WatchGuard Technologies FireboxTM System 4.6 User Manual

WatchGuard®Firebox™ System User GuideFirebox System 4.6

xCHAPTER 15 Reviewing and Working with log files ...103Viewing files with LogViewer ...

Configuring CRYPTOCard server authentication90On the RADIUS Server1 Add the IP address of the Firebox where appropriate according to the RADIUS server

VPN Manager Guide 91Configuring SecurID authentication8 Enter the value of the shared secret between the Firebox and the CRYPTOCard server.This is the

Using authentication to define remote user VPN access927 If you are using a backup server, enable the Specify backup SecurID server checkbox. Enter th

User Guide 93CHAPTER 14 Monitoring Firebox ActivityAn important part of an effective network security policy is the monitoring of network events. Moni

Firebox Monitors94Setting Firebox Monitors view propertiesYou can configure Firebox Monitors to display traffic at different speeds, intervals, and am

User Guide 95Firebox MonitorsPacket countsThe number of packets allowed, denied, and rejected between status queries. Rejected packets are denied pack

Firebox Monitors96Block Network 123.152.24.64/28 eth2Logging optionsLogging options configured with either the QuickSetup wizard or by adding and conf

User Guide 97Firebox Monitors42 http-serve S 1052 536 476 37241 fwcheck S 716 288 296 23243 http-proxy S 1072 660 580 47222121 smtp-proxy S 984 360 53

HostWatch98198.148.32.0 * 255.255.255.0 U 1500 0 129eth1:0127.0.0.0 * 255.0.0.0 U 3584 0 9 lodefault 207.54.9.30 * UG 1500 0 95eth0ARP tableA snapshot

User Guide 99HostWatchThe HostWatch display uses the logging settings configured for your Firebox using the Policy Manager. For instance, to see all d

User Guide 1PART IIntroductionWelcome to WatchGuardThe WatchGuard Firebox System consists of:• A suite of management and security software tools• A Pl

HostWatch1002 Browse to locate and select the Logdb file.By default, log files are stored in the WatchGuard installation directory at C:\Program Files

User Guide 101HostWatch4In the New User field, enter the user ID of the authenticated user to watch. Click Add. Repeat for each authenticated user tha

HostWatch102

User Guide 103CHAPTER 15 Reviewing and Working with Log FilesLog entries are stored on the primary and backup LiveSecurity Event Processor. By default

Viewing files with LogViewer1042 Configure LogViewer display preferences as you choose.For a description of each control on the General tab, right-cli

VPN Manager Guide 105Displaying and hiding fieldsDisplaying and hiding fieldsUse the Preferences dialog box to show or hide columns displayed in LogVi

Working with log files106IP header lengthLength, in octets, of the IP header for this packet. A header length that is not equal to 20 indicates that I

VPN Manager Guide 107Working with log files4 Enter the destination for the files in the Copy to This Directory box.5Click Merge.The log files are merg

Working with log files108

User Guide 109CHAPTER 16 Generating Reports of Network ActivityHistorical Reports is a reporting tool that creates summaries and reports of Firebox lo

WatchGuard Firebox System components2•Security suite• LiveSecurity ServiceWatchGuard FireboxThe Firebox family of appliances are specially designed an

Specifying report sections110Creating a new reportFrom Historical Reports:1Click Add.2 Enter the report name.The report name will appear in Historical

User Guide 111Specifying a report time span2 Enable the checkboxes for sections to be included in the report.For a description of each section, see “R

Exporting reports1123 Enter the number of elements to rank in the table.Default is 100.4 Select the style of graph to use in the report.5 Select the m

User Guide 113Using report filtersExporting a report to a text fileWhen you select Text Export from the Setup tab on the Report Properties dialog box,

Scheduling and running reports114Editing a filterAt any time, you can modify the properties of an existing filter. From the Filters dialog box in Hist

User Guide 115Report sections and consolidated sectionsManually running a reportAt any time, you can run one or more reports using Historical Reports.

Report sections and consolidated sections116Session Summary – Packet FilteredA table, and optionally a graph, of the top incoming and outgoing session

User Guide 117Report sections and consolidated sectionsDenied Outgoing Packet DetailA list of denied outgoing packets, sorted by time. The fields are

Report sections and consolidated sections118Reports attempts to resolve the server port to a table to represent the service name. If resolution fails,

User Guide 119PART VWatchGuard® Virtual Private NetworkingA virtual private network (VPN) allows the secure tunneling of data between two networks (or

User Guide 3Minimum requirementsLiveSecurity ServiceThe innovative LiveSecurity Service subscription makes it easy to maintain the security of an orga

120

User Guide 121CHAPTER 17 Configuring Branch Office Virtual Private NetworkingBranch office virtual private networking (VPN) creates a secure tunnel, o

Using DVCP to connect to devices122• IP network addresses for the networks communicating with one another.• A common passphrase, known as a shared sec

User Guide 123Using DVCP to connect to devicesNote also that if you configure a SOHO for both Basic and Enhanced DVCP, the gateway names must be diffe

Branch office VPN with IPSec124You can also change the network range of a WatchGuard client. However, when you save the configuration to the server, i

User Guide 125Branch office VPN with IPSecand how WatchGuard implements branch office VPN with IPSec, see the Network Security Handbook.From Policy Ma

Branch office VPN with IPSec126Removing a gatewayFrom the Configure Gateways dialog box:1 Click the gateway. 2Click Remove.Configuring a tunnel with m

User Guide 127Branch office VPN with IPSec5Use the Authentication drop list to select an authentication method.Options include: None (no authenticatio

Branch office VPN with IPSec12811 After you add all tunnels for this gateway, click OK.The Configure Gateways dialog box appears.12 To configure more

User Guide 129Branch office VPN with IPSec9Use the Protocol drop list to limit the protocol used by the policy.Options include: * (specify ports but n

Minimum requirements4Hardware requirementsMinimum hardware requirements are the same as for the operating system on which the WatchGuard Firebox Syste

Configuring WatchGuard VPN130Allow VPN access to any servicesTo allow all traffic from VPN connections, add the Any service to the Services Arena and

User Guide 131Configuring WatchGuard VPN4In the Local Firebox IP field, enter an IP address from a reserved network not in use on the local or remote

Configuring WatchGuard VPN132Configuring incoming services to allow VPNBecause users on the remote Firebox are technically outside the trusted network

User Guide 133CHAPTER 18 Configuring the Firebox for Remote User VPNRemote user virtual private networking (RUVPN) establishes a secure connection bet

Configuring shared servers for RUVPN134• The IP addresses of the DNS and WINS servers in the trusted network that perform IP address lookup on host al

User Guide 135Configuring services to allow incoming RUVPN3 Enter the username and password.Firebox usernames are case sensitive.4 To add the user to

Configuring the Firebox for Remote User PPTP136 -From: Selected - To: pptp_users or ipsec_usersConfiguring the Firebox for Remote User PPTPConfiguring

User Guide 137Configuring the Firebox for Mobile User VPNFrom the Remote User Setup dialog box:1Click the PPTP tab.2Click Add.3Use the Choose Type dro

Configuring the Firebox for Mobile User VPN138automatically included in the Policy Manager software, to activate the feature a license for each instal

User Guide 139Configuring the Firebox for Mobile User VPN10 Use the Encryption drop list to select an encryption method.Options available with the str

User Guide 5PART IIWatchGuard® ServicesThe WatchGuard Firebox System is considerably more than a piece of hardware. This section describes two WatchGu

Configuring debugging options140The packages are located on the WatchGuard LiveSecurity Service Web site at http://www.watchguard.com/support.Enter th

User Guide 141CHAPTER 19 Preparing a Host for Remote User VPNRemote user virtual private networking (RUVPN) establishes a secure connection between an

Preparing the client computers142• Public IP addressRemote host operating systemThe remote client must be running Windows and have the most recent MSD

User Guide 143Preparing the client computers5 Enter the domain name you are connecting to.This should be the same as the “Log on to Windows NT domain”

Preparing the client computers1449Click Dial Out Only. Click Continue.10 Click OK. 11 Restart the machine.Adding a domain name to a Windows NT worksta

User Guide 145Configuring the remote host for RUVPN with PPTP9In the Initial Connection window that appears, click Yes.10 Click Properties. The Virtua

Using Remote User PPTP14610 Click OK. Click OK again.11 Restart the computer.Installing a VPN adapter on Windows NTFrom the Windows NT Desktop of the

User Guide 147Configuring debugging options3 Double-click the RUVPN connection.If you configured the client computer as described in “Windows 95/98 pl

Configuring debugging options148

User Guide 149IndexAAccesscontrolling83Access rulesdefining49Accessing known issues 12ActivatingLiveSecurity Service8Active connections 95FTP 95Active

6

150CChangingan interface IP address39IPSec policy order 129remote network entries on VPN 131Checklist, branch office VPN 121ClientDVCP122Client for Mi

User Guide 151characteristics 36configuration 36DVCPClient Wizard122introduction 122Dynamic NATadding entries64described 63disabling 65enabling 63, 65

152monitors 2, 32, 93BandwidthMeter 94opening configuration file 23opening configuration file from 23PPP timeout disconnects 81reinitializing 25resett

User Guide 153exporting reports as 112HTTP 48, 60, 94, 99protocol 55proxied 60proxy 59types of services 55HTTP proxy 112HTTP proxy reportsHTTP detail1

154for blocked sites 44global preferences 75LogViewer 103options 96PPTP 137replaying a file 99searching log files 103setting for a service 77setting u

User Guide 155NavigatingControl Center27Netscape Communicator 3Networkbroadcast2changing range of client 124configuration 95configuring 35configuring

156pull-down menus 32services arena 32Status Bar 32toolbar 32Policy orderchanging IPSec129Polling ratechanging30Port address translation. See also Dyn

User Guide 157adding a domain name to an NT workstation144adding new domain for NT workstation 144installing a VPN adaptor for Windows 95/98145install

158introduction 37Routes 97network configuration 37RUVPN 147activating remote user PPTP 136adding a domain name for NT 144adding members to built-in u

User Guide 159Software Update 7SOHOediting tunnel properties123rebooting 124removing tunnel 124SpamScreen 18Security Parameter Indexsee alsoSPI (Secur

User Guide 7CHAPTER 1 LiveSecurity ServiceNo Internet security solution is complete without systematic updates. From the latest hacker techniques to t

160manager 17mobile user 18multiple-box configuration 130preventing IP spoofing 131remote user 119removing IPSec gateway 126running with PPTP 147two-b

LiveSecurity broadcasts8accompany each transmission for easy installation. These convenient transmissions relieve you of the burden of tracking the la

User Guide 9LiveSecurity broadcasts• The License Key number is located on the WatchGuard LiveSecurity Agreement License Key Certificate. Enter the num

iiDisclaimerInformation in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless ot

LiveSecurity broadcasts10

User Guide 11CHAPTER 2 Technical SupportDeveloping and implementing a network security policy can be a challenge. In addition to familiarity with the

Getting Internet technical support12Known issuesAnother source of information about the WatchGuard Firebox System is the Known Issues page on the Tech

User Guide 13TrainingWhen you call WatchGuard Technical Support, you are prompted for your LiveSecurity License key. We use this key to track the info

WatchGuard users group14Instructor-led coursesWatchGuard offers a series of courses supporting our product line. Current titles include a two-day cour

User Guide 15Online HelpStarting WatchGuard Online HelpWatchGuard Online Help can be started either from the WatchGuard Management Station or directly

Online Help16Context-sensitive HelpIn addition to the regular online Help system, context-sensitive or What’s This? Help is also available. What’s Thi

User Guide 17CHAPTER 3 WatchGuard OptionsThe WatchGuard Firebox System is enhanced by optional features designed to accommodate the needs of different

Obtaining WatchGuard options18Mobile User VPNMobile User VPN is the WatchGuard IPSec implementation of remote user virtual private networking. Mobile

User Guide 19PART IIIConfiguring a Security PolicyThis section describes how to configure your security system. Its primary focus is on using the Watc

User Guide iiiWatchGuard Technologies, Inc.Firebox System Software End-User License AgreementWatchGuard Firebox System (WFS) End-User License Agreemen

20you to exert fine control over the type of Web sites users on your Trusted network are allowed to view.Set up network address translation (NAT)Hide

User Guide 21CHAPTER 4 Firebox BasicsThis chapter describes the following tasks, which require direct interaction between the Management Station and t

What is a Firebox?22Placing a Firebox within a networkThe most common location for a Firebox is directly behind the Internet router, as pictured below

VPN Manager Guide 23Opening a configuration fileOpening a configuration filePolicy Manager is a comprehensive software tool for creating, modifying, a

Resetting Firebox passphrases24Saving a configuration to the local hard diskFrom Policy Manager in the Advanced view:1 Select File => Save => A

VPN Manager Guide 25Setting the time zone• Don’t use words in standard dictionaries, even if you use them backward or in a foreign language. Create yo

Reinitializing a misconfigured Firebox264 When you complete the QuickSetup wizard, remove the loopback cable (assuming your Firebox has one) and retu

User Guide 27CHAPTER 5 Using the WatchGuard Control CenterThe WatchGuard Control Center combines access to WatchGuard Firebox System applications and

Control Center components28• A real-time monitor of traffic through the Firebox.QuickGuideThe top part of the display just below the title bar is the

User Guide 29Control Center components•IPSec•DVCP• WatchGuard VPNThe first line of the tunnel entry shows the name that was assigned when the tunnel w

iv(D) Transfer this license to another party unless (i) the transfer is permanent, (ii) the third party recipient agrees to the terms of this AGREEMEN

Working with the Control Center30When you expand an entry that has a red exclamation point, another exclamation point appears next to the specific dev

User Guide 31Policy Managermuch more appropriate tool for tracking logs; Traffic Monitor just provides a real-time view of what the Firebox activity.

Firebox Monitors32The Policy Manager display includes:Pull-down menusMenus that provide access to most configuration and administration tasks.ToolbarA

User Guide 33HostWatchHostWatchThe HostWatch application displays active connections occurring on a Firebox in real time. It can also graphically repr

LiveSecurity Event Processor34

User Guide 35CHAPTER 6 Configuring a NetworkConfiguring a network refers to setting up the three Firebox interfaces. To do this, you need to:• Enter t

Setting up a drop-in network36The QuickSetup wizard also writes a basic configuration file called wizard.cfg to the hard disk of the Management Statio

User Guide 37Setting up a routed network• The Trusted interface ARP address replaces the router’s ARP address.• All three Firebox interfaces are assig

Adding a secondary network38Adding a secondary networkA secondary network is a network on the same physical wire as a Firebox interface that has an ad

User Guide 39Defining a host routeDefining a host routeConfigure a host route if there is only one host behind the router. Enter the IP address of tha

User Guide vsubdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and

Entering WINS and DNS server addresses40Entering WINS and DNS server addressesSeveral advanced features of the Firebox, such as DHCP and Remote User V

User Guide 41Defining a Firebox as a DHCP serverModifying an existing subnetFrom Policy Manager:1 Select Network => Configuration. Click the DHCP S

Defining a Firebox as a DHCP server42

User Guide 43CHAPTER 7 Blocking Sites and PortsMany types of network security attacks are easily identified by patterns found in packet headers. Port

Blocking a site permanently442 Modify the default packet-handling properties according to your security policy preferences.For a description of each c

User Guide 45Blocking a port permanently2In the Category list, click Blocked Sites.3 Modify the logging and notification parameters according to your

Blocking sites temporarily with service settings46Blocking sites temporarily with service settingsUse service properties to automatically and temporar

User Guide 47CHAPTER 8 Configuring ServicesThe Services Arena of Policy Manager displays an icon for each configured service. A service represents a p

Creating a new service487 You can add multiple services to the Services Arena while the Services dialog box is open. When you finish adding services,

User Guide 49Defining service properties8In the Port text box, enter the well-known port number for this service.For a list of well-known services and

viFCC CertificationThis device has been tested and found to comply with limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. Ope

Defining service properties506Click OK.Adding outgoing service propertiesFrom Policy Manager:1 In the Services Arena, double-click the service. Click

User Guide 51Configuring services for authenticationConfiguring services for authenticationOne way to create effective user authentication environment

Setting up proxy services522 On the toolbar, click the Delete Service icon (it appears as an “X”).You can also select Edit => Delete. A verificati

User Guide 53Setting up proxy services3Click Incoming.The Incoming SMTP Proxy dialog box appears, displaying the General tab.4 Modify general properti

Setting up proxy services54Configuring the outgoing SMTP proxyUse the Outgoing SMTP Proxy dialog box to set the parameters for traffic going from your

User Guide 55Setting up proxy services5Click OK.6Click F i l e => S a v e => T o F i r e b o x to save your changes to the Firebox. Specify

Service precedence563 If you are using the HTTP proxy service because you want to use WebBlocker, follow the procedure in the next section. Otherwise,

User Guide 57Service precedence“IP” refers to exactly one host IP address; “List” refers to multiple host IP addresses, a network address, or an alias

Service precedence58

User Guide 59CHAPTER 9 Controlling Web TrafficWebBlocker is a feature of the Firebox System that works in conjunction with the HTTP proxy to provide W

User Guide viiTable of ContentsPART IIntroduction ...1Welcome to WatchGua

Configuring the WebBlocker service60Logging and WebBlockerWebBlocker logs attempts to access sites blocked by WebBlocker. The log that is generated di

User Guide 61Configuring the WebBlocker serviceProcessor regularly and automatically updates the WebBlocker database stored on your Firebox. From Poli

Manually downloading the WebBlocker database622In the Allowed Exceptions section, click Add to add either a network or host IP address to be allowed a

User Guide 63CHAPTER 10 Setting Up Network Address TranslationNetwork address translation (NAT) hides internal network addresses from hosts on an exte

Using simple dynamic NAT64Using simple dynamic NATIn the majority of networks, the preferred security policy is to globally apply network address tran

User Guide 65Using service-based NATUsing service-based NATUsing service-based NAT, you can set outgoing dynamic NAT policy on a service-by-service ba

Configuring a service for incoming static NAT66Configuring a service for incoming static NATStatic NAT works on a port-to-host basis. Incoming packets

User Guide 67Configuring a service for incoming static NAT6 Enter the internal IP address.The internal IP address is the final destination on the Trus

Configuring a service for incoming static NAT68

User Guide 69CHAPTER 11 Setting Up Logging and NotificationLogging and notification are crucial to an effective network security policy. Together, the

viiiResetting Firebox passphrases ...24Setting the time zone ...

WatchGuard logging architecture70log messages to the second Event Processor. It continues through the list until it finds an Event Processor capable o

User Guide 71Designating Event Processors for a Fireboxyou run the QuickSetup wizard. You can specify a different primary Event Processor as well as m

Designating Event Processors for a Firebox72Removing an Event ProcessorRemove an Event Processor when you no longer want to use it for any logging pur

User Guide 73Setting up the LiveSecurity Event ProcessorAnother way to set the Event Processor (and domain controller) clocks is to use an independent

Setting up the LiveSecurity Event Processor74Windows NT service. The default method on installation is for it to run as a Windows NT service.As a Wind

User Guide 75Setting global logging and notification preferencesStarting and stopping the Event ProcessorThe Event Processor starts automatically when

Customizing logging and notification by service or option763 For a record size, enable the By Number of Entries checkbox. Use the scroll control or en

User Guide 77Customizing logging and notification by service or optionSend NotificationEnable this checkbox to enable notification on the event type;

Customizing logging and notification by service or option78From Policy Manager:1 Double-click a service in the Services Arena.The Properties dialog bo

User Guide 79CHAPTER 12 Connect with Out-of-Band ManagementThe WatchGuard Firebox System out-of-band (OOB) management feature enables the Management S

User Guide ixService precedence ... 56CHAPTER 9 Controlling Web Traffic ...

Enabling the Management Station80Preparing a Windows NT Management Station for OOBInstall the Microsoft Remote Access Server (RAS) on the Management S

User Guide 81Configuring the Firebox for OOB5 Enter a name for your connection.This can be anything that reminds you of the icon’s purpose — VPN Conne

Establishing an OOB connection82

VPN Manager Guide 83PART IVAdministering a Security PolicyNetwork security is more than just designing and implementing a security policy and copying

84

VPN Manager Guide 85CHAPTER 13 Creating Aliases and Implementing AuthenticationAliases are shortcuts used to identify groups of hosts, networks, or us

Using host aliases86Adding a host aliasFrom Policy Manager:1 Select Setup => Authentication.The Member Access and Authentication Setup dialog box a

VPN Manager Guide 87What is user authentication?What is user authentication?User authentication allows the tracking of connections based on name rathe

Configuring Firebox authentication88Configuring Firebox authenticationYou can use the WatchGuard Firebox System to define users and groups for authent

VPN Manager Guide 89Configuring RADIUS server authentication2 Under Authentication Enabled Via, click the NT Service option.WatchGuard activates the W