Fireware XTM Web UI 11.9 User Guide
WatchGuard XTM Devices
ii Fireware XTM Web UI
About this User Guide
The Fireware XTM Web UI User Guide is updated with each major product release. For minor product
releases, only the Fireware XTM Web UI Help system is updated. The Help system also includes
specific, task-based implementation examples that are not available in the User Guide.
For the most recent product documentation, see the Fireware XTM Web UI Help on the WatchGuard
web site at: http://www.watchguard.com/help/documentation/.
Information in this guide is subject to change without notice. Companies, names, and data used in
examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the
express written permission of WatchGuard Technologies, Inc.
Guide revised: 5/12/2014
Copyright, Trademark, and Patent Information
Copyright 1998-2014 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade
names mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and
Licensing Guide, available online at: http://www.watchguard.com/help/documentation/
This product is for indoor use only.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content
security solutions that provide defense-in-depth and help meet
regulatory compliance requirements. The WatchGuard XTM
line combines firewall, VPN, GAV, IPS, spam blocking and
URL filtering to protect your network from spam, viruses,
malware, and intrusions. The new XCS line offers email and
web content security combined with data loss prevention.
WatchGuard extensible solutions scale to offer right-sized
security ranging from small businesses to enterprises with
10,000+ employees. WatchGuard builds simple, reliable, and
robust security appliances featuring fast implementation and
comprehensive management and reporting tools. Enterprises
throughout the world rely on our signature red boxes to
maximize security without sacrificing efficiency and
productivity.
For more information, please call 206.613.6600 or visit
www.watchguard.com.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
User Guide iii
Table of Contents
Fireware XTM Web UI 11.9 User Guide 1
Introduction to Network Security 1
About Networks and Network Security 1
About Internet Connections 1
About Protocols 2
About IP Addresses 3
IPv4 Addresses 3
IPv6 Addresses 4
About Slash Notation 5
About Entering Addresses 6
Static and Dynamic IP Addresses 6
About DNS (Domain Name System) 7
About Firewalls 8
About Services and Policies 9
About Ports 10
The XTM Device and Your Network 10
Introduction to Fireware XTM 13
About Fireware XTM 13
Fireware XTM Components 14
WatchGuard System Manager 14
WatchGuard Server Center 15
Fireware XTM Web UI and Command Line Interface 16
Fireware XTM with a Pro Upgrade 17
Fireware XTM on an XTMv Device 18
XTMv Device Limitations 18
Virtual Switch Configuration 18
Hyper-V Virtual Adapter Configuration 19
XTMv Device Installation 19
FIPS Support in Fireware XTM 20
About FIPS Mode 20
FIPS Mode Operation and Constraints 20
Service and Support 21
About WatchGuard Support 21
LiveSecurity Service 21
LiveSecurity Service Gold 22
Service Expiration 23
Getting Started 25
Before You Begin 25
Verify Basic Components 25
Get an XTM Device Feature Key 26
Gather Network Addresses 26
Select a Firewall Configuration Mode 27
About the Quick Setup Wizard 28
Run the Web Setup Wizard 29
Connect to Fireware XTM Web UI 34
Connect to Fireware XTM Web UI from an External Network 36
About Fireware XTM Web UI 37
Limitations of Fireware XTM Web UI 38
Complete Your Installation 39
Customize Your Security Policy 39
About LiveSecurity Service 39
Additional Installation Topics 40
Connect to an XTM Device with Firefox 40
Identify Your Network Settings 41
Set Your Computer to Connect to Your XTM Device 43
Disable the HTTP Proxy in the Browser 45
Configuration and Management Basics 47
About Basic Configuration and Management Tasks 47
Make a Backup of the XTM Device Image 47
Restore an XTM Device Backup Image 49
Use a USB Drive for System Backup and Restore 50
About the USB Drive 50
Save a Backup Image to a Connected USB Drive 50
Restore a Backup Image from a Connected USB Drive 51
Automatically Restore a Backup Image from a USB Drive 51
USB Drive Directory Structure 54
Save a Backup Image to a USB Drive Connected to Your Computer 55
Use a USB Drive to Save a Support Snapshot 55
Reset a Device 57
Start an XTM Device in Safe Mode 57
Reset a Firebox T10, XTM 2 Series or XTM 33 to Factory-Default Settings 57
Reset an XTMv VM to Factory-Default Settings 58
Run the Setup Wizard 58
About Factory-Default Settings 59
About Feature Keys 61
See Features Available with the Current Feature Key 61
Get a Feature Key for Your XTM Device 63
Manually Add a Feature Key to Your XTM Device 67
Enable Automatic Feature Key Synchronization 70
Restart Your Firebox or XTM Device 71
Restart the XTM Device Locally 71
Restart the XTM Device Remotely 71
Enable NTP and Add NTP Servers 72
Set the Time Zone and Basic Device Properties 73
About SNMP 74
SNMP Polls and Traps 74
Enable SNMP Polling 75
Enable SNMP Management Stations and Traps 76
About Management Information Bases (MIBs) 79
About WatchGuard Passphrases, Encryption Keys, and Shared Keys 80
Create a Secure Passphrase, Encryption Key, or Shared Key 80
Device Default Account Passphrases 82
User Passphrases 82
Server Passphrases 82
Encryption Keys and Shared Keys 83
Define Device Global Settings 84
Change the Web UI Port 85
Automatic Reboot 86
Device Feedback 86
Define ICMP Error Handling Global Settings 87
Configure TCP Settings 88
Enable or Disable Traffic Management and QoS 89
Manage Traffic Flow 90
About WatchGuard Servers 90
Manage an XTM Device From a Remote Location 92
Configure an XTM Device as a Managed Device 94
Edit the WatchGuard Policy 94
Set Up the Managed Device 95
Configure a Deployed Remote Device for a Management Tunnel over SSL 97
Upgrade to a New Version of Fireware XTM 99
Install the Upgrade on Your Management Computer 99
Upgrade the XTM Device 99
Downgrade Fireware XTM OS 101
Use a Saved Backup Image to Downgrade 101
Downgrade Without a Backup Image 101
Use the Web UI to Downgrade from Fireware XTM OS v11.7 or Higher 103
Download or Show the XTM Device Configuration 105
Download the Configuration File 105
Show the XTM Configuration Report 105
About Upgrade Options 107
Subscription Services Upgrades 107
Appliance and Software Upgrades 108
How to Apply an Upgrade 108
About Subscription Services Expiration and Renewal 108
Subscription Renewal Reminders 109
Feature Key Compliance 109
Security Service Expiration Behavior 109
LiveSecurity Service 111
Synchronize Subscription Renewals 111
Renew Subscription Services 112
Subscription Services Status and Manual Signatures Updates 112
RemoteConfig and RapidDeploy 114
About RemoteConfig and RapidDeploy 115
RemoteConfig 115
RapidDeploy 115
Automatic Configuration Download 115
Use RemoteConfig 116
Use RapidDeploy 129
Use a USB Drive to Configure Interface Settings 135
Network Setup and Configuration 139
About Network Interface Setup 139
Network Modes 140
Interface Types 141
Wireless Interfaces 141
About Private IP Addresses 142
About IPv6 Support 142
Mixed Routing Mode 144
Configure an External Interface 144
Configure a Trusted or Optional Interface 153
Configure the DHCPv6 Address Pool 163
Configure DHCPv6 Reservations 163
Enable Rapid Commit 163
Configure IPv6 Address Lifetimes 163
Configure a Custom Interface 166
About the Dynamic DNS Service 167
Configure Dynamic DNS 168
Drop-In Mode 169
Use Drop-In Mode for Network Interface Configuration 170
Configure Related Hosts 170
Configure DHCP in Drop-In Mode 172
Bridge Mode 175
Enable Bridge Mode 177
Allow Management Access from a VLAN 177
Common Interface Settings 178
Disable an Interface 179
Configure DHCP Relay 179
Restrict Network Traffic by MAC Address 179
Add WINS and DNS Server Addresses 180
Add a Secondary Network IP Address 182
About Advanced Interface Settings 185
Network Interface Card (NIC) Settings 185
Set DF Bit for IPSec 188
PMTU Setting for IPSec 188
Use Static MAC Address Binding 189
Find the MAC Address of a Computer 190
About LAN Bridges 190
Create a Network Bridge Configuration 190
Assign a Network Interface to a Bridge 193
About Routing 194
Add a Static Route 194
Add Static ARP Entries 199
About Virtual Local Area Networks (VLANs) 200
VLAN Requirements and Restrictions 200
About Tagging 201
About VLAN ID Numbers 201
Define a New VLAN 201
Assign Interfaces to a VLAN 206
About Link Aggregation 207
Requirements and Limitations 207
Link Aggregation Modes 207
Configure Link Aggregation 209
Monitor Link Aggregation Interfaces 215
Network Setup Examples 216
Configure Two VLANs on the Same Interface 216
Configure One VLAN Bridged Across Two Interfaces 220
Use the Broadband Extend or 3G Extend Wireless Bridge 224
Multi-WAN 227
About Using Multiple External Interfaces 227
Multi-WAN Requirements and Conditions 227
Multi-WAN and DNS 228
About Multi-WAN Options 229
Round-Robin Order 229
Failover 229
Interface Overflow 230
Routing Table 230
Modem (XTM 2 Series, 3 Series or 5 Series only) 231
Configure Round-Robin 232
Before You Begin 232
Configure the Interfaces 232
Find How to Assign Weights to Interfaces 233
Configure Failover 233
Before You Begin 233
Configure the Interfaces 233
Configure Interface Overflow 235
Before You Begin 235
Configure the Interfaces 235
Configure Routing Table 236
Before You Begin 236
Routing Table mode and load balancing 236
Configure the Interfaces 236
About the XTM Device Route Table 237
When to Use Multi-WAN Methods and Routing 237
Configure Modem Failover 238
Enable Modem Failover 238
Account Settings 239
DNS Settings 241
Dial-Up Settings 242
Advanced Settings 242
Link Monitor Settings 243
About Advanced Multi-WAN Settings 244
Set a Global Sticky Connection Duration 244
Set the Failback Action 245
Set Notification Settings 246
About WAN Interface Status 246
Time Needed for the XTM Device to Update its Route Table 246
Define a Link Monitor Host 246
Network Address Translation (NAT) 249
About Network Address Translation 249
Types of NAT 250
About Dynamic NAT 250
Add Network Dynamic NAT Rules 252
Configure Policy-Based Dynamic NAT 255
About Dynamic NAT Source IP Addresses 258
About 1-to-1 NAT 260
About 1-to-1 NAT and VPNs 261
Configure Firewall 1-to-1 NAT 261
Configure Policy-Based 1-to-1 NAT 264
Configure NAT Loopback with Static NAT 266
Add a Policy for NAT Loopback to the Server 267
NAT Loopback and 1-to-1 NAT 268
About SNAT 271
Configure Static NAT 271
Configure Server Load Balancing 275
1-to-1 NAT Example 282
Wireless Device Setup 285
About Wireless Device Configuration 285
Wireless Settings in Fireware XTM OS v11.8.x and v11.9.x 285
Enable Wireless 286
Wireless Device Configuration Options 287
Wireless Device Configuration Options (Fireware XTM OS v11.9 and Later) 287
Wireless Device Configuration Options (Fireware XTM OS v11.8.x and Older) 288
Before You Begin 289
About Wireless Configuration Settings 291
Enable/Disable SSID Broadcasts 292
Change the SSID 292
Log Authentication Events 292
Change the Fragmentation Threshold 292
Change the RTS Threshold 293
About Wireless Security Settings 293
Set the Wireless Authentication Method 294
Use a RADIUS Server for Wireless Authentication 295
Use the XTM Device as an Authentication Server for Wireless Authentication 296
Set the Encryption Level 298
Enable Wireless Connections (Fireware XTM OS v11.9.x and Later) 300
Enable Wireless Connections (Fireware XTM OS v11.8.x and Older) 304
Enable a Wireless Guest Network (Fireware XTM OS v11.9.x and Later) 306
Wireless Guest and Policies 309
Enable a Wireless Guest Network (Fireware XTM OS v11.8.x and Older) 309
Enable a Hotspot on a Wireless Access Point 313
Configure Your External Interface as a Wireless Interface 314
Configure the Primary External Interface as a Wireless Interface 314
Configure a BOVPN tunnel for additional security 316
About Wireless Radio Settings 317
Country is Set Automatically 318
Select the Band and Wireless Mode 319
Select the Channel 320
Monitor Wireless Access Points and Clients 321
Configure the Wireless Card on Your Computer 322
Rogue Access Point Detection 322
Enable Rogue Access Point Detection 323
Add an XTM Wireless Device as a Trusted Access Point 328
Find the Wireless MAC Address of a Trusted Access Point 331
Rogue Access Point Scan Results 331
WatchGuard AP Device Setup 332
Wireless Access Point Types 332
About AP Device Configuration 333
SSID Configuration 333
AP Device Configuration 334
WatchGuard AP Device Requirements and Limitations 335
Requirements 335
Limitations 335
Plan Your Wireless AP Device Deployment 336
Wireless Site Survey 337
Wireless Modes and Channels 339
Wireless Signal Strength and Noise Levels 342
Wireless Environmental Factors 343
Wireless Placement 344
WatchGuard AP Device Deployment Overview 346
Deploy AP Devices Without VLAN Tagging 347
Deploy AP Devices With VLAN Tagging Enabled 350
Configure VLANs for WatchGuard AP Devices 353
When to Enable VLAN Tagging in SSIDs 353
Configure VLANs on the XTM Device 354
Configure VLANs on a Managed Switch 354
About AP Station Isolation 356
Station Isolation for a Single AP Device 356
Station Isolation for Multiple AP Devices 356
Example Station Isolation and Roaming 357
About AP Device Activation 360
Automatic Activation 360
Manual Activation 360
About AP Device Passphrases 361
Pairing Passphrase 361
WatchGuard AP Passphrase 361
Passphrases and Pairing 361
Resolve a Passphrase Mismatch 362
Configure AP Devices in the Gateway Wireless Controller 363
Enable the Gateway Wireless Controller 363
Set the Diagnostic Log Level 364
Configure WatchGuard AP Device SSIDs 365
Configure SSID Security Settings 367
WatchGuard AP Device Discovery and Pairing 371
Configure AP Device Settings 373
Configure AP Device Radio Settings 378
Configure Gateway Wireless Controller Settings 382
Configure MAC Access Control 386
Unpair an AP Device 388
Monitor AP Device Status 389
See AP Connection Status and Uptime 389
See AP Radio Frequency and Channel 390
See the AP Activation Status 390
See AP Device Network Statistics 391
See Log Messages on an AP Device 392
Flash the Power LED on the AP Device 392
Restart Wireless on the AP Device 392
Reboot an AP Device 392
Upgrade an AP Device 393
Perform a Site Survey 394
Monitor Wireless Clients 396
View Wireless Deployment Maps 397
Wireless Deployment Maps Overview 397
Use Maps for AP Device Placement 398
See Wireless Channel Conflicts 400
Find Unauthorized Access Points 404
Enable a Hotspot on an AP Device 404
Reset the WatchGuard AP Device 405
Reset the WatchGuard AP Device with the Reset Button 405
Reset the WatchGuard AP Device from the Access Point Web UI 406
Unpair the WatchGuard AP Device 406
Update AP Device Firmware 407
See the Current Firmware Version 407
Options for AP Device Firmware Updates 407
Add an HTTPS Policy for Access Point Web UI Connections 408
Use the WatchGuard Access Point Web UI 408
Connect to the WatchGuard Access Point Web UI 409
Verify the Current AP Device Settings 410
Manage Network Settings 411
Change the Access Point Passphrase 412
Upgrade the AP Device Firmware 412
Save or Revert Configuration Changes 413
WatchGuard AP Device Deployment Examples 414
AP Device Deployment with a Single SSID 414
AP Device Deployment with Simple Roaming 415
AP Device Deployment with VLANs 416
Dynamic Routing 419
About Dynamic Routing 419
Dynamic Routing Protocols 419
Dynamic Routing Policies 420
Monitor Dynamic Routing 420
About Routing Daemon Configuration Files 420
About Routing Information Protocol (RIP and RIPng) 421
Configure IPv4 Routing with RIP 422
Configure IPv6 Routing with RIPng 428
About Open Shortest Path First (OSPF and OSPFv3) Protocol 434
Configure IPv4 Routing with OSPF 435
Configure IPv6 Routing with OSPFv3 442
OSPF Interface Cost Table 447
About Border Gateway Protocol (BGP) 448
Configure IPv4 and IPv6 Routing with BGP 448
BGP Commands 451
Sample BGP Routing Configuration File 455
FireCluster 458
About WatchGuard FireCluster 458
FireCluster Device Roles 460
Use the Web UI with a FireCluster 461
Web UI for the Cluster Master 461
Web UI for the Backup Master 462
FireCluster Backup, Restore, and Upgrade in the Web UI 462
Authentication 465
About User Authentication 465
User Authentication Steps 466
Manage Authenticated Users 468
Use Authentication to Restrict Incoming Traffic 469
Use Authentication Through a Gateway Firebox 471
About the WatchGuard Authentication (WG-Auth) Policy 471
Set Global Firewall Authentication Values 471
Specify Firewall Authentication Settings 471
Set Global Authentication Timeouts 472
Allow Unlimited Concurrent Login Sessions 473
Limit Login Sessions 473
Specify the Default Authentication Server in the Authentication Portal 475
Automatically Redirect Users to the Authentication Portal 475
Use a Custom Default Start Page 476
Set Management Session Timeouts 476
About Single Sign-On (SSO) 477
The WatchGuard SSO Solution 477
Example Network Configurations for SSO 481
Choose Your SSO Components 483
Before You Begin 484
Set Up SSO 484
Install the WatchGuard Single Sign-On (SSO) Agent 484
Configure the SSO Agent 486
Use Telnet to Debug the SSO Agent 496
Install the WatchGuard Single Sign-On (SSO) Client 500
Install the WatchGuard SSO Exchange Monitor 501
Enable Single Sign-On (SSO) 503
About SSO Log Files 506
Install and Configure the Terminal Services Agent 508
About Single Sign-On for Terminal Services 509
Before You Begin 510
Install the Terminal Services Agent 510
Configure the Terminal Services Agent 511
Configure Terminal Services Settings 515
Authentication Server Types 517
About Third-Party Authentication Servers 517
Use a Backup Authentication Server 517
Configure Your XTM Device as an Authentication Server 518
Types of Firebox Authentication 518
Define a New User for Firebox Authentication 522
Define a New Group for Firebox Authentication 526
Customize the Authentication Portal Page 527
Configure RADIUS Server Authentication 530
Authentication Key 530
RADIUS Authentication Methods 530
Before You Begin 530
Use RADIUS Server Authentication with Your XTM Device 530
How RADIUS Server Authentication Works 533
Configure RADIUS Server Authentication with Active Directory Users and Groups For Mobile VPN Users 537
WPA and WPA2 Enterprise Authentication 540
Configure VASCO Server Authentication 540
Configure SecurID Authentication 543
Configure LDAP Authentication 546
About LDAP Optional Settings 550
Test the Connection to the Server 550
Configure Active Directory Authentication 551
Add an Active Directory Authentication Domain and Server 551
About Active Directory Optional Settings 555
Test the Connection to the Server 555
Edit an Existing Active Directory Domain 556
Delete an Active Directory Domain 556
Find Your Active Directory Search Base 556
Change the Default Port for the Active Directory Server 558
Use Active Directory or LDAP Optional Settings 558
Before You Begin 559
Specify Active Directory or LDAP Optional Settings 559
Use a Local User Account for Authentication 564
Use Authorized Users and Groups in Policies 564
Define Users and Groups for Firebox Authentication 564
Define Users and Groups for Third-Party Authentication 564
Allow Unlimited Concurrent Login Sessions 566
Limit Login Sessions 566
Add Users and Groups to Policy Definitions 566
Enable a Hotspot 567
Configure User Timeout Settings 570
Select the Hotspot Type 570
Configure the Hotspot Custom Page 571
Connect to a Hotspot 574
See Hotspot Connections 575
About Hotspot External Guest Authentication 577
Before You Begin 577
Configuration 578
External Guest Authentication Example 578
Configure a Web Server for Hotspot External Guest Authentication 581
Configure the Hotspot for External Guest Authentication 588
Troubleshoot Hotspot External Guest Authentication 590
Policies 593
About Policies 593
Packet Filter and Proxy Policies 593
Add Policies to Your XTM Device 594
About the Policies Pages 595
About the Outgoing Policy 597
Add Policies to Your Configuration 598
Use Policy Checker to Find a Policy 598
Add a Policy from the List of Templates 599
Disable or Delete a Policy 600
Use Policy Checker to Find a Policy 601
Read the Results 602
About Policy Tags and Filters 605
Create and Apply Policy Tags 605
Remove Policy Tags From Policies 608
Modify Policy Tags 610
Create and Apply a Filter 610
Modify a Filter 611
About Aliases 613
Alias Members 613
Create an Alias 615
About Policy Precedence 619
Automatic Policy Order 619
Policy Specificity and Protocols 619
Traffic Rules 620
Firewall Actions 620
Schedules 621
Policy Types and Names 621
Set Precedence Manually 621
Create Schedules for XTM Device Actions 622
Set an Operating Schedule 623
About Custom Policies 624
Create or Edit a Custom Policy Template 624
About Policy Properties 627
Settings Tab 628
Application Control Tab 628
Traffic Management Tab 628
Scheduling Tab 628
Advanced Tab 629
Proxy Settings 629
Set Access Rules for a Policy 629
Configure Policy-Based Routing 631
Set a Custom Idle Timeout 635
Set ICMP Error Handling 636
Apply NAT Rules 636
Set the Sticky Connection Duration for a Policy 636
Proxy Settings 639
About Proxy Policies and ALGs 639
Proxy Configuration 640
Add a Proxy Policy to Your Configuration 640
About Proxy Actions 643
Set the Proxy Action in a Proxy Policy 643
Clone, Edit, or Delete Proxy Actions 644
Proxy and AV Alarms 649
About Rules and Rulesets 650
About Working with Rules and Rulesets 650
Configure Rulesets 651
Add, Change, or Delete Rules 651
Cut and Paste Rule Definitions 653
Change the Order of Rules 653
Change the Default Rule 654
About Regular Expressions 656
About the DNS-Proxy 660
Settings Tab 661
Application Control Tab 661
Traffic Management Tab 661
Proxy Action Tab 662
Scheduling Tab 662
Advanced Tab 663
DNS-Proxy: General Settings 664
DNS-Proxy: OPcodes 665
DNS-Proxy: Query Types 668
DNS-Proxy: Query Names 671
DNS-Proxy: Proxy Alarm 673
About MX (Mail eXchange) Records 675
About the FTP-Proxy 677
Settings Tab 678
Application Control Tab 678
Traffic Management Tab 678
Proxy Action Tab 679
Scheduling Tab 679
Advanced Tab 680
FTP-Proxy: General Settings 681
FTP-Proxy: Commands 683
FTP-Proxy: Content 684
FTP-Proxy: Data Loss Prevention 684
FTP-Proxy: Proxy and AV Alarms 684
FTP-Proxy: APT Blocker 685
About the H.323-ALG 687
VoIP Components 687
ALG Functions 687
Settings Tab 689
Application Control Tab 689
Traffic Management Tab 689
Proxy Action Tab 690
Scheduling Tab 690
Advanced Tab 691
H.323-ALG: General Settings 691
H.323-ALG: Access Control 694
H.323-ALG: Denied Codecs 697
About the HTTP-Proxy 699
Settings Tab 700
Application Control Tab 700
Traffic Management Tab 700
Proxy Action Tab 701
Scheduling Tab 701
Advanced Tab 702
HTTP Request: General Settings 703
HTTP Request: Request Methods 706
HTTP Request: URL Paths 709
HTTP Request: Header Fields 709
HTTP Request: Authorization 710
HTTP Response: General Settings 711
HTTP Response: Header Fields 712
HTTP Response: Content Types 713
HTTP Response: Cookies 715
HTTP Response: Body Content Types 716
HTTP-Proxy: Exceptions 716
HTTP-Proxy: Deny Message 718
HTTP-Proxy: Data Loss Prevention 720
HTTP-Proxy: Proxy and AV Alarms 720
HTTP-Proxy: APT Blocker 721
Enable Windows Updates Through the HTTP-Proxy 722
Use a Caching Proxy Server 723
About the HTTPS-Proxy 725
Settings Tab 726
Application Control Tab 726
Traffic Management Tab 726
Proxy Action Tab 727
Scheduling Tab 727
Advanced Tab 728
HTTPS-Proxy: General Settings 729
HTTPS-Proxy: Content Inspection 731
HTTPS-Proxy: Certificate Names 734
HTTPS-Proxy: Proxy Alarm 734
About the POP3-Proxy 736
Settings Tab 737
Application Control Tab 737
Traffic Management Tab 737
Proxy Action Tab 738
Scheduling Tab 738
Advanced Tab 739
POP3-Proxy: General Settings 740
POP3-Proxy: Authentication 742
POP3-Proxy: Content Types 743
POP3-Proxy: Filenames 745
POP3-Proxy: Headers 747
POP3-Proxy: Deny Message 747
POP3-Proxy: Proxy and AV Alarms 749
About the SIP-ALG 750
VoIP Components 750
Instant Messaging Support 750
ALG Functions 751
Settings Tab 752
Application Control Tab 752
Traffic Management Tab 752
Proxy Action Tab 753
Scheduling Tab 753
Advanced Tab 754
SIP-ALG: General Settings 755
SIP-ALG: Access Control 758
SIP-ALG: Denied Codecs 760
About the SMTP-Proxy 763
Settings Tab 764
Application Control Tab 764
Traffic Management Tab 764
Proxy Action Tab 765
Scheduling Tab 765
Advanced Tab 766
SMTP-Proxy: General Settings 767
SMTP-Proxy: Greeting Rules 771
SMTP-Proxy: ESMTP Settings 774
SMTP-Proxy: TLS Encryption 776
SMTP-Proxy: Authentication 779
SMTP-Proxy: Content Types 782
SMTP-Proxy: Filenames 786
SMTP-Proxy: Mail From/Rcpt To 788
SMTP-Proxy: Headers 790
SMTP-Proxy: Deny Message 790
SMTP-Proxy: Data Loss Prevention 792
SMTP-Proxy: Proxy and AV Alarms 792
SMTP-Proxy: APT Blocker 793
Configure the SMTP-Proxy to Quarantine Email 794
Protect Your SMTP Server from Email Relaying 795
About the TCP-UDP-Proxy 796
Settings Tab 797
Application Control Tab 797
Traffic Management Tab 797
Proxy Action Tab 798
Scheduling Tab 798
Advanced Tab 799
TCP-UDP-Proxy: General Settings 799
Traffic Management and QoS 803
About Traffic Management and QoS 803
Enable Traffic Management and QoS 803
OS Compatibility 804
Guarantee Bandwidth 805
Restrict Bandwidth 805
QoS Marking 805
Traffic priority 806
Set Outgoing Interface Bandwidth 807
Set Connection Rate Limits 808
About QoS Marking 808
Before You Begin 808
QoS Marking for Interfaces and Policies 808
QoS Marking and IPSec Traffic 809
Enable QoS Marking for an Interface 809
Enable QoS Marking or Prioritization Settings for a Policy 810
Get Started with Traffic Management 813
Determine Available Bandwidth 813
Determine the Sum of Your Bandwidth 813
Traffic Management and OS Compatibility 813
About Traffic Management in Fireware XTM v11.9 and Higher 814
Define a Traffic Management Action in v11.9 814
Add Traffic Management Actions to a Policy 817
Use Traffic Management with Application Control 821
Monitor Bandwidth by Traffic Management Action 824
About Traffic Management in Fireware XTM v11.8.x and Lower 827
Define a Traffic Management Action in v11.8.x and Lower 827
Add a Traffic Management Action to a Policy 828
Traffic Management Examples 831
Default Threat Protection 833
About Default Threat Protection 833
About Default Packet Handling Options 834
Configure Default Packet Handling 834
About Spoofing Attacks 836
About IP Source Route Attacks 838
About Port Space and Address Space Probes 840
About Flood Attacks 842
About Unhandled Packets 844
About Distributed Denial-of-Service Attacks 847
About Blocked Sites 849
Permanently Blocked Sites 849
Auto-Blocked Sites/Temporary Blocked Sites List 850
Blocked Site Exceptions 850
See and Manage the Blocked Sites List 850
Block a Site Permanently 850
Create Blocked Site Exceptions 851
Block Sites Temporarily with Policy Settings 852
Change the Duration that Sites are Auto-Blocked 854
About Blocked Ports 854
Default Blocked Ports 855
Block a Port 857
Role-Based Administration 859
About Role-Based Administration 859
Roles and Role Policies 860
Audit Trail 860
Manage Users and Roles on Your Device 861
Add a New Device User 862
Edit a Device User 863
Delete a Device User 863
Audit Device Management User Activity 863
Logging and Notification 865
About Logging, Log Files, and Notification 865
About Log Messages 865
Log Servers 865
Logging and Notification in Applications and Servers 866
System Status Traffic Monitor 866
Types of Log Messages 866
Send Log Messages to a WatchGuard Log Server 867
Add, Edit, or Change the Priority of Log Servers 868
Include Performance Statistics in Log Messages 871
Configure Syslog Server Settings 873
Set the Diagnostic Log Level 878
Monitor Hardware Health 880
Configure Logging and Notification for a Policy 881
Set Logging and Notification Preferences 882
Monitor Your Device 885
About the Dashboard and System Status Pages 885
The Dashboard 885
System Status Pages 887
Front Panel 889
Widgets 889
Top Panels 890
Subscription Services 890
FireWatch 891
See Connection Details 892
Delete a Connection 895
Block a Site 896
Refresh FireWatch Data 896
Interfaces 896
Review Interface Bandwidth 897
Review Interface Details 898
Release or Renew a DHCP Lease 899
Traffic Monitor 900
Sort and Filter Traffic Monitor Log Messages 902
Change the Display 902
Pause and Restart the Display 903
View APT Threat Information 903
View APT Threat Information 904
WatchGuard AP Device and Wireless Client Connections (Gateway Wireless Controller) 906
Summary 908
Access Points 910
Wireless Clients 912
Use Gateway Wireless Controller Maps 914
ARP Table 921
Authentication List 922
Blocked Sites 923
Add or Edit Temporary Blocked Sites 924
Checksum 924
Components List 925
DHCP Leases 926
Diagnostics 928
Run a Basic Diagnostics Command 930
Use Command Arguments 930
Find the IP Address for a Host Name 930
Download a PCAP File 931
Run a VPN Diagnostic Report 934
Download a Diagnostic Log File 935
Dynamic DNS 936
Hotspot Clients 937
LiveSecurity 937
Processes 938
Routes 938
Server Connection 940
Test the Server Connection 941
Read the Server Connection Results 943
Traffic Management 943
Users and Roles 947
View Connected Users 947
Log Off Users 948
VPN Statistics 948
Rogue AP Detection 950
Wireless Statistics 950
Certificates 953
About Certificates 953
Use Multiple Certificates to Establish Trust 954
How the XTM Device Uses Certificates 954
Certificate Lifetimes and CRLs 955
Certificate Authorities and Signing Requests 955
Certificate Authorities Trusted by the XTM Device 956
Manage XTM Device Certificates 968
Create a CSR with OpenSSL 972
Use OpenSSL to Generate a CSR 972
Sign a Certificate with Microsoft CA 972
Send the Certificate Request 973
Issue the Certificate 973
Download the Certificate 973
Use Certificates for the HTTPS-Proxy 974
Protect a Private HTTPS Server 974
Examine Content from External HTTPS Servers 975
Import the Certificates on Client Devices 977
Troubleshoot Problems with HTTPS Content Inspection 977
Certificates for Branch Office VPN (BOVPN) Tunnel Authentication 977
Verify the Certificate 978
Verify VPN Certificates with an LDAP Server 978
Certificates for Mobile VPN With IPSec Tunnel Authentication 979
Verify VPN Certificates with an LDAP Server 980
Certificates for Mobile VPN with L2TP Tunnel Authentication 981
Verify VPN Certificates with an LDAP Server 981
Configure the Web Server Certificate for Firebox Authentication 982
Import a Certificate on a Client Device 984
Import a PEM Format Certificate with Windows 7 984
Virtual Private Networks (VPNs) 987
Introduction to VPNs 987
Branch Office VPN 987
Mobile VPN 988
About IPSec VPNs 988
About IPSec Algorithms and Protocols 988
About IPSec VPN Negotiations 992
About IPSec VPN Tunnel Authentication Methods 995
Configure Phase 1 and Phase 2 Settings 996
About Mobile VPNs 997
Select a Mobile VPN 997
Internet Access Options for Mobile VPN Users 1002
Mobile VPN Setup Overview 1003
Virtual IP Addresses and Mobile VPNs 1004
DNS and Mobile VPNs 1005
VPN Tunnel Capacity and Licensing 1006
Find Your XTM Device Tunnel Capacity 1006
VPN License Enforcement 1006
Branch Office VPNs 1009
What You Need to Create a Manual BOVPN 1009
About Manual Branch Office VPN Tunnels 1010
What You Need to Create a VPN 1010
BOVPN Tunnel Configuration Options 1011
One-Way Tunnels 1011
VPN Failover 1011
Global VPN Settings 1012
BOVPN Tunnel Status 1013
Rekey BOVPN Tunnels 1013
Sample VPN Address Information Table 1014
Quick Start: Set Up a VPN Tunnel between Two Firebox or XTM Devices 1016
Branch Office VPN Terminology 1019
Configure Gateways 1021
Define Gateway Endpoints 1023
Configure Mode and Transforms (Phase 1 Settings) 1027
Edit and Delete Gateways 1033
Disable Automatic Tunnel Startup 1033
If Your XTM Device is Behind a Device That Does NAT 1033
Make Tunnels Between Gateway Endpoints 1035
Define a Tunnel 1035
Add Routes for a Tunnel 1037
Configure Phase 2 Settings 1038
Add a Phase 2 Proposal 1039
Change Order of Tunnels 1042
About BOVPN Virtual Interfaces 1043
BOVPN Virtual Interface Configuration Scenarios 1044
Metric-based VPN Failover and Failback 1044
BOVPN Virtual Interface with Dynamic Routing 1045
BOVPN Virtual Interface with Policy-Based Routing 1046
Configure a BOVPN Virtual Interface 1049
Configure VPN Routes 1052
Assign BOVPN Virtual Interface IP Addresses 1055
Configure BOVPN Virtual Interface Multicast Settings 1057
Disable or Enable a Branch Office VPN 1058
Disable or Enable a BOVPN Gateway 1058
Disable or Enable a BOVPN Virtual Interface 1058
About Global VPN Settings 1059
Enable IPSec Pass-through 1059
Enable TOS for IPSec 1060
Enable the Use of Non-Default (Static or Dynamic) Routes to Determine if IPSec is Used 1060
Disable or Enable the Built-in IPSec Policy 1061
Remove VPN Routes for a BOVPN Virtual Interface 1061
Enable LDAP Server for Certificate Verification 1062
BOVPN Notification 1062
Configure Inbound IPSec Pass-through with SNAT 1062
Disable the Built-in IPSec Policy 1063
Add IPSec Policies 1063
Configure a Branch Office VPN for Failover from a Leased Line 1064
Requirements 1064
Configuration Overview 1064
How Failover to the Branch Office VPN Operates 1065
Set Up Outgoing Dynamic NAT Through a Branch Office VPN Tunnel 1066
Configure the Endpoint Where All Traffic Must Appear to Come from a Single Address (Site A) 1066
Configure the Endpoint that Expects All Traffic to Come from a Single IP Address (Site B) 1069
Use 1-to-1 NAT Through a Branch Office VPN Tunnel 1071
1-to-1 NAT and VPNs 1071
Other Reasons to Use 1-to-1 NAT Through a VPN 1071
Alternative to Using NAT 1072
How to Set Up the VPN 1073
Example 1073
Define a Route for All Internet-Bound Traffic 1078
Configure the BOVPN Tunnel on the Remote XTM Device 1078
Configure the BOVPN Tunnel on the Central XTM Device 1079
Add a Dynamic NAT Entry on the Central XTM Device 1080
Mobile VPN Traffic Through a Branch Office VPN Tunnel 1082
Configure Mobile VPN Client Routes 1082
Configure Manual Branch Office VPN Routes 1083
Configure BOVPN Virtual Interface Routes 1084
Configure Policies to Allow the Connection 1084
Enable Multicast Routing Through a Branch Office VPN Tunnel 1086
About Helper Addresses 1086
Enable an XTM Device to Send Multicast Traffic Through a Tunnel 1087
Enable an XTM Device to Receive Multicast Traffic Through a Tunnel 1090
Enable an XTM Device to Send Multicast Traffic Through a BOVPN Virtual Interface 1090
Enable an XTM Device to Receive Multicast Traffic Through a BOVPN Virtual Interface 1091
Enable Broadcast Routing Through a Branch Office VPN Tunnel 1092
Enable Broadcast Routing for the Local XTM Device 1093
Configure Broadcast Routing for the XTM Device at the Other End of the Tunnel 1095
Configure Name Resolution Through a Branch Office VPN Tunnel 1095
Methods of Name Resolution Through a Branch Office VPN Tunnel 1095
Select the Best Method for Your Network 1095
Configure WINS or DNS for Name Resolution 1096
Use WINS and DNS Servers for Client Computers 1096
Configure an LMHOSTS File to Provide Name Resolution 1096
Edit an LMHOSTS File 1097
Configure VPN Failover 1098
Define Multiple Gateway Pairs 1099
Configure VPN Modem Failover 1103
Before You Begin 1103
Branch Office VPN Configuration Requirements 1103
Configure a Branch Office VPN Gateway for Modem Failover 1104
Configure a Branch Office VPN Virtual Interface for Modem Failover 1107
Configure the Gateway on the Remote Device 1107
Configure Tunnels 1108
About Modem Failover 1108
VPN Modem Failover and Multi-WAN 1109
Example 1: Single WAN at Both Sites 1109
Example 2: Multi-WAN at the Small Office 1110
Example 3: Multi-WAN at the Central Office 1110
Multi-WAN at Both Sites 1111
See VPN Statistics 1111
Rekey BOVPN Tunnels 1112
Related Questions About Branch Office VPN Set Up 1112
Why do I Need a Static External Address? 1112
How do I Get a Static External IP Address? 1112
How do I Troubleshoot the Connection? 1112
Why is Ping not Working? 1112
Troubleshoot Branch Office VPN Tunnels 1113
Use the VPN Diagnostic Report 1113
Filter Branch Office VPN Log Messages 1114
Improve Branch Office VPN Tunnel Availability 1116
BOVPN Virtual Interface Examples 1120
BOVPN Virtual Interface with Dynamic Routing 1121
BOVPN Virtual Interface with Metric-Based Failover 1131
Mobile VPN with PPTP 1139
About Mobile VPN with PPTP 1139
Mobile VPN with PPTP Requirements 1139
Encryption Levels 1140
Configure Mobile VPN with PPTP 1140
Authentication 1141
Encryption Settings 1141
Add to the IP Address Pool 1141
Advanced Tab Settings 1142
Configure PPTP Policies 1144
Configure WINS and DNS Servers 1144
Add New Users to the PPTP-Users Group 1146
Configure Policies to Allow Mobile VPN with PPTP Traffic 1147
Configure Policies to Allow Mobile VPN with PPTP Traffic 1148
Allow PPTP Users to Access a Trusted Network 1148
Use Other Groups or Users in a PPTP Policy 1149
Options for Internet Access Through a Mobile VPN with PPTP Tunnel 1149
Default-Route VPN 1149
Split Tunnel VPN 1150
Default-Route VPN Setup for Mobile VPN with PPTP 1150
Split Tunnel VPN Setup for Mobile VPN with PPTP 1150
Prepare Client Computers for PPTP 1152
Create and Connect a PPTP Mobile VPN for Windows 8 1152
Create and Connect a PPTP Mobile VPN for Windows 7 1153
Create and Connect a PPTP Mobile VPN for Windows Vista 1154
Create and Connect a PPTP Mobile VPN for Windows XP 1155
Make Outbound PPTP Connections from Behind an XTM Device 1156
Mobile VPN with IPSec 1157
About Mobile VPN with IPSec 1157
Configure a Mobile VPN with IPSec Connection 1158
System Requirements 1158
Options for Internet Access Through a Mobile VPN with IPSec Tunnel 1160
About Mobile VPN Client Configuration Files 1160
Configure the XTM Device for Mobile VPN with IPSec 1161
Add Users to a Firebox Mobile VPN Group 1168
Modify an Existing Mobile VPN with IPSec Group Profile 1171
Configure WINS and DNS Servers 1182
Lock Down an End User Profile 1183
Generate Mobile VPN with IPSec Configuration Files 1184
Configure Policies to Filter Mobile VPN Traffic 1185
Distribute the Software and Profiles 1187
Additional Mobile VPN Topics 1189
Configure Mobile VPN with IPSec to a Dynamic IP Address 1191
About the XTM IPSec Mobile VPN Client 1193
Client Requirements 1193
Install the IPSec Mobile VPN Client Software 1193
Connect and Disconnect the Mobile VPN Client 1198
See Mobile VPN Log Messages 1201
Secure Your Computer with the Mobile VPN Firewall 1202
End-User Instructions for WatchGuard IPSec Mobile VPN Client Installation 1204
About the Shrew Soft VPN Client 1214
Shrew Soft VPN Client Limitations 1214
Shrew Soft VPN End-User Profile 1215
Install the Shrew Soft VPN Client Software 1215
Import Certificates to the Shrew Soft VPN Client 1216
Use the Shrew Soft VPN Client to Connect 1218
Troubleshoot the Shrew Soft VPN Client 1220
About the WatchGuard Mobile VPN App 1221
WatchGuard Mobile VPN App for Android 1221
WatchGuard Mobile VPN App for iOS 1222
Mobile VPN App End-User Profile 1222
Use the Mac OS X or iOS Native IPSec VPN Client 1223
Configure the XTM Device 1223
Configure the VPN Client on an iOS Device 1229
Configure the VPN Client on a Mac OS X Device 1230
Use Mobile VPN with IPSec with an Android Device 1231
Configure the XTM Device 1232
Configure the WatchGuard Mobile VPN App 1236
Configure the Native Android 4.x VPN Client 1237
Mobile VPN with SSL 1241
About Mobile VPN with SSL 1241
Configure the XTM Device for Mobile VPN with SSL 1241
Before You Begin 1242
Configure Connection Settings 1243
Configure the Networking and IP Address Pool Settings 1244
Configure Authentication Settings 1245
Configure Advanced Settings for Mobile VPN with SSL 1249
Configure Policies to Control Mobile VPN with SSL Client Access 1251
Choose the Port and Protocol for Mobile VPN with SSL 1253
Options for Internet Access Through a Mobile VPN with SSL Tunnel 1255
Name Resolution for Mobile VPN with SSL 1256
Configure the External Authentication Server 1258
Install and Connect the Mobile VPN with SSL Client 1259
Client Computer Requirements 1259
Download the Client Software 1259
Install the Client Software 1261
Connect to Your Private Network 1262
Other Connection Options 1263
Mobile VPN with SSL Client Controls 1264
Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File 1264
Uninstall the Mobile VPN with SSL Client 1266
Use Mobile VPN with SSL with an OpenVPN Client 1267
Requirements 1267
Download the Mobile VPN with SSL Client Profile 1268
Import the Client Profile 1269
Mobile VPN with L2TP 1270
About Mobile VPN with L2TP 1271
Client Compatibility 1271
Authentication Server Compatibility 1271
Licensing 1271
Options for Internet Access Through a Mobile VPN with L2TP Tunnel 1272
Default-Route VPN 1272
Split Tunnel VPN 1272
Default-Route VPN Setup for Mobile VPN with L2TP 1272
Split Tunnel VPN Setup for Mobile VPN with L2TP 1273
About L2TP User Authentication 1275
Use the WatchGuard L2TP Setup Wizard 1276
Before you Begin 1276
Start the L2TP Setup Wizard 1276
Edit the Mobile VPN with L2TP Configuration 1281
Edit the Virtual IP Address Pool 1282
Edit Network Settings 1282
Edit Authentication Settings 1283
Edit L2TP IPSec Settings 1285
Configure Mobile Clients 1289
Add an L2TP IPSec Phase 1 Transform 1289
Configure L2TP IPSec Phase 1 Advanced Settings 1291
Add an L2TP IPSec Phase 2 Proposal 1292
About L2TP Policies 1294
Configure WINS and DNS Servers 1294
Configure Client Devices for Mobile VPN with L2TP 1296
Configure and Use L2TP on Windows 8 1296
Configure and Use L2TP on Windows 7 1298
Configure and Use L2TP on Windows XP 1300
Configure and Use L2TP on Mac OS X 1302
Configure and Use L2TP on Android 1304
About L2TP Connections from an iOS Device 1305
Configure Mobile VPN with L2TP for Use with iOS Devices 1306
Generate and Distribute the L2TP Mobile Client Profile 1309
Import the L2TP Configuration to the iOS VPN Client 1311
Manually Configure L2TP on an iOS Device 1312
Connect from an L2TP VPN Client 1313
WebBlocker 1315
About WebBlocker 1315
WebBlocker Server Options 1315
WebBlocker and Policies 1316
WebBlocker Licensing 1316
Install a Local WebBlocker Server 1316
Get Started with WebBlocker 1317
WebBlocker Server Options 1317
Create a WebBlocker Profile 1317
Configure the HTTP-Proxy and HTTPS-Proxy Policies 1319
Apply a WebBlocker Profile to HTTP and HTTPS Proxy Actions 1319
Configure WebBlocker Servers 1320
Change Categories to Block 1322
About WebBlocker Websense Categories 1326
See How Websense Categorizes a Site 1326
Request a Websense Category Change 1326
About WebBlocker SurfControl Categories 1327
See How SurfControl Categorizes a Site 1327
Request a SurfControl Category Change 1328
About WebBlocker Exceptions 1329
Define the Action for Sites that do not Match Exceptions 1329
Components of Exception Rules 1330
Exceptions with Part of a URL 1330
Add WebBlocker Exceptions 1330
Define Advanced WebBlocker Options 1334
Local Override 1335
Cache Size 1335
Server Timeout 1335
License Bypass 1336
Diagnostic Log Level 1336
About the WebBlocker Cache 1337
Use WebBlocker Local Override 1337
Define WebBlocker Alarms 1338
About WebBlocker Subscription Services Expiration 1339
spamBlocker 1341
About spamBlocker 1341
spamBlocker Requirements 1342
spamBlocker Actions, Tags, and Categories 1342
Configure spamBlocker 1345
Before You Begin 1345
Configure spamBlocker for an SMTP or POP3 Proxy Action 1345
About spamBlocker Exceptions 1348
Configure Virus Outbreak Detection Actions 1350
Configure spamBlocker to Quarantine Email 1352
About Using spamBlocker with Multiple Proxies 1352
Configure Global spamBlocker Settings 1352
Use an HTTP Proxy Server for spamBlocker 1354
Add Trusted Email Forwarders to Improve Spam Score Accuracy 1354
Enable and Set Parameters for Virus Outbreak Detection (VOD) 1355
About spamBlocker Proactive Patterns 1357
About spamBlocker Scan Limits 1357
Create Rules for Your Email Reader 1357
Send Spam to an Outlook Folder 1358
Monitor spamBlocker Statistics 1359
Report False Positives or Missed Spam 1359
Send Feedback to CYREN 1359
Report Feedback About a Confidential Message 1360
Find the Category a Message is Assigned To 1360
Reputation Enabled Defense 1361
About Reputation Enabled Defense 1361
Reputation Thresholds 1361
Reputation Scores 1362
Reputation Lookups 1362
Reputation Enabled Defense Feedback 1363
Configure Reputation Enabled Defense 1363
Before You Begin 1364
Configure Reputation Enabled Defense for a Proxy Action 1365
Configure the Reputation Thresholds 1366
Send Gateway AV Scan Results to WatchGuard 1366
Gateway AntiVirus 1369
About Gateway AntiVirus 1369
Install and Upgrade Gateway AV 1370
About Gateway AntiVirus and Proxy Policies 1370
Configure the Gateway AntiVirus Service 1371
Before You Begin 1371
Configure the Gateway AntiVirus Service 1372
Configure Gateway AntiVirus Actions 1372
Configure Gateway AntiVirus to Quarantine Email 1377
About Gateway AntiVirus Scan Limits 1377
Update Gateway AntiVirus Settings 1378
If you Use a Third-Party Antivirus Client 1378
Configure Gateway AV Decompression Settings 1378
Configure the Gateway AV Update Server 1379
APT Blocker 1382
About APT Blocker 1382
Supported Proxy Policies 1383
Supported File Types 1383
APT Threat Levels 1383
Enable and Configure APT Blocker 1385
APT Blocker and Other Security Services 1385
APT Blocker and Gateway AntiVirus 1385
APT Blocker and Reputation Enabled Defense (RED) 1385
APT Blocker and WebBlocker 1386
Configure APT Blocker 1386
APT Blocker and NTP 1387
Enable APT Blocker and Configure APT Blocker Actions 1387
Configure Other APT Blocker Settings 1388
Enable or Disable APT Blocker for a Proxy Policy 1388
Configure APT Blocker Notification 1390
Monitor APT Blocker Activity 1390
Intrusion Prevention Service 1393
About Intrusion Prevention Service 1393
IPS Threat Levels 1393
Add the IPS Upgrade 1394
Keep IPS Signatures Updated 1394
See IPS Status 1394
Configure Intrusion Prevention 1394
Enable IPS and Configure IPS Actions 1394
Configure Other IPS Settings 1396
Disable or Enable IPS for a Policy 1396
Configure the IPS Update Server 1397
Configure Automatic Signature Updates 1397
Connect to the Update Server Through an HTTP Proxy Server 1398
Block Access from the Trusted Network to the Update Server 1399
Update Signatures Manually 1399
Show IPS Signature Information 1400
See IPS Signatures 1400
Search, Sort and Filter the IPS Signatures 1401
Add an IPS Exception 1401
Configure IPS Exceptions 1402
Find the IPS Signature ID 1402
Add an IPS Signature Exception 1402
Configure IPS Notification 1404
Look Up IPS Signatures on the Security Portal 1404
Application Control 1407
About Application Control 1407
Application Control Deny Message 1407
Add the Application Control Upgrade 1408
Keep Application Control Signatures Updated 1408
Application Control: Begin with Monitoring 1409
Monitor Application Use 1409
Application Control Reports 1410
Policy Guidelines for Application Control 1412
Global Application Control Action 1413
Configure Application Control Actions 1413
Add or Edit Application Control Actions 1414
Remove Configured Applications From an Application Control Action 1417
Apply an Application Control Action to a Policy 1418
Clone an Application Control Action 1418
Remove Application Control Actions 1419
Use Application Categories 1420
Configure Application Control for Policies 1422
Enable Application Control in a Policy 1423
Get Information About Applications 1424
Configure the Application Control Update Server 1425
Configure Signature Updates 1425
Connect to the Update Server Through an HTTP Proxy Server 1426
Block Access from the Trusted Network to the Update Server 1427
Update Signatures Manually 1427
Application Control and Proxies 1427
Application Control and WebBlocker 1428
Manage SSL Applications 1428
Manage Evasive Applications 1428
Block User Logins to Skype 1429
Manage Applications that Use Multiple Protocols 1430
Example: Block FlashGet 1430
File Transfer Applications and Protocols 1431
Monitor Downloads and File Transfers 1433
Manage Facebook Applications 1434
Application Control Policy Examples 1436
Allow an Application For a Group of Users 1436
Block Applications During Business Hours 1437
Data Loss Prevention 1439
About Data Loss Prevention 1440
DLP Text Extraction and File Types 1440
Add the DLP Upgrade 1442
About DLP and Proxy Policies 1442
About DLP False Positives 1442
Configure Data Loss Prevention 1443
Enable DLP and Configure DLP Sensors 1443
Configure other DLP Settings 1443
Configure DLP Custom Rule 1444
Add a Custom Rule 1444
Add a Custom Rule to a DLP Sensor 1445
Configure DLP Sensors 1447
DLP and Device Performance 1447
Rules 1447
Actions 1448
Settings 1449
Sensor Types 1449
Add a Sensor 1449
Clone a Sensor 1452
Edit a Sensor 1452
Add or Edit Sensor Actions 1454
Reorder Sensor Actions 1455
Configure Sensor Scan Settings 1456
Delete a Sensor 1456
Configure DLP Scan Settings 1457
About DLP Scan Limits 1459
Configure DLP for Policies 1460
Enable DLP Sensors for Policies 1460
Select the DLP Sensor in a Proxy Action 1461
Configure the DLP Update Server 1462
Configure Signature Updates 1462
Connect to the Update Server Through an HTTP Proxy Server 1463
Block Access from the Trusted Network to the Update Server 1463
Update Signatures Manually 1463
Monitor DLP Activity 1464
Look Up DLP Rules on the Security Portal 1465
Quarantine Server 1467
About the Quarantine Server 1467
Configure the XTM Device to Quarantine Email 1468
Define the Quarantine Server Location on the XTM Device 1468
User Management of Quarantined Messages 1470
Manage Quarantined Messages 1470
Change Quarantine Notification Settings 1471
1 Introduction to Network Security
About Networks and Network Security
A network is a group of computers and other devices that are connected to each other. It can be two
computers in the same room, dozens of computers in an organization, or many computers around the
world connected through the Internet. Computers on the same network can work together and share
data.
Although networks like the Internet give you access to a large quantity of information and business
opportunities, they can also open your network to attackers. Many people think that their computers
hold no important information, or that a hacker is not interested in their computers. This is not correct. A
hacker can use your computer as a platform to attack other computers or networks. Information from
your organization, including personal information about users, employees, or customers, is also
valuable to hackers.
Your XTM device and LiveSecurity subscription can help you prevent these attacks. A good network
security policy, or a set of access rules for users and resources, can also help you find and prevent
attacks to your computer or network. We recommend that you configure your XTM device to match
your security policy, and think about threats from both inside and outside your organization.
About Internet Connections
ISPs (Internet service providers) are companies that give access to the Internet through network
connections. The rate at which a network connection can send data is known as bandwidth: for
example, 3 megabits per second (Mbps).
A high-speed Internet connection, such as a cable modem, DSL (Digital Subscriber Line), or fiber, is
known as a broadband connection. Broadband connections are much faster than dial-up connections.
The bandwidth of a dial-up connection is less than 0.1 Mbps, while a cable modem can be 5 Mbps or
more. The bandwidth of a fiber optic connection is even higher.
Typical speeds for cable modems are usually lower than the maximum speeds, because each
computer in a neighborhood is a member of a LAN. Each computer in that LAN uses some of the
bandwidth. Because of this shared-medium system, cable modem connections can become slow
when more users are on the network.
DSL connections supply constant bandwidth, but they are usually slower than cable modem
connections. Also, the bandwidth is only constant between your home or office and the DSL central
office. The DSL central office cannot guarantee a good connection to a web site or network.
How Information Travels on the Internet
The data that you send through the Internet is cut into units, or packets. Each packet includes the
Internet address of the destination. The packets that make up a connection can use different routes
through the Internet. When they all get to their destination, they are assembled back into the original
order. To make sure that the packets get to the destination, address information is added to the
packets.
About Protocols
A protocol is a group of rules that allow computers to connect across a network. Protocols are the
grammar of the language that computers use when they speak to each other across a network. The
standard protocol when you connect to the Internet is the IP (Internet Protocol). This protocol is the
usual language of computers on the Internet.
A protocol also tells how data is sent through a network. The most frequently used protocols are TCP
(Transmission Control Protocol) and UDP (User Datagram Protocol). TCP/IP is the basic protocol
used by computers that connect to the Internet.
You must know some of the TCP/IP settings when you set up your XTM device. For more information
on TCP/IP, see Find Your TCP/IP Properties on page 42.
About IP Addresses
To send ordinary mail to a person, you must know his or her street address. For one computer on the
Internet to send data to a different computer, it must know the address of that computer. A computer
address is known as an Internet Protocol (IP) address. All devices on the Internet have unique IP
addresses, which enable other devices on the Internet to find and interact with them.
Fireware XTM supports both IPv4 and IPv6 addresses. IPv6 addresses are supported only when the
XTM device is configured in mixed routing mode.
For more information about Fireware XTM support for IPv6, see About IPv6 Support.
IPv4 Addresses
An IPv4 address consists of four octets (8-bit binary number sequences) expressed in decimal format
and separated by periods. Each number between the periods must be within the range of 0 and 255.
Some examples of IPv4 addresses are:
- 206.253.208.100
- 4.2.2.2
- 10.0.4.1
Private Addresses and Gateways
Many companies create private networks that have their own address space. The addresses 10.x.x.x
and 192.168.x.x are reserved for private IP addresses. Computers on the Internet cannot use these
addresses. If your computer is on a private network, you connect to the Internet through a gateway
device that has a public IP address.
Usually, the default gateway is the router that is between your network and the Internet. After you
install the XTM device on your network, it becomes the default gateway for all computers connected to
its trusted or optional interfaces.
About Subnet Masks
Because of security and performance considerations, networks are often divided into smaller portions
called subnets. All devices in a subnet have similar IP addresses. For example, all devices that have
IP addresses whose first three octets are 10.0.1 would belong to the same subnet.
The subnet mask for a network IP address, or netmask, is a series of bits that mask sections of the IP
address that identify which parts of the IP address are for the network and which parts are for the host.
A subnet mask can be written in the same way as an IP address, or in slash or CIDR notation.
IPv6 Addresses
IPv6 increases the IP address size from the 32 bits found in IPv4 to 128 bits. This allows for a more
structured hierarchy in addresses, and supports a much larger total number of addresses.
IPv6 Address Format
An IPv6 address contains eight groups of 16-bit hexadecimal values, separated by colons (:). The
hexadecimal digits are not case-sensitive. Some examples of IPv6 addresses are:
- 2561:1900:4545:0003:0200:F8FF:FE21:67CF
- 2260:F3A4:32CB:715D:5D11:D837:FC76:12FC
- FE80:0000:0000:0000:2045:FAEB:33AF:8374
The first four groups of 16-bit hexadecimal values represent the network. The last four groups of 16-bit
hexadecimal values are the interface ID that uniquely identifies each networked device. This value is
usually derived from the MAC address of the device.
Shorten an IPv6 Address
There are two ways you can shorten the notation of an IPv6 address:
- Remove leading zeros: In each 16-bit hexadecimal address group, you can remove the
leading zeros. For example, these two IPv6 addresses are equivalent:
2561:1900:4545:0003:0200:F8FF:FE21:67CF
2561:1900:4545:3:200:F8FF:FE21:67CF
- Remove groups of zeros: If an IPv6 address contains adjacent groups of 16-bit
hexadecimal values that are all zeros (0000), you can replace one group of adjacent blocks of
zeros with two colons (::). For example, these two IPv6 addresses are equivalent:
FE80:0000:0000:0000:2045:FAEB:33AF:8374
FE80::2045:FAEB:33AF:8374
You can use two colons (::) only once in an IPv6 address to represent adjacent groups with all
zeros.
IPv6 Prefix
The IPv6 prefix indicates the subnet associated with an IPv6 address. The prefix is expressed as a
slash (/) followed by the prefix size, which is a decimal number between 1 and 128. The prefix size
indicates how many bits of the address make up the network identifier prefix. Examples of IPv6
prefixes are:
- /64: The prefix used for a single subnet
- /48: Prefix used for a site that could have multiple subnets
About Slash Notation
Your XTM device uses slash notation, also known as CIDR (Classless Inter-Domain Routing)
notation, for many purposes, such as policy configuration. You use slash notation differently for IPv4
and IPv6 addresses.
IPv4
Slash notation is a compact way to show or write an IPv4 subnet mask. When you use slash notation,
you write the IP address, a forward slash (/), and the subnet mask number.
To find the subnet mask number:
1. Convert the decimal representation of the subnet mask to a binary representation.
2. Count each 1 in the subnet mask. The total is the subnet mask number.
For example, to write the IPv4 address 192.168.42.23 with a subnet mask of 255.255.255.0 in slash
notation:
1. Convert the subnet mask to binary.
In this example, the binary representation of 255.255.255.0 is:
11111111.11111111.11111111.00000000.
2. Count each 1 in the subnet mask.
In this example, there are twenty-four (24).
3. Write the original IP address, a forward slash (/), and then the number from Step 2.
The result is 192.168.42.23/24.
This table shows common network masks and their equivalents in slash notation.
Network Mask Slash Equivalent
255.0.0.0 /8
255.255.0.0 /16
255.255.255.0 /24
255.255.255.128 /25
255.255.255.192 /26
255.255.255.224 /27
255.255.255.240 /28
255.255.255.248 /29
255.255.255.252 /30
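The three-step conversion and the table above, worked in code. This is an added Python example, not code from the User Guide or from WatchGuard; it uses only the standard library, the address and mask from the text (192.168.42.23 and 255.255.255.0), and one constructed mask, 255.0.255.0, to show the check a practitioner wants at this point: a mask whose 1 bits are not contiguous has no slash equivalent, so it is rejected rather than silently counted. The same_subnet function applies the mask to both addresses, which is the "first three octets" rule from About Subnet Masks stated for any prefix length.

```python
# Added example (not from the User Guide): IPv4 dotted-decimal masks,
# slash (CIDR) notation, and subnet membership, standard library only.


def _dotted_to_int(dotted: str) -> int:
    """Parse a dotted-decimal IPv4 address or mask into a 32-bit integer."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 value: {dotted!r}")
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    return value


def _int_to_dotted(value: int) -> str:
    """Inverse of _dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(mask: str) -> int:
    """Steps 1 and 2 from the text: convert the mask to binary and count the 1 bits.

    A mask whose 1 bits are not contiguous (constructed example: 255.0.255.0)
    has no slash equivalent, so it is rejected instead of silently counted.
    """
    bits = f"{_dotted_to_int(mask):032b}"  # 255.255.255.0 -> 24 ones then 8 zeros
    ones = bits.count("1")
    if bits != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"non-contiguous mask has no slash equivalent: {mask!r}")
    return ones


def prefix_to_mask(prefix: int) -> str:
    """Inverse of mask_to_prefix; reproduces the Network Mask table in the text."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix must be 0..32, got {prefix}")
    return _int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def to_slash(address: str, mask: str) -> str:
    """Step 3: the address, a forward slash, and the count from mask_to_prefix."""
    return f"{_int_to_dotted(_dotted_to_int(address))}/{mask_to_prefix(mask)}"


def same_subnet(address_a: str, address_b: str, prefix: int) -> bool:
    """True when both addresses share the network part selected by the prefix."""
    mask = _dotted_to_int(prefix_to_mask(prefix))
    return (_dotted_to_int(address_a) & mask) == (_dotted_to_int(address_b) & mask)


def mask_table() -> dict:
    """The common masks from the text, keyed by mask, as a cross-check of the table."""
    return {prefix_to_mask(p): f"/{p}" for p in (8, 16, 24, 25, 26, 27, 28, 29, 30)}


if __name__ == "__main__":
    print(to_slash("192.168.42.23", "255.255.255.0"))   # 192.168.42.23/24
    print(same_subnet("10.0.1.5", "10.0.1.200", 24))     # True
    for mask, slash in mask_table().items():
        print(f"{mask:<18}{slash}")
```

mask_to_prefix works on the binary string exactly as the text describes, so the contiguity test is a string comparison against the only shape a valid mask can have. Rejecting a non-contiguous mask matters because a policy written against such a mask does not select the range of hosts its author expects.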
IPv6
In IPv6, slash notation is used to represent the network identifier prefix for an IPv6 network. The prefix
is expressed as a slash (/) followed by the prefix size, which is a decimal number between 1 and 128.
The CIDR notation works exactly the same as with IPv4, which means if you have a /48, that means
the first 48 bits of the address are the prefix.
This table shows common IPv6 network prefixes and the number of IPv6 subnets and IPv6 addresses
they support.
Prefix Number of Subnets
/64 1 IPv6 subnet with up to 18,446,744,073,709,551,616 IPv6 host addresses
/56 256 /64 subnets
/48 65,536 /64 subnets
A network site that is assigned a /48 prefix can use prefixes in the range /49 to /64 to define valid
subnets.
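The two shortening rules from Shorten an IPv6 Address, and the prefix arithmetic from IPv6 Prefix and this section, worked in code. This is an added Python example, not code from the User Guide or from WatchGuard; it uses only the standard library and the sample addresses the text gives. It goes slightly beyond the text in one respect: it emits hexadecimal digits in lowercase and leaves a single all-zero group as 0 instead of compressing it, which is the canonical form RFC 5952 specifies; the uppercase forms in the text are the same addresses.

```python
# Added example (not from the User Guide): IPv6 address shortening and
# prefix arithmetic, standard library only.

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(address: str) -> list:
    """Undo both shortening rules: return the eight 16-bit groups as integers.

    Accepts the full form, the form with leading zeros removed, and the form
    with one '::' run; a second '::' or a wrong group count is rejected.
    """
    if address.count("::") > 1:
        raise ValueError(f"'::' may appear only once: {address!r}")
    if "::" in address:
        head, tail = address.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one group: {address!r}")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = address.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups: {address!r}")
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX_DIGITS:
            raise ValueError(f"bad 16-bit group {g!r} in {address!r}")
    return [int(g, 16) for g in groups]


def shorten_ipv6(address: str) -> str:
    """Apply the two rules from the text, producing the RFC 5952 canonical form.

    Rule 1: drop leading zeros in every group (a zero group becomes '0').
    Rule 2: replace the longest run of two or more zero groups with '::',
    once only; on a tie the leftmost run is chosen. A single zero group is
    left as '0', as RFC 5952 requires. Digits are emitted in lowercase.
    """
    values = expand_ipv6(address)
    groups = [f"{v:x}" for v in values]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if values[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and values[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def ipv6_prefix(address: str, prefix_len: int) -> str:
    """Keep the first prefix_len bits (the network identifier prefix) and return
    the result in shortened slash notation, e.g. '2561:1900:4545::/48'."""
    if not 1 <= prefix_len <= 128:
        raise ValueError(f"prefix length must be 1..128, got {prefix_len}")
    value = 0
    for v in expand_ipv6(address):
        value = (value << 16) | v
    host_bits = 128 - prefix_len
    network = (value >> host_bits) << host_bits        # clear the host bits
    full = ":".join(f"{(network >> shift) & 0xFFFF:04x}" for shift in range(112, -1, -16))
    return f"{shorten_ipv6(full)}/{prefix_len}"


def subnet_count(site_prefix: int, subnet_prefix: int = 64) -> int:
    """Number of /subnet_prefix subnets in a /site_prefix allocation
    (the Prefix table in the text: /56 -> 256 and /48 -> 65,536 /64 subnets)."""
    if not 1 <= site_prefix <= subnet_prefix <= 128:
        raise ValueError("need 1 <= site_prefix <= subnet_prefix <= 128")
    return 1 << (subnet_prefix - site_prefix)


def host_count(prefix_len: int) -> int:
    """Number of interface-ID values in one prefix: a /64 has 2**64 of them."""
    if not 1 <= prefix_len <= 128:
        raise ValueError(f"prefix length must be 1..128, got {prefix_len}")
    return 1 << (128 - prefix_len)


if __name__ == "__main__":
    for sample in ("2561:1900:4545:0003:0200:F8FF:FE21:67CF",
                   "FE80:0000:0000:0000:2045:FAEB:33AF:8374"):
        print(sample, "->", shorten_ipv6(sample))
    print(ipv6_prefix("2561:1900:4545:0003:0200:F8FF:FE21:67CF", 48))
    print(subnet_count(48), "/64 subnets in a /48")
```

expand_ipv6 is the inverse of both rules, so round-tripping an address through expand_ipv6 and shorten_ipv6 gives one canonical spelling; comparing addresses in that form, rather than as typed, avoids treating FE80:0:0:0:2045:FAEB:33AF:8374 and FE80::2045:FAEB:33AF:8374 as two different hosts.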
About Entering Addresses
IPv4 Addresses
When you type IPv4 addresses in the Quick Setup Wizard or dialog boxes, type the digits and
decimals in the correct sequence. Do not use the TAB key, arrow keys, spacebar, or mouse to put your
cursor after the decimals.
For example, if you type the IP address 172.16.1.10, do not type a space after you type 16. Do not try
to put your cursor after the subsequent decimal to type 1. Type a decimal directly after 16, and then
type 1.10. Press the slash (/) key to move to the netmask.
IPv6 Addresses
When you type IPv6 addresses in a text box, simply type the IP address with the colons to separate
each group of numbers in the address. To shorten an IP address, you can remove leading zeros in each
group of numbers and you can use a double colon (::) to replace adjacent groups of zeros in the
address.
For more information about IPv6 addresses, see About IP Addresses.
Static and Dynamic IP Addresses
ISPs (Internet service providers) assign an IP address to each device on their network. The IP address
can be static or dynamic.
Static IP Addresses
A static IP address is an IP address that always stays the same. If you have a web server, FTP
server, or other Internet resource that must have an address that cannot change, you can get a static
IP address from your ISP. A static IP address is usually more expensive than a dynamic IP address,
and some ISPs do not supply static IP addresses. You must configure a static IP address manually.
Dynamic IP Addresses
A dynamic IP address is an IP address that an ISP lets you use temporarily. If a dynamic address is
not in use, it can be automatically assigned to a different device. Dynamic IP addresses are assigned
using either DHCP or PPPoE.
About DHCP
Dynamic Host Configuration Protocol (DHCP) is an Internet protocol that computers on a network use
to get IP addresses and other information such as the default gateway. When you connect to the
Internet, a computer configured as a DHCP server at the ISP automatically assigns you an IP address.
It could be the same IP address you had before, or it could be a new one. When you close an Internet
connection that uses a dynamic IP address, the ISP can assign that IP address to a different
customer.
You can configure your XTM device as a DHCP server for networks behind the device. You assign a
range of addresses for the DHCP server to use.
About PPPoE
Some ISPs assign IP addresses through Point-to-Point Protocol over Ethernet (PPPoE). PPPoE adds
some of the features of Ethernet and PPP to a standard dial-up connection. This network protocol
allows the ISP to use the billing, authentication, and security systems of their dial-up infrastructure
with DSL modem and cable modem products.
About DNS (Domain Name System)
You can frequently find the address of a person you do not know in the telephone directory. On the
Internet, the equivalent to a telephone directory is the DNS (Domain Name System). DNS is a network
of servers that translate numeric IP addresses into readable Internet addresses, and vice versa. DNS
takes the friendly domain name you type when you want to see a particular web site, such as
www.example.com, and finds the equivalent IP address, such as 203.0.113.2. Network devices need
the actual IP address to find the web site, but domain names are much easier for users to type and
remember than IP addresses.
A DNS server is a server that performs this translation. Many organizations have a private DNS server
in their network that responds to DNS requests. You can also use a DNS server on your external
network, such as a DNS server provided by your ISP (Internet Service Provider.)
About Firewalls
A network security device, such as a firewall, separates your internal networks from external network
connections to decrease the risk of an external attack. The figure below shows how a firewall protects
the computers on a trusted network from the Internet.
Firewalls use access policies to identify and filter different types of information. They can also control
which policies or ports the protected computers can use on the Internet (outbound access). For
example, many firewalls have sample security policies that allow only specified traffic types. Users
can select the policy that is best for them. Other firewalls, such as XTM devices, allow the user to
customize these policies.
For more information, see About Services and Policies on page 9 and About Ports on page 10.
Firewalls can be in the form of hardware or software. A firewall protects private networks from
unauthorized users on the Internet. Traffic that enters or leaves the protected networks is examined by
the firewall. The firewall denies network traffic that does not match the security criteria or policies.
In some closed, or default-deny, firewalls, all network connections are denied unless there is a specific
rule to allow the connection. To deploy this type of firewall, you must have detailed information about
the network applications required to meet the needs of your organization. Other firewalls allow all network
connections that have not been explicitly denied. This type of open firewall is easier to deploy, but it is
not as secure.
About Services and Policies
You use a service to send different types of data (such as email, files, or commands) from one
computer to another across a network or to a different network. These services use protocols.
Frequently used Internet services are:
n World Wide Web access uses Hypertext Transfer Protocol (HTTP)
n Email uses Simple Mail Transfer Protocol (SMTP) or Post Office Protocol (POP3)
n File transfer uses File Transfer Protocol (FTP)
n Domain name resolution (a domain name to an Internet address) uses Domain Name Service (DNS)
n Remote terminal access uses Telnet or SSH (Secure Shell)
When you allow or deny a service, you must add a policy to your XTM device configuration. Each
policy you add can also add a security risk. To send and receive data, you must open a door in your
computer, which puts your network at risk. We recommend that you add only the policies that are
necessary for your business.
As an example of how you can use a policy, suppose the network administrator of a company wants to
activate a Windows terminal services connection to the company's public web server on the optional
interface of the XTM device. He or she routinely administers the web server with a Remote Desktop
connection. At the same time, he or she wants to make sure that no other network users can use the
Remote Desktop Protocol terminal services through the XTM device. The network administrator would
add a policy that allows RDP connections only from the IP address of his or her own desktop computer
to the IP address of the public web server.
When you configure your XTM device with the Quick Setup Wizard, the wizard adds only limited
outgoing connectivity. If you have more software applications and network traffic for your XTM device
to examine, you must:
n Configure the policies on your XTM device to pass through necessary traffic
n Set the approved hosts and properties for each policy
n Balance the requirement to protect your network against the requirements of your users to get
access to external resources
About Ports
Although computers have hardware ports you use as connection points, ports are also numbers used
to map traffic to a particular process on a computer. These ports, also called TCP and UDP ports, are
where programs transmit data. If an IP address is like a street address, a port number is like an
apartment unit number or building number within that street address. When a computer sends traffic
over the Internet to a server or another computer, it uses an IP address to identify the server or remote
computer, and a port number to identify the process on the server or computer that receives the data.
For example, suppose you want to see a particular web page. Your web browser attempts to create a
connection on port 80 (the port used for HTTP traffic) for each element of the web page. When your
browser receives the data it requests from the HTTP server, such as an image, it closes the
connection.
Many ports are used for only one type of traffic, such as port 25 for SMTP (Simple Mail Transfer
Protocol). Some protocols, such as SMTP, have ports with assigned numbers. Other programs are
assigned port numbers dynamically for each connection. The IANA (Internet Assigned Numbers
Authority) keeps a list of well-known ports. You can see this list at:
http://www.iana.org/assignments/port-numbers
Most policies you add to your XTM device configuration have a port number between 0 and 1024, but
possible port numbers can be from 0 to 65535.
Ports are either open or closed. If a port is open, your computer accepts information and uses the
protocol identified with that port to create connections to other computers. However, an open port is a
security risk. To protect against risks created by open ports, you can block ports used by hackers to
attack your network. For more information, see About Blocked Ports on page 854.
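The policy and port concepts from About Firewalls, About Services and Policies, and About Ports, modelled as an added Python example (not WatchGuard code): a first-match policy evaluator with a default-deny or open fallback, loaded with the RDP-from-one-desktop policy described in the text. The IP addresses and the second HTTP policy are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Well-known port numbers used below (IANA assignments).
HTTP_PORT = 80
SMTP_PORT = 25
RDP_PORT = 3389


@dataclass(frozen=True)
class Policy:
    """One firewall policy: allow or deny a protocol/port between two address ranges."""
    name: str
    action: str   # "allow" or "deny"
    proto: str    # "tcp" or "udp"
    src: str      # source network in slash notation, e.g. 10.0.1.25/32
    dst: str      # destination network in slash notation
    port: int     # destination port

    def matches(self, proto: str, src: str, dst: str, port: int) -> bool:
        return (self.proto == proto
                and self.port == port
                and ip_address(src) in ip_network(self.src, strict=False)
                and ip_address(dst) in ip_network(self.dst, strict=False))


class Firewall:
    """Evaluate policies in order; the first matching policy decides.

    default_deny=True models the closed (default-deny) firewall from the text:
    anything without an explicit allow policy is dropped.
    default_deny=False models the open firewall that passes anything not
    explicitly denied.
    """

    def __init__(self, policies: List[Policy], default_deny: bool = True) -> None:
        self.policies = policies
        self.default_deny = default_deny

    def evaluate(self, proto: str, src: str, dst: str, port: int) -> str:
        for policy in self.policies:
            if policy.matches(proto, src, dst, port):
                return policy.action
        return "deny" if self.default_deny else "allow"


# Constructed sample addressing (assumption, not from the guide): the
# administrator's desktop on the trusted network, a second trusted host,
# and the public web server on the optional network.
ADMIN_DESKTOP = "10.0.1.25"
OTHER_TRUSTED_HOST = "10.0.1.77"
WEB_SERVER = "192.0.2.10"

# The policy from the text: RDP only from the administrator's own desktop
# to the public web server. /32 limits each side to a single host.
RDP_ADMIN_ONLY = Policy(
    name="RDP-admin-to-webserver",
    action="allow",
    proto="tcp",
    src=ADMIN_DESKTOP + "/32",
    dst=WEB_SERVER + "/32",
    port=RDP_PORT,
)

# A second, constructed policy: HTTP to the public web server from any
# source. The wider source range is the wider "open door" the text warns about.
HTTP_PUBLIC = Policy(
    name="HTTP-any-to-webserver",
    action="allow",
    proto="tcp",
    src="0.0.0.0/0",
    dst=WEB_SERVER + "/32",
    port=HTTP_PORT,
)


def decide(default_deny: bool, src: str, port: int, dst: str = WEB_SERVER) -> str:
    """Run one TCP connection attempt through the two sample policies."""
    fw = Firewall([RDP_ADMIN_ONLY, HTTP_PUBLIC], default_deny=default_deny)
    return fw.evaluate("tcp", src, dst, port)


if __name__ == "__main__":
    for mode in (True, False):
        label = "default-deny" if mode else "open"
        print(f"{label} firewall:")
        print("  admin -> web server RDP :", decide(mode, ADMIN_DESKTOP, RDP_PORT))
        print("  other host -> web RDP   :", decide(mode, OTHER_TRUSTED_HOST, RDP_PORT))
        print("  Internet -> web HTTP    :", decide(mode, "198.51.100.4", HTTP_PORT))
        print("  Internet -> web SMTP    :", decide(mode, "198.51.100.4", SMTP_PORT))
```

Running it side by side shows why the text calls the open firewall less secure: the unlisted SMTP and RDP attempts are passed by the open firewall and dropped by the default-deny one.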
The XTM Device and Your Network
Your XTM device is a powerful network security device that controls all traffic between the external
network and the trusted network. If computers with mixed trust connect to your network, you can also
configure an optional network interface that is separate from the trusted network. You can then
configure the firewall on your device to stop all suspicious traffic from the external network to your
trusted and optional networks. If you route all traffic for the mixed trust computers through your optional
network, you can increase the security for those connections and add more flexibility to your security
solution. For example, customers frequently use the optional network for their remote users or for
public servers such as a web server or an email server.
Some customers who purchase an XTM device do not know a lot about computer networks or network
security. Fireware XTM Web UI (web-based user interface) provides many self-help tools for these
customers. Advanced customers can use the advanced integration and multiple WAN support features
of the Fireware XTM OS with a Pro upgrade to connect an XTM device to a larger wide area network.
The XTM device connects to a cable modem, DSL modem, or ISDN router.
You can use the Web UI to safely manage your network security settings from different locations at
any time. This gives you more time and resources to use on other components of your business.
2 Introduction to Fireware XTM
About Fireware XTM
Fireware XTM gives you an easy and efficient way to view, manage, and monitor each XTM device in
your network. The Fireware XTM solution includes four software applications:
n WatchGuard System Manager (WSM)
n Fireware XTM Web UI
n Fireware XTM Command Line Interface (CLI)
n WatchGuard Server Center
You can use one or more of the Fireware XTM applications to configure your network for your
organization. For example, if you have only one XTM 2 Series device, you can perform most
configuration tasks with Fireware XTM Web UI or Fireware XTM Command Line Interface. However,
for more advanced logging and reporting features, you must use WatchGuard Server Center. If you
manage more than one XTM device, or if you have purchased Fireware XTM with a Pro upgrade, we
recommend that you use WatchGuard System Manager (WSM). If you choose to manage and monitor
your configuration with Fireware XTM Web UI, there are some features that you cannot configure.
For more information about these limitations, see Limitations of Fireware XTM Web UI on page 38.
For more information on how to connect to your XTM device with WatchGuard System Manager or
Fireware XTM Command Line Interface, see the Help or User Guide for those products. You can view
and download the most current documentation for these products on the Fireware XTM Product
Documentation page at http://www.watchguard.com/help/documentation/xtm.asp.
Fireware XTM Components
To start WatchGuard System Manager or WatchGuard Server Center from your Windows desktop,
select the shortcut from the Start Menu. You can also start WatchGuard Server Center from an icon in
the System Tray. From these applications, you can launch other tools that help you manage your
network. For example, from WatchGuard System Manager (WSM), you can launch Policy Manager or
HostWatch.
WatchGuard System Manager
WatchGuard System Manager (WSM) is the primary application for network management with your
XTM device. You can use WSM to manage many different XTM devices, even those that use different
software versions. WSM includes a comprehensive suite of tools to help you monitor and control
network traffic.
Policy Manager
You can use Policy Manager to configure your firewall. Policy Manager includes a full set of
pre-configured packet filters, proxy policies, and application layer gateways (ALGs). You can also
make a custom packet filter, proxy policy, or ALG in which you set the ports, protocols, and
other options. Other features of Policy Manager help you to stop network intrusion attempts,
such as SYN Flood attacks, spoofing attacks, and port or address space probes.
Firebox System Manager (FSM)
Firebox System Manager gives you one interface to monitor all components of your XTM
device. From FSM, you can see the real-time status of your XTM device and its configuration.
HostWatch
HostWatch is a real-time connection monitor that shows network traffic between different XTM
device interfaces. HostWatch also shows information about users, connections, ports, and
services.
Log Manager
Log Manager is the WatchGuard WebCenter tool you use to see log file data collected from your
WatchGuard servers and your XTM devices.
Report Manager
Report Manager is the WatchGuard WebCenter tool you use to see Available Reports and to
generate On-Demand reports of the data collected from your Log Servers for all your XTM
devices.
CA Manager
The Certificate Authority (CA) Manager shows a complete list of security certificates installed
on your management computer with Fireware XTM. You can use this application to import,
configure, and generate certificates for use with VPN tunnels and other authentication
purposes.
WatchGuard Server Center
WatchGuard Server Center is the application where you configure and monitor all your WatchGuard
servers.
Management Server
The Management Server operates on a Windows computer. With this server, you can manage
all firewall devices and create virtual private network (VPN) tunnels using a simple drag-and-drop
function. The basic functions of the Management Server are:
n Certificate authority to distribute certificates for Internet Protocol Security (IPSec) tunnels
n VPN tunnel configuration management
n Management for multiple XTM devices
Log Server
The Log Server collects log messages from each XTM device. These log messages are
encrypted when they are sent to the Log Server. The log message format is XML (plain text).
The information collected from firewall devices includes these log messages: traffic, event,
alarm, debug (diagnostic), and statistic.
Report Server
The Report Server periodically consolidates data collected by your Log Servers from your XTM
devices, and then periodically generates reports. Once the data is on the Report Server, you
can use Report Manager to generate and see reports.
Quarantine Server
The Quarantine Server collects and isolates email messages that spamBlocker suspects to be
email spam, or emails that are suspected to have a virus.
For more information, see About the Quarantine Server on page 1467.
WebBlocker Server
The WebBlocker Server operates with the XTM device HTTP proxy to deny user access to
specified categories of web sites. When you configure your XTM device, you specify the
categories of web sites to allow or block.
For more information on WebBlocker and the WebBlocker Server, see About WebBlocker on
page 1315.
Fireware XTM Web UI and Command Line Interface
Fireware XTM Web UI and the Command Line Interface are alternative management solutions that can
perform most of the same tasks as WatchGuard System Manager and Policy Manager. Some
advanced configuration options and features are not available in Fireware XTM Web UI or the
Command Line Interface.
For more information, see About Fireware XTM Web UI on page 37.
Fireware XTM with a Pro Upgrade
The Pro upgrade to Fireware XTM provides several advanced features for experienced customers,
such as server load balancing and additional SSL VPN tunnels. The features available with a Pro
upgrade depend on the type and model of your XTM device.
The Fireware Pro upgrade is not available for Firebox T10 devices.
If you have an XTM 330, 5 Series (models 515, 525, 535, 545), 8 Series, 1050, 1520, 2050, or 2520
device, your device has Fireware XTM with a Pro upgrade by default. If you have an XTM 2 Series or 5
Series (models 505, 510, 520, 530) device, you can purchase Fireware XTM with a Pro upgrade for
your device.
Pro upgrade feature table (column headings and feature rows):
Columns: XTM 2 Series (Pro) (1); XTM 3 Series and 330 (Pro) (1); XTM 5 Series (Pro) (1); XTM 8 Series, 800 Series, 1050, 1500 Series, 2050, and 2500 Series, XTMv (Pro)
Feature rows:
n FireCluster (2)
n Maximum VLANs
n Dynamic Routing (OSPF and BGP)
n Policy-Based Routing
n Server Load Balancing
n Maximum SSL VPN Tunnels
n Multi-WAN Failover
n Multi-WAN Load Balancing
(1) To purchase Fireware XTM with a Pro upgrade for an XTM 2 or 5 Series device, contact your local
reseller.
(2) The FireCluster feature is available for XTM 25 and XTM 26 (active/passive only for wireless
models).
Fireware XTM on an XTMv Device
A WatchGuard XTMv device runs as a virtual machine in a VMware ESXi or Microsoft Hyper-V
environment. It does not run on WatchGuard XTM device hardware. You can use Fireware XTM Web
UI, WatchGuard System Manager, and Fireware XTM Command Line Interface (CLI) to configure and
monitor your WatchGuard XTMv device. Though you can use any of these programs to change an
XTMv device configuration file, there are several Fireware XTM features you cannot use on a
WatchGuard XTMv device.
XTMv Device Limitations
These features are not supported on WatchGuard XTMv devices:
n Active/active FireCluster in an ESXi environment
n FireCluster in a Hyper-V environment
n Bridge mode network configuration
n Hardware diagnostics (the CLI diagnose hardware command)
n Connect a USB drive to automatically create a support snapshot
n Connect a USB drive to automatically restore a saved backup image
n Use the device front panel buttons to start the device in safe mode or recovery mode
You can use the CLI command restore factory-default to start the device with factory default
settings.
n Features that require that the switch be configured in promiscuous mode are not supported for XTMv
on Hyper-V
For information about CLI commands, see the Fireware XTM Command Line Interface Reference on
the XTM Documentation page at http://www.watchguard.com/help/documentation/xtm.asp.
Virtual Switch Configuration
To work correctly, some Fireware XTM networking features require that you configure the virtual
switch on your network in promiscuous mode. These features are:
n Drop-in mode network configuration
n Network bridge
n Mobile VPN with SSL with the Bridged VPN Traffic setting
To use these features on an XTMv device in an ESXi environment, configure the vSwitch to operate in
promiscuous mode.
Virtual switches in Microsoft Hyper-V do not support promiscuous mode, so these features are not
supported in a Hyper-V environment.
To use multiple VLANs on a single interface on an XTMv device in an ESXi environment, configure the
vSwitch for the XTMv VLAN interface to use VLAN ID 4095 (All).
FireCluster vSwitch Configuration
There are additional switch requirements for an active/passive FireCluster in an ESXi environment:
n Configure the vSwitch that connects to the FireCluster management interface to operate in
promiscuous mode
n Configure any vSwitch that connects to a FireCluster external interface to accept MAC address
changes
For detailed steps to set up two XTMv devices as a FireCluster, see the WatchGuard XTMv Setup
Guide available on the XTM Documentation page at
http://www.watchguard.com/help/documentation/xtm.asp.
Hyper-V Virtual Adapter Configuration
Hyper-V supports two types of virtual adapters:
n Network adapters (Hyper-V supports a maximum of 8)
n Legacy network adapters (Hyper-V supports a maximum of 4)
Though all XTMv editions support a maximum of 10 interfaces, the maximum number of interfaces you
can configure for an XTMv virtual machine in a Hyper-V environment is eight, because that is the
maximum number of network adapters Hyper-V supports. XTMv does not support the use of legacy
network adapters.
XTMv Device Installation
You must deploy the XTMv device in the ESXi or Hyper-V environment before you can configure the
XTMv virtual machine.
For detailed steps to set up an XTMv device, see the WatchGuard XTMv Setup Guide available on
the XTM Documentation page at http://www.watchguard.com/help/documentation/xtm.asp.
FIPS Support in Fireware XTM
The Federal Information Processing Standards Publication 140-2, Security Requirements for
Cryptographic Modules (FIPS 140-2), describes the United States Federal Government requirements
for cryptographic modules.
WatchGuard XTM devices are designed to meet the overall requirements for FIPS 140-2 Level 2 security
when configured in a FIPS-compliant manner.
About FIPS Mode
You must use the Command Line Interface (CLI) to enable FIPS mode on an XTM device. When the
XTM device operates in FIPS mode, each time the device is powered on, it runs a set of self-tests
required by the FIPS 140-2 specification. If any of the tests fail, the XTM device writes a message to
the log file and shuts down.
For more information about the CLI commands, see the Command Line Interface Reference at
http://www.watchguard.com/help/documentation.
If you start the device in safe mode or recovery mode, the device does not operate in FIPS mode.
FIPS Mode Operation and Constraints
The XTM device does not operate in FIPS mode by default.
To use your XTM device in FIPS mode:
n Type the CLI command fips enable to enable FIPS mode operation.
n Configure the Admin and Status administrative accounts to use passwords with a minimum of 8
characters.
n When you configure VPN tunnels, you must choose only FIPS-approved authentication and
encryption algorithms (SHA-1, SHA-256, SHA-512, 3DES, AES-128, AES-192, AES-256).
n When you configure VPN tunnels, you must choose Diffie-Hellman Group 2 or Group 5 for IKE
Phase 1 negotiation. Use a minimum of 1024 bits for all RSA keys.
n Do not use a certificate that uses MD5, or any certificate that does not meet the requirements of
the FIPS 140-2 standard.
n Do not configure FireCluster for high availability.
n Do not use Mobile VPN with PPTP.
n Do not use PPPoE.
n Do not use WatchGuard System Manager to manage the XTM device.
n For access to Fireware XTM Web UI, the web browser must be configured to use only TLS 1.0
and FIPS-approved cipher suites.
n For network access to the CLI, telnet and SSH clients must use the SSH v2.0 protocol.
To determine if the XTM device has FIPS mode enabled, type the CLI command show fips.
When you use an XTM device in FIPS mode, your use of the device is subject to these limitations. We
recommend that you consider your requirements carefully before you decide to operate your
XTM device in FIPS mode. In some environments you could be required to use a FIPS-compliant
device, but you might not have to configure the device in a FIPS-compliant manner.
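An added Python example (not WatchGuard code, and not a Fireware configuration format) that checks a proposed configuration against the FIPS mode constraints listed above before the device is switched into that mode; the dictionary keys and the two sample configurations are assumptions constructed for this example.

```python
from typing import Dict, List

# Constraints exactly as listed in the guide for FIPS mode operation.
FIPS_AUTH_ALGS = {"SHA-1", "SHA-256", "SHA-512"}
FIPS_ENC_ALGS = {"3DES", "AES-128", "AES-192", "AES-256"}
FIPS_DH_GROUPS = {2, 5}          # IKE Phase 1 Diffie-Hellman groups
MIN_RSA_BITS = 1024
MIN_ADMIN_PASSPHRASE = 8         # Admin and Status accounts
# Features the guide says must not be used in FIPS mode (keys are assumed).
FORBIDDEN_FEATURES = {
    "firecluster": "FireCluster high availability",
    "mobile_vpn_pptp": "Mobile VPN with PPTP",
    "pppoe": "PPPoE",
    "wsm_management": "WatchGuard System Manager management",
}


def check_fips_config(cfg: Dict) -> List[str]:
    """Return the list of constraint violations; an empty list means none were found.

    The dictionary layout (keys such as "vpn_tunnels", "dh_group", "rsa_bits")
    is invented for this example and is not a Fireware configuration format.
    """
    problems: List[str] = []
    if not cfg.get("fips_enabled", False):
        problems.append("FIPS mode is not enabled (run the CLI command fips enable)")
    for account in ("admin", "status"):
        passphrase = cfg.get("passphrases", {}).get(account, "")
        if len(passphrase) < MIN_ADMIN_PASSPHRASE:
            problems.append(f"{account} passphrase is shorter than {MIN_ADMIN_PASSPHRASE} characters")
    for tunnel in cfg.get("vpn_tunnels", []):
        name = tunnel.get("name", "<unnamed>")
        if tunnel.get("auth") not in FIPS_AUTH_ALGS:
            problems.append(f"tunnel {name}: authentication {tunnel.get('auth')!r} is not FIPS-approved")
        if tunnel.get("encryption") not in FIPS_ENC_ALGS:
            problems.append(f"tunnel {name}: encryption {tunnel.get('encryption')!r} is not FIPS-approved")
        if tunnel.get("dh_group") not in FIPS_DH_GROUPS:
            problems.append(f"tunnel {name}: IKE Phase 1 must use Diffie-Hellman Group 2 or Group 5")
        if tunnel.get("rsa_bits", 0) < MIN_RSA_BITS:
            problems.append(f"tunnel {name}: RSA key must be at least {MIN_RSA_BITS} bits")
        if str(tunnel.get("cert_signature", "")).upper() == "MD5":
            problems.append(f"tunnel {name}: certificate signed with MD5 is not allowed")
    for key, label in FORBIDDEN_FEATURES.items():
        if cfg.get(key, False):
            problems.append(f"{label} must not be used in FIPS mode")
    return problems


# Constructed sample configurations (assumptions for this example only).
COMPLIANT_CONFIG = {
    "fips_enabled": True,
    "passphrases": {"admin": "Xk9#pLq2wErT", "status": "rO7!mVb4sZ"},
    "vpn_tunnels": [
        {"name": "branch-office", "auth": "SHA-256", "encryption": "AES-256",
         "dh_group": 5, "rsa_bits": 2048, "cert_signature": "SHA-256"},
    ],
    "firecluster": False, "mobile_vpn_pptp": False,
    "pppoe": False, "wsm_management": False,
}

# Breaks six of the listed constraints: short Status passphrase, MD5
# authentication, DH group 1, 512-bit RSA key, MD5-signed certificate, PPTP.
NONCOMPLIANT_CONFIG = {
    "fips_enabled": True,
    "passphrases": {"admin": "Xk9#pLq2wErT", "status": "short"},
    "vpn_tunnels": [
        {"name": "legacy-tunnel", "auth": "MD5", "encryption": "AES-128",
         "dh_group": 1, "rsa_bits": 512, "cert_signature": "MD5"},
    ],
    "firecluster": False, "mobile_vpn_pptp": True,
    "pppoe": False, "wsm_management": False,
}

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("non-compliant", NONCOMPLIANT_CONFIG)):
        findings = check_fips_config(cfg)
        print(f"{label}: {len(findings)} violation(s)")
        for finding in findings:
            print("  -", finding)
```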
3 Service and Support
About WatchGuard Support
WatchGuard knows just how important support is when you must secure your network with limited
resources. Our customers require greater knowledge and assistance in a world where security is
critical. LiveSecurity Service gives you the backup you need, with a subscription that supports you
as soon as you register your XTM device.
LiveSecurity Service
Your XTM device includes a subscription to our ground-breaking LiveSecurity Service, which
automatically activates when you activate your product. As soon as you activate, your LiveSecurity
Service subscription gives you access to a support and maintenance program unmatched in the
industry.
LiveSecurity Service comes with the following benefits:
Hardware Warranty with Advance Hardware Replacement
An active LiveSecurity subscription extends the one-year hardware warranty that is included
with each XTM device. Your subscription also provides advance hardware replacement to
minimize downtime in case of a hardware failure. If you experience a hardware failure, and a
certified WatchGuard technician approves your RMA, WatchGuard will ship a replacement unit
to you before you have to send back the original hardware.
Software Updates
Your LiveSecurity Service subscription gives you access to updates to current software and
functional enhancements for your WatchGuard products.
Technical Support
When you need assistance, our expert teams are ready to help:
n For LiveSecurity subscriptions, representatives are available from 6am to 6pm Monday
through Friday in your local time zone.
n For LiveSecurity Plus subscriptions, representatives are available 24/7, 365 days a year.
n Online user forums are moderated by senior support engineers.
Support Resources and Alerts
Your LiveSecurity Service subscription gives you access to a variety of professionally produced
instructional videos, interactive online training courses, and online tools specifically designed to
answer questions you may have about network security in general or the technical aspects of
installation, configuration, and maintenance of your WatchGuard products.
Our Rapid Response Team, a dedicated group of network security experts, monitors the
Internet to identify emerging threats. They then deliver LiveSecurity Broadcasts to tell you
specifically what you can do to address each new menace. You can customize your alert
preferences to fine-tune the kind of advice and alerts the LiveSecurity Service sends you.
LiveSecurity Service Gold
LiveSecurity Service Gold is available for companies that require 24-hour availability. This premium
support service gives expanded hours of coverage and faster response times for around-the-clock
remote support assistance. You can purchase LiveSecurity Service Gold for an individual device or as
an account level subscription.
Service Expiration
To secure your organization, we recommend that you keep your LiveSecurity subscription active.
When your subscription expires, you lose up-to-the-minute security warnings and regular software
updates. This loss can put your network at risk. Damage to your network is much more expensive than
a LiveSecurity Service subscription renewal. If you renew within 30 days, there is no reinstatement
fee.
4 Getting Started
Before You Begin
Before you begin the installation process, make sure you complete the tasks described in the
subsequent sections.
In these installation instructions, we assume your XTM device has one trusted, one
external, and one optional interface configured. To configure additional interfaces on
your device, use the configuration tools and procedures described in the Network
Setup and Configuration topics.
Verify Basic Components
Make sure that you have these items:
n A computer with a 10/100BaseT Ethernet network interface card and a web browser installed
n A WatchGuard XTM device
n A serial cable (blue)
n One crossover Ethernet cable (red)
n One straight Ethernet cable (green)
n Power cable or AC power adapter
Get an XTM Device Feature Key
To enable all of the features on your XTM device, you must register the device on the WatchGuard web
site and get your feature key. If you register your XTM device before you use the Quick Setup Wizard,
you can paste a copy of your feature key in the wizard. The wizard then applies it to your device. If you
do not paste your feature key into the wizard, you can still finish the wizard. Until you add your feature
key, the XTM device allows only one connection to an external network, such as the Internet.
You also get a new feature key to enable optional products or services when you purchase them. After
you register your XTM device or any new feature, you can synchronize your XTM device feature key
with the feature keys kept in your registration profile on the WatchGuard web site. You can use
Fireware XTM Web UI at any time to get your feature key.
To learn how to activate your XTM device and get a feature key, see Get a Feature Key for Your
XTM Device on page 63.
Gather Network Addresses
We recommend that you record your network information before and after you configure your XTM
device. Use the first table below for your network IP addresses before you put the device into
operation. For information about how to identify your network IP addresses, see Identify Your Network
Settings on page 41.
WatchGuard uses slash notation to show the subnet mask. For more information, see About Slash
Notation on page 5. For more information on IP addresses, see About IP Addresses on page 3.
Table 1: Network IP addresses without the XTM device
Wide Area Network _____._____._____._____ / ____
Default Gateway _____._____._____._____
Local Area Network _____._____._____._____ / ____
Secondary Network (if applicable) _____._____._____._____ / ____
Public Server(s) (if applicable) _____._____._____._____
_____._____._____._____
_____._____._____._____
Use the second table for your network IP addresses after you put the XTM device into operation.
External interface
Connects to the external network (typically the Internet) that is not trusted.
Trusted interface
Connects to the private LAN (local area network) or internal network that you want to protect.
Optional interface(s)
Usually connects to a mixed trust area of your network, such as servers in a DMZ (demilitarized
zone). You can use optional interfaces to create zones in the network with different levels of
access.
Table 2: Network IP addresses with the XTM device
Default Gateway _____._____._____._____
External Interface _____._____._____._____ / ____
Trusted Interface _____._____._____._____ / ____
Optional Interface _____._____._____._____ / ____
Secondary Network (if applicable) _____._____._____._____ / ____
Select a Firewall Configuration Mode
You must decide how you want to connect the XTM device to your network before you run the Quick
Setup Wizard. The way you connect the device controls the interface configuration. When you connect
the device, you select the configuration mode, routed or drop-in, that is best suited to your current
network.
Many networks operate best with a mixed routing configuration, but we recommend drop-in mode if:
n You have already assigned a large number of static IP addresses and do not want to change
your network configuration.
n You cannot configure the computers on your trusted and optional networks that have public IP
addresses with private IP addresses.
This table and the descriptions below the table show three conditions that can help you to select a
firewall configuration mode.
Mixed Routing Mode compared with Drop-in Mode:
Condition 1
Mixed Routing Mode: All of the XTM device interfaces are on different networks.
Drop-in Mode: All of the XTM device interfaces are on the same network and have the same IP
address.
Condition 2
Mixed Routing Mode: Trusted and optional interfaces must be on different networks. Each interface
has an IP address on its network.
Drop-in Mode: The computers on the trusted or optional interfaces can have a public IP address.
Condition 3
Mixed Routing Mode: Use static NAT (network address translation) to map public addresses to
private addresses behind the trusted or optional interfaces.
Drop-in Mode: NAT is not necessary because the computers that have public access have public IP
addresses.
For more information about drop-in mode, see Drop-In Mode on page 169.
For more information about mixed routing mode, see Mixed Routing Mode on page 144.
The XTM device also supports a third configuration mode called bridge mode. This mode is less
commonly used. For more information about bridge mode, see Bridge Mode on page 175.
You can use the Web Setup Wizard or the WSM Quick Setup Wizard to create your
initial configuration. When you run the Web Setup Wizard, the firewall configuration is
automatically set to mixed routing mode. When you run the WSM Quick Setup
Wizard, you can configure the device in mixed routing mode or drop-in mode.
You can now start the Quick Setup Wizard. For more information, see About the Quick Setup Wizard
on page 28.
About the Quick Setup Wizard
You can use the Quick Setup Wizard to create a basic configuration for your XTM device. The device
uses this basic configuration file when it starts for the first time. This enables it to operate as a basic
firewall. You can use this same procedure at any time to reset the device to a new basic configuration.
This is helpful for system recovery.
When you configure your XTM device with the Quick Setup Wizard, you set only the basic policies
(TCP and UDP outgoing, FTP packet filter, ping, and WatchGuard) and interface IP addresses. If you
have more software applications and network traffic for the device to examine, you must:
n Configure the policies on the XTM device to let the necessary traffic through
n Set the approved hosts and properties for each policy
n Balance the requirement to protect your network against the requirements of your users to
connect to external resources
For instructions to run the wizard from a web browser, see Run the Web Setup Wizard on page 29.
Run the Web Setup Wizard
You can use the Web Setup Wizard to set up a basic configuration on any WatchGuard Firebox or XTM
device. The Web Setup Wizard automatically configures the XTM device for mixed routing mode.
For a video demonstration of the Web Setup Wizard, see the Web Setup Wizard
video tutorial (30 minutes).
To use the Web Setup Wizard, you must make a direct network connection to the Firebox or XTM
device and use a web browser to start the wizard. When you connect to the device, it uses DHCP to
send a new IP address to your computer.
Before you start the Web Setup Wizard, make sure you:
n Activate your device on the WatchGuard web site
n Save a copy of your XTM device feature key in a text file on your computer
Start the Web Setup Wizard
1. Connect your computer to interface number 1 of your XTM device with an Ethernet cable. This
is the trusted interface.
2. Use the green Ethernet cable that ships with your device (or any Ethernet cable) to connect
interface 0 to a router or network that provides Internet access. This is the external interface.
The external interface automatically uses DHCP to request an IP address on the network it
connects to.
3. Connect the power cord to the XTM device power input and to a power source.
4. Start the XTM device in factory default mode. This is also known as safe mode. A new device
automatically starts in this mode.
For more information, see Reset a Device on page 57.
5. Make sure your computer is configured to accept a DHCP-assigned IP address.
If your computer uses Windows 7:
n In the Windows Start menu, select Control Panel > Network and Internet > Network
and Sharing > Change Adapter Settings > Local Area Connection.
n Click Properties.
n Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
n Make sure Obtain an IP Address Automatically is selected.
For more detailed instructions, see Identify Your Network Settings on page 41.
6. If your browser uses an HTTP proxy server, you must temporarily disable the HTTP proxy
setting in your browser.
For more information, see Disable the HTTP Proxy in the Browser on page 45.
7. Open a web browser and type https://10.0.1.1:8080 to connect to the device.
This opens a secure HTTP connection between your management computer and the XTM
device.
The Web Setup Wizard starts automatically.
8. Log in with the default administrator account credentials:
Username: admin
Passphrase: readwrite
9. Complete the subsequent screens of the wizard.
The Web Setup Wizard includes the steps to set up the device with a basic configuration. Click
More Information on any wizard page to see more information about how to complete the
current step.
If you leave the Web Setup Wizard idle for 15 minutes or more, you must go back to
Step 3 and start again.
The Web Setup Wizard helps you to complete these steps:
Select a configuration type
Select whether to create a new configuration or restore a configuration from a saved
backup image.
License agreement
Accept the End-User License Agreement.
Configure the External Interface
Select and configure the method you want your device to use to set an external IP address.
The choices are:
n DHCP: Type the DHCP identification as supplied by your ISP.
n PPPoE Type the PPPoE information as supplied by your ISP.
n Static Type the static IP address and gateway IPaddress, as supplied by your
ISP.
For more information about these methods, see Configure an External Interface.
Configure the DNSand WINSServers (Optional)
Configure the Domain DNSand WINS server addresses you want the XTMdevice to use.
Configure the Trusted Interface
Type the IP address of the trusted interface. (Optional) If you want the XTMdevice to
assign IP addresses to computers that connect to the trusted network, you can enable the
DHCPserver and assign a range of IPaddresses on the same subnet as the interface
IPaddress.
Create passphrases for your device
Set new passphrases for the status (read only)and admin (read/write) built-in user
accounts.
Enable remote management (Optional)
Enable remote management if you want to manage this device fromthe external interface.
Add contact information for your device
You can type a device name, location, and contact information to save management
information for this device. By default, the device name is set to the model number of your
device. We recommend that you choose a unique name that you can use to easily identify
this device, especially if you use remote management. The location and contact
information are optional.
Set the Time Zone
Select the time zone where the XTMdevice is located.
Retrieve Feature Key, Apply Feature Key, Feature key options
The wizard can use one of three methods to apply a feature key to your device:
Automatic Activation If the device already has a feature key, or if the device has been
previously activated, the wizard automatically retrieves the device feature key fromthe
WatchGuard web site. If automatic activation is successful, the wizard does not show a
page for the activation step.
OnlineActivation If the device has not yet been activated, you can use Online
Activation in the wizard to activate the device in your account on the WatchGuard web site.
The device then automatically retrieves and applies the feature key to the device. To use
Online Activation, your device must have a connection to the Internet.
Manual Activation If you previously activated your device and have a copy of the
feature key on your computer, you can choose to skip online activation, and instead paste
the text of the feature key into the wizard.
If the XTMdevice does not have an Internet connection when you run the wizard, you can
also choose to skip activation entirely and apply the feature key later. For more information
about how to apply the feature key outside the wizard, see Get a Feature Key for Your
XTMDevice.
Device functionality is limited until you apply a feature key. Without a feature key, the
device allows only one user to access the Internet.
Completion
After you review and apply your configuration settings, the XTM device saves the configuration to the device.
After the Wizard Finishes
After you complete the wizard, the device is set up with a basic configuration that allows outbound
TCP, UDP, and ping traffic, and blocks all unrequested traffic from the external network. You can log
in to the Fireware XTM Web UI using the user name admin, and the configuration passphrase you set
in the Wizard.
If you change the IP address of the trusted interface, you must change your network
settings to make sure your IP address matches the subnet of the trusted network
before you connect to the device. If you use DHCP, restart your computer. Or you
can use the ipconfig /release and ipconfig /renew commands on your computer to
force it to request a new IP address. If you use static addressing, see Use a Static IP
Address on page 44.
You can use Fireware XTM Web UI to expand or change the configuration for your device.
- For information about how to complete the installation of your device after the Web Setup Wizard is finished, see Complete Your Installation on page 39.
- For information about how to connect to Fireware XTM Web UI, see Connect to Fireware XTM Web UI on page 34.
If You Have Problems with the Wizard
If you leave the Web Setup Wizard idle for 15 minutes or more, the wizard times out, and you must use
the same steps to log in and start it again.
For other problems with the wizard, it can help to clear the browser cache before you try again. To clear
the cache in Internet Explorer, select Tools > Internet Options > Delete > History.
Connect to Fireware XTM Web UI
To connect to Fireware XTM Web UI, you use a web browser to go to the IP address of the Firebox or
XTM device trusted or optional interface over the correct port number. Connections to the Web UI are
always encrypted with HTTPS, the same high-strength encryption used by banking and shopping web
sites. When you type the URL in your browser, make sure to type https at the start of the URL, not http.
By default, the port used for the Web UI is 8080. The URL to connect to the Web UI in your browser is:
https://<Firebox-IP-address>:8080
<Firebox-IP-address> is the IP address assigned to the trusted or optional interface on your device.
When you make this connection, the browser loads the Log In page. The default URL for a
WatchGuard Firebox or XTM device is:
https://10.0.1.1:8080
You can change the IP address of the trusted network to a different IP address. For more information,
see Common Interface Settings on page 178.
For example, to use the default URL to connect to your device:
1. Open your web browser and go to https://10.0.1.1:8080.
A security certificate notification appears in the browser.
2. When you see the certificate warning, click Continue to this website (Internet Explorer) or Add Exception (Firefox).
This warning appears because the certificate the XTM device uses is signed by the
WatchGuard Certificate Authority, which is not in the list of trusted authorities on your browser.
This warning appears each time you connect to the XTM device unless you
permanently accept the certificate, or generate and import a certificate for the device
to use. For more information, see About Certificates on page 953.
3. In the User Name text box, type the user name.
4. In the Passphrase text box, type the passphrase.
- If you specify the User Name admin, type the Configuration (read-write) passphrase.
- If you specify the User Name status, type the Status (read-only) passphrase.
5. From the Authentication Server drop-down list, select the authentication server for the user you specified.
- If you specify the User Name admin or status, select Firebox-DB.
- If you specify another User Name, select the authentication server where that user account is located.
6. Click Log in.
By default, the XTM device configuration only allows connections to Fireware
XTM Web UI from the trusted and optional networks. To change the configuration to
allow connections to the Web UI from the external network, see Connect to Fireware
XTM Web UI from an External Network on page 36.
Connect to Fireware XTM Web UI from an External Network
The Fireware XTM device configuration has a policy called WatchGuard Web UI. This policy controls
which XTM device interfaces can connect to Fireware XTM Web UI. By default, this policy only allows
connections from Any-Trusted and Any-Optional networks. If you want to allow access to the Web
UI from the external network, you must edit the WatchGuard Web UI policy and add Any-External to
the From list.
In Fireware XTM Web UI:
1. Select Firewall > Firewall Policies.
2. Double-click the WatchGuard Web UI policy to edit it.
3. Select the Policy tab.
4. In the From section, click Add.
5. Select Any-External.
6. Click OK.
7. Click Save.
About Fireware XTM Web UI
With Fireware XTM Web UI, you can monitor and manage any device that runs Fireware XTM OS. You
do not have to install any extra software on your computer. The only software you must have is a
browser with support for Adobe Flash Player v9 or later.
Because there is no software to install, you can use the Web UI from any computer that has TCP/IP
connectivity and a supported browser. This means you can administer your XTM device from a
computer with Windows, Linux, Mac OS, or any other platform, as long as it has a supported browser
with Adobe Flash Player v9 or later and network connectivity.
The Web UI is a real-time management tool. This means that when you use the Web UI to make
changes to a device, the changes you make generally take effect immediately. With the Web UI, you
do not build a list of many changes in a locally-stored configuration file that are later sent to the device
all at once. This is different from Fireware XTM Policy Manager, which is an off-line configuration tool.
Changes you make to a locally-stored configuration file with Policy Manager do not take effect until you
save the configuration file to the device.
You must complete the Quick Setup Wizard before you can see Fireware XTM Web
UI. For more information, see Run the Web Setup Wizard on page 29. You must also
use an account with full administrative access privileges to see and change the
configuration pages.
At the left side of Fireware XTM Web UI is the main menu navigation bar that you use to select a set of
configuration pages.
All items in the navigation bar contain secondary menu items that you use to configure the properties of
that feature.
- To see these secondary menu items, select a top level menu item. For example, if you select Authentication, these secondary menu items appear: Servers, Settings, Users and Groups, Web Server Certificate, Single Sign-On, and Terminal Services.
- To hide the secondary menu items, select the top level menu item again.
The first item in the navigation bar is the Dashboard. The Dashboard menu includes two pages:
- System
- Subscription Services
When you first connect to Fireware XTM Web UI, the System page automatically appears. To return to
the System page from another place in the Web UI, select Dashboard > System.
Limitations of Fireware XTM Web UI
You can use Fireware XTM Web UI, WatchGuard System Manager, and Fireware XTM Command
Line Interface (CLI) to configure and monitor your Fireware XTM device. When you want to change a
device configuration file, you can use any of these programs. There are, however, several device
configuration changes you cannot make with Fireware XTM Web UI.
Some of the tasks you can complete in Policy Manager, but not with the Web UI, include:
- Export a certificate or see details about a certificate (You can only import certificates)
- Change the logging of default packet handling options
- Manually get the Mobile VPN with SSL configuration file
- Get the encrypted (.wgx) Mobile VPN with IPSec end-user client configuration (You can only get the equivalent, but unencrypted, .ini file)
- Edit the name of a policy
- Add a custom address to a policy
- Use a host name (DNS lookup) to add an IP address to a policy
- Use role-based administration (also known as role-based access control, or RBAC)
- Edit the FireCluster configuration settings
- Add or edit a secondary PPPoE interface
The group of applications that comes with WatchGuard System Manager includes many other tools for
monitoring and reporting. Some of the functions provided by HostWatch, Log and Report Manager, and
WSM are also not available in the Web UI.
To use some Fireware XTM features related to WatchGuard servers, you must install WatchGuard
Server Center. You do not have to use WatchGuard System Manager to install WatchGuard Server
Center. You can use WatchGuard Server Center to configure these WatchGuard servers:
- Management Server
- Log Server
- Report Server
- Quarantine Server
- WebBlocker Server
To learn how to configure features not supported by the Web UI or how to use WatchGuard Server
Center, see the Fireware XTM WatchGuard System Manager Help at
http://www.watchguard.com/help/documentation.
To learn more about the CLI, see the WatchGuard Command Line Interface Reference at
http://www.watchguard.com/help/documentation.
Complete Your Installation
After you are finished with the Web Setup Wizard, you must complete the installation of your XTM
device on your network.
1. Put the XTM device in its permanent physical location.
2. Make sure the gateway of the management computer and the rest of the trusted network is the IP address of the trusted interface of your XTM device.
3. To connect to your XTM device with Fireware XTM Web UI, open a web browser and type https://10.0.1.1:8080. This is the default IP address of the trusted interface.
For more information, see Connect to Fireware XTM Web UI on page 34.
4. If you use a routed configuration, make sure you change the default gateway on all the computers that connect to your XTM device to match the IP address of the XTM device trusted interface.
5. Customize your configuration as necessary for the security purposes of your business.
For more information, see the subsequent Customize Your Security Policy section.
Customize Your Security Policy
Your security policy controls who can get into and out of your network, and where they can go in your
network. The configuration file of your XTM device manages the security policies.
When you completed the Quick Setup Wizard, the configuration file that you made was only a basic
configuration. You can modify this configuration to align your security policy with the business and
security requirements of your company. You can add packet filter and proxy policies to set what you let
in and out of your network. Each policy can have an effect on your network. The policies that increase
your network security can decrease access to your network. And the policies that increase access to
your network can put the security of your network at risk. For more information on policies, see About
Policies on page 593.
For a new installation, we recommend that you use only packet filter policies until all your systems
operate correctly. As necessary, you can add proxy policies.
About LiveSecurity Service
Your XTM device includes a subscription to LiveSecurity Service. Your subscription:
- Makes sure that you get the newest network protection with the newest software upgrades
- Gives solutions to your problems with full technical support resources
- Prevents service interruptions with messages and configuration help for the newest security problems
- Helps you to find out more about network security through training resources
- Extends your network security with software and other features
- Extends your hardware warranty with advanced replacement
For more information about LiveSecurity Service, see About WatchGuard Support on page 21.
Additional Installation Topics
Connect to an XTM Device with Firefox
Web browsers use certificates to ensure that the device on the other side of an HTTPS connection is
the device you expect. Users see a warning when a certificate is self-signed, or when there is a
mismatch between the requested IP address or host name and the IP address or host name in the
certificate. By default, your XTM device uses a self-signed certificate that you can use to set up your
network quickly. However, when users connect to the XTM device with a web browser, a Secure
Connection Failed warning message appears.
To avoid this warning message, we recommend that you add a valid certificate signed by a CA
(Certificate Authority) to your configuration. This CA certificate can also be used to improve the
security of VPN authentication. For more information on the use of certificates with XTM devices, see
About Certificates on page 953.
If you continue to use the default self-signed certificate, you can add an exception for the XTM device
on each client computer. Current versions of most Web browsers provide a link in the warning
message that the user can click to allow the connection.
Actions that require an exception include:
- About User Authentication
- Install and Connect the Mobile VPN with SSL Client
- Run the Web Setup Wizard
- Connect to Fireware XTM Web UI
Common URLs that require an exception include:
https://<IP address or host name of an XTM device interface>:8080
https://<IP address or host name of an XTM device interface>:4100
https://<IP address or host name of an XTM device>:4100/sslvpn.html
Add a Certificate Exception to Mozilla Firefox
If you add an exception in Firefox for the XTM device certificate, the warning message does not appear
on subsequent connections. You must add a separate exception for each IP address, host name, and
port used to connect to the XTM device. For example, an exception that uses a host name does not
operate properly if you connect with an IP address. Similarly, an exception that specifies port 4100
does not apply to a connection where no port is specified.
A certificate exception does not make your computer less secure. All network traffic
between your computer and the XTM device remains securely encrypted with SSL.
In Firefox, you can add certificate exceptions in the advanced options.
1. In Firefox, select Firefox > Options > Options.
The Options dialog box appears.
2. Select Advanced.
3. Click the Encryption tab, then click View Certificates.
The Certificate Manager dialog box opens.
4. Click the Servers tab, then click Add Exception.
5. In the Location text box, type the URL to connect to the XTM device. The most common URLs are listed above.
6. Click Get Certificate.
7. When the certificate information appears in the Certificate Status area, click Confirm Security Exception.
8. Click OK.
9. To add more exceptions, repeat Steps 4 through 7.
Identify Your Network Settings
To configure your XTM device, you must know some information about your network. You can use this
section to learn how to identify your network settings.
For an overview of network basics, see About Networks and Network Security on page 1.
Network Addressing Requirements
Before you can begin installation, you must know how your computer gets an IP address. Your Internet
Service Provider (ISP) or corporate network administrator can give you this information. Use the same
method to connect the XTM device to the Internet that you use for your computer. For example, if you
connect your computer directly to the Internet with a broadband connection, you can put the XTM
device between your computer and the Internet and use the network configuration from your computer
to configure the XTM device external interface.
You can use a static IP address, DHCP, or PPPoE to configure the XTM device external interface. For
more information about network addressing, see Configure an External Interface on page 144.
Your computer must have a web browser. You use the web browser to configure and manage the XTM
device. Your computer must have an IP address on the same network as the XTM device.
In the factory default configuration, the XTM device assigns your computer an IP address with DHCP
(Dynamic Host Configuration Protocol). You can set your computer to use DHCP and then you can
connect to the device to manage it. You can also give your computer a static IP address that is on the
same network as the trusted IP address of the XTM device. For more information, see Set Your
Computer to Connect to Your XTM Device on page 43.
Find Your TCP/IP Properties
To learn about the properties of your network, look at the TCP/IP properties of your computer or any
other computer on the network. You must have this information to install your XTM device:
- IP address
- Subnet mask
- Default gateway
- Whether your computer has a static or dynamic IP address
- IP addresses of primary and secondary DNS servers
If your ISP assigns your computer an IP address that starts with 10, 192.168, or
172.16 to 172.31, then your ISP uses NAT (Network Address Translation) and your
IP address is private. We recommend that you get a public IP address for your XTM
device external IP address. If you use a private IP address, you can have problems
with some features, such as virtual private networking.
To find the TCP/IP properties for your computer operating system, use the instructions in the
subsequent sections.
Find Your TCP/IP Properties on Microsoft Windows XP, Windows 2003, and Windows 7
1. Select Start > All Programs > Accessories > Command Prompt.
The Command Prompt dialog box appears.
2. At the command prompt, type ipconfig /all and press Enter.
3. Write down the values that you see for the primary network adapter.
Find Your TCP/IP Properties on Microsoft Windows 8
1. On the Windows 8 Start page, type command.
2. In the Apps search results list, click Command Prompt.
The Command Prompt dialog box appears.
3. At the command prompt, type ipconfig /all and press Enter.
4. Write down the values that you see for the primary network adapter.
Find Your TCP/IP Properties on Macintosh OS X 10.x
1. Select the Apple menu > System Preferences, or select the icon from the Dock.
The System Preferences dialog box appears.
2. Click the Network icon.
The Network preference pane appears.
3. Select the network adapter you use to connect to the Internet.
4. Write down the values that you see for the network adapter.
Find Your TCP/IP Properties on Other Operating Systems (Unix, Linux)
1. Read your operating system guide to find the TCP/IP settings.
2. Write down the values that you see for the primary network adapter.
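As an added example (not part of the WatchGuard guide), the following Python script parses the output of ipconfig /all that the Windows procedures above tell you to write down, and applies two checks from this section: whether the address is in the 10, 172.16 to 172.31, or 192.168 ranges (so the ISP uses NAT), and whether the computer sits on the same subnet as the XTM device trusted interface (10.0.1.1 by default). The sample output, host name, adapter description and DNS addresses are constructed for the example.

```python
"""Added example (not from the WatchGuard guide): parse ipconfig /all output,
pull out the values the guide asks you to write down, and apply two of its
checks: is the address an RFC 1918 private address (the ISP uses NAT), and
is the computer on the same subnet as the XTM device trusted interface
(10.0.1.1/24 in the factory default configuration)?
"""
import ipaddress
import re

# Constructed sample output in the layout Windows prints; it was not
# captured from a real machine. 198.51.100.0/24 is a documentation range.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : mgmt-pc
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.lan
   Description . . . . . . . . . . . : Example Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-00-5E-00-53-01
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.1.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, May 12, 2014 9:00:00 AM
   Default Gateway . . . . . . . . . : 10.0.1.1
   DHCP Server . . . . . . . . . . . : 10.0.1.1
   DNS Servers . . . . . . . . . . . : 10.0.1.1
                                       198.51.100.53
"""

# "Key . . . : value" lines are indented a few spaces; continuation values
# (a second DNS server, for example) are indented much further with no key.
KEY_LINE = re.compile(r"^\s{1,10}(\S[^:]*?)[\s.]*:\s*(.*)$")
CONTINUATION_INDENT = " " * 12

# The blocks the guide lists (10.x, 172.16-31.x, 192.168.x): RFC 1918.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_ipconfig(text):
    """Return {section name: {key: [values]}} for ipconfig /all output."""
    sections = {}
    current = None
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section header such as "Ethernet adapter Local Area Connection:"
            current = line.rstrip(":").strip()
            sections[current] = {}
            last_key = None
            continue
        match = KEY_LINE.match(line)
        if match and current is not None:
            key, value = match.group(1).strip(), match.group(2).strip()
            # Windows tags the active address with "(Preferred)"; drop it.
            value = re.sub(r"\(Preferred\)$", "", value).strip()
            sections[current].setdefault(key, [])
            if value:
                sections[current][key].append(value)
            last_key = key
        elif line.startswith(CONTINUATION_INDENT) and last_key and current:
            sections[current][last_key].append(line.strip())
    return sections


def _first(props, key):
    values = props.get(key)
    return values[0] if values else None


def adapter_summary(sections, adapter):
    """The values the guide tells you to write down for one adapter."""
    props = sections[adapter]
    return {
        "ip": _first(props, "IPv4 Address"),
        "mask": _first(props, "Subnet Mask"),
        "gateway": _first(props, "Default Gateway"),
        "dhcp": _first(props, "DHCP Enabled") == "Yes",
        "dns": props.get("DNS Servers", []),
    }


def is_private_address(ip):
    """True if the address is private, i.e. the ISP uses NAT (guide's warning)."""
    return any(ipaddress.IPv4Address(ip) in net for net in PRIVATE_RANGES)


def on_trusted_subnet(ip, mask, trusted_ip="10.0.1.1"):
    """True if this host shares a subnet with the XTM trusted interface."""
    network = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return ipaddress.IPv4Address(trusted_ip) in network


if __name__ == "__main__":
    parsed = parse_ipconfig(SAMPLE_IPCONFIG)
    info = adapter_summary(parsed, "Ethernet adapter Local Area Connection")
    print(info)
    print("private address (ISP NAT):", is_private_address(info["ip"]))
    print("on 10.0.1.1 subnet:", on_trusted_subnet(info["ip"], info["mask"]))
```

On a real Windows host, pipe the command output into the script instead of the constructed sample (for example with ipconfig /all > ipconfig.txt and then reading that file) to check the external address before you configure the XTM device.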
Find PPPoE Settings
Many ISPs use Point to Point Protocol over Ethernet (PPPoE) because it is easy to use with a dial-up
infrastructure. If your ISP uses PPPoE to assign IP addresses, you must get this information:
- Login name
- Domain (optional)
- Password
Set Your Computer to Connect to Your XTM Device
Before you can use the Web Setup Wizard, you must configure your computer to connect to your XTM
device. You can set your network interface card to use a static IP address, or use DHCP to get an IP
address automatically.
Use DHCP
If your computer does not use the Windows XP operating system, read the operating system help for
instructions on how to set your computer to use DHCP.
To configure a computer with Windows XP to use DHCP:
1. Select Start > Control Panel.
The Control Panel window appears.
2. Double-click Network Connections.
3. Double-click Local Area Connection.
The Local Area Connection Status window appears.
4. Click Properties.
The Local Area Connection Properties window appears.
5. Double-click Internet Protocol (TCP/IP).
The Internet Protocol (TCP/IP) Properties dialog box appears.
6. Select Obtain an IP address automatically and Obtain DNS server address automatically.
7. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.
8. Click OK to close the Local Area Network Connection Properties dialog box.
9. Close the Local Area Connection Status, Network Connections, and Control Panel windows.
Your computer is ready to connect to the XTM device.
10. When the XTM device is ready, open a web browser.
11. In the browser address bar, type the IP address of your XTM device and press Enter.
The default IP address for a WatchGuard XTM device is https://10.0.1.1/.
12. If a security certificate warning appears, accept the certificate.
The Quick Setup Wizard starts.
13. Run the Web Setup Wizard.
Use a Static IP Address
If your computer does not use the Windows XP operating system, read the operating system help for
instructions on how to set your computer to use a static IP address. You must select an IP address on
the same subnet as the trusted network.
To configure a computer with Windows XP to use a static IP address:
1. Select Start > Control Panel.
The Control Panel window appears.
2. Double-click Network Connections.
3. Double-click Local Area Connection.
The Local Area Connection Status window appears.
4. Click Properties.
The Local Area Connection Properties window appears.
5. Double-click Internet Protocol (TCP/IP).
The Internet Protocol (TCP/IP) Properties dialog box appears.
6. Select Use the following IP address.
7. In the IP address field, type an IP address on the same network as the XTM device trusted interface.
For example, you can set the IP address on your computer to 10.0.1.2.
The default IP address for the XTM device trusted interface is 10.0.1.1.
8. In the Subnet Mask field, type 255.255.255.0.
9. In the Default Gateway field, type the IP address of the XTM device trusted interface, 10.0.1.1.
10. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.
11. Click OK to close the Local Area Network Connection Properties dialog box.
12. Close the Local Area Connection Status, Network Connections, and Control Panel windows.
Your computer is ready to connect to the XTM device.
13. When the XTM device is ready, open a web browser.
14. In the browser address bar, type the IP address of your XTM device and press Enter.
The default IP address for a WatchGuard XTM device is https://10.0.1.1/.
15. If a security certificate warning appears, accept the certificate.
The Quick Setup Wizard starts.
16. Run the Web Setup Wizard.
Disable the HTTP Proxy in the Browser
Many web browsers are configured to use an HTTP proxy server to increase the download speed of
web pages. To manage or configure the XTM device with the Web UI, your browser must connect
directly to the device. If you use an HTTP proxy server, you must temporarily disable the HTTP proxy
setting in your browser. You can enable the HTTP proxy server setting in your browser again after you
set up the XTM device.
Use these instructions to disable the HTTP proxy in Mozilla Firefox or Internet Explorer. For other
browsers, use the browser Help system to find the necessary information. Many browsers
automatically disable the HTTP proxy feature.
Disable the HTTP proxy in Internet Explorer 7.x or 8.x
1. Open Internet Explorer.
2. Select Tools > Internet Options.
The Internet Options dialog box appears.
3. Select the Connections tab.
4. Click LAN Settings.
The Local Area Network (LAN) Settings dialog box appears.
5. Clear the Use a proxy server for your LAN check box.
6. Click OK to close the Local Area Network (LAN) Settings dialog box.
7. Click OK to close the Internet Options dialog box.
Disable the HTTP proxy in Firefox 3.x
1. Open Firefox.
2. Select Tools > Options.
The Options dialog box appears.
3. Click Advanced.
4. Select the Network tab.
5. Click Settings.
6. Click Connection Settings.
The Connection Settings dialog box appears.
7. For Firefox 2.x, make sure the Direct Connection to the Internet option is selected.
For Firefox 3.x, make sure the No proxy option is selected.
8. Click OK to close the Connection Settings dialog box.
9. Click OK to close the Options dialog box.
5 Configuration and Management Basics
About Basic Configuration and Management Tasks
After your XTM device is installed on your network and is set up with a basic configuration file, you can
start to add custom configuration settings. The topics in this section help you complete these basic
management and maintenance tasks.
Make a Backup of the XTM Device Image
An XTM device backup image is an encrypted, saved copy of the XTM device flash disk image. It
includes the XTM device OS, configuration file, feature keys, Device Management users, passphrases,
DHCP leases, and certificates. The backup image also includes any event notification settings that
you configured in Traffic Monitor. You can save a backup image to your computer, to a directory on
your network, or to another connected storage device.
The backup image is unique to each device and includes the serial number, certificates, and private
keys unique to that device.
Do not restore a backup image created from one XTM device to a different XTM
device, even if both devices are the same model.
To use the Web UI to restore the backup image to a FireCluster, you must have a
unique backup image for each device, and you must restore the backup master first.
For more information, see Use the Web UI with a FireCluster.
We recommend that you regularly make backup files of the XTM device image. We also recommend
that you create a backup image of the XTM device before you make significant changes to your
configuration file, or before you upgrade your XTM device or its OS. You can use Fireware XTM Web
UI to make a backup of your device image.
1. Select System > Backup Image.
2. Type and confirm an encryption key. This key is used to encrypt the backup file. If you lose or
forget this encryption key, you cannot restore the backup file.
3. Click Backup.
4. Select a location to save the backup image file and type a filename.
The backup image is saved to the location you specify.
Restore an XTM Device Backup Image
You can use Fireware XTM Web UI to restore a previously created backup image to your XTM device.
You can only restore a backup image that came from the same device.
For more information about Centralized Management and how to update a Fully Managed device, see
Fireware XTM WatchGuard System Manager Help.
Do not try to restore a backup image created from a different XTM device. Each
backup image is unique to a single device; it includes the serial number, certificates,
and private keys for that device.
To use the Web UI to restore the backup image to a FireCluster, you must have a
unique backup image for each device, and you must restore the backup master first.
For more information, see Use the Web UI with a FireCluster.
After the backup image is successfully restored, the device must reboot.
To restore the backup image:
1. Select System > Restore Image.
2. Click Browse.
3. Select the location and file name of the saved backup image file created for this device. Click Open.
4. Click Restore.
5. Type the encryption key you used when you created the backup image.
The XTM device restores the backup image. It restarts and uses the backup image.
Wait for two minutes before you connect to the XTM device again.
If you cannot successfully restore your XTM device image, you can reset the XTM device. Depending
on the XTM device model you have, you can reset an XTM device to its factory-default settings or
rerun the Quick Setup Wizard to create a new configuration.
For more information, see Reset a Device on page 57.
Use a USB Drive for System Backup and Restore
A WatchGuard XTM device backup image is a copy of the flash disk image from the XTM device that
is encrypted and saved. The backup image file includes the XTM device OS, configuration file, feature
key, and certificates.
For XTM devices, you can attach a USB drive or storage device to the USB port on the XTM device for
system backup and restore procedures. When you save a system backup image to a connected USB
drive, you can restore your XTM device to a known state more quickly.
About the USB Drive
The USB drive must be formatted with the FAT or FAT32 file system. If the USB drive has more than
one partition, Fireware XTM only uses the first partition. Each system backup image can be 70 MB or
larger. We recommend you use a USB drive large enough to store several backup images.
Save a Backup Image to a Connected USB Drive
For this procedure, a USB drive must be connected to your XTM device.
1. Select System > USB Drive.
The Backup/Restore to USB drive page appears.
2. In the New backup file section, type a Filename for the backup image.
3. Type and confirm an Encryption Key. This key is used to encrypt the backup file. If you lose or
forget this encryption key, you cannot restore the backup file.
4. Click Save to USB Drive.
The saved image appears on the list of Available device backup images after the save is complete.
Restore a Backup Image from a Connected USB Drive
For this procedure, a USB drive must be connected to your XTM device.
1. Select System > USB Drive.
The Backup/Restore to USB Drive page appears.
2. From the Available backup images list, select a backup image file to restore.
3. Click Restore Selected Image.
4. Type the Encryption key you used when you created the backup image.
5. Click OK.
The XTM device restores the backup image. It restarts and uses the backup image.
Automatically Restore a Backup Image from a USB Drive
If a USB drive (storage device) is connected to a WatchGuard Firebox or XTM device in recovery
mode, the device can automatically restore a previously backed up image from the USB drive. To use
the auto-restore feature, you must first select a backup image on the USB drive as the one you want to
use for the restore process. You must use Fireware XTM Web UI, Firebox System Manager, or the
Fireware XTM command line interface to select this backup image. This feature is not supported on
XTMv devices.
Do not use a backup image created from a different Firebox or XTM device for auto-restore.
The backup image is unique to a single device, and includes the serial
number, certificates, and private keys unique to that device.
Select the Backup Image to Auto-Restore
1. Select System > USB Drive.
The Backup/Restore to USB Drive page appears. The saved backup image files appear in a list at
the top of the page.
2. From the Available backup images list, select a backup image file.
3. Click Use Selected Image for Auto-Restore.
4. Type the Encryption key used to create the backup image. Click OK.
The XTM device saves a copy of the selected backup image on the USB drive.
If you had a previous auto-restore image saved, the auto-restore.fxi file is replaced with a copy of the
backup image you selected.
If your XTM device has used a version of the Fireware XTM OS lower than v11.3, you
must update the recovery mode software image on the device to v11.3 for the auto-restore
feature to operate. See the Fireware XTM 11.3 Release Notes for upgrade
instructions.
Auto-Restore the Backup Image for an XTM Device with an LCD Display
For an XTM device with an LCD display, use the arrow buttons near the LCD for this procedure.
1. Connect the USB drive with the auto-restore image to a USB interface on the XTM device.
2. Power off the XTM device.
3. Press and hold the up arrow on the device front panel while you power on the device.
4. Continue to hold down the up arrow button until Recovery Mode starting appears on the LCD
display.
The device restores the backup image from the USB drive, and automatically uses the restored
image after it reboots.
If the USB drive does not contain a valid auto-restore image for this XTM device model family, the
device does not reboot and is instead started in recovery mode. If you restart the device again, it uses
your current configuration. When the device is in recovery mode, you can use the WSM Quick Setup
Wizard to create a new basic configuration.
Auto-Restore the Backup Image for a Firebox T10, XTM 33 or XTM 2
Series Device
1. Attach the USB drive with the auto-restore image to a USB interface on the device.
2. Disconnect the power supply.
3. Press and hold the Reset button on the back of the device.
4. Continue to hold down the Reset button and connect the power supply.
5. After 10 seconds, release the Reset button.
The device restores the backup image from the USB drive and automatically uses the restored
image after it reboots.
If the USB drive does not contain a valid auto-restore image, the auto-restore fails and the device does
not reboot. If the auto-restore process is not successful, you must disconnect and reconnect the power
supply to start the device with factory-default settings.
For information about factory default settings, see About Factory-Default Settings.
USB Drive Directory Structure
The USB drive contains directories for backup images, configuration files, feature keys, certificates and
diagnostics information for your XTM device.
When you save a backup image to a USB drive, the file is saved in a directory on the USB drive with
the same name as the serial number of your XTM device. This means that you can store backup
images for more than one XTM device on the same USB drive. When you restore a backup image, the
software automatically retrieves the list of backup images stored in the directory associated with that
device.
For each device, the directory structure on the USB drive is as follows, where sn is replaced by the
serial number of the XTM device:
\sn\flash-images\
\sn\configs\
\sn\feature-keys\
\sn\certs\
The backup images for a device are saved in the \sn\flash-images directory. Each backup image file
saved in the flash-images directory contains the Fireware XTM OS, the device configuration, feature
keys, and certificates. The \configs, \feature-keys and \certs subdirectories are not used for any
USB drive backup and restore operations. You can use them to store additional feature keys,
configuration files, and certificates for each device.
There is also one directory at the root level of the directory structure which is used to store the
designated auto-restore backup image:
\auto-restore\
When you designate a backup image to use for automatic restore, a copy of the selected backup image
file is encrypted and stored in the \auto-restore directory with the file name auto-restore.fxi. You
can have only one auto-restore image saved on each USB drive.
You must use the System > USB Drive command to create an auto-restore image. If you manually
copy and rename a backup image and store it in this directory, the automatic restore process does not
operate correctly.
There is also another directory at the root level of the directory structure which is used to store the
support snapshot that can be used by WatchGuard technical support to help diagnose issues with your
XTM device:
\wgdiag\
For more information about the support snapshot, see Use a USB Drive to Save a Support Snapshot
on page 55.
Save a Backup Image to a USB Drive Connected to Your
Computer
You can use Fireware XTM Web UI to save a backup image to a USB drive or storage device
connected to your computer. If you save the configuration files for multiple devices to the same USB
drive, you can attach the USB drive to any of those XTM devices for recovery.
If you use the System > USB Drive command to do this, the files are automatically saved in the
proper directory on the USB drive. If you use the System > Backup Image command, or if you use
Windows or another operating system to manually copy configuration files to the USB device, you
must manually create the correct serial number and flash-images directories for each device (if they do
not already exist).
Before You Begin
Before you begin, it is important that you understand the USB Drive Directory Structure used by the USB
backup and restore feature. If you do not save the backup image in the correct location, the device
cannot find it when you attach the USB drive to the device.
Save the Backup Image
To save a backup image to a USB drive connected to your computer, follow the steps in Make a
Backup of the XTM Device Image. When you select the location to save the file, select the drive letter
of the USB drive attached to your computer. If you want the backup image you save to be recognized
by the XTM device when you attach the USB drive, make sure to save the backup in the \flash-images
folder, in the directory that is named with the serial number of your XTM device.
For example, if your XTM device serial number is 70A10003C0A3D, save the backup image file to this
location on the USB drive:
\70A10003C0A3D\flash-images\
Designate a Backup Image for Auto-restore
To designate a backup image for use with the auto-restore feature, you must connect the USB drive to
the device and designate the backup image to use for auto-restore, as described in Use a USB Drive
for System Backup and Restore. If you manually save a backup image to the auto-restore directory,
the automatic restore process does not operate correctly.
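The directory rules in USB Drive Directory Structure and in the section above are easy to get wrong when a backup image is copied to the drive by hand. The following Python script is an added example, not part of this guide and not WatchGuard software: it copies a backup image into the <serial>\flash-images\ directory the device searches, lists the images the device would offer for restore, and flags files that no restore operation reads (files at the drive root, and anything in \auto-restore other than auto-restore.fxi). The serial number is the one from the example above; the image file and its .fxi name are constructed placeholders. The script cannot tell a hand-copied auto-restore.fxi from one the device created, so the rule that auto-restore images must be designated through System > USB Drive still applies.

```python
"""Stage Fireware XTM backup images in the directory layout the USB restore
feature reads, and audit a drive for files it will never see. Added example."""
from pathlib import Path
import shutil
import tempfile

FLASH_DIR = "flash-images"
AUTO_RESTORE_DIR = "auto-restore"
AUTO_RESTORE_FILE = "auto-restore.fxi"
RESERVED = {AUTO_RESTORE_DIR, "wgdiag"}   # root directories that are not serial numbers


def image_dir(usb_root, serial):
    """The only place the device looks for this serial's backup images."""
    return Path(usb_root) / serial / FLASH_DIR


def stage_backup_image(usb_root, serial, image_path):
    """Copy a backup image into <serial>/flash-images/ and return its new path."""
    if Path(serial).name != serial or serial.lower() in RESERVED:
        # Refuse path separators and the reserved directories: a hand-copied
        # auto-restore image is not recognized by the device.
        raise ValueError(f"not a usable serial number directory: {serial!r}")
    dest_dir = image_dir(usb_root, serial)
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / Path(image_path).name
    shutil.copy2(image_path, dest)
    return dest


def list_backup_images(usb_root, serial):
    """Names the device would show under 'Available backup images' for this serial."""
    d = image_dir(usb_root, serial)
    return sorted(p.name for p in d.iterdir() if p.is_file()) if d.is_dir() else []


def audit_drive(usb_root):
    """Return {'images': {serial: [names]}, 'stray': [paths no restore operation reads]}."""
    root = Path(usb_root)
    images, stray = {}, []
    for entry in sorted(root.iterdir()):
        rel = str(entry.relative_to(root))
        if entry.is_file():
            stray.append(rel)                 # files at the drive root are ignored by the device
        elif entry.name == AUTO_RESTORE_DIR:
            stray += sorted(f"{rel}/{p.name}" for p in entry.iterdir()
                            if p.name != AUTO_RESTORE_FILE)
        elif entry.name not in RESERVED:
            images[entry.name] = list_backup_images(root, entry.name)
    return {"images": images, "stray": stray}


def demo():
    """Constructed drive in a temporary directory: one staged image, one misplaced file."""
    tmp = Path(tempfile.mkdtemp())
    usb = tmp / "usb"
    usb.mkdir()
    serial = "70A10003C0A3D"                  # serial number from the guide's example
    src = tmp / "XTM-backup.fxi"              # placeholder file, not a real backup image
    src.write_bytes(b"constructed placeholder, not an encrypted backup image")
    stage_backup_image(usb, serial, src)
    (usb / "misplaced.fxi").write_bytes(b"copied to the drive root by mistake")
    return audit_drive(usb)
```

Run audit_drive() against the mounted drive before you carry it to the device; anything it reports under "stray" will not appear in the Available backup images list.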
Use a USB Drive to Save a Support Snapshot
A support snapshot is a file that contains a recent copy of your device configuration, log files, and other
information that can help WatchGuard technical support troubleshoot issues with your device. To use
the support snapshot feature, your device must use Fireware XTM v11.4 or later.
This feature is not supported on XTMv devices.
If you connect a USB drive to one of the XTM device USB interfaces, the XTM device automatically
generates a new support snapshot and saves the snapshot to the USB drive as an encrypted file. This
happens automatically when the device is powered on and a USB drive is connected to the device.
Any time you connect a USB drive, the XTM device automatically saves a current support snapshot in
the \wgdiag directory on the USB drive. Because the snapshot contains a copy of your device
configuration, handle a USB drive that has been connected to the device with the same care as a
backup image.
When the XTM device detects a connected USB drive, it automatically completes these actions:
• If the \wgdiag directory does not exist on the USB drive, the XTM device creates it.
• If the \wgdiag directory already exists on the USB drive, the XTM device deletes and recreates
it.
• The XTM device saves the new support snapshot in the \wgdiag directory with the filename
support1.tgz.
Each time you connect the USB drive or restart the XTM device, any files in the \wgdiag directory are
removed and a new support snapshot is saved.
If you want to keep a support snapshot, you can either rename the \wgdiag directory
on the USB drive or copy the support1.tgz file from the USB drive to your computer
before you reconnect the USB drive to the XTM device.
Status messages about USB diagnostics file generation appear as Info level messages in the log file.
These log messages contain the text USBDiagnostic. For XTM devices that have an LCD display,
messages also appear on the LCD while the USB diagnostic file is written, and when a USB drive is
connected or removed.
By default, the XTM device saves only a single support snapshot per USB drive when the USB drive is
first detected. You can use the usb diagnostic command in the Command Line Interface to enable
the XTM device to automatically save multiple support snapshots to the USB drive periodically while
the device is in operation. If the XTM device is configured to save multiple support snapshots, the
number at the end of the file name is incremented each time a new snapshot is saved, so
that you can see a sequence of support snapshots. For example, the file names for the first two
support snapshots would be support1.tgz and support2.tgz. If enabled, the USB diagnostics
feature stores a maximum of 48 support snapshots on the USB drive.
For more information about how to use the usb diagnostic command, see the Fireware
XTM Command Line Interface Reference.
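Because the device empties \wgdiag every time the drive is connected or the device restarts, a snapshot you want to keep must be copied off before the drive goes back into the device. The following Python script is an added example, not part of this guide and not WatchGuard software: it finds the support<N>.tgz files, orders them by the sequence number the device appends (so support10.tgz sorts after support2.tgz rather than between support1.tgz and support2.tgz), warns about gaps or more files than the 48-snapshot maximum, and copies them into an archive directory named by a label you choose. The demo builds a constructed \wgdiag directory in a temporary folder; the .tgz files it writes are placeholders, not real snapshots.

```python
"""Archive the support snapshots in a USB drive's \\wgdiag directory before the
drive is reconnected, because the device empties that directory on every connect."""
from pathlib import Path
import re
import shutil
import tempfile

SNAPSHOT_RE = re.compile(r"^support(\d+)\.tgz$")   # support1.tgz, support2.tgz, ...
MAX_SNAPSHOTS = 48       # most the device keeps when periodic snapshots are enabled


def snapshot_sequence(wgdiag_dir):
    """Snapshot paths ordered by the number the device appends, not lexically."""
    found = []
    for p in Path(wgdiag_dir).iterdir():
        m = SNAPSHOT_RE.match(p.name)
        if m and p.is_file():
            found.append((int(m.group(1)), p))
    return [p for _, p in sorted(found)]


def archive_snapshots(usb_root, archive_root, label):
    """Copy support<N>.tgz files from <usb_root>/wgdiag into <archive_root>/<label>/.

    Returns the archived names in sequence order; [] when there is nothing to save.
    Numbering gaps or more files than MAX_SNAPSHOTS are reported, not repaired."""
    src = Path(usb_root) / "wgdiag"
    if not src.is_dir():
        return []
    seq = snapshot_sequence(src)
    numbers = [int(SNAPSHOT_RE.match(p.name).group(1)) for p in seq]
    if numbers != list(range(1, len(numbers) + 1)):
        print(f"warning: snapshot numbering is not contiguous from 1: {numbers}")
    if len(seq) > MAX_SNAPSHOTS:
        print(f"warning: {len(seq)} snapshots, more than the device maximum of {MAX_SNAPSHOTS}")
    dest = Path(archive_root) / label
    dest.mkdir(parents=True, exist_ok=True)
    for p in seq:
        shutil.copy2(p, dest / p.name)       # copy2 keeps the timestamps the device wrote
    return [p.name for p in seq]


def demo():
    """Constructed \\wgdiag with three placeholder snapshots and one unrelated file."""
    tmp = Path(tempfile.mkdtemp())
    wgdiag = tmp / "usb" / "wgdiag"
    wgdiag.mkdir(parents=True)
    for n in (1, 2, 10):      # 10 follows 2 in sequence order, but precedes it lexically
        (wgdiag / f"support{n}.tgz").write_bytes(b"constructed placeholder, not a real snapshot")
    (wgdiag / "notes.txt").write_text("not a snapshot; ignored")
    return archive_snapshots(tmp / "usb", tmp / "archive", "70A10003C0A3D-before-reconnect")
```

A label that combines the device serial number and the date of collection keeps archives from several devices apart on the same workstation.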
Reset a Device
If your Firebox or XTM device has a configuration problem, or you just want to create a new
configuration file for your XTM device, you can reset the device to its factory-default settings. For
example, if you do not know the configuration passphrase, or if a power interruption causes damage to
the Fireware XTM OS, you can use the Quick Setup Wizard to build your configuration again or restore
a saved configuration.
After you perform this reset procedure:
• The XTM device is reset to factory-default settings
• The installed feature key is not removed (except on a Firebox T10, XTM 2 Series or XTM 33,
where the Reset button procedure described below also removes it)
• All the Device Management accounts you added are removed, and only the default user
accounts are available, with the default passphrases
• Fireware XTM Web UI automatically starts the Web Setup Wizard when you connect to the
XTM device
• The XTM device is discoverable by the Quick Setup Wizard
For a description of the factory-default settings, see About Factory-Default Settings on page 59.
Start an XTM Device in Safe Mode
To restore the factory-default settings for a WatchGuard XTM device with an LCD display, you must
start the XTM device in safe mode.
1. Power off the XTM device.
2. Press the down arrow on the device front panel while you power on the XTM device.
3. Continue to press the down arrow button until the message Safe Mode Starting appears on
the LCD display.
When the device is started in safe mode, the LCD display shows the model number followed by the
word safe. When you start a device in safe mode:
• The device temporarily uses the factory-default network and security settings.
• The current feature key is not removed. If you run the Quick Setup Wizard to create a new
configuration, the wizard uses the feature key you previously imported.
• Your current configuration is deleted only when you save a new configuration file to the
XTM device. If you restart the XTM device before you save a new configuration, the device
uses your current configuration.
Reset a Firebox T10, XTM 2 Series or XTM 33 to Factory-Default
Settings
When you reset a Firebox T10, XTM 2 Series, or XTM 33 device, the original configuration settings are
replaced by the factory-default settings. The current feature key is removed.
To reset the device to factory-default settings:
1. Disconnect the power supply.
2. Press and hold the Reset button on the back of the device.
3. Continue to press the Reset button and reconnect the power supply.
4. If the Attn indicator begins to flash, you can release the Reset button. Do not disconnect the
power.
It takes between 30 and 60 seconds for the Attn indicator to flash. For some devices, the Attn
indicator does not flash.
5. If the Attn indicator does not flash, continue to press the Reset button until the Attn indicator is
lit. Then release the Reset button.
It can take between two and four minutes to complete this step, depending on your device model.
6. After the Attn light stays lit and does not flash, disconnect the power supply.
7. Connect the power supply again.
The Power Indicator lights and your device is reset.
Make sure that you complete all of the steps. You must complete Steps 6 and 7 to
restart your device again before you can connect to it.
Reset an XTMv VM to Factory-Default Settings
For an XTMv VM (virtual machine), you cannot use the physical hardware to start the virtual machine in
safe mode. Instead, to reset the virtual machine to factory-default settings, you must use the Fireware
XTM CLI command restore factory-default.
To reset an XTMv VM on ESXi:
1. Log in to the vSphere client.
2. Select the XTMv VM from the inventory.
3. Select the Summary tab.
4. Click Open Console.
5. Log in with the admin account credentials.
6. Type the command restore factory-default.
To reset an XTMv VM on Hyper-V:
1. Log in to the Hyper-V server.
2. Right-click the XTMv VM.
3. From the drop-down menu, select Connect.
4. Log in with the admin account credentials.
5. Type the command restore factory-default.
For more information about how to use the command line interface, see the Fireware XTM Command
Line Interface Reference.
Run the Setup Wizard
After you restore the factory-default settings, you can use the Quick Setup Wizard or Web Setup
Wizard to create a basic configuration or restore a saved backup image.
For more information, see About the Quick Setup Wizard on page 28.
About Factory-Default Settings
The term factory-default settings refers to the configuration on the XTM device when you first receive it,
before you make any changes. You can also reset the XTM device to factory-default settings as
described in Reset a Device on page 57.
The default network and configuration properties for the XTM device are:
Trusted network
Interface 1 (Eth1) is configured as a trusted interface.
The default IP address for the trusted network interface is 10.0.1.1 with a subnet mask of
255.255.255.0.
The default IP address and port for the Fireware XTM Web UI is https://10.0.1.1:8080.
The XTM device is configured to give IP addresses to computers on the trusted network through
DHCP. By default, these IP addresses can be from 10.0.1.2 to 10.0.1.254.
External network
Interface 0 (Eth0) is configured as an external interface.
The XTM device is configured to get an IP address with DHCP.
Optional network
The optional network is disabled.
Default Device Administrator (read/write) user account credentials
User name: admin
Passphrase: readwrite
Default Device Monitor (read-only) user account credentials
User name: status
Passphrase: readonly
Firewall settings
All incoming traffic is denied. The outgoing policy allows all outgoing traffic. Ping requests
received from the external network are denied.
System Security
Each Firebox or XTM device has two default Device Management user accounts that you can
use to manage and monitor your device:
• admin: Device Administrator role with read-write access
• status: Device Monitor role with read-only access
When you first run the Quick Setup Wizard to configure the device, you set the passphrases for
these two user accounts. After you complete the Quick Setup Wizard, you can log in to
Fireware XTM Web UI with either the admin or status user account. For full Device
Administrator access, log in with the admin user name and passphrase. For read-only access,
log in with the status user name and passphrase. The default passphrases listed above are
published, so a device that has just been reset is protected only by them until you complete
the wizard and set new ones.
By default, the XTM device is set up for local management from the trusted network only.
Additional configuration changes must be made to allow administration from the external
network.
Upgrade Options
To enable upgrade options such as WebBlocker, spamBlocker, and Gateway AV/IPS, you
must paste or import the feature key that enables these features into the configuration page, or
use the Get Feature Key option to activate upgrade options. If you start the XTM device in safe
mode, you do not have to import the feature key again.
About Feature Keys
A feature key is a license that enables you to use a set of features on your XTM device. You increase
the functionality of your device when you purchase an option or upgrade and get a new feature key.
When you purchase a new feature for your XTM device, you must activate the new feature on the
WatchGuard web site, and add the feature key to your XTM device. For more information, see Get a
Feature Key for Your XTM Device.
See Features Available with the Current Feature Key
Your XTM device always has one currently active feature key. To see the features available with this
feature key:
1. Connect to Fireware XTM Web UI.
2. Select System > Feature Key.
The Feature Key page appears.
The Summary section includes:
• The device model number and serial number
• The licensed software edition (Fireware XTM or Fireware XTM Pro)
• A signature that uniquely identifies the feature key
• For some feature keys, an expiration date for the entire feature key
If an expiration date appears in the Summary section, this is the date that the key
expires. When the feature key expires, some licensed features and capacities revert
to the values they had before the feature key was applied, and the XTM device
allows only one connection to the external network.
The Features section shows:
• A list of available features
• Whether the feature is enabled
• The value assigned to the feature, such as the number of VLAN interfaces allowed
• The expiration date of the feature, if any
• The current expiration status, such as how many days remain before the feature expires
The Retrieve Feature Key section provides two options to update the feature key on the device.
Click Get Feature Key to download the latest feature key for your device from your account on
the WatchGuard web site. For more information, see Get a Feature Key for Your XTM Device.
Select the Enable automatic feature key synchronization check box to enable the device to
automatically synchronize the feature key with the WatchGuard web site. For more information,
see Enable Automatic Feature Key Synchronization.
Get a Feature Key for Your XTM Device
When you purchase a new feature or upgrade for your XTM device, or when you renew a subscription
service, you must activate a license key on the WatchGuard web site. When you activate the license
key, you select which registered device to apply the key to. Then the WatchGuard web site generates
a new feature key that enables the activated feature for the device you selected. The feature is enabled
on the device after you add the updated feature key to the device.
Activate the License Key for a Feature
To activate a license key and get the feature key for the activated feature:
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click Activate a Product.
The Activate Products page appears.
4. Type the serial number or license key for the product or service. Make sure to include any
hyphens.
Use the serial number to register a new XTM device, and the license key to register add-on
features.
5. Click Continue.
The Choose Product to Upgrade page appears.
6. In the drop-down list, select the device to upgrade or renew.
If you added a device name when you registered your XTM device, that name appears in the
list.
7. Click Activate.
The Retrieve and Apply Key page appears.
8. Copy the contents of the feature key to a text file and save it on your computer.
9. Click Finish.
Even though the XTM device can download the feature key from the WatchGuard
web site, it is a good idea to save the feature key contents to a local file, in case you
need to manually add the feature key to the XTM device when the device does not
have Internet access.
Add the Current Feature Key To The XTM Device
You can use Fireware XTM Web UI or Firebox System Manager to retrieve the current feature key from
the WatchGuard web site and add it directly to your XTM device. Or, you can log in to the WatchGuard
web site to download a current feature key to a file.
To use Fireware XTM Web UI to retrieve the current feature key:
1. Connect to Fireware XTM Web UI.
The Fireware XTM Web UI Dashboard appears.
2. Select System > Feature Key.
The Feature Key Summary page appears.
3. Click Get Feature Key.
Your feature key is downloaded from LiveSecurity and automatically updated on your XTM device.
If you are connected to your device through your Management Server, you do not have to provide
the Configuration passphrase.
To manually retrieve the current feature key from the WatchGuard web site:
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click My Products.
4. In the list of products, select your device.
5. Use the on-screen instructions to download and save a local copy of the feature key to a file.
6. To manually add the feature key to the XTM device, see Manually Add a Feature Key to Your
XTM Device.
Manually Add a Feature Key to Your XTM Device
If you purchase a new option or upgrade your XTM device, you can use Fireware XTM Web UI to
manually add a new feature key to enable the new features. Before you install the new feature key, you
must completely remove the old feature key.
To manually update the feature key on your XTM device from a local file:
1. Select System > Feature Key.
The Firebox Feature Key Summary page appears.
The features that are available with this feature key appear on this page.
2. To remove the current feature key, click Remove.
All feature key information is cleared from the page.
3. Click Update Feature Key.
The Add Firebox Feature Key page appears.
4. Copy the text of the feature key file and paste it in the text box.
5. Click OK.
The Feature Key page reappears with the new feature key information.
Remove a Feature Key
1. Select System > Feature Key.
The Firebox Feature Key page appears.
2. Click Remove Feature Key.
A confirmation dialog box appears.
3. Click Yes to confirm that you want to remove the Feature Key.
All feature key information is cleared from the page.
Enable Automatic Feature Key Synchronization
By default, your XTM device does not automatically update the feature key when features expire. You
can optionally enable automatic feature key synchronization. This enables the device to automatically
download the latest feature key from your account on the WatchGuard web site when a feature is
expired or about to expire.
When you enable automatic feature key synchronization:
• The XTM device immediately checks the expiration dates in the feature key, and continues to
check once per day.
• If any feature is expired, or will expire within three days, the XTM device automatically
downloads the latest feature key from WatchGuard once per day, until it successfully
downloads a feature key that does not have expired features.
• In a FireCluster, the cluster master synchronizes the feature keys for all cluster members.
• If the XTM device attempts to synchronize the feature key and fails to retrieve a feature key
from the WatchGuard server, the device sends an error to the log file. The error log includes
information about the type of failure.
To enable automatic feature key synchronization:
1. Connect to Fireware XTM Web UI.
2. Select System > Feature Key.
The Feature Key page appears.
3. Select the Enable automatic feature key synchronization check box to enable the device to
automatically synchronize the feature key with the WatchGuard web site.
Restart Your Firebox or XTM Device
You can use Fireware XTM Web UI to restart your Firebox or XTM device from a computer on the
trusted network. If you enable external access, you can also restart the XTM device from a computer
on the Internet. You can set the time of day at which your XTM device reboots automatically.
Restart the XTM Device Locally
To restart the XTM device locally, you can use Fireware XTM Web UI or you can power cycle the
device.
Reboot from Fireware XTM Web UI
To reboot the XTM device from Fireware XTM Web UI, you must log in with read-write access.
1. Select Dashboard > Front Panel.
2. In the System section, click Reboot.
Power Cycle
On the XTM 2 Series:
1. Disconnect the 2 Series device power supply.
2. Wait for a minimum of 10 seconds.
3. Connect the power supply again.
On the XTM 5 Series, 8 Series and XTM 1050:
1. Use the power switch to power off the device.
2. Wait for a minimum of 10 seconds.
3. Power on the device.
Restart the XTM Device Remotely
Before you can connect to your XTM device to manage or restart it from a remote computer external to
the XTM device, you must first configure the XTM device to allow management from the external
network.
For more information, see Manage an XTM Device From a Remote Location on page 92.
To restart the XTM device remotely from Fireware XTM Web UI:
1. Select Dashboard > Front Panel.
2. In the System section, click Reboot.
Enable NTP and Add NTP Servers
Network Time Protocol (NTP) synchronizes computer clock times across a network. Your XTM device
can use NTP to get the correct time automatically from NTP servers on the Internet. Because the XTM
device uses the time from its system clock for each log message it generates, the time must be set
correctly. You can change the NTP server that the XTM device uses. You can also add more
NTP servers or delete existing ones, or you can set the time manually.
To use NTP, your XTM device configuration must allow DNS. DNS is allowed in the default
configuration by the Outgoing policy. You must also configure DNS servers for the external interface
before you configure NTP.
1. Select System > NTP.
The NTP Setting page appears.
2. Select the Enable NTP check box.
3. To add an NTP server, select Host IP or Host name in the Choose Type drop-down list, then
type the IP address or host name of the NTP server you want to use in the adjacent text box.
You can configure up to three NTP servers.
4. To delete a server, select the server entry and click Remove.
5. Click Save.
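Before you add a server under System > NTP, it is worth confirming from an administrator workstation that it answers and reports a sane stratum, because a server that cannot be reached leaves the device clock, and with it every log timestamp, unverified. The following Python script is an added example, not part of this guide and not WatchGuard software: it builds a 48-byte SNTP client request, validates the server reply (mode, stratum and the Kiss-o'-Death case), extracts the transmit timestamp, and computes the clock offset as RFC 4330 defines it. query() needs network access; constructed_reply() fabricates a server packet so that the parsing can be exercised offline, and the timestamp value in demo() is constructed, not measured.

```python
"""SNTP (RFC 4330) reachability check for an NTP server. Added example,
not part of Fireware; run it from an administrator workstation."""
import socket
import struct
import time

NTP_PORT = 123
NTP_UNIX_OFFSET = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def build_request():
    """48-byte client packet: LI=0, VN=4, Mode=3; all timestamp fields zero."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | 3
    return bytes(pkt)


def ntp_to_unix(secs, frac):
    """Convert a 64-bit NTP timestamp (32.32 fixed point) to Unix seconds."""
    return secs - NTP_UNIX_OFFSET + frac / 2 ** 32


def parse_reply(data):
    """Validate a server reply and return (stratum, transmit_time_unix)."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    mode = data[0] & 0x07
    if mode != 4:
        raise ValueError(f"expected server mode 4, got mode {mode}")
    stratum = data[1]
    if stratum == 0:
        # Kiss-o'-Death: the reference identifier carries a code such as RATE or DENY
        raise ValueError("kiss-o'-death: " + data[12:16].decode("ascii", "replace"))
    t3 = ntp_to_unix(*struct.unpack("!II", data[40:48]))  # Transmit Timestamp
    return stratum, t3


def clock_offset(t1, t2, t3, t4):
    """RFC 4330 offset ((T2 - T1) + (T3 - T4)) / 2; positive means the local clock is slow."""
    return ((t2 - t1) + (t3 - t4)) / 2


def query(server, timeout=3.0):
    """Send one request; return (stratum, offset_seconds). Needs network access."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()               # T1 is taken locally, so the Originate field stays zero
        s.sendto(build_request(), (server, NTP_PORT))
        data, _ = s.recvfrom(512)
        t4 = time.time()
    stratum, t3 = parse_reply(data)
    t2 = ntp_to_unix(*struct.unpack("!II", data[32:40]))  # Receive Timestamp
    return stratum, clock_offset(t1, t2, t3, t4)


def constructed_reply(unix_secs, fraction=0x80000000, stratum=2):
    """Fabricated server packet for offline testing (constructed, not captured)."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | 4   # LI=0, VN=4, Mode=4 (server)
    pkt[1] = stratum
    ts = struct.pack("!II", unix_secs + NTP_UNIX_OFFSET, fraction)
    pkt[32:40] = ts                    # Receive Timestamp (T2)
    pkt[40:48] = ts                    # Transmit Timestamp (T3)
    return bytes(pkt)


def demo():
    """Parse a constructed reply whose transmit time is 1399852800.5 Unix seconds."""
    return parse_reply(constructed_reply(1399852800))
```

Plain NTP carries no authentication, so anyone who can deliver a packet to the device can answer in place of the server you configured; prefer servers you operate or that your provider runs, and treat a large or changing offset as something to investigate rather than something to correct blindly.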
Set the Time Zone and Basic Device Properties
When you run the Web Setup Wizard, you set the time zone and other basic device properties.
To change the basic device properties:
1. Connect to Fireware XTM Web UI.
2. Select System > Information.
The Information page appears.
3. Configure these options:
Model
The XTM device model number, as determined by the Quick Setup Wizard. If you add a new
feature key to the XTM device with a model upgrade, the XTM device model in the device
configuration is automatically updated.
Name
The friendly name of the XTM device. You can give the XTM device a friendly name that
appears in your log files and reports. Otherwise, the log files and reports use the IP address
of the XTM device external interface. Many customers use a Fully Qualified Domain Name
as the friendly name if they register such a name with the DNS system. You must give the
XTM device a friendly name if you use the Management Server to configure VPN tunnels
and certificates.
Location, Contact
Type any information that could be helpful to identify and maintain the XTM device. These
fields are filled in by the Quick Setup Wizard if you entered this information there.
Time zone
Select the time zone for the physical location of the XTM device. The time zone setting
controls the date and time that appear in the log file and in tools such as WatchGuard
WebCenter and WebBlocker.
4. Click Save.
About SNMP
SNMP (Simple Network Management Protocol) is used to monitor devices on your network. SNMP
uses management information bases (MIBs) to define what information and events are monitored. You
must set up a separate software application, often called an event viewer or MIB browser, to collect
and manage SNMP data.
There are two types of MIBs: standard and enterprise. Standard MIBs are definitions of network and
hardware events used by many different devices. Enterprise MIBs are used to give information about
events that are specific to a single manufacturer.
Your XTM device supports these MIBs:
Standard MIBs        Enterprise MIBs
IF-MIB               IPSEC-ISAKMP-IKE-DOI-TC
IP-MIB               WATCHGUARD-CLIENT-MIB
RFC1155 SMI-MIB      WATCHGUARD-INFO-SYSTEM-MIB
RFC1213-MIB          WATCHGUARD-IPSEC-ENDPOINT-PAIR-MIB
SNMPv2-MIB           WATCHGUARD-IPSEC-SA-MON-MIB-EXT
SNMPv2-SMI           WATCHGUARD-IPSEC-TUNNEL-MIB
TCP-MIB              WATCHGUARD-POLICY-MIB
UDP-MIB              WATCHGUARD-PRODUCTS-MIB
                     WATCHGUARD-SMI
                     WATCHGUARD-SYSTEM-CONFIG-MIB
                     WATCHGUARD-SYSTEM-STATISTICS-MIB
SNMP Polls and Traps
You can configure your XTM device to accept SNMP polls from an SNMP server. The XTM device
reports information to the SNMP server, such as the traffic count from each interface, device uptime,
the number of TCP packets received and sent, and when each network interface on the XTM device
was last modified.
An SNMP trap is an event notification your XTM device sends to an SNMP management station. The
trap identifies when a specific condition occurs, such as a value that is more than its predefined
threshold. Your XTM device can send a trap for any policy in Policy Manager. A trap is sent only once,
and the receiver does not send any acknowledgment when it gets the trap.
An SNMP inform request is similar to a trap, but the receiver sends a response. If your XTM device
does not get a response, it sends the inform request again until the SNMP manager sends a response.
Enable SNMP Polling
You can configure your XTM device to accept SNMP polls from an SNMP server. Your XTM device
reports information to the SNMP server such as the traffic count from each interface, device uptime,
the number of TCP packets received and sent, and when each network interface was last modified.
1. Select System > SNMP.
The SNMP page appears.
2. To enable SNMP, from the Version drop-down list, select v1/v2c or v3.
3. If you selected v1/v2c, type the Community String the SNMP server uses when it contacts the
XTM device.
The community string is like a user ID or password that allows access to the statistics of a
device.
If you selected v3, type the User Name the SNMP server uses when it contacts the XTM
device.
4. If you selected v3 and your SNMP server uses authentication, from the Authentication
Protocol drop-down list, select MD5 or SHA1.
In the adjacent Password and Confirm text boxes, type the authentication password.
5. If you selected v3 and your SNMP server uses encryption, from the Privacy Protocol drop-
down list, select DES.
In the adjacent Password and Confirm text boxes, type the encryption password.
6. Click Save.
To enable your XTM device to receive SNMP polls, you must also add an SNMP packet filter policy.
1. Select Firewall > Firewall Policies.
2. Click Add Policy.
3. From the Packet Filters drop-down list, select SNMP. Click Add Policy.
The Policy Configuration page appears.
4. In the From section, click Add.
The Add Member dialog box appears.
5. From the Member type drop-down list, select Host IP.
6. In the Member type text box, type the IP address of your SNMP server. Click OK.
The IP address of the SNMP server appears in the From list.
7. From the From list, select Any-Trusted. Click Remove.
8. In the To section, click Add.
The Add Member dialog box appears.
9. From the drop-down list, select Firebox. Click OK.
Firebox appears in the To list.
10. From the To list, select Any-External. Click Remove.
11. Click Save.
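The Community String in step 3 is the only credential an SNMPv1 or v2c poller presents, and it is carried as a plain OCTET STRING in every request, which is why the policy above is narrowed to the SNMP server's own host address and why v3 with an authentication and privacy protocol is the stronger choice. The following is an added example, not WatchGuard code and not part of this guide: a minimal BER encoder and decoder for a v1/v2c GetRequest, so you can see exactly what is visible on the wire. The OID 1.3.6.1.2.1.1.3.0 is sysUpTime.0 from the standard SNMPv2-MIB listed above; the community string "public" and the request id are constructed sample values.

```python
"""Minimal BER encoder/decoder for SNMPv1/v2c GetRequest messages (added example)."""
from __future__ import annotations

# ASN.1/BER tags used in SNMP messages
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, GET_REQUEST = 0x02, 0x04, 0x05, 0x06, 0x30, 0xA0
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"  # sysUpTime.0 from SNMPv2-MIB (standard OID)


def _tlv(tag: int, payload: bytes) -> bytes:
    """Wrap payload in a tag-length-value triplet, using long-form length when needed."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + payload


def _encode_int(value: int) -> bytes:
    """BER INTEGER: minimal-length two's-complement."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return _tlv(INTEGER, value.to_bytes(n, "big", signed=True))


def _encode_oid(oid: str) -> bytes:
    """BER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))


def encode_get_request(community: str, oids: list[str], request_id: int = 1, version: int = 1) -> bytes:
    """Build a GetRequest; version 0 is SNMPv1, 1 is SNMPv2c. The community is written as-is."""
    varbinds = b"".join(_tlv(SEQUENCE, _encode_oid(o) + _tlv(NULL, b"")) for o in oids)
    pdu = _tlv(GET_REQUEST, _encode_int(request_id) + _encode_int(0) + _encode_int(0)
               + _tlv(SEQUENCE, varbinds))
    return _tlv(SEQUENCE, _encode_int(version) + _tlv(OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, payload, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(payload: bytes) -> str:
    arcs, value = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_message(buf: bytes) -> dict:
    """Parse a v1/v2c message; anyone on the path can read the community string this way."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, req_id, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)  # error-status
    _, _, pos = _read_tlv(pdu, pos)  # error-index
    _, vb_list, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vb_list):
        _, vb, pos = _read_tlv(vb_list, pos)
        _, oid_bytes, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid_bytes))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(),
            "pdu_type": pdu_tag,
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "oids": oids}


if __name__ == "__main__":
    pkt = encode_get_request("public", [SYS_UPTIME])  # "public" is a constructed sample value
    print(pkt.hex())
    print(decode_message(pkt))
```

The 40-byte packet this produces contains the bytes of "public" unchanged between the version integer and the PDU; a capture of the SNMP policy's traffic would show the same. SNMPv3 with an Authentication Protocol and Privacy Protocol (steps 4 and 5) replaces this field with a user name, a keyed digest and an encrypted PDU.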
Enable SNMP Management Stations and Traps
An SNMP trap is an event notification your XTM device sends to an SNMP management station. The
trap identifies when a specific condition occurs, such as a value that is more than its predefined
threshold. Your XTM device can send a trap for any policy.
An SNMP inform request is similar to a trap, but the receiver sends a response. If your XTM device
does not get a response, it sends the inform request again until the SNMP manager sends a response.
A trap is sent only once, and the receiver does not send any acknowledgement when it gets the trap.
An inform request is more reliable than a trap because your XTM device knows whether the inform
request was received. However, inform requests consume more resources. They are held in memory
until the sender gets a response. If an inform request must be sent more than once, the retries increase
traffic. Because each sent receipt increases the amount of memory in use on the device and the amount
of network traffic, we recommend that you consider whether it is necessary to send a receipt for every
SNMP notification.
To enable SNMP inform requests, you must use SNMPv2 or SNMPv3. SNMPv1 supports only traps,
not inform requests.
Configure SNMP Management Stations
1. Select System > SNMP.
The SNMP page appears.
2. From the SNMP Traps drop-down list, select a trap or inform.
SNMPv1 supports only traps, not inform requests.
3. In the SNMP Management Stations text box, type the IP address of your SNMP server. Click
Add.
The IP address appears in the SNMP Management Stations list.
4. To remove a server from the list, select the entry and click Remove.
5. Click Save.
Add an SNMP Policy
To enable your XTM device to receive SNMP polls, you must also add an SNMP policy.
1. Select Firewall > Firewall Policies.
2. Click Add Policy.
3. From the Packet Filters drop-down list, select SNMP. Click Add Policy.
The Policy Configuration page appears.
4. In the Name text box, type a name for the policy.
5. Select the Enable check box.
6. In the From section, click Add.
The Add Member dialog box appears.
7. From the Member type drop-down list, select Host IP.
8. In the text box, type the IP address of your SNMP server. Click OK.
9. From the From list, select Any-Trusted. Click Remove.
10. In the To section, click Add.
The Add Member dialog box appears.
11. From the drop-down list, select Firebox. Click OK.
12. From the To list, select Any-External. Click Remove.
13. Click Save.
Send an SNMP Trap for a Policy
Your XTM device can send an SNMP trap when traffic is filtered by a policy. You must have at least
one SNMP management station configured to enable SNMP traps.
1. Select Firewall > Firewall Policies.
2. Click a policy.
Or, select a policy check box and from the Action drop-down list, select Edit Policy.
The Policy Configuration page appears.
3. Select the Settings tab.
4. In the Logging section, select the Send SNMP Trap check box.
5. Click Save.
About Management Information Bases (MIBs)
Fireware XTM supports two types of Management Information Bases (MIBs).
Standard MIBs
Standard MIBs are definitions of network and hardware events used by many different devices.
Your XTM device supports these standard MIBs:
n IF-MIB
n IP-MIB
n RFC1155 SMI-MIB
n RFC1213-MIB
n SNMPv2-MIB
n SNMPv2-SMI
n TCP-MIB
n UDP-MIB
These MIBs include information about standard network information, such as IP addresses and
network interface settings.
Enterprise MIBs
Enterprise MIBs are used to give information about events that are specific to a single
manufacturer. Your XTM device supports these enterprise MIBs:
n IPSEC-ISAKMP-IKE-DOI-TC
n WATCHGUARD-CLIENT-MIB
n WATCHGUARD-INFO-SYSTEM-MIB
n WATCHGUARD-IPSEC-ENDPOINT-PAIR-MIB
n WATCHGUARD-IPSEC-SA-MON-MIB-EXT
n WATCHGUARD-IPSEC-TUNNEL-MIB
n WATCHGUARD-POLICY-MIB
n WATCHGUARD-PRODUCTS-MIB
n WATCHGUARD-SMI
n WATCHGUARD-SYSTEM-CONFIG-MIB
n WATCHGUARD-SYSTEM-STATISTICS-MIB
These MIBs include more specific information about device hardware.
If you want to install all MIBs, you must run the Fireware XTM OS installer for all XTM models you use.
You can find the Fireware XTM OS installer on the WatchGuard Portal.
About WatchGuard Passphrases, Encryption Keys, and Shared Keys
As part of your network security solution, you use passphrases, encryption keys, and shared keys.
This topic includes information about most of the passphrases, encryption keys, and shared keys you
use for WatchGuard products. It does not include information about third-party passwords or
passphrases. Information about restrictions for passphrases, encryption keys, and shared keys is also
included in the related procedures.
Create a Secure Passphrase, Encryption Key, or Shared Key
To create a secure passphrase, encryption key, or shared key, we recommend that you:
n Use a combination of uppercase and lowercase ASCII characters, numbers, and special
characters (for example, Im4e@tiN9).
n Do not use a word from standard dictionaries, even if you use it in a different sequence or in a
different language.
n Do not use a name. It is easy for an attacker to find a business name, familiar name, or the
name of a famous person.
As an additional security measure, we recommend that you change your passphrases, encryption
keys, and shared keys at regular intervals.
Device Default Account Passphrases
A Firebox or XTM device has two built-in user accounts and passphrases that you can use to connect
to your device:
Status passphrase
The built-in read-only password or passphrase that allows access to the device with the status
user account. The status user account is assigned the Device Monitor role. When you log in
with the status user account, you can review your configuration, but you cannot save changes
to the XTM device.
Configuration passphrase
The built-in read-write password or passphrase that allows an administrator full access to the
device with the admin user account. The admin user account is assigned the Device
Administrator role. You must use this passphrase to save configuration changes to your
device, or to change your device passphrases, if you do not create additional Device
Administrator user accounts.
Each of these passphrases must be at least 8 characters.
User Passphrases
You can create user names and passphrases to use with Firebox authentication and role-based
administration.
User Passphrases for Firebox authentication
After you set this user passphrase, the characters are masked and it does not appear in simple
text again. If the passphrase is lost, you must set a new passphrase. The allowed range for this
passphrase is 8 to 32 characters.
User Passphrases for role-based administration
After you set this user passphrase, it does not appear again in the User and Group Properties
dialog box. If the passphrase is lost, you must set a new passphrase. This passphrase must be
at least 8 characters.
Server Passphrases
Administrator passphrase
The Administrator passphrase is used to control access to the WatchGuard Server Center. You
also use this passphrase when you connect to your Management Server from WatchGuard
System Manager (WSM). This passphrase must be at least 8 characters. The Administrator
passphrase is associated with the user name admin.
Authentication server shared secret
The shared secret is the key the XTM device and the authentication server use to secure the
authentication information that passes between them. The shared secret is case-sensitive and
must be the same on the XTM device and the authentication server. RADIUS, SecurID, and
VASCO authentication servers all use a shared key.
Encryption Keys and Shared Keys
Log Server encryption key
The encryption key is used to create a secure connection between the XTM device and the Log
Servers, and to avoid man-in-the-middle attacks. The allowed range for the encryption key is 8
to 32 characters. You can use all characters except spaces and slashes (/ or \).
Backup/Restore encryption key
This is the encryption key you create to encrypt a backup file of your XTM device configuration.
When you restore a backup file, you must use the encryption key you selected when you
created the configuration backup file. If you lose or forget this encryption key, you cannot
restore the backup file. The encryption key must be at least 8 characters, and cannot be more
than 15 characters.
VPN shared key
The shared key is a passphrase used by two devices to encrypt and decrypt the data that goes
through the tunnel. The two devices use the same passphrase. If the devices do not have the
same passphrase, they cannot encrypt and decrypt the data correctly.
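The composition rules in Create a Secure Passphrase, Encryption Key, or Shared Key and the per-credential length and character restrictions listed above are easy to check before a value is typed into the Web UI. The following is an added example written for this guide, not a WatchGuard tool: it encodes the stated limits for each credential type (minimum 8 everywhere, a maximum of 32 for Firebox authentication users and the Log Server key, a maximum of 15 for the backup key, no spaces or slashes in the Log Server key) together with the character-class, dictionary-word and name checks. The DICTIONARY and NAMES sets are small constructed stand-ins that you would replace with a real word list and a list of names relevant to your organization; the LEET substitution table is an assumption about how people disguise dictionary words.

```python
"""Check a passphrase, encryption key, or shared key against this section's guidance
(added example; constructed wordlists stand in for real dictionary and name lists)."""
from __future__ import annotations
import re

# (minimum, maximum) length the guide states per credential; None = no stated maximum
LIMITS = {
    "device_passphrase": (8, None),   # status and configuration passphrases
    "firebox_auth_user": (8, 32),     # user passphrases for Firebox authentication
    "rba_user": (8, None),            # user passphrases for role-based administration
    "server_admin": (8, None),        # WatchGuard Server Center Administrator passphrase
    "log_server_key": (8, 32),        # also: no spaces or slashes
    "backup_key": (8, 15),            # Backup/Restore encryption key
}
# Constructed stand-ins: replace with a real dictionary and the names an attacker could guess.
DICTIONARY = {"password", "watchguard", "firewall", "welcome", "dragon", "summer"}
NAMES = {"alice", "bob", "acme", "einstein"}
# Assumed common substitutions, folded away before the dictionary and name checks
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def _letters_only(secret: str) -> str:
    """Lowercase, undo substitutions, and keep only letters for wordlist comparison."""
    return re.sub(r"[^a-z]", "", secret.lower().translate(LEET))


def check_secret(secret: str, kind: str) -> list[str]:
    """Return the rule violations for a secret of the given kind; empty list means it passes."""
    lo, hi = LIMITS[kind]
    problems: list[str] = []
    if not (secret.isascii() and secret.isprintable()):
        problems.append("contains non-ASCII or non-printable characters")
    if len(secret) < lo:
        problems.append(f"shorter than {lo} characters")
    if hi is not None and len(secret) > hi:
        problems.append(f"longer than {hi} characters")
    if kind == "log_server_key" and re.search(r"[ /\\]", secret):
        problems.append("contains a space or slash")
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, secret) for c in classes):
        problems.append("needs uppercase, lowercase, a digit, and a special character")
    word = _letters_only(secret)
    if word in DICTIONARY or word[::-1] in DICTIONARY:
        problems.append("is a dictionary word (possibly reversed or with substitutions)")
    if word in NAMES or word[::-1] in NAMES:
        problems.append("is a name")
    return problems


if __name__ == "__main__":
    samples = [("Im4e@tiN9", "firebox_auth_user"),      # the guide's own example value
               ("P@ssw0rd", "device_passphrase"),       # constructed weak value
               ("Im4e@tiN9-LongKey", "backup_key")]     # constructed, too long for this key
    for secret, kind in samples:
        print(f"{kind:18} {secret:20} {check_secret(secret, kind) or 'ok'}")
```

The guide's own example, Im4e@tiN9, passes every check; P@ssw0rd satisfies the character-class rule but is rejected once the substitutions are undone, which is the case the "different sequence" bullet warns about.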
Define Device Global Settings
From Fireware XTM Web UI, you can specify the settings that control the actions of many Firebox or
XTM device features. You can configure the basic parameters for:
n ICMP error handling
n TCP SYN checking
n TCP connection idle timeout
n TCP maximum size adjustment
n Traffic management and QoS
n Web UI port
n External console connections through the serial port
n Automatic device reboot
To configure the global settings:
1. Select System > Global Settings.
The Global Settings dialog box appears.
2. On the General tab, configure settings for these global categories, as described in the
subsequent sections:
n Web UI Port
n Automatic Reboot
n Device Feedback
3. On the Networking tab, configure settings for these global categories, as described in the
subsequent sections:
n ICMP Error Handling
n TCP Settings
n Traffic Management and QoS
n Traffic Flow
4. Click Save.
Change the Web UI Port
By default, Fireware XTM Web UI uses port 8080.
To change the default port:
1. In the Web UI Port text box, type or select a different port number.
2. Use the new port to connect to Fireware XTM Web UI and test the connection with the new
port.
Automatic Reboot
You can schedule your XTM device to automatically reboot at the day and time you specify.
To schedule an automatic reboot for your device:
1. Select the Schedule time for reboot check box.
2. In the adjacent drop-down list, select Daily to reboot at the same time every day or select a day
of the week for a weekly reboot.
3. In the adjacent text boxes, type or select the hour and minute of the day (in 24-hour time format)
that you want the reboot to start.
Device Feedback
When you create a new configuration file for your XTM device, or upgrade your XTM device to Fireware
XTM OS v11.7.3 or higher, by default, your XTM device is configured to send feedback to
WatchGuard. This feedback helps WatchGuard to improve products and features. It includes
information about how your device is used and issues you encounter with your XTM device, but does
not include any information about your company or any company data that is sent through the XTM
device. Because of this, your device data is anonymous. All device feedback that is sent to
WatchGuard is encrypted.
This feature is only available for XTM devices that run Fireware XTM v11.7.3 or higher.
WatchGuard uses the information from the device feedback data to understand the geographic
distribution of Fireware XTM OS versions. The data WatchGuard collects includes summarized
information about which features and services are used on XTM devices, about threats that are
intercepted, and about device health and performance. This information helps WatchGuard to better
determine which areas of the product to enhance to provide the most benefits to customers and users.
When device feedback is enabled, feedback is sent to WatchGuard once every six days and each time
the device reboots.
Device feedback includes this information:
n Device details
o XTM device serial number
o Fireware XTM OS version and build number
o Firebox or XTM device model
o Device uptime since the last restart
n Device sizing details
o Count of policies
o Number of enabled interfaces
o Number of BOVPN tunnels
o Number of VLANs
o Configuration file size
n Performance details
o Maximum number of sessions
o Maximum number of proxy connections
o Maximum CPU usage
o Maximum memory usage
n Feature usage details
o Whether the device is under Centralized Management and the management mode for the
device
o The number of Access Points (AP) configured on the device
o The authentication options configured on the device
o Whether the device is a member of a FireCluster and in Active/Active or Active/Passive
mode
o Whether the VoIP security feature is enabled
o Whether Intrusion Prevention Service (IPS) is enabled
o The logging options configured on the device
n Security Services details
o Intrusion Prevention Service (IPS)
o Gateway AntiVirus (GAV)
o WebBlocker
o spamBlocker
o Data Loss Prevention (DLP)
o APT Blocker
n Access Point details
o Whether the Gateway Wireless Controller is enabled
o The number of AP devices configured on the device
o The number of SSIDs configured on the device
o Whether the Wireless Hotspot is enabled
Use of the device feedback feature is entirely voluntary. You can disable it at any time.
To disable device feedback:
Clear the Send device feedback to WatchGuard check box.
Define ICMP Error Handling Global Settings
Internet Control Message Protocol (ICMP) settings control how errors in connections are reported.
ICMP messages can be used to:
n Tell client hosts about error conditions
n Probe a network to find general characteristics about the network
The XTM device sends an ICMP error message each time an event occurs that matches one of the
parameters you selected. These messages are good tools to use when you troubleshoot problems, but
can also decrease security because they expose information about your network. If you deny these
ICMP messages, you can increase security if you prevent network probes, but this can also cause
timeout delays for incomplete connections, which can cause application problems.
Settings for global ICMP error handling are:
Fragmentation Req (PMTU)
Select this check box to allow ICMP Fragmentation Req messages. The XTM device uses
these messages to find the MTU path.
Time Exceeded
Select this check box to allow ICMP Time Exceeded messages. A router usually sends these
messages when a route loop occurs.
Network Unreachable
Select this check box to allow ICMP Network Unreachable messages. A router usually sends
these messages when a network link is broken.
Host Unreachable
Select this check box to allow ICMP Host Unreachable messages. Your network usually sends
these messages when it cannot use a host or service.
Port Unreachable
Select this check box to allow ICMP Port Unreachable messages. A host or firewall usually
sends these messages when a network service is not available or is not allowed.
Protocol Unreachable
Select this check box to allow ICMP Protocol Unreachable messages.
To override these global ICMP settings for a specific policy, from Fireware XTM Web UI:
1. Select Firewall > Firewall Policies.
2. Double-click the policy to edit it.
The Policy Edit page appears.
3. Select the Advanced tab.
4. Select the Use policy-based ICMP error handling check box.
5. Select only the check boxes for the settings you want to enable.
6. Click Save.
Configure TCP Settings
Enable TCP SYN checking
To enable TCP SYN checking to make sure that the TCP three-way handshake is completed
before the XTM device allows a data connection, select this option.
TCP connection idle timeout
The amount of time that the TCP connection can be idle before a connection timeout occurs.
Specify a value in seconds, minutes, hours, or days. The default setting is 1 hour.
You can also configure a custom idle timeout for an individual policy. For more information, see
Set a Custom Idle Timeout on page 635.
If you configure this global idle timeout setting and also enable a custom idle timeout for a
policy, the custom idle timeout setting takes precedence over the global idle timeout setting for
only that policy.
TCP maximum segment size control
The TCP segment can be set to a specified size for a connection that must have more TCP/IP
layer 3 overhead (for example, PPPoE, ESP, or AH). If this size is not correctly configured,
users cannot get access to some web sites.
The global TCP maximum segment size adjustment settings are:
n Auto Adjustment: This option enables the XTM device to examine all maximum
segment size (MSS) negotiations and change the MSS value to the applicable one.
n No Adjustment: The XTM device does not change the MSS value.
n Limit to: Type or select a size adjustment limit.
Enable or Disable Traffic Management and QoS
For performance testing or network debugging purposes, you can disable the Traffic Management and
QoS features.
To enable these features:
Select the Enable all traffic management and QoS features check box.
To disable these features:
Clear the Enable all traffic management and QoS features check box.
Manage Traffic Flow
By default, your XTM device does not close active connections when you modify a static NAT action
used by a policy. You can override this default setting and enable your XTM device to close any active
connections through a policy that uses an SNAT action that you modify.
To override the default Traffic Flow setting and enable this feature, in the Traffic Flow section:
Select the When an SNAT action changes, clear active connections that use that SNAT
action check box.
About WatchGuard Servers
When you install the WatchGuard System Manager software, you can choose to install one or more of
the WatchGuard servers. You can also run the installation program and select to install only one or
more of the servers, without WatchGuard System Manager. When you install a server, the
WatchGuard Server Center program is automatically installed. WatchGuard Server Center is a single
application you can use to set up and configure all your WatchGuard System Manager servers. You
can also use WatchGuard Server Center to back up and restore your Management Server.
When you use Fireware XTM Web UI to manage your XTM devices, you can choose to also use
WatchGuard servers and WatchGuard Server Center. For more information about WatchGuard
System Manager, WatchGuard servers, and WatchGuard Server Center, see the Fireware
XTM WatchGuard System Manager v11.x Help and the Fireware XTM WatchGuard System Manager
v11.x User Guide.
The five WatchGuard servers are:
n Management Server
n Log Server
n Report Server
n Quarantine Server
n WebBlocker Server
For more information about WatchGuard System Manager and WatchGuard servers, see the Fireware
XTM WatchGuard System Manager v11.x Help or v11.x User Guide.
Each server has a specific function:
Management Server
The Management Server operates on a Windows computer. With this server, you can manage
all firewall devices and create virtual private network (VPN) tunnels with a simple drag-and-drop
function. The basic functions of the Management Server are:
n Certificate authority to distribute certificates for Internet Protocol Security (IPSec) tunnels
n VPN tunnel configuration management
n Management for multiple XTM devices
For more information about the Management Server, see the Fireware XTM WatchGuard
System Manager v11.x Help or v11.x User Guide.
Log Server
The Log Server collects log messages from each XTM device and stores them in a PostgreSQL
database. The log messages are encrypted when they are sent to the Log Server. The log
message format is XML (plain text). The types of log message that the Log Server collects
include traffic log messages, event log messages, alarms, and diagnostic messages. You can
view the log messages from your XTM devices with FSM Traffic Monitor and in Log and Report
Manager.
For more information about Log Servers, see the Fireware XTM WatchGuard System Manager
v11.x Help or v11.x User Guide.
For more information about how to view log messages, see Traffic Monitor on page 900.
Report Server
The Report Server periodically consolidates data collected by your Log Servers from your XTM
devices, and stores it in a PostgreSQL database. The Report Server then generates the
reports you specify. When the data is on the Report Server, you can review it with Log and
Report Manager.
For more information about the Report Server, see the Fireware XTM WatchGuard System
Manager v11.x Help or v11.x User Guide.
Quarantine Server
The Quarantine Server collects and isolates email messages that spamBlocker identifies as
possible spam.
For more information on the Quarantine Server, see About the Quarantine Server on page 1467.
WebBlocker Server
The WebBlocker Server operates with the HTTP-proxy to deny user access to specified
categories of web sites. When you configure an XTM device, you set the web site categories
you want to allow or block.
For more information about WebBlocker and the WebBlocker Server, see About WebBlocker on
page 1315.
Manage an XTM Device From a Remote Location
When you configure an XTM device with the Quick Setup Wizard, the WatchGuard policy is created
automatically. This policy allows you to connect to and administer the XTM device from any computer
on the trusted or optional networks. To manage the XTM device from a remote location (any location
external to the XTM device), you must modify the WatchGuard policy to allow administrative
connections from the IP address of your remote location.
The WatchGuard policy controls access to the XTM device on these TCP ports: 4105, 4117, 4118.
When you allow connections in the WatchGuard policy, you allow connections to each of these ports.
Before you modify the WatchGuard policy, we recommend that you consider connecting to the XTM
device with a VPN. This greatly increases the security of the connection. If this is not possible, we
recommend that you allow access from the external network to only certain authorized users and to the
smallest number of computers possible. For example, your configuration is more secure if you allow
connections from a single computer instead of from the alias Any-External.
1. Select Firewall > Firewall Policies.
2. Click the WatchGuard policy.
Or, select the WatchGuard policy and from the Action drop-down list, select Edit Policy.
The Firewall Policies/Edit page appears.
3. In the From section, click Add.
The Add Member dialog box appears.
4. To add the IP address of the external computer that connects to the XTM device, from the
Member type drop-down list, select Host IP, and click OK. Type the IP address.
5. To give access to an authorized user, from the Member Type drop-down list, select Alias.
For information about how to create an alias, see Create an Alias on page 615.
Configure an XTM Device as a Managed Device
If your XTM device has a dynamic IP address, or if the Management Server cannot connect to it for
another reason, you can configure the XTM device as a managed device before you add it to the
Management Server.
If your Management Server is not behind a gateway Firebox, you must configure the firewall that is
between the Management Server and the Internet to allow connections to the Management Server
public IP address over TCP ports 4110, 4112, and 4113.
Edit the WatchGuard Policy
1. Select Firewall > Firewall Policies.
The Firewall policies page appears.
2. Double-click the WatchGuard policy to open it.
The Policy Configuration page for the WatchGuard policy appears.
3. In the Connections are drop-down list, make sure Allowed is selected.
4. In the From section, click Add.
The Add Member dialog box appears.
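Once the WatchGuard policy admits connections from outside the trusted and optional networks, the administrative ports it controls (TCP 4105, 4117 and 4118) deserve the same watch as any other exposed service: every accepted connection to them should come from a host you deliberately added in step 4 or from a VPN. The following is an added example written for this guide, not WatchGuard code: it reads firewall log lines, keeps only accepted connections to those ports, and reports any whose source falls outside an allowlist. The line layout and the sample lines are constructed for the example (real Fireware log messages are formatted differently, so the regular expression would need to be adapted), and the addresses come from documentation and benchmark ranges.

```python
"""Flag accepted connections to the device management ports from sources that are not on
an explicit allowlist (added example; constructed, simplified log format)."""
from __future__ import annotations
import ipaddress
import re

# TCP ports the WatchGuard policy controls, as stated in this section of the guide
MGMT_PORTS = {4105, 4117, 4118}

# Constructed line layout for this example; adapt the pattern to your real log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<disp>Allow|Deny) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\S+) policy=(?P<policy>\S+)$"
)

# Constructed sample log: one trusted-network admin, one authorized remote host (203.0.113.7),
# and one unexpected external source (198.18.5.9) that is allowed in on 4105.
SAMPLE_LOG = """\
2014-05-12T09:00:01 Allow 10.0.1.25:50123 -> 10.0.1.1:4105 tcp policy=WatchGuard
2014-05-12T09:00:05 Allow 203.0.113.7:41022 -> 198.51.100.2:4117 tcp policy=WatchGuard
2014-05-12T09:00:09 Allow 198.18.5.9:60512 -> 198.51.100.2:4105 tcp policy=WatchGuard
2014-05-12T09:00:12 Deny 198.18.5.9:60513 -> 198.51.100.2:4118 tcp policy=WatchGuard
2014-05-12T09:00:15 Allow 198.18.5.9:60514 -> 198.51.100.2:443 tcp policy=HTTPS
"""


def unexpected_admin_access(log_text: str, allowed: list[str]) -> list[tuple[str, str, int, str]]:
    """Return (timestamp, source, port, policy) for each allowed management-port connection
    whose source address is outside the allowlist of hosts or networks."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    hits: list[tuple[str, str, int, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["disp"] != "Allow":
            continue                      # denied or unparsable lines are not findings
        port = int(m["dport"])
        if port not in MGMT_PORTS:
            continue                      # only the administrative ports matter here
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in nets):
            hits.append((m["ts"], m["src"], port, m["policy"]))
    return hits


if __name__ == "__main__":
    # Allowlist: the trusted network plus the single remote administrator host added in step 4
    for hit in unexpected_admin_access(SAMPLE_LOG, ["10.0.0.0/8", "203.0.113.7"]):
        print("management access from unexpected source:", hit)
```

With the allowlist shown, only the 198.18.5.9 connection on port 4105 is reported; the denied attempt on 4118 and the HTTPS connection are ignored. If the policy's From list were widened to Any-External, this check is what would tell you how many sources actually reach the management ports.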
5. In the Member Type drop-down list, select Host IP.
6. In the Member type text box, type the IP address of the external interface of the gateway
Firebox.
If you do not have a gateway Firebox that protects the Management Server from the Internet,
type the static IP address of your Management Server.
7. Click OK to close the Add Member dialog box.
8. Make sure the To section includes an entry of either Firebox or Any.
9. Click Save.
You can now add the device to your Management Server configuration. When you add this XTM device
to the Management Server configuration, the Management Server automatically connects to the static
IP address and configures the XTM device as a managed device.
Set Up the Managed Device
(Optional) If your XTM device has a dynamic IP address, or if the Management Server cannot find the
IP address of the XTM device for any reason, you can use this procedure to prepare your XTM device
to be managed by the Management Server.
The XTM device that protects your Management Server (the gateway Firebox) automatically monitors
all ports used by the Management Server and forwards any connection on these ports to the configured
Management Server. When you use the Management Server Setup Wizard, the wizard adds a WG-
Mgmt-Server policy to your configuration to handle these connections. If you did not use the
Management Server Setup Wizard on the Management Server, or if you skipped the Gateway Firebox
step in the wizard, you must manually add the WG-Mgmt-Server policy to the configuration of your
gateway Firebox. When you add this policy, communication to the Management Server over TCP ports
4110, 4112, and 4113 is automatically allowed.
If your Management Server is not behind a gateway Firebox, make sure to configure the firewall that is
between the Management Server and the Internet to allow connections to the Management Server
public IP address over TCP ports 4110, 4112, and 4113.
1. Select System > Managed Device.
The Managed Device page appears.
2. To set up an XTM device as a managed device, select the Centralized Management check
box.
3. In the Managed Device Name text box, type the name you want to give the XTM device when
you add it to the Management Server configuration.
This name is case-sensitive and must match the name you use when you add the device to the
Management Server configuration. This can also be the IP address of the device.
4. In the Management Server IP Address(es) list, select the public IP address of the
Management Server.
Or, if the Management Server is behind a gateway Firebox, select the public IP address of the
gateway Firebox for the Management Server.
5. To add a Management Server IP address, type the IP address in the text box and click Add.
6. In the Shared Secret and Confirm text boxes, type the shared secret.
The shared secret you type here must match the shared secret you type when you add the
device to the Management Server configuration.
7. Copy the text of your Management Server CA certificate file and paste it in the Management Server CA Certificate text box.
8. Click Save.
When you save the configuration to the XTM device, the XTM device is enabled as a managed device. The managed XTM device tries to connect to the IP address of the Management Server on TCP port 4110. Management connections are allowed from the Management Server to this managed XTM device.
You can now add the device to your Management Server configuration. For more information, see the WatchGuard System Manager Help or User Guide.
You can also use WSM to configure the management mode for your device. For more information, see the WatchGuard System Manager Help or User Guide.
After you have configured your XTM device as a managed device, if your device is in a remote location behind a third-party NAT gateway, you can configure a Management Tunnel to enable contact with the XTM device. For more information about Management Tunnels, see the WatchGuard System Manager Help.
Configure a Deployed Remote Device for a Management Tunnel over SSL
To enable a Management Tunnel over SSL for a remote Firebox or XTM device that is already deployed to a remote location behind a third-party NAT device, you can connect directly to the remote device to manually configure the Managed Device Settings for the remote device. This option is useful when the remote Firebox or XTM device cannot contact the Management Server through the Management Tunnel over SSL because the connection is blocked by the third-party NAT device.
Before you complete the steps in this procedure to configure your remote device for a Management Tunnel over SSL, you must add your device to the Management Server. For more information, see the Configure Management Tunnels topic in the WatchGuard System Manager Help.
To configure the remote device for a Management Tunnel over SSL:
1. Select System > Managed Device Settings.
2. Make sure the Centralized Management check box is selected.
3. Select the Management Tunnel tab.
4. Select the Use an SSL tunnel for remote management check box.
5. In the SSL Server text box, type the IP address of the OpenVPN server.
This is the IP address of your Management Tunnel Gateway device.
6. In the SSL Tunnel ID text box, type a unique name for the Management Tunnel over SSL.
7. In the SSL Tunnel Password text box, type the password for the Management Tunnel over SSL.
8. Click Save.
You can also use Policy Manager or the WatchGuard Command Line Interface to configure the remote XTM device for a Management Tunnel over SSL. For more information, see the WatchGuard System Manager Help or the Command Line Interface Reference.
Upgrade to a New Version of Fireware XTM
Periodically, WatchGuard makes new versions of Fireware XTM OS available to XTM device users with active LiveSecurity subscriptions. To upgrade from one version of Fireware XTM OS to a new version of Fireware XTM OS, use the procedures in the subsequent sections.
In Fireware XTM v11.7 and higher, if you use the Fireware XTM Web UI upgrade feature to downgrade the version of Fireware XTM OS, the downgrade process resets the configuration to factory default settings. The downgrade process does not change the device passphrases and does not remove the feature keys and certificates.
Install the Upgrade on Your Management Computer
1. Download the updated Fireware XTM OS installer file from the WatchGuard Portal on the WatchGuard web site at http://www.watchguard.com.
2. Start the installer file that you downloaded and follow the instructions in the installer to install the Fireware XTM upgrade file on your management computer.
By default, the upgrade file is installed in one of these locations:
Windows 32-bit operating systems
C:\Program Files\Common Files\WatchGuard\resources\FirewareXTM\11.x
Windows 64-bit operating systems
C:\Program Files (x86)\Common Files\WatchGuard\resources\FirewareXTM\11.x
Upgrade the XTM Device
To use the Web UI to upgrade a member of a FireCluster, you must upgrade the backup master first, and then upgrade the other cluster member to the same OS version. We recommend you use Policy Manager to upgrade a FireCluster, if possible, because Policy Manager can automatically upgrade both cluster members to the same OS version, in the correct order.
1. Select System > Backup Image to save a backup image of your XTM device.
For more information, see Make a Backup of the XTM Device Image on page 47.
We recommend that you always create a backup image before you upgrade. You must have the backup image and the associated encryption key if you want to downgrade the device to the previous version and configuration in the future.
2. Select System > Upgrade OS.
The Upgrade OS page appears.
3. Click Browse to select the upgrade file from the directory where you installed it.
The name of the upgrade file appears on the Upgrade OS page. The file name ends with .sysa_dl.
4. Click Upgrade.
The upgrade procedure can take up to 15 minutes and automatically reboots the XTM device.
If your XTM device has been in operation for some time before you upgrade, you might have to restart the device before you start the upgrade to clear the temporary memory.
Downgrade Fireware XTM OS
Use these procedures to downgrade the version of Fireware XTM OS to an earlier version.
It is not necessary to downgrade WatchGuard System Manager when you downgrade Fireware XTM OS, because WatchGuard System Manager can manage XTM devices that use earlier versions of Fireware XTM OS.
Use a Saved Backup Image to Downgrade
The recommended method to downgrade an XTM device to an older version of Fireware XTM OS is to use the saved backup image that you created before the most recent Fireware XTM OS upgrade on the device. If you have a backup image, there are two procedures you can use to downgrade an XTM device to an earlier version of Fireware XTM OS:
• Restore the full backup image you created for the device before the last Fireware XTM OS upgrade.
For more information, see Restore an XTM Device Backup Image.
• Use the USB backup file you created before the upgrade as your auto-restore image on a USB drive.
For more information, see Automatically Restore a Backup Image from a USB Drive.
Downgrade Without a Backup Image
If you do not have a backup image for your XTM device, there are two other methods you can use to downgrade Fireware XTM OS to an earlier version:
• Use the Quick Setup Wizard in WatchGuard System Manager to downgrade an XTM device in recovery mode.
This downgrade requires that you create a new basic configuration. It removes the feature key and certificates. After the downgrade, you can use Policy Manager to save a different configuration file to the device.
For more information, see the WatchGuard System Manager Help or User Guide.
• Use the Upgrade feature in the Fireware XTM Web UI to install an older version of Fireware XTM OS.
Use this method only to downgrade a device from Fireware XTM OS v11.7 or later. Because newer features are not all compatible with older OS versions, this downgrade procedure resets the configuration to factory-default settings. It does not change the device passphrases and does not remove the feature keys and certificates.
If you use the Web UI Upgrade feature to downgrade, the device configuration is reset to factory-default settings.
For more information, see Use the Web UI to Downgrade from Fireware XTM OS v11.7 or Higher.
Use the Web UI to Downgrade from Fireware XTM OS v11.7 or Higher
You can use the upgrade feature in the Fireware XTM Web UI to downgrade the device to an earlier version.
In Fireware XTM v11.7 and higher, if you use the Fireware XTM Web UI upgrade feature to downgrade the version of Fireware XTM OS, the downgrade process resets the configuration to factory default settings. The downgrade process does not change the device passphrases and does not remove the feature keys and certificates.
If you have a saved backup image, the recommended method to downgrade an XTM device to an earlier version of Fireware XTM OS is to restore the XTM device backup image. For more information, see Downgrade Fireware XTM OS.
Do not use this procedure to downgrade a device that currently runs a version of Fireware XTM OS lower than v11.7. If you want to downgrade a device that currently uses Fireware XTM OS v11.6.x or lower to an earlier version and do not have a backup image, you can use the WSM Quick Setup Wizard and recovery mode to downgrade the device. For more information, see the WatchGuard System Manager Help or User Guide.
Step 1: Install the Older Version of Fireware XTM OS
If you do not already have it, install the older version of Fireware XTM OS on your management computer.
1. Download the older version of the Fireware XTM OS installer file from the WatchGuard Portal on the WatchGuard web site at http://www.watchguard.com.
2. Install the Fireware XTM OS file on your management computer.
By default, the file is installed in the C:\Program Files\Common Files\WatchGuard\resources\FirewareXTM\11.x folder.
Step 2: Use the Upgrade Feature in Fireware XTM Web UI to Downgrade
1. Select System > Upgrade OS.
The Upgrade OS page appears.
2. Click Browse to select the downgrade file from the folder where you installed it.
The name of the file appears on the Upgrade OS page. The file name ends with .sysa_dl.
3. Click Upgrade.
After the file upload is complete, a warning appears stating that if you continue, the configuration will be downgraded and reset to the factory default configuration.
4. Click Yes to continue with the downgrade.
After the downgrade, the network and security settings are reset to factory default settings, but the admin and status management account passphrases are not reset. You must connect to the device on Eth1, with the default IP address 10.0.1.1, to manage it. For more information about the factory default settings, see About Factory-Default Settings.
Download or Show the XTM Device Configuration
From the Fireware XTM Web UI, you can download the complete XTM device configuration to a file that can be opened by Policy Manager, or you can generate an XTM Configuration Report to browse and print most configuration settings from a single browser page.
For more information about how to download the configuration file, see Download the Configuration File.
For more information about the XTM Configuration Report, see Show the XTM Configuration Report.
You can also download a diagnostic log file (support.tgz) that includes packet trace information about your XTM device.
For more information, see Download a Diagnostic Log File.
Download the Configuration File
From the Fireware XTM Web UI, you can download your XTM device configuration to a compressed file. This can be useful if you want to open the same configuration file in Fireware XTM Policy Manager but are unable to connect to the device from Policy Manager. This can also be useful if you want to send your configuration file to a WatchGuard technical support representative.
1. Select System > Configuration File.
2. Click Download the Configuration File.
The Select location for download dialog box appears.
3. Select a location to save the configuration file.
The configuration file is saved in a compressed (.tgz) file format. Before you can use this file with Fireware XTM Policy Manager, you must extract the compressed file to a folder on your computer.
For more information about Policy Manager, see the WatchGuard System Manager Help.
See Also
Show the XTM Configuration Report
Show the XTM Configuration Report
From the Fireware XTM Web UI, you can generate an XTM Configuration Report to show many XTM device configuration settings in an easy-to-read, printable format. The XTM Configuration Report opens in a separate browser window.
The XTM Configuration Report gives you an overview of your device configuration. It can be a useful tool if you want to review your security policy implementation with your organization's management team. While it includes configuration information for many Fireware XTM features, it does not include all configuration details. For example, it does not include:
• FireCluster
• Multi-WAN details
• Dynamic routing
• Wireless
• IPv6, secondary networks, MAC access control, PPPoE, DHCP client, DHCP server, and advanced interface settings
• Some policy and proxy settings such as policy-based routing, IPS, Application Control, logging, and notification
• Proxy action configuration details
To see the XTM Configuration Report, you must configure your browser to allow popups for Fireware XTM Web UI.
To show the XTM Configuration Report:
1. Select System > Configuration File.
2. Click XTM Configuration Report.
The XTM Configuration Report opens in a new browser window or tab.
The XTM Configuration Report is divided into five main sections:
• Network: Network configuration settings
• Setup: System configuration, aliases, logging, NTP, SNMP, and global settings
• Firewall Policy: Firewall policies and proxy action settings
• VPN: Branch Office VPN and Mobile VPN settings
• Subscription Services: Subscription services settings
To move to a section of the report, click a section link in the Contents list.
To print the XTM Configuration Report, click [Print] at the top-right corner of the page.
About Upgrade Options
You can add upgrades to your XTM device to enable additional subscription services, features, and capacity.
For a list of available upgrade options, see www.watchguard.com/products/options.asp.
Subscription Services Upgrades
Application Control
Enables you to monitor and control the use of applications on your network.
For more information, see About Application Control.
WebBlocker
Enables you to control access to web content based on content categories.
For more information, see About WebBlocker on page 1315.
spamBlocker
Enables you to filter spam and bulk email.
For more information, see About spamBlocker on page 1341.
Intrusion Prevention Service (IPS)
Enables you to prevent intrusion attempts by hackers.
For more information, see About Intrusion Prevention Service.
Gateway AntiVirus
Enables you to identify and block known spyware and viruses.
For more information, see About Gateway AntiVirus on page 1369.
Reputation Enabled Defense
Enables you to control access to web sites based on their reputation score.
For more information, see About Reputation Enabled Defense.
Data Loss Prevention
Enables you to detect, monitor, and prevent accidental unauthorized transmission of confidential information outside your network or across network boundaries.
For more information, see About Data Loss Prevention.
Appliance and Software Upgrades
Pro
The Pro upgrade to Fireware XTM provides several advanced features for experienced customers, such as server load balancing and additional SSL VPN tunnels. The features available with a Pro upgrade depend on the type and model of your XTM device.
For more information, see Fireware XTM with a Pro Upgrade on page 17.
Model upgrades
For some XTM device models, you can purchase a license key to upgrade the device to a higher model in the same product family. A model upgrade gives your XTM device the same functions as a higher model.
To compare the features and capabilities of different XTM device models, go to http://www.watchguard.com/products/compare.asp.
How to Apply an Upgrade
When you purchase an upgrade, you register the upgrade on the WatchGuard LiveSecurity web site. Then you download a feature key that enables the upgrade on your XTM device.
For information about feature keys, see About Feature Keys on page 61.
About Subscription Services Expiration and Renewal
The XTM subscription services need regular updates to operate effectively. The subscription services are:
• Gateway AntiVirus
• Intrusion Prevention Service
• WebBlocker
• spamBlocker
• Reputation Enabled Defense
• Application Control
• Data Loss Prevention
• APT Blocker
In addition, an initial LiveSecurity subscription is activated when you register your product. Your LiveSecurity subscription gives you access to technical support, software updates, and feature enhancements. It also extends the hardware warranty of your WatchGuard device and provides advance hardware replacement.
We recommend that you renew your subscription services before they expire. WatchGuard charges a reinstatement fee for any subscriptions that are allowed to lapse.
Subscription Renewal Reminders
The Firebox or XTM device sends you reminders to renew your subscriptions. When you save a configuration to your Firebox or XTM device, Policy Manager warns you if a subscription will expire. These warnings appear 60 days before, 30 days before, 15 days before, and one day before the expiration date.
You can also use Firebox System Manager to monitor your subscription services. If a subscription service is about to expire or is expired, a warning appears on the front panel of Firebox System Manager and Renew Now appears at the upper-right corner of the window. Click Renew Now to go to the LiveSecurity Service web site to renew the subscription.
In the Fireware XTM Web UI, you can see the subscription service expiration dates in the License Information section of the System page.
Feature Key Compliance
When you save a configuration to the device from Policy Manager (File > Save > To Firebox), Policy Manager checks to see if any configured services are expired. You cannot save any configuration changes from Policy Manager to the Firebox or XTM device when a configured subscription service is expired. If you try to save a configuration to the device, the Feature Key Compliance dialog box appears, with a list of all configured services that are expired. You must either add a feature key with a later expiration date for the expired services, or you must select each service and click Disable to disable the service. After you disable the expired services, Policy Manager saves the updated configuration to the device.
If the LiveSecurity subscription on your device is expired, you can save configuration changes to the device, but you cannot upgrade or reinstall any version of Fireware XTM OS on the device.
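The renewal reminder thresholds and the Feature Key Compliance rules above can be checked ahead of time, so that an expired Gateway AntiVirus or IPS subscription does not silently stop scanning before anyone notices. The following is an added example written for this guide, not WatchGuard software: it models those rules in Python over a constructed feature key. The service names, dates and enabled-service list are sample values, and it assumes a service is expired once today is later than its expiration date, that a service missing from the feature key counts as expired, and that a reminder is issued on the day a threshold is reached.

```python
"""Added example (not WatchGuard software): models the subscription-expiration
rules described in this guide so an administrator can check a feature key
offline. Dates are ISO strings (YYYY-MM-DD); the service names, dates and
configuration below are constructed sample values, not real feature-key data."""

from datetime import date
from typing import Dict, Iterable, Optional

# Reminder points the guide lists for Policy Manager warnings.
REMINDER_DAYS = (60, 30, 15, 1)


def days_until(expires: str, today: str) -> int:
    """Whole days from today until the expiration date (negative if past)."""
    return (date.fromisoformat(expires) - date.fromisoformat(today)).days


def reminder_due(expires: str, today: str) -> Optional[int]:
    """Return the reminder threshold (60, 30, 15 or 1 days) that applies today.
    Assumption: a reminder is issued on the day the threshold is reached."""
    remaining = days_until(expires, today)
    return remaining if remaining in REMINDER_DAYS else None


def is_expired(expires: Optional[str], today: str) -> bool:
    """Assumption: a service is expired once today is past its expiration
    date, and a service with no entry in the feature key is treated as expired."""
    return expires is None or days_until(expires, today) < 0


def feature_key_compliance(expiry: Dict[str, str], enabled: Iterable[str],
                           today: str) -> Dict[str, object]:
    """Apply the Feature Key Compliance rules from this guide.

    expiry:  service name -> expiration date from the feature key
    enabled: services that are enabled in the device configuration
    Returns the enabled services that are expired (Policy Manager refuses to
    save until each is renewed or disabled) and whether OS upgrades are
    blocked, which happens when the LiveSecurity subscription is expired.
    """
    expired = sorted(s for s in enabled if is_expired(expiry.get(s), today))
    return {
        "expired_services": expired,
        "save_blocked": bool(expired),
        "os_upgrade_blocked": is_expired(expiry.get("LiveSecurity"), today),
        "days_remaining": {s: days_until(d, today) for s, d in expiry.items()},
        "reminders": {s: reminder_due(d, today) for s, d in expiry.items()
                      if reminder_due(d, today) is not None},
    }


def sample_report() -> Dict[str, object]:
    """Run the check on a constructed feature key and configuration."""
    today = "2014-06-01"
    feature_key = {
        "Gateway AntiVirus": "2014-07-31",             # 60 days out: reminder fires
        "Intrusion Prevention Service": "2014-05-20",  # expired, and enabled
        "WebBlocker": "2015-01-01",                    # current
        "LiveSecurity": "2014-05-01",                  # expired: no OS upgrades
    }
    enabled = ["Gateway AntiVirus", "Intrusion Prevention Service", "spamBlocker"]
    return feature_key_compliance(feature_key, enabled, today)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

In the sample, IPS is enabled but expired and spamBlocker is enabled without any feature-key entry, so the report lists both as blocking a Policy Manager save; the expired LiveSecurity subscription blocks OS upgrades but, as the guide states, not configuration changes.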
Security Service Expiration Behavior
When a subscription service expires, that service does not operate, and the configuration options are disabled. The specific expiration behaviors for each subscription service are described below.
Gateway AntiVirus
When the Gateway AntiVirus subscription expires:
• Gateway AntiVirus signature updates stop immediately.
• Gateway AntiVirus stops detecting and blocking viruses immediately. If the device attempts a Gateway AV scan when Gateway AV is enabled but expired, the device takes the same action as when a scan error occurs, as configured in the AntiVirus proxy action settings. A scan error is also sent to the log file.
• Gateway AntiVirus configuration options are disabled in Policy Manager, except for the ability to disable Gateway AntiVirus for a policy that has it enabled.
• Gateway AntiVirus configuration options are disabled in the Fireware XTM Web UI.
Intrusion Prevention Service (IPS)
When the IPS subscription expires:
• IPS signature updates stop immediately.
• IPS stops detecting and blocking intrusions immediately.
• For Fireware XTM v11.0 - v11.3.x, if the device attempts an IPS scan when IPS is enabled but expired, the device allows the content and sends a scan error to the log file.
• For Fireware XTM v11.4 and later, IPS configuration options are disabled in Policy Manager.
• For Fireware XTM v11.0 - v11.3.x, IPS configuration options are disabled in Policy Manager, except for the ability to disable IPS for a policy that has it enabled.
• IPS configuration options are disabled in the Fireware XTM Web UI.
WebBlocker
When the WebBlocker subscription expires:
• Updates to the WebBlocker Server stop immediately.
• WebBlocker stops scanning web content immediately.
• The License Bypass setting in the WebBlocker configuration controls whether policies that have WebBlocker enabled allow or deny access to all web sites when WebBlocker is expired. By default, policies that have WebBlocker enabled deny access to all web sites when the WebBlocker service is expired.
If your WebBlocker subscription expires, and you did not change the default License Bypass setting before the service expired, WebBlocker blocks access to all web sites. You cannot change the License Bypass setting after the service has expired. If your service is expired and WebBlocker blocks access to all web sites, you must either disable WebBlocker for each policy that had it enabled, or renew the WebBlocker service and import an updated feature key.
• WebBlocker configuration options are disabled in Policy Manager, except for the ability to disable WebBlocker for a policy that has it enabled.
• WebBlocker configuration options are disabled in the Fireware XTM Web UI.
spamBlocker
When the spamBlocker subscription expires:
• spamBlocker stops blocking spam immediately.
• spamBlocker configuration options are disabled in Policy Manager, except for the ability to disable spamBlocker for a policy that has it enabled.
• spamBlocker configuration options are disabled in the Fireware XTM Web UI.
Reputation Enabled Defense
When the Reputation Enabled Defense subscription expires:
• Reputation Enabled Defense stops checking reputation immediately.
• Reputation Enabled Defense configuration options are disabled in Policy Manager, except for the ability to disable Reputation Enabled Defense for a policy that has it enabled.
• Reputation Enabled Defense configuration options are disabled in the Fireware XTM Web UI.
Application Control
When the Application Control subscription expires:
• Application Control signature updates stop immediately.
• Application Control stops identifying and blocking applications immediately.
• Application Control configuration options are disabled in Policy Manager.
• Application Control configuration options are disabled in the Fireware XTM Web UI.
Data Loss Prevention (DLP)
When the DLP subscription expires:
• DLP signature updates stop immediately.
• DLP stops identifying DLP violations immediately.
• DLP configuration options are disabled in Policy Manager.
• DLP configuration options are disabled in the Fireware XTM Web UI.
APT Blocker
When the APT Blocker subscription expires:
• APT Blocker stops detecting and blocking APT malware immediately.
• APT Blocker configuration options are disabled in Policy Manager.
• APT Blocker configuration options are disabled in the Fireware XTM Web UI.
LiveSecurity Service
When the LiveSecurity subscription expires:
• You cannot upgrade or reinstall Fireware XTM OS on your device, even if it is a Fireware XTM OS version that was released before the LiveSecurity expiration date.
• WatchGuard does not provide telephone and web-based support, software updates and enhancements, or hardware replacement (RMA).
• All other functionality, including Fireware XTM Pro upgrade features, VPN features, logging, and management functions, continues to operate.
• You can manage your device and save configuration changes to your device from Policy Manager or the Web UI.
• You can save a backup image of your configuration from Policy Manager or the Web UI.
Synchronize Subscription Renewals
If you have many subscriptions with different expiration dates, your WatchGuard reseller can create a custom renewal quote that synchronizes the renewal dates for multiple subscription services. Contact WatchGuard or your WatchGuard reseller for details.
Renew Subscription Services
WatchGuard subscription services must get regular updates to operate effectively.
To see the expiration date of your subscription services, from Fireware XTM Web UI, select System > Feature Key. The Expiration column shows when the subscription expires. You can also see the number of days until each service expires on the system Dashboard. Select Dashboard > System to see the system Dashboard.
When you renew the security subscription, you must update the feature key on the XTM device. To update the feature key, from Fireware XTM Web UI, select System > Feature Key.
For more information about feature keys, see About Feature Keys on page 61.
Subscription Services Status and Manual Signature Updates
The Gateway AntiVirus, Intrusion Prevention Service, Application Control, and Data Loss Prevention security services use a frequently updated set of signatures to identify the latest viruses, threats, and applications. You can configure these services to update signatures automatically. For information about signature update settings, see:
• Configure the Gateway AV Update Server
• Configure the IPS Update Server
• Configure the Application Control Update Server
• Configure the DLP Update Server
You can also update signatures manually. If the signatures on the XTM device are not current, you are not protected from the latest viruses and intrusions.
The Subscription Services status page shows statistics about the subscription services activity, and shows the status of signature updates. For each signature-based service, you can see the current signature version installed and whether a newer version of signatures is available.
To see the status of Subscription Services:
1. Connect to Fireware XTM Web UI for your device.
2. Select Dashboard > Subscription Services.
The Subscription Services status page appears.
3. To manually update signatures for a service, click Update for each service you want to update.
The XTM device downloads the most recent available signature update.
For more information about the statistics on this page, see About the Dashboard and System Status Pages on page 885.
5 RemoteConfig and RapidDeploy
About RemoteConfig and RapidDeploy
RemoteConfig and RapidDeploy are two methods you can use to set up an XTM device in a remote location where you might not have trained IT staff present to help with the initial configuration of your XTM device. Both the RemoteConfig and RapidDeploy methods enable you to send your XTM devices to remote locations around the world, before you have configured each device.
RemoteConfig
RemoteConfig enables you to remotely configure a single XTM device that has been activated on the WatchGuard web site. You can use RemoteConfig to remotely configure a new XTM device, or a device that has been reset to factory default settings.
To use RemoteConfig, you must use Policy Manager to create a configuration file for the device. You can then upload that configuration file to the Product Details page for that XTM device on the WatchGuard web site.
For more information about RemoteConfig, see Use RemoteConfig.
RapidDeploy
RapidDeploy enables you to remotely configure multiple XTM devices for management by a WatchGuard Management Server. You can use RapidDeploy for XTM devices that have never been activated or for devices that have already been activated, but must either be activated again or assigned to another Management Server.
To use RapidDeploy, you must register your Management Server with the WatchGuard Deployment Center, and then connect to the WatchGuard Deployment Center from your WatchGuard Management Server. In the WatchGuard Deployment Center, you add information for your Management Servers and the XTM devices you want to activate remotely.
For more information about RapidDeploy, see About RapidDeploy in the WatchGuard System Manager Help.
Automatic Configuration Download
To complete either of these automated configuration processes, a remote user must connect the XTM device to power and to the Internet. The XTM device automatically contacts a WatchGuard server to download a configuration file, if one is available. The XTM device checks for the availability of a RemoteConfig or RapidDeploy configuration file. Because the RemoteConfig process takes priority over the RapidDeploy process, if you activate a device with RapidDeploy, and also upload a RemoteConfig configuration file for the same device, the device downloads the RemoteConfig file and does not complete the RapidDeploy process.
Use RemoteConfig
RemoteConfig is a quick and efficient way to automatically configure an XTM device in a remote location without the need to have trained IT staff present at the remote site. Before the XTM device is connected to the network at the remote site, you create and upload a device configuration file to the Product Details page on the WatchGuard web site. When the XTM device is powered on with factory default settings, it automatically connects to your account on the WatchGuard web site to download its configuration.
For a RemoteConfig video demonstration, see the WatchGuard XTM: Remote Config video tutorial (13 minutes).
Requirements for RemoteConfig:
• The remote XTM device must be manufactured with Fireware XTM v11.6.3 or later, and must use factory default settings. XTM devices that support RemoteConfig have a small Ready sticker on the outer carton.
• You must have WatchGuard System Manager to create or edit the configuration file.
• If the device uses a version of Fireware XTM lower than v11.7.3 Update 1, the network where you connect the remote XTM device must use DHCP to dynamically assign an IP address to the external interface of the device. For more information, see Connect the Remote XTM Device.
XTM devices originally manufactured with a version of Fireware XTM OS lower than v11.6.3 do not support RemoteConfig, even if you upgrade the device to use a newer version of Fireware XTM OS.
RemoteConfig is a four-step process:
1. Activate the XTM device and any add-on features on the WatchGuard web site.
For more information, see Get a Feature Key for Your XTM Device.
2. Use Policy Manager to create a configuration file for the XTM device.
For more information, see Create a RemoteConfig File.
3. Upload the configuration file to the RemoteConfig section of the Product Details page for this device, and set the device passphrases.
For more information, see Manage Your RemoteConfig File.
4. Connect the device at the remote site.
  • For a new XTM device, connect the XTM device to power and to a network with Internet access.
  • For a previously configured XTM device, reset the device to factory default settings.
For more information, see Connect the Remote XTM Device.
Any time a device that supports RemoteConfig starts with factory default settings, the device
automatically tries to download the RemoteConfig file, feature key, and passphrases.
RemoteConfig File Version Requirements
Each Fireware XTMdevice configuration file has a version number associated with it. For an XTM
device to use a RemoteConfig file, the version of the configuration file must be higher than 11.4.0, but
not higher than the version of Fireware XTMOS installed on the device.
The remote XTMdevice rejects a RemoteConfig file if:
n The configuration file version is higher than the version of Fireware XTMOSinstalled on the
device.
n The configuration file version number is 11.4.0 or lower.
Before you create a configuration file, it is important to know the version of Fireware XTMOSinstalled
on the remote XTMdevice, and also to understand how the configuration file version is set in Policy
Manager.
Determine the Fireware XTM OS Version on the Remote XTM Device
At the top of the Product Details page, you can see the version of Fireware XTM OS installed on the
device when it was first manufactured by WatchGuard. This is the maximum configuration file version
that you can use for RemoteConfig when you configure a new XTM device for the first time.
If the remote XTM device has been upgraded to a newer version of Fireware XTM OS, you can upload
a RemoteConfig file with a version that is newer than the version shown on the Product Details page,
as long as the version is not higher than the version of Fireware XTM OS currently installed on the
remote XTM device.
If you are not sure what version of Fireware XTM is on a remote device, use a
configuration file with a version that is less than or equal to the version of Fireware
XTM OS manufactured on the device.
How the Configuration File Version Is Set
Policy Manager is a component of the WatchGuard System Manager software you use to configure
XTM devices. You can use Policy Manager to open the configuration file from an XTM device or to
create a new XTM device configuration file. When you use Policy Manager to create a new
configuration file, the initial configuration file version depends on which version of WatchGuard System
Manager (WSM) you used to create it.
• In WSM v11.7 and higher, Policy Manager sets the configuration file version to 11.7.0 by default.
• In WSM v11.4.x - 11.6.x, Policy Manager sets the configuration file version to 11.4.0 by default.
Version 11.4.0 configuration files are not supported for RemoteConfig.
When you open a configuration file in Policy Manager, the configuration file version appears in the
lower right corner of the Policy Manager window.
You cannot directly change the configuration file version in Policy Manager. To change a configuration
file version, you must use Policy Manager to save the configuration to a connected XTM device that
uses the version of Fireware XTM OS you want to set in the file. When you save a configuration file to
an XTM device, Policy Manager validates the configuration settings for the version of Fireware
XTM OS on the device, and updates the version in the configuration file to match the version on the
device.
Recommendations
We recommend that you upload a configuration file with a version that is 11.6.3 or higher for
RemoteConfig.
For a basic 11.6.3 configuration file that you can download and edit to create your
RemoteConfig file, see the article RemoteConfig Configuration File in the
WatchGuard Knowledge Base.
If the RemoteConfig file has a lower version than the version of Fireware XTM installed on the remote
XTM device, the remote XTM device automatically converts the configuration file to the correct version
as part of the RemoteConfig deployment process.
Create a RemoteConfig File
A RemoteConfig file is an XTM device configuration file that you create with Policy Manager. It is
exactly the same as any other device configuration file you create with Policy Manager, and is stored
as an XML file. To use a configuration file for RemoteConfig, the remote XTM device and configuration
file must meet three requirements.
• The remote XTM device must support RemoteConfig.
• The XTM device model in the configuration file must match the remote XTM device.
• The configuration file version must be higher than 11.4.0, but not higher than the version of
Fireware XTM OS installed on the remote XTM device.
For more information about how Policy Manager sets the configuration file version, see RemoteConfig
File Version Requirements.
Before You Begin
Before you begin, log in to your account on the WatchGuard web site, and go to the Product Details
page for the XTM device you want to remotely configure.
On the Product Details page:
1. In the Your RemoteConfig File section, make sure the XTM device supports RemoteConfig.
2. At the top of the page, check the version of Fireware XTM OS manufactured on the device.
This determines the version requirement for the configuration file you upload.
3. If you want to configure add-on features, such as security services, activate the features and
download the device feature key. Policy Manager requires the feature key to enable
configuration of the licensed upgrades or services.
• To activate an add-on feature, click Activate a Product on the WatchGuard portal.
• To get the feature key, click Get your feature key on the Product Details page.
Create the Configuration File
Policy Manager is a component of the WatchGuard System Manager software you use to configure
XTM devices. You can use Policy Manager to open the configuration file from an XTM device or to
create a new XTM device configuration file. You might need to add a feature key to the configuration to
enable the configuration of licensed features. The feature key you use in the configuration file is not
included in the configuration file you upload to the WatchGuard web site for RemoteConfig.
To create a configuration file that meets the version requirements for RemoteConfig, we recommend
that you use a configuration file that has been previously saved to an XTM device that uses the same
version of Fireware XTM OS as the device you want to remotely configure. Then change the model
number, policies, and settings in the configuration file to the settings you want the remote XTM device
to use.
For a default 11.6.3 configuration file that you can download and edit to create your
RemoteConfig file, see the article RemoteConfig Configuration File in the
WatchGuard Knowledge Base.
To create a configuration file to use with RemoteConfig, you must use Policy Manager. For
instructions to create such a configuration file, see Create a RemoteConfig File in the WatchGuard
System Manager Help.
Next, you can upload this file to the Product Details page for the device you want to remotely
configure.
For information about how to upload the file, see Manage Your RemoteConfig File.
Manage Your RemoteConfig File
After you have created a configuration file, you can upload it to the Product Details page for the device
in your account on the WatchGuard web site. From the Product Details page you can also delete or
download a configuration file you have previously uploaded.
For instructions to create the configuration file, see Create a RemoteConfig File.
Upload the Configuration File
On the Product Details page, you can upload the configuration for the device. When you upload a
configuration file for a remote device, the file is called the RemoteConfig file. When you upload a
configuration file, the feature key you used to create the configuration file is not uploaded. WatchGuard
already has the correct feature key for the device, and sends the correct feature key to the remote
device when the device requests the configuration file.
Because the configuration file does not include the management passphrases, you must also set the
passphrases to use on the device when you upload the file.
After the remote device downloads the configuration file, the factory default
passphrases are changed to the passphrases you set when you upload the file. The
password reset occurs even if the device rejects the configuration file. For more
information, see Connect the Remote XTM Device.
To upload the RemoteConfig file:
1. Go to the Product Details page for the device.
2. In the Your RemoteConfig File section, click Upload.
A dialog box appears where you can choose the file and set the device management passphrases.
3. Click Choose File or Browse to select the configuration file to upload.
The button name depends on the browser you use.
4. Browse to and select the .xml file you created with Policy Manager.
5. Type and confirm the passphrase you want the device to use for read-only administrative access.
6. Type and confirm the passphrase you want the device to use for read-write administrative access.
7. Click Upload.
The file is uploaded and validated.
If the file you select is not a valid XML configuration file, or if the model number in the
configuration file does not match this product, an error message appears, and the file
is not uploaded. Make sure that you select a valid XML configuration file for this
device model.
After you upload a configuration file, the Your RemoteConfig File section of the Product Details
page shows the name of the configuration file you uploaded, and whether or not the XTM device has
contacted WatchGuard to request the file.
After the XTM device requests the file, the right column shows the date and time that the file was sent
to the XTM device, and the IP address and Fireware XTM OS version of the device it was sent to.
The RemoteConfig file is stored on the WatchGuard site for two years from the date you upload it,
unless you delete it. Any time the XTM device starts with factory default settings, it automatically
contacts WatchGuard to retrieve this configuration file.
If a configuration file has already been uploaded, you can click Upload again to replace the previously
uploaded configuration file with a new configuration file.
Delete the Configuration File
Any time the device is reset to factory defaults, it automatically downloads and uses the
RemoteConfig file, if one is present on the Product Details page. If you do not want the XTM device to
use the RemoteConfig file when it is reset to factory defaults, you must remove the configuration file
from the Product Details page.
To delete a RemoteConfig file for a device:
1. Go to the Product Details page for the device.
2. In the My RemoteConfig File section, click Delete.
3. Click OK to confirm that you want to delete the file.
Download the Configuration File
After you have uploaded a RemoteConfig file, you can download a local copy of the configuration file to
your computer. This does not send the file to the XTM device.
To download the configuration file:
1. Go to the Product Details page for the device.
2. In the My RemoteConfig File section, click Download.
To open the configuration file you downloaded, you must use Policy Manager.
Connect the Remote XTM Device
After you upload a RemoteConfig file to the Product Details page, the XTM device can automatically
download the file.
External Interface IP Address
To use RemoteConfig to set up an XTM device, the external interface (interface 0) must be able to
connect to the Internet. There are two methods the remote XTM device can use to get an external
IP address.
DHCP
For an XTM device with factory-default settings, interface 0 uses DHCP to request an IP
address for the external interface. For an XTM device to use RemoteConfig, the remote site
must have a DHCP server that can assign an IP address to the external interface.
For a device that uses a version of Fireware XTM OS lower than v11.7.3 Update 1, this is the
only method to configure the external IP address.
Static or PPPoE
If the remote XTM device uses Fireware XTM OS v11.7.3 Update 1 or higher, and the remote
network does not have a DHCP server, you can use a file on a USB drive to configure the XTM
device to either use a static IP address or use PPPoE to get an IP address. To configure your
XTM device to use one of these options, you create a CSV (comma-separated values) file on a
USB drive, and then insert the USB drive in the XTM device before you power it on.
For more information, see Use a USB Drive to Configure Interface Settings.
Use RemoteConfig to Configure the Device
To use RemoteConfig for a new XTM device, someone must connect and power on the device at the
remote site:
1. Use the included green Ethernet cable to connect interface 0 to a switch or router that connects
to the Internet.
Step 1 in the Quick Start Guide that ships with the device includes a diagram that shows how to do
this.
2. If the device uses Fireware XTM OS v11.7.3 Update 1 or higher, and you have created a CSV
file to configure the external interface, connect the USB drive to the XTM device.
3. Connect power to the device.
4. Power on the device.
The new XTM device starts with factory default settings.
To use RemoteConfig to configure an XTM device that has been previously
configured, you must reset the device to factory default settings. The steps to do this
depend on the XTM device model. For more information, see Reset a Device.
When the XTM device starts with factory default settings, it automatically uses DHCP to request an
IP address for interface 0. After the device receives an IP address, it tries to contact the WatchGuard
server to see if a RemoteConfig file is available. If a configuration file has been uploaded to the
Product Details page for the device, the XTM device automatically downloads the configuration file,
the device feature key, and passphrases.
The XTM device compares the configuration file version to the version of Fireware XTM that is
installed, and takes action based on the result of that comparison:
Configuration File Version: Matches the installed version of Fireware XTM OS
XTM Device RemoteConfig Action:
• The device uses the new configuration.
• The status and admin passphrases on the device are set to the passphrases specified when the
RemoteConfig file was uploaded to the Product Details page.

Configuration File Version: Is lower than the installed version of Fireware XTM OS
XTM Device RemoteConfig Action:
• The device converts the new configuration file to match the version of Fireware XTM OS on the
device, and then uses the new configuration.
• The status and admin passphrases on the device are set to the passphrases specified when the
RemoteConfig file was uploaded to the Product Details page.

Configuration File Version: Is higher than the installed version of Fireware XTM OS
XTM Device RemoteConfig Action:
• The device rejects the configuration file and continues to use factory default settings.
• The status and admin passphrases on the device are set to the passphrases specified when the
RemoteConfig file was uploaded to the Product Details page.

Configuration File Version: Is 11.4.0 or lower
XTM Device RemoteConfig Action:
• The device rejects the configuration file and continues to use factory default settings.
• The status and admin passphrases on the device are set to the passphrases specified when the
RemoteConfig file was uploaded to the Product Details page.
If the XTM device does not find a RemoteConfig file to download, or if the device rejects the
configuration file, you can upload a new RemoteConfig file to the Product Details page. Then power
the XTM device off and then on again so the device retries the download of the configuration file.
If the XTM device cannot connect to the WatchGuard site (for example, if the device is not assigned a
dynamic IP address, or the device is not connected to the Internet), the device keeps all factory default
settings.
Connect other Networks to the Device
After you use RemoteConfig to configure the remote device, someone at the remote site must use
Ethernet cables to connect the other configured XTM device interfaces to local network devices as
required for your network configuration.
See RemoteConfig Status
After the XTM device requests the configuration file, the Product Details page shows the IP address
the file was sent to, and the date and time the file was sent.
The status on the Product Details page tells you whether the device contacted WatchGuard to
retrieve the configuration file, but it does not tell you whether the configuration file was successfully
used to remotely configure the device.
Verify RemoteConfig Success
After you verify that the remote XTM device contacted WatchGuard, you can test connectivity through
the remote device, to determine whether the RemoteConfig file was successfully applied.
To verify that the device is using the configuration file:
Try to remotely connect to the device with WatchGuard System Manager
If the WatchGuard policy in the configuration file allows management connections from the
external interface, you can use WatchGuard System Manager to remotely connect to the
external interface IP address of the device.
Try to remotely connect to the Fireware XTM Web UI
If the WatchGuard Web UI policy in the configuration file allows connections to the Web UI from
an external interface, you can use a web browser to connect to the Fireware XTM Web UI.
By default, the port used for the Web UI is 8080. The URL to connect to the Web UI in your
browser is:
https://<xtm-ip-address>:8080
Where <xtm-ip-address> is the IP address assigned to the external interface.
Test whether users at the remote site can connect to the Internet
After someone at the remote site has connected the trusted and optional interfaces to the local
network, test whether a user can connect to the Internet.
• If users can successfully connect to the Internet, this shows that the RemoteConfig file
was successfully applied.
• If users cannot connect to the Internet, it does not necessarily mean that RemoteConfig
failed. It could also be caused by other issues, such as incorrect cabling, DHCP
configuration, or other configuration problems.
For your network configuration, there may be other methods you can use to test the configuration. For
example, you could test whether configured branch office VPN tunnels are functioning, or whether the
device accepts connections from configured Mobile VPN users.
If you cannot verify that the RemoteConfig file was successfully applied, you can try to troubleshoot
the problem.
For more information, see Troubleshoot RemoteConfig.
Troubleshoot RemoteConfig
In the Product Details page, the RemoteConfig section shows whether the remote XTM device has
contacted the WatchGuard web site to look for a RemoteConfig file. After you upload a configuration
file, the RemoteConfig section shows either:
• The device has not yet contacted WatchGuard to request a configuration file
• The time and date that the device contacted WatchGuard to request a configuration file, the
IP address the request came from, and the version of Fireware XTM OS currently installed on
the device
If the Product Details page shows that the device has not contacted WatchGuard, and you have
already followed the instructions in Connect the Remote XTM Device, make sure the network that the
XTM device external interface is connected to has Internet access, and that the external interface of the
device is connected to a network that has a DHCP server. If the external interface is not assigned an
IP address, the device cannot connect to the Internet.
Then, try again:
1. Restart the device with factory default settings.
• For a new XTM device, connect the XTM device to power and to a network with Internet access.
• For a previously configured XTM device, reset the device to factory default settings.
2. Make sure the device has a reliable power source and Internet connection while the download
and configuration are in progress.
Troubleshoot the Configuration File Version
After the device has successfully downloaded the RemoteConfig file, the XTM device tries to use the
file to update the device configuration.
In the Product Details page, the RemoteConfig section shows whether the configuration file
downloaded by the device has a version that can be used for RemoteConfig.
Version Status: Configuration file version is compatible
Example RemoteConfig Status Message: The configuration file was sent to 203.0.113.100 at
6/7/2013 4:05:43 PM UTC. Fireware XTM 11.6.5 is installed. The configuration file was created for
Fireware XTM 11.6.3.

Version Status: Configuration file version is too low
Example RemoteConfig Status Message: The configuration file was sent to 203.0.113.100 at
6/7/2013 4:05:43 PM UTC. Fireware XTM 11.6.5 is installed. The configuration file was created for
Fireware XTM 11.4.0. Configuration file versions 11.4 and earlier are not supported by RemoteConfig.

Version Status: Configuration file version is too high
Example RemoteConfig Status Message: The configuration file was sent to 203.0.113.100 at
6/7/2013 4:05:43 PM UTC. Fireware XTM 11.6.5 is installed. The configuration file was created for
Fireware XTM 11.7.0. The configuration file version cannot be higher than the installed version.
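The version rules behind the RemoteConfig action table and the three status messages above can be checked at your desk before you ask someone at the remote site to power-cycle the device again. The Python script below is an added example, not WatchGuard code: it encodes the action table (use, convert, reject because too high, reject because too low), records that the uploaded passphrases replace the factory defaults in every case, and parses status messages constructed to mirror the examples in this guide. The function names, the regular expressions and the sample messages are assumptions of this example; WatchGuard's exact message wording may differ.

```python
"""Check a RemoteConfig file version against the installed Fireware XTM OS.

Added example, not WatchGuard code. The rules come from the RemoteConfig
action table in this guide; the status message patterns and the sample
messages are constructed to mirror the examples shown above.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Configuration files at or below this version are rejected (11.4.0 or lower).
MAX_UNSUPPORTED: Version = (11, 4, 0)


def parse_version(text: str) -> Version:
    """Turn '11.6.3' or '11.7' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    padded = parts + [0] * (3 - len(parts))
    return (padded[0], padded[1], padded[2])


@dataclass(frozen=True)
class RemoteConfigOutcome:
    action: str  # "use", "convert", "reject_too_high" or "reject_too_low"
    config_version: Version
    installed_version: Version
    # The device applies the uploaded passphrases in every case, even when it
    # rejects the file, so the factory-default passphrases never survive a download.
    passphrases_reset: bool = True


def remoteconfig_action(config_version: Version, installed_version: Version) -> RemoteConfigOutcome:
    """Apply the version rules the device uses after it downloads the file."""
    if config_version <= MAX_UNSUPPORTED:
        action = "reject_too_low"    # 11.4.0 or lower: device keeps factory defaults
    elif config_version > installed_version:
        action = "reject_too_high"   # newer than the installed OS: keeps factory defaults
    elif config_version == installed_version:
        action = "use"               # applied as-is
    else:
        action = "convert"           # older but supported: converted, then applied
    return RemoteConfigOutcome(action, config_version, installed_version)


# Patterns for the two version sentences in a Product Details status message
# (assumed wording, modelled on the examples in this guide).
_INSTALLED_RE = re.compile(r"Fireware XTM\s*(?P<v>\d+(?:\.\d+){0,2}) is installed")
_CREATED_RE = re.compile(r"created for Fireware XTM\s*(?P<v>\d+(?:\.\d+){0,2})")


def classify_status_message(message: str) -> Optional[RemoteConfigOutcome]:
    """Parse a RemoteConfig status message and return the action the device took.

    Returns None when the message carries no version data, for example when
    the device has not yet contacted WatchGuard.
    """
    installed = _INSTALLED_RE.search(message)
    created = _CREATED_RE.search(message)
    if not installed or not created:
        return None
    return remoteconfig_action(parse_version(created["v"]), parse_version(installed["v"]))


# Constructed sample messages, modelled on the examples in this guide.
SAMPLE_MESSAGES = {
    "compatible": "The configuration file was sent to 203.0.113.100 at 6/7/2013 4:05:43 PM UTC. "
                  "Fireware XTM 11.6.5 is installed. The configuration file was created for Fireware XTM 11.6.3.",
    "too_low": "The configuration file was sent to 203.0.113.100 at 6/7/2013 4:05:43 PM UTC. "
               "Fireware XTM 11.6.5 is installed. The configuration file was created for Fireware XTM 11.4.0. "
               "Configuration file versions 11.4 and earlier are not supported by RemoteConfig.",
    "too_high": "The configuration file was sent to 203.0.113.100 at 6/7/2013 4:05:43 PM UTC. "
                "Fireware XTM 11.6.5 is installed. The configuration file was created for Fireware XTM 11.7.0. "
                "The configuration file version cannot be higher than the installed version.",
    "not_contacted": "The device has not yet contacted WatchGuard to request a configuration file",
}

if __name__ == "__main__":
    for label, msg in SAMPLE_MESSAGES.items():
        outcome = classify_status_message(msg)
        print(f"{label:>14}: {outcome.action if outcome else 'no version data'}")
```

The "compatible" sample classifies as convert rather than use because the file (11.6.3) is older than the installed OS (11.6.5); that is the case the guide recommends, since the device converts it during deployment. Whatever the outcome, `passphrases_reset` stays True, which is why a rejected file still leaves the device with the passphrases you set at upload time rather than the factory defaults.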
If you see a status message that indicates the configuration file version is too low or too high, this
means the remote device could not use the RemoteConfig file to update its configuration. To resolve a
configuration file problem, create and upload a configuration file that has a version higher than 11.4, but
not higher than the version of Fireware XTM currently installed on the device.
For more information about how to create a configuration file for a specific version of Fireware
XTM OS, see RemoteConfig File Version Requirements.
After you upload a new configuration file, restart the remote device with factory default settings. The
device automatically downloads the latest RemoteConfig file.
For more information, see Connect the Remote XTM Device.
Use RapidDeploy
WatchGuard Deployment Center is the online web UI where you use the WatchGuard RapidDeploy
tool. RapidDeploy is a quick and efficient process you can use to deploy XTM devices in remote
locations where you might not have trained IT staff present to help with the initial configuration of your
XTM device. With RapidDeploy, you can send your XTM devices to remote locations around the world,
before you have configured each device. You can use RapidDeploy for XTM devices that have never
been activated or for devices that have already been activated, but must either be activated again or
assigned to another Management Server.
To use RapidDeploy, you must have:
• One or more XTM devices with Fireware XTM OS v11.6.3 or later
• One or more WatchGuard Management Servers v11.6.3 or later
The initial RapidDeploy procedure is a two-part process:
1. You add information to the WatchGuard Deployment Center for your Management Servers and
the XTM devices you want to activate remotely.
2. A remote user connects each XTM device to power and to the Internet. Each XTM device
automatically contacts the Deployment Center for an initial, basic configuration file with
information about the Management Server, and then contacts the Management Server for
additional configuration.
This diagram of the RapidDeploy process illustrates the steps that occur at the different points in each
part of the process.
1. From WatchGuard System Manager, register your Management Server with the WatchGuard Portal. Log in to the
WatchGuard Deployment Center to verify your Management Server registration was successful.
2. In the Deployment Center, import your XTM device list CSV file and activate the devices.
3. Connect the XTM device to power and to the Internet. The XTM device contacts the Deployment Center to
download a basic configuration file with the Management Server information.
4. The XTM device contacts the Management Server. The Management Server contacts the Deployment Center to
verify that the XTM device has been activated and assigned to it.
5. In the Deployment Center, verify the deployment status of each XTM device to see which devices have been sent
a basic configuration file.
After the RapidDeploy procedure is complete, and your XTM devices have contacted your
Management Server, you must connect to the devices and complete the network configuration for each
device. You can follow the usual network configuration and Centralized Management processes to
configure the network settings, change to Fully Managed Mode, and apply a Device Configuration
Template to each XTM device.
For more information, see Common Interface Settings, About Centralized Management Modes, and
Apply Device Configuration Templates to Managed Devices in the WatchGuard System Manager
Help.
Launch the Deployment Center
From the WatchGuard Deployment Center, you can verify the status of your Management Server
registration and complete the RapidDeploy procedure to activate your XTM devices.
To launch the Deployment Center from WSM:
1. Open WSM and connect to your Management Server.
2. Select File > RapidDeploy > Deployment Center.
Or, from the Management Server page, in the RapidDeploy section, select Deployment
Center.
The WatchGuard Deployment Center launches in your default web browser.
Activate Your XTM Devices
Step 2 of the RapidDeploy process is to activate your XTM devices. To complete activation, you
create and import a device list to the Deployment Center and then activate the XTM devices in the
device list. The device list is a UTF-8 encoded CSV file in this format: XTM Device Serial Number,
XTM Device Friendly Name, Management Server IP Address.
Import a Device List
From the Deployment Center, you can download a CSV file to use as a template for your device list. If
you open the template CSV file in a spreadsheet program such as Microsoft Excel or Apple Numbers,
you can simply replace the data in the list with the correct details for your XTM devices and
Management Servers. Whether you use the template file or create your own CSV file, make sure that
the CSV file includes a header row. The template CSV file includes this header row: XTM Device
Serial Number,XTM Device Friendly Name,Management Server IP Address.
Each device list CSV file can only include 50 XTM devices. If your Management Server has more than
one IP address in the Distribution IP Address list, make sure to use the first IP address in the list.
In the CSV file header row, the XTM Device Friendly Name is the unique name that appears in the
Device field in WatchGuard System Manager for each device. This name also identifies the device in
your account on the WatchGuard web site. You must use a different friendly name for each XTM
device. You can change the friendly name of an activated device on the Product Details page in the
WatchGuard Portal. For more information, see the My Products Help.
After you create your device list CSV file, you can import the device list in the Deployment Center and
use RapidDeploy to activate your XTM devices. If you close the browser before the device list import
is complete, the device list and any error messages are cleared from the Deployment Center, and you
must start the import process again.
To download and create a CSV file:
1. Connect to the Deployment Center.
A. Open WSM and connect to your Management Server.
B. Select File > RapidDeploy > Deployment Center.
The WatchGuard Deployment Center launches in your default web browser.
2. In the Deployment Center, select RapidDeploy > Device Activation.
The Device Activation page appears.
3. Click the link to download the sample CSV file and save it to your computer with a descriptive
file name.
4. Open the CSV file and for each XTM device you want to activate with RapidDeploy, type the
serial number, device friendly name, and the IP address of the Management Server you want to
manage this device.
Before you import the device list, make sure that the Management Servers you specified in the CSV
file are registered in the Deployment Center. If you specify an incorrect Management Server IP
address or an unregistered Management Server for an XTM device, an error appears after the import
process is complete. For more information about how to verify that your Management Server is
registered, see Verify Management Server Registration on page 135.
Also make sure that you specify the correct Management Server for each XTM device included in the
CSV file. If you import a CSV file with an XTM device that was already assigned to a different
Management Server, the XTM device is registered again. A new deployment package is created for
that XTM device with the IP address of the new Management Server, and replaces the first deployment
package in the Deployment Center.
To import the device list, on the Device Activation page:
1. Click Browse and select the CSV file you created.
2. Click Import.
The device list is imported to the Deployment Center. If your device list includes a large number of
XTM devices, it can take some time to complete the import of the CSV file.
When the device list is imported, the Deployment Center checks the data included in the CSV file to
verify that the data is correct. If you have included an incorrect serial number for a device, or an IP
address for a Management Server that is not registered, you see an error when the file import is
complete.
If there are any problems in the device list CSV file you imported, an error list appears on the Device
Activation page. The error list includes the lines in the CSV file where the errors occurred and a
description of the errors. If your CSV file has an error, you can fix the error and import the file again.
When the import is complete and successful, the device list appears on the Device Activation page.
You can review this list to make sure that all the necessary devices were imported.
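Because the Deployment Center reports CSV errors only after the import completes, and because importing a device against a different Management Server re-registers it and replaces its deployment package, it pays to validate the device list before you upload it. The Python script below is an added example, not WatchGuard's tool: it checks the header row and three-column format given in this section, the 50-device limit, unique friendly names, and that each Management Server IP address is one you have already registered. The registered-server list, the serial numbers and the sample rows are constructed for the example; checks only the Deployment Center can make (for instance, whether a serial number exists in your account) are not reproduced.

```python
"""Validate a RapidDeploy device list CSV before importing it.

Added example, not WatchGuard code. It applies the rules stated in this
guide: a UTF-8 CSV with the header row
"XTM Device Serial Number,XTM Device Friendly Name,Management Server IP Address",
at most 50 devices, a unique friendly name per device, and a Management Server
IP address that is already registered. The registered-server set and the
sample rows below are constructed for the example.
"""
import csv
import io
import ipaddress
from typing import Dict, Iterable, List, Tuple

EXPECTED_HEADER = ["XTM Device Serial Number", "XTM Device Friendly Name", "Management Server IP Address"]
MAX_DEVICES = 50  # one device list CSV file can include only 50 devices


def validate_device_list(csv_text: str, registered_servers: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, message) pairs, like the Deployment Center error list.

    An empty list means the file is ready to import. Line 1 is the header row.
    """
    registered = {str(ipaddress.ip_address(ip)) for ip in registered_servers}
    errors: List[Tuple[int, str]] = []
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows or [c.strip() for c in rows[0]] != EXPECTED_HEADER:
        errors.append((1, "missing or incorrect header row; expected: " + ",".join(EXPECTED_HEADER)))
        return errors

    seen_names: Dict[str, int] = {}
    seen_serials: Dict[str, int] = {}
    # Keep the physical line number of each row; skip rows that are entirely blank.
    device_rows = [(i, r) for i, r in enumerate(rows[1:], start=2) if any(c.strip() for c in r)]
    if len(device_rows) > MAX_DEVICES:
        errors.append((MAX_DEVICES + 2, f"more than {MAX_DEVICES} devices; split the list into several files"))

    for lineno, row in device_rows:
        if len(row) != 3:
            errors.append((lineno, f"expected 3 columns, found {len(row)}"))
            continue
        serial, name, server = (c.strip() for c in row)
        if not serial:
            errors.append((lineno, "empty serial number"))
        elif serial in seen_serials:
            errors.append((lineno, f"duplicate serial number (also on line {seen_serials[serial]})"))
        else:
            seen_serials[serial] = lineno
        if not name:
            errors.append((lineno, "empty friendly name"))
        elif name in seen_names:
            errors.append((lineno, f"friendly name '{name}' already used on line {seen_names[name]}"))
        else:
            seen_names[name] = lineno
        try:
            server_ip = str(ipaddress.ip_address(server))
        except ValueError:
            errors.append((lineno, f"'{server}' is not a valid Management Server IP address"))
            continue
        if server_ip not in registered:
            errors.append((lineno, f"Management Server {server_ip} is not registered in the Deployment Center"))
    return errors


# Constructed sample: two good rows, then a duplicate friendly name, an unregistered
# server and a malformed address that the check should flag on lines 4, 5 and 6.
SAMPLE_CSV = """XTM Device Serial Number,XTM Device Friendly Name,Management Server IP Address
SN-EXAMPLE-0001,branch-seattle,203.0.113.10
SN-EXAMPLE-0002,branch-portland,203.0.113.10
SN-EXAMPLE-0003,branch-seattle,203.0.113.10
SN-EXAMPLE-0004,branch-denver,203.0.113.99
SN-EXAMPLE-0005,branch-boise,not-an-ip
"""
# Constructed: the first Distribution IP Address of the one registered Management Server.
REGISTERED_SERVERS = ["203.0.113.10"]

if __name__ == "__main__":
    for lineno, msg in validate_device_list(SAMPLE_CSV, REGISTERED_SERVERS):
        print(f"line {lineno}: {msg}")
```

Run it against a real device list by reading the file with UTF-8 encoding and passing the first Distribution IP Address of each Management Server you have registered; fix every reported line before you click Import, since the Deployment Center clears the list and its error messages if the browser is closed mid-import.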
Activate Devices
After you have successfully imported the device list CSV file, you can activate the XTM devices
included in the device list.
1. Read the terms of the End User License Agreement.
2. Select the I accept the terms of the End User License Agreement check box.
3. Review the information in the XTM Device List.
4. Click Activate.
The Deployment Center activates the XTM devices in the Device List and any other XTM devices that
have not already been activated.
If you close the browser before activation is complete, the device list and any error messages
are cleared from the Deployment Center, and you must start the import process again.
When your XTM devices have successfully completed the activation process, the Deployment Status
page appears with a list of all the XTM devices you have deployed.
For more information about the Deployment Status page and the next steps to complete after your
XTM devices are activated, see Review the Deployment Status of Your XTM Devices on page 133.
Review the Deployment Status of Your XTM Devices
After you have imported a device list and activated your XTM devices, the Deployment Center
prepares a basic configuration file for each device that you activated with RapidDeploy. Each basic
configuration file includes:
• Management Server IP address and credentials
• Randomly generated Status and Configuration passphrases
• Randomly generated shared secret
• Policy to allow inbound traffic from the specified Management Server IP address
• Feature key for the XTM device
• Friendly name for the XTM device
By default, before a device contacts the Deployment Center to download a configuration file, the
device interfaces are configured to use DHCP to get an IP address. If you have an XTM device that
must have a static IP address, you can insert a USB drive with the static IP address information into
the XTM device before you power it on. Then, when you power on the XTM device, it uses a static
IP address to connect to the Deployment Center and download the configuration file. For more
information, see Use a USB Drive to Configure Interface Settings.
After an XTM device in factory default mode that you activated with RapidDeploy is powered on and
connected to the Internet, it contacts the Deployment Center to get its basic configuration file. The
basic configuration file is applied to the XTM device, and the device restarts. The XTM device then
contacts the Management Server specified in the basic configuration file, and is added to management
so that you can finish the configuration of the XTM device. We recommend that you first complete the
network configuration settings for the XTM device. After the network configuration settings for the
XTM device are completed, you can change the XTM device to Fully Managed Mode and apply one or
more configuration templates to the device.
For more information, see Common Interface Settings, About Centralized Management Modes, and
Apply Device Configuration Templates to Managed Devices in the WatchGuard System Manager
Help.
The Deployment Center keeps a record of whether each device has contacted the Deployment Center,
and when the basic configuration file is sent to each XTM device.
To see the deployment status of your activated XTM devices:
1. Connect to the Deployment Center.
A. Open WSM and connect to your Management Server.
B. Select File > RapidDeploy > Deployment Center.
The WatchGuard Deployment Center launches in your default web browser.
2. Select Status.
The Deployment Status page appears with a list of your activated XTM devices and the deployment
status of each device.
The Deployment Status column in the Deployment Status list shows the current status for each
device. If the XTMdevice has not yet contacted the Deployment Center to get the basic configuration
file, XTMdevice not yet deployed appears. If the XTMdevice has contacted the Deployment Center to
get the basic configuration file, the date the XTMdevice made contact appears with the IP address that
the XTMdevice used to contact the Deployment Center.
If a row in the Deployment Status list is shaded, the XTMdevice in that row was included in the CSV
file that you just imported, but had already been activated for the same Management Server. When an
XTMdevice is activated again, a new deployment package is created for the XTMdevice. Then, when
the XTMdevice contacts the Deployment Center, the new deployment package is sent to that
XTMdevice.
If the Deployment Status list is empty, you either do not have any activated XTMdevices, or your
activated XTMdevices contacted the Deployment Center for their basic configuration files more than
30 days ago.
XTMdevices that have been activated but have not contacted the Deployment Center for their
configuration files are included in the Deployment Status list for two years. After an XTMdevice
contacts the Deployment Center for a configuration file, that XTMdevice remains in the list for 30 days
fromthe date the configuration file is sent to the device.
If an activated XTMdevice tries to contact the Deployment Center, but cannot make contact, the XTM
device receives an error message and tries to contact the Deployment Center again. The XTMdevice
automatically continues to try to make contact with the Deployment Center at regularly diminished
intervals until it successfully makes contact and gets the basic configuration file. If the XTMdevice
contacts the Deployment Center, but cannot retrieve the basic configuration file, either because the
device has not yet been activated or because another error occurs, the XTMdevice does not try to
automatically contact the Deployment Center again. If this occurs, you must complete the device list
import and activation process in the Deployment Center, and then reset the XTMdevice and reconnect
the device to power and the Internet.
RemoteConfig and RapidDeploy | Fireware XTM Web UI User Guide, pages 134-135
Verify Management Server Registration
After you have registered your Management Servers from WatchGuard System Manager, you can verify that they were successfully registered. You can also remove Management Servers from the Registered Management Servers list.

Before you import a device list CSV file, verify that all Management Servers included in the device list appear in the Registered Management Servers list.

To verify the registration for a Management Server:
1. Connect to the Deployment Center.
   A. Open WSM and connect to your Management Server.
   B. Select File > RapidDeploy > Deployment Center.
   The WatchGuard Deployment Center launches in your default web browser.
2. Select Management Servers.
The Registered Management Servers page appears with a list of your registered Management Servers.

Cancel Registration for a Management Server
To cancel registration for a Management Server, you must remove it from the Registered Management Servers list in the Deployment Center. You cannot cancel registration for a Management Server from WatchGuard System Manager. Also, you cannot cancel registration for a Management Server that is linked to XTM devices that have been activated, but that have not already contacted the Management Server.

On the Registered Management Servers page:
1. Review the list of registered Management Servers and find the Management Server to remove from the list.
2. Adjacent to the Management Server, click Cancel Registration.
The registration for the selected Management Server is canceled and the Management Server is removed from the list.
Use a USB Drive to Configure Interface Settings
When your XTM device uses the factory default configuration, the external interface of the device uses DHCP to get an IP address. If your XTM device runs Fireware XTM OS v11.7.3 Update 1 or later and cannot use DHCP to get an IP address, you can still connect to the Deployment Center to use RapidDeploy, or to the MyProducts web page to use RemoteConfig, for your XTM device, but you must use another method to assign an IP address to the external interface. You can use a USB drive to configure the XTM device to either use a static IP address or use PPPoE to get an IP address. To configure your XTM device to use one of these options, you create a CSV (comma-separated values) file on a USB drive, and then insert the USB drive in the XTM device before you power it on.

The USB drive must support the vfat file system and be writable.

Create the CSV File
You can create one CSV file with the interface settings for multiple XTM devices. For each device, you can specify either Static or PPPoE for the address type in a single line in the CSV file. The details that you specify in the CSV file for each XTM device are not case sensitive.

You can use a program such as Microsoft Excel to create the CSV file with the customized interface settings for your XTM devices. When you use Microsoft Excel, or a similar program, to create the CSV file, make sure to save the file as the CSV (Comma Delimited) (*.csv) file type so that the CSV file has the correct encoding, particularly for any special characters in the file.

If you use a text editor to create the CSV file, you must separate each information element with a comma and manually format the file for special characters. If you set the address type to PPPoE, and the user name or password includes a comma or quotation marks, you must put quotation marks around that user name or password and double each quotation mark inside it. For example, "my,password" or "my""password".

To create a CSV file with the interface settings for your XTM device:
1. Create a new CSV file with the name rapid_ip.csv.
2. In a single line or row, type this information for each XTM device:
   - Serial number
   - Interface number (for example, 0)
   - Interface type: ext (External). External is the only available option.
   - IP address type: Static or PPPoE
   - If you set the address type to Static, type this information:
     - IP address with subnet mask
     - Default gateway IP address
     - Primary DNS server IP address
     - Secondary DNS server IP address (optional)
   - If you set the address type to PPPoE, type this information:
     - User name
     - Password
     - IP address (optional)
3. Save the file to the USB drive in the root directory of the first partition.

To use the same CSV file for more than one XTM device, repeat Steps 2-3 and add the information for the other XTM devices to the CSV file.

Here is an example of two lines in a CSV file. One line configures an XTM device to use a static IP address for the External interface, and the other configures a second XTM device to use PPPoE to get an IP address:
70XX00777X777,0,ext,Static,69.164.168.168/24,69.164.168.254,202.106.0.20
80XX00888X888,0,ext,PPPoE,myname,mypassword,192.168.0.101
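To check a rapid_ip.csv file before it goes on the USB drive, here is an added example (not WatchGuard code) that parses and writes the format described above, including the quoting rule for PPPoE user names and passwords that contain commas or quotation marks. The serial numbers and addresses are the guide's sample values, and the field validation is this example's own, not the device's.

```python
"""Build and validate rapid_ip.csv files for XTM device interface settings.

Added example, not WatchGuard code. Follows the CSV layout the guide
describes: one line per device (serial number, interface number, interface
type ext, address type Static or PPPoE, then the type-specific fields),
values are not case sensitive, and a PPPoE user name or password that
contains a comma or quotation marks is wrapped in quotation marks with the
embedded quotation marks doubled. Serial numbers and addresses are the
constructed sample values from the guide, not real devices.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The two sample lines from the guide (constructed sample data).
SAMPLE_CSV = (
    "70XX00777X777,0,ext,Static,69.164.168.168/24,69.164.168.254,202.106.0.20\n"
    "80XX00888X888,0,ext,PPPoE,myname,mypassword,192.168.0.101\n"
)


@dataclass
class InterfaceSetting:
    serial: str
    interface_number: int
    address_type: str            # "Static" or "PPPoE"
    interface_type: str = "ext"  # External is the only available option
    ip_with_prefix: Optional[str] = None   # Static: address in slash notation
    gateway: Optional[str] = None          # Static: default gateway
    primary_dns: Optional[str] = None      # Static: primary DNS server
    secondary_dns: Optional[str] = None    # Static: secondary DNS (optional)
    user_name: Optional[str] = None        # PPPoE: user name
    password: Optional[str] = None         # PPPoE: password
    pppoe_ip: Optional[str] = None         # PPPoE: IP address (optional)

    def to_row(self) -> List[str]:
        """Field order expected on one line of rapid_ip.csv."""
        row = [self.serial, str(self.interface_number),
               self.interface_type, self.address_type]
        if self.address_type.lower() == "static":
            row += [self.ip_with_prefix, self.gateway, self.primary_dns]
            if self.secondary_dns:
                row.append(self.secondary_dns)
        else:
            row += [self.user_name, self.password]
            if self.pppoe_ip:
                row.append(self.pppoe_ip)
        return row


def _ipv4(value: str, what: str, with_prefix: bool = False) -> str:
    """Validate an IPv4 address; static addresses must carry a subnet mask."""
    if with_prefix and "/" not in value:
        raise ValueError(f"{what} must include a subnet mask: {value!r}")
    try:
        ipaddress.IPv4Interface(value) if with_prefix else ipaddress.IPv4Address(value)
    except ValueError:
        raise ValueError(f"{what} is not a valid IPv4 address: {value!r}")
    return value


def parse_rapid_ip_csv(text: str) -> List[InterfaceSetting]:
    """Parse and validate the contents of a rapid_ip.csv file."""
    settings = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(f.strip() for f in row):
            continue  # blank line
        if len(row) < 4:
            raise ValueError(f"line {lineno}: at least 4 fields are required")
        serial, number, iface_type, addr_type = (f.strip() for f in row[:4])
        rest = row[4:]
        if iface_type.lower() != "ext":
            raise ValueError(f"line {lineno}: interface type must be ext")
        if not number.isdigit():
            raise ValueError(f"line {lineno}: bad interface number {number!r}")
        kind = addr_type.lower()
        if kind == "static":
            if len(rest) not in (3, 4):
                raise ValueError(f"line {lineno}: Static needs 3 or 4 values")
            setting = InterfaceSetting(
                serial, int(number), "Static", iface_type,
                ip_with_prefix=_ipv4(rest[0], "IP address", with_prefix=True),
                gateway=_ipv4(rest[1], "gateway"),
                primary_dns=_ipv4(rest[2], "primary DNS"),
                secondary_dns=_ipv4(rest[3], "secondary DNS") if len(rest) == 4 else None)
        elif kind == "pppoe":
            if len(rest) not in (2, 3):
                raise ValueError(f"line {lineno}: PPPoE needs 2 or 3 values")
            setting = InterfaceSetting(
                serial, int(number), "PPPoE", iface_type,
                user_name=rest[0], password=rest[1],
                pppoe_ip=_ipv4(rest[2], "PPPoE IP") if len(rest) == 3 else None)
        else:
            raise ValueError(f"line {lineno}: address type must be Static or PPPoE")
        settings.append(setting)
    return settings


def render_rapid_ip_csv(settings: List[InterfaceSetting]) -> str:
    """Write settings in the file's format; csv applies the quoting rules."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    for setting in settings:
        writer.writerow(setting.to_row())
    return buf.getvalue()


def error_file_name(serial: str) -> str:
    """Name of the error file the device writes to the USB drive on failure."""
    return f"rapid_ip.err.{serial}"
```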
Use the USB Drive
After you have created the CSV file and saved it to the USB drive, the XTM device can get its external interface settings from the connected USB drive.

Before you use the USB drive, make sure that it is writable. If an error occurs when you try to use the CSV file, a file that includes a description of the error is saved in the root directory on the USB drive. The file name for this error file is rapid_ip.err.<serial number of the XTM device>. For example, rapid_ip.err.70XX00777X777. If the USB drive is not writable, the error file cannot be saved to the USB drive.

To use the USB drive to specify the interface configuration for a device:
1. Connect the power cord and interface cables to the XTM device, but do not power on the XTM device.
2. Insert the USB drive with the CSV file into the USB port on the XTM device.
3. Power on the XTM device.
The XTM device gets the interface settings from the CSV file.
6 Network Setup and Configuration
About Network Interface Setup
A primary component of your XTM device setup is the configuration of network interface IP addresses. When you run the Quick Setup Wizard, the external and trusted interfaces are set up so traffic can flow from protected devices to an outside network. You can use the procedures in this section to change the configuration after you run the Quick Setup Wizard, or to add other components of your network to the configuration. For example, you can set up an optional interface for public servers such as a web server.

Your XTM device physically separates the networks on your Local Area Network (LAN) from those on a Wide Area Network (WAN) like the Internet. Your device uses routing to send packets from networks it protects to networks outside your organization. To do this, your device must know what networks are connected on each interface.

We recommend that you record basic information about your network and VPN configuration in the event that you need to contact technical support. This information can help your technician resolve your problem quickly.

Network Modes
Your XTM device supports several network modes:

Mixed routing mode
In mixed routing mode, you can configure your XTM device to send network traffic between a wide variety of physical and virtual network interfaces. This is the default network mode, and this mode offers the greatest amount of flexibility for different network configurations. However, you must configure each interface separately, and you may have to change network settings for each computer or client protected by your XTM device. The XTM device uses Network Address Translation (NAT) to send information between network interfaces.
For more information, see About Network Address Translation on page 249.
The requirements for mixed routing mode are:
- All interfaces of the XTM device must be configured on different subnets. The minimum configuration includes the external and trusted interfaces. You also can configure one or more optional interfaces.
- All computers connected to the trusted and optional interfaces must have an IP address from that network.

Drop-in mode
In a drop-in configuration, your XTM device is configured with the same IP address on all interfaces. You can put your XTM device between the router and the LAN and not have to change the configuration of any local computers. This configuration is known as drop-in because your XTM device is dropped in to an existing network. Some network features, such as bridges and VLANs (Virtual Local Area Networks), are not available in this mode.
For drop-in configuration, you must:
- Assign a static external IP address to the XTM device.
- Use one logical network for all interfaces.
- Not configure multi-WAN in Round-robin or Failover mode.
For more information, see Drop-In Mode on page 169.

Bridge mode
Bridge mode is a feature that allows you to place your XTM device between an existing network and its gateway to filter or manage network traffic. When you enable this feature, your XTM device processes and forwards all incoming network traffic to the gateway IP address you specify. When the traffic arrives at the gateway, it appears to have been sent from the original device. In this configuration, your XTM device cannot perform several functions that require a public and unique IP address. For example, you cannot configure an XTM device in bridge mode to act as an endpoint for a VPN (Virtual Private Network).
For more information, see Bridge Mode on page 175.
Interface Types
You use four interface types to configure your network in mixed routing or drop-in mode:

External Interfaces
An external interface is used to connect your XTM device to a network outside your organization. Often, an external interface is the method by which you connect your XTM device to the Internet.
When you configure an external interface, you must choose the method your Internet service provider (ISP) uses to give you an IP address for your XTM device. If you do not know the method, get this information from your ISP or network administrator.

Trusted Interfaces
Trusted interfaces connect to the private LAN (local area network) or internal network of your organization. A trusted interface usually provides connections for employees and secure internal resources.

Optional Interfaces
Optional interfaces are mixed-trust or DMZ environments that are separate from your trusted network. Examples of computers often found on an optional interface are public web servers, FTP servers, and mail servers.

Custom Interfaces
Custom interfaces are connected to the internal network of your organization. You can use a custom interface when you want to configure a security zone that is separate from the trusted or optional security zones. For more information about custom interfaces, see Configure a Custom Interface.

In mixed routing mode, you can also configure Bridge, VLAN, and Link Aggregation interfaces. Each of these interface types must be in the External, Trusted, Optional, or Custom security zone. For more information about settings that apply to all interface types, see Common Interface Settings on page 178.

For a Firebox T10, XTM 2 Series, 3 Series, or 5 Series device, you can configure failover to an external modem. For more information, see Configure Modem Failover on page 238.

When you configure the interfaces on your XTM device, you must use slash notation to denote the subnet mask. For example, you would enter the IPv4 network range 192.168.0.0 subnet mask 255.255.255.0 as 192.168.0.0/24. A trusted interface with the IPv4 address of 10.0.1.1/16 has a subnet mask of 255.255.0.0.
For more information on slash notation, see About Slash Notation on page 5.

Wireless Interfaces
After you enable at least one wireless access point on a Firebox or XTM wireless device that uses Fireware XTM v11.9 or higher, the interface list includes three interfaces that correspond to the wireless access points.
- ath1: Access point 1
- ath2: Access point 2
- ath3: Access point 3
You cannot enable, disable, or edit the wireless interfaces from the Interfaces page. To edit a wireless interface, select Network > Wireless.
For information about wireless interface configuration settings, see Enable Wireless Connections (Fireware XTM OS v11.9.x and Later).

About Private IP Addresses
When you configure a trusted or optional interface, we recommend that you use an IP address in one of the three IP address ranges reserved by the Internet Engineering Task Force (IETF) for private networks on LANs.
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8
By default, the XTM device enables dynamic NAT for outbound traffic from addresses in these ranges to any external interface.
For more information about dynamic NAT, see About Dynamic NAT.
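The addressing rules stated above for mixed routing mode (every interface on a different subnet, slash notation for the mask, private ranges for trusted and optional interfaces) can be checked before a configuration is applied. The following is an added example, not WatchGuard code; the interface list and the 203.0.113.0/24 documentation range it uses as a stand-in for a public address are constructed.

```python
"""Check the interface addressing rules the guide states for mixed routing mode.

Added example, not WatchGuard code. Input is a constructed list of
(interface name, security zone, IPv4 address in slash notation). The checks
are: addresses use slash notation; every interface is on a different subnet,
with at least an external and a trusted interface; and trusted or optional
interfaces use one of the three IETF private ranges. 203.0.113.0/24 is the
documentation range used here as a stand-in for a real public address.
"""
import ipaddress
from typing import List, Tuple

PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


def slash_to_mask(prefix_len: int) -> str:
    """Prefix length to dotted mask, e.g. 24 -> 255.255.255.0."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


def mask_to_slash(mask: str) -> int:
    """Dotted mask to prefix length, e.g. 255.255.0.0 -> 16."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def is_private(address: str) -> bool:
    """True if the host part of a slash-notation address is in a private range."""
    host = ipaddress.ip_address(address.split("/", 1)[0])
    return any(host in net for net in PRIVATE_RANGES)


def check_mixed_routing(interfaces: List[Tuple[str, str, str]]) -> List[str]:
    """Return a list of findings; an empty list means the rules are met."""
    findings = []
    parsed = []
    for name, zone, address in interfaces:
        if "/" not in address:
            findings.append(f"{name}: {address} must use slash notation, e.g. /24")
            continue
        try:
            iface = ipaddress.ip_interface(address)
        except ValueError:
            findings.append(f"{name}: {address} is not a valid IPv4 address")
            continue
        if zone in ("trusted", "optional") and not is_private(address):
            findings.append(f"{name}: {zone} interface {address} is not in a "
                            "private range (192.168/16, 172.16/12, 10/8)")
        parsed.append((name, iface.network))
    zones = {zone for _, zone, _ in interfaces}
    if not {"external", "trusted"} <= zones:
        findings.append("mixed routing mode needs at least an external "
                        "and a trusted interface")
    # Every interface must be on its own subnet: no two networks may overlap.
    for i, (name_a, net_a) in enumerate(parsed):
        for name_b, net_b in parsed[i + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"{name_a} ({net_a}) and {name_b} ({net_b}) "
                                "overlap; each interface needs a different subnet")
    return findings
```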
About IPv6 Support
Fireware XTM supports many features for IPv6 traffic.
- IPv6 addressing: You can add a static IPv6 address to the External, Trusted, Optional, or Custom interfaces when the device is configured in mixed routing mode. This includes VLAN, Bridge, and Link Aggregation interfaces. For more information, see Enable IPv6 for an External Interface and Enable IPv6 for a Trusted or Optional Interface.
- IPv6 DNS servers: You can use an IPv6 address to specify a DNS server.
- IPv6 static routes: You can add an IPv6 host or network static route.
- IPv6 dynamic routing (RIPng, OSPFv3, and BGP)
- IPv6 BOVPN virtual interface routes: You can add an IPv6 route through an IPv4 BOVPN virtual interface.
- IPv6 device management: You can use the static IPv6 address to connect to Fireware XTM Web UI or the CLI for device management. You cannot use the static IPv6 address to connect to the XTM device from WatchGuard System Manager.
- Diagnostic logging: You can set the diagnostic log level for IPv6 advertisements. For information about how to configure diagnostic log levels, see Set the Diagnostic Log Level.
- IPv6 Ping: You can ping IPv6 addresses in Firebox System Manager Diagnostic tasks.
- Packet filter policies: You can use IPv6 addresses in packet filter policies.
- MAC access control: Applies to both IPv6 and IPv4 traffic.
- Inspection of traffic received and sent by the same interface: Applies to both IPv6 and IPv4 traffic.
- Blocked sites and exceptions: You can use an IPv6 address to define a blocked site or exception.
- Blocked ports: Applies to both IPv6 and IPv4 traffic.
- TCP SYN checking: The TCP SYN checking setting in Global Settings applies to both IPv6 and IPv4 traffic.
- Application Control
- Intrusion Prevention Service
- DHCPv6
- FireCluster
- Flood attack prevention: The Default Packet Handling settings to block flood attacks apply to both IPv6 and IPv4 traffic.
- Authentication: IPv6 addresses are supported for Firewall authentication.

All other networking and security features are not yet supported for IPv6 traffic. This includes:
- Proxy policies
- Authentication: Single Sign-On, Terminal Services, VPN support, fully qualified domain names for RADIUS and SecurID servers, automatic redirect of users to the Authentication page
- WebBlocker
- Gateway AV
- spamBlocker
- APT Blocker
- Reputation Enabled Defense
- Default packet handling other than flood protection
- Multi-WAN
- Server load balancing
- Traffic Management and QoS
- Drop-in mode
- Bridge mode
- NAT
- MAC/IP address binding
- Branch Office VPN
- Mobile VPN
- Wireless and modem

Any other feature not in the list of supported IPv6 features is not supported for IPv6 traffic.

WatchGuard continues to add more IPv6 support to Fireware XTM for all XTM device models. For more information about the WatchGuard IPv6 roadmap, see http://www.watchguard.com/ipv6/index.asp.
Mixed Routing Mode
In mixed routing mode, you can configure your XTM device to send network traffic between many different types of physical and virtual network interfaces. Mixed routing mode is the default network mode. While most network and security features are available in this mode, you must carefully check the configuration of each device connected to your XTM device to make sure that your network operates correctly.

A basic network configuration in mixed routing mode uses at least two interfaces. For example, you can connect an external interface to a cable modem or other Internet connection, and a trusted interface to an internal router that connects internal members of your organization. From that basic configuration, you can add an optional network that protects servers but allows greater access from external networks, configure VLANs and other advanced features, or set additional options for security like MAC address restrictions. You can also define how network traffic is sent between interfaces.

To get started on interface configuration in mixed routing mode, see Common Interface Settings on page 178.

It is easy to forget IP addresses and connection points on your network in mixed routing mode, especially if you use VLANs (Virtual Local Area Networks), secondary networks, and other advanced features. We recommend that you record basic information about your network and VPN configuration in the event that you need to contact technical support. This information can help your technician resolve your problem quickly.

Configure an External Interface
An external interface is used to connect your XTM device to a network outside your organization. Often, an external interface is the method by which you connect your device to the Internet.

When you configure an external interface, you must choose the method your Internet service provider (ISP) uses to give you an IPv4 address for your device. If you do not know the method, get this information from your ISP or network administrator. In addition to the IPv4 address, you can optionally configure an IPv6 address.

For information about methods used to set and distribute IP addresses, see Static and Dynamic IP Addresses on page 6.
For information about IPv6 configuration, see Enable IPv6 for an External Interface.
Use a Static IPv4 Address
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select an external interface. Click Edit.
3. From the Configuration Mode drop-down list, select Static IP.
4. In the IP address text box, type the IP address of the interface.
5. In the Gateway text box, type the IP address of the default gateway.
6. Click Save.

Use PPPoE Authentication to get an IPv4 Address
If your ISP uses PPPoE, you must configure PPPoE authentication before your device can send traffic through the external interface. Fireware XTM supports the PAP, EAP, CHAP, MS-CHAP and MS-CHAPv2 PPPoE authentication methods.
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select an external interface. Click Configure.
3. From the Configuration Mode drop-down list, select PPPoE.
4. Select an option:
   - Obtain an IP address automatically
   - Use this IP address (supplied by your Internet Service Provider)
5. If you selected Use this IP Address, in the adjacent text box, type the IP address.
6. Type the User Name and Password. Type the password again.
ISPs use the email address format for user names, such as user@example.com.
7. To configure additional PPPoE options, click Advanced.
Your ISP can tell you if you must change the timeout or LCP values.
8. Select when the device connects to the PPPoE server:
   - Always-on: The XTM device keeps a constant PPPoE connection. It is not necessary for network traffic to go through the external interface.
   If you select this option, type or select a value in the PPPoE initialization retry every text box to set the number of seconds that PPPoE tries to initialize before it times out.
   - Dial-on-demand: The XTM device connects to the PPPoE server only when it gets a request to send traffic to an IP address on the external interface.
   If your ISP regularly resets the connection, select this option.
   If you select this option, in the Idle timeout in text box, set the length of time a client can stay connected when no traffic is sent.
   If you do not select this option, you must manually restart the XTM device each time the connection resets.
9. If your ISP requires the Host-Uniq tag for PPPoE discovery packets, select the Use Host-Uniq tag in PPPoE discovery packets check box.
10. To use LCP echo requests to detect lost PPPoE connections, select the Use LCP echo requests to detect lost PPPoE connections check box.
This is enabled by default.
11. In the LCP echo failure in text box, type or select the number of failed LCP echo requests allowed before the PPPoE connection is considered inactive and closed.
12. In the LCP echo timeout in text box, type or select the length of time, in seconds, that the response to each echo timeout must be received.
13. To configure the XTM device to automatically restart the PPPoE connection on a daily or weekly basis, select the Schedule time for auto restart check box.
14. From the Schedule time for auto restart drop-down list, select Daily to restart the connection at the same time each day, or select a day of the week to restart weekly. Select the hour and minute of the day (in 24 hour time format) to automatically restart the PPPoE connection.
15. In the Service Name text box, type a PPPoE service name.
This is either an ISP name or a class of service that is configured on the PPPoE server. Usually, this option is not used. Select it only if there is more than one access concentrator, or you know that you must use a specified service name.
16. In the Access Concentrator Name text box, type the name of a PPPoE access concentrator, also known as a PPPoE server. Usually, this option is not used. Select it only if you know there is more than one access concentrator.
17. In the Authentication retries text box, type or select the number of times that the XTM device can try to make a connection.
The default value is three (3) connection attempts.
18. In the Authentication timeout text box, type a value for the amount of time between connection attempt retries.
The default value is 20 seconds between each connection attempt.
19. If you configure the PPPoE settings to use a static IP address, you can select one of three options for PPPoE IP address negotiation:
   - Send PPPoE client static IP address during PPPoE negotiation: This option configures the XTM device to send the PPPoE client IP address to the PPPoE server during PPPoE negotiation. This is the default setting.
   - Don't send PPPoE client static IP address during PPPoE negotiation: This option configures the XTM device not to send the PPPoE client IP address to the PPPoE server.
   - Send and enforce PPPoE client static IP address during PPPoE negotiation: This option configures the XTM device to send the PPPoE client IP address to the PPPoE server, and use the configured IP address even if another IP address is obtained from the PPPoE server. To use this option, the XTM device must use Fireware XTM v11.8.1 or higher.
20. To configure the XTM device to negotiate DNS with the PPPoE server, select the Negotiate DNS with PPPoE Server check box. This is enabled by default. Clear this check box if you do not want the XTM device to negotiate DNS.
21. Click OK.
Use DHCP to Get an IPv4 IP Address
1. From the Configuration Mode drop-down list, select DHCP.
2. If your ISP or external DHCP server requires a client identifier, such as a MAC address, in the Client text box, type this information.
3. To specify a host name for identification, type it in the Host Name text box.
4. To manually assign an IP address to the external interface, type it in the Use this IP address text box.
To configure the external interface to obtain an IP address automatically, clear the Use this IP address text box.
5. To change the lease time, select the Lease Time check box and specify the value in the adjacent text box and drop-down list.
IP addresses assigned by a DHCP server have an eight hour lease by default; each address is valid for eight hours.

You can optionally enable the DHCP Force Renew option. This feature enables the XTM device to handle a FORCERENEW message from your ISP or DHCP provider. The DHCP server sends a FORCERENEW message to request that the DHCP client renew its leased IP address sooner than it ordinarily would, based on the configured lease time. If your ISP or DHCP provider requests that you enable this option, they might also specify a shared key. The shared key is optional, but recommended. If you specify a shared key, it must match the shared key in the FORCERENEW message. If you do not specify a shared key, the XTM device responds to any FORCERENEW message, whether a shared key is present or not.

The DHCP Force Renew option is supported in Fireware XTM v11.8.1 and higher.

To enable the XTM device to handle a DHCP FORCERENEW request:
1. Select the DHCP Force Renew check box.
2. (Optional) In the Shared Key text box, type the shared key.
The shared key is encrypted and stored in the configuration file.

Enable IPv6 for an External Interface
You can configure the external interface with an IPv6 address in addition to the IPv4 address. IPv6 is not enabled on any interface by default. When you enable IPv6 for an external interface, you can configure the interface with one or more static IPv6 addresses, and you can configure the interface to use DHCP to get an IPv6 address. You can also enable IP address autoconfiguration.

Enable IPv6
To enable IPv6 for an external interface:
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select an external interface. Click Configure.
The Interface Settings dialog box appears.
3. Select the IPv6 tab.
4. Select the Enable IPv6 check box.
Next you can add static IPv6 IP addresses, enable the interface to use DHCPv6, or both.

Add a Static IPv6 Address
To add a static IPv6 address:
1. Adjacent to the Static IPv6 Addresses list, click Add.
The Add Static IPv6 Address dialog box appears.
2. Type the IPv6 IP address and the routing prefix size.
3. Click OK.
The IP address is added to the list.

Use DHCPv6 to get an IPv6 Address
You can configure the interface to use DHCPv6 to get an IP address. To get IPv6 addresses from a server, the DHCPv6 client can use a rapid two-message exchange (solicit, reply) or a four-message exchange (solicit, advertise, request, reply). By default, the DHCPv6 client uses the four-message exchange. To use the two-message exchange, enable the Rapid Commit option on the XTM device and on the DHCPv6 server.

To enable DHCPv6 for the interface:
1. Select Enable DHCPv6 Client.
2. Select the Rapid Commit check box to use a rapid two-message exchange to get an IPv6 address.
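The two exchanges described above, and why Rapid Commit has to be enabled on both sides, can be seen in the following added example (not WatchGuard or Fireware code). It models a DHCPv6 client and server as plain Python objects; the addresses are constructed samples from the 2001:db8::/32 documentation prefix.

```python
"""Simulate the DHCPv6 exchanges described for the external interface.

Added example, not WatchGuard or Fireware code. A client and a server are
modelled as plain Python objects. With Rapid Commit enabled on both sides the
lease is obtained with the two-message exchange (Solicit, Reply); otherwise
the four-message exchange (Solicit, Advertise, Request, Reply) runs. If only
the client asks for Rapid Commit, the server ignores the option and answers
with Advertise, so the four-message exchange is used anyway; that is why the
option must be enabled on both the XTM device and the DHCPv6 server.
Addresses are constructed samples from the 2001:db8::/32 documentation prefix.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Message:
    kind: str                   # Solicit, Advertise, Request or Reply
    rapid_commit: bool = False  # Rapid Commit option present
    address: Optional[str] = None


class Dhcpv6Server:
    def __init__(self, pool: List[str], rapid_commit: bool):
        self.pool = list(pool)          # addresses still free to lease
        self.rapid_commit = rapid_commit
        self.advertised: Optional[str] = None

    def handle(self, msg: Message) -> Message:
        if msg.kind == "Solicit":
            candidate = self.pool[0]
            if msg.rapid_commit and self.rapid_commit:
                # Two-message exchange: commit the lease immediately.
                self.pool.remove(candidate)
                return Message("Reply", rapid_commit=True, address=candidate)
            # Four-message exchange: offer the address, commit on Request.
            self.advertised = candidate
            return Message("Advertise", address=candidate)
        if msg.kind == "Request":
            if msg.address != self.advertised:
                raise ValueError("Request for an address that was not advertised")
            self.pool.remove(msg.address)
            self.advertised = None
            return Message("Reply", address=msg.address)
        raise ValueError(f"unexpected message type {msg.kind}")


class Dhcpv6Client:
    def __init__(self, rapid_commit: bool):
        self.rapid_commit = rapid_commit
        self.address: Optional[str] = None

    def obtain_address(self, server: Dhcpv6Server) -> List[str]:
        """Run the exchange and return a transcript, one line per message."""
        transcript: List[str] = []

        def send(msg: Message) -> Message:
            transcript.append(f"client -> server: {msg.kind}"
                              + (" [Rapid Commit]" if msg.rapid_commit else ""))
            reply = server.handle(msg)
            transcript.append(f"server -> client: {reply.kind} {reply.address}"
                              + (" [Rapid Commit]" if reply.rapid_commit else ""))
            return reply

        first = send(Message("Solicit", rapid_commit=self.rapid_commit))
        if first.kind == "Reply" and first.rapid_commit:
            self.address = first.address  # two-message exchange finished
            return transcript
        # Advertise received: request the offered address to finish the exchange.
        final = send(Message("Request", address=first.address))
        self.address = final.address
        return transcript
```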
Use IPv6 Address Autoconfiguration
IPv6 address autoconfiguration enables the XTM device to automatically assign an IPv6 link-local address to this interface. When you enable IP address autoconfiguration, the external interface is automatically enabled to receive IPv6 router advertisements. With IPv6 address configuration enabled, it is not necessary to specify a default gateway.
To enable IPv6 Address Autoconfiguration:
Select the IP Address Autoconfiguration check box in the IPv6 tab.
For more information about IPv6 stateless address autoconfiguration, see RFC 4862.

Configure the Default Gateway
When you enable IPv6 for an external interface, if you do not enable IPv6 address autoconfiguration, you must specify the default IPv6 gateway.
To specify the default gateway:
In the Default Gateway text box, type the IPv6 address of the default gateway.
Configure a Trusted or Optional Interface
A trusted or optional interface is used to connect your XTMdevice to a network inside your
organization.
If you change the configuration of the interface you are currently connected to, you
can lose your connection to the Web UI.
To configure a trusted or optional network interface:
1. Select Network > Interfaces.
The Network Interfaces dialog box appears.
2. Select an interface and click Configure.
The Interface Configuration dialog box appears.
3. In the Interface Name (Alias) text box, you can use the default name or change it to one that
more closely reflects your own network.
Make sure the name is unique among interface names, as well as all Mobile VPN group names
and tunnel names. You can use this alias with other features, such as proxy policies, to manage
network traffic for this interface.
4. (Optional) In the Interface Description text box, type a description of the interface.
5. Fromthe Interface Type drop-down list, select Trusted or Optional.
6. In the IPAddress text box, type the IPv4address in slash notation. For information about
IPaddresses to use for trusted and optional networks, see About Private IPAddresses.
7. Configure other interface settings.
n For information about how to automatically assign IPv4addresses to clients that
connect to a trusted or optional interface, see Configure IPv4 DHCP in Mixed Routing
Mode on page 154 or Configure DHCPRelay on page 179.
n For information about how to use more than one IPv4address on a single physical
network interface, see Add a Secondary Network IPAddress on page 182.
n For information about how to configure an interface to use an IPv6 address, see Enable
IPv6 for a Trusted or Optional Interface.
8. Click Save.
Configure IPv4 DHCP in Mixed Routing Mode
DHCP (Dynamic Host Configuration Protocol) is a method to assign IP addresses automatically to network clients. You can configure your XTM device as a DHCP server for the networks that it protects. If you have a DHCP server, we recommend that you continue to use that server for DHCP.
These DHCP settings apply to trusted and optional interfaces, and to VLAN, Bridge, and Link Aggregation interfaces in the trusted and optional security zones.
If your XTM device is configured in drop-in mode, see Configure DHCP in Drop-In Mode.
Configure DHCP for IPv4
1. Select Network > Interfaces.
2. Select a trusted or an optional interface. Click Edit.
3. Select Use DHCP Server, or for the wireless guest network, select the Enable DHCP Server on Wireless Guest Network check box.
4. To add a group of IP addresses to assign to users on this interface, in the Address Pool section, click Add.
5. Specify starting and ending IP addresses on the same subnet, then click OK.
The address pool must belong either to the interface's primary or secondary IP subnet.
You can configure a maximum of six address ranges. Address groups are used from first to last. Addresses in each group are assigned by number, from lowest to highest.
6. To change the default lease time for addresses in the DHCP address pool, select a different option in the Lease Time drop-down list.
This is the time interval that a DHCP client can use an IP address that it receives from the DHCP server. When the lease time is about to expire, the client sends data to the DHCP server to get a new lease.
To modify or delete an address pool range:
1. In the Address Pool table, select the entry.
2. Click Edit to edit the selected range.
3. Click Remove to remove the selected range.
Configure DHCP Reservations
To reserve a specific IP address for a client:
1. In the Reserved Addresses section, type a name for the reservation, the IP address you want to reserve, and the MAC address of the client's network card.
The DHCP reservation name cannot start or end with a dot (.) or dash (-), and cannot contain an underscore (_).
2. Click Add.
To modify or delete a reservation:
1. In the Reserved Addresses table, select the reservation.
2. Click Edit to edit the selected reservation.
3. Click Remove to remove the selected reservation.
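The following Python script is an added example; it is not part of this guide or of the Fireware XTM software. It checks a planned IPv4 DHCP configuration against the rules in this section before you type it into the Web UI: each address range must belong to the interface's primary or secondary subnet, at most six ranges are allowed, a reservation name cannot start or end with a dot or dash or contain an underscore, and dynamic addresses are assigned pool by pool from first to last and from lowest to highest. The interface addresses, pools, reservation, and MAC address are constructed sample values. Two rules are assumptions of the example rather than statements of the guide: the interface's own address is excluded from dynamic assignment, and a reserved address is taken from a configured pool and skipped when other clients are served.

```python
import ipaddress
import re
from typing import Dict, Iterator, List, Tuple

MAX_POOLS = 6  # the guide allows a maximum of six address ranges per interface
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")  # six colon-separated hex pairs

# Constructed sample interface: primary subnet plus one secondary network address.
INTERFACE_ADDRESSES = ["10.0.1.1/24", "10.0.2.1/24"]
# Constructed sample address pools as (starting IP, ending IP), in the order configured.
POOLS = [("10.0.1.100", "10.0.1.102"), ("10.0.2.10", "10.0.2.11")]
# Constructed sample reservations: name -> (reserved IP, MAC address of the client's network card).
RESERVATIONS = {"printer-1": ("10.0.1.101", "00:11:22:33:44:55")}


def validate_pools(interface_addresses: List[str], pools: List[Tuple[str, str]]) -> List[str]:
    """Return the problems found in the address pools; an empty list means they are acceptable."""
    ifaces = [ipaddress.ip_interface(a) for a in interface_addresses]
    problems: List[str] = []
    if len(pools) > MAX_POOLS:
        problems.append(f"{len(pools)} ranges configured, maximum is {MAX_POOLS}")
    for start_s, end_s in pools:
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if end < start:
            problems.append(f"{start_s}-{end_s}: ending address is lower than starting address")
            continue
        # The range must belong to the interface's primary or secondary IP subnet.
        if not any(start in i.network and end in i.network for i in ifaces):
            problems.append(f"{start_s}-{end_s}: not within the interface's primary or secondary subnet")
        # Assumption of this example: the interface's own address must never be handed out.
        if any(start <= i.ip <= end for i in ifaces):
            problems.append(f"{start_s}-{end_s}: contains the interface's own IP address")
    return problems


def valid_reservation_name(name: str) -> bool:
    """Reservation names cannot start or end with '.' or '-', and cannot contain '_'."""
    if not name:
        return False
    return name[0] not in ".-" and name[-1] not in ".-" and "_" not in name


def validate_reservations(pools: List[Tuple[str, str]],
                          reservations: Dict[str, Tuple[str, str]]) -> List[str]:
    """Check reservation names, MAC addresses, and that each reserved IP lies in a pool (assumption)."""
    problems: List[str] = []
    for name, (ip_s, mac) in reservations.items():
        if not valid_reservation_name(name):
            problems.append(f"{name!r}: invalid reservation name")
        if not MAC_RE.match(mac):
            problems.append(f"{name!r}: MAC address {mac!r} is not six colon-separated hex pairs")
        ip = ipaddress.ip_address(ip_s)
        if not any(ipaddress.ip_address(s) <= ip <= ipaddress.ip_address(e) for s, e in pools):
            problems.append(f"{name!r}: reserved address {ip_s} is not inside any address pool")
    return problems


def allocation_order(pools: List[Tuple[str, str]],
                     reservations: Dict[str, Tuple[str, str]]) -> Iterator[str]:
    """Yield dynamic addresses in the guide's order: pools first to last, addresses lowest to highest."""
    reserved = {ipaddress.ip_address(ip) for ip, _mac in reservations.values()}
    for start_s, end_s in pools:
        cur, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        while cur <= end:
            if cur not in reserved:  # a reserved address goes only to its MAC (assumption)
                yield str(cur)
            cur += 1


if __name__ == "__main__":
    print("pool problems:", validate_pools(INTERFACE_ADDRESSES, POOLS))
    print("reservation problems:", validate_reservations(POOLS, RESERVATIONS))
    print("dynamic assignment order:", list(allocation_order(POOLS, RESERVATIONS)))
```

Run the script as-is to see the sample configuration pass, or replace the constructed values with your own interface addresses and pools; any problem it reports corresponds to a rule the Web UI enforces when you click OK.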
Configure DHCP Options
There are three configurable DHCP options. Many VoIP phones use these DHCP options to download their boot configuration. The DHCP options are:
• TFTP Server IP (Option 150) - The IP address of the TFTP server where the DHCP client can download the boot configuration.
• TFTP Server Name (Option 66) - The name of the TFTP server where the DHCP client can download the boot configuration. This option is supported only for devices that use Fireware XTM v11.7.4 and higher.
• TFTP Boot Filename (Option 67) - The name of the boot file.
Options 66 and 67 are described in RFC 2132. Option 150 is used by Cisco IP phones.
To configure these options in the DHCP Options section:
1. In the TFTP Server IP text box, type the IP address of the TFTP server.
2. In the TFTP Server Name text box, type the name of the TFTP server.
3. In the TFTP Boot Filename text box, type the name of the boot file on the TFTP server.
Configure Per-Interface WINS/DNS
By default, when it is configured as a DHCP server, your XTM device gives out the DNS and WINS server information configured on the Network Configuration > WINS/DNS tab. To specify different information for your device to assign when it gives out IP addresses, you can add a DNS server for the interface.
• To configure per-interface WINS/DNS settings, select the DNS/WINS tab.
• To change the default DNS domain, in the Domain Name text box, type a domain name.
• To create a new DNS server entry, in the DNS Server text box, type an IP address, and click Add.
• To create a new WINS server entry, in the WINS Server text box, type an IP address and click Add.
• To remove the selected server from a list, click Remove.
Enable IPv6 for a Trusted or Optional Interface
You can configure a trusted, optional, or custom interface with an IPv6 address in addition to the IPv4 address. IPv6 is not enabled on any interface by default. When you enable IPv6, you can configure the interface with one or more static IPv6 addresses. You can also configure router advertisement of the IP address prefix.
Add a Static IPv6 IP Address
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select a trusted, optional, or custom interface. Click Edit.
3. Select the IPv6 tab.
4. Select the Enable IPv6 check box.
5. Click Add.
6. Type the IPv6 IP address and the routing prefix size.
7. To add the prefix for this IP address to the Prefix Advertisement list, select the Add Prefix Advertisement check box.
You can select this option only if the prefix size is /64.
8. Click OK.
The IP address is added to the list.
Configure Router Advertisement
When you enable IPv6 for a trusted, optional, or custom interface, you can enable the interface to send Router Advertisement messages. When you enable Router Advertisement, the interface sends the configured IP address prefixes in router advertisements on the local network. Router Advertisement is used for IPv6 neighbor discovery and IPv6 address autoconfiguration.
The Router Advertisement settings appear in the Router Advertisement section of the IPv6 tab.
Router Advertisement Settings
Select the Send Advertisement check box to enable the XTM device to send periodic router advertisements and respond to router solicitations. If you select the Add Prefix Advertisement check box for any IPv6 IP address, the Send Advertisement check box is automatically selected.
The Router Advertisement section has five other settings that appear in all router advertisement messages:
• M Flag - The managed address configuration flag. This flag indicates that host addresses are available through DHCPv6. If the M flag is selected, the O flag is ignored, because DHCPv6 returns all available configuration information. The M flag is disabled by default.
• O Flag - The other stateful configuration flag. This flag indicates that other configuration information is available through DHCPv6. Examples of such information include DNS-related information, or information about other servers within the network. The O flag is disabled by default.
• Default Lifetime - The lifetime associated with the default router. The default value is 30 minutes. The maximum is 150 minutes.
• Maximum Interval - The maximum time allowed between unsolicited multicast router advertisements sent from the interface. It must be a value from 4 to 1800 seconds. The default value is 10 minutes.
• Minimum Interval - The minimum time allowed between unsolicited multicast router advertisements sent from the interface. It must be a value from 3 to 1350 seconds. The default value is 200 seconds.
Add a Prefix Advertisement
To add a Prefix Advertisement prefix for a static IPv6 address:
In the Static IPv6 Addresses list, select the Add Prefix Advertisement check box adjacent to a configured static IP address. You can also select this check box when you add the static IP address. In either case, the prefix for the static IP address is added to the Prefix Advertisement list.
For example, if the static IP address is 2001:db8::2/64, when you select Add Prefix Advertisement, the prefix 2001:db8:: is added to the Prefix Advertisement list.
To add a Prefix Advertisement that is not associated with a static IPv6 address:
1. In the Router Advertisement section, select the Send Advertisement check box.
2. Click Add.
The Add Prefix Advertisement dialog box appears.
3. In the Prefix text box, type the IPv6 prefix.
The prefix must be a network IP address in the format x:x::/64.
4. (Optional) Change the other prefix advertisement settings:
• Valid Lifetime - The length of time after the packet is sent that the prefix is valid for the purpose of onlink determination.
• Preferred Lifetime - The length of time after the packet is sent that addresses generated from the prefix through stateless address autoconfiguration remain preferred.
• Onlink - If enabled, a host can use this prefix to determine whether a destination is onlink as opposed to reachable only through a router.
• Autonomous - If enabled, a host can use this prefix for stateless autoconfiguration of the link-local address.
5. Click OK.
Edit a Prefix Advertisement
1. To change the Autonomous and Onlink settings, select or clear the check box in the adjacent column.
2. To edit other settings, select the Prefix Advertisement and click Edit.
Remove a Prefix Advertisement
1. To remove the prefix advertisement associated with a configured static IP address, clear the Add Prefix Advertisement check box adjacent to the static IP address in the Static IPv6 Addresses table.
2. To remove any other prefix advertisement, select the prefix in the Prefix Advertisement list. Then click Remove.
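The following Python script is an added example, not part of this guide or of the Fireware XTM software. It applies the Router Advertisement rules from the sections above to a planned IPv6 interface configuration: it derives the prefix that the Add Prefix Advertisement check box adds for a static address (only when the prefix size is /64), validates a manually typed prefix in the x:x::/64 form (host bits must be zero), checks the interval and lifetime limits the guide states, and reports that the O flag is ignored when the M flag is selected. The sample addresses and settings are constructed. Two checks come from RFC 4861 rather than from the guide and are marked as such in the code: the Minimum Interval may not exceed three quarters of the Maximum Interval, and the Default Lifetime is either 0 or at least the Maximum Interval.

```python
import ipaddress
from typing import List, Optional, Tuple

# Limits stated in the guide, in seconds (defaults: Maximum Interval 10 min, Minimum Interval 200 s,
# Default Lifetime 30 min).
MAX_INTERVAL_RANGE = (4, 1800)
MIN_INTERVAL_RANGE = (3, 1350)
DEFAULT_LIFETIME_MAX = 150 * 60  # the guide's maximum of 150 minutes

# Constructed sample addresses for the demonstration at the bottom.
SAMPLE_STATIC_ADDRESSES = ["2001:db8::2/64", "2001:db8:ffff::1/48"]


def prefix_for_static_address(address: str) -> Optional[str]:
    """Prefix that Add Prefix Advertisement adds for a static address, or None when the size is not /64."""
    iface = ipaddress.IPv6Interface(address)
    if iface.network.prefixlen != 64:
        return None  # the check box can be selected only for a /64 address
    return str(iface.network)  # e.g. "2001:db8::/64" for the static address 2001:db8::2/64


def valid_manual_prefix(prefix: str) -> bool:
    """A manually added prefix must be a network address (host bits zero) in the form x:x::/64."""
    try:
        net = ipaddress.IPv6Network(prefix, strict=True)  # strict: reject set host bits
    except ValueError:
        return False
    return net.prefixlen == 64


def check_router_advertisement(max_interval: int, min_interval: int, default_lifetime: int,
                               m_flag: bool, o_flag: bool) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for the five Router Advertisement settings."""
    errors: List[str] = []
    warnings: List[str] = []
    lo, hi = MAX_INTERVAL_RANGE
    if not lo <= max_interval <= hi:
        errors.append(f"Maximum Interval {max_interval}s must be from {lo} to {hi} seconds")
    lo, hi = MIN_INTERVAL_RANGE
    if not lo <= min_interval <= hi:
        errors.append(f"Minimum Interval {min_interval}s must be from {lo} to {hi} seconds")
    # RFC 4861 (not the guide): MinRtrAdvInterval must not exceed 0.75 * MaxRtrAdvInterval.
    if min_interval > 0.75 * max_interval:
        errors.append("Minimum Interval must not exceed 0.75 x Maximum Interval (RFC 4861)")
    if default_lifetime > DEFAULT_LIFETIME_MAX:
        errors.append(f"Default Lifetime {default_lifetime}s exceeds the maximum of 150 minutes")
    # RFC 4861 (not the guide): AdvDefaultLifetime is 0 (not a default router) or >= MaxRtrAdvInterval.
    if default_lifetime != 0 and default_lifetime < max_interval:
        errors.append("Default Lifetime must be 0 or at least the Maximum Interval (RFC 4861)")
    if m_flag and o_flag:
        warnings.append("O flag is ignored because the M flag is selected")
    return errors, warnings


if __name__ == "__main__":
    for addr in SAMPLE_STATIC_ADDRESSES:
        print(addr, "->", prefix_for_static_address(addr))
    print(valid_manual_prefix("2001:db8:1::/64"), valid_manual_prefix("2001:db8::1/64"))
    # The guide's defaults: 10 minutes, 200 seconds, 30 minutes, both flags disabled.
    print(check_router_advertisement(600, 200, 1800, False, False))
```

The prefix function returns the network in slash notation (2001:db8::/64), which is the same prefix the guide's example shows as 2001:db8::.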
Configure IPv6 Connection Settings
When you enable IPv6 for an interface, you can configure IPv6 connection settings. The default values are appropriate for most networks. We recommend that you do not change them unless your network requires it. These settings appear in the IPv6 tab when you edit an interface.
1. In the Hop Limit text box, type or select the IPv6 hop limit.
The hop limit is the number of network segments a packet can travel over before it is discarded by a router.
The default value is 64.
2. In the DAD Transmits text box, type or select the number of DAD (Duplicate Address Detection) transmits for this link.
The default value is 1. If you set this value to 0, duplicate address detection is not performed.
Configure an IPv6 DHCP Server
DHCPv6 is a method to assign IPv6 addresses automatically to network clients. When you enable IPv6 for a trusted or optional interface, you can enable the DHCPv6 server on the interface, to assign IPv6 addresses to clients that connect.
Before you can enable the DHCPv6 server, you must enable IPv6 for the interface. For more information, see Enable IPv6 for a Trusted or Optional Interface.
You cannot use these special purpose IP addresses in the DHCPv6 configuration:
• IP addresses that start with 2002, unless bits 17-48 specify a valid IPv4 address
• IP addresses that start with FE80, because this specifies a link local address
• IP addresses that start with FEC0, because this specifies a site local address
Configure DHCPv6 Server Settings
You can enable DHCPv6 for a trusted or optional interface that has IPv6 enabled.
1. Select Network > Interfaces.
2. Select a trusted or an optional interface. Click Edit.
3. Select the IPv6 tab.
4. From the DHCP drop-down list, select Use DHCP Server.
The DHCP server configuration settings appear.
Configure the DHCPv6 Address Pool
1. In the Address Pool section of the Settings tab, click Add.
The Add Address Range dialog box appears.
2. In the Starting IP and Ending IP text boxes, type two IPv6 addresses in the same prefix range as an IPv6 address configured for this interface.
3. Click OK.
Configure DHCPv6 Reservations
To reserve a specific IP address for a client:
1. In the Reserved Addresses section, click Add.
The Add Reserved IP by DUID dialog box appears.
2. In the Reserved IP text box, type the IPv6 address to reserve.
3. In the Reservation Name text box, type a name for this reservation.
The reservation name cannot start or end with a dot (.) or hyphen (-), and cannot contain an underscore. The maximum length of a reservation name is 64 characters.
4. In the DUID text box, type the DHCPv6 Client DUID.
5. Click OK.
Enable Rapid Commit
To get IPv6 addresses from a server, the DHCPv6 client can use a rapid two-message exchange (solicit, reply) or a four-message exchange (solicit, advertise, request, reply). By default, the DHCPv6 client uses the four-message exchange. To use the two-message exchange, you must enable the Rapid Commit option on the XTM device and on the client. Select the Rapid Commit check box to enable the DHCP server to use the rapid two-message exchange to assign an IP address.
Configure IPv6 Address Lifetimes
The IPv6 lifetime settings control the length of time an assigned IPv6 address remains valid and the length of time the address is preferred. To change the default lifetime settings, change the values for Valid Lifetime and Preferred Lifetime. The Valid Lifetime must be greater than or equal to the Preferred Lifetime.
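The following Python script is an added example, not part of this guide or of the Fireware XTM software. It checks a planned DHCPv6 configuration against the rules stated in Configure an IPv6 DHCP Server and the sections that follow: the address pool must lie in the same prefix as an IPv6 address configured on the interface, the special-purpose ranges listed above are rejected (addresses that start with 2002 unless they embed a valid IPv4 address in bits 17-48, FE80 link-local, FEC0 site-local), reservation names follow the stated character and length rules, and the Valid Lifetime must be at least the Preferred Lifetime. The sample interface address, pool, DUID, and lifetimes are constructed. Two points are assumptions of this example rather than statements of the guide: "valid IPv4 address" is taken to mean a globally routable one, and a DUID is assumed to be typed as colon-separated hex bytes and is checked only for a type code defined in RFC 8415.

```python
import ipaddress
from typing import List

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")   # contains every address that starts with FE80
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")   # contains every address that starts with FEC0
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # 6to4: bits 17-48 carry an IPv4 address
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}  # RFC 8415 type codes

# Constructed sample values for the demonstration at the bottom.
SAMPLE_INTERFACE_ADDRESSES = ["2001:db8:1::1/64"]
SAMPLE_POOL = ("2001:db8:1::100", "2001:db8:1::1ff")
SAMPLE_DUID = "00:01:00:01:2a:1b:3c:4d:00:11:22:33:44:55"


def special_purpose_reason(address: str) -> str:
    """Why the address cannot be used in the DHCPv6 configuration, or '' if it can."""
    addr = ipaddress.IPv6Address(address)
    if addr in LINK_LOCAL:
        return "link-local address (starts with FE80)"
    if addr in SITE_LOCAL:
        return "site-local address (starts with FEC0)"
    if addr in SIX_TO_FOUR:
        embedded = addr.sixtofour  # the IPv4 address held in bits 17-48
        # Assumption of this example: "valid IPv4 address" means a globally routable one.
        if embedded is None or not embedded.is_global:
            return f"2002:: address whose embedded IPv4 address {embedded} is not valid"
    return ""


def validate_pool(interface_addresses: List[str], start: str, end: str) -> List[str]:
    """Check a DHCPv6 address range against the interface's configured IPv6 addresses."""
    problems: List[str] = []
    first, last = ipaddress.IPv6Address(start), ipaddress.IPv6Address(end)
    if last < first:
        problems.append("ending address is lower than starting address")
    for label, addr in (("starting", first), ("ending", last)):
        reason = special_purpose_reason(str(addr))
        if reason:
            problems.append(f"{label} address is a {reason}")
    # Both ends must be in the same prefix range as an IPv6 address configured on the interface.
    networks = [ipaddress.IPv6Interface(a).network for a in interface_addresses]
    if not any(first in n and last in n for n in networks):
        problems.append("range is not in the prefix of an IPv6 address configured on the interface")
    return problems


def valid_reservation_name(name: str) -> bool:
    """No leading or trailing '.' or '-', no '_', and at most 64 characters."""
    return 0 < len(name) <= 64 and name[0] not in ".-" and name[-1] not in ".-" and "_" not in name


def duid_type(duid: str) -> str:
    """Name the DUID type from the first two bytes of a colon-separated hex DUID (assumed input form)."""
    try:
        raw = bytes(int(part, 16) for part in duid.split(":"))
    except ValueError:
        return "invalid"
    if len(raw) < 2:
        return "invalid"
    return DUID_TYPES.get(int.from_bytes(raw[:2], "big"), "unknown")


def valid_lifetimes(valid_lifetime: int, preferred_lifetime: int) -> bool:
    """The Valid Lifetime must be greater than or equal to the Preferred Lifetime."""
    return valid_lifetime >= preferred_lifetime


if __name__ == "__main__":
    print("pool problems:", validate_pool(SAMPLE_INTERFACE_ADDRESSES, *SAMPLE_POOL))
    print("fe80::1 ->", special_purpose_reason("fe80::1"))
    print("2002:a00:1::1 ->", special_purpose_reason("2002:a00:1::1"))
    print(SAMPLE_DUID, "->", duid_type(SAMPLE_DUID))
    print("lifetimes ok:", valid_lifetimes(2592000, 604800))
```

The fe80::/10 and fec0::/10 networks are the full link-local and site-local ranges; they include every address that starts with FE80 or FEC0, which is how the guide phrases the restriction.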
Configure Per-Interface DHCPv6 DNS Servers
By default, when it is configured as a DHCP server, your XTM device gives out the DNS and WINS server information configured on the Network Configuration > WINS/DNS tab. To specify different information for your device to assign when it gives out IPv6 addresses, you can add DNS servers in the DHCPv6 settings for the interface.
To configure DNS servers:
1. In the DHCP section, select the DNS tab.
2. To change the default DNS domain that the DHCP client appends to unqualified host names, in the Domain Name text box type a domain name.
3. In the text box below the DNS Servers list, type the IPv6 address of a DNS server.
4. Click Add.
You can add the IP addresses of up to three DNS servers.
Configure DHCPv6 SIP Servers
You can add the IPv6 addresses or domain name of SIP servers to your DHCPv6 server configuration. This enables the DHCPv6 server to provide the SIP server domain name or SIP server IP addresses to SIP clients that request them. You can specify a SIP server domain name, and up to three IP addresses.
To configure SIP servers:
1. In the DHCP section, select the DNS tab.
2. To specify the SIP server domain, type the domain name in the SIP Domain Name text box.
3. To specify a SIP server IP address, in the text box below the SIP Servers list, type the IPv6 address of a SIP server.
4. Click Add to add the IP address to the list.
Configure a Custom Interface
A custom interface enables you to define a custom security zone that is separate from the predefined trusted, optional, and external zones. A custom interface is not a member of the built-in aliases Any-Trusted, Any-Optional, or Any-External. Because a custom interface is not included in the built-in aliases, traffic for a custom interface is not allowed through the XTM device unless you specifically configure policies to allow it.
To configure a custom interface, the device must use Fireware XTM v11.9 or higher.
You can configure a physical interface, wireless interface, Bridge, VLAN, or Link Aggregation interface as a custom interface. When you configure an interface as a custom interface, the network settings you can configure are the same as for a trusted or optional interface.
These examples show how you can use a custom interface:
Example 1 - Create a wireless guest network on an XTM wireless device
To enable a wireless network for guest users, you can configure an access point in the Custom zone and use the wireless interface alias in policies that you want to handle traffic from wireless clients. For example, to set up Access Point 1 on an XTM wireless device as a guest network:
• In the Wireless Access Point 1 configuration, set the Interface Type to Custom, and configure the network settings.
• Use the alias WG-Wireless-Access-Point1 in the policies you want to handle traffic for connected wireless clients.
Example 2 - Create a security zone with a level of trust different from Trusted or Optional
If you already have trusted and optional networks, and you want to configure a third internal security zone, you can configure one or more interfaces or wireless access points as Custom. You can then add these custom interfaces to a new alias. Use the new alias in policies that you want to handle traffic from this network.
For example, to create a Semi-Trusted security zone that includes both wired and wireless networks:
• Configure interfaces 1 and 2 as Custom and configure the network settings.
• Configure Access Point 1 and Access Point 2 as Custom and configure the network settings.
• Create a new alias, Semi-Trusted, that includes the two custom interfaces, and the two custom access points as members.
• Use the Semi-Trusted alias in policies you want to handle traffic for clients connected to any of these networks.
For more information about aliases, see About Aliases.
To configure a physical interface as a custom network interface:
1. Select Network > Interfaces.
The Network Interfaces dialog box appears.
2. Select an interface and click Configure.
The Interface Configuration dialog box appears.
3. In the Interface Name (Alias) text box, you can use the default name or change it to one that more closely reflects your own network.
Make sure the name is unique among interface names, and is not used for any Mobile VPN group names or tunnel names. You can use this alias with other features, such as proxy policies, to manage network traffic for this interface.
4. (Optional) In the Interface Description text box, type a description of the interface.
5. From the Interface Type drop-down list, select Custom.
6. In the IP Address text box, type the IPv4 address in slash notation. For information about IP addresses to use for trusted and optional networks, see About Private IP Addresses.
7. Configure other interface settings.
• For information about how to automatically assign IPv4 addresses to clients that connect to a trusted or optional interface, see Configure IPv4 DHCP in Mixed Routing Mode on page 154 or Configure DHCP Relay on page 179.
• For information about how to use more than one IPv4 address on a single physical network interface, see Add a Secondary Network IP Address on page 182.
• For information about how to configure an interface to use an IPv6 address, see Enable IPv6 for a Trusted or Optional Interface.
8. Click Save.
To configure a wireless, VLAN, Bridge, or Link Aggregation interface as a custom interface, set the Interface Type to Custom, and configure all other settings as you would for a trusted or optional interface.
After you configure an interface as a custom interface, you must configure policies to allow traffic to and from the interface. You can edit the existing policies or create new policies that use the custom interface name. Or, you can create a new alias that includes multiple custom interfaces, and then use that custom alias in policies. For more information about aliases, see About Aliases.
About the Dynamic DNS Service
You can register the external IP address of your XTM device with the dynamic Domain Name System (DNS) service DynDNS.org. A dynamic DNS service makes sure that the IP address attached to your domain name changes when your ISP gives your device a new IP address. This feature is available in either mixed routing or drop-in network configuration mode.
If you use this feature, your XTM device gets the IP address of members.dyndns.org when it starts up. It makes sure the IP address is correct every time it restarts and at an interval of every twenty days. If you make any changes to your DynDNS configuration on your XTM device, or if you change the IP address of the default gateway, it updates DynDNS.com immediately.
For more information on the Dynamic DNS service or to create a DynDNS account, go to
http://www.dyndns.com.
WatchGuard is not affiliated with DynDNS.com.
Configure Dynamic DNS
1. Select Network > Dynamic DNS.
The Dynamic DNS client page appears.
2. Select a network interface, then click Configure.
The Dynamic DNS configuration page appears.
3. Select the Enable Dynamic DNS for interface check box.
4. Type the User Name, Password, and Domain name you used to set up your dynamic DNS account.
5. From the Server Type drop-down list, select the system to use for Dynamic DNS:
• dyndns - Sends updates for a Dynamic DNS host name. Use the dyndns option when you have no control over your IP address (for example, it is not static, and it changes on a regular basis).
• custom - Sends updates for a custom DNS host name. This option is frequently used by businesses that pay to register their domain with dyndns.com.
For an explanation of each option, see http://www.dyndns.com/services/.
6. In the Options text box, type one or more of these options:
• mx=mailexchanger& - Specifies a Mail eXchanger (MX) for use with the hostname.
• backmx=YES|NO& - Requests that the MX in the previous parameter is set up as a backup MX (includes the host as an MX with a lower preference value).
• wildcard=ON|OFF|NOCHG& - Enables or disables wildcards for this host (ON to enable).
• offline=YES|NO - Sets the hostname to offline mode.
One or more options can be chained together with the ampersand character. For example:
&mx=backup.kunstlerandsons.com&backmx=YES&wildcard=ON
For more information, see http://www.dyndns.com/developers/specs/syntax.html.
7. In the Forced Update text box, you can set a time interval to force an update of the IP address.
8. Click Save.
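The following Python helper is an added example; it is not part of this guide, of the Fireware XTM software, or of DynDNS. It builds and parses the Options string described in Step 6, enforcing the ampersand chaining and the value sets the guide lists for backmx, wildcard, and offline, checking that the mx value looks like a host name, and requiring an mx option whenever backmx is present (because backmx refers to the MX in the previous parameter). The host-name pattern (dot-separated labels of letters, digits, and hyphens) is this example's own simplification, and the mail.example.com value is constructed.

```python
import re
from typing import Dict

# Values the guide lists for each option; mx takes a host name instead of a fixed value.
ALLOWED_VALUES = {
    "backmx": {"YES", "NO"},
    "wildcard": {"ON", "OFF", "NOCHG"},
    "offline": {"YES", "NO"},
}
# Simplified host-name check for the mx= value (this example's own rule): dot-separated labels of
# letters, digits and hyphens, with no label starting or ending with a hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def parse_options(options: str) -> Dict[str, str]:
    """Parse a chained options string such as '&mx=host&backmx=YES&wildcard=ON' into a dict."""
    result: Dict[str, str] = {}
    for pair in options.strip("&").split("&"):
        if not pair:
            continue  # tolerate a doubled ampersand
        if "=" not in pair:
            raise ValueError(f"option {pair!r} is not in key=value form")
        key, value = pair.split("=", 1)
        if key == "mx":
            if not HOSTNAME_RE.match(value):
                raise ValueError(f"mx value {value!r} is not a host name")
        elif key in ALLOWED_VALUES:
            if value not in ALLOWED_VALUES[key]:
                raise ValueError(f"{key} must be one of {sorted(ALLOWED_VALUES[key])}, not {value!r}")
        else:
            raise ValueError(f"unknown option {key!r}")
        if key in result:
            raise ValueError(f"option {key!r} appears more than once")
        result[key] = value
    # backmx refers to "the MX in the previous parameter", so it needs an mx= option.
    if "backmx" in result and "mx" not in result:
        raise ValueError("backmx requires an mx option")
    return result


def build_options(**options: str) -> str:
    """Serialise options in the chained form the guide shows, validating them first."""
    text = "&".join(f"{key}={value}" for key, value in options.items())
    parse_options(text)  # raises ValueError for anything outside the documented syntax
    return f"&{text}" if text else ""


if __name__ == "__main__":
    # The guide's own example string, then a constructed one built from keyword arguments.
    print(parse_options("&mx=backup.kunstlerandsons.com&backmx=YES&wildcard=ON"))
    print(build_options(mx="mail.example.com", backmx="NO", offline="NO"))
```

Paste the string that build_options returns into the Options text box; parse_options raises a ValueError with the reason for any string the documented syntax does not allow.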
Drop-In Mode
In a drop-in configuration, your XTM device is configured with the same IP address on all interfaces. The drop-in configuration mode distributes the network's logical address range across all available network interfaces. You can put your XTM device between the router and the LAN and not have to change the configuration of any local computers. This configuration is known as drop-in mode because your XTM device is dropped in to a previously configured network.
In drop-in mode:
• The same primary IP address is assigned to all interfaces on your XTM device (external, trusted, optional, and custom).
• You can assign secondary networks on any interface.
• Dynamic routing (OSPF, BGP, or RIP) is not supported.
• Built-in wireless networking on Firebox or XTM wireless devices is not supported (Fireware XTM v11.9 and higher).
• You can keep the same IP addresses and default gateways for hosts on your trusted and optional networks, and add a secondary network address to the primary external interface so your XTM device can correctly send traffic to the hosts on these networks.
• The public servers behind your XTM device can continue to use public IP addresses. Network address translation (NAT) is not used to route traffic from outside your network to your public servers.
The properties of a drop-in configuration are:
• You must assign and use a static IP address on the external interface.
• You use one logical network for all interfaces.
• You cannot configure more than one external interface when your XTM device is configured in drop-in mode. Multi-WAN functionality is automatically disabled.
It is sometimes necessary to clear the ARP cache of each computer protected by the XTM device, but this is not common.
If you move an IP address from a computer located behind one interface to a computer located behind a different interface, it can take several minutes before network traffic is sent to the new location. Your XTM device must update its internal routing table before this traffic can pass. Traffic types that are affected include logging, SNMP, and XTM device management connections.
You can configure your network interfaces with drop-in mode when you run the Quick Setup Wizard. If you have already created a network configuration, you can use Policy Manager to switch to drop-in mode. For more information, see Run the Web Setup Wizard on page 29.
Use Drop-In Mode for Network Interface Configuration
1. Select Network > Interfaces.
The Network Interfaces dialog box appears.
2. From the Configure Interfaces in drop-down list, select Drop-In Mode.
3. In the IP Address text box, type the IP address you want to use as the primary address for all interfaces on your XTM device.
4. In the Gateway text box, type the IP address of the gateway. This IP address is automatically added to the Related Hosts list.
5. Click Save.
Configure Related Hosts
In a drop-in or bridge configuration, the XTM device is configured with the same IP address on each interface. Your XTM device automatically discovers new devices that are connected to these interfaces and adds each new MAC address to its internal routing table. If you want to configure device connections manually, or if the Automatic Host Mapping feature does not operate correctly, you can add a related hosts entry. A related hosts entry creates a static route between the host IP address and one network interface. We recommend that you disable Automatic Host Mapping on interfaces for which you create a related hosts entry.
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Configure network interfaces in drop-in or bridge mode. Click Properties.
The Drop-In Mode Properties page appears.
3. Clear the check box for any interface for which you want to add a related hosts entry.
4. In the Host text box, type the IP address of the device for which you want to build a static route from the XTM device. Select the Interface from the adjacent drop-down list, then click Add.
Repeat this step to add additional devices.
5. At the top of the page, click Return.
6. Click Save.
Configure DHCP in Drop-In Mode
When you use drop-in mode for network configuration, you can optionally configure the XTM device as a DHCP server for the networks it protects, or make the XTM device a DHCP relay agent. If you have a configured DHCP server, we recommend that you continue to use that server for DHCP.
Use DHCP
When you use drop-in mode for network configuration, you can optionally configure the XTM device as a DHCP server for networks it protects, or make the XTM device a DHCP relay agent. If you have a configured DHCP server, we recommend that you continue to use that server for DHCP.
By default, your XTM device gives out the configured DNS/WINS server information when it is configured as a DHCP server. You can configure DNS/WINS information on this page to override the global configuration. For more information, see the instructions in Add WINS and DNS Server Addresses on page 180.
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. If your XTM device is not already configured in drop-in mode, from the Configure Interfaces in drop-down list select Drop-In Mode.
3. Click Properties.
4. Select the DHCP Settings tab.
5. From the drop-down list, select DHCP Server.
The DHCP configuration settings appear.
6. To change the DHCP lease time, select a different option in the Leasing Time drop-down list.
7. To add an address pool from which your XTM device can give out IP addresses, in the Address Pool section:
• Click Add.
• In the Starting IP and Ending IP text boxes, type a range of IP addresses that are on the same subnet as the drop-in IP address.
You can configure a maximum of six address pools.
• Click OK.
8. To reserve a specific IP address from an address pool for a device or client, in the Reserved Addresses section:
• Click Add.
• Type a Reservation Name to identify the reservation.
• Type the Reserved IP address you want to reserve.
• Type the MAC address for the device.
• Click OK.
Repeat this step to add more DHCP reservations.
9. If necessary, Add WINS and DNS Server Addresses.
10. At the top of the page, click Return.
11. Click Save.
Configure DHCP Options
There are three configurable DHCP options. Many VoIP phones use these DHCP options to download their boot configuration. The DHCP options are:
• TFTP Server IP (Option 150) - The IP address of the TFTP server where the DHCP client can download the boot configuration.
• TFTP Server Name (Option 66) - The name of the TFTP server where the DHCP client can download the boot configuration. This option is supported only for devices that use Fireware XTM v11.7.4 and higher.
• TFTP Boot Filename (Option 67) - The name of the boot file.
Options 66 and 67 are described in RFC 2132. Option 150 is used by Cisco IP phones.
To configure these options in the DHCP Options section:
1. In the TFTP Server IP text box, type the IP address of the TFTP server.
2. In the TFTP Server Name text box, type the name of the TFTP server.
3. In the TFTP Boot Filename text box, type the name of the boot file on the TFTP server.
Use DHCP Relay
To configure DHCP relay for an XTM device in drop-in mode:
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Click Properties.
3. Select the DHCP Settings tab.
4. From the drop-down list, select Use DHCP Relay.
5. Type the IP address of the DHCP server in the related field. Make sure to Add a Static Route to the DHCP server, if necessary.
6. At the top of the page, click Return.
7. Click Save.
Specify DHCP Settings for a Single Interface
You can specify different DHCP settings for each trusted or optional interface in your configuration. To modify these settings:
1. On the Network > Interfaces page, select an interface.
2. Click Edit.
3. To use the same DHCP settings that you configured for drop-in mode, select Use System DHCP Setting.
To disable DHCP for clients on that network interface, select Disable DHCP.
To configure different DHCP options for clients on a secondary network, select Use DHCP Server for Secondary Network.
To configure DHCP relay for clients on a secondary network, select Use DHCP Relay for Secondary Network. Specify the IP address of the DHCP server to use for the secondary network.
4. To add IP address pools, set the default lease time, and manage DNS/WINS servers, complete Steps 3-6 of the Use DHCP section.
5. To configure DHCP options for a secondary network, complete the steps in the Configure DHCP Options section.
6. Click OK.
Bridge Mode
Bridge mode is a feature that allows you to install your XTM device between an existing network and its gateway to filter or manage network traffic. When you enable this feature, your XTM device processes and forwards all network traffic to other gateway devices. When the traffic arrives at a gateway from the XTM device, it appears to have been sent from the original device.
To use bridge mode, you must specify an IP address that is used to manage your XTM device. The device also uses this IP address to receive security services signature updates and to route traffic to internal DNS, NTP, or WebBlocker servers. Because of this, make sure you assign an IP address that is routable on the Internet.
In bridge mode, L2 and L3 headers are not changed. If you want traffic on the same physical interface of an XTM device to pass through the device, you cannot use bridge mode. In this case, you must use drop-in or mixed routing mode, and set the default gateway of those computers to be the XTM device itself.
When you use bridge mode, your XTM device cannot complete some functions that require the device to operate as a gateway. These functions include:
• Multi-WAN
• VLANs (Virtual Local Area Networks)
• Network bridges
• Static routes
• FireCluster
• Secondary networks
• DHCP server or DHCP relay
• Modem failover
• 1-to-1, dynamic, or static NAT
• Dynamic routing (OSPF, BGP, or RIP)
• Any type of VPN for which the XTM device is an endpoint or gateway
• Some proxy functions, including HTTP Web Cache Server
• Authentication automatic redirect
• Management of an AP device
If you have previously configured these features or services, they are disabled when you switch to bridge mode. To use these features or services again, you must use a different network mode. If you return to drop-in or mixed routing mode, you might have to configure some features again.
When you enable bridge mode, any interfaces with a previously configured network bridge or VLAN are disabled. To use those interfaces, you must first change to either drop-in or mixed routing mode, and configure the interface as External, Optional, or Trusted, then return to bridge mode. Wireless features on XTM wireless devices operate correctly in bridge mode.
When you configure your XTM device in Bridge Mode, the LCD display on your XTM device shows the IP address of the bridged interfaces as 0.0.0.0. This is expected behavior.
To use a network bridge on an XTMv virtual machine on ESXi, you must enable promiscuous mode on the attached virtual switch (vSwitch) in VMware. You cannot use a network bridge on an XTMv virtual machine on Hyper-V, because Hyper-V virtual switches do not support promiscuous mode.
Enable Bridge Mode
To configure the XTM device in bridge mode:
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. From the Configure Interfaces In drop-down list, select Bridge Mode.
3. If you are prompted to disable interfaces, click Yes to disable the interfaces, or No to return to your previous configuration.
4. Type the IP Address of your XTM device in slash notation.
For more information on slash notation, see About Slash Notation on page 5.
5. Type the Gateway IP address that receives all network traffic from the device.
6. Click Save.
Allow Management Access from a VLAN
When you configure an XTM device in bridge mode, you cannot configure VLANs on the XTM device. But the XTM device can pass VLAN tagged traffic between 802.1Q bridges or switches. You can optionally configure the XTM device to be managed from a VLAN that has a specified VLAN tag.
To enable management from a VLAN for a device in bridge mode:
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select the Allow VLAN tag for management access check box.
3. Type or select the VLAN ID you want to allow to connect to the device for management access.
4. Click Save.
Common Interface Settings
When the XTM device is in mixed routing mode, you can configure it to send network traffic between a wide variety of physical and virtual network interfaces. Mixed routing mode is the default network mode and offers the greatest amount of flexibility for different network configurations. However, you must configure each interface separately, and you might need to change network settings for each computer or client protected by your XTM device.
For all of the supported network modes, you can configure common settings for each interface. The interface configuration options available depend on the network mode and interface type.
To configure a network interface:
1. Select Network > Interfaces.
2. Select an interface and click Edit.
The Interface Configuration dialog box appears.
3. In the Interface Name (Alias) text box, you can use the default name or change it to one that more closely reflects your own network and its own trust relationships.
Make sure the name is unique among interface names, as well as all Mobile VPN group names and tunnel names. You can use this alias with other features, such as proxy policies, to manage network traffic for this interface.
4. (Optional) In the Interface Description text box, type a description of the interface.
5. From the Interface Type drop-down list, select the value of the interface type: External, Trusted, Optional, Bridge, VLAN, Link Aggregation, or Disabled. Some interface types have additional settings.
6. Configure the interface settings.
• To set the IP address of a trusted or optional interface, type the IP address in slash notation.
• For information about IP addresses to use for trusted and optional networks, see About Private IP Addresses.
• For information about how to assign an IPv4 address to an external interface for a device in mixed routing mode, see Configure an External Interface on page 144.
• To automatically assign IPv4 addresses to clients that connect to a trusted or optional interface, see Configure IPv4 DHCP in Mixed Routing Mode on page 154 or Configure DHCP Relay on page 179.
• To use more than one IP address on a single physical network interface, see Add a Secondary Network IP Address on page 182.
• To configure an interface to use an IPv6 address for a device in mixed routing mode, see Enable IPv6 for an External Interface and Enable IPv6 for a Trusted or Optional Interface.
• For information about how to configure a network bridge, see Create a Network Bridge Configuration.
• For information about VLAN configuration, see Assign Interfaces to a VLAN.
• For more information about Link Aggregation, see About Link Aggregation.
• To disable an interface from your configuration, see Disable an Interface on page 179.
7. Click Save.
Disable an Interface
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select the interface you want to disable. Click Edit.
The Interface Configuration page appears.
3. From the Interface Type drop-down list, select Disabled. Click Save.
In the Network Interfaces page, the interface now appears as type Disabled.
Configure DHCP Relay
One way to get IP addresses for the computers on the trusted or optional networks is to use a DHCP server on a different network. You can use DHCP relay to get IP addresses for the computers on the trusted or optional network. With this feature, the XTM device sends DHCP requests to a server on a different network.
If the DHCP server you want to use is not on a network protected by your XTM device, you must set up a branch office VPN tunnel between your XTM device and the network where the DHCP server is for this feature to operate correctly.
To configure DHCP relay:
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select a trusted or an optional interface and click Configure.
3. From the drop-down list at the bottom of the page, select Use DHCP Relay.
4. Type the IP address of the DHCP server in the related field. Make sure to Add a Static Route to the DHCP server, if necessary. The DHCP server can be on the network at the remote end of a branch office VPN tunnel.
Restrict Network Traffic by MAC Address
You can use a list of MAC addresses to manage which devices are allowed to send traffic on the network interface you specify. When you enable this feature, your XTM device checks the MAC address of each computer or device that connects to the specified interface. If the MAC address of that device is not on the MAC Access Control list for that interface, the device cannot send traffic.
This feature is especially helpful to prevent any unauthorized access to your network from a location within your office. However, you must update the MAC Address Control list for each interface when a new, authorized computer is added to the network.
If you choose to restrict access by MAC address, you must include the MAC address for the computer you use to administer your XTM device.
To enable MAC Access Control for a network interface:
1. Select Network > Interfaces.
2. Select the interface on which you want to enable MAC Access Control, then click Edit.
3. Select the MAC Access Control tab.
4. Select the Restrict access by MAC address check box.
5. Click Add.
6. Type the MAC address of the computer or device to give it access to the specified interface.
7. (Optional) Type a Name for the computer or device to identify it in the list.
8. Click OK.
Repeat Steps 5–8 to add more computers or devices to the MAC Access Control list.
Add WINS and DNS Server Addresses
Your XTM device shares Windows Internet Name Server (WINS) and Domain Name System (DNS) server IP addresses for some features. These features include DHCP and Mobile VPN. The WINS and DNS servers must be accessible from the XTM device trusted interface.
This information is used for two purposes:
• The XTM device uses the DNS server to resolve names to IP addresses for IPSec VPNs and for the spamBlocker, Gateway AV, and IPS features to operate correctly.
• The WINS and DNS entries are used by DHCP clients on the trusted or optional networks, and by Mobile VPN users to resolve DNS queries.
Mobile VPN clients use only the first two DNS servers.
Make sure that you use only an internal WINS and DNS server for DHCP and Mobile VPN. This is to make sure that you do not create policies with configuration properties that make it difficult for your users to connect to the DNS server.
1. Select Network > Interfaces.
The Interfaces configuration page appears.
2. (Optional) In the Domain Name text box, type a domain name that a DHCP client appends to unqualified host names.
3. In the DNS Server or WINS Server text box, type the primary and secondary address for each DNS or WINS server.
4. Click Add.
5. (Optional) Repeat Steps 2–3 to specify up to three DNS servers.
6. Click Save.
The XTM device uses the WINS and DNS servers that you configure here unless you configure a different WINS/DNS server elsewhere.
• You can specify different WINS and DNS servers in the Mobile VPN with SSL settings. For more information, see Configure the XTM Device for Mobile VPN with SSL.
• You can specify different WINS and DNS servers when you configure an interface to use the XTM device as a DHCP server. For more information, see Configure IPv4 DHCP in Mixed Routing Mode.
Add a Secondary Network IP Address
When you configure an XTM device interface, you can add secondary network IP addresses to the interface. Each IP address you add can be on the same subnet or on a different subnet from the primary IP address of the interface.
Secondary network IP address on the same subnet
For an internal interface, you can use a secondary IP address on the same subnet if an internal host must use that IP address as its default gateway.
For an external interface, a common reason to use a secondary IP address on the same subnet is when you want to forward traffic to multiple internal servers. When outgoing traffic, such as traffic from an SMTP server, must appear to come from the same secondary IP address, use the policy-based dynamic NAT Set source IP option in an outgoing policy.
For an example of this type of configuration, see the configuration example Use NAT for Public Access to Servers with Private IP Addresses, available at http://www.watchguard.com/help/configuration-examples/.
For more information about policy-based dynamic NAT, see Configure Policy-Based Dynamic NAT.
Secondary network IP address on a different subnet
If the secondary IP address is on a different subnet from the primary IP address of the interface, it tells the XTM device that there is one more network on the XTM device interface. When you add a secondary network on a different subnet, the XTM device creates a route from any IP address on the secondary network to the IP address of the XTM device interface.
For an external interface, you would use a secondary network on a different subnet if your ISP gives you multiple IP addresses on different subnets, and the ISP gateway can route traffic to and from the different subnets.
For a trusted or optional interface, you would define a secondary network on a different subnet when you want to connect the interface to more than one internal network. An example is described in the subsequent section.
If you configure an XTM device in drop-in mode, each XTM device interface uses the same primary IP address. However, you probably use a different set of IP addresses on your trusted network. You can add this private network as a secondary network to the trusted interface of your XTM device.
For you to configure a secondary network IP address for an interface, your XTM device must use a routed or drop-in network configuration. You can add secondary network IP addresses to an external interface of an XTM device even if that external interface is configured to get its primary IP address through PPPoE or DHCP.
Configure a Secondary Network
Use these steps to add a secondary network. In this example, the secondary network is on a trusted interface.
To define a secondary network address, you must have an unused IP address on the secondary network to assign to the XTM device interface.
To define a secondary network:
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select the interface for the secondary network and click Edit.
3. Select the Secondary tab.
4. Type an unassigned host IP address in slash notation from the secondary network. Click Add.
Repeat this step to add additional secondary networks.
5. Click Save.
Make sure to add secondary network addresses correctly. The XTM device does not tell you if the address is correct. We recommend that you do not create a subnet as a secondary network on one interface that is a component of a larger network on a different interface. If you do this, the XTM device could identify this traffic as spoofing a network that it expects to exist on another interface, and the network could fail to operate correctly. The XTM device might not ARP to the same network on multiple interfaces (with the exception of drop-in mode, bridged interfaces, and bridged VLANs).
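Because the device does not validate the address for you, the checks this procedure and the warning above call for are worth running before you click Add. The following is an added Python example, not code from the guide or from Fireware: it classifies a candidate secondary address as same-subnet or different-subnet, rejects network and broadcast addresses, and flags a secondary subnet that overlaps a network already on a different interface. The interface table, its addresses, and the function name are constructed, and the overlap test assumes mixed routing mode, where the warning applies (drop-in mode and bridged interfaces are exempt).

```python
import ipaddress

# Constructed interface table for the example: interface name -> primary IP address in
# slash notation. These addresses are hypothetical and not from the guide.
INTERFACES = {
    "External": "203.0.113.2/24",
    "Trusted": "10.0.1.1/24",
    "Optional": "10.0.2.1/24",
}


def classify_secondary(interface_name, secondary, interfaces=INTERFACES):
    """Check a secondary network IP address before it is added to an interface.

    Returns (kind, network) where kind is "same-subnet" when the address lies in the
    interface's primary subnet (no new route is created), or "different-subnet" when it
    adds a new network, and therefore a new route, to the interface. The network is
    returned in slash notation. Raises ValueError for the cases the guide warns against.
    """
    primary = ipaddress.ip_interface(interfaces[interface_name])
    candidate = ipaddress.ip_interface(secondary)

    if candidate.version != primary.version:
        raise ValueError("secondary address must use the same IP version as the primary")

    # The guide requires an unused host address on the secondary network; the network
    # address itself and the broadcast address can never be assigned to the device.
    # (Skipped for /31 and /32 style prefixes, where every address is a host address.)
    if candidate.network.num_addresses > 2 and candidate.ip in (
            candidate.network.network_address, candidate.network.broadcast_address):
        raise ValueError(f"{candidate.ip} is not a host address on {candidate.network}")

    if candidate.ip == primary.ip:
        raise ValueError(f"{candidate.ip} is already the primary address of {interface_name}")

    # Guide warning: a secondary subnet must not be a component of a network that the
    # device expects on a different interface, or its traffic may be treated as spoofed.
    for other_name, other_addr in interfaces.items():
        if other_name == interface_name:
            continue
        other_net = ipaddress.ip_interface(other_addr).network
        if other_net.version == candidate.version and candidate.network.overlaps(other_net):
            raise ValueError(
                f"{candidate.network} overlaps {other_net}, which is on interface {other_name}")

    if candidate.ip in primary.network:
        return ("same-subnet", str(primary.network))
    return ("different-subnet", str(candidate.network))
```

With the table above, 10.0.1.254/24 on Trusted is a same-subnet secondary, 192.168.50.1/24 is a different-subnet secondary, and 10.0.2.77/24 or 10.0.0.1/8 on Trusted is rejected because it overlaps the Optional network.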
About Advanced Interface Settings
You can use several advanced settings for XTM device interfaces:
Network Interface Card (NIC) Settings
Configures the speed and duplex parameters for XTM device interfaces to automatic or manual configuration. We recommend you keep the link speed configured for automatic negotiation. If you use the manual configuration option, you must make sure the device the XTM device connects to is also manually set to the same speed and duplex parameters as the XTM device. Use the manual configuration option only when you must override the automatic XTM device interface parameters to operate with other devices on your network.
Set Outgoing Interface Bandwidth
When you use Traffic Management settings to guarantee bandwidth to policies, this setting makes sure that you do not guarantee more bandwidth than actually exists for an interface. This setting also helps you make sure the sum of guaranteed bandwidth settings does not fill the link such that non-guaranteed traffic cannot pass.
Enable QoS Marking for an Interface
Creates different classifications of service for different kinds of network traffic. You can set the default marking behavior as traffic goes out of an interface. These settings can be overridden by settings defined for a policy.
Set DF Bit for IPSec
Determines the setting of the Don't Fragment (DF) bit for IPSec.
PMTU Setting for IPSec
(External interfaces only) Controls the length of time that the XTM device lowers the MTU for an IPSec VPN tunnel when it gets an ICMP Request to Fragment packet from a router with a lower MTU setting on the Internet.
Use Static MAC Address Binding
Uses computer hardware (MAC) addresses to control access to an XTM device interface.
Network Interface Card (NIC) Settings
1. Select Network > Interfaces.
2. Select the interface you want to configure. Click Edit.
3. Click Advanced General Settings.
4. In the Link Speed drop-down list, select Auto Negotiate if you want the XTM device to select the best network speed. You can also select one of the half-duplex or full-duplex speeds that you know is compatible with your other network equipment.
Auto Negotiate is the default setting. We strongly recommend that you do not change this setting unless instructed to do so by Technical Support. If you set the link speed manually and other devices on your network do not support the speed you select, this can cause a conflict that does not allow your XTM device interface to reconnect after failover.
5. In the MTU text box, specify the maximum packet size, in bytes, that can be sent through the interface. We recommend that you use the default, 1500 bytes, unless your network equipment requires a different packet size.
You can set the MTU from a minimum of 68 to a maximum of 9000.
For XTM 5 Series models, interface 0 supports a maximum MTU of 1500.
6. To change the MAC address of the external interface, select the Override MAC Address check box and type the new MAC address.
For more information about MAC addresses, see the subsequent section.
7. Click Save.
About MAC Addresses
Some ISPs use a MAC address to identify the computers on their network. Each MAC address gets one static IP address. If your ISP uses this method to identify your computer, then you must change the MAC address of the XTM device external interface. Use the MAC address of the cable modem, DSL modem, or router that connected directly to the ISP in your original configuration.
The MAC address must have these properties:
• The MAC address must use 12 hexadecimal characters. Hexadecimal characters have a value between 0 and 9 or between a and f.
• The MAC address must operate with:
  ◦ One or more addresses on the external network.
  ◦ The MAC address of the trusted network for the device.
  ◦ The MAC address of the optional network for the device.
• The MAC address must not be set to 000000000000 or ffffffffffff.
If the Override MAC Address check box is not selected when the XTM device is restarted, the device uses the default MAC address for the external network.
To avoid problems with MAC addresses, the XTM device makes sure that the MAC address you assign to the external interface is unique on your network. If the XTM device finds a device that uses the same MAC address, the XTM device changes back to the standard MAC address for the external interface and starts again.
Set DF Bit for IPSec
When you configure the external interface, select one of the three options to determine the setting for the Don't Fragment (DF) bit for IPSec section.
Copy
Select Copy to apply the DF bit setting of the original frame to the IPSec encrypted packet. If a frame does not have the DF bits set, Fireware XTM does not set the DF bits and fragments the packet if needed. If a frame is set to not be fragmented, Fireware XTM encapsulates the entire frame and sets the DF bits of the encrypted packet to match the original frame.
Set
Select Set if you do not want your XTM device to fragment the frame regardless of the original bit setting. If a user must make IPSec connections to an XTM device from behind a different XTM device, you must clear this check box to enable the IPSec pass-through feature. For example, if mobile employees are at a customer location that has an XTM device, they can make IPSec connections to their network with IPSec. For your local XTM device to correctly allow the outgoing IPSec connection, you must also add an IPSec policy.
Clear
Select Clear to break the frame into pieces that can fit in an IPSec packet with the ESP or AH header, regardless of the original bit setting.
PMTU Setting for IPSec
This advanced interface setting applies to external interfaces only.
The Path Maximum Transmission Unit (PMTU) setting controls the length of time that the XTM device lowers the MTU for an IPSec VPN tunnel when it gets an ICMP Request to Fragment packet from a router with a lower MTU setting on the Internet.
We recommend that you keep the default setting. This can protect you from a router on the Internet with a very low MTU setting.
Use Static MAC Address Binding
You can control access to an interface on your XTM device by computer hardware (MAC) address. This feature can protect your network from ARP poisoning attacks, in which hackers try to change the MAC address of their computers to match a real device on your network. To use MAC address binding, you must associate an IP address on the specified interface with a MAC address. If this feature is enabled, a computer with a specified MAC address can send and receive information only if it uses the associated IP address.
You can also use this feature to restrict all network traffic to devices that match the MAC and IP addresses on this list. This is similar to the MAC access control feature.
For more information, see Restrict Network Traffic by MAC Address on page 179.
If you choose to restrict network access by MAC address binding, make sure that you include the MAC address for the computer you use to administer your XTM device.
To configure the static MAC address binding settings:
1. Select Network > Interfaces. Select an interface, then click Configure.
2. Select the Advanced tab.
3. Adjacent to the Static MAC/IP Address Binding table, click Add.
4. Type an IP address and MAC address pair. Click OK. Repeat this step to add additional pairs.
5. If you want this interface to pass only traffic that matches an entry in the Static MAC/IP Address Binding list, select the Only allow traffic sent from or to these MAC/IP addresses check box.
If you do not want to block traffic that does not match an entry in the list, clear this check box.
If you select the Only allow traffic sent from or to these MAC/IP addresses check box, but do not add any entries to the table, the MAC/IP Address Binding feature does not become active.
Find the MAC Address of a Computer
A MAC address is also known as a hardware address or an Ethernet address. It is a unique identifier specific to the network card in the computer. A MAC address is usually shown in this form: XX-XX-XX-XX-XX-XX, where each X is a digit or letter from A to F. To find the MAC address of a computer on your network:
1. From the command line of the computer whose MAC address you want to find, type ipconfig /all (Windows) or ifconfig (OS X or Linux).
2. Look for the entry for the computer's physical address. This value is the MAC or hardware address for the computer.
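The rules stated in this section, in Use Static MAC Address Binding, and in About MAC Addresses can be checked outside the Web UI. The block below is an added Python example and is not code from the guide or from Fireware: normalize_mac accepts the XX-XX-XX-XX-XX-XX form that ipconfig prints as well as colon-separated and bare forms; is_valid_override_mac applies the properties listed for an Override MAC Address (12 hexadecimal characters, not all zeros, not all f); binding_decision follows the Static MAC/IP Address Binding semantics as the guide states them, including the rule that an empty table leaves the feature inactive; and audit_arp_table compares a host's ARP cache with the binding table to surface the symptom ARP poisoning leaves, a bound IP address answered by a different MAC address. Function names, the binding table, and the ARP cache text are all constructed.

```python
import ipaddress
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Reduce 'XX-XX-XX-XX-XX-XX', 'xx:xx:xx:xx:xx:xx' or 12 bare hex characters to
    12 lowercase hex characters so that addresses from different tools compare equal."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 12-hex-character MAC address: {mac!r}")
    return digits


def is_valid_override_mac(mac):
    """Apply the properties the guide lists for an Override MAC Address: 12 hexadecimal
    characters, and neither 000000000000 nor ffffffffffff."""
    try:
        digits = normalize_mac(mac)
    except ValueError:
        return False
    return digits not in ("000000000000", "ffffffffffff")


def binding_decision(bindings, only_allow_listed, src_ip, src_mac):
    """Decide whether a frame's sender passes Static MAC/IP Address Binding.

    bindings: (ip, mac) pairs as typed into the Static MAC/IP Address Binding table.
    only_allow_listed: state of the 'Only allow traffic sent from or to these MAC/IP
    addresses' check box. Only the sending side of a frame is modelled here.
    Returns "allow" or "block".
    """
    table = {normalize_mac(mac): ipaddress.ip_address(ip) for ip, mac in bindings}
    mac = normalize_mac(src_mac)
    ip = ipaddress.ip_address(src_ip)

    # The guide notes that the feature does not become active while the table is empty,
    # even with the check box selected.
    if not table:
        return "allow"

    # A bound MAC address may send only with its associated IP address.
    if mac in table:
        return "allow" if table[mac] == ip else "block"

    # Senders not in the table are blocked only when the restrictive check box is set.
    return "block" if only_allow_listed else "allow"


# Constructed ARP cache in the layout of Windows 'arp -a'; addresses are hypothetical.
SAMPLE_ARP = """\
Interface: 10.0.1.5 --- 0xb
  Internet Address      Physical Address      Type
  10.0.1.1              00-50-56-c0-00-08     dynamic
  10.0.1.10             00-11-22-33-44-55     dynamic
  10.0.1.20             de-ad-be-ef-00-01     dynamic
  10.0.1.255            ff-ff-ff-ff-ff-ff     static
"""

# Constructed binding table: (IP address, MAC address) pairs.
BINDINGS = [
    ("10.0.1.10", "00-11-22-33-44-55"),
    ("10.0.1.20", "AA:BB:CC:DD:EE:01"),
]

_ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)")


def audit_arp_table(bindings, arp_output):
    """Compare a host's ARP cache against the binding table and report entries whose
    MAC address differs from the bound one. Returns (ip, observed_mac, expected_mac)."""
    expected = {ipaddress.ip_address(ip): normalize_mac(mac) for ip, mac in bindings}
    findings = []
    for line in arp_output.splitlines():
        match = _ARP_LINE.match(line)
        if not match:
            continue
        ip = ipaddress.ip_address(match.group(1))
        observed = normalize_mac(match.group(2))
        if ip in expected and expected[ip] != observed:
            findings.append((str(ip), observed, expected[ip]))
    return findings
```

On the constructed data, audit_arp_table reports 10.0.1.20 answered by de-ad-be-ef-00-01 while the binding says aa-bb-cc-dd-ee-01, and binding_decision blocks a frame from 00-11-22-33-44-55 that carries any source address other than 10.0.1.10.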
About LAN Bridges
A local area network bridge logically combines multiple interfaces to operate as a single network, with a single interface name and IP address. You configure the interface IP address and other interface settings in the bridge configuration, and then configure interfaces as members of the bridge. A bridge must include at least one interface, and can include any combination of physical, wireless, and link aggregation interfaces.
You can configure a bridge in the trusted, optional, or custom security zone. The configuration settings for a bridge are similar to the settings for any other trusted, optional, or custom network interface. For example, you can configure DHCP to give IP addresses to clients on a bridge, or use the bridge name as an alias in firewall policies.
To use a bridge you must assign one or more interfaces to type Bridge. Then you can Create a Network Bridge Configuration.
If you want all of the XTM device interfaces to be on the same network, we recommend that you use bridge mode for your network configuration.
Create a Network Bridge Configuration
To use a network bridge on an XTMv virtual machine on ESXi, you must enable promiscuous mode on the attached virtual switch (vSwitch) in VMware. You cannot use a network bridge on an XTMv virtual machine on Hyper-V, because Hyper-V virtual switches do not support promiscuous mode.
Before You Begin
If you want to change the interface that you use to manage the device to a bridge, make sure the device has at least one other interface that you can use to connect to with the Web UI for management. If you want to use the Web UI to change an interface to a bridge interface, you must connect to a different interface to make this change.
Do not change the interface that you are currently connected to with the Web UI to a bridge interface. This causes you to immediately lose the management connection to the device.
Use these steps to change the trusted or optional interface you use for management to a bridge interface:
1. Configure another trusted or optional interface to use as a temporary management interface.
2. Connect the management computer to the new interface, and log in to the Web UI.
3. Change the original management interface to a bridge interface, and configure a LAN bridge that includes this interface.
4. Connect the management computer to the original management interface.
5. Disable the temporary management interface.
Step 3 is described in more detail in the subsequent sections.
Configure a Bridge Interface
Before you can configure a bridge in the Web UI, you must set one or more physical or wireless interfaces to type Bridge.
To set a physical interface to type Bridge:
1. Select Network > Bridge.
The Bridge page appears. Bridge interfaces are listed at the top of the page.
2. To configure an interface as type Bridge, click Configure.
3. The Network Interfaces page appears.
4. Select the interface you want to use as a bridged interface. We recommend that you select an interface not currently in use.
If you change the interface you used to connect to the Web UI to a bridge interface, you immediately lose your connection to the Web UI, and must use a different configured interface to reconnect.
5. Click Configure.
6. Set the Interface Type to Bridge.
7. Repeat Steps 4 and 5 for each interface you want to bridge.
8. Click Save.
Before you can add a wireless access point (Access Point 1, Access Point 2, or Access Point 3) to a bridge, you must first set the Interface Type in the wireless access point settings to Bridge. For more information, see Enable Wireless Connections (Fireware XTM OS v11.9.x and Later).
Wireless interfaces are numbered ath1, ath2, and ath3. For more information about wireless interface numbers, see About Network Interface Setup.
Create the Bridge
After you configure at least one bridge interface, you can create the bridge.
1. Select Network > Bridge.
The Bridge page appears.
2. Click Add.
3. On the Bridge Settings tab, type a Name and Description (optional) for the bridge configuration.
4. Select a Security Zone from the drop-down list and type an IP Address in slash notation for the bridge.
The bridge is added to the alias of the security zone you specify.
5. To add network interfaces, select the check box adjacent to each network interface you want to add to the bridge configuration.
6. To configure DHCP settings, select the DHCP tab. From the DHCP Mode drop-down list, select DHCP Server or DHCP Relay.
For more information on DHCP configuration, see Configure IPv4 DHCP in Mixed Routing Mode on page 154 or Configure DHCP Relay on page 179.
7. If you want to add secondary networks to the bridge configuration, select the Secondary tab. Type an IP address in slash notation and click Add.
For more information on secondary networks, see Add a Secondary Network IP Address on page 182.
8. To configure a bridge to use IPv6, select the IPv6 tab.
For information about IPv6 settings, see Enable IPv6 for a Trusted or Optional Interface.
9. Click Save.
Assign a Network Interface to a Bridge
To assign additional interfaces to an existing bridge, edit the bridge.
1. Select Network > Bridge.
The Bridge page appears.
2. Select a bridge configuration in the Bridge Settings list, then click Edit.
3. Select the check box next to each network interface that you want to add to the bridge.
4. Click Save.
About Routing
A route is the sequence of devices through which network traffic is sent. Each device in this sequence, usually called a router, stores information about the networks it is connected to inside a route table. This information is used to forward the network traffic to the next router in the route.
Your XTM device automatically updates its route table when you change network interface settings, when a physical network connection fails, or when it is restarted. To update the route table at other times, you must use dynamic routing or add a static route. Static routes can improve performance, but if there is a change in the network structure or if a connection fails, network traffic cannot get to its destination. Dynamic routing ensures that your network traffic can reach its destination, but it is more difficult to set up.
Add a Static Route
A route is the sequence of devices through which network traffic must go to get from its source to its destination. A router is the device in a route that finds the subsequent network point through which to send the network traffic to its destination. Each router is connected to a minimum of two networks. A packet can go through a number of network points with routers before it gets to its destination.
You can create static routes to send traffic to specific hosts or networks. The router can then send the traffic from the specified route to the correct destination. If you have a full network behind a router on your local network, add a network route. If you do not add a route to a remote network, all traffic to that network is sent to the XTM device default gateway.
Before you begin, you must understand the difference between a network route and a host route. A network route is a route to a full network behind a router located on your local network. Use a host route if there is only one host behind the router, or if you want traffic to go to only one host.
If you have configured a BOVPN virtual interface, you can also add and edit VPN routes for a BOVPN virtual interface in the static routes table.
Add an IPv4 Static Route
To add a static route:
1. Select Network > Routes.
The Routes page appears.
2. Click Add.
The Route dialog box appears.
3. Fromthe Route Type drop-down list, select Static Route.
4. Fromthe Destination Type drop-down list, select an option:
n Host IPv4Select this option if only one IPv4 host is behind the router or you want
traffic to go to only one host.
n Network IPv4 Select this option if you have a full IPv4 network behind a router on
your local network.
5. In the Route To text box, type the host address or network address. If you type a network
address, use slash notation.
For more information about slash notation, see About Slash Notation on page 5.
6. In the Gateway text box, type the IP address of the router.
Make sure that you type an IP address that is on one of the same networks as the XTMdevice.
7. In the Metric text box, type or select a metric value for the route. Routes with lower metrics
have higher priority.
8. Click OK to close the Route dialog box.
The configured network route appears in the Routes page.
9. Click Save to save the change to the configuration.
Add an IPv6 Static Route
When you add an IPv6 route, you can optionally specify which IPv6-enabled interface to use for the
route. Specify an interface if you want to control which interface is used in the route. For example:
n If more than one interface can reach the gateway, and you want to route traffic to the gateway
through a specific interface, select the interface that you want this route to use.
n If there are two gateways with the same IPv6 link local address on different connected
networks, select the interface that connects to the gateway you want to route to.
To add a static route:
1. Select Network > Routes.
The Routes page appears.
2. Click Add.
The Route dialog box appears.
3. From the Route Type drop-down list, select Static Route.
4. From the Destination Type drop-down list, select an option:
• Host IPv6: Select this option if only one IPv6 host is behind the router or you want traffic to go to only one host.
• Network IPv6: Select this option if you have a full IPv6 network behind a router on your local network.
5. In the Route To text box, type the host address or network address. If you type a network
address, use slash notation.
For more information about slash notation, see About Slash Notation on page 5.
6. In the Gateway text box, type the IP address of the router.
Make sure that you type an IP address that is on one of the networks directly connected to the XTM device.
7. In the Metric text box, type or select a metric value for the route. Routes with lower metrics
have higher priority.
8. If you want this route to use a specific interface, select the Specify interface check box. From
the adjacent drop-down list, select an IPv6-enabled interface that can access the specified
gateway.
9. Click OK to close the Route dialog box.
The configured network route appears in the Routes page.
10. Click Save to save the change to the configuration.
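As an added example that is not part of the original guide, the following Python models the checks behind the IPv4 and IPv6 static route steps above: a destination in slash notation, a gateway on a directly connected network (or, for an IPv6 link-local gateway, an explicit interface), and route selection by longest prefix and then lowest metric. The interface networks and route entries are constructed values, and the longest-prefix rule is standard routing behaviour assumed here; the guide itself states only the metric rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: networks configured on the XTM device interfaces (hypothetical values)
DEVICE_INTERFACES = {
    "eth0": ["203.0.113.2/24", "2001:db8:ffff::2/64"],
    "eth1": ["192.168.1.1/24", "2001:db8:1::1/64"],
    "eth2": ["10.0.0.1/24", "2001:db8:2::1/64"],
}


@dataclass
class StaticRoute:
    route_to: str                    # host or network; slash notation for a network
    gateway: str                     # next-hop router address
    metric: int                      # lower metric wins among otherwise equal routes
    interface: Optional[str] = None  # optional for IPv6 routes, as in the Web UI

    @property
    def network(self):
        # A bare host address becomes a /32 or /128 host route
        return ipaddress.ip_network(self.route_to, strict=False)


def interfaces_connected_to(gateway: str) -> List[str]:
    """Return the device interfaces whose networks contain the gateway address."""
    gw = ipaddress.ip_address(gateway)
    return [name for name, nets in DEVICE_INTERFACES.items()
            if any(gw in ipaddress.ip_network(n, strict=False) for n in nets)]


def validate_route(route: StaticRoute) -> List[str]:
    """Return a list of problems; an empty list means the route is acceptable."""
    problems = []
    try:
        net = route.network
    except ValueError as exc:
        return [f"invalid Route To '{route.route_to}': {exc}"]
    try:
        gw = ipaddress.ip_address(route.gateway)
    except ValueError as exc:
        return [f"invalid Gateway '{route.gateway}': {exc}"]
    if net.version != gw.version:
        problems.append("destination and gateway must use the same IP version")
    if route.metric < 0:
        problems.append("metric must not be negative")
    if route.interface is not None and route.interface not in DEVICE_INTERFACES:
        problems.append(f"unknown interface '{route.interface}'")
    if gw.version == 6 and gw.is_link_local:
        # The same link-local gateway address can exist on several connected
        # networks, so the route must say which interface to use.
        if route.interface is None:
            problems.append("a link-local gateway requires an explicit interface")
    else:
        connected = interfaces_connected_to(route.gateway)
        if not connected:
            problems.append(f"gateway {gw} is not on any directly connected network")
        elif route.interface is not None and route.interface not in connected:
            problems.append(f"interface {route.interface} cannot reach gateway {gw}")
    return problems


def select_route(routes: List[StaticRoute], destination: str) -> Optional[StaticRoute]:
    """Longest-prefix match first; among equal prefixes the lowest metric wins."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes
                  if r.network.version == dst.version and dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


# Constructed route table
SAMPLE_ROUTES = [
    StaticRoute("172.16.0.0/16", "192.168.1.254", 10),
    StaticRoute("172.16.0.0/16", "10.0.0.254", 5),        # same prefix, better metric
    StaticRoute("172.16.5.0/24", "10.0.0.254", 20),       # more specific, worse metric
    StaticRoute("2001:db8:50::/48", "fe80::1", 10, "eth1"),
]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        print(r.route_to, "via", r.gateway, "->", validate_route(r) or "ok")
    print(select_route(SAMPLE_ROUTES, "172.16.5.7").gateway)   # 10.0.0.254 (the /24 route)
    print(select_route(SAMPLE_ROUTES, "172.16.9.9").metric)    # 5
```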
Add a BOVPN Virtual Interface Route
If you have configured a BOVPN virtual interface, you can also add and edit BOVPN virtual interface
routes here. This option is available only after you configure at least one BOVPN virtual interface. For
more information, see Configure a BOVPN Virtual Interface.
IPv6 BOVPN virtual interface routes are 6in4 tunnel routes that use a GRE tunnel within the IPSec BOVPN tunnel. You can use an IPv6 BOVPN virtual interface route to send traffic between two IPv6 networks through an IPv4 BOVPN virtual interface tunnel. You cannot configure a BOVPN virtual interface route for traffic between an IPv4 network and an IPv6 network.
IPv6 BOVPN virtual interface routes are supported in Fireware XTM OS v11.9 and higher.
To add a BOVPN virtual interface route:
1. Select Network > Routes.
The Routes page appears.
2. Click Add.
The Route dialog box appears.
3. From the Route Type drop-down list, select BOVPN Virtual Interface Route.
4. From the Choose Type drop-down list, select an option:
• Host IPv4: Select this option if only one IPv4 host is behind the router or you want traffic to go to only one host.
• Network IPv4: Select this option if you have a full IPv4 network behind a router on your local network.
• Host IPv6: Select this option if only one IPv6 host is behind the router or you want traffic to go to only one host.
• Network IPv6: Select this option if you have a full IPv6 network behind a router on your local network.
5. In the Route To text box, type the network address or host address. If you type a network
address, use slash notation.
For more information about slash notation, see About Slash Notation on page 5.
6. In the Metric text box, type or select a metric value for the route. Routes with lower metrics
have higher priority.
7. From the Interface drop-down list, select the BOVPN virtual interface you want to use for this route.
8. Click Save changes to close the Route dialog box.
The configured network route appears in the Routes page.
9. Click Save to save the change to the configuration.
The BOVPN virtual interface routes you configure here also appear on the VPN Routes tab in the BOVPN virtual interface configuration.
If the XTM device is configured in drop-in mode, the route table on the XTM device might or might not immediately show the correct interface for a static route after you restart the device, or after you move the gateway associated with a static route to a different interface. The XTM device cannot update the route table with the correct interface for a static route until it receives network traffic through the gateway for that static route. The XTM device updates the internal route table on demand when traffic is received from the gateway.
Add Static ARP Entries
Address Resolution Protocol (ARP) is a protocol that associates the IP address with the MAC address of a network device. A static ARP entry is a permanent entry in your ARP cache.
For example, it might be necessary to add static ARP entries for routers connected to an Active/Active FireCluster.
To add a static ARP entry in the Web UI, the Firebox or XTM device must use Fireware XTM v11.9 or higher.
To add a static ARP entry for a network device:
1. Select Network > ARP Entries.
The Static ARP Entries dialog box appears.
2. Click Add.
The ARP Entry dialog box appears.
3. In the Interface drop-down list, select the interface that the device is connected to.
4. In the IP Address text box, type the IP address of the device.
5. In the MAC Address text box, type the MAC address of the device.
6. Click OK.
The static ARP entry is added to the Static ARP Entries list.
To edit or remove a static ARP entry, select the static ARP entry in the table, and click Edit or Remove.
To see the ARP table, select System Status > ARP Table.
About Virtual Local Area Networks (VLANs)
An 802.1Q VLAN (virtual local area network) is a collection of computers on a LAN or LANs that are
grouped together in a single broadcast domain independent of their physical location. This enables you
to group devices according to traffic patterns, instead of physical proximity. Members of a VLAN can
share resources as if they were connected to the same LAN. You can also use VLANs to split a switch
into multiple segments. For example, suppose your company has full-time employees and contract
workers on the same LAN. You want to restrict the contract employees to a subset of the resources
used by the full-time employees. You also want to use a more restrictive security policy for the contract
workers. In this case, you split the interface into two VLANs.
VLANs enable you to divide your network into groups with a logical, hierarchical structure or grouping
instead of a physical one. This helps free IT staff from the restrictions of their existing network design
and cable infrastructure. VLANs make it easier to design, implement, and manage your network.
Because VLANs are software-based, you can quickly and easily adapt your network to additions,
relocations, and reorganizations.
VLANs use bridges and switches, so broadcasts are more efficient because they go only to people in
the VLAN, not everyone on the wire. Consequently, traffic across your routers is reduced, which
means a reduction in router latency. You can configure your XTM device to act as a DHCP server for devices on the VLAN, or use DHCP relay with a separate DHCP server.
You assign a VLAN to the Trusted, Optional, or External security zone. VLAN security zones
correspond to aliases for interface security zones. For example, VLANs of type Trusted are handled by
policies that use the alias Any-Trusted as a source or destination. VLANs of type External appear in
the list of external interfaces when you configure policy-based routing.
VLAN Requirements and Restrictions
• The WatchGuard VLAN implementation does not support the spanning tree link management protocol.
• If your XTM device is configured to use drop-in network mode, you cannot use VLANs.
• A VLAN interface can send and receive untagged traffic for only one trusted or optional VLAN. For example, if a VLAN interface is configured to send and receive untagged traffic for VLAN-10, it cannot also send and receive VLAN traffic for any other VLAN at the same time.
• A VLAN interface cannot be configured to send and receive untagged traffic for an external VLAN.
• A VLAN interface can be configured to send and receive tagged traffic for only one external VLAN.
• Your multi-WAN configuration settings are applied to VLAN traffic. However, it can be easier to manage bandwidth when you use only physical interfaces in a multi-WAN configuration.
• Your device model and license control the number of VLANs you can create. To see the number of VLANs you can add to your configuration, select System Status > License. Find the row labeled Total number of VLAN interfaces.
• We recommend that you do not create more than 10 VLANs that operate on external interfaces. Too many VLANs on external interfaces affect performance.
• All network segments you want to add to a VLAN must have IP addresses on the VLAN network.
• To use multiple VLANs on a single interface on an XTMv device in an ESXi environment, configure the VSwitch for the XTMv VLAN interface to use VLAN ID 4095 (All).
If you define VLANs, you can ignore messages with the text 802.1d unknown version. These occur because the WatchGuard VLAN implementation does not support the spanning tree link management protocol.
About Tagging
To enable VLANs, you must deploy VLAN-capable switches in each site. The switch interfaces insert
tags at layer 2 of the data frame that identify a network packet as part of a specified VLAN. These tags,
which add an extra four bytes to the Ethernet header, identify the frame as belonging to a specific
VLAN. Tagging is specified by the IEEE 802.1Q standard.
The VLAN definition includes disposition of tagged and untagged data frames. You must specify whether the VLAN receives tagged, untagged, or no data from each interface that is enabled. Your XTM device can insert tags for packets that are sent to a VLAN-capable switch. Your device can also remove tags from packets that are sent to a network segment that belongs to a VLAN that has no switch.
An XTM device interface can handle traffic for multiple tagged VLANs. This allows the interface to function as a VLAN trunk. The XTM device supports the 802.1Q standard.
About VLAN ID Numbers
By default, on most new switches that are not configured, each interface belongs to VLAN number 1. Because this VLAN exists on every interface of most switches by default, the possibility exists that this VLAN can accidentally span the entire network, or at least very large portions of it.
We recommend you use a VLAN ID number that is not 1 for any VLAN that passes traffic to the XTM device.
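As an added example (not code from the guide or from WatchGuard), this Python parser walks the Ethernet header described in About Tagging: it detects the four-byte 802.1Q tag, extracts the 12-bit VLAN ID and 3-bit priority, strips the tag as the device does when forwarding to a segment with no switch, and flags the VLAN IDs discussed above (1, and the reserved 0 and 4095). The frames are constructed inline; the TPID/TCI byte layout is the 802.1Q standard itself, which the guide does not detail.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass
class ParsedFrame:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]    # None when the frame is untagged
    priority: Optional[int]   # 802.1p priority code point, None when untagged
    ethertype: int            # EtherType of the encapsulated payload
    payload: bytes


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def parse_frame(frame: bytes) -> ParsedFrame:
    """Parse an Ethernet II frame that may carry a single 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = priority = None
    offset = 14
    if ethertype == TPID_8021Q:
        # The tag is four bytes: the TPID just read plus a 2-byte TCI, followed
        # by the real EtherType. These are the extra four bytes the guide mentions.
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        priority = tci >> 13          # top 3 bits: PCP
        vlan_id = tci & 0x0FFF        # low 12 bits: VID
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return ParsedFrame(_mac_str(dst), _mac_str(src), vlan_id, priority,
                       ethertype, frame[offset:])


def build_frame(dst_mac: str, src_mac: str, vlan_id: Optional[int],
                ethertype: int, payload: bytes, priority: int = 0) -> bytes:
    """Build a frame; vlan_id=None produces an untagged frame."""
    header = _mac_bytes(dst_mac) + _mac_bytes(src_mac)
    if vlan_id is not None:
        if not 0 <= vlan_id <= 0x0FFF or not 0 <= priority <= 7:
            raise ValueError("VID must fit in 12 bits and priority in 3 bits")
        header += struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan_id)
    return header + struct.pack("!H", ethertype) + payload


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, as the device does for a VLAN segment with no switch."""
    if parse_frame(frame).vlan_id is None:
        return frame
    return frame[:12] + frame[16:]


def vlan_id_warnings(vlan_id: Optional[int]) -> List[str]:
    """Warnings for VLAN IDs to avoid on VLANs that pass traffic to the device."""
    if vlan_id is None:
        return []
    if vlan_id == 0:
        return ["VID 0 marks a priority-tagged frame with no VLAN membership"]
    if vlan_id == 1:
        return ["VID 1 is the default VLAN on most unconfigured switches and "
                "can span the whole network; use a different ID"]
    if vlan_id == 4095:
        return ["VID 4095 is reserved by 802.1Q (ESXi uses it to mean all VLANs)"]
    return []


# Constructed sample frames: a tagged IPv4 frame on VLAN 10 and its untagged form
IPV4_PAYLOAD = bytes([0x45]) + bytes(19)          # minimal placeholder IPv4 header
TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 10,
                     ETHERTYPE_IPV4, IPV4_PAYLOAD, priority=5)
UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", None,
                       ETHERTYPE_IPV4, IPV4_PAYLOAD)

if __name__ == "__main__":
    p = parse_frame(TAGGED)
    print(p.vlan_id, p.priority, hex(p.ethertype), len(TAGGED) - len(UNTAGGED))
    print(vlan_id_warnings(1))
```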
Define a New VLAN
Before you create a new VLAN, make sure you understand all the VLAN concepts and restrictions, as
described in About Virtual Local Area Networks (VLANs) on page 200.
Before you can create a VLAN configuration, you must change at least one interface to be of type VLAN.
1. Select Network > Interfaces.
2. Select the interface that is connected to your VLAN switch. Click Edit.
3. From the Interface Type drop-down list, select VLAN.
4. Click Save.
When you define a new VLAN, you add an entry in the VLAN Settings table. To change the view of
this table:
n Click a column header to sort the table based on the values in that column.
n Sort the table in descending or ascending order.
The values in the Interfaces column show the physical interfaces that are members of this VLAN. The
interface number in bold is the interface that sends untagged data to that VLAN.
To create a new VLAN:
1. Select Network > VLAN.
The VLAN page appears, with a list of existing user-defined VLANs and their settings.
You can also configure network interfaces from the Interfaces list.
2. Click Add.
The VLAN Settings page appears.
3. In the Name text box, type a name for the VLAN. The name cannot contain spaces.
4. (Optional) In the Description text box, type a description of the VLAN.
5. In the VLAN ID text box, type or select a value for the VLAN.
6. From the Security Zone drop-down list, select Trusted, Optional, Custom, or External.
Security zones correspond to aliases for interface security zones. For example, VLANs of type Trusted are handled by policies that use the alias Any-Trusted as a source or destination.
7. In the IP Address text box, type the address of the VLAN gateway.
Any computer in this new VLAN must use this IP address as its default gateway.
8. In the Select a VLAN tag setting for each interface list, select one or more interfaces.
9. From the Select Traffic drop-down list, select an option to apply to the selected interfaces:
• Tagged traffic: The interface sends and receives tagged traffic.
• Untagged traffic: The interface sends and receives untagged traffic.
• No traffic: Remove the interface from this VLAN configuration.
Use DHCP on a VLAN
For a VLAN in the Trusted, Optional, or Custom security zone, you can configure the XTM device as a DHCP server for the computers on your VLAN network.
1. Select the Network tab.
2. From the DHCP Mode drop-down list, select DHCP Server. If necessary, type your domain name to supply it to the DHCP clients.
3. To add an IP address pool, type the first and last IP addresses in the pool. Click Add.
You can configure a maximum of six address pools.
4. To reserve a specific IP address for a client, type the IP address, reservation name, and MAC address for the device. Click Add.
5. To change the default lease time, from the drop-down list at the top of the page, select a different time interval.
This is the time interval that a DHCP client can use an IP address that it receives from the DHCP server. When the lease time is about to expire, the client sends a request to the DHCP server to get a new lease.
6. To add DNS or WINS servers to your DHCP configuration, type the server address in the text box adjacent to the list. Click Add.
7. To delete a server from the list, select the server from the list and click Remove.
For more information about per-interface DNS/WINS and DHCP options, see Configure IPv4 DHCP in Mixed Routing Mode.
Use DHCP Relay on a VLAN
1. On the Network tab, from the DHCP Mode drop-down list, select DHCP Relay.
2. Type the IP address of the DHCP server. Make sure to add a route to the DHCP server, if
necessary.
Apply Firewall Policies to Intra-VLAN Traffic
You can configure more than one XTM device interface as a member of the same VLAN. To apply firewall policies to VLAN traffic between local interfaces, select the Apply firewall policies to intra-VLAN traffic check box.
Intra-VLAN traffic is traffic from a VLAN that is destined for the same VLAN. When you enable this feature, the XTM device applies policies to traffic that passes through the firewall between hosts that are on the same VLAN. If you want to apply policies to intra-VLAN traffic, make sure that no alternate path exists between the source and destination. The VLAN traffic must go through the XTM device for firewall policies to apply.
For an external VLAN interface, this setting also applies to traffic from mobile VPN clients that connect through that interface. You must enable this setting on an external VLAN interface if you want firewall policies and NAT to function for users who use a mobile VPN client to connect to the external VLAN interface.
Intra-VLAN policies are applied by IP address, user, or alias. If the intra-VLAN traffic does not match any defined policy, the traffic is denied as unhandled packets. Intra-VLAN non-IP packets are allowed.
Configure Network Settings for a VLAN on the External Interface
When you configure a VLAN on the external interface, you must configure how the VLAN gets the external IP address.
1. On the VLAN Settings tab, from the Security Zone drop-down list, select External.
2. Select the Network tab.
3. From the Configuration Mode drop-down list, select Static IP, DHCP, or PPPoE.
4. Configure the network settings with the same method you use for other external interfaces.
For more information, see Configure an External Interface on page 144.
If you configure an external VLAN interface to get an IP address through DHCP, you can release or renew the VLAN interface IP address in Fireware XTM Web UI on the System Status > Interfaces page. For more information, see Interfaces on page 896.
Enable IPv6 on a VLAN
IPv6 addresses for a VLAN interface are supported in Fireware XTM v11.9 and higher.
To enable IPv6 on a VLAN interface:
1. Select the IPv6 tab.
2. Select the Enable IPv6 check box.
3. Configure the IPv6 network settings the same as you would for any other interface.
For information about how to configure the IPv6 settings, see:
• Enable IPv6 for a Trusted or Optional Interface
• Enable IPv6 for an External Interface
Configure VLAN Secondary IP Addresses
Secondary IP addresses for a VLAN interface are supported in Fireware XTM v11.8.1 and higher.
To configure a secondary IPv4 network for a VLAN interface:
1. Select the Secondary tab.
2. Type an unassigned host IP address in slash notation from the secondary network.
3. Click Add.
For more information about secondary interface IP addresses, see Add a Secondary Network IP Address.
Before you can save this VLAN, you must Assign Interfaces to a VLAN on page 206.
Assign Interfaces to a VLAN
When you create a new VLAN, you specify the type of data it receives from XTM device interfaces. However, you can also make an interface a member of a VLAN that is currently defined, or remove an interface from a VLAN.
You must change an interface type to VLAN before you can use it in a VLAN configuration.
To assign a network interface to a VLAN:
1. Select Network > VLAN.
The VLAN page appears.
2. Click Add, or select a VLAN interface and click Edit.
3. In the Select a VLAN tag setting for each interface list, select one or more interfaces.
4. From the Select Traffic drop-down list, select an option to apply to the selected interfaces:
• Tagged traffic: The interface sends and receives tagged traffic.
• Untagged traffic: The interface sends and receives untagged traffic.
• No traffic: Remove the interface from this VLAN configuration.
5. Click Save.
About Link Aggregation
A link aggregation (LA) interface is a group of physical interfaces that you configure to work together as
a single logical interface. You can use a link aggregation interface to increase the cumulative
throughput beyond the capacity of a single physical interface, and to provide redundancy if there is a
physical link failure. When you use link aggregation, you connect the link aggregation interfaces to a
switch, and configure the connected switch to use the same link aggregation mode and link speed.
You can configure a link aggregation interface only on an XTM device configured in mixed routing
mode. A link aggregation interface can be configured as an External, Trusted, Optional, or Custom
interface, or as a member of a VLAN or Bridge interface. You can use a link aggregation interface in
most of the same ways that you use a physical interface. For example, you can use it in the
configuration of policies, multi-WAN, VPN, DHCP, and PPPoE.
Requirements and Limitations
• Link aggregation requires Fireware XTM with a Pro upgrade.
• Link aggregation interfaces do not support Traffic Management, QoS, and some other advanced interface settings.
• You cannot use a link aggregation interface with an active/active FireCluster, or on XTM 21, 22, 23, or XTMv devices.
• You cannot use a link aggregation interface as an endpoint of a managed branch office VPN tunnel.
• Dynamic link aggregation mode is not supported on XTM 25, XTM 26, and XTM 33 devices.
Link Aggregation Modes
On a supported Fireware XTM device with Fireware XTM Pro, you can configure a link aggregation
interface in one of three modes. For all modes, a member interface can be active only when the
member interface link status is up. Whether a member interface is active depends on both the link
status of the physical interface and the link aggregation mode.
Dynamic (802.3ad)
All physical interfaces that are members of the link aggregation interface can be active. The
physical interface used for traffic between any source and destination is selected based on Link
Aggregation Control Protocol (LACP), as described in the IEEE 802.3ad dynamic link
aggregation specification.
Static
All physical interfaces that are members of the link aggregation interface can be active. The
same physical interface is always used for traffic between a given source and destination based
on source/destination MAC address and source/destination IP address. This mode provides
load balancing and fault tolerance.
Active-backup
In this mode, at most one member interface in the link aggregation group is active at a time.
The other member interfaces in the link aggregation group become active only if the active
interface fails. This mode provides fault tolerance for connections to network switches that do
not support link aggregation.
To use dynamic or static link aggregation, you must also configure link aggregation on the connected
switch. To use Active-backup mode it is not necessary to enable link aggregation on your switches.
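The three modes as an added illustration, not code from the guide or from WatchGuard: the functions below model which members can carry traffic in each mode (link status up in every mode, a single active member in Active-backup) and, for Static mode, the stable mapping from a source/destination MAC and IP pair to one member. The hash used to pick a member is an assumption for illustration, since the guide states only that the same pair always uses the same interface, and Dynamic mode is modelled like Static because the LACP negotiation with the switch is outside what the guide describes.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample: link aggregation group "bond0" with three physical members
MEMBERS = ["eth3", "eth4", "eth5"]
MODES = ("dynamic", "static", "active-backup")

Flow = Tuple[str, str, str, str]   # (src_mac, dst_mac, src_ip, dst_ip)


def active_members(mode: str, link_up: Dict[str, bool],
                   members: List[str] = MEMBERS) -> List[str]:
    """Members that may carry traffic right now.

    In every mode a member needs link status up. Dynamic and static modes use
    all such members; active-backup keeps exactly one active and the rest on
    standby until the active link fails.
    """
    if mode not in MODES:
        raise ValueError(f"unknown link aggregation mode: {mode}")
    up = [m for m in members if link_up.get(m, False)]
    if mode == "active-backup":
        return up[:1]
    return up


def select_member(mode: str, link_up: Dict[str, bool], src_mac: str, dst_mac: str,
                  src_ip: str, dst_ip: str, members: List[str] = MEMBERS) -> Optional[str]:
    """Member interface that carries one flow, or None when no link is up.

    Static mode: the same source/destination MAC+IP pair always lands on the
    same member while the set of active members is unchanged (illustrative
    hash, not WatchGuard's algorithm). Dynamic is modelled the same way here.
    Active-backup: always the single active member.
    """
    active = active_members(mode, link_up, members)
    if not active:
        return None
    if mode == "active-backup":
        return active[0]
    key = f"{src_mac}|{dst_mac}|{src_ip}|{dst_ip}".encode()
    bucket = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return active[bucket % len(active)]


def failover_report(mode: str, flows: List[Flow], before: Dict[str, bool],
                    after: Dict[str, bool]) -> List[Tuple[Flow, Optional[str], Optional[str]]]:
    """For each flow, the member used before and after a link status change."""
    return [(flow, select_member(mode, before, *flow), select_member(mode, after, *flow))
            for flow in flows]


# Constructed flows (MACs and IPs are sample values)
FLOWS: List[Flow] = [
    ("00:11:22:33:44:01", "00:11:22:33:44:ff", "192.168.1.10", "10.0.0.5"),
    ("00:11:22:33:44:02", "00:11:22:33:44:ff", "192.168.1.11", "10.0.0.5"),
    ("00:11:22:33:44:03", "00:11:22:33:44:ff", "192.168.1.12", "10.0.0.6"),
]
ALL_UP = {"eth3": True, "eth4": True, "eth5": True}
ETH3_DOWN = {"eth3": False, "eth4": True, "eth5": True}

if __name__ == "__main__":
    for mode in MODES:
        print(mode, failover_report(mode, FLOWS, ALL_UP, ETH3_DOWN))
```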
Configure Link Aggregation
Each link aggregation interface can have one or more physical interface members. To specify a
physical interface on your XTM device for use in a link aggregation interface, you must first configure
the physical interfaces and select Link Aggregation as the interface type. You can then create the
link aggregation interface and add one or more physical interfaces of the link aggregation type as the
link aggregation members.
Configure Link Aggregation Members
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select an interface and click Edit.
3. From the Interface Type drop-down list, select Link Aggregation.
4. In the Interface Name (Alias) text box, you can use the default name or change it to one that
more closely reflects how this interface is used.
5. (Optional) In the Interface Description text box, type a description of the interface.
6. Click Save.
7. Repeat these steps for each interface that you want to configure as a member of a link
aggregation interface.
If you change an interface type from External to Link Aggregation, any 1-to-1 NAT rules previously associated with the external interface are automatically removed.
Add a Link Aggregation Interface
1. Select Network > Link Aggregation.
The Link Aggregation page appears. The interfaces configured as type Link Aggregation are listed at
the top.
2. To configure additional link aggregation members, click Configure.
3. To add a new Link Aggregation interface, click Add.
The Link Aggregation settings page appears.
4. In the Name text box, type a name for this link aggregation configuration.
5. (Optional) In the Description text box, type a description for the link aggregation configuration.
6. From the Mode drop-down list, select the link aggregation mode to use. You can choose Static, Dynamic, or Active-backup.
For information about link aggregation modes, see About Link Aggregation.
If you choose Static or Dynamic mode, your connected switch or router must also
support and be configured to use the same mode.
7. From the Type drop-down list, select the interface type. For a Link Aggregation interface, you can set the type to Trusted, Optional, Custom, External, Bridge, or VLAN.
8. Configure the settings for the interface type you selected.
Configure the other settings the same way that you would configure them for any other interface.
For a Trusted, Optional, or Custom interface:
Type the IPv4 interface private IP address in slash notation. For more information about private IP addresses, see About Private IP Addresses.
Select the Network tab. Configure the DHCP settings. For more information about DHCP settings, see Configure IPv4 DHCP in Mixed Routing Mode on page 154 or Configure DHCP Relay on page 179.
To enable and configure IPv6, select the IPv6 tab. For information about the IPv6 settings, see Enable IPv6 for a Trusted or Optional Interface.
For an External interface:
Select the Network tab. Type a static IPv4 address and default gateway, or configure the external interface to use DHCP or PPPoE to get an IP address. For information about external interface network settings, see Configure an External Interface.
To enable and configure IPv6, select the IPv6 tab. For information about the IPv6 settings, see Enable IPv6 for an External Interface.
IPv6 on a link aggregation interface is supported in Fireware XTM v11.9 and higher.
For a Bridge interface:
Select the network bridge interface you want to add this link aggregation interface to. You must assign this interface to a Bridge. For more information, see Assign a Network Interface to a Bridge.
For a VLAN interface:
Select the tagged or untagged VLANs you want to add this link aggregation interface to.
You must assign this interface to a VLAN. For more information, see Assign Interfaces to a
VLAN.
9. To configure a secondary network on this interface, select the Secondary tab.
For information about how to configure a secondary network, see Add a Secondary Network IP Address on page 182.
10. To configure network interface card settings, select the Advanced tab.
The network interface settings apply to all physical interfaces assigned to this link aggregation interface. For more information, see Network Interface Card (NIC) Settings.
Physical interfaces that are members of a link aggregation interface must support the same link speed. On XTM 505, 510, 520, or 530 devices, interface 0 (Eth0) supports a lower maximum link speed than the other interfaces. If you use Eth0 as a member of a link aggregation interface on these models, you must set the Link Speed to 100 Mbps or lower in the link aggregation interface configuration and on the connected network switches.
Unlike a physical interface configuration, you cannot configure Traffic Management, QoS, or static MAC/IP address binding in the interface advanced settings. A link aggregation interface does not support those features.
Connect Link Aggregation Interfaces to a Switch
If you configure a link aggregation interface to use dynamic or static link aggregation, you must first enable link aggregation on the connected switch or router and configure it to use the same mode and link speed. Then, you can connect the cables from the member interfaces on the XTM device to the other network device.
If the link aggregation interface uses Active-backup mode, you do not need to enable link aggregation
on your connected switches or routers.
For more information about link aggregation network modes, see About Link Aggregation.
Read the Link Aggregation Settings Table
After you configure link aggregation settings, you can see a summary of the settings for each link
aggregation configuration on the Link Aggregation page. Select Network > Link Aggregation.
The columns show information about each link aggregation interface.
Name
The interface name. You can use this name in policies just as you would any other interface
name.
Type
The interface type. Link aggregation interfaces can be Trusted, External, Optional, Bridge or
VLAN.
IPv4 Address
The interface IPv4 address. This column shows DHCP or PPPoE client for an external interface configured to get an IP address from a DHCP or PPPoE server.
IPv6 Address
The interface IPv6 address. This column shows DHCP or PPPoE client for an external interface configured to get an IP address from a DHCP or PPPoE server.
Interfaces
The interface numbers of the physical interfaces that are members of this link aggregation
interface.
Edit or Remove a Link Aggregation Interface
From the Link Aggregation page, you can edit or remove a link aggregation interface. When you remove
a link aggregation interface, the member interfaces are still set to type Link Aggregation, but they are
no longer assigned to any link aggregation interface.
To edit or delete a link aggregation configuration:
1. Select Network > Link Aggregation.
2. Select the interface you want to edit or delete.
n Click Configure to edit the selected link aggregation interface.
n Click Remove to delete the selected link aggregation interface.
Monitor Link Aggregation Interfaces
Each link aggregation interface is identified by an interface number that starts with the prefix bond
followed by a number. Link aggregation interfaces are numbered consecutively in the order they were
added. For example, if you enable two link aggregation interfaces, the interface numbers are bond0 and
bond1.
Link aggregation interface numbers appear in the routes table, and in log messages.
To monitor the status of physical interfaces that are members of a link aggregation interface, select Dashboard > Interfaces. The Interfaces page shows the status for each physical interface, including link aggregation members, but does not show the status of link aggregation interfaces.
To monitor the status of link aggregation interfaces, you must use Firebox System Manager. For more information, see the WatchGuard System Manager Help or User Guide.
Network Setup Examples
Configure Two VLANs on the Same Interface
A network interface on an XTM device is a member of more than one VLAN when the switch that connects to that interface carries traffic from more than one VLAN. This example shows how to connect one switch that is configured for two different VLANs to a single interface on the XTM device.
The subsequent diagram shows the configuration for this example.
In this example, computers on both VLANs connect to the same 802.1Q switch, and the switch connects to interface 3 on the XTM device.
The subsequent instructions show you how to configure these VLANs.
Configure Interface 3 as a VLAN Interface
1. Select Network > Interfaces.
2. Select interface number 3.
3. Click Edit.
4. In the Interface Name (Alias) text box type vlan.
5. From the Interface Type drop-down list, select VLAN.
6. Click Save.
Define the Two VLANs and Assign Them to the VLAN Interface
1. Select Network > VLAN.
2. Click Add.
3. In the Name text box, type a name for the VLAN. For this example, type VLAN10.
4. In the Description text box, type a description. For this example, type Accounting.
5. In the VLAN ID text box, type the VLAN number configured for the VLAN on the switch. For
this example, type 10.
6. From the Security Zone drop-down list, select the security zone. For this example, select Trusted.
7. In the IP Address text box, type the IP address to use for the XTM device on this VLAN. For this example, type 192.168.10.1/24.
8. In the interface list, select the interface called vlan.
9. From the Select Traffic drop-down list, select Tagged traffic.
10. Click Save.
11. Click Add to add the second VLAN.
12. In the Name text box, type VLAN20.
13. In the Description text box, type Sales.
14. In the VLAN ID text box, type 20.
15. From the Security Zone drop-down list, select Optional.
16. In the IP Address text box, type the IP address to use for the XTM device on this VLAN. For this example, type 192.168.20.1/24.
17. In the interface list, select the interface called vlan.
18. From the Select Traffic drop-down list, select Tagged traffic.
19. Click Save.
20. Both VLANs now appear in the list, and are configured to use the defined VLAN interface.
Configure One VLAN Bridged Across Two Interfaces
You can configure a VLAN to bridge across two interfaces of the XTM device. You might want to bridge
one VLAN across two interfaces if your organization is spread across multiple locations. For example,
suppose your network is on the first and second floors in the same building. Some of the computers on
the first floor are in the same functional group as some of the computers on the second floor. You want
to group these computers into one broadcast domain so that they can easily share resources, such as
a dedicated file server for their LAN, host-based shared files, printers, and other network accessories.
This example shows how to connect two 802.1Qswitches so that both switches can send traffic from
the same VLAN to two interfaces on the same XTMdevice.
In this example, two 802.1Qswitches are connected to XTMdevice interfaces 3 and 4, and carry
traffic fromthe same VLAN.
Any computer in this new VLAN must use this IP address as its default gateway.
Configure Interfaces 3 and 4 as VLAN Interfaces
1. Select Network > Interfaces.
2. Select interface number 3. Click Edit.
3. In the Interface Name (Alias) text box, type a name. For this example, type vlanfloor1.
4. From the Interface Type drop-down list, select VLAN.
5. Click Save.
6. Repeat the same steps to configure Interface 4 as a VLAN interface called vlanfloor2.
Configure the VLAN
1. Select Network > VLAN.
2. Click Add.
3. In the Name text box, type a name for the VLAN. For this example, type VLAN10.
4. In the Description text box, type a description. For this example, type Accounting.
5. In the VLAN ID text box, type the VLAN number configured for the VLAN on the switch. For
this example, type 10.
6. From the Security Zone drop-down list, select the security zone. For this example, select Trusted.
7. In the IP Address text box, type the IP address to use for the XTM device on this VLAN. For this example, type 192.168.10.1/24.
8. In the list of interfaces, select both interfaces.
9. From the Select Traffic drop-down list, select Tagged traffic.
10. Click Save.
Configure the Switches
Configure each of the switches that connect to interfaces 3 and 4 of the XTM device. Refer to the instructions from your switch manufacturer for details about how to configure your switches.
Configure the Switch Interfaces Connected to the XTM Device
The physical segment between the switch interface and the XTM device interface is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging.
Some switch manufacturers refer to an interface configured in this way as a trunk port or a trunk interface.
On each switch, for the switch interface that connects to the XTM device:
- Disable Spanning Tree Protocol.
- Configure the interface to be a member of VLAN10.
- Configure the interface to send traffic with the VLAN10 tag.
- If necessary for your switch, set the switch mode to trunk.
- If necessary for your switch, set the encapsulation mode to 802.1Q.
Configure the Other Switch Interfaces
The physical segments between each of the other switch interfaces and the computers (or other networked devices) that connect to them are untagged data segments. Traffic that flows over these segments does not have VLAN tags.
On each switch, for the switch interfaces that connect computers to the switch:
- Configure these switch interfaces to be members of VLAN10.
- Configure these switch interfaces to send untagged traffic for VLAN10.
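To make the tagged/untagged distinction in the two switch-interface procedures above concrete, here is an added Python example. It is not part of the WatchGuard guide and is not code from the XTM device or from any switch vendor. It parses the Ethernet header of a raw frame, reports whether the frame carries an 802.1Q tag and which VLAN ID, and classifies a frame captured on the trunk segment against the VLAN the trunk is expected to carry. The sample frames are constructed inline; the MAC addresses and payload bytes are made up.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that introduces an 802.1Q tag


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header and its optional 802.1Q tag.

    Returns dst, src, tagged (bool), pcp and vlan_id (None when untagged),
    the EtherType of the encapsulated payload, and the payload offset.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "tagged": False, "pcp": None,
                "vlan_id": None, "ethertype": ethertype, "payload_offset": 14}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "tagged": True,
            "pcp": tci >> 13,           # 3-bit priority code point
            "vlan_id": tci & 0x0FFF,    # 12-bit VLAN identifier
            "ethertype": inner_type, "payload_offset": 18}


def classify_trunk_frame(frame: bytes, expected_vid: int) -> str:
    """Classify a frame seen on the tagged segment between switch and XTM device.

    On a trunk configured for tagged VLAN10 traffic only, anything other than
    'ok' is worth logging: an untagged frame or a foreign VLAN ID means a switch
    port is not configured the way the procedure describes.
    """
    info = parse_frame(frame)
    if not info["tagged"]:
        return "untagged"
    if info["vlan_id"] != expected_vid:
        return "wrong-vlan:%d" % info["vlan_id"]
    return "ok"


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a constructed sample frame, with an 802.1Q tag when vlan_id is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


# Constructed sample frames (MAC addresses and payload are made up, not captured).
PC_ON_FLOOR1 = "02:00:00:00:00:11"
XTM_VLAN_IF = "02:00:00:00:00:f3"
IPV4_STUB = b"\x45" + b"\x00" * 19
TAGGED_VLAN10 = build_frame(XTM_VLAN_IF, PC_ON_FLOOR1, 0x0800, IPV4_STUB, vlan_id=10)
TAGGED_VLAN20 = build_frame(XTM_VLAN_IF, PC_ON_FLOOR1, 0x0800, IPV4_STUB, vlan_id=20)
UNTAGGED = build_frame(XTM_VLAN_IF, PC_ON_FLOOR1, 0x0800, IPV4_STUB)

if __name__ == "__main__":
    for name, frame in (("tagged VLAN10", TAGGED_VLAN10),
                        ("tagged VLAN20", TAGGED_VLAN20),
                        ("untagged", UNTAGGED)):
        print(name, parse_frame(frame)["vlan_id"], classify_trunk_frame(frame, 10))
```

Run against frames captured on the XTM-facing switch port (for example from a span port), the classifier flags exactly the two misconfigurations the procedure guards against: a port left in untagged mode, or a port tagging for a VLAN other than VLAN10.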
Physically Connect All Devices
1. Use an Ethernet cable to connect XTM device interface 3 to the Switch A interface that you configured to tag for VLAN10 (the VLAN trunk interface of Switch A).
2. Use an Ethernet cable to connect the XTM device interface 4 to the Switch B interface that you configured to tag for VLAN10 (the VLAN trunk interface of Switch B).
3. Connect a computer to the interface on Switch A that you configured to send untagged traffic for VLAN10.
4. Configure the network settings on the connected computer. The settings depend on whether you configured the XTM device to act as a DHCP server for the computers on VLAN10 in Step 9 of Define the VLAN on the XTM Device.
- If you configured the XTM device to act as a DHCP server for the computers on VLAN10, configure the computer to use DHCP to get an IP address automatically. See Step 9 in the procedure Define the VLAN, above.
- If you did not configure the XTM device to act as a DHCP server for the computers on VLAN10, configure the computer with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the default gateway on the computer to the XTM device VLAN IP address 192.168.10.1.
5. Repeat the previous two steps to connect a computer to Switch B.
Test the Connection
After you complete these steps, the computers connected to Switch A and Switch B can communicate
as if they were connected to the same physical local area network. To test this connection you can:
- Ping from a computer connected to Switch A to a computer connected to Switch B.
- Ping from a computer connected to Switch B to a computer connected to Switch A.
Use the Broadband Extend or 3G Extend Wireless Bridge
You can use the WatchGuard Broadband Extend USB or 3G Extend USB wireless bridge to add cellular connectivity to your WatchGuard Firebox T10, XTM 2 Series or 3 Series device. When you connect the external interface of your XTM device to the wireless bridge, computers on your network can connect wirelessly to the Internet through the cellular network.
To connect your Firebox or XTM device to the cellular network you need:
- An XTM 2 Series, XTM 3 Series, or Firebox T10 device
- A Broadband Extend USB (for 4G/3G connectivity) or a 3G Extend USB (for 3G connectivity)
- A compatible wireless broadband data card
Use the Broadband Extend USB / Cradlepoint CBR450 Device
Follow these steps to use the Broadband Extend Cradlepoint cellular broadband adapter with your Firebox or XTM device.
1. Use the instructions in the Cradlepoint CBA450 Setup Guide to set up the Cradlepoint device and update the device firmware.
2. Configure the external interface on your XTM device to get its address with DHCP. To learn how to configure your external interface, see Configure an External Interface on page 144.
3. Use an Ethernet cable to connect the Cradlepoint device to the external interface of the XTM device.
4. Start (or restart) the XTM device.
When the device starts, it gets a DHCP address from the Cradlepoint device. After an IP address is assigned, the device can connect to the Internet via the cellular broadband network.
The CBR450 supports a large number of popular 4G/3G USB modems. For a list of supported devices, see http://www.cradlepoint.com/products/machine-to-machine-routers/cbr450-compact-broadband-router-without-wifi.
Use the 3G Extend USB / Cradlepoint CBA250 Device
Follow these steps to use the 3G Extend Cradlepoint cellular broadband adapter with your Firebox or XTM device.
1. Use the instructions in the Cradlepoint CBA250 Quick Start Guide to set up the Cradlepoint device and update the device firmware. If you have a newer modem that is not supported by the firmware version that ships on the device, you must use different steps to upgrade your firmware to the latest version:
- Download the latest firmware for the CBA250 to your computer from the Cradlepoint support site at http://www.cradlepoint.com/support/cba250.
- Use these instructions to update your firmware: Updating the Firmware on your Cradlepoint Router.
2. Configure the external interface on your Firebox or XTM device to get its address with DHCP. To learn how to configure your external interface, see Configure an External Interface on page 144.
3. Use an Ethernet cable to connect the Cradlepoint device to the external interface of the Firebox or XTM device.
4. Start (or restart) the XTM device.
When the device starts, it gets a DHCP address from the Cradlepoint device. After an IP address is assigned, the device can connect to the Internet via the cellular broadband network.
The CBA250 supports a large number of USB or ExpressCard broadband wireless modems. For a list of supported devices, see http://www.cradlepoint.com/support/cba250.
7
Multi-WAN
About Using Multiple External Interfaces
You can use your XTM device to create redundant support for the external interface. This is a helpful option if you must have a constant Internet connection.
With the multi-WAN feature, you can configure multiple external interfaces, each on a different subnet. This allows you to connect your XTM device to more than one Internet Service Provider (ISP). When you configure a second interface, the multi-WAN feature is automatically enabled.
Multi-WAN Requirements and Conditions
You must have a second Internet connection and more than one external interface to use most multi-WAN configuration options.
Conditions and requirements for multi-WAN use include:
- If you have a policy configured with an individual external interface alias in its configuration, you must change the configuration to use the alias Any-External, or another alias you configure for external interfaces. If you do not do this, some traffic could be denied by your firewall policies.
- Multi-WAN settings do not apply to incoming traffic. When you configure a policy for inbound traffic, you can ignore all multi-WAN settings.
- To override the multi-WAN configuration in any individual policy, enable policy-based routing for that policy. For more information on policy-based routing, see Configure Policy-Based Routing on page 631.
- Map your company's Fully Qualified Domain Name to the external interface IP address of the lowest order. If you add a multi-WAN XTM device to your Management Server configuration, you must use the lowest-ordered external interface to identify it when you add the device.
- To use multi-WAN, you must use mixed routing mode for your network configuration. This feature does not operate in drop-in or bridge mode network configurations.
- To use the Interface Overflow method, you must have Fireware XTM with a Pro upgrade. You must also have a Fireware XTM Pro license if you use the Round-robin method and configure different weights for the XTM device external interfaces.
- To use multi-WAN options except modem failover on an XTM 2 Series device, you must have Fireware XTM with a Pro upgrade.
You can use one of four multi-WAN configuration options to manage your network traffic.
For configuration details and setup procedures, see the section for each option.
When you enable multi-WAN, the XTM device monitors the status of each external interface. Make sure that you define a link monitor host for each interface. We recommend that you configure two link targets for each interface.
For more information, see About WAN Interface Status.
Multi-WAN and DNS
Make sure that your DNS server can be reached through every WAN. Otherwise, you must modify
your DNS policies such that:
- The From list includes Firebox.
- The Use policy-based routing check box is selected.
If only one WAN can reach the DNS server, select that interface in the adjacent drop-down list. If more than one WAN can reach the DNS server, select any one of them, select Failover, select Configure, and select all the interfaces that can reach the DNS server. The order does not matter.
You must have Fireware XTM with a Pro upgrade to use policy-based routing.
About Multi-WAN Options
When you configure multiple external interfaces, you have several options to control which interface an
outgoing packet uses.
XTM 2 Series devices must have Fireware XTM with a Pro upgrade to use any of the multi-WAN methods except modem failover. All other XTM devices must have Fireware XTM with a Pro upgrade to use the weighted round robin or interface overflow multi-WAN methods.
Round-Robin Order
When you configure multi-WAN with the Round-robin method, the XTM device looks at its internal route table to check for specific static or dynamic routing information for each connection. The route table includes dynamic routes as well as static routes you configure on the device. If no specified route is found, the XTM device distributes the traffic load among its external interfaces. The XTM device uses the average of sent (TX) and received (RX) traffic to balance the traffic load across all external interfaces you specify in your round-robin configuration.
If you have Fireware XTM with a Pro upgrade, you can assign a weight to each interface used in your round-robin configuration. By default and for all Fireware XTM users, each interface has a weight of 1. The weight refers to the proportion of load that the XTM device sends through an interface. If you have Fireware XTM Pro and you assign a weight of 2 to an interface, you double the portion of traffic that will go through that interface compared to an interface with a weight of 1.
As an example, if you have three external interfaces with 6M, 1.5M, and .075M bandwidth and want to balance traffic across all three interfaces, you would use 8, 2, and 1 as the weights for the three interfaces. Fireware XTM will try to distribute connections so that 8/11, 2/11, and 1/11 of the total traffic flows through each of the three interfaces.
For more information, see Configure Round-Robin on page 232.
Failover
When you use the failover method to route traffic through the XTM device external interfaces, you select one external interface to be the primary external interface. Other external interfaces are backup interfaces, and you set the order for the XTM device to use the backup interfaces. The XTM device monitors the primary external interface. If it goes down, the XTM device sends all traffic to the next external interface in its configuration. While the XTM device sends all traffic to the backup interface, it continues to monitor the primary external interface. When the primary interface is active again, the XTM device immediately starts to send all new connections through the primary external interface again.
You control the action for the XTM device to take for existing connections; these connections can failback immediately, or continue to use the backup interface until the connection is complete. Multi-WAN failover and FireCluster are configured separately. Multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond. FireCluster failover takes precedence over multi-WAN failover.
For more information, see Configure Failover on page 233.
Interface Overflow
When you use the Interface Overflow multi-WAN configuration method, you select the order you want the XTM device to send traffic through external interfaces and configure each interface with a bandwidth threshold value. The XTM device starts to send traffic through the first external interface in its Interface Overflow configuration list. When the traffic through that interface reaches the bandwidth threshold you have set for that interface, the XTM device starts to send traffic to the next external interface you have configured in your Interface Overflow configuration list.
This multi-WAN configuration method allows the amount of traffic sent over each WAN interface to be restricted to a specified bandwidth limit. To determine bandwidth, the XTM device examines the amount of sent (TX) and received (RX) packets and uses the higher number. When you configure the interface bandwidth threshold for each interface, you must consider the needs of your network for this interface and set the threshold value based on these needs. For example, if your ISP is asymmetrical and you set your bandwidth threshold based on a large TX rate, interface overflow will not be triggered by a high RX rate.
If all WAN interfaces have reached their bandwidth limit, the XTM device uses the ECMP (Equal Cost MultiPath Protocol) routing algorithm to find the best path.
For more information, see Configure Interface Overflow on page 235.
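The Failover and Interface Overflow descriptions above, as an added Python model. This is not WatchGuard code and does not reproduce the device's implementation; it only makes the two selection rules the text describes explicit. `failover_choice` returns the interface a new connection takes (the first active interface in configured order) and, for an existing connection, whether it fails back at once or stays on its backup until it ends. `overflow_choice` walks the ordered list and picks the first interface whose load, measured as the higher of TX and RX as the guide states, is still below its threshold. The interface names, thresholds and traffic figures are constructed. When every interface is at its limit, `overflow_choice` returns None to mark the point where the guide says ECMP takes over; ECMP selection itself is not modelled here.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Wan:
    name: str
    up: bool = True               # as reported by the link monitor
    tx_mbps: float = 0.0
    rx_mbps: float = 0.0
    threshold_mbps: float = 0.0   # Interface Overflow bandwidth threshold

    @property
    def load_mbps(self) -> float:
        # Interface Overflow compares the higher of TX and RX against the threshold,
        # so a line saturated only on RX overflows just like one saturated on TX.
        return max(self.tx_mbps, self.rx_mbps)


def failover_choice(wans: List[Wan], current: Optional[Wan] = None,
                    failback_immediately: bool = True) -> Optional[Wan]:
    """Failover method: the first active interface in configured order carries
    new connections. For an existing connection (`current`), the device either
    moves it back to that interface at once or leaves it on its backup until the
    connection ends, depending on the failback setting. Returns None when no
    interface is up (the point at which modem failover, if enabled, applies).
    """
    active = [w for w in wans if w.up]
    if not active:
        return None
    preferred = active[0]
    if current is not None and current.up and not failback_immediately:
        return current
    return preferred


def overflow_choice(wans: List[Wan]) -> Optional[Wan]:
    """Interface Overflow method: send through the first active interface in list
    order whose load is still below its threshold. None means every interface has
    reached its limit, where the guide says ECMP picks the path instead.
    """
    for w in wans:
        if w.up and w.load_mbps < w.threshold_mbps:
            return w
    return None


# Constructed sample configuration: three ISP links in configured order.
WANS = [
    Wan("eth0-isp-a", up=True, tx_mbps=4.0, rx_mbps=12.0, threshold_mbps=10.0),
    Wan("eth1-isp-b", up=True, tx_mbps=1.0, rx_mbps=1.5, threshold_mbps=5.0),
    Wan("eth2-isp-c", up=True, tx_mbps=0.2, rx_mbps=0.3, threshold_mbps=2.0),
]


def demo() -> dict:
    """Run both selection methods over the sample links and return the names chosen."""
    primary_down = [Wan("eth0-isp-a", up=False), Wan("eth1-isp-b"), Wan("eth2-isp-c")]
    existing = primary_down[1]          # a connection established while eth0 was down
    recovered = [Wan("eth0-isp-a"), existing, Wan("eth2-isp-c")]
    return {
        "failover_new": failover_choice(primary_down).name,
        "failover_recovered_immediate": failover_choice(recovered, existing, True).name,
        "failover_recovered_sticky": failover_choice(recovered, existing, False).name,
        "overflow": overflow_choice(WANS).name,   # eth0 is over threshold on RX alone
        "overflow_all_full": overflow_choice([Wan("x", tx_mbps=9, threshold_mbps=5)]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `load_mbps` property is the part worth checking against your own thresholds: because the comparison uses the larger of the two directions, an interface whose RX alone exceeds the threshold overflows even when its TX is far below it.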
Routing Table
When you select the Routing Table option for your multi-WAN configuration, the XTM device uses the routes in its internal route table or routes it gets from dynamic routing processes to send packets through the correct external interface. To see whether a specific route exists for a packet's destination, the XTM device examines its route table from the top to the bottom of the list of routes. You can see the list of routes in the route table on the Status tab of Firebox System Manager. The Routing Table option is the default multi-WAN option.
If the XTM device does not find a specified route, it selects the route to use based on source and destination IP hash values of the packet, using the ECMP (Equal Cost Multipath Protocol) algorithm specified in:
http://www.ietf.org/rfc/rfc2992.txt
With ECMP, the XTM device uses an algorithm to decide which next-hop (path) to use to send each packet. This algorithm does not consider current traffic load.
For more information, see When to Use Multi-WAN Methods and Routing on page 237.
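The hash-based selection described for the Routing Table method, as an added Python example that is not WatchGuard code: `ecmp_select` implements the hash-threshold scheme from RFC 2992 (the RFC the guide cites), splitting a fixed key space into one equal region per active external interface and choosing the region the flow's key falls in. The hash function (SHA-256 over the packed source and destination addresses) and the 16-bit key space are my assumptions; the guide does not say which hash the device uses. `distribution` runs a set of constructed flows through the selector to show two properties the guide states: the choice depends only on the address pair (every packet of a flow takes the same path, and nothing about current load enters the decision), and the spread across interfaces is roughly even but not guaranteed to be. `moved_when_interface_drops` goes one step further than the text and counts how many flows change path when the link monitor removes an interface from the active set.

```python
import hashlib
import ipaddress
from collections import Counter
from typing import Dict, Sequence, Tuple

HASH_BITS = 16  # width of the key space the regions are carved from (assumption)


def flow_key(src_ip: str, dst_ip: str, bits: int = HASH_BITS) -> int:
    """Hash the (source, destination) address pair to a `bits`-wide key.
    SHA-256 is an assumption for illustration; any stable hash behaves the same way."""
    data = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << bits) - 1)


def ecmp_select(src_ip: str, dst_ip: str, interfaces: Sequence[str],
                bits: int = HASH_BITS) -> str:
    """Hash-threshold next-hop selection (RFC 2992).

    The key space [0, 2**bits) is divided into len(interfaces) regions of equal
    size and the interface owning the key's region is returned. No traffic
    counter is consulted: equal keys always give the same interface.
    """
    if not interfaces:
        raise ValueError("no active external interfaces")
    n = len(interfaces)
    region = (1 << bits) // n
    # the last region absorbs the remainder when 2**bits is not divisible by n
    index = min(flow_key(src_ip, dst_ip, bits) // region, n - 1)
    return interfaces[index]


def distribution(flows: Sequence[Tuple[str, str]], interfaces: Sequence[str]) -> Dict[str, int]:
    """Count how many of the given (src, dst) flows land on each interface."""
    counts: Counter = Counter()
    for src, dst in flows:
        counts[ecmp_select(src, dst, interfaces)] += 1
    return dict(counts)


def moved_when_interface_drops(flows: Sequence[Tuple[str, str]],
                               before: Sequence[str], after: Sequence[str]) -> int:
    """Number of flows that change interface when the active set changes, for
    example after the link monitor marks one external interface down. Because
    the regions are re-drawn, flows that were not on the failed interface can
    move too."""
    return sum(1 for s, d in flows
               if ecmp_select(s, d, before) != ecmp_select(s, d, after))


# Constructed flows: 300 internal hosts, each talking to one of three
# documentation-range addresses (RFC 5737), with no real traffic behind them.
SAMPLE_FLOWS = [("10.0.%d.%d" % (i // 250, i % 250 + 1), "203.0.113.%d" % (i % 3 + 1))
                for i in range(300)]
EXTERNAL = ["eth0", "eth1", "eth2"]

if __name__ == "__main__":
    print(distribution(SAMPLE_FLOWS, EXTERNAL))
    print("flows re-routed after eth2 drops:",
          moved_when_interface_drops(SAMPLE_FLOWS, EXTERNAL, EXTERNAL[:2]))
```

The re-routing count is the practical caveat behind the guide's remark that the Routing Table method does no load balancing: a flow's path is a function of its addresses and the current interface set, so a link flap re-maps flows without regard to how busy the remaining interfaces are.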
Modem (XTM2 Series, 3 Series or 5 Series only)
You can connect an external modem to the USB port on your XTM 2 Series or XTM 33 device and use that connection for failover when all other external interfaces are inactive.
For more information, see Configure Modem Failover on page 238.
Configure Round-Robin
Before You Begin
- To use the multi-WAN feature, you must have more than one external interface configured. If necessary, use the procedure described in Configure an External Interface on page 144.
- Make sure you understand the concepts and requirements for multi-WAN and the method you choose, as described in About Using Multiple External Interfaces on page 227 and About Multi-WAN Options on page 229.
Configure the Interfaces
1. Select Network > Multi-WAN.
2. From the Multi-WAN Mode drop-down list, select Round Robin.
3. If you have Fireware XTM with a Pro upgrade, you can modify the weight associated with each interface. Choose an interface, then type or select a new value in the adjacent Weight field. The default value is 1 for each interface.
For information on interface weight, see Find How to Assign Weights to Interfaces on page 233.
4. To assign an interface to the multi-WAN configuration, select an interface and click Configure.
5. Select the Participate in Multi-WAN check box and click OK.
6. To complete your configuration, you must add link monitor information as described in About WAN Interface Status on page 246.
7. Click Save.
Find How to Assign Weights to Interfaces
If you use Fireware XTM with a Pro upgrade, you can assign a weight to each interface used in your round-robin multi-WAN configuration. By default, each interface has a weight of 1. The weight refers to the proportion of load that the XTM device sends through an interface.
You can use only whole numbers for the interface weights; no fractions or decimals are allowed. For optimal load balancing, you might have to do a calculation to know the whole-number weight to assign for each interface. Use a common multiplier so that the relative proportion of the bandwidth given by each external connection is resolved to whole numbers.
For example, suppose you have three Internet connections. One ISP gives you 6 Mbps, another ISP gives you 1.5 Mbps, and a third gives you 768 Kbps. Convert the proportion to whole numbers:
- First convert the 768 Kbps to approximately .75 Mbps so that you use the same unit of measurement for all three lines. Your three lines are rated at 6, 1.5, and .75 Mbps.
- Multiply each value by 100 to remove the decimals. Proportionally, these are equivalent: [6 : 1.5 : .75] is the same ratio as [600 : 150 : 75].
- Find the greatest common divisor of the three numbers. In this case, 75 is the largest number that evenly divides all three numbers 600, 150, and 75.
- Divide each of the numbers by the greatest common divisor.
The results are 8, 2, and 1. You could use these numbers as weights in a round-robin multi-WAN configuration.
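The weight calculation above, as an added Python example that is not part of the WatchGuard guide: `round_robin_weights` performs the same unit normalisation, decimal removal and greatest-common-divisor reduction, using exact fractions so that floating-point representation of 1.5 or .75 cannot change the result, and `expected_shares` returns the 8/11, 2/11, 1/11 split the Round-Robin Order section quotes. The function names are my own; the only values taken from the page are the three line speeds. The block also shows why the guide rounds 768 Kbps to .75 Mbps rather than using .768: the exact figure produces weights far too large to be practical.

```python
from fractions import Fraction
from functools import reduce
from math import gcd
from typing import List


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def round_robin_weights(bandwidths_mbps: List[float]) -> List[int]:
    """Turn link bandwidths (all already in Mbps) into the smallest whole-number
    weights with the same ratio, following the guide's steps:
      1. same unit for every line (the caller converts Kbps to Mbps first),
      2. scale to remove decimals (the guide multiplies by 100; the LCM of the
         denominators is the smallest scale that works for any input),
      3. divide by the greatest common divisor.
    Fraction(str(x)) keeps 1.5 and .75 exact, so binary floating-point rounding
    never leaks into the result.
    """
    if not bandwidths_mbps or any(b <= 0 for b in bandwidths_mbps):
        raise ValueError("every bandwidth must be a positive number")
    exact = [Fraction(str(b)) for b in bandwidths_mbps]
    scale = reduce(lcm, (f.denominator for f in exact), 1)   # step 2
    whole = [int(f * scale) for f in exact]
    divisor = reduce(gcd, whole)                              # step 3
    return [w // divisor for w in whole]


def expected_shares(weights: List[int]) -> List[Fraction]:
    """Proportion of connections the round-robin method aims to send per interface."""
    total = sum(weights)
    return [Fraction(w, total) for w in weights]


if __name__ == "__main__":
    # The guide's example: 6 Mbps, 1.5 Mbps and 768 Kbps rounded to .75 Mbps.
    w = round_robin_weights([6, 1.5, 0.75])
    print("weights:", w, "shares:", [str(s) for s in expected_shares(w)])
    # Using the exact 0.768 Mbps instead shows why the guide rounds first.
    print("exact 0.768 Mbps:", round_robin_weights([6, 1.5, 0.768]))
```

Weights in the hundreds are legal but pointless: the device only needs the ratio, and rounding the slowest line to a convenient fraction before the calculation keeps the values small enough to read back from the Weight field at a glance.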
Configure Failover
Before You Begin
- To use the multi-WAN feature, you must have more than one external interface configured. If necessary, use the procedure described in Configure an External Interface on page 144.
- Make sure you understand the concepts and requirements for multi-WAN and the method you choose, as described in About Using Multiple External Interfaces on page 227 and About Multi-WAN Options on page 229.
Configure the Interfaces
1. Select Network > Multi-WAN.
2. In the Multi-WAN Mode drop-down list, select Failover.
3. Select an interface in the list and click Up or Down to set the order for failover. The first interface in the list is the primary interface.
4. To complete your configuration, you must add link monitor information as described in About WAN Interface Status on page 246.
For information on advanced multi-WAN configuration options, see About Advanced Multi-WAN
Settings on page 244.
5. Click Save.
Configure Interface Overflow
Before You Begin
- To use the multiple WAN feature, you must have more than one external interface configured. If necessary, use the procedure described in Configure an External Interface on page 144.
- Make sure you understand the concepts and requirements for multi-WAN and the method you choose, as described in About Using Multiple External Interfaces on page 227 and About Multi-WAN Options on page 229.
Configure the Interfaces
1. Select Network > Multi-WAN.
2. From the Multi-WAN Mode drop-down list, select Interface Overflow.
3. In the Threshold field for each interface, type or select the amount of network traffic in megabits per second (Mbps) that the interface must carry before traffic is sent on other interfaces.
4. To set the order of interface operation, select an interface in the table and click Up and Down to change the order. The interfaces are used from first to last in the list.
5. To complete your configuration, you must add information as described in About WAN Interface
Status on page 246.
For information on advanced multi-WAN configuration options, see About Advanced Multi-WAN
Settings on page 244.
Configure Routing Table
Before You Begin
- To use the multi-WAN feature, you must have more than one external interface configured. If necessary, use the procedure described in Configure an External Interface on page 144.
- You must decide whether the Routing Table method is the correct multi-WAN method for your needs. For more information, see When to Use Multi-WAN Methods and Routing on page 237.
- Make sure you understand the concepts and requirements for multi-WAN and the method you choose, as described in About Using Multiple External Interfaces on page 227 and About Multi-WAN Options on page 229.
Routing Table mode and load balancing
It is important to note that the Routing Table option does not do load balancing on connections to the Internet. The XTM device reads its internal route table from top to bottom. Static and dynamic routes that specify a destination appear at the top of the route table and take precedence over default routes. (A default route is a route with destination 0.0.0.0/0.) If there is no specific dynamic or static entry in the route table for a destination, the traffic to that destination is routed among the external interfaces of the XTM device through the use of ECMP algorithms. This may or may not result in even distribution of packets among multiple external interfaces.
Configure the Interfaces
1. Select Network > Multi-WAN.
2. In the Multi-WAN Mode drop-down list, select Routing Table.
3. To add interfaces to the multi-WAN configuration, select an interface and click Configure.
4. Select the Participate in Multi-WAN check box. Click OK.
5. To complete your configuration, you must add link monitor information as described in About WAN Interface Status on page 246.
For information on advanced multi-WAN configuration options, see About Advanced Multi-WAN
Settings on page 244.
About the XTM Device Route Table
When you select the Routing Table configuration option, it is a good idea to know how to look at the routing table that is on your XTM device.
From Fireware XTM Web UI:
Select System Status > Routes.
This shows the internal route table on your XTM device.
Routes in the internal route table on the XTM device include:
- Routes the XTM device learns from dynamic routing processes running on the device (RIP, OSPF, and BGP) if you enable dynamic routing
- Permanent network routes or host routes you add
- Routes the XTM device automatically creates based on the network configuration information
If your XTM device detects that an external interface is down, it removes any static or dynamic routes that use that interface. This is true if the hosts specified in the Link Monitor become unresponsive and if the physical Ethernet link is down.
For more information on interface status and route table updates, see About WAN Interface Status on
page 246.
When to Use Multi-WAN Methods and Routing
If you use dynamic routing, you can use either the Routing Table or Round-Robin multi-WAN
configuration method. Routes that use a gateway on an internal (optional or trusted) network are not
affected by the multi-WAN method you select.
When to Use the Routing Table Method
The Routing Table method is a good choice if:
- You enable dynamic routing (RIP, OSPF, or BGP) and the routers on the external network advertise routes to the XTM device so that the device can learn the best routes to external locations.
- You must get access to an external site or external network through a specific route on an external network. Examples include:
  - You have a private circuit that uses a frame relay router on the external network.
  - You want all traffic to an external location to always go through a specific XTM device external interface.
The Routing Table method is the fastest way to load balance more than one route to the Internet. After you enable this option, the ECMP algorithm manages all connection decisions. No additional configuration is necessary on the XTM device.
When to Use the Round-Robin Method
Load balancing traffic to the Internet using ECMP is based on connections, not bandwidth. Routes configured statically or learned from dynamic routing are used before the ECMP algorithm. If you have Fireware XTM with a Pro upgrade, the weighted round-robin option gives you options to send more traffic through one external interface than another. At the same time, the round-robin algorithm distributes traffic to each external interface based on bandwidth, not connections. This gives you more control over how many bytes of data are sent through each ISP.
Configure Modem Failover
You can configure your Firebox T10, XTM 2 Series, 3 Series, or 5 Series device to send traffic through a modem when it cannot send traffic with any external interface.
Connect a serial or 3G/4G modem to the USB port on the Firebox or XTM device. To use a serial modem, you must have a dial-up account with an ISP (Internet Service Provider). To use a 3G/4G modem, the device must use Fireware XTM OS v11.7.3 or later and you must have a 3G or 4G data plan with a wireless service provider.
Modem failover is supported for these 3G/4G modems:
- AT&T Mobile Hotspot Elevate 4G (requires Fireware XTM v11.9 or higher)
- ZTE MF683 (T-Mobile Rocket 3.0 4G)
- Franklin U602 (Sprint 3G/4G Plug-in-Connect USB)
- Netgear 341U (requires Fireware XTM v11.8.3 or higher)
- Sierra Wireless AirCard 250U (Sprint 3G/4G USB 250U)
- Sierra Wireless AirCard 313U (requires Fireware XTM v11.7.4 or higher)
- Sierra Wireless AirCard 320U (requires Fireware XTM v11.8.1 or higher)
- Verizon Wireless LTE USB551L (requires Fireware XTM v11.7.4 or higher)
Modem failover is supported for these serial modems:
- Zoom FaxModem 56K model 2949
- MultiTech 56K Data/Fax Modem International
- OMRON ME5614D2 Fax/Data Modem
- Hayes 56K V.90 serial fax modem
For XTM 21, 22, and 23 devices, you must use an IOGEAR GUC323A USB to Serial RS-232 adapter to connect the serial modem to the USB port on the XTM device.
Enable Modem Failover
1. Select Network > Modem.
The Modem page appears.
2. Select the Enable Modem for Failover when all External interfaces are down check box.
3. Complete the Account, DNS, Dial-Up, and Link Monitor settings, as described in the
subsequent sections.
4. Click Save.
Account Settings
In the Dial Up Account Settings section, you configure the settings your modem uses to connect.
Serial Modem
For a serial modem, all account settings are required.
1. Select the Account tab.
2. In the Telephone number text box, type the telephone number of your ISP.
3. If you have another number for your ISP, in the Alternate Telephone number text box, type
that number.
4. In the Account name text box, type your dial-up account name.
5. If you log in to your account with a domain name, in the Account domain text box, type the
domain name.
For example, msn.com.
6. In the Account password text box, type the password you use to connect to your dial-up
account.
3G/4G Modem
For a 3G or 4G modem, the telephone number is the access number specified by your wireless service provider. Examples of 3G and 4G access numbers are *99#, *99****1#, and #777. The settings for account name, domain, and password are not required for all 3G/4G modems. To determine the requirements for your modem, contact your wireless service provider.
1. Select the Account tab.
2. Select the Enable 3G/4G modem support check box.
If a Telephone number is not already specified, it is set to *99# by default.
3. If necessary, change the Telephone number to the access number required by your wireless
service provider.
4. If you have another access number for your wireless service provider, in the Alternate
Telephone number text box, type that number.
5. If necessary, type the Account name, Account domain, and Account password the modem
must use to connect to your account.
Enable Modem Failover Debug Log Messages
If you have problems with your connection, select the Enable modem and PPP debug trace check box. When this option is selected, the Firebox or XTM device sends detailed log messages to the event log file when a modem failover occurs.
DNS Settings
If your ISP or wireless service provider does not provide DNS server information, or if you must use a different DNS server, you can manually add the IP addresses for a DNS server to use after failover occurs.
1. Select the DNS tab.
The DNS Settings page appears.
2. Select the Manually configure DNS server IP addresses check box.
3. In the Primary DNS server text box, type the IP address of the primary DNS server.
4. If you have a secondary DNS server, in the Secondary DNS server text box, type the IP
address for the secondary server.
5. In the MTU text box, for compatibility purposes, you can set the Maximum Transmission Unit (MTU) to a different value. Most users can keep the default setting.
Dial-Up Settings
1. Select the Dial Up tab.
The Dialing Options page appears.
2. In the Dial up timeout text box, type or select the number of seconds before a timeout occurs if your modem does not connect. The default value is two (2) minutes.
3. In the Redial attempts text box, type or select the number of times the XTM device tries to redial if your modem does not connect. The default value is three (3) connection attempts.
4. In the Inactivity Timeout text box, type or select the number of minutes to wait if no traffic goes through the modem before a timeout occurs. The default value is no timeout (0 minutes).
5. From the Speaker volume drop-down list, select the speaker volume for your modem.
Advanced Settings
Some dial-up ISPs or wireless service providers require that you specify one or more PPP options in
order to connect. In China, for example, some ISPs require that you use the PPP option receive-all.
The receive-all option causes PPP to accept all control characters from the peer.
1. Select the Advanced tab.
2. In the PPP options text box, type the required PPP options.
To specify more than one PPP option, separate each option with a comma.
Link Monitor Settings
The Link Monitor is a tool you can use to verify the status of each external interface on your Firebox or XTM device. When you configure the modem settings on your Firebox or XTM device, you can set options to test one or more external interfaces for an active connection. When an external interface becomes active again, the device no longer sends traffic over the modem. Instead, it uses the available external interface or interfaces. You can configure the Link Monitor to ping a site or device on the external interface, create a TCP connection with a site and port number you specify, or both. You can also set the time interval between each connection test, and configure the number of times a test must fail or succeed before an interface is activated or deactivated.
To configure the link monitor settings for an interface:
1. Select the Link Monitor tab.
The ping and TCP connection options you set for each external interface appear.
2. Select an interface from the list and click Configure.
The Link Monitor dialog box appears.
3. To ping a location or device on the external network, select the Ping check box. In the adjacent text box, type an IP address or host name.
4. To create a TCP connection to a location or device on the external network, select the TCP check box. In the adjacent text box, type an IP address or host name.
(Optional) In the Port text box, type or select a port number.
The default port number is 80 (HTTP).
5. To require successful ping and TCP connections before an interface is marked as active, select the Both Ping and TCP must be successful check box.
6. To change the time interval between connection attempts, in the Probe interval text box, type or select a different number.
The default setting is 15 seconds.
7. To change the number of failures that mark an interface as inactive, in the Deactivate after text box, type or select a different number.
The default value is three (3) connection attempts.
8. To change the number of successful connections that mark an interface as active, in the Reactivate after text box, type or select a different number.
The default value is three (3) connection attempts.
9. Click OK.
About Advanced Multi-WAN Settings
You can configure sticky connections, failback, and notification of multi-WAN events. Not all settings are available for every multi-WAN configuration option. If a setting does not apply to the multi-WAN configuration option you selected, those fields are not active.
To configure multi-WAN settings:
1. Select Network > Multi-WAN.
2. Select the Advanced Settings tab.
3. Configure Sticky Connection Duration, Failback for Active Connections, and Notification Settings as described in the subsequent sections.
4. Click Save.
Set a Global Sticky Connection Duration
A sticky connection is a connection that continues to use the same WAN interface for a defined period of time. You can set sticky connection parameters if you use the Routing Table, Round-robin, or Interface Overflow options for multi-WAN. Stickiness makes sure that, if a packet goes out through an external interface, any future packets between the source and destination IP address pair use the same external interface for a specified period of time. By default, sticky connections use the same interface for 3 minutes.
If a policy definition contains a sticky connection setting, the policy setting is used instead of the global setting.
To change the global sticky connection duration for a protocol or set of protocols:
1. In the text box for the protocol, type or select a number.
2. In the adjacent drop-down list, select a time duration.
If you set a sticky connection duration in a policy, you can override the global sticky connection duration. For more information, see Set the Sticky Connection Duration for a Policy on page 636.
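The sticky-connection behaviour described above, as an added example that is not part of the guide or of WatchGuard's own code: a round-robin selector that remembers, for each source and destination IP address pair, which external interface the first packet used, and reuses it until the duration expires. The global default of 3 minutes and the policy override follow the guide; the interface names, the injected clock, the constructed flows, and the choice not to extend an entry when a later packet hits it are this example's own assumptions.

```python
"""Sticky connections over round-robin multi-WAN (added example, not WatchGuard code)."""
from itertools import cycle
from typing import Dict, List, Optional, Tuple


class StickyRoundRobin:
    """Pins each (source IP, destination IP) pair to one external interface.

    The global default duration is 3 minutes (180 s), as in the guide. A
    policy-level duration, when given, overrides the global value. The clock
    is passed in by the caller so the behaviour can be replayed offline.
    """

    def __init__(self, interfaces: List[str], global_duration_s: int = 180) -> None:
        self._next_iface = cycle(interfaces)            # round-robin order
        self.global_duration_s = global_duration_s
        # (src, dst) -> (interface, expiry time in seconds)
        self._table: Dict[Tuple[str, str], Tuple[str, float]] = {}

    def duration_for(self, policy_duration_s: Optional[int] = None) -> int:
        """Policy sticky duration overrides the global one when set."""
        return self.global_duration_s if policy_duration_s is None else policy_duration_s

    def select(self, src: str, dst: str, now_s: float,
               policy_duration_s: Optional[int] = None) -> str:
        """Return the external interface to use for a packet from src to dst."""
        key = (src, dst)
        entry = self._table.get(key)
        if entry is not None and entry[1] > now_s:
            return entry[0]                             # sticky hit: reuse interface
        # No entry or expired: pick the next interface in round-robin order.
        # Assumption: the expiry is fixed when the entry is created and is not
        # extended by later packets; the guide does not specify this detail.
        iface = next(self._next_iface)
        self._table[key] = (iface, now_s + self.duration_for(policy_duration_s))
        return iface


def demo() -> List[str]:
    """Constructed traffic: three flows at t=0, then the first flow again inside
    and outside its 180 s sticky window, then a flow under a policy whose sticky
    duration is 60 s."""
    selector = StickyRoundRobin(["Eth0", "Eth1"])
    return [
        selector.select("10.0.1.10", "198.51.100.5", now_s=0),    # Eth0 (new flow)
        selector.select("10.0.1.11", "198.51.100.6", now_s=0),    # Eth1 (new flow)
        selector.select("10.0.1.12", "198.51.100.7", now_s=0),    # Eth0 (new flow)
        selector.select("10.0.1.10", "198.51.100.5", now_s=100),  # Eth0 (sticky hit)
        selector.select("10.0.1.10", "198.51.100.5", now_s=181),  # Eth1 (entry expired)
        selector.select("10.0.1.13", "198.51.100.8", now_s=200, policy_duration_s=60),  # Eth0
        selector.select("10.0.1.13", "198.51.100.8", now_s=261, policy_duration_s=60),  # Eth1
    ]
```

The last two calls show why a short policy-level duration matters for protocols that open many short connections: after 60 seconds the pair is re-balanced, while the global 3-minute value would have kept it on Eth0.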
Set the Failback Action
You can set the action you want your XTM device to take when a failover event has occurred and the primary external interface becomes active again. When this occurs, all new connections immediately fail back to the primary external interface. You select the method you want to use for connections in process at the time of failback.
In the Failback for Active Connections drop-down list:
- Immediate failback: Select this option if you want the XTM device to immediately stop all existing connections.
- Gradual failback: Select this option if you want the XTM device to continue to use the failover interface for existing connections until each connection is complete.
This failback setting also applies to any policy-based routing configuration you set to use failover external interfaces.
Set Notification Settings
Log messages are always created for multi-WAN failover events.
To configure notification settings for multi-WAN failover and failback events:
1. Click Notification.
2. Select a notification method: SNMP trap, email message, or pop-up window.
For more information about notification settings, see Set Logging and Notification Preferences on page 882.
About WAN Interface Status
You can choose the method and frequency you want the XTM device to use to check the status of each WAN interface. If you do not configure a specified method for the XTM device to use, it pings the interface default gateway to check interface status.
We recommend that you configure one or two link monitor hosts for each external interface. Select targets that have a record of high uptime, such as servers hosted by your ISP. If there is a remote site that is critical to your business operations, such as a credit card processing site or business partner, it may be worthwhile to ask the administrator at that site if they have a device that you can use as a monitoring target to verify connectivity to their site.
Time Needed for the XTM Device to Update its Route Table
If a link monitor host does not respond, it can take from 40 to 60 seconds for the XTM device to update its route table. When the same link monitor host starts to respond again, it can take from 1 to 60 seconds for your XTM device to update its route table.
The update process is much faster when your XTM device detects a physical disconnect of the Ethernet port. When this happens, the XTM device updates its route table immediately. When your XTM device detects the Ethernet connection is back up, it updates its route table within 20 seconds.
Define a Link Monitor Host
1. Select Network > Multi-WAN.
2. Select the interface and click Configure.
The Link Monitor Details dialog box appears.
3. Select the check boxes for each link monitor method you want the XTM device to use to check the status of each external interface:
- Ping: Add an IP address or domain name for the XTM device to ping to check for interface status.
- TCP: Add the IP address or domain name of a computer that the XTM device can negotiate a TCP handshake with to check the status of the WAN interface.
- Both ping and TCP must be successful: The interface is considered inactive unless both a ping and TCP connection complete successfully.
If an external interface is a member of a FireCluster configuration, a multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond. If you add a domain name for the XTM device to ping and any one of the external interfaces has a static IP address, you must configure a DNS server, as described in Add WINS and DNS Server Addresses on page 180.
4. To configure the frequency you want the XTM device to use to check the status of the interface, type or select a Probe after setting.
The default setting is 15 seconds.
5. To change the number of consecutive probe failures that must occur before failover, type or select a Deactivate after setting.
The default setting is three (3). After the selected number of failures, the XTM device starts to send traffic through the next specified interface in the multi-WAN failover list.
6. To change the number of consecutive successful probes through an interface before an interface that was inactive becomes active again, type or select a Reactivate after setting.
7. Repeat these steps for each external interface.
8. Click Save.
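The link monitor counters described in the Link Monitor Settings section and in the Define a Link Monitor Host procedure above, as an added example that is not WatchGuard's code: a small state machine that folds each probe round into a success or failure, counts consecutive results against the Deactivate after and Reactivate after settings, and reports when the interface would be marked inactive or active again. The probe results are constructed rather than sent; the rule that either method suffices when "Both ping and TCP must be successful" is not selected, and the relation between the default counters and the 40 to 60 second figure quoted above, are this example's own assumptions.

```python
"""Link monitor counters (added example, not WatchGuard code)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class LinkMonitor:
    """Tracks one external interface's link monitor state.

    Mirrors the settings the guide describes: which probe methods are enabled,
    whether both must succeed, and the Deactivate after / Reactivate after
    counts (both default to 3 consecutive results).
    """
    name: str
    ping_enabled: bool = True
    tcp_enabled: bool = False
    both_required: bool = False      # "Both ping and TCP must be successful"
    deactivate_after: int = 3        # consecutive failures -> inactive
    reactivate_after: int = 3        # consecutive successes -> active again
    active: bool = True
    consecutive_failures: int = 0
    consecutive_successes: int = 0
    events: List[str] = field(default_factory=list)

    def probe_succeeded(self, ping_ok: bool, tcp_ok: bool) -> bool:
        """Fold one round of probe results into a single success/failure."""
        results = []
        if self.ping_enabled:
            results.append(ping_ok)
        if self.tcp_enabled:
            results.append(tcp_ok)
        if not results:
            # No method configured: the guide says the device pings the
            # interface default gateway; the caller passes that as ping_ok.
            return ping_ok
        if self.both_required:
            return all(results)
        # Assumption: without the "both" option, either method succeeding
        # counts as a successful probe round.
        return any(results)

    def record(self, ping_ok: bool, tcp_ok: bool) -> bool:
        """Apply one probe round and return whether the interface is active."""
        if self.probe_succeeded(ping_ok, tcp_ok):
            self.consecutive_successes += 1
            self.consecutive_failures = 0
            if not self.active and self.consecutive_successes >= self.reactivate_after:
                self.active = True
                self.events.append(f"{self.name}: reactivated")
        else:
            self.consecutive_failures += 1
            self.consecutive_successes = 0
            if self.active and self.consecutive_failures >= self.deactivate_after:
                self.active = False
                self.events.append(f"{self.name}: deactivated, failover to next interface")
        return self.active


def run_probes(monitor: LinkMonitor, rounds: List[Tuple[bool, bool]]) -> List[bool]:
    """Replay constructed (ping_ok, tcp_ok) results; return the active state after each."""
    return [monitor.record(ping_ok, tcp_ok) for ping_ok, tcp_ok in rounds]


def worst_case_failover_delay_s(monitor: LinkMonitor, probe_interval_s: int = 15) -> int:
    """Seconds of consecutive probe failures before the interface is marked inactive.

    With the defaults (3 failures, 15 s interval) this is 45 s, which sits inside
    the 40 to 60 seconds the guide quotes for a route table update. Tying the two
    figures together is this example's inference, not a documented formula.
    """
    return monitor.deactivate_after * probe_interval_s


def demo() -> List[bool]:
    """Constructed probe history for an interface with ping and TCP enabled and
    "Both ping and TCP must be successful" selected: a single TCP failure already
    counts against the interface, three failures deactivate it, three successes
    bring it back."""
    mon = LinkMonitor("Eth0", ping_enabled=True, tcp_enabled=True, both_required=True)
    rounds = [(True, True), (True, False), (False, False), (False, False),
              (True, True), (True, True), (True, True)]
    return run_probes(mon, rounds)
```

When tuning these values, note the asymmetry the guide describes: a failed link monitor host takes several probe intervals to act on, while a physical link loss updates the route table immediately, so a monitor host that is flaky but reachable is worse than one that fails cleanly.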
8 Network Address Translation (NAT)
About Network Address Translation
Network Address Translation (NAT) is a term used to describe any of several forms of IP address and port translation. At its most basic level, NAT changes the IP address of a packet from one value to a different value.
The primary purposes of NAT are to increase the number of computers that can operate off a single publicly routable IP address, and to hide the private IP addresses of hosts on your LAN. When you use NAT, the source IP address is changed on all the packets you send.
You can apply NAT as a general firewall setting, or as a setting in a policy. Firewall NAT settings do not apply to BOVPN policies.
If you have Fireware XTM with a Pro upgrade, you can configure server load balancing as part of an SNAT rule. The server load balancing feature is designed to help you increase the scalability and performance of a high-traffic network with multiple public servers protected by your XTM device. With server load balancing, you can have the XTM device control the number of sessions initiated to multiple servers for each firewall policy you configure. The XTM device controls the load based on the number of sessions in use on each server. The XTM device does not measure or compare the bandwidth that is used by each server.
For more information on server load balancing, see Configure Server Load Balancing on page 275.
Types of NAT
The XTM device supports three different types of NAT. Your configuration can use more than one type of NAT at the same time. You apply some types of NAT to all firewall traffic, and other types as a setting in a policy.
Dynamic NAT
Dynamic NAT is also known as IP masquerading. The XTM device can apply its public IP address to the outgoing packets for all connections or for specified services. This hides the real IP address of the computer that is the source of the packet from the external network. Dynamic NAT is generally used to hide the IP addresses of internal hosts when they get access to public services.
For more information, see About Dynamic NAT on page 250.
Static NAT
Static NAT is also known as port forwarding. You configure static NAT in an SNAT action and then use that action when you configure policies. Static NAT is a port-to-host NAT. A host sends a packet from the external network to a port on an external interface. Static NAT changes this IP address to an IP address and port behind the firewall.
For more information, see Configure Static NAT on page 271.
1-to-1 NAT
1-to-1 NAT creates a mapping between IP addresses on one network and IP addresses on a different network. This type of NAT is often used to give external computers access to your public, internal servers.
For more information, see About 1-to-1 NAT on page 260.
About Dynamic NAT
Dynamic NAT is the most frequently used type of NAT. It changes the source IP address of an outgoing connection to the public IP address of the XTM device. Outside the XTM device, you see only the external interface IP address of the XTM device on outgoing packets.
Many computers can connect to the Internet from one public IP address. Dynamic NAT gives more security for internal hosts that use the Internet, because it hides the IP addresses of hosts on your network. With dynamic NAT, all connections must start from behind the XTM device. Malicious hosts cannot start connections to the computers behind the XTM device when the XTM device is configured for dynamic NAT.
In most networks, the recommended security policy is to apply NAT to all outgoing packets. With Fireware XTM, dynamic NAT is enabled by default for traffic from all private IP addresses to the external network. You can edit, delete, or add network dynamic NAT rules. For more information, see Add Network Dynamic NAT Rules.
By default, all policies use the network dynamic NAT rules configured for the device. You can override the network dynamic NAT setting in your individual policies. For more information, see Configure Policy-Based Dynamic NAT.
You can set the source IP address for traffic that matches a dynamic NAT rule or policy. For more information, see About Dynamic NAT Source IP Addresses.
Add Network Dynamic NAT Rules
The default configuration of dynamic NAT enables dynamic NAT from all private IP addresses to the external network. The default entries are:
- 192.168.0.0/16 to Any-External
- 172.16.0.0/12 to Any-External
- 10.0.0.0/8 to Any-External
These three network addresses are the private networks reserved by the Internet Engineering Task Force (IETF) and usually are used for the IP addresses on LANs. To enable dynamic NAT for private IP addresses other than these, you must add dynamic NAT rules for them. The XTM device applies the dynamic NAT rules in the sequence that the entries appear in the Dynamic NAT list. We recommend that you put the rules in a sequence that matches the volume of traffic the rules apply to.
By default, dynamic NAT rewrites the source IP address of packets to use the primary IP address of the interface from which the packet is sent. When you add a dynamic NAT rule, you can optionally specify a different source IP address to use for packets that match that rule.
1. Select Network > NAT.
The NAT settings page appears.
2. In the Dynamic NAT section, click Add.
The Dynamic NAT configuration page appears.
3. In the From section, click the Member type drop-down list to select the type of address to use to specify the source of the outgoing packets: Host IP, Network IP, Host Range, or Alias.
4. In the From section, below the Member type drop-down list, type the host IP address, network IP address, or host IP address range, or select an alias in the drop-down list.
You must type a network address in slash notation.
For more information about built-in XTM device aliases, see About Aliases on page 613.
5. In the To section, click the Member Type drop-down list to select the type of address to use to specify the destination of the outgoing packets.
6. In the To section, below the Member Type drop-down list, type the host IP address, network IP address, or host IP address range, or select an alias in the drop-down list.
7. Select the Set source IP check box if you want to specify a different source IP address to use for this rule. Type the source IP address to use in the adjacent text box.
If you set the source IP address, the XTM device changes the source IP address for packets that match this rule to the source IP address you specify. The source IP address must be on the same subnet as the primary or secondary IP address of the interface you specified as the To location in the dynamic NAT rule.
If you set the source IP address, and the To location in the network dynamic NAT rule specifies an alias, such as Any-External, that includes more than one interface, the source IP address is used only for traffic that leaves an interface that has an IP address on the same subnet as the source IP address.
For more information, see About Dynamic NAT Source IP Addresses.
Delete a Dynamic NAT Rule
You cannot change an existing dynamic NAT rule. If you want to change an existing rule, you must delete the rule and add a new one.
To delete a dynamic NAT rule:
1. Select the rule to delete.
2. Click Remove.
A warning message appears.
3. Click OK.
Reorder Dynamic NAT Rules
To change the sequence of the dynamic NAT rules:
1. Select the rule to change.
2. Click Up or Down to move it in the list.
Configure Policy-Based Dynamic NAT
In policy-based dynamic NAT, the XTM device maps private IP addresses to public IP addresses. Dynamic NAT is enabled in the default configuration of each policy. You do not have to enable it unless you previously disabled it.
For policy-based dynamic NAT to work correctly, use the Policy tab of the Edit Policy Properties dialog box to make sure the policy is configured to allow traffic out through only one XTM device interface.
1-to-1 NAT rules have higher precedence than dynamic NAT rules. Policy-based dynamic NAT has higher precedence than network dynamic NAT.
To configure dynamic NAT settings in a policy:
1. Select Firewall > Firewall Policies.
The Firewall Policies list appears.
2. Select a policy.
3. From the Action drop-down list, select Edit Policy.
4. Click the Advanced tab.
5. Select the Dynamic NAT check box.
6. If you want to use the dynamic NAT rules set for the XTM device, select Use Network NAT Settings.
This is the default setting.
7. If you want to apply dynamic NAT to all traffic in this policy, select All traffic in this policy.
If you select All traffic in this policy, the XTM device changes the source IP address for each packet handled by this policy to the primary IP address of the interface from which the packet is sent, or the source IP address configured in the network dynamic NAT settings. You can optionally set a different dynamic NAT source IP address for traffic handled by this policy.
To set the source IP address in the policy:
1. Select the Set source IP check box.
2. In the adjacent text box, type the source IP address to use for traffic handled by this policy. This source address must be on the same subnet as the primary or secondary IP address of the interface you specified for outgoing traffic.
When you select a source IP address, any traffic that uses this policy shows the specified address from your public or external IP address range as the source. This is most often used to force outgoing SMTP traffic to show the MX record address for your domain when the IP address on the XTM device external interface is not the same as your MX record IP address.
We recommend that you do not use the Set source IP option if you have more than one external interface configured on your XTM device. If you use the Set source IP option in a policy, do not enable policy-based routing with failover in the policy settings.
For more information about dynamic NAT source IP addressing options, see About Dynamic NAT Source IP Addresses.
Disable Policy-Based Dynamic NAT
Dynamic NAT is enabled in the default configuration of each policy. To disable dynamic NAT for a policy:
1. Select Firewall > Firewall Policies.
The Firewall Policies list appears.
2. Select a policy.
The Policies page appears.
3. From the Action drop-down list, select Edit Policy.
4. Click the Advanced tab.
5. To disable NAT for the traffic controlled by this policy, clear the Dynamic NAT check box.
About Dynamic NAT Source IP Addresses
In the default dynamic NAT configuration, the XTM device changes the source IP address for traffic that goes out an external interface to the primary IP address of the external interface the traffic leaves. You can optionally configure dynamic NAT to use a different source IP address. You can set the dynamic NAT source IP address in a network NAT rule or in the NAT settings for a policy. When you select a source IP address, dynamic NAT uses the specified source IP address for any traffic that matches the dynamic NAT rule or policy.
Whether you specify the source IP address in a network dynamic NAT rule or in a policy, it is important that the source IP address is on the same subnet as the primary or secondary IP address of the interface from which the traffic is sent. It is also important to make sure that the traffic the rule applies to goes out through only one interface.
If the dynamic NAT source IP address is not on the same subnet as the primary or secondary IP address of the outgoing interface for that traffic, the XTM device does not change the source IP address for each packet to the source IP address specified in the dynamic NAT rule. Instead, it changes the source IP address to the primary IP address of the interface from which the packet is sent.
Set the Dynamic NAT Source IP Address in a Network Dynamic NAT Rule
If you have a WatchGuard XTM 21, 22, or 23 device, this feature is not available for your device.
If you want to set the source IP address for traffic that matches a dynamic NAT rule, regardless of any policies that apply to the traffic, add a network dynamic NAT rule that specifies the source IP address. The source IP address you specify must be on the same subnet as the primary or secondary IP address of the interface the traffic leaves.
If the To location in the network dynamic NAT rule specifies an alias, such as Any-External, that includes more than one interface, the source IP address is used only for traffic that leaves an interface that has an IP address on the same subnet as the source IP address.
For example, if:
- Your XTM device has two external interfaces, Eth0 (203.0.113.2) and Eth1 (192.0.2.2).
- You create a dynamic NAT rule for all traffic to Any-External.
- In the dynamic NAT rule, you set a source IP address of 203.0.113.80.
The result is:
- For traffic that leaves Eth0, the source IP address is the IP address in the dynamic NAT rule, 203.0.113.80.
- For traffic that leaves Eth1, the source IP address is the Eth1 interface IP address, 192.0.2.2.
For more information, see Add Network Dynamic NAT Rules.
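The source IP selection rule from the Eth0/Eth1 example above, as an added example that is not part of the guide or of WatchGuard's code: the configured source address is honoured only when it lies on the same subnet as the primary or a secondary IP address of the interface the packet leaves, otherwise the interface primary address is used, and a policy-level source takes precedence over the network rule. The Eth0, Eth1, and 203.0.113.80 values are the guide's; the /24 masks, the secondary-address case, and all function and field names are this example's own assumptions.

```python
"""Dynamic NAT source IP selection (added example, not WatchGuard code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Interface:
    """An external interface with its primary and optional secondary addresses.

    Addresses are written in CIDR form because the subnet is what the rule
    checks; the /24 masks used below are assumptions, the guide gives only IPs.
    """
    name: str
    primary: str
    secondaries: List[str] = field(default_factory=list)

    @property
    def primary_ip(self) -> str:
        return str(ipaddress.ip_interface(self.primary).ip)

    def on_local_subnet(self, addr: str) -> bool:
        """True if addr lies in the subnet of the primary or any secondary IP."""
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_interface(a).network
                   for a in [self.primary, *self.secondaries])


def dynamic_nat_source(egress: Interface, configured_source: Optional[str]) -> str:
    """Source IP that dynamic NAT writes into a packet leaving `egress`.

    The configured "Set source IP" value is used only when it is on the same
    subnet as the primary or secondary IP of the outgoing interface; otherwise
    the device falls back to the interface primary IP, as the guide's note on
    mismatched subnets describes.
    """
    if configured_source is not None and egress.on_local_subnet(configured_source):
        return configured_source
    return egress.primary_ip


def select_source(egress: Interface, network_rule_source: Optional[str],
                  policy_source: Optional[str]) -> str:
    """Policy-based dynamic NAT takes precedence over the network dynamic NAT rule."""
    if policy_source is not None:
        return dynamic_nat_source(egress, policy_source)
    return dynamic_nat_source(egress, network_rule_source)


# The guide's example: two external interfaces and a rule to Any-External
# whose source IP is 203.0.113.80 (subnet masks assumed).
ETH0 = Interface("Eth0", "203.0.113.2/24")
ETH1 = Interface("Eth1", "192.0.2.2/24")
RULE_SOURCE = "203.0.113.80"


def demo() -> Dict[str, str]:
    """Source address stamped on traffic that matches the rule, per egress interface."""
    return {iface.name: dynamic_nat_source(iface, RULE_SOURCE) for iface in (ETH0, ETH1)}
```

Running `demo()` reproduces the two outcomes listed above: Eth0 traffic leaves as 203.0.113.80, Eth1 traffic silently falls back to 192.0.2.2. That silent fallback is the thing to check when an upstream party reports an unexpected source address, such as mail rejected because it does not arrive from the MX address.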
Set the Dynamic NAT Source IP Address in a Policy
If you want to set the source IP address for traffic handled by a specific policy, configure the source IP address in the network settings of the policy. The source IP address you specify must be on the same subnet as the primary or secondary IP address of the interface you specified for outgoing traffic in the policy.
We recommend that you do not use the Set source IP option in a policy if you have more than one external interface configured on your XTM device. If you use the Set source IP option in a policy, do not enable policy-based routing with failover in the policy settings.
For more information, see Configure Policy-Based Dynamic NAT.
About 1-to-1 NAT
When you enable 1-to-1 NAT, your XTM device changes the routes for all incoming and outgoing packets sent from one range of addresses to a different range of addresses. A 1-to-1 NAT rule always has precedence over dynamic NAT.
1-to-1 NAT is frequently used when you have a group of internal servers with private IP addresses that must be made public. You can use 1-to-1 NAT to map public IP addresses to the internal servers. You do not have to change the IP address of your internal servers. When you have a group of similar servers (for example, a group of email servers), 1-to-1 NAT is easier to configure than static NAT for the same group of servers.
To understand how to configure 1-to-1 NAT, we give this example:
Company ABC has a group of five privately addressed email servers behind the trusted interface of their XTM device. These addresses are:
10.0.1.1
10.0.1.2
10.0.1.3
10.0.1.4
10.0.1.5
Company ABC selects five public IP addresses from the same network address as the external interface of their XTM device, and creates DNS records for the email servers to resolve to. These addresses are:
203.0.113.1
203.0.113.2
203.0.113.3
203.0.113.4
203.0.113.5
Company ABC configures a 1-to-1 NAT rule for their email servers. The 1-to-1 NAT rule builds a static, bi-directional relationship between the corresponding pairs of IP addresses. The relationship looks like this:
10.0.1.1 <--> 203.0.113.1
10.0.1.2 <--> 203.0.113.2
10.0.1.3 <--> 203.0.113.3
10.0.1.4 <--> 203.0.113.4
10.0.1.5 <--> 203.0.113.5
When the 1-to-1 NAT rule is applied, your XTM device creates the bi-directional routing and NAT relationship between the pool of private IP addresses and the pool of public addresses. 1-to-1 NAT also operates on traffic sent from networks that your XTM device protects.
About 1-to-1 NAT and VPNs
When you create a VPN tunnel, the networks at each end of the VPN tunnel must have different network address ranges. You can use 1-to-1 NAT when you must create a VPN tunnel between two networks that use the same private network address. If the network range on the remote network is the same as on the local network, you can configure the VPN to use 1-to-1 NAT.
- For a BOVPN virtual interface, you configure 1-to-1 NAT the same way as you would for any other interface. You can select the BOVPN virtual interface name as the interface for 1-to-1 NAT.
- For a branch office VPN tunnel that is not a BOVPN virtual interface, you must configure 1-to-1 NAT in the branch office VPN gateway and tunnel settings. For more information, see Use 1-to-1 NAT Through a Branch Office VPN Tunnel on page 1071.
Configure Firewall 1-to-1 NAT
To configure 1-to-1 NAT for any interface:
1. Select Network > NAT.
The NAT settings page appears.
2. In the 1-to-1 NAT section, click Add.
The 1-to-1 NAT configuration page appears.
3. In the Map Type drop-down list, select Single IP (to map one host), IP range (to map a range of hosts), or IP subnet (to map a subnet).
If you select IP range or IP subnet, do not specify a subnet or range that includes more than 256 IP addresses. If you want to apply 1-to-1 NAT to more than 256 IP addresses, you must create more than one rule.
4. Configure the settings in the Configuration section.
For more information, see the subsequent Define a 1-to-1 NAT Rule section.
5. Click Save.
6. Add the NAT IP addresses to the appropriate policies.
- For a policy that manages outgoing traffic, add the Real Base IP addresses to the From section of the policy configuration.
- For a policy that manages incoming traffic, add the NAT Base IP addresses to the To section of the policy configuration.
In the previous example, where we used 1-to-1 NAT to give access to a group of email servers described in About 1-to-1 NAT on page 260, we must configure the SMTP policy to allow SMTP traffic. To complete this configuration, you must change the policy settings to allow traffic from the external network to the IP address range 10.1.1.1 to 10.1.1.5.
1. Add a new policy, or modify an existing policy.
2. Adjacent to the From list, click Add.
3. Select the alias Any-External and click OK.
4. Adjacent to the To list, click Add.
5. To add one IP address at a time, select Host IP from the drop-down list and type the IP address in the adjacent text box. Click OK.
6. Repeat Steps 3 and 4 for each IP address in the NAT address range.
To add several IP addresses at once, select Host Range in the drop-down list. Type the first and last IP addresses from the NAT Base range and click OK.
To connect to a computer located on a different interface that uses 1-to-1 NAT, you must use that computer's public (NAT base) IP address. If this is a problem, you can disable 1-to-1 NAT and use static NAT.
Define a 1-to-1 NAT Rule
In each 1-to-1 NAT rule, you can configure a host, a range of hosts, or a subnet. You must also configure:
Interface
The name of the Ethernet interface on which 1-to-1 NAT is applied. Your XTM device applies 1-to-1 NAT for packets sent in to, and out of, the interface. In our example above, the rule is applied to the external interface.
NAT base
When you configure a 1-to-1 NAT rule, you configure the rule with a from and a to range of IP addresses. The NAT base is the first available IP address in the to range of addresses. The NAT base IP address is the address that the real base IP address changes to when the 1-to-1 NAT is applied. You cannot use the IP address of an existing Ethernet interface as your NAT base. In our example above, the NAT base is 203.0.113.11.
Real base
When you configure a 1-to-1 NAT rule, you configure the rule with a from and a to range of IP addresses. The Real base is the first available IP address in the from range of addresses. It is the IP address assigned to the physical Ethernet interface of the computer to which you will apply the 1-to-1 NAT policy. When packets from a computer with a real base address go through the specified interface, the 1-to-1 action is applied. In the example above, the Real base is 10.0.1.11.
Number of hosts to NAT (for ranges only)
The number of IP addresses in a range to which the 1-to-1 NAT rule applies. The first real base IP address is translated to the first NAT base IP address when 1-to-1 NAT is applied. The second real base IP address in the range is translated to the second NAT base IP address when 1-to-1 NAT is applied. This is repeated until the Number of hosts to NAT is reached. In the example above, the number of hosts to apply NAT to is 5.
For an example of how to use 1-to-1 NAT, see 1-to-1 NAT Example.
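The three rule fields just defined (Real base, NAT base, Number of hosts to NAT), applied as the static, bi-directional mapping the Company ABC example describes, as an added example that is not part of the guide or of WatchGuard's code. It translates an outbound source from the real range to the NAT range and an inbound destination the other way, enforces the 256-address limit per rule and the rule that the NAT base may not be an interface address, and shows 1-to-1 NAT taking precedence over dynamic NAT for a matching source. The Company ABC addresses are the guide's; the class, function, and field names, and the interface name "External", are this example's own.

```python
"""1-to-1 NAT rule as a bidirectional mapping (added example, not WatchGuard code)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class OneToOneRule:
    """The fields the guide lists: interface, Real base, NAT base, Number of hosts."""
    interface: str
    real_base: str        # first private (from) address
    nat_base: str         # first public (to) address
    num_hosts: int = 1

    def __post_init__(self) -> None:
        # The guide limits a single IP range or IP subnet rule to 256 addresses.
        if not 1 <= self.num_hosts <= 256:
            raise ValueError("one 1-to-1 NAT rule covers at most 256 addresses")
        ipaddress.ip_address(self.real_base)   # raises on malformed input
        ipaddress.ip_address(self.nat_base)

    def _offset(self, addr: str, base: str) -> Optional[int]:
        """Position of addr in the range starting at base, or None if outside it."""
        off = int(ipaddress.ip_address(addr)) - int(ipaddress.ip_address(base))
        return off if 0 <= off < self.num_hosts else None

    def real_to_nat(self, real_ip: str) -> Optional[str]:
        """Outbound: rewrite a real (private) source to its NAT (public) address."""
        off = self._offset(real_ip, self.real_base)
        return None if off is None else str(ipaddress.ip_address(self.nat_base) + off)

    def nat_to_real(self, nat_ip: str) -> Optional[str]:
        """Inbound: rewrite a NAT (public) destination to the real address behind it."""
        off = self._offset(nat_ip, self.nat_base)
        return None if off is None else str(ipaddress.ip_address(self.real_base) + off)

    def mapping_table(self) -> List[Tuple[str, str]]:
        """The static, bi-directional pairs the rule builds (real, nat)."""
        return [(str(ipaddress.ip_address(self.real_base) + i),
                 str(ipaddress.ip_address(self.nat_base) + i))
                for i in range(self.num_hosts)]


def validate_nat_base(rule: OneToOneRule, interface_ips: Iterable[str]) -> None:
    """The NAT base cannot be the IP address of an existing Ethernet interface."""
    if rule.nat_base in set(interface_ips):
        raise ValueError(f"NAT base {rule.nat_base} is assigned to an interface")


def outbound_source(rule: OneToOneRule, dynamic_nat_source: str, src_ip: str) -> str:
    """1-to-1 NAT has precedence over dynamic NAT for a source inside the rule's range;
    any other source falls through to the dynamic NAT address."""
    mapped = rule.real_to_nat(src_ip)
    return mapped if mapped is not None else dynamic_nat_source


# Company ABC's rule from the guide: five email servers published on the external interface.
ABC_RULE = OneToOneRule(interface="External", real_base="10.0.1.1",
                        nat_base="203.0.113.1", num_hosts=5)
```

`ABC_RULE.mapping_table()` yields the five pairs shown in the About 1-to-1 NAT section. The `None` results from `nat_to_real` and `real_to_nat` for addresses just outside the range are the cases to check when a sixth server is added and a policy suddenly stops matching: the range, not the policy, is what needs to grow.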
1-to-1 NAT Through a Branch Office VPN
You can also use 1-to-1 NAT when you must create a VPN tunnel between two networks that use the same private network address. When you create a VPN tunnel, the networks at each end of the VPN tunnel must have different network address ranges. If the network range on the remote network is the same as on the local network, you must use 1-to-1 NAT. For a BOVPN virtual interface, you can select the BOVPN virtual interface name in the 1-to-1 NAT configuration, and add a 1-to-1 NAT rule as described in the previous section.
For a branch office VPN that is not a BOVPN virtual interface, you can configure 1-to-1 NAT in the branch office VPN gateway and tunnel settings. To do this, you configure both gateways to use 1-to-1 NAT. Then, you can create the VPN tunnel and not change the IP addresses of one side of the tunnel. You configure 1-to-1 NAT for a VPN tunnel when you configure the VPN tunnel and not in the Network > NAT dialog box. For an example of this type of configuration, see Use 1-to-1 NAT Through a Branch Office VPN Tunnel.
Configure Policy-Based 1-to-1 NAT
In policy-based 1-to-1 NAT, your XTM device uses the private and public IP ranges that you set when you configured global 1-to-1 NAT, but the rules are applied to an individual policy. 1-to-1 NAT is enabled in the default configuration of each policy. If traffic matches both 1-to-1 NAT and dynamic NAT policies, 1-to-1 NAT takes precedence.
Enable Policy-Based 1-to-1 NAT
Because policy-based 1-to-1 NAT is enabled by default, you do not need to do anything else to enable it. If you have previously disabled policy-based 1-to-1 NAT, select the check box in Step 4 of the subsequent procedure to enable it again.
Disable Policy-Based 1-to-1 NAT
1. Select Firewall > Firewall Policies.
The Firewall Policies list appears.
2. Select a policy.
3. From the Action drop-down list, select Edit Policy.
4. Click the Advanced tab.
5. Clear the 1-to-1 NAT check box to disable NAT for the traffic controlled by this policy.
6. Click Save.
Configure NAT Loopback with Static NAT
Fireware XTM includes support for NAT loopback. NAT loopback allows a user on the trusted or optional networks to get access to a public server that is on the same physical XTM device interface by its public IP address or domain name. For NAT loopback connections, the XTM device changes the source IP address to the IP address of the internal XTM device interface (the primary IP address for the interface where the client and server both connect to the XTM device).
To understand how to configure NAT loopback when you use static NAT, we give this example:
Company ABC has an HTTP server on the XTM device trusted interface. The company uses static NAT to map the public IP address to the internal server. The company wants to allow users on the trusted network to use the public IP address or domain name to get access to this public server.
For this example, we assume:
- The trusted interface is configured with an IP address on the 10.0.1.0/24 network.
- The HTTP server is physically connected to the trusted 10.0.1.0/24 network.
Add a Policy for NAT Loopback to the Server
In this example, to allow users on your trusted and optional networks to use the public IP address or
domain name to access a public server that is on the trusted network, you must create an SNAT action
and add it to an HTTP policy.
The To section of the policy contains an SNAT action that defines a static NAT route from the public
IP address of the HTTP server to the real IP address of that server.
For more information about static NAT, see Configure Static NAT on page 271.
If you use 1-to-1 NAT to route traffic to servers inside your network, see NAT Loopback and 1-to-1
NAT on page 268.
NAT Loopback and 1-to-1 NAT
NAT loopback allows a user on the trusted or optional networks to connect to a public server with its
public IP address or domain name if the server is on the same physical XTM device interface. If you
use 1-to-1 NAT to route traffic to servers on the internal network, use these instructions to configure
NAT loopback from internal users to those servers. If you do not use 1-to-1 NAT, see Configure NAT
Loopback with Static NAT on page 266.
To help you understand how to configure NAT loopback when you use 1-to-1 NAT, we give this
example:
Company ABC has an HTTP server on the XTM device trusted interface. The company uses a 1-to-1
NAT rule to map the public IP address to the internal server. The company wants to allow users on the
trusted interface to use the public IP address or domain name to access this public server.
For this example, we assume:
• A server with public IP address 203.0.113.5 is mapped with a 1-to-1 NAT rule to a host on the
internal network.
In the 1-to-1 NAT section of the NAT configuration page, select these options:
Interface: External, NAT Base: 203.0.113.5, Real Base: 10.0.1.5
• The trusted interface is configured with a primary network, 10.0.1.0/24.
• The HTTP server is physically connected to the network on the trusted interface. The Real
Base address of that host is on the trusted interface.
• The trusted interface is also configured with a secondary network, 192.168.2.0/24.
For this example, to enable NAT loopback for all users connected to the trusted interface, you must:
1. Make sure that there is a 1-to-1 NAT entry for each interface that traffic uses when internal
computers get access to the public IP address 203.0.113.5 with a NAT loopback connection.
You must add one more 1-to-1 NAT mapping to apply to traffic that starts from the trusted
interface. The new 1-to-1 mapping is the same as the previous one, except that the Interface is
set to Trusted instead of External.
After you add the second 1-to-1 NAT entry, the 1-to-1 NAT section on the NAT page shows two
1-to-1 NAT mappings: one for External and one for Trusted.
Interface: External, NAT Base: 203.0.113.5, Real Base: 10.0.1.5
Interface: Trusted, NAT Base: 203.0.113.5, Real Base: 10.0.1.5
2. Add a Dynamic NAT entry for every network on the interface that the server is connected to.
The From field for the Dynamic NAT entry is the network IP address of the network from which
computers get access to the 1-to-1 NAT IP address with NAT loopback.
The To field for the Dynamic NAT entry is the NAT base address in the 1-to-1 NAT mapping.
For this example, the trusted interface has two networks defined, and we want to allow users on
both networks to get access to the HTTP server with the public IP address or host name of the
server. We must add two Dynamic NAT entries.
In the Dynamic NAT section of the NAT configuration page, add:
10.0.1.0/24 - 203.0.113.5
192.168.2.0/24 - 203.0.113.5
3. Add a policy to allow users on your trusted network to use the public IP address or domain name
to get access to the public server on the trusted network. For this example:
From: Any-Trusted
To: 203.0.113.5
The public IP address that users want to connect to is 203.0.113.5. This IP address is
configured as a secondary IP address on the external interface.
For more information about configuring static NAT, see Configure Static NAT on page 271.
For more information about how to configure 1-to-1 NAT, see Configure Firewall 1-to-1 NAT on page
261.
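The loopback procedure above, as an added Python model (not WatchGuard code, and not how Fireware implements NAT internally): it applies the two 1-to-1 NAT entries and the two Dynamic NAT entries from the example to a client packet, and reports which entry is missing when loopback cannot work. The interface primary IP addresses 10.0.1.1 and 203.0.113.2 and the `hosts` range size are assumptions made for the model.

```python
# Added example, not WatchGuard code: a model of the checks in the 1-to-1 NAT
# loopback procedure. Addresses are the ones from the example; the interface
# primary IPs (10.0.1.1, 203.0.113.2) and the "hosts" range size are assumed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OneToOne:
    """One row in the 1-to-1 NAT section: Interface, NAT Base, Real Base."""
    interface: str
    nat_base: str
    real_base: str
    hosts: int = 1          # size of the mapped range (assumed field)


@dataclass(frozen=True)
class DynamicNat:
    """One row in the Dynamic NAT section: From network, To address."""
    src_network: str
    dst: str


# Interface name -> (primary IP, networks configured on it). The trusted
# interface carries the primary and secondary networks from the example.
INTERFACES = {
    "Trusted": ("10.0.1.1", ["10.0.1.0/24", "192.168.2.0/24"]),
    "External": ("203.0.113.2", ["203.0.113.0/24"]),
}

# The two 1-to-1 mappings and the two Dynamic NAT entries from the example.
EXAMPLE_ONE_TO_ONE = [
    OneToOne("External", "203.0.113.5", "10.0.1.5"),
    OneToOne("Trusted", "203.0.113.5", "10.0.1.5"),
]
EXAMPLE_DYNAMIC = [
    DynamicNat("10.0.1.0/24", "203.0.113.5"),
    DynamicNat("192.168.2.0/24", "203.0.113.5"),
]


def ingress_interface(src_ip):
    """Name of the interface whose networks contain src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    for name, (_, nets) in INTERFACES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return name
    return None


def one_to_one_lookup(entries, interface, dst_ip):
    """Real address for dst_ip if a 1-to-1 entry on this interface covers it."""
    dst = int(ipaddress.ip_address(dst_ip))
    for e in entries:
        if e.interface != interface:
            continue
        offset = dst - int(ipaddress.ip_address(e.nat_base))
        if 0 <= offset < e.hosts:
            return str(ipaddress.ip_address(e.real_base) + offset)
    return None


def loopback(one_to_one, dynamic, src_ip, dst_ip):
    """Translate a packet sent to the public address of the server.

    Returns (new_src, new_dst) when the packet can be delivered, otherwise
    (None, reason) naming the entry from the procedure that is missing.
    """
    iface = ingress_interface(src_ip)
    if iface is None:
        return None, "source address is not on a configured interface"
    # Step 1: a 1-to-1 entry must exist for the interface the traffic starts from.
    real = one_to_one_lookup(one_to_one, iface, dst_ip)
    if real is None:
        return None, f"no 1-to-1 NAT entry for {dst_ip} on the {iface} interface"
    if iface == "External":
        return src_ip, real       # ordinary inbound 1-to-1 NAT, not loopback
    # Step 2: a Dynamic NAT entry from the client's network to the NAT base.
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(d.src_network) and d.dst == dst_ip
               for d in dynamic):
        return None, f"no Dynamic NAT entry from the network of {src_ip} to {dst_ip}"
    # Loopback: the source becomes the primary IP of the shared interface.
    return INTERFACES[iface][0], real


if __name__ == "__main__":
    for client in ("10.0.1.50", "192.168.2.20", "203.0.113.77"):
        print(client, "->", loopback(EXAMPLE_ONE_TO_ONE, EXAMPLE_DYNAMIC, client, "203.0.113.5"))
    # Only the External entry configured: loopback from trusted clients fails at step 1.
    print(loopback(EXAMPLE_ONE_TO_ONE[:1], EXAMPLE_DYNAMIC, "10.0.1.50", "203.0.113.5"))
```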
About SNAT
An SNAT action is a user-defined action that includes static NAT or server load balancing members
which can be referenced by a policy. An SNAT action is a NAT mapping which replaces the original
destination IP address (and optionally, port) with a new destination. For a server load balancing SNAT
action, the original destination is mapped to multiple server IP addresses, which the XTM device can
load balance between.
You can create SNAT actions and apply them to one or more policies in your configuration. To
reference an SNAT object in a policy, you add it to the To (destination) list in the policy. If you add a
server load balancing SNAT action to a policy, it must be the only destination in the policy.
For more information about static NAT and server load balancing, see Configure Static NAT and
Configure Server Load Balancing.
Configure Static NAT
Static NAT, also known as port forwarding, is a port-to-host NAT. With static NAT, when a host sends
a packet from a network to a port on an external or optional interface, static NAT changes the
destination IP address to an IP address and port behind the firewall. If a software application uses
more than one port and the ports are selected dynamically, you must either use 1-to-1 NAT, or check
whether a proxy on your XTM device manages this kind of traffic. Static NAT also operates on traffic
sent from networks that your XTM device protects.
You can configure static NAT for traffic sent to an external or optional XTM device interface. Static
NAT for an optional interface is supported in Fireware XTM OS v11.8.1 and higher.
When you use static NAT, traffic to an internal server can be addressed to an XTM device interface
IP address, instead of to the actual IP address of the server. For example, you can put your SMTP
email server behind your XTM device with a private IP address and configure static NAT in your SMTP
policy. Your XTM device then receives connections on port 25 and sends any SMTP traffic to the real
address of the SMTP server behind the XTM device.
Add a Static NAT Action
Before you can configure a policy to use static NAT, you must define the static NAT action. After you
add a static NAT action, you can use it in one or more policies.
When you add a static NAT action, you can optionally specify a source IP address in the action. Then,
when traffic that matches the parameters in your static NAT action is received by your XTM device, it
changes the source IP address to the IP address that you specify. You can specify a different source
IP address for each SNAT member.
You can also enable port address translation (PAT) in a static NAT action. When you enable PAT, you
can change the packet destination to specify a different internal host and a different port.
To add a static NAT action:
1. Select Firewall > SNAT.
The SNAT page appears.
2. Click Add.
The Add SNAT page appears.
3. In the Name text box, type a name for this SNAT action.
4. (Optional) In the Description text box, type a description for this SNAT action.
5. Select Static NAT.
This is the default selection.
6. Click Add.
The Add Member dialog box appears.
7. From the External/Optional IP Address drop-down list, select the IP address or alias of an
external or optional interface to use in this action.
For example, to use static NAT for packets addressed to only one external IP address,
select that external IP address or alias. Or, to use static NAT for packets addressed to any
optional IP interface, select the Any-Optional alias.
8. To specify the source IP address for this static NAT action, select the Set source IP check
box. In the adjacent text box, type the source IP address.
9. In the Internal IP Address text box, type the destination on the trusted or optional network.
10. To enable port address translation (PAT), select the Set internal port to a different port
check box. In the adjacent text box, type or select the port number.
If you use an SNAT action in a policy that allows traffic other than TCP or UDP, the
internal port setting is not used for that traffic.
11. Click OK.
The static NAT route appears in the SNAT Members list.
12. To add another member to this action, click Add and repeat Steps 7 through 12.
13. Click Save.
The new SNAT action appears in the SNAT page.
Add a Static NAT Action to a Policy
After you create a static NAT action, you can add it to one or more policies.
1. Select Firewall > Firewall Policies.
2. Click the name of a policy to edit it.
3. From the Connections are drop-down list, select Allowed.
To use static NAT, the policy must allow incoming traffic.
4. In the To section, click Add.
The Add Member dialog box appears.
5. From the Member Type drop-down list, select Static NAT.
A list of the configured Static NAT Actions appears.
6. Select the static NAT action to add to this policy. Click OK.
The static NAT route appears in the To section of the policy configuration.
7. Click Save.
Edit or Remove a Static NAT Action
To edit an SNAT action:
1. Select Firewall > SNAT.
The SNAT page appears.
2. Select an SNAT action.
3. Click Edit.
The Edit SNAT page appears.
4. Modify the SNAT action.
When you edit an SNAT action, any changes you make apply to all policies that use that SNAT
action.
5. Click Save.
To remove an SNAT action:
1. Select Firewall > SNAT.
The SNAT page appears.
2. Select an SNAT action.
3. Click Remove.
You cannot remove an SNAT action that is used by a policy. A confirmation dialog box appears.
4. Click OK to confirm that you want to remove the SNAT action.
Change Static NAT Global Settings
By default, the XTM device does not clear active connections when you modify a static NAT action.
You can change the global SNAT setting so that the XTM device clears active connections that use an
SNAT action you modify.
To change the global SNAT setting:
1. Select System > Global Settings.
2. Select the Networking tab.
3. In the Traffic Flow section, select the When an SNAT action changes, clear active
connections that use that SNAT action check box.
4. Click Save.
Configure Server Load Balancing
Server load balancing requires Fireware XTM with a Pro upgrade, and is not
supported on Firebox T10, XTM 2 Series, and XTM 3 Series devices.
The server load balancing feature in Fireware XTM is designed to help you increase the scalability and
performance of a high-traffic network with multiple servers. With server load balancing, you can enable
the XTM device to control the number of sessions initiated to as many as 10 servers for each firewall
policy you configure. The XTM device controls the load based on the number of sessions in use on
each server. The XTM device does not measure or compare the bandwidth that is used by each server.
You configure server load balancing as an SNAT action. The XTM device can balance connections
among your servers with two different algorithms. When you configure server load balancing, you must
choose the algorithm for the XTM device to apply.
Round-robin
If you select this option, the XTM device distributes incoming sessions among the servers you
specify in the policy in round-robin order. The first connection is sent to the first server specified
in your policy. The next connection is sent to the next server in your policy, and so on.
Least Connection
If you select this option, the XTM device sends each new session to the server in the list that
currently has the lowest number of open connections to the device. The XTM device cannot tell
how many connections the server has open on other interfaces.
You can add any number of servers to a server load balancing action. You can also add a weight to
each server to make sure that your most powerful servers are given the heaviest load. The weight
refers to the proportion of load that the XTM device sends to a server. By default, each server has a
weight of 1. If you assign a weight of 2 to a server, you double the number of sessions that the XTM
device sends to that server, compared to a server with a weight of 1.
You can optionally configure a source IP address in a server load balancing action. If you do not
configure a source IP address in the server load balancing action, the XTM device does not modify the
sender, or source IP address, of traffic sent to these devices. While the traffic is sent directly from the
XTM device, each device that is part of your server load balancing configuration sees the original
source IP address of the network traffic.
When you configure server load balancing, it is important to know:
• You can configure server load balancing for any policy to which you can apply static NAT.
• If you apply server load balancing to a policy, you cannot set policy-based routing or other NAT
rules in the same policy.
• If you use server load balancing in an active/passive FireCluster configuration, real-time
synchronization does not occur between the cluster members when a failover event occurs.
When the passive backup master becomes the active cluster master, it sends connections to
all servers in the server load balancing list to see which servers are available. It then applies the
server load balancing algorithm to all available servers.
• If you use server load balancing for connections to a group of RDP servers, you must configure
the firewall on each RDP server to allow ICMP requests from the XTM device.
• You can configure a server load balancing SNAT action for traffic sent to an external or optional
XTM device interface. Static NAT for an optional interface requires Fireware XTM OS v11.8.1
and higher.
Add a Server Load Balancing SNAT Action
Before you can configure a policy to use server load balancing, you must define the server load
balancing details in an SNAT action. After you define a server load balancing SNAT action, you can
use it in one or more policies.
When you add a server load balancing SNAT action, you can choose to specify a source IP address in
the action. Then, when traffic that matches the parameters in your server load balancing SNAT action
passes through the policies that manage the traffic on your XTM device, the source IP address is
changed to the IP address that you specify. The same source IP address is used for all servers in the
server load balancing action.
You can also enable port address translation (PAT) in a server load balancing SNAT action. When you
enable PAT, you can change the packet destination to specify a different internal host and a different
port.
When you define the parameters for the SNAT action, sticky connections are always enabled. A sticky
connection is a connection that continues to use the same server for a defined period of time.
Stickiness makes sure that all packets between a source and destination IP address pair are sent to
the same server for the time period you specify. By default, the XTM device uses the default sticky
connection setting of 8 hours. You can change the setting to a different number of hours. When a new
connection from the same client is received, the expiration time of the connection is extended.
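An added Python model (not WatchGuard code) of the server selection described in the Round-robin, Least Connection, weight and sticky connection paragraphs above: a weight-2 server receives twice the sessions, Least Connection counts only sessions open through the device, and a sticky entry keeps a client on its server for 8 hours, with the expiry extended by each new session. How weight combines with Least Connection (open sessions divided by weight) is an assumption; the server and client addresses are constructed.

```python
# Added example, not WatchGuard code: a model of how a server load balancing
# SNAT action picks a server. Weighted Round-robin, Least Connection and the
# sticky table follow the guide text; dividing open sessions by weight for
# Least Connection is an assumption of this model.
import time


class ServerLoadBalancer:
    def __init__(self, servers, method="Round-robin", sticky_hours=8):
        # servers: list of (internal IP, weight); the Web UI default weight is 1
        self.servers = list(servers)
        self.method = method
        self.sticky_seconds = sticky_hours * 3600
        # Sessions open through the device only; the device cannot see sessions
        # the server has open on other interfaces.
        self.open = {ip: 0 for ip, _ in self.servers}
        # Weighted round-robin ring: a server with weight 2 appears twice.
        self._ring = [ip for ip, weight in self.servers for _ in range(weight)]
        self._pos = 0
        self.sticky = {}    # client IP -> (server IP, expiry timestamp)

    def _round_robin(self):
        ip = self._ring[self._pos % len(self._ring)]
        self._pos += 1
        return ip

    def _least_connection(self):
        # Fewest open sessions per unit of weight; ties go to the earlier entry.
        return min(self.servers, key=lambda s: self.open[s[0]] / s[1])[0]

    def new_session(self, client_ip, now=None):
        """Pick the server for a new session from client_ip and record it."""
        now = time.time() if now is None else now
        entry = self.sticky.get(client_ip)
        if entry is not None and entry[1] > now:
            server = entry[0]                # sticky: same server as before
        elif self.method == "Round-robin":
            server = self._round_robin()
        else:
            server = self._least_connection()
        # Each new session from the client extends the sticky expiry time.
        self.sticky[client_ip] = (server, now + self.sticky_seconds)
        self.open[server] += 1
        return server

    def session_closed(self, server):
        self.open[server] -= 1


def demo():
    """Weighted round-robin over six distinct clients: weight 2 gets 2 of 3."""
    lb = ServerLoadBalancer([("10.0.1.10", 2), ("10.0.1.11", 1)])
    return [lb.new_session(f"198.51.100.{i}", now=0) for i in range(1, 7)]


if __name__ == "__main__":
    print(demo())
```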
To add a server load balancing SNAT action:
1. Select Firewall > SNAT.
The SNAT page appears.
2. Click Add.
The Add SNAT page appears.
3. In the Name text box, type a name for this SNAT action.
4. (Optional) In the Description text box, type a description for this SNAT action.
5. Select Server Load Balancing.
6. From the External IP address drop-down list, select the external IP address or alias to use in
this server load balancing action.
For example, you can have the XTM device apply server load balancing for this action to
packets received on only one external IP address. Or, you can have the XTM device apply
server load balancing for packets received on any external IP address if you select the Any-
External alias.
7. To specify the source IP address for this server load balancing action, select the Set source IP
check box. In the adjacent text box, type the source IP address.
8. From the Method drop-down list, select the algorithm to use for server load balancing: Round-
robin or Least Connection.
9. Click Add to add the IP address of an internal server to this action.
The Add Member dialog box appears.
10. In the Internal IP Address text box, type the IP address of the server to add.
11. In the Weight text box, type or select the weight for this server for load balancing.
12. To enable port address translation (PAT), select the Set internal port to a different port
check box. In the adjacent text box, type or select the port number.
If you use a server load balancing SNAT action in a policy that allows traffic that does
not have ports (traffic other than TCP or UDP), the internal port setting is not used for
that traffic.
13. Click OK.
The server appears in the Server Load Balance Members list.
14. To add another server to this action, click Add and repeat Steps 10 through 14.
15. To set sticky connections for your internal servers, select the Enable sticky connection check
box. In the Enable sticky connection text box and drop-down list, specify the time period for
the sticky connection.
16. Click Save.
Add a Server Load Balancing SNAT Action to a Policy
1. Select Firewall > Firewall Policies.
2. Select a policy.
Or, add a new policy.
3. From the Action drop-down list, select Edit Policy.
4. In the To section, click Add.
The Add Member dialog box appears.
5. From the Member Type drop-down list, select Server Load Balancing.
The list of server load balancing actions appears.
6. Select a server load balancing action. Click OK.
The server load balancing action is added to the To section of the policy.
7. Click Save.
Edit or Remove a Server Load Balancing SNAT Action
To edit an SNAT action:
1. Select Firewall > SNAT.
The SNAT page appears.
2. Select an SNAT action.
3. Click Edit.
The Edit SNAT page appears.
4. Modify the SNAT action.
When you edit an SNAT action, any changes you make apply to all policies that use that SNAT
action.
5. Click Save.
To remove an SNAT action:
1. Select Firewall > SNAT.
The SNAT page appears.
2. Select an SNAT action.
3. Click Remove.
You cannot remove an SNAT action that is used by a policy. A confirmation dialog box appears.
4. Click OK to confirm that you want to remove the SNAT action.
1-to-1 NAT Example
When you enable 1-to-1 NAT, the XTM device changes and routes all incoming and outgoing packets
sent from one range of addresses to a different range of addresses.
Consider a situation in which you have a group of internal servers with private IP addresses that must
each show a different public IP address to the outside world. You can use 1-to-1 NAT to map public IP
addresses to the internal servers, and you do not have to change the IP addresses of your internal
servers. To understand how to configure 1-to-1 NAT, consider this example:
A company has a group of three privately addressed servers behind an optional interface of their XTM
device. The addresses of these servers are:
10.0.2.11
10.0.2.12
10.0.2.13
The administrator selects three public IP addresses from the same network address as the external
interface of their XTM device, and creates DNS records for the servers to resolve to. These addresses
are:
203.0.113.11
203.0.113.12
203.0.113.13
Now the administrator configures a 1-to-1 NAT rule for the servers. The 1-to-1 NAT rule builds a static,
bidirectional relationship between the corresponding pairs of IP addresses. The relationship looks like
this:
10.0.2.11 <--> 203.0.113.11
10.0.2.12 <--> 203.0.113.12
10.0.2.13 <--> 203.0.113.13
When the 1-to-1 NAT rule is applied, the XTM device creates the bidirectional routing and NAT
relationship between the pool of private IP addresses and the pool of public addresses.
For the instructions to define a 1-to-1 NAT rule, see Configure Firewall 1-to-1 NAT on page 261.
9 Wireless Device Setup
About Wireless Device Configuration
When you enable the wireless feature of your Firebox or XTM wireless device, you can configure the
external interface to use wireless, or you can configure the device as a wireless access point for users
on specified networks. You can enable wireless clients to connect to the wireless device as part of the
trusted network or part of the optional network. You can also use a custom network to enable a
wireless guest services network for your device, or use bridge or VLAN networks in your wireless
configuration.
Wireless networking on Firebox or XTM wireless devices is not supported when the
device is in Drop-In mode (Fireware XTM OS v11.9 and later).
Before you set up wireless network access, see Before You Begin on page 289.
Before you can enable the wireless feature on your Firebox or XTM device, you must get the feature
key for your device. For more information, see About Feature Keys on page 61.
Wireless Settings in Fireware XTM OS v11.8.x and v11.9.x
Wireless functionality for Fireware XTM OS v11.8.x and older is different than for Fireware
XTM OS v11.9.x and later.
Enable Wireless to the Trusted and Optional Networks
For devices that run Fireware XTM OS v11.8.x or older, you can enable wireless settings for the
trusted or optional networks. For more information, see Enable Wireless Connections (Fireware
XTM OS v11.8.x and Older).
If your device runs Fireware XTM OS v11.9 and later, you can enable wireless settings for the trusted,
optional, VLAN, bridge, or custom networks. For more information, see Enable Wireless Connections
(Fireware XTM OS v11.9.x and Later).
Enable a Wireless Guest Network
For devices that run Fireware XTM OS v11.8.x or older, a wireless access point is reserved for guest
wireless usage. For more information, see Enable a Wireless Guest Network (Fireware XTM OS
v11.8.x and Older).
In Fireware XTM v11.9 and later, this wireless access point is called Access Point 3. You can
configure any access point as a wireless guest network. For more information, see Enable a Wireless
Guest Network (Fireware XTM OS v11.9.x and Later).
Enable Wireless
To enable the wireless feature on your XTM device:
1. Select Network > Wireless.
The Wireless page appears.
2. Select the Enable Wireless check box.
3. Select a wireless configuration option:
Enable wireless client as external interface
Select this option to configure the external interface of the XTM wireless device to connect
to a wireless network. This is useful in areas with limited or no existing network
infrastructure.
For more information, see Configure Your External Interface as a Wireless Interface on
page 314.
Enable wireless access points
Select this option to configure the XTM wireless device as an access point for users on
specified networks.
For more information, see Wireless Device Configuration Options on page 287.
4. In the Radio Settings section, select your wireless radio settings.
For more information, see About Wireless Radio Settings on page 317.
5. To enable the device to scan for untrusted wireless access points, select the Enable rogue
access point detection check box.
For more information, see Enable Rogue Access Point Detection on page 323.
6. Click Save.
Wireless Device Configuration Options
The configuration procedure for wireless interfaces depends on the version of Fireware XTM OS that
runs on your Firebox or XTM device:
• For Fireware XTM OS v11.9 and later, see Wireless Device Configuration Options (Fireware
XTM OS v11.9 and Later)
• For Fireware XTM OS v11.8.x and older, see Wireless Device Configuration Options (Fireware
XTM OS v11.8.x and Older)
Wireless Device Configuration Options (Fireware XTM OS v11.9 and Later)
Any wireless Firebox or XTM device can be configured as a wireless access point with more than one
different security zone. You can enable wireless clients to connect to the wireless XTM device as part
of the trusted or optional network. You can also use a custom network to enable a wireless guest
services network for your XTM device, or use bridge or VLAN networks in your wireless configuration.
Before you enable the wireless Firebox or XTM device as a wireless access point, you must look
carefully at the wireless users who connect to the device, and then determine the level of access for
each type of user.
You can select fromthese options for wireless access:
Allow Wireless Connections to a Trusted Interface
When you allow wireless connections through a trusted interface, wireless devices have full
access to all computers on the trusted and optional networks, and full Internet access based on
the rules you configure for outgoing access on your XTM device.
If you enable wireless access through a trusted interface, to allow access through the Firebox or
XTM device only for devices that you add to the Allowed MAC Address list, you can enable
and use the MAC restriction feature.
For more information, see Use Static MAC Address Binding on page 189.
Allow Wireless Connections to an Optional Interface
When you allow wireless connections through an optional interface, wireless devices have full
access to all computers on the optional network, and full Internet access based on the rules you
configure for outgoing access on your wireless Firebox or XTM device.
Allow Wireless Connections on a Bridge or VLAN Interface
You can allow wireless connections through Bridge or VLAN interfaces to enable full access for
wireless users to those networks and any other network access based on your policy security
configuration.
Allow Wireless Guest Connections on a Custom Interface
Computers that connect to the custom network connect through the wireless Firebox or XTM
device to the Internet based on the rules you configure for outgoing access on your Firebox or
XTM device. The custom zone is not part of any default policies. You can use the wireless
interface alias in policies that you configure for traffic from wireless clients so they cannot
access trusted or optional networks.
For more information, see Enable a Wireless Guest Network (Fireware XTM OS v11.9.x and
Later) on page 306.
Before you set up wireless network access, see Before You Begin on page 289.
To allow wireless connections on an interface, see Enable Wireless Connections (Fireware XTM OS
v11.9.x and Later) on page 300.
Wireless Device Configuration Options (Fireware XTM OS v11.8.x and Older)
Any Firebox or XTM wireless device can be configured as a wireless access point with three different
security zones. You can enable wireless clients to connect to the wireless device as part of the trusted
network or part of the optional network. You can also enable a wireless guest services network for
Firebox or XTM device users. Computers that connect to the guest network connect through the
wireless device, but do not have access to computers on the trusted or optional networks.
Before you enable the wireless Firebox or XTM device as a wireless access point, you must look
carefully at the wireless users who connect to the device and determine the level of access to enable
for each type of user. There are three types of wireless access you can allow:
Allow Wireless Connections to a Trusted Interface
When you allow wireless connections through a trusted interface, wireless devices have full
access to all computers on the trusted and optional networks, and full Internet access based on
the rules you configure for outgoing access on your Firebox or XTM device. If you enable
wireless access through a trusted interface, to allow access through the Firebox or XTM device
only for devices you add to the Allowed MAC Address list, you can enable and use the MAC
restriction feature.
For more information about how to restrict access by MAC addresses, see Use Static MAC
Address Binding on page 189.
Allow Wireless Connections to an Optional Interface
When you allow wireless connections through an optional interface, those wireless devices
have full access to all computers on the optional network, and full Internet access based on the
rules you configure for outgoing access on your wireless Firebox or XTM device.
Allow Wireless Guest Connections Through the External Interface
Computers that connect to the wireless guest network connect through the wireless Firebox or
XTM device to the Internet based on the rules you configure for outgoing access on your XTM
device. These wireless-connected computers do not have access to computers on the trusted
or optional network.
For more information about how to configure a wireless guest network, see Enable a Wireless
Guest Network (Fireware XTM OS v11.8.x and Older) on page 309.
Before you set up wireless network access, see Before You Begin on page 289.
To allow wireless connections to your trusted or optional network, see Enable Wireless Connections
(Fireware XTM OS v11.8.x and Older) on page 304.
Before You Begin
WatchGuard XTM wireless devices adhere to 802.11n, 802.11b and 802.11g guidelines set by the
Institute of Electrical and Electronics Engineers (IEEE). When you install an XTM wireless device:
• Make sure that the wireless device is installed in a location more than 20 centimeters from all
persons. This is an FCC requirement for low power transmitters.
• It is a good idea to install the wireless device away from other antennas or transmitters to
decrease interference.
• The default wireless authentication algorithm configured for each wireless security zone is not
the most secure authentication algorithm. If the wireless devices that connect to your XTM
wireless device support WPA2 authentication, we recommend that you increase the
authentication level to WPA2.
• A wireless client that connects to the XTM wireless device from the trusted or optional network
can be a part of any branch office VPN tunnels in which the local network component of the
Phase 2 settings includes optional or trusted network IP addresses. To control access to the
VPN tunnel, you can force XTM device users to authenticate.
Before you set up your wireless XTM device, it is also a good idea to consider environmental factors,
which apply to the installation of WatchGuard wireless devices. For example, you can use a wireless
site survey tool to better understand your current environment and existing wireless signals before you
add a new XTM wireless device. Based on the results of your site survey, and the requirements of your
wireless clients, you can plan which wireless modes and channels to use. You will also know more
about the level of wireless noise in your environment, and can consider other factors, such as the
position of walls, that can affect wireless signal range.
For more information, see:
• Wireless Site Survey
• Wireless Modes and Channels
• Wireless Signal Strength and Noise Levels
• Wireless Environmental Factors
Wireless Device Setup
290 Fireware XTMWeb UI
Wireless Device Setup
User Guide 291
About Wireless Configuration Settings
When you enable wireless access to a network, some configuration settings are defined the same way
for each of the security zones. These can be set to different values for each zone.
For information about the Broadcast SSID and respond to SSID queries setting, see
Enable/Disable SSID Broadcasts on page 292.
For information about setting the Network Name (SSID), see Change the SSID on page 292.
For information about the Log Authentication Events setting, see Log Authentication Events on page
292.
For information about the Fragmentation Threshold, see Change the Fragmentation Threshold on
page 292.
For information about the RTS Threshold, see Change the RTS Threshold on page 293.
For information about the Encryption (Authentication) setting, see Set the Wireless Authentication
Method on page 294.
For information about the Encryption algorithm setting, see Set the Encryption Level on page 298.
Enable/Disable SSID Broadcasts
Computers with wireless network cards send requests to see whether there are wireless access points
to which they can connect.
To configure an XTM device wireless interface to send and answer these requests, select the
Broadcast SSID and respond to SSID queries check box. For security, enable this option only
while you configure computers on your network to connect to the XTM wireless device. Disable this
option after all your clients are configured. If you use the wireless guest services feature, it can be
necessary to allow SSID broadcasts in standard operation.
Change the SSID
The SSID (Service Set Identifier) is the unique name of your wireless network. To use the wireless
network from a client computer, the wireless network card in the computer must have the same SSID
as the WatchGuard wireless network to which the computer connects.
You must assign a unique SSID to each access point. To change the SSID, type a new name in the
Network Name (SSID) text box to uniquely identify your wireless network.
Log Authentication Events
An authentication event occurs when a wireless computer tries to connect to the wireless interface of a
WatchGuard XTM wireless device. To include these events in the log file, select the Log
Authentication Events check box.
Change the Fragmentation Threshold
Fireware XTM allows you to set the maximum frame size the XTM wireless device can send without
fragmenting the frame. This is called the fragmentation threshold. This setting is rarely changed. The
default setting is the maximum frame size of 2346, which means that the device never fragments any
frames that it sends to wireless clients. This is best for most environments.
When to Change the Default Fragmentation Threshold
A collision happens when two devices that use the same medium transmit packets at exactly the
same time. The two packets can corrupt each other, and the result is a group of unreadable pieces of
data. If a packet results in a collision, the packet is discarded and it must be transmitted again. This
adds to the overhead on the network and can reduce the throughput or speed of the network.
Larger frames are more likely to collide with each other than smaller frames. To make the wireless
packets smaller, you lower the fragmentation threshold on the XTM wireless device. If you lower the
maximum frame size, it can reduce the number of repeat transmissions caused by collisions, and
lower the overhead caused by repeat transmissions.
Smaller frames introduce more overhead on the network. This is especially true on a wireless network,
because every fragmented frame sent from one wireless device to another requires the receiving
device to acknowledge the frame. When packet error rates are high (more than five or ten percent
collisions or errors), you can help improve the performance of the wireless network if you lower the
fragmentation threshold. The time that is saved when you reduce repeat transmissions can be enough
to offset the extra overhead added with smaller packets. This can result in higher throughput.
If the rate of packet error is low and you lower the fragmentation threshold, wireless network
performance decreases. This occurs because when you lower the threshold, protocol overhead is
added and protocol efficiency is reduced.
If you want to experiment, start with the default maximum of 2346, and lower the threshold a small
amount at a time. To get the most benefit, you must monitor the network for packet errors at different
times of the day. Compare the effect that a lower threshold has on network performance when errors
are very high with the effect on performance when errors are moderately high.
In general, we recommend that you leave this setting at its default of 2346.
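The trade-off described above can be made concrete with a small model. The Python below is an added illustration, not code from the WatchGuard guide or from Fireware: it splits a frame into fragments no larger than the threshold, charges an assumed fixed overhead per fragment (header plus acknowledgement), and computes the expected bytes on the air when every fragment is retransmitted until it arrives intact under an assumed independent per-byte error rate. The 34-byte overhead, the 2000-byte sample frame and the error rates are constructed values chosen to show the effect, not measurements from any device; the 256 to 2346 range is the one the Web UI accepts.

```python
"""Model of the fragmentation-threshold trade-off (added example, not Fireware code).

Constructed assumptions: a fixed per-fragment overhead for the 802.11 header
and acknowledgement, and independent per-byte errors. Real radios are
burstier than this, so treat the numbers as a qualitative guide only.
"""

DEFAULT_THRESHOLD = 2346      # Fireware default: frames are never fragmented
MIN_THRESHOLD = 256           # lowest value the Web UI accepts
PER_FRAGMENT_OVERHEAD = 34    # assumed bytes of header + ACK per fragment


def fragment_sizes(frame_len: int, threshold: int) -> list[int]:
    """Split a frame into fragments of at most `threshold` bytes.

    Simplification: the threshold is applied to the payload only, whereas real
    802.11 fragmentation counts the whole MPDU including its header.
    """
    if not MIN_THRESHOLD <= threshold <= DEFAULT_THRESHOLD:
        raise ValueError("fragmentation threshold must be 256-2346")
    if frame_len <= 0:
        raise ValueError("frame length must be positive")
    sizes = [threshold] * (frame_len // threshold)
    if frame_len % threshold:
        sizes.append(frame_len % threshold)
    return sizes


def expected_bytes_on_air(frame_len: int, threshold: int, byte_error_rate: float) -> float:
    """Expected total bytes transmitted for one frame, retransmissions included.

    A fragment of L bytes survives with probability (1 - p) ** L, so the expected
    number of attempts before it is acknowledged is 1 / (1 - p) ** L. Each attempt
    costs the fragment plus the per-fragment overhead.
    """
    if not 0.0 <= byte_error_rate < 1.0:
        raise ValueError("byte_error_rate must be in [0, 1)")
    total = 0.0
    for size in fragment_sizes(frame_len, threshold):
        p_ok = (1.0 - byte_error_rate) ** size
        total += (size + PER_FRAGMENT_OVERHEAD) / p_ok
    return total


def best_threshold(frame_len: int, byte_error_rate: float,
                   candidates=(2346, 1500, 1000, 500, 256)) -> int:
    """Candidate threshold with the lowest expected airtime cost for this error rate."""
    return min(candidates,
               key=lambda t: expected_bytes_on_air(frame_len, t, byte_error_rate))


if __name__ == "__main__":
    # Constructed sample: a 2000-byte frame at a clean, a noisy and a very noisy link.
    for rate in (1e-6, 1e-4, 1e-2):
        cost_default = expected_bytes_on_air(2000, DEFAULT_THRESHOLD, rate)
        print(f"error rate {rate:g}: default costs {cost_default:,.0f} bytes, "
              f"best threshold {best_threshold(2000, rate)}")
```

On a clean link the default wins because every extra fragment adds overhead that buys nothing; on a very noisy link the large frame is almost never delivered whole, so small fragments win despite their overhead. That is the behaviour the guide describes, and the reason to lower the threshold only after measuring error rates.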
Change the Fragmentation Threshold
1. Select Network > Wireless.
2. To select the wireless network to configure, click Configure.
The wireless configuration settings for that wireless network appear.
3. To change the fragmentation threshold, in the Fragmentation Threshold text box, type or
select a value between 256 and 2346.
4. Click Return to Main Page.
5. Click Save.
Change the RTS Threshold
RTS/CTS (Request To Send / Clear To Send) helps prevent problems when wireless clients can
receive signals from more than one wireless access point on the same channel. The problem is
sometimes known as hidden node.
We do not recommend that you change the default RTS threshold. When the RTS Threshold is set to
the default of 2346, RTS/CTS is disabled.
If you must change the RTS threshold, adjust it incrementally. Lower it a small amount at a time. After
each change, allow enough time to decide whether the change in network performance is positive
before you change it again. If you lower this value too much, you can introduce more latency into the
network, as Requests to Send are increased so much that the shared medium is reserved more often
than necessary.
About Wireless Security Settings
WatchGuard XTM wireless devices use three security protocol standards to protect your wireless
network: WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), and WPA2. Each protocol
standard can encrypt the transmissions on the wireless LAN between the computers and the access
points. They also can prevent unauthorized access to the wireless access point.
To protect privacy, you can use these features together with other LAN security mechanisms such as
password protection, VPN tunnels, and user authentication.
Set the Wireless Authentication Method
From the Encryption (Authentication) drop-down list in the wireless access point configuration,
select the authentication method for your wireless connections. The eight available
authentication methods, from least secure to most secure, are listed below. Select the most secure
authentication method that is supported by your wireless network clients.
Open System and Shared Key
The Open System and Shared Key authentication methods use WEP encryption. WEP is not as
secure as WPA2 and WPA (Wi-Fi Protected Access). We recommend you do not use these less
secure methods unless your wireless clients do not support WPA or WPA2.
• Open System: Open System authentication allows any user to authenticate to the access
point. This method can be used with no encryption or with WEP encryption.
• Shared Key: In Shared Key authentication, only those wireless clients that have the shared
key can connect. Shared Key authentication can be used only with WEP encryption.
WPA and WPA2 with Pre-Shared Keys
WPA (PSK) and WPA2 (PSK) Wi-Fi Protected Access methods use pre-shared keys for
authentication. WPA (PSK) and WPA2 (PSK) are more secure than WEP shared key authentication.
When you choose one of these methods, you configure a pre-shared key that all wireless devices must
use to authenticate to the wireless access point.
The XTM wireless device supports three wireless authentication settings that use pre-shared keys:
• WPA ONLY (PSK): The XTM wireless device accepts connections from wireless devices
configured to use WPA with pre-shared keys.
• WPA/WPA2 (PSK): The XTM wireless device accepts connections from wireless devices
configured to use WPA or WPA2 with pre-shared keys.
• WPA2 ONLY (PSK): The XTM wireless device accepts connections from wireless devices
configured to use WPA2 with pre-shared key authentication. WPA2 implements the full
802.11i standard; it does not work with some older wireless network cards.
WPA and WPA2 with Enterprise Authentication
The WPA Enterprise and WPA2 Enterprise authentication methods use the IEEE 802.1X standard for
network authentication. These authentication methods use the EAP (Extensible Authentication
Protocol) framework to enable user authentication to an external RADIUS authentication server or to
the XTM device (Firebox-DB). The WPA Enterprise and WPA2 Enterprise authentication methods are
more secure than WPA/WPA2 (PSK) because users authenticate with their own credentials instead of
a shared key.
Fireware XTM v11.4 and later supports three WPA and WPA2 Enterprise wireless authentication
methods:
• WPA Enterprise: The XTM wireless device accepts connections from wireless devices
configured to use WPA Enterprise authentication.
• WPA/WPA2 Enterprise: The XTM wireless device accepts connections from wireless
devices configured to use WPA Enterprise or WPA2 Enterprise authentication.
• WPA2 Enterprise: The XTM wireless device accepts connections from wireless devices
configured to use WPA2 Enterprise authentication. WPA2 implements the full 802.11i standard;
it does not work with some older wireless network cards.
For more information about these authentication methods, see WPA and WPA2 Enterprise
Authentication.
To use the Enterprise authentication methods, you must configure an external RADIUS authentication
server or configure the XTM device as an authentication server.
For more information about how to configure the settings for these authentication methods, see:
• Use a RADIUS Server for Wireless Authentication
• Use the XTM Device as an Authentication Server for Wireless Authentication
Use a RADIUS Server for Wireless Authentication
If you select the WPA Enterprise, WPA2 Enterprise, or WPA/WPA2 Enterprise authentication
methods in your wireless configuration, you can use a RADIUS server for wireless authentication.
To configure your wireless access point to use RADIUS authentication:
1. Select Network > Wireless.
2. Click Configure adjacent to the Access point 1, Access point 2, or Wireless Guest
configuration.
3. Select the Wireless tab.
4. From the Encryption (Authentication) drop-down list, select WPA Enterprise, WPA2
Enterprise, or WPA/WPA2 Enterprise.
The Encryption, Authentication server, and EAP authentication timeout settings appear.
5. From the Encryption algorithm drop-down list, select the encryption method. For more
information, see Set the Encryption Level.
6. From the Authentication server drop-down list, select RADIUS.
The authentication and protocol configuration settings are disabled. You must configure these
settings on your RADIUS server.
7. In the EAP authentication timeout text box, you can change the timeout value for
authentication. The default is 3600 seconds.
8. Click Return to Main Page.
9. Click Save.
If you have not previously configured a RADIUS server, you are prompted to do this when you click
Save. For more information, see Configure RADIUS Server Authentication.
Use the XTM Device as an Authentication Server for Wireless
Authentication
If you select the WPA Enterprise, WPA2 Enterprise, or WPA/WPA2 Enterprise authentication
methods in your wireless configuration, you can use the XTM device as the authentication server for
wireless authentication.
1. Select Network > Wireless.
2. Click Configure adjacent to the required wireless interface.
3. Select the Wireless tab.
4. From the Encryption (Authentication) drop-down list, select WPA Enterprise, WPA2
Enterprise or WPA/WPA2 Enterprise.
5. From the Encryption algorithm drop-down list, select the encryption method to use. For more
information, see Set the Encryption Level.
6. From the Authentication server drop-down list, select Firebox-DB.
7. In the EAP authentication timeout text box, you can change the timeout value for
authentication. The default is 3600 seconds.
8. From the EAP protocol drop-down list, select the EAP protocol wireless clients must use to
connect to the access point.
• EAP-PEAP: EAP Protected Extensible Authentication Protocol
• EAP-TTLS: EAP Tunneled Transport Layer Security
• EAP-TLS: EAP Transport Layer Security
9. From the EAP tunnel protocol drop-down list, select the EAP tunnel protocol to use. The
available tunnel protocols depend on the selected EAP protocol.
10. From the Select Certificate drop-down list, select the certificate type to use for authentication.
• Default certificate signed by Firebox: This is the default.
• Third party certificates: Select from a list of installed third party certificates.
11. If you selected Third party certificates, select a certificate from the Certificate drop-down list.
12. If you want to use a certificate authority (CA) to validate the client certificate, select the
Validate client certificate check box and select a CA certificate from the CA Certificate drop-
down list.
For more information about certificates, see About Certificates.
13. Click Return to Main Page.
14. Click Save.
To use this authentication method, you must configure your XTM device as an authentication server.
For more information, see Configure Your XTM Device as an Authentication Server.
Set the Encryption Level
From the Encryption algorithm drop-down list in the wireless access point configuration, select the
level of encryption for your wireless connections. The available selections change when you use
different authentication mechanisms. The Fireware XTM OS automatically creates a random
encryption key for you when a key is required. You can use this key or change it to a different key.
Each wireless client must use this same key when it connects to the XTM wireless device.
Encryption for Open System and Shared Key Authentication
Encryption options for Open System and Shared Key authentication are WEP 64-bit hexadecimal,
WEP 40-bit ASCII, WEP 128-bit hexadecimal, and WEP 128-bit ASCII. If you select Open System
authentication, you can also select Disabled.
1. If you use WEP encryption, in the Key text boxes, type hexadecimal or ASCII characters. Not
all wireless adapter drivers support ASCII characters. You can have a maximum of four keys,
numbered 1 - 4.
• A WEP 64-bit hexadecimal key must have 10 hexadecimal (0-f) characters.
• A WEP 40-bit ASCII key must have 5 characters.
• A WEP 128-bit hexadecimal key must have 26 hexadecimal (0-f) characters.
• A WEP 128-bit ASCII key must have 13 characters.
2. If you typed more than one key, in the Key Index text box, type the key number to use as the
default key.
The XTM wireless device can use only one wireless encryption key at a time. If you select a
key other than the first key in the list, you also must set your wireless client to use the same
key.
Encryption for WPA and WPA2 Authentication
The encryption options for Wi-Fi Protected Access (WPA and WPA2) authentication methods are:
• TKIP: Use only TKIP (Temporal Key Integrity Protocol) for encryption. This option is not
available if you configure the Radio Settings to use a wireless mode that supports 802.11n.
• AES: Use only AES (Advanced Encryption Standard) for encryption.
• TKIP or AES: Use either TKIP or AES.
We recommend that you select TKIP or AES. This allows the XTM wireless device to accept
connections from wireless clients configured to use TKIP or AES encryption. For 802.11n wireless
clients, we recommend you configure the wireless client to use AES encryption.
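Two of the key formats this section describes can be checked before they are typed into the Web UI: the four WEP key lengths listed under Open System and Shared Key, and the WPA/WPA2 pre-shared key that all clients must share. The Python below is an added example and is not code from the WatchGuard guide or from Fireware. The WEP rules are exactly the four the guide lists. The passphrase-to-PSK mapping is the 802.11i one (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output), which the guide does not state and is assumed here to be what WPA-Personal clients compute; the random-key helper is an illustration of generating a 256-bit key, not Fireware's own generator. The passphrase and SSID in the sample run are constructed.

```python
"""WEP key format checks and WPA/WPA2 pre-shared key derivation.

Added example, not Fireware code. The WEP length rules are the four from the
guide; the PSK derivation is the 802.11i passphrase-to-PSK mapping (assumed
here, not stated by the guide); random_psk_hex is illustrative only.
"""
import hashlib
import secrets
import string

# Web UI encryption option -> (required key length, must be hexadecimal?)
WEP_KEY_RULES = {
    "WEP 64-bit hexadecimal": (10, True),
    "WEP 40-bit ASCII": (5, False),
    "WEP 128-bit hexadecimal": (26, True),
    "WEP 128-bit ASCII": (13, False),
}


def wep_key_is_valid(option: str, key: str) -> bool:
    """True if `key` has the length and alphabet the chosen WEP option requires."""
    if option not in WEP_KEY_RULES:
        raise ValueError(f"unknown WEP option: {option}")
    length, is_hex = WEP_KEY_RULES[option]
    if len(key) != length:
        return False
    if is_hex:
        return all(c in string.hexdigits for c in key)
    # ASCII keys: the guide notes that not every adapter driver supports them.
    return key.isascii() and key.isprintable()


def wpa_psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK that WPA/WPA2-Personal clients compute from a passphrase.

    802.11i (assumed here): PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations,
    32-byte output. The access point and every client must arrive at the same
    bytes, which is why the SSID is part of the input.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               4096, dklen=32)


def random_psk_hex() -> str:
    """A random 256-bit PSK as 64 hex characters (illustrative, not Fireware's generator)."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    for option, key in (("WEP 64-bit hexadecimal", "0123456789"),
                        ("WEP 128-bit ASCII", "thirteen-char"),
                        ("WEP 40-bit ASCII", "too-long")):
        print(f"{option:25s} {key!r:18s} valid={wep_key_is_valid(option, key)}")
    print("PSK for sample passphrase:",
          wpa_psk_from_passphrase("correct horse battery", "ExampleSSID").hex())
    print("Random PSK:", random_psk_hex())
```

Because the SSID salts the derivation, changing the SSID on the access point changes the PSK every client computes from the same passphrase; the guide's advice to give each access point a unique SSID and to have all clients use the same key follows from this.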
Enable Wireless Connections (Fireware XTM OS
v11.9.x and Later)
You can enable Access Point 1, Access Point 2, or Access Point 3 on your wireless XTM device for
any network type, and configure the wireless interfaces with the same type of settings as an internal
network interface.
The wireless interfaces appear on the network Interfaces page with these interface names:
Access Point      Interface Name
Access Point 1    ath1
Access Point 2    ath2
Access Point 3    ath3
For more information about network interfaces, see About Network Interface Setup.
To enable wireless connections:
1. Select Network > Wireless.
The Wireless configuration page appears.
2. Select the Enable wireless check box.
3. Select Enable wireless access points.
4. Adjacent to Access point 1, Access point 2, or Access point 3, click Configure.
The Wireless Access Point configuration dialog box appears.
5. From the Interface Type drop-down list, select an interface type for this Access Point interface.
• Trusted
• Optional
• Bridge
• VLAN
• Custom
6. Click OK.
7. Select the Wireless tab.
8. To configure the wireless interface to send and answer SSID requests, select the Broadcast
SSID and respond to SSID queries check box.
9. To send a log message each time a wireless computer tries to connect to the interface, select
the Log Authentication Events check box.
10. To require wireless users to use the WatchGuard Mobile VPN with IPSec Client, select the
Require encrypted Mobile VPN with IPSec connections for wireless clients check box.
When you select this option, the XTM device only allows DHCP, DNS, IKE (UDP port 500),
and ESP packets over the wireless network. If you require wireless users to use the IPSec
Mobile VPN Client, it can increase the security for wireless clients if you do not select WPA or
WPA2 as the wireless authentication method.
11. In the Network name (SSID) text box, type a unique name for your wireless optional network,
or use the default name.
12. To change the fragmentation threshold, in the Fragmentation Threshold text box, type a
value: 256-2346.
WatchGuard recommends that you do not change this setting.
13. To change the RTS threshold, in the RTS Threshold text box, type a value: 256-2346.
WatchGuard recommends that you do not change this setting.
14. From the Encryption (Authentication) drop-down list, select the encryption and authentication
to enable for wireless connections to the optional interface.
WatchGuard recommends that you select WPA2 if the wireless devices in your network can
support WPA2.
15. From the Encryption algorithm drop-down list, select the type of encryption to use for the
wireless connection and specify the keys or passwords required for the type of encryption you
select.
If you select an encryption option with pre-shared keys, a random pre-shared key is generated
for you. You can use this key or type another key.
16. Save the configuration.
If you enable wireless connections to the trusted interface, WatchGuard recommends that you restrict
access by MAC address. This is to make sure users cannot connect to the wireless XTM device from
unauthorized computers that could contain viruses or spyware.
To enable MAC access control:
1. Select the MAC Access Control tab.
2. Configure the settings to restrict network traffic on an interface, as described in Restrict
Network Traffic by MAC Address on page 179.
Wireless and wired networks operate as if they are on the same local network.
Broadcast traffic, such as DHCP requests, can pass between wired and wireless
clients. If a DHCP server is active on the physical network, or if a wireless client is
configured as a DHCP server, then all wired and wireless clients on that network can
receive IP addresses from that DHCP server.
Enable Wireless Connections (Fireware XTM OS
v11.8.x and Older)
For a wireless XTM device that runs Fireware XTM OS v11.8.x or older, you can enable Access Point
1 and Access Point 2 on your wireless device to bridge to a trusted or optional network.
To bridge Access Point 1 and Access Point 2 to the same network, the XTM device
must run Fireware XTM OS v11.8.1 or higher.
When you enable an access point on your wireless device to bridge to an interface, you must select
whether to use a trusted or an optional interface.
Trusted
Any wireless clients on the trusted network have full access to computers on the trusted
and optional networks, and access to the Internet as defined in the outgoing firewall rules
on your Firebox or XTM device.
If the wireless client sets the IP address on its wireless network card with DHCP, the
DHCP server on the trusted network of the XTM device must be active and configured.
Optional
Any wireless clients on the optional network have full access to computers on the optional
network, and access to the Internet as defined in the outgoing firewall rules on your XTM
device.
If the wireless client sets the IP address on its wireless network card with DHCP, the
DHCP server on the optional network of the Firebox or XTM device must be active and
configured.
To enable wireless connections to your trusted or optional network:
1. Select Network > Wireless.
The Wireless configuration page appears.
2. Select Enable wireless access points.
3. Adjacent to Access point 1 or Access point 2, click Configure.
The Wireless Access Point configuration dialog box appears.
4. Select the Enable wireless bridge to a Trusted or Optional interface check box.
5. From the Enable wireless bridge to a Trusted or Optional interface drop-down list, select
an option:
• Trusted
• Optional
6. To configure the wireless interface to send and answer SSID requests, select the Broadcast
SSID and respond to SSID queries check box.
7. To send a log message each time a wireless computer tries to connect to the interface, select
the Log Authentication Events check box.
8. To require wireless users to use the WatchGuard Mobile VPN with IPSec Client, select the
Require encrypted Mobile VPN with IPSec connections for wireless clients check box.
When you select this option, the Firebox or XTM device only allows DHCP, DNS, IKE
(UDP port 500), and ESP packets over the wireless network. This can increase the security for
wireless clients if you do not select WPA or WPA2 as the wireless authentication method.
9. In the Network name (SSID) text box, type a unique name for your wireless optional network or
use the default name.
10. To change the fragmentation threshold, in the Fragmentation Threshold text box, type a
value: 256-2346.
WatchGuard recommends that you do not change this setting.
11. To change the RTS Threshold, in the RTS Threshold text box, type a value: 256-2346.
WatchGuard recommends that you do not change this setting.
12. From the Encryption (Authentication) drop-down list, select the encryption and authentication
options to enable for wireless connections to the optional interface.
WatchGuard recommends that you use WPA2, if the wireless devices in your network can
support WPA2.
13. From the Encryption algorithm drop-down list, select the type of encryption to use for the
wireless connection and add the keys or passwords for the type of encryption you select.
If you select an encryption option with pre-shared keys, a random pre-shared key is generated
for you. You can use this key or type your own.
14. Save the configuration.
If you enable wireless connections to the trusted interface, you can also restrict access by MAC
address. This prevents users from connecting to the XTM wireless device from unauthorized
computers that could contain viruses or spyware.
1. To enable MAC access control, select the MAC Access Control tab.
2. Configure the settings as described in Restrict Network Traffic by MAC Address on page 179.
When you enable wireless connections to a trusted or optional interface, the wireless
and wired networks operate as if they are on the same local network. Broadcast
traffic, such as DHCP requests, can pass between wired and wireless clients. If a
DHCP server is active on the physical network, or if a wireless client is configured as
a DHCP server, then all wired and wireless clients on that network can receive IP
addresses from that DHCP server.
To configure a wireless guest network with no access to the computers on your trusted or optional
networks, see Enable a Wireless Guest Network (Fireware XTM OS v11.8.x and Older) on page 309.
Enable a Wireless Guest Network (Fireware
XTM OS v11.9.x and Later)
To enable a wireless network for guest users, you can configure an access point in the custom zone
and use the wireless interface alias when you configure the policies for traffic from wireless clients.
For more information on the custom zone, see Configure a Custom Interface.
To set up an access point on a wireless XTM device as a guest network:
1. Select Network > Wireless.
The Wireless Configuration page appears.
2. Select Enable wireless access points.
3. Adjacent to an access point, click Configure.
The Access Point Configuration dialog box appears.
4. Select the Enable Access Point x check box.
For example, if you selected access point 1, select the Enable Access Point 1 check box.
5. From the Interface Type drop-down list, select Custom.
6. In the IP Address text box, type the private IP address to use for the wireless guest network.
The IP address you specify must not already be in use on one of your network interfaces.
7. To configure the XTM device as a DHCP server when a wireless device tries to make a
connection, from the drop-down list, select DHCP Server.
8. Select the Wireless tab.
The Wireless settings appear with the security settings for the wireless guest network.
9. To make your wireless guest network name visible to guest users, select the Broadcast SSID
and respond to SSID queries check box.
10. To send a log message each time a wireless computer tries to connect to the guest wireless
network, select the Log Authentication Events check box.
11. To require wireless users to use the WatchGuard Mobile VPN with IPSec Client, select the
Require encrypted Mobile VPN with IPSec connections for wireless clients check box.
When you select this option, the XTM device only allows DHCP, DNS, IKE (UDP port 500),
and ESP packets over the wireless network. This can increase the security for wireless clients
if you do not select WPA or WPA2 as the wireless authentication method.
12. In the Network name (SSID) text box, type a unique name for your wireless guest network or
keep the default name.
13. To change the fragmentation threshold, in the Fragmentation Threshold text box, type a
value: 256-2346.
WatchGuard recommends that you do not change this setting.
14. To change the RTS Threshold, in the RTS Threshold text box, type a value: 256-2346.
WatchGuard recommends that you do not change this setting.
15. From the Authentication drop-down list, select the type of authentication to enable for
connections to the wireless guest network.
Select the setting for the type of guest access you want to provide, and whether you want to
require your guests to enter a passphrase to use the network.
16. From the Encryption / Authentication drop-down list, select the type of encryption to use for
the wireless connection and specify the keys or passwords required for the type of encryption
you select.
If you select an authentication option that uses pre-shared keys, a random pre-shared key is
generated for you. You can use this key or type a new key.
17. Click Return to Main Page.
18. Click Save.
You can also configure your wireless guest network as a hotspot. For more information, see Enable a
Hotspot on page 567.
Another configuration option you can select is to restrict access to the guest network by MAC address.
1. To enable MAC access control, select the MAC Access Control tab.
2. Configure the settings as described in Restrict Network Traffic by MAC Address on page 179.
Wireless Guest and Policies
You can use the Custom interface type for your wireless interface. Because a custom interface is not
included in the built-in aliases, traffic for a custom interface is not allowed through the Firebox or XTM
device unless you specifically configure policies to allow it. This is important for wireless guest
network security to make sure users cannot access a trusted or optional network.
For wireless guest policies, we recommend that you create a new alias named Any-Guest. You can
then use the Any-Guest alias in policies for your wireless guest network.
For more information, see Create an Alias.
Enable a Wireless Guest Network (Fireware
XTM OS v11.8.x and Older)
You can enable a wireless guest network to give a guest user wireless access to the Internet without
access to computers on your trusted and optional networks.
To set up a wireless guest network:
1. Select Network > Wireless.
The Wireless Configuration page appears.
2. Select Enable wireless access points.
3. Adjacent to Wireless guest, click Configure.
4. Select the Enable Wireless Guest Network check box.
Wireless connections are allowed through the XTM device to the Internet based on the rules you
have configured for outgoing access on your device. These computers have no access to
computers on the trusted or optional network.
5. In the IP Address text box, type the private IP address to use for the wireless guest network.
The IP address you type must not already be in use on one of your network interfaces.
6. In the Subnet Mask text box, type the subnet mask.
The correct value is usually 255.255.255.0.
7. To configure the XTM device as a DHCP server when a wireless device tries to make a
connection, select the Enable DHCP Server on Wireless Guest Network check box.
8. To see the security settings for the wireless guest network, select the Wireless tab.
The Wireless settings appear.
9. To make your wireless guest network name visible to guest users, select the Broadcast SSID
and respond to SSID queries check box.
10. To send a log message to the log file each time a wireless computer tries to connect to the
guest wireless network, select the Log Authentication Events check box.
11. To allow wireless guest users to send traffic to each other, clear the Prohibit client to client
wireless network traffic check box.
12. In the Network name (SSID)) text box, type a unique name for your wireless guest network or
use the default name.
13. To change the fragmentation threshold, in the Fragmentation Threshold text box, type a
value: 2562346.
WatchGuard recommends that you do not change this setting.
14. To change the RTSThreshold, in the RTSThreshold text box, type a value: 256-2346.
WatchGuard recommends that you do not change this setting.
15. Fromthe Authentication drop-down list, select the type of authentication to enable for
connections to the wireless guest network.
Select the setting for the type of guest access you want to provide, and whether you want to
require your guests to enter a passphrase to use the network.
16. Fromthe Encryption / Authentication drop-down list, select the type of encryption to use for
the wireless connection and add the keys or passwords required for the type of encryption you
select.
If you select an authentication option that uses pre-shared keys, a randompre-shared key is
generated for you. You can use this key or type a new key.
17. Click Return to Main Page.
18. Click Save.
You can also configure your wireless guest network as a hotspot. For more information, see Enable a
Hotspot on page 567.
Another configuration option you can select is to restrict access to the guest network by MAC address.
1. To enable MAC access control, select the MAC Access Control tab.
2. Configure the settings as described in Restrict Network Traffic by MAC Address on page 179.
Enable a Hotspot on a Wireless Access Point
You can enable a hotspot for any of the enabled wireless networks on a wireless Firebox or
XTM device. When you enable a hotspot, you must select an interface for the hotspot. In the hotspot
configuration, there are three interface names that correspond to the three wireless access points you
can enable on the XTM wireless device:

Interface Name                                    Wireless Access Point
WG-Wireless-Access-Point1                         Access Point 1
WG-Wireless-Access-Point2                         Access Point 2
WG-Wireless-Guest or WG-Wireless-Access-Point3    Access Point 3 (Fireware XTM OS v11.9.x or later)
                                                  Wireless Guest (Fireware XTM OS v11.8.x or older)

In the hotspot configuration, only the enabled wireless access points appear in the list of interfaces you
can select.
Hotspot configuration settings for both wired and wireless XTM devices are configured in the
Authentication settings for your XTM device.
For more information about how to configure a hotspot, see Enable a Hotspot on page 567.
Configure Your External Interface as a Wireless Interface
In areas with limited or no existing network infrastructure, you can use your XTM wireless device to
provide secure network access. You must physically connect your network devices to the XTM
device. Then you configure your external interface to connect to a wireless access point that connects
to a larger network.
When the external interface is configured with a wireless connection, the XTM
wireless device can no longer be used as a wireless access point. To provide
wireless access for users, connect a wireless access point device to the XTM
wireless device.
Configure the Primary External Interface as a Wireless Interface
1. Select Network > Wireless.
The Wireless Configuration page appears.
2. Select Enable wireless client as external interface.
3. Click Configure.
The external interface settings appear.
4. In the Configuration Mode drop-down list, select an option:
Static IP
To use a static IP address, select this option. Type the IP Address, Subnet Mask, and
Default Gateway you use to connect to the wireless network.
DHCP
To configure the external interface as a DHCP client, select this option. Configure the
DHCP client settings.
For more information about how to configure the external interface to use a static IP address or
DHCP, see Configure an External Interface on page 144.
5. Select the Wireless tab.
The wireless client configuration settings appear.
6. In the Network name (SSID) text box, type the name of the external wireless network this
device connects to.
7. In the Encryption (Authentication) drop-down list, select the encryption and authentication
method to use for the wireless connection. We recommend that you use WPA2 if the wireless
device you connect to supports it.
For more information about wireless authentication methods, see About Wireless Security
Settings on page 293.
8. In the Encryption algorithm drop-down list, select the type of encryption to use for the
wireless connection. Add the passphrase or keys required for the type of encryption you select.
9. Click Save.
Configure a BOVPN tunnel for additional security
To create a wireless bridge and provide additional security, you can add a BOVPN tunnel between your
XTM device and the external gateway. You must set the mode to Aggressive Mode in the Phase 1
settings of your BOVPN configuration on both devices.
For information about how to set up a BOVPN tunnel, see About Manual Branch Office VPN Tunnels
on page 1010.
About Wireless Radio Settings
WatchGuard XTM wireless devices use radio frequency signals to send and receive traffic from
computers with wireless Ethernet adapters.
To view or change the radio settings:
1. Connect to Fireware XTM Web UI.
2. Select Network > Wireless.
The Wireless page appears. The radio settings appear at the bottom of the page.
Country is Set Automatically
Due to regulatory requirements in different parts of the world, you cannot use all wireless radio settings
in every country. Each time you power on the XTM wireless device, the device contacts a WatchGuard
server to determine the country and the allowed wireless radio settings for that country. To do this, the
device must have an Internet connection. Once the country is determined, you can configure all
supported wireless radio settings that can be used in that country.
In the Wireless Configuration dialog box, the Country setting shows which country the device detects
it is in. You cannot change the Country setting. The available options for the other radio settings are
based on the regulatory requirements of the country the device detects it is located in.
If the XTM wireless device cannot connect to the WatchGuard server, the country is
unknown, and is shown as Default. In this case, you can only select from the limited
set of wireless radio settings that are allowed in all countries. The XTM wireless
device periodically continues to retry to connect to the WatchGuard server to
determine the country and allowed wireless radio settings.
If the XTM wireless device does not have a country set yet, or if the country is not up to date, you can
force the device to update the wireless country information.
To update the Wireless Radio Region:
1. Select System Status > Wireless Statistics.
2. Click Update Country Info.
The XTM wireless device contacts a WatchGuard server to determine the current operating region.
Select the Band and Wireless Mode
The WatchGuard XTM wireless device supports two different wireless bands, 2.4 GHz and 5 GHz.
The band you select and the country determine the wireless modes available. Select the Band that
supports the wireless mode you want to use. Then select the mode from the Wireless mode drop-
down list.
The 2.4 GHz band supports these wireless modes:
802.11n,802.11g,802.11b
This is the default mode in the 2.4 GHz band, and is the recommended setting. This mode
allows the XTM wireless device to connect with devices that use 802.11n, 802.11g, or 802.11b.
802.11b,802.11g
This mode allows the XTM wireless device to connect to devices that use 802.11g or 802.11b.
802.11n,802.11g
This mode allows the XTM wireless device to connect to devices that use 802.11n or 802.11g.
This mode is supported only on XTM wireless devices that use Fireware XTM v11.8.3 or higher.
802.11b
This mode allows the XTM wireless device to connect only to devices that use 802.11b.
The 5 GHz band supports these wireless modes:
802.11a and 802.11n
This is the default mode in the 5 GHz band. This mode allows the XTM wireless device to connect
to devices that use 802.11a or 802.11n.
802.11a ONLY
This mode allows the XTM wireless device to connect only to devices that use 802.11a.
If you choose a wireless mode that supports multiple 802.11 standards, the overall
performance can drop considerably. This is partly because of the need for backward
compatibility when devices that use slower modes are connected. The slower
devices tend to dominate the throughput because it can take much longer to send or
receive the same amount of data to devices that use a slower mode.
The 5 GHz band provides greater performance than the 2.4 GHz band, but is not compatible with all
wireless devices. Select the band and mode based on the wireless cards in the devices that will
connect to the XTM wireless device.
Select the Channel
The available channels depend on the country and the wireless mode you select. By default, the
Channel is set to Auto. When the channel is set to Auto, the XTM wireless device automatically
selects a quiet channel from the available list in the band you have selected. Or you can select a
specific channel from the Channel drop-down list.
Monitor Wireless Access Points and Clients
From the Fireware XTM Web UI, you can monitor statistics for the access points configured on your
XTM wireless device, and see statistics about connected wireless clients. You can also update the
country information for your wireless XTM device.
To see wireless statistics, select System Status > Wireless Statistics.
For more information about this system status page, see Wireless Statistics.
Configure the Wireless Card on Your Computer
These instructions are for the Windows XP with Service Pack 2 operating system. For installation
instructions for other operating systems, see your operating system documentation or help files.
1. Select Start > Settings > Control Panel > Network Connections.
The Network Connections dialog box appears.
2. Right-click Wireless Network Connection and select Properties.
The Wireless Network Connection dialog box appears.
3. Select the Wireless Networks tab.
4. Below Preferred Networks, click Add.
The Wireless Network Properties dialog box appears.
5. Type the SSID in the Network Name (SSID) text box.
6. Select the network authentication and data encryption methods in the drop-down lists. If
necessary, clear The key is provided for me automatically check box and type the network
key two times.
7. Click OK to close the Wireless Network Properties dialog box.
8. Click View Wireless Networks.
All available wireless connections appear in the Available Networks text box.
9. Select the SSID of the wireless network and click Connect.
If the network uses encryption, type the network key twice in the Wireless Network Connection
dialog box and click Connect again.
10. Configure the wireless computer to use DHCP.
Rogue Access Point Detection
You can configure your XTM wireless device to detect (unknown) wireless access points that operate
in the same area. A rogue access point is any wireless access point within range of your network that
is not recognized as an authorized access point. When you enable rogue access point detection on
your XTM wireless device, the wireless radio in the device scans wireless channels to identify
unknown wireless access points. You can configure the scan to run continuously, or to run at a
scheduled interval and time of day.
When a rogue access point scan begins, the XTM wireless device scans the airwaves within range for
other radio broadcasts. The device scans for wireless access points in 802.11a, 802.11b, 802.11g, and
802.11n wireless modes on all available wireless channels for the country where the device is located.
The scan is not limited to the wireless mode and channel settings configured in the radio settings of
your device.
When the XTM wireless device detects the signal of another wireless access point, it compares the
characteristics of the access point to a list of trusted access points that you configure. If the
discovered access point does not match any trusted access point, the XTM device reports the device
as a potential rogue access point. You can configure the device to send an alarm when a rogue access
point is detected. If you enable logging, you can run a report of all scans and scan results.
Enable Rogue Access Point Detection
To configure rogue access point detection on your XTM wireless device, you need to know the
configuration of the other wireless access points on your network; this enables you to identify them as
trusted in your configuration. You can then set up a schedule for rogue access point detection scans.
Configure Rogue Access Point Detection
1. Select Network > Wireless.
The Wireless page appears.
2. Select the Enable rogue access point detection check box.
3. Adjacent to the Enable rogue access point detection check box, click Configure.
The Trusted Access Point Configuration page appears.
On the Access Points tab you can add information about all other trusted wireless access
points on your network so the rogue access point scan does not identify them as potential rogue
access points.
Add a Trusted Access Point
1. To add a trusted access point to the list, click Add.
The Trusted access point dialog box appears.
In the Trusted access point dialog box, provide as much information as you can to identify
your trusted access point. The more information you provide, the more likely it is that a rogue
access point detection scan can correctly identify a trusted access point.
2. In the Network name (SSID) text box, type the SSID of the trusted access point.
3. In the MAC address (Optional) text box, type the wireless MAC address of the trusted access
point.
If your trusted access point is an XTM wireless device, see Find the Wireless MAC Address of
a Trusted Access Point.
4. From the Channel drop-down list, select the channel used by the trusted access point. If the
trusted access point is a WatchGuard device and the Channel in the radio settings of that
trusted wireless device is set to Auto, select Any.
5. From the Encryption drop-down list, select the encryption method used by the trusted access
point.
The WPA or WPA2 authentication and encryption settings that apply to the encryption method you
select are enabled.
6. If you select WPA or WPA/WPA2 as the encryption method, configure the WPA settings to
match the configuration of your trusted access point.
Or, if you do not know these settings, select the Match any authentication and encryption
algorithms check box.
7. If you selected WPA2 or WPA/WPA2 as the encryption method, configure the WPA settings to
match the configuration of your trusted access point.
Or, if you do not know these settings, select the Match any authentication and encryption
algorithms check box.
8. Click OK.
The trusted access point is added to the list of trusted access points.
For information about how to add an XTM wireless device as a trusted access point, see Add an
XTM Wireless Device as a Trusted Access Point.
Edit or Remove a Trusted Access Point
To edit a trusted access point:
1. Select the access point in the list.
2. Click Edit.
3. Edit the information used to identify the trusted access point as described in the previous
section.
To remove a trusted access point, select the access point in the list and click Remove.
Configure Logging and Notification
You must enable logging to see information about rogue access point scans in a report. When you
enable logging, the log records the start and stop time, and the results of each scan. To enable logging,
select the Enable logging for reports check box.
You can also configure the device to notify you when a rogue access point is detected. To configure
notification:
1. Click the Notification tab.
2. Select a notification method: SNMP trap, email message, or pop-up window.
For more information about notification settings, see Set Logging and Notification Preferences on page
882.
Set the Scan Frequency
If you enable rogue access point detection on an XTM wireless device that is also configured as a
wireless access point, the device alternates between the two functions. When a rogue access point
scan is not in progress, the device operates as a wireless access point. When a rogue access point scan
begins, the XTM device access point functionality is temporarily disabled, and wireless clients cannot
connect to the XTM wireless device until the scan completes. You cannot set the scan frequency to
Always scan if your device is also configured as a wireless access point.
If your XTM wireless device is configured to operate as a wireless client, the rogue access point scan
does not interrupt the wireless connection, but it does decrease the throughput of the wireless
connection while the scan is in progress.
To set the scan frequency:
1. In the Trusted Access Point Configuration dialog box, select the Schedules tab.
2. Select the scan frequency.
• Select Always scan to automatically scan for rogue access points every 15 minutes.
• Select Schedule a scan to scan on a periodic schedule.
3. If you selected Schedule a scan, select how often the scan should run (daily, weekly, or
monthly) and select the time of day to start the scan.
4. Click Return to Main Page.
5. Click Save.
If you have added information about some trusted access points but still need to collect information
about other trusted access points, you might not be ready to enable the rogue access point scan. To
disable rogue access point detection scans, in the Wireless Configuration page, clear the Enable
rogue access point detection check box. When you disable rogue access point detection, your
trusted access point information is saved, but the device does not scan for rogue access points.
Add an XTM Wireless Device as a Trusted Access Point
If you have multiple wireless access points, you must add their information to the rogue access point
detection configuration's trusted access points list. The wireless settings you can select to identify a
trusted wireless access point are similar to the settings you use to configure an XTM wireless device
as a wireless access point. Use these steps to find the settings for your XTM wireless device so you
can add it to the trusted access point list.
Find the Settings for Your XTM Trusted Access Points
To find the required settings to identify a trusted access point:
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. In the Radio Settings section, make a note of the Channel.
3. Click Configure adjacent to the enabled wireless access point name.
The Wireless settings for this access point appear.
4. Make a note of these settings:
• Network name (SSID)
• Encryption / Authentication
• Encryption algorithm
5. Find the wireless MAC address. For an XTM 2 Series wireless device, the wireless
MAC address is six higher than the MAC address of the Eth0 interface.
For more information, see Find the Wireless MAC Address of a Trusted Access Point.
An XTM wireless device can have up to three enabled wireless access points with different settings. If
the XTM wireless device has multiple enabled access points, repeat these steps to get the information
about each enabled access point. Repeat these steps for any other trusted access points on your
network.
Add the Trusted Access Points to the Trusted Access Point List
On the wireless device that performs the rogue access point scan:
1. Select Network > Wireless.
2. Select the Enable rogue access point detection check box.
3. Adjacent to Enable rogue access point detection, click Configure.
The list of trusted access points appears.
4. Click Add.
The Trusted Access Point dialog box appears.
5. Type or select the information to match the configuration of your trusted access point.
For more information about these settings, see Enable Rogue Access Point Detection.
The Encryption / Authentication setting in the wireless network configuration
corresponds to two settings (Encryption and Authentication) in the Trusted Access
Point configuration.
6. Click OK to add the trusted access point.
Repeat these steps to add other trusted wireless access points.
Find the Wireless MAC Address of a Trusted Access Point
When you enable rogue access point detection, you can specify the wireless MAC address of your
other trusted wireless access points so they can be identified as trusted.
For an XTM 2 Series wireless device, the wireless MAC address is six higher than the MAC address of
the Eth0 interface. So, for example, if the Eth0 Interface on the 2 Series wireless device has a MAC
address of 00:90:7F:80:1A:61, the wireless MAC address for that device is 00:90:7F:80:1A:67.
To see the Eth0 interface MAC address, select Dashboard > Interfaces.
You can also see the wireless MAC address of a WatchGuard wireless device in the Status Report in
Firebox System Manager. For more information, see the WatchGuard System Manager User Guide or
WatchGuard System Manager Help.
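The trusted access point comparison described in Enable Rogue Access Point Detection, together with the Eth0 MAC + 6 rule above, as an added example that is not WatchGuard code: a Python model in which a blank MAC address, Channel set to Any, and the Match any authentication and encryption algorithms check box act as wildcards. The field names, the encryption labels (WPA, WPA2, WPA/WPA2, Open), the auth/cipher labels, and the scan results are constructed for the example.

```python
# Added example, not WatchGuard code: models how a rogue access point scan
# compares each discovered access point to the trusted access point list,
# and derives an XTM 2 Series wireless MAC from its Eth0 MAC (Eth0 MAC + 6).
# Field names, encryption labels, and the scan results below are constructed.
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (colon or dash separated, any case) into an integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def int_to_mac(value: int) -> str:
    """Format a 48-bit integer as an upper-case, colon-separated MAC address."""
    digits = f"{value & 0xFFFFFFFFFFFF:012X}"
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def wireless_mac_from_eth0(eth0_mac: str, offset: int = 6) -> str:
    """XTM 2 Series rule from the guide: wireless MAC = Eth0 MAC + 6.
    The addition carries across octets, so ...:1A:FB becomes ...:1B:01."""
    return int_to_mac(mac_to_int(eth0_mac) + offset)


@dataclass
class TrustedAP:
    """One entry in the trusted access point list; None means 'not specified'."""
    ssid: str
    mac: Optional[str] = None          # MAC address (Optional)
    channel: Optional[int] = None      # None corresponds to Channel "Any"
    encryption: Optional[str] = None   # "WPA", "WPA2", "WPA/WPA2", "Open" (constructed labels)
    match_any_auth: bool = False       # Match any authentication and encryption algorithms
    auth: Optional[str] = None         # "PSK" or "Enterprise" (constructed labels)
    cipher: Optional[str] = None       # "AES" or "TKIP" (constructed labels)


# A discovered access point as a scan would report it (constructed shape).
ObservedAP = Dict[str, Any]


def encryption_matches(trusted_enc: Optional[str], observed_enc: str) -> bool:
    """WPA/WPA2 accepts either WPA or WPA2; any other value must match exactly."""
    if trusted_enc is None:
        return True
    if trusted_enc == "WPA/WPA2":
        return observed_enc in ("WPA", "WPA2")
    return observed_enc == trusted_enc


def is_trusted(observed: ObservedAP, trusted: TrustedAP) -> bool:
    """True when every field the trusted entry specifies agrees with the observation."""
    if observed["ssid"] != trusted.ssid:
        return False
    if trusted.mac is not None and mac_to_int(observed["mac"]) != mac_to_int(trusted.mac):
        return False
    if trusted.channel is not None and observed["channel"] != trusted.channel:
        return False
    if not encryption_matches(trusted.encryption, observed["encryption"]):
        return False
    if not trusted.match_any_auth:
        if trusted.auth is not None and observed.get("auth") != trusted.auth:
            return False
        if trusted.cipher is not None and observed.get("cipher") != trusted.cipher:
            return False
    return True


def find_rogues(scan: List[ObservedAP], trusted_list: List[TrustedAP]) -> List[ObservedAP]:
    """Report every discovered access point that matches no trusted entry."""
    return [ap for ap in scan if not any(is_trusted(ap, t) for t in trusted_list)]


def demo_scan() -> List[str]:
    """Run the comparison over constructed scan results; returns the rogue MACs."""
    trusted = [
        # Trusted XTM 2 Series AP identified by its wireless MAC, derived from the
        # Eth0 MAC 00:90:7F:80:1A:61 used as the example in the guide; Channel = Any.
        TrustedAP(ssid="CorpWiFi", mac=wireless_mac_from_eth0("00:90:7F:80:1A:61"),
                  encryption="WPA2", auth="PSK", cipher="AES"),
        # Trusted guest AP whose WPA settings are unknown: match any auth/encryption.
        TrustedAP(ssid="Guest", channel=6, encryption="WPA/WPA2", match_any_auth=True),
    ]
    scan = [  # constructed results of one scan
        {"ssid": "CorpWiFi", "mac": "00:90:7f:80:1a:67", "channel": 11,
         "encryption": "WPA2", "auth": "PSK", "cipher": "AES"},   # trusted (any channel)
        {"ssid": "CorpWiFi", "mac": "AA:BB:CC:DD:EE:01", "channel": 11,
         "encryption": "WPA2", "auth": "PSK", "cipher": "AES"},   # same SSID, unknown MAC
        {"ssid": "Guest", "mac": "AA:BB:CC:DD:EE:02", "channel": 6,
         "encryption": "WPA", "auth": "PSK", "cipher": "TKIP"},   # trusted via WPA/WPA2
        {"ssid": "Guest", "mac": "AA:BB:CC:DD:EE:03", "channel": 1,
         "encryption": "WPA", "auth": "PSK", "cipher": "TKIP"},   # wrong channel
        {"ssid": "FreeWifi", "mac": "AA:BB:CC:DD:EE:04", "channel": 1,
         "encryption": "Open"},                                    # unknown SSID
    ]
    return [ap["mac"] for ap in find_rogues(scan, trusted)]


if __name__ == "__main__":
    print(demo_scan())  # ['AA:BB:CC:DD:EE:01', 'AA:BB:CC:DD:EE:03', 'AA:BB:CC:DD:EE:04']
```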
Rogue Access Point Scan Results
You can see the results of a wireless rogue access detection point scan in the Rogue Access Point
Detection (Wireless Intrusion Detection System) page. This page displays a list of untrusted wireless
access points found by the most recent rogue access point detection scan. This list does not include
access points that match the trusted access points defined in your wireless rogue access point
detection configuration.
To see and update the list:
1. Select System Status > Rogue AP Detection.
The Rogue Access Point Detection system status page appears.
2. To start an immediate scan for rogue access points, click Scan now.
The wireless access point starts a rogue access point detection scan and updates the list of
untrusted access points.
If an access point that you trust appears on this list, it is because you have not yet added it as a trusted
access point. For information about how to add an access point to the trusted access point list, see
Enable Rogue Access Point Detection.
9 WatchGuard AP Device Setup
Wireless Access Point Types
WatchGuard offers two types of wireless devices that you can use separately or together to add
secure wireless access points to your network: a WatchGuard XTM wireless device and a
WatchGuard Access Point device.
• A WatchGuard XTM wireless device
• A WatchGuard Access Point device
The configuration options and setup procedures for these two types of access point devices are
different.
WatchGuard XTM wireless device
You can enable up to three wireless access points on a WatchGuard XTM wireless device. The
settings to configure a WatchGuard XTM wireless device are in the Network > Wireless menu.
For more information, see About Wireless Device Configuration.
WatchGuard Access Point (AP) device
You can connect multiple WatchGuard AP devices to the trusted or optional network of an
XTM device, and manage them from any wired or wireless XTM device. You configure the
Gateway Access Controller on your XTM device to manage the WatchGuard AP devices.
The settings to configure WatchGuard AP devices are in the Network > Gateway Wireless
Controller menu.
For more information, see About AP Device Configuration.
About AP Device Configuration
Your WatchGuard Access Point (AP) device is an extension to your Firebox or XTM device. You can
connect one or more WatchGuard AP devices to your network to enable wireless access, expand the
wireless range of your network, and enable wireless access to different security zones in your network.
You configure and manage your AP devices through the Gateway Wireless Controller on your Firebox
or XTM device.
SSID Configuration
An SSID (Service Set Identifier) is the unique name you give to each wireless network. You can assign
more than one SSID to several different AP devices to accommodate different wireless configurations.
When you configure SSIDs for your WatchGuard AP devices, you can:
Assign the same SSID to more than one AP device (for wireless roaming on the same SSID)
When you assign the same SSID to more than one AP device, the range of that SSID is
extended. When a wireless client that is connected to an SSID moves to a different location on
your physical network, the wireless client can automatically connect to the AP device that has
the strongest signal for that SSID. This eliminates the need for users to manually reconnect
when they move their wireless devices around your office.
Assign more than one SSID to each AP device
You can also enable more than one SSID on each AP device. The number of SSIDs each
wireless AP device can support depends on the AP device model, and whether the device has
single or dual radios.
• AP100 / AP102: has one radio and supports a maximum of 8 SSIDs
• AP200: has two radios and supports a maximum of 16 SSIDs (eight per radio)
For each SSID, you configure the security and encryption settings that protect your network. For more
information, see Configure WatchGuard AP Device SSIDs.
When you configure the SSIDs for your AP devices, you can optionally enable VLAN tagging. If you
enable VLAN tagging for SSIDs on a WatchGuard AP device, you must also enable VLANs on the
network that the AP device connects to.
Enable VLAN tagging on your AP device SSIDs if you want to:
• Configure different firewall policies for SSIDs that connect to the same network
• Separate the traffic on the same physical network to different logical networks.
For more information, see Configure VLANs for WatchGuard AP Devices.
To support roaming for a wireless guest network, you might want to enable station isolation to make
sure wireless clients cannot directly send traffic to each other. This requires a VLAN, but does not
require VLAN tagging. For more information, see About AP Station Isolation.
AP Device Configuration
In the Gateway Wireless Controller AP device settings, you configure the radio settings for each AP
device and set the SSIDs each AP device uses.
For more information, see Configure AP Device Settings.
WatchGuard AP Device Requirements and Limitations
Before you add a WatchGuard AP device to your network, it is important to understand the
requirements and limitations of the AP device.
Requirements
• The WatchGuard AP device must be managed by a WatchGuard XTM device that uses
Fireware XTM OS v11.7.2 or higher.
• The XTM device must be configured in mixed routing mode.
• The AP device must connect to a trusted or optional network.
• The XTM device configuration must include a policy that allows NTP traffic from the AP device
to the Internet. The AP device uses an NTP server to set the correct local time.
The default Outgoing policy allows NTP traffic from the trusted network. If you
remove or disable the Outgoing policy, or if your AP device is connected to the
Optional network, you must add an NTP policy to allow outgoing NTP traffic from the
network the AP device connects to.
Limitations
• You cannot use the Fireware XTM Command Line Interface to manage WatchGuard AP
devices.
• You cannot use a WatchGuard Management Server to manage WatchGuard AP devices.
• You cannot locate WatchGuard AP devices behind a NAT firewall.
Plan your Wireless AP Device Deployment
Before you deploy WatchGuard AP devices on your network, you must research, design, and plan your
wireless network deployment to make sure it meets your requirements for coverage, signal strength,
data rates, and security.
We recommend that you review these sections for general wireless knowledge and guidelines for a
successful deployment.
Wireless Site Survey
Perform a wireless site survey to analyze your current environment and wireless requirements.
For more information, see Wireless Site Survey.
Wireless Modes and Channels
Determine which wireless modes and channels you support for your wireless clients.
For more information, see Wireless Modes and Channels.
Wireless Signal Strength and Noise Levels
Understand wireless signal strength and signal-to-noise ratios.
For more information, see Wireless Signal Strength and Noise Levels.
Wireless Environment Factors
Identify environmental factors that can affect the range and performance of wireless networks.
For more information, see Wireless Environmental Factors.
WatchGuard AP Device Placement
Determine the best location and placement of your WatchGuard AP devices.
For more information, see Wireless Placement.
Wireless Deployment Maps
Use the Wireless Deployment Maps feature on the Gateway Wireless Controller to help deploy
your WatchGuard AP devices, check signal strength, and resolve channel conflicts.
For more information, see View Wireless Deployment Maps.
Wireless Site Survey
Before you deploy a new WatchGuard AP device, you can perform a wireless site survey to analyze
your current environment and existing wireless signals. The wireless site survey helps you to identify
your specific requirements for your wireless network, and any external factors that could affect your
deployment.
Site survey results can help you determine this information:
• Number of wireless clients that must be supported
• Areas of coverage and number of AP devices required
• Best physical placement of AP devices
• Range from clients to each AP device
• Minimum data rates required for specific applications
• Wireless signal strength and potential sources of wireless noise and interference
• Environmental factors that affect wireless signals, such as building construction and materials
Typically, you begin a site survey with a physical walk-through of your environment. It is helpful to
have a floor plan of your facilities that shows your existing networking environment and a list of
requirements for your planned wireless networks. A visual inspection helps you to understand the
areas of coverage required, the physical limitations and barriers due to building construction, and
potential sources of wireless interference.
After you complete a physical inspection of your facilities, you must be able to visualize and
understand where the current wireless signals are located in your environment, and how they react to
your physical environment.
Many wireless site survey tools are available that enable you to map your environment and generate
wireless heat maps, which provide a visual representation of the wireless signals in your environment.
The heat map shows the strength and range of wireless access points, how their signals react to your
physical environment, and identifies any existing wireless interference.
To determine what wireless signals and interference already exist in your environment, you can
generate a heat map to help you plan your deployment scenario. You can use one of the many available
third-party wireless site survey tools, such as Ekahau HeatMapper. After you install your AP devices,
you can make another heat map of your environment to see if your current placement provides
adequate coverage and signal strength for your wireless network.
You can also use the Wireless Deployment Maps feature on the Gateway Wireless Controller to
provide a simulated physical view of your wireless network to help you place the AP devices in optimal
locations for maximum coverage, and to detect channel conflicts with other wireless devices in your
area.
For more information on the wireless maps feature, see Use Gateway Wireless Controller Maps.
For more information on how to use the wireless maps feature for AP device placement, see View
Wireless Deployment Maps.
Wireless Modes and Channels
WatchGuard AP wireless devices support two different wireless bands: 2.4 GHz and 5 GHz. The band
you select and the country you specify determine which wireless modes are available.
These wireless standards are supported:
                 802.11n             802.11g   802.11b   802.11a
Frequency Band   2.4 GHz and 5 GHz   2.4 GHz   2.4 GHz   5 GHz
Data Rate        600 Mbps            54 Mbps   11 Mbps   54 Mbps
Channel Width    20 and 40 MHz       20 MHz    20 MHz    20 MHz
Indoor range     230 ft              125 ft    115 ft    115 ft
The 802.11n protocol is the latest wireless standard, and provides high data rates and performance in
the 5 GHz frequency band. It is only supported in the most recent types of wireless devices.
For maximumperformance, select only the 802.11n standard in the 5 GHz band. This selection
requires that all the wireless devices on your network support the 802.11n standard. For most
environments, you must support legacy wireless devices that do not support 802.11n. Because of this,
WatchGuard recommends that you configure your WatchGuard AP device to use the default mixed
mode 802.11b/g/n.
If you choose a wireless mode that supports more than one 802.11 standards, the
overall performance can be considerably impacted. This is in part because of
backward compatibility requirement when devices that use slower modes are
connected. The slower devices often use more of the available throughput because it
can take much longer to send or receive the same amount of data to devices that use
a slower mode.
Wireless Channels
A wireless channel is a specific division of frequencies within a specific wireless band. For example, in
the 2.4 GHz band with a channel width of 20 MHz, there are 14 defined channels spaced every 5 MHz.
Channels 12 and 13 are available in countries outside of North America. Channel 14 is for Japan only
and is spaced 12 MHz above channel 13.
One wireless channel can overlap the frequency of another wireless channel. When you design and
deploy wireless networks, you must consider which channels you use for your wireless network. For
example, in the 2.4 GHz band, adjacent channels such as channels 3 and 4 have frequencies that
closely overlap, which can cause interference. In the 2.4 GHz band, channels 1, 6, and 11 are the most
commonly used channels. They do not overlap each other because of the space between their
center frequencies. The 2.4 GHz band is crowded because many other devices that operate on this
band (such as cordless phones, microwave ovens, monitors, and wireless headsets) also use the same
channels, and can cause wireless congestion.
In the 5 GHz band, channels are spaced so that each 20 MHz channel occupies its full width without
overlapping its neighbors, so there is a very large selection of channels that do not overlap. 802.11n
also enables you to combine two adjacent 20 MHz channels to form a 40 MHz channel for increased
bandwidth.
In some regions, DFS (Dynamic Frequency Selection) channels operate in the 5 GHz band. Because
DFS channels are shared with radar systems, your AP device must stop transmitting on a DFS channel
if it detects radar signals on that channel. You can disable the use of DFS channels in your AP device
configuration.
For the outdoor model AP102, you can configure the device to only use outdoor channels.
Channel Selection
The WatchGuard AP device is configured by default to automatically select a wireless channel. When
you power on the WatchGuard AP device, it automatically scans for nearby wireless networks and
selects the wireless channel with the least amount of interference.
The default channel width is configured as 20/40 MHz. This mixed mode sets the radio to use a 40 MHz
channel width, but includes the additional transmission information that enables it to operate in an
environment that includes 802.11a/b/g wireless access points.
Use Wireless Deployment Maps to Find Channel Conflicts
You can use the Wireless Deployment Maps feature in the Gateway Wireless Controller to help you
find wireless channel conflicts and optimize your wireless environment.
For more information on the wireless maps feature, see Use Gateway Wireless Controller Maps.
For more information on how to use the wireless maps feature to find and resolve channel conflicts,
see View Wireless Deployment Maps.
Wireless Signal Strength and Noise Levels
To make sure that all users in your environment receive a strong wireless signal, consider these
guidelines when you install your WatchGuard AP devices.
Signal Strength
The signal strength is the wireless signal power level received by the wireless client.
- Strong signal strength results in more reliable connections and higher speeds.
- Signal strength is represented in -dBm format (0 to -100). This is the power ratio in decibels (dB)
of the measured power referenced to one milliwatt.
- The closer the value is to 0, the stronger the signal. For example, -41 dBm is a better signal
strength than -61 dBm.
Noise Level
The noise level indicates the amount of background noise in your environment.
- If the noise level is too high, it degrades the effective strength and performance of your wireless
signal.
- Noise level is measured in -dBm format (0 to -100). This is the power ratio in decibels (dB) of the
measured power referenced to one milliwatt.
- The closer the value is to 0, the greater the noise level.
- More negative values indicate less background noise. For example, -96 dBm is a lower noise level
than -20 dBm.
Signal to Noise Ratio
The signal-to-noise ratio (SNR) is the ratio between the signal strength and the noise level. Because it
is the difference between two dBm values, it is expressed in dB, not dBm.
- In general, you should have a minimum signal-to-noise ratio of 25 dB. Values lower than 25 dB
result in poor performance and speeds.
For example:
- If you have a -41 dBm signal strength and a -50 dBm noise level, this results in a poor signal-to-
noise ratio of 9 dB.
- If you have a -41 dBm signal strength and a -96 dBm noise level, this results in an excellent
signal-to-noise ratio of 55 dB.
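The channel-overlap and SNR rules from the Wireless Channels, Channel Selection and Signal Strength sections above, applied to a constructed site-survey dump. This is an added example, not WatchGuard code or output from any WatchGuard tool: the Reading record layout, the BSSIDs and the readings are constructed for illustration, and the overlap test treats the listed channel as the center of the full channel width, which is a simplification.

```python
"""Analyze a constructed wireless site-survey dump: compute the SNR of each
reading against the guide's 25 dB minimum and find APs whose channels overlap.
Added example, not WatchGuard code; the record format and the readings are
constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations

MIN_SNR_DB = 25  # minimum signal-to-noise ratio recommended by the guide


@dataclass(frozen=True)
class Reading:
    ssid: str
    bssid: str
    channel: int
    width_mhz: int   # channel width the AP is using: 20 or 40
    rssi_dbm: int    # signal strength seen by the survey client, e.g. -41
    noise_dbm: int   # noise floor seen by the survey client, e.g. -96


def center_mhz(channel):
    """Center frequency of a primary channel in MHz."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel      # 2.4 GHz: ch 1 = 2412, 5 MHz spacing
    if channel == 14:
        return 2484                    # Japan only, 12 MHz above ch 13
    if 36 <= channel <= 177:
        return 5000 + 5 * channel      # 5 GHz: ch 36 = 5180, 20 MHz spacing
    raise ValueError(f"unknown channel {channel}")


def spectrum_overlaps(fa, wa, fb, wb):
    """True if two channels of widths wa/wb centered at fa/fb share spectrum.
    Edges that merely touch (e.g. 20 MHz channels 1 and 5) do not count."""
    if (fa < 3000) != (fb < 3000):     # different bands never overlap
        return False
    return abs(fa - fb) < (wa + wb) / 2


def overlaps(a, b):
    # Simplification: the primary channel is treated as the center of the
    # whole width, which is close enough to flag 40 MHz neighbors.
    return spectrum_overlaps(center_mhz(a.channel), a.width_mhz,
                             center_mhz(b.channel), b.width_mhz)


def snr_db(r):
    """SNR is a ratio of two powers, so it is in dB, not dBm."""
    return r.rssi_dbm - r.noise_dbm


def weak_readings(readings, minimum=MIN_SNR_DB):
    return [r for r in readings if snr_db(r) < minimum]


def channel_conflicts(readings):
    """Pairs of different APs whose channels overlap."""
    return [(a.bssid, b.bssid) for a, b in combinations(readings, 2)
            if a.bssid != b.bssid and overlaps(a, b)]


def non_overlapping(channels, width_mhz):
    """Greedy plan: walk the channels in order, keep each one that does not
    overlap a channel already kept."""
    chosen = []
    for ch in channels:
        if all(not spectrum_overlaps(center_mhz(ch), width_mhz,
                                     center_mhz(c), width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


# Constructed survey: two corporate APs, a guest AP, a neighbor, two 5 GHz APs.
SURVEY = [
    Reading("Corp",     "00:00:00:00:00:01", 1,  20, -41, -96),
    Reading("Corp",     "00:00:00:00:00:02", 6,  20, -61, -90),
    Reading("Guest",    "00:00:00:00:00:03", 3,  20, -41, -50),
    Reading("Neighbor", "00:00:00:00:00:04", 4,  20, -70, -95),
    Reading("Corp5",    "00:00:00:00:00:05", 36, 40, -55, -97),
    Reading("Corp5",    "00:00:00:00:00:06", 40, 40, -58, -97),
]

if __name__ == "__main__":
    for r in SURVEY:
        print(f"{r.bssid} {r.ssid:9} ch{r.channel:<3} SNR {snr_db(r):+d} dB")
    print("weak:", [r.bssid for r in weak_readings(SURVEY)])
    print("conflicts:", channel_conflicts(SURVEY))
    print("2.4 GHz plan, 22 MHz (802.11b-compatible):", non_overlapping(range(1, 12), 22))
    print("2.4 GHz plan, 20 MHz, ch 12-13 allowed:", non_overlapping(range(1, 14), 20))
```

Run the file directly to print the report. With a strict 20 MHz width the greedy planner also accepts 1/5/9/13 where channels 12 and 13 are allowed; the 1/6/11 plan the guide recommends is the conservative choice because 802.11b DSSS channels are 22 MHz wide, which the 22 MHz call shows.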
Wireless Environmental Factors
There are several environmental factors that can affect the range and performance of wireless
networks.
Walls and ceilings
Walls and ceilings between the AP device and wireless clients can degrade signal strength.
Wireless signals can penetrate walls and other structures, but the rate of penetration is directly
related to the type of building materials, material thickness, and the distance from the wireless
antenna.
Building materials
Metal and aluminum doors, glass, concrete, and other types of building materials can have a
significantly negative effect on the signal strength of wireless signals.
EMI (Electro-magnetic interference)
EMI from other electrical devices, such as microwaves, cordless phones, and wireless
headsets, can generate significant RF noise and degrade or disrupt wireless communications.
Distance
Wireless signals degrade quickly past their maximum range. You must plan your network
carefully to provide adequate wireless coverage over the range you require in your environment.
Wireless Placement
For full wireless coverage and to make sure that all users in your environment receive a strong wireless
signal, consider these guidelines for the location and placement of your WatchGuard AP devices:
- Place your AP devices in a central location away from any corners, walls, or other physical
obstructions to provide maximum signal coverage.
- Place your AP devices in a high location to provide the overall best signal strength reception and
performance for your wireless network.
- Make sure you do not install an AP device in close proximity to any electronic devices that can
interfere with the signal, such as televisions, microwave ovens, cordless phones, air
conditioners, fans, or any other type of equipment that can cause signal interference.
- When you install more than one AP device, make sure to put enough space between them to
provide maximum coverage for your wireless network area of availability. For wireless coverage
over many floors, you can stagger the placement of devices to cover both vertical and horizontal
space.
Use Wireless Deployment Maps for AP Device Placement
You can use the Wireless Deployment Maps feature on the Gateway Wireless Controller to provide a
simulated physical view of your wireless network to help you place the AP devices in optimal locations
for maximum coverage.
For more information on the wireless maps feature, see Use Gateway Wireless Controller Maps.
For more information on how to use the wireless maps feature for AP device placement, see View
Wireless Deployment Maps.
WatchGuard AP Device Deployment Overview
When you add one or more WatchGuard Access Point (AP) devices to your network, you manage and
configure the AP devices from the Gateway Wireless Controller on an XTM device. You do not have to
connect directly to the AP device to configure it.
To deploy any AP device on your XTM device network you must:
1. Enable the Gateway Wireless Controller on the XTM device.
2. Connect the AP device to your network.
If your network has a DHCP server, the AP device automatically gets an IP address.
3. In the Gateway Wireless Controller, configure the SSIDs you want your AP device to use.
4. In the Gateway Wireless Controller, pair the AP device with the XTM device.
5. In the Gateway Wireless Controller, configure the AP device settings, and select the SSIDs to
use.
You can optionally enable VLAN tagging in the SSIDs for your AP device. If you enable VLAN tagging,
you must configure the necessary VLANs on your XTM device. For information about when to enable
VLAN tagging and how to configure VLANs, see Configure VLANs for WatchGuard AP Devices.
You can optionally enable the AP device to use a tagged VLAN for management
connections from the XTM device. But you still must configure an untagged VLAN
that the XTM device can use to initially discover and connect to the AP device.
The subsequent sections provide a more detailed overview of the steps to deploy an AP device with,
and without, VLAN tagging enabled.
If the network you connect your AP device to does not use DHCP, you can use the
Access Point web UI to manually assign a static IP address to the AP device before
you connect it to your network. For more information, see Use the WatchGuard
Access Point Web UI.
Deploy AP Devices Without VLAN Tagging
To deploy an AP device without VLAN tagging, you must enable the Gateway Wireless Controller,
configure SSIDs on your XTM device, pair your AP device with your XTM device, and configure your
AP device.
Step 1 Enable the Gateway Wireless Controller
For the XTM device to discover and manage an AP device, you must enable the Gateway Wireless
Controller on your XTM device.
1. Connect to Fireware XTM Web UI for your XTM device.
2. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller page appears.
3. Select the Enable the Gateway Wireless Controller check box.
The WatchGuard AP Passphrase dialog box appears.
4. Type the WatchGuard AP Passphrase that you want all your AP devices to use after they are
paired.
For more information, see Configure AP Devices in the Gateway Wireless Controller on page 363.
Step 2 Connect the AP Device
Select one of these options to connect the AP device to your Trusted or Optional network. By default,
the AP device automatically requests an IP address from a DHCP server on the local network.
Option 1 Connect the AP device to an XTM device interface
If you have an available Trusted or Optional interface on your XTM device, you can connect the
AP device directly to one of those interfaces.
To configure an XTM device interface as a Trusted or Optional interface:
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select a Trusted or Optional interface, and enable DHCP on that interface.
3. Connect the AP device to the interface you configured.
For more information about interface configuration, see Common Interface Settings on page
178.
Option 2 Connect the AP device to a switch
If you have a switch that connects to a Trusted or Optional interface on your XTM device, you
can connect the AP device to that switch. With this option, you do not have to change the
network settings on the XTM device interface.
Step 3 Configure the SSIDs
Configure the SSIDs for your wireless users to connect to. You can configure up to eight SSIDs per
radio.
1. On the Gateway Wireless Controller page, select the SSIDs tab.
2. Click Add to add an SSID.
3. Configure the SSID (network name) and wireless security settings.
For more information, see Configure WatchGuard AP Device SSIDs on page 365.
Step 4 Pair the AP Device
When you first connect the AP device to your network, it is an unpaired access point. This means it is
not yet managed by an XTM device. The power LED on the AP device alternates from green to red
when the device is unpaired.
To discover an unpaired AP device and pair it with your XTM device:
1. On the Network > Gateway Wireless Controller page, select the Access Points tab.
2. Click Refresh.
The unpaired AP device appears in the Unpaired Access Points list.
For more information, see WatchGuard AP Device Discovery and Pairing on page 371.
3. From the Unpaired Access Points list, select the AP device and click Pair.
4. In the Pairing Passphrase dialog box, type the passphrase of the AP device.
The default AP passphrase is wgwap.
When the AP device is paired, the power LED on the device is green.
Step 5 Configure the AP Device
After you pair the AP device with your XTM device, configure the AP device settings.
1. In the AP device settings, specify the settings for each radio on the AP device.
2. Add the SSID you created in Step 3 to the SSID list.
For more information, see Configure AP Device Radio Settings on page 378.
For a configuration example that demonstrates this type of deployment, see AP Device Deployment
with a Single SSID on page 414.
Deploy AP Devices With VLAN Tagging Enabled
To set up an AP device with VLAN tagging enabled in the SSIDs, you must configure VLANs and
enable VLAN tagging in your SSIDs.
Step 1 Configure VLANs on the XTM device
To enable VLAN tagging in your SSIDs, you must configure VLANs and enable them on an
XTM device interface. The AP device uses tagged VLANs to identify traffic for each SSID. The
XTM device uses an untagged VLAN to pair with the AP device.
To configure VLANs on the XTM device:
1. Add one VLAN for each SSID.
These VLANs are used for tagged VLAN traffic for each SSID.
2. Add one VLAN for management connections to the AP device.
This VLAN is used for untagged management connections to the AP device.
3. Enable DHCP server or DHCP relay for each VLAN.
4. Configure the XTM device interface to pass tagged traffic for the VLANs for each SSID.
5. Configure the XTM device to pass untagged traffic for the AP management VLAN.
For an example VLAN configuration, see Configure VLANs for WatchGuard AP Devices on page 353.
Step 2 Enable the Gateway Wireless Controller
For the XTM device to discover and manage an AP device, you must enable the Gateway Wireless
Controller.
1. Connect to Fireware XTM Web UI for your XTM device.
2. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller page appears.
3. Select the Enable the Gateway Wireless Controller check box.
The WatchGuard AP Passphrase dialog box appears.
4. Type the WatchGuard AP Passphrase that you want all your AP devices to use after they are
paired.
For more information, see Configure AP Devices in the Gateway Wireless Controller on page 363.
Step 3 Connect the AP Device
Select one of these options to connect the AP device to your Trusted or Optional network. By default,
the AP device automatically requests an IP address from a DHCP server on the local network.
If the network you connect your AP device to does not use DHCP, you can use the Access Point web
UI for the AP device to manually assign a static IP address to the AP device before you connect it to
your network. For more information, see Use the WatchGuard Access Point Web UI.
Option 1 Connect the AP device to an XTM device interface
You can connect the AP device directly to the XTM device interface that you configured as a
VLAN interface in Step 1.
Option 2 Connect the AP device to an 802.1Q switch
You can connect the AP device to an 802.1Q switch that has the necessary VLANs configured.
To configure the VLANs on the switch:
1. Add VLANs to the switch with the same IDs as the VLANs you configured on the
XTM device.
2. Configure the switch interfaces that connect to the XTM device VLAN interface
and the AP device to:
- Send and receive tagged traffic for the VLANs assigned to each SSID.
- Send and receive untagged traffic for the VLAN you use for AP device
management.
For more information about VLAN configuration, see Configure VLANs for WatchGuard AP
Devices on page 353.
Step 4 Configure the SSIDs
Configure the SSIDs for your wireless users to connect to. You can configure up to eight SSIDs per
radio.
1. On the Network > Gateway Wireless Controller page, select the SSIDs tab.
2. Click Add to add an SSID.
3. Configure the SSID (network name) and wireless security settings.
4. In each SSID, enable VLAN tagging, and select the VLAN ID to use.
For more information, see Configure WatchGuard AP Device SSIDs on page 365.
Step 5 Pair the AP Device
When you first connect the AP device to your network, it is an unpaired access point. This means it is
not yet managed by an XTM device. The power LED on the AP device alternates from green to red
when the device is unpaired.
To discover an unpaired AP device and pair it with your XTM device:
1. On the Network > Gateway Wireless Controller page, select the Access Points tab.
2. Click Refresh.
The unpaired AP device appears in the Unpaired Access Points list.
For more information, see WatchGuard AP Device Discovery and Pairing on page 371.
3. From the Unpaired Access Points list, select the AP device and click Pair.
4. In the Pairing Passphrase dialog box, type the passphrase of the AP device.
The default AP passphrase is wgwap.
When the AP device is paired, the power LED on the device is green.
Step 6 Configure the AP Device
After you pair the AP device, you can configure the AP device settings.
1. In the AP device settings, specify the settings for each radio on the AP device.
2. Add the SSID you created in Step 4 to the SSID list.
For more information, see Configure AP Device Radio Settings on page 378.
For a configuration example that demonstrates this type of deployment, see AP Device Deployment
with VLANs.
Configure VLANs for WatchGuard AP Devices
If you enable VLAN tagging for SSIDs on a WatchGuard AP device, or you enable management
VLAN tagging for an AP device, you must also enable VLANs on the network that the AP device
connects to.
By default, management traffic to the AP device is untagged, so we recommend that you add an
untagged VLAN for management traffic, as described here. If you prefer to use a tagged VLAN for
management traffic, make sure that you configure the AP device to tag management traffic, and set
the management VLAN ID in the Access Point configuration to the VLAN you want to use for
management traffic.
The tagged management VLAN is used only after the AP device is paired with the
XTM device. An unpaired AP device cannot respond to tagged VLAN traffic.
When to Enable VLAN Tagging in SSIDs
There are two main reasons you might want to enable VLAN tagging on your AP SSIDs:
To configure different firewall policies for SSIDs that connect to the same network
If you configure multiple SSIDs for your AP devices and you want to set different firewall
policies for each SSID, you can enable VLAN tagging in the SSID and then use the VLAN
ID associated with each SSID in policies specific to each SSID. For example, you could add a
different HTTP packet filter policy for each SSID that specifies the VLAN associated with that
SSID.
To separate the traffic on the same physical network into different logical networks
If you have several AP devices connected to the same physical network, VLAN tagging gives
you the ability to separately examine traffic for the wireless clients connected to each SSID. For
example, if you run a network analyzer, you can use the VLAN tags to see the traffic for the
VLAN ID associated with an SSID.
Or, you can set up all of your AP devices with one SSID for the trusted network and a different
SSID for the optional network. You can set up a trusted VLAN and an optional VLAN to
separate the traffic for the wireless clients that connect to the trusted and optional networks.
Configure VLANs on the XTM Device
To enable VLAN tagging in your AP device SSIDs, you must configure VLANs on the XTM device
interface where you plan to connect your AP devices.
For the XTM device interface where you plan to connect your AP device, set the Interface Type to
VLAN. Then, configure the VLANs to use for the AP device.
- Configure one VLAN for each SSID and one extra VLAN for management connections to the
AP device.
- Configure the VLANs that each SSID uses to send tagged traffic to the VLAN interface.
- Configure a VLAN that the AP device management connection uses to send untagged traffic to
the VLAN interface.
- Enable DHCP server or DHCP relay on each VLAN.
  - The AP device gets an IP address from the DHCP server on the VLAN used for
management connections.
  - Wireless clients that connect to an SSID get an IP address from the DHCP server on the
VLAN for that SSID.
For example, if you want to create two SSIDs that use VLAN tags, you can create three VLANs with
the VLAN IDs 10, 20, and 30.
- VLAN ID 10, in the Trusted zone: for the SSID for wireless connections to the trusted
network
- VLAN ID 20, in the Optional zone: for the SSID for wireless guest access to the Internet
- VLAN ID 30, in the Trusted zone: for management connections to the AP device
For information about how to create a VLAN, see Define a New VLAN.
For more information about how to configure the VLAN interface, see Assign Interfaces to a VLAN.
Configure VLANs on a Managed Switch
If you enable VLAN tagging and want to connect your AP device to a managed switch, you must also
configure VLANs on the switch. The switch must support 802.1Q VLAN tagging.
On the switch, you must:
1. Add VLANs with the same IDs as the VLANs you configured on the XTM device.
2. Configure the switch interfaces that connect to the XTM device and the AP device to send and
receive tagged traffic for the VLANs assigned to each SSID.
3. Configure the switch interfaces that connect to the XTM device and the AP device to send and
receive tagged or untagged traffic for AP device management.
- If management VLAN tagging is not enabled in the AP device configuration, configure the
switch to send and receive untagged traffic for the VLAN you use for AP device
management.
- If management VLAN tagging is enabled for the AP device, configure the switch to send and
receive tagged traffic for the VLAN you use for AP device management.
For instructions to enable and configure the VLANs on your switch, see the documentation for your
switch.
If you have enabled VLAN tagging in the SSIDs on your AP device, do not connect
your AP device to a switch that does not support 802.1Q VLAN tagging.
For a list of switches that WatchGuard has tested with the WatchGuard AP device, see the
WatchGuard Knowledge Base at http://customers.watchguard.com/.
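A consistency check for the VLAN plan described in the preceding sections (VLANs 10 and 20 for the SSIDs, VLAN 30 untagged for AP management, carried by an 802.1Q switch between the XTM device and the AP device), together with a parser that shows what "tagged" and "untagged" mean on the wire. This is an added example, not WatchGuard code: the plan dictionary, the switch port names xtm-uplink and ap-1, and the frames are all constructed here, and the switch model (a set of tagged VLANs plus at most one untagged VLAN per port) is an assumption about a generic 802.1Q switch.

```python
"""Validate an AP VLAN plan against the rules in this section and classify
constructed Ethernet frames by their 802.1Q tag. Added example, not WatchGuard
code; the plan layout, the port names and the frame contents are assumptions."""
import copy
import struct

ETH_P_8021Q = 0x8100   # TPID that marks a frame as 802.1Q-tagged


def build_frame(vlan_id=None, ethertype=0x0800, pcp=0, payload=b"\x00" * 46):
    """Constructed frame: broadcast dst, fixed src, optional 802.1Q tag."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
    if vlan_id is None:
        return header + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vlan_id & 0x0FFF)         # PCP(3) DEI(1) VID(12)
    return header + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


def parse_vlan(frame):
    """(vlan_id, pcp, inner_ethertype) for a tagged frame, None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner


# The example plan from this section: VLAN 10 trusted SSID, VLAN 20 guest SSID,
# VLAN 30 untagged AP management, carried by a switch between XTM and AP.
PLAN = {
    "vlans": {10: {"zone": "Trusted", "dhcp": True},
              20: {"zone": "Optional", "dhcp": True},
              30: {"zone": "Trusted", "dhcp": True}},
    "ssids": {"Corp": 10, "Guest": 20},
    "management_vlan": 30,
    "management_tagged": False,
    "switch_ports": {"xtm-uplink": {"tagged": {10, 20}, "untagged": 30},
                     "ap-1":       {"tagged": {10, 20}, "untagged": 30}},
}


def validate(plan):
    """Return the rule violations; an empty list means the plan is consistent."""
    problems = []
    vlans, ssids = plan["vlans"], plan["ssids"]
    mgmt, mgmt_tagged = plan["management_vlan"], plan["management_tagged"]
    if mgmt not in vlans:
        problems.append(f"management VLAN {mgmt} is not defined")
    if mgmt in ssids.values():
        problems.append(f"management VLAN {mgmt} is reused by an SSID")
    if len(set(ssids.values())) != len(ssids):
        problems.append("two SSIDs share one VLAN ID")
    for name, vid in ssids.items():
        if vid not in vlans:
            problems.append(f"SSID {name} uses undefined VLAN {vid}")
    for vid, cfg in vlans.items():
        if not cfg["dhcp"]:
            problems.append(f"VLAN {vid} has no DHCP server or relay")
    for port, cfg in plan["switch_ports"].items():
        missing = set(ssids.values()) - cfg["tagged"]
        if missing:
            problems.append(f"port {port} does not carry tagged VLANs {sorted(missing)}")
        if mgmt_tagged:
            if mgmt not in cfg["tagged"]:
                problems.append(f"port {port} does not carry tagged management VLAN {mgmt}")
            if cfg["untagged"] is None:   # discovery still needs an untagged VLAN
                problems.append(f"port {port} has no untagged VLAN for initial AP discovery")
        elif cfg["untagged"] != mgmt:
            problems.append(f"port {port} untagged VLAN is {cfg['untagged']}, expected {mgmt}")
    return problems


def classify(frame, plan):
    """Which SSID or role a frame seen on the AP's switch port belongs to."""
    tag = parse_vlan(frame)
    if tag is None:
        return "management" if not plan["management_tagged"] else "untagged"
    vid = tag[0]
    if vid == plan["management_vlan"]:
        return "management"
    by_vid = {v: name for name, v in plan["ssids"].items()}
    return by_vid.get(vid, f"unexpected VLAN {vid}")


def without_tag(plan, port, vid):
    """What-if copy of the plan with one tagged VLAN removed from one switch port."""
    changed = copy.deepcopy(plan)
    changed["switch_ports"][port]["tagged"].discard(vid)
    return changed


if __name__ == "__main__":
    print("plan problems:", validate(PLAN))
    print("ap-1 missing VLAN 20:", validate(without_tag(PLAN, "ap-1", 20)))
    for f in (build_frame(10), build_frame(20), build_frame(), build_frame(99)):
        print(parse_vlan(f), "->", classify(f, PLAN))
```

validate() reports the mismatches this section warns about (an SSID VLAN missing from a switch port, a management VLAN that is reused or not carried, a VLAN without DHCP, and a tagged-management plan with no untagged VLAN left for discovery), and without_tag() shows the failure mode of a port that drops one SSID's tag. classify() resolves a frame on the AP port to its SSID or to the management role, and reports an unexpected tag instead of guessing.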
About AP Station Isolation
When you configure an SSID for your AP device, you can optionally enable station isolation. The
station isolation setting enables you to control whether wireless clients can communicate directly with
each other through the AP device. Station isolation prevents direct traffic between wireless clients that
connect to the same SSID on the same radio. Station isolation does not prevent direct traffic between
wireless clients that connect to the SSID on different AP devices, or between wireless clients that
connect to different radios on an AP200 device.
We recommend that you enable station isolation for SSIDs on AP devices that provide a wireless
guest network for wireless clients that do not trust each other.
Station Isolation for a Single AP Device
To enable station isolation on an AP device, select the Enable station isolation check box in the
SSID settings.
For more information, see Configure WatchGuard AP Device SSIDs.
Station Isolation for Multiple AP Devices
When station isolation is enabled on a single AP device that uses the same SSID as another
AP device, traffic can still pass between wireless clients that are connected to the other AP devices. To
effectively implement station isolation for an SSID that is used by more than one AP device, you must
also make sure that all traffic between your AP devices goes through the XTM device. The XTM device
can then apply policies that support your station isolation settings to the traffic.
To implement station isolation for more than one AP device, you must:
1. Add a VLAN and configure it to apply firewall policies to intra-VLAN traffic.
To make sure that the same IP address pool is used for wireless clients that connect to the SSID on
any AP device, you must configure a VLAN. For wireless roaming to function correctly, the SSID must
be on the same IP network on every AP device. When you configure the VLAN to apply policies to
intra-VLAN traffic, the XTM device applies firewall policies to VLAN traffic that arrives on one interface
with a destination in the same VLAN on another interface.
2. For each AP device, configure one VLAN interface to manage untagged VLAN traffic.
Or, you can enable management VLAN tagging in the AP device configuration and select a VLAN ID
to use for management.
3. Configure the SSID settings to enable station isolation.
It is not necessary to enable VLAN tagging in the SSID settings if the VLAN interfaces are configured
to manage untagged traffic.
4. Connect each AP device directly to a VLAN interface on the XTM device.
This ensures that all traffic between AP devices goes through the XTM device.
Because the default packet handling policy automatically denies traffic between AP devices on two
different interfaces, you do not have to create a policy to explicitly deny that traffic. For example, if you
configure a VLAN in the Optional security zone, the XTM device automatically denies packets
between the two interfaces as unhandled packets because they do not match any of the configured
firewall policies. To prevent traffic between AP devices, make sure that you do not add a policy that
allows traffic from Optional to Optional.
You can also enable VLAN tagging in the SSID and configure the VLAN interfaces to
manage tagged traffic, but VLAN tagging is not required for station isolation. If you
enable VLAN tagging, you must configure two VLANs: one for tagged SSID traffic
and one for untagged management traffic. Or, you can enable one VLAN and
configure the AP to enable management VLAN tagging for that VLAN in the AP
device configuration.
For more information, see Configure VLANs for WatchGuard AP Devices.
Example Station Isolation and Roaming
This example shows how to implement station isolation for a wireless guest network with two AP100
devices that use the same SSID.
Step 1 Configure the VLAN
First, configure the VLAN interfaces and VLANs for your AP devices.
1. Configure two XTM device interfaces as VLAN interfaces.
For example, the two VLAN interfaces could have these settings:
- Interface Names: AP100-1 and AP100-2
- Interface Type: VLAN
2. Create a VLAN to use for traffic to an SSID.
For example, the VLAN could have these settings:
- Name: AP100-Guest
- VLAN ID: 20
- Security Zone: Optional
- IP Address: 10.0.20.1/24
- VLAN tag settings: Untagged traffic for VLAN interfaces AP100-1 and AP100-2
- Apply firewall policies to intra-VLAN traffic: Enabled
- Network DHCP Server Address Pool: 10.0.20.10 to 10.0.20.100
For more information about how to configure a VLAN, see Define a New VLAN.
Step 2 Configure the SSID
Next, enable station isolation in the SSID settings.
1. Add or edit an SSID for your wireless guest network.
For this example, we named the SSID "AP100-Guest".
2. Select the Enable station isolation check box.
Because the AP100-Guest VLAN in this example is an untagged VLAN, you do not have to enable VLAN
tagging in the SSID settings.
For more information about SSID configuration, see Configure WatchGuard AP Device SSIDs.
Step 3 Connect the AP Devices to the VLAN Interfaces
After you configure the VLAN interfaces and SSID settings:
1. Connect the AP devices to the VLAN interfaces.
2. Discover and pair each AP device.
3. Configure both AP devices to use the SSID you configured.
For more information about discovery and pairing, see WatchGuard AP Device Discovery and Pairing.
About This Example
This configuration example prevents direct wireless traffic between wireless clients that connect to the
AP100-Guest SSID. The two main components of this configuration are:
- Station isolation: The station isolation setting in the SSID makes sure that wireless clients
that connect to the same radio cannot connect directly to each other.
- VLAN: The firewall and VLAN configuration make sure that traffic cannot pass between
wireless clients that connect to the AP100-Guest SSID on different AP devices.
This example shows how to configure station isolation for two AP devices. To add a third AP device,
configure another VLAN interface to handle untagged VLAN traffic for the defined VLAN. Then,
connect the AP device to that VLAN interface and configure it to use the defined SSID.
About AP Device Activation
You must activate your WatchGuard AP device to start your LiveSecurity subscription. The
WatchGuard LiveSecurity subscription activates your hardware replacement warranty, enables you to
receive technical support, and provides access to the latest OS updates and product news.
Your AP device can be activated automatically or you can activate it manually.
Automatic Activation
After you pair a WatchGuard AP device with an XTM device, the XTM device automatically connects
to the WatchGuard web site and sends the information necessary to activate the AP device on the
same WatchGuard account where the XTM device was activated.
If automatic activation fails, the XTM device periodically tries to activate again. The activation status
of your AP device does not affect the functionality of the AP device.
To check the activation status of your AP device, log in to your WatchGuard account on the
WatchGuard web site. Your activated AP devices appear in the My Products list in your WatchGuard
account.
Manual Activation
If your AP device has not been activated automatically and you want to activate it manually, you can
activate the AP device in your WatchGuard account just as you would activate an XTM device or
add-on feature.
To manually activate your WatchGuard AP device:
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click Activate a Product.
The Activate Products page appears.
4. Type the serial number of the WatchGuard AP device. Make sure to include any hyphens.
5. Click Continue.
6. Follow any remaining prompts to complete activation of your AP device.
After activation is complete, the AP device appears in the My Products list in your WatchGuard
account.
About AP Device Passphrases
Each WatchGuard AP device has a passphrase that is used for management connections to the
device. There are two passphrase settings in the Gateway Wireless Controller: the Pairing Passphrase
and the WatchGuard AP Passphrase.
Pairing Passphrase
The Pairing Passphrase is used for the initial pairing of the AP device with your XTM device. The
Pairing Passphrase set on the Gateway Wireless Controller must match the passphrase set on the
AP device. By default, the passphrase on an unpaired AP device is wgwap.
In the Gateway Wireless Controller, you must type the Pairing Passphrase:
- When you click Pair to pair an unpaired AP device to an XTM device.
- When you click Add to manually add an AP device configuration to the XTM device.
Unless you have connected to the AP device with the Access Point web UI and changed the
AP device passphrase, the Pairing Passphrase is always the AP default passphrase, wgwap. If you
changed the passphrase on the AP device, type that passphrase in the Pairing Passphrase dialog box
when you pair the device.
If you type the wrong Pairing Passphrase when you try to pair the AP device and pairing fails, you can
change the Pairing Passphrase in the AP device settings. For more information, see Configure
AP Device Settings.
WatchGuard AP Passphrase
The WatchGuard AP passphrase is used for management connections to a WatchGuard AP device
after it has been paired with an XTM device. The Gateway Wireless Controller on the XTM device uses
the WatchGuard AP Passphrase when it connects to any paired AP device. The WatchGuard
AP passphrase is also the passphrase you use to log in to the Access Point web UI of a paired AP
device.
When you enable the Gateway Wireless Controller on the XTM device, you set the WatchGuard
AP passphrase. You can also change this passphrase in the Gateway Wireless Controller Settings
dialog box. For more information, see Configure Gateway Wireless Controller Settings.
Passphrases and Pairing
Although you configure two passphrases in the Gateway Wireless Controller settings, you use only
one passphrase for the AP device. The passphrase you use depends on the state of the AP device.
- For an unpaired AP device, use the default passphrase, wgwap, unless you change it in the
Access Point web UI.
- For a paired AP device, use the WatchGuard AP passphrase that you configured in the
Gateway Wireless Controller settings.
When you first pair an AP device with an XTM device, the XTM device uses the Pairing Passphrase to
log in to the AP device. When the XTM device sends the AP device configuration to the paired AP
device, it changes the passphrase on the AP device from the Pairing Passphrase to the WatchGuard
AP passphrase configured in the Gateway Wireless Controller settings.
When you unpair an AP device from an XTM device, the XTM device resets the AP device to the
factory default settings. This changes the passphrase on the AP device to the default AP passphrase,
wgwap.
When the Gateway Wireless Controller connects to a paired AP device, it can use one of three
passphrases to log in. This makes the communication between the two devices more resilient, and
allows the AP device to automatically pair with the XTM device if the AP device is reset.
1. By default, the Gateway Wireless Controller uses the WatchGuard AP passphrase to log in to
the AP device.
2. If it cannot successfully log in with the WatchGuard AP passphrase, it tries the passphrase
used for the last successful connection to this AP device.
3. If it cannot successfully log in with the last used passphrase, it tries to log in with the Pairing
Passphrase.
If the XTM device uses anything other than the WatchGuard AP passphrase to log in, it resets the
passphrase on the AP device to the WatchGuard AP passphrase. If the XTM device cannot log in to a
paired AP device, the AP device status changes to Passphrase Mismatch.
Resolve a Passphrase Mismatch
The status of the AP device appears in Fireware XTM Web UI on the Dashboard > Gateway
Wireless Controller page.
If the AP device status is Passphrase Mismatch, the Pairing Passphrase in the Gateway Wireless
Controller settings does not match the passphrase on the AP device.
To resolve a passphrase mismatch, if you know the passphrase on the AP device, change the Pairing
Passphrase in the AP device configuration on the Gateway Wireless Controller. For more information,
see Configure AP Device Settings.
If you do not know the passphrase on the AP device, to resolve a passphrase mismatch:
1. If the device is paired in the Gateway Access Controller, remove it from the list of paired AP
devices.
For more information, see Unpair an AP Device.
2. Press the reset button on the AP device to reset it to factory default settings.
For more information, see Reset the WatchGuard AP Device.
3. Discover and pair the AP device again. Use the default Pairing Passphrase, wgwap.
For more information, see WatchGuard AP Device Discovery and Pairing.
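The passphrase lifecycle described in the two sections above (pairing, the three-passphrase login order, the reset that follows a fallback login, and the unpair-reset-repair recovery) as a Python model added here; it is not WatchGuard code, and the serial number, passphrases and status strings other than Passphrase Mismatch are constructed for the example.

```python
"""Model of the pairing and passphrase fallback behaviour of the Gateway Wireless
Controller (added example, not WatchGuard code). The AP device holds one management
passphrase; the controller holds the WatchGuard AP Passphrase, a per-AP Pairing
Passphrase and the passphrase of the last successful connection."""

from dataclasses import dataclass, field
from typing import Optional

DEFAULT_AP_PASSPHRASE = "wgwap"  # factory default on an unpaired AP device (from the guide)


@dataclass
class APDevice:
    """Simulated AP device: one management passphrase and a paired/unpaired flag."""
    serial: str
    passphrase: str = DEFAULT_AP_PASSPHRASE
    paired: bool = False

    def login(self, candidate: str) -> bool:
        # The AP accepts a management login only if the candidate matches its passphrase.
        return candidate == self.passphrase

    def factory_reset(self) -> None:
        # Reset button or unpair: passphrase returns to the default, device becomes unpaired.
        self.passphrase = DEFAULT_AP_PASSPHRASE
        self.paired = False


@dataclass
class GatewayWirelessController:
    """Simulated controller: the two configured passphrases plus per-AP state."""
    wg_ap_passphrase: str                                   # WatchGuard AP Passphrase
    pairing_passphrase: dict = field(default_factory=dict)  # serial -> Pairing Passphrase
    last_success: dict = field(default_factory=dict)        # serial -> last working passphrase
    status: dict = field(default_factory=dict)              # serial -> status string

    def change_pairing_passphrase(self, ap: APDevice, new_passphrase: str) -> None:
        """The Change button next to Pairing Passphrase in the AP device settings."""
        self.pairing_passphrase[ap.serial] = new_passphrase

    def pair(self, ap: APDevice, pairing_passphrase: str) -> bool:
        """Initial pairing: log in with the Pairing Passphrase, then push the configuration,
        which switches the AP to the WatchGuard AP Passphrase."""
        self.pairing_passphrase[ap.serial] = pairing_passphrase
        if not ap.login(pairing_passphrase):
            self.status[ap.serial] = "Passphrase Mismatch"
            return False
        ap.passphrase = self.wg_ap_passphrase   # configuration push changes the AP passphrase
        ap.paired = True
        self.last_success[ap.serial] = self.wg_ap_passphrase
        self.status[ap.serial] = "Online"       # constructed status name
        return True

    def connect(self, ap: APDevice) -> Optional[str]:
        """Management connection to a paired AP: try the three passphrases in the order the
        guide gives. Returns the passphrase that worked, or None (Passphrase Mismatch)."""
        candidates = [
            self.wg_ap_passphrase,                    # 1. WatchGuard AP passphrase
            self.last_success.get(ap.serial),         # 2. last successful passphrase
            self.pairing_passphrase.get(ap.serial),   # 3. Pairing Passphrase
        ]
        for cand in candidates:
            if cand is not None and ap.login(cand):
                if cand != self.wg_ap_passphrase:
                    # Any fallback login resets the AP to the WatchGuard AP passphrase.
                    ap.passphrase = self.wg_ap_passphrase
                    ap.paired = True
                self.last_success[ap.serial] = self.wg_ap_passphrase
                self.status[ap.serial] = "Online"
                return cand
        self.status[ap.serial] = "Passphrase Mismatch"
        return None

    def unpair(self, ap: APDevice) -> None:
        """Unpairing resets the AP to factory defaults, so its passphrase is wgwap again."""
        ap.factory_reset()
        self.pairing_passphrase.pop(ap.serial, None)
        self.last_success.pop(ap.serial, None)
        self.status.pop(ap.serial, None)


def walkthrough() -> dict:
    """Run the scenarios from the text and return the observations."""
    gwc = GatewayWirelessController(wg_ap_passphrase="example-mgmt-passphrase")  # constructed
    ap = APDevice(serial="EXAMPLE-SERIAL-0001")   # constructed serial, not a real device
    out = {}
    out["pair_ok"] = gwc.pair(ap, DEFAULT_AP_PASSPHRASE)    # default Pairing Passphrase works
    out["ap_pass_after_pair"] = ap.passphrase               # now the WatchGuard AP passphrase
    out["normal_login"] = gwc.connect(ap)                   # path 1
    ap.factory_reset()                                      # someone presses the reset button
    out["login_after_reset"] = gwc.connect(ap)              # path 3: the Pairing Passphrase
    out["ap_pass_after_recover"] = ap.passphrase            # reset back to the WG AP passphrase
    ap.passphrase = "changed-in-ap-web-ui"                  # constructed: passphrase unknown to GWC
    out["unknown"] = gwc.connect(ap)                        # no path works
    out["status_unknown"] = gwc.status[ap.serial]
    gwc.unpair(ap)                                          # recovery: unpair, reset, pair again
    out["repair_ok"] = gwc.pair(ap, DEFAULT_AP_PASSPHRASE)
    return out
```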
Configure AP Devices in the Gateway Wireless Controller
To discover and manage the WatchGuard AP devices you add to your network, use the Gateway
Wireless Controller on your XTM device.
The Gateway Wireless Controller on your XTM device enables you to:
- Pair WatchGuard AP devices on your network with your XTM device
- Configure SSIDs and WatchGuard AP device settings
- Monitor the paired AP devices and wireless client connections
- Initiate a site survey from the WatchGuard AP device to detect other wireless access points
Enable the Gateway Wireless Controller
Before your XTM device can discover new WatchGuard AP devices on your network, you must enable
the Gateway Wireless Controller on your XTM device.
To enable the Gateway Wireless Controller:
1. Select Network > Gateway Wireless Controller.
2. Select the Enable the Gateway Wireless Controller check box.
The WatchGuard AP Passphrase dialog box appears.
3. In the Pairing Passphrase text box, type the passphrase you want to use for management of
your WatchGuard AP devices after they are paired with your XTM device.
This is the passphrase that is used for management connections to each paired AP device.
4. Click Save.
When you enable the Gateway Wireless Controller, the WatchGuard Gateway Wireless Controller
policy is automatically added to the XTM device configuration. This policy allows traffic from the
trusted and optional networks to the XTM device over UDP port 2529.
After you enable the Gateway Wireless Controller on the XTM device, the XTM device can detect
connected WatchGuard AP devices on your trusted or optional network.
The AP device can also be located on the custom zone network (XTM v11.9 and
higher). To allow the Gateway Wireless Controller to discover an AP device on a
custom zone network, you must modify the WatchGuard Gateway Wireless
Controller policy to allow traffic from the custom zone. For more information on the
custom zone, see Configure a Custom Interface.
For more information, see:
- WatchGuard AP Device Discovery and Pairing
- Configure WatchGuard AP Device SSIDs
- Configure AP Device Settings
- Configure Gateway Wireless Controller Settings
Set the Diagnostic Log Level
To generate more detailed log messages for the Gateway Wireless Controller, you can change the
diagnostic log level setting.
To set the diagnostic log level for the Gateway Wireless Controller:
1. Select System > Diagnostic Log.
2. From the Gateway Wireless Controller drop-down list, select the level of log message detail.
For more information about diagnostic logging, see Set the Diagnostic Log Level on page 878.
Configure WatchGuard AP Device SSIDs
Before you can assign an SSID to a WatchGuard AP device, you must add the SSID to the Gateway
Wireless Controller. You can also enable VLAN tagging on each SSID. If you enable VLAN tagging,
the SSID uses the VLAN ID you specify to connect to a VLAN that is configured on the network
between your AP device and XTM device.
For more information about when and how to use VLAN tagging with your AP device, see Configure
VLANs for WatchGuard AP Devices.
Add an SSID
To add an SSID for your AP devices:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller page appears, with the SSID tab selected.
2. Click Add.
The SSID configuration settings appear.
3. In the Network Name (SSID) text box, type the SSID name.
4. To specify that your AP devices do not broadcast the SSID name, clear the Broadcast SSID
and respond to SSID queries check box.
5. To specify that wireless clients connected to this SSID cannot send traffic to each other
through the AP device, select the Enable station isolation check box. For more information,
see About AP Station Isolation.
6. To use the MAC Access Control list for your AP devices, select the Use the MAC Access
Control list defined in the Gateway Wireless Controller Settings check box. For more
information, see Configure MAC Access Control on page 386.
7. To use tagged VLANs to separate the traffic between multiple SSIDs, select the Enable
VLAN tagging check box.
8. If you enabled VLAN tagging, in the VLAN ID text box, type or select the ID of the tagged
VLAN to use for this SSID.
If you enable VLAN tagging and try to configure an SSID to use a VLAN ID that is not
configured on the XTM device, a warning message appears with the information that
the VLAN ID you configured in the SSID settings does not exist on the XTM device.
Make sure you configure a tagged VLAN for this SSID. In most network
configurations, you create the tagged VLAN for each SSID on the XTM device, and
one untagged VLAN for management connections to the AP device.
Add AP Device Radios
When you add an SSID, you can assign the SSID to one or more AP device radios. For AP200
devices, which have two radios, you select each radio separately.
To assign an SSID to an AP device radio:
In the Access Points with this SSID list, select the check boxes next to each AP device radio
that you want to use this SSID.
You can also assign SSIDs to an AP device radio when you edit the AP device radio settings. For more
information, see Configure AP Device Radio Settings.
Configure Security Settings
To configure the wireless security settings for the SSID:
1. Select the Security tab.
2. From the Security Mode drop-down list, select the security protocol to use for this SSID.
3. Complete the settings to configure the selected security protocol.
Configure SSID Security Settings
When you add an SSID, you can configure security settings that determine how wireless clients must
connect to your AP devices. The wireless security mode is set to Disabled by default. In this mode,
the SSID operates as an open wireless network.
WatchGuard AP devices use two security protocol standards to protect your wireless network: WPA
(Wi-Fi Protected Access) and WPA2. Each protocol standard can encrypt the transmissions on the
wireless LAN between the computers and the AP devices. They also can prevent unauthorized access
to the WatchGuard AP device.
To protect privacy, you can use these features together with other LAN security mechanisms such as
password protection, VPN tunnels, and user authentication.
WPA and WPA2 with Pre-Shared Keys
The WPA (PSK) and WPA2 (PSK) Wi-Fi Protected Access methods use pre-shared keys for
authentication. When you choose one of these methods, you configure a pre-shared key that all
wireless devices must use to authenticate to the AP device.
AP devices support three wireless authentication settings that use pre-shared keys:
- WPA only (PSK): The AP device accepts connections from wireless devices configured to
use WPA with pre-shared keys.
- WPA2 only (PSK): The AP device accepts connections from wireless devices configured to
use WPA2 with pre-shared keys. WPA2 implements the full 802.11i standard; it does not work
with some older wireless network cards.
- WPA/WPA2 (PSK): The AP device accepts connections from wireless devices configured
to use WPA or WPA2 with pre-shared keys.
To configure an AP device SSID to use WPA or WPA2 with pre-shared keys:
1. In the Edit SSID or Add SSID dialog box, select the Security tab.
2. From the Security Mode drop-down list, select WPA (PSK), WPA2 (PSK) or WPA/WPA2
(PSK).
3. From the Encryption drop-down list, select an encryption method:
- TKIP: Use only TKIP (Temporal Key Integrity Protocol) for encryption.
- AES: Use only AES (Advanced Encryption Standard) for encryption.
- TKIP or AES: Use either TKIP or AES.
We recommend that you select TKIP or AES. This allows the AP device to accept
connections from wireless clients configured to use TKIP or AES encryption. For 802.11n
wireless clients, we recommend you configure the wireless client to use AES encryption.
4. (Optional) In the Group Key Update Interval text box, type or select the WPA group key
update interval.
We recommend you use the default setting of 3600 seconds.
5. In the Passphrase text box, type the passphrase that wireless clients must use to connect to
this SSID.
WPA and WPA2 with Enterprise Authentication
The WPA Enterprise and WPA2 Enterprise authentication methods use the IEEE 802.1X standard for
network authentication. These authentication methods use the EAP (Extensible Authentication
Protocol) framework to enable user authentication to an external RADIUS authentication server. The
WPA Enterprise and WPA2 Enterprise authentication methods are more secure than WPA/WPA2
(PSK) because users authenticate with their own credentials instead of a shared key.
To use the Enterprise authentication methods, you must configure an external RADIUS authentication
server.
WatchGuard AP devices support three WPA and WPA2 Enterprise wireless authentication methods:
- WPA Enterprise: The AP device accepts connections from wireless devices configured to
use WPA Enterprise authentication.
- WPA2 Enterprise: The AP device accepts connections from wireless devices configured to
use WPA2 Enterprise authentication. WPA2 implements the full 802.11i standard; it does not
work with some older wireless network cards.
- WPA/WPA2 Enterprise: The AP device accepts connections from wireless devices
configured to use WPA Enterprise or WPA2 Enterprise authentication.
To configure an AP device SSID to use WPA or WPA2 with enterprise authentication:
1. In the Edit SSID or Add SSID dialog box, select the Security tab.
2. From the Security Mode drop-down list, select WPA Enterprise, WPA2 Enterprise or
WPA/WPA2 Enterprise.
3. From the Encryption drop-down list, select an encryption method:
- TKIP: Use only TKIP (Temporal Key Integrity Protocol) for encryption.
- AES: Use only AES (Advanced Encryption Standard) for encryption.
- TKIP or AES: Use either TKIP or AES.
We recommend that you select TKIP or AES. This allows the AP device to accept
connections from wireless clients configured to use TKIP or AES encryption. For 802.11n
wireless clients, we recommend you configure the wireless client to use AES encryption.
4. (Optional) In the Group Key Update Interval text box, set the WPA group key update interval.
We recommend you use the default setting of 3600 seconds.
5. In the RADIUS Server text box, type the IP address of the RADIUS server.
6. In the RADIUS Port text box, make sure that the port number the RADIUS server uses for
authentication is correct.
The default port number is 1812. Some older RADIUS servers use port 1645.
7. In the RADIUS Secret text box, type the shared secret between the AP device and the
RADIUS server.
The shared secret is case-sensitive, and it must be the same in the SSID configuration as it is
on the RADIUS server.
If you have a RADIUS accounting server, you can enable RADIUS Accounting:
1. Select the Enable RADIUS Accounting check box.
2. In the RADIUS Accounting Server text box, type the IP address of the RADIUS accounting
server.
3. In the RADIUS Accounting Port text box, make sure that the port number the
RADIUS accounting server uses is correct.
The default port number is 1813.
4. In the RADIUS Accounting Secret text box, type the shared secret between the AP device
and the RADIUS accounting server.
5. In the Interim Accounting Interval text box, set the interim accounting interval.
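A small configuration check for the SSID security settings and the VLAN tagging rule described above, added here as a Python example (not WatchGuard code). It encodes the rules the guide states: an SSID with security mode Disabled is open, PSK modes need a passphrase, Enterprise modes need a RADIUS server and shared secret with the 1812/1645 authentication and 1813 accounting defaults, and a tagged VLAN ID must exist on the XTM device. The dictionary keys and the sample SSIDs are constructed for the example.

```python
"""Checks an SSID definition (a plain dict, keys constructed for this example) against the
rules in the Fireware XTM guide and returns (severity, message) findings."""

PSK_MODES = {"WPA (PSK)", "WPA2 (PSK)", "WPA/WPA2 (PSK)"}
ENTERPRISE_MODES = {"WPA Enterprise", "WPA2 Enterprise", "WPA/WPA2 Enterprise"}
ENCRYPTION_OPTIONS = {"TKIP", "AES", "TKIP or AES"}
RADIUS_AUTH_PORT = 1812        # default; some older RADIUS servers use 1645
RADIUS_LEGACY_AUTH_PORT = 1645
RADIUS_ACCT_PORT = 1813        # default RADIUS Accounting port
GROUP_KEY_DEFAULT = 3600       # recommended Group Key Update Interval in seconds


def validate_ssid(ssid: dict, xtm_vlan_ids: set) -> list:
    """Return a list of (severity, message) tuples. `xtm_vlan_ids` holds the VLAN IDs
    configured on the XTM device and reproduces the "VLAN ID does not exist" warning."""
    findings = []
    mode = ssid.get("security_mode", "Disabled")   # Disabled is the guide's default

    if mode == "Disabled":
        findings.append(("warning", "security mode Disabled: SSID is an open network"))
    elif mode in PSK_MODES or mode in ENTERPRISE_MODES:
        enc = ssid.get("encryption")
        if enc not in ENCRYPTION_OPTIONS:
            findings.append(("error", f"unknown encryption option {enc!r}"))
        elif enc == "TKIP":
            findings.append(("info", "TKIP only: 802.11n clients should use AES"))
        interval = ssid.get("group_key_update_interval", GROUP_KEY_DEFAULT)
        if interval != GROUP_KEY_DEFAULT:
            findings.append(("info", f"group key interval {interval}s differs from "
                                     f"the recommended {GROUP_KEY_DEFAULT}s"))
    else:
        findings.append(("error", f"unknown security mode {mode!r}"))

    if mode in PSK_MODES and not ssid.get("passphrase"):
        findings.append(("error", "PSK mode selected but no passphrase set"))

    if mode in ENTERPRISE_MODES:
        if not ssid.get("radius_server"):
            findings.append(("error", "Enterprise mode requires a RADIUS server IP address"))
        if not ssid.get("radius_secret"):
            findings.append(("error", "Enterprise mode requires a RADIUS shared secret"))
        port = ssid.get("radius_port", RADIUS_AUTH_PORT)
        if port not in (RADIUS_AUTH_PORT, RADIUS_LEGACY_AUTH_PORT):
            findings.append(("warning", f"RADIUS port {port} is neither 1812 nor the legacy 1645"))
        if ssid.get("radius_accounting"):
            if not ssid.get("radius_accounting_server"):
                findings.append(("error", "RADIUS Accounting enabled but no accounting server set"))
            if not ssid.get("radius_accounting_secret"):
                findings.append(("error", "RADIUS Accounting enabled but no accounting secret set"))
            if ssid.get("radius_accounting_port", RADIUS_ACCT_PORT) != RADIUS_ACCT_PORT:
                findings.append(("warning", "RADIUS Accounting port differs from the default 1813"))

    if ssid.get("vlan_tagging"):
        vid = ssid.get("vlan_id")
        if vid is None:
            findings.append(("error", "VLAN tagging enabled but no VLAN ID set"))
        elif vid not in xtm_vlan_ids:
            findings.append(("warning", f"VLAN ID {vid} does not exist on the XTM device"))
    return findings


def severities(findings: list) -> set:
    """Convenience: the distinct severities present in a findings list."""
    return {sev for sev, _ in findings}


# Constructed sample data: VLANs on the XTM device and four SSID definitions.
SAMPLE_XTM_VLANS = {10, 20}
GUEST_OPEN = {"name": "guest", "security_mode": "Disabled"}
STAFF_PSK = {"name": "staff", "security_mode": "WPA2 (PSK)", "encryption": "AES",
             "passphrase": "example-psk-passphrase", "vlan_tagging": True, "vlan_id": 30}
CORP_ENT = {"name": "corp", "security_mode": "WPA2 Enterprise", "encryption": "TKIP or AES",
            "radius_server": "192.0.2.10", "radius_port": 1812, "radius_secret": "example-secret",
            "radius_accounting": True, "radius_accounting_server": "192.0.2.11",
            "radius_accounting_secret": "example-acct-secret", "vlan_tagging": True, "vlan_id": 20}
BROKEN_ENT = {"name": "broken", "security_mode": "WPA Enterprise", "encryption": "AES"}
```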
WatchGuard AP Device Discovery and Pairing
For the Gateway Wireless Controller on your XTM device to control a WatchGuard AP device, the AP
device and the XTM device must be paired. For pairing to occur, you must first enable the Gateway
Wireless Controller on the XTM device. When the Gateway Wireless Controller is enabled, the
XTM device sends a discovery broadcast message to the trusted and optional networks.
The AP device can also be located on the custom zone network (XTM v11.9 and
higher). To allow the Gateway Wireless Controller to discover an AP device on a
custom zone network, you must modify the WatchGuard Gateway Wireless
Controller policy to allow traffic from the custom zone. For more information on the
custom zone, see Configure a Custom Interface.
After you connect a new AP device to your trusted or optional network, the AP device receives the
broadcast message and sends a response. When the XTM device receives a response from an
unpaired AP device, the discovered AP device appears in the Unpaired Access Points list in the
Gateway Wireless Controller.
An AP device discovered by the XTM device is not automatically paired with the XTM device. You
must pair the AP device with the XTM device in the Gateway Access Controller. This step makes sure
no one can add an unauthorized AP device to your network. The AP device only accepts configuration
information from the XTM device it is paired with.
After the first time you pair a new AP device with an XTM device, the XTM device attempts to
automatically activate the AP device on your account on the WatchGuard web site. For more
information, see About AP Device Activation.
Connect the AP Device
Before you can pair the AP device with the XTM device, you must connect it to a trusted or optional
network.
If you connect the AP device to a VLAN interface, make sure that you configure that interface to handle
untagged VLAN traffic. An unpaired AP device cannot accept tagged VLAN traffic.
The power LED on the AP device alternates from green to red when the device is unpaired.
By default, the AP device is configured to use DHCP to get an IP address. Make
sure that you enable the DHCP Server for the XTM device interface that connects to
the AP device, so that the AP device can get an IP address.
Pair the AP Device to the XTM Device
To pair an AP device with an XTM device:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller page appears.
2. Select the Access Points tab.
The list of AP devices that responded to the discovery broadcast appears in the Unpaired Access
Points list.
3. To start a scan for new, unpaired AP devices, click Refresh.
When an unpaired Access Point is found, it appears in the Unpaired Access Points list.
4. From the Unpaired Access Points list, select an AP device to pair with your XTM device.
5. Click Pair.
The Pairing Passphrase dialog box appears.
6. In the Pairing Passphrase text box, type the current passphrase configured on the AP device.
The default passphrase is wgwap.
For more information about the Pairing Passphrase, see About AP Device Passphrases.
7. Click OK.
The Edit Access Point dialog box appears.
8. Configure the AP device settings.
For more information, see Configure AP Device Settings.
When the AP device is paired, the power LED on the device will be green.
For information about how to monitor the status of your AP devices, see Monitor AP Device Status.
For information about how to unpair an AP device, see Unpair an AP Device.
If your AP device is correctly connected but cannot be discovered, it may be
necessary to reset the AP device to factory default settings. For more information,
see Reset the WatchGuard AP Device.
Configure AP Device Settings
From the Gateway Wireless Controller on your Firebox or XTM device, you can edit the settings for any
AP devices that are paired with the Firebox or XTM device. You can also manually add new AP
devices.
When you save an AP device configuration to the Firebox or XTM device, the device
immediately sends the update to the affected AP devices. While the update is in
progress, the AP device status briefly changes to Updating. The update process can
take up to a minute to complete. While the update is in progress, wireless services
might be interrupted on the AP device.
Edit an AP Device Configuration
When you pair an AP device with a Firebox or XTM device, you must configure the settings for the AP
device. Because some of the details about the AP device are automatically added to the AP device
configuration when it is paired, you edit the AP device settings to complete the initial configuration of
the AP device.
When you edit the AP device settings, you can change any of the settings except for the model and
serial number. The model and serial number are automatically set for paired AP devices and cannot be
edited.
There are two network settings you can select for an AP device:
DHCP
DHCP is the default selection.
Choose this option to configure the AP device to request a dynamically assigned IP address
from a DHCP server. If you choose this option, make sure that a DHCP server is configured on
the network that the AP device connects to. You can configure the XTM device as the DHCP
server when you configure the Firebox or XTM device interface that your AP device connects
to.
For a configuration example, see WatchGuard AP Device Deployment Examples.
Static
Select this option to assign the AP device a static IP address, subnet mask, and default
gateway. When you select Static, you must configure these settings:
- IP Address: The IP address to assign to the AP device
- IP Subnet Mask: The subnet mask
- Default Gateway: The IP address of the default gateway
By default, the AP device uses the syslog server settings you configure in the common settings in the
Gateway Access Controller. When you edit the settings for an AP device, you can configure the AP
device to use a different syslog server. For more information about the syslog server settings for the
Gateway Wireless Controller, see Configure Gateway Wireless Controller Settings.
To configure the settings for a paired AP device:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears.
2. Select the Access Points tab.
The list of Access Points that you can configure appears in the Access Points list.
3. Select an AP device and click Edit.
The Edit Access Point dialog box appears.
4. (Optional) In the Name text box, type a new name for the AP device.
The default name is <AP device model number>_<AP device serial number>.
5. Adjacent to Network Settings, select an option to assign the AP device an IP address:
- DHCP
- Static
6. If you selected Static, type the IP Address, Subnet Mask, and Default Gateway for your
AP device.
7. (Optional) In the Location text box, type the location of the AP device on your network.
8. To override the Gateway Access Controller settings for syslog server logging:
a. Select the Send log messages to a syslog server check box.
b. In the Syslog server IP address text box, type the IP address of your syslog server.
9. To force your AP device to use outdoor wireless channels, select the Use Outdoor Channels
only check box.
This option is enabled by default for AP102 outdoor wireless devices.
10. To make sure your AP device does not use DFS (Dynamic Frequency Selection) channels in
the 5 GHz band in your region, select the Disable DFS Channels check box.
DFS channels are used with radar, and your AP device will stop transmitting if radar signals are
detected on that channel.
11. To disable the LEDs on your AP device, select the Disable LEDs check box.
This option allows you to operate your AP device in stealth mode to hide the use of wireless
activity when the device is deployed in a location that requires additional security. For
information on how you can flash the power LED to help identify AP devices in stealth mode,
see Monitor AP Device Status.
12. To use a tagged VLAN for management connections to the AP device:
a. Select the Enable Management VLAN Tagging check box.
b. In the Management VLAN ID text box, type the VLAN ID you want to use for
management. This must be a VLAN that is configured to handle tagged traffic to the
interface your AP device connects to.
If you configure a management VLAN ID in both the Gateway Wireless Controller
settings and the AP device settings, the Firebox or XTM device uses the
management VLAN ID specified in the AP device settings.
13. In the Radio 1 Settings and Radio 2 Settings sections, configure the settings for each AP
device radio: band, wireless mode, channel, and SSID.
For more information, see Configure AP Device Radio Settings.
Manually Add an AP Device Configuration
The Gateway Wireless Controller uses a UDP broadcast to automatically discover connected AP
devices. The Gateway Wireless Controller cannot automatically discover an AP device located
somewhere on your network where it cannot receive the broadcast. In these types of deployments, you
can instead connect to the AP device to configure the network settings, and then add the AP device to
the Gateway Wireless Controller, with the same network settings. The Firebox or XTM device can then
connect to the AP device to pair with it.
Some examples of deployment scenarios where you must use manual configuration and
discovery are:
- The Firebox or XTM device and the AP device are separated by a Layer 3 switch or router
- The Firebox or XTM device and the AP device are separated by a Branch Office VPN
For the Firebox or XTM device to discover an AP device, the network between the
AP device and the Firebox or XTM device must include a route for the traffic between
the two devices.
To configure the network settings on the AP device, use the WatchGuard Access Point web UI. For
information, see Use the WatchGuard Access Point Web UI.
To manually add an AP device to the Gateway Wireless Controller:
1. In Policy Manager, select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears.
2. Select the Access Points tab.
3. Click Add.
The Pairing Passphrase dialog box appears.
4. In the Pairing Passphrase text box, type the passphrase configured on the AP device.
The default passphrase on an AP device is wgwap. If you changed the passphrase in the web
UI on the AP device, type that passphrase here.
For more information about the Pairing Passphrase, see About AP Device Passphrases.
5. Click OK.
The Add Access Point dialog box appears.
6. In the Name text box, type a name for this AP device.
7. In the Model drop-down list, select the AP device model.
8. In the Serial text box, type the serial number of the AP device.
9. Adjacent to Network Settings, select Static.
10. In the IP Address text box, type the static IP address you configured on the AP device.
11. In the Subnet Mask text box, type the subnet mask you configured on the AP device.
12. In the Default Gateway text box, type the default gateway IP address you configured on the AP
device.
13. Configure the other AP device settings as described in the previous section.
Change the Pairing Passphrase
When you initially add an AP device to your configuration, you set the Pairing Passphrase. This
passphrase is only used when you first pair the AP device with the XTM device. If the first Pairing
Passphrase you typed did not match the passphrase on the AP device, you can change the
passphrase the XTM device uses to pair with the AP device.
To change the Pairing Passphrase:
1. On the Access Points tab, select an AP device and click Edit.
The settings for the AP device appear.
2. Adjacent to Pairing Passphrase, click Change.
The Change Pairing Passphrase dialog box appears.
3. In the Pairing Passphrase text box, type the correct, current passphrase on the AP device.
The default passphrase for an AP device is wgwap.
4. To make the passphrase you type visible, select Show passphrase.
5. Click Save.
For more information about AP device passphrases, see About AP Device Passphrases.
Configure AP Device Radio Settings
When you configure your WatchGuard AP device, you specify the radio settings, which include the
band, wireless mode, channel, and SSID settings.
To configure the radio settings:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller page appears.
2. Select the Access Points tab.
The Access Points list appears.
3. Select an AP device and click Edit.
The Edit Access Point dialog box appears.
4. Configure the radio settings as described in the subsequent sections.
Set the Band and Wireless Mode
WatchGuard AP devices support two wireless bands, 2.4 GHz and 5 GHz. The 5 GHz band provides
greater performance than the 2.4 GHz band, but is not compatible with all wireless devices. When you
specify the band and mode in the radio settings, make sure to select the correct options for the
wireless cards in the wireless client devices that connect to the AP device.
The configuration options for each radio depend on the AP device model.
AP100 / AP102
The AP100 and AP102 have one radio, Radio 1. You can configure Radio 1 to use either the
2.4 GHz or 5 GHz band.
AP200
The AP200 has two single-band radios, Radio 1 and Radio 2.
- Radio 1 always uses the 2.4 GHz band.
- Radio 2 always uses the 5 GHz band.
You configure the settings for each radio separately.
The wireless modes available for each radio depend on the wireless band the radio uses.
The 2.4 GHz band supports five wireless modes:
802.11 B/G/N Mixed
This is the default mode in the 2.4 GHz band. This mode enables the radio to connect with
devices that use 802.11n, 802.11g, or 802.11b.
802.11 B
This enables the radio to connect only with devices that use 802.11b.
802.11 B/G Mixed
This mode enables the radio to connect with devices that use 802.11b or 802.11g.
802.11 G
This enables the radio to connect only with devices that use 802.11g.
802.11 N only
This enables the radio to connect only with devices that use 802.11n.
The 5 GHz band supports three wireless modes:
802.11 A/N Mixed
This is the default mode in the 5 GHz band. This mode enables the radio to connect with devices
that use 802.11n or 802.11a.
802.11 A
This enables the radio to connect with devices that use 802.11a.
802.11 N only
This enables the radio to connect with devices that use 802.11n.
If you choose a wireless mode that supports mixed 802.11 standards, the overall
performance of the radio can decrease. This reduction in performance is caused in
part by the backward compatibility settings in mixed modes that enable devices with
slower modes to connect to the AP device radio.
Configure the Preferred Channel
When you first pair or add an AP device, the Preferred Channel is set to Auto, and each radio
automatically selects an available quiet channel in the band you have chosen.
The location of the APdevice affects which channels an APdevice radio can use.
You configure the location of your APdevices in the Gateway Wireless Controller
settings. For more information, see Configure Gateway Wireless Controller Settings.
When you edit an AP device configuration, you can set the preferred channel for each radio. The
available channels are determined based on the band, wireless mode, channel HT mode, and the
configured location of the AP device.
To set a preferred channel for an APdevice radio, select a channel fromthe Preferred Channel drop-
down list.
The APdevice attempts to use the preferred channel you select. If there is some reason the preferred
channel cannot be used, the AP device automatically selects a different available channel in the
configured radio band.
Configure Channel Width Settings
You can configure each radio to use a 20 MHz or 40 MHz channel width. To set the channel width for
each radio, configure the Channel HT(High Throughput) Mode.
For each radio, select a setting for the Channel HT Mode:
20MHz
This mode sets the radio to use a 20MHz channel width. This is the default setting.
20/40MHz
This mode is available only when the Preferred Channel is set to Auto. This mode enables the
radio to use either a 20MHz or 40MHz channel width, based on the available channels.
40MHz
This mode sets the radio to use 40MHz channel width. This mode assumes that no other
802.11a/b/g access points use the same channel.
If you use a 40MHz channel mode, the Extension Channel controls whether the radio adds the extra
20MHz of channel width above or below the selected channel.
For each radio, select a setting for the Extension Channel:
Upper Channel
Adds the 20MHz channel width above the selected channel.
Lower Channel
Adds the 20MHz channel width below the selected channel.
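An added example, not code from the WatchGuard guide, that models the Channel HT Mode, Preferred Channel and Extension Channel rules above in Python and derives the channel pair and center frequency a radio would occupy. The per-band channel and bonded-pair tables are constructed assumptions (a US-style subset), since the real lists depend on the Wireless Radio Region.

```python
# Added example (not WatchGuard code): apply the Channel HT Mode and Extension
# Channel rules from the guide and compute the resulting channel plan.
# Channel numbering follows IEEE 802.11: 5 MHz per channel number, so one
# 20 MHz step is four channel numbers. The channel and pair tables below are a
# constructed, region-specific assumption; the AP derives the real ones from
# the Wireless Radio Region configured in the Gateway Wireless Controller.
from dataclasses import dataclass
from typing import Optional

# Constructed allowed 20 MHz channels per band (assumption).
BAND_CHANNELS = {
    "2.4GHz": list(range(1, 12)),
    "5GHz": [36, 40, 44, 48, 149, 153, 157, 161, 165],
}
# Constructed valid 40 MHz (lower, upper) channel pairs per band (assumption).
# In 2.4 GHz any two allowed channels four numbers apart can be bonded; in
# 5 GHz only fixed pairs exist, so for example 40 + 44 is not a 40 MHz channel.
BONDED_PAIRS = {
    "2.4GHz": {(c, c + 4) for c in BAND_CHANNELS["2.4GHz"]
               if c + 4 in BAND_CHANNELS["2.4GHz"]},
    "5GHz": {(36, 40), (44, 48), (149, 153), (157, 161)},
}
HT_MODES = ("20MHz", "20/40MHz", "40MHz")
EXTENSIONS = ("Upper Channel", "Lower Channel")


def center_frequency_mhz(band: str, channel: int) -> int:
    """Center frequency of a 20 MHz channel (IEEE 802.11 numbering)."""
    base = {"2.4GHz": 2407, "5GHz": 5000}[band]
    return base + 5 * channel


@dataclass(frozen=True)
class RadioPlan:
    band: str
    primary: int
    secondary: Optional[int]   # None when the radio stays at 20 MHz
    width_mhz: int
    center_mhz: int            # center of the whole (possibly bonded) channel


def plan_channel(band: str, preferred: str, ht_mode: str, extension: str) -> RadioPlan:
    """Guide rules: 20MHz never bonds; 20/40MHz is allowed only with Preferred
    Channel Auto and bonds when a valid pair exists, else stays at 20 MHz;
    40MHz always adds 20 MHz above (Upper) or below (Lower) the channel."""
    if ht_mode not in HT_MODES or extension not in EXTENSIONS:
        raise ValueError("invalid Channel HT Mode or Extension Channel")
    if ht_mode == "20/40MHz" and preferred != "Auto":
        raise ValueError("20/40MHz is available only when Preferred Channel is Auto")
    channels = BAND_CHANNELS[band]
    # Auto is modelled as the first allowed channel; the real AP picks a quiet
    # channel, which this example does not simulate.
    primary = channels[0] if preferred == "Auto" else int(preferred)
    if primary not in channels:
        raise ValueError(f"channel {primary} is not allowed in {band}")
    twenty = RadioPlan(band, primary, None, 20, center_frequency_mhz(band, primary))
    if ht_mode == "20MHz":
        return twenty
    secondary = primary + (4 if extension == "Upper Channel" else -4)
    pair = (min(primary, secondary), max(primary, secondary))
    if pair not in BONDED_PAIRS[band]:
        if ht_mode == "20/40MHz":
            return twenty   # no usable extension channel: fall back to 20 MHz
        raise ValueError(f"{primary} {extension} is not a valid 40 MHz channel in {band}")
    center = (center_frequency_mhz(band, primary)
              + center_frequency_mhz(band, secondary)) // 2
    return RadioPlan(band, primary, secondary, 40, center)


def is_valid_40mhz(band: str, channel: int, extension: str) -> bool:
    """True if a radio on `channel` could bond in the given direction."""
    try:
        return plan_channel(band, str(channel), "40MHz", extension).width_mhz == 40
    except ValueError:
        return False


if __name__ == "__main__":
    print(plan_channel("5GHz", "36", "40MHz", "Upper Channel"))
    print(plan_channel("5GHz", "Auto", "20/40MHz", "Lower Channel"))
    print(is_valid_40mhz("5GHz", 40, "Upper Channel"))
```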
Set the Data Transfer Rate
For each radio, you can optionally limit the speed at which wireless clients can send data. By default,
the data rate is set to Auto, which means that there is no limit.
To set the maximum data transfer rate, select a rate from the Rate drop-down list. The actual client
receive (download) rate will be slightly less than this value.
The available rates you can select depend on the wireless mode the radio uses. Rates that start with
MCS correspond to the MCS (Modulation and Coding Scheme) index values defined in the IEEE
802.11n-2009 standard.
Each MCS option has two associated rates:
• The first number is the maximum rate for 20 MHz Channel HT Mode.
• The second number is the maximum rate for 40 MHz Channel HT Mode.
Set the Transmit Power Level
For each radio, you can optionally set the maximum transmit power to limit or expand the transmission
distance of your wireless signals. You can set the transmit power between 3 dBm and 20 dBm, or set the
value to Auto. The default (Auto) is 20 dBm. The transmit power cannot exceed the regulatory limits set
by your region.
To set the transmit power:
From the TX Power drop-down list, select a value.
Select the SSIDs
Each radio can support up to eight SSIDs. You can use the same SSID for more than one radio on one
or more AP devices. You can add up to eight SSIDs to each radio.
To add a configured SSID to a radio:
In the SSID list, select the check box adjacent to each SSID you want the radio to use.
If the SSID you want to add is not yet configured, you can add this AP device radio to the SSID when
you add the SSID.
For more information, see Configure WatchGuard AP Device SSIDs.
Configure Gateway Wireless Controller Settings
The Gateway Wireless Controller includes some settings that apply to all AP devices. These global
settings include:
• WatchGuard AP Passphrase
• Firmware updates
• Syslog server settings
• Wireless Radio Region
• MAC Access Control
To configure the global Access Point settings on the Gateway Wireless Controller:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller page appears.
2. Select the Settings tab.
The Settings page appears.
3. Configure the global AP device settings as described in the subsequent sections.
4. Click Save.
Change the WatchGuard AP Passphrase
The WatchGuard AP Passphrase is used for all WatchGuard AP devices after they are paired with
your XTM device. The Gateway Wireless Controller uses this passphrase to establish connections
between the XTM device and the paired AP devices. This is also the passphrase you use to log in to
the Access Point web UI of a paired AP device. You set the WatchGuard AP passphrase when you
enabled the Gateway Wireless Controller.
To change the WatchGuard AP passphrase:
1. In the WatchGuard AP Passphrase text box, type the passphrase to use for management of
all AP devices.
2. To make the passphrase you type visible, select Show passphrase.
Enable Automatic AP Device Firmware Updates
By default, the Gateway Wireless Controller is configured to automatically update the firmware on
WatchGuard AP devices when a new version is available. The XTM device receives AP device
firmware updates as part of a Fireware XTM OS update. If you update the Fireware XTM OS on your
XTM device, and that update contains new firmware for the AP devices, the default setting enables the
Gateway Wireless Controller to automatically update the firmware on all paired AP devices. If your
XTM device is paired to more than one AP device, the Gateway Wireless Controller automatically
updates the AP devices one at a time. The Gateway Wireless Controller updates one AP device every
five minutes.
To disable automatic firmware updates:
Clear the Automatically update WatchGuard AP firmware when a new version is
available on the XTM device check box.
If you disable automatic firmware updates, you can manually update the firmware for
each AP device. For more information, see Update AP Device Firmware.
Configure Syslog Settings
By default, each AP device automatically stores recent syslog log messages locally. You can see the
syslog messages stored on each AP device in Fireware XTM Web UI. For more information about how
to see syslog messages for an AP device, see WatchGuard AP Device and Wireless Client
Connections (Gateway Wireless Controller) on page 906.
You can also configure all your AP devices to send syslog messages to the same, external syslog
server. When you configure the syslog server in the Gateway Wireless Controller settings, all paired
AP devices send syslog messages to the specified server.
Before you configure the Gateway Wireless Controller settings for an external syslog server, make
sure the syslog server you specify is set up and your AP devices can connect to the IP address of the
syslog server.
To configure your AP devices to send log messages to an external syslog server:
1. Select the Send WatchGuard AP log messages to a syslog server check box.
2. In the Syslog server IP address text box, type the IP address of the syslog server.
Enable Management VLAN Tagging
You can optionally use a tagged VLAN for management connections to the AP device. You can enable
VLAN tagging for each AP device in the configuration for each AP device, or you can enable it in the
Gateway Wireless Controller settings. If you want to use the same management VLAN ID for all paired
access points, it might be most convenient to set the VLAN ID in the Gateway Wireless Controller
settings.
If you enable management VLAN tagging in the Gateway Wireless Controller settings, you do not need
to enable management VLAN tagging for each AP device. The XTM device uses the management
VLAN ID specified in the Gateway Wireless Controller settings for management traffic to all
AP devices, if management VLAN tagging is not enabled in the AP device settings.
To enable management VLAN tagging for all AP devices:
1. Select the Enable Management VLAN Tagging check box.
2. In the Management VLAN ID text box, type the VLAN ID you want to use for management.
This must be a VLAN that is configured to handle tagged traffic to the interface your AP devices
connect to.
If you specify a management VLAN ID in the configuration settings for an AP device,
the XTM device uses the VLAN ID configured for the AP device instead of the
VLAN ID specified in the Gateway Wireless Controller settings.
Set the Wireless Radio Region
WatchGuard AP devices automatically select the best radio channel to use from the allowed channels
in the region where the device is located. To use the correct radio channels, you must select the
location of your AP devices. All AP devices managed by the same XTM device use the same wireless
radio region.
To set the wireless radio region:
From the Set the location of the WatchGuard AP devices drop-down list, select the country
where your AP devices are located.
Enable SSH Access
Secure SSH access to wireless AP devices is used by WatchGuard Technical Support to help
troubleshoot issues with the AP device. Enable this option only if requested by technical support.
To allow SSH access on all AP devices, select the Enable SSH access on all WatchGuard APs
check box.
Configure MAC Access Control
In the MAC Access Control section, you can configure a list of denied or allowed MAC addresses for
your AP devices.
To configure a list of denied or allowed MAC addresses for your AP devices:
From the Settings dialog box, select the MAC Access Control tab.
Configure MAC Access Control
You can configure the MAC access control lists to allow or deny wireless client connections based on
the MAC addresses of the client devices. You can configure a list of denied and allowed
MAC addresses in the Gateway Wireless Controller. Then, you can configure each SSID to use one of
these lists to control wireless client access to your network.
We recommend that you limit the total number of denied and allowed MAC addresses
to 50 addresses to avoid performance issues.
There are two types of MAC access control lists:
Denied MAC Addresses
To make sure certain wireless clients cannot connect to your AP device, you can add the MAC
addresses of those wireless clients to the Denied MAC Addresses list. If you configure an
SSID to use the Denied MAC Addresses list, any wireless clients with MAC addresses that
are on this list are not allowed to connect to that SSID.
Allowed MAC Addresses
To enable certain wireless clients to connect to your AP device, you can add the
MAC addresses of those wireless clients to the Allowed MAC Addresses list. If you configure
an SSID to use the Allowed MAC Addresses list, only wireless clients with MAC addresses
that are on this list can connect to that SSID.
Edit the MAC Access Control Lists
To configure the denied and allowed MAC address lists:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller page appears.
2. Select the Settings tab.
The MAC Access Control settings appear at the bottom.
To add denied MAC addresses:
1. In the Denied MAC Addresses section, click Add.
The MAC Address dialog box appears.
2. In the MAC address text box, type the MAC address of a wireless client that you want to deny
access to your AP devices.
3. (Optional) In the Name text box, type a descriptive name to identify the wireless client in the
list.
4. Click Add.
The MAC address is added to the Denied MAC Addresses list.
To add allowed MAC addresses:
1. In the Allowed MAC Addresses list section, click Add.
2. In the MAC address text box, type the MAC address of a wireless client that you want to allow
access to your AP devices.
3. (Optional) In the Name text box, type a descriptive name to identify the wireless client in the
list.
4. Click OK.
The MAC address is added to the Allowed MAC Addresses list.
To delete a MAC address from either list, select the MAC address and click Remove.
Enable an SSID to Use MAC Access Control
To configure an SSID to deny access based on the MAC Access Control settings, you must enable
MAC Access Control in the SSID settings.
From the Gateway Wireless Controller:
1. On the SSIDs tab, select an SSID.
2. Click Edit.
3. Select the Use the MAC Access Control list defined in the Gateway Wireless Controller
Settings check box.
4. From the drop-down list, select a list: Denied MAC Addresses or Allowed MAC Addresses.
5. Save the configuration file to the XTM device.
After you enable MAC Access Control for an SSID, the AP device uses the selected MAC Access
Control list to determine whether to allow wireless clients to connect to that SSID.
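An added example, not WatchGuard code, that models in Python the Denied and Allowed MAC Addresses lists, the per-SSID choice of which list to enforce, and the 50-address recommendation described above, together with the deny-after-disconnect workflow from Monitor Wireless Clients. The MAC addresses, client names and SSID names are constructed sample values.

```python
# Added example (not WatchGuard code): a model of the Gateway Wireless
# Controller MAC Access Control lists and the per-SSID list selection.
# MAC addresses, names and SSIDs below are constructed sample values.
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

RECOMMENDED_MAX_ENTRIES = 50   # guide: keep denied + allowed to 50 addresses
_MAC_HEX_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 00-1A-2B-3C-4D-5E and 001a.2b3c.4d5e
    match the same list entry. Raises ValueError for malformed input."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_HEX_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class GatewayWirelessController:
    """The two global lists; each maps a normalized MAC to its optional name."""
    denied: Dict[str, str] = field(default_factory=dict)
    allowed: Dict[str, str] = field(default_factory=dict)

    def _list(self, which: str) -> Dict[str, str]:
        return {"denied": self.denied, "allowed": self.allowed}[which]

    def add(self, which: str, mac: str, name: str = "") -> None:
        self._list(which)[normalize_mac(mac)] = name

    def remove(self, which: str, mac: str) -> None:
        self._list(which).pop(normalize_mac(mac), None)

    def over_recommended_size(self) -> bool:
        """True when the guide's 50-address recommendation is exceeded."""
        return len(self.denied) + len(self.allowed) > RECOMMENDED_MAX_ENTRIES


@dataclass
class SSID:
    name: str
    # None: MAC Access Control not enabled for this SSID; otherwise the list
    # chosen in the SSID settings, "denied" or "allowed".
    mac_access_control: Optional[str] = None


def client_may_connect(gwc: GatewayWirelessController, ssid: SSID, client_mac: str) -> bool:
    """Denied list: listed clients are refused. Allowed list: only listed
    clients are admitted. No list: MAC filtering does not apply.
    The decision keys on the address the client presents; it is a filter on
    top of the SSID's wireless security settings, not a replacement for them."""
    mac = normalize_mac(client_mac)
    if ssid.mac_access_control is None:
        return True
    if ssid.mac_access_control == "denied":
        return mac not in gwc.denied
    if ssid.mac_access_control == "allowed":
        return mac in gwc.allowed
    raise ValueError(f"unknown MAC Access Control setting {ssid.mac_access_control!r}")


def deny_client(gwc: GatewayWirelessController, client_mac: str, name: str = "") -> None:
    """Monitor Wireless Clients workflow: note the MAC of a client before you
    disconnect it, then add it to the Denied list so every SSID that enforces
    that list refuses it."""
    gwc.add("denied", client_mac, name)


if __name__ == "__main__":
    gwc = GatewayWirelessController()
    gwc.add("allowed", "AA:BB:CC:DD:EE:01", "office printer")
    deny_client(gwc, "00-1A-2B-3C-4D-5E", "lost laptop")
    guest, staff = SSID("Guest", "denied"), SSID("Staff", "allowed")
    print(client_may_connect(gwc, guest, "001a.2b3c.4d5e"))   # False
    print(client_may_connect(gwc, staff, "aa:bb:cc:dd:ee:01"))  # True
```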
Unpair an AP Device
To unpair a WatchGuard AP device from an XTM device, you remove the AP device from the Paired
Access Point list in the Gateway Wireless Controller. When you unpair an AP device, the AP device
restarts with factory default settings. The passphrase on the AP device is reset to wgwap.
To unpair an AP device from your XTM device:
1. Select Network > Gateway Wireless Controller.
2. Select the Access Points tab.
The list of paired Access Points appears in the list at the top of the Access Points tab.
3. From the Access Points list, select the AP device to unpair.
Use the Control and/or Shift keys to select multiple AP devices at the same time.
4. Click Remove.
The selected Access Points are removed from the configuration. The XTM device resets the AP
device to factory default settings.
After you unpair the AP device, it restarts with factory default settings. After the AP device restarts,
the Gateway Wireless Controller can discover it again as an unpaired AP device.
The power LED on the AP device alternates from green to red when the device is unpaired.
Monitor AP Device Status
From the Fireware XTM Web UI Dashboard, you can monitor, reboot, and upgrade the WatchGuard
AP devices managed by your Firebox or XTM device.
1. Select Dashboard > Gateway Wireless Controller.
The Gateway Wireless Controller page appears.
2. Select the Summary tab.
The Summary panel shows a status summary for the AP device, and the available firmware
version. The Top Panels show real-time data about the traffic through the AP device. For more
information, see WatchGuard AP Device and Wireless Client Connections (Gateway Wireless
Controller).
3. Select the Access Points tab.
4. Monitor your AP devices as described in the subsequent sections.
See AP Connection Status and Uptime
In the Status column, you can see the status of each paired AP device.
• Online - The AP device is enabled and can communicate with the Firebox or XTM device.
• Offline - The AP device cannot be contacted by the Firebox or XTM device.
• Discovered - The AP device has been discovered by the Firebox or XTM device, but is not yet
online.
• Updating - An update to the AP device configuration is in progress.
• Passphrase Mismatch - The passphrase on the AP device does not match the passphrase
on the Gateway Wireless Controller.
For information about how to resolve a passphrase mismatch, see About AP Device
Passphrases.
In the Uptime column, you can see how long an AP device has been online.
For the Uptime to be correct, the Firebox or XTM device must have a policy that
allows NTP traffic from the AP device to the Internet. For more information, see
WatchGuard AP Device Requirements and Limitations.
See AP Radio Frequency and Channel
In the Radio1 and Radio2 columns, you can see the frequency, channel, and transmit power used by
each AP device radio. If available, secondary channel information is also displayed.
Each radio automatically selects a quiet channel in the band you have selected. The channel that the
radio uses is determined based on the band, wireless mode, channel HT mode, and on the country you
specify in the Gateway Wireless Controller settings.
For more information about radio settings, see Configure AP Device Radio Settings.
See the AP Activation Status
In the LiveSecurity column, you can see the activation status of each AP device.
• Activated - The AP device is activated.
• Not Activated - The AP device is not activated.
The XTM device automatically attempts to activate the AP device to start the LiveSecurity
subscription and hardware warranty.
For more information about activation, see About AP Device Activation.
See AP Device Network Statistics
In the Sent, Received, and Total columns, you can see the number of kilobytes of data sent and
received by each AP device since the last time it restarted.
The Network Statistics report shows a more detailed collection of raw network statistics information
from the selected AP device. This includes the Interface Statistics (names, MAC and/or IP addresses,
and traffic counters), the Routing Table, and the ARP Table for the AP device. This information can be
helpful when you troubleshoot.
To see network statistics for an AP device:
1. On the Access Points tab, select an AP device.
2. Click Network Statistics.
The Network Statistics page appears with statistics from the selected AP device.
3. To return to the main Gateway Wireless Controller page, click Return.
See Log Messages on an AP Device
By default, each WatchGuard AP device stores recent syslog log messages locally. If you configure
the AP device to send syslog messages to an external syslog server, the recent syslog messages are
also available on the AP device. You can see the syslog messages on each AP device on the System
Status > Gateway Wireless Controller page.
To see syslog messages on the AP device:
1. On the Access Points tab, select an AP device.
2. Click Log Messages.
The Log Messages page appears with log messages from the selected AP device.
3. To return to the main Gateway Wireless Controller page, click Return.
For the time stamp in the log messages on the AP device to be correct, the Firebox or
XTM device must have a policy that allows NTP traffic from the AP device to the
Internet. For more information, see WatchGuard AP Device Requirements and
Limitations.
Flash the Power LED on the AP Device
You can flash the power LED on a specific AP device to help with identification. This utility is useful if
you use the Disable LEDs option to operate your AP device in stealth mode to hide the use of wireless
activity.
For more information on how to disable the LEDs on your AP device, see Configure AP Device
Settings.
To flash the power LED on your AP device:
1. On the Access Points tab, select an AP device.
2. Click Flash Power LED.
The power LED will flash green for several minutes.
Restart Wireless on the AP Device
When you restart the wireless interfaces on your AP device, you do not have to reboot the device. This
is useful if you encounter wireless interference on the current wireless channel and want to use
auto-selection to switch to another channel.
To restart the wireless interfaces on your AP device:
1. On the Access Points tab, select an AP device.
2. Click Restart Wireless.
Reboot an AP Device
To reboot an AP device:
1. On the Access Points tab, select an AP device.
2. Click Reboot.
3. Click Yes to confirm that you want to reboot the AP device.
While the AP device reboots, Offline appears in the Status column for the AP device. When the
AP device reboot is complete, Online appears in the Status column.
Upgrade an AP Device
The Summary tab shows the version of AP device firmware that is available.
To upgrade the firmware on an AP device to the currently available version:
1. On the Access Points tab, select an AP device.
2. Click Upgrade.
3. Click Yes to confirm that you want to upgrade the AP device.
While the AP device reboots, Offline appears in the Status column for the AP device. When the
AP device reboot is complete, Online appears in the Status column.
Perform a Site Survey
You can use your AP device to complete a site survey to detect other wireless access points that
operate in the same area. When you perform a site survey, the radios in the AP device scan the
wireless channels to find other wireless access points. The site survey can detect all local wireless
access points. This includes other WatchGuard AP devices and WatchGuard XTM wireless devices.
You must configure an AP device radio to use at least one SSID before that radio can perform a site
survey.
When a site survey scan begins, the AP device scans the airwaves within range for other radio
broadcasts in the same radio band, on all available wireless channels. The scan is not limited to the
wireless mode and channel settings configured in the radio settings of your device. The AP200 can use
both radios to scan on the 2.4GHz and 5GHz radio bands. The AP100 scans on either the 2.4GHz or
5GHz band. The band used for the scan depends on which band the radio is configured to operate in.
The site survey does not interrupt wireless connectivity for connected wireless clients.
To start a site survey:
1. On the Access Points tab, select an AP device.
2. Click Site Survey.
The Site Survey page appears and the AP device begins the scan for other wireless access points. A
list of detected access points appears in the Site Survey page.
3. To return to the main Gateway Wireless Controller page, click Return.
For each detected wireless access point, the site survey report shows this information:
BSSID
The Basic Service Set Identifier is the MAC address of the wireless access point.
SSID
This is the SSID for the access point. If an access point has more than one SSID, each SSID
appears as a separate item in the site survey.
Channel
This is the wireless channel that the wireless access point uses. If available, secondary
channel information also appears.
Signal Level
This is the signal strength of the wireless access point.
Type
This is the wireless standard the wireless access point supports.
Security
This is the type of wireless security used by the wireless access point.
Mode
This is the operating mode of the wireless device.
Monitor Wireless Clients
On the Gateway Wireless Controller page, you can see a list of the wireless clients connected to
your WatchGuard AP device. You can also disconnect a wireless client.
To see the connected wireless clients:
1. Select Dashboard > Gateway Wireless Controller.
The Gateway Wireless Controller page appears.
2. Select the Wireless Clients tab.
A list of connected wireless clients appears.
For more information about the Wireless Clients tab, see WatchGuard AP Device and Wireless Client
Connections (Gateway Wireless Controller).
To disconnect a wireless client from an AP device:
1. Select a wireless client.
2. Click Disconnect Client.
To permanently deny a wireless client access to your WatchGuard AP devices, make a note of the
MAC address before you disconnect the wireless client. You can then add that MAC address for that
wireless client to the Denied MAC address list in the MAC Access Control configuration. You must
also enable MAC Access Control in the SSID settings. For more information, see Configure
MAC Access Control.
View Wireless Deployment Maps
In the Fireware XTM Web UI, you can use the Maps tab on the Dashboard > Gateway Wireless
Controller page to help you visualize your wireless network, determine where to place your
WatchGuard AP devices, and check for wireless conflicts so that you can optimize your wireless
environment.
For detailed information on how to use the wireless maps feature, see Use Gateway Wireless
Controller Maps.
We recommend you use firmware v1.2.9.1 and higher on your WatchGuard
AP devices for accurate map scanning.
Wireless Deployment Maps Overview
From the Maps page, you can:
• View a 2D map of your wireless network.
• See the radio frequency, channel, transmit power, and SSID used by each radio.
• Check for wireless channel conflicts.
• Look for unauthorized access points.
You can select two views:
• Wireless Coverage Map - Shows the location of your AP devices in relation to one another,
and shows the connection quality and any channel conflicts between your AP devices.
• Channel Conflict Map - Shows the location of your AP devices and any other wireless
devices in the vicinity, shows the channel and bandwidth details for each device, and shows
any wireless channel conflicts between devices.
Use Maps for AP Device Placement
You can use the Wireless Coverage Map to provide a simulated physical view of your wireless network
to help you place the AP devices in optimal locations for maximum coverage. After the initial scan, the
maps display the relative location of each WatchGuard AP device. Because the Wireless Coverage
Map is a two-dimensional representation of your environment, AP devices on different floors in your
environment might appear to be positioned closely on the map even though they are physically distant.
What is most important is the strength of the connections and links between the AP devices.
In an ideal deployment, your AP devices should be deployed at a relatively uniform distance to each
other, with solid or dashed green lines between the devices on the maps. The network should resemble
a mesh pattern where there are as many redundant links as possible between AP devices for
uninterrupted roaming for wireless clients.
For example, in this simple wireless network:
• There are three WatchGuard AP devices managed by this Gateway Wireless Controller.
• The AP devices are well positioned for maximum coverage.
• Wireless users have no interruptions when they roam from one AP device to another.
• The solid green lines indicate a strong wireless connection with no channel conflicts between
these AP devices.
No conflicts with other wireless devices in your environment are displayed in the
Wireless Coverage Map. This information is displayed in the Channel Conflict Map.
In the next example, the network is larger with more AP devices in the wireless network. There are
some channel conflicts between AP devices and connection links between some AP devices are
weak.
• There are seven WatchGuard AP devices managed by this Gateway Wireless Controller.
• AP 100 and AP 200 are physically close together, but have a significant level of channel
conflict.
• Remote 102 is connected with a weak signal, with no connection to the other AP devices. A
wireless user could lose connectivity if they roamed from Remote 102 to Remote 100.
See Wireless Channel Conflicts
Use the Channel Conflict Map to see all wireless devices in the vicinity, and show any channel conflict
between devices. This map includes all wireless devices, even those not managed by your Gateway
Wireless Controller.
The color of the AP device indicates the severity of the channel conflict. In this example, the two
AP100 devices have moderate channel conflict, and the AP200 device has significant channel conflict.
Other non-managed devices are shown in grey. The links between the AP devices are green, which
indicates that any wireless conflicts are with foreign devices, not with other WatchGuard AP devices in
your network.
To see more detailed information on connections to other wireless devices, including foreign devices
that are not other WatchGuard AP devices in your network, hover your mouse pointer over the AP200
device. The color and line detail indicate the severity of the conflict and signal loss.
To see more detailed information about the AP device and any channel conflicts, right-click an AP
device and select View Details. The details include a map and graph with channel conflict
information on nearby devices.
To see only the devices that have channel conflicts with your AP device, select the Show only
conflicting devices check box.
In the table, the Conflict column shows which devices have a channel conflict with the selected AP
device. You can use this information to adjust your wireless radio configuration to find an appropriate
wireless channel with the least interference.
For information about how to change your wireless radio configuration, see Configure AP Device Radio
Settings.
If your Preferred Channel selection is set to Auto, you can use the Restart Wireless option to restart
the wireless interfaces and allow the device to select an appropriate channel. When you restart the
wireless interfaces, the AP device does not reboot.
For more information on how to restart wireless interfaces, see Monitor AP Device Status.
Find Unauthorized Access Points
You can use the Wireless Deployment Maps to scan your network for all foreign wireless access
points that operate within range of your managed AP devices. Some of these unauthorized access
points could be rogue access points. A rogue access point is any wireless access point within range of
your network that is not recognized as an authorized access point. An unauthorized access point can
be installed by a malicious user, but it could also be a device installed by someone inside your
organization without consent. These access points are security risks to your wireless and wired
networks if they do not have proper security features enabled.
The wireless maps feature scans the airwaves on all wireless modes and channels within range for
other wireless devices.
In the Channel Conflict Map view, you can see all wireless devices and access points. This includes
the AP devices managed by your Gateway Wireless Controller, and all foreign SSIDs and any BSSIDs
(the MAC address is displayed if SSID broadcast is disabled).
This map can help you find the relative location of any foreign device in relation to your other devices on
the network. You can also click any foreign device in the map and examine wireless details for that
device.
Enable a Hotspot on an AP Device
You can enable one SSID on your WatchGuard AP device as a hotspot. You can enable a hotspot on
one SSID or network at a time.
When you enable the hotspot feature for an SSID, wireless clients see a hotspot splash screen page
when they connect to the SSID. You can configure the hotspot to require wireless clients to accept
terms and conditions. Or, you can configure an external hotspot authentication server that requires
wireless clients to provide information that can be validated before the wireless client is allowed to
connect to the network.
When you enable a hotspot for an AP device SSID, the hotspot interface you select depends on how
you configure the SSID and how your AP devices connect to the XTM device.
• If the SSID has VLAN tagging enabled, select the VLAN interface with the VLAN ID
configured in the SSID.
• If the SSID does not have VLAN tagging enabled, and the AP device is directly connected
to an XTM device interface, select the XTM device interface your AP device is connected
to.
• If the SSID does not have VLAN tagging enabled, but the AP devices that use the
SSID connect to XTM device VLAN interfaces that manage only untagged VLAN traffic,
select the untagged VLAN as the hotspot interface.
If you connect the AP device to a switch but do not use VLAN tagging, you cannot
enable the hotspot only for traffic that goes through the AP device. If you enable the
hotspot for the XTM device interface the switch connects to, the hotspot is enabled
for all traffic through that XTM device interface.
To enable a hotspot for an AP device, configure the hotspot settings on the XTM device that is paired
with the AP device. For more information about how to configure a hotspot, see Enable a Hotspot.
Reset the WatchGuard AP Device
There are three ways to reset the WatchGuard AP device to factory default settings:
• Press the reset button on the AP device.
• Reset the AP device from the WatchGuard Access Point web UI.
• Unpair an AP device.
If you reset a paired WatchGuard AP device to factory default settings, the
XTM device attempts to use the pairing passphrase configured for the AP device in
the Gateway Wireless Controller to pair the device again and send the configuration
to the AP device. If the pairing passphrase for this AP device on the Gateway
Wireless Controller is not set to the default, wgwap, the pairing fails and you get a
passphrase mismatch. For more information, see About AP Device Passphrases.
After you reset an AP device to factory default settings, the AP passphrase is set to the default
passphrase, wgwap.
An AP device with factory default settings cannot accept tagged VLAN traffic. If you reset an AP
device that has management VLAN tagging enabled, the XTM device cannot automatically rediscover
and pair with the AP device on the tagged VLAN. For more information, see WatchGuard AP Device
Discovery and Pairing.
Reset the WatchGuard AP Device with the Reset Button
To reset the AP device with the reset button on the AP device:
1. With the AP device powered on, press and hold the reset button.
2. After 12 seconds, release the reset button.
The AP device resets.
When the device completes initialization, it is reset to the factory default settings.
Reset the WatchGuard AP Device from the Access Point Web UI
To reset the AP device from the Access Point web UI:
1. Log in to the WatchGuard Access Point web UI.
2. From the left navigation menu, select Status.
The Access Point Status page appears.
3. On the Access Point Status page, click Reset to Factory Defaults.
For more information about how to use the WatchGuard Access Point web UI, see Use the WatchGuard Access Point Web UI.
Unpair the WatchGuard AP Device
When you unpair the AP device from an XTM device, the AP device restarts with factory default settings. The power LED on the AP device alternates between green and red when the device is unpaired. For more information, see Unpair an AP Device.
Update AP Device Firmware
AP device firmware images are included with the Fireware XTM OS installation, so that the XTM device can update the firmware for paired AP devices.
See the Current Firmware Version
You can see information about the installed and available versions of AP device firmware on the Gateway Wireless Controller dashboard. For more information, see Monitor AP Device Status.
- The Access Point Firmware Available section shows the version of Access Point firmware that is available on the XTM device. This is the version of firmware the XTM device can install on a paired AP device.
- In the Access Points tab, the Version column shows the currently installed firmware version on each paired access point.
Options for AP Device Firmware Updates
There are several ways that you can upgrade the firmware on your AP devices:
Enable automatic firmware updates
You can configure the Gateway Wireless Controller to automatically update the firmware for all paired AP devices whenever a new version is available on the XTM device. For more information, see Configure Gateway Wireless Controller Settings.
Send a firmware update to a single AP device
You can update the firmware for a single AP device from the Gateway Wireless Controller dashboard. For more information, see Monitor AP Device Status.
Use the Access Point web UI on the AP device
You can manually upgrade the firmware on an AP device from the Access Point web UI. Before you can upgrade your AP device, you must download the firmware image from the WatchGuard Software Downloads page and save it to the computer connected to your AP device. This is the only way to update firmware for an unpaired AP device. For more information, see Use the WatchGuard Access Point Web UI.
Add an HTTPS Policy for Access Point Web UI Connections
If the connection from your management computer to your AP device is routed through your XTM device, you might have to add an HTTPS packet filter policy to your XTM device configuration so that your management computer can log in to the WatchGuard Access Point web UI.
To allow connections to the AP device on a VLAN from any trusted network:
1. Add an HTTPS packet filter policy.
2. In the From list, add the alias Any-Trusted.
To allow connections to the Access Point web UI from only a specific network interface, add that interface name to the From list instead. A narrower From list is the better default: only the hosts or interface used for AP management need to reach the AP web UI.
3. In the To list, add the interface where your AP device is connected. This can be a physical interface or a VLAN interface.
- If you do not use VLAN tagging, add the XTM device interface that your AP device connects to.
- If you use VLAN tagging, add the untagged VLAN you configured for management connections to your AP devices.
Use the WatchGuard Access Point Web UI
To see basic information about your WatchGuard Access Point (AP) device and manage some of the settings for the AP device, you can connect directly to the WatchGuard Access Point web UI. From the Access Point web UI, you can:
- See the current configuration details for the AP device
- Manage the network settings for the AP device
- Change the AP device passphrase
- Upgrade the AP device firmware
- Save configuration changes or revert recent changes to the AP device
Because you manage the configuration, passphrases, and firmware updates for your paired WatchGuard AP device from the Gateway Wireless Controller on the XTM device, it is not often necessary to use the WatchGuard Access Point web UI to manage the configuration of your AP device directly.
Connect to the WatchGuard Access Point Web UI
Before you can connect your computer directly to the WatchGuard AP device for the first time, you must change the network settings on your computer so that it can reach the AP device. You can then connect to the AP device to manage the AP device settings. If you change the network settings on the AP device and later want to connect directly to the AP device again, you must configure your computer to use an IP address and gateway in the same network range as the IP address you set for the AP device.
Connect to an Access Point Directly Connected to Your Computer
To connect directly to the WatchGuard Access Point web UI on an AP device that uses factory default settings:
1. Configure your computer to use these network settings:
- IP address 192.168.1.2
- Subnet mask 255.255.255.0
- Gateway 192.168.1.1
2. Connect your computer directly to the AP device with an Ethernet cable.
3. Open a web browser and go to https://192.168.1.1.
The WatchGuard Access Point web UI login page appears.
4. In the Passphrase text box, type the passphrase for the AP device. The default passphrase is wgwap.
5. Click Login.
The WatchGuard Access Point web UI appears, with the Access Point Status page selected.
You can now monitor and manage the settings for your AP device, as described in the subsequent sections.
Connect to an Access Point On Your Network
Depending on the location of your computer and the Access Point on the network, you might need to add an HTTPS policy to allow connections to the AP device from another network. For more information, see Add an HTTPS Policy for Access Point Web UI Connections.
Before you begin, make sure you have the IP address of the AP device.
- The IP address of a paired AP device is available on the Gateway Wireless Controller System Status page. For more information, see Monitor AP Device Status.
- The IP address of an unpaired AP device is available on the Access Points tab of the Gateway Wireless Controller. For more information, see WatchGuard AP Device Discovery and Pairing.
To connect to the WatchGuard Access Point web UI for an AP device that is connected to your XTM device:
1. Open a web browser and go to https://<AP device IP address>.
The WatchGuard Access Point web UI login page appears.
2. In the Passphrase text box, type the passphrase for the AP device.
For a paired AP device, the passphrase is the WatchGuard AP Passphrase configured in the Gateway Wireless Controller settings on the XTM device. For more information, see Configure Gateway Wireless Controller Settings.
3. Click Login.
The WatchGuard Access Point web UI appears, with the Access Point Status page selected.
You can now monitor and manage the settings for your AP device, as described in the subsequent sections.
Verify the Current AP Device Settings
On the Access Point Status page, you can verify the current network settings, model information, firmware version, and serial number for the AP device. You can also revert to the factory default settings for your AP device.
When you connect to your AP device, the Access Point Status page is selected by default.
To go to the Access Point Status page and review the AP device settings:
1. From the left navigation menu, select Status.
The Access Point Status page appears.
2. Review the current settings for your AP device.
To reset your AP device to the factory default settings, on the Access Point Status page, click Reset to Factory Defaults.
Manage Network Settings
By default, your AP device uses DHCP to automatically receive an IP address from your network. When you configure your AP device, you can continue to use DHCP to automatically configure the network settings, or you can use a static IP address and manually configure the network settings. To help you easily identify the AP device, you can also specify a friendly device name for the AP device.
1. From the left navigation menu, select Settings.
The Network Settings page appears.
2. Select an option:
- DHCP
- Static
3. If you select Static, in the IP Network Setting section, type the network configuration settings for the AP device.
4. To specify a VLAN, in the VLAN ID text box, type the VLAN number.
5. To specify a friendly name for the AP device, in the Device Name text box, type a name for the AP device.
6. To enable SSH for technical support access, select Enable Sshd. Leave this disabled unless WatchGuard support asks for it, and disable it again afterward, because it opens an additional management service on the AP device.
7. Click Save.
Change the Access Point Passphrase
All AP devices use the same passphrase by default: wgwap. The passphrase is changed automatically when you pair the AP device with an XTM device. We recommend that you do not use the WatchGuard Access Point web UI to change the AP device passphrase. If you do use the WatchGuard Access Point web UI to change the AP device passphrase, you must use the new value as the pairing passphrase for this AP device in the Gateway Wireless Controller on the XTM device. For more information, see About AP Device Passphrases.
1. From the left navigation menu, select Passphrase.
The Local passphrase page appears.
2. In the Current passphrase text box, type the current passphrase for your AP device.
If you have never changed the passphrase before, type the default passphrase, wgwap.
3. In the New passphrase and Confirm new passphrase text boxes, type the new passphrase to use for the AP device.
4. Click Save.
Upgrade the AP Device Firmware
When you manage your WatchGuard AP device with the Gateway Wireless Controller on your XTM device, by default the firmware on your AP device is automatically updated when a new version is available to the controller on the XTM device. You can also choose to manually upgrade the firmware on your AP device from the Access Point web UI, if a firmware update for the AP device is available on the WatchGuard Software Downloads page. Before you can upgrade your AP device to a new version of firmware, you must have saved the firmware image to the computer connected to your AP device.
1. From the left navigation menu, select Firmware Upgrade.
The Firmware Upgrade page appears.
2. Click Browse to select the firmware image file.
The firmware image file path appears in the Firmware Location text box.
3. Click Upgrade.
Do not interrupt the power to the AP device while the firmware upgrade is in progress. Interruption of power during a firmware upgrade can cause the AP device to start in failsafe mode. When the AP device is in failsafe mode, the Access Point web UI provides a single option that enables you to upgrade the device firmware. For more details about AP device failsafe mode and recovery, see the WatchGuard Knowledge Base.
Save or Revert Configuration Changes
If you have made changes to the AP device configuration that have not yet been applied, you can choose to save your changes and apply them to the AP device, or revert the changes so they are not applied to the AP device.
1. From the left navigation menu, select Save/Reload.
The Save/Reload page appears.
2. To apply changes and save them to the AP device configuration, select a change from the Unsaved changes list and click Save & Apply.
3. To revert a change, select a change from the Unsaved changes list and click Revert.
WatchGuard AP Device Deployment Examples
These examples provide configuration diagrams for the most common types of WatchGuard AP device deployment scenarios.
WatchGuard AP device with a Single SSID
For a basic type of wireless deployment in a small office with simple requirements, you can deploy one or more WatchGuard AP devices with a single SSID.
For a configuration example, see AP Device Deployment with a Single SSID.
WatchGuard AP device with Simple Roaming
To extend the range of an SSID over a larger physical area, you can assign the same SSID to multiple AP devices.
For a configuration example, see AP Device Deployment with Simple Roaming.
WatchGuard AP device with Single or Multiple SSIDs and VLANs for Policies
For a more complex environment with additional security and policy requirements for wireless users, you can use one or more SSIDs for your wireless network with VLANs. VLANs enable you to apply wireless security policies for each SSID on the XTM device, and to separate network traffic for each SSID on a dedicated VLAN.
For a configuration example, see AP Device Deployment with VLANs.
AP Device Deployment with a Single SSID
For a basic AP device installation, you deploy one WatchGuard AP device with a single SSID. In this simple deployment scenario, you do not have to configure VLANs or complex network settings. This example is recommended for small office deployments where the requirement is to add secure wireless access to an existing LAN. The WatchGuard AP device management traffic and wireless SSID traffic all communicate across the same network.
If your environment is large enough to require more than one AP device for wider wireless coverage, you can assign the same SSID to multiple AP devices. When you assign the same SSID to more than one AP device, the range of that SSID is extended, which enables mobile users to roam from one AP device coverage area to another. For more information, see AP Device Deployment with Simple Roaming.
With this deployment scenario, there are two primary methods you can use to physically connect your WatchGuard AP device to the network:
- Connect the AP device directly to your XTM device on a Trusted or Optional network interface.
- Connect the AP device to a switch that is on a Trusted or Optional network.
AP Device Deployment with Simple Roaming
To extend the range of an SSID over a larger physical area, you can assign the same SSID to multiple AP devices. When a wireless user moves to a different location on your physical network, the wireless client can automatically connect to a different AP device that has a stronger signal for that SSID. This eliminates the need for users to manually reconnect when they move their wireless devices around your office. Simple roaming relies on the wireless client to switch between wireless access points.
For this deployment scenario, you can connect each AP device directly to a trusted XTM device interface, or to a switch on the trusted network. As long as you connect all AP devices to interfaces in the same network security zone, wireless clients that connect to the SSID can roam between the AP devices.
The diagram (not reproduced here) shows three AP devices connected to the trusted network: two connected to a switch, and one connected to a trusted interface on the XTM device. All AP devices use the same SSID.
AP Device Deployment with VLANs
If you have a complex network environment with security and policy requirements for wireless users, you can enable VLANs on the SSIDs for your wireless network. VLANs enable you to apply wireless security policies to each SSID on the XTM device, and to separate network traffic for each SSID on a dedicated VLAN.
With this deployment scenario, there are two primary methods you can use to physically connect your WatchGuard AP device to the network:
- Connect the AP device directly to the XTM device on a Trusted or Optional network configured as a VLAN interface. You create VLANs on the XTM device for AP device management, and for each wireless SSID.
- Connect the AP device to a managed network switch configured with the VLAN information for the related SSIDs. You can also configure the same VLANs on the XTM device, so that you can use the VLANs in firewall policies for each SSID.
Required VLAN Types
To enable VLAN tagging in your AP device SSIDs, there are two types of VLANs you must create:
- Tagged VLANs for SSIDs. The AP device uses tagged VLANs to separate wireless traffic from each SSID. You must create a tagged VLAN for each SSID you configure in your wireless network.
- Untagged VLAN for AP device management. The Gateway Wireless Controller on the XTM device discovers and manages all WatchGuard AP devices through a special management connection. You must create a separate, untagged VLAN to use for management connections to your AP devices. The AP device management IP address cannot be an IP address on a tagged VLAN.
If you enable management VLAN tagging in the AP device configuration, the XTM device can use a tagged VLAN for management connections to the AP device. An untagged VLAN is still required for the initial connection to an AP device that has not yet been paired.
Keeping management on its own VLAN matters for security as well as for discovery: the AP web UI and pairing traffic stay off the VLANs that wireless clients use, so whether a wireless client can reach the AP management address is decided by the XTM device policies between those VLANs rather than by being on the same segment.
You can choose from two different methods to set up VLANs, based on where you connect the AP device to your network:
- Connect the AP device directly to an XTM device. To connect your AP device directly to your XTM device, you must set up VLANs on the XTM device interface that the AP device connects to.
a. On your XTM device, create a VLAN for AP device management and VLANs for all wireless SSIDs.
b. Configure the XTM device interface to send and receive tagged traffic for the VLANs for each of your SSIDs, and to send and receive untagged traffic for the AP device management VLAN.
- Connect the AP device to a managed switch. To connect your AP device to a managed switch, you set up VLANs on the managed switch interfaces and on the XTM device interface that the switch connects to.
a. On your XTM device, create a VLAN for AP device management and VLANs for all wireless SSIDs.
b. Configure the XTM device interface to send and receive tagged traffic for the VLANs for each of your SSIDs, and to send and receive untagged traffic for the AP device management VLAN.
c. On the switch, configure the interfaces that connect to the XTM device and to the AP device to send and receive tagged traffic for the VLANs for each of your SSIDs. Configure the same interfaces on the switch to send and receive untagged traffic for the AP device management VLAN.
For more information about when and how to configure VLANs for use with WatchGuard AP devices, see Configure VLANs for WatchGuard AP Devices.
10
Dynamic Routing
About Dynamic Routing
A routing protocol is the language a router speaks with other routers to share information about the status of network routing tables. With static routing, routing tables are set and do not change: if a router on the remote path fails, a packet cannot get to its destination. Dynamic routing updates the route tables automatically as the configuration of a network changes.
To use dynamic routing, the XTM device must be configured in mixed routing mode.
Dynamic Routing Protocols
Fireware XTM supports the RIP v1, RIP v2, and RIPng protocols. Fireware XTM with a Pro upgrade supports the RIP v1, RIP v2, RIPng, OSPF, OSPFv3, and BGP v4 protocols.
- For IPv4 dynamic routing, you must use RIP, OSPF, or BGP.
- For IPv6 dynamic routing, you must use RIPng, OSPFv3, or BGP.
IPv6 dynamic routing protocols and commands are supported in Fireware XTM v11.9 and higher.
For more information about each of the supported routing protocols, see:
- About Routing Information Protocol (RIP and RIPng)
- About Open Shortest Path First (OSPF and OSPFv3) Protocol
- About Border Gateway Protocol (BGP)
Fireware XTM uses the Quagga routing software suite v0.99.18, which supports most routing commands available in more recent versions of Quagga.
Dynamic Routing Policies
When you enable a dynamic routing protocol, Fireware XTM Web UI automatically adds the required dynamic routing policy. The automatically added policies are called:
- DR-RIP-Allow
- DR-RIPng-Allow
- DR-OSPF-Allow
- DR-OSPFv3-Allow
- DR-BGP-Allow
These policies accept routing protocol traffic to the XTM device. Review each one after it is created and restrict it to the interfaces and peers that should be allowed to send routing updates: a peer the policy accepts and the daemon does not authenticate can change the routes the XTM device uses.
Monitor Dynamic Routing
In the Fireware XTM Web UI, select System Status > Routes to see the current static and dynamic routes.
To troubleshoot dynamic routing, you can change the diagnostic log level setting for dynamic routing to generate more log messages about dynamic routing traffic. You do this in the diagnostic log level settings for the Networking category.
For more information about how to set the diagnostic log level, see Set the Diagnostic Log Level.
About Routing Daemon Configuration Files
To use any of the dynamic routing protocols with Fireware XTM, you must supply a dynamic routing configuration file for the routing daemon you choose. This configuration file includes information such as a password and log file name. Because the file can contain authentication keys, treat it as a secret: do not keep it in shared documents or in source control in clear text. To see sample configuration files for each of the routing protocols, see these topics:
- Sample RIP Routing Configuration File
- Sample RIPng Routing Configuration File
- Sample OSPF Routing Configuration File
- Sample OSPFv3 Routing Configuration File
- Sample BGP Routing Configuration File
Notes about configuration files:
- The "!" and "#" characters are put before comments, which are lines of text in configuration files that explain the function of subsequent commands. If the first character of a line is a comment character, the rest of the line is interpreted as a comment.
- You can use the word "no" at the beginning of a line to disable a command. For example, "no network 10.0.0.0/24 area 0.0.0.0" removes the specified network from the OSPF backbone area (area 0.0.0.0).
About Routing Information Protocol (RIP and RIPng)
Routing Information Protocol (RIP) is used to manage router information in a self-contained network, such as a corporate LAN or a private WAN. With RIP, a gateway host sends its routing table to the closest router every 30 seconds. That router then sends the contents of its routing tables to neighboring routers.
RIP is best for small networks, because the transmission of the full routing table every 30 seconds can put a large traffic load on the network, and because RIP paths are limited to 15 hops. OSPF is a better alternative for larger networks.
For IPv4 routing, there are two versions of RIP, RIP v1 and RIP v2. RIP v1 uses a UDP broadcast over port 520 to send updates to routing tables. RIP v2 uses multicast (to 224.0.0.9, also on UDP port 520) to send routing table updates, and adds subnet masks and authentication to the updates.
For information about RIP for IPv4 routing, see:
- RIP Commands
- Configure IPv4 Routing with RIP
- Sample RIP Routing Configuration File
For IPv6 routing, use RIPng (next generation). RIPng uses UDP port 521 to send updates to routing tables. For more information about RIPng for IPv6 routing, see:
- RIPng Commands
- Configure IPv6 Routing with RIPng
- Sample RIPng Routing Configuration File
Configure IPv4 Routing with RIP
1. Select Network > Dynamic Routing.
The Dynamic Routing page appears.
2. Select the Enable Dynamic Routing check box.
3. Select the RIP tab.
4. Select the Enable check box.
5. Copy and paste the text of your routing daemon configuration file in the window.
6. Click Save.
If necessary, Fireware XTM automatically adds the required dynamic routing policy, or enables an existing RIP dynamic routing policy if one exists.
When you enable RIP, the dynamic routing policy called DR-RIP-Allow is automatically created. You can edit this policy to add authentication and restrict the policy to listen on only the correct interfaces. The DR-RIP-Allow policy is configured to allow RIP multicasts to the reserved multicast address for RIP v2, 224.0.0.9.
If you use RIP v1, you must configure the RIP policy to allow RIP broadcasts from the network broadcast IP address to the XTM device. For example, if your external interface IP address is 203.0.113.2/24, the RIP policy must allow traffic from the broadcast address 203.0.113.255 to the XTM device. RIP v1 carries no authentication, so any host on that broadcast domain can send the XTM device routing updates; prefer RIP v2 with MD5 authentication where the peers support it.
After you configure the XTM device and the RIP router, select System Status > Routes and verify that the XTM device has received route updates from the RIP router.
RIP Commands
Fireware XTM uses the Quagga routing software suite v0.99.18, which supports most routing commands available in more recent versions of Quagga.
The subsequent table is a catalog of supported routing commands for RIP v1 and RIP v2 that you can use to create or modify a routing configuration file. If you use RIP v2, you must include the subnet mask with any command that uses a network IP address, or RIP v2 will not operate. The sections must appear in the configuration file in the same order they appear in this table.

Section: Set simple password or MD5 authentication on an interface
  interface eth[N]                              Begin the section that sets the authentication type for an interface
  ip rip authentication string [PASSWORD]       Set the RIP simple (clear text) authentication password
  key chain [KEY-CHAIN]                         Set the MD5 key chain name
  key [INTEGER]                                 Set the MD5 key number
  key-string [AUTH-KEY]                         Set the MD5 authentication key
  ip rip authentication mode md5                Use MD5 authentication
  ip rip authentication key-chain [KEY-CHAIN]   Select the MD5 key chain to use on the interface

Section: Configure interfaces
  ip rip send version [1/2]                     Set RIP to send version 1 or 2
  ip rip receive version [1/2]                  Set RIP to receive version 1 or 2
  no ip rip split-horizon                       Disable split horizon (enabled by default)

Section: Configure the RIP routing daemon
  router rip                                    Enable the RIP daemon
  version [1/2]                                 Set the RIP version to 1 or 2 (default is version 2)

Section: Configure interfaces and networks
  no network eth[N]                             Disable RIP send and receive on the interface
  passive-interface eth[N]                      Set RIP to receive-only on the interface
  passive-interface default                     Set RIP to receive-only on all interfaces
  network [A.B.C.D/M]                           Enable RIP broadcast (version 1) or multicast (version 2) on the network
  neighbor [A.B.C.D]                            Send unicast routing table updates to the neighbor

Section: Distribute routes to RIP peers and inject OSPF or BGP routes into the RIP routing table
  default-information originate                 Share the route of last resort (default route) with RIP peers
  redistribute static                           Redistribute firewall static routes to RIP peers
  redistribute connected                        Redistribute routes from all interfaces to RIP peers
  redistribute connected route-map [MAPNAME]    Redistribute routes from all interfaces to RIP peers, with a route map filter (mapname)
  redistribute ospf                             Redistribute routes from OSPF to RIP
  redistribute ospf route-map [MAPNAME]         Redistribute routes from OSPF to RIP, with a route map filter (mapname)
  redistribute bgp                              Redistribute routes from BGP to RIP
  redistribute bgp route-map [MAPNAME]          Redistribute routes from BGP to RIP, with a route map filter (mapname)

Section: Configure route redistribution filters with route maps and access lists
  access-list [LISTNAME] [PERMIT|DENY] [A.B.C.D/M | ANY]   Create an access list that permits or denies redistribution of one network, or of all networks
  route-map [MAPNAME] permit [N]                Create a route map with the given name and a permit entry with sequence number N
  match ip address [LISTNAME]                   Inside the route map, match routes against the named access list

Simple password authentication sends the password in clear text in every RIP update, so anyone who can see traffic on that segment can read it and inject routes. Use MD5 key chains wherever the peer supports them, and restrict the DR-RIP-Allow policy to the interfaces that actually have RIP neighbors. RIP MD5 authentication is a keyed digest, not encryption: it blocks casual route injection but does not hide the routing information.
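The packet format behind these commands, as an added example that is not part of the Fireware documentation or of Quagga: a small Python decoder for RIPv2 (RFC 2453) and RIPng (RFC 2080) updates that shows what the authentication choices in the table actually put on the wire, and that is reused later for the RIPng section. The function names, the sample routes and the sample keys are constructed for the example. The MD5 trailer check follows the RFC 2082 construction as I understand it (digest over the packet up to the trailer's 4-byte header, followed by the key zero-padded to 16 bytes), which is also how Quagga ripd builds it to my knowledge; verify against a capture from your own peers before relying on it.

```python
"""Decode RIPv2 (RFC 2453, MD5 auth per RFC 2082) and RIPng (RFC 2080) updates.
Added example, not Fireware or Quagga code; sample packets and keys are constructed."""
import hashlib
import hmac
import ipaddress
import struct

AUTH_AFI = 0xFFFF                       # AFI value that marks an authentication entry
AUTH_TRAILER, AUTH_SIMPLE, AUTH_MD5 = 1, 2, 3
INFINITY = 16                           # RIP metric that means "unreachable"


def _key16(key):
    """RIP keys occupy a 16-byte field: truncate or zero-pad."""
    return key.encode()[:16].ljust(16, b"\0")


def build_ripv2_response(routes, auth=None, key_id=1, seq=1):
    """Build a RIPv2 response (command 2). routes: [(prefix, next_hop, metric)].
    auth: None, ("simple", password) or ("md5", key)."""
    pkt = bytes([2, 2, 0, 0])                                   # command, version, zero
    if auth and auth[0] == "simple":
        pkt += struct.pack("!HH", AUTH_AFI, AUTH_SIMPLE) + _key16(auth[1])
    elif auth and auth[0] == "md5":
        trailer_off = 4 + 20 + 20 * len(routes)                 # where the digest entry starts
        pkt += struct.pack("!HHHBBI8x", AUTH_AFI, AUTH_MD5, trailer_off, key_id, 16, seq)
    for prefix, nh, metric in routes:
        net = ipaddress.ip_network(prefix)
        pkt += struct.pack("!HHIIII", 2, 0, int(net.network_address), int(net.netmask),
                           int(ipaddress.ip_address(nh)), metric)
    if auth and auth[0] == "md5":
        pkt += struct.pack("!HH", AUTH_AFI, AUTH_TRAILER)
        # Assumed RFC 2082 construction: MD5 over everything so far, then the padded key.
        pkt += hashlib.md5(pkt + _key16(auth[1])).digest()
    return pkt


def parse_ripv2(data, md5_key=None):
    """Return command, version, auth mode, routes and security findings for one packet."""
    if len(data) < 4 or (len(data) - 4) % 20:
        raise ValueError("not a RIP packet: length %d" % len(data))
    out = {"command": data[0], "version": data[1], "auth": "none", "routes": [], "findings": []}
    for off in range(4, len(data), 20):
        entry = data[off:off + 20]
        afi, second = struct.unpack("!HH", entry[:4])          # route tag, or auth type
        if afi != AUTH_AFI:
            ip, mask, nh, metric = struct.unpack("!IIII", entry[4:])
            addr = ipaddress.ip_address(ip)
            prefix = (str(ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False))
                      if mask else f"{addr} (classful)")         # mask 0 means RIPv1 classful
            out["routes"].append((prefix, str(ipaddress.ip_address(nh)), metric, second))
            if metric >= INFINITY:
                out["findings"].append(f"{prefix} withdrawn (metric {metric})")
        elif second == AUTH_SIMPLE:                             # password is readable as-is
            out["auth"] = "simple"
            pw = entry[4:].rstrip(b"\0").decode("ascii", "replace")
            out["findings"].append(f"cleartext password on the wire: {pw!r}")
        elif second == AUTH_MD5:
            _, key_id, _, seq = struct.unpack("!HBBI", entry[4:12])
            out["auth"] = f"md5 key-id={key_id} seq={seq}"
            if md5_key is not None:
                ok = (struct.unpack("!HH", data[-20:-16]) == (AUTH_AFI, AUTH_TRAILER) and
                      hmac.compare_digest(hashlib.md5(data[:-16] + _key16(md5_key)).digest(),
                                          data[-16:]))
                out["findings"].append("MD5 digest " + ("verified" if ok else "INVALID, drop it"))
        elif second != AUTH_TRAILER:
            out["findings"].append(f"unknown authentication type {second}")
    return out


def build_ripng_response(routes, next_hop=None):
    """Build a RIPng response. routes: [(prefix, metric)]. A next-hop RTE (metric 0xFF)
    applies to the RTEs that follow it."""
    pkt = bytes([2, 1, 0, 0])
    if next_hop:
        pkt += struct.pack("!16sHBB", ipaddress.IPv6Address(next_hop).packed, 0, 0, 0xFF)
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        pkt += struct.pack("!16sHBB", net.network_address.packed, 0, net.prefixlen, metric)
    return pkt


def parse_ripng(data):
    """RIPng has no authentication entry at all: RFC 2080 leaves that to IPsec."""
    if len(data) < 4 or (len(data) - 4) % 20:
        raise ValueError("not a RIPng packet: length %d" % len(data))
    out = {"command": data[0], "version": data[1], "auth": "none (IPsec only)", "routes": []}
    next_hop = "::"                                             # "::" means the sender itself
    for off in range(4, len(data), 20):
        raw, tag, plen, metric = struct.unpack("!16sHBB", data[off:off + 20])
        addr = ipaddress.IPv6Address(raw)
        if metric == 0xFF:
            next_hop = str(addr)
            continue
        out["routes"].append((f"{addr}/{plen}", next_hop, metric, tag))
    return out


def demo():
    """Three RIPv2 variants of the same update, plus one RIPng update (all constructed)."""
    routes = [("172.16.30.0/24", "0.0.0.0", 1), ("10.9.0.0/16", "192.168.253.254", 16)]
    simple = parse_ripv2(build_ripv2_response(routes, ("simple", "SHAREDKEY")))
    good = parse_ripv2(build_ripv2_response(routes, ("md5", "AUTHKEY")), md5_key="AUTHKEY")
    forged = parse_ripv2(build_ripv2_response(routes, ("md5", "guess")), md5_key="AUTHKEY")
    v6 = parse_ripng(build_ripng_response([("2001:db8:30::/48", 1)], next_hop="fe80::1"))
    return simple, good, forged, v6


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run it and the "simple" result reports the SHAREDKEY password verbatim, which is exactly what a sniffer on the segment would see; the "forged" result shows that a sender without the key chain secret is rejected by the digest check, and the RIPng result carries no authentication field to inspect at all.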
Sample RIP Routing Configuration File
To use any of the dynamic routing protocols with Fireware XTM, you must copy and paste a configuration file for the dynamic routing daemon. This topic includes a sample configuration file for the RIP routing daemon. If you want to use this configuration file as a base for your own configuration file, copy the text into an application such as Notepad or WordPad and save it with a new name. You can then edit the parameters to meet the requirements of your organization.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and modify variables as necessary.
!! SECTION 1: Configure MD5 authentication key chains.
! Set the MD5 authentication key chain name (KEYCHAIN), key number (1),
! and authentication key string (AUTHKEY).
! key chain KEYCHAIN
! key 1
! key-string AUTHKEY
!! SECTION 2: Configure interface properties.
! Set authentication for the interface (eth1).
! interface eth1
!
! Set the RIP simple authentication password (SHAREDKEY).
! Simple authentication sends this password in clear text in every update.
! ip rip authentication string SHAREDKEY
!
! Set RIP MD5 authentication and the MD5 key chain (KEYCHAIN).
! ip rip authentication mode md5
! ip rip authentication key-chain KEYCHAIN
!
! Set RIP to send or receive version 1 on this interface; the default is version 2.
! ip rip send version 1
! ip rip receive version 1
!
! Disable split horizon on this interface; the default is enabled.
! Split horizon prevents routing loops, so disable it only when a peer requires it.
! no ip rip split-horizon
!! SECTION 3: Configure global RIP daemon properties.
! Enable the RIP daemon. Required for all RIP configurations.
! router rip
!
! Set the RIP version to 1; the default is version 2.
! version 1
!! SECTION 4: Configure interfaces and networks.
! Disable RIP send and receive on interface (eth0).
! no network eth0
!
! Set RIP to receive-only on interface (eth2).
! passive-interface eth2
!
! Set RIP to receive-only on all interfaces.
! passive-interface default
!
! Enable RIP broadcast (version 1) or multicast (version 2) on
! network (192.168.253.0/24). RIP v2 requires the mask.
! network 192.168.253.0/24
!
! Send unicast routing table updates to neighbor (192.168.253.254).
! neighbor 192.168.253.254
!! SECTION 5: Redistribute RIP routes to peers and inject OSPF or BGP
!! routes into the RIP routing table.
! Share the route of last resort (default route) from the kernel routing table
! with RIP peers.
! default-information originate
!
! Redistribute firewall static routes to RIP peers.
! redistribute static
!
! Set route maps (MAPNAME) to restrict route redistribution in Section 6.
! Redistribute routes from all interfaces to RIP peers, or with a route map
! filter (MAPNAME).
! redistribute connected
! redistribute connected route-map MAPNAME
!
! Redistribute routes from OSPF to RIP, or with a route map filter (MAPNAME).
! redistribute ospf
! redistribute ospf route-map MAPNAME
!
! Redistribute routes from BGP to RIP, or with a route map filter (MAPNAME).
! redistribute bgp
! redistribute bgp route-map MAPNAME
!! SECTION 6: Configure route redistribution filters with route maps and
!! access lists.
! Create an access list that only allows redistribution of 172.16.30.0/24.
! access-list LISTNAME permit 172.16.30.0/24
! access-list LISTNAME deny any
!
! Create a route map with name MAPNAME and a permit entry with sequence number 10.
! route-map MAPNAME permit 10
! match ip address LISTNAME
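A check a practitioner would run before pasting a file into the Dynamic Routing page, added here as an example rather than taken from the Fireware or Quagga documentation: a linter that applies the rules stated in this chapter (the "!" and "#" comment characters, the "no" prefix, the required section order, the mask requirement for RIP v2, and the authentication and redistribution caveats) to a ripd configuration. The function name lint_ripd, the severity labels, and the two sample configurations are constructed for the example.

```python
"""Lint a Quagga ripd configuration before it is pasted into the Dynamic Routing page.
Added example, not Fireware or Quagga code; the two sample configurations are constructed."""
import re

# The catalog order from this chapter; each top-level command opens a section with this rank.
SECTION_RANK = {"key chain": 1, "interface": 2, "router rip": 3,
                "access-list": 4, "route-map": 4}


def lint_ripd(text):
    """Return [(line_no, level, message)]; an empty list means the file passed."""
    issues, rank, context, iface = [], 0, None, None
    version, has_router = 2, False                      # RIP version 2 unless 'version 1'
    keychains, md5_ifaces, chain_refs = set(), set(), {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "!#":                 # '!' and '#' start a comment line
            continue
        opener = next((k for k in SECTION_RANK if line.startswith(k)), None)
        if opener:
            if SECTION_RANK[opener] < rank:
                issues.append((n, "ERROR", f"'{line}' appears after a later section; "
                               "keep the sections in catalog order"))
            rank, context = max(rank, SECTION_RANK[opener]), opener
            if opener == "interface":
                iface = line.split()[1]
            elif opener == "key chain":
                keychains.add(line.split()[2])
            elif opener == "router rip":
                has_router = True
            continue
        negated = line.startswith("no ")                # 'no' disables a command
        words = (line[3:] if negated else line).split()
        if words[0] == "version" and context == "router rip":
            version = int(words[1])
        elif line.startswith("ip rip authentication string"):
            issues.append((n, "WARN", f"{iface}: simple password authentication sends the "
                           "password in clear text; use 'mode md5' with a key chain"))
        elif line.startswith("ip rip authentication mode md5"):
            md5_ifaces.add(iface)
        elif line.startswith("ip rip authentication key-chain"):
            chain_refs[iface] = words[-1]
        elif words[0] == "network":
            if context != "router rip":
                issues.append((n, "ERROR", "'network' belongs under 'router rip'"))
            if not re.fullmatch(r"eth\d+", words[1]) and version == 2 and "/" not in words[1]:
                issues.append((n, "ERROR", f"network {words[1]}: RIP v2 needs the /M mask "
                               "or RIP v2 will not operate"))
        elif words[0] == "redistribute" and "route-map" not in words and not negated:
            issues.append((n, "WARN", f"'{line}' has no route-map filter: every matching "
                           "route is advertised to RIP peers"))
    if not has_router:
        issues.append((0, "ERROR", "'router rip' is missing; the daemon is not enabled"))
    for i in sorted(md5_ifaces - set(chain_refs)):
        issues.append((0, "ERROR", f"{i}: MD5 mode is set but no key chain is selected"))
    for i, chain in chain_refs.items():
        if chain not in keychains:
            issues.append((0, "ERROR", f"{i}: key chain '{chain}' is never defined"))
    return issues


WEAK_CONFIG = """\
! Constructed example: loads, but leaks the password and omits the mask.
interface eth1
 ip rip authentication string SHAREDKEY
router rip
 network 192.168.253.0
 redistribute connected
"""

GOOD_CONFIG = """\
! Constructed example: MD5 key chain, masked network, filtered redistribution.
key chain KEYCHAIN
 key 1
  key-string Xh7q-long-random-secret
interface eth1
 ip rip authentication mode md5
 ip rip authentication key-chain KEYCHAIN
router rip
 version 2
 network 192.168.253.0/24
 redistribute connected route-map MAPNAME
access-list LISTNAME permit 172.16.30.0/24
access-list LISTNAME deny any
route-map MAPNAME permit 10
 match ip address LISTNAME
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(name, lint_ripd(cfg) or "clean")
```

The linter is deliberately strict about the two things the page says will break RIP v2 (section order and a missing mask) and only warns about the choices that work but weaken the deployment; the daemon itself accepts the weak file without complaint, which is why a check before pasting is worth having.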
Configure IPv6 Routing with RIPng
Use RIPng for dynamic routing between IPv6 networks.
1. Select Network > Dynamic Routing.
The Dynamic Routing page appears.
2. Select the Enable Dynamic Routing check box.
3. Select the RIPng tab.
4. Select the Enable check box.
5. Copy and paste the text of your routing daemon configuration file in the window.
6. Click Save.
If necessary, Fireware XTM automatically adds the required dynamic routing policy, or enables an existing dynamic routing policy if one exists.
When you enable RIPng, the dynamic routing policy called DR-RIPng-Allow is automatically created. You can edit this policy to add authentication and restrict the policy to listen on only the correct interfaces. The DR-RIPng-Allow policy is configured to allow RIPng multicasts to the reserved multicast address for RIPng, FF02::9.
After you configure the XTM device and the RIPng router, select System Status > Routes and verify that the XTM device has received route updates from the RIPng router.
RIPng Commands
Fireware XTM uses the Quagga routing software suite v0.99.18, which supports most routing commands available in more recent versions of Quagga.
To create or modify a routing configuration file, you must use the correct routing commands. The subsequent table is a catalog of some of the supported routing commands that you can use in a RIPng configuration. The sections must appear in the configuration file in the same order they appear in this table.
Note that the catalog has no authentication commands: RIPng (RFC 2080) has no authentication of its own and leaves that to IPsec. Restrict the DR-RIPng-Allow policy to the interfaces that have RIPng neighbors, and use the distribute-list commands below to limit which prefixes you accept.
Section: Configure interfaces
  no ipv6 ripng split-horizon
      Disable split-horizon; enabled by default
Section: Configure RIPng routing daemon
  router ripng
      Enable RIPng
Section: Configure interfaces and networks
  network eth[N]
      Enable RIPng on the specified interface
  network [A:B:C:D:E:F:G:H/M]
      Enable RIPng on the specified network
  passive-interface eth[N]
      Set the specified interface to passive mode
Section: Distribute routes to RIPng peers and inject OSPF or BGP routes into the RIPng routing table
  route [A:B:C:D:E:F:G:H/M]
      Enable RIPng static route announcements for the specified IPv6 network
  distribute-list [ACCESS-LIST] (in|out) eth[N]
      Enable RIPng to use the specified access list to filter the RIPng path for the specified interface. The parameter in or out specifies whether the access list applies to incoming or outgoing packets on the specified interface.
  distribute-list prefix [PREFIX-LIST] (in|out) eth[N]
      Enable RIPng to use the specified prefix list to filter the RIPng path. The parameter in or out specifies whether the prefix list applies to incoming or outgoing packets on the specified interface.
  default-information originate
      Share route of last resort (default route) with RIPng peers
  default-metric <METRIC>
      Set the default metric value for redistributed routes. The metric must be an integer from 1 to 16.
  redistribute static
      Redistribute firewall static routes to RIPng peers
  redistribute static route-map [MAPNAME]
      Redistribute static routes, with a route map filter (MAPNAME)
  redistribute connected
      Redistribute routes from all interfaces to RIPng peers
  redistribute connected route-map [MAPNAME]
      Redistribute routes from all interfaces to RIPng peers, with a route map filter (MAPNAME)
  redistribute ospf6
      Redistribute routes from OSPFv3 to RIPng
  redistribute ospf6 route-map [MAPNAME]
      Redistribute routes from OSPFv3 to RIPng, with a route map filter (MAPNAME)
  redistribute bgp
      Redistribute routes from BGP to RIPng
  redistribute bgp route-map [MAPNAME]
      Redistribute routes from BGP to RIPng, with a route map filter (MAPNAME)
Section: Configure route redistribution filters with route maps and access lists
  ipv6 access-list [ACCESS-LIST] [PERMIT|DENY] [A:B:C:D:E:F:G:H/M|ANY]
      Create an access list to allow or deny redistribution of one IPv6 network or of all addresses
  ipv6 prefix-list [PREFIX-LIST] [PERMIT|DENY] [A:B:C:D:E:F:G:H/M|ANY]
      Create a prefix list with a name
  route-map [MAPNAME] permit [N]
      Create a route map with a name and allow with a priority of N
  match interface eth[N]
      Match the specified interface
Sample RIPng Routing Configuration File
To use any of the dynamic routing protocols with Fireware XTM, you must copy and paste a configuration file for the dynamic routing daemon. This topic includes a sample configuration file for the RIPng routing daemon. If you want to use this configuration file as a base for your own configuration file, copy the text into an application such as Notepad or Wordpad and save it with a new name. You can then edit the parameters to meet the requirements of your organization.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and
modify variables as necessary.
!! SECTION 1: Configure global RIPng daemon properties.
!! Enable RIPng daemon. Must be enabled for all RIPng configurations.
! router ripng
!! SECTION 2: Configure interfaces and networks.
! Enable RIPng on interface (eth0).
! network eth0
!
! Enable RIPng on network (2000::/64).
! network 2000::/64
!
! Set RIPng to receive-only on interface (eth2).
! passive-interface eth2
!! SECTION 3: Redistribute RIPng routes to peers and inject OSPFv3 or BGP routes into the
!! RIPng routing table.
!! Share route of last resort (default route) from kernel routing table with RIPng peers.
! default-information originate
!! Redistribute firewall static routes to RIPng peers.
! redistribute static
!! Set route maps (MAPNAME) to restrict route redistribution in Section 4.
! Redistribute routes from all interfaces to RIPng peers, or with a route map filter (MAPNAME).
! redistribute connected
! redistribute connected route-map MAPNAME
!! Redistribute routes from OSPFv3 to RIPng, or with a route map filter (MAPNAME).
! redistribute ospf6
! redistribute ospf6 route-map MAPNAME
!! Redistribute routes from BGP to RIPng, or with a route map filter (MAPNAME).
! redistribute bgp
! redistribute bgp route-map MAPNAME
!! SECTION 4: Configure route redistribution filters with route maps and access lists.
!! Filter networks in incoming routing updates.
! distribute-list LISTNAME in
!! Create an ipv6 access list to only allow network 3000::/64.
! ipv6 access-list LISTNAME permit 3000::/64
! ipv6 access-list LISTNAME deny any
!! Create a route map with name MAPNAME and allow with a priority of 10.
! route-map MAPNAME permit 10
! match interface eth1
About Open Shortest Path First (OSPF and OSPFv3) Protocol
Support for this protocol is available only on Fireware XTM with a Pro upgrade.
OSPF (Open Shortest Path First) is an interior routing protocol used in larger networks. With OSPF, a router that sees a change to its routing table or that detects a change in the network immediately sends a multicast update to all other routers in the network. OSPF is different from RIP because:
- OSPF sends only the part of the routing table that has changed in its transmission. RIP sends the full routing table each time.
- OSPF sends a multicast only when its information has changed. RIP sends the routing table every 30 seconds.
Also, note the following about OSPF:
- If you have more than one OSPF area, one area must be area 0.0.0.0 (the backbone area).
- All areas must be adjacent to the backbone area. If they are not, you must configure a virtual link to the backbone area.
Fireware XTM supports OSPFv2 for IPv4 dynamic routing, and OSPFv3 for IPv6 dynamic routing.
For more information about IPv4 routing with OSPFv2, see:
- Configure IPv4 Routing with OSPF
- OSPF Commands
- Sample OSPF Routing Configuration File
For more information about IPv6 routing with OSPFv3, see:
- Configure IPv6 Routing with OSPFv3
- OSPFv3 Commands
- Sample OSPFv3 Routing Configuration File
Configure IPv4 Routing with OSPF
1. Select Network > Dynamic Routing.
The Dynamic Routing page appears.
2. Select the Enable Dynamic Routing check box.
3. Select the OSPF tab.
4. Select the Enable check box.
5. Copy and paste your routing daemon configuration file in the text box.
For more information, see About Routing Daemon Configuration Files on page 420.
To get started, you must have only two commands in your OSPF configuration file. These two commands, in this order, start the OSPF process:
router ospf
network <network IP address of the interface you want the process to listen on and distribute through the protocol> area <area ID in x.x.x.x format, such as 0.0.0.0>
If you enable OSPF for a FireCluster, you must set the router-id in the OSPF configuration to the interface IP address used by the cluster. This makes sure that the routing protocol does not try to use the FireCluster management IP address as the router-id. Do not use the FireCluster management IP address or cluster IP address as the router-id. To set the router-id, use the command ospf router-id <ip-address> in your OSPF configuration.
6. Click Save.
If necessary, Fireware XTM automatically adds the required dynamic routing policy or enables an existing OSPF dynamic routing policy.
For OSPF, the automatically created dynamic routing policy is called DR-OSPF-Allow. You can edit this policy to add authentication and restrict the policy to listen on only the correct interfaces. The DR-OSPF-Allow policy is configured to allow OSPF multicasts to the reserved multicast addresses for OSPF.
After you configure the XTM device and the OSPF router, select System Status > Routes and verify that the XTM device has received route updates from the OSPF router.
OSPF Commands
To create or modify a routing configuration file, you must use the correct routing commands. The
subsequent table is a catalog of supported routing commands for OSPF. The sections must appear in
the configuration file in the same order they appear in this table. You can also use the sample text
found in the Sample OSPF Routing Configuration File on page 439.
Section: Configure Interface
  interface eth[N]
      Begin section to set properties for interface
  ip ospf authentication-key [PASSWORD]
      Set OSPF authentication password
  ip ospf message-digest-key [KEY-ID] md5 [KEY]
      Set MD5 authentication key ID and key
  ip ospf cost [1-65535]
      Set link cost for the interface (see the OSPF Interface Cost Table below)
  ip ospf hello-interval [1-65535]
      Set interval to send hello packets; default is 10 seconds
  ip ospf dead-interval [1-65535]
      Set interval after last hello from a neighbor before declaring it down; default is 40 seconds
  ip ospf retransmit-interval [1-65535]
      Set interval between link-state advertisement (LSA) retransmissions; default is 5 seconds
  ip ospf transmit-delay [1-3600]
      Set time required to send LSA update; default is 1 second
  ip ospf priority [0-255]
      Set router priority; a high value increases eligibility to become the designated router (DR)
Section: Configure OSPF Routing Daemon
  router ospf
      Enable OSPF daemon
  ospf router-id [A.B.C.D]
      Set router ID for OSPF manually; router determines its own ID if not set
  ospf rfc1583compatibility
      Enable RFC 1583 compatibility (can lead to route loops)
  ospf abr-type [cisco|ibm|shortcut|standard]
      Set the area border router (ABR) type; more information about this command is in draft-ietf-ospf-abr-alt-05.txt
  passive-interface eth[N]
      Disable OSPF announcement on interface eth[N]
  auto-cost reference-bandwidth [0-429495]
      Set global cost (see the OSPF Interface Cost Table below); do not use with the "ip ospf cost" command
  timers spf [0-4294967295] [0-4294967295]
      Set OSPF schedule delay and hold time
Section: Enable OSPF on a Network
  The "area" variable can be typed in two formats: [W.X.Y.Z]; or as an integer [Z].
  network [A.B.C.D/M] area [Z]
      Announce OSPF on network A.B.C.D/M for area 0.0.0.Z
Section: Configure Properties for Backbone Area or Other Areas
  The "area" variable can be typed in two formats: [W.X.Y.Z]; or as an integer [Z].
  area [Z] range [A.B.C.D/M]
      Create area 0.0.0.Z and set a classful network for the area (range and interface network and mask setting should match)
  area [Z] virtual-link [W.X.Y.Z]
      Set virtual link neighbor for area 0.0.0.Z
  area [Z] stub
      Set area 0.0.0.Z as a stub
  area [Z] stub no-summary
      Set area 0.0.0.Z as a stub that also receives no inter-area summary routes
  area [Z] authentication
      Enable simple password authentication for area 0.0.0.Z
  area [Z] authentication message-digest
      Enable MD5 authentication for area 0.0.0.Z
Section: Redistribute OSPF Routes
  default-information originate
      Share route of last resort (default route) with OSPF
  default-information originate metric [0-16777214]
      Share route of last resort (default route) with OSPF, and add a metric used to generate the default route
  default-information originate always
      Always share the route of last resort (default route)
  default-information originate always metric [0-16777214]
      Always share the route of last resort (default route), and add a metric used to generate the default route
  redistribute static
      Redistribute firewall static routes to OSPF
  redistribute connected
      Redistribute routes from all interfaces to OSPF
  redistribute connected metric [0-16777214]
      Redistribute routes from all interfaces to OSPF, with a metric used for the action
Section: Configure Route Redistribution with Access Lists and Route Maps
  access-list [LISTNAME] permit [A.B.C.D/M]
      Create an access list to allow distribution of A.B.C.D/M
  access-list [LISTNAME] deny any
      Restrict distribution of any route not specified above
  route-map [MAPNAME] permit [N]
      Create a route map with name [MAPNAME] and allow with a priority of [N]
  match ip address [LISTNAME]
      Match the specified access list
Sample OSPF Routing Configuration File
To use any of the dynamic routing protocols with Fireware XTM, you must copy and paste a
configuration file for the dynamic routing daemon. This topic includes a sample configuration file for the
OSPF routing daemon. To use this configuration file as a base for your own configuration file, copy the
text into a new text file and save it with a new name. You can then edit the parameters to meet the
requirements of your organization.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and
modify variables as necessary.
!! SECTION 1: Configure interface properties.
! Set properties for interface eth1.
! interface eth1
!
! Set simple authentication password (SHAREDKEY).
! ip ospf authentication-key SHAREDKEY
!
! Set MD5 authentication key ID (10) and MD5 authentication key (AUTHKEY).
! ip ospf message-digest-key 10 md5 AUTHKEY
!
! Set link cost to 1000 (1-65535) on interface eth1. See the OSPF Interface Cost Table
! for OSPF link cost values.
! ip ospf cost 1000
!
! Set hello interval to 5 seconds (1-65535); default is 10 seconds.
! ip ospf hello-interval 5
!
! Set dead-interval to 15 seconds (1-65535); default is 40 seconds.
! ip ospf dead-interval 15
!
! Set interval between link-state advertisements (LSA) retransmissions
! to 10 seconds (1-65535); default is 5 seconds.
! ip ospf retransmit-interval 10
!
! Set LSA update interval to 3 seconds (1-3600); default is 1 second.
! ip ospf transmit-delay 3
!
! Set high priority (0-255) to increase eligibility to become the
! designated router (DR).
! ip ospf priority 255
!! SECTION 2: Start OSPF and set daemon properties.
! Enable OSPF daemon. Must be enabled for all OSPF configurations.
! router ospf
!
! Set the router ID manually to 203.0.113.20. If not set, the firewall will
! set its own ID based on an interface IP address.
! ospf router-id 203.0.113.20
!
! Enable RFC 1583 compatibility (increases probability of routing loops).
! ospf rfc1583compatibility
!
! Set area border router (ABR) type to cisco, ibm, shortcut, or standard.
! More information about ABR types is in draft-ietf-ospf-abr-alt-05.txt.
! ospf abr-type cisco
!
! Disable OSPF announcement on interface eth0.
! passive-interface eth0
!
! Set global cost to 1000 (0-429495). Do not combine with "ip ospf cost".
! auto-cost reference-bandwidth 1000
!
! Set SPF schedule delay to 25 (0-4294967295) seconds and hold time to
! 20 (0-4294967295) seconds; default is 5 and 10 seconds.
! timers spf 25 20
!! SECTION 3: Set network and area properties. Set areas with W.X.Y.Z
!! or Z notation.
! Announce OSPF on network 192.168.253.0/24 network for area 0.0.0.0.
! network 192.168.253.0/24 area 0.0.0.0
!
! Create area 0.0.0.1 and set a classful network range (172.16.254.0/24)
! for the area (range and interface network settings must match).
! area 0.0.0.1 range 172.16.254.0/24
!
! Set virtual link neighbor (172.16.254.1) for area 0.0.0.1.
! area 0.0.0.1 virtual-link 172.16.254.1
!
! Set area 0.0.0.1 as a stub on all routers in area 0.0.0.1.
! area 0.0.0.1 stub
!
! area 0.0.0.2 stub no-summary
!
! Enable simple password authentication for area 0.0.0.0.
! area 0.0.0.0 authentication
!
! Enable MD5 authentication for area 0.0.0.1.
! area 0.0.0.1 authentication message-digest
!! SECTION 4: Redistribute OSPF routes
! Share route of last resort (default route) from kernel routing table
! with OSPF peers.
! default-information originate
!
! Redistribute static routes to OSPF.
! redistribute static
!
! Redistribute routes from all interfaces to OSPF.
! redistribute connected
! redistribute connected route-map MAPNAME
!! Redistribute routes from RIP and BGP to OSPF.
! redistribute rip
! redistribute bgp
!! SECTION 5: Configure route redistribution filters with access lists
!! and route maps.
! Create an access list to only allow redistribution of 10.0.2.0/24.
! access-list LISTNAME permit 10.0.2.0/24
! access-list LISTNAME deny any
!
! Create a route map with name MAPNAME and allow with a
! priority of 10 (1-199).
! route-map MAPNAME permit 10
! match ip address LISTNAME
Configure IPv6 Routing with OSPFv3
Use OSPFv3 to configure dynamic routing for IPv6.
The OSPFv3 area and access-list commands are not supported.
1. Select Network > Dynamic Routing.
The Dynamic Routing page appears.
2. Select the Enable Dynamic Routing check box.
3. Select the OSPFv3 tab.
4. Select the Enable check box.
5. Copy and paste your routing daemon configuration file in the text box.
For more information, see About Routing Daemon Configuration Files on page 420.
6. Click Save.
If necessary, Fireware XTM automatically adds the required dynamic routing policy or enables an existing OSPFv3 dynamic routing policy.
For OSPFv3, the automatically created dynamic routing policy is called DR-OSPFv3-Allow. You can edit this policy to add authentication and restrict the policy to listen on only the correct interfaces. The DR-OSPFv3-Allow policy is configured to allow OSPFv3 multicasts to the reserved multicast addresses for OSPFv3, FF02::5 and FF02::6.
After you configure the XTM device and the OSPFv3 router, select System Status > Routes and verify that the XTM device has received route updates from the OSPFv3 router.
OSPFv3 Commands
Fireware XTM uses the Quagga routing software suite v0.99.18, which supports most routing commands available in more recent versions of Quagga.
To create or modify a routing configuration file, you must use the correct routing commands. The table below lists some supported routing commands for OSPFv3. The sections must appear in the configuration file in the same order they appear in this table. You can also use the sample text found in the Sample OSPFv3 Routing Configuration File.
The OSPFv3 area and access-list commands are not supported.
Section: Configure Interface Properties
  interface eth[N]
      Begin section to set properties for interface
  ipv6 ospf6 cost [1-65535]
      Set link cost for the interface (see the OSPF Interface Cost Table below)
  ipv6 ospf6 hello-interval [1-65535]
      Set interval to send hello packets; default is 10 seconds
  ipv6 ospf6 dead-interval [1-65535]
      Set interval after last hello from a neighbor before declaring it down; default is 40 seconds
  ipv6 ospf6 retransmit-interval [1-65535]
      Set interval between link-state advertisement (LSA) retransmissions; default is 5 seconds
  ipv6 ospf6 transmit-delay [1-3600]
      Set time required to send LSA update; default is 1 second
  ipv6 ospf6 priority [0-255]
      Set router priority; a high value increases eligibility to become the designated router (DR)
  ipv6 ospf6 passive
      Disable OSPFv3 announcement for the interface
Section: Configure OSPFv3 Routing Daemon
  router ospf6
      Enable OSPFv3 daemon
  router-id [A.B.C.D]
      Set router ID for OSPFv3 manually; router determines its own ID if not set
Section: Set OSPFv3 Network and Area Properties
  The "area" variable can be typed in two formats: [W.X.Y.Z]; or as an integer [Z].
  interface eth[N] area [W.X.Y.Z]
      Bind interface to area and send OSPFv3 packets
Section: Redistribute OSPFv3 Routes
  default-information originate
      Share route of last resort (default route) with OSPFv3
  default-information originate metric [0-16777214]
      Share route of last resort (default route) with OSPFv3, and add a metric used to generate the default route
  default-information originate always
      Always share the route of last resort (default route)
  default-information originate always metric [0-16777214]
      Always share the route of last resort (default route), and add a metric used to generate the default route
  redistribute static
      Redistribute firewall static routes to OSPFv3
  redistribute connected
      Redistribute routes from all interfaces to OSPFv3
  redistribute connected route-map [MAPNAME]
      Redistribute routes from all interfaces to OSPFv3, with a route map filter (MAPNAME)
Section: Configure Route Redistribution with Prefix Lists and Route Maps
  ipv6 prefix-list [LISTNAME] [PERMIT|DENY] [A:B:C:D:E:F:G:H/M|ANY]
      Create a prefix list to allow or deny route redistribution
  route-map [MAPNAME] permit [N]
      Create a route map with name [MAPNAME] and allow with a priority of [N]
  match ipv6 address prefix-list [LISTNAME]
      Match the specified prefix list
Sample OSPFv3 Routing Configuration File
To use any of the dynamic routing protocols with Fireware XTM, you must copy and paste a
configuration file for the dynamic routing daemon. This topic includes a sample configuration file for the
OSPFv3 routing daemon. To use this configuration file as a base for your own configuration file, copy
the text into a new text file and save it with a new name. You can then edit the parameters to meet the
requirements of your organization.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and
modify variables as necessary.
!! SECTION 1: Configure interface properties.
! Set properties for interface eth1.
! interface eth1
!
! Set link cost to 1000 (1-65535) on interface eth1.
! ipv6 ospf6 cost 1000
!
! Set hello interval to 5 seconds (1-65535); default is 10 seconds.
! ipv6 ospf6 hello-interval 5
!
! Set dead-interval to 15 seconds (1-65535); default is 40 seconds.
! ipv6 ospf6 dead-interval 15
!
! Set interval between link-state advertisements (LSA) retransmissions to 10
! seconds (1-65535); default is 5 seconds.
! ipv6 ospf6 retransmit-interval 10
!
! Set LSA update interval to 3 seconds (1-3600); default is 1 second.
! ipv6 ospf6 transmit-delay 3
!
! Set high priority (0-255) to increase eligibility to become the designated
! router (DR).
! ipv6 ospf6 priority 255
!
! Disable OSPFv3 announcement on this interface (eth1).
! ipv6 ospf6 passive
!! SECTION 2: Start OSPFv3 and set daemon properties.
! Enable OSPFv3 daemon. Must be enabled for all OSPFv3 configurations.
! router ospf6
!
! Set the router ID manually to 100.100.100.20. If not set, the firewall will set
! its own ID based on an interface IP address.
! router-id 100.100.100.20
!! SECTION 3: Set network and area properties. Set areas with W.X.Y.Z or Z
!! notation.
! Bind interface eth1 to area 0.0.0.0 and send OSPFv3 packets.
! interface eth1 area 0.0.0.0
!
! Redistribute static routes to OSPFv3.
! redistribute static
!
! Redistribute routes from all interfaces to OSPFv3.
! redistribute connected
! redistribute connected route-map MAPNAME
!! Redistribute routes from RIPng and BGP to OSPFv3.
! redistribute ripng
! redistribute bgp
!! SECTION 4: Configure route redistribution filters with prefix-list route maps.
! Create an IPv6 prefix-list to only allow redistribution of 3000::/64.
! ipv6 prefix-list LISTNAME permit 3000::/64
! ipv6 prefix-list LISTNAME deny any
!
! Create a route map with name MAPNAME and allow with a priority of 10 (1-199).
! route-map MAPNAME permit 10
! match ipv6 address prefix-list LISTNAME
OSPF Interface Cost Table
The OSPF protocol finds the most efficient route between two points. To do this, it looks at factors such as interface link speed, the number of hops between points, and other metrics. By default, OSPF uses the actual link speed of a device to calculate the total cost of a route. You can set the interface cost manually to help maximize efficiency if, for example, your gigabit firewall is connected to a 100M router. Use the numbers in this table to manually set the interface cost to a value different from the actual interface cost.
Interface Type   Bandwidth in bits/second   Bandwidth in bytes/second   OSPF Interface Cost
Ethernet         1G                         128M                        1
Ethernet         100M                       12.5M                       10
Ethernet         10M                        1.25M                       100
Modem            2M                         256K                        500
Modem            1M                         128K                        1000
Modem            500K                       62.5K                       2000
Modem            250K                       31.25K                      4000
Modem            125K                       15625                       8000
Modem            62500                      7812                        16000
Serial           115200                     14400                       10850
Serial           57600                      7200                        21700
Serial           38400                      4800                        32550
Serial           19200                      2400                        61120
Serial           9600                       1200                        65535
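The formula behind this table, as an added example that is not WatchGuard's code: it assumes the table's implied reference bandwidth of 1 Gbit/s (cost = reference / bandwidth, rounded up and clamped to the 1-65535 range that ip ospf cost accepts), reproduces the Ethernet and modem rows, and refuses to emit ip ospf cost lines when a configuration already sets auto-cost reference-bandwidth, which the OSPF Commands table says not to combine. The serial rows of the table do not follow this formula, and the interface names and bandwidths below are constructed.

```python
"""Derive 'ip ospf cost' values from link bandwidth, as the OSPF Interface Cost
Table does. Added example, not WatchGuard code. Assumes the table's implied
reference bandwidth of 1 Gbit/s; reproduces the Ethernet and modem rows only."""
import math

REFERENCE_BPS = 1_000_000_000  # 1 Gbit/s Ethernet has cost 1 in the table
MAX_COST = 65535               # upper bound accepted by 'ip ospf cost [1-65535]'


def ospf_cost(bandwidth_bps, reference_bps=REFERENCE_BPS):
    """Interface cost for a link of `bandwidth_bps` bits per second."""
    if bandwidth_bps <= 0:
        raise ValueError("bandwidth must be a positive number of bits/second")
    cost = math.ceil(reference_bps / bandwidth_bps)
    # Clamp into the range the command accepts; slow serial links hit the ceiling.
    return max(1, min(cost, MAX_COST))


def interface_cost_config(links, existing_config=""):
    """Render 'interface ethN' / 'ip ospf cost' stanzas for {interface: bandwidth_bps}.

    Refuses when the active (non-comment) configuration already sets a global
    reference bandwidth, because the guide says not to combine the two settings."""
    for raw in existing_config.splitlines():
        line = raw.strip()
        if line.startswith("auto-cost reference-bandwidth"):
            raise ValueError("config already uses auto-cost reference-bandwidth; "
                             "do not also set ip ospf cost")
    stanzas = [f"interface {name}\n ip ospf cost {ospf_cost(bps)}"
               for name, bps in sorted(links.items())]
    return "\n".join(stanzas) + "\n"


# Constructed example: a gigabit firewall interface and one facing a 100 Mbit/s router.
LINKS = {"eth0": 1_000_000_000, "eth1": 100_000_000}

if __name__ == "__main__":
    print(interface_cost_config(LINKS), end="")
```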
About Border Gateway Protocol (BGP)
Support for this protocol is available only in Fireware XTM with a Pro upgrade.
Border Gateway Protocol (BGP) is a scalable dynamic routing protocol used on the Internet by groups of routers to share routing information. BGP uses route parameters or attributes to define routing policies and create a stable routing environment. This protocol allows you to advertise more than one path to and from the Internet to your network and resources, which gives you redundant paths and can increase your uptime.
Hosts that use BGP use TCP to send updated routing table information when one host finds a change. The host sends only the part of the routing table that has the change. BGP uses classless interdomain routing (CIDR) to reduce the size of the Internet routing tables. The size of the BGP routing table in Fireware XTM is set at 32K.
The size of the typical WatchGuard customer wide area network (WAN) is best suited for OSPF dynamic routing. A WAN can also use external border gateway protocol (EBGP) when more than one gateway to the Internet is available. EBGP allows you to take full advantage of the redundancy possible with a multi-homed network.
To participate in BGP with an ISP you must have a public autonomous system number (ASN). You must get an ASN from one of the regional registries in the table below. After you are assigned your own ASN, you must contact each ISP to get their ASNs and other necessary information.
Region          Registry Name   Web Site
North America   ARIN            www.arin.net
Europe          RIPE NCC        www.ripe.net
Asia Pacific    APNIC           www.apnic.net
Latin America   LACNIC          www.lacnic.net
Africa          AfriNIC         www.afrinic.net
Configure IPv4 and IPv6 Routing with BGP
To participate in BGP with an ISP you must have a public autonomous system number (ASN). For more information, see About Border Gateway Protocol (BGP) on page 448. You can configure BGP to do dynamic routing for both IPv4 and IPv6 networks.
1. Select Network > Dynamic Routing.
The Dynamic Routing page appears.
2. Select the Enable Dynamic Routing check box.
3. Select the BGP tab.
4. Select the Enable check box.
5. Copy and paste your routing daemon configuration file in the text box.
For more information, see About Routing Daemon Configuration Files on page 420.
To get started, you need only three commands in your BGP configuration file. These three commands start the BGP process, set up a peer relationship with the ISP, and create a route for a network to the Internet. You must use the commands in this order.
router bgp <BGP autonomous system number supplied by your ISP>
network <network IP address that you want to advertise a route to from the Internet>
neighbor <IP address of neighboring BGP router> remote-as <BGP autonomous system number>
If you enable BGP for a FireCluster, you must set the router-id in the BGP configuration to the IP address of the XTM device interface that connects to the router. This makes sure that the routing protocol does not try to use the FireCluster management IP address as the router-id. Do not use the FireCluster management IP address or cluster IP address as the router-id. To set the router-id, use the command bgp router-id <ip-address> in your BGP configuration, where ip-address is the IP address of the XTM device interface that connects to the router.
6. Click Save.
If necessary, Fireware XTM automatically adds the required dynamic routing policy or enables an existing BGP dynamic routing policy.
For BGP, the automatically created dynamic routing policy is called DR-BGP-Allow. You can edit this policy to add authentication and restrict the policy to listen on only the correct interfaces.
After you configure the XTM device and the BGP router, select System Status > Routes and verify that the XTM device has received route updates from the BGP router.
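A pre-paste check of the start-up rules stated above for BGP (three required commands, in order) and in Configure IPv4 Routing with OSPF (two required commands, in order), plus the FireCluster router-id restriction both procedures state, written here as an added example and not as WatchGuard's code. The cluster addresses and configuration text inside it are constructed, and the per-neighbor maximum-prefix warning is an extra hardening check that uses the command from the BGP Commands table.

```python
"""Lint a Fireware XTM routing-daemon configuration before it is pasted into
the Dynamic Routing page. Added example, not WatchGuard code. Encodes:
  OSPF: "router ospf" precedes "network A.B.C.D/M area Z"; on a FireCluster,
        "ospf router-id" is set and is not the management or cluster IP.
  BGP:  "router bgp ASN", "network", "neighbor X remote-as Y" in that order;
        the same router-id rule applies to "bgp router-id".
Lines that start with "!" are comments, as in the guide's sample files."""
import ipaddress
import re


def active_lines(config):
    """Return (line_no, text) for each line that is neither blank nor a '!' comment."""
    out = []
    for n, raw in enumerate(config.splitlines(), 1):
        text = raw.strip()
        if text and not text.startswith("!"):
            out.append((n, text))
    return out


def first_match(lines, pattern):
    """Index into `lines` of the first entry matching `pattern`, else None."""
    rx = re.compile(pattern)
    for i, (_, text) in enumerate(lines):
        if rx.match(text):
            return i
    return None


def check_order(lines, ordered, findings):
    """Report required commands that are missing or out of the required order."""
    last = -1
    for label, pattern in ordered:
        idx = first_match(lines, pattern)
        if idx is None:
            findings.append(f"missing required command: {label}")
            continue
        if idx < last:
            findings.append(f"line {lines[idx][0]}: {label} must come after "
                            "the preceding required command")
        last = max(last, idx)


def check_router_id(lines, keyword, cluster_ips, findings):
    """FireCluster rule: router-id set, a valid IP, and not a cluster or management IP."""
    idx = first_match(lines, rf"^{re.escape(keyword)} \S+$")
    if idx is None:
        findings.append(f"FireCluster: '{keyword}' must be set to the interface IP "
                        "used by the cluster")
        return
    rid = lines[idx][1].split()[-1]
    try:
        addr = ipaddress.ip_address(rid)
    except ValueError:
        findings.append(f"line {lines[idx][0]}: '{rid}' is not an IP address")
        return
    if addr in {ipaddress.ip_address(ip) for ip in cluster_ips}:
        findings.append(f"line {lines[idx][0]}: router-id {rid} is a FireCluster "
                        "management or cluster IP")


def lint_ospf(config, cluster_ips=()):
    """Return a list of findings; an empty list means the OSPF config passes."""
    lines, findings = active_lines(config), []
    check_order(lines, [
        ("router ospf", r"^router ospf$"),
        ("network A.B.C.D/M area Z", r"^network \S+/\d+ area \S+$"),
    ], findings)
    if cluster_ips:
        check_router_id(lines, "ospf router-id", cluster_ips, findings)
    return findings


def lint_bgp(config, cluster_ips=()):
    """Return a list of findings; an empty list means the BGP config passes."""
    lines, findings = active_lines(config), []
    check_order(lines, [
        ("router bgp ASN", r"^router bgp \d+$"),
        ("network A.B.C.D/M", r"^network \S+/\d+$"),
        ("neighbor X remote-as ASN", r"^neighbor \S+ remote-as \d+$"),
    ], findings)
    if cluster_ips:
        check_router_id(lines, "bgp router-id", cluster_ips, findings)
    # Hardening check: every peer should carry the guide's maximum-prefix limit.
    for n, text in lines:
        m = re.match(r"^neighbor (\S+) remote-as \d+$", text)
        if m and first_match(lines, rf"^neighbor {re.escape(m.group(1))} "
                                    r"maximum-prefix \d+$") is None:
            findings.append(f"line {n}: neighbor {m.group(1)} has no maximum-prefix limit")
    return findings


# Constructed samples using RFC 5737 documentation addresses; not from the guide.
CLUSTER_IPS = ("192.0.2.250", "192.0.2.251")  # hypothetical management and cluster IPs
OSPF_OK = "router ospf\nospf router-id 192.0.2.20\nnetwork 192.0.2.0/24 area 0.0.0.0\n"
OSPF_BAD = "network 192.0.2.0/24 area 0\n! router ospf\nospf router-id 192.0.2.250\n"
BGP_OK = ("router bgp 64512\nbgp router-id 192.0.2.20\nnetwork 192.0.2.0/24\n"
          "neighbor 203.0.113.1 remote-as 64513\n"
          "neighbor 203.0.113.1 maximum-prefix 100\n")

if __name__ == "__main__":
    for name, result in [("OSPF_OK", lint_ospf(OSPF_OK, CLUSTER_IPS)),
                         ("OSPF_BAD", lint_ospf(OSPF_BAD, CLUSTER_IPS)),
                         ("BGP_OK", lint_bgp(BGP_OK, CLUSTER_IPS))]:
        print(name, "passes" if not result else result)
```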
BGP Commands
Fireware XTM uses the Quagga routing software suite v0.99.18, which supports most routing commands available in more recent versions of Quagga.
To create or modify a routing configuration file, you must use the correct routing commands. The table below lists some of the supported BGP routing commands. The sections must appear in the configuration file in the same order they appear in this table.
Do not use BGP configuration parameters that you do not get from your ISP.
Section: Configure BGP Routing Daemon
  router bgp [ASN]
      Enable BGP daemon and set the autonomous system number (ASN); this is supplied by your ISP.
  bgp router-id [A.B.C.D]
      Configure the router ID.
  network [A.B.C.D/M]
      Announce BGP on network A.B.C.D/M; identifies the subnet to advertise.
  no network [A.B.C.D/M]
      Disable BGP announcements on network A.B.C.D/M.
  ipv6 bgp network [A:B:C:D:E:F:G:H/M]
      Announce BGP on the IPv6 network.
  ipv6 bgp aggregate-prefix [A:B:C:D:E:F:G:H/M]
      Configure BGP aggregate entries.
  timers bgp [keepalive] [holdtime]
      Set the BGP keepalive time and the hold down time, in seconds. The default keepalive time is 60 seconds, and the default holdtime is 180 seconds. As a general rule, the holdtime should be three times the keepalive time.
Section: Set Neighbor Properties
  neighbor [A.B.C.D|A:B:C:D:E:F:G:H] remote-as [ASN]
      Set neighbor as a member of remote ASN.
  neighbor [A.B.C.D|A:B:C:D:E:F:G:H] ebgp-multihop
      Set neighbor on another network using EBGP multi-hop.
  neighbor [A.B.C.D|A:B:C:D:E:F:G:H] version [4|4-]
      Set BGP version (4, 4-) for communication with neighbor; default is 4.
  neighbor [A.B.C.D|A:B:C:D:E:F:G:H] update-source [WORD]
      Set the BGP session to use a specific interface for TCP connections.
  neighbor [A.B.C.D|A:B:C:D:E:F:G:H] default-originate
      Announce default route to the BGP neighbor.
  neighbor [A.B.C.D|A:B:C:D:E:F:G:H] port 189
      Set custom TCP port to communicate with the BGP neighbor.
  neighbor [A.B.C.D|A:B:C:D:E:F:G:H] send-community
      Set peer send-community.
  neighbor [A.B.C.D|A:B:C:D:E:F:G:H] weight 1000
      Set a default weight for the neighbor's routes.
  neighbor [A.B.C.D|A:B:C:D:E:F:G:H] maximum-prefix [NUMBER]
      Set maximum number of prefixes allowed from this neighbor.
  neighbor [A.B.C.D|A:B:C:D:E:F:G:H] timers connect [time]
      Set the BGP connection timer, in seconds.
Section: Set IPv6 Address Family Command Mode
  address-family ipv6
      Enter the IPv6 address family command mode.
  neighbor [A:B:C:D:E:F:G:H] activate
      The neighbor activate command must be used in the address-family ipv6 mode.
  network [A:B:C:D:E:F:G:H/M]
      This network statement can replace the ipv6 bgp network [A:B:C:D:E:F:G:H/M] command. It works only within the address-family ipv6 mode.
  exit-address-family
      Exit the IPv6 address family command mode.
Section: Community Lists
  ip community-list [<1-99>|<100-199>] permit AA:NN
      Specify a community to accept: autonomous system number and network number separated by a colon.
Section: Peer Filtering
  neighbor [A.B.C.D|A:B:C:D:E:F:G:H] distribute-list [LISTNAME] [IN|OUT]
      Set distribute list and direction for peer.
  neighbor [A.B.C.D|A:B:C:D:E:F:G:H] prefix-list [LISTNAME] [IN|OUT]
      Apply a prefix list to be matched to incoming advertisements from, or outgoing advertisements to, that neighbor.
  neighbor [A.B.C.D|A:B:C:D:E:F:G:H] filter-list [LISTNAME] [IN|OUT]
      Match an autonomous system path access list to incoming or outgoing routes.
  neighbor [A.B.C.D|A:B:C:D:E:F:G:H] route-map [MAPNAME] [IN|OUT]
      Apply a route map to incoming or outgoing routes.
Section: Redistribute Routes to BGP
  redistribute static
      Redistribute static routes to BGP
  redistribute ripng
      Redistribute RIPng routes to BGP
  redistribute ospf6
      Redistribute OSPFv3 routes to BGP
Section: Route Reflection
  bgp cluster-id A.B.C.D
      Configure the cluster ID if the BGP cluster has more than one route reflector.
  neighbor [W.X.Y.Z|A:B:C:D:E:F:G:H] route-reflector-client
      Configure the router as a BGP route reflector and configure the specified neighbor as its client.
Section: Access Lists and IP Prefix Lists
  ip prefix-list [PRELIST] permit A.B.C.D/E
      Set IPv4 prefix list
  ipv6 prefix-list [PRELIST] [deny|permit] [A:B:C:D:E:F:G:H/M|Any]
      Set IPv6 prefix list
  access-list NAME [deny|permit] A.B.C.D/E
      Set IPv4 access list
  ipv6 access-list [NAME] [deny|permit] [A:B:C:D:E:F:G:H/M|Any]
      Set IPv6 access list
  route-map [MAPNAME] [deny|permit] [N]
      In conjunction with the "match" and "set" commands, this defines the conditions and actions for redistributing routes
  match ip address prefix-list [LISTNAME]
      Match the specified prefix list
  set community [A:B]
      Set the BGP community attribute
  match community [N]
      Match the specified community list
  set local-preference [N]
      Set the preference value for the autonomous system path
Dynamic Routing
454 WatchGuard SystemManager
Dynamic Routing
User Guide 455
Sample BGP Routing Configuration File
To use any of the dynamic routing protocols with Fireware XTM, you must import or type a
configuration file for the dynamic routing daemon. This topic includes a sample configuration file for the
BGP routing daemon. If you want to use this configuration file as a base for your own configuration file,
copy the text into an application such as Notepad or Wordpad and save it with a new name. You can
then edit the parameters to meet your own business requirements.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and
modify variables as necessary.
Sample 1: IPv4
!! SECTION 1: Start BGP daemon and announce network blocks to BGP neighbors
! Enable BGP and set local ASN to 100
! router bgp 100
! Announce local network 192.0.2.0/24 to all neighbors defined in section 2
! network 192.0.2.0/24
!! SECTION 2: Neighbor properties
! Set neighbor (192.0.2.1) as member of remote ASN (200)
! neighbor 192.0.2.1 remote-as 200
! Set neighbor (203.0.113.1) on another network using EBGP multi-hop
! neighbor 203.0.113.1 remote-as 300
! neighbor 203.0.113.1 ebgp-multihop
! Set BGP version (4, 4-) for communication with a neighbor; default is 4
! neighbor 192.0.2.1 version 4-
! Announce default route to BGP neighbor (192.0.2.1)
! neighbor 192.0.2.1 default-originate
! Set custom TCP port 189 to communicate with BGP neighbor (192.0.2.1). Default port is TCP 179
! neighbor 192.0.2.1 port 189
! Set peer send-community
! neighbor 192.0.2.1 send-community
! Set a default weight for the neighbor's (192.0.2.1) routes
! neighbor 192.0.2.1 weight 1000
! Set maximum number of prefixes allowed from this neighbor
! neighbor 192.0.2.1 maximum-prefix NUMBER
!! SECTION 3: Set community lists
! ip community-list 70 permit 7000:80
!! SECTION 4: Announcement filtering
! Set distribute list and direction for peer
! neighbor 192.0.2.1 distribute-list LISTNAME [in|out]
! To apply a prefix list to be matched to incoming or outgoing advertisements to that neighbor
! neighbor 192.0.2.1 prefix-list LISTNAME [in|out]
! To match an autonomous system path access list to incoming or outgoing routes
! neighbor 192.0.2.1 filter-list LISTNAME [in|out]
! To apply a route map to incoming or outgoing routes
! neighbor 192.0.2.1 route-map MAPNAME [in|out]
!! SECTION 5: Redistribute routes to BGP
! Redistribute static routes to BGP
! redistribute static
! Redistribute RIP routes to BGP
! redistribute rip
! Redistribute OSPF routes to BGP
! redistribute ospf
!! SECTION 6: Route reflection
! Set cluster ID and firewall as a client of route reflector server 198.51.100.254
! bgp cluster-id A.B.C.D
! neighbor 198.51.100.254 route-reflector-client
!! SECTION 7: Access lists and IP prefix lists
! Set prefix list
! ip prefix-list PRELIST permit 10.0.0.0/8
! Set access list
! access-list NAME deny 192.0.2.128/25
! access-list NAME permit 192.0.2.0/25
! Create a route map with name MAPNAME and allow with a priority of 10
! route-map MAPNAME permit 10
! match ip address prefix-list LISTNAME
! set community 7000:80
Sample 2: IPv6
!! SECTION 1: Start BGP daemon and set BGP neighbors
! Enable BGP and set local ASN to 100
! router bgp 100
! Set router ID for BGP
! bgp router-id 1.1.1.1
! Set neighbor (2000::2) as member of remote ASN (200)
! neighbor 2000::2 remote-as 200
!! SECTION 2: Enter IPv6 Address Family command mode
! address-family ipv6
!! SECTION 3: Neighbor properties
! Activate Neighbor 2000::2
! neighbor 2000::2 activate
! Announce default route to BGP neighbor (2000::2)
! neighbor 2000::2 default-originate
!! SECTION 4: Announce network
! Announce local network 3344::/64 to all neighbors
! network 3344::/64
!! SECTION 5: Announcement filtering
! Set distribute list and direction for peer
! neighbor 2000::2 distribute-list LISTNAME [in|out]
! To apply a prefix list to be matched to incoming or outgoing advertisements to that neighbor
! neighbor 2000::2 prefix-list PRELIST [in|out]
! To match an autonomous system path access list to incoming or outgoing routes
! neighbor 2000::2 filter-list LISTNAME [in|out]
! To apply a route map to incoming or outgoing routes
! neighbor 2000::2 route-map MAPNAME [in|out]
!! SECTION 6: Redistribute routes to BGP
! Redistribute static routes to BGP
! redistribute static
! Redistribute RIPng routes to BGP
! redistribute ripng
! Redistribute OSPFv3 routes to BGP
! redistribute ospf6
!! SECTION 7: Exit IPv6 Address Family command mode
! exit-address-family
!! SECTION 8: Access lists and IP prefix lists
! Set prefix list
! ipv6 prefix-list PRELIST permit 3000::/64
! Set access list
! ipv6 access-list LISTNAME deny 4000::/64
! ipv6 access-list LISTNAME permit 4000::/25
! Create a route map with name MAPNAME and allow with a priority of 10
! route-map MAPNAME permit 10
! match ipv6 address LISTNAME
Sample 3: IPv4 and IPv6
router bgp 65534
bgp router-id 10.15.1.1
timers bgp 5 15
network 10.15.2.0/24
ipv6 bgp network 1500::0/64
neighbor 172.16.255.2 remote-as 65535
neighbor 172.16.255.2 timers connect 5
neighbor fd00::25 remote-as 65535
neighbor fd00::25 timers connect 5
address-family ipv6
# network 1500::0/64 ### Note: you can use this in place of the ipv6 bgp network command above
neighbor fd00::25 activate ### Note: this neighbor activate command must be inside the address-family ipv6 mode in order to work
exit-address-family
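As an added example (not WatchGuard's code), a small Python audit of a bgpd-style configuration in the format of the samples above: it parses the neighbor commands from the command table and flags any neighbor that lacks a maximum-prefix limit or an inbound or outbound filter (distribute-list, prefix-list, filter-list or route-map). The configuration embedded in it is constructed in the style of Sample 3.

```python
"""Audit a bgpd-style (Quagga) BGP configuration, as used in the samples above,
for neighbors that lack the protective settings listed in the command table:
maximum-prefix and an inbound/outbound filter. Added example, not WatchGuard code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the style of Sample 3: the IPv4 neighbor is fully
# guarded, the IPv6 neighbor has no prefix limit and no outbound filter.
SAMPLE_CONFIG = """\
! constructed sample, not a real deployment
router bgp 65534
 bgp router-id 10.15.1.1
 network 10.15.2.0/24
 neighbor 172.16.255.2 remote-as 65535
 neighbor 172.16.255.2 maximum-prefix 1000
 neighbor 172.16.255.2 prefix-list PRELIST in
 neighbor 172.16.255.2 route-map MAPNAME out
 neighbor fd00::25 remote-as 65535
 address-family ipv6
  neighbor fd00::25 activate
  neighbor fd00::25 prefix-list V6LIST in
 exit-address-family
"""

# Per-neighbor commands that filter advertisements (see "Peer Filtering" above)
FILTER_COMMANDS = ("distribute-list", "prefix-list", "filter-list", "route-map")


@dataclass
class Neighbor:
    address: str
    remote_as: Optional[str] = None
    maximum_prefix: Optional[int] = None
    filters_in: List[Tuple[str, str]] = field(default_factory=list)
    filters_out: List[Tuple[str, str]] = field(default_factory=list)


def parse_neighbors(config_text: str) -> Dict[str, Neighbor]:
    """Collect 'neighbor <addr> <command> ...' lines into Neighbor records.
    Lines starting with '!' or '#' are comments, so a commented-out command
    (as in Samples 1 and 2) does not count as configured."""
    neighbors: Dict[str, Neighbor] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!#":
            continue
        parts = line.split()
        if parts[0] != "neighbor" or len(parts) < 3:
            continue
        nb = neighbors.setdefault(parts[1], Neighbor(parts[1]))
        command = parts[2]
        if command == "remote-as" and len(parts) >= 4:
            nb.remote_as = parts[3]
        elif command == "maximum-prefix" and len(parts) >= 4 and parts[3].isdigit():
            nb.maximum_prefix = int(parts[3])
        elif command in FILTER_COMMANDS and len(parts) >= 5:
            entry = (command, parts[3])
            direction = parts[4].lower()
            if direction == "in":
                nb.filters_in.append(entry)
            elif direction == "out":
                nb.filters_out.append(entry)
    return neighbors


def audit(config_text: str) -> List[Tuple[str, str]]:
    """Return (neighbor, finding) pairs, sorted by neighbor address."""
    findings: List[Tuple[str, str]] = []
    for address, nb in sorted(parse_neighbors(config_text).items()):
        if nb.remote_as is None:
            findings.append((address, "no remote-as; the session cannot establish"))
        if nb.maximum_prefix is None:
            findings.append((address, "no maximum-prefix; the peer can flood the routing table"))
        if not nb.filters_in:
            findings.append((address, "no inbound filter; every advertised prefix is accepted"))
        if not nb.filters_out:
            findings.append((address, "no outbound filter; internal routes may be leaked"))
    return findings


if __name__ == "__main__":
    for address, finding in audit(SAMPLE_CONFIG):
        print(f"{address}: {finding}")
```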
10
FireCluster
About WatchGuard FireCluster
You can use WatchGuard FireCluster to configure two XTM devices as a cluster to increase network
performance and scalability.
To enable FireCluster or change the cluster configuration, you must use Policy Manager. For
information about how to configure a FireCluster, see the Fireware XTM WatchGuard System Manager
Help at http://www.watchguard.com/help/documentation/.
After you have configured a cluster in Policy Manager, you can use the Fireware XTM Web UI to
connect to it. You can use the Web UI to monitor the cluster and update policies and other
configuration settings, but you cannot use the Web UI to see or modify the FireCluster settings.
In Fireware v11.8.x and lower, you cannot use the Fireware XTM Web UI with
devices configured as a FireCluster.
There are two configuration options available for a FireCluster: active/passive and active/active. To
add redundancy, choose an active/passive cluster. To add both redundancy and load sharing to your
network, select an active/active cluster.
When you enable FireCluster, you manage and monitor the two devices in the cluster as you would a
single device.
FireCluster Device Roles
When you use the Fireware XTM Web UI to connect to devices configured as a cluster, it is important
to understand the cluster member roles.
Cluster master
The cluster master assigns network traffic flows to cluster members, and responds to all
requests from external systems such as WatchGuard System Manager, SNMP, DHCP, ARP,
routing protocols, and IKE. When you configure or modify the configuration of a FireCluster, you
save the configuration to the cluster master. Either cluster member can be the cluster master.
The first device in a cluster to power on becomes the cluster master.
Backup master
The backup master synchronizes all necessary information with the cluster master, so that it
can become the cluster master if the master fails. You cannot use the Fireware XTM Web UI to
save configuration changes to the backup master.
The Fireware XTM Web UI does not show the current status of the cluster members. To see the status
of cluster members, connect to the cluster with WatchGuard System Manager or Firebox System
Manager. For information about how to monitor the status of FireCluster members, see the Fireware
XTM WatchGuard System Manager Help at http://www.watchguard.com/help/documentation/.
Use the Web UI with a FireCluster
You can use the Fireware XTM Web UI to connect to a FireCluster or a cluster member. You can use
an interface IP address to connect to the Web UI, or you can use the management IP address of a
cluster member.
To connect to the FireCluster on an interface IP address:
https://<Firebox-IP-address>:8080
<Firebox-IP-address> is the IP address assigned to an interface.
To connect to an individual cluster member:
https://<cluster-member-management-IP-address>:8080
<cluster-member-management-IP-address> is the management IP address configured for a member
in the FireCluster settings.
You cannot use the Fireware XTM Web UI to connect to a FireCluster that uses
Fireware XTM v11.8.x or lower.
Web UI for the Cluster Master
There are two ways to connect to the cluster master. You can connect to the management IP address
of the cluster master, or you can connect to an interface IP address. When you log in to the cluster
master with an account that has a Device Administrator role, you can use the Fireware XTM Web UI to
make any type of configuration change that you could make to a non-clustered device. For example,
you can update the policies, services, VPN, network, and authentication settings. When you save
configuration changes to the cluster master, the changes are automatically synchronized with the
backup master.
You cannot use the Fireware XTM Web UI to change the FireCluster configuration or perform
commands that affect the status of the cluster members. You cannot use the Fireware XTM Web UI
to:
- Enable or disable a FireCluster or change FireCluster settings
- Edit the configuration of the cluster interface
- Force a FireCluster member to fail over
- Make a member join or leave a cluster
- Discover a cluster member
- Monitor cluster health
- Upgrade both members of a cluster
When you use an interface IP address to connect to a FireCluster, you automatically connect to the
current cluster master. The System widget in the Front Panel dashboard shows the member name
and serial number of the device that is the current cluster master.
When you connect to the cluster master or to an interface, most of the dashboard and system status
pages show combined statistics and information for both cluster members.
There are two pages that do not show combined information for both members:
- Dashboard > Traffic Monitor
- System Status > Traffic Management
These pages show information about traffic on the cluster master by default. To see information about
the other cluster member, select the cluster member name from the drop-down list near the top of the
page.
Web UI for the Backup Master
You can use the management IP address of the backup master to log in to the Web UI of the backup
master device. When you connect to the backup master, the configuration is always read-only, and
you cannot save configuration changes. If you log in to the backup master with an account that has a
Device Administrator role, you can use these upgrade, backup, and restore options on the backup
master device:
- System > Upgrade OS: Upgrade the Fireware XTM OS on the backup master
- System > Backup Image: Save a backup image of the backup master
- System > Restore Image: Restore a backup image to the backup master
- System > USB Drive: Save or restore a backup image to a connected USB drive
On the backup master, you can also use these functions on the Dashboards:
- Front Panel: Reboot the backup master
- Subscription Services: Update subscription services signatures on the backup master
When you connect to a backup master, the dashboards and system status pages show information
only for that member, not for the entire cluster.
FireCluster Backup, Restore, and Upgrade in the Web UI
The Fireware XTM Web UI handles backup/restore and OS upgrade functions for each cluster
member individually.
You can use the Web UI to back up, restore, and upgrade cluster members, but we
recommend you use Policy Manager to do these functions, if possible. Policy
Manager automatically manages the backup, restore, and OS upgrades for all
members of the cluster.
To back up and restore a device image for FireCluster members in the Web UI:
- You must save a separate backup image from each cluster member.
- Use the backup image saved from each device to restore to each device. For example, do not
restore the backup image from the cluster master to both devices in the cluster.
- Restore the backup image to the cluster backup master before you restore the backup image to
the cluster master.
- Make sure that the backup image you restore to each device uses the same OS version.
To upgrade the Fireware XTM OS for members of a FireCluster in the Web UI:
- Upgrade the OS on the backup master first.
- Make sure that you upgrade both cluster members to the same OS version.
11
Authentication
About User Authentication
User authentication is a process that determines whether a user is who he or she claims to be and
verifies the privileges assigned to that user. On the XTM device, a user account has two parts: a user
name and a passphrase. Each user account is associated with an IP address. This combination of
user name, passphrase, and IP address helps the device administrator to monitor connections through
the device. With authentication, users can log in to the network from any computer, but access only
the network ports and protocols for which they are authorized. The XTM device can then map the
connections that start from a particular IP address and also transmit the session name while the user is
authenticated.
You can create firewall policies to give users and groups access to specified network resources. This is
useful in network environments where different users share a single computer or IP address.
You can configure your XTM device as a local authentication server, or use your existing Active
Directory or LDAP authentication server, or an existing RADIUS authentication server. When you use
Firebox authentication over port 4100, account privileges can be based on user name. When you use
third-party authentication, account privileges for users that authenticate to the third-party
authentication servers are based on group membership.
If you have configured your XTM device with an IPv6 address, you can use the IPv6 address for
Firebox authentication over port 4100. You can also use your XTM device to make IPv6 connections to
clients with IPv6 addresses when you use a third-party authentication server with an IPv4 address,
such as a RADIUS server.
The WatchGuard user authentication feature allows a user name to be associated with a specific IP
address to help you authenticate and track user connections through the device. With the device, the
fundamental question that is asked and answered with each connection is, "Should I allow traffic from
source X to go to destination Y?" For the WatchGuard authentication feature to work correctly, the IP
address of the user's computer must not change while the user is authenticated to the device.
In most environments, the relationship between an IP address and the user computer is stable enough
to use for authentication. For environments in which the association between the user and an IP
address is not consistent, such as kiosks or networks where applications are run from a terminal
server, we recommend that you use Terminal Services Agent for secure authentication. For more
information, see Install and Configure the Terminal Services Agent.
WatchGuard supports Authentication, Accounting, and Access control (AAA) in the firewall products,
based on a stable association between IP address and person.
The WatchGuard user authentication feature also supports authentication to an Active Directory
domain with Single Sign-On (SSO), as well as other common authentication servers. In addition, it
supports inactivity settings and session time limits. These controls restrict the amount of time an IP
address is allowed to pass traffic through the XTM device before users must supply their passwords
again (reauthenticate).
If you control SSO access with a white list and manage inactivity timeouts, session timeouts, and who
is allowed to authenticate, you can improve your control of authentication, accounting, and access
control.
To prevent a user from authenticating, you must disable the account for that user on the authentication
server.
User Authentication Steps
After you configure your XTM device as a local authentication server, the HTTPS server on the XTM
device accepts authentication requests. To authenticate, a user must connect to the authentication
portal web page on the XTM device.
1. Go to either:
https://[device interface IP address]:4100/
or
https://[device hostname]:4100
An authentication web page appears.
2. Type a user name and password.
3. Select the authentication server from the drop-down list, if more than one type of authentication
is configured.
The XTM device sends the name and password to the authentication server using PAP (Password
Authentication Protocol).
When authenticated, the user is allowed to use the approved network resources.
Because Fireware XTM uses a self-signed certificate by default for HTTPS, you see
a security warning from your web browser when you authenticate. You can safely
ignore this security warning. If you want to remove this warning, you can use a
third-party certificate or create a custom certificate that matches the IP address or domain
name used for authentication.
Manually Close an Authenticated Session
Users do not have to wait for the session timeout to close their authenticated sessions. They can
manually close their sessions before the timeout occurs. The Authentication web page must be open
for a user to close a session. If it is closed, the user must authenticate again to log out.
To close an authenticated session:
1. Go to the Authentication portal web page:
https://[device interface IP address]:4100/
or
https://[device host name]:4100
2. Click Logout.
If the Authentication portal web page is configured to automatically redirect to another
web page, the portal is redirected just a few seconds after you open it. Make sure you
log out before the page redirects.
Manage Authenticated Users
You can use Fireware XTM Web UI to see a list of all the users authenticated to your XTM device and
close sessions for those users.
See Authenticated Users
To see the users authenticated to your XTM device:
1. Connect to Fireware XTM Web UI.
2. Select System Status > Authentication List.
A list of all users authenticated to the Firebox appears.
Close a User Session
From Fireware XTM Web UI:
1. Select System Status > Authentication List.
A list of all users authenticated to the Firebox appears.
2. Select one or more user names from the list.
3. Click Log off users.
Use Authentication to Restrict Incoming Traffic
One function of the authentication tool is to restrict outgoing traffic. You can also use it to restrict
incoming network traffic. When you have an account on the XTM device and the device has a public
external IP address, you can authenticate to the device from a computer external to the device.
For example, you can type this address in your web browser: https://<IP address of XTM device
external interface>:4100/.
After you authenticate, you can use the policies that are configured for you on the device.
To enable a remote user to authenticate from the external network:
1. Select Firewall > Firewall Policies.
The Firewall Policies page appears.
2. Double-click the WatchGuard Authentication policy to edit it.
This policy appears after you add a user or group to a policy configuration.
The Edit page appears.
3. From the Connections are drop-down list, make sure Allowed is selected.
4. In the From section, click Add.
The Add Member dialog box appears.
5. From the Member type drop-down list, select Alias.
6. From the list of members, select Any.
7. Click OK.
Any appears in the From list.
8. In the To section, click Add.
9. From the Member type drop-down list, select Alias.
10. From the list of members, select Firebox.
11. Click OK.
Firebox appears in the To list.
12. Click Save.
Use Authentication Through a Gateway Firebox
The gateway Firebox is the XTM device that you place in your network to protect your Management
Server from the Internet.
To send an authentication request through a gateway Firebox to a different device, you must have a
policy that allows the authentication traffic on the gateway device. If authentication traffic is denied on
the gateway device, add the WG-Auth policy. This policy controls traffic on TCP port 4100. You must
configure the policy to allow traffic to the IP address of the destination device.
About the WatchGuard Authentication (WG-Auth) Policy
The WatchGuard Authentication (WG-Auth) policy is automatically added to your XTM device
configuration when you add the first policy that has a user or group name in the From list on the Policy
tab of the policy definition. The WG-Auth policy controls access to port 4100 on your XTM device. Your
users send authentication requests to the device through this port. For example, to authenticate to an
XTM device with an IP address of 10.10.10.10, your users type https://10.10.10.10:4100 in the
web browser address bar.
If you want to send an authentication request through a gateway device to a different device, you might
have to add the WG-Auth policy manually. If authentication traffic is denied on the gateway device, you
must use Policy Manager to add the WG-Auth policy. Modify this policy to allow traffic to the IP
address of the destination device.
For more information on when to modify the WatchGuard Authentication policy, see Use
Authentication to Restrict Incoming Traffic on page 469.
Set Global Firewall Authentication Values
When you configure your global authentication settings, you can configure the global values for firewall
authentication, such as timeout values, user login session limits, and authentication page redirect
settings. You can also enable Single Sign-On (SSO), and configure settings for Terminal Services. For
more information, see the topics Enable Single Sign-On (SSO) and Configure Terminal Services
Settings.
If you configure user login session limits for individual users or groups, the limits set for a group and for
a user override the global setting.
If your device runs Fireware XTM v11.0 through v11.3.x, the Authentication Settings for
Terminal Services are not available.
Specify Firewall Authentication Settings
To configure Firewall Authentication settings:
1. Connect to Fireware XTM Web UI.
2. Select Authentication > Settings.
The Authentication Settings page appears.
3. Configure authentication settings as described in the subsequent sections.
4. Click Save.
Set Global Authentication Timeouts
You can set the time period that users remain authenticated after they close their last authenticated
connection. This timeout is set either on the Authentication Settings page, or in the Firebox User
dialog box.
For more information about user authentication settings and the Firebox User dialog box, see Define
a New User for Firebox Authentication on page 522.
For users authenticated by third-party servers, the timeouts set on those servers also override the
global authentication timeouts.
Global authentication timeout values for Firewall Authentication do not override the individual user
authentication timeout settings for Mobile VPN with PPTP and Mobile VPN with L2TP users.
Session Timeout
The maximum length of time the user can send traffic to the external network. If you set this
field to zero (0) seconds, minutes, hours, or days, the session does not expire and the user can
stay connected for any length of time.
Idle Timeout
The maximum length of time the user can stay authenticated when idle (not passing any traffic
to the external network). If you set this field to zero (0) seconds, minutes, hours, or days, the
session does not time out when idle and the user can stay idle for any length of time.
Allow Unlimited Concurrent Login Sessions
You can allow more than one user to authenticate with the same user credentials at the same time, to
one authentication server. This is useful for guest accounts or in laboratory environments. When the
second user logs in with the same credentials, the first user authenticated with the credentials is
automatically logged out. If you do not allow this feature, a user cannot authenticate to the
authentication server more than once at the same time.
On the Authentication Settings page:
Select Allow unlimited concurrent firewall authentication logins from the same account.
For Mobile VPN with IPSec and Mobile VPN with SSL users, concurrent logins from the same account
are always supported regardless of whether this option is selected. These users must log in from
different IP addresses for concurrent logins, which means that they cannot use the same account to
log in if they are behind an XTM device that uses NAT. Mobile VPN with PPTP and Mobile VPN with
L2TP users do not have this restriction.
Limit Login Sessions
From the Authentication Settings page, you can limit your users to a specific number of
authenticated sessions. If you select this option, you can specify the number of times your users can
use the same credentials to log in to one authentication server from different IP addresses. When a
user is authenticated and tries to authenticate again, you can select whether the first user session is
terminated when a subsequent session is authenticated, or if the subsequent sessions are rejected.
1. Select Limit concurrent user sessions to.
2. In the text box, type or select the number of allowed concurrent user sessions.
3. From the drop-down list, select an option:
- Reject subsequent login attempts
- Allow subsequent login attempts and logoff the first session.
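The Session Timeout and Idle Timeout rules (zero means no limit) and the "Limit concurrent user sessions to" options with their Reject / logoff-the-first-session choice, modeled as an added Python example that is not WatchGuard's code; the class and method names and the timestamps are assumptions made for the example.

```python
"""Model of the firewall authentication session rules described above: Session
Timeout and Idle Timeout (0 = no limit) plus the "Limit concurrent user sessions to"
options. Added example, not WatchGuard code; names and timestamps are assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Session:
    user: str
    ip: str          # a session is bound to the IP address the user logged in from
    started: int     # constructed timestamps, in seconds
    last_traffic: int


class FirewallAuthTable:
    def __init__(self, session_timeout: int, idle_timeout: int,
                 limit: Optional[int] = None, logoff_first: bool = False):
        self.session_timeout = session_timeout  # 0: session never expires
        self.idle_timeout = idle_timeout        # 0: session never times out when idle
        self.limit = limit                      # None: no concurrent-session limit set
        self.logoff_first = logoff_first        # False: "Reject subsequent login attempts"
        self.sessions: List[Session] = []

    def _expired(self, s: Session, now: int) -> bool:
        hit_session = self.session_timeout > 0 and now - s.started >= self.session_timeout
        hit_idle = self.idle_timeout > 0 and now - s.last_traffic >= self.idle_timeout
        return hit_session or hit_idle

    def expire(self, now: int) -> List[Session]:
        """Drop every session past either timeout; return the dropped sessions
        (those users must reauthenticate through the portal)."""
        dropped = [s for s in self.sessions if self._expired(s, now)]
        self.sessions = [s for s in self.sessions if not self._expired(s, now)]
        return dropped

    def traffic(self, ip: str, now: int) -> bool:
        """Traffic from an IP address: True if a live session covers it,
        in which case the idle clock restarts."""
        self.expire(now)
        for s in self.sessions:
            if s.ip == ip:
                s.last_traffic = now
                return True
        return False

    def login(self, user: str, ip: str, now: int) -> bool:
        """Apply the concurrent-session rule; True if the new session is accepted."""
        self.expire(now)
        mine = [s for s in self.sessions if s.user == user]
        if self.limit is not None and len(mine) >= self.limit:
            if not self.logoff_first:
                return False                       # reject subsequent login attempt
            oldest = min(mine, key=lambda s: s.started)
            self.sessions.remove(oldest)           # log off the first session instead
        self.sessions.append(Session(user, ip, now, now))
        return True

    def active_ips(self, user: str) -> List[str]:
        return sorted(s.ip for s in self.sessions if s.user == user)
```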
Specify the Default Authentication Server in the Authentication Portal
When your users log in to the Authentication Portal, they must select which authentication server to
use for authentication. Users can select from any of the authentication servers you have enabled. By
default, the first server in the list is Firebox-DB. You can change this setting so another enabled
authentication server is first in the list of authentication servers. This is helpful if you want your users to
authenticate with a server other than Firebox-DB.
To select the default authentication server:
From the Default authentication server on the authentication page drop-down list, select an
authentication server.
For example, if you want your users to authenticate to your Active Directory server named
Home AD, select Home AD from the drop-down list.
Automatically Redirect Users to the Authentication Portal
If you require your users to authenticate before they can get access to the Internet, you can choose to
automatically send users who are not already authenticated to the authentication portal, or have them
manually navigate to the portal. This applies only to HTTP and HTTPS connections.
Automatically redirect users to the authentication page
When you select this check box, all users who have not yet authenticated are automatically
redirected to the authentication portal when they try to get access to the Internet. If you do not
select this check box, unauthenticated users must manually navigate to the authentication
portal to log in.
For more information about user authentication, see User Authentication Steps on page 466.
Redirect traffic sent to the IP address of the XTM device to this host name
Select this check box to specify a host name for the page where your users are redirected,
when you choose to automatically redirect users to the authentication portal. Type the host
name in the text box.
Make sure that the host name matches the Common Name (CN) from the web server
certificate. This host name must be specified in the DNS settings for your organization and the
value of the host name must be the IP address of your XTM device.
If you have users who must manually authenticate to the authentication portal, and you use SSO, you
can add an SSO exception for those users to reduce the amount of time it takes for them to
authenticate. For more information about SSO exceptions, see Enable Single Sign-On (SSO).
Use a Custom Default Start Page
When you select the Automatically redirect users to authentication page check box to require your
users to authenticate before they can get access to the Internet, the Authentication portal
automatically appears when a user opens a web browser. If you want the browser to go to a different
page after your users successfully log in, you can define a redirect.
From the Authentication Settings page:
1. Select the Send a redirect to the browser after successful authentication check box.
2. In the text box, type the URL of the web site where users are redirected.
Set Management Session Timeouts
Use these options to set the time period that a user who is logged in with read/write privileges remains
authenticated before the XTM device terminates the session.
Session Timeout
The maximum length of time the user can send traffic to the external network. If you select zero
(0) seconds, minutes, hours, or days, the session does not expire and the user can stay
connected for any length of time.
Idle Timeout
The maximum length of time the user can stay authenticated when idle (not passing any traffic
to the external network). If you select zero (0) seconds, minutes, hours, or days, the session
does not expire when the user is idle, and the user can stay idle for any length of time.
About Single Sign-On (SSO)
When users log on to the computers in your network, they must give a user name and password. If you
use Active Directory authentication on your XTMdevice to restrict outgoing network traffic to specified
users or groups, your users must also complete an additional step: they must manually log in again to
authenticate to the XTMdevice and get access to network resources or the Internet. To simplify the log
in process for your users, you can use Single Sign-On (SSO). With SSO, your users on the trusted or
optional networks provide their user credentials one time (when they log on to their computers) and are
automatically authenticated to your XTMdevice.
The WatchGuard SSO Solution
The WatchGuard SSOsolution includes these components:SSOAgent, the SSOClient, the Event
Log Monitor, and the Exchange Monitor.
About the SSO Agent
To use SSO, you install the SSO Agent on a server in your network. This server can be the domain controller computer for your domain, or another domain member server in your network. When you install the SSO Agent on the domain controller, it enables the SSO Agent to run as a domain user account with Domain Admin privileges. With these privileges, when users try to authenticate to your domain, the SSO Agent can query the SSO Client on the client computer, the Event Log Monitor, or the Exchange Monitor for the correct user credentials, and provide those user credentials to your XTM device. When you install the SSO Agent, make sure that it runs as a user with Domain Admin privileges.
About the SSO Client
When you install the SSO Client software on your Windows or Mac OS X client computers, the SSO Client receives the call from the SSO Agent and returns the user name, group membership information, and domain name for the user who is currently logged in to the computer.
About the Event Log Monitor
If you do not want to install the SSO Client on each client computer, you can instead install the Event Log Monitor on a server in each domain in your network. This can be the domain controller or another domain member server. You then configure the SSO Agent to get user login information from the Event Log Monitor. This is known as clientless SSO. With clientless SSO, the Event Log Monitor collects user login information from the Windows security event log files on each client computer. The Event Log Monitor uses the login information to get the group membership information for each user from the domain controller. It then stores the user credentials and user group information for each user. When you install the Event Log Monitor, make sure that it runs as a user with Domain Admin privileges.
When the SSO Agent contacts the Event Log Monitor for user credentials, the Event Log Monitor contacts the client computer over TCP port 445 to get the user logon credentials, retrieves the stored user group membership information from the domain controller, and provides this information to the SSO Agent. The Event Log Monitor continues to poll the client computer every five seconds to monitor logon and logoff events, and connection abort issues. Any connection errors are recorded in the eventlogmonitor.log file in the WatchGuard > Authentication Gateway directory on the server where the Event Log Monitor is installed.
If you have one domain that you use for SSO, you can install the Event Log Monitor on the same server or domain controller where you install the SSO Agent. If you have more than one domain, you must install one instance of the Event Log Monitor in each domain, but you only install one instance of the SSO Agent for your entire network. The Event Log Monitor does not have to be installed on the domain controller computer; it can be installed on any domain member server in that domain. The Event Log Monitor must run as a user account in the Domain Admins group so it can get the user credentials.
About the Exchange Monitor
For your users with computers that run Windows or Mac OS X, or your users with mobile devices that
run iOS, Android, or Windows mobile operating systems, you can use the Exchange Monitor to get
user credentials and login information for SSO. To use the Exchange Monitor to get user login
information, you must install the Exchange Monitor on the same server where your Microsoft
Exchange Server is installed. This Exchange Server must generate IIS and RPC client access log
messages. Because Microsoft Exchange is integrated with your Active Directory server, it can easily
get the user credentials from the IIS and RPC client access log messages in your user store. Then, when a user successfully connects to the Exchange Server to download email, the Exchange Monitor records the logon and logoff events for the user, and gives the event information to the SSO Agent.
When a client computer connects to a Microsoft Exchange server, the IIS service on the Exchange
server records a log entry of the user logon event. To get the credentials for your users for SSO, the
Exchange Monitor verifies the logon and logoff events with the IIS service and keeps a list of all
currently active users. The Exchange Monitor queries the IIS service every three seconds to make
sure user information is current. When the SSO Agent contacts the Exchange Monitor, it sends the user information to the SSO Agent. If the user is listed as logged in to the Exchange server, the SSO Agent notifies the XTM device that the user is currently logged in, and the user is authenticated. If the user is not included in the list of logged in users, the SSO Agent notifies the XTM device that the user is not found in the list of active users, and the user is not authenticated.
The SSO Exchange Monitor is supported for use with only Microsoft Exchange 2003, 2007, or 2010.
For more information about how to configure the SSO Agent to use the Event Log Monitor and the Exchange Monitor, see Configure the SSO Agent on page 486.
How SSO Works
For SSO to work, you must install the SSO Agent software. The SSO Client software is optional and is installed on each client computer. The Event Log Monitor is optional, and is installed on a member server or domain controller in each of your domains. The Exchange Monitor is also optional, and is installed on the computer where your Microsoft Exchange Server is installed. When the SSO Client, the Event Log Monitor, or the Exchange Monitor software is installed, and the SSO Agent contacts an SSO component for user credentials, either the SSO Client, Event Log Monitor, or Exchange Monitor sends the correct user credentials and group membership information to the SSO Agent. When you configure the settings for the SSO Agent, you can specify which SSO component (SSO Client, Event Log Monitor, or Exchange Monitor) the SSO Agent queries first. For SSO to work correctly, you must either install the SSO Client on all your client computers, or use either the Event Log Monitor or Exchange Monitor to get correct user information.
If the SSO Client, the Event Log Monitor, and the Exchange Monitor are not available, to get the user credentials, the SSO Agent makes a NetWkstaUserEnum call to the client computer over TCP port 445. It then uses the information it gets to authenticate the user for Single Sign-On. The SSO Agent uses only the first answer it gets from the computer. It reports that user to the XTM device as the user that is logged on. The XTM device checks the user information against all the defined policies for that user and/or user group at one time. The SSO Agent caches this data for about 10 minutes by default, so that a query does not have to be generated for every connection.
For examples of how the SSO Agent can contact the other SSO components for user information, see the Example Network Configurations for SSO section.
SSO Component Compatibility
The components of the WatchGuard SSO solution offer configuration flexibility to enable all of your Windows, Mac OS X, and mobile users to have a seamless authentication experience. The options for the SSO components that you can use with your computers or mobile device platforms include:

SSO Component           Windows    Mac OS X    iOS    Android
SSO Agent (1)           Yes        Yes         Yes    Yes
SSO Client (2)          Yes        Yes         --     --
Event Log Monitor       Yes        --          --     --
Exchange Monitor (3)    Yes        Yes         Yes    Yes

(1) Though the SSO Agent can be used with all supported platforms, it must be installed only on a Windows server or your domain controller.
(2) The SSO Client is available in two versions: Windows and Mac OS X.
(3) Though you can use Exchange Monitor for your users with Windows computers, we recommend that Exchange Monitor only be used for users with Mac OS X or mobile devices.
Example Network Configurations for SSO
This first diagram shows one possible configuration for a network with a single domain. The SSO Agent and the Event Log Monitor are installed on the domain controller, the Exchange Monitor is installed on the Microsoft Exchange server, and the SSO Client is installed on the client computer. With this configuration, you can specify whether the SSO Agent contacts the SSO Client, the Event Log Monitor, or Exchange Monitor first.
For example, if you configure the SSO Agent to contact the SSO Client first, the Event Log Monitor second, and the Exchange Monitor third, and the SSO Client is not available, the SSO Agent next contacts the Event Log Monitor for the user credentials and group information. If the client computer is a Mac OS X or mobile device, the SSO Agent contacts the Exchange Monitor for the user login and logoff information.
The SSO Agent and the Event Log Monitor do not have to be installed on the domain controller. You can also install both the SSO Agent and the Event Log Monitor on another computer on the same domain, as long as they both run as a user account in the Domain Admins group.
The second diagram shows one possible configuration of a network with two domains. The SSO Agent is installed on only one domain controller in your network, the SSO Client is installed on each client computer, the Event Log Monitor is installed on a Windows member server in each domain in your network, and the Exchange Monitor is installed on your Microsoft Exchange Server. With this configuration, you can specify whether the SSO Agent contacts the SSO Clients, the Event Log Monitors, or the Exchange Monitor first.
For example, if you configure the SSO Agent to contact the SSO Client first, the Event Log Monitor second, and the Exchange Monitor third, and the SSO Client is not available, the SSO Agent contacts the Event Log Monitor that is in the same domain as the client computer and gets the user credentials and group information. If the client computer is a Mac OS X or mobile device, the SSO Agent contacts the Exchange Monitor for the user login and logoff information.
In your network environment, if more than one person uses the same computer, we recommend that you either install the SSO Client software on each client computer, install the Event Log Monitor in each domain, or install the Exchange Monitor on your Exchange server. Because there are access control limitations if you do not use the SSO Client, Event Log Monitor, or Exchange Monitor, we recommend that you do not use SSO without the SSO Client, the Event Log Monitor, or the Exchange Monitor.
For example, if you configure SSO without the SSO Client, the Event Log Monitor, or the Exchange Monitor, for services installed on a client computer (such as a centrally administered antivirus client) that have been deployed so that users can log on with domain account credentials, the XTM device gives all users access rights as defined by the first user that is logged on (and the groups of which that user is a member), and not the credentials of the individual users that log on interactively. Also, all log messages generated from user activity show the user name of the service account, and not the individual user.
If you do not install the SSO Client, the Event Log Monitor, or the Exchange Monitor, we recommend you do not use SSO for environments where users log on to computers with service or batch logons. When more than one user is associated with an IP address, network permissions might not operate correctly. This can be a security risk.
If you configure multiple Active Directory domains, you can choose to use either the SSO Client, the Event Log Monitor, or the Exchange Monitor. For more information about how to configure the SSO Client when you have multiple Active Directory domains, see Configure Active Directory Authentication on page 551 and Install the WatchGuard Single Sign-On (SSO) Client on page 500.
If you enable Single Sign-On, you can also use Firewall authentication to log in to the Firewall
Authentication Portal page and authenticate with different user credentials. For more information, see
Firewall Authentication on page 519.
Single Sign-On (SSO) is configured separately for the Terminal Services Agent. For more information
about the Terminal Services Agent, see Install and Configure the Terminal Services Agent on page
508.
SSO is not supported for remote desktop sessions or for terminal sessions.
Choose Your SSO Components
Because the WatchGuard SSO solution is so flexible, you have many choices available to you for your various network access configurations. If, after you have reviewed the previous SSO Component Compatibility section, you are unsure which components to use for your network, WatchGuard recommends these guidelines:
• For your users with Windows: Install the SSO Client on each Windows computer, specify the SSO Client as the primary contact, and specify the Event Log Monitor as the secondary contact.
• For your users with Mac OS X or mobile devices: Install the SSO Client on each Mac OS X computer, specify the SSO Client as the primary contact, and specify the Exchange Monitor as the secondary contact.
For more information about how to set the contact priority for your SSO components, see the Configure Clientless SSO section in Configure the SSO Agent on page 486.
Before You Begin
Before you configure SSO for your network, verify that your network configuration meets these prerequisites:
• You must have an Active Directory server configured on a trusted or optional network.
• Your XTM device must be configured to use Active Directory authentication.
• Each user must have an account set up on the Active Directory server.
• Each user must log on to a domain account for Single Sign-On (SSO) to operate correctly. If users log on to an account that exists only on their local computers, their credentials are not checked and the XTM device does not recognize that they are logged in.
• Make sure that TCP port 445 (port for SMB) is open on the client computers.
• Make sure that TCP port 4116 is open on the client computers where you install the SSO Client.
• Make sure that TCP port 4114 is open on the server where you install the SSO Agent.
• Make sure that TCP port 4135 is open on the server where you install the Event Log Monitor.
• Make sure that TCP port 4136 is open on the server where you install the Exchange Monitor.
• Make sure that the Microsoft .NET Framework (v2.0-4.5 or higher) is installed on the server where you install the SSO Agent and Exchange Monitor.
• Make sure that all computers from which users authenticate with SSO are members of the domain with unbroken trust relationships.
• Make sure the SSO Agent, the Event Log Monitor, and the Exchange Monitor run as a user account in the Domain Admins group.
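The prerequisite list above can be checked from a domain-joined Windows host before you run the installers. The script below is an added example and is not WatchGuard's code; the host names, the sample client computers, and the service account name ssoagent are constructed placeholders, and the Domain Admins and password checks assume the ActiveDirectory RSAT module is available.

```powershell
# Added example (not WatchGuard's code): checks the SSO prerequisites listed in
# "Before You Begin" from a Windows host in the domain. Host names and the
# service account name are constructed placeholders; replace them with your own.
$ssoAgentServer  = 'sso-agent.example.local'   # assumption: server where the SSO Agent runs
$elmServer       = 'elm.example.local'         # assumption: Event Log Monitor server
$exchangeServer  = 'exch.example.local'        # assumption: Exchange Monitor server
$clientComputers = @('ws01.example.local', 'ws02.example.local')  # constructed sample clients
$serviceAccount  = 'ssoagent'                  # assumption: Domain Admins account the services run as

# TCP ports the user guide says must be open, keyed by the host that must accept them.
$portChecks = @(
    @{ Host = $ssoAgentServer; Port = 4114; Role = 'SSO Agent' }
    @{ Host = $elmServer;      Port = 4135; Role = 'Event Log Monitor' }
    @{ Host = $exchangeServer; Port = 4136; Role = 'Exchange Monitor' }
)
foreach ($c in $clientComputers) {
    $portChecks += @{ Host = $c; Port = 445;  Role = 'SMB on client (used by ELM and NetWkstaUserEnum)' }
    $portChecks += @{ Host = $c; Port = 4116; Role = 'SSO Client on client' }
}

$results = foreach ($chk in $portChecks) {
    # Test-NetConnection performs a TCP connect; -WarningAction hides the failure warning.
    $tcp = Test-NetConnection -ComputerName $chk.Host -Port $chk.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Role = $chk.Role; Host = $chk.Host; Port = $chk.Port; Open = $tcp.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# .NET Framework 4.5 or later writes a Release value of 378389 or higher to this key.
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
    -ErrorAction SilentlyContinue).Release
if ($release -ge 378389) { "OK: .NET Framework 4.5+ present (Release $release)" }
else { "WARN: .NET Framework 4.5+ not found; the SSO Agent and Exchange Monitor need it" }

# Domain Admins membership of the service account (requires the ActiveDirectory RSAT module).
Import-Module ActiveDirectory
$isDomainAdmin = $null -ne (Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object SamAccountName -eq $serviceAccount)
if ($isDomainAdmin) { "OK: $serviceAccount is a member of Domain Admins" }
else { "WARN: $serviceAccount is not in Domain Admins; the SSO services cannot get user credentials" }

# The guide also asks for a password that never expires on that account.
$acct = Get-ADUser -Identity $serviceAccount -Properties PasswordNeverExpires
if (-not $acct.PasswordNeverExpires) { "WARN: password for $serviceAccount expires; set it to never expire" }
```

Run it on the server where you plan to install the SSO Agent so that the port tests reflect that server's path to the clients and the other monitors; a closed port 445 on a client is the most common reason clientless SSO returns no credentials.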
Set Up SSO
To use SSO, you must install the SSO Agent software. We recommend that you also use either the Event Log Monitor, Exchange Monitor, or the SSO Client. Though you can use SSO with only the SSO Agent, you increase your security and access control when you also use the SSO Client, the Event Log Monitor, or the Exchange Monitor.
To set up SSO, follow these steps:
1. Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor (ELM is optional).
2. Install the WatchGuard Single Sign-On (SSO) Client (optional, but recommended).
3. Install the WatchGuard SSO Exchange Monitor (optional).
4. Enable Single Sign-On (SSO).
Install the WatchGuard Single Sign-On (SSO) Agent
To use Single Sign-On (SSO), you must install the WatchGuard Authentication Gateway, which includes two components: the SSO Agent (mandatory) and the Event Log Monitor (optional).
The SSO Agent is a service that receives requests for Firebox authentication and checks user status with the Active Directory server. The service runs with the name WatchGuard Authentication Gateway on the computer where you install the SSO Agent software. This computer must have the Microsoft .NET Framework v2.0-4.5 or later installed. You must install the SSO Agent to use Single Sign-On.
The Event Log Monitor is an optional component of the WatchGuard Authentication Gateway. If you do not install the SSO Client on all of your client computers, we recommend that you install the Event Log Monitor. When a logon event occurs, the Event Log Monitor polls the destination IP address (the client computer) for the user name and domain name that was used to log in. Based on the user name information, the Event Log Monitor gets the information about which users belong to which user groups, and sends that information to the SSO Agent. This enables the SSO Agent to correctly identify a user and make sure that each user can only log on from one computer at a time.
If you have more than one domain, install the SSO Agent on only one domain member server or domain controller in your network, and install the Event Log Monitor on one member server or domain controller in each of your domains. The SSO Agent then contacts each Event Log Monitor to get information for the users on that domain.
When you run the installer to install only the Event Log Monitor, make sure to clear the check box for the SSO Agent component.
To install an additional WatchGuard Authentication Gateway component on a computer where you have already installed one component, run the installer again and select the check boxes for both the new component you want to install and for the previously installed component. If you do not select the check box for the previously installed component, that component will be uninstalled.
For example, if you have already installed the SSO Agent and you want to add the Event Log Monitor, run the installer again and make sure that both SSO Agent and the Event Log Monitor check boxes are selected. If you clear the check box for the SSO Agent, it is uninstalled.
Download the SSO Agent Software
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
The WatchGuard Portal appears with your portal Home page selected.
3. Select the Articles & Software tab.
The Articles & Software page appears.
4. In the Search text box, type the name of the software you want to install or the model of your XTM device.
5. Clear the Article check box and make sure the Software Downloads check box is selected.
6. Click Go.
The Search Results page appears with a list of the available WatchGuard device models.
7. Select your XTM device model.
The Software Downloads page for the device you selected appears.
8. Download the WatchGuard Single Sign-On Agent software and save the file to a convenient location.
Before You Install
The WatchGuard Authentication Gateway service must run as a user who is a member of the Domain
Admins group. We recommend that you create a new user account for this purpose and then add the
new user to the Domain Admins group. For the service to operate correctly, make sure you configure
this Domain Admin user account with a password that never expires.
Before you start the SSO Agent installer, make sure that the .NET Framework v2.0-4.5 or later is installed on the server where you intend to install the WatchGuard Authentication Gateway. If the correct version of the .NET Framework is not installed, the SSO Agent cannot run correctly.
Install the SSO Agent and the Event Log Monitor
If you have more than one domain, make sure to install the SSO Agent on only one server in your network and the Event Log Monitor on one server in each of your domains.
1. Double-click WG-Authentication-Gateway.exe to start the Authentication Gateway Setup Wizard.
To run the installer on some operating systems, you might need to type a local administrator password, or right-click and select Run as administrator.
2. To install the software, follow the instructions on each page and complete the wizard.
3. On the Select Components page, make sure to select the check box for each component to install:
• Single Sign-On Agent
• Event Log Monitor
4. On the Domain User Login page, make sure to type the user name in the form: domain\user name. Do not include the .com or .net part of the domain name.
For example, if your domain name is example.com and you use the domain account ssoagent, type example\ssoagent.
You can also use the UPN form of the user name: username@example.com. If you use the UPN form of the user name, you must include the .com or .net part of the domain name.
5. Click Finish to close the wizard.
When the wizard completes, the WatchGuard Authentication Gateway service starts automatically. Each time the computer starts, the service starts automatically.
After you complete the Authentication Gateway installation, you must configure the domain settings for the SSO Agent and Event Log Monitor. For more information, see Configure the SSO Agent on page 486.
Configure the SSO Agent
If you use multiple Active Directory domains, you must specify the domains to use for SSO (Single Sign-On). After you have installed the SSO Agent, you can specify the domains to use for authentication and synchronize the domain configuration with the SSO Agent. You can also specify options to use SSO without the SSO Client. This is known as clientless SSO. You configure settings for clientless SSO when you configure the SSO Agent. To configure the SSO Agent settings, you must have administrator privileges on the computer where the SSO Agent is installed.
When you first launch the SSO Agent, it generates the Users.xml and AdInfos.xml configuration files. These configuration files are encrypted and store the domain configuration details you specify when you configure the SSO Agent.
The SSO Agent has two default accounts, administrator and status, that you can use to log in to the SSO Agent. To make changes to the SSO Agent configuration, you must log in with the administrator credentials. After you log in for the first time, we recommend you change the passwords for the default accounts.
The default credentials (username/password) for these accounts are:
• Administrator: admin/readwrite
• Status: status/readonly
For more information about Active Directory, see Configure Active Directory Authentication.
Log In to the SSO Agent Configuration Tool
1. Select Start > WatchGuard > WatchGuard SSO Agent Configuration Tool.
The SSO Agent Configuration Tool login dialog box appears.
2. In the User Name text box, type the administrator user name: admin.
3. In the Password text box, type the administrator password: readwrite.
The SSO Agent Configuration Tools dialog box appears.
4. Configure your SSO Agent as described in the subsequent sections.
Changes to the configuration are automatically saved.
Manage User Accounts and Passwords
After you log in for the first time, you can change the password for the default accounts. Because you must log in with the administrator credentials to change the SSO Agent settings, make sure you remember the password specified for the administrator account. You can also add new user accounts and change the settings for existing user accounts. You can also use both the admin and status accounts to open a telnet session to configure the SSO Agent.
For more information about how to use telnet with the SSO Agent, see Use Telnet to Debug the SSO Agent.
Change a User Account Password
For the admin and status accounts, you can only change the password for the account; you cannot
change the user name.
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > User Management.
The User Management Form dialog box appears.
2. Select the account to change.
For example, select admin.
3. Click Change Password.
The Change Password dialog box appears.
4. In the Password and Confirm Password text boxes, type the new password for this user
account.
5. Click OK.
Add a New User Account
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > User Management.
The User Management Form appears.
2. Click Add User.
The Add User dialog box appears.
3. In the User Name text box, type the name for this user account.
4. In the Password and Confirm Password text boxes, type the password for this user account.
5. Select an access option for this account:
• Read-Only
• Read-Write
6. Click OK.
Edit a User Account
When you edit a user account, you can change only the access option. You cannot change the user
name or password for the account. To change the user name, you must add a new user account and
delete the old user account.
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > User Management.
The User Management Form appears.
2. Select the account to change.
3. Click Edit User.
The Edit User dialog box appears.
4. Select a new access option for this account:
• Read-Only
• Read-Write
5. Click OK.
Delete a User Account
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > User Management.
The User Management Form appears.
2. Select the account to delete.
3. Click Delete User.
The Delete User dialog box appears.
4. Verify the User Name is for the account you want to delete.
5. Click OK.
Configure Domains for the SSO Agent
To configure your SSO Agent, you can add, edit, and delete information about your Active Directory domains. When you add or edit a domain, you must specify a user account to use to search your Active Directory server. We recommend that you create a specific user account on your server with permissions to search the directory and with a password that never expires.
Add a Domain
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > Add Domain.
The Add Domain dialog box appears.
2. In the Domain Name text box, type the name of the domain.
For example, type my-example.com.
The domain name of your Active Directory server is case-sensitive. Make sure you type the domain name exactly as it appears on the Active Directory tab in the Authentication Server settings on your XTM device. For more information, see Configure Active Directory Authentication.
3. In the NetBIOS Domain Name text box, type the NetBIOS domain name for your domain.
To find the NetBIOS domain name:
1. On the Active Directory server for the domain, select Start > Administrative Tools > Active Directory Domain and Trusts.
2. In the list of domains, right-click your domain and select Properties.
3. Find the Domain name (pre-Windows 2000) value. This is the NetBIOS domain name for your domain.
4. In the IP Address of Domain Controller text box, type the IP address of the Active Directory server for this domain.
To specify more than one IP address for the domain controller, separate the IP addresses with a semicolon, without spaces.
5. In the Port text box, type the port to use to connect to this server.
The default setting is 389.
6. In the Searching User section, select an option:
• Distinguished Name (DN) (cn=ssouser,cn=users,dc=domain,dc=com)
• User Principal Name (UPN) (ssouser@domain.com)
• Pre-Windows 2000 (netbiosDomain\ssouser)
7. In the text box, type the user information for the option you selected.
Make sure to specify a user who has permissions to search the directory on your Active Directory server.
8. In the Password of Searching User and Confirm password text boxes, type the password for the user you specified.
This password must match the password for this user account on your Active Directory server.
9. To add another domain, click OK & Add Next. Repeat Steps 2–8.
10. Click OK.
The domain name appears in the SSO Agent Configuration Tools list.
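The searching user entered in Steps 6 to 8 is the account the SSO Agent uses for every directory lookup, so it is worth confirming that it can bind on the port from Step 5 and that it actually has search permission before you save the domain. The script below is an added example, not WatchGuard's code; the domain controller address, base DN, NetBIOS name MYEXAMPLE, and the account names are constructed, and it uses the .NET System.DirectoryServices classes rather than anything in the SSO Agent itself.

```powershell
# Added example (not WatchGuard's code): confirms that the 'Searching User' you
# are about to enter in the Add Domain dialog can bind to the domain controller
# on the LDAP port and search the directory. All values below are constructed.
$domainController = '10.0.0.10'             # assumption: IP Address of Domain Controller (Step 4)
$ldapPort         = 389                     # default Port value from Step 5
$baseDn           = 'dc=my-example,dc=com'  # assumption: matches the domain my-example.com
$password         = Read-Host -AsSecureString 'Password of Searching User'

# The three name formats the Searching User section accepts; test the one you will enter.
$searchingUsers = @(
    'cn=ssouser,cn=users,dc=my-example,dc=com'  # Distinguished Name (DN)
    'ssouser@my-example.com'                    # User Principal Name (UPN)
    'MYEXAMPLE\ssouser'                         # Pre-Windows 2000; NetBIOS name is constructed
)

function Test-SsoSearchingUser {
    param([string]$User, [securestring]$Pass)
    # NetworkCredential converts the SecureString only for the lifetime of this call.
    $plain = (New-Object System.Net.NetworkCredential('', $Pass)).Password
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://${domainController}:${ldapPort}/${baseDn}", $User, $plain)
        # Touching NativeObject forces the bind; a wrong password or blocked port throws here.
        $null = $entry.NativeObject
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
        $searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
        $searcher.PageSize = 100
        $null = $searcher.PropertiesToLoad.Add('sAMAccountName')
        $count = $searcher.FindAll().Count
        # A successful bind that sees 0 users means the account lacks read/search rights.
        [pscustomobject]@{ User = $User; Bind = 'OK'; UsersVisible = $count }
    } catch {
        [pscustomobject]@{ User = $User; Bind = "FAILED: $($_.Exception.Message)"; UsersVisible = 0 }
    }
}

$searchingUsers | ForEach-Object { Test-SsoSearchingUser -User $_ -Pass $password } |
    Format-Table -AutoSize
```

A bind failure on port 389 from the SSO Agent server usually means a host firewall or a domain controller that only accepts LDAPS; the Port value in Step 5 must then match what the controller actually listens on. Prefer a dedicated low-privilege searching user over the Domain Admins service account, since the dialog stores this password in the SSO Agent configuration.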
Edit a Domain
When you edit an SSO domain, you can change all the settings except the domain name. If you want to change the domain name, you must delete the domain and add a new domain with the correct name.
From the SSO Agent Configuration Tools dialog box:
1. Select the domain to change.
2. Select Edit > Edit Domain.
The Edit Domain dialog box appears.
3. Update the settings for the domain.
4. Click OK.
Delete a Domain
From the SSO Agent Configuration Tools dialog box:
1. Select the domain to delete.
2. Select Edit > Delete Domain.
A confirmation message appears.
3. Click Yes.
Configure Clientless SSO
If the SSO Client is not installed or is not available, you can configure the SSO Agent to use clientless SSO to get user login information from the Event Log Monitors or Exchange Monitors. The Event Log Monitors are also installed on one domain member server in each domain. The Exchange Monitor is installed on the same computer where your Microsoft Exchange Server is installed.
If you use the Event Log Monitor, when a user tries to authenticate, the SSO Agent sends the IP address of the client computer to the Event Log Monitor. The Event Log Monitor then uses this information to query the client computer over TCP port 445 and retrieve the user credentials from the Windows security event log file on the client computer. The Event Log Monitor gets the user credentials from the client computer and contacts the domain controller to get the user group information for the user. The Event Log Monitor then provides this information to the SSO Agent.
If you do not install the SSO Client on your users' computers, make sure the Event Log Monitor is the first entry in the SSO Agent Contacts list. If you specify the SSO Client as the primary contact, but the SSO Client is not available, the SSO Agent queries the Event Log Monitor next, but this can cause a delay.
For users with devices that run Mac OS X 10.6 and higher, iOS, or Android platforms, you can use the Exchange Monitor to get login information for those users. Because the Exchange Monitor is installed on the same computer where your Microsoft Exchange Server is installed, the Exchange Monitor tracks the domain account logon/logoff actions for each user and notifies the SSO Agent in real time of these events.
After you install the SSO Agent, you must add the domain information of the domains where the Event Log Monitors and Exchange Monitors are installed to the SSO Agent configuration in the Contact Domains list. If you have only one domain and the SSO Agent is installed on the domain controller, or if you have more than one domain and the Event Log Monitor and Exchange Monitor are on the same domain as the SSO Agent, you do not have to specify the domain information for the domain controller in the SSO Agent configuration Contact Domains list. If you have more than one Event Log Monitor or Exchange Monitor in the Contact Domains list, the SSO Agent queries the first entry in the list for the user credentials and group information. If the first Event Log Monitor or Exchange Monitor is not available, the SSO Agent contacts the next monitor in the list. This process continues until the SSO Agent finds an available monitor.
For more information about how to install the Event Log Monitor and Exchange Monitor, see Install the WatchGuard Single Sign-On (SSO) Agent on page 484.
Before you configure and enable the settings for clientless SSO, you must make sure the client computers on your domain have TCP port 445 open, or have File and printer sharing enabled, and have the correct group policy configured to enable the Event Log Monitor to get information about user login events. If this port is not open and the correct policy is not configured, the Event Log Monitor cannot get group information and SSO does not work properly.
On your domain controller computer:
1. Open the Group Policy Object Editor and edit the Default Domain Policy.
2. Make sure the Audit Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy) has the Audit account logon events and Audit logon events policies enabled.
3. At the command line, run the command gpupdate /force /boot.
When the command runs, this message string appears:
Updating Policy User Policy update has completed successfully. Computer Policy update has completed successfully.
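After the policy refresh, you can confirm on a client computer that both audit policies took effect and that the security log now holds the logon and logoff events the Event Log Monitor reads. This is an added example and not WatchGuard's code; it assumes it is run in an elevated PowerShell session on a domain-joined client, and it maps the legacy Audit logon events and Audit account logon events policies to the Logon and Credential Validation subcategories that auditpol reports.

```powershell
# Added example (not WatchGuard's code): run in an elevated session on a client
# computer after gpupdate to verify the audit policy that clientless SSO depends on.

# auditpol /r emits CSV; 'Inclusion Setting' shows Success / Failure / Success and Failure / No Auditing.
# 'Audit logon events' lives under Logon/Logoff, 'Audit account logon events' under Account Logon.
$policy  = (auditpol /get /category:"Logon/Logoff","Account Logon" /r) | ConvertFrom-Csv
$logon   = $policy | Where-Object Subcategory -eq 'Logon'
$credval = $policy | Where-Object Subcategory -eq 'Credential Validation'

foreach ($row in @($logon, $credval)) {
    $ok = $row.'Inclusion Setting' -match 'Success'
    '{0,-22} {1}' -f $row.Subcategory,
        $(if ($ok) { 'OK: success auditing on' } else { 'WARN: success auditing off; ELM will see no logons' })
}

# 4624 = successful logon, 4634 = logoff. These are the events the Event Log Monitor polls for.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $since } `
    -ErrorAction SilentlyContinue
"Logon/logoff events in the last hour: $(@($events).Count)"

# List which accounts logged on and how (LogonType 2 = interactive, 5 = service, 4 = batch).
# Several distinct accounts with service or batch logons on one host is the multi-user-per-IP
# situation the guide warns about for SSO without the SSO Client or a monitor.
$events | Where-Object Id -eq 4624 | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{ Account = "$($d.TargetDomainName)\$($d.TargetUserName)"; LogonType = $d.LogonType }
} | Group-Object Account, LogonType | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

If the audit rows report OK but the event count stays at zero after a fresh interactive logon, the Default Domain Policy has not reached this client yet; run gpupdate /force on the client and check again before you troubleshoot the Event Log Monitor itself.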
You can add, edit, and delete domain information for clientless SSO. For each domain name that you add, you can specify more than one IP address for the domain controller. If the Event Log Monitor cannot contact the domain controller at the first IP address, it tries to contact the domain controller at the next IP address in the list.
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > Clientless SSO.
The Clientless SSO Settings dialog box appears.
2. In the SSO Agent Contacts list, select the check box for each contact for the SSO Agent:
• SSO Client
• Event Log Monitor
• Exchange Monitor
Authentication
492 Fireware XTMWeb UI
Authentication
User Guide 493
3. To change the order of the SSO Agent Contacts, select a contact and click Up or Down.
You cannot change the position of the Exchange Monitor.
4. Add, edit, or delete a contact domain, as described in the subsequent sections.
5. Click OKto save your settings.
Add a Contact Domain
You can specify one or more domains for the Event Log Monitor or the Exchange Monitor to contact for
user login information.
When you add a domain for the Exchange Monitor, you must specify the IP addresses and the session
check interval for the Microsoft Exchange server. The session check interval specifies the amount of
time before the Exchange Monitor logs off a user that does not appear in the IIS log messages on your
Exchange server as active. The default setting is 40 minutes. You must specify an interval of at least 5
minutes.
Add a Contact Domain for the Event Log Monitor
From the Clientless SSO Settings dialog box:
1. Click Add.
The Domain Settings dialog box appears.
2. For the Type option, select Event Log Monitor.
3. In the Domain Name text box, type the name of the domain that you want the Event Log
Monitor to contact for user credentials.
You must type the name in the format domain.com.
4. In the IP Addresses of Domain Controller text box, type the IP addresses for the
domain.
To specify more than one IP address for the domain controller, separate the IP addresses
with a semicolon, without spaces.
5. Click OK.
The domain information you specified appears in the Contact Domains list.
Add a Contact Domain for the Exchange Monitor
From the Clientless SSO Settings dialog box:
1. Click Add.
The Domain Settings dialog box appears.
2. For the Type option, select Exchange Monitor.
3. In the Domain Name text box, type the name of the domain that you want the Exchange
Monitor to contact for user credentials.
You must type the name in the format domain.com.
4. In the IP Addresses of Microsoft Exchange Server text box, type the IP addresses for
the domain.
To specify more than one IP address for the Exchange server, separate the IP addresses
with a semicolon, without spaces.
5. To change the Session Check Interval setting from the default setting of 40 minutes, type
or select a new interval.
6. Click OK.
The domain information you specified appears in the Contact Domains list.
Edit a Contact Domain
From the Clientless SSO Settings dialog box:
1. From the Contact Domains list, select the domain to change.
2. Click Edit.
The Event Log Monitor Settings dialog box appears.
3. Update the settings for the domain.
4. Click OK.
Delete a Domain
From the Clientless SSO Settings dialog box:
1. From the Contact Domains list, select the domain to delete.
2. Click Delete.
The domain is removed from the list.
Test the SSO Port Connection
To verify that the SSO Agent can contact the Event Log Monitor and the Exchange Monitor, you can
use the SSO Port Tester tool. With the SSO Port Tester tool, you can verify whether the SSO Agent
can contact a server at a single IP address, or servers at multiple IP addresses or a range of IP
addresses. To verify the connection for a single IP address or multiple IP addresses, rather than a
range of addresses, you import a plain text file that includes the IP addresses to test. You can also
specify the ports to test and the connection timeout interval.
From the Clientless SSO Settings dialog box:
1. Click Test SSO Port.
The SSO Port Tester dialog box appears.
2. In the Specify IP Addresses section, select an option:
n IP Address Range
n Import IP Addresses
3. If you selected IP Address Range, in the IP Address Range text boxes, type the range of IP
addresses to test.
If you selected Import IP Addresses, browse to and select the plain text file with the list
of IP addresses to test.
4. In the Ports text box, type the port numbers to test.
To test more than one port, type each port number, separated by a comma, without spaces.
5. Click Test.
The results of the port test appear in the SSO Port Tester window.
6. To save the test results in a log file, click Save log and specify the file name and location to
save the log file.
7. To stop the port tester tool process, click Quit.
Use Telnet to Debug the SSO Agent
To debug your SSO Agent, you can use Telnet to connect to the SSO Agent on TCP port 4114 and run
commands to review information in the connection cache. You can also enable advanced debug
options. A list of the commands you can use in Telnet is available in the Telnet Help and in the
subsequent Telnet Commands List section.
We recommend that you only use these commands with direction from a
WatchGuard support representative.
To connect to your SSO Agent with Telnet, you must use a user account that is defined in the SSO
Agent Configuration Tool User Management settings. For more information, see Configure the SSO
Agent.
Before you begin, make sure that the Telnet Client is installed and enabled on your computer.
Open Telnet and Run Commands
To run Telnet commands, you can either open Telnet on the computer where the SSO Agent is
installed, or use Telnet to make a remote connection to the SSO Agent over TCP port 4114. Make sure
that the SSO Agent service is started before you try to connect to it with Telnet.
1. Open a command prompt.
2. At the command prompt, type telnet <IP address of SSO Agent computer> 4114.
3. Press Enter on your keyboard.
The connection message appears.
4. To see a list of commands, type help and press Enter on your keyboard.
The list of common commands appears.
5. To run a command, type a command and press Enter on your keyboard.
Output for the command appears.
For more information about the commands you can use in Telnet, see the Telnet Commands List.
Enable Debug Logging
To send debug log messages to the log file, you must set the debug status to ON.
1. In the Telnet window, type set debug on.
2. Press Enter on your keyboard.
The message "41 OK (verbose = False, logToFile=True)" appears.
When you enable debug logging for the SSO Agent, debug log messages for the SSO Clients
connected to the SSO Agent, and for the Event Log Monitor and Exchange Monitor, are also generated
and sent to separate log files. After the debug log messages have been sent to the log files, you can
view them to troubleshoot any issues.
For the SSO Agent:
1. Go to the debug log file directory: \Program Files\WatchGuard\WatchGuard Authentication Gateway
2. Open the debug log file: wagsrvc.log
For the SSO Client:
1. Go to the debug log file directory: \Program Files\WatchGuard\WatchGuard Authentication Client
2. Open a debug log file: wgssoclient_logfile.log or wgssoclient_errorfile.log
For the Event Log Monitor:
1. Go to the debug log file directory: \Program Files\WatchGuard\WatchGuard Authentication Gateway
2. Open a debug log file: eventlogmonitor.log
For the Exchange Monitor:
1. Go to the debug log file directory: \Program Files\WatchGuard\WatchGuard Authentication Gateway
2. Open a debug log file: exchangemonitor.log
Make sure to disable debug logging when you are finished.
1. In the Telnet window, type set debug off.
2. Press Enter on your keyboard.
Telnet Commands List
This list includes commands that you can run to help you debug the SSO Agent. For each command, the
Telnet Message is the help text the SSO Agent shows for that command, followed by a description.

Command: help
Telnet Message: Show help
Description: Shows the list of all Telnet commands.

Command: login <user> <password>
Telnet Message: Login user. Quote if space in credentials.
Description: Type the user credentials to use to log in to the SSO Agent with Telnet.

Command: logout
Telnet Message: Log out.
Description: Log out of the SSO Agent.

Command: get user <IP>
Telnet Message: Show all users logged in to <IP address> address. Ex: get user 192.168.203.107
Description: Shows a list of all users logged in to the selected IP address.

Command: get timeout
Telnet Message: Show the current timeout.

Command: get status
Telnet Message: Show status about the connections.
Description: Shows connection information used to analyze the overall load in your SSO environment.

Command: get status detail
Telnet Message: Show connected SSO clients, pending, and processing IPs.
Description: Shows detailed connection information used to analyze the overall load in your SSO
environment.

Command: get domain
Telnet Message: Show the current domain filter.
Description: Gets information about the current domain filters from which the SSO Agent accepts
authentication attempts.

Command: get version <IP>
Telnet Message: Show the SSO component name, version, and build information for the IP address.
Description: Gets information about the SSO components (SSO Agent, SSO Client, Event Log Monitor)
that are installed at the specified IP address. The information returned includes the version and build
numbers for each installed SSO component.

Command: get version all
Telnet Message: Show the SSO component name, version, and build information for all the monitored IP
addresses.
Description: Gets information about the SSO components (SSO Client, Event Log Monitor) that are
monitored by the SSO Agent. The information returned includes the version and build numbers for each
installed SSO component.

Command: log off <ip>
Telnet Message: Kill the IP session on Firebox and clear SSOEM internal cache
Description: Ends the session of the specified IP address and removes the active session details for
that IP address from the SSO Exchange Monitor internal cache.

Command: set domainfilter on
Telnet Message: Turn on domain filter.
Description: Permanently sets the domain filter to ON.

Command: set domainfilter off
Telnet Message: Turn off domain filter.
Description: Permanently sets the domain filter to OFF.

Command: set user
Telnet Message: Set artificial user information (for debugging).
Description: Changes the user information in the debug log files to a user name you select. This
enables you to clearly track user information when you review debug log messages.

Command: set debug on
Telnet Message: Save debug messages to a file in the same location as the .exe.
Description: Sets debug logging on the SSO Agent to ON. This setting sends debug log messages to
the log file, which provides detailed information for troubleshooting.
Log file location:
SSO Agent: \Program Files\WatchGuard\WatchGuard Authentication Gateway\wagsrvc.log
SSO Client: \Program Files\WatchGuard\WatchGuard Authentication Client\wgssoclient_logfile.log and
wgssoclient_errorfile.log

Command: set debug verbose
Telnet Message: Enable additional log messages.
Description: Includes additional log messages in the debug log files.

Command: set debug off
Description: Sets debug logging on the SSO Agent to OFF.

Command: flush <ip>
Telnet Message: Clear cache of <ip> address.
Description: Deletes all authentication information about the specified IP address from the SSO Agent
cache.

Command: flush all
Telnet Message: Clear cache of all <ip> addresses.
Description: Deletes all authentication information currently available on the SSO Agent.

Command: list
Telnet Message: Return list of all IP in cache with expiration.
Description: Shows a list of all authentication information currently available on the SSO Agent.

Command: list config
Telnet Message: Return list of all monitoring domain configurations.
Description: Shows a list of all domains the SSO Agent is connected to.

Command: list user
Telnet Message: Return list of all registered users.
Description: Shows a list of all user accounts included in the SSO Agent configuration.

Command: list eventlogmonitors
Telnet Message: Return list of all registered Event Log Monitors.
Description: Shows a list of all instances of the Event Log Monitor and the version of each instance.

Command: get log <IP>
Telnet Message: Get SSO Client logs and dmp files (if have) in zip format.
Description: Download the SSO Client log files and DMP files in a ZIP file from the specified IP
address.

Command: get log <xxx.txt>
Telnet Message: Same as "get log <IP>', but support multiple ip, full path of txt required and one ip
each line in the txt file. eg: get log C:\my test\ips.txt.
Description: Download the SSO Client log files and DMP files in a ZIP file from each IP address
specified in the TXT file. In the TXT file, each SSO Client IP address must be on a separate line and
the full path to the log and dmp files for each SSO Client must be specified.

Command: quit
Telnet Message: Terminate the connection.
Description: Closes the Telnet connection to the SSO Agent.
Install the WatchGuard Single Sign-On (SSO) Client
As a part of the WatchGuard Single Sign-On (SSO) solution, you can install the WatchGuard
SSO Client. The SSO Client installs as a service that runs under the Local System account on a
workstation to verify the credentials of the user currently logged in to that computer. When a user tries
to authenticate, the SSO Agent sends a request to the SSO Client for the user's credentials. The SSO
Client then returns the credentials of the user who is logged in to the workstation.
The SSO Client listens on TCP port 4116. When you install the SSO Client, port 4116 is automatically
opened on the workstation firewall.
If you configure multiple Active Directory domains, your users must install the SSO Client. For more
information, see Configure Active Directory Authentication on page 551.
For your users with a Windows operating system, because the SSO Client installer is an MSI file, you
can choose to force users to automatically install it on their computers when they log on to your
domain. You can use an Active Directory Group Policy to automatically install software when users log
on to your domain. For more information about software installation deployment for Active Directory
group policy objects, see the documentation for your operating system.
For your users with Mac OS X, before they can successfully use the SSO Client, they must make sure
their computers have joined the Active Directory server. For more information, see the documentation
for your Active Directory server.
Download the SSO Client Software
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
3. Select the Articles & Software tab.
4. Find the Software Downloads for your XTM device.
5. Download the WatchGuard Single Sign-On Client software installer file:
n For Windows computers – WG-Authentication-Client.msi
n For Mac OS X computers – WG-SSOCLIENT-MAC.dmg
6. Save the file to a convenient location.
Install the SSO Client
To install the SSO Client:
1. Double-click the SSO Client installer file you downloaded.
On some operating systems, you might need to type a local administrator password to run the
installer.
The Authentication Client Setup Wizard starts.
2. To install the software, follow the instructions on each page and complete the wizard.
3. To see which drives are available to install the client, and how much space is available on each
of these drives, click Disk Cost.
4. Click Close to exit the wizard.
When the SSO Client is installed on a Windows computer, after the wizard completes, the
WatchGuard Authentication Client service starts automatically. Each time the computer starts, the
service starts automatically.
The SSO Client for a Mac OS X computer has two components: ssodaemon.app and ssoclient.app.
After the wizard completes, ssodaemon.app and ssoclient.app start automatically. Each time the Mac
OS X computer starts, ssodaemon.app starts automatically. Then, when a user logs in to the computer
with credentials stored in your Active Directory server, ssoclient.app starts and the user can
authenticate with SSO.
Install the WatchGuard SSO Exchange Monitor
The WatchGuard SSO Exchange Monitor is an optional component of the WatchGuard SSO solution
that you can install for users who do not have the SSO Client and who use computers with Mac OS X
or mobile devices that run iOS, Android, or Windows mobile. The SSO Exchange Monitor enables the
SSO Agent to get user logon and logoff information for those users.
To use the Exchange Monitor, you must install it on the same server where your Microsoft Exchange
server is installed. The Exchange Monitor can then review the IIS service logs on your Exchange
server to get logon and logoff information for your users. When the SSO Agent contacts the Exchange
Monitor to find out if a user who wants to authenticate has a current session, the Exchange Monitor
sends the logon and logoff information for the user to the SSO Agent. The SSO Agent can then allow or
deny the user a connection to the XTM device.
System Requirements
On the computer where you install the Exchange Monitor:
n Microsoft Exchange 2003, 2007, or 2010 must be installed and configured
n Microsoft .NET Framework (v2.0–4.5 or higher) must be installed
n TCP port 4136 must be open
n Microsoft Exchange IIS logging must be enabled
Download the SSO Exchange Monitor Software
There are two installer file options for the SSO Exchange Monitor. Make sure to select the correct
installer file for your server environment:
n 64-bit servers – SSOExchangeMonitor_x64.exe
n 32-bit servers – SSOExchangeMonitor_x86.exe
To download an installer file:
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
The WatchGuard Portal appears with your portal Home page selected.
3. Select the Articles & Software tab.
The Articles & Software page appears.
4. In the Search text box, type the name of the software you want to install or the model of your
XTM device.
5. Clear the Article check box and make sure the Software Downloads check box is selected.
6. Click Go.
The Search Results page appears with a list of the available WatchGuard device models.
7. Select your XTM device model.
The Software Downloads page for the device you selected appears.
8. Download the correct WatchGuard Exchange Monitor installer file and save the file to a
convenient location.
Install the SSO Exchange Monitor
On the server where your Microsoft Exchange server is installed:
1. Double-click SSOExchangeMonitor_x64.exe or SSOExchangeMonitor_x86.exe to start the
installer.
To run the installer on some operating systems, you might need to type a local administrator
password, or right-click and select Run as administrator.
2. To install the software, follow the instructions on each page of the installation wizard and
complete the wizard.
3. On the Domain User Credentials page, type the domain user credentials to use for the
Exchange Monitor.
In the Domain User Name text box, make sure to type the user name in the format:
domain\username. Do not include .com or .net with the domain name.
For example, if your domain is example.com and you use the domain account ssoagent, type
example\ssoagent.
You can also use the UPN form of the user name: username@example.com. If you use the UPN
form of the user name, you must include .com or .net with the domain name.
4. Click Finish to close the wizard.
When the wizard completes, the WatchGuard Authentication Gateway service starts automatically.
Each time the computer starts, the service starts automatically.
After you complete the Authentication Gateway installation, you must configure the domain settings for
the SSO Agent and Exchange Monitor. For more information, see Configure the SSO Agent on page
486.
Enable Single Sign-On (SSO)
Before you can configure SSO, you must:
n Configure your Active Directory server
n Install the WatchGuard Single Sign-On (SSO) Agent
n Install the WatchGuard Single Sign-On (SSO) Client (Optional)
n Install the WatchGuard SSO Exchange Monitor (Optional)
If your device runs Fireware XTM v11.0–v11.3.x, the Authentication Settings for
Terminal Services are not available.
Enable and Configure SSO
To enable and configure SSO from Fireware XTM Web UI:
1. Select Authentication > Single Sign-On.
The Single Sign-On page appears.
2. Select the Enable Single Sign-On (SSO) with Active Directory check box.
3. In the SSO Agent IP address text box, type the IP address of your SSO Agent.
4. In the Cache data for text box, type or select the amount of time the SSO Agent caches data.
5. In the SSO Exceptions list, add or remove the IP addresses or ranges to exclude from SSO
queries.
For more information about SSO exceptions, see the Define SSO Exceptions on page 504
section.
6. Click Save to save your changes.
Define SSO Exceptions
If your network includes devices with IP addresses that do not require authentication, such as network
servers, print servers, or computers that are not part of the domain, or if you have users on your internal
network who must manually authenticate to the Authentication Portal, we recommend that you add
their IP addresses to the SSO Exceptions list. Each time a connection attempt occurs from an IP
address that is not in the SSO Exceptions list, the XTM device contacts the SSO Agent to try to
associate the IP address with a user name. This takes about 10 seconds. You can use the SSO
Exceptions list to prevent this delay for each connection, to reduce unnecessary network traffic, and
enable users to authenticate and connect to your network without delay.
When you add an entry to the SSO Exceptions list, you can choose to add a host IP address, network
IP address, subnet, or a host range.
To add an entry to the SSO Exceptions list:
1. Click Add.
The Add IP Addresses dialog box appears.
2. From the Choose Type drop-down list, select the type of entry to add to the SSO Exceptions
list:
n Host IP
n Network IP
n Host Range
The text boxes that appear change based on the type you select.
3. Type the IP address for the type you selected.
If you selected the type Host Range, in the From and To text boxes, type the start and end
IP addresses for the range.
4. (Optional) In the Description text box, type a description to include with this exception in the
SSO Exceptions list.
5. Click OK.
The IP address or range appears in the SSO Exceptions list.
6. Click Save.
To remove an entry from the SSO Exceptions list:
1. From the SSO Exceptions list, select an entry.
2. Click Remove.
The selected entry is removed from the SSO Exceptions list.
3. Click Save.
About SSO Log Files
When you use Telnet to enable debug logging for the main components of your WatchGuard Single
Sign-On (SSO) solution (the SSO Agent, Event Log Monitor, and Exchange Monitor), the SSO
components all generate log messages about the activity and events that occur at each component.
These log messages are saved in a log file in the installation folder where each component is installed.
To troubleshoot any problems with one of your SSO components, you can open the log files and review
the events that occurred on that component.
For more information about how to enable debug logging for your SSO components, see Use Telnet to
Debug the SSO Agent.
The default installation directory for the SSO components is:
n 64-bit servers – C:\Program Files (x86)\WatchGuard\WatchGuard Authentication Gateway
n 32-bit servers – C:\Program Files\WatchGuard\WatchGuard Authentication Gateway
The names of the log files for each SSO component are:
n SSO Agent – wagsrvc.log
n Event Log Monitor – eventlogmonitor.log
n Exchange Monitor – exchangemonitor.log
Each SSO component maintains one log file that includes the most recent log messages generated by
that component. The size of the log file is limited to 10MB. When a log file reaches the maximum size
of 10MB, it is compressed in GZIP format to approximately 1MB in size, and moved to the appropriate
archive folder for that SSO component. For each component, there can be a maximum of 30
compressed files in the archive folder. When the maximum of 30 files is reached and a new
compressed GZIP file is added to the folder, the oldest GZIP file is deleted to make room for the new
file.
In the installation directory for each component, you can find the GZIP files in these archive folders:
n SSO Agent – \agent_logs
n Event Log Monitor – \elm_logs
n Exchange Monitor – \em_logs
The name of each GZIP file uses this format: <log_file_name>_<createtime>_<lastwritetime>.log.gz:
n SSO Agent – wagsrvc_<createtime>_<lastwritetime>.log.gz
n Event Log Monitor – eventlogmonitor_<createtime>_<lastwritetime>.log.gz
n Exchange Monitor – exchangemonitor_<createtime>_<lastwritetime>.log.gz
When the SSO component log file reaches the maximum size of 10MB, if an error occurs that does not
allow the log file to be compressed, a backup log file is instead created. The log messages in the
original log file are then moved to the backup log file. The log messages in the backup log file are
deleted when they are replaced by the log messages from the main log file, the next time the main log
file reaches 10MB in size.
Backup log files are stored in the same directory where the main log files are stored: the location where
each SSO component is installed. The names of the backup log files for each SSO component are:
n SSO Agent – wagsrvc.log.bak
n Event Log Monitor – eventlogmonitor.log.bak
n Exchange Monitor – exchangemonitor.log.bak
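The rotation policy described above (10MB limit, GZIP archive named <log_file_name>_<createtime>_<lastwritetime>.log.gz, at most 30 archives with the oldest deleted first, and a .bak fallback when compression fails), as an added Python example that is not WatchGuard's code. The timestamp format inside the archive name and the use of st_ctime as the create time are assumptions; the guide does not state them.

```python
"""Rotation policy for the SSO component log files, modelled on the description above."""
import gzip
import shutil
from datetime import datetime
from pathlib import Path
from typing import Callable, List, Optional, Tuple

MAX_LOG_BYTES = 10 * 1024 * 1024   # 10MB limit stated in the guide
MAX_ARCHIVES = 30                  # at most 30 compressed files per archive folder
TIME_FORMAT = "%Y%m%d%H%M%S"       # assumption: the guide does not give the timestamp format

# Component log file -> archive folder, as listed in the guide
ARCHIVE_FOLDERS = {
    "wagsrvc.log": "agent_logs",
    "eventlogmonitor.log": "elm_logs",
    "exchangemonitor.log": "em_logs",
}


def archive_name(log_name: str, create_time: float, last_write_time: float) -> str:
    """Build <log_file_name>_<createtime>_<lastwritetime>.log.gz for a component log."""
    stem = log_name[:-len(".log")] if log_name.endswith(".log") else log_name
    ct = datetime.fromtimestamp(create_time).strftime(TIME_FORMAT)
    lw = datetime.fromtimestamp(last_write_time).strftime(TIME_FORMAT)
    return f"{stem}_{ct}_{lw}.log.gz"


def parse_archive_name(name: str) -> Optional[Tuple[str, str, str]]:
    """Split an archive name into (log file name, createtime, lastwritetime); None if it does not match."""
    if not name.endswith(".log.gz"):
        return None
    parts = name[:-len(".log.gz")].rsplit("_", 2)
    if len(parts) != 3:
        return None
    return parts[0] + ".log", parts[1], parts[2]


def prune_archives(archive_dir: Path, max_archives: int = MAX_ARCHIVES) -> List[str]:
    """Delete the oldest archives (by the createtime in their names) so at most max_archives remain."""
    archives = [(parse_archive_name(p.name), p) for p in archive_dir.glob("*.log.gz")]
    archives = sorted((fields, p) for fields, p in archives if fields is not None)
    deleted = []
    while len(archives) > max_archives:
        _, oldest = archives.pop(0)
        oldest.unlink()
        deleted.append(oldest.name)
    return deleted


def gzip_copy(src: Path, dst: Path) -> None:
    """Compress src into dst in GZIP format."""
    with open(src, "rb") as fin, gzip.open(dst, "wb") as fout:
        shutil.copyfileobj(fin, fout)


def rotate_log(log_path: Path, max_bytes: int = MAX_LOG_BYTES, max_archives: int = MAX_ARCHIVES,
               compress: Callable[[Path, Path], None] = gzip_copy) -> Optional[Path]:
    """Rotate log_path once it has reached max_bytes.

    Returns the new archive path, the .bak path if compression failed, or None when no
    rotation was needed. The compress callable is injectable so the backup fallback can be
    exercised without a real I/O error.
    """
    if not log_path.exists() or log_path.stat().st_size < max_bytes:
        return None
    folder = ARCHIVE_FOLDERS.get(log_path.name)
    if folder is None:
        raise ValueError(f"not an SSO component log file: {log_path.name}")
    archive_dir = log_path.parent / folder
    archive_dir.mkdir(exist_ok=True)
    st = log_path.stat()
    # st_ctime stands in for the create time here; on Linux it is the inode change time
    target = archive_dir / archive_name(log_path.name, st.st_ctime, st.st_mtime)
    try:
        compress(log_path, target)
    except OSError:
        # Compression failed: move the messages to a backup log beside the main log instead.
        # copyfile overwrites an older backup, so the previous .bak contents are replaced.
        if target.exists():
            target.unlink()
        backup = log_path.with_name(log_path.name + ".bak")
        shutil.copyfile(log_path, backup)
        log_path.write_bytes(b"")
        return backup
    log_path.write_bytes(b"")   # main log starts over; the component keeps writing to it
    prune_archives(archive_dir, max_archives)
    return target
```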
Install and Configure the Terminal Services Agent
When you have more than one user who connects to your Terminal Server or Citrix server and then
connects to your network or the Internet, it can be difficult to control the individual traffic flows from
these users based on their user names or group memberships. This is because when one user
authenticates to the XTM device, the XTM device maps that user to the IP address of the Terminal
Server or Citrix server. Then, when another user sends traffic from the Terminal Server or Citrix server
IP address, it appears to the XTM device that this traffic also came from the first user that
authenticated. There is no way for the XTM device to distinguish which of the several users who are
concurrently logged on to your Terminal Server or Citrix server generated any particular traffic.
If your device runs Fireware XTM v11.0–v11.3.x, terminal services support is not
available and the configuration settings do not appear in the Web UI.
To make sure that your users are correctly identified, you must:
1. Install the WatchGuard Terminal Services Agent on your Terminal Server (2003, 2008, or 2012)
or Citrix server.
2. Configure your XTM device to authenticate users to the authentication portal over port 4100.
3. Enable Terminal Services settings in your XTM device configuration file.
After you complete these configuration settings, when each Terminal Server or Citrix server user
authenticates to your XTM device, the XTM device sends the Terminal Services Agent (TO Agent) a
user session ID for each user who logs in. The Terminal Services Agent monitors traffic generated by
individual users and reports the user session ID to the XTM device for each traffic flow generated by a
Terminal Server or Citrix server client. Your XTM device can then correctly identify each user and
apply the correct security policies to the traffic for each user, based on user or group names.
For more information about how to enable your XTM device to authenticate users over port 4100, see
Configure Your XTM Device as an Authentication Server on page 518 and About the WatchGuard
Authentication (WG-Auth) Policy on page 471.
When you use the Terminal Services Agent, your XTM device can enforce policies based on user or
group names only for traffic that is authenticated. If traffic comes to the XTM device without session ID
information, the XTM device manages the traffic in the same way it manages any other traffic for which
it does not have the user name mapped to an IP address. If there is a policy in your configuration file
that can process traffic from that IP address, the XTM device uses that policy to process the traffic. If
there is no policy that matches the source IP address of the traffic, the XTM device uses the unhandled
packet rules to process the traffic.
For more information about how to configure settings for unhandled packets, see About Unhandled
Packets on page 844.
If you use the Terminal Services Agent, your XTM device cannot automatically redirect users to the
authentication portal.
To enable your XTM device to correctly process system-related traffic from the Terminal Server or
Citrix server, the Terminal Services Agent uses a special user account named Backend-Service,
which is part of the Terminal Services Agent. The Terminal Services Agent identifies the traffic
generated by system processes (instead of user traffic) with the Backend-Service user account. You
can add this user to the Authorized Users and Groups list in your XTM device configuration and then
use it in a policy to allow traffic to and from your server. For example, you can add a custom packet
filter policy that is similar to the default Outgoing policy. Configure the policy to use the TCP-UDP
protocol and allow traffic from the Backend-Service user account to Any-External.
For more information about how to add the Backend-Service user account to your XTM device
configuration, see Use Authorized Users and Groups in Policies on page 564. Make sure to select Any
from the Auth Server drop-down list.
For more information about how to add a policy, see Add Policies to Your Configuration on page 598.
Make sure the updates on your Terminal Server or Citrix server are scheduled to run as the system,
local service, or network service user account. The Terminal Services Agent recognizes these user
accounts as the Backend-Service account and allows the traffic. If you schedule updates to run as a
different user account, that user must manually authenticate to the authentication portal for the server to
receive the updates. If that user is not authenticated to the authentication portal, the traffic is not
allowed and the server does not receive the update.
The Terminal Services Agent cannot control ICMP, NetBIOS, or DNS traffic. It also does not control
traffic to port 4100 for Firebox Authentication. To control these types of traffic, you must add specific
policies to your XTM device configuration file to allow the traffic.
Terminal services support is not available if your XTM device is in bridge mode or is a
member of an active/active FireCluster.
About Single Sign-On for Terminal Services
Terminal services also supports Single Sign-On (SSO) with the Terminal Services Agent. When a user
logs in to the domain, the Terminal Services Agent collects the user information (user credentials, user
groups, and domain name) from the Windows user logon event and sends it to the XTM device. The
XTM device then creates the authentication session for the user and sends the user session ID to the
Terminal Services Agent, so the user does not have to manually authenticate to the Authentication
Portal. When the user logs off, the Terminal Services Agent automatically sends the logoff information
to the XTM device, and the XTM device closes the authenticated session for that user.
Terminal Services SSO enables your users to log in once and automatically have access to your
network without additional authentication steps. With SSO for terminal services, users do not have to
manually authenticate to the Authentication Portal. Users who are logged in through terminal services
can, however, still manually authenticate with different user credentials. Manual authentication always
overrides SSO authentication.
Before You Begin
Before you install the Terminal Services Agent on your Terminal Server or Citrix server, make sure
that:
n The server operating system is Windows Server 2003 R2 or later
n Terminal services or remote desktop services is enabled on your server
n Ports 4131–4134 are open
Install the Terminal Services Agent
You can install the Terminal Services Agent on a Terminal Server or Citrix server with either a 32-bit or
a 64-bit operating system. There is one version of the Terminal Services Agent installer for both
operating systems.
To install the Terminal Services Agent on your server:
1. Log in to the WatchGuard web site and select the Articles & Software tab.
2. Find the Software Downloads for your XTM device.
3. Get the latest version of the TO Agent Installer and copy it to the server where you have
installed Terminal Services or a Citrix server.
4. Start the installer.
The TO Agent wizard appears.
5. To start the wizard, click Next.
6. Complete the wizard to install the Terminal Services Agent on your server.
7. Reboot your Terminal Server or Citrix server.
Configure the Terminal Services Agent
After you install the Terminal Services Agent on your Terminal Server or Citrix server, you can use the
TO Settings tool to configure the settings for the Terminal Services Agent.
1. Select Start > All programs > WatchGuard > TO Agent > Set Tool.
The TO Agent Settings dialog box appears, with the Destination Exception List tab selected.
2. To configure settings for the Terminal Services Agent, follow the instructions in the subsequent
sections.
3. Click Close.
Manage the Destination Exception List
Because it is not necessary for the Terminal Services Agent to monitor traffic that is not controlled by
the XTM device, you can specify one or more destination IP addresses, or a range of destination IP
addresses, for traffic that you do not want the Terminal Services Agent to monitor. This is usually
traffic that does not go through your XTM device, such as traffic that does not include a user account
(to which authentication policies do not apply), traffic within your network intranet, or traffic to your
network printers.
You can add, edit, and delete destinations for traffic that you do not want the Terminal Services Agent
to monitor.
To add a destination:
1. Select the Destination Exception List tab.
2. Click Add.
The Add Destination Exception dialog box appears.
3. From the Choose Type drop-down list, select an option:
- Host IP Address
- Network IP Address
- IP Address Range
4. If you select Host IP Address, type the IP Address for the exception.
If you select Network IP Address, type the Network Address and Mask for the exception.
If you select IP Address Range, type the Range start IP address and Range end IP address
for the exception.
5. Click Add.
The information you specified appears in the Destination Exception List.
6. To add more addresses to the Destination Exception List, repeat Steps 4-7.
To edit a destination in the list:
1. From the Destination Exception List, select a destination.
2. Click Edit.
The Destination Exception dialog box appears.
3. Update the details of the destination.
4. Click OK.
To delete a destination from the list:
1. From the Destination Exception List, select a destination.
2. Click Delete.
The selected address is removed from the list.
Specify Programs for the Backend-Service User Account
The Terminal Services Agent identifies traffic generated by system processes with the Backend-Service
user account. By default, this includes traffic from SYSTEM, Network Service, and Local
Service programs. You can also specify other programs with the EXE file extension that you want the
Terminal Services Agent to associate with the Backend-Service account so that they are allowed
through your firewall. For example, clamwin.exe, SoftwareUpdate.exe, Safari.exe, or iexplore.exe.
To specify the programs for the Terminal Services Agent to associate with the Backend-Service user
account:
1. Select the Backend-Service tab.
2. Click Add.
The Open dialog box appears.
3. Browse to select a program with an EXE extension.
The path to the program appears in the Backend-Service list.
4. To remove a program from the Backend-Service list, select the program and click Delete.
The program path is removed from the list.
Set the Diagnostic Log Level and View Log Messages
You can configure the diagnostic log level for the Terminal Services Agent (TO Agent) and the TO Set
Tool applications. The log messages that are generated by each application are saved in a text file. To
see the log messages generated for the TO Agent or the TO Set Tool, you can open the log file for each
application from the Diagnostic Log Level tab.
1. Select the Diagnostic Log Level tab.
2. From the Set the diagnostic log level for drop-down list, select an application:
- TO Agent (This is the Terminal Services Agent.)
- TO Set Tool
3. Move the Settings slider to set the diagnostic log level for the selected application.
4. To see the available log files for the selected application, click View Log.
A text file opens with the available log messages for the selected application.
5. To configure settings and view log messages for the other application, repeat Steps 2-4.
For detailed steps on how to complete the Terminal Services configuration for your XTM device, see
Configure Terminal Services Settings on page 515.
Configure Terminal Services Settings
To enable your users to authenticate to your XTM device over a Terminal Server or Citrix server, you
must configure the authentication settings for terminal services. When you configure these settings,
you set the maximum length of time a session can be active and specify the IP address of your
Terminal Server or Citrix server. You can specify a maximum of 32 Terminal Services Agents in an
XTM device configuration.
If your device runs Fireware XTM v11.0-v11.3.x, terminal services is not available
and the configuration settings do not appear in Policy Manager.
When you configure the Terminal Services settings, if your users authenticate to your XTM device, the
XTM device reports the actual IP address of each user who logs in. This enables your XTM device to
correctly identify each user who logs in to your network, so the correct security policies can be applied
to each user's traffic.
You can use any of your configured authentication server methods (for example, Firebox
authentication, Active Directory, or RADIUS) with terminal services. To use Single Sign-On with
terminal services, you must use an Active Directory server.
To configure Authentication Settings for terminal services:
1. Select Authentication > Terminal Services.
The Terminal Services page appears.
2. Select the Enable Terminal Services Support check box.
The terminal services settings are enabled.
3. In the Session Timeout text box, type the maximum length of time in seconds that the user
can send traffic to the external network.
If you select zero (0) seconds, the session does not expire and the user can stay connected for
any length of time.
4. To add a Terminal Server or Citrix server to the Agent IP list, in the text box, type the
IP address of the server and click Add.
You can add a maximum of 32 Terminal Servers or Citrix servers to the list.
The IP address appears in the Terminal Services Agent IPs list.
5. To remove a server IP address from the Agent IP list, select an IP address in the list and
click Remove.
6. Click Save.
Authentication Server Types
The Fireware XTM OS supports six authentication methods:
- XTM Device Authentication
- RADIUS Server Authentication
- VASCO Server Authentication
- SecurID Authentication
- LDAP Authentication
- Active Directory Authentication
You can configure one or more authentication server types for an XTM device. If you use more than
one type of authentication server, users must select the authentication server type from a drop-down
list when they authenticate.
About Third-Party Authentication Servers
If you use a third-party authentication server, you do not have to keep a separate user database on the
XTM device. You can configure a third-party server, install the authentication server with access to
your XTM device, and put the server behind the device for security. You then configure the device to
forward user authentication requests to that server. If you create a user group on the XTM device that
authenticates to a third-party server, make sure you create a group on the server that has the same
name as the user group on the device.
For detailed information about how to configure an XTM device for use with third-party authentication
servers, see:
- Configure RADIUS Server Authentication
- Configure VASCO Server Authentication
- Configure SecurID Authentication
- Configure LDAP Authentication
- Configure Active Directory Authentication
Use a Backup Authentication Server
You can configure a primary and a backup authentication server with any of the third-party
authentication server types. If the XTM device cannot connect to the primary authentication server
after three attempts, the primary server is marked as inactive and an alarm message is generated. The
device then connects to the backup authentication server.
If the XTM device cannot connect to the backup authentication server, it waits ten minutes, and then
tries to connect to the primary authentication server again. The inactive server is marked as active
after the specified time interval is reached.
For detailed procedures to configure primary and backup authentication servers, see the configuration
topic for your third-party authentication server.
Configure Your XTM Device as an Authentication Server
If you do not use a third-party authentication server, you can use your XTM device as an authentication
server, also known as Firebox authentication. When you configure Firebox authentication, you create
user accounts for each user in your company, and then divide these users into groups for
authentication. When you assign users to groups, make sure to associate them by their tasks and the
information they use. For example, you can have an accounting group, a marketing group, and a
research and development group. You can also have a new employee group with more controlled
access to the Internet.
When you create a group, you set the authentication procedure for the users, the system type, and the
information they can access. A user can be a network or one computer. If your company changes, you
can add or remove users from your groups.
The Firebox authentication server is enabled by default. You do not have to enable it before you add
users and groups.
For detailed instructions to add users and groups, see Define a New User for Firebox Authentication on
page 522 and Define a New Group for Firebox Authentication on page 526.
After you add users and groups, the users you added can connect to the Authentication Portal from a
web browser on a computer or smart phone and authenticate over port 4100 to get access to your
network. For more information about how to use Firebox authentication, see Firewall Authentication.
Types of Firebox Authentication
You can configure your XTM device to authenticate users with four different types of authentication:
- Firewall Authentication
- Mobile VPN with PPTP Connections
- Mobile VPN with IPSec Connections
- Mobile VPN with SSL Connections
- Mobile VPN with L2TP Connections
When authentication is successful, the XTM device links these items:
- User name
- Firebox User group (or groups) of which the user is a member
- IP address of the computer used to authenticate
- Virtual IP address of the computer used to connect with Mobile VPN
Firewall Authentication
To enable your users to authenticate, you create user accounts and groups. When a user connects to
the authentication portal with a web browser on a computer or smart phone and authenticates to the
XTM device, the user credentials and computer IP address are used to find whether a policy applies to
the traffic that the computer sends and receives.
To create a Firebox user account:
1. Define a New User for Firebox Authentication.
2. Define a New Group for Firebox Authentication and put the new user in that group.
3. Create a policy that allows traffic only to or from a list of Firebox user names or groups.
This policy is applied only if a packet comes from or goes to the IP address of the authenticated
user.
After you have added a user to a group and created policies to manage the traffic for the user, the user
can open a web browser on a computer or smart phone to authenticate to the XTM device.
If you have configured the XTM device with an IPv4 or an IPv6 address, you can use either the IPv4 or
the IPv6 address to authenticate to the XTM device over port 4100.
To authenticate with an HTTPS connection to the XTM device over port 4100:
1. Open a web browser and go to https://<IP address of an XTM device interface>:4100/.
The login page appears.
2. Type the Username and Password.
3. From the Domain drop-down list, select the domain to use for authentication.
This option only appears if you can choose from more than one domain.
4. Click Login.
If the credentials are valid, the user is authenticated.
Firewall authentication takes precedence over Single Sign-On, and replaces the user credentials and
IP address from your Single Sign-On session with the user credentials and IP address you select for
Firewall authentication. For more information about how to configure Single Sign-On, see About Single
Sign-On (SSO) on page 477.
Mobile VPN with IPSec Connections
When you configure your XTM device to host Mobile VPN with IPSec sessions, you create policies on
your device and then use the Mobile VPN with IPSec client to enable your users to access your
network. After the XTM device is configured, each client computer must be configured with the Mobile
VPN with IPSec client software.
When the user's computer is correctly configured, the user makes the Mobile VPN connection. If the
credentials used for authentication match an entry in the Firebox User database, and if the user is in
the Mobile VPN group you create, the Mobile VPN session is authenticated.
To set up authentication for Mobile VPN with IPSec:
1. Configure a Mobile VPN with IPSec Connection.
2. Install the IPSec Mobile VPN Client Software.
Mobile VPN with PPTP Connections
When you activate Mobile VPN with PPTP on your XTM device, users included in the Mobile VPN with
PPTP group can use the PPTP feature included in their computer operating system to make a PPTP
connection to the device.
Because the XTM device allows the PPTP connection from any Firebox user that gives the correct
credentials, it is important that you make a policy for PPTP sessions that includes only users you want
to allow to send traffic over the PPTP session. You can also add a group or individual user to a policy
that restricts access to resources behind the XTM device. The XTM device creates a pre-configured
group called PPTP-Users for this purpose.
To configure a Mobile VPN with PPTP connection:
1. Select VPN > Mobile VPN with PPTP.
2. Select the Activate Mobile VPN with PPTP check box.
3. Make sure the Use Radius authentication for PPTP users check box is not selected.
If this check box is selected, the RADIUS authentication server authenticates the PPTP
session.
If you clear this check box, the XTM device authenticates the PPTP session.
The XTM device checks to see whether the user name and password the user types in the VPN
connection dialog box match the user credentials in the Firebox User database that is a member
of the PPTP-Users group.
If the credentials supplied by the user match an account in the Firebox User database, the user is
authenticated for a PPTP session.
4. Create a policy that allows traffic only from or to a list of Firebox user names or groups.
The XTM device does not look at this policy unless traffic comes from or goes to the IP address of the
authenticated user.
Mobile VPN with SSL Connections
You can configure the XTM device to host Mobile VPN with SSL sessions. When the XTM device is
configured with a Mobile VPN with SSL connection, users included in the Mobile VPN with SSL group
can install and use the Mobile VPN with SSL client software to make an SSL connection.
Because the XTM device allows the SSL connection from any of your users who give the correct
credentials, it is important that you make a policy for SSL VPN sessions that includes only users you
want to allow to send traffic over SSL VPN. You can also add these users to a Firebox User Group and
make a policy that allows traffic only from this group. The XTM device creates a pre-configured group
called SSLVPN-Users for this purpose.
To configure a Mobile VPN with SSL connection:
1. Select VPN > Mobile VPN with SSL.
The Mobile VPN with SSL page appears.
2. Configure the XTM Device for Mobile VPN with SSL.
Mobile VPN with L2TP Connections
You can configure the XTM device to host Mobile VPN with L2TP sessions. When the XTM device is
configured for Mobile VPN with L2TP, users included in the Mobile VPN with L2TP group can use an
L2TP client to make an L2TP connection.
Because the XTM device allows the L2TP connection from any of your users who give the correct
credentials, it is important that your configuration includes a policy for L2TP VPN sessions that allows
only the users you want to send traffic over the L2TP VPN. You can also add these users to a Firebox
User Group and add a policy that allows traffic only from this group. The XTM device creates a
pre-configured group called L2TP-Users for this purpose.
To configure a Mobile VPN with L2TP connection:
1. Select VPN > Mobile VPN with L2TP.
The Mobile VPN with L2TP page appears.
2. Edit the Mobile VPN with L2TP Configuration.
Define a New User for Firebox Authentication
You can use Fireware XTM Web UI to specify which users can authenticate to your XTM device. You
can also specify whether the user names you define in the Firebox Internal Database are case
sensitive. By default, case-sensitivity for user names is enabled. When case-sensitivity is enabled,
users must type their user names with the same capitalization you used when you defined the users in
the Firebox Users list.
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. From the Server list, select Firebox.
The Firebox page appears.
3. To disable case-sensitivity and enable your users to type their user names with any
capitalization, clear the Enable case-sensitivity for Firebox-DB user names check box.
4. In the Firebox Users section, click Add.
The Firebox User dialog box appears.
5. In the Name text box, type the user name for this user.
6. (Optional) In the Description text box, type a description of the new user.
7. Type and confirm the Passphrase for the user.
When you set this passphrase, the characters are masked and it does not appear in
simple text again. If you lose the passphrase, you must set a new passphrase.
8. In the Session Timeout text box, type or select the maximum length of time the user can send
traffic to the external network.
The minimum value for this setting is one (1) second, minute, hour, or day. The maximum
value is 365 days.
9. In the Idle Timeout text box, type or select the length of time the user can stay authenticated
when idle (not passing any traffic to the external network).
The minimum value for this setting is one (1) second, minute, hour, or day. The maximum
value is 365 days.
10. Select the Enable login limits for each user or group check box.
11. Select an option:
- Allow unlimited concurrent firewall authentication logins from the same account
- Limit concurrent user sessions to.
a. In the text box, type or select the number of allowed concurrent user sessions.
b. From the drop-down list, select an option:
- Reject subsequent login attempts
- Allow subsequent login attempts and logoff the first session.
12. To add this user to an authentication group, in the Firebox Authentication Group list, select
the check box for each group to add this user to.
13. Click OK.
The new user appears in the Firebox Users list.
Define a New Group for Firebox Authentication
You can use Fireware XTM Web UI to specify which user groups can authenticate to your XTM device.
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. Select the Firebox tab.
3. In the Groups section, click Add.
The Setup Firebox Group dialog box appears.
4. Type a name for the group.
5. (Optional) Type a description for the group.
6. Select the Enable login limits for each user or group check box.
7. Select an option:
- Allow unlimited concurrent firewall authentication logins from the same account
- Limit concurrent user sessions to.
a. In the text box, type or select the number of allowed concurrent user sessions.
b. From the drop-down list, select an option:
- Reject subsequent login attempts
- Allow subsequent login attempts and logoff the first session.
8. To add a user to the group, in the Firebox Authentication Users list, select the check box for
that user.
9. After you add all necessary users to the group, click OK.
You can now configure policies and authentication with these users and groups, as described in Use
Authorized Users and Groups in Policies on page 564.
Customize the Authentication Portal Page
After you have configured the settings for Firewall Authentication on your XTM device, and enabled
users to authenticate to your XTM device over port 4100, you can customize the look and feel of the
Authentication Portal page. You can add your own logo, set the title of the page, enable users to create
a user account, specify a Welcome or Disclaimer message, and select the font and the colors for the
page.
You can customize these elements of the Authentication Portal page:
- Page Title: Located at the top of the page
- User account registration URL: Specify a URL to send users to so they can create a user
account.
- Welcome or Disclaimer Message: Located below the page title
You can also require all users to accept the message before they can authenticate.
- Custom Logo: Located at the top left of the page, adjacent to the page title
- Font and Font Size: Select the font and font size for the text that appears on the page.
- Text Color: The color for the text on the Authentication Portal page. The default color is
#000000 (black).
- Page Background Color: The color to use for the background of the Authentication Portal
page. The default color is #FFFFFF (white).
- Panel Background Color: The color to use for the background of the top and bottom panels
on the Authentication Portal page. The default color is #993333 (brick red).
- Form Background Color: The color to use for the background of the text form on the
Authentication Portal page. The default color is #FFFFFF (white).
To customize the look and feel of the Authentication Portal page:
1. Select Authentication > Authentication Portal.
The Authentication Portal page appears.
2. Select the Customize the Authentication Portal page check box.
3. In the Page Title text box, type the page title text to appear at the top of the Authentication
Portal page.
4. To enable users to create a user account before they authenticate:
a. Select the Enable users to create a user account check box.
b. In the User account registration URL text box, type the URL for the web site where
users can create a new user account.
5. To add a message to the Authentication Portal page, select the Specify a Welcome or
Disclaimer message check box.
6. To force users to accept the message before they can authenticate, select the Force users to
accept the message check box.
7. In the Specify a Welcome or Disclaimer message text box, type the text for the message.
8. To replace the default WatchGuard logo with a custom logo:
a. Select the Select a custom logo check box.
The logo file must be a JPG, GIF, or PNG file with a resolution of 200 x 65 pixels or less.
b. Click Upload Logo.
The Upload Logo page appears in a new tab or window.
c. Click Browse and select your custom logo file.
d. Click Upload.
The file is uploaded to your device and the Upload Logo page on the new tab or window
automatically closes.
e. After the file upload is complete, if the Upload Logo page does not automatically close,
click Close Window.
9. To customize the fonts for the Authentication Portal page:
- Font: From the Font drop-down list, select a font. If you do not specify a font, the
Authentication Portal page uses the default browser font for each user.
- Font Size: From the Font Size drop-down list, select the text size. The default text size
is Medium.
10. To change the default colors for any of the subsequent options, click and select another color
from the color palette.
Or, type the HTML color code in the Text Color text box.
- Text Color
- Page Background Color
- Panel Background Color
- Form Background Color
11. Click Preview Splash Screen.
A preview of the splash screen appears in a new browser window with the settings you configured,
except for the logo. Make sure your browser allows pop-up windows.
12. Close the preview browser window.
13. Click Save.
Configure RADIUS Server Authentication
RADIUS (Remote Authentication Dial-In User Service) authenticates the local and remote users on a
company network. RADIUS is a client/server system that keeps the authentication information for
users, remote access servers, VPN gateways, and other resources in one central database.
For more information on RADIUS authentication, see How RADIUS Server Authentication Works on
page 533.
Authentication Key
The authentication messages to and from the RADIUS server use an authentication key, not a
password. This authentication key, or shared secret, must be the same on the RADIUS client and
server. Without this key, there is no communication between the client and server.
RADIUS Authentication Methods
For web and Mobile VPN with IPSec or SSL authentication, RADIUS supports only PAP (Password
Authentication Protocol) authentication.
For authentication with L2TP or PPTP, RADIUS supports only MSCHAPv2 (Microsoft
Challenge-Handshake Authentication Protocol version 2).
For authentication with WPA Enterprise and WPA2 Enterprise authentication methods, RADIUS
supports the EAP (Extensible Authentication Protocol) framework.
Before You Begin
Before you configure your XTM device to use your RADIUS authentication server, you must have this
information:
- Primary RADIUS server: IP address and RADIUS port
- Secondary RADIUS server (optional): IP address and RADIUS port
- Shared secret: Case-sensitive password that is the same on the XTM device and the
RADIUS server
- Authentication methods: Set your RADIUS server to allow the authentication method your
XTM device uses: PAP, MS CHAP v2, WPA Enterprise, WPA2 Enterprise, or WPA/WPA2
Enterprise
Use RADIUS Server Authentication with Your XTM Device
To use RADIUS server authentication with your XTM device, you must:
- Add the IP address of the XTM device to the RADIUS server as described in the documentation
from your RADIUS vendor.
- Enable and specify the RADIUS server in your XTM device configuration.
- Add RADIUS user names or group names to your policies.
To enable and specify the RADIUS server(s) in your configuration, from Fireware XTM Web UI:
1. Select the RADIUS tab.
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. From the Server list, select RADIUS.
The RADIUS server settings appear.
3. Select the Enable RADIUS Server check box.
4. In the IP Address text box, type the IP address of the RADIUS server.
5. In the Port text box, make sure that the port number RADIUS uses for authentication appears.
The default port number is 1812. Older RADIUS servers might use port 1645.
6. In the Passphrase text box, type the shared secret between the XTM device and the RADIUS
server.
The shared secret is case-sensitive, and it must be the same on the XTM device and the
RADIUS server.
7. In the Confirm text box, type the shared secret again.
8. Type or select the Timeout value.
The timeout value is the amount of time the XTM device waits for a response from the
authentication server before it tries to connect again.
9. In the Retries text box, type the number of times the XTM device tries to connect to the
authentication server (the timeout is specified above) before it reports a failed connection for
one authentication attempt.
10. In the Group Attribute text box, type an attribute value. The default group attribute is FilterID,
which is RADIUS attribute 11.
The group attribute value is used to set the attribute that carries the User Group information.
You must configure the RADIUS server to include the Filter ID string with the user
authentication message it sends to the XTM device. For example, engineerGroup or
financeGroup. This information is then used for access control. The XTM device matches the
FilterID string to the group name configured in the XTM device policies.
11. In the Dead Time text box, type the amount of time after which an inactive server is marked as
active again. To change the duration, from the drop-down list, select Minutes or Hours.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts will not try this server until it is marked as active again.
12. To add a backup RADIUS server, in the Secondary Server Settings section, select the
Enable Secondary RADIUS Server check box.
13. Repeat Steps 4-11 to configure the backup server. Make sure the shared secret is the same on
the primary and backup RADIUS server.
For more information, see Use a Backup Authentication Server on page 517.
14. Click Save.
How RADIUS Server Authentication Works
RADIUS is a protocol that was originally designed to authenticate remote users to a dial-in access
server. RADIUS is now used in a wide range of authentication scenarios. RADIUS is a client-server
protocol, with the XTMdevice as the client and the RADIUS server as the server. (The RADIUS client
is sometimes called the Network Access Server or NAS.) When a user tries to authenticate, the XTM
device sends a message to the RADIUS server. If the RADIUS server is properly configured to have
the XTMdevice as a client, RADIUS sends an accept or reject message back to the XTMdevice (the
Network Access Server).
When the XTMdevice uses RADIUS for an authentication attempt:
1. The user tries to authenticate, either through a browser-based HTTPS connection to the XTM device over port 4100, or through a connection using Mobile VPN with PPTP or IPSec. The XTM device reads the user name and password.
2. The XTM device creates a message called an Access-Request message and sends it to the RADIUS server. The XTM device uses the RADIUS shared secret in the message. The password is always encrypted in the Access-Request message.
3. The RADIUS server makes sure that the Access-Request message is from a known client (the XTM device). If the RADIUS server is not configured to accept the XTM device as a client, the server discards the Access-Request message and does not send a message back.
4. If the XTM device is a client known to the RADIUS server and the shared secret is correct, the server looks at the authentication method requested in the Access-Request message.
5. If the Access-Request message uses an allowed authentication method, the RADIUS server gets the user credentials from the message and looks for a match in a user database. If the user name and password match an entry in the database, the RADIUS server can get additional information about the user from the user database (such as remote access approval, group membership, logon hours, and so on).
6. The RADIUS server checks to see whether it has an access policy or a profile in its configuration that matches all the information it has about the user. If such a policy exists, the server sends a response.
7. If any of the previous conditions fail, or if the RADIUS server has no matching policy, it sends an Access-Reject message that shows authentication failure. The RADIUS transaction ends and the user is denied access.
8. If the Access-Request message meets all the previous conditions, RADIUS sends an Access-Accept message to the XTM device.
9. The RADIUS server uses the shared secret for any response it sends. If the shared secret does not match, the XTM device rejects the RADIUS response.
To see diagnostic log messages for authentication, Set the Diagnostic Log Level and change the log level for the Authentication category.
10. The XTM device reads the value of any FilterID attribute in the message. It connects the user name with the FilterID attribute to put the user in a RADIUS group.
11. The RADIUS server can put a large amount of additional information in the Access-Accept message. The XTM device ignores most of this information, such as the protocols the user is allowed to use (such as PPP or SLIP), the ports the user can access, idle timeouts, and other attributes.
12. The XTM device only requires the FilterID attribute (RADIUS attribute number 11). The FilterID is a string of text that you configure the RADIUS server to include in the Access-Accept message. This attribute is necessary for the XTM device to assign the user to a RADIUS group. The XTM device also supports some other RADIUS attributes, such as Session-Timeout (RADIUS attribute number 27) and Idle-Timeout (RADIUS attribute number 28).
For more information on RADIUS groups, see the subsequent section.
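The exchange in steps 2 through 12, as an added Python example that is not WatchGuard code: it hides the User-Password under the shared secret as RFC 2865 specifies, binds the reply to the secret with the Response Authenticator, and on the device side rejects a reply whose authenticator does not match before reading Filter-Id (11), Session-Timeout (27) and Idle-Timeout (28). The user name, password, secrets and Filter-Id values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute numbers the flow above refers to (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_FILTER_ID, ATTR_SESSION_TIMEOUT, ATTR_IDLE_TIMEOUT = 11, 27, 28

def attr(atype, value):
    """Encode one attribute: Type (1 byte), Length (1 byte, includes the header), Value."""
    return bytes([atype, len(value) + 2]) + value

def _password_blocks(data, secret, request_auth, hiding):
    # RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the first block uses the Request Authenticator instead.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, key))
        out += xored
        prev = xored if hiding else block  # the ciphertext block feeds the next key
    return out

def hide_password(password, secret, request_auth):
    """Step 2, client side: hide User-Password (padded to a multiple of 16 bytes)."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_blocks(padded, secret, request_auth, hiding=True)

def reveal_password(hidden, secret, request_auth):
    """Step 5, server side: recover the password and drop the zero padding."""
    return _password_blocks(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")

def build_access_request(ident, username, password, secret, request_auth=None):
    """Step 2: Access-Request carrying User-Name and the hidden User-Password."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username) + attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs

def build_response(code, ident, request_auth, attrs, secret):
    """Steps 8 and 9: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attrs(data):
    """Split the attribute area into (type, value) pairs; reject bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def verify_response(packet, request_auth, secret, expected_ident):
    """Step 9, device side: reject a reply whose authenticator does not match the secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        raise ValueError("length or identifier mismatch")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code, parse_attrs(attrs)

def session_from_accept(code, attrs):
    """Steps 10 to 12: only Filter-Id (11) sets the group; 27 and 28 are read, the rest ignored."""
    if code != ACCESS_ACCEPT:
        return None
    session = {"group": None, "session_timeout": None, "idle_timeout": None}
    for atype, value in attrs:
        if atype == ATTR_FILTER_ID and session["group"] is None:
            session["group"] = value.decode("utf-8", "replace")
        elif atype == ATTR_SESSION_TIMEOUT and len(value) == 4:
            session["session_timeout"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_IDLE_TIMEOUT and len(value) == 4:
            session["idle_timeout"] = struct.unpack("!I", value)[0]
    return session

def simulate(device_secret, server_secret, filter_id=b"Sales"):
    """Whole exchange with constructed values (user mary, password Pa55word, identifier 7)."""
    request_auth = bytes(range(16))  # fixed only so the run is reproducible
    req = build_access_request(7, b"mary", b"Pa55word", device_secret, request_auth)
    req_attrs = dict(parse_attrs(req[20:]))
    # server side: its own copy of the secret recovers the password (constructed user DB)
    if reveal_password(req_attrs[ATTR_USER_PASSWORD], server_secret, req[4:20]) == b"Pa55word":
        code = ACCESS_ACCEPT
        reply_attrs = attr(ATTR_FILTER_ID, filter_id) + attr(ATTR_SESSION_TIMEOUT, struct.pack("!I", 3600))
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    reply = build_response(code, 7, req[4:20], reply_attrs, server_secret)
    # device side: verify with the device's secret, then read the group and timeouts
    return session_from_accept(*verify_response(reply, request_auth, device_secret, 7))
```

A secret mismatch surfaces as a ValueError from verify_response, which is the behaviour step 9 describes: the reply is rejected before any attribute is read.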
About RADIUS Groups
When you configure RADIUS authentication, you can set the Group Attribute number. Fireware XTM reads the Group Attribute number from Fireware XTM Web UI to tell which RADIUS attribute carries RADIUS group information. Fireware XTM recognizes only RADIUS attribute number 11, FilterID, as the Group Attribute. When you configure the RADIUS server, do not change the Group Attribute number from its default value of 11.
Authentication
534 Fireware XTMWeb UI
Authentication
User Guide 535
When the XTM device gets the Access-Accept message from RADIUS, it reads the value of the FilterID attribute and uses this value to associate the user with a RADIUS group. (You must manually configure the FilterID in your RADIUS configuration.) Thus, the value of the FilterID attribute is the name of the RADIUS group where the XTM device puts the user.
The RADIUS groups you use in Fireware XTM Web UI are not the same as the Windows groups defined in your domain controller, or any other groups that exist in your domain user database. A RADIUS group is only a logical group of users the XTM device uses. Make sure you carefully select the FilterID text string. You can make the value of the FilterID match the name of a local group or domain group in your organization, but this is not necessary. We recommend you use a descriptive name that helps you remember how you defined your user groups.
Practical Use of RADIUS Groups
If your organization has many users to authenticate, you can make your XTM device policies easier to manage if you configure RADIUS to send the same FilterID value for many users. The XTM device puts those users into one logical group so you can easily administer user access. When you make a policy in Fireware XTM Web UI that allows only authenticated users to access a network resource, you use the RADIUS Group name instead of adding a list of many individual users.
For example, when Mary authenticates, the FilterID string RADIUS sends is Sales, so the XTM device puts Mary in the Sales RADIUS group for as long as she is authenticated. If users John and Alice subsequently authenticate, and RADIUS puts the same FilterID value Sales in the Access-Accept messages for John and Alice, then Mary, John, and Alice are all in the Sales group. You can make a policy in Fireware XTM Web UI that allows the group Sales to access a resource.
You can configure RADIUS to return a different FilterID, such as IT Support, for the members of your internal support organization. You can then make a different policy to allow IT Support users to access resources.
For example, you might allow the Sales group to access the Internet using a Filtered-HTTP policy. Then you can filter their web access with WebBlocker. A different policy in Policy Manager can allow the IT Support users to access the Internet with the Unfiltered-HTTP policy, so that they access the web without WebBlocker filtering. You use the RADIUS group name (or user names) in the From field of a policy to show which group (or which users) can use the policy.
Timeout and Retry Values
An authentication failure occurs when no response is received from the primary RADIUS server. After three authentication attempts fail, Fireware XTM uses the secondary RADIUS server. This process is called failover.
This number of authentication attempts is not the same as the Retry number. You cannot change the number of authentication attempts before failover occurs.
The XTM device sends an Access-Request message to the first RADIUS server in the list. If there is no response, the XTM device waits the number of seconds set in the Timeout text box, and then it sends another Access-Request. This continues for the number of times indicated in the Retry text box (or until there is a valid response). If there is no valid response from the RADIUS server, or if the RADIUS shared secret does not match, Fireware XTM counts this as one failed authentication attempt.
After three authentication attempts fail, Fireware XTM uses the secondary RADIUS server for the next authentication attempt. If the secondary server also fails to respond after three authentication attempts, Fireware XTM waits for the Dead Time interval (10 minutes by default) to elapse. After the Dead Time interval has elapsed, Fireware XTM tries to use the primary RADIUS server again.
Configure RADIUS Server Authentication with Active Directory
Users and Groups For Mobile VPN Users
When you use Mobile VPN with L2TP or Mobile VPN with PPTP to authenticate users to your network, you can use the user accounts from your Active Directory server database to authenticate users with your RADIUS server and the RADIUS protocol. You must configure the Mobile VPN settings on your XTM device to enable RADIUS authentication, configure your RADIUS server to get user credentials from your Active Directory database, and configure your Active Directory and RADIUS servers to communicate with your XTM device.
Before You Begin
Before you configure your XTM device to use your Active Directory and RADIUS servers to authenticate your Mobile VPN with L2TP or Mobile VPN with PPTP users, make sure that the settings described in this section are configured on your RADIUS and Active Directory servers. Windows 2008 and 2003 Server are the supported RADIUS server platforms.
For complete instructions to configure your RADIUS server or Active Directory server, see the vendor documentation for each server.
Configure NPS for a Windows 2008 Server
n In Windows 2008 Server Manager, make sure NPS is installed with a Network Policy and Access Service role that uses the Network Policy Server role service.
n Add a New RADIUS Client to NPS that includes the IP address of your XTM device, uses the RADIUS Standard vendor, and sets a manual shared secret for the RADIUS client and XTM device.
n Add a network policy with these settings:
o Select the Active Directory user group that includes the users you want to authenticate with Mobile VPN with L2TP or Mobile VPN with PPTP.
o Specify Access granted as the access permissions for the policy, and do not specify an EAP type.
o Add the attribute Filter-ID to the policy and specify L2TP-Users or PPTP-Users as the value. Make sure to remove Framed Protocol and Service-Type from the Attributes list.
Configure IAS for a Windows 2003 Server
n On your Windows 2003 Server, make sure that the Internet Authentication Service (IAS) networking service is installed.
n In the IAS console, add a new RADIUS client for your XTM device that uses the device name and IP address of your XTM device for the Friendly name and Client address. Make sure to select the RADIUS Standard for the Client-Vendor value and set a shared secret for the RADIUS client and XTM device.
n From the IAS console, add a custom new remote access policy with these settings:
o Add the Windows-Group attribute to the policy.
o Select the Active Directory user group that includes the users you want to authenticate with Mobile VPN with L2TP or Mobile VPN with PPTP.
o For the permissions setting, specify Grant remote access permission.
o Add the attribute Filter-ID to the policy and specify L2TP-Users or PPTP-Users as the value.
Configure Active Directory Settings
When you configure these settings for your Active Directory server, you enable your RADIUS server to
contact your Active Directory server for the user credentials and group information stored in your
Active Directory database.
n In Active Directory Users and Computers on your Active Directory server, make sure that the
remote access permissions are configured to Allow access to users.
n Register NPS or IAS to your Active Directory server.
Enable Active Directory Behind a RADIUS Server Authentication for Mobile VPN on Your XTM Device
Before your users can use Mobile VPN with L2TP or Mobile VPN with PPTP to authenticate to your network with their Active Directory credentials, you must enable your XTM device to use a RADIUS server for Mobile VPN with L2TP or Mobile VPN with PPTP authentication.
Before you configure the Mobile VPN with L2TP or Mobile VPN with PPTP settings, make sure that you have added your RADIUS server to the Authentication Servers list on your XTM device. The RADIUS server must have the same IP address and shared secret that you specified when you configured the NPS or IAS settings for your RADIUS server.
For more information about how to add a RADIUS authentication server, see Configure RADIUS Server Authentication on page 530.
Configure Mobile VPN with L2TP Settings
By default, Firebox-DB is the selected server for authentication. When you configure Mobile VPN to use your RADIUS server, you can use Firebox-DB for a secondary authentication database if the RADIUS server is not available.
To enable RADIUS server authentication for Mobile VPN with L2TP users:
1. Select VPN > Mobile VPN with L2TP.
2. Click Configure.
The Mobile VPN with L2TP page appears.
3. Select the Authentication tab.
4. In the Authentication Server list, select the check box for your RADIUS server.
5. If the RADIUS server is not the first server in the Authentication Server list, click Make Default.
The RADIUS server moves to the top of the list.
6. To only use the RADIUS server for authentication, clear the Firebox-DB check box.
7. In the Authentication Users and Groups list, make sure the L2TP-Users group appears.
The Authentication Server can be Any or RADIUS.
8. Make any additional changes to the Mobile VPN with L2TP configuration.
For more information about how to configure the settings for Mobile VPN with L2TP, see Edit the Mobile VPN with L2TP Configuration.
Configure Mobile VPN with PPTP Settings
To enable RADIUS server authentication for Mobile VPN with PPTP users:
1. Select VPN > Mobile VPN with PPTP.
2. Select the Use RADIUS authentication for PPTP users check box.
For more information about how to configure the settings for Mobile VPN with PPTP, see Configure Mobile VPN with PPTP.
WPA and WPA2 Enterprise Authentication
To add another layer of security when your users connect to your wireless network, you can enable enterprise authentication methods on your XTM wireless device. When you configure an enterprise authentication method, the client must have the correct authentication method configured to successfully connect to the XTM device. The XTM wireless device then sends authentication requests to the configured authentication server (RADIUS server or Firebox-DB). If the authentication method information is not correct, the user cannot connect to the device, and is not allowed access to your network.
If your device runs Fireware XTM v11.0-v11.3.x, the authentication methods based on the IEEE 802.1X standard are not available.
In Fireware XTM v11.4 and later, the available enterprise authentication methods are WPA Enterprise and WPA2 Enterprise. These authentication methods are based on the IEEE 802.1X standard, which uses the EAP (Extensible Authentication Protocol) framework to enable user authentication to an external RADIUS server or to your XTM device (Firebox-DB). The WPA Enterprise and WPA2 Enterprise authentication methods are more secure than WPA/WPA2 (PSK) because users must first have the correct authentication method configured, and then authenticate with their own enterprise credentials instead of one shared key that is known by everyone who uses the wireless access point.
You can use the WPA Enterprise and WPA2 Enterprise authentication methods with XTM wireless devices. For more information about how to configure your XTM wireless device to use enterprise authentication, see Set the Wireless Authentication Method on page 294.
Configure VASCO Server Authentication
VASCO server authentication uses the VACMAN Middleware software to authenticate remote users on a company network through a RADIUS or web server environment. VASCO also supports multiple authentication server environments. The VASCO one-time password token system enables you to eliminate the weakest link in your security infrastructure: the use of static passwords.
To use VASCO server authentication with your XTM device, you must:
n Add the IP address of the XTM device to the VACMAN Middleware server, as described in the documentation from your VASCO vendor.
n Enable and specify the VACMAN Middleware server in your XTM device configuration.
n Add user names or group names to the policies in Policy Manager.
To configure VASCO server authentication, use the RADIUS server settings. The Authentication Servers dialog box does not have a separate tab for VASCO servers.
From Fireware XTM Web UI:
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. From the Server list, select RADIUS.
The RADIUS server settings appear.
3. To enable the VACMAN Middleware server, select the Enable RADIUS Server check box.
4. In the IP Address text box, type the IP address of the VACMAN Middleware server.
5. In the Port text box, make sure that the port number VASCO uses for authentication appears.
The default port number is 1812.
6. In the Passphrase text box, type the shared secret between the XTM device and the VACMAN Middleware server.
The shared secret is case-sensitive, and it must be the same on the XTM device and the server.
7. In the Confirm text box, type the shared secret again.
8. In the Timeout text box, type the amount of time the XTM device waits for a response from the authentication server before it tries to connect again.
9. In the Retries text box, type the number of times the XTM device tries to connect to the authentication server before it reports a failed connection for one authentication attempt.
10. Type or select the Group Attribute value. The default group attribute is FilterID, which is VASCO attribute 11.
The group attribute value is used to set which attribute carries the user group information. You must configure the VASCO server to include the Filter ID string with the user authentication message it sends to the XTM device. For example, engineerGroup or financeGroup. This information is then used for access control. The XTM device matches the FilterID string to the group name configured in the XTM device policies.
11. In the Dead Time text box, type the amount of time after which an inactive server is marked as active again. Select minutes or hours from the drop-down list to change the duration.
After an authentication server has not responded for a period of time, it is marked as inactive. Subsequent authentication attempts do not try to connect to this server until it is marked as active again.
12. To add a backup VACMAN Middleware server, in the Secondary Server Settings section, select the Enable Secondary RADIUS Server check box.
13. Repeat Steps 4 through 11 to configure the backup server. Make sure the shared secret is the same on the primary and secondary VACMAN Middleware server.
For more information, see Use a Backup Authentication Server on page 517.
14. Click Save.
Configure SecurID Authentication
To use SecurID authentication, you must configure the RADIUS, VASCO, and ACE/Server servers correctly. The users must also have an approved SecurID token and a PIN (personal identification number). Refer to the RSA SecurID documentation for more information.
From Fireware XTM Web UI:
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. From the Servers list, select SecurID.
The SecurID server settings appear.
3. Select the Enable SecurID Server check box.
4. In the IP Address text box, type the IP address of the SecurID server.
5. In the Port text box, type the port number to use for SecurID authentication.
The default number is 1812.
6. In the Passphrase text box, type the shared secret between the XTM device and the SecurID server. The shared secret is case-sensitive and must be the same on the XTM device and the SecurID server.
7. In the Confirm text box, type the shared secret again.
8. In the Timeout text box, type the amount of time that the XTM device waits for a response from the authentication server before it tries to connect again.
9. In the Retries text box, type the number of times the XTM device tries to connect to the authentication server before it reports a failed connection for one authentication attempt.
10. In the Group Attribute text box, type the group attribute value. We recommend that you do not change this value.
The group attribute value is used to set the attribute that carries the user group information. When the SecurID server sends a message to the XTM device that a user is authenticated, it also sends a user group string. For example, engineerGroup or financeGroup. This information is then used for access control.
11. In the Dead Time text box, type the amount of time after which an inactive server is marked as active again. To change the duration, from the adjacent drop-down list, select Minutes or Hours.
After an authentication server has not responded for a period of time, it is marked as inactive. Subsequent authentication attempts do not use this server until it is marked as active again, after the dead time value is reached.
12. To add a backup SecurID server, in the Secondary Server Settings section, select the Enable Secondary SecurID Server check box.
13. Repeat Steps 4 through 11 to configure the backup server. Make sure the shared secret is the same on the primary and backup SecurID servers.
For more information, see Use a Backup Authentication Server on page 517.
14. Click Save.
Configure LDAP Authentication
You can use an LDAP (Lightweight Directory Access Protocol) authentication server to authenticate your users with the XTM device. LDAP is an open-standard protocol for using online directory services, and it operates with Internet transport protocols, such as TCP. Before you configure your XTM device for LDAP authentication, make sure you check the documentation from your LDAP vendor to see if your installation supports the memberOf (or equivalent) attribute. When you configure your primary and backup LDAP server settings, you can select whether to specify the IP address or the DNS name of your LDAP server.
If your users authenticate with the LDAP authentication method, their distinguished names (DN) and passwords are not encrypted. To use LDAP authentication and encrypt user credentials, you can select the LDAPS (LDAP over SSL) option. When you use LDAPS, the traffic between the LDAP client on your XTM device and your LDAP server is secured by an SSL tunnel. When you enable this option, you can also choose whether to enable the LDAPS client to validate the LDAP server certificate, which prevents man-in-the-middle attacks. If you choose to use LDAPS and you specify the DNS name of your server, make sure the search base you specify includes the DNS name of your server. The standard LDAPS port is 636. For Active Directory Global Catalog queries, the SSL port is 3269.
When you configure the LDAP authentication method, you set a search base to specify where in the authentication server directories the XTM device can search for an authentication match. For example, if your user accounts are in an OU (organizational unit) you refer to as accounts and your domain name is example.com, your search base is ou=accounts,dc=example,dc=com.
If your user group objects are in another OU you refer to as groups, your user accounts are in an OU you refer to as accounts, and your domain name is example.com, your search base is dc=example,dc=com, so that the search covers both OUs.
If you use an OpenLDAP server without the memberOf attribute overlay support, add users to more than one OU, and find that the default Group String setting of memberOf does not return correct group information for your users, you can instead configure the XTM device to use another group attribute. To manage user groups, you can add the object classes member, memberUID, or gidNumber. For more information about these object classes, see RFC 2256 and RFC 2307.
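An added Python example, not WatchGuard code, for the search base discussion above (it also applies to the Active Directory search base later in this chapter): it builds a search base from an OU and domain in the format the guide shows, checks whether an object's DN lies under a base, and computes the smallest base that covers users in ou=accounts and groups in ou=groups. The DN values are constructed; the LDAPS-with-DNS-name check is our reading of the note above and is not spelled out in these terms by the guide.

```python
def parse_dn(dn):
    """Split a DN into [(attribute, value), ...] from leaf to root, honouring
    backslash escapes (RFC 4514) so a comma inside a CN is not a separator.
    Attributes and values are lower-cased, matching case-insensitive DN matching."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attribute, value = rdn.split("=", 1)
        parsed.append((attribute.strip().lower(), value.strip().lower()))
    return parsed

def format_dn(rdns):
    """Inverse of parse_dn; re-escapes commas inside values."""
    parts = []
    for attribute, value in rdns:
        parts.append(attribute + "=" + value.replace(",", "\\,"))
    return ",".join(parts)

def search_base_for(domain, ou=None):
    """Build a search base as the guide shows it: ou=accounts,dc=example,dc=com for
    OU "accounts" in domain example.com, or dc=example,dc=com for the domain root."""
    dcs = ",".join("dc=" + label for label in domain.lower().split("."))
    return f"ou={ou.lower()},{dcs}" if ou else dcs

def dn_within_base(dn, base):
    """True when the object at dn lies under base: the base's RDNs must be a suffix
    of the object's RDNs. A user under ou=accounts is not found from ou=groups."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(b) <= len(d) and d[len(d) - len(b):] == b

def common_search_base(dns):
    """Smallest base that covers every DN given: the longest common suffix of their
    RDN lists. Users in ou=accounts and groups in ou=groups give dc=example,dc=com,
    the base the guide says to use when users and groups live in different OUs."""
    root_first = [list(reversed(parse_dn(dn))) for dn in dns]
    common = []
    for level in zip(*root_first):
        if any(rdn != level[0] for rdn in level):
            break
        common.append(level[0])
    if not common:
        raise ValueError("DNs share no common root, so no single search base covers them")
    return format_dn(list(reversed(common)))

def base_matches_server_dns(base, server_fqdn):
    """Our reading of the LDAPS note above: when the server is given by DNS name,
    its domain labels should appear as the dc= components of the search base."""
    base_dcs = [value for attribute, value in parse_dn(base) if attribute == "dc"]
    labels = server_fqdn.lower().split(".")
    return bool(base_dcs) and labels[len(labels) - len(base_dcs):] == base_dcs
```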
If you enable LDAPS, you can choose to validate the LDAP server certificate with an imported Certificate Authority (CA) certificate. If you select to validate the LDAP server certificate, you must import the root CA certificate from the CA that signed the LDAP server certificate, so your XTM device can use the CA certificate to validate the LDAP server certificate. When you import the CA certificate, make sure to select the IPSec, Web Server, Other option. For more information about how to import certificates, see Manage XTM Device Certificates on page 968.
PhoneFactor authentication is a multiple-factor authentication system that uses phone calls to determine the identity of users. Because it uses more than one out-of-band method (phone calls, text messages, and push notifications) and an OATH passcode, PhoneFactor provides flexible options for users and a single multiple-factor platform to manage.
If you use PhoneFactor authentication with your LDAP server, you can configure the timeout value in the LDAP authentication server settings to specify when out-of-band PhoneFactor authentication occurs. For PhoneFactor authentication, you must set the timeout value to more than 10 seconds.
From Fireware XTM Web UI:
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. From the Server list, select LDAP.
The LDAP server settings appear.
3. Select the Enable LDAP Server check box.
The LDAP server settings are enabled.
4. From the IP Address/DNS Name drop-down list, select whether to use the IP address or DNS name to contact your primary LDAP server.
5. In the IP Address/DNS Name text box, type the IP address or DNS name of the primary LDAP server for the XTM device to contact with authentication requests.
The LDAP server can be located on any XTM device interface. You can also configure your device to use an LDAP server on a remote network through a VPN tunnel.
6. In the Port text box, type the TCP port number for the XTM device to use to connect to the LDAP server. The default port number is 389.
If you enable LDAPS, you must select port 636.
7. In the Timeout text box, type or select the number of seconds the device waits for a response from the LDAP server before it closes the connection and tries to connect again.
8. In the Search Base text box, type the search base settings in the standard format: ou=organizational unit,dc=first part of distinguished server name,dc=any part of the distinguished server name that appears after the dot.
For example: ou=accounts,dc=example,dc=com
9. In the Group String text box, type the group string attribute.
The default attribute is memberOf.
This attribute string holds user group information on the LDAP server. On many LDAP servers, the default group string is uniqueMember; on other servers, it is member. For user groups on an OpenLDAP server without memberOf overlay support, you can also specify the attributes member, memberUID, or gidNumber.
10. In the DN of Searching User text box, type the distinguished name (DN) for a search operation.
You can add any user DN with the privilege to search LDAP/Active Directory, such as an administrator. Some administrators create a new user that only has searching privileges.
For example, cn=Administrator,cn=Users,dc=example,dc=com.
11. In the Password of Searching User text box, type the password associated with the distinguished name for a search operation.
12. In the Login Attribute text box, select an LDAP login attribute to use for authentication from the drop-down list.
The login attribute is the name used for the bind to the LDAP database. The default login attribute is uid. If you use uid, the DN of Searching User and the Password of Searching User text boxes can be empty.
13. In the Dead Time text box, type or select the amount of time after which an inactive server is marked as active again. To set the duration, from the adjacent drop-down list, select Minutes or Hours.
After an authentication server has not responded for a period of time, it is marked as inactive. Subsequent authentication attempts do not try this server until it is marked as active again.
14. To enable secure SSL connections to your LDAP server, select the Enable LDAPS check box.
15. If you enable LDAPS but did not set the Port value to the default port for LDAPS, a port message dialog box appears. To use the default port, click Yes. To use the port you specified, click No.
16. To verify the certificate of the LDAP server with the imported CA certificate, select the Validate server certificate check box.
17. To specify optional attributes for the primary LDAP server, complete the settings in the LDAP Server Optional Settings section.
For more information about how to configure optional settings, see the subsequent section.
18. To add a backup LDAP server, select the Secondary tab, and select the Enable Secondary LDAP Server check box.
19. Repeat Steps 3 through 16 to configure the backup server. Make sure the shared secret is the same on the primary and backup LDAP servers.
For more information, see Use a Backup Authentication Server on page 517.
20. Click Save.
About LDAP Optional Settings
Fireware XTM can get additional information from the directory server (LDAP or Active Directory) when it reads the list of attributes in the server's search response. This lets you use the directory server to assign extra parameters to the authenticated user sessions, such as timeouts and Mobile VPN with IPSec address assignments. Because the data comes from LDAP attributes associated with individual user objects, you are not limited to the global settings in Fireware XTM Web UI. You can set these parameters for each individual user.
For more information, see Use Active Directory or LDAP Optional Settings on page 558.
Test the Connection to the Server
To make sure that your XTM device can connect to your LDAP server and successfully authenticate your users, you can test the connection to your authentication server. You can also use this feature to determine if a specific user is authenticated and to get authentication group information for that user.
You can test the connection to your authentication server from the Authentication Servers page for your server, or you can navigate directly to the Server Connection page in Fireware XTM Web UI.
To navigate to the Server Connection page from the Authentication Servers page:
1. Click Test Connection for LDAP and Active Directory.
The Server Connection page appears.
2. Follow the instructions in the Server Connection topic to test the connection to your server.
For instructions to navigate directly to the Server Connection page in Fireware XTM Web UI, see Server Connection on page 940.
Configure Active Directory Authentication
Active Directory is the Microsoft Windows-based application of an LDAP directory structure. Active Directory lets you expand the concept of domain hierarchy used in DNS to an organizational level. It keeps information and settings for an organization in a central, easy-to-access database. You can use an Active Directory authentication server to enable your users to authenticate to the XTM device with their current network credentials. You must configure both your XTM device and the Active Directory server for Active Directory authentication to work correctly.
When you configure Active Directory authentication, you can specify one or more Active Directory domains that your users can select when they authenticate. For each domain, you can add up to two Active Directory servers: one primary server and one backup server. If the first server you add fails, the second server is used to complete authentication requests. When you add an Active Directory server, you can select whether to specify the IP address or the DNS name of each server.
If you configure more than one Active Directory domain and you use Single Sign-On (SSO) to enable your users to select from the available Active Directory domains and authenticate, your users must install the SSO client. For more information, see About Single Sign-On (SSO) on page 477 and Install the WatchGuard Single Sign-On (SSO) Client on page 500.
If your users authenticate with the Active Directory authentication method, their distinguished names (DN) and passwords are not encrypted. To use Active Directory authentication and encrypt user credentials, you can select the LDAPS (LDAP over SSL) option. When you use LDAPS, the traffic between the LDAPS client on your XTM device and your Active Directory server is secured by an SSL tunnel. When you enable this option, you can also choose whether to enable the LDAPS client to validate the Active Directory server certificate. If you choose to use LDAPS and you specify the DNS name of your server, make sure the search base you specify includes the DNS name of your server.
The Active Directory server can be located on any XTM device interface. You can also configure your XTM device to use an Active Directory server available through a VPN tunnel.
PhoneFactor authentication is a multiple-factor authentication system that uses phone calls to determine the identity of users. Because it uses more than one out-of-band method (phone calls, text messages, and push notifications) and an OATH passcode, PhoneFactor provides flexible options for users and a single multiple-factor platform to manage.
If you use PhoneFactor authentication with your Active Directory server, you can configure the timeout value in the Active Directory authentication server settings to specify when out-of-band PhoneFactor authentication occurs. For PhoneFactor authentication, you must set the timeout value to more than 10 seconds.
Before you begin, make sure your users can successfully authenticate to your Active Directory server. You can then use Fireware XTM Web UI to configure your XTM device. You can add, edit, or delete the Active Directory domains and servers defined in your configuration.
Add an Active Directory Authentication Domain and Server
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. From the Server list, select Active Directory.
The Active Directory server settings appear.
3. Click Add.
The Add page appears.
4. In the Domain Name text box, type the domain name to use for this Active Directory server.
The domain name must include a domain suffix. For example, type example.com, not example.
5. From the Primary drop-down list, select IP Address or DNS Name.
6. In the text box, type the IP address or DNS name of this Active Directory server.
7. In the Port text box, type the TCP port number for the device to use to connect to the Active
Directory server.
The default port number is 389. If you enable LDAPS, you must select port 636.
If your Active Directory server is a global catalog server, it can be useful to change the default
port. For more information, see Change the Default Port for the Active Directory Server on page
558.
8. In the Timeout text box, type or select the number of seconds the device waits for a response
from the Active Directory server before it closes the connection and tries to connect again.
9. To add another Active Directory server to this domain:
a. From the Secondary (Optional) drop-down list, select IP Address or DNS Name.
b. In the text box, type the IP address or DNS name of the secondary Active Directory
server.
c. In the Port text box, specify the TCP port number for the device to use to connect to the
Active Directory server.
For more information, see Use a Backup Authentication Server on page 517.
10. In the Search Base text box, type the location in the directory to begin the search.
The standard format for the search base setting is: ou=<name of organizational unit>,dc=<first
part of the distinguished server name>,dc=<any part of the distinguished server name that
appears after the dot>.
To limit the directories on the authentication server where the XTM device can search for an
authentication match, you can set a search base. We recommend that you set the search base
to the root of the domain. This enables you to find all users and all groups to which those users
belong.
For more information, see Find Your Active Directory Search Base on page 556.
11. In the Group String text box, type the attribute string that is used to hold user group information
on the Active Directory server. If you have not changed your Active Directory schema, the
group string is always memberOf.
12. In the DN of Searching User text box, type the distinguished name (DN) for a search
operation.
If you keep the login attribute of sAMAccountName, you do not have to type anything in this text
box.
If you change the login attribute, you must add a value in the DN of Searching User text box.
You can use any user DN with the privilege to search LDAP/Active Directory, such as an
administrator. However, a weaker user DN with only the privilege to search is usually sufficient.
For example, cn=Administrator,cn=Users,dc=example,dc=com.
13. In the Password of Searching User text box, type the password associated with the
distinguished name for a search operation.
14. From the Login Attribute drop-down list, select an Active Directory login attribute to use for
authentication.
The login attribute is the name used for the bind to the Active Directory database. The default
login attribute is sAMAccountName. If you use sAMAccountName, you do not have to specify
a value for the DN of Searching User and Password of Searching User settings.
15. In the Dead Time text box, type a time after which an inactive server is marked as active again.
16. From the Dead Time drop-down list, select Minutes or Hours to set the duration.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts do not try this server until it is marked as active again.
17. To enable secure SSL connections to your Active Directory server, select the Enable LDAPS
check box.
18. If you enable LDAPS but did not set the Port value to the default port for LDAPS, a port
message dialog box appears. To use the default port, click Yes. To use the port you specified,
click No.
19. To verify the certificate of the Active Directory server is valid, select the Validate server
certificate check box.
20. To specify optional attributes for the primary LDAP server, complete the Active Directory
Server Optional Settings section.
For more information about how to configure optional settings, see the subsequent section.
21. Click Save.
About Active Directory Optional Settings
Fireware XTM can get additional information from the directory server (LDAP or Active Directory) when
it reads the list of attributes in the server's search response. This lets you use the directory server to
assign extra parameters to the authenticated user sessions, such as timeouts and Mobile VPN with
IPSec address assignments. Because the data comes from LDAP attributes associated with
individual user objects, you are not limited to the global settings in Fireware XTM Web UI. You can set
these parameters for each individual user.
For more information, see Use Active Directory or LDAP Optional Settings on page 558.
Test the Connection to the Server
To make sure that your XTM device can connect to your Active Directory server and successfully
authenticate your users, you can test the connection to your authentication server. You can also use
this feature to determine if a specific user is authenticated and to get authentication group information
for that user.
You can test the connection to your authentication server from the Authentication Servers page for
your server, or you can navigate directly to the Server Connection page in Fireware XTM Web UI.
To navigate to the Server Connection page from the Authentication Servers page:
1. Click Test Connection for LDAP and Active Directory.
The Server Connection page appears.
2. Follow the instructions in the Server Connection topic to test the connection to your server.
For instructions to navigate directly to the Server Connection page in Fireware XTM Web UI, see
Server Connection on page 940.
Edit an Existing Active Directory Domain
When you edit an Active Directory domain, you cannot change the details of the Active Directory
servers configured in the domain. Instead, you must add a new server. If there are two servers in the
list, you must remove one of the servers before you can add a new one.
From the Authentication Servers page:
1. In the Active Directory domains list, select the server to change.
2. Click Edit.
The Active Directory / Edit page appears.
3. To add an IP address or DNS name to the server for this domain, follow the instructions in the
previous section.
4. Update the settings for your Active Directory server.
Delete an Active Directory Domain
From the Authentication Servers page:
1. From the Server list, select Active Directory.
The Active Directory page appears.
2. In the Active Directory domains list, select the domain to delete.
3. Click Remove.
A confirmation message appears.
4. Click Yes.
The server is removed from the list.
Find Your Active Directory Search Base
When you configure your XTM device to authenticate users with your Active Directory server, you add
a comma-delimited search base. The search base is the place the search starts in the Active Directory
hierarchical structure for user account entries. This can help to make the authentication procedure
faster.
Before you begin, you must have an operational Active Directory server that contains account
information for all users for whom you want to configure authentication on the XTM device.
From your Active Directory server:
1. Select Start > Administrative Tools > Active Directory Users and Computers.
2. In the Active Directory Users and Computers tree, find and select your domain name.
3. Expand the tree to find the path through your Active Directory hierarchy.
Domain name components have the format dc=domain name component, are appended to the
end of the search base string, and are also comma-delimited.
For each level in your domain name, you must include a separate domain name component in
your Active Directory search base. For example, if your domain name is prefix.example.com,
the domain name component in your search base is DC=prefix,DC=example,DC=com.
To make sure that the Active Directory search can find any user object in your domain, specify the root
of the domain. For example, if your domain name is kunstlerandsons.com, and you want the Active
Directory search to find any user object in the entire domain, the search base string to add is:
dc=kunstlerandsons,dc=com.
To limit the search to begin in a container beneath the root of the domain, you must specify the
fully-qualified name of the container in comma-delimited form. Start with the name of the base container and
progress to the root of the domain. For example, assume your domain in the tree looks like this after
you expand it:
Also assume that you want the Active Directory search to begin in the Sales container that appears in
the example. This enables the search to find any user object inside the Sales container, and inside any
containers in the Sales container.
The search base string to add in the XTM device configuration is:
ou=sales,ou=accounts,dc=kunstlerandsons,dc=com
The search string is not case-sensitive. When you type your search string, you can use either
uppercase or lowercase letters. Make sure that a comma separates each component in the search
base, without spaces between the components.
This search does not find user objects inside the Development or Admins containers, or inside the
Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, or Users containers.
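The search base rules above (one dc= component per label of the domain name, ou= components for the container path with the base container first, comma-delimited with no spaces, not case-sensitive) worked through in code. This is an added example, not WatchGuard code and not part of this guide; the domain and container names are the guide's sample values plus constructed ones.

```python
"""Build and check an Active Directory search base string.

Added example; not part of the Fireware XTM documentation and not
WatchGuard code. It applies the rules the guide gives: one dc= component
per label of the domain name, ou= components for the container path with
the most specific container first, components separated by commas with
no spaces, and case-insensitive comparison. Domain and container names
used below are constructed sample values.
"""
import re

# One search base component: attribute type, "=", a value with no commas
# or whitespace (the guide requires comma-delimited components, no spaces).
_COMPONENT_RE = re.compile(r"^(dc|ou|cn)=[^,\s]+$", re.IGNORECASE)


def _domain_labels(domain):
    """Split "prefix.example.com" into ["prefix", "example", "com"]."""
    return [label for label in domain.strip(".").split(".") if label]


def build_search_base(domain, container_path=()):
    """Return the search base for `domain`, optionally starting in a container.

    `container_path` lists container names from the root downward, for
    example ("accounts", "sales"); the search base names them in reverse
    order (base container first), then one dc= component per domain label.
    """
    labels = _domain_labels(domain)
    if not labels:
        raise ValueError("domain must contain at least one label")
    ou_parts = ["ou=%s" % name for name in reversed(container_path)]
    dc_parts = ["dc=%s" % label for label in labels]
    return ",".join(ou_parts + dc_parts)


def check_search_base(search_base, domain):
    """Return a list of problems with `search_base`; an empty list means it
    follows the format the guide describes for `domain`."""
    problems = []
    if search_base != search_base.strip() or " " in search_base:
        problems.append("search base must not contain spaces")
    components = [c.strip() for c in search_base.split(",")]
    for comp in components:
        if not _COMPONENT_RE.match(comp):
            problems.append("malformed component: %r" % comp)
    kinds = [c.split("=", 1)[0].lower() for c in components if "=" in c]
    if "dc" in kinds and "ou" in kinds[kinds.index("dc"):]:
        problems.append("ou= components must come before all dc= components")
    dc_values = [c.split("=", 1)[1].lower() for c in components
                 if c.lower().startswith("dc=")]
    expected = [label.lower() for label in _domain_labels(domain)]
    if dc_values != expected:
        problems.append("dc= components %r do not spell out domain %r"
                        % (dc_values, domain))
    return problems


def same_search_base(first, second):
    """The search string is not case-sensitive, so compare normalised forms."""
    def normalise(value):
        return ",".join(part.strip().lower() for part in value.split(","))
    return normalise(first) == normalise(second)


if __name__ == "__main__":
    # Root of the domain: the search finds every user object in the domain.
    print(build_search_base("kunstlerandsons.com"))
    # Begin in the Sales container under Accounts, as in the guide's example.
    print(build_search_base("kunstlerandsons.com", ("accounts", "sales")))
    print(check_search_base("ou=sales, dc=kunstlerandsons,dc=com",
                            "kunstlerandsons.com"))
```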
DN of Searching User and Password of Searching User Fields
You must complete these fields only if you select an option for the Login Attribute that is different
from the default value, sAMAccountName. Most organizations that use Active Directory do not change
this. When you leave this field at the default sAMAccountName value, users supply their usual Active
Directory login names for their user names when they authenticate. This is the name you see in the
User logon name text box on the Account tab when you edit the user account in Active Directory
Users and Computers.
If you use a different value for the Login Attribute, a user who tries to authenticate gives a different
form of the user name. In this case, you must add Searching User credentials to your XTM device
configuration.
Change the Default Port for the Active Directory Server
If your WatchGuard device is configured to authenticate users with an Active Directory (AD)
authentication server, it connects to the Active Directory server on the standard LDAP port by default,
which is TCP port 389. If the Active Directory servers that you add to your WatchGuard device
configuration are set up to be Active Directory global catalog servers, you can tell the
WatchGuard device to use the global catalog port (TCP port 3268) to connect to the Active Directory
server.
A global catalog server is a domain controller that stores information about all objects in the forest. This
enables the applications to search Active Directory, but not have to refer to specific domain controllers
that store the requested data. If you have only one domain, Microsoft recommends that you configure
all domain controllers as global catalog servers.
If the primary or secondary Active Directory server you use in your WatchGuard device configuration is
also configured as a global catalog server, you can change the port the WatchGuard device uses to
connect to the Active Directory server to increase the speed of authentication requests. However, we
do not recommend that you create additional Active Directory global catalog servers just to speed up
authentication requests. The replication that occurs among multiple global catalog servers can use
significant bandwidth on your network.
Configure the XTM Device to Use the Global Catalog Port
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. In the Server list, select Active Directory.
The Active Directory page appears with the list of configured servers.
3. Select a server and click Edit.
4. In the Port text box, clear the contents and type 3268.
5. Click Save.
Find Out if Your Active Directory Server is Configured as a Global Catalog Server
1. Select Start > Administrative Tools > Active Directory Sites and Services.
2. Expand the Sites tree and find the name of your Active Directory server.
3. Right-click NTDS Settings for your Active Directory server and select Properties.
If the Global Catalog check box is selected, the Active Directory server is configured to be a
global catalog.
Use Active Directory or LDAP Optional Settings
When Fireware XTM contacts the directory server (Active Directory or LDAP) to search for
information, it can get additional information from the list of attributes in the search response returned
by the server. This enables you to use the directory server to assign extra parameters to the
authenticated user session, such as timeouts and Mobile VPN address assignments. Because the
data comes from LDAP attributes associated with individual user objects, you can set these
parameters for each individual user and you are not limited to the global settings in Fireware XTM Web
UI.
Before You Begin
To use these optional settings you must:
- Extend the directory schema to add new attributes for these items.
- Make the new attributes available to the object class that user accounts belong to.
- Give values to the attributes for the user objects that should use them.
Make sure you carefully plan and test your directory schema before you extend it to your directories.
Additions to the Active Directory schema, for example, are generally permanent and cannot be undone.
Use the Microsoft web site to get resources to plan, test, and implement changes to an Active
Directory schema. Consult the documentation from your LDAP vendor before you extend the schema
for other directories.
Specify Active Directory or LDAP Optional Settings
You can use Fireware XTM Web UI to specify the additional attributes Fireware XTM looks for in the
search response from the directory server.
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. From the Authentication Servers list, select LDAP or Active Directory and make sure the
server is enabled.
3. In the Optional Settings section, type the attributes to include in the directory search in the
string fields.
IP Attribute String
This setting applies only to Mobile VPN clients.
Type the name of the attribute for Fireware XTM to use to assign a virtual IP address to the
Mobile VPN client. This must be a single-valued attribute and an IP address in decimal
format. The IP address must be within the pool of virtual IP addresses you specify when
you create the Mobile VPN Group.
If the XTM device does not see the IP attribute in the search response or if you do not
specify an attribute in Fireware XTM Web UI, it assigns the Mobile VPN client a virtual IP
address from the virtual IP address pool you create when you make the Mobile VPN Group.
Netmask Attribute String
This setting applies only to Mobile VPN clients.
Type the name of the attribute for Fireware XTM to use to assign a subnet mask to the
Mobile VPN client's virtual IP address. This must be a single-valued attribute and a subnet
mask in decimal format.
The Mobile VPN software automatically assigns a netmask if the XTM device does not see
the netmask attribute in the search response or if you do not specify one in Fireware XTM
Web UI.
DNS Attribute String
This setting applies only to Mobile VPN clients.
Type the name of the attribute Fireware XTM uses to assign the Mobile VPN client one or
more DNS addresses for the duration of the Mobile VPN session. This can be a
multi-valued attribute and must be a normal dotted-decimal IP address. If the XTM device does
not see the DNS attribute in the search response, or if you do not specify an attribute in
Fireware XTM Web UI, it uses the WINS addresses you enter when you Configure WINS
and DNS Servers.
WINS Attribute String
This setting applies only to Mobile VPN clients.
Type the name of the attribute Fireware XTM should use to assign the Mobile VPN client
one or more WINS addresses for the duration of the Mobile VPN session. This can be a
multi-valued attribute and must be a normal dotted-decimal IP address. If the XTM device
does not see the WINS attribute in the search response or if you do not specify an attribute
in Fireware XTM Web UI, it uses the WINS addresses you enter when you Configure
WINS and DNS Servers.
Lease Time Attribute String
This setting applies to Mobile VPN clients and to clients that use Firewall Authentication.
Type the name of the attribute for Fireware XTM to use to control the maximum duration a
user can stay authenticated (session timeout). After this amount of time, the user is
removed from the list of authenticated users. This must be a single-valued attribute.
Fireware XTM interprets the attribute's value as a decimal number of seconds. It interprets
a zero value as "never time out".
Idle Timeout Attribute String
This setting applies to Mobile VPN clients and to clients that use Firewall Authentication.
Type the name of the attribute Fireware XTM uses to control the amount of time a user can
stay authenticated when no traffic is passed to the XTM device from the user (idle timeout).
If no traffic passes to the device for this amount of time, the user is removed from the list of
authenticated users. This must be a single-valued attribute. Fireware XTM interprets the
attribute's value as a decimal number of seconds. It interprets a zero value as "never time
out".
4. Click Save.
The attribute settings are saved.
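The attribute rules in the list above (single-valued versus multi-valued attributes, dotted-decimal addresses, the IP address inside the virtual IP pool, zero meaning never time out, and the fallbacks when an attribute is absent or its string is left empty) worked through as code that reads one user object from a search response. This is an added example, not WatchGuard code and not part of this guide; the attribute names (wgVpnIp and so on), the user entry, the pool and the global defaults are constructed sample values and assume nothing about a real schema extension.

```python
"""Interpret the Active Directory/LDAP optional attributes for one user.

Added example; not WatchGuard code and not from the documentation. It
models the rules the guide states for the optional attribute strings:
IP, netmask, lease time and idle timeout attributes must be single-valued;
DNS and WINS attributes may be multi-valued; addresses are dotted-decimal;
a timeout of zero means never time out; a missing or unconfigured attribute
falls back to the virtual IP pool or the global settings. The attribute
names, user entry and pool below are constructed, not a real schema.
"""
import ipaddress


def _single(values):
    """Value of a single-valued attribute, or None if absent or multi-valued."""
    if values is None or len(values) != 1:
        return None
    return values[0]


def _address(value):
    """Parse one dotted-decimal IPv4 address; None if missing or invalid."""
    if value is None:
        return None
    try:
        return str(ipaddress.IPv4Address(value))
    except ValueError:
        return None


def _seconds(value):
    """Decimal seconds; 0 means "never"; None if missing or invalid."""
    if value is None:
        return None
    try:
        seconds = int(value)
    except ValueError:
        return None
    if seconds < 0:
        return None
    return "never" if seconds == 0 else seconds


def apply_optional_settings(entry, attribute_names, vpn_pool, defaults):
    """Derive per-user session parameters from an LDAP search response.

    entry: dict attribute name -> list of string values for the user object.
    attribute_names: dict setting -> attribute string typed into the Web UI
        (keys ip, netmask, dns, wins, lease_time, idle_timeout); a missing
        key means that attribute string was left empty.
    vpn_pool: the Mobile VPN group's virtual IP pool, e.g. "10.0.50.0/24".
    defaults: global settings used when an attribute is absent:
        session_timeout, idle_timeout (seconds or "never"), dns, wins.
    """
    pool = ipaddress.IPv4Network(vpn_pool)
    result = {}

    # IP attribute: single-valued, dotted-decimal and inside the pool;
    # otherwise the device assigns an address from the pool itself.
    ip = _address(_single(entry.get(attribute_names.get("ip"))))
    if ip is not None and ipaddress.IPv4Address(ip) in pool:
        result["virtual_ip"] = ip
    else:
        result["virtual_ip"] = "assigned-from-pool"

    # Netmask attribute: single-valued; otherwise the Mobile VPN software
    # assigns a netmask automatically.
    mask = _address(_single(entry.get(attribute_names.get("netmask"))))
    result["netmask"] = mask if mask is not None else "automatic"

    # DNS and WINS attributes may carry several addresses; keep the valid
    # ones, or fall back to the servers configured on the WINS/DNS page.
    for key in ("dns", "wins"):
        values = entry.get(attribute_names.get(key)) or []
        addresses = [a for a in map(_address, values) if a is not None]
        result[key] = addresses if addresses else list(defaults[key])

    # Lease time and idle timeout: single-valued decimal seconds, where 0
    # means the user is never timed out; absent means the global setting.
    for key, setting in (("lease_time", "session_timeout"),
                         ("idle_timeout", "idle_timeout")):
        seconds = _seconds(_single(entry.get(attribute_names.get(key))))
        result[setting] = seconds if seconds is not None else defaults[setting]
    return result


# Constructed sample data: a user object as returned in a search response,
# the attribute strings as typed into the Optional Settings section, and
# the device's global settings.
SAMPLE_ENTRY = {
    "sAMAccountName": ["jsmith"],
    "memberOf": ["CN=MobileVPN,CN=Users,DC=example,DC=com"],
    "wgVpnIp": ["10.0.50.25"],
    "wgVpnNetmask": ["255.255.255.0"],
    "wgVpnDns": ["10.0.1.10", "10.0.1.11"],
    "wgLeaseTime": ["28800"],
    "wgIdleTimeout": ["0"],
}
ATTRIBUTE_NAMES = {
    "ip": "wgVpnIp", "netmask": "wgVpnNetmask", "dns": "wgVpnDns",
    "wins": "wgVpnWins", "lease_time": "wgLeaseTime", "idle_timeout": "wgIdleTimeout",
}
DEFAULTS = {"session_timeout": 3600, "idle_timeout": 1800,
            "dns": ["10.0.1.53"], "wins": ["10.0.1.54"]}

if __name__ == "__main__":
    print(apply_optional_settings(SAMPLE_ENTRY, ATTRIBUTE_NAMES, "10.0.50.0/24", DEFAULTS))
```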
Use a Local User Account for Authentication
Any user can authenticate as a Firewall user, PPTP user, or Mobile VPN user, and open a PPTP or
Mobile VPN tunnel if PPTP or Mobile VPN is enabled on the XTM device. However, after
authentication or a tunnel has been successfully established, users can send traffic through the VPN
tunnel only if the traffic is allowed by a policy on the XTM device. For example, a Mobile VPN-only user
can send traffic through a Mobile VPN tunnel. Even though the Mobile VPN-only user can authenticate
and open a PPTP tunnel, he or she cannot send traffic through that PPTP tunnel.
If you use Active Directory authentication and the group membership for a user does not match your
Mobile VPN policy, you can see an error message that says "Decrypted traffic does not match any
policy". If you see this error message, make sure that the user is in a group with the same name as your
Mobile VPN group.
Use Authorized Users and Groups in Policies
You can use specified user and group names when you create policies in Fireware XTM Web UI. For
example, you can define policies that only allow connections for authenticated users, or you can limit
connections on a policy to particular users.
The term authorized users and groups refers to users and groups that are allowed to access network
resources.
Define Users and Groups for Firebox Authentication
If you use your XTM device as an authentication server and want to define users and groups that
authenticate to the XTM device, see Define a New User for Firebox Authentication on page 522 and
Define a New Group for Firebox Authentication on page 526.
Define Users and Groups for Third-Party Authentication
You can use Fireware XTM Web UI to define the users and groups to use for third-party authentication.
When you create a group, if you use more than one Active Directory domain for authentication, you
must specify the domain that you want users in the group to use to authenticate.
For both individual users and user groups, you can also enable login limits. When you enable unlimited
concurrent logins for a user or group, you allow more than one user or member of a group to
authenticate with the same user credentials at the same time, to one authentication server. This is
useful for guest accounts or in laboratory environments. When the second user logs in with the same
credentials, the first user authenticated with the credentials is automatically logged out. The other
option you can select for user and group login limits is to limit your users or members of a group to a
single authenticated session. If you select this option, your users cannot log in to one authentication
server from different IP addresses with the same credentials. When a user is authenticated, and tries
to authenticate again, you can select whether the first user session is terminated when the subsequent
session is authenticated, or if the subsequent session is rejected.
User and group names on your Active Directory server are case-sensitive. When you add an
authorized user or group to your XTM device, the user or group name must have the same
capitalization used in the name on the Active Directory server.
1. Create a group on your third-party authentication server that contains all the user accounts on
your system.
2. Select Authentication > Users and Groups.
The Authentication Users and Groups page appears.
3. Click Add.
The Add User or Group dialog box appears.
4. For the Type option, select Group or User.
5. Type a user or group name that you created on the authentication server.
The user or group name is case-sensitive and must match the capitalization used on the
authentication server.
6. (Optional) Type a description for the user or group.
7. From the Authentication Server drop-down list, select your authentication server.
8. To enable login limits, select the Enable login limits for each user or group check box and
follow the instructions in the subsequent sections to select an option:
- Allow Unlimited Concurrent Login Sessions
- Limit Login Sessions
9. Click Add.
10. Click Save.
Allow Unlimited Concurrent Login Sessions
You can allow more than one user to authenticate with the same user credentials at the same time, to
one authentication server. This is useful for guest accounts or in laboratory environments. When the
second user logs in with the same credentials, the first user authenticated with the credentials is
automatically logged out. If you do not allow this feature, a user cannot authenticate to the
authentication server more than once at the same time.
From the Define User or Group dialog box:
1. Select the Enable login limits for each user or group check box.
2. Select Allow unlimited concurrent firewall authentication logins from the same account.
For Mobile VPN with IPSec and Mobile VPN with SSL users, concurrent logins from the same account
are always supported regardless of whether this option is selected. These users must log in from
different IP addresses for concurrent logins, which means that they cannot use the same account to
log in if they are behind an XTM device that uses NAT. Mobile VPN with PPTP and Mobile VPN with
L2TP users do not have this restriction.
Limit Login Sessions
Fromthe Authentication Settings page, you can limit your users to a specific number of
authenticated sessions. If you select this option, you can specify the number of times your users can
use the same credentials to log in to one authentication server from different IP addresses. When a
user is authenticated and tries to authenticate again, you can select whether the first user session is
terminated when a subsequent session is authenticated, or if the subsequent sessions are rejected.
From the Define User or Group dialog box:
1. Select the Enable login limits for each user or group check box.
2. Select Limit concurrent user sessions to.
3. In the text box, type or select the number of allowed concurrent user sessions.
4. From the drop-down list, select an option:
- Reject subsequent login attempts
- Allow subsequent login attempts and logoff the first session.
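The Limit Login Sessions behaviour above (and the login-limit description under Define Users and Groups for Third-Party Authentication) modelled in code: a per-account, per-server session count with the two choices for a subsequent login, reject it or accept it and log off the first session. This is an added example, not WatchGuard code and not part of this guide; the server name, account name and client addresses are constructed.

```python
"""Model the login-limit options for an authorized user or group.

Added example; not WatchGuard code and not from the documentation. It
implements the behaviour the guide describes for "Limit concurrent user
sessions to" with either choice for a further login from the same account:
reject the new attempt, or allow it and log off the first (oldest) session.
Sessions are counted per account and authentication server. The server
name, account and client addresses used below are constructed values.
"""
import itertools

REJECT_SUBSEQUENT = "reject subsequent login attempts"
LOGOFF_FIRST = "allow subsequent login attempts and logoff the first session"


class LoginLimiter:
    """Tracks authenticated sessions and enforces the concurrent-session limit."""

    def __init__(self, max_sessions, on_excess=REJECT_SUBSEQUENT):
        if max_sessions < 1:
            raise ValueError("max_sessions must be at least 1")
        if on_excess not in (REJECT_SUBSEQUENT, LOGOFF_FIRST):
            raise ValueError("unknown option: %r" % on_excess)
        self.max_sessions = max_sessions
        self.on_excess = on_excess
        # (server, account) -> sessions in login order, oldest first
        self._sessions = {}
        self._ids = itertools.count(1)

    def active_sessions(self, server, account):
        """Copy of the live sessions for one account on one server."""
        return list(self._sessions.get((server, account), []))

    def login(self, server, account, client_ip):
        """Apply the limit to a new login and record the session if accepted."""
        sessions = self._sessions.setdefault((server, account), [])
        logged_off = None
        if len(sessions) >= self.max_sessions:
            if self.on_excess == REJECT_SUBSEQUENT:
                return {"accepted": False, "session_id": None, "logged_off": None,
                        "reason": "concurrent session limit %d reached"
                                  % self.max_sessions}
            logged_off = sessions.pop(0)  # terminate the first session
        session = {"id": next(self._ids), "client_ip": client_ip}
        sessions.append(session)
        return {"accepted": True, "session_id": session["id"],
                "logged_off": logged_off, "reason": None}

    def logout(self, server, account, session_id):
        """Remove one session; returns False if it was not active."""
        sessions = self._sessions.get((server, account), [])
        remaining = [s for s in sessions if s["id"] != session_id]
        removed = len(remaining) != len(sessions)
        sessions[:] = remaining
        return removed


if __name__ == "__main__":
    limiter = LoginLimiter(1, LOGOFF_FIRST)
    print(limiter.login("ad.example.com", "guest", "10.0.2.15"))
    # Second login from another address: accepted, first session logged off.
    print(limiter.login("ad.example.com", "guest", "10.0.2.99"))
```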
Add Users and Groups to Policy Definitions
Any user or group that you want to use in your policy definitions must be added as an authorized user.
All users and groups you create for Firebox authentication, and all Mobile VPN users, are automatically
added to the list of authorized users and groups on the Authorized Users and Groups dialog box.
You can add any users or groups from third-party authentication servers to the authorized user and
group list with the previous procedure. You are then ready to add users and groups to your policy
configuration.
1. Select Firewall > Firewall Policies.
The Firewall Policies page appears.
2. Select a policy from the list and click Action > Edit Policy.
Or, double-click a policy.
The Policy Configuration page appears.
3. Below the From list, click Add.
The Add Member dialog box appears.
4. From the Member Type drop-down list, select Firewall User.
The list of available users appears.
If your user or group does not appear in the Groups list, see Define a New User for Firebox
Authentication on page 522, Define a New Group for Firebox Authentication on page 526, or the
previous Define users and groups for third-party authentication procedure, and add the user or
group.
5. Select a user and click OK.
After you add a user or group to a policy configuration, Fireware XTM Web UI automatically adds a
WatchGuard Authentication policy to your XTM device configuration. Use this policy to control access
to the authentication portal web page. For instructions to edit this policy, see Use Authentication to
Restrict Incoming Traffic on page 469.
Enable a Hotspot
You can configure the guest network on your Firebox or XTM device as a hotspot to give Internet
connectivity to your visitors or customers. When you enable the hotspot feature, you have more control
over connections to your guest network. You can configure the hotspot feature for connections to either
a wireless or a wired guest network on your Firebox or XTM device. You can also configure the hotspot
feature for connections through a WatchGuard Access Point (AP) device.
When you configure your Firebox or XTM device as a hotspot, you can customize:
- A splash screen that users see when they connect
- The terms and conditions that users must accept before they can browse to a web site
- The maximum length of time a user can be continuously connected
- The interface on the Firebox or XTM device on which the hotspot runs:
  - Any wireless interface (Access point 1, Access point 2, or a wireless guest network)
  - Any physical interface (trusted or optional interfaces only)
  - Any VLAN interface
  - Any bridge interface
If you configure the hotspot for connections through a WatchGuard AP device, the interface you select
for the hotspot depends on the interface configuration on the AP device.
- If you use VLAN tagging in your AP device SSID configuration, you can enable a hotspot for
one SSID. Select the VLAN interface that corresponds to the VLAN ID that is set in the SSID
you select on the AP device.
- If you do not use VLAN tagging in your SSID configuration, select the interface on the Firebox or
XTM device that your AP device is connected to.
For more information about how to configure an SSID for a WatchGuard AP device, see Configure
WatchGuard AP Device SSIDs on page 365.
If you enable a hotspot on a wireless Firebox or XTM device, you can select one of these interfaces:
- WG-Wireless-Access-Point1: This is the Access Point 1 interface in the Firebox or
XTM device wireless settings.
- WG-Wireless-Access-Point2: This is the Access Point 2 interface in the Firebox or
XTM device wireless settings.
- WG-Wireless-Guest: This is the Wireless guest interface in the Firebox or XTM device
wireless settings.
When you enable the hotspot feature, the Allow Hotspot-Users policy is automatically created. This
policy allows connections from the guest interface to your external interfaces. This gives hotspot users
access to the Internet without access to computers on your trusted and optional networks.
If your hotspot is for a wireless network connection, before you set up a wireless hotspot, you must
configure the settings for your wireless guest network as described in Enable a Wireless Guest
Network (Fireware XTM OS v11.8.x and Older).
To enable the hotspot:
1. Select Authentication > Hotspot.
2. Select the Enable Hotspot check box and select an interface from the drop-down list.
You cannot select an External physical interface for a hotspot.
3. Complete the configuration settings as described in the subsequent sections.
Configure User Timeout Settings
You can configure timeout settings to limit the amount of time that users can continuously use your
hotspot. When the timeout period expires, the user is disconnected. When users are disconnected,
they lose all Internet connectivity, but are still connected to the network. The hotspot splash screen
reappears and the users must accept the Terms and Conditions again before they can continue to use
the hotspot. You can also specify the amount of time users are locked out of the hotspot after their
sessions expire.
1. In the Session timeout text box and drop-down list, type or select the maximum amount of
time a user can remain continuously connected to your hotspot, and select the unit of time.
If the Session timeout is set to 0 (the default value), guest users are not disconnected after a
specified time interval.
2. In the Idle timeout text box and drop-down list, type or select the amount of time that a user
must be idle for the connection to time out, and select the unit of time.
If the Idle timeout is set to 0, users are not disconnected if they do not send or receive traffic.
3. In the User locked out text box and drop-down list, type or select the amount of time a user
cannot connect to the hotspot again after the hotspot session times out.
If the User locked out value is set to 0, users are not locked out of the hotspot.
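The three timers above (Session timeout, Idle timeout and User locked out, each disabled by a value of 0) modelled as the state of one hotspot user: an expired user loses connectivity and must accept the Terms and Conditions again, and a non-zero lockout keeps the user out for that long after the session expires. This is an added example, not WatchGuard code and not part of this guide; the settings and timestamps are constructed and expressed in seconds.

```python
"""Evaluate hotspot Session timeout, Idle timeout and User locked out timers.

Added example; not WatchGuard code and not from the documentation. It
applies the rules the guide gives: a value of 0 disables that timer, an
expired user loses Internet connectivity and must accept the Terms and
Conditions again, and a non-zero lockout keeps the user out of the hotspot
for that long after the session times out. Times are in seconds; the
settings and timestamps used with this class are constructed.
"""


class HotspotUser:
    """State for one hotspot client, driven by accept_terms(), traffic() and check()."""

    def __init__(self, settings):
        # settings keys: session_timeout, idle_timeout, user_locked_out (0 = off)
        self.settings = settings
        self.connected_since = None   # time the terms were last accepted
        self.last_traffic = None
        self.locked_until = None

    def accept_terms(self, now):
        """The user accepts the splash screen; returns False while locked out."""
        if self.locked_until is not None and now < self.locked_until:
            return False
        self.connected_since = now
        self.last_traffic = now
        self.locked_until = None
        return True

    def traffic(self, now):
        """Record traffic from the user, which resets the idle timer."""
        if self.connected_since is not None:
            self.last_traffic = now

    def check(self, now):
        """Return "connected", "locked_out" or "splash" (must accept terms again)."""
        if self.connected_since is None:
            if self.locked_until is not None and now < self.locked_until:
                return "locked_out"
            return "splash"
        expiry = self._expiry_time()
        if expiry is None or now < expiry:
            return "connected"
        # The session timed out: drop connectivity and start the lockout
        # from the moment the session expired, not from this check.
        self.connected_since = None
        lockout = self.settings.get("user_locked_out", 0)
        self.locked_until = expiry + lockout if lockout > 0 else None
        if self.locked_until is not None and now < self.locked_until:
            return "locked_out"
        return "splash"

    def _expiry_time(self):
        """Earliest time at which an enabled timer expires, or None if both are 0."""
        candidates = []
        session_limit = self.settings.get("session_timeout", 0)
        if session_limit > 0:
            candidates.append(self.connected_since + session_limit)
        idle_limit = self.settings.get("idle_timeout", 0)
        if idle_limit > 0:
            candidates.append(self.last_traffic + idle_limit)
        return min(candidates) if candidates else None


if __name__ == "__main__":
    user = HotspotUser({"session_timeout": 3600, "idle_timeout": 600,
                        "user_locked_out": 300})
    user.accept_terms(0)
    user.traffic(500)
    # Idle since 500, so the session expires at 1100 and the lockout ends at 1400.
    print(user.check(1000), user.check(1150), user.check(1400))
```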
Select the Hotspot Type
Select a hotspot type to specify how your Firebox or XTM device manages the initial user connection
to your hotspot.
There are two hotspot types:
Custom Page
For a Custom Page hotspot, when a user connects to the hotspot URL, the Firebox or XTM
device shows the hotspot splash screen that you configure on the Firebox or XTM device. The
user must accept the terms and conditions you specify in order to use the hotspot. Custom
Page is the most common hotspot type, and is the default type.
External Guest Authentication
For an External Guest Authentication hotspot, when a user connects to the hotspot URL, the
Firebox or XTM device redirects the user to a URL on an external web server that you set up.
You configure the page on the external web server to perform user authentication, or collect any
user information you want from hotspot users. After the hotspot user attempts to authenticate
on the external web server, the web server returns a result that tells the Firebox or XTM device
whether to allow the user to use the hotspot.
To specify the type of hotspot:
1. From the Hotspot Type drop-down list, select the hotspot type.
2. Complete the configuration settings for the type of hotspot you selected:
- Configure the Hotspot Custom Page on page 571
- Configure the Hotspot for External Guest Authentication on page 588
Configure the Hotspot Custom Page
If you selected the Custom Page hotspot type, when users connect to your hotspot, the hotspot
custom splash page that you configure appears. This is a web page that shows the terms and
conditions users must agree to before they can use the hotspot. You can configure the text that
appears on the splash page and the appearance of the page. You can also redirect hotspot users to a
specified web page after they accept the terms and conditions.
You can customize these elements of the hotspot custom page:
- Page Title: Located at the top of the page
- Welcome Message: Located below the page title
- Logo: Located at the top left of the page, adjacent to the page title
- Terms and Conditions: This text appears in a scrolling text box in the center of the page.
Each hotspot user must select the I have read and accept the terms and conditions check
box below this text to accept your terms and conditions before they can use your hotspot.
- Redirected URL: Specify a URL to send users to after they accept the terms and conditions.
- Font and Size: Select the font and font size for the text that appears on the page.
- Text color: The color for the hotspot splash screen text. The default color is #000000 (black).
- Background color: The color for the hotspot splash screen background. The default color is
#FFFFFF (white).
When you select the Custom Page hotspot type, you must configure the settings for the Page title
and the Terms and Conditions. All other settings are optional.
Before you begin, you must Enable a Hotspot.
To configure the Custom Page settings for your hotspot, on the Hotspot page:
1. From the Hotspot Type drop-down list, select Custom Page.
2. In the Page title text box, type the title text to appear at the top of the custom page.
3. To include a welcome message, select the Welcome message check box and in the text box,
type the text to appear at the top of the page.
4. (Optional) To use a custom logo on the splash screen:
a. Select the Use a custom logo if available check box.
b. Click Upload Logo.
The Upload Logo page appears in a new tab or window.
c. Click Browse and select your custom logo file.
The logo file must be in .jpg, .gif, or .png format. We recommend that the image be no larger
than 90 x 50 pixels (width x height), or 50 kB.
d. Click Upload.
The file is uploaded to your device and the Upload Logo page on the new tab or window
automatically closes.
e. After the file upload is complete, if the Upload Logo page does not automatically close,
click Close Window.
5. In the Terms and Conditions text box, type or paste the text your users must agree to before
they can use the hotspot. The maximum length is 20,000 characters.
6. To automatically redirect users to a web site after they accept the Terms and Conditions, in the
Redirected URL text box, type the URL of the web site.
7. (Optional) To customize the fonts for your splash screen Welcome page:
- Font: From the Font drop-down list, select a font.
If you do not specify a font, the Welcome page uses the default browser font for each user.
- Size: From the Size drop-down list, select the text size.
The default text size is Medium.
8. (Optional) To change the default colors for any of the subsequent options, click and select
another color from the color palette.
Or, type the HTML color code in the text box.
- Text Color
- Background Color
9. Click Preview Splash Screen.
A preview of the splash screen appears in a new browser window. Make sure your browser allows
pop-up windows.
10. Close the preview browser window.
11. Click Save.
Connect to a Hotspot
If you selected the Custom Page hotspot type, you can connect to the hotspot to review the splash
screen settings.
If you selected the External Guest Authentication hotspot type, the connection steps are different,
and depend on how you configure the external web server. For more information, see About Hotspot
External Guest Authentication.
To review the hotspot splash screen:
1. Connect to your guest network with the SSID and other settings that you configured for the
guest network.
To connect to a wireless guest network, you must use a wireless client.
2. In a web browser, browse to any web site.
The hotspot splash screen appears in the browser.
3. Select the I have read and accept the terms and conditions check box.
4. Click Continue.
The browser displays the original URL you requested. Or, if the hotspot is configured to automatically
redirect the browser to a URL, the browser goes to the web site.
The content and appearance of the hotspot splash screen can be configured with the hotspot settings
for your guest network.
The URL of the hotspot splash screen is http://<IP address of the guest network>:4106/hotspot.
See Hotspot Connections
When you enable the hotspot feature, you can see information about the number of clients that are
connected to the hotspot. You can also disconnect clients.
To see the list of connected hotspot clients:
1. Connect to Fireware XTM Web UI for your XTM device.
2. Select System Status > Hotspot Clients.
The Hotspot Clients page appears, with the IP address and MAC address displayed for each
connected client.
To disconnect a client from the hotspot, on the Hotspot Clients page:
1. Select one or more connected hotspot clients.
2. Click Disconnect.
For more information, see Hotspot Clients on page 937.
About Hotspot External Guest Authentication
If you have a WatchGuard XTM 21, 22, or 23 device, this feature is not available for
your device.
When you enable a hotspot for your wired or wireless guest network, you can select the External
Guest Authentication hotspot type. With this hotspot type, the XTM device sends new hotspot users
to an external web server for authentication. External Guest Authentication is not related to other types
of user authentication supported by the XTM device.
Use this hotspot type if you want to automatically connect new hotspot users to an external web server
that collects and verifies authentication credentials or other information for the hotspot user. Based on
the information the user provides, the external web server sends an access decision to the XTM
device. The XTM device then either allows or denies the user access to the hotspot.
This feature is described in terms of authentication, but it does not require the
external web server to do user authentication. You can create an authentication page
on your web server to ask hotspot users for any information that you want to use as
criteria for access to your hotspot.
Before You Begin
Before you configure the external web server and enable external guest authentication on the
XTM device, you must select the shared secret, authentication URL, and authentication failure URL to
use. These settings affect the configuration of the external web server and the hotspot configuration on
the XTM device.
Shared Secret
The shared secret is used to generate and validate a checksum included with the access
decision. The external web server uses the shared secret to calculate a checksum it includes
with the access decision sent to the XTM device. The XTM device uses the shared secret to
verify the checksum received with the access decision. The shared secret must be between 1
and 32 characters.
Authentication URL
This is the URL on the external web server of the web page where a hotspot user authenticates.
In the XTM hotspot configuration, the Authentication URL must begin with https:// or http:// and
must use the IP address of the web server, rather than a domain name.
Authentication Failure URL
This is the URL on the external web server of the web page the hotspot user sees if external
guest authentication is not successful. In the XTM hotspot configuration, the Authentication
Failure URL must begin with https:// or http:// and must use the IP address of the web server,
rather than a domain name.
Configuration
Because configuration of the web server requires web programming, we recommend that you configure
the web server first. A link to a code example is included in the setup instructions for the web server.
After you set up the web server, configure the XTM hotspot for External Guest Authentication.
For details about the configuration requirements and procedures, see:
- Configure a Web Server for Hotspot External Guest Authentication
- Configure the Hotspot for External Guest Authentication
After you have configured your web server and hotspot, you can test external guest authentication on
your hotspot and review the log messages to identify any errors. For more information, see
Troubleshoot Hotspot External Guest Authentication.
For an example of the script on the external web server, see the WatchGuard Knowledge Base at
http://customers.watchguard.com/.
External Guest Authentication Example
Communication between the XTM device and the external authentication server occurs through the
hotspot client browser. The XTM device and authentication server use the parameters specified in the
URLs to allow the communication. This example provides some example URLs that show at a high
level how external authentication operates. For more details and a description of all the parameters in
each URL, see Configure a Web Server for Hotspot External Guest Authentication.
The URLs in this example are based on these configuration settings and assumptions:
- WatchGuard XTM device:
  - Guest Network IP address: 10.0.3.1
  - Optional interface IP address: 10.0.2.1
- External Web Server:
  - IP address: 10.0.2.80
  - Authentication URL: http://10.0.2.80:8080/auth.html
  - Authentication Failure URL: http://10.0.2.80:8080/failure.html
- Hotspot user:
  - MAC address: 9C:4E:36:30:2D:26
  - The hotspot user initially tries to connect to http://www.google.com.
Step 1: Hotspot User Authenticates
When a user initially tries to get access to a web site, the XTM device receives an HTTP request from
the hotspot user. The XTM device checks the MAC address to see if this user already has a current
hotspot session. If there is already a hotspot session for this MAC address, the XTM device allows or
denies the traffic based on the firewall policy configuration. If this is a new MAC address, to send the
access request URL to the external web server, the XTM device sends a redirect to the hotspot client
browser.
Example access request URL:
http://10.0.2.80:8080/auth.html?xtm=http://10.0.3.1:4106/wgcgi.cgi&action=hotspot_auth&ts=1344238620&sn=70AB02716F745&mac=9C:4E:36:30:2D:26&redirect=http://www.google.com/
The authentication page on the external web server appears in the hotspot user's browser. The hotspot
user provides the information required to authenticate.
Step 2: External Web Server Sends the Access Decision
After the external web server authenticates the hotspot user, it sends the access decision URL to the
XTM device through the hotspot client browser.
Example access decision URL:
http://10.0.3.1:4106/wgcgi.cgi?action=hotspot_auth&ts=1344238620&success=1&sig=a05d352951986e5fbf939920b260a6be3a9fffd3&redirect=http://www.google.com/
In this URL:
- success=1 means that the access decision from the web server was to allow access to this
URL.
- The URL specified in the redirect parameter of the access decision URL is the URL the hotspot
user originally requested.
- The external web server could optionally replace this with a different URL.
Step 3: XTM Device Allows or Denies Access
The XTM device reads the access decision (success=1 or success=0) and verifies the checksum. If
success=1 and the checksum verification is successful, the XTM device creates a hotspot session for
the client and redirects the client to the URL specified in the access decision URL. If success=0 or any
authentication error is detected, the XTM device redirects the client to the authentication failure URL.
In this example, authentication is successful, so the browser goes to the originally requested site,
http://www.google.com.
If authentication fails or if access was denied, the browser goes to the authentication failure URL.
Example failure URL:
http://10.0.2.80:8080/failure.html?error=510&sn=70A70272B454E&mac=9C:4E:36:30:2D:26
Configure a Web Server for Hotspot External Guest Authentication
Use these guidelines to configure a web server for hotspot external guest authentication. The web
server can be located on any network connected to the XTM device. We recommend that you install
the web server in the same part of your network as your other public servers.
External Authentication Process
This diagram summarizes the main steps in the interaction between the client browser, the XTM
device, and the external web server.
The steps in the external authentication process are:
1. A hotspot user tries to browse to a web page.
2. If this is a new hotspot user, the XTM device redirects the client browser to the Authentication
URL on the external web server.
This URL includes a query string that contains the access request.
3. The browser sends the access request to the external web server.
4. The external web server sends the Authentication page to the browser.
5. The hotspot user types the requested authentication information and submits the form to the
external web server.
6. The external web server processes the authentication information and sends an HTML page
that contains the decision URL to the browser.
7. The browser sends the access decision to the XTM device.
The access decision URL contains the access decision, a checksum, and a redirect URL.
8. The XTM device reads the access decision, verifies the checksum, and sends the redirect URL
to the hotspot user's browser.
Based on the outcome of the external authentication process, the redirect URL can be:
- The original URL the user browsed to, if the external web server sent the original redirect
URL.
- A different redirect URL, if the external web server sent a different redirect URL.
- The authentication failure URL, if authentication failed or access was denied.
9. The external web server sends a logoff URL to the XTM device to end the user hotspot session.
The main steps in this external authentication process are more fully described in the subsequent
sections.
Requirements
You can write the web program in Perl, Python, PHP, or any other language. For reference, we provide
a code example written in Python. The code example is attached to the Knowledge Base article Code
Example for Wireless Hotspot External Authentication.
On the web server, you must create three web pages to work with this feature:
- Authentication Page: Receives the authentication information from the hotspot user.
- Result Page: Returns the authentication result and redirects the client browser to send the
access decision to the XTM device.
- Authentication Failure Page: Shows error information if there is an error, or if access is
denied.
These pages are described in the subsequent sections.
For the web server to successfully communicate with your XTM device, you must make sure that the
web server can get access to the XTM device.
Authentication Page
The web server must send the authentication page to the hotspot client when it receives an access
request URL from the XTM device.
The web program must save all the information that comes in the access request URL, described in
Interaction Step 2. It can use the timestamp and MAC address parameters as a key or can use a file
name to save this data. After the client finishes authentication, the web program for the Result Page
must retrieve this data from the saved request and use it together with the shared secret to calculate a
hash checksum.
This example shows the format of an access request URL:
http://10.0.2.80:8080/auth.html?xtm=http://10.0.3.1:4106/wgcgi.cgi&action=hotspot_auth&ts=1344238620&sn=70AB02716F745&mac=9C:4E:36:30:2D:26&redirect=http://www.google.com/
The access request URL includes these parameters:
xtm: The URL on the XTM device where the external web server must send the access
decision.
action: The action type. The value is always hotspot_auth.
ts: The time stamp for the request.
sn: The serial number of the XTM device.
mac: The MAC address of the client.
redirect: The original URL the hotspot user tried to browse to.
You define the details of the authentication process. The XTM device must know only the access
decision and other parameters required to verify the integrity of the interaction.
Result Page
After the hotspot user provides the requested authentication information, the web program must
determine whether to allow access, based on the information provided by the hotspot user, and any
access criteria you specify. The web program must combine all the required parameters into one URL,
and include it in a web page that it sends to the client browser, as described in Interaction Step 6. This
URL is called the access decision URL.
This example shows the format of the access decision URL:
http://10.0.3.1:4106/wgcgi.cgi?action=hotspot_auth&ts=1344238620&success=1&sess_timeout=1200&idle_timeout=600&sig=a05d352951986e5fbf939920b260a6be3a9fffd3&redirect=http://www.google.com/
The access decision URL begins with the URL specified in the xtm parameter in the access request
URL.
The access decision URL must include all of these parameters:
action
The action type. The value must be hotspot_auth.
success
The decision about hotspot access. Set the value to 1 to allow the user to get access to the
hotspot, or 0 to not allow access.
sess_timeout
The session timeout value for the user hotspot connection. Specify the amount of time in
seconds that a user can be connected to the hotspot for each session. Set the value to 1 to use
the Session Timeout setting configured on the XTM device. Set the value to 0 to disable the
session timeout value. When you set the value to 0, the user connection to the hotspot does not
time out.
idle_timeout
The idle timeout value for the user hotspot connection. Specify the amount of time in seconds
that a user session connection to the hotspot can be idle before the session is disconnected.
Set the value to -1 to use the default Idle Timeout setting configured on the XTM device. Set the
value to 0 to disable the idle timeout value. When you set the value to 0, the user connection to
the hotspot does not expire when there is no traffic between the user client and the hotspot.
sig
A hex encoded string in lower case. It is a SHA1 checksum based on the values of ts, sn, mac,
success, sess_timeout, idle_timeout, and the shared secret. The shared secret you use to
calculate the hash checksum must match the shared secret configured in the hotspot settings
on the XTM device.
The formula to calculate the checksum value is Hash = SHA1(ts + sn + mac + success +
sess_timeout + idle_timeout + shared_secret). The XTM device uses the checksum to
validate the integrity of the interaction between the client browser and the external web server.
redirect
The redirect URL you want the XTM device to send to the hotspot user after successful
authentication. To redirect the browser to the original URL the user requested, use the value
originally received in the access request URL. To redirect users to a different URL, specify that
URL in this parameter.
In Interaction Step 6, the web page sends the access decision URL to the XTM device. This page also
causes the client browser to send the access decision to the XTM device in order to check the integrity
of the interaction and create a hotspot session for the client on the XTM hotspot.
This web page can use a hyperlink to send the whole decision URL or it can use a <form> to send a
message that contains all the fields in the authentication decision URL.
Example of hyperlink:
<a href="http://10.0.3.1:4106/wgcgi.cgi?action=hotspot_auth
&ts=1344238620&success=1&sess_timeout=1200&idle_timeout=600&
sig=a05d352951986e5fbf939920b260a6be3a9fffd3&redirect=http://www.google.com/"
>Connect</a>
Example of form:
<form action="http://10.0.3.1:4106/wgcgi.cgi" method="post">
<fieldset>
<input type="submit" name="Connect" value="Connect" title="Connect" />
<input type="hidden" name="action" value="hotspot_auth" />
<input type="hidden" name="ts" value="1344238620" />
<input type="hidden" name="success" value="1" />
<input type="hidden" name="sess_timeout" value="1200" />
<input type="hidden" name="idle_timeout" value="600" />
<input type="hidden" name="sig"
value="a05d352951986e5fbf939920b260a6be3a9fffd3" />
<input type="hidden" name="redirect" value="http://www.google.com/" />
</fieldset>
</form>
Authentication Failure Page
After Interaction Step 7, if the XTM device detects any error in the authentication process, for example
a URL parameter error, create session error, or invalid checksum, the XTM device redirects the client
browser to the failure page of the external web server in Interaction Step 8.
The XTM device constructs the failure URL with an error code to indicate why the authentication did
not succeed. You can use these codes as the basis for messages to the user on the authentication failure
page.
This example shows the format of the failure URL:
http://10.0.2.80:8080/failure.html?error=510&sn=70A70272B454E&mac=9C:4E:36:30:2D:28
The failure URL includes these parameters:
- error: The error number that indicates the reason for failure.
- sn: The serial number of the XTM device.
- mac: The MAC address of the client.
The XTM device can set the error parameter to one of these error numbers:
Error   Reason for Failure
510     Invalid authentication result or signature
511     Invalid CGI parameter
512     Create hotspot session failed
513     Internal error
514     External authentication failed (success=0)
You can configure the authentication failure page on the external web server to show different
messages to the hotspot user based on the error code.
Logoff URL
If the external web server must log off a specified client, it sends a logoff URL to the XTM device that
includes the MAC address of the client to log off. Each logoff URL can log off only one client at a time.
For the XTM device to be able to successfully log off a client, the external web server must include
these specific details in the logoff URL:
action
The action type. The value must always be hotspot_logoff.
mac
The MAC address of the client to log off. The web server can use the same MAC address used
in the access request URL.
sig
A hex encoded string in lower case. It is a SHA1 checksum based on the mac value and the
shared secret. The shared secret you use to calculate the hash checksum must match the
shared secret configured in the hotspot settings on the XTM device.
The formula to calculate the checksum value is sig = SHA1(mac + secret). The XTM device
uses the checksum value to identify the external web server. This enables the XTM device to
only allow logoff requests from legitimate sources, and to make sure logoff requests from
malicious sources are denied.
The external web server uses these parameters to generate the logoff URL in this format:
http://10.0.3.1:4106/wgcgi.cgi?action=hotspot_logoff&mac=9C:4E:36:30:2D:26&sig=03349009b213b701871b936007cd92bc0eb94376
When the XTM device receives the logoff URL from the external web server, it sends one of these
responses:
Success or failure of the user hotspot session log off
<?xml version="1.0"?>
<authentication>
<logoff_list>
<logoff>
<session_id>12</session_id>
<success>1</success>
</logoff>
</logoff_list>
</authentication>
A <success> value of 0 means the logoff attempt failed. A <success> value of 1 means the
logoff attempt succeeded.
The user hotspot session was not found
<?xml version="1.0"?>
<authentication>
<logoff_list/>
</authentication>
This message appears if the session already timed out or was deleted.
An internal error occurred
<?xml version="1.0"?>
<authentication>
<internal_error/>
</authentication>
You can review the error messages to see if there is a problem with the logoff URL settings and adjust
them as necessary.
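The two checksums defined above (the access decision sig from the Result Page section and the logoff sig), together with the device-side checks that produce the error numbers in the failure table, worked through as an added Python example. This is not WatchGuard's code or the Knowledge Base script; the shared secret, the pending-request store, and the reading of "+" in the formulas as plain string concatenation with no separator are assumptions, while the URL values are the ones used in this section.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example: not the secret or serial number of any real device.
SHARED_SECRET = "example-shared-secret"
ACCESS_REQUEST_URL = (
    "http://10.0.2.80:8080/auth.html?xtm=http://10.0.3.1:4106/wgcgi.cgi"
    "&action=hotspot_auth&ts=1344238620&sn=70AB02716F745"
    "&mac=9C:4E:36:30:2D:26&redirect=http://www.google.com/"
)

# Error numbers from the failure URL table. "Request not found" appears only as a
# log message in the troubleshooting section, so it gets a label, not a number.
ERR_INVALID_SIG = 510
ERR_INVALID_PARAM = 511
ERR_AUTH_FAILED = 514
ERR_REQUEST_NOT_FOUND = "request_not_found"


def _query(url):
    """Query string of url as a dict of single, percent-decoded values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def parse_access_request(url):
    """Web server side: the fields the XTM device put in the access request URL.
    The web program must keep these (keyed by ts and mac) until the Result Page
    needs them for the checksum. Raises KeyError if a field is absent."""
    q = _query(url)
    return {k: q[k] for k in ("xtm", "action", "ts", "sn", "mac", "redirect")}


def decision_sig(ts, sn, mac, success, sess_timeout, idle_timeout, secret):
    """Hash = SHA1(ts + sn + mac + success + sess_timeout + idle_timeout + shared_secret),
    read as plain concatenation with no separator (assumption); lower-case hex."""
    data = f"{ts}{sn}{mac}{success}{sess_timeout}{idle_timeout}{secret}"
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def build_access_decision_url(req, success, sess_timeout, idle_timeout, secret,
                              redirect=None):
    """Web server side: the access decision URL for the Result Page link or form.
    redirect defaults to the URL the user originally asked for; urlencode
    percent-encodes it and the device's CGI decodes it again."""
    params = {
        "action": "hotspot_auth",
        "ts": req["ts"],
        "success": str(success),
        "sess_timeout": str(sess_timeout),
        "idle_timeout": str(idle_timeout),
        "sig": decision_sig(req["ts"], req["sn"], req["mac"], success,
                            sess_timeout, idle_timeout, secret),
        "redirect": redirect or req["redirect"],
    }
    return req["xtm"] + "?" + urlencode(params)


def verify_access_decision(url, client_mac, pending, secret):
    """Model of the XTM device's checks (not the device's own code). pending maps
    (ts, mac) -> stored access request; an entry is consumed on first use, so a
    replayed decision URL is rejected. Returns (allowed, error, redirect)."""
    q = _query(url)
    required = ("ts", "success", "sess_timeout", "idle_timeout", "sig", "redirect")
    if q.get("action") != "hotspot_auth" or any(k not in q for k in required):
        return False, ERR_INVALID_PARAM, None
    req = pending.pop((q["ts"], client_mac), None)
    if req is None:
        return False, ERR_REQUEST_NOT_FOUND, None
    # sn and mac come from the stored request and the connecting client, never from
    # the decision URL, so a forged URL cannot sign for another device or client.
    expected = decision_sig(q["ts"], req["sn"], client_mac, q["success"],
                            q["sess_timeout"], q["idle_timeout"], secret)
    if not hmac.compare_digest(q["sig"].encode(), expected.encode()):  # upper-case hex fails too
        return False, ERR_INVALID_SIG, None
    if q["success"] != "1":
        return False, ERR_AUTH_FAILED, None
    return True, None, q["redirect"]


def logoff_sig(mac, secret):
    """sig = SHA1(mac + secret) for the logoff URL."""
    return hashlib.sha1(f"{mac}{secret}".encode("utf-8")).hexdigest()


def build_logoff_url(xtm_url, mac, secret):
    """Web server side: logoff URL for one client."""
    return xtm_url + "?" + urlencode(
        {"action": "hotspot_logoff", "mac": mac, "sig": logoff_sig(mac, secret)})


def verify_logoff(url, secret):
    """Model of the device check that only a holder of the shared secret can log a client off."""
    q = _query(url)
    if q.get("action") != "hotspot_logoff" or "mac" not in q or "sig" not in q:
        return False
    return hmac.compare_digest(q["sig"].encode(), logoff_sig(q["mac"], secret).encode())
```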
Configure the Hotspot for External Guest Authentication
After you configure your external web server for external guest authentication, you can configure the
hotspot on the XTM device to use the web server for hotspot authentication.
Before you begin, you must Enable a Hotspot.
To configure the External Guest Authentication settings for your hotspot:
1. On the Hotspot Configuration page, select the Enable Hotspot check box.
2. From the Hotspot Type drop-down list, select External Guest Authentication.
The External Guest Authentication settings appear.
3. In the Shared Secret and Confirm text boxes, type the shared secret.
This must be the same shared secret the external web server uses to create the checksum value it
sends with the access decision.
4. In the Authentication URL text box, type the URL of the authentication page on the external
web server.
The Authentication URL must begin with https:// or http:// and must specify the IP address
of the web server, not a domain name.
For example, http://10.0.2.80:8080/auth.html.
5. In the Authentication Failure URL text box, type the URL of the authentication failure page on
the external web server.
The Authentication Failure URL must begin with https:// or http:// and must specify the
IP address of the web server, not a domain name.
For example, http://10.0.2.80:8080/failure.html.
When you enable external guest authentication, these policies are automatically created:
- Allow External Web Server: Allows TCP connections from users on the guest network to
the external web server IP address and the port you use for hotspot external guest
authentication.
- Allow Hotspot Session Mgmt: Allows connections from the external web server IP address
to the XTM device.
- Allow Hotspot-Users: Allows connections from the hotspot to addresses external to the
XTM device.
Troubleshoot Hotspot External Guest Authentication
After the external web server and the XTM device are configured for external guest authentication, you
can use log messages on the XTM device to look at any errors that occur. This list shows log message
examples for a few of the more common error types and the possible cause and resolution for each.
Error type: missing a parameter in the decision URL
Log message example
Nov 2 18:20:32 2012 Firebox local3.err wgcgi[23924]: Hotspot auth failed, errcode=511
Possible cause
Missing parameter in the access decision URL.
Solution
Make sure the decision URL contains all the required parameters.
For information about required parameters, see Configure a Web Server for Hotspot External
Guest Authentication.
Error type: client request not found in the appliance
Log message example
Nov 2 18:28:14 2012 Firebox local3.err admd[1456]: Hotspot client request not found
Possible causes
Request timeout: The hotspot user must provide the authentication information within five
minutes. Otherwise, the request times out and is deleted.
Timestamp (parameter ts in the decision URL) is invalid: The XTM device uses the
timestamp and MAC address of the client to retrieve the client access request. If the ts
parameter is invalid, it cannot find the request.
Request has been used: After an access request is retrieved by the XTM device, it is deleted.
Do not send the same request multiple times.
Solution
Retype the original URL in the client web browser to get access to the Internet again in order to
create a new access request on the XTM device.
Error type: hash checksum is invalid
Log message example
Nov 2 18:43:52 2012 Firebox local3.err admd[1456]: Hash is invalid for this hotspot client
Possible causes
Parameter success in the decision URL is not 1: If parameter success does not equal 1,
authentication fails.
Parameter sig in the decision URL is invalid: If the checksum generated by the web server
does not match the checksum generated by the XTM device, authentication fails.
Solution
Check the hash checksum calculation. It must be a hex encoded string in lower case.
For the formula to calculate the hash checksum, see Configure a Web Server for Hotspot
External Guest Authentication.
12 Policies
About Policies
The security policy of your organization is a set of definitions to protect your computer network and the
information that goes through it. The XTM device denies all packets that are not specifically allowed.
When you add a policy to your XTM device configuration file, you add a set of rules that tell the XTM
device to allow or deny traffic based upon factors such as source and destination of the packet or the
TCP/IP port or protocol used for the packet.
As an example of how a policy could be used, suppose the network administrator of a company wants
to log in remotely to a web server protected by the XTM device. The network administrator manages
the web server with a Remote Desktop connection. At the same time, the network administrator wants
to make sure that no other network users can use Remote Desktop. To create this setup, the network
administrator adds a policy that allows RDP connections only from the IP address of the network
administrator's desktop computer to the IP address of the web server.
A policy can also give the XTM device more instructions on how to handle the packet. For example,
you can define logging and notification settings that apply to the traffic, or use NAT (Network Address
Translation) to change the source IP address and port of network traffic.
Packet Filter and Proxy Policies
Your XTM device uses two categories of policies to filter network traffic: packet filters and proxies. A
packet filter examines each packet's IP and TCP/UDP header. If the packet header information is
legitimate, then the XTM device allows the packet. Otherwise, the XTM device drops the packet.
A proxy examines both the header information and the content of each packet to make sure that
connections are secure. This is also called deep packet inspection. If the packet header information is
legitimate and the content of the packet is not considered a threat, then the XTM device allows the
packet. Otherwise, the XTM device drops the packet.
Add Policies to Your XTM device
The XTM device includes many pre-configured packet filters and proxies that you can add to your
configuration. For example, if you want a packet filter for all Telnet traffic, you add a pre-defined Telnet
policy that you can modify for your network configuration. You can also make a custom policy for
which you set the ports, protocols, and other parameters.
When you configure the XTM device with the Quick Setup Wizard, the wizard adds several packet
filters: Outgoing (TCP-UDP), FTP, ping, and up to two WatchGuard management policies. If you have
more software applications and network traffic for the XTM device to examine, you must:
- Configure the policies on your XTM device to let the necessary traffic through
- Set the approved hosts and properties for each policy
- Balance the requirement to protect your network against the requirements of your users to get
access to external resources
We recommend that you set limits on outgoing access when you configure your XTM device.
In all documentation, we refer to both packet filters and proxies as policies.
Information on policies refers to both packet filters and proxies unless otherwise
specified.
About the Policies Pages
The policies included in your current XTM device configuration appear on the Firewall Policies and
Mobile VPN Policies pages. From these pages you can see configuration information, such as
source and destination addresses, assigned ports, policy-based routing, and application control
settings, as well as whether notification, scheduling, and QoS/Traffic Management are configured. You
can also add, edit, and delete policies on these pages.
By default, Fireware XTM Web UI sorts policies from the most specific to the most general. The order
determines how traffic flows through the policies.
For more information about how to add policies, see Add Policies to Your Configuration on page 598.
This information appears for each policy:
Order
The order in which the policies are sorted, and how traffic flows through the policies. Policies
are automatically sorted from the most specific to the most general. To manually select the
order in which the policies are applied, you can switch to Manual-Order Mode. When the Policy
List is in Manual-Order Mode, you can sort the policy list by column.
To switch to Manual-Order Mode and change the policy order:
1. Click Disable policy Auto-Order mode.
A confirmation message appears.
2. Click Yes to enable Manual-Order Mode.
3. Select one or more policies in the list and click Move Up or Move Down.
4. Click Save Policy Order.
For more information on policy order, see About Policy Precedence.
Action
The action taken by the policy for traffic that matches the policy definition. The symbols in this
column also indicate whether the policy is a packet filter policy or a proxy policy, and the
settings that are configured for the policy:
- Packet filter policy; traffic is allowed
- Packet filter policy; traffic is denied
- Disabled packet filter policy
- Proxy policy; traffic is allowed
- Proxy policy; traffic is denied
- Disabled proxy policy
- Application Control is configured
- Traffic Management/QoS is configured
- Scheduling is configured
- Logging is enabled
- Notification is enabled
Policy Name
Name of the policy, as defined in the Name text box on the Policy Configuration page.
Type
The protocol that the policy manages. Packet filters include the protocol name only. Proxies
include the protocol name and -proxy. ALGs include the protocol name and -ALG.
From
The source addresses for this policy.
To
The destination addresses for this policy.
Port
Protocols and ports used by the policy.
PBR
The interface numbers that are used for failover in the policy-based routing settings for the
policy.
Application Control
The Application Control action enabled for the policy.
For more information, see Enable Application Control in a Policy.
Tags
The policy tags that are applied to the policy. To show only the policies that have particular tags,
apply a policy filter from the Filter drop-down list.
For more information, see About Policy Tags and Filters on page 605.
About the Outgoing Policy
The Outgoing policy is a packet filter policy that is automatically added to your XTM device
configuration when you run the Quick Setup Wizard to set up your device and create a basic device
configuration file. The Outgoing policy allows all TCP and UDP connections from any trusted or
optional source on your network to any external network. Because it is a packet filter policy, not a
proxy policy, the Outgoing policy does not filter content when it examines the traffic through your XTM
device.
If you remove the Outgoing policy from your device configuration file, you must add policies to your
configuration that allow outbound traffic. You can either add a separate policy for each type of traffic
that you want to allow out through your firewall, or you can add the TCP-UDP packet filter or
TCP-UDP-proxy policy.
For more information about the TCP-UDP proxy, see About the TCP-UDP-Proxy.
Add Policies to Your Configuration
To add a firewall or Mobile VPN policy:
1. Select Firewall > Firewall Policies or Firewall > Mobile VPN Policies.
The Policies page you selected appears.
2. Click Add Policy.
3. In the Policy Name text box, type a name for the policy.
4. For a Mobile VPN policy, from the Select a group drop-down list, select an existing Mobile
VPN group.
5. Select a policy type:
- Packet Filter
- Proxies
- Custom
6. For a packet filter, from the Packet Filter drop-down list, select a policy type.
For a proxy, from the first drop-down list, select a proxy, and from the second drop-down list,
select a proxy action.
For a custom policy, from the Custom drop-down list, select a policy or click Add to create a
new custom policy.
For more information, see Create or Edit a Custom Policy Template.
7. Click Add Policy.
8. Define the settings for the policy.
9. Click Save.
For more information about Mobile VPN Policies, see Configure Policies to Filter Mobile VPN Traffic
on page 1185.
The XTM device includes a default definition for each policy included in the XTM device configuration
file. The default definition consists of settings that are appropriate for most installations. However, you
can modify them for your particular business purposes, or if you want to include special policy
properties such as Traffic Management actions and operating schedules.
After you add a policy to your configuration, you define rules to:
- Set allowed traffic sources and destinations
- Make filter rules
- Enable or disable the policy
- Configure properties such as Traffic Management, NAT, and logging
For more information on policy configuration, see About Policy Properties on page 627.
Use Policy Checker to Find a Policy
To determine how your XTM device manages traffic for a particular protocol between a source and
destination you specify, you can use Policy Checker in Fireware XTM Web UI.
For more information about Policy Checker, see Use Policy Checker to Find a Policy on page 601.
Add a Policy from the List of Templates
Your XTM device includes a default definition for each policy included in the XTM device configuration.
The default definition settings are appropriate for most installations. However, you can modify them to
include special policy properties, such as QoS actions and operating schedules.
On the Add Firewall Policy page:
1. Select a policy type: Packet Filter, Proxies, or Custom.
2. From the adjacent drop-down lists, select a policy.
3. If you select a proxy, from the second drop-down list, select the proxy action.
4. To change the name of the policy, in the Name text box, type a new name.
5. Click Add Policy.
The Add page appears.
6. Configure the access rules and other settings for the policy.
7. Click Save.
For more information on policy properties, see About Policy Properties on page 627.
For more information about how to add Mobile VPN Policies, see Configure Policies to Filter Mobile
VPN Traffic on page 1185.
For more information about how to configure proxy actions, see About Proxy Actions.
For more information about how to configure a schedule for a policy, see Set an Operating Schedule on
page 623.
For more information about how to configure application control actions, see Configure Application
Control Actions.
When you configure the access rules for your policy, you can choose to use an alias. For more
information about aliases, see About Aliases on page 613 and Create an Alias on page 615.
Disable or Delete a Policy
As your network security requirements change, you can disable or delete the policies in your
configuration.
To disable a policy:
1. Select Firewall > Firewall Policies or Firewall > Mobile VPN Policies.
2. Double-click the policy.
Or, select the policy and from the Action drop-down list, select Edit Policy.
3. Clear the Enable check box.
4. Click Save.
Delete a Policy
To delete a policy:
1. Select Firewall > Firewall Policies or Firewall > Mobile VPN Policies.
2. Select the policy and from the Action drop-down list, select Delete Policies.
A confirmation message appears.
3. Click Yes.
Your configuration changes are saved automatically.
Use Policy Checker to Find a Policy
You can use Policy Checker to determine how your XTM device manages traffic for a particular
protocol between a source and destination you specify. This can be a useful troubleshooting tool if your
XTM device allows or denies traffic unexpectedly, or if you want to make sure your policies manage
traffic the way you expect. Based on the parameters you specify, Policy Checker sends a test packet
through your XTM device to see how the device manages the packet. If there is a policy that manages
the traffic, Policy Checker highlights that policy in the Firewall Policies list.
When you run Policy Checker, you must specify these parameters:
- An interface: any active device interface (physical, VLAN, or bridge), or SSL-VPN, Any-BOVPN,
Any-MUVPN, or PPTP
- A protocol: Ping, TCP, or UDP
- Source and destination IP address
- Source and destination port: only applies if you select TCP or UDP as the Protocol
The results can include any of these details:
- Policy type
- Policy name
- An action
- An interface
- Source or destination NAT IP address
- Source or destination NAT port
You cannot use Policy Checker in Fireware XTM Web UI for a FireCluster. Instead, use the
policy-check command in the Command Line Interface. For more information, see the Command
Line Interface Reference.
To run Policy Checker:
1. Select Firewall > Firewall Policies.
The Firewall Policies page appears.
2. Click Show policy checker.
The policy checker section appears.
3. From the Interface drop-down list, select an active interface on your XTM device.
4. From the Protocol drop-down list, select an option: Ping, TCP, or UDP.
5. In the Source IP text box, type the source IP address for the traffic.
6. In the Destination IP text box, type the destination IP address for the traffic.
7. If you selected TCP or UDP for the Protocol, in the Source Port text box, type or select the
port for the traffic source.
If you selected Ping as the Protocol, the port text box is disabled.
8. If you selected TCP or UDP for the Protocol, in the Destination Port text box, type or select
the port for the traffic destination.
If you selected Ping as the Protocol, the port text box is disabled.
9. Click Run policy checker.
The results appear in the Results section.
Read the Results
If the packet was managed by a policy, the policy details appear in the Results section, and the policy
is highlighted in the Firewall Policies list.
If the packet was not managed by a policy, but by another means (such as a hostile site match), that
information appears in the Results section, but nothing is highlighted in the Firewall Policies list.
The only elements that always include a value in the Results section are the Name and Type
elements. Values for all other elements are only present if their values are established.
Results elements (Element, Value, Description):
Type
  Policy: The packet was allowed or denied by a policy.
  Security: The packet was dropped by something other than a policy (for example, a blocked
  site match) and a security measure was triggered.
  Inconclusive: There was an error in the interpretation of the disposition of the packet.
Name (the value depends on the Type value)
  If the type was Policy, the name of the policy appears. Not all configured policies are exposed.
  If the policy name is unfamiliar, you can examine the configuration file for more information
  about the policy.
  If the type was Security, the security function appears (for example, Blocked Sites). The set of
  supported security functions can be different from one release to the next:
  - ICMP Flood Attack
  - IKE Flood Attack
  - IPSec Flood Attack
  - TCP SYN Flood Attack
  - UDP Flood Attack
  - TCP SYN check
  - Broadcast
  - DNS forward inactive
  - FWSPEED license
  - Blocked Ports
  - Blocked Sites
  - Blocked connection: the packet matched an existing connection that was blocked by a policy.
  - Unit not activated
  - DDoS Client Quota
  - DDoS Server Quota
  - User count exceeded
  - IP source route
  - Spoofing Attack
  - Wireless Guest
  - Wireless MVPN
  - MAC Access Control
  - MAC/IP Address Binding
  If the type was Inconclusive, the name is Unspecified.
Action
  Allow: The packet was allowed.
  Deny: The packet was denied. This is always the result when the type is Security.
Interface
  Interface name: The egress interface. This is the user-defined name (for example, External),
  not the system name (for example, eth0).
Source NAT IP
  IP address: The IP address to which the original source IP address was changed by NAT.
Source NAT Port
  TCP/UDP port: The TCP or UDP port to which the original source port was changed by NAT.
Destination NAT IP
  IP address: The IP address to which the original destination IP address was changed by NAT.
Destination NAT Port
  TCP/UDP port: The TCP or UDP port to which the original destination port was changed by NAT.
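The results elements above are easier to reason about with a small model of what Policy Checker does: a security check such as Blocked Sites runs before any policy, and the first policy in precedence order that matches the test packet supplies the Name, Action, Interface and NAT elements. The following is an added example, not WatchGuard code and not part of this guide; the policies, addresses and blocked range are constructed samples, the ingress interface is carried but not used for matching, and a packet that matches nothing returns None because the table above does not describe that case.

```python
"""Added example: a simplified model of what Policy Checker reports.

This is not WatchGuard code. It mimics the result elements listed above
(Type, Name, Action, Interface, Destination NAT IP and Port) for a test
packet that is checked first against blocked sites, which gives a Security
result, and then against an ordered policy list, which gives a Policy result.
The policies, addresses and blocked range below are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Policy:
    name: str                     # policy Name as shown in the policy list
    protocols: frozenset          # subset of {"tcp", "udp", "ping"}
    ports: frozenset              # destination ports; empty means any port
    sources: list                 # ip_network objects the From list resolves to
    destinations: list            # ip_network objects the To list resolves to
    action: str                   # "Allow" or "Deny"
    egress: str = "External"      # user-defined egress interface name
    dnat: Optional[tuple] = None  # (ip, port) when the policy rewrites the destination


@dataclass
class TestPacket:
    interface: str   # ingress interface; required by Policy Checker, not used for matching here
    protocol: str    # "tcp", "udp" or "ping"
    src: str
    dst: str
    sport: int = 0   # ignored for ping, as in the Web UI
    dport: int = 0


def _in_any(addr, networks):
    ip = ip_address(addr)
    return any(ip in net for net in networks)


def policy_check(packet, policies, blocked_sites):
    """Return the Results elements for the packet, or None if nothing matched.

    Only Type and Name are always present; Interface and the NAT elements are
    filled in only when the matching policy establishes them.
    """
    # Security checks run before policies: a blocked-site match is always Deny.
    if _in_any(packet.src, blocked_sites) or _in_any(packet.dst, blocked_sites):
        return {"Type": "Security", "Name": "Blocked Sites", "Action": "Deny"}
    for pol in policies:  # the list is already in precedence order
        if packet.protocol not in pol.protocols:
            continue
        if pol.ports and packet.dport not in pol.ports:
            continue
        if not (_in_any(packet.src, pol.sources) and _in_any(packet.dst, pol.destinations)):
            continue
        result = {"Type": "Policy", "Name": pol.name, "Action": pol.action}
        if pol.action == "Allow":
            result["Interface"] = pol.egress
            if pol.dnat:
                result["Destination NAT IP"], result["Destination NAT Port"] = pol.dnat
        return result
    return None  # the results table above does not describe this case


# Constructed sample data: a trusted LAN, a partner network, a published
# server address and a blocked range (all from documentation address blocks).
TRUSTED = [ip_network("10.0.1.0/24")]
ANY = [ip_network("0.0.0.0/0")]
PARTNER = [ip_network("198.51.100.0/24")]
BLOCKED_SITES = [ip_network("192.0.2.0/24")]

SAMPLE_POLICIES = [  # most specific first, proxy before packet filter
    Policy("HTTP-inbound", frozenset({"tcp"}), frozenset({80}), ANY,
           [ip_network("203.0.113.10/32")], "Allow", egress="Trusted", dnat=("10.0.1.80", 8080)),
    Policy("Block-Partner-HTTP", frozenset({"tcp"}), frozenset({80}), TRUSTED, PARTNER, "Deny"),
    Policy("HTTP-proxy", frozenset({"tcp"}), frozenset({80, 443}), TRUSTED, ANY, "Allow"),
    Policy("Outgoing", frozenset({"tcp", "udp"}), frozenset(), TRUSTED, ANY, "Allow"),
]

if __name__ == "__main__":
    pkt = TestPacket("Trusted", "tcp", "10.0.1.5", "198.51.100.7", 51000, 80)
    print(policy_check(pkt, SAMPLE_POLICIES, BLOCKED_SITES))
```

Running the sample packet against the constructed list reports the Deny from Block-Partner-HTTP rather than the Allow from HTTP-proxy, because the more specific destination sorts first; the same packet on port 443 falls through to HTTP-proxy, and a destination in the blocked range never reaches the policy list at all.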
About Policy Tags and Filters
A policy tag is a label you can apply to your Firewall and Mobile VPN with IPSec policies to help you
organize your policies into easy-to-manage groups. You can apply more than one policy tag to a policy
and apply any policy tag to many policies. A policy filter uses the policy tags you have applied to your
policies to specify which policies appear in the policy lists on the Firewall and Mobile VPN with
IPSec pages.
When you create a policy tag or filter, you must use some combination of these characters in the policy
tag or filter name:
- Uppercase and lowercase letters
- Numerals
- Special characters: -, space, _, +, /, *
You can use the procedures in the subsequent sections to create and apply policy tags and filters in a
single XTM device configuration file or a v11.7 or later Device Configuration Template. For more
information about templates, see the topic Create Device Configuration Templates in the WatchGuard
System Manager Help.
Create and Apply Policy Tags
To create a new policy tag, you can either select a policy and create a tag for that policy, or you can
create a tag and then apply it to one or more policies. You can select a color for each policy tag to make
it easy to identify the policy tag when it appears in the Tags column. This is particularly helpful when
you apply more than one policy tag to a single policy. When you create a policy tag, it is added to the
Tags List in the Manage Policy Tags dialog box in alphabetical order.
You can apply a policy tag from the policy list or when you define the properties in the policy
configuration. If you apply more than one policy tag to a policy, the tags appear in alphabetical order in
the Tags column of the policy list and in the Tags list of the policy properties. Capitalized tags appear
in the list before lowercase tags.
Create and Apply a Policy Tag from the Policy List
To create a policy tag and apply it to policies:
1. On the Firewall or Mobile VPN with IPSec page, select one or more policies in the policy list.
2. Select Action > Add Tag to Policy > New.
The New Policy Tag dialog box appears.
3. In the Name text box, type a descriptive name for the tag.
4. To specify a color for this policy tag, select a color from the palette.
5. Click OK.
The tag is applied to the policies you selected and appears in the Tags column for those policies.
The tag also appears in the Manage Policy Tags Tag List.
Add a Policy Tag to the Tag List
To create policy tags that you can apply to policies at a later time, you can add new tags to the Tag
List in the Manage Policy Tags dialog box.
To add a tag to the Tag List:
1. Select Action > Manage Tags.
The Manage Policy Tags page appears.
2. Click Add.
The New Policy Tag dialog box appears.
3. In the Name text box, type a descriptive name for the policy tag.
4. To specify a color for the policy tag, click the color palette and select a color.
5. Click OK.
The policy tag appears in the Tags list.
You can now apply the new tag to any policy.
To apply a policy tag that you have already created to one or more policies:
1. In the policy list, select one or more policies.
2. Select Action > Add Tag to Policy and select a tag.
The tag is applied to the policies you selected and appears in the Tags column for those policies.
Apply a Policy Tag in the Policy
1. Add a new policy or edit a policy in the policy list.
2. Select the Settings tab.
3. In the Tags section, click Edit.
The Select Policy Tags dialog box appears.
4. To apply a tag to the policy, from the Available list, select a policy tag and click <<.
The tag is moved from the Available list to the Tagged list.
Remove Policy Tags From Policies
There are two methods you can use to remove a policy tag from a policy: you can remove one or more
policy tags from a single policy, or you can delete a policy tag to remove it from all the policies to which
it is applied. When you remove a policy tag from a single policy, the tag remains in the Tag List so you
can use the tag again later. When you delete a policy tag, it is deleted both from the Tag List and from
any policies to which it was applied. You cannot use a template to delete a policy tag from a policy in a
device configuration file.
To remove a single policy tag from a policy:
1. In the policy list, select the check box for a policy.
2. Select Action > Remove Tags from Policy and select the policy tag to remove.
The selected policy tag is removed from the policy and the Tags column.
To remove all policy tags from a policy:
1. In the policy list, select one or more policies.
2. Select Action > Remove Tag from Policy > All.
All policy tags are removed from the selected policies and the Tags column.
To permanently remove a policy tag from the Tag List and all policies:
1. Select Action > Manage Tags.
The Manage Policy Tags dialog box appears.
2. From the Tags list, select a policy tag and click Remove.
3. Click Save.
The selected policy tag is removed from the Tags list and from each policy to which the tag was
applied. The policy tag name is also removed from the Tags column in the policies list.
To remove a policy tag from a policy in the policy properties:
1. Add a new policy or edit a policy in the policy list.
2. Select the Settings tab.
3. Below the Tags list, click Edit.
The Select Policy Tags dialog box appears.
4. To remove a policy tag from the policy, from the Tagged list, select a policy tag and click >>.
The tag is moved from the Tagged list to the Available list.
Modify Policy Tags
After you have created a policy tag, you can change the name or the color of the tag. When you modify
a policy tag, the changes that you make automatically appear in all the policies to which the policy tag
is applied.
To change a policy tag:
1. Select Action > Manage Tags.
The Manage Policy Tags dialog box appears.
2. From the Tags list, select a policy tag.
3. Click Edit.
The Policy Tag dialog box appears.
4. In the Name text box, type a new descriptive name for the policy tag.
5. From the color palette, select a new color for the policy tag.
6. Click OK.
The changes you made to the policy tag appear in the Tags list.
7. Click Save.
Create and Apply a Filter
After you have created and applied policy tags to your policies, you can use the tags to filter the policy
list and select which policies appear in the policy list. The criteria included in your filters are based on
both AND and OR operators.
After you apply a filter, you can sort the policy list by column to further refine your view of the policies
that appear in the policy list. You can also name and save the filters you create so you can apply the
filter again at any time. Because saved filters are stored in your XTM device configuration file, all saved
filters are available whether you manage the XTM device with Policy Manager or Fireware XTM Web UI.
When you apply a filter to the policy list, the filter remains applied to the list until you manually clear it.
If you do not remove a filter before you exit the policy list, that filter is still applied when you next
connect to the XTM device and view the policy list. To make sure that all of your policies appear in the
policy list when you next open the configuration file, we recommend that you always clear all filters
from the policy list before you exit the policy list.
To create and apply a filter:
1. From the Filter drop-down list, select Create New Filter.
The Policy Filter dialog box appears.
2. In the Name text box, type a descriptive name for this filter.
3. Select a filter option:
- Match All: only policies that include all the specified policy tags appear in the filtered
policy list. This is the default option.
- Match Any: any policy that includes any of the specified policy tags appears in the filtered
policy list.
4. Select the policy tags to include in the filter.
5. Click OK.
The selected filter is applied to the list.
6. To clear all filters from the policy list, from the Filter drop-down list, select None.
All filters are removed from the policy list.
Modify a Filter
You can change the policy tags and filter options that are included in a filter. You can also change the
name of a filter. When you change the name of the filter, the name is automatically updated in the
Filters list and in all policies to which the filter is applied.
To change the filter name, options, and tags:
1. From the Filter drop-down list, select Manage Filter.
The Manage Filters page appears.
2. From the Filters list, select the filter to modify.
3. Click Edit.
The Policy Filter dialog box appears.
4. Change the filter parameters.
5. Click OK.
The modified filter appears in the Filters list.
6. Click Save.
About Aliases
An alias is a shortcut that identifies a group of hosts, networks, or interfaces. When you use an alias, it
is easy to create a security policy because the XTM device allows you to use aliases when you create
policies.
Default aliases in Fireware XTM Web UI include:
- Any: Any source or destination aliases that correspond to XTM device interfaces, such as
Trusted or External.
- Firebox: An alias for all XTM device interfaces.
- Any-Trusted: An alias for all XTM device interfaces configured as Trusted interfaces, and
any network you can get access to through these interfaces.
- Any-External: An alias for all XTM device interfaces configured as External, and any network
you can get access to through these interfaces.
- Any-Optional: Aliases for all XTM device interfaces configured as Optional, and any network
you can get access to through these interfaces.
- Any-BOVPN: An alias for any BOVPN (IPSec) tunnel.
When you use the BOVPN Policy wizard to create a policy to allow traffic through a BOVPN
tunnel, the wizard automatically creates .in and .out aliases for the incoming and outgoing
tunnels.
- WG-Wireless-Access-Point1: An alias for wireless Access point 1 on a wireless XTM device.
- WG-Wireless-Access-Point2: An alias for wireless Access point 2 on a wireless XTM device.
- WG-Wireless-Access-Point3: An alias for wireless Access point 3 on a wireless XTM device.
- WG-Wireless-Guest: An alias for wireless Access point 3 on a wireless XTM device that is
used for a guest wireless network (Fireware XTM v11.8.x and lower).
Alias names are different from user or group names used in user authentication. With user
authentication, you can monitor a connection with a name and not as an IP address. The person
authenticates with a user name and a password to get access to Internet protocols.
For more information about user authentication, see About User Authentication on page 465.
You can also create and apply aliases when you use Centralized Management for your XTM device
and apply a Device Configuration Template to a device. If you apply a template to an XTM device that
runs Fireware XTM OS v11.7 or later, and the template includes an alias name that is already used by
an interface on the device, the alias name does not appear correctly in the Aliases list after the
template is applied, because you cannot have duplicate alias names in any configuration file.
Alias Members
You can add these objects to an alias:
- Host IP address
- Network IP address
- A range of host IP addresses
- DNS name for a host
- Tunnel address: defined by a user or group, address, and name of the tunnel
- Custom address: defined by a user or group, address, and XTM device interface
- Another alias
- An authorized user or group
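Because an alias can contain another alias, the device has to expand aliases recursively before it can match a packet against a From or To entry, and it is this expansion that makes duplicate alias names a problem. The following is an added example and not WatchGuard code: it models four of the member types listed above (host IP address, network IP address, a range of host IP addresses, and another alias), resolves nested aliases into a flat list of networks, and reports the two conditions a configuration must not contain, a duplicate alias name and an alias that refers back to itself. The alias names and addresses are constructed for the example.

```python
"""Added example: resolving nested aliases into a flat list of networks.

This is not WatchGuard code. It models four of the alias member types listed
above (host IP address, network IP address, a range of host IP addresses, and
another alias), expands nested aliases recursively so a From/To entry can be
matched against an address, and rejects two things a configuration must not
contain: duplicate alias names and an alias that refers back to itself.
The alias names and addresses below are constructed for the example.
"""
from ipaddress import ip_address, ip_network, summarize_address_range


def build_alias_table(definitions):
    """definitions: list of (name, members). A member is ("host", ip),
    ("network", cidr), ("range", first_ip, last_ip) or ("alias", name)."""
    table = {}
    for name, members in definitions:
        if name in table:  # no duplicate alias names in one configuration
            raise ValueError(f"duplicate alias name: {name}")
        table[name] = members
    return table


def resolve_alias(table, name, _seen=frozenset()):
    """Return the ip_network objects the alias stands for, nested aliases included."""
    if name in _seen:
        raise ValueError(f"alias {name} refers to itself through {sorted(_seen)}")
    if name not in table:
        raise KeyError(f"unknown alias: {name}")
    seen = _seen | {name}
    networks = []
    for member in table[name]:
        kind = member[0]
        if kind == "host":
            networks.append(ip_network(member[1] + "/32"))
        elif kind == "network":
            networks.append(ip_network(member[1]))
        elif kind == "range":
            first, last = ip_address(member[1]), ip_address(member[2])
            networks.extend(summarize_address_range(first, last))  # minimal CIDR cover
        elif kind == "alias":
            networks.extend(resolve_alias(table, member[1], seen))
        else:
            raise ValueError(f"unsupported member type: {kind}")
    return networks


def alias_contains(table, name, addr):
    """True if the address falls inside any network the alias resolves to."""
    ip = ip_address(addr)
    return any(ip in net for net in resolve_alias(table, name))


def alias_is_valid(table, name):
    """False if the alias is unknown or loops back on itself."""
    try:
        resolve_alias(table, name)
    except (ValueError, KeyError):
        return False
    return True


# Constructed sample aliases: a server group nested inside an admin alias.
SAMPLE_ALIASES = build_alias_table([
    ("Servers", [("host", "10.0.1.80"), ("range", "10.0.1.100", "10.0.1.110")]),
    ("LAN", [("network", "10.0.1.0/24")]),
    ("Admin-Hosts", [("host", "10.0.1.5"), ("alias", "Servers")]),
])
```

The range member is turned into the smallest set of CIDR blocks that covers it, so an eleven-address range expands to four networks and Admin-Hosts resolves to six networks in total; an address membership test then only has to check a list of networks, whatever the nesting depth.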
Create an Alias
You can create an alias to use with your security policies to help you more easily identify a group of
hosts, users, or networks.
To create an alias:
1. Select Firewall > Aliases.
The Aliases page appears.
2. Click Add.
The Aliases / Add page appears.
3. In the Name text box, type a unique name to identify the alias.
This name appears in lists when you configure a security policy.
4. In the Description text box, type a description of the alias.
5. Add alias members to the alias, as described in the subsequent sections.
6. Click Save.
Add an Address, Address Range, DNS Name, User, Group, or Another Alias to the Alias
1. On the Aliases / Add page, click Add.
The Add Member dialog box appears.
2. From the Member type drop-down list, select the type of member you want to add.
3. Type the address or name in the Member Type text box, or select the user or group.
4. Click OK.
The new member appears in the Alias Members list.
5. To add more members, repeat Steps 1-4.
Edit an Alias
You can edit user-defined aliases from the Aliases page.
To edit an alias from the Aliases page:
1. Select Firewall > Aliases.
The Aliases page appears.
2. From the Aliases list, select the user-defined alias to change.
3. Click Edit.
The Edit Alias page appears.
4. To add a member to the Alias Members list, click Add.
For more information, see the previous sections.
To remove a member from the Alias Members list, select the entry and click Remove.
5. Click Save.
About Policy Precedence
Precedence is the sequence in which the XTM device examines network traffic and applies a policy
rule. The XTM device automatically sorts policies from the most detailed to the most general. It
compares the information in the packet to the list of rules in the first policy. The first rule in the list to
match the conditions of the packet is applied to the packet. If the detail level in two policies is equal, a
proxy policy always takes precedence over a packet filter policy.
Automatic Policy Order
The XTM device automatically gives the highest precedence to the most specific policies and the
lowest to the least specific. The XTM device examines the specificity of the criteria below in the order
listed. If it cannot determine the precedence from the first criterion, it moves to the second,
and so on.
1. Policy specificity
2. Protocols set for the policy type
3. Traffic rules of the To list
4. Traffic rules of the From list
5. Firewall action (Allowed, Denied, or Denied (send reset)) applied to the policies
6. Schedules applied to the policies
7. Alphanumeric sequence based on policy type
8. Alphanumeric sequence based on policy name
The subsequent sections include more details about what the XTM device does within these eight
steps.
Policy Specificity and Protocols
The XTM device uses these criteria in sequence to compare two policies until it finds that the policies
are equal, or that one is more detailed than the other.
1. An Any policy always has the lowest precedence.
2. Check for the number of TCP 0 (any) or UDP 0 (any) protocols. The policy with the smaller
number has higher precedence.
3. Check for the number of unique ports for TCP and UDP protocols. The policy with the smaller
number has higher precedence.
4. Add up the number of unique TCP and UDP ports. The policy with the smaller number has
higher precedence.
5. Score the protocols based on their IP protocol value. The policy with the smaller score has
higher precedence.
If the XTM device cannot set the precedence when it compares the policy specificity and protocols, it
examines traffic rules.
Traffic Rules
The XTM device uses these criteria in sequence to compare the most general traffic rule of one policy
with the most general traffic rule of a second policy. It assigns higher precedence to the policy with the
most detailed traffic rule.
1. Host address
2. IP address range (smaller than the subnet being compared to)
3. Subnet
4. IP address range (larger than the subnet being compared to)
5. Authentication user name
6. Authentication group
7. Interface, XTM device
8. Any-External, Any-Trusted, Any-Optional
9. Any
For example, compare these two policies:
(HTTP-1) From: Trusted, user1
(HTTP-2) From: 10.0.0.1, Any-Trusted
Trusted is the most general entry for HTTP-1. Any-Trusted is the most general entry for HTTP-2.
Because Trusted is included in the Any-Trusted alias, HTTP-1 is the more detailed traffic rule. This is
correct despite the fact that HTTP-2 includes an IP address, because the XTM device compares the
most general traffic rule of one policy to the most general traffic rule of the second policy to set
precedence.
If the XTM device cannot set the precedence when it compares the traffic rules, it examines the
firewall actions.
Firewall Actions
The XTM device compares the firewall actions of two policies to set precedence. Precedence of
firewall actions from highest to lowest is:
1. Denied or Denied (send reset)
2. Allowed proxy policy
3. Allowed packet-filter policy
If the XTM device cannot set the precedence when it compares the firewall actions, it examines the
schedules.
Schedules
The XTM device compares the schedules of two policies to set precedence. Precedence of schedules
from highest to lowest is:
1. Always off
2. Sometimes on
3. Always on
If the XTM device cannot set the precedence when it compares the schedules, it examines the policy
types and names.
Policy Types and Names
If the two policies do not match any other precedence criteria, the XTM device sorts the policies in
alphanumeric sequence. First, it uses the policy type. Then, it uses the policy name. Because no two
policies can be the same type and have the same name, this is the last criterion for precedence.
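The eight precedence steps above are an ordering, so they can be written as a comparison function and used to sort a policy list; doing so is the quickest way to check why a policy landed where it did in Auto-Order mode. The following is an added example, not WatchGuard code and not a description of the device's implementation: it encodes the criteria from the Automatic Policy Order, Traffic Rules, Firewall Actions, Schedules and Policy Types and Names sections and sorts a constructed list that includes the HTTP-1 and HTTP-2 policies from the Traffic Rules example. Where the text leaves room for interpretation (how the protocol score is computed, how the two port-count steps differ, and how a range is ranked when there is no subnet to compare it with), the reading taken is my assumption and is marked as such in the comments.

```python
"""Added example: a model of the automatic policy order described above.

This is not WatchGuard code. It turns the precedence criteria in this section
into a comparison function and sorts a constructed policy list with it,
including the HTTP-1 and HTTP-2 policies from the Traffic Rules section.
Where the text leaves room for interpretation (the protocol score, the two
port-count steps, a range with no subnet to compare against), the reading
taken is marked as an assumption in a comment.
"""
from dataclasses import dataclass
from functools import cmp_to_key
from ipaddress import ip_address, ip_network

# Rank of a From/To entry from most specific (1) to most general (9); a
# "range" entry is ranked 2 or 4 depending on the subnet it is compared with.
RANK = {"host": 1, "subnet": 3, "user": 5, "group": 6, "interface": 7,
        "any-alias": 8, "any": 9}
ACTION_RANK = {"deny": 1, "allow-proxy": 2, "allow-filter": 3}
SCHEDULE_RANK = {"always-off": 1, "sometimes-on": 2, "always-on": 3}
IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}


@dataclass
class Policy:
    name: str
    ptype: str        # policy type, e.g. "HTTP", "HTTP-proxy" or "Any"
    protocols: list   # (protocol, port) pairs; port 0 means "any port"
    from_rules: list  # (kind, value) entries of the From list
    to_rules: list    # (kind, value) entries of the To list
    action: str       # "deny", "allow-proxy" or "allow-filter"
    schedule: str = "always-on"


def _rank(rule, other_rules):
    kind, value = rule
    if kind != "range":
        return RANK[kind]
    size = int(ip_address(value[1])) - int(ip_address(value[0])) + 1
    subnet_sizes = [ip_network(v).num_addresses for k, v in other_rules if k == "subnet"]
    # Assumption: with no subnet to compare against, a range counts as small.
    return 2 if all(size < s for s in subnet_sizes) else 4


def _most_general(rules, other_rules):
    return max(_rank(r, other_rules) for r in rules)


def _specificity_key(p):
    """Steps 1-5 of 'Policy Specificity and Protocols'; a smaller key wins."""
    tcp_udp = [(pr, port) for pr, port in p.protocols if pr in ("tcp", "udp")]
    any_ports = sum(1 for _, port in tcp_udp if port == 0)
    # Assumption: step 3 counts distinct port numbers across TCP and UDP and
    # step 4 adds the per-protocol counts, so TCP 53 + UDP 53 scores 1, then 2.
    unique_ports = len({port for _, port in tcp_udp if port})
    summed_ports = sum(len({port for pr2, port in tcp_udp if pr2 == pr and port})
                       for pr in ("tcp", "udp"))
    # Assumption: the protocol score is the sum of the IP protocol numbers.
    score = sum(IP_PROTO[pr] for pr, _ in p.protocols)
    return (p.ptype == "Any", any_ports, unique_ports, summed_ports, score)


def compare(a, b):
    """-1 if a has higher precedence than b, 1 if lower, 0 if they tie."""
    key_a, key_b = _specificity_key(a), _specificity_key(b)
    if key_a != key_b:
        return -1 if key_a < key_b else 1
    # The To list is compared before the From list; the most general entry decides.
    for rules_a, rules_b in ((a.to_rules, b.to_rules), (a.from_rules, b.from_rules)):
        ga, gb = _most_general(rules_a, rules_b), _most_general(rules_b, rules_a)
        if ga != gb:
            return -1 if ga < gb else 1
    tail_a = (ACTION_RANK[a.action], SCHEDULE_RANK[a.schedule], a.ptype, a.name)
    tail_b = (ACTION_RANK[b.action], SCHEDULE_RANK[b.schedule], b.ptype, b.name)
    return (tail_a > tail_b) - (tail_a < tail_b)


def auto_order(policies):
    """Return the policy names in automatic order, highest precedence first."""
    return [p.name for p in sorted(policies, key=cmp_to_key(compare))]


# Constructed sample policies; 198.51.100.0/24 is a documentation range.
ANY_EXT = [("any-alias", "Any-External")]
ANY_TRUSTED = [("any-alias", "Any-Trusted")]
SAMPLE = [
    Policy("Any", "Any", [], [("any", "Any")], [("any", "Any")], "allow-filter"),
    Policy("Outgoing", "TCP-UDP", [("tcp", 0), ("udp", 0)],
           ANY_TRUSTED + [("any-alias", "Any-Optional")], ANY_EXT, "allow-filter"),
    Policy("HTTP-2", "HTTP", [("tcp", 80)],
           [("host", "10.0.0.1")] + ANY_TRUSTED, ANY_EXT, "allow-filter"),
    Policy("HTTP-1", "HTTP", [("tcp", 80)],
           [("interface", "Trusted"), ("user", "user1")], ANY_EXT, "allow-filter"),
    Policy("HTTP-proxy", "HTTP-proxy", [("tcp", 80)], ANY_TRUSTED, ANY_EXT, "allow-proxy"),
    Policy("DNS", "DNS", [("tcp", 53), ("udp", 53)], ANY_TRUSTED, ANY_EXT, "allow-filter"),
    Policy("Deny-Partner", "HTTP", [("tcp", 80)],
           ANY_TRUSTED, [("subnet", "198.51.100.0/24")], "deny"),
]

if __name__ == "__main__":
    print(auto_order(SAMPLE))
```

Sorting the constructed list gives Deny-Partner, HTTP-1, HTTP-proxy, HTTP-2, DNS, Outgoing, Any: the To-list subnet lifts Deny-Partner above the other HTTP policies, HTTP-1 beats HTTP-2 exactly as the Traffic Rules example states, the proxy wins the tie against HTTP-2 on firewall action, DNS drops below HTTP because its two protocols add up to more ports, Outgoing is pushed down by its two any-port protocols, and Any is always last.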
Set Precedence Manually
You can disable auto-order mode to change to manual-order mode and set the policy precedence for
your XTM device. When you change to manual-order mode, you can also sort the policy list by column.
1. Select Firewall > Firewall Policies.
The Firewall Policies page appears.
2. Below the policy list, click Disable policy Auto-Order mode.
A confirmation message appears.
3. Click Yes.
4. To change the order of a policy, select the check box for a policy and click Move Up or Move
Down to move it higher or lower in the list.
5. To sort the policy list by a column, click the column header.
6. Click Save Policy Order.
Create Schedules for XTM Device Actions
A schedule is a set of times for which a feature is active or disabled. You must use a schedule if you
want a policy or WebBlocker action to automatically become active or inactive at the times you
specify. You can apply a schedule you create to more than one policy or WebBlocker action if you want
those policies or actions to be active at the same times.
For example, an organization wants to restrict certain types of network traffic during normal business
hours. The network administrator could create a schedule that is active on weekdays, and set each
policy in the configuration to use the same schedule.
To create a schedule:
1. Select Firewall > Scheduling.
The Scheduling page appears.
2. To modify an existing schedule, select the schedule and click Edit.
The Schedule Settings page appears.
3. To create a new schedule, click Add.
The Add Schedule page appears.
4. For a new schedule, in the Name text box, type a descriptive name for the schedule.
You cannot modify the name of a saved schedule.
5. From the drop-down list, select the time interval to see in the schedule: 15 minutes, 30
minutes, 1 hour.
6. Select the times for the schedule to operate for each day of the week.
7. To abandon your changes, reload the page, and return to the current settings in the configuration
file, click Restore.
8. Click Save.
Set an Operating Schedule
You can set an operating schedule for a policy so that the policy takes effect only at the times you
specify. Schedules can be shared by more than one policy.
To modify a policy schedule:
1. Select Firewall > Scheduling.
The Scheduling page appears.
2. In the Scheduling Policies list, select the check box for one or more policies.
3. From the Select Action drop-down list, select a schedule to apply to the policies you selected.
4. To abandon your changes, reload the page, and return to the current settings in the configuration
file, click Restore.
5. Click Save.
About Custom Policies
To allow a protocol that is not included by default as an XTM device configuration option, you must
define a custom traffic policy. You can add a custom policy that uses:
• TCP ports
• UDP ports
• An IP protocol that is not TCP or UDP, such as GRE, AH, ESP, ICMP, IGMP, and OSPF. You
identify an IP protocol that is not TCP or UDP with its IP protocol number.
To create a custom policy, you must first create or edit a custom policy template that specifies the
ports and protocols used by policies of that type. Then, you create one or more policies from that
template to set access rules, logging, QoS, and other settings.
Create or Edit a Custom Policy Template
To add specialized policies to your configuration files, you can create custom policy templates. These
templates can be packet filter or proxy policies and use any available protocol. When you add a custom
policy template to your configuration file, make sure to specify a unique name for the policy. A unique
name helps you to find the policy when you want to change or remove it. This name must not be the
same as any other policy name in the policies list for your device.
From Fireware XTM Web UI:
1. Select Firewall > Firewall Policies or Firewall > Mobile VPN Policies.
The Policies page you selected appears.
2. Click Add Policy.
The Add Firewall Policy page appears.
3. In the Policy Name text box, type a name for the policy.
4. For the policy type, select Custom.
5. From the Custom drop-down list, select a policy or click Add to create a new custom policy.
The Add Policy Template page appears.
6. In the Name text box, type a name for the custom policy.
7. (Optional) In the Description text box, type a description of the policy.
This appears in the Details section when you click the policy name in the list of User Filters.
8. Select a type: Packet Filter or Proxy.
9. For a proxy, from the Proxy drop-down list, select a proxy type.
10. To add a protocol, click Add.
The Add Protocol dialog box appears.
11. From the Type drop-down list, select an option: Single Port or Port Range.
12. From the Protocol drop-down list, select the protocol to use for this policy.
If you select Single Port, you can select TCP, UDP, GRE, AH, ESP, ICMP, IGMP, OSPF, IP,
or Any.
If you select Port Range, you can select TCP or UDP. The options below the drop-down list
change for each protocol.
Fireware XTM does not pass IGMP multicast traffic through the XTM device, or
between XTM device interfaces. It passes IGMP multicast traffic only between an
interface and the XTM device.
13. If you selected Single Port, in the Server Port text box, type the port number.
If you selected Port Range, in the Start Server Port and End Server Port text boxes, type the
server port range.
14. Click OK.
The protocol appears in the Protocols list.
15. To specify the idle timeout, select the Specify custom idle timeout check box and type the
timeout value in seconds.
16. Click Save.
The custom policy name appears in the Add Firewall Policy page in the Custom drop-down list.
17. Click Add Policy.
You can now use the policy template you created to add one or more custom policies to your
configuration. Use the same procedure as you would for a predefined policy.
About Policy Properties
Each policy type has a default definition, which consists of settings that are appropriate for most
organizations. However, you can modify policy settings for your particular business purposes, or add
other settings such as traffic management and operating schedules.
Mobile VPN policies are created and operate in the same way as firewall policies. You must, however,
specify a Mobile VPN group for the policy.
When you add a new policy to your configuration, the Firewall Policies / Add Firewall Policy page
automatically appears after you select the policy type and click Add Policy. To set properties for an
existing policy, on the Firewall Policies page, double-click the policy to open the Firewall Policies /
Edit page.
Settings Tab
On the Settings tab, you can set basic information about a policy, such as whether it allows or denies
traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server load
balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
• Set Access Rules for a Policy on page 629
• Configure Policy-Based Routing on page 631
• Configure Static NAT on page 271
• Configure Server Load Balancing on page 275
• Set Logging and Notification Preferences on page 882
• Block Sites Temporarily with Policy Settings on page 852
• Set a Custom Idle Timeout on page 635
• About Policy Tags and Filters
Application Control Tab
On the Application Control tab, you can select the Application Control action for the policy. You can
also create a new Application Control action. For more information about Application Control actions in
policies, see Enable Application Control in a Policy on page 1423.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action in v11.8.x and Lower and Add a Traffic Management Action to
a Policy on page 828.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action in v11.8.x and Lower on page 827.
3. Click Save.
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 623.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
For more information on the options for this tab, see:
• Apply NAT Rules on page 636
• Set the Sticky Connection Duration for a Policy on page 636
• Set ICMP Error Handling on page 636
• Enable QoS Marking or Prioritization Settings for a Policy on page 810
Proxy Settings
Proxy policies have predefined rulesets that provide a good balance of security and accessibility for
most installations. If a default ruleset does not meet all of your business needs, you can add, delete, or
modify rules.
Each proxy policy has connection-specific settings that you can customize. To modify the settings and
rulesets for a proxy action from the proxy configuration, select the Proxy Action tab, and configure the
settings for the proxy action.
For more information, see About Rules and Rulesets on page 650 and the About topic for the specific
proxy type.
• About the DNS-Proxy on page 660
• About the FTP-Proxy on page 677
• About the H.323-ALG on page 687
• About the HTTP-Proxy on page 699
• About the HTTPS-Proxy on page 725
• About the POP3-Proxy on page 736
• About the SIP-ALG on page 750
• About the SMTP-Proxy on page 763
• About the TCP-UDP-Proxy on page 796
Set Access Rules for a Policy
To configure access rules for a policy, select the Settings tab.
The Connections are drop-down list specifies whether traffic that matches the rules in the policy is
allowed or denied. To configure how traffic is managed, select one of these settings:
Allowed
The XTM device allows traffic that uses this policy if it matches the rules you set in the policy.
You can configure the policy to create a log message when network traffic matches the policy.
Denied
The XTM device denies all traffic that matches the rules in this policy and does not send a
notification to the device that sent the traffic. You can configure the policy to create a log
message when a computer tries to use this policy. The policy can also automatically add a
computer or network to the Blocked Sites list if it tries to start a connection with this policy.
For more information, see Block Sites Temporarily with Policy Settings on page 852.
Denied (send reset)
The XTM device denies all traffic that matches the rules in this policy. You can configure it to
create a log message when a computer tries to use this policy. The policy can also
automatically add a computer or network to the Blocked Sites list if it tries to start a connection
with this policy.
For more information, see Block Sites Temporarily with Policy Settings on page 852.
With this option, the XTM device sends a packet to tell the device which sent the network traffic
that the session is refused and the connection is closed. You can set a policy to return other
errors instead, which tell the device that the port, protocol, network, or host is unreachable. We
recommend that you use these options with caution to ensure that your network operates
correctly with other networks.
The Settings tab also includes:
• A From list (or source) that specifies who can send (or cannot send) network traffic with this
policy.
• A To list (or destination) that specifies who the XTM device can route traffic to if the traffic
matches (or does not match) the policy specifications.
For example, you could configure a ping packet filter to allow ping traffic from all computers on the
external network to one web server on your optional network. However, when you open the destination
network to connections over the port or ports that the policy controls, you can make the network
vulnerable. Make sure you configure your policies carefully to avoid vulnerabilities.
To add members to your access specifications:
1. On the Settings tab, below the From or To list, click Add.
The Add Member dialog box appears.
The members list contains the members you can add to the From or To lists. A member can be
an alias, user, group, IP address, or range of IP addresses.
2. From the Member Type drop-down list, select the type of member you want to add.
The member list updates to show only members of the type you selected.
3. From the member list, select a member.
4. Click OK.
The member appears in the member list on the Settings tab.
5. To add other members to the From or To list, repeat the previous steps.
6. Click Save.
The source and destination can be a host IP address, host range, host name, network address, user
name, alias, VPN tunnel, or any combination of those objects.
For more information on the aliases that appear in the From and To list, see About Aliases on page
613.
For more information about how to create a new alias or edit a user-defined alias, see Create an Alias
on page 615.
Configure Policy-Based Routing
To send network traffic, a router usually examines the destination address in the packet and looks at
the routing table to find the next-hop destination. In some cases, you want to send traffic to a different
path than the default route specified in the routing table. You can configure a policy with a specific
external interface to use for all outbound traffic that matches that policy. This technique is known as
policy-based routing. Policy-based routing takes precedence over other multi-WAN and virtual
BOVPN interface settings.
Policy-based routing can be used when you have more than one external interface and have configured
your XTM device for multi-WAN or if you configure a virtual BOVPN interface. With policy-based
routing, you can make sure that all traffic for a policy always goes out through the same external
interface, even if your multi-WAN or virtual BOVPN interface configuration is set to send traffic in a
round-robin configuration. For example, if you want email to be routed through a particular interface,
you can use policy-based routing in the SMTP-proxy or POP3-proxy definition.
To use policy-based routing, you must have Fireware XTM with a Pro upgrade. You
must also configure at least two external interfaces.
Policy-Based Routing, Failover, and Failback
When you use policy-based routing with multi-WAN failover, you can specify whether traffic that
matches the policy uses another external interface when failover occurs. The default setting is to drop
traffic until the interface is available again.
Failback settings (defined on the Multi-WAN tab of the Network Configuration dialog box) also apply
to policy-based routing. If a failover event occurs, and the original interface later becomes available,
the XTM device can send active connections to the failover interface, or it can fail back to the original
interface. New connections are sent to the original interface.
If you select a virtual BOVPN interface for policy-based routing, the failover and failback settings are
not available.
Restrictions on Policy-Based Routing
• Policy-based routing is available only if multi-WAN is enabled or if you have configured a virtual
BOVPN interface. When either of these features is enabled, the policy configuration
automatically includes fields to configure policy-based routing.
• By default, policy-based routing is not enabled.
• Policy-based routing does not apply to IPSec traffic.
• Policy-based routing can only use an external interface. You cannot specify an interface that is
configured for static NAT or 1-to-1 NAT, or any interface type other than external.
• The external interface you select must be a member of the alias or network that you set in the
To list for your policy.
Add Policy-Based Routing to a Policy
1. Select Firewall > Firewall Policies.
2. Select the check box for a policy and select Action > Edit Policy.
Or, double-click a policy.
The Edit page appears.
3. Select the Use policy-based routing check box.
4. To specify the interface to use to send outbound traffic that matches the policy, from the
adjacent drop-down list, select an external interface name.
5. (Optional) Configure policy-based routing with multi-WAN failover as described in the
subsequent section.
If you do not select Failover and the interface you set for this policy becomes inactive, traffic is
dropped until the interface becomes available again. The Failover option is not available if you
select a virtual BOVPN interface for policy-based routing.
6. Click Save.
Configure Policy-Based Routing with Failover
You can set the interface you specified for this policy as the primary interface, and define other external
interfaces as backup interfaces for all non-IPSec traffic. If the primary interface you set for a policy is
not active, traffic is sent to the backup interface or interfaces you specify.
1. On the Edit page for the policy, below the Use policy-based routing check box, select the
Use Failover check box.
2. In the subsequent list, select the check box for each interface you want to use in the failover
configuration.
3. To set the order for failover, select an item in the list and click Move Up or Move Down.
The first interface in the list is the primary interface.
4. Click Save.
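The egress selection, failover order, failback behaviour and restrictions described in the policy-based routing sections above, modelled as an added example (not WatchGuard code). The class and function names, the `eth0`/`eth1`/`eth2` interface names, and the `failback_active` flag standing in for the Multi-WAN failback setting are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PbrPolicy:
    """A firewall policy with policy-based routing enabled (hypothetical model)."""
    name: str
    # Ordered external interfaces: the first entry is the interface chosen for
    # the policy (the primary); the rest are the Failover list, in list order.
    interfaces: List[str]
    use_failover: bool = False
    virtual_bovpn: bool = False  # failover/failback are not offered for a virtual BOVPN interface
    # Interfaces that the aliases/networks in the policy's To list resolve to.
    to_list_members: List[str] = field(default_factory=list)


def check_pbr_restrictions(policy: PbrPolicy, external_interfaces: List[str]) -> List[str]:
    """Return the restriction violations for a policy, or an empty list if it is valid."""
    problems = []
    if not policy.virtual_bovpn:
        for ifc in policy.interfaces:
            if ifc not in external_interfaces:
                problems.append(f"{ifc} is not an external interface")
    primary = policy.interfaces[0]
    if primary not in policy.to_list_members:
        problems.append(f"{primary} is not a member of the policy's To list")
    if policy.virtual_bovpn and policy.use_failover:
        problems.append("failover is not available for a virtual BOVPN interface")
    return problems


def egress_for_new_connection(policy: PbrPolicy, link_up: Dict[str, bool]) -> Optional[str]:
    """Interface for a new connection that matches the policy; None means the traffic is dropped."""
    primary = policy.interfaces[0]
    if link_up.get(primary, False):
        return primary
    if policy.virtual_bovpn or not policy.use_failover:
        return None  # dropped until the interface is available again
    for backup in policy.interfaces[1:]:  # Failover list order decides precedence
        if link_up.get(backup, False):
            return backup
    return None


def egress_for_active_connection(policy: PbrPolicy, link_up: Dict[str, bool],
                                 current: str, failback_active: bool) -> Optional[str]:
    """Interface an established connection keeps using after a failover or failback.

    failback_active models the Multi-WAN failback setting: True moves active
    connections back to the primary once it returns, False leaves them on the
    failover interface for as long as it stays up.
    """
    primary = policy.interfaces[0]
    if current != primary and link_up.get(current, False) and not failback_active:
        return current
    return egress_for_new_connection(policy, link_up)


if __name__ == "__main__":
    smtp = PbrPolicy("SMTP-proxy", ["eth0", "eth1", "eth2"], use_failover=True,
                     to_list_members=["eth0", "eth1", "eth2"])
    links = {"eth0": False, "eth1": True, "eth2": True}
    print("new connection while eth0 is down ->", egress_for_new_connection(smtp, links))
    links["eth0"] = True
    print("active connection on eth1, no failback ->",
          egress_for_active_connection(smtp, links, "eth1", failback_active=False))
```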
Set a Custom Idle Timeout
Idle timeout is the maximum length of time that a connection can stay active when no traffic is sent
through the connection. You can configure the global idle timeout setting that applies to all policies.
You can also configure a custom idle timeout setting for an individual policy.
For more information about how to configure the global idle timeout setting, see Define Device Global
Settings on page 84.
For an individual policy, you can enable and configure a custom idle timeout that applies only to that
policy. You can then specify the length of time (in seconds) that can elapse before the XTM device
closes the connection. The default custom idle timeout setting is 180 seconds (3 minutes).
If you configure the global idle timeout setting and also enable a custom idle timeout for a policy, the
custom idle timeout setting takes precedence over the global idle timeout setting.
To specify the custom idle timeout value for a policy:
1. On the Firewall Policies / Edit page, select the Settings tab.
2. Select the Specify Custom Idle Timeout check box.
The idle timeout setting is enabled and the default value of 180 seconds appears in the adjacent text
box.
3. In the adjacent text box, type the number of seconds before a timeout occurs.
Set ICMP Error Handling
You can set the ICMP error handling settings associated with a policy. These settings override the
global ICMP error handling settings.
To change the ICMP error handling settings for the current policy:
1. Select the Advanced tab.
2. Select the Use policy based ICMP error handling check box.
3. Select one or more check boxes to override the global ICMP settings for that parameter.
For more information on global ICMP settings, see Define Device Global Settings on page 84.
Apply NAT Rules
You can apply Network Address Translation (NAT) rules to a policy. You can select 1-to-1 NAT or
Dynamic NAT.
1. Add or edit a policy.
2. Select the Advanced tab.
3. Select one of the options described in the subsequent sections.
1-to-1 NAT
With this type of NAT, the XTM device uses private and public IP ranges that you set, as described in
About 1-to-1 NAT on page 260.
Dynamic NAT
With this type of NAT, the XTM device maps private IP addresses to public IP addresses. All policies
have dynamic NAT enabled by default.
Select Use Network NAT Settings if you want to use the dynamic NAT rules set for the XTM device.
Select All traffic in this policy if you want to apply NAT to all traffic in this policy.
In the Set Source IP field, you can select a dynamic NAT source IP address for any policy that uses
dynamic NAT. This makes sure that any traffic that uses this policy shows a specified address from
your public or external IP address range as the source. This is helpful if you want to force outgoing
SMTP traffic to show your domain's MX record address when the IP address on the XTM device
external interface is not the same as your MX record IP address.
1-to-1 NAT rules have higher precedence than dynamic NAT rules.
Set the Sticky Connection Duration for a Policy
The sticky connection setting for a policy overrides the global sticky connection setting. You must
enable multi-WAN to use this feature.
1. Add or edit a policy.
2. Select the Advanced tab.
3. To use the global multi-WAN sticky connection setting, clear the Override Multi-WAN sticky
connection setting check box.
4. To set a custom sticky connection value for this policy, select the Enable sticky connection
check box.
5. In the Enable sticky connection text box, type the amount of time in minutes to maintain the
connection.
13
Proxy Settings
About Proxy Policies and ALGs
All WatchGuard policies are important tools for network security, whether they are packet filter
policies, proxy policies, or application layer gateways (ALGs). A packet filter examines each packet's
IP and TCP/UDP header, a proxy monitors and scans whole connections, and an ALG provides
transparent connection management in addition to proxy functionality. Proxy policies and ALGs
examine the commands used in the connection to make sure they are in the correct syntax and order,
and use deep packet inspection to make sure that connections are secure.
A proxy policy or ALG opens each packet in sequence, removes the network layer header, and
examines the packet's payload. A proxy then rewrites the network information and sends the packet to
its destination, while an ALG restores the original network information and forwards the packet. As a
result, a proxy or ALG can find forbidden or malicious content hidden or embedded in the data payload.
For example, an SMTP proxy examines all incoming SMTP packets (email) to find forbidden content,
such as executable programs or files written in scripting languages. Attackers frequently use these
methods to send computer viruses. A proxy or ALG can enforce a policy that forbids these content
types, while a packet filter cannot detect the unauthorized content in the packet's data payload.
If you have purchased and enabled additional subscription services (Gateway AntiVirus, Intrusion
Prevention Service, spamBlocker, WebBlocker), WatchGuard proxies can apply these services to
network traffic.
Proxy Configuration
Like packet filters, proxy policies include common options to manage network traffic, including traffic
management and scheduling features. However, proxy policies also include settings that are related to
the specified network protocol. These settings are configured with rulesets, or groups of options that
match a specified action. For example, you can configure rulesets to deny traffic from individual users
or devices, or allow VoIP (Voice over IP) traffic that matches the codecs you want. When you have set
all of the configuration options in a proxy, you can save that set of options as a user-defined proxy
action and use it with other proxies.
Fireware XTM supports proxy policies for many common protocols, including DNS, FTP, H.323,
HTTP, HTTPS, POP3, SIP, SMTP, and TCP-UDP. For more information on a proxy policy, see the
section for that policy.
• About the DNS-Proxy on page 660
• About the FTP-Proxy on page 677
• About the H.323-ALG on page 687
• About the HTTP-Proxy on page 699
• About the HTTPS-Proxy on page 725
• About the POP3-Proxy on page 736
• About the SIP-ALG on page 750
• About the SMTP-Proxy on page 763
• About the TCP-UDP-Proxy on page 796
Add a Proxy Policy to Your Configuration
When you add a proxy policy or ALG (application layer gateway) to your Fireware XTM configuration
file, you specify types of content that the XTM device must find as it examines network traffic. If the
content matches (or does not match) the criteria you set in the proxy or ALG definition, the traffic is
either allowed or denied, based on the criteria and settings you specify.
You can use the default settings of the proxy policy or ALG, or you can change these settings to match
network traffic in your organization. You can also create additional proxy policies or ALGs to manage
different parts of your network.
It is important to remember that a proxy policy or ALG requires more processor power than a packet
filter. If you add a large number of proxy policies or ALGs to your configuration, network traffic speeds
might decrease. However, a proxy or ALG uses methods that packet filters cannot use to catch
dangerous packets. Each proxy policy includes several settings that you can adjust to create a
balance between your security and performance requirements.
You can use Fireware XTM Web UI to add a proxy policy.
1. Select Firewall > Firewall Policies.
2. Click Add Policy.
3. In the Policy Name text box, type a name for the policy.
4. For the Select a policy type option, select Proxies.
5. From the first drop-down list, select a proxy, and from the second drop-down list, select a proxy
action.
6. Click Add Policy.
The Firewall Policies / Add page appears.
For more information on the basic properties of all policies, see About Policy Properties on page 627.
Proxy policies and ALGs have default proxy action rulesets that provide a good balance of security and
accessibility for most installations. If a default proxy action ruleset does not match the network traffic
you want to examine, you can add a new proxy action, or clone an existing proxy action to modify the
rules. You cannot modify a default predefined proxy action. For more information, see About Rules and
Rulesets on page 650 and the About topic for the type of policy you added.
• About the DNS-Proxy on page 660
• About the FTP-Proxy on page 677
• About the H.323-ALG on page 687
• About the HTTP-Proxy on page 699
• About the HTTPS-Proxy on page 725
• About the POP3-Proxy on page 736
• About the SIP-ALG on page 750
• About the SMTP-Proxy on page 763
• About the TCP-UDP-Proxy on page 796
About Proxy Actions
A proxy action is a specific group of settings, sources, or destinations for a type of proxy. Because
your configuration can include several proxy policies of the same type, each proxy policy uses a
different proxy action. Each proxy policy has predefined, or default, proxy actions for clients and
servers. For example, you can use one proxy action for packets sent to a POP3 server protected by
the XTM device, and a different proxy action to apply to email messages retrieved by POP3 clients.
You can clone, edit, and delete proxy actions in your XTM device configuration.
Fireware XTM proxy actions are divided into two categories: predefined proxy actions, and user-
defined proxy actions. The predefined proxy actions are configured to balance the accessibility
requirements of a typical company, with the need to protect your computer assets from attacks. You
cannot change the settings of predefined proxy actions. Instead, you must clone (copy) the existing
predefined proxy action definition and save it as a new, user-defined proxy action. You cannot
configure subscription services, such as Gateway AntiVirus, for predefined proxy actions. For
example, if you want to change a setting in the POP3-Client proxy action, you must save it with a
different name, such as POP3-Client.1.
You can create many different proxy actions for either clients or servers, or for a specified type of proxy
policy. However, you can assign only one proxy action to each proxy policy. For example, a POP3
policy is linked to a POP3-Client proxy action. If you want to create a POP3 proxy action for a POP3
server, or an additional proxy action for POP3 clients, you must add new POP3 proxy policies to Policy
Manager that use those new proxy actions.
Set the Proxy Action in a Proxy Policy
To set the proxy action for a proxy policy when you add a new policy:
1. Select Firewall > Firewall Policies.
The Firewall Policies page appears.
2. Click Add Policy.
The Select a policy type page appears.
3. Select Proxies.
4. From the Proxies drop-down lists, select the proxy policy and proxy action for this policy.
5. Click Add Policy.
To change a proxy action for an existing proxy policy:
1. Select Firewall > Firewall Policies.
The Firewall Policies page appears.
2. Select the proxy policy you want to change.
The Edit page appears.
3. Select the Proxy Action tab.
4. From the Proxy Action drop-down list, select the proxy action to use with this policy.
5. Click Save.
Clone, Edit, or Delete Proxy Actions
To manage the proxy actions for your XTM device, you can clone, edit, and delete proxy actions. You
can clone, edit, or delete any user-defined proxy action. You cannot make changes to predefined proxy
actions, or delete them. You also cannot delete user-defined proxy actions that are used by a policy.
If you want to change the settings in a predefined proxy action, you can clone it and create a new, user-
defined proxy action with the same settings. You can then edit the proxy action to modify the settings
as necessary. If you choose to edit a predefined proxy action, you cannot save your changes. Instead,
you are prompted to clone the changes you have made to a new, user-defined proxy action.
When you edit a proxy action, you can change the rules and rulesets, and the associated actions. Each
proxy action includes proxy action rules, which are organized into categories. Some categories are
further subdivided into subcategories of rules.
The available categories of settings for each proxy action appear in an accordion list, with section
headers that are always visible. When you select the section header for a category, the category
section expands and the settings and rules for each category appear on the category panel. If the
category includes more than one subcategory of settings, a link bar navigation menu appears at the top
of the category panel.
For more information on the available proxy action settings for each proxy, see the About topic for that
proxy.
• About the DNS-Proxy on page 660
• About the FTP-Proxy on page 677
• About the H.323-ALG on page 687
• About the HTTP-Proxy on page 699
• About the HTTPS-Proxy on page 725
• About the POP3-Proxy on page 736
• About the SIP-ALG on page 750
• About the SMTP-Proxy on page 763
• About the TCP-UDP-Proxy on page 796
Clone or Edit a Proxy Action
You can clone both predefined and user-defined proxy actions. But, you can only edit a user-defined
proxy action.
1. Select Firewall > Proxy Actions.
The Proxy Actions page appears.
2. Select the proxy action to clone or edit.
3. Click Clone or Edit.
If you selected to clone a proxy action, the Clone Proxy Action page appears.
If you selected to edit a proxy action, the Edit Proxy Action page appears.
4. Select a category tab to see the options for that category.
If the category you selected includes subcategories, a drop-down list expands to show the
available subcategories. Select a subcategory.
The content for the selected category appears.
5. Edit the rules and settings for the proxy action for all the necessary categories.
6. Click Save.
You can also clone a proxy action when you edit the configuration of a proxy policy that uses a
predefined proxy action.
1. From the Edit page for a proxy, select the Proxy Action tab.
2. From the Proxy Action drop-down list, select Clone the current proxy action.
The proxy action settings appear.
3. In the Name text box, type a new name for the proxy action.
4. Configure the settings for the proxy action.
5. Click Save.
Delete a Proxy Action
You cannot delete predefined proxy actions. You can only delete user-defined proxy actions that are
not used by a policy.
1. Select Firewall > Proxy Actions.
The Proxy Actions page appears.
2. Select the proxy action to delete.
3. Click Remove.
A confirmation dialog box appears.
4. To delete the proxy action, click Yes.
The proxy action is removed from your device configuration.
Proxy and AV Alarms
An alarm is an event that triggers a notification, which is a mechanism to tell a network administrator
about a condition in the network. In a proxy definition, an alarm might occur when traffic matches, or
does not match, a rule in the proxy. An alarm might also occur when the Actions to take selections are
set to an action other than Allow.
For example, the default definition of the FTP-proxy has a rule that denies the download of files whose
file types match any of these patterns: .cab, .com, .dll, .exe, and .zip. You can specify that an alarm is
generated whenever the XTM device takes the Deny action because of this rule.
For each proxy action, you can define what the XTM device does when an alarm occurs.
AV alarm settings are only available if Gateway AntiVirus applies to the proxy. Gateway AntiVirus is
available for the SMTP, POP3, HTTP, FTP, or TCP-UDP proxies. For all other proxies, you can only
configure the proxy alarm settings.
From the Proxy Actions > Edit page:
1. Select the Proxy and AV Alarms tab.
2. Configure the XTM device to send an SNMP trap, a notification to a network administrator, or
both. The notification can either be an email message to a network administrator or a pop-up
window on the administrator's management computer.
For more information on the Proxy and AV alarms settings, see Set Logging and Notification
Preferences on page 882.
3. To change settings for one or more other categories in this proxy, go to the topic on the next
category you want to modify.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
About Rules and Rulesets
When you configure a proxy policy or ALG (application layer gateway), you must select a proxy action
to use. You can use either a predefined proxy action or create a new proxy action. Each proxy action
contains rules. Rules are sets of criteria to which a proxy compares traffic.
A rule consists of a type of content, pattern, or expression, and the action of the XTM device when a
component of the packet's content matches that content, pattern, or expression. Rules also include
settings for when the XTM device sends alarms or creates a log entry. A ruleset is a group of rules
based on one feature of a proxy, such as the content types or filenames of email attachments. The
process to create and modify rules is consistent for each type of proxy action.
Your XTM device configuration includes default sets of rules in each proxy action used by each proxy
policy. Separate sets of rules are provided for clients and servers, to protect both your trusted users
and your public servers. You can use the default configuration for these rules, or you can customize
them for your particular business purposes. You cannot modify or delete predefined proxy actions. If
you want to make changes to a predefined proxy action, you can clone it to a new proxy action and then
make the necessary changes in the new proxy action.
About Working with Rules and Rulesets
When you edit a proxy action, you can see the list of rulesets that apply to that proxy action. You can
expand each ruleset to see and edit the rules for that proxy action.
WatchGuard provides a set of predefined rulesets that provide a good balance of security and
accessibility for most installations. If a default ruleset does not meet all of your business needs, you
can Add, Change, or Delete Rules.
Configure Rulesets
To configure rulesets for a proxy action:
1. Select Firewall > Proxy Actions.
The Proxy Actions page appears.
2. Double-click a proxy action to edit it.
The Proxy Actions / Edit page appears.
3. Add, Change, or Delete Rules.
Add, Change, or Delete Rules
When you configure rules, you can use wildcard pattern matches, exact matches, and Perl-compatible
regular expressions to identify content. When you add rules, you select the action for each rule, and
you can edit, clone (use an existing rule definition to create a new rule), delete, or reset rules.
For more information, see About Rules and Rulesets on page 650 and About Regular Expressions on
page 656.
When you configure a rule, you select the actions the proxy takes for each packet. Different actions
appear for different proxies or for different features of a particular proxy. This list includes all possible
actions:
Allow
Allows the connection.
Deny
Denies a specific request but keeps the connection if possible. Sends a response to the client.
Drop
Denies the specific request and drops the connection. Does not send a response to the sender.
The XTM device sends only a TCP reset packet to the client. The client's browser might display
"The connection was reset" or "The page cannot be displayed" but the browser does not tell the
user why.
Block
Denies the request, drops the connection, and blocks the site. For more information on blocked
sites, see About Blocked Sites on page 849.
All traffic from this site's IP address is denied for the amount of time specified in the Firewall >
Blocked Sites page on the Auto-Blocked tab. Use this action only if you want to stop all
traffic from the offender for this time.
Replace
Replaces the address in the To field with an address you specify.
For example, you can send all email that is addressed to user1@successco.com to
user1@successfulcompany.com.
For an outbound proxy action, you can also use this rule to standardize a domain name.
For example, you can send all email addressed to the success-co.net domain to the
successfulcompany.com domain. So, email sent to user1@success-co.net is instead sent to
user1@successfulcompany.com.
Strip
Removes an attachment from a packet and discards it. The other parts of the packet are sent
through the XTM device to the intended destination.
Lock
Locks an attachment, and wraps it so that it cannot be opened by the user. Only the
administrator can unlock the file.
AV Scan
Scans the attachment for viruses. If you select this option, Gateway AntiVirus is enabled for the
policy.
Add Rules
For information on how to work with regular expressions, see About Regular Expressions on page 656.
1. On a Proxy Actions / Edit subcategory page, in the list of rules for a ruleset, click Add.
The Add Rule dialog box appears.
2. In the Rule Name text box, type the name of the rule.
This text box is blank when you add a rule, and cannot be changed when you edit a rule.
3. In the Match Type drop-down list, select an option:
• Exact Match: Select when the contents of the packet must match the rule text exactly.
• Pattern Match: Select when the contents of the packet must match a pattern of text that can
include wildcard characters.
• Regular Expression: Select when the contents of the packet must match a pattern of
text with a regular expression.
4. In the Value text box, type the text of the rule.
If you selected Pattern Match as the rule setting, use an asterisk (*), a period (.), or a question
mark (?) as wildcard characters.
5. In the Rule Actions section, in the Action drop-down list, select the action the proxy takes for
this rule.
6. To create an alarm for this event, select the Alarm check box. An alarm tells users when a
proxy rule applies to network traffic.
7. To create a message for this event in the traffic log, select the Log check box.
Cut and Paste Rule Definitions
You can copy and paste content in text boxes from one proxy definition to another. For example,
suppose you write a custom deny message for the POP3 proxy. You can select the deny message,
copy it, and paste it into the Deny Message text box for the SMTP proxy.
When you copy between proxy definitions, you must make sure the text box you copy from is
compatible with the proxy you paste it into. You can copy rulesets only between proxies or categories
within these four groups. Other combinations are not compatible.
Content Types: HTTP Content Types, SMTP Content Types, POP3 Content Types
Filenames: FTP Download, FTP Upload, HTTP URL Paths, SMTP Filename, POP3 Filenames
Addresses: SMTP Mail From, SMTP Mail To
Authentication: SMTP Authentication, POP3 Authentication
Change the Order of Rules
The order that rules are listed in a proxy action category is the same as the order in which traffic is
compared to the rules. The proxy compares traffic to the first rule in the list and continues in sequence
from top to bottom. When traffic matches a rule, the XTM device performs the related action. It
performs no other actions, even if the traffic matches a rule later in the list.
To change the sequence of rules in a proxy action:
1. Select the rule to change.
2. Click Up or Down to move the rule up or down in the list.
Change the Default Rule
If traffic does not match any of the rules you have defined for a proxy category, the XTM device uses
the default rule. The action for the default rule appears in a drop-down list below the rule list.
To modify the default rule:
1. On the HTTP Proxy Action Settings page, from the HTTP Request drop-down list, select
Request Methods.
The Request Methods settings appear.
2. From the Action to take if no rule above is matched drop-down list, select the default rule.
3. Select the adjacent Alarm check box to send an alarm for the default rule.
4. Select the Log check box to save a log message for the default rule.
5. Click Save.
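The first-match behaviour described in Add, Change, or Delete Rules, Change the Order of Rules and Change the Default Rule, worked through as an added Python example. This is not WatchGuard code and not how the XTM device is implemented: the Rule and Ruleset names, the meaning given to the Pattern Match wildcards (* matches any run of characters, while ? and . each match exactly one character, following the guide's list of wildcard characters) and the sample rules modelled on the FTP-proxy download example are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Added example: a first-match ruleset evaluator in the style of a proxy action
# category. Not WatchGuard code; class names, field names and the wildcard
# semantics are assumptions made for illustration.


@dataclass
class Rule:
    name: str
    match_type: str   # "Exact Match", "Pattern Match" or "Regular Expression"
    value: str
    action: str       # Allow, Deny, Drop, Block, ...
    alarm: bool = False
    log: bool = False
    enabled: bool = True


def pattern_to_regex(pattern: str) -> str:
    """Translate a Pattern Match value into an anchored regular expression.

    Assumed semantics: '*' matches any run of characters, '?' and '.' each
    match exactly one character (the guide lists all three as wildcards),
    and every other character is taken literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch in "?.":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def rule_matches(rule: Rule, subject: str) -> bool:
    """Apply one rule to a subject string (a filename, URL path, address, ...)."""
    if rule.match_type == "Exact Match":
        return subject == rule.value
    if rule.match_type == "Pattern Match":
        return re.search(pattern_to_regex(rule.value), subject) is not None
    if rule.match_type == "Regular Expression":
        # Unanchored, as the guide describes: any subject that *contains*
        # a match satisfies the rule unless the expression itself uses ^ or $.
        return re.search(rule.value, subject) is not None
    raise ValueError(f"unknown match type: {rule.match_type!r}")


@dataclass
class Ruleset:
    rules: list
    default_action: str = "Allow"   # "Action to take if no rule above is matched"
    default_alarm: bool = False
    default_log: bool = False

    def evaluate(self, subject: str) -> dict:
        """Top to bottom: the first enabled rule that matches decides, and no
        later rule is consulted. If nothing matches, the default rule applies."""
        for rule in self.rules:
            if rule.enabled and rule_matches(rule, subject):
                return {"rule": rule.name, "action": rule.action,
                        "alarm": rule.alarm, "log": rule.log}
        return {"rule": None, "action": self.default_action,
                "alarm": self.default_alarm, "log": self.default_log}


def with_rule_moved(ruleset: Ruleset, name: str, offset: int) -> Ruleset:
    """Return a copy of the ruleset with one rule moved up (-1) or down (+1)."""
    rules = list(ruleset.rules)
    i = next(i for i, r in enumerate(rules) if r.name == name)
    j = min(max(i + offset, 0), len(rules) - 1)
    rules.insert(j, rules.pop(i))
    return Ruleset(rules, ruleset.default_action,
                   ruleset.default_alarm, ruleset.default_log)


# Constructed ruleset modelled on the guide's FTP-proxy download example:
# deny the listed file types (with alarm and log), allow everything else.
FTP_DOWNLOAD = Ruleset(
    rules=[
        Rule("Approved installer", "Exact Match", "setup-approved.exe", "Allow", log=True),
        Rule("Deny executables", "Pattern Match", "*.exe", "Deny", alarm=True, log=True),
        Rule("Deny archives", "Pattern Match", "*.zip", "Deny", alarm=True, log=True),
        Rule("Deny other binaries", "Regular Expression", r"\.(cab|com|dll)$",
             "Deny", alarm=True, log=True),
    ],
    default_action="Allow",
)

if __name__ == "__main__":
    for name in ["setup-approved.exe", "tool.exe", "archive.zip", "lib.dll", "readme.txt"]:
        print(name, FTP_DOWNLOAD.evaluate(name))
    # Moving the Allow rule below the Deny rule changes the verdict for the installer.
    moved = with_rule_moved(FTP_DOWNLOAD, "Approved installer", +1)
    print("after move:", moved.evaluate("setup-approved.exe"))
```

The exact-match Allow rule only takes effect because it sits above the Pattern Match Deny rule; moved one position down, the same filename is denied, which is the ordering point of Change the Order of Rules. Under the assumed wildcard semantics the value *.exe also matches a name such as toolXexe, because the period is itself a wildcard; over-matches of that kind are why rules should be tested before a configuration is saved.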
About Regular Expressions
A regular expression is a group of letters, numbers, and special characters used to match data. You
can use Perl-compatible regular expressions (PCRE) in your XTM device configuration to match
certain types of traffic in proxy actions. For example, you can use one regular expression to block
connections to some web sites and allow connections to other web sites. You can also deny SMTP
connections when the recipient is not a valid email address for your company. For example, if you want
to block parts of a web site that violate your company's Internet use policy, you can use a regular
expression in the URL Paths category of the HTTP proxy configuration.
General Guidelines
• Regular expressions in Fireware are case-sensitive: When you create a regular expression,
you must be careful to match the case of the letters in your regular expression to the letters of
the text you want to match. You can change the regular expression to not be case-sensitive
when you put the (?i) modifier at the start of a group.
• Regular expressions in Fireware are different from MS-DOS and Unix wildcard characters:
When you change files using MS-DOS or the Windows Command Prompt, you can use ? or * to
match one or more characters in a file name. These simple wildcard characters do not operate
the same way in Fireware.
For more information on how wildcard characters operate in Fireware, see the subsequent
sections.
How to Build a Regular Expression
The most simple regular expression is made from the text you want to match. Letters, numbers, and
other printable characters all match the same letter, number, or character that you type. A regular
expression made from letters and numbers can match only a character sequence that includes all of
those letters and numbers in order.
Example: fat matches fat, fatuous, and infatuated, as well as many other sequences.
Fireware accepts any character sequence that includes the regular expression. A
regular expression frequently matches more than one sequence. If you use a regular
expression as the source for a Deny rule, you can block some network traffic by
accident. We recommend that you fully test your regular expressions before you
save the configuration to your XTM device.
To match different sequences of characters at the same time, you must use a special character. The
most common special character is the period (.), which is similar to a wildcard. When you put a period
in a regular expression, it matches any character, space, or tab. The period does not match line breaks
(\r\n or \n).
Example: f..t matches foot, feet, f&#t, f -t, and f\t3t.
To match a special character, such as the period, you must add a backslash (\) before the character. If
you do not add a backslash to the special character, the rule may not operate correctly. It is not
necessary to add a second backslash if the character usually has a backslash, such as \t (tab stop).
You must add a backslash to each of these special characters to match the real character: ? . * | + $ \ ^ ( ) [
Example: \$9\.99 matches $9.99
Hexadecimal Characters
To match hexadecimal characters, use \x or %0x%. Hexadecimal characters are not affected by the
case-insensitive modifier.
Example: \x66 or %0x66% matches f, but cannot match F.
Repetition
To match a variable amount of characters, you must use a repetition modifier. You can apply the
modifier to a single character, or a group of characters. There are four types of repetition modifiers:
• Numbers inside curly braces (such as {2,4}) match as few as the first number, or as many as
the second number.
Example: 3{2,4} matches 33, 333, or 3333. It does not match 3 or 33333.
• The question mark (?) matches zero or one occurrence of the preceding character, class, or
group.
Example: me?et matches met and meet.
• The plus sign (+) matches one or more occurrences of the preceding character, class, or group.
Example: me+t matches met, meet, and meeeeeeeeet.
• The asterisk (*) matches zero or more occurrences of the preceding character, class, or group.
Example: me*t matches mt, met, meet, and meeeeeeeeet.
To apply modifiers to many characters at once, you must make a group. To group a sequence of
characters, put parentheses around the sequence.
Example: ba(na)* matches ba, bana, banana, and banananananana.
Character Classes
To match one character from a group, use square brackets instead of parentheses to create a
character class. You can apply repetition modifiers to the character class. The order of the characters
inside the class does not matter.
The only special characters inside a character class are the closing bracket (]), the backslash (\), the
caret (^), and the hyphen (-).
Example: gr[ae]y matches gray and grey.
To use a caret in the character class, do not make it the first character.
To use a hyphen in the character class, make it the first character.
A negated character class matches everything but the specified characters. Type a caret (^) at the
beginning of any character class to make it a negated character class.
Example: [Qq][^u] matches Qatar, but not question or Iraq.
Ranges
Character classes are often used with character ranges to select any letter or number. A range is two
letters or numbers, separated by a hyphen (-), that mark the start and finish of a character group. Any
character in the range can match. If you add a repetition modifier to a character class, the preceding
class is repeated.
Example: [1-3][0-9]{2} matches 100 and 399, as well as any number in between.
Some ranges that are used frequently have a shorthand notation. You can use shorthand character
classes inside or outside other character classes. A negated shorthand character class matches the
opposite of what the shorthand character class matches. The table below includes several common
shorthand character classes and their negated values.
Class   Equivalent to                        Negated   Equivalent to
\w      Any letter or number [A-Za-z0-9]     \W        Not a letter or number
\s      Any whitespace character [ \t\r\n]   \S        Not whitespace
\d      Any number [0-9]                     \D        Not a number
Anchors
To match the beginning or end of a line, you must use an anchor. The caret (^) matches the beginning
of a line, and the dollar sign ($) matches the end of a line.
Example: ^am.*$ matches ampere if ampere is the only word on the line. It does not match
dame.
You can use \b to match a word boundary, or \B to match any position that is not a word boundary.
There are three kinds of word boundaries:
• Before the first character in the character sequence, if the first character is a word character (\w)
• After the last character in the character sequence, if the last character is a word character (\w)
• Between a word character (\w) and a non-word character (\W)
Alternation
You can use alternation to match a single regular expression out of several possible regular
expressions. The alternation operator in a regular expression is the pipe character (|). It is similar to the
boolean operator OR.
Example: m(oo|a|e)n matches the first occurrence of moon, man, or men.
Common Regular Expressions
Match the PDF content type (MIME type)
^%PDF-
Match any valid IP address
(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
Match most email addresses
[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}
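The expressions from the About Regular Expressions section and the three Common Regular Expressions above, checked with Python's re module as an added example. This is not code from the guide or from WatchGuard; Python's re supports the PCRE constructs used here (the period, \x66, {m,n}, character classes, anchors, alternation and the (?i) modifier), while Fireware's %0x66% hexadecimal form is specific to Fireware and is not used. The expected results come from the guide's own examples; the contains and whole_match helpers and the table of test cases are constructed for this example.

```python
import re

# Added example: exercises the guide's regular expressions with Python's re
# module (compatible with the PCRE constructs used here). Not WatchGuard code.

# Constructed table of (pattern, text, expected) built from the guide's examples.
GUIDE_EXAMPLES = [
    ("fat", "infatuated", True),
    ("f..t", "f -t", True),         # the period matches any single character
    ("f..t", "ft", False),
    (r"\$9\.99", "$9.99", True),    # special characters escaped with a backslash
    (r"\$9\.99", "$9x99", False),
    (r"\x66", "f", True),           # hexadecimal character
    (r"\x66", "F", False),          # hex is not affected by case-insensitivity
    ("3{2,4}", "333", True),
    ("3{2,4}", "3", False),
    ("me?et", "meet", True),
    ("me+t", "mt", False),
    ("me*t", "mt", True),
    ("ba(na)*", "banananananana", True),
    ("gr[ae]y", "grey", True),
    ("[Qq][^u]", "Qatar", True),    # negated character class
    ("[Qq][^u]", "question", False),
    ("[Qq][^u]", "Iraq", False),
    ("[1-3][0-9]{2}", "250", True),  # range with repetition
    ("^am.*$", "ampere", True),      # anchors
    ("^am.*$", "dame", False),
    ("m(oo|a|e)n", "men", True),     # alternation
    ("(?i)fat", "FAT", True),        # case-insensitive modifier
]

# The guide's Common Regular Expressions.
PDF_CONTENT = r"^%PDF-"
IP_ADDRESS = (r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
              r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
              r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
              r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")
EMAIL = r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}"


def contains(pattern: str, text: str) -> bool:
    """Unanchored search: true if any part of `text` matches, which is how
    the guide says Fireware applies a rule."""
    return re.search(pattern, text) is not None


def whole_match(pattern: str, text: str) -> bool:
    """Anchored match: the entire text must match the expression."""
    return re.fullmatch(pattern, text) is not None


def check_guide_examples() -> list:
    """Return the (pattern, text) pairs whose result differs from the guide."""
    return [(p, t) for p, t, expected in GUIDE_EXAMPLES if contains(p, t) != expected]


def ip_verdicts(text: str) -> dict:
    """Show why anchoring matters for a Deny rule: an unanchored search for the
    address expression also finds a valid address *inside* an invalid one."""
    return {"contains": contains(IP_ADDRESS, text),
            "whole": whole_match(IP_ADDRESS, text)}


if __name__ == "__main__":
    print("mismatches against the guide:", check_guide_examples())
    for sample in ["10.0.0.1", "256.1.1.1"]:
        print(sample, ip_verdicts(sample))
    print("33333 contains 3{2,4}:", contains("3{2,4}", "33333"))
    print("PDF header:", contains(PDF_CONTENT, "%PDF-1.7\n"))
    print("email:", whole_match(EMAIL, "user1@successfulcompany.com"))
```

With an unanchored search, 3{2,4} is found inside 33333 (as the substring 3333) and the address expression is found inside 256.1.1.1 (as 56.1.1.1); only the anchored forms reject them. That is the accidental blocking the note above warns about, so decide for each Deny rule whether the expression needs ^ and $.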
About the DNS-Proxy
The Domain Name System (DNS) is a network system of servers that translates numeric IP
addresses into readable, hierarchical Internet addresses, and vice versa. DNS enables your computer
network to understand, for example, that you want to reach the server at 200.253.208.100 when you
type a domain name into your browser, such as www.example.com. With Fireware XTM, you have two
methods to control DNS traffic: the DNS packet filter and the DNS-proxy policy. The DNS-proxy is
useful only if DNS requests are routed through your XTM device.
When you create a new configuration file, the file automatically includes an Outgoing packet filter
policy that allows all TCP and UDP connections from your trusted and optional networks to external.
This allows your users to connect to an external DNS server with the standard TCP 53 and UDP 53
ports. Because Outgoing is a packet filter, it is unable to protect against common UDP outgoing
trojans, DNS exploits, and other problems that occur when you open all outgoing UDP traffic from your
trusted networks. The DNS-proxy has features to protect your network from these threats. If you use
external DNS servers for your network, the DNS-Outgoing ruleset offers additional ways to control the
services available to your network community.
To add the DNS-proxy to your XTM device configuration, see Add a Proxy Policy to Your Configuration
on page 640.
If you must change the proxy definition, from the Firewall Policies / Edit page, you can modify the
definition. This page is separated into several tabs: Settings, Application Control, Traffic
Management, Proxy Action, Scheduling, and Advanced.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
• Connections are: Specify whether connections are Allowed, Denied, or Denied (send
reset) and define who appears in the From and To list (on the Policy tab of the proxy definition).
See Set Access Rules for a Policy on page 629.
• Use policy-based routing: See Configure Policy-Based Routing on page 631.
• You can also configure static NAT or configure server load balancing. See Configure Static
NAT on page 271 and Configure Server Load Balancing on page 275.
• To define the logging settings for the policy, configure the settings in the Logging section.
For more information, see Set Logging and Notification Preferences on page 882.
• If you set the Connections are drop-down list to Denied or Denied (send reset), you can
block sites that try to use DNS.
For more information, see Block Sites Temporarily with Policy Settings on page 852.
• To change the idle timeout that is set by the XTM device or authentication server, see Set a
Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to
use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action in v11.8.x and Lower and Add a Traffic Management Action to
a Policy on page 828.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action in v11.8.x and Lower on page 827.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 643.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 643.
3. Click Save.
For the DNS-proxy, you can configure these categories of settings for a proxy action:
• DNS-Proxy: General Settings
• DNS-Proxy: OPcodes
• DNS-Proxy: Query Types
• DNS-Proxy: Query Names
• DNS-Proxy: Proxy Alarm
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 623.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
• Apply NAT Rules on page 636
• Set the Sticky Connection Duration for a Policy on page 636
• Set ICMP Error Handling on page 636
• Enable QoS Marking or Prioritization Settings for a Policy on page 810
DNS-Proxy: General Settings
On the Proxy Action tab, General tab of the Edit page for a DNS-proxy action, you can change the
settings of the two protocol anomaly detection rules. We recommend that you do not change the
default rule settings. You can also select whether to create a traffic log message for each transaction.
Not of class Internet
Select the action when the proxy examines DNS traffic that is not of the Internet (IN) class. The
default action is to deny this traffic. We recommend that you do not change this default action.
Badly formatted query
Select the action when the proxy examines DNS traffic that does not use the correct format.
Alarm
An alarm is a mechanism to tell users when a proxy rule applies to network traffic.
To configure an alarm for this event, select the Alarm check box.
To set the options for the alarm, expand the Proxy Action accordion. Alarm notifications are
sent in an SNMP trap, email, or a pop-up window.
For more information about proxy alarms, see Proxy and AV Alarms.
For more information about notification messages, see Set Logging and Notification
Preferences.
Log
To send a log message to the traffic log for this event, select this check box.
Enable logging for reports
Select this check box to create a traffic log message for each transaction. This option creates a
large log file, but this information is very important if your firewall is attacked. If you do not
select this check box, detailed information about DNS-proxy connections does not appear in
your reports.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
• Error
• Warning
• Information
• Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page
878.
DNS-Proxy: OPcodes
DNS OPcodes (operation codes) are commands given to the DNS server that tell it to do some action,
such as a query (Query), an inverse query (IQuery), or a server status request (STATUS). They
operate on items such as registers, values in memory, values stored on the stack, I/O ports, and the
bus. You can add, delete, or modify rules in the default ruleset. You can allow, deny, drop, or block
specified DNS OPcodes.
1. On the Proxy Action tab, select the OPCodes tab.
2. To enable a rule in the list, select the adjacent Enabled check box.
To disable a rule, clear the Enabled check box.
If you use Active Directory and your Active Directory configuration requires dynamic
updates, you must allow DNS OPcodes in your DNS-Incoming proxy action rules.
This is a security risk, but can be necessary for Active Directory to operate correctly.
Add a New OPcodes Rule
1. Click Add.
The New OPCodes Rule dialog box appears.
2. Type a name for the rule.
Rule names can have no more than 200 characters.
3. Click the arrows to set the OPCode value. DNS OPcodes have an integer value.
For more information on the integer values of DNS OPcodes, see RFC 1035.
Delete or Modify Rules
1. Add, delete, or modify rules, as described in Add, Change, or Delete Rules on page 651.
2. To change settings for one or more other categories in this proxy, go to the topic on the next
category you want to modify.
3. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
DNS-Proxy: Query Types
A DNS query type identifies a resource record by type (such as a CNAME or TXT record) or a
custom type of query operation (such as an AXFR full zone transfer). You can add, delete, or modify
rules. You can allow, deny, drop, or block specified DNS query types.
1. On the Proxy Action tab, select the Query Types tab.
2. To enable a rule, select the Enabled check box adjacent to the action and name of the rule.
Add a New Query Types Rule
1. To add a new query types rule, click Add.
The New Query Types Rule dialog box appears.
2. Type a name for the rule.
Rule names can have no more than 200 characters.
3. In the Query Type Value text box, type or select the resource record (RR) value for this DNS
query type.
For more information on the values of DNS query types, see RFC 1035.
4. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
5. To change settings for other categories in this proxy, go to the topic for the next category you
want to modify and follow the instructions.
6. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
DNS-Proxy: Query Names
A DNS query name refers to a specified DNS domain name, shown as a fully qualified domain name
(FQDN). You can add, delete, or modify rules.
1. On the Proxy Action tab, select the Query Names tab.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for other categories in this proxy, go to the topic for the next category you
want to modify and follow the instructions.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
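The three rule categories above (OPcodes, Query Types and Query Names) together with the class and format checks from General Settings, worked through as an added Python example. It is not WatchGuard code and not the XTM device's implementation: it parses the header and question section of a DNS message as laid out in RFC 1035, extracts the OPcode, query type, class and query name, and applies a constructed policy in the same order as the categories. The policy dictionary, the *.example.invalid query-name pattern, the build_query helper and the sample packets are all constructed for illustration.

```python
import fnmatch
import struct

# Added example: DNS question parsing plus OPcode / query type / query name
# rules, evaluated in the order of the guide's DNS-proxy categories.
# Not WatchGuard code; the policy and sample packets are constructed.

OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}            # RFC 1035
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 252: "AXFR", 255: "ANY"}
CLASS_IN = 1


class BadlyFormattedQuery(ValueError):
    """Raised for any message that does not parse as a single-question query."""


def parse_query(msg: bytes) -> dict:
    """Parse the 12-byte header and the one question of a DNS query message."""
    if len(msg) < 12:
        raise BadlyFormattedQuery("header shorter than 12 bytes")
    ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if flags >> 15:                      # QR bit set: a response, not a query
        raise BadlyFormattedQuery("QR bit set in a query")
    if qdcount != 1:
        raise BadlyFormattedQuery(f"expected one question, got {qdcount}")
    opcode = (flags >> 11) & 0xF         # OPCODE is bits 11..14 of the flags word
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise BadlyFormattedQuery("name runs past end of message")
        length = msg[pos]
        pos += 1
        if length == 0:                  # root label ends the name
            break
        if length & 0xC0:                # labels are at most 63 bytes; 0xC0 marks a pointer
            raise BadlyFormattedQuery("compression pointer or oversize label in question")
        if pos + length > len(msg):
            raise BadlyFormattedQuery("label runs past end of message")
        try:
            labels.append(msg[pos:pos + length].decode("ascii"))
        except UnicodeDecodeError as exc:
            raise BadlyFormattedQuery("non-ASCII label") from exc
        pos += length
    if pos + 4 > len(msg):
        raise BadlyFormattedQuery("question section truncated")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"id": ident, "opcode": opcode,
            "opcode_name": OPCODE_NAMES.get(opcode, f"OPCODE{opcode}"),
            "qname": ".".join(labels) or ".", "qtype": qtype,
            "qtype_name": QTYPE_NAMES.get(qtype, f"TYPE{qtype}"), "qclass": qclass}


def build_query(name: str, qtype: int, opcode: int = 0,
                qclass: int = CLASS_IN, ident: int = 0x1234) -> bytes:
    """Construct a query message (used here only to make sample packets)."""
    flags = (opcode << 11) | 0x0100      # QR=0, RD=1
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.strip(".").split(".") if l) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


# Constructed policy in the shape of the guide's DNS-proxy categories.
POLICY = {
    "not_internet_class": "Deny",              # General Settings: Not of class Internet
    "badly_formatted": "Deny",                 # General Settings: Badly formatted query
    "opcodes": {0: "Allow"},                   # OPcodes ruleset: only QUERY allowed
    "opcodes_default": "Deny",
    "query_types": {252: "Deny", 255: "Deny"},  # Query Types: AXFR and ANY denied
    "query_types_default": "Allow",
    "query_names": [("*.example.invalid", "Deny")],  # hypothetical name pattern
    "query_names_default": "Allow",
}


def evaluate(msg: bytes, policy: dict = POLICY) -> dict:
    """Return the action for a query and the reason; the first category that
    yields a non-Allow action decides, like a first-match ruleset."""
    try:
        q = parse_query(msg)
    except BadlyFormattedQuery as exc:
        return {"action": policy["badly_formatted"], "reason": f"badly formatted query: {exc}"}
    if q["qclass"] != CLASS_IN:
        return {"action": policy["not_internet_class"], "reason": "not of class Internet", **q}
    action = policy["opcodes"].get(q["opcode"], policy["opcodes_default"])
    if action != "Allow":
        return {"action": action, "reason": f"OPcode {q['opcode_name']}", **q}
    action = policy["query_types"].get(q["qtype"], policy["query_types_default"])
    if action != "Allow":
        return {"action": action, "reason": f"query type {q['qtype_name']}", **q}
    for pattern, action in policy["query_names"]:
        if fnmatch.fnmatchcase(q["qname"], pattern):
            return {"action": action, "reason": f"query name matches {pattern}", **q}
    return {"action": policy["query_names_default"], "reason": "no rule matched", **q}
```

A truncated or otherwise malformed message never reaches the OPcode, query type or query name rules; it is handled by the badly formatted query action first, which is why the guide recommends leaving that default at Deny. A call such as evaluate(build_query("example.com", 252)) returns the Deny action with the reason "query type AXFR".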
DNS-Proxy: Proxy Alarm
You can configure how the DNS-proxy sends messages for alarm events that occur through the DNS-
proxy. You can define the proxy to send an SNMP trap, a notification to a network administrator, or
both. The notification can either be an email message to a network administrator or a pop-up window on
the management computer.
1. On the Edit page, Proxy Action tab, select the Proxy Alarm tab.
The Proxy Alarm settings appear.
2. Configure the notification settings for the DNS-proxy action.
For more information, see Set Logging and Notification Preferences on page 882.
3. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
About MX (Mail eXchange) Records
An MX (Mail eXchange) record is a type of DNS record that gives one or more host names of the email
servers that are responsible for and authorized to receive email for a given domain. If the MX record
has more than one host name, each name has a number that tells which is the most preferred host and
which hosts to try next if the most preferred host is not available.
MX Lookup
When an email server sends email, it first does a DNS query for the MX record of the recipient's
domain. When it gets the response, the sending email server knows the host names of authorized mail
exchangers for the recipient's domain. To get the IP addresses associated with the MX host names, a
mail server does a second DNS lookup for the A record of the host name. The response gives the IP
address associated with the host name. This lets the sending server know what IP address to connect
to for message delivery.
Reverse MX Lookup
Many anti-spam solutions, including those used by most major ISP networks and web mail providers
such as AOL, MSN, and Yahoo!, use a reverse MX lookup procedure. Different variations of the
reverse lookup are used, but the goals are the same: the receiving server wants to verify that the email
it receives does not come from a spoofed or forged sending address, and that the sending server is an
authorized mail exchanger for that domain.
To verify that the sending server is an authorized email server, the receiving email server tries to find
an MX record that correlates to the sender's domain. If it cannot find one, it assumes that the email is
spam and rejects it.
The domain name that the receiving server looks up can be:
• Domain name in the email message's From: header
• Domain name in the email message's Reply-To: header
• Domain name the sending server uses as the FROM parameter of the MAIL command. (An
SMTP command is different from an email header. The sending server sends the MAIL FROM:
command to tell the receiving server who the message is from.)
• Domain name returned from a DNS query of the connection's source IP address. The receiving
server sometimes does a lookup for a PTR record associated with the IP address. A PTR DNS
record is a record that maps an IP address to a domain name (instead of a normal A record,
which maps a domain name to an IP address).
Before the receiving server continues the transaction, it makes a DNS query to see whether a valid MX
record for the sender's domain exists. If the domain has no valid DNS MX record, then the sender is
not valid and the receiving server rejects it as a spam source.
MX Records and Multi-WAN
Because outgoing connections from behind your XTM device can show different source IP addresses
when your XTM device uses multi-WAN, you must make sure that your DNS records include MX
records for each external IP address that can show as the source when you send email. If the list of
host names in your domain's MX record does not include one for each external XTM device interface, it
is possible that some remote email servers could drop your email messages.
For example, Company XYZ has an XTM device configured with multiple external interfaces. The XTM
device uses the Failover multi-WAN method. Company XYZ's MX record includes only one host
name. This host name has a DNS A record that resolves to the IP address of the XTM device primary
external interface.
When Company XYZ sends an email to test@yahoo.com, the email goes out through the primary
external interface. The email request is received by one of Yahoo's many email servers. That email
server does a reverse MX lookup to verify the identity of Company XYZ. The reverse MX lookup is
successful, and the email is sent.
If a WAN failover event occurs at the XTM device, all outgoing connections from Company XYZ start
to go out the secondary, backup external interface. In this case, when the Yahoo email server does a
reverse MX lookup, it does not find an IP address in Company XYZ's MX and A records that matches,
and it rejects the email. To solve this problem, make sure that:
• The MX record has multiple host names, at least one for each external XTM device interface.
• At least one host name in the MX record has a DNS A record that maps to the IP address
assigned to each XTM device interface.
Add Another Host Name to an MXRecord
MX records are stored as part of your domains DNS records. For more information on how to set up
your MX records, contact your DNS host provider (if someone else hosts your domains DNS service)
or consult the documentation fromthe vendor of your DNS server software.
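The reverse MX and PTR checks described above, and the multi-WAN gap they expose, as an added Python example that is not from the user guide. The domain xyz.example, the zone records and the IP addresses are constructed stand-ins for a real DNS zone so the check runs offline; uncovered_interfaces reports which external interface addresses still need an MX host name with a matching A record.

```python
"""Reverse MX / PTR checks a receiving mail server performs, plus a multi-WAN
coverage check for the sending domain's DNS records.

Added example, not from the Fireware user guide. xyz.example, the zone records
and the IP addresses below are constructed stand-ins for real DNS data so the
check runs offline without a resolver.
"""
from functools import partial

# Constructed zone: the only MX host resolves to the primary external interface.
CONSTRUCTED_ZONE = {
    ("xyz.example", "MX"): ["mail1.xyz.example"],
    ("mail1.xyz.example", "A"): ["203.0.113.10"],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail1.xyz.example"],
}


def lookup(name, rtype, zone=CONSTRUCTED_ZONE):
    """Resolver stand-in: records of type rtype for name (empty list if none)."""
    return list(zone.get((name, rtype), []))


def reverse_name(ip):
    """in-addr.arpa name used for the PTR query of an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def mx_covers_ip(domain, source_ip, resolver=lookup):
    """Reverse MX lookup: does some MX host of the sender domain have an A
    record equal to the connection's source IP? A domain with no MX fails."""
    return any(source_ip in resolver(mx_host, "A")
               for mx_host in resolver(domain, "MX"))


def ptr_matches_domain(domain, source_ip, resolver=lookup):
    """PTR variant: the source IP must reverse-resolve to a name in the domain."""
    return any(ptr == domain or ptr.endswith("." + domain)
               for ptr in resolver(reverse_name(source_ip), "PTR"))


def uncovered_interfaces(domain, external_ips, resolver=lookup):
    """External interface IPs that would fail a reverse MX lookup after a
    multi-WAN failover, i.e. no MX host's A record names them."""
    return [ip for ip in external_ips if not mx_covers_ip(domain, ip, resolver)]


def with_additional_mx_host(zone, domain, host, ip):
    """Copy of the zone with one more MX host name and its A record: the fix
    the guide recommends, one host name per external interface."""
    fixed = {key: list(records) for key, records in zone.items()}
    fixed.setdefault((domain, "MX"), []).append(host)
    fixed.setdefault((host, "A"), []).append(ip)
    return fixed


if __name__ == "__main__":
    external = ["203.0.113.10", "198.51.100.20"]   # primary and backup WAN IPs
    print("uncovered before fix:", uncovered_interfaces("xyz.example", external))
    fixed = with_additional_mx_host(CONSTRUCTED_ZONE, "xyz.example",
                                    "mail2.xyz.example", "198.51.100.20")
    print("uncovered after fix:",
          uncovered_interfaces("xyz.example", external, partial(lookup, zone=fixed)))
```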
Proxy Settings
676 Fireware XTMWeb UI
Proxy Settings
User Guide 677
About the FTP-Proxy
FTP (File Transfer Protocol) is used to send files from one computer to a different computer over a
TCP/IP network. The FTP client is usually a computer. The FTP server can be a resource that keeps
files on the same network or on a different network. The FTP client can be in one of two modes for data
transfer: active or passive. In active mode, the server starts a connection to the client from source port
20. In passive mode, the client uses a previously negotiated port to connect to the server. The FTP-
proxy monitors and scans these FTP connections between your users and the FTP servers they
connect to.
With an FTP-proxy policy, you can:
- Set the maximum user name length, password length, file name length, and command line
length allowed through the proxy to help protect your network from buffer overflow attacks.
- Control the type of files that the FTP-proxy allows for downloads and uploads.
The TCP/UDP proxy is available for protocols on non-standard ports. When FTP uses a port other than
port 20, the TCP/UDP proxy relays the traffic to the FTP-proxy. For information on the TCP/UDP
proxy, see About the TCP-UDP-Proxy on page 796.
For detailed instructions on how to add the FTP-proxy to your XTM device configuration, see Add a
Proxy Policy to Your Configuration on page 640.
If you must change the proxy definition, from the Firewall Policies / Edit page, you can modify the
definition. This page is separated into several tabs: Settings, Application Control, Traffic
Management, Proxy Action, Scheduling, and Advanced.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
- Connections are: Specify whether connections are Allowed, Denied, or Denied (send
reset), and define who appears in the From and To lists (on the Policy tab of the proxy definition).
See Set Access Rules for a Policy on page 629.
- Use policy-based routing: See Configure Policy-Based Routing on page 631.
- You can also configure static NAT or configure server load balancing. See Configure Static
NAT on page 271 and Configure Server Load Balancing on page 275.
- To define the logging settings for the policy, configure the settings in the Logging section.
For more information, see Set Logging and Notification Preferences on page 882.
- If you set the Connections are drop-down list to Denied or Denied (send reset), you can
block sites that try to use FTP.
For more information, see Block Sites Temporarily with Policy Settings on page 852.
- To change the idle timeout that is set by the XTM device or authentication server, see Set a
Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to
use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action in v11.8.x and Lower and Add a Traffic Management Action to
a Policy on page 828.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action in v11.8.x and Lower on page 827.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 643.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 643.
3. Click Save.
For the FTP-proxy, you can configure these categories of settings for a proxy action:
- FTP-Proxy: General Settings
- FTP-Proxy: Commands
- FTP-Proxy: Content
- FTP-Proxy: Data Loss Prevention
- FTP-Proxy: Proxy and AV Alarms
- FTP-Proxy: APT Blocker
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 623.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
- Apply NAT Rules on page 636
- Set the Sticky Connection Duration for a Policy on page 636
- Set ICMP Error Handling on page 636
- Enable QoS Marking or Prioritization Settings for a Policy on page 810
FTP-Proxy: General Settings
In the General section of the Edit page for an FTP-proxy action, you can set basic FTP parameters
including the maximum user name length.
1. On the Proxy Action tab, select the General tab.
The General settings appear.
2. To set limits for FTP parameters, select the applicable check boxes. These settings help to
protect your network from buffer overflow attacks.
Set the maximum user name length to
Sets a maximum length for user names on FTP sites.
Set the maximum password length to
Sets a maximum length for passwords used to log in to FTP sites.
Set the maximum file name length to
Sets the maximum file name length for files to upload or download.
Set the maximum command line length to
Sets the maximum length for command lines used on FTP sites.
Set the maximum number of failed logins per connection to
Allows you to limit the number of failed login attempts on a single connection to your FTP
site. This can protect your site against brute force attacks.
3. In the text box for each setting, type or select the limit for the selected parameter.
4. For each setting, select or clear the Auto-block check box.
If someone tries to connect to an FTP site and exceeds a limit that you have selected to auto-
block, the computer that sent the commands is added to the temporary Blocked Sites List.
5. To create a log message for each transaction, select the Enable logging for reports check
box.
You must select this option to get detailed information on FTP traffic.
6. To specify the diagnostic log level for all proxy policies that use this proxy action, select the
Override the diagnostic log level for proxy policies that use this proxy action check box.
From the Diagnostic log level for this proxy action drop-down list, select a log level:
- Error
- Warning
- Information
- Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page
878.
7. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
8. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
FTP-Proxy: Commands
There are a number of commands that FTP uses to manage files. You can configure rules to put limits
on some FTP commands.
To control the commands that can be used on an FTP server protected by your XTM device, you can
configure the FTP-Server proxy action. By default, the FTP-Server proxy action configuration allows
these commands:
ABOR* HELP* PASS* REST* STAT* USER*
APPE* LIST* PASV* RETR* STOR* XCUP*
CDUP* MKD* PORT* RMD* STOU* XCWD*
CWD* NLST* PWD* RNFR* SYST* XMKD*
DELE* NOOP* QUIT* RNTO* TYPE* XRMD*
The FTP-Server proxy action denies all other FTP commands by default.
To put limits on the commands that users protected by the XTM device can use when they connect to
external FTP servers, modify the FTP-Client proxy action. The default configuration of the FTP-Client
proxy action is to allow all FTP commands.
You can add, delete, or modify rules. We recommend that you do not block these commands, because
they are necessary for the FTP protocol to work correctly:
Protocol Command | Client Command | Description
USER             | n/a            | Sent with login name
PASS             | n/a            | Sent with password
PASV             | pasv           | Select passive mode for data transfer
SYST             | syst           | Print the server's operating system and version. FTP clients use this
                 |                | information to correctly interpret and display server responses.
To add, delete, or modify rules:
1. On the Proxy Action tab, select the Commands tab.
2. Add, delete, or modify rules, as described in Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
FTP-Proxy: Content
You can control the type of files that the FTP-proxy allows for downloads and uploads. For example,
because many hackers use executable files to deploy viruses or worms on a computer, you could deny
requests for *.exe files. Or, if you do not want to let users upload Windows Media files to an FTP
server, you could add *.wma to the proxy definition and specify that these files are denied. Use the
asterisk (*) as a wildcard character.
To define rules for an FTP server protected by the XTM device, modify the FTP-Server proxy action.
To define rules for users who connect to external FTP servers, modify the FTP-Client proxy action.
1. On the Proxy Action tab, select the Upload or Download tab.
2. Add, delete, or modify rules, as described in Add, Change, or Delete Rules.
3. If you want uploaded files to be scanned for viruses by Gateway AntiVirus, from the Action to
take if no rule above is matched drop-down list, select AV Scan for one or more rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. When you are finished with your changes to this proxy action definition, click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
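The General Settings limits with auto-block, the Commands allow list, and the upload/download Content rules from the three FTP-Proxy topics above, combined into one added Python example that is not Fireware code. The limit values, rule patterns, client addresses and sample command lines are constructed; the allowed-command set is the FTP-Server default listed under FTP-Proxy: Commands, and rules match with * as the wildcard, first match wins.

```python
"""Evaluate FTP command lines against the kinds of controls an FTP-proxy
action exposes: length limits with auto-block, a command allow list, a
failed-login limit per connection, and upload/download file-name rules.

Added example, not Fireware code. Limit values, rule patterns and client
addresses are constructed; the allow list is the FTP-Server default from the guide.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Commands the FTP-Server proxy action allows by default (from the guide).
FTP_SERVER_DEFAULT_ALLOW = {
    "ABOR", "APPE", "CDUP", "CWD", "DELE", "HELP", "LIST", "MKD", "NLST", "NOOP",
    "PASS", "PASV", "PORT", "PWD", "QUIT", "REST", "RETR", "RMD", "RNFR", "RNTO",
    "STAT", "STOR", "STOU", "SYST", "TYPE", "USER", "XCUP", "XCWD", "XMKD", "XRMD",
}


@dataclass
class FtpProxyAction:
    """Constructed subset of an FTP-proxy action's settings."""
    max_user_len: int = 32
    max_pass_len: int = 32
    max_file_len: int = 64
    max_cmd_len: int = 128
    max_failed_logins: int = 3
    auto_block: bool = True
    allowed_cmds: set = field(default_factory=lambda: set(FTP_SERVER_DEFAULT_ALLOW))
    # Content rules as (pattern, action), checked in order; first match wins.
    download_rules: list = field(default_factory=lambda: [("*.exe", "deny")])
    upload_rules: list = field(default_factory=lambda: [("*.wma", "deny")])
    default_content_action: str = "allow"


@dataclass
class Connection:
    client_ip: str
    failed_logins: int = 0


def match_content_rule(rules, default, filename):
    """First rule whose * pattern matches the file name decides, else default."""
    for pattern, action in rules:
        if fnmatchcase(filename, pattern):
            return action
    return default


def evaluate(action, conn, line, blocked):
    """Return 'allow', 'deny', or 'block' (denied and the client added to
    `blocked`, the stand-in for the temporary Blocked Sites List)."""
    def limit_hit():
        if action.auto_block:
            blocked.add(conn.client_ip)
            return "block"
        return "deny"

    line = line.rstrip("\r\n")
    if len(line) > action.max_cmd_len:          # command line length limit
        return limit_hit()
    parts = line.split(" ", 1)
    cmd = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else ""

    if cmd not in action.allowed_cmds:           # command allow list
        return "deny"
    if cmd == "USER" and len(arg) > action.max_user_len:
        return limit_hit()
    if cmd == "PASS" and len(arg) > action.max_pass_len:
        return limit_hit()
    if cmd in ("RETR", "STOR", "APPE", "STOU") and len(arg) > action.max_file_len:
        return limit_hit()
    if cmd == "RETR":                            # download content rules
        return match_content_rule(action.download_rules,
                                  action.default_content_action, arg)
    if cmd in ("STOR", "APPE", "STOU"):          # upload content rules
        return match_content_rule(action.upload_rules,
                                  action.default_content_action, arg)
    return "allow"


def record_login_failure(action, conn, blocked):
    """Call when the server rejects a PASS; enforces the per-connection limit."""
    conn.failed_logins += 1
    if conn.failed_logins >= action.max_failed_logins:
        if action.auto_block:
            blocked.add(conn.client_ip)
            return "block"
        return "deny"
    return "allow"
```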
FTP-Proxy: Data Loss Prevention
To apply consistent settings for Data Loss Prevention (DLP) content inspection and extraction, you
can associate a DLP configuration with your FTP-proxy.
From the Edit page for the FTP-proxy:
1. Select the Proxy Action tab.
2. Select the Data Loss Prevention tab.
3. From the DLP Sensor drop-down list, select a configuration.
4. Click Save.
For more information, see About Data Loss Prevention on page 1440 and Configure Data Loss
Prevention on page 1443.
FTP-Proxy: Proxy and AV Alarms
You can configure how the FTP-proxy sends messages for alarm and antivirus events that occur
through the FTP-proxy. You can define the proxy to send an SNMP trap, a notification to a network
administrator, or both. The notification can either be an email message to a network administrator or a
pop-up window on the management computer.
1. On the Edit Proxy Action page, select the Proxy Alarm category.
The Proxy Alarm settings appear.
2. Configure the notification settings for the FTP-proxy action.
For more information, see Set Logging and Notification Preferences on page 882.
3. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
FTP-Proxy: APT Blocker
If you have purchased and enabled the APT Blocker feature on your Firebox or XTM device, you can
enable APT Blocker in the FTP-proxy to examine FTP traffic for APT malware.
From the Edit page for the FTP-proxy:
1. Select the Proxy Action tab.
2. Select the APT Blocker tab.
3. Select the Enable APT Blocker check box.
4. Click Save.
For more information, see About APT Blocker on page 1382 and Configure APT Blocker on page 1386.
About the H.323-ALG
If you use Voice-over-IP (VoIP) in your organization, you can add an H.323 or SIP (Session Initiation
Protocol) ALG (Application Layer Gateway) to open the ports necessary to enable VoIP through your
XTM device. An ALG is created in the same way as a proxy policy and offers similar configuration
options. These ALGs have been created to work in a NAT environment to maintain security for
privately addressed conferencing equipment protected by your XTM device.
H.323 is commonly used on videoconferencing equipment. SIP is commonly used with IP phones. You
can use both H.323 and SIP ALGs at the same time, if necessary. To determine which ALG to add,
consult the documentation for your VoIP devices or applications.
VoIP Components
It is important to understand that you usually implement VoIP by using either:
Peer-to-peer connections
In a peer-to-peer connection, each of the two devices knows the IP address of the other device
and connects to the other directly, without the use of a proxy server to route their calls.
Host-based connections
Connections managed by a call management system (PBX). The call management system can
be self-hosted, or hosted by a third-party service provider.
With H.323, the key component of call management is known as a gatekeeper. A gatekeeper manages
VoIP calls for a group of users, and can be located on a network protected by your XTM device or at an
external location. For example, some VoIP providers host a gatekeeper on their network that you must
connect to before you can place a VoIP call. Other solutions require you to set up and maintain a
gatekeeper on your network.
Coordination of the many components of a VoIP installation can be a difficult task. We recommend you
make sure that VoIP connections work successfully before you add an H.323 or SIP ALG. This can
help you to troubleshoot any problems.
ALG Functions
When you use an H.323-ALG, your XTM device:
- Routes traffic for VoIP applications
- Opens the ports necessary to make and receive calls, and to exchange audio and video media
- Makes sure that VoIP connections use standard H.323 protocols
- Generates log messages for auditing purposes
Many VoIP devices and servers use NAT (Network Address Translation) to open and close ports
automatically. The H.323 and SIP ALGs also perform this function. You must disable NAT on your
VoIP devices if you configure an H.323 or SIP ALG.
To change the ALG definition, from the Firewall Policies / Edit page, you can modify the definition.
This page is separated into several tabs: Settings, Application Control, Traffic Management,
Proxy Action, Scheduling, and Advanced.
For more information on how to add a proxy to your configuration, see Add a Proxy Policy to Your
Configuration on page 640.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
- Connections are: Specify whether connections are Allowed, Denied, or Denied (send
reset), and define who appears in the From and To lists (on the Policy tab of the proxy definition).
See Set Access Rules for a Policy on page 629.
- Use policy-based routing: See Configure Policy-Based Routing on page 631.
- You can also configure static NAT or configure server load balancing. See Configure Static
NAT on page 271 and Configure Server Load Balancing on page 275.
- To define the logging settings for the policy, configure the settings in the Logging section.
For more information, see Set Logging and Notification Preferences on page 882.
- If you set the Connections are drop-down list to Denied or Denied (send reset), you can
block sites that try to use H.323.
For more information, see Block Sites Temporarily with Policy Settings on page 852.
- To change the idle timeout that is set by the XTM device or authentication server, see Set a
Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to
use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action in v11.8.x and Lower and Add a Traffic Management Action to
a Policy on page 828.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action in v11.8.x and Lower on page 827.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 643.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 643.
3. Click Save.
For the H.323-ALG, you can configure these categories of settings for a proxy action:
- H.323-ALG: General Settings
- H.323-ALG: Access Control
- H.323-ALG: Denied Codecs
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 623.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
- Apply NAT Rules on page 636
- Set the Sticky Connection Duration for a Policy on page 636
- Set ICMP Error Handling on page 636
- Enable QoS Marking or Prioritization Settings for a Policy on page 810
H.323-ALG: General Settings
On the Edit page for an H.323-ALG, on the Proxy Action tab, on the General tab, you can set
security and performance options for the H.323-ALG (Application Layer Gateway).
Enable directory harvesting protection
Select this check box to prevent attackers from stealing user information from
VoIP gatekeepers protected by your XTM device. This option is enabled by default.
Set the maximum number of sessions allowed per call
Use this feature to restrict the maximum number of audio or video sessions that can be created
with a single VoIP call. For example, if you set the maximum number of sessions to one and
participate in a VoIP call with both audio and video, the second connection is dropped. The
default value is two sessions, and the maximum value is four sessions. The XTM device
creates a log message when it denies a media session above this number.
User agent information
To have outgoing H.323 traffic identify as a client you specify, in the Rewrite user agent as
text box, type a new user agent string. To remove the false user agent, clear the text box.
Idle media channels
When no data is sent for a specified amount of time on a VoIP audio, video, or data channel,
your XTM device closes that network connection. The default value is 180 seconds (three
minutes) and the maximum value is 3600 seconds (sixty minutes).
To specify a different time interval, in the Idle media channels text box, type or select the
amount of time in seconds.
Enable logging for reports
To send a log message for each connection request managed by the H.323-ALG, select this
check box. This option is necessary to create accurate reports on H.323 traffic.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
- Error
- Warning
- Information
- Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page
878.
H.323-ALG: Access Control
On the Edit page for an H.323-ALG, on the Proxy Action tab, on the Access Control tab, you can
create a list of users who are allowed to send VoIP network traffic.
Enable access control for VoIP
Select this check box to enable the access control feature. When enabled, the H.323-ALG
allows or restricts calls based on the options you set.
Default Settings
To enable all VoIP users to start calls by default, select the Start VoIP calls check box.
To enable all VoIP users to receive calls by default, select the Receive VoIP calls check box.
To create a log message for each H.323 VoIP connection started or received, select the
adjacent Log check box.
Access Levels
To create an exception to the default settings you specified, in the Address of Record text
box, type the address that appears in the TO and FROM headers of the packet for the
exception. This is usually an H.323 address in the format user@domain, such as
myuser@example.com.
From the Access Levels drop-down list, select an access level and click Add.
You can allow users to Start calls only, Receive calls only, Start and receive calls, or give
them No VoIP access. These settings apply only to H.323 VoIP traffic.
To delete an exception, select it in the list and click Remove.
Connections made by users who have an access level exception are logged by default. If you
do not want to log connections made by a user with an access level exception, clear the Log
check box adjacent to the exception name in the list.
H.323-ALG: Denied Codecs
You can use the H.323-ALG Denied Codecs feature to specify one or more VoIP voice, video, or data
transmission codecs to deny on your network. When an H.323 VoIP connection is opened that uses a
codec specified in this list, your XTM device reads the value from the H.323 header in the "a=rtpmap"
field and strips the codec information from the connection negotiation.
The Denied Codecs list is empty by default. We recommend that you add a codec to this list if the
codec:
- Consumes too much bandwidth and causes excessive data usage across trunks or between
network elements
- Presents a security risk
- Is not necessary for your VoIP solution to operate correctly
For example, you might choose to deny the G.711 or G.726 codecs because they use more than 32
Kb/sec of bandwidth, or you might choose to deny the Speex codec because it is used by an
unauthorized VoIP application.
For a list of codecs and the name or text pattern associated with each codec, see
http://www.iana.org/assignments/rtp-parameters/rtp-parameters.xml. When you add a codec to the
Denied Codecs list, make sure to specify the value in the Encoding Name column for that codec.
To configure the denied codecs settings for an H.323-ALG:
1. On the Proxy Action tab, select the Denied Codecs tab.
The Denied Codecs settings appear.
2. To add a codec to the list, in the Denied Codecs text box, type the codec name or unique text
pattern.
Do not use wildcard characters or regular expression syntax. Codec patterns are case
sensitive.
3. Click Add.
4. To delete a codec from the list, select the codec and click Remove.
5. To create a log message when your XTM device strips the codec information from H.323 traffic
that matches a codec in this list, select the Log each transaction that matches a denied
codec pattern check box.
6. Click Save.
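The Access Control decision (defaults plus Address of Record exceptions) and the Denied Codecs stripping from the two H.323-ALG topics above, as one added Python example that is not Fireware code. The addresses of record, access levels, denied list and the "a=rtpmap" media description are constructed; codec matching is exact and case-sensitive on the IANA Encoding Name, as the guide requires, so "Speex" does not match the registered name "speex".

```python
"""Access control decision and denied-codec stripping for an H.323-ALG.

Added example, not Fireware code. Addresses, levels, the denied list and the
media description are constructed; matching on the codec name is exact and
case-sensitive, as the guide requires.
"""
import re
from dataclasses import dataclass, field

# The four access levels named in the guide.
START_ONLY = "Start calls only"
RECEIVE_ONLY = "Receive calls only"
START_AND_RECEIVE = "Start and receive calls"
NO_ACCESS = "No VoIP access"


@dataclass
class AccessControl:
    enabled: bool = True
    default_start: bool = True       # "Start VoIP calls" default check box
    default_receive: bool = True     # "Receive VoIP calls" default check box
    exceptions: dict = field(default_factory=dict)  # Address of Record -> level


def call_allowed(ac, address_of_record, direction):
    """direction is 'start' (address is the caller) or 'receive' (the callee).
    An exception for the address overrides the defaults; otherwise the
    default check boxes decide."""
    if not ac.enabled:
        return True
    level = ac.exceptions.get(address_of_record)
    if level is None:
        return ac.default_start if direction == "start" else ac.default_receive
    if level == NO_ACCESS:
        return False
    if level == START_AND_RECEIVE:
        return True
    return level == (START_ONLY if direction == "start" else RECEIVE_ONLY)


# a=rtpmap:<payload type> <encoding name>/<clock rate>[/<channels>]
RTPMAP = re.compile(r"^a=rtpmap:(\d+) ([^/\r\n]+)/")

# Constructed media description; PCMU/PCMA are the G.711 encoding names.
CONSTRUCTED_SDP = "\r\n".join([
    "v=0",
    "m=audio 49170 RTP/AVP 0 8 97 98",
    "a=rtpmap:0 PCMU/8000",
    "a=rtpmap:8 PCMA/8000",
    "a=rtpmap:97 speex/8000",
    "a=rtpmap:98 G726-32/8000",
    "a=fmtp:97 mode=any",
])


def strip_denied_codecs(sdp, denied_codecs):
    """Remove a=rtpmap (and matching a=fmtp) lines whose encoding name is in
    the denied list, exact and case-sensitive, and drop those payload types
    from the m= line. Returns (rewritten sdp, list of stripped names), the
    second of which is what a per-transaction log message would record."""
    denied = set(denied_codecs)
    stripped_pt, stripped_names, kept = set(), [], []
    for line in sdp.splitlines():
        m = RTPMAP.match(line)
        if m and m.group(2) in denied:
            stripped_pt.add(m.group(1))
            stripped_names.append(m.group(2))
            continue
        kept.append(line)
    out = []
    for line in kept:
        if line.startswith("a=fmtp:"):
            pt = line.split(":", 1)[1].split(" ", 1)[0]
            if pt in stripped_pt:
                continue
        if line.startswith("m="):
            fields = line.split(" ")   # m=<media> <port> <proto> <fmt> ...
            line = " ".join(fields[:3] + [f for f in fields[3:] if f not in stripped_pt])
        out.append(line)
    return "\r\n".join(out), stripped_names
```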
About the HTTP-Proxy
Hypertext Transfer Protocol (HTTP) is a request/response protocol between clients and servers. The
HTTP client is usually a web browser. The HTTP server is a remote resource that stores HTML files,
images, and other content. When the HTTP client starts a request, it establishes a TCP (Transmission
Control Protocol) connection on Port 80. An HTTP server listens for requests on Port 80. When it
receives the request from the client, the server replies with the requested file, an error message, or
some other information.
The HTTP-proxy is a high-performance content filter. It examines Web traffic to identify suspicious
content that can be a virus or other type of intrusion. It can also protect your HTTP server from attacks.
With an HTTP-proxy filter, you can:
- Adjust timeout and length limits of HTTP requests and responses to prevent poor network
performance, as well as several attacks.
- Customize the deny message that users see when they try to connect to a web site blocked by
the HTTP-proxy.
- Filter web content MIME types.
- Block specified path patterns and URLs.
- Deny cookies from specified web sites.
You can also use the HTTP-proxy with the WebBlocker security subscription. For more information,
see About WebBlocker on page 1315.
To enable your users to download Windows updates through the HTTP-proxy, you must change your
HTTP-proxy settings. For more information, see Enable Windows Updates Through the HTTP-Proxy.
The TCP/UDP proxy is available for protocols on non-standard ports. When HTTP uses a port other
than Port 80, the TCP/UDP proxy sends the traffic to the HTTP-proxy. For more information on the
TCP/UDP proxy, see About the TCP-UDP-Proxy on page 796.
To add the HTTP-proxy to your XTM device configuration, see Add a Proxy Policy to Your
Configuration on page 640.
If you must change the proxy definition, from the Firewall Policies / Edit page, you can modify the
definition. This page is separated into several tabs: Settings, Application Control, Traffic
Management, Proxy Action, Scheduling, and Advanced.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
- Connections are: Specify whether connections are Allowed, Denied, or Denied (send
reset), and define who appears in the From and To lists (on the Policy tab of the proxy definition).
See Set Access Rules for a Policy on page 629.
- Use policy-based routing: See Configure Policy-Based Routing on page 631.
- You can also configure static NAT or configure server load balancing. See Configure Static
NAT on page 271 and Configure Server Load Balancing on page 275.
- To define the logging settings for the policy, configure the settings in the Logging section.
For more information, see Set Logging and Notification Preferences on page 882.
- If you set the Connections are drop-down list to Denied or Denied (send reset), you can
block sites that try to use HTTP.
For more information, see Block Sites Temporarily with Policy Settings on page 852.
- To change the idle timeout that is set by the XTM device or authentication server, see Set a
Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to
use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action in v11.8.x and Lower and Add a Traffic Management Action to
a Policy on page 828.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action in v11.8.x and Lower on page 827.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 643.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 643.
3. Click Save.
For the HTTP-proxy, you can configure these categories of settings for a proxy action:
n HTTP Request: General Settings on page 703
n HTTP Request: Request Methods on page 706
n HTTP Request: URL Paths on page 709
n HTTP Request: Header Fields on page 709
n HTTP Request: Authorization on page 710
n HTTP Response: General Settings on page 711
n HTTP Response: Header Fields on page 712
n HTTP Response: Content Types on page 713
n HTTP Response: Cookies on page 715
n HTTP Response: Body Content Types on page 716
n Use a Caching Proxy Server on page 723
n HTTP-Proxy: Exceptions on page 716
n HTTP-Proxy: Data Loss Prevention
n HTTP-Proxy: Deny Message on page 718
n HTTP-Proxy: Proxy and AV Alarms on page 720
n HTTP-Proxy: APT Blocker
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 623.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
n Apply NAT Rules on page 636
n Set the Sticky Connection Duration for a Policy on page 636
n Set ICMP Error Handling on page 636
n Enable QoS Marking or Prioritization Settings for a Policy on page 810
HTTP Request: General Settings
On the Edit page for an HTTP-proxy action, on the HTTP Request > General Settings page, you can
set basic HTTP parameters, such as the idle timeout and the maximum URL path length.
Set the connection idle timeout to
This option controls performance.
To close the TCP socket for the HTTP connection when no packets have passed through the
TCP socket in the amount of time you specify, select the Set the connection idle timeout to
check box. In the adjacent text box, type or select the number of minutes before the proxy times
out.
Because every open TCP session uses a small amount of memory on the XTM device, and
browsers and servers do not always close HTTP sessions cleanly, we recommend that you
keep this check box selected. This makes sure that stale TCP connections are closed and
helps the XTM device save memory. You can lower the timeout to five minutes without a
reduction in performance.
Set the maximum URL path length to
To set the maximum number of characters allowed in a URL, select the Set the maximum
URL path length to check box.
In this area of the proxy, URL includes anything in the web address after the top-level domain.
This includes the slash character but not the host name (www.myexample.com or
myexample.com). For example, the URL www.myexample.com/products counts nine
characters toward this limit because /products has nine characters.
The default value of 2048 is usually enough for any URL requested by a computer behind your
XTM device. A very long URL can indicate an attempt to compromise a web server. The
minimum length is 15 bytes. We recommend that you keep this setting enabled with the default
value. This helps protect against infected web clients on the networks that the HTTP-proxy
protects.
Allow range requests through unmodified
To allow range requests through the XTM device, select this check box. Range requests allow a
client to request subsets of the bytes in a web resource instead of the full content. For example,
if you want only some sections of a large Adobe PDF file but not the whole file, the download
completes more quickly and does not fetch unnecessary pages if you can request only what you
need.
Range requests introduce security risks. Malicious content can hide anywhere in a file, and a
range request makes it possible for any content to be split across range boundaries. The proxy
can fail to see a pattern it is looking for when the file spans two GET operations.
We recommend that you do not select this check box if the rules you add in the Body Content
Types section of the proxy are designed to identify byte signatures deep in a file, instead of just
in the file header.
To add a traffic log message when the proxy takes the action indicated in the check box for
range requests, select the Log this action check box.
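The following Python example is added to this guide to illustrate the two checks described above; it is not WatchGuard code and does not reflect the Fireware implementation. It assumes that the URL path count covers the path and any query string after the host name (the guide only says that the slash is counted and the host name is not), and it uses a constructed 64-byte file with a made-up signature to show why a byte signature that straddles two Range responses is not seen by a scanner that inspects each response on its own.

```python
"""Added example, not WatchGuard code: two checks from the HTTP Request >
General Settings page, modelled on this guide's description only.

url_path_length() counts the part of a URL after the host name (slash
included, host excluded) and compares it with the configured limit.
scan_each_response() and scan_reassembled() show why "Allow range requests
through unmodified" weakens body-content scanning: a byte signature that
straddles two Range responses is invisible when each response is
inspected on its own.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

DEFAULT_MAX_URL_PATH = 2048   # default limit named in the guide
MIN_URL_PATH_LIMIT = 15       # smallest value the setting accepts

_HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def url_path_length(url: str) -> int:
    """Number of characters after the host name.

    Assumption: the count covers the path and any query string, which is
    what follows the host in the request line.
    """
    if not _HAS_SCHEME.match(url):
        url = "http://" + url
    parts = urlsplit(url)
    target = parts.path
    if parts.query:
        target += "?" + parts.query
    return len(target)


def url_path_allowed(url: str, limit: int = DEFAULT_MAX_URL_PATH) -> bool:
    """True if the URL is within the configured maximum path length."""
    if limit < MIN_URL_PATH_LIMIT:
        raise ValueError(f"limit must be at least {MIN_URL_PATH_LIMIT} bytes")
    return url_path_length(url) <= limit


# Constructed sample download: 64 bytes with a made-up 10-byte signature
# at offsets 27..36. Neither the bytes nor the signature are real malware.
SIGNATURE = b"EVIL-MARK!"
SAMPLE_FILE = b"A" * 27 + SIGNATURE + b"B" * 27

Range = Tuple[int, int]   # (first, last), inclusive, as in "Range: bytes=0-31"


def serve_range(body: bytes, rng: Range) -> bytes:
    """The partial body a server returns for one Range request."""
    first, last = rng
    return body[first:last + 1]


def scan_each_response(body: bytes, ranges: List[Range]) -> bool:
    """What the proxy sees when range requests pass through unmodified:
    every partial response is scanned separately. Returns True only if
    the whole signature appears inside a single response."""
    return any(SIGNATURE in serve_range(body, rng) for rng in ranges)


def scan_reassembled(body: bytes, ranges: List[Range]) -> bool:
    """Scan of the parts joined in offset order, which is equivalent to
    what a single full GET gives the proxy."""
    joined = b"".join(serve_range(body, rng) for rng in sorted(ranges))
    return SIGNATURE in joined


def split_at(body: bytes, offset: int) -> List[Range]:
    """Two contiguous ranges that split the body at the given offset."""
    return [(0, offset - 1), (offset, len(body) - 1)]


if __name__ == "__main__":
    print(url_path_length("www.myexample.com/products"))    # 9
    evasive = split_at(SAMPLE_FILE, 32)                     # cuts the signature
    print(scan_each_response(SAMPLE_FILE, evasive))         # False
    print(scan_reassembled(SAMPLE_FILE, evasive))           # True
```

If range requests pass through unmodified, a Body Content Types rule that looks for a signature past the file header can be defeated simply by splitting the download at the signature, as scan_each_response shows. The scan_reassembled result is what the proxy sees when the client has to request the whole object in one GET.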
Enable YouTube for Schools
To make sure that students can get access to only appropriate content on YouTube through
the school network, schools can enable the Education Filter. With this filter, access to content
on YouTube.com that is not educational is restricted, and only the educational content on
YouTube for Schools is available.
To configure this feature, schools must first contact YouTube to get a unique School ID
code. Then select the Enable YouTube for Schools check box and type or paste the unique
School ID code in the School ID text box.
When you configure this option, the X-YouTube-Edu-Filter is added to the HTTP request as a
header rule and includes the School ID code in this format:
X-YouTube-Edu-Filter:<SchoolIDCode>
For example:
X-YouTube-Edu-Filter:ABCD1234567890abcdef
If this text does not appear in the HTTP request header, YouTube for Schools is not properly
enabled and content is not restricted.
Enforce safe search for major search engines such as Google, Bing, Yahoo and YouTube
To enable the HTTP-Client proxy action to enforce Safe Search for search engines, select the
Enforce safe search for major search engines such as Google, Bing, Yahoo and
YouTube check box.
Safe Search is a feature of web search engines that enables users to specify what level of
potentially inappropriate content can be returned in search results. When you enable Safe
Search in the HTTP-Client proxy action, the strictest level of Safe Search rules is enforced
regardless of the settings configured in the client web browser or search engine.
Enable logging for reports
To create a traffic log message for each transaction, select this check box. This option creates
a large log file, but this information can be very important if your firewall is attacked. If you do
not select this check box, you do not see detailed information about HTTP-proxy connections in
reports.
To generate log messages for both Web Audit and WebBlocker reports, you must select this
option.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
n Error
n Warning
n Information
n Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page
878.
HTTP Request: Request Methods
Most browser HTTP requests are in one of two categories: GET or POST operations. Browsers usually
use GET operations to download objects such as a graphic, HTML data, or Flash data. More than one
GET is usually sent by a client computer for each page, because web pages usually contain many
different elements. The elements are put together to make a page that appears as one page to the end
user.
Browsers usually use POST operations to send data to a web site. Many web pages get information
from the end user, such as location, email address, and name. If you disable the POST command, the
XTM device denies all POST operations to web servers on the external network. This feature can
prevent your users from sending information to a web site on the external network.
Web-based Distributed Authoring and Versioning (WebDAV) is a set of HTTP extensions that allows
users to edit and manage files on remote web servers. WebDAV is compatible with Outlook Web
Access (OWA). If WebDAV extensions are not enabled, the HTTP-proxy supports these request
methods: HEAD, GET, POST, OPTIONS, PUT, and DELETE. For HTTP-Server, the proxy supports
these request methods by default: HEAD, GET, and POST. The proxy also includes these options
(disabled by default): OPTIONS, PUT, and DELETE.
1. On the Edit page for the proxy, select the Proxy Action tab.
The proxy action settings appear.
2. From the HTTP Request drop-down list, select Request Methods.
The Request Methods settings appear.
3. To enable your users to use these extensions, select the Enable webDAV check box.
Many extensions to the base WebDAV protocol are also available. If you enable WebDAV, from
the drop-down list, select whether you want to enable only the extensions described in RFC
2518 or if you want to include an additional set of extensions to maximize interoperability.
4. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
5. To change settings for another category in this proxy, see the topic for that category.
6. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Request: URL Paths
A URL (Uniform Resource Locator) identifies a resource on a remote server and gives the network
location on that server. The URL path is the string of information that comes after the top-level domain
name. You can use the HTTP-proxy to block web sites that contain specified text in the URL path. You
can add, delete, or modify URL path patterns.
To use the HTTP request proxy action to block content based on patterns in URL paths, you must edit
the HTTP Request category of the HTTP proxy action and specify the URL path patterns for the
content you want to block. For example:
n To block all pages that have the host name www.example.net, type www.example.net/*.
n To block all paths that contain the word sex on all web sites, type *sex*.
n To block URL paths that end in .exe on all web sites, type *.exe.
If you filter URLs with the HTTP request URL path ruleset, you must configure a
complex pattern that uses full regular expression syntax from the advanced view of a
ruleset. It is easier, and gives better results, to filter based on header or body content
type than to filter by URL path.
To block web sites with specific text in the URL path:
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the HTTP Request drop-down list, select URL Paths.
The URL Paths settings appear.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Request: Header Fields
This ruleset supplies content filtering for the full HTTP header. By default, the HTTP-proxy uses exact
matching rules to strip the Via and From headers, and allows all other headers. This ruleset matches the
full header line, not only the header name.
To match all values of a header, type the pattern: [header name]:*. To match only some values of a
header, replace the asterisk (*) wildcard with a pattern. If your pattern does not start with an asterisk (*)
wildcard, include one space between the colon and the pattern when you type in the Pattern text box.
For example, type: [header name]: [pattern], not [header name]:[pattern].
The default rules do not strip the Referer header, but do include a disabled rule to strip this header. To
enable the rule to strip the header, select Change View. Some web browsers and software
applications must use the Referer header to operate correctly, so test before you enable this rule.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the HTTP Request drop-down list, select Header Fields.
The Header Fields settings appear.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Request: Authorization
This ruleset sets the criteria for content filtering of the HTTP request Authorization header. When a
web server starts a WWW-Authenticate challenge, it sends information about which authentication
methods it can use. The proxy puts limits on the type of authentication sent in a request, and passes
only the authentication methods that the web server accepts. With a default configuration, the XTM device
allows Basic, Digest, NTLM, and Passport1.4 authentication, and strips all other authentication. You
can add, delete, or modify rules in the default ruleset.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the HTTP Request drop-down list, select Authorization.
The Authorization settings appear.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
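This Python example is added here, and is not WatchGuard code, to show how the three HTTP Request rulesets described above (URL Paths, Header Fields, and Authorization) behave when applied to a constructed request. The rule order and the default rules (strip Via and From, a disabled Referer rule, and the four allowed authentication schemes) follow this guide's text; matching a URL path pattern against the host name plus the path is an assumption made so that the www.example.net/* example can work, and the sample headers and token are constructed.

```python
"""Added example, not WatchGuard code: a small rule engine that behaves the
way this guide describes the HTTP Request rulesets URL Paths, Header
Fields and Authorization. Patterns use the '*' wildcard from the guide
(implemented with fnmatch); rule structure and defaults are modelled on
the text, not on the Fireware configuration format.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

ALLOW, DENY, STRIP = "allow", "deny", "strip"


@dataclass
class Rule:
    pattern: str
    action: str
    enabled: bool = True


def first_match(value: str, rules: List[Rule]) -> Optional[Rule]:
    """First enabled rule whose pattern matches value, in ruleset order."""
    for rule in rules:
        if rule.enabled and fnmatchcase(value, rule.pattern):
            return rule
    return None


# URL Paths: the guide's three examples. Assumption: the pattern is
# matched against host name + path, so that "www.example.net/*" can match.
URL_PATH_RULES = [
    Rule("www.example.net/*", DENY),
    Rule("*sex*", DENY),
    Rule("*.exe", DENY),
]


def url_path_action(host: str, path: str, rules=URL_PATH_RULES) -> str:
    """Action for a request; no matching rule means the request is allowed."""
    rule = first_match(host + path, rules)
    return rule.action if rule else ALLOW


# Header Fields default ruleset from the guide: strip Via and From, keep a
# Referer rule present but disabled, allow everything else.
HEADER_RULES = [
    Rule("Via:*", STRIP),
    Rule("From:*", STRIP),
    Rule("Referer:*", STRIP, enabled=False),
]

# Authorization ruleset: these schemes are allowed, all others stripped.
# A pattern that does not start with '*' needs the space after the colon.
AUTH_RULES = [
    Rule("Authorization: Basic *", ALLOW),
    Rule("Authorization: Digest *", ALLOW),
    Rule("Authorization: NTLM *", ALLOW),
    Rule("Authorization: Passport1.4 *", ALLOW),
]

Header = Tuple[str, str]


def filter_headers(headers: List[Header]) -> Tuple[List[Header], List[str]]:
    """Apply both rulesets to (name, value) request headers.

    Returns the headers to forward and the header lines that were
    stripped. Names are canonicalised (Title-Case) before matching so the
    patterns work regardless of the case the client used. The general
    ruleset defaults to allow; the Authorization ruleset defaults to strip.
    """
    kept, stripped = [], []
    for name, value in headers:
        line = f"{name.title()}: {value}"
        if name.lower() == "authorization":
            rule = first_match(line, AUTH_RULES)
            action = rule.action if rule else STRIP
        else:
            rule = first_match(line, HEADER_RULES)
            action = rule.action if rule else ALLOW
        if action == STRIP:
            stripped.append(line)
        else:
            kept.append((name, value))
    return kept, stripped


# Constructed request headers for the example; the token is not real.
SAMPLE_HEADERS = [
    ("Host", "www.example.com"),
    ("User-Agent", "ExampleBrowser/1.0"),
    ("via", "1.1 upstream-cache"),
    ("From", "someone@example.com"),
    ("Referer", "http://www.example.com/start"),
    ("Authorization", "Bearer example-token-not-real"),
]

if __name__ == "__main__":
    print(url_path_action("www.example.com", "/downloads/setup.exe"))  # deny
    kept, stripped = filter_headers(SAMPLE_HEADERS)
    print([n for n, _ in kept])   # ['Host', 'User-Agent', 'Referer']
    print(stripped)
```

Note what the default Authorization ruleset does to a client that sends Authorization: Bearer ...: the header is stripped, because only Basic, Digest, NTLM, and Passport1.4 are allowed. If API clients or single sign-on web applications behind the proxy use bearer tokens, add an allow rule for that scheme to the ruleset rather than removing the ruleset.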
HTTP Response: General Settings
On the General Settings page, you can configure basic HTTP parameters such as the idle timeout, and
limits for line and total header length.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the HTTP Response drop-down list, select General Settings.
The General Settings page appears.
3. To set limits for HTTP parameters, select the applicable check boxes. Type or select a value for
the limits.
Set the timeout to
Controls how long the HTTP-proxy waits for the web server to send the web page. When a
user clicks a hyperlink or types a URL in a web browser, it sends an HTTP request to a
remote server to get the content. In most browsers, a message similar to Contacting site...
appears in the status bar. If the remote server does not respond, the HTTP client continues
to send the request until it receives an answer or until the request times out. During this
time, the HTTP-proxy continues to monitor the connection and uses valuable network
resources.
Set the maximum line length to
Controls the maximum allowed length of a line of characters in HTTP response headers.
Use this property to protect your computers from buffer overflow exploits. Because URLs
for many commerce sites continue to increase in length over time, and response headers
such as Location carry those URLs, you may need to adjust this value in the future.
Set the maximum total length to
Controls the maximum total length of the HTTP response headers. If the total header length is
more than this limit, the HTTP response is denied.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Response: Header Fields
This ruleset controls which HTTP response header fields the XTM device allows. You can add, delete,
or modify rules. Many of the HTTP response headers that are allowed in the default configuration are
described in RFC 2616. For more information, see http://www.ietf.org/rfc/rfc2616.txt.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the HTTP Response drop-down list, select Header Fields.
The Header Fields settings appear.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Response: Content Types
When a web server sends an HTTP response, it usually adds a MIME type, or content type, to the
response header that shows what kind of content is in the body. The Content-Type header on the data
stream carries this MIME type. It is added before the data is sent.
Certain kinds of content that users request from web sites can be a security threat to your network.
Other kinds of content can decrease the productivity of your users. By default, the XTM device allows
some safe content types, and denies MIME content that has no specified content type. The HTTP-
proxy includes a list of commonly used content types that you can add to the ruleset. You can also
add, delete, or modify the definitions.
The format of a MIME type is type/subtype. For example, if you want to allow JPEG images, you
add image/jpeg to the proxy definition. You can also use the asterisk (*) as a wildcard. To allow
any image format, you add image/*.
For a list of current, registered MIME types, see http://www.iana.org/assignments/media-types.
Add, Delete, or Modify Content Types
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the HTTP Response drop-down list, select Content Types.
The Content Types settings appear.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
Allow Web Sites with a Missing Content Type
By default, the XTM device denies MIME content that has no specified content type. In most cases,
we recommend that you keep this default setting. Sites that do not supply legitimate MIME types in
their HTTP responses do not follow RFC recommendations and could pose a security risk. However,
some organizations need their employees to get access to web sites that do not have a specified
content type.
You must make sure that you change the proxy action used by the correct policy or policies. You can
apply the change to any policy that uses an HTTP-Client proxy action. This could be an HTTP-proxy
policy, the Outgoing policy (which also applies an HTTP-Client proxy action), or the TCP-UDP policy.
To allow web sites with a missing content type:
1. In the Content Types list, select the Enabled check box adjacent to the Allow (none) rule.
2. Click Save.
HTTP Response: Cookies
HTTP cookies are small pieces of alphanumeric text that web servers put on web clients. Cookies
carry state, such as a session identifier, so that a web server can associate a series of requests from
the same client and send the correct pages in sequence. Web servers also use cookies to collect
information about an end user. Many web sites use cookies for authentication and other legitimate
functions, and cannot operate correctly without cookies.
The HTTP-proxy gives you control of the cookies in HTTP responses. You can configure rules to strip
cookies, based on your network requirements. The default rule for the HTTP-Server and HTTP-Client
proxy actions allows all cookies. You can add, delete, or modify rules.
The proxy looks for cookies based on the domain associated with the cookie. The domain can be
specified in the cookie. If the cookie does not contain a domain, the proxy uses the host name in the
first request. For example, to block all cookies for nosy-adware-site.com, use the pattern:
*.nosy-adware-site.com. If you want to deny cookies from all subdomains on a web site, use the
wildcard symbol (*) before and after the domain. For example, *example.com* blocks all subdomains
of example.com, such as images.example.com and mail.example.com.
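The following Python example is added to illustrate the Content Types and Cookies rulesets described above; it is not WatchGuard code. The content-type allowlist is a short stand-in for the device's default list, the Allow (none) rule is shown disabled as the guide describes, and the cookie domain is taken from the cookie's Domain attribute or, when there is none, from the request host name. The sample response headers and Set-Cookie values are constructed.

```python
"""Added example, not WatchGuard code: models the HTTP Response rulesets
Content Types and Cookies as this guide describes them. The content-type
allowlist is a short stand-in for the device's default list; the cookie
patterns are the guide's two examples. Sample data is constructed.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# (pattern, action, enabled); first enabled match wins, no match -> deny.
ContentTypeRule = Tuple[str, str, bool]

CONTENT_TYPE_RULES: List[ContentTypeRule] = [
    ("text/html", "allow", True),
    ("text/plain", "allow", True),
    ("image/*", "allow", True),        # wildcard form from the guide
    ("(none)", "allow", False),        # "Allow (none)" rule, off by default
]


def media_type(content_type: Optional[str]) -> str:
    """Reduce 'image/jpeg; charset=...' to 'image/jpeg'; no header -> '(none)'."""
    if content_type is None or not content_type.strip():
        return "(none)"
    return content_type.split(";", 1)[0].strip().lower()


def content_type_action(headers: Dict[str, str],
                        rules: List[ContentTypeRule] = CONTENT_TYPE_RULES) -> str:
    """Action for a response, given its headers keyed by lower-case name."""
    mt = media_type(headers.get("content-type"))
    for pattern, action, enabled in rules:
        if enabled and fnmatchcase(mt, pattern):
            return action
    return "deny"


def allow_missing_content_type(rules: List[ContentTypeRule]) -> List[ContentTypeRule]:
    """Copy of a ruleset with the Allow (none) rule enabled."""
    return [(p, a, True if p == "(none)" else e) for p, a, e in rules]


# Cookie patterns from the guide: one domain, and all of example.com.
COOKIE_STRIP_PATTERNS = ["*.nosy-adware-site.com", "*example.com*"]


def cookie_domain(set_cookie: str, request_host: str) -> str:
    """Domain the proxy associates with a cookie: the Domain attribute if
    the cookie has one, otherwise the host name from the first request."""
    for attr in set_cookie.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        if key.lower() == "domain" and val.strip():
            return val.strip().lower()
    return request_host.lower()


def filter_set_cookies(set_cookies: List[str], request_host: str,
                       patterns: List[str] = COOKIE_STRIP_PATTERNS) -> List[str]:
    """Drop every Set-Cookie header whose domain matches a strip pattern."""
    return [sc for sc in set_cookies
            if not any(fnmatchcase(cookie_domain(sc, request_host), p)
                       for p in patterns)]


# Constructed sample response data for a request to www.shop.test.
SAMPLE_RESPONSE_HEADERS = {"content-type": "image/jpeg"}
SAMPLE_SET_COOKIES = [
    "session=abc123; Path=/; HttpOnly",                 # no Domain: host used
    "track=xyz; Domain=.nosy-adware-site.com; Path=/",  # third-party tracker
    "pref=1; Domain=mail.example.com",
]

if __name__ == "__main__":
    print(content_type_action(SAMPLE_RESPONSE_HEADERS))          # allow
    print(content_type_action({}))                               # deny
    print(filter_set_cookies(SAMPLE_SET_COOKIES, "www.shop.test"))
```

Two caveats on the patterns: *.nosy-adware-site.com matches a Domain attribute of .nosy-adware-site.com and a request host such as www.nosy-adware-site.com, but not a Domain attribute written without the leading dot, while *example.com* also matches unrelated names such as notexample.com. Check a pattern against both forms before you deploy it.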
Change Settings for Cookies
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the HTTP Response drop-down list, select Cookies.
The Cookies settings appear.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Response: Body Content Types
This ruleset gives you control of the content in an HTTP response body. By default, the XTM device is
configured to deny Java bytecode, Zip archives, Windows EXE/DLL files, and Windows CAB files,
which the proxy identifies by their byte signatures rather than by the Content-Type header. The default
proxy action for outgoing HTTP requests (HTTP-Client) allows all other response body content types.
You can add, delete, or modify rules. We recommend that you examine the file types that are used in
your organization and allow only those file types that are necessary for your network.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the HTTP Response drop-down list, select Body Content Types.
The Body Content Types settings appear.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP-Proxy: Exceptions
For certain web sites, you can use HTTP-proxy exceptions to bypass HTTP-proxy rules, but not
bypass the proxy framework. Traffic that matches HTTP-proxy exceptions is still handled by the
HTTP-proxy, but, when a match occurs, some proxy settings are not applied.
Excluded Proxy Settings
These settings are not applied:
n HTTP request: Range requests, URL path length, all request methods, all URL paths,
request headers, authorization pattern matching
n HTTP response: Response headers, content types, cookies, body content types
Request headers and response headers are still parsed by the HTTP-proxy even when the traffic
matches an HTTP-proxy exception. If a parsing error does not occur, all headers are allowed. Antivirus
scanning and WebBlocker are not applied to traffic that matches an HTTP-proxy exception.
Included Proxy Settings
These settings are still applied:
n HTTP request: Idle timeout
n HTTP response: Idle timeout, maximum line length limit, maximum total length limit
All transfer-encoding parsing is still applied to allow the proxy to determine the encoding type. The
HTTP-proxy denies all invalid or malformed transfer encoding.
Define Exceptions
You can add host names or patterns as HTTP-proxy exceptions. For example, if you block all web
sites that end in .test but want to allow your users to go to the site www.example.test, you can add
www.example.test as an HTTP-proxy exception. Because antivirus scanning and WebBlocker are not
applied to traffic that matches an exception, add only the hosts you need.
When you define exceptions, you specify the IP address or domain name of sites to allow. The domain
(or host) name is the part of a URL that ends with a top-level domain such as .com, .net, .org, .biz,
.gov, or .edu. Domain names can also end in a country code, such as .de (Germany) or .jp (Japan).
To add a domain name, type the URL pattern without the leading http://. For example, to allow your
users to go to the Example web site, http://www.example.com, type www.example.com. If you want to
allow all subdomains of example.com, you can use the asterisk (*) as a wildcard character.
For example, to allow users to go to www.example.com and support.example.com, type
*.example.com.
1. On the Edit Proxy Action page, select the HTTP Proxy Exceptions tab.
The HTTP Proxy Exceptions settings appear.
2. In the text box, type the host name or host name pattern. Click Add.
3. Repeat this process to add more exceptions.
4. To add a traffic log message each time the HTTP-proxy takes an action on a proxy exception,
select the Log each transaction that matches an HTTP proxy exception check box.
5. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
6. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP-Proxy: Deny Message
When content is denied, the XTM device sends a default deny message that replaces the denied
content. You can change the text of that deny message. You can customize the deny message with
standard HTML. You can also use Unicode (UTF-8) characters in the deny message. The first line of
the deny message is a component of the HTTP header. You must include an empty line between the
first line and the body of the message.
You get a deny message in your web browser from the XTM device when you make a request that the
HTTP-proxy does not allow. You also get a deny message when your request is allowed, but the
HTTP-proxy denies the response from the remote web server. For example, if a user tries to download
an .exe file and you have blocked that file type, the user sees a deny message in the web browser. If
the user tries to download a web page that has an unknown content type and the proxy policy is
configured to block unknown MIME types, the user sees a deny message in the web browser.
The default deny message text and HTML code appear in the Deny Message text box. To change this
to a custom message, scroll to the <body> element of the message code and add any of these
variables:
%(transaction)%
Expands to Request or Response, to show which side of the transaction caused the packet to be
denied.
This variable also appears in the <title> element of the deny message.
%(reason)%
Includes the reason the XTM device denied the content.
%(method)%
Includes the request method from the denied request.
%(url-host)%
Includes the server host name from the denied URL. If no host name was included, the IP
address of the server is included.
%(url-path)%
Includes the path component of the denied URL.
%(serial)%
Includes the serial number of the XTM device in the deny message.
%(firewall)%
Includes the XTM device name in the deny message.
When you change the Deny Message, make sure that the opening <html> and <body> tags and the
closing </body> and </html> tags are still included in the Deny Message. If the tags are not included,
the default Deny Message is displayed instead of the message you specify.
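This Python example is added to show how a deny message that uses the variables above can be rendered and checked; it is not WatchGuard code, and the default message text in it is constructed for the example rather than the message shipped with the device. The first line is treated as a header line, a blank line must follow it, the <html> and <body> tags must be present for the custom message to be used, and substituted values are HTML-escaped because the URL host and path come from the client's request.

```python
"""Added example, not WatchGuard code: renders a deny message the way this
guide describes it. The first line is a header line, an empty line
separates it from the HTML body, %(name)% variables are substituted, and
a message that lost its <html>/<body> tags falls back to the default.
The default text below is constructed; it is not the device's message.
"""
import html
import re
from typing import Dict

VARIABLES = ("transaction", "reason", "method", "url-host", "url-path",
             "serial", "firewall")   # the variables listed in the guide

REQUIRED_TAGS = ("<html>", "<body>", "</body>", "</html>")

DEFAULT_DENY_MESSAGE = (
    "Content-Type: text/html\n"   # constructed header line
    "\n"
    "<html><head><title>%(transaction)% denied</title></head>\n"
    "<body><h1>Request denied</h1>\n"
    "<p>%(transaction)% denied: %(reason)%</p>\n"
    "<p>%(method)% %(url-host)%%(url-path)%</p>\n"
    "<p>Device %(firewall)% (serial %(serial)%)</p>\n"
    "</body></html>\n"
)

_VAR = re.compile(r"%\(([a-z-]+)\)%")


def is_well_formed(template: str) -> bool:
    """Header line, then an empty line, then a body that still has its
    opening and closing html and body tags."""
    lines = template.replace("\r\n", "\n").split("\n")
    if len(lines) < 3 or lines[1] != "":
        return False
    body = "\n".join(lines[2:]).lower()
    return all(tag in body for tag in REQUIRED_TAGS)


def render_deny_message(template: str, values: Dict[str, str]) -> str:
    """Substitute the variables. Unknown names are left in place so a typo
    stays visible; the default message is used when the custom one is not
    well formed. Values are HTML-escaped because the URL path and host
    name come from the client's request."""
    if not is_well_formed(template):
        template = DEFAULT_DENY_MESSAGE

    def substitute(match):
        name = match.group(1)
        if name in VARIABLES and name in values:
            return html.escape(values[name])
        return match.group(0)

    return _VAR.sub(substitute, template)


# Constructed values for a denied download.
SAMPLE_VALUES = {
    "transaction": "Response",
    "reason": "Body content type denied",
    "method": "GET",
    "url-host": "www.example.com",
    "url-path": "/files/setup.exe",
    "serial": "0000000000000",
    "firewall": "edge-fw",
}

if __name__ == "__main__":
    print(render_deny_message(DEFAULT_DENY_MESSAGE, SAMPLE_VALUES))
```

Use is_well_formed on a custom message before you save it: a message that fails the check is silently replaced by the default, which is easy to miss until a user reports the wrong page.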
To configure the Deny Message:
1. On the Proxy Action tab, select the Deny Message tab.
The Deny Message settings appear.
2. In the Deny Message text box, type the deny message.
3. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP-Proxy: Data Loss Prevention
To apply consistent settings for Data Loss Prevention (DLP) content inspection and extraction, you
can associate a DLP configuration with your HTTP-proxy.
From the Edit page for the HTTP-proxy:
1. Select the Proxy Action tab.
2. Select the Data Loss Prevention tab.
3. From the DLP Sensor drop-down list, select a configuration.
4. Click Save.
For more information, see About Data Loss Prevention on page 1440 and Configure Data Loss
Prevention on page 1443.
HTTP-Proxy: Proxy and AV Alarms
You can configure how the HTTP-proxy sends messages for alarm and antivirus events that occur
through the HTTP-proxy. You can define the proxy to send an SNMP trap, a notification to a network
administrator, or both. The notification can either be an email message to a network administrator or a
pop-up window on the management computer.
1. On the Edit page for the proxy action, select the Proxy and AV Alarms tab.
The Proxy and AV Alarms settings appear.
2. Configure the notification settings for the HTTP-proxy action.
For more information, see Set Logging and Notification Preferences on page 882.
3. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP-Proxy: APT Blocker
If you have purchased and enabled the APT Blocker feature on your Firebox or XTM device, you can
enable APT Blocker in the HTTP-proxy to examine web traffic for APT malware.
From the Edit page for the HTTP-proxy:
1. Select the Proxy Action tab.
2. Select the APT Blocker tab.
3. Select the Enable APT Blocker check box.
4. Click Save.
For more information, see About APT Blocker and Configure APT Blocker on page 1386.
Enable Windows Updates Through the HTTP-Proxy
Windows Update servers identify the content they deliver to a computer as a generic binary stream
(such as application/octet-stream), which is blocked by the default HTTP-proxy rules. To allow Windows
updates through the HTTP-proxy, you must edit your HTTP-Client proxy ruleset to add HTTP-proxy
exceptions for the Windows Update servers.
1. Make sure that your XTM device allows outgoing connections on port 443 and port 80.
These are the ports that computers use to contact the Windows Update servers.
2. On the Edit page of the proxy action, select the HTTP Proxy Exceptions category.
3. In the text box, type or paste each of these domains, and click Add after each one:
*.download.windowsupdate.com
*.update.microsoft.com
*.windowsupdate.com
*.windowsupdate.microsoft.com
download.microsoft.com
download.windowsupdate.com
ntservicepack.microsoft.com
support.microsoft.com/kb/885819
update.microsoft.com
windowsupdate.microsoft.com
wustat.windows.com
4. Click Save.
If You Still Cannot Download Windows Updates
If you have more than one HTTP-proxy policy, make sure that you add the HTTP exceptions to the
correct policy and proxy action.
Microsoft does not limit updates to only these domains. Examine your log messages for denied traffic
to a Microsoft-owned domain. Look for any traffic denied by the HTTP-proxy. The log message details
should include the domain. Add any new Microsoft domain to the HTTP-proxy exceptions list, and then
run Windows Update again.
Use a Caching Proxy Server
Because your users can look at the same web sites frequently, a caching proxy server increases the
traffic speed and decreases the traffic volume on the external Internet connections. Although the
HTTP-proxy on the XTM device does not cache content, you can use a caching proxy server with the
HTTP proxy. All XTM device proxy and WebBlocker rules continue to have the same effect.
The XTM device connection with a proxy server is the same as with a client. The XTM device changes
the GET request from GET / HTTP/1.1 to GET www.mydomain.com/ HTTP/1.1 and sends it to the
caching proxy server. The caching proxy server then forwards the request to the web server.
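The rewrite described above is the usual origin-form to absolute-form conversion that a forward caching proxy expects. The functions below are an added example, not Fireware code: to_proxy_request() builds the absolute target from the client's Host header (using the http://host/path form of RFC 7230, which is what the guide's shortened GET www.mydomain.com/ stands for), and to_origin_request() shows what the caching proxy does next when it forwards the request to the web server. The request bytes are constructed.

```python
"""Origin-form <-> absolute-form request rewriting for a caching proxy.

Added example, not Fireware code. It models the GET rewrite the guide
describes using the standard absolute-form request target and the
client's Host header. The sample request is constructed.
"""


def _split_request(raw: bytes):
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    return method, target, version, lines[1:], sep, body


def to_proxy_request(raw: bytes, scheme: str = "http") -> bytes:
    """Rewrite 'GET / HTTP/1.1' + Host header as 'GET http://host/ HTTP/1.1'."""
    method, target, version, headers, sep, body = _split_request(raw)
    if target.startswith(b"http://") or target.startswith(b"https://"):
        return raw  # already in absolute form, nothing to do
    if not target.startswith(b"/"):
        raise ValueError("unsupported request target")
    host = None
    for line in headers:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip()
            break
    if not host:
        raise ValueError("HTTP/1.1 request without a Host header")
    request_line = b" ".join([method, scheme.encode() + b"://" + host + target, version])
    return b"\r\n".join([request_line] + headers) + sep + body


def to_origin_request(raw: bytes) -> tuple:
    """What the caching proxy does next: split the absolute target into
    (host, origin-form request) to send on to the web server."""
    method, target, version, headers, sep, body = _split_request(raw)
    _scheme, _, rest = target.partition(b"://")
    host, _, path = rest.partition(b"/")
    request_line = b" ".join([method, b"/" + path, version])
    return host, b"\r\n".join([request_line] + headers) + sep + body


# Constructed client request as the XTM device would receive it.
CLIENT_REQUEST = b"GET / HTTP/1.1\r\nHost: www.mydomain.com\r\nUser-Agent: demo\r\n\r\n"

if __name__ == "__main__":
    print(to_proxy_request(CLIENT_REQUEST).decode())
```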
Use an External Caching Proxy Server
To set up your HTTP-proxy to work with an external caching proxy server:
1. Configure a proxy server, such as Microsoft Proxy Server 2.0.
2. Select Firewall >Proxy Actions.
3. Double-click the HTTP-Client proxy action used by your HTTP-proxy policy.
The Edit page appears.
4. Select the Use Web Cache Server tab.
The Use Web Cache Server page appears.
5. Select the Use external caching proxy server for HTTP traffic check box.
6. In the IP Address and Port text boxes, type the IP address and port for the external caching
proxy server.
7. To change settings for another category in this proxy, see the topic for that category.
8. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
Use an Internal Caching Proxy Server
You can also use an internal caching proxy server with your XTM device.
To use an internal caching proxy server:
1. Configure the HTTP-proxy action with the same settings as for an external proxy server.
2. In the same HTTP-proxy policy, allow all traffic from the users on your network whose web
requests you want to route through the caching proxy server.
3. Add an HTTP packet filter policy to your configuration.
4. Configure the HTTP packet filter policy to allow traffic from the IP address of your caching
proxy server to the Internet.
5. If necessary, manually move this policy up in your policy list so that it has a higher precedence
than your HTTP-proxy policy.
About the HTTPS-Proxy
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a
request/response protocol between clients and servers used for secure communications and
transactions. You can use the HTTPS-proxy to secure a web server protected by your XTM device, or
to examine HTTPS traffic requested by clients on your network. By default, when an HTTPS client
starts a request, it establishes a TCP (Transmission Control Protocol) connection on port 443. Most
HTTPS servers listen for requests on port 443.
HTTPS is more secure than HTTP because HTTPS uses a digital certificate to encrypt and decrypt
user page requests as well as the pages that are returned by the web server. Because HTTPS traffic is
encrypted, the XTM device must decrypt it before it can be examined. After it examines the content,
the XTM device encrypts the traffic with a certificate and sends it to the intended destination.
You can export the default certificate created by the XTM device for this feature, or import a certificate
for the XTM device to use instead. If you use the HTTPS-proxy to examine web traffic requested by
users on your network, we recommend that you export the default certificate and distribute it to each
user so that they do not receive browser warnings about untrusted certificates. If you use the HTTPS-
proxy to secure a web server that accepts requests from an external network, we recommend that you
import the existing web server certificate for the same reason.
When an HTTPS client or server uses a port other than port 443 in your organization, you can use the
TCP/UDP proxy to relay the traffic to the HTTPS-proxy. For information on the TCP/UDP proxy, see
About the TCP-UDP-Proxy on page 796.
To add the HTTPS-proxy to your XTM device configuration, see Add a Proxy Policy to Your
Configuration on page 640.
If you must change the proxy definition, you can modify the definition from the Firewall Policies / Edit
page. This page is separated into several tabs: Settings, Application Control, Traffic
Management, Proxy Action, Scheduling, and Advanced.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
- Connections are: Specify whether connections are Allowed, Denied, or Denied (send
reset) and define who appears in the From and To list (on the Policy tab of the proxy definition).
See Set Access Rules for a Policy on page 629.
- Use policy-based routing: See Configure Policy-Based Routing on page 631.
- You can also configure static NAT or configure server load balancing. See Configure Static
NAT on page 271 and Configure Server Load Balancing on page 275.
- To define the logging settings for the policy, configure the settings in the Logging section.
For more information, see Set Logging and Notification Preferences on page 882.
- If you set the Connections are drop-down list to Denied or Denied (send reset), you can
block sites that try to use HTTPS.
For more information, see Block Sites Temporarily with Policy Settings on page 852.
- To change the idle timeout that is set by the XTM device or authentication server, see Set a
Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to
use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action in v11.8.x and Lower and Add a Traffic Management Action to
a Policy on page 828.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action in v11.8.x and Lower on page 827.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 643.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 643.
3. Click Save.
For the HTTPS-proxy, you can configure these categories of settings for a proxy action:
- HTTPS-Proxy: General Settings
- HTTPS-Proxy: Content Inspection
- HTTPS-Proxy: Certificate Names
- HTTPS-Proxy: Proxy Alarm
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 623.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
- Apply NAT Rules on page 636
- Set the Sticky Connection Duration for a Policy on page 636
- Set ICMP Error Handling on page 636
- Enable QoS Marking or Prioritization Settings for a Policy on page 810
HTTPS-Proxy: General Settings
On the Edit proxy action page, on the General tab, you can configure basic HTTPS parameters such
as connection timeout and logging settings.
Allow only SSL compliant traffic
This option is only available for XTM devices that run Fireware XTM OS v11.8.1 or higher.
Select this option to enable your XTM device to only allow traffic that is compliant with these
SSL protocols:
- SSL_V2=0x200
- SSL_V3=0x300
- TLS_V1=0x301
- TLS_V11=0x302
- TLS_V12=0x303
If you select the Enable deep inspection of HTTPS content check box on the Content
Inspection page, this option is disabled.
When this option is not selected and content inspection is not enabled, the HTTPS-proxy allows
any traffic over port 443 (the default port for the HTTPS-proxy). If this option is not selected and
content inspection is not enabled, and you create a custom HTTPS-proxy that uses another
TCP port for SSL traffic, the HTTPS-proxy allows all SSL traffic.
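What "compliant with these SSL protocols" means in practice is a check on the version field of the first record the client sends. The code below is an added example, not Fireware code, and is not a description of how the XTM device implements the option: it reads the version from either the SSLv3/TLS record header or the older SSLv2-format ClientHello, maps it onto the version codes listed above, and rejects anything that is not SSL/TLS at all (such as plain HTTP sent to port 443). The sample records are constructed, and the mapping of the on-the-wire SSL 2.0 version (0x0002) to the guide's SSL_V2 code is an assumption of this example.

```python
"""Classify the first bytes a client sends as SSL/TLS of a permitted version.

Added example, not Fireware code. It applies the protocol version codes the
guide lists for "Allow only SSL compliant traffic" to the version field of
the client's first record, recognises both the SSLv3/TLS record header and
the older SSLv2-format ClientHello, and rejects anything that is not SSL at
all (for example plain HTTP on port 443). The sample bytes are constructed.
"""

SSL_V2, SSL_V3, TLS_V1, TLS_V11, TLS_V12 = 0x200, 0x300, 0x301, 0x302, 0x303
COMPLIANT_VERSIONS = frozenset({SSL_V2, SSL_V3, TLS_V1, TLS_V11, TLS_V12})

RECORD_TYPE_HANDSHAKE = 0x16


def detect_version(data: bytes):
    """Return the protocol version code from a client's first record, or None."""
    if (len(data) >= 5 and data[0] == RECORD_TYPE_HANDSHAKE
            and data[1] == 0x03 and data[2] <= 0x03):
        # SSLv3/TLS record header: content type, version major, version minor, length.
        return (data[1] << 8) | data[2]
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-format ClientHello: 2-byte length with the high bit set, message
        # type 1, then the version the client offers.
        offered = (data[3] << 8) | data[4]
        # On the wire SSL 2.0 calls itself 0x0002; map that to the guide's SSL_V2 code.
        return SSL_V2 if offered == 0x0002 else offered
    return None


def is_compliant(data: bytes, allowed=COMPLIANT_VERSIONS) -> bool:
    """True if the first record is SSL/TLS and its version is in the allowed set.

    Pass a smaller set (for example without SSL_V2) to model a stricter policy.
    """
    version = detect_version(data)
    return version is not None and version in allowed


# Constructed samples: only the leading bytes matter for this check.
TLS12_HELLO = bytes([0x16, 0x03, 0x03, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])
TLS10_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])
SSLV2_HELLO = bytes([0x80, 0x2e, 0x01, 0x00, 0x02, 0x00, 0x15, 0x00, 0x00, 0x00])
V2_FORMAT_OFFERING_TLS1 = bytes([0x80, 0x2e, 0x01, 0x03, 0x01, 0x00, 0x15, 0x00, 0x00, 0x00])
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("TLS 1.2", TLS12_HELLO), ("SSLv2", SSLV2_HELLO), ("HTTP", PLAIN_HTTP)]:
        print(name, "compliant" if is_compliant(sample) else "rejected")
```

The same classifier with SSL_V2 removed from the allowed set models the tighter policy a deployment would normally want; on this page the guide's option itself still lists SSL_V2 as compliant.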
Connection Timeout
Configure these settings to specify how long the HTTPS-proxy waits for the web client to make
a request from the external web server after it starts a TCP/IP connection, or after an earlier
request for the same connection. If the time period exceeds this setting, the HTTPS-proxy
closes the connection.
To enable this feature, select the Connection timeout check box. In the adjacent text box,
type or select the number of minutes before the proxy times out.
Enable logging for reports
To create a traffic log message for each transaction, select this check box. This option
increases the size of your log file, but this information is very important if your firewall is
attacked. If you do not select this check box, you do not see detailed information about HTTPS-
proxy connections in reports.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
- Error
- Warning
- Information
- Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page
878.
HTTPS-Proxy: Content Inspection
You can enable and configure deep inspection of HTTPS content on the HTTPS Proxy Action
Configuration Content Inspection tab.
If your device runs Fireware XTM v11.0 through v11.3.x, the Content Inspection settings
for your device do not include the Allow SSLv2 (insecure) option.
Enable deep inspection of HTTPS content
When this check box is selected, the XTM device decrypts HTTPS traffic, encrypts the traffic
again with a new certificate, and then examines the content. The content is examined by the
HTTP-proxy policy that you choose on this page.
If you have other traffic that uses the HTTPS port, such as SSL VPN traffic, we
recommend that you evaluate this option carefully. The HTTPS-proxy attempts to
examine all traffic on TCP port 443 in the same way. To ensure that other traffic
sources operate correctly, we recommend that you add those sources to the Bypass
List. See the subsequent section for more information.
By default, the certificate used to encrypt the traffic is generated automatically by the XTM
device. You can also upload your own certificate to use for this purpose. If you choose to upload
your own certificate, use your own internal CA to sign the certificate. If your users are on your
domain, and you use a certificate signed by your own internal CA, users can connect
successfully. If you use a certificate generated by a public CA, your users receive a warning in
their browsers. Public certificate authorities generate certificates that do not include properties
that allow the XTM device to operate as an intermediate CA.
If the original web site or your web server has a self-signed or invalid certificate, or if the
certificate was signed by a CA the XTM device does not recognize (such as a public third-party
CA), clients are presented with a browser certificate warning. Certificates that cannot be
properly re-signed appear to be issued by Fireware HTTPS-proxy: Unrecognized Certificate or
simply Invalid Certificate.
We recommend that you import the certificate you use, as well as any other certificates
necessary for the client to trust that certificate, on each client device. When a client does not
automatically trust the certificate used for the content inspection feature, the user sees a
warning in the browser, and services like Windows Update do not operate correctly.
Some third-party programs store private copies of necessary certificates and do not use the
operating system certificate store, or transmit other types of data over TCP port 443. These
programs include:
- Communications software, such as AOL Instant Messenger and Google Voice
- Remote desktop and presentation software, such as LiveMeeting and WebEx
- Financial and business software, such as ADP, iVantage, FedEx, and UPS
If these programs do not have a method to import trusted CA certificates, they do not operate
correctly when content inspection is enabled. Contact your software vendor for more
information about certificate use or technical support, or add the IP addresses of computers that
use this software to the Bypass list.
For more information, see About Certificates on page 953 or Use Certificates for the HTTPS-Proxy
on page 974.
Allow SSLv2 (insecure)
SSLv3, SSLv2, and TLSv1 are protocols used for HTTPS connections. SSLv2 is not as secure
as SSLv3 and TLSv1. By default, the HTTPS-proxy only allows connections that negotiate the
SSLv3 and TLSv1 protocols. If your users connect to client or server applications that only
support SSLv2, you can allow the HTTPS-proxy to use the SSLv2 protocol for connections to
these web sites.
To enable this option, select the Allow SSLv2 (insecure) check box. This option is disabled by
default.
Proxy Action
Select an HTTP-proxy policy for the XTM device to use when it inspects decrypted HTTPS
content.
When you enable content inspection, the HTTP proxy action WebBlocker settings override the
HTTPS-proxy WebBlocker settings. If you add IP addresses to the bypass list for content
inspection, traffic from those sites is filtered with the WebBlocker settings from the HTTPS-
proxy.
For more information on WebBlocker configuration, see About WebBlocker on page 1315.
Use OCSP to confirm the validity of certificates
Select this check box to have the XTM device automatically check for certificate revocations
with OCSP (Online Certificate Status Protocol). When this feature is enabled, the XTM device
uses information in the certificate to contact an OCSP server that keeps a record of the
certificate status. If the OCSP server responds that the certificate has been revoked, the XTM
device disables the certificate.
If you select this option, there can be a delay of several seconds as the XTM device requests a
response from the OCSP server. The XTM device keeps between 300 and 3000 OCSP
responses in a cache to improve performance for frequently visited web sites. The number of
responses stored in the cache is determined by your XTM device model.
This option implements a "loose" OCSP policy. If the OCSP server cannot be contacted for any
reason and does not send a response, the XTM device will not disable the certificate or break
the certificate chain.
If a certificate cannot be validated, the certificate is invalid
When this option is selected, it enforces a "strict" OCSP policy. If an OCSP responder does not
send a response to a revocation status request, the XTM device considers the original
certificate as invalid or revoked. This option can cause certificates to be considered invalid if
there is a routing error or a problem with your network connection.
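The difference between the "loose" and "strict" options is the decision taken when the responder sends nothing: fail open or fail closed. The class below is an added example, not Fireware code and not a description of the device's implementation: the responder is a callable supplied by the caller (a constructed stand-in for a real OCSP request), the cache_size parameter stands in for the 300 to 3000 responses the guide says a device keeps, and only actual responses are cached, so a responder outage is retried on the next connection.

```python
"""Loose and strict OCSP handling, as the two options above describe.

Added example, not Fireware code. The responder is a callable supplied by
the caller (a constructed stand-in for an OCSP request); it returns "good"
or "revoked", or raises OcspUnreachable when no response arrives. The
cache_size parameter stands in for the 300 to 3000 responses the guide
says a device keeps; responses, not failures, are cached.
"""
from collections import OrderedDict


class OcspUnreachable(Exception):
    """The OCSP responder could not be contacted or sent no response."""


class OcspChecker:
    def __init__(self, responder, strict: bool = False, cache_size: int = 300):
        self.responder = responder      # callable: serial -> "good" | "revoked"
        self.strict = strict            # "If a certificate cannot be validated, the certificate is invalid"
        self.cache_size = cache_size
        self._cache = OrderedDict()     # serial -> status, least recently used first

    def cached_status(self, serial):
        status = self._cache.get(serial)
        if status is not None:
            self._cache.move_to_end(serial)   # mark as recently used
        return status

    def _remember(self, serial, status):
        self._cache[serial] = status
        self._cache.move_to_end(serial)
        if len(self._cache) > self.cache_size:
            self._cache.popitem(last=False)   # evict the least recently used entry

    def is_trusted(self, serial) -> bool:
        """Decide whether the certificate with this serial may be used."""
        status = self.cached_status(serial)
        if status is None:
            try:
                status = self.responder(serial)
            except OcspUnreachable:
                # Loose policy: an unanswered request does not break the chain.
                # Strict policy: an unanswered request makes the certificate invalid.
                return not self.strict
            self._remember(serial, status)
        return status == "good"

    def cache_len(self) -> int:
        return len(self._cache)


def constructed_responder(serial: str) -> str:
    """Stand-in for a real OCSP responder, driven by the serial's prefix."""
    if serial.startswith("revoked"):
        return "revoked"
    if serial.startswith("offline"):
        raise OcspUnreachable(serial)
    return "good"


if __name__ == "__main__":
    for strict in (False, True):
        checker = OcspChecker(constructed_responder, strict=strict)
        print("strict" if strict else "loose", "offline responder ->",
              "trusted" if checker.is_trusted("offline-1") else "invalid")
```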
Bypass list
The XTM device does not inspect content sent to or from IP addresses on this list. To add a
web site or hostname, type the IP address in the text box and click Add.
HTTPS-Proxy: Certificate Names
Certificate names are used to filter content for an entire site. The XTM device allows or denies access
to a site if the domain of an HTTPS certificate matches an entry in this list.
For example, if you want to deny traffic from any site in the example.com domain, add a Certificate
Names rule with the pattern *.example.com and set the If matched action to Deny.
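To see how such a rule is applied, the code below evaluates Certificate Names rules against the names carried in a server certificate. It is an added example, not Fireware code, and makes two assumptions: rules are checked in order with the first match deciding, and the wildcard is a shell-style match, so *.example.com covers www.example.com but not the bare example.com. The certificate dicts use the layout that Python's ssl.SSLSocket.getpeercert() returns and are constructed for the example.

```python
"""Apply Certificate Names rules to the names in a server certificate.

Added example, not Fireware code. Rules are (pattern, action) pairs in the
order they would appear in the ruleset; the first pattern that matches any
name in the certificate decides, and an unmatched certificate gets the
default action. The certificate dict uses the layout returned by Python's
ssl.SSLSocket.getpeercert(), and the sample certificates are constructed.
"""
from fnmatch import fnmatchcase


def certificate_names(cert: dict) -> list:
    """Collect the subject commonName and every DNS subjectAltName, lowercased."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value.lower())
    return names


def evaluate_certificate_rules(cert: dict, rules, default: str = "Allow"):
    """Return (action, pattern) for the first matching rule, or (default, None).

    Matching uses shell-style wildcards, so '*.example.com' matches
    'www.example.com' but not the bare 'example.com' (an assumption about the
    matcher; add a second rule for the bare domain if you need both).
    """
    names = certificate_names(cert)
    for pattern, action in rules:
        if any(fnmatchcase(name, pattern.lower()) for name in names):
            return action, pattern
    return default, None


# Constructed certificates in getpeercert() layout.
WWW_EXAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "cdn.example.com")),
}
BARE_EXAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "example.com"),)),
    "subjectAltName": (("DNS", "example.com"),),
}
OTHER_CERT = {
    "subject": ((("commonName", "mail.example.net"),),),
    "subjectAltName": (("DNS", "mail.example.net"),),
}

# The rule from the guide's example, plus an explicit rule for the bare domain.
RULES = [
    ("*.example.com", "Deny"),
    ("example.com", "Deny"),
]

if __name__ == "__main__":
    for cert in (WWW_EXAMPLE_CERT, BARE_EXAMPLE_CERT, OTHER_CERT):
        print(certificate_names(cert)[0], "->", evaluate_certificate_rules(cert, RULES))
```

Checking the subjectAltName entries as well as the common name matters: modern browsers ignore the common name, so a rule that only looked at it could be sidestepped by a certificate whose SAN list names the site.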
1. On the Edit proxy action page, select the Certificate Names tab.
The Certificate Names panel expands.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTPS-Proxy: Proxy Alarm
You can configure how the HTTPS-proxy sends messages for alarm events that occur through the
HTTPS-proxy. You can define the proxy to send an SNMP trap, a notification to a network
administrator, or both. The notification can either be an email message to a network administrator or a
pop-up window on the management computer.
1. On the Edit proxy action page, select the Proxy and AV Alarms tab.
The Proxy Alarm settings appear.
2. Configure the notification settings for the HTTPS-proxy action.
For more information, see Set Logging and Notification Preferences on page 882.
3. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
About the POP3-Proxy
POP3 (Post Office Protocol v.3) is a protocol that moves email messages from an email server to an
email client on a TCP connection over port 110. Most Internet-based email accounts use POP3. With
POP3, an email client contacts the email server and checks for any new email messages. If it finds a
new message, it downloads the email message to the local email client. After the message is received
by the email client, the connection is closed.
With a POP3-proxy filter you can:
- Adjust timeout and line length limits to make sure the POP3-proxy does not use too many
network resources, and to prevent some types of attacks.
- Customize the deny message that is sent to a user when content or attachments are stripped
from an email sent to that user.
- Filter content embedded in email with MIME types.
- Block specified path patterns and URLs.
To add the POP3-proxy to your XTM device configuration, see Add a Proxy Policy to Your
Configuration on page 640.
If you must change the proxy definition, you can modify the definition from the Firewall Policies / Edit
page. This page is separated into several tabs: Settings, Application Control, Traffic
Management, Proxy Action, Scheduling, and Advanced.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
- Connections are: Specify whether connections are Allowed, Denied, or Denied (send
reset) and define who appears in the From and To list (on the Policy tab of the proxy definition).
See Set Access Rules for a Policy on page 629.
- Use policy-based routing: See Configure Policy-Based Routing on page 631.
- You can also configure static NAT or configure server load balancing. See Configure Static
NAT on page 271 and Configure Server Load Balancing on page 275.
- To define the logging settings for the policy, configure the settings in the Logging section.
For more information, see Set Logging and Notification Preferences on page 882.
- If you set the Connections are drop-down list to Denied or Denied (send reset), you can
block sites that try to use POP3.
For more information, see Block Sites Temporarily with Policy Settings on page 852.
- To change the idle timeout that is set by the XTM device or authentication server, see Set a
Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to
use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action in v11.8.x and Lower and Add a Traffic Management Action to
a Policy on page 828.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action in v11.8.x and Lower on page 827.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 643.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 643.
3. Click Save.
For the POP3-proxy, you can configure these categories of settings for a proxy action:
- POP3-Proxy: General Settings
- POP3-Proxy: Authentication
- POP3-Proxy: Content Types
- POP3-Proxy: Filenames
- POP3-Proxy: Headers
- POP3-Proxy: Deny Message
- POP3-Proxy: Proxy and AV Alarms
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 623.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
- Apply NAT Rules on page 636
- Set the Sticky Connection Duration for a Policy on page 636
- Set ICMP Error Handling on page 636
- Enable QoS Marking or Prioritization Settings for a Policy on page 810
POP3-Proxy: General Settings
On the Edit page for a POP3-proxy action, on the General tab, you can adjust timeout and line length
limits as well as other general parameters for the POP3-proxy.
Set the timeout to
To limit the number of minutes that the email client tries to open a connection to the email server
before the connection is closed, select this check box. In the adjacent text box, type or select
the number of minutes for the timeout value. This makes sure the proxy does not use too many
network resources when the POP3 server is slow or cannot be reached.
Set the maximum email line length to
To prevent some types of buffer overflow attacks, select this check box. In the adjacent text
box, type or select the limit of the line length. Very long line lengths can cause buffer overflows
on some email systems. Most email clients and systems send relatively short lines, but some
web-based email systems send very long lines. However, it is unlikely that you will need to
change this setting unless it prevents access to legitimate mail.
Hide server replies
To replace the POP3 greeting strings in email messages, select this check box. These strings
can be used by hackers to identify the POP3 server vendor and version.
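The line length limit and the greeting replacement above are both simple to apply on the server-to-client side of a POP3 session. The filter below is an added example, not Fireware code and not a description of the device's implementation: it reads the server's replies with a hard cap so an overlong line is rejected before it has to be buffered in full, and swaps the first +OK banner for a generic greeting. The server output is constructed; on a real socket, socket.settimeout() on the connection is the counterpart of the "Set the timeout to" option.

```python
"""Server-to-client reply filter modelled on the POP3-proxy General Settings.

Added example, not Fireware code. It reads the POP3 server's reply stream
line by line, replaces the +OK greeting banner with a generic one (Hide
server replies) and refuses any line longer than the configured limit
(Set the maximum email line length). The server replies are constructed.
"""
import io


class LineTooLong(Exception):
    """A reply line exceeded the maximum email line length."""


GENERIC_GREETING = b"+OK POP3 server ready\r\n"


def filter_pop3_replies(stream, max_line_length=1000, hide_server_replies=True):
    """Yield reply lines as the client should see them.

    stream is any binary file-like object (a socket.makefile('rb') in real use).
    Lines are read with a hard cap so an overlong line never has to be
    buffered in full before it is rejected.
    """
    first = True
    while True:
        # Allow the line plus CRLF; anything longer comes back without a terminator.
        line = stream.readline(max_line_length + 2)
        if not line:
            return
        if len(line.rstrip(b"\r\n")) > max_line_length:
            raise LineTooLong(f"reply line exceeds {max_line_length} bytes")
        if first and hide_server_replies and line.startswith(b"+OK"):
            # The banner usually names the vendor and version of the server.
            line = GENERIC_GREETING
        first = False
        yield line


def filtered_replies(raw: bytes, **options) -> list:
    """Run the filter over a constructed byte string and collect the output."""
    return list(filter_pop3_replies(io.BytesIO(raw), **options))


# Constructed server output: a chatty banner, then a normal reply.
SAMPLE_REPLIES = (b"+OK ExampleMail POP3 Server 4.2.1 ready <1234@mail.example.com>\r\n"
                  b"+OK 2 messages\r\n")

if __name__ == "__main__":
    for line in filtered_replies(SAMPLE_REPLIES):
        print(line.decode().rstrip())
```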
Allow uuencoded attachments
To enable the POP3-proxy to allow uuencoded attachments in email messages, select this
check box. Uuencode is an older program used to send binary files in ASCII text format over the
Internet. UUencoded attachments can be security risks because they appear as ASCII text
files, but can actually contain executable files.
Allow BinHex attachments
To enable the POP3-proxy to allow BinHex attachments in email messages, select this check
box. BinHex, which is short for binary-to-hexadecimal, is a utility that converts a file from binary
format to ASCII text format.
Enable logging for reports
To enable the POP3-proxy to send a log message for each POP3 connection request, select
this check box. To use WatchGuard Reports to create reports of POP3 traffic, you must select
this check box.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
- Error
- Warning
- Information
- Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page
878.
POP3-Proxy: Authentication
A POP3 client must authenticate to a POP3 server before they exchange information. You can set the
types of authentication for the proxy to allow and the action to take for types that do not match the
criteria. You can add, delete, or modify rules.
1. On the Edit proxy action page, select the POP3 Protocol category.
The POP3 authentication rules appear.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
POP3-Proxy: Content Types
The headers for email messages include a Content Type header to show the MIME type of the email
and of any attachments. The content type or MIME type tells the computer the types of media the
message contains. Certain kinds of content embedded in email can be a security threat to your
network. Other kinds of content can decrease the productivity of your users.
You can enable the POP3-proxy to automatically detect the content type of an email message and any
attachments. If you do not enable this option, the POP3-proxy uses the value stated in the email
header, which clients sometimes set incorrectly. Because hackers often try to disguise executable
files as other content types, we recommend that you enable content type auto detection to make your
installation more secure.
For example, a .pdf file attached to an email might have a content type stated as application/octet-
stream. If you enable content type auto detection, the POP3-proxy recognizes the .pdf file and uses
the actual content type, application/pdf. If the proxy does not recognize the content type after it
examines the content, it uses the value stated in the email header, as it would if content type auto
detection were not enabled.
You can add, delete, or modify rules. You can also set values for content filtering and the action to take
for content types that do not match the criteria. For the POP3-Server proxy action, you set values for
incoming content filtering. For the POP3-Client action, you set values for outgoing content filtering.
When you specify the MIME type, make sure to use the format type/subtype. For example, if you want
to allow JPEG images, you add image/jpg. You can also use the asterisk (*) as a wildcard. To allow
any image format, add image/* to the list.
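The auto detection and rule matching described above can be shown end to end on a constructed message. The code below is an added example, not Fireware code and not the device's detector: detect_content_type() sniffs an attachment's leading bytes and falls back to the declared Content-Type when it does not recognise the data, exactly the fallback the guide describes, and content_type_action() applies rules written in the type/subtype form with image/* as the wildcard case. The signature table is a short illustrative list, and the message (a PDF declared as application/octet-stream, a Windows executable declared as image/jpeg, and a real JPEG) is built with Python's email package.

```python
"""Content type auto detection for email attachments, with type/subtype rules.

Added example, not Fireware code. detect_content_type() sniffs an
attachment's leading bytes and falls back to the declared Content-Type when
it does not recognise the data, as the guide describes; content_type_action()
then applies rules written as type/subtype or type/* patterns. The message
and its attachments are constructed with Python's email package.
"""
from email.message import EmailMessage
from fnmatch import fnmatchcase

# Leading bytes -> actual content type. Short list for the example; a real
# detector would carry many more signatures.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-msdownload"),   # Windows executable (PE)
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),
]


def detect_content_type(payload: bytes, declared: str) -> str:
    """Type from the data when recognised, otherwise the declared header value."""
    for magic, ctype in MAGIC:
        if payload.startswith(magic):
            return ctype
    return declared.lower()


def content_type_action(ctype: str, rules, default: str = "Strip") -> str:
    """First rule whose type/subtype pattern matches decides; else the default."""
    for pattern, action in rules:
        if fnmatchcase(ctype, pattern.lower()):
            return action
    return default


def scan_attachments(msg: EmailMessage, rules, auto_detect: bool = True) -> list:
    """Return (filename, declared type, effective type, action) per attachment."""
    results = []
    for part in msg.iter_attachments():
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        effective = detect_content_type(payload, declared) if auto_detect else declared
        results.append((part.get_filename(), declared, effective,
                        content_type_action(effective, rules)))
    return results


def build_sample_message() -> EmailMessage:
    """Constructed message: a mislabelled PDF, a disguised executable, a real JPEG."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See the attached invoice.")
    msg.add_attachment(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00", maintype="image",
                       subtype="jpeg", filename="photo1.jpg")
    msg.add_attachment(b"\xff\xd8\xff\xe0\x00\x10JFIF", maintype="image",
                       subtype="jpeg", filename="photo2.jpg")
    return msg


# Rules in the type/subtype form the guide describes, image/* as the wildcard case.
RULES = [
    ("application/pdf", "Allow"),
    ("image/*", "Allow"),
    ("application/x-msdownload", "Deny"),
]

if __name__ == "__main__":
    for row in scan_attachments(build_sample_message(), RULES):
        print(row)
```

With auto_detect=False the same message shows the risk the guide warns about: the executable labelled image/jpeg passes the image/* rule, while the genuine PDF labelled application/octet-stream is stripped.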
To specify the content types for automatic detection:
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the Attachments drop-down list, select Content Types.
The Content Types page appears.
3. To enable the POP3 proxy to examine content and determine the content type, select the
Enable content type auto detection check box.
If you do not select this option, the POP3 proxy uses the value stated in the email header.
4. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
5. To change settings for another category in this proxy, see the topic for that category.
6. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
POP3-Proxy: Filenames
To put limits on file names for incoming email attachments, you can use the Filenames ruleset in a
POP3-Server proxy action. Or, you can use the ruleset for the POP3-Client proxy action to put limits on
file names for outgoing email attachments. You can add, delete, or modify rules.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the Attachments drop-down list, select Filenames.
The Filenames page appears.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
POP3-Proxy: Headers
The POP3-proxy examines email headers to find patterns common to forged email messages, as well
as those from legitimate senders. You can add, delete, or modify rules.
1. On the Edit page, select the Headers tab.
The Headers settings appear.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
POP3-Proxy: Deny Message
When content is denied, the XTM device sends a default deny message that replaces the denied content. This message appears in a recipient's email message when the proxy blocks an email. You can change the text of that deny message. The first line of the deny message is a section of the HTTP header. You must include an empty line between the first line and the body of the message.
The default deny message appears in the Deny Message text box. To change this to a custom
message, use these variables:
%(reason)%
Includes the reason the XTM device denied the content.
%(filename)%
Includes the file name of the denied content.
%(virus)%
Includes the name or status of a virus for Gateway AntiVirus users.
%(action)%
Includes the name of the action taken. For example, lock or strip.
%(recovery)%
Includes whether you can recover the attachment.
To configure the deny message:
1. On the Edit page, select the Deny Messages tab.
The Deny Message category expands.
2. In the Deny Message text box, type a custom plain text message in standard HTML.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
POP3-Proxy: Proxy and AV Alarms
You can configure how the POP3-proxy sends messages for alarm and antivirus events that occur through the POP3-proxy. You can define the proxy to send an SNMP trap, a notification to a network administrator, or both. The notification can either be an email message to a network administrator or a pop-up window on the management computer.
1. On the Edit page, select the Proxy Alarm tab.
The Proxy Alarm settings appear.
2. Configure the notification settings for the POP3-proxy action.
For more information, see Set Logging and Notification Preferences on page 882.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
About the SIP-ALG
If you use Voice-over-IP (VoIP) in your organization, you can add a SIP (Session Initiation Protocol) or H.323 ALG (Application Layer Gateway) to open the ports necessary to enable VoIP through your XTM device. An ALG is created in the same way as a proxy policy and offers similar configuration options. These ALGs have been created to work in a NAT environment to maintain security for privately-addressed conferencing equipment behind the XTM device.
H.323 is commonly used on videoconferencing equipment. SIP is commonly used with IP phones. You can use both H.323 and SIP-ALGs at the same time, if necessary. To determine which ALG you need to add, consult the documentation for your VoIP devices or applications.
For supported deployment configurations, see Example VoIP Network Diagrams.
VoIP Components
It is important to understand that you usually implement VoIP with either:
Peer-to-peer connections
In a peer-to-peer connection, each of the two devices knows the IP address of the other device and connects to the other directly without the use of a proxy server to route their calls.
Host-based connections
Connections managed by a call management system (PBX). The call management system can be self-hosted, or hosted by a third-party service provider.
In the SIP standard, two key components of call management are the SIP Registrar and the SIP Proxy. Together, these components manage connections hosted by the call management system. The WatchGuard SIP-ALG opens and closes the ports necessary for SIP to operate. The WatchGuard SIP-ALG supports SIP trunks. It can support both the SIP Registrar and the SIP Proxy when used with a call management system that is external to the XTM device.
It can be difficult to coordinate the many components of a VoIP installation. We recommend you make sure that VoIP connections work successfully before you add an H.323 or SIP-ALG. This can help you to troubleshoot any problems.
Instant Messaging Support
The SIP-ALG supports page-based instant messaging (IM) as part of the default SIP protocol. You do not have to complete any additional configuration steps to use IM with the SIP-ALG.
ALG Functions
When you use a SIP-ALG, your XTM device:
• Routes traffic for VoIP applications
• Opens the ports necessary to make and receive calls, and to exchange audio and video media
• Makes sure that VoIP connections use standard SIP protocols
• Generates log messages for auditing purposes
• Supports SIP presence through the use of the SIP Publish method. This allows softphone users to see peer status.
Many VoIP devices and servers use NAT (Network Address Translation) to open and close ports automatically. The H.323 and SIP-ALGs also perform this function. You must disable NAT on your VoIP devices if you configure an H.323 or SIP-ALG.
For instructions to add the SIP-ALG to your XTM device configuration, see Add a Proxy Policy to Your Configuration on page 640.
If you must change the proxy definition, from the Firewall Policies / Edit page, you can modify the definition. This page is separated into several tabs: Settings, Application Control, Traffic Management, Proxy Action, Scheduling, and Advanced.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
• Connections are: Specify whether connections are Allowed, Denied, or Denied (send reset) and define who appears in the From and To list (on the Policy tab of the proxy definition). See Set Access Rules for a Policy on page 629.
• Use policy-based routing: See Configure Policy-Based Routing on page 631.
• You can also configure static NAT or configure server load balancing. See Configure Static NAT on page 271 and Configure Server Load Balancing on page 275.
• To define the logging settings for the policy, configure the settings in the Logging section. For more information, see Set Logging and Notification Preferences on page 882.
• If you set the Connections are drop-down list to Denied or Denied (send reset), you can block sites that try to use POP3. For more information, see Block Sites Temporarily with Policy Settings on page 852.
• To change the idle timeout that is set by the XTM device or authentication server, see Set a Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action in v11.8.x and Lower and Add a Traffic Management Action to
a Policy on page 828.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings as described in the topic Define a Traffic Management Action in v11.8.x and Lower on page 827.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 643.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 643.
3. Click Save.
For the SIP-ALG, you can configure these categories of settings for a proxy action:
• SIP-ALG: General Settings
• SIP-ALG: Access Control
• SIP-ALG: Denied Codecs
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 623.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
• Apply NAT Rules on page 636
• Set the Sticky Connection Duration for a Policy on page 636
• Set ICMP Error Handling on page 636
• Enable QoS Marking or Prioritization Settings for a Policy on page 810
SIP-ALG: General Settings
In the General settings for the Edit page for a SIP-ALG action, you can set security and performance options for the SIP-ALG (Application Layer Gateway).
Enable header normalization
To deny malformed or extremely long SIP headers, select this check box. While these headers often indicate an attack on your XTM device, you can disable this option if necessary for your VoIP solution to operate correctly.
Enable topology hiding
This feature rewrites SIP and SDP (Session Description Protocol) headers to remove private network information, such as IP addresses. We recommend that you select this option unless you have an existing VoIP gateway device that performs topology hiding.
Enable directory harvesting protection
To prevent attackers from stealing user information from VoIP gatekeepers protected by your XTM device, select this check box. This option is enabled by default.
Set the maximum number of sessions allowed per call
To restrict the maximum number of audio or video sessions that can be created with a single VoIP call, type or select a value in this text box.
For example, if you set the number of maximum sessions to one and participate in a VoIP call with both audio and video, the second connection is dropped. The default value is two sessions and the maximum value is four sessions. The XTM device sends a log message when it denies a media session above this number.
User agent information
To identify outgoing SIP traffic as a client you specify, type a new user agent string in the Rewrite user agent as text box.
To remove the false user agent, clear the text box.
Idle media channels
When no data is sent for a specified amount of time on a VoIP audio, video, or data channel, your XTM device closes that network connection. The default value is 180 seconds (three minutes) and the maximum value is 600 seconds (ten minutes).
To specify a different time interval, type or select the time in seconds in the Idle media channels text box.
Registration expires after
Specify the elapsed time interval before the SIP-ALG rewrites the SIP registration value that VoIP phones and PBX systems use to update their registration. The default value is 180 seconds (three minutes) and the maximum value is 600 seconds (ten minutes).
To specify a different time interval, type or select the time in seconds in the Registration expires after text box.
Enable logging for reports
To send a log message for each connection request managed by the SIP-ALG, select this check box. To create accurate reports on SIP traffic, you must select this check box.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a log level:
• Error
• Warning
• Information
• Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page
878.
SIP-ALG: Access Control
On the Edit page for a SIP-ALG action, in the Access Control settings, you can create a list of users who are allowed to send VoIP network traffic.
Enable access control for VoIP
To enable the access control feature, select this check box. When enabled, the SIP-ALG allows or restricts calls based on the options you set.
Default Settings
To allow all VoIP users to start calls by default, select the Start VoIP calls check box.
To allow all VoIP users to receive calls by default, select the Receive VoIP calls check box.
To create a log message for each SIP VoIP connection that is started or received, select the adjacent Log check box.
Access Levels
To create an exception to the default settings you specified, type the Address of Record (the address that shows up in the TO and FROM headers of the packet) for the exception. This is usually a SIP address in the format user@domain, such as myuser@example.com.
From the Access Level drop-down list, select an access level and click Add.
You can select whether to allow users to Start calls only, Receive calls only, Start and receive calls, or give them No VoIP access. These settings apply only to SIP VoIP traffic.
To delete an exception, select it in the list and click Remove.
Connections made by users who have an access level exception are logged by default. If you do not want to log connections made by a user with an access level exception, clear the Log check box adjacent to the exception.
SIP-ALG: Denied Codecs
You can use the SIP-ALG Denied Codecs feature to specify one or more VoIP voice, video, or data transmission codecs to deny on your network. When a SIP VoIP connection is opened that uses a codec specified in this list, your XTM device reads the value from the SIP header in the "a=rtpmap" field and strips the codec information from the connection negotiation.
The Denied Codecs list is empty by default. We recommend that you add a codec to this list if the codec:
• Consumes too much bandwidth and causes excessive data usage across trunks or between network elements
• Presents a security risk
• Is not necessary for your VoIP solution to operate correctly
For example, you might choose to deny the G.711 or G.726 codecs because they use more than 32 Kb/sec of bandwidth, or you might choose to deny the Speex codec because it is used by an unauthorized VoIP application.
For a list of codecs and the name or text pattern associated with each codec, see http://www.iana.org/assignments/rtp-parameters/rtp-parameters.xml. When you add a codec to the Denied Codecs list, make sure to specify the value in the Encoding Name column for that codec.
To configure the denied codecs settings for a SIP-ALG:
1. On the Edit page for the SIP-Client proxy action, select the Denied Codecs tab.
The Denied Codecs settings appear.
2. To add a codec to the list, in the Denied Codecs text box, type the codec name or unique text pattern.
Do not use wildcard characters or regular expression syntax. Codec patterns are case sensitive.
3. Click Add.
4. To delete a codec from the list, select the codec and click Remove.
5. To create a log message when your XTM device strips the codec information from SIP traffic that matches a codec in this list, select the Log each transaction that matches a denied codec pattern check box.
6. Click Save.
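As an added example (not WatchGuard's code), the following Python models two SIP-ALG behaviours this guide describes, codec stripping by the a=rtpmap encoding name (exact, case-sensitive match) and the per-call media session cap, on a constructed SDP offer. Setting the port of an emptied m= line to 0 is an assumption of this model, not documented device behaviour.

```python
"""Added example, not WatchGuard code: models two SIP-ALG behaviours on an SDP
offer: stripping denied codecs (matched by the IANA encoding name in a=rtpmap,
case-sensitive, no wildcards) and capping the media sessions allowed per call."""
from typing import List, Tuple

# Constructed sample SDP offer with an audio, a video and a data session.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8 97 98",
    "a=rtpmap:0 PCMU/8000",
    "a=rtpmap:8 PCMA/8000",
    "a=rtpmap:97 speex/8000",
    "a=fmtp:97 mode=any",
    "a=rtpmap:98 opus/48000/2",
    "m=video 51372 RTP/AVP 99",
    "a=rtpmap:99 H264/90000",
    "m=application 53000 udp/bfcp *",
]) + "\r\n"

MAX_SESSIONS_LIMIT = 4  # highest value the UI accepts, per the text above


def _split(sdp: str) -> List[str]:
    return [ln for ln in sdp.split("\r\n") if ln]


def _join(lines: List[str]) -> str:
    return "\r\n".join(lines) + "\r\n"


def strip_denied_codecs(sdp: str, denied: List[str]) -> Tuple[str, List[str]]:
    """Return (rewritten SDP, list of stripped a=rtpmap lines).

    Only codecs announced with an a=rtpmap line can be matched by name; a
    static payload type offered without rtpmap (a bare "0" for PCMU, say)
    is not touched by this model.
    """
    denied_pts, stripped, kept = set(), [], []
    for line in _split(sdp):
        if line.startswith("a=rtpmap:"):
            pt, _, desc = line[len("a=rtpmap:"):].partition(" ")
            if desc.split("/")[0] in denied:      # exact, case-sensitive match
                denied_pts.add(pt)
                stripped.append(line)
                continue
        kept.append(line)

    out = []
    for line in kept:
        if line.startswith("m="):
            fields = line.split(" ")
            if len(fields) > 3 and fields[2].startswith("RTP/"):
                fmts = [p for p in fields[3:] if p not in denied_pts]
                if not fmts:
                    # Assumption: an m= line left with no codecs is rejected by
                    # setting its port to 0 (SDP convention), keeping one fmt.
                    fields[1], fmts = "0", fields[3:4]
                line = " ".join(fields[:3] + fmts)
        elif line.startswith("a=fmtp:"):
            if line[len("a=fmtp:"):].split(" ")[0] in denied_pts:
                continue  # parameters that belong to a stripped codec
        out.append(line)
    return _join(out), stripped


def cap_media_sessions(sdp: str, max_sessions: int = 2) -> Tuple[str, int]:
    """Keep only the first `max_sessions` m= sections; return (SDP, dropped count)."""
    if not 1 <= max_sessions <= MAX_SESSIONS_LIMIT:
        raise ValueError("max sessions per call must be 1..%d" % MAX_SESSIONS_LIMIT)
    out, section, dropped = [], 0, 0
    for line in _split(sdp):
        if line.startswith("m="):
            section += 1
            if section > max_sessions:
                dropped += 1        # the device logs each media session it denies
        if section <= max_sessions:
            out.append(line)
    return _join(out), dropped


if __name__ == "__main__":
    sdp, gone = strip_denied_codecs(SAMPLE_SDP, ["speex"])
    print("stripped:", gone)
    sdp, dropped = cap_media_sessions(sdp, 1)
    print(sdp, "dropped sessions:", dropped)
```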
About the SMTP-Proxy
SMTP (Simple Mail Transfer Protocol) is a protocol used to send email messages between email servers and also between email clients and email servers. It usually uses a TCP connection on Port 25. You can use the SMTP-proxy to control email messages and email content. The proxy scans SMTP messages for a number of filtered parameters, and compares them against the rules in the proxy configuration.
With an SMTP-proxy filter you can:
• Adjust timeout, maximum email size, and line length limits to make sure the SMTP-proxy does not use too many network resources, and to prevent some types of attacks.
• Customize the deny message that users see when an email they try to receive is blocked.
• Filter content embedded in email with MIME types and name patterns.
• Limit the email addresses that email can be addressed to and automatically block email from specific senders.
To add the SMTP-proxy to your XTM device configuration, see Add a Proxy Policy to Your Configuration on page 640.
You can also configure subscription service settings for the SMTP-proxy. For more information, see:
• Configure spamBlocker
• Configure the Gateway AntiVirus Service
If you must change the proxy definition, from the Firewall Policies / Edit page, you can modify the definition. This page is separated into several tabs: Settings, Application Control, Traffic Management, Proxy Action, Scheduling, and Advanced.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
• Connections are: Specify whether connections are Allowed, Denied, or Denied (send reset) and define who appears in the From and To list (on the Policy tab of the proxy definition). See Set Access Rules for a Policy on page 629.
• Use policy-based routing: See Configure Policy-Based Routing on page 631.
• You can also configure static NAT or configure server load balancing. See Configure Static NAT on page 271 and Configure Server Load Balancing on page 275.
• To define the logging settings for the policy, configure the settings in the Logging section. For more information, see Set Logging and Notification Preferences on page 882.
• If you set the Connections are drop-down list to Denied or Denied (send reset), you can block sites that try to use SMTP. For more information, see Block Sites Temporarily with Policy Settings on page 852.
• To change the idle timeout that is set by the XTM device or authentication server, see Set a Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action in v11.8.x and Lower and Add a Traffic Management Action to
a Policy on page 828.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings as described in the topic Define a Traffic Management Action in v11.8.x and Lower on page 827.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 643.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 643.
3. Click Save.
For the SMTP-proxy, you can configure these categories of settings for a proxy action:
• SMTP-Proxy: General Settings
• SMTP-Proxy: Greeting Rules
• SMTP-Proxy: TLS Encryption
• SMTP-Proxy: ESMTP Settings
• SMTP-Proxy: Authentication
• SMTP-Proxy: Content Types
• SMTP-Proxy: Filenames
• SMTP-Proxy: Mail From/Rcpt To
• SMTP-Proxy: Headers
• SMTP-Proxy: Deny Message
• SMTP-Proxy: Data Loss Prevention
• SMTP-Proxy: Proxy and AV Alarms
• SMTP-Proxy: APT Blocker
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 623.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
• Apply NAT Rules on page 636
• Set the Sticky Connection Duration for a Policy on page 636
• Set ICMP Error Handling on page 636
• Enable QoS Marking or Prioritization Settings for a Policy on page 810
SMTP-Proxy: General Settings
In the General section of the Edit page for an SMTP proxy action, you can set basic SMTP-proxy parameters such as idle timeout, message limits, and email message information.
Idle timeout
You can set the length of time an incoming SMTP connection can be idle before the connection times out. The default value is 10 minutes.
Set the maximum email recipients
To set the maximum number of email recipients to which a message can be sent, select this check box. In the adjacent text box that appears, type or select the number of recipients.
The XTM device counts and allows the specified number of addresses through, and then drops the other addresses. For example, if you set the value to 50 and there is a message for 52 addresses, the first 50 addresses get the email message. The last two addresses do not get a copy of the message. The XTM device counts a distribution list as one SMTP email address (for example, support@example.com). You can use this feature to decrease spam email because spam usually includes a large recipient list. When you enable this option, make sure you do not also deny legitimate email.
Set the maximum address length to
To set the maximum length of email addresses, select this check box. In the adjacent text box that appears, type or select the maximum length for an email address in bytes.
Set the maximum email size to
To set the maximum length of an incoming SMTP message, select this check box. In the adjacent text box that appears, type or select the maximum size for each email in kilobytes.
Most email is sent as 7-bit ASCII text. The exceptions are Binary MIME and 8-bit MIME. 8-bit MIME content (for example, MIME attachments) is encoded with standard algorithms (Base64 or quoted-printable encoding) to enable it to be sent through 7-bit email systems. Encoding can increase the length of files by as much as one third. To allow messages as large as 10000 kilobytes, you must set this option to a minimum of 13340 kilobytes to make sure all email gets through.
Set the maximum email line length to
To set the maximum line length for lines in an SMTP message, select this check box. In the adjacent text box that appears, type or select the length in bytes for each line in an email.
Very long line lengths can cause buffer overflows on some email systems. Most email clients and systems send short line lengths, but some web-based email systems send very long lines.
Set the maximum email header size to
To set the maximum size of the email header in an SMTP message, select this check box. In the adjacent text box that appears, type or select the maximum size for each email header in bytes.
Hide Email Server
You can replace MIME boundary and SMTP greeting strings in email messages. These are used by hackers to identify the SMTP server vendor and version.
Select the Message ID and Server Replies check boxes.
If you have an email server and use the SMTP-Incoming proxy action, you can set the SMTP-proxy to replace the domain that appears in your SMTP server banner with a domain name you select. To do this, you must select the Server Replies and Rewrite Banner Domain check boxes. In the Rewrite Banner Domain text box, type the domain name to use in your banner.
If you use the SMTP-Outgoing proxy action, you can set the SMTP-proxy to replace the domain shown in the HELO or EHLO greetings. A HELO or EHLO greeting is the first part of an SMTP transaction, when your email server announces itself to a receiving email server. To do this, select the Rewrite HELO Domain check box. In the Rewrite HELO Domain text box, type the domain name to use in your HELO or EHLO greeting.
Allow uuencoded attachments
To enable the SMTP-proxy to allow uuencoded attachments to email messages, select this check box. Uuencode is an older program used to send binary files in ASCII text format over the Internet. Uuencoded attachments can be security risks because they appear as ASCII text files but can actually contain executable files.
Allow BinHex attachments
To enable the SMTP-proxy to allow BinHex attachments to email messages, select this check box. BinHex, which is short for binary-to-hexadecimal, is a utility that converts a file from binary to ASCII format.
Auto-block sources of invalid commands
To add senders of invalid SMTP commands to the Blocked Sites list, select this check box. Invalid SMTP commands often indicate an attack on your SMTP server.
Send a log message when an SMTP command is denied
To send a log message for connection requests that are denied by the SMTP-proxy, select this check box.
Enable logging for reports
To send a log message for each connection request through the SMTP-proxy, select this check box. To create accurate reports on SMTP traffic, you must select this check box.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a log level:
• Error
• Warning
• Information
• Debug
The log level you select overrides the diagnostic log level that is configured for all log messages of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page 878.
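As an added example (not WatchGuard's code), this Python applies the recipient, address-length, line-length and header-size limits described above to a constructed SMTP transaction and reports what a proxy would pass, drop or deny. The limit values are hypothetical, and the pass/drop/deny outcomes mirror the text rather than the device's own implementation.

```python
"""Added example, not WatchGuard code: applies the SMTP-proxy General limits
(maximum recipients, address length, line length, header size) to a constructed
SMTP transaction. Limit values are hypothetical, not the device defaults."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class SmtpLimits:
    max_recipients: int = 50      # addresses beyond this are dropped, not denied
    max_address_len: int = 256    # bytes; a longer MAIL FROM/RCPT TO is denied
    max_line_len: int = 1000      # bytes; a longer line is denied
    max_header_size: int = 4096   # bytes; a larger header block is denied


@dataclass
class Verdict:
    accepted_rcpts: List[str] = field(default_factory=list)
    dropped_rcpts: List[str] = field(default_factory=list)
    denials: List[str] = field(default_factory=list)  # empty means the message passes


# Constructed client-side SMTP transaction (server replies omitted).
SAMPLE_SESSION = [
    "EHLO client.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.com>",
    "RCPT TO:<support@example.com>",   # a distribution list still counts as one address
    "RCPT TO:<carol@example.com>",
    "DATA",
    "From: alice@example.net",
    "To: bob@example.com",
    "Subject: quarterly report",
    "",
    "Please see the attached report.",
    ".",
]


def _address(arg: str) -> str:
    """'<user@example.com>' -> 'user@example.com'."""
    return arg.strip().strip("<>")


def check_transaction(lines: List[str], limits: SmtpLimits) -> Verdict:
    """Walk the transaction once and apply each limit where the proxy would."""
    v = Verdict()
    in_data, in_headers, header_bytes = False, True, 0
    for raw in lines:
        size = len(raw.encode("utf-8"))
        if size > limits.max_line_len:
            v.denials.append("line too long (%d bytes)" % size)
        if not in_data:
            verb, _, arg = raw.partition(":")
            verb = verb.strip().upper()
            if verb in ("MAIL FROM", "RCPT TO"):
                addr = _address(arg)
                if len(addr.encode("utf-8")) > limits.max_address_len:
                    v.denials.append("address too long in %s" % verb)
                    continue
                if verb == "RCPT TO":
                    # The first N recipients get the message; the rest are dropped.
                    if len(v.accepted_rcpts) < limits.max_recipients:
                        v.accepted_rcpts.append(addr)
                    else:
                        v.dropped_rcpts.append(addr)
            elif verb == "DATA":
                in_data = True
        elif in_headers:
            if raw == "":                       # blank line ends the header block
                in_headers = False
                if header_bytes > limits.max_header_size:
                    v.denials.append("header too large (%d bytes)" % header_bytes)
            else:
                header_bytes += size + 2        # count the CRLF carried on the wire
    return v


if __name__ == "__main__":
    print(check_transaction(SAMPLE_SESSION, SmtpLimits(max_recipients=2)))
```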
SMTP-Proxy: Greeting Rules
The proxy examines the initial HELO/EHLO responses when the SMTP session is initialized. The default rules for the SMTP-Incoming proxy action make sure that packets with greetings that are too long, or include characters that are not correct or expected, are denied. You can add, delete, or modify rules.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the General drop-down list, select Greeting Rules.
The Greeting Rules page appears.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
SMTP-Proxy: ESMTP Settings
On the ESMTP Settings page, you can configure settings to filter ESMTP content. Although SMTP is
widely accepted and widely used, some parts of the Internet community want more functionality in
SMTP. ESMTP gives a method for functional extensions to SMTP, and to identify servers and clients
that support extended features.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the ESMTP drop-down list, select ESMTP Settings.
The ESMTP Settings page appears.
3. Configure these options:
Enable ESMTP
Select this check box to enable all fields. If you clear this check box, all other check boxes on this page are disabled. When the options are disabled, the settings for each option are saved. If this option is enabled again, all the settings are restored.
Allow BDAT/CHUNKING
Select this check box to allow BDAT/CHUNKING. This enables large messages to be sent more easily through SMTP connections.
Allow ETRN (Remote Message Queue Starting)
This is an extension to SMTP that allows an SMTP client and server to interact to start the exchange of message queues for a given host.
Allow 8-Bit MIME
Select this check box to allow transmission of 8-bit data messages. When this option is disabled, messages encoded with 8-bit MIME are denied by the SMTP-proxy. Enable this option only if your email server has the ability to send 8-bit data transmissions.
Allow Binary MIME
Select to allow the Binary MIME extension, if the sender and receiver accept it. Binary MIME prevents the overhead of base64 and quoted-printable encoding of binary objects sent that use the MIME message format with SMTP. We do not recommend you select this option as it can be a security risk.
Log denied ESMTP options
To create a log message for unknown ESMTP options that are stripped by the SMTP-proxy, select this check box.
To disable this option, clear this check box.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
SMTP-Proxy: TLS Encryption
You can configure the SMTP-proxy to use TLS encryption to process email sent from a client email
server (the sender) to your SMTP server (the recipient). SMTP over TLS is a secure extension to the
SMTP service that allows an SMTP server and client to use TLS (transport-layer security) to provide
private, authenticated communication over the Internet. For SMTP, this usually involves the use of
STARTTLS keywords. TLS encryption settings for the SMTP-proxy have two configurable parts: when
to use encryption (sender or recipient channel) and how to encrypt (SSL or TLS protocol and certificate
type). You can use these settings to specify the encryption settings for incoming traffic (sender email),
for traffic from your SMTP server (the recipient), or both.
About TLS Encryption
SSLv3, SSLv2, and TLSv1 are all protocols used for encrypted SMTP connections. SSLv2 is not as
secure as SSLv3 and TLSv1. When you enable TLS encryption, by default, the SMTP-proxy only
allows connections that negotiate the SSLv3 and TLSv1 protocols. You can, however, allow the
SMTP-proxy to use the SSLv2 protocol for connections to and from SMTP clients or servers that
require the SSLv2 protocol.
About OCSP Options
You can also choose whether to use OCSP (Online Certificate Status Protocol) to validate certificates.
If you enable this option, your XTM device automatically uses OCSP to check for certificate
revocations. When this feature is enabled, the XTM device uses information in the certificate to
contact an OCSP server that keeps a record of the certificate status. If the OCSP server responds that
the certificate has been revoked, the XTM device disables the certificate. This process can cause a
delay of several seconds, while the XTM device requests a response from the OCSP server. The XTM
device keeps between 300 and 3000 OCSP responses in a cache to improve performance for
frequently accessed hosts. The number of responses stored in the cache is determined by your XTM
device model.
When you use OCSP to validate certificates, you can also specify whether certificates that cannot be
validated are considered valid. If you specify that certificates that cannot be validated are considered
invalid, and an OCSP responder does not send a response to a revocation status request, the XTM
device treats the original certificate as invalid or revoked. This option can cause certificates to be
considered invalid if there is a routing error or a problem with your network connection.
About Encryption Rules
After you enable TLS encryption for your SMTP proxy action, you add rules to specify the sender and
recipient domains, and the required encryption details for each domain. When you add rules to the
Encryption Rules list, the rules are evaluated in order from the first rule to the last rule in the list. Make
sure to put your rules in an order that provides the most flexibility. For example, if you have more than
one SMTP server domain, put the rule for your primary SMTP server first in the list, with rules for any
backup SMTP servers lower in the list.
Proxy Settings
776 Fireware XTM Web UI
Proxy Settings
User Guide 777
When you add encryption rules, you can create rules for specific sender and recipient domains. Or, to
create a global rule, you can use a wildcard character (*) for either the sender or recipient domain. You
can specify encryption rules for the sender channel, for the recipient channel, or both. This enables you
to set different encryption rules for specific domains that send email to your SMTP server. Each
encryption rule must be 200 bytes or less in length.
Sender Encryption
• Required - The sender SMTP server must negotiate encryption with the XTM device.
• None - The XTM device does not negotiate encryption with the sender SMTP servers.
• Optional - The sender SMTP server can negotiate encryption with the receiver SMTP
server. TLS encryption is dependent on the encryption capabilities and settings of the
receiver SMTP server.
Recipient Encryption
• Required - The XTM device must negotiate encryption with the recipient SMTP server.
• None - The XTM device does not negotiate encryption with the recipient SMTP server.
• Preferred - The XTM device tries to negotiate encryption with the recipient SMTP server.
• Allowed - The XTM device uses the sender SMTP server behavior to negotiate
encryption with the recipient SMTP server.
If you do not want to add rules for more than one domain, you can set the Sender Encryption to
Optional, Recipient Encryption to Preferred, and use the wildcard character (*) for the domain
information. With these encryption settings, most email is safely sent to your SMTP server.
If your users connect to your network over a public Internet connection, we recommend that you select
Required for the Sender Encryption setting. If your SMTP server does not support encryption, we
recommend that you select Optional, because email that is not encrypted can still be accepted.
If your users send email to your SMTP server through your protected corporate intranet, you have the
most flexibility if you set Sender Encryption to Optional and Recipient Encryption to None.
If you add a rule that always requires traffic from a sender domain to be encrypted, you can also
specify that a TLS protocol must be used for the recipient, sender, and body information in the email
message.
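The first-match evaluation described above, as an added example that is not part of this guide or of WatchGuard's software: a small Python model of an Encryption Rules list, evaluated in order with wildcard domains, plus a check that reports rules an earlier rule makes unreachable (for example a global * rule placed above the rule for your primary SMTP server). The rule fields, the fnmatch-style wildcard matching (so a pattern such as *.example.com also covers subdomains), and the way the 200-byte limit is measured are assumptions modelled on this section, not the proxy's own behaviour.

```python
# Added example (not WatchGuard code): first-match evaluation of SMTP-proxy
# style encryption rules. Field names follow the settings described in this
# section; wildcard semantics and the rule-size measurement are assumptions.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

SENDER_MODES = {"Required", "None", "Optional"}
RECIPIENT_MODES = {"Required", "None", "Preferred", "Allowed"}
MAX_RULE_BYTES = 200  # per-rule length limit stated in the guide


@dataclass
class EncryptionRule:
    recipient_domain: str       # "To Recipient Domain"; '*' is the wildcard
    sender_domain: str          # "From Sender Domain"; '*' is the wildcard
    recipient_encryption: str   # Required | None | Preferred | Allowed
    sender_encryption: str      # Required | None | Optional
    enabled: bool = True

    def validate(self) -> None:
        """Reject a rule with an unknown mode or one that exceeds 200 bytes."""
        if self.sender_encryption not in SENDER_MODES:
            raise ValueError(f"unknown sender encryption: {self.sender_encryption}")
        if self.recipient_encryption not in RECIPIENT_MODES:
            raise ValueError(f"unknown recipient encryption: {self.recipient_encryption}")
        size = len(f"{self.sender_domain}>{self.recipient_domain}".encode("utf-8"))
        if size > MAX_RULE_BYTES:
            raise ValueError(f"rule is {size} bytes, limit is {MAX_RULE_BYTES}")


def domain_matches(pattern: str, domain: str) -> bool:
    """Case-insensitive match; '*' alone is the global wildcard."""
    return fnmatchcase(domain.lower(), pattern.lower())


def match_rule(rules: List[EncryptionRule], sender_domain: str,
               recipient_domain: str) -> Optional[EncryptionRule]:
    """Return the first enabled rule whose sender and recipient patterns both match."""
    for rule in rules:
        if (rule.enabled and domain_matches(rule.sender_domain, sender_domain)
                and domain_matches(rule.recipient_domain, recipient_domain)):
            return rule
    return None


def covers(earlier: str, later: str) -> bool:
    """Conservative test: True only when every domain the later pattern can
    match is also matched by the earlier pattern."""
    earlier, later = earlier.lower(), later.lower()
    if earlier == "*" or earlier == later:
        return True
    return "*" not in later and fnmatchcase(later, earlier)


def shadowed_rules(rules: List[EncryptionRule]) -> List[int]:
    """Indexes of enabled rules that can never match because an earlier
    enabled rule already covers both of their domain patterns."""
    shadowed = []
    for i, later in enumerate(rules):
        if not later.enabled:
            continue
        for earlier in rules[:i]:
            if (earlier.enabled and covers(earlier.sender_domain, later.sender_domain)
                    and covers(earlier.recipient_domain, later.recipient_domain)):
                shadowed.append(i)
                break
    return shadowed


# Constructed sample list: primary server first, backup second, global catch-all last.
SAMPLE_RULES = [
    EncryptionRule("mail.example.com", "*", "Preferred", "Required"),
    EncryptionRule("backup.example.com", "*", "Preferred", "Optional"),
    EncryptionRule("*", "*", "Preferred", "Optional"),
]

# The same rules with the catch-all moved to the top: the specific rules are unreachable.
MISORDERED_RULES = [SAMPLE_RULES[2], SAMPLE_RULES[0], SAMPLE_RULES[1]]


def describe(rules: List[EncryptionRule], sender: str, recipient: str) -> str:
    """Human-readable decision for one sender/recipient pair."""
    rule = match_rule(rules, sender, recipient)
    if rule is None:
        return f"{sender} -> {recipient}: no rule matched"
    return (f"{sender} -> {recipient}: sender={rule.sender_encryption}, "
            f"recipient={rule.recipient_encryption}")


if __name__ == "__main__":
    for r in SAMPLE_RULES:
        r.validate()
    print(describe(SAMPLE_RULES, "partner.example.net", "mail.example.com"))
    print(describe(SAMPLE_RULES, "partner.example.net", "backup.example.com"))
    print("shadowed (good order):", shadowed_rules(SAMPLE_RULES))
    print("shadowed (catch-all first):", shadowed_rules(MISORDERED_RULES))
```

Running shadowed_rules against a rule list before you save it is the kind of check that catches the ordering mistake this section warns about; a disabled rule is ignored both as a match candidate and as a rule that can shadow later ones.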
Configure TLS Encryption Settings
When you create a new configuration file, you must enable the deep inspection of SMTP with TLS
option in the SMTP proxy action before you can configure the settings for TLS encryption. If your
configuration file already has deep inspection of SMTP with TLS enabled, you can simply complete the
configuration settings for TLS encryption.
To enable TLS encryption and configure the rules for an SMTP proxy action:
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the ESMTP drop-down list, select TLS Encryption.
The TLS Encryption page appears.
3. Select the Enable deep inspection of SMTP with TLS check box.
4. To enable the SMTP-proxy to use the SSLv2 protocol, select the Allow SSLv2 (insecure)
check box.
5. (Optional) Select the Use OCSP to validate certificates check box.
6. To specify how certificates that cannot be validated are processed, select the If a certificate
cannot be validated, the certificate is considered invalid check box.
7. To add encryption rules, in the Rules section, click Add.
A new encryption rule appears in the Encryption Rules list.
8. In the To Recipient Domain text box, type the domain name for your SMTP server and press
Enter on your keyboard.
9. To specify the domain that client traffic can come from, double-click the default From Sender
Domain value, *, type a new value in the text box, and press Enter on your keyboard.
To allow traffic from any domain, keep the default value of *.
10. To change the Recipient Encryption value, click the default selection, Preferred, and select
an option from the drop-down list:
• Required
• None
• Preferred
• Allowed
11. To change the Sender Encryption value, click the default selection, Optionally Encrypted,
and select an option from the drop-down list:
• Required
• None
• Optional
12. To change the order that rules are applied, select a rule in the Encryption Rules list, and click
Up or Down.
13. To disable a rule in the list, clear the Enabled check box for that rule.
14. To delete a rule fromthe list, click Remove.
15. To require the TLS protocol to be used for encrypted sender traffic, select the When sender
encryption is required, TLS must be used for the sender, recipient, and body
information check box.
This option is only available if you configure a rule with a Sender Encryption setting of Always
Encrypted.
For more information about proxy action rules, see Add, Change, or Delete Rules.
16. To change settings for another category in this proxy action, see the topic for that category.
17. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
SMTP-Proxy: Authentication
This ruleset allows these ESMTP authentication types: DIGEST-MD5, CRAM-MD5, PLAIN, LOGIN,
LOGIN (old style), NTLM, and GSSAPI. The default rule denies all other authentication types. The
SMTP authentication extension is described in RFC 2554. You can add, delete, or modify
rules.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the ESMTP drop-down list, select Authentication.
The Authentication page appears.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
SMTP-Proxy: Content Types
Certain kinds of content embedded in email can be a security threat to your network. Other kinds of
content can decrease the productivity of your users. You can use the ruleset for the SMTP-Incoming
proxy action to set values for incoming SMTP content filtering. You can use the ruleset for the SMTP-
Outgoing proxy action to set values for outgoing SMTP content filtering. The SMTP-proxy allows these
content types: text/*, image/*, multipart/*, and message/*. You can add, delete, or modify rules.
You can also configure the SMTP-proxy to automatically examine the content of email messages to
determine the content type. If you do not enable this option, the SMTP-proxy uses the value stated in
the email header, which clients sometimes set incorrectly. For example, an attached .pdf file might
have a content type stated as application/octet-stream. If you enable content type auto detection, the
SMTP-proxy recognizes the .pdf file and uses the actual content type, application/pdf. If the proxy
does not recognize the content type after it examines the content, it uses the value stated in the email
header, as it would if content type auto detection were not enabled. Because hackers often try to
disguise executable files as other content types, we recommend that you enable content type auto
detection to make your installation more secure.
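The auto-detection behaviour above, as an added Python example that is not the SMTP-proxy's own detector: the attachment's leading bytes are compared against a small constructed signature table, the header value is used only when nothing matches, and the result is checked against the default allowed content types listed in this section. The signature table and the helper names are assumptions; a real detector carries far more signatures.

```python
# Added example (not the SMTP-proxy's own detector): content type auto detection
# for an attachment, with the fallback to the declared header value that this
# section describes. The signature table is a small constructed subset.
from typing import Optional, Sequence, Tuple

# Constructed table of (leading bytes, MIME type). Real detectors hold many more.
SIGNATURES: Sequence[Tuple[bytes, str]] = (
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-msdownload"),        # Windows PE executable
    (b"\x7fELF", "application/x-executable"),   # ELF executable
    (b"PK\x03\x04", "application/zip"),         # zip container (also Office OOXML)
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)

# Content types the SMTP-proxy allows by default, per this section.
DEFAULT_ALLOWED: Sequence[str] = ("text/*", "image/*", "multipart/*", "message/*")


def sniff_content_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None


def effective_content_type(declared: str, data: bytes, auto_detect: bool) -> Tuple[str, str]:
    """Decide which content type the rules are evaluated against.
    Returns (content_type, source) where source is 'detected' or 'header'."""
    declared = declared.split(";", 1)[0].strip().lower()  # drop parameters such as charset
    if auto_detect:
        detected = sniff_content_type(data)
        if detected is not None:
            return detected, "detected"
    return declared, "header"  # unknown content, or auto detection disabled


def type_matches(content_type: str, pattern: str) -> bool:
    """Match 'image/png' against a rule pattern such as 'image/*' or 'image/png'."""
    major, _, sub = content_type.partition("/")
    p_major, _, p_sub = pattern.partition("/")
    return major == p_major and p_sub in ("*", sub)


def is_allowed(content_type: str, allowed: Sequence[str] = DEFAULT_ALLOWED) -> bool:
    """True if the content type is in the allowed list."""
    return any(type_matches(content_type, p) for p in allowed)


def decide(declared: str, data: bytes, auto_detect: bool) -> Tuple[str, str, bool]:
    """(effective type, source, allowed?) for one attachment."""
    ctype, source = effective_content_type(declared, data, auto_detect)
    return ctype, source, is_allowed(ctype)


# Constructed attachments: a PDF mislabelled by the client (the case in the
# text), a PE stub labelled as a GIF image, and plain text with no signature.
PDF_BYTES = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n"
PE_BYTES = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00" + b"\x00" * 54
UNKNOWN_BYTES = b"just some plain text\n"

if __name__ == "__main__":
    samples = (("report.pdf", "application/octet-stream", PDF_BYTES),
               ("photo.gif", "image/gif", PE_BYTES),
               ("notes.txt", "text/plain; charset=utf-8", UNKNOWN_BYTES))
    for name, declared, data in samples:
        for auto in (False, True):
            print(f"{name} auto_detect={auto} -> {decide(declared, data, auto)}")
```

The photo.gif case is the one that matters: with auto detection off, the header value image/gif falls inside image/* and the attachment passes; with it on, the executable signature wins and the effective type is application/x-msdownload, which the default list does not allow.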
Configure Rules
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the Attachments drop-down list, select Content Type Rules.
The Content Type Rules page appears.
3. To enable the SMTP-proxy to examine content to determine content type, select the Enable
content type auto detection check box.
4. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
5. To change settings for another category in this proxy, see the topic for that category.
6. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
Configure Body Encryption Settings
Your XTM device detects the body encryption settings in an email based on PGP MIME types. To
specify the encryption requirements for the body content of the email messages that are sent through
your network, you can configure the settings for Body Encryption. You can add rules to allow or deny
an email message based on the encryption criteria you specify. When you configure the rules for
encrypted content, you can specify the actions to take for messages from a particular email address to
a particular email address, or you can use wildcards to add global rules that apply to all email
messages. Rules are applied to email messages in the order you specify in the Encrypted Content
Rules list. Make sure to arrange the rules in your list in the best order for your organization.
From the Content Types page:
1. From the Attachments drop-down list, select Body Encryption.
The Body Encryption settings appear.
2. To add a new rule, click Add.
The Add Rule dialog box appears.
3. In the To Address text box, type a valid email address.
To use a wildcard, type *@*.
4. To set a specific From Address, in the From Address text box, type an email address.
5. To set the action the proxy takes for this rule, from the Action drop-down list, select an option:
• Required
• Allowed
• Denied
The default Action setting is Required.
6. Click OK.
The rule appears in the Body Encryption list.
7. To change the order of the rules in the list, select a rule and click Move Up or Move Down.
8. To disable a rule in the list, clear the Enabled check box.
SMTP-Proxy: Filenames
To put limits on file names for incoming email attachments, configure rules in the SMTP-Incoming
proxy action ruleset. To put limits on file names for outgoing email attachments, configure rules in the
SMTP-Outgoing proxy action ruleset. You can add, delete, or modify rules.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the Attachments drop-down list, select Filenames.
The Filenames page appears.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
SMTP-Proxy: Mail From/Rcpt To
You can use the Address: Mail From ruleset to put limits on email and to allow email into your
network only from specified senders. The default configuration is to allow email from all senders. You
can add, delete, or modify rules.
The Address: Rcpt To ruleset can limit the email that goes out of your network to only specified
recipients. The default configuration allows email to all recipients out of your network. On an SMTP-
Incoming proxy action, you can use the Rcpt To ruleset to make sure your email server cannot be
used for email relaying. For more information, see Protect Your SMTP Server from Email Relaying on
page 795.
You can also use the Replace option in a rule to configure the XTM device to change the Mail From
and Mail To components of your email address to a different value. This feature is also known as
SMTP masquerading.
Other options available in the Mail From and Rcpt To rulesets:
Block source-routed addresses
Select this check box to block a message when the sender address or recipient address
contains source routes. A source route identifies the path a message must take when it goes
from host to host. The route can identify which mail routers or backbone sites to use.
For example, @backbone.com:freddyb@example.com means that the host named
Backbone.com must be used as a relay host to deliver mail to freddyb@example.com. By
default, this option is enabled for incoming SMTP packets and disabled for outgoing SMTP
packets.
Block 8-bit characters
Select this check box to block a message that has 8-bit characters in the sender user name or
recipient user name. 8-bit characters are used, for example, for accented letters. By default, this
option is enabled for incoming SMTP packets and disabled for outgoing SMTP packets.
To configure the SMTP proxy to put limits on the email traffic through your network:
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the Address drop-down list, select Mail From or Rcpt To.
The Mail From or Rcpt To settings page appears.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
SMTP-Proxy: Headers
Header rulesets allow you to set values for incoming or outgoing SMTP header filtering. You can add,
delete, or modify rules.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. Select the Headers tab.
The Headers settings appear.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
SMTP-Proxy: Deny Message
When content is denied, the XTM device sends a default deny message that replaces the denied
content. This message appears in the recipient's email message when the proxy blocks an email. You
can change the text of that deny message. The first line of the deny message is a section of the HTTP
header. You must include an empty line between the first line and the body of the message.
The default deny message appears in the Deny Message text box. To change this to a custom
message, use these variables:
%(reason)%
Includes the reason the XTMdevice denied the content.
%(type)%
Includes the type of content that was denied.
%(filename)%
Includes the file name of the denied content.
%(virus)%
Includes the name or status of a virus for Gateway AntiVirus users.
%(action)%
Includes the name of the action taken. For example, lock or strip.
%(recovery)%
Includes whether you can recover the attachment.
To configure the deny message:
1. On the Edit page, select the Deny Messages tab.
The Deny Message category settings appear.
2. In the Deny Message text box, type a custom plain text message in standard HTML.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
SMTP-Proxy: Data Loss Prevention
To apply consistent settings for Data Loss Prevention (DLP) content inspection and extraction, you
can associate a DLP configuration with your SMTP-proxy.
From the Edit page for the SMTP-proxy:
1. Select the Proxy Action tab.
2. Select the Data Loss Prevention tab.
3. From the DLP Sensor drop-down list, select a configuration.
4. Click Save.
For more information, see About Data Loss Prevention on page 1440 and Configure Data Loss
Prevention on page 1443.
SMTP-Proxy: Proxy and AV Alarms
You can configure how the SMTP-proxy sends messages for alarm and antivirus events that occur
through the SMTP-proxy. You can define the proxy to send an SNMP trap, a notification to a network
administrator, or both. The notification can either be an email message to a network administrator or a
pop-up window on the management computer.
1. On the Edit Proxy Action page, select the Proxy and AV Alarms category.
The Proxy and AV Alarm settings appear.
2. Configure the notification settings for the SMTP proxy action.
For more information, see Set Logging and Notification Preferences on page 882.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
SMTP-Proxy: APT Blocker
If you have purchased and enabled the APT Blocker feature on your Firebox or XTM device, you can
enable APT Blocker in the SMTP-proxy to examine web traffic for APT malware.
From the Edit page for the SMTP-proxy:
1. Select the Proxy Action tab.
2. Select the APT Blocker tab.
3. Select the Enable APT Blocker check box.
4. Click Save.
For more information, see About APT Blocker on page 1382 and Configure APT Blocker on page 1386.
Configure the SMTP-Proxy to Quarantine Email
The WatchGuard Quarantine Server provides a safe, full-featured quarantine mechanism for any email
messages suspected or known to be spam or to contain viruses. This repository receives email
messages from the SMTP-proxy that spamBlocker has filtered.
To configure the SMTP-proxy to quarantine email:
1. Add the SMTP-proxy to your configuration.
2. Enable spamBlocker in the proxy definition.
Or, enable spamBlocker and select to enable it for the SMTP-proxy.
3. Configure the actions spamBlocker applies for different categories of email.
Make sure you select the Quarantine action for at least one of the categories.
For more information, see Configure spamBlocker on page 1345.
If the Quarantine Server is not already configured, when you select this action you are prompted
to configure it.
4. (Optional) Select the Quarantine action for email messages identified by Virus Outbreak
Detection as containing viruses.
For more information, see Configure Virus Outbreak Detection Actions on page 1350.
Protect Your SMTP Server from Email Relaying
Email relaying, also called mail spamming or open mail relay, is an intrusion in which a person uses
your email server, address, and other resources, to send large amounts of spam email. This can cause
system crashes, equipment damage, and financial loss.
If you are not familiar with the issues involved with mail relaying, or are unsure whether your email
server is vulnerable to mail relaying, we recommend you research your own email server and learn its
potential vulnerabilities. The XTM device can give basic mail relay protection if you are unsure of how
to configure your email server. However, you should also find out how to use your email server itself
to prevent email relaying.
To protect your server, you change the settings of the SMTP-proxy policy that filters traffic from the
external network to your internal SMTP server to include your domain information. When you type your
domain, you can use the wildcard * character. Then, any email address that ends with @your-domain-
name is allowed. If your email server accepts email for more than one domain, you can add more
domains. For example, if you add both *@example.com and *@*.example.com to the list, your email
server will accept all email destined to the top-level example.com domain and all email destined to
subdomains of example.com, such as rnd.example.com.
Before you start this procedure, you must know the names of all domains that your SMTP email server
receives email for.
1. Select Firewall > Proxy Actions.
2. Select the SMTP-proxy action for the SMTP-proxy policy that filters traffic from the external
network to an internal SMTP server. Click Edit.
3. From the Address drop-down list, select Mail From or Rcpt To.
4. From the Action to take if no rule above is matched drop-down list, select Deny.
Any email destined to an address other than the domains in the list is denied.
Another way to protect your server is to type a value in the Rewrite As text box in this dialog box. The
XTM device then changes the From and To components of your email address to a different value. This
feature is also known as SMTP masquerading.
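The address checks from the Mail From/Rcpt To section (source-routed addresses, 8-bit characters in the user name) and the relay-protection list from the procedure above, as one added Python example that is not WatchGuard code: an incoming Rcpt To ruleset built from the two patterns in the text, evaluated in order, with Deny as the action when no rule matches. The parsing helpers and the rule tuple layout are assumptions; the source route is stripped before the domain patterns are compared, and quoted local parts containing ':' are not handled.

```python
# Added example (not WatchGuard code): the Rcpt To checks described in the
# Mail From/Rcpt To section and in the relay-protection procedure. Helper
# names and the (pattern, action) rule layout are assumptions.
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (address pattern, action), e.g. ("*@example.com", "Allow")


def strip_brackets(address: str) -> str:
    """Remove the angle brackets an SMTP client puts around the path."""
    addr = address.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    return addr


def is_source_routed(address: str) -> bool:
    """RFC 821 source routes look like '@host1,@host2:user@domain'."""
    addr = strip_brackets(address)
    return addr.startswith("@") and ":" in addr


def final_address(address: str) -> str:
    """The mailbox after any source route is removed (assumes no ':' in quoted local parts)."""
    addr = strip_brackets(address)
    if is_source_routed(addr):
        addr = addr.split(":", 1)[1]
    return addr


def has_8bit_user_name(address: str) -> bool:
    """True if the user name (local part) has a character above 0x7F, such as an accented letter."""
    local, _, _ = final_address(address).rpartition("@")
    return any(ord(ch) > 0x7F for ch in local)


def match_address_rule(address: str, rules: List[Rule]) -> Optional[Rule]:
    """First rule whose pattern matches the final mailbox, case-insensitively."""
    addr = final_address(address).lower()
    for rule in rules:
        if fnmatchcase(addr, rule[0].lower()):
            return rule
    return None


def evaluate_rcpt_to(address: str, rules: List[Rule], block_source_routed: bool = True,
                     block_8bit: bool = True, default_action: str = "Deny") -> Tuple[str, str]:
    """Return (action, reason) the way an incoming Rcpt To ruleset would decide.
    The two check-box options are applied first; the default action is used
    when no rule in the list matches."""
    if block_source_routed and is_source_routed(address):
        return "Deny", "source-routed address"
    if block_8bit and has_8bit_user_name(address):
        return "Deny", "8-bit characters in user name"
    rule = match_address_rule(address, rules)
    if rule is None:
        return default_action, "no rule matched"
    return rule[1], f"matched {rule[0]}"


# Constructed relay-protection list for an incoming proxy action: the two
# patterns from the text; anything else falls through to the Deny default.
INCOMING_RCPT_RULES: List[Rule] = [
    ("*@example.com", "Allow"),
    ("*@*.example.com", "Allow"),
]

if __name__ == "__main__":
    # Constructed sample recipients, including the source-routed address from the text.
    for addr in ("alice@example.com", "bob@rnd.example.com", "carol@other.net",
                 "@backbone.com:freddyb@example.com", "jos\u00e9@example.com"):
        print(f"{addr:40} -> {evaluate_rcpt_to(addr, INCOMING_RCPT_RULES)}")
```

Note that *@example.com does not match bob@rnd.example.com, which is why the text adds the second pattern for subdomains; carol@other.net matches neither and is denied by the default action, which is the relay protection.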
About the TCP-UDP-Proxy
The TCP-UDP-proxy is a low precedence policy that allows all outbound TCP and UDP traffic from
networks protected by your XTM device. If you remove the Outgoing policy, and do not want to add a
separate policy for each type of traffic you want to allow out through your firewall, you can add the
TCP-UDP-proxy. This policy only allows outbound TCP and UDP traffic, but it also monitors that
traffic for HTTP, HTTPS, SIP, and FTP packets sent on non-standard ports. For the HTTP, HTTPS,
SIP, and FTP protocols, the TCP-UDP-proxy relays the traffic to the correct proxy for each protocol.
To add the TCP-UDP-proxy to your XTM device configuration, see Add a Proxy Policy to Your
Configuration on page 640.
If you must change the proxy definition, from the Firewall Policies / Edit page, you can modify the
definition. This page is separated into several tabs: Settings, Application Control, Traffic
Management, Proxy Action, Scheduling, and Advanced.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
• Connections are - Specify whether connections are Allowed, Denied, or Denied (send
reset) and define who appears in the From and To list (on the Policy tab of the proxy definition).
See Set Access Rules for a Policy on page 629.
• Use policy-based routing - See Configure Policy-Based Routing on page 631.
• You can also configure static NAT or configure server load balancing. See Configure Static
NAT on page 271 and Configure Server Load Balancing on page 275.
• To define the logging settings for the policy, configure the settings in the Logging section.
For more information, see Set Logging and Notification Preferences on page 882.
• If you set the Connections are drop-down list to Denied or Denied (send reset), you can
block sites that try to use TCP-UDP.
For more information, see Block Sites Temporarily with Policy Settings on page 852.
• To change the idle timeout that is set by the XTM device or authentication server, see Set a
Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to
use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action in v11.8.x and Lower and Add a Traffic Management Action to
a Policy on page 828.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action in v11.8.x and Lower on page 827.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 643.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 643.
3. Click Save.
For the TCP-UDP-proxy, you can configure the general settings for a proxy action. For more
information, see TCP-UDP-Proxy: General Settings.
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 623.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
• Apply NAT Rules on page 636
• Set the Sticky Connection Duration for a Policy on page 636
• Set ICMP Error Handling on page 636
• Enable QoS Marking or Prioritization Settings for a Policy on page 810
TCP-UDP-Proxy: General Settings
On the Edit page for a TCP-UDP proxy action, in the Proxy Action settings, you set basic parameters
for the TCP-UDP-proxy.
Proxy actions to redirect traffic
The TCP-UDP-proxy can pass HTTP, HTTPS, SIP, and FTP traffic to proxy policies that you
have already created when this traffic is sent over non-standard ports.
For each of these protocols, from the adjacent drop-down list, select the proxy policy to use to
manage this traffic.
If you do not want your XTM device to use a proxy policy to filter a protocol, select Allow or
Deny from the adjacent drop-down list.
To ensure that your XTM device operates correctly, you cannot select the Allow
option for the FTP protocol.
Enable logging for reports
To send a log message for each connection request through the TCP-UDP-proxy, select this
check box. To create accurate reports on TCP-UDP traffic, you must select this check box.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
• Error
• Warning
• Information
• Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page
878.
14
Traffic Management and QoS
About Traffic Management and QoS
In a network with many computers, the volume of data that moves through the firewall can be very
large. You can use Traffic Management and Quality of Service (QoS) actions to prevent data loss for
important business applications, and to make sure mission-critical applications take priority over other
traffic.
Traffic Management and QoS provide a number of benefits. You can:
• Guarantee or limit bandwidth
• Control the rate at which the XTM device sends packets to the network
• Prioritize when to send packets to the network
To apply traffic management to policies, you define a Traffic Management Action. A Traffic
Management Action is a collection of settings that you can apply to one or more policy definitions. You
do not need to configure the traffic management settings separately in each policy. If you use
Application Control, you can also apply Traffic Management Actions to specific applications and
application categories. You can define additional Traffic Management Actions if you want to apply
different settings to different policies or applications.
Enable Traffic Management and QoS
For performance reasons, all Traffic Management and QoS features are disabled by default. You must
enable these features in Global Settings before you can use them.
1. Select System > Global Settings.
The Global Settings page appears.
2. Select the Networking tab.
3. Select the Enable all traffic management and QoS features check box.
4. Click Save.
OS Compatibility
The available Traffic Management configuration options depend on the version of Fireware XTM OS
your device uses.
For more information, see:
• About Traffic Management in Fireware XTM v11.9 and Higher
• About Traffic Management in Fireware XTM v11.8.x and Lower
Guarantee Bandwidth
Bandwidth reservations can prevent connection timeouts. A traffic management queue with reserved
bandwidth and low priority can give bandwidth to real-time applications with higher priority when
necessary without disconnecting. Other traffic management queues can take advantage of unused
reserved bandwidth when it becomes available.
The Guaranteed Bandwidth setting in a Traffic Management Action enables you to set a minimum
bandwidth that you want to allocate to traffic controlled by the Traffic Management Action.
For example, suppose your company has an FTP server on the external network and you want to
guarantee that FTP uploads always get at least 200 Kilobytes per second (Kbps) through the external
interface. You might also want to set a guaranteed bandwidth for FTP downloads to make sure that the
connection has end-to-end guaranteed bandwidth. To do this, you create a Traffic Management Action
that guarantees a minimum of 200 Kbps, and then use this as the Forward action in the FTP policy that
handles traffic from the trusted network to the external network. This will allow ftp put at 200 Kbps. If
you want to allow ftp get at 200 Kbps, you must configure a second Traffic Management Action that
guarantees 200 Kbps and use it as the Reverse action in the FTP policy. To separately guarantee
traffic in each direction you must use two different Traffic Management Actions, because if a policy
uses the same Traffic Management Action for forward and reverse traffic, the action applies to the
combined bandwidth of traffic in both directions.
Restrict Bandwidth
To preserve the bandwidth that is available for other applications, you can restrict the amount of
bandwidth for certain traffic types or applications. A bandwidth restriction can discourage the use of
certain applications when users find that the speed of the application's performance is significantly
degraded.
The Maximum Bandwidth setting in a Traffic Management Action enables you to set a limit on the
amount of traffic allowed by the Traffic Management Action.
For example, suppose that you want to allow FTP downloads but you want to limit the speed at which
users can download files. You can add a Traffic Management Action that has the Maximum Bandwidth
set to a low amount, such as 100 Kbps. Then you can use this as the Reverse Action in the Traffic
Management settings in the outbound FTP policy. This can help discourage large FTP downloads
when users on the trusted network find the FTP experience is unsatisfactory.
QoS Marking
QoS marking creates different types of service for different kinds of outbound network traffic. When
you mark traffic, you change up to six bits on packet header fields defined for this purpose. Other
devices can make use of this marking and provide appropriate handling of a packet as it travels from
one point to another in a network.
You can enable QoS marking for an individual interface or an individual policy. When you define QoS
marking for an interface, each packet that leaves the interface is marked. When you define QoS
marking for a policy, all traffic that uses that policy is also marked.
Traffic priority
You can assign different levels of priority either to policies or to traffic on a particular interface. Traffic
prioritization at the firewall allows you to manage multiple type of service (ToS) queues and reserve the
highest priority for real-time or streaming data. A policy with high priority can take bandwidth away from
existing low priority connections when the link is congested and traffic must compete for bandwidth.
Set Outgoing Interface Bandwidth
Some traffic management features require that you set a bandwidth limit for each network interface.
For example, you must configure the Outgoing Interface Bandwidth setting to use QoS marking and
prioritization.
After you set this limit, your XTM device completes basic prioritization tasks on network traffic to
prevent problems with too much traffic on the specified interface. Also, a warning appears in Fireware
XTM Web UI if you allocate too much bandwidth as you create or adjust traffic management actions.
If you do not change the Outgoing Interface Bandwidth setting for any interface from the default
value of 0, it is set to the auto-negotiated link speed for that interface.
1. Select Firewall > Traffic Management.
The Traffic Management page appears.
2. Select the Interfaces tab.
3. Click the Bandwidth column adjacent to the interface name.
4. Type the amount of bandwidth provided by the network.
Use your Internet connection upload speed in kilobits or megabits per second (Kbps or Mbps).
Set your LAN interface bandwidth based on the current or maximum link speed supported by the
devices in your LAN.
5. To change the speed unit, select an interface in the list, then click the adjacent speed unit and
select a different option in the drop-down list.
6. Click Save.
Set Connection Rate Limits
To improve network security, you can create a limit on a policy so that it only filters a specified number
of connections per second. If additional connections are attempted, the traffic is denied and a log
message is created.
1. Select Firewall > Firewall Policies or Firewall > Mobile VPN Policies.
The Policies page appears.
2. Click the name of the policy you want to edit.
3. Select the Advanced tab.
4. Select the Specify Connection Rate check box.
5. In the adjacent text box, type or select the number of connections that this policy can process in
one second.
6. Click Save.
About QoS Marking
Today's networks often consist of many kinds of network traffic that compete for bandwidth. All traffic,
whether of prime importance or negligible importance, has an equal chance of reaching its destination
in a timely manner. Quality of Service (QoS) marking gives critical traffic preferential treatment to make
sure it is delivered quickly and reliably.
QoS functionality must be able to differentiate the various types of data streams that flow across your
network. It must then mark data packets. QoS marking creates different classifications of service for
different kinds of network traffic. When you mark traffic, you change up to six bits on packet header
fields defined for this purpose. The XTM device and other QoS-capable devices can use this marking
to provide appropriate handling of a packet as it travels from one point to another in a network.
Fireware XTM supports two types of QoS marking: IP Precedence marking (also known as Type of
Service) and Differentiated Service Code Point (DSCP) marking.
Before You Begin
• Make sure your LAN equipment supports QoS marking and handling. You may also need to
make sure your ISP supports QoS.
• The use of QoS procedures on a network requires extensive planning. You can first identify the
theoretical bandwidth available and then determine which network applications are high priority,
particularly sensitive to latency and jitter, or both.
QoS Marking for Interfaces and Policies
You can enable QoS marking for an individual interface or an individual policy. When you define QoS
marking for an interface, each packet that leaves the interface is marked. When you define QoS
marking for a policy, all traffic that uses that policy is also marked. The QoS marking for a policy
overrides any QoS marking set on an interface.
For example, suppose your XTM device receives QoS-marked traffic from a trusted network and sends
it to an external network. The trusted network already has QoS marking applied, but you want the
traffic to your executive team to be given higher priority than other network traffic from the trusted
interface. First, set the QoS marking for the trusted interface to one value. Then, add a policy with QoS
marking set for the traffic to your executive team with a higher value.
QoS Marking and IPSec Traffic
If you want to apply QoS to IPsec traffic, you must create a specific firewall policy for the
corresponding IPsec policy and apply QoS marking to that policy.
You can also choose whether to preserve existing marking when a marked packet is encapsulated in
an IPSec header.
To preserve marking:
1. Select VPN > Global Settings.
The Global VPN Settings page appears.
2. Select the Enable TOS for IPSec check box.
3. Click Save.
All existing marking is preserved when the packet is encapsulated in an IPSec header.
To remove marking:
1. Select VPN > Global Settings.
The Global VPN Settings page appears.
2. Clear the Enable TOS for IPSec check box.
3. Click Save.
The TOS bits are reset and marking is not preserved.
Enable QoS Marking for an Interface
You can set the default marking behavior as traffic goes out of an interface. These settings can be
overridden by settings defined for a policy.
Before you can enable QoS marking for an interface, you must enable Traffic Management in the global
settings.
For more information, see About Traffic Management and QoS.
To enable QoS marking for an interface:
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select the interface for which you want to enable QoS Marking. Click Edit.
The Interface Configuration page appears.
3. Click Advanced.
6. In the Marking Type drop-down list, select either DSCP or IP Precedence.
7. In the Marking Method drop-down list, select the marking method:
• Preserve: Do not change the current value of the bit. The XTM device prioritizes the traffic
based on this value.
• Assign: Assign the bit a new value.
8. If you selected Assign in the previous step, select a marking value.
If you selected the IP precedence marking type, you can select values from 0 (normal priority)
through 7 (highest priority).
If you selected the DSCP marking type, the values are 0 through 56.
9. Select the Prioritize traffic based on QoS Marking check box.
10. Click Save.
Enable QoS Marking or Prioritization Settings for a Policy
In addition to marking the traffic that leaves an XTM device interface, you can also mark traffic on a per-
policy basis. The marking action you select is applied to all traffic that uses the policy. Multiple policies
that use the same marking actions have no effect on each other. XTM device interfaces can also have
their own QoS Marking settings. To use QoS Marking or prioritization settings for a policy, you must
override any per-interface QoS Marking settings.
1. Select Firewall > Firewall Policies or Firewall > Mobile VPN Policies.
The Policies page appears.
2. Click the name of the policy you want to edit.
3. Select the Advanced tab.
4. To enable the other QoS and prioritization options, select the Override per-interface settings
check box.
5. Complete the settings as described in the subsequent sections.
6. Click Save.
QoS Marking Settings
1. From the Marking Type drop-down list, select either DSCP or IP Precedence.
2. From the Marking Method drop-down list, select the marking method:
• Preserve: Do not change the current value of the bit. The XTM device prioritizes the
traffic based on this value.
• Assign: Assign the bit a new value.
3. If you selected Assign in the previous step, select a marking value.
If you selected the IP precedence marking type, you can select values from 0 (normal priority)
through 7 (highest priority).
If you selected the DSCP marking type, the values are 0 through 56.
4. From the Prioritize Traffic Based On drop-down list, select QoS Marking.
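The interface and policy marking steps above, the rule that policy marking overrides interface marking, and the Enable TOS for IPSec setting, worked as an added Python example; this is not WatchGuard code. The QoSMarking class, the function names, and the bit layout of the ToS byte (DSCP in the upper six bits, IP Precedence in the upper three, ECN in the low two) are my own assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Layout of the IPv4 ToS/DS byte assumed here: the upper six bits carry the DSCP,
# the upper three of those are the IP Precedence, and the low two bits are ECN,
# which marking leaves untouched.
DSCP_SHIFT = 2
DSCP_MASK = 0x3F << DSCP_SHIFT   # 0xFC
PREC_SHIFT = 5
PREC_MASK = 0x07 << PREC_SHIFT   # 0xE0
# Value ranges from the guide: IP Precedence 0..7, DSCP 0..56.
VALUE_LIMIT = {"IP Precedence": 7, "DSCP": 56}


@dataclass(frozen=True)
class QoSMarking:
    """One Marking Type / Marking Method / value setting, as configured on an
    interface or on a policy that overrides per-interface settings."""
    marking_type: str              # "DSCP" or "IP Precedence"
    method: str                    # "Preserve" or "Assign"
    value: Optional[int] = None    # only used when method is "Assign"

    def __post_init__(self) -> None:
        if self.marking_type not in VALUE_LIMIT:
            raise ValueError("marking type must be DSCP or IP Precedence")
        if self.method not in ("Preserve", "Assign"):
            raise ValueError("marking method must be Preserve or Assign")
        if self.method == "Assign":
            limit = VALUE_LIMIT[self.marking_type]
            if self.value is None or not 0 <= self.value <= limit:
                raise ValueError(f"{self.marking_type} value must be 0..{limit}")

    def apply(self, tos: int) -> int:
        """Return the ToS byte of a packet after this marking is applied."""
        if self.method == "Preserve":
            return tos                      # keep the bits as they arrived
        if self.marking_type == "DSCP":
            return (tos & ~DSCP_MASK & 0xFF) | (self.value << DSCP_SHIFT)
        return (tos & ~PREC_MASK & 0xFF) | (self.value << PREC_SHIFT)


def dscp_of(tos: int) -> int:
    """DSCP carried in a ToS byte (what a downstream QoS device reads)."""
    return (tos & DSCP_MASK) >> DSCP_SHIFT


def precedence_of(tos: int) -> int:
    """IP Precedence carried in a ToS byte."""
    return (tos & PREC_MASK) >> PREC_SHIFT


def mark_packet(tos: int, interface: QoSMarking,
                policy: Optional[QoSMarking] = None) -> int:
    """Marking for a policy that overrides per-interface settings wins;
    otherwise the interface's default marking applies to the packet."""
    chosen = policy if policy is not None else interface
    return chosen.apply(tos)


def ipsec_outer_tos(inner_tos: int, enable_tos_for_ipsec: bool) -> int:
    """ToS byte placed on the IPSec header: existing marking is preserved when
    'Enable TOS for IPSec' is selected, otherwise the bits are reset (0 assumed)."""
    return inner_tos if enable_tos_for_ipsec else 0


if __name__ == "__main__":
    # Constructed scenario from the guide: trusted interface marks everything with
    # IP Precedence 1; the executive-team policy overrides with DSCP 46 (a higher
    # precedence, 5); a third policy preserves whatever marking arrived.
    trusted_iface = QoSMarking("IP Precedence", "Assign", 1)
    exec_policy = QoSMarking("DSCP", "Assign", 46)
    print(hex(mark_packet(0x00, trusted_iface)))               # 0x20
    print(hex(mark_packet(0x00, trusted_iface, exec_policy)))  # 0xb8
    print(precedence_of(mark_packet(0x00, trusted_iface, exec_policy)))  # 5
```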
Prioritization Settings
Many different algorithms can be used to prioritize network traffic. Fireware XTM uses the strict priority
queuing method to prioritize traffic through your XTM device. Prioritization in Fireware XTM is applied
per policy and is equivalent to CoS (class of service) levels 0 through 7, where 0 is normal priority (default)
and 7 is the highest priority. Level 5 is commonly used for streaming data such as VoIP or video
conferencing. Reserve levels 6 and 7 for policies that allow system administration connections to
make sure they are always available and avoid interference from other high priority network traffic. Use
the Priority Levels table as a guideline when you assign priorities.
1. From the Prioritize Traffic Based On drop-down list, select Custom Value.
2. From the Value drop-down list, select a priority level.
Priority Levels
We recommend that you assign a priority higher than 5 only to network administration policies, such as
the WatchGuard policy or the WG-Mgmt-Server policy. Give high priority business traffic a priority of 5
or lower.
Priority Description
0 Routine (HTTP, FTP)
1 Priority
2 Immediate (DNS)
3 Flash (Telnet, SSH, RDP)
4 Flash Override
5 Critical (VoIP)
6 Internetwork Control (Remote router configuration)
7 Network Control (Firewall, router, switch management)
Get Started with Traffic Management
Traffic Management enables you to set the maximum bandwidth available for different types of traffic,
and to guarantee a minimum amount of bandwidth for specific traffic flows. Both the maximum
bandwidth and guaranteed bandwidth apply only if the necessary bandwidth is available through the
interface that handles the traffic.
Before you implement Traffic Management, you must determine the available bandwidth, and decide
how much bandwidth you want to guarantee or limit for different types of network traffic.
Determine Available Bandwidth
To plan your traffic management implementation, you must know the available bandwidth of the
interface used for the policy or policies you want to guarantee bandwidth. For external interfaces, you
can contact your ISP (Internet Service Provider) to verify the service level agreement for bandwidth.
You can then use a speed test with online tools to verify this value. These tools can produce different
values depending on a number of variables. For other interfaces, you can assume the link speed on the
XTM device interface is the theoretical maximum bandwidth for that network. You must also consider
both the sending and receiving needs of an interface and set the threshold value based on these needs.
If your Internet connection is asymmetric, use the uplink bandwidth set by your ISP as the threshold
value.
Determine the Sum of Your Bandwidth
You must also determine the sum of the bandwidth you want to guarantee for all policies or applications
on a given interface. For example, on a 1500 Kbps external interface, you might want to reserve 600
Kbps for all the guaranteed bandwidth and use the remaining 900 Kbps for all other traffic.
Traffic Management and OS Compatibility
Traffic Management functions differently for different versions of Fireware XTM OS. Make sure you
understand how it works for the version you use. For more information about how Traffic Management
functions in each version of Fireware XTM OS, see:
• About Traffic Management in Fireware XTM v11.9 and Higher
• About Traffic Management in Fireware XTM v11.8.x and Lower
About Traffic Management in Fireware XTM v11.9 and Higher
In Fireware XTM v11.9 and higher, Traffic Management works differently than in previous versions.
• There are three Traffic Management Action types:
◦ All Policies: the action settings apply to the combined bandwidth of all policies that use
the action.
◦ Per Policy: the action settings apply individually to each policy that uses the action.
◦ Per IP Address: the action settings apply individually to each source IP address for any
policy that uses the action.
• Traffic Management Actions are not tied to a specific XTM device interface.
• You can assign separate Traffic Management Actions for forward and reverse traffic handled by
a policy.
• You can apply Traffic Management Actions to applications and application categories, in
addition to policies.
• The Traffic Management System Status page in the Fireware XTM Web UI shows detailed
traffic management statistics.
If you upgrade a device from Fireware XTM OS v11.8.x or lower to Fireware
XTM v11.9, any existing Traffic Management Actions are removed from the
configuration. You must reconfigure Traffic Management after the upgrade.
The maximum number of configurable Traffic Management Actions depends on the device model.
• XTM 2 Series, XTM 3 Series, Firebox T10: 100
• XTM 5 Series, XTM 8 Series, XTMv: 300
• XTM 800 Series and higher: 500
For information about how to configure and monitor Traffic Management in Fireware XTM v11.9 or
higher, see:
• Define a Traffic Management Action in v11.9
• Add Traffic Management Actions to a Policy
• Use Traffic Management with Application Control
• Monitor Bandwidth by Traffic Management Action
Define a Traffic Management Action in v11.9
Traffic Management enables you to set the maximum bandwidth available for different types of traffic,
and to guarantee a minimum amount of bandwidth for specific traffic flows. Both the maximum
bandwidth and guaranteed bandwidth apply only if the necessary bandwidth is available through the
interface that handles the traffic.
Traffic Management configuration is very flexible, and enables you to control traffic by policy,
application, traffic direction, and source IP address. For example, you can use Traffic Management
Actions to:
• Limit bandwidth for HTTP for all users on the trusted interface to the Internet
• Guarantee a specific user 10 Mbps bandwidth for HTTP traffic
• Guarantee bandwidth for a specific application
• Limit bandwidth used by specific applications or application categories
• Limit the bandwidth for a group
• Limit the bandwidth used for FTP per source IP address
Before you implement Traffic Management, you must know the available bandwidth, and decide how
much bandwidth you want to guarantee or limit for different types of network traffic. For more
information, see Get Started with Traffic Management.
In the Traffic Management settings, 1 Kbps is equal to 1024 bits per second.
Traffic Management Action Types
The Traffic Management action type determines how the action is applied. There are three Traffic
Management action types:
All Policies
An All Policies action applies to the combined bandwidth of all policies that use it. If you create
an All Policies Traffic Management Action to set a maximum bandwidth of 10 Mbps and apply it
to an FTP and an HTTP policy, all connections handled by those policies share the 10 Mbps
bandwidth maximum.
Per Policy
A Per Policy action applies individually to each policy that uses it. If you create a Per Policy
Traffic Management Action to set a maximum bandwidth of 10 Mbps and apply it to an FTP and
an HTTP policy, connections handled by each of those policies can use a maximum of 10 Mbps.
Per IP Address
A Per IP Address action applies individually to each source IP address for all policies that use
the action. If you create a Per IP Address Traffic Management Action to set a maximum
bandwidth of 10 Mbps and apply it to an FTP and an HTTP policy, the connections from each
source IP address handled by those policies can use a maximum of 10 Mbps.
For a Per IP Address action, you set the Maximum Instance, which is the maximum number of
source IP addresses that the action can apply to. If the number of source IP addresses exceeds
the Maximum Instance, some source IP addresses begin to share the bandwidth settings in the
action.
When the number of concurrent source IP addresses that use a Traffic Management Action
exceeds the Maximum Instance for the action, a round-robin algorithm determines which source
IP addresses share bandwidth. Recently connected source IP addresses share bandwidth with
client IP addresses that have been connected longest. For example, if a Per IP Address action
has a Maximum Instance of 10, the eleventh source IP address shares bandwidth with the first
source IP address that used the action, the twelfth source IP address shares bandwidth with
the second source IP address that used the action, and so on.
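The three action types above, the Maximum Instance round-robin sharing, and the sum-of-guarantees planning step from Determine the Sum of Your Bandwidth, as an added Python model; this is not WatchGuard code. The TrafficManagementAction class, the bucket and reservation functions, and the worst-case counting of every Per IP Address instance as reserved are my own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

KBPS = 1024  # in Traffic Management settings, 1 Kbps is 1024 bits per second

ACTION_TYPES = ("All Policies", "Per Policy", "Per IP Address")


@dataclass
class TrafficManagementAction:
    """Hypothetical model of one Traffic Management Action in v11.9."""
    name: str
    action_type: str
    max_kbps: int                 # Maximum Bandwidth
    guaranteed_kbps: int = 0      # Guaranteed Bandwidth
    max_instance: int = 1         # Maximum Instance (Per IP Address only)
    seen_ips: List[str] = field(default_factory=list)  # source IPs in first-use order

    def __post_init__(self) -> None:
        if self.action_type not in ACTION_TYPES:
            raise ValueError(f"unknown action type {self.action_type!r}")
        if self.max_instance < 1:
            raise ValueError("Maximum Instance must be at least 1")

    def instance_for(self, src_ip: str) -> int:
        """Per IP Address only: the first Maximum Instance source IPs each get
        their own instance; later ones share round-robin with the earliest, so
        with Maximum Instance 10 the eleventh IP shares with the first."""
        if self.action_type != "Per IP Address":
            raise ValueError("instances exist only for Per IP Address actions")
        if src_ip not in self.seen_ips:
            self.seen_ips.append(src_ip)
        return self.seen_ips.index(src_ip) % self.max_instance

    def sharing_groups(self) -> Dict[int, List[str]]:
        """Which source IPs currently share each instance's bandwidth settings."""
        groups: Dict[int, List[str]] = {}
        for ip in self.seen_ips:
            groups.setdefault(self.instance_for(ip), []).append(ip)
        return groups


def bucket_key(action: TrafficManagementAction, policy: str, src_ip: str) -> Tuple:
    """Connections with the same key compete for one copy of the action's
    maximum and guaranteed bandwidth, as each action type defines."""
    if action.action_type == "All Policies":
        return (action.name,)
    if action.action_type == "Per Policy":
        return (action.name, policy)
    return (action.name, action.instance_for(src_ip))


def reserved_kbps(policies: Dict[str, List[TrafficManagementAction]]) -> int:
    """Sum of guaranteed bandwidth reserved on one interface by the actions its
    policies use. Assumption not stated in the guide: a Per IP Address action is
    counted once per instance, the worst case with every instance active."""
    buckets: Dict[Tuple, int] = {}
    for policy, actions in policies.items():
        for a in actions:
            if a.action_type == "Per IP Address":
                for i in range(a.max_instance):
                    buckets[(a.name, i)] = a.guaranteed_kbps
            else:
                buckets[bucket_key(a, policy, "")] = a.guaranteed_kbps
    return sum(buckets.values())


def check_reservation(policies: Dict[str, List[TrafficManagementAction]],
                      outgoing_interface_kbps: int) -> Optional[str]:
    """Planning check in the spirit of the Web UI over-allocation warning: None
    when the guarantees fit in the Outgoing Interface Bandwidth, else a message."""
    reserved = reserved_kbps(policies)
    if reserved > outgoing_interface_kbps:
        return (f"guaranteed {reserved} Kbps ({reserved * KBPS} bit/s) exceeds "
                f"interface bandwidth of {outgoing_interface_kbps} Kbps")
    return None


if __name__ == "__main__":
    # Constructed example on a 1500 Kbps external interface (values from the guide).
    shared = TrafficManagementAction("Web-Shared", "All Policies", 10240, 300)
    ftp_up = TrafficManagementAction("FTP-Up", "Per Policy", 1000, 200)
    per_ip = TrafficManagementAction("FTP-PerIP", "Per IP Address", 100, 50, max_instance=10)
    for i in range(1, 13):
        per_ip.instance_for(f"10.0.0.{i}")
    print(per_ip.sharing_groups()[0])   # ['10.0.0.1', '10.0.0.11']
    plan = {"HTTP": [shared], "FTP": [shared, ftp_up], "SMTP": [ftp_up], "FTP-DL": [per_ip]}
    print(reserved_kbps(plan), check_reservation(plan, 1500))  # 1200 None
```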
Create or Modify a Traffic Management Action
To configure a Traffic Management Action:
1. Select Firewall > Traffic Management.
The Traffic Management page appears.
2. Select the Enable Traffic Management check box to enable Traffic Management.
3. Click Add to create a new Traffic Management Action.
Or, select an action and click Edit.
The Traffic Management Action Settings page appears.
4. Type a Name and a Description (optional) for the action. You use the action name to refer to
the action when you assign it to a policy.
5. From the Type drop-down list, select the action type.
6. In the Maximum Bandwidth text box and the adjacent drop-down list, specify the maximum
bandwidth to allocate for traffic managed by this action.
7. In the Guaranteed Bandwidth text box and the adjacent drop-down list, specify the minimum
bandwidth you would like to guarantee for traffic managed by this action.
8. If this is a Per IP Address action, in the Maximum Instance text box, type the number of
source IP addresses that can have separate bandwidth constraints.
9. Click Save.
After you add a Traffic Management Action, you can apply it to policies and applications.
Add Traffic Management Actions to a Policy
You can use Traffic Management Actions to control traffic handled by each policy. In each policy, you
can configure two Traffic Management Actions:
Forward action
The Forward action applies to traffic that originates from IP addresses in the From list
configured in the policy (the source) to IP addresses in the To list (the destination).
Reverse action
The Reverse action applies to traffic that originates from IP addresses in the To list configured
in the policy (the destination) to IP addresses in the policy From list (the source).
If the Reverse action is a Per IP Address action, the action controls the bandwidth for traffic
received per IP address in the From list. For example, in an FTP policy that handles traffic from
Trusted to External, a Per IP Address action used as the Reverse action controls the FTP
download speed for each source IP address on the Trusted network.
You can select a Forward action, a Reverse action, or both. If you configure a policy to use the same
Traffic Management Action as the Forward and Reverse action, the bandwidth settings in the Traffic
Management Action apply to the combined bandwidth of traffic in both directions.
To enable Traffic Management in policies:
1. Select Firewall > Traffic Management.
The Traffic Management page appears.
2. To set the Forward Traffic Management Action:
• In the Traffic Management Policies list, select one or more policies.
• From the Select Forward Action drop-down list, select the action to apply to forward
traffic.
The Forward action for the selected policies is changed to the action you selected.
3. To set the Reverse Traffic Management Action:
• In the Traffic Management Policies list, select one or more policies.
• From the Select Reverse Action drop-down list, select the action to apply to reverse
traffic.
The Reverse Action for the selected policies is set to the action you selected.
4. Click Save.
You can also set the Traffic Management Actions when you edit a policy:
1. Select Firewall >Firewall Policies.
2. Add or edit a policy.
3. Select the Traffic Management tab.
4. From the Forward Action (From > To) drop-down list, select an existing Traffic Management
Action to use for forward traffic.
Or, click Add to add a new Traffic Management Action for forward traffic.
Or, click Edit to edit the selected Traffic Management Action.
If you click Add or Edit, the Traffic Management Action Settings dialog box appears.
For information about Traffic Management Action settings, see Define a Traffic Management
Action in v11.9.
5. From the Reverse Action (To > From) drop-down list, select an existing Traffic Management
Action to use for reverse traffic.
Or, click Add to add a new Traffic Management Action for reverse traffic.
Or, click Edit to edit the selected Traffic Management Action.
If you click Add or Edit, the Traffic Management Action Settings dialog box appears.
6. Click Save.
When you use the same Traffic Management Action for multiple policies, the maximum and minimum
bandwidth apply to traffic in the policies differently based on whether the action type is All Policies, Per
Policy, or Per IP Address. For more information, see Define a Traffic Management Action in v11.9.
You can also set connection rate limits for a policy on the Advanced tab. For more information, see
Set Connection Rate Limits on page 808.
Use Traffic Management with Application Control
You can use Application Control with Traffic Management to control bandwidth used by applications or
application categories. When you use Traffic Management in Application Control, the application traffic
is allowed, but is subject to the bandwidth settings in the Traffic Management action. If you apply a
Traffic Management action to an application category, the bandwidth settings are shared for all
applications in the category.
Traffic Management Actions in Application Control apply to application traffic in both directions for all
policies that use the Traffic Management Action.
The way that Traffic Management Actions apply to application traffic depends on the type of Traffic
Management Action.
All Policies
If you use an All Policies Traffic Management Action for an application or application category,
the bandwidth settings apply to the combined Forward and Reverse application traffic for all
policies that use it. If applied to an application category, the Traffic Management Action applies
to the total bandwidth used by all applications in the category for all policies.
Per Policy
If you use a Per Policy Traffic Management Action for an application or application category, the
bandwidth settings apply to the combined Forward and Reverse application traffic for each
policy that uses it. If applied to an application category, the Traffic Management Action applies
to the total bandwidth used by all applications in the category for each policy.
Per IP Address
If you use a Per IP Address Traffic Management Action for an application or application
category, the bandwidth settings apply to the combined Forward and Reverse application traffic
for each IP address that uses the application. If applied to an application category, the Traffic
Management Action applies to the total bandwidth used by each IP address for all applications
in the category for all policies.
To use Traffic Management Actions in Application Control, the device must use
Fireware XTM v11.9 or higher.
Before you can use Traffic Management with Application Control, you must first create the Traffic
Management Action. For more information, see Define a Traffic Management Action in v11.9.
To use a Traffic Management Action for an application:
1. Create or edit an Application Control Action. For more information, see Configure Application
Control Actions.
2. Select the application you want to control.
3. Click Edit.
4. Set the action for all behaviors or specific behaviors to Allow.
5. Select the Traffic Management check box.
6. From the adjacent drop-down list, select the Traffic Management action to use for allowed traffic
for this application.
To use a Traffic Management Action for an application category:
1. Create or edit an Application Control Action. For more information, see Define a Traffic
Management Action in v11.9.
2. On the Application Control Action Settings page, click Select by Categories.
The Actions by Category dialog box appears.
3. From the drop-down list for the application category, select the Traffic Management Action to
use for this application category.
After you configure an Application Control Action to use Traffic Management, make sure that
you enable policies that handle traffic for the applications to use the Application Control Action. For
more information, see Configure Application Control for Policies.
Monitor Bandwidth by Traffic Management Action
To see the bandwidth statistics for traffic managed by each Traffic Management Action, go to the
Traffic Management System Status page. Here, you can see which policies and applications use each
action, and bandwidth statistics, such as the current bandwidth usage as a percentage of the
configured maximum for the Traffic Management Action.
To see the Traffic Management statistics:
1. Select System Status > Traffic Management.
The Traffic Management status page appears.
The table at the bottom provides a quick summary of current traffic statistics for the configured
Traffic Management Actions.
• The Action column shows whether the action applies to traffic for one or more policies or
Application Control Actions.
• The Usage column shows how much of the maximum bandwidth is currently used. It is the
Rate divided by the Maximum.
• The Rate column shows the current data rate for the traffic handled by each action.
• The Bytes column shows the current number of bytes for traffic handled by each action.
• The Drop Rate column shows the historical drop rate for packets handled by each action.
The Drop Rate statistic is an average percentage of packets dropped for all traffic handled
by the Traffic Management Action since it was created or last modified, or since the last
time the device rebooted.
• The Minimum and Maximum columns show the Guaranteed Bandwidth and Maximum
Bandwidth configured for each action.
In Traffic Management statistics, 1 Kbps is equal to 1024 bits per second.
2. Select an action to see more information about it.
A dialog box shows a list of the policies and applications the action applies to, and the graph shows
the Rate for the selected action.
For each policy an action applies to, the dialog box shows:
Direction
The traffic direction the action applies to. It can be:
• Forward: The action is configured as the Forward Action in the policy.
• Reverse: The action is configured as the Reverse Action in the policy.
• Both: The action is configured as both the Forward Action and the Reverse Action in the
policy.
• None: The action is not configured as either the Forward Action or the Reverse Action,
but is used in the Application Control Action used by the policy. For applications, the action
applies to traffic in both directions.
Application Control Action Name
The name of the Application Control Action the policy uses, if the Application Control
Action uses the Traffic Management Action. Below the Application Control Action Name is
a list of applications the Traffic Management Action applies to. If the action is used for an
application category, the application name is shown as [All Applications] followed by the
application category name. For applications, the action applies to application traffic in both
directions.
3. For a Per IP Address Traffic Management Action, expand the action to see a list of client
instances and the bandwidth used by each instance. The number of instances is based on the
Maximum Instance configured in the action.
For more information about the Traffic Management System Status page, see Traffic Management.
About Traffic Management in Fireware XTM v11.8.x and Lower
Traffic Management functionality in Fireware XTM v11.8.x and lower works differently than in Fireware
XTM v11.9 and higher.
• Each Traffic Management action applies to outgoing traffic from a specific interface.
• Traffic Management Actions can apply only to policies.
• A Traffic Management Action applies to the combined bandwidth of all policies that use the
action.
For information about how to configure Traffic Management in Fireware XTM v11.8.x or lower, see:
• Define a Traffic Management Action in v11.8.x and Lower
• Add a Traffic Management Action to a Policy
Define a Traffic Management Action in v11.8.x and Lower
Traffic Management Actions can enforce bandwidth restrictions and guarantee a minimum amount of
bandwidth for one or more policies. Each Traffic Management Action can include settings for multiple
interfaces. For example, on a Traffic Management Action used with an HTTP policy for a small
organization, you can set the minimum guaranteed bandwidth of a trusted interface to 250 kbps and the
maximum bandwidth to 1000 kbps. This limits the speeds at which users can download files, but
makes sure that a small amount of bandwidth is always available for HTTP traffic. You can then set
the minimum guaranteed bandwidth of an external interface to 150 kbps and the maximum bandwidth
to 300 kbps to manage upload speeds at the same time.
Before you implement Traffic Management, you must know the available bandwidth, and decide how
much bandwidth you want to guarantee or limit for different types of network traffic. For more
information, see Get Started with Traffic Management.
Traffic Management Actions in Fireware XTM v11.8.x
For devices that run Fireware XTM v11.8.x and lower, all policies that use a given Traffic Management Action share its connection rate and bandwidth settings. When they are created, policies automatically belong to the default Traffic Management Action, which enforces no restrictions or reservations. If you create a Traffic Management Action to set a maximum bandwidth of 10 Mbps and apply it to an FTP and an HTTP policy, all connections handled by those policies must share 10 Mbps. If you later apply the same Traffic Management Action to an SMTP policy, all three must share 10 Mbps. This also applies to connection rate limits and guaranteed minimum bandwidth. Unused guaranteed bandwidth reserved by one Traffic Management Action can be used by others.
Create or Modify a Traffic Management Action
1. Select Firewall > Traffic Management.
The Traffic Management page appears.
2. Select the Enable Traffic Management check box to enable Traffic Management.
3. Click Add to create a new Traffic Management Action.
Or, select an action and click Configure.
4. Type a Name and a Description (optional) for the action. You use the action name to refer to the action when you assign it to a policy.
5. Click Add.
6. From the Interface drop-down list, select an interface.
7. In the Minimum text box, type or select the minimum bandwidth for that interface.
8. In the Maximum text box, type or select the maximum bandwidth for that interface.
9. Click OK.
10. Repeat Steps 4-7 to add traffic limits for additional interfaces.
11. To remove an interface from the Traffic Management Action, select it and click Remove.
12. Click Save.
You can now apply this Traffic Management Action to one or more policies.
Add a Traffic Management Action to a Policy
After you Define a Traffic Management Action in v11.8.x and Lower, you can add it to policy definitions. You can also add any existing traffic management actions to policy definitions.
1. Select Firewall > Traffic Management.
The Traffic Management page appears.
2. In the Traffic Management Policies list, select one or more policies.
3. In the Select action drop-down list, select the traffic management action to apply to the selected policies.
4. Click Save.
If you have a multi-WAN configuration, bandwidth limits are applied separately to each interface.
Add a Traffic Management Action to Multiple Policies
When the same traffic management action is added to multiple policies, the maximum and minimum bandwidth apply to each interface in your configuration. If two policies share an action that has a maximum bandwidth of 100 kbps on a single interface, then all traffic on that interface that matches those policies is limited to 100 kbps total.
If you have limited bandwidth on an interface used for several applications, each with unique ports, you might need all the high priority connections to share one traffic management action. If you have lots of bandwidth to spare, you could create separate traffic management actions for each application.
Traffic Management Examples
You can use different types of Traffic Management Actions to control the bandwidth used for different types of traffic, users, and applications. Here are a few examples of how you can configure Traffic Management with policies and Application Control.
Example 1: Set different bandwidth limits for HTTP upload and download
To set different limits for upload and download bandwidth, you can use two different Traffic Management Actions in the same policy. For example, to limit HTTP traffic for all users to 2 Mbps maximum download bandwidth and 1 Mbps maximum upload bandwidth:
1. Add a Per Policy Traffic Management Action with Maximum 1 Mbps.
2. Add a Per Policy Traffic Management Action with Maximum 2 Mbps.
3. Configure an HTTP policy for traffic From: Trusted, To: Any-External.
4. In the HTTP policy:
- Set the Forward Action to the action with the 1 Mbps maximum to limit uploads
- Set the Reverse Action to the action with the 2 Mbps maximum to limit downloads
Example 2: Guarantee bandwidth for a user
To guarantee bandwidth for a specific user, you can use a Per Policy Traffic Management Action in a policy for traffic from that user. For example, to guarantee 10 Mbps throughput for HTTP traffic for the user bsmith:
1. Add a Per Policy Traffic Management Action with 10 Mbps Guaranteed bandwidth.
2. Create an HTTP policy for traffic From: bsmith, To: Any-External.
3. Use the Traffic Management Action as both the Forward Action and Reverse Action in the HTTP policy.
Example 3: Set maximum and guaranteed bandwidth per client for specific users
You can use a Per IP Address Traffic Management Action in a policy to control the amount of bandwidth used by each client IP address, for traffic handled by that policy. For example, to set a guaranteed bandwidth of 500 Kbps and a maximum bandwidth of 2048 Kbps for User1, User2, and User3:
1. Add a Per IP Address Traffic Management Action with the Maximum bandwidth set to 2048 Kbps, and the Guaranteed bandwidth set to 500 Kbps.
2. Create a policy for traffic From: User1, User2, and User3, To: Any-External.
3. Configure the policy to use the Traffic Management Action as both the Forward and Reverse action.
Example 4: Limit or guarantee bandwidth used by an application
To guarantee or limit bandwidth used by specific applications, you can configure Application Control to use a Traffic Management Action, and then configure policies to use Application Control. For example, to limit the amount of bandwidth used for streaming media applications over HTTP:
1. Add a Traffic Management Action that limits bandwidth.
2. In Application Control, configure the Streaming Media application category to use the Traffic Management Action.
3. Configure the HTTP policy to use the Application Control Action.
Example 5: Limit overall bandwidth per client IP address, and limit bandwidth for specific applications
To enforce different bandwidth limits for specific applications, you can use different Traffic Management Actions in policies and in Application Control Actions for the same policy. For example, to limit HTTP bandwidth for a group to 2 Mbps per user in the group, and also limit the bandwidth used by streaming game applications to 100 Kbps per user:
1. Add a Per IP Address Traffic Management Action, TM.2M, with 2 Mbps Maximum bandwidth.
2. Create an HTTP policy for traffic from the group to Any-External.
3. Apply the Traffic Management Action TM.2M as the forward and reverse action in the HTTP policy.
4. Add a Per IP Address Traffic Management Action, TM.100K, with 100 Kbps Maximum bandwidth.
5. Use the TM.100K action for the Games application category in Application Control.
6. Enable the HTTP policy for the group to use the Application Control Action.
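The difference between a Per Policy action and a Per IP Address action in the examples above is where the Maximum is counted: once for all traffic the policy handles, or once per client IP address. The following added example (not WatchGuard code) models both with a token bucket and replays Example 3 with a 2048 Kbps Maximum for two clients that each offer far more than that. The token-bucket model, the one-second simulation, the packet size and the client addresses are assumptions; Guaranteed bandwidth is not modelled.

```python
"""Per Policy vs Per IP Address bandwidth limits, modelled with token buckets.

Added example, not WatchGuard code. Rates are in kbps as in the examples
above. The token-bucket behaviour (refill at the Maximum rate, at most one
second of credit, bucket starts empty) is an assumption.
"""
from collections import defaultdict

BYTES_PER_KBIT = 125   # 1 kbit = 1000 bits = 125 bytes


class TokenBucket:
    """Token bucket that refills at max_kbps and holds at most one second of credit."""

    def __init__(self, max_kbps):
        self.rate = max_kbps * BYTES_PER_KBIT   # bytes per second
        self.tokens = 0.0                        # starts empty: no initial burst (assumption)
        self.last = 0.0                          # time of the previous admit() call

    def admit(self, nbytes, now):
        """Admit nbytes at time `now` if the bucket holds enough credit."""
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


class PerPolicyAction:
    """Per Policy action: one Maximum shared by all traffic the policy handles."""

    def __init__(self, max_kbps):
        self.bucket = TokenBucket(max_kbps)

    def admit(self, client_ip, nbytes, now):
        return self.bucket.admit(nbytes, now)


class PerIpAddressAction:
    """Per IP Address action: a separate Maximum for each client IP address (instance)."""

    def __init__(self, max_kbps):
        self.max_kbps = max_kbps
        self.instances = {}      # client IP -> its own bucket

    def admit(self, client_ip, nbytes, now):
        if client_ip not in self.instances:
            self.instances[client_ip] = TokenBucket(self.max_kbps)
        return self.instances[client_ip].admit(nbytes, now)


def simulate(action, clients, packet_bytes=1500, steps=1000, step=0.001):
    """Each client offers one packet_bytes packet every `step` seconds for `steps` steps
    (12 Mbps per client with the defaults, far above the limit).
    Returns the number of bytes admitted per client."""
    admitted = defaultdict(int)
    for i in range(steps):
        now = i * step
        for ip in clients:
            if action.admit(ip, packet_bytes, now):
                admitted[ip] += packet_bytes
    return dict(admitted)


def example_3(clients=("10.0.1.10", "10.0.1.11")):
    """Example 3 above with a 2048 Kbps Maximum: Per Policy shares one limit between the
    clients, Per IP Address gives each client the full limit. Client addresses are constructed."""
    return {
        "per_policy": simulate(PerPolicyAction(2048), clients),
        "per_ip": simulate(PerIpAddressAction(2048), clients),
    }
```

With a 2048 Kbps Maximum (256,000 bytes per second) and 1500-byte packets, one second of simulation admits 170 packets, or 255,000 bytes: in total for the Per Policy action, but for each client with the Per IP Address action.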
15 Default Threat Protection
About Default Threat Protection
WatchGuard Fireware XTM OS and the policies you create give you strict control over access to your network. A strict access policy helps keep hackers out of your network. But, there are other types of attacks that a strict policy cannot defeat. Careful configuration of default threat protection options for the XTM device can stop threats such as SYN flood attacks, spoofing attacks, and port or address space probes.
With default threat protection, a firewall examines the source and destination of each packet it receives. It looks at the IP address and port number and monitors the packets to look for patterns that show your network is at risk. If a risk exists, you can configure the XTM device to automatically block a possible attack. This proactive method of intrusion detection and prevention keeps attackers out of your network.
To configure default threat protection, see:
- About Default Packet Handling Options
- About Blocked Sites
- About Blocked Ports
You can also purchase an upgrade for your XTM device to use signature-based intrusion prevention. For more information, see About Gateway AntiVirus on page 1369.
About Default Packet Handling Options
When your XTM device receives a packet, it examines the source and destination for the packet. It looks at the IP address and the port number. The device also monitors the packets to look for patterns that can show your network is at risk. This process is called default packet handling.
Default packet handling can:
- Reject a packet that could be a security risk, including packets that could be part of a spoofing attack or SYN flood attack
- Automatically block all traffic to and from an IP address
- Add an event to the log file
- Send an SNMP trap to the SNMP management server
- Send a notification of possible security risks
Most default packet handling options are enabled in the default XTM device configuration. You can use Fireware XTM Web UI to change the thresholds at which the XTM device takes action. You can also change the options selected for default packet handling.
The default packet handling options related to IPSec, IKE, ICMP, SYN, and UDP flood attacks apply to both IPv4 and IPv6 traffic. All other options apply only to IPv4 traffic.
Configure Default Packet Handling
1. Select Firewall > Default Packet Handling.
The Default Packet Handling page appears.
2. Select the check boxes for the traffic patterns you want to take action against, as explained in these topics:
- About Spoofing Attacks on page 836
- About IP Source Route Attacks on page 838
- About Port Space and Address Space Probes on page 840
- About Flood Attacks on page 842
- About Unhandled Packets on page 844
- About Distributed Denial-of-Service Attacks on page 847
About Spoofing Attacks
One method that attackers use to enter your network is to make an electronic false identity. This is an IP spoofing method that attackers use to send a TCP/IP packet with a different IP address than the computer that first sent it.
When anti-spoofing is enabled, the XTM device verifies that the source IP address of a packet is from a network on the specified interface.
The default configuration of the XTM device is to drop spoofing attacks. From Fireware XTM Web UI, you can change the settings for this feature:
1. Select Firewall > Default Packet Handling.
The Default Packet Handling page appears.
2. Select or clear the Drop Spoofing Attacks check box.
3. Click Save.
About IP Source Route Attacks
To find the route that packets take through your network, attackers use IP source route attacks. The attacker sends an IP packet and uses the response from your network to get information about the operating system of the target computer or network device.
The default configuration of the XTM device is to drop IP source route attacks. From Fireware XTM Web UI, you can change the settings for this feature.
1. Select Firewall > Default Packet Handling.
The Default Packet Handling page appears.
2. Select or clear the Drop IP Source Route check box.
3. Click Save.
About Port Space and Address Space Probes
Attackers frequently look for open ports as starting points to launch network attacks. A port space probe is TCP or UDP traffic that is sent to a range of ports. These ports can be in sequence or random, from 0 to 65535. An address space probe is TCP or UDP traffic that is sent to a range of network addresses. Port space probes examine a computer to find the services that it uses. Address space probes examine a network to see which network devices are on that network.
For more information about ports, see About Ports on page 10.
How the XTM Device Identifies Network Probes
An address space probe is identified when a computer sends a specified number of packets to different IP addresses assigned to an XTM device interface. To identify a port space probe, your XTM device counts the number of packets sent from one IP address to any XTM device interface IP address. The addresses can include the primary IP addresses and any secondary IP addresses configured on the interface. If the number of packets sent to different IP addresses or destination ports in one second is larger than the number you select, the source IP address is added to the Blocked Sites list.
When the Block Port Space Probes and Block Address Space Probes check boxes are selected, all incoming traffic on all interfaces is examined by the XTM device. You cannot disable these features for specified IP addresses, specified XTM device interfaces, or different time periods.
To Protect Against Port Space and Address Space Probes
The default configuration of the XTM device blocks network probes. You can use Fireware XTM Web UI to change the settings for this feature, and change the maximum allowed number of address or port probes per second for each source IP address (the default value is 10).
1. Select Firewall > Default Packet Handling.
The Default Packet Handling page appears.
2. Select or clear the Block Port Space Probes and the Block Address Space Probes check boxes.
3. Type the maximum number of address or port probes to allow per second from the same IP address. The default for each is 10 per second. This means that a source is blocked if it initiates connections to 10 different ports or hosts within one second.
4. Click Save.
To block attackers more quickly, you can set the threshold for the maximum allowed number of address or port probes per second to a lower value. If the number is set too low, the XTM device could also deny legitimate network traffic. You are less likely to block legitimate network traffic if you use a higher number, but the XTM device must send TCP reset packets for each connection it drops. This uses bandwidth and resources on the XTM device and provides the attacker with information about your firewall.
About Flood Attacks
In a flood attack, attackers send a very high volume of traffic to a system so it cannot examine and allow permitted network traffic. For example, an ICMP flood attack occurs when a system receives too many ICMP ping commands and must use all of its resources to send reply commands. The XTM device can protect against these types of flood attacks:
- IPSec
- IKE
- ICMP
- SYN
- UDP
Flood attacks are also known as Denial of Service (DoS) attacks. The default configuration of the XTM device is to block flood attacks.
You can use Fireware XTM Web UI to change the settings for this feature, or to change the maximum allowed number of packets per second.
1. Select Firewall > Default Packet Handling.
The Default Packet Handling page appears.
2. Select or clear the Flood Attack check boxes.
3. Type the maximum allowed number of packets per second for each source IP address.
For example, if the setting is 1000, the XTM device blocks a source if it receives more than 1000 packets per second from that source.
4. Click Save.
About the SYN Flood Attack Setting
For SYN flood attacks, you can set the threshold at which the XTM device reports a possible SYN flood attack. No packets are dropped when only the selected number of packets is received. At twice the selected threshold, all SYN packets are dropped. At any level between the selected threshold and twice that level, if the src_IP, dst_IP, and total_length values of a packet are the same as those of the previous packet received, the packet is always dropped. Otherwise, 25% of the new packets received are dropped.
For example, you set the SYN flood attack threshold to 18 packets/sec. When the XTM device receives 18 packets/sec, it reports a possible SYN flood attack to you, but does not drop any packets. If the device receives 20 packets per second, it drops 25% of the received packets (5 packets). If the device receives 36 or more packets, the last 18 or more are dropped.
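The three bands of the SYN flood setting are easier to follow when written out. The following added example (not WatchGuard code) takes the SYN packets seen in one second and applies the rules from the text with the 18 packets/sec threshold of the example: report only at the threshold, drop repeats of the previous packet plus 25% of the rest between the threshold and twice the threshold, and keep only the first threshold-many packets from twice the threshold up (so 36 packets lose 18). Evaluating a one-second batch, counting every fourth non-repeated packet as the 25%, and the constructed packet values are assumptions.

```python
"""SYN flood threshold bands, modelled over one second of SYN packets.

Added example, not WatchGuard code. The per-second batch evaluation and the
"every fourth packet" way of dropping 25% are assumptions; the bands and the
numbers come from the text above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SynPacket:
    src_ip: str
    dst_ip: str
    total_length: int


def syn_flood_filter(packets, threshold):
    """Apply the SYN flood setting to the packets received in one second.

    Returns (alert, kept, dropped): `alert` is True when the rate reached the
    threshold and a possible SYN flood is reported.
    """
    rate = len(packets)
    if rate < threshold:                       # below the threshold: nothing to report
        return False, list(packets), []
    if rate == threshold:                      # at the threshold: report, drop nothing
        return True, list(packets), []
    if rate >= 2 * threshold:                  # twice the threshold or more: the excess is dropped
        return True, list(packets[:threshold]), list(packets[threshold:])
    kept, dropped = [], []
    prev = None
    fresh = 0                                  # packets that do not repeat the previous one
    for pkt in packets:
        key = (pkt.src_ip, pkt.dst_ip, pkt.total_length)
        if prev is not None and key == prev:
            dropped.append(pkt)                # same src_IP, dst_IP, total_length as the previous packet
        else:
            fresh += 1
            (dropped if fresh % 4 == 0 else kept).append(pkt)   # 25% of the new packets
        prev = key
    return True, kept, dropped


def distinct_syns(n, dst_ip="198.51.100.1"):
    """Constructed sample: n SYN packets from n different source addresses (not captured traffic)."""
    return [SynPacket(f"203.0.113.{i + 1}", dst_ip, 60) for i in range(n)]


def flood_of_repeats(n, src_ip="203.0.113.7", dst_ip="198.51.100.1"):
    """Constructed sample: n identical SYN packets, the shape of a spoofed flood."""
    return [SynPacket(src_ip, dst_ip, 60)] * n
```

With the threshold of 18 from the example, 18 distinct packets raise the alert with no drops, 20 distinct packets lose 5, 36 lose 18 and 40 lose 22; 20 identical packets between the two bands lose all but the first, because every one of them repeats the previous packet.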
About Unhandled Packets
An unhandled packet is a packet that does not match any policy rule. By default, the XTM device always denies unhandled packets. From Fireware XTM Web UI, you can change the device settings to further protect your network.
1. Select Firewall > Default Packet Handling.
The Default Packet Handling page appears.
2. Select or clear the check boxes for these options:
Auto-block source of packets not handled
Select to automatically block the source of unhandled packets. The XTM device adds the IP address that sent the packet to the temporary Blocked Sites list.
Send an error message to clients whose connections are disabled
Select to send a TCP reset or ICMP error back to the client when the XTM device receives an unhandled packet.
About Distributed Denial-of-Service Attacks
Distributed Denial of Service (DDoS) attacks are very similar to flood attacks. In a DDoS attack, many different clients and servers send connections to one computer system to try to flood the system. When a DDoS attack occurs, legitimate users cannot use the targeted system.
The default configuration of the XTM device is to block DDoS attacks. From Fireware XTM Web UI, you can change the settings for this feature, and change the maximum allowed number of connections per second.
1. Select Firewall > Default Packet Handling.
The Default Packet Handling page appears.
2. Select or clear the Per Server Quota and Per Client Quota check boxes.
3. Set the Per Server Quota and the Per Client Quota limits.
Per Server Quota
The Per Server Quota applies a limit to the number of connections per second from any external source to the XTM device external interface. This includes connections to internal servers allowed by a static NAT policy. The Per Server Quota is based on the number of connection requests to any one destination IP address, regardless of the source IP address. After the threshold is reached, the XTM device drops incoming connection requests from any host.
For example, when the Per Server Quota is set to the default value of 100, the XTM device drops the 101st connection request received in a one second time frame from any external IP address. The source IP address is not added to the blocked sites list.
Per Client Quota
The Per Client Quota applies a limit to the number of outbound connections per second from any source protected by the XTM device to any destination. The Per Client Quota is based on the number of connection requests from any one source IP address, regardless of the destination IP address.
For example, when the Per Client Quota is set to the default value of 100, the XTM device drops the 101st connection request received in a one second time frame from an IP address on the trusted or optional network to any destination IP address.
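The probe detection described under How the XTM Device Identifies Network Probes and the two DDoS quotas above are all per-second counters that differ only in what they count and in what happens at the limit: a probe source goes on the Blocked Sites list, a quota overrun is dropped without blocking the source. The following added example (not WatchGuard code) puts the three checks side by side with the default values of 10 and 100 and runs them over constructed connection requests. Fixed one-second windows, counting a probe source as blocked once it exceeds the threshold, counting the quotas regardless of traffic direction, and the sample addresses are assumptions.

```python
"""Per-second counters behind probe blocking and the Per Server / Per Client quotas.

Added example, not WatchGuard code. Windows are fixed one-second buckets and
the quota counters are kept for any source and destination (the device applies
them to inbound and outbound traffic respectively); both are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One connection request (constructed sample data, not captured traffic)."""
    t: float      # arrival time in seconds
    src: str      # source IP address
    dst: str      # destination IP address
    dport: int    # destination port


class DefaultPacketHandler:
    """Probe detection plus the DDoS quotas, with the page's default thresholds."""

    def __init__(self, interface_ips, probe_threshold=10,
                 per_server_quota=100, per_client_quota=100):
        self.interface_ips = set(interface_ips)   # primary and secondary device addresses
        self.probe_threshold = probe_threshold    # default: 10 probes per second
        self.per_server_quota = per_server_quota  # default: 100 connections/s per destination
        self.per_client_quota = per_client_quota  # default: 100 connections/s per source
        self.blocked_sites = set()                # sources added to the Blocked Sites list
        self._window = None
        self._reset_counters()

    def _reset_counters(self):
        self.ports_seen = defaultdict(set)    # src -> device ports it touched this second
        self.addrs_seen = defaultdict(set)    # src -> device addresses it touched this second
        self.server_count = defaultdict(int)  # dst -> connection requests this second
        self.client_count = defaultdict(int)  # src -> connection requests this second

    def handle(self, c):
        """Return 'allow', 'drop' (quota exceeded, source not blocked) or 'blocked'."""
        window = int(c.t)
        if window != self._window:            # new one-second window: start counting again
            self._window = window
            self._reset_counters()
        if c.src in self.blocked_sites:
            return "blocked"
        if c.dst in self.interface_ips:        # probes are counted against device addresses only
            self.ports_seen[c.src].add(c.dport)
            self.addrs_seen[c.src].add(c.dst)
            if (len(self.ports_seen[c.src]) > self.probe_threshold
                    or len(self.addrs_seen[c.src]) > self.probe_threshold):
                self.blocked_sites.add(c.src)  # port or address space probe: block the source
                return "blocked"
        self.server_count[c.dst] += 1
        self.client_count[c.src] += 1
        if (self.server_count[c.dst] > self.per_server_quota
                or self.client_count[c.src] > self.per_client_quota):
            return "drop"                      # the 101st request in the second is dropped
        return "allow"


def demo():
    """Three constructed scenarios; returns a summary of the decisions for checking."""
    h = DefaultPacketHandler(interface_ips={"198.51.100.1", "198.51.100.2"})
    # Constructed: one host tries 12 different ports on the external interface in a second.
    scan = [h.handle(Conn(0.01 * i, "203.0.113.5", "198.51.100.1", 20 + i)) for i in range(12)]
    # Constructed: one trusted client opens 101 outbound connections in a second.
    web = [h.handle(Conn(1.0 + 0.005 * i, "10.0.1.20", "93.184.216.34", 443)) for i in range(101)]
    # Constructed: 101 different external hosts reach a static NAT web server in a second.
    srv = [h.handle(Conn(2.0 + 0.005 * i, f"192.0.2.{i + 1}", "198.51.100.1", 443))
           for i in range(101)]
    return {
        "scan_allowed": scan.count("allow"),
        "scanner_blocked": "203.0.113.5" in h.blocked_sites,
        "client_drops": web.count("drop"),
        "client_blocked": "10.0.1.20" in h.blocked_sites,
        "server_drops": srv.count("drop"),
    }
```

In the three scenarios the scanner is allowed its first ten ports and blocked from the eleventh on, the busy client and the busy server each lose exactly their 101st request, and neither of the quota overruns puts an address on the Blocked Sites list.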
About Blocked Sites
A blocked site is an IP address that cannot make a connection through the XTM device. You tell the XTM device to block specific sites you know, or think, are a security risk. After you find the source of suspicious traffic, you can block all connections from that IP address. You can also configure the XTM device to send a log message each time the source tries to connect to your network. From the log file, you can see the services that the sources use to launch attacks.
The XTM device denies all traffic from a blocked IP address. You can define two different types of blocked IP addresses: permanent and auto-blocked.
Permanently Blocked Sites
Network traffic from permanently blocked sites is always denied. These IP addresses are stored in the Blocked Sites list and must be added manually. For example, you can add an IP address that constantly tries to scan your network to the Blocked Sites list to prevent port scans from that site.
To block a site, see Block a Site Permanently on page 850.
Auto-Blocked Sites/Temporary Blocked Sites List
Packets from auto-blocked sites are denied for the amount of time you specify. The XTM device uses the packet handling rules specified for each policy to determine whether to block a site. For example, if you create a policy that denies all traffic on port 23 (Telnet), any IP address that tries to send Telnet traffic through that port is automatically blocked for the amount of time you specify.
To automatically block sites that send denied traffic, see Block Sites Temporarily with Policy Settings on page 852.
You can also automatically block sites that are the source of packets that do not match any policy rule. For more information, see About Unhandled Packets on page 844.
To manually add a temporary blocked site, use the Blocked Sites page. For more information, see Blocked Sites on page 923.
Blocked Site Exceptions
If the XTM device blocks traffic from a site you believe to be safe, you can add the site to the Blocked Site Exceptions list, so that traffic from that site is not blocked.
To add a blocked site exception, see Create Blocked Site Exceptions.
See and Manage the Blocked Sites List
To see a list of all sites currently on the blocked sites list, select System Status > Blocked Sites. From the Blocked Sites page you can see the current blocked sites, and you can add, edit, or remove temporary blocked sites.
For more information, see Blocked Sites on page 923.
Block a Site Permanently
You can use Fireware XTM Web UI to permanently add sites to the Blocked Sites list.
If you must block a network address or address range that includes one or more IP addresses assigned to the XTM device, you must first add the XTM device IP addresses to the Blocked Sites Exceptions list.
To add exceptions, see Create Blocked Site Exceptions on page 851.
1. Select Firewall > Blocked Sites.
2. Click Add.
The Add Sites dialog box appears.
3. From the Choose Type drop-down list, select a method to identify the blocked site. You can block an IPv4 or IPv6 host IP address, network IP address or host IP address range, or you can block a site by host name.
4. In the adjacent text box, type the IP address, network IP address, host range, or host name to block. If you block a host range, type the start and end IP addresses for the range of IP addresses to block.
5. (Optional) In the Description text box, type a description of the blocked site.
6. Click OK.
7. Click Save.
Create Blocked Site Exceptions
When you add a site to the Blocked Site Exceptions list, traffic from that site is not blocked by the Blocked Sites lists, and is not automatically blocked by features such as Default Threat Protection or Block actions configured in a proxy policy.
If a site you add to the Blocked Sites Exceptions list is on the Auto Blocked list, the site remains blocked until the Auto Blocked timeout expires for that site. For information about how to remove a temporarily blocked site from the Blocked Sites list, see Blocked Sites.
To add a blocked site exception:
1. Select Firewall > Blocked Sites.
2. Click the Blocked Sites Exceptions tab.
3. Click Add.
The Add Sites dialog box appears.
4. From the Choose Type drop-down list, select a method to identify the blocked site exception. You can add an exception for an IPv4 or IPv6 host IP address, network IP address or host IP address range, or you can add an exception by host name.
5. In the adjacent text box, type the IP address, network IP address, host range, or host name. If the exception is for a host range, type the start and end IP addresses for the range of IP addresses in the exception.
6. (Optional) In the Description text box, type a description of the blocked site exception.
7. Click OK.
8. Click Save.
You cannot remove an internal IP address or network address from the Blocked Sites Exceptions list if the internal IP address is on the Blocked Sites list. Before you can remove an internal IP address from the Blocked Sites Exceptions list, you must remove the address range that includes the internal IP address from the Blocked Sites list.
Block Sites Temporarily with Policy Settings
You can use Fireware XTM Web UI to temporarily block sites that try to use a denied service. IP addresses from the denied packets are added to the Temporary Blocked Sites list for 20 minutes (by default).
1. Select Firewall > Firewall Policies. Click on a policy to edit it.
The Firewall Policies/Edit page appears.
2. On the Settings tab, make sure you set the Connections are drop-down list to Denied or Denied (send reset).
3. On the Settings tab, select the Auto-block sites that attempt to connect check box. By default, IP addresses from the denied packets are added to the Temporary Blocked Sites list for 20 minutes.
Change the Duration that Sites are Auto-Blocked
To see a list of IP addresses that are auto-blocked by the XTM device, select System Status > Blocked Sites. You can use the Temporary Blocked Sites list together with your log messages to help you decide which IP addresses to block permanently.
You can use Fireware XTM Web UI to enable the auto-block feature.
Select Firewall > Default Packet Handling.
For more information, see About Unhandled Packets on page 844.
You can also use policy settings to auto-block sites that try to use a denied service. For more information, see Block Sites Temporarily with Policy Settings on page 852.
You can use Fireware XTM Web UI to set the duration that sites are blocked automatically.
1. Select Firewall > Blocked Sites.
2. Select the Auto-Blocked tab.
3. To change the amount of time a site is auto-blocked, in the Duration for Auto-Blocked sites text box, type or select the number of minutes to block a site. The default is 20 minutes.
4. Click Save.
About Blocked Ports
You can block the ports that you know can be used to attack your network. This stops specified external network services. Blocking ports can protect your most sensitive services.
When you block a port, you override all of the rules in your policy definitions. To block a port, see Block a Port on page 857.
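The Blocked Sites topics above describe three lists that interact: permanent entries (hosts, networks or host ranges, IPv4 or IPv6), auto-blocked entries that expire after the configured duration (20 minutes by default), and exceptions. The following added example (not WatchGuard code) models that interaction: an exception overrides a permanent entry, an excepted address is never auto-blocked, but an address that was already auto-blocked when the exception was added stays blocked until its timeout expires, as the Create Blocked Site Exceptions topic states. The data structures and the time handling are assumptions; host names are not modelled.

```python
"""Blocked Sites list model: permanent entries, auto-blocked entries, exceptions.

Added example, not WatchGuard code. Precedence follows the text above; the
representation (ipaddress networks, a dict of expiry times) is an assumption.
"""
import ipaddress


class BlockedSites:
    """Permanent entries, auto-blocked entries with a timeout, and exceptions."""

    def __init__(self, auto_block_minutes=20):
        self.auto_block_seconds = auto_block_minutes * 60   # default duration: 20 minutes
        self.permanent = []    # ip_network objects (a single host is a /32 or /128)
        self.exceptions = []   # ip_network objects
        self.temporary = {}    # ip_address -> time (seconds) at which the auto-block expires

    @staticmethod
    def _network(spec):
        # Accepts a host ("203.0.113.10", "2001:db8::1") or a network ("203.0.113.0/24").
        return ipaddress.ip_network(spec, strict=False)

    @staticmethod
    def _matches(addr, networks):
        # ip_network membership already returns False across IPv4/IPv6 versions.
        return any(addr in net for net in networks)

    def block_permanently(self, spec):
        """Add an IPv4 or IPv6 host or network to the Blocked Sites list."""
        self.permanent.append(self._network(spec))

    def block_range(self, first, last):
        """Add a host IP address range given by its start and end addresses."""
        start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
        self.permanent.extend(ipaddress.summarize_address_range(start, end))

    def add_exception(self, spec):
        """Add a host or network to the Blocked Site Exceptions list."""
        self.exceptions.append(self._network(spec))

    def auto_block(self, ip, now):
        """Temporarily block the source of a denied or unhandled packet.

        Returns False when the address is on the exceptions list and is therefore
        not blocked.
        """
        addr = ipaddress.ip_address(ip)
        if self._matches(addr, self.exceptions):
            return False
        self.temporary[addr] = now + self.auto_block_seconds
        return True

    def is_blocked(self, ip, now):
        """Decide whether traffic from `ip` is denied at time `now`."""
        addr = ipaddress.ip_address(ip)
        expiry = self.temporary.get(addr)
        if expiry is not None:
            if now < expiry:
                return True          # an auto-blocked site stays blocked until its timeout expires
            del self.temporary[addr] # timeout passed: the temporary entry is gone
        if self._matches(addr, self.exceptions):
            return False             # exceptions override the permanent list
        return self._matches(addr, self.permanent)
```

The `block_range` method is what makes the note in Block a Site Permanently workable: when a range that contains one of the device's own addresses is added, the device address must already be on the exceptions list, and with this ordering the exception wins.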
Default Blocked Ports
In the default configuration, the XTM device blocks some destination ports. You usually do not need to change this default configuration. TCP and UDP packets are blocked for these ports:
X Window System (ports 6000-6005)
The X Window System (or X-Windows) client connection is not encrypted and is dangerous to use on the Internet.
X Font Server (port 7100)
Many versions of X Windows operate X Font Servers. The X Font Servers operate as the super-user on some hosts.
NFS (port 2049)
NFS (Network File System) is a frequently used TCP/IP service where many users use the same files on a network. New versions have important authentication and security problems. To supply NFS on the Internet can be very dangerous.
The portmapper frequently uses port 2049 for NFS. If you use NFS, make sure that NFS uses port 2049 on all your systems.
rlogin, rsh, rcp (ports 513, 514)
These services give remote access to other computers. They are a security risk and many attackers probe for these services.
RPC portmapper (port 111)
The RPC Services use port 111 to find which ports a given RPC server uses. The RPC services are easy to attack through the Internet.
port 8000
Many vendors use this port, and many security problems are related to it.
port 1
The TCPmux service uses Port 1, but not frequently. You can block it to make it more difficult for tools that examine ports.
port 0
This port is always blocked by the XTM device. You cannot allow traffic on port 0 through the device.
If you must allow traffic through any of the default blocked ports to use the associated software applications, we recommend that you allow the traffic only through a VPN tunnel or use SSH (Secure Shell) with those ports.
Block a Port
You can use Fireware XTM Web UI to add a port number to the Blocked Ports list.
Be very careful if you block port numbers higher than 1023. Clients frequently use these source port numbers.
To add a port number to the Blocked Ports list:
1. Select Firewall > Blocked Ports.
2. In the text box below the Blocked Ports list, type the port number to block.
3. Click Add.
The new port number appears in the Blocked Ports list.
Block IP Addresses That Try to Use Blocked Ports
You can configure the XTM device to automatically block an external computer that tries to use a blocked port. In the Blocked Ports page, select the Automatically block sites that try to use blocked ports check box.
16
Role-Based Administration
About Role-Based Administration
Role-based administration enables you to share the configuration and monitoring responsibilities for
your organization among several individuals. One or more senior administrators might have full
configuration privileges for all devices, while one or more junior administrators have less configuration
and monitoring authority or different areas of jurisdiction.
For example, one administrator might have complete configuration and monitoring authority over all of
the XTMdevices in an organization's Eastern region, but could only monitor the devices deployed in
the companys Central and Western regions. Another administrator could have full authority over the
Central region, but could only monitor Western and Eastern region devices.
For your centrally managed devices, you can use WatchGuard SystemManager (WSM) and
WatchGuard Server Center to create and implement the different administrator roles for your
organization. All the role-based administration settings you create are stored and managed on your
Management Server, so they are accessible with WSMor WatchGuard Server Center. When you
make a change to role-based administration with WSM, the change automatically appears in
WatchGuard Server Center.
You can also use role-based administration for your individual Firebox or XTMdevices. For a single
device, the device management users you create are stored and managed on the Firebox or XTM
device. When you add device management user accounts to a device, those user accounts are only
available on that device, and you must connect to that device to use or manage the user accounts.
Role-based administration is only available for managed Firebox or XTMdevices with
Fireware XTMv11.0 or later, and single Firebox or XTMdevices with Fireware XTM
v11.9 or later.
Roles and Role Policies
A role has two parts: a set of tasks and a set of devices on which these tasks can be performed. When
you configure user accounts on your Management Server for your centrally managed devices, every
administrator is assigned one or more roles, such as Super Administrator, Mobile User VPN
Administrator, or User Authentication Administrator. For role-based administration on an individual
Firebox or XTM device, only two roles are available: Device Administrator and Device Monitor.
For centrally managed devices, you can use the predefined roles on your WatchGuard System
Manager (WSM) Management Server for your own organization, or you can define custom roles. These
roles are recognized by all the WSM tools and WatchGuard servers. For example, if you log in to WSM
with read/write permissions, and open Firebox System Manager (FSM), you are not prompted for the
configuration passphrase because FSM recognizes that you are logged in with sufficient permissions.
Role policies combine the sets of tasks and devices with the users who have the privileges to perform
those roles.
Audit Trail
To keep track of the actions performed by each administrator, WSM stores an audit trail of changes
made to a device. These changes are recorded in the Management Server log messages. WSM also
has an audit trail that shows all changes made to the entire system, the administrator who made each
change, and when each change was made.
When you use role-based administration on your individual Firebox or XTM device, you can also see
which administrators made which changes to the device configuration. This information is available in
the log messages from your devices and in the Firebox Audit Trail reports for your devices, which you
can view in WatchGuard WebCenter or WatchGuard Dimension.
See Also
Role-Based Administration
Manage Users and Roles on Your Device
You can use role-based administration on your Firebox or XTMdevice to share the configuration and
monitoring responsibilities for the device among several individuals in your organization. This enables
you to run audit reports to monitor which administrators make which changes in your device
configuration file.
Each device includes two roles that you can assign to the unique user accounts you add: Device
Administrator and Device Monitor. User accounts that are assigned the Device Administrator role can
connect to the device with read-write permissions to make changes to the device configuration file and
monitor the device. User accounts that are assigned the Device Monitor role can connect to the device
with read-only permissions to monitor the device. More than one user with Device Monitor privileges
can connect to a device at the same time, but only one user with Device Administrator privileges can
connect to a device at any time.
Each Firebox or XTM device includes three default user accounts that cannot be deleted.
Default User Account: admin
    Description: The default Device Administrator user account with read-write permissions.
    Default Passphrase: readwrite
Default User Account: status
    Description: The default Device Monitor user account with read-only permissions.
    Default Passphrase: readonly
Default User Account: wg-support
    Description: The user account for WatchGuard Support access to your device. Disabled by default.
    Default Passphrase: None
When you add new Device Management users to your Firebox or XTM device, the account information
for the users is stored in a separate file from the device configuration file. This means that if you must
restore an earlier version of your configuration file to your device, the user accounts you added are not
affected. If you restore the factory-default settings for your Firebox or XTM device, however, all the
Device Management user accounts you added are removed; only the default user accounts are
available, with the default passphrases restored. Because those default passphrases are published in
this guide, change the admin and status passphrases again before you put a reset device back on the
network.
You can use these authentication servers for Device Management user accounts on your device:
n Firebox-DB
n Active Directory
n LDAP
n RADIUS
For external authentication servers (not Firebox-DB), make sure to add the user account to the
authentication server before you add the user account to your device. The user account credentials
that you specify for the user account on your Firebox or XTMdevice are case-sensitive and must
match the user credentials as they are specified on the authentication server.
Add a New Device User
You can add a user account with the Device Administrator or Device Monitor role. To add a user
account from an authentication server other than Firebox-DB, you must have already configured the
settings on the Firebox or XTM device for that authentication server. Make sure that the user account
already exists on the authentication server. You specify a passphrase only for user accounts
that use the Firebox-DB authentication server. When you add a user account from an external
authentication server (such as your Active Directory server), the password held for that user
account on the authentication server is used when the user logs in to the Firebox or XTM
device.
To add a new device user:
1. Select System > Users and Roles.
The Users and Roles page appears.
2. Click Add.
The Add User dialog box appears.
3. In the User Name text box, type the user name for the user account.
4. From the Authentication Server drop-down list, select the authentication server for this user
account.
5. From the Role drop-down list, select the role for this user account.
6. (Firebox-DB only) In the Passphrase and Confirm Passphrase text boxes, type the
passphrase for this user account.
7. Click OK.
The user account appears in the Users and Roles list.
8. Click Save to commit your changes to the Firebox or XTM device.
Edit a Device User
When you edit a user account that you created on your Firebox or XTM device, you can change only
the role assigned to the user and, for users defined for the Firebox-DB authentication server, the
passphrase. You cannot change the user name or the authentication server. To change the user
name or the authentication server specified for a user account, you must remove the user from the
Users and Roles list and then add the user account again with the correct settings.
For the admin and status user accounts, you can only change the passphrase. For the wg-support user
account, you can change the role and the passphrase.
To change the role or passphrase for a user account:
1. From the Users and Roles list, select a user account.
2. Click Edit.
The Edit User dialog box appears.
3. Select a different role or specify a new passphrase.
4. Click OK.
5. Click Save.
Delete a Device User
You can only delete the user accounts that you create on your Firebox or XTMdevice. The default user
accounts (admin, status, and wg-support) cannot be deleted.
To delete a user account:
1. From the Users and Roles list, select a user account.
2. Click Remove.
A confirmation message appears.
3. Click Yes.
The user is deleted from the Users and Roles list.
4. Click Save.
Audit Device Management User Activity
To see which Device Management users have made changes to your Firebox or XTM device, you can
review an Audit Trail report. This report includes a detailed list of the audited configuration changes
made to your device.
Before you can see audit trail details in a report, you must configure your device to send audit trail log
messages to your WatchGuard Log Server or Dimension Log Server. In the Logging settings for your
device, select the Send log messages when the configuration for this Firebox is changed check
box.
For more information about how to configure your device to generate audit trail log messages, see
Include Performance Statistics in Log Messages on page 871.
For information about how to view an Audit Trail report in WatchGuard Dimension, see View Reports in
the WatchGuard Dimension Help.
17
Logging and Notification
About Logging, Log Files, and Notification
An important feature of network security is to gather messages from your security systems, to
examine those records frequently, and to keep them in an archive for future reference. The
WatchGuard log message system creates log files with information about security-related events that
you can review to monitor your network security and activity, identify security risks, and address them.
A log file is a list of events, along with information about those events. An event is one activity that
occurs on the XTM device. An example of an event is when the device denies a packet. Your XTM
device can also capture information about allowed events to give you a more complete picture of the
activity on your network.
The WatchGuard log message system has several components, which are described in the
subsequent sections.
About Log Messages
Your XTM device and WatchGuard servers can send log messages to your WatchGuard Log Server.
XTM devices can also send log messages to a syslog server or keep logs locally on the XTM device.
You can send log messages to any one of these locations, or to several of them at the same time.
Log Servers
There are two methods to save log files with Fireware XTM Web UI:
WatchGuard Log Server
This is a component of WatchGuard System Manager (WSM). If you have a Firebox X Core,
Firebox X Peak, or Firebox X Edge e-Series device with Fireware XTM, or a WatchGuard XTM
2 Series, 3 Series, 5 Series, 8 Series, or 1050 device, you can configure a primary Log Server to
collect log messages for your device.
Syslog
This is a log interface developed for UNIX but also used on many other computer systems. If
you use a syslog host, you can set your XTM device to send log messages to your syslog
server. To find a syslog server compatible with your operating system, search the Internet for
"syslog daemon".
If your XTM device is configured to send log messages only to a WatchGuard Log Server and the
connection fails, those log messages are not collected. To prevent this loss, you can configure your
device to also send log messages to a syslog host that is on the local trusted network.
For more information about sending log messages to a WatchGuard Log Server, see Send Log
Messages to a WatchGuard Log Server on page 867.
For more information about sending log messages to a syslog host, see Configure Syslog Server
Settings on page 873.
Logging and Notification in Applications and Servers
The Log Server can receive log messages from your XTM device or a WatchGuard server. After you
have configured your XTM device and Log Server, the device sends log messages to the Log Server.
You can enable logging in the various WSM applications and policies that you have defined for your
XTM device to control the level of logs that you see. If you choose to send log messages from another
WatchGuard server to the Log Server, you must first enable logging on that server.
System Status Traffic Monitor
On the Fireware XTM Web UI Traffic Monitor page, you see log messages from your XTM device as
they occur. On some networks, there can be a short delay as log messages are sent. Traffic Monitor
can help you troubleshoot network performance. For example, you can see which policies are used
most, or whether external interfaces are constantly used to their maximum capacity.
For more information, see Traffic Monitor on page 900.
Types of Log Messages
Your XTM device sends several types of log messages for events that occur on the device. Each
message includes the message type in the text of the message. The log message types are:
n Traffic
n Alarm
n Event
n Debug
n Statistic
Traffic Log Messages
The XTM device sends traffic log messages as it applies packet filter and proxy rules to traffic that
goes through the device.
Alarm Log Messages
Alarm log messages are sent when an event occurs that triggers the XTM device to run a command.
When the alarm condition is matched, the device sends an Alarm log message to the Log Server or
syslog server, and then it does the specified action.
There are eight categories of Alarm log messages:
n System
n IPS
n AV
n Policy
n Proxy
n Counter
n Denial of Service
n Traffic
The XTM device does not send more than 10 alarms in 15 minutes for the same conditions.
Event Log Messages
The XTM device sends event log messages because of user activity. Actions that can cause the XTM
device to send an event log message include:
n Device start up and shut down
n Device and VPN authentication
n Process start up and shut down
n Problems with the device hardware components
n Any task done by the device administrator
Debug Log Messages
Debug log messages include diagnostic information that you can use to help troubleshoot problems.
There are 27 different product components that can send debug log messages.
Statistic Log Messages
Statistic log messages include information about the performance of the XTM device. By default, the
device sends log messages about external interface performance and VPN bandwidth statistics to
your log file. You can use these logs to change your XTM device settings as necessary to improve
performance.
Send Log Messages to a WatchGuard Log Server
When you configure the Logging settings for your XTM device, you can select to send log messages to
a WatchGuard Log Server. This can be the WatchGuard Log Server that is a component of
WatchGuard System Manager, or the Dimension Log Server that is a component of WatchGuard
Dimension. If you have either type of WatchGuard Log Server, you can configure a primary Log Server
and backup Log Servers to collect the log messages from your XTM devices. You designate one Log
Server as the primary (Priority 1) and other Log Servers as backup servers.
If the XTM device cannot connect to the primary Log Server, it tries to connect to the next Log Server in
the priority list. If the XTM device examines each Log Server in the list and cannot connect, it tries to
connect to the first Log Server in the list again. When the primary Log Server is not available, and the
XTM device is connected to a backup Log Server, the XTM device tries to reconnect to the primary Log
Server every 6 minutes. This does not impact the XTM device connection to the backup Log Server
until the primary Log Server is available.
For more information about WatchGuard System Manager Log Servers and instructions to configure
the Log Server to accept log messages, see the Fireware XTM WatchGuard System Manager Help.
For more information about WatchGuard Dimension Log Servers, and instructions to configure your
Dimension Log Server, see the WatchGuard Dimension Help.
Add, Edit, or Change the Priority of Log Servers
To send log messages from your XTM device to a WatchGuard Log Server:
1. Select System > Logging.
The Logging page appears.
2. To send log messages to one or more WatchGuard Log Servers, select the Send log
messages to these WatchGuard Log Servers check box.
3. Click Add.
The Add WatchGuard Log Server dialog box appears.
4. In the Log Server Address text box, type the IP address of the primary Log Server.
5. In the Encryption Key text box, type the Log Server encryption key.
6. In the Confirm text box, type the encryption key again.
7. Click Add.
The information for the Log Server appears in the Log Server list.
8. Repeat Steps 3 through 7 to add more Log Servers to the Log Server list.
9. To change the priority of a Log Server in the list, select the check box for an IP address in the
list and click Up or Down.
The priority number changes as the IP address moves up or down in the list.
10. To remove a Log Server from the list, select the check box for the IP address of the Log Server
and click Remove.
11. Click Save.
Include Performance Statistics in Log Messages
When you configure logging on your Firebox or XTM device, you can select the details and
performance statistics to include in your log files.
1. Select System > Logging.
The Logging page appears.
2. In the Settings section, select the options for the log messages from this device:
n To store log messages on your XTM device, select the Send log message to Firebox
Internal storage check box.
n To include performance statistics in your log files, select the Send external interface and
VPN bandwidth statistics to log file check box.
n To send a log message when the XTM device configuration file is changed, select the Send
log messages when the configuration for this Firebox is changed check box.
n To send log messages about traffic sent by the XTM device, select the Enable logging for
traffic sent from this device check box.
n To enable the XTM device to collect a packet trace for IKE packets, select the Enable IKE
packet tracing to Firebox internal storage check box.
3. Click Save.
Configure Syslog Server Settings
Syslog is a log interface developed for UNIX but also used by a number of computer systems. Your
Firebox or XTM device can send log messages to a WatchGuard Log Server and a syslog server at the
same time, or send log messages to only one or the other. Syslog log messages are not encrypted. We
recommend that you do not select a syslog host on the external interface.
You can configure your Firebox or XTM device to send log messages to a syslog server or a QRadar
server. Syslog log messages can be encoded in two log formats: syslog format or IBM LEEF format.
To send log messages to a syslog server, select the syslog log format. To send log messages to a
QRadar server, select the IBM LEEF format.
When you configure the syslog settings, you can specify which port to use for your server. For a syslog
server, you can configure the device to send the log message time stamp or device serial number to
the syslog server. For a QRadar server, you can configure the device to send the device serial number
or the syslog header to the QRadar server. The time stamp appears in the time zone specified on
your device.
For both server types, you specify the syslog facility to use for each type of log message. The syslog
facility is a field in the syslog packet; the receiving syslog daemon uses it to decide which file a log
message is written to. For high-priority syslog messages, such as alarms, select Local0. To
assign priorities for other types of log messages (lower numbers have greater priority), select Local1
through Local7. For more information on logging facilities, see your syslog documentation.
Only log messages that include the msg-id field are sent to your QRadar server. These log message
types are included:
n Traffic
n Alarm (when the syslog header is included)
n Event (when the syslog header is included)
n Diagnostics (when the syslog header is included)
When you select to send log messages to your QRadar server, the log messages include the LEEF
header, with these details:
n LEEF version
n Vendor Name
n Product Name
n Product Version
n Event ID
For example:
n LEEF version: 1.0
n Vendor Name: WatchGuard
n Product Name: XTM
n Product Version: 11.9.B444050
n Event ID: 1AFF000B (message id)
In the pipe-delimited LEEF syntax, these five values form the header
LEEF:1.0|WatchGuard|XTM|11.9.B444050|1AFF000B| that precedes the event attributes.
If you select to include the syslog header in the log messages that you send to QRadar, the host name
and time stamp are not included in the log messages.
For information about the different types of messages, see Types of Log Messages on page 866.
Before you configure your device to send log messages to a syslog or QRadar server, you must have a
syslog or QRadar server configured, operational, and ready to receive log messages.
To configure your device to send log messages to a syslog or QRadar server:
1. Select System > Logging.
The Logging page appears.
2. In the Syslog Server section, select the Send log messages to the syslog server at this IP
address check box.
3. In the IP Address text box, type the IP address for the syslog or QRadar server.
4. In the Port text box, the default syslog server port (514) appears. To change the server port,
type or select a different port for your server.
5. From the Log Format drop-down list, select Syslog or IBM LEEF.
The details available to include in the log messages depend on the log format you select.
The Syslog Settings for the syslog log format.
The Syslog Settings for the IBM LEEF log format.
6. To include the date and time that the event occurs on your XTM device in the log message
details, select the The time stamp check box.
7. (Syslog only) To include the serial number of the XTM device in the log message details, select
the The serial number of the device check box.
8. (QRadar only) To include the syslog header in the log message details, select the The syslog
header check box.
9. In the Syslog Settings section, for each type of log message, select a syslog facility from the
drop-down list.
If you select the IBM LEEF log format, you must select the The syslog header check box
before you can select the syslog facility for the log message types.
n For high-priority syslog messages, such as alarms, select Local0.
n To assign priorities for other types of log messages (lower numbers have greater priority),
select Local1 through Local7.
n To not send details for a message type, select NONE.
10. Click Save.
Because syslog traffic is not encrypted, syslog messages that are sent through the
Internet decrease the security of the trusted network. It is more secure if you put your
syslog host on your trusted network.
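The facility selection and the LEEF header described above, worked through in code. This is an added example, not code from this guide or from WatchGuard: it computes the syslog PRI value from a facility and severity (PRI = facility * 8 + severity, so Local0 through Local7 are facility codes 16 through 23), decodes a PRI back into names, and splits a LEEF 1.0 payload into its five header fields plus the tab-delimited key=value attributes that LEEF 1.0 specifies. The two sample datagrams are constructed: the first reuses the hwmond text quoted in the Monitor Hardware Health section with the PRI that corresponds to local3.err, the second uses the header values listed above with made-up attribute names. One caveat the facility wording above glosses over: a receiving syslog daemon uses the facility only to route and file messages; the severity bits of PRI are what it treats as priority.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Numeric facility codes from RFC 3164/5424: local0 through local7 are 16 through 23.
FACILITY_CODES = {f"local{i}": 16 + i for i in range(8)}
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}
# Severity codes 0 through 7; the lowest number is the most urgent.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$", re.DOTALL)
# LEEF 1.0 header: LEEF:Version|Vendor|Product|ProductVersion|EventID| then tab-delimited key=value attributes.
LEEF_RE = re.compile(
    r"LEEF:(?P<version>[^|]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<product_version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    body: str
    leef: Optional[Dict[str, object]] = None


def build_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; this is the number the sender puts inside <...>."""
    return FACILITY_CODES[facility.lower()] * 8 + SEVERITY_NAMES.index(severity.lower())


def parse_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value back into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITY_NAMES.get(pri >> 3, f"facility{pri >> 3}"), SEVERITY_NAMES[pri & 7]


def parse_leef(body: str) -> Optional[Dict[str, object]]:
    """Return the LEEF header fields and attributes, or None if the body is not LEEF."""
    m = LEEF_RE.search(body)
    if m is None:
        return None
    attrs: Dict[str, str] = {}
    for pair in m.group("attrs").split("\t"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            attrs[key] = value
    return {
        "version": m.group("version"),
        "vendor": m.group("vendor"),
        "product": m.group("product"),
        "product_version": m.group("product_version"),
        "event_id": m.group("event_id"),
        "attrs": attrs,
    }


def parse_syslog(line: str) -> SyslogMessage:
    """Decode one syslog datagram: PRI first, then an optional LEEF payload."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("missing <PRI> prefix")
    facility, severity = parse_pri(int(m.group("pri")))
    body = m.group("body")
    return SyslogMessage(facility, severity, body, parse_leef(body))


def triage(lines):
    """(facility, severity, event_id) per datagram: the keys a collector routes on."""
    rows = []
    for line in lines:
        msg = parse_syslog(line)
        rows.append((msg.facility, msg.severity, msg.leef["event_id"] if msg.leef else None))
    return rows


# Constructed sample datagrams, not captured from a device. The first reuses the hwmond
# text quoted in this guide with PRI 155 = local3 * 8 + err (matching "local3.err"); the
# second wraps the LEEF header values the guide lists, with made-up attribute names.
SAMPLE_LINES = [
    "<155>Nov 1 19:27:43 2012 Firebox hwmond[803]: Warning:'Sys Fan1' is out of valid "
    "range[1000.000000-15000.000000],current value 0.000000",
    "<134>LEEF:1.0|WatchGuard|XTM|11.9.B444050|1AFF000B|"
    "src=10.0.1.5\tdst=203.0.113.7\tproto=tcp\taction=Allow",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
```

A collector should accept only the facilities you configured for each log type and treat anything else from the device's address as unexpected. Because the transport is unencrypted UDP, the PRI and the LEEF header are trivially forgeable on the path, which is one more reason to keep the syslog host on the trusted network as the note above recommends.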
Set the Diagnostic Log Level
From Fireware XTM Web UI you can select the level of diagnostic logging to write to your log file. We
do not recommend that you select the highest logging level unless a technical support representative
tells you to do so while you troubleshoot a problem. When you use the highest diagnostic log level, the
log file can fill up very quickly, and performance of the XTM device is often reduced.
1. Select System > Diagnostic Log.
The Diagnostic Log Level page appears.
2. From the drop-down list for each category, select the level of detail to include in the log
message for that category:
n Off
n Error
n Warning
n Information
n Debug
When Off (the lowest level) is selected, diagnostic messages for that category are disabled.
3. Click Save.
Monitor Hardware Health
The hardware health monitor feature enables your XTM device to periodically
monitor its own health. The hardware areas that are monitored depend on your XTM device model and
include:
n CPU and system fan speed
n CPU and system temperature
n Voltage
n Hardware crypto chip
n Replaceable power supply
n Hard disk (for devices with a hard disk)
Log messages are generated for the hardware health monitor feature when the Error Diagnostic Log
Level is selected for the Management category. When a failure in any of the specified hardware areas
is detected, the XTM device generates both a diagnostic and an alarm log message, and sends an
email notification message. You cannot select which type of notification message you receive for a
hardware health monitor message; only the email notification option is available. If the hardware health
monitor detects an error in the XTM device voltage, a log message is generated, but a notification
message is not sent. If an alarm log message is generated by the hardware health monitor, you can
see the log message on the Dashboard > Traffic Monitor page.
Each hardware health monitor log message includes hwmond in the text of the message, and specifies
which hardware area is out of range. For example:
Nov 1 19:27:43 2012 Firebox local3.err hwmond[803]: Warning:'Sys Fan1' is out of valid range[1000.000000-15000.000000],current value 0.000000
In this example, the hardware monitor has discovered that a system fan operation is outside the normal
range. The valid range is 1000 to 15,000, but the current value for the fan is 0.
To enable the XTM device to generate log messages for the hardware health monitor feature:
1. Select System > Diagnostic Log.
The Diagnostic Log Level page appears.
2. Slide the scroll bar to find the Management category.
3. From the drop-down list for the category, select the Error level.
4. Click Save.
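As an added example (not code from this guide or from WatchGuard), the following Python parses hwmond messages of the form shown above and turns a stream of them into per-sensor alerts, so a collector can page on a fan or temperature fault and report how often it recurs instead of forwarding raw text. The log excerpt is constructed: the first line is the message quoted above, while the CPU Temp line, the repeated fan line and the final non-hwmond line are invented; the sensor names and ranges on those invented lines are assumptions, not values from a real device.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Matches the hwmond text shown in this guide:
#   hwmond[803]: Warning:'Sys Fan1' is out of valid range[1000.000000-15000.000000],current value 0.000000
# The process ID, sensor name, range bounds and current value are captured.
HWMOND_RE = re.compile(
    r"hwmond\[(?P<pid>\d+)\]:\s*Warning:'(?P<sensor>[^']+)' is out of valid "
    r"range\[(?P<low>[\d.]+)-(?P<high>[\d.]+)\],current value (?P<value>[\d.]+)"
)


class HardwareAlert(NamedTuple):
    sensor: str
    low: float
    high: float
    value: float

    def deviation(self) -> float:
        """Signed distance outside the valid range (0.0 if the value is inside it)."""
        if self.value < self.low:
            return self.value - self.low
        if self.value > self.high:
            return self.value - self.high
        return 0.0


def parse_hwmond(line: str) -> Optional[HardwareAlert]:
    """Return a HardwareAlert for an hwmond out-of-range message, else None."""
    m = HWMOND_RE.search(line)
    if m is None:
        return None
    return HardwareAlert(m["sensor"], float(m["low"]), float(m["high"]), float(m["value"]))


def scan(lines: List[str]) -> List[HardwareAlert]:
    """Keep only the lines that are hardware health alerts."""
    return [a for a in (parse_hwmond(line) for line in lines) if a is not None]


def summarize(alerts: List[HardwareAlert]) -> Dict[str, int]:
    """Count alerts per sensor so a repeating fan or temperature fault is reported once with a count."""
    return dict(Counter(a.sensor for a in alerts))


# Constructed sample log excerpt. Line 1 is the message quoted in this guide; the CPU Temp
# line, the repeated fan line and the unrelated last line are made up for this example.
SAMPLE_LOG = [
    "Nov 1 19:27:43 2012 Firebox local3.err hwmond[803]: Warning:'Sys Fan1' is out of valid "
    "range[1000.000000-15000.000000],current value 0.000000",
    "Nov 1 19:27:44 2012 Firebox local3.err hwmond[803]: Warning:'CPU Temp' is out of valid "
    "range[0.000000-85.000000],current value 90.000000",
    "Nov 1 19:28:43 2012 Firebox local3.err hwmond[803]: Warning:'Sys Fan1' is out of valid "
    "range[1000.000000-15000.000000],current value 0.000000",
    "Nov 1 19:28:44 2012 Firebox local0.info admin login from 10.0.1.5 (constructed, not hwmond)",
]

if __name__ == "__main__":
    alerts = scan(SAMPLE_LOG)
    for sensor, count in summarize(alerts).items():
        worst = max((a for a in alerts if a.sensor == sensor), key=lambda a: abs(a.deviation()))
        print(f"{sensor}: {count} alert(s), worst deviation {worst.deviation():+.1f}")
```

Run it against the raw text as collected on the Log Server or syslog host. The Diagnostic Log Level for the Management category must be at least Error (the steps above) or hwmond writes nothing to parse, and remember that a voltage fault produces a log line but no notification, so this kind of parsing is the only way to catch it promptly.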
Configure Logging and Notification for a Policy
You can configure the logging and notification settings for each policy in your configuration. To see
information about a policy in your log files, you must enable logging for that policy.
1. Select Firewall > Firewall Policies.
The Firewall Policies page appears.
2. Add a policy, or double-click a policy.
The Policy Configuration page appears.
3. Select the Properties tab.
4. In the Logging section, set the parameters to match your security policy.
For information about the settings in the Logging section, see Set Logging and Notification
Preferences on page 882.
5. Click Save.
Set Logging and Notification Preferences
The settings for logging and notification are similar throughout the XTM device configuration. For each
place you define logging and notification preferences, most or all of the options described in this topic
are available.
Send Log message
When you select this check box, the XTM device sends a log message when an event occurs.
You can select to send log messages to a WatchGuard Log Server, Syslog server, or XTM
device internal storage. For detailed steps to select a destination for your log messages, see
Include Performance Statistics in Log Messages on page 871.
Send SNMP trap
When you select this check box, the XTM device sends an event notification to the SNMP
management system. Simple Network Management Protocol (SNMP) is a set of tools used to
monitor and manage networks. An SNMP trap is an event notification the XTM device sends to
the SNMP management system when a specified condition occurs.
If you select the Send SNMP Trap check box and you have not yet configured
SNMP, a dialog box appears and asks you if you want to do this. Click Yes to go to
the SNMP Settings dialog box. You cannot send SNMP traps if you do not configure
SNMP.
For more information about SNMP, see About SNMP on page 74.
To enable SNMP traps or inform requests, see Enable SNMP Management Stations and Traps
on page 76.
Send Notification
When you select this check box, the XTM device sends a notification when the event you
specified occurs, for example, when a policy allows a packet.
You can select how the XTM device sends the notification:
n Email: The Log Server sends an email message when the event occurs.
n Pop-up Window: The Log Server opens a dialog box when the event occurs.
Then set these values:
Launch Interval: The minimum time (in minutes) between different notifications. This
parameter prevents more than one notification in a short time for the same event.
Repeat Count: This setting tracks how frequently an event occurs. When the number of
events reaches the selected value, a special repeat notification starts. This notification
creates a repeat log entry about that specified notification. Notification starts again after the
number of events you specify in this field occurs.
For example, set the Launch Interval to 5 minutes and the Repeat Count to 4. A port space
probe starts at 10:00 AM and continues each minute. This starts the logging and notification
mechanisms.
These actions occur at these times:
n 10:00 Initial port space probe (first event)
n 10:01 First notification starts (one event)
n 10:06 Second notification starts (reports five events)
n 10:11 Third notification starts (reports five events)
n 10:16 Fourth notification starts (reports five events)
The launch interval, set to 5 minutes here, controls the time between consecutive notifications.
Multiply the repeat count by the launch interval: this is the time an event must continue before
the repeat notification starts.
18
Monitor Your Device
About the Dashboard and System Status Pages
To monitor the status and activity on your Firebox or XTM device, you can use the Dashboard and
System Status pages.
The Dashboard
From the Dashboard, you can see real-time information on these pages:
n Front Panel
The Front Panel page shows basic information about your XTM device, your network, and
network traffic.
The System, External Bandwidth, IPSec VPN, CPU, and Memory widgets refresh at the
interval you specify to show you the historical information about your XTM device.
From the Top Panels, you can see real-time data about the currently active connections through
your XTM device. Top Panels include: Top Clients, Top Destinations, Top Policies, and
Destination Port.
n Subscription Services
The Subscription Services page shows:
o Scanned, infected, and skipped traffic that is monitored by Gateway AntiVirus
o Scanned, detected, and prevented traffic that is monitored by Intrusion Prevention Service
o Signature version and update information for Gateway AntiVirus and Intrusion Prevention
Service
o HTTP requests and traffic that is denied by WebBlocker
o Scanned, blocked, and quarantined content that is identified by Data Loss Prevention
o Clean, confirmed, bulk, and suspect mail that is identified by spamBlocker
o Good, bad, and inconclusive reputation score statistics for URLs checked by Reputation
Enabled Defense
For more information about manual signature updates, see Subscription Services Status and
Manual Signatures Updates on page 112.
n FireWatch
On the FireWatch page, you can see real-time, aggregate information about the traffic through
your XTM device. Some of the information you can see includes:
o Top Users
o Top Domains
o Application Usage
o Bandwidth Usage
o Firewall Traffic
o Security Service Activity
o Device State
n Interfaces
On the Interfaces page, you can see current bandwidth and detail information for the active
interfaces on your device. This includes wireless interfaces configured for your AP devices. You
can also release or renew the DHCP lease on an IP address for any external interface with DHCP
enabled.
n Traffic Monitor
On the Traffic Monitor page, you can see log messages from your XTM device as they occur.
This can help you troubleshoot network performance. For example, you can see which policies are
used most, or whether external interfaces are constantly used to their maximum capacity.
n Gateway Wireless Controller
On the Gateway Wireless Controller page, you can monitor the connection status and activity
on your WatchGuard AP devices. You can also monitor and manage the client connections to your
WatchGuard AP devices.
System Status Pages
The System Status pages include a list of monitoring categories. On these pages, you can monitor all
the components of your XTM device.
From the System Status section, you can see real-time information on these pages:
n ARP Table
n Authentication List
n Blocked Sites
n Checksum
n Components List
n DHCP Leases
n Diagnostics
n Dynamic DNS
n Hotspot Clients
n LiveSecurity
n Processes
n Routes
n Server Connection
n Traffic Management
n Users and Roles
n VPN Statistics
n Rogue AP Detection
n Wireless Statistics
The System Status pages are set to refresh automatically every 30 seconds. You can change the
refresh interval to refresh more or less frequently. You can also pause or restart the page refresh.
1. To change the refresh interval, from the drop-down list at the top right of the page, select another
interval:
Monitor Your Device
888 Fireware XTMWeb UI
Monitor Your Device
User Guide 889
n 5 seconds
n 10 seconds
n 30 seconds
n 60 seconds
n 2 minutes
n 5 minutes
2. To force an immediate refresh, click .
Or, on some System Status pages, click and then click .
Front Panel
On the Front Panel page, you can see basic information about your XTM device, your network, and
network traffic.
The Front Panel page is separated into two parts: widgets and top panels. Widgets show specific,
historical information about your XTM device. Top panels show connection data for your device.
Widgets
The System, External Bandwidth, IPSec VPN, CPU, and Memory widgets refresh at the interval
you specify to show you the historical information about your XTM device. To get the most recent data,
select Last 20 Minutes.
- System: This widget includes the XTM device name, model, and serial number; the Fireware
XTM OS version on the device; the system time, date, and uptime since the last restart; and the
Log Server where the device sends log messages.
- IPSec VPN: This widget graph shows the usage statistics for IPSec VPN connections
through your XTM device.
- External Bandwidth: This widget graph shows real-time throughput statistics for all the XTM
device interfaces in kilobytes. The Y axis (vertical) shows the cumulative throughput value of
kilobytes sent and received over an interface since the last time the device was powered on or
rebooted. The X axis (horizontal) shows the time interval included in the graph.
- CPU: This widget graph shows CPU usage and average load over the selected period of time.
- Memory: This widget graph shows the usage of Linux kernel memory over a period of time.
If you have read-write configuration access to this XTM device, you can also reboot the device from
the System widget.
Top Panels
From the Top Panels, you can see real-time data about the currently active connections through your
XTM device. Each panel shows the connection rate, number of bytes transferred through the
connection, and the number of hits.
The available top panels include:
- Top Clients: Shows a list of the clients connected to the XTM device that use the most bandwidth.
- Top Destinations: Shows a list of the most frequently visited destinations for current connections.
- Top Policies: Shows a list of the policies that currently manage the most traffic.
- Destination Port: Shows a list of the most frequently used ports for current connections to the device.
To see more details about any of the information in a top panel, or to pivot on the details in a top panel,
click a detail in a top panel list. The information in the top panels is updated based on the new
selection.
Subscription Services
On the Subscription Services Dashboard page, you can see the recent Subscription Services
activity on your XTM device.
The Subscription Services page shows:
- Scanned, infected, and skipped traffic that is monitored by Gateway AntiVirus
- Scanned, detected, and prevented traffic that is monitored by Intrusion Prevention Service
- Signature version and update information for Gateway AntiVirus and Intrusion Prevention
Service
- Good, bad, and inconclusive reputation score statistics for URLs checked by Reputation
Enabled Defense
- HTTP requests and traffic that is denied by WebBlocker
- Clean, confirmed, bulk, and suspect mail that is identified by spamBlocker
- Scanned, blocked, and quarantined content that is identified by Data Loss Prevention
For more information about manual signature updates, see Subscription Services Status and Manual
Signatures Updates on page 112.
FireWatch
FireWatch is a real-time, interactive report tool, available in Fireware XTM Web UI, that groups,
aggregates, and filters statistics about the traffic through your XTM device in an easy-to-understand
form. FireWatch includes many options to pivot, refine, and filter information about your firewall traffic.
Some of the information you can see at a glance includes:
- Top Users
- Top Domains
- Application Usage
- Bandwidth Usage
- Firewall Traffic
- Security Service Activity
- Device State
You can use FireWatch to see:
- Who uses the most bandwidth on your network
- Which is the most popular site that users visit
- Which sites use the most bandwidth
- Which applications use the most bandwidth
- Which sites a particular user has visited
- Which applications a particular user uses most
The FireWatch page is separated into tabs of data that is presented in a Treemap Visualization. The
treemap is a widget that proportionally sizes blocks in the display to represent the data for that tab. The
largest blocks on the tab represent the largest data users. The data is sorted by the tab you select and
the type you select from the drop-down list at the top right of the page.
FireWatch includes these tabs:
Source
On the Source tab, you can see all the user and host addresses where traffic through the
XTM device originates. You can pivot the data on Bytes or Connections.
Destination
On the Destination tab, you can see all the addresses where the traffic through the XTM device
terminates. You can pivot the data on Bytes or Connections.
Application
On the Application tab, you can see an aggregate view of all the applications currently in use.
You can view the data based on the number of connections.
Policy
On the Policy tab, you can see an aggregate view of all policies that are applied to the current
traffic through the XTM device. You can view the data based on the number of connections.
Interface (In)
On the Interface (In) tab, you can see all the connections through the active inbound interfaces
on the XTM device.
Interface (Out)
On the Interface (Out) tab, you can see all the connections through the active outbound
interfaces on the XTM device.
On each FireWatch tab, you can pivot the data on Rate, Bytes, Connections, or Duration.
See Connection Details
On any FireWatch tab, you can see detailed information for any active connection. The number of
active connections for the data type you select appears at the top right of the FireWatch page,
adjacent to the data type selection drop-down list and refresh button.
To see details for active connections to your XTM device:
1. In the Dashboard section, select FireWatch.
The FireWatch page appears, with the Source tab selected by default.
2. Select a tab.
The current connections appear.
3. To change the type of data that appears in the selected tab, from the drop-down list at the top
right of the page, select an option:
   - Rate
   - Bytes
   - Connections
   - Duration
Not all options are available for all connection types.
The data in the display is updated based on the option you selected.
4. To see details about any item in the treemap, place your cursor over the item.
The connection details dialog box appears.
5. To see all connections for an item, in the connection details dialog box, click View
connections.
The connections dialog box appears.
6. To update the list of connections, click Refresh.
The connections list is updated with the most recent data.
7. To filter the information that appears in the treemap by the selected connection, in the
connection details dialog box, click Filter.
The treemap data is updated based on the selected filter.
Delete a Connection
1. To delete a connection from the treemap, in the connection details dialog box, click Delete
connections.
The Delete Connections dialog box appears.
2. Verify that the details in the Delete Connections dialog box are correct.
3. In the Configuration Passphrase text box, type the configuration passphrase for the
XTM device.
4. Click Delete connections.
All connection data for the specified connection is removed from the treemap.
Block a Site
From the Source or Destination tabs, you can temporarily add a connection that you have selected in
the treemap to the Blocked Sites list. The selected connection remains on the Blocked Sites list for the
amount of time that you specify.
For more information about the Blocked Sites list, see Blocked Sites on page 923.
To block a connection:
1. In the connection details dialog box, click Block Site.
The Block Site dialog box appears for the selected connection.
2. In the Timeout text box, type the length of time to keep the selected connection on the Blocked
Sites list.
3. In the Configuration Passphrase text box, type the read-write passphrase for the XTM device.
4. Click Block Site.
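The Block Site dialog adds the selected address to the Blocked Sites list for the timeout you type. As an added example that is not WatchGuard code, the Python model below shows the behaviour that implies, with a clock you can control so that expiry is easy to check: an entry is added with a positive timeout, is enforced until that timeout passes, and then drops off the list. The TemporaryBlockList and FakeClock names, and the sample address, are assumptions made for this illustration; the real list lives on the device.

```python
"""Minimal model of a temporary blocked-sites entry with a timeout.
Added example, not WatchGuard code; class names and sample values are
assumptions for illustration."""
import ipaddress
import time
from typing import Dict, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class FakeClock:
    """Deterministic clock so expiry can be exercised without sleeping."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class TemporaryBlockList:
    """Addresses blocked for a fixed number of seconds, then released."""

    def __init__(self, clock=time.monotonic) -> None:
        self._clock = clock
        self._expires_at: Dict[IPAddress, float] = {}

    def block(self, address: str, timeout_seconds: int) -> None:
        """Add (or extend) a block. Rejects malformed addresses and
        non-positive timeouts, which would block nothing or block forever."""
        if timeout_seconds <= 0:
            raise ValueError("timeout must be a positive number of seconds")
        ip = ipaddress.ip_address(address)  # raises ValueError on bad input
        self._expires_at[ip] = self._clock() + timeout_seconds

    def _purge_expired(self) -> None:
        now = self._clock()
        for ip in [ip for ip, exp in self._expires_at.items() if exp <= now]:
            del self._expires_at[ip]

    def is_blocked(self, address: str) -> bool:
        self._purge_expired()
        return ipaddress.ip_address(address) in self._expires_at

    def seconds_remaining(self, address: str) -> Optional[float]:
        self._purge_expired()
        exp = self._expires_at.get(ipaddress.ip_address(address))
        return None if exp is None else exp - self._clock()

    def active(self) -> Dict[str, float]:
        """Current entries and their remaining time, for display."""
        self._purge_expired()
        now = self._clock()
        return {str(ip): exp - now for ip, exp in self._expires_at.items()}


def rejects_input(address: str, timeout_seconds: int) -> bool:
    """True if block() refuses this address/timeout pair."""
    try:
        TemporaryBlockList().block(address, timeout_seconds)
    except ValueError:
        return True
    return False


def demo_block_expiry() -> Tuple[bool, bool, bool, int]:
    """Block a constructed address for 60 s and sample the state over time."""
    clock = FakeClock(1000.0)
    blocked = TemporaryBlockList(clock=clock)
    blocked.block("203.0.113.9", 60)          # constructed sample address
    at_start = blocked.is_blocked("203.0.113.9")
    clock.advance(59)
    just_before = blocked.is_blocked("203.0.113.9")
    clock.advance(1)
    at_expiry = blocked.is_blocked("203.0.113.9")
    return at_start, just_before, at_expiry, len(blocked.active())


if __name__ == "__main__":
    print(demo_block_expiry())  # (True, True, False, 0)
```

Expiry is checked lazily on every lookup rather than by a background timer, which keeps the model single-threaded and makes the FakeClock test exact; the same pattern suits a display that polls the list, as the Blocked Sites page does.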
Refresh FireWatch Data
By default, the data in the FireWatch treemaps refreshes dynamically at the optimum rate for the data
type on the selected tab. You can also manually refresh the data in the treemap.
To refresh the data in a treemap:
1. Select a tab and a sort method for the data.
2. Click the refresh button.
The data in the treemap is updated and the display blocks refresh to show the new data.
Interfaces
On the Dashboard > Interfaces page, you can see the bandwidth used by each interface on your
Firebox or XTM device and detailed information about each interface. This includes wireless interfaces
configured for your AP devices.
Review Interface Bandwidth
On the Interfaces page, Bandwidth tab, you can review the bandwidth of incoming and outgoing
connections through each interface on the XTM device.
For each interface, these details are included:
Zone
The trust zone for this interface.
IP Address
The IP address for this interface.
Gateway
The gateway defined for this interface.
Netmask
The network mask configured for this interface.
MAC
The MAC address defined for this interface.
Sent
Total amount of bandwidth used (in KB) for traffic sent over this interface.
Received
Total amount of bandwidth used (in KB) for traffic received over this interface.
Review Interface Details
To see detailed information about the XTM device network interfaces:
1. Select Dashboard > Interfaces.
The Interfaces page appears with the Bandwidth tab selected by default.
2. Select the Detail tab.
Detailed information about each interface appears.
Link Status
If the interface is active, Up appears. If it is not active, Down appears.
Alias
The interface name.
Enabled
Whether each interface is enabled or disabled.
IPv4 Address
The IPv4 address configured for each interface.
Netmask
Network mask for each interface.
Gateway
The gateway defined for each interface.
MAC Address
The MAC address for each interface.
Name
The interface number.
Zone
The trust zone for each interface.
IPv6
The IPv6 address configured for the selected interface. When you select an interface, if
IPv6 is configured for that interface, information about the IPv6 configuration for that
interface appears in this text box.
Release or Renew a DHCP Lease
For any external interface with DHCP enabled, you can release or renew the DHCP lease on an IP
address. This includes external VLAN interfaces.
1. Select Dashboard > Interfaces.
The Interfaces page appears.
2. Select the Detail tab.
3. Select an external interface with DHCP enabled.
The DHCP Release and DHCP Renew buttons are enabled at the bottom of the page.
4. To release the DHCP lease for the selected interface, click DHCP Release.
5. To renew the DHCP lease for the selected interface, click DHCP Renew.
For more information about the Dashboard pages, see About the Dashboard and System Status
Pages on page 885.
Traffic Monitor
On the Traffic Monitor page, you can see log messages from your Firebox or XTM device as they
occur. On some networks, there can be a short delay as log messages are sent.
Traffic Monitor can help you troubleshoot network performance. For example, you can see which
policies are used most, or whether external interfaces are constantly used to their maximum capacity.
1. Connect to Fireware XTM Web UI for your device.
2. Select Dashboard > Traffic Monitor.
The Traffic Monitor page appears, with All logs selected.
If you connect to a FireCluster, the Traffic Monitor page includes a drop-down list to select which
cluster member log messages to view.
To choose which cluster member to see on the Traffic Monitor page:
From the Member drop-down list, select a cluster member.
Sort and Filter Traffic Monitor Log Messages
You can use the Traffic Monitor buttons to sort the information that you see in Traffic Monitor.
When you select a button, Traffic Monitor shows only log messages of the type you selected. You can
also use the filter text box to search the log messages and refine the data you see in Traffic Monitor.
To sort by message type, click a button:
- All Logs
- Traffic Logs
- Alarm Logs
- Event Logs
- Debug Logs
- Performance Statistics Logs
To filter log messages by specified details:
1. In the filter text box at the top of the page, type or select the information to search on.
You can type any value in the filter text box, or select a value from the drop-down list.
2. To remove the filter, click .
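The buttons and the filter text box act on the live log stream in the browser. As an added example that is not code from WatchGuard or this guide, the following Python script applies the same two operations, select by message type and match a search string, to a few constructed log lines, and then counts which policies and source addresses appear most, which is the kind of question the Traffic Monitor section says you can answer here. The line layout (message type as a leading token, policy name in parentheses) and every sample value are assumptions made for this example, not the exact Fireware log format.

```python
"""Filter constructed Traffic Monitor-style log lines by message type and
search string, then count the busiest policies and source addresses.
Added example; the line format below is an assumption, not Fireware's own."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample lines: "<date> <time> <message type> <message>".
# Traffic messages carry disposition, source, destination, service, ports,
# inbound and outbound interface, and the policy name in parentheses.
SAMPLE_LOGS = [
    "2014-05-12 10:00:01 Traffic Allow 10.0.1.5 93.184.216.34 http/tcp 51234 80 1-Trusted 0-External (HTTP-proxy-00)",
    "2014-05-12 10:00:02 Traffic Allow 10.0.1.6 93.184.216.34 https/tcp 51235 443 1-Trusted 0-External (HTTPS-00)",
    "2014-05-12 10:00:03 Traffic Deny 203.0.113.9 10.0.1.5 tcp 40000 22 0-External 1-Trusted (Unhandled External Packet-00)",
    "2014-05-12 10:00:04 Alarm IPS signature match from 203.0.113.9, connection denied",
    "2014-05-12 10:00:05 Traffic Allow 10.0.1.7 93.184.216.34 http/tcp 51236 80 1-Trusted 0-External (HTTP-proxy-00)",
    "2014-05-12 10:00:06 Event Web UI login by user admin from 10.0.1.2",
    "2014-05-12 10:00:07 Traffic Allow 10.0.1.5 198.51.100.20 dns/udp 51237 53 1-Trusted 0-External (DNS-00)",
    "2014-05-12 10:00:08 Debug dhcp client renew on eth0",
    "2014-05-12 10:00:09 Traffic Allow 10.0.1.5 93.184.216.34 http/tcp 51238 80 1-Trusted 0-External (HTTP-proxy-00)",
]

# The five message types behind the Traffic Monitor buttons.
LOG_TYPES = ("Traffic", "Alarm", "Event", "Debug", "Performance")

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<type>" + "|".join(LOG_TYPES) + r") (?P<rest>.*)$"
)
TRAFFIC_RE = re.compile(
    r"^(?P<disposition>Allow|Deny) (?P<src>\S+) (?P<dst>\S+) (?P<service>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<iface_in>\S+) (?P<iface_out>\S+) "
    r"\((?P<policy>.+)\)$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one line into fields; traffic lines get the extra fields.
    An unrecognised line raises rather than being silently dropped."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    if rec["type"] == "Traffic":
        t = TRAFFIC_RE.match(rec["rest"])
        if t is not None:
            rec.update(t.groupdict())
    return rec


def filter_logs(lines: List[str], log_type: Optional[str] = None,
                search: Optional[str] = None) -> List[Dict[str, str]]:
    """Keep lines of one message type (like the Traffic/Alarm/... buttons)
    and/or lines containing a search string (like the filter text box)."""
    if log_type is not None and log_type not in LOG_TYPES:
        raise ValueError(f"unknown log type {log_type!r}")
    needle = search.lower() if search else None
    kept = []
    for line in lines:
        rec = parse_line(line)
        if log_type is not None and rec["type"] != log_type:
            continue
        if needle is not None and needle not in line.lower():
            continue
        kept.append(rec)
    return kept


def top_policies(lines: List[str], n: int = 3) -> List[Tuple[str, int]]:
    """Policies that handled the most connections, busiest first."""
    counts = Counter(r["policy"] for r in filter_logs(lines, "Traffic") if "policy" in r)
    return counts.most_common(n)


def top_sources(lines: List[str], n: int = 3) -> List[Tuple[str, int]]:
    """Source addresses with the most logged connections, busiest first."""
    counts = Counter(r["src"] for r in filter_logs(lines, "Traffic") if "src" in r)
    return counts.most_common(n)


if __name__ == "__main__":
    for policy, hits in top_policies(SAMPLE_LOGS):
        print(f"{hits:3d}  {policy}")
    for rec in filter_logs(SAMPLE_LOGS, "Traffic", search="deny"):
        print("denied:", rec["src"], "->", rec["dst"], "port", rec["dport"])
```

Run it directly to print the busiest policies and the denied connections. The search is a case-insensitive substring match over the whole line, which is the simplest faithful model of a free-text filter box; the type filter is applied first so a search term never pulls in messages of another type.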
Change the Display
You can select whether the messages in the display appear in black and white, or in color. You can
also select all the messages in the display or clear all the messages from the display.
1. Click Actions.
Depending on the width of your browser window, this button appears as an icon or as the text Actions.
2. To change the color of the display, select an option:
   - Do not show in color
   - Show logs in color
3. To select all the log messages in the display, select Select All.
4. To clear all the log messages in the display, select Clear Traffic Monitor.
Pause and Restart the Display
From Traffic Monitor, you can pause and restart the display of traffic in Traffic Monitor.
1. To pause the display of traffic, click the pause button.
2. To start the display of traffic again, click the restart button.
View APT Threat Information
If log messages from APT Blocker appear in Traffic Monitor, you can review the threat information to
see more details about the threat.
For more information, see View APT Threat Information.
View APT Threat Information
When you configure the APT Blocker threat actions on your Firebox or XTM device to send an alarm or
log message for a threat action, from Traffic Monitor you can see the log message information for the
APT threats detected by APT Blocker on your device.
For more information about how to configure APT Blocker threat actions, see Configure APT Blocker
on page 1386.
You can also view APT Blocker threat action log messages from WatchGuard Dimension. APT
Blocker reports are only available in WatchGuard Dimension. For more information, see Dimension
Reports List in the WatchGuard Dimension Help.
APT Blocker threat information includes these details:
- File: The name of the file that included the threat.
- Threat Level: The level of the threat (High, Medium, or Low).
- Threat Summary: A summary of the conditions found in the file that caused the threat
notification.
- File MD5: The MD5 hash of the file.
- Threat ID: The identification number assigned to the threat.
To view information about the APT Blocker threat actions on your device from Fireware XTM Web UI:
1. Select Dashboard > Traffic Monitor.
The Traffic Monitor page appears.
2. Scroll to find an APT Blocker log message.
3. Click the APT log message.
The APT Threat Information dialog box appears.
WatchGuard AP Device and Wireless Client Connections (Gateway Wireless Controller)
With the Gateway Wireless Controller, you can monitor the connection status and activity on your
WatchGuard AP devices. You can also monitor and manage the client connections to your
WatchGuard AP devices.
The Gateway Wireless Controller is only available for XTM devices that run Fireware
XTM OS v11.7.2 and later.
To monitor the status of your AP device and wireless clients connected to the AP device:
1. Connect to Fireware XTM Web UI for the XTM device that manages your AP device.
2. Select Dashboard > Gateway Wireless Controller.
The Gateway Wireless Controller page appears, with the Summary tab selected.
3. Review the Summary details for the Gateway Wireless Controller, as described in the
Summary section.
4. To see the locations of all AP and wireless devices in the vicinity of your Firebox or XTM
device, select the Maps tab.
For more information about the Maps tab, see Use Gateway Wireless Controller Maps.
5. To review the status of the AP devices managed by this XTM device, select the Access Points
tab.
6. Complete any necessary tasks related to your AP devices as described in the Access Points
section.
7. To review the status of the clients connected to the AP device, select the Wireless Clients
tab.
8. Complete any necessary tasks related to the connected wireless clients as described in the
Wireless Clients section.
Summary
The Summary tab includes basic connection information for your AP devices and clients connected to
your AP devices, as well as a list of the top ten connections for each connection category. To see more
information for each connection category, you can click the header of each category widget. You can
also click any item in any category widget to filter the data on the Summary tab on that item.
You can use the same method available on the Front Panel Dashboard page to see more details about
connections on the Gateway Wireless Controller Summary page. To see more details about any of the
information in a widget, or to pivot on the details in a widget, simply click a detail in that widget. The
information in the widget is updated based on the new selection.
For example, in the Access Points list, if you click AP1, all of the other widgets are filtered to show
only Top Users, Top SSIDs, and Top Manufacturers for AP1. You can then click the Top Users widget
header to see the full list of users on AP1.
Total Users
This is the number of clients that are currently connected to an AP device managed by this XTM
device. More detail about client connections is available on the Wireless Clients tab.
Total Bytes
The total amount of data in bytes sent and received by the connected clients.
Bytes Sent
The total amount of data in bytes sent by the connected clients.
Bytes Received
The total amount of data in bytes received by the connected clients.
Online Access Points
This is the number of AP devices managed by this XTM device that are currently online and
available for use.
Offline Access Points
This is the number of AP devices managed by this XTM device that are currently not online and
are unavailable for use.
Available SSIDs
This is the number of SSIDs currently configured on your AP devices. You can have many
SSIDs configured for each AP device.
For more information about SSIDs for AP devices, see Configure WatchGuard AP Device
SSIDs.
Access Point Firmware Available
This section includes information about the versions of firmware available for your AP100 and
AP200 devices. You can use these versions of firmware to update the firmware on your AP
devices, if the version of firmware on your devices is outdated.
Top Users
This is the list of connected users that use the most bandwidth. For each user, the MAC
Address, bytes sent, bytes received, and total number of bytes appear.
Top Access Points by Bytes
This is the list of the connected AP devices that use the most bandwidth. For each AP device,
the name of the AP device, bytes sent, bytes received, total number of bytes, and number of
connected users appear.
Top Access Points by User
This is the list of the connected AP devices with the most connected users. For each AP
device, the name of the AP device, bytes sent, bytes received, total number of bytes, and
number of connected users appear.
Top SSID by Bytes
This is the list of the SSIDs that use the most bandwidth. For each SSID, the name of the AP
device, bytes sent, bytes received, total number of bytes, and number of connected users
appear.
Top SSID by Users
This is the list of the SSIDs with the most connected users. For each SSID, the name of the AP
device, bytes sent, bytes received, total number of bytes, and number of connected users
appear.
Top Manufacturers by Bytes
This is the list of the manufacturers for the connected AP devices that use the most bandwidth.
For each AP device, the name of the AP device, bytes sent, bytes received, total number of
bytes, and number of connected users appear.
Top Manufacturers by Users
This is the list of the manufacturers of the wireless interfaces on the connected AP devices with
the most connected users. This might not be the manufacturer of the AP device.
For each AP device, the name of the AP device, bytes sent, bytes received, total number of
bytes, and number of connected users appear.
Access Points
On the Access Points tab, you can see all of the AP devices that are managed by this XTM device.
For each AP device, this information appears:
Name
This is the unique, friendly name you assign to the AP device when you add or edit an Access
Point in the Gateway Wireless Controller configuration settings.
Status
In this column, the current status of each AP device paired with this XTM device appears.
- Online: The AP device is enabled and can communicate with the XTM device.
- Offline: The AP device cannot be contacted by the XTM device.
- Updating: An update to the AP device configuration is in progress.
- Passphrase Mismatch: The passphrase on the AP device does not match the
passphrase specified for the AP device on the Gateway Wireless Controller. This could
occur if you typed the passphrase incorrectly when you paired the AP device with the
Gateway Wireless Controller, or if you reset the AP device passphrase from the AP device
Web UI and did not update the passphrase for the AP device in the Gateway Wireless
Controller configuration.
- Discovered: The AP device has been discovered by the XTM device, but is not online.
SSIDs
This column shows the name of each SSID you have configured for the AP devices paired with
this XTM device.
For more information about SSIDs for AP devices, see Configure WatchGuard AP Device
SSIDs.
IP Address
This is the IP address assigned to the AP device.
Radio 1
This column shows the radio frequency and channel that the AP device Radio 1 uses.
For more information about radio settings, see Configure AP Device Radio Settings on page
378.
Radio 2
If your AP device has two radios, this column shows the radio frequency and channel that the
AP device Radio 2 uses.
For more information about which AP devices have dual radios, see About AP Device
Configuration on page 333.
Version
This is the firmware version on the AP device.
Model
This is the model number for the AP device.
For more information about the available AP device models, see About AP Device
Configuration on page 333.
LiveSecurity
The LiveSecurity activation status for this AP device.
Uptime
The amount of time the AP device has been online.
For each AP device in the Access Points list, you can complete these tasks:
Site Survey
To detect other active wireless access points in the same area, you can complete a site survey.
For more information about how to perform a site survey, see the Perform a Site Survey section
in the topic Monitor AP Device Status on page 389.
Log Messages
To see the syslog log messages generated by an AP device, select the AP device and click
Log Messages.
Network Statistics
To see a report of network statistics information from the AP device, click Network Statistics.
The network statistics report includes interface statistics (names, MAC and IP addresses, and
traffic counters), routing table details, and ARP table details for the AP device.
Flash Power LED
To make the power LED on the AP device flash, click Flash Power LED.
The LED flashes for several minutes.
This is helpful when you need to identify a specific AP device, particularly if you use the
Disable LEDs option to operate your AP device in stealth mode to hide the use of wireless
activity.
Restart Wireless
To restart the wireless interfaces on the AP device, from the Access Points list, select the AP
device and click Restart Wireless.
All wireless interfaces on the selected AP device immediately restart.
This is helpful if there is wireless interference on the current wireless channel and you want to
use auto-selection to switch to another channel, but do not want to reboot the device.
Reboot
To restart an AP device, from the Access Points list, select the AP device and click Reboot.
Offline appears in the Status column for an AP device while it reboots. When the AP device
reboot is complete, Online appears in the Status column.
Upgrade
To upgrade the firmware on an AP device, from the Access Points list, select the AP device
and click Upgrade.
For more detailed procedures related to the tasks you can complete when you monitor your AP
devices, see Monitor AP Device Status.
Wireless Clients
On the Wireless Clients tab, you can see a list of the client devices that are connected to your AP
devices.
Filter By AP
To sort the list of connected client devices by the AP device that each client is connected to,
select an option from the Filter By AP drop-down list. The options include All and the name of
each AP device paired with this XTM device.
Filter By SSID
To sort the list of connected client devices by the SSID that each client is connected to, select
an option from the Filter By SSID drop-down list. The options include All and the name of each
SSID that is configured on your AP devices paired with this XTM device.
MAC Address
This is the MAC address assigned to the client device.
SSID
This is the name of the SSID that the client is connected to.
Access Point
This is the name of the AP device that the client is connected to.
Radio
This column shows the radio channel on the AP device that is in use by the wireless client.
Sent
This is the amount of data that the client device has sent while connected to the AP device.
Received
This is the amount of data that the client device has received while connected to the AP device.
Last Activity
This is the date and time that the client device last sent or received data through the AP device.
Disconnect Client
To disconnect a client from an AP device, from the Wireless Clients list, select the client and
click Disconnect Client.
For more detailed procedures related to the tasks you can complete when you monitor Wireless
Clients, see Monitor Wireless Clients on page 396.
Use Gateway Wireless Controller Maps
The Wireless Deployment Map is a dynamic tool that you can use to help you visualize your wireless
environment, determine where to place your AP devices, and decide how to best configure them for your
network environment. You can use the graphs and charts available in the map views to see the location
and coverage details (signal strength, wireless band, and SSIDs) for your AP devices. This can help
you find any channel or location conflicts and optimize your deployment scenario.
The Maps page includes two views: the Wireless Coverage Map and the Channel Conflict Map. The
Wireless Coverage Map shows the location of your Access Point devices relative to one another. The
Channel Conflict Map shows the location of your Access Point devices and any other wireless devices
in the vicinity, and shows the channel and bandwidth details for each device.
Before you use the Maps page to see your AP devices, make sure that all your AP devices are online
and the information for each AP device is current. If a change has occurred on an AP device since the
last scan of the area, a warning message appears for that device on the Maps page. You must scan
the AP devices again to get the most recent data. For more information, see the Scan the Area for
Devices section.
To see information on the Gateway Wireless Controller Maps page, the XTM device must first scan
the area for Access Point devices:
1. Select Dashboard > Gateway Wireless Controller.
The Gateway Wireless Controller page appears.
2. Select the Maps tab.
3. Click Display Maps.
The Gateway Wireless Controller scans the area for Access Points and the Wireless Deployment
Maps appear, with the Wireless Coverage Map selected by default.
Read the Maps
Your AP devices appear in the Wireless Deployment Maps represented by colored dots. The color of
the dots depends on the map view. Foreign access point devices that are not part of your deployment
appear in both maps as small, light blue dots.
Wireless Coverage Map View
On the Wireless Coverage Map, AP devices appear in their physical locations relative to one another.
The color of the AP device dot specifies whether it uses the band and SSID filters you specify:
- Uses the selected band (All, 2.4 GHz, or 5 GHz) and SSID
- Does not use the selected band and SSID
- Foreign access points that are not part of your deployment
Channel Conflict Map View
The color of the dots on the Channel Conflict Map indicates whether there are any channel conflicts
between your AP devices and the other wireless access points in the area:
- No channel conflicts
- Moderate channel conflicts
- Significant channel conflicts
- Does not use the selected band and SSID
- Foreign access points that are not part of your deployment
Links Between Access Points
The connector links between the AP devices and other wireless access points appear on both
Wireless Deployment Maps as lines with a pattern. The color of the line represents the channel conflict
between the access points. The length and pattern of the line represent the strength of the signal
between the access points.
Link Line Colors
- No channel conflicts
- Moderate channel conflicts
- Significant channel conflicts
Link Line Patterns
- Strong signal strength
- Good signal strength
- Weak signal strength
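The legends above encode two things for every pair of access points: how badly they conflict on a channel (dot and line color) and how strong the signal between them is (line pattern). As an added example that is not WatchGuard code, the Python below classifies both for a constructed set of access points. The overlap rule is standard 802.11 channel geometry for 20 MHz channels: 2.4 GHz channel numbers are 5 MHz apart and a channel is about 20 MHz wide, so two channel numbers fewer than 5 apart overlap, while 20 MHz channels on 5 GHz do not overlap each other. The three conflict levels, the RSSI thresholds, and the AccessPoint, conflict_level and build_links names are assumptions made for this example, not WatchGuard's definitions.

```python
"""Classify channel conflicts and link signal strength between access points,
as a channel-conflict map needs to. Added example, not WatchGuard code; the
conflict levels and RSSI thresholds are assumptions for illustration."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessPoint:
    name: str
    band: str                # "2.4 GHz" or "5 GHz"
    channel: int
    foreign: bool = False    # True for access points not in your deployment


def channels_overlap(band: str, ch_a: int, ch_b: int) -> bool:
    """Standard 20 MHz channel geometry: 2.4 GHz channels closer than 5
    numbers apart overlap (1/6/11 do not); 5 GHz 20 MHz channels never do."""
    if band == "2.4 GHz":
        return abs(ch_a - ch_b) < 5
    if band == "5 GHz":
        return ch_a == ch_b
    raise ValueError(f"unknown band {band!r}")


def conflict_level(a: AccessPoint, b: AccessPoint) -> str:
    """Assumed levels: 'none', 'moderate' (partial overlap) or
    'significant' (same channel). Different bands never conflict."""
    if a.band != b.band or not channels_overlap(a.band, a.channel, b.channel):
        return "none"
    return "significant" if a.channel == b.channel else "moderate"


def signal_class(rssi_dbm: int) -> str:
    """Assumed thresholds: strong >= -60 dBm, good >= -75 dBm, else weak."""
    if rssi_dbm >= -60:
        return "strong"
    if rssi_dbm >= -75:
        return "good"
    return "weak"


SEVERITY = {"none": 0, "moderate": 1, "significant": 2}


def worst_conflict(ap: AccessPoint, others: List[AccessPoint]) -> str:
    """Level that would decide the dot color for one of your AP devices."""
    worst = "none"
    for other in others:
        if other is ap:
            continue
        level = conflict_level(ap, other)
        if SEVERITY[level] > SEVERITY[worst]:
            worst = level
    return worst


def build_links(aps: List[AccessPoint],
                rssi: Dict[Tuple[str, str], int]) -> List[Tuple[str, str, str, str]]:
    """One (name_a, name_b, conflict, signal) tuple per pair that can hear
    each other; rssi maps a name pair to the measured dBm between them.
    Pairs with no measurement get no line, as on the map."""
    links = []
    for a, b in combinations(aps, 2):
        dbm = rssi.get((a.name, b.name), rssi.get((b.name, a.name)))
        if dbm is None:
            continue
        links.append((a.name, b.name, conflict_level(a, b), signal_class(dbm)))
    return links


# Constructed sample deployment: three 2.4 GHz radios, one 5 GHz radio, and
# one foreign access point on the same channel as AP2.
SAMPLE_APS = [
    AccessPoint("AP1", "2.4 GHz", 1),
    AccessPoint("AP2", "2.4 GHz", 6),
    AccessPoint("AP3", "2.4 GHz", 3),
    AccessPoint("AP4", "5 GHz", 36),
    AccessPoint("Cafe-Guest", "2.4 GHz", 6, foreign=True),
]
SAMPLE_RSSI = {("AP1", "AP3"): -58, ("AP2", "Cafe-Guest"): -70, ("AP1", "AP2"): -80}


if __name__ == "__main__":
    for ap in SAMPLE_APS:
        print(f"{ap.name:11s} dot: {worst_conflict(ap, SAMPLE_APS)}")
    for link in build_links(SAMPLE_APS, SAMPLE_RSSI):
        print("link:", link)
```

The sample shows the case the Channel Conflict Map exists for: AP2 is clean against your own AP1 and AP3 but sits on the same channel as a foreign access point it can hear, so its dot goes to the worst level even though nothing in your own configuration changed.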
Use the Legend
To help you read the Wireless Deployment Maps, you can use the Legend that appears on both Maps
pages.
1. At the top of the Wireless Coverage Map or Channel Conflict Map pages, click Legend .
The Gateway Wireless Controller Maps dialog box appears.
2. Review the definitions of the Access Point icons and links.
Select a Radio Band View
To help you refine your view of the APdevices that appear on the Map page, you can select which
radio bands to include in the map: 2.4 GHz, 5 GHz, or both. The default view is to show all AP devices.
AP devices that are included in the radio band view appear with a colored dot and show colored line
links to other devices, as described in the previous sections. When you select an option to include only
one radio band in the map view, the other devices are not removed fromthe map. Instead, they appear
with a gray dot and do not show a colored line link to other devices.
Filter Maps by SSID
Another method you can use to help you further refine your view of the APdevices that appear on the
Maps pages, you can select which SSIDs to include in the maps. The default view is to show all AP
devices. AP devices that use the SSID you select appear with a colored dot and show colored line
links to other devices, as described in the previous sections. When you select an option to include only
one SSID in the map view, the other devices are not removed fromthe map. Instead, they appear with
a gray dot and do not show a colored line link to other devices.
To select the SSID to show on the Maps page:
1. Fromthe Show All SSIDs drop-down list, select one SSID.
The Maps page refreshes to only include devices that use the SSID you selected.
2. To include all available SSIDs in the maps, select Show all SSIDs.
Anchor Access Points
Because the views of the Maps page are dynamically generated, the devices that appear in the maps
move around based on their physical location, and can often overlap another device in the map. To
make it easier to see the connections and possible conflicts to other access points in the map, you can
anchor any AP device to a particular location on the map.
After you anchor your AP devices, the length of the link lines between the AP devices and foreign
access points does not indicate the signal strength between the devices.
Though you can use this feature for both Maps page display options, this is particularly helpful for the
Channel Conflict Map, because there can be many devices and SSIDs that overlap in the map.
To anchor your AP devices:
1. At the top of the Maps page, select the Sticky Access Points check box.
All access points on the maps are anchored to their current locations.
2. Select an AP device and drag it to another location on the map.
Move an Access Point
When many AP devices appear in your maps, it can be difficult to see the connections to the other
devices in the map. To make it easier to see the connections to an AP device, you can use your mouse
to grab the AP device and manually move it to another location on the map. If you have selected the
Sticky Access Points check box, when you move the AP device to another location on the map, it is
anchored to the new location.
When you hover your mouse over an AP device, the colored dot and text for the AP device expand so
you can better see the AP device and grab it.
See Access Point Information & Details
When you select an AP device on either of the maps, you can click the AP device to see information
about that AP device. The available information includes:
• Current Users: Current number of connected users
• Bandwidth Usage: Amount of bandwidth in use
• IP: IP address of the AP device
• SSIDs: SSIDs for the AP device
• Radio 1: Settings for Radio 1
• Radio 2: Settings for Radio 2
• Model: AP device model number
• Serial Number: AP device serial number
• Location: Current location of the AP device
To see more detailed information about the selected AP device:
Click View Details.
The detailed page view for the selected AP device appears.
The details page for an AP device includes a smaller version of the map for the selected device, with
only the connections for that AP device.
Also included are all the details that appeared in the Information dialog box, as well as a table of the
bandwidth usage for each radio band (2.4 GHz and 5 GHz), and a table with the connection details for
all the wireless access points in the area.
To see information for only the wireless access points that have a channel conflict with the selected
AP device:
Select the Show only conflicting devices check box.
The information page updates to remove any devices that do not have a channel conflict with the AP
device.
If you find channel conflicts in your AP device configuration, and you want to change the configuration
for the AP device, you can click Configure this Access Point to go directly to the Network >
Gateway Wireless Controller page for the selected AP device.
For more information about how to configure your AP device, see Configure AP Devices in the
Gateway Wireless Controller on page 363.
To see information for another AP device from this information page, from the Access Points drop-
down list, select another AP device.
To return to the previous Wireless Deployment Map page:
Click All Access Points.
The previous map page appears.
Scan the Area for Devices
At the top right side of the Maps page, you can see the amount of time that has elapsed since your
Firebox or XTM device last scanned the area to locate your active AP devices and any other local,
foreign wireless devices. The information from each scan is cached in the map for 8 hours. To refresh
the location data that appears on the Maps page, you must manually scan the area again.
To complete a new scan of the area:
At the top right of the Maps page, click Rescan.
The Firebox or XTM device scans the area to find all the active AP devices and other local wireless
devices.
ARP Table
To see the ARP table for the XTM device:
Select System Status > ARP Table.
The ARP Table page includes devices that have responded to an ARP (Address Resolution Protocol)
request from the XTM device:
IP Address
The IP address of the computer that responds to the ARP request.
Hardware Type
The type of Ethernet connection that the IP address uses to connect.
Flags
If the hardware address of the IP resolves, it is marked as valid. If it does not, it is marked as
invalid.
A valid hardware address can briefly appear as invalid while the XTM device waits
for a response to the ARP request.
HW Address
The MAC address of the network interface card that is associated with the IP address.
Device
The interface on the XTMdevice where the hardware address for that IP address was found.
The Linux kernel name for the interface is shown in parentheses.
For more information about the System Status pages, see About the Dashboard and System Status
Pages on page 885.
Authentication List
The Authentication List page includes information about every user who is currently authenticated to
the XTM device.
To see the list of authenticated users for your XTM device:
1. Select System Status > Authentication List.
The Authentication List page appears.
Summary
The Summary section at the top of the page includes the number of users authenticated
with each authentication type, the number of management users logged in to the device,
and the total number of authenticated users.
Information about each authenticated user appears in these columns:
User
The name of the authenticated user.
Type
The type of user who authenticated: Firewall or Mobile User.
Auth Domain
The authentication server that authenticated the user.
Start Time
The amount of time since the user authenticated.
Last Activity
The amount of time since the last user activity.
IP Address
The internal IP address for the user. For mobile users, this is the IP address the XTM device
assigns to them.
Login Limit
The amount of time the user can remain connected to the XTM device.
2. To sort the Authenticated Users list, click a column header.
3. To end a user session, select the user name and select Log off users.
For more information about authentication, see About User Authentication.
For more information about the System Status pages, see About the Dashboard and System Status
Pages on page 885.
Blocked Sites
To see a list of IP addresses currently blocked by the XTM device:
Select System Status > Blocked Sites.
The Blocked Sites page appears.
The Blocked Sites page includes a list of IP addresses currently on the Blocked Sites list, the reason
they were added to the list, and the expiration time (when the site is removed from the Blocked Sites
list).
For each blocked site, the Blocked Sites list includes this information:
Blocked IP
The IPv4 or IPv6 address of the blocked site.
Triggering Source
The source of the blocked site. Sites added on the System Status > Blocked Sites page are
shown as admin, while sites added from the Firewall > Blocked Sites page are shown as
configuration.
Reason
The reason the site was blocked.
Expiration
The amount of time that remains until the timeout period expires.
Blocked sites with a Reason of Static Blocked IP, and an Expiration of Never Expire are
permanently blocked. You cannot delete or edit a permanently blocked site from this page.
To add or remove a permanently blocked site, select Firewall > Blocked Sites. For more information,
see Block a Site Permanently on page 850.
Add or Edit Temporary Blocked Sites
On the Blocked Sites page, you can also add and remove temporarily blocked sites in the Blocked
Sites list, and change the expiration of those sites.
To add a temporary blocked site to the Blocked Sites list:
1. Click Add.
The Block Site dialog box appears.
2. In the IPv4 or IPv6 address text box, type the IPv4 or IPv6 address of the site to block.
3. In the Timeout text box, specify the time in minutes that this site is to remain on the Blocked
Sites list.
4. Click Block Site.
To change the expiration for a temporarily blocked site:
1. From the Blocked Sites list, select the site.
2. Click Change Expiration.
The Block Site dialog box appears.
3. In the Timeout text box, specify the time in minutes that this site is to remain on the Blocked
Sites list.
4. Click Block Site.
To remove a temporarily blocked site from the Blocked Sites list:
1. From the Blocked Sites list, select the site.
2. Click Delete.
A confirmation message appears.
3. Click Yes.
The blocked site is removed from the list.
For more information about the System Status pages, see About the Dashboard and System Status
Pages on page 885.
Checksum
To see the checksum of the OS (operating system) files currently installed on the XTM device:
Select System Status > Checksum.
The XTM device calculates the checksum for the installed OS. It may take a few minutes for
the XTM device to complete the checksum calculation. The checksum appears, with the date
and time that the checksum calculation was completed.
For more information about the System Status pages, see About the Dashboard and System Status
Pages on page 885.
Components List
To view a list of the software components installed on the XTM device:
Select System Status > Components List.
The Components List page includes a list of the software installed on the XTM device.
The software list includes these attributes:
• Name
• Version
• Build
• Date
For more information about the System Status pages, see About the Dashboard and System Status
Pages on page 885.
DHCP Leases
To see a list of the active DHCP leases for the XTM device:
Select System Status > DHCP Leases.
The DHCP Leases page appears with information about the DHCP client leases.
DHCP lease information is separated into two lists: DHCPv4 and DHCPv6. The DHCPv4 list includes
information about leases for clients with IPv4 addresses. The DHCPv6 list includes information about
leases for clients with IPv6 addresses.
The DHCPv4 list includes:
Interface
The XTM device interface that the client is connected to.
IP Address
The IP address for the lease.
Host
The host name. If there is not an available host name, this item is empty.
MAC Address
The MAC address associated with the lease.
Start Time
The time that the client requested the lease.
End Time
The time that the lease expires.
Hardware Type
The type of hardware.
The DHCPv6 list includes:
Interface
The XTM device interface that the client is connected to.
DUID
The DUID (DHCP Unique Identifier) used by the client to get an IP address from the
DHCPv6 server.
IAID
The IAID (Identity Association Identifier) assigned to the client.
IP Address
The IP address for the lease.
Start Time
The time that the client requested the lease.
End Time
The time that the lease expires.
For more information about the System Status pages, see About the Dashboard and System Status
Pages on page 885.
Diagnostics
You can use the Fireware XTM Web UI Diagnostic Tasks tool to find diagnostic information for your
XTM device, to learn more about a log message, or to review information in your device log messages
to help you debug problems on your network. You can ping the source or destination IP address, trace
the route to the source or destination IP address, look up DNS information for an IP address, or see
information about the packets transmitted across your network (TCP dump). You can also include
arguments in your task details to narrow the results.
You can also run a VPN Diagnostic Report to see configuration and status information for a VPN
gateway and the associated Branch Office VPN tunnels.
From the Diagnostics pages, you can also download a diagnostic log file (support.tgz) that includes
packet trace information about your XTM device. For more information about how to download a
diagnostic file, see Download a Diagnostic Log File on page 935.
1. Connect to Fireware XTM Web UI for your device.
2. Select System Status > Diagnostics.
The Diagnostics page appears with the Network tab selected.
Run a Basic Diagnostics Command
1. From the Task drop-down list, select a command:
• Ping
• traceroute
• DNS Lookup
• TCP Dump
If you select Ping, traceroute, or DNS Lookup, the Address text box appears.
If you select TCP Dump, the Interface text box appears.
2. If you select Ping, traceroute, or DNS Lookup, in the Address text box, type an IP address or
host name.
If you select TCP Dump, from the Interface drop-down list, select an interface.
3. Click Run Task.
The output of the command appears in the Results window and the Stop Task button appears.
4. To stop the diagnostic task, click Stop Task.
Use Command Arguments
1. From the Task drop-down list, select a command:
• Ping
• traceroute
• DNS Lookup
• TCP Dump
2. Select the Advanced Options check box.
The Arguments text box is enabled and the Address or Interface text box is disabled.
3. In the Arguments text box, type the command arguments.
To see the available arguments for a command, leave the Arguments text box blank.
4. Click Run Task.
The output of the command appears in the Results window and the Stop Task button appears.
5. To stop the diagnostic task, click Stop Task.
For more information about the System Status pages, see About the Dashboard and System Status
Pages on page 885.
Find the IP Address for a Host Name
From your XTM device, you can use the DNS Lookup task to find which IP address a host name
resolves to.
1. From the Task drop-down list, select DNS Lookup.
The Address text box appears.
2. In the Address text box, type the host name.
3. Click Run Task.
The IP address for the host name you specified appears in the Results list.
Download a PCAP File
From the Diagnostic Tasks page, you can download a packet capture (PCAP) file to help you
diagnose problems with the traffic on your network. The PCAP file captures the results of the most
recent TCP dump task that you run so you can review the protocols found in the task results outside of
the Diagnostic Tasks page. If you do not save the TCP dump results to a PCAP file, the results of the
TCP dump task are cleared when you run a new diagnostic task.
When you enable the Advanced Options to include arguments in the TCP dump task, you must
always specify an interface. This can be a physical interface on the XTM device (such as eth0), a Link
Aggregation interface (such as bond0), a wireless interface (such as ath0), or a VLAN interface (such
as vlan10).
When you create the PCAP file with the TCP dump data, you choose whether to save the file or open
it. To open the PCAP file, you use a third-party application, such as Wireshark. You can then review
the protocols included in the file and resolve issues in your network configuration. The maximum size
of the PCAP file is 30 MB. If your XTM device has limited memory, the size of the PCAP file is
constrained relative to the memory available on your device.
To save the TCP dump data directly to a PCAP file:
1. Select System Status > Diagnostics.
The Diagnostic Tasks page appears, with the Network tab selected.
2. From the Task drop-down list, select TCP Dump.
The Interface drop-down list appears.
3. Select the Advanced Options check box.
The Advanced options appear.
4. In the Arguments text box, type the parameters for the search. Parameters are case sensitive.
For example, to capture PCAP data for the default external interface, type -ieth0.
5. Select the Stream data to a file check box.
6. Click Run Task.
The task runs and the Stop Task button and Open or Save File dialog box appear.
7. Save or open the PCAP file.
If you choose to save the PCAP file, specify a location to save the file and a name for the file.
If you choose to open the PCAP file, select the third-party application to use to open the file.
8. Click OK.
9. When the TCP dump has collected enough results, click Stop Task.
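As an added example (not part of this guide or of Fireware), the following Python script shows how a saved TCP dump PCAP file can be reviewed outside the Web UI without a third-party viewer: it parses the classic libpcap format, tallies the protocol of each Ethernet frame, and checks the 30 MB limit stated above. The three-frame capture is constructed inline so the script runs offline; the MAC and IP addresses in it are made up.

```python
"""Tally protocols in a PCAP file saved from the TCP Dump task.

Added example, not part of the Fireware XTM guide. Handles the classic
libpcap format (magic 0xa1b2c3d4, either byte order) with Ethernet frames.
"""
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4          # little-endian classic PCAP magic
PCAP_MAGIC_BE = 0xD4C3B2A1          # same magic read from a big-endian file
MAX_PCAP_BYTES = 30 * 1024 * 1024   # 30 MB limit the guide gives for the file
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_pcap(data: bytes):
    """Yield (timestamp, frame_bytes) for each record in a classic PCAP."""
    if len(data) < 24:
        raise ValueError("truncated PCAP global header")
    magic, = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic PCAP file: magic 0x%08x" % magic)
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) is handled")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record at offset %d" % offset)
        offset += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def classify(frame: bytes) -> str:
    """Return a protocol label for one Ethernet frame (ARP, IPv6, IPv4/<proto>)."""
    if len(frame) < 14:
        return "runt"
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype == 0x0806:
        return "ARP"
    if ethertype == 0x86DD:
        return "IPv6"
    if ethertype != 0x0800:
        return "ethertype 0x%04x" % ethertype
    ip = frame[14:]
    if len(ip) < 20:
        return "IPv4 (truncated)"
    return "IPv4/" + IP_PROTOCOLS.get(ip[9], "proto %d" % ip[9])   # byte 9 is Protocol


def protocol_summary(data: bytes) -> dict:
    """Map protocol label -> frame count for a whole capture."""
    return dict(Counter(classify(frame) for _ts, frame in parse_pcap(data)))


def within_size_limit(data: bytes) -> bool:
    """True if the capture fits the 30 MB maximum PCAP size."""
    return len(data) <= MAX_PCAP_BYTES


# --- constructed sample capture: one TCP SYN, one UDP datagram, one ARP request ---
def _eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def _ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0, src, dst)
    return hdr + payload


MAC_A = bytes.fromhex("020000000001")      # made-up locally administered MACs
MAC_B = bytes.fromhex("020000000002")
IP_A = bytes([192, 168, 1, 10])
IP_B = bytes([203, 0, 113, 5])             # TEST-NET-3 documentation address

tcp_syn = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
udp_dgram = struct.pack("!HHHH", 40001, 53, 8 + 12, 0) + b"\x00" * 12
arp_req = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + MAC_A + IP_A + b"\x00" * 6 + IP_B

FRAMES = [
    _eth(MAC_B, MAC_A, 0x0800, _ipv4(6, IP_A, IP_B, tcp_syn)),
    _eth(MAC_B, MAC_A, 0x0800, _ipv4(17, IP_A, IP_B, udp_dgram)),
    _eth(b"\xff" * 6, MAC_A, 0x0806, arp_req),
]


def build_sample_pcap(frames=FRAMES) -> bytes:
    """Serialise frames as a little-endian classic PCAP with Ethernet link type."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 1_400_000_000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


SAMPLE_PCAP = build_sample_pcap()

if __name__ == "__main__":
    print(protocol_summary(SAMPLE_PCAP))   # {'IPv4/TCP': 1, 'IPv4/UDP': 1, 'ARP': 1}
```

To inspect a real file saved from the Web UI, replace SAMPLE_PCAP with the bytes read from that file.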
Run a VPN Diagnostic Report
To see configuration and status information for a VPN gateway and the associated Branch Office
VPN tunnels, you can run a VPN Diagnostic Report. When you run a report, the XTM device
temporarily increases the log level for the selected gateway.
On the Diagnostic Tasks page:
1. Select the VPN tab.
2. From the Gateway drop-down list, select a VPN gateway.
3. In the Duration text box, type the number of seconds to run the VPN Diagnostic Report.
4. Click Start Report.
The diagnostic task starts.
The XTM device collects log messages for the duration you specified. When the task is completed,
details about the gateway and tunnel configuration and information about the status of any active
tunnels for the selected gateway appear in the Results section. The log level is then returned to the
previously set level.
For more information about diagnostic tasks for VPNs, see Use the VPN Diagnostic Report on page
1113.
Download a Diagnostic Log File
From Fireware XTM Web UI, you can download a diagnostic log file (support.tgz) that includes packet
trace information about your XTM device. By default, the name of the diagnostic log file is [name of the
XTM device]_support.tgz. You can specify another name when you download the file.
Before you download the diagnostic log file, make sure that diagnostic logging is enabled on your
XTM device. For more information about how to enable diagnostic logging on your device, see Set the
Diagnostic Log Level on page 878.
To download a diagnostic log file with packet trace information about the XTM device:
1. Select System Status > Diagnostics.
The Diagnostics page appears, with the Network tab selected.
2. Select the Diagnostics File tab.
The Diagnostics File page appears.
3. Click Download a Support Log File.
4. Select the location to save the diagnostics file.
The support log file is saved in tar-gzipped (*.tgz) format.
5. Click Save.
The support log file is saved to the specified location.
6. Review the details of the packet trace in the support log file.
7. Disable diagnostic logging.
Dynamic DNS
To view the dynamic DNS status information:
Select System Status > Dynamic DNS.
The Dynamic DNS page contains the Dynamic DNS status information, which includes these details:
Name
The interface name.
User
The Dynamic DNS account user name.
Domain
The domain for which Dynamic DNS is being provided.
System
The Dynamic DNS service type.
Address
The IP address associated with the domain.
IP
The current IP address of the interface.
Last
The last time the DNS was updated.
Next Date
The next time the DNS is scheduled to be updated.
State
The state of Dynamic DNS.
For more information about the System Status pages, see About the Dashboard and System Status
Pages on page 885.
Hotspot Clients
When you enable the hotspot feature for your WatchGuard XTM device, you can see information about
the number of clients that are connected. You can also disconnect any connected clients from the
hotspot.
For more information about how to enable the hotspot feature, see Enable a Hotspot on page 567.
To see the wireless hotspot connections:
1. Connect to Fireware XTM Web UI for your XTM device.
2. Select System Status > Hotspot Clients.
The IP address and MAC address of each connected client appear in the list.
For more information about how to manage hotspot connections, see See Hotspot Connections on
page 575.
LiveSecurity
Fireware XTM Web UI includes a page with the most recent alert notifications sent from the
WatchGuard LiveSecurity Service. LiveSecurity alerts give you information that applies to the
appliance, such as notification about available software updates.
To see alerts from WatchGuard:
1. Select System Status > LiveSecurity.
2. To change the refresh interval for the page, select an option from the drop-down list:
• 5 seconds
• 10 seconds
• 30 seconds
• 60 seconds
• 2 minutes
• 5 minutes
3. To pause the page refresh, click .
4. To resume the page refresh, click .
For more information about the System Status pages, see About the Dashboard and System Status
Pages on page 885.
Processes
To see a list of processes that run on the XTM device:
1. Connect to Fireware XTM Web UI for your device.
2. Select System Status > Processes.
The Processes page appears.
The Processes page includes information about all processes that run on the XTM device.
PID
The Process ID is a unique number that shows when the process started.
Name
The name of the process.
CPU
The percentage of CPU time the process has used since the last device reboot.
Time
The time that the process has used since the last time the device was started.
State
The state of the process:
• R: Running
• S: Sleeping
• D, Z: Inactive
Real
The total number of kilobytes of physical memory the process uses.
Virtual
The total number of kilobytes of virtual memory the process uses.
Share
The total number of kilobytes of shared memory the process uses.
For more information about the System Status pages, see About the Dashboard and System Status
Pages on page 885.
Routes
To see the routes table for the XTM device:
Select System Status > Routes.
The routes table includes this information about each route:
Destination
The network that the route was created for.
Interface
The interface associated with the route.
Gateway
The gateway that the network uses.
Flag
The flags set for each route.
Metric
The metric set for this route in the routing table.
Mask
The network mask for the route.
For more information about the System Status pages, see About the Dashboard and System Status
Pages on page 885.
Server Connection
To make sure that your XTM device can connect to your Active Directory or LDAP server and
successfully authenticate your users, you can test the connection to your authentication server from
Fireware XTM Web UI. This is helpful both when you set up a new XTM device and when you
reconfigure your current device or authentication server. You can also use this feature to determine the
authentication status of a particular user in your authentication server database, and to get
authentication group information for that user.
To test the connection to your authentication server, you must only select the authentication server to
test. To find the authentication status for a user and get user group information for that user, you must
also select the authentication server, but the other information you must provide depends on how you
have configured your authentication server. If you specified the Searching User name and password in
your authentication server settings, you can provide less information on the Server Connection page
and still get both the user authentication status and user group information in the test results.
For more information about how to specify the Searching User credentials for your Active Directory or
LDAP server, see Configure Active Directory Authentication on page 551 and Configure LDAP
Authentication on page 546.
When you specify the Searching User credentials for your authentication server, you can choose
whether to specify only the username or to also specify the password. If you do not specify the
password for the Searching User, the Server Connection page Results section only includes the
authentication status and group information if you specify both the correct User Name and the correct
Password in the Authentication Server Connection section.
This table shows the results you see based on the Searching User credentials you set and the user
name and password details that you provide.
Searching User Credentials | User Name | Password  | Result
User name & password       | None      | None      | Authentication status not verified, group information not retrieved
User name & password       | Yes       | None      | Authentication status not verified, group information retrieved
User name & password       | Yes       | Incorrect | Authentication status verified, group information retrieved
User name & password       | Yes       | Yes       | Authentication status verified, group information retrieved
None                       | None      | None      | Authentication status not verified, group information not retrieved
None                       | Yes       | None      | Authentication status not verified, group information not retrieved
None                       | Yes       | Incorrect | Authentication status not verified, group information not retrieved
None                       | Yes       | Yes       | Authentication status verified, group information retrieved
Test the Server Connection
You can test the connection to your authentication server from the Authentication Servers page for
your Active Directory or LDAP server, or you can navigate directly to the Server Connection page in
Fireware XTM Web UI. When you test the connection, the results you receive depend on the
parameters you specified. This can include the connection status of the server, the authentication
status of the user you specified, and any group membership information for that user.
For instructions to navigate to the Server Connection page fromthe Authentication Servers page,
see the appropriate topic for your server:
• Configure Active Directory Authentication on page 551
• Configure LDAP Authentication on page 546
To navigate directly to the Server Connection page, from Fireware XTM Web UI:
1. Select System Status > Server Connection.
The Authentication Server Connection page appears.
2. From the Authentication Server drop-down list, select the server to test.
3. In the Username text box, type the name of a user account in your authentication server
database.
4. In the Password text box, type the password of the user you specified.
5. Click Test Connection.
The XTM device contacts the server you selected and returns results of the connection test in the
Results list.
Read the Server Connection Results
The details that appear in the Results list depend on the connection status of your server, the
authentication status of the user account you specified, and the user credentials you specified.
Results include:
Detail               | Result                                                                                           | Description
Connect to server    | OK (Connected to <server address>)                                                               | The connection test was successful and the device is connected to the specified server.
Connect to server    | Failed (Failed to connect to <server address>)                                                   | The connection test was not successful and the device is not connected to the specified server.
Log in (bind)        | OK (<user@server domain> authenticated)                                                          | The specified user was found in the server database and is currently authenticated to the specified server.
Log in (bind)        | Failed (User <user@server domain> not authenticated [<details of reason authentication failed>]) | The specified user was not found in the server database and is not currently authenticated to the specified server. Details of the reason for the failure are also included.
Log in (bind)        | Failed (Unknown)                                                                                 | If the device could not connect to the specified server and determine whether the specified user is authenticated, the connection test is not successful, and the Log in (bind) result is Failed (Unknown).
Get group membership | List of groups                                                                                   | If the Log in (bind) result is OK, the specified user is in the server database, and the Results list includes all the groups of which the specified user is a member.
Get group membership | Empty                                                                                            | If the Log in (bind) result is Failed or Unknown, the specified user was not found in the server database and no group membership details are sent to the device.
Traffic Management
On the System Status > Traffic Management page, you can see the bandwidth statistics for the
traffic managed by traffic management actions configured on your Firebox or XTM device. The
statistics include details about which policies and applications use each Traffic Management action.
The current bandwidth usage also appears, and is shown as a percentage of the configured maximum
bandwidth for the Traffic Management action. In the statistics, 1 Kbps is equal to 1024 bits per second.
When you first select the Traffic Management page, statistical details do not appear until the Refresh
Interval value expires. As Fireware XTM Web UI receives the Traffic Management data, it appears on
the Traffic Management chart and in the table below the chart.
To see Traffic Management statistics:
Select System Status > Traffic Management.
The statistics appear for each Traffic Management action that you have configured.
If you connect to a FireCluster, on the Traffic Management page, you can select which cluster
member to view.
To choose which cluster member to see on the Traffic Management page:
From the Member drop-down list, select a cluster member.
The Traffic Management page includes a chart and table that show these statistics:
Action
The name of the Traffic Management action.
Usage
The amount of the maximum bandwidth that is currently in use. It is the Rate value divided by
the Maximum value.
Rate
The current data rate for traffic managed by this action.
Bytes
The current number of bytes for traffic managed by this action.
Packets
The total number of packets.
Drop Rate
The historical drop rate of packets managed by this action. The Drop Rate statistic is the
average percentage of packets dropped for all traffic managed by this action since it was
created, last modified, or the device was rebooted.
Minimum
The minimum guaranteed bandwidth configured for this action.
Maximum
The maximum bandwidth configured for this action.
To see more information for any Traffic Management action that appears in the table:
From the table, select a Traffic Management action.
A dialog box appears with more information about that action.
The Traffic Management action information dialog box includes these details:
Direction
The traffic direction the action applies to:
• Forward: The action is configured in the policy as the Forward Action.
• Reverse: The action is configured in the policy as the Reverse Action.
• Both: The action is configured in the policy as both the Forward Action and the
Reverse Action.
• None: The action is not configured as either the Forward Action or the Reverse
Action, but is used in the Application Control action specified in the policy. For
applications, the action applies to traffic in both directions.
Application Control Action Name
The name of the Application Control action specified in the policy, if the Application Control
action uses the Traffic Management action.
Below the Application Control Action Name, the list of applications the Traffic
Management action applies to appears. If the action is used for an application category,
[All Applications] appears for the application name, followed by the application category
name. For applications, the action applies to application traffic in both directions.
For information about Traffic Management, see About Traffic Management and QoS on page 803.
For more information about the System Status pages, see About the Dashboard and System Status
Pages on page 885.
Users and Roles
On the Users and Roles page, you can see detailed information about the Device Management users
who are connected to your Firebox or XTM device. You can also log off the connected users with the
Device Monitor role. You cannot log off a user with the Device Administrator role.
View Connected Users
To see the list of users logged in to your device:
Select System Status > Users and Roles.
The Users and Roles page appears.
The Users and Roles list includes all of the users who are currently logged in to the device. For each
user, the list includes:
• User: The user name assigned to the user account.
• Authentication Domain: The name of the authentication server for the user account. For an
Active Directory server, the domain name appears.
• Role: The Device Management role assigned to the user account: Device Administrator or
Device Monitor.
• Start Time: The time the user logged in to the device.
• Last Activity: The number of days and the time that has elapsed since the user last connected to
the device.
• IP Address: The IP address where the user connection originates.
Log Off Users
You can end the session for any Device Management user who is connected to your Firebox or
XTM device with the Device Monitor role. You cannot log off a user with the Device Administrator role.
If a user with the Device Administrator role is connected to your device and the user session is idle, to
log off that user, you must wait for the user connection session to time out, or reboot your device.
To log off a connected user, you must be connected to the device as a user with the Device
Administrator role.
On the Users and Roles page:
1. From the Users and Roles list, select the check box for one or more users.
2. Click Log off users.
The selected users are logged off of the device.
For information about Device Management user accounts on your device, see Manage Users and
Roles on Your Device on page 861.
For more information about the System Status pages, see About the Dashboard and System Status
Pages on page 885.
VPN Statistics
To see statistics about VPN tunnels:
1. Select System Status > VPN Statistics.
The traffic statistics for Branch Office VPN tunnels appear.
2. Select a tab to see traffic statistics for that tunnel type:
• Branch Office VPN
• Mobile VPN with IPSec
• Mobile VPN with L2TP
The VPN statistics pages include the following details. Not all details are available for each
VPN type.
Name
The tunnel name.
Local
The IP address at the local end of the tunnel.
Remote
The IP address at the remote end of the tunnel.
Gateway
(Branch Office VPN and Mobile VPN with IPSec only)
The gateway endpoints used by this tunnel.
Packets In
(Branch Office VPN and Mobile VPN with IPSec only)
The number of packets received through the tunnel.
Bytes In
The number of bytes received through the tunnel.
Packets Out
(Branch Office VPN and Mobile VPN with IPSec only)
The number of packets sent out through the tunnel.
Bytes Out
The number of bytes sent out through the tunnel.
Rekeys
(Branch Office VPN and Mobile VPN with IPSec only)
The number of rekeys for the tunnel.
Uptime
(Mobile VPN with L2TP only)
The amount of time the tunnel has been active.
State
(Mobile VPN with L2TP only)
The current status of the tunnel.
3. To force a BOVPN tunnel to rekey, on the Branch Office VPN tab, select a BOVPN tunnel and
click Rekey selected BOVPN tunnel.
For more information, see Rekey BOVPN Tunnels on page 1112.
4. To see additional statistical information for use when you troubleshoot VPNs, select the Debug
tab.
Use this feature when you troubleshoot a VPN problem with a technical support representative.
For more information about the System Status pages, see About the Dashboard and System Status
Pages on page 885.
Rogue AP Detection
On the Rogue AP Detection page, the results of the wireless rogue access point detection scans run
by your XTM device appear. The scan results include the list of untrusted wireless access points found
by the most recent access point detection scan. Any trusted access points that you have defined in
your wireless rogue access point detection configuration do not appear in this list.
You can review the results of the most recent detection scan, or you can run a new scan to get updated
results.
To see and update the list of rogue access points:
1. Select System Status > Rogue AP Detection.
The Rogue Access Point Detection page appears.
2. To run a scan for rogue access points, click Scan now.
The wireless access point starts a rogue access point detection scan and updates the list of
untrusted access points.
For more information about the results that appear in the Rogue Access Point Detection list, see
Rogue Access Point Scan Results on page 331.
Wireless Statistics
To see statistics about your wireless network:
1. Select System Status > Wireless Statistics.
The Wireless Statistics page appears with a summary of wireless configuration settings, and the
Statistics tab selected.
2. To see connection information for connected Access Points and Wireless Clients, select the
Statistics tab.
3. To see the statistics for the device interfaces, select the Details tab.
The Wireless Statistics summary includes:
• Current Country
• Wireless mode
• Wireless band
• Wireless channel details
On the Statistics tab, this information appears for each connected device:
Access Points
• Name: The name of the Access Point.
• Sent: The total amount of data in bytes sent through the Access Point.
• Received: The total amount of data in bytes received through the Access Point.
• Total: The total amount of data in bytes sent and received through the Access Point.
• Users: The number of clients that are currently connected to the Access Point.
Wireless Clients
For the Access Points connected to the XTM device, you can see the list of Wireless Clients
connected to the Access Point. You can select to include the clients for one or more Access Points in
the list.
From the Access Point drop-down list, select an Access Point.
The
On the Details tab, this information appears for the connected devices:
• Wireless configuration information
• Interface statistics
• Keys
• Bit rates
• Frequencies
You can also update the wireless country information for this device from this page. The available
options for the wireless radio settings are based on the regulatory requirements of the country in which
the device detects that it is located.
To update the wireless country information:
Click Update Country Info.
The 2 Series device contacts a WatchGuard server to determine the current operating region.
For more information about radio settings on the WatchGuard XTM wireless device, see About
Wireless Radio Settings.
For more information about the System Status pages, see About the Dashboard and System Status
Pages on page 885.
19
Certificates
About Certificates
Certificates match the identity of a person or organization with a method for others to verify that identity
and secure communications. They use an encryption method called a key pair, or two mathematically
related numbers called the private key and the public key. A certificate includes both a statement of
identity and a public key, and is signed by a private key.
The private key used to sign a certificate can be from the same key pair used to generate the
certificate, or from a different key pair. If the private key is from the same key pair used to create the
certificate, the result is called a self-signed certificate. If the private key is from a different key pair, the
result is a regular certificate. Certificates with private keys that can be used to sign other certificates
are called CA (Certificate Authority) certificates. A certificate authority is an organization or application
that signs and revokes certificates.
If your organization has a PKI (public key infrastructure) set up, you can sign certificates as a CA
yourself. Most applications and devices automatically accept certificates from prominent, trusted CAs.
Certificates that are not signed by prominent CAs, such as self-signed certificates, are not
automatically accepted by many servers or programs, and do not operate correctly with some Fireware
XTM features.
Use Multiple Certificates to Establish Trust
Several certificates can be used together to create a chain of trust. For example, the CA certificate at
the start of the chain is from a prominent CA, and is used to sign another CA certificate for a smaller
CA. That smaller CA can then sign another CA certificate used by your organization. Finally, your
organization can use this CA certificate to sign another certificate for use with the HTTPS proxy and
SMTP proxy content inspection features. However, to use that final certificate at the end of the chain
of trust, you must first import all of the certificates in the chain of trust in this order:
1. CA certificate from the prominent CA (as type Other)
2. CA certificate from the smaller CA (as type Other)
3. CA certificate from the organization (as type Other)
4. Certificate used to re-encrypt proxy content after inspection (as type Proxy Authority)
It could also be necessary to import all of these certificates on each client device so that the last
certificate is also trusted by users.
How the XTM Device Uses Certificates
Your XTM device can use certificates for several purposes:
• Management session data is secured with a certificate.
• Branch Office VPN, Mobile VPN with IPSec, and Mobile VPN with L2TP tunnels can use
certificates for authentication.
• When content inspection is enabled, some proxies use a certificate to re-encrypt incoming
traffic after it is decrypted for inspection.
• You can use a certificate with the proxy to protect a web server on your network.
• When a user authenticates with the XTM device for any purpose, such as a WebBlocker
override, the connection is secured with a certificate.
• When RADIUS or Firebox authentication is configured to use the WPA Enterprise or WPA2
Enterprise authentication methods, a certificate is used.
By default, your XTM device creates self-signed certificates to secure management session data and
authentication attempts for Fireware XTM Web UI and for proxy content inspection. To make sure the
certificate used for content inspection is unique, its name includes the serial number of your device and
the time at which the certificate was created. Because these certificates are not signed by a trusted
CA, users on your network see warnings in their web browsers.
You have three options to remove this warning:
1. You can import certificates that are signed by a CA your organization trusts, such as a PKI you
have already set up for your organization, for use with these features. We recommend that you
use this option if possible.
2. You can create a custom, self-signed certificate that matches the name and location of your
organization.
3. You can use the default, self-signed certificate.
For the second and third options, you can ask network clients to accept these self-signed certificates
manually when they connect to the XTM device. Or, you can export the certificates and distribute them
with network management tools. You must have WatchGuard System Manager installed to export
certificates.
Certificate Lifetimes and CRLs
Each certificate has a set lifetime when it is created. When the certificate reaches the end of that set
lifetime, the certificate automatically expires and can no longer be used. You can also remove
certificates manually with Firebox System Manager (FSM).
Sometimes, certificates are revoked, or disabled before their lifetime expiration, by the CA. Your XTM
device keeps a current list of these revoked certificates, called the Certificate Revocation List (CRL),
to verify that certificates used for VPN authentication are valid. If you have WatchGuard System
Manager installed, this list can be updated manually with Firebox System Manager (FSM), or
automatically with information from a certificate. Each certificate includes a unique number used to
identify the certificate. If the unique number on a Web Server, BOVPN, Mobile VPN with IPSec, or
Mobile VPN with L2TP certificate matches an identifier from its associated CRL, the XTM device
disables the certificate.
When content inspection is enabled on a proxy, the XTM device can check the OCSP (Online
Certificate Status Protocol) responder associated with the certificates used to sign the content. The
OCSP responder sends the revocation status of the certificate. The XTM device accepts the
OCSP response if the response is signed by a certificate the XTM device trusts. If the OCSP response
is not signed by a certificate the XTM device trusts, or if the OCSP responder does not send a
response, then you can configure the XTM device to accept or reject the original certificate.
For more information about OCSP options, see HTTPS-Proxy: Content Inspection on page 731.
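As an added example (not WatchGuard's code), the following Python script uses the `cryptography` package to build the four-certificate chain from Use Multiple Certificates to Establish Trust and walk it with the checks this section describes: the walk fails when a CA certificate in the chain has not been imported, when a certificate's serial number is on its issuer's CRL, or when a certificate is outside its lifetime. All names, serial numbers and the clock are constructed, and the package must be installed.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed clock so the demo is reproducible; not the system time.
NOW = dt.datetime(2014, 5, 12, tzinfo=dt.timezone.utc)


def _utc(cert, attr):
    """Lifetime bound as an aware datetime (older cryptography has only naive attributes)."""
    value = getattr(cert, attr + "_utc", None)
    if value is None:
        value = getattr(cert, attr).replace(tzinfo=dt.timezone.utc)
    return value


def cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def make_cert(common_name, issuer_cert, issuer_key, key, serial):
    """Issue a CA certificate for `common_name`; a None issuer makes it self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer)
               .public_key(key.public_key()).serial_number(serial)
               .not_valid_before(NOW - dt.timedelta(days=1))
               .not_valid_after(NOW + dt.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
    return builder.sign(issuer_key, hashes.SHA256())


def signed_by(cert, issuer):
    """True when the issuer's public key verifies the signature on `cert` (ECDSA keys here)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def verify_chain(leaf, trusted_roots, imported, crls=(), now=NOW, max_depth=8):
    """Walk from `leaf` up to a trusted root. Every CA between the two must be in
    `imported` (the certificates imported as type Other), each link must be within
    its lifetime, and a serial number listed on the issuer's CRL disables that
    certificate. Returns (ok, reason)."""
    cert = leaf
    for _ in range(max_depth):
        if not _utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after"):
            return False, f"{cn(cert)}: outside its lifetime"
        parents = [c for c in list(trusted_roots) + list(imported)
                   if c.subject == cert.issuer and signed_by(cert, c)]
        if not parents:
            return False, f"{cn(cert)}: issuer {cert.issuer.rfc4514_string()} is not imported"
        parent = parents[0]
        for crl in crls:  # only a CRL the issuer itself signed counts
            if (crl.issuer == parent.subject and crl.is_signature_valid(parent.public_key())
                    and crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None):
                return False, f"{cn(cert)}: serial {cert.serial_number} is on the CRL of {cn(parent)}"
        if parent in trusted_roots:
            return True, f"{cn(leaf)}: chain ends at trusted root {cn(parent)}"
        if parent == cert:
            return False, f"{cn(cert)}: self-signed and not a trusted root"
        cert = parent
    return False, "chain too long"


def build_demo():
    """The four-certificate chain from the text, plus a CRL from the organization CA
    that revokes the proxy authority certificate (all names and serials constructed)."""
    keys = {n: ec.generate_private_key(ec.SECP256R1()) for n in ("root", "smaller", "org", "proxy")}
    root = make_cert("Prominent Root CA", None, keys["root"], keys["root"], 1001)
    smaller = make_cert("Smaller CA", root, keys["root"], keys["smaller"], 1002)
    org = make_cert("Example Org CA", smaller, keys["smaller"], keys["org"], 1003)
    proxy = make_cert("Proxy Authority", org, keys["org"], keys["proxy"], 1004)
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(org.subject).last_update(NOW).next_update(NOW + dt.timedelta(days=7))
           .add_revoked_certificate(x509.RevokedCertificateBuilder()
                                    .serial_number(proxy.serial_number).revocation_date(NOW).build())
           .sign(keys["org"], hashes.SHA256()))
    return root, smaller, org, proxy, crl


if __name__ == "__main__":
    root, smaller, org, proxy, crl = build_demo()
    print(verify_chain(proxy, [root], [smaller, org]))              # full chain imported
    print(verify_chain(proxy, [root], [org]))                       # smaller CA missing
    print(verify_chain(proxy, [root], [smaller, org], crls=[crl]))  # revoked by CRL
    print(verify_chain(proxy, [root], [smaller, org], now=NOW + dt.timedelta(days=400)))
```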
Certificate Authorities and Signing Requests
To obtain a certificate from a CA, you put part of a cryptographic key pair in a certificate signing
request (CSR) and send the request to the CA. It is important that you use a new key pair for each CSR
you create. The CA issues a certificate after it receives the CSR and verifies your identity. If you have
FSM or Management Server software installed, you can use these programs to create a CSR for your
XTM device. You can also use other tools, such as OpenSSL or the Microsoft CA Server that comes
with most Windows Server operating systems.
To create a certificate for use with the HTTPS-proxy and SMTP-proxy content inspection features, you
must create a CA certificate that can re-sign other certificates. If you create a CSR with Firebox
System Manager and have it signed by a prominent CA, it cannot be used as a CA certificate.
If you do not have a PKI set up in your organization, we recommend that you choose a prominent CA to
sign the CSRs you use, except for the proxy CA certificate. If a prominent CA signs your certificates,
your certificates are automatically trusted by most users. WatchGuard has tested certificates signed
by VeriSign, Microsoft CA Server, Entrust, and RSA KEON. You can also import additional certificates
so that your XTM device trusts other CAs.
For a complete list of automatically trusted CAs, see Certificate Authorities Trusted by the XTM
Device on page 956.
Certificate Authorities Trusted by the XTM Device
By default, your XTM device trusts most of the same certificate authorities (CAs) as modern web
browsers. We recommend that you import certificates signed by a CA on this list for the HTTPS proxy
or Fireware XTM Web UI, so that users do not see certificate warnings in their web browser when they
use those features. However, you can also import certificates from other CAs so that your certificates
are trusted.
If you have installed WatchGuard System Manager, a copy of each certificate is stored on your hard
drive at:
• Windows 8 and Windows 7: C:\ProgramData\WatchGuard\wgca\certs
• Windows XP: C:\Documents and Settings\WatchGuard\wgauth\certs\README
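The list below is in OpenSSL's one-line subject format: attributes separated by ", ", or by "/" before a trailing attribute such as emailAddress or serialNumber, with non-ASCII bytes printed as \xNN escapes. The following Python parser is an added example, not part of the guide or of WatchGuard's software: it splits an entry into attribute/value pairs, decodes the escapes, and reports subjects that appear more than once; the sample entries are copied from the list, each joined onto one line.

```python
import re
from collections import Counter

# An attribute starts at the beginning of the line, after ", " or after "/"
# (OpenSSL's one-line format puts "/" before emailAddress, serialNumber, ...).
_ATTR = re.compile(r"(?:^|, |/)([A-Za-z][A-Za-z0-9.]*)=")
# OpenSSL prints non-ASCII bytes as \xNN; several escapes make up one UTF-8 character.
_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape(value: str) -> str:
    """Turn \\xNN byte escapes back into text (bytes that are not valid UTF-8 become U+FFFD)."""
    out = bytearray()
    i = 0
    while i < len(value):
        m = _ESC.match(value, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.extend(value[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def parse_dn(line: str) -> list:
    """Split one subject line into ordered (attribute, value) pairs.
    Values may themselves contain commas, "/" or URLs, so a value runs up to
    the next "<separator><attribute>=" boundary rather than to the next comma."""
    starts = list(_ATTR.finditer(line))
    pairs = []
    for n, m in enumerate(starts):
        end = starts[n + 1].start() if n + 1 < len(starts) else len(line)
        pairs.append((m.group(1), unescape(line[m.end():end].strip())))
    return pairs


def canonical(pairs) -> str:
    """Stable key for comparing subjects (attribute order matters in a DN, so keep it)."""
    return "/".join(f"{k}={v}" for k, v in pairs)


def duplicate_subjects(lines) -> dict:
    """Subjects listed more than once, with their counts."""
    counts = Counter(canonical(parse_dn(line)) for line in lines)
    return {k: c for k, c in counts.items() if c > 1}


def subjects_with_cn(lines, needle: str) -> list:
    """Subjects whose CN contains `needle` (case-insensitive)."""
    found = []
    for line in lines:
        pairs = parse_dn(line)
        if any(k == "CN" and needle.lower() in v.lower() for k, v in pairs):
            found.append(canonical(pairs))
    return found


# Sample entries copied from the list, each joined onto one line (raw strings keep the escapes).
SAMPLE = [
    r"C=FR, O=Certplus, CN=Class 2 Primary CA",
    r"C=ES, ST=Barcelona, L=Barcelona (see current address at https://www.anf.es/address/), O=ANF Autoridad de Certificaci\xC3\xB3n, OU=ANF Clase 1 CA/serialNumber=G63287510, CN=ANF Server CA",
    r"L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//emailAddress=info@valicert.com",
    r"CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1, C=TR, L=Ankara, O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c)Aral\xC4\xB1k 2007",
    r"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority",
    r"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_dn(line))
    print(duplicate_subjects(SAMPLE))
```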
Certificate Authority List
C=FR, O=Certplus, CN=Class 2 Primary CA
C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority - G2,
OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust
Network
O=eSign Australia, OU=Public Secure Services, CN=Primary Utility Root CA
C=ES, ST=Barcelona, L=Barcelona (see current address at
https://www.anf.es/address/), O=ANF Autoridad de Certificaci\xC3\xB3n, OU=ANF
Clase 1 CA/serialNumber=G63287510, CN=ANF Server CA
C=CH, O=SwissSign AG, CN=SwissSign Gold Root CA - G3
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting, OU=Certification
Services Division, CN=Thawte Personal Premium CA/emailAddress=personal-
premium@thawte.com
C=FR, O=Dhimyotis, CN=Certigna
C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 2 CA 2007
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. -
For authorized use only, CN=VeriSign Class 3 Public Primary Certification
Authority - G5
O=Digital Signature Trust Co., CN=DST Root CA X3
C=AT, O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU=A-
Trust-Qual-03, CN=A-Trust-Qual-03
O=Cybertrust, Inc, CN=Cybertrust Global Root
C=US, O=AffirmTrust, CN=AffirmTrust Premium
C=FR, O=Certplus, CN=Class 1 Primary CA
C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte,
Inc. - For authorized use only, CN=thawte Primary Root CA
C=GB, O=Trustis Limited, OU=Trustis EVS Root CA
C=CN, O=UniTrust, CN=UCA Global Root
C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom
Certification Authority
C=AT, O=A-Trust, OU=A-Trust-nQual-01, CN=A-Trust-nQual-01
C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO
Certification Authority
C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Class 4 CA, CN=TC TrustCenter
Class 4 CA II
C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification Authority - G2,
OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global
Certification Authority
C=FR, O=KEYNECTIS, OU=ROOT, CN=KEYNECTIS ROOT CA
C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G2
C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2,
OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust
Network
C=LT, O=Skaitmeninio sertifikavimo centras, OU=Certification Authority, CN=SSC
Root CA B
CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet
Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1, C=TR, L=Ankara, O=T\xC3\x9CRKTRUST
Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi
Hizmetleri A.\xC5\x9E. (c)Aral\xC4\xB1k 2007
C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA
Root
x500UniqueIdentifier=SEC-830101-9V9, L=Alvaro Obregon, ST=Distrito Federal,
C=MX/postalCode=01030/street=Insurgentes Sur 1940, CN=Autoridad Certificadora
Raiz de la Secretaria de Economia, OU=Direccion General de Normatividad
Mercantil, O=Secretaria de Economia/emailAddress=acrse@economia.gob.mx
C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO
Certification Authority
C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Class 3 CA, CN=TC TrustCenter
Class 3 CA II
C=US, O=VISA, OU=Visa International Service Association, CN=Visa Information
Delivery Root CA
DC=com, DC=microsoft, CN=Microsoft Root Certificate Authority
C=ES, O=Consejo General de la Abogacia NIF:Q-2863006I, CN=Autoridad de
Certificacion de la Abogacia
C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom
Certification Authority
C=ES, O=IZENPE S.A. - CIF A-01337260-RMerc.Vitoria-Gasteiz T1055 F62 S8, L=Avda
del Mediterraneo Etorbidea 3 - 01010 Vitoria-Gasteiz,
CN=Izenpe.com/emailAddress=Info@izenpe.com
C=US, O=Symantec Corporation, CN=Symantec Root 2005 CA
CN=Microsoft Internet Authority, DC=com, DC=microsoft, DC=corp,DC=redmond,
CN=Microsoft Secure Server Authority
C=LT, O=Skaitmeninio sertifikavimo centras, OU=Certification Authority, CN=SSC
Root CA C
CN=ComSign CA, O=ComSign, C=IL
C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification Authority
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Autorit\xC3\xA9 Racine
C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok,
CN=NetLock Uzleti (Class B) Tanusitvanykiado
C=DK, O=TDC Internet, OU=TDC Internet Root CA
C=CH, O=SwissSign AG, CN=SwissSign Platinum Root CA - G3
C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte,
Inc. - For authorized use only, CN=thawte Primary Root CA
C=US, O=Wells Fargo, OU=Wells Fargo Certification Authority, CN=Wells Fargo Root
Certificate Authority
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. -
For authorized use only, CN=VeriSign Class 3 Public Primary Certification
Authority - G5
C=LV, OU=Sertifikacijas pakalpojumu dala, CN=E-ME SSI (RCA)
C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=
(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification
Authority
C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2
O=EUnet International, CN=EUnet International Root CA
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting, OU=Certification
Services Division, CN=Thawte Personal Basic CA/emailAddress=personal-
basic@thawte.com
C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO
Certification Authority
C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA11
DC=com, DC=microsoft, CN=Microsoft Root Certificate Authority, C=US,
ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Product
Secure Communications PCA
CN=ComSign Secured CA, O=ComSign, C=IL
C=FR, ST=France, L=Paris, O=PM/SGDN, OU=DCSSI,
CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy
Validation Authority,
CN=http://www.valicert.com//emailAddress=info@valicert.com
DC=com, DC=microsoft, CN=Microsoft Root Certificate Authority
C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1
C=BR, O=Serasa S.A., OU=Serasa CA III, CN=Serasa Certificate Authority III
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Product
Secure Communications PCA, emailAddress=pki@microsoft.com
C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
CN=ACEDICOM Root, OU=PKI, O=EDICOM, C=ES
C=EE, O=AS Sertifitseerimiskeskus, CN=Juur-SK, emailAddress=pki@sk.ee
C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification
Authority
C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA
C=AT, O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU=A-
Trust-nQual-03, CN=A-Trust-nQual-03
C=BR, O=Certisign Certificadora Digital Ltda., OU=Certisign - Autoridade
Certificadora - AC2
C=US, O=VISA, OU=Visa International Service Association, CN=Visa eCommerce Root
C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA
Root
C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High-
Assurance Secure Server CA
C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority,
O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server
CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
VeriSign
C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte,
Inc. - For authorized use only, CN=thawte Primary Root CA
C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3
C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
C=US, O=SecureTrust Corporation, CN=Secure Global CA
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA
C=ES, ST=Barcelona, L=Barcelona, O=IPS Internet publishing Services s.l.,
O=ips@mail.ips.es C.I.F. B-60929452, OU=IPS CA Timestamping Certification
Authority, CN=IPS CA Timestamping Certification
Authority/emailAddress=ips@mail.ips.es
C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Universal CA, CN=TC TrustCenter
Universal CA I
C=SI, O=ACNLB
C=US, O=U.S. Government, OU=ECA, CN=ECA Root CA
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting, OU=Certification
Services Division, CN=Thawte Personal Freemail CA/emailAddress=personal-
freemail@thawte.com
C=FI, O=Sonera, CN=Sonera Class2 CA
C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA
CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet
Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1, C=TR, L=ANKARA, O=(c) 2005
T\xC3\x9CRKTRUST Bilgi\xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim
G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E.
C=DE, O=D-Trust GmbH, CN=D-TRUST Qualified Root CA 1 2007:PN
C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority
O=TeliaSonera, CN=TeliaSonera Root CA v1
C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust
Global Root
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=
(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification
Authority
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
C=CH, O=SwissSign, CN=SwissSign CA (RSA IK May 6 1999 18:00:58)
/emailAddress=ca@SwissSign.com
C=ES, O=IZENPE S.A., CN=Izenpe.com
C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust
Global Root
C=US, O=Akamai Technologies Inc, CN=Akamai Subordinate CA 3
C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD CLASS 3 Root CA
C=MO, O=Macao Post, CN=Macao Post eSignTrust Root Certification Authority
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Certificate
Trust List PCA, DC=com, DC=microsoft, CN=Microsoft Root Certificate Authority
C=CZ, O=\xC4\x8Cesk\xC3\xA1 po\xC5\xA1ta, s.p. [I\xC4\x8C 47114983],
CN=PostSignum Root QCA 2
C=ES, ST=Barcelona, L=Barcelona, O=IPS Internet publishing Services s.l.,
O=ips@mail.ips.es C.I.F. B-60929452, OU=IPS CA CLASEA3 Certification
Authority, CN=IPS CA CLASEA3 Certification
Authority/emailAddress=ips@mail.ips.es
C=US, O=Equifax Secure Inc., CN=Equifax Secure eBusiness CA-1
C=LV, O=VAS Latvijas Pasts - Vien.reg.Nr.40003052790, OU=Sertifikacijas
pakalpojumi, CN=VAS Latvijas Pasts SSI(RCA)
C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Qualified CA Root
C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate
Authority - G2
C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA3
CN=ComSign Advanced Security CA
C=si, O=state-institutions, OU=sigov-ca
C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust
Global Root, CN=Microsoft Internet Authority
C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use only,
CN=GeoTrust Primary Certification Authority - G3
C=ES, ST=Barcelona, L=Barcelona, O=IPS Internet publishing Services s.l.,
O=ips@mail.ips.es C.I.F. B-60929452, OU=IPS CA CLASEA1 Certification
Authority, CN=IPS CA CLASEA1 Certification
Authority/emailAddress=ips@mail.ips.es
C=US, O=America Online Inc., CN=America Online Root Certification Authority 1
C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority
C=ZA, ST=Western Cape, L=Durbanville, O=Thawte, OU=Thawte Certification,
CN=Thawte Timestamping CA
C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Global
Chambersign Root
C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2007
C=SI, O=Halcom, CN=Halcom CA PO 2
C=GB, O=ViaCode, OU=CA Data, OU=CA 1
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
C=ES, O=FNMT, OU=FNMT Clase 2 CA
C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network,
OU=http://www.usertrust.com, CN=UTN-USERFirst-Client Authentication and Email
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. -
For authorized use only, CN=VeriSign Class 3 Public Primary Certification
Authority - G5
C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification
Authority
C=SI, O=Halcom, CN=Halcom CA FO
C=TR, O=Elektronik Bilgi Guvenligi A.S., CN=e-Guven Kok Elektronik Sertifika
Hizmet Saglayicisi
C=FR, O=NATIXIS, OU=0002 542044524, CN=CESAM
C=JP, O=LGPKI, OU=Application CA G2
C=US, O=Digital Signature Trust Co., OU=DST-Entrust GTI CA
C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network,
OU=http://www.usertrust.com, CN=UTN - DATACorp SGC
C=RO, O=certSIGN, OU=certSIGN ROOT CA
C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Public CA Root
C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust
Global Root
C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed, CN=OISTE
WISeKey Global Root GA CA
C=US, O=Equifax, OU=Equifax Secure Certificate Authority
C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom
Certification Authority
C=EU, L=Madrid (see current address at www.camerfirma.com/address)
/serialNumber=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root -
2008
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. -
For authorized use only, CN=VeriSign Class 3 Public Primary Certification
Authority - G3
C=ES, O=Agencia Notarial de Certificacion S.L. Unipersonal - CIF B83395988,
CN=ANCERT Certificados Notariales
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification
Services Division, CN=Thawte Premium Server CA/emailAddress=premium-
server@thawte.com
OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
C=KR, O=Government of Korea, OU=GPKI, CN=GPKIRootCA
O=RSA Security Inc, OU=RSA Security 2048 V3
O=Entrust.net, OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.), OU=(c)
2000 Entrust.net Limited, CN=Entrust.net Secure Server Certification
Authority
C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network,
OU=http://www.usertrust.com, CN=UTN-USERFirst-Object
C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2
C=US, O=GeoTrust Inc., CN=GeoTrust Global CA, CN=RapidSSL CA
C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust
Global Root
O=Digital Signature Trust Co., CN=DST Root CA X4
C=TN, O=ANCE, OU=Certification & PKI, CN=Agence Nationale de Certification
Electronique/emailAddress=ance@certification.tn
C=US, O=AOL Time Warner Inc., OU=America Online Inc., CN=AOL Time Warner Root
Certification Authority 2
C=US, O=Entrust.net, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits
liab., OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Client
Certification Authority
C=US, O=Verizon Business, OU=OmniRoot, CN=Verizon Global Root CA
C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
C=CN, O=CNNIC, CN=CNNIC ROOT
C=ES, O=Agencia Notarial de Certificacion S.L. Unipersonal - CIF B83395988,
CN=ANCERT Certificados CGN
C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=
(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority
CN=Autoridad de Certificacion Raiz del Estado Venezolano, C=VE, L=Caracas,
ST=Distrito Capital, O=Sistema Nacional de Certificacion Electronica,
OU=Superintendencia de Servicios de Certificacion
Electronica/emailAddress=acraiz@suscerte.gob.ve
C=ES, L=C/ Muntaner 244 Barcelona, CN=Autoridad de Certificacion Firmaprofesional
CIF A62634068/emailAddress=ca@firmaprofesional.com
C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
C=US, O=AffirmTrust, CN=AffirmTrust Networking
C=TN, O=ANCE, OU=ANCE WEB, CN=Agence Nationale de Certification
Electronique/emailAddress=ance@certification.tn
C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network,
OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications
C=HU, ST=Hungary, L=Budapest, O=NetLock Halozatbiztonsagi Kft.,
OU=Tanusitvanykiadok, CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado
O=eSign Australia, OU=Public Secure Services, CN=eSign Imperito Primary Root CA
C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification
Services Division, CN=Thawte Server CA/emailAddress=server-certs@thawte.com
C=US, O=Entrust, Inc.,OU=www.entrust.net/CPS is incorporated by reference, OU=(c)
2006 Entrust, Inc., CN=Entrust Root Certification Authority
C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root
CA 1
C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1
C=BR, O=Certisign Certificadora Digital Ltda., OU=Certisign - Autoridade
Certificadora - AC4
C=BR, O=Serasa S.A., OU=Serasa CA II, CN=Serasa Certificate Authority II
C=DE, ST=Baden-Wuerttemberg (BW), L=Stuttgart, O=Deutscher Sparkassen Verlag
GmbH, CN=S-TRUST Authentication and Encryption Root CA 2005:PN
C=us, O=U.S. Government, OU=FBCA, CN=Common Policy
C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority,
C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte SGC CA
O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c)
1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 2
C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA
Certification Authority
C=si, O=state-institutions, OU=sigen-ca
C=US, O=First Data Digital Certificates Inc., CN=First Data Digital Certificates
Inc. Certification Authority
C=BE, CN=Belgium Root CA
C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Class 2 CA, CN=TC TrustCenter
Class 2 CA II
C=SE, O=Carelink, CN=SITHS CA v3
C=CZ, CN=I.CA - Qualified Certification Authority, 09/2009, O=První certifikační autorita, a.s., OU=I.CA - Accredited Provider of Certification Services
C=ES, O=FNMT-RCM, OU=AC RAIZ FNMT-RCM
C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte,
Inc. - For authorized use only, CN=thawte Primary Root CA
CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı, C=TR, L=Ankara, O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c)Kasım 2005
L=Alvaro Obregon, ST=Distrito Federal, C=MX/postalCode=01030/street=Insurgentes
Sur 1940, CN=Autoridad Certificadora Raiz de la Secretaria de Economia,
OU=Direccion General de Normatividad Mercantil, O=Secretaria de
Economia/emailAddress=acrse@economia.gob.mx
C=SI, O=POSTA, OU=POSTArCA
C=LT, O=Skaitmeninio sertifikavimo centras, OU=Certification Authority, CN=SSC
Root CA A
C=DK, O=KMD, OU=KMD-CA, CN=KMD-CA Kvalificeret Person
C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA
2009/emailAddress=info@e-szigno.hu
C=FI, O=Sonera, CN=Sonera Class1 CA
C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO
Certification Authority
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. -
For authorized use only, CN=VeriSign Class 2 Public Primary Certification
Authority - G3
C=US, O=America Online Inc., CN=America Online Root Certification Authority 2
C=DK, O=KMD, OU=Root CA, CN=KMD-CA Root
C=DK, O=TDC, CN=TDC OCES CA
C=PT, O=SCEE, CN=ECRaizEstado
CN=Autoridad de Certificacion Raiz del Estado Venezolano, C=VE, L=Caracas,
ST=Distrito Capital, O=Sistema Nacional de Certificacion Electronica,
OU=Superintendencia de Servicios de Certificacion
Electronica/emailAddress=acraiz@suscerte.gob.ve
C=ES, ST=Barcelona, L=Barcelona, O=Fundacion FESTE, CN=FESTE, Public Notary
Certs/emailAddress=feste@feste.org
C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Public
Notary Root
C=IT, O=SIA S.p.A., L=Milano, CN=SIA Secure Server CA
C=FR, O=Certplus, CN=Class 3 Primary CA
C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2,
OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust
Network
C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig
C=CH, O=SwissSign AG, CN=SwissSign Platinum CA - G2
C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc.,
OU=http://certificates.starfieldtech.com/repository/, CN=Starfield Services
Root Certificate Authority
C=IT, O=SIA S.p.A., L=Milano, CN=SIA Secure Client CA
C=TW, O=Government Root Certification Authority
O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c)
1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=
(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification
Authority
C=TR, L=Gebze - Kocaeli, O=Türkiye Bilimsel ve Teknolojik Araştırma Kurumu - TÜBİTAK, OU=Ulusal Elektronik ve Kriptoloji Araştırma Enstitüsü - UEKAE, OU=Kamu Sertifikasyon Merkezi, CN=TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
C=PL, O=TP Internet Sp. z o.o., OU=Centrum Certyfikacji Signet, CN=CC Signet -
RootCA
C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root
Certificate Authority 2010
C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication EV RootCA1
C=FR, O=Certeurope, OU=0002 434202180, CN=Certeurope Root CA 2
C=ES, ST=Barcelona, L=Barcelona, O=Fundacion FESTE, CN=FESTE, Verified
Certs/emailAddress=feste@feste.org
C=BR, O=Serasa S.A., OU=Serasa CA I, CN=Serasa Certificate Authority I
C=US, O=AffirmTrust, CN=AffirmTrust Commercial
C=JP, O=JPKI, OU=Prefectural Association For JPKI, OU=BridgeCA
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign, Inc. -
For authorized use only, CN=VeriSign Universal Root Certification Authority
C=JP, O=Japanese Government, OU=ApplicationCA
C=BE, O=Certipost s.a./n.v., CN=Certipost E-Trust Primary Normalised CA
OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Corporation, CN=Microsoft
Root Authority
C=US, O=Digital Signature Trust Co., OU=DSTCA E1
C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=
(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification
Authority
C=BG, O=InfoNotary PLC, DC=root-ca, CN=InfoNotary CSP Root, OU=InfoNotary CSP
Root/emailAddress=csp@infonotary.com
OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
C=ES, O=DIRECCION GENERAL DE LA POLICIA, OU=DNIE, CN=AC RAIZ DNIE
C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root
Certification Authority
C=KR, O=KISA, OU=Korea Certification Authority Central, CN=KISA RootCA 3
C=ES, ST=Barcelona, L=Barcelona, O=IPS Internet publishing Services s.l.,
O=ips@mail.ips.es C.I.F. B-60929452, OU=IPS CA CLASE1 Certification
Authority, CN=IPS CA CLASE1 Certification
Authority/emailAddress=ips@mail.ips.es
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA2
C=US, O=Digital Signature Trust Co., OU=DSTCA E2
C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Universal CA, CN=TC TrustCenter
Universal CA III
C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2
C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network,
OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA
Root
O=Cisco Systems, CN=Cisco Root CA 2048
C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2008 thawte,
Inc.- For authorized use only, CN=thawte Primary Root CA - G3
C=BE, O=Belgacom, OU=E-Trust, CN=Belgacom E-Trust Root CA for qualified
certificates
C=BR, O=ICP-Brasil, OU=Instituto Nacional de Tecnologia da Informacao - ITI,
CN=Autoridade Certificadora Raiz Brasileira v1
C=US, O=Apple Computer, Inc., OU=Apple Computer Certificate Authority, CN=Apple
Root Certificate Authority
C=AT, O=A-Trust Ges. für Sicherheitssysteme im elektr. Datenverkehr GmbH, OU=A-Trust-Qual-01, CN=A-Trust-Qual-01
C=CZ, CN=I.CA - Standard Certification Authority, 09/2009, O=První certifikační autorita, a.s., OU=I.CA - Provider of Certification Services
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. -
For authorized use only, CN=VeriSign Class 3 Public Primary Certification
Authority - G5
L=Bogota AV Calle 26 N 68D-35, C=CO, O=Entidad de Certificacion Digital Abierta
Certicamara S.A., CN=CERTICAMARA S.A.
C=US, O=AOL Time Warner Inc., OU=America Online Inc., CN=AOL Time Warner Root
Certification Authority 1
C=FR, O=CertiNomis, OU=AC Racine - Root CA, CN=CertiNomis
C=FR, O=Certplus, CN=Class 3TS Primary CA
C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org,
CN=Chambers of Commerce Root
C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
C=ES, ST=Barcelona, L=Barcelona, O=IPS Internet publishing Services s.l.,
O=ips@mail.ips.es C.I.F. B-60929452, OU=IPS CA Chained CAs Certification
Authority, CN=IPS CA Chained CAs Certification
Authority/emailAddress=ips@mail.ips.es
C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=
(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification
Authority
O=WatchGuard, OU=Engineering
C=ES, ST=Madrid, L=Madrid, O=IPS Certification Authority s.l. ipsCA, OU=ipsCA,
CN=ipsCA Main CA Root/emailAddress=main01@ipsca.com
C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield
Services Root Certificate Authority - G2
C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=MSN Content PCA
C=CO, O=Sociedad Cameral de Certificación Digital - Certicámara S.A., CN=AC Raíz Certicámara S.A.
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. -
For authorized use only, CN=VeriSign Class 3 Public Primary Certification
Authority - G5
C=FI, L=Helsinki, O=Saunalahden Serveri Oy, CN=Saunalahden Serveri
CA/emailAddress=gold-certs@saunalahti.fi
C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6
C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Trusted
Certificate Services
C=ES, ST=Madrid, L=Madrid, O=IPS Certification Authority s.l. ipsCA, OU=ipsCA,
CN=ipsCA Global CA Root/emailAddress=global01@ipsca.com
C=CN, O=UniTrust, CN=UCA Root
C=IN, O=India PKI, CN=CCA India 2007
C=EU, L=Madrid (see current address at www.camerfirma.com/address)
/serialNumber=A82743287, O=AC Camerfirma S.A.,
CN=Global Chambersign Root - 2008
C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root Certification Authority
C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA1
C=CN, O=China Internet Network Information Center, CN=China Internet Network
Information Center EV Certificates Root
C=US, O=Wells Fargo, OU=Wells Fargo Certification Authority, CN=Wells Fargo Root
Certificate Authority
C=SG, O=Netrust Certificate Authority 1, OU=Netrust CA1
C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum
Trusted Network CA
C=PL, O=Unizeto Sp. z o.o., CN=Certum CA
C=JP, O=Japanese Government, OU=MPHPT, OU=MPHPT Certification Authority
C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2
C=CA, ST=Ontario, L=Toronto, O=Echoworx Corporation, OU=Certification Services,
CN=Echoworx Root CA2
C=CL, ST=Region Metropolitana, L=Santiago, O=E-CERTCHILE, OU=Autoridad
Certificadora/emailAddress=sclientes@ccs.cl, CN=E-CERT ROOT CA
C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom
Certification Authority
C=ES, O=Generalitat Valenciana, OU=PKIGVA, CN=Root CA Generalitat Valenciana
C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate
Services
C=BE, O=Belgacom, OU=E-Trust, CN=Belgacom E-Trust Root CA for normalised
certificates
C=FR, O=Certplus, CN=Class 3P Primary CA
C=DK, O=KMD, OU=KMD-CA, CN=KMD-CA Server/mail=infoca@kmd-ca.dk
C=AT, O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU=A-
Trust-Qual-02, CN=A-Trust-Qual-02
C=ES, O=IZENPE S.A., CN=Izenpe.com
C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Class 1 CA Root
C=US, O=America Online Inc., CN=America Online Root Certification Authority 1
C=US, O=Wells Fargo WellsSecure, OU=Wells Fargo Bank NA, CN=WellsSecure Public
Root Certificate Authority
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. -
For authorized use only, CN=VeriSign Class 3 Public Primary Certification
Authority - G5
C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Root CA
CN=EBG Elektronik Sertifika Hizmet Sağlayıcısı, O=EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., C=TR
C=US, O=Digital Signature Trust Co., OU=DST (ANX Network) CA
C=NL, O=PTT Post, OU=KeyMail, CN=PTT Post Root CA/mail=ca@ptt-post.nl
C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 CA 1
C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom
Certification Authority
C=FI, ST=Finland, O=Vaestorekisterikeskus CA, OU=Certification Authority
Services, OU=Varmennepalvelut, CN=VRK Gov. Root CA
C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=
(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification
Authority
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. -
For authorized use only, CN=VeriSign Class 1 Public Primary Certification
Authority - G3
C=BR, ST=Rio de Janeiro, L=Rio de Janeiro, O=Certisign Certificadora Digital
Ltda., OU=Certisign Autoridade Certificadora AC3S
C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de
Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia
Entitats de Certificacio Catalanes, CN=EC-ACC
C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Secure
Certificate Services
C=HU, L=Budapest, O=Microsec Ltd., OU=e-Szigno CA, CN=Microsec e-Szigno Root CA
L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 1 Policy
Validation Authority,
CN=http://www.valicert.com//emailAddress=info@valicert.com
C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network,
OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
C=NL, O=DigiNotar, CN=DigiNotar Root CA/emailAddress=info@diginotar.nl
C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Universal CA, CN=TC TrustCenter
Universal CA II
C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root
CA 2
C=AT, L=Vienna, ST=Austria, O=ARGE DATEN - Austrian Society for Data Protection,
OU=GLOBALTRUST Certification Service,
CN=GLOBALTRUST/emailAddress=info@globaltrust.info
C=HU, L=Budapest, O=NetLock Kft., OU=Tanúsítványkiadók (Certification Services), CN=NetLock Arany (Class Gold) Főtanúsítvány
C=ES, O=Agencia Notarial de Certificacion S.L. Unipersonal - CIF B83395988,
CN=ANCERT Corporaciones de Derecho Publico
C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network,
OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
C=UY, O=ADMINISTRACION NACIONAL DE CORREOS, OU=SERVICIOS ELECTRONICOS, CN=Correo
Uruguayo - Root CA
C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok,
CN=NetLock Minositett Kozjegyzoi (Class QA)
Tanusitvanykiado/emailAddress=info@netlock.hu
C=BE, CN=Belgium Root CA2
C=ES, O=Colegio de Registradores de la Propiedad y Mercantiles de España, OU=Certificado Propio, CN=Registradores de España - CA Raíz
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. -
For authorized use only, CN=VeriSign Class 3 Public Primary Certification
Authority - G5
C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 CA 1
C=ES, ST=Barcelona, L=Barcelona, O=IPS Internet publishing Services s.l.,
O=ips@mail.ips.es C.I.F. B-60929452, OU=IPS CA CLASE3 Certification
Authority, CN=IPS CA CLASE3 Certification
Authority/emailAddress=ips@mail.ips.es
C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority
O=Entrust.net, OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.), OU=(c)
2000 Entrust.net Limited, CN=Entrust.net Client Certification Authority
C=US, O=Equifax Secure, OU=Equifax Secure eBusiness CA-2
C=BE, O=Certipost s.a./n.v., CN=Certipost E-Trust TOP Root CA
C=KR, O=Government of Korea, OU=GPKI, CN=Root CA
C=FI, L=Helsinki, O=Saunalahden Serveri Oy, CN=Saunalahden Serveri
CA/emailAddress=silver-certs@saunalahti.fi
C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA
Certification Authority
C=es, O=Servicio de Certificacion del Colegio de Registradores (SCR),
OU=Certificado Propio, OU=Certificado Raiz, CN=Certificado de la Clave
Principal/street=Principe de Vergara 72 28006
Madrid/emailAddress=scr@registradores.org
C=GB, O=Trustis Limited, OU=Trustis FPS Root CA
C=BR, O=Certisign Certificadora Digital Ltda., OU=Certisign Autoridade
Certificadora AC1S
C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
C=IT, L=Milano, O=Actalis S.p.A./03358520967, CN=Actalis Authentication CA G1
C=KR, O=KISA, OU=Korea Certification Authority Central, CN=KISA RootCA 1
C=IE, O=An Post, OU=Post.Trust Ltd., CN=Post.Trust Root CA
C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
C=CH, O=SwissSign AG, CN=SwissSign Silver Root CA - G3
C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root
Certificate Authority - G2
C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root CA 1
CN=TÜRKTRUST Elektronik İşlem Hizmetleri, C=TR, L=Ankara, O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Kasım 2005
CN=TÜRKTRUST Elektronik İşlem Hizmetleri, C=TR, L=ANKARA, O=(c) 2005 TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş.
C=US, O=U.S. Government, OU=FPKI, CN=Federal Common Policy CA
C=US, O=VeriSign, Inc., OU=Class 4 Public Primary Certification Authority - G2,
OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust
Network
L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 3 Policy
Validation Authority,
CN=http://www.valicert.com//emailAddress=info@valicert.com
DC=rs, DC=posta, DC=ca, CN=Configuration, CN=Services, CN=Public Key Services,
CN=AIA, CN=Posta CA Root
C=BE, O=Certipost s.a./n.v., CN=Certipost E-Trust Primary Qualified CA
C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok,
CN=NetLock Expressz (Class C) Tanusitvanykiado
CN=Root Agency
C=US, O=Equifax, OU=Equifax Secure Certificate Authority
C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Class 2 CA, CN=TC TrustCenter
Class 2 CA II
C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
C=CH, O=admin, OU=Services, OU=Certification Authorities, CN=AdminCA-CD-T01
C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust,
Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2
O=eSign Australia, OU=Gatekeeper PKI, CN=Gatekeeper Root CA
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. -
For authorized use only, CN=VeriSign Class 4 Public Primary Certification
Authority - G3
Manage XTM Device Certificates
You can use Fireware XTM Web UI to see and manage your XTM device certificates. This includes:
- See a list of the current XTM device certificates and their properties
- Import a certificate
- Select a web server certificate for Firebox authentication
- Select a certificate to use with a Branch Office VPN or Mobile User VPN
You must use Firebox System Manager (FSM) to create certificate signing requests
(CSRs), import certificate revocation lists (CRLs), remove certificates, or delete
certificates.
For more information, see the WatchGuard System Manager help system.
See Current Certificates
To see the current list of certificates:
1. Select System > Certificates.
The Certificates list appears, with all the certificates and certificate signing requests (CSRs).
The Certificates list includes:
- The status and type of the certificate.
- The algorithm used by the certificate.
- The subject name or identifier of the certificate.
By default, trusted CA certificates are not included in this list.
2. To show all of the certificates from trusted CAs, select the Show Trusted CAs for Proxies
check box.
3. To hide the trusted CA certificates, clear the Show Trusted CAs for Proxies check box.
Import a Certificate from a File
You can import a certificate from the Windows clipboard or from a file on your local computer.
Certificates must be in PEM (Base 64) encoded format. Before you import a certificate to use with the
proxy content inspection feature, you must import each previous certificate in the chain of trust of the
type Other. This configures the XTM device to trust the certificate. You must import these certificates
from first to last, that is, from the most prominent (root) certificate to the least prominent, so the
XTM device can properly connect the certificates in the chain of trust.
If you want to import a CA certificate for your XTM device to use to validate other certificates when
they are imported and create a chain of trust, make sure to select the IPSec, Web Server, Other
category when you import the CA certificate and do not include the private key.
For more information, see About Certificates on page 953, Use Certificates for the HTTPS-Proxy on
page 974, and SMTP-Proxy: TLS Encryption.
1. Select System > Certificates.
The Certificates page appears.
2. Click Import Certificate.
3. Select the option that matches the function of the certificate:
- Proxy Authority (for deep packet inspection): Select this option if the certificate is for
a proxy policy that manages web traffic requested by users on trusted or optional networks
from a web server on an external network. A certificate you import for this purpose must be a
CA certificate. Before you import the CA certificate used to re-encrypt traffic with a proxy,
make sure the CA certificate used to sign this certificate was imported with the Other
category.
- Proxy Server: Select this option if the certificate is for a proxy policy that manages web
traffic requested by users on an external network from a web server protected by the XTM
device. Before you import the CA certificate used to re-encrypt traffic from a web server,
make sure the CA certificate used to sign this certificate was imported with the
Other category.
- Trusted CA for Proxies: Select this option for a certificate used to trust traffic that is not
re-encrypted by a proxy. For example, a root certificate or intermediate CA certificate used
to sign the certificate of an external web server.
- IPSec, Web Server, Other: Select this option if:
  - The certificate is for authentication, is a device IPSec certificate, or is a CA certificate.
  - You want to import a CA certificate for your XTM device to use to validate other
certificates when they are imported and create a chain of trust. Make sure you do not
include the private key when you import the CA certificate.
4. Copy and paste the contents of the certificate in the text box. If the certificate includes a private
key, type the password to decrypt the key.
5. Click Save.
The certificate is added to the XTM device.
Use a Web Server Certificate for Authentication
To use a third-party certificate for authentication, you must first import that certificate. See the previous
procedure for more information. If you use a custom certificate signed by the XTM device, we
recommend that you export the certificate and then import it on each client device that connects to the
XTM device.
1. Select Authentication > Web Server Certificate.
The Authentication Web Server Certificate page appears.
2. To use a previously imported third-party certificate, select Third party certificates and select
the certificate from the drop-down list.
Click Save and do not complete the other steps in this procedure.
3. To create a new certificate for XTM device authentication, select Custom certificate signed
by Firebox.
4. In the text box at the bottom of the dialog box, type the domain name or IP address of an
interface on your XTM device. Click Add.
When you have added all the domain names, click OK.
5. Type the Common name for your organization. This is usually your domain name.
You can also type an Organization name and an Organization unit name (both optional)
to identify what part of your organization created the certificate.
6. Click Save.
Create a CSR with OpenSSL
To create a certificate, you first need to create a Certificate Signing Request (CSR). You can send the
CSR to a certification authority, or use it to create a self-signed certificate.
Use OpenSSL to Generate a CSR
OpenSSL is installed with most GNU/Linux distributions. To download the source code or a Windows
binary file, go to http://www.openssl.org/ and follow the installation instructions for your operating
system. You can use OpenSSL to convert certificates and certificate signing requests from one format
to another. For more information, see the OpenSSL man page or online documentation.
1. Open a command line interface terminal.
2. To generate a private key file called privkey.pem in your current working directory, type
openssl genrsa -out privkey.pem 1024
3. Type openssl req -new -key privkey.pem -out request.csr
This command generates a CSR in the PEM format in your current working directory.
4. When you are prompted for the x509 Common Name attribute information, type your fully
qualified domain name (FQDN). Use other information as appropriate.
5. Follow the instructions from your certificate authority to send the CSR.
To create a temporary, self-signed certificate until the CA returns your signed certificate:
1. Create a plain text file named extensions.txt.
2. Add this text to the file:
basicConstraints=CA:TRUE,pathlen:0
keyUsage=digitalSignature,keyEncipherment,keyCertSign,cRLSign
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
3. Open a command line interface terminal.
4. Type openssl x509 -req -days 30 -in request.csr -signkey privkey.pem -extfile
extensions.txt -out sscert.cert
This command creates a certificate inside your current directory that expires in 30 days with the private
key and CSR you created in the previous procedure.
You cannot use a self-signed certificate for VPN remote gateway authentication. We
recommend that you use certificates signed by a trusted Certificate Authority.
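As an added example that is not part of the guide, this script carries the two OpenSSL procedures above through end to end and then uses the resulting temporary certificate to sign a second CSR, which is the re-signing role a Proxy Authority certificate plays on the XTM device. It assumes the openssl command is on PATH, uses constructed host names, and generates 2048-bit keys instead of the 1024-bit key the guide shows.

```shell
#!/bin/sh
# Added example, not from the WatchGuard guide: key -> CSR -> temporary
# self-signed CA certificate with the guide's extensions.txt, then a server
# certificate signed by that CA, with checks on what was produced.
# Assumes the openssl CLI is on PATH. The guide uses a 1024-bit key; 2048 bits
# is used here because 1024-bit RSA is no longer considered adequate.
set -eu

# write_extensions FILE: the extension file exactly as the guide lists it.
write_extensions() {
    cat > "$1" <<'EOF'
basicConstraints=CA:TRUE,pathlen:0
keyUsage=digitalSignature,keyEncipherment,keyCertSign,cRLSign
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
}

# make_selfsigned_ca DIR FQDN DAYS: writes privkey.pem, request.csr and
# sscert.cert into DIR. -subj answers the prompts non-interactively; the CN is
# the FQDN, as the guide instructs.
make_selfsigned_ca() {
    write_extensions "$1/extensions.txt"
    openssl genrsa -out "$1/privkey.pem" 2048 2>/dev/null
    openssl req -new -key "$1/privkey.pem" -subj "/CN=$2" -out "$1/request.csr"
    openssl x509 -req -days "$3" -in "$1/request.csr" -signkey "$1/privkey.pem" \
        -extfile "$1/extensions.txt" -out "$1/sscert.cert" 2>/dev/null
}

# sign_server_cert DIR FQDN DAYS: issues server.cert for FQDN under the CA in
# DIR. CA:TRUE,pathlen:0 permits exactly this: signing end-entity certificates.
sign_server_cert() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr"
    openssl x509 -req -days "$3" -in "$1/server.csr" -CA "$1/sscert.cert" \
        -CAkey "$1/privkey.pem" -CAcreateserial -out "$1/server.cert" 2>/dev/null
}

# cert_is_ca FILE: succeeds only if basicConstraints marks the certificate as a CA.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# cert_cn FILE: prints the subject CN ("CN=x" and "CN = x" output styles both work).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# verify_chain CAFILE CERT: succeeds if CERT chains to the CA in CAFILE.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: a 30-day CA certificate and one server certificate signed with it
# (constructed names, not real hosts), then a report on both.
demo_dir=$(mktemp -d)
make_selfsigned_ca "$demo_dir" firebox.example.com 30
sign_server_cert "$demo_dir" www.example.com 30
printf 'CA cert CN=%s, is CA: %s\n' "$(cert_cn "$demo_dir/sscert.cert")" \
    "$(cert_is_ca "$demo_dir/sscert.cert" && echo yes || echo no)"
printf 'server cert CN=%s, chains to CA: %s\n' "$(cert_cn "$demo_dir/server.cert")" \
    "$(verify_chain "$demo_dir/sscert.cert" "$demo_dir/server.cert" && echo yes || echo no)"
rm -rf "$demo_dir"
```

The server certificate verifies only against sscert.cert, which is why clients must be given a copy of that CA certificate before the proxy re-signs traffic for them.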
Sign a Certificate with Microsoft CA
Although you can create a self-signed certificate with Firebox System Manager or other tools, you can
also create a certificate with the Microsoft Certificate Authority (CA).
Each certificate signing request (CSR) must be signed by a certificate authority (CA) before it can be
used for authentication. When you create a certificate with this procedure, you act as the CA and
digitally sign your own CSR. For compatibility reasons, however, we recommend that you instead
send your CSR to a widely known CA. The root certificates for these organizations are installed by
default with most major Internet browsers and XTM devices, so you do not have to distribute the root
certificates yourself.
You can use most Windows Server operating systems to complete a CSR and create a certificate. The
subsequent instructions are for Windows Server 2003.
Send the Certificate Request
1. In your web browser address bar, type the IP address of the server where the Certification
Authority is installed, followed by certsrv.
For example: http://10.0.2.80/certsrv
2. Click the Request a Certificate link.
3. Click the Advanced certificate request link.
4. Click Submit a certificate.
5. Paste the contents of your CSR file into the Saved Request text box.
6. Click OK.
7. Close your web browser.
Issue the Certificate
1. Connect to the server where the Certification Authority is installed, if necessary.
2. Select Start > Control Panel > Administrative Tools > Certification Authority.
3. In the Certification Authority (Local) tree, select Your Domain Name > Pending
Requests.
4. Select the CSR in the right navigation pane.
5. In the Action menu, select All Tasks > Issue.
6. Close the Certification Authority window.
Download the Certificate
1. In your web browser address bar, type the IP address of the server where the Certification
Authority is installed, followed by certsrv.
2. Click the View the status of a pending certificate request link.
3. Select the certificate request with the time and date you submitted.
4. To choose the PKCS10 or PKCS7 format, select Base 64 encoded.
5. Click Download certificate to save the certificate on your hard drive.
Certification Authority is distributed with Windows Server 2003 as a component. If Certification
Authority is not installed in the Administrative Tools folder on your server, follow the instructions from
the manufacturer to install it.
Use Certificates for the HTTPS-Proxy
Many web sites use both the HTTP and HTTPS protocols to send information to users. While
HTTP traffic can be examined easily, HTTPS traffic is encrypted. To examine HTTPS traffic
requested by a user on your network, you must configure your XTM device to decrypt the information
and then encrypt it with a certificate signed by a CA that each network user trusts. To create a
certificate for use with the HTTPS-proxy content inspection features, you must create a CA certificate
that can re-sign other certificates. If you create a CSR with Firebox System Manager and have it
signed by a prominent CA, it cannot be used as a CA certificate.
For more information about content inspection for the HTTPS-proxy, see HTTPS-Proxy: Content
Inspection on page 731.
By default, the XTM device re-encrypts the content it has inspected with an automatically generated
self-signed certificate. Users without a copy of this certificate see a certificate warning when they
connect to a secure web site with HTTPS. If the remote web site uses an expired certificate, or if that
certificate is signed by a CA (Certificate Authority) the XTM device does not recognize, the XTM
device re-signs the content as Fireware HTTPS Proxy: Unrecognized Certificate or simply Invalid
Certificate.
This section includes information about how to export a certificate from the XTM device and import it
on a Microsoft Windows or Mac OS X system to operate with the HTTPS-proxy. To import the
certificate on other devices, operating systems, or applications, see the documentation from their
manufacturers.
Protect a Private HTTPS Server
To protect an HTTPS server on your network, you must first import the CA certificate used to sign the
HTTPS server certificate, and then import the HTTPS server certificate with its associated private
key. If the CA certificate used to sign the HTTPS server certificate is not automatically trusted itself,
you must import each trusted certificate in sequence for this feature to operate correctly. After you
have imported all of the certificates, configure the HTTPS-proxy.
First, edit an HTTPS proxy action to enable deep content inspection of HTTPS content.
From Fireware XTM Web UI:
1. Select Firewall > Proxy Actions.
The Proxy Actions page appears.
2. Select an HTTPS proxy action: HTTPS-Client or HTTPS-Server. Click Edit.
The Edit Proxy Action page appears for the proxy action you selected.
3. Select the Content Inspection tab.
4. Select the Enable deep inspection of HTTPS content check box.
5. From the Proxy Action drop-down list, select the HTTP proxy action to use to inspect HTTPS
content.
For example, HTTP-Client.
6. Clear the Use OCSP to confirm the validity of certificates check box.
7. In the Bypass List text box, type the IP address of a web site for which you do not want to
inspect traffic. Click Add.
8. (Optional) Repeat Step 7 to add more IP addresses to the Bypass List.
9. Click Save.
If you edited a predefined proxy action, you must clone your changes to a new proxy action before
you can save them and apply them to a proxy policy. The Clone Proxy Action dialog box appears.
10. In the Name text box, type a new name for the proxy action.
For example, type HTTPS-Client DCI.
11. Click Save.
The new proxy action appears in the Proxies list.
Next, add an HTTPS-proxy that uses the proxy action you added.
From Fireware XTM Web UI:
1. Select Firewall > Firewall Policies.
The Firewall Policies page appears.
2. Click Add Policy.
The Select a Policy Type page appears.
3. Select the Proxies policy type.
4. From the Proxies drop-down lists, select HTTPS-proxy and the proxy action you added.
For example, select HTTPS-Client DCI.
5. Click Add policy.
The Firewall Policies / Add page appears for the HTTPS-proxy.
6. Click Save.
For more information, see Manage XTM Device Certificates on page 968.
Examine Content from External HTTPS Servers
If your organization already has a PKI (Public Key Infrastructure) set up with a trusted CA, then you
can import a certificate on the XTM device that is signed by your organization CA. If the CA certificate
is not automatically trusted itself, you must import each previous certificate in the chain of trust for this
feature to operate correctly. If you attempt to use a certificate signed by a public third-party CA, your
users receive a certificate warning in their browsers. We recommend that you use a certificate signed
by your own internal CA.
For more information, see HTTPS-Proxy: Content Inspection and Manage XTM Device Certificates on
page 968.
If you have other traffic that uses the HTTPS port, such as SSL VPN traffic, we
recommend that you evaluate the content inspection feature carefully. The HTTPS-
proxy attempts to examine all traffic on TCP port 443 in the same way. To ensure
that other traffic sources operate correctly, we recommend that you add those
IP addresses to the Bypass List.
For more information, see HTTPS-Proxy: Content Inspection on page 731.
Before you enable this feature, we recommend that you provide the certificate(s) used to sign HTTPS
traffic to all of the clients on your network. You can attach the certificates to an email with instructions,
or use network management software to install the certificates automatically. Also, we recommend
that you test the HTTPS-proxy with a small number of users to ensure that it operates correctly before
you apply the HTTPS-proxy to traffic on a large network.
If your organization does not have a PKI, you must copy the default or a custom self-signed certificate
from the XTM device to each client device.
First, edit an HTTPS proxy action to enable deep content inspection of HTTPS content.
From Fireware XTM Web UI:
1. Select Firewall > Proxy Actions.
The Proxy Actions page appears.
2. Select an HTTPS proxy action: HTTPS-Client or HTTPS-Server. Click Edit.
The Edit Proxy Action page appears for the proxy action you selected.
3. Select the Content Inspection tab.
4. Select the Enable deep inspection of HTTPS content check box.
5. From the Proxy Action drop-down list, select the HTTP proxy action to use to inspect HTTPS
content.
For example, HTTP-Client.
6. Specify the options for OCSP certificate validation.
7. Click Save.
If you edited a predefined proxy action, you must clone your changes to a new proxy action before
you can save them and apply them to a proxy policy. The Clone Proxy Action dialog box appears.
8. In the Name text box, type a new name for the proxy action.
9. Click OK.
The new proxy action appears in the Proxies list.
Next, add an HTTPS-proxy that uses the proxy action you added.
From Fireware XTM Web UI:
1. Select Firewall > Firewall Policies.
The Firewall Policies page appears.
2. Click Add Policy.
The Add Firewall Policy page appears.
3. Select the Proxies policy type.
4. From the Proxies drop-down list, select HTTPS-proxy and the proxy action you added.
For example, select HTTPS-Client DCI.
5. Click Add Policy.
The Add page appears for the HTTPS-proxy.
6. Click Save.
When you enable content inspection, the HTTP proxy action WebBlocker settings override the
HTTPS proxy WebBlocker settings. If you add IP addresses to the Bypass list, traffic from those sites
is filtered with the WebBlocker settings from the HTTPS proxy.
For more information on WebBlocker configuration, see About WebBlocker on page 1315.
Import the Certificates on Client Devices
To use certificates you have installed on the XTM device with client devices, you must export the
certificates with Firebox System Manager, then import the certificates on each client. You cannot
export a certificate from your XTM device with the Web UI.
For more information about how to import a certificate, see Import a Certificate on a Client Device on
page 984.
For more information about how to export a certificate with Firebox System Manager, see Use
Certificates for the HTTPS-Proxy in the Fireware XTM WatchGuard System Manager Help.
Troubleshoot Problems with HTTPS Content Inspection
The XTM device often creates log messages when there is a problem with a certificate used for
HTTPS content inspection. We recommend that you check these log messages for more information.
If connections to remote web servers are often interrupted, check to make sure you have imported all
of the certificates necessary to trust the CA certificate used to re-encrypt the HTTPS content, as well
as the certificates necessary to trust the certificate from the original web server. You must import all of
these certificates on the XTM device and each client device for connections to be successful.
Certificates for Branch Office VPN (BOVPN)
Tunnel Authentication
When a BOVPN tunnel is created, the IPSec protocol checks the identity of each endpoint with either a
pre-shared key (PSK) or a certificate imported and stored on the XTM device.
To use a certificate for BOVPN tunnel authentication:
1. Select VPN > Branch Office VPN.
2. In the Gateways section, click Add to create a new gateway.
Or, select an existing gateway and click Edit.
3. Select Use IPSec Firebox Certificate.
4. Select the certificate you want to use.
5. Set other parameters as necessary.
6. Click Save.
If you use a certificate for BOVPN authentication:
n You must first import the certificate.
For more information, see Manage XTM Device Certificates on page 968.
n The certificate must be recognized as an IPSec-type certificate.
n Make sure certificates for the devices at each gateway endpoint use the same algorithm. Both
endpoints must use either DSS or RSA. The algorithm for certificates appears on the Branch
Office VPN page in the Gateway list.
n If you do not have a third-party or self-signed certificate, you must use the certificate authority
on a WatchGuard Management Server.
Verify the Certificate
1. Select System > Certificates.
The Certificates page appears.
2. In the Type column, verify IPSec or IPSec/Web appears.
Verify VPN Certificates with an LDAP Server
You can use an LDAP server to automatically verify certificates used for VPN authentication if you
have access to the server. You must have LDAP account information provided by a third-party CA
service to use this feature.
1. Select VPN > Global Settings.
The Global VPN Settings page appears.
2. Select the Enable LDAP server for certificate verification check box.
3. In the Server text box, type the name or address of the LDAP server.
4. (Optional) Type the Port number.
5. Click Save.
Your XTM device checks the CRL stored on the LDAP server when tunnel authentication is
requested.
Certificates for Mobile VPN With IPSec Tunnel
Authentication
When a Mobile VPN tunnel is created, the identity of each endpoint must be verified with a key. This
key can be a passphrase or pre-shared key (PSK) known by both endpoints, or a certificate from the
Management Server. Your XTM device must be a managed device to use a certificate for Mobile VPN
authentication. You must use WatchGuard System Manager to configure your XTM device as a
managed device.
For more information, see the WatchGuard System Manager Help.
To use certificates for a new Mobile VPN with IPSec tunnel:
1. Select VPN > Mobile VPN with IPSec.
2. Click Add.
3. Select the IPSec Tunnel tab.
4. In the IPSec Tunnel section, select Use a certificate.
5. In the CA IP Address text box, type the IP address of your Management Server.
6. In the Timeout text box, type or select the time in seconds the Mobile VPN with IPSec client
waits for a response from the certificate authority before it stops connection attempts. We
recommend you keep the default value.
7. Complete the Mobile VPN group configuration.
For more information, see Configure the XTM Device for Mobile VPN with IPSec on page 1161.
To change an existing Mobile VPN tunnel to use certificates for authentication:
1. Select VPN > Mobile VPN with IPSec.
2. Select the Mobile VPN group you want to change. Click Edit.
3. Select the IPSec Tunnel tab.
4. In the IPSec Tunnel section, select Use a certificate.
5. In the CA IP Address text box, type the IP address of your Management Server.
6. In the Timeout text box, type or select the time in seconds the Mobile VPN with IPSec client
waits for a response from the certificate authority before it stops connection attempts. We
recommend you keep the default value.
7. Click Save.
When you use certificates, you must give each Mobile VPN user three files:
n The end-user profile (.wgx)
n The client certificate (.p12)
n The CA root certificate (.pem)
Copy all of the files to the same directory. When a Mobile VPN user imports the .wgx file, the root and
client certificates in the cacert.pem and the .p12 files are automatically loaded.
For more information on Mobile VPN with IPSec, see About Mobile VPN with IPSec on page 1157.
Verify VPN Certificates with an LDAP Server
You can use an LDAP server to automatically verify certificates used for VPN authentication if you
have access to the server. You must have LDAP account information provided by a third-party CA
service to use this feature.
1. Select VPN > Global Settings.
The Global VPN Settings page appears.
2. Select the Enable LDAP Server for certificate verification check box.
3. In the Server text box, type the name or IP address of the LDAP server.
4. (Optional) Type or select the Port number.
5. Click OK.
Your XTM device checks the CRL stored on the LDAP server when tunnel authentication is
requested.
Certificates for Mobile VPN with L2TP Tunnel
Authentication
When a Mobile VPN with L2TP tunnel is created, the identity of each endpoint must be verified with a
key. This key can be a passphrase or pre-shared key (PSK) known by both endpoints, a third-party or
self-signed certificate, or a certificate from the Management Server. Your XTM device must be a
managed device to use a certificate from the Management Server for Mobile VPN authentication. You
must use WatchGuard System Manager to configure your XTM device as a managed device.
For more information, see WatchGuard System Manager Help.
To use a certificate for Mobile VPN with L2TP authentication:
n You must first import the certificate.
For more information, see Manage XTM Device Certificates on page 968.
n The certificate must be recognized as an IPSec-type certificate.
n Make sure certificates for the devices at each gateway endpoint use the same algorithm. Both
endpoints must use either DSS or RSA. The algorithm for certificates appears on the Mobile
VPN with L2TP page, IPSec > Phase 1 Settings tab in the Credential Method list.
n If you do not have a third-party or self-signed certificate, you must use the certificate authority
on a WatchGuard Management Server.
To use a certificate for a new Mobile VPN with L2TP tunnel:
1. Select VPN > Mobile VPN with L2TP.
The Mobile VPN with L2TP page appears.
2. Click Run Wizard.
The WatchGuard L2TP Setup Wizard appears.
3. For instructions to complete the wizard, see Use the WatchGuard L2TP Setup Wizard on page
1276.
4. On the Select the tunnel authentication method page, select Use IPSec Firebox
Certificate and select an RSA certificate from the list.
5. Finish the wizard.
To change an existing Mobile VPN tunnel to use certificates for authentication:
1. Select VPN > Mobile VPN with L2TP.
2. Click Configure.
3. Select the IPSec tab.
4. Select Use IPSec Firebox Certificate and select an RSA certificate from the list.
5. Click Save.
For more information on Mobile VPN with L2TP, see About Mobile VPN with L2TP on page 1271.
Verify VPN Certificates with an LDAP Server
You can use an LDAP server to automatically verify certificates used for VPN authentication if you
have access to the server. You must have LDAP account information provided by a third-party CA
service to use this feature.
1. Select VPN > Global Settings.
The Global VPN Settings page appears.
2. Select the Enable LDAP Server for certificate verification check box.
3. In the Server text box, type the name or IP address of the LDAP server.
4. (Optional) Type or select the Port number.
5. Click OK.
Your XTM device checks the CRL stored on the LDAP server when tunnel authentication is
requested.
Configure the Web Server Certificate for Firebox
Authentication
When users connect to your XTM device with a web browser, they often see a security warning. This
warning occurs because the default certificate is not trusted, or because the certificate does not match
the IP address or domain name used for authentication. You can use a third-party or self-signed
certificate that matches the IP address or domain name for user authentication. You must import that
certificate on each client browser or device to prevent the security warnings.
To configure the web server certificate for Firebox authentication:
1. Select Authentication > Web Server Certificate.
2. To use the default certificate, select Default certificate signed by Firebox and proceed to the
last step in this procedure.
3. To use a certificate you have previously imported, select Third-party certificates.
4. Select a certificate from the Third-party certificates drop-down list and proceed to the last step
in this procedure.
This certificate must be recognized as a Web certificate.
5. To create a custom certificate signed by your XTM device, select Custom certificate signed
by Firebox.
6. Type the Common Name for your organization. This is usually your domain name.
7. (Optional) You can also type an Organization Name and an Organization Unit Name to
identify the part of your organization that created the certificate.
8. To add more subject names, or the interface IP addresses on which the certificate is intended
for use, in the Domain Names text box, type the domain name or IP address and click
Add.
The domain name appears in the Domain Names list.
9. Repeat Step 8 to add more domain names.
10. Click Save.
Import a Certificate on a Client Device
When you configure your XTM device to use a custom or third-party certificate for authentication or
HTTPS content inspection, you must import that certificate on each client in your network to prevent
security warnings. This also allows services like Windows Update to operate correctly. The
subsequent section includes an example of the steps required to import a PEM format certificate on
Windows 7. For information about how to import a certificate on your client, see the vendor
documentation for your client.
If you normally use Fireware XTM Web UI, you must install Firebox System Manager
before you can export certificates.
You can also deploy certificates to your client devices through a group policy object (GPO) from your
Active Directory server. For more information, see Deploy Certificates by Using Group Policy on the
Windows Server pages of the Microsoft TechNet web site.
Import a PEM Format Certificate with Windows 7
This process allows Internet Explorer, Windows Update, and other programs or services that use the
Windows certificate store on Microsoft Windows 7 to get access to the certificate.
1. In the Windows Start menu, in the Search programs and files text box, type mmc and press
Enter on your keyboard.
2. If a User Account Control dialog box appears, click Yes to open the Microsoft Management
Console.
A Management Console appears.
3. Select File > Add/Remove Snap-In.
The Add or Remove Snap-ins dialog box appears.
4. In the Available snap-ins list, select Certificates and click Add.
The Certificates snap-in dialog box appears.
5. Select Computer account and click Next.
The Select Computer dialog box appears.
6. Keep the default setting, Local computer, and click Finish.
Certificates (Local Computer) appears in the Selected snap-ins list.
7. Click OK.
The Certificates (Local Computer) module appears in the Console window.
8. In the Console Root tree, expand the Certificates (Local Computer) tree.
9. Expand the Trusted Root Certification Authorities object.
10. Under the Trusted Root Certification Authorities object, right-click Certificates and select
All Tasks > Import.
The Certificate Import Wizard appears.
11. Click Next.
The File to Import page appears.
12. Click Browse and select the HTTPS Proxy Authority CA certificate you previously exported.
Click Open.
The path to the file you selected appears in the File name text box in the wizard.
13. Click Next, then click Finish to complete the wizard.
Virtual Private Networks (VPNs)
Introduction to VPNs
To move data safely between two private networks across an unprotected network, such as the
Internet, you can create a virtual private network (VPN). You can also use a VPN for a secure
connection between a host and a network. The networks and hosts at the endpoints of a VPN can be
corporate headquarters, branch offices, or remote users. VPNs use encryption to secure data, and
authentication to identify the sender and the recipient of the data. If the authentication information is
correct, the data is decrypted. Only the sender and the recipient of the message can read the data sent
through the VPN.
A VPN tunnel is the virtual path between the two private networks of the VPN. We refer to this path as
a tunnel because a tunneling protocol such as IPSec, SSL, L2TP, or PPTP is used to securely send
the data packets. A gateway or computer that uses a VPN uses this tunnel to send the data packets
across the public Internet to private IP addresses behind a VPN gateway.
Branch Office VPN
A Branch Office VPN (BOVPN) is an encrypted connection between two dedicated hardware devices.
It is used most frequently to make sure the network communications between networks at two offices
is secure. WatchGuard provides two methods to set up a BOVPN:
Manual BOVPN
You can use Policy Manager or Fireware XTM Web UI to manually configure a BOVPN
between any two devices that support IPSec VPN protocols.
For more information, see About Manual Branch Office VPN Tunnels on page 1010.
Managed BOVPN
You can use WatchGuard System Manager to set up a managed BOVPN between any two
managed Firebox or XTM devices.
For more information, see the Fireware XTM WatchGuard System Manager User Guide or Help
system.
All WatchGuard branch office VPNs use the IPSec protocol suite to secure the BOVPN tunnel. The
branch office VPN tunnel must connect to an external interface of the device at each end of the tunnel.
For more information about IPSec VPNs, see About IPSec VPNs on page 988.
Mobile VPN
A Mobile VPN is an encrypted connection between a dedicated hardware device and a laptop or
desktop computer. A Mobile VPN allows your employees who telecommute and travel to securely
connect to your corporate network. WatchGuard supports three types of Mobile VPNs:
n Mobile VPN with IPSec
n Mobile VPN with PPTP
n Mobile VPN with SSL
n Mobile VPN with L2TP
For a comparison of these Mobile VPN solutions, see Select a Mobile VPN.
About IPSec VPNs
WatchGuard Branch Office VPN, Mobile VPN with IPSec, and Mobile VPN with L2TP use the IPSec
protocol suite to establish virtual private networks between devices or mobile users. Before you
configure an IPSec VPN, especially if you configure a manual branch office VPN tunnel, it is helpful to
understand how IPSec VPNs work.
For more information, see:
n About IPSec Algorithms and Protocols
n About IPSec VPN Negotiations
n Configure Phase 1 and Phase 2 Settings
About IPSec Algorithms and Protocols
IPSec is a collection of cryptography-based services and security protocols that protect
communication between devices that send traffic through an untrusted network. Because IPSec is
built on a collection of widely known protocols and algorithms, you can create an IPSec VPN between
your XTM device and many other devices that support these standard protocols. The protocols and
algorithms used by IPSec are discussed in the subsequent sections.
Encryption Algorithms
Encryption algorithms protect the data so it cannot be read by a third party while in transit. Fireware
XTM supports three encryption algorithms:
n DES (Data Encryption Standard): Uses an encryption key that is 56 bits long. This is the
weakest of the three algorithms.
n 3DES (Triple-DES): An encryption algorithm based on DES that uses DES to encrypt the
data three times.
n AES (Advanced Encryption Standard): The strongest encryption algorithm available. Fireware
XTM can use AES encryption keys of these lengths: 128, 192, or 256 bits.
Authentication Algorithms
Authentication algorithms verify the data integrity and authenticity of a message. Fireware
XTM supports three authentication algorithms:
HMAC-MD5 (Hash Message Authentication Code Message Digest Algorithm 5)
MD5 produces a 128 bit (16 byte) message digest, which makes it faster than SHA1 or SHA2.
This is the least secure algorithm.
HMAC-SHA1 (Hash Message Authentication Code Secure Hash Algorithm 1)
SHA1 produces a 160-bit (20 byte) message digest. Although slower than MD5, this larger
digest size makes it stronger against brute force attacks.
HMAC-SHA2 (Hash Message Authentication Code Secure Hash Algorithm 2)
Fireware XTM 11.8 and higher supports three variants of SHA2 with different message digest
lengths.
n SHA2-256 produces a 256-bit (32 byte) message digest
n SHA2-384 produces a 384-bit (48 byte) message digest
n SHA2-512 produces a 512-bit (64 byte) message digest
SHA2 is stronger than either SHA1 or MD5. Because SHA2 requires more computational
resources, it is supported only on XTM devices with hardware cryptographic acceleration for
SHA2.
SHA2 is not supported on XTM 510, 520, 530, 515, 525, 535, 545, 810, 820, 830,
1050, and 2050 devices. The hardware cryptographic acceleration in those models
does not support SHA2.
IKE Protocol
Defined in RFC 2409, IKE (Internet Key Exchange) is a protocol used to set up security associations
for IPSec. These security associations establish shared session secrets from which keys are derived
for encryption of tunneled data. IKE is also used to authenticate the two IPSec peers.
Diffie-Hellman Key Exchange Algorithm
The Diffie-Hellman (DH) key exchange algorithm is a method used to make a shared encryption key
available to two entities without an exchange of the key. The encryption key for the two devices is
used as a symmetric key for encrypting data. Only the two parties involved in the DH key exchange
can deduce the shared key, and the key is never sent over the wire.
A Diffie-Hellman key group is a group of integers used for the Diffie-Hellman key exchange. Fireware
XTM can use DH groups 1, 2, 5, 14, 15, 19, and 20.
For more information, see About Diffie-Hellman Groups on page 1032.
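The two building blocks just described, the Diffie-Hellman exchange and the HMAC authentication algorithms listed under Authentication Algorithms, carried through in an added Python illustration that is not Fireware code: each peer derives the same secret from the other's public value only, a symmetric key is derived from it, and every listed HMAC algorithm tags a packet with the digest length given above and detects a one-byte alteration. The prime, generator, key derivation and packet are constructed toy values, not an IKE group or IKE's real key derivation.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group, NOT an IKE group: the Mersenne prime 2^127 - 1 with
# generator 3. Real IKE groups (for example DH group 14) use far larger primes.
TOY_P = 2 ** 127 - 1
TOY_G = 3

# Digest sizes in bytes of the authentication algorithms listed in this chapter.
DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64}


class DhPeer:
    """One IPSec peer's side of the Diffie-Hellman exchange."""

    def __init__(self, p=TOY_P, g=TOY_G):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 2) + 1   # x in [1, p-2]; never sent
        self.public = pow(g, self.private, p)        # g^x mod p; sent over the wire

    def shared_secret(self, peer_public):
        """Combine the peer's public value with our private exponent: (g^y)^x mod p."""
        # Reject 0, 1 and p-1: a peer sending those would force a trivial secret.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, self.p)


def derive_key(shared_secret, label=b"toy-session-key"):
    """Reduce the DH secret to a 32-byte symmetric key (simplified stand-in for IKE's KDF)."""
    secret_bytes = shared_secret.to_bytes((TOY_P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(label + secret_bytes).digest()


def authenticate(key, data, algorithm):
    """Compute the HMAC tag a peer attaches to protected data."""
    return hmac.new(key, data, algorithm).digest()


def verify(key, data, tag, algorithm):
    """Constant-time check that data arrived unaltered and from the key holder."""
    return hmac.compare_digest(authenticate(key, data, algorithm), tag)


def demo():
    """Run the exchange; return per algorithm: (tag length, genuine ok, tampered ok)."""
    initiator, responder = DhPeer(), DhPeer()
    # Only the public values cross the wire; each side computes the same secret.
    secret = initiator.shared_secret(responder.public)
    assert secret == responder.shared_secret(initiator.public)
    key = derive_key(secret)

    payload = b"constructed tunnelled packet"   # sample data, constructed
    results = {}
    for algorithm in DIGEST_BYTES:
        tag = authenticate(key, payload, algorithm)
        results[algorithm] = (
            len(tag),
            verify(key, payload, tag, algorithm),          # genuine packet: True
            verify(key, payload + b"!", tag, algorithm),   # one byte altered: False
        )
    return results


if __name__ == "__main__":
    for algorithm, (length, genuine, tampered) in demo().items():
        print(f"HMAC-{algorithm.upper():7} {length:2d}-byte tag  "
              f"genuine={genuine}  tampered={tampered}")
```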
AH
Defined in RFC 2402, AH (Authentication Header) is a protocol that you can use in manual
BOVPN Phase 2 VPN negotiations. To provide security, AH adds authentication information to the IP
datagram. Most VPN tunnels do not use AH because it does not provide encryption.
ESP
Defined in RFC 2406, ESP (Encapsulating Security Payload) provides authentication and encryption
of data. ESP takes the original payload of a data packet and replaces it with encrypted data. It adds
integrity checks to make sure that the data is not altered in transit, and that the data came from the
proper source. We recommend that you use ESP in BOVPN Phase 2 negotiations because ESP is
more secure than AH. Mobile VPN with IPSec always uses ESP.
About IPSec VPN Negotiations
The devices at either end of an IPSec VPN tunnel are IPSec peers. When two IPSec peers want to
make a VPN between them, they exchange a series of messages about encryption and authentication,
and attempt to agree on many different parameters. This process is known as VPN negotiations. One
device in the negotiation sequence is the initiator and the other device is the responder.
VPN negotiations happen in two distinct phases: Phase 1 and Phase 2.
Phase 1
The main purpose of Phase 1 is to set up a secure encrypted channel through which the two
peers can negotiate Phase 2. When Phase 1 finishes successfully, the peers quickly move on
to Phase 2 negotiations. If Phase 1 fails, the devices cannot begin Phase 2.
Phase 2
The purpose of Phase 2 negotiations is for the two peers to agree on a set of parameters that
define what traffic can go through the VPN, and how to encrypt and authenticate the traffic. This
agreement is called a Security Association.
The Phase 1 and Phase 2 configurations must match for the devices on either end of the tunnel.
Phase 1 Negotiations
In Phase 1 negotiations, the two peers exchange credentials. The devices identify each other and
negotiate to find a common set of Phase 1 settings to use. When Phase 1 negotiations are completed,
the two peers have a Phase 1 Security Association (SA). This SA is valid for only a certain amount of
time. After the Phase 1 SA expires, if the two peers must complete Phase 2 negotiations again, they
must also negotiate Phase 1 again.
Phase 1 negotiations include these steps:
1. The devices exchange credentials.
The credentials can be a certificate or a pre-shared key. Both gateway endpoints must use the
same credential method. If one peer uses a pre-shared key, the other peer must also use a pre-
shared key, and the keys must match. If one peer uses a certificate, the other peer must also
use a certificate.
2. The devices identify each other.
Each device provides a Phase 1 identifier, which can be an IP address, domain name, domain
information, or an X500 name. The VPN configuration on each peer contains the Phase 1
identifier of the local and the remote device, and the configurations must match.
3. The peers decide whether to use Main Mode or Aggressive Mode.
Phase 1 negotiations can use one of two different modes: Main Mode or Aggressive Mode. The
device that starts the IKE negotiations (the initiator) sends either a Main Mode proposal or an
Aggressive Mode proposal. The responder can reject the proposal if it is not configured to use
that mode. Aggressive Mode is less secure but faster than Main Mode.
When you use Aggressive mode, the number of exchanges between two endpoints is fewer
than it would be if you used Main Mode, and the exchange relies mainly on the ID types used in
the exchange by both appliances. Aggressive Mode does not ensure the identity of the peer.
Main Mode ensures the identity of both peers, but can only be used if both sides have a static IP
address.
4. The peers agree on Phase 1 parameters.
n Whether to use NAT traversal
n Whether to send IKE keep-alive messages (supported between Firebox or XTM devices
only)
n Whether to use Dead Peer Detection (RFC 3706)
5. The peers agree on Phase 1 Transform settings.
Transform settings include a set of authentication and encryption parameters, and the
maximum amount of time for the Phase 1 SA. The settings in the Phase 1 transform must
exactly match a Phase 1 transform on the IKE peer, or IKE negotiations fail.
The items you can set in the transform are:
n Authentication: The type of authentication (SHA1 or MD5).
n Encryption: The type of encryption algorithm (DES, 3DES or AES).
n SA Life: The amount of time until the Phase 1 Security Association expires.
n Key Group: The Diffie-Hellman key group.
Phase 2 Negotiations
After the two IPSec peers complete Phase 1 negotiations, Phase 2 negotiations begin. The purpose of
Phase 2 negotiations is to establish the Phase 2 SA (sometimes called the IPSec SA). The IPSec SA is a set of
traffic specifications that tell the device what traffic to send over the VPN, and how to encrypt and
authenticate that traffic. In Phase 2 negotiations, the two peers agree on a set of communication
parameters. When you configure the BOVPN tunnel in Policy Manager or in Fireware XTM Web UI,
you specify the Phase 2 parameters.
Because the peers use the Phase 1 SA to secure the Phase 2 negotiations, and you define the Phase 1
SA settings in the BOVPN Gateway settings, you must specify the gateway to use for each tunnel.
Phase 2 negotiations include these steps:
1. The peers use the Phase 1 SA to secure Phase 2 negotiations.
Phase 2 negotiations can only begin after Phase 1 SA has been established.
2. The peers exchange Phase 2 identifiers (IDs).
Phase 2 IDs are always sent as a pair in a Phase 2 proposal: one indicates which IP addresses
behind the local device can send traffic over the VPN, and the other indicates which IP
addresses behind the remote device can send traffic over the VPN. This is also known as a
tunnel route. You can specify the Phase 2 IDs for the local and remote peer as a host
IP address, a network IP address, or an IP address range.
3. The peers agree on whether to use Perfect Forward Secrecy (PFS).
PFS specifies how Phase 2 keys are derived. When PFS is selected, both IKE peers must use
PFS, or Phase 2 rekeys fail. PFS guarantees that if an encryption key used to protect the data
transmission is compromised, an attacker can access only the data protected by that key, not
subsequent keys. If the peers agree to use PFS, they must also agree on the Diffie-Hellman
key group to use for PFS.
4. The peers agree on a Phase 2 proposal.
The Phase 2 proposal includes the IP addresses that can send traffic over the tunnel, and a
group of encryption and authentication parameters. Fireware XTM sends these parameters in a
Phase 2 proposal. The proposal includes the algorithm to use to authenticate data, the algorithm
to use to encrypt data, and how often to make new Phase 2 encryption keys.
The items you can set in a Phase 2 proposal include:
Type
For a manual BOVPN, you can select the type of protocol to use: Authentication Header
(AH) or Encapsulating Security Payload (ESP). ESP provides authentication and
encryption of the data. AH provides authentication without encryption. We recommend you
select ESP. Managed BOVPN and Mobile VPN with IPSec always use ESP.
Authentication
Authentication makes sure that the information received is exactly the same as the
information sent. You can use SHA or MD5 as the algorithm the peers use to authenticate
IKE messages from each other. SHA1 is more secure.
Encryption
Encryption keeps the data confidential. You can select DES, 3DES, or AES. AES is the
most secure.
Force Key Expiration
To make sure Phase 2 encryption keys change periodically, always enable key expiration.
The longer a Phase 2 encryption key is in use, the more data an attacker can collect to use
to mount an attack on the key.
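The matching rules stated in the Phase 1 and Phase 2 steps above, applied to sample peer configurations in an added Python illustration that is not Fireware code. It models only the rules this section states: a Phase 1 transform must equal a peer transform in every field, the Phase 2 IDs must mirror each other, both peers must make the same PFS decision and use the same group, and a Phase 2 proposal must be common to both; the networks, lifetimes and algorithms are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Phase1Transform:
    """The four items of a Phase 1 transform; all must match on the IKE peer."""
    authentication: str      # "SHA1" or "MD5"
    encryption: str          # "DES", "3DES" or "AES"
    sa_life: int             # Phase 1 SA lifetime in seconds
    key_group: int           # Diffie-Hellman group number


@dataclass(frozen=True)
class Phase2Proposal:
    protocol: str            # "ESP" or "AH"
    authentication: str      # "SHA1" or "MD5"
    encryption: str          # "DES", "3DES" or "AES"


@dataclass(frozen=True)
class TunnelRoute:
    """The pair of Phase 2 IDs: networks behind this device and behind the peer."""
    local: str
    remote: str


@dataclass(frozen=True)
class Phase2Settings:
    route: TunnelRoute
    proposals: Tuple[Phase2Proposal, ...]   # in preference order
    pfs_group: Optional[int] = None         # DH group when PFS is enabled, else None


def select_phase1(initiator, responder):
    """Return the first initiator transform that exactly matches one of the responder's.

    Authentication, encryption, SA life and key group must all be equal; if no
    transform matches, IKE negotiations fail, reported here as None."""
    responder_set = set(responder)
    for transform in initiator:
        if transform in responder_set:
            return transform
    return None


def routes_mirror(a, b):
    """My local network must be the peer's remote network, and vice versa."""
    def net(text):
        return ipaddress.ip_network(text, strict=False)
    return net(a.local) == net(b.remote) and net(a.remote) == net(b.local)


def select_phase2(initiator, responder):
    """Apply the Phase 2 rules in order: mirrored IDs, PFS agreement, common proposal.

    Returns (selected proposal or None, reason)."""
    if not routes_mirror(initiator.route, responder.route):
        return None, "Phase 2 IDs do not mirror each other"
    if (initiator.pfs_group is None) != (responder.pfs_group is None):
        return None, "one peer requires PFS and the other does not: rekeys fail"
    if initiator.pfs_group != responder.pfs_group:
        return None, "PFS is enabled on both peers but the Diffie-Hellman groups differ"
    for proposal in initiator.proposals:
        if proposal in responder.proposals:
            return proposal, "ok"
    return None, "no common Phase 2 proposal"


def demo():
    """Constructed sample configurations for two peers; returns each outcome."""
    init_p1 = [Phase1Transform("SHA1", "AES", 28800, 14),
               Phase1Transform("SHA1", "3DES", 28800, 2)]
    resp_p1 = [Phase1Transform("SHA1", "3DES", 28800, 2)]
    resp_p1_bad = [Phase1Transform("SHA1", "3DES", 86400, 2)]   # only the SA life differs

    esp = Phase2Proposal("ESP", "SHA1", "AES")
    init_p2 = Phase2Settings(TunnelRoute("10.0.1.0/24", "10.0.2.0/24"), (esp,), pfs_group=14)
    resp_p2 = Phase2Settings(TunnelRoute("10.0.2.0/24", "10.0.1.0/24"), (esp,), pfs_group=14)
    resp_no_pfs = Phase2Settings(resp_p2.route, (esp,), pfs_group=None)
    resp_wrong_route = Phase2Settings(TunnelRoute("10.0.3.0/24", "10.0.1.0/24"), (esp,), 14)

    return {
        "phase1": select_phase1(init_p1, resp_p1),
        "phase1_sa_life_mismatch": select_phase1(init_p1, resp_p1_bad),
        "phase2": select_phase2(init_p2, resp_p2),
        "phase2_pfs_mismatch": select_phase2(init_p2, resp_no_pfs),
        "phase2_route_mismatch": select_phase2(init_p2, resp_wrong_route),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```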
About IPSec VPN Tunnel Authentication Methods
There are two authentication methods you can use to establish a secure IPSec VPN tunnel. You must
select one of these IPSec VPN tunnel authentication methods when you configure branch office VPN,
Mobile VPN with IPSec, or Mobile VPN with L2TP.
Use a pre-shared key
Use a pre-shared key stored on both VPN endpoints to verify the identity of each endpoint.
Use a certificate
For branch office VPN and Mobile VPN with L2TP, you use an IPSec certificate imported and
stored on the XTM device. The same certificate must also be imported to the other VPN
endpoint.
For Mobile VPN with IPSec you use a certificate generated by a WatchGuard Management
Server.
For more information about how to use certificates for IPSec VPN tunnel authentication, see:
- Certificates for Branch Office VPN (BOVPN) Tunnel Authentication
- Certificates for Mobile VPN With IPSec Tunnel Authentication
- Certificates for Mobile VPN with L2TP Tunnel Authentication
Configure Phase 1 and Phase 2 Settings
You configure Phase 1 and Phase 2 settings separately for each IPSec VPN.
Branch Office VPN
For a manual Branch Office VPN (BOVPN), you configure Phase 1 settings when you define a Branch
Office gateway, and you configure Phase 2 settings when you define a Branch Office tunnel.
For more information about BOVPN Phase 1 and Phase 2 settings, see:
- Configure Gateways on page 1021
- Define a Tunnel on page 1035
Mobile VPN with IPSec
For Mobile VPN with IPSec, you configure the Phase 1 and Phase 2 settings when you add or edit a
Mobile VPN with IPSec configuration.
For more information, see:
- Configure the XTM Device for Mobile VPN with IPSec
- Modify an Existing Mobile VPN with IPSec Group Profile
- Use the WatchGuard L2TP Setup Wizard
Use a Certificate for IPSec VPN Tunnel Authentication
When an IPSec tunnel is created, the IPSec protocol checks the identity of each endpoint with either a
pre-shared key (PSK) or a certificate imported and stored on the XTM device. You configure the tunnel
authentication method in the VPN Phase 1 settings.
For more information about how to use a certificate for tunnel authentication, see:
- Certificates for Branch Office VPN (BOVPN) Tunnel Authentication
- Certificates for Mobile VPN With IPSec Tunnel Authentication
- Use Certificates for L2TP VPN Tunnel Authentication
About Mobile VPNs
A Mobile VPN enables your employees who telecommute and travel to securely connect to your
corporate network. Fireware XTM supports four types of remote user virtual private networks: Mobile
VPN with IPSec, Mobile VPN with SSL, Mobile VPN with L2TP, and Mobile VPN with PPTP.
When you use Mobile VPN, you first configure your XTM device and then configure the remote client
computers. You use Policy Manager or Fireware XTM Web UI to configure the settings for each user or
group of users. For Mobile VPN with IPSec, Mobile VPN with SSL, and Mobile VPN with L2TP, you
use Policy Manager or the Web UI to create an end user profile configuration file that includes all the
settings necessary to connect to the XTM device. You can also configure your policies to allow or deny
traffic from Mobile VPN clients. Mobile VPN users authenticate either to the XTM device user
database or to an external authentication server.
Select a Mobile VPN
Fireware XTM supports four types of Mobile VPN. Each type uses different ports, protocols, and
encryption algorithms.
Mobile VPN with PPTP
- PPTP (Point-to-Point Tunneling Protocol) - Establishes the tunnel between two endpoints
- TCP port 1723 - Control connection that sets up and tears down the tunnel
- IP protocol 47 (GRE) - Carries the tunneled data
- Encryption algorithms - MPPE (RC4) with 40-bit or 128-bit keys
PPTP is the oldest and weakest of the four options: its MS-CHAP authentication and RC4-based
MPPE encryption are both considered weak. Use it only where no other client is available, and
prefer Mobile VPN with IPSec, SSL, or L2TP.
Mobile VPN with IPSec
- IPSec (Internet Protocol Security) - Secures the tunnel between two endpoints
- UDP port 500 (IKE) - Establishes the tunnel
- UDP port 4500 (NAT Traversal) - Used when a NAT device is detected between the client and
the XTM device; IKE and ESP traffic are then both encapsulated in UDP port 4500
- IP protocol 50 (ESP) or IP protocol 51 (AH) - Carries the data; ESP encrypts and authenticates
it, AH authenticates it without encryption
- Encryption algorithms - DES, 3DES, or AES (128, 192, or 256 bit)
Mobile VPN with SSL
- SSL (Secure Sockets Layer) - Secures the tunnel between two endpoints
- TCP port 443 or UDP port 443 - Establishes the tunnel and carries the encrypted data
- Encryption algorithms - Blowfish, DES, 3DES, or AES (128, 192, or 256 bit)
For Mobile VPN with SSL, you can choose a different port and protocol. For more
information, see Choose the Port and Protocol for Mobile VPN with SSL on page 1253.
Mobile VPN with L2TP, with IPSec enabled
- IPSec (Internet Protocol Security) - Secures the tunnel between two endpoints
- UDP port 500 (IKE) - Establishes the IPSec security association (SA)
- IP protocol 50 (ESP) - Establishes a secure channel
- L2TP v2 (Layer 2 Tunneling Protocol) - Negotiates the tunnel between two endpoints
- UDP port 1701 - Establishes the tunnel; with IPSec enabled, the L2TP packets travel inside
the ESP channel
- Encryption algorithms - DES, 3DES, or AES (128, 192, or 256 bit)
The type of Mobile VPN you select largely depends on your existing infrastructure and your network
policy preferences. The XTM device can support all four types of mobile VPN simultaneously. A client
computer can be configured to use one or more methods. Some of the things to consider when you
select what type of Mobile VPN to use are described in the subsequent sections.
VPN Tunnel Capacity and Licensing
When you select a type of tunnel, make sure to consider the number of tunnels your device supports
and whether you can purchase an upgrade to increase the number of tunnels.
Mobile VPN with PPTP
    Maximum VPN tunnels: 50 tunnels
Mobile VPN with IPSec
    - Base and maximum tunnels vary by XTM device model.
    - License purchase is required to enable the maximum number of tunnels.
    - Client license is required to use the WatchGuard Mobile VPN with IPSec client after the
      30 day trial period.
Mobile VPN with SSL
    - Base and maximum tunnels vary by XTM device model.
    - Pro upgrade for the Fireware XTM OS is required for maximum SSL VPN tunnels.
    - To support more than one SSL VPN tunnel you must have a Pro upgrade.
Mobile VPN with L2TP
    - Base and maximum tunnels vary by XTM device model.
    - Pro upgrade for the Fireware XTM OS is required for maximum L2TP VPN tunnels.
    - To support more than one L2TP VPN tunnel you must have a Pro upgrade.
For the base and maximum number of tunnels supported for Mobile VPN with IPSec, Mobile VPN
with SSL, and Mobile VPN with L2TP, see the detailed specifications for your XTM device model.
You can see the maximum number of each type of VPN tunnel your device supports in the device
feature key. For more information, see VPN Tunnel Capacity and Licensing.
Authentication Server Compatibility
When you select a Mobile VPN solution, make sure to choose a solution that supports the type of
authentication server you use.

Mobile VPN                                                   XTM device  RADIUS  Vasco/RADIUS  SecurID  LDAP  Active Directory
WatchGuard IPSec Mobile VPN Client for Windows               Yes         Yes     Yes           Yes      Yes   Yes
Shrew Soft IPSec VPN Client for Windows                      Yes         Yes     No*           No*      Yes   Yes
WatchGuard IPSec Mobile VPN Client for Mac OS X              Yes         Yes     Yes           Yes      Yes   Yes
Mobile VPN with IPSec for Mac OS X or iOS native VPN client  Yes         No**    No            Yes      No**  No**
Mobile VPN with IPSec for Android                            Yes         Yes     Yes           No       Yes   Yes
Mobile VPN with SSL                                          Yes         Yes     Yes           Yes      Yes   Yes
Mobile VPN with PPTP                                         Yes         Yes     No            No       No    Yes***
Mobile VPN with L2TP                                         Yes         Yes     No            No       No    Yes***

* The Shrew Soft IPSec VPN client does not support 2-factor authentication.
** RADIUS, LDAP, and Active Directory authentication methods are not supported for the iOS and
OS X native VPN client, but may operate correctly.
*** Active Directory authentication for PPTP and L2TP is supported only through a RADIUS server.
Other compatibility notes:
RADIUS
The RADIUS server must return the Filter-Id attribute (RADIUS attribute 11) in its Access-Accept
response. The value of the Filter-Id attribute must match the name of the correct group (PPTP-
Users or SSLVPN-Users, or the name of the group you define in the Mobile VPN with SSL or
Mobile VPN with IPSec configuration).
Vasco RADIUS
The RADIUS Filter-Id attribute is currently not supported by Vasco. For a workaround, use the
Microsoft IAS RADIUS plug-in.
Client Configuration Steps and Operating System Compatibility
The configuration steps you must complete are different for each Mobile VPN solution. Each VPN
solution is also compatible with different operating systems.
Mobile VPN with PPTP
VPN Client Configuration
You do not install WatchGuard VPN client software. You must manually configure the network
settings on each client computer to set up a PPTP connection.
Client OS
Compatible with Windows XP, Windows Vista, Windows 7, and Windows 8.
Mobile VPN with IPSec
VPN Client Configuration
To connect from a Windows computer, you must install the Shrew Soft VPN client or the
WatchGuard IPSec Mobile VPN Client and manually import the end user profile.
To connect from a Mac OS X computer, you can install the WatchGuard IPSec Mobile VPN
Client and manually import the end user profile. Or you can import the configuration file to the
native IPSec VPN client on Mac OS X.
To connect from an Android or iOS device you can import the configuration file to the
WatchGuard Mobile VPN app.
Client OS
Windows
- The WatchGuard IPSec VPN Client for Windows is compatible with Windows XP SP2,
Windows Vista, Windows 7, and Windows 8.
- The Shrew Soft client is compatible with Windows XP SP2 (32 bit), Windows Vista,
Windows 7, and Windows 8.
Mac OS X
- The WatchGuard IPSec VPN Client for Mac OS X is compatible with Mac OS X 10.7 and
10.8.
- Mobile VPN with IPSec supports the native VPN clients on Mac OS X 10.5, 10.6, 10.7 and
10.8.
Android and iOS
- The WatchGuard Mobile VPN app is compatible with Android 4.0.x and 4.1.x, and iOS 5.x
and 6.x.
- Mobile VPN with IPSec also supports the native VPN clients in iOS10.6 and higher, and
Android 4.0 and 4.1.x.
Mobile VPN with SSL
VPN Client Configuration
You must install the WatchGuard Mobile VPN with SSL client and the Mobile VPN with
SSL configuration file.
Client OS
Compatible with Windows XP SP2 (32 bit), Windows Vista, Windows Server 2003 (32 bit),
Windows 7, Windows 8, Mac OS X 10.5, 10.6, 10.7, 10.8, and 10.9.
Mobile VPN with L2TP
VPN Client Configuration
You do not install WatchGuard VPN client software. You must manually configure the network
settings on each client device to set up an L2TP connection. Mobile VPN with L2TP is
compatible with any L2TP client that fully supports L2TP v2 as described in RFC 2661.
The WatchGuard Mobile VPN app for iOS can import a Mobile VPN with L2TP configuration file
to the native iOS VPN client.
Client OS
Any OS that supports L2TPv2 connections.
Internet Access Options for Mobile VPN Users
For all types of Mobile VPN, you have two options for Internet access for your Mobile VPN users:
Force all client traffic through tunnel (default-route VPN)
The most secure option is to require that all remote user Internet traffic is routed through the
VPN tunnel to the XTM device. Then, the traffic is sent back out to the Internet. With this
configuration (known as default-route VPN), the XTM device is able to examine all traffic and
apply its policies and security services to it, although it uses more processing power and
bandwidth.
When you use default-route VPN with Mobile VPN with IPSec or Mobile VPN with PPTP, a
dynamic NAT policy must include the outgoing traffic from the remote network. This enables
remote users to browse the Internet when they send all traffic to the XTM device.
Allow direct access to the Internet (split tunnel VPN)
Another configuration option is to enable split tunneling. With this option, your users can browse
the Internet, but Internet traffic is not sent through the VPN tunnel. Split tunneling improves
network performance, but decreases security because the policies you create are not applied to
the Internet traffic. If you use split tunneling, we recommend that each client computer have a
software firewall.
For information about how to configure these options for each type of Mobile VPN, see:
- Options for Internet Access Through a Mobile VPN with IPSec Tunnel
- Options for Internet Access Through a Mobile VPN with PPTP Tunnel
- Options for Internet Access Through a Mobile VPN with SSL Tunnel
- Options for Internet Access Through a Mobile VPN with L2TP Tunnel
Mobile VPN Setup Overview
When you set up Mobile VPN, you must first configure the XTM device and then configure the client
computers. Regardless of which type of Mobile VPN you choose, you must complete the same five
configuration steps. The details for each step are different for each type of VPN.
1. Activate Mobile VPN in Policy Manager.
2. Define VPN settings for the new tunnel.
3. Select and configure the method of authentication for Mobile VPN users.
4. Define policies and resources.
5. Configure the client computers.
  - For Mobile VPN with IPSec and Mobile VPN with SSL, install the client software and
    configuration file.
  - For Mobile VPN with PPTP and Mobile VPN with L2TP, manually configure the PPTP or
    L2TP connection in the client computer network settings.
For more information about each type of Mobile VPN, see:
- About Mobile VPN with IPSec
- About Mobile VPN with PPTP
- About Mobile VPN with SSL
- About Mobile VPN with L2TP
Virtual IP Addresses and Mobile VPNs
When you configure each type of mobile VPN on the XTM device, you define a pool of virtual
IP addresses. The XTM device assigns an IP address from the virtual IP address pool to each Mobile
VPN user, until all of the addresses are in use. When a user closes a VPN session, the IP address
used by that session becomes available again.
If you configure Mobile VPN with SSL to bridge to a local network, the virtual IP addresses must be on
the same subnet as the interface you want to bridge to. For all other Mobile VPN types, it is not
necessary for the virtual IP addresses to be on the same subnet as the trusted network. For all types of
Mobile VPN, the IP addresses in the virtual IP address pool cannot be used for anything else on your
network.
If FireCluster is configured, you must add two virtual IP addresses for each Mobile
VPN user, and you must make sure the virtual IP address pool is not on the same
subnet as a primary cluster IP address.
To enable the maximum number of VPN connections, make sure that the virtual IP address pool
contains at least as many IP addresses as the maximum number of VPN connections your
XTM device supports. The maximum number of supported VPN connections is different for
each type of VPN and for each XTM device model.
For more information about VPN tunnel licensing, see VPN Tunnel Capacity and Licensing.
If the virtual IP address pool in the mobile VPN configuration contains fewer IP addresses than the
maximum number of mobile VPN connections supported by the device, the maximum number of VPN
connections is limited by the number of IP addresses in the virtual IP address pool.
DNS and Mobile VPNs
All network resources in an IPv4 network have an IP address, such as 10.0.2.25. DNS (Domain Name
System) allows users to get access to resources by name.
When a user attempts to get access to a device by a name, such as www.example.net, the client
computer sends a request to its configured DNS server, which returns the IP address associated with
that device name. A device name that is linked to one or more IP addresses is known as a hostname.
A hostname that includes the full domain path, such as mail.example.net, is called a FQDN (Fully
Qualified Domain Name). Some hostnames, such as mail, do not include the domain path.
How DNS Works Across a VPN
When a Mobile VPN client establishes a VPN tunnel to the XTM device, the XTM device assigns a
virtual IP address to the client computer. If a DNS server is configured in the XTM device network or
Mobile VPN settings, the XTM device also assigns the DNS server address to the VPN client on the
virtual adapter. For Mobile VPN with SSL connections, the XTM device can also assign the VPN client
a DNS domain name suffix. You can configure the DNS domain name suffix in the Mobile VPN with
SSL advanced settings.
The client appends the assigned DNS suffix, such as example.net, to a DNS request when the user
looks up a hostname that does not include the domain path, so that a lookup for mail becomes a
lookup for mail.example.net. Without the suffix, such lookups fail in most cases, and users must type
the FQDN mail.example.net to reach the resource.
VPN Tunnel Capacity and Licensing
The maximum number of active VPN tunnels your XTM device supports depends on values in the
feature key for the XTM device. The maximum number of supported tunnels is different for each XTM
device model.
Find Your XTM Device Tunnel Capacity
To see the maximum number of VPN tunnels your XTM device supports:
1. Select System > Feature Key.
The Feature Key page appears.
2. In the Feature column, look for the VPN features.
3. For each VPN feature, the associated Value tells you the maximum number of active tunnels.
In the feature key, these features identify the licensed VPN limits:
- Branch Office VPN Tunnels - The maximum number of active branch office VPN tunnel routes
and BOVPN virtual interfaces.
- SSLVPN Users - The maximum number of active Mobile VPN with SSL user connections.
- FK_L2TP_USER - The maximum number of active Mobile VPN with L2TP user connections.
- Mobile VPN Users - The maximum number of active Mobile VPN with IPSec user
connections.
There is no feature key line item for PPTP Users. The maximum number of PPTP user connections is
always 50.
VPN License Enforcement
The maximums in the feature key limit the number of each type of VPN tunnel that can be active at the
same time. The feature key does not limit the size of the mobile VPN virtual IP address pools or the
number of tunnel routes you can configure for branch office VPNs.
Mobile VPN Virtual IP Address Pools
If you configure a mobile VPN IP address pool with a higher number of IP addresses than the maximum
number in the feature key, you see a warning that the number of IP addresses in the virtual address
pool is higher than the maximum number of users in the feature key. You can still save the
configuration, but the address pool contains some IP addresses that will never be used.
The maximum number of concurrent active VPN connections is based on the value in the feature key,
not on the number of IP addresses in the virtual IP address pool.
For example, if your XTM device feature key allows a maximum of 55 Mobile VPN with L2TP
connections, and you configure the Mobile VPN with L2TP virtual IP address pool with 100 IP
addresses, only 55 Mobile VPN with L2TP connections can be active at the same time.
About Branch Office VPN Tunnel Routes
For license enforcement, an active BOVPN virtual interface counts as a single tunnel route, even if
multiple VPN routes are configured to use it. For a branch office VPN that is not configured as a
BOVPN virtual interface, each active VPN tunnel route counts as a tunnel route in use.
The feature key does not limit the number of tunnel routes you can configure, but it does limit the
number of tunnel routes that can be active at the same time.
For example, if your XTM device feature key allows a maximum of 50 tunnels, and you configure a total
of 60 tunnel routes, only 50 of the branch office VPN tunnel routes can be active at the same time.
21
Branch Office VPNs
What You Need to Create a Manual BOVPN
Before you configure a branch office VPN network on your XTM device, read these requirements:
- You must have two XTM devices, or one XTM device and a second device that uses IPSec
standards. You must enable the VPN option on the other device if it is not already active.
- The two devices must each have an external interface with a connection to the Internet.
- The ISP for each VPN device must allow IPSec traffic on their networks.
Some ISPs do not let you create VPN tunnels on their networks unless you upgrade your
Internet service to a level that supports VPN tunnels. Speak with a representative from each
ISP to make sure these ports and protocols are allowed:
  - UDP Port 500 (Internet Key Exchange or IKE)
  - UDP Port 4500 (NAT traversal)
  - IP Protocol 50 (Encapsulating Security Payload or ESP)
- If the other side of the VPN tunnel is an XTM device and each device is under
management, you can use the Managed VPN option. Managed VPN is easier to
configure than Manual VPN. To use this option, you must get information from the
administrator of the XTM device on the other side of the VPN tunnel.
- You must know whether the IP address assigned to the external interface of your XTM device is
static or dynamic.
For more information about IP addresses, see About IP Addresses on page 3.
- Your XTM device model tells you the maximum number of VPN tunnels that you can create. If
your XTM device model can be upgraded, you can purchase a model upgrade that increases the
maximum number of supported VPN tunnels.
- If you connect two Microsoft Windows NT networks, they must be in the same Microsoft
Windows domain, or they must be trusted domains. This is a Microsoft Networking issue, and
not a limitation of the XTM device.
- If you want to use the DNS and WINS servers from the network on the other side of the VPN
tunnel, you must know the IP addresses of these servers.
The XTM device can give WINS and DNS IP addresses to the computers on its trusted network
if those computers get their IP addresses from the XTM device with DHCP.
- If you want to give the computers the IP addresses of WINS and DNS servers on the other side
of the VPN, you can type those addresses into the DHCP settings in the trusted network setup.
For information on how to configure the XTM device to distribute IP addresses with DHCP, see
Configure IPv4 DHCP in Mixed Routing Mode on page 154.
- You must know the network address of the private (trusted) networks behind your XTM device
and of the network behind the other VPN device, and their subnet masks.
- To configure a BOVPN virtual interface, both endpoints must be WatchGuard devices that use
Fireware XTM v11.8 or higher. For more information, see About BOVPN Virtual Interfaces.
The private IP addresses of the computers behind your XTM device cannot be the
same as the IP addresses of the computers on the other side of the VPN tunnel. If
your trusted network uses the same IP addresses as the office to which it will create
a VPN tunnel, then your network or the other network must change their IP address
arrangement to prevent IP address conflicts.
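The port and protocol list under Select a Mobile VPN, and the ISP requirement in the list above (UDP 500, UDP 4500, IP protocol 50), are easiest to verify against observed traffic. The script below is an added example and not WatchGuard code: it parses a constructed connection log (the line format is invented for this example; Fireware log lines look different), labels each record with the VPN component it belongs to using the port and protocol assignments this guide lists, and flags the typical failure in which an ISP or NAT device passes the IKE negotiation but drops the ESP or GRE data channel.

```python
"""Label connection records by VPN component and flag tunnels with no data channel.

Added example, not WatchGuard code. Log format below is constructed for this example.
"""
from collections import defaultdict

# (IP protocol, destination port) -> VPN component, from the port list in this guide.
# A port of None matches the protocol regardless of port.
SIGNATURES = {
    ("udp", 500): "IKE",
    ("udp", 4500): "IKE/ESP NAT-T",
    ("esp", None): "ESP",
    ("ah", None): "AH",
    ("tcp", 1723): "PPTP control",
    ("gre", None): "PPTP data (GRE)",
    ("udp", 1701): "L2TP (unprotected)",    # with IPSec enabled, L2TP rides inside ESP
    ("tcp", 443): "SSL VPN or HTTPS",
    ("udp", 443): "SSL VPN",
}
PROTO_NAMES = {"6": "tcp", "17": "udp", "47": "gre", "50": "esp", "51": "ah"}


def parse_line(line):
    """Parse 'proto,src,dst,dport' (constructed format). dport is '-' when the
    protocol has no ports. Returns (proto, src, dst, dport or None)."""
    proto, src, dst, dport = [f.strip() for f in line.split(",")]
    proto = PROTO_NAMES.get(proto, proto.lower())
    return proto, src, dst, (None if dport in ("-", "") else int(dport))


def classify(proto, dport):
    """Exact (proto, port) match first, then a port-less protocol match."""
    return SIGNATURES.get((proto, dport)) or SIGNATURES.get((proto, None))


def diagnose(lines):
    """Per source address: (sorted components seen, list of problems found)."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        proto, src, dst, dport = parse_line(line)
        label = classify(proto, dport)
        if label:
            seen[src].add(label)
    findings = {}
    for src, labels in seen.items():
        notes = []
        if "IKE" in labels and not labels & {"ESP", "AH", "IKE/ESP NAT-T"}:
            notes.append("IKE on UDP 500 seen but no ESP (protocol 50) or NAT-T (UDP 4500): "
                         "something between the peers is probably dropping ESP; "
                         "check the ISP and make sure NAT traversal is allowed")
        if "PPTP control" in labels and "PPTP data (GRE)" not in labels:
            notes.append("TCP 1723 seen but no GRE (protocol 47): GRE is probably blocked")
        if "L2TP (unprotected)" in labels:
            notes.append("L2TP on UDP 1701 seen outside IPSec: this tunnel is not encrypted")
        findings[src] = (sorted(labels), notes)
    return findings


# Constructed sample, not real Fireware output: proto,src,dst,dport
SAMPLE_LOG = """\
# proto,src,dst,dport
udp,198.51.100.10,203.0.113.2,500
esp,198.51.100.10,203.0.113.2,-
udp,198.51.100.11,203.0.113.2,500
udp,198.51.100.11,203.0.113.2,500
tcp,198.51.100.12,203.0.113.2,1723
udp,198.51.100.13,203.0.113.2,1701
udp,198.51.100.14,203.0.113.2,500
udp,198.51.100.14,203.0.113.2,4500
""".splitlines()

if __name__ == "__main__":
    for src, (labels, notes) in diagnose(SAMPLE_LOG).items():
        print(src, labels, notes or "ok")
```

Run it against an export of the connection records from the XTM device's external interface (or from a packet capture) while a peer attempts to connect: a source that shows only IKE, or only the PPTP control connection, is the signature of the ISP or NAT problem the requirement above warns about.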
About Manual Branch Office VPN Tunnels
A VPN (Virtual Private Network) creates secure connections between computers or networks in
different locations. Each connection is known as a tunnel. When a VPN tunnel is created, the two
tunnel endpoints authenticate with each other. Data in the tunnel is encrypted so only the sender and
the recipient of the traffic can read it.
A Branch Office Virtual Private Network (BOVPN) enables organizations to deliver secure, encrypted
connectivity between geographically separated offices. The networks and hosts on a BOVPN tunnel
can be corporate headquarters, branch offices, remote users, or telecommuters. These
communications often contain the types of critical data exchanged inside a corporate firewall. In this
scenario, a BOVPN provides confidential connections between these offices. This streamlines
communication, reduces the cost of dedicated lines, and maintains security at each endpoint.
Manual BOVPN tunnels provide many additional tunnel options. Another type of tunnel is a managed
BOVPN tunnel, which is a BOVPN tunnel that you can create between your centrally managed
XTM devices in WatchGuard System Manager with a drag-and-drop procedure or a wizard. For
information about this type of tunnel, see the WatchGuard System Manager Help or User Guide.
What You Need to Create a VPN
In addition to the VPN requirements, to create a manual VPN tunnel:
- You must know whether the IP address assigned to the other VPN device is static or dynamic.
If the other VPN device has a dynamic IP address, your XTM device must find the other device
by domain name and the other device must use Dynamic DNS.
- You must know the shared key (passphrase) for the tunnel. The same shared key must be used
by each device.
- You must know the encryption method used for the tunnel (DES, 3DES, AES-128 bit, AES-192
bit, or AES-256 bit). The two VPN devices must use the same encryption method.
- You must know the authentication method for each end of the tunnel (MD5 or SHA-1). The two
VPN devices must use the same authentication method. Prefer SHA-1 where both devices
support it.
For more information, see What You Need to Create a Manual BOVPN on page 1009.
We recommend that you write down your XTM device configuration and the related information for the
other device. See the Sample VPN Address Information Table on page 1014 to record this information.
BOVPN Tunnel Configuration Options
There are two ways to configure a manual BOVPN tunnel. The method you choose determines how the
XTM device decides whether to send traffic through the tunnel.
Configure a BOVPN Gateway and add BOVPN Tunnels
You can configure a BOVPN gateway and add one or more BOVPN tunnels that use that
gateway. This option enables you to set up a BOVPN tunnel between two WatchGuard
devices, or between a WatchGuard device and another device that uses the same gateway and
tunnel settings. When you use this configuration method, the XTM device always routes a
packet through the BOVPN tunnel if the source and destination of the packet match a
configured BOVPN tunnel.
For information about how to configure the gateway and tunnel settings, see:
- Configure Gateways - Configure the connection points on both the local and remote sides
of the tunnel.
- Define a Tunnel - Configure the tunnel routes and security settings.
Configure a BOVPN Virtual Interface
For WatchGuard devices that use Fireware XTM v11.8 or higher, you can configure a BOVPN
as a BOVPN virtual interface. When you use this configuration method, the XTM device routes
a packet through the tunnel based on the outgoing interface for the packet. You can select a
BOVPN virtual interface as a destination when you configure policies. The decision about
whether the XTM device sends traffic through the VPN tunnel is affected by static and dynamic
routes, and by policy-based routing.
For more information, see About BOVPN Virtual Interfaces.
One-Way Tunnels
If you want to create a VPN tunnel that allows information to flow in only one direction, you can
configure the tunnel to use outgoing dynamic NAT. This can be helpful when you make a tunnel to a
remote site where all VPN traffic comes from one public IP address. For more information, see Set Up
Outgoing Dynamic NAT Through a Branch Office VPN Tunnel on page 1066.
VPN Failover
VPN tunnels automatically fail over to the backup WAN interface during a WAN failover. You can
configure BOVPN tunnels to fail over to a backup peer endpoint if the primary endpoint becomes
unavailable. To do this, you must define at least one backup endpoint, as described in Configure VPN
Failover on page 1098.
Global VPN Settings
Global VPN settings on your XTM device apply to all manual BOVPN tunnels, BOVPN virtual
interfaces, managed BOVPN tunnels, and Mobile VPN tunnels. You can use these settings to:
- Enable IPSec pass-through
- Clear or maintain the settings of packets with Type of Service (TOS) bits set
- Enable the use of non-default routes to determine if IPSec is used
- Disable or enable the built-in IPSec policy
- Use an LDAP server to verify certificates
- Configure the XTM device to send a notification when a BOVPN tunnel is down
(BOVPN tunnels only)
To change these settings, from Fireware XTM Web UI, select VPN > Global Settings. For more
information on these settings, see About Global VPN Settings on page 1059.
BOVPN Tunnel Status
To see the current status of BOVPN tunnels, in Fireware XTM Web UI, select System Status > VPN
Statistics. For more information, see VPN Statistics on page 948.
Rekey BOVPN Tunnels
If you do not want to wait for your BOVPN tunnel keys to expire, you can use Fireware XTM Web UI to
immediately generate new keys for BOVPN tunnels. For more information, see Rekey BOVPN
Tunnels on page 1112.
Sample VPN Address Information Table
Item: External IP Address
Description: The IP address that identifies the IPSec-compatible device on the Internet.
Example: Site A: 203.0.113.2; Site B: 198.51.100.2
Assigned by: ISP

Item: Local Network Address
Description: An address used to identify a local network. These are the IP addresses of the
computers on each side that are allowed to send traffic through the VPN tunnel. We recommend
that you use an address from one of the reserved private ranges:
    10.0.0.0/8 (255.0.0.0)
    172.16.0.0/12 (255.240.0.0)
    192.168.0.0/16 (255.255.0.0)
The numbers after the slashes indicate the subnet masks. /24 means that the subnet mask for the
trusted network is 255.255.255.0. For more information about slash notation, see About Slash
Notation on page 5.
Example: Site A: 10.0.1.0/24; Site B: 10.50.1.0/24
Assigned by: You

Item: Shared Key
Description: The shared key is a passphrase that the two IPSec-compatible devices use to
authenticate each other in Phase 1; the keys that encrypt the data in the tunnel are then derived
during the IKE exchange. The two devices must be configured with the same passphrase. If they are
not, Phase 1 authentication fails and the tunnel is not built.
Use a long passphrase that contains numbers, symbols, lowercase letters, and uppercase letters.
For example, Gu4c4mo!3 is better than guacamole, and a randomly generated passphrase of 20 or
more characters is better still, because an attacker who can guess the passphrase can impersonate
the peer.
Example: Site A: OurShared/Secret; Site B: OurShared/Secret
Assigned by: You

Item: Encryption Method
Description: DES uses 56-bit encryption. 3DES uses 168-bit encryption. AES encryption is
available at the 128-bit, 192-bit, and 256-bit levels. AES-256 bit is the most secure encryption.
The two devices must use the same encryption method.
Example: Site A: AES-256; Site B: AES-256
Assigned by: You

Item: Authentication
Description: The two devices must use the same authentication method. SHA-1 is more secure
than MD5.
Example: Site A: SHA-1 (or MD5); Site B: SHA-1 (or MD5)
Assigned by: You
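The table above lists what both sides must agree on and what the earlier requirements forbid (overlapping private networks). The script below is an added example and not WatchGuard code: it takes the two sides' values as you would record them in the table and checks them against each other before you type them into the Web UI. The Endpoint record and the check names are constructed for this example; the rules it applies (identical key, encryption and authentication method on both sides; private, non-overlapping local networks; SHA-1 over MD5; AES over DES) are the ones this guide states. It assumes IPv4 addresses throughout.

```python
"""Pre-flight consistency check for the two sides of a manual BOVPN.

Added example, not WatchGuard code. Endpoint fields mirror the sample address table.
"""
from dataclasses import dataclass
import ipaddress

PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENCRYPTION_BITS = {"DES": 56, "3DES": 168, "AES-128": 128, "AES-192": 192, "AES-256": 256}
AUTHENTICATION = ("MD5", "SHA-1")


@dataclass
class Endpoint:
    name: str
    external_ip: str
    local_networks: list      # IPv4 networks in slash notation, e.g. ["10.0.1.0/24"]
    shared_key: str
    encryption: str           # a key of ENCRYPTION_BITS
    authentication: str       # one of AUTHENTICATION


def passphrase_classes(key):
    """Count the character classes present: lowercase, uppercase, digit, symbol."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in key) for t in tests)


def check_bovpn(a, b):
    """Return (errors, warnings). Errors mean the tunnel will not work or a hard
    requirement is violated; warnings are weak but functional choices."""
    errors, warnings = [], []
    if a.shared_key != b.shared_key:
        errors.append("shared key differs between sites")
    if a.encryption != b.encryption:
        errors.append(f"encryption differs: {a.name}={a.encryption}, {b.name}={b.encryption}")
    if a.authentication != b.authentication:
        errors.append(f"authentication differs: {a.name}={a.authentication}, "
                      f"{b.name}={b.authentication}")
    for ep in (a, b):
        if ep.encryption not in ENCRYPTION_BITS:
            errors.append(f"{ep.name}: unknown encryption method {ep.encryption}")
        elif not ep.encryption.startswith("AES"):
            warnings.append(f"{ep.name}: {ep.encryption} is weaker than AES")
        if ep.authentication not in AUTHENTICATION:
            errors.append(f"{ep.name}: unknown authentication method {ep.authentication}")
        elif ep.authentication == "MD5":
            warnings.append(f"{ep.name}: MD5 is weaker than SHA-1")
    if len(a.shared_key) < 12 or passphrase_classes(a.shared_key) < 3:
        warnings.append("shared key is short or uses fewer than three character classes")

    nets = {}
    for ep in (a, b):
        nets[ep.name] = []
        ext = ipaddress.ip_address(ep.external_ip)
        for text in ep.local_networks:
            try:
                net = ipaddress.ip_network(text, strict=True)   # rejects host bits set
            except ValueError as exc:
                errors.append(f"{ep.name}: bad local network {text}: {exc}")
                continue
            nets[ep.name].append(net)
            if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
                warnings.append(f"{ep.name}: {net} is not in a reserved private range")
            if ext in net:
                errors.append(f"{ep.name}: external IP {ext} lies inside local network {net}")
    # The requirement above: the two sides' private networks must not collide.
    for na in nets[a.name]:
        for nb in nets[b.name]:
            if na.overlaps(nb):
                errors.append(f"local networks overlap: {a.name} {na} and {b.name} {nb}")
    return errors, warnings


# The sample values from the table above.
SITE_A = Endpoint("Site A", "203.0.113.2", ["10.0.1.0/24"], "OurShared/Secret", "AES-256", "SHA-1")
SITE_B = Endpoint("Site B", "198.51.100.2", ["10.50.1.0/24"], "OurShared/Secret", "AES-256", "SHA-1")

if __name__ == "__main__":
    print(check_bovpn(SITE_A, SITE_B))
```

Run it with the values for both sites before Step 2 of the Quick Start; an error from the overlap check is the situation the note at the end of the requirements list describes, and it must be resolved by renumbering one network, not by tunnel settings.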
Quick Start - Set Up a VPN Tunnel between Two Firebox or XTM Devices
A branch office virtual private network (BOVPN) tunnel is a secure way for networks, or for a host and
a network, to exchange data across the Internet. This topic summarizes the steps required to set up a
BOVPN tunnel between two Firebox or XTM devices that use Fireware XTM v11.x.
This topic does not provide details about what the different settings in the BOVPN dialog boxes mean
and the effects they can have on the tunnel that is built. For more detailed information about branch
office VPN settings, see:
- About Manual Branch Office VPN Tunnels
- Configure Gateways
- Make Tunnels Between Gateway Endpoints
This procedure describes how to set up a branch office VPN between two devices at Site A and Site B,
when both devices have static external IP addresses. For information about how to set up a
BOVPN gateway to a device that uses a dynamic external IP address, see Define Gateway Endpoints
on page 1023.
Step 1 - Collect IP addresses and tunnel settings
If both devices have a static public IP address, you need to know this information before you
begin:
- Public IP address of each device - This is the IP address that the peer gateway connects
to.
- Private IP addresses for each device - These are the addresses of the networks behind each
device whose computers are allowed to send traffic through the VPN tunnel.
- Pre-shared key - This is the passphrase the two devices use to authenticate each other. It
must be identical on both devices.
Here is a checklist of the information you must collect:
Site A device
Site A External (Public) IP address: ______________________________
Site A Private IP addresses: _____________________________
Branch Office VPNs
1016 Fireware XTMWeb UI
Branch Office VPNs
User Guide 1017
Site B device
Site B External (Public) IP address: ______________________________
Site B Private IP addresses: _____________________________
Common VPN settings
Pre-shared key: _____________________________
You must also decide what Phase 1 and Phase 2 settings to use. For a VPN between two Firebox
or XTM devices, you can use the default Phase 1 and Phase 2 settings on both devices.
For a complete list of settings, and a detailed example of how to configure settings for a
BOVPN between two XTM devices, see WatchGuard VPN Interoperability: Fireware XTM to
Fireware XTM.
Step 2: Configure the VPN gateway on the Site A device
1. Select VPN > Branch Office VPN.
2. Below the Gateways list, click Add.
3. In the Gateway Name text box, type a name to identify this gateway.
4. In the Credential Method section, select Use Pre-Shared Key. Type the shared key.
5. Below the Gateway Endpoint list, click Add.
6. In the Local Gateway tab, select By IP Address.
7. In the By IP Address text box, type the external IP address of the Site A device.
8. From the External Interface drop-down list, select the interface that has the external IP
address you selected.
9. Select the Remote Gateway tab.
10. Select Static IP Address.
11. In the Static IP Address text box, type the external (public) IP address of the Site B
device.
12. Select By IP Address. In the By IP Address text box, type the external IP address of the
Site B device.
13. Click OK to close the Gateway Endpoint Settings dialog box.
14. Click Save to save the gateway settings.
Step 3: Configure the VPN tunnel on the Site A device
1. On the Branch Office VPN page, below the Tunnels list, click Add.
2. In the Tunnel Name text box, type a name for the tunnel.
3. From the Gateway drop-down list, select the gateway you created.
4. Below the Addresses list, click Add.
5. In the Local IP section, from the Choose Type drop-down list, select the type of local
address. For example, select Network IPv4 to add an IPv4 subnet.
6. In the adjacent text box, type the private network address at Site A.
7. In the Remote IP section, from the Choose Type drop-down list, select the type of remote
address. For example, select Network IPv4 to add an IPv4 subnet.
8. In the adjacent text box, type the private network address at Site B.
9. From the Direction drop-down list, select the tunnel direction. The tunnel direction
determines which endpoint of the VPN tunnel can start a VPN connection through the
tunnel.
10. Click OK.
11. Click Save to save the tunnel settings.
Step 4: Configure the VPN gateway on the Site B device
1. Select VPN > Branch Office VPN.
2. Below the Gateways list, click Add.
3. In the Gateway Name text box, type a name to identify this gateway.
4. In the Credential Method section, select Use Pre-Shared Key. Type the shared key.
5. Below the Gateway Endpoint list, click Add.
6. In the Local Gateway tab, select By IP Address.
7. In the By IP Address text box, type the external IP address of the Site B device.
8. From the External Interface drop-down list, select the interface that has the external IP
address you selected.
9. Select the Remote Gateway tab.
10. Select Static IP Address.
11. In the Static IP Address text box, type the external (public) IP address of the Site A
device.
12. Select By IP Address. In the By IP Address text box, type the external IP address of the
Site A device.
13. Click OK to close the Gateway Endpoint Settings dialog box.
14. Click Save to save the gateway settings.
Step 5: Configure the VPN tunnel on the Site B device
1. On the Branch Office VPN page, below the Tunnels list, click Add.
2. In the Tunnel Name text box, type a name for the tunnel.
3. From the Gateway drop-down list, select the gateway you created.
4. Below the Addresses list, click Add.
5. In the Local IP section, from the Choose Type drop-down list, select the type of local
address. For example, select Network IPv4 to add an IPv4 subnet.
6. In the adjacent text box, type the private network address at Site B.
7. In the Remote IP section, from the Choose Type drop-down list, select the type of remote
address. For example, select Network IPv4 to add an IPv4 subnet.
8. In the adjacent text box, type the private network address at Site A.
9. From the Direction drop-down list, select the tunnel direction. The tunnel direction
determines which endpoint of the VPN tunnel can start a VPN connection through the
tunnel.
10. Click OK.
11. Click Save to save the tunnel settings.
After you complete and save the VPN configuration on both devices, the devices automatically
negotiate the tunnel. If the devices cannot establish the tunnel, examine the log files on both XTM
devices for the time period you tried to start the tunnel. You should see log messages that show where
the failure occurred and which settings could be part of the problem. You can also check the log
messages in real time with Firebox System Manager.
For more information about how to troubleshoot a branch office VPN tunnel, see Troubleshoot Branch
Office VPN Tunnels.
Branch Office VPN Terminology
When you configure branch office VPNs, it is useful to understand these terms. Some of these terms
have a specific meaning when you set up and monitor branch office VPNs on a WatchGuard
XTM device.
Security Association (SA)
A Security Association is defined in RFC 2408 as part of the ISAKMP (Internet Security
Association and Key Management Protocol) standard. In a VPN, you can think of an SA as the
context that includes all of the information, such as encryption, authentication, and integrity
checks, required for two peers to communicate securely. Both peers must share and agree
upon this information. SA is a general term that can apply to different protocols, and the SA
structure is different for different VPN protocols. SAs are uni-directional.
For an IPSec VPN tunnel, there are two types of SAs:
Phase 1 SA
Negotiated based on the Phase 1 settings, the Phase 1 SA creates a secure channel for
Phase 2 negotiations. In Fireware XTM, you configure Phase 1 settings when you
configure the branch office VPN gateway.
Phase 2 SA
Negotiated based on the Phase 2 settings, the Phase 2 SA defines what traffic can be sent
over the VPN, and how to encrypt and authenticate that traffic. In Fireware XTM, you
configure Phase 2 settings when you configure the branch office VPN tunnel.
Gateway
For a Fireware XTM device, a branch office VPN gateway defines the settings for a connection
between one or more pairs of VPN gateway endpoints. Each gateway endpoint pair consists of
a local gateway and a remote gateway. When you configure a gateway endpoint pair, you
specify the addresses of the two gateway endpoints, and the Phase 1 settings the two gateway
endpoints use to exchange keys or negotiate an encryption methodology to use. If one or both
sites has multi-WAN, the branch office VPN gateway can have multiple gateway endpoint
pairs, and the gateway endpoint pairs can fail over to one another.
You can configure multiple tunnels to use the same gateway. The gateway creates a secure
connection for the VPN tunnels that use it.
Tunnel
For a Fireware XTM device, a branch office VPN tunnel defines the Phase 2 configuration
settings, and includes one or more tunnel routes to define who can exchange traffic through the
tunnel.
Tunnel route
For a Fireware XTM device, the tunnel route defines which hosts or networks can send and
receive traffic through the tunnel. When you add a tunnel route, you specify a pair of local and
remote IP addresses of devices at each end of the tunnel. Each IP address in a tunnel route can
be for a host or network. You can add multiple tunnel routes to the same tunnel. Each tunnel
route has a pair of associated SAs, one inbound and one outbound.
In Firebox System Manager, each active tunnel route appears as a separate tunnel.
This allows you to easily monitor the status of each tunnel route. In the feature key,
the number of Branch Office VPN tunnels refers to the maximum number of active
branch office VPN tunnel routes.
For more information about the feature key and maximum tunnel routes, see VPN Tunnel
Capacity and Licensing.
Configure Gateways
A gateway is a connection point for one or more tunnels. To create a tunnel, you must set up gateways
on both the local and remote endpoint devices. To configure these gateways, you must specify:
• Credential method: Either pre-shared keys or an IPSec XTM device certificate.
For information about using certificates for BOVPN authentication, see Certificates for Branch
Office VPN (BOVPN) Tunnel Authentication on page 977.
• Location of local and remote gateway endpoints, either by IP address or domain information.
• Settings for Phase 1 of the Internet Key Exchange (IKE) negotiation. This phase defines the
security association, or the protocols and settings that the gateway endpoints will use to
communicate, to protect data that is passed in the negotiation.
You can use Fireware XTM Web UI to configure the gateways for each endpoint device.
1. Select VPN > Branch Office VPN.
The Branch Office VPN configuration page appears.
2. To add a gateway, click Add below the Gateways list.
The Gateway settings page appears.
3. In the Gateway Name text box, type a name to identify the gateway for this XTM device.
4. From the Gateway page, select either Use Pre-Shared Key or Use IPSec Firebox
Certificate to identify the authentication procedure this tunnel uses.
If you selected Use Pre-Shared Key
Type or paste the shared key. You must use the same shared key on the remote device.
This shared key must use only standard ASCII characters.
If you selected Use IPSec Firebox Certificate
The table below the radio button shows current certificates on the XTM device. Select the
certificate to use for the gateway.
For more information, see Certificates for Branch Office VPN (BOVPN) Tunnel Authentication
on page 977.
You can now define the gateway endpoints. For more information, see Define Gateway Endpoints on
page 1023.
Define Gateway Endpoints
Gateway Endpoints are the local and remote gateways that a BOVPN connects. The gateway
endpoints configuration tells your XTM device how to identify and communicate with the remote
endpoint device when it negotiates the BOVPN. It also tells the XTM device how to identify itself to the
remote endpoint when it negotiates the BOVPN. You must configure at least one gateway endpoint
pair when you add a BOVPN gateway or a BOVPN virtual interface.
Any external interface can be a gateway endpoint. If you have more than one external interface, you
can configure multiple gateway endpoints for VPN failover. For more information, see Configure VPN
Failover on page 1098.
Do not use a secondary network IP address as the gateway endpoint.
Local Gateway
In the Local Gateway section, you configure the gateway ID and the interface the BOVPN connects to
on your XTM device. For the gateway ID, if you have a static IP address you can select By
IP Address. If you have a domain that resolves to the IP address the BOVPN connects to on your
XTM device, select By Domain Information.
From the Gateway page:
1. In the Gateway Endpoints section, click Add.
The New Gateway Endpoints Settings dialog box appears.
2. Select an option and specify the gateway ID:
• By IP address: Type the IP address of the XTM device interface. Do not use
a secondary network IP address to specify the gateway endpoint.
• By Domain Name: Type your domain name.
• By User ID on Domain: Type the user name and domain with the format
UserName@DomainName.
• By x500 Name: Type the x500 name.
3. From the External Interface drop-down list, select the interface on the XTM device with the
IP address or domain you chose for the gateway ID. If you configured the wireless client as an
external interface, select the interface WG-Wireless-Client.
Remote Gateway
In the Remote Gateway tab, you configure the gateway IP address and gateway ID for the remote
endpoint device that the BOVPN connects to. The gateway IP address can be either a static
IP address or a dynamic IP address. The gateway ID can be By Domain Name, By User ID on
Domain, or By x500 Name. The administrator of the remote gateway device can tell you which to use.
If the remote VPN endpoint uses DHCP or PPPoE to get its external IP address, set
the ID type of the remote gateway to Domain Name. Set the peer name to the fully
qualified domain name of the remote VPN endpoint. The XTM device uses the IP
address and domain name to find the VPN endpoint. Make sure the DNS server used
by the XTM device can identify the name.
1. In the Gateway Endpoint Settings dialog box, select the Remote Gateway tab.
2. Select the remote gateway IP address type.
• Static IP address: Select this option if the remote device has a static IP address. For
IP Address, type the IP address or select it from the drop-down list.
• Dynamic IP address: Select this option if the remote device has a dynamic IP address.
3. Select an option and specify the gateway ID:
• By IP address: Type the IP address.
• By Domain Name: Type the domain name.
• By User ID on Domain: Type the user ID and domain.
• By x500 Name: Type the x500 name.
• If the domain name of the remote endpoint is resolvable, select the Attempt to resolve
domain check box.
When this option is selected, the XTM device automatically does a DNS query to find the
IP address associated with the domain name for the remote endpoint. Connections do not
proceed until the domain name can be resolved. Select this check box for configurations that
depend on a dynamic DNS server to maintain a mapping between a dynamic IP address and
a domain name.
4. Click OK.
The gateway pair you defined appears in the list of gateway endpoints.
5. To configure Phase 1 settings for this gateway, follow the steps in Configure Mode and
Transforms (Phase 1 Settings) on page 1027.
Configure Mode and Transforms (Phase 1 Settings)
When an IPSec connection is established, Phase 1 is when the two peers make a secure,
authenticated channel they can use to communicate. This is known as the ISAKMP Security
Association (SA).
A Phase 1 exchange can use either Main Mode or Aggressive Mode. The mode determines the type
and number of message exchanges that occur in this phase.
A transform is a set of security protocols and algorithms used to protect VPN data. During IKE
negotiation, the peers make an agreement to use a certain transform.
You can define a tunnel so that it offers a peer more than one transform for negotiation. For more
information, see Add a Phase 1 Transform on page 1030.
The Phase 1 settings you can configure are the same for a BOVPN gateway or a BOVPN virtual
interface.
• For a BOVPN gateway, you configure Phase 1 settings in the gateway settings.
• For a BOVPN virtual interface, you configure Phase 1 settings in the BOVPN virtual interface
settings.
To configure Phase 1 settings:
1. In the Gateway page or the BOVPN Virtual Interface page, select the Phase 1 Settings tab.
2. From the Mode drop-down list, select Main, Aggressive, or Main fallback to Aggressive.
Main Mode
This mode is more secure, and uses three separate message exchanges for a total of six
messages. The first two messages negotiate policy, the next two exchange Diffie-Hellman
data, and the last two authenticate the Diffie-Hellman exchange. Main Mode supports
Diffie-Hellman groups 1, 2, and 5. This mode also allows you to use multiple transforms, as
described in Add a Phase 1 Transform on page 1030.
Aggressive Mode
This mode is faster because it uses only three messages to exchange Diffie-Hellman data
and identify the two VPN endpoints. The identification of the VPN endpoints makes
Aggressive Mode less secure.
When you use Aggressive Mode, the number of exchanges between two endpoints is
fewer than it would be if you used Main Mode, and the exchange relies mainly on the ID
types used in the exchange by both appliances. Aggressive Mode does not ensure the
identity of the peer. Main Mode ensures the identity of both peers, but can only be used if
both sides have a static IP address. If your device has a dynamic IP address, you should
use Aggressive Mode for Phase 1.
Main fallback to Aggressive
The XTM device attempts the Phase 1 exchange with Main Mode. If the negotiation fails, it
uses Aggressive Mode.
3. If you want to build a BOVPN tunnel between the XTM device and another device that is behind
a NAT device, select the NAT Traversal check box. NAT Traversal, or UDP Encapsulation,
enables traffic to get to the correct destinations.
4. In the Keep-alive Interval text box, type or select the number of seconds that pass before the
next NAT keep-alive message is sent.
5. To have the XTM device send messages to its IKE peer to keep the VPN tunnel open, select
the IKE Keep-alive check box.
6. In the Message Interval text box, type or select the number of seconds that pass before the
next IKE Keep-alive message is sent.
IKE Keep-alive is used only by XTM devices. Do not enable it if one VPN endpoint is
a third-party IPSec device.
7. To set the maximum number of times the XTM device tries to send an IKE keep-alive message
before it tries to negotiate Phase 1 again, type the number you want in the Max failures text
box.
8. Use the Dead Peer Detection check box to enable or disable traffic-based dead peer detection.
When you enable dead peer detection, the XTM device connects to a peer only if no traffic is
received from the peer for a specified length of time and a packet is waiting to be sent to the
peer. This method is more scalable than IKE keep-alive messages.
If you want to change the XTM device defaults, in the Traffic idle timeout text box, type or
select the amount of time (in seconds) that passes before the XTM device tries to connect to
the peer. In the Max retries text box, type or select the number of times the XTM device tries to
connect before the peer is declared dead.
Dead Peer Detection is an industry standard that is used by most IPSec devices. We
recommend that you select Dead Peer Detection if both endpoint devices support it.
Do not enable both IKE Keep-alive and Dead Peer Detection.
If you configure VPN failover, you must enable Dead Peer Detection. For more
information about VPN failover, see Configure VPN Failover on page 1098.
9. The XTM device contains one default transform set, which appears in the Transform Settings
list. This transform specifies SHA1 authentication, 3DES encryption, and Diffie-Hellman Group
2.
You can:
• Use this default transform set.
• Remove this transform set and replace it with a new one.
• Add an additional transform, as explained in Add a Phase 1 Transform on page 1030.
Add a Phase 1 Transform
You can define a tunnel to offer a peer more than one transform set for negotiation. For example, one
transform set might include [SHA2-256]-[3DES]-[DF1] ([authentication method]-[encryption method]-
[key group]) and a second transform might include [SHA1]-[3DES]-[DF2], with the [SHA2-256]-[3DES]-
[DF1] transform as the higher priority transform set. When the tunnel is created, the XTM device can
use either [SHA2-256]-[3DES]-[DF1] or [SHA1]-[3DES]-[DF2] to match the transform set of the other
VPN endpoint.
For more information about these options, see About IPSec Algorithms and Protocols.
You can include a maximum of nine transform sets. You must specify Main Mode in the Phase 1
settings to use multiple transforms.
1. When you add or edit a gateway, on the Gateway page, select the Phase 1 Settings tab.
2. In the Transform Settings section, click Add.
The Transform Settings dialog box appears.
3. From the Authentication drop-down list, select MD5, SHA1, SHA2-256, SHA2-384, or SHA2-512
as the authentication method.
SHA2 is not supported on XTM 510, 520, 530, 515, 525, 535, 545, 810, 820, 830,
1050, and 2050 devices. The hardware cryptographic acceleration in those models
does not support SHA2.
4. From the Encryption drop-down list, select AES (128-bit), AES (192-bit), AES (256-bit),
DES, or 3DES as the type of encryption.
5. To change the SA (security association) life, type a number in the SA Life text box, and select
Hour or Minute from the adjacent drop-down list. The SA life must be a number smaller than
596,523 hours or 35,791,394 minutes.
6. From the Key Group drop-down list, select a Diffie-Hellman group. Fireware XTM supports
groups 1, 2, and 5.
Diffie-Hellman groups determine the strength of the master key used in the key exchange
process. A higher group number provides greater security, but more time is required to make the
keys. For more information, see About Diffie-Hellman Groups on page 1032.
7. Click OK.
The Transform appears in the New Gateway page in the Transform Settings list. You can add up to
nine transform sets.
8. Repeat Steps 2 through 6 to add more transforms. The transform set at the top of the list is used first.
9. To change the priority of a transform set, select the transform set and click Up or Down.
10. Click OK.
About Diffie-Hellman Groups
Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.
Higher group numbers are more secure, but require additional time to compute the key.
Fireware XTM supports these Diffie-Hellman groups:
• DH Group 1: 768-bit group
• DH Group 2: 1024-bit group
• DH Group 5: 1536-bit group
• DH Group 14: 2048-bit group
• DH Group 15: 3072-bit group
• DH Group 19: 256-bit elliptic curve group
• DH Group 20: 384-bit elliptic curve group
Both peers in a VPN exchange must use the same DH group, which is negotiated during Phase 1 of
the IPSec negotiation process. When you define a manual BOVPN tunnel, you specify the Diffie-
Hellman group as part of Phase 1 of an IPSec connection. This is where the two peers make a
secure, authenticated channel they can use to communicate.
DH groups and Perfect Forward Secrecy (PFS)
In addition to Phase 1, you can also specify the Diffie-Hellman group to use in Phase 2 of an IPSec
connection. Phase 2 configuration includes settings for a security association (SA), or how data
packets are secured when they are passed between two endpoints. You specify the Diffie-Hellman
group in Phase 2 only when you select Perfect Forward Secrecy (PFS).
PFS makes keys more secure because new keys are not made from previous keys. If a key is
compromised, new session keys are still secure. When you specify PFS during Phase 2, a Diffie-
Hellman exchange occurs each time a new SA is negotiated.
The DH group you choose for Phase 2 does not need to match the group you choose for Phase 1.
How to Choose a Diffie-Hellman Group
For branch office VPN tunnels and BOVPN virtual interfaces, the default DH group for both Phase 1
and Phase 2 is Diffie-Hellman Group 2. This group provides basic security and good performance. If
the speed for tunnel initialization and rekey is not a concern, use a higher DH group. Actual initialization
and rekey speed depends on a number of factors. You might want to try one of the higher DH groups
and decide whether the slower performance time is a problem for your network. If the performance is
unacceptable, change to a lower DH group.
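The following block is an added example written for this guide; it is not WatchGuard code and not how Fireware derives keys internally. It carries out one Diffie-Hellman exchange in the default group 2 described above and then contrasts Phase 2 rekeying with and without PFS: without PFS every SA key is derived from the Phase 1 secret, so one compromised master secret reproduces all of them; with PFS each SA comes from a fresh exchange. DH_GROUP2_P is assumed to be the 1024-bit MODP modulus that RFC 2409 assigns to Oakley group 2 (transcribed here, generator 2), and SHA-256 stands in for the IKE key derivation function; both are this example's assumptions.

```python
import hashlib
import secrets

# Assumption: the 1024-bit MODP modulus defined as Oakley group 2 in RFC 2409,
# transcribed from the RFC. The generator for every MODP group is 2.
DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
DH_GENERATOR = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; used to sanity-check that the group modulus is a
    safe prime (p and (p-1)/2 both prime), which rules out small subgroups."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(p: int = DH_GROUP2_P, g: int = DH_GENERATOR):
    """Random private exponent in [2, p-2] and its public value g^x mod p."""
    private = secrets.randbelow(p - 3) + 2
    return private, pow(g, private, p)


def dh_shared_secret(peer_public: int, private: int, p: int = DH_GROUP2_P) -> int:
    """Combine our private exponent with the peer's public value."""
    # Reject degenerate public values (0, 1, p-1) that force a trivial secret.
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def dh_exchange(p: int = DH_GROUP2_P, g: int = DH_GENERATOR) -> int:
    """One complete exchange between two peers; both derive the same secret."""
    a_priv, a_pub = dh_keypair(p, g)
    b_priv, b_pub = dh_keypair(p, g)
    secret_a = dh_shared_secret(b_pub, a_priv, p)
    secret_b = dh_shared_secret(a_pub, b_priv, p)
    if secret_a != secret_b:
        raise RuntimeError("peers disagree on the shared secret")
    return secret_a


def derive_without_pfs(master_secret: int, sa_index: int) -> bytes:
    """Phase 2 key derived only from the Phase 1 secret (PFS disabled).
    Anyone holding master_secret can recompute every SA key this way."""
    material = master_secret.to_bytes(128, "big") + sa_index.to_bytes(4, "big")
    return hashlib.sha256(material).digest()


def rekey_with_pfs(count: int) -> list:
    """Phase 2 keys with PFS: every SA gets its own fresh DH exchange, so no
    key can be recomputed from an earlier one."""
    keys = []
    for _ in range(count):
        secret = dh_exchange()
        keys.append(hashlib.sha256(secret.to_bytes(128, "big")).digest())
    return keys


if __name__ == "__main__":
    print("group 2 modulus bits:", DH_GROUP2_P.bit_length())
    master = dh_exchange()
    print("SA keys without PFS are reproducible from the master secret:",
          derive_without_pfs(master, 1) == derive_without_pfs(master, 1))
    print("three PFS rekeys, all distinct:", len(set(rekey_with_pfs(3))) == 3)
```

The exchange itself is the same for every MODP group; only the modulus changes, which is why a higher group costs more time per exponentiation at tunnel start and on each PFS rekey.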
Edit and Delete Gateways
To change the definition of a gateway:
1. Select VPN > BOVPN.
2. Select a gateway and click Edit.
The Gateway settings page appears.
3. Make your changes and click Save.
To delete a gateway, select the gateway and click Remove.
Disable Automatic Tunnel Startup
BOVPN tunnels are automatically created each time the XTM device starts. You can use Fireware
XTM Web UI to change this default behavior. A common reason to change it would be if the remote
endpoint uses a third-party device that must initiate the tunnel instead of the local endpoint.
To disable automatic startup for tunnels that use a gateway:
1. Select VPN > Branch Office VPN.
The Branch Office VPN configuration page appears.
2. Select a gateway and click Edit.
The Gateway page appears.
3. Clear the Start Phase1 tunnel when Firebox starts check box at the bottom of the page.
For a BOVPN virtual interface, automatic tunnel startup is enabled by default for XTM 2, 3, and 5
Series models.
To disable automatic startup for a BOVPN virtual interface:
1. Select VPN > BOVPN Virtual Interface.
2. Clear the Start Phase1 tunnel when Firebox starts check box.
If you clear this check box, the XTM device still automatically restarts the tunnel
when it is inactive if any policy uses policy-based routing to route outbound traffic to
this BOVPN virtual interface.
You can also disable a BOVPN gateway and all associated tunnels. For more information, see Disable
or Enable a Branch Office VPN.
If Your XTM Device is Behind a Device That Does NAT
The XTM device can use NAT Traversal. This means that you can make VPN tunnels if your ISP does
NAT (Network Address Translation) or if the external interface of your XTM device is connected to a
device that does NAT. We recommend that the XTM device external interface have a public IP
address. If that is not possible, follow the subsequent instructions.
Devices that do NAT frequently have some basic firewall features. To make a VPN tunnel to your XTM
device when the XTM device is installed behind a device that does NAT, the NAT device must let the
traffic through. These ports and protocols must be open on the NAT device:
• UDP port 500 (IKE)
• UDP port 4500 (NAT Traversal)
• IP protocol 50 (ESP)
See the documentation for your NAT device for information on how to open these ports and protocols
on the NAT device.
If the external interface of your XTM device has a private IP address, you cannot use an IP address as
the local ID type in the Phase 1 settings.
• If the NAT device to which the XTM device is connected has a dynamic public IP address:
  ◦ First, set the device to Bridge Mode. For more information, see Bridge Mode on page
    175. In Bridge Mode, the XTM device gets the public IP address on its external
    interface. Refer to the documentation for your NAT device for more information.
  ◦ Set up Dynamic DNS on the XTM device. For information, see About the Dynamic
    DNS Service on page 167. In the Phase 1 settings of the Manual VPN, set the local ID
    type to Domain Name. Enter the DynDNS domain name as the Local ID. The remote
    device must identify your XTM device by domain name and it must use the DynDNS
    domain name associated with your XTM device in its Phase 1 configuration.
• If the NAT device to which the XTM device is connected has a static public IP address: In the
  Phase 1 settings of the Manual VPN, set the local ID type drop-down list to Domain Name.
  Enter the public IP address assigned to the external interface of the NAT device as the local ID.
  The remote device must identify your XTM device by domain name, and it must use the same
  public IP address as the domain name in its Phase 1 configuration.
Make Tunnels Between Gateway Endpoints
After you define gateway endpoints, you can make tunnels between them. To make a tunnel, you
must:
• Define a Tunnel
• Configure Phase 2 Settings for the Internet Key Exchange (IKE) negotiation. This phase sets up
security associations for the encryption of data packets.
Define a Tunnel
From Fireware XTM Web UI, you can add, edit, and delete Branch Office VPN tunnels.
1. Select VPN > Branch Office VPN.
The Branch Office VPN page appears.
2. In the Tunnels section, click Add.
The New Tunnel dialog box appears.
3. In the Name text box, type a name for the tunnel.
Make sure the name is unique among tunnel names, Mobile VPN group names, and interface
names.
4. From the Gateway drop-down list, select the gateway for this tunnel to use.
5. To add the tunnel to the BOVPN-Allow.in and BOVPN-Allow.out policies, select the Add this
tunnel to the BOVPN-Allow policies check box. These policies allow all traffic that matches
the routes for this tunnel.
To restrict traffic through the tunnel, clear this check box and create custom policies for types of
traffic that you want to allow through the tunnel.
You can now Add Routes for a Tunnel, Configure Phase 2 Settings, or Enable Multicast Routing
Through a Branch Office VPN Tunnel.
Edit or Delete a Tunnel
You can use Fireware XTM Web UI to change or remove a tunnel.
To edit a tunnel:
1. Select VPN > Branch Office VPN.
2. Select the tunnel and click Edit.
The Tunnel page appears.
3. Make the changes and click Save.
To delete a tunnel:
1. From the BOVPN page, select the tunnel.
2. Click Remove.
Add Routes for a Tunnel
1. On the Addresses tab of the Tunnel dialog box, click Add.
The Tunnel Route Settings dialog box appears.
2. In the Local IP section, select the type of local address from the Choose Type drop-down list.
Then type the value in the adjacent text box. You can enter a host IP address, network address,
a range of host IP addresses, or a DNS name.
3. In the Remote IP section, select the type of remote address from the Choose Type drop-down
list. Then type the value in the adjacent text box. You can enter a host IP address, network
address, a range of host IP addresses, or a DNS name.
4. In the Direction drop-down list, select the direction for the tunnel. The tunnel direction
determines which direction traffic can flow through the tunnel.
5. If you want to enable broadcast routing over this tunnel, select the Enable broadcast routing
over the tunnel check box. For more information, see Enable Broadcast Routing Through a
Branch Office VPN Tunnel.
6. You can use the NAT tab to enable 1-to-1 NAT and dynamic NAT for the tunnel if the address
types and tunnel direction you selected are compatible. For more information, see Set Up
Outgoing Dynamic NAT Through a Branch Office VPN Tunnel on page 1066 and Use 1-to-1
NAT Through a Branch Office VPN Tunnel on page 1071.
7. Click OK.
You can configure an unlimited number of tunnel routes, but the number of tunnel routes that can be
active on the XTM device at the same time is limited by the device feature key. For more information,
see VPN Tunnel Capacity and Licensing.
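The following block is an added example, not Fireware code, that models the tunnel route described above: a local address, a remote address, and a direction. It accepts the host, network, and host range forms from the Choose Type list (DNS-name routes are left out because the device resolves those itself), and treats direction the way the Quick Start describes it, as the side that may start a connection through the route. The names TunnelRoute, parse_address, allows_connection and find_route, and every sample address, are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Direction values are this example's labels for the three choices in the
# Direction drop-down list.
DIRECTIONS = ("both", "local-to-remote", "remote-to-local")


def parse_address(spec: str) -> Tuple[str, object]:
    """Classify an address string as ("host", ip), ("network", net) or
    ("range", (first, last)). Raises ValueError for malformed input."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"bad host range: {spec!r}")
        return ("range", (first, last))
    if "/" in spec:
        # strict=True rejects host bits set in a network spec, e.g. 10.0.1.5/24
        return ("network", ipaddress.ip_network(spec, strict=True))
    return ("host", ipaddress.ip_address(spec))


def address_matches(spec: Tuple[str, object], ip) -> bool:
    """True if ip falls inside the parsed address specification."""
    kind, value = spec
    if kind == "host":
        return ip == value
    if kind == "network":
        return ip in value
    first, last = value
    return first.version == ip.version and first <= ip <= last


@dataclass(frozen=True)
class TunnelRoute:
    local: str
    remote: str
    direction: str = "both"

    def allows_connection(self, src: str, dst: str) -> bool:
        """True if a new connection from src to dst may be started through
        this route. Direction restricts which side may start connections;
        replies inside an allowed connection flow back within it."""
        if self.direction not in DIRECTIONS:
            raise ValueError(f"unknown direction {self.direction!r}")
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        local, remote = parse_address(self.local), parse_address(self.remote)
        outbound = address_matches(local, s) and address_matches(remote, d)
        inbound = address_matches(remote, s) and address_matches(local, d)
        if self.direction == "local-to-remote":
            return outbound
        if self.direction == "remote-to-local":
            return inbound
        return outbound or inbound


def find_route(routes: List[TunnelRoute], src: str, dst: str) -> Optional[TunnelRoute]:
    """First route that permits a connection from src to dst, or None."""
    for route in routes:
        if route.allows_connection(src, dst):
            return route
    return None


# Constructed sample routes for Site A (10.0.x.x) and Site B (192.168.x.x).
SAMPLE_ROUTES = [
    TunnelRoute("10.0.1.0/24", "192.168.50.0/24", "both"),
    TunnelRoute("10.0.2.10-10.0.2.20", "192.168.50.5", "local-to-remote"),
    TunnelRoute("10.0.3.7", "192.168.60.0/24", "remote-to-local"),
]

if __name__ == "__main__":
    for src, dst in (("10.0.1.7", "192.168.50.20"),
                     ("192.168.50.5", "10.0.2.15"),
                     ("192.168.60.9", "10.0.3.7")):
        print(src, "->", dst, ":", find_route(SAMPLE_ROUTES, src, dst))
```

Because a route matches only when both ends fall inside its local and remote specifications, a connection between two hosts that each sit in a different route is not carried; that is the check to run when a tunnel is up but a particular host pair cannot reach each other.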
Configure Phase 2 Settings
Phase 2 settings include settings for a security association (SA), which defines how data packets are
secured when they are passed between two endpoints. The SA keeps all information necessary for the
XTM device to know what it should do with the traffic between the endpoints. Parameters in the SA
can include:
• Encryption and authentication algorithms used.
• Lifetime of the SA (in seconds or number of bytes, or both).
• The IP address of the device for which the SA is established (the device that handles IPSec
encryption and decryption on the other side of the VPN, not the computer behind it that sends or
receives traffic).
• Source and destination IP addresses of traffic to which the SA applies.
• Direction of traffic to which the SA applies (there is one SA for each direction of traffic, incoming
and outgoing).
The Phase 2 settings you can configure are the same for a BOVPN gateway or a BOVPN virtual
interface.
• For a BOVPN gateway, you configure Phase 2 settings in the gateway settings.
• For a BOVPN virtual interface, you configure Phase 2 settings in the BOVPN virtual interface
settings.
To configure Phase 2 settings:
1. From the Gateway page or the BOVPN Virtual Interface page, select the Phase 2 Settings
tab.
2. Select the PFS check box if you want to enable Perfect Forward Secrecy (PFS). If you enable
PFS, select the Diffie-Hellman group.
Perfect Forward Secrecy gives more protection to keys that are created in a session. Keys
made with PFS are not made from a previous key. If a previous key is compromised after a
session, your new session keys are secure. For more information, see About Diffie-Hellman
Groups on page 1032.
3. The XTM device contains one default proposal, which appears in the IPSec Proposals list.
This proposal specifies the ESP data protection method, AES encryption, and SHA-1
authentication. You can either:
n Click Add to add the default proposal.
n Select a different proposal from the drop-down list and click Add.
n Add an additional proposal, as explained in Add a Phase 2 Proposal on page 1039.
If you plan to use the IPSec pass-through feature, you must use a proposal with ESP (Encapsulating
Security Payload) as the proposal method. IPSec pass-through supports ESP but not AH. For more
information on IPSec pass-through, see About Global VPN Settings on page 1059.
Add a Phase 2 Proposal
You can define a tunnel to offer a peer more than one proposal for Phase 2 of the IKE. For example, you
could specify [ESP]-[3DES]-[SHA2-256] in one proposal and [ESP]-[3DES]-[SHA1] for a second
proposal. When traffic passes through the tunnel, the security association can use either [ESP]-
[3DES]-[SHA2-256] or [ESP]-[3DES]-[SHA1] to match the transform settings on the peer.
For more information about these options, see About IPSec Algorithms and Protocols.
You can include a maximum of eight proposals.
Add an Existing Proposal
There are six preconfigured proposals. The names follow the format <Type>-<Authentication>-
<Encryption>. For all six, Force Key Expiration is configured for 8 hours or 128000 kilobytes.
To use one of the six preconfigured proposals or another proposal you have previously created:
1. Select VPN > Branch Office VPN.
2. In the Tunnels section, click Add, or double-click an existing tunnel to edit it.
3. Select the Phase 2 Settings tab.
4. From the Tunnels page, in the IPSec Proposals section, select the proposal you want to add
to this tunnel.
5. Click Add.
Create a New Proposal
1. Select VPN > Phase2 Proposals.
2. Click Add.
The Phase 2 Proposal page appears.
3. In the Name text box, type a name for the new proposal.
4. (Optional) In the Description text box, type a description to identify this proposal.
5. From the Type drop-down list, select ESP or AH as the proposal method.
We recommend that you use ESP (Encapsulating Security Payload). The differences between
ESP and AH (Authentication Header) are:
n ESP is authentication with encryption.
n AH is authentication only. ESP authentication does not include the protection of the IP
header, while AH does.
n IPSec pass-through supports ESP but not AH. If you plan to use the IPSec pass-through
feature, you must specify ESP as the proposal method.
For more information on IPSec pass-through, see About Global VPN Settings on page 1059.
6. From the Authentication drop-down list, select the authentication method.
The options are None, MD5, SHA1, SHA2-256, SHA2-384, and SHA2-512, which are listed in
order from least secure to most secure.
SHA2 is not supported on XTM 510, 520, 530, 515, 525, 535, 545, 810, 820, 830,
1050, and 2050 devices. The hardware cryptographic acceleration in those models
does not support SHA2.
7. If you selected ESP from the Type drop-down list, from the Encryption drop-down list, select
the encryption method.
The options are DES, 3DES, and AES (128-bit), AES (192-bit), or AES (256-bit), which are
listed in order from least secure to most secure.
8. To force the gateway endpoints to generate and exchange new keys after a quantity of time or
amount of traffic passes, configure the settings in the Force Key Expiration section.
n Select the Time check box to expire the key after a quantity of time. Type or select the
quantity of time that must pass to force the key to expire.
n Select the Traffic check box to expire the key after a quantity of traffic. Type or select the
number of kilobytes of traffic that must pass to force the key to expire. The value must be a
minimum of 24576 kilobytes. If you set it to a lower number, it is automatically set to 24576
when you save the proposal.
n If both Force Key Expiration options are disabled, the key expiration interval is set to 8
hours.
9. Click Save.
Edit a Proposal
You can only edit user-defined proposals.
1. Select VPN > BOVPN.
2. In the Phase 2 Proposals section, select a proposal and click Edit.
3. Update the settings as described in the previous section.
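As an added example (not WatchGuard code), the following Python models the Phase 2 proposal rules from the sections above: the adjustments the Web UI makes when a proposal is saved, the per-model SHA2 and pass-through constraints, and selection of the first transform set both peers offer, so a proposal list can be checked before it goes on a device. The dataclass, function names and sample proposals are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Option lists from the guide, ordered least secure to most secure.
AUTH_ORDER = ["None", "MD5", "SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
ENC_ORDER = ["DES", "3DES", "AES (128-bit)", "AES (192-bit)", "AES (256-bit)"]
# Models whose cryptographic accelerator does not support SHA2 (from the guide).
NO_SHA2_MODELS = {"510", "520", "530", "515", "525", "535", "545",
                  "810", "820", "830", "1050", "2050"}
MIN_TRAFFIC_KB = 24576           # lower values are raised to this on save
DEFAULT_LIFETIME_SEC = 8 * 3600  # used when both expiration options are off
MAX_PROPOSALS = 8                # at most eight proposals per tunnel


@dataclass
class Phase2Proposal:
    name: str
    type: str                         # "ESP" or "AH"
    auth: str                         # one of AUTH_ORDER
    enc: Optional[str] = None         # one of ENC_ORDER; ignored for AH
    time_sec: Optional[int] = None    # Force Key Expiration: Time
    traffic_kb: Optional[int] = None  # Force Key Expiration: Traffic

    def transform(self):
        """The (type, auth, enc) set that must match on both peers."""
        return (self.type, self.auth, self.enc if self.type == "ESP" else None)


def normalize_on_save(p: Phase2Proposal) -> Phase2Proposal:
    """Apply the adjustments made when a proposal is saved."""
    traffic = p.traffic_kb
    if traffic is not None and traffic < MIN_TRAFFIC_KB:
        traffic = MIN_TRAFFIC_KB          # clamp to the 24576 KB minimum
    time_sec = p.time_sec
    if time_sec is None and traffic is None:
        time_sec = DEFAULT_LIFETIME_SEC   # both options off: 8-hour interval
    enc = p.enc if p.type == "ESP" else None  # AH carries no encryption
    return Phase2Proposal(p.name, p.type, p.auth, enc, time_sec, traffic)


def check_proposal(p: Phase2Proposal, model: str,
                   passthrough_required: bool = False) -> List[str]:
    """Return the reasons a proposal would not work as configured."""
    issues = []
    if p.type not in ("ESP", "AH"):
        issues.append(f"{p.name}: unknown type {p.type}")
    if p.auth not in AUTH_ORDER:
        issues.append(f"{p.name}: unknown authentication {p.auth}")
    if p.type == "ESP" and p.enc not in ENC_ORDER:
        issues.append(f"{p.name}: ESP needs an encryption method")
    if p.auth.startswith("SHA2") and model in NO_SHA2_MODELS:
        issues.append(f"{p.name}: SHA2 is not supported on XTM {model}")
    if passthrough_required and p.type != "ESP":
        issues.append(f"{p.name}: IPSec pass-through needs ESP, not AH")
    return issues


def select_proposal(local: List[Phase2Proposal],
                    peer: List[Phase2Proposal]) -> Optional[Phase2Proposal]:
    """First local proposal, in list order, whose transform set the peer also
    offers; None when the two sides share no transform set."""
    peer_sets = {pp.transform() for pp in peer[:MAX_PROPOSALS]}
    for lp in local[:MAX_PROPOSALS]:
        if lp.transform() in peer_sets:
            return lp
    return None


def strength(p: Phase2Proposal):
    """Rank by the guide's ordering: (authentication index, encryption index)."""
    return (AUTH_ORDER.index(p.auth), ENC_ORDER.index(p.enc) if p.enc else -1)


def weakest_negotiable(local, peer) -> Optional[Phase2Proposal]:
    """Weakest transform set both sides accept, whatever the list order. This is
    the floor an auditor cares about, since the peer's order decides."""
    peer_sets = {pp.transform() for pp in peer[:MAX_PROPOSALS]}
    common = [lp for lp in local[:MAX_PROPOSALS] if lp.transform() in peer_sets]
    return min(common, key=strength) if common else None


if __name__ == "__main__":
    # Constructed sample: the default proposal plus the two from the text above.
    local = [Phase2Proposal("ESP-SHA1-AES", "ESP", "SHA1", "AES (128-bit)"),
             Phase2Proposal("ESP-SHA2-3DES", "ESP", "SHA2-256", "3DES"),
             Phase2Proposal("ESP-SHA1-3DES", "ESP", "SHA1", "3DES")]
    peer = [Phase2Proposal("peer-1", "ESP", "SHA2-256", "3DES"),
            Phase2Proposal("peer-2", "ESP", "SHA1", "3DES")]
    chosen = select_proposal(local, peer)
    print("negotiated:", chosen.name if chosen else None)   # ESP-SHA2-3DES
    print("weakest:", weakest_negotiable(local, peer).name)  # ESP-SHA1-3DES
    for issue in check_proposal(local[1], model="520"):
        print("issue:", issue)
```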
Change Order of Tunnels
The order of VPN tunnels is particularly important when more than one tunnel uses the same routes or
when the routes overlap. A tunnel higher in the list of tunnels on the Branch Office IPSec Tunnels
dialog box takes precedence over a tunnel below it when traffic matches tunnel routes of multiple
tunnels.
From Fireware XTM Web UI, you can change the order in which the XTM device attempts
connections. You can only change the order of tunnels for manual VPN tunnels.
1. Select VPN > Branch Office VPN.
The Branch Office VPN page appears.
2. Select a tunnel and click Move Up or Move Down to move it up or down in the list.
About BOVPN Virtual Interfaces
For greater flexibility and networking capabilities, you can configure a Branch Office VPN (BOVPN) as
a virtual interface. A BOVPN virtual interface is supported only for a branch office VPN tunnel between
XTM devices that run Fireware XTM v11.8 or higher.
A BOVPN virtual interface defines a BOVPN tunnel that is treated in the configuration like an interface.
A BOVPN virtual interface enables you to configure the XTM device to treat the VPN tunnel as another
external interface. The XTM device uses the routes table to determine whether to route a packet
through the BOVPN virtual interface or through another interface.
When you use a BOVPN virtual interface, you can:
n Add static routes for a BOVPN virtual interface
n Assign an IP address to the BOVPN virtual interface (required for dynamic routing)
n Use a BOVPN virtual IP address in the dynamic routing configuration
n Configure policies to send traffic through a BOVPN virtual interface
n Configure policy-based routing to use a BOVPN virtual interface
You cannot configure policy-based routing for failover from a BOVPN virtual interface
or to a BOVPN virtual interface.
You can simultaneously configure BOVPN gateways and tunnels, and BOVPN virtual interfaces. You
can configure each BOVPN gateway endpoint pair in a branch office VPN gateway or within a BOVPN
virtual interface, but not both at the same time.
A BOVPN virtual interface provides greater scalability for organizations that have dynamic networks.
This is because you do not need to change the BOVPN tunnel route configuration when network
changes are made on one or both sides of the BOVPN tunnel. This is especially valuable if you have
local networks behind the XTM devices that were learned through routers, and you want these
networks to be accessible through the BOVPN.
BOVPN virtual interface supports multicast routing, but does not support broadcast routing.
BOVPN Virtual Interface Configuration Scenarios
When you configure a branch office VPN as a virtual interface, the XTM device routes a packet through
the tunnel based on the outgoing interface for the packet. The BOVPN virtual interface is in the routing
table, and the decision about whether to send traffic through the VPN tunnel is affected by static and
dynamic routes, and by policy-based routing. This provides a lot of flexibility in how you can configure
the XTM device to use a BOVPN tunnel.
Because a BOVPN virtual interface is treated as an interface in the configuration, it provides many
flexible configuration and routing options. Here are three configuration scenarios that show some of the
ways you can configure an XTM device to use a BOVPN virtual interface to achieve different
objectives.
Metric-based VPN Failover and Failback
Objective
For two sites that are connected with an MPLS link, enable traffic to automatically failover and
failback to a secondary branch office VPN connection over an IP network.
Configuration Summary
n Configure the external interfaces for the primary connection between the two sites over the
MPLS network. The primary connection must use dynamic routing, or must be configured as a
BOVPN virtual interface. This is required so that the primary route either gets a higher metric or
is removed from the routing table when the primary connection is not available.
n Configure a BOVPN virtual interface for the secondary link between the two sites.
n Add a BOVPN virtual interface static route, and set a high metric (such as 200) for the route.
How it works
With this configuration, there are two routes between the two sites, one over the MPLS
network, and another static route through the BOVPN virtual interface. When two routes are
available, the final decision about which path a packet takes is based on which route has higher
priority (a lower metric) than the other. Because the BOVPN virtual interface route has a high
metric, the XTM device uses the primary route through the MPLS link, when it is available. If the
MPLS link is not available, the primary route is either removed from the routing table, or is
assigned a higher metric than the route for the secondary BOVPN virtual interface. The
XTM device then uses the route for the secondary BOVPN virtual interface, because it has the
lowest route metric. When the MPLS route becomes available again, the XTM device
automatically fails back to use that route, because it has a lower metric.
You could use a similar configuration to enable automatic failover and failback between two
BOVPN virtual interfaces. To do this, create two BOVPN virtual interfaces, with a static route
for each, and set the metric for the preferred BOVPN route lower than the metric for the backup
BOVPN route.
For an example of this type of configuration, see BOVPN Virtual Interface with Metric-Based
Failover.
BOVPN Virtual Interface with Dynamic Routing
Objective
Enable two sites to dynamically exchange information about multiple local networks through a
secure VPN tunnel. This avoids the need to manually add and maintain explicitly configured
routes between all the private networks at each site.
Configuration summary
n Configure a branch office VPN between the two sites as a BOVPN virtual interface. On the
VPN Routes tab, configure virtual IP addresses. Make sure that the Start Phase 1 tunnel
when it is inactive check box is selected.
n Enable dynamic routing between the two sites. In the dynamic routing configuration, use the
virtual IP addresses as the peer network IP addresses.
n For OSPF, use the network command, and the peer virtual IP address with a /32 netmask.
For example: network <peer_virtual_ip>/32 area 0.0.0.0
n For BGP, use the neighbor command, and the peer virtual IP address.
For example: neighbor <peer_virtual_ip> remote-as 65535
n Use dynamic routing commands to configure which local networks each device propagates
routes for. To control the dynamic routes, you can use the Interface Cost for OSPF or the Local
Preference for BGP. For OSPF, the lower the Interface Cost, the more preferred the route is.
For BGP, the higher the Local Preference, the more preferred the route is.
How it works
The BOVPN virtual interface establishes a connection between the two sites. Each site
propagates routes for the local networks, based on the dynamic routing configuration. The
dynamic routing protocol enables each of the gateways to automatically learn the routes to the
local networks behind the gateway at the other end of the BOVPN tunnel. Depending on which
dynamic routing protocol you use, the routes are preferred either based on Interface Cost, Local
Preference or both.
For an example of this type of configuration, see BOVPN Virtual Interface with Dynamic
Routing.
BOVPN Virtual Interface with Policy-Based Routing
Objective
One site (Site A) has a single external interface, and two branch office VPN gateways to
another site (Site B) that has two external interfaces. The two network connections at Site B
have different quality or cost. The objective is to send latency-sensitive traffic, such as VoIP,
through the tunnel over the network with the lowest latency, and send all other traffic, such as
FTP, through the other tunnel route.
Configuration Summary
n On the Site A device:
n Configure a BOVPN virtual interface between Site A and the Site B external interface that
uses the low-latency link. On the VPN Route tab, you do not need to add routes. The first
BOVPN virtual interface is called bvpn1. Make sure that the Start Phase 1 tunnel when it
is inactive check box is selected in the BOVPN virtual interface configuration.
n Configure another BOVPN virtual interface between Site A and Site B's second external
interface. The second BOVPN virtual interface is called bvpn2. You may add routes for
other traffic.
n Edit the SIP policy that handles VoIP traffic.
n In the From list, add the network address of the local network where traffic handled
by this policy originates.
n In the To list, add the network address of the trusted or optional network at the
remote site where traffic handled by this policy is routed.
n Enable policy-based routing. Select the BOVPN virtual interface with a lower latency
for this policy.
n For all other traffic, you can define either static routes, or dynamic routes, and use the other
BOVPN virtual interface that has higher latency.
n On the Site B device:
n Configure a BOVPN virtual interface between Site B's first external interface and Site A.
Again, on the VPN Route tab you do not need to add routes. This will be bvpn1 and again
is the low-latency link in this example. Make sure that the Start Phase 1 tunnel when it is
inactive check box is selected.
n Configure a BOVPN virtual interface between Site A and Site B's second external
interface. This will be bvpn2; you may add routes for other traffic.
n Edit the SIP policy that handles VoIP traffic.
n In the From list, add the network address of the local network where traffic handled
by this policy originates.
n In the To list, add the network address of the trusted or optional network at the
remote site where traffic handled by this policy is routed.
n Enable policy-based routing. Select the BOVPN virtual interface with a lower latency
for this policy.
n For all other traffic, you can define either static routes, or dynamic routes, and use the other
BOVPN virtual interface that has higher latency.
How it works
The two BOVPN virtual interfaces each establish a connection between the two sites. The
source and destination addresses are determined by the policy, in this example the SIP policy.
Although the routes are not defined in the BOVPN virtual interface settings, the SIP policy uses
policy-based routing (PBR) to redirect traffic through the tunnel that has the lower latency
connection. This encrypts the packets and sends the traffic through the tunnel. Note that this
configuration does not provide failover to the other tunnel, since you cannot configure PBR
failover from a BOVPN virtual interface to another BOVPN virtual interface.
Configure a BOVPN Virtual Interface
When you configure a BOVPN virtual interface, you configure the BOVPN gateway settings, VPN
routes, and other VPN settings. For each BOVPN virtual interface, the Device Name is automatically
assigned and is not configurable. The Device Name is used to identify this interface in the Status
Report in Firebox System Manager.
To add a BOVPN Virtual Interface:
1. Select VPN > BOVPN Virtual Interfaces.
The list of BOVPN Virtual Interfaces appears.
2. Click Add.
The New BOVPN Virtual Interface dialog box appears.
3. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
4. In the Credential Method section, select either Use Pre-Shared Key or Use IPSec Firebox
Certificate to identify the authentication procedure this tunnel uses.
If you select Use Pre-Shared Key
Type or paste the shared key. You must use the same shared key on the remote device.
This shared key must use only standard ASCII characters.
If you select Use IPSec Firebox Certificate
The table below the radio button shows current certificates on the XTM device. Select the
certificate to use for the gateway.
For more information, see Certificates for Branch Office VPN (BOVPN) Tunnel Authentication
on page 977.
5. In the Gateway Endpoint section, add at least one pair of gateway endpoints. For more
information, see Define Gateway Endpoints on page 1023.
There are two other settings in the Gateway Settings tab.
Use Modem for failover
If you have enabled modem failover, select this check box to configure the branch office VPN to
fail over to a modem if all external interfaces cannot connect. You cannot select this check box
if modem failover is not enabled. For more information, see Configure VPN Modem Failover.
Start Phase 1 tunnel when it is inactive
When selected, this option causes the XTM device to automatically restart the tunnel if it is not
active. This check box is selected by default for XTM 2, 3, and 5 Series models. Clear this
check box if you do not want the XTM device to automatically start the tunnel.
If you clear this check box, the XTM device still automatically restarts the tunnel
when it is inactive if any policy uses policy-based routing to route outbound traffic to
this BOVPN virtual interface.
Add this tunnel to the BOVPN-Allow policies
When selected, this option adds the tunnel to the BOVPN-Allow.in and the BOVPN-Allow.out
policies. These policies allow all traffic that matches the routes for this tunnel.
To restrict traffic through the tunnel, clear this check box and create custom policies for types of
traffic that you want to allow through the tunnel.
On the other tabs, you can configure these settings for this BOVPN virtual interface:
n Select the VPN Routes tab to add routes that you want to use this VPN virtual interface and to
configure virtual interface IP addresses for use in dynamic routing. For more information, see
Configure VPN Routes.
n Select the Phase 1 Settings tab to configure the Phase 1 settings for this BOVPN virtual
interface. These settings are exactly the same as the Phase 1 settings you can configure for a
BOVPN gateway. For more information, see Configure Mode and Transforms (Phase 1
Settings).
n Select the Phase 2 Settings tab to configure the Phase 2 settings for this BOVPN virtual
interface. These settings are exactly the same as the Phase 2 settings you can configure for a
BOVPN tunnel. For more information, see Configure Phase 2 Settings.
n Select the Multicast Settings tab to enable multicast routing over the tunnel. For more
information, see Configure BOVPN Virtual Interface Multicast Settings.
Configure VPN Routes
For a BOVPN virtual interface, the XTM device uses the routing table to determine whether to send
traffic through the VPN tunnel. For a BOVPN virtual interface, you do not explicitly configure the local
and remote addresses for each tunnel route. Instead, for each BOVPN virtual interface, you can
configure static routes that use this BOVPN virtual interface as a gateway. For each route, you specify
a destination and a metric. Static routes that you add to this list also appear in the static routes list for
the device.
IPv6 BOVPN virtual interface routes are 6in4 tunnel routes that use a GRE tunnel within the IPSec
BOVPN tunnel. You can use an IPv6 BOVPN virtual interface route to send traffic between two IPv6
networks through an IPv4 BOVPN virtual interface tunnel. You cannot configure a BOVPN virtual
interface route for traffic between an IPv4 network and an IPv6 network.
IPv6 BOVPN virtual interface routes are supported in Fireware XTM OS v11.9 and
higher.
The static and dynamic routes for a BOVPN virtual interface appear in the route table. To see the
routes, select System Status > Routes.
By default, the XTM device does not remove the static routes from the route table if
the VPN is down. You can change this setting in the global VPN settings. For more
information, see About Global VPN Settings.
Add VPN Routes
1. Add or edit a BOVPN virtual interface. For more information, see Configure a BOVPN Virtual
Interface.
2. Select the VPN Routes tab.
3. Click Add.
The VPN Route Settings dialog box appears.
4. From the Choose Type drop-down list, select an option:
n Host IPv4 - Select this option if only one IPv4 host is behind the router or you want traffic
to go to only one host.
n Network IPv4 - Select this option if you have a full IPv4 network behind a router on your
local network.
n Host IPv6 - Select this option if only one IPv6 host is behind the router or you want traffic
to go to only one host.
n Network IPv6 - Select this option if you have a full IPv6 network behind a router on your
local network.
5. In the Route To text box, type the network address or host address. If you type a network
address, use slash notation.
For more information about slash notation, see About Slash Notation on page 5.
6. In the Metric text box, type or select a metric value for the route. Routes with lower metrics
have higher priority.
7. Click OK.
The route is added to the BOVPN virtual interface configuration.
On the VPN Routes tab, you can also add BOVPN virtual interface IP addresses. These are required if
you want to configure dynamic routing to use the BOVPN virtual interface. For more information, see
Assign BOVPN Virtual Interface IP Addresses.
Assign BOVPN Virtual Interface IP Addresses
If you want to use the BOVPN virtual interface in your dynamic routing configuration, you must assign
virtual interface IP addresses to the local and peer XTM device. These addresses are used as the
endpoints of the GRE tunnel that encapsulates traffic for this BOVPN virtual interface. There are two
IP addresses you configure:
n Local IP address - The IP address to use for the local end of the tunnel.
n Peer IP address - The IP address to use for the remote end of the BOVPN tunnel.
On each XTM device, the Local IP address for the BOVPN virtual interface must match the Peer
IP address configured for the BOVPN virtual interface on the XTM device at the other end of the
tunnel.
We recommend that you select IP addresses in a private network IP address range that is not used by
any local network or by any remote network connected through a VPN. This ensures that the
addresses do not conflict with any other device. The private network ranges are:
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
If you enable a BOVPN virtual interface for a FireCluster, make sure that the IP address does not
conflict with the cluster interface IP addresses or the cluster management IP addresses.
To assign virtual interface IP addresses:
1. Add or edit a BOVPN virtual interface. For more information, see Configure a BOVPN Virtual
Interface.
2. Select the VPN Routes tab.
3. In the Interface section, select the Assign virtual interface IPs check box.
4. In the Local IP address text box, type the IP address to use for the local end of the tunnel.
This address must match the Peer IP address configured for this BOVPN virtual interface on the peer
device.
5. In the Peer IP address text box, type the IP address to use for the remote end of the tunnel.
This address must match the Local IP address for this BOVPN virtual interface on the peer device.
When you configure dynamic routing for a BOVPN virtual interface, use the virtual interface
IP addresses rather than the device name.
Configure BOVPN Virtual Interface Multicast Settings
You can enable the XTM device to send or receive multicast traffic through a BOVPN virtual interface.
To configure multicast settings:
1. Select the Multicast Settings tab.
2. Select the Enable multicast routing over the tunnel check box.
3. In the Origination IP text box, type the IP address of the originator of the traffic.
4. In the Group IP text box, type the multicast IP address to receive the traffic.
Enable the Device to Send Multicast Traffic Through The Tunnel
1. Select Enable device to send multicast traffic.
2. From the Input Interface drop-down list, select the interface from which the multicast traffic
originates.
Enable the Device to Receive Multicast Traffic Through the Tunnel
1. Select Enable device to receive multicast traffic.
2. Select the check box for each interface that you want to receive multicast traffic.
Disable or Enable a Branch Office VPN
In Fireware XTM v11.9 and higher, you can enable or disable a BOVPN virtual interface or a BOVPN
gateway.
When you disable a BOVPN gateway or BOVPN virtual interface:
n You can still edit BOVPN gateway, tunnel, and virtual interface settings.
n The tunnels associated with a disabled BOVPN gateway are disabled.
n Disabled tunnel routes do not appear in the Status Report.
n BOVPN virtual interface routes are not added to the routing table.
n Disabled tunnels and BOVPN virtual interfaces are disabled in the BOVPN-Allow.out and
BOVPN-Allow.in policies.
Disabled BOVPN tunnels or virtual interfaces remain in the To or From list of any
policies that use them. Policies do not send traffic through a disabled BOVPN tunnel
or virtual interface.
Disable or Enable a BOVPN Gateway
To disable a BOVPN gateway:
1. Select VPN > BOVPN.
2. Select an enabled gateway.
3. Click Disable.
4. Click OK to confirm that you want to disable the gateway.
The gateway and all associated tunnels are disabled.
To enable a disabled gateway, select the gateway and click Enable.
Disable or Enable a BOVPN Virtual Interface
To disable a BOVPNvirtual interface:
1. Select VPN > BOVPN Virtual Interface.
2. Select an enabled BOVPN virtual interface.
3. Click Disable.
4. Click OK to confirm that you want to disable the BOVPN virtual interface.
The BOVPN virtual interface is disabled.
To enable a disabled BOVPN virtual interface, select the BOVPN virtual interface and click Enable.
About Global VPN Settings
From Fireware XTM Web UI, you can select settings that apply to manual BOVPN tunnels, managed
BOVPN tunnels, and Mobile VPN with IPSec tunnels.
1. Select VPN > Global Settings.
The Global VPN Settings page appears.
2. Configure the settings for your VPN tunnels, as explained in the subsequent sections.
Enable IPSec Pass-through
For a user on the trusted or optional network to make outbound IPSec connections to an XTM device
located behind a different XTM device, you must select the Enable IPSec pass-through check box.
For example, if mobile employees are at a customer location that has an XTM device, they can use
IPSec to make a VPN connection to their network. For the local XTM device to correctly allow the
outgoing IPSec connection, you must add an IPSec policy to the configuration.
When you enable IPSec pass-through, a policy called WatchGuard IPSec is automatically added to
the configuration. The policy allows traffic from any trusted or optional network to any destination.
When you disable IPSec pass-through, the WatchGuard IPSec policy is automatically deleted.
The Enable IPSec pass-through check box enables outbound IPSec pass-through.
To enable inbound IPSec pass through, you must clear the Enable built-in IPSec
policy check box, and create IPSec policies to handle inbound VPN traffic to the
XTM device and any other VPN endpoints. For more information, see Configure
Inbound IPSec Pass-through with SNAT.
Enable TOS for IPSec
Type of Service (TOS) is a set of four-bit flags in the IP header that can tell routing devices to give an
IP datagram more or less priority than other datagrams. Fireware XTM gives you the option to allow
IPSec tunnels to clear or maintain the settings on packets that have TOS flags. Some ISPs drop all
packets that have TOS flags.
If you do not select the Enable TOS for IPSec check box, no IPSec packets have the TOS
flags. If the TOS flags were set before, they are removed when Fireware XTM encapsulates the packet
in an IPSec header.
When the Enable TOS for IPSec check box is selected and the original packet has TOS flags,
Fireware XTM keeps the TOS flags set when it encapsulates the packet in an IPSec header. If the
original packet does not have the TOS flags set, Fireware XTM does not set the TOS flag when it
encapsulates the packet in an IPSec header.
Make sure to carefully consider whether to select this check box if you want to apply QoS marking to
IPSec traffic. QoS marking can change the setting of the TOS flag. For more information on QoS
marking, see About QoS Marking on page 808.
Enable the Use of Non-Default (Static or Dynamic) Routes to
Determine if IPSec is Used
This option applies only to traffic through a BOVPN that is not a BOVPN virtual
interface.
When this option is not enabled, all packets that match the tunnel route specified in the IPSec gateway
are sent through the IPSec branch office VPN. If this option is enabled, the XTM device uses the
routing table to determine whether to send the packet through the IPSec VPN tunnel.
If a default route is used to route a packet
The packet is encrypted and sent through the VPN tunnel, to the interface specified in the
VPN gateway configuration.
If a non-default route is used to route a packet
The packet is routed to the interface specified in the non-default route in the routing table. When
a non-default route is used, the decision about whether to send the packet through the IPSec
VPN tunnel depends on the interface specified in the routing table. If the interface in the non-
default route matches the interface in the BOVPN gateway, the packet goes through the
BOVPN tunnel configured for that interface. For example, if the BOVPN gateway interface is
set to Eth0, and the matched non-default route uses Eth1 as the interface, the packet is not sent
through the BOVPN tunnel. However, if the matched non-default route uses Eth0 as the
interface, the packet is sent through the BOVPN tunnel.
This feature works with any non-default route (static or dynamic). You can use this feature in
conjunction with dynamic routing to enable dynamic network failover from a private network route to an
encrypted IPSec VPN tunnel.
For example, consider an organization that sends traffic between two networks, Site A and Site B.
They use a dynamic routing protocol to send traffic between the two sites over a private network
connection, with no VPN required. The private network is connected to the Eth1 interface of each
device. They have also configured a BOVPN tunnel between the two sites to send BOVPN traffic over
the local Internet connection, over the Eth0 interface of each device. They want to send traffic over the
BOVPN tunnel only if the private network connection is not available.
If they select the Enable the use of non-default (static or dynamic) routes to determine if IPSec
is used check box in the Global VPN Settings, the XTM device sends traffic over the private network if
a dynamic route to that network is present over the Eth1 interface. Otherwise, it sends traffic over the
encrypted IPSec BOVPN tunnel on the Eth0 interface.
For more information about how to use this setting, see Configure a Branch Office VPN for Failover
from a Leased Line.
Disable or Enable the Built-in IPSec Policy
The XTM device includes a built-in IPSec policy that allows IPSec traffic from Any-External to
Firebox. This hidden policy enables the XTM device to function as an IPSec VPN endpoint for Branch
Office VPN and Mobile VPN with IPSec tunnels. The built-in IPSec policy has a higher precedence
than any manually created IPSec policy. The built-in IPSec policy is enabled by default. To disable this
policy, clear the Enable built-in IPSec Policy check box. Do not disable the built-in policy unless you
want to create another IPSec policy to terminate a VPN tunnel at a device other than the XTM device,
such as a VPN concentrator on the XTM device trusted or optional network.
If you clear the Enable built-in IPSec Policy check box, you must create IPSec policies to handle
inbound VPN traffic to the XTM device and any other VPN endpoints. For more information, see
Configure Inbound IPSec Pass-through with SNAT.
Remove VPN Routes for a BOVPN Virtual Interface
You can choose whether you want the XTM device to automatically remove the static VPN routes configured for a BOVPN virtual interface from the Routes:Main table when the BOVPN virtual interface is down. This controls whether the XTM device can use the default route for packets that match these routes if the BOVPN virtual interface is down.
Select the Remove VPN routes when the tunnel for a BOVPN virtual interface is down check box if you want to automatically remove static routes for the BOVPN virtual interface from the routing table when the BOVPN virtual interface is down. If the destination IP address of a packet does not match any routes in the routing table, the XTM device sends it through the default route, which could be an unencrypted connection. If you select this check box, you must do one of two things to make sure that the VPN routes for a BOVPN virtual interface are added to the routes table when the tunnel is available. You can either enable policy-based routing for the BOVPN virtual interface, or, in the BOVPN virtual interface settings, select the Start Phase1 tunnel when it is inactive check box. This is selected by default when you configure the BOVPN virtual interface.
Clear the Remove VPN routes when the tunnel for a BOVPN virtual interface is down check box if you want to keep the route in the routing table when the BOVPN virtual interface is down. This is the default setting. When a BOVPN virtual interface is down, the metric for the routes that use it is automatically changed to a large number, so that they are lower priority than other routes. Because the route remains in the routing table, packets that match this route are not sent through the default route when the BOVPN virtual interface is down.
Regardless of this setting, if there is an alternate route for a packet to take, the XTM device sends the packet through the alternate route, rather than the default route, when the BOVPN virtual interface is down.
Enable LDAP Server for Certificate Verification
When you create a VPN gateway, you specify a credential method for the two VPN endpoints to use when the tunnel is created. If you choose to use an IPSec XTM device certificate, you can identify an LDAP server that validates the certificate. Type the IP address for the LDAP server. You can also specify a port if you want to use a port other than 389.
BOVPN Notification
In the BOVPN Notification section, you can configure the XTM device to send a notification when a BOVPN tunnel is down.
For information about the notification options, see Set Logging and Notification Preferences on page 882.
BOVPN notification settings do not apply to Mobile VPN with IPSec tunnels.
Configure Inbound IPSec Pass-through with SNAT
By default, the XTM device is configured to terminate all inbound IPSec VPN tunnels at the XTM device itself. You can configure the XTM device to pass inbound IPSec VPN traffic through to another VPN endpoint, such as a VPN concentrator on the trusted or optional network.
Branch Office VPNs
1062 Fireware XTMWeb UI
Branch Office VPNs
User Guide 1063
To do this, you must disable the built-in IPSec policy that sends all inbound traffic to the XTM device. Then you must create specific IPSec policies to handle incoming VPN traffic that terminates at the XTM device or at another device on your network. You can use a static NAT (SNAT) action in the policy to map an external IP address to the private IP address of the VPN endpoint on your network.
Disable the Built-in IPSec Policy
Because the built-in IPSec policy is a hidden policy, you cannot edit it directly. You must disable it in the VPN global settings.
1. Select VPN > VPN Settings.
2. Clear the Enable the built-in IPSec Policy check box.
Add IPSec Policies
After you disable the built-in IPSec policy, you must add one or more IPSec packet filter policies to handle incoming IPSec VPN traffic.
For example, if your XTM device has a primary external IP address of 203.0.113.2, and a secondary external IP address of 203.0.113.10, you could use an SNAT action in an IPSec policy to map IPSec traffic that comes to the secondary external IP address to the private IP address of the VPN concentrator. You could create another policy to send all other incoming IPSec traffic to the XTM device.
Those two policies could look like this:
Policy: IPSec_to_VPN_concentrator
IPSec connections are: Allowed
From: Any-External
To: 203.0.113.10 --> 10.0.2.10 (added as an SNAT action)
Policy: IPSec_to_XTM_Device
IPSec connections are: Allowed
From: Any-External
To: Firebox
If auto-order mode is enabled, the policies are automatically sorted in the correct precedence order and the IPSec policy that contains the SNAT action is higher in the policy list than the other IPSec policy. This means that all incoming IPSec traffic with a destination that does not match the SNAT rule in the first IPSec policy is handled by the second IPSec policy.
This example uses static NAT to direct incoming traffic to the internal VPN concentrator. You could also use 1-to-1 NAT for this purpose.
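The precedence behaviour described above, as an added example (not WatchGuard's code): the two inbound IPSec policies are evaluated in order, with the hidden built-in policy outranking both when it is enabled. The set of addresses covered by the Firebox alias is a constructed assumption for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class IpsecPolicy:
    name: str
    to: str                        # "Firebox" alias, or one external IP address
    snat_to: Optional[str] = None  # private address the external IP maps to (SNAT action)

    def matches(self, dst: Addr, firebox_ips: Set[Addr]) -> bool:
        if self.to == "Firebox":
            return dst in firebox_ips
        return dst == Addr(self.to)


def auto_order(policies: List[IpsecPolicy]) -> List[IpsecPolicy]:
    """Auto-order mode: a policy with a specific host destination (the SNAT policy)
    is more specific than the Firebox alias, so it is placed higher in the list."""
    return sorted(policies, key=lambda p: 0 if p.to != "Firebox" else 1)


def handle_inbound_ipsec(destination: str, policies: List[IpsecPolicy],
                         firebox_ips: Set[Addr], builtin_enabled: bool = False,
                         ordered: bool = True) -> Tuple[Optional[str], str]:
    """Return (policy name, where the inbound IPSec traffic terminates) for one packet."""
    dst = Addr(destination)
    if builtin_enabled:
        # The hidden built-in policy outranks any manual IPSec policy and
        # terminates every inbound IPSec tunnel at the XTM device itself.
        return ("built-in IPSec policy", "Firebox")
    for policy in (auto_order(policies) if ordered else policies):
        if policy.matches(dst, firebox_ips):
            return (policy.name, policy.snat_to or "Firebox")
    return (None, "denied")


# Constructed assumption: the Firebox alias covers the primary and secondary
# external addresses from the example above.
FIREBOX_IPS: Set[Addr] = {Addr("203.0.113.2"), Addr("203.0.113.10")}

# Deliberately listed with the Firebox policy first, to show why ordering matters.
POLICIES = [
    IpsecPolicy("IPSec_to_XTM_Device", "Firebox"),
    IpsecPolicy("IPSec_to_VPN_concentrator", "203.0.113.10", snat_to="10.0.2.10"),
]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.2"):
        print(ip, "->", handle_inbound_ipsec(ip, POLICIES, FIREBOX_IPS))
```

With `ordered=False` the Firebox policy shadows the SNAT policy, which is the misconfiguration auto-order mode prevents.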
Configure a Branch Office VPN for Failover from a
Leased Line
You can configure your XTM device to use the IPSec branch office VPN tunnel for failover if another route (such as a private leased line) becomes unavailable.
Requirements
For VPN failover to operate correctly, the configuration must meet these requirements:
- Each site must have a router connected to the leased line between the two sites.
- At each site, the router that connects to the leased line must connect to an XTM device trusted or optional interface. The interface it connects to must be different from the interface used for the branch office VPN tunnel.
- The two routers connected to the leased line must be configured to use dynamic routing (OSPF, BGP, or RIP).
- Dynamic routing must also be enabled on the XTM devices at both sites.
- The Enable the use of non-default (static or dynamic) routes to determine if IPSec is used Global VPN setting must be enabled on the XTM devices at both sites.
To use this feature for automatic failover from a leased line, you must use dynamic routing.
With this configuration, Internet traffic is handled by the XTM device based on the regular firewall policies. This configuration does not create any limitations on the use of multi-WAN in your device configuration.
Configuration Overview
The general steps to configure failover from a leased line to a branch office VPN are:
1. Configure dynamic routing and add the associated RIP, OSPF, or BGP policy at each site to create the route over the leased line.
For more information, see About Dynamic Routing.
2. Configure the branch office VPN to connect the two sites.
3. Configure Global VPN settings to enable the failover feature at each site.
On the VPN Settings page, select the Enable the use of non-default (static or dynamic) routes to determine if IPSec is used check box.
How Failover to the Branch Office VPN Operates
When you enable dynamic routing, the XTM device automatically updates the routing table based on the status of the connection. If the connection to the leased line router fails, the XTM device dynamically removes that route from the routing table. You can see the routing table on the Status Report tab in Firebox System Manager.
The XTM device at each office site sends traffic to the other office over the trusted interface connected to the private leased line, if a dynamic route to that site is present. If a dynamic route is not present in the routing table, the XTM device at each site sends traffic over the encrypted IPSec BOVPN tunnel on the external interface. When the dynamic route over the leased line is restored, the devices automatically send traffic over the private leased line again.
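The interface-matching rule for non-default routes described at the start of this topic, and the leased-line failover sequence just described, as one added example (not WatchGuard's code). It models the routing decision for a single packet: longest-prefix match, then the Global VPN setting, then the comparison of the matched route's interface with the BOVPN gateway interface. The Site B network, interface names and hosts are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str          # for example "Eth0" or "Eth1"
    dynamic: bool = False   # learned via OSPF/BGP/RIP, so it can be withdrawn

    @property
    def is_default(self) -> bool:
        return self.prefix.prefixlen == 0


@dataclass(frozen=True)
class BovpnTunnel:
    remote_network: ipaddress.IPv4Network
    gateway_interface: str  # interface the BOVPN gateway is bound to


class XtmRouter:
    """Small model of the XTM device's outbound decision for one packet."""

    def __init__(self, routes: Iterable[Route], tunnels: Iterable[BovpnTunnel],
                 use_non_default_routes: bool) -> None:
        self.routes: List[Route] = list(routes)
        self.tunnels: List[BovpnTunnel] = list(tunnels)
        # The "Enable the use of non-default (static or dynamic) routes to
        # determine if IPSec is used" Global VPN setting.
        self.use_non_default_routes = use_non_default_routes

    def withdraw_dynamic(self, prefix: str) -> None:
        """Dynamic routing removed the route (the leased-line router went down)."""
        net = ipaddress.IPv4Network(prefix)
        self.routes = [r for r in self.routes if not (r.dynamic and r.prefix == net)]

    def best_route(self, dst: ipaddress.IPv4Address) -> Optional[Route]:
        # Longest-prefix match over the routing table.
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def decide(self, destination: str) -> str:
        dst = ipaddress.IPv4Address(destination)
        tunnel = next((t for t in self.tunnels if dst in t.remote_network), None)
        route = self.best_route(dst)
        if tunnel is None:
            return f"route via {route.interface}" if route else "drop: no route"
        if not self.use_non_default_routes:
            # Setting cleared: a matching tunnel route always wins.
            return f"tunnel via {tunnel.gateway_interface}"
        if route is None or route.is_default:
            # Only the default route matches: use the tunnel.
            return f"tunnel via {tunnel.gateway_interface}"
        if route.interface == tunnel.gateway_interface:
            # Non-default route on the gateway's own interface: still the tunnel.
            return f"tunnel via {tunnel.gateway_interface}"
        # Non-default route on another interface (the leased line): bypass the VPN.
        return f"route via {route.interface}"


def leased_line_failover_demo() -> List[str]:
    """Site A's decision for traffic to Site B as the leased line fails and recovers."""
    site_b = ipaddress.IPv4Network("10.50.1.0/24")   # constructed remote trusted network
    default = Route(ipaddress.IPv4Network("0.0.0.0/0"), "Eth0")
    leased_line = Route(site_b, "Eth1", dynamic=True)  # learned from the leased-line router
    tunnels = [BovpnTunnel(site_b, "Eth0")]
    xtm = XtmRouter([default, leased_line], tunnels, True)
    results = [xtm.decide("10.50.1.20")]        # leased line up: private route
    xtm.withdraw_dynamic("10.50.1.0/24")
    results.append(xtm.decide("10.50.1.20"))    # leased line down: failover to VPN
    xtm.routes.append(leased_line)
    results.append(xtm.decide("10.50.1.20"))    # route restored: private route again
    # With the setting cleared, the same table never bypasses the tunnel.
    off = XtmRouter([default, leased_line], tunnels, False)
    results.append(off.decide("10.50.1.20"))
    return results


if __name__ == "__main__":
    print(leased_line_failover_demo())
```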
Set Up Outgoing Dynamic NAT Through a Branch
Office VPN Tunnel
You can use dynamic NAT (DNAT) through Branch Office VPN (BOVPN) tunnels. Dynamic NAT acts as unidirectional NAT, and keeps the VPN tunnel open in one direction only. This can be helpful when you make a BOVPN tunnel to a remote site where all VPN traffic must come from one public IP address.
For example, suppose you want to create a BOVPN tunnel to a business partner so you can get access to their database server, but you do not want this company to get access to any of your resources. Your business partner wants to allow you access, but only from a single IP address so they can monitor the connection.
You must know the external and trusted network IP addresses of each VPN endpoint to complete this procedure. If you enable dynamic NAT through a BOVPN tunnel, you cannot use the VPN failover feature for that VPN tunnel.
The step-by-step instructions below work with any BOVPN that uses dynamic NAT to make all traffic from one endpoint appear to come from a single IP address. The DNAT address can be any routable IP address, such as the Site A public IP address, or a private IP address on the trusted network at Site A. The subsequent images show the settings for a BOVPN where all traffic from Site A must come from the public IP address of Site A.
Site A
Public IP address 203.0.113.2
Trusted Network 10.0.1.0/24
Site B
Public IP address 198.51.100.2
Trusted Network 10.50.1.0/24
Configure the Endpoint Where All Traffic Must Appear to
Come from a Single Address (Site A)
1. From Fireware XTM Web UI, configure the gateway for the BOVPN.
For more information, see Configure Gateways on page 1021.
2. Select VPN > Branch Office VPN.
3. Click Add below the Tunnels list to add a new tunnel, or select a tunnel and click Edit.
The Tunnel configuration settings appear.
4. Select the gateway from the Gateway drop-down list.
5. On the Addresses tab, click Add.
The Tunnel Route Settings dialog box opens.
6. In the Local IP section, select the type of local address from the Choose Type drop-down list. Then type the value in the text box below. You can type a host IP address, network address, a range of host IP addresses, or a DNS name.
7. In the Remote IP section, select the type of remote address from the Choose Type drop-down list. Then type the value in the text box below. You can type a host IP address, network address, a range of host IP addresses, or a DNS name.
8. In the Direction drop-down list, select local-to-remote.
9. Click the NAT tab. Select the Dynamic NAT check box. In the adjacent text box, type the IP address that you want the remote network to see as the source for all traffic through the tunnel.
10. Click OK.
The tunnel route is added.
11. Save the changes to the XTM device.
Configure the Endpoint that Expects All Traffic to Come from a Single IP Address (Site B)
1. From the Fireware XTM Web UI, configure the gateway for the BOVPN. For more information, see Configure Gateways on page 1021.
2. Select VPN > BOVPN. Click Add below the Tunnels list to add a new tunnel or select an existing tunnel and click Edit.
The Add Tunnel or Edit Tunnel dialog box opens. The tunnel settings appear.
3. Select the gateway from the Gateways drop-down list.
4. On the Addresses tab, click Add.
The Tunnel Route Settings dialog box opens.
5. In the Local IP section, select the type of local address from the Choose Type drop-down list. Then type the value in the adjacent text box. You can type a host IP address, network address, a range of host IP addresses, or a host name. This must match the Remote address configured in the tunnel route at Site A.
6. In the Remote IP section, select the type of remote address from the Choose Type drop-down list. Type the value in the adjacent text box. You can type a host IP address, network address, a range of host IP addresses, or a host name. This must match the DNAT address configured at Site A.
7. From the Direction drop-down list, select remote-to-local.
8. Do not select anything in the NAT tab.
9. Click OK.
The tunnel route is added.
10. Save the changes to the XTM device.
When the XTM device at Site B restarts, the two XTM devices negotiate a VPN tunnel. The Site A XTM device applies dynamic NAT to all traffic sent to the trusted network of the Site B XTM device. When this traffic reaches Site B, it arrives as traffic that originated from the DNAT IP address.
Use 1-to-1 NAT Through a Branch Office VPN Tunnel
When you create a Branch Office VPN (BOVPN) tunnel between two networks that use the same private IP address range, an IP address conflict occurs. To create a tunnel without this conflict, both networks must apply 1-to-1 NAT to the VPN. 1-to-1 NAT makes the IP addresses on your computers appear to be different from their true IP addresses when traffic goes through the VPN.
1-to-1 NAT maps one or more IP addresses in one range to a second IP address range of the same size. Each IP address in the first range maps to an IP address in the second range. In this document, we call the first range the real IP addresses and we call the second range the masqueraded IP addresses. For more information on 1-to-1 NAT, see About 1-to-1 NAT on page 260.
1-to-1 NAT and VPNs
When you use 1-to-1 NAT through a BOVPN tunnel:
- When a computer in your network sends traffic to a computer at the remote network, the XTM device changes the source IP address of the traffic to an IP address in the masqueraded IP address range. The remote network sees the masqueraded IP addresses as the source of the traffic.
- When a computer at the remote network sends traffic to a computer at your network through the VPN, the remote office sends the traffic to the masqueraded IP address range. The XTM device changes the destination IP address to the correct address in the real IP address range and then sends the traffic to the correct destination.
1-to-1 NAT through a VPN affects only the traffic that goes through that VPN. The rules you see in Fireware XTM Web UI at Network > NAT do not affect traffic that goes through a VPN.
Other Reasons to Use 1-to-1 NAT Through a VPN
In addition to the previous situation, you would also use 1-to-1 NAT through a VPN if the network to which you want to make a VPN already has a VPN to a network that uses the same private IP addresses you use in your network. An IPSec device cannot route traffic to two different remote networks when the two networks use the same private IP addresses. You use 1-to-1 NAT through the VPN so that the computers in your network appear to have different (masqueraded) IP addresses. However, unlike the situation described at the beginning of this topic, you need to use NAT only on your side of the VPN instead of both sides.
A similar situation exists when two remote offices use the same private IP addresses and both remote offices want to make a VPN to your XTM device. In this case, one of the remote offices must use NAT through its VPN to your XTM device to resolve the IP address conflict.
Alternative to Using NAT
If your office uses a common private IP address range such as 192.168.0.x or 192.168.1.x, it is very likely that you will have a problem with IP address conflicts in the future. These IP address ranges are often used by broadband routers or other electronic devices in homes and small offices. You should consider changing to a less common private IP address range, such as 10.x.x.x or 172.16.x.x.
How to Set Up the VPN
These steps and the subsequent example apply to a branch office VPN that is not configured as a BOVPN virtual interface. For a BOVPN virtual interface, you configure 1-to-1 NAT as you would for an interface. For more information, see Configure Firewall 1-to-1 NAT.
1. Select a range of IP addresses that your computers show as the source IP addresses when traffic comes from your network and goes to the remote network through the BOVPN. Consult with the network administrator for the other network to select a range of IP addresses that are not in use. Do not use any of the IP addresses from:
- The trusted, optional, or external network connected to your XTM device
- A secondary network connected to a trusted, optional, or external interface of your XTM device
- A routed network configured in your XTM device policy (Network > Routes)
- Networks to which you already have a BOVPN tunnel
- Mobile VPN virtual IP address pools
- Networks that the remote IPSec device can reach through its interfaces, network routes, or VPN routes
2. Configure Gateways for the local and remote XTM devices.
3. Make Tunnels Between Gateway Endpoints. In the Tunnel Route Settings dialog box for each XTM device, select the 1:1 NAT check box and type its masqueraded IP address range in the adjacent text box.
The number of IP addresses in this text box must be exactly the same as the number of IP addresses in the Local text box at the top of the dialog box. For example, if you use slash notation to indicate a subnet, the value after the slash must be the same in both text boxes. For more information, see About Slash Notation on page 5.
You do not need to define anything in the Network > NAT settings in Fireware XTM Web UI. These settings do not affect VPN traffic.
Example
Suppose two companies, Site A and Site B, want to set up a Branch Office VPN between their trusted networks. Both companies use a WatchGuard XTM device with Fireware XTM. Both companies use the same IP addresses for their trusted networks, 192.168.1.0/24. Each company's XTM device uses 1-to-1 NAT through the VPN. Site A sends traffic to Site B's masqueraded range and the traffic goes outside Site A's local subnet. Also, Site B sends traffic to the masqueraded range that Site A uses. This solution solves the IP address conflict at both networks. The two companies agree that:
- Site A makes its trusted network appear to come from the 192.168.100.0/24 range when traffic goes through the VPN. This is Site A's masqueraded IP address range for this VPN.
- Site B makes its trusted network appear to come from the 192.168.200.0/24 range when traffic goes through the VPN. This is Site B's masqueraded IP address range for this VPN.
Define a Branch Office Gateway on Each XTM Device
The first step is to make a gateway that identifies the remote IPSec device. When you make the gateway, it appears in the list of gateways in Fireware XTM Web UI. To see the list of gateways from Fireware XTM Web UI, select VPN > Branch Office VPN.
Configure the Local Tunnel
1. Select VPN > Branch Office VPN.
The Branch Office VPN page appears.
2. In the Tunnel section of the BOVPN page, click Add.
The Tunnel settings page appears.
3. Type a descriptive name for the tunnel. The example uses "TunnelTo_SiteB".
4. From the Gateway drop-down list, select the gateway that points to the IPSec device of the remote office. The example uses the gateway called "SiteB".
5. Select the Phase 2 Settings tab. Make sure the Phase 2 settings match what the remote office uses for Phase 2.
6. Select the Addresses tab. Click Add to add the local-remote pair.
The Tunnel Route Settings dialog box appears.
7. In the Local IP section, select Network IPv4 from the Choose Type drop-down list. In the Network IP text box, type the real IP address range of the local computers that use this VPN. This example uses 192.168.1.0/24.
8. In the Remote section, select Network IPv4 from the Choose Type drop-down list. In the Network IP text box, type the private IP address range that the local computers send traffic to. This example uses 192.168.200.0/24.
In this example, the remote office Site B uses 1-to-1 NAT through its VPN. This makes Site B's computers appear to come from Site B's masqueraded range, 192.168.200.0/24. The local computers at Site A send traffic to Site B's masqueraded IP address range. If the remote network does not use NAT through its VPN, type the real IP address range in the Remote text box.
9. Select the NAT tab. Select the 1:1 NAT check box and type the masqueraded IP address range for this office. This is the range of IP addresses that the computers protected by this XTM device show as the source IP address when traffic comes from this XTM device and goes to the other side of the VPN. (The 1:1 NAT check box is enabled after you type a valid host IP address, a valid network IP address, or a valid host IP address range in the Local text box on the Addresses tab.) Site A uses 192.168.100.0/24 for its masqueraded IP address range.
10. Click OK. The device adds the new tunnel to the BOVPN-Allow.out and BOVPN-Allow.in policies.
If you need 1-to-1 NAT on your side of the VPN only, you can stop here. The device at the other end of the VPN must configure its VPN to accept traffic from your masqueraded range.
Configure the Remote Tunnel
1. Follow Steps 1-6 in the previous procedure to add the tunnel on the remote XTM device. Make sure the Phase 2 settings match.
2. In the Local IP section, select Network IP from the Choose Type drop-down list. In the Network IP text box, type the real IP address range of the local computers that use this VPN. This example uses 192.168.1.0/24.
3. In the Local IP section, select Network IP from the Choose Type drop-down list. In the Network IP text box, type the private IP address range that the computers at the remote office send traffic to. In our example, Site A does 1-to-1 NAT through its VPN. This makes the computers at Site A appear to come from its masqueraded range, 192.168.100.0/24. The local computers at Site B send traffic to the masqueraded IP address range of Site A.
4. Select the NAT tab. Select the 1:1 NAT check box and type the masqueraded IP address range of this site. This is the range of IP addresses that computers behind this XTM device show as the source IP address when traffic comes from this XTM device and goes to the other side of the VPN. Site B uses 192.168.200.0/24 for its masqueraded IP address range.
5. Click OK. The device adds the new tunnel to the BOVPN-Allow.out and BOVPN-Allow.in policies.
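The two-sided translation in the Site A / Site B example above, as an added example (not WatchGuard's code): each site rewrites the source of outbound VPN traffic into its masqueraded range and the destination of inbound VPN traffic back into its real range, and a 1:1 NAT range that is not the same size as the Local range is rejected, as the Web UI requires. The host addresses are constructed.

```python
import ipaddress
from typing import Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


class OneToOneNatTunnelRoute:
    """One site's tunnel route: the Local (real) range, its 1:1 NAT (masqueraded)
    range, and the Remote range it sends traffic to."""

    def __init__(self, name: str, local_real: str, masqueraded: str, remote: str) -> None:
        self.name = name
        self.local_real = Net(local_real)
        self.masq = Net(masqueraded)
        self.remote = Net(remote)
        # The 1:1 NAT range must contain exactly as many addresses as the Local range.
        if self.masq.num_addresses != self.local_real.num_addresses:
            raise ValueError(f"{name}: 1:1 NAT range must be the same size as the Local range")

    @staticmethod
    def translate(addr: Addr, src_net: Net, dst_net: Net) -> Addr:
        """Map an address to the same offset in another range of equal size."""
        offset = int(addr) - int(src_net.network_address)
        return Addr(int(dst_net.network_address) + offset)

    def masquerade(self, real_host: str) -> str:
        """The masqueraded address a real local host shows to the other side."""
        return str(self.translate(Addr(real_host), self.local_real, self.masq))

    def outbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Packet leaving this site through the VPN: real source -> masqueraded source."""
        s, d = Addr(src), Addr(dst)
        if s not in self.local_real or d not in self.remote:
            return None  # does not match this tunnel route
        return (str(self.translate(s, self.local_real, self.masq)), str(d))

    def inbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Packet arriving from the VPN for the masqueraded range: masqueraded destination -> real."""
        s, d = Addr(src), Addr(dst)
        if s not in self.remote or d not in self.masq:
            return None
        return (str(s), str(self.translate(d, self.masq, self.local_real)))


def round_trip(sender: OneToOneNatTunnelRoute, receiver: OneToOneNatTunnelRoute,
               src_host: str, dst_host: str):
    """A packet from src_host behind `sender` to dst_host behind `receiver`,
    as seen on the wire (inside the tunnel) and as delivered."""
    # The sending site addresses the remote host by its masqueraded address, never its real one.
    on_wire = sender.outbound(src_host, receiver.masquerade(dst_host))
    delivered = receiver.inbound(*on_wire) if on_wire else None
    return on_wire, delivered


# Constructed to match the example: both trusted networks are 192.168.1.0/24.
SITE_A = OneToOneNatTunnelRoute("TunnelTo_SiteB", "192.168.1.0/24", "192.168.100.0/24", "192.168.200.0/24")
SITE_B = OneToOneNatTunnelRoute("TunnelTo_SiteA", "192.168.1.0/24", "192.168.200.0/24", "192.168.100.0/24")

if __name__ == "__main__":
    print(round_trip(SITE_A, SITE_B, "192.168.1.25", "192.168.1.40"))
```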
Define a Route for All Internet-Bound Traffic
When you enable remote users to access the Internet through a VPN tunnel, the most secure setup is to require that all remote user Internet traffic is routed through the VPN tunnel to the XTM device. From the XTM device, the traffic is then sent back out to the Internet. With this configuration (known as a hub route or default-route VPN), the XTM device is able to examine all traffic and provide increased security, although more processing power and bandwidth on the XTM device is used. When you use default-route VPN, a dynamic NAT policy must include the outgoing traffic from the remote network. This allows remote users to browse the Internet when they send all traffic to the XTM device.
When you define a default route through a BOVPN tunnel, you must do three things:
- Configure a BOVPN on the remote XTM device (whose traffic you want to send through the tunnel) to send all traffic from its own network address to 0.0.0.0/0.
- Configure a BOVPN on the central XTM device to allow traffic to pass through it to the remote XTM device.
- Add a route on the central XTM device from 0.0.0.0/0 to the network address of the remote XTM device.
Before you begin the procedures in this topic, you must have already created a manual branch office VPN between the central and remote XTM devices. For information on how to do this, see About Manual Branch Office VPN Tunnels on page 1010.
Configure the BOVPN Tunnel on the Remote XTM Device
1. Log into the Web UI for the remote XTM device.
2. Select VPN > Branch Office VPN. Find the name of the tunnel to the central XTM device and click Edit.
The Tunnel page appears.
3. Click Add.
The Tunnel Route Settings dialog box appears.
4. Under Local IP, in the Host IP text box, type the trusted network address of the remote XTM device.
5. Under Remote IP, select Network IP from the Choose Type drop-down list. In the Host IP text box, type 0.0.0.0/0 and click OK.
6. Select any other tunnel to the central XTM device and click Remove.
7. Click Save to save the configuration change.
Configure the BOVPN Tunnel on the Central XTM Device
1. Log into the Web UI for the central XTM device.
2. Select VPN > Branch Office VPN. Find the name of the tunnel to the remote XTM device and click Edit.
The Tunnel page appears.
3. Click Add.
The Tunnel Route Settings dialog box appears.
4. Under Local IP, select Network IP from the Choose Type drop-down list. In the Host IP text box, type 0.0.0.0/0.
5. Under Remote IP, type the trusted network address of the remote XTM device and click OK.
6. Select any other tunnel to the remote XTM device and click Remove.
7. Click Save to save the configuration change.
Add a Dynamic NAT Entry on the Central XTM Device
To allow a computer with a private IP address to access the Internet through the XTM device, you must configure the central XTM device to use dynamic NAT. With dynamic NAT, the XTM device replaces the private IP address included in a packet sent from a computer protected by the XTM device with the public IP address of the XTM device itself. By default, dynamic NAT is enabled and active for the three RFC-approved private network addresses:
192.168.0.0/16 - Any-External
172.16.0.0/12 - Any-External
10.0.0.0/8 - Any-External
When you set up a default route through a branch office VPN tunnel to another XTM device, you must add a dynamic NAT entry for the subnet behind the remote XTM device if its IP addresses are not within one of the three private network ranges.
1. Select Network > NAT.
The NAT page appears.
2. In the Dynamic NAT section of the NAT page, click Add.
The Dynamic NAT configuration page appears.
3. In the From section, select Network IP from the Member Type drop-down list.
4. Type the network IP address of the network behind the remote XTM device.
5. In the To section, select Any-External from the second drop-down list.
6. Click Save.
Mobile VPN Traffic Through a Branch Office VPN Tunnel
You can configure the XTM device to send traffic from mobile VPN users to a remote network through a branch office VPN tunnel. When you configure a mobile VPN, you assign virtual IP addresses for the mobile VPN users. These are the IP addresses the XTM device sees when the mobile users send traffic to the local network, or to a remote network connected by a branch office VPN tunnel.
To enable mobile VPN clients to get access to network resources through a branch office VPN tunnel, you must make sure that:
- The mobile VPN client sends traffic to the remote networks through the mobile VPN tunnel
- The branch office VPN can send traffic from mobile VPN user virtual IP addresses to the remote network
- The policies that control mobile VPN and branch office VPN traffic allow traffic between the mobile VPN clients and the remote network
Configure Mobile VPN Client Routes
Mobile VPN with IPSec
You can configure Mobile VPN with IPSec to force all traffic through the tunnel, or you can specify the network resources the VPN client can access through the tunnel. If you specify the allowed network resources in the Mobile VPN with IPSec profile, make sure the allowed resources list includes the IP address of the remote networks.
For more information, see Modify an Existing Mobile VPN with IPSec Group Profile.
If you edit the allowed resources, the resource list is automatically updated only in the default Mobile VPN with IPSec policy for this group. The resources are not automatically updated for any other Mobile VPN with IPSec policies for the group. You must edit the allowed resources in the Mobile VPN with IPSec policies and update them if necessary. For more information, see Configure Policies to Filter Mobile VPN Traffic.
If you update the allowed resources in an existing Mobile VPN with IPSec profile, you must distribute a new configuration file to each user.
For more information, see Distribute the Software and Profiles.
Mobile VPN with SSL
When you configure Mobile VPN with SSL on your XTM device, you select whether to bridge or route VPN traffic to the network.
If you select Bridge VPN Traffic, the XTM device assigns each VPN client an IP address on one of your internal networks. With this configuration, the Mobile VPN with SSL client sends all traffic that does not overlap with the client's local network through the SSL VPN tunnel. This includes traffic through the branch office VPN.
If you select Routed VPN Traffic, you can configure the client to force all client traffic through the tunnel, or to send only specific network traffic through the tunnel. If you don't force all the traffic through the tunnel, you must select Specify allowed resources, and then specify the network resources the VPN client can access through the tunnel. If you specify the allowed network resources, make sure the allowed resources list includes the IP address of the remote networks.
Mobile VPN with L2TP and Mobile VPN with PPTP
Mobile VPN with PPTP and Mobile VPN with L2TP VPN client tunnel routes are not configured on the XTM device, but are instead defined by the client computer. On most client devices, the user can choose to force all outbound traffic through the mobile VPN tunnel (default-route VPN), or to route traffic through the tunnel only to destinations on the same subnet as the virtual IP address assigned to the VPN client (split-tunnel VPN). For example, in a split-tunnel VPN, a client that uses a virtual IP address of 10.0.2.230 only sends traffic for the 10.0.2.x network through the mobile VPN tunnel. If you want the VPN client to send traffic to other networks through the mobile VPN tunnel, you must either configure the VPN client to force all traffic through the tunnel, or you must manually add TCP/IP routes to the routing table on the client computer.
To learn how to configure the split-tunnel and default-route VPN options for a Windows VPN client, see:
- Options for Internet Access Through a Mobile VPN with L2TP Tunnel
- Options for Internet Access Through a Mobile VPN with PPTP Tunnel
Configure Manual Branch Office VPN Routes
Branch office VPN tunnel routes define which local network traffic the XTM device sends through the
VPN tunnel to remote networks. If you want the XTM device to send traffic from mobile VPN users
through a branch office VPN tunnel, you must make sure that the branch office VPN configuration
includes a tunnel route from the network that includes the mobile VPN client's virtual IP address to the
remote network.
If a branch office VPN tunnel route to the remote network has a local address of 0.0.0.0/0, then all
traffic from the local network that does not overlap with other configured routes is sent through the
branch office VPN tunnel, including traffic from your mobile VPN clients.
If you need to add a new branch office VPN tunnel route that includes the mobile VPN client virtual
IP addresses, make sure to add the matching route in the VPN configuration on the remote VPN
device. For more information, see Add Routes for a Tunnel.
For an example of how to add VPN tunnel routes for connections from the Mobile VPN with SSL client,
see Allow Mobile VPN with SSL Users to use Resources Through a BOVPN Tunnel.
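The coverage check described above, written out as an added example (this is not Fireware code): given the tunnel routes configured on the local device, the mobile VPN virtual IP pools, and the remote network, it reports which pools no tunnel route carries. A local address of 0.0.0.0/0 is treated as matching every pool, which is the guide's rule when no more specific route overlaps. The route pairs, pool addresses and remote network are constructed values for the example, not settings read from a device.

```python
"""Check that manual BOVPN tunnel routes carry traffic from a mobile VPN
address pool to a remote network.

Added example, not Fireware code. Tunnel routes and pools are constructed
for the example; replace them with the values from your device.
"""
from ipaddress import IPv4Network, ip_network
from typing import Iterable, List, NamedTuple, Tuple


class TunnelRoute(NamedTuple):
    local: IPv4Network   # "Local" side of the tunnel route
    remote: IPv4Network  # "Remote" side of the tunnel route


def parse_routes(pairs: Iterable[Tuple[str, str]]) -> List[TunnelRoute]:
    """Build TunnelRoute objects from (local, remote) CIDR strings."""
    return [TunnelRoute(ip_network(local), ip_network(remote)) for local, remote in pairs]


def route_carries(route: TunnelRoute, pool: IPv4Network, remote_net: IPv4Network) -> bool:
    """True if this tunnel route sends traffic from every address in `pool` to `remote_net`.

    A local address of 0.0.0.0/0 matches any source the device has no more
    specific route for, so it covers every pool; otherwise the whole pool must
    lie inside the route's local network. The remote network must lie inside
    the route's remote side.
    """
    local_ok = route.local.prefixlen == 0 or pool.subnet_of(route.local)
    remote_ok = remote_net.subnet_of(route.remote)
    return local_ok and remote_ok


def uncovered_pools(routes: Iterable[TunnelRoute], pools: Iterable[str], remote_net: str) -> List[str]:
    """Return the mobile VPN pools (as CIDR strings) that no tunnel route carries to `remote_net`."""
    routes = list(routes)
    target = ip_network(remote_net)
    missing = []
    for cidr in pools:
        pool = ip_network(cidr)
        if not any(route_carries(r, pool, target) for r in routes):
            missing.append(str(pool))
    return missing


# Constructed sample data: a tunnel that already carries the LAN and the L2TP
# pool, but not the Mobile VPN with SSL pool, to the remote office network.
REMOTE_NET = "192.168.50.0/24"
SAMPLE_ROUTES = [
    ("10.0.1.0/24", REMOTE_NET),        # local LAN
    ("192.168.114.0/24", REMOTE_NET),   # L2TP virtual IP pool (example value)
]
SAMPLE_POOLS = ["192.168.113.0/24", "192.168.114.0/24"]  # SSL and L2TP pools (example values)

if __name__ == "__main__":
    for pool in uncovered_pools(parse_routes(SAMPLE_ROUTES), SAMPLE_POOLS, REMOTE_NET):
        print(f"add tunnel route {pool} -> {REMOTE_NET} on both VPN endpoints")
```

Run it against the tunnel routes from both endpoints: a pool the local device carries but the remote device has no matching route for still fails, because the remote side discards the traffic.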
Configure BOVPN Virtual Interface Routes
For a BOVPN virtual interface, you do not explicitly configure the local and remote addresses for each
tunnel route. Instead, you configure static routes that use the BOVPN virtual interface as a gateway.
Because BOVPN virtual interface routes do not specify which local networks can send traffic through
the tunnel, traffic from mobile VPN clients can be sent through the tunnel to any destination as long as
a route exists to the remote network.
For information about BOVPN virtual interface routes, see Configure VPN Routes.
Configure Policies to Allow the Connection
Policies control traffic allowed through all VPN tunnels. You must make sure that all policies that
control VPN traffic allow the traffic between the remote network and the virtual IP addresses of the
mobile VPN users.
On the remote device, confirm that the policy that allows traffic through the branch office VPN tunnel
includes the virtual IP address of the VPN client. If the remote device is an XTM device, the alias of the
branch office VPN tunnel appears in the BOVPN-Allow.in and BOVPN-Allow.out policies by default.
This means that the policy allows all traffic that matches the routes for this tunnel. If you have replaced
or restricted those default policies, add the mobile VPN virtual IP network to the policy that allows
traffic through the tunnel.
On the local device, the policies that control mobile VPN traffic also apply to traffic through the branch
office VPN tunnel. Make sure that the policies for each mobile VPN client allow connections to remote
network resources.
Mobile VPN with IPSec
The policies that apply to traffic from Mobile VPN with IPSec users are in the Mobile VPN with IPSec
tab in Policy Manager. By default, Mobile VPN with IPSec users have full access to XTM device
resources with the Any Mobile VPN with IPSec policy. If you make a change to the allowed resources
for a Mobile VPN with IPSec profile, you might also need to update the policy for that profile to include
the new resources.
For more information, see Configure Policies to Filter Mobile VPN Traffic.
Mobile VPN with SSL
When you configure Mobile VPN with SSL, the XTM device automatically creates the Allow
SSLVPN-Users policy that allows traffic from the user group SSLVPN-Users to Any. If you have
modified this policy to be more specific, you might need to update your policy to include the remote
networks.
For more information, see Configure the XTM Device for Mobile VPN with SSL.
Mobile VPN with L2TP
When you configure Mobile VPN with L2TP, the L2TP setup wizard automatically creates the Allow
L2TP-Users policy that allows traffic from the user group L2TP-Users to Any. If you have modified
this policy to be more specific, you might need to update your policy to include the remote networks.
Branch Office VPNs
1084 Fireware XTMWeb UI
Branch Office VPNs
User Guide 1085
For more information, see About L2TP Policies.
Mobile VPN with PPTP
When you configure Mobile VPN with PPTP, you must create a policy to allow those users access to
local or remote networks. To allow traffic to the remote networks, make sure that there is a policy that
allows traffic from PPTP clients to the remote network.
For more information, see Configure Policies to Allow Mobile VPN with PPTP Traffic.
Enable Multicast Routing Through a Branch Office
VPN Tunnel
You can enable multicast routing through a Branch Office VPN (BOVPN) tunnel to support one-way
multicast streams between networks protected by XTM devices. For example, you can use multicast
routing through a BOVPN tunnel to stream media from a video on demand (VOD) server to users on the
network at the other end of a branch office VPN tunnel. Multicast routing through a BOVPN tunnel is
supported only between XTM devices.
Multicast routing is not supported for traffic over a LAN bridge. For more information,
see About LAN Bridges.
When you enable multicast routing through a BOVPN tunnel, the tunnel sends multicast traffic from a
single IP address on one side of the tunnel to an IP Multicast Group address. You configure the
multicast settings in the tunnel to send multicast traffic to this IP Multicast Group address through the
tunnel.
You must configure the multicast settings on each XTM device differently. You must configure the
tunnel on one XTM device to send multicast traffic through the tunnel, and configure the tunnel settings
on the other XTM device to receive multicast traffic. You can configure only one origination IP address
per tunnel.
The steps to configure this are different for a BOVPN virtual interface, and for a BOVPN tunnel that is
not configured as part of a virtual interface.
n For a branch office VPN tunnel that is not configured as a BOVPN virtual interface, you
configure multicast routing in the tunnel settings.
n For a BOVPN virtual interface, you configure multicast routing in the BOVPN virtual interface
settings.
About Helper Addresses
When you enable multicast routing for a BOVPN tunnel that is not a BOVPN virtual interface, you must
also configure helper addresses. The XTM device uses these IP addresses as the endpoints of the
broadcast/multicast GRE tunnel inside the IPSec BOVPN tunnel. You can set Local IP and Remote IP
to any unused IP address. We recommend that you select helper IP addresses in a private network
IP address range that is not used by any local network or by any remote network connected through a
VPN. This ensures that the addresses do not conflict with any other device. The private network
ranges are:
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
If you enable broadcast or multicast routing in more than one branch office VPN tunnel, make sure that
you use a different pair of helper IP addresses for each tunnel.
If you enable broadcast or multicast routing for a FireCluster, make sure that the helper IP addresses do
not conflict with the cluster interface IP addresses or the cluster management IP addresses.
When you enable multicast routing through a BOVPN tunnel, the XTM device creates a GRE tunnel
inside the IPSec VPN tunnel between the networks. The XTM device sends the multicast traffic
through the GRE tunnel. The GRE tunnel requires an unused IP address on each side of the tunnel,
which is why you must configure helper IP addresses for each end of the BOVPN tunnel.
You do not need to configure helper addresses to send multicast traffic through a BOVPN virtual
interface, because the BOVPN virtual interface already includes a GRE tunnel. For a BOVPN virtual
interface, the XTM device uses the virtual interface IP addresses (if configured), or the XTM device
external interface IP addresses for the GRE tunnel endpoints.
Enable an XTM Device to Send Multicast Traffic Through a
Tunnel
On the XTM device from which the multicast traffic is sent, edit the tunnel configuration to enable the
device to send multicast traffic through the BOVPN tunnel.
1. Select VPN > Branch Office VPN.
2. Select a tunnel and click Edit.
3. From the Tunnel page, click the Multicast Settings tab.
4. Select the Enable multicast routing over the tunnel check box.
5. In the Origination IP text box, type the IP address of the originator of the traffic.
6. In the Group IP text box, type the multicast IP address to receive the traffic.
7. Select Enable device to send multicast traffic.
8. From the Input Interface drop-down list, select the interface from which the multicast traffic
originates.
9. Click the Addresses tab.
The Helper Addresses settings are enabled at the bottom of the Addresses tab.
10. In the Helper Addresses section, type IP addresses for each end of the multicast tunnel.
n In the Local IP text box, type an IP address to use for the local end of the tunnel.
n In the Remote IP text box, type an IP address to use for the remote end of the tunnel.
Enable an XTM Device to Receive Multicast Traffic Through a
Tunnel
On the XTM device on the network on which you want to receive the multicast traffic, configure the
multicast settings to enable the device to receive multicast traffic through the tunnel.
1. Select VPN > Branch Office VPN.
2. Select a tunnel and click Edit.
3. From the Tunnel page, click the Multicast Settings tab.
4. Select the Enable multicast routing over the tunnel check box.
5. In the Origination IP text box, type the IP address of the originator of the traffic.
6. In the Group IP text box, type the multicast address to receive the traffic.
7. Select Enable device to receive multicast traffic.
8. Select the check box for each interface that you want to receive multicast traffic.
9. Select the Addresses tab.
The Helper Address settings are enabled at the bottom of the Addresses tab.
10. In the Helper Addresses section, type the opposite IP addresses you typed in the
configuration for the other end of the tunnel.
n In the Local IP text box, type the IP address that you typed in the Remote IP field for the
XTM device at the other end of the tunnel.
n In the Remote IP text box, type the IP address that you typed in the Local IP field for the
XTM device at the other end of the tunnel.
Enable an XTM Device to Send Multicast Traffic Through a
BOVPN Virtual Interface
On the XTM device from which the multicast traffic is sent, edit the tunnel configuration to enable the
device to send multicast traffic through the BOVPN virtual interface.
1. Select VPN > BOVPN Virtual Interface.
2. Select a BOVPN virtual interface and click Edit.
3. From the BOVPN Virtual Interface page, click the Multicast Settings tab.
4. Select the Enable multicast routing over the tunnel check box.
5. In the Origination IP text box, type the IP address of the originator of the traffic.
6. In the Group IP text box, type the multicast IP address to receive the traffic.
7. Select Enable device to send multicast traffic.
8. From the Input Interface drop-down list, select the interface from which the multicast traffic
originates.
Enable an XTM Device to Receive Multicast Traffic Through a
BOVPN Virtual Interface
On the XTM device on the network on which you want to receive the multicast traffic, configure the
multicast settings to enable the device to receive multicast traffic through the BOVPN virtual interface.
1. Select VPN > BOVPN Virtual Interface.
2. Select a BOVPN virtual interface and click Edit.
3. From the BOVPN Virtual Interface page, click the Multicast Settings tab.
4. Select the Enable multicast routing over the tunnel check box.
5. In the Origination IP text box, type the IP address of the originator of the traffic.
6. In the Group IP text box, type the multicast address to receive the traffic.
7. Select Enable device to receive multicast traffic.
8. Select the check box for each interface that you want to receive the multicast traffic.
Enable Broadcast Routing Through a Branch
Office VPN Tunnel
You can configure your XTM device to support limited broadcast routing through a Branch Office VPN
(BOVPN) tunnel. When you enable broadcast routing, the tunnel supports broadcasts to the limited
broadcast IP address, 255.255.255.255. Local subnet broadcast traffic is not routed through the tunnel.
Broadcast routing supports broadcast only from one network to another through a BOVPN tunnel.
Broadcast routing through a BOVPN tunnel is supported only between XTM devices,
and is not supported across a BOVPN virtual interface.
Broadcast routing through a BOVPN tunnel does not support these broadcast types:
n DHCP/Bootstrap Protocol (BOOTP) broadcast
n NetBIOS broadcast
n Server Message Block (SMB) broadcast
Some software applications require the ability to broadcast to other network devices in order to
operate. If devices that need to communicate this way are on networks connected by a BOVPN tunnel,
you can enable broadcast routing through the tunnel so the application can find the devices on the
network at the other end of the tunnel.
When you enable multicast or broadcast routing through a BOVPN tunnel, the XTM device creates a
GRE tunnel inside the IPSec VPN tunnel between the networks. The XTM device sends the broadcast
or multicast traffic through the GRE tunnel. The GRE tunnel requires an unused IP address on each
side of the tunnel, so you must configure helper IP addresses for each end of the BOVPN tunnel.
We recommend that you select helper IP addresses in a private network IP address range that is not
used by any local network or by any remote network connected through a VPN. This ensures that the
addresses do not conflict with any other device. The private network ranges are:
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
If you enable broadcast or multicast routing in more than one branch office VPN tunnel, make sure that
you use a different pair of helper IP addresses for each tunnel.
If you enable broadcast or multicast routing for a FireCluster, make sure that the helper IP addresses do
not conflict with the cluster interface IP addresses or the cluster management IP addresses.
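An added example (not Fireware code) for the helper-address rules stated in About Helper Addresses above and again in this section: it checks a proposed Local IP / Remote IP pair against the private ranges, every local and remote network, the helper pairs of other tunnels, and FireCluster interface and management addresses, and it can pick a free pair from a spare private block. The networks, cluster address and existing helper pair are constructed for the example.

```python
"""Choose and validate GRE helper address pairs for BOVPN multicast or
broadcast routing.

Added example, not Fireware code. The in-use networks, cluster addresses and
existing helper pairs below are constructed for the example.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, List, Optional, Sequence, Tuple

PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _address_problems(label: str, addr: IPv4Address, in_use: Sequence[IPv4Network],
                      other_pairs: Sequence[Tuple[str, str]], reserved: Sequence[str]) -> List[str]:
    """Problems with one helper address: not private, inside a routed network, equal
    to a cluster/reserved address, or already used by another tunnel's helper pair."""
    problems = []
    if not any(addr in net for net in PRIVATE_RANGES):
        problems.append(f"{label} helper {addr} is not in a private (RFC 1918) range")
    for net in in_use:
        if addr in net:
            problems.append(f"{label} helper {addr} falls inside in-use network {net}")
    if any(addr == ip_address(r) for r in reserved):
        problems.append(f"{label} helper {addr} collides with a cluster or reserved address")
    for pair in other_pairs:
        if addr in (ip_address(pair[0]), ip_address(pair[1])):
            problems.append(f"{label} helper {addr} is already used by another tunnel's helper pair")
    return problems


def helper_pair_problems(local_ip: str, remote_ip: str, in_use_networks: Iterable[str],
                         other_pairs: Sequence[Tuple[str, str]] = (),
                         reserved_ips: Sequence[str] = ()) -> List[str]:
    """Return every problem with a proposed Local IP / Remote IP pair; empty means safe to use."""
    local, remote = ip_address(local_ip), ip_address(remote_ip)
    in_use = [ip_network(n) for n in in_use_networks]
    problems = ["local and remote helper addresses must differ"] if local == remote else []
    problems += _address_problems("local", local, in_use, other_pairs, reserved_ips)
    problems += _address_problems("remote", remote, in_use, other_pairs, reserved_ips)
    return problems


def pick_helper_pair(candidate_net: str, in_use_networks: Iterable[str],
                     other_pairs: Sequence[Tuple[str, str]] = (),
                     reserved_ips: Sequence[str] = ()) -> Optional[Tuple[str, str]]:
    """Pick the first two usable host addresses from candidate_net, or None if fewer than two are free."""
    in_use = [ip_network(n) for n in in_use_networks]
    free: List[str] = []
    for host in ip_network(candidate_net).hosts():
        if not _address_problems("candidate", host, in_use, other_pairs, reserved_ips):
            free.append(str(host))
            if len(free) == 2:
                return free[0], free[1]
    return None


# Constructed sample data: two LANs, the remote office network, another
# tunnel's helper pair, and a FireCluster management address to avoid.
IN_USE = ["10.0.1.0/24", "10.0.2.0/24", "192.168.50.0/24"]
OTHER_PAIRS = [("172.16.255.1", "172.16.255.2")]
RESERVED = ["10.0.1.250"]

if __name__ == "__main__":
    print(helper_pair_problems("10.0.1.5", "10.0.1.6", IN_USE, OTHER_PAIRS, RESERVED))
    print(pick_helper_pair("172.16.255.0/29", IN_USE, OTHER_PAIRS, RESERVED))
```

Feed the chosen pair to the Local IP and Remote IP fields on one device and the reversed pair to the other, and keep the spare block reserved in your address plan so a later LAN does not land on it.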
Enable Broadcast Routing for the Local XTM device
1. Select VPN > Branch Office VPN.
2. Select a tunnel and click Edit.
3. From the Tunnel page, select the tunnel route and click Edit.
The Tunnel Route Settings dialog box appears.
4. Select the Enable broadcast routing over the tunnel check box. Click OK.
The Tunnel page appears. The Helper Addresses are enabled at the bottom of the Addresses tab.
5. In the Helper Addresses section, type IP addresses for each end of the broadcast tunnel. The
XTM device uses these addresses as the endpoints of the broadcast/multicast GRE tunnel
inside the IPSec BOVPN tunnel. You can set the Local IP and Remote IP to any unused IP
address. We recommend you use private IP addresses that are not used on any local network
or on any remote network the XTM device connects to.
n In the Local IP text box, type an IP address to use for the local end of the tunnel.
n In the Remote IP text box, type an IP address to use for the remote end of the tunnel.
Configure Broadcast Routing for the XTM Device at the Other
End of the Tunnel
1. Repeat Steps 1 through 4 above to enable broadcast routing for the device at the other end of the
tunnel.
2. In the Helper Addresses section, type the opposite addresses you typed in the configuration
for the other end of the tunnel.
n In the Local IP text box, type the IP address that you typed in the Remote IP text box for
the device at the other end of the tunnel.
n In the Remote IP text box, type the IP address that you typed in the Local IP text box for
the device at the other end of the tunnel.
Configure Name Resolution Through a Branch
Office VPN Tunnel
The goal of a branch office VPN connection is to allow users to connect to remote network resources
as if those resources were on the local network. On the local network, NetBIOS traffic enables you to
use the device name to connect to a network device. It is not necessary to know the IP address of
each network device. However, NetBIOS relies on broadcast traffic to operate correctly, and local
subnet broadcast traffic cannot be routed through a branch office VPN tunnel. So you must use an
alternate method for name resolution through a branch office VPN tunnel.
Methods of Name Resolution Through a Branch Office VPN
Tunnel
You can use one of two methods for name resolution:
WINS/DNS (Windows Internet Name Service/Domain Name System)
Configure a WINS server that contains a database of NetBIOS name resolution for the local
network. Or configure a DNS server, which uses a similar method. If your domain uses only
Active Directory, you must use DNS for name resolution.
LMHOSTS file
Manually create an LMHOSTS file that you install on all client computers. The file contains a list
of resource names and their associated IP addresses.
Select the Best Method for Your Network
Because of the limited administration requirements and current information it provides, WINS/DNS is
the preferred solution for name resolution through a branch office VPN tunnel. The WINS server
constantly listens to the local network and updates its information. If the IP address of a resource
changes, or a new resource is added, you do not have to change any settings on the client computer.
When the client tries to get access to a resource by name, a request is sent to the WINS/DNS servers
and the WINS or DNS server returns the most current IP address.
If you do not already have a WINS server, the LMHOSTS file is a fast way to provide name resolution
to client computers. Unfortunately, it is a static file and you must edit it manually any time there is a
change. Also, the resource name/IP address pairs in the LMHOSTS file apply to all network
connections, not only when the client computer is connected to your network.
Configure WINS or DNS for Name Resolution
Each network is unique in terms of the resources available and the skills of the administrators. The
best resource to help you learn how to configure a WINS server is the documentation for your server.
When you configure your WINS or DNS server, note that:
n The WINS server must be configured to be a client of itself.
n Your XTM device must be the default gateway of the WINS or DNS server.
n If you use a WINS server, you must make sure that network resources do not have more than one
IP address assigned to a single network interface. NetBIOS only recognizes the first IP address
assigned to an interface. For more information, see http://support.microsoft.com/kb/q131641/.
Use WINS and DNS Servers for Client Computers
If you use WINS or DNS for name resolution at one end of the branch office VPN tunnel, clients at the
remote site should also use those WINS or DNS servers, or a local DNS server that can resolve the
names of those remote resources.
For more information, see Add WINS and DNS Server Addresses.
If you have configured WINS or DNS settings in the DHCP settings for an interface, or in the mobile
VPN configuration, this overrides the global WINS/DNS settings on the XTM device for client computers
on that interface or VPN connection.
Configure an LMHOSTS File to Provide Name Resolution
When you use an LMHOSTS file to get name resolution for remote resources, no changes to the XTM
device are necessary. Basic instructions to help you create an LMHOSTS file are included in the
subsequent section. These instructions must be followed on each device that needs to access
resources by name across the VPN tunnel.
Edit an LMHOSTS File
1. Find the LMHOSTS file on the client computer.
The LMHOSTS file is usually located in the C:\WINDOWS\system32\drivers\etc directory.
2. Open the LMHOSTS file with a text editor, such as Notepad.
If you cannot find an LMHOSTS file, create a new file in a text editor.
3. To create an entry in the LMHOSTS file, type the IP address of a network resource, five
spaces, and then the name of the resource.
The resource name must be 15 characters or fewer. It should look like this:
192.168.42.252     server_name
4. If you started with an older LMHOSTS file, save the file with the original file name.
If you created a new file, save it with the file name lmhosts in the
C:\WINDOWS\system32\drivers\etc directory.
If you used Notepad to create the new file, you must also choose the type All Files in the Save
dialog box, or Notepad adds the .txt file extension to the file name.
5. Reboot the client computer for the LMHOSTS file to become active.
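An added example (not Fireware code, and not a Microsoft tool) that builds and checks LMHOSTS entries in the format described above: IP address, five spaces, a NetBIOS name of at most 15 characters. It also parses an existing file so you can confirm that the names you rely on across the tunnel are present and not mapped twice. The host list is constructed for the example; the #PRE keyword is a standard LMHOSTS directive that the guide does not mention, included here only as an option.

```python
"""Build and validate LMHOSTS entries for name resolution across a BOVPN tunnel.

Added example, not Fireware code. The host list and file text are constructed
for the example; #PRE is a standard LMHOSTS directive the guide does not mention.
"""
from ipaddress import AddressValueError, IPv4Address
from typing import Dict, List, Sequence, Tuple

MAX_NETBIOS_NAME = 15
SEPARATOR = " " * 5  # the guide's convention: IP address, five spaces, resource name
FORBIDDEN_CHARS = set('\\/:*?"<>|')  # characters NetBIOS names may not contain


def entry_problems(ip: str, name: str) -> List[str]:
    """Return reasons an (ip, name) pair is not a valid LMHOSTS entry; empty list means valid."""
    problems = []
    try:
        IPv4Address(ip)
    except AddressValueError:
        problems.append(f"{ip!r} is not a valid IPv4 address")
    if not name:
        problems.append("resource name is empty")
    if len(name) > MAX_NETBIOS_NAME:
        problems.append(f"{name!r} is longer than {MAX_NETBIOS_NAME} characters")
    if any(ch.isspace() or ch in FORBIDDEN_CHARS for ch in name):
        problems.append(f"{name!r} contains whitespace or a character NetBIOS does not allow")
    return problems


def lmhosts_entry(ip: str, name: str, preload: bool = False) -> str:
    """Format one LMHOSTS line, raising ValueError if the pair is invalid."""
    problems = entry_problems(ip, name)
    if problems:
        raise ValueError("; ".join(problems))
    line = f"{ip}{SEPARATOR}{name}"
    return line + SEPARATOR + "#PRE" if preload else line


def parse_lmhosts(text: str) -> Dict[str, str]:
    """Parse LMHOSTS text into {NAME: ip}.

    Blank lines and comment lines are skipped; names are upper-cased because
    NetBIOS names are case-insensitive. Raises ValueError on a malformed line
    or a name mapped to two different addresses.
    """
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2 or entry_problems(fields[0], fields[1]):
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        ip, name = fields[0], fields[1].upper()
        if name in entries and entries[name] != ip:
            raise ValueError(f"line {lineno}: {name} already mapped to {entries[name]}")
        entries[name] = ip
    return entries


# Constructed sample: the guide's example host plus one preloaded entry.
REMOTE_HOSTS: Sequence[Tuple[str, str, bool]] = [
    ("192.168.42.252", "server_name", False),
    ("192.168.42.10", "fileserver01", True),
]


def build_lmhosts(hosts: Sequence[Tuple[str, str, bool]] = REMOTE_HOSTS) -> str:
    """Render a complete LMHOSTS file body from (ip, name, preload) tuples."""
    lines = ["# Remote office resources reached through the branch office VPN tunnel"]
    lines += [lmhosts_entry(ip, name, preload) for ip, name, preload in hosts]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    body = build_lmhosts()
    print(body, end="")
    print(parse_lmhosts(body))
```

Write the output of build_lmhosts to C:\WINDOWS\system32\drivers\etc\lmhosts (no extension) on each client and reboot, as the procedure above describes; parse_lmhosts run over the installed file is a quick way to confirm the copy on a client matches what you intended.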
Configure VPN Failover
Failover is an important function of networks that need high availability. When you have multi-WAN
failover configured, VPN tunnels automatically fail over to a backup external interface if a failure
occurs. You can also configure VPN tunnels to fail over to a backup endpoint if the primary endpoint
becomes unavailable.
VPN failover occurs when either of these two events occurs:
n A physical link is down. The XTM device monitors the status of the VPN gateway and the
devices identified in the multi-WAN link monitor configuration. If the physical link is down, VPN
failover occurs.
n The XTM device detects that the VPN peer is not active.
When failover occurs, if the tunnel uses IKE keep-alive, IKE continues to send Phase 1 keep-alive
packets to the peer. When it gets a response, IKE triggers failback to the primary VPN gateway. If the
tunnel uses Dead Peer Detection (DPD), failback occurs when a response is received from the primary
VPN gateway.
When a failover event occurs, most new and existing connections fail over automatically. For example,
if you start an FTP PUT command and the primary VPN path goes down, the existing FTP
connection continues on the backup VPN path. The connection is not lost, but there is some delay.
VPN failover can occur only if:
n The devices at each tunnel endpoint are Firebox or XTM devices with Fireware XTM v11.0 or
higher installed.
n Multi-WAN failover is configured, as described in About Using Multiple External Interfaces on
page 227.
n The interfaces of your XTM device are listed as gateway pairs on the remote Firebox or XTM
device. If you have already configured multi-WAN failover, your VPN tunnels automatically
fail over to the backup interface.
n DPD is enabled in the Phase 1 settings for the branch office gateway at each end of the tunnel.
VPN failover does not occur for BOVPN tunnels with dynamic NAT enabled as part of their tunnel
configuration. For BOVPN tunnels that do not use NAT, VPN failover occurs and the BOVPN session
continues. With Mobile VPN tunnels, the session does not continue. You must authenticate your
Mobile VPN client again to make a new Mobile VPN tunnel.
Define Multiple Gateway Pairs
To configure manual BOVPN tunnels to fail over to a backup endpoint, you must define more than one
set of local and remote endpoints (gateway pairs) for each gateway.
For complete failover functionality for a VPN configuration, you must define gateway pairs for each
combination of external interfaces on each side of the tunnel. For example, consider two XTM devices
that each have two external interfaces.
Local XTM device
Primary external interface IP address: 203.0.113.2
Secondary external interface IP address: 192.0.2.2
Remote XTM device
Primary external interface IP address: 198.51.100.2
Secondary external interface IP address: 198.51.100.3
For complete VPN failover, you must add four gateway pairs to the branch office gateway on the local
XTM device:
203.0.113.2 - 198.51.100.2
203.0.113.2 - 198.51.100.3
192.0.2.2 - 198.51.100.2
192.0.2.2 - 198.51.100.3
To configure the gateway endpoint settings:
1. Select VPN > Branch Office VPN. Click Add adjacent to the Gateways list to add a new
gateway. Give the gateway a name and define the credential method, as described in Configure
Gateways on page 1021.
2. In the Gateway Endpoints section of the Gateway settings page, click Add.
The Gateway Endpoints Settings dialog box appears.
3. Specify the location of the local gateway. From the External Interface drop-down list, select
the external interface name that matches the local gateway IP address or domain name you
add.
4. Select the Remote Gateway tab.
5. Specify the location of the remote gateway. You can add both a gateway IP address and
gateway ID for the remote gateway. The gateway ID is usually the IP address. It could be
necessary to use something other than the IP address as the gateway ID if the remote gateway
is behind a NAT device and requires more information to authenticate to the network behind the
NAT device.
6. Click OK to close the New Gateway Endpoints Settings dialog box.
The gateway pair you defined is added to the list of gateway endpoints.
7. Repeat the previous steps to add additional gateway pairs to this gateway configuration. You
can add up to nine gateway pairs to a gateway. You can select a pair and click Up or Down to
change the order in which the XTM device attempts connections.
8. Click Save.
Configure VPN Modem Failover
If you have enabled modem failover on your XTM device, you can configure the branch office VPN to
fail over to a modem if all external interfaces cannot connect. Branch office VPN failover to a
modem can be useful in a situation where you have a central office that accepts branch office VPN
connections from one or more remote offices that use a modem for failover.
Modem failover is supported only for Firebox T10, XTM 25, XTM 26, XTM 3 Series, and
XTM 5 Series devices.
Before You Begin
Before you can configure modem failover for a branch office VPN, you must first enable and configure
modem failover in the network settings. For more information, see Configure Modem Failover. After
you enable modem failover, the Use modem for failover check box appears below the Gateway
Endpoints list when you add or edit a branch office VPN gateway.
The Use modem for failover check box is disabled until you add at least one gateway endpoint.
Branch Office VPN Configuration Requirements
To use a modem for VPN failover, the branch office VPN gateway configuration must meet these
requirements:
n The VPN gateway configuration must include a gateway endpoint pair for each enabled physical
external interface.
n The local gateway for each gateway endpoint pair must use an ID (rather than an IP address) as
the ID for tunnel authentication.
n If the device has more than one external interface, the local gateway for each local external
interface must use a unique ID for tunnel authentication.
n The remote gateway must be reachable. Either of these configurations meets this requirement:
n The remote gateway has a static IP address, and the remote gateway ID is the static
IP address.
n The remote gateway has a dynamic IP address, and the remote gateway ID is a domain
name that resolves to the dynamic IP address.
Because the device with modem failover enabled uses an ID for tunnel authentication, this device
must initiate the VPN connection. This means that you cannot enable modem failover for both devices
configured as gateway endpoints for the same branch office VPN tunnel.
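An added example (not Fireware code) that serves both the gateway-pair list in Define Multiple Gateway Pairs above and the requirements list in this section: it enumerates the full mesh of local and remote external interfaces in the order the device tries them, enforcing the nine-pair limit, and checks a list of endpoint records against the four modem failover requirements. The interface addresses are the ones in the guide's failover example; the endpoint record fields (local_iface, local_id_type, and so on) are an illustrative representation chosen for this example, not a product export format.

```python
"""Enumerate BOVPN gateway endpoint pairs for multi-WAN failover and check a
gateway configuration against the modem failover requirements.

Added example, not Fireware code. The endpoint record fields are an
illustrative representation of the Gateway Endpoints settings.
"""
from itertools import product
from typing import Dict, Iterable, List, Tuple

MAX_GATEWAY_PAIRS = 9  # the guide's per-gateway limit

Endpoint = Dict[str, object]


def full_mesh_pairs(local_ifaces: Iterable[str], remote_ifaces: Iterable[str]) -> List[Tuple[str, str]]:
    """Every local x remote external-interface combination, in the order the device tries them.

    Raises ValueError when the mesh needs more pairs than one gateway can hold.
    """
    pairs = list(product(local_ifaces, remote_ifaces))
    if len(pairs) > MAX_GATEWAY_PAIRS:
        raise ValueError(f"{len(pairs)} gateway pairs needed, but a gateway holds at most {MAX_GATEWAY_PAIRS}")
    return pairs


def modem_failover_problems(endpoints: List[Endpoint], external_ifaces: Iterable[str]) -> List[str]:
    """Check the Gateway Endpoints list of a device that will use a modem for failover.

    Each endpoint has: local_iface, local_id_type ("domain" or "ip"), local_id,
    remote_addr_type ("static" or "dynamic"), remote_addr, remote_id_type ("ip" or
    "domain"), remote_id and resolve (True when "Attempt to resolve" is selected).
    """
    problems = []
    covered = {e["local_iface"] for e in endpoints}
    for iface in external_ifaces:
        if iface not in covered:
            problems.append(f"no gateway endpoint pair for external interface {iface}")
    local_ids = [e["local_id"] for e in endpoints]
    for e in endpoints:
        where = e["local_iface"]
        if e["local_id_type"] != "domain":
            problems.append(f"{where}: local gateway must use a domain-name ID, not its IP address")
        if local_ids.count(e["local_id"]) > 1:
            problems.append(f"{where}: local ID {e['local_id']!r} is also used by another interface")
        static_ok = (e["remote_addr_type"] == "static" and e["remote_id_type"] == "ip"
                     and e["remote_id"] == e["remote_addr"])
        dynamic_ok = (e["remote_addr_type"] == "dynamic" and e["remote_id_type"] == "domain"
                      and bool(e.get("resolve")))
        if not (static_ok or dynamic_ok):
            problems.append(f"{where}: remote gateway is not a static IP with matching ID "
                            "or a dynamic IP with a resolvable domain-name ID")
    return problems


# The guide's failover example: two external interfaces on each device.
LOCAL_EXTERNALS = ["203.0.113.2", "192.0.2.2"]
REMOTE_EXTERNALS = ["198.51.100.2", "198.51.100.3"]


def endpoint(iface: str, local_id: str, remote_ip: str) -> Endpoint:
    """Constructed endpoint record: domain-name local ID toward a static remote IP."""
    return {"local_iface": iface, "local_id_type": "domain", "local_id": local_id,
            "remote_addr_type": "static", "remote_addr": remote_ip,
            "remote_id_type": "ip", "remote_id": remote_ip, "resolve": False}


# Constructed small-office configuration: one pair per external interface,
# each with a unique domain-name ID, toward the central office static IP.
SMALL_OFFICE_ENDPOINTS = [endpoint("External", "small-office-ext1", "203.0.113.2"),
                          endpoint("External-2", "small-office-ext2", "203.0.113.2")]

if __name__ == "__main__":
    for local, remote in full_mesh_pairs(LOCAL_EXTERNALS, REMOTE_EXTERNALS):
        print(f"{local} - {remote}")
    print(modem_failover_problems(SMALL_OFFICE_ENDPOINTS, ["External", "External-2"]))
```

The product of the two interface lists reproduces the four pairs listed in the guide's example; if a site adds a third external interface on both ends the mesh needs nine pairs, which is exactly the limit, and a fourth pushes it over.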
Configure a Branch Office VPN Gateway for Modem Failover
1. Select VPN > Branch Office VPN.
2. To add a gateway, click Add adjacent to the Gateways list.
The Gateway settings page appears.
3. In the Gateway Name text box, type a name for this VPN gateway.
4. Select the Phase 1 Settings tab.
5. From the Mode drop-down list, select either Aggressive or Main Fallback to Aggressive.
Aggressive mode is needed here because the local gateway identifies itself by an ID rather than
by its IP address. Because IKEv1 aggressive mode exchanges identities before the connection is
encrypted, use a long, random pre-shared key or certificate-based credentials for this gateway.
6. Select the General Settings tab.
7. Configure the VPN credential method.
For more information, see Configure Gateways.
8. In the Gateway Endpoints section, click Add.
The Gateway Endpoints Settings dialog box appears.
9. In the Local Gateway section, select By Domain Name.
10. In the adjacent text box, type an ID to use for the interface for tunnel gateway authentication.
The ID does not need to match an actual domain name.
11. From the External Interface drop-down list, select the external interface to use for this
gateway.
12. Select the Remote Gateway tab.
13. Select Static IP Address.
14. In the adjacent text box, type the IP address of the remote gateway.
15. Select By IP Address to specify an IP address for tunnel authentication.
16. In the adjacent text box, type the IP address of the remote gateway.
17. Click OK.
The gateway endpoints pair appears in the Gateway Endpoints list.
18. If the device has more than one physical external interface, repeat these steps to add a gateway
endpoint pair for each external interface. Make sure to use a unique local ID for each external
interface.
19. Below the Gateway Endpoints list, select the Use modem for failover check box.
20. Click OK.
The steps in the previous procedure assume that the remote gateway uses a static IP address. If the
remote gateway uses a dynamic IP address, use these steps to configure the remote gateway
endpoint for each gateway endpoint pair:
1. In the Remote Gateway settings, select Dynamic IP address.
2. Select By Domain Name.
3. In the adjacent text box, type a resolvable domain name.
4. Select the Attempt to resolve check box.
This configuration enables the device with modem failover enabled to use the domain name to find the
IP address to connect to.
For more information about these gateway endpoint settings, see Define Gateway Endpoints.
For more information about Phase 1 settings, see Configure Mode and Transforms (Phase 1 Settings).
Configure a Branch Office VPN Virtual Interface for Modem
Failover
1. Select VPN > BOVPN Virtual Interfaces.
The list of BOVPN Virtual Interfaces appears.
2. Click Add.
The New BOVPN Virtual Interface dialog box appears.
3. In the Interface Name text box, type a name for this BOVPN virtual interface.
4. Select the Phase 1 Settings tab.
5. From the Mode drop-down list, select Aggressive, or Main fallback to Aggressive.
6. Select the General Settings tab.
7. Configure the VPN credential method.
For more information, see Configure a BOVPN Virtual Interface.
8. In the Gateway Endpoints section, click Add.
The Gateway Endpoints Settings dialog box appears.
9. Configure the BOVPN virtual interface name and credential method.
For more information, see Configure a BOVPN Virtual Interface.
10. Configure the gateway endpoints as described in the previous section.
Configure the Gateway on the Remote Device
Configure the device at the other end of the tunnel to use the same authentication and Phase 1
settings. Make sure the domain name matches the name you configured on the first device. Do not
select the Attempt to resolve domain check box, since this ID is not a resolvable domain name.
For example, if the XTM device configured for modem failover uses the domain name ID "XTM-33", the
configuration of the domain information on the peer XTM device should look like this:
Configure Tunnels
After you have configured your gateway, you configure tunnels between the gateway endpoints just as
you would for any other branch office VPN. For more information, see Make Tunnels Between
Gateway Endpoints.
About Modem Failover
The Firebox or XTM device does not use the modem for the branch office VPN unless it cannot send
traffic through any external interface. If all external interfaces are down, the device starts a modem
connection between the two sites. It then initiates a VPN connection over the modem connection. The
device uses the first local gateway ID configured for the external interface as the local gateway ID for
the modem connection. Because the branch office VPN connection over a modem uses the same
authentication ID as a connection from an external interface, there is no need to change the
configuration of the remote gateway to enable a connection through the modem.
VPN Modem Failover and Multi-WAN

You can use modem failover and multi-WAN failover together to provide increased redundancy for the branch office VPN connections between two networks. When you enable modem failover on a device, you can configure the branch office VPN gateway to use the modem for failover. If the device has multiple external interfaces, you must configure the branch office VPN gateway endpoint settings so that each interface uses a unique local ID for gateway authentication. The gateway configuration examples below show how to configure gateway endpoint settings for branch office VPN configurations between sites with or without multi-WAN enabled at each site.

This topic focuses on just the gateway endpoint settings. For a complete description of branch office VPN modem failover, see Configure VPN Modem Failover.

In these examples, the branch office VPN is configured between XTM devices at two sites, a central office and a small office. The small office uses a modem connection for failover. For these examples, the two devices use these IP addresses:

Central office XTM device without modem failover
- External: 203.0.113.2/24
- External-2: 192.0.2.2/24 (only if multi-WAN is enabled)

Small office XTM device with modem failover enabled
- External: 198.51.100.2/24
- External-2: dynamic IP address (only if multi-WAN is enabled)
- Modem failover is enabled and configured in Network > Modem

Example 1: Single WAN at Both Sites

The XTM devices at the small office and the central office each have one physical external interface. Modem failover is enabled at the small office. The gateway endpoint pair defined in the branch office VPN gateway configuration at each site must use the same ID to refer to the gateway endpoint at the small office.

Gateway endpoint pair on the XTM device at the small office:

Gateway endpoint pair on the XTM device at the central office:

If the external interface at the small office is down, modem failover occurs. The XTM device at the small office uses the local ID to connect to the XTM device at the central office through the modem.

Example 2: Multi-WAN at the Small Office

The XTM device at the central office has a single physical external interface. The XTM device at the small office has two physical external interfaces. Modem failover is enabled at the small office. The ID used to identify each interface at the small office must be different.

Gateway endpoint pairs on the XTM device at the small office:

Gateway endpoint pairs on the XTM device at the central office:

If both external interfaces at the small office are down, modem failover occurs. The XTM device at the small office uses the first local ID to connect to the XTM device at the central office through the modem.

Example 3: Multi-WAN at the Central Office

The XTM device at the central office has two physical external interfaces. The XTM device at the small office has one physical external interface. Each device has two gateway endpoint pairs.
Gateway endpoint pairs on the XTM device at the small office:

Gateway endpoint pairs on the XTM device at the central office:

If the external interface at the small office is down, modem failover occurs. The XTM device at the small office uses the local gateway ID to connect to the XTM device at the central office through the modem.

Multi-WAN at Both Sites

It is also possible to configure both sites to use multi-WAN, along with modem failover. In that case, you configure four gateway endpoint pairs on each device, just as you would if modem failover was not enabled. The only difference is that for modem failover, you must use a local ID for authentication of the device that has modem failover enabled.
See VPN Statistics

You can use Fireware XTM Web UI to monitor XTM device VPN traffic and troubleshoot the VPN configuration.

1. Select System Status > VPN Statistics.
The VPN Statistics page appears.
2. To force the selected BOVPN tunnel to rekey, click Rekey selected BOVPN tunnel.
For more information, see Rekey BOVPN Tunnels on page 1112.
3. To see additional information for use when you troubleshoot, click Debug.
For more information, see VPN Statistics on page 948.

Rekey BOVPN Tunnels

The gateway endpoints of BOVPN tunnels must generate and exchange new keys after either a set period of time or an amount of traffic passes through the tunnel. If you want to immediately generate new keys before they expire, you can rekey a BOVPN tunnel to force it to expire immediately. This can be helpful when you troubleshoot tunnel issues.

To rekey a BOVPN tunnel:
1. Select System Status > VPN Statistics.
The VPN Statistics page appears.
2. In the Branch Office VPN Tunnels list, select a tunnel.
3. Click Rekey selected BOVPN tunnel.
Related Questions About Branch Office VPN Set Up

Why do I Need a Static External Address?

To make a VPN connection, each device must know the IP address of the other device. If the address for a device is dynamic, the IP address can change. If the IP address changes, connections between the devices cannot be made unless the two devices know how to find each other.

You can use Dynamic DNS if you cannot get a static external IP address. For more information, see About the Dynamic DNS Service on page 167.

How do I Get a Static External IP Address?

You get the external IP address for your computer or network from your ISP or a network administrator. Many ISPs use dynamic IP addresses to make their networks easier to configure and use with many users. Most ISPs can give you a static IP address as an option.

How do I Troubleshoot the Connection?

If you can send a ping to the trusted interface of the remote Firebox and to the computers on the remote network, the VPN tunnel is up. The configuration of the network software or of the software applications is a possible cause of other problems.

Why is Ping not Working?

If you cannot send a ping to the local interface IP address of the remote XTM device, use these steps:
1. Ping the external address of the remote XTM device.
For example, at Site A, ping the IP address of Site B. If you do not receive a response, make sure the external network settings of Site B are correct. Site B must be configured to respond to ping requests on that interface. If the settings are correct, make sure that the computers at Site B have a connection to the Internet. If the computers at Site B cannot connect, speak to your ISP or network administrator.
2. If you can ping the external address of each XTM device, try to ping a local address in the remote network.
From a computer at Site A, ping the internal interface IP address of the remote XTM device. If the VPN tunnel is up, the remote XTM device sends the ping back. If you do not receive a response, make sure the local configuration is correct. Make sure that the local DHCP address ranges for the two networks connected by the VPN tunnel do not use any of the same IP addresses. The two networks connected by the tunnel must not use the same IP addresses.
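The address-overlap rule in step 2 can be checked before the tunnel is built. The following is an added example, not part of this guide or of Fireware: it expresses each site's interface networks and DHCP pools as CIDR blocks and reports any pair that overlaps. The Site A and Site B networks and DHCP ranges are constructed for the example (the 10.0.2.0/25 at Site B is a deliberate collision with Site A's Optional-1 network).

```python
"""Check that the two networks joined by a BOVPN tunnel do not share addresses.

Added example, not part of the Fireware XTM guide. It applies the
troubleshooting rule above: the local address ranges on each side of the
tunnel must not overlap. The site networks and DHCP ranges below are
constructed for the example; the overlapping 10.0.2.0/25 at Site B is a
deliberate mistake to show what the check reports.
"""
import ipaddress
from typing import Iterable, List, Tuple

IPv4Net = ipaddress.IPv4Network


def ranges_to_networks(dhcp_ranges: Iterable[Tuple[str, str]]) -> List[IPv4Net]:
    """Express DHCP (first, last) address ranges as the minimal set of CIDR blocks."""
    nets: List[IPv4Net] = []
    for first, last in dhcp_ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return nets


def find_overlaps(local_nets: Iterable[IPv4Net],
                  remote_nets: Iterable[IPv4Net]) -> List[Tuple[str, str]]:
    """Return (local, remote) pairs whose address space overlaps.

    Any hit means a host on one side can hold an address that is also valid
    on the other side, so replies to a ping across the tunnel can be delivered
    locally instead of being routed into the VPN.
    """
    local = list(local_nets)
    remote = list(remote_nets)
    return [(str(a), str(b)) for a in local for b in remote if a.overlaps(b)]


def site_address_space(interface_nets: Iterable[str],
                       dhcp_ranges: Iterable[Tuple[str, str]]) -> List[IPv4Net]:
    """All address space a site uses: interface networks plus any DHCP pools."""
    nets = [ipaddress.IPv4Network(n, strict=False) for n in interface_nets]
    return nets + ranges_to_networks(dhcp_ranges)


# Constructed sample data (not from the guide)
SITE_A_NETS = ["10.0.1.1/24", "10.0.2.1/24"]
SITE_A_DHCP = [("10.0.1.100", "10.0.1.199")]
SITE_B_NETS = ["10.50.1.1/24", "10.0.2.1/25"]      # 10.0.2.0/25 collides with Site A Optional-1
SITE_B_DHCP = [("10.50.1.50", "10.50.1.99")]


def check_sites() -> List[Tuple[str, str]]:
    """Run the overlap check for the constructed Site A / Site B data."""
    a = site_address_space(SITE_A_NETS, SITE_A_DHCP)
    b = site_address_space(SITE_B_NETS, SITE_B_DHCP)
    return find_overlaps(a, b)


if __name__ == "__main__":
    for local, remote in check_sites():
        print(f"overlap: local {local} vs remote {remote}")
```

DHCP pools are included because a pool that starts inside an otherwise distinct interface network still hands out addresses that must not exist at the far site; summarize_address_range turns an arbitrary first/last pair into exact CIDR blocks so the same overlaps() test covers both kinds of input.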
Troubleshoot Branch Office VPN Tunnels

Branch office VPN tunnels require a reliable connection and matching VPN configuration settings on both VPN endpoints. A configuration error or network connectivity issue can cause problems for branch office VPN tunnels.

To troubleshoot the cause of a branch office VPN tunnel problem, we recommend that you start here:
- Use the VPN Diagnostic Report
- Filter Branch Office VPN Log Messages

If you have confirmed that your branch office VPN endpoints are enabled and have matching VPN settings, but your VPN does not operate correctly, consider other conditions that can cause problems with a branch office VPN, and actions you can take that could improve the availability of the VPN. For more information, see Improve Branch Office VPN Tunnel Availability.

If you configure multiple branch office VPN tunnel routes, it is possible that you have configured more tunnel routes than the number of active tunnel routes the device can support. The XTM device cannot establish branch office VPN tunnel routes that exceed the maximum number set in the feature key. If the device attempts to establish a BOVPN tunnel that would exceed the limit, this message appears in the log file: License Feature(BOVPN_TUNNEL) enforcement: Reached maximum number of tunnels.

For more information about tunnel license limits, see VPN Tunnel Capacity and Licensing.
Use the VPN Diagnostic Report

You can use the VPN Diagnostic Report to see configuration and status information about a gateway and its associated tunnels for a period of time. This is helpful if you want to troubleshoot a branch office VPN tunnel problem.

To generate the VPN diagnostic report:
1. Select System Status > Diagnostics.
The Diagnostics page appears.
2. Click the VPN tab.
3. From the Gateway drop-down list, select a branch office VPN gateway.
4. In the Duration text box, type or select a duration for the test.
5. Click Start Report.
The XTM device temporarily increases the log level for the selected gateway and collects log messages for the specified duration. The finished report shows the gateway and tunnel configuration, and information about the status of any active tunnels for the selected gateway.

The VPN Diagnostic Report presents information in six sections:

Gateway Summary
This section shows a summary of the gateway configuration, and each configured gateway endpoint.

Tunnel Summary
This section shows a summary of the tunnel configuration for all tunnels that use the selected gateway. This includes both active and inactive tunnels.

Run-time Info (bvpn routes)
When you run the diagnostic report for a BOVPN virtual interface, this section shows the static and dynamic routes that use the selected BOVPN virtual interface, and the metric for each route.

Run-time Info (gateway IKE_SA)
This section shows information about the status of the IKE (Phase 1) security association for the selected gateway.

Run-time Info (tunnel IPSEC_SA)
This section shows information about the status of the IPSec tunnel (Phase 2) security association for active tunnels that use the selected gateway.

Run-time Info (tunnel IPSec_SP)
This section shows information about the status of the IPSec tunnel (Phase 2) security policy for active tunnels that use the selected gateway.

Related Logs
This section shows tunnel negotiation log messages, if a tunnel negotiation occurs during the time period that you run the diagnostic report.

Filter Branch Office VPN Log Messages

If you want to troubleshoot issues with a branch office VPN tunnel for a period of time longer than set in the VPN Diagnostic Report, it can be useful to look at the log messages to find information about the status of the VPN connection. You can use the gateway IP addresses that appear in the log message header to filter the log messages.

Branch office VPN log messages have a header that shows the IP addresses of the local and remote gateway. The format of the header is:
(local_gateway_ip<->remote_gateway_ip)
To see log messages from your XTM device as they are generated, select Dashboard > Traffic Monitor. You can then use the IP address of a gateway endpoint to filter the log messages so only the log messages related to a specific gateway appear in the Traffic Monitor list.

To filter your log messages on a specific gateway, in the filter text box, type the IP address of the local or remote VPN gateway.

For more information, see Traffic Monitor on page 900.

To see more detailed log messages, you can change the diagnostic log level that is specified for IKE traffic in the diagnostic log level settings for the VPN category. When you increase the IKE diagnostic log level, the log file contains diagnostic log messages for all branch office VPN gateways. If you have several VPN gateways, you can filter the log messages by the gateway IP address to see only the log messages for a specific gateway.

In Fireware XTM v11.9 and higher, you can disable a BOVPN gateway or BOVPN virtual interface. If another VPN endpoint attempts to negotiate a tunnel with a disabled BOVPN gateway or virtual interface, tunnel negotiation fails. When this happens, an Information level log message indicates that the IKE policy for the gateway is not enabled. To see this log message, the diagnostic log level for VPN log messages must be set to Information or Debug.

For more information about how to set the diagnostic log level, see Set the Diagnostic Log Level.
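The same gateway-based filtering can be applied to an exported log file. The following is an added example, not part of this guide or of Fireware: it parses the (local_gateway_ip<->remote_gateway_ip) header documented above and keeps only the lines that name a given gateway. The sample log lines are constructed for the example; apart from the header, their timestamps, process names and message text are invented and do not reproduce the real Fireware log format.

```python
"""Filter branch office VPN log messages by gateway IP address.

Added example, not part of the Fireware XTM guide. The only format detail
taken from the guide is the log message header, which shows the local and
remote gateway as (local_gateway_ip<->remote_gateway_ip). The sample lines
below are constructed for this example: their timestamps, process names and
message text are invented and do not reproduce the real Fireware log format.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Header documented in the guide: (local_gateway_ip<->remote_gateway_ip)
GATEWAY_HEADER = re.compile(rf"\((?P<local>{IPV4})<->(?P<remote>{IPV4})\)")

SAMPLE_LOG = """\
2014-05-12 09:00:01 iked (203.0.113.2<->198.51.100.2) phase 1 SA established
2014-05-12 09:00:02 iked (203.0.113.2<->198.51.100.2) phase 2 SA established
2014-05-12 09:00:05 iked (192.0.2.2<->198.51.100.2) phase 1 negotiation started
2014-05-12 09:00:09 iked (203.0.113.2<->192.0.2.77) phase 1 negotiation started
2014-05-12 09:01:00 firewall Allow 10.0.1.5 10.50.1.9 icmp
"""


def parse_gateway_header(line: str) -> Optional[Tuple[str, str]]:
    """Return (local_gateway, remote_gateway) from a BOVPN log line, or None if it has no header."""
    m = GATEWAY_HEADER.search(line)
    return (m.group("local"), m.group("remote")) if m else None


def filter_by_gateway(lines: Iterable[str], gateway_ip: str) -> List[str]:
    """Keep only lines whose header names gateway_ip as the local or remote gateway.

    Matching on the parsed header, rather than a plain substring search,
    avoids false hits such as a firewall line that merely mentions the address.
    """
    kept = []
    for line in lines:
        header = parse_gateway_header(line)
        if header and gateway_ip in header:
            kept.append(line)
    return kept


def count_by_gateway_pair(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count BOVPN log lines per (local, remote) gateway pair; lines without a header are ignored."""
    pairs = (parse_gateway_header(line) for line in lines)
    return dict(Counter(p for p in pairs if p is not None))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for line in filter_by_gateway(lines, "198.51.100.2"):
        print(line)
    print(count_by_gateway_pair(lines))
```

Counting lines per gateway pair is a quick way to see which of several gateways is renegotiating most often once the IKE diagnostic log level has been raised, which is the situation the paragraph above describes.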
Improve Branch Office VPN Tunnel Availability

There are Branch Office VPN (BOVPN) installations in which all the settings are correct, but BOVPN connections do not always operate correctly. You can use the information below to help you troubleshoot your BOVPN tunnel availability problems. These procedures do not improve general BOVPN tunnel performance.

Most BOVPN tunnels remain available to pass traffic at all times. Problems are often associated with one or more of these three conditions:
- One or both endpoints have unreliable external connections. High latency, high packet fragmentation, and high packet loss can make a connection unreliable. These factors have a greater impact on BOVPN traffic than on other common traffic, like HTTP and SMTP. With BOVPN traffic, the encrypted packets must arrive at the destination endpoint, be decrypted, and then reassembled before the unencrypted traffic can be routed to the destination IP address.
- One endpoint is not an XTM device, or is an older Firebox with older system software. Compatibility tests between new WatchGuard products and older devices are done with the latest software available for older devices. With older software, you could have problems that have been fixed in the latest software release.
  Because they are based on the IPSec standard, XTM devices are compatible with most third-party endpoints. However, some third-party endpoint devices are not IPSec-compliant because of software problems or proprietary settings.
- If there is a low volume of traffic through the tunnel, or if there are long periods of time when no traffic goes through the tunnel, some endpoints terminate the VPN connection. Firebox devices that run Fireware XTM, and Firebox X Edge devices do not do this. Some third-party devices use this condition as a way to terminate tunnels that seem to be dead.

You can install the latest operating system and management software on all XTM devices, but all of the other conditions in this list are out of your control. You can, however, take certain actions to improve the availability of the BOVPN.

Select Either IKE Keep-alive or Dead Peer Detection (Not Both)

Both IKE Keep-alive and Dead Peer Detection settings can show when a tunnel is disconnected. When they find the tunnel has disconnected, they start a new Phase 1 negotiation. If you select both IKE Keep-alive and Dead Peer Detection, the Phase 1 renegotiation that one starts can cause the other to identify the tunnel as disconnected and start a second Phase 1 negotiation. Each Phase 1 negotiation stops all tunnel traffic until the tunnel has been negotiated. To improve tunnel stability, select either IKE Keep-alive or Dead Peer Detection. Do not select both.

Note the following about these settings:
The IKE Keep-alive setting is used only by XTM devices. Do not use it if the remote endpoint is a third-party IPSec device.
When you enable IKE Keep-alive, the XTM device sends a message to the remote gateway device at a regular interval and waits for a response. Message interval determines how often a message is sent. Max Failures is how many times the remote gateway device can fail to respond before the XTM device tries to renegotiate the Phase 1 connection.

Dead Peer Detection is an industry standard that is used by most IPSec devices. Select Dead Peer Detection if both endpoint devices support it.
When you enable Dead Peer Detection, the XTM device monitors tunnel traffic to identify whether a tunnel is active. If no traffic has been received from the remote peer for the amount of time entered for Traffic idle timeout, and a packet is waiting to be sent to the peer, the XTM device sends a query. If there is no response after the number of Max retries, the XTM device renegotiates the Phase 1 connection. For more information about Dead Peer Detection, see http://www.ietf.org/rfc/rfc3706.txt.

The IKE Keep-alive and Dead Peer Detection settings are part of the Phase 1 settings.
1. From Fireware XTM Web UI, select VPN > BOVPN.
2. Select the gateway and click Edit.
3. Click the Phase 1 Settings tab.
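The Dead Peer Detection rule described above can be made concrete with a small model. The following is an added example, not Fireware code: it implements the stated behaviour (query only when the peer has been silent for the Traffic idle timeout and a packet is waiting; renegotiate Phase 1 after Max retries unanswered queries) using the guide's defaults of 20 seconds and 5 retries. The spacing between retries and the whole event timeline are assumptions made for the example; the guide does not state a retry interval.

```python
"""Model of the Dead Peer Detection (DPD) rule described above.

Added example, not Fireware code. It implements the behaviour the guide
states: when no traffic has been received from the peer for the Traffic idle
timeout AND a packet is waiting to be sent, the device sends a DPD query;
after Max retries unanswered queries it renegotiates Phase 1. The idle
timeout (20 s) and retry count (5) are the guide's defaults. The retry
spacing and the event timeline are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DpdState:
    idle_timeout: float = 20.0        # Traffic idle timeout (default: 20 seconds)
    max_retries: int = 5              # Max retries (default: 5)
    retry_interval: float = 2.0       # ASSUMPTION: not specified in the guide
    last_rx: float = 0.0              # when traffic was last received from the peer
    pending_tx: bool = False          # a packet is waiting to be sent to the peer
    queries_sent: int = 0             # unanswered DPD queries so far
    last_query_at: Optional[float] = None
    log: List[Tuple[float, str]] = field(default_factory=list)

    def receive(self, now: float) -> None:
        """Any traffic from the peer, including a DPD reply, proves it is alive."""
        self.last_rx = now
        self.queries_sent = 0
        self.last_query_at = None
        self.log.append((now, "rx"))

    def queue_packet(self, now: float) -> None:
        """A packet destined for the peer is waiting; DPD only queries in this state."""
        self.pending_tx = True
        self.log.append((now, "tx-pending"))

    def tick(self, now: float) -> str:
        """Evaluate the DPD rule once; returns the action taken."""
        if not self.pending_tx:
            return "idle"                              # nothing to send, so no query
        if now - self.last_rx < self.idle_timeout:
            return "fresh"                             # peer heard recently
        if self.last_query_at is not None and now - self.last_query_at < self.retry_interval:
            return "waiting"                           # query outstanding, give the peer time
        if self.queries_sent >= self.max_retries:
            self.log.append((now, "renegotiate-phase1"))  # peer declared dead
            self.queries_sent = 0
            self.last_query_at = None
            self.last_rx = now                         # new Phase 1 SA restarts the idle clock
            return "renegotiate"
        self.queries_sent += 1
        self.last_query_at = now
        self.log.append((now, f"dpd-query-{self.queries_sent}"))
        return "query"


def simulate(peer_replies: bool, pending: bool = True, seconds: int = 60) -> DpdState:
    """Drive one gateway through a constructed timeline, one tick per second.

    peer_replies: the remote answers each DPD query one second later.
    pending:      a packet is waiting to be sent from t=5 onwards.
    """
    st = DpdState()
    st.receive(0.0)
    if pending:
        st.queue_packet(5.0)
    reply_due: Optional[float] = None
    for t in range(1, seconds + 1):
        now = float(t)
        if reply_due is not None and now >= reply_due:
            st.receive(now)
            reply_due = None
        if st.tick(now) == "query" and peer_replies:
            reply_due = now + 1.0
    return st


def summarize(st: DpdState) -> Tuple[int, int, Optional[float]]:
    """(DPD queries sent, Phase 1 renegotiations, time of the first renegotiation)."""
    queries = sum(1 for _, ev in st.log if ev.startswith("dpd-query"))
    reneg = [t for t, ev in st.log if ev == "renegotiate-phase1"]
    return queries, len(reneg), (reneg[0] if reneg else None)


if __name__ == "__main__":
    print("silent peer :", summarize(simulate(peer_replies=False)))
    print("live peer   :", summarize(simulate(peer_replies=True)))
    print("no traffic  :", summarize(simulate(peer_replies=False, pending=False)))
```

The three scenarios show the two properties that matter operationally: a silent peer is declared dead only after the full idle timeout plus all retries (30 seconds here), and an idle tunnel with nothing queued is never probed at all, so DPD alone does not keep a quiet tunnel alive; that is why the guide later suggests sending log traffic through the tunnel.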
Use the Default Settings

The default BOVPN settings provide the best combination of security and speed. Use the default settings when possible. If the remote endpoint device does not support one of the WatchGuard default settings, configure the XTM device to use the default setting from the remote endpoint.

These are the default settings for WSM 11.x:

If a setting is not displayed on the VPN > BOVPN configuration pages, you cannot change it.

General Settings
Mode                                          Main (Select Aggressive if one of the devices has a dynamic external IP address.)
NAT Traversal                                 Yes
NAT Traversal Keep-alive Interval             20 seconds
IKE Keep-alive                                Disabled
IKE Keep-alive Message Interval               None
IKE Keep-alive Max Failures                   None
Dead Peer Detection (RFC 3706)                Enabled
Dead Peer Detection Traffic Idle Timeout      20 seconds
Dead Peer Detection Max Retries               5

PHASE 1 Transform Settings
Authentication Algorithm                      SHA-1
Encryption Algorithm                          3DES
SA Life or Negotiation Expiration (hours)     8
SA Life or Negotiation Expiration (kilobytes) 0
Diffie-Hellman Group                          2

PHASE 2 Proposal Settings
Type                                          ESP
Authentication Algorithm                      SHA-1
Encryption Algorithm                          AES (256 bit)
Force Key Expiration                          Enable
Phase 2 Key Expiration (hours)                8
Phase 2 Key Expiration (kilobytes)            128000
Enable Perfect Forward Secrecy                No
Diffie-Hellman Group                          None
Configure the XTM Device to Send Log Traffic Through the Tunnel

If no traffic goes through a tunnel for a period of time, an endpoint can decide that the other endpoint is unavailable and not try to renegotiate the VPN tunnel immediately. One way to make sure traffic goes through the tunnel at all times is to configure the XTM device to send log traffic through the tunnel. You do not need a Log Server to receive and keep records of the traffic. In this case, you intentionally configure the XTM device to send log traffic to a log server that does not exist. This creates a consistent but small amount of traffic sent through the tunnel, which can help to keep the tunnel more stable.

There are two types of log data: WatchGuard logging and syslog logging. If the XTM device is configured to send log data to both a WatchGuard Log Server and a syslog server, you cannot use this method to pass traffic through the tunnel.

You must choose a Log Server IP address to send the log data to. To choose the IP address, use these guidelines.
- The Log Server IP address you use must be an IP address that is included in the remote tunnel route settings. For more information, see Add Routes for a Tunnel on page 1037.
- The Log Server IP address should not be an IP address that is used by a real device.

The two types of logging generate different amounts of traffic.

WatchGuard Logging
No log data is sent until the XTM device has connected to a Log Server. The only types of traffic sent through the tunnel are attempts to connect to a Log Server that are sent every three minutes. This can be enough traffic to help tunnel stability with the least impact on other BOVPN traffic.

Syslog Logging
Log data is immediately sent to the syslog server IP address. The volume of log data depends on the traffic that the XTM device handles. Syslog logging usually generates enough traffic that packets are always passing through the tunnel. The volume of traffic can occasionally make regular BOVPN traffic slower, but this is not common.

To improve stability and have the least impact on BOVPN traffic, try the WatchGuard Logging option first. If this does not improve the stability of the BOVPN tunnel, try syslog logging. The subsequent procedures assume that both endpoint devices are WatchGuard devices, and that neither endpoint is configured to send log data to either a WatchGuard Log Server or a syslog server. If an endpoint is already configured to send log data that a server collects, do not change those logging settings.

Different options you can try include:
- Configure one endpoint to send WatchGuard log traffic through the tunnel.
- Configure the other endpoint to send WatchGuard log traffic through the tunnel.
- Configure both endpoints to send WatchGuard log traffic through the tunnel.
- Configure one endpoint to send syslog log traffic through the tunnel.
- Configure only the other endpoint to send syslog log traffic through the tunnel.
- Configure both endpoints to send syslog log traffic through the tunnel.

Send WatchGuard Log Data Through the Tunnel

1. Select System > Logging.
The Logging page appears.
2. Select the Send log messages to these WatchGuard servers check box.
3. Click Add.
4. In the Log Server Address text box, type the IP address you have selected for the Log Server.
5. Type an encryption key in the Encryption Key text box and confirm the encryption key in the Confirm text box.
The allowed range for the encryption key is 8-32 characters. You can use all characters except spaces and slashes (/ or \).
6. Click Add. Click Save.

Send Syslog Data Through the Tunnel

1. Select System > Logging.
The Logging page appears.
2. Select the Send log messages to the syslog server at this address check box.
3. Type the IP address you have chosen for the syslog server in the adjacent text box.
4. Click Save.
BOVPN Virtual Interface Examples
BOVPN Virtual Interface with Dynamic Routing

One reason to use a BOVPN virtual interface is so that the XTM device can use dynamic routing to learn the routes to private networks on a peer XTM device through the VPN tunnel. When you use dynamic routing with a BOVPN virtual interface, the device at each end of the tunnel automatically learns the routes to networks advertised by the other gateway.

Example Scenario

This example shows the configuration settings for a BOVPN virtual interface and dynamic routing between two XTM devices at Site A and Site B. The two sites use OSPF to dynamically update routes through the BOVPN virtual interface.

Site A XTM Device (XTM 530)

For this example, the Site A XTM device is an XTM 530 with two external interfaces, one trusted network, and four optional networks.

Interface  Type      Name        IP Address
0          External  External    203.0.113.2/24
1          Trusted   Trusted     10.0.1.1/24
2          Optional  Optional-1  10.0.2.1/24
3          Optional  Optional-2  10.0.3.1/24
4          Optional  Optional-3  10.0.4.1/24
5          Optional  Optional-4  10.0.5.1/24
6          External  External-2  190.0.2.2/24

The administrator at Site A wants to propagate routes for the Trusted, Optional-1, and Optional-2 networks through the BOVPN tunnel, but does not want to propagate routes for the Optional-3 and Optional-4 networks.

Site B XTM Device (XTM 33)

For this example, the Site B XTM device is an XTM 33 with one external interface, one trusted network, and three optional networks.

Interface  Type      Name        IP Address
0          External  External    198.51.100.2/24
1          Trusted   Trusted     10.50.1.1/24
2          Optional  Optional-1  10.50.2.1/24
3          Optional  Optional-2  10.50.3.1/24
4          Optional  Optional-3  10.50.4.1/24

The administrator at Site B wants to propagate routes for the Trusted and Optional-1 networks through the BOVPN tunnel, but does not want to propagate routes for the Optional-2 and Optional-3 networks.

BOVPN Virtual Interface Configuration

The BOVPN virtual interface on each XTM device must be configured to use the same settings. For this example, we assume that Site A and Site B agree to use a pre-shared key and to use these IP addresses for the BOVPN virtual interface:
Site A BOVPN virtual interface local IP address: 10.1.1.1
Site B BOVPN virtual interface local IP address: 10.2.2.2
All other BOVPN virtual interface settings remain at the default values.

Site A BOVPN Virtual Interface Configuration

The Gateway Settings tab of the BOVPN virtual interface configuration uses these settings:
- The Credential Method uses the pre-shared key the two sites agreed upon.
- The Gateway Endpoints list includes two gateway endpoint pairs, one for each external interface at Site A.
  - First gateway endpoint pair
    - Local Gateway: 203.0.113.2 (the IP address of the first external interface on the Site A XTM device)
    - Remote Gateway: 198.51.100.2 (the external interface IP address of the Site B XTM device)
  - Second gateway endpoint pair
    - Local Gateway: 190.0.2.2 (the IP address of the second external interface on the Site A XTM device)
    - Remote Gateway: 198.51.100.2 (the external interface IP address of the Site B XTM device)
The VPN Routes tab of the BOVPN virtual interface configuration uses these settings:
- Assign virtual IP addresses: Enabled
- Local IP address: 10.1.1.1
- Peer IP address: 10.2.2.2

The Site B XTM device must use the same interface IP addresses, except that the local and peer IP addresses are reversed.

Site B BOVPN Virtual Interface Configuration

The configuration at Site B is exactly the same as at Site A, except that the local and remote gateway IP addresses are reversed, and the local and peer IP addresses are reversed.

The Gateway Settings tab of the BOVPN virtual interface configuration uses these settings:
- The Credential Method uses the pre-shared key the two sites agreed upon.
- The Gateway Endpoints list includes two gateway endpoint pairs, one for each external interface at Site A.
  - First gateway endpoint pair
    - Local Gateway: 198.51.100.2 (the external interface IP address of the Site B XTM device)
    - Remote Gateway: 203.0.113.2 (the IP address of the first external interface on the Site A XTM device)
  - Second gateway endpoint pair
    - Local Gateway: 198.51.100.2 (the external interface IP address of the Site B XTM device)
    - Remote Gateway: 190.0.2.2 (the IP address of the second external interface on the Site A XTM device)
The VPN Routes tab of the BOVPN virtual interface configuration uses these settings:
- Assign virtual IP addresses: Enabled
- Local IP address: 10.2.2.2
- Peer IP address: 10.1.1.1

Dynamic Routing Configuration

After the BOVPN virtual interface IP addresses have been configured, you can use them in the dynamic routing configuration.

In the OSPF example configuration:
- The BOVPN virtual interface is a peer-to-peer interface. The OSPF network command must use the peer IP address specified in the local BOVPN virtual interface configuration and must use a /32 netmask.
- For this example, the OSPF access-list command filters the connected networks for which routes are propagated.

Site A OSPF configuration

The administrator at Site A uses dynamic routing to propagate routes for the Trusted, Optional-1, and Optional-2 networks through the BOVPN tunnel, but does not propagate routes for the Optional-3 and Optional-4 networks.

The OSPF configuration on the Site A XTM device uses these settings:

! filter the connected networks to propagate
access-list ospf_filter permit 10.0.1.0/24
access-list ospf_filter permit 10.0.2.0/24
access-list ospf_filter permit 10.0.3.0/24
access-list ospf_filter deny any
!
route-map ospf_redis permit 10
match ip address ospf_filter
!
router ospf
redistribute connected route-map ospf_redis
network 10.2.2.2/32 area 0.0.0.0
! The network command uses the BOVPN virtual interface
! peer IP address, because this is a P2P interface

Site B OSPF configuration

The administrator at Site B uses dynamic routing to propagate routes for the Trusted and Optional-1 networks, but does not propagate routes for the Optional-2 and Optional-3 networks.

The OSPF configuration on the Site B XTM device uses these settings:

! filter the connected networks to propagate
access-list ospf_filter permit 10.50.1.0/24
access-list ospf_filter permit 10.50.2.0/24
access-list ospf_filter deny any
!
route-map ospf_redis permit 10
match ip address ospf_filter
!
router ospf
redistribute connected route-map ospf_redis
network 10.1.1.1/32 area 0.0.0.0
! The network command uses the BOVPN virtual interface
! peer IP address, because this is a P2P interface

After the configuration files are saved to the devices at Site A and Site B, the BOVPN tunnel becomes active and dynamic routes are propagated through the tunnel.

If you want each device to redistribute static routes, you can also use the redistribute static command. This is not necessary in this example, because all of the networks we want to propagate are directly connected to each XTM device.
See Dynamic Network Routes

After the BOVPN tunnel is established, each device uses OSPF to learn the routes to the connected networks propagated by the peer device.

The learned network routes appear in the route table for each XTM device. To see the routes, select System Status > Routes.

The interface name used for routes that use the BOVPN virtual interface is the Device Name that is automatically assigned when you create the BOVPN virtual interface. The name of the first BOVPN virtual interface is bvpn1.
For this example, the routes that use the bvpn1 interface at Site A are:

Destination  Interface  Gateway   Description
10.2.2.2     bvpn1      0.0.0.0   The virtual BOVPN interface peer IP address
10.50.1.0    bvpn1      10.2.2.2  Route learned from Site B
10.50.2.0    bvpn1      10.2.2.2  Route learned from Site B

On the Site A device, the Routes table looks like this:

For this example, the routes that use the bvpn1 interface at Site B are:

Destination  Interface  Gateway   Description
10.1.1.1     bvpn1      0.0.0.0   The virtual BOVPN interface peer IP address
10.0.1.0     bvpn1      10.1.1.1  Route learned from Site A
10.0.2.0     bvpn1      10.1.1.1  Route learned from Site A
10.0.3.0     bvpn1      10.1.1.1  Route learned from Site A

On the Site B device, the Routes table looks like this:
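The relationship between the OSPF access-list filters above and the route tables each site ends up with can be checked offline. The following is an added example, not Fireware code or output, covering both the Dynamic Routing Configuration and the See Dynamic Network Routes passages: it takes the interface tables and access-list entries from the example, applies a simplified first-match filter (the model of the route-map is an assumption, not a general OSPF implementation), and reproduces the Destination / Interface / Gateway rows shown in the route tables.

```python
"""Which connected networks each site advertises through the BOVPN virtual
interface, and the routes the peer learns as a result.

Added example, not Fireware code or output. The interface tables and the
access-list entries are the ones in the guide's example; the filter logic
models the route-map in the simplest way (first matching access-list entry
decides, "any" matches everything, unmatched prefixes are denied) and is
not a general OSPF implementation.
"""
import ipaddress
from typing import Dict, List, Tuple

# Interface tables from the guide: name -> interface IP address/prefix length
SITE_A_INTERFACES: Dict[str, str] = {
    "External": "203.0.113.2/24", "Trusted": "10.0.1.1/24",
    "Optional-1": "10.0.2.1/24", "Optional-2": "10.0.3.1/24",
    "Optional-3": "10.0.4.1/24", "Optional-4": "10.0.5.1/24",
    "External-2": "190.0.2.2/24",
}
SITE_B_INTERFACES: Dict[str, str] = {
    "External": "198.51.100.2/24", "Trusted": "10.50.1.1/24",
    "Optional-1": "10.50.2.1/24", "Optional-2": "10.50.3.1/24",
    "Optional-3": "10.50.4.1/24",
}

# access-list ospf_filter entries from the guide's OSPF configurations
SITE_A_ACL = ["permit 10.0.1.0/24", "permit 10.0.2.0/24", "permit 10.0.3.0/24", "deny any"]
SITE_B_ACL = ["permit 10.50.1.0/24", "permit 10.50.2.0/24", "deny any"]


def connected_networks(interfaces: Dict[str, str]) -> List[ipaddress.IPv4Network]:
    """The network each interface address belongs to, in interface-table order."""
    return [ipaddress.IPv4Network(addr, strict=False) for addr in interfaces.values()]


def acl_permits(acl: List[str], prefix: ipaddress.IPv4Network) -> bool:
    """First matching entry decides; a prefix that matches no entry is denied."""
    for entry in acl:
        action, target = entry.split(None, 1)
        if target == "any" or prefix.subnet_of(ipaddress.IPv4Network(target)):
            return action == "permit"
    return False


def redistributed(interfaces: Dict[str, str], acl: List[str]) -> List[str]:
    """Connected networks that 'redistribute connected route-map ospf_redis' will advertise."""
    return [str(net) for net in connected_networks(interfaces) if acl_permits(acl, net)]


def learned_routes(peer_interfaces: Dict[str, str], peer_acl: List[str],
                   peer_ip: str, device: str = "bvpn1") -> List[Tuple[str, str, str]]:
    """Rows of (Destination, Interface, Gateway) for the local System Status > Routes view.

    peer_ip is the Peer IP address from the local BOVPN virtual interface
    settings; learned routes point at it, and the host route to it has no gateway.
    """
    rows = [(peer_ip, device, "0.0.0.0")]
    for net in redistributed(peer_interfaces, peer_acl):
        rows.append((net.split("/")[0], device, peer_ip))
    return rows


if __name__ == "__main__":
    print("Site A advertises:", redistributed(SITE_A_INTERFACES, SITE_A_ACL))
    print("Site B advertises:", redistributed(SITE_B_INTERFACES, SITE_B_ACL))
    print("Routes via bvpn1 at Site A:")
    for row in learned_routes(SITE_B_INTERFACES, SITE_B_ACL, peer_ip="10.2.2.2"):
        print("  %-12s %-6s %s" % row)
```

Running the filter over every connected network, including the external ones, shows why the trailing deny any matters: without a matching permit, the 203.0.113.0/24 and 190.0.2.0/24 external networks are never advertised into the tunnel.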
Branch Office VPNs
1130 Fireware XTMWeb UI
Branch Office VPNs
User Guide 1131
BOVPNVirtual Interface with Metric-Based Failover
Because you use routes to define what traffic to send through a BOVPN virtual interface, you can
create more than one BOVPN virtual interface, and set different metrics for multiple routes to the same
network. This enables you to configure BOVPN virtual interface routes through a primary tunnel that
fail over to BOVPN virtual interface routes through another tunnel if the primary tunnel is not available.
Example Scenario
This example shows how to configure settings for two BOVPN virtual interfaces between
XTMdevices at Site A and Site B. This configuration uses different route metrics in the BOVPN virtual
interface configuration to control which BOVPN virtual interface routes are preferred.
For this example, we assume that the device at Site A has two external interfaces, and that one of the
external interfaces is the preferred route for outbound traffic to Site B, either because that interface is
lower cost or has faster throughput. The second external interface is used for VPN traffic only when the
primary external interface is not available.
Site AXTMDevice
For this example, the Site A XTMdevice has two external interfaces, one trusted network, and one
optional network.
Interface Type Name IPAddress
0 External External 203.0.113.2/24
1 Trusted Trusted 10.0.1.1/24
2 Optional Optional-1 10.0.2.1/24
3 External External-2 190.0.2.2/24
Site B XTMDevice
For this example, the Site B XTMdevice has one external interface, and one trusted network.
Interface Type Name IPAddress
0 External External 198.51.100.2/24
1 Trusted Trusted 10.50.1.1/24
BOVPNVirtual Interface Configuration
The devices at each site must have two BOVPN virtual interfaces configured. One BOVPN virtual
interface uses interface 0 (External) on the Site A device, and the second BOVPN virtual interface
uses interface 3 (External-2) on the Site A device. Because interface 0 is the preferred interface for
VPN traffic between these devices, the primary BOVPN virtual interface that uses interface 0 has
routes with a low metric. This gives routes through the primary BOVPN virtual interface the highest
priority, when that virtual interface is available. The same routes on the BOVPN virtual interface that
uses the less-preferred external interface each have a higher metric, so these routes are only used if
the routes through the other BOVPN virtual interface are not available.
The BOVPN virtual interfaces on each XTM device must be configured to use the same settings. For this example, we assume that Site A and Site B agree to use a pre-shared key. All other BOVPN virtual interface settings remain at the default values.
Site A BOVPN Virtual Interfaces
The primary BOVPN virtual interface at Site A uses these gateway settings:
- The Credential Method uses the pre-shared key the two sites agreed upon.
- The Gateway Endpoints list includes one gateway endpoint pair:
  - External Interface: External
  - Local Gateway: 203.0.113.2 (the IP address of the first external interface on the Site A XTM device)
  - Remote Gateway: 198.51.100.2 (the IP address of the external interface on the Site B XTM device)
The primary BOVPN virtual interface at Site A has one VPN route to the trusted network at Site B:
- Route to 10.50.1.0/24, Metric 1
The secondary BOVPN virtual interface at Site A uses these gateway settings:
- The Credential Method uses the pre-shared key the two sites agreed upon.
- The Gateway Endpoints list includes one gateway endpoint pair:
  - External Interface: External-2
  - Local Gateway: 90.0.2.2 (the IP address of the second external interface on the Site A XTM device)
  - Remote Gateway: 198.51.100.2 (the IP address of the external interface on the Site B XTM device)
The secondary BOVPN virtual interface at Site A has one VPN route to the trusted network at Site B:
- Route to 10.50.1.0/24, Metric 200
Site B BOVPN Virtual Interfaces
The device at Site B has two BOVPN virtual interfaces.
The primary BOVPN virtual interface at Site B uses these gateway settings:
- The Credential Method uses the pre-shared key the two sites agreed upon.
- The Gateway Endpoints list includes one gateway endpoint pair:
  - Local Gateway: 198.51.100.2 (the IP address of the external interface on the Site B XTM device)
  - Remote Gateway: 203.0.113.2 (the IP address of the first external interface on the Site A XTM device)
The primary BOVPN virtual interface at Site B has two VPN routes to the trusted and optional networks at Site A:
- Route to 10.0.1.0/24, Metric 1
- Route to 10.0.2.0/24, Metric 1
The secondary BOVPN virtual interface at Site B uses these gateway settings:
- The Credential Method uses the pre-shared key the two sites agreed upon.
- The Gateway Endpoints list includes one gateway endpoint pair:
  - Local Gateway: 198.51.100.2 (the IP address of the external interface on the Site B XTM device)
  - Remote Gateway: 90.0.2.2 (the IP address of the second external interface on the Site A XTM device)
The secondary BOVPN virtual interface at Site B has two VPN routes to the trusted and optional networks at Site A:
- Route to 10.0.1.0/24, Metric 200
- Route to 10.0.2.0/24, Metric 200
How This Configuration Works
In this example, each XTM device has two BOVPN virtual interfaces to a peer XTM device. The routes configured for both BOVPN virtual interfaces are the same, except for the metrics. The XTM device uses the route with the lowest metric (highest priority). This means that:
If both BOVPN virtual interfaces are available
    The XTM device uses the routes through the primary BOVPN virtual interface, because those routes have the highest priority (lowest metric).
If the primary BOVPN virtual interface is not available, but the secondary BOVPN virtual interface is available
    The XTM device automatically changes the metrics for routes that use the primary BOVPN virtual interface to 255, to give these routes the lowest priority. The XTM device then uses the routes through the second BOVPN virtual interface, because those routes with a metric of 200 are now the highest priority routes to that destination.
When the primary BOVPN virtual interface becomes available again
    The XTM device automatically changes the route metrics for routes through the primary BOVPN virtual interface back to the configured route metric, in this case 1. Traffic between the two sites automatically uses the routes through the primary BOVPN virtual interface because those routes now have higher priority.
You can optionally configure the XTM device to remove the route completely, rather than increase the metric when the route is down. For more information, see About Global VPN Settings.
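The failover behavior described above, modelled as an added example (this is not WatchGuard code, and the class and interface names RouteTable, "BOVPN-Primary" and "BOVPN-Secondary" are assumed for illustration). It builds the Site B route table from the scenario, with the same two destinations on both virtual interfaces at metric 1 and metric 200, raises the primary routes to metric 255 when that interface goes down, restores the configured metric when it returns, and optionally models the global setting that withdraws the route instead of raising its metric:

```python
"""Simulation of metric-based BOVPN virtual interface failover.

Added example, not WatchGuard code. Names (RouteTable, "BOVPN-Primary",
"BOVPN-Secondary") are assumed. Behaviour modelled from the text: identical
routes on two virtual interfaces differ only by metric; the lowest metric
wins; routes on an unavailable interface get metric 255; the configured
metric is restored when the interface is available again.
"""
import ipaddress
from dataclasses import dataclass

# Metric the device assigns to routes of an unavailable virtual interface.
DOWN_METRIC = 255


@dataclass
class Route:
    network: ipaddress.IPv4Network
    interface: str
    configured_metric: int
    metric: int


class RouteTable:
    def __init__(self, remove_when_down=False):
        # remove_when_down models the optional global VPN setting that removes
        # the route completely instead of raising its metric.
        self.remove_when_down = remove_when_down
        self.routes = []
        self.interface_up = {}

    def add_route(self, network, interface, metric):
        net = ipaddress.ip_network(network)
        self.routes.append(Route(net, interface, metric, metric))
        self.interface_up.setdefault(interface, True)

    def set_interface_state(self, interface, is_up):
        """Interface down: metric 255 on its routes; up: configured metric."""
        self.interface_up[interface] = is_up
        for r in self.routes:
            if r.interface == interface:
                r.metric = r.configured_metric if is_up else DOWN_METRIC

    def lookup(self, destination):
        """Return (interface, metric) of the route used for destination, or None."""
        addr = ipaddress.ip_address(destination)
        candidates = [r for r in self.routes if addr in r.network]
        if self.remove_when_down:
            candidates = [r for r in candidates if self.interface_up[r.interface]]
        if not candidates:
            return None
        # Longest prefix first (assumed standard behaviour), then lowest metric.
        best = min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))
        return best.interface, best.metric


def site_b_table(remove_when_down=False):
    """Site B device: routes to the Site A trusted and optional networks."""
    table = RouteTable(remove_when_down)
    for net in ("10.0.1.0/24", "10.0.2.0/24"):
        table.add_route(net, "BOVPN-Primary", 1)
        table.add_route(net, "BOVPN-Secondary", 200)
    return table


def failover_sequence(destination="10.0.1.50", remove_when_down=False):
    """Route choice while the primary interface goes down and comes back."""
    table = site_b_table(remove_when_down)
    both_up = table.lookup(destination)
    table.set_interface_state("BOVPN-Primary", False)
    primary_down = table.lookup(destination)
    table.set_interface_state("BOVPN-Primary", True)
    restored = table.lookup(destination)
    return both_up, primary_down, restored


if __name__ == "__main__":
    stages = ("both up", "primary down", "primary restored")
    for stage, choice in zip(stages, failover_sequence()):
        print(f"{stage:18} -> {choice}")
```

With the metric model, a destination keeps a route even when both virtual interfaces are down (at metric 255), so traffic is still sent into the tunnel and dropped there; with the remove-route option the lookup returns None and the device falls back to whatever other route matches, which is the difference to weigh when choosing the global setting.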
22
Mobile VPN with PPTP
About Mobile VPN with PPTP
Mobile Virtual Private Networking (Mobile VPN) with Point-to-Point Tunneling Protocol (PPTP) creates a secure connection between a remote computer and the network resources behind the XTM device. Each XTM device supports as many as 50 users at the same time. Mobile VPN with PPTP users can authenticate to the XTM device, or to a RADIUS or VACMAN Middleware authentication server. To use Mobile VPN with PPTP, you must configure the XTM device and the remote client computers.
Mobile VPN with PPTP Requirements
Before you configure an XTM device to use Mobile VPN with PPTP, make sure you have this information:
- The IP addresses for the remote client to use for Mobile VPN with PPTP sessions.
  For Mobile VPN with PPTP tunnels, the XTM device gives each remote user a virtual IP address. These IP addresses cannot be addresses that the network behind the XTM device uses. The safest procedure to give addresses for Mobile VPN users is to install a "placeholder" secondary network. Then, select an IP address from that network range. For example, create a new subnet as a secondary network on your trusted network 10.10.0.0/24. Select the IP addresses in this subnet for your range of PPTP addresses.
- The IP addresses of the DNS and WINS servers that resolve host names to IP addresses.
- The user names and passwords of users that are allowed to connect to the XTM device with Mobile VPN with PPTP.
Encryption Levels
For Mobile VPN with PPTP, you can select to use 128-bit encryption or 40-bit encryption. Software versions of Windows XP in the United States have 128-bit encryption enabled. You can get a strong encryption patch from Microsoft for other versions of Windows. The XTM device always tries to use 128-bit encryption first. It can be configured to use 40-bit encryption if the client cannot use a 128-bit encrypted connection.
For more information on how to allow 40-bit encryption, see Configure Mobile VPN with PPTP on page
1140.
Configure Mobile VPN with PPTP
To configure your XTM device to accept PPTP connections you must first activate and configure the settings for Mobile VPN with PPTP.
1. Select VPN > Mobile VPN with PPTP.
2. Select the Activate Mobile VPN with PPTP check box.
This allows PPTP remote users to be configured and automatically creates a WatchGuard PPTP policy to allow PPTP traffic to the XTM device. We recommend that you do not change the default properties of the WatchGuard PPTP policy.
3. Configure the authentication settings as described in the subsequent sections.
4. Click Save.
Authentication
Mobile VPN with PPTP users can authenticate to the XTM device internal database or use extended authentication to a RADIUS or VACMAN Middleware server as an alternative to the XTM device. The instructions to use a VACMAN Middleware server are identical to the instructions to use a RADIUS server.
To use the XTM device internal database, do not select the Use RADIUS authentication for PPTP users check box.
To use a RADIUS or VACMAN Middleware server for authentication:
1. Select the Use RADIUS Authentication for PPTP users check box.
2. Configure RADIUS Server Authentication or Configure VASCO Server Authentication.
3. On the RADIUS server, create a PPTP-Users group and add names or groups of PPTP users.
To establish the PPTP connection, the user must be a member of a group named PPTP-Users. Once the user is authenticated, the XTM device keeps a list of all groups that a user is a member of. Use any of the groups in a policy to control traffic for the user.
For information about how to configure a RADIUS server to use an Active Directory database, see Configure RADIUS Server Authentication with Active Directory Users and Groups For Mobile VPN Users.
Encryption Settings
U.S. domestic versions of Windows XP have 128-bit encryption enabled. You can get a strong encryption patch from Microsoft for other versions of Windows.
- If you want to require 128-bit encryption for all PPTP tunnels, select Require 128-bit encryption.
  We recommend that you use 128-bit encryption for VPN.
- To allow the tunnels to drop from 128-bit to 40-bit encryption for connections that are less reliable, select Allow Drop from 128-bit to 40-bit.
  The XTM device always tries to use 128-bit encryption first. It uses 40-bit encryption if the client cannot use the 128-bit encrypted connection. Usually, only customers outside the United States select this check box.
- To allow traffic that is not encrypted through the VPN, select Do not require encryption.
Add to the IP Address Pool
Mobile VPN with PPTP supports as many as 50 users at the same time. The XTM device gives an open IP address to each incoming Mobile VPN user from a group of available IP addresses. This continues until all the addresses are in use. After a user closes a session, the address is put back in the available group. The subsequent user who logs in gets this address.
For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.
You must configure two or more IP addresses for PPTP to operate correctly.
1. In the IP Address Pool section, click Add.
2. In the Choose Type drop-down list, select either Host IP (for a single IP address) or Host Range (for a range of IP addresses).
3. In the Host IP text box, type an IP address.
If you selected Host Range, the first IP address in the range is From and the last IP address in the range is To.
4. Click Add to add the host IP address or host range to the IP address pool.
You can configure up to 50 IP addresses.
If you select Host IP, you must add at least two, but not more than 50 IP addresses.
5. Repeat Steps 1–3 to configure all the addresses for use with Mobile VPN with PPTP.
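The pool rules from this section and from the requirements list (addresses must not belong to a network the XTM device already uses, entries are single host IPs or host ranges, at least 2 and at most 50 addresses, and a released address is handed to the next user) as an added example that is not Fireware code. The class and method names (AddressPool, add_host, add_range, allocate, release) are assumed, and the sample networks are the ones used in the text: 10.0.1.0/24 as the trusted network in use and 10.10.0.0/24 as the placeholder secondary network:

```python
"""Model of the Mobile VPN with PPTP virtual IP address pool.

Added example, not Fireware code. Names are assumed. It enforces the rules
stated in the guide: no pool address may belong to a network the device
already uses, the pool holds at least 2 and at most 50 addresses, and an
address released by one user goes back to the pool for the next user.
"""
import ipaddress

MAX_POOL_ADDRESSES = 50
MIN_POOL_ADDRESSES = 2


class AddressPool:
    def __init__(self, in_use_networks):
        # Networks behind the XTM device whose addresses the pool must avoid.
        self.in_use_networks = [ipaddress.ip_network(n) for n in in_use_networks]
        self.addresses = []   # ordered pool entries
        self.leases = {}      # user name -> address currently assigned

    def _check(self, addr):
        if addr in self.addresses:
            raise ValueError(f"{addr} is already in the pool")
        for net in self.in_use_networks:
            if addr in net:
                raise ValueError(f"{addr} belongs to in-use network {net}")
        if len(self.addresses) >= MAX_POOL_ADDRESSES:
            raise ValueError("pool limit of 50 addresses reached")

    def add_host(self, ip):
        """Host IP entry: a single address."""
        addr = ipaddress.ip_address(ip)
        self._check(addr)
        self.addresses.append(addr)

    def add_range(self, first, last):
        """Host Range entry: every address from first to last inclusive."""
        start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if end < start:
            raise ValueError("range end precedes range start")
        for i in range(int(start), int(end) + 1):
            self.add_host(str(ipaddress.ip_address(i)))

    def validate(self):
        """PPTP needs at least two addresses to operate correctly."""
        if len(self.addresses) < MIN_POOL_ADDRESSES:
            raise ValueError("PPTP needs at least 2 pool addresses")
        return True

    def allocate(self, user):
        """Give the user the first free address; None when the pool is exhausted."""
        if user in self.leases:
            return self.leases[user]
        taken = set(self.leases.values())
        for addr in self.addresses:
            if addr not in taken:
                self.leases[user] = addr
                return addr
        return None

    def release(self, user):
        """Session closed: the address returns to the available group."""
        return self.leases.pop(user, None)


def _raises(fn):
    try:
        fn()
    except ValueError:
        return True
    return False


def rule_checks():
    """Which stated rules the model rejects a violation of (all should be True)."""
    pool = AddressPool(["10.0.1.0/24"])
    in_use = _raises(lambda: pool.add_host("10.0.1.50"))
    single = AddressPool([])
    single.add_host("10.10.0.5")
    too_few = _raises(single.validate)
    big = AddressPool([])
    too_many = _raises(lambda: big.add_range("10.10.0.1", "10.10.0.51"))  # 51 addresses
    return {"in_use": in_use, "too_few": too_few, "too_many": too_many}


def demo():
    """Three users sharing a five-address pool: a released address is reused."""
    pool = AddressPool(in_use_networks=["10.0.1.0/24"])
    pool.add_range("10.10.0.10", "10.10.0.14")   # placeholder secondary network
    pool.validate()
    a = pool.allocate("alice")
    b = pool.allocate("bob")
    pool.release("alice")
    c = pool.allocate("carol")                   # gets the address alice released
    return [str(x) for x in (a, b, c)]


if __name__ == "__main__":
    print("allocations:", demo())
    print("rule checks:", rule_checks())
```

The in-use check is the part worth keeping in a real pre-deployment review: a pool address that collides with a host on the trusted network produces an address conflict only when that particular user connects, which is hard to diagnose later.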
Advanced Tab Settings
1. On the Mobile VPN with PPTP page, select the Advanced tab.
2. Configure the Timeout Settings, and the Maximum Transmission Unit (MTU) and Maximum Receive Unit (MRU) settings as described in the subsequent sections.
We recommend that you use the default settings.
Timeout Settings
You can define two timeout settings for PPTP tunnels if you use RADIUS authentication:
Session Timeout
    The maximum length of time the user can send traffic to the external network. If you set this field to zero (0) seconds, minutes, hours, or days, no session timeout is used and the user can stay connected for any length of time.
Idle Timeout
    The maximum length of time the user can stay authenticated when idle (no traffic passes to the external network interface). If you set this field to zero (0) seconds, minutes, hours, or days, no idle timeout is used and the user can stay idle for any length of time.
If you do not use RADIUS for authentication, the PPTP tunnel uses the timeout settings that you set
for each Firebox User. For more information about Firebox user settings, see Define a New User for
Firebox Authentication on page 522.
Other Settings
The Maximum Transmission Unit (MTU) or Maximum Receive Unit (MRU) sizes are sent to the client as part of the PPTP parameters to use during the PPTP session. Do not change MTU or MRU values unless you know the change fixes a problem with your configuration. Incorrect MTU or MRU values cause traffic through the PPTP VPN to fail.
To change the MTU or MRU values:
1. On the Mobile VPN with PPTP page, select the Advanced tab.
2. In the Other Settings section, type or select the Maximum Transmission Unit (MTU) or Maximum Receive Unit (MRU) values.
Configure PPTP Policies
After you enable Mobile VPN with PPTP you must configure policies to allow PPTP users access to
network resources. For instructions, see Configure Policies to Allow Mobile VPN with PPTP Traffic.
Configure WINS and DNS Servers
Mobile VPN clients use shared Windows Internet Name Server (WINS) and Domain Name System (DNS) server addresses. DNS translates host names into IP addresses, while WINS resolves NetBIOS names to IP addresses. These servers must be accessible from the XTM device trusted interface. Make sure you use only an internal DNS server.
In the network configuration, you can specify WINS and DNS servers to use.
Although you can add up to three DNS servers, the mobile VPN clients use only the first two in the list.
1. Select Network > Interfaces.
The Interfaces configuration page appears.
2. (Optional) In the Domain Name text box, type a domain name that a DHCP client appends to
unqualified host names.
3. In the DNS Server or WINS Server text box, type the primary and secondary address for each DNS or WINS server.
4. Click Add.
5. (Optional) Repeat Steps 2–3 to specify up to three DNS servers.
6. Click Save.
Add New Users to the PPTP-Users Group
To create a PPTP VPN tunnel with the XTM device, mobile users type their user names and passphrases to authenticate. The XTM device uses this information to authenticate the user.
When you enable PPTP in your XTM device configuration, a default user group is created automatically. This user group is called PPTP-Users. You see this group name when you create a new user or add user names to policies.
For more information on XTM device groups, see Configure Your XTM Device as an Authentication Server on page 518.
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. Click Firebox.
3. In the Users section, click Add.
The Firebox User dialog box appears.
4. Type a Name for the new user.
5. (Optional) Type a Description.
6. Type a Passphrase for the new user. Type the passphrase again to confirm it.
We recommend that you do not change the default values for Session Timeout and Idle
Timeout.
7. In the Firebox Authentication Groups list, select PPTP-Users.
8. Click OK.
9. Click Save.
For more information about other user authentication settings, see Define a New User for Firebox
Authentication.
Configure Policies to Allow Mobile VPN with PPTP Traffic
Mobile VPN with PPTP users do not have access privileges through an XTM device by default. To give remote users access to specified network resources, you must add user names, or the PPTP-Users group, as sources and destinations in individual policy definitions.
For more information, see Use Authorized Users and Groups in Policies on page 564.
To use WebBlocker to control remote user access, add PPTP users or the PPTP-Users group to a
proxy policy that controls WebBlocker.
If you assign addresses from a trusted network to PPTP users, the traffic from the PPTP user is not considered to be trusted. All Mobile VPN with PPTP traffic is not trusted by default. Regardless of assigned IP address, policies must be created to allow PPTP users to get access to network resources.
Configure Policies to Allow Mobile VPN with PPTP Traffic
Mobile VPN with PPTP users do not have access privileges through an XTM device by default. You must configure policies to allow PPTP users to get access to network resources. You can add new policies or edit existing policies.
If you assign addresses from a trusted network to PPTP users, the traffic from the PPTP user is not considered to be trusted. All Mobile VPN with PPTP traffic is untrusted by default. Regardless of assigned IP address, policies must be created to allow PPTP users access to network resources.
Allow PPTP Users to Access a Trusted Network
In this example, you add an Any policy to give all members of the PPTP-Users group full access to
resources on all trusted networks.
1. Select Firewall > Firewall Policies.
2. Click Add Policy.
3. In the Select a policy type section, select Packet Filter.
4. From the adjacent drop-down list, select Any.
5. In the Policy Name text box, type the policy name.
6. Click Add Policy.
7. In the From list, select Any-Trusted and click Remove.
8. In the From list, click Add.
The Add Member dialog box appears.
9. From the Member Type drop-down list, select PPTP Group.
10. Select PPTP-Users and click OK.
The name of the authentication method appears in parentheses.
If the PPTP-Users group does not appear in the list, you must first define it for your device. For more
information, see Use Authorized Users and Groups in Policies on page 564.
11. In the To section, select Any-External and click Remove.
12. In the To section, click Add.
The Add Member dialog box appears.
13. In the Select Members list, select Any-Trusted and click OK.
Any-Trusted appears in the To list.
14. Click Save.
For more information about policies, see Add Policies to Your Configuration on page 598.
Use Other Groups or Users in a PPTP Policy
Users must be a member of the PPTP-Users group to make a PPTP connection. When you configure
a policy to give the PPTP users access to network resources, you can use the individual user name or
any other group that the user is a member of.
To add a user or group other than PPTP-Users to a policy:
1. Select Firewall > Firewall Policies.
2. Double-click a policy.
The Policy configuration page appears with the Policy tab selected.
3. In the From section, click Add.
The Add Member dialog box appears.
4. From the Member Type drop-down list, select Firewall User or Firewall Group.
5. Select the user or group you want to add and click OK.
The user you selected appears in the From list.
6. Click Save.
For more information on how to use users and groups in policies, see Use Authorized Users and
Groups in Policies on page 564.
Options for Internet Access Through a Mobile VPN with PPTP Tunnel
You can enable remote users to access the Internet through a Mobile VPN tunnel. This option affects
your security because this Internet traffic is not filtered or encrypted. You have two options for Mobile
VPN tunnel routes: default-route VPN and split tunnel VPN.
Default-Route VPN
The most secure option is to require that all remote user Internet traffic is routed through the VPN tunnel to the XTM device. Then, the traffic is sent back out to the Internet. With this configuration (known as default-route VPN), the XTM device is able to examine all traffic and provide increased security, although it uses more processing power and bandwidth. When you use default-route VPN, a dynamic NAT policy must include the outgoing traffic from the remote network. This allows remote users to browse the Internet when they send all traffic to the XTM device.
If you use the "route print" or "ipconfig" commands after you start a Mobile VPN
tunnel on a computer with Microsoft Windows installed, you see incorrect default
gateway information. The correct information is located on the Details tab of the
Virtual Private Connection Status dialog box.
Split Tunnel VPN
Another configuration option is to enable split tunneling. This configuration enables users to browse the Internet without the need to send Internet traffic through the VPN tunnel. Split tunneling improves network performance, but decreases security because the policies you create are not applied to the Internet traffic. If you use split tunneling, we recommend that each client computer have a software firewall.
Default-Route VPN Setup for Mobile VPN with PPTP
In Windows Vista, XP, and 7, the default setting for a PPTP connection is default-route. Your XTM device must be configured with dynamic NAT to receive the traffic from a PPTP user. Any policy that manages traffic going out to the Internet from behind the XTM device must be configured to allow the PPTP user traffic.
When you configure your default-route VPN:
- Make sure that the IP addresses you have added to the PPTP address pool are included in your dynamic NAT configuration on the XTM device.
  From Policy Manager, select Network > NAT.
- Edit your policy configuration to allow connections from the PPTP-Users group through the external interface.
  For example, if you use WebBlocker to control web access, add the PPTP-Users group to the proxy policy that is configured with WebBlocker enabled.
Split Tunnel VPN Setup for Mobile VPN with PPTP
On the client computer, edit the PPTP connection properties to not send all traffic through the VPN.
For Windows 8:
1. From the Windows 8 charm menu, select Settings.
2. Select Network.
The Connections list appears.
3. In the Connection list, right click the VPN connection name.
4. Click View connection properties.
The VPN Properties dialog box appears.
5. Select the Networking tab.
6. Select Internet Protocol Version 4 (TCP/IPv4) in the list and click Properties.
7. On the General tab, click Advanced.
The Advanced TCP/IP Settings dialog box appears.
8. On the IP Settings tab, clear the Use default gateway on remote network check box.
For Windows 7:
1. Select Control Panel > Network and Internet > Connect to a network.
2. Right click the VPN connection.
3. Select Properties.
The VPN properties dialog box appears.
4. Select the Networking tab.
5. Select Internet Protocol Version 4 (TCP/IPv4) in the list and click Properties.
6. On the General tab, click Advanced.
The Advanced TCP/IP Settings dialog box appears.
7. On the IP Settings tab, clear the Use default gateway on remote network check box.
For Windows Vista or XP:
1. Select Control Panel > Network Connections and right-click the VPN connection.
2. Select Properties.
The VPN properties dialog box appears.
3. Select the Networking tab.
4. Select Internet Protocol (TCP/IP) in the list box and click Properties.
The Internet Protocol (TCP/IP) Properties dialog box appears.
5. On the General tab, click Advanced.
The Advanced TCP/IP Settings dialog box appears.
6. Windows XP – On the General tab, clear the Use default gateway on remote network check box.
Windows Vista – On the Settings tab, clear the Use default gateway on remote network check box.
PPTP routing is defined by the client computer. If you do not select the Use default gateway on remote network check box, the client computer routes traffic through the VPN tunnel only if the traffic destination is the /24 subnet of the virtual IP address assigned to the client computer. For example, if the client is assigned the virtual IP address 10.0.1.225, traffic destined for the 10.0.1.0/24 network is routed through the VPN tunnel, but traffic destined for 10.0.2.0 is not.
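The client-side routing rule in the note above, as an added example that is not from the guide (function names are assumed). It derives the /24 the client routes through the tunnel from the assigned virtual IP, classifies destinations under both the default-route and split-tunnel settings, and reports which internal networks a split-tunnel client cannot fully reach through the VPN, which is the check to run before deciding where the PPTP address pool lives:

```python
"""What a split-tunnel PPTP client sends through the VPN.

Added example, not from the guide. Function names are assumed. Rule modelled
from the note above: with "Use default gateway on remote network" cleared, the
Windows client routes only the /24 of its assigned virtual IP through the
tunnel; everything else goes out the local Internet connection and is never
seen by the XTM device policies.
"""
import ipaddress


def tunnel_route(virtual_ip):
    """The /24 network the client derives from its virtual IP address."""
    return ipaddress.ip_network(f"{virtual_ip}/24", strict=False)


def via_tunnel(virtual_ip, destination, use_default_gateway):
    """True if traffic for destination is sent through the VPN tunnel."""
    if use_default_gateway:
        return True   # default-route VPN: all traffic enters the tunnel
    return ipaddress.ip_address(destination) in tunnel_route(virtual_ip)


def classify(virtual_ip, destinations, use_default_gateway):
    """Map each destination to whether it goes through the tunnel."""
    return {d: via_tunnel(virtual_ip, d, use_default_gateway) for d in destinations}


def not_fully_reachable(virtual_ip, internal_networks):
    """Internal networks a split-tunnel client cannot reach (entirely) via VPN."""
    route = tunnel_route(virtual_ip)
    return [n for n in internal_networks
            if not ipaddress.ip_network(n).subnet_of(route)]


if __name__ == "__main__":
    # Constructed sample: the guide's virtual IP and networks plus one
    # Internet address from the documentation range.
    vip = "10.0.1.225"
    dests = ["10.0.1.7", "10.0.2.5", "203.0.113.10"]
    print("split tunnel :", classify(vip, dests, use_default_gateway=False))
    print("default route:", classify(vip, dests, use_default_gateway=True))
    print("unreachable  :", not_fully_reachable(vip, ["10.0.1.0/24", "10.0.2.0/24"]))
```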
Prepare Client Computers for PPTP
Before you can use your client computers as Mobile VPN with PPTP remote hosts, you must configure and establish the PPTP connection on each client computer. The steps to configure a PPTP connection are different for each version of Microsoft Windows.
Windows 8 – Create and Connect a PPTP Mobile VPN for Windows 8
Windows 7 – Create and Connect a PPTP Mobile VPN for Windows 7
Windows Vista – Create and Connect a PPTP Mobile VPN for Windows Vista on page 1154
Windows XP – Create and Connect a PPTP Mobile VPN for Windows XP on page 1155
Create and Connect a PPTP Mobile VPN for Windows 8
You can use the Windows 8 VPN client to make a PPTP VPN connection to a WatchGuard XTM device.
Create a PPTP Connection
To prepare a Windows 8 client computer, you must configure the PPTP connection in the network
settings.
The exact steps could be slightly different depending on your Control Panel view, and
your existing configuration.
1. In the Windows 8 Start page, type control panel. Click Control Panel in the search results.
2. In Control Panel, click Network and Internet.
3. In the right pane, click Network and Sharing Center.
The Network and Sharing Center appears.
4. Select Set up a new connection or network
The New Connection Wizard starts.
5. Click Connect to a workplace and click Next.
The Connect to a workplace page appears.
6. If your computer has an existing workplace connection, select No, create a new connection
and click Next.
The How do you want to connect dialog box appears.
7. Click Use my Internet connection (VPN).
The Type the Internet address to connect to page appears.
8. In the Internet address text box, type the hostname or IP address of the XTM device external interface.
9. In the Destination name text box, type a name for the Mobile VPN (such as "PPTP to XTM").
10. Click Create.
The new connection is added to the Connections list.
11. In the Connections list, right click the connection name.
12. Select View Connection Properties.
13. Select the Security tab.
14. In the Type of VPN drop-down list, select Point to Point Tunneling Protocol (PPTP).
15. Click OK.
Start the PPTP Connection
The name of the VPN connection in the steps below is the destination name you used when you configured the PPTP connection on the client computer. The user name and password refer to one of the users you added to the PPTP-Users group. For more information, see Add New Users to the PPTP-Users Group on page 1146.
Make sure your computer has an active connection to the Internet before you begin.
1. From the Windows 8 Start page, move the mouse to the lower right corner of the screen to see the charm menu.
2. Select Settings.
3. Select Network.
The Connections list appears.
4. In the Connection list, select the name of the VPN connection you created. Click Connect.
The Connect page appears.
5. Type your user name and password.
6. Click OK.
Create and Connect a PPTP Mobile VPN for Windows 7
Create a PPTP Connection
To prepare a Windows 7 client computer, you must configure the PPTP connection in the network
settings.
The exact steps could be slightly different depending on your Control Panel view, and
your existing configuration.
1. From the Windows Start menu, open Control Panel.
2. Click Network and Internet.
3. In the right pane, click Network and Sharing Center.
The Network and Sharing Center appears.
4. Select Set up a new connection or network
The New Connection Wizard starts.
5. Click Connect to a workplace and click Next.
The Connect to a workplace page appears.
6. If your computer has an existing workplace connection, select No, create a new connection
and click Next.
The How do you want to connect dialog box appears.
7. Click Use my Internet connection (VPN).
The Type the Internet address to connect to page appears.
8. In the Internet address text box, type the hostname or IP address of the XTMdevice external
interface.
9. In the Destination name text box, type a name for the Mobile VPN (such as "PPTP to XTM").
10. Select whether you want other people to be able to use this connection.
11. Select the Don't connect now; just set it up so I can connect later check box so that the
client computer does not try to connect at this time.
12. Click Next.
The Type your user name and password page appears.
13. Type the User name and Password for this client.
14. Click Create.
15. Click Close.
16. Click Connect to a Network.
A list of the configured VPN connections appears.
17. Select the name of the VPN connection you just created. Click Connect.
The Connect dialog box appears.
18. Click Properties to edit other properties for this connection.
The Properties dialog box appears.
19. Select the Security tab.
20. In the Type of VPN drop-down list, select Point to Point Tunneling Protocol (PPTP).
21. Click OK.
Establish the PPTP Connection
The name of the VPN connection in the steps below is the destination name you used when you configured the PPTP connection on the client computer. The user name and password refer to one of the users you added to the PPTP-Users group. For more information, see Add New Users to the PPTP-Users Group on page 1146.
Make sure your computer has an active connection to the Internet before you begin.
1. From the Windows Start menu, open Control Panel.
2. Click Network and Internet.
3. In the right pane, click Network and Sharing Center.
The Network and Sharing Center appears.
4. Select Connect to a network
A list of configured network connections appears.
5. In the connection list, select the name of this VPN connection. Click Connect.
The Connect page appears.
6. Type your user name and password.
7. Click Connect.
Create and Connect a PPTP Mobile VPN for Windows Vista
Create a PPTP Connection
To prepare a Windows Vista client computer, you must configure the PPTP connection in the network
settings.
1. From the Windows Start menu, select Settings > Control Panel.
The Start menu in Windows Vista is located in the lower-left corner of the screen.
2. Click Network and Internet.
The Network and Sharing Center appears.
3. In the left column, below Tasks, click Connect to a network.
The New Connection Wizard starts.
4. Select Connect to a workplace and click Next.
The Connect to a workplace dialog box appears.
5. Select No, create a new connection and click Next.
The How do you want to connect dialog box appears.
6. Click Use my Internet connection (VPN).
The Type the Internet address to connect to dialog box appears.
7. Type the hostname or IP address of the XTM device external interface in the Internet address field.
8. Type a name for the Mobile VPN (such as "PPTP to XTM") in the Destination name text box.
9. Select whether you want other people to be able to use this connection.
10. Select the Don't connect now; just set it up so I can connect later check box so that the
client computer does not try to connect at this time.
11. Click Next.
The Type your user name and password dialog box appears.
12. Type the User name and Password for this client.
13. Click Create.
The connection is ready to use dialog box appears.
14. To test the connection, click Connect now.
Start the PPTP Connection
To connect a Windows Vista client computer, replace [name of the connection] with the actual name you used when you configured the PPTP connection. The user name and password refer to one of the users you added to the PPTP-Users group. For more information, see Add New Users to the PPTP-Users Group on page 1146.
Make sure you have an active connection to the Internet before you begin.
1. Select Start > Settings > Network Connections > [name of the connection]
The Windows Vista Start button is located in the lower-left corner of your screen.
2. Type the user name and password for the connection and click Connect.
3. The first time you connect, you must select a network location. Select Public location.
Create and Connect a PPTP Mobile VPN for Windows XP
To prepare a Windows XP client computer, you must configure the PPTP connection in the network settings.
Create the PPTP Mobile VPN
From the Windows Desktop of the client computer:
1. From the Windows Start menu, select Control Panel > Network Connections.
2. Select Create a new connection.
Or, click New Connection Wizard in Windows Classic view.
The New Connection wizard appears.
3. Click Next.
4. Select Connect to the network at my workplace and click Next.
5. Select Virtual Private Network connection and click Next.
6. Type a name for the new connection (such as "Connect with Mobile VPN") and click Next.
7. Select if Windows ensures the public network is connected:
• For a broadband connection, select Do not dial the initial connection.
• For a modem connection, select Automatically dial this initial connection, and then select a connection name from the drop-down list.
8. Click Next.
9. Type the host name or IP address of the XTM device external interface and click Next.
10. Select Add a shortcut to this connection to my desktop.
11. Click Finish.
The Connect dialog box appears.
12. Click Properties.
13. Select the Networking tab.
14. In the Type of VPN drop-down list, select PPTP VPN.
15. Click OK.
Start the PPTP Connection
1. Start an Internet connection through a dial-up network, or directly through a LAN or WAN.
2. Double-click the shortcut to the new connection on your desktop.
Or, select Control Panel > Network Connections and select your new connection from the Virtual Private Network list.
3. Type the user name and passphrase for the connection.
For more information about the user name and passphrase, see Add New Users to the PPTP-Users Group on page 1146.
4. Click Connect.
Make Outbound PPTP Connections from Behind an XTM Device
If necessary, you can make a PPTP connection to an XTM device from behind a different XTM device. For example, one of your remote users goes to a customer office that has an XTM device. The user can connect to your network with a PPTP connection. For the local XTM device to correctly allow the outgoing PPTP connection, add the PPTP policy and allow traffic from the network the user is on to the Any-External alias.
To add a policy, see Add Policies to Your Configuration on page 598.
Mobile VPN with PPTP
1156 Fireware XTM Web UI
User Guide 1157
23 Mobile VPN with IPSec
About Mobile VPN with IPSec
Mobile VPN with IPSec accepts connections from IPSec VPN client software installed on a remote computer or device. The client makes a secure connection from the remote computer to your protected network through an unsecured network, such as the Internet. The Mobile VPN client uses Internet Protocol Security (IPSec) to secure the connection.
Fireware XTM supports two IPSec VPN clients:
Shrew Soft VPN Client
You can download the Shrew Soft VPN Client for Windows directly from the WatchGuard Portal, or from Shrew Soft (http://www.shrew.net/download). The Shrew Soft VPN client is supported on WatchGuard XTM devices that use Fireware XTM v11.4.1 or higher, and on Firebox X e-Series devices that use Fireware XTM v11.3.4 or higher.
For more information, see About the Shrew Soft VPN Client.
WatchGuard XTM IPSec Mobile VPN Client
You can download the WatchGuard IPSec Mobile VPN client from the WatchGuard Portal. This VPN client, powered by NCP, is compatible with all versions of Fireware XTM, and supports all WatchGuard Mobile VPN with IPSec configuration settings. The IPSec Mobile VPN Client includes a free 30-day trial license. To use the client after the initial 30-day trial period, you must purchase a WatchGuard IPSec Mobile VPN Client license.
WatchGuard also supports the NCP client (http://www.ncp-e.com) for connections to WatchGuard devices.
For more information about the IPSec Mobile VPN client, see About the XTM IPSec Mobile VPN Client.
You can also make an IPSec VPN connection from some mobile devices. For more information, see:
• Use the Mac OS X or iOS Native IPSec VPN Client
• Use Mobile VPN with IPSec with an Android Device
Configure a Mobile VPN with IPSec Connection
You can configure the XTM device to act as an endpoint for Mobile VPN with IPSec tunnels.
1. Connect to Fireware XTM Web UI for your XTM device.
2. Select VPN > Mobile VPN with IPSec.
A user must be a member of a Mobile VPN group to be able to make a Mobile VPN with IPSec connection. When you add a Mobile VPN group, an Any policy is added to the Firewall > Mobile VPN Policies tab that allows traffic to pass to and from the authenticated Mobile VPN user. To restrict Mobile VPN client access, delete the Any policy and add policies to Firewall > Mobile VPN Policies that allow access to resources.
The user must have an end-user profile file to configure the Mobile VPN client computer. For information about how to generate the end-user profile, see Generate Mobile VPN with IPSec Configuration Files.
If you use a certificate for authentication, you must use Policy Manager to generate the .p12 and cacert.pem files. These files can be found in the same location as the end-user profile generated by Policy Manager.
After Mobile VPN with IPSec is configured on the XTM device, you must install a supported VPN client on each client computer, and import the end-user profile. For information on how to install the VPN client software and import the end-user profile, see:
• Install the IPSec Mobile VPN Client Software on page 1193
• Install the Shrew Soft VPN Client Software
When the user computer is correctly configured, the user starts the Mobile VPN connection. If the user's authentication credentials match an entry in the authentication server user database, and if the user is in the Mobile VPN group you create, the Mobile VPN session is authenticated.
System Requirements
Before you configure your XTM device for Mobile VPN with IPSec, make sure you understand the system requirements for the mobile user client computer.
You can install the Shrew Soft VPN client on any computer that uses Windows XP, Windows Vista, Windows 7, or Windows 8.
You can install the WatchGuard IPSec Mobile VPN Client software on any computer with Windows XP, Windows Vista, Windows 7, or Windows 8. Before you install the client software, make sure the remote computer does not have any other IPSec VPN client software installed. You must also uninstall any desktop firewall software (other than Microsoft firewall software) from each remote computer. For more information, see Client Requirements on page 1193.
To distribute the end-user profile as an encrypted (.wgx) file, we recommend that you use WatchGuard System Manager. You can use Fireware XTM Web UI to configure Mobile VPN with IPSec and generate the unencrypted (.ini or .vpn) end-user profile. For more information about the types of end-user profile configuration files, see About Mobile VPN Client Configuration Files on page 1160.
Options for Internet Access Through a Mobile VPN with IPSec Tunnel
When you configure Mobile VPN for your remote users, you must choose whether you want their
general Internet traffic to go through the VPN tunnel, or to bypass the VPN tunnel. Your choice can
affect your network security because Internet traffic that does not go through the tunnel is not filtered or
encrypted. In your configuration, you specify your choice with the tunnel route you select: default-route
VPN or split tunnel VPN.
Default-Route VPN
The most secure option is to require that all remote user Internet traffic is routed through the VPN tunnel to the XTM device. From the XTM device, the traffic is then sent back out to the Internet. With this configuration (known as default-route VPN), the XTM device is able to examine all traffic and provide increased security, although the XTM device uses more processing power and bandwidth.
When you use default-route VPN, a dynamic NAT policy must include the outgoing traffic from the remote network. This allows remote users to browse the Internet when they send all traffic to the XTM device.
For more information about dynamic NAT, see Add Network Dynamic NAT Rules on page 252.
Split Tunnel VPN
Another configuration option is to enable split tunneling. This configuration allows users to browse the
Internet normally. Split tunneling decreases security because XTM device policies are not applied to
the Internet traffic, but performance is increased. If you use split tunneling, your client computers
should have a software firewall.
About Mobile VPN Client Configuration Files
With Mobile VPN with IPSec, the network security administrator controls end user profiles. Policy
Manager is used to create the Mobile VPN with IPSec group and create an end user profile, with the file
extension .wgx, .ini, .vpn, or .wgm. The .wgx, .ini, .vpn, and .wgm files contain the shared key, user identification, IP addresses, and settings that are used to create a secure tunnel between the remote computer and the XTM device.
The .wgx file is encrypted with a passphrase that is eight characters or greater in length. You must use
Policy Manager to generate the .wgx file. Both the administrator and the remote user must know this
passphrase. When you use the WatchGuard IPSec Mobile VPN Client software to import the .wgx file,
the passphrase is used to decrypt the file. The .wgx file does not configure the Line Management
settings.
The .ini configuration file is not encrypted. It should only be used if you have changed the Line
Management setting to anything other than Manual. For more information, see Line Management on
the Advanced tab in Modify an Existing Mobile VPN with IPSec Group Profile on page 1171.
The .vpn configuration file is for use with the Shrew Soft VPN client. This file is not encrypted. For
more information, see About the Shrew Soft VPN Client.
The .wgm configuration file is for use with the WatchGuard Mobile VPN app for Android and iOS devices. The .wgm file is encrypted with a passphrase that is eight characters or greater in length. Both the administrator and the remote user must know this passphrase. When you use the WatchGuard Mobile VPN app for Android or iOS to import the .wgm file, the passphrase is used to decrypt the file.
You can create or re-create the VPN client configuration file at any time. For more information, see
Generate Mobile VPN with IPSec Configuration Files on page 1184.
If you want to lock the profiles for mobile users who use the WatchGuard IPSec Mobile VPN Client, you can make them read-only. For more information, see Lock Down an End User Profile on page 1183.
Configure the XTM Device for Mobile VPN with IPSec
You can enable Mobile VPN with IPSec for a group of users you have already created, or you can
create a new user group. The users in the group can authenticate either to the XTM device or to a third-party authentication server included in your XTM device configuration.
Configure a Mobile VPN with IPSec Group
1. Select VPN > Mobile VPN with IPSec.
The Mobile VPN with IPSec page appears.
2. Click Add.
The Mobile User VPN with IPSec Settings page appears.
3. In the Name text box, type a name for this Mobile VPN group.
You can type the name of an existing group, or the name for a new Mobile VPN group. Make
sure the name is unique among VPN group names, as well as all interface and VPN tunnel
names.
If you create a Mobile VPN user group that authenticates to an external
authentication server, make sure you create a group on the server that has the same
name as the name you added in the wizard for the Mobile VPN group. If you use
Active Directory as your authentication server, the users must belong to an Active
Directory security group with the same name as the group name you configure for
Mobile VPN with IPSec. For more information, see Configure the External
Authentication Server.
4. Configure these settings to edit the group profile:
Authentication Server
Select the authentication server to use for this Mobile VPN group. You can authenticate users with the internal XTM device database (Firebox-DB) or with a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that the method of authentication you choose is enabled.
Passphrase
Type a passphrase to encrypt the Mobile VPN profile (.wgx file) that you distribute to users in this group. The shared key can use only standard ASCII characters. If you use a certificate for authentication, this is the PIN for the certificate.
Confirm
Type the passphrase again.
Primary
Type the primary external IP address to which Mobile VPN users in this group can connect. This can be an external IP address, secondary external IP address, or external VLAN. For a device in drop-in mode, use the IP address assigned to all interfaces.
Backup
Type a backup external IP address to which Mobile VPN users in this group can connect. This backup IP address is optional. If you add a backup IP address, make sure it is an IP address assigned to an XTM device external interface or VLAN.
Session Timeout
Select the maximum time in minutes that a Mobile VPN session can be active.
Idle Timeout
Select the time in minutes before the XTM device closes an idle Mobile VPN session. The session and idle timeout values are the default timeout values if the authentication server does not have its own timeout values. If you use the XTM device as the authentication server, the timeouts for the Mobile VPN group are always ignored because you set timeouts for each XTM device user account.
The session and idle timeouts cannot be longer than the value in the SA Life field. To set this value, in the Mobile VPN with IPSec Settings dialog box, click the IPSec Tunnel tab, and click Advanced for Phase 1 Settings. The default value is 8 hours.
5. Select the IPSec Tunnel tab.
The IPSec Tunnel page opens.
6. Configure these settings:
Use the passphrase of the end user profile as the pre-shared key
Select this option to use the passphrase of the end user profile as the pre-shared key for
tunnel authentication. You must use the same shared key on the remote device. This
shared key can use only standard ASCII characters.
Use a certificate
Select this option to use a certificate for tunnel authentication.
For more information, see Certificates for Mobile VPN With IPSec Tunnel Authentication
on page 979.
CA IP address
If you use a certificate, type the IP address of the Management Server that has been
configured as a certificate authority.
Timeout
If you use a certificate, type the time in seconds before the Mobile VPN with IPSec client stops an attempt to connect if there is no response from the certificate authority. We recommend you keep the default value.
Phase 1 Settings
Select the authentication and encryption methods for the VPN tunnel. To configure
advanced settings, such as NAT Traversal or the key group, click Advanced, and see
Define Advanced Phase 1 Settings on page 1178.
The Encryption options are listed from the most simple and least secure, to the most complex and most secure:
DES
3DES
AES (128 bit)
AES (192 bit)
AES (256 bit)
Phase 2 Settings
Select PFS (Perfect Forward Secrecy) to enable PFS and set the Diffie-Hellman group.
To change other proposal settings, click Advanced and see Define Advanced Phase 2
Settings on page 1180.
7. Select the Resources tab.
The Resources page appears.
8. Configure these settings:
Allow All Traffic Through Tunnel
To send all Mobile VPN user Internet traffic through the VPN tunnel, select this check box.
If you select this check box, the Mobile VPN user Internet traffic is sent through the VPN.
This is more secure, but network performance decreases.
If you do not select this check box, Mobile VPN user Internet traffic is sent directly to the
Internet. This is less secure, but users can browse the Internet more quickly.
Allowed Resources
This list includes the resources that users in the Mobile VPN authentication group can get
access to on the network.
To add an IP address or a network IP address to the network resources list, click Add. Select Host IPv4 or Network IPv4, type the address, and click OK.
To delete the selected IP address or network IP address from the resources list, select a resource and click Remove.
Virtual IP Address Pool
This list includes the internal IP addresses that are used by Mobile VPN users over the tunnel.
To add an IP address or a network IP address to the virtual IP address pool, click Add. Select Host IPv4 or Network IPv4, type the address, and click OK.
To remove it from the virtual IP address pool, select a host or network IP address and click Remove.
The IP addresses in the virtual IP address pool cannot be used for anything else on your network.
For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.
9. Select the Advanced tab.
The Advanced page appears.
10. Configure the Line Management settings:
Connection mode
Manual: In this mode, the client does not try to restart the VPN tunnel automatically if the VPN tunnel goes down. This is the default setting. To restart the VPN tunnel, you must click the Connect button in Connection Monitor, or right-click the Mobile VPN icon on your Windows desktop toolbar and click Connect.
Automatic: In this mode, the client tries to start the connection when your computer sends traffic to a destination that you can reach through the VPN. The client also tries to restart the VPN tunnel automatically if the VPN tunnel becomes unavailable.
Variable: In this mode, the client tries to restart the VPN tunnel automatically until you click Disconnect. After you disconnect, the client does not try to restart the VPN tunnel again until you click Connect.
Inactivity timeout
If the Connection Mode is set to Automatic or Variable, the Mobile VPN with IPSec client software does not try to renegotiate the VPN connection until there has not been traffic from the network resources available through the tunnel for the length of time you enter for Inactivity timeout.
The default Line Management settings are Manual and 0 seconds. If you change either setting, you must use the .ini file to configure the client software.
11. Click Save.
The Mobile VPN with IPSec page opens and the new IPSec group appears in the Groups list.
12. Click Save.
Users that are members of the group you create are not able to connect until they import the correct
configuration file in their WatchGuard XTM IPSec Mobile VPN Client software. You must generate the
configuration file and then provide it to the end users.
To generate the end user profiles for the group you edited:
1. Select VPN > Mobile VPN with IPSec.
The Mobile VPN with IPSec page appears.
2. From the Client drop-down list, select the VPN client.
3. Click Generate.
4. Select the browser option to save the file.
Fireware XTM Web UI can generate only the .ini, .vpn, and .wgm mobile user configuration files. If you want to generate the .wgx file, you must use Policy Manager.
Configure the External Authentication Server
If you create a Mobile VPN user group that authenticates to a third-party server, make sure you create
a group on the server that has the same name as the name you added in the wizard for the Mobile VPN
group.
If you use Active Directory as your authentication server, the users must belong to an Active Directory
security group with the same name as the group name you configure for Mobile VPN with IPSec.
For RADIUS, VASCO, or SecurID, make sure that the RADIUS server sends a Filter-Id attribute (RADIUS attribute 11) when a user successfully authenticates, to tell the XTM device what group the user belongs to. The value for the Filter-Id attribute must match the name of the Mobile VPN group as it appears in the Fireware XTM RADIUS authentication server settings. All Mobile VPN users that authenticate to the server must belong to this group.
The Shrew Soft VPN client is not compatible with 2-factor authentication. You must use the WatchGuard XTM IPSec Mobile VPN Client if you want to use Vasco RADIUS or RSA SecurID authentication servers.
Add Users to a Firebox Mobile VPN Group
To open a Mobile VPN tunnel with the XTM device, remote users type their user name and password to authenticate. WatchGuard System Manager software uses this information to authenticate the user to the XTM device. To authenticate, users must be part of a Mobile VPN with IPSec group.
For information about how to create a Mobile VPN with IPSec group, see Configure the XTM Device for Mobile VPN with IPSec.
For more information on XTM device groups, see Types of Firebox Authentication on page 518.
To add users to a group if you use a third-party authentication server, use the instructions provided in
your vendor documentation.
To add users to a group if you use Firebox authentication:
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. Click Firebox.
3. To add a new user, in the Firebox Users section, click Add.
The Setup Firebox User dialog box appears.
4. Type a Name.
5. (Optional) Type a Description for this user.
6. Type a Passphrase for the user. The passphrase must be at least 8 characters long. Type the passphrase again to confirm it.
We recommend that you do not change the values for Session Timeout and Idle Timeout.
7. In the Firebox Authentication Groups list, select a group name.
8. Click OK.
The new user is added to the Firebox Users list.
9. Click Save.
For information about other user authentication settings, see Define a New User for Firebox
Authentication.
Modify an Existing Mobile VPN with IPSec Group Profile
After you create a Mobile VPN with IPSec group, you can edit the profile to:
• Change the shared key
• Add access to more hosts or networks
• Restrict access to a single destination port, source port, or protocol
• Change the Phase 1 or Phase 2 settings
Configure a Mobile VPN with IPSec Group
1. Select VPN > Mobile VPN with IPSec.
The Mobile VPN with IPSec page appears.
2. Select the group you want to edit and click Edit.
The Mobile User VPN with IPSec Settings page appears.
3. Configure these options to edit the group profile:
Authentication Server
Select the authentication server to use for this Mobile VPN group. You can authenticate users to the XTM device (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that this method of authentication is enabled.
Passphrase
To change the passphrase that encrypts the .wgx file, type a new passphrase. The shared key can use only standard ASCII characters. If you use a certificate for authentication, this is the PIN for the certificate.
Confirm
Type the new passphrase again.
Primary
Type the primary external IP address or domain to which Mobile VPN users in this group can connect. This can be an external IP address, secondary external IP address, or external VLAN. For a device in drop-in mode, use the IP address assigned to all interfaces.
Backup
Type a backup external IP address or domain to which Mobile VPN users in this group can connect. This backup IP address is optional. If you add a backup IP address, make sure it is an IP address assigned to an XTM device external interface or VLAN.
Session Timeout
Select the maximum time in minutes that a Mobile VPN session can be active.
Idle Timeout
Select the time in minutes before the XTM device closes an idle Mobile VPN session. The session and idle timeout values are the default timeouts if the authentication server does not return specific timeout values. If you use the XTM device as the authentication server, the timeouts for the Mobile VPN group are always ignored because you set timeouts in each XTM device user account.
The session and idle timeouts cannot be longer than the value in the SA Life text box. To set this value, select the IPSec Tunnel tab. In the Phase 1 Settings section, click Advanced. The default value is 8 hours.
4. Select the IPSec Tunnel tab.
5. Configure these options to edit the IPSec settings:
IPSec Tunnel Settings
You can use a preshared key or a certificate for tunnel authentication.
Select Use the passphrase of the end-user profile as the pre-shared key to use the
passphrase of the end-user profile as the pre-shared key for tunnel authentication. The
passphrase is set on the General tab in the Passphrase section. You must use the same
shared key on the remote device, and this shared key can use only standard ASCII
characters.
Select Use a certificate to use a certificate for tunnel authentication.
For more information, see Certificates for Mobile VPN With IPSec Tunnel Authentication
on page 979.
If you use a certificate, you must also specify the CA IP Address and Timeout. In the CA IP Address text box, type the IP address of the Management Server that is configured as the certificate authority. In the Timeout text box, type the time, in seconds, before the Mobile VPN with IPSec client no longer attempts to connect to the certificate authority without a response. We recommend you use the default setting.
Phase 1 Settings
Select the authentication and encryption methods for the Phase 1 transform for the Mobile VPN tunnel. For more information about these settings, see About IPSec Algorithms and Protocols.
From the Authentication drop-down list, select MD5, SHA1, SHA2-256, SHA2-384, or SHA2-512 as the authentication method.
SHA2 is not supported on XTM 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices. The hardware cryptographic acceleration in those models does not support SHA2.
SHA2 is supported for VPN connections from the Shrew Soft VPN client v2.2.1 or higher, or the WatchGuard IPSec Mobile VPN client v11.32. SHA2 is not supported for VPN connections from Android or iOS devices, and is not supported by older versions of the Shrew Soft or WatchGuard IPSec VPN clients.
From the Encryption drop-down list, select AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES as the encryption method.
To configure advanced settings, such as NAT Traversal or the key group, click Advanced. For more information, see Define Advanced Phase 1 Settings.
Phase 2 Settings
To change the proposal and key expiration settings, click the Proposal button. For more
information, see Define Advanced Phase 2 Settings on page 1180.
To enable Perfect Forward Secrecy (PFS), select the PFS check box. If you enable PFS,
select the Diffie-Hellman group.
Perfect Forward Secrecy gives more protection to keys that are created in a session. Keys made with PFS are not made from a previous key. If a previous key is compromised after a session, your new session keys are secure. For more information, see About Diffie-Hellman Groups on page 1032.
6. Select the Resources tab.
7. Configure these options:
Allow All Traffic Through Tunnel
To send all Mobile VPN user Internet traffic through the VPN tunnel, select this check box.
If you select this check box, the Mobile VPN user Internet traffic is sent through the VPN.
This is more secure, but web site access can be slow.
If you do not select this check box, Mobile VPN user Internet traffic is sent directly to the
Internet. This is less secure, but users can browse the Internet more quickly.
Allowed Resources
This list includes the network resources that are available to users in the Mobile VPN
group.
To add an IP address or a network IP address to the network resources list, select Host IP or Network IP, type the address, and click Add.
To delete an IP address or network IP address from the resources list, select a resource and click Remove.
If you edit the allowed resources, the resource list is automatically updated only in the default Mobile VPN with IPSec policy for this group. The resources are not automatically updated for any other Mobile VPN with IPSec policies for the group. You must edit the allowed resources in those Mobile VPN with IPSec policies and update them if necessary. For more information, see Configure Policies to Filter Mobile VPN Traffic.
Virtual IP Address Pool
The internal IP addresses that are used by Mobile VPN users over the tunnel appear in this
list. These addresses cannot be used by any network devices or other Mobile VPN group.
To add an IP address or a network IP address to the virtual IP address pool, select Host IP or Network IP, type the address, and click Add.
To delete a host or network IP address from the virtual IP address pool, select the host or IP address and click Remove.
For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.
8. Select the Advanced tab.
9. Configure the Line Management settings:
Connection mode
Manual: In this mode, the client does not try to restart the VPN tunnel automatically if the VPN tunnel goes down. This is the default setting. To restart the VPN tunnel, you must click Connect in Connection Monitor, or right-click the Mobile VPN icon on your Windows desktop toolbar and select Connect.
Automatic: In this mode, the client tries to start the connection when your computer sends traffic to a destination that you can reach through the VPN. The client also tries to restart the VPN tunnel automatically if the VPN tunnel becomes unavailable.
Variable: In this mode, the client tries to restart the VPN tunnel automatically until you click Disconnect. After you disconnect, the client does not try to restart the VPN tunnel again until after the next time you click Connect.
Inactivity timeout
If you set the Connection Mode to Automatic or Variable, the Mobile VPN with IPSec client software does not try to renegotiate the VPN connection for the duration you specify. The inactivity timeout can have a maximum value of 65,535 seconds.
The default Line Management settings are Manual and 0 seconds. If you change either setting, you must use the .ini file to configure the client software.
10. Click Save.
The Mobile VPN with IPSec page appears.
11. Click Save.
Users that are members of the group you edit are not able to connect until they import the correct
configuration file in their WatchGuard IPSec Mobile VPN Client software. You must generate the
configuration file and then provide it to the end users.
To generate the end user profiles for the group you edited:
1. Select VPN > Mobile VPN with IPSec.
The Mobile VPN with IPSec page appears.
2. Click Generate.
Fireware XTM Web UI can only generate the .ini or .vpn mobile user configuration file. If you want to generate the .wgx file, you must use Policy Manager.
Define Advanced Phase 1 Settings
You can define the advanced Phase 1 settings for your Mobile VPN user profile.
1. On the Edit Mobile VPN with IPSec page, select the IPSec Tunnel tab.
2. In the Phase 1 Settings section, click Advanced.
The Phase 1 Advanced Settings appear.
3. Configure the settings for the group, as described in the subsequent sections.
We recommend you use the default settings.
4. Click OK.
5. Click Save.
Phase 1 Options
SA Life
Select a SA (security association) lifetime duration and select Hour or Minute in the drop-down list. When the SA expires, a new Phase 1 negotiation starts. A shorter SA life is more secure, but the SA negotiation can cause existing connections to fail.
Key Group
Select a Diffie-Hellman group. WatchGuard supports groups 1, 2, and 5.
Diffie-Hellman groups determine the strength of the master key used in the key exchange process. Higher group numbers are more secure, but the client computer and the XTM device need more time and resources to make the keys.
NAT Traversal
Select this check box to build a Mobile VPN tunnel between the XTM device and another device that is behind a NAT device. NAT Traversal, or UDP Encapsulation, allows traffic to route to the correct destinations.
IKE Keep-alive
Select this check box only if this group connects to an older Firebox that does not support Dead
Peer Detection. All Firebox devices with Fireware v9.x or lower, Edge v8.x or lower, and all
versions of WFS do not support Dead Peer Detection. For these devices, select this check box
to enable the Firebox to send messages to its IKE peer to keep the VPN tunnel open. Do not
select both IKEKeep-alive and Dead Peer Detection.
Message interval
Select the number of seconds for the IKE keep-alive message interval.
Max failures
Set the maximumnumber of times the XTMdevice waits for a response to the IKE keep-alive
messages before it terminates the VPN connection and starts a new Phase 1 negotiation.
Dead Peer Detection
Select this check box to enable Dead Peer Detection (DPD). Both endpoints must support
DPD. All Firebox or XTMdevices with Fireware v10.x or higher and Edge v10.x or higher
support DPD. Do not select both IKEKeep-alive and Dead Peer Detection.
DPD is based on RFC 3706 and uses IPSec traffic patterns to determine if a connection is
available before a packet is sent. When you select DPD, a message is sent to the peer when no
traffic has been received fromthe peer within the selected time period. If DPD determines a
peer is unavailable, additional connection attempts are not made.
Traffic Idle Timeout
Set the number of seconds the XTMdevice waits before it checks to see if the other device is
active.
Max retries
Set the maximumnumber of times the XTMdevice tries to connect before it determines the
peer is unavailable, terminates the VPN connection, and starts a new Phase 1 negotiation.
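The following simulation is an added example, not WatchGuard code, that models how the Traffic Idle Timeout and Max retries settings described above interact. It implements only what the text states: a DPD probe is sent when no traffic has arrived from the peer within the idle timeout, and after the configured number of unanswered probes the peer is declared unavailable and the tunnel is torn down for a new Phase 1. The class name, the event timeline and the timing values are constructed for this example.

```python
"""Simulated Dead Peer Detection timing (added example, not WatchGuard code).
Models the page's description of Traffic Idle Timeout and Max retries:
a probe goes out when the peer has been silent for idle_timeout seconds,
and max_retries unanswered probes mean the peer is unavailable."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DpdMonitor:
    idle_timeout: int                  # Traffic Idle Timeout, in seconds
    max_retries: int                   # Max retries
    last_rx: int = 0                   # time of last IPSec traffic from the peer
    probe_sent_at: Optional[int] = None
    unanswered: int = 0                # probes sent since the peer last spoke
    probes_sent: int = 0               # total probes over the whole run
    dead_at: Optional[int] = None      # second at which the peer was declared dead
    log: list = field(default_factory=list)

    def traffic_received(self, now: int) -> None:
        """Any traffic from the peer (data or a DPD reply) proves liveness,
        so the outstanding probe state is cleared."""
        self.last_rx = now
        self.probe_sent_at = None
        self.unanswered = 0

    def tick(self, now: int) -> None:
        """Called once per simulated second."""
        if self.dead_at is not None:
            return
        if self.probe_sent_at is None:
            # Peer silent for a full idle window: send the first probe.
            if now - self.last_rx >= self.idle_timeout:
                self._send_probe(now)
        elif now - self.probe_sent_at >= self.idle_timeout:
            # The previous probe went unanswered for a full window.
            if self.unanswered >= self.max_retries:
                self.dead_at = now
                self.log.append(f"{now:4d}s peer unavailable after "
                                f"{self.unanswered} unanswered probes; "
                                "tear down tunnel, start new Phase 1")
            else:
                self._send_probe(now)

    def _send_probe(self, now: int) -> None:
        self.probe_sent_at = now
        self.unanswered += 1
        self.probes_sent += 1
        self.log.append(f"{now:4d}s R-U-THERE #{self.unanswered}")


def run_scenario(events: dict, idle_timeout: int = 20, max_retries: int = 3,
                 duration: int = 200) -> DpdMonitor:
    """Drive a monitor through a constructed timeline. `events` maps a
    second to 'rx', meaning traffic or a DPD reply arrived from the peer."""
    mon = DpdMonitor(idle_timeout, max_retries)
    for now in range(duration):
        if events.get(now) == "rx":
            mon.traffic_received(now)
        mon.tick(now)
    return mon


# Constructed scenarios.
# A: the peer sends its last packet at t=10 and then vanishes.
SILENT_PEER = {10: "rx"}
# B: the peer misses two probes, answers at t=55, then keeps talking every 15 s.
SLOW_PEER = {10: "rx", 55: "rx", **{t: "rx" for t in range(70, 200, 15)}}

if __name__ == "__main__":
    for name, events in (("silent peer", SILENT_PEER), ("slow peer", SLOW_PEER)):
        mon = run_scenario(events)
        print(f"--- {name}: dead_at={mon.dead_at}, probes={mon.probes_sent}")
        print("\n".join(mon.log))
```

With a 20-second idle timeout and three retries, the silent peer is declared dead 80 seconds after its last packet (three probe windows plus the final wait); raising Max retries lengthens that verdict by one idle window per extra probe, which is the trade-off between tolerating a lossy link and holding a dead tunnel open.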
Define Advanced Phase 2 Settings
In the advanced Phase 2 settings, you can change the Phase 2 proposal type, authentication method,
encryption method, and expiration settings. For more information about the available algorithms, see
About IPSec Algorithms and Protocols.
To define advanced Phase 2 settings:
1. On the Edit Mobile VPN with IPSec page, click the IPSec Tunnel tab.
2. In the Phase 2 Settings section, click Advanced.
The Phase 2 Advanced Settings appear.
3. Configure the Phase 2 options as described in the subsequent section.
4. Click OK.
5. Click Save.
Phase 2 Options
Type
The two proposal method options are ESP or AH. Only ESP is supported at this time.
Authentication
Select an authentication method from the drop-down list. The options are listed from the most
simple and least secure to the most complex and most secure.
• MD5
• SHA1
• SHA2-256
• SHA2-384
• SHA2-512
SHA2 is not supported on XTM 510, 520, 530, 515, 525, 535, 545, 810, 820, 830,
1050, and 2050 devices. The hardware cryptographic acceleration in those models
does not support SHA2.
SHA2 is supported for VPN connections from the Shrew Soft VPN client v2.2.1 or
higher, or the WatchGuard IPSec Mobile VPN client v11.32. SHA2 is not supported
for VPN connections from Android or iOS devices, and is not supported by older
versions of the Shrew Soft or WatchGuard IPSec VPN clients.
Encryption
Select an encryption method. The options are listed from the most simple and least secure to
the most complex and most secure.
• DES
• 3DES
• AES (128-bit)
• AES (192-bit)
• AES (256-bit)
Force Key Expiration
To force the gateway endpoints to generate and exchange new keys after a quantity of time or
amount of traffic passes, configure the settings in the Force Key Expiration section.
• Select the Time check box to expire the key after a quantity of time. Type or select the
quantity of time that must pass to force the key to expire.
• Select the Traffic check box to expire the key after a quantity of traffic. Type or select the
number of kilobytes of traffic that must pass to force the key to expire.
• If both Force Key Expiration options are disabled, the key expiration interval is set to 8
hours.
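As an added example that is not WatchGuard code, the checker below reviews a group's Phase 1 and Phase 2 options against the constraints stated in the two sections above: the supported Diffie-Hellman groups, the rule that IKE Keep-alive and Dead Peer Detection are not both selected, ESP as the only Phase 2 type, the least-to-most-secure ordering of the hash and cipher lists, the models whose accelerators cannot do SHA2, and the 8-hour interval that applies when both Force Key Expiration options are off. The dictionary keys and the two sample profiles are constructed for this example and are not a WatchGuard file format.

```python
"""Review Mobile VPN Phase 1 / Phase 2 options against the guide's stated
constraints (added example, not WatchGuard code)."""
from typing import List, Optional, Tuple

AUTH_ORDER = ["MD5", "SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]  # weakest first
ENC_ORDER = ["DES", "3DES", "AES-128", "AES-192", "AES-256"]       # weakest first
SUPPORTED_DH_GROUPS = (1, 2, 5)
# Models the page lists as lacking SHA2 support in hardware acceleration.
NO_SHA2_MODELS = {"510", "520", "530", "515", "525", "535", "545",
                  "810", "820", "830", "1050", "2050"}
DEFAULT_KEY_LIFETIME_HOURS = 8


def check_phase1(p1: dict) -> List[str]:
    findings = []
    group = p1.get("dh_group")
    if group not in SUPPORTED_DH_GROUPS:
        findings.append(f"error: Diffie-Hellman group {group} is not supported (use 1, 2 or 5)")
    elif group == min(SUPPORTED_DH_GROUPS):
        findings.append("warn: DH group 1 is the weakest supported group")
    if p1.get("ike_keepalive") and p1.get("dpd"):
        findings.append("error: IKE Keep-alive and Dead Peer Detection must not both be selected")
    return findings


def check_phase2(p2: dict, model: str) -> List[str]:
    findings = []
    if p2.get("type") != "ESP":
        findings.append(f"error: Phase 2 type {p2.get('type')!r}; only ESP is supported")
    auth, enc = p2.get("auth"), p2.get("encryption")
    if auth not in AUTH_ORDER:
        findings.append(f"error: unknown authentication method {auth!r}")
    elif auth == AUTH_ORDER[0]:
        findings.append("warn: MD5 is the least secure authentication option")
    if enc not in ENC_ORDER:
        findings.append(f"error: unknown encryption method {enc!r}")
    elif enc == ENC_ORDER[0]:
        findings.append("warn: DES is the least secure encryption option")
    if auth and auth.startswith("SHA2") and model in NO_SHA2_MODELS:
        findings.append(f"error: XTM {model} hardware acceleration does not support SHA2")
    return findings


def effective_key_expiration(p2: dict) -> Tuple[Optional[int], Optional[int]]:
    """Return (hours, kilobytes) after which keys are forced to expire;
    None means that trigger is not enforced."""
    hours = p2.get("expire_hours") if p2.get("expire_on_time") else None
    kbytes = p2.get("expire_kbytes") if p2.get("expire_on_traffic") else None
    if hours is None and kbytes is None:
        hours = DEFAULT_KEY_LIFETIME_HOURS   # both options disabled: 8-hour default
    return hours, kbytes


# Constructed profiles: a weak one and the same group tightened up.
WEAK = {"model": "530",
        "phase1": {"dh_group": 1, "ike_keepalive": True, "dpd": True},
        "phase2": {"type": "ESP", "auth": "MD5", "encryption": "DES",
                   "expire_on_time": False, "expire_on_traffic": False}}
HARDENED = {"model": "2050",
            "phase1": {"dh_group": 5, "ike_keepalive": False, "dpd": True},
            "phase2": {"type": "ESP", "auth": "SHA1", "encryption": "AES-256",
                       "expire_on_time": True, "expire_hours": 1,
                       "expire_on_traffic": False}}


def review(profile: dict) -> List[str]:
    return (check_phase1(profile["phase1"])
            + check_phase2(profile["phase2"], profile["model"]))


if __name__ == "__main__":
    for name, prof in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, review(prof) or ["ok"], effective_key_expiration(prof["phase2"]))
```

The hardened profile keeps SHA1 because its constructed model, 2050, is on the page's no-SHA2 list; on a model outside that list the same checker accepts SHA2-256.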
Configure WINS and DNS Servers
Mobile VPN clients use shared Windows Internet Name Server (WINS) and Domain Name System
(DNS) server addresses. DNS translates host names into IP addresses, while WINS resolves
NetBIOS names to IP addresses. These servers must be accessible from the XTM device trusted
interface. Make sure you use only an internal DNS server.
In the network configuration, you can specify WINS and DNS servers to use.
Although you can add up to three DNS servers, the mobile VPN clients use only the
first two in the list.
1. Select Network > Interfaces.
The Interfaces configuration page appears.
2. (Optional) In the Domain Name text box, type a domain name that a DHCP client appends to
unqualified host names.
3. In the DNS Server or WINS Server text box, type the primary and secondary address for each
DNS or WINS server.
4. Click Add.
5. (Optional) Repeat Steps 2–3 to specify up to three DNS servers.
6. Click Save.
Lock Down an End User Profile
You can use the global settings to lock down the end user profile so that users can see some settings
but not change them, and hide other settings so that users cannot change them. We recommend that
you lock down all profiles so that users cannot make changes to their profiles.
1. Select VPN > Mobile VPN with IPSec.
2. To give mobile users read-only access to their profiles, select the Make security policies
read-only in the WatchGuard Mobile VPN client check box.
3. Click Save.
The next time you generate a configuration file for the WatchGuard Mobile VPN client, the .ini
configuration file is locked for the WatchGuard IPSec Mobile VPN Client.
Generate Mobile VPN with IPSec Configuration Files
To configure the WatchGuard IPSec Mobile VPN Client, you import a configuration file. The
configuration file is also called the end user profile. When you first configure a Mobile VPN with IPSec
group, or if you make a change to the settings for a group, you must regenerate the configuration file for
the group and provide it to mobile users.
To use Fireware XTM Web UI to generate an end-user profile file for a group:
1. Select VPN > Mobile VPN > IPSec.
2. In the Groups list, select the Mobile VPN group.
3. From the Client drop-down list, select the type of VPN client you use.
• Select Shrew Soft VPN to generate a .vpn file for the Shrew Soft VPN client.
• Select WatchGuard Mobile VPN to generate a .ini file for the WatchGuard Mobile VPN
client.
• Select WatchGuard iOS/Android Client to generate a .wgm file for the WatchGuard
Mobile VPN app for iOS and Android devices.
4. Click Generate.
5. Select a file name and location to save the configuration file. The correct file extension is
automatically added when the file is saved. Do not specify a different file extension.
You can now distribute the configuration file to the end users.
There are four types of configuration files.
.wgx
The .wgx file is used by the WatchGuard IPSec Mobile VPN Client. A .wgx file cannot set the
Line Management settings in the client software. If you set Line Management to anything other
than Manual, you must use the .ini configuration file. The .wgx file is encrypted with the
passphrase specified in the Mobile VPN with IPSec configuration. You must use Policy
Manager to generate the encrypted .wgx file.
.ini
The .ini file is used by the WatchGuard IPSec Mobile VPN Client. Use this file format only if you
did not set Line Management to Manual. The .ini file is not encrypted.
For more information, see Line Management on the Advanced tab in Modify an Existing Mobile
VPN with IPSec Group Profile on page 1171.
.vpn
The .vpn file is used by the Shrew Soft VPN client. The .vpn configuration file is not encrypted.
The Shrew Soft VPN client does not support some Mobile VPN with IPSec configuration
settings and features.
For more information, see About the Shrew Soft VPN Client.
.wgm
The .wgm file is used by the WatchGuard Mobile VPN app for iOS and Android devices. The
Mobile VPN with IPSec .wgm file is encrypted with the passphrase specified in the Mobile VPN
with IPSec configuration.
The .ini file for the WatchGuard IPSec Mobile VPN Client can be generated as read-only so that the
end users cannot change settings in the client.
For more information, see Lock Down an End User Profile on page 1183.
Fireware XTM Web UI cannot generate the encrypted .wgx file. To generate the
.wgx file, you must use Policy Manager.
Configure Policies to Filter Mobile VPN Traffic
In a default configuration, Mobile VPN with IPSec users have full access to XTM device resources
with the Any policy. The Any policy allows traffic on all ports and protocols between the Mobile VPN
user and the network resources available through the Mobile VPN tunnel. To restrict VPN user traffic
by port and protocol, you can delete the Any policy and replace it with policies that restrict access.
You can add and edit Mobile VPN with IPSec policies just like you add or edit any other policy. There
are, however, some policy properties that are different.
In a Mobile VPN with IPSec policy:
• The Policy tab lists the Available Resources. This list defines the network resources available
through the VPN tunnel for this policy.
• The Advanced tab includes only the advanced settings that apply to VPN traffic.
All other policy properties are the same as described in About Policy Properties.
Add an Individual Policy
To create policies that restrict VPN user traffic:
1. Select Firewall > Mobile VPN Policies.
2. Click Add Policy.
3. In the Select a policy type section, select Packet Filter, Proxies, or Custom.
4. From the adjacent drop-down list, select the policy type.
5. From the Select a group drop-down list, select the Mobile VPN group for this policy.
6. Click Add Policy.
7. Edit the Allowed Resources list as appropriate for this policy.
This list automatically includes the available resources defined in the Mobile VPN with IPSec
profile for the selected Mobile VPN group.
8. Configure other policy properties as described in About Policy Properties.
9. Save your configuration to the XTM device.
Edit a Mobile VPN with IPSec Policy
When you create a Mobile VPN with IPSec profile, Fireware XTM automatically creates a Mobile VPN
with IPSec Any policy that allows all traffic from users in the group to the resources available through
the tunnel. Any additional Mobile VPN with IPSec policies you create are also associated with a Mobile
VPN group.
If you edit the Mobile VPN with IPSec group profile to change the resources accessible through the
tunnel, the Allowed Resources in the policies for that group are not updated automatically. If you want
to update the Allowed Resources list, you must edit the existing policy.
To edit a Mobile VPN with IPSec Any policy:
1. Select Firewall > Mobile VPN Policies.
2. Click the name of the Any policy associated with the Mobile VPN with IPSec group.
The policy name is the group name followed by -Any.
3. On the Settings tab, edit the Allowed Resources list for the policy.
Click Copy from Group to copy the allowed resources from the Mobile VPN with IPSec group
configuration.
4. Update other policy properties as described in About Policy Properties.
5. Save the configuration to the XTM device.
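The toy model below is an added example, not WatchGuard code, of the Mobile VPN with IPSec policy behaviour described in the two sections above: the automatically created "<group>-Any" policy admits any port and protocol to the group's resources, replacing it with narrower policies restricts what a VPN user can reach, and a policy's Allowed Resources list is a copy that does not follow later edits of the group profile until it is copied from the group again. Group names, networks and ports are constructed for this example.

```python
"""Toy model of Mobile VPN with IPSec policy evaluation (added example,
not WatchGuard code): Any policy vs. restrictive policies, and the
Allowed Resources snapshot that 'Copy from Group' refreshes."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class MobileVpnGroup:
    name: str
    allowed_resources: List[str]          # CIDR strings reachable through the tunnel


@dataclass
class MobileVpnPolicy:
    name: str
    group: str
    allowed_resources: List[str]          # snapshot copied from the group profile
    protocol: Optional[str] = None        # None: any protocol (as in the Any policy)
    ports: Set[int] = field(default_factory=set)   # empty: any port

    def matches(self, dst_ip: str, protocol: str, port: int) -> bool:
        addr = ipaddress.ip_address(dst_ip)
        if not any(addr in ipaddress.ip_network(net) for net in self.allowed_resources):
            return False
        if self.protocol is not None and protocol != self.protocol:
            return False
        if self.ports and port not in self.ports:
            return False
        return True


def make_any_policy(group: MobileVpnGroup) -> MobileVpnPolicy:
    """Modelled after the text: all ports and protocols to the group's resources."""
    return MobileVpnPolicy(f"{group.name}-Any", group.name, list(group.allowed_resources))


def copy_from_group(policy: MobileVpnPolicy, group: MobileVpnGroup) -> None:
    """The 'Copy from Group' action: refresh the policy's snapshot."""
    policy.allowed_resources = list(group.allowed_resources)


def is_allowed(policies, group_name: str, dst_ip: str, protocol: str, port: int) -> bool:
    return any(p.group == group_name and p.matches(dst_ip, protocol, port) for p in policies)


def demo() -> dict:
    sales = MobileVpnGroup("sales", ["10.0.10.0/24"])   # constructed group
    results = {}

    # Default: the Any policy lets a sales user reach RDP on an internal server.
    policies = [make_any_policy(sales)]
    results["any_rdp"] = is_allowed(policies, "sales", "10.0.10.5", "tcp", 3389)

    # Restrict: delete the Any policy, allow only HTTPS and DNS.
    policies = [
        MobileVpnPolicy("sales-HTTPS", "sales", list(sales.allowed_resources), "tcp", {443}),
        MobileVpnPolicy("sales-DNS", "sales", list(sales.allowed_resources), "udp", {53}),
    ]
    results["restricted_rdp"] = is_allowed(policies, "sales", "10.0.10.5", "tcp", 3389)
    results["restricted_https"] = is_allowed(policies, "sales", "10.0.10.5", "tcp", 443)

    # Edit the group profile to add a network: existing policies keep their snapshot.
    sales.allowed_resources.append("10.0.20.0/24")
    results["new_net_before_copy"] = is_allowed(policies, "sales", "10.0.20.8", "tcp", 443)
    for p in policies:
        copy_from_group(p, sales)
    results["new_net_after_copy"] = is_allowed(policies, "sales", "10.0.20.8", "tcp", 443)
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:22s} {'allow' if allowed else 'deny'}")
```

The last two results are the practical point of the second section: after you add a network to the group profile, VPN users still cannot reach it through the existing policies until you edit each one and use Copy from Group (or update the list by hand).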
Distribute the Software and Profiles
WatchGuard recommends that you distribute end-user profiles by encrypted email or another secure
method.
Each VPN client device must have:
• Software installation package
For Windows devices
The Shrew Soft VPN Client installation package is available directly from the WatchGuard
Portal, or from Shrew Soft (http://www.shrew.net/download).
The WatchGuard IPSec Mobile VPN Client is available for download from the
WatchGuard Portal. This premium client comes with a 30 day trial, and requires a license
for use after the trial period.
For Mac OS X devices
The WatchGuard IPSec Mobile VPN Client is available for download from the WatchGuard
Portal. This premium client comes with a 30 day trial, and requires a license for use after
the trial period.
For iOS or Android devices
The WatchGuard VPN client app for iOS devices is available from the Apple App Store.
The WatchGuard VPN client app for Android devices is available from Google Play. The
user must install the WatchGuard VPN client app in order to use the .wgm mobile
configuration profile.
• The end user profile
This file contains the group name, shared key, and settings that enable a remote computer to
connect securely over the Internet to a protected, private computer network. The end user
profiles have these file names: groupname.wgx, groupname.ini, groupname.vpn, and
groupname.wgm.
For more information about the end-user profile types, see Generate Mobile VPN with IPSec
Configuration Files.
• Two certificate files, if you use certificates for authentication
The first file is the .p12 file, which is an encrypted file containing the certificate. The second file
is the cacert.pem, which contains the root (CA) certificate. The .p12 and cacert.pem files can
be found in the same location as the .wgx end user profile.
• User documentation
Documentation to help the remote user install the Mobile VPN client and import the Mobile VPN
configuration file can be found in the About Mobile VPN Client Configuration Files topics.
• Passphrase
To import the encrypted .wgx end user profile to the WatchGuard XTM IPSec Mobile VPN
Client, the user must type the passphrase to decrypt the file. To import the encrypted .wgm
profile to the WatchGuard Mobile client app on an iOS or Android device, the user must
also type the passphrase to decrypt the file.
You set the encryption passphrase when you create the Mobile VPN group in Policy
Manager. The Fireware XTM Web UI cannot generate the encrypted .wgx file.
For information about how to change the shared key, see Modify an Existing Mobile VPN with
IPSec Group Profile on page 1171.
The end-user profile passphrase, user name, and user password are sensitive
information. For security reasons, we recommend that you do not provide this
information by email. Because email is not secure, an unauthorized user can use the
information to get access to your internal network. Give the user the information by a
method that does not allow an unauthorized person to intercept it.
Additional Mobile VPN Topics
This section describes special topics for Mobile VPN with IPSec.
Making Outbound IPSec Connections from Behind an XTM Device
A user might have to make IPSec connections to an XTM device from behind another XTM device. For
example, if a mobile employee travels to a customer site that has an XTM device, that user can make
IPSec connections to their network. For the local XTM device to correctly manage the outgoing IPSec
connection, you must set up an IPSec policy that includes the IPSec packet filter.
For more information on how to enable policies, see About Policies on page 593.
Because the IPSec policy enables a tunnel to the IPSec server and does not complete any security
checks at the firewall, add only the users that you trust to this policy.
Terminate IPSec Connections
To fully stop VPN connections, the XTM device must be restarted. Current connections do not stop
when you remove the IPSec policy.
Global VPN Settings
Global VPN settings on your XTM device apply to all manual BOVPN tunnels, managed tunnels, and
Mobile VPN tunnels. You can use these settings to:
• Enable IPSec pass-through.
• Clear or maintain the settings of packets with Type of Service (TOS) flags set.
• Use an LDAP server to verify certificates.
To change these settings, from Fireware XTM Web UI, select VPN > Global Settings. For more
information on these settings, see About Global VPN Settings on page 1059.
See the Number of Mobile VPN Licenses
From Fireware XTM Web UI, you can see the number of Mobile VPN licenses that are available with
the feature key.
1. Select System > Feature Key.
The Feature Key page appears.
2. Scroll down to Mobile VPN Users in the Feature column, and find the number in the Value
column. This is the maximum number of Mobile VPN users that can connect at the same time.
Purchase Additional Mobile VPN Licenses
WatchGuard Mobile VPN with IPSec is an optional feature. Each XTM device includes a number of
Mobile VPN licenses. You can purchase more licenses for Mobile VPN.
Licenses are available through your local reseller, or on the WatchGuard web site at
http://www.watchguard.com/sales.
Add Feature Keys
For more information on how to add feature keys, see About Feature Keys on page 61.
Mobile VPN and VPN Failover
You can configure VPN tunnels to fail over to a backup endpoint if the primary endpoint becomes
unavailable. For more information on VPN failover, see Configure VPN Failover on page 1098.
If VPN failover is configured and failover occurs, Mobile VPN sessions do not continue. You must
authenticate your Mobile VPN client again to make a new Mobile VPN tunnel.
From Fireware XTM Web UI, you can configure VPN failover for Mobile VPN tunnels.
1. Select VPN > Mobile VPN with IPSec.
The Mobile VPN with IPSec Settings page appears.
2. Select a mobile user group from the list and click Edit.
The Edit Mobile VPN with IPSec dialog box appears.
3. Select the General tab.
4. In the Firebox IP Addresses section, type a backup WAN interface IP address in the Backup
text box.
You can specify only one backup interface for tunnels to fail over to, even if you have additional
WAN interfaces.
Configure Mobile VPN with IPSec to a Dynamic IP Address
We recommend that you use either a static IP address for an XTM device that is a VPN endpoint, or use
Dynamic DNS. For more information about Dynamic DNS, see About the Dynamic DNS Service on
page 167.
If neither of these options is possible, and the external IP address of the XTM device changes, you
must either give remote IPSec users a new .wgx configuration file or have them edit the client
configuration to include the new IP address each time that the IP address changes. Otherwise, IPSec
users cannot connect until they get the new configuration file or IP address.
Use these instructions to configure the XTM device and support the IPSec client users if the XTM
device has a dynamic IP address and you cannot use Dynamic DNS.
Keep a Record of the Current IP Address
From Fireware XTM Web UI, you can find the current IP address of the XTM device external interface.
1. Select Dashboard > Interfaces.
2. Find the interface with the alias External and review the IP address. This is the external
IP address of the XTM device.
This is the IP address that is saved to the .wgx configuration files. If remote users cannot connect,
check the external IP address of the XTM device to see if the IP address has changed.
Configure the XTM Device and IPSec Client Computers
The XTM device must have an IP address assigned to the external interface before you download the
.wgx files. This is the only difference from the normal configuration of the XTM device and IPSec client
computers.
Update the Client Configurations When the Address Changes
When the external IP address of the XTM device changes, the remote IPSec Mobile VPN client
computers cannot connect until they have been configured with the new IP address. You can change
the IP address in two ways.
• Give remote users a new .wgx configuration file to import.
• Have remote users manually edit the IPSec client configuration. For this option, you must
configure the XTM device so remote users can edit the configuration. For more information, see
Lock Down an End User Profile on page 1183.
From Fireware XTM Web UI, you can give users a new .wgx configuration file.
1. Select VPN > Mobile VPN with IPSec.
2. Select a Mobile VPN user group and click Generate to generate and download the .wgx files.
3. Distribute the .wgx files to the remote users.
4. Tell the remote users to Import the End-User Profile.
To have users manually edit the client configuration:
1. Give remote users the new external IP address of the XTM device and tell them to perform the
next five steps.
2. On the IPSec client computer, select Start > All Programs > WatchGuard Mobile VPN >
Mobile VPN Monitor.
3. Select Configuration > Profile Settings.
4. Select the profile and click Configure.
5. In the left column, select IPSec General Settings.
6. In the Gateway text box, type the new external IP address of the XTM device.
About the XTM IPSec Mobile VPN Client
The WatchGuard IPSec Mobile VPN Client is installed on a mobile client computer, whether the user
travels or works from home. The user connects with a standard Internet connection and activates the
Mobile VPN client to get access to protected network resources.
The Mobile VPN client creates an encrypted tunnel to your trusted and optional networks, which are
protected by an XTM device. It enables you to provide remote access to your internal networks and not
compromise your security.
Client Requirements
Before you install the WatchGuard IPSec Mobile VPN Client, make sure you understand these
requirements and recommendations.
You must configure your XTM device to enable connections from an IPSec VPN client. If you have not
done this, see Configure the XTM Device for Mobile VPN with IPSec for more information.
• You can install the WatchGuard IPSec Mobile VPN Client software on any computer with Mac
OS X 10.7 and 10.8.
• You can install the WatchGuard IPSec Mobile VPN Client software on any computer with
Windows XP, Windows Vista, Windows 7, and Windows 8. Before you install the client
software, make sure the remote computer does not have any other IPSec VPN client software
installed. You must also uninstall any desktop firewall software (other than Microsoft firewall
software) from each remote computer.
• If the client computer uses Windows XP, you must log on using an account that has
administrator rights to install the Mobile VPN client software and to import the .wgx or .ini
configuration file. Administrator rights are not required to connect after the client has been
installed and configured.
• If the client computer uses Windows Vista, you must log on using an account that has
administrator rights to install the Mobile VPN client software. Administrator rights are not
required to import a .wgx or .ini file or to connect after the client has been installed.
• We recommend that you check to make sure all available service packs for your client operating
system are installed before you install the Mobile VPN client software.
• WINS and DNS settings for the Mobile VPN client are obtained from the client profile you import
when you set up your Mobile VPN client.
• We recommend that you do not change the configuration of any Mobile VPN client setting not
explicitly described in this documentation.
Install the IPSec Mobile VPN Client Software
You can install the IPSec Mobile VPN Client software on any computer that uses Windows XP SP2,
Windows 7, 8, or 8.1, or Mac OS X 10.7, 10.8, or 10.9. The installation process consists of two parts:
install the client software on the remote computer, and import the end-user profile into the client. Before
you start the installation, make sure you have the following installation components:
• The WatchGuard IPSec Mobile VPN client installation file (Windows or Mac)
• An end-user profile, with a file extension of .wgx or .ini
• Passphrase
• A cacert.pem and a .p12 file (if you use certificates to authenticate)
• User name and password
Write the passphrase down and keep it in a secure location. You must use it during
the final steps of the installation procedure.
To install the client on a Windows computer:
1. Copy the Mobile VPN installation file (.zip) to the remote computer and extract the contents of
the file. Do not run the installation software from a CD or other external drive.
2. Copy the end user profile (the .wgx or .ini file) to the same location on the remote (client or user)
computer.
If you use certificates to authenticate, copy the cacert.pem and .p12 files to the root directory.
3. Double-click the .exe file you extracted in Step 1. This starts the WatchGuard Mobile VPN
Installation wizard. You must restart your computer when the installation wizard completes.
To install the client on a Mac OS X computer:
1. Copy the Mobile VPN disk image file (.dmg) to the remote computer. Do not run the installation
software from a CD or other external drive.
2. Copy the end user profile (the .wgx or .ini file) to the same location on the remote (client or user)
computer.
If you use certificates to authenticate, copy the cacert.pem and .p12 files to the root directory.
3. Double-click the Mobile VPN installation file.
4. Double-click the Watchguard Mobile VPN.pkg icon to start the WatchGuard Mobile
VPN Installer.
For detailed instructions written for WatchGuard IPSec Mobile VPN Client end-users, see End-User
Instructions for WatchGuard IPSec Mobile VPN Client Installation on page 1204.
Import the End-User Profile
When the WatchGuard Mobile VPN client starts for the first time after you install it, it prompts you to
manually configure a profile. Click No in the Windows client, or Cancel in the Mac OS X client, to skip
the manual profile configuration step. Then, use the steps in the subsequent sections to import the
mobile VPN configuration .wgx or .ini file to the WatchGuard Mobile VPN client.
Import the End-User Profile in the Windows Client
To import a Mobile VPN configuration .wgx or .ini file to the WatchGuard Mobile VPN Client for
Windows:
1. From your Windows desktop, select Start > All Programs > WatchGuard Mobile VPN >
Mobile VPN Monitor.
2. Select Configuration > Profiles.
3. Click Add/Import.
The Profile Import Wizard starts.
4. On the Select User Profile screen, browse to the location of the .wgx or .ini configuration file.
5. Click Next.
6. If you use a .wgx file, on the Decrypt User Profile screen, type the passphrase. The
passphrase is case-sensitive.
7. Click Next.
8. On the Overwrite or add Profile screen, you can select to overwrite a profile of the same
name. This is useful if your network administrator gives you a new .wgx file to import.
9. Click Next.
10. On the Authentication screen, you can select whether to type the user name and password
that you use to authenticate the VPN tunnel.
If you keep these fields empty, you are prompted to enter your user name and password each
time you connect.
If you type your user name and password, the XTM device stores them and you do not have to
enter this information each time you connect. However, this is a security risk. You can also type
just your user name and keep the Password text box empty.
11. Click Next.
12. Click Finish.
The computer is now ready to use Mobile VPN with IPSec.
Import the End-User Profile in the Mac OS X Client
To import a Mobile VPN configuration .wgx or .ini file to the WatchGuard Mobile VPN Client for Mac
OS X:
1. Start the WatchGuard Mobile VPN Client.
2. Select WatchGuard Mobile VPN Client > Profiles.
3. Click Import.
The Profile Import Wizard starts.
4. On the Select User Profile screen, browse to the location of the .wgx or .ini configuration file.
5. Click Next.
6. If you use a .wgx file, on the Decrypt User Profile screen, type the passphrase. The
passphrase is case-sensitive.
7. Click Next.
8. Select the profile within the imported file to import.
The imported profile automatically overwrites any existing profile that has the same name.
9. Click Next.
10. On the Authentication screen, you can select whether to type the user name and password
that you use to authenticate the VPN tunnel.
If you keep these fields empty, you are prompted to enter your user name and password each
time you connect.
If you type your user name and password, the XTM device stores them and you do not have to
enter this information each time you connect. However, this is a security risk. You can also type
just your user name and keep the Password text box empty.
11. Click Next.
12. Click Finish.
The computer is now ready to use Mobile VPN with IPSec.
Select a Certificate and Enter the PIN
If you use certificates for authentication, you must add the correct certificate and then configure the
Mobile VPN connection profile to use that certificate.
To add a certificate to the Mobile VPN client profile, you must have a cacert.pem and a .p12 file.
Configure the Certificate in the Windows client
Add the certificate:
1. Start the WatchGuard Mobile VPN Client.
2. Select Configuration > Certificates.
3. Click Add.
4. On the User Certificate tab, select from PKS#12 file from the Certificate drop-down list.
5. Adjacent to the PKS#12 Filename text box, click the button and browse to the location of the
.p12 file.
6. Click OK. Click Close.
Select the certificate for the Mobile VPN profile:
1. Select Configuration > Profiles.
2. Select the profile name. Click Edit.
3. Click Identities.
4. From the Certificate configuration drop-down box, select the certificate configuration you
added.
5. Select Connection > Enter PIN.
6. Type the passphrase and click OK.
Configure the Certificate in the Mac OS X Client
Add the certificate:
1. Start the WatchGuard Mobile VPN Client.
2. Select WatchGuard Mobile VPN > Preferences.
The list of certificates appears.
3. Click "+" to add a new certificate.
4. Type a name for the certificate.
5. From the Certificate drop-down list, select from PKS#12 file.
6. Adjacent to the PKS#12 Filename text box, click the button and browse to the location of the
.p12 file.
7. Click OK.
8. Close the Preferences dialog box.
Select the certificate for the Mobile VPN profile:
1. Select WatchGuard Mobile VPN > Profiles.
2. Select the profile name. Click Edit.
3. Click Identities.
4. From the Certificate configuration drop-down box, select the certificate configuration you
added.
5. Click OK.
6. Close the Profiles dialog box.
7. Select Connection > Enter PIN.
8. Type the passphrase and click OK.
Uninstall the IPSec Mobile VPN Client
We recommend that you use the Windows Add/Remove Programs tool to uninstall the WatchGuard
IPSec Mobile VPN Client for Windows.
It is not necessary to uninstall the Mobile VPN client software before you apply an
upgrade to the client software.
Before you uninstall the client, disconnect all tunnels and close the Mobile VPN Connection Monitor.
Uninstall the WatchGuard Mobile VPN Client for Windows
From the Windows desktop:
1. Click Start > Settings > Control Panel.
The Control Panel window appears.
2. Double-click the Add/Remove Programs icon.
The Add/Remove Programs window appears.
3. Select WatchGuard Mobile VPN and click Change/Remove.
The InstallShield Wizard window appears.
4. Click Remove and click Next.
The Confirm File Deletion dialog box appears.
5. Click OK to completely remove all of the components. If you do not select this check box at the
end of the uninstall, the next time you install the Mobile VPN software the connection settings
from this installation are used for the new installation.
Uninstall the WatchGuard IPSec Mobile VPN Client for Mac OS X
The installation disk image file (.dmg) includes an uninstaller that you can use to remove the client from
your computer.
To uninstall the client:
1. Copy the Mobile VPN .dmg to the remote computer if it is not already there.
2. Double-click the Mobile VPN .dmg file.
3. Double-click the Uninstall icon.
The WatchGuard Mobile VPN Uninstaller starts.
4. Complete the uninstaller to completely uninstall the client and configuration files.
Connect and Disconnect the Mobile VPN Client
The WatchGuard IPSec Mobile VPN Client makes a secure connection from a remote computer to
your protected network over the Internet. To start this connection, you must connect to the Internet and
use the Mobile VPN client to connect to the protected network.
Start your connection to the Internet through a Dial-Up Networking connection or LAN connection.
Then, use the instructions below to connect.
You can also select the profile, connect, or disconnect by right-clicking the Mobile
VPN icon in the Windows system tray or clicking the Mobile VPN icon in the Mac OS
X menu bar.
1. Start the WatchGuard Mobile VPN Client.
2. From the Profile drop-down list, select the name of the profile you created for your Mobile VPN
connections to the XTM device.
3. Click to connect.
Disconnect the Mobile VPN Client
On the Mobile VPN Monitor dialog box, click to disconnect.
Mobile VPN with IPSec
1198 Fireware XTMWeb UI
Mobile VPN with IPSec
User Guide 1199
Control Connection Behavior
For each profile you import, you can control the action the WatchGuard IPSec Mobile VPN Client takes
when the VPN tunnel becomes unavailable for any reason. You can configure these settings on the
XTM device and use a .ini file to configure the client software. A .wgx file does not change these
settings.
If you import a .ini file to configure the client software, do not change any of the Line
Management settings. The .ini file configures these settings for you.
From the WatchGuard Mobile VPN Monitor, you can manually set the behavior of the VPN client when
the VPN tunnel becomes unavailable.
1. On a Windows computer, from the Windows WatchGuard Mobile VPN client, select
Configuration > Profiles. Or, on a Mac OS X computer, from the WatchGuard Mobile VPN
client, select WatchGuard Mobile VPN Client > Profiles.
2. Select the name of the profile and click Edit.
3. Select Line Management.
4. In the Connection Mode drop-down list, select a connection behavior for this profile.
- Manual: When you select manual connection mode, the client does not try to restart the VPN tunnel automatically if the VPN tunnel goes down. To restart the VPN tunnel, you must click the Connect button in the Mobile VPN Client, or right-click the Mobile VPN icon on your Windows desktop toolbar and click Connect.
- Automatic: When you select automatic connection mode, the client tries to start the connection when your computer sends traffic to a destination that you can reach through the VPN. The client also tries to restart the VPN tunnel automatically if the VPN tunnel goes down.
- Variable: When you select variable connection mode, the client tries to restart the VPN tunnel automatically until you click Disconnect. The client does not try to restart the VPN tunnel again until after the next time you click Connect.
5. Click OK.
IPSec Mobile VPN Client Icon
The WatchGuard Mobile VPN client icon appears in the system tray (Windows) or menu bar (OS X).
The icon color indicates the status of the VPN connection.
- Red: the VPN is not connected
- Yellow: the VPN client is attempting to connect
- Green: the VPN is connected
Windows System Tray Icon
On a Windows computer, you can right-click the icon in the system tray to reconnect and disconnect
your Mobile VPN, and to see the profile in use.
Mac OS X Menu Bar Icon
On a Mac OS X computer, the VPN client icon does not automatically appear in the menu bar. To make
the icon appear in the menu bar, in the Mobile VPN Client, select WatchGuard Mobile VPN > Show
VPN client monitor in menu bar.
Click the icon in the menu bar to show VPN connection status.
From the menu bar icon, you can:
- Connect or disconnect the VPN
- Select the profile to use
- See connection information and a local log file
- Start the VPN client monitor as an application (this removes the icon from the menu bar)
- Quit the WatchGuard Mobile VPN client
See Mobile VPN Log Messages
You can use the Mobile VPN client log file to troubleshoot problems with the IPSec VPN client
connection.
To see Mobile VPN log messages in the Mac OS X VPN client, select Log > Logbook from the
WatchGuard Mobile VPN client.
The Log Book dialog box appears.
To see Mobile VPN log messages in the Windows VPN client, select Help > Logbook from the
WatchGuard Mobile VPN Monitor.
The Log Book dialog box appears.
Secure Your Computer with the Mobile VPN Firewall
The WatchGuard IPSec Mobile VPN Client includes two firewall components:
Link firewall (Windows client only)
The link firewall is not enabled by default. When the link firewall is enabled, your computer
discards any packets received from other computers. You can choose to enable the link firewall
only when a Mobile VPN tunnel is active, or enable it all the time.
Desktop firewall
This full-featured firewall can control connections to and from your computer. You can define
friendly networks and set access rules separately for friendly and unknown networks.
Enable the Link Firewall
When the link firewall is enabled, the WatchGuard IPSec Mobile VPN Client drops any packets sent to
your computer from other hosts. It allows only packets sent to your computer in response to packets
your computer sends. For example, if you send a request to an HTTP server through the tunnel from
your computer, the reply traffic from the HTTP server is allowed. If a host tries to send an HTTP
request to your computer through the tunnel, it is denied.
To enable the link firewall in the Mobile VPN client for Windows:
1. From the WatchGuard Mobile VPN Monitor, select Configuration > Profiles.
2. Select the profile you want to enable the link firewall for and select Edit.
3. From the left pane, select Link Firewall.
4. From the Stateful Inspection drop-down list, select when connected or always.
If you select when connected, the link firewall operates only when the VPN tunnel is active for
this profile.
If you select always, the link firewall is always active, whether the VPN tunnel is active or not.
5. Click OK.
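As an added illustration (not part of the guide or of the client's code), the stateful behavior described above can be modeled in a few lines of Python; the addresses, ports, and packets are constructed for the walkthrough, and the handling of when connected versus always follows the description of the Stateful Inspection setting.

```python
# Added example, not WatchGuard's code: a small model of the Mobile VPN link
# firewall described above. Packets are constructed dataclasses, not real traffic.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "out" = sent by this computer, "in" = received by it
    proto: str        # "tcp" or "udp"
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


class LinkFirewall:
    """Stateful inspection as the guide describes it: an inbound packet is
    allowed only if it answers a flow this computer opened.

    mode is "when connected" or "always", the two values of the client's
    Stateful Inspection drop-down list."""

    def __init__(self, mode="when connected"):
        if mode not in ("when connected", "always"):
            raise ValueError("mode must be 'when connected' or 'always'")
        self.mode = mode
        self.tunnel_active = False
        # Flows opened by outbound packets: (proto, local ip/port, remote ip/port)
        self._flows = set()

    def _enforcing(self):
        # "when connected" filters only while the VPN tunnel is up.
        return self.mode == "always" or self.tunnel_active

    def filter(self, pkt):
        """Return "allow" or "deny" for one packet and update the flow table."""
        key = (pkt.proto, pkt.local_ip, pkt.local_port,
               pkt.remote_ip, pkt.remote_port)
        if pkt.direction == "out":
            # Anything this computer sends is allowed and opens a flow that
            # reply traffic may use.
            self._flows.add(key)
            return "allow"
        if pkt.direction != "in":
            raise ValueError("direction must be 'in' or 'out'")
        if not self._enforcing():
            # Assumption: while the link firewall is not operating it makes no
            # decision of its own (the desktop firewall, if enabled, still does).
            return "allow"
        return "allow" if key in self._flows else "deny"


# Constructed addresses for the walkthrough: the VPN client computer and an
# HTTP server on the protected network.
CLIENT = "10.10.10.5"
SERVER = "192.168.1.10"


def http_walkthrough(mode="when connected", tunnel_active=True):
    """Replays the guide's HTTP example and returns the three decisions:
    the client's request, the server's reply, and an unsolicited inbound
    HTTP request from another host."""
    fw = LinkFirewall(mode)
    fw.tunnel_active = tunnel_active
    request = Packet("out", "tcp", CLIENT, 51000, SERVER, 80)
    reply = Packet("in", "tcp", CLIENT, 51000, SERVER, 80)
    unsolicited = Packet("in", "tcp", CLIENT, 80, "192.168.1.20", 40000)
    return [fw.filter(request), fw.filter(reply), fw.filter(unsolicited)]


if __name__ == "__main__":
    print("tunnel up, when connected:", http_walkthrough())
    print("tunnel down, when connected:", http_walkthrough(tunnel_active=False))
    print("tunnel down, always:", http_walkthrough("always", tunnel_active=False))
```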
Enable the Desktop Firewall
The WatchGuard IPSec VPN Client includes a full-featured desktop firewall. The firewall operates
even when the VPN client is not connected.
To enable the desktop firewall:
1. In the Windows VPN client, select Configuration > Firewall.
Or, in the Mac OS X VPN client, select WatchGuard Mobile VPN > Preferences > Firewall.
2. Select the Enable Firewall check box.
If you enable the firewall, and do not configure firewall rules, the firewall blocks all
incoming and outgoing IP traffic.
To configure the firewall, you can add one of the predefined firewall rules, or create new firewall rules.
To add a predefined firewall rule:
1. From the Predefined firewall rules drop-down list, select a rule.
2. Click Insert.
The selected rule is added to the rules list. The IP addresses for the selected rule appear below the
table.
To add a custom firewall rule:
1. Click New.
A new firewall rule is added to the table. By default, a new rule allows all outgoing traffic from any
IPv4 address.
2. Click each column in the table to edit the rule properties.
3. Edit the IP addresses for the selected rule in the Local and Remote sections below the table.
After you have enabled the desktop firewall, you can configure your firewall settings.
For more information about how to edit the properties of a firewall rule, and for information about how to
configure friendly networks, firewall options and logging, see the Firewall section of the help in the
VPN client.
End-User Instructions for WatchGuard IPSec Mobile VPN Client
Installation
These instructions are written for WatchGuard IPSec Mobile VPN Client end users.
They tell end users to contact their network administrator for instructions on how to
install a desktop firewall or configure the firewall that is part of the client software,
and for the settings to control the connection behavior if they do not use a .ini file. You
can print these instructions or use them to create a set of instructions for your end
users.
The WatchGuard IPSec Mobile VPN Client creates an encrypted connection between your computer
and the XTM device with a standard Internet connection. The Mobile VPN client enables you to get
access to protected network resources from any remote location with an Internet connection.
Before you install the client, make sure you understand these requirements and recommendations:
- You can install the IPSec Mobile VPN Client software for Windows on any computer with Windows XP SP2, 7, 8, or 8.1.
- You can install the IPSec Mobile VPN Client software for Mac OS X on any computer with Mac OS X 10.7, 10.8, or 10.9.
- Make sure the computer does not have any other IPSec VPN client software installed.
- Uninstall any desktop firewall software other than Microsoft firewall software from your computer.
- If the client computer uses Windows XP, to install the Mobile VPN client software and to import the .wgx configuration file, you must log on with an account that has administrator rights. Administrator rights are not required to connect after the client has been installed and configured.
- If the client computer uses Windows Vista, to install the IPSec Mobile VPN Client software, you must log on with an account that has administrator rights. Administrator rights are not required to import a .wgx or .ini file or to connect after the client has been installed.
- We recommend that you check to make sure all available service packs are installed before you install the Mobile VPN client software.
- We recommend that you do not change the configuration of any Mobile VPN client setting not explicitly described in this documentation.
Before you start the installation, make sure you have the following installation components:
- Mobile VPN with IPSec software installation file
- End-user profile, with a .wgx or .ini file extension
- Passphrase (if the end-user profile is a .wgx file or the connection uses certificates for authentication)
- User name and password
- cacert.pem and .p12 certificate file (if the connection uses certificates for authentication)
- The WatchGuard XTM IPSec VPN Client license number and serial number to activate the client (to activate the client to work longer than the 30 day trial period)
Install the Client Software for Windows
To install the client on a Windows computer:
1. Copy the Mobile VPN .zip file to the remote computer and extract the contents of the file to the
remote (client or user) computer. Do not run the installation software from a CD or other external
drive.
2. Copy the end user profile (the .wgx or .ini file) to the same location as the client installation
software.
If you use certificates to authenticate, copy the cacert.pem and .p12 files to the same location as well.
3. Double-click the .exe file you extracted in Step 1. This starts the WatchGuard Mobile VPN
Installation Wizard. You must restart your computer when the installation wizard completes.
4. Click through the wizard and accept all the default settings.
5. Restart your computer when the installation wizard completes.
6. When the computer restarts, the WatchGuard Mobile VPN Monitor appears. When the software
starts for the first time after you install it, you see this message:
There is no profile for the VPN dial-up!
Do you want to use the configuration wizard for creating a profile now?
7. Click No.
8. Select View > Autostart > No Autostart so that the program does not run automatically.
To start the WatchGuard Mobile VPN client:
From your Windows desktop, select Start > All Programs > WatchGuard Mobile VPN >
Mobile VPN Monitor.
To configure the client, you import the end user profile that configures the IPSec Mobile VPN client
with the settings required to create a VPN tunnel. For this step, you need the profile passphrase set by
the administrator.
To import a Mobile VPN configuration .wgx or .ini file:
1. From the WatchGuard Mobile VPN client, select Configuration > Profiles.
2. Click Add/Import.
The Profile Import Wizard starts.
3. On the Select User Profile screen, browse to the location of the .wgx or .ini configuration file.
4. Click Next.
5. If you use a .wgx file, on the Decrypt User Profile screen, type the passphrase. The
passphrase is case-sensitive.
6. Click Next.
7. On the Overwrite or add Profile screen, you can select to overwrite a profile of the same
name. This is useful if your network administrator gives you a new .wgx file to import.
8. Click Next.
9. On the Authentication screen, you can select whether to type the user name and password
that you use to authenticate the VPN tunnel.
If you keep these fields empty, you must enter your user name and password each time you
connect.
If you type your user name and password, the XTM device stores them and you do not have to
enter this information each time you connect. However, this is a security risk. You can also type
just your user name and keep the Password field empty.
After you install the client software, reinstall the original desktop firewall software or configure the
firewall that is part of the client software. If you use a third-party desktop firewall, make sure you
configure it to allow traffic to establish the VPN tunnel and the traffic that goes through the tunnel.
Contact your network administrator for instructions.
Install the Client Software for Mac OS X
To install the client on a Mac OS X computer:
1. Copy the Mobile VPN disk image file (.dmg) to the remote computer. Do not open the disk
image file from a CD or other external drive.
2. Copy the end user profile (the .wgx or .ini file) to the remote (client or user) computer.
If you use certificates to authenticate, copy the cacert.pem and .p12 files to the root directory.
3. Double-click the Mobile VPN installation file.
4. Double-click the WatchGuard Mobile VPN.pkg icon.
The WatchGuard Mobile VPN Installer starts.
5. Click through the wizard and accept the default settings.
The VPN client software is installed in the Application folder.
To start the WatchGuard Mobile VPN Client:
From the Applications folder, double-click the WatchGuard Mobile VPN client.
To configure the client, you import the end user profile that configures the IPSec Mobile VPN client
with the settings required to create a VPN tunnel. For this step, you need the profile passphrase set by
the administrator.
To import the end user profile:
1. Start the WatchGuard Mobile VPN Client.
The first time you start the WatchGuard Mobile VPN client, it asks you to type a profile name.
2. Click Cancel.
3. To import the profile, click Import.
4. Browse to the folder where you saved the .wgx or .ini file.
5. Select the file and click Open.
6. Click Next.
7. If you use a .wgx file, in the Key text box, type the passphrase for this profile.
8. Click Next.
9. Select the profile within the imported file to import.
10. Click Next.
11. On the Authentication data page, you can select whether to type the user name and password
that you use to authenticate the VPN tunnel.
If you keep these fields empty, you must enter your user name and password each time you
connect.
If you type your user name and password, the XTM device stores them and you do not have to
enter this information each time you connect. However, this is a security risk. You can also type
just your user name and keep the Password field empty.
12. Click Next.
13. Click Finish.
14. Click OK.
To see the installed profiles, or install a different profile, in the WatchGuard Mobile VPN client, select
WatchGuard Mobile VPN > Profiles.
After you install the client software, reinstall the original desktop firewall software or configure the
firewall that is part of the client software. If you use a third-party desktop firewall, make sure you
configure it to allow traffic to establish the VPN tunnel and the traffic that goes through the tunnel.
Contact your network administrator for instructions.
Select a Certificate and Type the PIN
Complete these steps only if you have a cacert.pem and a .p12 file.
To configure the certificate in the Windows VPN client:
1. Start the WatchGuard Mobile VPN Client.
2. Select Configuration > Certificates.
3. Click Add.
4. On the User Certificate tab, select from PKCS#12 file from the Certificate drop-down list.
5. Adjacent to the PKCS#12 Filename text box, click the button and browse to the location of the
.p12 file.
6. Click OK. Click Close.
7. Select Configuration > Profiles.
8. Select the profile name. Click Edit.
9. Click Identities.
10. From the Certificate configuration drop-down box, select the certificate configuration you
added.
11. Select Connection > Enter PIN.
12. Type the passphrase and click OK.
To configure the certificate in the Mac OS X VPN client:
1. Start the WatchGuard Mobile VPN Client.
2. Select WatchGuard Mobile VPN > Preferences.
The list of certificates appears.
3. Click "+" to add a new certificate.
4. Type a name for the certificate.
5. From the Certificate drop-down list, select from PKCS#12 file.
6. Adjacent to the PKCS#12 Filename text box, click the button and browse to the location of the
.p12 file.
7. Click OK.
8. Close the Preferences dialog box.
9. Select WatchGuard Mobile VPN > Profiles.
10. Select the profile name. Click Edit.
11. Click Identities.
12. From the Certificate configuration drop-down box, select the certificate configuration you
added.
13. Click OK.
14. Close the Profiles dialog box.
15. Select Connection > Enter PIN.
16. Type the passphrase and click OK.
Activate the VPN Client License
The IPSec Mobile VPN client comes with a 30 day trial license. To use the client longer than 30 days,
you must activate a license for it. To activate your IPSec Mobile VPN Client, you must have:
- The WatchGuard Mobile VPN Client for Windows v11.3.2 or higher, or the WatchGuard Mobile VPN Client for Mac OS X
- An active connection to the Internet
- The license number and serial number from your administrator
To activate the client:
1. Start the WatchGuard Mobile VPN client.
2. At the bottom of the dialog box, click Activation.
The License Data dialog box appears. The Activation status shows that the client is not activated.
3. Click Activation to start the Software Activation Wizard.
This button is available only if the client has not already been activated.
4. Select Online Activation.
5. Click Next.
The License Data step appears.
6. Type the License Key and Serial Number for the VPN client.
7. Click Next.
The Internet Connection step appears.
8. Make sure your computer can connect to the Internet.
If your computer already has an Internet connection, you do not need to do anything in this step.
In the Windows client, the Software Activation Wizard provides two options you can use to
connect to the Internet:
- To use an existing VPN client profile to connect to the Internet, select the Establish an internet connection using a profile entry check box. From the Profile drop-down list, select the profile to use.
- To connect to the Internet through a proxy server, click Proxy Settings. Select the settings for your proxy server.
9. Click Next.
The wizard processes your online activation and tells you whether it was successful.
10. Click Finish to exit the wizard.
The serial number you activated appears on the License Data dialog box, and the Activation
status is OK.
11. Click Close to close the License Data dialog box.
To reopen the License Data dialog box after activation, select Help > License Data and Activation.
Connect and Disconnect the Mobile VPN Client
Connect to the Internet through a dial-up networking connection or a LAN connection. Then, use the
instructions below to select your profile, connect, and disconnect.
To select your profile in the WatchGuard Mobile VPN client:
1. Start the WatchGuard Mobile VPN Client.
2. From the Profile drop-down list, select the name of the profile you imported.
3. Click to connect.
To disconnect the Mobile VPN client:
1. Restore the Mobile VPN Monitor.
2. Click to disconnect.
Or select Disconnect from the Mobile VPN icon menu in the Windows system tray or Mac OS X menu
bar.
WatchGuard Mobile VPN Client Icon
The WatchGuard Mobile VPN client icon appears in the system tray (Windows) or menu bar (OS X).
The icon color indicates the status of the VPN connection.
- Red: the VPN is not connected
- Yellow: the VPN client is attempting to connect
- Green: the VPN is connected
On a Windows computer, you can right-click the icon in the system tray to reconnect and disconnect
your Mobile VPN, and to see the profile in use.
On a Mac OS X computer, the VPN client icon does not automatically appear in the menu bar. To make
the icon appear in the menu bar, in the Mobile VPN Client, select WatchGuard Mobile VPN > Show
VPN client monitor in menu bar.
Click the icon in the menu bar to show VPN connection status.
From the menu bar icon, you can:
- Connect or disconnect the VPN
- Select the profile to use
- See connection information and a local log file
- Start the VPN client monitor as an application (this removes the icon from the menu bar)
- Quit the WatchGuard Mobile VPN client
Control the Connection Behavior
The connection behavior controls the action the IPSec Mobile VPN client software takes when the
VPN tunnel becomes unavailable for any reason. By default, you must manually reconnect. You are
not required to change the connection behavior, but you can configure the client to automatically or
variably reconnect. Contact your network administrator for the suggested setting.
If you import a .ini file to configure the client software, do not change any of the Line
Management settings. The .ini file configures these settings for you.
To set the behavior of the Mobile VPN client when the VPN tunnel becomes unavailable:
1. On a Windows computer, from the Windows WatchGuard Mobile VPN client, select
Configuration > Profiles. Or, on a Mac OS X computer, from the WatchGuard Mobile VPN
client, select WatchGuard Mobile VPN Client > Profiles.
2. Select the name of the profile and click Edit.
3. From the left pane, select Line Management.
4. Use the Connection Mode drop-down list to set a connection behavior for this profile.
- Manual: When you select manual connection mode, the client does not try to restart the VPN tunnel automatically if the VPN tunnel goes down. To restart the VPN tunnel, you must click the Connect button in the Mobile VPN client or right-click the Mobile VPN icon on your Windows desktop toolbar and click Connect.
- Automatic: When you select automatic connection mode, the client tries to start the connection when your computer sends traffic to a destination that you can reach through the VPN. The client also tries to restart the VPN tunnel automatically if the VPN tunnel goes down.
- Variable: When you select variable connection mode, the client tries to restart the VPN tunnel automatically until you click Disconnect. After you disconnect, the client does not try to restart the VPN tunnel again until after the next time you click Connect.
5. Click OK.
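The three connection modes, both here and in the Control Connection Behavior section earlier in this chapter, can be summarized with the event-driven model below; this is an added example, not WatchGuard's code, and the event sequence it replays is constructed.

```python
# Added example, not WatchGuard's code: a model of the three Connection Mode
# values (manual, automatic, variable) described above, driven by constructed
# events rather than a real tunnel.


class ConnectionModeClient:
    MODES = ("manual", "automatic", "variable")

    def __init__(self, mode="manual"):      # manual is the default
        if mode not in self.MODES:
            raise ValueError(f"unknown connection mode: {mode}")
        self.mode = mode
        self.connected = False
        # Whether the client will currently restart the tunnel on its own.
        self.auto_restart = False
        self.events = []

    def click_connect(self):
        self.connected = True
        # automatic: always restarts; variable: restarts until Disconnect is clicked.
        self.auto_restart = self.mode in ("automatic", "variable")
        self.events.append("user connect")

    def click_disconnect(self):
        self.connected = False
        if self.mode == "variable":
            # No automatic restart until the user clicks Connect again.
            self.auto_restart = False
        self.events.append("user disconnect")

    def tunnel_down(self):
        """The tunnel became unavailable (not a user action).
        Returns True if the client restarted it automatically."""
        if not self.connected:
            return False
        self.connected = False
        if self.auto_restart:
            self.connected = True
            self.events.append("auto restart")
            return True
        self.events.append("tunnel down, waiting for user")
        return False

    def traffic_to_vpn_destination(self):
        """The computer sends traffic to a destination reachable through the VPN.
        Returns True if this started the tunnel (automatic mode only)."""
        if self.connected:
            return False
        if self.mode == "automatic":
            self.connected = True
            self.auto_restart = True
            self.events.append("auto start on traffic")
            return True
        return False


def simulate(mode):
    """Runs one constructed sequence and reports what the client did on its own:
    [restart after an outage, start on traffic after Disconnect, restart after
    a second outage that follows a new Connect]."""
    c = ConnectionModeClient(mode)
    c.click_connect()
    first_outage = c.tunnel_down()
    c.click_disconnect()
    started_on_traffic = c.traffic_to_vpn_destination()
    c.click_connect()
    second_outage = c.tunnel_down()
    return [first_outage, started_on_traffic, second_outage]


if __name__ == "__main__":
    for mode in ConnectionModeClient.MODES:
        print(f"{mode:9s} {simulate(mode)}")
```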
About the Shrew Soft VPN Client
You can use the Shrew Soft VPN Client for Windows to enable your users to make a secure
connection from a remote computer to your network. The Shrew Soft VPN Client functions similarly to
the WatchGuard IPSec Mobile VPN Client and shares many of the same configuration settings, but it
does have some limitations.
SHA2 authentication and encryption options require Shrew Soft VPN Client v2.2.1 or
higher.
Shrew Soft VPN Client Limitations
The Shrew Soft VPN Client does not support these Mobile VPN with IPSec configuration settings and
features:
Feature | Details
--- | ---
IKE keep-alive | Not supported
Configuration of multiple VPN gateways for multi-WAN failover | Not supported
Line management configuration settings (Connection mode and Inactivity timeout) | Not supported
Phase 2 proposal Force Key Expiration setting (kilobytes) | Does not apply to the Shrew Soft VPN client.
Dead Peer Detection (DPD) configuration settings (Traffic idle timeout and Max retries) | Do not apply to the Shrew Soft VPN client. If DPD is enabled, the Shrew Soft VPN client supports DPD with a traffic idle timeout value of 15 seconds.
RADIUS 2-factor authentication | Not supported
SecurID 2-factor authentication | Not supported
Read-only profile | Not supported
User name and password stored for user authentication | Not supported. Users must type their user names and passwords each time they connect.
Shrew Soft VPN End-User Profile
The Shrew Soft VPN end-user profile is generated as a .vpn file that is not encrypted. We recommend
that you use a secure method to distribute this file.
Install the Shrew Soft VPN Client Software
You can install the Shrew Soft VPN client on any computer that uses Windows XP, 7, 8, or 8.1. The
installation process includes two parts: install the client software on the remote computer and import
the end-user profile into the client.
Before you start the installation, make sure you have these installation components:
- The Shrew Soft VPN client installation file
- A Shrew Soft VPN end-user profile (.vpn file)
Install the Shrew Soft VPN Client
1. Copy the Shrew Soft VPN installation file to the remote computer.
2. Run the .exe file.
The Shrew Soft VPN Client Setup Wizard appears.
3. In the Setup Wizard, select the destination folder.
4. Complete the Setup Wizard.
The Shrew Soft VPN client software and Shrew Soft VPN Client Administrators Guide are installed in
the destination folder you selected.
Import the End-User Profile
1. Copy the end-user profile (.vpn file) to the root directory on the remote (client or user) computer.
2. From the Windows Start menu, start Shrew Soft VPN Access Manager.
Shrew Soft VPN Access Manager appears.
3. Select File >Import.
4. Select the .vpn file you copied to the client computer in Step 1.
5. Click Open.
The VPN client configuration is imported and a new site configuration appears in the Shrew Soft
VPN Access Manager window.
Each time you import a .vpn file, make sure that you use a unique file name. For
example, if you generate an updated end-user profile, the .vpn file has the same
name as the previously generated file. If necessary, you can rename the updated
.vpn file before you import it to the Shrew Soft VPN Client. If you import a .vpn file
that has the same name as a previously imported .vpn file, two site configurations
with the same name appear in the Shrew Soft VPN Client, but only the most recently
imported configuration operates correctly.
After you import the end-user profile, if you use certificates for authentication, you must import your
certificates to the Shrew Soft VPN Client. However, if you used Policy Manager to generate the end-
user profile client configuration file (.vpn file), the certificate is embedded in the .vpn file, so you do not
have to manually import it. But, if you used Fireware XTM Web UI or the CLI to generate the .vpn file,
you must manually import the certificates to the Shrew Soft VPN client after you import the end-user
profile.
For more information about how to import certificates to the Shrew Soft VPN Client, see Import
Certificates to the Shrew Soft VPN Client on page 1216.
Import Certificates to the Shrew Soft VPN Client
If you use certificates for authentication, you must import your certificates to the Shrew Soft VPN
Client before you can connect to your network. If you used Policy Manager to generate the .vpn client
profile, you do not have to import the certificates manually because Policy Manager automatically
embeds the certificate in the .vpn profile when it is generated. Then, when you import the .vpn profile to
the Shrew Soft VPN client, the certificates are already included. If you used Fireware XTM Web UI or
the CLI to generate the certificates, after you import the end-user profile (.vpn file) you must manually
import these certificates:
- cacert.pem: The certificate for the Certificate Authority
- .p12 file: The client certificate file
To manually import certificates:
1. Start Shrew Soft VPN Access Manager.
Shrew Soft VPN Access Manager appears.
2. Select an end-user profile (.vpn file).
3. Click Modify.
The VPN Site Configuration dialog box appears.
4. Select the Authentication tab.
The Authentication settings appear, on three tabs.
5. Select the Credentials tab.
6. In the Server Certificate Authority File text box, type or select the location and file name of
the cacert.pem file.
7. In the Client Certificate File and Client Private Key File text boxes, type or select the
location and file name of the .p12 certificate file.
8. Click Save.
Use the Shrew Soft VPN Client to Connect
You can use the Shrew Soft VPN Client for Windows to connect to an XTM device that is configured
for Mobile VPN with IPSec.
Before you can use the Shrew Soft VPN Client, you must install the client software and import the end-
user profile (.vpn file). You must also know the user name and password. For more information, see
Install the Shrew Soft VPN Client Software on page 1215.
Start a Shrew Soft VPN Connection
To start a VPN connection:
1. Open Shrew Soft VPN Access Manager.
Shrew Soft VPN Access Manager appears.
2. Select the imported client profile.
3. Click Connect.
The Shrew Soft VPN Connect dialog box appears.
4. Type the Username and Password for the Mobile VPN user.
5. Click Connect.
6. If you use certificates for authentication, a second password dialog box appears. Type the
same Mobile VPN user password again.
This password is used to open the private key for the client certificate.
It can take several seconds for the Shrew Soft VPN client to connect. When the VPN client has
connected, the Tunnel Enabled message appears.
After the VPN client has connected, you can minimize the Shrew Soft VPN Connect dialog box, but
do not close it. To keep your VPN connection, you must keep the Shrew Soft VPN Connect dialog
box open. You can close the Shrew Soft Access Manager window.
Stop a Shrew Soft VPN Connection
You can use two methods to stop your VPN connection: close the Shrew Soft VPN Connect dialog
box, or use the disconnect option in the Shrew Soft VPN Connect dialog box.
To use the disconnect option to end your VPN connection:
1. Maximize the Shrew Soft VPN Connect dialog box.
2. Click Disconnect.
Your VPN connection ends.
Troubleshoot the Shrew Soft VPN Client
If the Shrew Soft VPN client fails to connect, you can use the Shrew Soft VPN Trace utility to see
more information about why the connection failed.
To use the Shrew Soft VPN Trace utility:
1. From the Windows Start menu, select the Shrew Soft VPN Client > Trace Utility.
The Shrew Soft VPN Trace utility appears.
2. Select File > Options.
The Debug Output Options dialog box appears.
3. From the Log output level drop-down list, select loud.
4. Click OK.
5. Select the IKE Service tab.
6. Click Open Log.
7. Click Restart.
Debug log messages appear in the console.
8. To copy log messages from the Shrew Soft VPN Trace utility, highlight the text in the console,
then press Ctrl-C on your keyboard.
9. Open a text file and press Ctrl-V on your keyboard to paste the copied text into the file.
10. Review the content of the new text file to find any problems with your connection.
When you set the Log output level to loud, the Shrew Soft VPN Trace utility can
quickly generate a very large file. Make sure you reset the Log output level to none
after you have resolved the connection problem.
About the WatchGuard Mobile VPN App
The WatchGuard Mobile VPN app can import a WatchGuard .wgm VPN profile so that the VPN client
on Android and iOS devices can make VPN connections to an XTM device.
WatchGuard Mobile VPN App for Android
The WatchGuard Mobile VPN app for Android is a VPN client app. It can import a Mobile VPN with
IPSec profile and then use the settings in that profile to connect to your network. The profile used by
the WatchGuard Mobile VPN app is a .wgm file that you generate from the Mobile VPN with IPSec
configuration in Policy Manager or from the Fireware XTM Web UI. You can use the Android VPN
client to make an IPSec VPN connection to a WatchGuard XTM device that runs Fireware XTM v11.7
or later.
The WatchGuard Mobile VPN app for Android is supported on Android 4.0.x or 4.1.x. WatchGuard
Mobile VPN is a free app available in the Google Play app store.
Before you use the WatchGuard Mobile VPN app for Android, you must configure Mobile VPN with
IPSec on the XTM device with the required settings and you must generate the end-user profile.
For information, see Use Mobile VPN with IPSec with an Android Device.
WatchGuard Mobile VPN App for iOS
The WatchGuard Mobile VPN app for iOS is a VPN setup app that can import a .wgm profile to the
native iOS VPN client. You then use the native iOS VPN client to make the IPSec VPN connection.
Unlike the WatchGuard Mobile VPN app for Android, the WatchGuard Mobile VPN app for iOS is not a
VPN client. It is a helper app that imports a .wgm profile to the native VPN client on the iOS device.
You can use the native iOS VPN client to make an IPSec VPN connection to an XTM device that runs
Fireware XTM v11.5.1 or later.
The WatchGuard Mobile VPN app for iOS is supported for iOS 5.x and 6.x. The WatchGuard Mobile
VPN app for iOS is a free app available in the Apple app store.
Before you use the WatchGuard Mobile VPN app for iOS, you must configure Mobile VPN with IPSec
on the XTM device with the required settings and you must generate the end-user profile.
For information, see Use the Mac OS X or iOS Native IPSec VPN Client.
Mobile VPN App End-User Profile
After you configure Mobile VPN with IPSec, you can generate an end-user profile. The WatchGuard
Mobile VPN app end-user profile is generated as a .wgm file. You can generate a .wgm file for Mobile
VPN with IPSec and Mobile VPN with L2TP.
• The .wgm file for Mobile VPN with IPSec is supported in the WatchGuard Mobile VPN app for
Android and iOS.
• The .wgm file for Mobile VPN with L2TP is supported only in the WatchGuard Mobile VPN app
for iOS.
The .wgm end-user profile is encrypted.
• For Mobile VPN with IPSec, the .wgm file is encrypted with the passphrase specified in the
Mobile VPN with IPSec configuration.
• For Mobile VPN with L2TP, the .wgm file is encrypted with the encryption passphrase you
specify when you generate the profile.
The mobile user must know the passphrase in order to open the .wgm file in the WatchGuard Mobile
VPN app. Make sure you use a secure method to communicate the passphrase to the mobile users.
Use the Mac OS X or iOS Native IPSec VPN Client
Apple iOS devices (iPhone, iPad, and iPod Touch) and Mac OS X 10.6 and higher devices include a
native Cisco IPSec VPN client. You can use this client to make an IPSec VPN connection to an
XTM device. To do this, you must configure the VPN settings on your XTM device to match those on
the iOS or Mac OS X device.
For IPSec VPN connections from a Mac OS X device, you can also use the WatchGuard IPSec
VPN Client for Mac OS X. For more information, see Install the IPSec Mobile VPN Client Software.
For an iOS device, you can install the WatchGuard Mobile VPN app for iOS. This app can import a
Mobile VPN with IPSec profile into the native VPN client on the iOS device. For a Mac OS X device,
you must manually configure the settings in the native VPN client.
You can use the same Mobile VPN with IPSec profile for VPN connections from iOS and Android
devices. For information about how to configure the VPN client on an Android device, see Use Mobile
VPN with IPSec with an Android Device.
In the Mobile VPN with IPSec settings on the XTM device, do not use SHA2 in the
Phase 1 and Phase 2 settings. SHA2 is not supported on the VPN client on
iOS devices.
You cannot use a certificate for VPN tunnel authentication between the native VPN
client and an XTM device. This does not work because the VPN client uses main
mode, and the XTM device uses aggressive mode for Phase 1 VPN negotiations.
Configure the XTM Device
Many of the VPN tunnel configuration settings in the VPN client on the Mac OS X or iOS device are not
configurable by the user. It is very important to configure the settings on your XTM device to match the
settings required by the VPN client on the Mac OS X or iOS device.
1. Select VPN > Mobile VPN with IPSec.
The Mobile VPN with IPSec page appears.
2. Click Add.
The Mobile VPN with IPSec Settings page appears.
3. In the Name text box, type the name of the authentication group your Mac OS X or iOS VPN
users belong to.
You can type the name of an existing group, or the name for a new Mobile VPN group. Make
sure the name is unique among VPN group names, as well as all interface and VPN tunnel
names.
4. From the Authentication Server drop-down list, select an authentication server.
You can authenticate users to the XTM device (Firebox-DB) or to a RADIUS, VASCO,
SecurID, LDAP, or Active Directory server. Make sure that this method of authentication is
enabled.
If you create a Mobile VPN user group that authenticates to an external
authentication server, make sure you create a group on the server that has the same
name as the name you added in the wizard for the Mobile VPN group. If you use
Active Directory as your authentication server, the users must belong to an Active
Directory security group with the same name as the group name you configure for
Mobile VPN with IPSec. For more information, see Configure the External
Authentication Server.
5. Type and confirm the Passphrase to use for this tunnel.
6. In the Firebox IP Addresses section, type the primary external IP address or domain name to
which Mobile VPN users in this group can connect.
7. Select the IPSec Tunnel tab.
The IPSec Tunnel settings appear.
8. Select Use the passphrase of the end user profile as the pre-shared key.
This is the default setting.
9. From the Authentication drop-down list, select either SHA-1 or MD5.
10. From the Encryption drop-down list, select one of these options:
• 3DES
• AES (128 bit)
• AES (256 bit)
11. In the Phase 1 Settings section, click Advanced.
The Phase 1 Advanced Settings appear.
12. Set the SA Life to 1 hour.
The VPN client on the Mac OS X or iOS device is configured to rekey after 1 hour. If this profile
is only used for connections by the VPN client on Mac OS X or iOS devices, set the SA Life to 1
hour to match the client setting.
If you plan to use this VPN profile for all supported VPN clients, set the SA Life to 8
hours. When the SA Life is set to 8 hours, the Shrew Soft VPN and WatchGuard
XTM IPSec Mobile VPN clients rekey after 8 hours, but the VPN client on the OS X
or iOS device uses the smaller rekey value of 1 hour.
13. From the Key Group drop-down list, select Diffie-Hellman Group 2.
14. Do not change any of the other Phase 1 advanced settings.
15. Click OK.
16. In the Phase 2 Settings section, clear the PFS check box.
17. In the Phase 2 Settings section, click Advanced.
The Phase 2 Advanced settings appear.
18. From the Authentication drop-down list, select SHA1 or MD5.
19. From the Encryption drop-down list, select 3DES, AES (128-bit), or AES (256-bit).
20. In the Force Key Expiration settings, set the expiration Time to 1 hour.
21. In the Force Key Expiration settings, clear the Traffic check box.
22. Click OK.
23. Select the Resources tab.
24. Select the Allow All Traffic Through Tunnel check box.
This configures the tunnel for default-route VPN. The VPN client on the Mac OS X or iOS device does
not support split tunneling.
25. In the Virtual IP Address Pool list, add the internal IP addresses that are used by Mobile VPN
users over the tunnel.
To add an IP address or a network IP address to the virtual IP address pool, select Host IP or
Network IP, type the address, and click Add.
The number of IP addresses should be the same as the number of Mobile VPN users. The
virtual IP addresses do not need to be on the same subnet as the trusted network. If FireCluster
is configured, you must add two virtual IP addresses for each Mobile VPN user.
The IP addresses in the virtual IP address pool cannot be used for anything else on
your network.
26. Click Save.
Make sure that you add all VPN users to the authentication group you selected.
For information about how to add users to a Firebox user group, see Define a New User for Firebox
Authentication.
Configure the VPN Client on an iOS Device
There are two methods you can use to configure the VPN client on an iOS device. You can use the
WatchGuard Mobile VPN app for iOS to import a .wgm end-user profile to the VPN client on the iOS
device. This is the easiest way to configure the iOS device. If you do not install the WatchGuard
Mobile VPN app on the iOS device, you can manually configure the VPN client with the correct
settings to connect.
To use the WatchGuard Mobile VPN app to import the IPSec VPN settings to the native iOS VPN
client:
1. Generate the .wgm profile for the Mobile VPN with IPSec group.
2. Send the .wgm profile to the mobile users as an email attachment.
3. Use a secure method to give the passphrase to the mobile users.
4. On the iOS device, install the free WatchGuard Mobile VPN app from the Apple App Store.
5. In the email client on the iOS device, open the email that contains the .wgm file attachment.
6. Open the .wgm file attachment.
The WatchGuard Mobile VPN app launches.
7. Type the passphrase received from the administrator to decrypt the file.
The WatchGuard Mobile VPN app imports the configuration and creates an IPSec VPN configuration
profile in the iOS VPN client.
To manually configure the VPN client settings on the iOS device:
1. Select Settings > General > Network > VPN > Add VPN Configuration.
2. Configure these settings in the VPN client:
• Server: The external IP address of the XTM device
• Account: The user name on the authentication server
• Use Certificate: Set this option to OFF
• Group Name: The group name you chose in the XTM device Mobile VPN with IPSec
configuration
• Secret: The tunnel passphrase you set in the XTM device Mobile VPN with IPSec
configuration
• User's Password: The password for the user on the authentication server
After you add the VPN configuration, a VPN switch appears in the Settings menu on the iOS device.
Click the VPN switch to enable or disable the VPN client. When a VPN connection is established, the
VPN icon appears in the status bar.
The VPN client on the iOS device stays connected to the VPN only while the iOS device is in use. If
the iOS device locks itself, the VPN client might disconnect. Users can manually reconnect their VPN
clients. If users save their passwords, they do not need to retype the password each time the VPN
client reconnects. Otherwise, they must type the password each time the client reconnects.
Configure the VPN Client on a Mac OS X Device
The XTM device does not generate a client configuration file for the VPN client on the Mac OS X
device. The user must manually configure the VPN client settings to match the settings configured on
the XTM device.
To configure the VPN settings on the Mac OS X device:
1. Open System Preferences and select Network.
2. Click + at the bottom of the list to add a new interface. Configure these settings:
• Interface: VPN
• VPN Type: Cisco IPSec
• Service Name: Type the name you want to use for this connection
3. Click Create.
The new VPN interface appears in the list of network interfaces.
4. Select the new interface in the list. Edit these settings:
• Server Address: The external IP address of the XTM device
• Account Name: The user name on the authentication server
• Password: The password for the user on the authentication server
5. Click Authentication Settings. Set these settings:
• Shared Secret: The tunnel passphrase you set in the XTM device Mobile VPN with
IPSec configuration
• Group Name: The group name you chose in the XTM device Mobile VPN with IPSec
configuration
6. Select the Show VPN status in menu bar check box to add the VPN status icon to the
OS X menu bar.
7. Click Connect to start the VPN tunnel.
After you apply these settings, a VPN status icon appears in the menu bar of the Mac OS X device.
Click the VPN status icon to start or stop the VPN client connection.
Use Mobile VPN with IPSec with an Android Device
There are two VPN clients that you can use to make Mobile VPN with IPSec connections from an
Android device to an XTM device.
Android native VPN client
Mobile devices that run Android version 4.x and later include a VPN client. You can use the
Android VPN client to make an IPSec VPN connection to a WatchGuard XTM device that runs
Fireware XTM v11.5.1 or later. To do this, you must configure the VPN settings on your XTM
device to match those on the Android device. Then, manually configure the VPN client settings
on the Android device to match the settings on the XTM device. We recommend you use
Android version 4.0.4 or later for IPSec VPN connections to a WatchGuard XTM device.
WatchGuard Mobile VPN app for Android
The WatchGuard Mobile VPN app for Android is a VPN app that you can use to import a Mobile
VPN with IPSec profile and then use those settings to connect to your network. You can use
the WatchGuard Android VPN client to make an IPSec VPN connection to a WatchGuard XTM
device that runs Fireware XTM v11.7 or later. The WatchGuard Mobile VPN app is supported on
Android 4.0.x or 4.1.x.
For more information, see About the WatchGuard Mobile VPN App.
WatchGuard has tested the IPSec VPN configuration described here on these Android devices:
• Samsung Galaxy S III, Android 4.0.4
• Samsung Galaxy Nexus, Android 4.1.1
• Nexus 7 tablet, Android 4.1.1
• HTC Sense 4.0, Android 4.0.3
• HTC ReZound, Android 4.0.3
You can use the same Mobile VPN with IPSec settings for VPN connections from the native Android
VPN client and for the WatchGuard Mobile VPN app for Android. You can use the same generated
profile for VPN connections from the Mac OS X or iOS devices.
For information about how to configure the VPN client on an iOS device, see Use the Mac OS X or
iOS Native IPSec VPN Client.
In the Mobile VPN with IPSec settings on the XTM device, do not use SHA2 in the
Phase 1 and Phase 2 settings. SHA2 is not supported on the VPN clients on Android
devices.
You cannot use a certificate for VPN tunnel authentication between the native VPN
client and an XTM device. This does not work because the VPN client uses main
mode, and the XTM device uses aggressive mode for Phase 1 VPN negotiations.
Configure the XTM Device
You use the same Mobile VPN with IPSec configuration settings for the native Android VPN client and
for the WatchGuard Mobile VPN app for Android.
Use these steps to configure the required settings:
1. Select VPN > Mobile VPN with IPSec.
The Mobile VPN with IPSec page appears.
2. Click Add.
The Mobile VPN with IPSec Settings page appears.
3. In the Group name text box, type the name of the authentication group your Android VPN users
belong to.
You can type the name of an existing group, or the name for a new Mobile VPN group. Make
sure the name is unique among VPN group names, as well as all interface and VPN tunnel
names.
4. From the Authentication Server drop-down list, select an authentication server.
Make sure that this method of authentication is enabled.
If you create a Mobile VPN user group that authenticates to an external
authentication server, make sure you create a group on the server that has the same
name as the name you added in the wizard for the Mobile VPN group. If you use
Active Directory as your authentication server, the users must belong to an Active
Directory security group with the same name as the group name you configure for
Mobile VPN with IPSec.
For more information, see Configure the External Authentication Server.
5. Type and confirm the Passphrase to use for this tunnel.
6. In the Firebox IP Addresses section, type the primary external IP address or domain name to
which Mobile VPN users in this group can connect.
7. Select the IPSec Tunnel tab.
The IPSec Tunnel settings appear.
8. Select Use the passphrase of the end user profile as the pre-shared key.
This is the default setting.
9. From the Authentication drop-down list, select either SHA-1 or MD5.
10. From the Encryption drop-down list, select one of these options:
• 3DES
• AES (128 bit)
• AES (256 bit)
11. In the Phase 1 Settings section, click Advanced.
The Phase 1 Advanced Settings dialog box appears.
12. Set the SA Life to 1 hour.
The Android VPN client is configured to rekey after 1 hour. If this profile is only used for
connections by the Android VPN client, set the SA Life to 1 hour to match the client setting.
If you plan to use this VPN profile for all supported VPN clients, set the SA Life to 8
hours. When the SA Life is set to 8 hours, the Shrew Soft VPN and WatchGuard
XTM IPSec Mobile VPN clients rekey after 8 hours, but the Android VPN client uses
the smaller rekey value of 1 hour.
13. From the Key Group drop-down list, select Diffie-Hellman Group 2.
14. Do not change any of the other Phase 1 advanced settings.
15. Click Return to General Settings.
16. In the Phase 2 Settings section, clear the PFS check box.
17. In the Phase 2 Settings section, click Advanced.
The Phase 2 Advanced Settings dialog box appears.
18. From the Authentication drop-down list, select SHA1 or MD5.
Do not select a SHA2 authentication method for a Mobile VPN with IPSec profile you want to
use with the WatchGuard Mobile VPN app.
19. From the Encryption drop-down list, select 3DES, AES (128-bit), or AES (256-bit).
20. In the Force Key Expiration settings, set the expiration Time to 1 hour and clear the Traffic
check box.
21. Click OK.
22. Select the Resources tab.
23. Select the Allow All Traffic Through Tunnel check box.
This configures the tunnel for default-route VPN. The Android VPN client does not support split
tunneling.
24. In the Virtual IP Address Pool list, add the internal IP addresses that are used by Mobile VPN
users over the tunnel.
To add an IP address or a network IP address to the virtual IP address pool, select Host IP or
Network IP, type the address, and click Add.
Mobile VPN users are assigned an IP address from the virtual IP address pool when they
connect to your network. The number of IP addresses in the virtual IP address pool should be
the same as the number of Mobile VPN users. The virtual IP addresses do not need to be on the
same subnet as the trusted network.
The IP addresses in the virtual IP address pool cannot be used for anything else on
your network.
25. Click Save.
To authenticate from the Android VPN client, Android VPN users must be members of the
authentication group you specified in the Add Mobile VPN with IPSec Wizard.
• For information about how to add users to a Firebox user group, see Define a New User for
Firebox Authentication.
• If you use a third-party authentication server, use the instructions provided in your vendor
documentation.
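The Phase 1 and Phase 2 requirements in this procedure and in the Mac OS X/iOS procedure above are the same, and a profile tuned for the Shrew Soft client can quietly break the native clients. The following Python script is an added example (not WatchGuard code) that lints a proposed Mobile VPN with IPSec profile against those requirements before you save it. The dictionary layout, the names `lint_profile`, `effective_rekey_hours` and `_norm`, and the two sample profiles are constructed for this example; the constraints themselves are the ones the steps above state (SHA-1/MD5 only, 3DES or AES, Diffie-Hellman Group 2, SA life 1 hour or 8 hours for a mixed-client profile, PFS off, a 1-hour time-based key expiration with no traffic-based expiration, default-route tunnel, and the profile passphrase as the pre-shared key).

```python
"""Lint a Mobile VPN with IPSec profile for the native Apple/Android clients.

Added example, not WatchGuard code. The profile dictionary layout is an
assumption made for this example; the rules come from the user guide.
"""

CLIENT_REKEY_HOURS = 1            # native clients rekey after 1 hour (from the guide)
ALLOWED_AUTH = {"SHA1", "MD5"}    # SHA2 is not supported by these clients
ALLOWED_ENC = {"3DES", "AES128BIT", "AES256BIT"}
ALLOWED_SA_LIFE_HOURS = {1, 8}    # 1 h to match the client, 8 h for a mixed-client profile


def _norm(value):
    """Normalise UI labels such as 'SHA-1' or 'AES (128 bit)' for comparison."""
    return "".join(ch for ch in str(value).upper() if ch.isalnum())


def effective_rekey_hours(sa_life_hours):
    """Both peers rekey at the smaller of the two configured lifetimes."""
    return min(sa_life_hours, CLIENT_REKEY_HOURS)


def lint_profile(profile):
    """Return a list of findings; an empty list means the profile matches the clients."""
    findings = []
    p1, p2, res = profile["phase1"], profile["phase2"], profile["resources"]

    if profile.get("certificate_auth"):
        findings.append("tunnel auth: certificates do not work (client main mode vs XTM aggressive mode)")
    if not profile.get("psk_from_profile_passphrase", False):
        findings.append("tunnel auth: use the end-user profile passphrase as the pre-shared key")

    for name, ph in (("Phase 1", p1), ("Phase 2", p2)):
        if _norm(ph["auth"]) not in ALLOWED_AUTH:
            findings.append(f"{name}: authentication {ph['auth']!r} unsupported, use SHA-1 or MD5")
        if _norm(ph["enc"]) not in ALLOWED_ENC:
            findings.append(f"{name}: encryption {ph['enc']!r} unsupported, use 3DES or AES 128/256")

    if p1["dh_group"] != 2:
        findings.append(f"Phase 1: key group must be Diffie-Hellman Group 2, not {p1['dh_group']}")
    if p1["sa_life_hours"] not in ALLOWED_SA_LIFE_HOURS:
        findings.append(f"Phase 1: SA life {p1['sa_life_hours']} h; set 1 h (or 8 h for a mixed-client profile)")

    if p2["pfs"]:
        findings.append("Phase 2: clear the PFS check box")
    if p2["key_expiration_hours"] != 1:
        findings.append(f"Phase 2: force key expiration time must be 1 h, not {p2['key_expiration_hours']}")
    if p2["traffic_expiration"]:
        findings.append("Phase 2: clear the Traffic key-expiration check box")

    if not res["allow_all_traffic_through_tunnel"]:
        findings.append("Resources: select Allow All Traffic Through Tunnel (client has no split tunneling)")
    return findings


# Constructed sample: the settings from the procedure above, with an 8-hour SA life.
GOOD_PROFILE = {
    "psk_from_profile_passphrase": True,
    "certificate_auth": False,
    "phase1": {"auth": "SHA-1", "enc": "AES (256 bit)", "dh_group": 2, "sa_life_hours": 8},
    "phase2": {"auth": "SHA1", "enc": "AES (256-bit)", "pfs": False,
               "key_expiration_hours": 1, "traffic_expiration": False},
    "resources": {"allow_all_traffic_through_tunnel": True},
}

# Constructed sample: a hardened desktop-client profile that the native clients cannot use.
BAD_PROFILE = {
    "psk_from_profile_passphrase": True,
    "certificate_auth": False,
    "phase1": {"auth": "SHA2-256", "enc": "AES (256 bit)", "dh_group": 14, "sa_life_hours": 24},
    "phase2": {"auth": "SHA2-256", "enc": "AES (256-bit)", "pfs": True,
               "key_expiration_hours": 8, "traffic_expiration": True},
    "resources": {"allow_all_traffic_through_tunnel": False},
}

if __name__ == "__main__":
    for label, prof in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(label, "->", lint_profile(prof) or "OK")
    print("effective rekey interval with an 8 h SA life:", effective_rekey_hours(8), "h")
```

Run it before you commit a profile that several client types share: the good profile passes with no findings, and `effective_rekey_hours(8)` shows why an 8-hour SA life is harmless for the native clients (they rekey at their own 1-hour interval regardless).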
Configure the WatchGuard Mobile VPN App
If your mobile users use the WatchGuard Mobile VPN app for Android, you can generate a VPN profile
and send it to the Mobile VPN user. This configures the WatchGuard Mobile VPN app to connect with
Mobile VPN with IPSec.
To configure the WatchGuard Mobile VPN app for Android:
1. Generate the .wgm profile for the Mobile VPN with IPSec group.
2. Send the .wgm profile to the mobile users as an email attachment.
3. Use a secure method to give the passphrase to the mobile users.
4. On the Android device, install the free WatchGuard Mobile VPN app from the Google Play app
store.
5. In the email client on the Android device, open the email that contains the .wgm file attachment.
6. Open the .wgm file attachment.
The WatchGuard Mobile VPN app launches.
7. Type the passphrase received from the administrator to decrypt the file.
The WatchGuard Mobile VPN app imports the configuration and creates a VPN connection profile.
8. Click the VPN connection profile in the WatchGuard Mobile VPN app to start the VPN
connection.
Configure the Native Android 4.x VPN Client
You can also use the native Android VPN client to connect. To use the native Android VPN client, the
user must manually configure the VPN client settings to match the settings configured on the XTM
device.
To manually configure the native VPN client on the Android device:
1. On the Settings page, in the Wireless & Networks section, select More > VPN.
2. Click Add VPN Network.
The Edit VPN network page appears.
3. Configure these settings:
• Name: A name to identify this VPN connection on the Android device
• Type: Select IPSec Xauth PSK
• Server address: The external IP address of the XTM device
• IPSec Identifier: The group name you specified in the XTM device Mobile VPN with
IPSec configuration
• IPSec pre-shared key: The tunnel passphrase you set in the XTM device Mobile VPN
with IPSec configuration
4. Save the connection.
5. Open the connection and type the Username and Password for a user in the specified
authentication group.
6. Click Connect.
To verify your connection was successful and that the VPN tunnel is active, browse to a web site that
shows your IP address, such as www.whatismyip.com. If your Android device is connected through
the VPN, your IP address is the external IP address of the XTM device.
24
Mobile VPN with SSL
About Mobile VPN with SSL
The WatchGuard Mobile VPN with SSL client is a software application that is installed on a remote
computer. The client makes a secure connection from the remote computer to your protected network
through an unsecured network, such as the Internet. The Mobile VPN client uses SSL (Secure
Sockets Layer) to secure the connection.
Configure the XTM Device for Mobile VPN with SSL
When you activate Mobile VPN with SSL, an SSLVPN-Users user group and a WatchGuard SSLVPN
policy are automatically created to allow SSL VPN connections from the Internet to your external
interface. You can use these groups, or you can create new groups that match the user group names
on your authentication servers.
When you enable a Management Tunnel over SSL on your WatchGuard Management Server, some of
the SSL configuration settings are the same settings used by Mobile VPN with SSL. When a
Management Tunnel is enabled, you cannot change many of the settings in the Mobile VPN with
SSL configuration. You must change these shared settings in the device properties on the
management server.
Because Management Tunnel over SSL and Mobile VPN with SSL use the same
OpenVPN server, if you enable a Management Tunnel over SSL, some of the
settings that are shared by the Mobile VPN with SSL tunnels become managed by
your Management Server. You cannot change these settings in the Mobile VPN with
SSL configuration. These settings include the Firebox IP addresses, networking
method, virtual IP address pool, VPN resources, data channel, and configuration
channel. You also cannot disable the Firebox-DB authentication server, which is
required for Management Tunnel authentication.
Before You Begin
Before you configure Mobile VPN with SSL, decide how you want the XTM device to send traffic
through the VPN tunnel. Based on the option you choose, you might need to make changes to your
network configuration before you enable Mobile VPN with SSL.
You can configure Mobile VPN with SSL to use one of two methods to handle VPN traffic to your
network:
Routed VPN Traffic
This is the default selection. With this option, the XTM device routes traffic from the VPN tunnel
to all local networks or to specific network resources you specify.
If you select Routed VPN Traffic in the Mobile VPN with SSL configuration on an
XTMv virtual machine, you must enable promiscuous mode on the attached virtual
switch (vSwitch) in VMware.
Bridge VPN Traffic
This option enables you to bridge SSL VPN traffic to a trusted or optional network. When you
select this option, you cannot filter traffic between the SSL VPN users and the network that the
SSL VPN traffic is bridged to. When you bridge VPN traffic to a network, the SSL VPN users
are in the same security zone as other users on the network that you bridge to, and the traffic for
those mobile users is handled by the same security policies as traffic for other users on the
bridged network. For example, if you bridge VPN traffic to a trusted interface, all policies that
allow traffic for the "Any-Trusted" alias allow traffic for the users who connect to the network
with Mobile VPN with SSL. The Bridge VPN Traffic option does not bridge SSL VPN traffic to
any secondary networks on the selected network bridge.
The choice of interfaces you can bridge VPN traffic to depends on the version of Fireware XTM
the device uses.
• In Fireware XTM v11.8.x and lower, you can bridge VPN traffic to any interface that is not a
LAN bridge.
• In Fireware XTM v11.9 and higher, you can bridge VPN traffic only to a LAN bridge.
Do not change the interface that you used to log in to the Web UI to a bridge
interface. This causes you to immediately lose the management connection to the
device. If this happens, you must use a different configured interface to reconnect.
Use these steps to change the trusted or optional interface you use for management to a bridge
interface:
1. Configure another trusted or optional interface to use as a temporary management interface.
2. Connect the management computer to the new interface, and log in to the Web UI.
3. Change the original management interface to a bridge interface, and configure a LAN bridge that
includes this interface.
4. Connect the management computer to the original management interface.
5. Disable the temporary management interface.
For detailed instructions, see Create a Network Bridge Configuration.
Configure Connection Settings
1. Select VPN > Mobile VPN with SSL.
The Mobile VPN with SSL Configuration page opens.
2. Select the Activate Mobile VPN with SSL check box.
3. In the Primary text box, type a public IP address or domain name.
This is the IP address or domain name that Mobile VPN with SSL clients connect to by default.
This can be an external IP address, secondary external IP address, or external VLAN. For a
device in drop-in mode, use the IP address assigned to all interfaces.
4. If your XTM device has more than one external address, in the Secondary text box, type a
different public IP address.
This is the IP address that the Mobile VPN with SSL client connects to if it is unable to establish
a connection with the primary IP address. If you add a Secondary IP address, make sure it is an
IP address assigned to an XTM device external interface or VLAN.
Configure the Networking and IP Address Pool Settings
In the Networking and IP Address Pool section, you configure the network resources that Mobile
VPN with SSL clients can use.
1. In the Networking and IP address pool section, from the drop-down list, select the method
the XTM device uses to send traffic through the VPN tunnel.
• Select Bridge VPN Traffic to bridge SSL VPN traffic to a network you specify. When you
select this option, you cannot filter traffic between the SSL VPN users and the network that
the SSL VPN traffic is bridged to.
• Select Routed VPN Traffic to route VPN traffic to specified networks and resources. This
is the default for all WatchGuard XTM devices.
2. Select or clear the Force all client traffic through the tunnel check box.
• To send all private network and Internet traffic through the tunnel, select Force all client
traffic through tunnel.
This option sends all external traffic through the XTM device policies you create and offers
consistent security for mobile users. However, because it requires more processing power
on the XTM device, access to Internet resources can be very slow for the mobile user.
For information about how to allow clients to access the Internet when this option is
selected, see Options for Internet Access Through a Mobile VPN with SSL Tunnel on page
1255.
• To send only private network information through the tunnel, clear the Force all client
traffic through tunnel check box.
This option gives your users better network speeds by routing only necessary traffic through
the XTM device, but access to Internet resources is not restricted by the policies on your
XTM device.
a. To restrict Mobile VPN with SSL client access to only specified devices on your
private network, select Specify allowed resources.
b. Type the IP address of the network resource in slash notation and click Add.
3. Configure the IP addresses the XTM device assigns to Mobile VPN with SSL client
connections. The virtual IP addresses in this address pool cannot be part of a network protected
by the XTM device, any network accessed through a route or BOVPN, assigned by DHCP to a
device behind the XTM device, or used for Mobile VPN with IPSec or Mobile VPN with PPTP
address pools.
Routed VPN traffic
For the Virtual IP Address Pool, keep the default setting of 192.168.113.0/24 or enter a
different range. Type the IP address of the subnet in slash notation. IP addresses from
this subnet are automatically assigned to Mobile VPN with SSL client connections. You
cannot assign an IP address to a user.
The virtual IP addresses in this address pool cannot be part of a network protected by the
XTM device, any network accessible through a route or BOVPN, assigned by DHCP to
a device behind the XTM device, or used for Mobile VPN with IPSec or Mobile VPN with
PPTP address pools.
Bridge VPN traffic
From the Bridge to interface drop-down list, select the name of the interface to bridge
to. The choice of interfaces you can bridge VPN traffic to depends on the version of
Fireware XTM the device uses.
• In Fireware XTM v11.8.x and lower, you can bridge VPN traffic to any interface
that is not a LAN bridge.
• In Fireware XTM v11.9 and higher, you can bridge VPN traffic only to a LAN bridge.
For more information, see Before You Begin.
In the Start and End text boxes, type the first and last IP addresses in the range that you
want to assign to Mobile VPN with SSL client connections. The Start and End IP
addresses must be on the same subnet as the bridged interface.
For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.
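The pool rules in this step and in the Mobile VPN with IPSec virtual IP address pool steps above are easy to get wrong by hand: an SSL VPN pool that overlaps a BOVPN route or a DHCP scope, an IPSec pool with fewer addresses than users (or fewer than two per user on a FireCluster), or a bridged Start/End range that is not on the bridged interface's subnet. The following Python script is an added example (not WatchGuard code) that checks a proposed pool against those rules with the standard library `ipaddress` module. The function names, the `RESERVED` map of networks the XTM device already uses, and all sample addresses are constructed for this example; the default SSL pool 192.168.113.0/24 is the one the guide names.

```python
"""Sanity-check a Mobile VPN virtual IP address pool before typing it into the Web UI.

Added example, not WatchGuard code. RESERVED and the sample pools are constructed.
Host capacity excludes the network and broadcast addresses of the pool (an assumption
made for this example).
"""
import ipaddress

# Constructed: networks the XTM device already knows about, labelled by role.
RESERVED = {
    "trusted": "10.0.1.0/24",            # protected network
    "optional": "10.0.2.0/24",           # protected network
    "bovpn-remote": "10.10.0.0/16",      # network reached through a BOVPN
    "ipsec-pool": "192.168.112.0/24",    # Mobile VPN with IPSec virtual IP pool
    "pptp-pool": "192.168.114.0/24",     # Mobile VPN with PPTP virtual IP pool
}


def overlaps(pool, reserved):
    """Return the labels of reserved networks that overlap the proposed pool."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    return [label for label, net in reserved.items()
            if pool_net.overlaps(ipaddress.ip_network(net, strict=False))]


def capacity(pool, users, firecluster=False):
    """Return (addresses needed, usable addresses): two per user on a FireCluster."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    needed = users * (2 if firecluster else 1)
    usable = pool_net.num_addresses if pool_net.prefixlen >= 31 else pool_net.num_addresses - 2
    return needed, usable


def check_routed_pool(pool, users, reserved, firecluster=False):
    """Findings for a routed (IPSec or SSL) pool; empty list means the pool is usable."""
    findings = [f"pool {pool} overlaps {label}: {reserved[label]}"
                for label in overlaps(pool, reserved)]
    needed, usable = capacity(pool, users, firecluster)
    if needed > usable:
        findings.append(f"pool {pool} has {usable} usable addresses but {needed} are needed")
    return findings


def check_bridged_range(start, end, bridge_subnet):
    """SSL VPN Bridge mode: the Start and End addresses must be on the bridged subnet."""
    net = ipaddress.ip_network(bridge_subnet, strict=False)
    start_ip, end_ip = ipaddress.ip_address(start), ipaddress.ip_address(end)
    findings = []
    if start_ip not in net or end_ip not in net:
        findings.append(f"{start}-{end} is not inside bridged subnet {net}")
    if end_ip < start_ip:
        findings.append("End address is lower than Start address")
    return findings


if __name__ == "__main__":
    # The guide's default SSL pool, for 50 users, against the constructed reservations.
    print(check_routed_pool("192.168.113.0/24", 50, RESERVED) or "default SSL pool OK")
    # A pool that collides with the BOVPN remote network.
    print(check_routed_pool("10.10.5.0/24", 50, RESERVED))
    # An IPSec pool on a FireCluster that needs two addresses per user.
    print(check_routed_pool("192.168.113.0/24", 200, RESERVED, firecluster=True))
    # A bridged SSL VPN range that is off the bridged interface's subnet.
    print(check_bridged_range("10.0.3.200", "10.0.3.220", "10.0.1.0/24"))
```

Keep `RESERVED` in step with the device configuration (every protected interface, static and BOVPN route, DHCP scope and other Mobile VPN pool) and the check stays meaningful as the network grows.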
Configure Authentication Settings
Next, you must configure the authentication settings. You can select one or more configured
authentication servers to use. The server at the top of the list is the default server. The default server is
used for authentication if the user does not specify the authentication server or domain in the Mobile
VPN with SSL client.
If you create a Mobile VPN user group that authenticates to an external
authentication server, make sure you create a group on the server that has the same
name as the name you added in the wizard for the Mobile VPN group. If you use
Active Directory as your authentication server, the users must belong to an Active
Directory security group with the same name as the group name you configure for
Mobile VPN with SSL. For more information, see Configure the External
Authentication Server.
Select Authentication Servers
From the Mobile VPN with SSL page:
1. Select the Authentication tab.
A list of configured Authentication Servers appears.
2. Select the check box for each authentication server you want to use for Mobile VPN with SSL
user authentication. You can select any enabled authentication server: the internal XTM device
database (Firebox-DB) or a RADIUS, VACMAN Middleware, SecurID, LDAP, or an Active
Directory server domain.
Only enabled authentication method servers and domains are listed. For information about
supported authentication methods, see Authentication Server Types.
3. If you selected more than one server to use for authentication, select the server you want to be
the default server. Click Default to move that server to the top of the list.
If a user does not specify the authentication server in the Username text box when they use the
Mobile VPN with SSL client to authenticate, Mobile VPN with SSL uses the default authentication
server.
4. Select the Auto reconnect after a connection is lost check box if you want the Mobile VPN
with SSL client to be able to automatically reconnect. If you enable this option, the mobile user
can select a check box on the Mobile VPN with SSL client to control whether the client
automatically reconnects.
5. Select the Force users to authenticate after a connection is lost check box if you want to
require users to authenticate after a Mobile VPN with SSL connection is disconnected. We
recommend you select this check box if you use a two-factor authentication method with a one-
time password, such as RADIUS, SecurID or VASCO. If you do not force users to authenticate
after a connection is lost, the automatic connection attempt can fail. This is because the Mobile
VPN with SSL client tries to use the one-time password the user originally entered, which is no
longer correct, to automatically reconnect after a connection is lost.
6. Select the Allow the Mobile VPN with SSL client to remember password check box, if you
want the Mobile VPN with SSL client to be able to remember the password. If you enable this
option, the mobile user can select a check box in the Mobile VPN with SSL client to control
whether the client remembers the password.
If you configure Mobile VPN with SSL to use more than one authentication server,
users who do not use the default authentication server must specify the
authentication server or domain as part of the user name. For more information and
examples, see Install and Connect the Mobile VPN with SSL Client.
Add Users and Groups
If you use the Firebox-DB for authentication you must use the default SSLVPN-Users group. If you
use an authentication server other than Firebox-DB, you can use the default SSLVPN-Users group (if
you also add that group on your authentication server) or you can add the name of users and groups
that exist on your other authentication server.
The group SSLVPN-Users is created by default. You can add the names of other groups and users
that use Mobile VPN with SSL. For each group or user, you can select a specific authentication server
where the group exists, or select Any if that group exists on more than one authentication server. The
group or user name you add must exist on the authentication server. The group and user names are
case sensitive and must exactly match the name on your authentication server.
To add the users and groups to the Mobile VPN with SSL configuration:
1. Below the list of users and groups, click Add.
The Add User or Group dialog box appears.
2. Select Group or User to add a group or user.
3. In the Name text box, type the name of the group or user. The name must match the name of a
group or user in your authentication server.
4. From the Authentication Server drop-down list, select the authentication server where the
user or group exists. Or, select All if the group can be used with all selected authentication
servers.
5. Click OK.
The user or group is added to the Users and Groups list.
6. Click Save to save the configuration settings.
To remove a user or group:
1. Select the group or user in the list.
2. Click Remove.
The Allow SSLVPN-Users Policy and Mobile VPN with SSL Groups and Users
When you save the Mobile VPN with SSL configuration, the Allow SSLVPN-Users policy is created
or updated to apply to the groups and users you configured for authentication. The group and user
names you added do not appear in the From list in the Allow SSLVPN-Users policy. Instead, the
single group name SSLVPN-Users appears. Even though the group and user names you added do not
appear in the From list, this policy does apply to all users and groups you configured in the Mobile VPN
with SSL authentication settings.
Configure Advanced Settings for Mobile VPN with SSL
1. Select VPN > Mobile VPN with SSL.
The Mobile VPN with SSL Configuration page appears.
2. Select the Advanced tab.
3. Configure the advanced settings:
Authentication
Select an authentication method to use to establish the connection: MD5, SHA-1,
SHA-256, or SHA-512.
On a device that uses Fireware XTM v11.8.x or lower, SHA authentication is also
available.
Encryption
Select an algorithm to use to encrypt the traffic: Blowfish, DES, 3DES, AES (128 bit),
AES (192 bit), or AES (256 bit). The algorithms appear in order from weakest to strongest,
with the exception of Blowfish, which uses a 128-bit key for strong encryption.
For best performance with a high level of encryption, we recommend that you choose MD5
authentication with Blowfish encryption.
Data channel
Select the protocol and port Mobile VPN with SSL uses to send data after a VPN
connection is established. You can use the TCP or UDP protocol. Then, select a port. The
default protocol and port for Mobile VPN with SSL is TCP port 443. This is also the
standard protocol and port for HTTPS traffic. You can use port 443 for Mobile VPN with
SSL as long as you do not use the same external IP address in an incoming HTTPS
policy.
If you change the data channel to use a port other than 443, users must manually type this
port in the Mobile VPN with SSL connection dialog box. For example, if you change the
data channel to 444, and the XTM device IP address is 203.0.113.2, the user must type
203.0.113.2:444 instead of 203.0.113.2.
If the port is set to the default 443, the user must only type the XTM device's IP address. It
is not necessary to type :443 after the IP address.
For more information, see Choose the Port and Protocol for Mobile VPN with SSL on page
1253.
Configuration channel
Select the protocol and port Mobile VPN with SSL uses to negotiate the data channel and
to download configuration files. If you set the data channel protocol to TCP, the
configuration channel automatically uses the same port and protocol. If you set the data
channel protocol to UDP, you can set the configuration channel protocol to TCP or UDP,
and you can use a different port than the data channel.
Keep-alive
Specify how often the XTM device sends traffic through the tunnel to keep the tunnel active
when there is no other traffic sent through the tunnel.
Timeout
Specify how long the XTM device waits for a response. If there is no response before the
timeout value, the tunnel is closed and the client must reconnect.
Renegotiate Data Channel
If a Mobile VPN with SSL connection has been active for the amount of time specified in
the Renegotiate Data Channel text box, the Mobile VPN with SSL client must create a
new tunnel. The minimum value is 60 minutes.
DNS and WINS Servers
You can use DNS or WINS to resolve the IP addresses of resources that are protected by
the XTM device. If you want the Mobile VPN with SSL clients to use a DNS or WINS
server behind the XTM device instead of the servers assigned by the remote network they
are connected to, type the domain name and IP addresses of the DNS and WINS servers
on your network. For more information on DNS and WINS, see Name Resolution for Mobile
VPN with SSL on page 1256.
Configure Policies to Control Mobile VPN with SSL Client Access
When you enable Mobile VPN with SSL, an Allow SSLVPN-Users policy is added. It automatically
includes all users and groups in your Mobile VPN with SSL configuration, and it has no restrictions on
the traffic that it allows from SSL clients to network resources protected by the XTM device. To restrict
Mobile VPN with SSL client access, disable the Allow SSLVPN-Users policy. Then, add new policies
to your configuration or add the group with Mobile VPN with SSL access to the From section of your
policies.
If you assign addresses from a trusted network to Mobile VPN with SSL users, the
traffic from the Mobile VPN with SSL user is not considered trusted. All Mobile VPN
with SSL traffic is untrusted by default. Regardless of assigned IP address, you must
create policies to allow Mobile VPN with SSL users access to network resources.
Allow Mobile VPN with SSL Users to Access a Trusted Network
In this example, you use Fireware XTM Web UI to add an Any policy which gives all members of the
SSLVPN-Users group full access to resources on all trusted networks.
1. Select Firewall > Firewall Policies. Click Add Policy.
2. From the Packet Filter drop-down list, select Any.
3. In the Name text box, type a name for the policy. Choose a name that will help you identify this
policy in your configuration.
4. Click Add Policy.
5. On the Settings tab, in the From section, select Any-Trusted and click Remove.
6. In the From section, click Add.
The Add Member dialog box appears.
7. From the Member Type drop-down list, select SSLVPN Group.
8. Select SSLVPN-Users.
9. Click OK to close the Add Member dialog box.
10. In the To section, select Any-External and click Remove.
11. In the To section, click Add.
The Add Member dialog box appears.
12. From the member list, select Any-Trusted.
13. Click OK.
14. Click Save.
For more information on policies, see Add Policies to Your Configuration on page 598.
Use Other Groups or Users in a Mobile VPN with SSL Policy
To make a Mobile VPN with SSL connection, users must be members of the SSLVPN-Users group or
any group you added to the Mobile VPN with SSL configuration. You can use policies with other groups
to restrict access to resources after the user connects. If you added groups from a third-party
authentication server in your Mobile VPN with SSL configuration, and you want to use those group
names in policies to restrict access, you must also add those groups to the Authorized Users and
Groups list in the Fireware XTM device configuration. To do this, select Authentication > Users and
Groups.
For more information, see Use Authorized Users and Groups in Policies.
After you add users or groups from the Mobile VPN with SSL configuration to the Authorized Users and
Groups list, you can edit the automatically generated Allow SSLVPN-Users policy to apply to a
specific group or user. For example, if you want the Allow SSLVPN-Users policy to apply to only the
user group LDAP-Users1:
1. Select Authentication > Users and Groups.
2. Add the LDAP-Users1 group that you added to the Mobile VPN with SSL configuration. When
you add the group, make sure you set the Auth Server to LDAP.
3. Edit the Allow SSLVPN-Users policy.
4. In the From section, remove the SSLVPN-Users group.
5. In the From section, select Add.
The Add Member dialog box appears.
6. From the Member Type drop-down list, select SSLVPN Group.
A list of groups appears.
7. Select and add the LDAP-Users1 group.
8. Click OK.
The Allow SSLVPN-Users policy now applies only to the LDAP-Users1 group.
Choose the Port and Protocol for Mobile VPN with SSL
The default protocol and port for Mobile VPN with SSL is TCP port 443. If you try to configure the XTM
device to use a port and protocol that is already in use, you see an error message.
Common network configurations that require the use of TCP 443 include:
- The XTM device protects a web server that uses HTTPS.
- The XTM device protects a Microsoft Exchange server with Microsoft Outlook Web Access
configured.
If you have an additional external IP address that does not accept incoming TCP port 443 connections,
you can configure it as the primary IP address for Mobile VPN with SSL.
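The port conflict rule described here, and the data/configuration channel rule from the Advanced settings, as an added example that is not WatchGuard code. The policy records, the two external addresses and the rule that a UDP data channel reuses its own port for the configuration channel when no separate values are given are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Channel:
    """A Mobile VPN with SSL channel: protocol, port and the external IP it listens on."""
    protocol: str      # "TCP" or "UDP"
    port: int
    external_ip: str   # primary IP address used for Mobile VPN with SSL


@dataclass(frozen=True)
class IncomingPolicy:
    """A constructed incoming policy record (not a Fireware export format)."""
    name: str
    protocol: str
    port: int
    external_ip: str   # external IP address the policy accepts traffic on


DEFAULT_PORT = 443   # the guide's default data channel: TCP 443, shared with HTTPS


def configuration_channel(data: Channel, protocol: Optional[str] = None,
                          port: Optional[int] = None) -> Channel:
    """Derive the configuration channel as the guide describes: a TCP data
    channel forces the same protocol and port; a UDP data channel may use TCP
    or UDP on a different port. Assumption (not stated in the guide): when no
    separate values are given for a UDP data channel, reuse the data channel's."""
    if data.protocol.upper() == "TCP":
        return Channel("TCP", data.port, data.external_ip)
    return Channel((protocol or data.protocol).upper(), port or data.port,
                   data.external_ip)


def find_conflicts(channel: Channel,
                   policies: Iterable[IncomingPolicy]) -> List[IncomingPolicy]:
    """Policies that already accept the channel's protocol and port on the
    same external IP. The same port on a different external IP is not a
    conflict, which is why the guide suggests a second external address."""
    return [p for p in policies
            if p.protocol.upper() == channel.protocol.upper()
            and p.port == channel.port
            and p.external_ip == channel.external_ip]


def check_channels(data: Channel, config: Channel,
                   policies: Iterable[IncomingPolicy]) -> dict:
    """Map each channel to the names of the policies it collides with."""
    policies = list(policies)
    return {
        "data": [p.name for p in find_conflicts(data, policies)],
        "configuration": [p.name for p in find_conflicts(config, policies)],
    }


def first_free_external_ip(external_ips: Iterable[str], protocol: str, port: int,
                           policies: Iterable[IncomingPolicy]) -> Optional[str]:
    """Return the first external IP with no incoming policy on protocol/port,
    i.e. an address that can keep the default TCP 443 for Mobile VPN with SSL."""
    policies = list(policies)
    for ip in external_ips:
        if not find_conflicts(Channel(protocol, port, ip), policies):
            return ip
    return None


# Constructed sample data, not an export from a real XTM device.
SAMPLE_POLICIES = [
    IncomingPolicy("HTTPS-WebServer", "TCP", 443, "203.0.113.2"),
    IncomingPolicy("OWA-Exchange", "TCP", 443, "203.0.113.2"),
    IncomingPolicy("SMTP-Inbound", "TCP", 25, "203.0.113.3"),
]
SAMPLE_EXTERNAL_IPS = ["203.0.113.2", "203.0.113.3"]

if __name__ == "__main__":
    data = Channel("TCP", DEFAULT_PORT, "203.0.113.2")
    print(check_channels(data, configuration_channel(data), SAMPLE_POLICIES))
    print("free external IP for TCP 443:",
          first_free_external_ip(SAMPLE_EXTERNAL_IPS, "TCP", 443, SAMPLE_POLICIES))
```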
Mobile VPN with SSL traffic is always encrypted using SSL, even if you use a
different port or protocol.
How to Choose a Different Port and Protocol
If you need to change the default port or protocol for Mobile VPN with SSL, we recommend that you
choose a port and protocol that is not commonly blocked. Some additional considerations include:
Select a common port and protocol
Mobile VPN with PPTP and Mobile VPN with IPSec use specific ports and protocols that are
blocked by some public Internet connections. By default, Mobile VPN with SSL operates on the
port and protocol used for encrypted web site traffic (HTTPS) to avoid being blocked. This is
one of the main advantages of SSL VPN over other Mobile VPN options. We recommend that
you choose TCP port 53, or UDP port 53 (DNS) to keep this advantage.
These ports are allowed by almost all Internet connections. If the access site uses packet
filters, the SSL traffic should pass. If the access site uses proxies, the SSL traffic is likely to be
denied because it does not follow standard HTTP or DNS communications protocols.
UDP versus TCP
Normally TCP works as well as UDP, but TCP can be significantly slower if the connection is
already slow or unreliable. The additional latency is caused by the error checking that is part of
the TCP protocol. Because the majority of traffic that passes through a VPN tunnel uses TCP,
the addition of TCP error checking to the VPN connection is redundant. With slow and
unreliable connections, the TCP error checking timeouts cause VPN traffic to be sent more and
more slowly. If this happens enough times, the poor connection performance is noticed by the
user.
UDP is a good choice if the majority of the traffic generated by your Mobile VPN with SSL clients is
TCP-based. The HTTP, HTTPS, SMTP, POP3 and Microsoft Exchange protocols all use TCP
by default. If the majority of the traffic generated by your Mobile VPN with SSL clients is UDP,
we recommend that you select TCP for the Mobile VPN with SSL protocol.
Options for Internet Access Through a Mobile VPN with SSL Tunnel
Force All Client Traffic Through Tunnel
This is the most secure option. It requires that all remote user Internet traffic is routed through the VPN
tunnel to the XTM device. From the XTM device, the traffic is then sent back out to the Internet. With
this configuration (also known as default-route VPN), the XTM device is able to examine all traffic and
provide increased security. However, this requires more processing power and bandwidth from the
XTM device. This can affect network performance if you have a large number of VPN users. By
default, a policy named Allow SSLVPN-Users allows access to all internal resources and the Internet.
Allow Direct Access to the Internet
If you select Routed VPN traffic in the Mobile VPN with SSL configuration, and you do not force all
client traffic through the tunnel, you must configure the allowed resources for the SSL VPN users. If
you select Specify allowed resources or Allow access to networks connected through Trusted,
Optional and VLANs, only traffic to those resources is sent through the VPN tunnel. All other traffic
goes directly to the Internet and the network that the remote SSL VPN user is connected to. This
option can affect your security because any traffic sent to the Internet or the remote client network is
not encrypted or subject to the policies you configured on the XTM device.
Use the HTTP Proxy to Control Internet Access for Mobile VPN with SSL Users
If you configure Mobile VPN with SSL to force all client traffic through the tunnel, you can use HTTP
proxy policies to restrict Internet access. The default Allow SSLVPN-Users policy has no restrictions
on the traffic that it allows from SSL clients to the Internet. To restrict Internet access, you can use an
HTTP proxy policy you have already configured, or add a new HTTP proxy policy for SSL clients.
1. Select Firewall > Firewall Policies.
2. Double-click the policy to open the Policy Configuration page.
3. On the Policy tab, click Add in the From area.
4. From the Member Type drop-down list, select SSLVPN Group.
5. Select SSLVPN-Users and click OK.
6. Click Save.
The HTTP proxy policy takes precedence over the Any policy. You can leave the Any policy to handle
traffic other than HTTP, or you can use these same steps with another policy to manage traffic from
the SSL clients.
For more information on how to configure an HTTP proxy policy, see About the HTTP-Proxy on page
699.
Name Resolution for Mobile VPN with SSL
The goal of a mobile VPN connection is to allow users to connect to network resources as if they were
connected locally. With a local network connection, NetBIOS traffic on the network allows you to use
the device name to connect to your devices. It is not necessary to know the IP address of each
network device. However, Mobile VPN tunnels cannot pass broadcast traffic. Because NetBIOS relies
on broadcast traffic to operate correctly, you must use an alternate method for name resolution.
Methods of Name Resolution Through a Mobile VPN with SSL Connection
You must choose one of these two methods for name resolution:
WINS/DNS (Windows Internet Name Service/Domain Name System)
A WINS server keeps a database of NetBIOS name resolution for the local network. DNS uses
a similar method. If your domain uses only Active Directory, you must use DNS for name
resolution.
LMHOSTS file
An LMHOSTS file is a manually created file that you install on all computers with Mobile VPN
with SSL. The file contains a list of resource names and their associated IP addresses.
Select the Best Method for Your Network
Because of the limited administration requirements and current information it provides, WINS/DNS is
the preferred solution for name resolution through a Mobile VPN tunnel. The WINS server constantly
listens to the local network and updates its information. If the IP address of a resource changes, or a
new resource is added, you do not have to change any settings on the SSL client. When the client tries
to get access to a resource by name, a request is sent to the WINS/DNS servers and the most current
information is given.
If you do not already have a WINS server, the LMHOSTS file is a fast way to provide name resolution
to Mobile VPN with SSL clients. Unfortunately, it is a static file and you must edit it manually any time
there is a change. Also, the resource name/IP address pairs in the LMHOSTS file are applied to all
network connections, not only the Mobile VPN with SSL connection.
Configure WINS or DNS for Name Resolution
Each network is unique in terms of the resources available and the skills of the administrators. The
best resource to help you learn how to configure a WINS server is the documentation for your
server, such as the Microsoft web site. When you configure your WINS or DNS server, note that:
- The WINS server must be configured to be a client of itself.
- Your XTM device must be the default gateway of the WINS and DNS servers.
- For WINS, you must make sure that network resources do not have more than one IP address
assigned to a single network interface. NetBIOS only recognizes the first IP address assigned
to a NIC. For more information, see http://support.microsoft.com/kb/q131641/.
Add WINS and DNS Servers to a Mobile VPN with SSL Configuration
1. Select VPN > Mobile VPN with SSL.
2. Select the Advanced tab.
The Mobile VPN with SSL Advanced page appears.
3. In the WINS and DNS Servers section, type the primary and secondary addresses for the
WINS and DNS servers.
You can also type a domain suffix in the Domain Name text box for a client to use with
unqualified names.
4. Click Save.
The next time an SSL client computer authenticates to the XTM device, the new settings are applied to
the connection.
Configure an LMHOSTS File to Provide Name Resolution
When you use an LMHOSTS file to get name resolution for your Mobile VPN clients, no changes to the
XTM device or the Mobile VPN client software are necessary. Basic instructions to help you create an
LMHOSTS file are included in the subsequent section.
Edit an LMHOSTS File
1. Find the LMHOSTS file on the Mobile VPN client computer.
The LMHOSTS file is usually located in the C:\WINDOWS\system32\drivers\etc directory.
2. Open the LMHOSTS file with a text editor, such as Notepad.
If you cannot find an LMHOSTS file, create a new file in a text editor.
3. To create an entry in the LMHOSTS file, type the IP address of a network resource, five
spaces, and then the name of the resource.
The resource name must be 15 characters or less. It should look like this:
192.168.42.252     server_name
4. If you started with an older LMHOSTS file, save the file with the original file name.
If you created a new file, save it with the file name lmhosts in the
C:\WINDOWS\system32\drivers\etc directory.
If you used Notepad to create the new file, you must also choose the type All Files in the Save
dialog box, or Notepad adds the .txt file extension to the file name.
5. Reboot the SSL client computer for the LMHOSTS file to become active.
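The entry layout from step 3 (IP address, five spaces, a resource name of at most 15 characters) and the merge with an older file from step 4, as an added example that is not WatchGuard code. The resource names and addresses are constructed; the handling of #PRE tags and #INCLUDE directives is this example's own simplification.

```python
from ipaddress import IPv4Address
from typing import Dict

MAX_NETBIOS_NAME = 15     # the guide's limit on the resource name
SEPARATOR = " " * 5       # the guide's layout: IP address, five spaces, name


def format_entry(ip: str, name: str) -> str:
    """Return one LMHOSTS line, validating the address and the NetBIOS name."""
    IPv4Address(ip)   # raises AddressValueError (a ValueError) on a malformed address
    if not name or len(name) > MAX_NETBIOS_NAME:
        raise ValueError(f"resource name must be 1-{MAX_NETBIOS_NAME} characters: {name!r}")
    if any(ch.isspace() for ch in name) or "#" in name:
        raise ValueError(f"resource name may not contain spaces or '#': {name!r}")
    return f"{ip}{SEPARATOR}{name}"


def parse_lmhosts(text: str) -> Dict[str, str]:
    """Parse existing LMHOSTS text into {NAME: ip}. Text after '#' is dropped
    (this also drops optional tags such as #PRE), whole-line directives such as
    #INCLUDE are skipped, and names are upper-cased because NetBIOS names are
    case-insensitive. Simplified parser, not the Windows resolver's."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, name = parts[0], parts[1]
        IPv4Address(ip)          # reject a corrupt line instead of carrying it over
        entries[name.upper()] = ip
    return entries


def merge_lmhosts(existing_text: str, new_hosts: Dict[str, str]) -> str:
    """Return LMHOSTS text with the old file's entries kept and the new
    resource names added or updated, as step 4 keeps the original file."""
    entries = parse_lmhosts(existing_text)
    for name, ip in new_hosts.items():
        format_entry(ip, name)   # validate before accepting the new entry
        entries[name.upper()] = ip
    lines = ["# LMHOSTS entries for Mobile VPN with SSL resources (constructed sample)"]
    lines.extend(format_entry(ip, name) for name, ip in sorted(entries.items()))
    return "\n".join(lines) + "\n"


# Constructed sample resources, not a real network.
SAMPLE_HOSTS = {"server_name": "192.168.42.252", "fileshare": "192.168.42.10"}

if __name__ == "__main__":
    print(merge_lmhosts("", SAMPLE_HOSTS), end="")
```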
Configure the External Authentication Server
If you create a Mobile VPN user group that authenticates to a third-party server, make sure you create
a group on the server that has the same name as the name you added for the Mobile VPN group.
If you use Active Directory as your authentication server, the users must belong to an Active Directory
security group with the same name as the group name you configure for Mobile VPN with SSL.
For RADIUS, VASCO, or SecurID, make sure that the RADIUS server sends a Filter-Id attribute
(RADIUS attribute 11) when a user successfully authenticates, to tell the XTM device what group the
user belongs to. The value for the Filter-Id attribute must match the name of the Mobile VPN group as it
appears in the Fireware XTM RADIUS authentication server settings. All Mobile VPN users that
authenticate to the server must belong to this group.
Install and Connect the Mobile VPN with SSL Client
The Mobile VPN with SSL software enables users to connect, disconnect, gather more information
about the connection, and to exit or quit the client. The Mobile VPN with SSL client adds an icon to the
system tray on the Windows operating system, or an icon in the menu bar on Mac OS X. You can use
this icon to control the client software.
To use Mobile VPN with SSL, you must:
1. Verify system requirements
2. Download the client software
3. Install the client software
4. Connect to your private network
If a user is unable to connect to the XTM device, or cannot download the installer
from the XTM device, you can Manually Distribute and Install the Mobile VPN with
SSL Client Software and Configuration File.
Client Computer Requirements
You can install the Mobile VPN with SSL client software on computers with these operating systems:
- Microsoft Windows XP SP2 (32-bit)
- Microsoft Windows 7 and 8 (32-bit and 64-bit)
- Microsoft Windows Server 2003 (32-bit)
- Mac OS X v10.6, v10.7, v10.8, v10.9
If the client computer has Windows XP, you must log on with an account that has administrator rights
to install the Mobile VPN with SSL client software. Administrator rights are not required to connect
after the SSL client has been installed and configured. In Windows XP Professional, the user must be
a member of the Network Configuration Operators group to run the SSL client.
If the client computer has Mac OS X, administrator rights are not required to install or use the SSL
client.
Download the Client Software
To download the client software, you authenticate to the XTM device with an HTTPS connection over
port 4100.
1. Connect to one of these addresses with a web browser:
https://[device interface IP address]/sslvpn.html
https://[device interface IP address]:4100/sslvpn.html
https://[device host name]/sslvpn.html
https://[device host name]:4100/sslvpn.html
The authentication web page appears.
2. Type your Username and Password.
3. If Mobile VPN with SSL is configured to use more than one authentication method, select the
authentication server from the Domain drop-down list. For a WatchGuard device that uses
Fireware XTM v11.8.x or lower, the Domain drop-down list does not appear, and you must
specify the non-default authentication server in the Username text box, before the user name.
For example:
- If RADIUS is the non-default server: radius\j_smith
- If the Active Directory server ad1_example.com is the non-default server: ad1_example.com\j_smith
- If Firebox-DB is the non-default authentication server: Firebox-DB\j_smith
The Mobile VPN with SSL download page appears.
4. Click the Download button for the installer you want to use. There are two available versions:
Windows (WG-MVPN-SSL.exe) and Mac OS X (WG-MVPN-SSL.dmg).
5. Save the file to your desktop or another folder of your choice.
On this page you can also download the Mobile VPN with SSL client profile for connections from any
SSL VPN client that supports .ovpn configuration files. For more information about the Mobile VPN
with SSL client profile, see Use Mobile VPN with SSL with an OpenVPN Client.
Install the Client Software
For Microsoft Windows:
1. Double-click WG-MVPN-SSL.exe.
The Mobile VPN with SSL client Setup Wizard starts.
2. Accept the default settings on each screen of the wizard.
3. If you want to add a desktop icon or a Quick Launch icon, select the check box in the wizard
that matches the option. A desktop or Quick Launch icon is not required.
4. Finish and exit the wizard.
For Mac OS X:
To install the Mobile VPN with SSL software on Mac OS 10.9 Mavericks, you must
select System Preferences > Security & Privacy > General and select the option
to allow apps downloaded from anywhere.
1. Double-click WG-MVPN-SSL.dmg.
A volume named WatchGuard Mobile VPN is created on your desktop.
2. In the WatchGuard Mobile VPN volume, double-click WatchGuard Mobile VPN with SSL
Installer <version>.mpkg.
The client installer starts.
3. Accept the default settings on each screen of the installer.
4. Finish and exit the installer.
After you download and install the client software, the Mobile VPN client software automatically
connects to the XTM device. Each time you connect to the XTM device, the client software checks for
configuration updates.
Connect to Your Private Network
For Microsoft Windows:
To start the Mobile VPN with SSL client, use one of these methods:
- From the Start Menu, select All Programs > WatchGuard > Mobile VPN with SSL client >
Mobile VPN with SSL client.
- Double-click the Mobile VPN with SSL shortcut on your desktop.
- Click the Mobile VPN with SSL icon in the Quick Launch toolbar.
For Mac OS X:
To start the Mobile VPN with SSL client on Mac OS X:
1. Open a Finder window.
2. Go to Applications > WatchGuard.
3. Double-click the WatchGuard Mobile VPN with SSL application.
To connect to your private network from the Mobile VPN with SSL client:
1. In the Server text box, type or select the address of the XTM device you want to connect to.
The IP address of the server you most recently connected to is selected by default.
2. In the Username text box, type the user name. If Mobile VPN with SSL on the XTM device is
configured to use multiple authentication methods, you might need to specify the authentication
server or domain as part of the user name.
3. In the Password text box, type the password to use for authentication.
The client remembers the password, if the administrator configures the authentication settings to
allow it.
4. Click Connect.
The Server is the IP address of the primary external interface of an XTM device. If Mobile VPN with
SSL on the XTM device is configured to use a port other than the default port 443, in the Server text
box, you must type the primary external interface followed by a colon and the port number. For
example, if Mobile VPN with SSL is configured to use port 444, and the primary external IP address is
203.0.113.2, the Server is 203.0.113.2:444.
The Username can include the authentication server and user name of the user. If Mobile VPN with
SSL on the XTM device is configured to use multiple authentication methods, users who do not use the
default authentication server must specify the authentication server or domain as part of the user
name.
The user name must be in one of these formats:
Use the default authentication server
In the User name text box, type just the user name.
Example: j_smith
Use a non-default authentication server
In the User name text box, type <authentication server>\<user name>.
Examples:
- If RADIUS is the non-default server: radius\j_smith
- If the Active Directory server ad1_example.com is the non-default server: ad1_example.com\j_smith
- If Firebox-DB is the non-default authentication server: Firebox-DB\j_smith
The SSL client user must enter their login credentials. Mobile VPN with SSL does not support any
Single Sign-On (SSO) services. If the connection between the SSL client and the XTM device is
temporarily lost, the SSL client tries to establish the connection again.
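The Server and Username formats described above, and the same server\user prefix from the download page, as an added example that is not the WatchGuard client's own code. The list of enabled servers is a constructed sample; matching the server prefix case-insensitively (so radius\j_smith selects RADIUS) and limiting the Server field to host names and IPv4 literals are this example's assumptions.

```python
import re
from typing import Sequence, Tuple

DEFAULT_PORT = 443            # the guide's default data channel port
# host name or IPv4 literal, optionally followed by :port (assumption: no IPv6 literals)
_SERVER_RE = re.compile(r"^(?P<host>[^\s:\\/]+)(?::(?P<port>\d{1,5}))?$")


def parse_server(server_field: str) -> Tuple[str, int]:
    """Split the Server field into (host, port). 'host' alone means port 443,
    so users never need to type ':443'; 'host:444' selects a non-default port."""
    match = _SERVER_RE.match(server_field.strip())
    if match is None:
        raise ValueError(f"invalid server address: {server_field!r}")
    port = int(match.group("port") or DEFAULT_PORT)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return match.group("host"), port


def parse_username(username_field: str, default_server: str,
                   enabled_servers: Sequence[str]) -> Tuple[str, str]:
    """Split the Username field into (authentication server, user name).
    A bare user name selects the default server (top of the configured list);
    'server\\user' selects a non-default server, which must be one of the
    servers enabled for Mobile VPN with SSL on the Authentication tab."""
    field = username_field.strip()
    if "\\" in field:
        server, user = field.split("\\", 1)
    else:
        server, user = default_server, field
    if not user:
        raise ValueError("user name is empty")
    for candidate in enabled_servers:          # assumption: case-insensitive match
        if candidate.lower() == server.lower():
            return candidate, user
    raise ValueError(f"authentication server not enabled for Mobile VPN with SSL: {server!r}")


def connection_target(server_field: str, username_field: str,
                      default_server: str, enabled_servers: Sequence[str]) -> dict:
    """Combine both dialog fields into the values a connection attempt would use."""
    host, port = parse_server(server_field)
    server, user = parse_username(username_field, default_server, enabled_servers)
    return {"host": host, "port": port, "auth_server": server, "user": user}


# Constructed sample: the servers enabled on the Authentication tab, default server first.
ENABLED_SERVERS = ["Firebox-DB", "RADIUS", "ad1_example.com"]

if __name__ == "__main__":
    for srv, usr in [("203.0.113.2", "j_smith"),
                     ("203.0.113.2:444", "radius\\j_smith"),
                     ("vpn.example.com", "ad1_example.com\\j_smith")]:
        print(connection_target(srv, usr, ENABLED_SERVERS[0], ENABLED_SERVERS))
```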
Other Connection Options
Two other connection options are available in the client only if the administrator has enabled them on
the device you connect to.
Automatically reconnect
Select the Automatically reconnect check box if you want the Mobile VPN with SSL client to
automatically reconnect when the connection is lost.
Remember password
Select the Remember password check box if you want the Mobile VPN with SSL client to
remember the password you typed for the next time you connect.
Mobile VPN with SSL Client Controls
When the Mobile VPN with SSL client runs, the WatchGuard Mobile VPN with SSL icon appears in the
system tray (Windows) or on the right side of the menu bar (Mac OS X). The VPN connection status is
shown by the appearance of the icon's magnifying glass.
- The VPN connection is not established.
- The VPN connection has been established. You can securely connect to resources behind
the XTM device.
- The client is in the process of connecting or disconnecting.
To see the client controls list, right-click the Mobile VPN with SSL icon in the system tray (Windows),
or click the Mobile VPN with SSL icon in the menu bar (Mac OS X). You can select from these actions:
Connect/Disconnect
Start or stop the Mobile VPN with SSL connection.
Status
See the status of the Mobile VPN with SSL connection.
View Logs
Open the connection log file.
Properties
Windows: Select Launch program on startup to start the client when Windows starts. Type
a number for Log level to change the level of detail included in the logs.
Mac OS X: Shows detailed information about the Mobile VPN with SSL connection. You can
also set the log level.
About
The WatchGuard Mobile VPN dialog box opens with information about the client software.
Exit (Windows) or Quit (Mac OS X)
Disconnect from the XTM device and shut down the client.
Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File
If there is some reason your users cannot download the client software from the XTM device, you can
manually provide them with the client software and configuration file. You can download the Mobile
VPN with SSL client software on the WatchGuard Portal. Use the steps below to get the
SSL VPN configuration file to distribute.
Get the Configuration File from the XTM device
To get the Mobile VPN with SSL configuration file, you must install WatchGuard System Manager.
Then you can use Firebox System Manager to get the file. For more information, see the Mobile VPN
for SSL chapter in the WatchGuard System Manager Help or User Guide.
Install and Configure the SSL Client Using the Installation Software and a Configuration File
You must have two files:
- Mobile VPN with SSL VPN client installation software
WG-MVPN-SSL.exe (Microsoft Windows) or WG-MVPN-SSL.dmg (Mac OS X)
- Mobile VPN with SSL VPN configuration file
sslvpn-client.wgssl
For Microsoft Windows:
1. Double-click WG-MVPN-SSL.exe.
The Mobile VPN with SSL client Setup Wizard starts.
2. Accept the default settings on each screen of the wizard.
3. If you want to add a desktop icon or a Quick Launch icon, select the check box for that option.
A desktop or Quick Launch icon is not required. The client icon is added to the Windows Start menu
by default.
4. Finish and exit the wizard.
5. Use one of these three methods to start the client software:
n Fromthe Start Menu, select All Programs > WatchGuard > Mobile VPN with SSL
client > Mobile VPN with SSL client.
The client installer starts.
n Double-click the Mobile VPN with SSL client icon on the desktop.
n Click the Mobile VPN with SSL client icon in the Quick Launch toolbar.
6. Double-click sslvpn-client.wgssl to configure the Mobile VPN with SSL client software.
For Mac OS X:
1. Double-click WG-MVPN-SSL.dmg.
A volume named WatchGuard Mobile VPN is created on the desktop.
2. In the WatchGuard Mobile VPN volume, double-click WatchGuard Mobile VPN with SSL
Installer V15.mpkg.
The client installer starts.
3. Accept the default settings in the installer.
4. Finish and exit the installer.
5. Start the client software. Open a Finder window and go to Applications > WatchGuard.
6. Double-click the WatchGuard Mobile VPN with SSL application.
The WatchGuard Mobile VPN with SSL logo appears in the menu bar.
7. Double-click sslvpn-client.wgssl to configure the Mobile VPN with SSL client software.
Update the Configuration of a Computer that is Unable to Connect to
the XTM Device
You must have an updated sslvpn-client.wgssl file. For information on how to get the sslvpn-
client.wgssl file, see Get the configuration file fromthe XTMdevice.
1. Double-click sslvpn-client.wgssl.
The SSL client starts.
2. Type your user name and password. Click Connect.
The SSL VPN connects with the new settings.
Uninstall the Mobile VPN with SSL Client
You can use the uninstall application to remove the Mobile VPN with SSL client from a computer.
Microsoft Windows
1. From the Start Menu, select All Programs > WatchGuard > Mobile VPN with SSL client > Uninstall Mobile VPN with SSL client.
The Mobile VPN with SSL client uninstall program starts.
2. Click Yes to remove the Mobile VPN with SSL client and all of its components.
3. When the program is finished, click OK.
Mac OS X
1. In a Finder window, go to the Applications > WatchGuard folder.
2. Double-click the Uninstall WG SSL VPN application to start the uninstall program.
The Mobile VPN with SSL client uninstall program starts.
3. Click OK on the Warning dialog box.
4. Click OK on the Done dialog box.
5. In a Finder window, go to the Applications folder.
6. Drag the WatchGuard folder to the Trash.
Use Mobile VPN with SSL with an OpenVPN Client
In Fireware XTM v11.7.4 and later, the XTM device creates a Mobile VPN with SSL client profile that users can import to an OpenVPN client to create a profile for connections to the XTM device. This enables you to configure an OpenVPN client, such as the OpenVPN Connect app for Android and iOS, to make an SSL VPN connection to the XTM device.
Fireware XTM v11.7.3 also supports connections from OpenVPN Connect, but does not generate the .ovpn file. For information about how to create this file manually for connections to a device that uses Fireware XTM v11.7.3, see the article Create an SSL VPN Profile for OpenVPN Connect for Android/iOS in the WatchGuard Knowledge Base.
OpenVPN Connect is available from www.openvpn.net, the Google Play app store, or the Apple app store.
Requirements
Before you download the Mobile VPN with SSL client profile, make sure your XTM device configuration meets these requirements:
- The XTM device must use Fireware XTM v11.7.4 or later.
- The XTM device must be configured to route VPN traffic. Make sure that Routed VPN traffic is selected in the Mobile VPN with SSL configuration. For more information, see Configure the XTM Device for Mobile VPN with SSL.
- The certificates for Mobile VPN with SSL must be created with Fireware XTM v11.7.3 or later. If you upgraded from an earlier version, your certificates may not be compatible with the OpenVPN client.
To generate new SSL VPN certificates, you must delete the SSL VPN certificates from the XTM device and reboot the XTM device. When the XTM device restarts, it creates new SSL VPN certificates.
The three SSL VPN certificates have these common name (cn) attributes:
- cn=Fireware SSLVPN Server
- cn=Fireware SSLVPN Client
- cn=Fireware SSLVPN (SN...) CA
You must use Firebox System Manager (FSM) to delete certificates. For more information, see the WatchGuard System Manager Help.
After the XTM device generates new SSL VPN certificates, existing WatchGuard Mobile VPN with SSL clients automatically download the new certificates the next time your users connect. The WatchGuard Mobile VPN with SSL client prompts the user to accept the new certificate if the user does not have the CA certificate for the XTM device.
Download the Mobile VPN with SSL Client Profile
After Mobile VPN with SSL is configured, you can download the client.ovpn file from the XTM device, and send it to the device where the OpenVPN client is installed.
Because the web browser on some mobile devices does not support file downloads, this procedure describes how to download the file to another device, and then email it to the mobile device as a file attachment.
To download the .ovpn profile from the XTM device:
1. Connect to this address with a web browser:
https://<IP address of an XTM device interface>/sslvpn.html
or
https://<Host name of the XTM device>/sslvpn.html
2. Type your user name and password to authenticate to the XTM device.
The Mobile VPN with SSL download page appears.
3. Click the Download button for the Mobile VPN with SSL client profile. The file you download is called client.ovpn.
4. Save the file to a location on your computer.
5. Send the file as an email file attachment to the mobile user.
Import the Client Profile
To import a client profile to an Android or iOS device:
1. Install the OpenVPN Connect app.
2. Open the email message that contains the .ovpn email attachment.
3. Tap the attachment to open the file in the OpenVPN Connect app.
4. Import the .ovpn file to the VPN client to create a new connection profile.
5. In the profile, type the Username and Password you use to authenticate to the XTM device.
6. To start the VPN tunnel, select or turn on the VPN profile in OpenVPN Connect.
See the documentation for your OpenVPN client for more information about how to import a .ovpn file.
24 Mobile VPN with L2TP
Mobile VPN with L2TP
1270 Fireware XTM Web UI
Mobile VPN with L2TP
User Guide 1271
About Mobile VPN with L2TP
Mobile Virtual Private Networking (Mobile VPN) with L2TP (Layer 2 Tunneling Protocol) creates a secure connection between a remote computer and the network resources behind the XTM device. By default, Mobile VPN with L2TP uses IPSec to provide strong encryption and authentication.
If you have a WatchGuard XTM 21, 22, or 23 device, this feature is not available for your device.
Client Compatibility
Mobile VPN with L2TP supports connections from most L2TP VPN v2 clients that comply with the L2TP RFC 2661 standard.
Authentication Server Compatibility
Mobile VPN with L2TP supports local authentication on the XTM device (Firebox-DB) and RADIUS authentication servers. For more information, see About L2TP User Authentication.
Licensing
To support more than one Mobile VPN with L2TP connection, your XTM device must have Fireware XTM with a Pro upgrade. The Pro upgrade is included with most XTM device models. The maximum number of supported L2TP connections varies for each XTM device model. The L2TP users value in the device feature key indicates the maximum number of Mobile VPN with L2TP connections your device supports.
Options for Internet Access Through a Mobile VPN with L2TP Tunnel
When you configure Mobile VPN for your remote users, you must choose whether you want their general Internet traffic to go through the VPN tunnel, or to bypass the VPN tunnel. Your choice can affect your network security because Internet traffic that does not go through the tunnel is not filtered or encrypted.
In your configuration, you specify your choice with the tunnel route you select: default-route VPN or split tunnel VPN.
Default-Route VPN
The most secure option is to require that all remote user Internet traffic is routed through the VPN tunnel to the XTM device. Then, the traffic is sent back out to the Internet. With this configuration (known as default-route VPN), the XTM device is able to examine all traffic and provide increased security, although it uses more processing power and bandwidth. When you use default-route VPN, a dynamic NAT policy must include the outgoing traffic from the remote network. This allows remote users to browse the Internet when they send all traffic to the XTM device.
Split Tunnel VPN
Another configuration option is to enable split tunneling. This configuration enables users to browse the Internet without the need to send Internet traffic through the VPN tunnel. Split tunneling improves network performance, but decreases security because the policies you create are not applied to the Internet traffic. If you use split tunneling, we recommend that each client computer have a software firewall.
The native VPN clients on Android and iOS devices do not support split tunneling.
Default-Route VPN Setup for Mobile VPN with L2TP
In Windows XP, Windows 7, and Mac OS X, the default setting for an L2TP connection is default-route. Your XTM device must be configured with dynamic NAT to receive the traffic from an L2TP user. Any policy that manages traffic going out to the Internet from behind the XTM device must be configured to allow the L2TP user traffic.
When you configure your default-route VPN:
- Make sure that the IP addresses you have added to the L2TP address pool are included in your dynamic NAT configuration on the XTM device.
From Policy Manager, select Network > NAT.
- Edit your policy configuration to allow connections from the L2TP-Users group through the external interface.
For example, if you use WebBlocker to control web access, add the L2TP-Users group to the proxy policy that is configured with WebBlocker enabled.
Split Tunnel VPN Setup for Mobile VPN with L2TP
If your VPN client supports split tunneling, on the client computer, edit the L2TP connection properties to not send all traffic through the VPN.
To enable L2TP split tunneling in Windows 8:
1. From the Windows 8 charm menu, select Settings.
2. Select Network.
The Connections list appears.
3. In the Connection list, right-click the VPN connection name.
4. Click View connection properties.
The VPN Properties dialog box appears.
5. Select the Networking tab.
6. Select Internet Protocol Version 4 (TCP/IPv4) in the list and click Properties.
7. On the General tab, click Advanced.
The Advanced TCP/IP Settings dialog box appears.
8. On the IP Settings tab, clear the Use default gateway on remote network check box.
To enable L2TP split tunneling in Windows 7:
1. Select Control Panel > Network and Internet > Connect to a network.
2. Right-click the L2TP VPN connection and select Properties.
The VPN properties dialog box appears.
3. Select the Networking tab.
4. Select Internet Protocol Version 4 (TCP/IPv4) in the list and click Properties.
5. Click Advanced.
The Advanced TCP/IP Settings dialog box appears.
6. On the IP Settings tab, clear the Use default gateway on remote network check box.
To enable L2TP split tunneling in Windows XP:
1. Select Start > Control Panel > Network Connections.
2. Right-click the L2TP VPN connection and select Properties.
The VPN properties dialog box appears.
3. Select the Networking tab.
4. Select Internet Protocol (TCP/IP) in the list and click Properties.
5. Click Advanced.
The Advanced TCP/IP Settings dialog box appears.
6. On the General tab, clear the Use default gateway on remote network check box.
L2TP routing is defined by the client computer. If you do not select the Use default gateway on remote network check box, the client computer routes traffic through the VPN tunnel only if the traffic destination is the /24 subnet of the virtual IP address assigned to the client computer. For example, if the client is assigned the virtual IP address 10.0.1.225, traffic destined for the 10.0.1.0/24 network is routed through the VPN tunnel, but traffic destined for 10.0.2.0 is not.
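The routing rule in the note above, and the default-route prerequisite that the L2TP address pool be covered by dynamic NAT, as an added Python example that is not WatchGuard code. It decides for one L2TP client which destinations go through the tunnel in default-route versus split-tunnel mode, lists the destinations that bypass the XTM device's policies, and reports pool entries that no dynamic NAT source entry covers. The virtual IP, pool, and NAT entries are constructed sample values; the Python ipaddress module stands in for the client's routing table.

```python
import ipaddress
from typing import Iterable, List


def tunnel_networks(virtual_ip: str, use_default_gateway: bool) -> List[ipaddress.IPv4Network]:
    """Destinations the L2TP client sends through the tunnel.

    "Use default gateway on remote network" selected (default-route VPN): everything.
    Cleared (split tunnel): only the /24 that contains the client's virtual IP address.
    """
    if use_default_gateway:
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(f"{virtual_ip}/24", strict=False)]


def goes_through_tunnel(virtual_ip: str, use_default_gateway: bool, destination: str) -> bool:
    dst = ipaddress.ip_address(destination)
    return any(dst in net for net in tunnel_networks(virtual_ip, use_default_gateway))


def unfiltered_destinations(virtual_ip: str, use_default_gateway: bool,
                            destinations: Iterable[str]) -> List[str]:
    """Destinations that bypass the XTM device, so its policies never see that traffic."""
    return [d for d in destinations if not goes_through_tunnel(virtual_ip, use_default_gateway, d)]


def _parse_pool_entry(entry: str):
    """Pool entries are a host, a network, or a 'first-last' host range; return both ends."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return first, last
    net = ipaddress.ip_network(entry, strict=False)
    return net[0], net[-1]


def pool_entries_not_covered_by_dnat(pool_entries: Iterable[str],
                                     dnat_sources: Iterable[str]) -> List[str]:
    """Default-route prerequisite check.

    Every L2TP address pool entry must fall inside a dynamic NAT source entry on the
    XTM device, or users who send all traffic through the tunnel cannot reach the
    Internet. Returns the pool entries that no dynamic NAT entry fully covers.
    """
    dnat_nets = [ipaddress.ip_network(s, strict=False) for s in dnat_sources]
    uncovered = []
    for entry in pool_entries:
        first, last = _parse_pool_entry(entry)
        # A network is contiguous, so containing both ends means containing the whole entry.
        if not any(first in net and last in net for net in dnat_nets):
            uncovered.append(entry)
    return uncovered


# Constructed sample values, not taken from a real configuration.
CLIENT_VIRTUAL_IP = "10.0.1.225"
L2TP_POOL = ["10.0.1.200-10.0.1.250", "10.0.3.0/24"]
DNAT_SOURCES = ["10.0.1.0/24"]

if __name__ == "__main__":
    for dest in ["10.0.1.50", "10.0.2.0", "203.0.113.10"]:
        route = "tunnel" if goes_through_tunnel(CLIENT_VIRTUAL_IP, False, dest) else "direct (unfiltered)"
        print(f"split tunnel, destination {dest}: {route}")
    print("pool entries missing from dynamic NAT:",
          pool_entries_not_covered_by_dnat(L2TP_POOL, DNAT_SOURCES))
```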
About L2TP User Authentication
When you configure Mobile VPN with L2TP, you select authentication servers, and configure users and groups for authentication. The users and groups you specify must exist on the selected authentication server.
Mobile VPN with L2TP supports two authentication methods:
Local authentication on the XTM device (Firebox-DB)
You can use the local authentication server on the XTM device for L2TP user authentication. If you use Firebox-DB for authentication you must use the L2TP-Users group that is created by default. You can also add other users and groups in the L2TP configuration. The users and groups you add to the L2TP configuration are automatically included in the L2TP-Users group.
When you add a user or group to the Mobile VPN with L2TP configuration and select Firebox-DB as the authentication server, this does not automatically add the user or group for Firebox authentication. You must also add users and groups in the Firebox authentication settings. For detailed instructions to add users and groups, see Define a New User for Firebox Authentication on page 522 and Define a New Group for Firebox Authentication on page 526.
RADIUS
You can use a RADIUS server for L2TP user authentication. If you use a RADIUS server for authentication, you can use the default L2TP-Users group (if you also add that group on the RADIUS authentication server), or you can add the names of users and groups that exist in the RADIUS authentication server database.
If you want to use an Active Directory database for authentication, you can configure your RADIUS server to use the Active Directory database. Then you can configure the RADIUS server on the XTM device, select RADIUS as the authentication method for Mobile VPN with L2TP, and add the users and groups from your Active Directory database to the Mobile VPN with L2TP configuration.
For more information about how to configure a RADIUS server to use an Active Directory database, see Configure RADIUS Server Authentication with Active Directory Users and Groups For Mobile VPN Users.
Mobile VPN with L2TP does not support RADIUS two-factor authentication.
Use the WatchGuard L2TP Setup Wizard
The WatchGuard L2TP Setup Wizard helps you activate and configure Mobile VPN with L2TP. The setup wizard is only available when Mobile VPN with L2TP has not been activated. Any Mobile VPN with L2TP settings not configurable in the wizard are set to their default values. When you activate Mobile VPN with L2TP, IPSec is enabled by default.
Before you Begin
When you configure Mobile VPN with L2TP, you select an authentication server and add users and groups for authentication. Make sure that the authentication server you want to use for L2TP user authentication is configured before you enable Mobile VPN with L2TP. Also, make sure that any users and groups you want to use are added to the authentication server.
For more information about supported user authentication methods for L2TP, see About L2TP User Authentication.
You cannot configure Mobile VPN with L2TP if the device configuration already has a branch office VPN gateway that uses main mode and has a remote gateway with a dynamic IP address.
Start the L2TP Setup Wizard
1. Select VPN > Mobile VPN with L2TP.
The Mobile VPN with L2TP page appears.
2. Click Run Wizard.
The WatchGuard L2TP Setup Wizard appears.
3. Click Next.
A list of configured authentication servers appears.
4. Select the check box for each authentication server you want to use for Mobile VPN with L2TP user authentication. You can use the internal XTM device database (Firebox-DB) or a RADIUS server if you have configured one.
For more information about user authentication methods for L2TP, see About L2TP User Authentication.
5. If you selected more than one authentication server, select the server you want to be the default server. Click Make Default to move that server to the top of the list.
If users do not specify the authentication server as part of the user name when they authenticate from an L2TP client, Mobile VPN with L2TP uses the default authentication server.
If you select more than one authentication server, users who use the non-default authentication server must specify the authentication server or domain as part of the user name. For more information and examples, see Connect from an L2TP VPN Client.
6. Click Next.
The Authentication Users and Groups page appears. The L2TP-Users group is automatically added by default.
7. Click Add to add a user or group to authenticate with Mobile VPN with L2TP.
The Add Authentication User or Group dialog box appears.
If you use the Firebox-DB for authentication you must use the L2TP-Users group that is created by default. You can add the names of other groups and users that use Mobile VPN with L2TP. For each group or user you add, you can select the authentication server where the group exists, or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case sensitive and must exactly match the name on your authentication server.
- Set the Type to Group or User.
- In the Name text box, type the name of the group or user.
- From the Authentication Server drop-down list, select the authentication server where the user or group exists. Or, select Any if the group can be used with all selected authentication servers.
- Click OK.
8. After you configure users and groups, click Next.
The Virtual IP Address Pool page appears.
9. Click Add.
The Add Address Pool dialog box appears.
10. In the Choose Type drop-down list, select whether to add an IPv4 host address, network address, or address range. You must add at least two IP addresses to the virtual IP address pool. Type the IP address or range and click OK.
The address is added to the virtual IP address pool.
For more information about virtual IP address pools, see Virtual IP Addresses and Mobile VPNs.
11. After you define the virtual IP address pool, click Next.
The Select the tunnel authentication method page appears.
12. Select an option for IPSec tunnel authentication. There are two options:
Use Pre-Shared Key
Type or paste the shared key. You must use the same pre-shared key in the IPSec settings on the L2TP client.
Use IPSec Firebox Certificate
Select the certificate to use from the table. You must have already imported a certificate to the XTM device to use this option.
For more information, see Certificates for Mobile VPN with L2TP Tunnel Authentication.
13. Click Next.
14. Click Finish to exit the wizard and save the configuration.
When you activate Mobile VPN with L2TP, Policy Manager automatically creates two policies to allow the traffic. For more information, see About L2TP Policies.
Edit the Mobile VPN with L2TP Configuration
We recommend that you use the WatchGuard L2TP Setup Wizard to set up Mobile VPN with L2TP for the first time. For more information, see Use the WatchGuard L2TP Setup Wizard.
To edit the Mobile VPN with L2TP configuration:
1. Select VPN > Mobile VPN with L2TP.
2. Click Configure.
The Mobile VPN with L2TP page appears.
3. Select the Activate Mobile VPN with L2TP check box, if Mobile VPN with L2TP is not already activated.
Mobile VPN with L2TP is enabled, and IPSec is enabled in the configuration by default.
4. Use the information in the subsequent sections to configure Mobile VPN with L2TP settings.
You cannot enable IPSec in the Mobile VPN with L2TP configuration if the device configuration already includes a branch office VPN gateway that uses main mode, and a remote gateway with a dynamic IP address. When you activate Mobile VPN with L2TP, the IPSec settings in the L2TP configuration are enabled by default. If IPSec cannot be enabled because of an existing branch office VPN configuration, a warning message appears when you activate Mobile VPN with L2TP. You can choose to enable L2TP without IPSec, though that is less secure and is not recommended.
Edit the Virtual IP Address Pool
On the Network tab, the Virtual IP Address Pool shows the internal IP addresses that are used by Mobile VPN with L2TP users over the tunnel. The XTM device uses these addresses only when they are needed. The virtual IP address pool must contain at least two IP addresses.
For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.
To add to the virtual IP address pool:
1. In the Virtual IP Address Pool section, click Add.
2. From the Choose Type drop-down list, select one of these options:
- Host to add a single IPv4 address
- Network to add an IPv4 network address
- Host Range to add a range of IPv4 addresses
3. Type the host IP address, network IP address, or IP address range to add.
4. Click OK.
To remove an IP address or address range from the virtual IP address pool:
1. Select the IP address entry you want to remove.
2. Click Remove.
Edit Network Settings
On the Network tab in the Mobile VPN with L2TP Configuration dialog box there are several network settings you can configure. The default values are best for most L2TP configurations. We recommend that you do not change these values unless you are sure the change corrects a known problem.
The settings you can configure are:
Keep Alive Timeout
This specifies how often the XTM device sends the L2TP "Hello" message. The default value is 60 seconds.
Retransmission Timeout
This specifies how long the XTM device waits for a message acknowledgement. A message is retransmitted if the XTM device does not receive an acknowledgement in this time frame. The default value is 5 seconds.
Maximum Retries
This specifies the maximum number of times the XTM device retransmits a message. If the maximum retries is exceeded, the XTM device closes the connection. The default value is 5.
Maximum Transmission Unit (MTU)
This specifies the maximum packet size to receive in the PPP session through the L2TP tunnel. The default value is 1400 bytes.
Maximum Receive Unit (MRU)
This specifies the maximum packet size to send in the PPP session through the L2TP tunnel. The default value is 1400 bytes.
Edit Authentication Settings
On the Authentication tab you can configure authentication servers, and the authorized users and groups.
Configure Authentication Servers
To select the authentication servers to use:
1. In the Mobile VPN with L2TP page, select the Authentication tab.
2. In the Authentication Server Settings section, select the check box for each authentication server you want to use for Mobile VPN with L2TP user authentication. You can use the internal XTM device database (Firebox-DB) or a RADIUS server if you have configured one.
For more information about user authentication methods for L2TP, see About L2TP User Authentication.
3. If you selected more than one authentication server, select the server you want to be the default server. Click Make Default to move that server to the top of the list.
If you select more than one authentication server, users who use the non-default authentication server must specify the authentication server or domain as part of the user name. For more information and examples, see Connect from an L2TP VPN Client.
Configure Users and Groups
If you use Firebox-DB for authentication you must use the L2TP-Users group that is created by default. You can add the names of other groups and users that use Mobile VPN with L2TP. For each group or user you add, you can select the authentication server where the group exists, or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case sensitive and must exactly match the name on your authentication server.
To configure the users and groups to authenticate with Mobile VPN with L2TP:
1. In the Authentication Users and Groups section, click Add.
The Add Authentication User or Group text box appears.
2. Set the Type to Group or User.
3. In the Name text box, type the name of the group or user.
4. From the Authentication Server drop-down list, select the authentication server where the user or group exists. Or, select All if the group can be used with all selected authentication servers.
5. Click OK.
For more information about user authentication methods for L2TP, see About L2TP User Authentication.
When you add a user or group and select Firebox-DB as the authentication server, this does not automatically add the user or group to Firebox-DB. Make sure any users or groups you add that use Firebox-DB authentication are also configured in the Firebox authentication settings. For more information, see Configure Your XTM Device as an Authentication Server.
Edit L2TP IPSec Settings
Mobile VPN with L2TP can operate with or without IPSec enabled. L2TP with IPSec provides strong encryption and authentication. L2TP without IPSec does not provide strong encryption and authentication. We recommend that you do not disable IPSec in the Mobile VPN with L2TP configuration.
When you enable Mobile VPN with L2TP, IPSec is enabled by default. The only IPSec setting you must configure is the credential method for authentication. The other IPSec Phase 1 settings are set to default values. The default Phase 1 and Phase 2 IPSec settings for Mobile VPN with L2TP are similar to the default Phase 1 and Phase 2 settings in a branch office VPN. You can change them to match the IPSec settings of the L2TP clients you use. The IPSec settings on the L2TP clients must match the settings in the Mobile VPN with L2TP configuration.
Enable or Disable IPSec
1. In the Mobile VPN with L2TP page, select the IPSec tab.
2. To disable IPSec for L2TP, clear the Enable IPSec check box. Or, to enable IPSec for L2TP, select the Enable IPSec check box.
Configure IPSec Phase 1 Settings
When IPSec is enabled, you must configure the tunnel authentication method in the IPSec Phase 1 settings. You configure the tunnel authentication method in the WatchGuard L2TP Setup Wizard, or you can do it on the IPSec tab.
To configure the IPSec tunnel authentication method:
1. In the Mobile VPN with L2TP page, select the IPSec tab.
2. Select the Phase 1 Settings tab.
3. Select an option for IPSec tunnel authentication. There are two options:
Use Pre-Shared Key
Type the shared key. You must use the same pre-shared key in the IPSec settings on the L2TP clients.
Use IPSec Firebox Certificate
Select the certificate to use from the table. You must have already imported a certificate to the XTM device to use this option.
For more information about IPSec certificates, see Certificates for Mobile VPN with L2TP Tunnel Authentication.
If you want to generate a configuration for the WatchGuard Mobile VPN app for iOS, you must select Use Pre-Shared Key. For more information, see Configure Mobile VPN with L2TP for Use with iOS Devices.
The default L2TP IPSec configuration contains one default transform set, which appears in the Transform Settings list. This transform specifies SHA-1 authentication, 3DES encryption, and Diffie-Hellman Group 2.
You can:
- Use this default transform set.
- Remove this transform set and replace it with a new one.
- Add additional transforms, as explained in Add an L2TP IPSec Phase 1 Transform.
In the Advanced section, you can configure settings for NAT Traversal and Dead Peer Detection.
For more information about advanced Phase 1 settings, see Configure L2TP IPSec Phase 1 Advanced Settings.
Configure IPSec Phase 2 Settings
IPSec phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the XTM device to know what it should do with the traffic between the endpoints. Parameters in the SA can include:
- Encryption and authentication algorithms used.
- Lifetime of the SA (in seconds or number of bytes, or both).
- The IP address of the device for which the SA is established (the device that handles IPSec encryption and decryption on the other side of the VPN, not the computer behind it that sends or receives traffic).
- Source and destination IP addresses of traffic to which the SA applies.
- Direction of traffic to which the SA applies (there is one SA for each direction of traffic, incoming and outgoing).
To configure Phase 2 settings:
1. In the Mobile VPN with L2TP page, select the IPSec tab.
2. Select the Phase 2 Settings tab.
3. Select the Enable Perfect Forward Secrecy check box if you want to enable Perfect Forward Secrecy (PFS).
Perfect Forward Secrecy gives more protection to keys that are created in a session. Keys made with PFS are not made from a previous key. If a previous key is compromised after a session, your new session keys are secure.
PFS is disabled by default, because many L2TP clients do not support it. Make sure your L2TP clients enable PFS before you enable it in your Mobile VPN with L2TP configuration.
4. If you enable PFS, select the Diffie-Hellman group.
For more information about Diffie-Hellman groups, see About Diffie-Hellman Groups on page 1032.
5. Configure Phase 2 Proposals. The L2TP IPSec configuration contains two default IPSec Phase 2 proposals, which appear in the IPSec Proposals list. You can:
- Use the default proposals.
- Remove the default proposals and add new ones.
- Add additional proposals, as explained in Add an L2TP IPSec Phase 2 Proposal.
When you activate Mobile VPN with L2TP, Policy Manager automatically creates two policies to allow the traffic. For more information, see About L2TP Policies.
Configure Mobile Clients
After you configure Mobile VPN with L2TP, you can generate the mobile app configuration file to use with the WatchGuard Mobile VPN app for iOS devices. You do this on the Mobile Clients tab. For more information, see Generate and Distribute the L2TP Mobile Client Profile.
Add an L2TP IPSec Phase 1 Transform
You can define a tunnel to offer a peer more than one transform set for negotiation. For example, one transform set might include SHA1-DES-DF1 ([authentication method]-[encryption method]-[key group]) and a second transform might include MD5-3DES-DF2, with the SHA1-DES-DF1 transform as the higher priority transform set. When the tunnel is created, the XTM device can use either SHA1-DES-DF1 or MD5-3DES-DF2 to match the transform set of the other VPN endpoint.
You can include a maximum of nine transform sets.
1. On the Mobile VPN with L2TP page, click Configure.
2. Select the IPSec tab.
3. Select the Phase 1 Settings tab.
4. In the Transform Settings section, click Add.
The Transform Settings dialog box appears.
5. From the Authentication drop-down list, select MD5, SHA1, SHA2-256, SHA2-384, or SHA2-512 as the authentication method.
SHA2 is not supported on XTM 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices. The hardware cryptographic acceleration in those models does not support SHA2.
6. From the Encryption drop-down list, select AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES as the type of encryption.
7. To change the SA (security association) life, type a number in the SA Life text box, and select Hour or Minute from the adjacent drop-down list. The SA life must be a number smaller than 596,523 hours or 35,791,394 minutes.
8. From the Key Group drop-down list, select a Diffie-Hellman group. Fireware XTM supports groups 1, 2, and 5.
Diffie-Hellman groups determine the strength of the master key used in the key exchange process. A higher group number provides greater security, but more time is required to make the keys. For more information, see About Diffie-Hellman Groups on page 1032.
9. Click OK.
10. Repeat Steps 3–7 to add more transforms. The transform set at the top of the list is used first.
11. To change the priority of a transform set, select the transform set and click Up or Down.
12. Click Save.
Configure L2TP IPSec Phase 1 Advanced Settings
To change advanced IPSec Phase 1 settings in the Mobile VPN with L2TP configuration:
1. Select VPN > Mobile VPN with L2TP.
2. Click Configure.
The Mobile VPN with L2TP page appears.
3. Select the IPSec tab.
4. Select the Phase 1 Settings tab.
5. In the Advanced section, configure the advanced settings.
NAT Traversal
• If you want to build a VPN tunnel between the XTM device and L2TP VPN clients that are
behind a NAT device, select the NAT Traversal check box. NAT Traversal, or UDP
Encapsulation, enables traffic to get to the correct destinations.
• In the Keep-alive interval text box, type or select the number of seconds that pass before
the next NAT keep-alive message is sent.
Dead Peer Detection (RFC 3706)
• Use the Dead Peer Detection check box to enable or disable traffic-based dead peer
detection. When you enable dead peer detection, the XTM device connects to a peer only if
no traffic is received from the peer for a specified length of time and a packet is waiting to
be sent to the peer. This method is more scalable than IKE keep-alive messages.
• In the Traffic idle timeout text box, type or select the amount of time (in seconds) that
passes before the XTM device tries to connect to the peer.
• In the Max retries text box, type or select the number of times the XTM device tries to
connect before the peer is declared dead.
Dead Peer Detection is an industry standard that is used by most VPN clients that support
IPSec. We recommend that you select Dead Peer Detection if your L2TP VPN clients
support it.
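The traffic-based DPD behaviour described above, modelled as an added Python example (illustration code, not Fireware's implementation). The idle timeout and retry values, the rule that a second probe is not sent while one is outstanding for less than the idle timeout, and the event timeline are assumptions constructed for the example.

```python
"""Traffic-based Dead Peer Detection (RFC 3706) as the settings above describe it.

Added illustration, not Fireware code. Assumptions: a probe is sent only when the
peer has been silent for the traffic idle timeout AND a packet is waiting; a second
probe is not sent while one is outstanding for less than the idle timeout; after
`max_retries` unanswered probes the peer is declared dead.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DeadPeerDetector:
    traffic_idle_timeout: int = 20   # seconds of silence before a probe (constructed value)
    max_retries: int = 5             # unanswered probes before the peer is dead
    last_rx: float = 0.0             # time of the last packet received from the peer
    last_probe: float = 0.0          # time of the last DPD probe sent
    pending_probes: int = 0          # probes sent since the last inbound packet
    dead: bool = False

    def received(self, now: float) -> None:
        """Any inbound packet (data or a probe reply) proves the peer is alive."""
        if self.dead:
            return            # the SA is gone; the peer must renegotiate, not resume
        self.last_rx = now
        self.pending_probes = 0

    def want_to_send(self, now: float) -> str:
        """Called when a packet is waiting for the peer; returns the action taken."""
        if self.dead:
            return "drop: peer declared dead"
        if now - self.last_rx < self.traffic_idle_timeout:
            return "send"      # recent inbound traffic is proof of liveness, no probe
        if self.pending_probes and now - self.last_probe < self.traffic_idle_timeout:
            return "queued: probe outstanding"
        if self.pending_probes >= self.max_retries:
            self.dead = True   # every allowed probe went unanswered
            return "dead"
        self.pending_probes += 1
        self.last_probe = now
        return f"probe {self.pending_probes}/{self.max_retries}"


def simulate(events: List[Tuple[float, str]], idle: int, retries: int):
    """Replay (time, 'rx'|'tx') events; return the actions and the final dead flag."""
    dpd = DeadPeerDetector(traffic_idle_timeout=idle, max_retries=retries)
    actions = []
    for t, kind in events:
        if kind == "rx":
            dpd.received(t)
            actions.append((t, "rx"))
        else:
            actions.append((t, dpd.want_to_send(t)))
    return actions, dpd.dead


# Constructed timeline: the peer answers once, then goes silent for good.
TIMELINE = [(0, "rx"), (5, "tx"), (25, "tx"), (30, "tx"), (46, "tx"), (50, "rx"),
            (55, "tx"), (80, "tx"), (100, "tx"), (120, "tx"), (140, "tx"), (141, "tx")]

if __name__ == "__main__":
    for t, action in simulate(TIMELINE, idle=20, retries=3)[0]:
        print(f"t={t:>4}s  {action}")
```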
Add an L2TP IPSec Phase 2 Proposal
You can configure Mobile VPN with L2TP to offer an L2TP client more than one proposal for Phase 2 of
the IKE negotiation. For example, you could specify ESP-3DES-SHA1 in one proposal and ESP-DES-MD5
for a second proposal. When traffic passes through the VPN tunnel, the security association can use
either ESP-3DES-SHA1 or ESP-DES-MD5 to match the transform settings on the L2TP client.
You can include a maximum of eight proposals.
To add a new IPSec Phase 2 proposal for Mobile VPN with L2TP:
1. Select VPN > Mobile VPN with L2TP.
2. Click Configure.
3. Select the IPSec tab.
4. Select the Phase 2 Settings tab.
Add an Existing Phase 2 Proposal
There are six preconfigured proposals. The names follow the format <Type>-<Authentication>-
<Encryption>. For all six, Force Key Expiration is configured for 8 hours or 128000 kilobytes.
To use one of the six preconfigured proposals or another Phase 2 proposal you have previously
created:
1. In the IPSec Proposals section, select an existing proposal from the drop-down list.
2. Click Add.
The list of existing proposals shows only proposals that use the ESP proposal method. Mobile VPN
with L2TP does not support the AH proposal method.
Create a New Phase 2 Proposal
The IPSec Phase 2 proposals used for Mobile VPN with L2TP are the same ones that can be used
when you configure a branch office VPN. To create a new Phase 2 proposal, you must add it on the
Branch Office VPN page.
To create a new Phase 2 proposal:
1. Select VPN > Phase2 Proposals.
2. Click Add.
The Phase 2 Proposal page appears.
3. Configure the Phase 2 proposal settings as described in Add a Phase 2 Proposal.
After you add the Phase 2 proposal, you can add it to the L2TP configuration as described in the
previous procedure.
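The constraints stated in this section and in Add an L2TP IPSec Phase 1 Transform (the option sets, the nine and eight entry limits, the SA life bounds, the models without SHA2, ESP only) together with the priority-ordered transform matching, as an added Python example rather than Fireware code. The AES token names accepted in Phase 2 proposal names are an assumption.

```python
"""Checks on the Phase 1 transform sets and Phase 2 proposals described above.

Added illustration, not Fireware code: option names, limits and the list of models
without SHA2 support come from the guide text; the AES token names accepted in
Phase 2 proposal names are an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PHASE1_AUTH = {"MD5", "SHA1", "SHA2-256", "SHA2-384", "SHA2-512"}
PHASE1_ENC = {"AES (128-bit)", "AES (192-bit)", "AES (256-bit)", "DES", "3DES"}
DH_GROUPS = {1, 2, 5}                 # Fireware XTM supports groups 1, 2 and 5
MAX_TRANSFORMS = 9
MAX_PROPOSALS = 8
SA_LIFE_LIMIT = {"Hour": 596_523, "Minute": 35_791_394}   # SA life must be below these
NO_SHA2_MODELS = {"510", "520", "530", "515", "525", "535", "545",
                  "810", "820", "830", "1050", "2050"}
P2_AUTH_TOKENS = {"MD5", "SHA1", "SHA2-256", "SHA2-384", "SHA2-512"}
P2_ENC_TOKENS = {"DES", "3DES", "AES128", "AES192", "AES256"}   # AES names assumed


@dataclass(frozen=True)
class Transform:
    """One Phase 1 transform set: [authentication]-[encryption]-[key group]."""
    auth: str
    enc: str
    dh_group: int
    sa_life: int = 8
    sa_unit: str = "Hour"

    def key(self) -> Tuple[str, str, int]:
        return (self.auth, self.enc, self.dh_group)


def sha2_supported(model: str) -> bool:
    """The hardware crypto acceleration in the listed models cannot do SHA2."""
    return model not in NO_SHA2_MODELS


def check_phase1(transforms: List[Transform], model: str) -> List[str]:
    """Return the problems with a Phase 1 transform list (empty means acceptable)."""
    problems = []
    if len(transforms) > MAX_TRANSFORMS:
        problems.append(f"more than {MAX_TRANSFORMS} transform sets")
    for i, t in enumerate(transforms, 1):
        if t.auth not in PHASE1_AUTH:
            problems.append(f"#{i}: unknown authentication {t.auth!r}")
        elif t.auth.startswith("SHA2") and not sha2_supported(model):
            problems.append(f"#{i}: {t.auth} is not supported on XTM {model}")
        if t.enc not in PHASE1_ENC:
            problems.append(f"#{i}: unknown encryption {t.enc!r}")
        if t.dh_group not in DH_GROUPS:
            problems.append(f"#{i}: Diffie-Hellman group {t.dh_group} not supported")
        limit = SA_LIFE_LIMIT.get(t.sa_unit)
        if limit is None or not 0 < t.sa_life < limit:
            problems.append(f"#{i}: SA life {t.sa_life} {t.sa_unit} out of range")
    return problems


def negotiate_phase1(local: List[Transform], peer: List[Transform]) -> Optional[Transform]:
    """The set at the top of the local list is tried first; the first one the
    peer also offers is used, so local order is the priority order."""
    offered = {p.key() for p in peer}
    for t in local:
        if t.key() in offered:
            return t
    return None


def parse_phase2_name(name: str) -> Tuple[str, str, str]:
    """Split ESP-3DES-SHA1 into (type, auth, enc). The guide's examples list the
    encryption before the authentication, so either order is accepted; AH is
    rejected because Mobile VPN with L2TP supports only ESP."""
    ptype, sep, rest = name.partition("-")
    if ptype == "AH":
        raise ValueError(f"{name}: Mobile VPN with L2TP does not support the AH method")
    if ptype != "ESP" or not sep:
        raise ValueError(f"{name}: proposal name must start with ESP-")
    for auth in P2_AUTH_TOKENS:
        for enc in P2_ENC_TOKENS:
            if rest in (f"{auth}-{enc}", f"{enc}-{auth}"):
                return (ptype, auth, enc)
    raise ValueError(f"{name}: unrecognised algorithm pair {rest!r}")


def check_phase2(names: List[str]) -> List[str]:
    """Return the problems with a Phase 2 proposal list (empty means acceptable)."""
    problems = []
    if len(names) > MAX_PROPOSALS:
        problems.append(f"more than {MAX_PROPOSALS} proposals")
    for n in names:
        try:
            parse_phase2_name(n)
        except ValueError as exc:
            problems.append(str(exc))
    return problems
```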
About L2TP Policies
When you activate Mobile VPN with L2TP, Policy Manager automatically creates two policies:
WatchGuard L2TP
This L2TP policy allows L2TP traffic to the XTM device.
Allow L2TP-Users
This policy allows the groups and users you configured for L2TP authentication
to get access to resources on your network. By default, this policy allows access to all network
resources. You can edit this policy to change the allowed resources.
The single group name L2TP-Users appears in the From list of the Allow L2TP-Users policy. Even
though any other group and user names you added to the Mobile VPN with L2TP configuration do not
appear in the From list, this policy does apply to all users and groups in the L2TP configuration.
Configure WINS and DNS Servers
Mobile VPN clients use shared Windows Internet Name Server (WINS) and Domain Name System
(DNS) server addresses. DNS translates host names into IP addresses, while WINS resolves
NetBIOS names to IP addresses. These servers must be accessible from the XTM device trusted
interface. Make sure you use only an internal DNS server.
In the network configuration, you can specify the WINS and DNS servers to use.
Although you can add up to three DNS servers, the mobile VPN clients use only the
first two in the list.
Changes to the global WINS/DNS settings do not apply to L2TP until you reboot the
XTM device.
1. Select Network > Interfaces.
The Interfaces configuration page appears.
2. (Optional) In the Domain Name text box, type a domain name that a DHCP client appends to
unqualified host names.
3. In the DNS Server or WINS Server text box, type the primary and secondary address for each
DNS or WINS server.
4. Click Add.
5. (Optional) Repeat Steps 2–3 to specify up to three DNS servers.
6. Click Save.
Configure Client Devices for Mobile VPN with L2TP
Before you can use your client computers or mobile devices as Mobile VPN with L2TP remote clients,
you must configure and establish the L2TP connection on each client device. Many client operating
systems include a native L2TP client. The steps to configure an L2TP connection are different for each
client operating system.
For more information, see:
• Configure and Use L2TP on Windows 8
• Configure and Use L2TP on Windows 7
• Configure and Use L2TP on Windows XP
• Configure and Use L2TP on Mac OS X
• Configure and Use L2TP on Android
For an iOS device, such as an iPhone or iPad, you have two configuration options:
• Import the L2TP Configuration to the iOS VPN Client
• Manually Configure L2TP on an iOS Device
If the instructions for your client operating system are not included here, see the documentation for
your operating system for information about how to configure an L2TP VPN connection. For any
L2TP VPN client, make sure the settings in the VPN client match the settings you configured on the
XTM device.
Configure and Use L2TP on Windows 8
You can use the Windows 8 VPN client to make an L2TP VPN connection to a WatchGuard XTM
device.
Configure the L2TP Connection
To prepare a Windows 8 computer to make an L2TP VPN connection, you must configure the
L2TP connection in the network settings.
The exact steps could be slightly different, depending on your Control Panel view
and your existing configuration.
1. In the Windows 8 Start page, type control panel. Click Control Panel in the search results.
2. In Control Panel, click Network and Internet.
3. In the right pane, click Network and Sharing Center.
The Network and Sharing Center appears.
4. Select Set up a new connection or network.
The New Connection Wizard starts.
5. Click Connect to a workplace and click Next.
The Connect to a workplace page appears.
6. If your computer has an existing workplace connection, select No, create a new connection
and click Next.
The How do you want to connect page appears.
7. Click Use my Internet connection (VPN).
The Type the Internet address to connect to page appears.
8. In the Internet address text box, type the hostname or IP address of the XTM device external
interface.
9. In the Destination name text box, type a name for the Mobile VPN (such as "L2TP to XTM").
10. Click Create.
The new connection is added to the Connections list.
11. In the Connections list, right-click the connection name.
12. Select View Connection Properties.
13. The General tab contains the hostname or IP address you provided in the New Connection
Wizard. You do not need to change anything on this tab unless the IP address of your XTM
device changes.
14. Select the Options tab.
15. (Optional) If you do not want the Connect dialog box to provide a text box where the user can
type a domain name, clear the Windows logon domain check box.
When this check box is cleared, the Connect dialog box asks only for a user name and password.
16. (Optional) To enable software compression, click PPP Settings. Select the Enable software
compression check box.
17. Select the Security tab.
18. From the Type of VPN drop-down list, select Layer 2 Tunneling Protocol with IPsec
(L2TP/IPSec).
19. From the Data encryption drop-down list, select Require encryption.
20. Select Microsoft CHAP Version 2 as the only allowed protocol.
21. Click Advanced settings.
The Advanced Properties dialog box appears.
22. If Mobile VPN with L2TP on the XTM device is configured to use a pre-shared key as the IPSec
credential method:
• Select Use pre-shared key for authentication.
• In the Key text box, type the pre-shared key for this tunnel. The pre-shared key must match
the pre-shared key configured in the XTM device Mobile VPN with L2TP IPSec settings.
23. If Mobile VPN with L2TP on the XTM device is configured to use a certificate as the IPSec
credential method:
• Select Use certificate for authentication.
• Make sure the Verify the Name and Usage attributes of the server's certificate check
box is selected.
• Make sure you have imported the certificate to the client device. For more information, see
Import a Certificate on a Client Device.
24. Click OK.
25. Do not change the default settings on the Networking tab.
26. Click OK.
Start the L2TP Connection
The name of the VPN connection is the destination name you used when you configured the L2TP
connection on the client computer. The user name and password refer to one of the users you added
to the L2TP-Users group. For more information, see About L2TP User Authentication.
Before you begin, make sure the client computer has an active connection to the Internet.
1. From the Windows 8 Start page, move the mouse to the lower right corner of the screen to see
the charm menu.
2. Select Settings.
3. Select Network.
The Connections list appears.
4. In the Connections list, select the name of the VPN connection you created. Click Connect.
The Connect page appears.
5. Type your user name and password.
6. Click OK.
For information about how to specify the non-default authentication server when you connect, see
Connect from an L2TP VPN Client.
Configure and Use L2TP on Windows 7
Windows 7 includes a native VPN client. You can use the Windows 7 VPN client to make an L2TP VPN
connection to a WatchGuard XTM device.
Configure the L2TP Connection
To prepare a Windows 7 computer to make an L2TP VPN connection, you must configure the
L2TP connection in the network settings.
The exact steps could be slightly different, depending on your Control Panel view
and your existing configuration.
From the Windows Desktop of the client computer:
1. From the Windows Start menu, open Control Panel.
2. Click Network and Internet.
3. In the right pane, click Network and Sharing Center.
The Network and Sharing Center appears.
4. Select Set up a new connection or network.
The New Connection Wizard starts.
5. Click Connect to a workplace and click Next.
The Connect to a workplace page appears.
6. If your computer has an existing workplace connection, select No, create a new connection
and click Next.
The How do you want to connect page appears.
7. Click Use my Internet connection (VPN).
The Type the Internet address to connect to page appears.
8. In the Internet address text box, type the hostname or IP address of the XTM device external
interface.
9. In the Destination name text box, type a name for the Mobile VPN (such as "L2TP to XTM").
10. Select whether you want other people to be able to use this connection.
11. Select the Don't connect now; just set it up so I can connect later check box so that the
client computer does not try to connect at this time.
12. Click Next.
The Type your user name and password page appears.
13. Type the User name and Password for this client.
14. Click Create.
15. Click Close.
16. Click Connect to a Network.
A list of the configured VPN connections appears.
17. Select the name of the VPN connection you just created. Click Connect.
The Connect dialog box appears.
18. Click Properties to edit other properties for this connection.
The Properties dialog box appears.
19. The General tab contains the hostname or IP address you provided in the New Connection
Wizard. You do not need to change anything on this tab unless the IP address of your XTM
device changes.
20. Select the Options tab.
21. (Optional) If you do not want the Connect dialog box to provide a text box where the user can
type a domain name, clear the Windows logon domain check box.
When this check box is cleared, the Connect dialog box asks only for a user name and password.
22. (Optional) To enable software compression, click PPP Settings. Select the Enable software
compression check box.
23. Select the Security tab.
24. From the Type of VPN drop-down list, select Layer 2 Tunneling Protocol with IPsec
(L2TP/IPSec).
25. From the Data encryption drop-down list, select Require encryption.
26. Select Microsoft CHAP Version 2 as the only allowed protocol.
27. Click Advanced settings.
The Advanced Properties dialog box appears.
28. If Mobile VPN with L2TP on the XTM device is configured to use a pre-shared key as the IPSec
credential method:
• Select Use pre-shared key for authentication.
• In the Key text box, type the pre-shared key for this tunnel. The pre-shared key must match
the pre-shared key configured in the XTM device Mobile VPN with L2TP IPSec settings.
29. If Mobile VPN with L2TP on the XTM device is configured to use a certificate as the IPSec
credential method:
• Select Use certificate for authentication.
• Make sure the Verify the Name and Usage attributes of the server's certificate check
box is selected.
• Make sure you have imported the certificate to the client device. For more information, see
Import a Certificate on a Client Device.
30. Click OK.
31. Do not change the default settings on the Networking tab.
32. Click OK.
Start the L2TP Connection
The name of the VPN connection is the destination name you used when you configured the L2TP
connection on the client computer. The user name and password refer to one of the users you added
to the L2TP-Users group. For more information, see About L2TP User Authentication.
Before you begin, make sure the client computer has an active connection to the Internet.
1. From the Windows Start menu, open Control Panel.
2. Click Network and Internet.
3. In the right pane, click Network and Sharing Center.
The Network and Sharing Center appears.
4. Select Connect to a network.
A list of configured network connections appears.
5. In the connection list, select the name of this VPN connection. Click Connect.
6. Type your user name and password.
7. Click Connect.
For information about how to specify the non-default authentication server when you connect, see
Connect from an L2TP VPN Client.
Configure and Use L2TP on Windows XP
Windows XP includes a native VPN client. You can use the Windows XP VPN client to make an L2TP
VPN connection to a WatchGuard XTM device.
Configure the L2TP Connection
To prepare a Windows XP computer to make an L2TP VPN connection, you must configure the
L2TP connection in the network settings.
The exact steps could be slightly different, depending on your Control Panel view
and your existing configuration.
From the Windows Desktop of the client computer:
1. From the Windows Start menu, select Control Panel > Network Connections.
2. Select Create a new connection.
Or, click New Connection Wizard in Windows Classic view.
The New Connection Wizard appears.
3. Click Next.
4. Select Connect to the network at my workplace and click Next.
5. Select Virtual Private Network connection and click Next.
6. Type a name for the new connection (such as "L2TP Mobile VPN") and click Next.
The VPN Server Selection page appears.
7. Type the host name or IP address of the XTM device external interface and click Next.
The Completion screen appears.
8. Select Add a shortcut to this connection to my desktop if you want to create a shortcut on
your desktop.
9. Click Finish.
The Connect dialog box appears.
10. Click Properties to edit other properties for this connection.
The Properties dialog box appears.
11. The General tab contains the IP address you provided in the New Connection Wizard. You do
not need to change anything on this tab unless the IP address of your XTM device changes.
12. Select the Options tab.
13. (Optional) If you want the Connect dialog box to provide a text box where the user can type a
domain name, select the Windows logon domain check box.
When this check box is selected, the Connect dialog box asks for a domain name as well as a user
name and password.
14. Select the Security tab.
15. Select Advanced (custom settings). Click Settings.
16. In the Data encryption drop-down list, select Require encryption.
17. Select Microsoft CHAP Version 2 as the only allowed protocol.
18. Click OK to save the advanced security settings.
19. In the Security tab, click IPSec Settings.
20. Select the Use pre-shared key for authentication check box.
21. In the Key text box, type the pre-shared key for this tunnel. The pre-shared key must match the
pre-shared key configured in the XTM device Mobile VPN with L2TP IPSec settings.
22. Click OK.
23. Select the Networking tab.
24. From the Type of VPN drop-down list, select L2TP IPSec VPN.
25. Do not change the default PPP settings or TCP/IP properties.
Start the L2TP Connection
The name of the VPN connection is the destination name you used when you configured the L2TP
connection on the client computer. The user name and password refer to one of the users you added
to the L2TP-Users group. For more information, see About L2TP User Authentication.
Make sure the client computer has an active connection to the Internet before you begin.
1. Double-click the shortcut to the new connection on your desktop.
Or, select Control Panel > Network Connections and select the new connection from the
Virtual Private Network list.
2. Type the user name and passphrase for the connection.
3. Click Connect.
For information about how to specify the non-default authentication server when you connect, see
Connect from an L2TP VPN Client.
Configure and Use L2TP on Mac OS X
Mac OS X includes a native VPN client. You can use the Mac OS X VPN client to make an L2TP VPN
connection to a WatchGuard XTM device.
Configure the L2TP Network Settings
To prepare a Mac OS X device to make an L2TP VPN connection, you must configure the
L2TP connection in the network settings.
1. In the Apple menu, select System Preferences.
2. Click the Network icon.
3. Click the "+" icon in the lower left corner to create a new network interface.
4. In the Interface drop-down list, select VPN.
5. From the VPN Type drop-down list, select L2TP over IPSec.
6. In the Service Name text box, type a name for this VPN connection, such as "L2TP XTM".
7. Click Create.
The settings for the VPN connection appear.
You can use the default configuration, or you can create your own configuration. These steps
use the default configuration.
8. In the Server Address text box, type the external IP address of the XTM device to connect to.
9. In the Account Name text box, type your user name as it appears in the authentication server
that you use for Mobile VPN with L2TP user authentication.
10. Click Authentication Settings.
11. In the Password text box, type the password of the user.
12. If Mobile VPN with L2TP on the XTM device is configured to use a pre-shared key as the IPSec
credential method:
• Select Shared Secret.
• In the Shared Secret text box, type the pre-shared key for this tunnel. The pre-shared key
must match the pre-shared key configured in the XTM device Mobile VPN with L2TP IPSec
settings.
13. If Mobile VPN with L2TP on the XTM device is configured to use a certificate as the IPSec
credential method:
• Select Certificate.
• Click Select to select the certificate to use.
• Make sure you have imported the certificate to the client device. For more information, see
Import a Certificate on a Client Device.
14. Click Apply to save the configuration changes.
Start the L2TP Connection
The name of the VPN connection is the service name you used when you configured the L2TP
connection on the client computer. The user name and password refer to one of the users you added
to the L2TP-Users group. For more information, see About L2TP User Authentication.
To start the L2TP connection:
1. In the Apple menu, select System Preferences.
2. Click the Network icon.
3. Select the VPN connection you created in the Network dialog box.
4. Click Connect.
After the VPN connection is started, the Connect button changes to Disconnect.
If you want to connect to the non-default authentication server, specify the authentication server in the
Account Name text box. For more information, see Connect from an L2TP VPN Client.
Configure and Use L2TP on Android
Mobile devices that run Android version 4.x and later include a VPN client. You can use the Android
VPN client to make an L2TP VPN connection to a WatchGuard XTM device.
Configure the L2TP Network Settings
1. On the Settings page, in the Wireless & Networks section, select More > VPN.
2. Click Add VPN Network.
The Edit VPN network page appears.
3. In the Name text box, type a name for this VPN connection, such as "L2TP XTM".
4. If Mobile VPN with L2TP on the XTM device is configured to use a pre-shared key as the IPSec
credential method:
• In the Type drop-down list, select L2TP/IPSec PSK.
• In the IPSec pre-shared key text box, type the pre-shared key for this tunnel. The
pre-shared key must match the pre-shared key configured in the XTM device Mobile VPN with
L2TP IPSec settings.
5. If Mobile VPN with L2TP on the XTM device is configured to use a certificate as the IPSec
credential method:
• In the Type drop-down list, select L2TP/IPSec RSA.
• Make sure the certificate is imported to your Android device.
6. In the Server Address text box, type the external IP address of the XTM device to connect to.
7. Save the connection.
Start the L2TP Connection
To start the VPN connection:
1. Select the L2TP VPN connection you configured.
2. Type the Username and Password.
3. Click Connect.
About L2TP Connections from an iOS Device
Apple iOS devices include a native Cisco VPN client. You can use this client to make an L2TP VPN
connection to an XTM device. The easiest way to configure an iOS device to use Mobile VPN with
L2TP is to use the WatchGuard Mobile VPN app for iOS. This free app allows users to quickly import
the connection settings from a WatchGuard L2TP mobile client profile to the native VPN client on the
iOS device.
The WatchGuard Mobile VPN app for iOS requires:
• iPhone, iPad, or iPad with Retina display
• iOS version 5.x or 6.x
To set up Mobile VPN with L2TP for connections from an iOS device, you must complete these steps:
• Configure Mobile VPN with L2TP for Use with iOS Devices
• Generate and Distribute the L2TP Mobile Client Profile
• Import the L2TP Configuration to the iOS VPN Client
If you would rather manually configure the native iOS VPN client, see Manually Configure L2TP on an
iOS Device.
Configure Mobile VPN with L2TP for Use with iOS Devices
Use the WatchGuard L2TP Setup Wizard to configure Mobile VPN with L2TP settings that are
compatible with the WatchGuard Mobile VPN app for iOS.
This procedure describes the options required for compatibility with the WatchGuard
Mobile VPN app for iOS. For a more complete description of the L2TP Setup Wizard,
see Use the WatchGuard L2TP Setup Wizard.
1. Select VPN > Mobile VPN with L2TP.
2. Click Activate.
3. Click Next.
A list of configured authentication servers appears.
4. Select the check box for each authentication server you want to use for Mobile VPN with L2TP
user authentication. You can use the internal XTM device database (Firebox-DB) or a RADIUS
server if you have configured one.
5. Click Next.
The Add authorized users and groups page appears. The L2TP-Users group is automatically
selected by default.
6. Add users and groups to authenticate with Mobile VPN with L2TP.
7. After you configure users and groups, click Next.
The Virtual IP Address Pool page appears.
8. Click Add to add at least two IP addresses to the virtual IP address pool. Click Next.
The Select the tunnel authentication method page appears.
9. In the Pre-Shared Key text box, type the shared key to use for tunnel authentication.
The WatchGuard Mobile VPN app does not support the use of certificates for authentication.
10. Click Next to complete the wizard.
Next, you must generate the Mobile VPN with L2TP profile that the WatchGuard Mobile VPN app uses
to set up the VPN connection on the native iOS VPN client. For more information, see Generate and
Distribute the L2TP Mobile Client Profile.
Generate and Distribute the L2TP Mobile Client Profile
After you activate and configure Mobile VPN with L2TP, you can generate the mobile app configuration
file to use with the WatchGuard Mobile VPN app for iOS devices. A single configuration file is used for
all users who connect from the WatchGuard VPN client app on iOS devices.
Before you generate the Mobile VPN with L2TP profile, make sure that you have configured Mobile
VPN with L2TP in a way that is compatible with the WatchGuard Mobile VPN app for iOS. For more
information, see Configure Mobile VPN with L2TP for Use with iOS Devices.
Generate the Mobile VPN with L2TP Profile
To generate the end user profile for the WatchGuard Mobile VPN app for iOS:
1. Select VPN > Mobile VPN with L2TP.
2. Click Configure.
The Mobile VPN with L2TP page appears.
3. Select the Mobile Clients tab.
4. In the IP address or domain name text box, type the IP address or domain name the
WatchGuard VPN client connects to. This is usually the external IP address of your XTM
device.
5. In the Encryption password and Confirm password text boxes, type and confirm the
password to use for encryption of the .wgm configuration file.
This is the password you must give to your iOS users so they can decrypt the file.
6. Click Save.
The main Mobile VPN with L2TP configuration page appears.
7. Click Generate.
8. Specify a file name and location to save the .wgm file.
The file name is also used as the name of the profile in the Mobile VPN app. The default name is
L2TP.wgm. Some browsers automatically save the file with the default name, and do not prompt you
to change the file name.
Send the Profile and Encryption Password
After you generate the L2TP.wgm file, you must send it to the iOS users.
1. Send the Mobile VPN with L2TP .wgm profile to the iOS users as an email attachment.
2. Use a secure method to communicate the encryption password for the profile to the iOS users.
For security reasons, we recommend that you do not send the encryption password
or the user name and password for authentication to your mobile users by email.
Because email is not secure, an unauthorized user could get the information and gain
access to your internal network. Give the user the information by telling it to the user,
or by some other method that does not allow an unauthorized person to intercept it.
The iOS mobile user must open the .wgm email file attachment on the iOS device on which the
WatchGuard Mobile VPN app is installed. When the user opens the attachment, the WatchGuard
Mobile VPN app launches. The WatchGuard Mobile VPN app requires the user to type the encryption
password before it uses the .wgm profile to create an L2TP VPN configuration in the iOS VPN client.
For detailed steps for the iOS users, see Import the L2TP Configuration to the iOS VPN Client.
Import the L2TPConfiguration to the iOSVPNClient
With the WatchGuard Mobile VPNapp for iOS, you can quickly import the connection settings froma
WatchGuard L2TPmobile client profile to the native VPN client on the iOSdevice. The L2TP profile is
stored in a file with a .wgmfile extension.
This procedure occurs after the administrator configures Mobile VPN with L2TPand generates the
.wgmprofile. For more information, see:
n Configure Mobile VPN with L2TPfor Use with iOS Devices
n Generate and Distribute the L2TPMobile Client Profile
Import the L2TP VPNsettings on the iOSdevice:
1. Install the free WatchGuard Mobile VPN app fromthe Apple App Store on the iOSdevice.
2. On the iOSdevice, open the email that contains the .wgmfile attachment.
3. Open the .wgmfile attachment.
The WatchGuard Mobile VPN app launches.
4. Type the passphrase received fromthe administrator to decrypt the file.
The WatchGuard Mobile VPN app imports the configuration and creates an L2TPVPN configuration
profile in the iOSVPN client.
Start an L2TP VPN connection fromthe iOSdevice:
1. On the iOSdevice, select Settings > General >VPN.
2. Select the L2TP VPN profile to use.
3. Turn on the VPN to start the connection.
To remove an imported VPN profile fromthe iOSdevice:
1. On the iOSdevice, select Settings >General >Profile.
2. Select the VPNprofile to remove.
3. Tap Remove.
Manually Configure L2TPon an iOS Device
Apple Mac OS X 10.6 and 10.7, and iOSdevices include a native VPNclient. You can use this client to
make an L2TP VPN connection to an XTMdevice.
The WatchGuard Mobile VPN app for iOSis the easiest way to set up an L2TPVPN connection from
iOS devices. The Mobile VPN app imports an end-user profile to the native iOS VPN client. For more
information, see About L2TP Connections froman iOSDevice.
If you do not want to install the WatchGuard Mobile VPN app on the iOSdevice, you can manually
configure the L2TP VPN connection in the native iOS VPN client.
Manually Configure L2TP VPN on an Apple iOS iPhone or iPad
The account and password refer to one of the users you added to the L2TP-Users group. For more
information, see About L2TP User Authentication.
To configure the L2TP connection:
1. Select Settings > General > Network > VPN.
2. Click Add VPN Configuration.
3. In the Description text box, type a name for the VPN connection.
4. In the Server text box, type the external IP address of the XTM device to connect to.
5. In the Account text box, type your user name as it appears in the authentication server that you
use for Mobile VPN with L2TP user authentication.
6. Set the RSA SecurID setting to OFF.
7. In the Password text box, type the password of the user.
8. In the Secret text box, type the pre-shared key for this tunnel. The pre-shared key must match
the pre-shared key configured in the XTM device Mobile VPN with L2TP IPSec settings.
9. Set the Send All Traffic setting to ON.
10. For the Proxy setting, select OFF.
Start the L2TP Connection
The name of the VPN connection is the service name you used when you configured the L2TP
connection on the client computer.
To start the L2TP connection:
1. On the iOS device, select Settings > General > VPN.
2. Select the L2TP VPN profile to use.
3. Turn on the VPN to start the connection.
Connect from an L2TP VPN Client
When you start an L2TP connection from any L2TP client, you must provide a user name and
password.
The user name and password must match the name and password of a user on the authentication
server specified in the Mobile VPN with L2TP configuration. If you enable multiple authentication
servers in the Mobile VPN with L2TP configuration on the XTM device, users who do not use the
default authentication server must specify the authentication server. The user can specify the
non-default authentication server as part of the user name, or as the Domain.
The user name must be in one of these formats:
Use the default authentication server
In the User name text box, type just the user name.
Example: j_smith
Use a non-default authentication server
In the User name text box, type <authentication server>\<user name>.
For example, if RADIUS is the non-default server: radius\j_smith
For example, if Firebox-DB is the non-default authentication server: Firebox-DB\j_smith
Alternatively, the user can type the authentication server (radius or Firebox-DB) in the Domain text
box instead of as part of the user name.
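The user name formats above can be checked on the server side before a login is forwarded to an authentication server. The following is an added example, not WatchGuard code: it resolves a login to the authentication server it names, using either the server\user form or the Domain field. The default server name (Firebox-DB), the list of enabled servers, and the precedence rule (a server named in the user name wins over the Domain field) are assumptions for illustration.

```python
# Added example (not WatchGuard code): work out which authentication server an
# L2TP client login belongs to, following the "server\user" and Domain conventions.
# The default server name, the enabled-server list and the precedence rule
# (a server in the user name wins over the Domain field) are assumptions.

DEFAULT_SERVER = "Firebox-DB"                            # assumed default server
ENABLED_SERVERS = frozenset({"Firebox-DB", "radius"})    # assumed servers enabled for L2TP


def resolve_login(user_name, domain="", default=DEFAULT_SERVER, enabled=ENABLED_SERVERS):
    """Return (authentication_server, bare_user_name) for an L2TP login.

    Raises ValueError when the user name is empty or names a server that is not
    enabled for Mobile VPN with L2TP, so the caller can fail the login cleanly.
    """
    server, sep, bare = user_name.partition("\\")
    if not sep:
        # No backslash: the whole string is the user name and Domain (if any) names the server.
        bare, server = user_name, domain.strip()
    server = server.strip() or default
    if not bare.strip():
        raise ValueError("empty user name")
    if server not in enabled:
        # Exact, case-sensitive comparison (assumption); unknown servers are rejected.
        raise ValueError(f"authentication server {server!r} is not enabled for Mobile VPN with L2TP")
    return server, bare.strip()


def login_is_valid(user_name, domain=""):
    """True when the login resolves to an enabled authentication server."""
    try:
        resolve_login(user_name, domain)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, dom in [("j_smith", ""), ("radius\\j_smith", ""),
                      ("j_smith", "radius"), ("ldap\\j_smith", "")]:
        print(f"{name!r:20} domain={dom!r:10} -> {login_is_valid(name, dom)}")
```

Rejecting a login that names a server not enabled in the Mobile VPN with L2TP configuration, rather than silently falling back to the default server, keeps a typo in the server prefix from being authenticated against the wrong user database.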
25
WebBlocker
About WebBlocker
If you give users unlimited web site access, your company can suffer lost productivity and reduced
bandwidth. Uncontrolled Internet surfing can also increase security risks and legal liability. The
WebBlocker security subscription gives you control of the web sites that are available to your users.
WebBlocker uses a database of web site addresses, which are identified by content categories. When
a user on your network tries to connect to a web site, the Firebox or XTM device examines the
WebBlocker database. If the web site is not in the database or is not blocked, the page opens. If the
web site is in the WebBlocker database and is blocked based on the content category of the site, a
notification appears and the web site is not displayed.
WebBlocker Server Options
When you configure WebBlocker, you have two options for the type of WebBlocker database the
Firebox or XTM device uses to control access to web content.
Websense cloud with Websense categories
Websense cloud is a URL categorization database with over 100 content categories, provided
by Websense.
The Websense cloud option does not use a locally installed WebBlocker Server. When you
enable WebBlocker for the first time, Websense cloud is selected by default. The Websense
cloud option is only available for devices that use Fireware XTM v11.7 and later.
The Firebox or XTM device sends URL categorization lookups to the Websense cloud over
HTTP.
If you have a WatchGuard XTM 21, 22, or 23 device, this feature is not available for
your device.
WebBlocker Server with SurfControl categories
The WebBlocker Server is a WatchGuard server that uses a URL categorization database with
54 categories, provided by SurfControl.
If you use WebBlocker with the WebBlocker Server on any device other than a Firebox T10,
XTM 2 Series, or XTM 33, you must first set up a local WebBlocker Server on your
management computer. Firebox T10, XTM 2 Series, and XTM 33 devices can use a
WebBlocker Server hosted and maintained by WatchGuard.
The Firebox or XTM device sends URL categorization lookups to the WebBlocker Server over
UDP port 5003.
The WebBlocker Server is installed as part of the WatchGuard System Manager installation. To
learn about how to set up a WebBlocker Server, see Install a Local WebBlocker Server.
WebBlocker and Policies
WebBlocker works with the HTTP and HTTPS proxy policies to control web browsing. After you
configure a WebBlocker profile, you must apply it to a user-defined HTTP or HTTPS proxy action.
WebBlocker Licensing
To configure WebBlocker, your Firebox or XTM device must have a WebBlocker service subscription.
After you activate your WebBlocker subscription, make sure to get an updated feature key to enable
the feature on your device.
For more information about feature keys, see About Feature Keys on page 61.
Install a Local WebBlocker Server
WebBlocker can use the Websense cloud or it can use a WebBlocker Server. If you want WebBlocker
to use a WebBlocker Server, your XTM device must connect to a WebBlocker Server to determine if a
web site matches a SurfControl content category.
To configure any XTM device other than an XTM 2 Series or XTM 33 to use a WebBlocker Server, you
must first install a WebBlocker Server on your local network. If you use a WebBlocker Server on an
XTM 2 Series or XTM 33 device, the XTM device connects to a WebBlocker Server maintained by
WatchGuard by default.
You can install a WebBlocker Server from the WatchGuard System Manager installer. On the
computer where you want to install the WebBlocker Server, download the WatchGuard System
Manager software. When you run the WatchGuard System Manager installer, select the WebBlocker
Server option.
For more information about how to set up a local WebBlocker Server, see the Fireware
XTM WatchGuard System Manager Help at http://www.watchguard.com/help/documentation/.
After you install a WebBlocker Server, you can configure WebBlocker profiles to use your WebBlocker
Server.
For instructions to change your WebBlocker profiles, see Get Started with WebBlocker on page 1317.
Get Started with WebBlocker
To use WebBlocker, you must define WebBlocker actions for at least one WebBlocker profile, which
specifies the type of server to use and the content categories to block. Then you can apply the
WebBlocker profile to an HTTP or HTTPS proxy policy with a user-defined proxy action.
When a user tries to visit a web site, your XTM device sends a request to the WebBlocker Server to
find out if the user can get access to that web site based on the site category. The result of this request
is saved in a cache. You can change the size of this cache to improve performance.
WebBlocker Server Options
Before you configure a WebBlocker profile, you must decide what type of server you want to use, and
install a local WebBlocker Server, if necessary.
The WebBlocker server options are:
Use the Websense cloud for WebBlocker lookups
Websense cloud is a URL categorization database provided by Websense. The Websense
cloud option has over 100 categories and does not use a locally installed WebBlocker Server.
When you create a new WebBlocker profile, this option is selected by default.
Use a WebBlocker Server with SurfControl
The WebBlocker Server is a WatchGuard server that uses a URL categorization database
provided by SurfControl. The SurfControl database has 54 categories. If you select this option
for any XTM device other than an XTM 2 Series or XTM 33, you must add the IP address of at
least one locally installed WebBlocker Server.
For information about how to set up a local WebBlocker Server, see Install a Local WebBlocker Server
on page 1316.
Create a WebBlocker Profile
1. Select Subscription Services > WebBlocker.
The WebBlocker page appears.
2. In the WebBlocker Actions section, click Add.
The Add WebBlocker Action page appears.
3. In the Profile Name text box, type a name for the WebBlocker configuration.
4. Configure the WebBlocker settings.
The WebBlocker profile page includes tabs you can use to:
• Configure WebBlocker Servers
• Change Categories to Block
• Add WebBlocker Exceptions
• Define Advanced WebBlocker Options
• Define WebBlocker Alarms
Configure the HTTP-Proxy and HTTPS-Proxy Policies
To use WebBlocker, your configuration must have an HTTP-proxy and an HTTPS-proxy that each use
a user-defined proxy action. If you do not already have these policies, you must create them.
To make sure your HTTP-proxy and the HTTPS-proxy policies use a user-defined proxy action:
1. Select Firewall > Firewall Policies.
2. Select the proxy policy you want to edit.
3. Select the Proxy Action tab.
4. Look at the Proxy Action setting.
If (predefined) appears adjacent to the Proxy Action drop-down list, the selected proxy action is not a
user-defined proxy action.
5. To add a user-defined proxy action, select the proxy action from the Proxy Action drop-down
list, or select Clone the current proxy action to create a new user-defined proxy action.
6. Click Save.
For more information about proxy actions, see About Proxy Actions.
Apply a WebBlocker Profile to HTTP and HTTPS Proxy Actions
To enable WebBlocker for an HTTP-proxy or HTTPS-proxy policy, you apply a WebBlocker profile to
the proxy action the policy uses. You can only apply a WebBlocker profile to a user-created proxy
action. For WebBlocker to block all web content that matches the configured categories, you must
enable WebBlocker in both the HTTP-proxy and HTTPS-proxy policies.
To apply a WebBlocker profile to a proxy action:
1. In the WebBlocker Policies section, select one or more HTTP or HTTPS proxy actions to
configure.
2. From the Select Action drop-down list, select the WebBlocker action to use for the selected
policies.
3. Click Save.
All proxy policies that use the HTTP and HTTPS actions use the WebBlocker profile you applied.
If you enable deep inspection in the HTTPS-proxy action, make sure that you also
enable WebBlocker in the HTTP-proxy action used for deep inspection. For more
information, see HTTPS-Proxy: Content Inspection.
Configure WebBlocker Servers
In the WebBlocker configuration, you can change the type of server that WebBlocker uses and you can
add the IP addresses of locally installed WebBlocker servers.
Select the WebBlocker Server Type
On the Servers tab in a WebBlocker profile, you can select the type of server that WebBlocker uses.
You can choose to Use the Websense cloud for WebBlocker lookups, or Use a WebBlocker
Server with SurfControl.
For more information about the WebBlocker server options, see Get Started with WebBlocker.
When you switch from the Websense cloud to a WebBlocker Server or from a WebBlocker Server to
Websense cloud, the Web UI gives you the option to automatically convert the category actions from
one server to a similar set of category actions on the other server.
If you choose to automatically convert the category selections, make sure to look at the converted
category settings to make sure that WebBlocker blocks all the categories you want to block. For more
information, see Change Categories to Block.
Add New WebBlocker Servers or Change Their Order
If you configure WebBlocker to use a locally installed WebBlocker Server, you can add up to five
WebBlocker Servers. If the XTM device cannot connect to the first server in the list, it tries to connect
to the subsequent one in the list. The first server in the list is the primary server.
For information about how to set up a local WebBlocker server, see Install a Local WebBlocker Server
on page 1316.
Add a WebBlocker Server
You can add up to five WebBlocker Servers to a WebBlocker profile.
For XTM 2 Series and XTM 33 devices, WebBlocker uses a WebBlocker Server hosted by
WatchGuard by default. If you want WebBlocker to use a locally configured WebBlocker Server, select
Locally installed WebBlocker server.
To add an entry for a local WebBlocker Server:
1. In the IP text box, type the IP address of your WebBlocker Server.
2. In the Port text box, type or select the port number. The default port number for the WebBlocker
Server is 5003.
3. To add the WebBlocker Server to the list, click Add.
Reorder or Remove WebBlocker Servers
The order of the servers in the list defines the order in which the XTM device fails over to backup
servers.
1. Select the server you want to move or change.
2. Click a button adjacent to the list.
• Click Move Up to move the selected server higher in the list.
• Click Move Down to move the selected server lower in the list.
• Click Remove to remove the selected server from the list.
Advanced Server Settings
By default, WebBlocker denies access to a web site if it cannot connect to a server within 5 seconds.
In the Advanced tab, you can change the timeout duration, and the actions WebBlocker takes when
the server cannot be reached.
For more information, see Define Advanced WebBlocker Options on page 1334.
Change Categories to Block
When you add a WebBlocker profile, you select a server to use for WebBlocker. The list of categories
you can configure in the WebBlocker configuration depends on which type of server you choose.
On the Servers tab in a WebBlocker profile, you can configure the categories that WebBlocker blocks.
Configure Websense Cloud Categories
If you configured WebBlocker to use the Websense cloud option, you configure the action for each
Websense category or subcategory. Select the check box adjacent to a category to select all
subcategories.
The top level categories are more than a summation of the subcategories they contain. Websense can
also use the top level categories to classify web sites that fit the description of the category, but do not
fit the description of any subcategory.
To block content that matches a category:
1. Click a category name to see the category description below the list.
2. In the category list, select each category or subcategory that you want to block.
3. To block access to web sites that match all categories, select the Deny All Categories check
box.
4. To configure the action WebBlocker takes for uncategorized web sites, from the When a URL
is uncategorized drop-down list at the bottom of the page, select Allow or Deny.
For more information about Websense cloud categories, see About WebBlocker Websense
Categories.
Configure SurfControl Categories
If you configured WebBlocker to use a WebBlocker Server with SurfControl, you select which
SurfControl categories to block.
1. On the Categories tab, select the check box for each content category you want to block.
The SurfControl content categories appear.
2. To block access to web sites that match all categories, click Select All.
3. To configure the action WebBlocker takes for uncategorized web sites, from the When a URL
is uncategorized drop-down list at the bottom of the page, select Allow or Deny.
For more information about SurfControl categories, see About WebBlocker SurfControl
Categories on page 1327.
To make sure users cannot go to web sites that hide their identities to try to avoid
WebBlocker, select to block the Proxies & Translators category.
Send an Alarm when a Site is Denied
You can define WebBlocker to send an alarm if a user tries to go to a site and is denied. In the Action
to Take section at the bottom of the page, select Alarm if denied.
To set parameters for the alarms, click the Alarm tab. For information on the fields in this dialog box,
see Set Logging and Notification Preferences on page 882.
Log WebBlocker Actions
You can define WebBlocker to send a message to the log file if a user tries to go to a site and is denied.
In the Action to Take section at the bottom of the page, select Log this action.
About WebBlocker Websense Categories
If you configure WebBlocker to use the Websense cloud for WebBlocker lookups, WebBlocker uses
the Websense content categories. A web site is added to a category when the content of the web site
meets the criteria for the content category.
In the Categories tab in a WebBlocker profile, click a category name to see a description of the criteria
for the category.
For information about how to see how Websense categorizes a site, or to send site categorization
feedback, see:
• See How Websense Categorizes a Site
• Request a Websense Category Change
See How Websense Categorizes a Site
You can use the WatchGuard Security Portal to see how Websense categorizes a web site.
1. Open a web browser and go to the WatchGuard Security Portal at
http://www.watchguard.com/SecurityPortal.
2. Click Websense Cloud.
3. If you are not already logged in to the WatchGuard web site, type your User name and
Password.
4. Type up to five URLs or IP addresses, each separated by a space, comma, or semicolon.
5. Click Search.
The Websense categorization for each URL or IP address appears in the Results section of the page.
Request a Websense Category Change
If you configured WebBlocker to use Websense cloud, you can send feedback about site
categorization to Websense for review. To request a category change, send an email to
suggest@websense.com. In the email, include the URL of the site, and information about which
categories you think the site should be removed from or added to.
About WebBlocker SurfControl Categories
If you configure WebBlocker to use a WebBlocker Server with SurfControl, WebBlocker uses the 54
web site categories defined by SurfControl.
A web site is added to a category when the contents of the web site meet the criteria for the content
category. Web sites that give opinions or educational material about the subject matter of the category
are not included. For example, the Illegal Drugs category denies sites that tell how to use marijuana.
It does not deny sites with information about the historical use of marijuana.
See How SurfControl Categorizes a Site
You can use the WatchGuard Security Portal to see how SurfControl categorizes a web site.
1. Open a web browser and go to the WatchGuard Security Portal at
http://www.watchguard.com/SecurityPortal.
2. Click SurfControl.
The WatchGuard Test-a-Site page appears.
3. Type the URL or IP address of the site to check.
4. Click Test Site.
The WatchGuard Test-a-Site Results page appears.
If a site is not categorized, or if you think the site is not categorized correctly, you can send feedback to
SurfControl. For more information, see Request a SurfControl Category Change.
Request a SurfControl Category Change
If you think a web site is categorized incorrectly, you can submit a request to change the site
categorization. On the WatchGuard Test-a-Site Test Results page, you can optionally send feedback
about the site categorization to SurfControl for review. Specifically, you can submit a request to:
• Add the web site to a category
• Remove a URL from a category
• Change the category for a site
To request a category change for a site in the SurfControl database:
1. Open a web browser and go to the WatchGuard Security Portal at
http://www.watchguard.com/SecurityPortal.
2. Click SurfControl.
The WatchGuard Test-a-Site page appears.
3. Type the URL or IP address of the site to check.
4. Click Test Site.
The WatchGuard Test-a-Site Results page appears.
5. On the Test Results page, click Submit A Site.
The Submit A Site page appears.
6. Select whether you want to Add a site, Delete a site, or Change the category.
7. Type the site URL.
8. To suggest a new category for the site, select the new category fromthe drop-down list.
9. Click Submit.
About WebBlocker Exceptions
WebBlocker could deny a web site that is necessary for your business. You can override WebBlocker
when you define a web site usually denied by WebBlocker as an exception to allow users to get
access to it. For example, suppose employees in your company frequently use web sites that contain
medical information. Some of these web sites are forbidden by WebBlocker because they fall into the
sex education category. To override WebBlocker, you specify the web site domain name. You can also
deny sites that WebBlocker usually allows.
WebBlocker exceptions apply only to HTTP and HTTPS traffic. If you deny a site with WebBlocker,
the site is not automatically added to the Blocked Sites list.
To add WebBlocker exceptions, see Add WebBlocker Exceptions on page 1330.
Define the Action for Sites that do not Match Exceptions
In the Use category list section below the list of exception rules, you can configure the action to occur
if the URL does not match the exceptions you configure. By default the Use the WebBlocker
category list to determine accessibility radio button is selected, and WebBlocker compares sites
against the categories you selected on the Categories tab to determine accessibility.
You can also choose not to use the categories at all and instead use the exception rules to restrict web
site access. To do this, click the Deny website access radio button.
Alarm
Select to send an alarm when the XTM device denies a WebBlocker exception. To set
parameters for the alarms, click the Alarm tab. For information on the Alarm tab fields, see Set
Logging and Notification Preferences on page 882.
Log this action
Select to send a message to the log file when the XTM device denies a WebBlocker exception.
Components of Exception Rules
Exception rules are based on IP addresses or a pattern based on IP addresses. You can have the XTM
device block or allow a URL with an exact match. Usually, it is more convenient to have the XTM
device look for URL patterns. The URL patterns do not include the leading "http://". To match a URL
path on all web sites, the pattern must have a trailing /*.
The host in the URL can be the host name specified in the HTTP request, or the IP address of the
server.
Network addresses are not supported, however you can use subnets in a pattern (for example,
10.0.0.*).
For servers on port 80, do not include the port. For servers on ports other than 80, add :port, for
example: 10.0.0.1:8080. You can also use a wildcard for the port, for example, 10.0.0.1:*, but this
does not apply to port 80.
Exceptions with Part of a URL
You can create WebBlocker exceptions with the use of any part of a URL. You can set a port number,
path name, or string that must be blocked for a special web site. For example, if it is necessary to block
only www.sharedspace.com/~dave because it has inappropriate photographs, you type
www.sharedspace.com/~dave/*. This gives the users the ability to browse to
www.sharedspace.com/~julia, which could contain content you want your users to see.
To block URLs that contain the word sex in the path, you can type */*sex*. To block URLs that
contain sex in the path or the host name, type *sex*.
You can block ports in a URL. For example, look at the URL
http://www.hackerz.com/warez/index.html:8080. This URL has the browser use the HTTP protocol on
TCP port 8080 instead of the default method that uses TCP 80. You can block the port by matching
*8080.
Add WebBlocker Exceptions
If you want WebBlocker to always allow or always deny access to a web site, regardless of the
content category, you can add a WebBlocker exception for that site. You can add a WebBlocker
exception that is an exact match of a URL, a pattern match of a URL, or a regular expression.
WebBlocker does not include query strings (the part of a URL that starts with the ?
character) in the categorization request it sends to the WebBlocker Server. This
means that you cannot create a WebBlocker exception to block specific queries.
Exact match
Exact matches match an exact URL or IP address, character by character. You cannot use
wildcards, and you must type each character exactly as you want it to be matched. For
example, if you enter an exception to allow www.yahoo.com as an exact match only, and a user
types www.yahoo.com/news, the request is denied.
Pattern match
Pattern matches match a pattern in the URL or IP address, for example pattern in
www.pattern.com. Make sure to drop the leading http:// and include /* at the end. Use the
wildcard symbol, *, to match any character. You can use more than one wildcard in one pattern.
For example, the pattern www.somesite.com/* will match all URL paths on the
www.somesite.com web site. To enter a network address, use a pattern match that ends in a
wildcard. For example, to match all the web sites at 1.1.1.1 on port 8080, set the directory to *.
Regular expression
Regular expression matches use a Perl-compatible regular expression to make a match. For
example, \.[onc][eor][gtm] matches .org, .net, .com, or any other three-letter combination of one
letter from each bracket, in order. When you create a regular expression to match a URL path, do
not include the leading http://. Regular expressions support wild cards used in shell scripts.
For example:
• The regular expression: (www)?\.watchguard\.[com|net] matches URL paths
including www.watchguard.com, www.watchguard.net, watchguard.com, and
watchguard.net
• The regular expression: 1.1.1.[1-9] matches all IP addresses from 1.1.1.1 to 1.1.1.9.
Regular expressions are more efficient, in terms of CPU usage, than pattern
matches. For best performance, we recommend that you use regular expressions
rather than pattern matches to define your WebBlocker exceptions, when several
exceptions are configured. You can create a regular expression that is equivalent to a
pattern match. For example, the pattern match *.hostname.com/* is equivalent to the
regular expression ^[0-9a-zA-Z\-\_.]{1,256}hostname\.com.
For more information about how to use regular expressions, see About Regular Expressions on page
656.
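The matching rules from Components of Exception Rules and the three match types above can be tried against real URLs before they go into a profile. The following is an added example, not WatchGuard code: it reduces a request URL to the host[:port]/path form that exceptions are written in (no scheme, no query string, port omitted for 80) and evaluates exact, pattern and regular expression rules against it. The rule tuple layout, the "first enabled match wins" order, treating a bare "/" path as no path, and the sample rule set are assumptions built from the examples in the text.

```python
import re
from urllib.parse import urlsplit

# Added example, not WatchGuard code: evaluates WebBlocker-style exception rules
# (exact match, pattern match with "*" wildcards, Perl-style regular expressions)
# against request URLs. Assumptions: rules are checked in list order and the first
# enabled match wins; a bare "/" path equals no path; rules are tuples of
# (name, action, match_type, value, enabled).


def normalize(url):
    """Reduce a request URL to the host[:port]/path form that exceptions are written in."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    port = parts.port
    # Port 80 is never written in an exception; other explicit ports appear as ":port".
    hostport = host if port in (None, 80) else f"{host}:{port}"
    path = "" if parts.path == "/" else parts.path
    # The query string (from "?" on) is not part of the categorization request, so it is dropped.
    return hostport + path


def matches(match_type, value, subject):
    """Apply one exception value to a normalized URL."""
    if match_type == "exact":
        return subject == value                      # character by character, no wildcards
    if match_type == "pattern":
        # Each "*" matches any run of characters; the rest is literal, and the whole
        # subject must be covered (hence "*sex*" rather than "sex").
        regex = ".*".join(re.escape(piece) for piece in value.split("*"))
        return re.fullmatch(regex, subject) is not None
    if match_type == "regex":
        # Unanchored search, so "1\.1\.1\.[1-9]" matches anywhere in the subject.
        return re.search(value, subject) is not None
    raise ValueError(f"unknown match type {match_type!r}")


def evaluate(url, rules, no_match="categories"):
    """Return 'allow', 'deny', or 'categories' (fall through to the category list).

    no_match is 'categories' (default) or 'deny', mirroring the Use category list choice.
    """
    subject = normalize(url)
    for _name, action, match_type, value, enabled in rules:
        if enabled and matches(match_type, value, subject):
            return action
    return no_match


# Constructed sample rule set built from the examples in the text.
SAMPLE_RULES = [
    ("WB Rule1", "allow", "exact", "www.yahoo.com", True),
    ("WB Rule2", "deny", "pattern", "www.sharedspace.com/~dave/*", True),
    ("WB Rule3", "deny", "pattern", "*/*sex*", True),           # "sex" in the path only
    ("WB Rule4", "deny", "pattern", "*:8080*", True),           # any server on TCP 8080
    ("WB Rule5", "allow", "regex", r"^(www\.)?watchguard\.(com|net)", True),
    ("WB Rule6", "deny", "regex", r"1\.1\.1\.[1-9]", True),
    ("WB Rule7", "deny", "exact", "www.example.org", False),   # disabled, kept for later
]

if __name__ == "__main__":
    for url in ["http://www.yahoo.com", "http://www.yahoo.com/news",
                "http://www.sharedspace.com/~dave/pics.html", "http://www.sharedspace.com/~julia/",
                "http://www.hackerz.com:8080/warez/index.html", "https://watchguard.net/support?q=1",
                "http://1.1.1.5/", "http://www.example.org/"]:
        print(f"{url:48} -> {evaluate(url, SAMPLE_RULES)}")
```

Two points the sample rules make visible: because the port is written after the host, the page's *8080 idea is expressed here as *:8080* so that the pattern still covers the whole subject; and the watchguard rule is written as (www\.)?watchguard\.(com|net), since in Perl-compatible syntax square brackets form a character class, so [com|net] would match only a single character.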
1. To create exceptions to the WebBlocker categories, select the Exceptions tab.
2. Click Add to add a new exception rule.
The WebBlocker Exception dialog box appears.
3. In the Name text box, edit the name for this exception. The default name is WB Rule[number].
4. From the Action drop-down list, select whether WebBlocker allows or denies the exception.
5. Fromthe Match Type drop-down list, select Pattern Match, Exact Match, or Regular
Expression.
6. Type the URL pattern, value, or expression, depending on the value you selected for Match
Type.
For a host IP address, type the address, port, and directory to be matched.
7. Click OK to close the New WebBlocker Exception dialog box.
8. Click Save.
You can use any of these options for WebBlocker exceptions:
• Select the Log check box if you want a log message when an action is taken on a WebBlocker
exception.
• Select the Alarm check box if you want WebBlocker to send an alarm when an action is taken
on a WebBlocker exception.
• To disable an exception but keep it in your configuration for possible use at a later time, clear the
Enabled check box.
• In the Use category list section below the list of exception rules, you can configure the action
to take if the URL does not match the exceptions you configure. The default setting is that the
Use the WebBlocker category list to determine accessibility radio button is selected, and
WebBlocker compares sites against the categories you selected on the Categories tab to
determine accessibility.
• You can also choose to not use the categories at all, and instead only use exception rules to
restrict web site access. To deny access to all sites not listed on the exceptions list, select
Deny website access.
• To allow access to all sites not listed on the exceptions list, select Use the WebBlocker
category list to determine accessibility. Then, make sure that no categories are selected on
the Categories tab.
Define Advanced WebBlocker Options
To configure advanced WebBlocker options, select the Advanced tab in the WebBlocker profile.
Local Override
If you want to allow users to bypass WebBlocker if they know a passphrase, select the Use this
passphrase to enable WebBlocker local override check box. Type and confirm the override
passphrase in the Passphrase text box. If desired, change the Inactivity Timeout.
When you enable WebBlocker local override, if a user tries to visit a site that is denied by WebBlocker,
the user is prompted to type the override password. When the user types the correct password,
WebBlocker allows the user to get to the destination web site until the inactivity timeout is reached or
until an authenticated user logs out. This feature operates only with HTTP proxy policies. For more
information about local override, see Use WebBlocker Local Override on page 1337.
Cache Size
Change this setting to improve WebBlocker performance.
Cache Size
Select or type a number to change the number of entries in the cache.
The Cache Size setting applies to Fireware XTM v11.6.x and lower. For information
about how the cache size is set in Fireware XTM v11.7 and higher, see About the
WebBlocker Cache.
Server Timeout
If the server can't be reached in
Set the number of seconds to try to connect to the server before the XTM device times out.
Alarm
Select to send an alarm when the XTM device cannot connect to the WebBlocker Server and
times out. To set parameters for the alarms, click the Alarm tab. For information about the
settings on the Alarm tab, see Set Logging and Notification Preferences on page 882.
Log this action
Select to send a message to the log file if the XTM device times out.
Allow the user to view the web site
Select if you want to allow the user to see the web site if the XTM device times out and does not
connect to the WebBlocker Server.
Deny access to the web site
Select to deny access if the XTM device times out.
The XTM device attempts to reach the WebBlocker Server even when it is unavailable. If you allow
web traffic when the server is unavailable, each user who sends a web request must wait for the
number of seconds in the Server Timeout setting before the XTM device allows access to the web
site. When the XTM device can connect to the WebBlocker Server again, it starts to apply WebBlocker
rules again.
To add or delete servers, or to change their order of priority, see Configure WebBlocker Servers on
page 1320.
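The interaction between the server list order (Configure WebBlocker Servers), the Server Timeout and the two timeout actions is easier to reason about in a small simulation. The following is an added example, not WatchGuard code: it walks an ordered list of constructed servers, charges the full timeout for each unreachable one, and applies the configured timeout action only when every server has failed, returning the delay a user would see. The server names, categories, the "uncategorized" handling, and the assumption that each listed server gets its own full timeout window are illustrative; real lookups go to the WebBlocker Server over UDP port 5003.

```python
from dataclasses import dataclass, field

# Added example, not WatchGuard code: a simulation of the server-list failover and
# the "if the server can't be reached" actions. Servers and their categorizations
# are constructed sample data; time is counted in simulated milliseconds.
# Assumption: each server in the list gets its own full timeout window before the
# device moves on, and the timeout action applies only after every server fails.


@dataclass
class FakeServer:
    name: str
    reachable: bool
    categories: dict = field(default_factory=dict)   # host -> category (constructed)
    latency_ms: int = 50


class SimClock:
    """Counts simulated milliseconds so the user-visible delay can be measured."""
    def __init__(self):
        self.now_ms = 0

    def sleep(self, ms):
        self.now_ms += ms


def query(server, host, timeout_ms, clock):
    """One lookup attempt: a category string, or None when the server times out."""
    if not server.reachable:
        clock.sleep(timeout_ms)        # the device waits the full timeout, then gives up
        return None
    clock.sleep(server.latency_ms)
    return server.categories.get(host, "uncategorized")


def decide(host, servers, blocked, timeout_ms=5000, on_timeout="deny",
           uncategorized="allow", clock=None):
    """Walk the server list in order; return (action, server_name, category, delay_ms).

    on_timeout is 'allow' (Allow the user to view the web site) or 'deny' (Deny access
    to the web site); uncategorized mirrors the When a URL is uncategorized choice.
    """
    clock = clock or SimClock()
    start = clock.now_ms
    for server in servers:            # the first entry is the primary server
        category = query(server, host, timeout_ms, clock)
        if category is not None:
            if category == "uncategorized":
                action = uncategorized
            else:
                action = "deny" if category in blocked else "allow"
            return action, server.name, category, clock.now_ms - start
    # No server answered within its timeout: apply the configured timeout action.
    return on_timeout, None, None, clock.now_ms - start


# Constructed sample configuration: a primary that is down and one working backup.
PRIMARY = FakeServer("10.0.1.10:5003", reachable=False)
BACKUP = FakeServer("10.0.1.11:5003", reachable=True,
                    categories={"www.example.net": "Gambling", "www.example.com": "Business"})
BLOCKED = {"Gambling"}

if __name__ == "__main__":
    print(decide("www.example.net", [PRIMARY, BACKUP], BLOCKED))
    print(decide("www.example.com", [PRIMARY], BLOCKED, on_timeout="allow"))
```

The delay figures are the point: with a dead primary every request pays the full timeout before the backup answers, and with "allow" on timeout the user waits the whole window and is then let through unfiltered, which is why the default is to deny.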
License Bypass
The license bypass setting controls whether users on your network can get access to web sites if
WebBlocker is enabled and the WebBlocker security subscription expires.
Fromthe When the WebBlocker license expires, access to all sites is drop-down box, select one
of these options:
Denied
Select to block access to all web sites when the WebBlocker license expires.
Allowed
Select to allow access to all web sites when the WebBlocker license expires.
By default, license bypass is configured to block access to all web sites if the WebBlocker security
subscription is expired. This is the most secure option if you must block your users from specific types
of content.
For information about how to renew your security subscription see Renew Subscription Services on
page 112.
Diagnostic Log Level
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
• Error
• Warning
• Information
• Debug
The log level you select overrides the diagnostic log level that is configured for all proxy policies that
use this WebBlocker action.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page 878.
About the WebBlocker Cache
To improve performance, WebBlocker stores recent URL lookups in a local cache on the XTM device. WebBlocker caches up to three levels of the URL path. For example, if WebBlocker looks up the URL www.example.com/path1/path2/path3/path4/webpage.html, it caches only www.example.com/path1/path2/path3.
In Fireware XTM v11.7 and higher, one WebBlocker cache is shared by all WebBlocker actions configured for the same categorization database type (Websense or SurfControl) on the device. The WebBlocker cache size varies by device model, and is not configurable.

WebBlocker cache size   XTM device model
8K                      Firebox T10, XTM 2 Series, 33, 330, 505, 510, 520, 530
32K                     XTM 515, 525, 535, 545, 810, 820, 830
64K                     XTM 1050
512K                    XTM 850, 860, 870, 1500, 2050, 2500

In Fireware XTM 11.6.x or lower, the size of the cache for each WebBlocker action is a number of entries based on the Cache Size configured in the Advanced settings for each WebBlocker profile. For more information, see Define Advanced WebBlocker Options.
Use WebBlocker Local Override
WebBlocker local override is a feature that allows a user to type an override password to go to a web
site that is blocked by the WebBlocker policy. For example, in a school, a teacher could use the
override password to allow a student to access an approved site that is blocked by WebBlocker
content categories.
When a user tries to go to a site that is blocked by the WebBlocker policy, if local override is enabled, the user sees a deny message in the browser.
If the XTM device uses a self-signed certificate for authentication, the user can also see a certificate warning. We recommend that you install a trusted certificate on the XTM device for this purpose, or import the self-signed certificate on each client device.
To get access to the requested site, the user must type the override destination and the override
password.
1. In the Override destination text box, type the URL to allow access to. By default, the override destination is set to the URL that was blocked. You can use wildcards in the override destination to allow access to more than one site, or to more pages in one site. Examples of override destinations that use wildcards:
*.amazon.com
Allows access to all subdomains of amazon.com.
*amazon.com
Allows access to all domain names that end with amazon.com, such as images-amazon.com.
www.amazon.com/books-used-books-textbooks/*
Allows access only to pages in that path.
2. In the Override Password text box, type the override password configured in the WebBlocker profile.
3. Click Submit.
After the user types the correct override password, the XTM device allows access to the override destination until an authenticated user logs out, or until there is no traffic to a matching site for the amount of time specified in the WebBlocker local override inactivity timeout. You enable local override and set the local override inactivity timeout in the WebBlocker profile.
For more information about how to configure WebBlocker local override, see Get Started with
WebBlocker on page 1317.
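The two URL-handling behaviors described above (the three-level cache key, and the wildcard forms accepted as an override destination) as an added example; this is illustration code, not WatchGuard's implementation. The bounded LRU eviction and the resolver callback are assumptions; the guide does not document the cache's eviction policy.

```python
"""WebBlocker URL handling: three-level cache keys and local-override wildcards.

Added example, not WatchGuard code. The eviction policy of the real cache is
not documented; the bounded LRU used here is an assumption.
"""
from collections import OrderedDict
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

CACHE_PATH_LEVELS = 3  # the guide: at most three levels of the URL path are cached


def split_url(url):
    """Return (host, path) for a URL written with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def cache_key(url):
    """Key under which a lookup result is cached, e.g.
    www.example.com/path1/path2/path3/path4/webpage.html -> www.example.com/path1/path2/path3
    Every deeper URL under that prefix reuses the same cached category."""
    host, path = split_url(url)
    segments = [s for s in path.split("/") if s]
    return host + "".join("/" + s for s in segments[:CACHE_PATH_LEVELS])


class WebBlockerCache:
    """Bounded cache of categorization results (size is per model, e.g. 8K entries)."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self._entries = OrderedDict()
        self.hits = 0
        self.misses = 0

    def lookup(self, url, resolve):
        """Return the category for url, calling resolve(key) only on a cache miss."""
        key = cache_key(url)
        if key in self._entries:
            self.hits += 1
            self._entries.move_to_end(key)
            return self._entries[key]
        self.misses += 1
        category = resolve(key)
        self._entries[key] = category
        if len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)  # assumed LRU eviction when full
        return category


def override_matches(destination, url):
    """Does a local-override destination cover url?  Semantics from the guide:
       *.amazon.com   -> any subdomain of amazon.com
       *amazon.com    -> any host name that ends with amazon.com (images-amazon.com,
                         but also an unrelated notamazon.com: the pattern is broad)
       www.amazon.com/books-used-books-textbooks/*  -> only pages under that path
    A destination with no path part covers every path on the matching host."""
    host, path = split_url(url)
    if "/" in destination:
        dest_host, dest_path = destination.split("/", 1)
        dest_path = "/" + dest_path
    else:
        dest_host, dest_path = destination, None
    if not fnmatchcase(host, dest_host.lower()):
        return False
    return dest_path is None or fnmatchcase(path, dest_path)


if __name__ == "__main__":
    # Constructed resolver standing in for the WebBlocker Server round trip.
    calls = []

    def resolve(key):
        calls.append(key)
        return "shopping" if "amazon" in key else "uncategorized"

    cache = WebBlockerCache(max_entries=8 * 1024)
    cache.lookup("www.example.com/path1/path2/path3/path4/webpage.html", resolve)
    cache.lookup("www.example.com/path1/path2/path3/other.html", resolve)
    print(cache.hits, cache.misses, calls)  # 1 1 ['www.example.com/path1/path2/path3']
    print(override_matches("*amazon.com", "notamazon.com/login"))  # True
```

The last line shows why a leading-wildcard destination deserves a second look before a teacher or administrator types it: it also covers unrelated domains that merely end in the same characters.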
Define WebBlocker Alarms
To configure notification parameters for WebBlocker alarms, select the Alarm tab in the WebBlocker
profile.
You can send an alarm when the XTM device cannot connect to the WebBlocker Server and times out, or when the XTM device times out and access to a site is denied. For information about the Alarm tab settings, see Set Logging and Notification Preferences on page 882.
To change server timeout settings, see Define Advanced WebBlocker Options on page 1334.
About WebBlocker Subscription Services
Expiration
If your site uses WebBlocker, you must renew or disable the WebBlocker subscription as soon as it expires to prevent an interruption in web browsing. WebBlocker has a default setting that blocks all traffic when the connections to the server time out. When your WebBlocker subscription expires, it no longer contacts the server. This appears to the XTM device as a server timeout. All HTTP traffic is blocked unless this default was changed before expiration.
To change this setting:
1. On the WebBlocker configuration page, select the Advanced tab.
2. In the License Bypass section, change the setting to Allowed.
26 spamBlocker
About spamBlocker
Unwanted email, also known as spam, fills the average Inbox at a very high rate. A large volume of spam decreases bandwidth, degrades employee productivity, and wastes network resources.
Commercial mail filters use many methods to find spam. Blacklists keep a list of domains that are used by known spam sources or are open relays for spam. Content filters search for key words in the header and body of email messages. URL detection compares a list of domains used by known spam sources to the advertised link in the body of the email message. All of these procedures scan each individual email message. Attackers can easily bypass those fixed algorithms. They can mask the sender address to bypass a blacklist, change key words, embed words in an image, or use multiple languages. They can also create a chain of proxies to disguise the advertised URL.
spamBlocker uses a combination of rules, pattern matching, and sender reputation to accurately identify and block spam messages and keep them away from your email server.
spamBlocker uses anti-spam technology from CYREN (formerly Commtouch).
spamBlocker Requirements
Before you enable spamBlocker, you must have:
- A spamBlocker feature key. To get a feature key, contact your WatchGuard reseller.
- A POP3 or SMTP email server. spamBlocker works with the WatchGuard POP3 and SMTP proxies to scan your inbound email. You must configure at least one POP3 or SMTP proxy before you can configure the spamBlocker service. If you have more than one proxy policy for POP3 or for SMTP, spamBlocker works with all of them.
- DNS configured on your XTM device. In Fireware XTM Web UI, select Network > Interfaces. In the DNS Servers list, add the IP addresses of the DNS servers your XTM device uses to resolve host names.
- A connection to the Internet.
spamBlocker Actions, Tags, and Categories
You configure the action that spamBlocker takes based on the spam category of each email message.
spamBlocker Actions
Firebox or XTM devices use spamBlocker actions to apply decisions about the delivery of email messages. When a message is assigned to a category, the related action is applied. Not all actions are supported when you use spamBlocker with the POP3-proxy.
Allow
Allows the email message to go through the Firebox or XTM device.
Add subject tag
Allows the email message to go through the Firebox or XTM device, but inserts text in the subject line of the email message to mark it as spam or possible spam. You can use the default tags or you can customize them, as described in the subsequent spamBlocker section. You can also create rules in your email reader to sort the spam automatically based on the subject tags, as described in Create Rules for Your Email Reader on page 1357.
Quarantine (SMTP only)
Sends the email message to the Quarantine Server. The Quarantine option is supported only when you use spamBlocker with the SMTP-proxy. The POP3-proxy does not support this option.
Deny (SMTP only)
Stops delivery of the email message to the mail server. The Firebox or XTM device sends this 571 SMTP message to the sending email server: Delivery not authorized, message refused. The Deny option is supported only if you use spamBlocker with the SMTP-proxy. The POP3-proxy does not support this option.
Drop (SMTP only)
Drops the connection immediately. The Firebox or XTM device does not give any error messages to the sending server. The Drop option is supported only if you use spamBlocker with the SMTP-proxy. The POP3-proxy does not support this option.
spamBlocker Tags
If you select the spamBlocker action to add a tag to certain email messages, the Firebox or XTM device adds a text string to the subject line of the message. You can use the default tags provided, or you can create a custom tag. The maximum length of the tag is 30 characters.
This example shows the subject line of an email message that was found to be spam. The tag added is the default tag: ***SPAM***.
Subject: ***SPAM*** Free auto insurance quote
This example shows a custom tag: [SPAM]
Subject: [SPAM] You've been approved!
spamBlocker Categories
spamBlocker assigns one of three categories to each email message.
Confirmed Spam
The Confirmed Spam category includes email messages from known spammers.
If you use spamBlocker with the SMTP-proxy, select the Deny action for this category.
If you use spamBlocker with the POP3-proxy, select the Add subject tag action for this category.
Suspected Spam
The Suspect category includes email messages that appear to be associated with a new spam attack. Frequently, suspected spam messages are legitimate email messages, but appear in this category as false positives. Unless you have verified that most messages in this category are not false positives for your network, you should consider a suspect email message as not spam, and select the Add subject tag action for suspect email, or the Quarantine action if you use spamBlocker with the SMTP-proxy.
Bulk
The Bulk category includes email messages that are not from known spammers, but do match some known spam structure patterns. For this category, select the Add subject tag action, or the Quarantine action if you use spamBlocker with the SMTP-proxy.
See the spamBlocker Category for a Message
After spamBlocker categorizes a message, it adds the spam category to the full email message header as a spam score. To see the spam category, you must review the full email message header.
To find the spam score for an email message in Microsoft Outlook 2010:
1. In an open email message, select the File tab.
2. Click Properties.
3. In the Internet headers text box, review the message header information.
To find the spam score for an email message in Microsoft Outlook 2007:
1. Open the email message.
2. On the Message tab, in the Options group, click the Dialog Box Launcher icon.
The Message Options dialog box appears.
3. In the Internet headers text box, review the full message header.
In the Internet headers text box, the spam score appears in this line:
X-WatchGuard-Spam-Score:
See the Spam Score in the Message Header
Here is an example of how the spam score appears in the email message header:
X-WatchGuard-Spam-Score: 3, bulk; 0, no virus
The first number on this line is the spam category. This number has one of these values:
0  Clean
1  Clean
2  Suspect
3  Bulk
4  Spam
If you enable Virus Outbreak Detection (VOD) in your spamBlocker configuration, the spam score in the email message header has a second number, the VOD category. This number has one of these values:
0  No virus
1  No virus
2  Virus threat possible
3  Virus threat high
Configure spamBlocker
You can enable spamBlocker for the SMTP or POP3 proxy.
Before You Begin
Before you can configure spamBlocker for an SMTP or POP3 proxy policy, you must configure the
policy to use a user-defined proxy action. To create a user-defined proxy action, you can clone the
default (predefined) proxy action, and use that proxy action for the proxy policy.
To find the proxy action your policy uses:
1. Select Firewall >Firewall Policies.
2. Select the proxy policy, and from the Action menu, select Edit Policy.
The Policy Configuration page appears.
3. Select the Proxy Action tab.
The Proxy Action for the policy appears at the top.
4. Verify whether the proxy action is a predefined or user-defined proxy action.
For more information about proxy actions, see About Proxy Actions.
If the proxy policy uses a predefined proxy action, you must clone the proxy action before you can
enable subscription services for the proxy policy. You can clone the proxy action in the Proxy Action
tab when you edit the proxy policy.
1. From the Proxy Action drop-down list, select Clone the current proxy action.
2. Type a new name for the cloned proxy action, or use the default name.
3. Edit the proxy action.
For more information, see About Proxy Actions.
4. Click Save.
Configure spamBlocker for an SMTP or POP3 Proxy Action
1. Select Subscription Services > spamBlocker.
The spamBlocker configuration page appears, with a list of the SMTP and POP3 proxy actions on
your XTM device and whether spamBlocker is enabled for each one.
2. In the spamBlocker Actions list, select a user-defined SMTP or POP3 proxy action. Click
Configure. You cannot configure spamBlocker for a predefined proxy action.
The spamBlocker configuration settings appear.
3. Select the Enable spamBlocker check box.
4. Set the actions spamBlocker applies for each category of email in the drop-down lists adjacent to each spam category. WatchGuard recommends you use the Add subject tag action for messages categorized as Suspect. If you select this action, you can change the tag that appears in the text box to the right of the drop-down list.
For more information on spamBlocker tags, see spamBlocker Actions, Tags, and Categories on page 1342.
5. If you want to send a log message each time spamBlocker takes an action, select the Send a log message check box for the action. If you do not want to record log messages for an action, clear this check box.
6. The When the spamBlocker server is unavailable drop-down list specifies how the XTM device handles incoming email when the spamBlocker server cannot be contacted. We recommend you use the default Allow action.
- If you set this option to Deny for the POP3 or SMTP proxy, it causes a conflict with Microsoft Outlook. When Outlook starts a connection to the email server, spamBlocker tries to contact the spamBlocker server. If the spamBlocker server is not available, spamBlocker stops the email download. When this happens, a cycle starts: Outlook tries to download email and spamBlocker stops the download. This continues until the XTM device can connect to the spamBlocker server, the request is dropped because the proxy times out, or you cancel the request.
- If you set this option to Deny with the SMTP proxy, the XTM device sends this 450 SMTP message to the sending email server: Mailbox is temporarily unavailable.
7. The Send log message for each email classified as not spam check box specifies whether a message is added to the log file if an email message is scanned by spamBlocker but is not designated as Confirmed Spam, Bulk, or Suspect. Select this check box if you want to add a message to the log file in this situation.
8. (Optional) Add spamBlocker exception rules, as described in About spamBlocker Exceptions on page 1348.
9. (Optional) Enable Virus Outbreak Detection, as described in Enable and Set Parameters for Virus Outbreak Detection (VOD).
10. Click Save.
The XTM device uses the HTTP protocol to send requests to the spamBlocker server. If the traffic from the XTM device must go through a perimeter firewall to reach the Internet, make sure the firewall does not block HTTP traffic.
After you enable spamBlocker for a proxy action or policy, you can define global spamBlocker settings.
These settings apply to all spamBlocker configurations. Click Settings to see or modify the global
spamBlocker configuration settings. For more information, see Configure Global spamBlocker Settings
on page 1352.
About spamBlocker Exceptions
You can create an exception list to the general spamBlocker actions that is based on the sender's or recipient's address. For example, if you want to allow a newsletter that spamBlocker identifies as Confirmed Spam email, you can add that sender to the exception list and use the Allow action regardless of the spamBlocker category the sender is assigned to. Or, if you want to apply a tag to a sender that spamBlocker designates as safe, you can add that to the exceptions list as well.
Make sure you use the sender's actual address that appears in the X-WatchGuard-Mail-From line in the Internet header of the message. This is the address that was specified in the MAIL FROM command in the SMTP transaction, and might not match the address you see in the From field when you look at the email message. For example, to see the Internet header for a message in Microsoft Outlook, with the message open, in the Options group, click the Dialog Box Launcher icon, and look in the Internet headers box. The addresses of the sender and recipient are in these lines:
X-WatchGuard-Mail-From:
X-WatchGuard-Mail-Recipients:
Be careful when you add wildcards to an exception. Spammers can spoof header information. The more specific the addresses in your exception list, the more difficult it is to spoof them.
To add an exception rule, see Add spamBlocker Exception Rules on page 1348.
To change the order of the rules listed in the dialog box, see Change the Order of Exceptions on page
1350.
Add spamBlocker Exception Rules
After you enable spamBlocker, you can use Fireware XTM Web UI to define exceptions that allow email from specific senders to bypass spamBlocker.
1. Select Subscription Services > spamBlocker.
The spamBlocker Configuration page appears.
2. Select a proxy action and click Configure. Select the spamBlocker Exceptions tab.
3. Click Add.
4. From the Action drop-down list, select an action: Allow, Add subject tag, Quarantine, Deny, or Drop. (The POP3 proxy supports only the Allow and Add subject tag spamBlocker actions.)
5. Type a sender, a recipient, or both. You can type the full email address or use wildcards.
Make sure you use the actual address of the sender. You can find this address in the Mail-From field in the email message header. This address might not match the address in the From: field that you see at the top of the email message. To get the actual address for an exception, get the full email message header (from Microsoft Outlook, with the message open, select View > Options and look in the Internet headers box). The addresses of the sender and recipient are in these lines:
X-WatchGuard-Mail-From:
X-WatchGuard-Mail-Recipients:
Use care when you add wildcards to an exception. Spammers can spoof header information.
The more specific the addresses in your exception list, the more difficult it is to spoof them.
6. Click Add.
The exception is added to the bottom of the exceptions list.
7. To send a log message each time an email matches one of the exceptions, select the Log
exceptions check box.
The exceptions are processed in the order they appear in the list. To change the order of exceptions, click Up and Down.
Change the Order of Exceptions
The order in which the spamBlocker exception rules appear in the dialog box is the order in which email messages are compared to the rules. The proxy policy compares messages to the first rule in the list and continues in sequence from top to bottom. When a message matches a rule, the XTM device performs the related action. It performs no other actions, even if the message matches a rule or rules later in the list.
To change the order of rules, select the rule whose order you want to change. Click Up or Down to
move the selected rule up or down in the list.
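The header format, category numbers, subject tags, POP3 restrictions and first-match exception ordering from the sections above, carried through in one added example. This is illustration code, not WatchGuard's implementation; the rule dictionary format, the action names and the sample message are constructed.

```python
"""spamBlocker classification as a mail administrator might model it: read the
X-WatchGuard-Spam-Score header, apply the per-category action, and let the
ordered exception list override it.  Added example, not WatchGuard code;
rule format, action names and the sample message are constructed.
"""
from email import message_from_string
from fnmatch import fnmatchcase

# First number in X-WatchGuard-Spam-Score is the spam category; the optional
# second number (present when VOD is enabled) is the VOD category.
SPAM_CATEGORY = {0: "clean", 1: "clean", 2: "suspect", 3: "bulk", 4: "spam"}
VOD_CATEGORY = {0: "no virus", 1: "no virus",
                2: "virus threat possible", 3: "virus threat high"}
POP3_ACTIONS = {"allow", "tag"}   # POP3-proxy: no quarantine, deny or drop
MAX_TAG_LEN = 30                  # subject tags are limited to 30 characters


def parse_spam_score(value):
    """'3, bulk; 0, no virus' -> ('bulk', 'no virus'); '4, spam' -> ('spam', None)."""
    fields = [f.strip() for f in value.split(";")]
    spam = SPAM_CATEGORY[int(fields[0].split(",")[0])]
    vod = None
    if len(fields) > 1 and fields[1]:
        vod = VOD_CATEGORY[int(fields[1].split(",")[0])]
    return spam, vod


def first_matching_exception(exceptions, mail_from, recipients):
    """Rules are compared top to bottom and the first match wins, as in the
    Exceptions tab.  A rule is a dict with 'action' and an optional 'sender'
    and/or 'recipient' glob; every condition given in the rule must match."""
    for rule in exceptions:
        sender_ok = "sender" not in rule or fnmatchcase(mail_from, rule["sender"].lower())
        rcpt_ok = "recipient" not in rule or any(
            fnmatchcase(r, rule["recipient"].lower()) for r in recipients)
        if sender_ok and rcpt_ok:
            return rule
    return None


def decide(raw_message, category_actions, exceptions, tags, proxy="smtp"):
    """Return (action, subject) for one message.
    category_actions maps category -> action, e.g. {'spam': 'deny', 'bulk': 'quarantine'}.
    tags maps category -> subject tag used by the 'tag' action."""
    msg = message_from_string(raw_message)
    category, _vod = parse_spam_score(msg["X-WatchGuard-Spam-Score"])
    # Match exceptions on the envelope address the proxy recorded (MAIL FROM),
    # not the From: display header.  Either can be spoofed, so prefer exact
    # addresses over wildcards in rules.
    mail_from = (msg.get("X-WatchGuard-Mail-From") or "").strip().lower()
    recipients = [r.strip().lower()
                  for r in (msg.get("X-WatchGuard-Mail-Recipients") or "").split(",")
                  if r.strip()]
    rule = first_matching_exception(exceptions, mail_from, recipients)
    action = rule["action"] if rule else category_actions.get(category, "allow")
    if proxy == "pop3" and action not in POP3_ACTIONS:
        raise ValueError("POP3-proxy does not support the %s action" % action)
    subject = msg.get("Subject", "")
    if action == "tag":
        tag = tags.get(category, "***SPAM***")
        if len(tag) > MAX_TAG_LEN:
            raise ValueError("subject tag longer than %d characters" % MAX_TAG_LEN)
        subject = "%s %s" % (tag, subject)
    return action, subject


# Constructed sample message as the SMTP-proxy would hand it on, with VOD enabled.
SAMPLE_MESSAGE = """\
X-WatchGuard-Spam-Score: 3, bulk; 0, no virus
X-WatchGuard-Mail-From: newsletter@example-news.test
X-WatchGuard-Mail-Recipients: alice@example.test
From: "Example News" <news@example-news.test>
Subject: Weekly digest

Body text.
"""

if __name__ == "__main__":
    actions = {"spam": "deny", "suspect": "tag", "bulk": "quarantine"}
    rules = [{"sender": "*@example-news.test", "action": "allow"}]
    print(decide(SAMPLE_MESSAGE, actions, [], {}))     # ('quarantine', 'Weekly digest')
    print(decide(SAMPLE_MESSAGE, actions, rules, {}))  # ('allow', 'Weekly digest')
```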
Configure Virus Outbreak Detection Actions
Virus Outbreak Detection (VOD) identifies and blocks spam messages that contain viruses.
To configure Virus Outbreak Detection actions:
1. Select Subscription Services > spamBlocker.
2. Make sure Virus Outbreak Detection is enabled:
n On the spamBlocker page, click Settings.
n On the spamBlocker Settings page, select the VOD tab.
n Select the Enable Virus Outbreak Detection (VOD) check box.
For more information, see Enable and Set Parameters for Virus Outbreak Detection
(VOD) on page 1355.
n Click Save.
3. On the spamBlocker page, select a proxy policy and click Configure. Select the Virus
Outbreak Detection tab.
4. From the When a virus is detected drop-down list, select the action the XTM device takes if VOD detects a virus in an email message.
5. From the When a scan error occurs drop-down list, select the action the XTM device takes when VOD cannot scan an email message or attachment.
Attachments that cannot be scanned include binhex-encoded messages, certain encrypted files, or files that use a type of compression that spamBlocker does not support, such as password-protected zip files.
6. Select the Log this action check boxes to send a log message when a virus is detected or when a scan error occurs.
7. Select the Alarm check boxes to send an alarm when a virus is detected or when a scan error occurs.
The SMTP proxy supports the Allow, Lock, Remove, Quarantine, Drop, and Block actions. The
POP3 proxy supports only the Allow, Lock, and Remove actions.
For more information on these actions, see spamBlocker Actions, Tags, and Categories on page 1342.
Configure spamBlocker to Quarantine Email
The WatchGuard Quarantine Server provides a safe, full-featured quarantine mechanism for any email messages suspected or known to be spam or to contain viruses. This repository receives email messages from the SMTP proxy that have been filtered by spamBlocker.
To configure spamBlocker to quarantine email:
1. When you configure spamBlocker (as described in Configure spamBlocker on page 1345), you
must make sure you enable spamBlocker for the SMTP proxy. The POP3 proxy does not
support the Quarantine Server.
2. When you set the actions spamBlocker applies for different categories of email, make sure you
select the Quarantine action for at least one of the categories.
You can also select the Quarantine action for email messages identified by Virus Outbreak Detection
to contain viruses. For more information, see Configure Virus Outbreak Detection Actions on page
1350.
About Using spamBlocker with Multiple Proxies
You can configure more than one SMTP or POP3 proxy policy to use spamBlocker. This lets you create custom rules for different groups in an organization. For example, you can allow all email to your management employees and use a spam tag for the marketing team.
If you want to use more than one proxy policy with spamBlocker, your network must use one of these configurations:
- Each proxy policy must send email to a different internal email server.
- You must set the external source or sources that can send email for each proxy policy.
Configure Global spamBlocker Settings
You can use global spamBlocker settings to optimize your spamBlocker configuration. Because some
of these parameters affect the amount of memory that spamBlocker uses on your Firebox or XTM
device, you must balance spamBlocker performance with other device functions.
Before you can configure global spamBlocker settings, you must enable spamBlocker for at least one
proxy policy.
To configure the global parameters for spamBlocker:
1. Select Subscription Services > spamBlocker.
2. Select the Settings tab.
The spamBlocker Global Settings page appears.
3. In the Maximum file size to scan text box, type or select the number of bytes of an email message to be passed to spamBlocker to be scanned.
Usually, 20 to 40K is enough for spamBlocker to correctly detect spam. However, if image-based spam is a problem for your organization, you can increase the maximum file size to block more image-based spam.
For information about the default and maximum scan limits for each XTM device model, see About spamBlocker Scan Limits on page 1357.
4. In the Cache size text box, type the number of entries spamBlocker caches locally for messages that have been categorized as spam and bulk.
A local cache can improve performance because it reduces network traffic. Usually, you do not have to change this value.
You can set the Cache size to 0 to force all email to be sent to CYREN. This is most often used only for troubleshooting.
5. To disable the Proactive Patterns feature, clear the Enabled check box.
This feature uses a large amount of memory while the local database is updated. If you have limited memory or processor resources, you might want to disable this feature. For more information, see About spamBlocker Proactive Patterns.
6. (Optional) Define other parameters for spamBlocker:
- Use an HTTP Proxy Server for spamBlocker
- Add Trusted Email Forwarders to Improve Spam Score Accuracy
- Enable and Set Parameters for Virus Outbreak Detection (VOD)
7. Click Save.
Use an HTTP Proxy Server for spamBlocker
If spamBlocker must use an HTTP proxy server to connect to the CYREN server through the Internet,
you must configure the HTTP proxy server settings on the spamBlocker Settings page.
1. On the spamBlocker page, click Settings.
The spamBlocker Settings page appears.
2. Select the HTTP Proxy Server tab.
3. Select the Connect to spamBlocker using an HTTP Proxy server check box.
4. In the Server Address text box, type the IP address or host name of the HTTP proxy server.
5. In the Server port text box, type the number of the port the Firebox or XTM device must use to contact the HTTP proxy server.
6. From the Server authentication drop-down list, select the authentication method to use for proxy server connections.
7. If you selected Basic or NTLM as the authentication method, type the User name, User domain, and Password for connections to the HTTP proxy server.
Add Trusted Email Forwarders to Improve Spam Score
Accuracy
Part of the spam score for an email message is calculated using the IP address of the server that the message was received from. If an email forwarding service is used, the IP address of the forwarding server is used to calculate the spam score. Because the forwarding server is not the initial source email server, the spam score can be inaccurate.
To improve spam scoring accuracy, you can enter one or more host names or domain names of email servers that you trust to forward email to your email server. If you use SMTP, enter one or more host names or domain names for SMTP email servers that you trust to forward messages to your email server. If you use POP3, enter domain names for known or commonly used POP3 providers that you trust to download messages from.
After you add one or more trusted email forwarders, spamBlocker ignores the trusted email forwarder in email message headers. The spam score is calculated using the IP address of the source email server.
1. From the spamBlocker Settings page, select the Settings tab.
2. Below the Trusted Email Forwarders list, type a host or domain name in the text box. Click
Add.
If you add a domain name, make sure you add a leading period (.) to the name, as in
.firebox.net.
3. (Optional) Repeat Step 2 to add more trusted email forwarders.
4. Click Save.
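To make concrete what "ignores the trusted email forwarder in email message headers" means for the source IP address, here is an added example that walks a message's Received headers and skips hops from the trusted forwarder list, honoring the leading-period domain convention from step 2. This is the author's own illustration of the concept, not WatchGuard's implementation; the forwarder names and sample headers are constructed.

```python
"""Pick the source server IP address for spam scoring while skipping trusted
email forwarders.  Added example, not WatchGuard code: the Received-header
walk is an illustration of the concept, and the sample headers are constructed.
"""
import re
from email import message_from_string

# A leading period marks a domain entry (every host in the domain), as the
# guide shows with .firebox.net; an entry without it names one host.
TRUSTED_FORWARDERS = [".forwarder.example", "relay.example.net"]

# "from <host> ... [<ipv4>]" as written by most MTAs in a Received header.
_RECEIVED_FROM = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)


def is_trusted_forwarder(host, trusted=TRUSTED_FORWARDERS):
    """True if host is listed, either exactly or as a member of a '.domain' entry."""
    host = host.lower().rstrip(".")
    for entry in trusted:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def scoring_source_ip(raw_message, trusted=TRUSTED_FORWARDERS):
    """Return the IP of the server that handed the message to us or, if that
    server is a trusted forwarder, the nearest earlier hop that is not.
    Received headers are newest first.  Hops recorded before an untrusted
    server cannot be verified, so the walk stops at the first untrusted hop."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        m = _RECEIVED_FROM.search(received)
        if not m:
            return None  # malformed hop: stop rather than trust older headers
        host, ip = m.group(1), m.group(2)
        if not is_trusted_forwarder(host, trusted):
            return ip
    return None


# Constructed message: our server received it from a trusted forwarder, which
# received it from the real source, mx.sender.example.
SAMPLE = """\
Received: from mail.forwarder.example (mail.forwarder.example [203.0.113.10])
    by mx.example.test with ESMTP; Mon, 12 May 2014 10:00:00 +0000
Received: from mx.sender.example (mx.sender.example [198.51.100.25])
    by mail.forwarder.example with ESMTP; Mon, 12 May 2014 09:59:00 +0000
From: someone@sender.example
Subject: hello

body
"""

if __name__ == "__main__":
    print(scoring_source_ip(SAMPLE))              # 198.51.100.25
    print(scoring_source_ip(SAMPLE, trusted=[]))  # 203.0.113.10
```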
Enable and Set Parameters for Virus Outbreak Detection (VOD)
Virus Outbreak Detection (VOD) identifies email virus outbreaks and provides protection against those viruses. By default, VOD scans inbound email messages up to a default size limit that is optimal for your Firebox or XTM device model. When you configure the parameters for VOD, you can increase or decrease the file size limit.
For information about the default and maximum scan limits for each XTM device model, see About spamBlocker Scan Limits on page 1357.
To enable and configure VOD:
1. On the spamBlocker Settings page, select the Virus Outbreak Detection tab.
2. Select the Enable Virus Outbreak Detection (VOD) check box.
3. To change the VOD file size limit, in the VOD maximum file size to scan text box, type the
new file size in kilobytes.
VOD uses the larger of the maximum file size values set for VOD or spamBlocker. If the global spamBlocker value set for the Maximum file size to scan option in the Settings tab is greater than the VOD maximum file size to scan value, VOD uses the global spamBlocker value.
For information about spamBlocker global settings, see Configure Global spamBlocker Settings on
page 1352.
In the proxy definitions for spamBlocker, you can set the actions for spamBlocker to take when a virus
is found, as described in Configure Virus Outbreak Detection Actions on page 1350.
About spamBlocker Proactive Patterns
The Proactive Patterns feature enables spamBlocker to identify and block new spam messages even before the recurrent pattern is added to the CYREN database. For example, each day new types of spam are introduced on the Internet. With Proactive Patterns enabled, spamBlocker blocks email messages that use the newly identified spam methods. When clear patterns are established for these new attacks, the pattern is added to the CYREN database.
Proactive Patterns is enabled by default. This feature requires large amounts of space while the local
database on your Firebox or XTMdevice is updated. If your device has limited memory or processor
resources, you might want to disable this feature in the spamBlocker global settings.
To disable Proactive Patterns:
1. In the spamBlocker Settings dialog box, select the General tab.
2. Clear the Enable check box.
About spamBlocker Scan Limits
spamBlocker scans each file up to a specified kilobyte count. Any additional bytes in the file are not
scanned. This allows the proxy to partially scan very large files without a large effect on performance.
The default scan limit for spamBlocker is 100 Kb for all devices except Firebox T10 and XTM 2 Series models, which have a default scan limit of 60 Kb. The minimum scan limit is 1 Kb for all Firebox and XTM device models.
The maximum scan limit is 2000 Kb for all XTM devices except Firebox T10 and XTM 2 Series models, which have a maximum scan limit of 60 Kb.
Create Rules for Your Email Reader
To use the Tag action in spamBlocker, it is best to configure your email reader to sort messages. With
most email readers, such as Outlook, Gmail, and Mac Mail, you can set rules that automatically send
email messages with tags to a subfolder. Some email readers also let you create a rule to
automatically delete the message.
Because you can use a different tag for each spamBlocker category, you can set a different rule for
each category. For example, you can set one rule to move any email message with the
***SUSPECT*** tag in the subject line to a Suspect subfolder in your Inbox. You can set another rule
that deletes any email message with the ***SPAM*** tag in the subject line.
For instructions on how to configure the Microsoft Outlook email client, see Send Spam to an Outlook Folder on page 1358. For information about how to use this procedure on other types of email clients, look at the user documentation for those products.
If you use spamBlocker with the SMTP proxy, you can have spam email sent to the Quarantine Server. For more information on the Quarantine Server, see About the Quarantine Server on page 1467.
Send Spam to an Outlook Folder
This procedure shows you the steps to create rules for spamand suspect email in Microsoft Outlook.
You can have email with a spam or suspect tag delivered directly to special folders in Outlook.
When you create these folders, you keep possible spamemail out of your usual Outlook folders, but
you can get access to the email if it becomes necessary.
Before you start, make sure that you configure spamBlocker to add a tag for confirmed spamand
suspect spamcategories. You can use the default tags, or create customtags. The steps below
describe how to create folders with the default tags.
1. From your Outlook Inbox, select Tools > Rules and Alerts.
2. Click New Rule to start the Rules wizard.
3. Select Start from a blank rule.
4. Select Check messages when they arrive. Click Next.
5. Select the condition check box: with specific words in the subject. Then, in the bottom pane,
edit the rule description by clicking specific.
6. In the Search Text dialog box, type the spam tag as ***SPAM***. If you use a custom tag, type
it here instead.
7. Click Add and then click OK.
8. Click Next.
9. The wizard asks what you want to do with the message. Select the move it to the specified
folder check box. Then, in the bottom pane, click specified to select the destination folder.
10. In the Choose a Folder dialog box, click New.
11. In the folder name field, type Spam. Click OK.
12. Click Next two times.
13. To complete the rule setup, type a name for your spam rule and click Finish.
14. Click Apply.
Repeat these steps to create a rule for suspect email, using the ***SUSPECT*** email tag. You can
send suspected spam email to the same folder, or create a separate folder.
spamBlocker
1358 Fireware XTM Web UI
Monitor spamBlocker Statistics
To see statistics on current spamBlocker activity in the Web UI, select Dashboard > Subscription
Services. For more information, see About the Dashboard and System Status Pages.
You can also use Firebox System Manager and the WatchGuard Report Server to monitor
spamBlocker statistics. For more information, see the WatchGuard System Manager Help.
Report False Positives or Missed Spam
A false positive is a legitimate email message that spamBlocker incorrectly identifies as spam. A
false negative, or missed spam, is a spam message that spamBlocker does not identify as spam. If
you find a false positive or false negative email message, you can send feedback to WatchGuard.
You can also send feedback directly to the CYREN (formerly Commtouch) data center, including
feedback about a false positive for a solicited bulk email message. This is a message that
spamBlocker identifies as bulk email when a user actually requested the email message.
Do not send a report about a false positive when the email is assigned to the Suspect
category. Because this is not a permanent category, CYREN does not investigate
error reports for suspected spam.
Send Feedback to CYREN
You must have access to the email message to send a false positive or false negative report to
CYREN. You must also know the category (Confirmed Spam or Bulk) into which spamBlocker put the
email message. To find the category, configure a spamBlocker action to add a subject tag, and use a
unique sequence of characters that spamBlocker adds to the beginning of the email subject line.
To report a false positive or false negative:
1. Save the email as a .msg or .eml file.
You cannot simply forward the initial email message, because CYREN needs the original email
headers, which a normal forward does not include. If you use email software such as Microsoft
Outlook or Mozilla Thunderbird, you can drag-and-drop the email message into a folder on your
computer desktop. If you use email software that does not have drag-and-drop functionality, use
the software menu Save As option to save the email message to a folder.
2. Create a new email message addressed to:
reportfp@blockspam.biz for false positives
reportfn@blockspam.biz for false negatives
reportso@blockspam.biz for false positive solicited bulk email
3. In the subject line of your email message type:
FP Report <Your Company Name> <Date of submission> for false positives
FN Report <Your Company Name> <Date of submission> for false negatives
FP Report <Your Company Name> <Date of submission> for false positive
solicited bulk email
4. Attach the .msg or .eml file to the email message and send the message.
If you have many messages to send to CYREN, you can put them all into one ZIP file. Do not put the
ZIP file into another ZIP archive. The ZIP file can be compressed to only one level for CYREN to
analyze it automatically.
Report Feedback About a Confidential Message
If you want to send a report to CYREN, but you cannot send the initial email message because the
information in the message is confidential, you can send the RefID record from the email header
instead. The RefID record is the reference number for the transaction between the Firebox or
XTM device and the CYREN Detection Center.
spamBlocker adds an X-WatchGuard-Spam-ID header to each email. For example:
X-WatchGuard-Spam-ID: 0001.0A090202.43674BDF.0005-G-gg8BuArWNRyK9/VKO3E51A==
The long sequence of numbers and letters after the X-WatchGuard-Spam-ID: part of the header is the
RefID record.
Copy the RefID record from the header and paste it in the body of your email message. To send a
report about more than one email message, put each RefID record on a separate line.
To see email headers if you use Microsoft Outlook:
1. Open the email message in a new window, or select it in Outlook.
2. If you open the email in a separate window, select View > Options.
If you select the email in Outlook, right-click the email message and select Options.
The header appears at the bottom of the Message Options window.
To see email headers if you use Microsoft Outlook Express:
1. Open the email message in a new window, or select it in Outlook Express.
2. If you open the email in a separate window, select File > Properties.
If you select the email in Outlook Express, right-click the email and select Properties.
3. To view the headers, select the Details tab.
Find the Category a Message is Assigned To
Message tags are the only indication of which category a message is assigned to. Change the action
to Add subject tag and use a unique sequence of characters, which spamBlocker adds to the beginning
of the email subject line. For more information on how to use spamBlocker tags, see spamBlocker
Actions, Tags, and Categories.
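The sorting and reporting steps in the sections above translate directly to a small script when you have many tagged messages to process. The following Python helpers are an added example for this guide, not code from WatchGuard or from the spamBlocker product: they file messages by the spamBlocker subject tag, extract the RefID record from the X-WatchGuard-Spam-ID header for a confidential report, and skip Suspect messages, which CYREN does not investigate. The ***SPAM*** and ***SUSPECT*** tags are the spamBlocker defaults; the ***BULK*** tag, the folder names, and the sample messages (including their RefID values) are constructed for the example.

```python
"""Client-side helpers for spamBlocker-tagged mail (added example, not WatchGuard code)."""
from email import message_from_string
from email.message import Message
from typing import Iterable, List, Optional

# Subject tag -> spamBlocker category. ***SPAM*** and ***SUSPECT*** are the
# default tags; ***BULK*** is an assumed tag for the Bulk category. Change
# these if you configured custom tags on the XTM device.
TAGS = {
    "***SPAM***": "Confirmed Spam",
    "***SUSPECT***": "Suspect",
    "***BULK***": "Bulk",
}

# Category -> destination folder, mirroring the Outlook rules in the guide.
# The folder names are an assumption made for the example.
FOLDERS = {"Confirmed Spam": "Spam", "Suspect": "Suspect", "Bulk": "Bulk"}

REFID_HEADER = "X-WatchGuard-Spam-ID"


def category_of(msg: Message) -> Optional[str]:
    """Return the spamBlocker category from the subject tag, or None if untagged.

    spamBlocker puts the tag at the beginning of the subject line, so the tag
    is only accepted there: a reply whose subject quotes "***SPAM***" later in
    the line is left alone instead of being filed as spam.
    """
    subject = (msg.get("Subject") or "").lstrip()
    for tag, category in TAGS.items():
        if subject.startswith(tag):
            return category
    return None


def folder_for(msg: Message) -> str:
    """Folder the message belongs in; untagged mail stays in the Inbox."""
    category = category_of(msg)
    return FOLDERS[category] if category else "Inbox"


def refid_of(msg: Message) -> Optional[str]:
    """RefID record: the value of the X-WatchGuard-Spam-ID header, if present."""
    value = msg.get(REFID_HEADER)
    return value.strip() if value else None


def reportable(msg: Message) -> bool:
    """CYREN investigates Confirmed Spam and Bulk reports, not Suspect ones."""
    return category_of(msg) in ("Confirmed Spam", "Bulk")


def build_refid_report(messages: Iterable[Message]) -> str:
    """Body text for a confidential report: one RefID per line.

    Suspect messages and messages without the header are skipped.
    """
    lines: List[str] = []
    for msg in messages:
        refid = refid_of(msg)
        if reportable(msg) and refid:
            lines.append(refid)
    return "\n".join(lines)


# Constructed sample messages (not real mail). The RefID values copy the
# shape of the header example in the guide but are made up.
SAMPLES = [message_from_string(raw) for raw in (
    "Subject: ***SPAM*** Cheap watches\n"
    "X-WatchGuard-Spam-ID: 0001.0A090202.43674BDF.0005-G-AAAAAAAAAAAAAAAAAAAAAA==\n"
    "\nbody\n",
    "Subject: ***SUSPECT*** Invoice attached\n"
    "X-WatchGuard-Spam-ID: 0001.0A090202.43674BDF.0006-G-BBBBBBBBBBBBBBBBBBBBBB==\n"
    "\nbody\n",
    "Subject: Re: why was ***SPAM*** added to my message?\n"
    "\nbody\n",
)]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(f"{folder_for(msg):8} {msg['Subject']}")
    print("RefIDs to report:\n" + build_refid_report(SAMPLES))
```

To use this against saved .eml files, open each file and pass it to email.message_from_file instead of message_from_string; the header lookups are the same.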
27 Reputation Enabled Defense
About Reputation Enabled Defense
You can use the Reputation Enabled Defense (RED) security subscription to increase the performance
and enhance the security of your XTM device.
Reputation Enabled Defense is not supported on Firebox X e-Series models.
WatchGuard RED uses a cloud-based WatchGuard reputation server that assigns a reputation score
between 1 and 100 to every URL. When a user goes to a web site, RED sends the requested web
address (or URL) to the WatchGuard reputation server. The WatchGuard server responds with a
reputation score for that URL. Based on the reputation score, and on locally configured thresholds,
RED determines whether the XTM device should drop the traffic, allow the traffic and scan it locally
with Gateway AV, or allow the traffic without a local Gateway AV scan. This increases performance,
because Gateway AV does not need to scan content from URLs with a known good or bad reputation.
Reputation Thresholds
There are two reputation score thresholds you can configure:
- Bad reputation threshold: If the score for a URL is higher than the Bad reputation threshold,
the HTTP proxy denies access without any further inspection.
- Good reputation threshold: If the score for a URL is lower than the Good reputation
threshold and Gateway AntiVirus is enabled, the HTTP proxy bypasses the Gateway AV scan.
If the score for a URL is equal to or between the configured reputation thresholds and Gateway AV is
enabled, the content is scanned for viruses.
Reputation Scores
The reputation score for a URL is based on feedback collected from devices around the world. It
incorporates scan results from two leading anti-malware engines: Kaspersky and AVG. It also includes
data from other leading sources of malware intelligence for the web.
A reputation score closer to 100 indicates that the URL is more likely to contain a threat. A score closer
to 1 indicates that the URL is less likely to contain a threat. If the RED server does not have a previous
score for a web address, it assigns a neutral score of 50. The reputation score changes from the default
score of 50 based on a number of factors.
These factors can cause the reputation score of a URL to increase, or move toward a score of 100:
- Negative scan results
- Negative scan results for a referring link
These factors can cause the reputation score of a URL to decrease, or move toward a score of 1:
- Multiple clean scans
- Recent clean scans
Reputation scores can change over time. For increased performance, the XTM device stores the
reputation scores for recently accessed web addresses in a local cache.
Reputation Lookups
The XTM device uses UDP port 10108 to send reputation queries to the WatchGuard reputation server.
UDP is a best-effort service. If the XTM device does not receive a response to a reputation query soon
enough to make a decision based on the reputation score, the HTTP proxy does not wait for the
response, but instead processes the HTTP request normally. In this case the content is scanned
locally if Gateway AV is enabled.
A reputation score of -1 means that your device did not get a response soon enough
to make a decision based on the reputation score.
Reputation lookups are based on the domain and URL path, not just the domain. Parameters after
escape or operator characters, such as & and ?, are ignored.
For example, for the URL:
http://www.example.com/example/default.asp?action=9&parameter=26
the reputation lookup is:
http://www.example.com/example/default.asp
Reputation Enabled Defense does not do a reputation lookup for sites added to the HTTP Proxy
Exceptions list of the HTTP proxy action.
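The threshold rules, the neutral score of 50, the -1 no-response case, the query-string stripping, and the proxy-exception bypass described above fit together in one small decision function. The following Python code is an added example written for this page; it is not WatchGuard code and not the XTM device's implementation. The threshold values (90 and 10), the exception host name, and the score table that stands in for the reputation server are assumptions made for the example, since the guide documents the settings but not their default values.

```python
"""Reputation Enabled Defense decision model (added example, not WatchGuard code)."""
from typing import Dict
from urllib.parse import urlsplit, urlunsplit

NO_RESPONSE = -1    # the guide's score for "no reply from the reputation server in time"
NEUTRAL = 50        # score for a URL the server has not seen before

# Assumed threshold values; the guide documents the settings but not their defaults.
BAD_THRESHOLD = 90
GOOD_THRESHOLD = 10

# Assumed HTTP Proxy Exceptions list: host names the proxy does not look up.
PROXY_EXCEPTIONS = {"updates.example-av.test"}


def lookup_key(url: str) -> str:
    """Normalize a URL the way the guide describes the lookup.

    Scheme, host and path are kept; the query string (everything after '?',
    including '&'-separated parameters) and any fragment are dropped.
    """
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def is_exception(url: str) -> bool:
    """True if the host is on the (assumed) HTTP Proxy Exceptions list."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in PROXY_EXCEPTIONS


def decide(score: int, gav_enabled: bool,
           bad: int = BAD_THRESHOLD, good: int = GOOD_THRESHOLD) -> str:
    """Map one reputation score to 'deny', 'scan' or 'allow'.

    score > bad            -> deny, no further inspection
    score < good, GAV on   -> allow without the Gateway AV scan
    good <= score <= bad   -> scan locally (GAV on)
    score == -1 (no reply) -> handle the request as if RED were absent
    With Gateway AV off only the deny decision has any effect.
    """
    if bad <= good:
        raise ValueError("bad threshold must be above the good threshold")
    if score == NO_RESPONSE:
        return "scan" if gav_enabled else "allow"
    if not 1 <= score <= 100:
        raise ValueError(f"reputation score out of range: {score}")
    if score > bad:
        return "deny"
    if not gav_enabled or score < good:
        return "allow"
    return "scan"


def handle_request(url: str, scores: Dict[str, int], gav_enabled: bool = True) -> str:
    """Simulate the HTTP proxy's handling of one request.

    `scores` stands in for the reputation server: lookup key -> score. A key
    that is absent yields the neutral score; NO_RESPONSE models a lost UDP reply.
    """
    if is_exception(url):
        # No reputation lookup for exception sites. Per the guide's note on
        # third-party antivirus updates, such traffic also bypasses the
        # proxy's content scanning.
        return "allow"
    score = scores.get(lookup_key(url), NEUTRAL)
    return decide(score, gav_enabled)


if __name__ == "__main__":
    # Constructed score table for the demonstration.
    table = {"http://www.example.com/example/default.asp": 97,
             "http://cdn.example.org/lib.js": 3,
             "http://slow.example.net/": NO_RESPONSE}
    for u in ("http://www.example.com/example/default.asp?action=9&parameter=26",
              "http://cdn.example.org/lib.js", "http://slow.example.net/",
              "http://never-seen.example/", "http://updates.example-av.test/sigs"):
        print(f"{handle_request(u, table):5} {u}")
```

The point to take from the model is the fallback path: a blocked UDP port or a slow reputation server never causes a deny; it silently turns every request into a local Gateway AV scan, so a RED deployment without Gateway AV that stops receiving replies provides no protection at all.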
Reputation Enabled Defense Feedback
If Gateway AntiVirus is enabled, you can choose whether to send the results of local Gateway AV
scans to the WatchGuard server. You can also choose to upload Gateway AV scan results to
WatchGuard even if Reputation Enabled Defense is not enabled or licensed on your device. All
communications between your network and the Reputation Enabled Defense server are encrypted.
We recommend that you enable the upload of local scan results to WatchGuard to improve the overall
coverage and accuracy of Reputation Enabled Defense.
Configure Reputation Enabled Defense
You can enable Reputation Enabled Defense (RED) to increase the security and performance of HTTP
proxy policies, when used with Gateway AntiVirus.
If you enable Reputation Enabled Defense for an HTTP proxy policy that also has Gateway AntiVirus
enabled, Reputation Enabled Defense can improve overall performance, because the HTTP proxy
skips the Gateway AV scan for sites with a known good or bad reputation.
If you enable Reputation Enabled Defense for an HTTP proxy policy that does not have Gateway
AntiVirus enabled, the HTTP proxy still does a reputation score lookup for each URL, and blocks sites
that have a bad reputation. But because no Gateway AV scan is avoided, there is no performance
benefit, and HTTP proxy performance could be slower than without Reputation Enabled Defense
enabled.
For best effectiveness and performance, we recommend that you enable both Reputation Enabled
Defense and Gateway AntiVirus in your HTTP proxy action.
Before You Begin
Reputation Enabled Defense is a subscription service. Before you can configure RED, you must Get a
Feature Key for Your XTM Device on page 63 and Manually Add a Feature Key to Your XTM Device on
page 67.
The XTM device sends reputation queries over UDP port 10108. Make sure this port
is open between your XTM device and the Internet. If the port is blocked, every query
times out with a score of -1 and the HTTP proxy handles each request as if RED were
not enabled, so you get none of the protection or performance benefit.
Before you can configure Reputation Enabled Defense for the HTTP proxy policy, you must configure
the policy to use a user-defined proxy action. To create a user-defined proxy action, you can clone the
default (predefined) proxy action, and then apply that to your proxy policy.
To find the proxy action your policy uses:
1. Select Firewall > Firewall Policies.
2. Select the proxy policy, and from the Action menu, select Edit Policy.
The Policy Configuration page appears.
3. Select the Proxy Action tab.
The Proxy Action for the policy appears at the top.
4. Verify whether the proxy action is a predefined or user-defined proxy action.
For more information about proxy actions, see About Proxy Actions.
If the proxy policy uses a predefined proxy action, you must clone the proxy action before you can
enable subscription services for the proxy policy. You can clone the proxy action in the Proxy Action
tab when you edit the proxy policy.
1. From the Proxy Action drop-down list, select Clone the current proxy action.
2. Type a new name for the cloned proxy action, or use the default name.
3. Edit the proxy action.
For more information, see About Proxy Actions.
4. Click Save.
Configure Reputation Enabled Defense for a Proxy Action
1. Select Subscription Services > Reputation Enabled Defense.
The Reputation Enabled Defense configuration page appears with a list of HTTP proxy actions.
2. Select a user-defined HTTP proxy action. Click Configure. You cannot configure Reputation
Enabled Defense settings for predefined proxy actions.
The Reputation Enabled Defense configuration settings for that proxy action appear.
3. Select the Immediately block URLs that have a bad reputation check box to block access
to sites that score higher than the configured Bad reputation threshold.
4. Select the Bypass any configured virus scanning for URLs that have a good reputation
check box to have Gateway AntiVirus not scan sites that have a score lower than the
configured Good reputation threshold.
5. To trigger an alarm for an action, select the Alarm check box for that RED action. To disable
the alarm, clear the Alarm check box for that action.
6. To record log messages for an action, select the Log check box for that RED action. If you do
not want to record log messages for a RED response, clear the Log check box for that action.
If you want a Reputation Enabled Defense action to appear in reports you generate from WatchGuard
Log and Report Manager, make sure that you:
- select the Log check box for the Reputation Enabled Defense action
- select the Enable logging for reports check box in the General settings of the HTTP proxy
action
For more information about WatchGuard Log and Report Manager, see the WatchGuard System
Manager Fireware XTM Help available at http://www.watchguard.com/help/documentation/.
Configure the Reputation Thresholds
You can change the reputation thresholds in the Advanced settings.
1. On the Reputation Enabled Defense settings page, click Advanced.
The Advanced Settings dialog box appears.
2. In the Bad reputation threshold text box, type or select the threshold score for bad reputation.
The proxy can block access to sites with a reputation higher than this threshold.
3. In the Good reputation threshold text box, type or select the threshold score for good
reputation.
The proxy can bypass a Gateway AntiVirus scan for sites with a reputation score lower than this
threshold.
4. Click Restore Defaults if you want to reset the reputation thresholds to the default values.
5. Click OK.
Send Gateway AV Scan Results to WatchGuard
When you enable Reputation Enabled Defense, the default configuration allows your XTM device to
send the results of local Gateway AntiVirus scans to WatchGuard servers. This action helps to
improve Reputation Enabled Defense results for all Fireware XTM users. If you have Gateway
AntiVirus, but do not have Reputation Enabled Defense, you can still send Gateway AntiVirus scan
results to WatchGuard.
To see or change the feedback setting, select Subscription Services > Reputation Enabled
Defense.
The Send encrypted scan results to WatchGuard servers to improve overall coverage and
accuracy check box controls whether the XTM device sends results of Gateway AntiVirus scans to
the WatchGuard servers. This check box is selected by default when you configure Reputation
Enabled Defense.
- Select this check box to send Gateway AntiVirus scan results to WatchGuard.
- Clear this check box if you do not want to send Gateway AntiVirus scan results.
We recommend that you allow the XTM device to send anti-virus scan results to WatchGuard. This
can help improve performance, because the scan results help to improve the accuracy of the reputation
scores. All feedback sent to the WatchGuard Reputation Enabled Defense service is encrypted.
28 Gateway AntiVirus
About Gateway AntiVirus
Hackers use many methods to attack computers on the Internet. Viruses and worms are malicious
computer programs that self-replicate and put copies of themselves into other executable code or
documents on your computer; Trojans are malicious programs disguised as legitimate software. When
a computer is infected, the malware can destroy files or record key strokes.
To help protect your network from viruses, you can purchase the Gateway AntiVirus subscription
service. Gateway AntiVirus operates with the SMTP, POP3, HTTP, FTP, and TCP-UDP proxies.
When a new attack is identified, the features that make the virus unique are recorded. These recorded
features are known as the signature. Gateway AV uses these signatures to find viruses when content
is scanned by the proxy.
When you enable Gateway AV for a proxy, Gateway AV scans the content types configured for that
proxy. Gateway AV can scan these compressed file types: .zip, .gzip, .tar, .jar, .rar, .chm, .lha, .pdf,
XML/HTML container, OLE container (Microsoft Office documents), MIME (mainly email messages in
EML format), .cab, .arj, .ace, .bz2 (Bzip), .swf (Flash; limited support).
WatchGuard cannot guarantee that Gateway AV can stop all viruses, or prevent
damage to your systems or networks from a virus.
You can see statistics on current Gateway AntiVirus activity on the Dashboard > Subscription
Services page as described in Subscription Services Status and Manual Signatures Updates on page
112.
Install and Upgrade Gateway AV
To install Gateway AntiVirus, you must Get a Feature Key for Your XTM Device on page 63 and
Manually Add a Feature Key to Your XTM Device on page 67.
New viruses appear on the Internet frequently. To make sure that Gateway AV gives you the best
protection, you must update the signatures frequently. You can configure the XTM device to update the
signatures automatically from WatchGuard, as described in Configure the Gateway AV Update Server
on page 1379. To see your signature update status or force a manual update, see Subscription
Services Status and Manual Signatures Updates.
About Gateway AntiVirus and Proxy Policies
Gateway AV can work with the WatchGuard SMTP, POP3, HTTP, FTP, and TCP-UDP proxies.
When you enable Gateway AV, these proxies examine various types of traffic and perform an action
that you specify, such as to drop the connection or to block the packet and add its source address to
the Blocked Sites list.
Gateway AV scans different types of traffic according to which proxy policies you use the feature with:
- SMTP or POP3 proxy: Gateway AV looks for viruses and intrusions encoded with frequently
used email attachment methods. You can also use Gateway AV and the SMTP proxy to send
virus-infected email to the Quarantine Server. For more information, see About the Quarantine
Server on page 1467 and Configure Gateway AntiVirus to Quarantine Email on page 1377.
- HTTP proxy: Gateway AV looks for viruses in web pages that users try to download and files
that users upload to web pages.
- TCP-UDP proxy: This proxy scans traffic on dynamic ports. It recognizes traffic for several
different types of proxies, including HTTP and FTP. The TCP-UDP proxy then sends traffic to
the appropriate proxy to scan for viruses or intrusions.
- FTP proxy: Gateway AV looks for viruses in uploaded or downloaded files.
Each proxy that uses Gateway AV is configured with options that are specific to that proxy. For
example, the categories of items you can scan are different for each proxy.
For all proxies, you can limit file scanning to a specified kilobyte count. The default scan limit and
maximum scan limit are different for each XTM device model. The XTM device scans the start of
each file up to the specified kilobyte count. This allows large files to pass with partial scanning, which
also means that malicious content placed beyond the scan limit is not detected.
For more information about the default and maximum scan limits for each XTM device model, see
About Gateway AntiVirus Scan Limits on page 1377.
To make sure Gateway AV has current signatures, you can enable automatic
updates for the Gateway AV server, as described in Configure the Gateway AV
Update Server on page 1379.
Configure the Gateway AntiVirus Service
You can configure Gateway AV to work with the WatchGuard SMTP, POP3, HTTP, FTP, and
TCP-UDP proxies.
Before You Begin
Before you enable the Gateway AntiVirus Service, you must:
1. Get a Gateway AV feature key. Contact your WatchGuard reseller or go to the WatchGuard
LiveSecurity web site at: http://www.watchguard.com/store.
2. Manually Add a Feature Key to Your XTM Device.
Before you can configure the Gateway AntiVirus service for a proxy policy, you must configure the
policy to use a user-defined proxy action. To create a user-defined proxy action, you can clone the
default (predefined) proxy action, and then apply that proxy action to the proxy policy.
To find the proxy action your policy uses:
1. Select Firewall > Firewall Policies.
2. Select the proxy policy, and from the Action menu, select Edit Policy.
The Policy Configuration page appears.
3. Select the Proxy Action tab.
The Proxy Action for the policy appears at the top.
4. Verify whether the proxy action is a predefined or user-defined proxy action.
For more information about proxy actions, see About Proxy Actions.
If the proxy policy uses a predefined proxy action, you must clone the proxy action before you can
enable subscription services for the proxy policy. You can clone the proxy action in the Proxy Action
tab when you edit the proxy policy.
1. From the Proxy Action drop-down list, select Clone the current proxy action.
2. Type a new name for the cloned proxy action, or use the default name.
3. Edit the proxy action.
For more information, see About Proxy Actions.
4. Click Save.
Configure the Gateway AntiVirus Service
1. Select Subscription Services > Gateway AV.
The Gateway AV page appears.
2. To update global settings, click Settings and Update Gateway AntiVirus Settings.
3. To configure actions for a specific proxy action, select a user-defined proxy action and click
Configure. You cannot configure Gateway AntiVirus for a predefined proxy action.
The Gateway AntiVirus settings for that proxy action appear.
4. Configure the Gateway AV settings as described in Configure Gateway AntiVirus Actions.
Configure Gateway AntiVirus Actions
When you enable Gateway AntiVirus, you must set the actions to be taken if a virus or error is found in
an email message (SMTP or POP3 proxies), web page download or upload post (HTTP proxy), or
uploaded or downloaded file (FTP proxy). When Gateway AntiVirus is enabled, it scans each file up to
a specified kilobyte count. Any additional bytes in the file are not scanned. This allows the proxy to
partially scan very large files without a large effect on performance.
The options for antivirus actions are:
Allow
Allows the packet to go to the recipient, even if the content contains a virus.
Deny
(FTP proxy only)
Denies the file and sends a deny message.
Lock
(SMTP and POP3 proxies only)
Locks the attachment. This is a good option for files that cannot be scanned by the XTM device.
A file that is locked cannot be opened easily by the user. Only the administrator can unlock the
file. The administrator can use a different antivirus tool to scan the file and examine the content
of the attachment.
Quarantine
(SMTP proxy only)
When you use the SMTP proxy with the Gateway AntiVirus security subscription, you can send
email messages with viruses, or possible viruses, to the Quarantine Server. The SMTP proxy
removes the message part in which the virus was detected and sends the modified message to
the recipient. The removed message part is replaced with the deny message configured in the
proxy.
For more information on the Quarantine Server, see About the Quarantine Server on page 1467.
For information on how to set up Gateway AntiVirus to work with the Quarantine Server, see
Configure Gateway AntiVirus to Quarantine Email on page 1377.
Remove
(SMTP and POP3 proxies only)
Removes the attachment and sends the rest of the message to the recipient. Replaces the
removed attachment with the deny message configured in the proxy.
Drop
(Not supported in POP3 proxy)
Drops the packet and drops the connection. No information is sent to the source of the
message.
Block
(Not supported in POP3 proxy)
Blocks the packet, and adds the IP address of the sender to the Blocked Sites list.
Configure Gateway AntiVirus Actions for a Proxy Action
1. Select Subscription Services > Gateway AV.
The Gateway AV configuration page appears.
2. Select a user-defined proxy action and click Configure. You cannot modify Gateway AntiVirus
settings for predefined proxy actions.
The Gateway AntiVirus configuration settings for that proxy action appear.
3. To enable Gateway AntiVirus for this proxy action, select the Enable Gateway AntiVirus
check box.
4. From the When a virus is detected drop-down list, select the action the XTM device takes if a
virus is detected in an email message, file, web page, or web upload. See the beginning of this
section for a description of the actions.
5. From the When a scan error occurs drop-down list, select the action the XTM device takes
when it cannot scan an object or an attachment. Attachments that cannot be scanned include
binhex-encoded messages, certain encrypted files, or files that use a type of compression that
Gateway AV does not support, such as password-protected Zip files. See the beginning of this
section for a description of the actions. Choose this action deliberately: if you select Allow,
content that could not be scanned passes through unscanned.
6. To create log messages for the action, select the Log check box for the antivirus response. If
you do not want to record log messages for an antivirus response, clear the Log check box.
7. To trigger an alarm for the action, select the Alarm check box for the antivirus response. If you
do not want to set an alarm, clear the Alarm check box for that action.
8. In the Limit scanning to first text box, type the file scan limit.
For information about the default and maximum scan limits for each XTM device model, see
About Gateway AntiVirus Scan Limits on page 1377.
If you enable DLP and Gateway AV for the same proxy action, the larger configured
scan limit is used for both services.
Configure Alarm Notifications for Antivirus Actions
You can configure an alarm notification to tell users when a proxy rule applies to network traffic. If you
enable alarms for a proxy antivirus action, you must also configure the type of alarm to use in the proxy
policy.
To configure the alarm type to use for a proxy policy:
1. Select Firewall > Firewall Policies.
2. Double-click a policy to edit it.
3. Select the Properties tab.
4. Configure the notification settings as described in Set Logging and Notification Preferences on
page 882.
Configure Gateway AntiVirus to Quarantine Email
The WatchGuard Quarantine Server provides a safe, full-featured quarantine mechanism for any email
messages suspected or known to contain viruses. The Quarantine Server receives email messages
from the SMTP proxy.
To configure Gateway AntiVirus to quarantine email:
1. When you configure Gateway AntiVirus (as described in Configure Gateway AntiVirus Actions
on page 1372), make sure you enable Gateway AntiVirus for the SMTP proxy. The
POP3 proxy does not support the Quarantine Server.
2. When you set the actions spamBlocker applies for different categories of email (as described in
Configure spamBlocker on page 1345), make sure you select the Quarantine action for at least
one of the categories. When you select this action, you are prompted to configure the
Quarantine Server if you have not already done so.
You can also select the Quarantine action for email messages that Virus Outbreak Detection
identifies as containing viruses. For more information, see Configure Virus Outbreak Detection
Actions on page 1350.
About Gateway AntiVirus Scan Limits
Gateway AntiVirus scans each file up to a specified kilobyte count. Any additional bytes in the file are
not scanned. This allows the proxy to partially scan very large files without a large effect on
performance. The minimum Gateway AntiVirus scan limit is 10 KB for all XTM devices. The default
and maximum scan limits vary by XTM device model. The default scan limit for most Firebox and XTM
devices is 1024 KB. The Firebox T10 and XTM 2 Series have a default of 512 KB.
Most malware is delivered in files smaller than 1 MB in size. Larger files are less likely to spread
quickly in a viral manner. We recommend that you use the default scan limit setting. If you increase the
scan limit, Gateway AntiVirus scans larger files (or larger parts of files), but it could result in fewer
concurrent connections through the appliance, because the available memory is constant. If you
decrease the scan limit, we recommend that you do not set it to a value lower than 256 KB.
If you enable DLP and Gateway AV for the same proxy action, the larger configured
scan limit is used for both services.
For information about how to set the scan limit, see Configure Gateway AntiVirus Actions on page
1372.
Update Gateway AntiVirus Settings
The XTM device has Gateway AntiVirus settings that are used regardless of which proxy Gateway
AntiVirus is configured to work with. For more information, see Configure Gateway AV Decompression
Settings on page 1378.
It is important to keep the signatures for Gateway AntiVirus and the Intrusion Prevention Service
current. Do not assume that automatic signature updates are enabled; verify the setting on your
device. You can update the signatures in two ways:
- Configure the Gateway AV Update Server to enable automatic updates
- Update the signatures manually in Firebox System Manager, as described in Subscription
Services Status and Manual Signatures Updates on page 112.
If You Use a Third-Party Antivirus Client
If you use a third-party antivirus service on computers that are protected by your XTM device, you
could have problems with updates for the third-party service. When the client for that secondary
service tries to update its signature database on port 80, the WatchGuard Gateway AV service,
working through the HTTP proxy, recognizes the signatures and strips them before they download to
the client. The secondary service cannot update its database. To avoid this problem, you must add
HTTP-Proxy: Exceptions to the policy that denies the update traffic. You must know the host name of
the third-party signature database. Then you can add that host name as an allowed exception. Add
only the specific update host, not a broad wildcard, because traffic to an exception host bypasses the
proxy's inspection entirely.
Configure Gateway AV Decompression Settings
Gateway AV can scan inside compressed files if you enable decompression in the Gateway AV
configuration settings.
1. Fromthe Fireware XTMWeb UI, select Subscription Services > Gateway AV.
The Gateway AV configuration page appears.
2. Click Settings.
The Gateway AV Global Settings page appears.
3. To scan inside compressed attachments, select the Enable Decompression check box.
Select or type the number of compression levels to scan. If you enable decompression, we
recommend that you keep the default setting of three levels, unless your organization must use
a larger value. If you specify a larger number, your XTM device could send traffic too slowly.
Gateway AntiVirus supports up to six levels. If Gateway AntiVirus detects that the archive
depth is greater than the value set in this field, it will generate a scan error for the content.
Compressed attachments that cannot be scanned include encrypted files or files that use a type
of compression that we do not support, such as password-protected Zip files. To set the action
for the XTM device when it finds a message it cannot scan, select an action for When a scan
error occurs in the General category of the policy configuration.
4. Click Restore Defaults if you want to reset the user interface to default settings.
5. Click Save.
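To make the decompression-level rule above concrete, here is an added Python example (not WatchGuard's code) that walks nested zip archives the way the setting describes: archives nested deeper than the configured levels (default 3, maximum 6) produce a scan error, as do password-protected members. The signature check is a constructed placeholder marker, and mark_encrypted is a test aid that only flips the zip "encrypted" flag bit on constructed data.

```python
import io
import zipfile

DEFAULT_LEVELS = 3   # the guide's recommended default
MAX_LEVELS = 6       # the deepest nesting Gateway AV supports

# Constructed marker that stands in for a real antivirus signature.
PLACEHOLDER_SIGNATURE = b"EICAR-TEST-MARKER"


def scan_bytes(data: bytes, levels: int = DEFAULT_LEVELS, depth: int = 0) -> str:
    """Return "clean", "infected" or "scan_error" for a payload.

    `levels` is the number of compression levels the scanner may open.
    `depth` is how many archives were already opened to reach `data`.
    """
    if not 1 <= levels <= MAX_LEVELS:
        raise ValueError(f"levels must be between 1 and {MAX_LEVELS}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Plain content: apply the (placeholder) signature check.
        return "infected" if PLACEHOLDER_SIGNATURE in data else "clean"
    # Opening this archive would be compression level depth + 1.
    if depth + 1 > levels:
        return "scan_error"           # archive depth exceeds the configured levels
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # encrypted (password-protected) member
                return "scan_error"
            verdict = scan_bytes(zf.read(info), levels, depth + 1)
            if verdict != "clean":
                return verdict
    return "clean"


def make_zip(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory zip archive with one member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def nest(payload: bytes, archives: int) -> bytes:
    """Wrap payload in `archives` zip files, one inside the other."""
    for level in range(archives, 0, -1):
        payload = make_zip(f"level{level}.bin", payload)
    return payload


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' general-purpose flag bit on every central-directory
    entry so the zip library reports the members as password-protected.
    Constructed test data: the member bytes are not actually encrypted."""
    out = bytearray(zip_bytes)
    pos = out.find(b"PK\x01\x02")
    while pos >= 0:
        out[pos + 8] |= 0x01          # flags field sits at offset 8 of the CD header
        pos = out.find(b"PK\x01\x02", pos + 4)
    return bytes(out)


if __name__ == "__main__":
    sample = nest(PLACEHOLDER_SIGNATURE, 4)
    print("4-deep archive, 3 levels:", scan_bytes(sample))            # scan_error
    print("4-deep archive, 6 levels:", scan_bytes(sample, levels=6))  # infected
```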
Configure the Gateway AV Update Server
Gateway AntiVirus downloads signature updates from a signature update server. Gateway AV, IPS,
Application Control, and Data Loss Prevention all use the same signature update server. When you
configure the signature update server for any of these subscription services, the settings apply to all of
these services.
To make sure that the XTM device can connect to the update server, you must add at
least one DNS server to your network configuration. The XTM device uses DNS to
resolve the update server URL to an IP address. For more information, see Add
WINS and DNS Server Addresses.
Configure Signature Updates
1. From the Fireware XTM Web UI, select Subscription Services > Gateway AV.
2. Click Settings.
The Gateway AV settings page appears.
3. To enable automatic signature updates, select the Enable automatic update check box. This
option is enabled by default.
4. From the Interval drop-down list, enter the number of hours between automatic updates.
5. Select the Gateway AntiVirus Signatures check box to automatically update signatures at the
selected update interval.
Connect to the Update Server Through an HTTP Proxy Server
If your XTM device must connect through an HTTP proxy to get to the signature update server, you
must add information about the HTTP proxy server to your update server configuration.
1. In the HTTP Proxy Server section, select the Connect to Update server using an HTTP
proxy server check box.
2. In the Server address text box, type the IP address or host name of your HTTP proxy server.
3. Most HTTP proxy servers receive requests on port 8080. If your HTTP proxy uses a different
port, type it in the Server port field.
4. From the Server Authentication drop-down list, select the type of authentication your HTTP
proxy server uses.
• If your HTTP proxy does not require authentication, select No Auth.
• If your HTTP proxy server requires NTLM or Basic authentication, type your User name,
Domain, and Password in the text boxes.
5. Click Save.
Block Access from the Trusted Network to the Update Server
If you do not want to allow all users on your trusted network to have unfiltered access to the IP address
of the signature database, you can use an internal server on your trusted network to receive the
updates. You can create a new HTTP proxy policy with HTTP-Proxy: Exceptions or an HTTP packet
filter policy that allows traffic only from the IP address of your internal server to the signature database.
Update Signatures Manually
For information about how to see the status of Application Control signature updates, and how to
manually force an update to the most current signatures, see Subscription Services Status and Manual
Signatures Updates.
28 APT Blocker
About APT Blocker
An Advanced Persistent Threat (APT) attack is a type of network attack that uses advanced malware
and zero-day exploits to get access to networks and confidential data over extended periods of time.
APT attacks are highly sophisticated and often target specific, high-profile institutions, such as
government or financial-sector companies. Use of this advanced malware has also expanded to target
smaller networks and lower-profile organizations.
Because APT attacks use the latest targeted malware techniques and zero-day exploits (flaws that
software vendors have not yet discovered or fixed) to infect and spread within a network, traditional,
signature-based scan techniques do not provide adequate protection against these threats. APT
malware is designed to reside within a network for an extended period of time. The communication
from the malware is hidden, and all evidence of the presence of the malware is removed, which allows
it to evade detection.
APT Blocker is a subscription service that uses best-of-breed, full-system emulation analysis by
Lastline to identify the characteristics and behavior of APT malware in files and email attachments that
enter your network. APT Blocker does not use signatures like other traditional scanners, such as
antivirus programs. Files that enter your network are scanned and an MD5 hash of the file is generated.
This MD5 hash is submitted to the Lastline cloud-based data center over HTTPS. Lastline compares
the file to a database of analyzed files and immediately returns the scan results. If the analysis finds a
match to a known malware threat, you can take immediate action on the file, such as to block, drop, or
quarantine the file. Results of the file analysis are stored in a local cache so that if that same file is
processed again, the results are known immediately without the need to send the MD5 hash of the file
to the Lastline data center again.
If there is not a match to the available results of a previously analyzed file, that specific file has not
been seen or analyzed before. The file is then submitted to the Lastline data center where the file
receives deep analysis for APT activity in a next-generation sandbox environment. The analysis
occurs at the same time as the file transfer, and the connection is allowed while the device waits for
the result of the analysis. When the result is returned, if there is evidence of malware activity in the file,
your Firebox or XTM device can generate an alarm notification.
Supported Proxy Policies
APT Blocker can scan files for these proxy policies:
• HTTP-proxy
• FTP-proxy
• SMTP-proxy
Supported File Types
APT Blocker can scan these file types:
• Windows PE (Portable Executable) files
This includes files with .cpl, .exe, .dll, .ocx, .sys, .scr, .drv, and .efi extensions, for Windows XP
and Windows 7/8.
• Adobe PDF documents
• Microsoft Office documents
• Rich Text Format (RTF) documents
• Android executable files (.apk)
APT Blocker can also examine files within compressed archives. APT Blocker supports these archive
file types:
• gzip
• tar
• zip
The scan limit for APT Blocker is based on the Gateway AntiVirus scan limit. The
default scan limit is 1 MB for most Firebox and XTM devices. Firebox T10 and XTM 2
Series have a default of 512 KB. Although APT Blocker cannot scan and analyze
partial files, most malware is delivered in files smaller than 1 MB in size. Larger files
are less likely to spread quickly in a viral manner. The maximum file size allowed for
APT Blocker is 8 MB. For detailed information on scan limits, see About Gateway
AntiVirus Scan Limits. For information about how to set the scan limit, see Configure
Gateway AntiVirus Actions on page 1372.
APT Threat Levels
APT Blocker categorizes APT activity based on the severity of the threat:
• High
• Medium
• Low
All threat levels are considered malware. This rating is determined based on a score assigned to the file
when it is analyzed by Lastline. The High level indicates a higher score because more characteristics
of malware were identified in the analysis.
For each threat level, you can assign an action (Allow, Drop, Block, and Quarantine), and enable alarm,
notification, and logging settings.
WatchGuard recommends that you select the Alarm and Log options for all three threat levels in your
APT Blocker configuration.
Enable and Configure APT Blocker
To enable APT Blocker on your Firebox or XTM device, you must:
1. Get a Feature Key for Your XTM Device.
2. Manually Add a Feature Key to Your XTM Device.
3. Configure the Gateway AntiVirus Service.
4. Configure APT Blocker.
APT Blocker and Other Security Services
APT Blocker detects advanced malware that uses zero-day exploits, and combines with the other
security services on your Firebox or XTM device to provide another layer of defense against network
threats.
APT Blocker and Gateway AntiVirus
APT Blocker uses the same scan process as Gateway AntiVirus. You must have Gateway AntiVirus
enabled on your Firebox or XTM device to enable APT Blocker on the device. Then, if a proxy policy is
configured to enable Gateway AntiVirus to scan the traffic through the policy, and you enable APT
Blocker for the policy, the traffic is also scanned by APT Blocker.
Only files that have been scanned and processed as clean by Gateway AntiVirus are scanned by APT
Blocker. APT Blocker scans compatible file types if they are enabled in the Gateway AntiVirus
configuration.
About Scan Limits
APT Blocker scan limits are based on the scan limits set in the Gateway AntiVirus configuration. The
default and maximum scan limits vary by Firebox or XTM device model. Although APT Blocker cannot
scan and analyze partial files, most malware is delivered in files smaller than 1 MB in size. You can
increase the scan limit to scan larger files for increased protection, but this uses more system memory
and it could result in fewer concurrent connections through the appliance. The default scan limit for
most Firebox and XTM devices is 1 MB. Firebox T10 and XTM 2 Series have a default of 512 KB.
For information about default scan limits, see About Gateway AntiVirus Scan Limits.
For information about how to set the scan limit, see Configure Gateway AntiVirus Actions on page
1372.
APT Blocker and Reputation Enabled Defense (RED)
WatchGuard RED uses a cloud-based WatchGuard reputation server that assigns a reputation score
between 1 and 100 to every URL.
WatchGuard recommends that you do not enable the Bypass any configured virus scanning for
URLs that have a good reputation option in the Reputation Enabled Defense configuration. This
ensures that all traffic is scanned by Gateway AntiVirus and APT Blocker.
For information on this option, see Configure Reputation Enabled Defense.
APT Blocker and WebBlocker
An important defense against advanced malware is to detect botnet activity and any command and
control traffic from inside your network to external servers.
WebBlocker uses a database of web site addresses (identified by content categories) to allow or block
web site traffic. WatchGuard recommends that you configure the WebBlocker service to block traffic
for these security URL categories to detect and prevent this type of activity:
• Security
• Malicious Web Sites
• Spyware
• Phishing and Other Frauds
• Keyloggers
• Potentially Unwanted Software
• Bot Networks
• Malicious Embedded Link
• Malicious Embedded iFrame
• Suspicious Embedded Link
• Mobile Malware
• Advanced Malware Command and Control
• Elevated Exposure
• Emerging Exploits
• Potentially Damaging Content
• Dynamic DNS
For more information, see About WebBlocker.
Configure APT Blocker
You can use APT Blocker in addition to Gateway AntiVirus to provide protection against advanced
malware techniques that exploit zero-day vulnerabilities and evade traditional signature-based
scanning.
APT Blocker uses the same scan process as Gateway AntiVirus. You must enable
Gateway AntiVirus before you can enable APT Blocker for a proxy.
To use APT Blocker, you must have a feature key that enables the service.
For more information, see:
• Get a Feature Key for Your XTM Device on page 63
• Manually Add a Feature Key to Your XTM Device on page 67
APT Blocker and NTP
When you use APT Blocker, WatchGuard recommends that you enable NTP to make sure the time is
synchronized with the Lastline data center. For more information on how to enable and configure NTP,
see Enable NTP and Add NTP Servers.
Enable APT Blocker and Configure APT Blocker Actions
When you configure APT Blocker, you specify the action that APT Blocker takes for each threat level.
Options include:
Allow
Allows and delivers the file or email attachment to the recipient.
Drop
Drops the connection. For the SMTP-proxy, the attachment is stripped before the message is
delivered to the recipient.
Block
Drops the connection. For the SMTP-proxy, the attachment is stripped before the message is
delivered to the recipient. The sender or source address is added to the Blocked Sites list for 20
minutes.
Quarantine
When you use the SMTP-proxy with APT Blocker, you can send email messages to the
Quarantine Server. The SMTP-proxy removes the part of the message that triggered
APT Blocker and sends the modified message to the recipient. The removed part of the
message is replaced with the deny message that is configured in the proxy action settings.
For more information on the Quarantine Server, see About the Quarantine Server on page 1467.
For the HTTP-proxy and FTP-proxy, this action is converted to a Drop action.
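The hash lookup, local cache and sandbox flow described in About APT Blocker, together with the per-threat-level actions listed above, can be modelled end to end. The following is an added Python example, not WatchGuard's or Lastline's code: the cloud database is a constructed dictionary standing in for the Lastline service, the file samples are constructed, and treating a file larger than the scan limit as allowed is an assumption (the Gateway AV scan-limit setting governs that case on the device).

```python
import hashlib
from dataclasses import dataclass, field

SCAN_LIMIT_DEFAULT = 1024 * 1024   # 1 MB on most Firebox and XTM models
SCAN_LIMIT_SMALL = 512 * 1024      # 512 KB on Firebox T10 and XTM 2 Series
BLOCKED_SITE_SECONDS = 20 * 60     # Block adds the source to Blocked Sites for 20 minutes
THREAT_LEVELS = ("High", "Medium", "Low")


def md5_of(data: bytes) -> str:
    """The guide describes the file being identified to the cloud by its MD5 hash."""
    return hashlib.md5(data).hexdigest()


# Constructed stand-in for the cloud database of previously analyzed files.
CONSTRUCTED_CLOUD_DB = {
    md5_of(b"constructed sample: known high-severity malware"): "High",
    md5_of(b"constructed sample: known medium-severity malware"): "Medium",
    md5_of(b"constructed sample: known clean installer"): "clean",
}


@dataclass
class AptBlocker:
    actions: dict                     # threat level -> Allow | Drop | Block | Quarantine
    scan_limit: int = SCAN_LIMIT_DEFAULT
    cloud_db: dict = field(default_factory=lambda: dict(CONSTRUCTED_CLOUD_DB))
    cache: dict = field(default_factory=dict)        # md5 -> verdict, filled from results
    submitted: list = field(default_factory=list)    # md5s sent for sandbox analysis
    blocked_sites: dict = field(default_factory=dict)  # source ip -> seconds remaining

    def inspect(self, data: bytes, proxy: str, source_ip: str) -> dict:
        """Decide what happens to one file seen by a proxy policy."""
        if len(data) > self.scan_limit:
            # APT Blocker cannot analyze partial files. What happens to the file is
            # then governed by the Gateway AV scan-limit setting (assumed Allow here).
            return {"verdict": "not_scanned", "action": "Allow", "source": "scan_limit"}
        digest = md5_of(data)
        if digest in self.cache:
            verdict, source = self.cache[digest], "cache"
        elif digest in self.cloud_db:
            verdict, source = self.cloud_db[digest], "cloud"
            self.cache[digest] = verdict          # remembered for the next time it is seen
        else:
            # Never analyzed before: submit for sandbox analysis. The connection
            # is allowed while the device waits for the result.
            self.submitted.append(digest)
            return {"verdict": "pending", "action": "Allow", "source": "sandbox", "md5": digest}
        return {"verdict": verdict, "source": source, "md5": digest,
                "action": self._apply(verdict, proxy, source_ip)}

    def sandbox_result(self, digest: str, verdict: str) -> bool:
        """Record the verdict for a submitted file; True means an alarm is raised."""
        self.cache[digest] = verdict
        return verdict in THREAT_LEVELS

    def _apply(self, verdict: str, proxy: str, source_ip: str) -> str:
        if verdict == "clean":
            return "Allow"
        action = self.actions[verdict]
        if action == "Quarantine" and proxy != "SMTP-proxy":
            action = "Drop"           # Quarantine exists only for the SMTP-proxy
        if action == "Block":
            self.blocked_sites[source_ip] = BLOCKED_SITE_SECONDS
        return action


if __name__ == "__main__":
    blocker = AptBlocker(actions={"High": "Block", "Medium": "Quarantine", "Low": "Allow"})
    print(blocker.inspect(b"constructed sample: known high-severity malware",
                          "HTTP-proxy", "198.51.100.7"))
```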
To enable APT Blocker:
1. Select Subscription Services > APT Blocker.
The APT Blocker page appears.
2. Select the Enable APT Blocker check box.
3. For each threat level, select the action. Available actions are:
• Allow
• Drop
• Block
• Quarantine
4. For each threat level, to send a log message for an APT Blocker action, select the Log check
box.
5. For each threat level, to trigger an alarm for an APT Blocker action, select the Alarm check box.
6. Click OK.
Configure Other APT Blocker Settings
In the Policies section, you can disable or enable APT Blocker for each policy in your configuration.
For more information, see Enable or Disable APT Blocker for a Proxy Policy.
Enable or Disable APT Blocker for a Proxy Policy
You can enable or disable APT Blocker in the APT Blocker configuration for a specific proxy policy, or
when you edit a proxy action. You can only enable APT Blocker for proxy policies that also have
Gateway AntiVirus enabled.
To disable or enable APT Blocker for one or more proxy policies from the APT Blocker settings:
1. Select Subscription Services > APT Blocker.
The APT Blocker configuration page appears. The APT Blocker Policies section shows whether
APT Blocker is enabled for each proxy policy.
2. From the Policies list, select one or more proxy policies.
Use the Control or Shift keys to select more than one policy at the same time.
3. To enable APT Blocker for the selected policies, from the Select Action drop-down list, select
Enabled.
4. To disable APT Blocker for the selected policies, from the Select Action drop-down list, select
Disabled.
5. Click Save.
You can also enable or disable APT Blocker when you edit a proxy action:
1. Select Firewall > Firewall Policies.
2. Double-click a proxy policy.
3. Add or edit a proxy action for the policy.
4. Select the APT Blocker tab.
5. To enable APT Blocker, select the Enable APT Blocker check box.
6. To disable APT Blocker, clear the Enable APT Blocker check box.
7. Click Save.
Configure APT Blocker Notification
To specify how your Firebox or XTM device notifies you when content is blocked by APT Blocker when
alarms are enabled for a threat level, you can configure the notification settings for APT Blocker.
To configure notification settings for APT Blocker:
1. Select Subscription Services > APT Blocker.
2. Make sure the Enable APT Blocker check box is selected.
3. Click Notification Settings.
The Notification Settings dialog box appears.
4. Select the notifications settings for APT Blocker.
For more information about the available options, see Set Logging and Notification Preferences
on page 882.
Monitor APT Blocker Activity
After you enable APT Blocker, you can monitor APT Blocker activity on the Subscription Services
Dashboard page.
1. Select DASHBOARD > Subscription Services.
2. Scroll to the APT Blocker section.
For more information, see Subscription Services on page 890.
APT Blocker status information includes these statistics:
• Scans Performed
• Prevented objects (files)
• Notified objects (files)
• Quarantined objects (files)
APT Blocker reports are only available in WatchGuard Dimension. In the reports, you can find specific
details about each threat blocked. For more information, see the About Dimension Reports topic in the
WatchGuard Dimension Help.
29 Intrusion Prevention Service
About Intrusion Prevention Service
Intrusions are direct attacks on your computer. Usually the attack exploits a vulnerability in an
application. These attacks are created to cause damage to your network, get sensitive information, or
use your computers to attack other networks.
Intrusion Prevention Service (IPS) provides real-time protection from threats, including spyware, SQL
injections, cross-site scripting, and buffer overflows. When a new attack is identified, the features that
make the intrusion attack unique are recorded. These recorded features are known as the signature.
IPS uses these signatures to identify intrusion attacks.
By default, when you enable and configure IPS, the IPS configuration applies globally to all traffic. You
can also choose to disable IPS on a per-policy basis.
IPS Threat Levels
IPS categorizes IPS signatures into five threat levels, based on the severity of the threat. The severity
levels, from highest to lowest, are:
• Critical
• High
• Medium
• Low
• Information
When you enable IPS, the default setting is to drop and log traffic that matches the Critical, High,
Medium, or Low threat levels. Traffic that matches the information threat level is allowed and not
logged by default.
Add the IPS Upgrade
To enable IPS on your XTM device, you must:
1. Get a Feature Key for Your XTM Device on page 63
2. Manually Add a Feature Key to Your XTM Device on page 67
3. Configure Intrusion Prevention
Keep IPS Signatures Updated
New intrusion threats appear on the Internet frequently. To make sure that IPS gives you the best
protection, you must update the signatures frequently. You can configure the XTM device to update the
signatures automatically from WatchGuard, as described in Configure the IPS Update Server.
See IPS Status
On the Dashboard > Subscription Services page, you can see statistics on current IPS activity and
update the IPS signatures. For more information, see Subscription Services Status and Manual
Signatures Updates on page 112.
Configure Intrusion Prevention
To use Intrusion Prevention Service (IPS), you must have a feature key to enable the service.
For more information, see:
n Get a Feature Key for Your XTMDevice on page 63
n Manually Add a Feature Key to Your XTMDevice on page 67
Enable IPS and Configure IPS Actions
To enable IPS:
1. Select Subscription Services > IPS.
The IPS page appears.
2. Select the Enable Intrusion Prevention check box.
3. Select the Scan Mode. You can select one of two modes:
• Full Scan: Scan all packets for policies that have IPS enabled.
• Fast Scan: Scan fewer packets to improve performance. This option greatly improves the
throughput for scanned traffic, but does not provide the comprehensive coverage of Full
Scan mode. This is the default setting.
If you have a WatchGuard XTM 21, 22, or 23 device, this feature is not available for
your device.
4. For each threat level, select the action. Available actions are:
• Allow: Allows the connection.
• Drop: Denies the request and drops the connection. No information is sent to the source of
the content.
• Block: Denies the request, drops the connection, and adds the IP address of the content
source to the Blocked Sites list. If the content that matches an IPS signature came from a
client, the client IP address is added to the Blocked Sites list. If the content came from a server,
the server IP address is added to the Blocked Sites list.
5. For each threat level, to send a log message for an IPS action, select the Log check box.
6. For each threat level, to trigger an alarm for an IPS action, select the Alarm check box.
7. Click Save.
If you enable IPS for an HTTPS proxy policy, you must also enable deep inspection
of HTTPS content in the HTTPS proxy action, in order for IPS to scan the HTTPS
content. For more information, see HTTPS-Proxy: Content Inspection. IPS scanning
of HTTPS content is not supported on XTM 21, 22, and 23 devices.
Configure Other IPS Settings
In the IPS Policies section, you can disable or enable IPS for each policy in your configuration. For
more information, see Disable or Enable IPS for a Policy.
To configure signature update settings, select the Update Server tab. For more information, see
Configure the IPS Update Server.
To add signatures to the exceptions list, select the Signatures tab. For more information, see
Configure IPS Exceptions.
Disable or Enable IPS for a Policy
When you enable IPS, it is automatically enabled for all policies. You can choose to disable it for a
specific policy in the IPS configuration or when you edit a policy.
To disable or enable IPS for a policy:
1. Select Subscription Services > IPS.
The IPS configuration page appears. The IPS Policies section shows whether IPS is enabled for
each policy.
2. To disable IPS for one or more policies, select the policies in the list.
Use the Control or Shift keys to select multiple policies at the same time.
3. To disable IPS for the selected policies, from the Select Action drop-down list, select
Disabled.
To enable IPS for the selected policies, click Enabled.
4. Click Save.
If you enable IPS for an HTTPS proxy policy, you must also enable deep inspection
of HTTPS content in the HTTPS proxy action, in order for IPS to scan the HTTPS
content. For more information, see HTTPS-Proxy: Content Inspection. IPS scanning
of HTTPS content is not supported on XTM 21, 22, and 23 devices.
You can also choose to enable or disable IPS when you edit a policy:
1. Select Firewall > Firewall Policies.
2. Double-click a policy.
3. To enable IPS, select the Enable Intrusion Prevention check box.
To disable IPS, clear the Enable Intrusion Prevention check box.
4. Click Save.
Configure the IPS Update Server
The Intrusion Prevention Service (IPS) downloads signature updates from a signature update server.
Gateway AV, IPS, Application Control, and Data Loss Prevention all use the same update server
settings. When you configure the update server for any one of these subscription services, the settings
apply to all of these services.
IPS and Application Control signature updates are delivered together in the same update file.
To make sure that the XTM device can connect to the update server, you must add at
least one DNS server to your network configuration. The XTM device uses DNS to
resolve the update server URL to an IP address. For more information, see Add
WINS and DNS Server Addresses.
Configure Automatic Signature Updates
1. Select Subscription Services > IPS.
2. Click the Update Server tab.
The Update Server settings appear.
3. To enable automatic signature updates, select the Enable automatic update check box. This
option is enabled by default.
4. From the Interval drop-down list, enter the number of hours between automatic updates.
5. Select the Intrusion Prevention and Application Control Signatures check box to
automatically update signatures at the selected update interval.
Do not change the Update server URL unless you are told to do so by WatchGuard. If you change the
URL accidentally or incorrectly, click Reset to return to the last saved setting.
Connect to the Update Server Through an HTTP Proxy Server
If your XTM device must connect through an HTTP proxy to get to the signature update server, you
must add information about the HTTP proxy server to your update server configuration.
1. In the HTTP Proxy Server section, select the Connect to Update server using an HTTP
proxy server check box.
2. In the Server address text box, type the IP address or host name of your HTTP proxy server.
3. Most HTTP proxy servers receive requests on port 8080. If your HTTP proxy uses a different
port, type it in the Server port field.
4. From the Server Authentication drop-down list, select the type of authentication your HTTP
proxy server uses.
• If your HTTP proxy does not require authentication, select No Auth.
• If your HTTP proxy server requires NTLM or Basic authentication, type your User name,
Domain, and Password in the text boxes.
5. Click Save.
Block Access from the Trusted Network to the Update Server
If you do not want to allow all users on your trusted network to have unfiltered access to the IP address
of the signature database, you can use an internal server on your trusted network to receive the
updates. You can create a new HTTP proxy policy with HTTP-Proxy: Exceptions or an HTTP packet
filter policy that allows traffic only from the IP address of your internal server to the signature database.
Update Signatures Manually
For information about how to see the status of Application Control signature updates, and how to
manually force an update to the most current signatures, see Subscription Services Status and Manual
Signatures Updates.
Show IPS Signature Information
On the Signatures tab of the Intrusion Prevention Service configuration, you can see information about
all the IPS signatures. You can filter and sort the signature list, and you can see details about individual
signatures. You can also add a signature to the IPS exceptions list from this tab.
See IPS Signatures
1. Select Subscription Services > IPS.
The IPS configuration page appears.
2. Select the Signatures tab.
The list of IPS signatures appears.
3. Double-click a signature name to see more information about the signature.
4. Click the link in the More Information section to look up the signature on the WatchGuard
IPS Security Portal.
You can also click the Signature ID on the Signatures tab to look up the signature in the Security
Portal.
For more information about the Security Portal, see Look Up IPS Signatures on the Security Portal.
Search, Sort and Filter the IPS Signatures
The graphs at the top of the Signatures tab show the proportion and number of signatures in each
signature category and each threat level. You can filter the signature list by signature category or threat
level.
n To filter the signature list by signature category, click the bar for that category in the By
Category graph. Or, select the category from the Category drop-down list.
n To filter the signature list by signature threat level, click the bar in the By Threat Level graph.
Or, select the threat level severity from the Threat Level drop-down list.
To search for signatures that contain a specific word or ID number, type the text to search for in the
Search text box.
To sort the IPS signatures by Signature ID, Name, Category, or Threat Level, click one of the
column headings.
Add an IPS Exception
You can add a signature to the IPS Exceptions list directly from the Signatures tab.
1. Select a signature in the Signatures list.
2. Click Add Exception.
The Signature Exceptions dialog box appears. The ID text box shows the ID of the signature you
want to add.
3. Select the Action, Log, and Alarm settings for this exception.
4. Click OK.
The signature exception is added to the Exceptions tab.
For more information about IPS exceptions, see Configure IPS Exceptions.
Configure IPS Exceptions
When you enable the IPS feature, the XTM device examines traffic to look for patterns of traffic that
match the signatures of known intrusions. When an IPS signature match occurs, the XTM device
denies the content and the intrusion is blocked. If you want to allow traffic that is blocked by an IPS
signature, you can find the identification number for the signature (the signature ID) and add the
signature ID to the IPS exception list.
Find the IPS Signature ID
When the XTM device blocks a connection based on a match with an IPS signature, the signature ID
appears in the log file if you have enabled logging for IPS. To see which IPS signature blocked the
connection, look in the log file for the IPS signature ID number. If a connection that you want to allow is
blocked by an IPS signature, use the signature ID to add an IPS exception to allow that connection.
On the Signatures tab, you can look up the IPS signature ID to see information about the threat a
signature ID represents. For more information about how to look up an IPS signature, see Show
IPS Signature Information.
Add an IPS Signature Exception
To add an IPS signature exception:
1. Select Subscription Services > IPS.
The IPS configuration page appears.
2. Select the Exceptions tab.
The list of IPS signature exceptions appears.
3. Click Add.
The Add Exception dialog box appears.
4. In the ID text box, type the ID of the IPS signature you want to add.
5. From the Action drop-down list, select the action you want IPS to take for this signature. The
available actions are:
• Allow: Allows the connection.
• Drop: Denies the request and drops the connection. No information is sent to the source of
the content.
• Block: Denies the request, drops the connection, and adds the IP address of the content
source to the Blocked Sites list. If the content that matches an IPS signature came from a
client, the client IP address is added to the Blocked Sites list. If the content came from a server,
the server IP address is added to the Blocked Sites list.
6. Select the Log check box if you want to send a log message for this IPS exception.
7. Select the Alarm check box if you want to send an alarm for this IPS exception.
8. Click OK.
The exception is added to the Signature Exceptions list.
9. Click Save.
To edit the settings for an exception, select the exception and click Edit.
To remove an exception, select the exception and click Remove.
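The way a signature match is resolved, from the threat-level defaults (drop and log Critical through Low, allow Information unlogged), through a per-signature exception, a per-policy disable, and the client-versus-server Blocked Sites rule for the Block action, is shown below as an added Python example. It is not WatchGuard's code; the match events and signature IDs are constructed placeholders, not real IPS signature IDs.

```python
from dataclasses import dataclass, field

THREAT_LEVELS = ("Critical", "High", "Medium", "Low", "Information")
ACTIONS = ("Allow", "Drop", "Block")


@dataclass(frozen=True)
class Setting:
    action: str        # Allow, Drop or Block
    log: bool = False
    alarm: bool = False


# Defaults described in the guide: drop and log Critical, High, Medium and Low;
# allow Information without logging.
DEFAULT_LEVEL_SETTINGS = {
    level: Setting("Drop", log=True) for level in ("Critical", "High", "Medium", "Low")
}
DEFAULT_LEVEL_SETTINGS["Information"] = Setting("Allow")

# Constructed sample match (placeholder signature ID, not a real WatchGuard ID).
SAMPLE_MATCH = {"signature_id": 1000001, "threat_level": "High", "policy": "HTTP-proxy",
                "content_from": "server", "client_ip": "10.0.0.5", "server_ip": "203.0.113.9"}


@dataclass
class IpsConfig:
    levels: dict = field(default_factory=lambda: dict(DEFAULT_LEVEL_SETTINGS))
    exceptions: dict = field(default_factory=dict)      # signature ID -> Setting
    disabled_policies: set = field(default_factory=set)
    blocked_sites: set = field(default_factory=set)

    def set_level(self, level: str, action: str, log: bool = False, alarm: bool = False) -> None:
        if level not in THREAT_LEVELS or action not in ACTIONS:
            raise ValueError("unknown threat level or action")
        self.levels[level] = Setting(action, log, alarm)

    def add_exception(self, signature_id: int, action: str, log: bool = False,
                      alarm: bool = False) -> None:
        if action not in ACTIONS:
            raise ValueError("unknown action")
        self.exceptions[signature_id] = Setting(action, log, alarm)

    def resolve(self, match: dict) -> dict:
        """Decide the outcome for one signature match event.

        `match` carries the signature ID and threat level, the policy the traffic
        used, which side ("client" or "server") sent the matching content, and
        both addresses.
        """
        if match["policy"] in self.disabled_policies:
            return {"action": "Allow", "log": False, "alarm": False,
                    "reason": "IPS disabled for policy"}
        if match["signature_id"] in self.exceptions:
            setting, reason = self.exceptions[match["signature_id"]], "exception"
        else:
            setting, reason = self.levels[match["threat_level"]], "threat level"
        outcome = {"action": setting.action, "log": setting.log,
                   "alarm": setting.alarm, "reason": reason}
        if setting.action == "Block":
            # Block adds the address of whichever side sent the content.
            ip = match["client_ip"] if match["content_from"] == "client" else match["server_ip"]
            self.blocked_sites.add(ip)
            outcome["blocked_ip"] = ip
        return outcome


if __name__ == "__main__":
    ips = IpsConfig()
    print(ips.resolve(SAMPLE_MATCH))
    ips.add_exception(SAMPLE_MATCH["signature_id"], "Allow", log=True)
    print(ips.resolve(SAMPLE_MATCH))
```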
Configure IPS Notification
To configure notification parameters for Intrusion Prevention Service, select the Notification tab on
the IPS configuration page. The notification settings determine how the XTM device notifies you when
content is blocked by an IPS signature at a threat level when alarms are enabled.
For information about the Notification tab settings, see Set Logging and Notification Preferences on
page 882.
Look Up IPS Signatures on the Security Portal
You can look up information about IPS signatures on the WatchGuard IPS Security Portal at:
http://www.watchguard.com/SecurityPortal/ThreatDB.aspx. From the IPS Security Portal, you can
search for an IPS signature by ID or name. Signature descriptions on the IPS Security Portal include
links to additional information about the signature, based on Bugtraq ID, CVE ID, or other sources
about a threat the signature blocks.
To look up an IPS signature from the Web UI, you can click a signature ID in the Signatures or
Exceptions tabs in the IPS configuration page.
If you have enabled logging for Intrusion Prevention Service (IPS) signatures, you can also use Traffic
Monitor to find more information about the signature IDs associated with traffic log messages. When
you look up signature information for a traffic log message, you see the signature information in the
IPS Security Portal.
For more information about Traffic Monitor, see the WatchGuard System Manager Help or User Guide.
30 Application Control
About Application Control
Application Control is a subscription service that enables you to monitor and control the use of
applications on your network. Application Control uses signatures that can identify and block over 1800
applications. In the Application Control action, you select the applications by name, and choose to
block or allow traffic for each application or application category. Then you apply the Application
Control action to the applicable policy. You do not need to create or maintain your own custom rules to
identify applications. The Application Control service provides frequent updates to application
signatures to keep the protection current.
You can use Application Control to block the usage of specific applications, and you can report on
application use and use attempts. For some applications, you can block specific application behaviors,
such as file transfer.
Application Control Deny Message
When Application Control blocks HTTP content that matches an Application Control action, the user
who requested the content sees an Application Control deny message in the browser. The deny
message says that the content was blocked because the application was not allowed. The message is
not configurable. When Application Control blocks HTTPS content, the Application Control deny
message appears in the browser only if the application was blocked before the application sent a
response to the browser.
Add the Application Control Upgrade
To enable Application Control on your XTM device, you must:
1. Get a Feature Key for Your XTM Device on page 63
2. Manually Add a Feature Key to Your XTM Device on page 67
3. Configure Application Control Actions
Keep Application Control Signatures Updated
New applications appear on the Internet frequently. To make sure that Application Control can
recognize the latest applications, you must update the signatures frequently. You can configure the
XTM device to update the signatures automatically from WatchGuard, as described in Configure the
Application Control Update Server.
Application Control Begin with Monitoring
When you start to use Application Control, we recommend that you first configure your policies to send
log messages for all application use so that you get a true understanding of the applications that are
used on the network. To monitor application use, you can enable Application Control and logging for all
policies that match the application traffic. After you enable Application Control and logging for a policy,
all application activity for traffic through that policy is recorded in the log database and available for the
Application Control reports, even if the Global Application Control action is empty.
Monitor Application Use
To monitor application use:
1. Create an Application Control action that does not block any applications.
The Global action is empty by default, so it does not block applications.
For more information, see Configure Application Control Actions.
2. Apply the empty Application Control action to the policies that handle traffic you want to
monitor.
For information about how to enable Application Control, see Enable Application Control in a
Policy.
For information about which policies to configure, see Policy Guidelines for Application Control.
3. Enable logging in each policy that has Application Control enabled.
For information about how to enable logging in a policy, see Configure Logging and Notification
for a Policy.
If you do not enable logging for a policy that has Application Control enabled,
Application Control saves log information only for blocked applications.
Application Control Reports
After you have enabled Application Control and logging in your policies, you can use the predefined
WatchGuard reports to see information about the applications used on your network. You can use
Report Manager to view the Available Reports that the Report Server has already generated or you can
generate new On-Demand Reports or Per Client Reports.
To generate Application Control reports, you must set up a Log Server and a Report
Server. For more information about WatchGuard servers, see About WatchGuard
Servers on page 90.
These predefined WatchGuard reports are available for Application Control:
Application Control Reports
• Application Usage Summary
• Top Applications by User
• Top Application by Host
• Top Users Blocked
• Top Hosts Blocked
Client Reports: Show which users use the applications
• Top Clients by Application Usage
• Top Clients by Blocked Applications
• Top Clients by Blocked Categories
Client reports show the names of users who use applications if you have configured authentication on
the firewall.
Before you configure Application Control to block applications, we recommend that you examine the
Application Usage Summary and the Top Clients by Application Usage reports.
When you look at the Application Usage reports, consider these questions:
• Does the report show any application categories that seem to conflict with corporate policy?
• Are the applications appropriate for business use?
• Which users use the applications? Fireware XTM provides reports that show application use by
client. The authentication capabilities in Fireware XTM enable you to see client reports by user
name rather than by IP address. You can also identify user traffic in Terminal Services
environments.
For information about how to configure Terminal Services, see Configure Terminal Services
Settings.
If the reports show an application that you are not familiar with, you can find information about the
application on the WatchGuard Application Control Security Portal at
http://www.watchguard.com/SecurityPortal/AppDB.aspx.
For more information about Log Manager and Report Manager, see the WatchGuard System Manager
Help or User Guide.
Policy Guidelines for Application Control
To monitor or block application use, you must enable Application Control for all policies that handle the
application traffic. We do not recommend that you apply the Global Application Control action to every
policy. Because of the performance implications, you don't want or need to enable Application
Control for every policy.
We recommend that you enable Application Control for these types of policies:
• Any outbound policy that handles HTTP or HTTPS traffic
• VPN policies that use 0.0.0.0/0 routes (default-route VPNs)
• Any outbound policy if you are not sure how the policy is used
• Policies that use the Any protocol
• Policies that use an Any-* alias, for example Allow Any-Trusted to Any-External, on a
specific port/protocol
It is not necessary to enable Application Control for a policy if you control the network on both sides of
a traffic flow the policy handles. Some examples of these types of policies include:
• POS systems
• Intranet web applications
• Internal databases and traffic in a DMZ
It is not usually necessary to enable Application Control for policies that are restricted by port and
protocol and that allow only a known service. Some examples of these types of policies include:
• Default WatchGuard policies
• DNS traffic
• RDP
• VoIP - SIP and H.323 application layer gateways
Each policy can allow only the traffic that matches the protocol for that policy. For example,
HTTP application traffic is never allowed through the DNS proxy. To effectively monitor or block an
application, you must consider all protocols used by that application, and enable Application Control for
all policies that handle those protocols.
To block evasive applications that dynamically use different ports, you must enable Application
Control to block those applications in all of your policies. For more information about evasive
applications, see Manage Evasive Applications.
For some examples of how to use Application Control with policies, see Application Control Policy
Examples.
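The guidelines above can be turned into a check that runs over a list of policies. The script below is an added example, not WatchGuard code, and the policy records in it are constructed for the example rather than exported from an XTM device; it flags policies that should carry an Application Control action but have none, and it supports the evasive-application case, where every policy must carry the action.

```python
"""Audit which policies should have Application Control enabled (added example).

Encodes this section's guidelines: the action is needed on outbound HTTP/HTTPS
policies, default-route VPN policies (0.0.0.0/0), policies that use the Any
protocol or an Any-* alias, and outbound policies whose use is uncertain; it is
not needed where both ends are networks you control, or for port-restricted
known services (DNS, RDP, SIP, H.323). Policy records are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Aliases for networks the administrator controls (assumption: the DMZ sits on
# an Optional interface). Any-External and unknown aliases are not controlled.
INTERNAL_ALIASES = {"Any-Trusted", "Any-Optional"}
HTTP_PORTS = {80, 443}
# Port-restricted known services that the guide says do not need the action.
KNOWN_SERVICE_PORTS = {53: "DNS", 3389: "RDP", 5060: "SIP", 1720: "H.323"}


@dataclass
class Policy:
    name: str
    src: str                            # alias or CIDR
    dst: str                            # alias or CIDR
    protocol: str                       # "tcp", "udp", or "Any"
    ports: Tuple[int, ...]              # empty tuple means all ports
    app_control: Optional[str] = None   # action name, None when disabled


def is_internal(endpoint: str) -> bool:
    """True for aliases or RFC 1918 prefixes that the administrator controls."""
    if endpoint in INTERNAL_ALIASES:
        return True
    if endpoint.startswith("Any"):          # Any, Any-External, Any-BOVPN, ...
        return False
    try:
        net = ipaddress.ip_network(endpoint, strict=False)
    except ValueError:
        return False                        # unknown alias: treat as not controlled
    return net.prefixlen > 0 and net.is_private


def needs_app_control(p: Policy, block_evasive: bool = False) -> Tuple[bool, str]:
    """Apply the policy guidelines to one policy; returns (needed, reason)."""
    if block_evasive:
        return True, "blocking an evasive application requires the action in every policy"
    if is_internal(p.src) and is_internal(p.dst):
        return False, "both ends are networks you control"
    if p.dst == "0.0.0.0/0":
        return True, "default-route VPN (0.0.0.0/0)"
    if p.protocol.lower() == "any" or not p.ports:
        return True, "Any protocol or all ports"
    if all(port in KNOWN_SERVICE_PORTS for port in p.ports):
        names = ", ".join(KNOWN_SERVICE_PORTS[port] for port in p.ports)
        return False, "port-restricted known service (%s)" % names
    if any(port in HTTP_PORTS for port in p.ports):
        return True, "outbound HTTP/HTTPS"
    if p.src.startswith("Any-") or p.dst.startswith("Any-"):
        return True, "uses an Any-* alias"
    return True, "outbound policy whose use is not certain"


def audit(policies: List[Policy], block_evasive: bool = False) -> List[Tuple[str, str]]:
    """Return (policy name, reason) for policies that need the action but lack it."""
    findings = []
    for p in policies:
        needed, reason = needs_app_control(p, block_evasive)
        if needed and p.app_control is None:
            findings.append((p.name, reason))
    return findings


# Constructed sample policies (not an exported configuration).
SAMPLE_POLICIES = [
    Policy("HTTP-proxy", "Any-Trusted", "Any-External", "tcp", (80,)),
    Policy("HTTPS-proxy", "Any-Trusted", "Any-External", "tcp", (443,), "Global"),
    Policy("DNS", "Any-Trusted", "Any-External", "udp", (53,)),
    Policy("Outgoing", "Any-Trusted", "Any-External", "Any", ()),
    Policy("BOVPN-Default-Route", "Any-Trusted", "0.0.0.0/0", "Any", ()),
    Policy("Intranet-Web", "Any-Trusted", "10.0.5.10/32", "tcp", (80,)),
    Policy("RDP-to-DMZ", "Any-Trusted", "Any-Optional", "tcp", (3389,)),
    Policy("POS-Terminals", "10.0.9.0/24", "10.0.20.5/32", "tcp", (6000,)),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_POLICIES):
        print(f"{name}: enable Application Control ({reason})")
    print("Policies to change when blocking an evasive application:",
          len(audit(SAMPLE_POLICIES, block_evasive=True)))
```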
Global Application Control Action
The Global Application Control action is created by default and cannot be removed. You can configure
the Global Application Control action to control overall corporate policy. For example, you can:
• Block all games
• Block use of peer-to-peer applications
The Global Application Control action does not apply to traffic unless you enable Application Control for
policies in your configuration. You can assign the Global Application Control action directly to a policy,
or you can use the Global Application Control action as a secondary action if traffic does not match the
applications configured in a user-defined Application Control action assigned to a policy.
You can create more specific application actions to implement rules that apply to user groups or to
specific interfaces. For example, you might want to apply some specific rules to allow one department
to have access to an application.
If you know that an application is specifically restricted to a specific port, you can apply an Application
Control action to a packet filter or proxy policy on that port only. If not, you must apply the Application
Control action to an outgoing policy that covers all ports to make sure that you capture all possible
traffic for the application.
Configure Application Control Actions
To block application traffic, you can create Application Control actions. You apply these actions to one
or more policies to enforce consistent rules for application usage. An Application Control action
contains a list of applications and associated actions. For each application, you can specify whether to
drop or allow the connection. You can also configure what action to take if the traffic that is detected
does not match the application.
For each application, you can choose one of these actions:
• Drop: Block the selected application.
• Allow: Allow the selected application.
For some applications, you can control specific application behaviors. For each behavior, you can set
the action to Drop or Allow. The behaviors you can control depend on the application. Not all
behaviors apply to all applications. The application behaviors you can control are:
• Authority: Log in
• Access: Command to get access to a server or peer
• Communicate: Communicate with server or peer (chat)
• Connect: Unknown command (P2P connect to peer)
• Games: Games
• Media: Audio and video
• Transfer: File transfer
For each Application Control action, you configure an action to take if traffic does not match one of the
configured applications. You can set this action to:
• Allow: Allow traffic that does not match the configured applications
• Drop: Drop traffic that does not match the configured applications
• Use Global Action: Use the Global Application Control action if traffic does not match
If traffic does not match one of the configured applications, and you set the action to take to Use
Global action, Application Control uses the Global Application Control action for any traffic that does
not match. You can also assign the Global Application Control action to a policy. The Global
Application Control action is created by default and cannot be removed.
If you have configured Traffic Management actions, you can also use Traffic Management actions in
the Application Control action to control the bandwidth used for allowed application traffic. For more
information, see Use Traffic Management with Application Control.
Add or Edit Application Control Actions
To see and edit all of the Application Control actions:
1. Select Subscription Services > Application Control.
The Application Control page appears.
2. To create a new Application Control action, click Add.
Or, to edit an action, select the action name and click Edit.
The Application Control Action Settings page appears.
3. If this is a new action, in the Name text box, type the name for the action. Optionally, type a
Description.
4. To filter the application list, select an option:
• Show all applications: Show all applications you can configure.
• Show only configured applications: Show the applications that have a configured
action.
• Category: Select a category to filter by application category.
• Search: Search for applications that contain a specific word or phrase.
5. To configure an application for this Application Control action, select an application in the list
and click Edit.
The Actions by Application dialog box appears.
6. Select an option:
• Set the action for all behaviors
From the drop-down list, select the action to take for this application:
• Drop: Block the selected application
• Allow: Allow the selected application
• Set the action for specific behaviors. Select the check box for each behavior to control.
Select Drop or Allow for each selected behavior.
If you select multiple applications, you can set the action to apply to all selected
applications, but you cannot set the action for specific behaviors.
7. If you set the action for all behaviors or a specific behavior to Allow, and you have configured a
Traffic Management action, you can enable Traffic Management and select the Traffic
Management action to control the bandwidth used by the application. For more information, see
Use Traffic Management with Application Control.
8. Click OK.
The configured action appears in the Action column.
9. To select an action for all applications in a category, click Select by Category.
For more information, see Use Application Categories on page 1420.
10. Click Save to save the Application Control action.
The Application Control action is added to the list, but is not yet applied to a policy.
Remove Configured Applications From an Application Control Action
To remove a configured application from an Application Control action:
1. Select Subscription Services > Application Control.
The Application Control page appears.
2. Select an Application Control action. Click Edit.
The settings for the selected Application Control Action appear.
3. To show only the configured applications, select Show only configured applications.
The list updates to show only the applications configured for this Application Control action.
4. Select one or more configured applications to remove from this Application Control action.
5. To clear the action for the selected applications, click Clear Action.
The action for the selected applications is cleared. The application is removed from the configured
applications list.
6. Click Save to save the Application Control action.
To block an entire application category, you can click Select by Category. For more information, see
Use Application Categories on page 1420.
Apply an Application Control Action to a Policy
When you create an Application Control action, it is not automatically applied to your policies. There
are two ways you can apply an Application Control action to a policy.
• In the Application Control Policies section of the Application Control page, select an
Application Control action to enable for each policy.
For more information, see Configure Application Control for Policies on page 1422.
• Change the Application Control action when you edit a policy.
For more information, see Enable Application Control in a Policy on page 1423.
Clone an Application Control Action
To create an Application Control action that is similar to one that you have already created, you can
clone (copy) an existing Application Control action.
1. Select Subscription Services > Application Control.
The Application Control page appears.
2. From the Application Control Actions list, select an Application Control action.
3. Click Clone.
The Application Control Action settings page appears.
4. In the Name text box, type a new name for this action.
5. (Optional) In the Description text box, type a new description for this action.
6. Select Show only configured applications to see the applications already configured in this
action.
7. Edit the Application Control action as described in the previous section.
8. Click Save to save the new Application Control action.
The new action appears in the Application Control Actions list.
Remove Application Control Actions
From the Application Control page, you can remove any Application Control action that is not used in
a policy.
1. Select an Application Control action.
2. Click Remove.
The action is removed from the list.
Use Application Categories
Application Categories are used to classify applications in Application Control reports. Categories also
provide a convenient way to search for, or block, all applications in a category. To conveniently restrict
the use of a set of applications that do not have legitimate business value, you can block all applications
in a category. Or, to limit or guarantee bandwidth for applications in a category, you can select a
configured Traffic Management action. For more information about Traffic Management actions, see
Define a Traffic Management Action in v11.9.
For example, to block all applications in the Games category for an Application Control action:
1. On the Application Control Action Settings page, click Select by Categories.
The Actions by Category dialog box appears.
2. From the Games drop-down list, select Drop.
3. Click OK.
All applications in the Games category have the action set to Drop (By category).
4. To filter the list to see the blocked games, select Games from the Category drop-down list.
When any new applications are added to the Games category by the signature update process,
they are also blocked by this Application Control action.
To allow traffic for an application category, but control the bandwidth for applications in the category,
you can configure a Traffic Management action and select the Traffic Management action.
When an application action is configured based on a category action, the Action column shows the
label (by category) after the configured action. You can still edit the action for a specific application in
the category to override the category action, as described in the next section.
When you configure an action for an application category, any future applications that are added to the
category are automatically configured to use the same category action.
If you configure Application Control to block all applications in a category, make sure you know
everything that is included in the category and the expected consequences. For example, SWF
(Shockwave Flash) is included in the streaming media category. Flash is used widely in many web
sites to deliver content. If you block all streaming media, Flash content is also blocked.
We do not recommend that you configure Application Control to block general categories like Web /
Web 2.0, Business, or Network Protocols. It is likely that this could block an application that you did
not intend to block, or that has other, unintended consequences.
We recommend that you set up Application Control to send log messages for all activity for a period of
time before you configure any actions that block applications. This enables you to determine which
applications to block.
Override a Category Action
If you configure an action for an application category, you can set a different action for a specific
application in that category. If you assign an action to a specific application, that action overrides the
action configured for the category.
To override an action for an application that is in a configured category:
1. On the Application Control Action Settings page, select an application.
2. Click Edit.
The Application Control Configuration dialog box appears.
3. Select the action for the application.
For more information, see Configure Application Control Actions on page 1413.
4. Click OK.
The application-specific action replaces the category action for that application.
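The precedence described in Configure Application Control Actions and in the two category sections above (application-specific action first, then the category action, then the action's no-match setting, which can defer to the Global action) can be modelled and checked. The script below is an added example, not WatchGuard code; the application and category names in it other than Facebook, BitTorrent and Games are constructed, and it assumes that a behavior not selected in an application's rule is treated as unconfigured, which the guide does not state.

```python
"""Resolve the effective Drop/Allow decision of an Application Control action (added example).

Models the precedence this guide describes: an action set for a specific
application overrides the action set for its category; behavior-specific
settings apply only to the selected behaviors; traffic that matches no
configured application falls through to the action's no-match setting
(Allow, Drop, or Use Global Action). Not WatchGuard code.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DROP, ALLOW, USE_GLOBAL = "Drop", "Allow", "Use Global Action"


@dataclass
class AppRule:
    """Action configured for one application."""
    all_behaviors: Optional[str] = None                      # Drop/Allow for every behavior
    behaviors: Dict[str, str] = field(default_factory=dict)  # e.g. {"Transfer": DROP}


@dataclass
class AppControlAction:
    name: str
    apps: Dict[str, AppRule] = field(default_factory=dict)    # per-application rules
    categories: Dict[str, str] = field(default_factory=dict)  # category -> Drop/Allow
    no_match: str = ALLOW            # ALLOW, DROP, or USE_GLOBAL for unmatched traffic


# The Global action exists by default and is empty, so it blocks nothing.
GLOBAL_DEFAULT = AppControlAction("Global")


def resolve(action: AppControlAction, app: Optional[str], category: Optional[str],
            behavior: str,
            global_action: AppControlAction = GLOBAL_DEFAULT) -> Tuple[str, str]:
    """Return (Drop|Allow, reason) for one identified flow.

    Assumption (not stated in the guide): a behavior that the application's
    rule does not select is treated as unconfigured and falls through to the
    category action and then to the no-match setting.
    """
    rule = action.apps.get(app) if app else None
    if rule is not None:
        if behavior in rule.behaviors:
            return rule.behaviors[behavior], f"{app}/{behavior} in {action.name}"
        if rule.all_behaviors is not None:
            return rule.all_behaviors, f"{app} in {action.name}"
    if category and category in action.categories:
        return action.categories[category], f"{category} (by category) in {action.name}"
    if action.no_match == USE_GLOBAL and action is not global_action:
        return resolve(global_action, app, category, behavior, global_action)
    if action.no_match == USE_GLOBAL:           # the Global action cannot defer to itself
        return ALLOW, "no match in Global action"
    return action.no_match, f"no match in {action.name}"


def should_log(decision: str, policy_logging_enabled: bool) -> bool:
    """Dropped applications are always logged; allowed ones only when the policy logs."""
    return decision == DROP or policy_logging_enabled


def example_action() -> AppControlAction:
    """Constructed action: block the Games category, allow one game as an
    override, and block only the Games behavior of Facebook."""
    return AppControlAction(
        name="Corporate",
        apps={
            "Facebook": AppRule(behaviors={"Games": DROP}),
            "Solitaire": AppRule(all_behaviors=ALLOW),     # overrides the category action
        },
        categories={"Games": DROP},
        no_match=USE_GLOBAL,
    )


# Constructed Global action that blocks a peer-to-peer category.
GLOBAL_P2P_BLOCK = AppControlAction("Global", categories={"Peer-to-Peer": DROP})

if __name__ == "__main__":
    act = example_action()
    for app, cat, beh in [("Facebook", "Social Networking", "Games"),
                          ("Facebook", "Social Networking", "Communicate"),
                          ("Solitaire", "Games", "Games"),
                          ("Chess Online", "Games", "Games"),
                          ("BitTorrent", "Peer-to-Peer", "Transfer")]:
        decision, why = resolve(act, app, cat, beh, GLOBAL_P2P_BLOCK)
        print(f"{app:13} {beh:12} -> {decision:5} ({why})")
```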
Configure Application Control for Policies
Application Control is configured globally, but is not used by a policy unless you apply an action to a
policy. After you create an Application Control action in the Application Control configuration, you can
change the Application Control action to enable it for each policy.
1. Select Subscription Services > Application Control.
The Application Control Actions page appears. The Application Control Policies section shows the
Application Control action enabled for each policy.
2. To change the Application Control action for one or more policies, select the policies in the list.
3. From the Select action drop-down list, select an Application Control action to apply to the
selected policies.
Or, to disable Application Control for the selected policies, select None.
4. Click Save.
If you enable Application Control for an HTTPS proxy policy, you must also enable
deep inspection of HTTPS content in the HTTPS proxy action. This is required for
Application Control to detect applications over an HTTPS connection. For more
information, see HTTPS-Proxy: Content Inspection. Application Control scanning of
HTTPS content is not supported on XTM 21, 21-W, 22, 22-W, 23, and 23-W devices.
When you enable Application Control for a policy, the XTM device always identifies and creates a log
message for applications that are dropped due to an Application Control action. If you want the
XTM device to create a log message for all identified applications, even those that are not dropped, you
must enable logging in each policy that has Application Control enabled.
For information about how to enable logging in a policy, see Configure Logging and Notification for a
Policy.
Enable Application Control in a Policy
You can enable Application Control and select the Application Control action to use when you edit a
policy. You can also edit the Application Control action while you edit the policy.
When you edit an Application Control action from within a policy, the updated
settings also apply to any other policy that uses the selected action.
To enable Application Control in the policy configuration:
1. Select Firewall > Firewall Policies.
2. Add or edit a policy.
3. Select the Application Control tab.
4. From the Application Control Action drop-down list, select the configured Application Control
action to use for this policy.
The Application Control Action Settings for the selected action appear in the Application Control tab.
5. (Optional) Edit the Application Control settings for the selected action.
6. Click Save.
If you enable Application Control for an HTTPS proxy policy, you must also enable
deep inspection of HTTPS content in the HTTPS proxy action. This is required for
Application Control to detect applications over an HTTPS connection. For more
information, see HTTPS-Proxy: Content Inspection. Application Control scanning of
HTTPS content is not supported on XTM 21, 21-W, 22, 22-W, 23, and 23-W devices.
When you enable Application Control for a policy, the XTM device always identifies and creates a log
message for applications that are dropped due to an Application Control action. If you want the
XTM device to create a log message for all identified applications, even those that are not dropped, you
must enable logging in each policy that has Application Control enabled.
For information about how to enable logging in a policy, see Configure Logging and Notification for a
Policy.
Get Information About Applications
When you configure Application Control, or when you look at Application Control reports, you might
see application names you are not familiar with. To get information about any application that
Application Control can identify, you can look up the application on the WatchGuard Application
Control Security Portal at http://www.watchguard.com/SecurityPortal/AppDB.aspx.
On the Application Control Security Portal page, you can:
• See a list of all applications that Application Control can identify.
• Search for an application by name.
• See a description of the application and supported application behaviors.
Configure the Application Control Update Server
Application Control downloads signature updates from a signature update server. Gateway AV, IPS,
Application Control, and Data Loss Prevention all use the same update server settings. When you
change configuration of the update server for any of these subscription services, the settings apply to
all of these services.
IPS and Application Control signature updates are delivered together in the same update file.
To make sure that the XTM device can connect to the update server, you must add at
least one DNS server to your network configuration. The XTM device uses DNS to
resolve the update server URL to an IP address. For more information, see Add
WINS and DNS Server Addresses.
Configure Signature Updates
1. Select Subscription Services > Application Control.
2. Click Update Server.
The Update Server settings appear.
3. To enable automatic signature updates, select the Enable automatic update check box. This
option is enabled by default.
4. From the Interval drop-down list, select the number of hours between automatic updates.
5. Select the Intrusion Prevention and Application Control Signatures check box to
automatically update signatures at the selected update interval.
Do not change the Update server URL unless you are told to do so by WatchGuard. If you change the
URL accidentally or incorrectly, click Reset to return to the last saved setting.
Connect to the Update Server Through an HTTP Proxy Server
If your XTMdevice must connect through an HTTP proxy to get to the signature update server, you
must add information about the HTTP proxy server to your update server configuration.
1. In the HTTP Proxy Server section, select the Connect to Update server using an HTTP
proxy server check box.
2. In the Server address text box, type the IP address or host name of your HTTP proxy server.
3. Most HTTP proxy servers receive requests on port 8080. If your HTTP proxy uses a different
port, type it in the Server port field.
4. From the Server Authentication drop-down list, select the type of authentication your HTTP
proxy server uses.
• If your HTTP proxy does not require authentication, select No Auth.
• If your HTTP proxy server requires NTLM or Basic authentication, type your User name,
Domain, and Password in the text boxes.
5. Click Save.
Block Access from the Trusted Network to the Update Server
If you do not want to allow all users on your trusted network to have unfiltered access to the IP address
of the signature database, you can use an internal server on your trusted network to receive the
updates. You can create a new HTTP proxy policy with HTTP-Proxy: Exceptions or an HTTP packet
filter policy that allows traffic only from the IP address of your internal server to the signature database.
Update Signatures Manually
For information about how to see the status of Application Control signature updates, and how to
manually force an update to the most current signatures, see Subscription Services Status and Manual
Signatures Updates.
Application Control and Proxies
There is some duplication of the functions available in the Application Control service and in the
WatchGuard proxy policies. In general, the proxies perform different and more detailed inspection and
provide more granular control over the type of content. For example, with the HTTP proxy, you can:
• Adjust timeout and length limits of HTTP requests and responses to prevent poor network
performance, as well as several attacks
• Customize the deny message that users see when they try to connect to a web site blocked by
the HTTP proxy
• Filter web content MIME types
• Block specified path patterns and URLs
• Deny cookies from specified web sites
Proxies are also used to provide Gateway AntiVirus, WebBlocker, and Reputation Enabled Defense
services.
By default, the HTTP proxy action blocks the download of these content types:
• Java bytecode
• ZIP archives
• Windows EXE/DLL files
• Windows CAB archive
The Application Control feature does not override settings in the proxy policy configuration. For
example, if you allow YouTube in Application Control, but the proxy policy is already configured with an
action to block streaming video, YouTube videos are still blocked.
Application Control and WebBlocker
If both WebBlocker and Application Control are configured in the same policy, and the traffic matches
for a web site and application, the Application Control action might or might not trigger first. Which
action triggers first depends on several factors, such as the number of packets required to identify the
application, and how much time it takes to look up and return a category for the URL. Consider
facebook.com. All access to facebook.com can be blocked in WebBlocker if the personals and dating
category is blocked.
If your company policy is to restrict all access to Facebook, it may be appropriate to block it in
WebBlocker. You can either block the personals and dating category or add a WebBlocker exception.
Application Control provides more granular control over applications and their associated subfunctions.
With Application Control, it is possible to allow access to Facebook, but not allow access to Facebook
Games.
Manage SSL Applications
Many web-based applications are accessible through SSL (HTTPS), as well as through HTTP.
Organizations offer encrypted SSL connections to provide more security to users. SSL encryption can
also make applications more difficult for Application Control to detect. When you block applications
that are accessible through SSL, you might also need to specifically block the SSL login for that
application to make sure that you block all access to that application.
For example, when you select to block the application Google-Finance, this blocks Google's financial
applications. But it does not block Google Finance over SSL. To block that, you must also block the
application Google Authentication via SSL. It is important to understand that, once you block
Google Authentication over SSL, you lose control over the granularity of all Google SSL applications to
block. For example, access to Google Docs and Gmail over SSL is also blocked.
Similar behavior occurs for some Microsoft and Yahoo applications when they are accessed over SSL.
There are corresponding signatures for Authentication over SSL for Microsoft and Yahoo and many
other applications in the Application Control application list. To granularly manage these types of
applications, you might want to block Authentication over SSL. Then you can use the application
signatures to granularly configure the applications that can be used over the HTTP access that is
allowed.
Manage Evasive Applications
Some applications use dynamic ports and protocols, encryption, and other techniques to make the
application traffic difficult to detect and manage. For these types of applications, there can be some
limitations to the application behaviors that Application Control can manage.
One example of this type of evasive application is Skype, a popular peer-to-peer (P2P) network
application. The Skype client uses a dynamic combination of ports that include outbound ports 80 and
443. Skype traffic is very difficult to detect and block because it is encrypted, and because the Skype
client is able to bypass many network firewalls.
For information about how to block Skype, see Block User Logins to Skype.
Block User Logins to Skype
You can configure Application Control to block a user login to the Skype network. It is important to
understand that Application Control can only block the Skype login process. It cannot block traffic for a
Skype client that has already logged in and has an active connection. For example:
• If a remote user logs in to Skype when the computer is not connected to your network, and then
the user connects to your network while the Skype client is still active, Application Control
cannot block the Skype traffic until the user logs off the Skype network or restarts their
computer.
• When you first configure Application Control to block Skype, any users that are already logged
in to the Skype network are not blocked until they log off the Skype network, or restart their
computers.
To configure an Application Control action to block user logins to Skype:
1. Select Subscription Services > Application Control.
The Application Control page appears.
2. Double-click the Application Control action you want to edit.
3. To quickly find the Skype application, type "Skype" in the search text box.
4. From the list of applications, select the Skype application.
5. Click Edit.
6. Set the action for all behaviors to Drop.
7. Click OK to save the action for the Skype application.
8. Click Save to save the Application Control action.
After you configure the Application Control action to block Skype, you must apply this Application
Control action to all policies in your configuration. You can do this when you edit each policy, or in the
Application Control Policies section of the Application Control configuration page.
To effectively block Skype, you must block it for everyone on your network. If you
create a policy to allow Skype for a specific group of users, Skype is not effectively
blocked for other users. Any Skype client on your network can identify a peer Skype
node that is not blocked, and can use that peer to complete a Skype connection.
If you have a high precedence policy that allows all DNS, you must configure the DNS policy to use
the Application Control action that blocks Skype.
Manage Applications that Use Multiple Protocols
Many applications today, especially instant messaging and peer-to-peer applications, use multiple
protocols and techniques to transfer files. For example, there are many clients that use the BitTorrent
protocol and other protocols to transfer files. To fully block applications that use multiple protocols, you
must configure Application Control with a combination of actions. This is best illustrated as an
example.
Example: Block FlashGet
When you select the BitTorrent Series application in an Application Control action, Application Control
uses a set of rules that identify the BitTorrent protocol for peer-to-peer file sharing.
FlashGet is a client application that is used for file sharing. The FlashGet client application can use the
BitTorrent peer-to-peer protocol to download files, or it can use simple HTTP downloads, FTP file
transfer, or the proprietary FlashGet protocol.
If you do not block, but only record activity in the log files, BitTorrent downloads that are triggered by
the FlashGet client appear in the log files and reports as both FlashGet and BitTorrent application
activity, at different times.
To block all possible file transfers by the FlashGet client, you must configure Application Control to
block FlashGet, and also to block BitTorrent Series, Web File Transfer, and FTP Applications. It is
important to understand that if you block BitTorrent Series, Application Control also blocks BitTorrent
use by all other applications. There is no way to block BitTorrent use by FlashGet, but allow it for other
applications.
If you block FlashGet, but do not block BitTorrent or Web File Transfer, downloads through BitTorrent
or HTTP are not blocked, even if the downloads are started by the FlashGet client.
If you block Web File Transfer or FTP Applications, this functionality is blocked for all applications.
There is no way to block HTTP file transfers or FTP file transfers for FlashGet but allow it for other
applications.
File Transfer Applications and Protocols
The table below shows some common applications and the variety of protocols that they use for file
transfer. The names of applications and protocols in the table correspond to application names in
Application Control.
Category  Application     Protocols and Applications Used
P2P       Thunder Series  Thunder Private Protocol
                          Web File Transfer
                          ASFV1, MP4, MMS, FLV, RMVB, SWF, AVI, MP3, WMA, MOV, WMA, ASF
                          BitTorrent Series
                          FTP Applications
P2P       BitTorrent      BitTorrent Series
                          Web File Transfer
                          ASFV1, MP4, MMS, FLV, RMVB, SWF, AVI, MP3, WMA, MOV, WMA, ASF
                          FTP Applications
P2P       FlashGet        BitTorrent Series
                          Web File Transfer
                          ASFV1, MP4, MMS, FLV, RMVB, SWF, AVI, MP3, WMA, MOV, WMA, ASF
                          FTP Applications
P2P       QQDownload      BitTorrent Series
                          Web File Transfer
                          ASFV1, MP4, MMS, FLV, RMVB, SWF, AVI, MP3, WMA, MOV, WMA, ASF
                          FTP Applications
                          QQ Private Protocol
MEDIA     QQLive          QQLive
                          ASFV1, MP4, MMS, FLV, RMVB, SWF, AVI, MP3, WMA, MOV, WMA, ASF
                          QQ Private Protocol
                          QQ/TM
MEDIA     PPTV            PPTV (PPLive)
                          ASFV1, MP4, MMS, FLV, RMVB, SWF, AVI, MP3, WMA, MOV, WMA, ASF
MEDIA     PPStream        PPStream
                          ASFV1, MP4, MMS, FLV, RMVB, SWF, AVI, MP3, WMA, MOV, WMA, ASF
MEDIA     UUSee           UUSee
                          ASFV1, MP4, MMS, FLV, RMVB, SWF, AVI, MP3, WMA, MOV, WMA, ASF
IM        QQ              QQ/TM
                          QQ Private Protocol
GAME      QQ/QQFO         QQGame
                          QQ Private Protocol
To fully block all file transfers through applications that use multiple protocols and applications, you
must block the application, and you must block all protocols and applications the application uses.
There are some common applications and protocols that you may not want to block because they are
used by many applications.
For a description of any of the applications or protocols in this table, you can look up the application on
the WatchGuard Application Control Security Portal at
http://www.watchguard.com/SecurityPortal/AppDB.aspx.
Monitor Downloads and File Transfers
Application Control includes two general purpose applications in the File Transfer category called
Web File Transfer and FTP Applications that you can use to record log messages for common
download and file transfer activity.
Web File Transfer
Web File Transfer is a general application that detects the download of common file formats that
are often downloaded through popular P2P and File Transfer programs, including: bz2, doc, exe,
gz, pdf, ppt, rar, rpm, tar, xls, zip, torrent, dll, manifest, xdap, deploy, xps, xaml, application,
mkv, and dat. It also covers HTTP upload of files.
FTP Applications
FTP Applications is an application that detects a range of FTP commands: pass, list, eprt,
epsv, create directory, delete directory, get (binary and ascii), put (binary and ascii), passive
and active file transfer.
These applications are best used to generate log messages of activity. Consider the implications
carefully before you decide to block these applications, or the general File Transfer category.
Manage Facebook Applications
Some applications, such as Facebook, contain multiple application types that Application Control can
identify. You can use Application Control to granularly control which applications your users can use.
Facebook is a social networking site that includes a large number of features and applications. You can
use Application Control to block some or all Facebook applications. For example, you can configure an
Application Control action that allows Facebook, but blocks the use of Facebook games or IM. Or you
can block the use of all Facebook applications.
You can see the list of Facebook applications when you configure an Application Control action for
your device, or you can search for facebook in the Application Control security portal at
http://www.watchguard.com/SecurityPortal/AppDB.aspx.
Application Control can identify and block different types of Facebook activity.
Facebook Web IM
Identifies Facebook chat sessions.
Facebook
Identifies attempts to log in to Facebook or see Facebook web pages.
Facebook Game
Identifies the top 25 most popular Facebook games.
Facebook Applications
Identifies all applications available through the Facebook apps directory.
Facebook Plug-in
Identifies all Facebook social plug-ins that can be embedded in other sites on the Internet. This
includes plug-ins such as Like and Comments. To see the current list of Facebook social plug-
ins, see http://developers.facebook.com/plugins.
Facebook Post
Identifies information posts to Facebook. This includes:
n Post a message to the wall
n Share status
n Share a link
Facebook Video
Identifies video uploads to Facebook.
Facebook Picture
Identifies photo uploads to Facebook.
Facebook EditProfile
Identifies Facebook user profile updates.
To block Facebook applications:
1. Create or edit an Application Control action.
2. In the search text box, type facebook.
The list of applications is filtered to show only the Facebook applications.
3. Select one or more Facebook applications to block.
4. Select Edit. Set the action for the selected applications to Block.
5. Apply the Application Control action to your policies.
Application Control Policy Examples
You can use the Global Application Control action with other Application Control actions to allow or
block different applications based on the time of day, or based on the user name or user group. To do
this, you create Application Control actions that block or allow different sets of applications. Then you
apply different Application Control actions to different policies as described in the examples below.
Each of the examples below enables Application Control actions for a single type of policy. If your
configuration includes other policy types, such as TCP-UDP, or Outgoing, you can use the same steps
to set up a two-tiered Application Control configuration for those policies. The policies you need to
apply an Application Control action to depend on which policies exist in your configuration, and which
applications you want to block. For example, if you want to block an application that you know uses
FTP, you must enable the Application Control action for the FTP policy.
For recommendations on which types of policies to configure for Application Control, see Policy
Guidelines for Application Control.
Allow an Application For a Group of Users
If the Global Application Control action blocks an application, you can create a separate Application
Control action to allow that same application for a department or other user group. For example, if you
want to block the use of MSN instant messaging for most users, but you want to allow this application
for the people in the Sales department, you can create different Application Control actions and policies
to get this result.
If you already have an HTTP packet filter policy that applies to all users, you can use these steps to
allow different applications for the Sales department.
1. Configure the Global Application Control action to block MSN instant messaging, and any other
applications you do not want to allow.
2. Apply the Global Application Control action to the existing HTTP packet filter policy.
3. Create a new Application Control action to allow MSN instant messaging. For example, you
could call this action, AllowIM. Configure this action to use the Global action when the
application does not match.
4. Create an HTTP policy for the users in the Sales department. For example, you could call this
policy HTTP-Sales. For information about how to create a policy for a group of users, see Use
Authorized Users and Groups in Policies.
5. Apply the AllowIM Application Control action to the HTTP-Sales policy.
6. Enable logging for the HTTP and HTTP-Sales policies.
You must enable logging to see information about Application Control in the log files and reports.
In this example, the two resulting HTTP policies could look like this:
Policy: HTTP-Sales
HTTP connections are: Allowed
From: Sales To: Any-External
Application Control: AllowIM
Policy: HTTP
HTTP connections are: Allowed
From: Any-Trusted To: Any-External
Application Control: Global
The AllowIM Application Control action applied to the HTTP-Sales policy acts as an exception to the
Global Application Control action. The users in the Sales group can use MSN instant messaging, but
cannot use any other applications blocked by the Global Application Control action.
If this device configuration included other policies, such as HTTP-Proxy, TCP-UDP, or Outgoing, that
could be used for IM traffic, you can repeat the steps above to set up a two-tiered Application Control
configuration for other policies.
Block Applications During Business Hours
You can use Application Control with policies to block different applications based on the time of day.
For example, you might want to block the use of games during business hours. To block applications
during certain hours, you can use Application Control with policies that have an operating schedule.
If you already have an HTTP-Proxy policy that does not have an operating schedule, use these steps
to add a new policy and Application Control action to block applications during business hours.
1. Configure the Global Application Control action to block applications you want to always block.
2. Apply the Global Application Control action to the existing HTTP-Proxy policy.
3. Create a schedule called Business-Hours that defines the business hours. For more
information about schedules, see Create Schedules for XTM Device Actions.
4. Create a new HTTP-Proxy policy that uses the Business-Hours schedule you configured. For
example, you could call the new policy HTTP-Proxy-Business. For more information about
how to set the schedule for a policy, see Set an Operating Schedule.
5. Create an Application Control action that blocks the applications you want to block during
business hours. For example, you could call this action Business.
6. Apply the Business Application Control action to the HTTP-Proxy-Business policy.
7. Enable logging for the HTTP-Proxy and HTTP-Proxy-Business policies.
You must enable logging to see information about Application Control in the log files and reports.
In this example, the two resulting policies could look like this:
Policy: HTTP-Proxy-Business
HTTP connections are: Allowed
From: Sales To: Any-External
Application Control: Business
Policy: HTTP-Proxy
HTTP connections are: Allowed
From: Any-Trusted To: Any-External
Application Control: Global
The Business Application Control action in the HTTP-Proxy-Business policy blocks games only
during business hours. All other applications in the Global Application Control action are blocked at all
times of day.
If this device configuration included other policies, such as HTTP, TCP-UDP, or Outgoing, that might
be used for games traffic, you can repeat the steps above to set up a two-tiered Application Control
configuration for other policies.
For more information about policy precedence, see About Policy Precedence.
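The two policy examples above (the AllowIM action on an HTTP-Sales policy, and the Business action on a scheduled HTTP-Proxy-Business policy) can be checked against a small model of how a connection is first matched to a policy and then to an Application Control action. This is an added example, not WatchGuard code or device output. The policy list, the group names, the schedule hours (Monday to Friday, 09:00 to 17:00), the application names, list-order precedence and the combination of both examples into one policy list are all assumptions made for illustration.

```python
"""Model of the two-tiered Application Control configuration from the two
examples above. Added example, not WatchGuard code: the policy list, groups,
schedule hours and application names are assumptions, and precedence is
simply list order (the device's real rules are in About Policy Precedence).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class AppControlAction:
    """Maps application name -> "Allow" or "Drop". `fallback` is consulted when
    the application does not match, which models the "use the Global action
    when the application does not match" setting from step 3 of the Sales example."""
    name: str
    rules: Dict[str, str]
    fallback: Optional["AppControlAction"] = None

    def decide(self, app: str) -> str:
        if app in self.rules:
            return self.rules[app]
        if self.fallback is not None:
            return self.fallback.decide(app)
        return "Allow"  # no rule anywhere: the application is allowed


@dataclass
class Policy:
    name: str
    from_groups: Set[str]                 # e.g. {"Sales"} or {"Any-Trusted"}
    action: AppControlAction
    schedule: Optional[Callable[[datetime], bool]] = None  # None = always active

    def matches(self, user_groups: Set[str], when: datetime) -> bool:
        if self.schedule is not None and not self.schedule(when):
            return False
        return bool(self.from_groups & user_groups)


def business_hours(when: datetime) -> bool:
    """Assumed Business-Hours schedule: Monday to Friday, 09:00 to 17:00."""
    return when.weekday() < 5 and 9 <= when.hour < 17


# Global: applications blocked for everyone at all times.
GLOBAL = AppControlAction("Global", {"MSN": "Drop"})
# AllowIM: exception for MSN; everything else is deferred to Global.
ALLOW_IM = AppControlAction("AllowIM", {"MSN": "Allow"}, fallback=GLOBAL)
# Business: games blocked while the policy that carries it is on schedule.
BUSINESS = AppControlAction("Business", {"Facebook Game": "Drop"}, fallback=GLOBAL)

# Highest precedence first: the narrow Sales policy, then the scheduled
# policy, then the catch-all policy that carries the Global action.
POLICIES = [
    Policy("HTTP-Sales", {"Sales"}, ALLOW_IM),
    Policy("HTTP-Proxy-Business", {"Any-Trusted"}, BUSINESS, schedule=business_hours),
    Policy("HTTP-Proxy", {"Any-Trusted"}, GLOBAL),
]

# Constructed timestamps: 14 May 2024 is a Tuesday, 18 May 2024 a Saturday.
TUE_10 = datetime(2024, 5, 14, 10, 0)
TUE_20 = datetime(2024, 5, 14, 20, 0)
SAT_10 = datetime(2024, 5, 18, 10, 0)


def evaluate(policies, user_groups: Set[str], app: str,
             when: datetime) -> Tuple[Optional[str], str]:
    """Return (policy name, verdict) from the first policy whose From list
    covers the user and whose schedule is active; with no matching policy the
    connection is not allowed at all."""
    for policy in policies:
        if policy.matches(user_groups, when):
            return policy.name, policy.action.decide(app)
    return None, "Drop"


if __name__ == "__main__":
    sales = {"Any-Trusted", "Sales"}
    staff = {"Any-Trusted"}
    cases = [(sales, "MSN", TUE_10), (staff, "MSN", TUE_10),
             (staff, "Facebook Game", TUE_10), (staff, "Facebook Game", TUE_20),
             (staff, "Facebook Game", SAT_10), (sales, "Facebook Game", TUE_10)]
    for groups, app, when in cases:
        print(sorted(groups), app, when.strftime("%a %H:%M"),
              "->", evaluate(POLICIES, groups, app, when))
```

The last case is the reason the text tells you to repeat the steps for every policy that could carry the traffic: a Sales user is matched by HTTP-Sales first, AllowIM has no rule for games and defers to Global, which does not block games either, so the scheduled Business action never sees that connection and the Sales user can play games during business hours.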
Data Loss Prevention
User Guide 1439
30 Data Loss Prevention
About Data Loss Prevention
The Data Loss Prevention (DLP) service enables you to detect, monitor, and prevent accidental
unauthorized transmission of confidential information outside your network or across network
boundaries. The DLP service includes built-in auditing sensors that you can use to monitor compliance
with HIPAA or PCI information security requirements. You can also create custom DLP sensors to
detect data that matches other content control rules, or create a custom rule to search for specific
phrases in network traffic. The included DLP reports help you to evaluate and demonstrate employee
compliance with your organization's information security policies.
DLP uses content control rules to identify sensitive content. When DLP identifies content that
matches enabled DLP content control rules, the content is treated as a DLP violation. You can choose
what action the WatchGuard device takes for DLP violations in email and non-email traffic. You can
also configure DLP to take different actions based on the source and destination of the traffic.
The Firebox T10, XTM 2, 3, and 5 Series devices use the standard set of DLP
content control rules. All other device models use the full enterprise set.
DLP requires Fireware OS v11.8 or higher and a Data Loss Prevention subscription.
DLP Text Extraction and File Types
DLP can extract and scan text from these file types:
n Adobe PDF, RTF
n Microsoft PowerPoint 2000, 2003, 2007, 2010
n Microsoft Excel 2000, 2003, 2007, 2010
n Microsoft Word 2000, 2003, 2007, 2010
n Microsoft Project 2000, 2003, 2007, 2010
n Microsoft Visio 2000, 2003, 2007, 2010
n Microsoft Outlook .MSG
n Microsoft Outlook Express .EML
n OpenOffice Calc
n LibreOffice Calc
n OpenOffice Impress
n OpenOffice Writer
n LibreOffice Impress
n LibreOffice Writer
n HTML
DLP on Firebox T10, XTM 2 Series and 3 Series devices does not include text
extraction. Without text extraction, DLP scans the email message body and text
files, but has a limited ability to read text from other file types.
Add the DLP Upgrade
DLP is a subscription service. To enable DLP on your WatchGuard device, you must:
1. Get a Feature Key for Your XTM Device on page 63
2. Manually Add a Feature Key to Your XTM Device on page 67
3. Configure Data Loss Prevention
About DLP and Proxy Policies
You can enable DLP for the WatchGuard SMTP, FTP, HTTP, and HTTPS proxy policies.
To use DLP with an HTTPS proxy policy, you must enable deep inspection in the
HTTPS proxy action.
DLP scans different types of traffic according to which proxy policies you use it with:
n SMTP proxy: DLP scans content in email messages and attachments.
n HTTP and HTTPS proxy: DLP scans HTTP and HTTPS posts.
n FTP proxy: DLP scans content in uploaded files.
If Gateway AV and DLP are both enabled for the same policy, the Gateway AV scan result action
takes precedence over the DLP action.
About DLP False Positives
DLP looks for content that matches the patterns in the DLP content control rules you select. It is
possible that a DLP rule could falsely identify unrelated content that contains similar data as a DLP
violation. For example, the rule to match US social security numbers looks for occurrences of 9 digit
numbers. Other types of data could also match this pattern, and falsely trigger a DLP violation.
Configure Data Loss Prevention
To use Data Loss Prevention (DLP), you must have a feature key to enable the service.
For more information, see:
n Get a Feature Key for Your XTM Device on page 63
n Manually Add a Feature Key to Your XTM Device on page 67
Enable DLP and Configure DLP Sensors
To enable Data Loss Prevention:
1. Select Subscription Services > Data Loss Prevention.
2. Select the Enable Data Loss Prevention check box.
3. Click Save.
After you enable DLP, you configure the DLP sensors to detect the content types that you want to
monitor or control. Then you can enable DLP for each policy.
On the Sensors tab, you configure DLP sensors. For more information, see Configure DLP Sensors.
On the Policies tab, you can select which DLP sensor to use for each policy. For more information,
see Configure DLP for Policies.
On the Custom Rule tab, you can create a custom rule that contains specific phrases to search for.
For more information, see Configure DLP Custom Rule.
Configure other DLP Settings
Click Notification Settings to configure notification settings for DLP. For more information, see Set
Logging and Notification Preferences.
Click Update Server to configure signature update settings. For more information, see Configure the
DLP Update Server.
Configure DLP Custom Rule
You can use a DLP custom rule to scan your network traffic for special phrases that are specific to
your organization. This allows you to customize your DLP configuration beyond the predefined rules to
better help you monitor and control the transmission of sensitive documents and messages outside of
your network.
For example, many organizations use security classifications for documents and email messages. If
the document or message is considered highly sensitive, it can contain special text that indicates that
it is confidential and should not be communicated outside of your networks. The first line or header of a
document or email message can include the classification text such as the phrase Classification:
Confidential. You can use these classifications with a DLP custom rule to monitor your network traffic
and make sure that sensitive documents and messages that contain these phrases do not leave your
network.
The custom rule can contain multiple words and phrases that you want to monitor or control. You can
then configure a DLP sensor to detect the custom rule and enable the DLP sensor for a policy.
Custom rules have these limitations:
n You can only create one custom rule within the DLP configuration.
n Each phrase can be up to 127 characters in length. Long phrase lengths can impact system
performance.
n The number of phrases in your custom rule can impact system performance. WatchGuard
recommends that you use a maximum of 15 phrases within a custom rule.
n Phrases must consist of Unicode characters in the Basic Multilingual Plane (BMP) only. The
BMP is the first 65,536 characters in Unicode and consists of most major language character
sets.
n Only simple text matches are performed. Regular expressions are not supported.
n Text matches are case-insensitive.
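To make the limits above concrete, here is an added example (not WatchGuard code) that validates a custom rule against them and then scans a constructed email body the way the text says the rule works: a plain, case-insensitive substring match with no regular expressions. The rule name, the phrases and the message are constructed; the character limits are the figures from this section, and the 15-phrase figure is treated as a warning rather than a hard limit because the text calls it a recommendation.

```python
"""Model of the DLP custom rule limits and matching behaviour listed above.

Added example, not WatchGuard code. The rule name, phrases and message are
constructed; the limits are the figures from the text, and matching is a
case-insensitive plain substring search because the text says regular
expressions are not supported.
"""
from typing import Dict, List

MAX_RULE_NAME_LEN = 43          # rule name limit from "Add a Custom Rule"
MAX_PHRASE_LEN = 127            # per-phrase limit
RECOMMENDED_MAX_PHRASES = 15    # WatchGuard recommendation, not a hard limit
BMP_LAST_CODEPOINT = 0xFFFF     # Basic Multilingual Plane: U+0000..U+FFFF


def parse_phrase_list(text: str) -> List[str]:
    """One phrase per line, as typed into the List of phrases box; blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def validate_rule(name: str, phrases: List[str]) -> List[str]:
    """Return the problems found; an empty list means the rule is acceptable."""
    problems = []
    if not name.strip() or len(name) > MAX_RULE_NAME_LEN:
        problems.append(f"rule name must be 1-{MAX_RULE_NAME_LEN} characters")
    if not phrases:
        problems.append("rule needs at least one phrase")
    if len(phrases) > RECOMMENDED_MAX_PHRASES:
        problems.append(f"{len(phrases)} phrases exceeds the recommended "
                        f"maximum of {RECOMMENDED_MAX_PHRASES}")
    for i, phrase in enumerate(phrases, 1):
        if len(phrase) > MAX_PHRASE_LEN:
            problems.append(f"phrase {i} is longer than {MAX_PHRASE_LEN} characters")
        outside_bmp = [c for c in phrase if ord(c) > BMP_LAST_CODEPOINT]
        if outside_bmp:
            problems.append(f"phrase {i} contains a non-BMP character "
                            f"(U+{ord(outside_bmp[0]):X})")
    return problems


def scan_text(phrases: List[str], content: str) -> Dict[str, int]:
    """Case-insensitive, non-overlapping substring count for each phrase that occurs."""
    haystack = content.lower()
    hits = {}
    for phrase in phrases:
        n = haystack.count(phrase.lower())
        if n:
            hits[phrase] = n
    return hits


# Constructed rule, as it would be typed into the Custom Rule tab.
RULE_NAME = "Classified-Documents"
PHRASE_BOX = """Classification: Confidential
Internal Use Only
Project Nightjar
"""
PHRASES = parse_phrase_list(PHRASE_BOX)

# Constructed message body that should trigger two of the three phrases.
SAMPLE_EMAIL = (
    "Classification: CONFIDENTIAL\n"
    "Hi all, the Project NIGHTJAR budget is attached. Please do not forward.\n"
)

if __name__ == "__main__":
    print("validation:", validate_rule(RULE_NAME, PHRASES) or "ok")
    print("hits:", scan_text(PHRASES, SAMPLE_EMAIL))
    # Rules the limits above would reject or warn about:
    print(validate_rule("x" * 44, ["secret"]))
    print(validate_rule("emoji", ["\U0001F512 locked"]))
    print(validate_rule("many", ["phrase"] * 16))
```

Because the match is a plain substring test, a phrase such as "Confidential" on its own would also fire on "non-confidential", which is one reason to prefer the full classification header text as the phrase.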
Add a Custom Rule
To add a custom rule:
1. Select Subscription Services > Data Loss Prevention.
The Data Loss Prevention dialog box appears.
2. Select the Custom Rule tab.
3. In the Rule name text box, type a descriptive name for the custom rule.
The name can be up to 43 characters in length.
4. In the List of phrases text box, type one or more words or phrases with a maximum of one
phrase per line.
5. Click Save.
Add a Custom Rule to a DLP Sensor
In the settings for a DLP sensor, you can enable a custom rule that contains the phrases to monitor and
control. Then, you can enable the DLP sensor for each policy.
1. On the Sensors tab, configure the DLP sensors.
For more information, see Configure DLP Sensors.
2. On the Policies tab, select which DLP sensor to use for each policy.
For more information, see Configure DLP for Policies.
Configure DLP Sensors
To detect data that matches specific content categories you can create DLP sensors. You apply a
DLP sensor to one or more policies to monitor or enforce adherence to your organization's information
security policy. Each DLP sensor contains rules, actions, and settings.
When you first start to use the Data Loss Prevention service, we recommend that you configure the
DLP sensor to allow content that matches the selected content control rules, and to send a log
message when a DLP violation is detected. This enables you to monitor the activity on your network
before you configure DLP to drop, block, or quarantine content that matches the rules configured in the
DLP sensor. For more information, see Monitor DLP Activity.
DLP and Device Performance
When enabled, the Data Loss Prevention service adds more scanning load and consumes additional
memory on your appliance. Some DLP rules are very resource-intensive. If you enable many sensors
and rules, the performance of the device could be noticeably affected. Each DLP sensor requires
additional space in memory, and the number of DLP rules that are configured on each sensor also
impacts the amount of memory used by the appliance. Only select those rules that are appropriate for
your region and the use case that is relevant to your industry. This will also help to minimize any
potential false positives.
On the XTM 25/26, WatchGuard recommends that you use no more than one or two
sensors, and each sensor should not contain more than 6 DLP rules.
Rules
For each sensor, you select which of the predefined content control or custom rules to enable. A
content control rule is a set of conditions that describes content that the rule can identify in a file. The
content control rules are based on the DLP signature set, and are updated over time as the DLP
signatures are updated. Custom rules are rules you create to search for phrases specific to your
organization.
Each content control rule has four properties.
Name
For each rule, the rule name briefly describes the type of data the rule identifies. Some rules
look for a single type of data, such as telephone numbers, or social security numbers. Other
rules look for a combination of related data, such as credit card numbers near personally
identifiable information.
Region
Each rule applies to a specific region. Some types of data are only applicable to a specific
region. Other types of data are formatted differently in different regions. For example, there are
several driver's license rules for different regions. If a rule can identify the specified data type for
multiple regions, the region is set to Global. You can filter the rules list by region.
Category
For each rule, the category describes which general type of data the rule can identify.
Quantity
Each content control rule has an associated quantity value, that is a measure of the weighted
number of matches the rule must find in a scanned object in order to trigger a DLP violation. You
can look up the quantity values for each rule on the WatchGuard Security Portal.
For information, see Look Up DLP Rules on the Security Portal.
You cannot modify the default quantity of matches for DLP rules in your
configuration.
Actions
For each sensor you define actions to take if the sensor detects content that matches the rules enabled
in the sensor. You specify one action to take for content detected in email traffic, and another action to
take for content detected in non-email traffic.
Actions for email traffic:
n Allow: Allows the email.
n Lock: Locks the email attachment. A file that is locked cannot be opened easily by the user.
Only the administrator can unlock the file.
n Remove: Removes the attachment and sends the rest of the message to the recipient.
Replaces the removed attachment with the deny message configured in the SMTP proxy.
n Quarantine: Sends the original message to the Quarantine Server. Removes the message
part (message body or file attachment) that triggered the DLP violation and sends the modified
message to the recipient. The removed message part is replaced with the deny message
configured in the SMTP proxy.
n Drop: Denies the request and drops the connection. No information is sent to the source of
the content.
n Block: Denies the request, drops the connection, and adds the IP address of the sender to
the Blocked Sites list.
Recipients cannot see or manage messages quarantined due to a DLP violation.
Only the administrator can manage messages quarantined by DLP.
Actions for non-email traffic:
n Allow: Allows the connection.
n Drop: Denies the request and drops the connection. No information is sent to the source of
the content.
n Block: Denies the request, drops the connection, and adds the IP address of the content
source to the Blocked Sites list.
By default, a DLP sensor contains one DLP action, which applies to scanned content from all sources
and destinations. You can configure multiple actions for the same DLP sensor. This enables you to
configure different actions based on the source or destination of the traffic. For each action, you can
also configure whether to generate a log message and whether to send an alarm when the sensor
detects content that matches the enabled rules in the sensor.
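The following added model (not WatchGuard code) ties together three things from this section and the earlier About DLP False Positives: content control rules with a weighted match quantity, separate actions for email and non-email traffic, and per-source/destination actions with their log and alarm flags. It also reproduces the false-positive case from the text, a rule that counts any 9-digit number firing on an unrelated parcel number. The regular expressions, weights, quantity values, addresses, sample content and the first-matching-action order are assumptions; the real DLP signature set, its quantity values and the device's own evaluation order are not given on this page, and only the Host IP and Network IP source types are modelled.

```python
"""Model of a DLP sensor: content control rules with a quantity threshold,
email vs. non-email actions, and per-source/destination actions.

Added example, not WatchGuard code. Patterns, weights, quantity values,
addresses, sample content and the "first matching action wins" order are
assumptions made for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ContentRule:
    name: str
    pattern: re.Pattern        # assumed detection pattern
    weight: float              # assumed weight of one match
    quantity: float            # weighted matches needed to trigger a violation

    def score(self, text: str) -> float:
        return self.weight * len(self.pattern.findall(text))

    def violates(self, text: str) -> bool:
        return self.score(text) >= self.quantity


# As the text describes the US SSN rule: any 9-digit number, one hit is enough.
SSN_NAIVE = ContentRule("US SSN (any 9 digits)",
                        re.compile(r"(?<!\d)\d{9}(?!\d)"), 1.0, 1.0)
# Assumed tighter variant: formatted numbers, and two of them before a violation.
SSN_FORMATTED = ContentRule("US SSN (formatted)",
                            re.compile(r"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])"), 1.0, 2.0)


@dataclass
class SensorAction:
    source: str = "Any"        # "Any", a host IP, or a network in CIDR form
    destination: str = "Any"
    email_action: str = "Allow"
    non_email_action: str = "Allow"
    log: bool = True
    alarm: bool = False


def addr_matches(spec: str, addr: str) -> bool:
    """Host IP or Network IP match, as in the sensor action source/destination types."""
    if spec == "Any":
        return True
    if "/" in spec:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(spec) == ipaddress.ip_address(addr)


@dataclass
class Sensor:
    name: str
    rules: List[ContentRule]
    actions: List[SensorAction]    # evaluated in order; last one should be Any/Any

    def matched_rules(self, text: str) -> List[str]:
        return [r.name for r in self.rules if r.violates(text)]

    def decide(self, text: str, src: str, dst: str, is_email: bool) -> Dict:
        matched = self.matched_rules(text)
        if not matched:
            return {"violation": False, "action": "Allow", "rules": [],
                    "log": False, "alarm": False}
        for act in self.actions:
            if addr_matches(act.source, src) and addr_matches(act.destination, dst):
                return {"violation": True, "rules": matched,
                        "action": act.email_action if is_email else act.non_email_action,
                        "log": act.log, "alarm": act.alarm}
        raise ValueError("sensor has no catch-all action")


# Constructed sensor: the HR subnet may send matching content (log only);
# everyone else has email quarantined and other traffic dropped, with an alarm.
HR_SENSOR = Sensor("PII outbound", [SSN_FORMATTED], [
    SensorAction(source="10.0.5.0/24", email_action="Allow", non_email_action="Allow"),
    SensorAction(email_action="Quarantine", non_email_action="Drop", log=True, alarm=True),
])

# Constructed content.
PARCEL_NOTE = "Your parcel tracking number is 738201946 and should arrive Friday."
HR_EXPORT = "Employee records: 123-45-6789 (J. Doe), 987-65-4321 (A. Roe)."

if __name__ == "__main__":
    print("naive rule on parcel note:", SSN_NAIVE.violates(PARCEL_NOTE))      # false positive
    print("formatted rule on parcel note:", SSN_FORMATTED.violates(PARCEL_NOTE))
    print(HR_SENSOR.decide(HR_EXPORT, "10.0.5.20", "203.0.113.5", is_email=True))
    print(HR_SENSOR.decide(HR_EXPORT, "10.0.9.7", "203.0.113.5", is_email=True))
    print(HR_SENSOR.decide(HR_EXPORT, "10.0.9.7", "203.0.113.5", is_email=False))
```

The quantity threshold is what keeps a single incidental number from becoming a violation in the formatted rule, and the source-specific action is how the same sensor can log rather than block for the team that legitimately handles that data; both are the knobs the text recommends you tune in monitor mode before switching to Drop, Block or Quarantine.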
Settings
In the DLP settings, you can set the scan limit, and configure the actions to take if content cannot be
scanned for any of these reasons:
n content exceeds the scan limit
n a scan error occurs
n content is password protected
For each of these three conditions, you can set different actions for content detected in email and non-
email traffic.
Sensor Types
DLP includes two sensor types: built-in sensors, and user-defined sensors. The built-in sensors enable
the content rules related to compliance with HIPAA (the Health Insurance Portability and
Accountability Act) and PCI (Payment Card Industry) information security standards. The built-in
sensors are configured to allow all traffic, and to create a log message each time they detect content
that matches the content control rules. The built-in sensors do not block any content, even if the
content cannot be scanned.
The two built-in sensors are:
n HIPAA Audit Sensor: Detects content related to compliance with HIPAA security standards
n PCI Audit Sensor: Detects content related to compliance with PCI security standards
You cannot edit or delete the built-in sensors, but you can clone them, and edit the clone.
Any sensor you create is a user-defined sensor. To create a user-defined sensor, you can clone an
existing sensor or add a new one. When you configure a sensor, you select the content control and
custom rules, actions, and settings that make sense for your organization.
Add a Sensor
When you add a DLP sensor, the Data Loss Prevention Wizard helps you to create the sensor, and
apply it to proxy policies. The wizard shows different pages depending on whether you already have
proxy policies in your configuration. If you do not, the wizard helps you create one or more proxy
policies.
To add a DLP sensor:
1. Select Subscription Services > Data Loss Prevention.
The Data Loss Prevention dialog box appears.
2. In the Sensors tab, click Add.
The Data Loss Prevention Wizard starts.
3. In the Name text box, edit the name of the sensor.
4. Click Next.
A list of configured FTP, SMTP, HTTP, and HTTPS proxy policies appears. If your configuration does
not include any policies that support DLP, the wizard skips this step.
5. To enable Data Loss Prevention for a policy, select the check box adjacent to any policy that
does not already have Data Loss Prevention enabled.
6. Click Next.
If your configuration does not already include an HTTP, FTP or SMTP proxy policy, the wizard asks if
you want to create new proxy policies. If your configuration already includes all of the proxy policy
types supported by DLP, the wizard skips this step.
7. Select the check box adjacent to each policy you want the wizard to create.
8. Click Next.
The list of content control rules appears.
9. In the list of rules, select the check box for each content control rule or custom rule you want to
enable for this sensor.
There are several ways you can change the list view to find the rules you want to enable:
n To filter the list, from the Filter By drop-down list, select All content control rules to show
the complete list, or Configured rules to show only the configured rules for this sensor.
n To search for rules for a particular region, select the region from the Region drop-down list.
n To search for a rule that contains specific text in the Name, Region, or Category description,
type the text in the Search text box.
n Click a column heading to sort the list by the contents of that column.
10. Click Next.
The Actions settings appear.
11. From the When content is detected in email drop-down list, select the action to take when
content in an email message matches the enabled rules in this sensor.
12. From the When content is detected in non-email traffic drop-down list, select the action to
take when content in non-email traffic matches the enabled rules in this sensor.
13. To trigger an alarm when this sensor detects content, select the Alarm check box.
14. To create log messages when this sensor detects content, select the Log check box.
15. Click Next.
16. Click Finish to close the wizard.
The new sensor appears in the Sensors tab in the Data Loss Prevention dialog box.
Clone a Sensor
To make a copy of an existing sensor, you clone it. This creates another user-created sensor that you
can edit. To clone a sensor, select the sensor you want to copy, and click Clone. Then edit the sensor
as described in the subsequent sections.
Edit a Sensor
You can edit any of the user-created sensors. To edit a sensor:
1. Select Subscription Services > Data Loss Prevention.
The Data Loss Prevention dialog box appears.
2. In the Sensors tab, select a user-defined sensor, and click Edit.
The Edit Data Loss Prevention Sensor dialog box appears.
3. In the Rules tab, select the check box for each content control or custom rule you want to
enable for this sensor. Or clear the check box to disable an enabled rule.
There are several ways you can change the list view to find the rules you want to enable:
- To filter the list, from the Filter By drop-down list, select All content control rules to show
the complete list, or Enabled rules to show just the enabled rules for this sensor.
- To search for rules for a particular region, select the region from the Region drop-down list.
- To search for a rule that contains specific text in the Name, Region, or Category description,
type the text in the Search text box.
- Click a column heading to sort the list by the contents of that column.
4. Edit the sensor actions and settings as described in the subsequent sections.
Add or Edit Sensor Actions
The first action in a new sensor applies to all traffic from any source to any destination. When you edit
and add sensor actions, you can add multiple actions that each apply to traffic from different sources or
to different destinations. For each action, you can set the source and the destination to one of these
types:
- Host IP: A single IP address.
- Network IP: A network IP subnet.
- Email address: An email address, such as user@example.com, or *@example.com.
- Authenticated user: The user name of an authenticated user.
- URL: Any URL.
- Any: Any source or destination. A source or destination of Any appears as * in the Actions list.
To add or edit actions when you edit a sensor:
1. Click the Actions tab.
The list of actions enabled for this sensor appears.
2. To add a new action, click Add.
Or, to edit an existing action, select the action and click Edit.
The Add Sensor Action Properties dialog box appears.
3. From the Source drop-down list, select the type of source address to define for this action.
4. If you selected a source other than Any, type the source address in the text box adjacent to the
Source drop-down list.
5. From the Destination drop-down list, select the type of destination address to define for this
action.
6. If you selected a destination other than Any, type the destination address in the text box
adjacent to the Destination drop-down list.
7. From the When content is detected in email drop-down list, select the action to take when
content in an email message matches the enabled rules in this sensor.
8. From the When content is detected in non-email traffic drop-down list, select the action to
take when content in non-email traffic matches the enabled rules in this sensor.
9. To trigger an alarm when this sensor detects matching content, select the Alarm check box.
10. To create log messages when this sensor detects matching content, select the Log check box.
11. Click OK.
The new action appears in the Actions tab for the sensor.
Reorder Sensor Actions
If you add more than one action to a DLP sensor, DLP uses the actions in priority order from the top
down. If you add multiple sensor actions, make sure that the action that applies to a more specific
source or destination appears higher in the list than an action that applies to a less specific source and
destination. For example, if you use the DLP action that applies to traffic from any source to any
destination, make sure that any other actions you add are higher in the list.
To change the order of actions in a DLP sensor:
1. Click the Actions tab.
2. Click the Source or Destination of the action you want to move.
3. Click Move Up to move the selected action higher in the list.
4. Click Move Down to move the selected action lower in the list.
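The top-down evaluation described above, as an added illustration that is not WatchGuard code: a small Python model of a sensor's action list that picks the first matching action and flags any action shadowed by a catch-all Any/Any action placed above it. The endpoint types and the * display for Any come from this guide; how each type is matched against traffic, and all sample addresses, are assumptions of the model.

```python
# Added illustration, not WatchGuard code: a simplified model of top-down
# evaluation of DLP sensor actions. Matching rules per endpoint type are assumed.
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    kind: str          # Host IP, Network IP, Email address, Authenticated user, URL, Any
    value: str = "*"   # Any is shown as * in the Actions list

    def matches(self, traffic: dict) -> bool:
        """Assumed matching semantics for each endpoint type."""
        if self.kind == "Any":
            return True
        if self.kind == "Host IP":
            return traffic.get("ip") == self.value
        if self.kind == "Network IP":
            ip = traffic.get("ip")
            if ip is None:
                return False
            return ipaddress.ip_address(ip) in ipaddress.ip_network(self.value, strict=False)
        if self.kind == "Email address":   # supports *@example.com style wildcards
            return fnmatch.fnmatchcase(traffic.get("email", "").lower(), self.value.lower())
        if self.kind == "Authenticated user":
            return traffic.get("user") == self.value
        if self.kind == "URL":
            return fnmatch.fnmatchcase(traffic.get("url", ""), self.value)
        raise ValueError(f"unknown endpoint type: {self.kind!r}")


@dataclass
class SensorAction:
    source: Endpoint
    destination: Endpoint
    email_action: str       # When content is detected in email
    non_email_action: str   # When content is detected in non-email traffic
    alarm: bool = False
    log: bool = False


def select_action(actions, src: dict, dst: dict) -> Optional[SensorAction]:
    """First action from the top whose source and destination both match."""
    for act in actions:
        if act.source.matches(src) and act.destination.matches(dst):
            return act
    return None


def shadowed_indexes(actions) -> list:
    """Indexes of actions that can never be reached because an Any/Any action sits above them."""
    for i, act in enumerate(actions):
        if act.source.kind == "Any" and act.destination.kind == "Any":
            return list(range(i + 1, len(actions)))
    return []


def move_up(actions, index: int) -> list:
    """Copy of the list with the action at index moved one position higher (the Move Up button)."""
    out = list(actions)
    if index > 0:
        out[index - 1], out[index] = out[index], out[index - 1]
    return out


# Constructed sample: the catch-all action was left at the top, above a stricter rule
# for mail from the finance subnet to an outside partner domain (all values made up).
CATCH_ALL = SensorAction(Endpoint("Any"), Endpoint("Any"), "Allow", "Allow", log=True)
FINANCE_TO_PARTNER = SensorAction(Endpoint("Network IP", "10.20.0.0/24"),
                                  Endpoint("Email address", "*@partner.example"),
                                  "Quarantine", "Drop", alarm=True, log=True)
BAD_ORDER = [CATCH_ALL, FINANCE_TO_PARTNER]
GOOD_ORDER = move_up(BAD_ORDER, 1)

if __name__ == "__main__":
    src, dst = {"ip": "10.20.0.15"}, {"email": "bob@partner.example"}
    print("shadowed in BAD_ORDER:", shadowed_indexes(BAD_ORDER))
    print("BAD_ORDER picks:", select_action(BAD_ORDER, src, dst).email_action)
    print("GOOD_ORDER picks:", select_action(GOOD_ORDER, src, dst).email_action)
```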
Configure Sensor Scan Settings
In each user-defined DLP sensor, you can change the settings that control how DLP scans content,
and what action to take if content cannot be scanned. To configure the scan settings, click the
Settings tab.
For more information about these settings, see Configure DLP Scan Settings.
Delete a Sensor
To delete a sensor:
1. Select Subscription Services > Data Loss Prevention.
2. Select the sensor you want to delete.
3. Click Remove.
You cannot delete the built-in sensors, or a sensor that is used by a policy.
Configure DLP Scan Settings
In each user-defined DLP sensor, you can change the settings that control how DLP scans content,
and what action to take if content cannot be scanned.
The DLP sensor settings you can configure control:
- How much of a file or object to scan (the scan limit)
- What action to take if content cannot be scanned for each of these reasons:
  - The size of the content exceeds the scan limit
  - A scan error occurred
  - The content is password protected
If you enable DLP and Gateway AV for the same proxy action, the larger configured
scan limit is used for both services.
The actions you can configure in the settings are:
- Allow: Allows the connection or email.
- Drop: Denies the request and drops the connection. No information is sent to the source of
the content.
- Block: Denies the request, drops the connection, and adds the IP address of the content
source to the Blocked Sites list.
- Remove (email only): Removes the email attachment that cannot be scanned.
- Quarantine (email only): Quarantines the email message. For more information on the
Quarantine Server, see About the Quarantine Server on page 1467.
- Lock (email only): Locks the attachment. This is a good option for files that cannot be
scanned by the WatchGuard device. A file that is locked cannot be opened easily by the user.
Only the administrator can unlock an attachment locked by DLP. The tool to unlock the file is
installed as part of WatchGuard System Manager. For more information, see the WatchGuard
System Manager Help available at www.watchguard.com/help/documentation/.
To configure scan settings for a DLP sensor:
1. Select Subscription Services > Data Loss Prevention.
2. Select a user-defined DLP sensor, and click Edit.
3. Select the Settings tab.
4. In the limit scanning to first text box, type the file scan limit.
If a file is larger than this size, DLP scans only the first part of the file, up to the limit.
5. In the When content exceeds scan limit section, select the action the WatchGuard device
takes if the size of a file to be scanned exceeds the scan limit.
- In the When content is detected in email drop-down list, select the action to take for
email.
- In the When content is detected in non-email traffic drop-down list, select the
action to take for non-email traffic.
6. In the When a scan error occurs section, select the action the WatchGuard device takes
when it cannot scan a file due to a scan error.
- In the When content is detected in email drop-down list, select the action to take for
email.
- In the When content is detected in non-email traffic drop-down list, select the
action to take for non-email traffic.
Attachments that cannot be scanned include binhex-encoded messages, certain
encrypted files, or files that use a type of compression that DLP does not support,
such as password-protected Zip files.
7. In the When password protected section, select the action the WatchGuard device takes
when it cannot scan a file because it is password protected.
- In the When content is detected in email drop-down list, select the action to take for
email.
- In the When content is detected in non-email traffic drop-down list, select the
action to take for non-email traffic.
8. To create log messages for each type of action, select the Log check box in the section for the
action.
9. To trigger an alarm for each type of action, select the Alarm check box in the section for
the action.
About DLP Scan Limits
DLP scans each file up to a specified kilobyte count. Any additional bytes in the file are not scanned.
This allows the proxy to partially scan very large files without a large effect on performance. You can
set a different DLP scan limit for each DLP sensor. The minimum scan limit is 10 Kb for all devices.
The default and maximum scan limits vary by device model.
If you enable DLP and Gateway AV for the same proxy action, the larger configured
scan limit is used for both services.
For information about how to set the scan limit, see Configure DLP Scan Settings.
Configure DLP for Policies
You can enable DLP sensors for the WatchGuard SMTP, FTP, HTTP, and HTTPS proxy policies.
Before you can enable Data Loss Prevention for an HTTPS proxy policy, you must
enable deep inspection of HTTPS content in the HTTPS proxy action. This is
required for DLP to examine content over an HTTPS connection. For more
information, see HTTPS-Proxy: Content Inspection.
Enable DLP Sensors for Policies
You can enable one DLP sensor per policy.
1. Select Subscription Services > Data Loss Prevention.
2. Select the Policies tab.
A list of configured policies that support DLP appears. The Sensor column shows the sensor
enabled for each policy.
3. To change the sensor for one or more policies, select the policies in the list.
4. From the Select sensor drop-down list, select a DLP sensor to enable for the selected policies.
Or, to disable DLP for the selected policies, select None.
5. Click Save.
Select the DLP Sensor in a Proxy Action
You can also change the DLP sensor for a policy when you edit an FTP, HTTP, or SMTP proxy action.
To edit DLP settings when you edit a proxy action:
1. Add an FTP, SMTP, or HTTP proxy you want to use with Data Loss Prevention.
For information on how to add policies, see Add a Proxy Policy to Your Configuration on page
640.
2. Double-click the policy.
The Firewall Policies / Edit page appears.
3. Select the Proxy Action tab.
4. Click Data Loss Prevention.
The DLP Sensor setting appears.
5. From the DLP Sensor drop-down list, select the DLP sensor to use.
Configure the DLP Update Server
Data Loss Prevention downloads signature updates from a signature update server. Data Loss
Prevention, Gateway AV, IPS, and Application Control all use the same update server settings. When
you change the configuration of the update server for any of these subscription services, the settings
apply to all of these services.
To make sure that the XTM device can connect to the update server, you must add at
least one DNS server to your network configuration. The XTM device uses DNS to
resolve the update server URL to an IP address. For more information, see Add
WINS and DNS Server Addresses.
Configure Signature Updates
1. Select Subscription Services > Data Loss Prevention.
2. Click Update Server.
The Update Server dialog box appears.
3. To enable automatic signature updates, select the Enable automatic update check box. This
option is enabled by default.
4. From the Interval drop-down list, select the number of hours between automatic updates.
5. Select the Data Loss Prevention Signatures check box to automatically update signatures at
the selected update interval.
Do not change the Update server URL unless you are told to do so by WatchGuard. If you change the
URL accidentally or incorrectly, click Reset to return to the last saved setting.
Connect to the Update Server Through an HTTP Proxy Server
If your XTM device must connect through an HTTP proxy to get to the signature update server, you
must add information about the HTTP proxy server to your update server configuration.
1. In the HTTP Proxy Server section, select the Connect to Update server using an HTTP
proxy server check box.
2. In the Server address text box, type the IP address or host name of your HTTP proxy server.
3. Most HTTP proxy servers receive requests on port 8080. If your HTTP proxy uses a different
port, type it in the Server port field.
4. From the Server Authentication drop-down list, select the type of authentication your HTTP
proxy server uses.
- If your HTTP proxy does not require authentication, select No Auth.
- If your HTTP proxy server requires NTLM or Basic authentication, type your User name,
Domain, and Password in the text boxes.
5. Click Save.
Block Access from the Trusted Network to the Update Server
If you do not want to allow all users on your trusted network to have unfiltered access to the IP address
of the signature database, you can use an internal server on your trusted network to receive the
updates. You can create a new HTTP proxy policy with HTTP-Proxy: Exceptions or an HTTP packet
filter policy that allows traffic only from the IP address of your internal server to the signature database.
Update Signatures Manually
For information about how to see the status of Application Control signature updates, and how to
manually force an update to the most current signatures, see Subscription Services Status and Manual
Signatures Updates.
Monitor DLP Activity
After you enable DLP, you can monitor DLP activity on the Subscription Services dashboard.
1. Select DASHBOARD > Subscription Services.
2. Scroll down to the Data Loss Prevention section.
The Subscription Services dashboard shows:
- Scans performed
- Violations Detected
- Quarantined Objects
- Blocked Objects
- Signature update status
For more information, see Subscription Services.
If you have installed a WatchGuard Report Server, you can generate Data Loss Prevention reports,
which show more detailed information about DLP violations and other DLP activity.
Look Up DLP Rules on the Security Portal
To get more information about a DLP content control rule, you can look it up by name on the
WatchGuard Security Portal at http://www.watchguard.com/SecurityPortal/.
For each rule, the security portal shows a quantity. The quantity is a measure of the weighted number
of matches a rule must find in a scanned object in order to consider it a DLP violation. The quantity
does not always correspond exactly to the number of text matches in the scanned content required to
trigger the rule.
You cannot modify the default quantity of matches for DLP rules in your
configuration.
A DLP rule can use multiple expressions to find matching text patterns in a scanned object. To improve
the accuracy of content matches, DLP rules internally use weights to adjust the number of matches
required, and to adjust the sensitivity of the rule to text that matches each of several expressions
within the rule. Because the quantity is not a simple count, a scanned object that triggers a DLP
violation could seem to have fewer matches than the quantity associated with the rule.
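To make the weighted quantity concrete, here is an added, simplified model that is not WatchGuard's implementation (the real rules' expressions and weights are not published): each expression in a rule carries a weight, the weighted matches are summed, and the rule triggers when the sum reaches the quantity. The sample rule, its patterns, its weights and the sample text are all constructed for this illustration.

```python
# Added illustration, not WatchGuard's implementation: a simplified weighted-match
# model of a DLP content control rule. Patterns, weights and sample text are constructed.
import re

# Constructed sample rule; "quantity" plays the role of the value shown on the
# Security Portal, and the per-expression weights are an assumption of this model.
SAMPLE_RULE = {
    "name": "Example - payment card data",
    "quantity": 5,
    "expressions": [
        # A card-number-shaped token is strong evidence, so it carries more weight.
        {"pattern": r"\b\d{4}(?:[ -]?\d{4}){3}\b", "weight": 3.0, "flags": 0},
        # Contextual keywords are weak evidence on their own.
        {"pattern": r"\b(?:cvv|cvc|card number)\b", "weight": 1.0, "flags": re.IGNORECASE},
    ],
}


def weighted_matches(rule: dict, text: str):
    """Return (weighted_score, raw_match_count, per_expression_counts) for text."""
    score, raw, counts = 0.0, 0, []
    for expr in rule["expressions"]:
        n = len(re.findall(expr["pattern"], text, expr["flags"]))
        counts.append(n)
        raw += n
        score += n * expr["weight"]
    return score, raw, counts


def is_violation(rule: dict, text: str) -> bool:
    """The rule triggers when the weighted score reaches the quantity, not the raw count."""
    return weighted_matches(rule, text)[0] >= rule["quantity"]


# Constructed sample objects (not real data). TWO_CARDS has only 2 raw matches but
# still reaches quantity 5; FOUR_KEYWORDS has 4 raw matches and does not.
TWO_CARDS = "Please charge 4111 1111 1111 1111 today and 5500-0000-0000-0004 next month."
FOUR_KEYWORDS = "Enter your CVV. The cvv is on the back. Card number and CVC fields are required."

if __name__ == "__main__":
    for text in (TWO_CARDS, FOUR_KEYWORDS):
        score, raw, counts = weighted_matches(SAMPLE_RULE, text)
        print(f"raw={raw} weighted={score} per-expression={counts} "
              f"violation={is_violation(SAMPLE_RULE, text)}")
```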
31 Quarantine Server
About the Quarantine Server
The WatchGuard Quarantine Server provides a safe mechanism to quarantine any email messages
suspected or known to be spam or to contain viruses, or sensitive data. The Quarantine Server is a
repository for email messages that the SMTP proxy decides to quarantine based on analysis by
spamBlocker, Gateway AntiVirus, or Data Loss Prevention. Granular control allows you to configure
preferences for mail disposition, storage allocation, and other parameters.
You must set up a Quarantine Server if you configure the SMTP proxy to quarantine
email that spamBlocker classifies as spam, or if you configure Gateway AntiVirus or
DLP to quarantine email.
The Quarantine Server provides tools for both users and administrators. Users get regular email
message notifications from the Quarantine Server when they have email sent to the Quarantine Server
by Gateway AntiVirus or spamBlocker. Users can then click a link in the email message to go to a web
site where they can see and manage quarantined messages. For each quarantined message, the web
site shows the sender and the subject of the suspicious email message. For spam email, the user can
release any email messages they choose to their email Inbox, and delete the other messages.
Administrators can configure the Quarantine Server to automatically delete future messages from a
specific domain or sender, or those that contain specified text in the subject line.
Users do not receive notification about email messages quarantined due to a DLP
violation. Messages quarantined by the Data Loss Prevention service can only be
seen and managed by the administrator.
The administrator can see statistics on Quarantine Server activity, such as the number of messages
quarantined during a specific range of dates, and the number of suspected spam messages.
The SMTP proxy adds messages to different categories based on analysis by spamBlocker and
Gateway AntiVirus. The Quarantine Server displays these classifications for quarantined messages:
- Suspected spam: The message could be spam, but there is not enough information to decide.
- Confirmed spam: The message is spam.
- Bulk: The message was sent as commercial bulk email.
- Virus: The message contains a virus.
- Possible virus: The message might contain a virus, but there is not enough information to
decide.
- DLP violation: The message contains content that matches a configured DLP rule.
You install the Quarantine Server as part of the WatchGuard System Manager installation.
To learn about how to set up a Quarantine Server, see the Fireware XTM WSM User Guide at
http://www.watchguard.com/help/documentation/.
Configure the XTM Device to Quarantine Email
After you install and configure the Quarantine Server, you must update the XTM device configuration to
use the Quarantine Server.
There are two steps:
1. Configure the Quarantine Server IP address as described in Define the Quarantine Server
Location on the XTM Device on page 1468.
2. Set up spamBlocker and Gateway AntiVirus actions for the SMTP proxy to quarantine email.
For more information, see Configure spamBlocker to Quarantine Email on page 1352, and
Configure Gateway AntiVirus to Quarantine Email on page 1377.
Define the Quarantine Server Location on the XTM Device
You must define the location of the Quarantine Server in the XTM device configuration. You can use
Fireware XTM Web UI to specify the IP address of the Quarantine Server where the XTM device
sends email messages to be quarantined.
1. Select Subscription Services > Quarantine Server.
The Quarantine Server settings page appears.
2. Type the IP address for the Quarantine Server. We recommend that you do not change the
Quarantine Server port unless asked to do so by a WatchGuard technical support
representative.
3. Click Save.
User Management of Quarantined Messages
When the administrator enables notification on the Quarantine Server in WatchGuard Server Center,
the recipient of quarantined messages receives a notification email message about their quarantined
messages.
The notification message includes:
- Subject and message body text defined by the administrator in the Quarantine Server settings
- A Go to Quarantine Server link to the web page on the Quarantine Server that enables the
user to manage quarantined messages
- A count of the total number of quarantined messages
- A Quarantined Email Report, which lists the 50 most recent quarantined messages
For example, an email notification message might look like this:
The Quarantined Email Report shows the most recently quarantined messages. To see the content of
a quarantined message, click the message subject in the report. The message body appears in the
default web browser.
Manage Quarantined Messages
After users receive a notification message about their quarantined messages, they can go to the
WatchGuard Quarantine Email Web UI to manage their quarantined messages.
1. In the notification message, click Go to Quarantine Server.
The WatchGuard Quarantine Email Web UI appears in the default web browser, with the Messages
page selected.
2. To see the quarantined messages categorized as spam, select the Spam tab.
For each message, the Quarantine Server shows the sender, subject, date and time received, and
type.
3. To see the message type, hover over the Type column for a message.
Message types include:
- Suspected spam
- Confirmed spam
- Bulk
4. To see quarantined messages that might contain a virus, select the Virus tab.
For each message, the Quarantine Server shows the sender, date and time received, and risk level.
5. To see the risk level, hover over the Risk column for a message.
Risk levels include:
- Virus
- Possible virus
6. To see quarantined messages identified by APT Blocker, select the APT tab.
For each message, the Quarantine Server shows the risk level, sender, subject of the message, and
the date and time it was received.
From the Quarantine Email Web UI, the email recipient can delete quarantined messages. For
messages categorized as spam, the recipient can also choose to release the message from quarantine
and send it to the original destination address.
The Quarantine Email Web UI does not enable users to see or manage messages
quarantined by the Data Loss Prevention (DLP) service. Only the administrator can
manage those messages.
Manage Individual Messages
1. To view the message body for a quarantined message, click on the message subject.
The message body appears in a browser dialog box.
2. To delete a virus or spam message from the Quarantine Server, at the bottom of the dialog box,
click Delete.
3. To release the message to the original destination address, click Send to Mailbox.
The Quarantine Server releases the message from quarantine and sends it to the original recipient
address.
Manage Multiple Messages
To manage multiple messages:
1. Select each message to manage.
Selected messages are highlighted, with a check mark in the left column.
2. To take the same action on all selected messages, click a button:
- Send to mailbox: Releases the selected messages from quarantine and sends them to
the original destination address.
- Delete selected: Deletes the selected spam or virus messages from the Quarantine
Server.
- Delete all: Deletes all spam and virus messages from the Quarantine Server.
Change Quarantine Notification Settings
From the Quarantine Email Web UI, the recipient can disable or enable notification settings for
quarantined email.
1. In a notification message, click Go to Quarantine Server.
The Quarantine Email web page appears in the default browser.
2. Select Personal Settings.
3. Select an option:
- Do not notify me: No notification emails are sent to the recipient at the original
destination address.
- Notify me by email: Notification emails are sent to the recipient at the original destination
address.
4. Click Update Settings.