WatchGuard Firebox X Edge e-Series User Guide Firebox X Edge e-Series version 10 All Firebox X Edge e-Series Standard and Wireless Models
Notice to Users Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc. Guide revision: 04/7/2008 Copyright, Trademark, and Patent Information Copyright © 1998 - 2008 WatchGuard Technologies, Inc.
Table of Contents (excerpt)
Chapter 1 Introduction to Network Security  1
About networks and network security
About Internet Connections
About protocols
Set your computer to connect to the Edge  17
Use DHCP  17
Use a static IP address  18
Chapter 3 Configuration Pages Overview
Get a feature key  48
Restart the Firebox locally  49
Using the web browser  49
Disconnecting the power supply
About the Dynamic DNS service  86
Create a DynDNS account  86
Set up the Firebox X Edge for Dynamic DNS  86
Configure the Firebox to use BIDS
Filter outgoing traffic for a custom policy
Control traffic from the trusted to optional network
Disable traffic filters between trusted and optional networks
About policy precedence
About blocked ports
Default blocked ports
Block a port
Drop DoS flood attacks
Use Microsoft CA to create a certificate
Send the certificate request
Issue the certificate
Download the certificate
Add, remove, or change a category
Add an allowed site
Add a denied site
Allow internal hosts to bypass WebBlocker
Chapter 17 Gateway AntiVirus and Intrusion Prevention Service  239
About Gateway AntiVirus and Intrusion Prevention
About Gateway AntiVirus settings
POP3 proxy deny messages and Gateway AV/IPS
Mobile User VPN client icon
See Mobile VPN log messages
Secure your computer with the Mobile VPN firewall
Enable the link firewall
1 Introduction to Network Security
About networks and network security
A network is a group of computers and other devices that are connected to each other. It can be two computers that you connect with a serial cable, or many computers around the world connected through the Internet. Computers on the same network can work together and share data. Although the Internet gives you access to a large quantity of information and business opportunity, it also opens your network to attackers.
About protocols
A protocol is a group of rules that allow computers to connect across a network. Protocols are the grammar of the language that computers use when they speak to each other across a network. The standard protocol when you connect to the Internet is the IP (Internet Protocol). This protocol is the usual language of computers on the Internet. A protocol also tells how data is sent through a network.
About IP addresses
To send ordinary mail to a person, you must know his or her street address. For one computer on the Internet to send data to a different computer, it must know the address of that computer. A computer address is known as an Internet Protocol (IP) address. All devices on the Internet have unique IP addresses, which enable other devices on the Internet to find and interact with them.
This table shows common network masks and their equivalents in slash notation.
Network mask       Slash equivalent
255.0.0.0          /8
255.255.0.0        /16
255.255.255.0      /24
255.255.255.128    /25
255.255.255.192    /26
255.255.255.224    /27
255.255.255.240    /28
255.255.255.248    /29
255.255.255.252    /30
About entering IP addresses
When you type IP addresses in the Quick Setup Wizard or dialog boxes in Firebox management software, type the digits and periods in the correct sequence.
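The conversion behind the mask table above, as an added example that is not part of the WatchGuard guide: it rebuilds the table from the prefix lengths, converts a dotted mask back to slash notation, rejects masks whose 1 bits are not contiguous (a mask such as 255.0.255.0 has no slash equivalent and would describe a subnet boundary no router agrees with), and describes the subnet an address/mask pair belongs to. The function names are this example's own; it uses only the Python standard library.

```python
"""Convert between dotted-decimal network masks and slash (CIDR prefix) notation.

Added example, not code from the WatchGuard guide. Standard library only.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def prefix_to_mask(prefix: int) -> str:
    """Return the dotted-decimal mask for a prefix length, e.g. 26 -> 255.255.255.192."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length {prefix} is outside 0..32")
    # A prefix of n means the top n bits are 1 and the remaining 32-n bits are 0.
    value = (ALL_ONES << (32 - prefix)) & ALL_ONES
    return str(ipaddress.IPv4Address(value))


def mask_to_prefix(mask: str) -> int:
    """Return the prefix length for a dotted mask, e.g. 255.255.255.0 -> 24.

    Rejects masks whose 1 bits are not contiguous, such as 255.0.255.0.
    """
    value = int(ipaddress.IPv4Address(mask))  # also rejects malformed strings
    ones = bin(value).count("1")
    # A valid mask equals "ones" 1-bits followed by zeros; anything else is non-contiguous.
    if value != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError(f"{mask} is not a contiguous network mask")
    return ones


def describe_network(address: str, mask: str) -> dict:
    """Describe the subnet an address/mask pair belongs to.

    Returns the prefix length, the network and broadcast addresses, and the
    number of addresses usable for hosts (network and broadcast excluded for
    subnets of /30 and larger).
    """
    prefix = mask_to_prefix(mask)
    net = ipaddress.IPv4Network(f"{address}/{prefix}", strict=False)
    usable = net.num_addresses - 2 if prefix <= 30 else net.num_addresses
    return {
        "prefix": prefix,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def mask_table() -> list:
    """Rebuild the guide's table of common masks from the prefix lengths alone."""
    return [(prefix_to_mask(p), f"/{p}") for p in (8, 16, 24, 25, 26, 27, 28, 29, 30)]


if __name__ == "__main__":
    for mask, slash in mask_table():
        print(f"{mask:<18}{slash}")
    # The Edge's default trusted network, as given later in this guide.
    print(describe_network("192.168.111.1", "255.255.255.0"))
```

Running the module prints the same nine rows as the table, followed by the subnet of the Edge's default trusted address (192.168.111.0/24, broadcast 192.168.111.255, 254 usable hosts).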
About Domain Name Service (DNS)
If you do not know the address of a person, you can frequently find it in the telephone directory. On the Internet, the equivalent to a telephone directory is the DNS (Domain Name System). This is a network system of servers that translates numeric IP addresses into readable Internet addresses, and vice versa. DNS takes the "friendly" domain name you type when you want to see a particular web site, such as www.example.
About ports
Although computers have hardware ports you use as connection points, ports are also numbers used to map traffic to a particular process on a computer. These ports, also called TCP and UDP ports, are where programs transmit data. If an IP address is like a street address, a port number is like an apartment unit number or building number within that street address.
About Firewalls
A firewall separates your trusted computers on the internal network from the external network, or the Internet, to decrease the risk of an external attack. The figure below shows how a firewall divides the trusted computers from the Internet. Firewalls use access policies to identify and filter different types of information. They can also control which policies or ports the protected computers can use on the Internet (outbound access).
The Firebox X Edge and your Network
The Firebox X Edge controls all traffic between the external network and the trusted network. The Edge also includes an optional network interface that is separate from the trusted network. Use the optional network for computers with mixed trust. For example, customers frequently use the optional network for their remote users or for public servers such as a web server or email server.
2 Installation
Before you begin
To install the WatchGuard Firebox X Edge e-Series in your network, you must complete these steps:
- Verify basic requirements.
- Check the package contents.
- Identify and record the TCP/IP properties for your Internet connection.
- Register your Firebox on the WatchGuard LiveSecurity website.
- Disable the HTTP proxy and disable the pop-up blocker settings in your web browser.
- Connect the Edge to your network.
- Connect your computer to the Edge.
Check package contents
Make sure that the package for your Firebox X Edge e-Series includes these items:
- Firebox X Edge e-Series User Guide on CD-ROM
- Firebox X Edge e-Series Quick Start Guide
- LiveSecurity Service activation card
- Hardware warranty card
- AC power adapter (12 V/1.2 A) with international plug kit
- Power cable clip. Use this clip to attach the cable to the side of the Edge. This decreases the tension on the power cable.
Network Addressing Requirements
Speak with your ISP or corporate network administrator to learn how your computer receives its IP address. Use the same method to connect to the Internet with the Firebox X Edge that you use with your computer. If you connect your computer directly to the Internet with a broadband connection, you can put the Edge between your computer and the Internet and use the network configuration from your computer to configure the Edge external interface.
Finding your TCP/IP properties on Macintosh OS 9
1. Select the Apple menu > Control Panels > TCP/IP. The TCP/IP window appears.
2. Record the values that you see for the primary network adapter.
Finding your TCP/IP properties on Macintosh OS X 10.5
1. Select the Apple menu > System Preferences, or select the icon from the Dock. The System Preferences window appears.
2. Click the Network icon. The Network preference pane appears.
3.
Register your Firebox and activate LiveSecurity Service
To enable all of the features on your Firebox X Edge, you must register on the WatchGuard LiveSecurity web site and retrieve your feature key. You have only one user license (seat license) until you apply your feature key. You must also use your feature key to apply any additional upgrades that you purchase. See About user licenses for more information.
Disable the HTTP proxy in Firefox 2.x
1. Open the browser software.
2. Select Tools > Options. The Options window appears.
3. Click the Advanced icon.
4. Select the Network tab. Click Settings.
5. Click the Connection Settings button. The Connection Settings dialog box appears.
6. Make sure the Direct Connection to the Internet option is selected.
7. Click OK two times.
Disable the HTTP proxy in Safari 2.0
1. Open the browser software.
2. From the application menu, select Preferences.
Connect the Firebox X Edge
Many people configure their Firebox X Edge e-Series on one computer before they put it on the network. Use this procedure to connect a computer to your Firebox X Edge:
1. Shut down your computer.
2. If you use a DSL or cable modem to connect to the Internet, disconnect its power supply.
3. Find the Ethernet cable between the modem and your computer. Disconnect this cable from your computer and connect it to the Edge external interface (labeled WAN 1).
4.
Add computers to the trusted network
You can connect as many as three computers to the trusted interface of the Firebox X Edge e-Series if you connect each computer to one of the Edge's Ethernet ports 0 through 2. You can use 10/100 BaseT Ethernet hubs or switches with RJ-45 connectors to connect more than three computers. It is not necessary for the computers on the trusted network to use the same operating system. To add more than three computers to the trusted network:
1.
About user licenses
Your Firebox X Edge firewall is enabled with a set number of user licenses. The total number of available sessions is determined by the Edge model you have, and any upgrade licenses you apply. The number of licenses limits the number of sessions. To control the number of users at any time, close one or more sessions. When you close a session, you make that user license available for another user.
Use a static IP address
This procedure configures a computer with the Windows XP operating system to use a static IP address. If your computer does not use Windows XP, read the operating system help for instructions on how to set your computer to use a static IP address. You must select an IP address on the same subnet as the trusted network.
1. Select Start > Control Panel. The Control Panel window appears.
2. Double-click the Network Connections icon.
3.
Run the Quick Setup Wizard
The Quick Setup Wizard starts after you type https://192.168.111.1 into the URL or address field of your Internet browser. If your browser blocks pop-up windows, you must disable pop-up blocking to complete the Quick Setup Wizard. You must use the wizard to configure the Ethernet interfaces. You can change the configuration of the interfaces after you complete the Quick Setup Wizard. The Quick Setup Wizard includes this set of dialog boxes.
3 Configuration Pages Overview
About Edge Configuration Pages
After you connect the WatchGuard Firebox X Edge e-Series to your network, you must configure the Edge. You can create firewall rules to enforce the security requirements of your company. You can also use the Edge configuration pages to create a user account, look at network statistics, and see the configuration of the Edge. Read this chapter to find basic information about the Firebox X Edge configuration pages and system monitor pages.
For example:
1. Start your web browser.
2. Select File > Open, type https://192.168.111.1 in the Open text box, and click OK. You also can type https://192.168.111.1 directly into the address or location bar and press Enter.
3. When a security certificate notification appears, click Yes. You see this warning because the certificate given by the Edge is signed by the WatchGuard certificate authority, which is not a trusted authority on your browser.
Navigating the Firebox X Edge User Interface
On the left side of the System Status page is the navigation bar you use to get to other Firebox X Edge configuration pages. You must enable JavaScript in your browser to use the navigation bar. Each menu item contains secondary menus that you use to configure the properties of that feature. To see these secondary menus, click the plus sign (+) to the left of the menu item.
Network page
The Network page shows the current configuration of the trusted, optional, and external networks. On this page, you can also view WAN failover and any static routes you have configured. Adjacent to each section is a button you can use to change configurations and to see network statistics. For more information, see the topics under Change the Firebox IP addresses with the Network Setup Wizard.
Firebox Users page
The Firebox Users page shows statistics on active sessions and local user accounts. It also has buttons to close current sessions and to add, edit, and delete user accounts. This page also shows the MUVPN client configuration files that you can download. For more information, see About Mobile VPN client configuration files.
Administration page
The Administration page shows whether the Firebox X Edge uses HTTP or HTTPS for its configuration pages, whether the Edge is configured as a managed Firebox client, and which feature upgrades are enabled. It has buttons to change configurations, add upgrades, and see the configuration file. You can also change the name of the Firebox. For more information, see the topics under About basic configuration and management tasks.
Firewall page
The Firewall page shows incoming and outgoing policies and proxies, blocked web sites, and other firewall settings. This page also has buttons to change these settings. For more information, look at the topics below Proxy Settings in the Table of Contents.
Logging page
The Logging page shows the current event log, and the status of the Log Server and syslog logging.
WebBlocker page
The WebBlocker page shows the WebBlocker settings, profiles, allowed sites, and denied sites. For more information, see About WebBlocker.
spamBlocker page
The spamBlocker page shows spamBlocker status and settings, including actions for suspected spam and the use of trusted email forwarders. For more information, see About spamBlocker.
Gateway AV/IPS page
The Gateway AV/IPS page shows the Gateway AntiVirus and Intrusion Prevention Service status and settings. It tells you which proxies are enabled for the service, and what version of the signature database you are using. The Gateway AV/IPS menu contains links to change Gateway AV and IPS settings and to update signatures. For more information, see About Gateway AntiVirus and Intrusion Prevention.
VPN page
The VPN page shows information on managed VPN gateways, manual VPN gateways, and echo hosts, and has buttons to change the configuration of VPN tunnels. You can add the Firebox X Edge e-Series to a WatchGuard System Manager VPN network with the WSM Access page in Administration. For more information, see the topics under About Branch Office Virtual Private Networks (BOVPN).
Monitoring the Firebox X Edge
The System Status page is the primary configuration page of the Firebox X Edge. This page appears first when you connect to the Firebox X Edge. The System Status page shows:
- Edge components and their current versions
- The serial number of the device
- The status of key Edge features
- The status of upgrade options
- Network configuration information
- Which external network (external or failover) is active
Mask: If a netmask is associated with the entry, it is listed here. If not, an asterisk (*) is shown.
Device: Interface on the Edge where the hardware address for that IP address was found. The Linux kernel name for the interface is shown in parentheses.
Authentications
This status page shows the IP address, user name, start time, idle time, and connection type for every user that is currently authenticated to the Edge.
UDP is a stateless protocol. For UDP, the connection shows as:
- REPLIED: packets have been sent in both directions
- UNREPLIED: packets have been sent in only one direction
Other protocols are shown as "n/a".
Expires in (secs): Number of seconds before the connection times out unless traffic is sent on the connection to restart the timer.
Components list
This status page shows the software that is installed on the Edge.
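How a firewall arrives at the REPLIED/UNREPLIED state and the "Expires in" countdown shown on the active-connections page, as an added example that is not WatchGuard code: a small UDP connection table keyed by the first packet's source/destination pair. A packet that matches an entry in the reverse direction flips it to REPLIED, every packet restarts the timer, and entries whose timer has run out are dropped. The 30-second timeout and the packet records are constructed for the example; the real timeout on the Edge is not stated on this page.

```python
"""Simulate the connection table behind an active-connections status page.

Added example, not code from the WatchGuard guide. Models two behaviours the
status page describes: a UDP connection is UNREPLIED until a packet is seen
in the reverse direction, and any packet on the connection restarts its
expiry timer. Timeout and packet data are constructed for the example.
"""
from dataclasses import dataclass

UDP_TIMEOUT_SECS = 30  # assumed value for the example; not the Edge's actual timeout


@dataclass
class Connection:
    src: str
    sport: int
    dst: str
    dport: int
    replied: bool = False
    expires_at: int = 0

    @property
    def state(self) -> str:
        return "REPLIED" if self.replied else "UNREPLIED"


class UdpConnectionTable:
    """Tracks UDP flows keyed by the 4-tuple of the first packet seen."""

    def __init__(self, timeout: int = UDP_TIMEOUT_SECS):
        self.timeout = timeout
        self.flows = {}  # (src, sport, dst, dport) -> Connection

    def observe(self, src: str, sport: int, dst: str, dport: int, now: int) -> str:
        """Record one packet seen at time `now` and return the flow's state after it."""
        self.expire(now)
        forward = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        if forward in self.flows:
            conn = self.flows[forward]
        elif reverse in self.flows:
            conn = self.flows[reverse]
            conn.replied = True  # traffic has now been seen in both directions
        else:
            conn = Connection(src, sport, dst, dport)
            self.flows[forward] = conn
        conn.expires_at = now + self.timeout  # every packet restarts the timer
        return conn.state

    def expire(self, now: int) -> int:
        """Drop flows whose timer has run out; return how many were dropped."""
        stale = [key for key, conn in self.flows.items() if conn.expires_at <= now]
        for key in stale:
            del self.flows[key]
        return len(stale)

    def status(self, now: int) -> list:
        """Rows in the shape of the status page: source, destination, state, Expires in (secs)."""
        self.expire(now)
        return [
            (f"{c.src}:{c.sport}", f"{c.dst}:{c.dport}", c.state, c.expires_at - now)
            for c in self.flows.values()
        ]


# Constructed packet records: (seconds since start, src, sport, dst, dport)
SAMPLE_PACKETS = [
    (0, "192.168.111.10", 51000, "203.0.113.53", 53),    # DNS query out
    (1, "203.0.113.53", 53, "192.168.111.10", 51000),    # DNS reply back
    (2, "192.168.111.20", 40000, "198.51.100.7", 5060),  # outbound packet that is never answered
    (20, "192.168.111.10", 51000, "203.0.113.53", 53),   # second query keeps the first flow alive
]


def run_sample(packets=SAMPLE_PACKETS, at: int = 33) -> list:
    """Replay the sample packets and return the status rows as of time `at`."""
    table = UdpConnectionTable()
    for ts, src, sport, dst, dport in packets:
        table.observe(src, sport, dst, dport, ts)
    return table.status(at)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

At 33 seconds only the DNS flow is left, shown as REPLIED with 17 seconds to expiry; the unanswered flow from 192.168.111.20 timed out at 32 seconds and has dropped out of the table, which is exactly what a lone UNREPLIED row with a shrinking "Expires in" value looks like on the status page before it disappears.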
Disk usage
This status page shows the current state of the flash memory on the Edge.
Filesystem: Name of the partition on the flash memory. "None" is a partition that exists only in memory, not on the flash card.
Size: Size of the partition.
Used: Amount of memory that is used in the partition.
Avail: Amount of free space that is in the partition.
% Used: Percentage of used space on the partition.
Mounted on: Where the partition is mounted in the system.
MTU: TCP maximum transmission unit.
Metric: Metric of the interface.
RX packets: Statistics of received packets.
TX packets: Statistics of sent packets.
Collisions: The number of collisions.
TXqueuelen: The maximum size of the transmit queue before the Edge starts to drop packets.
RX and TX bytes: Amount of data received and sent on the interface.
License
This status page shows basic information about licenses that are used on the Edge. It also shows the original feature key.
STATE: State of the process: R, running; S, sleeping; D or Z, inactive.
RSS: Total number of kilobytes of physical memory used by the process.
SHARE: Total number of kilobytes of shared memory used by the process.
TIME: Time that the process has used since the last time the Edge was started.
CPU: Percentage of CPU time used by the process since the last time the Edge was rebooted.
PRI: Priority of the process. A lower number has a higher priority for CPU resources.
Security Services
This status page shows basic reports on the activity of any enabled security subscription: Gateway AntiVirus, the Intrusion Prevention Service, WebBlocker, and spamBlocker. There is a report for each security subscription in which you can see the number of processed and blocked requests for each service over a time period you specify.
Syslog
This status page shows the most recent entries in the Edge log file.
VPN statistics
This status page shows VPN statistics such as:
- SA (Security Association)
- Traffic control within VPN tunnels
- Packet counts
- Errors
Wireless statistics
This status page shows statistics about wireless traffic such as:
- Interface statistics
- Keys
- Bit rates
- Frequencies
4 Configuration and Management Basics
About basic configuration and management tasks
After your Firebox X Edge e-Series is installed on your network and operating with a basic configuration file, you can start to add custom configuration settings to meet the needs of your organization. The topics in this section help you perform these basic management and maintenance tasks.
About the Edge backup configuration file
Sometimes, you must restore the factory-default settings for your Firebox X Edge e-Series.
Before You Begin
Do not edit your configuration file manually. Always use a WatchGuard Management Server or the Firebox X Edge web interface to make changes to your configuration. User passwords in the backup configuration file are encrypted, but the full file is not encrypted. We recommend that you encrypt your backup configuration file and keep it in a safe location.
Back up your Edge configuration
After you have configured your Firebox X Edge e-Series, you can save your Edge configuration file to your local hard drive for backup purposes. You can use your backup file to restore your Edge to a previous configuration if you make a change that does not work the way you intended, or after you reset the Edge to factory default settings.
Create a backup configuration file
1.
Reconnect the Firebox X Edge to a management server
If your Firebox was managed by a WatchGuard System Manager Management Server, you must do additional steps to restore communication between your Firebox X Edge and your Management Server after you restore your Edge configuration. Use these steps to re-enter all WSM access configuration information on the Firebox X Edge:
1.
8. In the Management Server Address text box, type the IP address of the Management Server if it has a public IP address. If the Management Server has a private IP address, type the public IP address of the Firebox that protects the Management Server. The Firebox that protects the Management Server automatically monitors all ports used by the Management Server and forwards any connection on these ports to the configured Management Server.
About factory default settings
The term factory default settings refers to the configuration on the Firebox X Edge when you first receive it, before you make any changes. The default network and configuration properties for the Edge are:
Trusted network: The default IP address for the trusted network is 192.168.111.1. The subnet mask for the trusted network is 255.255.255.0.
Restore the Firebox to the factory default settings
If you cannot correct a configuration problem and must start over, you can restore the factory default settings. For example, if you do not know the administrator account passphrase or a power interruption causes damage to the Firebox X Edge appliance software, you can restore the Edge to the factory default settings and build your configuration again.
Get a feature key
Before you activate a new feature, you must have a license key certificate from WatchGuard that is not already registered on the LiveSecurity web site.
1. Open a web browser and connect to: https://www.watchguard.com/activate
2. If you have not already logged in to LiveSecurity, you are directed to the LiveSecurity Log In page. Type your LiveSecurity user name and passphrase.
3.
About Restarting the Firebox
You can restart the Firebox X Edge e-Series from a computer on the trusted network. If you enable external access to the Edge, you also can restart the Edge from a computer on the Internet. The Firebox X Edge restart cycle is approximately one minute. During the restart cycle, the mode indicator on the front of the Edge turns off and then turns on again.
Restart the Firebox remotely
If you want to be able to connect to the Edge to manage it or restart it from a computer external to the Edge, you must first configure the Edge to allow incoming HTTPS traffic to the Edge trusted interface IP address. For more information on how to configure the Edge to receive incoming traffic, see Set access control options (incoming).
About using NTP to set system time
To set the system time for the Edge, you can specify an NTP server to set the time automatically. The Network Time Protocol (NTP) synchronizes computer clock times across a network. The Firebox can use NTP to get the correct time automatically from NTP servers on the Internet. Because the Firebox puts the time from its system clock in each log message it generates, the time must be set correctly.
4. To set the system time automatically, select the Use NTP to periodically automatically set system time option. To set the time manually, select the Set date and time manually option. If you set the system time manually, skip to step 6.
5. If you set the system time automatically, the Firebox X Edge gets the current time from the selected server in the NTP Servers list. If that server is not available, the Edge uses the next server.
About SNMP
Simple Network Management Protocol (SNMP) is a set of tools for monitoring and managing networks. SNMP uses management information bases (MIBs) that give configuration information for the devices the SNMP server manages or monitors. The Firebox X Edge supports SNMPv2c and SNMPv3.
SNMP polls
You can configure the Firebox to accept SNMP polls from an SNMP server.
About selecting HTTP or HTTPS for management
HTTP (Hypertext Transfer Protocol) is the language used to move files (text, graphic images, and multimedia files) on the Internet. HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is a more secure version of HTTP. When you use HTTPS, all information sent between the web server and your browser is encrypted. The Firebox X Edge e-Series uses HTTPS by default, for better security.
Change the HTTP server port
HTTPS typically uses TCP port 443 and HTTP typically uses TCP port 80. By default, you must connect to the Firebox X Edge e-Series configuration pages on those ports. You can change the default port on the Administration > System Security page. Type the new value in the HTTP Server Port field in the System Security configuration page shown above.
Enable centralized management with WSM
Use these instructions to configure remote access from WatchGuard System Manager (WSM) 10. WSM 10 allows centralized management of Firebox X Edge e-Series devices running v10.
1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1.
2. From the navigation bar, select Administration > WSM Access.
8. In the Management Server Address text box, type the IP address of the Management Server if it has a public IP address. If the Management Server has a private IP address, type the public IP address of the Firebox that protects the Management Server. The Firebox that protects the Management Server automatically monitors all ports used by the Management Server and forwards any connection on these ports to the configured Management Server.
4. From the Management Type drop-down list, select VPN Manager.
5. If you use VPN Manager 7.3, select the VPN Manager 7.3 check box.
6. Select the Enable VPN Manager Access check box to allow VPN Manager to connect to the Firebox X Edge. Type and confirm the status and configuration passphrase for the Edge. If you do not type the same passphrase when you add the device to VPN Manager, you cannot connect to the Firebox X Edge.
7.
Configure the Edge to forward HTTPS connections
You must do this procedure from a computer that is connected to the Edge trusted network.
1. To connect to the System Status page, type https:// in the browser address bar, and then the IP address of the Firebox X Edge external interface. The default URL is: https://192.168.111
2. Type your user name and passphrase. You must log in as the Edge administrator, or as a user with administrative access.
3.
About updating the Firebox X Edge software
One advantage of your LiveSecurity Service is continuous software updates. As new threats appear and WatchGuard adds product enhancements, you receive alerts to let you know about new versions of your Firebox X Edge e-Series software. To install any firmware on the Edge, you must have a current LiveSecurity subscription. For Firebox X Edge updates, see the WatchGuard web site at: https://www.watchguard.
About upgrade options
You use two items to add upgrades to your Firebox X Edge: a feature key and a license key. It is important to understand the differences between these two keys. Your Firebox X Edge comes with certain features by default. These features are specified by the feature key. If you purchase an upgrade for your Edge, you must apply a new feature key to your Edge. You do not immediately get a feature key when you upgrade your Edge, however.
5. From the navigation bar on the left side, select Administration > Upgrade. The Upgrade window appears.
6. Click Get License Key or paste in the new feature key. You can right-click and select Paste, or you can use CTRL-V.
7. Click Submit.
8. Restart the Edge.
Upgrade your Firebox X Edge model
A model upgrade gives the Firebox X Edge e-Series the same functions as a higher model. A model upgrade increases capacity, user licenses, sessions, and VPN tunnels.
5 Network Settings About network interface setup A primary component of the WatchGuard Firebox setup is the configuration of network interface IP addresses. When you run the Quick Setup Wizard, the external and trusted interfaces are set up so traffic can flow through the Firebox. You can use the procedures in this section to change this configuration after you run the Quick Setup Wizard, or to add other components of your network to the configuration.
Network Settings Change the Firebox IP addresses with the Network Setup Wizard The easiest method to change the network IP addresses of the Firebox X Edge e-Series is with the Network Setup Wizard. 1. To connect to the System Status page, type https:// in the browser address bar, followed by the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, click Wizards. 3. Adjacent to Setup the primary network interfaces of the Firebox X Edge, click Go. 4.
Network Settings Configure external interfaces You must configure your external network manually if you do not use the Network Setup Wizard. When you configure the external network, set the method your Internet service provider (ISP) uses to give you an IP address for your Firebox. If you do not know the method, get the information from your ISP or corporate network administrator. For information about IP addressing methods, see Static and dynamic IP addresses.
Network Settings If your ISP uses static IP addresses If your ISP uses static IP addresses, you must enter the address information into your Firebox X Edge before it can send traffic through the external interface. To set your Firebox X Edge to use a static IP address for the external interface: 1. Use your browser to connect to the System Status page. 2. From the navigation bar, select Network > External. The External Network Configuration page appears. 3.
Network Settings If your ISP uses PPPoE If your ISP uses PPPoE, you must enter the PPPoE information into your Firebox X Edge before it can send traffic through the external interface. For more information about PPPoE, see Advanced PPPoE settings. To set your Firebox to use PPPoE on the external interface: 1. Use your browser to connect to the System Status page. 2. From the navigation bar, select Network > External. The External Network Configuration page appears. 3.
Network Settings Advanced PPPoE settings The Quick Setup Wizard allows you to set up basic PPPoE settings. If necessary, you can also configure more advanced settings. Click Submit when you have completed the configuration of the Advanced PPPoE settings. Service Name Use this field to add a service name. The Firebox X Edge starts a session only with a PPPoE server, known as an access concentrator, that supports the specified service. Usually, this option is not used.
Network Settings Configure your external interface as a wireless interface You can configure your primary external interface (WAN1) for your Edge as a wireless interface. 1. To connect to the System Status page, type https:// in the browser address bar, followed by the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, select Network > External. Click the Wireless tab. The External Network Configuration page, Wireless tab, appears. 3.
Network Settings About advanced external network settings On the Network > External configuration page, select the Advanced tab to change the settings for link speed or change the MAC address for the Edge’s external interface. Select Automatic from the Link Speed drop-down list to have the Edge select the best network speed, or select a static link speed that you know is compatible with your equipment.
Network Settings To change the MAC address of the external interface: 1. Connect to the System Status page. Type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, click Network > External. The External Network Configuration page appears. 3. On the Advanced tab, select the Enable override MAC address check box. 4.
Network Settings About changing the IP address of the trusted network If necessary, you can change the trusted network IP address. For example, if you connect two or more Firebox X Edge devices in a virtual private network, each Edge must use a different trusted network address. If the two sides of the VPN use the same trusted network IP addresses, one side must change the trusted network IP address range so that it is different from the other side. For more information, see What you need to create a VPN.
Network Settings Enable DHCP server on the trusted network The DHCP Server option allows the Firebox X Edge e-Series to give IP addresses to the computers on the trusted network. When the Edge receives a DHCP request from a computer on the trusted network, it gives the computer an IP address. By default, the DHCP Server option for the trusted interface is enabled. To use DHCP on the trusted network: 1. Use your browser to connect to the System Status page. From the navigation bar, select Network > Trusted.
Network Settings Set trusted network DHCP address reservations You can manually give the same IP address to a specified computer on your trusted network each time that computer makes a request for a DHCP IP address. The Firebox X Edge identifies the computer by its MAC address. 1. Use your browser to connect to the System Status page. From the navigation bar, select Network > Trusted. The Trusted Network Configuration page appears. 2. Click the DHCP Reservations button.
Network Settings About DHCP relay agents One way to get IP addresses for the computers on the trusted or optional networks is to use a DHCP server on a different network. The Firebox can send a DHCP request from a DHCP client to a DHCP server at a different location through a VPN tunnel. It gives the reply to computers on the trusted or optional network. This option lets computers in more than one office use the same network address range. In this procedure, the Firebox is a DHCP relay agent.
Network Settings Use static IP addresses for trusted computers You can use static IP addresses for some or all of the computers on your trusted network. If you disable the Firebox X Edge DHCP server and you do not have a DHCP server on your network, you must manually configure the IP address and subnet mask of each computer. For example, this is necessary when a client-server software application must use a static IP address for the server.
Network Settings Restrict access to the trusted interface by MAC address 1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, select Network > Trusted and click the Allowed MAC Addresses tab. 3. Select the Restrict Access by Hardware MAC Address check box. 4. Click Scan to have the Edge find all known hardware addresses on the network.
Network Settings 6. To manually add a hardware address and its host name to your configuration, click Add. The Add Allowed Address Control dialog box appears. 7. Select the Log attempted access from MAC addresses not in the list check box if you want the Edge to generate a log message each time a computer whose hardware address is not in the list tries to get access to the Edge. 8. Click Submit. Find the MAC address of a computer A MAC address is also known as a hardware address or an Ethernet address.
Network Settings About configuring the optional network The optional network is an isolated network for less secure public resources. By default, a Firebox X Edge does not allow traffic from the optional network to get to the trusted network. The factory default settings allow traffic that starts from the trusted network to get to the optional network, but you can restrict that traffic. For more information, see About policies for the optional network.
Network Settings Enable the optional network 1. To connect to the System Status page, type https:// in the browser address bar, followed by the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, select Network > Optional. The Optional Network Configuration page appears. 3. Select the Enable Optional Network check box. If necessary, you can change the optional network address. By default, the optional interface IP address is set to 192.
Network Settings Enable DHCP server on the optional network The DHCP Server option sets the Firebox X Edge to give IP addresses to the computers on the optional network. When the Edge receives a DHCP request from a computer on the optional network, it gives the computer an IP address. By default, the Edge has the DHCP Server option for the optional interface turned off. To use DHCP on the optional network: 1. Use your browser to connect to the System Status page.
Network Settings Set optional network DHCP address reservations You can manually assign an IP address to a specified computer on your optional network. The Firebox X Edge identifies the computer by its MAC address. 1. Use your browser to connect to the System Status page. From the navigation bar, select Network > Optional. The Optional Network Configuration page appears. 2. Click the DHCP Reservations button. The DHCP Address Reservations page appears. 3. Type a static IP address in the IP Address field.
Network Settings Make the Firebox a DHCP relay agent for the optional interface To configure the Firebox X Edge as a DHCP Relay Agent for the optional interface: 1. Use your browser to connect to the System Status page. From the navigation bar, select Network > Optional. The Optional Network Configuration page appears. 2. Select the Enable DHCP Relay on Optional Network check box. 3. Type the IP address of the DHCP server in the adjacent text box. 4. Click Submit.
Network Settings About restricting access to an interface by MAC address You can control access to a Firebox X Edge e-Series interface by computer hardware (MAC) address. If this feature is enabled, and the MAC address of a computer that tries to connect to the Edge network is not included in this configuration, the connection fails. If you choose to restrict access to the Edge by MAC address, make sure that you include the MAC address for the computer you use to administer the Edge.
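The following Python script is an added example, not part of this guide or of the Edge software. It models the allowed-address list from the two procedures above: addresses are normalized so that the same card is not listed twice under different spellings, a configuration that omits the administrator's own computer is refused (the lock-out the guide warns about), and connection attempts from unlisted addresses are recorded when the "Log attempted access" option is on. The MAC addresses and host names are invented. Keep in mind that this check identifies a network card, not a person; a client can present whatever hardware address it likes, so the list is a convenience control that belongs alongside the firewall policies and wireless encryption, and the log option is what turns it into a useful detection signal.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Constructed example. The MAC addresses and host names are invented; the
# allow list is modelled as a dictionary rather than the Edge's own format.

_MAC_RE = re.compile("^" + r"([0-9a-f]{2})[:-]?" * 5 + r"([0-9a-f]{2})$", re.IGNORECASE)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form (accepts aa:bb..., AA-BB... and aabb...)."""
    m = _MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(g.lower() for g in m.groups())


@dataclass
class MacAccessControl:
    allowed: Dict[str, str]        # normalized MAC -> host name
    log_unknown: bool = True       # "Log attempted access from MAC addresses not in the list"
    log: List[str] = field(default_factory=list)

    @classmethod
    def from_config(cls, entries: Iterable[Tuple[str, str]], admin_mac: str,
                    log_unknown: bool = True) -> "MacAccessControl":
        """Build the allow list; refuse a configuration that omits the administrator's computer."""
        allowed = {normalize_mac(mac): host for mac, host in entries}
        if normalize_mac(admin_mac) not in allowed:
            raise ValueError("the administrator's MAC address must be in the allowed list")
        return cls(allowed, log_unknown)

    def check(self, mac: str) -> bool:
        """True when the address is listed; otherwise deny and, if enabled, log the attempt."""
        key = normalize_mac(mac)
        if key in self.allowed:
            return True
        if self.log_unknown:
            self.log.append(f"denied: MAC {key} is not in the allowed list")
        return False


def config_locks_out_admin(entries: Iterable[Tuple[str, str]], admin_mac: str) -> bool:
    """True when applying this list would cut off the administrator's computer."""
    try:
        MacAccessControl.from_config(entries, admin_mac)
    except ValueError:
        return True
    return False


def demo():
    """Run a constructed allow list against three connection attempts."""
    entries = [("00-1A-2B-3C-4D-5E", "admin-pc"), ("aa:bb:cc:dd:ee:ff", "printer")]
    ac = MacAccessControl.from_config(entries, "00:1a:2b:3c:4d:5e")
    attempts = ["AABBCCDDEEFF", "00:11:22:33:44:55", "00:1a:2b:3c:4d:5e"]
    results = {mac: ac.check(mac) for mac in attempts}
    return results, ac.log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    print(log)
```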
Network Settings Add a static route 1. To connect to the System Status page, type https:// in the browser address bar, followed by the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, select Network > Routes. The Routes page appears. 3. Click Add. The Add Route page appears. 4. From the Type drop-down list, select Host or Network. Select Network if you have a full network behind a router on your local network.
Network Settings About the Dynamic DNS service You can register the external IP address of the Firebox with the dynamic Domain Name Server (DNS) service DynDNS.org. A dynamic DNS service makes sure that the IP address attached to your domain name changes when your ISP gives your Firebox a new IP address. The Firebox gets the IP address of members.dyndns.org when it starts up. It makes sure the IP address is correct every time it restarts and at an interval of every twenty days.
Network Settings
- The option statdns sends updates for a Static DNS host name. A Static DNS host is a dynamically acquired IP address that does not change (for example, it is associated with a MAC address, DHCP host ID, or PPPoE static IP address/login).
- The option custom sends updates for a custom DNS host name. This option is frequently used by businesses that pay to register their domain with dyndns.com.
6. In the Options field, you can type these options.
Network Settings About using multiple external interfaces With the Firebox, you can have redundant support for the external interface. Companies use this option if they must have a constant Internet connection. If you have an Edge Pro license for your Firebox X Edge and have a second Internet connection, you can configure a second external interface on the Edge.
Network Settings About multiple external interfaces and DNS When you configure more than one external interface on your Edge, it is a good idea to enter two DNS server addresses when you configure DHCP settings for the trusted and optional networks. Some ISPs allow queries to their DNS servers only if the query comes from that ISP network. If you leave the DNS server information blank in the trusted network DHCP settings, the Edge continues to use the WAN1 DNS server after it fails over to WAN2.
Network Settings Configure advanced WAN2 settings You can configure additional settings for your second WAN interface (WAN2) on the Advanced tab below WAN 2. 1. From the Link Speed drop-down list, select Automatic if you want the Edge to select the best network speed. You can also select one of the half-duplex or full-duplex speeds that you know is compatible with your equipment. We strongly recommend that you do not change this setting unless instructed to by Technical Support.
Network Settings Configure the Edge to use round-robin load balancing 1. From the navigation bar, select Network > External. If you have an Edge Pro license, you see the options to configure your Edge with a multi-WAN configuration. 2. Select the Use multi-WAN check box. 3. Select the method you want the Edge to use to route traffic between the two external interfaces. If you select Round Robin load balancing, the Edge tries to balance traffic between the two interfaces equally.
Network Settings Configure WAN failover If you have an Edge Pro license, you can configure your Firebox X Edge with a WAN failover configuration and use a second external interface connected to a broadband Internet connection. To configure the WAN failover network: 1. Connect one end of an Ethernet cable to the WAN2 interface. Connect the other end to the source of the secondary external network connection. This connection can be a cable modem or a hub. 2.
Network Settings 3. Type the IP addresses of the hosts to ping for the WAN1 (external) and WAN2 (failover) interfaces. The Firebox X Edge will send pings to the IP addresses you type here. If pings to the host on that network are not successful, the Edge starts the failover. You control the frequency of pings in the fields below. 4. Type the number of seconds between pings and the number of seconds to wait for a reply. 5. Type the maximum number of pings before timeout in the No Reply Limit field. 6.
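The following Python script is an added example, not part of this guide or of the Edge software. It models the failover decision that the ping fields above control: each external interface has a monitor that counts unanswered pings, a reply clears the count, and traffic moves from WAN1 to WAN2 once the count reaches the No Reply Limit. The guide does not state how the Edge counts misses internally, so that consecutive-miss rule is an assumption made for the illustration, and the ping targets are documentation addresses, not real hosts.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the WAN failover monitor. The consecutive-miss rule
# (any reply resets the count; failover when misses reach the No Reply Limit)
# is an assumption for this example. Addresses are documentation ranges.


@dataclass
class LinkMonitor:
    name: str
    ping_target: str
    no_reply_limit: int      # the "No Reply Limit" field: unanswered pings before failover
    misses: int = 0
    failed: bool = False

    def record(self, reply_received: bool) -> bool:
        """Feed one ping outcome; return True once the link counts as failed."""
        if reply_received:
            self.misses = 0          # a single reply clears the miss counter
        else:
            self.misses += 1
            if self.misses >= self.no_reply_limit:
                self.failed = True
        return self.failed


def active_interface(wan1: LinkMonitor, wan2: LinkMonitor) -> str:
    """Failover, not load balancing: WAN1 carries traffic until it fails."""
    if not wan1.failed:
        return wan1.name
    if not wan2.failed:
        return wan2.name
    return "none"


def first_failover_index(outcomes: List[bool], limit: int) -> Optional[int]:
    """Index of the ping that triggers failover for a WAN1 monitor, or None if it never fails."""
    monitor = LinkMonitor("WAN1", "203.0.113.1", limit)
    for i, ok in enumerate(outcomes):
        if monitor.record(ok):
            return i
    return None


def simulate(wan1_outcomes: List[bool], wan2_outcomes: List[bool], limit: int) -> List[str]:
    """Active interface after each ping round, for two constructed outcome series."""
    wan1 = LinkMonitor("WAN1", "203.0.113.1", limit)
    wan2 = LinkMonitor("WAN2", "198.51.100.1", limit)
    path = []
    for ok1, ok2 in zip(wan1_outcomes, wan2_outcomes):
        wan1.record(ok1)
        wan2.record(ok2)
        path.append(active_interface(wan1, wan2))
    return path


if __name__ == "__main__":
    # WAN1 goes dark after the first round, WAN2 stays healthy, No Reply Limit of 3
    print(simulate([True, False, False, False, False], [True] * 5, 3))
```

Because one reply resets the count, a target that answers intermittently never triggers failover; choose a host beyond the ISP's first hop that answers ICMP reliably, otherwise the monitor either misses an upstream outage or fails over on a healthy link.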
Network Settings Configure your modem for WAN failover Use the settings available in the Modem (Serial Port) Configuration area of the Network > External page to set up your external modem for failover. The Edge has been tested with these modems:
- Hayes 56K V.90 serial fax modem
- Zoom FaxModem 56K model 2949
- U.S. Robotics 5686 external modem
- Creative Modem Blaster V.92 serial modem
- MultiTech 56K Data/Fax Modem International
Enter your dial-up account settings 1.
Network Settings Enter your DNS settings If your dial-up ISP does not give DNS server IP addresses, or if you must use a different DNS server, you can manually enter the IP addresses for a DNS server to use after failover occurs. 1. Select the Manually configure DNS server IP addresses check box. 2. In the Primary DNS Server text box, type the IP address of the primary DNS server. If you have a secondary DNS server, type its IP address in the Secondary DNS server text box. 3.
Network Settings About virtual local area networks (VLANs) An 802.1Q VLAN (virtual local area network) is a collection of computers on a LAN or LANs that are grouped together independent of their physical location. When you create a VLAN, you create a new software-based network interface that you can use in your configurations.
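The following Python script is an added example, not part of this guide or of the Edge software. It shows what the VLAN tag described above looks like on the wire: the 4-byte 802.1Q tag that sits between the source address and the EtherType, carrying a 3-bit priority and a 12-bit VLAN id. The script builds tagged and untagged frames, parses them back, and applies a strict admission rule (only frames carrying the interface's configured tag are accepted) that is a choice made for the example. MAC addresses and payload bytes are invented.

```python
import struct
from typing import Optional

# Constructed example: build and parse Ethernet frames with one 802.1Q tag.
# MAC addresses and payload bytes are invented for the illustration.

ETHERTYPE_VLAN = 0x8100   # Tag Protocol Identifier announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, priority: int = 0) -> bytes:
    """Ethernet II frame; when vlan_id is given, insert a 4-byte 802.1Q tag."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4095 or not 0 <= priority <= 7:
            raise ValueError("VLAN id must be 0..4095 and priority 0..7")
        tci = (priority << 13) | vlan_id          # PCP(3) | DEI(1, left 0) | VID(12)
        header += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame: bytes) -> dict:
    """Return addresses, VLAN id and priority (None when untagged), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    vlan_id = priority = None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13
        vlan_id = tci & 0x0FFF
        offset = 18
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlan_id": vlan_id,
        "priority": priority,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


def frame_belongs_to_vlan(frame: bytes, configured_vlan: int) -> bool:
    """Strict admission rule (a choice made for this example): an interface
    configured with a VLAN tag accepts only frames carrying exactly that tag,
    so untagged frames and frames from other VLANs are rejected."""
    return parse_frame(frame)["vlan_id"] == configured_vlan


if __name__ == "__main__":
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                         ETHERTYPE_IPV4, b"\x45\x00", vlan_id=100, priority=5)
    print(tagged.hex(" "))
    print(parse_frame(tagged))
```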
Network Settings Add a VLAN tag to the Trusted or Optional Interface To mark traffic sent to the trusted or optional interface on your Edge as part of a VLAN: 1. To connect to the System Status page, type https:// in the browser address bar, followed by the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, select Network > Trusted or Network > Optional. The Trusted or Optional Network Configuration page appears. 3.
6 Wireless Setup About wireless setup The Firebox X Edge e-Series Wireless can be configured as a wireless access point with three different security zones. You can enable wireless devices to connect to the Edge Wireless as part of the trusted network or part of the optional network. You can also enable a wireless guest services network for Edge users. Computers that connect to the guest network connect through the Edge, but have no access to computers on the trusted or optional networks.
Wireless Setup About wireless configuration settings When you enable wireless access to the trusted, optional, or wireless guest network, some configuration settings are common to all three security zones. Change the SSID The SSID (Service Set Identifier) is the unique name of your wireless network. To use the wireless network from a client computer, the wireless network card in the computer must have the same SSID as the Firebox X Edge e-Series Wireless network the computer will connect to.
Wireless Setup Log authentication events An authentication event occurs when a wireless computer tries to connect to an Edge wireless interface. To have the Edge record these events in the log file, select the Log Authentication Events check box. Change the fragmentation threshold The Firebox X Edge e-Series Wireless allows you to set the maximum frame size it can send without fragmenting the frame. This is called the fragmentation threshold. This setting is rarely changed.
Wireless Setup About wireless security settings The Firebox X Edge e-Series Wireless uses three security protocol standards to protect your wireless network. They are WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), and WPA2. Each protocol standard can encrypt the transmissions on the wireless LAN between the computers and the access points. They also can prevent unauthorized access to the wireless access point.
Wireless Setup Open system and shared key authentication Encryption options for open system and shared key authentication are WEP 64-bit hexadecimal, WEP 40-bit ASCII, WEP 128-bit hexadecimal, and WEP 128-bit ASCII. If you select open system authentication, you also can select no encryption. 1. If you use WEP encryption, type hexadecimal or ASCII characters in the Key text boxes. Not all wireless adapter drivers support ASCII characters. You can have a maximum of four keys.
Wireless Setup Allow wireless connections to the trusted interface 1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, select Network > Trusted. Select the Wireless tab. 3. Select the Enable wireless bridge to Trusted Network check box to enable the Edge trusted interface as a wireless access point.
Wireless Setup Allow wireless connections to the optional interface 1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, select Network > Optional. Select the Wireless tab. 3. Select the Enable wireless bridge to Optional Network check box to enable the Edge optional interface as a wireless access point.
Wireless Setup 8. From the Authentication drop-down list, select the type of authentication to enable for wireless connections to the optional interface. We recommend that you use WPA2 if the wireless devices in your network can support WPA2. 9. From the Encryption drop-down list, select the type of encryption to use for the wireless connection and add the keys or passwords required for the type of encryption you select.
Wireless Setup 3. On the Settings tab, select the Enable Wireless Guest Network check box to allow wireless connections through the Edge to the Internet according to the rules you have configured for outgoing access on your Edge. These computers have no access to computers on the trusted or optional network. 4. The Edge must assign the wireless guest network an IP address and subnet mask. The default IP address is 192.168.113.1. It is not necessary to change this IP address unless you already use the 192.
Wireless Setup About wireless radio settings The Firebox X Edge e-Series Wireless uses radio frequency signals to send and receive traffic from computers with wireless Ethernet cards. Several settings are specific to Edge channel selection. You can see and change these settings if you connect to the Edge Wireless and select Network > Radio Settings from the left navigation bar. Most users do not change these settings.
Wireless Setup Configure the wireless card on your computer These instructions are for the Windows XP with Service Pack 2 operating system. To see the installation instructions for other operating systems, go to your operating system documentation or help files. 1. Select Start > Settings > Control Panel > Network Connections. The Network Connections dialog box appears. 2. Right-click Wireless Network Connection and select Properties. The Wireless Network Connection dialog box appears. 3.
7 Firewall Policies About policies The security policy of your organization is a set of definitions for protecting your computer network and the information that goes through it. The Firebox denies all packets that are not specifically allowed. When you add a policy to your Firebox configuration file, you add a set of rules that tell the Firebox to allow or deny traffic based upon factors such as source and destination of the packet or the TCP/IP port or protocol used for the packet.
Firewall Policies About adding policies to your Firebox The Firebox includes many pre-configured packet filters and proxies that you can add to your configuration. For example, if you want a packet filter for all Telnet traffic, you add a pre-defined Telnet policy that you can modify for your needs. You can also make a custom policy for which you set the ports, protocols, and other parameters.
Firewall Policies Common policies for the Firebox X Edge

Common Proxy Policies

Policy          Function
FTP-Proxy       Used to transfer files from one computer to another
H323-Proxy      Used to enable Voice-over-IP (VoIP)
HTTP-Proxy      WWW protocol
HTTPS-Proxy     Secure WWW protocol used for secure communications and transactions
Outgoing-Proxy  Applies to all outgoing traffic, including traffic managed by other common policies
POP3-Proxy      Used to move email messages from an email server to an email client
SIP-Proxy
Firewall Policies Policy rules A Firebox X Edge policy is one or more rules that together monitor and control traffic. These rules set the firewall actions for a policy: Allow lets data or a connection through the Edge. Deny stops data or a connection from going through the Edge, and sends a response to the source. No Rule sets a rule to off, or disables the rule. It is not always easy to decide if you should select Deny or No Rule for a policy.
Firewall Policies About policy-based routing To send network traffic, a router usually examines the destination address in the packet and looks at the routing table to find the next-hop destination. In some cases, you want to send traffic to a different path than the default route specified in the routing table. You can configure a policy with a specific external interface to use for all outbound traffic that matches that policy. This technique is known as policy-based routing.
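The following Python script is an added example, not part of this guide or of the Edge software. It models the three firewall actions from Policy rules and the egress-interface override from About policy-based routing in one evaluator: policies are consulted in order, the first matching Allow or Deny decides, a policy set to No Rule is skipped as if it were absent, and anything no policy allows is denied, which is the default stance described in About policies. The policy set, packets and class names are constructed for the illustration; the trusted network address is the guide's default 192.168.111.0/24, and the other addresses are documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of Firebox policy evaluation. Class and field names are
# assumptions for this illustration, not the Edge configuration format.


@dataclass
class Policy:
    name: str
    protocol: str                    # "tcp", "udp" or "icmp"
    port: Optional[int]              # destination port, None for any port
    action: str                      # "Allow", "Deny" or "No Rule"
    src: str = "0.0.0.0/0"           # source network the policy applies to
    interface: Optional[str] = None  # egress interface override (policy-based routing)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: Optional[int] = None


DEFAULT_INTERFACE = "WAN1"   # the routing table's default path in this model


def policy_matches(policy: Policy, pkt: Packet) -> bool:
    """A policy matches when protocol, destination port and source network all fit."""
    if policy.protocol != pkt.protocol:
        return False
    if policy.port is not None and policy.port != pkt.dst_port:
        return False
    return ip_address(pkt.src_ip) in ip_network(policy.src, strict=False)


def evaluate(policies: List[Policy], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (decision, egress interface) for one packet.

    The first matching Allow or Deny policy decides. A policy set to No Rule is
    disabled: it is skipped as if it were absent, so its traffic falls through
    to later policies or to the default. Anything no policy explicitly allows
    is denied.
    """
    for policy in policies:
        if policy.action == "No Rule" or not policy_matches(policy, pkt):
            continue
        if policy.action == "Allow":
            return "Allow", policy.interface or DEFAULT_INTERFACE
        return "Deny", None
    return "Deny", None


# Constructed outgoing policy set. SMTP from the trusted network is pinned to
# WAN2, which is the policy-based routing case from the text.
OUTGOING = [
    Policy("Telnet", "tcp", 23, "Deny"),
    Policy("HTTP", "tcp", 80, "Allow"),
    Policy("SMTP", "tcp", 25, "Allow", src="192.168.111.0/24", interface="WAN2"),
    Policy("FTP", "tcp", 21, "No Rule"),
]


def demo() -> dict:
    """Evaluate a few constructed packets; returns name -> (decision, interface)."""
    packets = {
        "web": Packet("192.168.111.20", "203.0.113.10", "tcp", 80),
        "telnet": Packet("192.168.111.20", "203.0.113.10", "tcp", 23),
        "mail": Packet("192.168.111.20", "203.0.113.25", "tcp", 25),
        "ftp": Packet("192.168.111.20", "203.0.113.10", "tcp", 21),
        "mail_from_other_net": Packet("192.168.112.5", "203.0.113.25", "tcp", 25),
    }
    return {name: evaluate(OUTGOING, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result}")
```

The ftp case is the Deny versus No Rule distinction the text calls hard to decide: with the FTP policy set to No Rule, FTP traffic is not matched by any policy and is denied by default, exactly as if the policy had been set to Deny, but it would become allowed as soon as a later, broader Allow policy matched it.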
Firewall Policies About using common packet filter policies You can control the traffic between the trusted, optional, and external networks using packet filter policies. The Firebox X Edge supplies a list of frequently used policies, called common policies, that you can use to easily allow or deny the most common traffic categories. You can use the default settings of the packet filters or you can edit them to meet your needs.
Firewall Policies Editing common packet filter policies You can edit some default settings of a common packet filter policy. On the Incoming tab, you can define a service host, redirect the port, enable logging, or restrict the IP addresses on the external network that can connect to a computer behind the Firebox X Edge e-Series.
Firewall Policies Set access control options (outgoing) 1. From the Edit Policies page, select the Outgoing tab. 2. From the Outgoing Filter drop-down list, select the rule you want to apply. This rule affects only outgoing traffic. 3. To specify which computers on your trusted and optional network can use this policy, in the From field, select Any and click Remove. Select Host IP Address, Network IP Address, Host Range, or Alias from the drop-down list.
Firewall Policies About custom policies You must define a custom policy for traffic if you need to allow for a protocol that is not included by default as a Firebox configuration option. A custom policy is also necessary if:
- You must create an additional packet filter for a policy.
- You must change the port or protocol for a policy.
You can add a custom policy that uses:
- TCP ports
- UDP ports
- An IP protocol that is not TCP or UDP, such as GRE, AH, ESP, ICMP, IGMP, and OSPF.
Firewall Policies Add a custom packet filter policy manually You can add a custom policy without the wizard. 1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, select Firewall > Incoming for incoming or Firewall > Outgoing for outgoing. The Filter Traffic page appears. 3. Scroll to the bottom of the page. 4.
Firewall Policies Filter outgoing traffic for a custom policy These steps restrict outgoing traffic through the Firebox X Edge. For information on how to restrict incoming traffic, see Filter incoming traffic for a custom policy. 1. From the Outgoing Filter drop-down list, select Allow or Deny. To allow all outgoing traffic from the trusted or optional network to the external network using this policy, skip to step 10. 2.
Firewall Policies About policies for the optional network By default, the Firebox X Edge e-Series allows all traffic that starts in the trusted network and tries to go to the optional network, and denies all traffic that starts in the optional network and tries to go to the trusted network. Here are some examples of how you can use the optional network: You can use the optional network for servers that accept incoming connections from the external network.
Firewall Policies Disable traffic filters between trusted and optional networks To allow network traffic from the optional network to the trusted network, you must allow all traffic between the trusted and optional networks. Select the Disable traffic filters check box to allow all incoming and outgoing traffic between the trusted and optional interfaces. When you select the Disable traffic filters check box, the trusted network is not protected from the optional network.
8 Proxy Settings About proxy policies All WatchGuard policies, whether they are packet filter policies or proxy policies, are important tools for network security. While a packet filter examines each packet’s IP and TCP/UDP header, a proxy monitors and scans whole connections. It examines the commands used in the connection to make sure they are in the correct syntax and order. It also uses deep packet inspection to make sure that connections are secure.
Proxy Settings About adding and configuring proxy policies When you add a proxy policy to your Firebox configuration, you specify types of content that the proxy must look for as it filters traffic. If the content matches (or does not match) the criteria you set in the proxy definition, the proxy allows or denies the network traffic. For each proxy policy, you can use the default settings or you can configure individual settings to suit your needs.
Proxy Settings To add or edit a custom proxy policy: 1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, select Firewall Settings > Outgoing. 3. In the Custom Proxy Policies section, click Add Proxy Policy. The Add Policy - Custom Policy page appears. 4. In the Policy Name text box, type a name to identify your custom proxy policy. 5.
Proxy Settings About the HTTP proxy Hypertext Transfer Protocol (HTTP) is a request/response protocol between clients and servers. The HTTP client is usually a web browser. The HTTP server is a remote resource that keeps or creates HTML files, images, and other content. When the HTTP client starts a request, it establishes a Transmission Control Protocol (TCP) connection on port 80. An HTTP server listens for requests on port 80.
Proxy Settings HTTP requests: General settings Idle connection timeout This setting controls how long the HTTP proxy waits for the client to make a request after it has established a connection to the server. If the client does not make a request in the specified time, the proxy closes the connection. This makes sure that the network resources can be used by the proxy again. The default value is 10 minutes.
Proxy Settings HTTP proxy: Deny message The Firebox gives a default deny message that replaces the content that is denied. You can replace that deny message with one that you write. You can customize the deny message with standard HTML. You can also use Unicode (UTF-8) characters in the deny message. The first line of the deny message is a component of the HTTP header. You must include an empty line between the first line and the body of the message.
Proxy Settings HTTP proxy exceptions You use HTTP proxy exceptions to bypass HTTP proxy rules for certain web sites without bypassing the proxy framework. Traffic that matches HTTP proxy exceptions still goes through the standard proxy handling used by the HTTP proxy. However, when a match occurs, some proxy settings are skipped. Define exceptions You can add host names or patterns as HTTP proxy exceptions. For example, if you block all web sites that end in .
Proxy Settings Add, delete, or modify content types 1. Select the HTTP Content tab. 2. Select the Allow only safe content types check box if you want to limit content types allowed through the proxy. A list of common MIME types is included by default. 3. To add common content types to the list, select the MIME type in the Predefined content type column and click the << button. 4. To add other content types, enter them in the empty field and click Add.
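The following Python script is an added example, not part of this guide or of the Edge software. It ties together three of the HTTP proxy settings described above: the "Allow only safe content types" list, host-name exceptions with the * wildcard, and the custom deny message whose first line is an HTTP header followed by an empty line and the body. The allowed MIME types and exception patterns are invented, the choice of which check an exception skips (the content-type check only) is an assumption, and so is the 403 status used when the deny response is assembled; the guide states only the layout of the message.

```python
import fnmatch
from typing import Tuple

# Constructed example. The allowed MIME types and exception patterns are
# invented; the 403 status on the assembled deny response is an assumption.

SAFE_CONTENT_TYPES = {
    "text/html", "text/plain", "text/css", "application/javascript",
    "image/gif", "image/jpeg", "image/png",
}
PROXY_EXCEPTIONS = ["*.example.com", "updates.example.net"]

# One header line, an empty line, then the body, as the guide requires.
DEFAULT_DENY_MESSAGE = (
    "Content-Type: text/html\n"
    "\n"
    "<html><body><h1>Request denied</h1>"
    "<p>The content type is not allowed by proxy policy.</p></body></html>\n"
)


def host_is_exception(host: str, patterns=PROXY_EXCEPTIONS) -> bool:
    """Host-name match with * wildcards; case-insensitive, trailing dot ignored."""
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


def content_type_allowed(content_type: str, safe=SAFE_CONTENT_TYPES) -> bool:
    """Compare only the media type; parameters such as charset are ignored."""
    mime = content_type.split(";", 1)[0].strip().lower()
    return mime in safe


def decide(host: str, content_type: str) -> Tuple[bool, str]:
    """Allow or deny a response body; an exception skips the content-type check only."""
    if host_is_exception(host):
        return True, "proxy exception: content type check skipped"
    if content_type_allowed(content_type):
        return True, "content type allowed"
    return False, "content type not in allowed list"


def deny_message_is_valid(message: str) -> bool:
    """Header line, then an empty line, then the body."""
    text = message.replace("\r\n", "\n")
    first, sep, _ = text.partition("\n\n")
    return bool(sep) and "\n" not in first and ":" in first


def build_deny_response(message: str) -> bytes:
    """Assemble the HTTP response the proxy returns in place of denied content."""
    if not deny_message_is_valid(message):
        raise ValueError("deny message must be one header line, an empty line, then the body")
    text = message.replace("\r\n", "\n")
    header, _, body = text.partition("\n\n")
    body_bytes = body.encode("utf-8")          # UTF-8 in the body is permitted
    head = (
        "HTTP/1.1 403 Forbidden\r\n"
        f"{header}\r\n"
        f"Content-Length: {len(body_bytes)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode("utf-8") + body_bytes


if __name__ == "__main__":
    print(decide("www.example.org", "application/x-msdownload"))
    print(build_deny_response(DEFAULT_DENY_MESSAGE).decode())
```

Note that the pattern *.example.com does not match the bare name example.com; list the apex host separately if it needs the exception too.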
Proxy Settings About the FTP proxy FTP (File Transfer Protocol) is used to send files from one computer to a different computer over a TCP/IP network. The FTP client is usually a computer. The FTP server can be a resource that keeps files on the same network or on a different network. The FTP client can be in one of two modes for data transfer: active or passive. In active mode, the server starts a connection to the client on source port 20.
Proxy Settings FTP proxy: Proxy limits On the FTP Settings tab, you can set the maximum user name length, password length, file name length, and command-line length allowed through the proxy. These limits help protect your network from buffer overflow attacks. Use the default settings or enter a new value in bytes Maximum username length Sets a maximum length for user names on FTP sites. Maximum password length Sets a maximum length for passwords used to log in to FTP sites.
Proxy Settings FTP proxy: Upload and download content You can control the type of files that the FTP proxy allows for downloads and uploads. For example, because many hackers use executable files to deploy viruses or worms on a computer, you could select to deny requests for *.exe files. Or, if you do not want to let users upload Windows Media files to an FTP server, you could add *.wma to the proxy definition and specify that these files are denied. Use the asterisk (*) as a wild card. 1.
Proxy Settings Set access control options On the Outgoing or Incoming tab, you can set rules that filter IP addresses, network addresses, or host ranges. This is the same functionality you have in packet filter policies. 1. Select the Outgoing tab. 2. From the Outgoing Filter drop-down list, select Deny, Allow, or No Rule. 3. Use the From drop-down list to add the IP address, network address, range of IP addresses of computers on the trusted or optional network, or an alias for which this policy applies.
Proxy Settings Maximum email line length This setting prevents some types of buffer overflow attacks. It is unlikely that you will need to change this setting unless it prevents access to legitimate mail. Deny Message In the Deny Message field, you can write a custom plain text message that will appear in the recipient email when the proxy blocks that email. You can use these variables: %(type)% Puts the content type of the email. %(filename)% Puts the name of the attached file.
Proxy Settings POP3 proxy: Content types Certain kinds of content embedded in email can be a security threat to your network. Other kinds of content can decrease the productivity of your users. On the POP3 Content tab, you limit content types, and block specified path patterns and URLs. You can use the asterisk (*) as a wildcard character.
Proxy Settings POP 3 proxy: Deny unsafe file name patterns If you want to deny certain file name attachments, select the Deny unsafe file name patterns check box. This is a list of file names or types that you want the proxy to block. Use the asterisk (*) as a wild card. For example, if you want to block all MP3 files, type *.mp3. If you read about a vulnerability in a LiveSecurity Service Alert that affects PowerPoint files and you want to deny them until you install the patch, type *.ppt. 1.
Proxy Settings Edit the SMTP proxy To change the default settings of the SMTP proxy, select Firewall > Incoming from the navigation menu. Find the SMTP proxy and click Edit. Make sure you look at all tabs of the SMTP proxy configuration. The Properties tab shows you what port and protocol the proxy uses. You cannot make changes on this tab. Set access control options On the Outgoing or Incoming tab, you can set rules that filter IP addresses, network addresses, or host ranges.
Proxy Settings SMTP proxy: Proxy limits On the SMTP Settings tab, you can adjust timeout, email size, and line length limits. This stops the SMTP proxy from using too many network resources and can prevent some types of attacks. You can also customize the deny message that users see when an email message is blocked by the SMTP proxy. Timeout Set the length of time an incoming SMTP connection can idle before the SMTP proxy closes the connection.
Proxy Settings SMTP proxy: Deny message In the Deny Message field, you can write a custom plain text message that will appear in the recipient email message when the proxy blocks that message. You can use these variables: %(type)% Puts the content type of the email message. %(filename)% Puts the name of the attached file. %(virus)% Puts the type of virus found. %(action)% Puts the action taken by the proxy policy. %(reason)% Puts the reason the proxy policy denied the content.
Proxy Settings SMTP proxy: Email content Certain kinds of content embedded in email can be a security threat to your network. Other kinds of content can decrease the productivity of your users. On the SMTP Content tab, you limit content types, and block specified path patterns and URLs. You can use the asterisk (*) as a wildcard character. Allow only safe content types The headers for email messages include a Content Type header to show the MIME type of the email and of any attachments.
Proxy Settings Deny unsafe file name patterns If you want to deny certain file name attachments, select the Deny unsafe file name patterns check box. This is a list of file names or types that you want the proxy to block. Use the asterisk (*) as a wildcard character. For example, if you want to block all MP3 files, type *.mp3. If you read about a vulnerability in a LiveSecurity Service Alert that affects PowerPoint files and you want to deny them until you install the patch, type *.ppt.
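To show how the SMTP Content checks (safe content types, denied file name patterns) and the deny message variables described above fit together, here is an added Python example that is not WatchGuard code; the safe content-type list, the deny patterns, the deny message template and the sample email are all constructed for the illustration.

```python
import fnmatch
import re
from email.message import EmailMessage

# Constructed policy modelled on the SMTP Content tab: a safe content-type list
# and "unsafe file name" patterns with * as the wildcard. These are illustration
# values, not the Edge's shipped defaults.
SAFE_CONTENT_TYPES = {"text/plain", "text/html", "application/pdf", "image/jpeg"}
DENY_NAME_PATTERNS = ["*.exe", "*.mp3", "*.ppt"]

# Constructed deny message using the variable syntax the guide documents.
DENY_TEMPLATE = "The attachment %(filename)% (%(type)%) was %(action)%: %(reason)%."


def render_deny_message(template, **values):
    """Expand %(name)% variables; a name with no value is left untouched."""
    return re.sub(r"%\((\w+)\)%",
                  lambda m: str(values.get(m.group(1), m.group(0))), template)


def inspect_part(part):
    """Return (allowed, reason) for one MIME part: content type first, then
    the file name pattern list. Matching is case-insensitive so that *.ppt
    also catches SLIDES.PPT; note that a pattern such as *.exe matches the
    whole name, so report.pdf.exe is caught but report.exe.pdf is not."""
    ctype = part.get_content_type()          # e.g. "application/octet-stream"
    fname = (part.get_filename() or "").lower()
    if ctype not in SAFE_CONTENT_TYPES:
        return False, "content type %s is not in the safe list" % ctype
    for pattern in DENY_NAME_PATTERNS:
        if fnmatch.fnmatchcase(fname, pattern.lower()):
            return False, "file name matches denied pattern %s" % pattern
    return True, "ok"


def inspect_message(msg):
    """Walk the attachments; return [(filename, allowed, deny_text)]."""
    results = []
    for part in msg.iter_attachments():
        allowed, reason = inspect_part(part)
        text = "" if allowed else render_deny_message(
            DENY_TEMPLATE,
            filename=part.get_filename() or "",
            type=part.get_content_type(),
            action="denied",
            reason=reason,
        )
        results.append((part.get_filename(), allowed, text))
    return results


def build_sample_message():
    """Constructed sample email with three attachments of differing risk."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly files"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 (constructed)", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ (constructed)", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    # Safe content type, but the name matches *.ppt (case-insensitively).
    msg.add_attachment(b"(constructed)", maintype="application",
                       subtype="pdf", filename="slides.PPT")
    return msg


if __name__ == "__main__":
    for name, allowed, text in inspect_message(build_sample_message()):
        print(name, "allowed" if allowed else text)
```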
About the H.323 proxy If you use Voice-over-IP (VoIP) in your organization, you can add an H.323 or SIP (Session Initiation Protocol) proxy policy to open the ports necessary to enable VoIP through your Firebox. These proxy policies have been created to work in a NAT environment to maintain security for privately addressed conferencing equipment behind the Firebox. H.323 is used commonly on older videoconferencing equipment and voice installations.
About the SIP proxy If you use Voice-over-IP (VoIP) in your organization, you can add a SIP (Session Initiation Protocol) or H.323 proxy policy to open the ports necessary to enable VoIP through your Firebox. These proxy policies have been created to work in a NAT environment to maintain security for privately-addressed conferencing equipment behind the Firebox. H.323 is used commonly on older videoconferencing equipment and voice installations.
About the Outgoing Proxy The Outgoing policy applies to all outgoing network traffic, including traffic managed by other common policies such as HTTP or FTP. As a packet filter policy, you can restrict which IP addresses can send traffic from the trusted or optional interfaces to the external interface. As a proxy policy, you can set specific options for different types of traffic and monitor connections for instant messaging (IM) or peer-to-peer (P2P) applications.
9 Default Threat Protection About intrusion prevention The Firebox X Edge e-Series includes a set of default threat protection features designed to keep out network traffic from systems you know or think are a security risk. This set of features includes: Permanently blocked site The Blocked Sites list is a list of IP addresses you add manually to your configuration file. The IP addresses on this list cannot connect to or through the Edge on any port.
About blocked sites A blocked site is an IP address that cannot make a connection through the Firebox. You tell the Firebox to block specific sites you know or think are a security risk. After you find the source of suspicious traffic, you can block all connections from that IP address. You can also configure the Firebox to send a log message each time the source tries to connect to your network. From the log file, you can see the services that the sources use to launch attacks.
Block a site permanently 1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is https://192.168.111.1 2. From the navigation bar, click Firewall > Default Threat Protection. Click the Blocked Sites tab. 3. Use the drop-down list to select whether you want to enter a host IP address, a network address, or a range of IP addresses.
Block sites temporarily To see a list of IP addresses auto-blocked by the Edge, go to System Status > Hostile Sites. You can look at the temporary Blocked Sites list together with your log messages to help you make decisions about which IP addresses to block permanently. Follow these steps to configure your Firebox to automatically block sites temporarily: 1. Connect to the System Status page.
About blocked ports You can block the ports that you know can be used to attack your network. This stops specified external network services. Blocking ports can protect your most sensitive services. When you block a port, you override all the rules in your firewall configuration. To block a port, see Block a port. Default blocked ports With the default configuration, the Firebox blocks some destination ports.
Block a port Be very careful if you block port numbers higher than 1023. Clients frequently use these source port numbers. 1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is https://192.168.111.1 2. From the navigation bar, click Firewall > Intrusion Prevention. Click the Blocked Ports tab. 3. In the Ports text box, type the name of the port you want to block.
About denial-of-service attacks The Firebox X Edge e-Series includes an integrated denial-of-service (DoS) protection feature to protect against some of the most common and frequent DoS and Distributed DoS (DDoS) attacks used on the Internet. A DoS attack is an attempt to make a computer resource unavailable to its intended users.
On the Firewall > Intrusion Prevention page, select the DoS Defense tab and set the packet/second threshold for these types of DoS flood attacks: IPSec flood attack A DoS attack where the attacker overwhelms a computer system with a large number of IPSec connections. IKE flood attack A DoS attack where the attacker overwhelms a computer system with a large number of IKE (Internet Key Exchange) connections.
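The rate check that a packet/second threshold implies, as an added Python example that is not part of the guide: it buckets packets into one-second windows per flood type and reports the buckets that exceed the configured threshold. The packet records, the threshold values and the classification (IKE as UDP port 500; IPSec as ESP, AH or UDP port 4500 NAT-T) are assumptions made for the illustration.

```python
from collections import Counter

# Constructed thresholds in packets per second. The DoS Defense tab lets you
# set one per flood type; these numbers are illustration values, not defaults.
THRESHOLDS = {"IKE flood": 100, "IPSec flood": 200}


def classify(pkt):
    """Map a packet record to the flood type it counts toward, or None.
    Assumed classification: IKE = UDP to port 500; IPSec = ESP, AH, or
    UDP to port 4500 (NAT traversal)."""
    proto, dport = pkt["proto"], pkt.get("dport")
    if proto == "udp" and dport == 500:
        return "IKE flood"
    if proto in ("esp", "ah") or (proto == "udp" and dport == 4500):
        return "IPSec flood"
    return None


def detect_floods(packets, thresholds=THRESHOLDS):
    """Count matching packets per (flood type, one-second bucket) and return
    [(second, flood_type, count)] for every bucket above its threshold,
    ordered by time. Packets of other types are ignored."""
    counts = Counter()
    for pkt in packets:
        kind = classify(pkt)
        if kind is not None:
            counts[(kind, int(pkt["ts"]))] += 1
    alerts = []
    for (kind, second), n in sorted(counts.items(),
                                    key=lambda kv: (kv[0][1], kv[0][0])):
        if n > thresholds[kind]:
            alerts.append((second, kind, n))
    return alerts


def sample_packets():
    """Constructed traffic: 150 IKE packets inside second 10 (above the
    100 pps threshold), a steady 30 ESP packets/second for seconds 10 to 12
    (well under 200 pps), and one unrelated HTTPS packet."""
    pk = [{"ts": 10.0 + i / 150, "proto": "udp", "dport": 500} for i in range(150)]
    for second in (10, 11, 12):
        pk += [{"ts": second + i / 30, "proto": "esp"} for i in range(30)]
    pk.append({"ts": 11.5, "proto": "tcp", "dport": 443})
    return pk


if __name__ == "__main__":
    for second, kind, count in detect_floods(sample_packets()):
        print("second %d: %s, %d packets/s" % (second, kind, count))
```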
Configure firewall options You can use the Firewall Options page to configure rules that increase your network security. 1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, click Firewall > Firewall Options. The Firewall Options page appears. Firewall options are pre-configured to meet the needs of many Edge customers.
Log all allowed outbound access If you use the standard property settings, the Firebox X Edge e-Series records only unusual events. When traffic is denied, the Edge records the information in the log file. You can configure the Edge to record information about all the outgoing traffic in the log file. When you record all outgoing traffic, it creates a large number of log records.
10 Traffic Management About Traffic Management The Firebox X Edge e-Series supplies many different ways to manage the traffic on your network. You can: limit the rate of traffic sent to the external or IPSec interface using QoS (Quality of Service) through Traffic Control; manage data transmission by giving more or less bandwidth to different traffic types; and change the visible network address of incoming or outgoing traffic to prevent conflicts using NAT (Network Address Translation).
Traffic Categories The Firebox X Edge e-Series allows you to limit data sent through policies and Traffic Control filters. A policy can allow or deny all data of a specified type. Traffic Control does not allow or deny data, but creates filters that separate important network traffic from other data. For example, you can create a filter that identifies email (SMTP) traffic or secure shell (SSH) connections.
Traffic Marking If your Firebox X Edge is part of a larger network that uses Quality of Service (QoS) and your upstream device, LAN equipment, and ISP support it, you can apply marking to each category of network traffic you define on your Edge. The Edge then marks all traffic that matches the criteria in your Traffic Control rule. When you mark traffic, you change up to six bits on packet header fields defined for this purpose.
The following table shows the DSCP values you can select, the corresponding IP Precedence value (which is the same as the CS value), and the description in PHB keywords.
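The table itself is not reproduced on this page. The added Python example below is not the guide's code; it is built from the standard DSCP definitions (RFC 2474 class selectors, RFC 2597 assured forwarding, RFC 3246 expedited forwarding) and generates the same DSCP, IP Precedence and PHB keyword relationship, then shows that rewriting the six DSCP bits in an IPv4 header also requires recomputing the header checksum. The sample IPv4 header is constructed.

```python
def _check(dscp):
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must fit in six bits")


def ip_precedence(dscp):
    """IP Precedence is the top three bits of the DSCP, which is why it equals
    the CS (class selector) value."""
    _check(dscp)
    return dscp >> 3


def phb_keyword(dscp):
    """PHB keyword: EF, CSn, AFxy, or 'unassigned' for non-standard points."""
    _check(dscp)
    if dscp == 46:
        return "EF"
    if dscp & 0x7 == 0:
        return "CS%d" % (dscp >> 3)             # CS0 is the default (best effort)
    cls, drop = dscp >> 3, (dscp & 0x7) >> 1    # AF class, drop precedence
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return "AF%d%d" % (cls, drop)
    return "unassigned"


def dscp_table():
    """(DSCP, IP Precedence, keyword) for all 64 code points."""
    return [(d, ip_precedence(d), phb_keyword(d)) for d in range(64)]


def tos_byte(dscp, ecn=0):
    """The DS field is the upper six bits of the IPv4 TOS byte; the lower two
    bits are ECN and must be preserved when marking."""
    _check(dscp)
    return (dscp << 2) | (ecn & 0x3)


def dscp_from_tos(tos):
    return (tos & 0xFF) >> 2


def ipv4_checksum(header):
    """One's-complement sum of 16-bit words. Over a valid header, with the
    checksum field included, the result is 0."""
    total = 0
    for i in range(0, len(header), 2):
        lo = header[i + 1] if i + 1 < len(header) else 0
        total += (header[i] << 8) | lo
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mark_packet(header, dscp):
    """Rewrite the DSCP bits of a raw IPv4 header, keep the ECN bits, and
    recompute the header checksum that the TOS change would otherwise break."""
    h = bytearray(header)
    h[1] = tos_byte(dscp, h[1] & 0x3)
    h[10:12] = b"\x00\x00"
    h[10:12] = ipv4_checksum(h).to_bytes(2, "big")
    return bytes(h)


def sample_header():
    """Constructed IPv4 header: 192.0.2.1 -> 198.51.100.7, UDP, TTL 64, DSCP 0."""
    h = bytearray(20)
    h[0] = 0x45                                  # version 4, IHL 5
    h[2:4] = (40).to_bytes(2, "big")             # total length
    h[4:6] = b"\x12\x34"                         # identification
    h[6:8] = b"\x40\x00"                         # don't fragment
    h[8], h[9] = 64, 17                          # TTL, protocol UDP
    h[12:16] = bytes([192, 0, 2, 1])
    h[16:20] = bytes([198, 51, 100, 7])
    h[10:12] = ipv4_checksum(h).to_bytes(2, "big")
    return bytes(h)


if __name__ == "__main__":
    for d, prec, kw in dscp_table():
        if kw != "unassigned":
            print("DSCP %2d  IP Precedence %d  %s" % (d, prec, kw))
```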
Enable Traffic Control You must have at least one packet filter policy, proxy policy, or VPN tunnel enabled to add traffic filters. You can use any enabled policy or active VPN tunnel as a Traffic Control filter. Incoming and outgoing policies are identified by [Out] or [In] adjacent to the policy name. Traffic Control is used only for outgoing network traffic.
4. In the Upstream bandwidth limit text box, type the upstream bandwidth limit of your external network connection (WAN1). Enter a value from 19 Kbps to 100,000 Kbps. The default setting is 512 Kbps. 5. Select the Prioritization check box if you want to add filters to other network traffic categories. The prioritization lists are enabled. 6. To create filters for the interactive, high, medium, or low traffic categories, click the Add button adjacent to the category name.
About Network Address Translation (NAT) Network Address Translation (NAT) is a term used to describe any of several forms of IP address and port translation. At its most basic level, NAT changes the IP address of a packet from one value to a different value. The primary purposes of NAT are to increase the number of computers that can operate off a single publicly routable IP address, and to hide the private IP addresses of hosts on your LAN.
About dynamic NAT Dynamic NAT is the most frequently used type of NAT. It changes the source IP address of an outgoing connection to the public IP address of the Firebox. Outside the Firebox, you see only the external interface IP address of the Firebox on outgoing packets. Many computers can connect to the Internet from one public IP address. Dynamic NAT gives more security for internal hosts that use the Internet, because it hides the IP addresses of hosts on your network.
Company ABC selects five public IP addresses from the same network address as the external interface of their Firebox, and creates DNS records for the email servers to resolve to. These addresses are: 50.1.1.1 50.1.1.2 50.1.1.3 50.1.1.4 50.1.1.5 Company ABC configures a 1-to-1 NAT rule for their email servers. The 1-to-1 NAT rule builds a static, bidirectional relationship between the corresponding pairs of IP addresses. The relationship looks like this: 10.1.1.1 <--> 50.1.1.1 10.1.1.
Add a secondary external IP address for 1-to-1 NAT mapping 1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, select Firewall > NAT. The NAT (Network Address Translation) page appears. 3. Type a public IP address from the external network and a private IP address from the trusted or optional network, then click Add.
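An added Python simulation (not WatchGuard code) of how the Company ABC 1-to-1 rule differs from dynamic NAT: the five static pairs translate in both directions, while dynamic NAT rewrites only outbound sources and admits an inbound packet only when it belongs to a session the Firebox already created. The external interface address 50.1.1.254, the ephemeral port pool and the session model (keyed on protocol and public port only) are assumptions made for the illustration.

```python
import itertools

EXTERNAL_IP = "50.1.1.254"                       # assumed external interface IP
# The five 1-to-1 pairs from the Company ABC example: private <--> public.
ONE_TO_ONE = {"10.1.1.%d" % i: "50.1.1.%d" % i for i in range(1, 6)}


class Nat:
    """Minimal model of the two NAT types the guide describes."""

    def __init__(self, external_ip=EXTERNAL_IP, one_to_one=ONE_TO_ONE):
        self.external_ip = external_ip
        self.one_to_one = dict(one_to_one)
        self.reverse = {pub: priv for priv, pub in one_to_one.items()}
        self.sessions = {}                       # (proto, public port) -> (private ip, port)
        self._ports = itertools.count(40000)     # assumed ephemeral port pool

    def outbound(self, src, sport, dst, dport, proto="tcp"):
        """Translate a packet leaving the trusted network.
        Returns (src, sport, dst, dport) as seen on the external interface."""
        if src in self.one_to_one:               # static 1-to-1 mapping wins
            return (self.one_to_one[src], sport, dst, dport)
        # Dynamic NAT: source becomes the external IP plus a fresh port, and the
        # session is remembered so the reply can be mapped back.
        key = self._find_session(proto, src, sport)
        if key is None:
            key = (proto, next(self._ports))
            self.sessions[key] = (src, sport)
        return (self.external_ip, key[1], dst, dport)

    def inbound(self, src, sport, dst, dport, proto="tcp"):
        """Translate a packet arriving from the Internet. None means no mapping
        exists, so the packet is dropped instead of reaching an internal host:
        this is the hiding effect dynamic NAT gives internal addresses."""
        if dst in self.reverse:                  # 1-to-1 is bidirectional
            return (src, sport, self.reverse[dst], dport)
        if dst == self.external_ip and (proto, dport) in self.sessions:
            priv_ip, priv_port = self.sessions[(proto, dport)]
            return (src, sport, priv_ip, priv_port)
        return None

    def _find_session(self, proto, src, sport):
        for key, val in self.sessions.items():
            if key[0] == proto and val == (src, sport):
                return key
        return None


if __name__ == "__main__":
    nat = Nat()
    print(nat.outbound("10.1.1.2", 25, "203.0.113.9", 25))      # mail server, static
    print(nat.inbound("203.0.113.9", 4321, "50.1.1.3", 25))     # inbound to public IP
    print(nat.outbound("10.1.1.77", 51000, "203.0.113.9", 80))  # workstation, dynamic
    print(nat.inbound("203.0.113.9", 80, "50.1.1.254", 40001))  # unsolicited: None
```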
11 Logging About logging and log files An important feature of a good network security policy is to gather messages from your security systems, to examine those records frequently, and to keep them in an archive. You can use logs to monitor your network security and activity, identify any security risks, and address them. A log file is a list of events, along with information about those events. An event is one activity that occurs on the Firebox.
Event Log and System Status Syslog You can see the Event Log on the Logging page. The event log contains data on the most recent activity on the Firebox. You can see the same information, without the other logging settings, at System Status > Syslog. The Syslog page can display continuous real-time log information. Click the Start Continuous Refresh button to have the log data updated in real time.
About logging to a WatchGuard Log Server The WatchGuard Log Server (previously known as the WatchGuard System Event Processor, or WSEP) is a component of WatchGuard System Manager. If you have a Firebox III, Firebox X Core, or Firebox X Peak, configure a primary Log Server to collect the log messages from your Firebox X Edge e-Series. You can also configure a backup Log Server. If the Firebox X Edge cannot connect to the primary Log Server, it tries to connect to the backup Log Server.
4. Select the Send logs in native XML format check box to have the Edge log messages sent to the WatchGuard Log Server in the XML format standard for Fireware v8.0 or higher. The WSM/Log Server installation must be WSM v8.3 or greater. If you select this option, the Edge generates log messages in native XML, which includes more detail for each log message. This allows the WSM administrator to create Reports that include these details for the Edge.
About Syslog Syslog is a log interface developed for UNIX but also used by a number of computer systems. You can configure the Firebox to send log information to a syslog server. A Firebox can send log messages to a Log Server and a syslog server at the same time, or send log messages to one or the other. Syslog log messages are not encrypted. We recommend that you do not select a syslog host on the external interface.
12 Certificates About certificates When you use local authentication to connect to your Firebox over secure HTTP, the Firebox uses a certificate to secure your session. You can also use certificates for VPN authentication. Certificates are files that use a digital signature to match the identity of a person or organization with an encryption key. Certificates use a security component called a key pair, which consists of two mathematically related numbers.
Create a certificate Use OpenSSL to generate a CSR OpenSSL is installed with most GNU/Linux distributions. To download the source code or a Windows binary file, go to http://www.openssl.org/ and follow the installation instructions for your operating system. You can use OpenSSL to convert certificates and certificate signing requests from one format to another. For more information, see the OpenSSL man page or online documentation. 1. Open a command line interface terminal. 2.
Issue the certificate 1. Connect to the server where the Certification Authority is installed, if necessary. 2. From the Start Menu, select Control Panel > Administrative Tools > Certification Authority. 3. From the Certification Authority (Local) tree in the left navigation pane, select Your Domain Name > Pending Requests. 4. Select the CSR in the right navigation pane. 5. From the Action menu, select All Tasks > Issue. 6. Close the Certification Authority window. Download the certificate 1.
Remove a certificate 1. From the System Status page on the Firebox X Edge, select Administration > Certificates. 2. Select the certificate you want to delete, and then click the adjacent Remove button. VPN tunnels do not operate correctly if you remove a certificate that is currently in use. We recommend that you change the VPN tunnel authentication method before you remove a Remote VPN Gateway certificate.
13 User and Group Management About user licenses Your Firebox X Edge firewall is enabled with a set number of user licenses (also called nodes). The total number of available sessions is determined by the Edge model you have, and any upgrade licenses you apply. The number of licenses limits the number of sessions. License upgrades are available from your reseller or from the WatchGuard web site: http://www.watchguard.com/products/purchaseoptions.asp.
When a user license is not used A user license is not used when: Traffic is passed between the trusted and optional networks. Traffic is passed from a computer on the trusted or optional network to a computer on the other end of a Branch Office VPN. Incoming traffic of any kind is passed to the Edge protected network. Traffic is passed from a computer to the Edge itself when no user authentication is required for access to the external network.
About user authentication User authentication is the process of finding whether a user is who he or she is declared to be. On the Firebox, the use of passwords allows a user name to be associated with an IP address. This helps the Firebox administrator to monitor connections through the Firebox. With authentication, users can log in to the network from any computer, but get access to only the network ports and protocols for which they are authorized.
Set authentication options for all users Some authentication options have an effect on all users. To set or change authentication options: 1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, select Firebox Users > Settings. The Settings page appears. 3. Use the definitions below to help you change your parameters.
About user accounts When you create a local user for the Firebox X Edge e-Series, you select the administrative access level for that user. You select access control for the external network and the Branch Office VPN tunnel, and time limits on this access. You also can enable Mobile VPN with PPTP, enable Mobile VPN with SSL, add a WebBlocker profile to the user account, and configure the user’s Mobile VPN with IPSec settings.
4. In the Account Name field, type a name for the account. The user types this name to authenticate. The account name is case-sensitive. 5. In the Full Name field, type the first and last name of the user. This is for your information only. A user does not use this name to authenticate. 6. In the Description field, type a description for the user. This is for your information only. A user does not use this description to authenticate. 7.
Authenticate a session without administrative access If you require authentication to the Edge for the user to access resources such as the external network, the user must connect to the trusted interface IP address of the Edge using HTTPS, and type a user name and password. The default URL for the trusted interface IP address of the Edge is https://192.168.111.1.
Use the built-in administrator account The Firebox X Edge e-Series has a built-in administrator account that cannot be deleted. You can change some of the administrator account settings. On the Firebox Users page, click the icon in the Edit column of the administrator account. Make sure you keep the administrator name and password in a safe location. You must have this information to see the configuration pages.
Change a user account name or password You can change an account name or account password. If you change the account name, you must give the account password. 1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, select Firebox Users. The Firebox Users page appears. 3.
About LDAP/Active Directory authentication If you use LDAP authentication, you do not have to keep a separate user database on the Firebox X Edge. You can configure the Edge to forward user authentication requests to a generic LDAP or Active Directory server. You can use LDAP authentication and local Firebox authentication at the same time. With LDAP authentication, user privileges are controlled on a group basis.
Configure the LDAP/Active Directory authentication service When you enable LDAP authentication, you define one authentication server and its properties. To enable LDAP authentication: 1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, select Firebox Users > Settings. The Firebox Users Settings page appears. 3.
9. Use the LDAP Timeout drop-down list to select the number of seconds to use as a timeout for any LDAP operation. 10. In the Search Base text box, type the base in the LDAP directory to start the search for user account entries. This must be a legitimate LDAP DN (Distinguished Name). A Distinguished Name is a name that uniquely identifies an entry in an LDAP directory. A DN includes as many qualifiers as it must to find an entry in the directory.
Add a group for LDAP authentication 1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, select Firebox Users > New Group. The Firebox Users New Group page appears. 3. In the Account Name text box, type the name of the new group. This name must match the name of a group in the LDAP directory.
10. Select the Allow remote access with Mobile VPN with PPTP check box to allow the members of this group to establish PPTP connections with the Edge from remote locations. 11. Select the Allow remote access with Mobile VPN with SSL check box to allow the members of this group to establish SSL VPN connections with the Edge. 12. Click Submit.
To use SSO, you must install the WatchGuard Authentication Gateway software, also known as the SSO agent software, on a domain computer in your network. When a user logs on to a computer, the SSO agent gathers all the information from the user and sends it to the Firebox. The Firebox can then check the user information against all the defined policies for that user and/or user group at one time.
Enable Single Sign-On 1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, select Firebox Users > Settings. The Firebox Users Settings page appears. 3. Make sure that the Require user authentication (enable local user accounts) check box is selected. 4. If necessary, select other access options.
Before you install The SSO agent service must be run as a user. We recommend that you create a new user account for this purpose. For the SSO agent service to operate correctly, configure the user account with the following properties: Add the account to the Domain Admin group. Make the Domain Admin group the primary group. Allow the account to log on as a service. Set the password to never expire. Install the SSO agent service Double-click WG-Authentication-Gateway.
Enable RADIUS authentication When you enable RADIUS authentication, you define one authentication server and its properties. When you set up your RADIUS server, you must make sure that, when it sends a message to the Firebox that a user is authenticated, it also sends a FilterID string, for example "engineeringGroup" or "financeGroup". The FilterID is RADIUS attribute 11.
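As an added Python example (not WatchGuard or RADIUS server code) of what the Firebox side of this exchange has to do with an Access-Accept: check the Response Authenticator against the shared secret before reading the Filter-Id (attribute 11) group name out of the reply, and reject replies with malformed attribute lengths instead of skipping over them. The shared secret, Request Authenticator and attribute values are constructed; the packet layout and authenticator formula follow RFC 2865.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2      # RADIUS Code for Access-Accept
FILTER_ID = 11         # Filter-Id attribute, which must carry the group name
REPLY_MESSAGE = 18     # an unrelated attribute, included to show it is skipped


def build_attributes(attrs):
    """Encode [(type, value_bytes)] as RADIUS attributes:
    Type (1 byte), Length (1 byte, counts the 2 header bytes), Value."""
    out = b""
    for atype, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1 to 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def parse_attributes(data):
    """Decode attributes, raising on bad lengths rather than guessing."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, bytes(data[i + 2:i + alen])))
        i += alen
    return attrs


def build_access_accept(ident, request_auth, secret, attrs):
    """Server side. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    body = build_attributes(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def groups_from_access_accept(packet, request_auth, secret):
    """Client (Firebox) side: verify the Response Authenticator first, then
    return the Filter-Id strings. None means the reply must not be trusted."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return [v.decode("utf-8", "replace")
            for t, v in parse_attributes(packet[20:]) if t == FILTER_ID]


# Constructed values for the demonstration.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))   # a real client picks 16 random bytes per request


def demo():
    """Build an Access-Accept carrying engineeringGroup and read it back."""
    pkt = build_access_accept(7, REQUEST_AUTH, SECRET,
                              [(REPLY_MESSAGE, b"Welcome"),
                               (FILTER_ID, b"engineeringGroup")])
    return groups_from_access_accept(pkt, REQUEST_AUTH, SECRET)


if __name__ == "__main__":
    print(demo())   # ['engineeringGroup']
```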
See active sessions and users On the Firebox Users page, you see information about the users who are online. 1. To connect to the System Status page, type https:// in the browser address bar, with the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, select Firebox Users. The Firebox Users page appears.
Stop a session The Firebox X Edge e-Series monitors and records the properties of each user session. If the Automatic Session Termination time limit for all sessions is reached, or if the Firebox X Edge restarts, all sessions are stopped at the same time. The Edge administrator also can use the Firebox Users page to stop a session. To stop a session manually: 1.
Editing a user account To edit a user account, click the Edit icon. For descriptions of the fields you can configure, see About user accounts. Deleting a user account To remove a user account, click the X adjacent to the account name. A dialog box appears. Click Yes to remove the account. You cannot delete the admin account. Allow internal devices to bypass user authentication You can make a list of internal devices that bypass user authentication settings.
14 WebBlocker About WebBlocker If you give users unlimited web site access, your company can suffer lost productivity and reduced bandwidth. Uncontrolled Internet surfing can also increase security risks and legal liability. The WebBlocker security subscription gives you control of the web sites that are available to your users. WebBlocker uses a database of web site addresses controlled by SurfControl, a leading web filter company.
Configure global WebBlocker settings The first WebBlocker page in the Firebox X Edge e-Series configuration pages is the WebBlocker Settings page. Use this page to: activate WebBlocker; set the full access password; set the inactivity timeout; set an action if the Edge cannot connect to the WebBlocker server; and set an action if the WebBlocker license expires. To configure WebBlocker: 1.
5. Type a number, in minutes, in the Inactivity Timeout field. The Inactivity Timeout field shows the length of time the full access password is active if no web browsing is done. If a user types the full access password and no HTTP or HTTPS traffic is sent from that user’s computer for the length of time set in the Inactivity Timeout field, WebBlocker rules start again. The value can be from 1 to 1440 minutes. 6.
Install the Quarantine Server and WebBlocker Server To use the quarantine feature of spamBlocker or Gateway AntiVirus, or if you want to install and maintain your own WebBlocker Server, you must download and install the WatchGuard Quarantine Server and WebBlocker Server. You can install the server software on a computer with Windows 2003, Windows XP, or Windows Vista. We recommend at least 512 MB RAM, a 2.
Create a WebBlocker profile 1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. From the navigation bar, click WebBlocker > Profiles. The Profiles page appears. 3. Click New. The New Profile page appears.
4. In the Profile Name field, type a familiar name. Use this name to identify the profile during configuration. For example, give the name 90day to a group of employees that have worked at your company for less than 90 days. 5. In Blocked Categories, select the categories of web sites to block by selecting the check box adjacent to the category name. For more information on categories, see About WebBlocker categories.
About WebBlocker categories The WebBlocker database contains nine category groups, with 54 website categories. A web site is added to a category when the contents of the web site meet the correct criteria. Web sites that give opinions or educational material about the subject matter of the category are not included. For example, the Illegal Drugs category denies sites that tell how to use marijuana. It does not deny sites with information about the historical use of marijuana.
Add, remove, or change a category If you receive a message that the URL you entered is not in the SurfControl list, you can submit it on the Test Results page. 1. Click Submit A Site. The Submit A Site page appears. 2. Select whether you want to Add a site, Delete a site, or Change the category. 3. Enter the site URL. 4. If you want to request that the category assigned to a site is changed, select the new category from the drop-down menu. 5. Click Submit.
About allowing sites to bypass WebBlocker WebBlocker might deny a web site that is necessary for your business. You can override WebBlocker by defining a web site normally denied by WebBlocker as an exception to allow users to access it. For example, suppose employees in your company frequently use web sites that contain medical information. Some of these web sites are forbidden by WebBlocker because they fall into the sex education category.
Add a denied site 1. From the navigation bar, select WebBlocker > Denied Sites. The WebBlocker Denied Sites page appears. 2. From the drop-down list, select Host IP Address or Domain Name/URL. 3. Type the host IP address or domain name of the denied web site. 4. Repeat step 3 for each additional host, IP address, or domain name you want to add to the Denied Sites list. The domain (or host) name is the part of a URL that ends with .com, .net, .org, .biz, .gov, or .edu.
Allow internal hosts to bypass WebBlocker You can make a list of internal hosts that bypass WebBlocker. The internal hosts that you put on this list also bypass any user authentication settings. If a user is on this list, that user does not have to authenticate to get access to the Internet. No WebBlocker rules apply to the users on this list. 1. From the navigation bar, select Firebox Users > Trusted Hosts. The Firebox Users Trusted Hosts page appears. 2.
Chapter 15 spamBlocker
About spamBlocker
Unwanted email, also known as spam, fills the average inbox at an astonishing rate. A large volume of spam decreases bandwidth, degrades employee productivity, and wastes network resources. The WatchGuard spamBlocker option uses industry-leading pattern detection technology from Commtouch to block spam at your Internet gateway and keep it from getting to your email server. Commercial mail filters use many methods to find spam.
About Virus Outbreak Detection (VOD)
Virus Outbreak Detection (VOD) is a technology that identifies email virus outbreaks worldwide within minutes. Provided by Commtouch, an industry leader in email spam and virus protection, VOD is incorporated into the spamBlocker security service. VOD uses traffic analysis technology to provide zero-hour protection against viruses. If you use both spamBlocker and Gateway AntiVirus, the two features work together to keep viruses out of your network.

spamBlocker categories
The Commtouch Recurrent-Pattern Detection (RPD) solution classifies spam attacks in its Anti-Spam Detection Center database according to severity. spamBlocker queries this database and assigns a category to each email message. spamBlocker has three categories: The Confirmed category includes email messages that come from known spammers.

3. By default, VOD scans inbound email messages up to a 40 kilobyte limit. You can increase or decrease this limit with the Limit VOD scanning to first text box. If you configure a larger limit for spamBlocker as described in step 5, the larger limit is used. If you type a very large number in this text box, your network throughput may be slow. We recommend that you keep the scan limit under 50 kilobytes (KB).
4.

Set POP3 email actions
1. From the Confirmed drop-down list, select Allow or Add a subject tag. The default action is Allow. If you choose Add a subject tag, a text box appears with the default tag ***SPAM***. You can change this tag to some text you prefer.
2. From the Bulk drop-down list, select Allow or Add a subject tag. The default action is Allow. The default tag is ***BULK***. You can change this tag to some text you prefer.
3.

About spamBlocker exceptions
You can create an exception list to the general spamBlocker actions that is based on the sender’s or recipient’s address. For example, if you want to allow a newsletter that spamBlocker identifies as Bulk email, you can add that sender to the exception list and use the Allow action regardless of the spamBlocker category the sender is assigned to.

About using spamBlocker with multiple proxies
You can configure more than one SMTP or POP3 proxy service to use spamBlocker. This lets you create custom rules for different groups in an organization. For example, you can allow all email to your management and use a spam tag for the marketing team. If you want to use more than one proxy service with spamBlocker, your network must use one of these configurations:
Each proxy policy must send email to a different internal email server.

8. The wizard asks what you want to do with the message. Select the move it to the specified folder check box. Then, in the bottom pane, click specified to select the destination folder.
9. In the Choose a Folder dialog box, click New.
10. In the folder name field, type Spam. Click OK.
11. Click Next two times.
12. To complete the rule setup, type a name for your spam rule and click Finish.
13. Click Apply.
Repeat these steps to create a rule for bulk email, using the bulk email tag.

Use RefID record instead of message text
If you want to send a report to Commtouch but cannot send the initial email message because the information in the message is confidential, you can use the RefID record from the email header instead. The RefID record is the reference number for the transaction between the Firebox and the Commtouch Detection Center. spamBlocker adds an X-WatchGuard-Spam-ID header to each email. The header looks like this:
X-WatchGuard-Spam-ID: 0001.0A090202.43674BDF

Add trusted email forwarders to improve spam score accuracy
Part of the spam score for an email message is calculated using the IP address of the server that the message was received from. If an email forwarding service is used, the IP address of the forwarding server is used to calculate the spam score. Because the forwarding server is not the initial source email server, the spam score can be inaccurate.
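The two header-handling points above (reporting by RefID instead of message text, and trusted forwarders shifting which hop is scored) can be seen in a few lines of Python. This is an added example, not WatchGuard or Commtouch code: the sample message, the forwarder and sender addresses, and the report format are constructed for the illustration; the RefID value is the one the guide shows.

```python
"""
Added example, not WatchGuard code: reads the X-WatchGuard-Spam-ID header that
spamBlocker adds (the RefID described above) and walks the Received chain past
trusted email forwarders to find the hop a spam score should be based on.
The sample message and the forwarder addresses are constructed for this example.
"""
import email
import re
from email import policy
from email.message import Message
from typing import List, Optional, Set

# Constructed sample: relayed by a forwarding service (203.0.113.10) after
# being handed over by the originating server (198.51.100.7). Both addresses
# are from documentation ranges. The RefID value is the one shown in the guide.
SAMPLE_MESSAGE = """\
Received: from fwd.example.net (fwd.example.net [203.0.113.10])
\tby mail.example.com with ESMTP id ABC123; Mon, 7 Apr 2008 10:00:00 -0700
Received: from sender.example.org (sender.example.org [198.51.100.7])
\tby fwd.example.net with ESMTP id XYZ789; Mon, 7 Apr 2008 09:59:00 -0700
X-WatchGuard-Spam-ID: 0001.0A090202.43674BDF
From: newsletter@example.org
To: user@example.com
Subject: ***BULK*** Weekly digest

Confidential body text that must not leave the organization.
"""

SPAM_ID_HEADER = "X-WatchGuard-Spam-ID"
# Bracketed IPv4 literal in a Received header, e.g. "[203.0.113.10]"
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw: str) -> Message:
    return email.message_from_string(raw, policy=policy.default)


def spam_ref_id(msg: Message) -> Optional[str]:
    """Return the RefID spamBlocker recorded; the body is never read."""
    value = msg.get(SPAM_ID_HEADER)
    return str(value).strip() if value else None


def received_ips(msg: Message) -> List[str]:
    """IPs from the Received headers, newest hop first (header order)."""
    ips = []
    for hdr in msg.get_all("Received", []):
        match = RECEIVED_IP_RE.search(str(hdr))
        if match:
            ips.append(match.group(1))
    return ips


def scoring_ip(msg: Message, trusted_forwarders: Set[str]) -> Optional[str]:
    """First hop that is not a trusted forwarder.

    With an empty trusted list the newest hop (the forwarder itself) is
    scored, which is the inaccuracy the guide describes; listing the forwarder
    as trusted moves the score to the hop before it.
    """
    for ip in received_ips(msg):
        if ip not in trusted_forwarders:
            return ip
    return None


def report_record(raw: str, trusted_forwarders: Set[str]) -> dict:
    """What can be handed over instead of the confidential message text."""
    msg = parse_message(raw)
    return {
        "ref_id": spam_ref_id(msg),
        "scoring_ip": scoring_ip(msg, trusted_forwarders),
        "subject": str(msg.get("Subject")),
    }


if __name__ == "__main__":
    print(report_record(SAMPLE_MESSAGE, set()))
    print(report_record(SAMPLE_MESSAGE, {"203.0.113.10"}))
```

Run it once with an empty trusted set and once with the forwarder listed: the RefID is the same in both records, but the scored address moves from the forwarder to the server that handed the message to it.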
Chapter 16 Quarantine Server
About the Quarantine Server
The WatchGuard Quarantine Server provides a safe, full-featured quarantine mechanism for any email messages suspected or known to be spam or to contain viruses. This repository receives email messages from the SMTP proxy that are filtered by spamBlocker. Granular control allows you to configure preferences for mail disposition, storage allocations, and other parameters.
Start the Quarantine Server
To start the Quarantine Server, you must:
Install Quarantine Server
Run the Setup Wizard
Define the server location
Install server components
You can install Quarantine Server as part of WatchGuard System Manager, or as part of a special installer for Firebox X Edge users. When you run the installer, you are asked which client and server components you want to install. Under the Server Components section, make sure you select Quarantine Server.

Configure the Quarantine Server
When you configure the Quarantine Server, you have these options:
Set general server parameters
Change the expiration and user domain settings: When to delete or how long to keep messages, and add and delete user domains. Only users in the domains that are in this list can have their messages sent to the Quarantine Server.
Change notification settings: The message sent to users that tells them they have messages on the Quarantine Server.

Change expiration settings and user domains
1. To open the Quarantine Server Configuration dialog box, right-click and select Configure. Type the server management passphrase. This is the server management passphrase you created in the second screen of the Quarantine Server Setup Wizard or when you configured your Management Server. The Quarantine Server Configuration dialog box appears.
2. From the Quarantine Server Configuration dialog box, click the Expiration Settings tab.
3.

Add or remove user domains
The Expiration Settings tab of the Quarantine Server Configuration dialog box shows the domain names for which the Quarantine Server will accept email messages. Only users in the domains that are in the list can have messages sent to the Quarantine Server for them. Messages sent to users that are not in one of these domains are deleted.
1. To add or remove a domain name from the server, click Update. The Add Domains dialog box appears.
2.

3. From the Quarantine Server Configuration dialog box, click the User Notification Settings tab.
4. To enable or disable notification (and the fields on this dialog box), use the Send notification to users check box.
5. In the Send email from field, type the full email address of the account you want to send from.
6. In the Subject field, type a name for the subject of the notification messages. The default is WatchGuard Quarantine Server Notification.
7.

Change logging settings
You can enable or disable logging for the server, and define where the server will send log messages. To open the configuration dialog box:
1. Right-click the icon for the server and select Configure.
2. Type the management server passphrase when prompted.
3. From the dialog box that appears, click the Logging tab.

Change Quarantine Server rules
You set up rules to automatically remove certain messages if they come from a specific domain or sender, or if they contain specific text strings in the subject line.
1. To open the Quarantine Server Configuration dialog box, right-click and select Configure.
2. Type the server management passphrase. This is the server management passphrase you created in the second screen of the Quarantine Server Setup Wizard or when you configured your Management Server.

5. Click the underlined words in the rule to add a specific domain, sender, or text string in the subject line. The Edit Auto-Remove Rule dialog box appears.
6. To add a new domain, sender, or string, type it in the top box and click Add.
7. To remove a domain, sender, or string, select it in the bottom box and click Remove.
Note the following restrictions on modifying rules:
Rules do not support wildcard characters.
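The intake behaviour described in the expiration, user domain and auto-remove rule sections above can be modelled in a short Python script. This is an added example and not the Quarantine Server's own code: the user domain list, the rules, the 14-day retention value and the messages are all constructed, and the matching semantics (exact domain and sender, plain substring on the subject, no wildcards) follow the guide's description.

```python
"""
Added example, not WatchGuard code: models the Quarantine Server decisions
described above. Only recipients in the configured user domains are kept,
messages that match an auto-remove rule (domain, sender, or subject string,
no wildcards) are discarded, and messages older than the retention period
expire. The domains, rules, retention value and messages are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class QuarantinedMessage:
    recipient: str
    sender: str
    subject: str
    received: datetime


@dataclass
class AutoRemoveRule:
    """One auto-remove rule. Values are literal; wildcards are not supported."""
    kind: str    # "domain", "sender" or "subject"
    value: str


@dataclass
class QuarantineConfig:
    user_domains: List[str]
    rules: List[AutoRemoveRule] = field(default_factory=list)
    retention: timedelta = timedelta(days=30)   # constructed default


def address_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def rule_matches(rule: AutoRemoveRule, msg: QuarantinedMessage) -> bool:
    if rule.kind == "domain":
        return address_domain(msg.sender) == rule.value.lower()
    if rule.kind == "sender":
        return msg.sender.lower() == rule.value.lower()
    if rule.kind == "subject":
        # plain substring match on the subject line; a "*" would be literal
        return rule.value.lower() in msg.subject.lower()
    raise ValueError(f"unknown rule kind: {rule.kind}")


def intake_decision(cfg: QuarantineConfig, msg: QuarantinedMessage) -> str:
    """'quarantine', 'delete:unknown-domain', or 'delete:rule:<kind>=<value>'."""
    if address_domain(msg.recipient) not in {d.lower() for d in cfg.user_domains}:
        return "delete:unknown-domain"
    for rule in cfg.rules:
        if rule_matches(rule, msg):
            return f"delete:rule:{rule.kind}={rule.value}"
    return "quarantine"


def expire(cfg: QuarantineConfig, store: List[QuarantinedMessage],
           now: datetime) -> List[QuarantinedMessage]:
    """Messages that remain after those past the retention period are removed."""
    return [m for m in store if now - m.received < cfg.retention]


def process(cfg: QuarantineConfig, messages: List[QuarantinedMessage],
            now: datetime) -> Tuple[List[str], List[QuarantinedMessage]]:
    """Apply intake to every message, then expiration to what was kept."""
    decisions = [intake_decision(cfg, m) for m in messages]
    store = [m for m, d in zip(messages, decisions) if d == "quarantine"]
    return decisions, expire(cfg, store, now)


# Constructed configuration and messages
CONFIG = QuarantineConfig(
    user_domains=["example.com"],
    rules=[
        AutoRemoveRule("domain", "spam-example.net"),
        AutoRemoveRule("sender", "lottery@example.org"),
        AutoRemoveRule("subject", "free money"),
    ],
    retention=timedelta(days=14),
)
NOW = datetime(2008, 4, 7, 12, 0)
DAY = timedelta(days=1)
MESSAGES = [
    QuarantinedMessage("alice@example.com", "news@example.org", "Weekly digest", NOW - DAY),
    QuarantinedMessage("bob@other.example", "news@example.org", "Weekly digest", NOW - DAY),
    QuarantinedMessage("alice@example.com", "x@spam-example.net", "Hello", NOW - DAY),
    QuarantinedMessage("alice@example.com", "lottery@example.org", "You won", NOW - DAY),
    QuarantinedMessage("alice@example.com", "a@example.org", "FREE MONEY inside", NOW - DAY),
    QuarantinedMessage("alice@example.com", "old@example.org", "Stale", NOW - 20 * DAY),
]


if __name__ == "__main__":
    decisions, remaining = process(CONFIG, MESSAGES, NOW)
    for msg, decision in zip(MESSAGES, decisions):
        print(f"{msg.recipient:20} {msg.sender:22} {decision}")
    print(f"{len(remaining)} message(s) remain after expiration")
```

Only the first message survives both passes: the second is addressed to a domain that is not in the list, the next three each hit one rule type, and the last is older than the retention period.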
Manage messages
You can see all messages on the Quarantine Server in a dialog box. You can sort messages by user, quarantine status, sender, subject, and date/time received. You can only have one Quarantine Server dialog box open at a time. After you are done with one Quarantine Server dialog box, you must close it before you open a new one.
Open the messages dialog box
1. Right-click and select Manage Messages.
2. Type the server management passphrase.

Set viewing options
You can use the Filter By drop-down list to see all messages or only those with a particular quarantine status. To see the body of a message, select the View message body check box. Select any message. A second pane appears at the bottom of the dialog box that shows the message body. You can also select any message and click Edit > View Message Body, or right-click any message and select View Message Body.

Open the messages dialog box
You can only have one Quarantine Server dialog box open at a time. After you are done with one Quarantine Server dialog box, you must close it before you open a new one.
1. Right-click the Quarantine Server icon and select Manage Messages.
2. Type the server management passphrase. The Quarantine Server Message and User Management dialog box appears.

About managing users
You add, delete, and configure users from the Users tab of the Quarantine Server Message and User Management dialog box. This dialog box shows:
Email addresses of users that can have email messages sent to the Quarantine Server.
Whether users are notified when they have email on the Quarantine Server.
Whether users are validated or unvalidated.

Add users
Users are automatically added when messages are sent to the Quarantine Server for them. Use this procedure to manually add users:
1. From the Quarantine Server Message and User Management dialog box, click the Users tab. Select Edit > Add User. The Add User dialog box appears.
2. Type the full email address of the user, such as myname@mydomain.com.
3.

Get statistics on Quarantine Server activity
Quarantine Server statistics include those messages that have been deleted, either manually or automatically. You can only have one Quarantine Server dialog box open at a time in this release of WatchGuard System Manager. After you are done with one Quarantine Server dialog box, you must close it before you open a new one.
1. Right-click and select View Statistics.
2. Type the server management passphrase.
Chapter 17 Gateway AntiVirus and Intrusion Prevention Service
About Gateway AntiVirus and Intrusion Prevention
Hackers use many methods to attack computers on the Internet. The two primary categories of attack are viruses and intrusions. Viruses, including worms and Trojans, are malicious computer programs that self-replicate and put copies of themselves into other executable code or documents on your computer. When a computer is infected, the virus can destroy files or record key strokes.
About Gateway AntiVirus settings
WatchGuard Gateway AntiVirus (Gateway AV) stops viruses before they get to computers on your network. Gateway AV operates with the WatchGuard SMTP, POP3, HTTP, and FTP proxies. When you enable Gateway AV, the SMTP, POP3, HTTP, and FTP proxy looks at various types of traffic and performs an action that you specify.

Configure Gateway AV
1. To connect to the System Status page, type https:// in the browser address bar, followed by the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1
2. From the navigation bar, select Gateway AV/IPS > Settings.
3. Select the Enable Gateway AntiVirus for SMTP check box to scan email sent to an email server protected by your Edge for viruses.
4.

9. Select the Limit Scanning check box if you want the Gateway AV service to stop scanning each file after it examines the specified number of kilobytes. This improves the performance of the Edge. Most viruses are small and many are in the first hundred kilobytes of a file. You must select the correct balance of performance and security for your network.
10.

Configure the Intrusion Prevention Service
1. To connect to the System Status page, type https:// in the browser address bar, followed by the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1
2. From the navigation bar, select Gateway AV/IPS > Settings.
3. Select one or more check boxes to enable IPS for SMTP, POP3, FTP, HTTP, or the Outgoing service on your Edge.

Update Gateway AV/IPS
New viruses and intrusion methods appear on the Internet frequently. The Gateway AV/IPS service uses a database of signatures to check for viruses and intrusions. WatchGuard frequently publishes updates to the signature database to our customers as new signatures become known. Usually, new Gateway AV signatures are published several times a day. New IPS signatures are published less frequently.
Chapter 18 Branch Office Virtual Private Networks
A VPN (Virtual Private Network) creates a secure connection between computers or networks in different locations. This connection is known as a tunnel. When a VPN tunnel is created, the two tunnel endpoints are authenticated. Data in the tunnel is encrypted. Only the sender and the recipient of the message can read it.
What you need to create a VPN
Before you configure your WatchGuard Firebox X Edge VPN network, read these requirements:
You must have two Firebox X Edge devices or one Firebox X Edge and a second device that uses IPSec standards. Examples of these devices are a Firebox III, Firebox X Core, Firebox X Peak, or a Firebox SOHO 6. You must enable the VPN option on the other device if it is not already active.

About managed VPNs
You can configure a VPN tunnel on the Firebox X Edge e-Series with two procedures: Managed VPN and Manual VPN. For information on creating a Manual VPN tunnel, see Create Manual VPN tunnels on your Edge. The WatchGuard Management Server (previously known as the DVCP Server) uses DVCP (Dynamic VPN Configuration Protocol) to keep the VPN tunnel configuration. DVCP is the WatchGuard protocol that you can use to create IPSec tunnels easily.

Sample VPN address information table

Item: External IP Address
Description: The IP address that identifies the IPSec-compatible device on the Internet. Example: Site A: 207.168.55.2, Site B: 68.130.44.15
Assigned by: ISP

Item: Local Network Address
Description: An address used to identify a local network. These are the IP addresses of the computers on each side that are allowed to send traffic through the VPN tunnel.

Create Manual VPN tunnels on your Edge
1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1
2. From the navigation bar, select VPN > Manual VPN. The Manual VPN page appears.
3. Click Add. The Add Gateway page appears.
4. Type a name for your tunnel. This name is used for identification only.
5.

Phase 1 settings
Internet Key Exchange (IKE) is a protocol used with VPN tunnels to manage keys automatically. IKE negotiates and changes keys. Phase 1 authenticates the two sides and creates a key management security association to protect tunnel data. The default settings for Phase 1 are the same for all Firebox X Edge devices. Many users keep the factory default settings. Make sure that the Phase 1 configuration is the same on the two devices.

To change Phase 1 configuration:
1. Select the negotiation mode from the Mode drop-down list. You can use Main Mode only when the two devices have static IP addresses. If one or both of the devices have external IP addresses that are dynamically assigned, you must use Aggressive Mode.
2. Enter the local ID and remote ID. Select the ID types (IP Address or Domain Name) from the drop-down lists.

If your Edge is behind a device that does NAT
The Firebox X Edge e-Series can use NAT Traversal. This means that you can make VPN tunnels if your ISP does NAT (Network Address Translation) or if the external interface of your Edge is connected to a device that does NAT. We recommend that the Firebox X Edge external interface have a public IP address. If that is not possible, use this section for more information.

Phase 2 settings
Phase 2 negotiates the data management security association for the tunnel. The tunnel uses this phase to create IPSec tunnels and put data packets together. You can use the default Phase 2 settings to make configuration easier. Make sure that the Phase 2 configuration is the same on the two devices. To change the Phase 2 settings:
1. Select the authentication method from the Authentication Algorithm drop-down list.
2.

6. Type the IP address of the local network and the remote networks that will send encrypted traffic across the VPN. You must enter network addresses in slash notation (also known as CIDR or Classless Inter Domain Routing notation). For more information on how to enter IP addresses in slash notation, see this FAQ: http://www.watchguard.com/support/advancedfaqs/general_slash.asp
7. Click Add.
8. Repeat step 5 if you must add additional networks.
9. Click Submit.
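The Phase 1, Phase 2 and network-address requirements above (Main Mode only with static external addresses, identical Phase 1 and Phase 2 settings on both devices, networks in slash notation) are the kind of thing worth checking before clicking Submit. The following Python script is an added example, not the Edge's configuration format or WatchGuard code: the external addresses are the guide's sample values, while the field names, the Phase 1 and Phase 2 values and the internal networks are constructed for the illustration.

```python
"""
Added example, not WatchGuard code: checks a pair of Manual VPN gateway settings
before they are submitted. Main Mode is allowed only with static external
addresses, Phase 1 and Phase 2 settings must be identical on both devices, and
the local and remote networks must be valid slash (CIDR) notation, mirrored
between the two sides, and non-overlapping. Field names and Phase values are
constructed; the external addresses are the guide's sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class TunnelSide:
    name: str
    external_ip: str
    static_external: bool        # False when the ISP assigns the address dynamically
    mode: str                    # "Main" or "Aggressive"
    phase1: Dict[str, str]       # authentication, encryption, DH group, ...
    phase2: Dict[str, str]
    local_networks: List[str]    # slash notation, e.g. "192.168.111.0/24"
    remote_networks: List[str]


def to_slash_notation(address: str, netmask: str) -> str:
    """Rewrite 'network address + dotted netmask' as slash notation."""
    return str(ipaddress.ip_network(f"{address}/{netmask}"))


def parse_networks(entries: List[str]) -> List[ipaddress.IPv4Network]:
    nets = []
    for entry in entries:
        try:
            # strict parsing: host bits must be zero, so 192.168.111.1/24 is rejected
            nets.append(ipaddress.ip_network(entry))
        except ValueError as exc:
            raise ValueError(f"{entry!r} is not valid slash notation: {exc}") from exc
    return nets


def validate_tunnel(a: TunnelSide, b: TunnelSide) -> List[str]:
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    if a.mode != b.mode:
        problems.append(f"negotiation mode differs: {a.name}={a.mode}, {b.name}={b.mode}")
    if a.mode == "Main" and not (a.static_external and b.static_external):
        problems.append("Main Mode requires static external IP addresses on both devices")
    if a.phase1 != b.phase1:
        problems.append("Phase 1 settings differ between the two devices")
    if a.phase2 != b.phase2:
        problems.append("Phase 2 settings differ between the two devices")
    a_local, a_remote = parse_networks(a.local_networks), parse_networks(a.remote_networks)
    b_local, b_remote = parse_networks(b.local_networks), parse_networks(b.remote_networks)
    # what one side calls local, the other side must call remote
    if set(a_local) != set(b_remote) or set(b_local) != set(a_remote):
        problems.append("local/remote networks are not mirrored between the devices")
    for side, local, remote in ((a, a_local, a_remote), (b, b_local, b_remote)):
        for ln in local:
            for rn in remote:
                if ln.overlaps(rn):
                    problems.append(f"{side.name}: local {ln} overlaps remote {rn}")
    return problems


# Constructed Phase 1/2 values (illustrative, not the Edge factory defaults)
PHASE1 = {"authentication": "SHA1", "encryption": "3DES", "dh_group": "2"}
PHASE2 = {"authentication": "SHA1", "encryption": "3DES", "pfs": "yes"}

SITE_A = TunnelSide("Site A", "207.168.55.2", True, "Main", PHASE1, PHASE2,
                    ["192.168.111.0/24"], ["192.168.112.0/24"])
SITE_B = TunnelSide("Site B", "68.130.44.15", True, "Main", PHASE1, PHASE2,
                    ["192.168.112.0/24"], ["192.168.111.0/24"])


if __name__ == "__main__":
    print(to_slash_notation("192.168.111.0", "255.255.255.0"))
    print(validate_tunnel(SITE_A, SITE_B) or "configuration is consistent")
```

Swap one side to a dynamically assigned external address while leaving Main Mode selected, or enter a local network that overlaps the remote one, and `validate_tunnel` reports each problem separately so the corresponding page can be corrected on both devices.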
Configure VPN Keep Alive
To keep the VPN tunnel open when there are no connections through it, you can use the IP address of a computer at the other end of the tunnel as an echo host. The Firebox X Edge e-Series sends a ping each minute to the specified host. Use the IP address of a host that is always online and that can respond to ping messages. You can enter the trusted interface IP address of the Firebox that is at the other end of the tunnel.

Related questions
Why do I need a static external address?
To make a VPN connection, each device must know the IP address of the other device. If the address for a device is dynamic, the IP address can change. If the IP address changes, connections between the devices cannot be made unless the two devices know how to find each other. You can use Dynamic DNS if you cannot get a static external IP address. For more information, see About the Dynamic DNS service.
Chapter 19
About Mobile VPN with PPTP
You can configure the Firebox X Edge e-Series as a PPTP VPN endpoint and allow up to 10 users to make simultaneous secure connections to the Edge and access the networks protected by the Edge. Before remote users can connect to the Firebox with PPTP, you must:
On the Edge, activate PPTP and enter the IP address of the first of 10 available sequential IP addresses on the trusted or optional network that are currently not in use.
Enable PPTP on the Edge
1. To connect to the System Status page, type https:// and the IP address of the Firebox X Edge trusted interface in the browser address bar. The default URL is https://192.168.111.1
2. From the navigation bar, select VPN > Mobile VPN. The Mobile User page appears.
3. To enable PPTP, select the Activate remote user VPN with Mobile VPN with PPTP check box.
4.

6. When a PPTP user connects to the Edge, the Edge must assign that user’s computer an available IP address from the network the user wants to connect to. Type the first IP address in the address pool the Edge can use to assign PPTP user IP addresses in the Start of IP address pool field. The Edge gives out this IP address to the first PPTP user that connects.

Enable PPTP access for firewall users
When you enable Mobile VPN with PPTP on your Edge, you must enable PPTP access for each remote user who uses PPTP to connect to the Edge.
1. To connect to the System Status page, type https:// and the IP address of the Firebox X Edge trusted interface in the browser address bar. The default URL is https://192.168.111.1
2. From the navigation bar, select Firebox Users. The Firebox Users page appears.
3.

Prepare the client computers
You must make sure each remote user’s computer is prepared to use PPTP. Each computer must have Internet access, and must have the necessary version of Microsoft Dial-Up Networking and any necessary service packs. Some operating systems can require a VPN adapter. You can find Microsoft upgrades and service packs on the Microsoft Download Center web site at http://www.microsoft.com/downloads/search.aspx.

Create and connect a PPTP Mobile VPN for Windows XP
To prepare a Windows XP client computer, you must configure the PPTP connection in the network settings.
Create the PPTP Mobile VPN
From the Windows Desktop of the client computer:
1. Click Start > Control Panel > Network Connections.
2. Click Create a new connection from the menu on the left. Or click New Connection Wizard in Windows Classic view. The New Connection wizard appears.
3. Click Next.
4.

Create and connect a PPTP Mobile VPN for Windows 2000
To prepare a Windows 2000 remote host, you must configure the PPTP connection in the network settings.
Create the PPTP Mobile VPN
From the Windows Desktop of the client computer:
1. Click Start > Settings > Network Connections > Create a New Connection. The New Connection wizard appears.
2. Click Next.
3. Select Connect to the network at my workplace and click Next.
4. Click Virtual Private Network connection.
5.

Options for Internet access through a Mobile VPN with PPTP tunnel
You can enable remote users to access the Internet through a Mobile VPN tunnel. This option affects your security because Internet traffic is not filtered or encrypted. You have two options for Mobile VPN tunnel routes: default-route VPN and split tunnel VPN.
Default-route VPN
The most secure option is to require that all remote user Internet traffic is routed through the VPN tunnel to the Firebox.
Chapter 20
About Mobile VPN with IPSec
The WatchGuard Mobile VPN with IPSec client is a software application that is installed on a remote computer. The client makes a secure connection from the remote computer to your protected network through an unsecured network. The Mobile VPN client uses Internet Protocol Security (IPSec) to secure the connection.
Client requirements
Before you install the client, make sure you understand these requirements.
About Mobile VPN with IPSec Enable Mobile VPN for a Firebox user account 1. To connect to the Edge System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2. To add a new Firebox user, select Firebox Users > New User. You can also edit the properties of an existing user. Go to the main Firebox User page and find the name of the user account you want to edit. 3.
About Mobile VPN with IPSec 10. Select Mobile User in the VPN Client Type drop-down list. This selection is required if you use a Windows desktop, laptop, or handheld PC. 11. Select the All traffic uses tunnel (0.0.0.0/0 IP Subnet) check box if the remote client sends all its traffic (including usual web traffic) through the VPN tunnel to the Firebox X Edge. This can also let the Mobile VPN client connect with other networks that the Edge connects to.
About Mobile VPN with IPSec About Mobile VPN Client configuration files With Mobile VPN with IPSec, the Firebox X Edge administrator controls end-user profiles. You use the Edge web configuration interface to set the name of the end user and create a client configuration file, or profile, with the file extension .wgx. The .wgx file contains the shared key, user identification, IP addresses, and settings that are used to create a secure tunnel between the remote computer and the Edge.
About Mobile VPN with IPSec WINS/DNS Settings for Mobile VPN with IPSec Mobile VPN clients use shared Windows Internet Naming Service (WINS) and Domain Name System (DNS) server addresses. DNS changes host names into IP addresses, while WINS changes NetBIOS names to IP addresses. The trusted interface of the Edge must have access to these servers. DNS Server IP Address Type a DNS server IP address to enable DNS to change host names to IP addresses.
About Mobile VPN with IPSec Distribute the software and profiles WatchGuard recommends distributing end-user profiles by encrypted email or by another secure method. Each client computer must have: Software installation package The packages are located on the WatchGuard LiveSecurity Service web site at: http://www.watchguard.com/support Log in to the site using your LiveSecurity Service user name and password.
About Mobile VPN with IPSec About the Mobile VPN with IPSec client The WatchGuard Mobile VPN with IPSec client is installed on a user’s computer, whether the user travels or works from home. The user connects with a standard Internet connection and activates the Mobile VPN client. The Mobile VPN client then creates an encrypted tunnel to your trusted and optional networks, which are protected by a WatchGuard Firebox.
About Mobile VPN with IPSec 4. On the Overwrite or add Profile screen, you can select to overwrite a profile of the same name. This is useful if your network administrator gives you a new .wgx file and you must reimport it. Click Next. 5. If you connect to a Firebox X Edge, click Finish. If you connect to a Firebox running Fireware appliance software, click Next. 6. On the Authentication screen, you can select whether to type the user name and password that you use to authenticate the VPN tunnel.
About Mobile VPN with IPSec Connect and disconnect the Mobile VPN client The WatchGuard Mobile VPN with IPSec client software makes a secure connection from a remote computer to your protected network over the Internet. To start this connection, you must connect to the Internet and use the Mobile VPN client to connect to the protected network. Start your connection to the Internet through a Dial-Up Networking connection or LAN connection.
About Mobile VPN with IPSec Control connection behavior For each profile you import, you can control the action the Mobile VPN client software takes when the VPN tunnel goes down for any reason. To set the behavior of the Mobile VPN client when the VPN tunnel goes down: 1. From the WatchGuard Mobile VPN Connection Monitor, select Configuration > Profile Settings. 2. Select the name of the profile and click Configure. 3. From the left pane, select Line Management. 4.
About Mobile VPN with IPSec Mobile User VPN client icon The Mobile User VPN icon appears in the Windows desktop system tray to show the status of the full featured desktop firewall, the link firewall, and the VPN network. You can right-click the icon to easily connect and disconnect your Mobile VPN and see which profile is in use. See Mobile VPN log messages You can use the Mobile VPN client log file to troubleshoot problems with the negotiations that occur during the VPN client connection.
About Mobile VPN with IPSec 3. From the left pane, select Link Firewall. 4. From the Stateful Inspection drop-down list, select when connected or always. If you select when connected, the link firewall operates only when the VPN tunnel is active for this profile. If you select always, the link firewall is always active, whether the VPN tunnel is active or not. 5. Click OK.
About Mobile VPN with IPSec Enable the desktop firewall To enable the full-featured desktop firewall: 1. From the WatchGuard Mobile VPN Connection Monitor, select Configuration > Firewall Settings. The firewall is disabled by default. 2. When you enable the firewall, you must choose between two firewall modes: o Basic Locked Settings - When you enable this mode, the firewall denies all connections to or from your computer unless you have created a rule to specifically allow the connection.
About Mobile VPN with IPSec Define friendly networks You can generate a firewall rule set for specific known networks that you define. For example, if you want to use the Mobile VPN client on a local network where you want your computer available to other computers, you can add the network address of that LAN as a friendly network. This differentiates the firewall rules for that LAN from the firewall rules you create for connections to the Internet and to remote VPN networks. 1.
General tab

You can define the basic properties of your firewall rules on the General tab of the Firewall Rule Entry dialog box.

Rule Name
Type a descriptive name for this rule. For example, you might create a rule called Web surfing that includes traffic on TCP ports 80 (HTTP), 8080 (alternate HTTP), and 443 (HTTPS).

State
To make a rule inactive, select Disabled. New rules are enabled by default.
Local tab

You can define any local IP addresses and ports that are controlled by your firewall rule on the Local tab of the Firewall Rule Entry dialog box. We recommend that, in any rule, you configure the Local IP Addresses setting to enable the Any IP address radio button. If you are configuring an incoming policy, you can add the ports to control with this policy in the Local Ports settings.
Remote tab

You can define any remote IP addresses and ports that are controlled by this rule on the Remote tab of the Firewall Rule Entry dialog box. For example, if your firewall is set to deny all traffic and you want to create a rule to allow outgoing POP3 connections, add the IP address of your POP3 server as an Explicit IP Address in the Remote IP Addresses section. Then, in the Remote Ports section, specify port 110 as an Explicit Port for this rule.
Applications tab

You can limit your firewall rule so that it applies only when a specific application is used.
1. On the Applications tab of the Firewall Rule Entry dialog box, select the Bind Rule To Application below check box.
2. Click Select Application to browse your local computer for a list of available applications.
3. Click OK.
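The sections above describe the desktop firewall in pieces: Basic Locked Settings (deny everything no rule allows), friendly networks, and the General, Local, Remote and Applications tabs of a rule. The following Python model is an added example, not WatchGuard's client code, that ties those pieces together so you can see how a rule set such as the "Web surfing" and POP3 rules from the text decides on sample connections. The class and function names, the sample rules, the friendly network 192.168.1.0/24 and the RFC 5737 documentation addresses are all constructed for the example; the policy that peers on a friendly network may reach this computer is an assumption standing in for the separate rule set the guide says you define for that LAN.

```python
"""Desktop firewall rule evaluation, modelled after the Firewall Rule Entry
tabs. Added example only; not WatchGuard's code. Names are this example's own."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "any"  # the "Any IP address" / any-port choice on the Local and Remote tabs


@dataclass
class Rule:
    name: str                        # General tab: Rule Name
    direction: str                   # "outgoing" or "incoming"
    enabled: bool = True             # General tab: State (Disabled makes the rule inert)
    local_ip: str = ANY              # Local tab: recommended to keep Any IP address
    local_ports: frozenset = frozenset()   # empty set = any port
    remote_ip: str = ANY             # Remote tab: Explicit IP Address or Any
    remote_ports: frozenset = frozenset()  # Remote tab: Explicit Port(s)
    application: Optional[str] = None      # Applications tab: Bind Rule To Application

    @staticmethod
    def _ip_ok(spec: str, addr: str) -> bool:
        # A bare address such as "203.0.113.10" becomes a /32 network here.
        return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)

    @staticmethod
    def _port_ok(spec: frozenset, port: int) -> bool:
        return not spec or port in spec

    def matches(self, conn: dict) -> bool:
        if not self.enabled or conn["direction"] != self.direction:
            return False
        if self.application and conn.get("application") != self.application:
            return False
        return (self._ip_ok(self.local_ip, conn["local_ip"])
                and self._port_ok(self.local_ports, conn["local_port"])
                and self._ip_ok(self.remote_ip, conn["remote_ip"])
                and self._port_ok(self.remote_ports, conn["remote_port"]))


@dataclass
class DesktopFirewall:
    """Basic Locked Settings: deny everything that no enabled rule allows."""
    rules: list = field(default_factory=list)
    friendly_networks: list = field(default_factory=list)

    def decide(self, conn: dict) -> str:
        peer = ip_address(conn["remote_ip"])
        # Assumed friendly-network policy: peers on a known LAN may reach this computer.
        if any(peer in net for net in self.friendly_networks):
            return "allow"
        return "allow" if any(r.matches(conn) for r in self.rules) else "deny"


def example_firewall() -> DesktopFirewall:
    """Constructed rule set using RFC 5737 documentation addresses."""
    return DesktopFirewall(
        rules=[
            Rule("Web surfing", "outgoing", remote_ports=frozenset({80, 8080, 443})),
            Rule("POP3", "outgoing", remote_ip="203.0.113.10",
                 remote_ports=frozenset({110})),
            Rule("SMTP (off)", "outgoing", enabled=False, remote_ports=frozenset({25})),
            Rule("SSH via putty", "outgoing", remote_ports=frozenset({22}),
                 application="putty.exe"),
        ],
        friendly_networks=[ip_network("192.168.1.0/24")],
    )


def conn(direction, remote_ip, remote_port, local_port=50000, application=None):
    """Build a constructed connection record for evaluation."""
    return {"direction": direction, "local_ip": "192.168.1.50",
            "local_port": local_port, "remote_ip": remote_ip,
            "remote_port": remote_port, "application": application}


def example_decisions() -> dict:
    fw = example_firewall()
    return {
        "https": fw.decide(conn("outgoing", "198.51.100.20", 443)),
        "pop3_to_server": fw.decide(conn("outgoing", "203.0.113.10", 110)),
        "pop3_elsewhere": fw.decide(conn("outgoing", "203.0.113.99", 110)),
        "smtp_disabled_rule": fw.decide(conn("outgoing", "198.51.100.20", 25)),
        "ssh_putty": fw.decide(conn("outgoing", "198.51.100.20", 22, application="putty.exe")),
        "ssh_other_app": fw.decide(conn("outgoing", "198.51.100.20", 22, application="other.exe")),
        "lan_peer_smb": fw.decide(conn("incoming", "192.168.1.25", 50000, local_port=445)),
        "internet_smb": fw.decide(conn("incoming", "198.51.100.20", 50000, local_port=445)),
    }


if __name__ == "__main__":
    for name, verdict in example_decisions().items():
        print(f"{name:20} {verdict}")
```

Two things the model makes visible that the tabs alone do not: a Disabled rule is simply skipped (so the SMTP connection is denied by the default policy, not by the rule), and a rule bound to an application allows the port only for that executable, so the same SSH connection from another program falls back to deny.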
21 About Mobile VPN with SSL

The WatchGuard Mobile VPN with SSL client is installed on a user's computer, whether the user travels or works from home. The user can then connect with a standard Internet connection and activate the Mobile VPN client. The Mobile VPN client then creates an encrypted tunnel to your trusted and optional networks, which are protected by a WatchGuard Firebox. The Mobile VPN client allows you to supply remote access to your internal networks and not compromise your security.
Client requirements

The WatchGuard Mobile VPN with SSL product supplies a VPN client for all Firebox X e-Series devices. It does not provide endpoint security. You can install the Mobile VPN with SSL client software on computers with the following operating systems:
Microsoft Windows Vista (32 bit)
Microsoft Windows XP (32 bit)
Microsoft Windows 2000
Mac OS X, versions 10.
Enable Mobile VPN with SSL for a group

When you enable Mobile VPN with SSL on your Edge, you must make sure to enable access for each remote user or group who uses SSL to connect to the Edge. If you use extended authentication, you must configure the group name to match exactly the name of the group on your authentication server. The Firebox supports extended authentication to an LDAP/Active Directory or a RADIUS authentication server.
1.
9. If you want the users in this group to have access to computers on the other side of a Branch Office VPN tunnel, select the Allow access to manual and managed VPN tunnels check box.
10. If you want the users in this group to be able to use Mobile VPN with PPTP to the Edge for secure remote access, select the Allow remote access with Mobile VPN with PPTP check box.
11.
Enable the Edge to use Mobile VPN with SSL

1. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is https://192.168.111.1
2. From the navigation bar, select VPN > Mobile VPN with SSL. The SSL VPN page appears.
3. To enable Mobile VPN with SSL, select the Enable Mobile VPN with SSL check box.
4. Configure the settings on the General and Advanced tabs.
Virtual IP Address Range

When a Mobile VPN user connects to the Edge, the Edge must assign that user's computer an available IP address from a network behind the Edge. Type the first IP address in the address pool the Edge can use to assign Mobile VPN connections in the Start of IP address pool field. The Edge gives out this IP address to the first Mobile VPN with SSL client that connects.
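The paragraph above says only that the pool starts at the address you type and that the first client gets that address. The Python below is an added example, not the Edge's own allocator, that shows the behaviour a practitioner wants to reason about: sequential hand-out, reuse of an address after a client disconnects, refusal when the pool is exhausted, and a check that the whole pool lies inside a network behind the Edge. The pool size argument, the use of 192.168.111.0/24 as the trusted network (the guide only gives the default address 192.168.111.1) and the user names are assumptions made for the example.

```python
"""Virtual IP address pool for Mobile VPN with SSL clients. Added example, not
WatchGuard's implementation; pool size and trusted network size are assumed."""
from ipaddress import ip_address, ip_network
from typing import Optional


class VirtualIpPool:
    def __init__(self, start: str, size: int, behind_network: str):
        # The pool must come from a network behind the Edge; reject one that
        # spills past the end of that network.
        net = ip_network(behind_network, strict=False)
        first = ip_address(start)
        self.addresses = [first + i for i in range(size)]
        if not all(a in net for a in self.addresses):
            raise ValueError(f"pool starting at {first} (size {size}) is not inside {net}")
        self.leases: dict = {}          # address -> user holding it

    def assign(self, user: str) -> Optional[str]:
        """Give the first free address, in pool order, to a connecting client."""
        for addr in self.addresses:
            if addr not in self.leases:
                self.leases[addr] = user
                return str(addr)
        return None                     # pool exhausted: no address for this client

    def release(self, address: str) -> None:
        """Return an address to the pool when its client disconnects."""
        self.leases.pop(ip_address(address), None)


def example_session() -> list:
    """Constructed sequence: pool starts at 192.168.111.200, four addresses."""
    pool = VirtualIpPool("192.168.111.200", 4, "192.168.111.0/24")
    out = [pool.assign("alice"), pool.assign("bob"),
           pool.assign("carol"), pool.assign("dave")]
    out.append(pool.assign("erin"))      # fifth client: None, the pool is full
    pool.release("192.168.111.201")      # bob disconnects
    out.append(pool.assign("erin"))      # erin now receives bob's former address
    return out


def pool_outside_network_rejected() -> bool:
    """A pool that would run past 192.168.111.255 is refused at configuration time."""
    try:
        VirtualIpPool("192.168.111.254", 4, "192.168.111.0/24")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(example_session())
    print("out-of-network pool rejected:", pool_outside_network_rejected())
```

The exhaustion case is the one to plan for: once every address is leased, a new client cannot be given a tunnel endpoint, so size the pool for the number of simultaneous SSL VPN users rather than the number of accounts.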
DNS and WINS Servers

The Domain Name Service (DNS) changes host names into IP addresses. WINS changes NetBIOS names to IP addresses. By default, SSL VPN users that connect to the Edge use the WINS and DNS servers identified on the Network > Trusted page of your Edge configuration. If you want to specify a different WINS or DNS server, add it in the DNS Server and WINS Server IP Address text boxes near the bottom of the Mobile User page.
About the Mobile VPN with SSL client

The WatchGuard Mobile VPN with SSL client is installed on a user's computer, whether the user travels or works from home. The user can then connect with a standard Internet connection and activate the Mobile VPN client. The Mobile VPN client then creates an encrypted tunnel to the trusted and optional networks, which are protected by a WatchGuard Firebox.
Install the Mobile VPN with SSL client software (Mac OS X)

After Mobile VPN with SSL has been enabled on the Firebox and users are added to the SSL-VPN Users group, remote clients can install the client software.
1. Open a web browser on the remote client computer to connect and authenticate to the Firebox. For more information about how to connect and authenticate to your Firebox, see About the client software.
2. Click the Download button for WG-MVPN-SSL.dmg.
3.
Mobile VPN with SSL client controls

When the Mobile VPN with SSL client is running, the WatchGuard logo icon appears in the System Tray (Win) or on the right side of the menu bar (Mac). The VPN connection status is displayed in the icon's magnifying glass:
- The client is running but the VPN connection is not established.
- The VPN connection has been established. You can securely connect to resources behind the Firebox.