Fireware XTM Web UI v11.1 User Guide - WatchGuard Technologies
Fireware XTM Web UI v11.1 User Guide
WatchGuard XTM 1050 Firebox X Peak e-Series Firebox X Core e-Series
Firebox X Edge e-Series
ii Fireware XTM Web UI
ADDRESS 505 Fifth Avenue South Suite 500 Seattle, WA 98104
SUPPORT www.watchguard.com/support U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
SALES U.S. and Canada +1.800.734.9905 All Other Countries
+1.206.613.0895
ABOUT WATCHGUARD Since 1996, WatchGuard has been building
award-winning unified threat management (UTM) network security
solutions that combine firewall, VPN and security services to
protect networks and the businesses they power. We recently
launched the next generation: extensible threat management (XTM)
solutions featuring reliable, all-in-one security, scaled and
priced to meet the unique security needs of enterprises of every
size. Our products are backed by 15,000 partners
representing WatchGuard in 120 countries. More than a half million
signature red WatchGuard security appliances have already been
deployed worldwide in industries including retail, education, and
healthcare. WatchGuard is headquartered in Seattle, Washington,
with offices throughout North America, Europe, Asia Pacific, and
Latin America.
For more information, please call 206.613.6600 or visit
www.watchguard.com.
Notice to Users Information in this guide is subject to change
without notice. Companies, names, and data used in examples herein
are fictitious unless otherwise noted. No part of this guide may be
reproduced or transmitted in any form or by any means, electronic
or mechanical, for any purpose, without the express written
permission of WatchGuard Technologies, Inc.
Guide revision: 10/27/2009
Copyright, Trademark, and Patent Information Copyright © 1998 -
2009 WatchGuard Technologies, Inc. All rights reserved. All
trademarks or trade names mentioned herein, if any, are the
property of their respective owners.
Complete copyright, trademark, patent, and licensing information
can be found in the Copyright and Licensing Guide, available
online: http://www.watchguard.com/help/documentation/
This product is for indoor use only.
Abbreviations Used in this Guide
3DES Triple Data Encryption Standard
DES Data Encryption Standard
DSL Digital Subscriber Line
IPSec Internet Protocol Security
ISP Internet Service Provider
PPP Point-to-Point Protocol
PPTP Point-to-Point Tunneling Protocol
SSL Secure Sockets Layer
TCP Transfer Control Protocol
URL Uniform Resource Locator
VPN Virtual Private Network
WAN Wide Area Network
WSM WatchGuard System Manager
About networks and network security ... 1
About Internet connections ... 1
How information travels on the Internet ... 2
About protocols ... 2
Private addresses and gateways ... 3
About subnet masks ... 3
About slash notation ... 3
About entering IP addresses ... 4
Static and dynamic IP addresses ... 4
Static IP addresses ... 4
Dynamic IP addresses ... 4
Introduction to Fireware XTM ... 11
WatchGuard System Manager ... 12
WatchGuard Server Center ... 13
Fireware XTM Web UI and Command Line Interface ... 13
Fireware XTM with a Pro Upgrade ... 14
About WatchGuard Support ... 15
LiveSecurity Service ... 15
LiveSecurity Service Gold ... 16
Service expiration ... 16
Before you begin ... 17
Verify basic components ... 17
Get a WatchGuard device feature key ... 17
Gather network addresses ... 18
Select a firewall configuration mode ... 19
Run the Web Setup Wizard ... 20
Start the Web Setup Wizard ... 20
After the wizard finishes ... 22
If you have problems with the wizard ... 22
Connect to Fireware XTM Web UI ... 23
Customize your security policy ... 26
About LiveSecurity Service ... 26
Add a certificate exception to Mozilla Firefox v3 ... 27
Identify your network settings ... 28
Network Addressing Requirements ... 28
Find your TCP/IP properties on Microsoft Windows Vista ... 29
Find your TCP/IP properties on Microsoft Windows 2000, Windows 2003, and Windows XP ... 29
Find your TCP/IP properties on Microsoft Windows NT ... 29
Find your TCP/IP properties on Macintosh OS 9 ... 29
Find your TCP/IP properties on other operating systems (Unix, Linux) ... 30
Find PPPoE settings ... 30
Set your computer to connect to your WatchGuard device ... 30
Use DHCP ... 30
Use a static IP address ... 31
Disable the HTTP proxy in the browser ... 32
Disable the HTTP proxy in Internet Explorer 6.x or 7.x ... 32
Disable the HTTP proxy in Firefox 2.x ... 32
Disable the HTTP proxy in Safari 2.0 ... 32
Chapter 5 Configuration and Management Basics ... 33
About basic configuration and management tasks ... 33
Restore a Firebox backup image ... 34
Reset a Firebox to a previous or new configuration ... 35
Start a Firebox X Core or Peak e-Series, or a WatchGuard XTM device in safe mode ... 35
Run the Quick Setup Wizard ... 36
About feature keys ... 38
When you purchase a new feature ... 38
See features available with the current feature key ... 38
Activate the license key for a feature ... 39
Add a feature key to your Firebox ... 41
Remove a feature key ... 42
Enable NTP and add NTP servers ... 43
About SNMP ... 45
SNMP polls and traps ... 45
Enable SNMP polling ... 47
Enable SNMP management stations and traps ... 48
Configure SNMP Management Stations ... 49
Send an SNMP trap for a policy ... 50
Upgrade to a new version of Fireware XTM ... 63
Install the upgrade on your management computer ... 63
Upgrade the Firebox ... 63
Subscription Services upgrades ... 65
Appliance and software upgrades ... 65
How to apply an upgrade ... 65
About network interface setup ... 67
Network modes ... 67
Interface types ... 68
About network configuration in drop-in mode ... 76
Use drop-in mode for network interface configuration ... 76
Specify DHCP settings for a single interface ... 79
Disable an interface ... 83
Configure DHCP Relay ... 83
About LAN bridges ... 90
Create a network bridge configuration ... 91
Assign a network interface to a bridge ... 92
Add a static route ... 93
About virtual local area networks (VLANs) ... 94
About tagging ... 95
Use DHCP on a VLAN ... 97
Use DHCP relay on a VLAN ... 97
Assign interfaces to a VLAN ... 97
Chapter 7 Multi-WAN ... 99
Interface overflow ... 101
Routing table ... 101
Serial modem (Firebox X Edge only) ... 101
Before You Begin ... 102
Configure the interfaces ... 102
Before You Begin ... 104
Configure the interfaces ... 104
Before You Begin ... 105
Configure the interfaces ... 105
Before you begin ... 106
Routing Table mode and load balancing ... 106
Configure the interfaces ... 106
When to use Multi-WAN methods and routing ... 107
When to use the Routing Table method ... 107
When to use the Round-Robin method ... 107
About advanced multi-WAN settings ... 108
Set a global sticky connection duration ... 108
Set the failback action ... 109
Serial modem failover ... 109
Enable serial modem failover ... 109
Account settings ... 110
DNS settings ... 110
Dial-up settings ... 111
Link Monitor settings ... 111
Chapter 8 Network Address Translation (NAT) ... 115
About Network Address Translation (NAT) ... 115
Add firewall dynamic NAT entries ... 117
Delete a dynamic NAT entry ... 118
Reorder dynamic NAT entries ... 118
Configure policy-based dynamic NAT ... 119
Disable policy-based dynamic NAT ... 120
About 1-to-1 NAT and VPNs ... 121
Configure firewall 1-to-1 NAT ... 122
Define a 1-to-1 NAT rule ... 123
Configure policy-based 1-to-1 NAT ... 124
Enable policy-based 1-to-1 NAT ... 124
Disable policy-based 1-to-1 NAT ... 124
Chapter 9 Wireless Setup ... 133
About wireless configuration ... 133
Enable/disable SSID broadcasts ... 137
Change the SSID ... 138
Log authentication events ... 138
Change the fragmentation threshold ... 138
When to change the default fragmentation threshold ... 138
Change the fragmentation threshold ... 139
Change the RTS threshold ... 139
Set the encryption level ... 140
WPA and WPA2 PSK authentication ... 141
Enable a wireless guest network ... 144
Configure your external interface as a wireless interface ... 146
Configure the primary external interface as a wireless interface ... 146
Configure a BOVPN tunnel for additional security ... 148
Set the operating region and channel ... 149
Set the wireless mode of operation ... 150
Configure the wireless card on your computer ... 151
Chapter 10 Dynamic Routing ... 153
About dynamic routing ... 153
About routing daemon configuration files ... 153
About Routing Information Protocol (RIP) ... 154
Routing Information Protocol (RIP) commands ... 154
Configure the Firebox to use RIP v2 ... 157
Allow RIP v2 traffic through the Firebox ... 158
Sample RIP routing configuration file ... 158
Chapter 11 Authentication ... 173
Install the WatchGuard Single Sign-On (SSO) agent ... 181
Download the SSO agent software ... 181
Before you install ... 182
Install the SSO agent service ... 182
Install the WatchGuard Single Sign-On (SSO) client ... 182
Install the SSO client service ... 183
Enable Single Sign-On (SSO) ... 183
Enable and configure SSO ... 184
Define SSO exceptions ... 184
About using third-party authentication servers ... 185
Use a backup authentication server ... 185
Types of Firebox authentication ... 186
Firewall authentication ... 186
Mobile VPN with PPTP connections ... 187
Mobile VPN with SSL connections ... 188
Define a new user for Firebox authentication ... 189
Define a new group for Firebox authentication ... 190
About RADIUS groups ... 195
Practical use of RADIUS groups ... 195
Configure SecurID authentication ... 199
Configure LDAP authentication ... 200
DN of Searching User and Password of Searching User fields ... 204
Change the default port for the Active Directory server ... 205
Configure the Firebox to use the global catalog port ... 205
To find out if your Active Directory server is configured as a global catalog server ... 205
Before You Begin ... 206
Specify Active Directory or LDAP Optional Settings ... 206
Chapter 12 Policies ... 213
About the Firewall or Mobile VPN Policies page ... 215
Add a policy from the list of templates ... 218
Disable or delete a policy ... 219
Delete a policy ... 219
Alias members ... 220
Create an alias ... 221
Add an address, address range, DNS name, user, group, or another alias to the alias ... 222
Automatic policy order ... 223
Policy specificity and protocols ... 223
Firewall actions ... 224
Schedules ... 224
Policy types and names ... 224
Chapter 13 Proxy Settings ... 235
About proxy policies and ALGs ... 235
Proxy configuration ... 235
About the HTTP proxy ... 251
Policy tab ... 251
Properties tab ... 251
Settings and Content tabs ... 252
Allow Windows updates through the HTTP proxy ... 252
If you still cannot download Windows updates ... 252
File name patterns ... 254
HTTP proxy: Settings ... 256
HTTP requests ... 256
HTTP responses ... 257
HTTP proxy exceptions ... 258
Policy tab ... 279
Properties tab ... 279
Advanced tab ... 279
Settings and Content tabs ... 279
About Traffic Management and QoS ... 283
Enable traffic management and QoS ... 284
Restrict bandwidth
285 QoS Marking
..................................................................................................................................................
285 Traffic priority
................................................................................................................................................
285 Before you
begin..........................................................................................................................................
288 QoS marking for interfaces and
policies..............................................................................................
288 Marking types and values
.........................................................................................................................
289 QoS marking settings
.................................................................................................................................
292 Prioritization settings
.................................................................................................................................
293 Priority Levels
................................................................................................................................................
293 Define a Traffic Management
action.....................................................................................................
294 Determine available
bandwidth.............................................................................................................
294 Determine the sum of your
bandwidth...............................................................................................
294 Create or modify a Traffic Management action
................................................................................
295 Add a Traffic Management action to a
policy....................................................................................
296 Add a traffic management action to multiple
policies...................................................................
296
Chapter 15 Default Threat Protection
.....................................................................................................
297
About default threat
protection..................................................................................................................
297 About spoofing
attacks..............................................................................................................................
299 How the WatchGuard device identifies network probes
.............................................................. 301
To protect against port space and address space probes
............................................................ 302
About the SYN flood attack
setting.......................................................................................................
304 About unhandled packets
........................................................................................................................
304 About distributed denial-of-service
attacks.......................................................................................
305
Permanently blocked
sites...................................................................................................................
306 Auto-blocked sites/Temporary Blocked Sites list
........................................................................
306 See and edit the sites on the Blocked Sites list
............................................................................
306
Block a site permanently
...........................................................................................................................
307 Create Blocked Site
Exceptions...............................................................................................................
308 Block sites temporarily with policy
settings.......................................................................................
308 Change the duration that sites are auto-blocked
............................................................................
309
Default blocked ports
............................................................................................................................
310 Block a port
....................................................................................................................................................
311 Block IP addresses that try to use blocked ports
..............................................................................
311
Chapter 16 Logging and Notification
......................................................................................................
313
About logging and log files
..........................................................................................................................
313 Log Servers
................................................................................................................................................
313 Logging and notification in applications and servers
............................................................... 314
About log
messages...............................................................................................................................
314
Types of log messages
...............................................................................................................................
314 Traffic log
messages...............................................................................................................................
314 Alarm log messages
...............................................................................................................................
314 Debug log messages
.............................................................................................................................
315 Statistic log messages
...........................................................................................................................
315
Configure Logging
Settings..........................................................................................................................
318 Set logging and notification preferences
...........................................................................................
320
View, Sort, and Filter log message data
..........................................................................................
322 Refresh log message data
....................................................................................................................
323
Chapter 17 Monitor your Firebox
............................................................................................................
325
The Dashboard
..................................................................................................................................................
325 System Status
pages........................................................................................................................................
327 Bandwidth Meter
..............................................................................................................................................
329 Blocked sites status
..........................................................................................................................................
330
Run a basic diagnostics command
...................................................................................................
334 Use command arguments
...................................................................................................................
335
Dynamic DNS
.....................................................................................................................................................
335 Feature Key
.........................................................................................................................................................
336 Interfaces
.............................................................................................................................................................
336
LiveSecurity.........................................................................................................................................................
337 Memory
................................................................................................................................................................
337
Syslog....................................................................................................................................................................
339
About
certificates..............................................................................................................................................
343 Use multiple certificates to establish
trust..........................................................................................
343 How the Firebox uses certificates
..........................................................................................................
344 Certificate lifetimes and CRLs
..................................................................................................................
344 Certificate authorities and signing requests
......................................................................................
345 See current certificates
..............................................................................................................................
346 Import a certificate from a file
.................................................................................................................
346 Use a web server certificate for authentication
................................................................................
347 Use OpenSSL to generate a
CSR.............................................................................................................
348 Send the certificate request
.....................................................................................................................
349 Issue the
certificate......................................................................................................................................
349 Download the
certificate...........................................................................................................................
349
Use Certificates for the HTTPS Proxy
.........................................................................................................
350 Protect a private HTTPS server
................................................................................................................
350 Examine content from external HTTPS servers
.................................................................................
351 Import the certificates on client devices
.............................................................................................
352 Troubleshoot problems with HTTPS content inspection
..............................................................
352
Use a certificate for BOVPN tunnel authentication
..............................................................................
354 Verify the certificate with FSM
................................................................................................................
354 Verify VPN certificates with an LDAP server
.......................................................................................
355
Chapter 19 Branch Office Virtual Private Networks
...............................................................................
359
What you need to create a
VPN...................................................................................................................
359 About manual BOVPN
tunnels.....................................................................................................................
360
What you need to create a VPN
.........................................................................................................
360 How to create a manual BOVPN tunnel
..........................................................................................
361 One-way tunnels
.....................................................................................................................................
361
VPN Failover ..... 361
Global VPN settings ..... 361
BOVPN tunnel status ..... 361
Rekey BOVPN tunnels ..... 361
DH groups and Perfect Forward Secrecy (PFS) ..... 372
How to choose a Diffie-Hellman group ..... 372
Performance analysis ..... 372
Define a tunnel ..... 373
Edit and delete a tunnel ..... 374
Add routes for a tunnel ..... 375
Add an existing proposal ..... 377
Create a new proposal ..... 377
Edit a proposal ..... 378
Change order of tunnels ..... 378
About global VPN settings ..... 379
Enable IPSec Pass-through ..... 379
Enable LDAP server for certificate verification ..... 380
1-to-1 NAT and VPNs ..... 381
Other reasons to use 1-to-1 NAT through a VPN ..... 381
Alternative to using NAT ..... 381
Example ..... 382
Define a Branch Office gateway on each Firebox ..... 383
Configure the local tunnel ..... 383
Define a route for all Internet-bound traffic ..... 387
Configure the BOVPN tunnel on the remote Firebox ..... 387
Configure the BOVPN tunnel on the central Firebox ..... 388
Add a dynamic NAT entry on the central Firebox ..... 388
Enable a WatchGuard device to send multicast traffic through a tunnel ..... 390
Example: Multicast routing through a BOVPN tunnel ..... 392
Example settings ..... 392
Enable broadcast routing for the local Firebox ..... 397
Configure broadcast routing for the Firebox at the other end of the tunnel ..... 398
Example settings ..... 399
Configure broadcast routing for the BOVPN tunnel at Site A ..... 399
Configure broadcast routing for the BOVPN tunnel at Site B ..... 401
Define multiple gateway pairs ..... 403
See VPN statistics ..... 405
Rekey BOVPN tunnels ..... 405
Why do I need a static external address? ..... 406
How do I get a static external IP address? ..... 406
How do I troubleshoot the connection? ..... 406
Why is ping not working? ..... 406
How do I set up more than the number of allowed VPN tunnels on my Edge? ..... 406
Collect IP address and tunnel settings ..... 407
PHASE 1 Settings (Both sides must use exactly the same values) ..... 408
PHASE 2 Settings (Both sides must use exactly the same values) ..... 408
Configure the Phase 1 settings ..... 413
Configure the Phase 2 settings ..... 417
Configure the Phase 1 settings ..... 422
Add a VPN Tunnel ..... 424
Configure the Phase 2 settings ..... 426
Collect IP address and tunnel settings ..... 428
PHASE 1 Settings (Both sides must use exactly the same values) ..... 429
PHASE 2 Settings (Both sides must use exactly the same values) ..... 429
Configure Site A, Fireware XTM v11.x ..... 431
Configure the Phase 1 settings ..... 434
Configure the Phase 2 settings ..... 438
Add a VPN Gateway ..... 440
Configure the Phase 1 settings ..... 442
Configure the Phase 2 settings ..... 446
Collect IP address and tunnel settings ..... 450
PHASE 1 Settings (Both sides must use exactly the same values) ..... 451
PHASE 2 Settings (Both sides must use exactly the same values) ..... 451
PHASE 1 Settings (Both sides must use exactly the same values) ..... 452
PHASE 2 Settings (Both sides must use exactly the same values) ..... 452
Configure Site A, Fireware 11.x ..... 453
Configure the Phase 1 settings ..... 456
Configure the Phase 2 settings ..... 460
Configure the Phase 1 settings ..... 463
Configure the Phase 2 settings ..... 464
Configure VPN Keep Alive ..... 465
Select either IKE Keep-alive or Dead Peer Detection, but not both ..... 466
Use the default settings ..... 467
Configure the Firebox to send log traffic through the tunnel ..... 468
Chapter 20 Mobile VPN with PPTP ..... 471
About Mobile VPN with PPTP ..... 471
Mobile VPN with PPTP requirements ..... 471
Configure Mobile VPN with PPTP ..... 473
Encryption Settings ..... 474
Advanced Tab settings ..... 475
Configure policies to allow Mobile VPN with PPTP traffic ..... 479
Configure policies to allow Mobile VPN with PPTP traffic ..... 480
Allow PPTP users to access a trusted network ..... 480
Options for Internet access through a Mobile VPN with PPTP tunnel ..... 481
Default-route VPN ..... 481
Split tunnel VPN ..... 481
Default-route VPN setup for Mobile VPN with PPTP ..... 482
Split tunnel VPN setup for Mobile VPN with PPTP ..... 482
Prepare a Windows NT or 2000 client computer: Install MSDUN and service packs ..... 483
Create a PPTP connection ..... 484
Establish the PPTP connection ..... 484
Create the PPTP Mobile VPN ..... 485
Connect with the PPTP Mobile VPN ..... 485
Create the PPTP Mobile VPN ..... 486
Connect with the PPTP Mobile VPN ..... 486
Make outbound PPTP connections from behind a Firebox ..... 486
Chapter 21 Mobile VPN with IPSec ..... 487
About WatchGuard Mobile VPN with IPSec ..... 487
Configure a Mobile VPN with IPSec connection ..... 487
System requirements ..... 488
Options for Internet access through a Mobile VPN tunnel ..... 488
Default-route VPN ..... 488
Split tunnel VPN ..... 488
Modify an existing Mobile VPN with IPSec group profile ..... 497
Configure a Mobile VPN with IPSec group ..... 498
Define advanced Phase 1 settings ..... 504
Define advanced Phase 2 settings ..... 506
Lock down an end user profile ..... 509
Mobile VPN with IPSec configuration files ..... 509
Configure policies to filter Mobile VPN traffic ..... 510
Configure Mobile VPN with IPSec to a dynamic IP address ..... 512
Keep a record of the current IP address ..... 512
Configure the Firebox and IPSec client computers ..... 512
Client Requirements ..... 514
Install the Mobile VPN with IPSec client software ..... 514
Import the end-user profile ..... 515
Select a certificate and enter the PIN ..... 516
Uninstall the Mobile VPN client ..... 516
Disconnect the Mobile VPN client ..... 517
Control connection behavior ..... 517
Mobile User VPN client icon ..... 519
About the desktop firewall ..... 520
Define friendly networks ..... 521
Create firewall rules ..... 522
Import the end user profile ..... 528
Select a certificate and enter the passphrase ..... 529
Connect and disconnect the Mobile VPN client ..... 529
Control the connection behavior ..... 530
Mobile User VPN client icon ..... 531
Mobile VPN WM Configurator and Windows Mobile IPSec client requirements ..... 532
Select a certificate and enter the PIN ..... 533
Upload the end-user profile to the Windows Mobile device ..... 536
Connect and disconnect the Mobile VPN for Windows Mobile client ..... 537
User Guide xv
Chapter 22 Mobile VPN with SSL
.............................................................................................................
543
About Mobile VPN with
SSL..........................................................................................................................
543 Configure authentication and connection settings
...................................................................
544 Configure the Networking and IP Address Pool settings
......................................................... 545
Configure Advanced settings for Mobile VPN with
SSL............................................................ 547
Configure user authentication for Mobile VPN with
SSL.......................................................... 548
Configure policies to control Mobile VPN with SSL client
access.......................................... 548 Use other
groups or users in a Mobile VPN with SSL policy
.................................................... 549
How to choose a different port and
protocol....................................................................................
550 Allow direct access to the internet
...................................................................................................
551 Force all client traffic through tunnel
..............................................................................................
551
Use the HTTP proxy to control Internet access for Mobile VPN with
SSL users .................... 551 Name resolution for Mobile VPN
with
SSL..........................................................................................
551 Methods of name resolution through a Mobile VPN with SSL
connection ............................ 552 Select the best method
for your
network...........................................................................................
552 Configure WINS or DNS for name
resolution.....................................................................................
552 Add WINS and DNS servers to a Mobile VPN with SSL
configuration....................................... 552 Configure
an LMHOSTS file to provide name resolution
.............................................................. 552
Edit an LMHOSTS file
..................................................................................................................................
553
Install and connect the Mobile VPN with SSL
client.............................................................................
553 Client computer
requirements...........................................................................................................
553 Install the client software
.....................................................................................................................
554 Connect to your private network
......................................................................................................
555
Chapter 23 WebBlocker
............................................................................................................................
559
About WebBlocker categories
.....................................................................................................................
567 See whether a site is
categorized...........................................................................................................
567 Add, remove, or change a category
......................................................................................................
568
Define the action for sites that do not match
exceptions........................................................
569 Components of exception rules
........................................................................................................
569 Exceptions with part of a
URL.............................................................................................................
569
About WebBlocker subscription services
expiration...........................................................................
572
Chapter 24 spamBlocker
..........................................................................................................................
573
Set global spamBlocker parameters
..........................................................................................................
582 Use an HTTP proxy server for
spamBlocker........................................................................................
583 Add trusted email forwarders to improve spam score
accuracy................................................ 584 About
spamBlocker and VOD scan
limits............................................................................................
585 File scan limits by WatchGuard device model, in
kilobytes..........................................................
585 Maximum number of connections by WatchGuard device model
........................................... 586 Send spam or bulk
email to special folders in
Outlook..................................................................
587
Find the category a message is assigned
to..................................................................................
589
Chapter 25 Gateway AntiVirus and Intrusion Prevention
.....................................................................
591
About Gateway AntiVirus and Intrusion Prevention
...........................................................................
591 Install and upgrade Gateway AV/IPS
...............................................................................................
592 About Gateway AntiVirus/Intrusion Prevention and proxy policies
.................................... 592 Configure the Gateway
AntiVirus Service
......................................................................................
593
Configure Gateway AntiVirus actions for a proxy
action...............................................................
595 Configure alarm notification for antivirus actions
...........................................................................
596 Configure Gateway AntiVirus to quarantine
email..........................................................................
596 File scan limits by WatchGuard device model, in
kilobytes..........................................................
597
Update Gateway AntiVirus/IPS settings
...................................................................................................
597 If you use a third-party antivirus
client............................................................................................
597
Configure Gateway AV decompression
settings..............................................................................
598 Configure the Gateway AV/IPS update
server...................................................................................
599 Connect to the update server through an HTTP proxy
server..................................................... 600
Block access from the trusted network to the update server
...................................................... 600
Before you
begin.....................................................................................................................................
602 Configure the Intrusion Prevention Service
..................................................................................
602
1 Introduction to Network Security
About networks and network security
A network is a group of computers and other devices that are
connected to each other. It can be two computers in the same room,
dozens of computers in an organization, or many computers around
the world connected through the Internet. Computers on the same
network can work together and share data.
Although networks like the Internet give you access to a large
quantity of information and business opportunities, they can also
open your network to attackers. Many people think that their
computers hold no important information, or that a hacker is not
interested in their computers. This is not correct. A hacker can
use your computer as a platform to attack other computers or
networks. Information from your organization, including personal
information about users, employees, or customers, is also valuable
to hackers.
Your WatchGuard device and LiveSecurity subscription can help you
prevent these attacks. A good network security policy, or a set of
access rules for users and resources, can also help you find and
prevent attacks to your computer or network. We recommend that you
configure your Firebox to match your security policy, and think
about threats from both inside and outside your organization.
About Internet connections
ISPs (Internet service providers) are companies that give access to the Internet through network connections. The rate at which a network connection can send data is known as bandwidth: for example, 3 megabits per second (Mbps).
A high-speed Internet connection, such as a cable modem or a DSL
(Digital Subscriber Line), is known as a broadband connection.
Broadband connections are much faster than dial-up connections. The
bandwidth of a dial-up connection is less than 0.1 Mbps, while a
cable modem can be 5 Mbps or more.
Typical speeds for cable modems are usually lower than the maximum
speeds, because each computer in a neighborhood is a member of a
LAN. Each computer in that LAN uses some of the bandwidth. Because
of this shared-medium system, cable modem connections can become
slow when more users are on the network.
DSL connections supply constant bandwidth, but they are usually
slower than cable modem connections. Also, the bandwidth is only
constant between your home or office and the DSL central office.
The DSL central office cannot guarantee a good connection to a web
site or network.
How information travels on the Internet
The data that you send through the Internet is cut into units, or packets. Each packet includes the Internet address of the destination. The packets that make up a connection can use different routes through the Internet. When they all get to their destination, they are assembled back into the original order. To make sure that the packets get to the destination, address information is added to the packets.
About protocols
A protocol is a group of rules that allow computers to connect across a network. Protocols are the grammar of the language that computers use when they speak to each other across a network. The standard protocol when you connect to the Internet is the IP (Internet Protocol). This protocol is the usual language of computers on the Internet.
A protocol also tells how data is sent through a network. The most
frequently used protocols are TCP (Transmission Control Protocol)
and UDP (User Datagram Protocol). TCP/IP is the basic protocol used
by computers that connect to the Internet.
You must know some of the TCP/IP settings when you set up your
WatchGuard device. For more information on TCP/IP, see “Find your
TCP/IP properties” on page 29.
About IP addresses
To send ordinary mail to a person, you must know his or her street
address. For one computer on the Internet to send data to a
different computer, it must know the address of that computer. A
computer address is known as an Internet Protocol (IP) address. All
devices on the Internet have unique IP addresses, which enable
other devices on the Internet to find and interact with them.
An IP address consists of four octets (8-bit binary number
sequences) expressed in decimal format and separated by periods.
Each number between the periods must be within the range of 0 and
255. Some examples of IP addresses are:
206.253.208.100
4.2.2.2
10.0.4.1
Private addresses and gateways
Many companies create private networks that have their own address space. The addresses 10.x.x.x and 192.168.x.x are reserved for private IP addresses. Computers on the Internet cannot use these addresses. If your computer is on a private network, you connect to the Internet through a gateway device that has a public IP address.
Usually, the default gateway is the router that is between your
network and the Internet. After you install the Firebox on your
network, it becomes the default gateway for all computers connected
to its trusted or optional interfaces.
About subnet masks
Because of security and performance considerations, networks are often divided into smaller portions called subnets. All devices in a subnet have similar IP addresses. For example, all devices that have IP addresses whose first three octets are 50.50.50 would belong to the same subnet.
A network IP address’s subnet mask, or netmask, is a series of bits
that mask sections of the IP address that identify which parts of
the IP address are for the network and which parts are for the
host. A subnet mask can be written in the same way as an IP
address, or in slash or CIDR notation.
About slash notation
Your Firebox uses slash notation for many purposes, including policy configuration. Slash notation, also known as CIDR (Classless Inter-Domain Routing) notation, is a compact way to show or write a subnet mask. When you use slash notation, you write the IP address, a forward slash (/), and the subnet mask number.
To find the subnet mask number:
1. Convert the decimal representation of the subnet mask to a binary representation.
2. Count each “1” in the subnet mask. The total is the subnet mask number.
For example, you want to write the IP address 192.168.42.23 with a
subnet mask of 255.255.255.0 in slash notation.
1. Convert the subnet mask to binary. In this example, the binary
representation of 255.255.255.0 is:
11111111.11111111.11111111.00000000.
2. Count each "1" in the subnet mask. In this example, there are
twenty-four (24).
3. Write the original IP address, a forward slash (/), and then the
number from Step 2. The result is 192.168.42.23/24.
This table shows common network masks and their equivalents in slash notation.
Table columns: Network mask, Slash equivalent.
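The three-step conversion above, carried out in code. This is an added example and not from the guide: the function names are my own, and the "common masks" it produces are computed from their prefix lengths rather than copied from the guide's table.

```python
import ipaddress  # standard library; used only to cross-check the hand-rolled conversion


def netmask_to_prefix(netmask: str) -> int:
    """Steps 1 and 2: write each octet of the dotted-decimal mask in binary
    and count the 1 bits. Rejects values that are not a valid mask."""
    octets = [int(o) for o in netmask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal mask: {netmask}")
    binary = "".join(f"{o:08b}" for o in octets)  # 255.255.255.0 -> 24 ones, 8 zeros
    ones = binary.count("1")
    # A real mask is a run of 1s followed by a run of 0s; 255.0.255.0 is not one.
    if binary != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"non-contiguous mask: {netmask}")
    return ones


def prefix_to_netmask(prefix: int) -> str:
    """Reverse direction: /24 -> 255.255.255.0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_slash_notation(ip: str, netmask: str) -> str:
    """Step 3: the IP address, a forward slash, and the count from step 2."""
    return f"{ip}/{netmask_to_prefix(netmask)}"


def common_masks_table(prefixes=(8, 16, 24, 25, 26, 27, 28, 29, 30, 32)):
    """Rows of (network mask, slash equivalent) for the masks seen most often."""
    return [(prefix_to_netmask(p), f"/{p}") for p in prefixes]


if __name__ == "__main__":
    print(to_slash_notation("192.168.42.23", "255.255.255.0"))  # 192.168.42.23/24
    for mask, slash in common_masks_table():
        # Cross-check against the standard library's own parser.
        assert ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen == int(slash[1:])
        print(f"{mask:<17}{slash}")
```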
About entering IP addresses
When you type IP addresses in the Quick Setup Wizard or dialog boxes, type the digits and decimals in the correct sequence. Do not use the TAB key, arrow keys, spacebar, or mouse to put your cursor after the decimals.
For example, if you type the IP address 172.16.1.10, do not type a
space after you type 16. Do not try to put your cursor after the
subsequent decimal to type 1. Type a decimal directly after 16, and
then type 1.10. Press the slash (/) key to move to the
netmask.
Static and dynamic IP addresses
ISPs (Internet service providers) assign an IP address to each device on their network. The IP address can be static or dynamic.
Static IP addresses
A static IP address is an IP address that always stays the same. If you have a web server, FTP server, or other Internet resource that must have an address that cannot change, you can get a static IP address from your ISP. A static IP address is usually more expensive than a dynamic IP address, and some ISPs do not supply static IP addresses. You must configure a static IP address manually.
Dynamic IP addresses
A dynamic IP address is an IP address that an ISP lets you use temporarily. If a dynamic address is not in use, it can be automatically assigned to a different device. Dynamic IP addresses are assigned using either DHCP or PPPoE.
About DHCP
Dynamic Host Configuration Protocol (DHCP) is an Internet protocol
that computers on a network use to get IP addresses and other
information such as the default gateway. When you connect to the
Internet, a computer configured as a DHCP server at the ISP
automatically assigns you an IP address. It could be the same IP
address you had before, or it could be a new one. When you close an
Internet connection that uses a dynamic IP address, the ISP can
assign that IP address to a different customer.
You can configure your WatchGuard device as a DHCP server for
networks behind the device. You assign a range of addresses for the
DHCP server to use.
About PPPoE
Some ISPs assign IP addresses through Point-to-Point Protocol over
Ethernet (PPPoE). PPPoE adds some of the features of Ethernet and
PPP to a standard dial-up connection. This network protocol allows
the ISP to use the billing, authentication, and security systems of
their dial-up infrastructure with DSL modem and cable modem
products.
About DNS (Domain Name System)
You can frequently find the address of a person you do not know in
the telephone directory. On the Internet, the equivalent to a
telephone directory is the DNS (Domain Name System). DNS is a
network of servers that translate numeric IP addresses into
readable Internet addresses, and vice versa. DNS takes the friendly
domain name you type when you want to see a particular web site,
such as www.example.com, and finds the equivalent IP address, such
as 50.50.50.1. Network devices need the actual IP address to find
the web site, but domain names are much easier for users to type
and remember than IP addresses.
A DNS server is a server that performs this translation. Many
organizations have a private DNS server in their network that
responds to DNS requests. You can also use a DNS server on your
external network, such as a DNS server provided by your ISP
(Internet Service Provider).
About firewalls
A network security device, such as a firewall, separates your
internal networks from external network connections to decrease the
risk of an external attack. The figure below shows how a firewall
protects the computers on a trusted network from the
Internet.
Firewalls use access policies to identify and filter different
types of information. They can also control which policies or ports
the protected computers can use on the Internet (outbound access).
For example, many firewalls have sample security policies that
allow only specified traffic types. Users can select the policy
that is best for them. Other firewalls, such as WatchGuard devices
like your Firebox, allow the user to customize these
policies.
Firewalls can be in the form of hardware or software. A firewall
protects private networks from unauthorized users on the Internet.
Traffic that enters or leaves the protected networks is examined by
the firewall. The firewall denies network traffic that does not
match the security criteria or policies.
In some closed, or default-deny firewalls, all network connections
are denied unless there is a specific rule to allow the connection.
To deploy this type of firewall, you must have detailed information
about the network applications required to meet needs of your
organization. Other firewalls allow all network connections that
have not been explicitly denied. This type of open firewall is
easier to deploy, but it is not as secure.
About services and policies
You use a service to send different types of data (such as email,
files, or commands) from one computer to another across a network
or to a different network. These services use protocols. Frequently
used Internet services are:
World Wide Web access uses Hypertext Transfer Protocol (HTTP)
Email uses Simple Mail Transfer Protocol (SMTP) or Post Office Protocol (POP3)
File transfer uses File Transfer Protocol (FTP)
Resolving a domain name to an Internet address uses Domain Name Service (DNS)
Remote terminal access uses Telnet or SSH (Secure Shell)
When you allow or deny a service, you must add a policy to your
WatchGuard device configuration. Each policy you add can also add a
security risk. To send and receive data, you must open a door in
your computer, which puts your network at risk. We recommend that
you add only the policies that are necessary for your
business.
As an example of how you can use a policy, suppose the network
administrator of a company wants to activate a Windows terminal
services connection to the company’s public web server on the
optional interface of the Firebox. He or she routinely administers
the web server with a Remote Desktop connection. At the same time,
he or she wants to make sure that no other network users can use
the Remote Desktop Protocol terminal services through the Firebox.
The network administrator would add a policy that allows RDP
connections only from the IP address of his or her own desktop
computer to the IP address of the public web server.
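A small policy evaluator that models the RDP example above and the closed (default-deny) versus open (default-allow) firewall behavior described earlier. This is an added illustration, not Fireware's own policy engine: the host addresses are constructed, "any" as a wildcard is my convention, and first-match ordering is an assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One access rule: protocol and port plus the approved source and destination hosts."""
    name: str
    protocol: str                 # "tcp" or "udp"
    port: int                     # destination port (3389 = RDP, 80 = HTTP)
    from_hosts: tuple[str, ...]   # IPs or CIDR networks; "any" matches every host (my convention)
    to_hosts: tuple[str, ...]
    action: str = "allow"         # "allow" or "deny"


def host_matches(address: str, patterns: tuple[str, ...]) -> bool:
    """True if the address is one of, or inside one of, the listed hosts/networks."""
    ip = ipaddress.ip_address(address)
    return any(p == "any" or ip in ipaddress.ip_network(p, strict=False) for p in patterns)


def evaluate(policies, protocol, src, dst, port, default_action="deny"):
    """Return (action, policy name) for a connection attempt.
    The first matching policy wins (assumption). With no match the firewall's
    default applies: "deny" for a closed firewall, "allow" for an open one."""
    for pol in policies:
        if (pol.protocol == protocol and pol.port == port
                and host_matches(src, pol.from_hosts)
                and host_matches(dst, pol.to_hosts)):
            return pol.action, pol.name
    return default_action, f"<default-{default_action}>"


# Constructed addresses, not from the guide: the administrator's desktop on the
# trusted network and the public web server on the optional network.
ADMIN_DESKTOP = "10.0.1.25"
WEB_SERVER = "10.0.2.10"

POLICIES = (
    # RDP only from the administrator's own desktop to the web server.
    Policy("RDP-admin-only", "tcp", 3389, (ADMIN_DESKTOP,), (WEB_SERVER,)),
    # The web server is public, so HTTP is allowed from anywhere.
    Policy("HTTP-web-server", "tcp", 80, ("any",), (WEB_SERVER,)),
)

if __name__ == "__main__":
    for src, port in ((ADMIN_DESKTOP, 3389), ("10.0.1.99", 3389), ("203.0.113.7", 80)):
        print(src, "->", WEB_SERVER, port, evaluate(POLICIES, "tcp", src, WEB_SERVER, port))
    # The same unmatched RDP attempt on an open firewall shows why that mode is less secure.
    print(evaluate(POLICIES, "tcp", "10.0.1.99", WEB_SERVER, 3389, default_action="allow"))
```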
When you configure your WatchGuard device with the Quick Setup
Wizard, the wizard adds only limited outgoing connectivity. If you
have more software applications and network traffic for your
Firebox to examine, you must:
Configure the policies on your Firebox to pass through necessary traffic
Set the approved hosts and properties for each policy
Balance the requirement to protect your network against the requirements of your users to get access to external resources
About ports
Although computers have hardware ports you use as connection
points, ports are also numbers used to map traffic to a particular
process on a computer. These ports, also called TCP and UDP ports,
are where programs transmit data. If an IP address is like a street
address, a port number is like an apartment unit number or building
number within that street address. When a computer sends traffic
over the Internet to a server or another computer, it uses an IP
address to identify the server or remote computer, and a port
number to identify the process on the server or computer that
receives the data.
For example, suppose you want to see a particular web page. Your
web browser attempts to create a connection on port 80 (the port
used for HTTP traffic) for each element of the web page. When your
browser receives the data it requests from the HTTP server, such as
an image, it closes the connection.
Many ports are used for only one type of traffic, such as port 25
for SMTP (Simple Mail Transfer Protocol). Some protocols, such as
SMTP, have ports with assigned numbers. Other programs are assigned
port numbers dynamically for each connection. The IANA (Internet
Assigned Numbers Authority) keeps a list of well-known ports. You
can see this list at:
http://www.iana.org/assignments/port-numbers
Most policies you add to your Firebox configuration have a port
number between 0 and 1024, but possible port numbers can be from 0
to 65535.
Ports are either open or closed. If a port is open, your computer
accepts information and uses the protocol identified with that port
to create connections to other computers. However, an open port is
a security risk. To protect against risks created by open ports,
you can block ports used by hackers to attack your network. For
more information, see About blocked ports.
The WatchGuard device and your network
Your WatchGuard device is a powerful network security device that
controls all traffic between the external network and the trusted
network. If computers with mixed trust connect to your network, you
can also configure an optional network interface that is separate
from the trusted network. You can then configure the firewall on
your device to stop all suspicious traffic from the external
network to your trusted and optional networks. If you route all traffic for the mixed trust computers through your optional network, you can increase the security of those connections and add more flexibility to your security solution. For example, customers frequently use the optional network for their remote users or for public servers such as a web server or an email server.
Some customers who purchase a WatchGuard device do not know a lot
about computer networks or network security. Fireware XTM Web UI (web-based user interface) provides many self-help tools for these
customers. Advanced customers can use the advanced integration and
multiple WAN support features of the Fireware XTM Pro appliance
software to connect a WatchGuard device to a larger wide area
network. The WatchGuard device connects to a cable modem, DSL
modem, or ISDN router.
You can use the Web UI to safely manage your network security
settings from diff