Training
Fireware Essentials Student Guide
WatchGuard Fireboxen
Guide Revised For: Fireware v11.10.5 & Dimension v2.0.1
Revision Date: December 2015
Table of Contents
About the Fireware Essentials Student Guide
Course Introduction
  Training Options
  Training Scenario
  Prerequisites
  Additional Resources
Getting Started
  WSM Components
  WatchGuard Dimension
  Connect to a Firebox
  ANSWERS
  Notes
Administration
  What You Will Learn
  Saving a Configuration
  Configuration Migration
  ANSWERS
  Notes
Network Settings
  About WINS/DNS
  IPv6
  Exercise 1 Configure the External Interface
  ANSWERS
  Notes
Set Up Logging & Servers
  Log Server
  Log Messages
  Log Files
  ANSWERS
  Notes
NAT
  NAT Overview
  Dynamic NAT
  1-to-1 NAT
  Policy-based NAT
  Static NAT
  About Static NAT Source IP Addresses
  NAT Loopback
  Unhandled Packets
  ANSWERS
  Notes
Policies
  Add Policies
  About Aliases
  About FQDN
  Policy Precedence
  Exercise 7 Use Policy Tags and Filters to Group and Sort Policies
  ANSWERS
  Notes
Proxy Policies
  ANSWERS
  Notes
Email Proxies and Blocking Spam
  SMTP Rulesets
  POP3 Rulesets
  spamBlocker Tags
  spamBlocker Categories
  spamBlocker Exceptions
  Control Mail Domain Use for Incoming Traffic to Prevent Mail Relay
  ANSWERS
  Notes
Web Traffic
  WebBlocker Categories
  WebBlocker Exceptions
  WebBlocker Schedules
  WebBlocker Server
  Reputation Scores
  Reputation Thresholds
  Reputation Lookups
  Allow Microsoft Office Documents and ZIP Files Through the HTTP-Proxy
  Create an Exception
  ANSWERS
  Notes
Signature Services and APT Blocker
  DLP Sensors
  DLP Actions
  DLP Settings
  Per-Application Action
  Default Action
  ANSWERS
  Notes
Authentication
  ANSWERS
  Notes
Logging & Reporting
  WatchGuard Reports
  Connect to Dimension
  Run a Search
  View Reports
  ANSWERS
  Notes
Branch Office VPN Tunnels
  BOVPN Overview
  Encryption Algorithms
  Authentication Algorithms
  AH (Authentication Header)
  VPN Negotiations
  Troubleshoot a VPN
  Training Environment
  Network Topology
  Network Configuration
  Configure Device A
  Configure Device B
  Ping From a Device Interface to the Trusted Interface on the Other Device
  Configure Device A
  Configure Device B
  ANSWERS
  Notes
Mobile VPN
  Encryption Support
  Other Considerations
  Allowed Resources
  Training Environment
  Network Topology
  Network Configuration
  BOVPN Configuration
  Exercise 1 Configure Mobile VPN with IPSec and Generate Client Configuration Files
  Create a Mobile VPN with IPSec Configuration
  Required Files
  Log In
  Get Help
  ANSWERS
  Notes
Course Introduction
Firewall Essentials with Fireware v11.10
Devices: WatchGuard Fireboxen
Device OS versions: Fireware v11.10
Training Options
If you use Fireware OS and WatchGuard System Manager (WSM) for your Firebox, there are several training options
available to you:
Classroom training with a WatchGuard Certified Training Partner (WCTP)
WatchGuard maintains a worldwide network of certified training partners who offer regular training courses. A list
of training partners can be found on our website at:
http://www.watchguard.com/training/partners_locate.asp
Quick review presentation
You can download and review the Firewall Essentials presentation. This PowerPoint presentation gives an
overview of WatchGuard System Manager and Policy Manager. Students learn how to install a Firebox with the
Quick Setup Wizard, create basic security policies, and get more information about additional subscription
services.
Fireware Essentials Online Course
Each training module available for WatchGuard System Manager and Fireware OS focuses on a specific feature
or function of configuration and security management.
For more information, including configuration steps for advanced procedures, see Fireware Help.
Training Scenario
Throughout these training modules, we refer to the fictional company, Successful Company. Each module in this
course builds on a story of configuring a firewall and network for Successful Company, but you can complete many of
the exercises using examples from your own network or a set of addresses and situations provided by your
WatchGuard Certified Training instructor. Any resemblance between the situations described for Successful Company
and a real company are purely coincidental.
Prerequisites
This course is intended for moderately experienced network administrators. A basic understanding of TCP/IP
networking is required. No previous experience with network security, WatchGuard System Manager, or WatchGuard
hardware devices is required.
To support all of the exercises in this course, your training environment must include this network equipment:
In most of the exercises, your external interface and trusted interface IP addresses are determined by your student
number. Replace the X in the exercises with your student number.
Eth0 (External): Use appropriate addressing for a training environment with an Internet connection. (This is
optional. Internet access is not required for these exercises.)
Eth1 (Trusted): 203.0.113.1/24. This is the default gateway for the primary external interface on student Fireboxen.
To allow DNS to operate from the training environment, you must also configure a DNS server, in the
Network > Configuration > WINS/DNS tab.
For DNS to function for students, the student devices and computers must also be configured to use
the DNS server.
2. To enable access to the Internet, update the settings in Network > NAT > Dynamic NAT to add a dynamic NAT
entry for Any-Trusted - Any-External.
Or, you can add dynamic NAT rules from RFC 5737 addresses to Any-External (for example, add a dynamic
NAT rule for 203.0.113.0/24 - Any-External).
Additional Resources
For more information about how to install and configure WatchGuard System Manager, see these resources:
Fireware Help
You can launch the Help system from your management computer after you install WSM. To view more
information about the features in a dialog box or application window, click Help or press the F1 key. A topic that
describes the features you see and provides links to additional information appears in your default web browser.
For the most up-to-date information, browse to http://www.watchguard.com/help/documentation/ and launch the
Fireware Help. You can also download the Help system for offline use.
WatchGuard Online Knowledge Base
Browse to http://customers.watchguard.com/.
For information about how to set up an XTMv virtual machine, see:
WatchGuard XTMv Setup Guide
Browse to http://www.watchguard.com/help/documentation/ and download the WatchGuard XTMv Setup
Guide.
Getting Started
Set Up Your Management Computer and Firebox
Use the Quick Setup Wizard to make a basic Firebox device configuration file
Before you begin the exercises in this module, make sure you read the Course Introduction module.
WSM Components
WatchGuard System Manager (WSM) includes several monitoring and configuration tools, including Policy Manager,
Firebox System Manager, HostWatch, Log Manager, Report Manager, and CA Manager. You can start these tools after
you open WSM.
WatchGuard Server Center is the application you use to set up, configure, and manage the five WatchGuard servers,
as well as configure users and groups for role-based administration.
This diagram shows the components of WatchGuard System Manager and how you can get access to them.
If you take this course with a training partner, the servers are installed on the management computer.
You install the WSM management software on a personal computer running Microsoft Windows 7 or higher. We refer to
this computer as your management computer. When you install WSM on your management computer, you have the
option to install any or all of the WatchGuard System Manager servers. When you select to install any of the servers,
WatchGuard Server Center is automatically installed.
Management Server: Manages multiple Fireboxen at the same time and creates virtual private network (VPN)
tunnels with a simple drag-and-drop method.
Log Server: Collects log messages from Fireboxen and servers.
Report Server: Periodically consolidates data collected by your WSM Log Servers and uses this data to
generate the reports that you select.
Quarantine Server: Collects and isolates SMTP email confirmed as spam by spamBlocker, or confirmed to
have a virus by Gateway AntiVirus or by spamBlocker's Virus Outbreak Detection feature.
WebBlocker Server: Provides information for an HTTP-proxy to deny user access to specified categories of
websites.
You can install these servers on your management computer, or you can install them on other computers on your
network that are dedicated to these tasks. Each server has different requirements and may need to be able to connect
to other servers, the Firebox, or the management computer.
WatchGuard WebCenter is the web UI that is installed with your WSM servers, where you can view Log Manager,
Report Manager, and CA Manager. When you install the Log Server, Report Server, or Management Server,
WatchGuard WebCenter is automatically available at the IP address where each server is installed. You can connect to
WebCenter at the IP address of your Log Server, Report Server, or Management Server, over port 4130.
For more information, see the training module related to each server.
WatchGuard Dimension
WatchGuard Dimension is a virtual solution you can use to capture the log data from your Fireboxen, FireClusters,
and WatchGuard servers, generate reports of that data, and to manage your Fireboxen and FireClusters. You can use
Dimension to see log data in real-time, track it across your network, view the source and destination of the traffic, view
log message details of the traffic, monitor threats to your network, and view or generate reports of the traffic. From
Dimension, you can open Fireware Web UI for Fireboxen and FireClusters that are managed by Dimension, take action
on the information you see in the log messages, tools, and reports available in Dimension, and create managed hub-and-spoke VPN tunnels between the Fireboxen managed by Dimension.
After you install Dimension, you run the WatchGuard Dimension Setup wizard to complete the initial configuration of
Dimension. Then, you configure your Fireboxen and WatchGuard servers to send log messages to Dimension and add
Fireboxen to Dimension for management.
In this training course, we only discuss the logging and reporting aspects of Dimension. For more information, see
Logging & Reporting on page 327.
If you take this course with a training partner, your Firebox will already be activated and include the
feature keys you need for the course.
To use RapidDeploy to configure your Firebox, you must connect Interface 0 to a network with
Internet access. For more information about RapidDeploy, see Fireware Help.
Interface 1 (Eth1)
Interface 1 is configured as a Trusted interface, with the IP address 10.0.1.1. It has a DHCP Server enabled, and
is configured to assign IP addresses on the 10.0.1.0/24 subnet. You must connect your computer to interface 1
or to a network connected to Interface 1 when you run the Web Setup Wizard or Quick Setup Wizard.
To connect to the device when you use either setup wizard, your computer must have an IP address on the
10.0.1.0/24 subnet. If your computer uses DHCP, it will get a new IP address automatically after you connect to
interface 1. If your computer does not use DHCP, you must change the IP address to an IP address on the same
subnet as the IP address of Interface 1. For example, 10.0.1.2.
Your instructor will provide you with the information and files you need to configure your Firebox for the
training environment.
A feature key: You receive the feature key when you activate your Firebox on the WatchGuard website. Each
feature key is unique to the serial number of the Firebox. Save a copy of the feature key to the management
computer before you start the Quick Setup Wizard. You can finish the wizard without the feature key, but the
feature key is required to enable all device functionality.
If the Firebox does not have a feature key, it allows only one connection to the Internet.
WSM and Fireware OS on the management computer: WSM is the software installed on the management
computer and WatchGuard servers. Fireware is the operating system (OS) installed with a configuration file on
the Firebox. Download the latest versions of the software and Fireware OS from the WatchGuard Portal. WSM and
Fireware are separate software downloads. You must download and install both packages on your management
computer. The management computer must be on the same network subnet as the device.
Your network information: At a minimum, you must know the IP address of your gateway router and the IP
addresses to give to the external and trusted interfaces of the Firebox. For the training environment, use
203.0.113.1 as the default gateway.
A Firebox: You need a Firebox that has factory-default settings. This can be a new Firebox, or a Firebox that
has been reset to factory-default settings.
For an XTMv device, Fireware OS is included in the XTMv virtual appliance Open Virtual Machine
Format (OVF) file. For more information, see the WatchGuard XTMv Setup Guide at
www.watchguard.com/help/documentation/
When you configure the Firebox with the Quick Setup Wizard or Web Setup Wizard, the wizard adds five basic policies:
Outgoing, FTP packet filter, Ping, WatchGuard WebUI, and WatchGuard. It also sets interface IP addresses.
Your instructor may use the presentation files to show these steps instead of having you do them
yourself.
3. From the list of devices, select the Firebox that you are using for this training session.
4. Configure the device name, location, and contact person.
5. Configure the external interface, Eth0, with these settings. Replace X with your student number.
IP address: 203.0.113.X/24
Default Gateway: 203.0.113.1
6. Configure the trusted interface, Eth1, with these settings: Replace X with your student number.
IP address: 10.0.X.1/24
DHCP enabled, address pool: 10.0.X.2 - 10.0.X.254
7. In the Activate the software step, browse to the feature key file saved on your computer.
8. Set the Status and Configuration passphrases for your device.
You use the Status passphrase to connect to the device with the default Device Monitor user account, status.
You use the Configuration passphrase to connect to the device with the default Device Management user
account, admin.
When you are finished with the wizard, you will have a Firebox which allows all traffic from the trusted and optional
networks to the external network but blocks everything from the external network to the protected networks.
Because you changed the IP address of the trusted interface, the DHCP server on the device will assign your computer
a new IP address in the DHCP address pool you configured. It may take a few minutes for your computer to get a new
IP address.
Connect to a Firebox
From the Windows desktop:
1. Select Start > All Programs > WatchGuard System Manager > WatchGuard System Manager.
WatchGuard System Manager appears.
2. On the main toolbar, click the Connect To Device button.
Or, you can select File > Connect To Device.
3. In the IP Address or Name text box, type the trusted IP address of the Firebox.
Use your Firebox IP address, or get the IP address from your instructor.
To connect to a Firebox with read-only privileges, you use a Device Monitor user account. You can
use the default status Device Monitor user account for this purpose. If you save the configuration file
or add the Firebox to the Management Server as a managed device, you are prompted to type the
credentials for a user account with Device Administrator privileges. The default Device Administrator
user account for your device is the admin user account.
4. In the User Name and Passphrase text boxes, type the credentials for a Device Management user account with
a Device Monitor (read-only) role on your Firebox. The default status account is specified by default.
5. From the Authentication Server drop-down list, select the authentication server for the user you specified.
If you select an Active Directory server, you must also specify the Domain for the server you selected.
6. If necessary, change the value in the Timeout text box.
This value sets the amount of time (in seconds) that WSM waits for an answer from the Firebox before WSM shows a
message that it cannot connect.
If you have a slow network or Internet connection to the device, you can increase the timeout value. If you decrease the
value, you decrease the time you must wait for a time out message if you try to connect to a device that is not available.
7. Click Login.
WSM connects to the Firebox and shows the status of the Firebox on the Device Status tab.
8. On the Device Status tab, click the plus sign (+) to expand the Firebox entry.
Information about the Firebox appears.
You can have more than one version of WSM installed on your computer. However, you can have only
one version of the server components (Management Server, Log Server, Report Server, Quarantine
Server, and WebBlocker Server) installed.
Policy Manager opens in Details view by default.
Task / Tool (WatchGuard System Manager or Policy Manager)
B) Change the device network interfaces
C) Configure a policy for web traffic
3. True or false? When connecting to your Firebox, you should decrease the Timeout setting if you have a slow
network or Internet connection to your Firebox.
4. Which of the following are required before you can use the Quick Setup Wizard to make a basic device
configuration file that allows more than one connection to the Internet? (Select all that apply.)
6. Which of the following are WatchGuard System Manager components? (Select all that apply.)
o A) Log Manager
o B) Router
o C) Policy Manager
o D) Appliance Monitor
o E) Windows Server
o F) Report Server
o G) Management Computer
7. True or false? You must install all WatchGuard servers on one management computer.
8. True or false? You do not have to install a WatchGuard server to use WatchGuard Server Center.
ANSWERS
1. True
You can only use the drag-and-drop method to create a VPN tunnel between two Fireboxen managed by your
WSM Management Server.
2. A) WatchGuard System Manager
B) Policy Manager
C) Policy Manager
3. False
You should increase the Timeout setting if you have a slow network or Internet connection to the Firebox.
4. A, C, D, and G
5. policy
6. A, C, and F
7. False
8. False
Notes
Administration
Manage the Device Configuration
Before you begin these exercises, make sure you read the Course Introduction module.
Policy Manager is an offline configuration tool. When you connect to a Firebox and open the device configuration file
with Policy Manager, you are editing a local copy of the configuration file. Changes you make in Policy Manager have no
effect on Firebox operation until you save them to the Firebox.
If you connect to a Firebox and use Policy Manager to open the configuration file for the Firebox, the Fireware OS
version in the file is automatically set based on the OS version the Firebox uses.
If you use Policy Manager to create a new configuration file, you must select the Fireware OS version before you
can configure some features, such as network settings and Traffic Management.
To set the OS Compatibility version, in Policy Manager select Setup > OS Compatibility.
When you save the configuration to a local file, the feature key is stored as a separate file, in the same
directory as the configuration file. For example, if you save a device configuration with the file name
Example, the configuration file is saved as a file named Example.xml and the feature key is saved in a
file named Example_lic.tgz.
Saving a Configuration
Because Policy Manager is an offline configuration tool, you can save the device configuration to a local file, and you
can save it to a Firebox. Each time you save a configuration to a Firebox, Policy Manager does several checks to make
sure that the settings in the configuration are valid for the Firebox. If any setting is not compatible, Policy Manager
displays a message and does not save the configuration to the Firebox. This could occur, for example, if the OS
Compatibility setting in the file does not match the OS version on the Firebox, or if features are configured in a way that
is not compatible with the OS version on the Firebox.
Configuration Migration
You can use Policy Manager to save the configuration file that was originally created for one Firebox to a different
Firebox. To do this, you must remove the existing feature key from the configuration, and add the feature key for the
new Firebox. When you add the new feature key, Policy Manager automatically updates the model number in the
configuration file. Before you can save the configuration to a different Firebox, you might also need to change other
settings to make the configuration compatible with the new Firebox. For example, you might need to change the OS
Compatibility setting, or modify the Network settings, if the new Firebox has a different number of network interfaces.
For a video demonstration of configuration migration, see the Configuration Migration video available
in the Product Documentation section of the WatchGuard website.
User Name    Default Role            Default Passphrase
admin        Device Administrator    readwrite
status       Device Monitor          readonly
wgsupport    (see note below)        Disabled
When you add Device Management user accounts, you can use the two predefined roles to create new user accounts
to monitor and manage your Firebox. User accounts that are assigned the Device Monitor role can connect to the
Firebox with read-only permissions to monitor the Firebox, but cannot change the configuration file. User accounts that
are assigned the Device Administrator role can connect to the Firebox to change the configuration file and monitor the
Firebox. More than one Device Monitor can always connect to the Firebox at the same time. But, you must enable the
option to allow more than one Device Administrator to log in to the Firebox at the same time. If you do not enable this
option, only one Device Administrator can log in to the Firebox at a time.
The wgsupport user account is disabled by default. This account is for WatchGuard Technical Support access to your
Firebox. You can enable it and specify a passphrase for it if you need to enable access to your Firebox for WatchGuard
Technical Support. We will not enable or modify this user account in this course.
You can use these authentication servers for Device Management user accounts on your Firebox:
Firebox-DB
Active Directory
LDAP
RADIUS
The default Device Management user accounts use the Firebox-DB authentication server.
For external authentication servers (not Firebox-DB), make sure to add the user account to the authentication server
before you add the user account to your Firebox. The user account credentials that you specify for the user accounts on
your Firebox are case-sensitive and must match the user credentials as they are specified on the external
authentication server.
Policy Manager is an offline configuration tool. Fireware Web UI and the CLI are online configuration
tools.
An offline configuration tool lets you make many changes to a configuration file without sending the
changes to the Firebox.
An online configuration tool is designed to immediately send all changes to the Firebox.
Most of the time, when you want to manage your Firebox configuration, you use WatchGuard System Manager (WSM)
to connect to the Firebox and launch Policy Manager. When you do this, WSM loads the current device configuration file
in Policy Manager. You can save a copy locally and then open this local copy in Policy Manager any time you want to
work offline.
In this exercise, you open the current configuration file for your Firebox and save it to your local hard drive:
1. Open WatchGuard System Manager and connect to your Firebox.
If you are not familiar with this procedure, see the Getting Started module, or ask your instructor.
2. Click the Policy Manager button.
Or, select Tools > Policy Manager.
Policy Manager starts and loads the configuration file currently on your Firebox.
3. Select File > Save > As File.
The Save dialog box appears.
If you lose the passphrase for the admin account, and you do not know the passphrase for any other account with
Device Administrator privileges, you cannot save configuration changes to the Firebox.
If you have lost the admin passphrase and you have a saved configuration file, you can regain administrative access to
the Firebox without losing the configuration settings. To do this, you must reset the Firebox to factory-default settings,
and then use the default admin account, with its default passphrase readwrite, to save the configuration to the Firebox
from Policy Manager.
When you use the Quick Setup Wizard to configure your Firebox, a policy that allows you to connect to and administer
the Firebox from any computer on the trusted or optional networks is automatically created. If you want to manage the
Firebox from a remote location (any location external to the Firebox), then you must change your configuration file to
allow administrative connections from your remote location.
The packet filter policy that controls administrative connections to the Firebox is WG-Firebox-Mgmt. The Quick Setup
Wizard adds this policy with the name WatchGuard. This policy controls access to the Firebox on TCP ports 4105,
4117, and 4118. When you allow connections in the WatchGuard policy, you also allow connections to each of these
ports.
Before you change a policy to allow connections to the Firebox from a computer external to your network, it is a good
idea to consider these alternatives:
Is it possible to connect to the Firebox with a VPN? This greatly increases the security of the connection. If you
can connect with a VPN, then you do not need to allow connections from a computer external to your network. If
it is not possible to connect to the Firebox with a VPN, you might want to consider using authentication as an
additional layer of security.
It is more secure to limit access from the external network to the smallest number of computers possible. For
example, it is more secure to allow connections from a single computer than it is to allow connections from the
alias Any-External.
To restrict or expand access to the Firebox, edit the From list in the WatchGuard policy.
You can allow connections to the Firebox from external networks by adding the Any-External alias (or a specific
IP address, user name or group name).
You can restrict connections to the Firebox from internal locations by removing the Any-Trusted and Any-Optional aliases and replacing them with the specific IP addresses from which you want to allow access.
You can remove all IP addresses and aliases, and replace them with user names or group names. When you do
this, you force users to authenticate before they are allowed to connect to the Firebox.
If you decide to allow connections to the Firebox from Any-External, it is especially important that you set very strong
Device Management passphrases. It is also a good idea to change your passphrases at regular intervals.
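As an added example (not code from the student guide or from WatchGuard), this Python audit applies the advice above on the WatchGuard policy's From list, together with the default-account table earlier in this module, to a hand-built, simplified model of the configuration. The Policy and Account classes, the audit functions, the "user:"/"group:" member prefixes and the sample values are this example's own assumptions, not Fireware's configuration format.

```python
"""Management-access audit for a Firebox configuration (added example, not
WatchGuard code). It works on a hand-built, simplified model of two things this
module describes: the From list of the WatchGuard (WG-Firebox-Mgmt) policy and
the Device Management accounts. Member naming is this example's own convention:
aliases as written ("Any-External"), addresses as plain strings, and
authenticated principals as "user:<name>" or "group:<name>"."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# TCP ports the WG-Firebox-Mgmt packet filter opens (from the module text).
MGMT_PORTS: Set[int] = {4105, 4117, 4118}
# Default passphrases of the predefined accounts; wgsupport ships disabled.
DEFAULT_PASSPHRASES = {"admin": "readwrite", "status": "readonly"}
INTERNAL_ALIASES = {"Any-Trusted", "Any-Optional"}

Finding = Tuple[str, str]  # (severity, message)


@dataclass
class Policy:
    name: str
    filter_type: str      # packet filter type, e.g. "WG-Firebox-Mgmt"
    ports: Set[int]
    from_list: List[str]  # aliases, addresses, "user:..." or "group:..."


@dataclass
class Account:
    name: str
    role: Optional[str]   # "Device Administrator" or "Device Monitor"
    enabled: bool
    passphrase: str


def audit_mgmt_policy(policy: Policy) -> List[Finding]:
    """Apply the module's advice on who may reach the management ports."""
    findings: List[Finding] = []
    if policy.filter_type != "WG-Firebox-Mgmt":
        return findings                      # only the management policy matters here
    if policy.ports != MGMT_PORTS:
        findings.append(("medium", f"{policy.name}: ports {sorted(policy.ports)} "
                         f"differ from the WG-Firebox-Mgmt set {sorted(MGMT_PORTS)}"))
    members = set(policy.from_list)
    principals = {m for m in members if m.startswith(("user:", "group:"))}
    if "Any-External" in members:
        findings.append(("high", f"{policy.name}: Any-External can reach the management "
                         "ports; prefer a VPN, a single external address, or user/group "
                         "authentication"))
    internal = members & INTERNAL_ALIASES
    if internal and not principals:
        findings.append(("low", f"{policy.name}: whole internal aliases "
                         f"{sorted(internal)} may connect without authentication; "
                         "consider specific addresses or user/group names"))
    return findings


def audit_accounts(accounts: List[Account], external_access: bool) -> List[Finding]:
    """Flag default passphrases (worse when Any-External is allowed) and an enabled wgsupport."""
    findings: List[Finding] = []
    for acct in accounts:
        default = DEFAULT_PASSPHRASES.get(acct.name)
        if default is not None and acct.enabled and acct.passphrase == default:
            severity = "high" if external_access else "medium"
            findings.append((severity, f"account {acct.name} still uses its default passphrase"))
        if acct.name == "wgsupport" and acct.enabled:
            findings.append(("medium", "wgsupport is enabled; leave it disabled unless "
                             "WatchGuard Technical Support needs access"))
    return findings


def audit(policies: List[Policy], accounts: List[Account]) -> List[Finding]:
    """Run both audits; policy findings first, then account findings."""
    findings: List[Finding] = []
    external_access = False
    for policy in policies:
        findings += audit_mgmt_policy(policy)
        if policy.filter_type == "WG-Firebox-Mgmt" and "Any-External" in policy.from_list:
            external_access = True
    findings += audit_accounts(accounts, external_access)
    return findings


# Constructed sample: the wizard-created WatchGuard policy after someone added
# Any-External, with the default accounts untouched (the wgsupport role is not
# described in this module, so it is left as None).
SAMPLE_POLICIES = [
    Policy("WatchGuard", "WG-Firebox-Mgmt", {4105, 4117, 4118},
           ["Any-Trusted", "Any-Optional", "Any-External"]),
    Policy("Outgoing", "Any", set(), ["Any-Trusted", "Any-Optional"]),
]
SAMPLE_ACCOUNTS = [
    Account("admin", "Device Administrator", True, "readwrite"),
    Account("status", "Device Monitor", True, "readonly"),
    Account("wgsupport", None, False, ""),
    Account("example-co_admin", "Device Administrator", True, "Example4"),
]
# Hardened From list following the module's advice: one external address plus an
# authenticated group (203.0.113.50 is a constructed RFC 5737 address).
HARDENED_POLICY = Policy("WatchGuard", "WG-Firebox-Mgmt", {4105, 4117, 4118},
                         ["203.0.113.50", "group:firebox-admins"])

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_POLICIES, SAMPLE_ACCOUNTS):
        print(f"[{severity}] {message}")
    print("hardened policy findings:", audit_mgmt_policy(HARDENED_POLICY))
```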
Your instructor might ask you to complete these steps. This will enable your instructor to troubleshoot
configuration issues from his computer later in the class.
To use Policy Manager to configure the WatchGuard policy to allow administrative access from an external computer at
a specific IP address:
1. Double-click the WatchGuard policy.
Or, right-click the WatchGuard policy and select Edit.
The Edit Policy Properties dialog box appears.
The name of this policy is WatchGuard, but the packet filter type is WG-Firebox-Mgmt. This policy is specifically
designed to be used for administration of the Firebox.
2. In the Administrator Passphrase text box, type the default passphrase for the default admin user account,
readwrite.
3. Click OK.
The Manage Users and Roles dialog box appears.
4. Click Add.
The Add User dialog box appears.
5. In the User Name text box, type a name for the new Device Administrator user account, example-co_admin.
6. From the Authentication Server drop-down list, keep the default selection, Firebox-DB.
7. From the Role drop-down list, select Device Administrator.
8. In the Passphrase and Confirm Passphrase text boxes, type the passphrase for the new Device Administrator
user account, passphrase.
9. Click OK.
The example-co_admin user appears in the Manage Users and Roles list.
11. In the User Name text box, type a name for the new Device Monitor user account, example-co_monitor.
12. From the Authentication Server drop-down list, keep the default selection, Firebox-DB.
13. From the Role drop-down list, select Device Monitor.
14. In the Passphrase and Confirm Passphrase text boxes, type the passphrase for the new Device Monitor
user account, passphrase.
15. Click OK.
The example-co_monitor user appears in the Manage Users and Roles list.
16. Click OK to close the Manage Users and Roles dialog box.
The new user accounts are automatically saved to the Firebox.
17. Close Policy Manager for the Firebox and disconnect from the Firebox in WSM.
18. In WSM, connect to your Firebox with the new example-co_admin user account credentials.
19. Start Policy Manager.
Now that you are connected to the Firebox with the new Device Administrator user account, example-co_admin, when
you make changes to your Firebox configuration file, the audit trail will show that the example-co_admin user account
made the changes to the configuration.
Complete this exercise in class only if your instructor requests that you do so and provides you with
an updated feature key.
3. Click Import.
The Import Firebox Feature Key dialog box appears.
You can also use Firebox System Manager to create and restore a device backup image to a USB
drive connected to the Firebox. For more information, see Fireware Help.
2. In the Administrator Passphrase text box, type Example4, the read-write passphrase for the example-co_admin
user account.
3. Click OK.
The second Backup dialog box appears.
4. Type and confirm an Encryption Key. For this exercise, type MyStrongKey.
This key is used to encrypt the backup file. If you lose or forget this encryption key, you cannot restore the backup file.
The encryption key is case-sensitive.
5. In the Back up image to text box, select the location to save the backup file.
6. Click OK.
The default location for a backup file with a .fxi extension is:
n
When you restore the backup image, you must specify a name and passphrase for a user with administrative privileges,
and you must type the encryption key you specified when you created the backup image. For this exercise, do not
restore the backup image to the Firebox.
Restoring a saved backup image is the only method to downgrade a Firebox without first resetting the
Firebox to factory-default settings.
5. From the Time zone drop-down list, select your local time zone.
Select the time zone of the Firebox itself. This enables you to synchronize reports from Fireboxen in multiple
time zones.
6. Click OK.
o A) Daily
o B) Weekly
o C) Monthly
o D) Each time you make a substantial change to the configuration
o E) Never
6. Which of the following information is used by WatchGuard System Manager applications to identify a Firebox?
(Select all that apply.)
o A) Firebox Name
o B) System administrator name
o C) Encryption key
o D) Model number
o E) External IP address
ANSWERS
1. False.
You can add many Device Administrator user accounts to your Firebox.
2. Device Administrator
3. B (GMT+09:00) Osaka, Sapporo, Tokyo. Set the Firebox time zone to its physical location.
4. True. You can save the device configuration file to any local disk drive, including a USB flash drive or a
network share.
5. D
6. A, D, E
Network Settings
Configure Firebox Interfaces
Before you begin these exercises, make sure you read the Course Introduction module.
The only difference between trusted, optional, and custom interfaces is which aliases the interface is a member of.
Make sure to add enough IP addresses to the address pool to support the number of clients on your network. For
example, in the configuration shown here, the DHCP server can assign IP addresses to a maximum of 99
DHCP clients. When the 100th client requests an IP address, that request fails, and that client cannot connect.
You can also configure the device for DHCP relay. When you use DHCP relay, computers behind the device can use a
DHCP server on a different network to get IP addresses. The device sends the DHCP request to a DHCP server at a
different location than the DHCP client. The device sends the DHCP server reply to the computers on the trusted or
optional network. This option lets computers in more than one office use the same IP address range.
About WINS/DNS
Several Fireware features use Windows Internet Name Server (WINS) and Domain Name System (DNS) server IP
addresses. These servers must be accessible from the trusted interface of the device. For example, this information is
used by mobile VPNs. Use only an internal WINS and DNS server, so that you do not create policies whose
configuration prevents users and services from connecting to the DNS server.
Drop-in Mode and Bridge Mode are less commonly used, and have these characteristics:
Drop-In Mode: All of the Firebox interfaces are on the same network. You specify an IP address to use to manage
the device.
Bridge Mode: NAT is not used in Bridge Mode. Traffic sent or received through the device appears to come from its
original source.
Here are some examples of situations when secondary networks can be useful:
Network Consolidation
If you want to remove a router from your network, you can add the router IP address as a secondary IP address
on the firewall when the router is shut down. Any hosts or routers that are still sending traffic to the old router IP
address would then send traffic to the firewall.
Network Migration
Secondary addresses can help you avoid a network outage if you want to migrate your trusted network from one
subnet to another. For example, if you currently use 192.168.1.1/24 as the primary interface IP address, and you
change the interface IP address to 10.0.10.1/24, this could cause a network outage, while the devices that use
DHCP get an IP address on the new subnet. Also, any devices that use a static IP address cannot connect until
you reconfigure them with an IP address on the new subnet. To avoid the outage, add the old IP address as a
secondary network, so that devices can still use IP addresses on the old subnet during the migration. When you
configure a secondary network, the devices that use DHCP get an IP address on the new subnet when they
renew their DHCP lease, without an outage. Devices that use a static IP address can continue to use the old
subnet until you have time to update their IP addresses. After all devices have been migrated to the new subnet,
you can remove the secondary IP address from the interface.
Static NAT to Multiple Servers
If your device uses a static external IP address, you can add an IP address that is on the same subnet as your
primary external interface as a secondary network. You can then configure static NAT rules to send traffic to the
appropriate devices on that network. For example, configure an external secondary network with a second public
IP address if you have two public web servers and you want to configure a static NAT rule for each server.
You can also add secondary networks to the external interface of a device if the external interface is configured to get its
IP address through PPPoE or DHCP. You can add up to 255 secondary networks per device interface.
For information about dynamic routing, see the Network and Traffic Management courseware.
A router, or a network device such as a Firebox, stores information about routes in a routing table. The device looks in
the routing table to find a route to send each received packet toward its destination.
To add a static route, in Policy Manager, select Network > Routes.
n Route Type: This is automatically set to Static Route. If you have configured a BOVPN virtual interface, you
can also select BOVPN Virtual Interface Route.
n Destination Type: Specifies whether the destination is an IPv4 or IPv6 network or host.
n Route To: The destination IP address.
n Gateway: The IP address to route the traffic through.
n Metric: The metric sets the priority for the route. If the routing table includes more than one route to the same
destination, the Firebox uses the route that has the lower metric.
n Interface: For a route to an IPv6 destination, you can optionally select the IPv6-enabled interface to use for the
route. For a BOVPN Virtual Interface Route, you must select the BOVPN virtual interface to use for the
route.
You can see the routes for your Firebox in Firebox System Manager, on the Status Report tab.
The routing table includes:
n Routes to networks for all enabled Firebox interfaces and BOVPN virtual interfaces
n Static network routes or host routes you add to your configuration
n Routes the Firebox learns from dynamic routing processes that are enabled on the device
n The default route, which is used when a more specific route to a destination is not defined. This is the gateway IP
address you specify for your external interface
Each route in the routing table has an associated metric. If the routing table includes more than one route to the same
destination, the Firebox uses the route that has the lower metric. For a static route, you manually set the metric, to
control the priority of each route. If you use dynamic routing, the dynamic routing protocol automatically sets the metric
for each route.
VLANs VLANs (Virtual Local Area Networks) are an advanced network feature that allow you to group
devices by traffic patterns instead of by physical network access. You can use VLANs to connect devices on
different networks so that they appear to be part of the same network.
Link Aggregation Link Aggregation is an advanced network feature that allows you to group physical
interfaces together to work together as a single logical interface. You can use a link aggregation interface to
increase the cumulative throughput beyond the capacity of a single physical interface, and to provide redundancy
if there is a physical link failure.
Multi-WAN The multi-WAN feature allows you to send network traffic to multiple external interfaces. This is
useful when you want to have a backup Internet connection, or if you want to divide your outgoing network traffic
between multiple physical interfaces. Multi-WAN settings do not apply to incoming network traffic, and you can
only use this feature in Mixed Routing mode.
FireCluster If you have two Fireboxen of the same model, you can configure the two devices as a FireCluster
for high availability and load sharing.
IPv6
Fireware supports IPv6 only when the Firebox is configured in mixed routing mode. You can configure IPv6 interface
addresses, and you can use DHCPv6 on any interface that has IPv6 enabled. When IPv6 is enabled, you can:
n
n
n
n
n
WatchGuard continues to add more IPv6 support to Fireware for all Firebox models. For the
WatchGuard IPv6 roadmap, see http://www.watchguard.com/ipv6/index.asp.
Fireware supports basic routing and some filtering of IPv6 traffic. However, some security and networking features do
not apply to IPv6 traffic. If you enable IPv6 on an interface, you should treat this as a bridged connection. Fireware
security features such as proxies, some default packet handling options, and most security services do not apply to
IPv6 traffic. For more information about IPv6 support, see the Fireware Help.
The exercises in this training focus on device configuration in an IPv4-only environment.
The external interface must be configured with a static IP address for the exercises in the VPN
modules. If you configured the external interface for DHCP or PPPoE, at the end of this exercise set
the external interface to use a static IP address.
If you are in a classroom, get the address information for this exercise from your instructor.
If you used the Quick Setup Wizard to configure your device in the Getting Started exercises, your device already has a
static IP address configuration.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
6. In the Default Gateway text box, type 203.0.113.1.
7. Click OK.
The external IP address appears in the Network Configuration dialog box.
3.
4.
5.
6.
7.
For most DHCP connections, you do not need to configure any additional settings.
8. Click OK.
DHCP appears in the IP Address column in the Network Configuration dialog box.
After you configure an external interface to use PPPoE, you can optionally configure secondary
PPPoE interfaces on the PPPoE tab.
2.
3.
4.
5.
6.
8. Click OK.
PPPoE appears in the IP address column in the Network Configuration dialog box.
The external interface must be configured with a static IP address for the exercises in the VPN
modules later in this training. If you configured the external interface for DHCP or PPPoE, at the end
of this exercise set the external interface to use a static IP address.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12. From the Leasing Time drop-down list, select 24 hours.
4.
5.
6.
7.
8.
9. Click OK.
The new settings appear for Interface 2.
You are not required to enter more than one DNS server. However, we recommend that you add more than one
DNS server to make sure that users can still get DNS name resolution when the primary server is not available.
5. In the WINS Servers text boxes, type 10.0.X.53 and 10.0.2.53.
These are the IP addresses for the internal WINS servers for this exercise.
6. Click OK.
If you use any other IP address range, you can have a conflict. For example, if you configure your trusted
network with the IP address 206.253.208.100/24, any user on the trusted network who tries to go to the
WatchGuard website fails, because 206.253.208.100 is the IP address of the WatchGuard website. The
Firebox would route 206.253.208.100 traffic to the trusted interface instead of through the external interface to the
WatchGuard website server.
What is slash notation?
Slash notation, also known as CIDR (Classless Inter-Domain Routing) notation, is a shorter way to write an
IPv4 address and its subnet mask together.
To find the slash number for a subnet mask:
1. Convert the subnet mask to binary.
2. Count each 1 bit in the subnet mask.
Some of the most common network masks are:
Network Mask      Slash
255.0.0.0         /8
255.255.0.0       /16
255.255.255.0     /24
255.255.255.128   /25
255.255.255.192   /26
255.255.255.224   /27
255.255.255.240   /28
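The slash-notation conversion and the routing lookup described above, as an added example that is not part of the original guide: it converts between dotted-decimal masks and slash numbers (rejecting a mask that is not a contiguous run of 1 bits), and then applies the routing-table rule from the Static Routes section (most specific route first, lower metric between routes to the same destination) to show why a trusted network configured on 206.253.208.0/24 captures traffic meant for the WatchGuard website. The routing table, interface names and gateway addresses are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def is_contiguous_mask(mask: str) -> bool:
    """True if the dotted-decimal mask is a run of 1 bits followed only by 0 bits."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    return bits == ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF)


def mask_to_prefix(mask: str) -> int:
    """Slash number for a subnet mask: convert to binary and count the 1 bits."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"{mask} is not a valid subnet mask")
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def prefix_to_mask(prefix: int) -> str:
    """Dotted-decimal mask for a slash number (the reverse of the table above)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))


@dataclass
class Route:
    network: ipaddress.IPv4Network
    interface: str          # interface the packet leaves on
    gateway: Optional[str]  # next hop, or None for a directly connected network
    metric: int             # lower metric wins between routes to the same destination


def select_route(table: List[Route], dest: str) -> Optional[Route]:
    """Pick the route for dest: the most specific (longest prefix) match wins, and
    between routes to the same destination the lower metric wins."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


# Constructed sample routing table (not taken from a real Firebox). The default
# route uses the exercise gateway 203.0.113.1; the two static routes to 10.0.2.0/24
# differ only in metric, so the one with metric 5 is preferred.
SAMPLE_TABLE = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "External", "203.0.113.1", 1),
    Route(ipaddress.IPv4Network("203.0.113.0/24"), "External", None, 0),
    Route(ipaddress.IPv4Network("10.0.1.0/24"), "Trusted", None, 0),
    Route(ipaddress.IPv4Network("10.0.2.0/24"), "Trusted", "10.0.1.254", 5),
    Route(ipaddress.IPv4Network("10.0.2.0/24"), "Optional", "10.0.3.254", 10),
]


def with_conflicting_trusted_network(table: List[Route]) -> List[Route]:
    """Copy of the table with the trusted interface on a public range, as in the
    guide's 206.253.208.100/24 example, so the conflict can be observed."""
    return table + [Route(ipaddress.IPv4Network("206.253.208.0/24"), "Trusted", None, 0)]


if __name__ == "__main__":
    for mask in ("255.0.0.0", "255.255.255.0", "255.255.255.192", "255.255.255.125"):
        label = f"/{mask_to_prefix(mask)}" if is_contiguous_mask(mask) else "invalid mask"
        print(f"{mask} -> {label}")
    website = "206.253.208.100"
    print(website, "leaves via", select_route(SAMPLE_TABLE, website).interface)
    conflict = with_conflicting_trusted_network(SAMPLE_TABLE)
    print(website, "leaves via", select_route(conflict, website).interface, "(conflict)")
    print("10.0.2.7 next hop", select_route(SAMPLE_TABLE, "10.0.2.7").gateway)
```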
o A) An IP address
o B) A default gateway address
o C) A subnet mask
o D) A password or passphrase
o E) A user name
2. True or false? If you use DHCP on the external interface of the Firebox, you can configure a secondary network
for the external interface.
3. True or false? You can configure the Firebox as a DHCP server.
4. What features use the WINS/DNS settings in the Network Configuration dialog box?
(Select all that apply.)
7. Which of these items is NOT a method used to assign an IP address to the external interface of a Firebox?
(Select one.)
o A) Static addressing
o B) DHCP
o C) PPPoE
o D) PPPoA
8. True or false? Only the trusted interface of a Firebox is able to assign IP addresses as a DHCP Server.
9. True or false? Firewall proxy policies apply to both IPv4 and IPv6 network traffic.
ANSWERS
1. A, B, C
2. True
3. True
4. A, C, E
5. False
6. C
7. D
8. False
9. False
Set up a WSM Log Server and set up and configure a WSM Report Server
In this module, you will connect to one or more Fireboxen, WatchGuard servers, and an instance of WatchGuard
Dimension. If you take this course with a WatchGuard Certified Training Partner, your instructor will provide the IP
address and passphrases for the devices, servers, and instance of Dimension used in the exercises.
Before you begin these exercises, make sure you read the Course Introduction module.
Run the Dimension Setup Wizard to configure the settings for your instance of Dimension.
WatchGuard System Manager Log Server and Report Server
You can install your Log Server and Report Server on your management computer or another computer in your
network. The servers can be installed on the same computer or on different computers. You can install more than
one Log Server on your network, but you can only install one Report Server.
a. Run the WatchGuard Server Center Setup Wizard to set up your Log Server and Report Server.
If your Log Server and Report Server are on different computers, you must run the wizard on each computer to
set up each server separately.
2. Configure your Firebox to send log messages to your Dimension server and/or WSM Log Server.
Specify the IP addresses of one or more servers where your Firebox sends log messages, set the priority for your
servers, and enable logging in your policies.
After you complete the installation and configuration process you can review log messages and reports for your
Fireboxen:
1. Review log messages:
n WatchGuard Dimension
n WatchGuard WebCenter Log Manager
Log Server
Both Dimension and the WSM Log Server can collect log messages from your Fireboxen and WatchGuard servers.
Dimension and the WSM Log Server can also send notification messages when a notification request is received from
the Firebox.
You can install the WSM Log Server software on your management computer, or on a different computer by selecting to
install only the Log Server component when you install WSM. For Dimension, the server component that stores log
messages is automatically installed when you deploy the Dimension VM and run the Dimension Setup Wizard.
In addition to installing the software, you must configure the Dimension server or WSM Log Server with a Log Server
encryption key. Your Fireboxen and WatchGuard servers use this key to encrypt log messages sent to Dimension or
the WSM Log Server. The same key must be specified on both the Firebox or server, and on Dimension or the WSM
Log Server. The encryption key must be no less than eight and no more than 32 characters. You set the Log Server
encryption key when you configure the Log Server settings in the Dimension Setup Wizard or the WatchGuard Server
Center Setup Wizard. One Dimension server or WSM Log Server can receive and store log messages from many
Fireboxen and WatchGuard servers.
If you install the WSM Log Server on a computer with a desktop firewall other than Windows Firewall, to enable the Log
Server to connect through the firewall, you must open TCP ports 4107 and 4115 on that firewall. If you use the default
Windows firewall, you do not have to change your configuration. To use Dimension, you must make sure that you can
make connections to Dimension over TCP ports 22, 443, and 4115.
Your Firebox can send log messages to one or more Dimension servers or WSM Log Servers at the same time. If you
specify a backup server for the primary Dimension server or WSM Log Server, the backup server is used only when the
primary server becomes unavailable.
Log Messages
An important feature of a good network security policy is to collect log messages from your security systems, examine
those messages frequently, and keep them in a log file archive. You can use these log files to monitor your network
security and activity, identify any security risks, and address them. Both WatchGuard System Manager and
WatchGuard Dimension include strong and flexible tools to help you monitor and examine your log messages.
In addition to your Dimension server or your WSM Log Server, Fireboxen can send log messages to a syslog server or
keep a limited number of log messages locally. You can choose to send log messages to one or more of these locations
at the same time.
A Firebox sends five types of log messages: Traffic, Alarm, Event, Debug, and Statistic. Each log message includes
the name of the log type as part of the log message.
Traffic Log Messages
The Firebox sends traffic log messages as it applies packet filter and proxy policy rules to traffic that goes
through the Firebox.
If your Firebox runs Fireware OS v11.10.5 or higher, for packet filter allowed traffic, you can separately select to
send log messages for logging purposes (which you can see in Traffic Monitor or Log Manager) or only for
reporting purposes (these log messages are only used in reports and do not appear in Traffic Monitor or Log
Manager).
Log Files
The Firebox sends log messages to a primary or backup Dimension server or WSM Log Server.
For a WSM Log Server, log messages are stored in a PostgreSQL database file in the location you specify when you run
the setup wizard. We recommend that you select the built-in directory location for your operating system. For Windows
10, 8, and 7, the built-in directory location is:
C:\ProgramData\WatchGuard\logs
For a Dimension server, log messages are also stored in a PostgreSQL database, which is automatically located in the
default location when you deploy your Dimension VM and run the Dimension Setup Wizard.
For both Dimension servers and WSM Log Servers, you can select to use an external PostgreSQL database.
The passphrase you want the administrator to use (must be at least 8 characters)
The Management Server license key
The IP address of the Log Server
The encryption key you want to use for the Log Server (8-32 characters, no spaces or slashes)
The directory location where you want to keep your log files
2. Review the Welcome page to make sure you have all the information required to complete the wizard. Click
Next.
The General Settings - Identify your organization name page appears.
5. Select Yes.
6. Type the external IP address and passphrases for your gateway Firebox. Click Next.
The Management Server - Enter a license key page appears.
7. Type the license key for your Management Server and click Add. Click Next.
The Log Server - Set an encryption key and database location page appears.
8. Type and confirm the Encryption key to use for the secure connection between the Firebox and the Log Server.
9. Select the Database location for your Log Server database.
10. Click Next.
The Review Settings page appears.
The first step after the Log Server is installed is to run the WatchGuard Server Center Setup Wizard. This wizard
completes the basic setup for all the WatchGuard servers you have installed on this computer. After you set up
WatchGuard Server Center, you can configure the Log Server.
2. In the Maximum Database size text box, type the maximum allowable size in gigabytes for the Log Server
database.
Make sure that this setting, combined with the maximum size you specify for the Report Server database, does not
exceed 50% of the disk space on the server computer.
5. In the Database Backup Settings section, select the Backup log messages automatically checkbox.
6. In the Backup log data every text box, type or select 7.
This sets the frequency of backups to once a week.
To use an existing PostgreSQL database on another computer, select the External PostgreSQL
database option.
7. In the Notification Setup section, in the Send email to text box, type administrator@myexample.com.
8. In the Send email from text box, type netadmin@myexample.com.
9. In the Subject text box, type Log Server Notification.
7. Select the Log Server IP address in the list, and click Edit.
The Edit Event Processor dialog box appears.
8. In the Encryption Key and Confirm Key text boxes, type myencryptionkey.
9. Click OK to close the Edit Event Processor dialog box.
10. Click OK to close the Configure Log Servers dialog box.
11. Click OK to close the Logging Setup dialog box.
12. Save the configuration file to the Firebox.
13. Repeat Steps 4-12 for each device that sends log messages to this Log Server.
If the Firebox and Dimension server or WSM Log Server do not connect, add the encryption keys in
the Firebox configuration again. The most common cause of connection problems is encryption keys
that do not match.
Because the Firebox can send the same log messages to two Log Servers at the same time, the Successful Company
administrator configures two different sets of Log Servers. For each set, he must configure a primary Log Server, but
backup servers are optional. The administrator has both a Dimension server and a WSM Log Server, so he configures his
Firebox to send log messages to both servers simultaneously.
In this exercise, we use Policy Manager to configure the Firebox to send log messages to both a Dimension server and
a WSM Log Server.
1. Open the configuration file for your Firebox.
2. Select Setup > Logging.
The Logging Setup dialog box appears.
3. Select the Send log messages to these WatchGuard Log Servers check box. Click Configure.
The Configure Log Servers dialog box appears, with the Log Servers 1 tab selected by default.
4. Click Add.
The Add Event Processor dialog box appears.
5. In the Log Server Address text box, type the IP address for your WSM Log Server (your management computer
IP address).
For this exercise, we put the WSM Log Server on the Successful Company trusted network at 10.0.1.17.
11. In the Log Server Address text box, type the IP address for your Dimension server.
For this exercise, we put the Dimension server on the Successful Company trusted network at 10.0.1.27.
15. Click OK again to close the Configure Log Servers dialog box.
The Logging Setup dialog box appears.
17. If you have access to a Firebox for this lesson, save the configuration file to the Firebox.
Example of the Logging and Notification settings for a packet filter policy that allows connections.
For proxy policies or packet filter policies that deny or reset connections through the Firebox, the administrator can only
select to send log messages that appear in both Traffic Monitor and Log Manager and are also used to generate reports.
The Successful Company administrator can also set custom notification rules for each policy. These rules tell the
Firebox which events should trigger a notification. Notifications can occur through email, a pop-up window on your
management computer, or with a Simple Network Management Protocol (SNMP) trap. An SNMP trap is a notification
event issued by a managed device to the network SNMP manager when a significant event occurs.
For this exercise, the Successful Company administrator will edit a packet filter policy that allows connections to send
log messages that can be viewed in Traffic Monitor and included in reports. Because the administrator wants to receive
an email notification message, we will configure the notifications settings to send a notification by email.
To enable logging in your policies:
1. Open the Firebox configuration file in Policy Manager.
2. Add or edit a packet filter policy.
3. Select the Properties tab and click Logging.
The Logging and Notification dialog box appears. The options included in the dialog box will be different depending
on the type of policy you selected.
4. To see log messages in Traffic Monitor and Log Manager, and to generate log messages to include in reports,
select both the Send a log message and the Send a log message for reports check boxes.
5. To send email notification messages to the administrator, select the Send notification check box and select the
Email option.
6. Click OK to save the logging and notification settings in the policy.
7. Click OK to save the policy changes.
8. Save the configuration to the Firebox.
5. In the IP address text box, type the IP address of your WSM Log Server.
In most training environments, this is the same IP address as your management computer.
7. Click OK.
The IP address of the WSM Log Server appears in the list of Log Servers. A single Report Server can consolidate data
from more than one Log Server.
2. In the Number of records included in each summary report text box, type 75.
3. In the Report Schedules section, click Add.
The New Schedule dialog box appears.
4. In the Schedule Name text box, type the name for this schedule.
For this example, type All Devices - No GAV-IPS.
5. In the Devices list, select the check box for each Firebox to include in this report generation schedule.
For this example, select the All Devices check box.
6. In the Report types list, select the check box for each report to include in this schedule.
For this example, clear the Gateway AntiVirus Reports and Intrusion Prevention Service Reports check
boxes.
7. In the Report Schedule section, select Run recurrently.
8. From the Run recurrently drop-down list, select Weekly.
9. From the Recur every week on drop-down list, select Monday.
10. In the Range of recurrence section, keep the default setting of No end date.
11. Select the Advanced Settings tab.
18. Click Apply to save your configuration changes to the Report Server.
o A) Firebox
o B) Log Server
o C) Policy Manager
4. Which of these log configuration settings are available in Policy Manager? (Select all that apply.)
o A) Scheduling reports
o B)
o C)
o D)
o E) Setting the mail host and email address for email notifications
o F)
5. True or false? The Firebox can generate some log messages that are only used in reports and are not available to
see in Traffic Monitor.
6. Which of these log configuration settings are available in WatchGuard Server Center in the Log Server
configuration pages? (Select all that apply.)
o A) Scheduling reports
o B)
o C)
o D)
o E) Setting the mail host and email address for email notifications
o F)
7. True or false? Log files created by a Firebox with Fireware OS are stored in a proprietary format.
o G) WatchGuard Dimension
o H) WSM Report Manager
9. Circle the WatchGuard System Manager tool you use to configure each of the following. For each item, the
choices are Policy Manager, Report Server, Log Server, Log Manager, and Report Manager.
Select the Log Server used by a Firebox
10. True or false? You can install Dimension on any Windows computer with a 64-bit OS.
ANSWERS
1. Documents and Settings\WatchGuard\logs
2. False
The Firebox can simultaneously send log messages to two WatchGuard Log Servers (WSM or Dimension), a
syslog server, or the Firebox internal database.
3. B) Log Server.
The Log Server sends a notification email in response to the log message it receives from the Firebox.
4. C, D, F
5. True
For traffic allowed by packet filter policies, you can configure the logging settings for the policy to only generate
log messages to use in reports.
6. B, C, E
7. False
Log messages are stored in a PostgreSQL database file.
8. A, C, D, F, G, H
9. Select Log Server used by a Firebox: Policy Manager
Set number of HTML records per report: Report Server
Select Log Server polled by Report Server: Report Server
Set the frequency reports are generated: Report Server
Generate a PDF of a report: Report Server, Log Manager, and Report Manager
Set the date range for a report: Report Server, Report Manager
Select the reports to run on a daily or weekly schedule: Report Server
10. False
You install Dimension as a virtual machine on a Hyper-V or VMware platform.
Use Performance Console to create a graph that shows traffic to the external interface
Before you begin these exercises, make sure you read the Course Introduction module.
In this module, you will connect to one or more Fireboxen. If you take this course with a WatchGuard Certified Training
Partner, your instructor will provide the IP address and passphrases for the Fireboxen used in the exercises. For
self-instruction, you can safely connect to a Firebox on a production network. You will not change the configuration files of
any Firebox.
Monitoring methods in Firebox System Manager and Fireware Web UI:
Front Panel
Traffic Monitor
Bandwidth Meter
Service Watch
Status Report
Authentication List: Identifies the IP addresses and user names of all the users that are authenticated to the
Firebox. Includes a Summary section with the number of users authenticated for each authentication type, and
the total number of authenticated users.
Blocked Sites: Lists all the sites currently blocked by the Firebox. From this tab, you can remove a site from the
temporary blocked sites list.
Subscription Services
Gateway Wireless Controller
From the Firebox System Manager toolbar, you can also launch these Firebox monitoring tools:
• Performance Console: Used to prepare graphs based on Firebox performance counters to better understand how your Firebox is functioning.
• HostWatch: Shows the network connections between the selected networks.
If any of your Subscription Services have expired, an expired service warning appears on the Front Panel tab in Firebox
System Manager and on the Subscription Services page in Fireware Web UI for each expired service. The Renew
Now button also appears at the top of Firebox System Manager. To renew your subscription to the expired services,
you can click Renew Now. You can also choose to hide the expired service warnings.
For more information, see Fireware Help.
For this exercise, your instructor might have you connect to the training lab Firebox to provide more
traffic for the exercises.
3. Type the trusted IP address of the Firebox you want to connect to.
Use your Firebox IP address, or get the IP address from your instructor.
4. In the User Name and Passphrase text boxes, type the credentials for a user account with Device Monitor
privileges.
The default Device Monitor user account user name is status.
The Firebox appears in the WSM display.
Expanded information for each Firebox includes the IP address and subnet mask of each interface. It also includes:
• IP address and netmask of the default gateway (for external interfaces only).
• Media Access Control (MAC) address of the interface.
• Number of packets sent and received on each interface since the last Firebox restart.
In the triangle, the network traffic shows in the points of the triangle. The points show only the idle and deny conditions. If you use the star figure, you can customize which interface is in the center. The default star figure shows the external interface in the center. When you put a different interface in the center, you can see all traffic between that interface and the other interfaces. All allowed and denied traffic is relative to the interface in the center of the diagram. You see no information about traffic between interfaces on the perimeter of the star.
In this exercise, you start Firebox System Manager and change the status display.
6. To switch to the triangle display, click the triangle icon in the top-right corner above the star display.
7. In the star display, click the red ball adjacent to eth2.
The eth2 interface moves to the center of the display. The other interfaces move in a clockwise direction.
8. Click the red ball adjacent to eth0 to move it back to the center of the display.
The number of hops and the response time of each hop determine how long it takes for the results to appear. The results do not appear until the trace route is complete.
4. In the Arguments text box, type the parameters for the search. You must include the interface to examine. For example, type -i eth0 to examine the eth0 interface.
This can be a physical interface on the Firebox (such as eth0), a Link Aggregation interface (such as bond0), a wireless interface (such as ath0), or a VLAN interface (such as vlan10).
6. When the TCP dump has collected enough results, click Stop Task.
The TCP dump stops automatically if the file reaches either the maximum allowed size for your computer, or the
amount you specified in the Arguments text box. The TCP dump task stops and the Save Pcap file button appears.
7. Click Save Pcap file and specify a file name and a location to save the PCAP file.
When you connect to a training lab Firebox, you might not see lines form in these tabs. This is
because your training Firebox is passing only a small amount of traffic.
Rate: If you create a graph by rate, you use the value difference divided by the time difference: (value_2 - value_1)/(time_2 - time_1), (value_3 - value_2)/(time_3 - time_2), and so on.
Difference: If you specify difference, you use the increase from the previous value to the new value: value_2 - value_1, value_3 - value_2, and so on.
Raw Value: If you specify raw value, you use the value only: value_1, value_2, and so on. The raw values are generally counters of content such as bytes or packets. The raw values can only increase, not decrease.
Policy
To view the data for the traffic that is passing through an individual policy, select that policy from the drop-down
list.
Save Chart Data to File
Select this check box to save the data collected by the Performance Console as an XML (Extensible Markup
Language) file or a CSV (comma-separated value) file. For example, you can open an XML data file in Microsoft
Excel to see the counter value recorded for each polling interval. You can use other tools to merge data from
more than one chart.
2. In the Available Counters list, expand System Information and select CPU Utilization.
3. Click OK.
The CPU Utilization chart appears in the Configured Charts list.
5. Click Close.
2. To select an interface, right-click the current interface name and select a new interface.
Or, select View > Interface and select a new interface.
3. As you view the connections through the Firebox, double-click an item on either side.
The Connections For dialog box appears and shows information on the connections for that item.
4. In the HostWatch window, to add the source IP address of any connection to the Blocked Sites list, right-click
the address and select Block Site.
The Choose Expiration dialog box appears.
5. When prompted, type the user credentials for a user account with Device Administrator privileges. Click OK.
The IP address is added to the temporary blocked sites list for the period of time you specified.
6. Close HostWatch.
2. From the Blocked IP list, select the IP address you just blocked. Click Delete in the lower-right corner.
The Delete Site(s) dialog box appears.
3. Click Yes and type the credentials for a user account with Device Administrator privileges. Click OK.
4. To add a site, click Add at the bottom of the dialog box.
The Add Temporary Blocked Site dialog box appears.
o A) CA Manager
o B) Bandwidth Meter
o C) HostWatch
o D) Policy Manager
o E) Traffic Monitor
3. True or false? A PCAP file includes packet information about the protocols that manage traffic on your network.
4. True or false? You can save a PCAP file and open it later in Traffic Monitor.
5. True or false? You can add a site to the Blocked Sites list from HostWatch.
6. True or false? Service Watch is a monitor that provides a real-time display of the bandwidth consumed by policies on the Firebox.
7. Match the correct Firebox System Manager monitoring tool to each task:
1) Service Watch
2) HostWatch
3) Log Server
4) Subscription Services
5) Traffic Monitor
d. Add an IP address for the Firebox to block all traffic
ANSWERS
1. True
2. B and E
3. True
4. False
You can save a PCAP file and open it in a third-party tool, such as Wireshark.
5. True
6. True
7. 1) f
2) c
3) b
4) e
5) a
6) d
NAT
Use Network Address Translation
Add more IP addresses to which the device will apply dynamic NAT
Before you begin these exercises, make sure you read the Course Introduction module.
NAT Overview
NAT is an important tool for today's network administrators. Fireware gives you great flexibility for controlling when and how NAT is applied. When a computer sends traffic through a Firebox interface and the traffic flow matches a NAT rule, the device changes the IP address to an assigned value before the traffic reaches its destination. When the Firebox sees the response, it restores the original IP address to send the response to the computer that made the request.
Static NAT for traffic from the optional network requires Fireware v11.8.1 or higher.
In general, these rules can help you understand the different types of NAT:
• Dynamic NAT is used for traffic that goes out to the Internet from behind the Firebox.
• Static NAT is used for traffic that comes in to your network from the Internet, or for traffic from the optional network to the trusted network.
• 1-to-1 NAT is used for traffic in both directions.
Dynamic NAT
When dynamic NAT is enabled, your Firebox changes the source IP address of each outgoing connection to match the IP address of the device interface that the connection goes out through. For traffic that goes to an external network, packets go out through the device external interface, so dynamic NAT changes the source IP address to the device external interface IP address. The Firebox tracks the private source IP address and destination address, as well as other IP header information such as source and destination ports, and protocol.
Dynamic NAT is normally applied to connections that start from behind the device. When dynamic NAT is applied to a packet, Fireware tries to keep the same source port that the requesting client used. The source port is changed only if necessary, for example, if two internal clients use the same source port to access the same web server. However, the source IP address is always changed when dynamic NAT is applied. When the response returns to the same device interface from which the original connection exited, the firewall examines its connection state table and finds the original source IP address. It reverses the NAT process to send the packet to the correct host.
With Fireware, dynamic NAT is enabled by default in the NAT Setup dialog box. By default, dynamic NAT is applied to
any connection that starts from one of the three reserved private address ranges and goes to an external network.
To see the default dynamic NAT rules in Policy Manager, select Network > NAT.
Dynamic NAT is also enabled by default in each policy you create. You can override the global dynamic NAT settings in
your individual policies.
Set the Dynamic NAT Source IP Address in a Network Dynamic NAT rule
If you want to set the source IP address for traffic that matches a dynamic NAT rule, regardless of any policies
that apply to the traffic, select Network > NAT, and add a network dynamic NAT rule that specifies the source
IP address. The source IP address you specify must be on the same subnet as the primary or secondary IP
address of the interface the traffic leaves.
Set the Dynamic NAT Source IP Address in a Policy
If you want to set the source IP address for traffic handled by a specific policy, configure the source IP address
in the network settings of the policy. The source IP address you specify must be on the same subnet as the
primary or secondary IP address of the interface you specified for outgoing traffic in the policy.
Whether you specify the source IP address in a network dynamic NAT rule or in a policy, it is important that the source
IP address is on the same subnet as the primary or secondary IP address of the interface from which the traffic is sent.
It is also important to make sure that the traffic the rule applies to goes out through only one interface.
1-to-1 NAT
When you enable 1-to-1 NAT, the Firebox changes and routes all incoming and outgoing packets sent from one range of
addresses to a different range of addresses. Consider a situation in which you have a group of internal servers with
private IP addresses that must each show a different public IP address to the outside world. You can use 1-to-1 NAT to
map public IP addresses to the internal servers, and you do not need to change the IP addresses of your internal
servers. To understand how to configure 1-to-1 NAT, we give this example:
Successful Company has a group of three privately addressed servers behind the Optional interface of their Firebox.
These addresses are:
10.0.2.11
10.0.2.12
10.0.2.13
The Successful Company administrator selects three public IP addresses from the same network address as the external interface of their device, and creates DNS records for the servers to resolve to. These addresses are:
203.0.113.11
203.0.113.12
203.0.113.13
Now the Successful Company administrator configures a 1-to-1 NAT rule for his servers. The 1-to-1 NAT rule builds a
static, bidirectional relationship between the corresponding pairs of IP addresses. The relationship looks like this:
10.0.2.11 <--> 203.0.113.11
10.0.2.12 <--> 203.0.113.12
10.0.2.13 <--> 203.0.113.13
When the 1-to-1 NAT rule is applied, the device creates the bidirectional routing and NAT relationship between the pool
of private IP addresses and the pool of public addresses.
To connect to a computer located on a different device interface that uses 1-to-1 NAT, you must use the private (NAT base) IP address for that computer. If you have problems with this method, you can disable 1-to-1 NAT and use Static NAT.
Policy-based NAT
With policy-based dynamic NAT, you can make an exception to the global NAT rules (the rules at Network > NAT in Policy Manager). Normally, the Firebox or XTM device uses the primary IP address of the Outgoing interface when it applies dynamic NAT to outgoing packets handled by a policy. Each policy has dynamic NAT enabled by default. You can disable dynamic NAT for all traffic handled by a policy, or you can configure the device to use a different IP address for dynamic NAT handled by the policy.
Both dynamic NAT and 1-to-1 NAT can also be controlled at the policy level. If traffic matches both 1-to-1 NAT and dynamic NAT policies, the 1-to-1 NAT policy takes precedence.
1. Double-click a policy.
2. Select the Advanced tab.
3. Select the Dynamic NAT check box.
4. To use the global dynamic NAT rules set for the device, select Use Network NAT Settings.
5. To apply dynamic NAT to all traffic handled by this policy, select All traffic in this policy.
This setting applies even if the source and destination IP addresses of the traffic flow do not match the source and destination ranges for any rule on the Dynamic NAT tab in Policy Manager (Network > NAT, the global dynamic NAT rules).
6. If you select All traffic in this policy, you can also select the Set source IP check box to set a different source
IP address for traffic handled by this policy when dynamic NAT is applied.
This makes sure that any traffic handled by this policy shows a specified address from your public or external IP
address range as the source. A common reason to do this is to force outgoing SMTP traffic to show the MX record
address for your domain when the IP address on the external interface for the device is not the same as your MX
record IP address.
If you have more than one external interface configured on your device, we recommend that you do not
select Set source IP. If you select this option, you must add the specified IP address as a secondary
IP address to the interface that the traffic goes out through.
Static NAT
Static NAT, also known as port forwarding, allows inbound connections on specific ports to one or more public servers
from a single external IP address. The Firebox changes the destination IP address of the packets and forwards them
based on the original destination port number. You can also translate the original destination port to an alternative port on
which the server is listening.
Static NAT is typically used for public services such as websites and email. For example, you can use Static NAT to designate a specific internal server to receive all email. Then, when someone sends email to the device's external IP address, the device can forward the connection to the private IP address of the designated email (SMTP) server.
Server Load Balancing requires Fireware with a Pro upgrade, and is not supported on Firebox T10 or
XTM 2 Series and 3 Series devices.
There are two types of SNAT actions:
Static NAT
A static NAT action forwards inbound traffic addressed to one IP address to a different IP address and port
behind the firewall.
Server Load Balancing
A server load balancing SNAT action forwards inbound traffic addressed to one IP address to one of several
servers behind the firewall. In the SNAT action you select the load balancing algorithm to use and you can
optionally assign different weights to each server.
To use static NAT, you add a static NAT action to the To section of the policy that handles each type of inbound traffic.
To implement static NAT for the diagram above, you would add a different static NAT action to the FTP, SMTP, and
HTTP policies that handle the inbound traffic to each of the three servers.
NAT Loopback
NAT loopback allows a user on the Trusted or Optional networks to use the public IP address or domain name to get
access to a public server that is on the same physical device interface. For example, you could use NAT loopback if
you have an internal Web server and you want to allow users on the same network segment to access the Web server
by its public domain name or IP address.
There are no configuration settings in the user interface to enable NAT loopback, however, you must create a policy in
your configuration to allow the traffic. The From section of the policy must list the Trusted or Optional networks from
which access is allowed. The To section of the policy must contain a static NAT entry for each server to allow access
with NAT loopback.
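The following is an added Python model, not WatchGuard code, of the two SNAT action types and the NAT loopback requirement described above: a static NAT member forwards to one internal address with an optional port change, a server load balancing member picks among weighted servers, and a packet is translated only when its source is in the policy's From list. The external address 203.0.113.1, the second web server 10.0.2.31, and weighted round-robin as the balancing algorithm are assumptions of this example.

```python
import ipaddress
from itertools import cycle

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """Assumed model of Any-External: any address outside the IETF private ranges."""
    return not any(ipaddress.ip_address(ip) in n for n in PRIVATE)


class SNATAction:
    """Static NAT (one member) or Server Load Balancing (several weighted members)."""

    def __init__(self, name, external_ip, members):
        self.name = name
        self.external_ip = external_ip
        self.members = list(members)  # (internal ip, internal port or None, weight)
        # Weighted round-robin (assumed algorithm): each server appears `weight` times in the cycle.
        self._rotation = cycle([m for m in self.members for _ in range(m[2])])

    def translate(self, dst_ip, dst_port):
        """Rewrite the destination of an inbound packet, or return None if it is not for this action."""
        if dst_ip != self.external_ip:
            return None
        internal_ip, internal_port, _ = self.members[0] if len(self.members) == 1 else next(self._rotation)
        # The optional "Set internal port to a different port" setting; None keeps the original port.
        return internal_ip, dst_port if internal_port is None else internal_port


class Policy:
    """Inbound policy: From list of sources, To list of SNAT actions, one service port."""

    def __init__(self, name, port, from_list, snat_actions):
        self.name, self.port = name, port
        self.from_list = from_list  # "Any-External" or network strings
        self.snat_actions = snat_actions

    def _source_allowed(self, src_ip):
        for entry in self.from_list:
            if entry == "Any-External":
                if is_external(src_ip):
                    return True
            elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(entry):
                return True
        return False

    def handle(self, src_ip, dst_ip, dst_port):
        """Return the translated (ip, port), or None when the policy does not allow the packet."""
        if dst_port != self.port or not self._source_allowed(src_ip):
            return None  # a trusted source hitting the public address needs NAT loopback: From list must list it
        for action in self.snat_actions:
            result = action.translate(dst_ip, dst_port)
            if result is not None:
                return result
        return None


def build_policies():
    """Constructed setup: external address 203.0.113.1 is assumed; server addresses follow this guide."""
    smtp = SNATAction("SMTP-SNAT", "203.0.113.1", [("10.0.2.25", None, 1)])
    # Two web servers (second address constructed) listening on 8080, weighted 2:1.
    web = SNATAction("HTTP-SLB", "203.0.113.1", [("10.0.2.30", 8080, 2), ("10.0.2.31", 8080, 1)])
    # SMTP accepts external sources only; the HTTP policy also lists the trusted network for NAT loopback.
    smtp_policy = Policy("SMTP-proxy", 25, ["Any-External"], [smtp])
    http_policy = Policy("HTTP-proxy", 80, ["Any-External", "10.0.1.0/24"], [web])
    return smtp_policy, http_policy
```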
192.168.0.0/16 Any-External
172.16.0.0/12 Any-External
10.0.0.0/8 Any-External
These three network addresses are the private networks reserved by the Internet Engineering Task Force (IETF) and
are typically used for the IP addresses on private LANs. To enable dynamic NAT for other traffic flows, you must add an
entry for them. For example, you could add a dynamic NAT rule for traffic that comes from a trusted network and goes to
an optional network. In that case, all traffic sent from the trusted network and going to the optional network would appear
to come from the Optional interface IP address, because the Optional interface is the outgoing interface for that traffic.
The Firebox or XTM device applies the dynamic NAT rules in the sequence that they appear in the Dynamic NAT
Entries list.
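The following is an added Python model, not from the guide, of the behaviour described in the Dynamic NAT, 1-to-1 NAT and default rule passages above: 1-to-1 NAT takes precedence, the client's source port is kept unless two clients collide, the reply is reversed from the connection state table, and the three default rules are applied in list order. The external interface address 203.0.113.1, the client addresses, and treating Any-External as everything outside the private ranges are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed model of the Any-External alias: any address outside the three IETF private ranges.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Firebox:
    """Toy model of outgoing NAT: 1-to-1 NAT first, then the ordered dynamic NAT rules."""

    def __init__(self, external_ip, one_to_one, dynamic_rules):
        self.external_ip = external_ip
        self.one_to_one = dict(one_to_one)                                      # private -> public
        self.one_to_one_rev = {pub: priv for priv, pub in one_to_one.items()}   # public -> private
        # Dynamic NAT rules are evaluated in the order of the Dynamic NAT Entries list.
        self.dynamic_rules = [(ipaddress.ip_network(src), dst) for src, dst in dynamic_rules]
        # Connection state table: translated 5-tuple -> original (src_ip, src_port).
        self.conntrack = {}
        self.next_port = 49152  # first port handed out when the client's own port is already taken

    def _dynamic_rule_matches(self, pkt):
        src = ipaddress.ip_address(pkt.src_ip)
        for net, dst in self.dynamic_rules:
            if src in net and dst == "Any-External" and is_external(pkt.dst_ip):
                return True
        return False

    def _key(self, port, pkt):
        return (pkt.proto, self.external_ip, port, pkt.dst_ip, pkt.dst_port)

    def outbound(self, pkt):
        """Translate a packet leaving through the external interface; returns the rewritten packet."""
        # 1-to-1 NAT takes precedence over dynamic NAT: fixed mapping, port never changes.
        if pkt.src_ip in self.one_to_one:
            return Packet(self.one_to_one[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if not self._dynamic_rule_matches(pkt):
            return pkt  # no matching rule: source address is left unchanged
        # Keep the client's source port unless another client already uses it toward the same server.
        port = pkt.src_port
        owner = self.conntrack.get(self._key(port, pkt))
        if owner is not None and owner != (pkt.src_ip, pkt.src_port):
            port = self._free_port(pkt)
        self.conntrack[self._key(port, pkt)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def _free_port(self, pkt):
        while True:
            port = self.next_port
            self.next_port = 49152 if port == 65535 else port + 1
            if self._key(port, pkt) not in self.conntrack:
                return port

    def inbound(self, pkt):
        """Reverse the translation for a packet arriving on the external interface; None if no state."""
        if pkt.dst_ip in self.one_to_one_rev:
            return Packet(pkt.src_ip, pkt.src_port, self.one_to_one_rev[pkt.dst_ip], pkt.dst_port, pkt.proto)
        orig = self.conntrack.get((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if orig is None:
            return None  # nothing in the state table: an unhandled packet, not a NAT reply
        return Packet(pkt.src_ip, pkt.src_port, orig[0], orig[1], pkt.proto)


def demo():
    """Constructed scenario: external interface 203.0.113.1, the Successful Company 1-to-1 servers,
    the three default dynamic NAT rules, and two clients that pick the same source port."""
    fb = Firebox(
        external_ip="203.0.113.1",
        one_to_one={"10.0.2.11": "203.0.113.11", "10.0.2.12": "203.0.113.12", "10.0.2.13": "203.0.113.13"},
        dynamic_rules=[("192.168.0.0/16", "Any-External"), ("172.16.0.0/12", "Any-External"),
                       ("10.0.0.0/8", "Any-External")],
    )
    a = fb.outbound(Packet("10.0.1.5", 40000, "198.51.100.10", 80))     # port 40000 kept
    b = fb.outbound(Packet("10.0.1.6", 40000, "198.51.100.10", 80))     # collision: new port
    s = fb.outbound(Packet("10.0.2.11", 40000, "198.51.100.10", 80))    # 1-to-1 wins over 10.0.0.0/8 rule
    n = fb.outbound(Packet("10.0.1.5", 40001, "10.0.2.30", 80))         # trusted -> optional: no NAT
    ra = fb.inbound(Packet("198.51.100.10", 80, a.src_ip, a.src_port))  # reply to the first client
    rb = fb.inbound(Packet("198.51.100.10", 80, b.src_ip, b.src_port))  # reply to the second client
    return a, b, s, n, ra, rb
```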
In this exercise, we use Policy Manager to configure the Successful Company Firebox to use dynamic NAT for traffic
coming from only their trusted network and going to any external network.
1. Select Network > NAT.
The NAT Setup dialog box appears.
2. On the Dynamic NAT tab, select the 10.0.0.0/8 - Any-External dynamic NAT rule.
3. Click Remove.
A warning message appears.
4. Click Yes.
5. Click Add.
The Add Dynamic NAT dialog box appears.
8. Click OK.
The new entry appears in the Dynamic NAT list.
9. Click OK.
In this example, we create the SNAT action from within the policy. We could also have created the
SNAT action before we created the policy. To create or edit SNAT actions from outside the policy,
select Setup > Actions > SNAT. After you configure an SNAT action, you can select the SNAT
action from the Add SNAT page in the policy.
To configure the device to use static NAT for the SMTP server:
1. Click the Add Policy toolbar icon, or select Edit > Add Policy.
2. Expand the Proxies list and select SMTP-proxy. Click Add.
The New Policy Properties dialog box appears.
5. Click Add.
The Add SNAT dialog box appears.
6. In the SNAT Name text box, you can edit the name for this SNAT action.
For example, change the name to SMTP-SNAT.
7. Click Add.
The Add Static NAT dialog box appears.
8. Make sure the External/Optional IP Address text box includes the external interface IP address or name.
9. In the Internal IP Address text box, type 10.0.2.25.
This is the private IP address of the SMTP server located on the optional network.
10. (Optional) To change the packet destination to a specified internal host and to a different port, select the Set
internal port to a different port check box.
11. Click OK to close the Add Static NAT dialog box.
The static NAT mapping is added to the SNAT Members list for this SNAT action.
13. Click OK to close the SNAT dialog box.
The selected SNAT action is added to the Selected Members and Addresses list.
14. Click OK twice to close the Add Address menu and the New Policy Properties dialog box.
15. Click Close in the Add Policies dialog box.
The SMTP-proxy policy appears in the policy list. The Internal IP address you selected appears in the range in the To
column.
If you have set Policy Manager to use Manual-order mode, toggle the precedence back to Auto-order mode.
1. Select View> Auto-Order Mode.
2. Click Yes.
6. Click Add.
The Add SNAT dialog box appears.
7. In the SNAT Name text box, you can edit the name for this SNAT action.
For example, change the name to NAT-Loopback.
8. Click Add.
The Add Static NAT dialog box appears.
9. Make sure the External IP Address text box includes the External interface IP address or name.
10. In the Internal IP Address text box, type 10.0.2.30.
This is the private IP address of the HTTP server located on the optional network.
12. Click OK to close the Add SNAT dialog box.
The new SNAT action is automatically selected in the list of configured SNAT actions.
___________/____ Any-External
5. Static NAT for a policy is also known as (select all that apply):
o A) IP masquerading
o B) Port forwarding
o C) Tunnel swapping
o D) Quality of Service
o E) All the above
6. True or false? Dynamic NAT rewrites the source IP address of packets to use the IP addresses of the outgoing
interface.
ANSWERS
1. Dynamic
2. 1-to-1
3. Loopback
4. 192.168.0.0/16 Any-External
172.16.0.0/12 Any-External
10.0.0.0/8 Any-External
5. B
6. True
Threat Protection
Defend Your Network From Intruders
Understand the different types of intrusion protection available for the Firebox
Before you begin these exercises, make sure you read the Course Introduction module.
Traffic pattern analysis examines a series of packets over time and matches them against known patterns of
attack. For example, when an attacker launches a port space probe, they attempt to send packets through each
port number until they identify which ports your firewall allows. If you can identify this pattern, you can block the
source of the probe.
A firewall-based IPS can also protect your network from a zero-day threat. In other words, before the network
security community is even aware that the vulnerability exists, broad categories of attack types are
automatically identified and blocked by a strong firewall-based IPS.
Signature-based IPS
You can configure this type of IPS defense (such as the Intrusion Prevention Service) to compare the contents of
packets against a database of character strings that are known to appear in attacks. Each unique character
string is called a signature. When there is a match, the Firebox can block the traffic and notify the network
administrator. To remain protected, you must regularly update the signature database.
Signature-based approaches use less computer processing time than firewall-based IPS options; however, to keep them current, the database must be updated regularly. As a result, signature-based IPS is good for maintaining efficient, high-performance protection, while firewall-based IPS catches the zero-day threats.
The rest of this training module focuses on the available firewall-based IPS options. For more information on signature-based options, see the Signature Services and APT Blocker module.
The default packet handling options related to IPSec, IKE, ICMP, SYN, and UDP flood attacks apply
to both IPv4 and IPv6 traffic. All other options apply only to IPv4 traffic.
The default configuration of the default packet handling options stops attacks such as SYN flood attacks, spoofing
attacks, and port or address space probes. We do not recommend that you change the default packet handling settings
in your Firebox configuration file. The default settings are carefully chosen to maximize security. If a particular setting
interferes with the function of your network, or you want a more stringent defense, like that available with the Block
source of packets not handled option, you can change your device packet handling settings.
Default packet handling:
• Rejects packets that could be used to get information about your network
• Automatically blocks all traffic to and from a source IP address when a configured limit is reached
• Adds an event to the log file
• Sends an SNMP trap to the SNMP management server (when configured)
• Sends a notification of possible security risks (when configured)
Unhandled Packets
Packets that are denied by the firewall because they do not match any of the firewall policies are blocked as unhandled
packets. The Default Packet Handling options give you the tools to block the source of any unhandled packet. This is
an extremely aggressive security setting and is not enabled by default.
Permanent Blocked Sites These are IP addresses that you manually add to your device configuration file
because you want all connections to and from the IP address blocked. If an IP address consistently and
repeatedly tries to violate your security policies, you can add it to the Permanent Blocked Sites list.
You can add blocked sites in several ways:
• In Policy Manager, select Setup > Default Threat Protection > Blocked Sites and click Add.
• In Firebox System Manager, on the Blocked Sites tab, click Add.
• In the Firebox System Manager Traffic Monitor tab, right-click a connection, select the source or destination IP address, then click Block Site: [ip address].
Auto-blocked sites These are IP addresses that the device adds to, and removes from, a list of sites that are temporarily blocked based on the packet handling rules specified in your device configuration. These IP addresses are blocked for a period of time you select. This feature is known as the Temporary Blocked Sites list. For example, if you configure the auto-block option for a policy set to deny traffic, the device can add the denied IP addresses to the Temporary Blocked Sites list. If a connection is blocked by your default packet handling rules, the source IP address is also added to the Temporary Blocked Sites list.
You can use the Temporary Blocked Sites list and your log messages to help make decisions about which IP addresses
to permanently block.
Port | Service | Reason
NONE | Firebox always blocks this port and you cannot override this default.
TCPmux | (infrequently)
111 | RPC | Used by RPC Services to find out which ports an RPC server uses. These are easy to attack through the Internet.
513, 514 | Because they give remote access to other computers, many attackers probe for these services.
2049 | NFS
6000-6005 | X Window System | Client connection is not encrypted and dangerous to use over the Internet.
7100 | X Font Server
8000
2. In the Distributed Denial-of-Service Prevention section, in the Per Server Quota text box, type or select 200.
This doubles the amount of connections that the Firebox allows before it triggers a DDoS block on additional
connections.
3. Click OK.
6. Click OK.
The entry appears in the Blocked Sites list. With this configuration, the Firebox blocks all packets to and from the
192.136.15.0/24 network range.
Many Firebox users add the IP address of their own DNS servers to the Blocked Sites exception list
to make sure connections are not blocked by traffic patterns that look like an attack.
In this exercise, we will add an exception to the 192.136.15.0/24 network we blocked in the previous exercise. We will
configure the Firebox to allow connections to and from the single IP address: 192.136.15.22.
In the Blocked Site Configuration dialog box:
1. Click the Blocked Sites Exceptions tab.
2. Click Add.
The Add Site dialog box appears.
6. Click OK.
2. Expand the Packet Filters folder and select RSH. Click Add.
The New Policy Properties dialog box appears.
7. Click OK.
The Firebox now automatically adds the IP address of any source of RSH packets to the Blocked Sites list. With a
default configuration, the IP address stays on the Blocked Sites list for 20 minutes.
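The following is an added Python example, not from the guide, that ties together the threat protection material in this module: a Blocked Sites model with the permanent 192.136.15.0/24 entry and the 192.136.15.22 exception from the exercises, auto-blocking with the 20-minute default used in the RSH exercise, and a simple traffic pattern check that auto-blocks a source probing many ports in a short window (the port space probe described at the start of the module). The event times, source addresses, threshold of 10 distinct ports, and 10-second window are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_AUTO_BLOCK = timedelta(minutes=20)  # default temporary block length from the RSH exercise


class BlockedSites:
    """Permanent Blocked Sites, Blocked Sites Exceptions, and the Temporary (auto-blocked) Sites list."""

    def __init__(self, permanent=(), exceptions=()):
        self.permanent = [ipaddress.ip_network(n) for n in permanent]
        self.exceptions = [ipaddress.ip_network(n) for n in exceptions]
        self.temporary = {}  # ip -> time the block expires

    @staticmethod
    def _listed(ip, nets):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    def auto_block(self, ip, now, duration=DEFAULT_AUTO_BLOCK):
        """Add a source to the Temporary Blocked Sites list; exceptions are never blocked."""
        if self._listed(ip, self.exceptions):
            return False
        self.temporary[ip] = now + duration
        return True

    def is_blocked(self, ip, now):
        """Exceptions win over both lists; an expired temporary entry is dropped when it is checked."""
        if self._listed(ip, self.exceptions):
            return False
        if self._listed(ip, self.permanent):
            return True
        expiry = self.temporary.get(ip)
        if expiry is not None and now < expiry:
            return True
        self.temporary.pop(ip, None)
        return False


class PortProbeDetector:
    """Traffic pattern analysis: one source probing many distinct ports inside a short window."""

    def __init__(self, sites, threshold=10, window=timedelta(seconds=10)):
        self.sites, self.threshold, self.window = sites, threshold, window
        self.recent = defaultdict(list)  # src ip -> [(time, dst port)] of denied packets

    def denied_packet(self, src_ip, dst_port, when):
        """Feed one denied packet; returns True if the source is now auto-blocked."""
        hits = [h for h in self.recent[src_ip] if when - h[0] <= self.window]
        hits.append((when, dst_port))
        self.recent[src_ip] = hits
        if len({port for _, port in hits}) >= self.threshold:
            return self.sites.auto_block(src_ip, when)
        return False


def demo():
    """Constructed events, not real log data; uses the blocked network and exception from the exercises."""
    t0 = datetime(2015, 12, 1, 9, 0, 0)
    sites = BlockedSites(permanent=["192.136.15.0/24"], exceptions=["192.136.15.22"])
    probe = PortProbeDetector(sites)
    # Policy-level auto-block: a denied RSH packet from a constructed source address.
    sites.auto_block("198.51.100.50", t0)
    # Port space probe: one source tries ports 1..12 within two seconds.
    fast = [probe.denied_packet("198.51.100.77", port, t0 + timedelta(milliseconds=150 * port))
            for port in range(1, 13)]
    # The same 12 ports spread over a minute never reach 10 distinct ports inside the window.
    slow = [probe.denied_packet("198.51.100.78", port, t0 + timedelta(seconds=5 * port))
            for port in range(1, 13)]
    return {
        "permanent": sites.is_blocked("192.136.15.5", t0),
        "exception": sites.is_blocked("192.136.15.22", t0),
        "exception_auto_block": sites.auto_block("192.136.15.22", t0),
        "rsh_before_expiry": sites.is_blocked("198.51.100.50", t0 + timedelta(minutes=19)),
        "rsh_after_expiry": sites.is_blocked("198.51.100.50", t0 + timedelta(minutes=20)),
        "probe_blocked_at_port": fast.index(True) + 1,
        "slow_scan_blocked": any(slow),
    }
```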
D) IPS Service: Firewall-Based | Signature-Based
E) Blocked Ports: Firewall-Based | Signature-Based
3. Which of these actions can the Firebox perform when it looks for patterns that show if your network is at risk?
(Select all that apply.)
ANSWERS
1. False
A signature-based IPS maintains a database.
2. Gateway AntiVirus: Signature-based
Default Packet Handling: Firewall-based
Blocked Sites: Firewall-based
IPS Service: Signature-based
Blocked ports: Firewall-based
3. All of the above
4. True
5. Sites
Policies
Convert Network Policy to Device Configuration
Understand the difference between a packet filter policy and a proxy policy
Before you begin these exercises, make sure you read the Course Introduction module.
In this course, we refer to packet filters and proxies together as policies. Unless otherwise indicated,
the procedures refer to both types of policies.
Add Policies
Policy Manager uses either a list view or an icon view to show the policies that you configure for your Firebox. For each
policy, you can:
• A From list (source) that specifies who can send (or cannot send) network traffic with this policy.
• A To list (destination) that specifies who the Firebox can route traffic to if the traffic matches (or does not match) the policy specifications.
The source and destination for the policy can be a host IP address, IP host range, host name, network address, user,
group, alias, VPN tunnel, FQDN or any combination of those objects.
About Aliases
An alias is a shortcut that identifies a group of hosts, networks, or interfaces, that enable you to simplify the creation of
your security policies.
There are several default aliases that you can use. The most common primary default aliases are:
• Any: An alias for any address. This includes all IP addresses, interfaces, custom interfaces, tunnels, users, and groups.
• Firebox: An alias for all Firebox interfaces.
• Any-Trusted: An alias for all Firebox interfaces configured as Trusted interfaces, and any network you can get access to through these interfaces.
• Any-External: An alias for all Firebox interfaces configured as External, and any network you can get access to through these interfaces.
• Any-Optional: An alias for all Firebox interfaces configured as Optional, and any network you can get access to through these interfaces.
You can create your own aliases that contain any combination of these items:
• Host IP address
• Network IP address
• A range of host IP addresses
• Host Name (DNS Lookup): A one-time DNS lookup is performed on the host name and resolved IP addresses are added to the alias.
• FQDN: Performs forward DNS resolution and analyzes DNS replies for the specified FQDN (includes wildcard domains such as *.example.com). Resolved IP addresses from the primary domain and any subdomains are added to the alias.
• Tunnel address: Defined by a user or group, address, and name of the tunnel. This type lets you specify the address, and set two other conditions that traffic must meet in order to match the address.
• Custom address: Defined by a user or group, address, and Firebox interface. This type lets you specify the address, and set two other conditions that traffic must meet in order to match the address.
• Another alias
• An authorized user or group
About FQDN
FQDN (Fully Qualified Domain Name) support in policies enables you to specify a specific host domain
(host.example.com) or a wildcard domain (*.example.com). You can use FQDN in the From and To fields of a policy,
aliases, blocked sites and blocked site exceptions, and quota exceptions.
When you define an FQDN in your configuration, your Firebox performs forward DNS resolution for the specified domain
and stores the IP mappings. For wildcard domains, the device analyzes DNS replies that match your FQDN
configuration. As DNS traffic passes through the Firebox, it stores the IP mapping responses to relevant queries for the
domain and any subdomains.
With FQDN support, you can configure a wide variety of policy configurations. For example, you can allow traffic to
software update sites such as windowsupdate.microsoft.com or antivirus signature update sites, even though all other
traffic is blocked. This is especially useful when these sites are hosted on content delivery networks (CDNs) that
frequently add and change IP addresses.
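To make the FQDN behaviour above concrete, here is an added example (not Fireware code, and not from this guide) that models a wildcard FQDN alias: it accepts only DNS replies whose query name matches a configured entry, compares names on whole DNS labels so that look-alike domains do not slip in, and expires learned addresses by TTL so that CDN rotation is tracked. The domain names, addresses and TTL values are constructed for the illustration.

```python
import ipaddress
from collections import defaultdict


def fqdn_matches(pattern: str, name: str) -> bool:
    """Return True if a DNS name matches an FQDN entry.

    A plain entry ("host.example.com") matches only that name. A wildcard
    entry ("*.example.com") matches the domain itself and any subdomain.
    The comparison is made on whole DNS labels, so look-alike names such as
    "evilexample.com" or "example.com.attacker.test" do not match.
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return name == base or name.endswith("." + base)
    return name == pattern


class FqdnAlias:
    """Set of IP addresses learned from DNS replies for configured FQDN entries."""

    def __init__(self, entries):
        self.entries = [e.strip() for e in entries]
        self.expires = {}                 # ip_address -> time the record expires
        self.names = defaultdict(set)     # ip_address -> names that resolved to it

    def observe_dns_reply(self, qname, addresses, ttl, now):
        """Record one DNS answer (name, A/AAAA records, TTL) observed at time `now`.

        Replies for names that match no entry are ignored. Re-learning an
        address refreshes its expiry, which is how CDN rotation is followed.
        Returns the set of addresses newly added by this reply.
        """
        if not any(fqdn_matches(e, qname) for e in self.entries):
            return set()
        added = set()
        for text in addresses:
            ip = ipaddress.ip_address(text)
            if ip not in self.expires or self.expires[ip] <= now:
                added.add(ip)
            self.expires[ip] = now + ttl
            self.names[ip].add(qname.lower().rstrip("."))
        return added

    def contains(self, address, now) -> bool:
        """True if `address` is in the alias right now (learned and not expired)."""
        ip = ipaddress.ip_address(address)
        return ip in self.expires and self.expires[ip] > now

    def active(self, now):
        """All addresses that have not expired at time `now`."""
        return {ip for ip, exp in self.expires.items() if exp > now}


def demo():
    """Feed constructed DNS replies through an alias for two update domains."""
    alias = FqdnAlias(["*.windowsupdate.com", "*.microsoft.com"])
    # Constructed replies: (query name, answers, ttl, time observed). Not real data.
    replies = [
        ("download.windowsupdate.com", ["203.0.113.10", "203.0.113.11"], 300, 0),
        ("windowsupdate.com", ["203.0.113.20"], 300, 0),
        ("evilwindowsupdate.com", ["198.51.100.5"], 300, 0),            # look-alike
        ("windowsupdate.com.attacker.test", ["198.51.100.6"], 300, 0),  # suffix trick
        ("fe2.update.microsoft.com", ["2001:db8::1"], 60, 0),
    ]
    for qname, answers, ttl, seen in replies:
        alias.observe_dns_reply(qname, answers, ttl, seen)
    return alias
```

The two rejected replies are the cases that matter for a firewall rule: a name that merely ends in the same characters, and a name that carries the allowed domain as a prefix. Both would be accepted by a naive substring test.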
Quality of Service (QoS) Marking
QoS marking allows you to mark network traffic with bits that identify it to other devices that understand QoS.
The Firebox and other QoS-capable devices can assign higher or lower priorities to each type of traffic with QoS
marking.
Network Address Translation (NAT)
You can enable or selectively disable 1-to-1 and dynamic NAT in any policy. You can also configure incoming
NAT properties to allow Internet connections to privately addressed servers protected by the Firebox.
ICMP Error Handling
You can customize the method the Firebox uses to handle ICMP errors for each policy.
Custom Idle Timeout
Use this feature to set the amount of time the Firebox waits before it drops a connection.
Sticky Connections
A sticky connection is a connection that continues to use the same interface for a defined period of time when
your Firebox is configured with multiple WAN interfaces. Stickiness makes sure that, if a packet goes out
through one external interface, any future packets between the source and destination address pair use the same
external interface for a specified period of time.
Policy-based Routing
If your Firebox is configured with multi-WAN, you can configure a policy with a specific external interface to use
for all outbound traffic that matches that policy.
Bandwidth and Time Quotas
You can enable time and bandwidth usage quotas in a policy. This feature is useful for applying a daily limit to
your users' Internet usage in an HTTP-proxy policy to enforce corporate acceptable use policies. For more
detailed information on bandwidth and time quotas, see the Web Traffic module.
Policy Precedence
Precedence refers to the order in which the Firebox examines network traffic and applies a policy rule. The Firebox sorts
policies automatically, from the most specific to the most general. For example, a highly specific policy could be a
policy that matches only traffic on TCP port 25 from one IP address, while a general policy could be one that matched all
traffic on UDP ports 40,000-50,000. You can also set the precedence of each policy manually.
For more information on policy precedence, including complete rules for specificity, see the Fireware XTM WatchGuard
System Manager Help.
The Firebox applies the first policy, in precedence order, that matches the traffic. If no policy matches, the traffic is
denied as an unhandled packet.
3. Expand the Packet Filter list. Select IRC.
4. Click Add.
The New Policy Properties dialog box appears.
5. Click OK.
This adds a basic IRC policy to your configuration. If you do not change this policy, it allows all IRC traffic from any
trusted computer to any external computer.
6. In the packet filter list, select RDP. Click Add. Click OK.
This adds a basic RDP policy to your configuration. If you do not change this policy, it allows all RDP traffic from any
trusted computer to any external computer.
6. Click OK.
Any-Optional appears in the New Policy Properties dialog box in the From list.
The rule now denies IRC traffic from all computers behind the device to any external computer. Traffic that
comes from the external interface is always denied by default unless you create a rule to allow it.
7. Click OK to close the Edit Policy Properties dialog box.
The policy is now marked with a red X in List View or a red top banner in Large Icon View. This indicates a Deny
policy.
5. In the Value text box, type 50.51.200.22 as the IP address of the network administrator's computer.
6. Click OK.
The IP address appears in the Add Address dialog box Selected Members and Addresses list.
8. In the To section, select Any-External. Click Remove.
9. In the To section, click Add.
The Add Address dialog box appears.
10. In the Value text box, type *.avsignatureupdate.com, then click OK.
11. Repeat these steps and add other FQDN entries for *.windowsupdate.com, *.microsoft.com, and
*.windows.com.
It is possible to create a new policy template for a service that uses a port range. After you specify the
Type as Port Range instead of Single Port, the options to define a port range are available.
10. Click OK to close the Add Protocol dialog box.
The TCP 5900 protocol appears in the list of Protocols controlled by this policy.
5. Double-click Any-Optional.
Any-Optional appears in the Selected Members and Addresses list.
10. From the Choose Type drop-down list, make sure that Host IP is selected.
11. In the Value text box, type 10.0.1.201.
This address restricts VNC traffic to only the desktop computer of the network administrator.
12. Click OK to close the Add Member dialog box.
The IP address 10.0.1.201 appears in the Selected Members and Addresses list.
14. Click OK to close the New Policy Properties dialog box.
15. Click Close to close the Add Policies dialog box.
The VNC policy appears in the list of configured policies.
2. Click
The Auto-order Mode feature can be enabled or disabled. When the menu item has a check mark next to it,
Policy Manager sets the precedence automatically. When the check mark is missing, Policy Manager uses
manual-order mode and keeps the order you set.
5. In the Description text box, type Disable the policy in the evenings.
You can use this schedule for other policies so you should describe it with the hours blocked or allowed rather than
the policy for which you are building it.
6. In the schedule grid, change the hours from 5:00 PM to 10:00 PM, Monday through Friday, to Non-operational hours.
3. In the Name text box, type a descriptive name for the tag for the remote policies.
For this exercise, type Remote.
4. To specify a color for this policy tag, click Color and select a color from the palette.
For this exercise, select blue.
5. Click OK.
The Remote tag is applied to the policies you selected and appears in blue text in the Tags column for those policies.
The tag also appears in the Tag List in the Manage Policy Tags dialog box.
The policy tags you create are automatically added to the Tag List so you can apply them to any new
policies you add to your configuration file in future.
6. Select all of the policies in the policy list for the corporate office.
7. Right-click the selected policies and select Policy Tags > Add to policy > New.
The New Policy Tag dialog box appears.
10. Click OK.
The Corp tag is applied to the policies you selected and appears in red text in the Tags column for those policies.
After the Remote and Corp policy tags are applied to the policies, the Successful Company administrator can sort the
policy list by the Tags column. If a policy has more than one tag applied to it, the policy is grouped alphabetically by the
applied policy tags.
To sort the policy list and organize it alphabetically by policy tags, click the Tags column header.
The policy list is rearranged so all policies with the same tag applied are grouped together.
4. Click anywhere on the policy list to save your selection and apply the filter to the policy list.
The policy list is updated to show only the policies that have either the Remote or the Corp tag applied.
To save a filter:
1. From the Filter drop-down list, select Custom.
2. Click the Save Filter button.
The Save Filter dialog box appears.
3. In the Name text box, type a descriptive name for the filter.
For this exercise, type Remote and Corp.
4. Click OK.
The filter name appears in the Filter drop-down list and the Manage Filters list.
Now that the filter is saved, the Successful Company administrator can apply the filter at any time to see only the
policies with the Corp or Remote policy tags applied.
To clear all filters from the policy list, from the Filter drop-down list, select None. All filters are removed from the policy
list.
1. Packet Filter or Proxy? Strip an attachment
2. True or false? You can use the same operating schedule for multiple policies.
3. Which of the following protocols can be used in a custom policy? (Select all that apply.)
o A) TCP
o B) Frame Relay
o C) ATM
o D) UDP
o E) ICMP
ANSWERS
1. Strip an attachment: Proxy
2. True
3. A, D, and E
4. False
5. False
6. False
7. False
8. False. If you select Match All, only policies that have all of the policy tags you specify in the filter appear in
the filtered policy list.
Notes
Proxy Policies
Use Proxy Policies and ALGs to Protect Your Network
Understand the purpose of each proxy policy or ALG (Application Layer Gateway)
Before you begin these exercises, make sure you read the Course Introduction module.
Proxy Policies
The user interface allows or denies based on protocol commands and not client commands. For a full
reference on FTP protocol commands, we recommend you refer to RFC 959, section 4.1.
You generally should not block these commands, because they are necessary for the FTP protocol to work
correctly:
Protocol Command | Client Command | Description
USER             | n/a            | Send the user name to the server (RFC 959).
PASS             | n/a            | Send the password for that user name.
PASV             | pasv           | Ask the server to listen on a data port for a passive-mode transfer.
SYST             | syst           | Print the server's operating system and version. FTP clients use this information to correctly interpret and display server responses.
You can block these commands as necessary:
Protocol Command | Client Command   | Description
RETR             | get              | Retrieve (download) a file from the server.
STOR             | put              | Store (upload) a file on the server.
DELE             | delete           | Delete a file on the server.
RMD              | rmdir            | Remove a directory.
MKD              | mkdir            | Make a directory.
PWD              | pwd              | Print the current working directory.
LIST             | ls               | List the directory contents with details.
NLST             | dir              | List file names only.
CDUP             | cd ..            | Change to the parent directory.
CWD              | cd <path>        | Change the working directory.
SITE             | site <command>   | Send a server-specific command.
Download
The Download ruleset controls the file names, extensions, or URL paths that users can download with FTP. Use
the FTP-Server proxy action to control download rules for the FTP server protected by your Firebox. Use the
FTP-Client proxy action to set download rules for users connecting to external FTP servers.
Upload
The Upload ruleset controls the file names, extensions, or URL paths that users can use FTP to upload. Use the
FTP-Server proxy action to control upload rules for the FTP server protected by your Firebox. Use the FTP-Client
proxy action to set upload rules for users connecting to external FTP servers. The default configuration of the
FTP-Client proxy action is to allow all files to be uploaded.
AntiVirus
If you have purchased and enabled the Gateway AntiVirus feature, you can configure the actions to take if a virus
is found in a file that is uploaded or downloaded.
For more information, see the Signature Services and APT Blocker module.
Data Loss Prevention
If you have purchased and enabled the Data Loss Prevention feature, you can configure the DLP sensor that the
FTP-proxy uses to examine allowed traffic.
Proxy and AV Alarms
An alarm is a mechanism to tell a network administrator when network traffic matches criteria for suspicious
traffic or content. When an alarm event occurs, the Firebox takes the action that you configure. For example, you
can set a threshold value for file length. If the file is larger than the threshold value, the device can send a log
message to the Log Server.
APT Blocker
If you have purchased and enabled the APT Blocker feature, you can enable it for use with the FTP-proxy to
examine FTP traffic for advanced malware threats.
4. From the Proxy Action drop-down list, make sure DNS-Outgoing is selected.
The DNS Proxy Action Configuration dialog box appears for the DNS-Outgoing actions.
If the Enabled or Action settings are different for any of the rules in the list, you see a warning
message when you try to select Simple View.
5. Click OK to close the DNS Proxy Action Configuration dialog box.
The Clone Predefined or DVCP-created Object dialog box appears. Because DNS-Outgoing is a template, you cannot
change it. Instead, you must make a copy and use it for your policies. The default name for the cloned proxy action is DNS-Outgoing.1.
6. In the Name text box, type a new name for this action.
For example, type DNS-Outgoing-Deny-Yahoo-Messenger.
7. Click OK to clone the template.
The proxy action appears in the New Policy Properties dialog box in the Proxy action drop-down list.
Make sure that users cannot delete a file from the Successful Company FTP server.
Restrict the type of files that users can upload to the FTP server to text files only, to help prevent abuse of the
Successful Company FTP server.
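The command tables and the two exercise requirements above (no deletes, uploads restricted to text files) can be expressed as a small command filter. The following is an added example written for this guide, not Fireware's own FTP-proxy code: it models an FTP-Server proxy action with a Commands ruleset, an Upload ruleset and a Download ruleset, never blocks the four commands the guide says FTP cannot work without, and compares only the final path component of a filename against the rules. The rule values and the client session are constructed for the illustration.

```python
import fnmatch
from dataclasses import dataclass

# Commands the guide says you should not block, because FTP cannot work
# without them. The filter allows these regardless of the other rules.
REQUIRED_COMMANDS = frozenset({"USER", "PASS", "PASV", "SYST"})


@dataclass
class FtpServerProxyAction:
    """A simplified FTP-Server proxy action: Commands, Upload and Download rulesets."""
    denied_commands: frozenset = frozenset()
    upload_allow: tuple = ("*",)      # filename globs a client may STOR (default: all)
    download_deny: tuple = ()         # filename globs a client may not RETR

    @staticmethod
    def _filename(arg: str) -> str:
        # Only the final path component is compared against the filename rules.
        return arg.strip().replace("\\", "/").rsplit("/", 1)[-1].lower()

    @staticmethod
    def _matches_any(name: str, globs) -> bool:
        return any(fnmatch.fnmatchcase(name, g.lower()) for g in globs)

    def decide(self, line: str) -> tuple:
        """Return ("allow" | "deny", reason) for one client command line."""
        parts = line.strip().split(None, 1)
        if not parts:
            return "deny", "empty command line"
        cmd, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if cmd in REQUIRED_COMMANDS:
            return "allow", f"{cmd} is required for the protocol to work"
        if cmd in self.denied_commands:
            return "deny", f"{cmd} is denied by the Commands ruleset"
        if cmd == "STOR":
            name = self._filename(arg)
            if not self._matches_any(name, self.upload_allow):
                return "deny", f"upload of {name!r} blocked by the Upload ruleset"
        if cmd == "RETR":
            name = self._filename(arg)
            if self._matches_any(name, self.download_deny):
                return "deny", f"download of {name!r} blocked by the Download ruleset"
        return "allow", "no rule matched; default action is allow"


def run_session(action: FtpServerProxyAction, lines):
    """Apply the proxy action to each command line; returns [(line, verdict)]."""
    return [(line, action.decide(line)[0]) for line in lines]


# Proxy action for the exercise: users may not delete files, and may only
# upload text files. Hypothetical rule values chosen for this example.
EXERCISE_ACTION = FtpServerProxyAction(
    denied_commands=frozenset({"DELE"}),
    upload_allow=("*.txt",),
)

# Constructed client session, not a real capture.
SAMPLE_SESSION = [
    "USER anonymous",
    "PASS guest@example.com",
    "PASV",
    "LIST",
    "RETR readme.txt",
    "STOR notes.txt",           # allowed: text file
    "STOR payload.exe",         # denied by the Upload ruleset
    "STOR report.txt.exe",      # a double extension is still not *.txt
    "STOR pub/incoming/a.TXT",  # filename match is case-insensitive
    "DELE notes.txt",           # denied by the Commands ruleset
]
```

The double-extension line is the case to check when you write a filename rule: "*.txt" must be matched against the whole final component, not searched for as a substring, or report.txt.exe would be accepted.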
6. Click Change View.
The Rules (advanced view) page appears. In the advanced view, you can change command order as well as add,
remove, enable, and disable individual commands.
8. From the Action drop-down list, select Deny.
4. In the Name text box, type a new name for this action.
For example, type FTP-Server-Deny-Delete-Upload-TXT.
5. Click OK to clone the template.
The proxy action appears in the New Policy Properties dialog box in the Proxy action drop-down list.
11. Repeat Steps 8 and 9 to add sjones@example.com and hwatkins@example.com to the Access Levels list.
13. In the Name text box, type a new name for this action.
For example, type H323-Client-VoIP-Limited.
14. Click OK to clone the template.
The proxy action appears in the New Policy Properties dialog box in the Proxy action drop-down list.
o A) *.pdf
o B) *PDF
o C) .*df
o D) *.p*
4. True or false? An Application Layer Gateway (ALG) is the same as a packet filter policy.
5. What are some reasons to create a TCP-UDP-proxy? (Select all that apply.)
ANSWERS
1. DNS-Incoming.
2. C
3. A
4. False. An ALG is similar to a proxy policy and also manages some network connections used by that protocol.
5. B and E
Notes
Before you begin these exercises, make sure you read the Course Introduction module.
For more information about the protocols used for email and controlled by the SMTP and POP3 proxies, see the RFC
Archives.
SMTP Rulesets
SMTP is a protocol used to send email messages between servers, or between clients and servers. The default port for
SMTP traffic is TCP port 25. You can use the SMTP-proxy to control email messages and email content. The proxy
scans SMTP messages and compares their contents to the rules in the proxy configuration.
The SMTP-proxy checks the message for harmful content and RFC compliance. It examines the SMTP headers,
message recipients, senders, and content, as well as any attachments. The SMTP-proxy can restrict traffic from
specific user names or domains. It can also strip unwanted or dangerous SMTP headers, filter attachments by filename
or MIME content type, or deny the email based on an address pattern. The ability to strip header information is
particularly valuable to many network administrators. The SMTP-proxy requires no additional configuration for either
your email server or your network clients.
When you create an SMTP-proxy policy, you can choose from two default proxy actions:
SMTP-Incoming.Standard
This proxy action includes rulesets to protect your SMTP email server from external traffic.
SMTP-Outgoing.Standard
This proxy action includes rulesets to control outgoing SMTP connections from users on your trusted and
optional networks.
POP3 Rulesets
POP3 is a protocol that moves email messages from an email server to an email client. The POP3 protocol operates on
TCP port 110. Many Internet-based email accounts use POP3. With POP3, an email client contacts the email server
and checks for any new email messages. If it finds a new message, it downloads the message to the local email
client. After the message is received by the email client, the connection is closed.
When you create a POP3-proxy policy, you can choose from two default proxy actions:
POP3-Server.Standard
This proxy action includes rulesets to protect your POP3 email server from external traffic.
WatchGuard spamBlocker works with SMTP and POP3 proxy policies to examine up to 20,000 bytes of each inbound
email message. You can configure the Firebox to take any of the following actions when spamBlocker determines that
an email message processed by the SMTP proxy is spam:
- Deny: stops the spam email message from being delivered to the mail server. The Firebox sends this message to the sending email server: Delivery not authorized, message refused.
- Add subject tag: identifies the email message as spam or not spam and allows spam email messages to go to the mail server. See the subsequent section for more information on spamBlocker tags.
- Allow: allows spam email messages to go through the Firebox without a tag.
- Drop: drops the connection immediately. Unlike the Deny option, the Firebox does not send any SMTP error message to the sending server.
- Quarantine: sends the message classified as spam to a Quarantine Server.
If you use spamBlocker with the POP3 proxy, you have only two actions to choose from: Add Subject Tag and Allow.
You cannot use the Quarantine Server with the POP3 proxy.
If your spam catch rates have not improved after you enable spamBlocker, make sure that you have
DNS configured on your Firebox device. DNS is required for connections to the CYREN servers.
spamBlocker Tags
The Firebox can add spamBlocker tags to the subject line of the email message. You can also configure spamBlocker
to customize the tag that it adds. This example shows the subject line of an email message that was classified as
spam. The tag added is the default tag: ***SPAM***.
Subject: ***SPAM*** Free auto insurance quote
Here are some examples of other possible spamBlocker tags:
Subject: (SPAM) You've been approved!
Subject: [POSSIBLE SPAM] Save 75%
Subject: [JUNK EMAIL] Free shipping
Subject: *SPAM/BULK* 10 lbs in 10 days!
spamBlocker Categories
spamBlocker puts potential spam email messages into three categories based on the classification of the mail envelope:
- Confirmed Spam: includes email messages that come from known spammers. We recommend you use the Deny action for this type of email if you use spamBlocker with the SMTP proxy, or the Add subject tag action if you use spamBlocker with the POP3 proxy.
- Bulk: includes email messages that do not come from known spammers, but do match some known spam structure patterns. We recommend that you use the Add subject tag action for this type of email, or the Quarantine action if you use spamBlocker with the SMTP proxy.
- Suspect: includes email messages that could be associated with a new spam attack. Frequently, these messages are legitimate email messages. We recommend that you use the Allow action for this type of email, or the Quarantine action if you use spamBlocker with the SMTP proxy.
spamBlocker Exceptions
The Firebox might sometimes identify a message as spam when it is not spam. If you know the address of the sender,
you can configure the device with an exception that tells it not to examine messages from that source address or
domain.
spamBlocker does not detect spam in outgoing SMTP email. To prevent spam from originating from
your network and conserve network resources, you should disable email relay functionality on your
email server and enable email relay protection to inbound email using the incoming SMTP proxy
action.
2. Click the Add Policy button, or select Edit > Add Policy.
The Add Policies dialog box appears.
9. Click Add.
The Add SNAT dialog box appears.
19. In the Description text box, type Modified policy for email inbound.
2. In the Limits section, select the Set the maximum email size to check box. In the adjacent text box, type
5000.
5. Click Add.
The New Filenames Rule dialog box appears.
Control Mail Domain Use for Incoming Traffic to Prevent Mail Relay
Another way to protect your SMTP server is to restrict incoming traffic to only messages that use your company
domain. This prevents external users from using your internal email server as a mail relay to send spam. In this
example, we use the example.com domain.
You can also use the Rewrite Banner Domain and Rewrite HELO Domain options in the SMTP-proxy action
General Settings to hide the internal domain name your server presents in its SMTP banner and HELO
greeting, and the address rewriting settings to change the domain in the From and To components of
email addresses to a different value. This address rewriting is also known as SMTP masquerading.
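The recipient-domain restriction described above can be shown as a check on the RCPT TO command. The code below is an added example for this guide, not the Firebox's SMTP-proxy implementation: it accepts only recipients in the company domain and refuses the address forms that have historically been used to trick a server into relaying (source routes, '%' and '!' routing in the local part, a second '@', and address literals). The example.com domain and the SMTP reply codes used for the explanations are assumptions for the illustration.

```python
import re

# RCPT TO argument as sent by the client, e.g.  TO:<alice@example.com>
RCPT_RE = re.compile(r"^\s*TO\s*:\s*<([^>]*)>", re.IGNORECASE)
DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def rcpt_domain(rcpt_arg: str):
    """Return the lower-cased domain of an RCPT TO argument, or None if the
    argument is malformed or uses a form that has been abused to relay."""
    m = RCPT_RE.match(rcpt_arg)
    if not m:
        return None
    path = m.group(1)
    if path.startswith("@"):
        # Obsolete RFC 821 source route <@relay:user@dom>; a server that honours
        # it forwards to the embedded address, so refuse rather than strip it.
        return None
    if path.count("@") != 1:
        return None
    local, domain = path.rsplit("@", 1)
    if not local or any(c in local for c in "%!"):
        # user%victim.test@example.com and bang paths route through your server
        return None
    domain = domain.lower().rstrip(".")
    if not DOMAIN_RE.fullmatch(domain):
        # Address literals such as [192.0.2.1] are never your company domain.
        return None
    return domain


def relay_decision(rcpt_arg: str, accepted_domains=frozenset({"example.com"})):
    """Decide whether the incoming proxy lets a recipient through to the mail server.

    Returns ("allow" | "deny", reply text). Only exact domain matches are
    accepted, so alice@example.com.attacker.test is refused.
    """
    domain = rcpt_domain(rcpt_arg)
    if domain is None:
        return "deny", "550 malformed or routed recipient address"
    if domain in accepted_domains:
        return "allow", "250 OK"
    return "deny", "554 relay access denied"
```

Note that the comparison is made on the whole domain after lower-casing and removing a trailing dot, not with a substring or suffix test; the suffix case is exactly the one a relay probe tries first.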
Because SMTP-Incoming is a template, you cannot change it. You can only make a copy and use it for your
policies.
4. In the Name text box, type SMTP-Incoming-Email.
5. Click OK to clone the template.
The New Policy Properties dialog box appears, with SMTP-Incoming-Email in the Proxy action drop-down list.
5. Click Add.
The Add Address dialog box appears.
3. In the Limits section, clear the Set the maximum e-mail size to check box.
This removes any restrictions on email size.
4. Adjacent to the If matched drop-down list, select the Alarm and Log check boxes.
6. Select the Send Notification check box and the Email option.
You can export custom proxy configurations from one configuration to an XML file, and then import the
ruleset to another Firebox configuration file. You can see the Import and Export functions when you
look at a proxy ruleset in the Advanced view.
8. (Optional) In the Name text box, type a unique name for the proxy action.
The default name for a clone is SMTP-Outgoing.1. You can also give it a friendly name to help you recognize it.
6. Click Add.
The Add Address dialog box appears.
14. From the Choose Type drop-down list, select Host Name (DNS lookup).
15. In the Value text box, type mail.yahoo.com.
16. Click OK to close the Add Member dialog box.
The Add Address dialog box appears. Policy Manager does a one-time DNS lookup for the host name
mail.yahoo.com. The IP address for mail.yahoo.com appears in the Selected Members and Addresses list. Because the
lookup is done only once, the policy does not follow later changes to the host's addresses; for hosts whose addresses
change, use the FQDN type instead.
6. (Optional) In the Name text box, type a unique name for the proxy action.
The default name for the clone is POP3-Client.1. You can also give it a friendly name to help you recognize it.
Successful Company decides to invest in spamBlocker to manage all the unwanted email its employees are receiving.
In this exercise, we use the spamBlocker Wizard in Policy Manager to activate the spamBlocker service.
1. Select Subscription Services > spamBlocker > Activate.
The Activate spamBlocker Wizard appears.
2. Click Next.
If you are working through the training modules sequentially, or taking the class with an instructor, you should have
three email proxy policies configured.
3. Clear the POP3-CFO and SMTP-Server-Outgoing policy check boxes. Click Next.
4. Click Finish.
If you do not have an SMTP or POP3 proxy policy, the wizard prompts you to create one.
2. Click Add.
The Add Exception Rule dialog box appears.
You must also enable Virus Outbreak Detection in the global spamBlocker settings, if you want this
feature to operate in policies.
1. In the spamBlocker Configuration dialog box, select the Virus Outbreak Detection tab.
2. From the When a virus is detected drop-down list, select Drop.
o A) Source IP Address
o B) Content
o C) RFC compliance
o D) Packet Header
o E) Attachment
2. Choose the most appropriate SMTP-proxy action for each task. (Select one.)
Task                                                              | SMTP-Incoming | SMTP-Outgoing
Reduce the number of very large files sent by email to your users |               |
Reduce spam                                                       |               |
3. Choose the actions that spamBlocker can take when you configure spamBlocker to work with SMTP.
(Select all that apply.)
o A) Deny
o B) Tag (add a spam tag to the email subject line and allow spam messages to go to the recipient)
o C) Ignore
o D) Allow
o E) Drop
o F) Quarantine
o A) HTTP
o B) SMTP
o C) POP3
o D) FTP
ANSWERS
1. B, C, E
2. Reduce the number of very large files sent by email to your users: SMTP-Incoming
Reduce spam: SMTP-Incoming
3. A, B, D, E, F
4. True
5. B and C
Notes
Web Traffic
Manage the Web Traffic Through Your Firewall
Activate WebBlocker
Before you begin these exercises, make sure you read the Course Introduction module.
The HTTP-Client proxy settings give you complete control over the HTTP connections of your trusted users. You can
strip files by file name or MIME content type. You can also restrict the use of cookies, ActiveX, Java, and other
potential sources of infection.
Many web pages get information from site visitors, such as location, email address, and name. If you
disable the POST command, the Firebox denies all POST operations to web servers on the external
network. This feature can prevent your users from sending information to a website on the external
network.
HTTP Request
General Settings
Use this ruleset to control the idle time out and maximum URL length HTTP parameters. You can configure the
Firebox to create a log message with summary information for each HTTP connection request. Make sure the
Enable logging for reports check box is selected to see bandwidth usage information in HostWatch and
Report Manager. You can also enforce the strictest Safe Search settings for web browser search engines.
Request Methods
The Request Method ruleset lets you control the types of HTTP request methods allowed through the Firebox as
part of an HTTP request. Some applications, such as Google Desktop and Microsoft FrontPage, require
additional request methods. WebDAV is used for collaborative online authoring and has a large number of
additional request methods. The HTTP-proxy supports WebDAV request method extensions by default,
according to the specifications in RFC 2518.
URL Paths
Use this ruleset to filter the content of the host and path of a URL. For best results, use URL path filtering
together with file header and content type filtering.
Usually, if you filter URLs with the HTTP request URL path ruleset, you must configure a complex
pattern that uses regular expression syntax configured in the Advanced View of a ruleset. It is easier
and better to filter header or body content types than it is to filter URL paths.
Header Fields
This ruleset supplies content filtering for the full HTTP header name and its value. By default, the Firebox uses
exact matching rules to strip Via and From headers, and allows all other headers. The Via header can be added to
a client request by a proxy server to track message forwards and avoid request loops. Stripping the Via header
can protect client privacy. The From header passes the client user's email address to the server, where it can be
harvested for bulk mail recipient lists. Stripping this header helps reduce the chance of receiving spam and
maintains client anonymity and privacy.
Authorization
This ruleset sets the criteria for content filtering of HTTP Request Header authorization fields. When a web
server starts a WWW-Authenticate challenge, it sends information about which authentication methods it can
use. The proxy puts limits on the type of authentication sent in a request. With a default configuration, the
Firebox allows Basic, Digest, NTLM, and Passport 1.4 authentication.
HTTP Response
General Settings
Use this ruleset to configure basic HTTP response parameters, including idle time out, maximum line length, and
maximum total length of an HTTP response header. If you set a value control to zero (0) bytes, the Firebox
ignores the size of HTTP response headers.
Header Fields
This ruleset controls which HTTP response header fields the Firebox allows. Response headers can be used to
specify cookies, supply modification dates for caching, instruct the browser to reload the page after a specified
time interval, and for several other tasks.
Content Types
This ruleset controls the types of MIME content allowed through the Firebox in HTTP response headers. By
default, the Firebox allows some safe content types and denies MIME content that has no specified content
type. This is a common way of restricting the types of files that users can download from websites.
Cookies
Use this ruleset to control cookies included in HTTP responses. The default ruleset allows all cookies. HTTP
cookies are used to track and store information about users who visit particular sites.
Body Content Types
This ruleset gives you control of the content in an HTTP response. The Firebox is configured to deny Windows
exe/dll files by default. It is a good idea to examine the file types used in your organization and allow only
necessary file types.
Use Web Cache Server
If you have an existing HTTP caching proxy server on your network, you can forward HTTP requests from the
Firebox to your proxy server. For more information, see the Fireware XTM WatchGuard System Manager Help or
User Guide.
HTTP-Proxy Exceptions
All traffic to or from a domain listed in this ruleset bypasses the proxy completely. Only trusted sites that supply
needed files that would be denied by other parts of the HTTP-proxy should be listed here. By default, the
Microsoft Windows Update websites bypass the HTTP-proxy.
Data Loss Prevention
If you have purchased and enabled the Data Loss Prevention feature, you can configure the DLP sensor the
HTTP-proxy uses to examine allowed traffic.
WebBlocker
See the subsequent section for more information on how to restrict Web access with a WebBlocker profile.
Antivirus
This ruleset sets the actions to take if a virus is found. Although you can use the proxy definition screens to
activate and configure Gateway AntiVirus, it is easier to use the Tasks menu in Policy Manager to do this. For
more information, see the Signature Services and APT Blocker module.
Reputation Enabled Defense
If you have purchased the Reputation Enabled Defense Service, this ruleset enables you to immediately block
URLs that have a bad reputation, and bypass any configured virus scanning for URLs that have a good
reputation. You can also change the Good and Bad reputation thresholds. See the subsequent sections for more
information on how to restrict Web access with Reputation Enabled Defense.
Deny Message
Use this feature to customize the default deny message that your trusted users will see if the Firebox denies
HTML content.
Proxy and AV Alarms
This ruleset lets you define the type of alarm that is sent any time a notification is triggered by an HTTP ruleset.
APT Blocker
If you have purchased the APT Blocker subscription service, this ruleset lets you enable APT Blocker to analyze
HTTP traffic for advanced malware.
Quota limits are applied to users and groups based on authentication to the Firebox. You can create exceptions to
quotas so that any traffic to a specific destination address is not counted towards the usage quota. Quotas cannot be
enforced if a user is able to access websites without authentication.
Install and set up the WebBlocker Server (only if you want to use the SurfControl categories)
Activate a WebBlocker license
Configure an HTTP-proxy policy to use WebBlocker
WebBlocker Categories
When you configure WebBlocker, you select the server to use for WebBlocker lookups and you select the content
categories you want WebBlocker to block. The list of content categories you can configure depends on which type of
server you choose.
Both the Websense and SurfControl databases contain content categories such as News, Drugs, Gambling, or
Adult/Sexually Explicit. The Websense database has more granular categories than the SurfControl database. After
you select the type of WebBlocker server to use, you select which content categories you want to block.
To see a description of any content category, click the category name in the WebBlocker configuration.
WebBlocker Exceptions
To override a WebBlocker action, you can add an exception to the WebBlocker categories to allow or deny a particular
website. The exceptions are based on IP addresses, a pattern based on a URL, or a regular expression. To match a
URL path on all websites, the pattern must have a trailing /*. The host in the URL can be the host name specified in the
HTTP request, or the IP address of the server.
The websites you block with WebBlocker exceptions apply only to HTTP traffic (not HTTPS). They
are not added to the Blocked Sites list.
To create a WebBlocker pattern match exception, you can use any part of a URL. You can set a port number, path
name, or string that must be blocked for a specific website. For example, if it is necessary to block only
www.sharedspace.com/~dave because it has inappropriate photographs, you type
www.sharedspace.com/~dave/*. This still gives users the ability to browse to
www.sharedspace.com/~julia, which could contain content you want your users to see.
To block URLs that contain the word sex in the path, you can type */*sex*. To block URLs that contain sex in the
path or the host name, type *sex*. Such broad wildcards should be used cautiously, however, since a rule like this
would also unintentionally block access to a website for the City of Middlesex.
Regular expressions are more efficient, in terms of CPU usage on the Firebox, than pattern matches.
If you add many WebBlocker exceptions, you can improve performance by configuring your
WebBlocker exceptions as regular expressions rather than pattern matches. You can create a regular
expression that is equivalent to a pattern match. For example, the regular expression
^[0-9a-zA-Z\-\_]+\.hostname\.com.* is equivalent to the pattern match *.hostname.com/*. For more information about
regular expressions, see the WatchGuard System Manager Help or User Guide.
You can also block ports in a URL. For example, for http://www.hackerz.com/warez/index.html:8080, the
browser uses the HTTP protocol on TCP port 8080 instead of the default method that uses TCP 80. You can block the
port by matching *8080.
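As an added example (not part of the original guide), the following Python models the pattern-match and regular-expression exception forms described above and runs the page's own patterns against constructed URLs. Assumptions: patterns are matched against a "host/path" string in which * stands for any run of characters, and regular expressions are applied to the same string; as a caveat, it also shows that the trailing .* in the page's regular expression admits look-alike host names unless the end of the host is anchored.

```python
import re
from urllib.parse import urlsplit


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a WebBlocker-style pattern match into a compiled regex.

    Assumed semantics (the page does not spell them out): '*' matches any run
    of characters, every other character is literal, and the whole
    'host/path' string must match.
    """
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def url_key(url: str) -> str:
    """Reduce a URL to the 'host/path' form the patterns are written against.

    The host is whatever the request carried: a name or an IP address. The
    scheme is dropped; the ':8080' in the page's example stays at the end of
    the path, so '*8080' can still match it.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.netloc + parts.path


def pattern_matches(pattern: str, url: str) -> bool:
    return pattern_to_regex(pattern).match(url_key(url)) is not None


def regex_matches(regex: str, url: str) -> bool:
    """Evaluate a regular-expression exception against the same host/path key."""
    return re.search(regex, url_key(url), re.IGNORECASE) is not None


# The page's pattern examples, checked against constructed sample URLs.
PATTERN_CASES = [
    ("www.sharedspace.com/~dave/*", "www.sharedspace.com/~dave/photos.html", True),
    ("www.sharedspace.com/~dave/*", "www.sharedspace.com/~julia/index.html", False),
    ("*/*sex*", "www.example.org/health/sex-education.html", True),
    ("*/*sex*", "www.middlesex.gov/", False),      # 'sex' appears in the host only
    ("*sex*", "www.middlesex.gov/", True),         # the over-broad rule from the text
    ("*8080", "http://www.hackerz.com/warez/index.html:8080", True),
]


def check_pattern_cases() -> bool:
    """True when every case behaves as the page describes."""
    return all(pattern_matches(p, u) is expected for p, u, expected in PATTERN_CASES)


# Pattern match versus the regular expression the page gives as its equivalent,
# plus a tightened form that anchors the end of the host name.
WILDCARD_PATTERN = "*.hostname.com/*"
PAGE_REGEX = r"^[0-9a-zA-Z\-\_]+\.hostname\.com.*"
TIGHT_REGEX = r"^[0-9a-zA-Z\-\_]+\.hostname\.com(?:/.*)?$"


def compare_exception_forms(url: str) -> dict:
    """Show how the three exception forms judge one URL."""
    return {
        "pattern": pattern_matches(WILDCARD_PATTERN, url),
        "page_regex": regex_matches(PAGE_REGEX, url),
        "tight_regex": regex_matches(TIGHT_REGEX, url),
    }
```

On ordinary URLs of the site the two forms agree; on a constructed look-alike host such as evil.hostname.com.attacker.test the unanchored regex matches while the pattern does not, which is why the tightened form ends the host with (?:/.*)?$.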
If the user types the correct password, WebBlocker allows access to the override destination. The user can also edit
the override destination using wildcards to allow override access to more than one site, or to more pages in a site. You
can use wildcards in an override destination in the same way you use them to define a WebBlocker exception. In
effect, WebBlocker local override allows the user to define a temporary WebBlocker exception. WebBlocker enables
access to the override destination until the WebBlocker local override inactivity timeout is reached or until the user logs
out, if the user was authenticated. The default inactivity timeout for local override is five minutes.
WebBlocker Schedules
You can set an operating schedule for a set of WebBlocker rules. You use time periods to set rules for when to block
different websites. For example, you can block sports websites during usual business hours of operation, but allow
users to browse at lunch time, evenings, and weekends. To do this, you add a schedule to the HTTP-proxy policy that
WebBlocker is assigned to. You can also configure two HTTP policies, but create a schedule for only one of them. Each
policy uses one of the HTTP-proxy actions. Each of these HTTP-proxy actions points to one of at least two
WebBlocker actions.
WebBlocker Server
If you want to configure WebBlocker to use a WebBlocker Server with SurfControl, you must install a WebBlocker
Server. If you use the Websense cloud for WebBlocker lookups, WebBlocker does not use a local WebBlocker Server.
You install the WebBlocker Server when you install WatchGuard System Manager (WSM). If you did not originally
install the WebBlocker Server when you installed WSM, you can do so at any time. Run the WSM installer again and
select the check box for WebBlocker. Then, continue installation.
After you first install the WebBlocker Server, you must download the full WebBlocker database to the WebBlocker
Server. The WebBlocker Server automatically updates the WebBlocker database once per day.
Reputation Scores
The WatchGuard reputation server assigns every URL a reputation score from 1 to 100. A reputation score closer to 100
indicates that the URL is more likely to contain a threat. A score closer to 1 indicates that the URL is less likely to
contain a threat. If the RED server does not have feedback about a web address, it assigns a neutral score of 50.
These factors can cause the reputation score of a URL to increase, or move toward a score of 100:
These factors can cause the reputation score of a URL to decrease, or move toward a score of 1:
Reputation scores change over time. For increased performance, the Firebox stores the reputation scores for recently
accessed web addresses in a local cache.
Reputation Thresholds
There are two reputation score thresholds you can configure:
Bad reputation threshold: If the score for a URL is higher than the Bad reputation threshold, the HTTP proxy
denies access without any further inspection.
Good reputation threshold: If the score for a URL is lower than the Good reputation threshold and Gateway
AntiVirus is enabled, the HTTP proxy bypasses the Gateway AV scan.
If the score for a URL is equal to or between the configured reputation thresholds and if you have enabled Gateway AV,
the content is scanned for viruses.
Reputation Lookups
The Firebox uses UDP port 10108 to send reputation queries to the WatchGuard reputation server. Make sure this port
is open between your Firebox and the Internet. UDP is a best-effort service. If the Firebox does not receive a response
to a reputation query soon enough to make a decision based on the reputation score, the HTTP proxy does not wait for
the response, but instead processes the HTTP request normally. In this case the content is scanned locally if Gateway
AV is enabled.
If the response comes back late, it is possible you will see the reputation score assigned as -1 in the
Traffic Monitor.
Reputation lookups are based on the domain and URL path, not just the domain. Parameters after escape or operator
characters, such as & and ?, are ignored.
For example, for the URL:
http://www.example.com/example/default.asp?action=9&parameter=26
the reputation lookup is:
http://www.example.com/example/default.asp
Reputation Enabled Defense does not do a reputation lookup for sites that have been added to the HTTP Proxy
Exceptions list of the HTTP proxy action.
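An added example, not from the guide, that models the RED decision flow of the Reputation Thresholds and Reputation Lookups sections above, together with the lookup statistics discussed later in this module. The thresholds (90 bad, 10 good), the score table, the sample URLs, the suffix handling of a *.mozilla.com proxy exception and the counting of cache hits as lookups are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence, Tuple
from urllib.parse import urlsplit


@dataclass
class RedStats:
    """Counters that mirror the RED statistics the page discusses."""
    lookups: int = 0        # every lookup attempt, answered or not
    cache_hits: int = 0
    good: int = 0
    bad: int = 0
    inconclusive: int = 0


def lookup_key(url: str) -> str:
    """Reduce a URL to what RED looks up: domain plus path, with everything
    from the first operator character (? or &, as in the page's example) dropped."""
    for sep in ("?", "&"):
        url = url.split(sep, 1)[0]
    return url


def host_in_exceptions(host: str, exceptions: Sequence[str]) -> bool:
    """HTTP Proxy Exceptions entries such as '*.mozilla.com'; suffix matching
    for the '*.' form is an assumption of this example."""
    for entry in exceptions:
        if entry.startswith("*."):
            if host == entry[2:] or host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


class RedPolicy:
    """Reputation Enabled Defense decision logic as the page describes it.

    score_source(key) returns a 1-100 score, or None when no timely reply
    arrives. Thresholds 90 (bad) and 10 (good) are constructed values for the
    example; use the ones configured on your Firebox.
    """

    def __init__(self, score_source: Callable[[str], Optional[int]],
                 bad_threshold: int = 90, good_threshold: int = 10,
                 gav_enabled: bool = True, proxy_exceptions: Sequence[str] = ()):
        self.score_source = score_source
        self.bad = bad_threshold
        self.good = good_threshold
        self.gav_enabled = gav_enabled
        self.exceptions = tuple(proxy_exceptions)
        self.cache: Dict[str, int] = {}
        self.stats = RedStats()

    def decide(self, url: str) -> Tuple[str, Optional[int]]:
        """Return (verdict, score); score is -1 when the lookup got no answer,
        the value Traffic Monitor shows in that case."""
        host = urlsplit(url).hostname or ""
        if host_in_exceptions(host, self.exceptions):
            return "proxy-normally", None      # no reputation lookup at all

        key = lookup_key(url)
        self.stats.lookups += 1                # cache hits are counted too (assumption)
        if key in self.cache:
            self.stats.cache_hits += 1
            score: Optional[int] = self.cache[key]
        else:
            score = self.score_source(key)
            if score is not None:
                self.cache[key] = score

        if score is None:                      # UDP is best effort: do not wait
            return ("scan-locally" if self.gav_enabled else "allow"), -1
        if score > self.bad:
            self.stats.bad += 1
            return "deny", score
        if score < self.good:
            self.stats.good += 1
            return ("allow-bypass-av" if self.gav_enabled else "allow"), score
        self.stats.inconclusive += 1
        return ("scan-locally" if self.gav_enabled else "allow"), score

    def percentages(self) -> Dict[str, int]:
        """Good/bad/inconclusive as a share of all lookups; they need not sum to 100."""
        total = self.stats.lookups or 1
        return {name: round(100 * getattr(self.stats, name) / total)
                for name in ("good", "bad", "inconclusive")}


# Constructed reputation data; the first key is the page's own lookup example.
SAMPLE_SCORES = {
    "http://www.example.com/example/default.asp": 5,
    "http://malware.test/payload.exe": 97,
    "http://news.test/today": 50,
}

SAMPLE_URLS = [
    "http://www.example.com/example/default.asp?action=9&parameter=26",
    "http://www.example.com/example/default.asp?action=3",   # same key: served from cache
    "http://malware.test/payload.exe",
    "http://news.test/today",
    "http://slow.test/page",                                  # not in the table: no reply
    "http://updates.mozilla.com/check",                       # proxy exception: no lookup
]


def run_sample() -> Tuple[list, RedPolicy]:
    policy = RedPolicy(SAMPLE_SCORES.get, proxy_exceptions=("*.mozilla.com",))
    verdicts = [policy.decide(url)[0] for url in SAMPLE_URLS]
    return verdicts, policy
```

After run_sample(), the lookup counter (5) exceeds the good, bad and inconclusive counts combined (4) because the unanswered query is still a lookup attempt, and the three percentages sum to 80, not 100.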
2. In the General Settings, select the Enable logging for reports check box.
4. Click Add.
The New Content Type Rule dialog box appears.
5.
6.
7.
8.
9. Repeat Steps 2-7 for Microsoft PowerPoint (PPT) files. Use application/mspowerpoint as the pattern.
PowerPoint presentations are now allowed by the HTTP-proxy.
10. Repeat Steps 2-7 for Microsoft Word (DOC) files. Use application/msword as the pattern.
Word documents are now allowed by the HTTP-proxy.
11. Repeat Steps 2-7 for zip archive (ZIP) files. Use application/zip as the pattern.
Zip archives are now allowed by the HTTP-proxy.
12. In the Rules (advanced view) list, select application/*. Click Edit.
The Edit Content Type Rule dialog box appears.
13. From the Action drop-down list, select Deny. Click OK.
All other content types not specifically allowed are denied by the HTTP-proxy.
14. In the Categories list, expand HTTP Responses and select Body Content Types.
The Body Content Types page appears.
17. From the Action drop-down list, select Allow. Click OK.
This action allows zip archives as a body content type.
2. In the Deny Message text box, select the WatchGuard HTTP proxy phrase.
3. To replace the selected phrase, type Successful Company firewall.
4. At the end of the <b> Path: </b> %(url-path)% </p> line, click to place your cursor and press Enter on
your keyboard.
5. On the new line, press the space bar to align the new text with the text in the previous line.
6. On the new line, type: <p>For more information, contact Dustin and Nandi at
<a href="mailto:itsupport@example.com">itsupport@example.com</a>.</p>
8. (Optional) In the Name text box, type a unique name for the proxy action.
The default name for a clone is HTTP-Client.1. You can also give it a friendly name to help you recognize it.
4. In the text box below the HTTP Proxy Exceptions list, type *.mozilla.com and click Add.
*.mozilla.com appears in the list
5. Click OK to close the Edit HTTP Proxy Action Configuration dialog box.
6. Click OK to close the Edit Policy Properties dialog box.
7. Click Add.
The Add SNAT dialog box appears.
8. In the SNAT Name text box, type a name for this SNAT action.
9. Click Add.
The Add Static NAT dialog box appears.
12. Click OK to close the Add SNAT and the SNAT dialog boxes.
The IP address appears in the Add Address dialog box in the Selected Members and Addresses list.
18. Click OK. Click Close to close the Add Policies dialog box.
The HTTP-Public-Server policy appears in the policy list.
The first portion of the list is in blue text and consists of the default policies. The second portion of the
list is in black text and includes the templates we created during our exercises.
7. From the Action drop-down list, select Strip. Select the Log check box.
This rule strips all headers that include Passport1.4 authentication requests and sends a log message.
8. Click OK to close the Edit Authorization Rule dialog box.
The Clone HTTP Proxy Action Configuration dialog box Authorization page appears. The updated rule appears in the
Rules list.
9. Click OK to close the Clone HTTP Proxy Action Configuration dialog box.
The Proxy Actions dialog box appears with the cloned proxy action in the list.
This enables us to quickly apply this ruleset again in the future. You now have a ruleset which strips
Passport 1.4 authorization requests.
3.
4.
5.
6.
7.
8.
9.
10.
For the Quota Action, click the Add Quota Action icon.
Type a Name and Description for this quota action.
Select the Bandwidth check box, then set the value to 1000 MB.
Select the Time check box, then set the value to 60 minutes.
11.
12.
13.
14.
1.
2.
3.
4.
5. Click OK.
2. Click Add.
The New WebBlocker Configuration dialog box appears, with the Servers tab selected.
Create an Exception
A website about advertising principles that has a section on Ravel's Bolero is in the Adult Content category. However,
this is a useful site for the Successful Company Marketing department. The network administrator wants to create a
WebBlocker exception for this site.
In the New WebBlocker Configuration dialog box:
1. Select the Exceptions tab.
2. Click Add.
The New WebBlocker Exception dialog box appears.
6. Click OK.
The new exception appears in the list. WebBlocker now allows access to this site even though its IP address is in the
Adult Content category.
12. From the WebBlocker drop-down list, select General employees.
13. Click OK to close the Edit HTTP Proxy Action Configuration dialog box.
The Proxy Actions dialog box appears.
4. Select the Use this passphrase and inactivity timeout to control WebBlocker local override checkbox.
5. Type and confirm the local override Passphrase.
The local override passphrase must be between eight and 32 characters.
Make sure your device has a Reputation Enabled Defense feature key.
Make sure the device has at least one HTTP proxy policy configured.
After the Successful Company network administrator adds the feature key and saves it to the Firebox, he opens the
device configuration in Policy Manager to enable the service.
1. Select Subscription Services > Reputation Enabled Defense.
The Reputation Enabled Defense dialog box appears.
3. Click Configure.
The Reputation Enabled Defense settings for the selected policy appear.
When you enabled Reputation Enabled Defense for this policy, the Immediately block URLs that have a bad
reputation check box and the Bypass any configured virus scanning for URLs that have a good
reputation check box were both automatically selected.
4. Click Advanced.
You can change the reputation thresholds, but we recommend that you keep them at the default
values initially. After you have used Reputation Enabled Defense for a period of time, you can adjust
the thresholds if you find that either setting is too aggressive.
Make sure your Firebox can run queries over UDP port 10108 to the WatchGuard reputation server in
the cloud.
In this example, we can see that 91% of all requested URLs had a good reputation score, and did not require local
scanning by Gateway AV. We can also see that 67% of the URLs visited had a reputation score stored in the local
cache. This means that the RED service did not need to request the score from the WatchGuard reputation server.
If Gateway AV is enabled, it scans the content of websites that have an inconclusive reputation score. Those scan
results are then sent to the Reputation Enabled Defense server as input for updated reputation scores for those URLs.
This increases the likelihood that these URLs will have a more clearly good or bad reputation score in the future.
In this example, you can see that the total number of Reputation lookups is greater than the combined total number of
URLs with good, bad or inconclusive scores. This is because the Reputation lookups statistic counts all lookup
attempts, even if a response was not received in time to avoid a local AV scan. If the HTTP proxy does not receive a
timely response to a reputation lookup request, it scans the content locally. When this happens, the lookup is added to
the Reputation lookup total, but is not added to the total of good, bad, or inconclusive scores.
You can also see that the percentages shown in this example for good, bad and inconclusive scores do not add up to
100%. This is because these scores are calculated as a percentage of the total number of reputation lookups.
If your statistics show that the number of good, bad, and inconclusive scores are zero, but the number
of Reputation lookups is high, this means that the reputation lookup attempts did not result in timely
responses from the WatchGuard reputation server. Make sure your Firebox can send queries over
UDP port 10108 to the WatchGuard reputation servers.
D)
E)
F)
2. Fill in the blank: For better security, place your public web server on the __________ network.
3. In the subsequent image, all of the URL Path entries are set to Deny if matched.
With this configuration, which websites will the Firebox block? (Select all that apply.)
A) terrificsex.com
B) allthemusic.bittorrent.com
C) sex.thegoodstuff.com
D) www.trumpets.org
E) prevent.pornography.org
F) www.microsoft.com/porno/msupdate.asp
G) www.microsoft.com/patches/porno.exe
H) www.bittorrent.com
I) singing.napster.com
J) napster.communication.net
K) troubleshootingwinxp.hardcore.com
A) UDP
B) HTTP
C) SSL
D) PPTP
6. True or false? An exception to the WebBlocker rules allows a site that is normally blocked to be viewed, or a site
that is normally viewed to be blocked.
7. Employees can view the website 10.0.1.19, except for its pages on politics. If the site's pages on politics all
have the word politics somewhere in the path, what do you type in the Pattern text box?
8. True or false? You can allow a user to bypass the WebBlocker restrictions.
9. True or false? Users do not have to be authenticated to the Firebox to enforce bandwidth and time quotas on their
web traffic.
10. The reputation score for a URL is based on which of the following? (Select all that apply.)
11. Which of the following URL reputation scores indicates that a site is most likely to contain a threat? (Select one.)
A) 95
B) 50
C) 5
ANSWERS
1. A) HTTP-Client
B) Other
C) HTTP-Server
D) HTTP-Client
E) HTTP-Client
F) Other
2. Optional (also known as a DMZ)
3. B, C, E, F, G, H, I, K
4. False
5. B
6. True
7. 10.0.1.19/*politics*
8. True
9. False
10. A, B, C, E
11. A
Before you begin these exercises, make sure you read the Course Introduction module.
In this module, you will configure optional features of the Firebox. To configure these services, you must first purchase
a feature key for Gateway AntiVirus, Data Loss Prevention, Intrusion Protection Service, Application Control, and APT
Blocker. In addition, to activate the key you must have access to a Firebox. If you take this course with a WatchGuard
Certified Training Partner, your instructor will provide you with both a Firebox and a feature key to enable these
services.
APT Blocker is a non-signature based service that supplements the signature-based services. Because APTs leverage
the latest targeted malware techniques and zero-day exploits (flaws which software vendors have not yet discovered or
fixed) to infect and spread within a network, traditional signature-based scan techniques do not provide adequate
protection against these threats.
APT Blocker is a subscription service that uses best-of-breed full system emulation analysis by our solution partner
Lastline to identify the characteristics and behavior of APT malware in files and email attachments that enter your
network.
AntiVirus: Identifies viruses and trojans brought into your network through email, web browsing, TCP
connections, or FTP downloads.
IPS: Identifies direct attacks on your network applications or operating system.
APT Blocker: Identifies advanced malware brought into your network through email, web browsing, or FTP
traffic.
Email: With the SMTP or POP3 proxy, Gateway AntiVirus finds viruses encoded with frequently used email
attachment methods. These include base64, binary, 7-bit, 8-bit encoding, and uuencoding.
Web: With the HTTP proxy, Gateway AntiVirus scans web pages and any uploaded or downloaded files for
viruses.
TCP: With the TCP proxy, Gateway AntiVirus can scan HTTP traffic on dynamic ports. It recognizes that
traffic and forwards it to the default or user-defined HTTP proxy to perform antivirus scanning.
FTP: With the FTP proxy, Gateway AntiVirus finds viruses in uploaded or downloaded files.
[Table: Gateway AntiVirus scan options by proxy (TCP-UDP Proxy, SMTP Proxy, POP3 Proxy, HTTP Proxy), by Content Types and File names, for Download and Upload]
Email: With the SMTP or POP3 proxy, APT Blocker finds advanced malware in email attachments.
Web: With the HTTP proxy, APT Blocker scans web content and any uploaded or downloaded files for
advanced malware.
FTP: With the FTP proxy, APT Blocker detects advanced malware in uploaded or downloaded files.
Windows PE (Portable Executable) files. This includes files with .cpl, .exe, .dll, .ocx, .sys, .scr, .drv, and .efi
extensions. Windows XP and Windows 7/8.
Adobe PDF documents
Microsoft Office documents
Rich Text Format (RTF) documents
Android executable files (.apk)
APT Blocker can also examine files within these compressed archive types:
gzip
tar
zip
High
Medium
Low
All threat levels are considered malware. This rating is determined based on a score assigned to the file when it is
analyzed by Lastline. The High level indicates a higher score because more characteristics of malware were identified
in the analysis.
Each rule has an associated quantity. The quantity is a measure of the weighted number of matches the rule must find
in a scanned object to trigger a DLP violation. You can see the quantities for each rule on the WatchGuard Security
Portal, at http://www.watchguard.com/SecurityPortal/.
DLP rules internally use weights to adjust the number of matches required, and to adjust the sensitivity of the rule to text
that matches each of several expressions within the rule. The quantity associated with a rule does not always
correspond exactly to the number of text matches in the scanned content required to trigger the rule.
DLP on XTM 2 Series and 3 Series does not include text extraction. Without text extraction, DLP
scans the email message body and text files, but has a limited ability to read text from other file types.
SMTP proxy action: DLP scans content in email messages and attachments.
FTP proxy action: DLP scans content in downloaded and uploaded files.
HTTP proxy action: DLP scans HTTP and HTTPS traffic, including downloaded and uploaded files.
For DLP to scan HTTPS content, you must enable deep inspection of content in the HTTPS proxy action, and configure
the HTTPS proxy action to use an HTTP proxy action with Data Loss Prevention configured.
DLP Sensors
To configure DLP, you define a DLP sensor. In each DLP sensor, you enable one or more of the predefined content
control rules, and configure the action to take if data is detected that matches the selected rules. You can configure
different actions for email and non-email traffic, and different actions based on the source or destination of the traffic. In
the DLP sensor you also configure the scan limit, and the action to take for objects that cannot be scanned.
You can use the same sensor for multiple proxy policies, or you can create different sensors to use for different policies.
DLP includes two built-in sensors:
HIPAA Audit Sensor: Detects content related to compliance with HIPAA security standards
PCI Audit Sensor: Detects content related to compliance with PCI security standards
These built-in sensors are configured to allow all traffic, and to create a log message each time they detect content that
matches the content control rules.
DLP Actions
For each DLP sensor, you select actions to take for DLP violations detected in email and non-email content. If you
enable both Gateway AV and DLP for the same policy, the Gateway AV scan result action takes precedence over the
DLP action.
The actions you can select in DLP are:
When an email is quarantined by DLP, the message does not appear in the Quarantine Email Web UI for the recipient.
The administrator can select Tools > Quarantine Server Client in WatchGuard System Manager to see and manage
messages quarantined by DLP.
DLP Settings
For each DLP sensor, you can configure the scan limit, which controls how much of a file or object to scan. You can
also configure the actions to take if content cannot be scanned for any of these reasons:
For each of these three conditions, you can select a DLP action for content detected in email and non-email traffic. If
Gateway AV and DLP are both enabled for the same policy, the Gateway AV scan result action takes precedence over
the DLP action.
DLP and Gateway AV use the same scan engine. If you enable DLP and Gateway AV for the same
proxy action, the larger configured scan limit is used for both services.
XTM 21, 22, and 23 devices do not support scanning of HTTPS content.
You can learn more about Traffic Management in the Advanced Networking course.
If you have configured Traffic Management actions, you can also use Traffic Management actions in the Application
Control action to control the bandwidth used for allowed application traffic.
When Application Control blocks HTTP content that matches an Application Control action, the user who requested the
content sees an Application Control deny message in the browser. The deny message says that the content was
blocked because the application was not allowed. The message is not configurable. For HTTPS or other types of
content blocked by Application Control, the content is blocked, but the deny message is not displayed.
In addition to the per-policy Application Control actions, you also define a Global Application Control action that can be
the default Application Control action if traffic does not match the Application Control action applied to a policy. In this
way, you can implement a tiered Application Control strategy, with the Global Application Control action acting as the
fall-back action to set policy for applications that do not match another specific Application Control action.
Per-Application Action
For each application or application category selected in an Application Control action, you can select one of these
actions:
If you have created Traffic Management actions, you can also use Traffic Management actions to control the bandwidth
used for allowed application traffic.
Default Action
In each Application Control action, you also define a default action, to take if the application does not match the
applications configured in the Application Control action. Those actions are:
It is not necessary to enable Application Control for a policy if you control the network on both sides of a traffic flow the
policy handles. Some examples of these types of policies include policies that handle traffic for POS systems, Intranet
web applications, or internal databases and traffic in a DMZ.
It is also usually unnecessary to enable Application Control for policies that are restricted by port and protocol and that
only allow a known service. Some examples of these types of policies:
If you enable Application Control for an HTTPS proxy policy, you must also enable deep inspection of HTTPS content in
the HTTPS proxy action. This is required for Application Control to detect applications over an HTTPS connection.
Application Control scanning of HTTPS content is not supported on XTM 21, 21-W, 22, 22-W, 23, and 23-W devices.
If you configure an Application Control action to block an application, and you create a proxy action Content
Types rule to allow the content type for that application, the content is blocked by Application Control.
If you configure an Application Control action to allow an application, and you create a proxy action Content Type
rule to drop or deny that content type, the content is blocked by the Content Type rule in the proxy action.
You must have the Gateway AntiVirus feature key saved to the Firebox before you can do this
exercise. For more information, see Administration on page 25.
2. Click Next.
If you are completing the training modules sequentially, or taking the class with an instructor, you should have several
email, web, and FTP policies configured.
3. Clear the check box adjacent to the HTTP-Public-Servers policy. Click Next.
4. Click Finish.
2. Click Settings.
The Gateway AV Decompression Settings dialog box appears.
5. Click OK.
6. Click Update Server.
The Update Server dialog box appears.
7. Select the Enable automatic update check box. By default, the Firebox automatically updates signature
database files every hour. Increase the Interval to 2 hours.
8. Select the Gateway AntiVirus Signatures check box to enable automatic updates for Gateway AV.
9. Click OK.
10. Click OK to close the Gateway AntiVirus dialog box.
You must save your changes to the Firebox before they take effect.
Before you begin, open Policy Manager and make sure there is an SMTP proxy policy present in your configuration. If
not, select Edit > Add Policies to add an SMTP proxy policy to your configuration.
1. Select Subscription Services > Gateway AntiVirus > Configure.
The Gateway AntiVirus dialog box appears.
Automatic content type detection can improve virus detection rates. Often, the content type value that
appears in an email header is set incorrectly by email clients. With this feature enabled, the SMTP
proxy tries to verify the content type of email attachments itself. Because hackers often try to disguise
executable files as other content types, we recommend that you enable content type auto detection to
make your installation more secure.
7. Make sure the Enable content type auto detection check box is selected.
If you do not select this check box, the SMTP proxy uses the value stated in the email header, which clients sometimes
set incorrectly. For example, an attached PDF file might have a content type stated as application/octet-stream. If you
enable content type auto detection, the SMTP proxy recognizes the PDF file and uses the actual content type,
application/pdf. If the proxy does not recognize the content type after it examines the content, it uses the value stated in
the email header, as it would if content type auto detection were not enabled.
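As an added example, not the proxy's own code, this Python combines the content type auto detection described here with the Content Types ruleset built in the HTTP exercise earlier in this module (allow application/mspowerpoint, application/msword and application/zip, then deny application/*). The magic-byte table, the application/x-msdownload label for a Windows PE file, top-down first-match rule evaluation and the allow action for types that match no rule are assumptions of the example.

```python
import re
from typing import Dict, List, Tuple

# Magic-number table for the auto-detection step (constructed for this example;
# a real engine checks far more signatures and more than two bytes for PE).
MAGIC_SIGNATURES = [
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-msdownload"),   # Windows PE; the type label is an assumption
]


def detect_content_type(declared: str, body: bytes) -> Tuple[str, bool]:
    """Content type auto detection as the page describes it: trust the bytes
    over the header, and fall back to the declared value when nothing matches."""
    for magic, ctype in MAGIC_SIGNATURES:
        if body.startswith(magic):
            return ctype, True
    return declared, False


def _glob(pattern: str) -> "re.Pattern[str]":
    """Content type rule patterns such as application/* ('*' = any run of characters)."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$", re.I)


# The Content Types ruleset from the HTTP exercise: three explicit allows, then
# the catch-all deny for application/*. Top-down, first-match-wins evaluation
# and the no-match action are assumptions of this example.
CONTENT_TYPE_RULES: List[Tuple[str, str]] = [
    ("application/mspowerpoint", "allow"),
    ("application/msword", "allow"),
    ("application/zip", "allow"),
    ("application/*", "deny"),
]


def apply_rules(content_type: str, rules=CONTENT_TYPE_RULES,
                no_match_action: str = "allow") -> str:
    for pattern, action in rules:
        if _glob(pattern).match(content_type):
            return action
    return no_match_action


def evaluate_attachment(declared: str, body: bytes,
                        auto_detect: bool = True) -> Tuple[str, str]:
    """Return (effective content type, rule action) for one attachment."""
    ctype = detect_content_type(declared, body)[0] if auto_detect else declared
    return ctype, apply_rules(ctype)


# Constructed sample attachments: declared header value and leading bytes.
SAMPLES: Dict[str, Tuple[str, bytes]] = {
    "mislabelled_pdf": ("application/octet-stream", b"%PDF-1.7\n1 0 obj"),
    "mislabelled_zip": ("application/octet-stream", b"PK\x03\x04\x14\x00\x00\x00"),
    "exe_as_image": ("image/jpeg", b"MZ\x90\x00\x03\x00\x00\x00"),
    "unknown_bytes": ("application/octet-stream", b"\x00\x01\x02\x03 no known magic"),
}


def evaluate_samples(auto_detect: bool = True) -> Dict[str, Tuple[str, str]]:
    return {name: evaluate_attachment(declared, body, auto_detect)
            for name, (declared, body) in SAMPLES.items()}
```

With auto detection on, the executable declared as image/jpeg is recognized and denied by the application/* rule; with it off, the header value is trusted and the same attachment matches no rule.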
4. For each Threat Level, select the Alarm and Log check boxes.
This configuration ensures that the administrator receives notification in the event advanced malware is detected, and
that APT activity can be monitored.
4. In the Name text box, type a name for this DLP Sensor.
For this example, type BlockSocialInsurance.
5. Click Next.
The list of configured policies that support DLP appears.
7. If you did not select an existing FTP proxy policy in the previous step of the wizard, select FTP to add the FTP proxy policy.
8. Click Next.
The Rules list appears.
11. Set the action for non-email traffic to Drop. Click Next.
12. Click Finish.
The new Sensor is added to the Sensors tab.
In instructor-led training, the file to use for testing might already be created for you. Your instructor will
provide you with the information you need to connect to an FTP server in the training environment.
1. If you do not already have a DLP test file for this exercise, create a new text file, and copy this text into the file.
Social
Social
Social
Social
Social
Social
Social
Social
Social
Social
Social
Social
Social
Social
Social
Social
Social
Social
Social
Social
insurance
insurance
insurance
insurance
insurance
insurance
insurance
insurance
insurance
insurance
insurance
insurance
insurance
insurance
insurance
insurance
insurance
insurance
insurance
insurance
number
number
number
number
number
number
number
number
number
number
number
number
number
number
number
number
number
number
number
number
1234
2345
3456
4567
5678
6789
1234
2345
3456
4567
5678
6789
1234
2345
3456
4567
5678
6789
3456
4567
6. Select the Intrusion Prevention and Application Control Signatures check box.
7. Click OK.
The list of applications you can control is based on a set of signatures that Application Control uses to
identify the applications. To make sure that Policy Manager has the most recent Application Control
signatures from the Firebox, connect to your device with WatchGuard System Manager before you
use Policy Manager to edit or update Application Control actions.
If you are completing the training modules sequentially, or taking the class with an instructor, you should have several
DNS, email, HTTP, and FTP policies configured.
The Global Application Control action is a predefined action. You configure the Global action to block
applications you do not want to allow for all or most users. In this example, we want to block instant messaging
applications for all users.
You can use the radio buttons to show all applications, or show only applications that have an action configured.
The Search feature is the quickest way to find a specific application by name. You can also use the
Category drop-down list to filter the list by category, such as Instant Messaging. Search is generally
quicker, since each category contains many applications, and some application may not be in the
category you expect.
To allow the use of Yahoo Messenger for instant messaging, but block file transfers, you could select
the Set the action for specific behaviors radio button. Then set the action for the Transfer behavior
to Drop.
5. For this exercise, the administrator wants to block all use of the Yahoo Messenger application. Click OK to set
the action for all behaviors to Drop.
The Drop action appears in the action column for this application.
6. Click OK.
The Global Application Control action now blocks Yahoo Messenger.
You can optionally repeat the steps above to add any other applications to the Global Application Control action. Or, you
can click Select by Category to set the action for all applications in an application category.
To remove the action configured for an application, select the configured application in the list and click Clear Action.
4. Click OK.
The Global Application Control action is now applied to the HTTP policies.
7. From the When application does not match drop-down list, make sure Use Global action is selected. This is
the default setting.
8. Click OK.
The new Application Control action appears in the Application Control Actions dialog box.
10. For the HTTP-Employees policy, change the Action to the new action you just created.
11. Click OK.
The HTTP-Employees policy uses the AppControl.1 Application Control action as the primary action to control
application usage. For these users, Yahoo Messenger application traffic is not controlled, except for file transfer
traffic, which is dropped.
If HTTP traffic handled by the HTTP-Employees policy does not match the applications listed in the
AppControl.1 action, the HTTP-Employees policy uses the Global Application Control action to determine
whether to allow or drop the application traffic.
For HTTP traffic handled by the HTTP-proxy policy, the Global Application Control action is used to control
application usage.
Match each proxy action to its description:

B) Lock
C) Remove
D) Drop
E) Block
F) Send
G) Deny

Delete the attachment, send nothing to the sender or recipient, and add the sender to the Blocked Sites list.
Delete the attachment, send nothing to the recipient, and send nothing to the sender.
Remove the attachment and delete it while sending the message to the recipient.
Encode the attachment so that the recipient cannot open it without a network administrator.
ANSWERS
1. A) Allow Let the attachment go to the recipient even if it contains a virus
B) Lock Encode the attachment so that the recipient cannot open it without a network administrator.
C) Remove Remove the attachment and delete it while sending the message to the recipient.
D) Drop Delete the attachment, send nothing to the recipient and send nothing to the sender.
E) Block Delete the attachment, send nothing to the sender or recipient, and add the sender to the Blocked
Sites list.
F) Send Not a Fireware proxy action.
G) Deny Do not accept the file and notify the sender.
H) Quarantine Send the message to the Quarantine Server.
2. True
3. False
4. False
5. True
6. False
7. True
8. True
9. False DLP scans only outgoing messages and files.
Notes
Authentication
Verify a User's Identity
List the types of third-party authentication servers you can use with Fireware
Before you begin these exercises, make sure you read the Course Introduction module.
In this module, you will configure the Firebox to use third-party authentication servers. If you take this course with a
WatchGuard Certified Training Partner, your instructor may provide you with configuration details for authentication
servers on a local network. For self-instruction, we encourage you to get the information needed to configure the Firebox
for the authentication method used by your organization.
To authenticate from an external network, users type this URL in their browser to connect to the Firebox authentication
portal:
https:// <public IP address of a Firebox external interface>:4100/
As an example, the previous image shows policies configured to allow users in the FB-Admin group to connect to the
Firebox for management. The WatchGuard Authentication policy has been modified to allow users to authenticate from
an external network. The WatchGuard policy allows management connections to the Firebox from authenticated users
in the FB-Admin user group, as well as from any user on the trusted or optional network.
With this policy configuration, a user in the FB-Admin user group can use these steps to remotely manage the Firebox:
1. The external user authenticates to the Firebox on the external interface on TCP port 4100.
2. The user connects to the Firebox external interface IP address from WatchGuard System Manager.
Firebox-DB
Active Directory
LDAP (Lightweight Directory Access Protocol)
RADIUS
SecurID
VASCO
When you use a third-party authentication server, follow the instructions from the manufacturer to configure it correctly.
The server must be accessible from the Firebox, which usually means that it is installed on an optional network for
greater security.
You can configure a primary and backup authentication server. If the Firebox cannot connect to the primary
authentication server after three attempts, the primary server is marked as unavailable and an alarm message is
generated. The device then attempts to connect to the backup authentication server. If the device cannot connect to the
backup authentication server, it waits ten minutes, and then tries to connect to the primary authentication server again.
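The failover sequence above as a small Python model. This is an added illustration, not WatchGuard code: the Firebox internals are not published, so the model encodes only what the text states (three failed connection attempts mark the primary unavailable and generate an alarm, the backup is used next, and the primary is not retried for ten minutes). It assumes the ten-minute wait applies whether or not the backup answered, which the text states only for the case where the backup also fails. The callables passed as primary and backup stand in for real server connections.

```python
# Added model of primary/backup authentication server failover (not WatchGuard
# code). Times are seconds. primary() and backup() return True when the server
# accepts a connection; they simulate network reachability.
from typing import Callable, List, Optional

MAX_ATTEMPTS = 3           # failed attempts before the primary is marked unavailable
PRIMARY_RETRY_DELAY = 600  # ten minutes before the primary is tried again


class AuthServerPool:
    def __init__(self, primary: Callable[[], bool],
                 backup: Optional[Callable[[], bool]] = None):
        self.primary = primary
        self.backup = backup                 # None when no backup server is configured
        self.primary_unavailable_since: Optional[float] = None
        self.alarms: List[str] = []
        self.attempts = 0                    # connection attempts made to the primary

    def _try_primary(self) -> bool:
        for _ in range(MAX_ATTEMPTS):
            self.attempts += 1
            if self.primary():
                return True
        return False

    def _try_backup(self) -> str:
        if self.backup is not None and self.backup():
            return "backup"
        return "failed"   # neither server reachable: the user cannot authenticate

    def authenticate(self, now: float) -> str:
        """Return which server handled the request: 'primary', 'backup' or 'failed'."""
        if self.primary_unavailable_since is not None:
            if now - self.primary_unavailable_since < PRIMARY_RETRY_DELAY:
                # Inside the ten-minute wait the primary is not retried,
                # even if it has already recovered (assumption: only the
                # backup serves requests during this window).
                return self._try_backup()
            self.primary_unavailable_since = None   # wait elapsed, retry the primary
        if self._try_primary():
            return "primary"
        # Three attempts failed: mark unavailable, raise the alarm, fall back.
        self.primary_unavailable_since = now
        self.alarms.append(f"t={now:.0f}: primary authentication server unavailable")
        return self._try_backup()


if __name__ == "__main__":
    pool = AuthServerPool(primary=lambda: False, backup=lambda: True)
    for t in (0, 300, 900):
        print(f"t={t}: answered by {pool.authenticate(t)}")
    print("alarms:", pool.alarms)
```

The model makes the operational point visible: with the primary down and no backup configured, every login fails until the primary recovers and the wait has elapsed, so a backup server is worth configuring for any user-facing policy.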
Divide your company into groups according to tasks people do and information they need
Create users for the groups
Assign groups and users to policies
You must have the configuration information for your server such as server port, IP address, and shared secret.
If you use Active Directory or LDAP, you must also know the group membership attribute and Distinguished
Name (DN) of the Organizational Unit (OU) that contains the user accounts.
If it is available, you can configure the Firebox with a backup authentication server to contact if it cannot connect
to the primary authentication server.
The Firebox must be able to connect to the authentication server(s).
You must add the WatchGuard Authentication policy.
Add the IP address of the Firebox to the RADIUS server, as described in the RADIUS vendor documentation.
Enable and specify the RADIUS server in your device configuration.
Add RADIUS user names or group names to the policies in Policy Manager.
VASCO server authentication also uses the RADIUS configuration user interface.
5. Click OK.
The new group appears in the User Groups list.
Name: allison
Description: Allison Grayson
Passphrase: allyscomputer
Confirm: allyscomputer
When the passphrase is set, you cannot see the passphrase in plain text again. If the passphrase is lost, you must set
a new passphrase. A passphrase must contain a minimum of eight characters. The passphrases in this exercise are
training values; for production accounts, use passphrases well beyond the eight-character minimum.
3. To add Allison to the Marketing group, in the Available list, double-click Marketing.
Marketing appears in the Member list.
4. Click OK.
Allison is added to the User list.
Name    Description    Passphrase
joe     Joe Uknalis    joescomputer
tim     Tim Warner     timscomputer
wyatt   Wyatt Hare     wyattscomputer
6. After you add all users to the Marketing group, click OK.
The Authentication Servers dialog box should look like this:
2. In the From list, select Any-Trusted. Click Remove. Select Any-Optional. Click Remove.
With the Any-Trusted and Any-Optional entries, any user on your optional or trusted network is able to start an FTP
connection to the entries on the To list. When you remove these entries, you block FTP connections from your optional
and trusted networks.
11. From the Choose Type drop-down list, select Host IPv4.
12. In the Value text box, type 10.0.2.21.
This is the IP address of the FTP server on the optional network. In a real-world environment, you must activate NAT for
external users to be able to connect to this FTP server because it has a private IP address.
For more information, see NAT.
2. In the Session Timeout text box, type or select 4. From the adjacent drop-down list, select Hours.
This is the maximum length of time the user can send traffic to the external network. If you set this field to zero (0)
seconds, minutes, hours, or days, no session timeout is used and the user can stay connected indefinitely.
3. In the Idle Timeout text box, type or select 10. From the adjacent drop-down list, select Minutes.
This is the maximum length of time the user can stay authenticated when idle (not passing any traffic to the external
network). If you set this field to zero (0) seconds, minutes, hours, or days, no idle timeout is used and the user can stay
idle for any length of time.
In the Authentication Settings dialog box:
1. Select the Limit concurrent user sessions to option and keep the default setting of 1.
2. From the When the limit is reached drop-down list, select Allow subsequent login attempts and log off
the first session.
3. Select the Automatically redirect users to authentication page check box.
All users who have not yet authenticated are automatically redirected to the authentication login portal when they try to
get access to the Internet. If you do not select this check box, unauthenticated users must manually navigate to the
authentication login portal.
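The three settings configured above (session timeout, idle timeout, concurrent session limit) as a Python model. This is an added illustration, not Firebox code; it encodes the documented semantics (a value of 0 disables a timeout; with the limit at 1 and Allow subsequent login attempts and log off the first session selected, a new login ends the earlier session). The behaviour of the alternative choice, rejecting the new login, is an assumption included for contrast. Times are in seconds.

```python
# Added model of Firebox session timeout, idle timeout and concurrent-session
# settings (not WatchGuard code). A timeout of 0 disables that check.
from typing import Dict, List, Optional

SESSION_TIMEOUT = 4 * 3600   # 4 hours: maximum session length
IDLE_TIMEOUT = 10 * 60       # 10 minutes without traffic ends the session
CONCURRENT_LIMIT = 1


class Session:
    def __init__(self, user: str, login_at: float):
        self.user = user
        self.login_at = login_at
        self.last_traffic = login_at

    def expired(self, now: float, session_timeout: int = SESSION_TIMEOUT,
                idle_timeout: int = IDLE_TIMEOUT) -> Optional[str]:
        """Reason the session ended, or None while it is still valid."""
        if session_timeout and now - self.login_at >= session_timeout:
            return "session timeout"
        if idle_timeout and now - self.last_traffic >= idle_timeout:
            return "idle timeout"
        return None


class SessionTable:
    def __init__(self, limit: int = CONCURRENT_LIMIT, log_off_first: bool = True):
        self.limit = limit
        self.log_off_first = log_off_first   # False models rejecting the new login (assumption)
        self.sessions: Dict[str, List[Session]] = {}

    def _purge(self, now: float) -> None:
        # Drop sessions that hit either timeout before answering any query.
        for user in list(self.sessions):
            live = [s for s in self.sessions[user] if s.expired(now) is None]
            if live:
                self.sessions[user] = live
            else:
                del self.sessions[user]

    def login(self, user: str, now: float) -> bool:
        """Authenticate user; False only if the limit is reached and rejection is configured."""
        self._purge(now)
        live = self.sessions.setdefault(user, [])
        if len(live) >= self.limit:
            if not self.log_off_first:
                return False
            del live[0]                 # log off the oldest session
        live.append(Session(user, now))
        return True

    def traffic(self, user: str, now: float) -> bool:
        """Record traffic from user; False means the user is no longer authenticated."""
        self._purge(now)
        live = self.sessions.get(user)
        if not live:
            return False
        live[-1].last_traffic = now     # activity resets the idle clock only
        return True

    def count(self, user: str, now: float) -> int:
        self._purge(now)
        return len(self.sessions.get(user, []))


if __name__ == "__main__":
    table = SessionTable()
    table.login("allison", 0)
    print("traffic after 9 min:", table.traffic("allison", 540))
    print("traffic after a further 11 min:", table.traffic("allison", 540 + 660))
```

Note that steady traffic keeps the idle clock reset but never extends the session timeout: a user who is active for the full four hours is still logged off and must authenticate again.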
4. Select the Redirect traffic sent to the IP address of the XTM device to this host name check box. In the
text box, type the host name to use for the Firebox.
Make sure the host name matches the Common Name from the web server certificate and the host name specified in
the DNS settings for your organization.
5. Select the Send a redirect to the browser after successful authentication check box.
In the text box, type http://10.0.1.80/home.html.
This is the home page of the Successful Company intranet web server, which is located on the trusted network.
6. Click OK.
The Web Server Certificate dialog box closes.
A) Kerberos
B) SecurID
C) Linux Authentication
D) AppleTalk Authorization
E)
F) Active Directory
G)
H) RADIUS
4. What is the URL for the Firebox Authentication web page? (Select one.)
o A) https://auth.watchguard.com:4100/
o B) http://ip address of device interface:411/
o C) https://gateway IP address of Firebox:4000/
o D) https://<trusted or optional device interface IP address>:4100/
ANSWERS
1. A, B, F
2. True
3. B, E, F, G, H
4. D
Notes
In this module, you will connect to one or more Fireboxen, an instance of WatchGuard Dimension, and WatchGuard
WebCenter. If you take this course with a WatchGuard Certified Training Partner, your instructor will provide the IP
address and passphrases for the Fireboxen, servers, and instance of Dimension used in the exercises.
Before you begin these exercises, make sure you read the Course Introduction and the Set Up Logging & Servers
modules.
Executive Dashboard Includes a high-level view of the traffic through the selected Firebox or group.
This includes top clients, top domains, top URL categories, top destinations, top applications, top
application categories, and top protocols.
Security Dashboard Includes a high-level view of the top threats in each security area protected by your
Subscription Services.
Threat Map A visual representation of the dangerous attacks on your network and from which countries
the threats originate.
FireWatch A real-time, interactive report tool, that groups, aggregates, and filters statistics about the
traffic through your devices.
Policy Map An offline interactive report tool that aggregates the allowed traffic through your Fireboxen
and shows that allowed traffic in a visualization of the traffic flows. Each traffic flow is defined by the unique
Dimension Reports
Dimension uses a single server to collect log messages and generate reports. Because only one server is involved, the
time it takes to generate reports from the log messages Dimension receives from your Fireboxen and WatchGuard
servers is greatly reduced, to as little as a five minute delay. You can view reports in Dimension for a single Firebox, a
group of Fireboxen, or a single WatchGuard server.
After your Fireboxen and servers send log messages to Dimension, any reports related to the available log messages
are automatically generated by the Dimension server and appear in the Reports list for the Firebox or server.
Because all possible reports are automatically generated from the log messages available for any time range, you do not
have to manually generate any reports from Dimension. You can, however, schedule reports to be generated and sent
as a PDF file to an email address or to ConnectWise.
For more information, see the Dimension section of the Fireware Help.
Executive Summary Report The Executive Summary Report shows a high level summary of network use and
blocked threats for the selected time frame. Some of the report data can be viewed in the Dashboard widgets or
the complete data set can be scheduled for export as a PDF of the complete report.
Per Client Reports You can navigate directly to Per Client reports, or open them from the client report pivots in
some of the other reports, as specified in the subsequent sections.
Traffic You can view Traffic reports or export them as a PDF file. Some traffic reports include bandwidth data.
Web You can view Web reports or export them as a PDF file.
Mail You can view Mail reports or export them as a PDF file.
Services You can view Services reports or export them as a PDF file.
Device You can view Device reports or export them as a PDF file.
Detail Detail reports provide a textual, grid-based view of detail information. Detail reports can be viewed and
exported as a CSV file.
Health Health reports include statistics about the health of your connected Fireboxen. Reports can be viewed
and downloaded as a PDF file, or scheduled for delivery.
AP Devices When you enable logging for reports in the Gateway Wireless Controller and you configure your
Firebox to send log messages to Dimension, your Firebox also captures log messages for your connected AP
devices and sends them to Dimension. Dimension then generates the subsequent reports about your AP
devices. AP devices reports can be exported as a PDF or CSV file, depending on the report type.
Compliance Compliance report groups combine other reports, but include information specific to HIPAA and
PCI reports. You can view the combined report or export it as a PDF.
Available Reports for Servers From any Server page, you can see the reports that were automatically
generated from the available log message data for the selected server. When you create a report schedule for
your WatchGuard servers, you can select the Audit Summary or Authentication Audit reports.
To use Report Manager from a computer that is external to your Firebox when your Report Server is behind the Firebox,
you must have a port open to allow the Report Manager traffic between the Report Server and the IP address of your
external computer. To make sure the correct port (4130) is open, the WG-LogViewer-ReportMgr packet filter policy
must be included in the configuration file of the Firebox that is your gateway Firebox. This policy should be added
automatically when you configure the logging settings for the Firebox. If it is missing from your gateway Firebox
configuration file, you must add it before you can connect to WebCenter.
For more information about how to add a policy to your configuration, see the Policies on page 150 module or the
Fireware Help.
The WatchGuard Web Services API for Reporting is also automatically installed with the Log Server or Report Server.
You can use the WatchGuard Web Services API to extract Log Server and Report Server data for custom reports. For
more information about this tool, see the Fireware Help.
WatchGuard Reports
From WSM Report Manager, you can view and generate WatchGuard Reports, which are the summaries of the log data
that you have selected to collect from your Firebox log files. Report Manager consolidates the log data from your
Fireboxen into a variety of predefined reports so you can quickly and easily locate and review the actions and events
that occur at your Fireboxen. For a complete list of all the predefined reports available from your WSM Report Manager,
see Predefined Reports List in Fireware Help.
Select report parameters, such as date ranges and times for reports, and the Fireboxen or servers to include in
reports.
View a report in HTML format or export it to a PDF file.
Print or save a report.
Before you can see log messages in Dimension, you must make sure your Firebox is configured to send log messages
to Dimension. If you did not specify Dimension in the second set of Log Servers in the Set Up Logging & Servers
module, you can add it now. You do not have to remove the WSM Log Server from the logging settings for your Firebox,
or change the priority of the WSM Log Server.
If you did not already add your instance of Dimension to the Logging settings for your Firebox, you can add it to the Log
Servers 2 list:
1. Open the configuration file for your Firebox in Policy Manager.
2. Select Setup > Logging.
The Logging Setup dialog box appears with the Log Servers 1 tab selected.
3. Select the Log Servers 2 tab and verify that the IP address of your Dimension server does not appear as the
first server in the list.
4. Click Configure.
The Configure Log Servers dialog box appears with the Log Servers 1 tab selected.
7. In the Log Server Address text box, type the IP address for your instance of Dimension.
8. In the Encryption Key and Confirm Key text boxes, type the Encryption Key for the Dimension server.
9. Click OK to close the Add Event Processor dialog box.
The IP address of your Dimension server appears in the Log Servers 2 list in the Configure Log Servers dialog box.
10. Click OK to save your changes and close the Configure Log Servers dialog box.
The Logging Setup dialog box appears with the Dimension server on the Log Servers 2 tab.
12. If you have access to a Firebox for this lesson, save the configuration file to the Firebox.
If you are attending a class, your instructor might have all the students send log messages to the
same Dimension server, which increases the amount of traffic and thus the number of log messages
you can view in Dimension.
After you configure your Firebox to send log messages to Dimension, you must wait a few minutes for log messages to
be generated and sent to Dimension.
Connect to Dimension
1. Open a web browser and type https://<IP address of Dimension>.
The WatchGuard Dimension login page appears.
2. In the Start and End text boxes, specify the date and time range for the list of log messages.
The Executive Dashboard refreshes with the log message data for the time range you selected.
The list of log messages updates to include log messages from all log types.
5. To change the log message data display from a bar chart to a line chart, click the line chart button.
6. To change the log message data display back to a bar chart, click the bar chart button.
7. To see a timeslice analysis of the log message data, from the Actions drop-down list, select Timeslice
Analysis.
The Timeslice Analysis dialog box appears with a pie chart of all the selected log message data.
6. From the drop-down list, select the All of these words search option.
7. In the text box, type disp=Deny.
8. Click Search.
The search query runs and the results that include log messages denied by the HTTPS-proxy policy appear in the Log
Search list.
2. Click the lock icon to unlock the configuration.
The Dimension configuration is unlocked and the group modification buttons appear.
3. Click Add.
The Add Group dialog box appears.
4. In the Group Name text box, type the name for this group.
For this exercise, type Training Group 1.
5. (Optional) In the Description text box, type a description of the devices in this group.
6. To add a device to the group, click the add button.
The Select Devices page appears.
7. From the Available list, select the devices to include in the group and move them to the Selected list.
8. Click OK.
The devices you selected for the group appear in the Selected Devices list.
9. Click Save.
The new group appears in the Groups list.
10. Click the lock icon to lock the configuration again.
3. In the Start and End text boxes, specify the time range.
The Executive Dashboard is updated with information for the specified time range.
6. (Optional) From the drop-down list at the top of the report, select an option to pivot the report data on.
The report data display is updated based on the pivot you selected.
6. (Optional) From the drop-down list at the top of the report, select a pivot option: Hits or Bytes.
The report data display is updated based on the pivot you selected.
7. To export the report as a PDF file, at the top of the report, click the PDF export button.
2. Type the Server IP address, Port, User Name, and Passphrase for your Log Server.
3. Click Login.
WatchGuard WebCenter appears, with the LOG MANAGER > Devices page selected.
All of the log message types appear in the log messages list.
5. To view a specific log type, at the top of the page, select the tab for the log type.
The log messages list is updated to include only log messages of the type you selected.
Run a Search
The Successful Company support team manager has contacted you because the support team is not receiving email
requests from Big Client A. To find out what is happening to email from Big Client A, you will run a search query to see if
traffic from Big Client A's email server is passing through your Firebox to your email server.
You can use Log Manager to search for any details included in the log messages for your devices that are logging to
your Log Server. You can start a search from either the main LOG MANAGER > Search page or from any Firebox
page. From the Firebox page, when you specify the text to search on and click Search, the web UI automatically
switches to the Search page and populates the form with the text you specified.
When you run a search, you can search the log messages for only one Firebox at a time. You can save your search
parameters for each Firebox so you can run them again for that Firebox, but you cannot run saved search parameters for
a different Firebox. Each time you want to run a new search for a different Firebox, you must specify the parameters to
search on. To refine your search, you can specify the time range and select a log type to search for.
By default, the Search page includes one search query block. To run a simple search, just type the text to search on in
one text box in the default search query block. To run a complex search with an AND operator, specify text to search on
in more than one text box in a single search query block. To run a complex search that includes an OR operator, add
another search query block. You can add up to nine search query blocks to your search.
When you define a search query, you can include the name of one or more columns in the log file in your search
parameters. Though you can search for any column included in your log files, some of the columns that are most often
searched are: policy, protocol, src_ip, src_port, dst_ip, dst_port, src_intf, dst_intf, app_name, and app_cat_name.
For more information about how to use Log Manager, see the Logging and Reporting topics in the Fireware Help.
For this exercise, we will use Log Manager to run a search query that inspects the traffic from Big Client A that was not
allowed through the firewall. To search the Traffic log messages on the Log Server to find all traffic from Big Client A's
source IP address that was denied, we will include the src_ip and the disp columns in the query text.
If you are attending a class, your instructor will provide the source IP address for your search. If you
want to test this outside of a class, you can search on any IP address in the Source column.
2. Select a Firebox.
The Search page appears with the one search query block displayed.
3. From the Time Range drop-down list, select the amount of time to include in your search.
For this example, select Last 6 Hours.
4. In the Log Type drop-down list, Traffic is selected by default. Do not change this selection.
5. In the ANY of these words text box, type the IP address to search for.
For this example, we type the column to search in and the IP address to search for in this format: src_ip=<IP
address>.
6. In the ALL of these words text box, type the disposition of the traffic.
For this example, we want to find all traffic from the specified IP address that was denied, so we type
disp=Deny.
7. Click Search.
The Search results are refined to include only log messages for traffic from the specified source IP address that was
denied access through the firewall.
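The query semantics used in the Dimension Log Search steps earlier (the disp=Deny search) and in the Log Manager search just described, as a Python example. This is an added illustration, not WatchGuard code, and it does not reproduce the real Firebox log format: the log lines are constructed key=value records that use the column names listed above, with documentation IP ranges. Terms in one block are ANDed, separate blocks are ORed, a column=value term matches that column exactly, and a bare word matches anywhere in the message.

```python
# Added example of Log Manager / Log Search query-block matching (not WatchGuard
# code). The log records are constructed and use the column names from the
# Fireware Essentials text; they are not real Firebox output.
import re
from typing import Dict, List

MAX_BLOCKS = 9   # the Log Manager UI allows up to nine query blocks

# Constructed sample traffic log messages (not real Firebox output).
LOG_LINES = [
    'time="2015-12-07 09:15:02" disp=Allow policy=SMTP-proxy-00 protocol=smtp/tcp '
    'src_ip=203.0.113.45 src_port=51234 dst_ip=10.0.2.25 dst_port=25 src_intf=0-External dst_intf=2-Optional',
    'time="2015-12-07 09:16:10" disp=Deny policy="Unhandled External Packet-00" protocol=smtp/tcp '
    'src_ip=203.0.113.45 src_port=51240 dst_ip=10.0.2.25 dst_port=25 src_intf=0-External dst_intf=Firebox',
    'time="2015-12-07 09:20:44" disp=Deny policy=HTTPS-proxy-00 protocol=https/tcp '
    'src_ip=10.0.1.15 src_port=49822 dst_ip=198.51.100.9 dst_port=443 src_intf=1-Trusted dst_intf=0-External',
    'time="2015-12-07 09:21:03" disp=Allow policy=DNS-00 protocol=dns/udp '
    'src_ip=10.0.1.15 src_port=53311 dst_ip=10.0.2.21 dst_port=53 src_intf=1-Trusted dst_intf=2-Optional',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="value with spaces"


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log message into its columns."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


class QueryBlock:
    """One search query block: every term in all_of must match and, if any_of is
    given, at least one term in any_of must match (the ALL / ANY text boxes)."""

    def __init__(self, all_of=(), any_of=()):
        self.all_of = list(all_of)
        self.any_of = list(any_of)

    @staticmethod
    def term_matches(term: str, rec: Dict[str, str]) -> bool:
        if "=" in term:                        # column=value: exact match on that column
            col, value = term.split("=", 1)
            return rec.get(col) == value
        return any(term in v for v in rec.values())   # bare word: anywhere in the record

    def matches(self, rec: Dict[str, str]) -> bool:
        if not all(self.term_matches(t, rec) for t in self.all_of):
            return False
        return not self.any_of or any(self.term_matches(t, rec) for t in self.any_of)


def search(lines: List[str], blocks: List[QueryBlock]) -> List[Dict[str, str]]:
    """Return the records matched by any of the query blocks (blocks are ORed)."""
    if not 1 <= len(blocks) <= MAX_BLOCKS:
        raise ValueError(f"a search needs between 1 and {MAX_BLOCKS} query blocks")
    records = [parse_line(line) for line in lines]
    return [r for r in records if any(b.matches(r) for b in blocks)]


if __name__ == "__main__":
    # The exercise above: traffic from Big Client A's mail server that was denied.
    for r in search(LOG_LINES, [QueryBlock(all_of=["src_ip=203.0.113.45", "disp=Deny"])]):
        print(r["time"], r["policy"], r["src_ip"], "->", r["dst_ip"], r["dst_port"])
```

The denied SMTP connection lands in an Unhandled External Packet policy rather than the SMTP proxy, which is exactly the kind of result that tells you no policy (or no static NAT) admits the client's mail server.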
4. Click Save.
The search1.query file is saved in the location you selected.
When the Successful Company Administrator wants to run a saved query for a Firebox again, he simply loads the
search query file and runs the search again.
1. From the LOG MANAGER > Search page for a Firebox, click Load.
The Load Search Query dialog box appears.
3. Click OK.
The Search page is refreshed to include the details specified in the search query file and the search results are
updated to include only those results that match the specified search query.
4. Select the Start date and time, and End date and time.
For this exercise, select last Monday from 12:00 to 22:00.
5. Click OK.
The Log Messages page is updated with only the log messages for the specified date and time.
7. Select whether to open the ZIP file or save it to a location on your computer. Click OK.
8. If you save the file, browse to select a location.
11. Browse to the location where you saved the ZIP file, open the file, and extract the CSV file.
The Successful Company administrator can now open the CSV file and review the log messages, or import the CSV file
to another program or to the WatchGuard Log Server.
If you are attending a class, your instructor will provide the credentials for the Report Server.
2. Type the Server IP address, Port, User Name, and Passphrase for your Report Server.
3. Click Login.
WatchGuard WebCenter appears.
If your Log Server is installed on the same computer, the LOG MANAGER > Devices page is selected.
If your Log Server is not installed on the same computer, the REPORT MANAGER > Devices page is selected.
View Reports
After you connect to Report Manager, you can select the reports to view or generate.
1. Select REPORT MANAGER > Devices.
The Devices page appears.
3. From the Daily calendar, select a date to see the Available Reports for that day.
4. From the Available Reports list, select a report to view.
The selected report appears.
2. Put your cursor in the Start text box to select the start date and time for the report.
The date and time selection calendar appears.
3. Select a month and day from the calendar. Slide the time selectors to specify the hour and minute.
Or, click Now to select the current date and time.
4. Click Done.
The selected date and time appears in the Start text box.
5. Put your cursor in the End text box and select the end date and time for the report. Click Done.
6. From the Select a report type drop-down list, select the type of report to generate.
7. Click Run Report.
The selected report is generated.
It can take a few moments to generate the report. The longer the time range for the report, the longer it takes to generate
the report.
The network administrator can now send the PDF to his manager and print a copy for the auditors.
ANSWERS
1. True
The configuration settings to send log messages from your Firebox to a Dimension Log Server are the same as
for a WSM Log Server.
2. False
After you have installed Dimension and configured your devices to send log messages to Dimension, you can
view those log messages and see reports of the log message data, usually within five minutes.
3. False
You can run a search from both the Log Manager (simple search) and the Log Search (complex search) pages in
Dimension.
4. True
You can export log messages for a single Firebox or a group of devices from Dimension to a CSV file.
5. True
You can create groups of Fireboxen in Dimension that you can use to see log messages and reports for multiple
devices at the same time.
6. False
When you create a Device group in Dimension, data for all the devices in the group are included in one report.
7. False
You can export reports from Dimension as a PDF or a CSV file when you view an automatically generated report.
8. False
You cannot save a search query to run it again later.
9. False
You can only run a search query on one Firebox at a time.
10. False
You can export the log messages for only one Firebox at a time.
11. False
From WSM Report Manager, you can only generate an On-Demand report for one Firebox at a time.
12. True
You can save a search query for a Firebox to run it again later for the same Firebox. You cannot save search
query parameters to run the same search for a different Firebox.
13. False
You can run On-Demand and Per Client reports from WSM Report Manager and generate a PDF of each report,
but WSM Report Manager cannot connect to your email program to open an email message and attach the PDF
to the message.
14. False
Use the IP address of your WSM Log Server or Report Server to connect to WatchGuard WebCenter over port
4130.
15. False
You can generate a PDF of a report from WSM Report Manager, but you must save it and attach it to an email
message in your own email editor.
Notes
Before you begin these exercises, make sure you read the Course Introduction module.
BOVPN Overview
Benefits of a Branch Office VPN
A branch office VPN (BOVPN) is an encrypted and authenticated connection between two networks, where data is sent
through an untrusted network, such as the Internet. The BOVPN connection is also called a tunnel. The gateways,
which are endpoints of the tunnel on both networks, send and receive VPN data.
A branch office VPN provides these benefits:
Privacy or confidentiality of the data The VPN uses encryption to guarantee that traffic between the two
private networks is secret. An attacker who intercepts the traffic cannot understand it.
Data integrity The VPN guarantees that the data that passes through it has not been changed after it was
sent.
Data authentication The VPN guarantees that data that passes through the tunnel actually comes from one of
the two endpoints of the VPN, and not from some attacker on the Internet.
Direct private IP address to private IP address communication The computers at the two offices
communicate as if they were not behind devices configured with Network Address Translation (NAT). The data
tunnels through NAT for a transparent connection between the devices.
The Firebox examines traffic to and from computers on its protected networks. It uses the source and destination IP
address of the traffic and the VPN settings to decide what traffic to encrypt and send to the remote VPN gateway.
In this module, you use two Fireboxen as the gateway endpoints. You can create a VPN between your Firebox and any
other device that supports the IPSec standard.
The VPN settings you configure must match on both gateway devices.
A managed VPN tunnel is equivalent to a manual BOVPN gateway with an associated BOVPN tunnel.
You cannot use the Management Server to configure a BOVPN virtual interface.
[Table: When to Use It, comparing Manual BOVPN, BOVPN Virtual Interface, and Managed BOVPN]
All branch office VPN methods use the same protocols and tunnel negotiation procedure. In this module, we focus on
what you must know to configure and monitor manual BOVPN gateways and tunnels.
The value in the feature key limits the number of VPN tunnels that can be active at the same time. The feature key does
not limit the number of tunnel routes you can configure for branch office VPNs.
Encryption Algorithms
Encryption algorithms protect the data so it cannot be read by a third-party while in transit. Fireware BOVPNs support
three encryption algorithms. Longer keys are more secure.
DES (Data Encryption Standard) Uses an encryption key that is 56 bits long. This is the weakest of the three
algorithms; a 56-bit key can be recovered by brute force with modest hardware, so use DES only when the remote
peer supports nothing stronger.
3DES (Triple-DES) An encryption algorithm based on DES that uses the DES cipher algorithm three times to
encrypt the data.
AES (Advanced Encryption Standard) The strongest encryption algorithm available. Fireware can use AES
encryption keys of these lengths: 128, 192, or 256 bits. Prefer AES for new tunnels.
Authentication Algorithms
Authentication algorithms are used to verify that data packets are complete and were not sent by a third party. Each algorithm produces a message digest, also called a hash, which represents a set of data packets. When the data packets are received by the other BOVPN gateway, that device can use the same authentication algorithm to verify the data. Longer hashes are more secure.
SHA-2 (Secure Hash Algorithm 2)
SHA-2 is the most secure authentication algorithm supported, and it is the most computationally intensive.
Fireware supports these types of SHA2:
SHA2-256: Produces a 256-bit (32-byte) message digest
SHA2-384: Produces a 384-bit (48-byte) message digest
SHA2-512: Produces a 512-bit (64-byte) message digest
SHA-2 is not supported on XTM 21, 22, 23, 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050,
and 2050 devices.
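The following Python example is added to this guide and is not part of the WatchGuard courseware. It shows what the data integrity and data authentication guarantees above mean in practice: the sender appends a keyed message digest (an HMAC built on one of the SHA-2 variants listed, with the digest sizes read from hashlib), and the receiver recomputes it with the same shared key. An altered packet or a different key makes verification fail. It models the principle only, not the byte layout of ESP or AH; the key value is the exercise's sample pre-shared key and the payload is constructed.

```python
import hashlib
import hmac
from typing import Optional

# Digest sizes of the SHA-2 variants named in the text, taken from hashlib
# (32, 48 and 64 bytes, i.e. 256, 384 and 512 bits).
SHA2_DIGEST_BYTES = {
    "sha256": hashlib.sha256().digest_size,
    "sha384": hashlib.sha384().digest_size,
    "sha512": hashlib.sha512().digest_size,
}


def protect(payload: bytes, key: bytes, algorithm: str = "sha256") -> bytes:
    """Sender side: append a keyed digest (HMAC) computed over the payload.

    A keyed digest, not a bare hash, is what gives data authentication: only a
    peer that holds the same shared key can produce a digest that verifies.
    """
    mac = hmac.new(key, payload, algorithm).digest()
    return payload + mac


def verify(protected: bytes, key: bytes, algorithm: str = "sha256") -> Optional[bytes]:
    """Receiver side: split off the digest, recompute it, and compare.

    Returns the payload when the digest matches (integrity and origin are both
    confirmed), or None when the payload was altered or a different key was used.
    """
    size = hashlib.new(algorithm).digest_size
    if len(protected) < size:
        return None
    payload, received = protected[:-size], protected[-size:]
    expected = hmac.new(key, payload, algorithm).digest()
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    if not hmac.compare_digest(received, expected):
        return None
    return payload


def tamper(protected: bytes, index: int = 0) -> bytes:
    """Flip one bit of a protected message, the change an on-path modification would make."""
    altered = bytearray(protected)
    altered[index] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    # Constructed values: the key is the exercise's sample pre-shared key.
    key = b"shh-secret!"
    message = protect(b"10.0.1.0/24 -> 10.0.2.0/24 payload", key, "sha256")
    print("intact message verifies:", verify(message, key) is not None)
    print("altered message verifies:", verify(tamper(message), key) is not None)
    print("wrong key verifies:", verify(message, b"wrong-key") is not None)
```

The receiver never compares digests with a plain equality test; hmac.compare_digest runs in constant time, so an observer cannot learn how close a forged digest came to the right one.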
AH (Authentication Header)
Defined in RFC 2402, AH is a protocol that you can use in manual BOVPN Phase 2 VPN negotiations. To provide
security, AH adds authentication information to the VPN data. While AH provides better protection against spoofed
packets, most VPN tunnels do not use AH because it does not provide encryption.
VPN Negotiations
When two IPSec gateway devices attempt to establish a VPN connection, they exchange a series of messages about
encryption and authentication, and agree on many different parameters. This process of agreeing on the VPN
parameters is called VPN negotiations.
VPN negotiations happen in two distinct phases: Phase 1 and Phase 2.
Phase 1: The main purpose of Phase 1 is to set up a secure encrypted channel through which the two devices can negotiate Phase 2. If Phase 1 fails, the devices cannot begin Phase 2.
Phase 2: The purpose of Phase 2 negotiations is for the two VPN gateways to agree on a set of parameters that define what traffic can go through the VPN tunnel, and how to encrypt and authenticate the traffic. This agreement is called a Security Association.
Both VPN gateway devices must use the same Phase 1 and Phase 2 settings to create a VPN tunnel.
Main Mode: Ensures the identity of both VPN gateways, but can be used only if both devices have a static IP address.
Aggressive Mode: Faster but less secure than Main Mode, because it requires fewer exchanges between the two VPN gateways. In Aggressive Mode, the exchange relies mainly on the ID types used in the exchange by both VPN gateways. Aggressive Mode does not ensure the identity of the VPN gateway.
5. The VPN gateways agree on Phase 1 Transform settings. The settings in the Phase 1 transform on each IPSec
device must exactly match, or IKE negotiations fail.
The items you can set in the transform are:
Type: For a manual BOVPN, you can select the type of protocol to use: Authentication Header (AH) or Encapsulating Security Payload (ESP). ESP encrypts the data, while AH protects against spoofing. We recommend that you use ESP, because you can protect against spoofing in other ways. Managed BOVPN and Mobile VPN with IPSec always use ESP.
Authentication: Authentication makes sure that the information received is exactly the same as the information sent. You can use SHA or MD5 as the algorithm the VPN gateways use to authenticate IKE messages from each other. SHA-1 is more secure.
Encryption: Encryption keeps the data confidential. You can select DES, 3DES, or AES. AES is the most secure.
Force Key Expiration: To make sure Phase 2 encryption keys change periodically, always enable key expiration. The longer a Phase 2 encryption key is in use, the more data an attacker can collect to use to mount an attack on the key.
From: Specific addresses on the other side of the VPN, or a BOVPN virtual interface name
To: Specific addresses behind your Firebox
You can also add your own policies to allow traffic to the remote VPN gateway.
By default, only the Enable built-in IPSec policy setting is enabled. This option enables a hidden policy that allows
IPSec traffic from Any-External to Firebox. This hidden policy enables the Firebox to function as an IPSec VPN
gateway, and has a higher precedence than any manually created IPSec policy.
For information about when to change these settings, see the WatchGuard System Manager Help.
For a basic branch office VPN configuration, you do not need to change these settings.
Expand a gateway or VPN interface to see statistics and other status information.
Expand a tunnel to see statistics and information for that tunnel.
Troubleshoot a VPN
Common causes of branch office VPN failure include:
If a branch office VPN tunnel cannot be established, a VPN diagnostic error appears below the gateway.
VPN diagnostic messages can indicate a problem with the VPN tunnel or gateway configuration. VPN diagnostic messages for a tunnel include the tunnel name, and indicate a problem with the tunnel route or Phase 2 settings. VPN diagnostic messages related to a VPN gateway refer to the gateway endpoint by number. For example, if a gateway has two gateway endpoint pairs, VPN diagnostic messages refer to the first gateway endpoint as Endpoint 1, and the second as Endpoint 2.
VPN diagnostic messages can be errors or warnings.
In any VPN negotiation, one gateway endpoint is the initiator, and the other is the responder. The initiator sends
proposed gateway and tunnel settings, and the responder accepts or rejects those, based on comparison with locally
configured settings. When you troubleshoot VPN negotiations, it is most useful to look at the VPN diagnostic
messages and VPN Diagnostic Report on the responder, because the responder has information about the settings on
both devices. For example, if a VPN between two devices is configured with mismatched settings in the Phase 2 proposal, the VPN diagnostic messages that appear in Firebox System Manager on the two devices are very different:
Compare the VPN settings on both devices to make sure they match.
Look for VPN diagnostic log messages.
Run the VPN Diagnostic Report in Firebox System Manager, as described in the next section.
Review the log messages for each device during tunnel negotiation.
You may see more useful log messages for troubleshooting on the device that receives the IKE negotiation
because the receiving device is the one that authorizes the completion of IKE negotiation. The initiating device
must prove that it has valid credentials before the receiving device allows the VPN tunnel to be built.
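As an added example (not from the WatchGuard courseware), the following Python model walks through two points made in this module: the rule in the VPN Negotiations section that the Phase 1 transform and Phase 2 settings must match exactly on both gateways, and the initiator/responder asymmetry described just above. The responder compares each received setting with its own configuration and can therefore log both values, while the initiator only learns that its proposal was rejected. The setting names are the ones this module lists; the Gateway class, the make_pair helper and the diagnostic wording are constructed for the example and are not Fireware messages.

```python
import hmac
from dataclasses import asdict, dataclass, field
from typing import List


@dataclass(frozen=True)
class Phase1Settings:
    """Gateway (Phase 1) settings named in this module: mode and the transform's algorithms."""
    mode: str            # "Main" or "Aggressive"
    authentication: str  # for example "SHA1" or "MD5"
    encryption: str      # for example "DES", "3DES" or "AES-256"


@dataclass(frozen=True)
class Phase2Settings:
    """Tunnel (Phase 2) proposal named in this module: type, algorithms, key expiration."""
    type: str            # "ESP" or "AH"
    authentication: str
    encryption: str      # not compared when both sides use AH, which carries no encryption
    force_key_expiration: bool


@dataclass
class Gateway:
    """One VPN gateway endpoint (constructed for the example, not a Fireware object)."""
    name: str
    pre_shared_key: bytes
    phase1: Phase1Settings
    phase2: Phase2Settings
    diagnostics: List[str] = field(default_factory=list)


def differences(proposed, local) -> List[str]:
    """Name every setting where the initiator's proposal differs from the responder's config."""
    p, l = asdict(proposed), asdict(local)
    if isinstance(proposed, Phase2Settings) and p["type"] == "AH" == l["type"]:
        p.pop("encryption")
        l.pop("encryption")
    return [f"{k} (proposed {p[k]!r}, local {l[k]!r})" for k in p if p[k] != l[k]]


def negotiate(initiator: Gateway, responder: Gateway) -> bool:
    """Simplified model of the two-phase negotiation; True when a Phase 2 SA is established.

    The responder checks each received setting against its own configuration, so
    its diagnostics can quote both values. The initiator only learns that its
    proposal was rejected, which is why the responder is the better place to
    troubleshoot.
    """
    initiator.diagnostics.clear()
    responder.diagnostics.clear()

    # Phase 1: transform settings must match exactly, then the initiator must
    # prove it holds the same pre-shared key before the responder goes further.
    mismatch = differences(initiator.phase1, responder.phase1)
    if mismatch:
        responder.diagnostics.append("Phase 1 rejected: " + "; ".join(mismatch))
        initiator.diagnostics.append("Phase 1 failed: peer rejected proposal")
        return False
    if not hmac.compare_digest(initiator.pre_shared_key, responder.pre_shared_key):
        responder.diagnostics.append("Phase 1 rejected: pre-shared key does not match")
        initiator.diagnostics.append("Phase 1 failed: authentication failed")
        return False
    for gw in (initiator, responder):
        gw.diagnostics.append("Phase 1 IKE_SA established")

    # Phase 2 is negotiated inside the Phase 1 channel, so it is only reached
    # when Phase 1 succeeded; again the settings must match exactly.
    mismatch = differences(initiator.phase2, responder.phase2)
    if mismatch:
        responder.diagnostics.append("Phase 2 rejected: " + "; ".join(mismatch))
        initiator.diagnostics.append("Phase 2 failed: peer rejected proposal")
        return False
    for gw in (initiator, responder):
        gw.diagnostics.append("Phase 2 IPSEC_SA established")
    return True


def make_pair(device_b_phase2_encryption: str = "AES-256"):
    """Constructed Device A / Device B pair; vary Device B's Phase 2 encryption to force a mismatch."""
    phase1 = Phase1Settings("Main", "SHA1", "AES-256")
    device_a = Gateway("Device A", b"shh-secret!", phase1,
                       Phase2Settings("ESP", "SHA1", "AES-256", True))
    device_b = Gateway("Device B", b"shh-secret!", phase1,
                       Phase2Settings("ESP", "SHA1", device_b_phase2_encryption, True))
    return device_a, device_b


if __name__ == "__main__":
    a, b = make_pair("3DES")
    print("tunnel established:", negotiate(a, b))
    print("initiator (Device A):", a.diagnostics)
    print("responder (Device B):", b.diagnostics)
```

Run as written, Device A proposes AES-256 for Phase 2 and Device B is configured for 3DES: Device B's diagnostics name both values, Device A's only say the proposal was rejected, which is the behaviour the troubleshooting advice above relies on.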
To use ping to verify basic connectivity to the external interface of the remote device, make sure the
remote device is configured to respond to pings. To enable a Firebox to respond to a ping to the
external interface, you must edit the Ping policy to allow pings from the External interface.
Because the VPN Diagnostic Report temporarily increases the log level, you do not need to change
the log level yourself before you run the report.
The report shows the gateway and tunnel configuration, and information about the status of any active tunnels for the
selected gateway. The VPN Diagnostic Report has seven sections.
The top section summarizes the report.
[Conclusion]: Summarizes what was observed and lists any VPN diagnostic errors. It may also include suggested next steps to troubleshoot the VPN.
The next two sections show the configured settings for the selected gateway and all tunnels that use it.
Gateway Summary: Shows a summary of the gateway configuration, including the configuration of each configured gateway endpoint.
Tunnel Summary: Shows a summary of the tunnel configuration for all tunnels that use the selected gateway.
The last seven sections show run-time information based on the log message data collected when the report was run.
Run-time Info (bvpn routes): For a BOVPN virtual interface, shows the static and dynamic routes that use the selected BOVPN virtual interface, and the metric for each route.
Run-time Info (gateway IKE_SA): Shows the status of the IKE (Phase 1) security association for the selected gateway.
Run-time Info (tunnel IPSEC_SA): Shows the status of the IPSec tunnel (Phase 2) security association for active tunnels that use the selected gateway.
Run-time Info (tunnel IPSec_SP): Shows the status of the IPSec tunnel (Phase 2) security policy for active tunnels that use the selected gateway.
Related Logs: Shows tunnel negotiation log messages, if a tunnel negotiation occurs during the time period that you run the diagnostic report.
[Address Pairs in Firewalld]: Shows the address pairs and the traffic direction (IN, OUT, or BOTH).
[Policy checker result]: Shows policy checker results for policies that manage traffic for each tunnel route.
The VPN Diagnostic Report can help you see the status of tunnel negotiations, and help you determine what caused the
tunnel negotiations to fail. It is especially helpful if you have many BOVPN gateways, because it enables you to focus
on just the one you want to troubleshoot.
Each log message related to a branch office VPN tunnel has a header that shows the IP addresses of the local and
remote gateway. The format of the header is:
(local_gateway_ip<->remote_gateway_ip)
Where:
local_gateway_ip is the IP address of the local gateway
remote_gateway_ip is the IP address of the remote gateway
If your device sends log messages to a Dimension Server or a WSM Log Server, you can also filter log messages by gateway IP address in Dimension or WatchGuard WebCenter.
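The header format above is regular enough to parse. The Python below is an added example, not code from the WatchGuard courseware: it extracts the local and remote gateway addresses from each log line, filters lines by a gateway IP address the way the Dimension filter described above does, and groups lines per gateway pair so one tunnel's negotiation can be read in order. The sample log lines are constructed for the example (the message text is illustrative, not real Fireware output); the gateway addresses follow the exercise scheme with students 10, 11 and 12.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Header format given in the text: (local_gateway_ip<->remote_gateway_ip)
HEADER_RE = re.compile(
    r"\((?P<local>(?:\d{1,3}\.){3}\d{1,3})<->(?P<remote>(?:\d{1,3}\.){3}\d{1,3})\)"
)

# Constructed sample log lines (illustrative text, not real Fireware messages).
# The last line is an ordinary firewall message without a BOVPN header.
SAMPLE_LOG = [
    "2015-12-01 10:00:01 (203.0.113.10<->203.0.113.11) Phase 1 negotiation started",
    "2015-12-01 10:00:02 (203.0.113.10<->203.0.113.11) Phase 1 IKE_SA established",
    "2015-12-01 10:00:03 (203.0.113.10<->203.0.113.11) Phase 2 proposal rejected by peer",
    "2015-12-01 10:00:05 (203.0.113.10<->203.0.113.12) Phase 1 IKE_SA established",
    "2015-12-01 10:00:06 Allow 10.0.10.5 10.0.11.7 tcp 443",
]


def parse_gateway_pair(line: str) -> Optional[Tuple[str, str]]:
    """Return (local_gateway_ip, remote_gateway_ip) if the line carries a BOVPN header."""
    match = HEADER_RE.search(line)
    return (match.group("local"), match.group("remote")) if match else None


def filter_by_gateway(lines: List[str], gateway_ip: str) -> List[str]:
    """Keep BOVPN lines where gateway_ip is either endpoint, like the Dimension gateway filter."""
    kept = []
    for line in lines:
        pair = parse_gateway_pair(line)
        if pair is not None and gateway_ip in pair:
            kept.append(line)
    return kept


def group_by_pair(lines: List[str]) -> Dict[Tuple[str, str], List[str]]:
    """Bucket BOVPN lines per gateway pair; lines without a header are skipped."""
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for line in lines:
        pair = parse_gateway_pair(line)
        if pair is not None:
            groups[pair].append(line)
    return dict(groups)


if __name__ == "__main__":
    for pair, lines in group_by_pair(SAMPLE_LOG).items():
        print(f"gateway pair {pair[0]} <-> {pair[1]}:")
        for line in lines:
            print("   ", line)
```

Reading one gateway pair's lines together shows where a negotiation stopped (here, Phase 1 completed and Phase 2 was rejected for the 203.0.113.10/203.0.113.11 pair), which is the same question the VPN Diagnostic Report answers for a single gateway.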
If you increase the IKE diagnostic log level for VPN troubleshooting, don't forget to reset it to a lower level after you have finished.
Training Environment
The exercises in this module assume this network configuration:
For instructor-led training, the training environment must include the network equipment described in the Course
Introduction module. If you use these materials for self-study, connect your device directly to the Internet.
Connect the management computer directly to the trusted interface (Eth1) on the student Firebox.
Make sure your management computer has an IP address in the same subnet as the trusted interface, with the
correct subnet mask. Use the trusted interface IP address as the default gateway of the computer.
Network Topology
This diagram shows the two student devices and their external interfaces connected to the Internet.
For instructor-led training, the training environment simulates the Internet connection for each student Firebox.
To complete these exercises you work with a partner. In these exercises, we assume each device is configured by a
different student. Each student configures a Firebox with one external interface. Student A configures Firebox A.
Student B configures Firebox B. The student numbers in the IP addresses are represented as A and B. In the network
configuration required for these exercises, use the student numbers your instructor gives you.
Replace the A in the IP address with the number of the student who manages Device A.
Replace the B in the IP address with the number of the student who manages Device B.
Network Configuration
Make sure the interfaces on the two devices are configured with these settings:
Interface                Device A                              Device B
Interface 0 (External)   IP address: 203.0.113.A/24            IP address: 203.0.113.B/24
Interface 1 (Trusted)    IP address: 10.0.A.1/24               IP address: 10.0.B.1/24
                         DHCP enabled                          DHCP enabled
                         DHCP pool: 10.0.A.2 - 10.0.A.254      DHCP pool: 10.0.B.2 - 10.0.B.254
These are the same network settings you configured in the Network Settings module.
Configure the network interfaces on both devices as described in the previous section.
Make sure all cables are connected as shown in the diagram in the previous section.
Configure Device A
Add a Branch Office Gateway to the Site A Device Configuration
1. In Policy Manager, select VPN > Branch Office Gateways.
2. Click Add.
The New Gateway dialog box appears.
3. In the Gateway Name text box, type a name to identify this gateway in your configuration.
For this exercise, type To_Device_B.
4. In the Credential Method section, select Use Pre-Shared Key.
5. In the Use Pre-Shared Key text box, type shh-secret!, or another key that you and your partner agree on.
7. In the Local Gateway section, IP Address text box, type or select 203.0.113.A, the external interface IP
address.
8. The External Interface drop-down list has only one item because this device has only one external interface. If
your device has multiple external interfaces, you must select the external interface to use for this gateway.
9. In the Remote Gateway section, select Static IP address.
10. In the IP Address text box, type or select the IP address of Device B's external interface, 203.0.113.B.
11. In the Remote Gateway section, select By IP Address.
12. In the IP Address text box, type or select 203.0.113.B.
14. Select the Phase1 Settings tab to see the settings that will be used for Phase 1 negotiations.
For a new BOVPN gateway between two Fireboxen, we recommend you use the default Phase 1 settings on
both devices. If you change a gateway setting, your partner must make the same change to the gateway
configuration on the other device.
The mode is set by default to Main Mode. You can use Main Mode for this exercise because both VPN gateways have static IP addresses. If one of the devices had a dynamic external IP address, you would use Aggressive Mode.
15. Select the Phase1 Transform, and click Edit to see the authentication and encryption settings.
For this exercise, do not change the Phase 1 settings. If you do change these settings, make sure your partner
makes the same change on the other device.
16. Click OK twice, and then click Close to exit the Gateway configuration.
2. Click Add.
The New Tunnel dialog box appears.
3. In the Tunnel Name text box, type a friendly name for the tunnel. Do not give your tunnel the same name as the
branch office gateway.
For this exercise, type Tunnel_to_Device_B.
4. Click Add and add a new tunnel route.
The Tunnel Route Settings dialog box appears.
5. In the Local text box, type the network address of the trusted interface on your device in slash notation. Type
10.0.A.0/24.
6. In the Remote text box, type the trusted network address at the remote device in slash notation.
Type 10.0.B.0/24.
7. Click OK.
The new tunnel route appears in the New Tunnel dialog box in the Addresses list.
You can add more than one tunnel route to the tunnel configuration. For example, if Device B had a
second trusted network, you could add another tunnel route from your trusted network (Local) to the
network IP address of the second trusted network at Device B (Remote). Device B would also need to
add the same route, reversing the local and remote IP addresses.
Configure Device B
Add a Branch Office Gateway to the Device B Configuration
1. Select VPN > Branch Office Gateways.
2. Click Add.
The New Gateway dialog box appears.
3. In the Gateway Name text box, type a name to identify this gateway in your configuration.
For this exercise, type To_Device_A.
4. In the Credential Method section, select Use Pre-Shared Key.
5. In the Use Pre-Shared Key text box, type shh-secret!, or another key that you and your partner agree on.
6. To add a new gateway endpoints pair, click Add.
The New Gateway Endpoints Settings dialog box appears.
13. To review the settings for Phase 1 negotiations, select the Phase1 Settings tab.
Do not change the settings for this exercise.
14. Click OK, and then Close to exit the gateway configuration.
2. Click Add.
The New Tunnel dialog box appears.
3. In the Tunnel Name text box, type a friendly name for the tunnel. Do not give your tunnel the same name as the branch office gateway.
For this exercise, type Tunnel_to_Device_A.
4. Click Add and add a new tunnel route.
The Tunnel Route Settings dialog box appears.
5. In the Local text box, type the network address of the trusted interface on your device in slash notation. Type
10.0.B.0/24.
6. In the Remote text box, type the trusted network address at the remote device in slash notation.
Type 10.0.A.0/24.
You can add more than one tunnel route to the tunnel configuration. For example, if Site B had a
second trusted network, you could add another tunnel route from your second trusted network (Local)
to the network IP address of the trusted network at Site A (Remote). Site A would also need to add the
same route, reversing the Local and Remote IP addresses.
7. Click OK.
The new tunnel route appears in the New Tunnel dialog box in the Addresses list.
8. Make sure the Add this tunnel to the BOVPN-Allow policies check box is selected.
When this check box is selected, Policy Manager automatically adds the BOVPN-Allow.out and BOVPN-Allow.in policies that allow all traffic to flow between the two trusted networks.
9. To review the settings for Phase2 negotiations, select the Phase2 Settings tab.
For a tunnel between two Fireboxen, we recommend you use the default Phase 2 settings. If you decide to
change a setting here, make sure your partner configures the same setting on the remote device.
10. Click OK.
The new tunnel appears in the Branch Office IPSec Tunnels dialog box.
You can hover the mouse over the Arguments text box to see a list of available command arguments.
4. To run the report again with a longer duration, change the Duration to 60 seconds. Click Start Report.
To see VPN diagnostic messages, you can change a setting in the VPN configuration on one of the devices to intentionally create an error. When you try to establish the tunnel, you can look at and compare the VPN diagnostic messages that appear in Firebox System Manager for each endpoint.
In this part of the exercise you intentionally break the working VPN configuration. Make sure you
remember what setting you changed so that you can change it back at the end of the exercise.
For a more complete description of 1-to-1 NAT, see the NAT module in this courseware.
Suppose two companies, Site A and Site B, use the same IP addresses for their trusted networks, 192.168.1.0/24. To
create a VPN tunnel between these networks, the two network administrators can use 1-to-1 NAT in the tunnel
configuration to translate these addresses to different IP addresses for traffic through the tunnel. The two administrators
must first agree on a virtual IP address range to use for each site, for traffic through the VPN tunnel.
For this exercise, we assume that:
Site A will make its trusted network appear to come from the 192.168.100.0/24 range when traffic goes through the VPN. This is Site A's virtual IP address range for this VPN.
Site B will make its trusted network appear to come from the 192.168.200.0/24 range when traffic goes through the VPN. This is Site B's virtual IP address range for this VPN.
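To make the address translation concrete, here is an added Python model (not part of the courseware) of the 1-to-1 NAT scheme above: each site keeps its real 192.168.1.0/24 network, presents its agreed virtual range through the tunnel, and maps the virtual destination back to the real host when a packet arrives. The Site class, one_to_one and send_through_tunnel are constructed for this example; they illustrate the addressing logic, not the Policy Manager steps.

```python
import ipaddress
from typing import Tuple


def one_to_one(addr: str, from_net: str, to_net: str) -> str:
    """1-to-1 NAT: map a host in from_net to the host with the same offset in to_net."""
    src_net = ipaddress.ip_network(from_net)
    dst_net = ipaddress.ip_network(to_net)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1-to-1 NAT needs ranges of equal size")
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        raise ValueError(f"{addr} is not in {from_net}")
    offset = int(ip) - int(src_net.network_address)
    return str(dst_net.network_address + offset)


class Site:
    """One office: its real trusted network, the virtual range it presents through
    the tunnel, and the virtual range the other office presents (constructed model)."""

    def __init__(self, name: str, real_net: str, virtual_net: str, remote_virtual_net: str):
        self.name = name
        self.real_net = real_net
        self.virtual_net = virtual_net
        self.remote_virtual_net = remote_virtual_net

    def tunnel_route(self) -> Tuple[str, str]:
        """The Local/Remote pair the tunnel route carries once 1-to-1 NAT is applied."""
        return self.virtual_net, self.remote_virtual_net

    def outbound(self, src: str, dst: str) -> Tuple[str, str]:
        """Packet leaving this site: the real source becomes its virtual address.
        Hosts already address the remote site by its virtual range, so dst is kept."""
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.remote_virtual_net):
            raise ValueError(f"{dst} does not match the tunnel route at site {self.name}")
        return one_to_one(src, self.real_net, self.virtual_net), dst

    def inbound(self, src: str, dst: str) -> Tuple[str, str]:
        """Packet arriving from the tunnel: the virtual destination maps back to the real host."""
        return src, one_to_one(dst, self.virtual_net, self.real_net)


def send_through_tunnel(src_site: Site, dst_site: Site, src: str, dst_virtual: str):
    """Follow one packet across the tunnel; returns (tunnel_src, tunnel_dst, real_src, real_dst)."""
    tunnel_src, tunnel_dst = src_site.outbound(src, dst_virtual)
    real_src_seen, real_dst = dst_site.inbound(tunnel_src, tunnel_dst)
    return tunnel_src, tunnel_dst, real_src_seen, real_dst


# Constructed from the exercise: both sites really use 192.168.1.0/24.
SITE_A = Site("A", "192.168.1.0/24", "192.168.100.0/24", "192.168.200.0/24")
SITE_B = Site("B", "192.168.1.0/24", "192.168.200.0/24", "192.168.100.0/24")


if __name__ == "__main__":
    # Host .10 at Site A talks to host .20 at Site B, addressed as 192.168.200.20.
    print(send_through_tunnel(SITE_A, SITE_B, "192.168.1.10", "192.168.200.20"))
    # The reply from Site B addresses the Site A host as 192.168.100.10.
    print(send_through_tunnel(SITE_B, SITE_A, "192.168.1.20", "192.168.100.10"))
```

Because the two real networks are identical, a host at either site can only reach the other site through the virtual addresses; the example's outbound check rejects a destination in 192.168.1.0/24, which would otherwise be delivered locally rather than through the tunnel.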
Configure Device A
Configure Device B
If this were an actual network with servers, you could ping one of the servers on the remote network.
To see both tunnels active in FSM, you might need to send another ping through the first tunnel to make it active again.
Do not configure more than one tunnel to use 1-to-1 NAT for the same IP addresses. If you must create BOVPN tunnels to multiple sites, we recommend that you configure the private networks so that each site uses different private IP addresses.
http://www.watchguard.com/help/configuration-examples/index.asp
o A) Managed VPN
o B) BOVPN Virtual Interface
o C) Manual BOVPN
2. True or false? If you configure a VPN as a BOVPN virtual interface, the VPN on the remote VPN gateway must
also be configured as a BOVPN virtual interface.
3. To use policy-based routing to send traffic through a VPN tunnel, which type of VPN must you use? (Select one.)
o A) Managed VPN
o B) BOVPN Virtual Interface
o C) Manual BOVPN
4. What must you know to set up a branch office VPN between two devices? (Select all that apply.)
o A) The public IP address or domain information for the remote VPN gateway
o B) The private network address on the remote device where you want to send traffic
o C) The gateway name and tunnel name on the remote VPN gateway
o D) The phase 1 and phase 2 settings on the remote VPN gateway
o E) The pre-shared key or IPSec certificate
o A) No traffic has been sent to an IP address at the other end of the tunnel.
o B) There is a mismatch in Phase 1 or Phase 2 settings in the VPN configuration.
o C) There is no connection between the external interface IP addresses on each device.
o D) The gateway name or tunnel name is not the same on the remote device.
6. Which of these methods would you use to troubleshoot a VPN tunnel that is not working?
(Select all that apply.)
ANSWERS
1. c
2. True
3. b
4. a, b, d, e
5. a, b, c
6. c, d
Notes
Mobile VPN
Securely Connect Mobile Users
Select the mobile VPN (virtual private network) type(s) appropriate for your network
Configure the Firebox to allow mobile VPN connections
Generate Mobile VPN client configuration files
Install and use the Mobile VPN client on a remote device
In this module, you connect to one or more Fireboxen. If you take this course with a WatchGuard Certified Training
Partner, your instructor provides the IP address and passphrases for devices used in the exercises. For self-instruction,
you can safely connect to a Firebox on a production network. It is helpful to conduct a portion of this exercise from a
computer connected to the external network.
Mobile VPN
To use Mobile VPN, you must first enable VPN connections on your Firebox. You use Policy Manager to configure the
VPN settings for each user or group of users. Mobile VPN users authenticate either to the Firebox user database on the
Firebox or to an external authentication server. In this module, we use the Firebox authentication method to illustrate the
authentication process.
Mobile VPN type comparison table (rows: Required ports, Encryption protocols, Encryption strength; columns include Mobile VPN with IPSec; one encryption strength entry reads 40-bit or 128-bit).
Encryption Support
Encryption algorithms protect the data so it cannot be read by a third party while in transit through the VPN. Each VPN type supports different encryption algorithms. Larger encryption key sizes are more secure. AES is the most secure encryption algorithm, and it is supported by all VPN types except Mobile VPN with PPTP.
Authentication server support table (Mobile VPN types against Firebox-DB, RADIUS, Vasco/RADIUS, SecurID, LDAP, and Active Directory*).
* You can use Active Directory authentication for PPTP and L2TP through a RADIUS server.
To see the feature key for your device in Policy Manager, select Setup > Feature Keys.
Mobile VPN client support table (platforms: Windows, OS X, Android / iOS; VPN types: IPSec, L2TP, PPTP). Cell text recovered from the table: "Users manually configure the native VPN client"; "Users authenticate to the Firebox to download and install the client and configuration."
PPTP: Use any PPTP client, and manually configure the settings to connect.
For instructions on how to configure the native VPN client on Windows, Mac OS X, and Android to make an L2TP connection, see the WatchGuard System Manager Help.
Other Considerations
Mobile VPN with IPSec is the only VPN type for which you can have different VPN configuration profiles for
different groups of users.
Mobile VPN with SSL is the simplest VPN type to deploy. When users authenticate with your Firebox, they can
download an installer that includes both an SSL VPN client and the client configuration file.
Mobile VPN with L2TP is similar to Mobile VPN with IPSec, but Mobile VPN with L2TP uses additional
processing power on your Firebox, and NAT often does not work correctly. However, a Mobile VPN with L2TP
tunnel can send and receive network traffic from protocols such as IPX or AppleTalk.
If you use Firebox-DB authentication, Policy Manager automatically adds the required Firebox user group
when you activate Mobile VPN. You must add the VPN users to that group.
For Mobile VPN with SSL and Mobile VPN with L2TP, if you use non-default group names, the
group names do not appear in the automatically generated policy. However, the policy does
apply to all users and groups in the Mobile VPN configuration.
For RADIUS, LDAP, and Active Directory authentication, you must manually add the required VPN user
group to your authentication server, and add VPN users to that group. For RADIUS authentication, the
RADIUS server must return a Filter-Id attribute where the value of the attribute matches the name of the
group.
4. Define policies and resources.
When you activate and configure Mobile VPN with IPSec, SSL, or L2TP, a policy is automatically added to allow
all traffic from the users in the group to the resources available through the tunnel. Even though the Mobile VPN
connection is secure, you may want to create custom policies to limit the types of traffic allowed through the
Mobile VPN tunnel.
For Mobile VPN with PPTP, you must manually create policies to allow access to network resources.
5. Configure the client computers.
After you configure Mobile VPN on the Firebox, you must configure the clients.
Line Management controls whether the client automatically tries to restart the VPN tunnel. By default,
the VPN tunnel does not automatically restart.
.vpn
Use this file to configure the Shrew Soft IPSec VPN client. The .vpn file is not encrypted. Make sure you use a
secure method to distribute this file. The Shrew Soft VPN client does not support some Mobile VPN with IPSec
configuration settings and features.
.wgm
Use the .wgm file to configure the WatchGuard VPN apps for iOS and Android. The .wgm file is encrypted with
the tunnel passphrase.
Fireware Web UI can generate only the .ini, .vpn, and .wgm mobile user client configuration files. To
generate a .wgx file, you must use Policy Manager.
If you use another method to distribute the Mobile VPN with SSL client to your users, you can also
extract the SSL client configuration file from the support.tgz file on the device, and then distribute it to
your users. For more information, see the WatchGuard System Manager Help.
You cannot use the .wgm file to configure L2TP connections from the WatchGuard VPN app for
Android.
Split tunneling makes sense as a default setting, because most mobile users also browse the Internet
when the tunnel is not connected, and therefore should have a software firewall installed.
Use a private IP address range that is not used for anything else on your network.
If you configure Mobile VPN with SSL to bridge VPN traffic to a bridge interface, the virtual IP addresses must be
on the same subnet as the bridge interface.
For all other Mobile VPN types, the virtual IP addresses do not have to be on the same subnet as the trusted
network.
To enable the maximum number of concurrent VPN connections, make sure the virtual IP address pool contains
the same number of IP addresses as the maximum number of VPN connections your device supports.
Allowed Resources
When you configure mobile VPN, you configure the resources on your network you want to allow the mobile VPN users
to access. You can allow mobile VPN users to have access to all network resources, or you can restrict access to a
specific list of network resources.
For Mobile VPN with IPSec, SSL, or L2TP, you specify the allowed resources in the VPN settings. When you save the
VPN configuration, Policy Manager automatically creates policies that allow access to the network resources you
specified.
For Mobile VPN with PPTP, you do not specify the allowed resources in the VPN settings. Instead, you must create
policies to allow members of the PPTP-Users group to access resources on your network.
The differences are on the Policy tab:
Most other policy settings are the same as for firewall policies.
WatchGuard SSLVPN: This SSLVPN policy allows connections from an SSL VPN client on TCP port 443.
Allow SSLVPN Users: This Any policy allows the groups and users you configure for SSL authentication to get access to resources on your network.
To restrict VPN user traffic by port and protocol, you can disable or delete the automatically generated Any policy and create new policies that enable more limited access.
WatchGuard L2TP: This L2TP policy allows connections from an L2TP client on UDP port 1701.
Allow L2TP Users: This Any policy allows the groups and users you configured for L2TP authentication to get access to resources on your network.
To restrict VPN user traffic by port and protocol, you can disable or delete the automatically generated Any policy and
create new policies that enable more limited access.
Training Environment
The exercises in this module assume the following network configuration:
For instructor-led training, the training environment must include the network equipment described in the Course
Introduction module. If you use these materials for self-study, connect your Firebox directly to the Internet.
Use an Ethernet cable to connect the management computer directly to the trusted interface (Eth1) on the
student Firebox.
Make sure your management computer has an IP address in the same subnet as the trusted interface with the
correct subnet mask. Use the Firebox trusted interface IP address as the default gateway of the computer.
Network Topology
This diagram shows the two student devices and their external interfaces connected to the Internet.
For instructor-led training, the training environment is set up to simulate the Internet connection for each student
Firebox.
To complete these exercises you work with a partner. In these exercises, we assume each device is configured by a
different student. Each student configures a Firebox with one external interface. Student A configures Device A.
Student B configures Device B. The student numbers in the IP addresses are represented as A and B. In the network
configuration required for these exercises, use the student numbers your instructor gives you.
Replace the A in the IP address with the number of the student who manages Device A.
Replace the B in the IP address with the number of the student who manages Device B.
Network Configuration
Make sure the interfaces on the two devices are configured with these settings:
Interface                Device A                              Device B
Interface 0 (External)   IP address: 203.0.113.A/24            IP address: 203.0.113.B/24
Interface 1 (Trusted)    IP address: 10.0.A.1/24               IP address: 10.0.B.1/24
                         DHCP enabled                          DHCP enabled
These are the same network settings you configured in the Network Settings module.
The network configuration for the Mobile VPN exercises is the same as for the Branch Office VPN
exercises.
BOVPN Configuration
Remove any branch office VPN tunnels, gateways, and BOVPN virtual interfaces that you configured for exercises in the Branch Office VPN module. In the subsequent exercises, you use various mobile VPN clients to connect to your partner's private network.
Make sure that your network settings are configured as described in the Network Topology section,
and that you have removed any branch office VPN tunnels, gateways, and BOVPN virtual interfaces
from your configuration.
2. Click Add.
The Add Mobile VPN with IPSec Wizard appears.
3. Click Next.
The Select a user authentication server page appears.
If you use an external authentication server (not the Firebox-DB internal user database), make sure
that the authentication server has a user group with the same name, and that VPN users are members
of this group.
6. Click Next.
The Select a tunnel authentication method page appears.
9. Click Next.
The Direct the flow of internet traffic page appears. This is where you choose whether to configure this tunnel as a
default route or a split tunnel VPN. The split tunnel configuration, which allows Internet traffic to go directly to the
mobile user's ISP, is selected by default.
If you choose the option to force all Internet traffic through the tunnel, the resources list automatically
includes the default route (0.0.0.0/0), and the Any-External alias.
11. To specify a host or network IP address that users can connect to through the tunnel, click Add.
The Add Address dialog box appears.
12. From the Choose Type drop-down list, select Network IPv4.
13. In the Value text box, type the network IP address of your trusted network. For example, if you are Student 10,
type 10.0.10.0/24.
This enables members of the IPSec-VPN-Users group to access your trusted network, 10.0.10.0/24, through the
VPN tunnel.
14. Click OK.
Network IP address is added to the list of resources in the Wizard.
At the bottom of this dialog box, you can see the maximum number of Mobile VPN with IPSec users that can
connect. That is the number of IP addresses you should add to the virtual IP address pool.
16. Click Add.
The Add Address dialog box appears.
17. From the Choose Type drop-down list, select Host Range IPv4.
18. In the Value and To text boxes, type the starting and ending IP addresses to define a range of IP addresses to
assign to mobile VPN users while connected. These can be any private IP addresses not used elsewhere on
your network.
For this exercise, use these IP addresses:
Value: 10.50.1.1
To: 10.50.1.25
19. Click OK.
The IP address range is added to the virtual IP address pool.
21. Make a note of the location of the VPN configuration files on the last page of the wizard.
You must know this location later to retrieve the files for the client.
If you did not select the check box at the end of the wizard, or if you want to add or remove users later,
select Setup > Authentication > Authentication Servers.
25. In the User Information section, type a Name, Description, and Passphrase for this user.
Remember the name and passphrase; your partner needs to use these credentials to connect.
26. In the Available list, double-click the IPSec-VPN-Users group to add the user to the group.
IPSec-VPN-Users is moved to the Member list.
To configure a VPN for connections from non-WatchGuard IPSec clients, such as the Mac OS X,
iOS, or Android native IPSec VPN clients, you must edit some of the tunnel settings to match the
settings on the client. See the Help for the settings for each client.
1. To open the Mobile VPN with IPSec Configuration dialog box, select VPN > Mobile VPN > IPSec.
2. Select IPSec-VPN-Users and click Edit.
Enabling remote management is not required for the VPN configuration. It is a method we use in the
training environment to enable each student to get the necessary files from their partner's device. In an
actual network environment, you would use email or another method to distribute the client
configuration file to your mobile users.
To install and connect with the Shrew Soft IPSec VPN client, complete exercise 3A.
To install and connect with the WatchGuard IPSec VPN client, complete exercise 3B.
Required Files
To complete exercise 3A, you must have these files:
- The tunnel passphrase that your partner set in the Mobile VPN with IPSec configuration.
You must know the tunnel passphrase to import the client configuration file to the Mobile VPN with IPSec client.
If you followed the instructions in the previous exercise, the tunnel passphrase is successfulremote.
- The user name and password for a Mobile VPN with IPSec user on your partner's device.
Use the user name and password that your partner specified in the previous exercise.
If you use certificates for authentication and you use the Fireware Web UI to generate the .vpn file, the
certificates are not included in the .vpn file and must be imported to the Shrew Soft client as a
separate step. See the WatchGuard System Manager Help for more information.
2. Type the Username and Password for a valid user on your partner's device.
3. Click Connect.
The VPN tunnel status appears in the Connect tab.
The VPN Connect client can take several seconds to connect. After the VPN client connects, the message
tunnel enabled appears on the Connect tab. A status icon also appears in the Windows taskbar.
After the VPN client connects, do not close the VPN Connect dialog box until you are ready to disconnect. You
can minimize the VPN Connect dialog box and close the Access Manager dialog box.
4. To end the Shrew Soft VPN connection, in the VPN Connect dialog box, click Disconnect.
Or, close the VPN Connect client.
2. Double-click the .exe file to start the WatchGuard Mobile VPN installer.
3. Accept the license agreement and the default setup type.
Reboot your computer, if prompted.
4. In the two Windows Security dialog boxes, click Install to install the necessary drivers.
5. Allow the installer to reboot your computer to complete the installation.
After the reboot, the WatchGuard Mobile VPN client starts automatically.
6. In the WatchGuard Mobile VPN dialog box, click Yes to start the 30-day trial period for the client.
After 30 days, the client does not function unless it is activated with a license.
7. In the WatchGuard Mobile VPN dialog box, click No to not create a profile.
6. Click Open.
7. Click Next.
The Decrypt User Profile page appears.
8. In the Key or Passphrase text box, type the passphrase set in the Mobile VPN with IPSec configuration. The
correct passphrase should be successfulremote.
9. Click Next to continue.
10. Click Next again to allow the installer to overwrite any existing profile that has the same name.
The Authentication page appears.
11. Type the User name and Password for a valid user on your partner's device.
12. Click Next.
13. Click Finish to import the profile and close the wizard.
14. Click the profile you just imported. Select the Default check box.
15. Click OK to close the Profiles dialog box.
The IPSec-VPN-Users profile is added to the Connection Profile drop-down list.
Make sure that your network settings are configured as described in the Network Topology section
and that the client computer is not connected with any other VPN client.
7. Select the Authentication tab.
The list of configured authentication methods appears.
If you select other authentication servers, such as LDAP, or Active Directory, you must add the users
and groups that exist on those servers to the Users and Groups list if you want users in those groups
to use Mobile VPN with SSL.
8. Make sure the check box for the Firebox-DB authentication server is selected.
This option is selected by default.
The group SSLVPN-Users is also added to the configuration by default.
9. Click OK.
After you activate Mobile VPN with SSL, you can see two new firewall policies for SSLVPN:
- WatchGuard SSLVPN: This SSLVPN policy allows SSLVPN traffic to the device on UDP port 443.
- Allow SSLVPN Users: This Any policy allows the groups and users you configure for SSL authentication to
get access to resources on your network.
7. Click OK.
The user is added to the SSLVPN-Users group. The configured username and passphrase can now be used to
authenticate.
3. Click Download for the Mobile VPN with SSL client software for Windows.
This client download also includes the Mobile VPN with SSL client configuration file.
4.
5.
6.
7.
2. In the Server text box, type the external interface IP address of your partner's device.
3. Type the Username and Password of the user your partner added to the SSLVPN-Users group.
4. Click Connect.
When the Mobile VPN with SSL connection is active, the Mobile VPN with SSL icon in the Windows task bar is
green. You can position the mouse over this icon to see the IP address of the device to which you are
connected.
If you change the data channel for SSL VPN, for example to port 444, the user must type
203.0.113.2:444 instead of 203.0.113.2 in the Server text box.
If Firebox-DB is not the default SSL VPN authentication server, the user must type Firebox-DB\j_
smith instead of j_smith in the Username text box.
6. When must a user know the Mobile VPN with IPSec tunnel passphrase? (Select one.)
o A) To start a VPN connection from the Mobile VPN with IPSec client
o B) To log into the web page to download the VPN client
o C) To import the client configuration file to the Mobile VPN with IPSec client
o D) To import the client configuration file to the Shrew Soft VPN client
7. True or false? Mobile VPN with IPSec is the only VPN type that can use different VPN configurations for
different user groups at the same time.
8. Which of these VPN connection types can you configure in the native VPN client in Windows?
o A) IPSec
o B) SSL
o C) PPTP
o D) L2TP
ANSWERS
1. c
2. True
3. False
4. False. You cannot add a resource to a Mobile VPN with IPSec policy if it is not already in the Allowed Resources list
in the VPN configuration for the Mobile VPN with IPSec group.
5. a
6. c
7. True
8. c, d
Notes
Fireware Web UI
Explore Fireware Web UI
Before you begin these exercises, make sure you read the Course Introduction module.
Fireware OS versions lower than v11.8 also require Adobe Flash Player 9.
Fireware Web UI
Fireware Web UI is a real-time management tool. This means that when you use the Web UI to make changes to a
Firebox, the changes you make generally take effect immediately. With the Web UI, you do not have to build a list of
changes to a locally-stored configuration file, and then apply those changes to the Firebox all at once. This is different
from Policy Manager, which is an offline configuration tool. Changes you make to a locally-stored configuration file with
Policy Manager do not take effect until you save the configuration file to the Firebox.
If you are familiar with Policy Manager, because Fireware Web UI has similar menu items and tools, you can easily find
what you need and understand how the configuration options operate in Fireware Web UI.
In the Global Settings for your Firebox, you can optionally change the port used to connect to Fireware
Web UI.
448
Fireware Web UI
When you make this connection, the login page appears:
If you know that the IP address shown in the browser address bar is correct, you can safely click Advanced, and then
click Proceed.
This is the warning you see with Internet Explorer 11:
You can safely click Continue to this website if you know that the IP address shown in your browser address bar is
correct.
This is the warning you see with Mozilla Firefox 32:
If you know that the IP address shown in the browser address bar is correct, you can safely click I Understand the
Risks and follow the prompts to add a certificate exception.
This certificate warning appears because your browser does not trust the certificate. There are two reasons for this:
- Your browser does not trust the entity that signed the Firebox certificate.
Fireware Web UI uses a self-signed certificate. Your browser trusts only certificates signed by a trusted
Certificate Authority, and certificates that you explicitly import into the browser as trusted certificates.
- The Common Name on the certificate does not match what you typed into the browser address bar.
For a certificate to be trusted automatically, its common name must match the server name.
To correct both problems, you can manually import the certificate. For more information, see the documentation from
your browser or operating system vendor.
To avoid these warnings for all users, replace the certificate used by Fireware Web UI with a certificate trusted by all of
your network clients. This could be a certificate you purchase from a commercial vendor such as VeriSign or Thawte, or
one you generate from a local CA used in your organization such as Microsoft Certificate Services on a Windows
server.
You can also create a custom certificate signed by the Firebox. This certificate can have multiple names on it, so that
users can type the Firebox IP address or a domain name (if the domain name has a record in the DNS system that
resolves to the Firebox IP address). Users must still import the certificate into their operating system or browser
certificate store, however, because this is a self-signed certificate.
For more information on this process, see Fireware Help.
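The two checks behind the certificate warning, and the effect of importing the certificate or adding extra names to it, as an added Go example (not code from the guide or from WatchGuard): it builds a self-signed certificate the way a Firebox does, lists a second name in it as the custom-certificate paragraph suggests, and reports separately whether a trust store accepts the issuer and whether the typed address is on the certificate. The interface address 10.0.10.1 (Student 10 in this guide), the name firebox.example.com and the trust-store contents are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Diagnosis mirrors the two checks a browser makes on the Web UI certificate.
type Diagnosis struct {
	IssuerTrusted bool // a trusted CA, or an imported copy of the cert, signed it
	NameMatches   bool // the address typed in the address bar is on the cert
}

// newSelfSigned builds a self-signed server certificate the way the Firebox does:
// issuer and subject are the same entity. Modern browsers (and Go) ignore the
// Common Name, so every address users may type goes into the SAN lists.
func newSelfSigned(cn string, sanIPs []net.IP, sanDNS []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  sanIPs,
		DNSNames:     sanDNS,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// diagnose runs the two checks separately so both causes of a warning show up:
// chain validation against the trust store, then the typed address against the cert.
func diagnose(cert *x509.Certificate, trustStore *x509.CertPool, typed string) Diagnosis {
	_, chainErr := cert.Verify(x509.VerifyOptions{Roots: trustStore})
	return Diagnosis{
		IssuerTrusted: chainErr == nil,
		NameMatches:   cert.VerifyHostname(typed) == nil,
	}
}

// runScenarios checks a constructed certificate for trusted interface 10.0.10.1 (plus a
// hypothetical DNS name) against an empty browser store and one with the cert imported.
func runScenarios() ([]Diagnosis, error) {
	cert, err := newSelfSigned("Firebox Web UI", []net.IP{net.ParseIP("10.0.10.1")}, []string{"firebox.example.com"})
	if err != nil {
		return nil, err
	}
	imported := x509.NewCertPool()
	imported.AddCert(cert)
	cases := []struct {
		store *x509.CertPool
		typed string
	}{
		{x509.NewCertPool(), "10.0.10.1"}, // warns: nothing imported, issuer untrusted
		{imported, "10.0.10.1"},           // no warning once the certificate is imported
		{imported, "firebox.example.com"}, // no warning: extra name on the certificate
		{imported, "203.0.113.10"},        // warns: typed address is not on the certificate
	}
	var out []Diagnosis
	for _, c := range cases {
		out = append(out, diagnose(cert, c.store, c.typed))
	}
	return out, nil
}
```

Importing the certificate fixes only the issuer check; an address that is not in the certificate still warns, which is why the guide recommends putting every name users type on the custom certificate.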
Log In
You can log in to the Web UI with the default admin or status user accounts, or another Device Management user
account defined in the Firebox configuration. When you use the default user accounts, the authentication server is
Firebox-DB.
Interfaces
This dashboard page shows current bandwidth and other information for the active interfaces. You can also
release or renew the DHCP lease for any external interface with DHCP enabled.
Traffic Monitor
This dashboard page shows log messages from your Firebox as they occur. This can help you troubleshoot
network performance. For example, you can see which policies are used most, or whether external interfaces are
constantly used to their maximum capacity.
Gateway Wireless Controller
This dashboard page shows the connection status and activity on your WatchGuard wireless AP (access point)
devices. You can also monitor and manage the client connections to your WatchGuard AP devices.
Get Help
The header at the top of each page has an icon that takes you to the Fireware Help.
To open to the context-sensitive Help topic for the current page in the Web UI, click
When a user is logged in to the Web UI with a Device Administrator user account, and that user has
unlocked the configuration file to make changes, Fireware does not allow changes to the device
configuration from any other connection, including Policy Manager or the Command Line Interface.
You also use this passphrase to save your configuration file to the Firebox with Policy Manager.
The header section of the Web UI interface shows which account you used to log in:
To log out of the Web UI, at the top of the page, place your cursor over
When you try to complete any of these tasks when another user is logged in with a Device Administrator user account,
and your Firebox is not configured to enable more than one Device Administrator to log in at the same time, you see a
message that shows the IP address of the current user.
Policy Manager:
Web UI:
CLI:
There are two timeout settings that control administrator account access. These settings help make sure the admin
account is not locked for a long time.
To change these timeout settings in the Web UI, select Authentication > Settings.
Idle Timeout
The amount of time with no activity in the Web UI.
Activity means that you do something in the browser that causes the browser to get data from the Firebox, or
causes the browser to send data to the Firebox.
The Web UI sends a keep-alive message to the Firebox every 20 seconds. If the Firebox does not receive this message
from your browser for over 60 seconds, the Firebox closes your session. However, the keep-alive message does not
reset the idle timeout timer for management sessions.
This lets the Firebox close a management session quickly if you close the browser without first logging out of the Web
UI. The Firebox keeps a management session open for the full idle timeout if you keep the browser open but do
nothing with it.
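The interaction between the keep-alive and the idle timeout described above, as an added Go example (not code from the guide or from WatchGuard): it replays one management session with the documented 20-second keep-alive and 60-second grace period and reports when and why the Firebox would close it. The 5-minute idle timeout and the event sequences are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Documented Web UI behaviour: the browser sends a keep-alive every 20 seconds, and
// the Firebox drops the session when no message arrives for over 60 seconds.
const (
	keepAliveInterval = 20 * time.Second
	keepAliveGrace    = 60 * time.Second
	ReasonIdle        = "idle timeout reached"
	ReasonKeepAlive   = "no keep-alive for over 60 seconds"
)

type Kind int
const (
	Activity  Kind = iota // the browser fetched or sent data: resets the idle timer
	KeepAlive             // background keep-alive: keeps the session, does not reset the idle timer
)
type Event struct {
	At   time.Duration // time since login
	Kind Kind
}
type Outcome struct {
	ClosedAt time.Duration
	Reason   string
}

// nextClose returns the earlier of the two deadlines given the last activity and last message.
func nextClose(idleTimeout, lastActivity, lastMessage time.Duration) Outcome {
	idleAt := lastActivity + idleTimeout
	lostAt := lastMessage + keepAliveGrace
	if lostAt < idleAt {
		return Outcome{lostAt, ReasonKeepAlive}
	}
	return Outcome{idleAt, ReasonIdle}
}

// sessionOutcome replays one session (login at t=0 counts as activity) and returns when
// and why it closes. After the last event the browser is assumed gone: no more keep-alives.
func sessionOutcome(idleTimeout time.Duration, events []Event) Outcome {
	evs := append([]Event(nil), events...)
	sort.SliceStable(evs, func(i, j int) bool { return evs[i].At < evs[j].At })
	var lastActivity, lastMessage time.Duration
	for _, ev := range evs {
		if d := nextClose(idleTimeout, lastActivity, lastMessage); d.ClosedAt < ev.At {
			return d // the session was already closed when this message arrived
		}
		lastMessage = ev.At
		if ev.Kind == Activity {
			lastActivity = ev.At
		}
	}
	return nextClose(idleTimeout, lastActivity, lastMessage)
}

// keepAlivesUntil models a browser window left open, but untouched, until the given time.
func keepAlivesUntil(until time.Duration) []Event {
	var evs []Event
	for t := keepAliveInterval; t <= until; t += keepAliveInterval {
		evs = append(evs, Event{At: t, Kind: KeepAlive})
	}
	return evs
}

func main() {
	idle := 5 * time.Minute // constructed; the real value is set under Authentication > Settings
	fmt.Println("window open, untouched:", sessionOutcome(idle, keepAlivesUntil(10*time.Minute)))
	fmt.Println("window closed at 2m:   ", sessionOutcome(idle, keepAlivesUntil(2*time.Minute)))
	withClick := append(keepAlivesUntil(10*time.Minute), Event{At: 4 * time.Minute, Kind: Activity})
	fmt.Println("one click at 4m:       ", sessionOutcome(idle, withClick))
}
```

The model shows why the single-administrator lock discussed earlier clears within about a minute after a browser is closed, but persists for the whole idle timeout while an untouched window stays open.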
2. To edit the WatchGuard Web UI policy, click the policy name.
Or, select the check box for the policy and select Action > Edit Policy.
The policy appears.
3. If your Firebox is configured to allow more than one Device Administrator to log in at the same time, to unlock the
configuration and make changes, click
You can restrict or expand access to the Web UI by adding or removing entries in the From list:
- You can allow access to the Web UI from external networks by adding the Any-External alias (or an appropriate
IP address).
- You can restrict access to the Web UI from internal locations by removing the Any-Trusted and Any-Optional
aliases. Make sure to keep at least one IP address from which you want to allow access so that you can manage
the Firebox from that computer.
- You can remove all IP addresses and aliases, and replace them with user names or group names. When you do
this, you force users to authenticate before they are allowed access to the Web UI.
The port and protocol the WatchGuard Web UI policy controls appears on the Settings tab.
If you change this port, the URL you use to access the Web UI also changes. For example, if you
change the port to 8888, to connect to the Web UI, type https://<Firebox-IP-address>:8888 in your browser address bar.
In Policy Manager:
1. Select Setup > Global Settings.
The Global Settings dialog box appears.
3. Click OK.
In the Web UI:
1. Select System > Global Settings.
2. To unlock the configuration file and make changes, click the unlock icon.
3. On the General tab, in the Web UI Port text box, type or select the port.
4. Click Save.
5. To lock the configuration file, click
Note that there are no options available on the page that enable you to make changes to the Policies list.
6. Navigate to other pages in the Web UI and note that you cannot change any settings.
7. At the top of the Web UI, place your cursor over
You are logged out of the Web UI and the login dialog box appears again.
When you configure a Firebox with the Quick Setup Wizard, a policy that allows you to connect to the Web UI from any
computer on the trusted or optional networks is automatically created. To manage the Firebox from a remote location
(any location on an external network), you must change your configuration to allow connections to the Web UI from that
location.
Before you change a policy to allow connections to the Firebox from a computer external to your network, it is a good
idea to consider these alternatives:
Is it possible to connect to the Firebox with a VPN?
This option greatly increases the security of the connection. If you can connect with a VPN, then you do not need
to allow other connections. If it is not possible to connect to the Firebox with a VPN, we recommend that you use
authentication for additional security.
It is more secure to limit access from the external network to the smallest number of computers possible.
For example, it is more secure to allow connections from a single computer than it is to allow connections from
the Any-External alias.
If you decide to allow connections to the Firebox from Any-External, it is especially important that you set very strong
passphrases. It is also a good idea to change your passphrases at regular intervals.
Your instructor might ask you to complete these steps. This will enable your instructor to troubleshoot
configuration issues from his computer later in the class.
To configure the WatchGuard Web UI policy to allow access to the Web UI from an external computer:
1. From a computer on the trusted network, open a web browser and go to
https://<Firebox-IP-address>:8080.
Replace <Firebox-IP-address> in the address with the Firebox trusted interface IP address.
2. If a certificate warning appears, choose the option to accept the warning and continue to the website.
The Fireware Web UI Login page appears.
10. Click Save to apply this change to your Firebox.
11. To lock the configuration file, click the lock icon.
12. From a computer on the external network, try to connect to the Web UI.
Type https://<Firebox-external-IP-address>:8080 in the browser address bar.
You should be able to connect to the Firebox.
The FireWatch page is separated into tabs of data. Each tab presents the data in a treemap visualization. The
treemap proportionally sizes blocks in the display to represent the data for that tab. The largest blocks on the tab
represent the largest data users. The data is sorted by the tab you select and the type you select from the drop-down list at the top right of the page.
On the Source tab, each block has the IP address of the source. If your computer is the only computer
connected to the Firebox, the Source tab shows one large block.
2. On the Source tab, move the mouse over the IP address in a block.
A dialog box with summary information about traffic from that source appears.
4. Click Close.
5. On the Source tab, move the mouse over an IP address in a block.
A dialog box with summary information about traffic from that source appears.
6. Click Filter.
The Source tab disappears, and all other tabs show data only from the selected source. The current filter appears at
the top of the page.
7. To remove the current filter, click FireWatch in the breadcrumbs at the top of the page.
The Source tab reappears, and the data is no longer filtered by that source.
8. Select each of the other tabs to view traffic data by destination, application, policy, or interface.
9. Use a web browser to connect to different sites, and watch how the treemap view updates.
10. From the drop-down list at the top-right of the page, select an option to pivot the data on, and change the
information that appears on the page.
o A) Device Administrator
o B) Device Monitor
o C) configuration
o D) administrator
2. What is the default port for the Web UI? (Select one.)
o A) 8100
o B) 8088
o C) 8080
o D) 8000
3. True or false? You can save the Firebox configuration file to a local disk drive from the Web UI.
4. True or false? You must install WSM software to use the Web UI.
5. How many users can simultaneously log in to the Web UI with the admin user account? (Select one.)
o A) 1
o B) 2
o C) 4
o D) unlimited
6. How many users can simultaneously log in to the Web UI with the status user account? (Select one.)
o A) 1
o B) 2
o C) 4
o D) unlimited
ANSWERS
1. A
2. C
3. True
4. False
5. D
6. D
Notes