID, the name of the process, and the status of the process, as shown in the figure
on the next page. (These codes appear under the column marked “S.”)
Network configuration
Information about the network cards in the Firebox: the interface name, its hardware and
software addresses, and its netmask. The display also includes local routing information and
IP aliases.
Blocked Sites list
The current manually blocked sites and any current exceptions. Temporarily blocked site
entries appear on the Blocked Sites tab.
Interfaces
Each network interface appears in this section, along with information about what type of
interface it is configured as (external, trusted, or optional), its status and packet count.
Routes
The Firebox kernel routing table. You use these routes to find which interface the Firebox
uses for each destination address.
ARP table
The ARP table on the Firebox. The ARP table is used to match IP addresses to hardware
addresses.
Dynamic Routing
This shows which, if any, dynamic routing components are in use on the Firebox.
Refresh interval
This is the rate at which this display updates the information.
Support
Click Support to open the Support Logs dialog box. This is where you set the location to
which you save the diagnostic log file. You save a support log in tarzipped (*.tgz) format.
You create this file for troubleshooting, when requested by your support representative.
Authentication List
The Authentication List tab of Firebox System Manager gives the IP addresses and user names of all the
persons that are authenticated to the Firebox. If you use DHCP, an IP address can appear as a different
user name when the computer starts again.
You can sort users by IP address or user name by clicking the column header. You can also remove an
authenticated user from the list by right-clicking their user name and closing their authenticated session.
Blocked Sites
The Blocked Sites List tab of Firebox System Manager shows the IP addresses of all the external IP
addresses that are temporarily blocked. Many events can cause the Firebox to add an IP address to the
Blocked Sites tab: a port space probe, a spoofing attack, an address space probe, or an event you configure.
Adjacent to each IP address is the time when it comes off the Blocked Sites tab. You can use the Blocked
Sites dialog box in Policy Manager to adjust the length of time that an IP address stays on the list.
Adding and removing sites
The Blocked Sites tab is in continuous refresh mode if the Continue button on the toolbar is
enabled. Add allows you to temporarily add a site to the blocked sites list. Click Change Expiration to change the time at which this site is deleted from the list. Delete removes the site from
the blocked sites list.
If you open the Firebox with the status passphrase, you must type the configuration passphrase before
you can remove a site from the list.
Security Services
The Security Services tab lists information about the Gateway AntiVirus and Intrusion Prevention services.
Gateway AntiVirus
This area of the dialog box gives information about the Gateway AntiVirus for E-mail feature.
Activity since last restart
- Files scanned: Number of files that have been scanned for viruses since the last Firebox
restart.
- Viruses found: Number of viruses found in scanned files since the last Firebox restart.
- Viruses cleaned: Number of files removed that were infected by viruses since the last
Firebox restart.
Signatures
- Installed version: Version number of the installed signatures.
- Last update: Date of the last signature update.
- Version available: Whether a newer version of the signatures is available.
- Server URL: URL that the Firebox visits to see if updates are available, and the URL that
updates are downloaded from.
- History: Click to show a list of all of the historical signature updates.
- Update: Click to update your virus signatures. This button is active only if a newer version
of the virus signatures is available.
Intrusion Prevention Service
This area of the dialog box gives information about the Signature-Based Intrusion Prevention Service feature.
Activity since last restart
- Scans performed: Number of scans performed since the last Firebox restart.
- Intrusions detected: Number of intrusions detected since the last Firebox restart.
- Intrusions prevented: Number of intrusions prevented since the last Firebox restart.
Signatures
- Installed version: Version number of the installed signatures.
- Last update: Date of the last signature update.
- Version available: If a newer version of the signatures is available.
- Server URL: URL that the Firebox visits to see if updates are available, and the URL that
updates are downloaded from.
- History: Click to show a list of all of the historical signature updates.
- Update: Click this button to update your intrusion prevention signatures. This button is
active only if a newer version of the intrusion prevention signatures is available.
Using HostWatch
HostWatch is a graphic user interface that shows the network connections between the trusted and external networks. HostWatch also gives information about users, connections, and network address translation (NAT).
The line that connects the source host and the destination host uses a color that shows the type of connection. You can change these colors. The default colors are:
• Red — The Firebox® denies the connection.
• Blue — The connection uses a proxy.
• Green — The Firebox uses NAT for the connection.
• Black — A normal connection (none of the above applies).
Icons that show the type of service appear adjacent to the server entries for HTTP, Telnet, SMTP, and FTP.
Domain name server (DNS) resolution does not occur immediately when you first start HostWatch. When
HostWatch is configured to do DNS resolution, it replaces the IP addresses with the host or user names. If
the Firebox cannot identify the host or user name, the IP address stays in the HostWatch window.
Using DNS resolution with HostWatch can cause the management station to send a large number of NetBIOS packets (UDP 137) through the Firebox. The only method of preventing this is to turn off NetBIOS
over TCP/IP in Windows.
To start HostWatch, click the HostWatch icon in Firebox System Manager.
The HostWatch window
The top part of the HostWatch window has two sides. You can set the interface for the left side. The right
side represents all other interfaces. HostWatch shows the connections to and from the interface configured on the left side. To select an interface, right-click the current interface name. Select the new interface.
Double-click an item on one of the sides to get the Connections For dialog box. The dialog box shows
information about the connection, and includes the IP addresses, port number, time, connection type,
and direction.
While the top part of the window only shows connections to and from the selected interface, the bottom
part of the HostWatch window shows all connections to and from all interfaces. The information is shown
in a table with the ports and the time the connection was created.
Controlling the HostWatch window
You can change the HostWatch window to show only the necessary items. You can use this feature to
monitor specified hosts, ports, or users.
1. From HostWatch, select View > Filter.
2. Click the tab to monitor: Policy List, External Hosts, Other Hosts, Ports, or Authenticated Users.
3. On the tab for each item you do not want to see, clear the check boxes in the dialog box.
4. On the tab for each item you do want to see, type the IP address, port number, or user name to monitor. Click Add.
Do this for each item that HostWatch must monitor.
5. Click OK.
Changing HostWatch view properties
You can change how HostWatch shows information. For example, HostWatch can show host names as an
alternative to addresses.
1. From HostWatch, select View > Settings.
2. Use the Display tab to change how the hosts appear in the HostWatch window.
3. Use the Line Color tab to change the colors of the lines between NAT, proxy, blocked, and normal connections.
4. Click OK to close the Settings dialog box.
Adding a blocked site from HostWatch
To add an IP address to the blocked sites list from HostWatch, right-click on the connection and use the
pop-up window to select the IP address from the connection to add to the blocked sites list. You must set
the time for the IP address to be blocked, and give the configuration passphrase.
Pausing the HostWatch Display
You can use the Pause and Continue icons on the toolbar to temporarily stop and then restart the display.
Or, use File > Pause and File > Continue.
CHAPTER 3
Setting Up Your Firebox
To operate correctly, your Firebox® must have the information necessary to apply your security policy to
the traffic that goes through your network. Policy Manager gives you one user interface to configure your
security policy. This chapter shows you how to:
• Add, delete and view licenses
• Use aliases
• Set up a log host
• Configure logging
• Configure Firebox global settings
• Set up the Firebox to use an NTP server
• Configure the Firebox for SNMP
Working with Licenses
You increase the functionality of your Firebox® when you purchase an option and add the license key to
the configuration file. When you get a new key, make sure to follow the instructions that come with the
key. These instructions send you to a URL where you will see prompts to enter the key and the serial number from your Firebox. The Web site will create the license key that you will paste into Policy Manager as
described in this section.
Adding licenses
1. From Policy Manager, select Setup > Licensed Features.
The Firebox License Keys dialog box appears. This dialog box shows the licenses that are available.
2. Click Add.
The Add Firebox License Key dialog box appears.
3. Click Import and browse to the location of the license file.
You can also paste the contents of the license file into the dialog box.
4. Click OK two times.
At this time, the features are available on the management station. In many conditions, new dialog boxes and menu commands to configure the feature appear in Policy Manager.
5. Save the configuration to the Firebox.
The feature does not operate on the Firebox until you save the configuration file to the Firebox.
Deleting a license
1. From Policy Manager, select Setup > Licensed Features.
The Firebox License Keys dialog box appears.
2. Expand Licenses, select the license ID you want to remove, and click Remove.
3. Click OK.
4. Save the configuration to the Firebox.
Seeing the active features
To see a list of all features for which licenses have been entered, select the license key and click Active
Features. The Active Features dialog box shows each feature along with its capacity and expiration.
Seeing the properties of a license
To see the properties of a license, select the license key and click Properties. The License Properties dialog box shows the serial number of the Firebox this license applies to, along with its ID and name, the
Firebox model and version number, and the features available for the Firebox.
Downloading a license key
If your license file is not current, you can download a copy of any license file from the Firebox to your
management station. To download license keys from a Firebox, select the license key and click Download.
A dialog box appears for you to type the status passphrase of the Firebox.
Working with Aliases
An alias is a shortcut that identifies a group of hosts, networks, or interfaces. When you use an alias, it is
easier to create a security policy because the Firebox® allows you to use aliases when you create policies.
There are some default aliases included in Policy Manager for your use, including:
Any-Trusted
This is an alias for all Firebox interfaces of type “trusted” (as defined in Policy Manager >
Network > Configuration), and any network accessible through these interfaces.
Any-External
This is an alias for all Firebox interfaces of type “external” (as defined in Policy Manager >
Network > Configuration), and any network accessible through these interfaces.
Any-Optional
This is an alias for all Firebox interfaces of type “optional” (as defined in Policy Manager >
Network > Configuration), and any network accessible through these interfaces.
Using an alias is different from using user authentication. With user authentication, you can monitor a
connection with a name and not as an IP address. The person authenticates with a user name and a password to get access to Internet tools, for example HTTP or FTP. For more information about user authentication, see “How User Authentication Works” on page 107.
Creating an alias
1. From Policy Manager, select Setup > Aliases.
The Aliases dialog box appears.
2. Click Add.
The Add Alias dialog box appears.
3. In the Alias Name text box, type a unique name to identify the alias.
This name appears in lists when you configure a security policy.
4. Click Add to add an IP address, subnet, interface, or a different alias to the list of alias members.
The member appears in the list of Alias Members.
5. Click OK two times.
Using Logging
The WatchGuard® System Manager installation utility can install Policy Manager and the WatchGuard Log
Server on the same computer. Or, you can also install the Log Server on one or more other computers. You
use Policy Manager and the Log Server to set up and manage logging.
Use Policy Manager to:
- Add the log hosts
- Change the configuration of policies and packet handling
- Save the configuration file to the Firebox®
Use WatchGuard Log Server to:
- Select the global logging and the notification configuration for the host
- Set the log encryption key on the local log server
Categories of log messages
The Firebox sends four types of log messages: Traffic, Alarm, Event, and Diagnostic.
Traffic logs
The Firebox sends traffic logs as it applies packet filter and proxy rules to traffic that goes through the
Firebox.
Alarm logs
Alarm logs are sent when an event occurs that causes the Firebox to take an action in response.
When the alarm condition occurs, the Firebox sends an alarm log to Traffic Monitor and to the log server, and
causes the specified action to occur.
Some alarms are set in your Firebox configuration. For example, you can use Policy Manager to configure
an alarm when a specified threshold occurs. Other alarms are set in a default configuration. The Firebox
sends an alarm log when a network connection on one of the Firebox interfaces goes down. You cannot
change this in your configuration.
There are eight categories of alarm logs: System, IPS, AV, Policy, Proxy, Counter, Denial of service, and
Traffic.
Event logs
Event logs are created because of Firebox user actions. Events that cause event logs include:
• Firebox start up/shut down
• Firebox and VPN authentication
• Process start up/shut down
• Problems with the Firebox hardware components
• Any task done by the Firebox administrator
Diagnostic logs
Diagnostic (debug) logs are log messages with more information sent by the Firebox that you can use to
help troubleshoot problems. There are 27 different product components that can send diagnostic logs.
Designating log servers for a Firebox
It is recommended that you have a minimum of one log server to use WatchGuard System Manager. You
can select a different primary log server and more than one backup log server.
To set a log server:
1. From Policy Manager, select Setup > Logging.
The Logging Setup dialog box appears.
2. Select the log server or servers you want to use. Click the Send log messages to the log servers at these IP addresses check box.
Adding a log server
1. From Policy Manager, select Setup > Logging.
The Logging Setup dialog box appears.
2. Click Configure. Click Add. Type the IP address and the log server encryption key. The permitted range for the encryption key is 8–32 characters.
3. Click OK.
Setting log server priority
If the Firebox cannot connect to the log server with the highest priority, it connects to the subsequent log
server in the priority list. If the Firebox checks each log server in the list and cannot connect, it will try to
connect to the first log server in the list again. You can create a priority list for log servers.
1. From Policy Manager, select Setup > Logging.
The Logging Setup dialog box appears.
2. Click Configure.
The Configure Log Servers dialog box appears.
3. Select a log host in the Configure Log Servers dialog box. Use the Up and Down buttons to change the order.
Activating Syslog logging
You can configure the Firebox to send log information to a Syslog server. A Firebox can send log messages to a log server and a Syslog server at the same time, or send logs to one or the other. Syslog logging
is not encrypted. Do not select a host on the external interface as the Syslog server because this is not
secure.
1. From Policy Manager, select Setup > Logging.
The Logging Setup dialog box appears.
2. Select the Send Log Messages to the Syslog server at this IP address check box.
3. Type the IP address of the Syslog server.
4. Click Configure.
The Configure Syslog dialog box appears.
5. For each type of log message, select the Syslog facility to assign. For information on types of log messages, see “Categories of log messages” on page 36.
The Syslog facility refers to one of the fields in the Syslog packet and to the file the Syslog is sent to. You can use Local0 for high priority Syslog messages, such as alarms. You can use Local1 through Local7 to assign priorities for other types of log messages (with lower numbers having greater priority).
6. Click OK.
7. Save your changes to the Firebox.
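The facility you assign in step 5 travels in the <PRI> prefix of every Syslog line the Firebox sends (PRI = facility * 8 + severity). The following added Python example (not WatchGuard code) decodes that prefix from constructed sample lines, groups them by the four log categories described above, and checks the caveat that the Syslog server must not sit on the external side; the facility-to-category table and the internal network list are assumptions made for the example.

```python
"""Decode the PRI field of Firebox syslog lines and route them by facility.

Added example, not WatchGuard code. The facility-to-category table is an
assumed configuration: the guide only says Local0 suits alarms.
"""
import ipaddress
import re
from collections import defaultdict

# Facility codes 16..23 are local0..local7 (RFC 3164, section 4.1.1).
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed mapping chosen for this example (Alarm gets Local0, as the guide suggests).
CATEGORY_BY_FACILITY = {
    "local0": "Alarm",
    "local1": "Traffic",
    "local2": "Event",
    "local3": "Diagnostic",
}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri: int) -> tuple:
    """Split a PRI value into (facility, severity); a valid PRI is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_syslog_line(line: str) -> dict:
    """Return facility, severity, the Firebox log category and the message body."""
    match = _PRI_RE.match(line)
    if not match:
        raise ValueError("line has no <PRI> prefix")
    facility, severity = decode_pri(int(match.group(1)))
    facility_name = FACILITY_NAMES.get(facility, f"facility{facility}")
    return {
        "facility": facility_name,
        "severity": SEVERITY_NAMES[severity],
        "category": CATEGORY_BY_FACILITY.get(facility_name, "Unassigned"),
        "message": match.group(2),
    }


def route_by_category(lines) -> dict:
    """Group parsed lines by Firebox log category (Alarm, Traffic, ...)."""
    buckets = defaultdict(list)
    for line in lines:
        record = parse_syslog_line(line)
        buckets[record["category"]].append(record)
    return dict(buckets)


def syslog_target_is_internal(server_ip: str, internal_networks) -> bool:
    """Syslog is unencrypted, so the server should be on an internal network."""
    addr = ipaddress.ip_address(server_ip)
    return any(addr in ipaddress.ip_network(net) for net in internal_networks)


# Constructed sample lines (not real Firebox output): local0/alert, local1/info,
# local3/debug and local5/notice (the last one has no category assigned).
SAMPLE_LINES = [
    "<129>Apr 11 10:00:01 firebox alarm: interface eth0 link down",
    "<142>Apr 11 10:00:02 firebox traffic: allow 10.0.1.20 -> 203.0.113.7 tcp/443",
    "<159>Apr 11 10:00:03 firebox diag: ike negotiation trace",
    "<173>Apr 11 10:00:04 firebox message on an unmapped facility",
]

if __name__ == "__main__":
    for category, records in route_by_category(SAMPLE_LINES).items():
        for rec in records:
            print(f"{category:<11} {rec['facility']}/{rec['severity']}: {rec['message']}")
```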
Enabling advanced diagnostics
You can select the level of diagnostic logging to write to your log file or to Traffic Monitor. We do not
recommend that you set the logging level to the highest level unless a technical support representative
requests it to troubleshoot a problem. It can cause the log file to fill up very quickly.
1. From Policy Manager, select Setup > Logging.
The Logging Setup dialog box appears.
2. Click Advanced Diagnostics.
The Advanced Diagnostics dialog box appears.
3. Select a category from the left side of the screen.
A description of the category appears in the Description box.
4. Use the slider below Settings to set the level of information that a log of each category will include in its log message. When the lowest level is set, diagnostic messages for that category are turned off.
5. To show diagnostic messages in Traffic Monitor, select the Display diagnostics messages in Traffic Monitor check box.
6. To have the Firebox collect a packet trace for IKE packets, select the Enable IKE packet tracing to Firebox internal storage check box. To see the packet trace information the Firebox collects, open Firebox System Manager and click the Status tab. Click Support to have Firebox System Manager get the packet trace information from the Firebox.
Using Global Settings
In Policy Manager you select settings that control the actions of many Firebox® features with the Global
Settings tool.
You set basic parameters for:
• VPN
• ICMP error handling
• TCP SYN checking
• TCP maximum segment size adjustment
1. From Policy Manager, select Setup > Global Settings.
The Global Settings dialog box appears.
2. Configure the different categories of global settings as shown in the sections below.
VPN
The global VPN settings are:
Ignore DF for IPSec
Ignore the setting of the Don’t Fragment bit in the IP header.
IPSec pass through
If a user must make IPSec connections to a Firebox from behind a different Firebox, you
must enable the IPSec pass through setting. For example, mobile employees at a customer
location that has a Firebox can then make IPSec connections to their own network. For the
local Firebox to correctly allow the outgoing IPSec connection, you must also add an IPSec
policy in Policy Manager.
ICMP error handling
Internet Control Message Protocol (ICMP) is used to control errors during connections. It is used for two
types of operations:
• To tell about error conditions.
• To probe a network to find general characteristics about the network.
The Firebox sends an ICMP error message each time an event occurs that matches one of the selected
parameters. The global ICMP error handling parameters and their descriptions are:
Fragmentation req (PMTU)
The IP datagram must be fragmented, but this is prevented because the Don’t Fragment bit
in the IP header is set.
Time exceeded
The datagram was dropped because the Time to Live field expired.
Network unreachable
The datagram could not get to the network.
Host unreachable
The datagram could not get to the host.
Port unreachable
The datagram could not get to the port.
Protocol unreachable
The protocol piece of the datagram could not be delivered.
TCP SYN checking
The global TCP SYN checking setting is:
Enable TCP SYN checking
This feature makes sure that the TCP three-way handshake is done before the Firebox allows
a data connection to be made.
TCP maximum segment size adjustment
The TCP segment can be set to a specified size for a connection that must have more TCP overhead (like
PPPoE, ESP, AH, and so on). If this size is not correctly configured, users cannot get access to some Web
sites. The global TCP maximum segment size adjustment settings are:
Auto adjustment
The Firebox examines all maximum segment size (MSS) negotiations and changes the MSS
value to the applicable one.
No adjustment
The Firebox does not change the MSS.
Limit to
You set a size adjustment limit.
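To make the auto adjustment and limit settings concrete, here is an added Python example (not WatchGuard code, and not the Firebox's own algorithm) that parses the TCP options of a constructed SYN, lowers the MSS option to what a PPPoE-encapsulated link can carry, and recomputes the TCP checksum; the 8-byte PPPoE overhead is the standard header size, and other encapsulation overheads (ESP, AH) are left for the caller to supply.

```python
"""Clamp the TCP MSS option on a SYN the way an MSS adjustment feature does.

Added example, not WatchGuard code. The generic technique: parse the TCP
options, lower the MSS option when it exceeds what the path can carry, and
recompute the checksum. Only the PPPoE overhead is hard-coded here.
"""
import ipaddress
import struct

ETHERNET_MTU = 1500
IPV4_HEADER_LEN = 20
TCP_HEADER_LEN = 20
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2
PPPOE_OVERHEAD = 8  # 6-byte PPPoE header + 2-byte PPP protocol field


def path_mss(encap_overhead: int, mtu: int = ETHERNET_MTU) -> int:
    """Largest MSS that still fits the MTU once encapsulation bytes are added."""
    return mtu - encap_overhead - IPV4_HEADER_LEN - TCP_HEADER_LEN


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment; 0 means it verifies."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def iter_tcp_options(segment: bytes):
    """Yield (kind, offset, value) for each option in the TCP header."""
    header_len = (segment[12] >> 4) * 4
    pos = TCP_HEADER_LEN
    while pos < header_len:
        kind = segment[pos]
        if kind == OPT_EOL:
            return
        if kind == OPT_NOP:
            pos += 1
            continue
        length = segment[pos + 1]
        if length < 2 or pos + length > header_len:
            raise ValueError("malformed TCP option")
        yield kind, pos, segment[pos + 2:pos + length]
        pos += length


def get_mss(segment: bytes):
    for kind, _, value in iter_tcp_options(segment):
        if kind == OPT_MSS and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


def clamp_mss(src_ip: str, dst_ip: str, segment: bytes, max_mss: int) -> bytes:
    """Return a copy of the SYN with MSS lowered to max_mss (if larger) and checksum fixed."""
    buf = bytearray(segment)
    for kind, pos, value in iter_tcp_options(segment):
        if kind == OPT_MSS and len(value) == 2 and struct.unpack("!H", value)[0] > max_mss:
            struct.pack_into("!H", buf, pos + 2, max_mss)
            struct.pack_into("!H", buf, 16, 0)  # checksum field is zero while computing
            struct.pack_into("!H", buf, 16, tcp_checksum(src_ip, dst_ip, bytes(buf)))
            break
    return bytes(buf)


def build_syn(src_ip: str, dst_ip: str, src_port: int, dst_port: int, mss: int) -> bytes:
    """Constructed sample: a SYN carrying only an MSS option (24-byte header)."""
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 6 << 4, 0x02, 65535, 0, 0)
    seg = bytearray(fixed + struct.pack("!BBH", OPT_MSS, 4, mss))
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    syn = build_syn("10.0.1.20", "203.0.113.7", 40000, 443, 1460)
    clamped = clamp_mss("10.0.1.20", "203.0.113.7", syn, path_mss(PPPOE_OVERHEAD))
    print(get_mss(syn), "->", get_mss(clamped))  # 1460 -> 1452
```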
Setting NTP Servers
Network Time Protocol (NTP) synchronizes computer clock times across a network. NTP operates on TCP
and UDP port 123. The Firebox® can synchronize its clock to an internet NTP server to help you keep all
devices on your network synchronized to the same time.
1. From Policy Manager, select Setup > NTP.
2. Select Enable NTP and type the IP addresses of the NTP servers to use. The Firebox can use up to three NTP servers.
3. Click OK.
Working with SNMP
Simple Network Management Protocol (SNMP) is a set of protocols for managing networks. SNMP uses
management information bases (MIBs) that have management information that is available from network
devices. With Fireware appliance software, the Firebox supports SNMPv1 and SNMPv2c.
You can configure the Firebox® as an SNMP device. It can then receive SNMP polls from an SNMP server.
1. From Policy Manager, select Setup > SNMP.
2. Type the IP address of the SNMP server and click Add.
3. To enable the Firebox to send SNMP traps, select Enable SNMP Trap. You must also edit the policy that will trigger a trap. Open a policy configuration for edit and select the Properties tab. Click Logging and select the check box Enable SNMP Trap.
An SNMP trap is an event notification the Firebox sends to the SNMP management system. The trap identifies when a condition occurs, such as a value that is more than its predefined threshold.
4. Type the Community String the Firebox must use when connecting to the SNMP server.
The community string is like a user ID or password that allows access to the statistics of a device. This community string must be included with all SNMP requests. If the community string is correct, the device gives the requested information. If the community string is not correct, the device discards the request and does not respond.
5. Click OK.
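Because SNMPv1 and SNMPv2c (the versions the Firebox supports) carry the community string in the datagram as plain text, anyone who can capture traffic on the management network can read it. The added Python example below (not WatchGuard code) builds a minimal GetRequest for sysName.0 from RFC1213-MIB and extracts the version, community string and PDU type back out of the raw bytes; the check for well-known default strings is an assumed monitoring rule for the example, not a Firebox feature.

```python
"""Encode and inspect an SNMPv1/v2c GetRequest to show the plaintext community string.

Added example, not WatchGuard code. Minimal BER encoding for one varbind;
SNMPv3 messages are recognised and reported as carrying no community string.
"""

PDU_TYPES = {
    0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
    0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest", 0xA7: "SNMPv2-Trap",
}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}
SYSNAME_OID = "1.3.6.1.2.1.1.5.0"  # sysName.0 from RFC1213-MIB


def _ber_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload


def _ber_int(value: int) -> bytes:
    # Minimal two's-complement encoding; sufficient for the small non-negative ints used here.
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def _ber_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_get_request(community: str, oid: str, version: int = 1, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, GetRequest-PDU }."""
    varbind = _tlv(0x30, _ber_oid(oid) + _tlv(0x05, b""))
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(version) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def inspect_snmp(packet: bytes) -> dict:
    """Pull version, community and PDU type out of a raw SNMP datagram."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, vbody, pos = _read_tlv(body, 0)
    if vtag != 0x02:
        raise ValueError("missing version field")
    version = int.from_bytes(vbody, "big", signed=True)
    if version == 3:
        return {"version": "v3", "community": None, "pdu": None}  # no plaintext community
    ctag, cbody, pos = _read_tlv(body, pos)
    if ctag != 0x04:
        raise ValueError("missing community string")
    ptag, _, _ = _read_tlv(body, pos)
    return {
        "version": VERSION_NAMES.get(version, f"unknown({version})"),
        "community": cbody.decode("utf-8", "replace"),
        "pdu": PDU_TYPES.get(ptag, f"0x{ptag:02x}"),
    }


def flag_weak_community(packet: bytes, weak=("public", "private")) -> bool:
    """Assumed detection rule: a v1/v2c request carrying a well-known default string."""
    info = inspect_snmp(packet)
    return info["community"] is not None and info["community"].lower() in weak


if __name__ == "__main__":
    pkt = encode_get_request("public", SYSNAME_OID)
    print(pkt.hex())  # the ASCII bytes of "public" are visible in the datagram
    print(inspect_snmp(pkt), "weak:", flag_weak_community(pkt))
```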
Using MIBs
WatchGuard System Manager with Fireware appliance software supports two types of Management Information Bases (MIBs):
• Public MIBs, including IETF standards and MIB2
• Private MIBs, such as those created by WatchGuard
You can download these MIBs from the LiveSecurity Web site. You can see the MIBs easily if you use a
MIB browser (such as HP OpenView or MG-Soft’s MIB browser). The Firebox supports these read-only
object MIBs:
- RFC1155-SMI
- SNMPv2-SMI
- RFC1213-MIB
- RAPID-MIB
- RAPID-SYSTEM-CONFIG-MIB
PART I
Protecting Your Network
CHAPTER 5
Basic Firebox Configuration
After your Firebox® is installed on your network and operating with a basic configuration file, you can
begin to add custom configuration settings to meet the needs of your organization. This chapter shows
you how to do some basic configuration and maintenance tasks. Some of these tasks you will do over and
over again as you work with your Firebox. Other tasks you will only do one time.
These basic configuration tasks include:
• Open a configuration file on a local computer or from the Firebox
• Save a configuration file to a local computer or the Firebox
• Change the Firebox passphrases
• Set the Firebox time zone
• Give the Firebox a name to use (instead of an IP address)
• Set basic schedules to use in your policies later
Opening a Configuration File
Policy Manager for Fireware is a software tool that lets you make, change, and save configuration files. A
configuration file, with the extension .cfg, contains all configuration data, options, addresses, and other
information that makes up your Firebox® security policy. When you use Policy Manager, you see a version
of your configuration file that is easy to examine and change.
When you work with a configuration file, you can:
• Open the working configuration file on your Firebox
• Open a configuration file stored on your local hard drive
• Make a new configuration file
Opening a working configuration file
A common task for a network administrator is to make a change to your current security policy. For
example, your business purchases a new software application, and you need to open a port and protocols
to a server at a vendor location. For this task, you must modify your configuration file with Policy Manager.
Using WatchGuard System Manager
1
From the Windows desktop, click Start > Programs > WatchGuard System Manager 8 >
WatchGuard System Manager.
WatchGuard System Manager 8 is the default name of the folder for the Start menu icons. You can change this
folder name during installation.
2
From WatchGuard System Manager, select File > Connect To > Device.
Or,
click the Connect to Device icon on the WatchGuard System Manager toolbar. The Connect to Firebox
dialog box appears.
3
Use the drop-down list to select your Firebox, or type its trusted IP address. Type the status
passphrase. Click OK.
The device appears in the WatchGuard System Manager Device tab.
4
Select the Firebox on the Device tab. Then, select Tools > Policy Manager.
Or,
click the Policy Manager icon on the WatchGuard System Manager toolbar. Policy Manager opens, and it
loads the configuration file in use on the selected Firebox.
Using Policy Manager
1
From Policy Manager, click File > Open > Firebox.
The Open Firebox dialog box appears.
If you get an error that the connection could not be established, try again.
2
From the Firebox Address or Name drop-down list, select a Firebox.
You can also type the IP address or host name.
3
In the Passphrase text box, type the Firebox status (read-only) passphrase.
Use the status passphrase here. You must use the configuration passphrase to save a new configuration to the
Firebox.
4
Click OK.
Policy Manager opens the configuration file and displays the settings.
Opening a local configuration file
Some network administrators find it useful to save more than one version of a Firebox configuration file.
For example, if you have a new security policy to implement, you might want to save the old configuration file to a local hard drive first. Then if you do not like the new configuration, you can restore the old
version. You can open configuration files that are on any network drive to which your management station can connect.
1
From Policy Manager, select File > Open > Configuration File.
Or,
click the Open File icon on the Policy Manager toolbar. A standard Windows open file dialog box appears.
2
Use the Open dialog box to locate and to select the configuration file. Click Open.
Policy Manager opens the configuration file and displays the settings.
Making a new configuration file
The Quick Setup Wizard makes a basic configuration file for your Firebox. We recommend that you use
this as the base for all your configuration files. You can also use Policy Manager to make a new configuration file with only the default configuration properties.
1
From Policy Manager, select File > New.
The Select Firebox Model and Name dialog box appears.
2
Use the Model drop-down list to select your Firebox model. Because there are features that match
each model, it is important that you select the same model as your hardware device.
3
Type a name for the Firebox.
4
Click OK.
Policy Manager makes a new configuration with the file name <name>.xml, where <name> is the name you gave
the Firebox.
Saving a Configuration File
After you make a new configuration file or change an existing configuration file, you can save it directly
to the Firebox®. You can also save it to a local hard disk.
Saving a configuration to the Firebox
1
From Policy Manager, click File > Save > To Firebox.
The Save to Firebox dialog box appears.
2
From the Firebox Address or Name drop-down list, select a Firebox.
When you type an IP address, type all the numbers and the periods. Do not use the TAB key or arrow key.
3
Type the Firebox configuration passphrase. You must use the configuration passphrase to save a file
to the Firebox.
4
Click OK.
Saving a configuration to a local hard drive
1
From Policy Manager, click File > Save > As File.
You can also use CTRL-S. A standard Windows save file dialog box appears.
2
Type the name of the file.
The default procedure is to save the file to the WatchGuard® directory. You can also browse to any folder to which
you can connect from the management station. For better security, we recommend that you save the files in a safe
folder with no access to other users.
3
Click Save.
The configuration file saves to the local hard drive.
Changing the Firebox passphrases
A Firebox® uses two passphrases:
• Status passphrase
The read-only password that allows access to the Firebox
• Configuration passphrase
The read-write password that allows an administrator full access to the Firebox
To create a secure passphrase, we recommend that you:
• Do not use a word from standard dictionaries, even if you use it in a different sequence or in a
different language. Make a new acronym that only you know.
• Do not use a name. It is easy for an attacker to find a business name, familiar name, or the name
of a famous person.
• Use a selection of uppercase and lowercase characters, numbers, and special characters (for
example, Im4e@tiN9).
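As an added example that is not from this guide or from WatchGuard, the following Python functions apply the three recommendations above to a candidate passphrase, and also enforce the rule from the procedure below that the status and configuration passphrases must differ. The dictionary and name lists are constructed, deliberately tiny placeholders; a real check would load a full word list and a list of common and business names. The eight-character minimum and the "three of four character classes" threshold are this example's assumptions, not WatchGuard requirements.

```python
"""Check a Firebox passphrase against the guide's three recommendations.

Added example, not WatchGuard code. The word and name lists are constructed
and deliberately tiny; a real check loads a full dictionary and a names list.
"""
import string

DICTIONARY_WORDS = {"password", "firebox", "watchguard", "seattle", "summer", "admin"}
COMMON_NAMES = {"alice", "bob", "smith", "watchguard"}


def _contains_word(passphrase, words):
    """Listed words that appear forwards or reversed, ignoring case."""
    low = passphrase.lower()
    return [w for w in sorted(words) if w in low or w[::-1] in low]


def passphrase_problems(passphrase, words=DICTIONARY_WORDS, names=COMMON_NAMES, min_len=8):
    """Return the violated rules; an empty list means the passphrase passes."""
    problems = []
    if len(passphrase) < min_len:  # assumed minimum length for this example
        problems.append(f"shorter than {min_len} characters")
    for w in _contains_word(passphrase, words):
        problems.append(f"contains dictionary word '{w}'")
    for n in _contains_word(passphrase, names):
        if n not in words:  # do not report the same token twice
            problems.append(f"contains name '{n}'")
    classes = (
        any(c.isupper() for c in passphrase),
        any(c.islower() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(c in string.punctuation for c in passphrase),
    )
    if sum(classes) < 3:  # assumed threshold: mix at least three classes
        problems.append("use at least three of: uppercase, lowercase, digits, special characters")
    return problems


def passphrase_pair_problems(status, configuration):
    """Apply the rules to both Firebox passphrases and require that they differ."""
    problems = {"status": passphrase_problems(status),
                "configuration": passphrase_problems(configuration)}
    if status == configuration:
        problems["pair"] = ["status and configuration passphrases must be different"]
    return problems


if __name__ == "__main__":
    for candidate in ("Im4e@tiN9", "firebox1", "Seattle2005!"):
        print(candidate, "->", passphrase_problems(candidate) or "ok")
```

The guide's own sample, Im4e@tiN9, passes; a passphrase built from the product name or the company's city fails on the dictionary rule even when it mixes character classes.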
An additional security measure is to change the Firebox passphrases at regular intervals. To do this, you
must have the configuration passphrase.
1
From Policy Manager, open the configuration file on the Firebox.
For more information, see “Opening a working configuration file,” on page 47.
2
Click File > Change Passphrases.
An Open Firebox dialog box appears.
3
From the Firebox drop-down list, select a Firebox or type the IP address of the Firebox. Type the
Firebox configuration (read/write) passphrase. Click OK.
The Change Passphrases dialog box appears.
4
Type and confirm the new status (read-only) and configuration (read/write) passphrases. The status
passphrase must be different from the configuration passphrase.
Setting the Time Zone
5
Click OK.
The Firebox saves the new flash image and the new passphrases, then restarts automatically.
Setting the Time Zone
The Firebox® time zone controls the date and time that appear in the log file and on tools that include
LogViewer, Historical Reports, and WebBlocker. You should set the Firebox time zone to the time zone for
the physical location of the Firebox. This time zone setting allows for the time to appear correctly in the
log messages. The Firebox system time is set to Greenwich Mean Time (GMT) by default.
1
From Policy Manager, click Setup > System.
The Device Configuration dialog box appears.
2
Select a time zone from the drop-down list. Click OK.
Setting a Firebox Friendly Name
You can give the Firebox® a special name to use in your log files and reports. If you do not do this procedure, the log files and reports use the IP address of the Firebox external interface. Many customers use a
Fully Qualified Domain Name if they register such a name with the DNS system. You must give the Firebox a special name if you use the Management Server to configure VPN tunnels and certificates with the
Firebox.
1
From Policy Manager, click Setup > System.
The Device Configuration dialog box appears.
2
In the Name text box, type the friendly name you want for the Firebox. Click OK.
You can use all characters but spaces and slashes (/ or \).
Creating Schedules
You can use schedules to automate certain Firebox® actions such as WebBlocker routines. You can create
a schedule for each day of the week or a different schedule for certain days. You can then use these
schedules in policies that you create.
1
From Policy Manager, select Setup > Actions > Schedules.
The Schedules dialog box appears.
2
Click Add.
The New Schedule dialog box appears.
3
Type a schedule name and description. The schedule name appears in the Schedule dialog box. You
should make it easy to recognize.
4
From the Mode drop-down list, select the time increment for the schedule: one hour, 30 minutes, or
15 minutes.
The chart on the left of the New Schedule dialog box reflects your entry in the drop-down list.
5
The chart in the dialog box shows days of the week along the x-axis (horizontal) and increments of
the day on the y-axis (vertical). Click cells in the chart to switch them between operational hours
(when the policy is active) and nonoperational hours (when the policy is not in effect).
6
Click OK to close the New Schedule dialog box. Click Close to close the Schedules dialog box.
To edit an existing schedule, select the schedule name in the Schedule dialog box and click Edit.
To create a new schedule from an existing one, select the schedule name and click Clone.
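As an added example, not code from this guide or from WatchGuard, the following Python class models the schedule chart described above: a row per day of the week and a cell per time increment (60, 30 or 15 minutes), with each cell either operational or not. It lets you ask whether a policy that uses the schedule is in effect at a given moment, and it rejects a start or end time that does not fall on the chosen increment, which is the same constraint the chart imposes. The schedule name and hours are constructed.

```python
"""Model of a Firebox schedule: a days-of-week x time-slot grid that says when a
policy is in its operational hours.

Added example, not WatchGuard code. Schedule names and hours are constructed.
"""
from datetime import datetime

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")  # x-axis of the chart


class Schedule:
    def __init__(self, name, mode_minutes=60):
        if mode_minutes not in (60, 30, 15):
            raise ValueError("mode must be 60, 30 or 15 minutes")
        self.name = name
        self.mode = mode_minutes
        self.slots_per_day = 24 * 60 // mode_minutes  # y-axis: 24, 48 or 96 cells
        self.grid = [[False] * self.slots_per_day for _ in DAYS]

    def _slot(self, hhmm):
        """Map 'HH:MM' to a cell index; the time must align with the mode."""
        hours, minutes = (int(x) for x in hhmm.split(":"))
        total = hours * 60 + minutes
        if total % self.mode:
            raise ValueError(f"{hhmm} does not fall on a {self.mode}-minute boundary")
        return total // self.mode

    def set_hours(self, day, start, end, operational=True):
        """Mark cells [start, end) on one day as operational (or not)."""
        row = self.grid[DAYS.index(day)]
        first = self._slot(start)
        last = self.slots_per_day if end == "24:00" else self._slot(end)
        for i in range(first, last):
            row[i] = operational

    def is_operational(self, when):
        """True if a policy using this schedule is active at the given datetime."""
        row = self.grid[when.weekday()]  # Monday == 0, matching DAYS
        return row[(when.hour * 60 + when.minute) // self.mode]


def business_hours(name="business_hours"):
    """Constructed sample: Monday to Friday, 08:00-18:00, in 30-minute cells."""
    sched = Schedule(name, mode_minutes=30)
    for day in DAYS[:5]:
        sched.set_hours(day, "08:00", "18:00")
    return sched


if __name__ == "__main__":
    s = business_hours()
    for t in (datetime(2005, 4, 11, 9, 0), datetime(2005, 4, 11, 18, 0), datetime(2005, 4, 16, 9, 0)):
        print(t.strftime("%a %H:%M"), "operational" if s.is_operational(t) else "off-hours")
```

Because a cell covers a whole increment, 17:45 is still inside the 17:30 cell of a 30-minute schedule and counts as operational, while 18:00 is the first cell outside the range. Remember that the Firebox evaluates schedules in its own configured time zone, so set the time zone (Setup > System) before relying on a schedule.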
CHAPTER 6
Network Setup and Configuration
When you install the Firebox® in your network and complete the QuickSetup Wizard, you have a basic
configuration file. You then use Policy Manager to make a new configuration file or to change the one
you made with the QuickSetup Wizard.
If you are new to network security, we recommend that you do all the procedures in this chapter to make
sure you configure all the components of your network. In this chapter, you learn how to use Policy Manager to:
• Make a new configuration file
• Configure the Firebox interfaces
• Add a secondary network
• Add DNS and WINS server information
• Configure network and host routes
Making a New Configuration File
The first step to start a new configuration file is to connect to a Firebox® and open Policy Manager. There
are two methods to do this.
Connecting to the Firebox from WSM
1
From WatchGuard® System Manager, select File > Connect To > Device.
Or,
click the Connect to Device icon on the WatchGuard System Manager toolbar. The Connect to Firebox
dialog box appears.
2
Use the drop-down list to select your Firebox, or type its trusted IP address. Type the status
passphrase. Click OK.
The device appears in the WatchGuard System Manager Device tab.
3
Select the Firebox on the Device tab. Then, select Tools > Policy Manager.
Or,
Click the Policy Manager icon on the WatchGuard System Manager toolbar. Policy Manager opens, and
it opens the configuration file in use on the selected Firebox.
Connecting to the Firebox from Policy Manager
1
From WatchGuard System Manager, select Tools > Policy Manager.
Or,
click the Policy Manager icon on the WatchGuard System Manager toolbar. The Policy Manager dialog
box appears.
2
Use the Firebox drop-down list to select the model of Firebox to which you are connected. Click OK.
The new configuration file contains the default parameters for the specified Firebox model.
Note
We recommend that you save the configuration file frequently. Select File > Save > As File.
Changing Firebox Interface IP Addresses
1
From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.
2
Select the interface you want to configure. Click Configure.
The Interface Settings dialog box appears.
3
(Optional) Type a description of the interface in the Interface Description field.
4
You can change the interface type from the Interface Type drop-down list.
5
You can change the interface IP address. Type the IP address in slash notation, for example 10.0.1.1/24.
When you type an IP address, type all the numbers and the periods. Do not use the TAB or arrow key.
6
If you are configuring a trusted or optional interface, select Disable DHCP, DHCP Server, or DHCP
Relay.
See “Configuring the Firebox as a DHCP server” for the DHCP server option, and see “Configuring a DHCP relay” on
page 58 for the DHCP relay option. If you are configuring the external interface, see “Configuring the external
interface” on page 58.
7
Click OK.
Configuring the Firebox as a DHCP server
Dynamic Host Configuration Protocol (DHCP) is an Internet Protocol that makes it easier to control a
large network. A computer you configure as the DHCP server automatically gives IP addresses to the computers on your network. You set the range of addresses. You can configure the Firebox® as a DHCP server
for networks behind the firewall.
If you have a configured DHCP server, we recommend that you continue to use that server for DHCP.
1
Select Network > Configuration.
The Network Configuration dialog box appears.
2
Select the trusted or an optional interface.
3
Click Configure and select DHCP Server.
4
To add an IP address range, click Add and type the first and last IP addresses.
You can configure a maximum of six address ranges.
5
Use the arrow buttons to change the Default Lease Time.
This is the time interval that a DHCP client can use an IP address that it receives from the DHCP server. When the
time is near its limit, the client transmits data to the DHCP server to get a new lease.
Configuring a DHCP relay
One method to get IP addresses for the computers on the Firebox trusted or on an optional network (or
through a VPN tunnel) is to use a DHCP server on a different network. The Firebox can send a DHCP
request to a DHCP server at a different location for the DHCP client. It gives the reply to the computers
on the Firebox trusted or optional network. This option lets computers in more than one office use the
same network address range.
1
Select Network > Configuration.
The Network Configuration dialog box appears.
2
Select the trusted or an optional interface.
3
Click Configure and click DHCP Relay.
4
Type the IP address of the DHCP server in the related field. If necessary, make sure to add a route to
the DHCP server.
5
Click OK. You must restart the Firebox to complete the change.
Configuring the external interface
The Firebox can get a dynamic IP address for the external interface with Dynamic Host Configuration
Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPoE). With DHCP, the Firebox uses a DHCP
server which is controlled by your Internet Service Provider (ISP) to get an IP address, gateway, and netmask. With PPPoE, the Firebox makes a PPPoE protocol connection to the PPPoE server of your ISP. Fireware Pro supports unnumbered and static PPPoE. This connection automatically configures your IP
address, gateway, and netmask. If you configure your external interface using DHCP or PPPoE, you cannot add external secondary networks or use external aliases in Policy Manager.
Note
If you configure more than one interface as an external interface, only the lowest-order external
interface can serve as an IKE gateway or an IPSec tunnel endpoint. If this interface is down, all IPSec
tunnels to and from the Firebox will be removed.
Using a static IP address
1
From the Interface Settings dialog box, select Static.
2
Type the IP address of the default gateway.
3
(Optional) Configure aliases. For more information, see “Working with Aliases” on page 34.
4
Click OK.
Using PPPoE
1
From the Interface Settings dialog box, select PPPoE.
2
Select one of the two options:
- Get an IP address automatically
- Use IP address (supplied by your network administrator).
3
If you selected Use IP Address, enter the IP address in the text box to the right.
4
Type the User Name and Password. You must type the password two times.
5
Click Property to configure PPPoE parameters.
The PPPoE parameters dialog box appears. Your ISP can tell you if it is necessary to change the timeout or LCP
values.
6
Use the radio buttons to select when the Firebox connects with the PPPoE server.
- Always On — The Firebox keeps a constant PPPoE connection, whether or not there is network
traffic on the external interface.
- Dial-on-Demand — The Firebox connects to the PPPoE server only when it gets a request to
send traffic to an IP address through the external interface.
7
In the PPPoE initialization time field, use the arrows to set the time allowed to start a PPPoE
connection.
8
In the LCP echo failure field, use the arrows to set the number of failed LCP echo requests allowed
before the PPPoE connection is closed.
9
In the LCP echo timeout field, use the arrows to set the length of time, in seconds, within which the
response to each LCP echo request must be received.
Using DHCP
1
From the Interface Settings dialog box, select DHCP.
2
In the Host ID text box, type the host ID (client identifier) that your ISP requires the Firebox to send in
its DHCP requests, if any.
Note
If you configure more than one external interface on a Firebox, map the Fully Qualified Domain Name
to the external interface IP address of the lowest order.
Using more than one external interface
You can configure a Firebox with a maximum of four external interfaces, but VPN tunnels only go
through the lowest-order external interface. When you add the Firebox to the Management Server, all of
the IP address properties must match the properties of the lowest-order interface. For example, if the
interface uses a static IP address, you must configure the Management Server with the same IP address as
the lowest-order external interface.
The default configuration sets eth0 as the lowest-order external interface. If you change the interface
type, a different interface can become the lowest-order external interface. For example, if you change eth0
from an external interface to a trusted or optional interface, the lowest-numbered interface that is still
set as external becomes the lowest-order external interface.
Adding Secondary Networks
When you add a secondary network, you make a route from an IP address from the secondary network to
the IP address of the Firebox® interface. Thus, you make (or add) an IP alias to the interface. This IP alias
is the default gateway for all the computers on the secondary network. The secondary network also tells
the Firebox that there is one more network on the Firebox interface.
To use Policy Manager to configure a secondary network:
1
Select Network > Configuration.
The Network Configuration dialog box appears.
2
Select the interface for the secondary network and click Configure.
The Interface Settings dialog box appears.
3
Click Secondary Networks.
The Secondary Networks dialog box appears.
4
Click Add. Type an unassigned IP address from the secondary network.
When you type IP addresses, type all the numbers and the periods. Do not use the TAB or arrow key.
5
Click OK. Click OK again.
Note
Be careful to add secondary network addresses correctly. Policy Manager does not tell you if the
address is correct. WatchGuard® recommends that you do not enter a subnet on one interface that is a
component of a larger network on a different interface. If you do this, the Firebox cannot tell which
interface an address belongs to, packets can be treated as spoofed or routed to the wrong interface, and the
network cannot operate correctly.
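Because Policy Manager does not perform this check, the following Python script, an added example that is not from this guide or from WatchGuard, performs it before you type the addresses in: it flattens the primary and secondary networks of every interface and reports any pair on different interfaces that overlap. It also checks that each secondary address is a usable host address on its network rather than the network or broadcast address, and that it does not repeat the interface's primary address. The interface names and addresses in `SAMPLE_INTERFACES` are constructed.

```python
"""Check interface primary and secondary networks for the cross-interface overlap
the note warns about (Policy Manager does not check this for you).

Added example, not WatchGuard code. Interface names and addresses are constructed.
"""
import ipaddress

# Constructed sample: the trusted secondary network 192.168.10.0/24 contains the
# optional interface's 192.168.10.128/25, which is exactly the mistake to avoid.
SAMPLE_INTERFACES = {
    "external": {"primary": "203.0.113.2/24", "secondary": []},
    "trusted": {"primary": "10.0.1.1/24", "secondary": ["192.168.10.1/24"]},
    "optional": {"primary": "192.168.10.129/25", "secondary": []},
}


def interface_networks(interfaces):
    """Flatten to (interface, network) pairs; primary first, then each secondary."""
    pairs = []
    for name, cfg in interfaces.items():
        pairs.append((name, ipaddress.ip_interface(cfg["primary"]).network))
        for alias in cfg.get("secondary", []):
            pairs.append((name, ipaddress.ip_interface(alias).network))
    return pairs


def overlapping_networks(interfaces):
    """Return (iface_a, net_a, iface_b, net_b) for every overlap across interfaces."""
    pairs = interface_networks(interfaces)
    found = []
    for i, (if_a, net_a) in enumerate(pairs):
        for if_b, net_b in pairs[i + 1:]:
            if if_a != if_b and net_a.overlaps(net_b):
                found.append((if_a, str(net_a), if_b, str(net_b)))
    return found


def secondary_address_problems(interfaces):
    """A secondary address must be a usable host on its network and must not
    repeat the interface's primary address."""
    problems = []
    for name, cfg in interfaces.items():
        primary = ipaddress.ip_interface(cfg["primary"])
        for alias in cfg.get("secondary", []):
            sec = ipaddress.ip_interface(alias)
            if sec.ip in (sec.network.network_address, sec.network.broadcast_address):
                problems.append(f"{name}: {alias} is not a usable host address")
            if sec.ip == primary.ip:
                problems.append(f"{name}: {alias} duplicates the primary address")
    return problems


if __name__ == "__main__":
    for hit in overlapping_networks(SAMPLE_INTERFACES):
        print("overlap: %s %s <-> %s %s" % hit)
    print(secondary_address_problems(SAMPLE_INTERFACES) or "secondary addresses ok")
```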
Adding WINS and DNS Server Addresses
A number of the features of the Firebox® must have shared Windows Internet Name Server (WINS) and
Domain Name System (DNS) server addresses. These features include DHCP and Remote User VPN. Access
to these servers must be available from the trusted interface of the Firebox.
Make sure that you use only an internal WINS and DNS server for DHCP and Remote User VPN. This helps
to make sure that you do not make policies which have configuration properties that prevent users from
connecting to the DNS server.
1
From Policy Manager, select Network > Configuration. Click the WINS/DNS tab.
The WINS/DNS tab appears.
2
Type the primary and secondary addresses for the WINS and DNS servers. If necessary, type a domain
name for the DNS server.
Configuring Routes
A route is the sequence of devices through which network traffic must go to get from its source to its
destination. A router is the device in a route that finds the subsequent network point through which to
send the network traffic to its destination. Each router is connected to a minimum of two networks. A
packet can go through a number of network points with routers before it gets to its destination.
The Firebox® lets you create static routes to send traffic from its interfaces to a router. The router can
then send the traffic to the applicable destination in the specified route.
The WatchGuard® Users Forum is also a good source of data about network routes and routers. Use your
LiveSecurity service to find information.
Adding a network route
Add a network route if you have a full network behind a router on your local network. Type the network
IP address, with slash notation.
1
From Policy Manager, select Network > Routes.
The Setup Routes dialog box appears.
2
Click Add.
The Add Route dialog box appears.
3
Select Network IP from the drop-down list.
4
In the Route To text box, type the IP address. Use slash notation.
For example, type 10.10.1.0/24.
5
In the Gateway text box, type the IP address of the router.
Make sure that you enter an IP address that is on one of the same networks as the Firebox.
6
Click OK to close the Add Route dialog box.
The Setup Routes dialog box shows the configured network route.
7
Click OK again to close the Setup Routes dialog box.
Adding a host route
Add a host route if there is only one host behind the router or you want traffic to go to only one host.
Type the IP address of that specified host, with no slash notation.
1
From Policy Manager, select Network > Routes.
The Setup Routes dialog box appears.
2
Click Add.
The Add Route dialog box appears.
3
Select Host IP from the drop-down list.
4
In the Route To text box, type the host IP address.
5
In the Gateway text box, type the IP address of the router.
Make sure that you enter an IP address that is on one of the same networks as the Firebox.
6
Click OK to close the Add Route dialog box.
The Setup Routes dialog box shows the configured host route.
7
Click OK again to close the Setup Routes dialog box.
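The two procedures above share the same constraints: a network route is typed as the network address in slash notation, a host route as a bare address, and in both cases the gateway must sit on a network to which the Firebox is directly connected. The following Python script, an added example that is not from this guide or from WatchGuard, checks a candidate route against those constraints before you enter it. The `CONNECTED` interface list and the sample routes are constructed; the extra check that the destination is not already a directly connected network is this example's addition.

```python
"""Validate a static route before it is typed into the Add Route dialog.

Added example, not WatchGuard code. Addresses are constructed samples.
"""
import ipaddress

# Constructed: the networks the Firebox interfaces are configured with.
CONNECTED = ["203.0.113.2/24", "10.0.1.1/24", "10.0.3.1/24"]


def parse_route_to(route_to):
    """Network routes use slash notation and must be the network address;
    host routes have no slash and become a /32."""
    if "/" in route_to:
        return ipaddress.ip_network(route_to, strict=True)  # rejects host bits, e.g. 10.10.1.5/24
    return ipaddress.ip_network(route_to + "/32")


def validate_route(route_to, gateway, connected=CONNECTED):
    """Return a list of problems; empty means the route is consistent with the interfaces."""
    problems = []
    dest = None
    try:
        dest = parse_route_to(route_to)
    except ValueError:
        problems.append(
            f"Route To {route_to!r}: a network route must be the network address "
            "in slash notation, e.g. 10.10.1.0/24"
        )
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        problems.append(f"Gateway {gateway!r} is not an IP address")
        return problems
    links = [ipaddress.ip_interface(c) for c in connected]
    if not any(gw in link.network for link in links):
        problems.append(f"Gateway {gateway} is not on any network directly connected to the Firebox")
    elif any(gw == link.ip for link in links):
        problems.append(f"Gateway {gateway} is the Firebox's own interface address")
    if dest is not None:
        for link in links:
            if dest.subnet_of(link.network):
                problems.append(
                    f"Route To {route_to} is already directly connected via {link.with_prefixlen}"
                )
                break
    return problems


if __name__ == "__main__":
    for route_to, gateway in (("10.10.1.0/24", "10.0.1.254"), ("10.10.1.5", "10.0.1.254"),
                              ("10.10.1.5/24", "10.0.1.254"), ("10.10.1.0/24", "172.16.0.1")):
        print(route_to, "via", gateway, "->", validate_route(route_to, gateway) or "ok")
```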
Setting Firebox Interface Speed and Duplex
You can set the speed and duplex parameters for Firebox® interfaces to automatic or manual configuration. WatchGuard® recommends that you set the speed and duplex parameters to match the device to which the Firebox
connects. Use manual settings only when you must override auto-negotiation to operate with another device on
your network. If one side of a link is fixed to full duplex while the other side auto-negotiates, the auto-negotiating side falls back to half duplex, and the resulting mismatch causes errors and poor throughput.
1
Select Network > Configuration. Click the interface you want to configure.
2
Click Advanced Settings.
The Advanced Settings dialog box appears.
3
From the MTU spin control, select the maximum packet size, in bytes, that can be transmitted
through the interface.
A typical value is 1,500 bytes.
4
From the Link Speed drop-down list, select Auto Negotiate or one of the half-duplex or full-duplex
speeds.
5
Click OK to close the Advanced Settings dialog box. Click OK again to close the Network
Configuration dialog box.
CHAPTER 7
Configuring Policies
In Policy Manager, there are two categories of policies: packet filters and proxies.
A packet filter examines each packet’s IP and transport headers and is the most basic feature of a firewall. It controls the
network traffic into and out of your Firebox®. If the header information matches a policy that allows the traffic, the firewall
allows the packet. If it does not, the Firebox drops the packet. It can also
record a log message or send an error message to the source.
A proxy examines the header information in the same way as a packet filter, but it also examines the content. If the content does not match the criteria you set, it denies the packet. A proxy operates
at the application layer, while a packet filter operates at the network and transport layers. When
you activate a proxy, the Firebox:
• Strips the network and transport headers from the data
• Examines the contents for RFC compliance and content type
• Rebuilds the packets with new headers
• Sends the packets to their destination
A proxy uses more resources and bandwidth than a packet filter. But a proxy catches dangerous content
types that a packet filter cannot.
In this guide, we refer to packet filters and proxies together as policies. Unless we tell you differently, the
procedures refer to both proxies and packet filters.
Policy Manager shows each packet filter and proxy as an icon. The traffic is allowed or denied, and you
can configure the source and destination. You also set rules for logging and notification and configure
the ports, protocols, and other parameters of the packet filter or proxy.
WatchGuard® Fireware includes many pre-configured packet filters and proxies. For example, if you want
a packet filter for all Telnet traffic, you add a Telnet packet filter. You can also make a custom packet filter for which you set the ports, protocols, and other parameters.
Creating Policies for your Network
The security policy of your organization is a set of rules that define how you protect your computer network and the information that goes through it. The Firebox® denies all packets that are not specially
approved. This security policy helps to protect your network from:
• Attacks using new or different IP protocols
• Unknown applications
When you configure the Firebox with the Quick Setup Wizard, you set only the basic packet filters (DNS
client, FTP, and TCP outgoing proxy) and interface IP addresses. If you have more software applications
and network traffic for the Firebox to route, you must:
• Configure the policies on the Firebox to let necessary traffic through
• Set the approved hosts and properties for each policy
• Balance the requirement to protect your network against the requirements of your users to get
access to external resources
We recommend that you set limits on outgoing access when you configure your Firebox.
Adding Policies
You add policies with Policy Manager. Policy Manager shows icons or listings to identify the policies that
you configure on the Firebox®. For each policy you can:
• Set allowed traffic sources and destinations
• Make filter rules and policies
• Enable or disable the policy
• Configure properties such as QoS, NAT, schedules, and logging
Changing the Policy Manager View
Policy Manager has two views: Large Icons and Details. The Large Icons view shows each policy as an
icon. To change to the Large Icons view, select Large Icons from the View menu.
Large Icons View
To change to the Details view, select Details from the View menu. In the Details view, each policy is a
row. You can see configuration information such as source and destination and logging and notification
parameters.
Details View
Adding a policy
You use Policy Manager to add a packet filter or proxy to your configuration. To add a policy:
1
In Policy Manager, right-click an empty location and select New Policy.
You can also select Edit > Add Policies. The Policies dialog box appears.
2
Click the plus (+) sign on the left side of the folder to expand the Packet Filters or Proxies folders.
A list of packet filters or proxies appears.
3
Single-click the name of the policy to add.
When you select a policy, the policy icon appears in the area below the New, Edit, and Remove buttons. Also, the
Details box shows the basic information about the policy.
4
Click Add.
The New Policy Properties dialog box appears.
5
You are able to change the name of the policy here. This information appears in the Policy Manager
Details view. If you want to change the name, type a new name in the Name text box.
6
Click OK to close the Properties dialog box.
You can add more than one policy while the Policies dialog box is open.
7
Click Close.
The new policy appears in Policy Manager. You can now set policy properties, as described in “Configuring Policy
Properties” on page 70.
Making a custom policy template
Policy Manager includes many packet filter policy templates. You can also make a custom policy template.
A template includes ports and protocols that identify one type of network traffic. It could be necessary to
make a custom policy template if you add a new software application behind your firewall.
1
In Policy Manager, right-click and select New Policy.
You can also select Edit > Add Policies. The Policies dialog box appears.
2
Click New.
The New Policy Template dialog box appears.
3
In the Name text box, type the name of the policy template.
This name must not be the same as names in the list in the Add Policy dialog box. The name appears in Policy
Manager as the policy type. It helps you to find the policy when you want to change or remove it.
4
In the Description text box, type a description of the policy.
This appears in the Details section when you click the policy name in the list of User Filters.
5
Select the type of policy: Packet Filter or Proxy.
The Proxy option provides these options:
- DNS
- FTP
- HTTP
- TCP
- SMTP
6
To add protocols for this policy, click Add.
The Add Protocol dialog box appears.
7
From the Type drop-down list, select Single Port or Port Range.
8
From the Protocol drop-down list, select the protocol for this new policy. For more information about
network protocols, see the Reference Guide or online help system. When you select Single Port, you
can select:
- TCP
- UDP
- GRE
- IP
- AH
- ESP
- ICMP
- IGMP
- OSPF
- Any
When you select Port Range, you can select TCP or UDP.
9
From the Server Port drop-down list, select the server port for this new policy. If you selected Port
Range, select a starting server port and an ending server port.
10 Click OK.
Policy Manager adds the values to the New Policy Template dialog box. Make sure that the name, information, and
configuration of this policy are correct. If necessary, click Add to configure more ports for this policy. Do the Add
Port procedure again and again until you configure all ports for the policy.
11 Click OK.
The Add Policy dialog box appears with the new policy in the Custom folder.
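To make concrete what a policy template is and how the Firebox's deny-by-default rule uses it, the following Python model is an added example, not code from this guide or from WatchGuard. A template is a list of protocol and server-port entries (a single port or a port range, as in the dialog above); a policy attaches a template to From and To lists and an allow or deny action; traffic that matches no enabled policy is denied. The templates, addresses and policy names are constructed, and the model evaluates policies in list order with the first match winning, which is a simplifying assumption: the real Firebox applies its own precedence rules.

```python
"""Simplified model of Fireware policies: a template (protocol and port list) plus
From/To lists and an allow/deny action, evaluated with the Firebox's deny-by-default rule.

Added example, not WatchGuard code. This model evaluates policies in list order
(first match wins), which is an assumption; the real Firebox applies its own
precedence rules. Templates, addresses and policy names are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class PortSpec:
    protocol: str          # tcp, udp, icmp, gre, ... or "any"
    first: int = 0         # server port range (single port: first == last)
    last: int = 0

    def matches(self, protocol, dport):
        if self.protocol != "any" and self.protocol != protocol:
            return False
        if self.protocol in ("tcp", "udp"):
            return self.first <= dport <= self.last
        return True            # protocols without ports match on protocol alone


@dataclass(frozen=True)
class Template:
    name: str
    ports: tuple           # one or more PortSpec entries


@dataclass(frozen=True)
class Policy:
    name: str
    template: Template
    action: str            # "allow" or "deny"
    sources: tuple         # From list: CIDRs, host addresses or "Any"
    destinations: tuple    # To list
    enabled: bool = True


def address_in(addr, members):
    ip = ipaddress.ip_address(addr)
    return any(m == "Any" or ip in ipaddress.ip_network(m, strict=False) for m in members)


def evaluate(policies, src, dst, protocol, dport=0):
    """Return (action, policy_name); traffic matching no policy is denied by default."""
    for p in policies:
        if not p.enabled:
            continue
        if not any(ps.matches(protocol, dport) for ps in p.template.ports):
            continue
        if not (address_in(src, p.sources) and address_in(dst, p.destinations)):
            continue
        return p.action, p.name
    return "deny", "default"


# Constructed templates: two built-in style filters and one custom template with
# a TCP port range plus a single UDP port, as created in the New Policy Template dialog.
TELNET = Template("Telnet", (PortSpec("tcp", 23, 23),))
HTTP = Template("HTTP", (PortSpec("tcp", 80, 80),))
VENDOR_APP = Template("VendorApp", (PortSpec("tcp", 5000, 5010), PortSpec("udp", 5000, 5000)))

# Constructed policies, including the "restricted vs. full web access" pair the
# guide describes: the management subnet gets the broader policy first.
SAMPLE_POLICIES = (
    Policy("Telnet-deny", TELNET, "deny", ("Any",), ("Any",)),
    Policy("full_web_access", HTTP, "allow", ("10.0.1.0/28",), ("Any",)),
    Policy("restricted_web_access", HTTP, "allow", ("10.0.1.0/24",), ("198.51.100.0/24",)),
    Policy("VendorApp-out", VENDOR_APP, "allow", ("10.0.1.0/24",), ("198.51.100.7",)),
)


if __name__ == "__main__":
    for pkt in (("10.0.1.5", "203.0.113.10", "tcp", 23), ("10.0.1.200", "203.0.113.10", "tcp", 80),
                ("10.0.1.200", "198.51.100.7", "udp", 5000), ("10.0.1.200", "198.51.100.7", "tcp", 5011)):
        print(pkt, "->", evaluate(SAMPLE_POLICIES, *pkt))
```

The last sample packet, TCP port 5011 to the vendor host, falls just outside the custom template's range and is denied by the default rule, which is the behaviour the section on creating policies describes: anything not specifically approved is dropped.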
Adding more than one policy of the same type
If your security policy lets you, you can add the same policy more than one time. For example, you can
set a limit on the Web access for most users, while you give full Web access to your management. To do
this, you make two different policies with different properties for outgoing traffic:
1
Add the first policy.
2
Change the name of the policy to reflect its function in your security policy and add the related
information.
In the example of the different policies given before, you can name the first policy “restricted_web_access.”
3
Click OK. The Properties dialog box of the policy appears. Set the properties as described in
“Configuring Policy Properties” on page 70.
4
5
Add the second policy.
Click OK. The Properties dialog box of the policy appears. Set the properties.
Deleting a policy
As your security policy changes, it is sometimes necessary to remove one or more policies. To remove a
policy, you first remove it from Policy Manager. Then you save the new policy to the Firebox.
1 From Policy Manager, click the icon of the policy.
2 Right-click and select Delete.
You can also select Edit > Delete Policy.
3 When asked to confirm, click Yes.
4 Save the configuration to the Firebox and start the Firebox again. Select File > Save > To Firebox.
Type the configuration passphrase. Select the Save to Firebox check box. Click Save.
Configuring Policy Properties
If you added a policy and want to change its properties, double-click the policy icon to open the Edit
Policy Properties dialog box.
Setting access rules, sources, and destinations
You use the Policy tab to configure access rules for a given policy.
The Policy tab shows:
• If traffic using this policy is allowed or denied.
• Who uses this policy to start a connection with the users, hosts, and networks reachable through
the Firebox®.
• The destinations for the traffic for this policy.
On the From list, you add the computers and networks that can send (or cannot send) network traffic
with this policy. On the To list, you add computers and networks to which the Firebox routes traffic if it
matches the policy specifications. For example, you could configure a ping packet filter to allow traffic
from all computers on the external network to one Web server on your optional network.
You can use the following settings to determine how traffic is handled:
Allowed
The Firebox allows traffic using this policy if it obeys the rules you set for source and destination.
Denied
The Firebox denies all traffic that matches this policy. You can configure it to record a log
message when a computer tries to use this policy. It can also automatically add a computer or
network that tries to start a connection with this policy to the Blocked Sites list (configured on
the Properties tab).
Denied (send reset)
The Firebox denies all traffic that matches this policy. It can also automatically add a computer
or network that tries to start a connection with this policy to the Blocked Sites list (configured on
the Properties tab). The Firebox also sends a reset (RST) packet to tell the client that the session
is refused and closed. A plain Denied policy silently drops the packet, so the client waits for a
time-out; Denied (send reset) gives the client an immediate answer, which is friendlier to legitimate
users but also tells a port scanner at once that the port is not open.
1 From the Policy tab, specify whether connections are Allowed, Denied, or Denied (send reset).
2 To add members for the policy, click Add for the From or the To member list.
3 Use the Add Address dialog box to add a network, IP address, or specified user to a policy. Click either
Add User or Add Other.
4 If you selected Add Other, from the Choose Type drop-down list, select the host range, host IP, or
network IP to add. In the Value text box, type the correct address, range, or IP. Click OK.
The member or address appears in the Selected Members and Addresses list.
5 If you selected Add User, select the type of user or group, select the authentication server, and
whether you are adding a user or group.
6 Click OK.
Setting logging properties
Use the Properties tab of the Policy Properties dialog box to set logging properties for a policy. You can
configure the Firebox to make a log entry when a policy denies packets. You can also set up notification
when packets are allowed or denied.
1 From the Properties tab, click Logging.
The Logging and Notification dialog box appears.
2 Set the parameters and notification:
Enter it in the log
When you enable this check box, the Firebox sends a log message when it sees traffic of the type
selected in the Category list. Domain name resolution on the Firebox can slow the time for the
Firebox to send the log message to the log file. The default configuration of all policies is for the
Firebox to send a log message when it denies a packet.
Send SNMP Trap
When you enable this check box, the Firebox sends an event notification to the SNMP
management system. The trap identifies the occurrence of a condition such as a threshold that
has exceeded its predetermined value.
Send notification
When you enable this check box, the Firebox sends a notification when it sees traffic of the type
selected in the Category list. You set the notification parameters with the Log Server. For more
information on the Log Server, refer to the WatchGuard System Manager Configuration Guide.
You can configure the Firebox to do one of these actions:
- E-mail The Firebox sends an e-mail message when the event occurs. Set the e-mail address in
the Notification tab of the Log Server user interface.
- Pop-up Window The Firebox makes a dialog box appear on the management station when
the event occurs.
You can control the time of notification, together with the Repeat Count. For information how
to use the Launch Interval and Repeat Count settings, see the next section.
Setting Launch Interval and Repeat Count
You can control the time of the notification, together with the Repeat Count, as follows:
Launch Interval
The minimum time (in minutes) between different notifications. This parameter prevents multiple
notifications in a short time for the same event.
Repeat Count
This counts how frequently an event occurs. When this gets to the selected value, a special repeat
notifier starts. This notifier makes a repeat log entry about that specified notification.
Notification starts again after this number of events.
Here is an example of how to use these two values. The values are set up as follows:
• Launch interval = 5 minutes
• Repeat count = 4
A port space probe starts at 10:00 a.m. and continues each minute. This starts the logging and notification mechanisms. These are the times and the actions that occur:
1 10:00—Initial port space probe (first event)
2 10:01—First notification starts (one event)
3 10:06—Second notification starts (reports five events)
4 10:11—Third notification starts (reports five events)
5 10:16—Fourth notification starts (reports five events)
The launch interval controls the time intervals between the events 1, 2, 3, 4, and 5. This was set to 5 minutes. Multiply the repeat count by the launch interval. This is the time interval an event must continue to
start the repeat notifier.
If the policy you configured is a proxy, a Proxy drop-down list appears along with the View/Edit Proxy
and Clone Proxy icons. For information on how to use these options, see the “Configuring Proxied Policies” chapter in this guide.
Note
A single policy manages either allowed or denied traffic, but not both. If you want to log both
allowed and denied traffic, you must use different policies for each.
Configuring static NAT
Static NAT is also known as port forwarding. Static NAT is a port-to-host NAT. A host sends a packet
from the external network to a specified public address and port. Static NAT changes this address to an
address and port behind the firewall. For more information on NAT, see the “Working with Firewall NAT”
chapter in this guide.
Because of how static NAT operates, it is available only for policies that use a specified port, which
means TCP and UDP. A policy that uses another protocol cannot use incoming static NAT, and the NAT
button in the Properties dialog box of the policy is not available. You also cannot use static NAT with the
Any policy.
1 In Policy Manager, double-click the policy icon.
2 From the Connections are drop-down list, select Allowed.
To use static NAT, the policy must let incoming traffic through.
3 Below the To list, click Add.
The Add Address dialog box appears.
4 Click NAT.
The Add Static NAT dialog box appears.
Note
Mail servers must use the correct external address of the Firebox for incoming NAT. If not, mail
problems can occur.
5 From the External IP Address drop-down list, select the “public” address to use for this policy.
6 Type the internal IP address.
The internal IP address is the destination on the trusted network.
7 If necessary, select the Set internal port to different port than service check box.
You usually do not use this feature. It enables you to change the packet destination not only to a specified internal
host but also to a different port. If you select the check box, type the different port number or use the arrow
buttons in the Internal Port box.
8 Click OK to close the Add Static NAT dialog box.
The static NAT route appears in the Members and Addresses list.
9 Click OK to close the Add Address dialog box. Click OK to close the Properties dialog box of the
policy.
Setting advanced properties
You use the Advanced tab of the Edit Policy Properties dialog box to set the schedule, implement Quality of Service (QoS) settings, apply NAT rules, implement ICMP error handling for this policy, and implement a custom idle timeout.
Setting a schedule
You can set an operating schedule for the policy. You can use the schedule templates in the drop-down
list or create a custom schedule. For information, see “Creating Schedules” on page 52.
Note that schedules can be shared by more than one policy.
Applying a Quality of Service (QoS) action
You can assign a Quality of Service action to the policy. Use the button on the far right to create a new
QoS action. After you create a new QoS action, it appears in the QoS drop-down list. For more information, see “Creating QoS Actions” on page 183.
Note that these actions can be shared by more than one policy.
Applying NAT rules
You can apply Network Address Translation (NAT) rules to a policy:
1-to-1 NAT
With this type of NAT, the Firebox uses private and public IP ranges that you set, as described in
“Using 1-to-1 NAT” on page 103.
Dynamic NAT
With this type of NAT, the Firebox maps private IP addresses to public IP addresses. Select Use
global table if you want to use the dynamic NAT rules set for the Firebox. Select All traffic in
this policy if you want to apply NAT to all traffic in this policy.
1-to-1 NAT rules have higher precedence than dynamic NAT rules.
Setting ICMP error handling
You can set the ICMP error handling settings associated with the policy.
From the drop-down list, select:
Use global setting
Use the global ICMP error handling setting set for the Firebox. For information on this global
setting, see “ICMP error handling” on page 40.
Specify setting
Specify a setting that overrides the global setting. Click ICMP Setting. From the ICMP Error
Handling Settings dialog box, select the check boxes to configure individual settings. For
information on these settings, see “ICMP error handling” on page 40.
Setting a custom idle timeout
To set an idle time-out, click Specify Custom Idle Timeout and click the arrows to set the number of
seconds before time-out. This setting overrides the default idle time-out for connections that use this policy.
Setting Policy Precedence
Precedence is the sequence in which the Firebox® examines network traffic and applies a policy rule. The
Firebox routes the traffic using the rules for the first policy that the traffic matches. Fireware Policy Manager automatically sorts policies from the most detailed to the most general. You can also manually set
the precedence.
Using automatic order
Fireware Policy Manager automatically sorts policies from the most detailed to the most general. Each
time you add a policy, Policy Manager compares the new rule with all the rules in your configuration file.
To set the precedence, Policy Manager uses these criteria:
1 Protocols set for the policy type
2 Traffic rules of the To field
3 Traffic rules of the From field
4 Firewall action
5 Schedule
6 Alphanumeric sequence based on policy type
7 Alphanumeric sequence based on policy name
Comparing policy type
Policy Manager uses these criteria in sequence to compare two policies until it finds that the policies are
equal or that one is more detailed than the other:
1 An Any policy always has the lowest precedence. For more information about the Any policy, see
“Any” on page 213.
2 Check for the number of TCP 0 (any) or UDP 0 (any) protocols. The policy with the smaller number
has higher precedence.
3 Count the number of unique ports for the TCP and UDP protocols. The policy with the smaller
number has higher precedence.
4 Score the protocols based on their IP protocol value. The policy with the smaller score has higher
precedence.
If Policy Manager cannot set the precedence when it compares the policy type, it examines traffic rules.
Comparing traffic rules
Policy Manager uses these criteria in sequence to compare the most general traffic rule of one policy with
the most general traffic rule of a second policy. It assigns higher precedence to the policy with the most
detailed traffic rule. The list of traffic rules from most detailed to the most general:
1 Host address
2 IP address range (smaller than the subnet being compared to)
3 Subnet
4 IP address range (larger than the subnet being compared to)
5 Authentication user
6 Authentication group
7 Interface, Firebox
8 Any-External, Any-Trusted, Any-Optional
9 Any
For example, compare these two policies:
HTTP-1
From: Trusted, user1
HTTP-2
From: 10.0.0.1, Any-Trusted
“Trusted” is the most general entry for HTTP-1. “Any-Trusted” is the most general entry for HTTP-2.
Because “Trusted” is within “Any-Trusted,” HTTP-1 is the more detailed traffic rule. This is correct despite
the fact that HTTP-2 includes an IP address.
If Policy Manager cannot set the precedence when it compares the traffic rules, it examines the firewall
actions.
Comparing firewall actions
Policy Manager compares the firewall actions of two policies to set precedence. Precedence of firewall
actions from highest to lowest is:
1 Denied or Denied (send reset)
2 Allowed Proxy
3 Allowed Filter
If Policy Manager cannot set the precedence when it compares the firewall actions, it examines the schedules.
Comparing schedules
Policy Manager compares the schedules of two policies to set precedence. Precedence of schedules from
highest to lowest is:
1 Always off
2 Sometimes on
3 Always on
If the Policy Manager cannot set the precedence when it compares the schedules, it examines the policy
names.
Comparing type and names
If the two policies do not match any other precedence criteria, Policy Manager sorts the policies in alphanumeric sequence. First it uses the policy type. Then it uses the policy name. Because no two policies can
be the same type and have the same name, this is the last criteria for precedence.
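The ordering rules above can be checked by running them. The comparator below is an added example written against this guide's text, not Policy Manager's own code: the Policy and Member classes, the numeric ranks and the protocol scores (IP protocol numbers, with "ip" scored highest) are assumptions, and the range-versus-subnet rule is applied by comparing a range's address count with the smallest subnet in the other policy. It reproduces the HTTP-1/HTTP-2 case from the text and also shows a Denied policy sorting ahead of an Allowed one of the same type, a policy with more ports sorting lower, and the Any policy sorting last.

```python
from dataclasses import dataclass
from functools import cmp_to_key
from typing import List, Tuple

# Traffic-rule kinds from most detailed (1) to most general (9), per the guide's list.
RANK = {"host": 1, "range_below_subnet": 2, "subnet": 3, "range_above_subnet": 4,
        "user": 5, "group": 6, "interface": 7, "alias": 8, "any": 9}
ACTION_RANK = {"denied": 0, "denied_reset": 0, "allowed_proxy": 1, "allowed_filter": 2}
SCHEDULE_RANK = {"always_off": 0, "sometimes_on": 1, "always_on": 2}
# Assumed scores for the "score the protocols" step (IP protocol numbers; "ip" = any protocol).
PROTO_SCORE = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "gre": 47, "esp": 50,
               "ah": 51, "ospf": 89, "ip": 256}


@dataclass
class Member:
    kind: str       # host, range, subnet, user, group, interface, alias (Any-Trusted etc.), any
    size: int = 1   # address count, used only for range and subnet


@dataclass
class Policy:
    name: str
    ptype: str                         # policy type, e.g. "HTTP"; "Any" for the Any policy
    protocols: List[Tuple[str, int]]   # (protocol, port); port 0 means TCP 0 / UDP 0 (any port)
    from_: List[Member]
    to: List[Member]
    action: str
    schedule: str = "always_on"


def type_key(p: Policy) -> Tuple[int, int, int]:
    """Comparing policy type: TCP 0/UDP 0 count, unique port count, protocol score."""
    tcp_udp = [(proto, port) for proto, port in p.protocols if proto in ("tcp", "udp")]
    any_port = sum(1 for _, port in tcp_udp if port == 0)
    unique_ports = len({port for _, port in tcp_udp if port})
    score = sum(PROTO_SCORE.get(proto, 255) for proto, _ in p.protocols)
    return (any_port, unique_ports, score)


def member_rank(m: Member, other: List[Member]) -> int:
    """Rank one member; a range is ranked against the subnets of the other policy."""
    if m.kind == "range":
        subnets = [o.size for o in other if o.kind == "subnet"]
        if subnets and m.size > min(subnets):
            return RANK["range_above_subnet"]
        return RANK["range_below_subnet"]
    return RANK[m.kind]


def most_general(members: List[Member], other: List[Member]) -> int:
    return max(member_rank(m, other) for m in members)


def compare(a: Policy, b: Policy) -> int:
    """Negative when a takes precedence over b; applies the guide's criteria in order."""
    if (a.ptype == "Any") != (b.ptype == "Any"):
        return 1 if a.ptype == "Any" else -1
    keys = [
        (type_key(a), type_key(b)),
        (most_general(a.to, b.to), most_general(b.to, a.to)),            # To field first
        (most_general(a.from_, b.from_), most_general(b.from_, a.from_)),
        (ACTION_RANK[a.action], ACTION_RANK[b.action]),
        (SCHEDULE_RANK[a.schedule], SCHEDULE_RANK[b.schedule]),
        (a.ptype.lower(), b.ptype.lower()),
        (a.name.lower(), b.name.lower()),
    ]
    for ka, kb in keys:
        if ka != kb:
            return -1 if ka < kb else 1
    return 0


def auto_order(policies: List[Policy]) -> List[str]:
    return [p.name for p in sorted(policies, key=cmp_to_key(compare))]


# Constructed policies; HTTP-1 and HTTP-2 mirror the guide's example.
EXT = [Member("alias")]                                   # Any-External
HTTP1 = Policy("HTTP-1", "HTTP", [("tcp", 80)], [Member("interface"), Member("user")], EXT, "allowed_proxy")
HTTP2 = Policy("HTTP-2", "HTTP", [("tcp", 80)], [Member("host"), Member("alias")], EXT, "allowed_proxy")
SMTP_DENY = Policy("SMTP-block", "SMTP", [("tcp", 25)], [Member("any")], [Member("any")], "denied")
SMTP = Policy("SMTP", "SMTP", [("tcp", 25)], [Member("any")], [Member("any")], "allowed_proxy")
WEB = Policy("Web", "Web", [("tcp", 80), ("tcp", 443)], [Member("any")], [Member("any")], "allowed_filter")
ANY = Policy("Any", "Any", [("ip", 0)], [Member("any")], [Member("any")], "allowed_filter")

if __name__ == "__main__":
    print(auto_order([ANY, WEB, SMTP, HTTP2, HTTP1, SMTP_DENY]))
```

Note that HTTP-1 sorts first even though HTTP-2 names a single host: only the most general entry of each From list is compared, exactly as the text explains.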
Setting precedence manually
To switch to manual-order mode, select View > Auto-order mode so that the check mark disappears. You
are asked to confirm that you want to switch to manual-order mode.
To change the order of policies:
• Select the policy whose order you want to change. Click either the up or down arrow on the far
right side of the Policy Manager toolbar.
or
• Select the policy whose order you want to change and drag it to its new location.
CHAPTER 8
Configuring Proxied Policies
Proxy filters do much more than packet filters. A proxy examines the contents of a packet, not only the
header. As a result, the proxy finds forbidden content hidden or embedded in the data payload. For example, an SMTP proxy examines all incoming SMTP packets (e-mail) to find forbidden content, such as executable programs or files written in scripting languages. Attackers frequently use these methods to send
computer viruses. The SMTP proxy knows these content types are not allowed, while a packet filter cannot detect the unauthorized content in the packet’s data payload.
WatchGuard proxies also look for application protocol anomalies and stop malformed packets. If an SMTP
packet is malformed or contains unexpected content, it cannot go through the Firebox.
Proxy policies operate at the application, network, and transport protocol levels. Packet filter policies
operate at only the network and transport protocol level. In other words, a proxy gets each packet,
removes the network layer, and examines its payload. The proxy then puts the network information back
on the packet and sends it to its destination on your trusted and optional networks. This adds more work
for your firewall for the same volume of network traffic. But a proxy uses methods that packet filters cannot to catch dangerous packets.
Defining Rules
A ruleset is a group of rules based on one feature of a proxy. When you configure a proxy, you can see the
rulesets for that proxy in the Categories list. The rulesets you see change when you change the proxy
action on the Properties tab of a proxy configuration window.
A proxy can have more than one proxy action associated with it. For example, you can use one ruleset for
packets sent to an e-mail server protected by the Firebox and a different ruleset to apply to e-mail messages being sent out through the Firebox to the Internet. You can use the existing proxy actions, or clone
an existing proxy action to create a new proxy action.
A rule includes a type of content, pattern, or expression and the action the Firebox® does when a component of the packet’s content matches a rule. Rules also include settings for when the Firebox sends alarms
or if it sends events to the log file.
For most proxy features, the Firebox has a preinstalled ruleset. But you can edit the rules in a ruleset to
change the action for the rules. You can also add your own rules.
The fields you use for these rule definitions look the same for each category of ruleset. The simple view is
shown below. You can also select Change View to see the advanced view.
Use the advanced view to improve the matching function of a proxy. In advanced view, you can configure
exact match and Perl-compatible regular expressions. In simple view, you can configure wildcard pattern
matching with simple regular expressions.
Adding rulesets
From the simple view, do these steps to add new rules:
1 In the Pattern text box, type a pattern that uses simple regular expression syntax.
The wildcard for zero or more characters is “*”.
The wildcard for exactly one character is “?”.
2 Click Add.
The new rule appears in the Rules box.
3 In the Actions to take section, the If matched drop-down list sets the action to do if the contents of a
packet match one of the rules in the list. The None matched drop-down list sets the action to do if
the contents of a packet do not match a rule in the list. Below is a list of all possible actions. The
actions Strip and Lock apply only to signature-based intrusion prevention actions.
Allow
Allows the connection.
Deny
Denies a specific request but keeps the connection if possible.
Drop
Denies the specific request and drops the connection.
Block
Denies the request, drops the connection, and adds the source host to the Blocked Sites list. For
more information on blocked sites, see “Setting Blocked Sites” on page 135.
Strip
Removes an attachment from a packet and discards it. The other parts of the packet are sent
through the Firebox to its destination.
Lock
Locks an attachment, and wraps it so that it cannot be opened by the user. Only the
administrator can unlock the file.
4 An alarm is a mechanism to tell users when a proxy rule applies to network traffic. Use the Alarm
check box to configure an alarm for this event. To set the options for the alarm, select Proxy Alarm
from the Categories list on the left side of a Proxy Configuration window. You can send an SNMP
trap, send e-mail, or open a pop-up window.
5 Use the Log check box to write a traffic log for this event.
Using advanced rules view
To see a detailed view of the current rules, click Change View. The advanced view shows the action for
each rule. It also has buttons you can use to edit, clone (use an existing rule definition to start a new
one), delete, or reset rules. To go back to the simple view, click Change View again. You cannot go back
to simple view if the enabled rules have different action, alarm, and log settings. In this case, you must
continue to use the advanced view.
Changing the precedence of rules
The Firebox uses these guidelines to apply rules:
• It does the rules in sequence from the top to the bottom of the window.
• When a filtered item matches a rule, the Firebox does the related traffic action.
• Content can match more than one of the rules or the default rule, but only the first rule is used.
• The Firebox uses the default rule if no other rule applies. It is always the last rule that the Firebox
applies to the content.
To change the sequence of rules, you must use the advanced view:
1 Click Change View to see the advanced view of created rules.
2 Select a rule to move up or down in the list. Click the Up or Down button to move the rule up or
down in the list.
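An added example, not Firebox code, that evaluates a proxy ruleset the way the guidelines above describe: wildcard patterns from the simple view, exact and regular-expression rules from the advanced view, first match wins from the top down, the default rule last, and the effect of the Up button on precedence. The Rule, Ruleset and Verdict classes, the sample filename rules and the use of Python's re module in place of PCRE are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

ACTIONS = {"Allow", "Deny", "Drop", "Block", "Strip", "Lock"}


@dataclass
class Rule:
    pattern: str
    action: str
    match: str = "wildcard"   # simple view: "wildcard"; advanced view: "exact" or "regex"
    alarm: bool = False
    log: bool = False

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.match == "wildcard":
            # '*' = zero or more characters, '?' = exactly one, everything else literal.
            parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in self.pattern]
            self._re = re.compile("".join(parts), re.IGNORECASE)
        elif self.match == "regex":
            self._re = re.compile(self.pattern)      # Python re stands in for PCRE here
        elif self.match != "exact":
            raise ValueError(f"unknown match type {self.match!r}")

    def matches(self, value: str) -> bool:
        if self.match == "exact":
            return value.lower() == self.pattern.lower()
        if self.match == "wildcard":
            return self._re.fullmatch(value) is not None
        return self._re.search(value) is not None


@dataclass
class Verdict:
    action: str
    rule: Optional[Rule]   # None when the default (None matched) rule applied
    alarm: bool = False
    log: bool = False


class Ruleset:
    def __init__(self, rules: List[Rule], none_matched: str = "Allow", if_matched: Optional[str] = None):
        # Simple view: one "If matched" action for every rule. Advanced view: if_matched is None
        # and each rule carries its own action.
        self.rules = list(rules)
        self.none_matched = none_matched
        self.if_matched = if_matched

    def evaluate(self, value: str) -> Verdict:
        """Top to bottom; the first rule that matches decides, otherwise the default rule."""
        for rule in self.rules:
            if rule.matches(value):
                return Verdict(self.if_matched or rule.action, rule, rule.alarm, rule.log)
        return Verdict(self.none_matched, None)

    def move_up(self, index: int) -> None:
        """The advanced view's Up button: swap a rule with the one above it."""
        if index > 0:
            self.rules[index - 1], self.rules[index] = self.rules[index], self.rules[index - 1]


# Constructed filename ruleset for an SMTP-Incoming action (not a Firebox default).
FILENAME_RULES = Ruleset([
    Rule("*.exe", "Strip", alarm=True, log=True),
    Rule("*.vbs", "Strip", log=True),
    Rule("*.zip", "Lock"),
    Rule(r"\.(scr|pif)$", "Drop", match="regex", alarm=True),
    Rule("report.doc", "Allow", match="exact"),
])

if __name__ == "__main__":
    for name in ("invoice.EXE", "setup.scr", "archive.zip", "notes.txt"):
        v = FILENAME_RULES.evaluate(name)
        print(f"{name:12} -> {v.action:5} via {v.rule.pattern if v.rule else 'default rule'}")
```

The ordering point matters in practice: a broad rule such as "*" placed above "*.exe" makes the more specific rule unreachable, and only the advanced view lets you move it back up.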
Customizing Logging and Notification for proxy rules
An alarm, log message, or notification is a mechanism to tell a network administrator about network traffic that does not match the criteria for allowed traffic. For example, if traffic is more than a threshold
value, you can configure the Firebox to send you an e-mail message. You can set alarm, log message, and
notification properties for each packet filter and proxy policy. You can also set alarm and log message
properties for a proxy rule.
Configuring log messages and notification for a proxy policy
1 Double-click the policy icon to open the Policy Properties dialog box.
2 Click the Properties tab. Click Logging.
The Logging and Notification dialog box appears.
3 Set the parameters to agree with the requirements of your security policy.
Configuring log messages and alarms for a proxy rule
1 Double-click the policy icon to open the Policy Properties dialog box.
2 Click the Properties tab. From the Proxy drop-down list, select the proxy action to configure.
3 Select Proxy Alarms from the Category list. For more information about the parameters, see the
subsequent section.
There are more log messages and notification options available with signature-based intrusion prevention services.
These options are examined in the chapter “Using Signature-Based Security Services.”
Using dialog boxes for alarms, log messages, and notification
The dialog boxes for alarms, log messages, and notification in proxy definitions have most or all of these
fields:
Enter it in the log
When you enable this check box, the Firebox® sends a traffic log message to the Log Server when
this event occurs. The default configuration of all policies is for the Firebox to send a log
message when it denies a packet.
Send SNMP Trap
When you enable this check box, the Firebox sends an event notification to the SNMP
management system. The SNMP trap shows when the traffic matches a condition such as a
property that is more than its threshold value. Note that the bindings section in the SNMP trap is
blank if the trap occurs when SNMP starts or stops, such as with a reset, restart, or failover.
Send notification
When you enable this check box, the Log Server sends a notification when this event occurs. You
can configure the Log Server to do one of these actions:
- E-mail The Log Server sends an e-mail message when the event occurs. Set the e-mail address
in the Notification tab of the Log Server user interface.
- Pop-up Window The Log Server makes a dialog box appear on the management station when
the event occurs.
Setting Launch Interval and Repeat Count
You can control the time of the notification, together with the Repeat Count, as follows:
Launch Interval
The minimum time (in minutes) between different notifications. This parameter prevents more
than one notification in a short time for the same event.
Repeat Count
This counts how frequently an event occurs. When this gets to the selected value, a special repeat
notifier starts. This notifier makes a repeat log message about that specified notification.
Notification starts again after this number of events.
Here is an example of how to use these two values. The values are set up as follows:
• Launch interval = 5 minutes
• Repeat count = 4
A port space probe starts at 10:00 AM and continues each minute. This starts the log and notification
mechanisms. These are the times and the actions that occur:
1 10:00—Initial port space probe (first event)
2 10:01—First notification starts (one event)
3 10:06—Second notification starts (reports five events)
4 10:11—Third notification starts (reports five events)
5 10:16—Fourth notification starts (reports five events)
The launch interval controls the time intervals between the events 1, 2, 3, 4, and 5. This was set to 5 minutes. Multiply the repeat count by the launch interval. This is the time interval an event must continue to
start the repeat notifier.
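The Launch Interval and Repeat Count example above (and the identical one in the previous chapter) can be replayed to see how the throttle batches events. This added simulation is not WatchGuard code: the scheduling model is an assumption chosen to reproduce the guide's timetable (the notifier runs once a minute, before that minute's events are counted, and fires when events are pending and the launch interval has passed), and the reading that the repeat notifier takes over after repeat_count notifications, that is repeat count times launch interval minutes after the first one, is also an assumption.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple


@dataclass
class NotifierState:
    launch_interval: int     # minimum minutes between notifications
    repeat_count: int        # notifications before the repeat notifier takes over
    notifications: List[Tuple[int, int]] = field(default_factory=list)  # (minute, events reported)
    repeat_entries: List[Tuple[int, int]] = field(default_factory=list)  # (minute, events reported)
    last_notified: Optional[int] = None
    pending: int = 0         # events seen since the last notification


def run_notifier(event_minutes: Iterable[int], launch_interval: int,
                 repeat_count: int, horizon: int) -> NotifierState:
    """Replay events (minute offsets from the start) through the throttle.

    Assumed model: the notifier runs once a minute, before that minute's events are
    counted; it fires when events are pending and the launch interval has passed.
    """
    st = NotifierState(launch_interval, repeat_count)
    events = set(event_minutes)
    for minute in range(horizon + 1):
        due = st.last_notified is None or minute - st.last_notified >= launch_interval
        if st.pending and due:
            if len(st.notifications) < repeat_count:
                st.notifications.append((minute, st.pending))
            else:
                # repeat_count notifications have gone out for the same condition:
                # later ones are condensed into repeat log entries.
                st.repeat_entries.append((minute, st.pending))
            st.last_notified, st.pending = minute, 0
        if minute in events:
            st.pending += 1
    return st


def clock(minute: int, start_hour: int = 10) -> str:
    return f"{start_hour + minute // 60:02d}:{minute % 60:02d}"


if __name__ == "__main__":
    # Constructed input: a port space probe every minute from 10:00 for half an hour.
    st = run_notifier(range(0, 31), launch_interval=5, repeat_count=4, horizon=30)
    for m, n in st.notifications:
        print(f"{clock(m)} notification ({n} event{'s' if n != 1 else ''})")
    for m, n in st.repeat_entries:
        print(f"{clock(m)} repeat notifier entry ({n} events)")
```

Run as-is it prints the four notifications from the guide's table (10:01 with one event, then 10:06, 10:11 and 10:16 with five each) followed by the first repeat entry at 10:21, twenty minutes after the first notification.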
Configuring the SMTP Proxy
You use the SMTP proxy to block suspicious e-mail messages and e-mail content. The proxy scans SMTP
messages for a number of filtered parameters, and compares them against the rules set in the proxy configuration. To configure the SMTP proxy:
1 Add the SMTP proxy to Policy Manager. To learn how to add policies to Policy Manager, see “Adding
Policies” on page 66.
2 Double-click the SMTP icon and select the Properties tab.
The Edit Policy Properties dialog box appears and shows the General Settings information.
3 In the Proxy drop-down list, select to configure SMTP-Incoming or SMTP-Outgoing.
You can also clone a proxy action to create a new proxy action.
4 Click the View/Edit Proxy icon.
Configuring general settings
You use the General Settings fields to configure basic SMTP proxy parameters such as idle time-out and
message limits.
Idle timeout
You can set the length of time an incoming SMTP connection can idle before the connection is
timed out. The default value is 600 seconds (10 minutes). For no time-out, clear the Set the
timeout to check box.
Maximum e-mail recipients
With the Set the maximum e-mail recipients to check box, you can set the maximum number
of e-mail recipients to which a message can be sent. The Firebox counts and allows the specified
number of addresses through, then drops the other addresses. For example, if you use the default
value of 50 and there is a message for 52 addresses, the first 50 addresses get the e-mail message.
The last two addresses do not get a copy of the message. A distribution list appears as one SMTP
e-mail address (for example, [email protected]). The Firebox counts this as one address.
You can use this feature to decrease spam e-mail because spam usually includes a large recipient
list. Be careful when you do this because you can also deny legitimate e-mail.
Maximum e-mail size
With the Set the maximum e-mail size to check box, you can set the maximum length of an
incoming SMTP message. Most e-mail is sent as 7-bit ASCII text. The exceptions are Binary
MIME and 8-bit MIME. Binary content (for example, MIME attachments) is encoded with
standard algorithms (Base64 or quoted-printable encoding) so that it can be sent through 7-bit
e-mail systems. Encoding can increase the length of files by as much as one third. The limit
applies to the encoded message, not to the original content: to allow messages whose content is
1000 bytes, you must set this field to a minimum of 1334 bytes to make sure all e-mail gets
through. The default value is 3,000,000 bytes (3 million bytes).
Maximum e-mail line length
With the Set the maximum e-mail line length to check box, you can set the maximum line
length for lines in an SMTP message. Very long line lengths can cause buffer overflows on some
e-mail systems. Most e-mail clients and systems send short line lengths, but some Web-based email systems send very long lines. The default value is 1024.
Hide E-mail Server
Select the Message ID and Server Replies check boxes to replace MIME boundary and SMTP
greeting strings in e-mail messages. These are used by hackers to identify the SMTP server vendor
and version.
Send a log message
Select the Send a log message check box to send a log message for each connection request
through SMTP. For Historical Reports to create accurate reports on SMTP traffic, you must select
this check box.
Greeting rules
The proxy examines the HELO/EHLO greeting exchange that starts the SMTP session. The
default rules for the SMTP-Incoming proxy action make sure that packets with greetings that are
too long, or include characters that are not correct or expected, are denied.
Configuring ESMTP parameters
You use the ESMTP Settings fields to set the filtering for ESMTP content. Although SMTP is widely
accepted and widely used, some parts of the Internet community have found a need to extend SMTP to
allow more functionality. ESMTP gives a method for functional extensions to SMTP, and for clients and
servers that support extended features to recognize each other.
1 From the Categories section, select ESMTP parameters.
Allow BDAT/CHUNKING
Select to allow BDAT/CHUNKING. This enables large messages to be sent more easily through
SMTP connections.
Allow ETRN (Remote Message Queue Starting)
This is an extension to SMTP that allows an SMTP client and server to interact to start the
exchange of message queues for a given host.
Allow 8-Bit MIME
Select to allow 8-bit MIME, if the client and host support the extension. The 8-bit MIME
extension allows a client and host to exchange messages over SMTP whose text contains octets
outside the US-ASCII range (hex 00-7F, or 7-bit ASCII).
Allow Binary MIME
Select to allow the Binary MIME extension, if the sender and receiver accept it. Binary MIME
avoids the overhead of base64 and quoted-printable encoding of binary objects sent in the
MIME message format with SMTP. WatchGuard does not recommend that you select this option,
as it can be a security risk.
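An added example, not Firebox code, that applies the general settings and ESMTP parameters described above to constructed SMTP traffic: the recipient cap keeps the first 50 addresses and drops the rest, the line-length and size limits are checked on the DATA body, the HELO/EHLO argument is checked for length and unexpected characters, extensions the proxy action does not allow are removed from the server's EHLO reply, and a BDAT command is refused while CHUNKING is off. The SmtpSettings class, the greeting length limit of 128, the character class accepted in a greeting and the sample session are assumptions; the size helper reproduces the 1000 to 1334 byte figure from the text.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hostname or address literal; anything else in a HELO/EHLO argument is treated as unexpected.
GREETING_RE = re.compile(r"^[A-Za-z0-9.\-\[\]:]+$")


@dataclass
class SmtpSettings:
    """Defaults follow the guide; max_greeting_length is an assumed value."""
    max_recipients: int = 50
    max_size: int = 3_000_000
    max_line_length: int = 1024
    max_greeting_length: int = 128
    # ESMTP parameters: which advertised extensions the proxy action lets through.
    allowed_extensions: Dict[str, bool] = field(default_factory=lambda: {
        "CHUNKING": False, "BINARYMIME": False, "8BITMIME": True, "ETRN": False})


def min_size_setting(payload_bytes: int) -> int:
    """Smallest 'maximum e-mail size' that lets a payload of this many bytes through
    after Base64 encoding (growth of one third, rounded up: 1000 -> 1334)."""
    return -(-payload_bytes * 4 // 3)


def filter_ehlo_reply(reply_lines: List[str], settings: SmtpSettings) -> List[str]:
    """Drop extension keywords the proxy action does not allow from the server's
    multi-line EHLO reply, keeping the final line's '250 ' end marker valid."""
    kept = []
    for line in reply_lines:
        keyword = line[4:].split(" ")[0].upper() if len(line) > 4 else ""
        if settings.allowed_extensions.get(keyword, True):
            kept.append(line)
    if kept:
        kept[-1] = "250 " + kept[-1][4:]
    return kept


def check_session(client_lines: List[str], settings: SmtpSettings) -> Tuple[List[str], List[str]]:
    """Apply the general settings to the client side of an SMTP session.
    Returns the recipients that were let through and a list of findings."""
    recipients, findings = [], []
    in_data, size = False, 0
    for line in client_lines:
        if in_data:
            if line == ".":
                in_data = False
                if size > settings.max_size:
                    findings.append(f"deny: message size {size} exceeds {settings.max_size}")
                continue
            size += len(line) + 2  # count the CRLF the wire format carries
            if len(line) > settings.max_line_length:
                findings.append(f"deny: line length {len(line)} exceeds {settings.max_line_length}")
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            if len(arg) > settings.max_greeting_length or not GREETING_RE.match(arg):
                findings.append(f"deny: greeting {arg[:20]!r} too long or has unexpected characters")
        elif verb == "RCPT":
            # The first max_recipients addresses are kept; the rest are dropped.
            if len(recipients) < settings.max_recipients:
                recipients.append(arg)
            else:
                findings.append(f"drop recipient: {arg}")
        elif verb == "DATA":
            in_data, size = True, 0
        elif verb == "BDAT" and not settings.allowed_extensions["CHUNKING"]:
            findings.append("deny: BDAT/CHUNKING not allowed")
    return recipients, findings


# Constructed sample traffic (not a capture): 52 recipients and one over-long body line.
SAMPLE_SESSION = (
    ["EHLO mail.example.com", "MAIL FROM:<sender@example.com>"]
    + [f"RCPT TO:<user{i}@example.net>" for i in range(52)]
    + ["DATA", "Subject: test", "", "x" * 1500, "."]
)
SAMPLE_EHLO_REPLY = ["250-mail.example.net Hello", "250-SIZE 10240000", "250-8BITMIME",
                     "250-CHUNKING", "250-BINARYMIME", "250-ETRN", "250 HELP"]

if __name__ == "__main__":
    recips, findings = check_session(SAMPLE_SESSION, SmtpSettings())
    print(len(recips), "recipients accepted")
    print("\n".join(findings))
    print("\n".join(filter_ehlo_reply(SAMPLE_EHLO_REPLY, SmtpSettings())))
```

Filtering the EHLO reply is what makes the extension switches effective: a client that never sees CHUNKING or BINARYMIME advertised will not try to use them, and the BDAT check catches a client that tries anyway.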
Configuring authentication rules
This ruleset allows a number of ESMTP authentication types. The default rule denies all other authentication types. The RFC that tells about the SMTP authentication extension is RFC 2554.
1 From the Categories section, select Authentication.
2 Do the steps used to create rules. For more information, see “Defining Rules” on page 79.
Defining content type rules
You use the ruleset for the SMTP-Incoming proxy action to set values for incoming SMTP content filtering. You use the ruleset for the SMTP-Outgoing proxy action to set values for outgoing SMTP content filtering.
1 From the Categories section, select Content Types.
2 Do the steps used to create rules. For more information, see “Defining Rules” on page 79.
Defining file name rules
You use the ruleset for the SMTP-Incoming proxy action to put limits on file names for incoming e-mail
attachments. You use the ruleset for the SMTP-Outgoing proxy action to put limits on file names for outgoing e-mail attachments.
1 From the Categories section, select Filenames.
2 Do the steps used to create rules. For more information, see “Defining Rules” on page 79.
Configuring the Mail From and Mail To rules
The Mail From ruleset can limit incoming e-mail to messages from specified senders. The default
configuration is to allow e-mail from all senders.
The Mail To ruleset can limit outgoing e-mail to messages to specified recipients. The default configuration allows e-mail to any recipient outside your network.
You can also use the Rewrite As feature included in this rule configuration dialog box to have the Firebox
change the From and To components of your e-mail address to a different value. This feature is also
known as “SMTP masquerading.”
1
From the Categories section, select Mail From or Mail To.
2
Do the steps used to create rules. For more information, see “Defining Rules” on page 79.
Defining header rules
Header rulesets allow you to set values for incoming or outgoing SMTP header filtering.
1
From the Categories section, select Headers.
2
Do the steps used to create rules. For more information, see “Defining Rules” on page 79.
Defining antivirus responses
The fields on this dialog box set the actions necessary if a virus is found in an e-mail message. It also sets
actions for when an e-mail message contains an attachment that is too large or that the Firebox cannot
scan.
1
From the Categories section, select Antivirus.
2
For Virus found, Attachment too large, and Unable to Scan use these settings:
Action
Allow - Allows the connection.
Lock - Locks the file so it cannot be opened by the recipient.
Strip - Content is dropped. All applicable filtered content is removed and dropped, but the
remainder of the message is allowed through, subject to more proxy filtering.
Drop - Denies the specific request and drops the connection.
Block - Denies the request, drops the connection, and adds the originating host to the Blocked
Sites list. For more information on blocked sites, see “Setting Blocked Sites” on page 135.
Alarm
Select the check box to use an alarm for this event.
Log
Select the check box to write this event to the log file.
Changing the deny message
The Firebox® gives a default deny message that replaces the denied content. You can replace that deny
message with one that you write. You can write a custom deny message with standard HTML. The first
line of the deny message is a section of the HTTP header. There must be an empty line between the first
line and the body of the message.
1
From the Categories section, select Deny Message.
2
Type the deny message in the deny message box. You can use these variables:
%(type)%
Puts the type of content that was denied.
%(filename)%
Puts the file name of the denied content.
%(action)%
Puts the name of the action taken: lock, strip, and so on.
%(reason)%
Puts the cause for the Firebox to deny the content.
%(recovery)%
Allows you to set the text to fill this sentence: “Your network administrator %(recovery)% this
attachment.”
%(virus)%
Puts the name or status of a virus, for Gateway AntiVirus for E-mail™ users only.
Configuring the IPS (Intrusion Prevention System)
Hackers use many methods to attack computers on the Internet. The function of these attacks is to cause
damage to your network, get sensitive information, or use your computers to attack other networks.
These attacks are known as intrusions.
WatchGuard® System Manager supplies a number of tools to protect your network against attack. For
more information, see “Using Signature-Based Security Services” on page 127. The SMTP proxy operates
with Gateway AntiVirus for E-mail and the Intrusion Prevention Service.
1
From the Categories section, select Intrusion Prevention.
2
To enable intrusion prevention, select the Enable Intrusion Prevention check box.
3
In the Actions section, use the drop-down lists to select the Firebox action for each severity level.
Allow
You allow a packet so it can get to its recipient, even if the content matches a signature.
Deny
You deny a packet to stop the packet and send a deny message to the sender.
Drop
You drop a packet to stop the packet silently, and not tell the sender.
Block
You block a message to drop the packet, and to add the IP address that the packet started from
to the Blocked Sites list.
Note
If you set the configuration to allow packets for one of these three severity levels, your configuration
is less secure.
4
To configure log messages and notification for each severity level, click Logging and Notification.
For information on fields in the Logging and Notification dialog box, see “Using dialog boxes for
alarms, log messages, and notification” on page 82.
Configuring proxy and antivirus alarms for SMTP
You can set the action the Firebox does when proxy or antivirus (AV) alarm events occur:
1
From the Categories section, select Proxy and AV Alarms.
2
For information on fields in the Proxy/AV Alarm Configuration section, see “Using dialog boxes for
alarms, log messages, and notification” on page 82.
Configuring the FTP Proxy
File Transfer Protocol (FTP) is the protocol used to move files on the Internet. Like SMTP and HTTP, FTP
uses TCP/IP protocols to enable data transfer. You usually use FTP to download a file from a server on
the Internet or to upload a file to a server.
1
Add the FTP proxy to Policy Manager. To learn how to add policies to Policy Manager, see “Adding
Policies” on page 66.
2
Double-click the FTP icon and select the Policy tab.
3
Select Allowed from the FTP proxy connections are drop-down list.
4
Select the Properties tab.
5
In the Proxy drop-down list, select to configure the proxy action for FTP-Client or FTP-Server.
6
Click the View/Edit Proxy icon.
Configuring general settings
You use the General fields to configure basic FTP parameters including maximum user name length.
1
From the Categories section, select General.
2
To set limits for FTP parameters, select the applicable check boxes. These settings help to protect your
network from buffer overflow attacks. If you set a check box to 0 bytes, the Firebox does not use the
parameter. Use the arrows to set the limits:
Maximum user name length
Sets a maximum length for user names on FTP sites.
Maximum password length
Sets a maximum length for passwords used to log into FTP sites.
Maximum file name length
Sets the maximum file name length for files to upload or download.
Maximum command line length
Sets the maximum length for command lines used on FTP sites.
3
To create a log message for each FTP request, select the Send a log message for each connection
request check box.
Defining commands rules for FTP
FTP has a number of commands to manage files. You can write rules to put limits on some FTP commands. Use FTP-Server to put limits on commands that can be used on an FTP server protected by the
Firebox. Use FTP-Client to put limits on commands that users protected by the Firebox can use when they
connect to external FTP servers. The default configuration of the FTP-Client is to allow all FTP commands.
1
From the Categories section, select Commands.
2
Do the steps used to create rules. For more information, see “Defining Rules” on page 79.
Setting download rules for FTP
Download rules control the file names, extensions, or URL paths that users can use FTP to download. Use
the FTP-Server proxy action to control download rules for an FTP server protected by the Firebox. Use the
FTP-Client proxy action to set download rules for users connecting to external FTP servers. To add download rulesets:
1
From the Categories section, select Download.
2
Do the steps used to create rules. For more information, see “Defining Rules” on page 79.
Setting upload rules for FTP
Upload rulesets control the file names, extensions, or URL paths that users can use FTP to upload. Use the
FTP-Server proxy action to control upload rules for an FTP server protected by the Firebox. Use the FTP-Client proxy action to set upload rules for users connecting to external FTP servers. The default configuration of the FTP-Client is to allow all files to be uploaded. To create upload rulesets:
1
From the Categories section, select Upload.
2
Do the steps used to create rules. For more information, see “Defining Rules” on page 79.
Enabling intrusion prevention for FTP
You can use the FTP proxy to enable and configure the WatchGuard Intrusion Prevention System. For
information on how to do this, see the procedure for SMTP in “Configuring the IPS (Intrusion Prevention
System)” on page 88.
Configuring proxy alarms for FTP
An alarm is a mechanism to tell a network administrator when network traffic matches criteria for suspicious traffic or content. When an alarm event occurs, the Firebox does an action that you configure. For
example, you can set a threshold value for file length. If the file is larger than the threshold value, the
Firebox can send a log message to the Log Server.
1
From the Categories section, select Proxy Alarms.
2
For information on fields in the Proxy Alarm Configuration section, see “Using dialog boxes for
alarms, log messages, and notification” on page 82.
Configuring the HTTP Proxy
The HTTP proxy is a high performance content filter. It examines Web traffic to identify suspicious content which can be a virus, spyware, or other type of attack. It can also protect your Web server from
attacks from the external network. You can configure the HTTP proxy to:
• Only allow content that matches RFC requirements for Web servers and clients
• Select which types of MIME content the Firebox allows into your network
• Block Java, ActiveX, and other code types
• Examine the HTTP header to make sure it is not from a known source of suspicious content
1
Add the HTTP proxy to Policy Manager. To learn how to add policies to Policy Manager, see “Adding
Policies” on page 66.
2
Select the Properties tab.
3
In the Proxy drop-down list, select to configure the HTTP-Client or HTTP-Server proxy action. Use
the HTTP-Server proxy action (or an incoming proxy action you create based on the HTTP-Server
proxy action) to protect a Web server. Use HTTP-Client, or an outgoing proxy action, to filter HTTP
requests from users behind the Firebox.
4
Click the View/Edit Proxy icon.
You can also clone a proxy action to create a new proxy action.
Configuring settings for HTTP requests
You can configure general settings for HTTP requests. You can also see and edit the HTTP request rulesets
included in a proxy action. To get access to these settings, click HTTP Request in the Categories list on
the left of the proxy configuration.
Configuring general settings for HTTP requests
You use the General Settings fields to configure basic HTTP parameters such as idle time-out and URL
length.
Idle Timeout
Controls how long the HTTP proxy waits for the Web client to make a request for something
from the external Web server after it starts a TCP/IP connection or after the earlier request, if
there was one, for the same connection. If it goes longer than the setting, the HTTP proxy closes
the connection. The default value is 600 seconds.
URL Length
Sets the maximum length of the path component of a URL. This does not include the “http://” or
host name. Control of the URL length can help to prevent buffer overflow attacks.
Send a log message for each HTTP connection request
Creates a traffic log message for each request. This option creates a large log file, but this
information is very important if your firewall is attacked.
Setting HTTP request methods
Most browser HTTP requests are in one of two categories: GET and POST operations. Browsers usually use
GET operations to download objects such as a graphic, HTML data, or Flash data. More than one GET is
usually sent by a client computer for each page, because Web pages usually contain many different elements. The elements are put together to make a page that appears as one page to the end user.
Browsers usually use POST operations to send data to a Web site. Many Web pages get information from
the end user such as location, e-mail address, and name. If you enable the POST command, the Firebox
denies all POST operations to Web servers on the external network. This feature prevents your users from
sending information to a Web site on the external network.
The HTTP proxy supports these request methods: GET, POST, HEAD, OPTIONS, PUT, and DELETE. If you configure a rule to allow any other request method, you get an error with the text: “Method unsupported.”
1
From the Categories section, select Request Methods.
2
Do the steps used to create rules. For more information, see “Defining Rules” on page 79.
Setting HTTP request URL paths
You use URL path rules to filter the content of the host, path, and query-string components of a URL.
Here are examples of how to block content using HTTP request URL paths:
• To block all pages that have the host name www.test.com, type the pattern:
www.test.com*
• To block all paths containing the word “sex”, on all Web sites: *sex*
• To block URL paths ending in “*.test”, on all Web sites: *.test
Note
Usually, if you filter URLs with the HTTP request URL path ruleset, you must configure a complex
pattern using full regular expression syntax and the advanced view of a ruleset. It is easier and gives
better results to filter based on header or body content type than it is to filter by URL path.
1
From the Categories section, select URL paths.
2
Do the steps used to create rules. For more information, see “Defining Rules” on page 79.
Setting HTTP request header fields
This ruleset supplies content filtering for the full HTTP header. By default, the Firebox uses exact matching rules to strip Via and From headers, and allows all other headers. This ruleset matches against the full
header, not only the name. Thus, to match all values of a header, type the pattern: “[header name]:*”. To
match only some values of a header, replace the * wildcard with a pattern. If your pattern does not start
with a * wildcard, include one space between the colon and the pattern when typing in the Pattern text
box. For example, type: [header name]: [pattern] and not [header name]:[pattern].
Note that the default rules do not strip the Referer header, but do include a disabled rule to strip this
header. To enable the rule, select Advanced View. Some Web browsers and software applications must use
the Referer header to operate correctly.
1
From the Categories section, select Header Fields.
2
Do the steps used to create rules. For more information, see “Defining Rules” on page 79.
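The URL path examples and the header field rules above both rely on patterns in which "*" stands for any run of characters and everything else is literal. The following added example (not the Firebox's own matching code) implements that pattern style in Python and applies it to the three URL path examples and to the default Via/From/Referer header rules. The sample URLs, the header lines, the rule order and case-insensitive matching are this example's assumptions.

```python
"""Added example: Firebox-style '*' wildcard patterns applied to the host/path
part of a URL and to full HTTP request header lines."""
import re


def wildcard_to_regex(pattern):
    """Compile a pattern in which only '*' is special (it matches any run of
    characters, including none). '?', '.', '[' and ':' are matched literally,
    which is why fnmatch is not used here. Case-insensitive matching is an
    assumption made for this example."""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


# URL path rules from the examples above, in evaluation order (constructed).
URL_PATH_RULES = [
    ("www.test.com*", "deny"),
    ("*sex*", "deny"),
    ("*.test", "deny"),
]


def url_path_target(url):
    """The part of the URL the ruleset matches: host, path and query string,
    without the scheme."""
    for scheme in ("http://", "https://"):
        if url.lower().startswith(scheme):
            return url[len(scheme):]
    return url


def match_url_path(url, rules=URL_PATH_RULES, default="allow"):
    """Return (action, matching_pattern) for the first rule that matches,
    or (default, None) when none does."""
    target = url_path_target(url)
    for pattern, action in rules:
        if wildcard_to_regex(pattern).match(target):
            return action, pattern
    return default, None


# Header field rules: (pattern, action, enabled). The default strips Via and
# From; the Referer rule exists but is disabled, as described above.
HEADER_RULES = [
    ("Via:*", "strip", True),
    ("From:*", "strip", True),
    ("Referer:*", "strip", False),
]


def filter_request_headers(header_lines, rules=HEADER_RULES):
    """Apply header rules to 'Name: value' lines; return (kept, stripped).
    Patterns match the whole line, so 'Via:*' matches any Via value, and a
    pattern that does not start with '*' needs the space after the colon
    ('Accept-Language: en*', not 'Accept-Language:en*')."""
    kept, stripped = [], []
    for line in header_lines:
        action = "allow"
        for pattern, rule_action, enabled in rules:
            if enabled and wildcard_to_regex(pattern).match(line):
                action = rule_action
                break
        (stripped if action == "strip" else kept).append(line)
    return kept, stripped


# Constructed request headers (not a real capture).
SAMPLE_REQUEST_HEADERS = [
    "Host: www.example.test",
    "User-Agent: ExampleBrowser/1.0",
    "Via: 1.1 proxy.example.test",
    "From: user@example.test",
    "Referer: http://www.example.test/start.html",
    "Accept-Language: en-US",
]
```

Two results are worth noticing when you run it: a path such as /pages/essex/map.html is denied by "*sex*", which is the kind of false positive the Note above has in mind when it recommends filtering on content type instead, and /report.test?x=1 is not caught by "*.test" because the query string is part of the matched text.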
Setting HTTP request authorization
This rule sets the criteria for content filtering of HTTP Request Header authorization fields. When a Web
server starts a “WWW-Authenticate” challenge, it sends information about which authentication methods
it can use. The proxy puts limits on the type of authentication sent in a request. It uses only the authentication methods that the Web server accepts. With a default configuration, the Firebox allows Basic,
Digest, NTLM, and Passport1.4 authentication, and strips all other authentication.
1
From the Categories section, select Authorization.
2
Do the steps used to create rules. For more information, see “Defining Rules” on page 79.
Configuring general settings for HTTP responses
You use the General Settings fields to configure basic HTTP parameters such as idle time-out and limits
for line and total length. If you set a check box to 0 bytes, the Firebox does not check the parameter.
1
From the Categories section, select General Settings.
2
To set limits for HTTP parameters, select the applicable check boxes. Use the arrows to set the limits:
Idle timeout
Controls how long the Firebox HTTP proxy waits for the Web server to send the Web page. The
default value is 600 seconds.
Maximum line length
Controls the maximum allowed length of a line of characters in the HTTP response headers. Use
this property to protect your computers from buffer overflow exploits.
Maximum total length
Controls the maximum length of the HTTP response headers. If the total header length is more
than this limit, the HTTP response is denied. The default value is 0 (no limit).
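The line-length and total-length checks above are simple to state but have two details a practitioner should get right: the status line counts as a line, and a value of 0 disables the check rather than denying everything. The following added example (not code from the WatchGuard guide) applies both limits to the raw bytes of an HTTP response head; the limit values and the two sample responses are constructed for the example.

```python
"""Added example: enforce maximum line length and maximum total length on
an HTTP response head, with 0 meaning 'no limit' as in the dialog above."""

# Constructed limits; 0 disables a check.
MAX_LINE_LENGTH = 4096
MAX_TOTAL_LENGTH = 0


def check_response_head(raw, max_line=MAX_LINE_LENGTH, max_total=MAX_TOTAL_LENGTH):
    """Return (ok, reason) for the bytes received from the server so far.

    raw must contain the empty line that ends the headers; if it does not,
    the head is incomplete and cannot be judged yet. The status line and
    every header line are checked against max_line; the whole head,
    including line terminators, against max_total."""
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        return False, "incomplete header block"
    head = raw[:end + 4]
    if max_total and len(head) > max_total:
        return False, "total header length %d exceeds %d" % (len(head), max_total)
    for line in head[:end].split(b"\r\n"):
        if max_line and len(line) > max_line:
            name = line.split(b":", 1)[0].decode("latin-1", "replace")
            return False, "header line '%s' length %d exceeds %d" % (name, len(line), max_line)
    return True, "ok"


# Constructed responses (not real captures).
NORMAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)
OVERSIZED_LINE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: session=" + b"A" * 5000 + b"\r\n"
    b"\r\n"
)
```

A proxy that buffers the head before forwarding it needs the "incomplete" outcome as well: a server that never sends the terminating empty line must eventually be cut off by the idle timeout above, not allowed to grow the buffer without bound.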
Setting header fields for HTTP responses
This property controls which HTTP response header fields the Firebox allows. RFC 2616 includes many of
the HTTP response headers that are allowed in the default configuration. For more information, see:
http://www.ietf.org/rfc/rfc2616.txt
1
From the Categories section, select Header Fields.
2
Do the steps used to create rules. For more information, see “Defining Rules” on page 79.
Setting content types for HTTP responses
When a Web server sends HTTP traffic, it usually adds a MIME type to the response. The HTTP header on
the data stream contains this MIME type. It is added before the data is sent.
This ruleset sets rules for looking for content type (MIME type) in HTTP response headers. By default the
Firebox allows some safe content types, and denies MIME content that has no specified content type.
Some Web servers supply incorrect MIME types to get around content rules.
1
From the Categories section, select Content Types.
2
Do the steps used to create rulesets. For more information, see “Defining Rules” on page 79.
Setting cookies for HTTP responses
HTTP cookies are small pieces of alphanumeric text that Web servers store on Web clients. Cookies track the
page a Web client is on so that the Web server can send subsequent pages in the correct sequence. Web servers
also use cookies to collect information about an end user. Many Web sites use cookies for authentication
and other legitimate functions and cannot operate correctly without cookies.
This ruleset gives you control of the cookies in HTTP responses. You can configure rules to strip cookies,
based on your network requirements. The default rule for the HTTP-Server and HTTP-Client proxy action
allows all cookies.
The Cookies ruleset looks for packets based on the domain associated with the cookie. The domain can be
specified in the cookie. If there is no domain in the cookie, the proxy uses the host name in the first
request. Thus, to block all cookies for nosy-adware-site.com, add a rule with the pattern: “*.nosy-adware-site.com”.
1
From the Categories section on the left, select Cookies.
2
Do the steps used to create rules. For more information, see “Defining Rules” on page 79.
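The domain selection described above (Domain attribute if present, otherwise the request host) is the part that decides whether a rule fires. The following added example (not the Firebox's own code) implements that selection and the "*.nosy-adware-site.com" rule over two constructed responses: a first-party page that also sets a third-party tracking cookie, and a direct request to the tracking host whose cookie carries no Domain attribute. The rule action, the sample responses, and the choice to prepend a dot to the domain so that the pattern covers the bare domain as well as its subdomains are this example's assumptions.

```python
"""Added example: decide which Set-Cookie headers to strip, matching on the
cookie's Domain attribute or, when it has none, the host of the request."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Rule from the paragraph above; the action is an assumption (strip).
COOKIE_RULES = [("*.nosy-adware-site.com", "strip")]


def cookie_domain(set_cookie_value, request_url):
    """Effective domain for the rule match. Returned with a leading dot so
    that '*.nosy-adware-site.com' covers both the bare domain and its
    subdomains; that normalization is this example's assumption."""
    for attribute in set_cookie_value.split(";")[1:]:
        name, _, value = attribute.strip().partition("=")
        if name.lower() == "domain" and value:
            return "." + value.strip().lstrip(".").lower()
    host = urlsplit(request_url).hostname or ""
    return "." + host.lower()


def filter_set_cookies(response_header_lines, request_url, rules=COOKIE_RULES):
    """Return (kept, stripped) header lines. Non-cookie headers pass through.
    fnmatchcase is safe here because domain names contain none of the
    characters ('?', '[') that it treats specially."""
    kept, stripped = [], []
    for line in response_header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            kept.append(line)
            continue
        domain = cookie_domain(value.strip(), request_url)
        action = "allow"
        for pattern, rule_action in rules:
            if fnmatchcase(domain, pattern.lower()):
                action = rule_action
                break
        (stripped if action == "strip" else kept).append(line)
    return kept, stripped


# Constructed responses (not real captures).
FIRST_PARTY_URL = "http://www.news-example.test/article"
FIRST_PARTY_HEADERS = [
    "Content-Type: text/html",
    "Set-Cookie: sid=abc123; Path=/",
    "Set-Cookie: track=42; Domain=.nosy-adware-site.com; Path=/",
]
THIRD_PARTY_URL = "http://ads.nosy-adware-site.com/pixel.gif"
THIRD_PARTY_HEADERS = ["Content-Type: image/gif", "Set-Cookie: id=xyz"]
```

The second case is the one that matters for tracking pixels: the cookie has no Domain attribute at all, so a rule that only inspected the cookie text would never match it.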
Setting HTTP body content types
This ruleset gives you control of the content in an HTTP response. The Firebox is configured to deny Java
applets, Zip archives, Windows EXE/DLL files, and Windows CAB files. The default proxy action for outgoing HTTP requests (HTTP-Client) allows all other response body content types. WatchGuard recommends
that you examine the file types that are used in your organization and allow only those file types that are
necessary for your network.
1
From the Categories section, select Body Content Types.
2
Do the steps used to create rules. For more information, see “Defining Rules” on page 79.
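Body content type rules differ from the response content type rules above in that they look at the data, which is what defeats a server that "supplies incorrect MIME types to get around content rules". The following added example (not code from the WatchGuard guide) identifies the four body types the default HTTP-Client action denies by their leading bytes and ignores the declared Content-Type when deciding. The file signatures are well known; the labels, the sample bodies and the two-function structure are this example's own.

```python
"""Added example: detect denied body content types by their leading bytes,
independent of the Content-Type header the server declared."""

# Well-known file signatures for the types the default HTTP-Client proxy
# action denies. The labels are this example's own.
DENIED_SIGNATURES = [
    (b"MZ", "Windows EXE/DLL"),
    (b"PK\x03\x04", "Zip archive (also JAR files)"),
    (b"\xca\xfe\xba\xbe", "Java class file"),
    (b"MSCF", "Windows CAB file"),
]


def sniff_body_type(body):
    """Return the label of the first matching denied signature, or None."""
    for magic, label in DENIED_SIGNATURES:
        if body.startswith(magic):
            return label
    return None


def inspect_response_body(declared_content_type, body):
    """Return (action, reason). The decision is based on the body bytes, so a
    server that labels an executable as image/gif is still caught."""
    label = sniff_body_type(body)
    if label is not None:
        return "deny", "%s body declared as %s" % (label, declared_content_type)
    return "allow", "no denied signature (declared %s)" % declared_content_type


# Constructed sample bodies (not real files): only the leading bytes matter.
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_ZIP = b"PK\x03\x04\x14\x00" + b"\x00" * 26
SAMPLE_HTML = b"<html><body>hello</body></html>"
```

Two caveats for anyone adapting this: the two-byte "MZ" signature is weak on its own (a text body that happens to begin with those letters would be denied, and a production check would go on to validate the PE header), and Java applets usually arrive inside a JAR, which is a Zip archive, so the Zip rule is what catches them in practice.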
Changing the deny message
The Firebox gives a default deny message that replaces the content that is denied. You can replace that
deny message with one that you write. You can customize the deny message with standard HTML. The
first line of the deny message is a component of the HTTP header. There must be an empty line between
the first line and the body of the message.
1
From the Categories section, select Deny Message.
2
Type the deny message in the deny message box. You can use these variables:
%(method)%
Puts the request method from the denied request.
%(reason)%
Puts the reason the Firebox denied the content.
%(transaction)%
Puts “Request” or “Response” to show which side of the transaction caused the packet to be
denied.
%(url-host)%
Puts the server host name from the denied URL. If no host name was included, the IP address of
the server is given.
%(url-path)%
Puts the path component of the denied URL.
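Both the SMTP deny message (earlier in this chapter) and the HTTP deny message above follow the same two layout rules: the first line is an HTTP header field and an empty line separates it from the HTML body, with %(name)% variables substituted into the body. The following added example (not code from the WatchGuard guide) validates a template against those rules and the variable list of each proxy, then renders it. The two templates, the Content-Type header used as the first line, and the HTML escaping of substituted values are this example's assumptions, not documented Firebox behaviour.

```python
"""Added example: validate and render a custom deny message template with the
%(name)% variables listed for the SMTP and HTTP proxies."""
import html
import re

# Variables each proxy's deny message may use, taken from the lists above.
SMTP_DENY_VARS = {"type", "filename", "action", "reason", "recovery", "virus"}
HTTP_DENY_VARS = {"method", "reason", "transaction", "url-host", "url-path"}

# Constructed templates. The first line is an HTTP header field and the
# second line is empty, as the procedure above requires.
HTTP_DENY_TEMPLATE = (
    "Content-Type: text/html\n"
    "\n"
    "<html><body><h1>Denied</h1>\n"
    "<p>%(transaction)% %(method)% for %(url-host)%%(url-path)% "
    "was denied: %(reason)%</p></body></html>\n"
)
SMTP_DENY_TEMPLATE = (
    "Content-Type: text/html\n"
    "\n"
    "<html><body><p>The %(type)% attachment %(filename)% was denied "
    "(%(reason)%); action taken: %(action)%. Your network administrator "
    "%(recovery)% this attachment. Virus: %(virus)%</p></body></html>\n"
)

_VARIABLE_RE = re.compile(r"%\(([a-z-]+)\)%")
_HEADER_LINE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: \S.*$")


def validate_deny_template(template, allowed_vars):
    """Raise ValueError if the template breaks the two layout rules or uses
    a variable the proxy does not provide; return the variables it uses."""
    lines = template.split("\n")
    if len(lines) < 2 or not _HEADER_LINE_RE.match(lines[0]):
        raise ValueError("first line must be an HTTP header field, e.g. 'Content-Type: text/html'")
    if lines[1] != "":
        raise ValueError("an empty line must follow the header line")
    used = set(_VARIABLE_RE.findall(template))
    unknown = used - allowed_vars
    if unknown:
        raise ValueError("unknown variables: %s" % ", ".join(sorted(unknown)))
    return used


def render_deny_message(template, values, allowed_vars):
    """Substitute variables. Values are HTML-escaped so that an attacker-
    chosen file name or host cannot inject markup into the deny page; that
    escaping is this example's choice, not documented Firebox behaviour."""
    validate_deny_template(template, allowed_vars)
    return _VARIABLE_RE.sub(
        lambda m: html.escape(str(values.get(m.group(1), ""))), template
    )
```

Running the validator when the template is saved, rather than when a message is denied, is the point of the design: a missing empty line or a misspelled variable would otherwise only show up in the page the end user sees.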
Configuring intrusion prevention for HTTP
You can use the HTTP proxy to enable and configure the WatchGuard® Intrusion Prevention Service. The
HTTP proxy and the TCP proxy each include options to prevent Instant Messaging (IM) and Peer to Peer
(P2P) use. These options can give more protection against new P2P and IM services.
If you use the TCP proxy and the HTTP proxy, you must be sure to configure actions for IM and P2P in
the two proxies to apply actions to all IM and P2P traffic.
1
From the Categories section, select Intrusion Prevention.
2
To enable intrusion prevention that uses the HTTP proxy, select the Enable Intrusion Prevention
check box.
3
For information on the settings in this dialog box, see “Using advanced HTTP proxy features” on
page 136.
Defining proxy alarms for HTTP
Use these settings to set criteria for a notification event:
1
From the Categories section, select Proxy Alarms.
2
Do the steps in “Using dialog boxes for alarms, log messages, and notification” on page 82.
Configuring the DNS Proxy
With the Domain Name System (DNS), you can get access to a Web site with an easy-to-remember “dotcom” name. DNS takes an Internet domain name (for example, WatchGuard.com) and resolves it to an IP
address. The DNS proxy protects your DNS servers from TSIG, NXT, and other DNS attacks. To add the
DNS proxy to your Firebox® configuration:
1
Add the DNS proxy to Policy Manager. To learn how to add policies to Policy Manager, see
“Adding Policies” on page 66.
2
Double-click the DNS icon and select the Policy tab.
3
Select Allowed from the DNS proxy connections are drop-down list.
4
Select the Properties tab.
5
In the Proxy drop-down list, select to configure the DNS-Outgoing or DNS-Incoming proxy action.
6
Click the View/Edit Proxy icon.
You can also clone an existing proxy action to create a new proxy action.
Configuring general settings for the DNS proxy
The general settings for the DNS proxy include two protocol anomaly detection rules and a logging option:
Not of class Internet
Select the action to do when the proxy examines DNS traffic that is not of the Internet (IN) class.
The default action is to deny this traffic. WatchGuard recommends that you do not change this
default action. Use the Alarm check box to use an alarm for this event. Use the Log check box to
write this event to the log file.
Badly formatted query
Select the action when the proxy examines DNS traffic that does not use the correct format. Use
the Alarm check box to use an alarm for this event. Use the Log check box to write this event to
the event log file.
Send a log message for each connection request
Select this check box to record a log message for each DNS connection request. Note that this
creates a large number of log messages and traffic.
Configuring DNS OPcodes
DNS OPcodes are commands given to the DNS server that tell it to do some action, such as a query
(Query), an inverse query (IQuery), or a server status request (STATUS). You can allow, deny, drop, or block
specified DNS OPcodes.
1
From the Categories section, select OPCodes.
2
For the rules listed, select the Enabled check box to enable a rule. Clear the Enabled check box to
disable a rule.
Note
If you use Active Directory and your Active Directory configuration requires dynamic updates, you
must allow DNS OPcodes in your DNS-Incoming proxy action rules. This is a security risk, but can be
necessary for Active Directory to operate correctly.
Adding a new OPcodes rule
1
Click Add.
The New OPCodes Rule dialog box appears.
2
Type a name for the rule.
Rules can have no more than 31 characters.
3
DNS OPcodes have an integer value. Use the arrows to set the OPCode value.
For more information on the integer values of DNS OPcodes, see RFC 1035.
4
Set an action for the rule and configure to send an alarm or enter the event in the log file. For more
information, see “Adding rules” on page 80.
Configuring DNS query types
A DNS query type specifies either a resource record type (such as a CNAME or TXT record) or a special
query operation (such as an AXFR full zone transfer). You can allow, deny, drop, or block specified
DNS query types.
1
From the Categories section, select Query Types.
2
To enable a rule, select the Enabled check box adjacent to the action and name of the rule.
Adding a new query types rule
1
To add a new query types rule, click Add.
The New Query Types Rule dialog box appears.
2
Type a name for the rule.
Rules can have no more than 31 characters.
3
DNS query types have a resource record (RR) value. Use the arrows to set the value.
For more information on the values of DNS query types, see RFC 1035.
4
Set an action for the rule and configure to send an alarm or enter the event in the log file. For more
information, see “Defining Rules” on page 79.
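The DNS proxy categories above (class check and badly formatted query in the general settings, then OPcode rules, then query type rules) all operate on the first bytes of a query. The following added example (not code from the WatchGuard guide) parses a DNS query header and question from the wire with the standard library, then applies constructed rule tables in that order; the rule tables, the small name lookup dictionaries and the helper that builds sample packets are this example's assumptions, while the OPcode and type numbers come from RFC 1035 (and RFC 2136 for UPDATE).

```python
"""Added example: parse a DNS query from the wire and apply class, OPcode and
query-type rules like the DNS proxy categories described above."""
import struct

CLASS_IN = 1
OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 5: "UPDATE"}
QTYPE_NAMES = {1: "A", 5: "CNAME", 16: "TXT", 28: "AAAA", 252: "AXFR"}

# Constructed rule tables (OPcode value -> action, query type -> action).
# OPcodes without an entry are denied; query types without one are allowed.
OPCODE_RULES = {0: "allow", 1: "deny", 2: "deny", 5: "deny"}
QTYPE_RULES = {252: "deny"}


def build_query(name, qtype, qclass=CLASS_IN, opcode=0, txid=0x1234):
    """Build a minimal DNS query packet (used here to construct test input)."""
    flags = (opcode & 0xF) << 11
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def parse_query(packet):
    """Return (opcode, qname, qtype, qclass); raise ValueError when the
    packet is not a well-formed single-question query."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set, packet is a response")
    if qdcount != 1:
        raise ValueError("expected exactly one question, got %d" % qdcount)
    opcode = (flags >> 11) & 0xF
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("label length > 63 or compression pointer in question")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question type/class")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return opcode, ".".join(labels), qtype, qclass


def classify_query(packet):
    """Return (action, reason) in the order the proxy categories above apply:
    badly formatted query, not of class Internet, OPcode rule, query type rule."""
    try:
        opcode, qname, qtype, qclass = parse_query(packet)
    except ValueError as err:
        return "deny", "badly formatted query: %s" % err
    if qclass != CLASS_IN:
        return "deny", "not of class Internet (class %d)" % qclass
    action = OPCODE_RULES.get(opcode, "deny")
    if action != "allow":
        return action, "OPcode %s denied" % OPCODE_NAMES.get(opcode, opcode)
    action = QTYPE_RULES.get(qtype, "allow")
    if action != "allow":
        return action, "query type %s denied for %s" % (QTYPE_NAMES.get(qtype, qtype), qname)
    return "allow", "%s %s %s" % (OPCODE_NAMES[opcode], QTYPE_NAMES.get(qtype, qtype), qname)
```

The Active Directory note above is the case where OPCODE_RULES would need a second "allow" entry: dynamic DNS updates use the UPDATE OPcode (5, defined in RFC 2136), which this table denies on an incoming proxy action by default. Denying AXFR (252) on the incoming side stops an outside host from pulling the whole zone through a single query.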
Configuring DNS query names
A DNS query name refers to a specified DNS domain name, shown as a fully qualified domain name
(FQDN).
1
From the Categories section, select Query Names.
2
To add more names, do the steps used to create rules. For more information, see “Defining Rules” on
page 79.
Enabling intrusion prevention for the DNS proxy
You can use the DNS proxy to enable and configure the WatchGuard® Intrusion Prevention System.
1
From the Categories section, select Intrusion Prevention.
2
To enable intrusion prevention, select the Enable Intrusion Prevention check box.
Configuring DNS proxy alarms
Use these settings to set criteria for a notification event:
1
From the Categories section, select Proxy Alarms.
2
Do the procedure in “Using dialog boxes for alarms, log messages, and notification” on page 82.
Configuring the TCP Proxy
Transmission Control Protocol (TCP) is the primary protocol in TCP/IP networks. The IP protocol controls
packets while TCP enables hosts to start connections and to send and receive data. A TCP proxy monitors
TCP handshaking to see if a TCP session is legitimate.
Configuring general settings for the TCP proxy
HTTP Proxy
Select the HTTP proxy action to use for TCP connections. The TCP proxy applies the HTTP proxy
ruleset to all traffic that it identifies as HTTP traffic.
Send a log message for each connection request
Select this check box to record a log message for all TCP connection requests. This feature creates
a large number of log messages and traffic.
Enabling intrusion prevention for the TCP proxy
You can use the TCP proxy to enable and configure the WatchGuard Intrusion Prevention System.
1
From the Categories section, select Intrusion Prevention.
2
To enable intrusion prevention, select the Enable Intrusion Prevention check box.
CHAPTER 9
Working with Firewall NAT
Network Address Translation (NAT) was originally designed as one of several solutions for organizations
that could not obtain enough registered IP network numbers from Internet Address Registrars for their
growing population of hosts and networks.
NAT is a generic term for any of the several forms of IP address and port translation. Its primary
purposes are to let many computers share one publicly routable IP address, and to hide the private IP
addresses of hosts on your LAN.
At its most basic level, NAT changes the address of a packet from one value to a different value. The type
of NAT refers to how NAT changes the network address:
Dynamic NAT
Dynamic NAT is also known as IP masquerading. The Firebox can apply its public IP address
to the outgoing packets for all connections or for specified services. This hides the real IP
address of the computer that is the source of the packet from the external network. Dynamic
NAT is generally useful for hiding addresses of internal hosts when they access public
services.
1-to-1 NAT
The Firebox uses private and public IP ranges that you set for NAT. With 1-to-1 NAT, you
bind a public address for each Web and other (DNS, mail) server to the private address you
assigned to each server located on your trusted or optional networks. 1-to-1 NAT is useful
for giving public hosts access to internal servers.
Static NAT for a policy
Static NAT is also known as port forwarding. You define static NAT when you define policies, as
described in “Configuring Policies,” on page 65. Static NAT is a port-to-host NAT: a host on the
external network sends a packet to a port on an external interface, and static NAT changes this
address to an address and port behind the firewall.
Select the type of NAT that is best for you after you identify the problem you have. Problems can include
address security or a small number of public IP addresses. NAT can be applied as a global setting, or as a
setting in a policy. Note, however, that global NAT settings do not apply to BOVPN or MUVPN policies.
Using Dynamic NAT
Dynamic NAT is the most frequently used type of NAT. It changes the source IP address of an outbound
connection to the public IP address of the Firebox. Outside the Firebox, you only see the IP address of the
Firebox on outgoing packets.
Many computers can connect to the Internet from one public IP address. Dynamic NAT gives more security for the internal hosts that use the Internet, because it can hide hosts on your network.
In most networks, the recommended security policy is to apply NAT to all outgoing packets. With Fireware, dynamic NAT is enabled by default. Policy-based dynamic NAT is always enabled, but you can override the global setting in individual policies.
Adding global dynamic NAT entries
The default configuration of dynamic NAT enables dynamic NAT from all private IP addresses to the
external network. The default entries are:
• 192.168.0.0/16 - Any-External
• 172.16.0.0/12 - Any-External
• 10.0.0.0/8 - Any-External
These are the private networks defined by RFC 1918. To enable dynamic NAT for private IP addresses other
than these, you must add an entry for them. The Firebox applies the dynamic NAT rules in the sequence
in which they appear in the Dynamic NAT Entries list. WatchGuard recommends that you order the entries
according to the volume of traffic each one matches.
1
From Policy Manager, select Network > Firewall NAT.
The Firewall NAT Setup dialog box appears.
2
On the Dynamic NAT tab of the Firewall NAT Setup dialog box, click Add.
The Add Dynamic NAT dialog box appears.
3
Use the From drop-down list to select the source of the outgoing packets.
For example, use the trusted host alias to enable NAT from all of the trusted network. For more information on
built-in Firebox aliases, refer to “Configuring the Firebox as an Authentication Server” on page 108.
4
Use the To drop-down list to select the destination of the outgoing packets.
5
To add a host or a network IP address, click the Add Device button. Use the drop-down list
to select the address type. Type the IP address or the range. You must type a network
address in slash notation.
When you type an IP address, type all the numbers and the periods. Do not use the TAB or arrow key.
6
Click OK.
The new entry appears in the Dynamic NAT Entries list.
Reordering dynamic NAT entries
To change the sequence of the dynamic NAT entries, select the entry to change. Then click Up or Down.
You cannot change a dynamic NAT entry. If a change is necessary, you must erase the entry with Remove.
Use Add to enter it again.
Policy-based dynamic NAT entries
With this type of NAT, the Firebox uses the primary IP address of the interface that the packets leave
through as the new source address for the traffic in this policy. Each policy has dynamic NAT enabled by
default, using the global dynamic NAT table. To use dynamic NAT for all traffic in one policy only:
1. From Policy Manager, right-click the policy to configure policy-based NAT for and select Edit.
The Edit Policy Properties window appears.
2. Click the Advanced tab.
3. Select All traffic in this policy if you want to apply NAT to all traffic in this policy.
4. Click OK. Save the change to the Firebox.
Disabling policy-based dynamic NAT
1. From Policy Manager, right-click a policy and select Edit.
The Edit Policy Properties window appears.
2. Click the Advanced tab.
3. Clear the check box in front of Dynamic NAT to turn NAT off for the traffic this policy controls.
4. Click OK. Save the change to the Firebox.
Using 1-to-1 NAT
1-to-1 NAT uses a NAT policy that changes and routes all incoming and outgoing packets sent from one
range of addresses to a different range of addresses. You can configure many different 1-to-1 NAT
addresses.
You frequently use 1-to-1 NAT to route public IP addresses to internal servers. On those servers, you do
not have to change the IP address. You can also use 1-to-1 NAT for VPN tunnels when the IP addresses of
the remote network are the same as the local network. The local network addresses change to a range
that is not the same as the remote addresses, and a VPN tunnel can connect. Both gateways must be configured in this way.
A 1-to-1 NAT rule always takes precedence over dynamic NAT.
In each NAT policy you are able to configure four items. You can also specify a single host, a range of
hosts, or a subnet.
Interface
The name of the Firebox Ethernet interface where the 1-to-1 NAT action is applied. The 1-to-1 NAT action
is applied when packets from the real base travel through this interface or when packets from the NAT
base travel through this interface.
NAT base
An IP address not assigned to a Firebox Ethernet interface that corresponds to the Real Base
IP address. The NAT Base IP address you type is associated with the real base IP address you
type, and it is the first in a range of IP addresses. The other NAT base IP addresses in the
range go up by one in the last octet until the “Number of hosts to NAT” is reached. The NAT
base IP address is the address that the real base IP address changes to when the 1-to-1 NAT
is applied. When packets with a NAT Base IP address go through the Interface, the 1-to-1
action is applied.
Real base
The IP address assigned to the physical Ethernet interface of the computer that uses 1-to-1
NAT. The real base IP address you type is associated with the NAT Base address you type, and
it is the first IP address in a range of IP addresses. The other real base IP addresses in the
range go up by one in the last octet until the “Number of hosts to NAT” is reached. When
packets from a computer with a real base address go through the Interface specified, the 1-to-1 action is applied.
Number of hosts to NAT (for ranges only)
The number of subsequent NAT Base and Real Base IP addresses that 1-to-1 NAT associates
together. The number of IP addresses to which the 1-to-1 NAT applies. The first real base IP
address is translated to the first NAT Base IP address when 1-to-1 NAT is applied. The second
real base IP address in the range is translated to the second NAT base IP address when 1-to-1 NAT is applied. This is repeated until the “Number of hosts to NAT” is reached.
You set a NAT policy in a “from” and “to” range of IP addresses. For example, consider this policy:
210.199.6.1–192.168.69.1:254 (NAT base to real base range)
All the traffic that is sent to hosts between 210.199.6.1 and 210.199.6.254 changes to the related IP
address between 192.168.69.1 and 192.168.69.254.
There is a 1-to-1 address change from each NAT address to the destination (real) IP address: 210.199.6.1
becomes 192.168.69.1.
Configuring Global 1-to-1 NAT
1. From Policy Manager, click Setup > Firewall NAT. Click the 1-to-1 NAT tab.
2. Click Add.
The 1-1 Mapping dialog box appears.
3. In the Map Type drop-down list, select Single IP, IP range, or IP subnet to specify whether you
want to map to a single host, a range of hosts, or a subnet.
4. In the NAT base text box, type the first address of the NAT range that is seen externally.
5. Complete all the information. Click OK.
6. Repeat steps 2 - 5 for each 1-to-1 NAT entry. When you are done, click OK to close the Firewall
NAT Setup dialog box. Save the change to the Firebox.
Configuring policy-based 1-to-1 NAT
With this type of NAT, the Firebox uses the private and public IP ranges that you set when configuring
global 1-to-1 NAT, but the rules are applied to an individual policy. 1-to-1 NAT is enabled in the default
configuration of each policy. If a policy has both 1-to-1 and Dynamic NAT enabled, 1-to-1 NAT has precedence.
Disabling policy-based 1-to-1 NAT
1. From Policy Manager, right-click a policy and select Edit.
The Edit Policy Properties window appears.
2. Click the Advanced tab.
3. Clear the 1-to-1 NAT check box to turn NAT off for the traffic this policy controls.
4. Click OK. Save the change to the Firebox.
Configuring static NAT for a policy
Static NAT matches incoming traffic on a destination port, so it is available only for policies that use
TCP or UDP. A policy for another protocol cannot use incoming static NAT, and the NAT button in the
Properties dialog box of that policy is disabled. You also cannot use static NAT with the Any policy.
1. Double-click a policy icon in the Policies Arena.
2. From the Connections are drop-down list, select Allowed.
To use static NAT, the policy must let incoming traffic through.
3. Below the To list, click Add.
The Add Address dialog box appears.
4. Click NAT.
The Add Static NAT dialog box appears.
Note
Mail servers must use the correct external address of the Firebox for incoming NAT. If not, mail
problems can occur.
5. From the External IP Address drop-down list, select the “public” address to use for this service.
6. Type the internal IP address.
The internal IP address is the destination on the trusted or optional network.
7. If necessary, select the Set internal port to different port than this policy check box.
You usually do not use this feature. It enables you to change the packet destination not only to a specified internal
host but also to a different port. If you select the check box, type the different port number or use the arrow
buttons in the Internal Port box.
8. Click OK to close the Add Static NAT dialog box.
The static NAT route appears in the Members and Addresses list.
9. Click OK to close the Add Address dialog box. Click OK to close the Properties dialog box of the
service.
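The following Python model is added here as an illustration; it is not WatchGuard code and does not appear in the original guide. It applies the three NAT types in the order this chapter describes: a 1-to-1 entry is checked before the dynamic NAT list, dynamic entries are matched in list order, and a policy's static NAT rewrites the destination of incoming traffic. It uses the guide's own 1-to-1 example (210.199.6.1 to 192.168.69.1, 254 hosts) and the three default dynamic NAT entries. The external address 203.0.113.10, the static NAT targets, and the assumption that 1-to-1 NAT is checked before static NAT on incoming traffic are constructed for the example.

```python
"""Toy evaluator for Fireware dynamic, 1-to-1 and static NAT (added example, not product code)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed addresses: 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
EXTERNAL_IP = ip_address("203.0.113.10")   # primary IP of the external interface (assumed)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class OneToOne:
    """One 1-to-1 NAT entry: 'hosts' consecutive addresses starting at each base."""
    nat_base: IPv4Address
    real_base: IPv4Address
    hosts: int

    def _shift(self, ip: IPv4Address, base_from: IPv4Address, base_to: IPv4Address):
        offset = int(ip) - int(base_from)
        return base_to + offset if 0 <= offset < self.hosts else None

    def real_to_nat(self, ip: IPv4Address):
        return self._shift(ip, self.real_base, self.nat_base)

    def nat_to_real(self, ip: IPv4Address):
        return self._shift(ip, self.nat_base, self.real_base)


# Global 1-to-1 table, using the guide's example: 210.199.6.1-254 <-> 192.168.69.1-254.
ONE_TO_ONE = [OneToOne(ip_address("210.199.6.1"), ip_address("192.168.69.1"), 254)]
# Default dynamic NAT entries (all "to Any-External"), matched in list order.
DYNAMIC_NAT = [ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
# Static NAT set on policies (constructed): (external IP, policy port) -> (internal IP, internal port).
STATIC_NAT = {
    (EXTERNAL_IP, 25): (ip_address("10.0.0.25"), 25),     # SMTP policy to an internal mail host
    (EXTERNAL_IP, 8080): (ip_address("10.0.0.80"), 80),   # "Set internal port" used
}


def translate_outgoing(pkt: Packet) -> tuple[Packet, str]:
    """Trusted/optional to external: 1-to-1 NAT takes precedence over dynamic NAT."""
    for rule in ONE_TO_ONE:
        nat = rule.real_to_nat(pkt.src)
        if nat is not None:
            return replace(pkt, src=nat), "1-to-1"
    for i, net in enumerate(DYNAMIC_NAT):
        if pkt.src in net:
            return replace(pkt, src=EXTERNAL_IP), f"dynamic[{i}]"
    # No entry covers this source: the packet leaves with its private address unchanged,
    # which is why the guide says non-RFC 1918 internal ranges need their own entry.
    return pkt, "none"


def translate_incoming(pkt: Packet) -> tuple[Packet, str]:
    """External to inside: 1-to-1 NAT on the destination, then the policy's static NAT (assumed order)."""
    for rule in ONE_TO_ONE:
        real = rule.nat_to_real(pkt.dst)
        if real is not None:
            return replace(pkt, dst=real), "1-to-1"
    target = STATIC_NAT.get((pkt.dst, pkt.dport))
    if target is not None:
        return replace(pkt, dst=target[0], dport=target[1]), "static"
    return pkt, "none"


if __name__ == "__main__":
    remote = ip_address("198.51.100.1")
    for pkt in (Packet(ip_address("192.168.69.7"), remote, 443),
                Packet(ip_address("10.0.0.25"), remote, 25),
                Packet(ip_address("100.64.0.9"), remote, 80)):      # not an RFC 1918 address
        out, how = translate_outgoing(pkt)
        print(f"out {pkt.src} -> {out.src} via {how}")
    for pkt in (Packet(remote, ip_address("210.199.6.254"), 80),
                Packet(remote, ip_address("210.199.6.255"), 80),    # one past the 254 hosts
                Packet(remote, EXTERNAL_IP, 8080)):
        out, how = translate_incoming(pkt)
        print(f"in {pkt.dst}:{pkt.dport} -> {out.dst}:{out.dport} via {how}")
```

Running the block shows the two cases a practitioner checks for after editing the NAT tables: a source outside every dynamic NAT entry leaves with its private address unchanged, and an incoming packet one address past “Number of hosts to NAT” is not translated at all. The mail host sits outside the 1-to-1 range on purpose, so its outgoing connections use the same external address that the static NAT entry accepts, which is the condition the note about mail servers describes.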
CHAPTER 10
Implementing Authentication
With user authentication you can see user names when you monitor the connections through the Firebox®.
This gives you more information than when you can see only the IP addresses of a connection. The IP
address or computer that the person uses does not matter: while the user is authenticated, all the
connections that the user starts from that IP address carry the session name. This lets you monitor
not only the computers from which the connections start, but also the users.
The Firebox allows you to create policies with groups and user names. A person can use more than one
computer or IP address with the same user name. Monitoring by user name is especially useful:
• If you use the Dynamic Host Configuration Protocol (DHCP), because the IP address of a computer
can change.
• If many different users can use the same IP address in a day.
In these cases, authentication gives you more information about the activities of the people in your organization.
How User Authentication Works
A special HTTPS server operates on the Firebox® to accept authentication requests. To authenticate, a
user must connect to the authentication Web page on the Firebox. The address is:
https://IP address of a Firebox interface:4100/
An authentication Web page appears. The user must type a user name and password. The Firebox checks the
name and password against the configured authentication server with PAP (Password Authentication Protocol).
PAP is not a challenge and response protocol: the password itself is sent. Between the browser and the
Firebox it is protected by the HTTPS session; between the Firebox and a third-party server it has only the
protection that server protocol gives (for RADIUS, the shared secret), so keep that path on a trusted network.
When the user is authenticated, the user is then allowed to use the approved network resources. The user
can close the browser window. The user stays authenticated for two hours after the last connection to a
network resource for which authentication is necessary.
To stop an authentication session before the two-hour timeout, click the Logout button on the authentication
Web page. If the window is closed, you must open it again to disconnect. To prevent an account
from authenticating, you must disable the account on the authentication server.
Using authentication from the external network
The primary use of authentication is to control outgoing traffic, but you can also use it for incoming
traffic. Any account that can authenticate to the Firebox can also authenticate from the external network,
provided the WG-Auth policy allows the connection.
For example, you can type this address in your browser at home:
https://public IP address of a Firebox interface:4100/
After authentication, you can get access to the services that are configured on the Firebox (FTP, Telnet).
Use this procedure to let a remote user authenticate from the external interface. This gives the user access
to resources through the Firebox.
1. In Policy Manager, double-click the WatchGuard® authentication policy icon (WG-Auth). This policy
appears after you add a user or group to a policy configuration.
2. On the Policy tab, select Allowed.
3. Below the From box, click Add.
4. Click Add User, and then type the IP addresses of the remote users that have approval to
authenticate externally.
Using authentication through a gateway Firebox to another Firebox
To send an authentication request through a gateway Firebox to a different Firebox, you must add a policy allowing the authentication traffic on the gateway Firebox. On the gateway Firebox, use Policy Manager to add the WG-Auth policy. This policy controls traffic on TCP port 4100. Configure the policy to
allow traffic to the IP address of the destination Firebox.
Authentication server types
With Fireware, there are five methods to do authentication:
• Firebox
• RADIUS
• SecurID
• LDAP
• Active Directory
You can configure one or more authentication server types for a Firebox. Authentication to different
server types is almost the same for the user. For the Firebox administrator, the difference is that the user
database can be on the Firebox or on a dedicated authentication server.
When you use an authentication server, you configure it with the instructions from its manufacturer. You
install the server with access to the Firebox and put it behind the Firebox for security.
Using a backup authentication server
You can configure a backup authentication server with any type of third-party authentication. If the Firebox cannot connect to the primary authentication server (after three attempts), it connects to the backup
authentication server. If the Firebox cannot connect to the backup authentication server, it waits ten
minutes, and then tries to connect to the primary authentication server again. This cycle continues until
a connection can be made.
Configuring the Firebox as an Authentication Server
If you do not use a third-party authentication server, you can use the Firebox® as an authentication
server. This procedure divides your company into groups and users for authentication. Assign members to
groups because of tasks, functions, or access requirements. For example, you can have an accounting
group, a marketing group, and a research and development group. You can also have a new persons
group, with limits on Internet access.
In a group, you set the authentication procedure for the users, the type of system they use, and the information to which they have access. A user can be a network or a computer. If your company changes, you
can add or remove users or systems from groups.
Use Policy Manager to:
• Add, change, or erase the groups in the configuration
• Add or change the users in a group
Setting up the Firebox as an authentication server
1. From Policy Manager, select Setup > Authentication Servers.
The Authentication Servers dialog box appears. The default configuration enables the Firebox authentication
server.
2. To add a new user group, click Add below the User Groups list.
The Add Firebox Group dialog box appears.
3. Type the name of the group. Click OK.
4. To add a new user, click Add below the Users list.
The Setup Firebox User dialog box appears.
5. Type the name and the passphrase that the user will use to authenticate to the Firebox.
When this passphrase is set, you cannot see the passphrase in plain text again. If the passphrase is lost, you must
set a new passphrase.
6. To add the user to a group, select the group name in the Available list. Click the double arrow
that points to the left side to move the name to the Member list.
You can also double-click the Group name.
7. After you add the user to selected groups, click OK.
The user is added to the User list. You can then add more users.
8. To close the Setup Firebox User dialog box, click OK.
The Firebox Users tab appears with a list of the new users.
9. After you add all necessary users and groups, click OK.
At this time, you can use the users and groups to configure policies and authentication.
Configuring RADIUS Server Authentication
Remote Authentication Dial-In User Service (RADIUS) authenticates the local and remote users on a company
network. RADIUS is a client/server system that keeps the authentication information for users, remote
access servers, and VPN gateways in one database.
The messages between the Firebox (the RADIUS client) and the RADIUS server are protected with a shared
secret, which must be the same on the client and the server. The shared secret itself is never sent on the
network. The Firebox uses it to hide the user's password in the Access-Request (the password is XORed with
MD5 hashes derived from the secret and a random per-request authenticator), and the server uses it to
compute the Response Authenticator that the Firebox checks on the reply. RADIUS traffic is otherwise not
encrypted, and the password hiding is only as strong as the secret, so use a long random secret and keep the
path between the Firebox and the server on a trusted network. For Web authentication, RADIUS support is
for PAP only (not CHAP). For authentication using PPTP, RADIUS support is for MSCHAPv2 only.
To use RADIUS server authentication with the Firebox®, you must:
• Add the IP address of the Firebox to the RADIUS server, as explained in the RADIUS
documentation.
• Enable and specify the RADIUS server in your Firebox configuration.
• Add RADIUS user and/or group names into the policies in Policy Manager.
To enable RADIUS Server Authentication:
1. From Policy Manager, select Setup > Authentication Servers. Click the RADIUS Server tab.
The RADIUS configuration appears.
2. Type the IP address of the RADIUS server.
3. Make sure that the port number RADIUS uses for authentication appears.
The default port number is 1812. Older RADIUS servers may use port 1645.
4. Type the “shared secret” between the Firebox and the RADIUS server.
The shared secret is case-sensitive and must be the same on the Firebox and the RADIUS server.
5. Select the time-out value.
This sets the time the Firebox waits for a response from the authentication server before it tries to connect again.
6. Set the number of retry attempts.
This is the number of times the Firebox tries to connect to the authentication server (using the time-out specified
above) before it reports a failed connection for one authentication attempt.
7. Select the group attribute.
The group attribute value is used to set which attribute carries the User Group information. When the RADIUS
server sends a message to the Firebox that a user is authenticated, it also sends a User Group string, for example
“engineerGroup” or “financeGroup”. This information is then used for access control.
8. Type the IP address and the port of the backup RADIUS server. The backup server must use the same
shared secret as the primary RADIUS server.
9. Click OK.
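The following Python script is added here as an illustration; it is not WatchGuard code and is not from the original guide. It builds the Access-Request a RADIUS client such as the Firebox sends, hides the PAP password with the shared secret as RFC 2865 section 5.2 specifies, and verifies the Response Authenticator on the reply, which is how the shared secret protects both directions without ever being transmitted. The server side is a constructed stand-in; the user names, passwords, group names, and the choice of Filter-Id (attribute 11) as the group attribute are assumptions for the example, not product defaults.

```python
"""RADIUS PAP exchange between a NAS (the Firebox role) and a server, per RFC 2865.
Added example, not WatchGuard code; the server side is a constructed stand-in."""
from __future__ import annotations

import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Filter-Id (11) as the group attribute is an assumption for this example.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute; the length byte covers the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _parse_attrs(data: bytes) -> dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    The secret is never transmitted; only this XORed form goes on the wire."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (the chaining value is the previous hidden block)."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")    # strip the NUL padding


def build_access_request(ident: int, authenticator: bytes, username: str, password: str,
                         secret: bytes, nas_ip: str) -> bytes:
    """What the client sends to UDP/1812. 'authenticator' must be 16 fresh random bytes."""
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, IPv4Address(nas_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_respond(request: bytes, secret: bytes, users: dict[str, tuple[str, str]]) -> bytes:
    """Constructed server: users maps name -> (password, group). An Accept carries the group."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], _parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode()
    given = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    if user in users and hmac.compare_digest(users[user][0].encode(), given):
        code, resp_attrs = ACCESS_ACCEPT, _attr(FILTER_ID, users[user][1].encode())
    else:
        code, resp_attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs


def client_check(response: bytes, req_ident: int, req_auth: bytes, secret: bytes):
    """NAS side. Returns (accepted, group), or None if the reply is not authentic."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    header, resp_auth, attrs = response[:4], response[4:20], response[20:length]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    if ident != req_ident or not hmac.compare_digest(expected, resp_auth):
        return None     # forged, replayed, or the two sides have different secrets
    group = _parse_attrs(attrs).get(FILTER_ID, b"").decode()
    return code == ACCESS_ACCEPT, group


if __name__ == "__main__":
    secret = b"correct horse battery staple"    # constructed; use a long random secret in practice
    users = {"alice": ("s3cret!", "engineerGroup")}
    auth = os.urandom(16)
    req = build_access_request(1, auth, "alice", "s3cret!", secret, "192.168.1.1")
    print(client_check(server_respond(req, secret, users), 1, auth, secret))
    print(client_check(server_respond(req, b"wrong secret", users), 1, auth, secret))
```

The wrong-secret case shows why the guide insists the secret match on both sides: with a different secret the server recovers garbage instead of the password and rejects, and the client cannot verify the reply, so authentication fails rather than silently succeeding. Because the hiding is one MD5-derived XOR stream, it protects the password only as well as the secret's entropy; RADIUS over an untrusted segment should additionally be tunneled, for example over IPSec.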
Configuring SecurID Authentication
To operate SecurID authentication, you must configure RADIUS and ACE/Server servers correctly. The
users must also have an approved SecurID token and a PIN (personal identification number). Refer to the
SecurID instructions for more information.
Note
Do not use Steel Belted RADIUS with SecurID. Use the RADIUS software application with RSA
SecurID software.
1. From Policy Manager, select Setup > Authentication Servers. Select the SecurID Server tab.
2. Type the IP address of the SecurID server.
3. Type or accept the port number for SecurID authentication.
The default number is 1812.
4. Type the secret shared between the Firebox® and SecurID server.
The shared secret is case-sensitive and must be the same on the Firebox and SecurID server.
5. Select the time-out value.
This sets the time the Firebox waits for a response from the authentication server before it tries to connect again.
6. Set the number of retry attempts.
This is the number of times the Firebox tries to connect to the authentication server (using the time-out specified
above) before it reports a failed connection for one authentication attempt.
7. Select the group attribute.
The group attribute value is used to set which attribute carries the User Group information. When the SecurID
server sends a message to the Firebox that a user is authenticated, it also sends a User Group string, for example
“engineerGroup” or “financeGroup”. This information is then used for access control.
8. Type the IP address and the port of the backup SecurID server. The backup server must use the same
shared secret as the primary SecurID server.
9. Click OK.
Configuring LDAP Authentication
You can use an LDAP authentication server to authenticate your users to the Firebox®. You must configure both the Firebox and the LDAP server.
1. From Policy Manager, select Setup > Authentication Servers. Select the LDAP tab.
2. Select the Enable LDAP Server check box.
3. Type the IP address of the primary LDAP server for the Firebox to contact with authentication
requests.
4. Select the TCP port number for the Firebox to use to connect to the LDAP server. The default
port number is 389.
Port 389 is plain LDAP with no encryption, so the credentials the Firebox sends to the server can be read by
anyone on the path between them. Keep the LDAP server on a trusted network behind the Firebox.
5. Select the Search Base.
Supply an LDAP search base to identify the organizational unit to search for authentication matches.
6. Select the Group String.
The attribute string that is used to hold user group information on the LDAP server.
7. If necessary, change the time-out value. This is the time the Firebox waits for a response from the
authentication server.
8. Add information for a backup LDAP Server, if you have one.
9. To configure MUVPN users to get authentication information from the LDAP Server, click the
Optional Settings button. You can enter MUVPN client information in the user properties of your
LDAP Server, such as the IP address, subnet mask, or DNS and WINS servers. Then, you can map these
fields to the fields listed in Optional Settings. When the MUVPN user initiates a VPN tunnel through
the Firebox, the Firebox sets the IP address, subnet mask, or DNS and WINS servers for the user
with the information contained in the LDAP user properties.
IP Attribute String
Type the name of the LDAP user property field name that contains the IP address
assignment.
Netmask Attribute String
Type the name of the LDAP user property field name that contains the subnet mask
assignment.
DNS Attribute String
Type the name of the LDAP user property field name that contains the DNS server IP address.
WINS Attribute String
Type the name of the LDAP user property field name that contains the WINS server IP
address.
Lease Time Attribute String
Type the name of the LDAP user property field name that contains the total time allowed for
the MUVPN connection session.
Idle Timeout Attribute String
Type the name of the LDAP user property field name that contains the idle timeout
assignment.
Configuring Active Directory Authentication
You can use an Active Directory authentication server to authenticate your users to the Firebox. You must
configure both the Firebox® and the Active Directory server.
1. From Policy Manager, select Setup > Authentication Servers. Select the Active Directory tab.
2. Select the Enable Active Directory Server check box.
3. Type the IP address of the primary Active Directory server for the Firebox to contact with
authentication requests.
4. Select the TCP port number for the Firebox to use to connect to the Active Directory server. The
default port number is 389.
Port 389 is plain LDAP with no encryption, so the credentials the Firebox sends to the server can be read by
anyone on the path between them. Keep the Active Directory server on a trusted network behind the Firebox.
5. Select the Search Base. The standard format for the search base setting is: cn=common
name,dc=first part of the domain name,dc=each later part of the domain name (the parts separated by
dots). For example, if your domain name is HQ.main, type “cn=users,dc=HQ,dc=main”.
You set a search base to put limits on the directories on the authentication server the Firebox searches in for an
authentication match.
6. Select the Group String.
The attribute string that is used to hold user group information on the Active Directory server.
7. If necessary, change the time-out value. This is the time the Firebox waits for a response from the
authentication server.
8. Add information for a backup Active Directory Server, if you have one.
9. To configure MUVPN users to get authentication information from the Active Directory Server,
click the Optional Settings button. You can enter MUVPN client information in the user
properties of your Active Directory Server, such as the IP address, subnet mask, or DNS and WINS
servers. Then, you can map these fields to the fields listed in Optional Settings. When the
MUVPN user initiates a VPN tunnel through the Firebox, the Firebox sets the IP address, subnet
mask, or DNS and WINS servers for the user with the information contained in the Active
Directory user properties.
IP Attribute String
Type the name of the Active Directory user property field name that contains the IP address
assignment.
Netmask Attribute String
Type the name of the Active Directory user property field name that contains the subnet
mask assignment.
DNS Attribute String
Type the name of the Active Directory user property field name that contains the DNS server
IP address.
WINS Attribute String
Type the name of the Active Directory user property field name that contains the WINS server
IP address.
Lease Time Attribute String
Type the name of the Active Directory user property field name that contains the lease time
assignment.
Idle Timeout Attribute String
Type the name of the Active Directory user property field name that contains the idle
timeout assignment.
Configuring a Policy with User Authentication
After you have configured the Firebox® to use an authentication server, you can start to use user names
when creating policies in Policy Manager. One method you can use is to put a limit on all policies that
connections are allowed only for authenticated users. This is useful when you use DHCP on your network.
1. Create a group on your third-party authentication server that contains all the user accounts.
2. In Policy Manager, add or open your Outgoing policy. Under the From field, click Add User.
The Add User or Group dialog box appears.
3. Use the Choose Type drop-down list to select firewall, MUVPN, or PPTP authentication.
4. Use the Auth Server drop-down list to select the type of authentication server to use.
5. Use the User/Group drop-down list to configure a user or a group.
6. Type the user or group name you created on the authentication server. Click OK.
7. Configure the From fields on all policies in Policy Manager the same way.
8. After you add a user or group to a policy configuration, use the WG-Auth policy that appears in
Policy Manager to control access to the authentication Web page.
CHAPTER 11
Firewall Intrusion Detection and
Prevention
WatchGuard® Fireware and the policies you create in Policy Manager give you strict control over access to
your network. A strict access policy helps to keep hackers out of your network. But, there are other types
of attacks that a strict policy cannot defeat. Careful configuration of the Firebox® default packet handling options can stop attacks such as SYN flood attacks, spoofing attacks, and port or address space
probes.
With default packet handling, a firewall examines the source and destination of each packet it receives. It
looks at the IP address and port number and monitors the packets to look for patterns that show your
network is at risk. If there is a risk, you can set the Firebox to automatically block against the possible
attack. This proactive method of intrusion detection keeps attackers out of your network. You can also
purchase an upgrade to your Firebox to use signature-based intrusion prevention. For more information,
see the chapter “Signature-Based Intrusion Detection and Prevention” in this Configuration Guide.
Using Default Packet Handling Options
The firewall examines the source and destination of each packet it receives. It looks at the IP address and
the port number. The firewall also monitors the packets to look for patterns that can show that your network is at risk.
Default packet handling:
• Rejects a packet that can be a security risk
• Can automatically block all traffic to and from a source IP address
• Adds an event to the log file
• Sends an SNMP trap to the SNMP management server
• Sends a notification of possible security risks
You set all default packet handling options using the Default Packet Handling dialog box.
1. From Policy Manager, select Setup > Intrusion Prevention > Default Packet Handling, or click the
Default Packet Handling icon on the Policy Manager toolbar.
The Default Packet Handling dialog box appears.
2. Select the check box for the traffic patterns you want to prevent, as explained in the sections that
follow. The default configuration sends a log message when one of these events occurs. To configure
an SNMP trap or notification for default packet handling, click Logging.
Spoofing attacks
One procedure that attackers use to get access to your network is to make an “electronic false identity.”
With this “IP spoofing” procedure, the attacker sends a TCP/IP packet with a source IP address that is not
the address of the originating host, for example the address of a host on your trusted network.
With Drop Spoofing Attacks enabled, the Firebox® checks that the source IP address of each packet belongs
to a network that is reachable on the interface the packet arrived on, and drops packets that fail the check.
To protect against spoofing attacks, select the Drop Spoofing Attacks check box from the Default Packet
Handling dialog box.
IP source route attacks
The IP source route options let the sender specify the path a packet takes through the network. Attackers
use them to send packets along a route of their choice, to learn the path to a target from the responses,
and to get replies to packets that would otherwise not reach them, such as packets with a spoofed source
address. A firewall that honors source routing can be bypassed in this way.
To protect against IP source route attacks, select the Drop IP Source Route check box from the Default
Packet Handling dialog box.
“Ping of death” attacks
“Ping of death” is a denial of service (DoS) attack. It is caused by an attacker that sends an IP packet that
is larger than the 65,535 bytes allowed by the IP protocol. This causes some operating systems to crash or
restart.
To protect against ping of death attacks, the Drop Ping of Death feature is always enabled. You cannot
disable this feature.
Port space and address space attacks
Attackers use probes to find information on networks and its hosts. Port space probes examine a host to
find the services that it uses. Address space probes examine a network to see which hosts are on that network.
To protect against port space and address space attacks, select the Block Port Space Probes and the
Block Address Space Probes check boxes from the Default Packet Handling dialog box. You then use the
arrows to select the maximum allowed number of IP address or port probes for each source IP address.
Flood attacks
One type of attack that we see frequently is a flood attack. Attackers send a very high volume of traffic to
a system so it cannot examine and allow permitted network traffic. For example, an ICMP flood attack
occurs when a system receives sufficient ICMP ping commands that it uses all of its resources to send
reply commands. The Firebox can protect against these types of flood attacks:
• IPSec flood attacks
• IKE flood attacks
• ICMP flood attacks
• SYN flood attacks
• UDP flood attacks
Flood attacks are also known as Denial of Service (DoS) attacks. You can use the Default Packet Handling
dialog box to configure the Firebox to protect against these attacks. Select the check boxes for the flood
attacks you want to drop. You then use the arrows to select the maximum allowed number of packets
each second.
Unhandled Packets
An “unhandled” packet is a packet that does not match any rule created in Policy Manager. The Firebox
always denies the packet, but you can select to always automatically block the source. This adds the IP
address that sent the packet to the temporary blocked sites list. You can also send a TCP reset or ICMP
error back to the client when an unhandled packet is received by the Firebox.
Distributed denial of service attacks
Distributed Denial of Service (DDoS) attacks are almost the same as flood attacks, but the traffic comes
from many computers, usually with many different source addresses, so a per-source packet limit alone
does not stop it. You can use the Default Packet Handling dialog box to configure the Firebox to protect
against DDoS attacks. Use the arrow keys to set the maximum allowed number of connections per second to
your servers and from your clients.
Setting Blocked Sites
The Blocked Sites feature helps to prevent network traffic from systems you know or think are dangerous
or a security risk. After you identify the source of suspicious traffic, you block all the connections with
that IP address. You can also configure the Firebox to send a log message each time the source tries to
connect to your network. From the log file, you identify the services that they use to attack.
A blocked site is an IP address that cannot make a connection through the Firebox. If a packet comes
from a system that is blocked, it does not get through the Firebox®.
There are two different types of blocked IP addresses:
• Permanently blocked sites — on a list in the configuration file that you set manually.
• Auto-blocked sites — The IP addresses that the Firebox adds or removes on a temporary blocked
site list. The Firebox uses the packet handling rules, which are specified for each service. For
example, you configure the Firebox to block the IP addresses that try to connect to a blocked port.
These addresses are then blocked for a specified time.
You can use a list of temporarily blocked sites with log messages to help you make a decision about which
IP addresses to block permanently.
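The following Python model is added here as an illustration; it is not WatchGuard code and is not from the original guide. It runs the checks described above over a constructed stream of packets: the anti-spoofing test (the source address belongs to a network on a different interface), the port space and address space probe counters with a per-source threshold, a per-second SYN flood limit, and the temporary blocked sites list that auto-blocking feeds, including a blocked sites exception and expiry of a temporary block. The interface networks, thresholds, and block duration are assumed values chosen for the example, not product defaults.

```python
"""Constructed model of default packet handling and the temporary blocked-sites list it feeds.
Added example, not WatchGuard code; thresholds and the block duration are assumed values."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Networks assigned to each Firebox interface (constructed). A source address that belongs to
# one interface's network but arrives on a different interface is spoofed.
INTERFACE_NETS = {
    "trusted": [ip_network("192.168.0.0/16")],
    "optional": [ip_network("10.10.0.0/16")],
    "external": [ip_network("203.0.113.0/24")],
}
PORT_PROBE_MAX = 10       # distinct destination ports per source before auto-block (assumed)
ADDR_PROBE_MAX = 10       # distinct destination hosts per source before auto-block (assumed)
SYN_FLOOD_MAX = 1000      # SYN packets per source per second before dropping (assumed)
BLOCK_SECONDS = 20 * 60   # how long an auto-blocked source stays on the temporary list (assumed)
EXCEPTIONS = {ip_address("192.168.1.250")}   # blocked-sites exceptions, e.g. your own scanner


@dataclass(frozen=True)
class Event:
    t: float            # seconds
    iface: str          # interface the packet arrived on
    src: IPv4Address
    dst: IPv4Address
    dport: int
    syn: bool = False


class DefaultPacketHandler:
    def __init__(self) -> None:
        self.blocked: dict[IPv4Address, float] = {}      # source -> expiry time
        self.ports = defaultdict(set)                     # source -> destination ports seen
        self.hosts = defaultdict(set)                     # source -> destination hosts seen
        self.syns = defaultdict(int)                      # (source, second) -> SYN count
        self.log: list[str] = []

    @staticmethod
    def is_spoofed(ev: Event) -> bool:
        for iface, nets in INTERFACE_NETS.items():
            if any(ev.src in n for n in nets):
                return iface != ev.iface
        return False     # belongs to no configured interface: a routed address, not spoofed

    def _auto_block(self, ev: Event, reason: str) -> str:
        """Add the source to the temporary blocked-sites list unless it is an exception."""
        if ev.src in EXCEPTIONS:
            self.log.append(f"t={ev.t:.0f} {reason} from {ev.src} not blocked (exception)")
            return "allow"
        self.blocked[ev.src] = ev.t + BLOCK_SECONDS
        self.ports.pop(ev.src, None)                      # counters start over after a block
        self.hosts.pop(ev.src, None)
        self.log.append(f"t={ev.t:.0f} auto-block {ev.src} for {BLOCK_SECONDS}s ({reason})")
        return f"deny:{reason}"

    def handle(self, ev: Event) -> str:
        expiry = self.blocked.get(ev.src)
        if expiry is not None:
            if ev.t < expiry:
                return "deny:blocked-site"
            del self.blocked[ev.src]                      # temporary block has expired
        if self.is_spoofed(ev):
            self.log.append(f"t={ev.t:.0f} spoofed source {ev.src} on {ev.iface}")
            return "deny:spoof"
        self.ports[ev.src].add(ev.dport)
        self.hosts[ev.src].add(ev.dst)
        if len(self.ports[ev.src]) > PORT_PROBE_MAX:
            return self._auto_block(ev, "port-probe")
        if len(self.hosts[ev.src]) > ADDR_PROBE_MAX:
            return self._auto_block(ev, "address-probe")
        if ev.syn:
            key = (ev.src, int(ev.t))
            self.syns[key] += 1
            if self.syns[key] > SYN_FLOOD_MAX:
                return "deny:syn-flood"                    # dropped; the source is not auto-blocked
        return "allow"


def run(events: list[Event]) -> list[str]:
    handler = DefaultPacketHandler()
    return [handler.handle(ev) for ev in events]


def sample_events() -> list[Event]:
    """Constructed traffic: a port scan, a spoofed packet, a scan from an exception host, a return."""
    scanner, victim = ip_address("198.51.100.7"), ip_address("203.0.113.10")
    evs = [Event(t, "external", scanner, victim, 20 + t) for t in range(12)]        # 12 ports
    evs.append(Event(12, "external", ip_address("192.168.1.5"), victim, 80))        # spoofed
    evs += [Event(13, "trusted", ip_address("192.168.1.250"), ip_address(f"192.168.2.{i}"), 445)
            for i in range(1, 13)]                                                   # 12 hosts
    evs.append(Event(13 + BLOCK_SECONDS, "external", scanner, victim, 443))         # after expiry
    return evs


if __name__ == "__main__":
    handler = DefaultPacketHandler()
    for ev, verdict in zip(sample_events(), run(sample_events())):
        print(f"t={ev.t:>5.0f} {ev.iface:8} {ev.src} -> {ev.dst}:{ev.dport} {verdict}")
```

The eleventh distinct port from the scanner trips the port space threshold and lands the source on the temporary list; the next packet is denied as a blocked site without further inspection, and the packet that arrives after the block expires is inspected afresh. The exception host crosses the address space threshold but is never added to the list, which is exactly what the exceptions tab is for. The SYN limit only drops the excess packets; whether to auto-block that source as well is a separate decision in the dialog.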
Blocking a site permanently
You use Policy Manager to permanently block a host that you know is a security risk. For example, a university computer that hackers use frequently is a good host to block.
1
From Policy Manager, select Setup > Intrusion Prevention > Blocked Sites.
The Blocked Sites Configuration dialog box appears.
2
Click Add.
The Add Site dialog box appears.
3
Use the Choose Type drop-down list to select a member type. The selections are Host IP Address,
Network IP Address or Host Range.
4
Type the member value.
The member type shows whether this is an IP address or a range of IP addresses. When you type an IP address, type
all four octets, including the periods.
5
Select OK.
The new site appears in the Blocked Sites list.
Using an external list of blocked sites
You can make a list of blocked sites in an external file. This file must be a .txt file. To add an external
file to your blocked sites list:
1 In the Blocked Sites Configuration dialog box, select Import.
2 Find the file. Double-click it, or select it and select Open.
The sites in the file appear in the Blocked Sites list.
Creating exceptions to the Blocked Sites list
A host that is a blocked sites exception is never added to the list of automatically blocked sites. The
automatic blocking rules do not apply to this host.
1 From Policy Manager, select Setup > Intrusion Prevention > Blocked Sites.
2 Click the Blocked Sites Exceptions tab. Click Add.
3 Use the Choose Type drop-down list to select a member type. The selections are Host IP Address,
Network IP Address or Host Range.
4 Type the member value.
The member type shows whether this is an IP address or a range of IP addresses. When you type an IP address, type
all four octets, including the periods. Do not use the TAB or the arrow key to move between octets.
5 Select OK.
Setting logging and notification parameters
You can configure the Firebox to make a log entry when a host tries to use a blocked site. You can also
set up notification for when a host tries to get access to a blocked site.
1
From the Blocked Sites dialog box, select Logging.
The Logging and Notification dialog box appears.
2
Set the parameters and notification to comply with your security policy:
Enter it in the log
When you enable this check box, the Firebox sends a log message each time a packet is denied
because of your Blocked Sites or Blocked Ports configuration. By default, every service is configured so
that the Firebox sends a log message when it denies a packet.
Send SNMP trap
When you enable this check box, the Firebox sends an SNMP trap, an unsolicited event notification, to
your SNMP management system. A trap reports that a monitored condition has occurred, for example
that a threshold limit was reached.
Send notification
When you enable this check box, the Firebox sends a notification when a packet is denied
because of your Blocked Sites or Blocked Ports configuration. You can configure the Firebox to do one of
these actions:
- E-mail: The Firebox sends an e-mail message when the event occurs. Set the e-mail address in
the Notification tab of the Log Server user interface.
- Pop-up Window: The Firebox makes a dialog box appear on the management station when
the event occurs.
Setting Launch Interval and Repeat Count
You can control the timing of notifications with the Launch Interval and the Repeat Count:
Launch Interval
The minimum time (in minutes) between two notifications for the same event. This parameter prevents
a burst of notifications in a short time for one continuing event.
Repeat Count
The number of notifications for one continuing event after which a special repeat notifier starts. The
repeat notifier makes a repeat log entry for that notification, and the count then starts again.
Here is an example of how to use these two values. The values are set up as follows:
• Launch interval = 5 minutes
• Repeat count = 4
A port space probe starts at 10:00 a.m. and continues each minute. This starts the logging and notification mechanisms. These are the times and the actions that occur:
1 10:00—Initial port space probe (first event)
2 10:01—First notification starts (reports one event)
3 10:06—Second notification starts (reports five events)
4 10:11—Third notification starts (reports five events)
5 10:16—Fourth notification starts (reports five events)
The launch interval, set here to 5 minutes, controls the time between notifications 2, 3, 4 and 5. Multiply the
repeat count by the launch interval (4 x 5 = 20 minutes): this is how long an event must continue before the
repeat notifier starts.
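The schedule above can be reproduced with a small model of the throttle. The following Python is an added example, not code from the guide or from WatchGuard, and the rules it implements are the example's own reading of the description: a notification goes out at the first whole minute after the first unreported event, and then no sooner than one launch interval after the previous notification; each notification reports the events that arrived before it and after the previous one; after the repeat count is reached, the repeat notifier logs an entry and the count restarts. The function names and the timestamps are constructed for the example.

```python
from datetime import datetime, timedelta


def simulate(events, launch_interval, repeat_count, until):
    """Model of the Launch Interval / Repeat Count throttle (added example; the
    rules are an interpretation of the guide's description, not Fireware code).

    events: sorted datetimes, one per probe packet
    until:  last minute to evaluate
    Returns (notifications, repeat_entries): notifications is a list of
    (time, events_reported); repeat_entries lists when the repeat notifier fired.
    """
    notifications, repeat_entries = [], []
    last_sent = None            # time of the previous notification
    unreported = 0              # index of the first event not yet reported
    sent_in_run = 0             # notifications since the repeat notifier last fired
    interval = timedelta(minutes=launch_interval)

    t = events[0].replace(second=0, microsecond=0)
    while t <= until:
        # Events that occurred before this minute and have not been reported.
        n = 0
        while unreported + n < len(events) and events[unreported + n] < t:
            n += 1
        due = last_sent is None or t - last_sent >= interval
        if n and due:
            notifications.append((t, n))
            unreported += n
            last_sent = t
            sent_in_run += 1
            if sent_in_run == repeat_count:      # repeat_count notifications sent
                repeat_entries.append(t)
                sent_in_run = 0
        t += timedelta(minutes=1)
    return notifications, repeat_entries


def guide_example():
    """The guide's scenario: one probe per minute from 10:00, launch interval 5,
    repeat count 4. Timestamps are constructed for the example."""
    start = datetime(2005, 4, 11, 10, 0)
    probes = [start + timedelta(minutes=i) for i in range(21)]
    sent, repeats = simulate(probes, launch_interval=5, repeat_count=4,
                             until=start + timedelta(minutes=20))
    return ([(t.strftime("%H:%M"), n) for t, n in sent],
            [t.strftime("%H:%M") for t in repeats])


def burst_example():
    """Twenty probes inside one minute produce a single notification, which is
    the point of the launch interval: one continuing event, one message."""
    start = datetime(2005, 4, 11, 10, 0)
    probes = [start + timedelta(seconds=3 * i) for i in range(20)]
    sent, _ = simulate(probes, launch_interval=5, repeat_count=4,
                       until=start + timedelta(minutes=10))
    return [(t.strftime("%H:%M"), n) for t, n in sent]


if __name__ == "__main__":
    print(guide_example())
    print(burst_example())
```

The first call returns the four notification times from the example (10:01, 10:06, 10:11, 10:16) with the event counts 1, 5, 5, 5, and a repeat-notifier entry at 10:16; the second shows that a burst of probes inside one minute collapses into one notification.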
Blocking sites temporarily with policy settings
You can use the policy configuration to block sites that try to use a denied service:
1 From Policy Manager, double-click the policy icon.
The Properties dialog box appears.
2 On the Policy tab, make sure you set the Connections Are drop-down list to Denied.
3 On the Properties tab, select the check box Automatically block sites that attempt to connect.
Blocking Ports
You can block the ports that you know can be used to attack your network. This stops the specified network
services from outside your network. A blocked port overrides every policy: traffic to that destination port
is denied even if a policy would otherwise allow it.
You can block a port because:
• Blocked Ports protect your most sensitive services. The feature helps protect you from errors in your
Firebox® configuration, because no policy can accidentally open a blocked port.
• Probes against sensitive services make independent log entries, separate from the policy logs.
With the default configuration, the Firebox blocks some destination ports. This gives a basic configuration that you usually do not have to change. It blocks TCP and UDP packets for these ports:
X Window System (ports 6000-6005)
The X Window System (or X-Windows) client connection is not encrypted and is dangerous to use
on the Internet.
X Font Server (port 7100)
Many versions of X-Windows operate X Font Servers. The X Font Servers operate as the super-user
on some hosts.
NFS (port 2049)
NFS (Network File System) is a frequently used TCP/IP service that lets many users share the same
files on a network. But NFS has serious authentication and security weaknesses. Exposing NFS to
the Internet is very dangerous.
Note
NFS usually runs on port 2049, but the port is assigned through the portmapper and can differ. If
you use NFS, make sure that NFS uses port 2049 on all your systems, so that this block is effective.
rlogin, rsh, rcp (ports 513, 514)
These services give remote access to other computers. They are a security risk and many attackers
probe for these services.
RPC portmapper (port 111)
The RPC Services use port 111 to find which ports a given RPC server uses. The RPC services are
easy to attack through the Internet.
port 8000
Many vendors use this port, and there are many security problems related to it.
port 1
The TCPmux service uses port 1, but it is rarely needed. Blocking it makes it more difficult for
port-scanning tools to enumerate your services.
port 0
This port is always blocked by the Firebox. You cannot add this port to the blocked ports list. You
cannot allow traffic on port 0 through the Firebox.
Note
If you must allow traffic for software applications that use the recommended blocked ports, we
recommend that you allow the traffic only through an IPSec VPN tunnel, or that you tunnel the port
over SSH, for more security.
Avoiding problems with blocked ports
Blocked ports can cause problems of their own. Be very careful if you block port numbers greater than
1023. Clients frequently use these ports as their source ports, so the reply traffic to a client arrives with
such a port as its destination port, and a block on that port silently breaks the client's connection.
Blocking a port permanently
1
From Policy Manager, select Setup > Intrusion Prevention > Blocked Ports.
The Blocked Ports dialog box appears.
2
Type the port number. Click Add.
The new port number appears in the Blocked Ports list.
Automatically blocking IP addresses that try to use blocked ports
You can configure the Firebox to automatically block an external host that tries to get access to a blocked
port. In the Blocked Ports dialog box, select the Automatically block sites that try to use blocked ports
check box.
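The Blocked Sites mechanics of the previous section (permanent entries of the three member types, temporary auto-blocked entries that expire, exceptions that are never auto-blocked) and the Blocked Ports mechanics of this one (the default port list checked ahead of every policy, auto-blocking a source that probes a blocked port, a denied policy that auto-blocks) can be modelled together. The following Python is an added example, not Fireware code: the order of the checks, the class and function names, the log line format and the 1200-second auto-block duration are assumptions made for the example, and the addresses are RFC 5737 documentation ranges. The last two packets show the high-port caveat above: a client whose ephemeral source port falls inside the default X Window range never sees its reply.

```python
import ipaddress
from collections import namedtuple

# Destination ports the guide lists as blocked in the default configuration.
DEFAULT_BLOCKED_PORTS = set(range(6000, 6006)) | {7100, 2049, 513, 514, 111, 8000, 1, 0}
Packet = namedtuple("Packet", "src dst sport dport")

def allow_all(pkt):
    """Stand-in policy: Connections Are = Allowed. Returns (decision, auto_block)."""
    return "allow", False

def denied_telnet(pkt):
    """Stand-in for a Denied policy on TCP/23 with the Properties-tab option
    'Automatically block sites that attempt to connect' selected."""
    return ("deny", True) if pkt.dport == 23 else ("allow", False)

class Firebox:
    """Model of the Blocked Sites and Blocked Ports checks (added example; the
    order of checks and the data structures are assumptions, not Fireware)."""

    def __init__(self, auto_block_seconds=1200):
        self.permanent, self.exceptions = [], []   # lists of ip_network objects
        self.temporary = {}                        # auto-blocked address -> expiry time
        self.blocked_ports = set(DEFAULT_BLOCKED_PORTS)   # port 0 can never be removed
        self.auto_block_seconds = auto_block_seconds
        self.log = []

    @staticmethod
    def _members(kind, value):
        """Expand a Host I
Address, Network IP Address or Host Range entry."""
        if kind == "host":
            return [ipaddress.ip_network(value)]
        if kind == "network":
            return [ipaddress.ip_network(value, strict=False)]
        if kind == "range":
            lo, hi = (ipaddress.ip_address(v.strip()) for v in value.split("-"))
            return list(ipaddress.summarize_address_range(lo, hi))
        raise ValueError(f"unknown member type {kind!r}")

    def block_site(self, kind, value):
        self.permanent += self._members(kind, value)

    def add_exception(self, kind, value):
        self.exceptions += self._members(kind, value)

    @staticmethod
    def _listed(ip, nets):
        return any(ip in net for net in nets)

    def _auto_block(self, ip, now, reason):
        if self._listed(ip, self.exceptions):      # exceptions are never auto-blocked
            return
        self.temporary[ip] = now + self.auto_block_seconds
        self.log.append(f"t={now} auto-block {ip} for {self.auto_block_seconds}s: {reason}")

    def handle(self, pkt, now, policy=allow_all):
        """Return 'allow' or 'deny' for one packet at time `now` (seconds)."""
        src = ipaddress.ip_address(pkt.src)
        flow = f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}"
        if src in self.temporary and self.temporary[src] <= now:
            del self.temporary[src]                # temporary block has expired
        if self._listed(src, self.permanent) or src in self.temporary:
            self.log.append(f"t={now} deny {flow}: blocked site")
            return "deny"
        if pkt.dport in self.blocked_ports:        # checked before any policy
            self.log.append(f"t={now} deny {flow}: blocked port")
            self._auto_block(src, now, f"tried blocked port {pkt.dport}")
            return "deny"
        decision, auto_block = policy(pkt)
        if decision == "deny" and auto_block:
            self._auto_block(src, now, f"denied by policy on port {pkt.dport}")
        return decision

def demo():
    """Constructed scenario using RFC 5737 documentation addresses."""
    fb = Firebox(auto_block_seconds=1200)
    fb.block_site("host", "198.51.100.7")
    fb.block_site("network", "203.0.113.0/24")
    fb.block_site("range", "192.0.2.10-192.0.2.20")
    fb.add_exception("host", "192.0.2.200")
    inside, r = "10.0.0.5", {}
    r["permanent_host"] = fb.handle(Packet("198.51.100.7", inside, 40000, 80), now=0)
    r["permanent_range"] = fb.handle(Packet("192.0.2.15", inside, 40000, 80), now=0)
    r["clean"] = fb.handle(Packet("192.0.2.99", inside, 40000, 80), now=0)
    # One NFS probe auto-blocks the source; even port 80 is denied until expiry.
    r["nfs_probe"] = fb.handle(Packet("192.0.2.99", inside, 40001, 2049), now=1)
    r["after_probe"] = fb.handle(Packet("192.0.2.99", inside, 40002, 80), now=2)
    r["after_expiry"] = fb.handle(Packet("192.0.2.99", inside, 40003, 80), now=1201)
    # An exception host is still denied on the blocked port, but not auto-blocked.
    r["exception_probe"] = fb.handle(Packet("192.0.2.200", inside, 40004, 111), now=3)
    r["exception_after"] = fb.handle(Packet("192.0.2.200", inside, 40005, 80), now=4)
    # A Denied policy with 'Automatically block sites that attempt to connect'.
    r["telnet_attempt"] = fb.handle(Packet("192.0.2.50", inside, 40006, 23), now=5, policy=denied_telnet)
    r["telnet_after"] = fb.handle(Packet("192.0.2.50", inside, 40007, 80), now=6)
    # The high-port caveat: the client's request leaves, but the reply arrives
    # with destination port 6001, inside the default X Window block.
    r["client_request"] = fb.handle(Packet(inside, "198.51.100.200", 6001, 80), now=7)
    r["server_reply"] = fb.handle(Packet("198.51.100.200", inside, 80, 6001), now=8)
    return r, fb.log
```

Running `demo()` and printing `fb.log` shows the auto-block entries. Note that the exception host's probe of port 111 is denied and logged, but no auto-block line is written for it, and that the server reply on port 6001 both fails and auto-blocks an innocent server.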
Setting logging and notification for blocked ports
You can configure the Firebox to make a log entry when a host tries to use a blocked port. You can also
set up notification or set the Firebox to send an SNMP trap to an SNMP management server when a host
tries to get access to a blocked port.
To set logging and notification parameters for blocked ports, use the same procedure as the one for
blocked sites, as described in “Setting logging and notification parameters” on page 123.
CHAPTER 12
Using Signature-Based Security Services
Hackers use many methods to attack computers on the Internet. These attacks are created to cause damage to your network, get sensitive information, or use your computers to attack other networks. These
attacks are known as intrusions.
WatchGuard® supplies Signature-Based Intrusion Prevention Service and Gateway AntiVirus for E-mail™
that can identify and stop possible intrusion attacks. The Intrusion Prevention Service operates with all
WatchGuard proxies. WatchGuard Gateway AntiVirus for E-mail operates with the SMTP proxy.
When a new intrusion attack is found, the features that make the virus or attack unique are identified and
recorded. These features are known as the signature. Gateway AntiVirus for E-mail and Signature-Based
Intrusion Prevention Service use these signatures to find viruses and intrusion attacks.
New viruses and intrusion methods appear on the Internet frequently. To make sure that Gateway AntiVirus for E-mail and the Intrusion Prevention Service give your network the best protection, you must
update the signatures frequently. You can configure the Firebox® to update signatures automatically from
WatchGuard. You can also update signatures manually on your Firebox. These updates are made available
when new viruses and attacks are identified.
Note
You must keep signatures current to get the best protection from Gateway AntiVirus for E-mail and
Intrusion Prevention Service. New virus and intrusion threats appear frequently. WatchGuard cannot
guarantee that the product can stop all viruses or intrusions, or prevent damage to your systems or
networks from a virus or intrusion attack.
Installing the Software Licenses
To install Gateway AntiVirus for E-mail™ or Intrusion Prevention Service, you must have:
• A license key for each feature
• An SMTP e-mail server behind the Firebox®, for Gateway AntiVirus for E-Mail
1 From Policy Manager, select Setup > Licensed Features.
The Licensed Features dialog box appears.
2 Click Add.
3 In the Add/Import License Keys dialog box, type or paste your license key. You can click Browse to
find it on your computer or network. Click OK.
The license key appears on the Licensed Features dialog box.
Note
The Gateway AntiVirus for E-mail and Intrusion Prevention Service products are available only for
Firebox X devices. These products do not operate on Firebox X Edge devices.
Configuring Gateway AntiVirus for E-mail
WatchGuard® Gateway AntiVirus for E-mail™ stops viruses before they get to computers on your network.
Gateway AntiVirus for E-mail uses the WatchGuard SMTP proxy. When you enable Gateway AntiVirus for
E-mail, the SMTP proxy looks at e-mail messages, finds viruses, and removes them.
Note
Gateway AntiVirus for E-mail with the SMTP proxy examines e-mail for viruses. If your organization
does not use SMTP to get e-mail, Gateway AntiVirus for E-mail does not give virus protection.
Gateway AntiVirus for E-mail finds viruses encoded with frequently used e-mail attachment methods.
These include base64, binary, 7-bit, and 8-bit encoding. Gateway AntiVirus for E-mail does not find
viruses in uuencoded or binhex-encoded messages; the Firebox® strips these types of messages.
Before you use Gateway AntiVirus for E-mail in an SMTP proxy policy, you must configure the feature. To
do this:
1 From WatchGuard System Manager, select the Firebox that will use Gateway AntiVirus for E-mail.
2 Select Tools > Policy Manager.
Or, you can click the Policy Manager icon on the WatchGuard System Manager toolbar.
3 From Policy Manager, select Setup > AntiVirus.
The AntiVirus dialog box appears.
4 To enable automatic virus signature updates, select the Automatic update check box.
5 On the Engine Settings tab, set the maximum file size to scan.
6 To scan inside compressed attachments, select the Uncompress archives check box. Select or type
the number of compression levels to scan.
Compressed attachments that cannot be scanned include files that use a type of compression that we do not
support, such as password-protected Zip files.
7 Click OK.
8 Select File > Save > To Firebox.
9 Type your configuration passphrase and click OK.
Configuring Gateway AntiVirus for E-mail in the SMTP Proxy
You use Gateway AntiVirus for E-mail™ to find and stop viruses with the SMTP proxy. The Firebox® uses
the SMTP proxy to examine e-mail messages.
This chapter gives you the basic procedure to add an SMTP proxy, and the procedure for configuring
Gateway AntiVirus for E-mail. For full configuration information for the SMTP proxy, see “Configuring
the SMTP Proxy” on page 83.
Adding an SMTP Proxy with AntiVirus
To add an SMTP proxy and configure Gateway AntiVirus for E-mail:
1 Start Policy Manager.
2 Select Edit > Add Policies, open the Proxies folder, and select SMTP-Proxy.
3 Click Add.
4 Type a name for the policy.
5 Configure the From and To destination information to make the proxy allow traffic between two
destinations.
Default configurations are included for you to select from.
6 Click the Properties tab. In the Proxy area, select the proxy configuration to use.
7 Click the View/Edit icon to see the proxy configuration.
8 In the Categories section, expand Attachments, and then click Content Types.
9 In the Actions to Take section at the bottom of the dialog box, select AV Scan from the drop-down
list adjacent to If Matched.
10 In the Actions to Take section, select AV Scan from the drop-down list adjacent to None Matched.
11 In the Categories section, expand Attachments, and then click Filenames.
12 Do steps 9 and 10 for the Filenames category.
13 Under Categories, click Antivirus.
There are three antivirus responses that Gateway AntiVirus can have:
• Attachments that have viruses in them.
• Attachments that are too large for the antivirus service to scan.
• Attachments that the antivirus service cannot scan for other causes.
Note
You can configure the maximum size for attachments by configuring engine settings in Policy
Manager. Go to Setup > AntiVirus, and click the Engine Settings tab.
You can select from five actions for attachments.
Allow
Allow the attachment to go to the recipient, even if the content contains a virus.
Lock
Lock the attachment. This is a good option for files that are too large for Gateway AntiVirus or
that cannot be scanned by the Firebox. A file that is locked cannot be opened easily by the user.
Only the administrator can unlock the file. The administrator can use a different antivirus tool to
scan the file and examine the content of the attachment.
Strip
Strip the attachment to remove it from the message and delete it.
Drop
Drop the attachment to stop the message and drop the connection. No information is sent to the
source of the message.
Block
Block a message to drop the attachment, and to add the IP address of the sender to the Blocked
Sites list.
Note
If you set the configuration to Allow attachments, your configuration is less secure.
14 When you have configured the antivirus settings for the proxy, click OK.
If you have made changes to a preconfigured proxy definition, you must save the new configuration with a
different name. Type a name for the proxy definition and click OK.
15 Click OK to close the Add Policy dialog box.
16 Save the configuration to the Firebox. Select File > Save > To Firebox.
17 Click OK to save the file to the Firebox.
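The attachment handling this procedure configures, as an added example in Python (not WatchGuard code): it scans only the transfer encodings the guide lists, strips uuencoded parts, treats oversize attachments and password-protected or too-deeply nested archives as separate responses, and maps each response to a configured action. The EICAR test string stands in for the signature database, the verdict and action names and all function names are the example's own, and the message is constructed inline. The Block action (adding the sender to the Blocked Sites list) is not modelled here.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# The EICAR test string stands in for the signature database (assumption). It is
# split in two so that this source file itself does not trip an on-access scanner.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SCANNABLE = {"base64", "binary", "7bit", "8bit"}      # encodings the guide lists as scanned
ACTIONS = {"virus": "strip", "too_large": "lock", "cannot_scan": "lock"}   # per-response actions

def scan_bytes(data, max_size, levels):
    """Return 'clean', 'virus', 'too_large' or 'cannot_scan' for one attachment.
    Zip archives are opened recursively, at most `levels` deep."""
    if len(data) > max_size:
        return "too_large"
    if EICAR in data:
        return "virus"
    if data[:2] != b"PK":
        return "clean"
    if levels == 0:                                   # nested deeper than configured
        return "cannot_scan"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:              # password-protected member
                    return "cannot_scan"
                if info.file_size > max_size:         # do not inflate oversize members
                    return "too_large"
                verdict = scan_bytes(zf.read(info), max_size, levels - 1)
                if verdict != "clean":
                    return verdict
    except zipfile.BadZipFile:
        return "cannot_scan"
    return "clean"

def process_message(raw, max_size, levels, actions=ACTIONS):
    """Map each attachment of a raw RFC 822 message to (verdict, action)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).lower()
        if cte not in SCANNABLE:                      # uuencode, binhex: stripped unscanned
            out[name] = ("not_scanned", "strip")
            continue
        verdict = scan_bytes(part.get_payload(decode=True), max_size, levels)
        out[name] = (verdict, "allow" if verdict == "clean" else actions[verdict])
    return out

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag in a one-member zip's local and central headers.
    The stdlib cannot write encrypted zips; this only makes the archive look
    password protected to a reader, which is all the scanner checks."""
    b = bytearray(zip_bytes)
    b[b.find(b"PK\x03\x04") + 6] |= 1
    b[b.find(b"PK\x01\x02") + 8] |= 1
    return bytes(b)

def sample_message(max_size):
    """Constructed message that exercises every response."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "staff@example.org", "report"
    msg.set_content("Figures attached.")
    def att(data, name, subtype="octet-stream"):
        msg.add_attachment(data, maintype="application", subtype=subtype, filename=name)
    att(b"plain numbers", "numbers.bin")
    att(EICAR, "eicar.com")
    inner = make_zip({"eicar.txt": EICAR + b"\n" + b"0" * 2000})   # found two levels down
    att(make_zip({"inner.zip": inner}), "nested.zip", "zip")
    att(mark_encrypted(make_zip({"secret.txt": b"top secret"})), "locked.zip", "zip")
    att(b"A" * (max_size + 1), "huge.bin")
    uu = EmailMessage()                               # legacy uuencoded attachment
    uu["Content-Type"] = 'application/octet-stream; name="legacy.uu"'
    uu["Content-Transfer-Encoding"] = "x-uuencode"
    uu["Content-Disposition"] = 'attachment; filename="legacy.uu"'
    uu.set_payload("begin 644 legacy.txt\n%:&5L;&\\`\n`\nend\n")
    msg.attach(uu)
    return msg.as_bytes()

def demo(max_size=100_000, levels=3):
    return process_message(sample_message(max_size), max_size, levels)
```

`demo()` returns one (verdict, action) pair per attachment; calling it with `levels=1` shows the effect of the compression-level setting, because the archive nested two deep can then no longer be scanned and falls under the "cannot scan" action instead of being caught as a virus.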
Using Gateway AntiVirus for E-mail with more than one proxy
You can use more than one SMTP Proxy to find and remove viruses for different servers in your organization.
Each proxy that uses Gateway AntiVirus for E-mail is configured with options that are special to that
proxy. For example, you can use different proxy antivirus configurations for e-mail that is for different
servers or different destinations. You can strip attachments that are too large to scan for some users, and
allow the same attachments for other users.
Getting Gateway AntiVirus for E-mail Status and Updates
You can see the status and get updates for Gateway AntiVirus for E-mail™ on the Security Services tab in
Firebox® System Manager. For more information on this tab, see “Security Services” on page 27.
Seeing service status
Gateway AntiVirus for E-mail status shows you whether protection is active. You can also see information
about the virus scanner, virus signature versions, and when the signatures were updated.
To see service status:
1 From WatchGuard® System Manager, select the Firebox. Select Tools > Firebox System Manager.
You can also click the Firebox System Manager icon on the WatchGuard System Manager toolbar.
2 Click the Security Services tab.
The window shows the status of the installed security services. Licenses for these features must be
installed to see status information.
Updating signatures manually
Gateway AntiVirus for E-mail can be configured to update signatures automatically. You can also update
signatures manually. If the signatures are not current, you are not protected from the latest viruses and
attacks.
To update the services manually:
1 Start Firebox System Manager.
2 Click the Security Services tab.
Security service status appears.
3 Click Update for the service you want to update. You must type your configuration passphrase.
The Firebox downloads the most recent available signature update for Gateway AntiVirus for E-mail. You see
information about the update in Traffic Monitor.
If no updates are available, the Update button is not active.
Updating the antivirus software
Because there are new types of attacks all the time, you must regularly update your antivirus software.
When it is necessary, WatchGuard releases updates to the antivirus database and to the antivirus software.
When we release an update, you get an e-mail from LiveSecurity. You have access to all updates while
your Gateway Antivirus subscription is active.
To download software updates, log in to your LiveSecurity® account at:
www.watchguard.com/support
Monitoring Gateway AntiVirus for E-mail
You can use your WatchGuard tools to monitor Gateway AntiVirus for E-mail™. These include: Firebox
System Manager, Historical Reports, and LogViewer.
Configuring Gateway AntiVirus for E-mail to record log messages
Gateway AntiVirus for E-mail can record log messages for all of the three antivirus responses.
To record log messages:
1 Start Policy Manager. Double-click the SMTP Proxy icon.
2 Click the Properties tab.
The Properties tab appears.
3 In the Proxy area, click the Show/Edit icon.
The Proxy configuration appears.
4 To record log messages, select the Log check box for the antivirus response. If you do not want to
record log messages for an antivirus response, clear the Log check box for that antivirus response.
5 To create an alarm for an antivirus response, select the Alarm check box for that antivirus response. If
you do not want an alarm for an antivirus response, clear the Alarm check box for that antivirus
response.
6 Click OK.
If you are editing a preconfigured proxy configuration, Policy Manager requests that you save the proxy with a
new name. Type a name and click OK.
7 Click OK to close the SMTP Proxy Configuration dialog box.
Note
The Proxy and A/V alarms must be configured for notification to occur. See “Customizing Logging and
Notification for proxy rules” on page 82.
Configuring the Signature-Based Intrusion Prevention Service
Before you use the Signature-Based Intrusion Prevention Service in a proxy policy, you must configure the
feature. To do this:
1 From WatchGuard® System Manager, select the Firebox® that uses the service.
2 Select Tools > Policy Manager.
You can also click the Policy Manager icon on the WatchGuard System Manager toolbar.
3 From Policy Manager, select Setup > Intrusion Prevention > IPS Signature.
The IPS Signature dialog box appears.
4 To get automatic updates to the Intrusion Prevention signatures, select the Automatic update check
box.
5 Select or type the frequency of updates, in minutes.
6 Select or type the number of times to try to connect to the server.
7 Click OK.
8 Select File > Save > To Firebox.
9 Click OK.
Configuring Intrusion Prevention Service in a Proxy
You use Intrusion Prevention Service to find and stop attacks with the WatchGuard® proxies. The Firebox®
Intrusion Prevention Service examines DNS, FTP, HTTP, and SMTP traffic, and also other TCP-based traffic using the TCP proxy.
Adding a proxy with Intrusion Prevention Service
To add a proxy and configure Signature-Based Intrusion Prevention Service:
1 Start Policy Manager.
2 Select Edit > Add Policies, expand the Proxies folder, and select the proxy to add.
3 Click Add.
4 Type a name for the policy.
5 Configure the From and To destination information to make the proxy allow traffic between two
destinations.
Some proxies include one default configuration. Some proxies include different default configurations for
incoming and outgoing directions. Other proxies include default configurations for client and server.
6 Click the Properties tab. In the Proxy drop-down list, select the proxy configuration to use.
7 Click the View/Edit icon to see the proxy configuration. In the Categories section, click Intrusion
Prevention.
8 To enable intrusion prevention for this proxy, select the Enable Intrusion Prevention check box.
9 For most proxies, you can configure actions for three intrusion severity levels: High, Medium, and
Low. For more information on intrusion levels, see “About intrusion severity levels” on page 136.
Each severity level has four actions:
Allow
You allow a packet to go to the recipient, even if the content matches a signature.
Deny
You deny a packet to stop the packet and send a deny message to the sender.
Drop
You drop a packet to stop the packet without sending a notification to the sender.
Block
You block the message, drop the packet, and add the IP address that the packet started from to
the temporary blocked sites list.
Note
If you set the configuration to allow packets for one of these three severity levels, your configuration
is less secure.
10 When you have configured the intrusion prevention settings for the proxy, click OK.
If you have made changes to a preconfigured proxy definition, Policy Manager requests that you save the new
configuration with a different name. Type a name for the proxy definition and click OK.
11 Click OK to close the New Policy Properties dialog box.
12 Save the configuration to the Firebox. Select File > Save > To Firebox.
13 Type the configuration passphrase in the Save Firebox dialog box.
14 Click OK to save the file to the Firebox.
About intrusion severity levels
The three intrusion severity levels look for the following:
High
Vulnerabilities that allow remote access or execution of code, such as buffer overflows, remote
command execution, password disclosure, backdoors, and security bypass.
Medium
Vulnerabilities that allow access, disclose source code to attackers, and deny access to legitimate
users. Examples are directory traversal, file/source disclosure, DoS, SQL injection, and cross-site
scripting.
Low
Vulnerabilities that do not give the attacker direct access, but let the attacker collect information that
can be used in an attack. For example, an attacker can send a command that returns information about
the operating system, IP addresses, or the network path to a network. Signatures that detect access to
vulnerable software applications but are not very specific in content also get this level of severity.
Some signatures that would usually be in the High or Medium level are put in lower levels if their content
is not very detailed, or if they have a wide scope that could cause false positives.
Using advanced HTTP proxy features
The HTTP proxy offers additional intrusion prevention features for stronger protection.
Signatures
These options allow you to configure the proxy to use a more accurate list of signatures for HTTP client
or HTTP server software applications.
Client
This set of signatures protects HTTP clients from attacks.
Server
This set of signatures protects HTTP servers from attacks.
Common to both endpoints
Select this check box to use signatures that can protect an HTTP client and an HTTP server.
Preventing Instant Messaging (IM) and Peer to Peer (P2P) use
The HTTP Proxy and the TCP proxy include options to prevent Instant Messaging (IM) and Peer to Peer
(P2P) use. These options can give more protection against new P2P and IM features and services.
The Intrusion Prevention Service finds these types of IM services. This includes their Web versions:
• MSN Messenger
• Yahoo Messenger
• AOL Instant Messenger (AIM)
• ICQ
The Intrusion Prevention Service finds these types of P2P services:
• Napster
• GNUtella
• Kazaa
• Morpheus
• BitTorrent
• eDonkey2000 (ed2k)
• IRC
• Phatbot
These options are given for IM and P2P signatures:
Detect IM (Instant Messaging) with action
Select this check box to enable a set of signatures that detect Instant Messaging traffic. You can
then use the action Allow, Drop, Deny, or Block.
Detect P2P (Peer to Peer) with action
Select this check box to enable a set of signatures that detect Peer to Peer traffic. You can then
use the action Allow, Drop, Deny, or Block.
Getting Intrusion Prevention Service Status and Updates
You can see the status and get updates for Intrusion Prevention Service on the Security Services tab in
Firebox® System Manager. For more information on this tab, see “Security Services” on page 27.
Seeing service status
Intrusion Prevention Service status shows you whether protection is active. You can also see information
about the signature versions.
To see service status:
1 From WatchGuard® System Manager, select the Firebox. Select Tools > Firebox System Manager.
You can also click the Firebox System Manager icon on the WatchGuard System Manager toolbar.
2 Click the Security Services tab.
The window shows the status for the installed security services. Licenses for these features must be installed to see
status information.
3 Click History to see the date, version, and status of the signature updates that have occurred.
Updating signatures manually
Intrusion Prevention Service can be configured to update signatures automatically. You can also update
signatures manually. If the signatures are not current, you are not protected from the latest viruses and
attacks.
To update the services manually:
1 Start Firebox System Manager.
2 Click the Security Services tab.
Security service status appears.
3 Click Update for the service to update.
The Firebox downloads the most recent available signature update. You see information about the update in Traffic
Monitor.
If there are no updates available, the Update button is not active.
PART I
Using Virtual Private Networks
CHAPTER 14
Introduction to VPNs
The Internet is a public network. On this system of computers and networks, one computer can get information from other computers. It is possible for a person to read unsecured data packets that you send on
the Internet. To send secure data on the Internet between offices, networks, and users, you must use
stronger security.
Virtual private networks (VPNs) use encryption technology to decrease security risks, and to secure private
information on the public Internet. A virtual private network lets data flow safely across the Internet
between two networks. VPN tunnels can also secure connections between a host and a network.
The networks and hosts at the endpoints of a VPN can be corporate headquarters, branch offices, and
remote users.
VPN tunnels use authentication to verify the identity of the sender and the recipient. Only when the authentication
succeeds does the receiving endpoint decrypt the data, so only the sender and the recipient of the message can read it
in clear text.
For more information on VPN technology, see the online information at:
http://www.watchguard.com/support
The WatchGuard® Support Web site contains links to documentation, basic FAQs, advanced FAQs, and
the WatchGuard User’s Forum. You must log in to the Support Web Site to use some features.
Tunneling Protocols
Tunnels allow users to send data in secure packets across a network that is not secure, usually the Internet. A tunnel is a group of security protocols, encryption algorithms, and rules. The tunnel uses this information to send secure traffic from one endpoint to the other. A tunnel allows users to connect to
resources and computers from other networks.
Tunneling protocols supply the infrastructure and define how data is transmitted through the tunnel.
The two tunneling protocols that WatchGuard® uses are Internet Protocol Security (IPSec) and Point-to-Point Tunneling Protocol (PPTP).
IPSec
You use the IPSec protocol to examine IP packets and make sure they are authenticated. IPSec includes
security features such as very strong authentication to protect the privacy of the information that you
transmit on the Internet. IPSec is a standard that works with many systems from different manufacturers.
IPSec includes two protocols that protect data integrity and confidentiality. The AH (Authentication
Header) protocol provides data integrity and origin authentication, but does not encrypt the payload. The ESP
(Encapsulating Security Payload) protocol gives data integrity and confidentiality.
PPTP
Point to Point Tunneling Protocol (PPTP) is a VPN standard that can be used with many systems from different manufacturers. PPTP allows tunnels to corporate networks and to other PPTP-enabled systems. PPTP is not as secure as IPSec and cannot connect two networks. PPTP can only secure
one IP address to one other IP address or to a network. PPTP supplies an inexpensive tunnel alternative to a corporate network that is easier to set up than IPSec.
Encryption
On a network that is not secure, hackers can find transmitted packets very easily. VPN tunnels use encryption to keep this data secure.
The length of the encryption key, together with the algorithm used, set the encryption strength for the
VPN. A longer key gives better encryption and more security. The level of encryption is set to give the performance and security that is necessary for the organization. Stronger encryption usually gives a higher
level of security, but can have a negative effect on performance.
Basic encryption allows sufficient security with good throughput for tunnels that do not transmit sensitive data. For administrative connections and for connections where privacy is critical, we recommend
strong encryption.
The host or the IPSec device that sends a packet through the tunnel encrypts the packet. The recipient at
the other end of the tunnel decrypts the packet. Therefore, the two endpoints must agree on all the tunnel parameters. This includes the encryption and authentication algorithms, the hosts or networks allowed
to send data across the tunnel, the time period for calculating a new key, and other parameters.
Selecting an encryption and data integrity method
Think of security and performance when you select the encryption and data integrity algorithms to use.
We recommend AES, the strongest of the encryption types, for sensitive data. Fireware Pro uses AES 256
as the default encryption algorithm.
Data integrity makes sure that the data a VPN endpoint receives is not changed in transit. Two types of data authentication are supported. The first type is 128-bit Message Digest 5 (MD5-HMAC). The
second type is 160-bit Secure Hash Algorithm (SHA1-HMAC).
Authentication
An important part of security for a virtual private network (VPN) is to make sure that the sender and
recipient are authenticated. There are two methods, passphrase authentication (also called a shared secret)
and digital certificates. A shared secret is a passphrase that is the same for the two ends of the tunnel.
Digital certificates use public key cryptography to identify and authenticate the end gateways. You can
use certificates for authentication for any VPN tunnel you create with your WatchGuard Management
Server. For more information on the certificates, see the WatchGuard® System Manager User Guide.
Extended authentication
Authentication for a remote user can occur through a database that is stored on the Firebox, or through
an external authentication server. An example of an external authentication server is the Remote Authentication Dial-In User Service (RADIUS). An authentication server is a safe third party that authenticates
other systems on a network. With Mobile User VPN, the remote user must type a user name and password
each time a VPN is started.
Selecting an authentication method
A primary part of a VPN is its method of user authentication. When you use shared secrets safely, you
must make sure that you:
• Make users select strong passwords.
• Change passwords frequently.
When you use RUVPN with PPTP or Mobile User VPN, it is especially important to use strong passwords.
When you put the security of VPN endpoints at risk, you can put the security of the network at risk. If, for
example, a person steals a laptop computer and finds the password, that person has direct access to the
network.
Digital certificates are electronic records that identify the user. For more information about certificates,
see the WatchGuard System Manager User Guide. The Certificate Authority (CA), a safe third party, manages the certificates. In the WatchGuard System Manager, you can configure a Firebox to operate as a CA.
This type of authentication can be safer than shared secrets.
IP Addressing
Correct use of the IP address is important when you make a VPN tunnel. It is best if the private IP
addresses of the computers at one side of the VPN tunnel are not the same as the private IP addresses you
use at the other side of the VPN tunnel. If you have branch offices, use subnets at each location that are
different from the primary office network. If it is possible, use subnets that are almost the same as the
Firebox® subnet when you set up a branch office.
For example, if the primary Firebox network uses 192.168.100.0/24, then for the branch offices use
192.168.101.0/24, 192.168.102.0/24, and so on. This prevents new problems if you expand your network,
and it helps you remember the IP addresses at your branch offices.
For Mobile User VPN and RUVPN tunnels, the Firebox gives each remote user a virtual IP address. The
easiest method to give virtual IP addresses is to give virtual IP addresses that come from the primary network but are not used for any other computer. You cannot use the same virtual IP address for RUVPN and
for Mobile User VPN remote users. You also cannot use a virtual IP address that can be on a computer at
a different location on the primary network.
If your primary network does not have sufficient IP addresses to do this, the safest procedure is to install
a “placeholder” secondary network. Select a range of addresses for it and use an IP address from that
range for the virtual IP address.
This lets you select from a range of addresses. There is no interference from these addresses with real host
addresses in use behind the Firebox. If you use this procedure for RUVPN virtual IP addresses, you must
configure the client computer to use the default gateway on the remote network, or you must manually
add routes after the VPN tunnel is connected. This is not necessary for the MUVPN client computer.
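The addressing rules above, written out as an added check (example code, not from the guide): branch subnets must not overlap the primary network or each other, and the RUVPN and MUVPN virtual IP pools must sit inside the primary network (or a placeholder secondary network), must not collide with hosts already in use, and must not share addresses. All networks, host lists and pool ranges are constructed sample values.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Union

NetLike = Union[str, ipaddress.IPv4Network]

# Constructed sample plan following the guide's advice: primary office on
# 192.168.100.0/24, branch offices on the neighbouring /24s. The Irvine entry is a
# deliberate mistake (it overlaps the primary network) so the check has something to find.
PRIMARY_NET = "192.168.100.0/24"
BRANCH_NETS: Dict[str, str] = {
    "Sacramento": "192.168.101.0/24",
    "San Diego": "192.168.102.0/24",
    "Irvine": "192.168.100.128/25",
}
# Hosts already assigned on the primary network (constructed).
USED_HOSTS = {"192.168.100.1", "192.168.100.10", "192.168.100.50"}
# Virtual IP pools handed to remote users (constructed): one for RUVPN, one for MUVPN.
RUVPN_POOL = "192.168.100.192/27"
MUVPN_POOL = "192.168.100.224/27"


def _net(n: NetLike) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(n)


def check_branch_subnets(primary: NetLike, branches: Dict[str, NetLike]) -> List[str]:
    """Report branch subnets that overlap the primary network or another branch."""
    primary_net = _net(primary)
    nets = {name: _net(n) for name, n in branches.items()}
    problems: List[str] = []
    names = list(nets)
    for i, name in enumerate(names):
        net = nets[name]
        if net.overlaps(primary_net):
            problems.append(f"{name} {net} overlaps the primary network {primary_net}")
        for other in names[i + 1:]:
            if net.overlaps(nets[other]):
                problems.append(f"{name} {net} overlaps {other} {nets[other]}")
    return problems


def check_virtual_pools(allowed: Iterable[NetLike], used_hosts: Set[str],
                        ruvpn_pool: NetLike, muvpn_pool: NetLike) -> List[str]:
    """Report virtual IP pools that fall outside the allowed networks (the primary
    network or a placeholder secondary network), collide with real hosts, or overlap."""
    allowed_nets = [_net(n) for n in allowed]
    hosts = {ipaddress.ip_address(h) for h in used_hosts}
    pools = {"RUVPN": _net(ruvpn_pool), "MUVPN": _net(muvpn_pool)}
    problems: List[str] = []
    for label, pool in pools.items():
        if not any(pool.subnet_of(net) for net in allowed_nets):
            problems.append(f"{label} pool {pool} is outside the allowed networks")
        clashes = sorted(str(h) for h in hosts if h in pool)
        if clashes:
            problems.append(f"{label} pool {pool} contains in-use host(s): {', '.join(clashes)}")
    if pools["RUVPN"].overlaps(pools["MUVPN"]):
        problems.append(f"RUVPN pool {pools['RUVPN']} overlaps MUVPN pool {pools['MUVPN']}")
    return problems


if __name__ == "__main__":
    for line in check_branch_subnets(PRIMARY_NET, BRANCH_NETS):
        print("branch:", line)
    for line in check_virtual_pools([PRIMARY_NET], USED_HOSTS, RUVPN_POOL, MUVPN_POOL):
        print("virtual IP:", line)
```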
Internet Key Exchange (IKE)
As the number of VPN tunnels in your network increases, it can get more difficult to manage the large
number of session keys that are used by the tunnels. Keys must be replaced frequently for stronger security.
Internet Key Exchange (IKE) is the key management protocol IPSec uses. IKE automates the procedure to
negotiate and replace keys. IKE includes a security protocol, the Internet Security Association, and Key
Management Protocol (ISAKMP). This protocol uses a two-phase procedure to create an IPSec tunnel.
During Phase 1, two gateways create a safe, authenticated channel for communication. Phase 2 includes
an interchange of keys to find out how to encrypt the data between the two.
Diffie-Hellman is an algorithm that IKE uses to make keys that are necessary for data encryption. Diffie-Hellman groups are collections of parameters. These groups let two peer systems interchange and agree
on a session key. Group 1 is a 768-bit group, and group 2 is a 1024-bit group. Group 2 is more secure
than group 1, but uses more processor time to make the keys.
NAT and VPNs
If you use NAT between two VPN gateways, you must use ESP (not AH) as the authentication protocol
when creating VPN tunnels between the devices.
If you send IPSec or PPTP traffic through a Firebox (IPSec or PPTP pass-through), the Firebox can use
NAT when sending the traffic.
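An added example (not WatchGuard code) that models why AH fails across NAT while ESP does not: the AH integrity check value covers the outer IP addresses, so a NAT device that rewrites the source address invalidates it, whereas the ESP check value covers only the encapsulated payload. The key, addresses and payload are constructed, and the HMAC-SHA1-96 stand-ins are simplified from the real packet formats.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Tuple

# Constructed integrity key; a real tunnel gets this from the IKE negotiation.
INTEGRITY_KEY = b"constructed-demo-integrity-key"
IP_PROTO_ESP, IP_PROTO_AH = 50, 51

Packet = Tuple[str, str, bytes, bytes]  # (src, dst, payload, icv)


def _covered_header(src: str, dst: str, proto: int) -> bytes:
    """Stand-in for the immutable IP header fields that AH includes in its ICV (constructed)."""
    return (ipaddress.ip_address(src).packed
            + ipaddress.ip_address(dst).packed
            + struct.pack("!B", proto))


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """AH: HMAC-SHA1-96 over the outer IP header fields and the payload."""
    data = _covered_header(src, dst, IP_PROTO_AH) + payload
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha1).digest()[:12]


def esp_icv(payload: bytes) -> bytes:
    """ESP: HMAC-SHA1-96 over the ESP header and payload only; the outer IP header is not covered."""
    return hmac.new(INTEGRITY_KEY, payload, hashlib.sha1).digest()[:12]


def nat_rewrite(packet: Packet, new_src: str) -> Packet:
    """A NAT device replaces the source address; it has no key, so the ICV is left as-is."""
    _src, dst, payload, icv = packet
    return new_src, dst, payload, icv


def receiver_accepts(protocol: str, packet: Packet) -> bool:
    """The receiving gateway recomputes the ICV over what it actually received."""
    src, dst, payload, icv = packet
    if protocol == "AH":
        return hmac.compare_digest(ah_icv(src, dst, payload), icv)
    if protocol == "ESP":
        return hmac.compare_digest(esp_icv(payload), icv)
    raise ValueError(f"unknown protocol {protocol}")


def send_through_nat(protocol: str, nat_enabled: bool = True) -> bool:
    """Build one protected packet, optionally pass it through NAT, and return whether it verifies."""
    src, dst, payload = "10.0.1.5", "203.0.113.20", b"constructed tunnel payload"
    icv = ah_icv(src, dst, payload) if protocol == "AH" else esp_icv(payload)
    packet: Packet = (src, dst, payload, icv)
    if nat_enabled:
        packet = nat_rewrite(packet, "198.51.100.7")
    return receiver_accepts(protocol, packet)


if __name__ == "__main__":
    for proto in ("AH", "ESP"):
        print(f"{proto} through NAT accepted: {send_through_nat(proto)}")
```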
Access Control
VPN tunnels give users access to resources on your computer network. Consider which type of access is
appropriate for a given type of user. For example, you can give a group of contract employees access to
only one network and your sales people access to all the networks.
Different VPN technologies can also set your level of trust. Branch office VPNs have a firewall device at
the two ends of the tunnel. They are safer than Mobile User VPN and RUVPN, which have protection
at only one end.
Network Topology
You can configure the VPN for support of meshed and hub-and-spoke configurations. The topology that
you select sets the types and number of connections that occur. It also sets the flow of data and the flow
of traffic.
Meshed networks
In a fully meshed topology, all servers are connected together to make a web. Each device is only one step
from each other VPN unit. Traffic can go between each unit of the VPN, if necessary.
[Figure: Fully Meshed Network]
This topology is the most error resistant. If a VPN unit goes down, only the connection to the trusted network of that unit is down. But, this topology is more work to set up. Each VPN unit must have a VPN
tunnel configured to each other unit. There can be possible routing problems if it is not done carefully.
The largest problem that you get with fully meshed networks is one of control. Because each unit in the
network must connect with each other unit, the number of necessary tunnels becomes large quickly. The
number of tunnels that are necessary for this configuration grows with the square of the number of
devices:
[(number of devices) x ((number of devices) - 1)] ÷ 2 = number of tunnels
When all the VPN units are WatchGuard® devices, WatchGuard System Manager can make the quantity of
work much less. The Management Server contains all the information for all the tunnels. With WatchGuard System Manager, you make a VPN tunnel between two devices in three steps using a drag-and-drop method.
You can monitor the security of the full system from more than one location, each with a Firebox®. Larger
companies use this configuration with important branch offices, each using a higher capacity Firebox.
Smaller offices and remote users connect with MUVPN, RUVPN, Firebox X Edge, or SOHO 6 devices.
Networks that are not fully meshed have only the necessary inter-spoke VPN tunnels. Refer to the figure
below. Thus the flow through the network is better than fully meshed networks. The limits in all meshed
networks are:
- The number of VPN tunnels that the firewall CPU can operate.
- The number of VPN tunnels allowed by the VPN license on the unit.
[Figure: Partially Meshed Network]
Hub-and-spoke networks
In a hub-and-spoke configuration all VPN tunnels stop at one firewall. Smaller companies frequently use
this configuration with a primary Firebox. Many distributed remote users connect with Mobile User VPN,
RUVPN, Firebox X Edge, or SOHO 6 devices to this configuration. Each remote device or remote user
makes a VPN tunnel only to the primary Firebox.
In a simple hub-and-spoke configuration, each remote location can only send and receive data through a
VPN tunnel to the network behind the master server. But, a VPN tunnel to the master server, the primary
hub, can also be configured to send and receive data to a different remote VPN location (tunnel switching). The intensity of traffic in hub-and-spoke can be high if the master server sends packets from one
remote location to a different remote location. Or, the traffic intensity can be low in a simple hub-and-spoke, where the remote locations can only send data through a VPN tunnel to the primary hub location.
The master server is the one point where all VPN tunnels can fail, so it can be a problem. If the master
server goes down, you cannot connect any VPN tunnels to the remote locations.
The flow through a simple hub-and-spoke system is far more clear than through a meshed system. You
can control the number of tunnels better. Refer to the sum that follows:
[(number of devices) – 1 = number of tunnels]
If it is necessary to have more spoke capacity, you expand the hub location. But, because all traffic goes
through the hub, it is necessary to have much bandwidth for this installation.
[Figure: Hub and Spoke Network]
Tunneling Methods
Split tunneling is when a remote user or endpoint has access to the Internet on the same computer as the
VPN connection. But, this user does not put the Internet traffic through the tunnel. The remote user
browses directly through the ISP. This makes the system vulnerable, because Internet traffic is not filtered
or encrypted.
This dangerous configuration is less vulnerable when all of the Internet traffic of the remote user goes
through a VPN tunnel to the Firebox®. From the Firebox, the traffic is then sent back out to the Internet
(tunnel switching). With this configuration the Firebox examines all traffic and gives better security.
When you use tunnel switching, a Dynamic NAT policy must include the outgoing traffic from the remote
network. In Policy Manager, add a policy at Setup > NAT. This allows the remote users to browse the
Internet when they send all traffic to the Firebox.
Split tunneling decreases security, but does increase performance. If you use split tunneling, remote users
must have personal firewalls for computers behind the VPN endpoint.
WatchGuard VPN Solutions
WatchGuard® System Manager includes this software to create tunnels:
• Remote User VPN (RUVPN) with PPTP
• Mobile User VPN (MUVPN) with IPSec
• Branch Office VPN (BOVPN) with IPSec, which uses Policy Manager to manually configure the
tunnel settings
• Branch Office VPN (BOVPN) with IPSec, which uses WatchGuard System Manager to automatically
configure the tunnel settings.
WatchGuard includes different types of encryption for the different types of VPN tunnels you can create.
Branch Office VPN allows Data Encryption Standard (DES) with a 56-bit encryption key for basic encryption, 112-bit key for medium encryption, and a 168-bit encryption key (3DES) for strong encryption. It
also allows the Advanced Encryption Standard (AES), a block data encryption method, using 128-bit,
192-bit, or 256-bit encryption.
RUVPN with PPTP
RUVPN allows remote users or mobile users to connect to the Firebox® network with PPTP. RUVPN with
PPTP allows RC4 40 bit or 128 bit keys.
The basic WatchGuard System Manager package includes RUVPN with PPTP. It allows 50 users, and all
levels of encryption. For information on how to create RUVPN with PPTP tunnels, see the chapter “Configuring RUVPN with PPTP,” on page 171 in this guide.
Mobile User VPN
Note
For information on how to configure and use MUVPN, see the MUVPN Administrator Guide.
Mobile User VPN is an optional software component available for all Firebox models. Remote users are
mobile employees who must have corporate network access. MUVPN creates an IPSec tunnel between a
remote host that is not secure and your corporate network. Remote users connect to the Internet with a
standard Internet dial-up or broadband connection, and then they use the MUVPN software to make a
secure connection to the network or networks protected by the Firebox®. With MUVPN, only one Firebox
is necessary to create the tunnel.
MUVPN uses IPSec with DES or 3DES to encrypt incoming traffic, and MD5 or SHA-1 to authenticate
data packets. You configure a security policy and supply it along with the MUVPN software to each
remote user. The security policy is an encrypted file with the extension wgx. When the software is
installed on the computers of the remote users, they can safely connect to the corporate network. MUVPN
users can change their security policies, or you can give them read-only security policies.
Branch Office Virtual Private Network (BOVPN)
Many companies have offices in more than one location. Offices frequently use data from other locations,
or have access to shared databases.
Because branch office communications include sensitive company data, information interchanges must
be secure. When you use WatchGuard Branch Office VPN (BOVPN), you can connect two or more locations across the Internet without decreasing security. WatchGuard BOVPN supplies an encrypted tunnel
between two networks or between a Firebox and an IPSec-compliant device. You can use WatchGuard
System Manager or Policy Manager to configure BOVPN.
WatchGuard allows certificate-based authentication for BOVPN tunnels. When you use certificate-based
authentication for BOVPN, the two VPN endpoints must be WatchGuard Fireboxes. You cannot use certificate-based authentication for BOVPN with SOHO 6 or Firebox X Edge devices. To use this functionality,
you must configure a Management Server and a certificate authority. For more information, see “Configuring IPSec Tunnels,” on page 161. For instructions on how to use Policy Manager to manually configure
a BOVPN tunnel, see “Configuring BOVPN with Manual IPSec,” on page 153.
BOVPN with Policy Manager
When you build a tunnel with Policy Manager, the Firebox uses IPSec to make encrypted tunnels with
another IPSec-compliant security appliance. One of the two endpoints must have a public static IP
address. Use BOVPN with Policy Manager if:
• You make tunnels between a Firebox and a non-WatchGuard, IPSec-compliant unit.
• You give different routing policies to different tunnels.
• Not all types of traffic go through the tunnel.
BOVPN with IPSec is available with the medium encryption level of DES (56-bit), or the stronger encryption levels of two DES (112-bit) or 3DES (168-bit). BOVPN is also available with AES at the 112-bit, 192-bit, and 256-bit encryption levels. AES with 256-bit encryption is the most secure.
You can create different VPN tunnels for different types of traffic on your network. For example, you can
use a VPN tunnel with DES encryption for traffic from your sales team. At the same time use a VPN tunnel with stronger, 3DES encryption for all data from your finance department.
[Figure: BOVPN with Manual IPSec]
BOVPN with WatchGuard System Manager
With WatchGuard System Manager, you can make fully authenticated and encrypted IPSec tunnels with a
drag-and-drop or menu interface. System Manager uses the Management Server to safely transmit IPSec
VPN configuration information between Fireboxes. When you use the Management Server, you set each
configuration parameter of the VPN. The Management Server stores this information.
Use BOVPN with WatchGuard System Manager if:
• You make tunnels between two or more Fireboxes.
• You give different routing policies to different tunnels.
• Client units have dynamic or static IP addresses.
• You have a large number of tunnels to make.
With WatchGuard System Manager you can configure, manage, and monitor all WatchGuard devices
across a company. You can configure VPN tunnels between two remote devices easily, using the default
settings that System Manager gives you. You do not have to know about the Internet security of branch
offices and remote users. Remote devices connect to the Management Server, and System Manager does
all the work. If you use certificates for tunnel authentication, you can configure the Management Server
as a certificate authority to create certificates automatically.
VPN Scenarios
This section gives three different types of companies and the VPN solutions that best fit each one.
Large company with branch offices: System Manager
[Figure: Large Company with VPNs to Branch Offices]
Gallatin Corporation has a head office with approximately 300 users in Los Angeles. It has branch offices
of around 100 users each in Sacramento, San Diego, and Irvine. All locations have high-speed Internet
access and employees at all locations must have secure connections to all other locations.
This company uses Fireboxes® at each location and WatchGuard® System Manager to connect the locations to each other. Each office connects to all other offices. All users at each office have access to the
shared records at all the other locations. The Management Server is behind the Firebox at the main office,
and the Fireboxes at the branch offices are Managed Firebox Clients. When a service stop occurs with
Gallatin’s Internet service provider, it makes the Firebox at headquarters unavailable. But the tunnels in
the other locations stay active.
Small company with telecommuters: MUVPN
River Rock Press is a small publishing house in a specialty market. It has an office with six employees in
Portland, Oregon and five editors who are in other cities. The head office uses a Firebox X Edge as a firewall and as a VPN gateway. The five editors each use a Mobile User VPN client to make a secure connection to the Information Center in Portland. The editors can always safely interchange information if their
computers are connected to the Internet.
[Figure: Small Company with Telecommuters Using Mobile User VPN]
Company with remote employees: MUVPN with extended authentication
BizMentors, Inc. has 35 trainers to give courses in business-related topics at the locations of client companies. The 75 salespeople of BizMentors must have current information on the schedules of the trainers,
to prevent conflicts.
A database in the data center of BizMentors keeps this information current. The data center uses a Firebox and each salesperson uses an MUVPN client to get access to the inventory and price database. To
authenticate all remote users, BizMentors uses a RADIUS authentication server.
Usually, you must enter the ID and password information on the Firebox and on the authentication server.
But when you use extended authentication, all IDs and passwords are sent to the authentication server.
You do not have to put them in the Firebox. All salespersons can log in to the corporate network with the
ID and password they usually use when inside the network. The Firebox sends the ID and password to the
authentication server, and the authentication server does the authentication of the VPN user credentials.
[Figure: Small Company Using Extended Authentication]
CHAPTER 15
Configuring BOVPN with Manual IPSec
You use Branch Office VPN (BOVPN) with Manual IPSec to make encrypted tunnels between a Firebox®
and an IPSec-compliant security device. This device can protect a branch office or a different remote
location.
BOVPN with Manual IPSec is available with DES (56-bit), 3DES (168-bit), AES 128, AES 192, and AES 256
encryption.
Before You Start
You must have this information to use BOVPN with Manual IPSec:
• Policy endpoints — IP addresses of special hosts or networks that operate on the tunnel
• Encryption method (the two ends of the tunnel must use the same encryption method)
• Authentication method
Configuring a Gateway
A gateway is a connection point for one or more tunnels. The gateway standard connection method
becomes the standard connection method for tunnels made with the device at the other end of the tunnel. An example is ISAKMP automated key negotiation.
Adding a gateway
To start IPSec tunnel negotiation, one peer must connect to the other. To do this, you can use an IP
address or a DNS name. If the peer is dynamic, select "Any" for the peer ID type.
To configure this, set the ID type of the remote gateway to Domain Name. Set the name of the peer to
the fully qualified domain name. Set the DNS server of the Firebox® to one that can identify the name,
usually an internal DNS server.
1 From Policy Manager, click VPN > Branch Office Gateways.
The Gateways dialog box appears.
2 To add a gateway, click Add.
The New Gateway dialog box appears.
3 Type the gateway name in the Gateway Name text box.
This name identifies the gateway only in Policy Manager.
4 From the Gateway IP drop-down list, select IP Address or Any.
If the gateway address is a static IP address, enter it adjacent to the Gateway IP drop-down list.
5 From the Remote Gateway Settings ID Type drop-down list, select IP Address, Domain Name, User
Domain Name, or X.500 Name.
Use the domain name as the identification if the Firebox uses DHCP or PPPoE for its external IP address. This
information is in the Firebox configuration. The Firebox uses IP Address and Domain Name to find the VPN
endpoint. User name is a label that you use to identify the user at the VPN endpoint.
6 Configure the Local Settings. In the local ID Type text box, select IP address, Domain Name, or User
Domain Name. If you select IP address, you can select the IP address from the drop-down list. All
configured Firebox interface IP addresses are shown.
7 Click Pre-Shared Key or Firebox Certificate to identify the authentication procedure to use. If you
select Pre-Shared Key, type the shared key.
You must use the same pre-shared key at the remote device.
Note
You must start the Certificate Authority if you select to authenticate with certificates. For information
on this, see the Certificate Authority information in the WatchGuard® System Manager User Guide.
Also, if you use certificates you must use the WatchGuard Log Server for log messages. We do not
support third-party certificates.
8 You can use the preconfigured Phase 1 settings, or you can change the settings.
Phase 1 applies to the initial phase of the IKE negotiation. It contains authentication, session negotiation, and key
change information.
9 From the Authentication drop-down list, select the type of authentication: SHA1 or MD5.
10 From the Encryption drop-down list, select the type of encryption: DES or 3DES.
11 From the Mode drop-down list, select Main or Aggressive mode.
Main Mode protects the identities of the VPN endpoints during negotiation, and is more secure than Aggressive
Mode. Main Mode also supports Diffie-Hellman group 2. But, Main Mode must send more messages between
endpoints, and is slower than Aggressive Mode.
12 To change the Diffie-Hellman group settings and other advanced Phase 1 settings, click Advanced.
The Phase1 Advanced Settings dialog box appears.
13 To change the SA (security association) life, type a number in the SA Life field, and select Hour or
Minute from the drop-down list.
14 From the Key Group drop-down list, select the Diffie-Hellman group. WatchGuard supports groups 1
and 2.
Diffie-Hellman refers to a mathematical procedure to safely negotiate secret keys across a public medium.
Diffie-Hellman groups are sets of properties that you use to get this. Group 2 is safer than group 1, but
uses more time to make the keys.
Note
Diffie-Hellman Group 2 is supported only in Aggressive Mode.
15 Select the NAT Traversal check box to enable NAT traversal if the tunnel is used for NAT devices.
Type a keep-alive to keep the NAT Traversal connection open.
NAT Traversal, or UDP Encapsulation, allows traffic to get to the correct destinations. This continues to operate
when the addresses are changed by NAT or when a router on the path between endpoints does not route IP 50
(ESP) or 51 (AH).
16 Select the IKE Keep-alive check box to send IKE keep-alive messages through the tunnel, and keep
the tunnel open. Type a message interval.
17 Use the Max failures field to set the maximum number of times the Firebox tries to negotiate an IKE
Phase 2.
18 Click OK when advanced configuration is complete.
19 Click OK to save the gateway.
20 Close the Gateways dialog box.
Editing and deleting a gateway
To change a gateway, select VPN > Branch Office Gateways. You can also right-click on a tunnel icon in
the BOVPN tab of Policy Manager, and select Gateway Property.
1 Select the gateway and click Edit.
The Edit Gateway dialog box appears.
2 Make the changes and click OK.
To remove a gateway from the Gateways dialog box, select the gateway and click Remove.
Making a Manual Tunnel
Use this method to configure a manual tunnel using a gateway with the Internet Security Association and
Key Management Protocol (ISAKMP) key negotiation type. ISAKMP is a protocol to authenticate network
traffic between two devices. This procedure includes the information on how the devices control security,
including encryption. It also includes how to make the keys that you use to change the encrypted data
into text.
1 From Policy Manager, select VPN > Branch Office Tunnels.
The Branch Office IPSec Tunnels dialog box appears.
2 Click Add.
The New Tunnel dialog box appears.
3 Type a tunnel name.
4 Select a remote gateway to connect with this tunnel. The gateways you have added to your
configuration show in this drop-down list.
To edit a gateway, select the name and click the Edit button. To create a new Gateway, click the New button.
5 Select the IKE Phase 2 proposal for the tunnel from the Proposal drop-down list. The list contains
predefined phase 2 security proposals.
6 If you are using a predefined phase 2 proposal, and are not creating or editing a phase 2 proposal, go to Step
13.
You can edit a phase 2 proposal that you created, but you cannot edit a predefined proposal. You
must add a new one. To edit a phase 2 proposal that you created, select the name and click the Edit
button. To create a new proposal, click the New button.
The Phase2 Proposal dialog box appears.
7 Type a name for the new proposal.
8
From the Type drop-down list, select ESP or AH as the proposal method.
ESP is authentication with encryption. AH is authentication only. Also, ESP authentication does not include the IP
header, while AH does. The use of AH is rare.
9 From the Authentication drop-down list, select SHA1, MD5, or None for the authentication method.
10 (ESP only) From the Encryption drop-down list, select the encryption method.
The options are DES, 3DES, and AES 128, 192, or 256 bit which appear in the list from the most simple and least
secure to most complex and most secure.
11 You can make the key expire after a quantity of time or a quantity of traffic. To enable key
expiration, select the Force Key Expiration check box.
12 Select a quantity of time and a number of bytes after which the key expires. The key expires when the
time selected or the number of bytes occurs.
13 Click OK to close the Phase2 Proposal dialog box.
14 Select the PFS check box to enable Perfect Forward Secrecy (PFS). If you enable PFS, select the Diffie-Hellman group.
Perfect Forward Secrecy gives more protection to keys that are created in a session. Keys made with PFS are not
made from a previous key. If a previous key is compromised after a session, your new session keys are secure. Diffie-Hellman Group 1 uses a 768-bit group to create the new key exchange, and Diffie-Hellman Group 2 uses a 1024-bit group.
15 Click Advanced to configure advanced settings.
In this dialog box, you can configure the tunnel to use Any for the policy or for the address. Click OK when you are
done.
16 Below Addresses, click Add to add a pair of addresses that use the tunnel.
The Local-Remote Pair Settings dialog box appears.
17 Select the local address from the Local drop-down list.
You can also click the button adjacent to the field to use an IP address, network address, or a range of IP addresses.
18 Add the remote network address. Click the button adjacent to the field to open the Add Address
dialog box.
19 Select the type of address from the Choose Type drop-down list.
Select Host IP (one IP address), Network IP (a network IP address with the mask in slash notation), or Host Range (a
range of IP addresses).
20 Type the values in the fields. Click OK.
21 Select the direction for the tunnel.
22 You can enable NAT for the tunnel.
The options that you can select for NAT are different for different types of addresses and different tunnel
directions. For 1:1 NAT, type the address to change with NAT in the field.
Dynamic NAT is also available through the VPN. You must set a unidirectional tunnel from LAN1 to LAN2 where
you want all LAN1 to connect to LAN2 servers but only appear as one IP address on LAN2. You must then enable
Dynamic NAT in the phase 2 settings of the LAN2 Firebox.
23 Click OK after you configure the pair.
24 When you complete tunnel configuration, click OK.
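The settings from the gateway (Phase 1) and tunnel (Phase 2) procedures above, modelled as an added example that is not part of the guide or of Policy Manager: it checks that the proposals of two peers match, since IKE negotiation fails when they differ, and flags the choices the guide describes as weaker or as unusable across NAT. The classes, field names and sample values are constructed.

```python
from dataclasses import dataclass
from typing import List

# Field values follow the option names in the Policy Manager dialogs described above.


@dataclass(frozen=True)
class Phase1:
    authentication: str       # "SHA1" or "MD5"
    encryption: str           # "DES" or "3DES"
    mode: str                 # "Main" or "Aggressive"
    dh_group: int             # 1 (768-bit) or 2 (1024-bit)
    nat_traversal: bool
    pre_shared_key: str = ""  # compared for equality only, never printed


@dataclass(frozen=True)
class Phase2:
    type: str                 # "ESP" or "AH"
    authentication: str       # "SHA1", "MD5" or "None"
    encryption: str           # "DES", "3DES", "AES128", "AES192", "AES256"; ignored for AH
    pfs_group: int            # Diffie-Hellman group for PFS, 0 = PFS disabled


@dataclass(frozen=True)
class Endpoint:
    name: str
    phase1: Phase1
    phase2: Phase2
    behind_nat: bool = False


def mismatches(a: Endpoint, b: Endpoint) -> List[str]:
    """Settings that must be the same on both peers, or IKE negotiation fails."""
    out: List[str] = []
    for fld in ("authentication", "encryption", "mode", "dh_group"):
        va, vb = getattr(a.phase1, fld), getattr(b.phase1, fld)
        if va != vb:
            out.append(f"Phase 1 {fld}: {a.name}={va}, {b.name}={vb}")
    if a.phase1.pre_shared_key != b.phase1.pre_shared_key:
        out.append("Phase 1 pre-shared key differs (values not shown)")
    for fld in ("type", "authentication", "pfs_group"):
        va, vb = getattr(a.phase2, fld), getattr(b.phase2, fld)
        if va != vb:
            out.append(f"Phase 2 {fld}: {a.name}={va}, {b.name}={vb}")
    # Encryption only matters when both sides use ESP (AH is authentication only).
    if a.phase2.type == "ESP" and b.phase2.type == "ESP" and a.phase2.encryption != b.phase2.encryption:
        out.append(f"Phase 2 encryption: {a.name}={a.phase2.encryption}, {b.name}={b.phase2.encryption}")
    return out


def warnings(e: Endpoint, peer_behind_nat: bool = False) -> List[str]:
    """Choices the guide describes as weaker, or that will not work in the given situation."""
    w: List[str] = []
    if e.phase1.encryption == "DES" or (e.phase2.type == "ESP" and e.phase2.encryption == "DES"):
        w.append("DES (56-bit) is the weakest encryption offered; prefer 3DES or AES")
    if "MD5" in (e.phase1.authentication, e.phase2.authentication):
        w.append("MD5-HMAC selected; SHA1-HMAC is the stronger data integrity option")
    if e.phase1.mode == "Aggressive":
        w.append("Aggressive Mode does not protect endpoint identities during negotiation")
    if e.phase1.dh_group == 1:
        w.append("Diffie-Hellman group 1 (768-bit) is less secure than group 2 (1024-bit)")
    if e.phase2.pfs_group == 0:
        w.append("PFS disabled: a compromised key can expose later session keys")
    if e.phase2.authentication == "None":
        w.append("Phase 2 authentication None: tunnel traffic has no integrity protection")
    if e.behind_nat or peer_behind_nat:
        if e.phase2.type == "AH":
            w.append("NAT between the gateways: AH will fail, use ESP")
        if not e.phase1.nat_traversal:
            w.append("NAT between the gateways but NAT Traversal is not enabled")
    return w


if __name__ == "__main__":
    # Constructed sample: a well-configured head office and a weak, mismatched branch.
    hq = Endpoint("HQ", Phase1("SHA1", "3DES", "Main", 2, True, "constructed-psk"),
                  Phase2("ESP", "SHA1", "AES256", 2))
    branch = Endpoint("Branch", Phase1("MD5", "DES", "Aggressive", 1, False, "constructed-psk"),
                      Phase2("AH", "MD5", "", 0), behind_nat=True)
    for line in mismatches(hq, branch) + warnings(branch):
        print(line)
```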
Editing and deleting a tunnel
To change a tunnel, select VPN > Branch Office Tunnels. You can also right-click on a tunnel icon in the
BOVPN tab of Policy Manager, and select Tunnel Property.
1 Select the tunnel and click Edit.
The Edit Tunnel dialog box appears.
2 Make the changes and click OK.
To delete a tunnel from the Branch Office IPSec Tunnels dialog box, select the tunnel and click Remove.
Making a Tunnel Policy
Tunnel policies are sets of rules for tunnel connections.
The default configuration includes the “Any” policy. This allows all traffic to use the tunnel. You can
delete this policy. Then, create a custom VPN policy to select the ports you allow or to use a proxy for the
traffic.
1 From Policy Manager, click the Branch Office VPN tab.
2 Select the tunnel to which you want to add policies from the Show menu.
3 Right-click in Policy Manager and select New Policy.
If you have not selected a BOVPN tunnel from the Show menu, a dialog box appears with a prompt for you to
select a tunnel. Select the tunnel and click OK.
4 Configure policies. For more information, see “Creating Policies for your Network” on page 65.
Address information for BOVPN policies is different from standard Firebox policies. You configure the addresses
with the Local-Remote Pairs dialog box.
Allow VPN connections for specified policies
To let traffic through from VPN connections only for specified policies, add and configure each policy. It
can be necessary to delete the “Any” policy to create the necessary restrictions.
CHAPTER 10
Configuring IPSec Tunnels
WatchGuard® System Manager supplies speed and reliability when you create IPSec VPN tunnels through
drag-and-drop tunnels, an automatic wizard, and the use of templates. You can make fully authenticated
and encrypted IPSec tunnels in minutes. You can be sure that they operate with other tunnels and security policies.
From the same interface, you can control and monitor the VPN tunnels. For more information on how to
monitor tunnels, see “Monitoring Your Network” in the WatchGuard System Manager User Guide.
System Manager also allows you to safely manage Firebox® X Edge devices from a distance. For more
information, see “Managing the Firebox X Edge and Firebox SOHO 6” in the WatchGuard System Manager User Guide.
Steps in making VPNs
• Configure a WatchGuard Management Server and Certificate Authority (CA)
• Add Fireboxes or Firebox X Edge or SOHO devices to the Management Server
• (Dynamic devices only) Configure the Firebox as a Managed Client
• Make policy templates to configure which networks can connect through VPN tunnels
• Make security templates to set the encryption type and authentication type
• Make tunnels between the devices
Management Server
The WatchGuard® Management Server software is installed on your management station or a different
computer. This server replaces the DVCP server that operated on the Firebox® X in other software versions.
Use the Management Server to:
• Start and stop the Management/CA server
• Set the Management/Certificate Authority (CA) Server passphrases
• Set the Management Server license key
• Configure the Management/CA Server to record diagnostic log messages
• Set the CA domain name
• Set the CRL IP address for publication
• Set the CRL publication period
• Set the time the client certificate is good
• Set the time the root certificate is good
WatchGuard Management Server Passphrases
The WatchGuard® Management Server uses a number of passwords to protect sensitive information on
the disk or to secure data with client systems. After you install the WatchGuard Management Server software, you must use the Configuration Wizard to configure the Management/CA server. This wizard
prompts for these passwords:
• Master encryption key
• Management Server passphrase
The Management Server passphrase and other automatically created passphrases are in a passphrase file.
Master encryption key
The first passphrase that the Configuration Wizard prompts for is the master encryption key. This password is used to protect all the passphrases in the passphrase file.
The master encryption key is used to encrypt all other passphrases that are on the disk. This prevents a
person with access to this disk (such as on a backup tape) from getting the passphrases. The passphrases
can be used to get access to other sensitive data on the disk.
Select and secure the master encryption key carefully. Use best practices when you select the passphrases.
In particular, do not use the same string for the master encryption key and the management server passphrase.
You use the master encryption key when you:
• Migrate the management server data to a new system
• Restore a lost or corrupt master key file
• Change the master encryption key
The master encryption key is not used frequently. We recommend that you write it down and lock it in a
secure location.
Management Server passphrase
The second password that the Configuration Wizard prompts for is the Management Server passphrase.
This passphrase is used frequently by the administrator, because it is the one needed to connect to the
Management Server using the WatchGuard System Manager application.
Password and key files
The Management Server passphrase and all the automatically created passphrases are in a passphrase file.
The passphrase data in this file is protected by the master encryption key. The master encryption key is
not on the disk. An encryption key is created from the master encryption key and the key data is on the
disk.
The default locations for the password file and encryption key are:
• C:\Documents and Settings\WatchGuard\wgauth\wgauth.ini
• C:\Documents and Settings\WatchGuard\wgauth\wgauth.key
Note that these files are used by the Management Server software and must not be modified directly by
an administrator.
Microsoft SysKey utility
The password file is protected by the master key. This key is protected by an encryption key, which is protected by the Windows system key.
Windows operating systems use a system key to protect the Security Accounts Management (SAM) database. This is a database of the Windows accounts and passwords on the computer. By default, the system
key data is hidden in the registry. The system is protected, and the system key is created from the registry
during the startup procedure. Although the system key data is on the disk, it is not easy to get.
If you want a more secure system, you can remove the system key data from the registry so that this sensitive data does not reside on the system at all.
You can use the SysKey utility to:
• Move the system key to a floppy disk
• Make the administrator type a password at start time
• Move the system key from the floppy disk to the system
If you move the startup key to a floppy disk, then that disk must be inserted in the drive for the system to
start. If you make the administrator type a startup password, the administrator must type in the password
each time the system starts.
To configure SysKey options, click Start > Run, type syskey, and click OK.
Setting Up the Management Server
The Management Server Setup Wizard creates a new Management Server on your workstation. It can
migrate a Management Server that is installed on a Firebox® to a new Management Server on a workstation. To move a Management Server off a Firebox, see the Migration Guide.
If you change the IP address of the Management Server computer, you must remove the Management
Server and install it again.
This procedure shows the steps you must follow to successfully set up a new Management Server. Follow
this procedure if you do not have a Management Server at this time.
1 Right-click the Management Server icon in the WatchGuard toolbar on the Windows taskbar.
2 Select Start Service.
3 The Management Server Setup Wizard starts. Click Next.
4 A master encryption key is necessary to control access to the WatchGuard management station. Type
a passphrase that has a minimum of eight characters and then type it again to confirm. Click Next.
Make sure you keep this passphrase.
5 Type the passphrase to manage the WatchGuard® Management Server. Click Next.
Type a passphrase that has a minimum of eight characters and then type it again to confirm.
6 Type the IP address and passphrases for your gateway Firebox. Click Next.
The gateway Firebox protects the management server from the Internet.
7 Type the license key for the Management Server. Click Next.
8 Type the name of your organization. Click Next.
An information screen that lists the information for your server appears.
9 Click Next.
The wizard configures the server.
10 Click Finish.
Adding Devices
You must manually add devices to your Management Server configuration.
Note
You must use this procedure to add all devices. A device with a dynamic IP address must also be
configured as a Managed Client from Policy Manager for the device.
1 Open WatchGuard System Manager and select File > Connect to > Server.
Type the passphrase to connect to your Management Server.
2 From the VPN tab, select Server > Insert Device.
The WatchGuard® Device Wizard appears.
3 Click Next.
4 Type a display name for the device.
This is a name that you select. It is not the same as the DNS name of the device.
5 From the Device Type drop-down list, select the device type and address method.
A dynamic device must have a dynamic DNS client name.
6 For a static IP address, type the host name or IP address. For a dynamic IP address, type the client
name.
The host name is the DNS name, not the display name that you created in step 3.
7 Type the status and configuration passphrases.
8 If you use a device type with a dynamic IP address, type the shared secret. Click Next.
9 Type a WINS or DNS server IP address and the domain for your configuration. Click Next.
If you do not use DNS or WINS servers, ignore this page, and click Next.
The wizard shows the Contact Information page.
10 Select or add a contact record. This record gives the contact information for this Firebox. Click Next.
The information on this page is optional.
11 The wizard then shows a page that gives the subsequent steps. Click Next.
When completed, the wizard shows the message New Device Successfully Changed.
12 Click Close.
The wizard uploads the new configuration to the Management Server and exits.
Note
If traffic is heavy, the WatchGuard Device Wizard cannot connect because of SSL timeout. Try again
later when the system has less load.
Updating a device’s settings
You can use the Device Properties dialog box to change the settings of a selected device.
1 From the VPN tab, right-click a device and select Properties.
The Device Properties dialog box appears.
2 Change the properties as necessary.
3 Click OK.
Configuring a Firebox as a Managed Firebox Client (Dynamic Devices only)
To allow WatchGuard System Manager to manage a Firebox, Edge, or SOHO with a dynamic IP address,
you must enable it as a managed Firebox client. The instructions here give you the steps to configure a
Firebox III or Firebox X as a managed Firebox client. To configure a Firebox X Edge or Firebox SOHO as a
managed Firebox client, refer to your Edge or SOHO User Guide for information about using the device
with managed VPN.
From the Policy Manager for a Firebox III or Firebox X device:
1 Select VPN > Managed Client.
2 Select the check box Enable this Firebox as a Managed Client.
3 In the Firebox Name field, give the name of the Firebox.
4 To log messages for the Managed Client, select the check box Enable diagnostic log messages for
the Managed Client. (WatchGuard recommends this option only to do troubleshooting).
5 To add management servers that the client can connect to, click Add.
6 Type the IP address. Type the shared secret. Click OK.
7 Start the Firebox again.
The Firebox connects to the Management Server.
Adding Policy Templates
Adding Policy Templates
For a VPN, you can configure (and put a limit to) the networks that have access through the tunnel. You
can make a VPN between two hosts or between more networks. To configure the networks available
through a given VPN device, you make policy templates. By default, WSM adds and applies a network
policy template that gives access to the network behind the VPN device, if the device has a static IP
address.
Get the current templates from a device
Before you add more policy templates, get the current templates from the device. This is most important
for dynamic devices, because the Firebox automatically adds a network policy template for static devices.
Before you update a device, make sure that it is configured as a managed Firebox client.
1 In WatchGuard System Manager, select a managed client and click Server > Update Device.
2 Select Download Trusted and Optional Network Policies.
3 Click OK.
Make a new policy template
To make a policy template, on the VPN tab:
1 Select the device for which to configure a policy template.
2 Right-click and select Insert Policy or click the Insert Policy Template icon.
The Device Policy dialog box for that device appears.
3 Type a policy name.
4 Add, edit, or delete resources from the tunnel policy. Click Add to add an IP address or a network
address to the tunnel policy. Click Edit to edit a resource that you have selected in the list. Click
Remove to delete a resource you have selected in the list.
5 Select the actions for this policy. A policy can secure, block, or bypass resources. Use secure if the
tunnel resource is encrypted and shared with tunnel clients. Use bypass if the resource is shared with
tunnel users, but it is not encrypted. This traffic "bypasses" the IPSec routing policy. Use block if the
tunnel clients cannot have access to the resource.
6 Click OK.
The policy template is configured and is available in the VPN configuration area.
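The three actions in the procedure above (secure, bypass, block) decide, per resource, whether traffic to that address is encrypted through the tunnel, sent in the clear, or dropped for tunnel clients. The following Python model is an added example written for this guide, not WatchGuard code: it represents a policy template as a list of resources with actions, classifies a destination address against it, and warns about entries that contradict each other. The longest-prefix-first ordering (a host entry overriding the network that contains it) and the None result for addresses outside every resource are assumptions of the example, not documented Fireware behaviour; the addresses are constructed.

```python
import ipaddress

# Actions a policy template can assign to a resource, as the procedure describes.
SECURE = "secure"  # resource is encrypted through the IPSec tunnel
BYPASS = "bypass"  # resource is shared with tunnel users, but not encrypted
BLOCK = "block"    # tunnel clients cannot reach the resource


def build_template(resources):
    """Parse (address, action) pairs into a list of (network, action).

    Each address is a host ("10.10.0.5") or a network ("10.10.0.0/24").
    Entries are ordered longest prefix first so that a host entry overrides
    the network that contains it (an assumption of this example).
    """
    parsed = []
    for addr, action in resources:
        if action not in (SECURE, BYPASS, BLOCK):
            raise ValueError(f"unknown action {action!r} for resource {addr}")
        parsed.append((ipaddress.ip_network(addr, strict=False), action))
    # sort() is stable, so entries with the same prefix length keep their order
    parsed.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return parsed


def classify(template, destination):
    """Return the action for a destination address, or None when the address
    is not a resource of the template (ordinary firewall policy applies,
    not the tunnel)."""
    dst = ipaddress.ip_address(destination)
    for network, action in template:
        if dst in network:
            return action
    return None


def check_template(template):
    """Return warnings for resources listed twice with different actions;
    the first listed entry silently wins, which is easy to miss in a long list."""
    warnings = []
    for i, (net_a, act_a) in enumerate(template):
        for net_b, act_b in template[:i]:
            if net_b == net_a and act_b != act_a:
                warnings.append(f"{net_a} listed with actions {act_b} and {act_a}")
    return warnings


if __name__ == "__main__":
    # Constructed sample template: a trusted network, one host reachable in
    # the clear, one host kept away from tunnel clients, and a bypassed net.
    template = build_template([
        ("10.10.0.0/24", SECURE),
        ("10.10.0.5", BYPASS),
        ("10.10.0.200", BLOCK),
        ("192.168.5.0/24", BYPASS),
    ])
    for dst in ("10.10.0.7", "10.10.0.5", "10.10.0.200", "192.168.5.9", "172.16.0.1"):
        print(dst, "->", classify(template, dst))
    print(check_template(template))
```

Running the script shows 10.10.0.7 as secure, 10.10.0.5 as bypass, 10.10.0.200 as block, 192.168.5.9 as bypass and 172.16.0.1 as None. The check function is the kind of review step worth running before a template is pushed to devices, because a bypass entry placed alongside a secure entry for the same resource means that traffic leaves unencrypted.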
Adding resources to a policy template
1 From the Device Policy dialog box, click Add.
The Resource dialog box appears; see the figure that follows.
2 Select the type of resource and give its IP or network address. Click OK.
Adding Security Templates
A security template gives the encryption type and authentication type for a tunnel.
Default security templates are supplied for the available encryption types. You can also make new templates. Security templates make it easy to set the encryption type and authentication type with the tunnel
from the Configuration Wizard.
To make a security template, on the VPN tab:
1 Right-click in the window, and select Insert Security Template or click the Insert
Security Template icon (shown at the right side).
The Security Template dialog box appears.
2 Type the template name. Select the authentication and encryption method.
3 To set an expiry for a key, select the related check box, and then give kilobytes, hours, or both.
If you give two values, the key expires at the event that comes first.
4 Click OK.
The security template is configured. You can select it in the VPN Wizard when you make a VPN tunnel with that
device.
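Step 3 above lets a key expire on traffic volume, on time, or on whichever limit is reached first. The Python class below is an added example, not code from the guide or from WatchGuard: it holds the two optional limits, reports when a key must be renegotiated, and predicts which limit will end the key at a steady throughput. The steady-throughput model and the names KeyLifetime, needs_rekey and first_expiry are constructions of this example.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class KeyLifetime:
    """Key expiry limits from a security template: a kilobyte count, a number
    of hours, or both. None means that check box is not selected."""
    kilobytes: Optional[int] = None
    hours: Optional[float] = None

    def __post_init__(self):
        if self.kilobytes is None and self.hours is None:
            raise ValueError("select at least one expiry limit")
        if self.kilobytes is not None and self.kilobytes <= 0:
            raise ValueError("kilobyte limit must be positive")
        if self.hours is not None and self.hours <= 0:
            raise ValueError("hour limit must be positive")

    def needs_rekey(self, bytes_sent: int, elapsed_hours: float) -> bool:
        """True once any enabled limit has been reached (either event ends the key)."""
        by_traffic = self.kilobytes is not None and bytes_sent >= self.kilobytes * 1024
        by_time = self.hours is not None and elapsed_hours >= self.hours
        return bool(by_traffic or by_time)

    def first_expiry(self, kb_per_hour: float) -> Tuple[str, float]:
        """Predict which limit ends the key first at a steady throughput.

        Returns (reason, hours_until_expiry). With both limits enabled the
        earlier event wins; a traffic limit on an idle tunnel never triggers,
        so its expiry time is reported as infinity.
        """
        candidates: List[Tuple[float, str]] = []
        if self.kilobytes is not None:
            to_traffic = self.kilobytes / kb_per_hour if kb_per_hour > 0 else math.inf
            candidates.append((to_traffic, "kilobytes"))
        if self.hours is not None:
            candidates.append((float(self.hours), "hours"))
        hours, reason = min(candidates)  # shortest time to expiry wins
        return reason, hours


if __name__ == "__main__":
    # Constructed sample: 8 MB or 24 hours, whichever comes first.
    lifetime = KeyLifetime(kilobytes=8192, hours=24)
    print(lifetime.first_expiry(kb_per_hour=1024))  # busy tunnel: traffic limit first
    print(lifetime.first_expiry(kb_per_hour=100))   # quiet tunnel: time limit first
    print(lifetime.needs_rekey(bytes_sent=8192 * 1024, elapsed_hours=1))
```

The point of the prediction is sizing: on a busy tunnel a small kilobyte limit forces frequent renegotiation, while on a quiet tunnel only the hour limit bounds how long a single key stays in use, so a time limit is the one that guarantees an upper bound.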
Making Tunnels Between Devices
You can configure a tunnel with the drag-and-drop procedure or the Add VPN Wizard.
Drag-and-drop tunnel procedure
To use the drag-and-drop tunnel procedure, dynamic Fireboxes and Firebox X Edge or SOHO devices must
have networks that are configured before you can use this procedure. You must also get the policies from
any new dynamic devices before you configure drag-and-drop tunnels (use the procedure “Get the current templates from a device” on page 166 to do this).
On the VPN tab:
1 Click the device name of one of the tunnel endpoints. Drag-and-drop it to the device name of the
other tunnel endpoint.
This starts the Add VPN Wizard.
2 Click Next to show the next screen.
3 The gateway devices screen shows the two endpoint devices you selected with drag-and-drop, and
the policy templates that the tunnel uses. If necessary, select the devices for the endpoints of the
tunnel.
4 For each device, select a policy template from the drop-down list.
The policy template configures the resources available through the tunnel. Resources can be a network or a host.
The drop-down list shows the policy templates that you added to WatchGuard System Manager.
5 Click Next.
The wizard shows the Security Policy dialog box.
6 Select the security template applicable for the type of security and type of authentication to use for
this tunnel.
The list shows the templates you added to the Management server.
7 Click Next.
The wizard shows the configuration.
8 Select the check box Restart devices now to download VPN configuration. Click Finish to start the
devices again and deploy the VPN tunnel.
Using the Add VPN Wizard without drag-and-drop
To create tunnels using the Add VPN Wizard without drag-and-drop:
1 From the VPN tab, select Server > Create a new VPN or click the Create New VPN icon.
This starts the Add VPN Wizard.
2 Click Next.
The wizard shows two lists that each show all the devices registered in the Management Server.
3 Select a device from each list box to be the endpoints of the tunnel you make.
4 Select the policy templates for the end of the tunnel of each device.
The list shows the templates added to the Management Server.
5 Click Next.
The wizard shows the Security Template dialog box.
6 Select the applicable security template for this VPN. Click Next.
The wizard shows the configuration.
7 Select the check box Restart devices now to download VPN configuration. Click Finish to start the
devices again and deploy the VPN tunnel.
Editing a Tunnel
You can see all your tunnels on the VPN tab of WatchGuard® System Manager. System Manager lets you
change the tunnel name, security template, endpoints, and the policy used.
On the VPN tab:
1 Expand the tree to show the device and its policy to change.
2 Select the tunnel to change.
3 Right-click and select Properties.
The Tunnel Properties dialog box appears.
4 Click OK to save the change.
When the tunnel is renegotiated, the changes are applied.
Removing Tunnels and Devices
To remove a device from WatchGuard® System Manager, you must first remove the tunnels for which that
device is an endpoint.
Removing a tunnel
1 From System Manager, click the VPN tab.
2 Expand the Managed VPNs folder to show the tunnel to remove.
3 Right-click the tunnel.
4 Select Remove. Click Yes to confirm.
5 If necessary, restart the devices affected by this removal. Click Yes.
Removing a device
1 From System Manager, click the Device or VPN tab.
The Device tab (left side figure below) or the VPN tab (right side figure below) appears.
Device tab (left side) and VPN tab (right side)
2 If you use the VPN tab, expand the Devices folder to show the device to remove.
3 Right-click the device.
4 Select Remove. Click Yes to confirm.
CHAPTER 11
Configuring RUVPN with PPTP
Remote User Virtual Private Networking (RUVPN) uses Point-to-Point Tunneling Protocol (PPTP) to make
a secure connection. It supports as many as 50 users at the same time for each Firebox and operates with
each type of Firebox® encryption. RUVPN users can authenticate to the Firebox or to a RADIUS authentication server. You must configure the Firebox and the remote host computers of the remote user.
Configuration Checklist
Before you configure a Firebox® to use RUVPN, record this information:
• The IP addresses for the remote client during RUVPN sessions. These IP addresses cannot be
addresses that the network behind the Firebox uses. The safest procedure to give addresses for
RUVPN users is to install a “placeholder” secondary network with a range of IP addresses. Then,
select an IP address from that network range. For example, create a new subnet as a secondary
network on your trusted network 10.10.0.0/24. Select 10.10.0.0/27 for your range of PPTP
addresses. For more information, see “IP Addressing” on page 143.
• The IP addresses of the DNS and WINS servers that resolve IP addresses to host alias names.
• The user names and passwords of users that are approved to connect to the Firebox with RUVPN.
Encryption levels
Because of export limits on high encryption software, WatchGuard Firebox products are put on the installation CD-ROM with only base encryption.
For RUVPN with PPTP, you can select to use 128-bit encryption or 40-bit encryption. U.S. domestic versions of Windows XP have 128-bit encryption enabled. You can get a strong encryption patch from
Microsoft for other versions of Windows. The Firebox always tries to use 128-bit encryption first. It uses
(if enabled) 40-bit encryption if the client cannot use the 128-bit encrypted connection.
For information on how to enable the drop to 40-bit, see “Enabling RUVPN with PPTP” on page 175.
If you do not live in the U.S. and you must have strong encryption on your LiveSecurity Service account,
send an e-mail to [email protected] and include in it:
• Your LiveSecurity Service key number
• Date of purchase
• Name of your company
• Company mailing address
• Telephone number and name
• E-mail address to reply to
If you live in the U.S., you must download the strong encryption software from your archive page in the
LiveSecurity Service Web site. Go to www.watchguard.com, click Support, log into your LiveSecurity Service account, and then click Latest Software.
Then, uninstall the initial encryption software, and install the strong encryption software from the downloaded file.
Note
To keep your current Firebox configuration, do not use the Quick Setup Wizard when you install the
new software. Open System Manager, connect to the Firebox, and save your configuration file.
Configurations with a different encryption version are compatible.
Configuring WINS and DNS Servers
RUVPN clients use shared Windows Internet Name Server (WINS) and Domain Name System (DNS) server
addresses. DNS changes host names into IP addresses, while WINS changes NetBIOS names to IP
addresses. The trusted interface of the Firebox® must have access to these servers.
Make sure that you use an internal DNS server. Do not use external DNS servers.
1 From Policy Manager, click Network > Configuration. Click the WINS/DNS tab.
The information for the WINS and DNS servers appears.
2 In the IP address boxes, type the addresses for the WINS and DNS servers. You can type three
addresses for DNS servers, and two addresses for WINS servers. Type a domain name for the DNS
server.
Adding New Users to Authentication Groups
To get access to Internet services (such as outgoing HTTP or outgoing FTP), the remote user gives a user
name and password as authenticating data. WatchGuard® System Manager software uses this information
to authenticate the user to the Firebox®.
For more information on Firebox groups, see “Implementing Authentication,” on page 107.
1 From Policy Manager, click Setup > Authentication Servers.
The Authentication Servers dialog box appears.
2 Click the Firebox tab.
3 To add a new user, click the Add button below the Users list.
The Setup Firebox User dialog box appears.
4 Type a user name and passphrase for the new user. Type the passphrase again to confirm it.
The new user is put on the Users list. The Authentication Servers dialog box stays open and you can add more users.
5 To close the Authentication Servers dialog box, click OK.
You can use the users and groups to configure the services. Refer to the next section.
Configuring Services to Allow Incoming RUVPN Traffic
RUVPN users have no access privileges through a Firebox®. You must add user names or the full PPTPUsers group to policies. This gives remote users access to machines behind the Firebox.
WatchGuard® recommends two procedures to configure the policies for RUVPN traffic: individual policies,
or the Any policy. It is best to configure individual policies to control RUVPN traffic. The Any policy opens
a hole through the Firebox. This lets all the traffic flow between hosts without applying firewall rules and
is a security risk.
By individual policy
In Policy Manager, double-click a policy to enable for your VPN users. It is a good idea to create a new
policy specially for PPTP traffic and keep it separate from your other firewall policies. To set the properties:
For an incoming policy:
- Allowed
- From: PPTP users or groups
- To: trusted, optional, network or host IP address, or alias
For an outgoing policy:
- Allowed
- From: trusted, optional, network or host IP address, or alias
- To: PPTP users or groups
Using the Any policies
Add Any policies with these properties:
Incoming policy:
- Allowed
- From: PPTP users or groups
- To: trusted, optional, network or host IP address, or alias
Outgoing policy:
- Allowed
- From: trusted, optional, network or host IP address, or alias
- To: PPTP users or groups
Make sure that you save your configuration file to the Firebox after you make these changes.
Note
To use WebBlocker to control the access of remote users, add PPTP users or groups to a proxy
policy that controls WebBlocker, such as HTTP-Proxy. Use this type of policy with any packet filter
or proxy policy as an alternative to the Any policy.
Enabling RUVPN with PPTP
To configure RUVPN with PPTP you must enable the feature. RUVPN with PPTP adds the WatchGuard®
PPTP policy icon to Policy Manager. This sets default properties for PPTP connections and for the traffic
that flows to and from them. WatchGuard recommends you do not change the default properties of the
WatchGuard PPTP service.
1 From Policy Manager, click VPN > Remote Users. Click the PPTP tab.
2 Select the Activate Remote User check box.
3 If necessary, select the Enable Drop from 128-bit to 40-bit check box.
Usually, only customers outside the United States use this check box.
Enabling extended authentication
RUVPN with extended authentication lets users authenticate to a RADIUS authentication server as an
alternative to the Firebox®. For more information on extended authentication, see “Extended authentication” on page 143.
1 Select the Use RADIUS Authentication to authenticate remote users check box. Refer to the figure
in the previous section.
2 Configure the RADIUS server in the Authentication Servers dialog box. Refer to “Implementing
Authentication,” on page 107.
3 On the RADIUS server, create a PPTP-Users group and add names or groups of PPTP users.
Adding IP Addresses for RUVPN Sessions
RUVPN with PPTP gives support to 50 users at the same time, although you can configure a much larger
number of client computers. The Firebox® gives an open IP address to each incoming RUVPN user from a
group of available addresses. This goes on until all the addresses are in use. After a user closes a session,
the address is put back in the available group. The subsequent user who logs in gets this address.
For more information about how to get IP addresses for RUVPN clients, see “IP Addressing” on page 143.
You must configure a minimum of two IP addresses.
From the PPTP tab on the Remote Users Configuration dialog box:
1 Click Add.
The Add Address dialog box appears.
2 From the Choose Type drop-down list, select Host IP (for a single IP address) or Host Range (for
a range of IP addresses).
You can configure 50 addresses. If you select a range of IP addresses that is larger than 50 addresses, RUVPN with
PPTP uses the first 50 addresses in the range.
3 In the Value text box, type the host IP address. If you chose Host Range, type the first and last
IP address in the range. Click OK.
Type IP addresses that are not in use which the Firebox can give to clients during RUVPN with PPTP sessions. The IP
address appears in the list of addresses available to remote clients.
4 Do the procedure again to configure all the addresses for use with RUVPN with PPTP.
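The address rules for RUVPN with PPTP are spread over the Configuration Checklist and the procedure above: pool addresses come from a placeholder secondary network, must not be in use behind the Firebox, at least two are needed, at most 50 are used, and a released address is handed to the next user who logs in. The following Python script is an added example, not code from the guide or from WatchGuard: it checks a set of Host IP / Host Range entries against those rules and models the assign-and-release cycle. The "first-last" text form for a range, the function names, and the sample addresses are constructions of this example.

```python
import ipaddress
from collections import deque

MAX_PPTP_USERS = 50  # concurrent RUVPN with PPTP sessions per Firebox (from the guide)


def expand_entry(entry):
    """Expand one Add Address entry: a Host IP ("10.10.0.3") or a Host Range
    written here as first-last ("10.10.0.3-10.10.0.30"); the dash form is a
    convention of this example, not of the dialog box."""
    if "-" in entry:
        first_s, last_s = entry.split("-", 1)
        first = ipaddress.ip_address(first_s.strip())
        last = ipaddress.ip_address(last_s.strip())
        if last < first:
            raise ValueError(f"range {entry!r} ends before it starts")
        return [ipaddress.ip_address(int(first) + i)
                for i in range(int(last) - int(first) + 1)]
    return [ipaddress.ip_address(entry.strip())]


def build_pool(entries, placeholder_net, in_use=()):
    """Return the PPTP address pool that the guide's rules allow.

    entries         -- Host IP / Host Range strings as typed in the dialog box
    placeholder_net -- the secondary network reserved for RUVPN clients
    in_use          -- addresses already used by hosts behind the Firebox
    Pool addresses must lie inside the placeholder network and must not be in
    use; at least two are required and only the first 50 are kept.
    """
    net = ipaddress.ip_network(placeholder_net, strict=False)
    used = {ipaddress.ip_address(a) for a in in_use}
    pool, seen = [], set()
    for entry in entries:
        for addr in expand_entry(entry):
            if addr not in net:
                raise ValueError(f"{addr} is outside the placeholder network {net}")
            if addr in used:
                raise ValueError(f"{addr} is already in use behind the Firebox")
            if addr not in seen:
                seen.add(addr)
                pool.append(addr)
    if len(pool) < 2:
        raise ValueError("configure a minimum of two IP addresses")
    return pool[:MAX_PPTP_USERS]


class PptpAddressPool:
    """Hands out one free address per session. A released address goes back
    to the front of the free list, so the next user to log in receives it."""

    def __init__(self, addresses):
        self._free = deque(addresses)
        self._assigned = {}

    def assign(self, user):
        if not self._free:
            raise RuntimeError("all PPTP addresses are in use")
        addr = self._free.popleft()
        self._assigned[user] = addr
        return addr

    def release(self, user):
        addr = self._assigned.pop(user)
        self._free.appendleft(addr)
        return addr

    def free_count(self):
        return len(self._free)


if __name__ == "__main__":
    # Constructed sample: the checklist's 10.10.0.0/27 placeholder network,
    # with 10.10.0.1 already taken by the Firebox's secondary interface.
    pool = build_pool(["10.10.0.2-10.10.0.10", "10.10.0.20"], "10.10.0.0/27",
                      in_use=["10.10.0.1"])
    print(len(pool), "addresses:", [str(a) for a in pool])
    sessions = PptpAddressPool(pool)
    print(sessions.assign("alice"), sessions.assign("bob"))
    sessions.release("alice")
    print(sessions.assign("carol"))  # reuses the address alice released
```

Because a released address is reissued immediately, log entries and firewall policies keyed on a PPTP client address identify a session, not a person; tie events to the authenticated user name (PPTP-Users) rather than to the pool address when you review access.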
Preparing the Client Computers
You must first prepare each computer that you use as an RUVPN with PPTP remote host, with:
• Internet service provider (ISP) account
• Public IP address.
Then, do these procedures using the instructions in the next sections:
• Install the necessary version of Microsoft Dial-Up Networking and the necessary service packs
• Prepare the operating system for VPN connections
• Install a VPN adapter (not necessary for all operating systems).
Installing MSDUN and Service Packs
It can be necessary to install these options for correct configuration of RUVPN:
• MSDUN (Microsoft Dial-Up Networking) upgrades
• other extensions
• service packs.
For RUVPN with PPTP, it is necessary to install these upgrades:
Encryption   Platform        Application
Base         Windows NT      40-bit SP4
Strong       Windows NT      128-bit SP4
Base         Windows 2000    40-bit SP2*
Strong       Windows 2000    128-bit SP2
*40-bit encryption is the default for Windows 2000. If you
upgrade from Windows 98, with strong encryption, Windows
2000 will automatically set strong encryption for the new
installation.
To install these upgrades or service packs, go to the Microsoft Download Center Web site at:
http://www.microsoft.com/downloads/search.asp
Creating and Connecting a PPTP RUVPN on Windows XP
To prepare a Windows XP remote host, you must configure the network connection.
From the Windows Desktop of the client computer:
1 Click Start > Control Panel > Network Connections.
The Network Connection wizard appears.
2 Click Create a new connection from the menu on the left. The New Connection Wizard starts.
Click Next.
3 Click Connect to the network at my workplace. Click Next.
4 Click Virtual Private Network Connection. Click Next.
5 Give the new connection a name, such as “Connect with RUVPN.” Click Next.
6 Select to not dial (for a broadband connection), or to automatically dial (for a modem
connection) this connection. Click Next.
The wizard includes this screen if you are using Windows XP SP2. Not all Windows XP users see this screen.
7 Type the host name or IP address of the Firebox® external interface. Click Next.
8 Select who can use this connection profile. Click Next.
9 Select Add a shortcut to this connection to my desktop. Click Finish.
10 To connect using your new VPN connection, first make an Internet connection through a dial-up
network, or directly through a LAN or WAN.
11 Double-click the shortcut to the new connection on your desktop.
Or, select Control Panel > Network Connections and look under the Virtual Private Network list for the connection
you created.
12 Type the user name and password for the connection.
This information was given when you added the user to the pptp_users group. See “Adding New Users to
Authentication Groups” on page 173.
13 Click Connect.
Creating and Connecting a PPTP RUVPN on Windows 2000
To prepare a Windows 2000 remote host, you must configure the network connection.
From the Windows Desktop of the client computer:
1 Click Start > Settings > Network Connections > Create a New Connection.
The New Connection wizard appears.
2 Click Next.
3 Select Connect to the network at my workplace. Click Next.
4 Click Virtual Private Network connection.
5 Give the new connection a name, such as “Connect with RUVPN.” Click Next.
6 Select to not dial (for a broadband connection), or to automatically dial (for a modem
connection) this connection. Click Next.
7 Type the host name or IP address of the Firebox® external interface. Click Next.
8 Select Add a shortcut to this connection to my desktop. Click Finish.
9 To connect using your new VPN connection, first make an Internet connection through a dial-up
network, or directly through a LAN or WAN.
10 Double-click the shortcut to the new connection on your desktop.
Or, select Control Panel > Network Connections and look under the Virtual Private Network list for the connection
you created.
11 Type the user name and password for the connection.
This information was given when you added the user to the pptp_users group. See “Adding New Users to
Authentication Groups” on page 173.
12 Click Connect.
Running RUVPN and accessing the Internet
You can enable remote users to get access to the Internet through a RUVPN tunnel. But this option has
an effect on security. See “Tunneling Methods” on page 147.
1 When you set up your connection on the client computer, use the Advanced TCP/IP Settings dialog
box to select the Use default gateway on remote network check box.
To open the Advanced TCP/IP Settings dialog box on Windows XP or Windows 2000, right-click the VPN
connection in Control Panel > Network Connections. Select Properties and click on the Network tab. Find Internet
Protocol in the list box and click Properties. On the General tab, click Advanced.
2 Make sure that the IP addresses you have added to the PPTP address pool are included in your
dynamic NAT configuration. To make sure, from Policy Manager select Network > NAT.
3 Edit your policy configuration to allow connections from PPTP-Users through the external
interface. If you use WebBlocker to control remote user Web access, add PPTP-Users to the
policy that controls WebBlocker (like HTTP-Proxy).
Making outbound PPTP connections from behind a Firebox
If necessary, you can make a PPTP connection to a Firebox from behind a different Firebox. For example, a remote user goes to a customer office that has a Firebox. The user can make a PPTP connection from there to their own network. For the local Firebox to correctly pass the outgoing PPTP connection, add the PPTP policy and allow PPTP to Any-External. (For information on enabling policies, see the “Configuring Policies” chapter of this guide.)
PART I
Increasing the Protection
CHAPTER 13
Advanced Networking
With Fireware appliance software, you get access to an advanced set of networking features. These features are designed to give the Firebox® administrator more control and greater efficiency with a very large
or high-traffic network. Advanced networking features include:
Multiple WAN Support
Fireware enables you to configure up to four Firebox interfaces as external, or WAN, interfaces.
You can control the flow of traffic through multiple WAN interfaces to share the load of
outgoing traffic.
Quality of Service (QoS)
Fireware’s QoS feature lets you set priority queues, bandwidth restrictions, and connection rate
limits on individual policies.
Dynamic routing
In addition to static routing, the Firebox can use the dynamic routing protocols RIP versions 1 and 2, OSPF version 2, and BGP version 4. These routing protocols allow routing tables to be modified dynamically as the network changes.
About Multiple WAN Support
Fireware™ appliance software gives you the option to configure multiple external interfaces (up to four),
each on a different subnet. This allows you to connect the Firebox® to more than one Internet Service
Provider (ISP). When you configure multiple external interfaces, you have two options to control which
interface outgoing packets use. The options are:
Multi-WAN in round robin order
If you select “round robin” order, you can share the load of outgoing traffic among external
interfaces like this:
- The first host, with IP address x.x.x.x, sends an HTTP request to the Internet. The packets in this session are sent through the lowest-numbered external interface.
- The second host, with IP address y.y.y.y, sends an HTTP request to the Internet. The packets in this session are sent through the next higher-numbered external interface.
- The third host, with IP address z.z.z.z, sends an HTTP request to the Internet. The packets in this session are sent through the lowest-numbered external interface (if only two external interfaces are configured) or through the third external interface in number order.
- As each IP address initiates a session, the Firebox cycles through external interfaces using the
pattern shown above.
Multi-WAN in backup order
If you select this option, the lowest number external interface configured in your list becomes the
primary external interface. All other external interfaces are backup external interfaces. The
Firebox sends all outgoing traffic to the primary external interface. If the primary external
interface is not active, the Firebox sends traffic to the first backup interface. This interface then
becomes the primary external interface. The Firebox sends new outgoing connections to the new
primary interface. Existing connections continue to use the interface they used before.
As soon as you configure a second external interface, multiple WAN support is automatically enabled
with Multi-WAN in round robin order set as the default. After multiple WAN support is enabled, the Firebox automatically uses “Any-External” in place of the “External” alias each time it is used in Policy Manager.
Note that:
• You cannot use 1-to-1 NAT in a multiple WAN configuration.
• Multiple WAN support does not apply to branch office or Mobile User VPN traffic. Branch office
and Mobile User VPN traffic always uses the first external interface configured for the Firebox.
PPTP user VPN operates correctly in a multiple WAN configuration.
• The Multiple WAN feature does not operate correctly if the Firebox with Multiple WAN enabled is a
VPN endpoint in a VPN tunnel created and managed by the Management Server.
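The two selection rules above, as an added example that is not from the WatchGuard guide: a small Python model of per-session outgoing interface choice in round robin and backup order. Interface names, addresses and the session sequence are constructed, and because the guide does not describe automatic fail-back, the model keeps a backup interface as primary until that interface also fails.

```python
"""Added example, not from the WatchGuard guide: a model of how the Firebox chooses
the outgoing external interface for a new session under the two multi-WAN modes
described above. Interface names, addresses and sessions are constructed."""


class MultiWan:
    """Per-session outgoing interface selection for one to four external interfaces."""

    def __init__(self, external_ifaces, mode="round-robin"):
        if not 1 <= len(external_ifaces) <= 4:
            raise ValueError("Fireware supports one to four external interfaces")
        if mode not in ("round-robin", "backup"):
            raise ValueError("mode must be 'round-robin' or 'backup'")
        # "Lowest number external interface" means the lowest interface number.
        self.ifaces = sorted(external_ifaces, key=lambda n: int(n.replace("eth", "")))
        self.mode = mode
        self.link_up = {i: True for i in self.ifaces}
        self.sessions = {}            # (src_ip, dst_ip, dst_port) -> interface
        self._rr_index = 0            # next position in the round-robin cycle
        self._primary = self.ifaces[0]

    def set_link(self, iface, is_up):
        """Mark an external interface up or down."""
        self.link_up[iface] = is_up

    def primary(self):
        """Backup order: the lowest-numbered interface is primary until it goes
        down; then the first active backup becomes primary and stays primary.
        (Assumption: the guide does not describe automatic fail-back.)"""
        if not self.link_up[self._primary]:
            active = [i for i in self.ifaces if self.link_up[i]]
            if not active:
                raise RuntimeError("no active external interface")
            self._primary = active[0]
        return self._primary

    def route(self, src_ip, dst_ip, dst_port):
        """Return the interface for this session; existing sessions keep theirs."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.sessions:
            return self.sessions[key]
        if self.mode == "round-robin":
            # Each new session takes the next interface in number order and wraps
            # back to the lowest-numbered one after the last.
            iface = self.ifaces[self._rr_index % len(self.ifaces)]
            self._rr_index += 1
        else:
            iface = self.primary()
        self.sessions[key] = iface
        return iface


if __name__ == "__main__":
    fw = MultiWan(["eth1", "eth2", "eth3"])
    for host in ("10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.13"):
        print(host, "->", fw.route(host, "198.51.100.7", 80))
```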
Configuring multiple WAN support
1 From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.
2 Select the interface to configure as external and click Configure. Add an interface description and select External from the Interface Type drop-down list.
3 Type the IP address and default gateway for the interface. Click OK.
When you type an IP address, type all the numbers and the periods. Do not use the TAB or arrow key.
After you configure a second external interface, multiple WAN configuration options appear in the Network Configuration dialog box.
4 Select the method to use to control the flow of outgoing traffic through your multiple external interfaces. Use Multi-WAN in round robin order to send traffic sessions through the external interfaces in sequence. Use Multi-WAN in backup order to set your first external interface as primary and subsequent external interfaces as backup interfaces.
5 Click OK. Save your changes to the Firebox.
Creating QoS Actions
In a large network with many host computers, the volume of data that moves through the firewall can be very large. When the traffic is too much for the network, data packets are dropped. It can be necessary for a business to give traffic such as data exchanges between corporate and branch offices a higher priority than low-priority traffic such as Web browsing.
With Fireware Pro, you can set Quality of Service (QoS) actions and apply them to policies to make sure that bandwidth for important traffic is always available.
You can also define an alarm to occur when network capacity is exceeded according to the QoS action’s parameters. You can configure the alarm to make the Firebox® send an event notification to the SNMP management system, or to send a notification in the form of e-mail or a pop-up window on the management station.
1 From Policy Manager, select Setup > Actions > QoS.
The QoS Actions dialog box appears.
2 Click Add.
The New QoS dialog box appears.
3 Type the name and description of the QoS action.
4 Set the Priority to normal or high to give traffic priority treatment.
These categories are often known as queues.
5 Use the Maximum Bandwidth drop-down list to change or remove the bandwidth limits for this action.
Use No Limits to remove bandwidth restrictions for important traffic, or select a maximum kilobytes per second bandwidth to allocate a part of the total available bandwidth for less important traffic.
6 Use the Connection Rate drop-down list to control the number of connections per second for this QoS action.
The default configuration puts no limits on the connection rate. If you select Custom, you can type the maximum connection rate for this QoS action to control the rate of bandwidth use for any traffic.
7 If you want to set an alarm when the bandwidth or connection rate is exceeded, select the Alarm when capacity exceeded check box. Use this alarm to determine whether a policy has a need for more bandwidth. Click Notification and set the notification parameters, as described in “Setting logging and notification parameters” on page 123.
8 Click OK.
The new action appears in the QoS Actions dialog box.
Using QoS in a multiple WAN environment
When a QoS action is applied on a multiple WAN policy with multiple WAN set up in round robin mode,
the maximum bandwidth and connection rate settings in the QoS action control the total throughput and
connection rate across all interfaces. This includes all external interfaces that are configured to route traffic, including external interfaces that are down.
When a QoS action is applied on a multiple WAN policy with multiple WAN set up in backup mode, the
maximum bandwidth and connection rate settings in the QoS action control the throughput and connection rate across the one external interface that is currently sending packets.
Dynamic Routing
A routing protocol is the language a router speaks with other routers to share information about the status of network routing tables. With static routing, routing tables are set and do not change. If a router on
the remote-path fails, a packet cannot get to its destination.
Dynamic routing lets routing tables in routers change as the routes change. If the best path to a destination cannot be used, dynamic routing protocols change routing tables when necessary to keep your network traffic moving. Fireware supports the RIP v1 and v2, OSPF, and BGP v4 dynamic routing protocols.
Routing daemon configuration files
To use any of the dynamic routing protocols with Fireware, you must import or type a dynamic routing
configuration file for the routing daemon you choose. This configuration file includes information such
as a password and log file name. You can find configuration templates for each of the routing protocols
in the FAQ:
https://www.watchguard.com/support/advancedfaqs/fw_dynroute-ex.asp
You can find a list of supported configuration commands for each routing protocol in the sections below.
The command sections below appear in the order they must go in an operating configuration file.
Notes about configuration files:
• The “!” and the “#” characters are comment characters. If the first character of the word is one of
the comment characters, then the rest of the line is ignored as a comment. If the comment
character is not the first character of the word, it is interpreted as a command.
• Usually, a command can be negated by placing the word “no” at the beginning of the line. For
example: “no network 10.0.0.0/24 area 0.0.0.0”, disables the backbone area on the specified
network.
Using RIP
RIP (Routing Information Protocol) is used to manage router information in a self-contained network, such as a corporate LAN or a private wide area network. With RIP, a gateway host sends its routing table to the closest router every 30 seconds. This router, in turn, sends its routing table to the next closest router. This continues until all hosts in the network have the same routing tables.
RIP is best for small networks. This is because the transmission of the full routing table every 30 seconds can put a large traffic load on the network, and because RIP tables are limited to 16 hops. OSPF is a better alternative for larger networks.
RIP Version 1
RIP V1 uses a UDP broadcast over port 520 to send updates to routing tables. To create or modify a routing configuration file, here is a table of supported routing commands. The sections must appear in the
configuration file in the same order they appear in this table. You can also use the sample RIP configuration file found in the FAQ:
https://www.watchguard.com/support/advancedfaqs/fw_dynroute-ex.asp
  Command                                                   Description
Section: Set simple password or MD5 authentication on an interface
  interface eth[N]                                          Begin section to set authentication type for interface
  ip rip authentication string [PASSWORD]                   Set RIP authentication password
  key chain [KEY-CHAIN]                                     Set MD5 key chain name
  key [INTEGER]                                             Set MD5 key number
  key-string [AUTH-KEY]                                     Set MD5 authentication key
  interface eth[N]                                          Begin section to set authentication type for interface
  ip rip authentication mode md5                            Use MD5 authentication
  ip rip authentication mode key-chain [KEY-CHAIN]          Set MD5 authentication key chain
Section: Configure RIP routing daemon
  router rip                                                Enable RIP daemon
  version [1|2]                                             Set RIP version to 1 or 2 (default version 2)
  ip rip send version [1|2]                                 Set RIP to send version 1 or 2
  ip rip receive version [1|2]                              Set RIP to receive version 1 or 2
  no ip split-horizon                                       Disable split horizon (enabled by default)
Section: Configure interfaces and networks
  no network eth[N]
  passive-interface eth[N]
  passive-interface default
  network [A.B.C.D/M]
  neighbor [A.B.C.D/M]
Section: Distribute routes to RIP peers and inject OSPF or BGP routes into the RIP routing table
  default-information originate                             Share route of last resort (default route) with RIP peers
  redistribute kernel                                       Redistribute firewall static routes to RIP peers
  redistribute connected                                    Redistribute routes from all interfaces to RIP peers
  redistribute connected route-map [MAPNAME]                Redistribute routes from all interfaces to RIP peers, with a route map filter (mapname)
  redistribute ospf                                         Redistribute routes from OSPF to RIP
  redistribute ospf route-map [MAPNAME]                     Redistribute routes from OSPF to RIP, with a route map filter (mapname)
  redistribute bgp                                          Redistribute routes from BGP to RIP
  redistribute bgp route-map [MAPNAME]                      Redistribute routes from BGP to RIP, with a route map filter (mapname)
Section: Configure route redistribution filters with route maps and access lists
  access-list [PERMIT | DENY] [LISTNAME] [A.B.C.D/M | ANY]  Create an access list to allow or deny redistribution of an IP address or of any
  route-map [MAPNAME] permit [N]                            Create a route map with a name and allow with a priority of N
  match ip address [LISTNAME]
Configuring Fireware to use RIP v1
1 From Policy Manager, select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2 Click Enable Dynamic Routing and Enable RIP.
3 Click Import to import a routing daemon configuration file, or type your configuration file in the text box.
If you click Import, you can browse to the location of the RIP daemon configuration template. It is located in C:\Documents and Settings\My Documents\My WatchGuard.
4 Click OK.
Allowing RIP v1 traffic through the Firebox
You must add and configure a policy to allow RIP broadcasts from the router to the network broadcast IP
address. You must also add the IP address of the Firebox interface to the To field.
1 From Policy Manager, select Edit > Add Policies. From the list of packet filters, select RIP. Click Add.
The New Policy Properties window appears for RIP.
2 In the New Policy Properties dialog box, configure the policy to allow traffic from the IP or network address of the router using RIP to the Firebox® interface it connects to. You must also add the network broadcast IP address.
3 Click OK.
RIP Version 2
RIP v2 uses multicast to send routing table updates. To create or modify a routing configuration file, refer
to the table of supported RIP routing commands in the section RIP Version 1. Any command that uses a
network IP address must include the subnet mask or RIP v2 will not operate. The sections must appear in
the configuration file in the same order they appear in this table.
Configuring Fireware to use RIP v2
1 In Policy Manager, select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2 Click Enable Dynamic Routing and Enable RIP.
3 Click Import to import a routing daemon configuration file, or type your configuration parameters in the text box.
If you click Import, you can browse to the location of the RIP daemon configuration file. It is located in C:\Documents and Settings\My Documents\My WatchGuard.
4 Click OK.
Allowing RIP v2 traffic through the Firebox
You must add and configure a policy to allow RIP v2 multicasts from the routers that have RIP v2 enabled
to the reserved multicast IP address for RIP v2.
1 From Policy Manager, select Edit > Add Policies. From the list of packet filters, select RIP. Click Add.
The New Policy Properties window appears for RIP.
2 In the New Policy Properties window, configure the policy to allow traffic from the IP or network address of the router using RIP to the multicast address 224.0.0.9.
3 Click OK.
Using OSPF
OSPF (Open Shortest Path First) is a router protocol used in larger networks. With OSPF, a host that sees a change to its routing table or that detects a change in the network immediately sends a multicast update to all other hosts in the network. OSPF is different from RIP because:
• OSPF sends only the part of the routing table that has changed out in its transmission. RIP sends
the full routing table each time.
• OSPF sends a multicast only when its information has changed. RIP sends the routing table each
30 seconds.
OSPF Daemon Configuration
To create or modify a routing configuration file, here is a catalog of supported routing commands. The
sections must appear in the configuration file in the same order they appear in this table. You can also
use the sample OSPF configuration file found in the FAQ:
https://www.watchguard.com/support/advancedfaqs/fw_dynroute-ex.asp
  Command                                                   Description
Section: Configure Interface
  ip ospf authentication-key [PASSWORD]                     Set OSPF authentication password
  interface eth[N]                                          Begin section to set properties for interface
  ip ospf message-digest-key [KEY-ID] md5 [KEY]             Set MD5 authentication key ID and key
  ip ospf cost [1-65535]                                    Set link cost for the interface (see OSPF Interface Cost table below)
  ip ospf hello-interval [1-65535]                          Set interval to send hello packets; default is 10 seconds
  ip ospf dead-interval [1-65535]                           Set interval after last hello from a neighbor before declaring it down; default is 40 seconds
  ip ospf retransmit-interval [1-65535]                     Set interval between link-state advertisement (LSA) retransmissions; default is 5 seconds
  ip ospf transmit-delay [1-3600]                           Set time required to send LSA update; default is 1 second
  ip ospf priority [0-255]                                  Set router priority; a high value increases eligibility to become the designated router (DR)
Section: Configure OSPF Routing Daemon
  router ospf                                               Enable OSPF daemon
  ospf router-id [A.B.C.D]                                  Set router ID for OSPF manually; router will determine its own ID if not set
  ospf rfc 1583compatibility                                Enable RFC 1583 compatibility (can lead to routing loops)
  ospf abr-type [cisco|ibm|shortcut|standard]               More information about this command can be found in draft-ietf-abr-alt-05.txt
  passive-interface eth[N]                                  Disable OSPF announcement on interface eth[N]
  auto-cost reference bandwidth [0-429495]                  Set global cost (see OSPF cost table below); do not use with “ip ospf [COST]” command
  timers spf [0-4294967295] [0-4294967295]                  Set SPF schedule delay and hold time
Section: Enable OSPF on a Network
  *The “Area” variable can be typed in two formats: as a dotted address [W.X.Y.Z], or as an integer [Z].
  network [A.B.C.D/M] area [Z]                              Announce OSPF on network A.B.C.D/M for area 0.0.0.Z
Section: Configure Properties for Backbone Area or Other Areas
  *The “Area” variable can be typed in two formats: as a dotted address [W.X.Y.Z], or as an integer [Z].
  area [Z] range [A.B.C.D/M]                                Create area 0.0.0.Z and set a classful network for the area (range and interface network and mask settings should match)
  area [Z] virtual-link [W.X.Y.Z]                           Set virtual link neighbor for area 0.0.0.Z
  area [Z] stub                                             Set area 0.0.0.Z as a stub
  area [Z] stub no-summary
  area [Z] authentication                                   Enable simple password authentication for area 0.0.0.Z
  area [Z] authentication message-digest                    Enable MD5 authentication for area 0.0.0.Z
Section: Redistribute OSPF Routes
  default-information originate                             Share route of last resort (default route) with OSPF
  default-information originate metrics [0-16777214]        Share route of last resort (default route) with OSPF
  default-information originate always                      Share route of last resort (default route) with OSPF
  default-information originate always metrics [0-16777214] Share route of last resort (default route) with OSPF
  redistribute connected                                    Redistribute routes from all interfaces to OSPF
  redistribute connected metrics                            Redistribute routes from all interfaces to OSPF
Section: Configure Route Redistribution with Access Lists and Route Maps
  access-list [LISTNAME] permit [A.B.C.D/M]                 Create an access list to allow distribution of A.B.C.D/M
  access-list [LISTNAME] deny any                           Restrict distribution of any route map not specified above
  route-map [MAPNAME] permit [N]                            Create a route map with name [MAPNAME] and allow with a priority of [N]
  match ip address [LISTNAME]
OSPF Interface Cost Table
The OSPF protocol finds the most efficient route between two points. To do this, it looks at factors such as interface link speed, the number of hops between points, and other metrics. By default, OSPF uses the actual link speed of a device to calculate the total cost of a route. You can set the interface cost manually to help maximize efficiency if, for example, your gigabit-based firewall is connected to a 100M router. Use the numbers in the OSPF Interface Cost table to manually set the interface cost to a value different from the actual interface cost.
Interface Type    Bandwidth in bits/second    Bandwidth in bytes/second    OSPF Interface Cost
Ethernet          1G                          100M                         1
Ethernet          100M                        10M                          10
Ethernet          10M                         1M                           100
Modem             2M                          200K                         500
Modem             1M                          100K                         1000
Modem             500K                        50K                          2000
Modem             250K                        25K                          4000
Modem             125K                        12500                        8000
Modem             62500                       6250                         16000
Serial            115200                      9216                         10850
Serial            57600                       4608                         21700
Serial            38400                       3072                         32550
Serial            19200                       1636                         61120
Serial            9600                        768                          65535
Configuring Fireware to use OSPF
1 From Policy Manager, select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2 Click the OSPF tab.
3 Click Enable Dynamic Routing and Enable OSPF.
4 Click Import to import a routing daemon configuration file, or type your configuration parameters in the text box.
If you click Import, you can browse to the location of the OSPF daemon configuration file. It is located in C:\Documents and Settings\My Documents\My WatchGuard.
5 Click OK.
Allowing OSPF traffic through the Firebox
You must add and configure a policy to allow OSPF multicasts from the routers that have OSPF enabled
to the reserved multicast addresses for OSPF.
1 From Policy Manager, select Edit > Add Policies. From the list of packet filters, select OSPF. Click Add.
The New Policy Properties window appears for OSPF.
2 In the New Policy Properties window, configure the policy to allow traffic from the IP or network address of the router using OSPF to the IP addresses 224.0.0.5 and 224.0.0.6.
3 Click OK.
Using BGP
The Border Gateway Protocol (BGP) is a scalable dynamic routing protocol used by gateway hosts to
exchange routing information. BGP is the routing protocol used on the Internet. BGP uses route parameters or “attributes” to define routing policies and create a stable routing environment.
Hosts using BGP use TCP to send updated router table information when one host finds a change. The
host sends only the part of the routing table that has the change. BGP uses classless interdomain routing
(CIDR) to reduce the size of the Internet routing tables. The size of the BGP routing table in Fireware is
set at 32K.
The size of the typical WatchGuard® customer wide area network (WAN) is best suited for OSPF dynamic
routing. A WAN can also use external border gateway protocol (EBGP) when more than one gateway to
the Internet is available. EBGP allows you to take full advantage of the redundancy possible with a multihomed network.
To participate in EBGP with an ISP you must have an autonomous system number (ASN). You must get
an ASN from one of the regional registries in the table below. After you are assigned your own ASN you
must contact each ISP to obtain their AS numbers and other necessary information.
Region           Registry Name    Web Site
North America    ARIN             www.arin.net
Europe           RIPE NCC         www.ripe.net
Asia Pacific     APNIC            www.apnic.net
Latin America    LACNIC           www.lacnic.net
Africa           AfriNIC          www.afrinic.net
BGP Daemon Configuration
To create or modify a routing configuration file, here is a catalog of supported routing commands. The
sections must appear in the configuration file in the same order they appear in this table. You can also
use the sample BGP configuration file found in the FAQ:
https://www.watchguard.com/support/advancedfaqs/fw_dynroute-ex.asp
  Command                                                   Description
Section: Configure BGP Routing Daemon
  router bgp [ASN]                                          Enable BGP daemon and set Autonomous System Number (ASN); this is supplied by your ISP
  network [A.B.C.D/M]                                       Announce BGP on network A.B.C.D/M
  no network [A.B.C.D/M]                                    Disable BGP announcements on network A.B.C.D/M
Section: Set Neighbor Properties
  neighbor [A.B.C.D] remote-as [ASN]                        Set neighbor as member of remote ASN
  neighbor [A.B.C.D] ebgp-multihop                          Set neighbor on another network using EBGP multi-hop
  neighbor [A.B.C.D] version 4+                             Set BGP version (4, 4+, 4-) for communication with neighbor; default is 4
  neighbor [A.B.C.D] update-source [WORD]                   Set the BGP session to use a specific interface for TCP connections
  neighbor [A.B.C.D] default-originate                      Announce default route to BGP neighbor [A.B.C.D]
  neighbor [A.B.C.D] port 189                               Set custom TCP port to communicate with BGP neighbor [A.B.C.D]
  neighbor [A.B.C.D] send-community                         Set peer send-community
  neighbor [A.B.C.D] weight 1000                            Set a default weight for the routes of neighbor [A.B.C.D]
  neighbor [A.B.C.D] maximum-prefix [NUMBER]                Set maximum number of prefixes allowed from this neighbor
Section: Community Lists
  ip community-list [<1-99>|<100-199>] permit AA:NN         Specify community to accept. Autonomous system number and network number separated by a colon are entered as the new community format.
Section: Peer Filtering
  neighbor [A.B.C.D] distribute-list [LISTNAME] [IN|OUT]    Set distribute list and direction for peer
  neighbor [A.B.C.D] prefix-list [LISTNAME] [IN|OUT]        Apply a prefix list to be matched against incoming advertisements from, or outgoing advertisements to, that neighbor
  neighbor [A.B.C.D] filter-list [LISTNAME] [IN|OUT]        Match an autonomous system path access list to incoming routes or outgoing routes
  neighbor [A.B.C.D] route-map [MAPNAME] [IN|OUT]           Apply a route map to incoming or outgoing routes
Section: Redistribute Routes to BGP
  redistribute kernel                                       Redistribute static routes to BGP
  redistribute rip                                          Redistribute RIP routes to BGP
  redistribute ospf                                         Redistribute OSPF routes to BGP
Section: Route Reflection
  bgp cluster-id A.B.C.D                                    Configure the cluster ID if the BGP cluster has more than one route reflector
  neighbor [W.X.Y.Z] route-reflector-client                 Configure the router as a BGP route reflector and configure the specified neighbor as its client
Section: Access Lists and IP Prefix Lists
  ip prefix-list PRELIST permit A.B.C.D/E                   Set prefix list
  access-list NAME [deny|allow] A.B.C.D/E                   Set access list
  route-map [MAPNAME] permit [N]                            In conjunction with the “match” and “set” commands, this defines the conditions and actions for redistributing routes
  match ip address prefix-list [LISTNAME]                   Matches the specified access list
  set community [A:B]                                       Set the BGP community attribute
  match community [N]                                       Matches the specified community list
  set local-preference [N]                                  Sets the preference value for the autonomous system path
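The comment and negation rules under “Routing daemon configuration files” and the RIP, OSPF and BGP command tables above, as an added example that is not from the WatchGuard guide: a Python script that parses a daemon configuration with those rules and then audits it for the protections the tables provide (MD5 authentication and key chains, MD5 per OSPF area, and maximum-prefix plus an inbound filter per BGP neighbor). The sample configuration, interface names, addresses and key values are constructed; the commands follow the guide's tables.

```python
"""Added example, not from the WatchGuard guide: parse a routing daemon
configuration file with the comment and "no" negation rules the guide gives,
then audit the RIP, OSPF and BGP sections for missing authentication and peer
limits. Sample config, interface names, addresses and key values are constructed."""

SECTION_STARTERS = ("interface ", "key chain ", "router ")

# Constructed sample with deliberate gaps (plaintext OSPF key, area 1 without MD5,
# a BGP peer with no maximum-prefix) for the audit to report.
SAMPLE_CONFIG = """\
! Constructed sample: RIP v2 with an MD5 key chain, OSPF, and one EBGP peer
key chain ripkeys
 key 1
  key-string PLACEHOLDER-KEY   # placeholder value, not a real secret
interface eth1
 ip rip authentication mode md5
 ip rip authentication mode key-chain ripkeys
interface eth2
 ip ospf authentication-key PLACEHOLDER-PASSWORD
router rip
 version 2
 passive-interface eth0
 network 10.0.1.0/24
router ospf
 network 10.0.2.0/24 area 0
 area 0 authentication message-digest
 network 10.0.3.0/24 area 1
router bgp 64512
 neighbor 192.0.2.1 remote-as 64513
 neighbor 192.0.2.1 prefix-list upstream-in in
"""


def strip_comment(line):
    """Keep words up to the first word beginning with '!' or '#'; a comment
    character inside a word is part of the command, as the guide notes."""
    kept = []
    for word in line.split():
        if word[0] in "!#":
            break
        kept.append(word)
    return " ".join(kept)


def parse_config(text):
    """Return {section: [commands]}; commands before any section go under ''.
    'no X' cancels an earlier X in the same section, otherwise it is kept as given."""
    sections = {"": []}
    current = ""
    for raw in text.splitlines():
        cmd = strip_comment(raw)
        if not cmd:
            continue
        if cmd.startswith(SECTION_STARTERS):
            current = cmd
            sections.setdefault(current, [])
        elif cmd.startswith("no ") and cmd[3:] in sections[current]:
            sections[current].remove(cmd[3:])
        else:
            sections[current].append(cmd)
    return sections


def audit(sections):
    """Return human-readable findings about weak or missing routing protections."""
    findings = []
    chains = {name.split(" ", 2)[2] for name in sections if name.startswith("key chain ")}
    for name, cmds in sections.items():
        if not name.startswith("interface "):
            continue
        ifc = name.split()[1]
        if any(c.startswith("ip rip authentication string") for c in cmds):
            findings.append(f"{ifc}: RIP uses a plaintext password")
        if "ip rip authentication mode md5" in cmds:
            chain = [c.split()[-1] for c in cmds
                     if c.startswith("ip rip authentication") and "key-chain" in c]
            if not chain or chain[0] not in chains:
                findings.append(f"{ifc}: RIP MD5 mode set but key chain missing or undefined")
        if any(c.startswith("ip ospf authentication-key") for c in cmds):
            findings.append(f"{ifc}: OSPF uses a plaintext password")
    ospf = sections.get("router ospf", [])
    areas = {c.split()[-1] for c in ospf if c.startswith("network ") and " area " in c}
    for area in sorted(areas):
        if f"area {area} authentication message-digest" not in ospf:
            findings.append(f"router ospf: area {area} lacks MD5 authentication")
    for name, cmds in sections.items():
        if not name.startswith("router bgp "):
            continue
        peers = {c.split()[1] for c in cmds if c.startswith("neighbor ") and " remote-as " in c}
        for peer in sorted(peers):
            mine = [c for c in cmds if c.startswith(f"neighbor {peer} ")]
            if not any(" maximum-prefix " in c for c in mine):
                findings.append(f"{name}: neighbor {peer} has no maximum-prefix limit")
            if not any(c.endswith(" in") for c in mine):
                findings.append(f"{name}: neighbor {peer} has no inbound route filter")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```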
Configuring Fireware to use BGP
1 From Policy Manager, select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2 Click the BGP tab.
3 Click Enable Dynamic Routing and Enable BGP.
4 Click Import to import a routing daemon configuration file, or type your configuration parameters in the text box.
If you click Import, you can browse to the location of the BGP daemon configuration file. It is located in C:\Documents and Settings\My Documents\My WatchGuard.
5 Click Select a BGP Configuration file.
6 Click OK.
Allowing BGP traffic through the Firebox
You must add a policy to allow BGP traffic to the Firebox from the approved networks. These networks
must be the same networks you defined in your BGP configuration file.
1 From Policy Manager, select Edit > Add Policies. Click New to create a new policy.
2 Give a name and a description for your new BGP policy.
3 Click Add and set the BGP policy to be a single-port, TCP policy on port 179.
4 Click OK, then click Add to add the new policy to Policy Manager.
5 In the New Policy Properties dialog box, configure the policy to allow traffic from the IP or network address of the router using BGP to the Firebox® interface it connects to.
6 Click OK.
CHAPTER 14
Controlling Web Site Access
The WebBlocker feature of WatchGuard® System Manager uses the HTTP proxy to control Web traffic.
You can select the exact hours in the day that users can browse the Web. You can also select categories of
Web sites that users cannot go to. With WebBlocker, it is also possible to have MUVPN and RUVPN users
send their traffic through the outgoing HTTP proxy to apply the WebBlocker rules to these users.
Getting Started with WebBlocker
You can install the WebBlocker server on your WatchGuard® management station when you first do the
setup for WatchGuard System Manager. You can also install the WebBlocker Server software on a different
computer using the same method as installing the System Manager software, but you select only the
WebBlocker Server component.
Note
If you install one of the WSM servers on a computer with a personal firewall other than Windows
Firewall, you must open the ports for the servers to connect through the firewall. To allow connections
to the WebBlocker server, open UDP port 5003. It is not necessary to change your configuration if you
use the Microsoft Windows firewall. See the WatchGuard System Manager User Guide for more
information.
It is also necessary to download the WebBlocker database.
1 Right-click the WebBlocker Server icon in the toolbar at the bottom of the screen.
2 Select Get Full Database.
The Download WebBlocker Database dialog box appears.
3 Select Download to download the new database.
Note
The WebBlocker database has more than 70 MB of data. Depending on your connection speed, the download can take more than 30 minutes. Make sure the hard disk drive has a minimum of 80 MB of free space.
You can use the WebBlocker utility at any time to:
• Download a new version of the database.
• Get an incremental update of the database.
• See the database status.
• Start or stop the server.
Adding a WebBlocker Action to a Policy
You can configure a WebBlocker action for each policy that uses the HTTP proxy. Or, you can use the
same WebBlocker action in each policy that uses the HTTP proxy. After you create an action, you can use
it again and again.
Configuring a WebBlocker action
1 From Policy Manager, right-click a policy that uses the HTTP proxy, such as the HTTP proxy policy or the Outgoing policy. Select Edit.
2 Click the Properties tab and select the View/Edit Proxy icon adjacent to the proxy name.
3 Select the View/Edit HTTP proxy icon to the right of the HTTP Proxy name.
The HTTP Proxy Configuration dialog box appears.
4 If you have configured a WebBlocker action, you can apply it to this policy by selecting the action name from the WebBlocker drop-down menu. To create a new action, click the New/Clone icon.
The New WebBlocker Configuration window appears.
Adding WebBlocker Server information
1 To add a server, click Add.
The Add WebBlocker Server dialog box appears.
2 Type the server IP address and select a port. Click OK.
Allowing WebBlocker server bypass
Outgoing HTTP traffic is automatically denied when the WebBlocker Server does not respond. To let all
outgoing HTTP traffic through when a WebBlocker Server cannot be found, select Allow WebBlocker
Server Bypass on the Server tab. This applies to all HTTP proxy actions that use this WebBlocker action.
Selecting WebBlocker categories
The WebBlocker database contains 14 categories of Web sites that you can block. For more information
on WebBlocker categories, see the Reference Guide.
1 From the New WebBlocker Configuration dialog box, click the Categories tab.
2 Select the category or categories you want to block. Click OK.
Defining WebBlocker exceptions
You can override a WebBlocker action with an exception. You can add a Web site that is allowed or
denied as an exception to the WebBlocker categories. The Web sites you add apply only to the HTTP traffic. They are not related to the Blocked Sites list.
The exceptions are a list of URL patterns, not IP addresses. The URL patterns do not include the leading
"http://".
The host in the URL can be the hostname specified in the HTTP request, or the IP address of the server.
Network addresses are not supported at this time, though you can use subnets in a pattern (for example,
10.0.0.*).
To match a URL path on all Web sites, the pattern must have a leading “*/”.
For servers on port 80, do not include the port. For servers on ports other than 80, add “:port”, for example: 10.0.0.1:8080. You can also use a wildcard for the port -- for example, 10.0.0.1:* -- but note that this
does not apply to port 80.
You must use a pattern for the path. To match a full Web site, end the pattern with “/*” -- for example:
10.0.0.1/* or somesite.com/*. If you add a rule in Simple View, Policy Manager automatically adds /* to all
patterns you type. If it becomes necessary to create a rule without the “/*” at the end, you must create the
rule in Advanced View.
You can also give exceptions using any part of a URL. You can set a port number, path name, or string
that must be blocked for a special Web site. For example, if it is necessary to block only www.sharedspace.com/~dave because it has inappropriate photographs, you type “www.sharedspace.com/~dave/*” to
block that directory of sharedspace.com. This gives the users the ability to browse to www.sharedspace.com/~julia, which contains content on increased production.
To block URLs containing the word “sex” in the path, you can type “*/*sex*”. To block URLs containing
“sex” in the path or the hostname, type “*sex*”.
You can block ports in a URL. For example, look at the URL http://www.hackerz.com/warez/
index.html:8080. This URL has the browser use the HTTP protocol on TCP port 8080 instead of the
default method that uses TCP 80. You can block the port by matching *8080.
1 To define exceptions to the WebBlocker categories, click the Exceptions tab.
2 Type the pattern you want to identify as an exception in the Pattern text box. By default, this pattern
creates an exception that is allowed through the Firebox®. To add an exception to deny a pattern you
must use the advanced rule options. Click Add.
To see the advanced exception rule setup, click Change View.
3 Click the Log check box if you want a log message when an exception is allowed through the Firebox.
4 Click OK.
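A small matcher for these exception patterns, added here as an example (it is not WatchGuard code and does not reproduce the Firebox's own matching engine): it models the conventions described above and runs a constructed rule set against constructed URLs. The first-match-wins ordering and the `simple_view_pattern`, `normalize_url` and `classify` helpers are assumptions of the example.

```python
"""Matcher for WebBlocker-style exception patterns.  Added example, not
WatchGuard code: it models the conventions the guide describes (no leading
"http://", '*' as the only wildcard, a leading "*/" to match a path on every
site, ":port" only for ports other than 80, "/*" appended in Simple View).
The rule set and URLs below are constructed for illustration."""
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (pattern, "allow" | "deny")


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a pattern in which '*' matches any run of characters
    (including '/' and ':') and every other character is literal."""
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$")


def simple_view_pattern(typed: str) -> str:
    """Simple View appends '/*' to whatever you type; a rule that must not
    end in '/*' has to be created in Advanced View instead."""
    return typed if typed.endswith("/*") else typed + "/*"


def normalize_url(url: str) -> str:
    """Reduce a URL to the host[:port]/path form that patterns are written
    against: drop the scheme, and drop an explicit ':80' because port 80 is
    never written in a pattern (a ':*' port wildcard does not cover it)."""
    if url.lower().startswith("http://"):
        url = url[len("http://"):]
    host, slash, path = url.partition("/")
    if host.endswith(":80"):
        host = host[:-3]
    return host + slash + path


def match(pattern: str, url: str) -> bool:
    """True when the exception pattern covers the URL."""
    return pattern_to_regex(pattern).match(normalize_url(url)) is not None


def classify(url: str, rules: List[Rule]) -> Optional[str]:
    """Return the action of the first matching exception rule, or None when
    no exception applies and category blocking decides.  Assumption of this
    example: rules are evaluated in order and the first match wins."""
    for pattern, action in rules:
        if match(pattern, url):
            return action
    return None


# Constructed rule set.  Deny rules need Advanced View, so their '/*' is
# typed explicitly; the allow rule is typed in Simple View.
RULES: List[Rule] = [
    ("www.sharedspace.com/~dave/*", "deny"),                # one directory only
    (simple_view_pattern("www.sharedspace.com"), "allow"),  # rest of the site
    ("*/*sex*", "deny"),                                    # "sex" in the path only
    ("10.0.0.1:*/*", "deny"),                               # any non-80 port on host
]


if __name__ == "__main__":
    for url in (
        "http://www.sharedspace.com/~dave/photo.jpg",
        "http://www.sharedspace.com/~julia/report.html",
        "http://example.com/essex/history.html",
        "http://sexsite.com/index.html",
        "http://10.0.0.1:8080/index.html",
        "http://10.0.0.1:80/index.html",
    ):
        print(f"{url:48} -> {classify(url, RULES)}")
```

Note that `*/*sex*` leaves sexsite.com alone because the wildcard path segment only scans after a "/", whereas `*sex*` also catches the hostname; the port-80 URL never reaches the `10.0.0.1:*/*` rule because the port is stripped before matching.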
Scheduling a WebBlocker Action
You can set an operating schedule for the policy. You can use the predefined settings in the drop-down
list or create custom schedules. You use these time periods to set rules for when to block different Web
sites. For example, you can block sports Web sites during usual business hours of operation, but allow
users to browse at lunch time, evenings, and weekends.
To set a schedule for a policy, open the policy to edit it, and click the Advanced tab. Select a schedule
from the drop-down list, or click the New/Clone icon to make a new schedule. To block different Web sites at different times, you must configure two HTTP policies, one with a schedule. Each policy uses one of the HTTP proxy actions. Each of
these HTTP proxy actions points to one of at least two WebBlocker actions. For more information, see
“Creating Schedules” on page 52.
CHAPTER 15
High Availability
High Availability (HA) refers to the ability of a network to operate when a hardware or software failure
occurs. When you add redundancy to your network, you remove single points of failure.
The WatchGuard® High Availability feature enables the installation of two Firebox® devices in a failover
configuration. The configuration includes one Firebox known as the primary device and the other known
as the secondary device. One of these devices is always in active mode and the other in standby mode.
These two Fireboxes are known as “peers.” They constantly send messages to each other to communicate
their status.
When a failover event occurs, the standby system becomes active. After a Firebox becomes active, it stays
active until it goes offline and the standby Firebox starts as the active unit.
High Availability Requirements
Here are the requirements for the High Availability feature:
• You must have one High Availability license for each HA pair. We recommend that you use the
Firebox® with the maximum license features and capacities as the primary HA device.
• The two Fireboxes in an HA configuration must be the same model and must use the same
software version. If the software versions are different, you must upgrade the Firebox with the
older version so that it matches the other Firebox. The Firebox with the older software must have
its own license for the upgraded software.
• The two Fireboxes must be connected to your network in the same method. For example, the
external interfaces of each must be connected to the same hub or switch.
• You can configure the High Availability connection on either the eth5 port or on eth5 and eth4.
We recommend that you connect the ports after you configure them. (Each port can be used as a
trusted or external interface if it is not used for HA.)
• HA does not operate correctly if one of the Fireboxes in the HA pair is a VPN endpoint in a VPN
tunnel created and managed by the Management Server.
Note
High availability requires an interface or interfaces dedicated specifically for HA. The HA
interface supports only host-to-host traffic and not network traffic.
Installing High Availability
When you buy the High Availability upgrade, you receive a certificate. Use the instructions on the certificate to go to the LiveSecurity® Service web site and activate your upgrade. After you activate the upgrade,
you get a High Availability license key. You must add a unique High Availability license key to the primary
Firebox in the High Availability pair. Each Firebox® in the pair must have the same version of WatchGuard
System Manager software and firmware.
You must add all the license keys for the primary Firebox X and the secondary Firebox X to the configuration file for the primary Firebox. This allows each Firebox in the pair to use all of the options you have
when it becomes the active Firebox. Thus, for each upgrade you enable, you enter the license key into the
configuration file for the primary Firebox.
If you use IPSec VPN tunnels that use a VPN certificate for authentication, the secondary Firebox must
get its own IPSec VPN certificate. Only the Management Server certificate is copied from the primary Firebox to the secondary Firebox when a failover occurs.
Configuring High Availability
1 From Policy Manager, select Network > High Availability.
The High Availability dialog box appears.
2 Select the Enable High Availability check box.
3 Select the HA1 check box for the interface to enable for High Availability.
4 In the Primary Box IP text box, you can change the default IP address. This IP address should be
from a reserved or unassigned network. This becomes the permanent IP address for that interface.
5 In the Secondary Box IP text box, type an IP address from the same subnet as the interface with
High Availability enabled on the active Firebox®.
6 Select the HA2 check box to enable the HA2 interface.
The HA2 interface is optional.
7 Use the arrows adjacent to Group ID to identify this HA group on the network. If you use more
than one HA pair on the same network, this number must be different for each pair.
8 Select the All Traffic radio button to encrypt all HA traffic between the Fireboxes. This is usually
not necessary, and uses more resources.
9 Select the Sensitive Info Only radio button to encrypt only sensitive information that is sent in
HA traffic between the Fireboxes. This protects passwords and other sensitive information.
10 (If you selected the All Traffic radio button in step 9) In the Shared Secret field, type a shared
secret to encrypt HA traffic between the Fireboxes. Type the shared secret again in the Confirm
field.
11 Save this configuration to the active Firebox.
12 Close Policy Manager.
13 Use a crossover cable to connect the HA1 interface (eth5) on one Firebox to the HA1 interface on
the other Firebox. If HA2 (eth4) is enabled, connect both HA2 interfaces as well.
14 Put the secondary unit in safe mode. To do this, turn the Firebox off, and then turn it back on
while you hold down the up arrow button on the Firebox front panel.
Up arrow button
15 Start Firebox System Manager and connect to the primary Firebox.
16 Select Tools > HA > Synchronize Configuration. When prompted, type the Read/Write
passphrase.
You see a message that says High Availability is enabled.
Manually Controlling HA
Although High Availability operations usually occur automatically, you can do some of the functions
manually.
Forcing a failover
You can cause a forced failover. The standby system becomes the active one immediately.
From Firebox® System Manager, select Tools > HA > Force Failover.
Synchronizing the configuration
You must synchronize the configuration when one Firebox configuration has changed while the other is
disconnected from the HA peer or powered down.
From Firebox System Manager, select Tools > HA > Synchronize Configuration.
Restarting the peer
When you communicate to an HA configuration, you communicate only to the active Firebox. To restart
the peer, you must submit the command from the active Firebox:
From Firebox System Manager, select Tools > HA > Restart Peer.
Note
When the Firebox is in a high CPU or traffic condition and you use Firebox System Manager to
control HA operations, you can get an incorrect “time-out” message. In this case, the operation
could have completed, and it is possible the time-out message is not correct.
Backing up an HA configuration
When a Firebox is in a High Availability pair, you can only back up the flash image of the Firebox when it
is the active Firebox. This is because the backup image includes the system and policy information, certificates, and licenses that do not exist on the secondary Firebox until failover. To create a backup image
(.fbi) of the active Firebox:
1 From Policy Manager, select File > Save > To Firebox.
2 Type the configuration passphrase. Click OK.
3 Select Make backup of current flash image before saving. Type a strong encryption key that is
easy to remember.
4 Continue the operation and make sure the backup is saved to the Backup Image location.
Upgrading Software in an HA Configuration
If you install the software on the active Firebox®, the standby Firebox in the HA configuration does not
automatically upgrade. You must upgrade each Firebox separately. Upgrade the active Firebox first. When
it restarts, the standby becomes the active Firebox. You can then upgrade that Firebox. You cannot
upgrade the software on a Firebox that is currently in standby mode.
For information on how to perform an upgrade, see the Migration Guide.
Using HA with Signature-based Security Services
Gateway AntiVirus for E-mail™ and Intrusion Prevention Service (IPS) signature databases do not automatically synchronize between active and standby HA devices.
If the antivirus and IPS features are enabled and an event occurs that causes the standby Firebox® to
become active, this device can have a version of the AV and IPS signature databases that is not current
(especially if it was in standby mode for a long time). Until an update of the database occurs, there is
some time when a new virus or IPS attack can bypass the Firebox.
To minimize this problem, keep the automatic signature update intervals for Gateway AntiVirus for E-mail
and Intrusion Prevention Service enabled and short. If possible, force a manual signature update on the
new active Firebox immediately after the failover occurs.
APPENDIX A
Types of Policies
This chapter gives a list of the pre-defined policies included with Fireware appliance software, their protocols, and their ports. It also gives special information that could have an effect on the security of some
policies.
In this chapter, policies are divided into two groups—policies that are controlled by a packet filter and policies that are controlled by a proxy.
Packet Filter Policies
Packet filter policies examine the source and destination headers of each packet. Packets are allowed or
denied based on whether the headers appear to be coming from and going to trusted addresses.
Any
Use an Any policy only to allow all traffic between two specified trusted IP or network addresses. Configuring an Any policy opens a “hole” through the Firebox®, and allows all traffic to flow freely between
specified hosts. WatchGuard® recommends that the Any policy be used only for traffic through a VPN.
The Any policy is different from other policies. For example, if you allow FTP only to a specified host, all
other FTP sessions to other hosts are denied by that policy (unless you have also configured other FTP
policies). The Any policy does not deny like other policies.
You also cannot use an Any policy unless specified IP addresses, network addresses, host aliases, group
names, or user names are used in the From or To lists. If not, the Any policy does not operate.
Characteristics
• Protocol: Any
• Port Number: any port
AOL
The America Online proprietary protocol allows access to AOL through a TCP/IP network. The AOL client
must be specially configured to use TCP/IP and not a modem.
Characteristics
• Protocol: TCP
• Port Number(s): 5190
archie
archie is a search protocol used to find files on FTP servers. WatchGuard recommends that you use the
available web interfaces to archie. A current list of archie servers is available through anonymous FTP
from:
ftp://microlib.cc.utexas.edu/microlib/mac/info/archie-servers.txt
External hosts can be spoofed. The Firebox cannot make sure that these packets were sent from the correct location. You can configure your Firebox to add the source IP address to the Blocked Sites List when
an incoming archie connection is denied. You can use all of the usual log options with archie.
Characteristics
• Protocol: UDP
• Port Number(s): 1525
auth
The Authentication Server protocol (AUTH) has a new name. It is now called the Identification Protocol
(IDENT). Refer to IDENT for more information about this policy.
Citrix ICA
Citrix ICA is a protocol used by Citrix for its software applications, including the Winframe product. Winframe gives access to Windows from different types of clients. Citrix uses TCP port 1494 for its ICA protocol. Citrix MPS 3.0 uses Session Reliability by default. This changes the ICA protocol to use TCP 2598. If
you use Citrix MPS, you must add a policy for TCP port 2598.
Adding the Citrix ICA policy could put your network security at risk because it allows traffic through the
firewall without authentication. In addition, your Winframe server can receive denial-of-service attacks.
WatchGuard recommends using VPN options to give more security for ICA connections. You can use all of
the usual log options with WinFrame.
Characteristics
• Protocol: TCP
• Port Number(s): 1494
For more information on adding the Citrix ICA policy, refer to the Advanced FAQs in the Knowledge Base.
Go to www.watchguard.com/support and log in to the LiveSecurity Service.
Clarent-gateway
Clarent Corporation supplies IP telephone technology to mainstream carriers and service providers. Clarent
products allow voice-over-IP between Clarent gateways across the Internet. This policy gives support to
the Clarent v3.0 product and later.
Clarent products use two sets of ports, one for gateway-to-gateway communications (UDP ports 4040,
4045, and 5010) and one for gateway-to-command center communications (UDP ports 5001 and 5002).
Use the Clarent-command policy for the gateway-to-command center communications.
Allow incoming connections only from specified external gateways to your gateway or command center.
Clarent also gives support for the use of PCAnywhere for management. Refer to the PCAnywhere policy
notes for more information.
Adding the Clarent-gateway policy could put network security at risk because it allows traffic inside the
firewall based only on network address. This is not a trusted method of authentication. In addition, your
Clarent server could receive denial-of-service attacks in this configuration. Where possible, WatchGuard
recommends using VPN options to give more security for Clarent-gateway connections.
Characteristics
• Protocol: UDP
• Port Number(s): 4040, 4045, 5010
Clarent-command
Clarent Corporation supplies IP telephone technology to mainstream carriers and service providers. Clarent
products allow voice-over-IP between Clarent gateways across the Internet. This policy gives support to
the Clarent v3.0 product and later.
Clarent products use two sets of ports, one for gateway-to-gateway communications (UDP ports 4040,
4045, and 5010) and one for gateway-to-command center communications (UDP ports 5001 and 5002).
Use the Clarent-command policy for the gateway-to-command center communications.
Allow incoming connections only from specified external gateways to your gateway or command center.
Clarent also gives support for the use of PCAnywhere for management. Refer to the PCAnywhere policy
notes for more information.
Adding the Clarent-command policy could put network security at risk because it allows traffic inside the
firewall based only on network address. This is not a trusted method of authentication. In addition, your
Clarent server could receive denial-of-service attacks in this configuration. Where possible, WatchGuard
recommends using VPN options to give more security for Clarent-command connections.
Characteristics
• Protocol: UDP
• Port Number(s): 5001, 5002
CU-SeeMe
CU-SeeMe is a software application used to do video conferencing through the Internet. For CU-SeeMe to
operate through the Firebox, you must make sure that you are not on a network using outgoing dynamic
NAT. Configure the CU-SeeMe policy for incoming and outgoing access.
Because of how the CU-SeeMe protocol works, you must configure this policy for both incoming and outgoing traffic. The CU-SeeMe policy uses the correct ports to allow the use of CU-SeeMe versions 2.X and 3.X. CU-SeeMe Version 2.X operates on UDP port 7648. Version 3.X operates on UDP port 7648, UDP port 24032 (for H.323 conferences),
and TCP port 7648 (video conference directories).
Characteristics
• Protocol: TCP and UDP
• Port Number(s): UDP 7648, UDP 24032, TCP 7648
DHCP-Server/Client
Dynamic Host Configuration Protocol (DHCP) gives a means of allocating dynamic IP addresses to devices
on a network.
Characteristics
• Policy Name: DHCP-Server or DHCP-Client
• Protocol: TCP
• DHCP-Server Port Number(s): 68
• DHCP-Client Port Number(s): 67
DNS
Domain Name Service (DNS) matches host names to IP addresses. A DNS policy is enabled in the default
configuration. The DNS policy allows UDP DNS traffic, as well as TCP zone transfers to occur as specified.
All of the usual log options can be used with DNS.
Characteristics
• Protocol: Multi: TCP (for server-server zone transfers) and UDP (for client-server lookups)
• Port Number(s): TCP 53 and UDP 53
Entrust
The Entrust Authority Public Key distribution protocol passes public keys to a trusted third-party organization for verification.
Characteristics
• Protocol: TCP
• Port Number(s): 709, 710
finger
finger is a protocol used to get information about users on a given host. It is easy for a hacker to use this
information against you. WatchGuard does not recommend putting finger servers on the trusted interface.
Characteristics
• Protocol: TCP
• Port Number(s): 79
FTP
File Transfer Protocol (FTP) is used to move files across the Internet. Using an FTP packet filter will not
apply the FTP proxy rule set to any traffic. To proxy FTP traffic, use the FTP proxy policy. WatchGuard
recommends that incoming FTP be allowed only to public FTP servers located behind the Firebox.
External hosts can be spoofed. WatchGuard cannot verify that these packets were actually sent from the
correct location. You can configure the Firebox to add the source IP address to the Blocked Sites List
whenever an incoming FTP connection is denied. The packet filter and proxy policy included in WatchGuard Policy Manager handle the data channel for active and passive FTP sessions. All of the usual log
options can be used with FTP.
Characteristics
• Protocol: TCP
• Port Number(s): 21
Gopher
Gopher is a data-retrieval protocol developed at the University of Minnesota. Gopher is not frequently
used, as most users use HTML.
Characteristics
• Protocol: TCP
• Port Number(s): 70, but servers can be configured to use other ports
GRE
Generic Routing Encapsulation Protocol (GRE) is used together with Point-to-Point Tunneling Protocol
(PPTP) to create virtual private networks between clients or between clients and servers.
Characteristics
• Protocol: GRE
• Protocol number: 47
HTTP
Using an HTTP packet filter will not apply the HTTP proxy rule set to any traffic. To proxy
HTTP traffic, use the HTTP proxy policy. WatchGuard recommends that incoming HTTP be allowed only
to public HTTP servers located behind the Firebox.
External hosts can be spoofed. WatchGuard cannot verify that these packets were actually sent from the
correct location. You can configure the Firebox to add the source IP address to the Blocked Sites List
whenever an incoming HTTP connection is denied. All of the usual log options can be used with HTTP.
Characteristics
• Protocol: TCP
• Port Number(s): 80
HTTPS
HTTPS is a secure and encrypted version of the HTTP protocol. The client and the web server set up an
encrypted session on TCP port 443. Because this session is encrypted, a proxy cannot examine the packet
contents. This policy uses a packet filter to examine the connection.
Note
The HTTPS policy is needed only if you are hosting an HTTPS server, or if you do not have an HTTP, TCP,
TCP-UDP, or TCP-Proxy policy in your configuration.
Characteristics
• Protocol: TCP
• Port Number(s): 443
HBCI
The Home Banking Computer Interface (HBCI) is a standard created for bank customers and manufacturers of banking products.
Characteristics
• Protocol: TCP
• Port Number(s): 3000
IDENT
The Identification Protocol (IDENT) is a protocol used to match TCP connections to a user name. It is
used most frequently by large public SMTP and FTP servers. It is used for logs, but you cannot trust the
information it gives, as attackers can change their servers to have them send back incorrect information.
IDENT uses “fake” information to hide internal user information.
When using SMTP with incoming static NAT, you must add IDENT to your Policy Manager. Configure
IDENT to allow traffic to the Firebox. This enables mail messages to flow from behind the Firebox to the
many SMTP servers on the Internet that use IDENT to identify other mail servers’ identities, and allows
these servers to return messages through the Firebox to their senders.
If you are not using dynamic NAT, allow IDENT to the IP address of your e-mail server.
WatchGuard recommends that IDENT policies be allowed to and from the Firebox, but know that hackers
can use IDENT to collect user names.
Characteristics
• Protocol: TCP
• Port Number(s): 113
IGMP
The Internet Group Management Protocol (IGMP) is the standard for IP multicasting on the Internet. It is
used to control host memberships in multicast groups on a single network.
Characteristics
• Protocol: IGMP
IKE
The Internet Key Exchange Protocol is a standard protocol for key management.
Characteristics
• Protocol: UDP
• Port Number(s): 4500 and 500
IMAP
Internet Mail Access Protocol (IMAP) is a method of getting e-mail or bulletin board messages on a
remote e-mail server as if the messages were local. You can get access to e-mail stored on an IMAP server
from many locations (such as home, work, or laptop) without moving messages.
Characteristics
• Protocol: TCP
• Port Number(s): 143
IPSec
Internet Protocol Security (IPSec) is a framework for a set of protocols for security at the network or
packet layer of network communications. It is a VPN tunneling protocol with encryption.
Characteristics
• Protocol: UDP, ESP, and AH protocols
• Port Number(s): UDP 500 and UDP 4500
IRC
Internet Relay Chat (IRC) is a system for Internet chatting. To use IRC you must have an IRC client and
Internet access. The IRC client is a software application on your computer that sends and receives messages to and from an IRC server. The IRC server makes sure that all messages are sent to all users in the
chat session.
Characteristics
• Protocol: TCP
• Port Number(s): 6667
Intel Video Phone
Intel Video Phone is a real-time multimedia application based on H.323. H.323 is an international standard for conferencing over TCP/IP networks. This policy does not filter for dangerous content. It does not
support QoS or rsvp protocol, and it does not support NAT.
Characteristics
• Protocol: TCP
• Port Number(s): 1720, 522
Kerberos v 4 and Kerberos v 5
The Kerberos network authentication protocol is an authentication system developed by the Massachusetts Institute of Technology (MIT). Kerberos enables two computers to exchange private information
across an open network using authentication for security (but no encryption).
Characteristics
• Protocol: TCP and UDP
• Kerberos v 4 Port Number(s): UDP 750
• Kerberos v 5 Port Number(s): TCP 88 and UDP 88
L2TP
Layer 2 Tunneling Protocol (L2TP) is an extension to the PPP protocol that enables ISPs to operate virtual
private networks.
Characteristics
• Protocol: UDP
• Port Number(s): 1701
LDAP
Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for using online directory services. The protocol operates with Internet transport protocols, such as TCP. You can use LDAP to get
access to stand-alone directory servers or X.500 directories.
Characteristics
• Protocol: TCP
• Port Number(s): 389
LDAP-SSL
Lightweight Directory Access Protocol over TLS/SSL (LDAP-SSL) is used with Windows 2000 to give more
security when accessing Active Directory.
Characteristics
• Protocol: TCP
• Port Number(s): 636
Lotus Notes
Lotus Notes is a client/server platform for conferencing, databases, e-mail, and creating and using documents. Adding this policy enables the proprietary Lotus Notes protocol. Because the protocol uses encapsulation and tunneling, and gives access to internal data, WatchGuard does not recommend adding the
Lotus Notes policy for addresses out of the trusted network.
Characteristics
• Protocol: TCP and UDP
• Port Number(s): TCP 1352, UDP 1352
MSSQL-Monitor
Microsoft SQL Monitor is used to monitor Microsoft SQL databases.
Characteristics
• Protocol: TCP and UDP
• Port Number(s): TCP 1434, UDP 1434
MSSQL-Server
Microsoft SQL Server is usually used to make a remote connection to a Microsoft SQL database.
Characteristics
• Protocol: TCP and UDP
• Port Number(s): TCP 1433, UDP 1433
MS Win Media
Microsoft Windows Media Server is a proprietary protocol developed by Microsoft to supply unicast
streams. It enables bidirectional connections that enable users to go forward, go back, or pause the playback of unicast streams.
Characteristics
• Protocol: TCP
• Port Number(s): 1755, 80
NetMeeting
NetMeeting is a product developed by Microsoft Corporation that enables groups to teleconference across
the Internet. It is included with Microsoft’s Internet Explorer web browser. This policy is based on the
H.323 protocol and does not filter for dangerous content. It does not support QoS or rsvp protocol, and
it does not support NAT.
Characteristics
• Protocol: TCP
• Port Number(s): 1720, 389
NFS
The Network File System (NFS) protocol is a client server software application created by Sun Microsystems to allow all network users to get access to shared files kept on computers of different types.
Characteristics
• Protocol: TCP and UDP
• Port Number(s): TCP 2049, UDP 2049
NNTP
Network News Transfer Protocol (NNTP) is used to transmit Usenet news articles.
The best procedure to use NNTP is to set internal hosts to internal news servers, and external hosts to
news feeds. In most conditions NNTP must be enabled in two directions. If you are operating a public
newsfeed, you must allow NNTP connections from all external hosts. WatchGuard cannot make sure that
these packets were sent from the correct location.
You can configure the Firebox to add the source IP address to the Blocked Sites List when an incoming
NNTP connection is denied. All of the usual log options can be used with NNTP.
Characteristics
• Protocol: TCP
• Port Number(s): 119
NTP
Network Time Protocol (NTP) is a protocol built on TCP/IP that controls local timekeeping. It synchronizes computer clocks with other clocks located on the Internet.
Characteristics
• Protocol: UDP, TCP
• Port Number(s): TCP 123 and UDP 123
OSPF
Open Shortest Path First (OSPF) is a routing protocol developed for IP networks based on the link-state
algorithm. OSPF is quickly replacing the use of RIP on the Internet because it gives smaller, more frequent updates to routing tables and makes networks more stable.
Characteristics
• Protocol: OSPF
• Protocol number: 89
pcAnywhere
pcAnywhere is a software application used to get remote access to Windows computers. To enable this
protocol, add the PCAnywhere policy. Then, allow access from the hosts on the Internet that must get
access to internal pcAnywhere servers, and to the internal pcAnywhere servers.
pcAnywhere is not a very secure policy and can put network security at risk, because it allows traffic
through the firewall without authentication. Also, your pcAnywhere server can receive denial of service
attacks. WatchGuard recommends using VPN options to give more security.
Characteristics
• Protocol: UDP and TCP
• Port Number(s): UDP 22, UDP 5632, TCP 5631, TCP 65301
ping
You can use ping to confirm that a host can be reached and is operating on the network. DOS-based and
Windows-based traceroute uses ICMP echo packets, so to filter those packets, configure a ping policy.
Allowing outgoing ping is useful for troubleshooting. WatchGuard does not recommend that you allow
incoming ping connections to your trusted network.
Fireware Configuration Guide
221
Packet Filter Policies
Characteristics
• Protocol: ICMP
• Protocol number: 1
POP2 and POP3
POP2 and POP3 (Post Office Protocol) are e-mail transport protocols, usually used to get a user’s e-mail
from a POP server.
Characteristics
• Protocol: TCP
• Port Number(s): 109 (POP2), and 110 (POP3)
PPTP
PPTP is a VPN tunnel protocol with encryption. It uses one TCP port (for negotiation and authentication
of the VPN connection) and one IP protocol (for data transfer) to connect the two peers in a VPN. Configure the PPTP policy to allow access from Internet hosts to a PPTP server on an internal network. You cannot
reach a PPTP server through static NAT, because static NAT cannot forward IP protocols such as GRE. Because this policy opens a
tunnel to the PPTP server and the Firebox cannot examine the packets inside the tunnel, control the use of this policy
carefully. Be sure to use the most current version of PPTP.
Characteristics
• Protocol: TCP
• PPTP Negotiation Port Number(s): 1723
• Protocol: IP
• Protocol number: 47 (GRE)
RADIUS and RADIUS-RFC
The Remote Authentication Dial-In User Service (RADIUS) supplies remote users with secure access to corporate networks. RADIUS is a client-server system that keeps authentication information for users, remote
access servers, and VPN gateways in a central user database that is available to all servers, so authentication
for the network occurs from one location. RADIUS uses an authentication key (a shared secret) known to the RADIUS client and the RADIUS server to protect the authentication exchange.
In RFC 2865, the server port used by RADIUS changed from port 1645 to 1812. Make sure you select the
policy that matches your implementation.
Characteristics
• Protocol: UDP
• RADIUS policy Port Number(s): UDP 1645
• RADIUS-RFC policy Port Number(s): UDP 1812
RADIUS-Accounting and RADIUS-ACCT-RFC
The Remote Authentication Dial-In User Service (RADIUS) Accounting policy supplies accounting information to administrators of networks that use RADIUS authentication. RADIUS is a client-server system
that keeps authentication information for users, remote access servers, and VPN gateways in a central user
database that is available to all servers. The RADIUS server is also notified when the authenticated session
starts and stops. This information can be helpful for accounting.
In RFC 2866, the server port used by RADIUS changed from port 1646 to 1813. Make sure you select the
policy that matches your implementation.
Characteristics
• Protocol: UDP
• RADIUS-Accounting policy Port Number(s): UDP 1646
• RADIUS-ACCT-RFC policy Port Number(s): UDP 1813
RDP
The Microsoft Remote Desktop Protocol (RDP) supplies remote display and input abilities over network
connections for Windows software applications operating on a server.
Characteristics
• Protocol: TCP
• Port Number(s): 3389
RIP
RIP is an older routing protocol used to automatically build routing tables on local routers. Because RIP
traffic has no single direction, it is configured much like DNS. Enable RIP only if your Internet service
provider requires you to run a routing daemon.
Incorrect or deceptive routing information can disrupt local networks, cause denial of service, and put
the local network at risk. Enable this policy only if necessary.
Characteristics
• Protocol: UDP
• Port Number(s): 520
RSH
Remote Shell (RSH) is used to get access to the command line of a remote host computer. WatchGuard
does not recommend you allow any RSH incoming through the Firebox without the use of a VPN.
Characteristics
• Protocol: TCP
• Port Number(s): 514
RealPlayer G2
RealPlayer G2 is the media streaming protocol used by RealPlayer versions 7 and 8.
Characteristics
• Protocol: TCP
• Port Number(s): 554, 80
Rlogin
Remote login (Rlogin) is a UNIX command that allows an approved user to log in to other UNIX computers on a network. After the login, the user can do everything the host allows that user to do, such as read,
edit, or delete files. For security reasons, WatchGuard recommends that you do not allow incoming Rlogin
through the Firebox.
Characteristics
• Protocol: TCP
• Port Number(s): 513
SecurID
RSA SecurID two-factor authentication adds security to the user authentication procedure. Created
by Security Dynamics Technologies, Inc., it uses SecurID tokens to generate codes and ACE/Server software to validate the codes.
Characteristics
• Protocol: TCP and UDP
• Port Number(s): TCP 5510, UDP 5500
SMB (Windows Networking)
Windows uses Server Message Block (SMB) to share files, computers, printers, and other network
resources.
If you set up replication, you may see many attempts to use the port mapper service on port 135. When this
fails, SMB falls back to port 42. For more information, refer to the RFC for DCE and to the DCE-RPC proxy
sections.
Note
Allowing SMB through the Firebox is not secure and WatchGuard does not recommend it, unless used
through a VPN connection. These configuration settings are to be used only if there is no other
alternative, and policy settings must specify internal and external hosts.
Characteristics
• Protocol: TCP and UDP
• Port Number(s): UDP 137, UDP 138, TCP 139, TCP 445, UDP 445
SMTP
The SMTP packet filter policy allows SMTP traffic (e-mail) without using the SMTP proxy.
Characteristics
• Protocol: TCP
• Port Number(s): 25
SNMP
Simple Network Management Protocol (SNMP) is used to collect information about and configure remote
computers. This can be dangerous. Many Internet attacks use SNMP.
Characteristics
• Protocols: UDP
• Port Number(s): 161
Because SNMP can cause changes in a network if enabled, carefully review alternatives and record logs
for all connections.
SNMP-Trap
Simple Network Management Protocol (SNMP) traps are notification messages that an SNMP agent (for
example, a router) sends to a network management station. These messages usually report an important
event that must be examined.
Characteristics
• Protocols: UDP
• Port Number(s):162
SQL*Net
Oracle SQL*Net uses one port, which by default is TCP 1521 or TCP 1526. You can change the port by
editing the tnsnames.ora file. To allow SQL*Net through the Firebox, set up a policy for the port that your
SQL*Net server uses, with a protocol of TCP and a client port of Ignore. Then set up incoming access from
the allowed external hosts to the SQL*Net server.
Characteristics
• Protocols: TCP
• Port Number(s): 1521, 1526
SQL-Server
The SQL-Server policy is used to give access to Sybase Central and SQL Advantage software.
Characteristics
• Protocols: TCP
• Port Number(s): 10000
ssh
Secure Shell (ssh) is a free software application that allows remote login, remote command execution, and
file transfer between computers. It gives strong authentication and secure (encrypted) connections.
WatchGuard recommends the use of ssh because it is more secure than vulnerable protocols such as
telnet, rsh, and rlogin.
If you use ssh, you must also use its strong authentication mechanisms. Strong encryption mechanisms
are available for U.S. customers, Canadian customers, and customers who are allowed by the U.S. government to use strong encryption. To get strong encryption (128-bit, 3DES) or IPSec, send e-mail to WatchGuard Technical Support.
UNIX versions are available from www.ssh.com, and information on versions for Windows can be found at
F-Secure (http://www.f-secure.com).
Characteristics
• Protocol: TCP
• Port Number(s): 22
Sun RPC
Sun Remote Procedure Call (Sun RPC) was developed by Sun Microsystems for connections between clients and servers in the Sun network file system.
Characteristics
• Protocol: TCP and UDP
• Port Number(s): TCP 111, UDP 111
syslog
syslog is a policy used to record operating system events on UNIX hosts. Syslog is usually enabled on
a firewall to collect data from a host outside the firewall.
The syslog port is blocked in the default Firebox configuration. To allow one log host to collect logs from
more than one Firebox:
• Remove port 514 from the Blocked Ports list
• Add the WatchGuard Logging policy to Policy Manager
Note
It is possible for hackers to fill syslogs with log entries. If the syslog is full, it is more difficult to see an
attack. Also, the disk frequently fills up and the attack is not recorded. Thus, it is usually not secure to
allow syslog traffic through the Firebox.
Characteristics
• Protocol: UDP
• Port Number(s): 514
TACACS
TACACS user authentication is a system that uses user accounts to authenticate users into a dial-up
modem pool. This removes the need to keep copies of accounts on a UNIX system. TACACS does not support TACACS+ or RADIUS.
Characteristics
• Protocol: UDP
• Port Number(s): 49
TACACS+
TACACS+ user authentication is a system that uses user accounts to authenticate users into a dial-up
modem pool. This eliminates the need to keep copies of accounts on a UNIX system. TACACS+ supports
RADIUS.
Characteristics
• Protocol: TCP
• Port Number(s): 49
TCP
This policy is the default policy for all TCP connections; any more specific policy overrides it. TCP connections that do not match a specific policy in Policy Manager do not complete unless the TCP-UDP policy, the TCP policy, or
the TCP Proxy is also configured in Policy Manager. This policy does not enable FTP, which operates only
with an FTP policy.
TCP-UDP
This policy is the default policy for all TCP and UDP connections; any more specific policy overrides it.
Connections that do not match a specific policy in Policy Manager do not complete unless the TCP-UDP policy,
the TCP and UDP policies, or the TCP Proxy are also configured in Policy Manager. This policy does not enable active-mode
FTP, which operates only with an FTP policy.
UDP
This policy is the default policy for all UDP connections; any more specific policy overrides it. UDP connections that do not match a specific policy in Policy Manager do not complete unless the UDP policy, the TCP-UDP policy,
or the TCP Proxy is also configured in Policy Manager.
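The following added example (not WatchGuard code) models the decision order that the syslog policy steps earlier in this section and the TCP, TCP-UDP, and UDP catch-all policies above imply: the Blocked Ports list is checked first, then the specific policies, then the catch-alls, and a flow that matches nothing does not complete. The Flow and Policy types, the direction labels, and the evaluation order are assumptions made for illustration; the port numbers come from the Characteristics lists in this section, and the Blocked Ports set is a partial one.

```python
"""Model of how a flow is decided under the policy types described in this
section: the Blocked Ports list, specific policies, and the TCP / UDP / TCP-UDP
catch-all policies. Added example, not WatchGuard code; the evaluation order is
an assumption made for illustration."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Ports named in this guide's default Blocked Ports list (partial set).
DEFAULT_BLOCKED_PORTS = frozenset({0, 1, 111, 513, 514})


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp" or "udp"
    dst_port: int
    direction: str    # "in": external -> trusted, "out": trusted -> external


@dataclass(frozen=True)
class Policy:
    name: str
    protos: frozenset            # e.g. frozenset({"tcp"})
    ports: Optional[frozenset]   # None = any port, i.e. a TCP/UDP/TCP-UDP catch-all
    directions: frozenset        # directions in which the policy allows traffic

    def is_catch_all(self) -> bool:
        return self.ports is None

    def matches(self, flow: Flow) -> bool:
        return (flow.proto in self.protos
                and (self.ports is None or flow.dst_port in self.ports)
                and flow.direction in self.directions)


def evaluate(flow: Flow, policies: Iterable[Policy],
             blocked_ports: frozenset = DEFAULT_BLOCKED_PORTS) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow."""
    # 1. The Blocked Ports list is consulted before any policy, which is why the
    #    syslog procedure removes port 514 from the list before adding a policy.
    if flow.dst_port in blocked_ports:
        return "deny", f"port {flow.dst_port} is on the Blocked Ports list"
    # 2. Specific policies override the catch-alls, so evaluate them first
    #    (sorted puts is_catch_all() == False ahead of True).
    for policy in sorted(policies, key=Policy.is_catch_all):
        if policy.matches(flow):
            return "allow", f"matched policy {policy.name}"
    # 3. No policy matched: the connection does not complete.
    return "deny", "no matching policy"


# Policies built from the Characteristics lists in this section.
TCP_CATCH_ALL = Policy("TCP", frozenset({"tcp"}), None, frozenset({"out"}))
RDP = Policy("RDP", frozenset({"tcp"}), frozenset({3389}), frozenset({"in"}))
SYSLOG = Policy("syslog", frozenset({"udp"}), frozenset({514}), frozenset({"in"}))

if __name__ == "__main__":
    # syslog from a second Firebox is dropped until 514 leaves the Blocked Ports list
    print(evaluate(Flow("udp", 514, "in"), [SYSLOG]))
    print(evaluate(Flow("udp", 514, "in"), [SYSLOG], DEFAULT_BLOCKED_PORTS - {514}))
    # an inbound RDP session needs its own policy; the TCP catch-all is outbound only
    print(evaluate(Flow("tcp", 3389, "in"), [TCP_CATCH_ALL]))
    print(evaluate(Flow("tcp", 3389, "in"), [TCP_CATCH_ALL, RDP]))
```

The ordering in `evaluate` is the point: a port on the Blocked Ports list never reaches a policy, and a catch-all such as TCP only decides flows that no specific policy claimed, so adding an inbound RDP policy changes the outcome for port 3389 without touching the catch-all.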
telnet
The telnet policy is used to log in to a remote computer. It is almost the same as using dial-up access, but
the connection is made across a network.
Characteristics
• Protocol: TCP
• Port Number(s): 23
Timbuktu
Timbuktu Pro is remote control and file transfer software used to get access to Windows computers. The
protocol uses TCP port 1417 and UDP port 407. Add the Timbuktu policy and allow incoming access from
the Internet hosts that must reach internal Timbuktu servers to those internal Timbuktu
servers.
Timbuktu is not a very secure software application and can put network security at risk. It allows traffic
inside the firewall without authentication. In addition, the Timbuktu server can be the target of denial-of-service
attacks. WatchGuard recommends using VPN options for more security.
Characteristics
• Protocols: TCP, UDP
• Port Number(s): UDP 407, TCP 1417
Time
The Time policy is almost the same as NTP. It is used to synchronize clocks between hosts on a network.
Time is usually less accurate and less efficient than NTP across a WAN. WatchGuard recommends using
NTP.
Characteristics
• Protocols: TCP, UDP
• Port Number(s): TCP 37, UDP 37
traceroute
traceroute is a software application that creates maps of networks. It is used for network troubleshooting,
network route troubleshooting, and finding the Internet service provider of a site. The WatchGuard traceroute policy controls UNIX-based UDP-style traceroute only. For a DOS-based or Windows-based traceroute packet filter, use the ping policy (see “ping” on page 42).
traceroute uses ICMP and UDP packets to discover paths across networks. It uses the IP time-to-live (TTL) field of its UDP probes to get
a response from each router and computer between a source and a destination. Allowing traceroute
incoming to a network can enable a hacker to create a map of your private network, but outgoing traceroute is useful for troubleshooting.
Characteristics
• Protocols: UDP
• Port Number(s): 33401-65535
UUCP
Unix-to-Unix Copy (UUCP) is a Unix tool and protocol that enables one computer to send files to another
computer. This tool is not used frequently, as users more frequently use FTP, SMTP, and NNTP to transfer
files.
Characteristics
• Protocols: TCP
• Port Number(s): 540
WAIS
Wide Area Information Services (WAIS) is a protocol for finding documents on the Internet. Thinking
Machines Incorporated first developed WAIS. Some web sites use WAIS to look for searchable indices, but
it is not used frequently.
WAIS is built on the ANSI Z39.50 search protocol, and the terms Z39.50 and WAIS refer to the same
technology.
Characteristics
• Protocol: TCP
• Port Number(s): 210, but servers can be (and frequently are) configured on other ports, much like
HTTP servers
WinFrame
Citrix ICA is a protocol used by Citrix for its software applications, including the WinFrame product. WinFrame gives access to Windows from different types of clients. Citrix uses TCP port 1494 for its ICA protocol. Citrix MPS 3.0 uses Session Reliability by default, which changes the ICA protocol to use TCP 2598. If
you use Citrix MPS, you must add a policy for TCP port 2598.
Adding a WinFrame policy could put your network security at risk because it allows traffic through the
firewall without authentication. In addition, your Winframe server can receive denial-of-service attacks.
WatchGuard recommends using VPN options to give more security for ICA connections. You can use all of
the usual log options with WinFrame.
Characteristics
• Protocol: TCP
• Port Number(s): 1494
For more information on adding the Citrix WinFrame policy, refer to the Advanced FAQs in the Knowledge Base. Go to www.watchguard.com/support and log in to the LiveSecurity Service.
WG-Auth
The WatchGuard Authentication policy allows users to authenticate to the Firebox.
Characteristics
• Protocol: TCP
• Port Number(s): 4100
WG-Firebox-Mgmt
The WatchGuard Firebox Management policy allows configuration and monitoring connections to be
made to the Firebox. WatchGuard recommends allowing this policy only to the Management Station. The
policy is usually set up on the trusted interface.
Characteristics
• Protocol: TCP
• Port Number(s): 4103, 4105, 4117, 4118
WG-Logging
The WatchGuard Logging policy is necessary only if a second Firebox must get access to a log host on the
trusted interface of a Firebox. If there is only one Firebox, this policy is not necessary.
Characteristics
• Protocol: TCP
• Port Number(s): 4107, 4115
WG-Mgmt-Server
When you use the WatchGuard Management Server Setup wizard to configure a Management Server, the
wizard automatically adds this policy to the gateway Firebox. It controls incoming connections to the
Management Server.
Characteristics
• Protocol: TCP
• Port Number(s): 4110, 4112, 4113
WG-SmallOffice-Mgmt
The WatchGuard Small Office Management policy allows you to make a secure connection to SOHO and
Edge Fireboxes from the WatchGuard Firebox System.
Characteristics
• Protocol: TCP
• Port Number(s): TCP 4109
WG-WebBlocker
The WatchGuard WebBlocker policy allows connections to the WebBlocker server.
Characteristics
• Protocol: TCP, UDP
• Port Number(s): TCP 5003, UDP 5003
whois
The whois protocol gives information about the administrator of web sites and networks. It is frequently
used to find the administrator of a different web site.
To filter whois traffic, add a whois policy allowing connections to the whois server (such as rs.internic.net).
Characteristics
• Protocol: TCP
• Port Number(s): 43
X11
The X Windows System Protocol has components that are used to create graphic desktops, including windows, colors, displays, and screens. X11 also supplies a flow of events showing the interaction between a
user and a computer input device (such as a mouse, keyboard, and so on).
Characteristics
• Protocol: TCP
• Port Number(s): 6000-6063
Yahoo Messenger
The Yahoo Messenger Protocol is a tool for instant messaging.
Characteristics
• Protocol: TCP
• Port Number(s): 5050, 80
Proxied Policies
This section reviews the proxied policies supplied by the WatchGuard® Firebox® System. A proxy policy
opens packets, strips forbidden data types out of the packet content, and reassembles the packets
using the source and destination headers of the proxy.
You configure and activate proxies the same way you add packet filter policies.
DNS
Domain Name Service (DNS) matches host names to IP addresses. The DNS proxy policy examines the
contents of DNS packets to help protect your DNS servers from hackers. It puts limits on the type of operations allowed in a DNS query and can look for specified patterns in query names.
Characteristics
• Protocol: TCP and UDP
• Port Number(s): TCP 53 and UDP 53
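As an added illustration of the kind of checks the DNS proxy described above performs (this is not WatchGuard's proxy code), the following parses the header and the single question of a DNS query, denies malformed packets, limits the opcode and query type, and matches the query name against a denied pattern. The allow lists, the `.blocked.test` pattern, and the `build_query` helper that constructs sample queries are all made up for this example.

```python
"""Minimal DNS query inspection in the spirit of the DNS proxy described above.
Added example, not WatchGuard's code. Allow lists and the denied-name pattern
are constructed for illustration."""
import re
import struct

# RFC 1035 opcode and query type numbers (only the ones named here).
OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 252: "AXFR", 255: "ANY"}

# Constructed policy: standard queries for ordinary record types only (no zone
# transfers, dynamic updates or ANY), plus one hypothetical denied domain.
ALLOWED_OPCODES = frozenset({0})
ALLOWED_QTYPES = frozenset({1, 2, 5, 6, 12, 15, 16, 28})
DENIED_NAME_PATTERNS = (r"\.blocked\.test$",)


def parse_query(pkt: bytes) -> dict:
    """Parse the header and the one question of a DNS query.

    Raises ValueError for anything that is not a well-formed single-question
    query, so the caller denies malformed packets instead of forwarding them."""
    if len(pkt) < 12:
        raise ValueError("header shorter than 12 bytes")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags >> 15:                       # QR bit set: this is a response, not a query
        raise ValueError("QR bit set in a query")
    if qdcount != 1:
        raise ValueError(f"expected 1 question, got {qdcount}")
    labels, off = [], 12
    while True:
        if off >= len(pkt):
            raise ValueError("truncated question name")
        length = pkt[off]
        off += 1
        if length == 0:                   # root label ends the name
            break
        if length & 0xC0:                 # compression pointer or label over 63 bytes
            raise ValueError("compression pointer or oversized label in question name")
        label = pkt[off:off + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii"))   # non-ASCII raises a ValueError subclass
        off += length
    if off + 4 > len(pkt):
        raise ValueError("truncated question type/class")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "opcode": (flags >> 11) & 0xF,
            "qname": ".".join(labels).lower(), "qtype": qtype, "qclass": qclass}


def check_query(pkt: bytes, allowed_opcodes=ALLOWED_OPCODES,
                allowed_qtypes=ALLOWED_QTYPES,
                denied_name_patterns=DENIED_NAME_PATTERNS):
    """Return ("allow" | "deny", reason) for one query packet."""
    try:
        q = parse_query(pkt)
    except ValueError as exc:
        return "deny", f"malformed query: {exc}"
    if q["opcode"] not in allowed_opcodes:
        return "deny", f"opcode {OPCODE_NAMES.get(q['opcode'], q['opcode'])} not allowed"
    qtype_name = QTYPE_NAMES.get(q["qtype"], q["qtype"])
    if q["qtype"] not in allowed_qtypes:
        return "deny", f"query type {qtype_name} not allowed"
    for pattern in denied_name_patterns:
        if re.search(pattern, q["qname"]):
            return "deny", f"name {q['qname']} matches denied pattern {pattern}"
    return "allow", f"{qtype_name} query for {q['qname']}"


def build_query(name: str, qtype: int, opcode: int = 0, txid: int = 0x1234) -> bytes:
    """Construct a sample query packet (test input for this example)."""
    flags = (opcode << 11) | 0x0100       # QR=0, RD=1
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    for pkt in (build_query("www.example.com", 1),          # ordinary lookup
                build_query("example.com", 252),            # zone transfer request
                build_query("host.example.com", 1, opcode=5),  # dynamic update
                build_query("x.blocked.test", 1),           # denied name pattern
                build_query("www.example.com", 1)[:20]):    # truncated packet
        print(check_query(pkt))
```

The parser is deliberately strict: a question section that uses compression pointers, an oversized label, or a packet cut short is treated as malformed and denied, because a proxy that tolerates such input hands the ambiguity to the server it is meant to protect.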
FTP
FTP is File Transfer Protocol. FTP is used to move files across the Internet.
Characteristics
• Protocol: TCP
• Port Number(s): 21 (command channel), 20 (data channel)
HTTP
HTTP is the Hypertext Transfer Protocol used by the World Wide Web to move information around the
Internet.
Note
The WatchGuard policy “HTTP Proxy” is not the same as an HTTP caching proxy. An HTTP caching proxy
controls the caching of Web data. If you use an external caching proxy, you must enable (by adding
policies) any outgoing policies that are necessary for your organization. If you do not, outgoing TCP
connections do not operate correctly.
Characteristics
• Protocol: TCP
• Port Number(s): 80 (but servers can operate on any port, a common alternative is 8080, and Secure
Socket Layer (SSL) connections are usually served on port 443)
SMTP
Simple Mail Transfer Protocol (SMTP) is the Internet standard protocol for transmitting and receiving e-mail. Usually SMTP servers are public servers.
You must add an auth policy to Policy Manager when using incoming static NAT with SMTP (see “auth”
on page 32). Configure auth to allow incoming auth to the Firebox. This enables outgoing mail messages
to flow freely from behind the Firebox to the many SMTP servers on the Internet that use auth, and it allows
those servers to send messages back through the Firebox to the senders.
Logging incoming SMTP is recommended, but it can produce a large quantity of log messages. To have
SMTP operate correctly without the SMTP proxy, create a new policy in Policy Manager using the TCP protocol
and port 25.
Characteristics
• Protocol: TCP
• Port Number(s): 25
TCP Proxy
The TCP Proxy policy gives configuration options for HTTP on port 80 and, by default, adds a rule allowing TCP connections from networks behind the Firebox to networks external to the Firebox. The TCP Proxy
rule makes sure that all HTTP traffic from behind the Firebox on all ports is proxied with the HTTP proxy
rules.
WatchGuard recommends that you allow incoming HTTP only to public HTTP servers kept behind the Firebox.
External hosts can be spoofed; WatchGuard cannot make sure that these packets were sent from the correct location.
Configure WatchGuard to add the source IP address to the Blocked Sites List when an HTTP connection
to a host behind your Firebox is denied. Configure the parameters and MIME types the same way as for
the HTTP Proxy.
Index
Symbols
.cfg file. See configuration file
Numerics
1-1 Mapping dialog box 105
1-to-1 NAT. See NAT, 1-to-1
3DES 143
A
active connections on Firebox, viewing 28
Add Address dialog box 73, 105, 176
Add Route dialog box 63
Add Static NAT dialog box 73, 106
Advanced dialog box 59
AH
described 142
aliases
described 34
ANSI Z39.50 228
Any 213
Any service 213
and RUVPN 174
AOL service 213
Archie service 214
ARP cache, flushing 18
attacks, spoofing. See spoofing attacks.
AUTH 214
auth (ident) service 214
Authentication 228
authentication
and ssh 225
defining groups for 108
described 34, 107, 143
for VPNs, viewing 15
from external interface 108
from outside Firebox 107
selecting method for 143
authentication servers
described 143
RADIUS 110
SecurID on RADIUS server 112
types 108
types supported 175
B
Bandwidth Meter tab 21
bandwidth usage, viewing 21
blocked ports
avoiding problems with legitimate users 125
default 124
permanent 125
reasons for 124
Blocked Ports list 125
blocked services
rcp 125
rlogin 125
RPC portmapper 125
rsh 125
X Font server 124
X Window 124
blocked sites
auto-blocked 121
blocking with service settings 124
described 121
dynamic 124
exceptions to 122
permanent 121, 122
storing in external file 122
temporary 124
Blocked Sites list
exceptions to 122
viewing 26
BOVPN
and certificate-based authentication 148
creating tunnel policies 160
described 148
BOVPN with a Management Server
creating tunnels 168
BOVPN with Manual IPSec
adding gateways 153
configuring a gateway 153
configuring a tunnel with manual security 156
described 148, 153
encryption levels 149, 153
Phase 1 settings 155
specifying authentication method 155
specifying encryption 155
using certificates 155
BOVPN with VPN Manager
adding devices to 164
adding policy templates 166
adding security templates 167
creating tunnels 168
defining Firebox as DVCP client 165
described 149
editing tunnels 168
removing devices and tunnels 169
scenario 150
branch office VPN. See BOVPN
C
certificate authority
described 143
certificates
described 143
viewing CA fingerprint 15
viewing expiration date and time of 14
viewing status of 14
Citrix ICA 214, 228
Clarent-command service 215
Clarent-gateway service 214
configuration file
and Policy Manager 47
opening 47
saving 49
saving to Firebox 49
saving to local drive 50
configuring High Availability 210
Connect to Firebox dialog box 9
CU-SeeMe service 215
D
default gateways
viewing IP address of 14
default packet handling
blocking address space probes 120
blocking port space probes 120
blocking spoofing attacks 120
Details button 67
Device Policy dialog box 166, 167
devices
adding to VPN Manager 164
dynamic 164
removing from VPN Manager 169
DHCP 57
DHCP server
default lease time for 58
described 57
not using Firebox as 57
setting up Firebox as 57
DHCP support on external interface 58
DHCP-Server service 215
dialog boxes
1-1 Mapping 105
Add Address 73, 105, 176
Advanced 59
Connect to Firebox 9
Device Policy 166
Firebox Name 51
Network Configuration 56, 60
New Service 68
Resource 167
Security Policy 168
Security Template 167, 168
service Properties 67, 124
Services 67, 68
Setup Firebox User 110, 173
Setup Routes 62
Tunnel Properties 169
WebBlocker Utility 201
Diffie-Hellman
described 144
groups 144, 155
DNS Proxy service 230
DNS server addresses 61
DNS servers, configuring 172
DNS service 216
DVCP
and VPN Manager 149
DVCP clients
defining Fireboxes as 165
dynamic NAT. See NAT, dynamic
dynamically blocked sites 124
E
EDGE
creating tunnels for dynamic 168
encryption
activating strong 171
and RUVPN with PPTP 171
levels of 142
encryption for VPNs, viewing 15
Entrust 216
Entrust service 216
ESP
described 142
extended authentication
defining groups for 175
described 143
external interface
dynamic addressing on 58
F
finger service 216
Firebox interfaces
viewing IP addresses of 14
Firebox Name dialog box 51
Firebox passphrases. See passphrases
Firebox System Manager
front panel 14
starting 9
Fireboxes
as CAs 143
configuring for RUVPN with PPTP 171
connecting to 9
defining as a DHCP server 57
defining as DVCP clients 165
designating log hosts 36
friendly names in log files, reports 51
opening configuration file 47
resetting pass phrase 50
saving configuration file to 49
setting time zone for 51
viewing active connections on 28
viewing bandwidth usage 21
viewing everyone authenticated to 25
FTP packet filter service 216
FTP Proxy service 230
FTP servers, and archie service 214
fully meshed topology 145
G
gateways
adding 153
configuring 153
described 153
gopher service 216
GRE service 217
groups
assigning users to 110
for authentication 108
H
HBCI service 217
High Availability 14
configuring 210
Historical Reports
time zone 51
host routes, configuring 63
hosts
viewing in HostWatch 29
HostWatch
choosing colors for display 30
described 28
display 28
modifying view properties 30
setting display properties 29
starting 28
viewing authenticated users 29
viewing hosts 29
viewing ports 29
HTTP caching proxy 230
HTTP packet filter service 217
HTTP Proxy service 230
HTTP service 230
HTTPS service 217
hub-and-spoke configuration 146
I
IDENT 214
ident (auth) service 217
IGMP service 218
IKE
and Diffie-Hellman group 155
and Phase 1 settings 155
described 144
phase 1,2 144
IKE service 218
IMAP service 218
Intel video phone service 219
Internet
accessing through PPTP tunnel 178
Internet Key Exchange. See IKE
Internet Security Association and Key Management Protocol. See ISAKMP
IP addresses
default gateways 14
entering for RUVPN with PPTP 175
netmask 14
WINS/DNS servers 62
IP alias 60
IPSec
benefits of 142
described 142
IPSec service 218
IRC service 218
ISAKMP
and Diffie-Hellman groups 155
described 144, 156
K
Kerberos v 4 service 219
Kerberos v 5 service 219
L
L2TP service 219
Large Icons button 66
launch interval, setting 72, 83, 123
LDAP service 219
LDAP-SSL service 219
log files
setting Firebox names used in 51
log hosts
adding 37
designating for Firebox 36
log messages
copying deny messages 17
issuing ping or traceroute on deny messages 17
Logging 229
logging
enabling Syslog 38
for blocked ports 123, 124, 126
logging and notification
defining for services 82
designating log hosts 36
LogViewer
time zone 51
Lotus Notes service 220
M
MAC address of interfaces, viewing 14
mail servers
and NAT 73, 106
main menu button 18
Management Server 229
Managing SOHOs and Edges 229
manual security, configuring tunnels with 156
MD5-HMAC 143
Media Server 220
meshed topology 145
Microsoft SysKey Utility 163
Mobile User VPN. See MUVPN
monitoring
active connections on Firebox 28
probes 19
MS Win Media 220
MSDUN, and RUVPN 176
MSSQL-Monitor service 220
MSSQL-Server service 220
MUVPN
and WINS/DNS server addresses 61
authentication for 148
described 148
encryption levels for 148
making outbound connections behind Firebox 40
scenario 150
with extended authentication 151
N
NAT
1-to-1
described 101, 103
using 103
and mail servers 73, 106
and tunnel switching 147
and VPNs 144
dynamic
described 101, 102
static
configuring a service for 73, 101
types of 101
NAT Setup dialog box 102
netmask, viewing address of 14
NetMeeting service 220
network address translation. See NAT
Network Configuration dialog box 56, 60
Network Connection wizard 177, 178
Network File System 124
Network File System (NFS) service 220
network routes. See routes
network topology
described 145
fully meshed 145
hub-and-spoke 146
partially meshed 145
New Service dialog box 68
NNTP service 221
notification
bringing up popup window as 72, 83, 123
for blocked ports 123, 126
setting launch interval 72, 83, 123
setting repeat count 72, 83, 123
NTP service 221
O
OSPF service 221
P
packet filter 65
packet handling, default. See default packet handling
packets
viewing number sent and received 14
partially meshed networks 145
passphrases
management server passphrase
described 162
resetting for Firebox 50
tips for creating 50
password authentication 143
passwords
and security of VPN endpoints 143
described 143
location 162
master password
described 162
uses of 162
pcAnywhere service 221
permanently blocked sites 122
Phase 1
described 144
settings 155
Phase 2
described 144
ping command for source of deny messages 18
ping service 221
Policy Manager
as view of configuration file 47
described 47
displaying detailed view 67
displaying Large Icons view 66
opening a configuration file 47
services displayed in 66
using to create configuration file 55
policy templates
adding 166
adding resources to 167
POP2 service 222
POP3 service 222
popup window, as notification 72, 83, 123
ports
0 125
1 125
1000-1999 125
111 125
513 125
514 125
additional. See three-port upgrade
speed and duplex settings 63
viewing in HostWatch 29
PPPoE support on external interface 58, 59
PPTP 142
PPTP service 222
PPTP. See also RUVPN with PPTP
probes
defining 19
processor load indicator 14
proxy
definition 65
proxy services 230
R
RADIUS Accounting 222
RADIUS server authentication 110
rcp service 125
RealPlayer G2 service 223
Remote User VPN. See RUVPN with PPTP
repeat count, setting 72, 83, 123
reports
setting Firebox names used in 51
Resource dialog box 167
RIP service 223
Rlogin service 223
rlogin service 125
routes
configuring 62
described 62
host 63
network 62
RPC portmapper 125
rsh service 125, 223
RUVPN with PPTP
accessing the Internet with 178
activating 175
and MSDUN 176
and the Any service 174
and WINS/DNS server addresses 61
configuration checklist 171
configuring services to allow 174
configuring shared servers for 172
described 148, 171
encryption levels 171
entering IP addresses for 175
IP addressing 171
preparing client computers for 176
preparing Windows 2000 remote host 177
preparing Windows XP remote host 177
running 178
S
Save dialog box 50
secondary networks
adding 60
secure shell (ssh) service 225
SecurID authentication 112
SecurID service 224
security policy
opening configuration file 47
Security Policy dialog box 168
Security Template dialog box 167, 168
security templates, adding 167
security traffic display
selecting center interface 13
switch between 3 port and 6 port 13
viewing Firebox status using 13
Select Probe window 19
service Properties dialog box 67, 124
service properties, using to block sites 124
services
adding 67
adding several of same type 69
Any 213
AOL 213
Archie 214
archie 214
auth (ident) 214
Citrix ICA 214
Clarent-command 215
Clarent-gateway 214
configuring for incoming static NAT 73, 101
configuring to allow RUVPN traffic 174
creating new 68
CU-SeeMe 215
customizing logging and notification 82
deleting 69
DHCP-Server 215
displayed in Policy Manager 66
DNS 216
DNS Proxy 230
Entrust 216
finger 216
FTP packet filter 216
FTP Proxy 230
gopher 216
GRE 217
HBCI 217
HTTP 230
HTTP packet filter 217
HTTP Proxy 230
HTTPS 217
icons for 66
ident (auth) 217
IGMP 218
IKE 218
IMAP 218
Intel video phone 219
IPSec 218
IRC 218
Kerberos v 4 219
Kerberos v 5 219
L2TP 219
LDAP 219
LDAP-SSL 219
Lotus Notes 220
MSSQL-Monitor 220
MSSQL-Server 220
NetMeeting 220
Network File System (NFS) 220
NNTP 221
NTP 221
OSPF 221
PCAnywhere 214, 215
pcAnywhere 221
ping 221
POP2 222
POP3 222
PPTP 222
proxied 230
rcp 125
RealPlayer G2 223
RIP 223
Rlogin 223
rlogin 125
RPC portmapper 125
rsh 125, 223
SecurID 224
SMB 224
SMTP 231
SMTP packet filter 224
SMTP Proxy 231
SNMP 224
SNMP-Trap 224
SQL*Net 225
SQL-Server 225
ssh 225
Sun RPC 225
syslog 225
TACACS 226
TACACS+ 226
TCP Proxy 231
TCP-UDP 226
telnet 227
Timbuktu 227
Time 227
traceroute 227
types 213
UDP 226
UUCP 227
viewing number of connections by 22
WAIS 228
well-known 213
WG-Auth 228
WG-Logging 229
WG-Mgmt-Server 229
WG-SmallOffice-Mgmt 229
WG-WebBlocker 229
whois 229
WinFrame 228
X Font service 124
X Window 124
X11 229
Yahoo Messenger 230
Services Arena
described 66
Services dialog box 67, 68
Setup Firebox User dialog box 110, 173
Setup Routes dialog box 62, 63
SHA-HMAC 143
shared secrets 143
Simple Mail Transfer Protocol 231
Simple Network Management Protocol (SNMP) 224
sites, blocked. See blocked sites.
SMB service 224
SMTP packet filter service 224
SMTP Proxy service 231
SMTP service
described 231
with static incoming NAT 217
SNMP service 224
SNMP-Trap service 224
SOHO
creating tunnels for dynamic 168
split tunneling
with PPTP, enabling 178
spoofing attacks
described 120
SQL*Net service 225
SQL-Server service 225
ssh service 225
Star Mode 13
static NAT 218
Steel Belted RADIUS 112
Sun Remote Procedure Call service 225
Sun RPC service 225
Syslog color 17
Syslog logging
enabling 38
syslog service 225
System Manager
authentication list 25
Blocked Sites list 26
monitoring tunnels in 15
ServiceWatch tab 22
viewing bandwidth usage 21
T
TACACS service 226
TACACS+ service 226
TCP connections 226
TCP Proxy service 231
TCPmux service 125
TCP-UDP service 226
telnet 227
telnet service 227
the Any policy 213
Thinking Machines Incorporated 228
third-party authentication server. See authentication or name of third-party server
Timbuktu service 227
Time service 227
time zone for Firebox, setting 51
traceroute command for source of deny messages 18
traceroute service 227
traffic
viewing using security traffic display 13
traffic log messages
copying 17
issuing ping or traceroute command for 17
Traffic Monitor
copying messages in 17
issuing ping and traceroute command in 17
limiting messages 16
traffic volume indicator 14
Triangle Mode 13
TripleDES 143
tunnel policies
creating 160
described 160
Tunnel Properties dialog box 169
tunnel switching 147
tunneling protocols 142
tunnels
and gateways 153
configuring with manual security 156
creating with Add VPN Wizard 168
creating with VPN Manager 161, 168
drag-and-drop creation 168
editing 168
monitoring 15
removing from VPN Manager 169
viewing status of 14
types of services 213
U
UDP service 226
Unix-to-Unix Copy service 227
users, viewing in HostWatch 29
UUCP service 227
V
VPN Manager
adding devices 164
and authentication via certificates 149
and DVCP 149
described 149, 161
VPNs
access control for 144
and 1-to-1 NAT 103
and NAT 144
authentication methods for 143
design considerations 143, 145, 146
network topology 145
scenarios 149
VPNs, and Any service 213
W
WAIS service 228
WatchGuard Management Server
functions 161
replacing DVCP server 161
setup wizard 163
WatchGuard PPTP policy icon 175
Web sites, filtering 4, 201
WebBlocker 229
creating exceptions for 206
described 4, 201
prerequisites 201
scheduling hours 207
time zone 51
WebBlocker utility 201
WebBlocker Utility dialog box 201
well-known services 213
WG-Auth service 228
WG-Logging service 229
WG-Mgmt-Server service 229
WG-SmallOffice-Mgmt service 229
WG-WebBlocker service 229
whois service 229
Wide Area Information Services (WAIS) 228
Windows 2000
preparing for RUVPN with PPTP 177
Windows networking 224
Windows XP
preparing for RUVPN with PPTP 177
Winframe 214
Winframe service 228
WINS server addresses 61
WINS servers, configuring 172
X
X Font server 124
X Window 124
X11 service 229
Y
Yahoo Messenger service 230