WatchGuard® Firebox™ System User Guide (Firebox System 4.6)
xCHAPTER 15 Reviewing and Working with log files ...103Viewing files with LogViewer ...
Configuring CRYPTOCard server authentication90On the RADIUS Server1 Add the IP address of the Firebox where appropriate according to the RADIUS server
VPN Manager Guide 91Configuring SecurID authentication8 Enter the value of the shared secret between the Firebox and the CRYPTOCard server.This is the
Using authentication to define remote user VPN access927 If you are using a backup server, enable the Specify backup SecurID server checkbox. Enter th
User Guide 93CHAPTER 14 Monitoring Firebox ActivityAn important part of an effective network security policy is the monitoring of network events. Moni
Firebox Monitors94Setting Firebox Monitors view propertiesYou can configure Firebox Monitors to display traffic at different speeds, intervals, and am
User Guide 95Firebox MonitorsPacket countsThe number of packets allowed, denied, and rejected between status queries. Rejected packets are denied pack
Firebox Monitors96Block Network 123.152.24.64/28 eth2Logging optionsLogging options configured with either the QuickSetup wizard or by adding and conf
User Guide 97Firebox Monitors42 http-serve S 1052 536 476 37241 fwcheck S 716 288 296 23243 http-proxy S 1072 660 580 47222121 smtp-proxy S 984 360 53
HostWatch98198.148.32.0 * 255.255.255.0 U 1500 0 129eth1:0127.0.0.0 * 255.0.0.0 U 3584 0 9 lodefault 207.54.9.30 * UG 1500 0 95eth0ARP tableA snapshot
User Guide 99HostWatchThe HostWatch display uses the logging settings configured for your Firebox using the Policy Manager. For instance, to see all d
User Guide 1PART IIntroductionWelcome to WatchGuardThe WatchGuard Firebox System consists of:• A suite of management and security software tools• A Pl
HostWatch1002 Browse to locate and select the Logdb file.By default, log files are stored in the WatchGuard installation directory at C:\Program Files
User Guide 101HostWatch4In the New User field, enter the user ID of the authenticated user to watch. Click Add. Repeat for each authenticated user tha
User Guide 103CHAPTER 15 Reviewing and Working with Log FilesLog entries are stored on the primary and backup LiveSecurity Event Processor. By default
Viewing files with LogViewer1042 Configure LogViewer display preferences as you choose.For a description of each control on the General tab, right-cli
VPN Manager Guide 105Displaying and hiding fieldsDisplaying and hiding fieldsUse the Preferences dialog box to show or hide columns displayed in LogVi
Working with log files106IP header lengthLength, in octets, of the IP header for this packet. A header length that is not equal to 20 indicates that I
VPN Manager Guide 107Working with log files4 Enter the destination for the files in the Copy to This Directory box.5Click Merge.The log files are merg
User Guide 109CHAPTER 16 Generating Reports of Network ActivityHistorical Reports is a reporting tool that creates summaries and reports of Firebox lo
WatchGuard Firebox System components2•Security suite• LiveSecurity ServiceWatchGuard FireboxThe Firebox family of appliances are specially designed an
Specifying report sections110Creating a new reportFrom Historical Reports:1Click Add.2 Enter the report name.The report name will appear in Historical
User Guide 111Specifying a report time span2 Enable the checkboxes for sections to be included in the report.For a description of each section, see “R
Exporting reports1123 Enter the number of elements to rank in the table.Default is 100.4 Select the style of graph to use in the report.5 Select the m
User Guide 113Using report filtersExporting a report to a text fileWhen you select Text Export from the Setup tab on the Report Properties dialog box,
Scheduling and running reports114Editing a filterAt any time, you can modify the properties of an existing filter. From the Filters dialog box in Hist
User Guide 115Report sections and consolidated sectionsManually running a reportAt any time, you can run one or more reports using Historical Reports.
Report sections and consolidated sections116Session Summary – Packet FilteredA table, and optionally a graph, of the top incoming and outgoing session
User Guide 117Report sections and consolidated sectionsDenied Outgoing Packet DetailA list of denied outgoing packets, sorted by time. The fields are
Report sections and consolidated sections118Reports attempts to resolve the server port to a table to represent the service name. If resolution fails,
User Guide 119PART VWatchGuard® Virtual Private NetworkingA virtual private network (VPN) allows the secure tunneling of data between two networks (or
User Guide 3Minimum requirementsLiveSecurity ServiceThe innovative LiveSecurity Service subscription makes it easy to maintain the security of an orga
User Guide 121CHAPTER 17 Configuring Branch Office Virtual Private NetworkingBranch office virtual private networking (VPN) creates a secure tunnel, o
Using DVCP to connect to devices122• IP network addresses for the networks communicating with one another.• A common passphrase, known as a shared sec
User Guide 123Using DVCP to connect to devicesNote also that if you configure a SOHO for both Basic and Enhanced DVCP, the gateway names must be diffe
Branch office VPN with IPSec124You can also change the network range of a WatchGuard client. However, when you save the configuration to the server, i
User Guide 125Branch office VPN with IPSecand how WatchGuard implements branch office VPN with IPSec, see the Network Security Handbook.From Policy Ma
Branch office VPN with IPSec126Removing a gatewayFrom the Configure Gateways dialog box:1 Click the gateway. 2Click Remove.Configuring a tunnel with m
User Guide 127Branch office VPN with IPSec5Use the Authentication drop list to select an authentication method.Options include: None (no authenticatio
Branch office VPN with IPSec12811 After you add all tunnels for this gateway, click OK.The Configure Gateways dialog box appears.12 To configure more
User Guide 129Branch office VPN with IPSec9Use the Protocol drop list to limit the protocol used by the policy.Options include: * (specify ports but n
Minimum requirements4Hardware requirementsMinimum hardware requirements are the same as for the operating system on which the WatchGuard Firebox Syste
Configuring WatchGuard VPN130Allow VPN access to any servicesTo allow all traffic from VPN connections, add the Any service to the Services Arena and
User Guide 131Configuring WatchGuard VPN4In the Local Firebox IP field, enter an IP address from a reserved network not in use on the local or remote
Configuring WatchGuard VPN132Configuring incoming services to allow VPNBecause users on the remote Firebox are technically outside the trusted network
User Guide 133CHAPTER 18 Configuring the Firebox for Remote User VPNRemote user virtual private networking (RUVPN) establishes a secure connection bet
Configuring shared servers for RUVPN134• The IP addresses of the DNS and WINS servers in the trusted network that perform IP address lookup on host al
User Guide 135Configuring services to allow incoming RUVPN3 Enter the username and password.Firebox usernames are case sensitive.4 To add the user to
Configuring the Firebox for Remote User PPTP136 -From: Selected - To: pptp_users or ipsec_usersConfiguring the Firebox for Remote User PPTPConfiguring
User Guide 137Configuring the Firebox for Mobile User VPNFrom the Remote User Setup dialog box:1Click the PPTP tab.2Click Add.3Use the Choose Type dro
Configuring the Firebox for Mobile User VPN138automatically included in the Policy Manager software, to activate the feature a license for each instal
User Guide 139Configuring the Firebox for Mobile User VPN10 Use the Encryption drop list to select an encryption method.Options available with the str
User Guide 5PART IIWatchGuard® ServicesThe WatchGuard Firebox System is considerably more than a piece of hardware. This section describes two WatchGu
Configuring debugging options140The packages are located on the WatchGuard LiveSecurity Service Web site at http://www.watchguard.com/support.Enter th
User Guide 141CHAPTER 19 Preparing a Host for Remote User VPNRemote user virtual private networking (RUVPN) establishes a secure connection between an
Preparing the client computers142• Public IP addressRemote host operating systemThe remote client must be running Windows and have the most recent MSD
User Guide 143Preparing the client computers5 Enter the domain name you are connecting to.This should be the same as the “Log on to Windows NT domain”
Preparing the client computers1449Click Dial Out Only. Click Continue.10 Click OK. 11 Restart the machine.Adding a domain name to a Windows NT worksta
User Guide 145Configuring the remote host for RUVPN with PPTP9In the Initial Connection window that appears, click Yes.10 Click Properties. The Virtua
Using Remote User PPTP14610 Click OK. Click OK again.11 Restart the computer.Installing a VPN adapter on Windows NTFrom the Windows NT Desktop of the
User Guide 147Configuring debugging options3 Double-click the RUVPN connection.If you configured the client computer as described in “Windows 95/98 pl
User Guide 149IndexAAccesscontrolling83Access rulesdefining49Accessing known issues 12ActivatingLiveSecurity Service8Active connections 95FTP 95Active
150CChangingan interface IP address39IPSec policy order 129remote network entries on VPN 131Checklist, branch office VPN 121ClientDVCP122Client for Mi
User Guide 151characteristics 36configuration 36DVCPClient Wizard122introduction 122Dynamic NATadding entries64described 63disabling 65enabling 63, 65
152monitors 2, 32, 93BandwidthMeter 94opening configuration file 23opening configuration file from 23PPP timeout disconnects 81reinitializing 25resett
User Guide 153exporting reports as 112HTTP 48, 60, 94, 99protocol 55proxied 60proxy 59types of services 55HTTP proxy 112HTTP proxy reportsHTTP detail1
154for blocked sites 44global preferences 75LogViewer 103options 96PPTP 137replaying a file 99searching log files 103setting for a service 77setting u
User Guide 155NavigatingControl Center27Netscape Communicator 3Networkbroadcast2changing range of client 124configuration 95configuring 35configuring
156pull-down menus 32services arena 32Status Bar 32toolbar 32Policy orderchanging IPSec129Polling ratechanging30Port address translation. See also Dyn
User Guide 157adding a domain name to an NT workstation144adding new domain for NT workstation 144installing a VPN adaptor for Windows 95/98145install
158introduction 37Routes 97network configuration 37RUVPN 147activating remote user PPTP 136adding a domain name for NT 144adding members to built-in u
User Guide 159Software Update 7SOHOediting tunnel properties123rebooting 124removing tunnel 124SpamScreen 18Security Parameter Indexsee alsoSPI (Secur
User Guide 7CHAPTER 1 LiveSecurity ServiceNo Internet security solution is complete without systematic updates. From the latest hacker techniques to t
160manager 17mobile user 18multiple-box configuration 130preventing IP spoofing 131remote user 119removing IPSec gateway 126running with PPTP 147two-b
LiveSecurity broadcasts8accompany each transmission for easy installation. These convenient transmissions relieve you of the burden of tracking the la
User Guide 9LiveSecurity broadcasts• The License Key number is located on the WatchGuard LiveSecurity Agreement License Key Certificate. Enter the num
iiDisclaimerInformation in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless ot
User Guide 11CHAPTER 2 Technical SupportDeveloping and implementing a network security policy can be a challenge. In addition to familiarity with the
Getting Internet technical support12Known issuesAnother source of information about the WatchGuard Firebox System is the Known Issues page on the Tech
User Guide 13TrainingWhen you call WatchGuard Technical Support, you are prompted for your LiveSecurity License key. We use this key to track the info
WatchGuard users group14Instructor-led coursesWatchGuard offers a series of courses supporting our product line. Current titles include a two-day cour
User Guide 15Online HelpStarting WatchGuard Online HelpWatchGuard Online Help can be started either from the WatchGuard Management Station or directly
Online Help16Context-sensitive HelpIn addition to the regular online Help system, context-sensitive or What’s This? Help is also available. What’s Thi
User Guide 17CHAPTER 3 WatchGuard OptionsThe WatchGuard Firebox System is enhanced by optional features designed to accommodate the needs of different
Obtaining WatchGuard options18Mobile User VPNMobile User VPN is the WatchGuard IPSec implementation of remote user virtual private networking. Mobile
User Guide 19PART IIIConfiguring a Security PolicyThis section describes how to configure your security system. Its primary focus is on using the Watc
User Guide iiiWatchGuard Technologies, Inc.Firebox System Software End-User License AgreementWatchGuard Firebox System (WFS) End-User License Agreemen
20you to exert fine control over the type of Web sites users on your Trusted network are allowed to view.Set up network address translation (NAT)Hide
User Guide 21CHAPTER 4 Firebox BasicsThis chapter describes the following tasks, which require direct interaction between the Management Station and t
What is a Firebox?22Placing a Firebox within a networkThe most common location for a Firebox is directly behind the Internet router, as pictured below
VPN Manager Guide 23Opening a configuration fileOpening a configuration filePolicy Manager is a comprehensive software tool for creating, modifying, a
Resetting Firebox passphrases24Saving a configuration to the local hard diskFrom Policy Manager in the Advanced view:1 Select File => Save => A
VPN Manager Guide 25Setting the time zone• Don’t use words in standard dictionaries, even if you use them backward or in a foreign language. Create yo
Reinitializing a misconfigured Firebox264 When you complete the QuickSetup wizard, remove the loopback cable (assuming your Firebox has one) and retu
User Guide 27CHAPTER 5 Using the WatchGuard Control CenterThe WatchGuard Control Center combines access to WatchGuard Firebox System applications and
Control Center components28• A real-time monitor of traffic through the Firebox.QuickGuideThe top part of the display just below the title bar is the
User Guide 29Control Center components•IPSec•DVCP• WatchGuard VPNThe first line of the tunnel entry shows the name that was assigned when the tunnel w
iv(D) Transfer this license to another party unless (i) the transfer is permanent, (ii) the third party recipient agrees to the terms of this AGREEMEN
Working with the Control Center30When you expand an entry that has a red exclamation point, another exclamation point appears next to the specific dev
User Guide 31Policy Managermuch more appropriate tool for tracking logs; Traffic Monitor just provides a real-time view of what the Firebox activity.
Firebox Monitors32The Policy Manager display includes:Pull-down menusMenus that provide access to most configuration and administration tasks.ToolbarA
User Guide 33HostWatchHostWatchThe HostWatch application displays active connections occurring on a Firebox in real time. It can also graphically repr
User Guide 35CHAPTER 6 Configuring a NetworkConfiguring a network refers to setting up the three Firebox interfaces. To do this, you need to:• Enter t
Setting up a drop-in network36The QuickSetup wizard also writes a basic configuration file called wizard.cfg to the hard disk of the Management Statio
User Guide 37Setting up a routed network• The Trusted interface ARP address replaces the router’s ARP address.• All three Firebox interfaces are assig
Adding a secondary network38Adding a secondary networkA secondary network is a network on the same physical wire as a Firebox interface that has an ad
User Guide 39Defining a host routeDefining a host routeConfigure a host route if there is only one host behind the router. Enter the IP address of tha
User Guide vsubdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and
Entering WINS and DNS server addresses40Entering WINS and DNS server addressesSeveral advanced features of the Firebox, such as DHCP and Remote User V
User Guide 41Defining a Firebox as a DHCP serverModifying an existing subnetFrom Policy Manager:1 Select Network => Configuration. Click the DHCP S
User Guide 43CHAPTER 7 Blocking Sites and PortsMany types of network security attacks are easily identified by patterns found in packet headers. Port
Blocking a site permanently442 Modify the default packet-handling properties according to your security policy preferences.For a description of each c
User Guide 45Blocking a port permanently2In the Category list, click Blocked Sites.3 Modify the logging and notification parameters according to your
Blocking sites temporarily with service settings46Blocking sites temporarily with service settingsUse service properties to automatically and temporar
User Guide 47CHAPTER 8 Configuring ServicesThe Services Arena of Policy Manager displays an icon for each configured service. A service represents a p
Creating a new service487 You can add multiple services to the Services Arena while the Services dialog box is open. When you finish adding services,
User Guide 49Defining service properties8In the Port text box, enter the well-known port number for this service.For a list of well-known services and
viFCC CertificationThis device has been tested and found to comply with limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. Ope
Defining service properties506Click OK.Adding outgoing service propertiesFrom Policy Manager:1 In the Services Arena, double-click the service. Click
User Guide 51Configuring services for authenticationConfiguring services for authenticationOne way to create effective user authentication environment
Setting up proxy services522 On the toolbar, click the Delete Service icon (it appears as an “X”).You can also select Edit => Delete. A verificati
User Guide 53Setting up proxy services3Click Incoming.The Incoming SMTP Proxy dialog box appears, displaying the General tab.4 Modify general properti
Setting up proxy services54Configuring the outgoing SMTP proxyUse the Outgoing SMTP Proxy dialog box to set the parameters for traffic going from your
User Guide 55Setting up proxy services5Click OK.6Click File => Save => To Firebox to save your changes to the Firebox. Specify
Service precedence563 If you are using the HTTP proxy service because you want to use WebBlocker, follow the procedure in the next section. Otherwise,
User Guide 57Service precedence“IP” refers to exactly one host IP address; “List” refers to multiple host IP addresses, a network address, or an alias
User Guide 59CHAPTER 9 Controlling Web TrafficWebBlocker is a feature of the Firebox System that works in conjunction with the HTTP proxy to provide W
User Guide viiTable of ContentsPART IIntroduction ...1Welcome to WatchGua
Configuring the WebBlocker service60Logging and WebBlockerWebBlocker logs attempts to access sites blocked by WebBlocker. The log that is generated di
User Guide 61Configuring the WebBlocker serviceProcessor regularly and automatically updates the WebBlocker database stored on your Firebox. From Poli
Manually downloading the WebBlocker database622In the Allowed Exceptions section, click Add to add either a network or host IP address to be allowed a
User Guide 63CHAPTER 10 Setting Up Network Address TranslationNetwork address translation (NAT) hides internal network addresses from hosts on an exte
Using simple dynamic NAT64Using simple dynamic NATIn the majority of networks, the preferred security policy is to globally apply network address tran
User Guide 65Using service-based NATUsing service-based NATUsing service-based NAT, you can set outgoing dynamic NAT policy on a service-by-service ba
Configuring a service for incoming static NAT66Configuring a service for incoming static NATStatic NAT works on a port-to-host basis. Incoming packets
User Guide 67Configuring a service for incoming static NAT6 Enter the internal IP address.The internal IP address is the final destination on the Trus
User Guide 69CHAPTER 11 Setting Up Logging and NotificationLogging and notification are crucial to an effective network security policy. Together, the
viiiResetting Firebox passphrases ...24Setting the time zone ...
WatchGuard logging architecture70log messages to the second Event Processor. It continues through the list until it finds an Event Processor capable o
User Guide 71Designating Event Processors for a Fireboxyou run the QuickSetup wizard. You can specify a different primary Event Processor as well as m
Designating Event Processors for a Firebox72Removing an Event ProcessorRemove an Event Processor when you no longer want to use it for any logging pur
User Guide 73Setting up the LiveSecurity Event ProcessorAnother way to set the Event Processor (and domain controller) clocks is to use an independent
Setting up the LiveSecurity Event Processor74Windows NT service. The default method on installation is for it to run as a Windows NT service.As a Wind
User Guide 75Setting global logging and notification preferencesStarting and stopping the Event ProcessorThe Event Processor starts automatically when
Customizing logging and notification by service or option763 For a record size, enable the By Number of Entries checkbox. Use the scroll control or en
User Guide 77Customizing logging and notification by service or optionSend NotificationEnable this checkbox to enable notification on the event type;
Customizing logging and notification by service or option78From Policy Manager:1 Double-click a service in the Services Arena.The Properties dialog bo
User Guide 79CHAPTER 12 Connect with Out-of-Band ManagementThe WatchGuard Firebox System out-of-band (OOB) management feature enables the Management S
User Guide ixService precedence ... 56CHAPTER 9 Controlling Web Traffic ...
Enabling the Management Station80Preparing a Windows NT Management Station for OOBInstall the Microsoft Remote Access Server (RAS) on the Management S
User Guide 81Configuring the Firebox for OOB5 Enter a name for your connection.This can be anything that reminds you of the icon’s purpose — VPN Conne
VPN Manager Guide 83PART IVAdministering a Security PolicyNetwork security is more than just designing and implementing a security policy and copying
VPN Manager Guide 85CHAPTER 13 Creating Aliases and Implementing AuthenticationAliases are shortcuts used to identify groups of hosts, networks, or us
Using host aliases86Adding a host aliasFrom Policy Manager:1 Select Setup => Authentication.The Member Access and Authentication Setup dialog box a
VPN Manager Guide 87What is user authentication?What is user authentication?User authentication allows the tracking of connections based on name rathe
Configuring Firebox authentication88Configuring Firebox authenticationYou can use the WatchGuard Firebox System to define users and groups for authent
VPN Manager Guide 89Configuring RADIUS server authentication2 Under Authentication Enabled Via, click the NT Service option.WatchGuard activates the W