Manual WatchGuard Technologies FireboxTM System 4.6

170 pages 1.4 mb

Summary
  • WatchGuard Technologies FireboxTM System 4.6 - page 1

    WatchGuard® Firebox™ System User Guide Firebox System 4.6 ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 2

    ii Disclaimer Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission o ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 3

    User Guide iii WatchGuard Technologies, Inc. Firebox System Software End-User License Agreement WatchGuard Firebox System (WFS) End-User License Agreement IMPORTANT — READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE: This WFS End-User License Agreement (“AGREEMENT”) is a legal agreement between you (either an individual ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 4

    iv (D) Transfer this license to another party unless (i) the transfer is permanent, (ii) the third party recipient agrees to the terms of this AGREEMENT, and (iii) you do not retain any copies of the SOFTWARE PRODUCT; or (E) Reverse engineer, disassemble or decompile the SOFTWARE PRODUCT. 4. Limited Warranty. WATCHGUARD makes the f ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 5

    User Guide v subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Incorporated, 505 Fifth Avenue, ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 6

    vi FCC Certification This device has been tested and found to comply with limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. Operation is subject to the following two conditions: 1 This device may not cause harmful interference. 2 This device must accept any interference received, including interference that may ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 7

    User Guide vii Table of Contents PART I Introduction (p. 1); Welcome to WatchGuard (p. 1); WatchGuard Firebox System components (p. 1); Minimum requiremen ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 8

    viii Resetting Firebox passphrases (p. 24); Setting the time zone (p. 25); Reinitializing a misconfigured Firebox (p. 25); CHAPTER 5 Using the WatchGuard Control Center ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 9

    User Guide ix Service precedence (p. 56); CHAPTER 9 Controlling Web Traffic (p. 59); How WebBlocker works (p. 59); Configuring the WebBlocker service ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 10

    x CHAPTER 15 Reviewing and Working with log files (p. 103); Viewing files with LogViewer (p. 103); Displaying and hiding fields (p. 105); Working with log files ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 11

    User Guide 1 PART I Introduction Welcome to WatchGuard The WatchGuard Firebox System consists of: • A suite of management and security software tools • A Plug and Play network appliance called the WatchGuard Firebox • A security-related broadcast service In the past, a connected enterprise needed a complex set of tools, system ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 12

    WatchGuard Firebox System components 2 • Security suite • LiveSecurity Service WatchGuard Firebox The Firebox family of appliances are specially designed and optimized machines. They are small, efficient, and reliable. The Firebox is a low-profile component with an indicator display panel in front and physical interf ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 13

    User Guide 3 Minimum requirements LiveSecurity Service The innovative LiveSecurity Service subscription makes it easy to maintain the security of an organization’s network. WatchGuard’s team of security experts publish alerts and software updates, which are broadcast to your e-mail client. Minimum requirements This section describes the ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 14

    Minimum requirements 4 Hardware requirements Minimum hardware requirements are the same as for the operating system on which the WatchGuard Firebox System 4.6 runs. The recommended hardware ranges are listed below. Hardware feature Minimum requirement CPU Pentium II Memory Same as for operating system. Recommended: ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 15

    User Guide 5 PART II WatchGuard® Services The WatchGuard Firebox System is considerably more than a piece of hardware. This section describes two WatchGuard service components that address your security requirements, and the optional features available to you. LiveSecurity Service The key to a high quality, effective network secu ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 16

    6 ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 17

    User Guide 7 CHAPTER 1 LiveSecurity Service No Internet security solution is complete without systematic updates. From the latest hacker techniques to the most recently discovered operating system bug, the daily barrage of new threats poses a perpetual challenge to any Internet security solution. The LiveSecurity Service keeps your sec ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 18

    LiveSecurity broadcasts 8 accompany each transmission for easy installation. These convenient transmissions relieve you of the burden of tracking the latest software version to keep your system state of the art. Editorial Leading security experts from around the world join the WatchGuard Rapid Response Team in contributing useful edit ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 19

    User Guide 9 LiveSecurity broadcasts • The License Key number is located on the WatchGuard LiveSecurity Agreement License Key Certificate. Enter the number in the exact form shown on the key, including the hyphens. • Verify that your e-mail address is correct. You will receive your activation confirmation mail and all of your Live ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 20

    LiveSecurity broadcasts 10 ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 21

    User Guide 11 CHAPTER 2 Technical Support Developing and implementing a network security policy can be a challenge. In addition to familiarity with the WatchGuard Firebox System, it requires experience with advanced networking concepts, programs, and protocols. The WatchGuard Technical Support team has a variety of methods to answer ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 22

    Getting Internet technical support 12 Known issues Another source of information about the WatchGuard Firebox System is the Known Issues page on the Technical Support Web. When our engineering or Technical Support team discovers a limitation or problem with our product, we immediately post the information on the Known Issues page. We ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 23

    User Guide 13 Training When you call WatchGuard Technical Support, you are prompted for your LiveSecurity License key. We use this key to track the information you report about your network, and to add this issue to our database of all the support issues you have brought to our attention. After you enter your LiveSecurity License key, ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 24

    WatchGuard users group 14 Instructor-led courses WatchGuard offers a series of courses supporting our product line. Current titles include a two-day course on firewalling basics with the WatchGuard Firebox System and a one-day course on virtual private networking. These courses are delivered by certified WatchGuard trainers, both at ou ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 25

    User Guide 15 Online Help Starting WatchGuard Online Help WatchGuard Online Help can be started either from the WatchGuard Management Station or directly from a browser. • In the Management Station software, press F1. • On any platform, browse to the directory containing WatchGuard Online Help. Open LSSHelp.html. The default i ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 26

    Online Help 16 Context-sensitive Help In addition to the regular online Help system, context-sensitive or What’s This? Help is also available. What’s This? Help provides a definition and useful information on fields and buttons in the dialog boxes. To access What’s This? Help: 1 Right-click any field or button. 2 Click What’s T ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 27

    User Guide 17 CHAPTER 3 WatchGuard Options The WatchGuard Firebox System is enhanced by optional features designed to accommodate the needs of different customer environments and security requirements. Currently available options VPN Manager WatchGuard VPN Manager is a centralized module for creating and managing the network secur ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 28

    Obtaining WatchGuard options 18 Mobile User VPN Mobile User VPN is the WatchGuard IPSec implementation of remote user virtual private networking. Mobile User VPN connects an employee on the road or working from home to trusted and optional networks behind a Firebox using a standard Internet connection, without compromising security. Mobil ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 29

    User Guide 19 PART III Configuring a Security Policy This section describes how to configure your security system. Its primary focus is on using the WatchGuard Control Center and Policy Manager to develop and implement a network security policy. It includes chapters on: WatchGuard Control Center The WatchGuard Control Center i ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 30

    20 you to exert fine control over the type of Web sites users on your Trusted network are allowed to view. Set up network address translation (NAT) Hide the real IP addresses of the hosts and networks behind your firewall through the use of network address translation. You can set NAT policy at both the global and the individual se ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 31

    User Guide 21 CHAPTER 4 Firebox Basics This chapter describes the following tasks, which require direct interaction between the Management Station and the Firebox: • Set up a Firebox • Open and save a configuration file to a local hard disk or the Firebox • Reset Firebox passphrases • Set the Firebox time zone • Rein ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 32

    What is a Firebox? 22 Placing a Firebox within a network The most common location for a Firebox is directly behind the Internet router, as pictured below: Other parts of the network are as follows: Management Station The computer on which you install and run the WatchGuard LiveSecurity Control Center. Event Processor The computer that ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 33

    VPN Manager Guide 23 Opening a configuration file Opening a configuration file Policy Manager is a comprehensive software tool for creating, modifying, and saving configuration files. A configuration file, with the extension .cfg, contains all the settings, options, addresses, and information that together constitute your Firebox sec ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 34

    Resetting Firebox passphrases 24 Saving a configuration to the local hard disk From Policy Manager in the Advanced view: 1 Select File => Save => As File. The Save dialog box appears. 2 Enter the name of the file. The default is to save the file to the WatchGuard directory. 3 Click Save. The configuration file is saved to th ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 35

    VPN Manager Guide 25 Setting the time zone • Don’t use words in standard dictionaries, even if you use them backward or in a foreign language. Create your own acronyms instead. • Don’t use proper names, especially company names or those of famous people. • Use a combination of uppercase and lowercase characters, numer ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 36

    Reinitializing a misconfigured Firebox 26 4 When you complete the QuickSetup wizard, remove the loopback cable (assuming your Firebox has one) and return the Firebox to its regular position in your network. The Firebox resumes normal operation the next time it restarts. Some Fireboxes have a factory default button. To place the unit into ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 37

    User Guide 27 CHAPTER 5 Using the WatchGuard Control Center The WatchGuard Control Center combines access to WatchGuard Firebox System applications and tools in one intuitive interface. The Control Center also displays a real-time monitor of traffic through the firewall, connection status, tunnel status, and recent log activi ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 38

    Control Center components 28 • A real-time monitor of traffic through the Firebox. QuickGuide The top part of the display just below the title bar is the QuickGuide. It contains buttons to: • Open the WatchGuard Control Center menu • Pause the display • Launch Policy Manager • Launch Firebox Monitors • Launch LogViewer ? ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 39

    User Guide 29 Control Center components • IPSec • DVCP • WatchGuard VPN The first line of the tunnel entry shows the name that was assigned when the tunnel was created, along with the tunnel type (IPSec, DVCP, or WatchGuard). If the tunnel is an IPSec or DVCP tunnel, it also shows the IP address of the destination IPSec devic ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 40

    Working with the Control Center 30 When you expand an entry that has a red exclamation point, another exclamation point appears next to the specific device or tunnel with the problem. Use this feature to rapidly identify and locate problems with your VPN network. Traffic Monitor The Traffic Monitor shows, in real time, the t ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 41

    User Guide 31 Policy Manager much more appropriate tool for tracking logs; Traffic Monitor just provides a real-time view of what the Firebox activity. 1 Click the WatchGuard Control Center button. Click Settings. 2 Type or use the scroll control to change the Max Log Entries field. Click OK. The value entered represents the number ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 42

    Firebox Monitors 32 The Policy Manager display includes: Pull-down menus Menus that provide access to most configuration and administration tasks. Toolbar A row of buttons immediately below the pull-down menus. Each button corresponds to a frequently performed Policy Manager task. Position the mouse over the button to view a tooltip ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 43

    User Guide 33 HostWatch HostWatch The HostWatch application displays active connections occurring on a Firebox in real time. It can also graphically represent the connections listed in a log file, either playing back a previous file for review or displaying connections as they are added to the current log file. To open HostW ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 44

    LiveSecurity Event Processor 34 ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 45

    User Guide 35 CHAPTER 6 Configuring a Network Configuring a network refers to setting up the three Firebox interfaces. To do this, you need to: • Enter the IP address or addresses for the Firebox interfaces. • Enter the IP addresses of secondary networks that are connected to and associated with a Firebox interface. • Enter the defau ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 46

    Setting up a drop-in network 36 The QuickSetup wizard also writes a basic configuration file called wizard.cfg to the hard disk of the Management Station. If you later want to expand or change the basic Firebox configuration using Policy Manager, use wizard.cfg as the base file to which you make changes. You can run the QuickSe ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 47

    User Guide 37 Setting up a routed network • The Trusted interface ARP address replaces the router’s ARP address. • All three Firebox interfaces are assigned the same IP address. This is true whether or not you use the Optional interface. • The majority of a LAN resides on the Trusted interface. • You can have other networks in o ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 48

    Adding a secondary network 38 Adding a secondary network A secondary network is a network on the same physical wire as a Firebox interface that has an address belonging to an entirely different network. Adding a secondary network to a Firebox interface maps an IP address from the secondary network to the IP address of the interface. T ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 49

    User Guide 39 Defining a host route Defining a host route Configure a host route if there is only one host behind the router. Enter the IP address of that single, specific host, and do not enter a bitmask. From Policy Manager in the Advanced view: 1 Select Network => Routes. The Setup Routes dialog box appears. 2 Click Add. T ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 50

    Entering WINS and DNS server addresses 40 Entering WINS and DNS server addresses Several advanced features of the Firebox, such as DHCP and Remote User VPN, rely on shared Windows Internet Name Server (WINS) and Domain Name System (DNS) server addresses. These servers must be accessible from the Firebox Trusted interface. From Policy ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 51

    User Guide 41 Defining a Firebox as a DHCP server Modifying an existing subnet From Policy Manager: 1 Select Network => Configuration. Click the DHCP Server tab. 2 Click the subnet to review or modify. Click Edit. 3 When you have finished reviewing or modifying the subnet, click OK. Removing a Subnet From Policy Manage ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 52

    Defining a Firebox as a DHCP server 42 ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 53

    User Guide 43 CHAPTER 7 Blocking Sites and Ports Many types of network security attacks are easily identified by patterns found in packet headers. Port space probes, address space probes, and spoofing attacks all exhibit characteristic behavior that a good firewall can recognize and protect against. WatchGuard allows both manual an ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 54

    Blocking a site permanently 44 2 Modify the default packet-handling properties according to your security policy preferences. For a description of each control, right-click the control, and then click What’s This? 3 Click OK. Blocking a site permanently The WatchGuard auto-blocking and logging mechanisms help you decide which sites ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 55

    User Guide 45 Blocking a port permanently 2 In the Category list, click Blocked Sites. 3 Modify the logging and notification parameters according to your security policy preferences. For detailed instructions, see “Customizing logging and notification by service or option” on page 76. Blocking a port permanently You can block ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 56

    Blocking sites temporarily with service settings 46 Blocking sites temporarily with service settings Use service properties to automatically and temporarily block sites when incoming traffic attempts to use a denied service. You can use this feature to individually log, block, and monitor sites that attempt access to restricted po ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 57

    User Guide 47 CHAPTER 8 Configuring Services The Services Arena of Policy Manager displays an icon for each configured service. A service represents a particular type of proxy or packet-filtering connection such as FTP, SMTP, or proxied HTTP. A symbol next to the service indicates whether the service is configured for outgoing traff ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 58

    Creating a new service 48 7 You can add multiple services to the Services Arena while the Services dialog box is open. When you finish adding services, click Close. The Services Arena displays an icon for each service added. 8 Click File => Save => To Firebox to save your changes to the Firebox. Specify the location ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 59

    User Guide 49 Defining service properties 8 In the Port text box, enter the well-known port number for this service. For a list of well-known services and their associated ports, see the Reference Guide or Online Help. 9 Click OK. Policy Manager adds the port configuration to the New Service dialog box. 10 Verify that t ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 60

    Defining service properties 50 6 Click OK. Adding outgoing service properties From Policy Manager: 1 In the Services Arena, double-click the service. Click the Outgoing tab. The Properties dialog box displays the Outgoing properties tab. 2 Use the Outgoing Connections Are drop list to select Enabled and Allowed. 3 To define ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 61

    User Guide 51 Configuring services for authentication Configuring services for authentication One way to create effective user authentication environments is to restrict all outgoing services to allow connections only from authenticated users. The following example applies to dynamically addressed (DHCP-based) networks. 1 Create a gro ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 62

    Setting up proxy services 52 2 On the toolbar, click the Delete Service icon (it appears as an “X”). You can also select Edit => Delete. A verification alert appears. 3 Click Yes. Policy Manager removes the service from the Services Arena. 4 Click File => Save => To Firebox to save your changes to the Fireb ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 63

    User Guide 53 Setting up proxy services 3 Click Incoming. The Incoming SMTP Proxy dialog box appears, displaying the General tab. 4 Modify general properties according to your preference. For a description of each control, right-click it, and then click What’s This?. 5 To modify logging properties, click the Logging tab. Selecti ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 64

    Setting up proxy services 54 Configuring the outgoing SMTP proxy Use the Outgoing SMTP Proxy dialog box to set the parameters for traffic going from your Trusted and Optional network to the world. You must already have an SMTP Proxy service icon in the Services Arena. Double-click the icon to open the service’s Properties dialog box: ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 65

    User Guide 55 Setting up proxy services 5 Click OK. 6 Click File => Save => To Firebox to save your changes to the Firebox. Specify the location and name of the new configuration file. Configuring an HTTP proxy service HyperText Transfer Protocol (HTTP) is the protocol used by the World Wide Web to move inf ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 66

    Service precedence 56 3 If you are using the HTTP proxy service because you want to use WebBlocker, follow the procedure in the next section. Otherwise, enable HTTP proxy properties according to your security policy preferences. For detailed descriptions of HTTP proxy options, see the Reference Guide. 4 Click the Safe Content t ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 67

    User Guide 57 Service precedence “IP” refers to exactly one host IP address; “List” refers to multiple host IP addresses, a network address, or an alias; and “Any” refers to the special “Any” target (not “Any” services). When two icons are representing the same service (for example, two Telnet icons or two Any icons ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 68

    Service pr ecedence 58 ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 69

    User Guide 59 CHAPTER 9 Controlling Web Traffic WebBlocker is a feature of the Firebox System that works in conjunction with the HTTP proxy to provide Web-site filtering capabilities. It enables you to exert fine control over the type of Web sites that users on your trusted network are allowed to view. For more information about Web ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 70

    Configuring the WebBlocker service 60 Logging and WebBlocker WebBlocker logs attempts to access sites blocked by WebBlocker. The log that is generated displays information about source and destination address as well as the blocked URL and the category that caused the denial. WebBlocker also generates a log entry showing the resu ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 71

    User Guide 61 Configuring the WebBlocker service Processor regularly and automatically updates the WebBlocker database stored on your Firebox. From Policy Manager: 1 If you have not already done so, double-click the service icon you are using for HTTP. Click the Properties tab. Click Settings. The proxy’s dialog box appears. 2C ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 72

    Manually downloading the WebBlocker database 62 2 In the Allowed Exceptions section, click Add to add either a network or host IP address to be allowed at all times. To allow a specific string for a domain, select Host Address. To allow a specific directory pattern, enter the string to be allowed. 3 In the Deny Exceptions section, cl ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 73

    User Guide 63 CHAPTER 10 Setting Up Network Address Translation Network address translation (NAT) hides internal network addresses from hosts on an external network. WatchGuard supports two types of NAT: • Outgoing dynamic NAT Hides network addresses from hosts on another network; works only on outgoing messages. • Inco ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 74

    Using simple dynamic NAT 64 Using simple dynamic NAT In the majority of networks, the preferred security policy is to globally apply network address translation to all outgoing packets. Simple dynamic NAT provides a quick method to set NAT policy for your entire network. Enabling simple dynamic NAT The default configuration of simple ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 75

    User Guide 65 Using service-based NAT Using service-based NAT Using service-based NAT, you can set outgoing dynamic NAT policy on a service-by-service basis. Service-based NAT is most frequently used to make exceptions to a globally applied simple dynamic NAT entry. For example, use service-based NAT on a network with simple NAT ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 76

    Configuring a service for incoming static NAT 66 Configuring a service for incoming static NAT Static NAT works on a port-to-host basis. Incoming packets destined for a specific public address and port on the External network are remapped to an address and port behind the firewall. You must configure each service separately for static N ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 77

    User Guide 67 Configuring a service for incoming static NAT 6 Enter the internal IP address. The internal IP address is the final destination on the Trusted network. 7 If appropriate, enable the Set Internal Port To Different Port Than Service checkbox. This feature is rarely used. It enables you to redirect packets not only ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 78

    Configuring a service for incoming static NA T 68 ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 79

    User Guide 69 CHAPTER 11 Setting Up Logging and Notification Logging and notification are crucial to an effective network security policy. Together, they make it possible to monitor your network security, identify both attacks and attackers, and take action to address security threats and challenges. Logging occurs when the firewall rec ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 80

    WatchGuard logging architecture 70 log messages to the second Event Processor. It continues through the list until it finds an Event Processor capable of recording events. WatchGuard logging architecture The flexible architecture of the Firebox System makes it possible to separate the logging and notification responsibilities to mult ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 81

    User Guide 71 Designating Event Processors for a Firebox you run the QuickSetup wizard. You can specify a different primary Event Processor as well as multiple backup Event Processors. Adding an Event Processor From Policy Manager: 1 Select Setup => Logging. 2 Click Add. 3 Enter the IP address to be used by the Event Proce ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 82

    Designating Event Processors for a Firebox 72 Removing an Event Processor Remove an Event Processor when you no longer want to use it for any logging purpose. From Policy Manager: 1 Select Setup => Logging. The Logging Setup dialog box appears. 2 Click the host name. Click Remove. 3 Click OK. The Logging Setup dialog box closes an ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 83

    User Guide 73 Setting up the LiveSecurity Event Processor Another way to set the Event Processor (and domain controller) clocks is to use an independent source such as the atomic clock-based servers available on the Internet. One place to access this service is: http://www.bldrdoc.gov/timefreq Setting up the LiveSecurity Event Processo ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 84

    Setting up the LiveSecurity Event Processor 74 Windows NT service. The default method on installation is for it to run as a Windows NT service. As a Windows NT or Windows 2000 Service By default, the Event Processor is installed to run as a Windows NT service, starting automatically every time the host computer restarts. You can also inst ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 85

    User Guide 75 Setting global logging and notification preferences Starting and stopping the Event Processor The Event Processor starts automatically when you start the host on which it resides. However, it is possible to stop or restart the Event Processor from its interface at any time. Open the Event Processor interface: • To sta ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 86

    Customizing logging and notification by service or option 76 3 For a record size, enable the By Number of Entries checkbox. Use the scroll control or enter a number of log record entries. The Approximate Size field changes to display the approximate file size of the final log file. For a detailed description of each control ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 87

    User Guide 77 Customizing logging and notification by service or option Send Notification Enable this checkbox to enable notification on the event type; clear it to disable logging for the event type. The remaining controls are active when you enable the Send Notification checkbox: E-mail Triggers an e-mail message when the event ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 88

    Customizing logging and notification by service or option 78 From Policy Manager: 1 Double-click a service in the Services Arena. The Properties dialog box appears. 2 Click Logging. The Logging and Notification dialog box appears. The options for each service are identical; the main difference is based on whether the servi ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 89

    User Guide 79 CHAPTER 12 Connect with Out-of-Band Management The WatchGuard Firebox System out-of-band (OOB) management feature enables the Management Station to communicate with a Firebox by way of a modem and telephone line. OOB is useful for remotely configuring a Firebox when access via the Ethernet interfaces is unavailable. Connect ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 90

    Enabling the Management Station 80 Preparing a Windows NT Management Station for OOB Install the Microsoft Remote Access Server (RAS) on the Management Station. From the Windows NT Desktop: 1 Attach a modem to your computer according to the manufacturer’s instructions. 2 Select Start => Settings => Control Panel. 3 Double-c ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 91

    User Guide 81 Configuring the Firebox for OOB 5 Enter a name for your connection. This can be anything that reminds you of the icon’s purpose: VPN Connection, for example. 6 Click Finish. 7 Click either Dial or Cancel. A new icon is now in the Network and Dial-Up Connections folder. To use this dial-up connection, double ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 92

    Establishing an OOB connection 82 ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 93

    VPN Manager Guide 83 PART IV Administering a Security Policy Network security is more than just designing and implementing a security policy and copying the resulting configuration file to a WatchGuard Firebox. Truly effective network security requires constant vigilance and ongoing adaptation to changing business needs. WatchGuard pr ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 94

    84 ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 95

    VPN Manager Guide 85 CHAPTER 13 Creating Aliases and Implementing Authentication Aliases are shortcuts used to identify groups of hosts, networks, or users with one name. The use of aliases simplifies user authentication and service configuration. User authentication provides access control for outgoing connections. Authentication dynamica ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 96

    Using host aliases 86 Adding a host alias From Policy Manager: 1 Select Setup => Authentication. The Member Access and Authentication Setup dialog box appears. 2 Click the Aliases tab. 3 Click Add. 4 In the Host Alias Name text box, enter the name used to identify the alias when configuring services and authenticati ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 97

    VPN Manager Guide 87 What is user authentication? What is user authentication? User authentication allows the tracking of connections based on name rather than IP address. With authentication, it no longer matters what IP address is used or from which machine a person chooses to work; the username defines the permissions of the user, and ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 98

    Configuring Firebox authentication 88 Configuring Firebox authentication You can use the WatchGuard Firebox System to define users and groups for authentication. Enter Firebox User information using Policy Manager. Firebox Users are intended for remote user virtual private networking (VPN). WatchGuard automatically adds two Firebox us ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 99

    VPN Manager Guide 89 Configuring RADIUS server authentication 2 Under Authentication Enabled Via, click the NT Service option. WatchGuard activates the Windows NT Server controls. 3 Click the Windows NT Server tab. 4 To identify the host either: - Enter both the host name and the IP address of the Windows NT network. - Enter the ho ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 100

    Configuring CRYPTOCard server authentication 90 On the RADIUS Server 1 Add the IP address of the Firebox where appropriate according to the RADIUS server vendor. Some RADIUS vendors may not require this. To determine if this is required for your implementation, check the RADIUS server vendor documentation. 2 Take the user or group a ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 101

    VPN Manager Guide 91 Configuring SecurID authentication 8 Enter the value of the shared secret between the Firebox and the CRYPTOCard server. This is the key or client key in the “Peers” file on the CRYPTOCard server. This key is case sensitive and must be identical on the Firebox and the CRYPTOCard server for CRYPTOCard authentica ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 102

    Using authentication to define remote user VPN access 92 7 If you are using a backup server, enable the Specify backup SecurID server checkbox. Enter the IP address and port number for the backup server. 8 Click OK. Using authentication to define remote user VPN access WatchGuard uses two built-in Firebox groups to identify curren ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 103

    User Guide 93 CHAPTER 14 Monitoring Firebox Activity An important part of an effective network security policy is the monitoring of network events. Monitoring enables you to recognize patterns, identify potential attacks, and take appropriate action. If an attack occurs, the records kept by WatchGuard will help you reconstruct what ha ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 104

    Firebox Monitors 94 Setting Firebox Monitors view properties You can configure Firebox Monitors to display traffic at different speeds, intervals, and amplitude. From Firebox Monitors: 1 Select View => Properties. 2 Modify display properties according to your preferences. Bandwidth Meter The Bandwidth Meter tab displays real-t ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 105

    User Guide 95 Firebox Monitors Packet counts The number of packets allowed, denied, and rejected between status queries. Rejected packets are denied packets for which WatchGuard sends an ICMP error message. Allowed: 5832 Denied: 175 Rejects: 30 Log and notification hosts The IP addresses of the log and notification hosts. Log host(s) ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 106

    Firebox Monitors 96 Block Network 123.152.24.64/28 eth2 Logging options Logging options configured with either the QuickSetup wizard or by adding and configuring services from Policy Manager. Logging options: Outgoing traceroute Incoming traceroute logged(warning) notifies(traceroute) hostile Outgoing ping Incoming ping Outgoing Archie Inco ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 107

    User Guide 97 Firebox Monitors 42 http-serve S 1052 536 476 372 41 fwcheck S 716 288 296 232 43 http-proxy S 1072 660 580 472 22121 smtp-proxy S 984 360 536 464 19698 http-serve S 1176 704 600 326 Interfaces Each network interface is displayed in this section, along with detailed information regarding its status and packet count: Int ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 108

    HostWatch 98 198.148.32.0 * 255.255.255.0 U 1500 0 129 eth1:0 127.0.0.0 * 255.0.0.0 U 3584 0 9 lo default 207.54.9.30 * UG 1500 0 95 eth0 ARP table A snapshot of the ARP table on the running Firebox. The ARP table is used to map IP addresses to hardware addresses: ARP Table Address HWtype HWaddress Flags Mask Iface 207.23.8.32 ether 00:20:AF:B ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 109

    User Guide 99 HostWatch The HostWatch display uses the logging settings configured for your Firebox using the Policy Manager. For instance, to see all denied attempts at incoming Telnet in HostWatch, configure the Firebox to log incoming denied Telnet attempts. The line connecting the source host and destination host is color-coded ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 110

    HostWatch 100 2 Browse to locate and select the Logdb file. By default, log files are stored in the WatchGuard installation directory at C:\Program Files\WatchGuard\logs. HostWatch loads the log file and begins to replay the activity. 3 To pause the display, click Pause. 4 To restart the display, click Continue. 5 To step t ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 111

    User Guide 101 HostWatch 4 In the New User field, enter the user ID of the authenticated user to watch. Click Add. Repeat for each authenticated user that HostWatch should monitor. 5 Click OK. Modifying view properties You can change how HostWatch displays information. For example, HostWatch can display host names rathe ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 112

    HostWatch 102 ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 113

    User Guide 103 CHAPTER 15 Reviewing and Working with Log Files Log entries are stored on the primary and backup LiveSecurity Event Processor. By default, log files are placed in the WatchGuard installation directory in a subdirectory called logs. The log file to which the Event Processor is currently writing records is named Fire ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 114

    Viewing files with LogViewer 104 2 Configure LogViewer display preferences as you choose. For a description of each control on the General tab, right-click it and then click What’s This? For information on the Filter Data tab, see “Displaying and hiding fields” on page 105. Searching for specific entries LogViewer has a s ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 115

    VPN Manager Guide 105 Displaying and hiding fields Displaying and hiding fields Use the Preferences dialog box to show or hide columns displayed in LogViewer. From LogViewer: 1 Select View => Preferences. Click the Filter Data tab. 2 Enable the checkboxes of the fields you would like to display. Disable the checkboxes of th ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 116

    Working with log files 106 IP header length Length, in octets, of the IP header for this packet. A header length that is not equal to 20 indicates that IP options were present. Default = Hide TTL (time to live) The value of the TTL field in the logged packet. Default = Hide Source address The source IP address of the logged packet. De ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 117

    VPN Manager Guide 107 Working with log files 4 Enter the destination for the files in the Copy to This Directory box. 5 Click Merge. The log files are merged and saved to the new file in the designated directory. Copying log files You can copy a single log file from one location to another, and you can copy the current, active l ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 118

    Working with log files 108 ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 119

    User Guide 109 CHAPTER 16 Generating Reports of Network Activity Historical Reports is a reporting tool that creates summaries and reports of Firebox log activity. It generates these reports using the log files created by and stored on the LiveSecurity Event Processor. Use Historical Reports to define reports, create filters, and pro ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 120

    Specifying report sections 110 Creating a new report From Historical Reports: 1 Click Add. 2 Enter the report name. The report name will appear in Historical Reports, the LiveSecurity Event Processor, and the title of the output. 3 Use the box next to Log Directory to define the location of log files. The default location for log file ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 121

    User Guide 111 Specifying a report time span 2 Enable the checkboxes for sections to be included in the report. For a description of each section, see “Report sections and consolidated sections” on page 115. Specifying a report time span When running Historical Reports, the default is to run the report across the entire log file. You c ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 122

    Exporting reports 112 3 Enter the number of elements to rank in the table. Default is 100. 4 Select the style of graph to use in the report. 5 Select the manner in which you want the proxied summary reports sorted: bandwidth or connections. 6 Enter the number of records to display per page for the detailed sections. The default is 1,000 ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 123

    User Guide 113 Using report filters Exporting a report to a text file When you select Text Export from the Setup tab on the Report Properties dialog box, the report output is created as a comma-delimited format file. The report appears as a .txt file in the following path: drive:\WatchGuard Install Directory\Reports\Report D ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 124

    Scheduling and running reports 114 Editing a filter At any time, you can modify the properties of an existing filter. From the Filters dialog box in Historical Reports: 1 Highlight the filter to modify. Click Edit. The Report Filter dialog box appears. 2 Modify filter properties according to your preferences. For a description of ea ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 125

    User Guide 115 Report sections and consolidated sections Manually running a report At any time, you can run one or more reports using Historical Reports. From Historical Reports: 1 Enable the checkbox next to each report you would like to generate. 2 Click Run. Report sections and consolidated sections You can use Historical Reports t ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 126

    Report sections and consolidated sections 116 Session Summary – Packet Filtered A table, and optionally a graph, of the top incoming and outgoing sessions, sorted either by byte count or number of connections. The format of the session is: client -> server : service. If the connection is proxied, the service is represented in all c ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 127

    User Guide 117 Report sections and consolidated sections Denied Outgoing Packet Detail A list of denied outgoing packets, sorted by time. The fields are Date, Time, Type, Client, Client Port, Server, Server Port, Protocol, and Duration. Denied Incoming Packet Detail A list of denied incoming packets, sorted by time. The fields a ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 128

    Report sections and consolidated sections 118 Reports attempts to resolve the server port to a table to represent the service name. If resolution fails, Historical Reports displays the port number. Time Summary – Proxied Traffic A table, and optionally a graph, of all accepted proxied connections distributed along user-defined in ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 129

    User Guide 119 PART V WatchGuard® Virtual Private Networking A virtual private network (VPN) allows the secure tunneling of data between two networks (or a host to a network) via a third unprotected network. The WatchGuard Firebox System includes two methods to provide secure tunnels: Branch office virtual private network Use the Wat ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 130

    120 ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 131

    User Guide 121 CHAPTER 17 Configuring Branch Office Virtual Private Networking Branch office virtual private networking (VPN) creates a secure tunnel, over an unsecure network, between two networks protected by the WatchGuard Firebox System or between a WatchGuard Firebox and an IPSec-compliant device. Using branch office VPN, y ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 132

    Using DVCP to connect to devices 122 • IP network addresses for the networks communicating with one another. • A common passphrase, known as a shared secret. • For WatchGuard VPN only, the local VPN IP address of each Firebox. It must be selected from a reserved network address that is not in use on either of the networks being con ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 133

    User Guide 123 Using DVCP to connect to devices Note also that if you configure a SOHO for both Basic and Enhanced DVCP, the gateway names must be different. From Policy Manager: 1 Select Network => Branch Office VPN => Basic DVCP. The DVCP Configuration dialog box appears. 2 Click Add. 3 Enter a ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 134

    Branch office VPN with IPSec 124 You can also change the network range of a WatchGuard client. However, when you save the configuration to the server, it automatically triggers the client to reboot and load the new policy. From Policy Manager: 1 Select Network => Branch Office VPN => Basic DVCP. 2 Sel ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 135

    User Guide 125 Branch office VPN with IPSec and how WatchGuard implements branch office VPN with IPSec, see the Network Security Handbook. From Policy Manager: • Select Network => Branch Office VPN => IPSec. Configuring a gateway A gateway specifies endpoints for one or more tunnels. The standard spec ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 136

    Branch office VPN with IPSec 126 Removing a gateway From the Configure Gateways dialog box: 1 Click the gateway. 2 Click Remove. Configuring a tunnel with manual security A tunnel encapsulates packets between two gateways. It specifies encryption type and/or authentication method. A tunnel also specifies endpoints. The following desc ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 137

    User Guide 127 Branch office VPN with IPSec 5 Use the Authentication drop list to select an authentication method. Options include: None (no authentication), MD5-HMAC (128-bit algorithm), or SHA1-HMAC (160-bit algorithm). 6 Click Key. Enter a passphrase. Click OK. The passphrase appears in the Authentication Key field. You ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 138

    Branch office VPN with IPSec 128 11 After you add all tunnels for this gateway, click OK. The Configure Gateways dialog box appears. 12 To configure more tunnels for another gateway, click Tunnels. Select a new gateway and repeat the tunnel creation procedure for that gateway. 13 When all the tunnels are created, click OK. Creatin ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 139

    User Guide 129 Branch office VPN with IPSec 9 Use the Protocol drop list to limit the protocol used by the policy. Options include: * (specify ports but not protocol), TCP, and UDP. 10 In the Src Port field, enter the local host port. The local host port number is optional and is the port from which WatchGuard sends all commu ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 140

    Configuring WatchGuard VPN 130 Allow VPN access to any services To allow all traffic from VPN connections, add the Any service to the Services Arena and configure it as described above. Allow VPN access to selective services To allow traffic from VPN connections only for specific services, add each service to the Services Arena and con ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 141

    User Guide 131 Configuring WatchGuard VPN 4 In the Local Firebox IP field, enter an IP address from a reserved network not in use on the local or remote networks. 5 In the text box to the left of the Add button, enter the IP address in slash notation of any remote network to which access should be granted from the local Firebox. Cli ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 142

    Configuring WatchGuard VPN 132 Configuring incoming services to allow VPN Because users on the remote Firebox are technically outside the trusted network, you must configure services to allow traffic through the VPN connection. WatchGuard recommends the following method: 1 Create a host alias corresponding to the VPN remote ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 143

    User Guide 133 CHAPTER 18 Configuring the Firebox for Remote User VPN Remote user virtual private networking (RUVPN) establishes a secure connection between an unsecured remote host and a protected network over an unsecured network. RUVPN connects an employee on the road or working from home to trusted and optional networks behind a Firebo ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 144

    Configuring shared servers for RUVPN 134 • The IP addresses of the DNS and WINS servers in the trusted network that perform IP address lookup on host alias names. • The usernames and passwords of those authorized to connect to the Firebox using RUVPN. • For Mobile User VPN, you will also need: - Mobile User VPN license key - Target F ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 145

    User Guide 135 Configuring services to allow incoming RUVPN 3 Enter the username and password. Firebox usernames are case sensitive. 4 To add the user to a group, select the group name in the Not Member Of list. Click the left-pointing arrow. Use pptp_users for Remote User PPTP and ipsec_users for Mobile User VPN. A given user can be a memb ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 146

    Configuring the Firebox for Remote User PPTP 136 - From: Selected - To: pptp_users or ipsec_users Configuring the Firebox for Remote User PPTP Configuring the Firebox for Remote User PPTP requires that you perform the following: • Enter IP addresses and networks used for clients • Add usernames to the built-in Firebox User group ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 147

    User Guide 137 Configuring the Firebox for Mobile User VPN From the Remote User Setup dialog box: 1 Click the PPTP tab. 2 Click Add. 3 Use the Choose Type drop list to select either a host or network. You can configure up to 50 addresses. If you select a network address, Remote User PPTP will use the first 50 addresses i ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 148

    Configuring the Firebox for Mobile User VPN 138 automatically included in the Policy Manager software, to activate the feature a license for each installation of the client software must be purchased. To purchase IPSec license keys, contact your local reseller or visit: http://www.watchguard.com/sales Entering license keys The first s ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 149

    User Guide 139 Configuring the Firebox for Mobile User VPN 10 Use the Encryption drop list to select an encryption method. Options available with the strong encryption version of WatchGuard Firebox System include: None (no encryption), DES-CBC (56-bit), and 3DES-CBC (168-bit). 11 Click Next. Click Finish. The wizard closes and the user na ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 150

    Configuring debugging options 140 The packages are located on the WatchGuard LiveSecurity Service Web site at http://www.watchguard.com/support. Enter the Service Web site using your LiveSecurity username and password. Click the Mobile User VPN link. • .exp end-user configuration file A prompt appears so you can save the end-user config ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 151

    User Guide 141 CHAPTER 19 Preparing a Host for Remote User VPN Remote user virtual private networking (RUVPN) establishes a secure connection between an unsecured remote host and a protected network over an unsecured network. RUVPN connects an employee on the road or working from home to trusted and optional networks behind a Firebox using ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 152

    Preparing the client computers 142 • Public IP address Remote host operating system The remote client must be running Windows and have the most recent MSDUN (Microsoft Dial-Up Networking) upgrades installed and may need other extensions and updates for proper configuration. Currently, Remote User VPN with PPTP requires these upgrades ac ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 153

    User Guide 143 Preparing the client computers 5 Enter the domain name you are connecting to. This should be the same as the “Log on to Windows NT domain” value. 6 Enter a description for your computer (optional). 7 Verify that Dial-Up Adapter #2 (VPN Support) is installed. If you do not have Dial-Up Adapter #2 (VPN Support), you must ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 154

    Preparing the client computers 144 9 Click Dial Out Only. Click Continue. 10 Click OK. 11 Restart the machine. Adding a domain name to a Windows NT workstation Often remote clients need to connect to a domain behind the firewall. To do this, the remote client must be able to recognize the domains to which they belong. Adding a domai ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 155

    User Guide 145 Configuring the remote host for RUVPN with PPTP 9 In the Initial Connection window that appears, click Yes. 10 Click Properties. The Virtual Private Connection window appears. 11 Click the General tab, and enter a host name or an IP address of the destination computer. 12 Click the Security tab. Select Typica ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 156

    Using Remote User PPTP 146 10 Click OK. Click OK again. 11 Restart the computer. Installing a VPN adapter on Windows NT From the Windows NT Desktop of the remote host: 1 Double-click My Computer. 2 Double-click Dial-Up Networking. If you have not already configured an entry, Windows guides you through the creation ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 157

    User Guide 147 Configuring debugging options 3 Double-click the RUVPN connection. If you configured the client computer as described in “Windows 95/98 platform preparation” on page 142, double-click Connect with RUVPN. 4 Enter the remote client username and password. These are assigned when you add the user to the pptp_users ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 158

    Configuring debugging options 148 ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 159

    User Guide 149 Index A Access controlling 83 Access rules defining 49 Accessing known issues 12 Activating LiveSecurity Service 8 Active connections 95 FTP 95 Active TCP connections 95 Adding existing service 47 incoming service properties 49 new domain 144 outgoing service properties 50 permanent blocked sites 44 secondary network 38 ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 160

    150 C Changing an interface IP address 39 IPSec policy order 129 remote network entries on VPN 131 Checklist, branch office VPN 121 Client DVCP 122 Client for Microsoft Networks installing 143 Client Wizard, DVCP 122 Communication, out-of-band 79 Completing Support Incident form, 12 Configuration Firebox 21 network 19 RUVPN checklist 13 ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 161

    User Guide 151 characteristics 36 configuration 36 DVCP Client Wizard 122 introduction 122 Dynamic NAT adding entries 64 described 63 disabling 65 enabling 63, 65 enabling simple 64 reordering entries 64 using simple 64 Dynamic security 127 Dynamically blocked sites 46 E Editing filter in Historical Reports 114 gateway 125 reports ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 162

    152 monitors 2, 32, 93 BandwidthMeter 94 opening configuration file 23 opening configuration file from 23 PPP timeout disconnects 81 reinitializing 25 resetting passphrase 24 saving configuration file 23 saving configuration file to 24 saving RUVPN configuration to 139 setting interfaces 35 setting the time zone 25 startin ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 163

    User Guide 153 exporting reports as 112 HTTP 48, 60, 94, 99 protocol 55 proxied 60 proxy 59 types of services 55 HTTP proxy 112 HTTP proxy reports HTTP detail 116 most popular domains 116 I Icon WatchGuard Service 60 Icons working with wg_ Icons 50 Implementing Authentication 83 Index search, online help 15 Infopacks editorial ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 164

    154 for blocked sites 44 global preferences 75 LogViewer 103 options 96 PPTP 137 replaying a file 99 searching log files 103 setting for a service 77 setting up 20 viewing files 103 WebBlocker 60 Logs consolidating in LogViewer 106 LogViewer 2, 83 consolidating logs 106 copying 104 copying log files 107 described 32 displaying fields ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 165

    User Guide 155 Navigating Control Center 27 Netscape Communicator 3 Network broadcast 2 changing range of client 124 configuration 95 configuring 35 configuring OOB 81 interfaces 97 LiveSecurity Broadcast 5, 7 routed described 37 secondary 38 services debugging 93 setting the default gateway 39 star with DVCP 122 Network addre ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 166

    156 pull-down menus 32 services arena 32 Status Bar 32 toolbar 32 Policy order changing IPSec 129 Polling rate changing 30 Port address translation. See also Dynamic NAT Port numbers, protecting 43 Port space probes 43 Ports blocked 19 Ethernet 22 for WatchGuard VPN 130 permanently blocked 45 viewing on HostWatch 100 PPP 81 PPT ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 167

    User Guide 157 adding a domain name to an NT workstation 144 adding new domain for NT workstation 144 installing a VPN adaptor for Windows 95/98 145 installing a VPN adaptor on Windows NT 146 installing client for Microsoft Networks 143 installing dial-up adapter #2 for Windows 95/98 143 preparing Windows 95/98 for RUVPN 142 runni ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 168

    158 introduction 37 Routes 97 network configuration 37 RUVPN 147 activating remote user PPTP 136 adding a domain name for NT 144 adding members to built-in user groups 134 adding new domain for NT workstation 144 adding remote access users 134 configuration checklist 133 configure remote host for remote user PPTP 145 configur ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 169

    User Guide 159 Software Update 7 SOHO editing tunnel properties 123 rebooting 124 removing tunnel 124 SpamScreen 18 Security Parameter Index see also SPI (Security Parameter Index) 126 Spoofing 43, 95, 124 Star network DVCP 122 Starting Control Center 27 LogViewer 103 WatchGuard Online Help 15 Static NAT adding external IP addre ...

  • WatchGuard Technologies FireboxTM System 4.6 - page 170

    160 manager 17 mobile user 18 multiple-box configuration 130 preventing IP spoofing 131 remote user 119 removing IPSec gateway 126 running with PPTP 147 two-box configuration 130 verifying successful configuration 132 VPN adaptor installing on Windows NT 146 VPN Monitor collapsing display 29 expanding display 29 Firebox Status ...

Manufacturer WatchGuard Technologies Category Network Router

Documents that we receive from a manufacturer of a WatchGuard Technologies FireboxTM System 4.6 can be divided into several groups. They are, among others:
- WatchGuard Technologies technical drawings
- FireboxTM System 4.6 manuals
- WatchGuard Technologies product data sheets
- information booklets
- or energy labels WatchGuard Technologies FireboxTM System 4.6
All of them are important, but from the point of view of using the device, the most important information is in the WatchGuard Technologies FireboxTM System 4.6 user manual.

The group of documents referred to as user manuals is also divided into more specific types, such as: installation manuals, service manuals, brief instructions and user manuals for the WatchGuard Technologies FireboxTM System 4.6. Look for the type of document that matches your needs. On our website you can view the most popular manual for the WatchGuard Technologies FireboxTM System 4.6.

What should a complete manual for the WatchGuard Technologies FireboxTM System 4.6 look like?
A manual, also referred to as a user manual or simply "instructions", is a technical document designed to assist users in the use of the WatchGuard Technologies FireboxTM System 4.6. Manuals are usually written by a technical writer, but in a language understandable to all users of the WatchGuard Technologies FireboxTM System 4.6.

A complete WatchGuard Technologies manual should contain several basic components. Some of them are less important, such as the cover / title page or the copyright page. The remaining part, however, should provide information that is important from the point of view of the user.

1. Preface and tips on how to use the WatchGuard Technologies FireboxTM System 4.6 manual - At the beginning of each manual we should find guidance on how to use it. It should include information about the location of the Contents of the WatchGuard Technologies FireboxTM System 4.6 manual, the FAQ or common problems, i.e. the places users search most often in each manual
2. Contents - an index of all tips concerning the WatchGuard Technologies FireboxTM System 4.6 that we can find in the current document
3. Tips on how to use the basic functions of the WatchGuard Technologies FireboxTM System 4.6 - which should help us in our first steps of using the WatchGuard Technologies FireboxTM System 4.6
4. Troubleshooting - a systematic sequence of activities that will help us diagnose and subsequently solve the most important problems with the WatchGuard Technologies FireboxTM System 4.6
5. FAQ - Frequently Asked Questions
6. Contact details - Information about where to find contact details for the manufacturer/service of the WatchGuard Technologies FireboxTM System 4.6 in a specific country, if it was not possible to solve the problem on our own.
