Firebox III

Hardware Guide

Firebox 500, Firebox 700, Firebox 1000, Firebox 2500,

Firebox 4500

Copyright and Patent Information

Copyright© 1998 - 2003 WatchGuard Technologies, Inc. All rights reserved.

AppLock, AppLock/Web, Designing peace of mind, Firebox, Firebox 1000,

Firebox 2500, Firebox 4500, Firebox II, Firebox II Plus, Firebox II

FastVPN, Firebox III, Firebox SOHO, Firebox SOHO 6, Firebox SOHO 6tc,

Firebox SOHO|tc, Firebox V100, Firebox V80, Firebox V60, Firebox V10,

LiveSecurity, LockSolid, RapidStream, RapidCore, ServerLock,

WatchGuard, WatchGuard Technologies, Inc., DVCP technology, Enforcer/

MUVPN, FireChip, HackAdmin, HostWatch, Make Security Your Strength,

RapidCare, SchoolMate, ServiceWatch, Smart Security. Simply Done.,

Vcontroller, VPNforce, The W-G logo are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other courtries.

Printed in the United States of America.

Part No: 1200188

Notice to Users

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

ii

Limited Hardware Warranty

This Limited Hardware Warranty (the “Warranty”) applies to the enclosed

WatchGuard hardware product (the “Product”). BY USING THE

PRODUCT, YOU AGREE TO THE TERMS HEREOF. If you do not agree to these terms, please return this package, along with proof of purchase, to the authorized dealer from which you purchased it for a full refund. WatchGuard

Technologies, Inc. (”WatchGuard”) and you agree as follows:

1. Limited Warranty. WatchGuard warrants that upon delivery and for one

(1) year thereafter (the “Warranty Period”): (a) the Product will be free from material defects in materials and workmanship, and (b) the Product, when properly installed and used for its intended purpose and in its intended operating environment, will perform substantially in accordance with

WatchGuard applicable specifications.

This warranty does not apply to any Product that has been: (i) altered, repaired or modified by any party other than WatchGuard; or (ii) damaged

Hardware Guide

Limited Hardware Warranty or destroyed by accidents, power spikes or similar events or by any intentional, reckless or negligent acts or omissions of any party. You may have additional warranties with respect to the Product from the manufacturers of Product components. However, you agree not to look to

WatchGuard for, and hereby release WatchGuard from any liability for, performance of, enforcement of, or damages or other relief on account of, any such warranties or any breach thereof.

2. Remedies. If any Product does not comply with the WatchGuard warranties set forth in Section 1 above, WatchGuard will, at its option, either (a) repair the Product, or (b) replace the Product; provided, that you will be responsible for returning the Product to the place of purchase and for all costs of shipping and handling. Repair or replacement of the Product shall not extend the Warranty Period. Any Product, component, part or other item replaced by WatchGuard becomes the property of WatchGuard .

WatchGuard shall not be responsible for return of or damage to any software, firmware, information or data contained in, stored on, or integrated with any returned Products.

3. Disclaimer and Release. THE WARRANTIES, OBLIGATIONS AND

LIABILITIES OF WATCHGUARD, AND YOUR REMEDIES, SET FORTH

IN PARAGRAPHS 1 AND 2 ABOVE ARE EXCLUSIVE AND IN

SUBSTITUTION FOR, AND YOU HEREBY WAIVE, DISCLAIM AND

RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND

LIABILITIES OF WATCHGUARD AND ALL OTHER RIGHTS, CLAIMS

AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD,

EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH

RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE PRODUCT

(INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF

MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE,

ANY IMPLIED WARRANTY ARISING FROM COURSE OF

PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, ANY

WARRANTY OF NONINFRINGEMENT, ANY WARRANTY OF

UNINTERRUPTED OR ERROR-FREE OPERATION, ANY OBLIGATION,

LIABILITY, RIGHT, CLAIM OR REMEDY IN TORT, WHETHER OR NOT

ARISING FROM THE NEGLIGENCE (WHETHER ACTIVE, PASSIVE OR

IMPUTED) OR FAULT OF WATCHGUARD OR FROM PRODUCT

LIABILITY, STRICT LIABILITY OR OTHER THEORY, AND ANY

OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY FOR LOSS OR

DAMAGE TO, OR CAUSED BY OR CONTRIBUTED TO BY,THE

PRODUCT).

4. Limitation of Liability. WATCHGUARD TECHNOLOGIES’ LIABILITY

(WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT

(INCLUDING ACTIVE, PASSIVE OR IMPUTED NEGLIGENCE AND

STRICT LIABILITY AND FAULT) OR OTHER THEORY) WITH REGARD

TO ANY PRODUCT WILL IN NO EVENT EXCEED THE PURCHASE

PRICE PAID BY YOU FOR SUCH PRODUCT. THIS SHALL BE TRUE

EVEN IN THE EVENT OF THE FAILURE OF ANY AGREED REMEDY. iii

iv

IN NO EVENT WILL WATCHGUARD TECHNOLOGIES BE LIABLE TO

YOU OR ANY THIRD PARTY (WHETHER ARISING IN CONTRACT

(INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE OR

IMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT) OR

OTHER THEORY) FOR COST OF COVER OR FOR ANY INDIRECT,

SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES

(INCLUDING WITHOUT LIMITATION LOSS OF PROFITS, BUSINESS,

OR DATA) ARISING OUT OF OR IN CONNECTION WITH THIS

WARRANTY OR THE USE OF OR INABILITY TO USE THE PRODUCT,

EVEN IF WATCHGUARD TECHNOLOGIES HAS BEEN ADVISED OF

THE POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE TRUE EVEN

IN THE EVENT OF THE FAILURE OF ANY AGREED REMEDY.

5. Miscellaneous Provisions. This Warranty will be governed by the laws of the state of Washington, U.S.A., without reference to its choice of law rules.

The provisions of the 1980 United Nations Convention on Contracts for the

International Sales of Goods, as amended, shall not apply. You agree not to directly or indirectly transfer the Product or associated documentation to any country to which such transfer would be prohibited by the U.S. Export laws and regulations. If any provision of this Warranty is found to be invalid or unenforceable, then the remainder shall have full force and effect and the invalid provision shall be modified or partially enforced to the maximum extent permitted by law to effectuate the purpose of this Warranty. This is the entire agreement between WatchGuard and you relating to the Product, and supersedes any prior purchase order, communications, advertising or representations concerning the Product AND BY USING THE PRODUCT

YOU AGREE TO THESE TERMS. No change or modification of this

Agreement will be valid unless it is in writing, and is signed by WatchGuard.

FCC Certification

FCC Certification

This device has been tested and found to comply with limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. Operation is subject to the following two conditions:

Hardware Guide v

• This device may not cause harmful interference.

• This device must accept any interference received, including interference that may cause undesired operation.

CE Notice

The CE symbol on your WatchGuard Technologies equipment indicates that it is in compliance with the

Electromagnetic Compatibility (EMC) directive and the Low Voltage Directive (LVD) of the European

Union (EU).

Industry Canada

This Class A digital apparatus meets all requirements of the Canadian Interference-Causing Equipment

Regulations.

Cet appareil numerique de la classe A respecte toutes les exigences du Reglement sur le materiel broulleur du Canada.

vi

Taiwanese Notice

Taiwanese Notice

VCCI Notice Class A ITE

Hardware Guide vii

viii

Contents

Limited Hardware Warranty

FCC Certification

............................................... ii

............................................................. v

CE Notice

....................................................................... vi

Industry Canada

.............................................................. vi

Taiwanese Notice

........................................................... vii

VCCI Notice Class A ITE

................................................. vii

Hardware Requirements

...................................................1

Hardware Description

.......................................................2

Firebox III front view (all models except Model 500 and 700) .3

Firebox III front view (Model 500 and 700) ..........................5

Firebox III rear view (all models except Model 500 and 700) ...6

Firebox III rear view (Model 500 and 700) ...........................8

Physical specifications (All models except

Model 500 and 700) ...............................................9

Physical specifications (Model 500 and 700)

Cross-over cabling

........................9

.......................................................10

Hardware Guide ix

x

Hardware Guide

The WatchGuard Firebox III is a specially designed and optimized security appliance. Solid-state architecture removes the risk of hard-drive failure and disk crashes. Three independent network interfaces allow you to separate your protected office network from the Internet while providing you an optional public interface for hosting Web, email, or FTP servers. Each network interface is independently monitored and visually displayed on the front of the Firebox.

Easily installed into your network, the rack-mountable

Firebox plugs in at the Internet connection of your offices to implement security policies and protection.

For information on installing the Firebox, see the Firebox QuickStart Poster or the “Getting Started” chapter in the WatchGuard Firebox System User Guide .

Hardware Requirements

WatchGuard recommends physically installing a Firebox III under the following conditions:

Hardware Guide 1

• Securely rack-mounted

• Placed in a dry, temperature-controlled environment from —10 to +70 degrees Celsius (14 to +158 degrees

Fahrenheit).

• Placed in a secured environment, such as a locked LAN room, or similar space, to prevent physical compromise by unprivileged personnel

• Connected to conditioned power to prevent damage caused by power spikes and other power fluctuations

The following minimum hardware requirements pertain to the management station–the computer that administers the Firebox. This computer runs the Firebox System Manager software, which provides access to WatchGuard Firebox System applications.

Hardware feature Minimum requirements (management station)

CPU

Memory

Hard disk space

CD-ROM drive

Pentium II

Same as for operating system.

Recommended:

64 MB for Windows NT 4.0

64 MB for Windows 2000 Professional

256 MB for Windows 2000 Server

25 MB to install all WatchGuard modules

15 MB minimum for log file

Additional space as required for log files

Additional space as required for multiple configuration files

One CD-ROM drive to install WatchGuard from its

CD-ROM distribution disk

Hardware Description

The Firebox III has indicator lights on the front and connections on the back.

2

Hardware Description

Firebox III front view (all models except

Model 500 and 700)

Indicators for the Firebox III Model 1000, Model 2500, and

Model 4500 are on a central back-lit indicator panel. The following photograph shows the entire front view.

The photograph below shows a close-up of the indicator panel. From the left, the indicators are as described on the next page.

Hardware Guide

Disarm

Red light indicates the Firebox detected an error, shut down its interfaces, and will not forward any packets. Reboot the Firebox.

3

4

Armed

Green light indicates the Firebox has been booted and is running.

Sys A

Indicates that the Firebox is running from its primary user-defined configuration.

Sys B

Indicates that the Firebox is running from the readonly factory default system area.

Power

Indicates that the Firebox is currently powered up.

Security Triangle Display

Indicates traffic between Firebox interfaces. Green arrows briefly light to indicate allowed traffic between two interfaces in the direction of the arrows. A red light at a triangle corner indicates that the Firebox is denying packets at that interface.

Traffic

A stack of lights that functions as a meter to indicate levels of traffic volume through the

Firebox. Low volume indicators are green, while high volume indicators are yellow. The display updates three times per second. The scale is exponential: the first light represents 64 packets/ second, the second light represents 128 packets/ second, increasing to the eighth light which represents 8,192 packets/second.

Load

A stack of lights that functions as a meter to indicate the system load average. The system load average is the average number of processes running (not including those in wait states) during the last minute. Low average indicators are green, while high average indicators are yellow. The display updates three times per second. The scale is exponential with each successive light representing a doubling of the load average. The first light

Hardware Description represents a load average of 0.15. The most significant load factor on a Firebox is the number of proxies running.

Firebox III front view (Model 500 and 700)

Firebox III Model 500 and 700 indicators are on a central back-lit indicator panel. The following photograph shows the entire front view.

The following photograph shows a close-up of the indicator panel. From the left, the indicators are as described below.

Hardware Guide 5

6

Disarm

Red light indicates the Firebox detected an error, shut down its interfaces, and will not forward any packets.

Armed

Green light indicates the Firebox has been booted and is running.

Sys A

Indicates that the Firebox is running from its primary user-defined configuration.

Sys B

Indicates that the Firebox is running from the readonly factory default system area.

Power

Indicates that the Firebox is currently powered up.

Security Triangle Display

Indicates traffic between Firebox interfaces. Green arrows briefly light to indicate allowed traffic between two interfaces in the direction of the arrows. A red light at a triangle corner indicates that the Firebox is denying packets at that interface.

Firebox III rear view (all models except

Model 500 and 700)

The rear view of the Firebox III Model 1000, Model 2500, and Model 4500 contains ports and jacks for connectivity as well as a power switch. From the left, rear panel features are as described on the next page:

Hardware Description

Hardware Guide

AC Receptacle

Accepts the detachable AC power cord supplied with the Firebox.

Power Switch

Turns the Firebox on or off.

PCI Expansion Slot

Reserved for future use.

Factory Default

This button is active only during the boot process.

To boot the Firebox to SYS B, press this button and hold it down for 20-60 seconds (or until you see the

Sys B light come on).

Console Port

Connects to the management station or modem through a serial cable supplied with the Firebox using PPP.

.

Ethernet Ports

(Shown on the previous page) Indicators for each network interface display link status, card speed, and activity. The network interface cards (NICs) are auto-sensing and adapt to wire speed automatically. The speed indicator lights when

7

there is a good physical connection to the Firebox.

When the card runs at 10Mbit, the speed indicator is yellow. When the card runs at 100 Mbit, the speed indicator is green. The amber traffic indicator blinks when traffic is passing through the

Firebox.

Firebox III rear view (Model 500 and 700)

The rear view of the Firebox III Model 500 and 700 contains ports and jacks for connectivity as well as a power switch.

From the left, rear panel features are as described below:

8

AC Receptacle

Accepts the detachable AC power cord supplied with the Firebox.

Power Switch

Turns the Firebox on or off.

Factory Default

This button is active only during the boot process.

To boot the Firebox to SYS B, press this button and hold it down for 20-60 seconds (or until you see the

Sys B light come on).

Hardware Description

Console Port

Connects to the management station or modem through a serial cable supplied with the Firebox using PPP.

Ethernet Jacks

Indicators for each network interface display link status, card speed, and activity. The network interface connections (NICs) are auto-sensing and adapt to wire speed automatically. The speed indicator lights when there is a good physical connection to the Firebox. When the card runs at

10Mbit, the speed indicator is yellow. When the card runs at 100 Mbit, the speed indicator is green.

The amber traffic indicator blinks when traffic is passing through the Firebox.

Physical specifications (All models except

Model 500 and 700)

• Three RJ-45 10/100Tx Ethernet interfaces

• 1 DB-9 serial port

• PCI expansion option

• 500 MHz AMD K6-III processor

300 MHz AMD K6-II processor (model 1000 only)

• 64-MB SDRAM (model 1000)

128-MB SDRAM (model 2500)

264-MB SDRAM (model 4500)

• 8-MB flash disk

• 100-240 VAC Autosensing, 50/60 Hz

• Height: 2.85”; Width: 15.5 “; Depth: 10.5”

Physical specifications (Model 500 and 700)

• Three RJ-45 10/100Tx Ethernet interfaces

• 1 DB-9 serial port

Hardware Guide 9

10

• 233 MHz AMD K6-II processor

• 64-MB SDRAM

• 8-MB flash disk

• 100-240 VAC Autosensing, 50/60 Hz

• Height: 2.85”; Width: 15.5 “; Depth: 10.5”

Cross-over cabling

To connect a Firebox to a hub or switch, use a standard, straight-through cable. However, if you plan to connect a

Firebox directly to a router, either purchase or build a cross-over cable for RJ-45 (Cat5) wire.

The tables below provide pin-out descriptions for both a straight-through and a RJ-45 (Cat5) cross-over cable.

Pin Number Pin Number

1 (Transmit Plus) 1 (Transmit Plus)

2 (Transmit -) 2 (Transmit -)

3 (Receive Plus) 3 (Receive Plus)

6 (Receive -) 6 (Receive -)

4,5,7,8 Not Used

Pin Number Pin Number

1 (Transmit Plus) 3 (Receive Plus)

2 (Transmit -) 6 (Receive -)

3 (Receive Plus) 1 (Transmit Plus)

6 (Receive -) 2 (Transmit -)

4,5,7,8 Not Used