WatchGuard® Firebox® X Edge e-Series User Guide Firebox X Edge e-Series - Firmware Version 8.
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Copyright, Trademark, and Patent Information
Copyright© 1998 - 2006 WatchGuard Technologies, Inc. All rights reserved.
Abbreviations Used in this Guide
Firmware Version: 8.0
Part Number: 1776-0000
Guide Version: 8.
CHAPTER 1 Introduction to Network Security
Thank you for your purchase of the WatchGuard® Firebox® X Edge e-Series. This security device helps protect your computer network from threat and attack. This chapter gives you basic information about networks and network security. This information can help you when you configure the Firebox X Edge. If you are experienced with computer networks, we recommend that you go to the subsequent chapter.
Connecting to the Internet
ISPs (Internet service providers) are companies that give access to the Internet through network connections. Bandwidth is the rate at which a network connection can send data: for example, 3 megabits per second (Mbps). A high-speed Internet connection, such as a cable modem or a DSL (Digital Subscriber Line), is known as a broadband connection.
How Information Travels on the Internet
The data that you send through the Internet is cut into units, or packets. Each packet includes the Internet address of the destination. The packets that make up a connection can use different routes through the Internet. When they all get to their destination, they are assembled back into a file. To make sure that the packets get to the destination, address information is added to the packets.
Network addressing
ISPs (Internet service providers) assign an IP address to each device on their network. The IP address can be static or dynamic. Each ISP has a small number of IP addresses. Static IP addresses are permanently assigned to a device. These addresses do not change automatically, and are frequently used for servers. Dynamic IP addresses change with time. If a dynamic address is not in use, it can be automatically assigned to a different device.
• World Wide Web access uses Hypertext Transfer Protocol (HTTP)
• E-mail uses Simple Mail Transfer Protocol (SMTP)
• File transfer uses File Transfer Protocol (FTP)
• Changing a domain name to an Internet address uses Domain Name Service (DNS)
• Remote terminal access uses Telnet or SSH (Secure Shell)
Some services are necessary, but each service you add to your security policy can also add a security risk.
Firewalls
A firewall divides your internal network from the Internet to decrease risk from an external attack. The computers and networks on the Internet are the external network. The computers on the internal side of the firewall are the trusted computers. The figure below shows how a firewall divides the trusted computers from the Internet. Firewalls use access policies to identify different types of information.
protected networks go through the firewall, which examines each message and denies those that do not match the security criteria.
The Firebox® X Edge and Your Network
The Firebox® X Edge controls all traffic between the external network and the trusted network. The Edge also includes an optional network. Use the optional network for computers with “mixed trust.
CHAPTER 2 Installing the Firebox X Edge e-Series
To install the WatchGuard® Firebox® X Edge e-Series in your network, you must complete these steps:
• Identify and record the TCP/IP properties for your Internet connection.
• Disable the HTTP proxy properties of your Web browser.
• Connect the Edge to your network.
• Connect your computer to the Edge.
• Use the Quick Setup Wizard to configure the Edge.
• Activate the LiveSecurity® Service.
• AC power adapter (12 V/1.2A) with international plug kit.
• Power cable clip. Use this clip to attach the cable to the side of the Edge. This decreases the tension on the power cable.
• One straight-through Ethernet cable
• Wall mount plate (wireless models only)
• Two antennae (wireless models only)
Identifying Your Network Settings
To configure your Firebox® X Edge, you must know some information about your network.
• Static: A static IP address is an IP address that always stays the same. If you have a Web server, FTP server, or other Internet resource that must have an address that cannot change, you can get a static IP address from your ISP. A static IP address is usually more expensive than a dynamic IP address, and some ISPs do not supply static IP addresses.
• DHCP: A dynamic IP address is an IP address that an ISP lets you use temporarily.
To find your TCP/IP properties, use the instructions for your computer operating system.
Finding your TCP/IP properties on Microsoft Windows 2000, Windows 2003, and Windows XP
1 Click Start > All Programs > Accessories > Command Prompt. The Command Prompt window appears.
2 At the command prompt, type ipconfig /all and press Enter.
3 Record the values in the Table, “Your TCP/IP Properties,” on page 11.
PPPoE Address Settings
PPPoE Setting        Value
Login name
Domain (optional)
Password
Web Browser HTTP Proxy Settings
Many Web browsers are configured to use an HTTP proxy server to increase the download speed of web pages. To manage or configure the Firebox® X Edge e-Series, your browser must connect directly to the Edge. If you use an HTTP proxy server, you must temporarily disable the HTTP proxy setting in your browser.
3 Click the arrow adjacent to the Advanced label and select Proxies. The Proxies preference window appears.
4 Make sure the Direct Connection to the Internet option is selected.
5 Click OK.
Web Browser Pop-up Blocking Settings
The Firebox® X Edge e-Series uses pop-up windows for many features, including the Quick Setup Wizard. If you block pop-up windows, you must disable this function when you connect to the Edge.
Connecting the Firebox X Edge
Use this procedure to connect Ethernet and power cables to your Firebox® X Edge:
3 Shut down your computer.
4 Find the Ethernet cable supplied with your Edge. Connect this cable to a trusted interface (LAN0-LAN2) on the Edge. Connect the other end of this cable to the Ethernet interface of your computer.
6 If you use a DSL or cable modem, connect its power supply.
network is limited by the number of session licenses available. See the subsequent section, “About session licenses” for more information.
http://www.watchguard.com/products/purchaseoptions.asp
Setting Your Computer to Connect to the Edge
Before you can use the Quick Setup Wizard, you must configure your computer to connect to the Firebox® X Edge. You can set your network interface card to use a static IP address, or use DHCP to get an IP address automatically.
If your computer gets its address from DHCP
This procedure configures a computer with the Windows XP operating system to use DHCP.
If your computer has a static IP address
This procedure configures a computer with the Windows XP operating system to use a static IP address. If your computer does not use Windows XP, read the operating system help for instructions on how to set your computer to use a static IP address. You must select an IP address on the same subnet as the trusted network.
1 Click Start > Control Panel. The Control Panel window appears.
Configure the External Interface for PPPoE
Type your PPPoE information as supplied by your ISP.
Configure the External Interface with a static IP address
Type your static IP address information as supplied by your ISP.
Configure the Trusted Interface of the Firebox
Type the IP address of the trusted interface.
Set the User Name and Passphrase
Enter a user name and passphrase for the administrator account for the Edge.
Set the Wireless Region
(For wireless models only.
Registering and Activating LiveSecurity Service
After you install the Firebox® X Edge e-Series, you can register the Edge and activate your LiveSecurity® service subscription. The LiveSecurity service gives you threat alert notifications, security advice, virus protection information, software updates, technical support by Web or telephone, and access to online help resources and the WatchGuard® user forum.
CHAPTER 3 Navigating the Firebox X Edge e-Series Configuration Pages
After you connect the WatchGuard® Firebox® X Edge e-Series to your network, you must configure the Edge. You can create firewall rules to enforce the security requirements of your company. You also can use the Edge configuration pages to create an account, look at network statistics, and see the configuration of the Edge.
Navigating the Configuration Pages
All configuration procedures for the Firebox® X Edge e-Series use the configuration pages. The System Status page appears when you connect to the Edge. In this User Guide, most procedures start with this step: “To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1.
Using the navigation bar
On the left side of the System Status page is the navigation bar you use to get to other Firebox X Edge configuration pages. To see the primary page for each feature, click the menu item on the navigation bar. For example, to see how logging is configured for the Firebox X Edge and to see the current event log, click Logging. Each menu item contains secondary menus that you use to configure the properties of that feature.
Configuration Overview
You use the Firebox® X Edge e-Series system configuration pages to set up your Edge and protect your network. This section gives an introduction to each category of pages, and tells you where to find more information about each category in the User Guide.
System Status page
The System Status page is the primary configuration page of the Firebox X Edge e-Series.
Network page
The Network page shows the current configuration of each interface and network route. Adjacent to each section is a button you can use to change configurations and to see network statistics. For more information, see “Changing Your Network Settings” on page 45. The Network menu contains links to these pages:
External: Configure the Edge external network interface, or how the Edge connects to the Internet and other networks.
Firebox Users page
The Firebox Users page shows statistics on active sessions and local user accounts. It also has buttons to close current sessions and to add, edit, and delete user accounts. This page also shows the MUVPN client configuration files that you can download. For more information, see Chapter 9 “Managing Users and Groups.
Update: Update the Firebox X Edge e-Series firmware.
Upgrade: Activate your Edge upgrade options.
View Configuration: Shows the Edge configuration file as text.
Firewall page
The Firewall page shows incoming and outgoing services, blocked Web sites, and other firewall settings. This page also has buttons to change these settings. For more information, see Chapter 7, “Configuring Firewall Settings.
Firewall Options: Customize your security policy.
Logging page
The Logging page shows the current event log, and the status of the Log Server and syslog logging. It also has buttons to change these properties and to set your system time to the same value as your local computer. For more information, see “Configuring Logging” on page 103.
WebBlocker page
The WebBlocker page shows the WebBlocker settings, profiles, allowed sites, and denied sites. It also has buttons to change the current settings. For more information, see Chapter 10, “Configuring WebBlocker.” The WebBlocker menu contains links to these pages:
Settings: Configure the WebBlocker settings for all users.
Profiles: Create sets of restrictions and apply them to groups of Firebox X Edge users.
The VPN menu contains links to these pages:
Manual VPNs: Make a VPN tunnel to an IPSec compliant device, such as a second Firebox X Edge.
VPN Keep Alive: Keep a VPN tunnel open when no regular network traffic goes through it.
Wizards page
The Wizards page shows the wizards you can use to help you set up Firebox X Edge features. Each wizard launches a new window to help you configure the Edge settings.
WAN Failover Setup Wizard: Set up the failover network. For more information, see “Enabling the WAN Failover Option” on page 60.
CHAPTER 4 Configuration and Management Basics
After your Firebox® X Edge e-Series is installed on your network and operating with a basic configuration file, you can start to add custom configuration settings to meet the needs of your organization. This chapter shows you how to do some basic management and maintenance tasks.
- All incoming services are denied.
- The outgoing service allows all outgoing traffic.
- Ping requests received on the external network are denied.
System Security
- The Firebox X Edge e-Series administrator account is set to the default user name of “admin” and the default passphrase of “admin.” When you connect to the Edge, the Quick Setup Wizard includes a dialog box for you to set the administrator account user name and passphrase.
The Firebox X Edge restart cycle is approximately one minute. During the restart cycle, the mode indicator on the front of the Edge turns off and then turns on again.
Local restart
You can locally restart the Firebox X Edge e-Series using one of two methods: use the web browser, or disconnect the power supply.
To set the system time:
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1
2 From the navigation bar, click Logging > System Time. The System Time page appears.
3 Select the time zone from the drop-down list.
4 To set the system time automatically, select the Use NTP to periodically automatically set system time option.
7 To the right of the date, set the time.
- Type the hours in the first field.
- Type the minutes in the second field.
- Type the seconds in the third field.
- Select AM or PM from the drop-down list.
8 Click Submit.
Selecting HTTP or HTTPS for Management
HTTP (Hypertext Transfer Protocol) is the “language” used to move files (text, graphic images, and multimedia files) on the Internet.
To change the port that you use to connect to the Firebox X Edge, type the new value in the HTTP Server Port field in the System Security configuration page shown above.
Note: After you change the HTTP server port, you must type the port when you connect to the Firebox X Edge. For example, if you change the HTTP server port to 880, you would type: http://192.168.111.
Note: WSM v8.2 or later can manage Firebox X Edge (version 7.5) devices. To manage Firebox X Edge e-Series (version 8.0) devices, you must use WSM v8.3.1.
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1
2 From the navigation bar, select Administration > WSM Access. The WatchGuard System Manager Access page appears.
9 Type the Client Name to give to your Firebox X Edge. This is the name used to identify the Edge in the Management Server.
10 Type the Shared Key. The shared key is used to encrypt the connection between the Management Server and the Firebox X Edge. This shared key must be the same on the Edge and the Management Server. Get the shared key from your VPN administrator.
11 Click Submit.
Enable remote management with WFS v7.
7 Click the Enable Managed VPN check box to configure the Firebox X Edge as a client to the WatchGuard DVCP server.
8 In the DVCP Server Address text box, type the IP address of the DVCP server.
9 Type the Client Name to give to your Firebox X Edge. This is the name used to identify the Edge in VPN Manager.
10 Type the Shared Key. The shared key is used to encrypt the connection between the DVCP Server and the Firebox X Edge.
Method 2: Installing software manually
The second method uses the Firebox X Edge e-Series configuration pages. This method can be used with Windows or other operating systems. You must first download the Software Update file, which is a small compressed file.
1 Extract the “wgrd” file from the compressed file you downloaded with an archiving utility such as WinZip (for Windows computers), StuffIt (for Macintosh), or the zip program (for Linux).
7 From the navigation bar, select Administration > Upgrade. The Upgrade page appears.
8 Paste the feature key in the field.
9 Click Submit.
Upgrade options
User licenses
A seat license upgrade allows more connections between the trusted network and the external network. For example, a 5-seat user license upgrade allows five more connections to the external network.
Enabling the Model Upgrade Option
A model upgrade gives the Firebox® X Edge e-Series the same functions as a higher model. A model upgrade increases capacity, user licenses, sessions, and VPN tunnels. For a brochure that shows the features of the different Firebox X Edge models, go to: http://www.watchguard.com/docs/datasheet/edge_ds.
CHAPTER 5 Changing Your Network Settings
A primary component of the WatchGuard® Firebox® X Edge e-Series setup is the configuration of network interface IP addresses. At a minimum, you must configure the external network and the trusted network to let traffic flow through the Edge. You do this when you use the Quick Setup Wizard after you install the Edge. You can use the procedures in this chapter to change this configuration after you run the Quick Setup Wizard.
Configure the external interface with a static IP address
If your ISP uses static IP addresses, type the static IP address information your ISP gave you. For more information, see “If your ISP uses static IP addresses” on page 47.
Configure the trusted interface of the Firebox
On this screen, type the IP address of the trusted interface. For more information, see “Configuring the Trusted Network” on page 50.
2 From the navigation bar, select Network > External. The External Network Configuration page appears.
3 From the Configuration Mode drop-down list, select DHCP Client.
4 If your ISP makes you identify your computer to give you an IP address, type this name in the Optional DHCP Identifier field.
5 Click Submit.
If your ISP uses PPPoE
If your ISP uses PPPoE, you must enter the PPPoE information into your Firebox X Edge before it can send traffic through the external interface. For more information on PPPoE, see “About PPPoE” on page 4. To set your Firebox to use PPPoE on the external interface:
1 Use your browser to connect to the System Status page. From the navigation bar, select Network > External. The External Network Configuration page appears.
Service Name
Use this field to add a service name. The Firebox X Edge only starts with access concentrators that support the specified service. Usually, this option is not used. Use this field only if there is more than one access concentrator or you know that you must use a specified service name.
Access Concentrator Name
Use this field to identify a PPPoE server, known as an access concentrator.
Configuring the Trusted Network
You must configure your trusted network manually if you do not use the Network Setup Wizard. You can use static IP addresses or DHCP for the computers on your trusted network. The Firebox® X Edge e-Series has a built-in DHCP server to give IP addresses to computers on your trusted and optional networks. You can also change the IP address of the trusted network.
4 If necessary, type the new subnet mask.
Using DHCP on the trusted network
The DHCP Server option sets the Firebox X Edge e-Series to give IP addresses to the computers on the trusted network. When the Edge receives a DHCP request from a computer on the trusted network, it gives the computer an IP address. By default, the Edge has the DHCP Server option for the trusted interface enabled.
2 Click the DHCP Reservations button. The DHCP Address Reservations page appears.
3 Type a static IP address in the IP Address field. The IP address must be on the trusted network. For example, if the trusted network starts with 192.168.111.1, you can enter any address from 192.168.111.2 to 192.168.111.254.
4 Type the MAC address of the computer on the trusted network in the MAC Address field.
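The reservation rules above (the address must lie on the trusted subnet, must not be the Edge's own interface address, and the computer is identified by its MAC address) as a pre-flight check you can run over a planned reservation table before typing it into the DHCP Address Reservations page. This is an added example, not WatchGuard code; the interface address and mask are assumed defaults taken from the guide's example, and the reservation table is constructed.

```python
import ipaddress
import re

# Assumed trusted-interface settings (constructed for this example; they match
# the default trusted address the guide uses, 192.168.111.1, with a /24 mask).
TRUSTED_INTERFACE_IP = "192.168.111.1"
TRUSTED_SUBNET_MASK = "255.255.255.0"


def normalize_mac(mac_text):
    """Return a MAC address as aa:bb:cc:dd:ee:ff, or None if it is malformed.

    Accepts the common separators (colon, hyphen, dot) or no separator at all.
    """
    digits = re.sub(r"[:\-.]", "", mac_text.strip()).lower()
    if re.fullmatch(r"[0-9a-f]{12}", digits) is None:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_reservation(ip_text, mac_text,
                      interface_ip=TRUSTED_INTERFACE_IP,
                      subnet_mask=TRUSTED_SUBNET_MASK):
    """Return the problems with one reservation; an empty list means it is acceptable.

    Rules applied: the MAC must be well formed, the IP must lie on the trusted
    subnet, and it must not be the network, broadcast or Edge interface address.
    """
    problems = []
    if normalize_mac(mac_text) is None:
        problems.append("malformed MAC address")
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ValueError:
        problems.append("malformed IP address")
        return problems
    iface = ipaddress.IPv4Interface(f"{interface_ip}/{subnet_mask}")
    net = iface.network
    if ip not in net:
        problems.append(f"{ip} is not on the trusted network {net}")
    elif ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address")
    elif ip == iface.ip:
        problems.append(f"{ip} is the Edge's own trusted interface address")
    return problems


def check_reservations(reservations,
                       interface_ip=TRUSTED_INTERFACE_IP,
                       subnet_mask=TRUSTED_SUBNET_MASK):
    """Check a whole reservation table, also flagging an IP or MAC reserved twice.

    Returns a list of (ip, mac, problems) tuples in input order.
    """
    report = []
    seen_ips = set()
    seen_macs = {}
    for ip_text, mac_text in reservations:
        problems = check_reservation(ip_text, mac_text, interface_ip, subnet_mask)
        if ip_text in seen_ips:
            problems.append(f"{ip_text} is reserved more than once")
        seen_ips.add(ip_text)
        mac = normalize_mac(mac_text)
        if mac is not None:
            if mac in seen_macs:
                problems.append(f"MAC {mac} is already reserved for {seen_macs[mac]}")
            else:
                seen_macs[mac] = ip_text
        report.append((ip_text, mac_text, problems))
    return report


if __name__ == "__main__":
    # Constructed sample reservation table: one good entry and several bad ones.
    sample = [
        ("192.168.111.50", "00:11:22:33:44:55"),
        ("192.168.111.1", "00-11-22-33-44-66"),     # the Edge's own address
        ("192.168.112.5", "001122334477"),           # wrong subnet
        ("192.168.111.255", "00:11:22:33:44:88"),    # broadcast address
        ("192.168.111.51", "00:11:22:33:44:55"),     # duplicate MAC
    ]
    for ip, mac, problems in check_reservations(sample):
        status = "ok" if not problems else "; ".join(problems)
        print(f"{ip:16} {mac:18} {status}")
```

Pass a different interface address and mask to check_reservations when the trusted network was changed from the default described under "Configuring the Trusted Network".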
Changing Your Network Settings Using static IP addresses for trusted computers You can use static IP addresses for some or all of the computers on your trusted network. If you disable the Firebox X Edge DHCP server and you do not have a DHCP server on your network, you must manually configure the IP address and subnet mask of each computer. For example, this is necessary when a client-server software application must use a static IP address for the server.
Changing Your Network Settings Enabling the optional network 1 To connect to the System Status page, type https:// in the browser address bar, followed by the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2 From the navigation bar, select Network > Optional. The Optional Network Configuration page appears. 3 Select the Enable Optional Network check box.
Changing Your Network Settings 2 From the navigation bar, select Network > Optional. The Optional Network Configuration page appears. 3 4 5 In the IP Address text box, type the IP address to give the optional interface. If necessary, type the new subnet mask. Click Submit. Using DHCP on the optional network The DHCP Server option sets the Firebox X Edge to give IP addresses to the computers on the optional network.
Changing Your Network Settings Setting optional network DHCP address reservations You can manually assign an IP address to a specified computer on your optional network. The Firebox X Edge identifies the computer by its MAC address. 1 Use your browser to connect to the System Status page. From the navigation bar, select Network > Optional. The Optional Network Configuration page appears. 2 Click the DHCP Reservations button. The DHCP Address Reservations page appears.
Changing Your Network Settings
Note If the Firebox X Edge cannot connect to the DHCP server in 30 seconds, it uses its DHCP server to give IP addresses to computers on the optional network. You must enable the DHCP server on the optional network for the DHCP relay function to operate.
Using static IP addresses for optional computers
You can use static IP addresses for some or all of the computers on your optional network.
2 From the navigation bar, select Network > Routes. The Routes page appears. 3 Click Add. The Add Route page appears. 4 From the Type drop-down list, select Host or Network. This box tells if the destination for the static route is one computer or a network of computers.
Note A host is one computer. A network is more than one computer using a range of IP addresses.
Note WatchGuard is not affiliated with DynDNS.com.
Create a DynDNS.org account
To set up your account, go to this web site: http://www.dyndns.com This site also has information about how Dynamic DNS operates.
Set up the Firebox X Edge for Dynamic DNS
1 To connect to the System Status page, type https:// in the browser address bar, followed by the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.
7 One or more options can be chained together with the ampersand character like this: &mx=backup.kunstlerandsons.com&backmx=YES&wildcard=ON See this site for more information: http://www.dyndns.com/developers/specs/syntax.html Click Submit.
Note The Firebox X Edge gets the IP address of members.dyndns.org when it starts up. The Edge connects to the IP address it finds for members.dyndns.org to register the current Edge external interface IP address with the DynDNS service.
Using the WAN Failover Setup Wizard
1 From the navigation bar, select Wizards. 2 Adjacent to Configure the automatic WAN failover capability of your Firebox Edge, click Go. 3 Use the instructions on the screens. The WAN Failover Setup Wizard includes these steps: Welcome The first screen tells you about the wizard. Select the secondary interface Use this screen to set the secondary interface your Firebox X Edge uses.
2 If you have a static IP address, select Manual Configuration. 3 If your IP address is assigned using PPPoE, select PPPoE Client.
If you selected DHCP Client
1 If you must identify your computer when you request an IP address, type the name in the Optional DHCP Identifier field. If necessary, adjust the link speed from the drop-down list. 2 Click Submit.
Configuring BIDS
Telstra customers in Australia must use client software to connect to the BigPond network. The Firebox® X Edge e-Series uses BIDS to make this connection. If you do not connect to the BigPond network, it is not necessary to use BIDS. To configure your Firebox to connect to the BigPond network using BIDS: 1 To connect to the System Status page, type https:// in the browser address bar, followed by the IP address of the Firebox X Edge trusted interface.
CHAPTER 6 Firebox X Edge e-Series Wireless Setup
Wireless networks use RF (radio frequency) signals to send and receive traffic from computers. The Firebox® X Edge e-Series Wireless protects the computers that are connected to your network and it protects your network wireless connections. The Edge Wireless obeys the 802.11b and 802.11g guidelines set by the Institute of Electrical and Electronics Engineers (IEEE).
Use this computer to configure the wireless network. See “Connecting the Edge to more than four devices” on page 15 for information about connecting computers, printers, or other devices that connect directly to the Firebox X Edge Wireless.
Using the Wireless Network Wizard
The Wireless Network Wizard is a tool that you use to automatically configure your Firebox® X Edge wireless network.
Configuring Basic Wireless Settings
If you do not use the Wireless Network Wizard, or if you want to change wireless settings manually, you can use the Firebox X Edge e-Series Wireless configuration page. 1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2 From the navigation bar, select Network > Wireless (802.11g).
enabled by default. If the wireless client has its wireless network card set with a static IP address, the IP address must be in the optional IP address range of the Edge. If the wireless network card is set to DHCP, the DHCP server on the Edge’s optional network must be active and configured. If this option is selected, the wireless client can send any type of traffic to the other computers on the optional network. This includes Windows Networking NetBIOS broadcasts.
Setting the wireless mode
Most wireless cards can operate only in 802.11b (up to 11 MB/second) or 802.11g (54 MB/second) mode. To set the operating mode for the Firebox X Edge e-Series Wireless, select an option from the Wireless Mode drop-down list. There are two wireless modes: 802.11g and 802.11b This is the default mode. This mode allows the Edge to connect with devices that use 802.11b or 802.11g. 802.
To protect privacy, you can use these features together with other LAN security mechanisms such as password protection, VPN tunnels, and user authentication. 1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2 From the navigation bar, select Network > Wireless (802.11g) and click the Security tab.
Open system and shared key authentication
Encryption options for open system and shared key authentication are WEP 64-bit hexadecimal, WEP 40-bit ASCII, WEP 128-bit hexadecimal, and WEP 128-bit ASCII. If you select open system authentication, you also can select no encryption. 1 If you use WEP encryption, type hexadecimal or ASCII characters in the Key text boxes. Not all wireless adapter drivers support ASCII characters. You can have a maximum of four keys.
2 From the navigation bar, select Network > Wireless (802.11g) and click the Allowed Addresses tab. 3 Select the Restrict Access by Hardware Address check box. 4 Type the MAC address of the computer that is allowed to connect to the Firebox X Edge Wireless in the correct field. Look for the physical address of the wireless adapter. 5 Click Add. Repeat steps 3–4 for each computer that can connect to the Edge. 6 Click Submit.
• The guest user account is enabled. You can make users authenticate with a password, or without a password.
Enabling guest services
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2 From the navigation bar, select Network > Wireless (802.11g) and click the Guest Services tab.
Guests can access VPN Select this check box to allow guest users to access VPN tunnels through the Firebox X Edge e-Series Wireless. WebBlocker Profile If you use WebBlocker, the options in this drop-down list control the types of web sites guest users can get access to through the Firebox X Edge e-Series Wireless. You can apply any existing WebBlocker profile to guest users. If this option is set to No WebBlocker, all guest users have full access to all web sites.
The Firebox X Edge e-Series Wireless is configured to protect the wired and wireless computers that are attached to it from security risks.
CHAPTER 7 Configuring Firewall Settings
The Firebox® X Edge e-Series uses services and other firewall options to control the traffic between the trusted, optional, and external networks. The configuration of allowed services and firewall options sets the level of security the Edge applies to your network.
About This Chapter
The section “Configuring Outgoing Services” on page 83 shows you how to control traffic to the external network from the trusted and optional networks.
Incoming and outgoing traffic
Traffic that comes from the external network is incoming traffic. Traffic that goes to the external network is outgoing traffic. By default, the Firebox X Edge e-Series denies incoming traffic to protect your trusted and optional networks.
Configuring common services for incoming traffic
The Firebox X Edge e-Series includes standard services known as common services that you can use to control traffic through the Edge. You can use the procedure below to configure the properties of a common service. For more information on common services, refer to the list at the end of this FAQ: www.watchguard.com/support/Tutorials/stepsoho_blockoutservice.asp You must log in to your LiveSecurity account to see this FAQ.
About custom services for incoming traffic
A custom service for incoming traffic is necessary if: • Incoming traffic does not use the same ports or protocols used by one of the common services. • You restrict the IP addresses on the external network that can connect to a computer behind the Firebox X Edge e-Series. You can add a custom service using one or more of these: • TCP ports • UDP ports • An IP protocol that is not TCP or UDP.
4 Below Custom Services, click Add Service. The Custom Service page appears. 5 In the Service Name text box, type the name for your service. 6 From the Protocol Settings drop-down list, select TCP Port, UDP Port, or Protocol. 7 In the text box adjacent to the Port/Protocol drop-down list, type a port number or protocol number. To use a single port, type a port number in the first text box.
Filter incoming traffic for a custom service
These steps restrict incoming traffic for a service to specified computers behind the firewall. Refer to the subsequent section for information on controlling outgoing traffic. 1 From the Incoming Filter drop-down list, select Allow or Deny. 2 If you set the Incoming Filter to Allow, type the IP address of the service host. This is the computer that receives the traffic.
6 In the adjacent text boxes, type the host or network IP address, or type the range of IP addresses that identify the computers on the external network that internal computers can connect to using this service. Network IP addresses must be entered in “slash” notation (also known as Classless Inter-Domain Routing or CIDR notation). For more information on entering IP addresses in slash notation, see this FAQ: http://www.watchguard.com/support/advancedfaqs/general_slash.asp.
Configuring common services for outgoing traffic
By default, the Firebox X Edge allows all traffic to go out to the external network. This is because the common service called Outgoing is set to Allow. When the Outgoing common service is set to Deny, all outgoing traffic is blocked. When the Outgoing common service is set to No Rule, traffic that is not specially permitted is blocked.
• UDP ports • An IP protocol that is not TCP or UDP. You identify an IP protocol that is not TCP or UDP with the IP protocol number.
Adding a custom service using the wizard
1 From the navigation bar, click Wizards. 2 Adjacent to Define a custom service, click Go. 3 Follow the instructions in the wizard. The Traffic Filter Wizard includes these steps: Welcome The first screen tells you about the wizard and the information you must have to complete the wizard.
5 In the Service Name text box, type the name for your service. 6 From the Protocol drop-down list, select TCP Port, UDP Port, or Protocol. 7 In the text box adjacent to the Protocol drop-down list, type a port number or protocol number. To use a range of ports, type a port number in the second text box.
Note An IP protocol number is not the same as a TCP or UDP port number. TCP is IP protocol number 6 and UDP is IP protocol number 17.
Here are some examples of how you can use the optional network: • You can use the optional network for servers that the external network can get to. This helps to protect the trusted network, because no traffic is allowed to the trusted network from the optional network when the Firebox X Edge is in default configuration. When computers are accessible from the external network, they are more vulnerable to attack.
Disabling traffic filters between trusted and optional networks
To allow network traffic from the optional network to the trusted network, you must allow all traffic between the trusted and optional networks. Select the Disable traffic filters check box to allow all incoming and outgoing traffic between the trusted and optional interfaces.
Note When you select the Disable traffic filters check box, the trusted network is not protected from the optional network.
Blocking External Sites
A Blocked Site is an external IP address that is always blocked from connecting to computers behind the Firebox® X Edge e-Series. You can examine the data in your log files to look for patterns of suspicious actions and identify the IP addresses that start the connections. Use these IP addresses to create a Blocked Sites list. To add a location to the Blocked Sites list: 1 From the navigation bar, click Firewall > Blocked Sites.
Responding to ping requests
You can configure the Firebox X Edge e-Series to deny ping requests. This option overrides all other Edge settings. 1 Select the Do not respond to PING requests received on External Network check box or the Do not respond to PING requests received on Trusted Network check box. 2 Click Submit.
Denying FTP access to the Firebox X Edge
You can configure the Firebox X Edge e-Series to not allow any FTP connections from the trusted network.
Logging denied broadcast traffic
If you use the standard property settings, the Firebox X Edge e-Series records only unusual events. When traffic is denied, the Edge records the information in the log file. You can configure the Edge to record information about denied network traffic that was sent to many destinations at the same time. To record denied broadcast traffic: 1 Select the Log denied broadcast traffic check box. 2 Click Submit.
3 Below the Advanced tab, select the Enable override MAC address check box. 4 In the Override MAC address text box, type the new MAC address for the Firebox X Edge external network. You must enter the MAC address as a hexadecimal number. Do not use extra characters, such as spaces or hyphens. 5 Click Submit. You must restart the Firebox to see the changes.
CHAPTER 8 Managing Network Traffic
The Firebox® X Edge e-Series allows many different ways to manage the traffic on your network. You can limit the rate of traffic sent to the external interface using QoS (Quality of Service) through Traffic Control. You can manage data transmission by giving more or less bandwidth to different traffic types.
Traffic Categories
The Firebox® X Edge e-Series allows you to limit data sent through services and Traffic Control filters. A service can allow or deny all data of a specified type. Traffic Control does not allow or deny data, but creates “filters” that separate important network traffic from other data. For example, you can create a filter that identifies e-mail (SMTP) traffic or secure shell (SSH) connections.
Traffic control and prioritization are on
This option allows you to configure filters for all traffic categories.
Note To use prioritization, you must know your upstream bandwidth limit in kilobits per second (Kb/s). If you do not know your upstream bandwidth limit, ask your network administrator or ISP. For better traffic control, the Edge subtracts 5% from the upstream bandwidth rate limit to decrease packet latency.
7 Click Submit. Traffic control is enabled.
Add a traffic control filter
Before you add a traffic control filter to allow or deny traffic for a program, you must know the port numbers that the program uses to send data. If you do not know the port numbers, see the documentation for the program. 1 Click the Add button adjacent to the traffic category. The Add Traffic Control dialog box appears. 2 In the Name text box, type a name for the traffic control filter.
Edit a traffic control filter
1 Select one entry from any category, then click the Edit button adjacent to the category. The Edit Traffic Control Filter dialog appears. 2 Complete the fields as shown in the procedure, “Add a traffic control filter”. 3 Click Submit on the Traffic Control page to save your changes.
Change the priority of a traffic control filter
1 Select an entry from any category. To select multiple entries, hold down the Control or Shift key.
1-to-1 NAT
You can use 1-to-1 NAT to map a secondary external IP address to the server behind the Edge. You do not have to change the IP address of your internal server. When you enable 1-to-1 NAT, the Firebox X Edge changes all outgoing packets sent from one private IP address to a public IP address different from the Edge’s primary external IP address.
Static NAT
Static NAT is usually known as “port forwarding.
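The difference between the two translation types above, as an added example that is not WatchGuard's code: a small Python model in which a 1-to-1 NAT entry gives one internal server its own secondary public address (with an allowed-service list, as on the NAT page) while static NAT forwards a single port on the primary external address. The primary address is the guide's Site A sample; the secondary address, internal hosts and ports are constructed.

```python
# Added example (not WatchGuard code): how 1-to-1 NAT and static NAT
# (port forwarding) rewrite packets on an Edge-like device. The primary
# external address is the guide's Site A sample (207.168.55.2); every
# other address and port is constructed for the demo.
import dataclasses
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class OneToOneEntry:
    private_ip: str   # server behind the Edge; it keeps its own address
    public_ip: str    # secondary external IP, not the Edge's primary IP
    services: set     # allowed (proto, port) pairs for incoming traffic


class EdgeNat:
    def __init__(self, primary_external_ip):
        self.primary = primary_external_ip
        self.one_to_one = []   # list of OneToOneEntry
        self.static = {}       # (proto, external port) -> (private IP, port)

    def add_one_to_one(self, private_ip, public_ip, services):
        # 1-to-1 NAT needs a secondary address distinct from the primary one
        if public_ip == self.primary:
            raise ValueError("1-to-1 NAT requires a secondary external IP")
        self.one_to_one.append(OneToOneEntry(private_ip, public_ip, set(services)))

    def add_static_nat(self, proto, external_port, private_ip, internal_port=None):
        # static NAT forwards one port on the primary address to one host
        self.static[(proto, external_port)] = (private_ip, internal_port or external_port)

    def outbound(self, pkt):
        """Private -> external. A 1-to-1 host keeps its dedicated public IP;
        every other host is hidden behind the primary external IP."""
        for entry in self.one_to_one:
            if pkt.src == entry.private_ip:
                return dataclasses.replace(pkt, src=entry.public_ip)
        return dataclasses.replace(pkt, src=self.primary)

    def inbound(self, pkt):
        """External -> private. Returns the translated packet, or None when
        no rule matches (the Edge denies incoming traffic by default)."""
        for entry in self.one_to_one:
            if pkt.dst == entry.public_ip:
                if (pkt.proto, pkt.dport) in entry.services:
                    return dataclasses.replace(pkt, dst=entry.private_ip)
                return None   # right address, but the service is not allowed
        if pkt.dst == self.primary:
            rule = self.static.get((pkt.proto, pkt.dport))
            if rule is not None:
                private_ip, port = rule
                return dataclasses.replace(pkt, dst=private_ip, dport=port)
        return None


def build_demo_nat():
    """Constructed configuration: one 1-to-1 web server, one port-forwarded mail host."""
    nat = EdgeNat("207.168.55.2")                           # Site A from the guide's table
    nat.add_one_to_one("192.168.111.10", "207.168.55.3",    # constructed secondary IP
                       services={("tcp", 443)})
    nat.add_static_nat("tcp", 25, "192.168.111.20")         # constructed mail host
    return nat
```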
Enable 1-to-1 NAT
Note You must add at least one 1-to-1 NAT entry before you can enable 1-to-1 NAT. For more information, see the subsequent section.
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2 From the navigation bar, select Firewall > NAT. The NAT (Network Address Translation) page appears.
7 To add a custom service to the NAT entry, click Add Service. For more information, see the subsequent section.
Add or Edit a Custom Service for 1-to-1 NAT
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2 From the navigation bar, select Firewall > NAT. The NAT (Network Address Translation) page appears.
9 To add a host or network to the From list, select Host IP Address, Network IP Address, or Network Range from the drop-down list. Type the IP address or range in the adjacent text box and click Add. The entry is added to the From list. To remove an entry, select an IP address or range and click Remove. 10 To create an entry in the log for each incoming packet, select the Log Incoming Traffic check box.
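The host, slash-notation network, and range entry formats used in the From list above and in the custom service filters of Chapter 7, as an added Python example (not WatchGuard code): it parses each format, rejects entries the Edge cannot accept (host bits set in a network, a backwards range), converts a dotted netmask to slash notation, and tests an address against a list. Addresses come from the guide's VPN sample table or are constructed.

```python
# Added example (not WatchGuard code): the three address entry formats
# the Edge accepts (Host IP Address, Network IP Address in slash/CIDR
# notation, Network Range) and a check of an address against a list of
# them. Sample addresses are constructed or taken from the guide's table.
import ipaddress


class AddressEntry:
    """One Host, Network, or Range entry as typed into the Edge."""

    def __init__(self, text):
        text = text.strip()
        self.text = text
        if "-" in text:                      # Network Range: "first-last"
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
            if lo > hi:
                raise ValueError(f"range {text!r} runs backwards")
            self.kind, self.lo, self.hi = "range", lo, hi
        elif "/" in text:                    # Network in slash notation
            # strict=True rejects host bits set in the address part
            # (e.g. "207.168.55.5/24"), which is not a valid network entry
            self.kind, self.net = "network", ipaddress.IPv4Network(text, strict=True)
        else:                                # single Host
            self.kind, self.host = "host", ipaddress.IPv4Address(text)

    def contains(self, ip):
        ip = ipaddress.IPv4Address(ip)
        if self.kind == "range":
            return self.lo <= ip <= self.hi
        if self.kind == "network":
            return ip in self.net
        return ip == self.host


def to_slash_notation(network_ip, netmask):
    """Convert a dotted netmask (as some tools report it) to the slash form
    the Edge requires, e.g. ("10.0.0.0", "255.255.255.0") -> "10.0.0.0/24"."""
    return ipaddress.IPv4Network((network_ip, netmask), strict=True).with_prefixlen


def is_valid_entry(text):
    """Cheap pre-check before submitting an entry to the Edge."""
    try:
        AddressEntry(text)
        return True
    except ValueError:
        return False


def parse_entries(texts):
    return [AddressEntry(t) for t in texts]


def is_allowed(entries, ip):
    """True if ip matches any entry in the list (an empty list allows nothing)."""
    return any(entry.contains(ip) for entry in entries)
```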
CHAPTER 9 Configuring Logging
A log file is a list of all the events that occur on the Firebox® X Edge e-Series. A log file records and saves information about these events. A log message is an important part of a network security policy. A sequence of denied packets can show a pattern of suspicious network activity. Log records can help you identify possible security problems.
Note The Firebox X Edge log is cleared if the power supply is disconnected or the Edge is restarted.
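Reading the log for a pattern of denied packets, as this chapter and the Blocking External Sites section of Chapter 7 suggest, as an added Python example (not WatchGuard code): it tallies denied packets per external source and lists the sources worth adding to the Blocked Sites list. The log line format and all addresses are constructed for the demo; the Edge's own log format differs.

```python
# Added example (not WatchGuard code): find external sources whose denied
# traffic forms a pattern, as candidates for the Blocked Sites list.
# The log format and the addresses below are constructed for the demo.
import ipaddress
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>deny|allow) (?P<proto>tcp|udp|icmp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Internal address space; a Blocked Site is by definition an external address,
# so denied packets from these sources (e.g. logged broadcasts) are ignored.
INTERNAL_NETS = [ipaddress.IPv4Network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one external host probing several ports, one external
# host with a single denied packet, one allowed session, one internal broadcast.
SAMPLE_LOG = """\
2006-06-14 10:22:01 deny tcp 203.0.113.45:45101 -> 207.168.55.2:22
2006-06-14 10:22:01 deny tcp 203.0.113.45:45102 -> 207.168.55.2:23
2006-06-14 10:22:02 deny tcp 203.0.113.45:45103 -> 207.168.55.2:80
2006-06-14 10:22:02 deny tcp 203.0.113.45:45104 -> 207.168.55.2:443
2006-06-14 10:22:03 deny tcp 203.0.113.45:45105 -> 207.168.55.2:3389
2006-06-14 10:23:10 deny udp 198.51.100.9:5060 -> 207.168.55.2:5060
2006-06-14 10:23:11 allow tcp 192.168.111.50:33012 -> 198.51.100.20:443
2006-06-14 10:23:12 deny udp 192.168.111.77:138 -> 192.168.111.255:138
"""


def parse_log(text):
    """Yield one dict per line that matches the format; skip anything else."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()


def is_internal(ip_text):
    ip = ipaddress.IPv4Address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def blocked_site_candidates(text, min_denied=5, min_ports=4):
    """Return external sources whose denied traffic looks like a pattern:
    at least min_denied denied packets, or probes of at least min_ports
    distinct destination ports. Sorted by denied count, then address."""
    denied = defaultdict(int)
    ports = defaultdict(set)
    for rec in parse_log(text):
        if rec["action"] != "deny" or is_internal(rec["src"]):
            continue
        denied[rec["src"]] += 1
        ports[rec["src"]].add(int(rec["dport"]))
    out = []
    for ip, count in denied.items():
        if count >= min_denied or len(ports[ip]) >= min_ports:
            out.append({"ip": ip, "denied": count, "ports": sorted(ports[ip])})
    return sorted(out, key=lambda c: (-c["denied"], c["ip"]))
```

Because the Edge log is cleared on restart, run this over messages collected by a Log Server rather than the on-box event log.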
2 From the navigation bar, click Logging. The Logging page appears with the Event Log at the bottom of the page.
Log to a WatchGuard Log Server
The WatchGuard® Log Server (previously known as the WatchGuard System Event Processor, or WSEP) is a component of the WatchGuard System Manager. If you have a Firebox® III, Firebox X Core, or Firebox X Peak, configure a primary Log Server to collect the log messages from your Firebox X Edge e-Series. You also can configure a backup Log Server.
6 Type a passphrase in the Log Encryption Key field and confirm the passphrase in the Confirm Key field. The same passphrase also must be used when the Log Server is configured to receive log messages from this Firebox X Edge. 7 If you have a backup Log Server available, type its IP address and Log Encryption Key. If the Firebox X Edge cannot connect to the primary Log Server, it will send log messages to the backup Log Server until the primary Log Server becomes available again.
CHAPTER 10 Managing Users and Groups
The Firebox® X Edge e-Series includes tools you can use to manage your network and your users. You can create users and manage access to the Internet or to your VPN tunnels with user authentication. Or, you can allow free access to the Internet and VPN tunnels to all users.
Active Sessions
A session is created when traffic goes from a computer on the trusted or optional network to a computer on the external network. For example, when a user on your trusted network opens a browser to connect to a web site on the Internet, a session starts on the Firebox® X Edge.
Note Only sessions from computers on the trusted or optional network to computers on the external network use a user license.
• The authenticated user manually stops the session. To stop the session, the user clicks the Logout button on the Login Status dialog box and closes all open browser windows. You can increase the number of sessions available with a license upgrade. For more information, see the FAQ: https://www.watchguard.com/support/AdvancedFaqs/edge_seatlicense.asp License upgrades are available from your reseller or from the WatchGuard® web site: http://www.watchguard.
About User Licenses
The Firebox® X Edge e-Series comes with a set number of available user licenses. The number of user licenses puts a limit on how many users can access the Internet at one time. The total number of available user licenses is set by the Edge model you have and any upgrade licenses you apply. The Firebox Users page shows the maximum number of user licenses available and how many are in use at a given time.
3 Use the definitions below to help you change your parameters. Click Submit. • Require User Authentication (Enable local user accounts): When you select this check box, all hosts must authenticate to the Firebox X Edge to send or receive network traffic. If you do not select this check box, there is no user-based control for access to the Internet or VPN tunnels.
Configuring MUVPN client settings
The MUVPN client settings apply to all MUVPN connections to the Firebox X Edge e-Series. To configure MUVPN client settings: 1 Use your browser to connect to the System Status page. From the navigation bar, select Firebox Users > Settings. The Settings page appears. 2 If necessary, use the scroll bar to scroll to the Firebox User Common MUVPN Client Settings section. 3 You can lock the MUVPN client security policy (.
If you are using local authentication, you must type your name as it appears in the Firebox user list. If you use Active Directory or another LDAP server for authentication through the Firebox X Edge, you must include the domain name. For example, if a user authenticates using the local Firebox user list, he or she types jsmith. If the admin user authenticates with an LDAP authentication server through the Edge, the administrator must type MyCompany\jsmith.
7 In the Password field, type a password with a minimum of eight characters. Mix eight letters, numbers, and symbols. Do not use a word you can find in a dictionary. For increased security use a minimum of one special symbol, a number, and a mixture of uppercase and lowercase letters. 8 Type the password again in the Confirm Password field. 9
down list. You must first create WebBlocker profiles in the WebBlocker > Profiles area of the Firebox X Edge configuration pages. For more information on WebBlocker profiles, see “Creating WebBlocker Profiles” on page 123.
Enabling MUVPN for a user
To enable MUVPN for a new user, see “Connecting and Disconnecting the MUVPN Client” on page 156.
The Administrator account
The Firebox X Edge e-Series has a built-in administrator account that cannot be deleted.
Using LDAP/Active Directory Authentication
If you use LDAP authentication, you do not have to keep a separate user database on the Firebox® X Edge. You can configure the Edge to forward user authentication requests to a generic LDAP or Active Directory server. You can use LDAP authentication and local Firebox authentication at the same time. With LDAP authentication, user privileges are controlled on a group basis.
2 From the navigation bar, select Firebox Users > Settings. The Firebox Users Settings page appears. 3 Select the Enable LDAP authentication check box. If user authentication is not enabled in the top section of this configuration page, the LDAP Authentication Service section is not active. 4 In the Domain Name text box, type the name of the LDAP domain. Do not include the top-level domain. The domain (or host) name is the part of your company’s URL that ends with .com, .
The Group Attribute Name is the name of the group membership attribute of user entries in the LDAP directory. 11 Click Submit.
Using the LDAP authentication test feature
After the Firebox X Edge e-Series is configured to use LDAP authentication, you can use the LDAP authentication test feature to make sure the Edge can connect to the LDAP server.
2 From the navigation bar, select Firebox Users > New Group. The Firebox Users New Group page appears. 3 In the Account Name text box, type the name of the new group. This name must match the name of a group in the LDAP directory. This name must contain only letters, numbers, and the underscore (_) or dash (-) characters. Spaces are not permitted. 4 In the Description text box, you can enter a description of the group. This field is optional. 5
LDAP Authentication and MUVPN
Because MUVPN settings cannot be assigned at the group level, you must create a local Firebox user account for the user and add MUVPN settings for the user on the MUVPN. See “Using Local Firebox Authentication” on page 113 for more information.
Allowing Internal Hosts to Bypass User Authentication
You can make a list of internal hosts that bypass user authentication settings.
CHAPTER 11 Configuring WebBlocker
WebBlocker is an option for the Firebox® X Edge e-Series that gives you control of the web sites that are available to your users. Some companies restrict access to some web sites to increase employee productivity. Other companies restrict access to offensive web sites.
Note You must purchase the WebBlocker upgrade to use this feature.
To configure WebBlocker: 1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2 From the navigation bar, select WebBlocker > Settings. The WebBlocker Settings page appears. 3 Select the Enable WebBlocker check box to turn on the WebBlocker feature. 4
Adult/Sexually Explicit. This web site does not comply with our Internal Use Policy. 9 Click Submit.
Creating WebBlocker Profiles
A WebBlocker profile is a set of restrictions you apply to users or groups of users on your network. You can create different profiles, with different groups of restrictions. For example, you can create a profile for new employees with more restrictions than for other employees.
To remove a profile, from the WebBlocker Profiles page, select the profile from the Profile drop-down list. Click Delete.
Note If you do not use user authentication, the default WebBlocker profile is applied to all users. For more information about user authentication, see Chapter 10, “Managing Users and Groups”.
WebBlocker Categories
The WebBlocker database contains nine groups of categories with 40 individual categories.
Category / Description of Content
Category: Adult/Sexually Explicit
• Sexually oriented or erotic full or partial nudity
• Depictions or images of sexual acts, including inanimate objects used in a sexual manner
• Erotic stories and textual descriptions of sex acts
• Sexually exploitive or sexually violent text or graphic
• Bondage, fetishes, genital piercing
• Adult products including sex toys, CD-ROMs, and videos
• Adult services including videoconferencing, escort services, an
Category: Computing and Internet
• Reviews, information, computer buyer’s guides, computer parts and accessories, and software
• Computer/software/Internet companies, industry news, and magazines
• Pay-to-surf sites
• Downloadable (non-streaming) movie, video, or sound clips
• Downloadable mobile phone/PDA software, including themes, graphics, and ringtones
• Freeware and shareware sites
• Personal storage and backup
• Clip art, fonts, and animated GIF pages
Category: Food & Drink
• Recipes, cooking instruction and tips, food products, and wine advisors
• Restaurants, cafes, eateries, pubs, and bars
• Food/drink magazines and reviews
Category: Gambling
• Online gambling or lottery web sites that invite the use of real money
• Information or advice for placing wagers, participating in lotteries, gambling real money, or running numbers
• Virtual casinos and offshore gambling ventures
• Sports picks and betting pools
• Virt
Category: Hate Speech
• Advocating or inciting degradation of or attacks on specified populations or institutions based on associations such as religion, race, nationality, gender, age, disability, or sexual orientation
• Promoting a political or social agenda that is supremacist in nature or exclusionary of others based on their race, religion, nationality, gender, age, disability, or sexual orientation
• Holocaust revisionist/denial sites
• Coercion or recr
Category: Hosting Sites
• Web sites that host business and individual web pages (i.e. GeoCities, earthlink.
Category: Sex Education
• Pictures or text advocating the proper use of contraceptives, including condom use, the correct way to wear a condom, and how to put a condom in place
• Sites related to discussion about the use of birth control pills, IUDs, and other types of contraceptives
• Discussion sites on how to talk to your partner about diseases, pregnancy, and respecting boundaries
Note: Not included in this category are commercial sites that sell sexual p
Category: Violence
• Portraying, describing, or advocating physical assault against humans, animals, or institutions
• Depictions of torture, mutilation, gore, or horrific death
• Advocating, encouraging, or depicting self-endangerment or suicide, including the use of eating disorders or addictions
• Instructions, recipes, or kits for making bombs and other harmful or destructive devices
• Sites promoting terrorism
• Excessively violent sports or games (includ
Allowing Certain Sites to Bypass WebBlocker
WebBlocker can deny a web site that is necessary for your work. You can override WebBlocker using the Allowed Sites feature. For example, employees in your company frequently use web sites that contain medical information. Some of these web sites are forbidden by WebBlocker because they fall into the sex education category. To override WebBlocker, you add the web site’s IP address or its domain name to the Allowed Sites record.
the web site’s IP address or domain name to WebBlocker to make sure your employees cannot look at this web site. 1 From the navigation bar, select WebBlocker > Denied Sites. The WebBlocker Denied Sites page appears. 2 From the drop-down list, select host IP address or domain name. 3 Type the host IP address or domain name of the denied web site. Repeat step 3 for each additional host, IP address, or domain name you wish to add to the Denied Sites list.
cate to get access to the Internet. No WebBlocker rules apply to the users on this list. For more information about user authentication, see “Managing Users and Groups” on page 107. 1 From the navigation bar, select Firebox Users > Trusted Hosts. The Firebox Users Trusted Hosts page appears. 2 In the Host IP Address text box, type the IP address of the computer on your trusted or optional network to allow to browse the Internet without authentication restrictions. 3 Click Add.
Configuring Virtual Private Networks CHAPTER 12 Configuring Virtual Private Networks A VPN (Virtual Private Network) creates secure connections between computers or networks in different locations. This connection is known as a tunnel. The networks and hosts on a VPN tunnel can be corporate headquarters, branch offices, remote users, or telecommuters. When a VPN tunnel is created, the two tunnel endpoints are authenticated. Data in the tunnel is encrypted.
Configuring Virtual Private Networks • You must have an Internet connection. • The ISP for each VPN device must let IPSec go across their networks. Some ISPs do not let you create VPN tunnels on their networks unless you upgrade your Internet service to a level that supports VPN tunnels.
Server, your Edge is a client of the Management Server in a client-server relationship. The Edge gets all of its VPN configuration from the Management Server. To configure a Firebox X Edge to allow WatchGuard System Manager access for the creation of VPN tunnels, see “Setting up WatchGuard System Manager Access” on page 38.
Sample VPN Address Information Table
External IP Address: The IP address that identifies the IPSec-compatible device on the Internet. Assigned by: ISP. Example: Site A 207.168.55.2, Site B 68.130.44.15.
Local Network Address: An address used to identify a local network. These are the IP addresses of the computers on each side that are allowed to send traffic through the VPN tunnel. The local networks on the two sides of the tunnel must not overlap; if both Edges still use the default trusted network, change one of them before you create the tunnel.
2 From the navigation bar, select VPN > Manual VPN. The Manual VPN page appears. 3 Click Add. The Add Gateway page appears. 4 Type the tunnel name and shared key. The tunnel name is for your identification only. The shared key is a passphrase that the two devices use to authenticate each other when the tunnel is negotiated; the keys that encrypt the data on the VPN tunnel are derived during that negotiation. The two devices must use the same passphrase, or they cannot authenticate each other and the tunnel does not come up. Use a long, random passphrase and do not reuse it for other tunnels.
- If your Firebox X Edge or remote VPN device has a static external IP address, set the local ID type to IP Address. Type the external IP address of the Edge or device as the local ID. - If your Firebox X Edge or remote VPN device has a dynamic external IP address, you must select Aggressive Mode and the device must use Dynamic DNS. For more information, see “Registering with the Dynamic DNS Service” on page 58. Set the local ID type to Domain Name. Note that in Aggressive Mode the shared-key authentication hash is sent before the exchange is encrypted, so anyone who captures the negotiation can try to crack the shared key offline; a long, random shared key is essential here.
- First, set the device to Bridge Mode. In Bridge Mode, the Edge gets the public IP address on its external interface. Refer to the manufacturer of your NAT device for more information. - Set up Dynamic DNS on the Firebox X Edge. For information, see “Registering with the Dynamic DNS Service” on page 58. In the Phase 1 settings of the Manual VPN, set the local ID type to Domain Name. Enter the DynDNS domain name as the Local ID.
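As an added example (editor-supplied Python, not code from the guide or from WatchGuard), the following checks a two-site Manual VPN address plan against the rules above: it picks the Phase 1 local ID for each site the way the guide prescribes (IP Address for a static public address; Domain Name with Dynamic DNS for a dynamic address, or for an Edge whose external address is private because it sits behind a NAT device), flags overlapping local networks, and rejects a short shared key, with an extra warning when Aggressive Mode is in play. The minimum key length, the CIDR notation for local networks and the Site C/D/E values in the usage block are assumptions; the Site A and Site B external addresses are the ones from the sample table.

```python
import ipaddress
import secrets
from dataclasses import dataclass

MIN_SHARED_KEY_LEN = 20  # local policy assumption; the guide sets no minimum


@dataclass
class VpnSite:
    name: str
    external_ip: str             # External IP Address, assigned by the ISP
    local_network: str           # Local Network Address in CIDR form (assumed notation)
    dynamic_external_ip: bool = False
    dyndns_name: str = ""        # Dynamic DNS name, needed for a Domain Name local ID


def phase1_local_id(site):
    """Phase 1 local ID settings for one site, following the guide's rules."""
    ext = ipaddress.ip_address(site.external_ip)
    if site.dynamic_external_ip or ext.is_private:
        if not site.dyndns_name:
            raise ValueError(site.name + ": a Domain Name local ID needs a Dynamic DNS name")
        # Aggressive Mode is what the guide requires for a dynamic address.
        return {"id_type": "Domain Name", "local_id": site.dyndns_name,
                "aggressive_mode": site.dynamic_external_ip}
    return {"id_type": "IP Address", "local_id": site.external_ip,
            "aggressive_mode": False}


def check_vpn_plan(site_a, site_b, shared_key):
    """Return a list of findings for a two-site plan; an empty list means it checks out."""
    findings = []
    net_a = ipaddress.ip_network(site_a.local_network, strict=False)
    net_b = ipaddress.ip_network(site_b.local_network, strict=False)
    if net_a.overlaps(net_b):
        findings.append(f"local networks overlap ({net_a} and {net_b}); renumber one side")
    aggressive = False
    for site in (site_a, site_b):
        if ipaddress.ip_address(site.external_ip).is_private:
            findings.append(f"{site.name}: external address {site.external_ip} is private, so the Edge "
                            "sits behind a NAT device; set that device to Bridge Mode and use Dynamic DNS")
        try:
            aggressive = aggressive or phase1_local_id(site)["aggressive_mode"]
        except ValueError as err:
            findings.append(str(err))
    if len(shared_key) < MIN_SHARED_KEY_LEN:
        findings.append(f"shared key is {len(shared_key)} characters; use at least {MIN_SHARED_KEY_LEN}")
        if aggressive:
            findings.append("Aggressive Mode reveals the shared-key authentication hash to an "
                            "eavesdropper, so a short shared key can be cracked offline")
    return findings


def new_shared_key(nbytes=32):
    """Random shared key, long enough to paste into both devices as the passphrase."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    site_a = VpnSite("Site A", "207.168.55.2", "192.168.111.0/24")
    site_b = VpnSite("Site B", "68.130.44.15", "192.168.112.0/24")
    key = new_shared_key()
    print(phase1_local_id(site_a), phase1_local_id(site_b))
    print(check_vpn_plan(site_a, site_b, key) or "plan OK")
    # Both sides left on the same default trusted network, weak key:
    clash = VpnSite("Site B", "68.130.44.15", "192.168.111.0/24")
    print(check_vpn_plan(site_a, clash, "secret"))
    # Edge behind a NAT router (private external address) with a DynDNS name:
    natted = VpnSite("Site C", "192.168.1.2", "10.0.5.0/24", dyndns_name="sitec.dyndns.example")
    print(phase1_local_id(natted), check_vpn_plan(site_a, natted, key))
```

Run the checks before you fill in the Add Gateway page; the overlap finding in particular is the one that otherwise shows up only as a tunnel that negotiates fine but passes no traffic.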
7 Click Submit. VPN Keep Alive To keep the VPN tunnel open when there are no connections through it, you can use the IP address of a computer at the other end of the tunnel as an echo host. The Firebox® X Edge e-Series sends a ping each minute to the specified host. Use the IP address of a host that is always online and that can respond to ping messages. You can enter the trusted interface IP address of the Firebox that is at the other end of the tunnel.
4 Click Submit. Viewing VPN Statistics You can monitor Firebox® X Edge e-Series VPN traffic and troubleshoot the VPN configuration with the VPN Statistics page. To see the VPN Statistics page: 1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 2 From the navigation bar, select System Status > VPN Statistics.
How do I set up more than the number of allowable VPNs on my Edge? The number of VPN tunnels that you can create on your Firebox X Edge e-Series is set by the Edge model you have. You can purchase a model upgrade for your Edge to make more VPN tunnels. You can purchase a Firebox X Edge Model Upgrade from a reseller or from the WatchGuard® web site: http://www.watchguard.com/products/purchaseoptions.
CHAPTER 13 Configuring the MUVPN Client Mobile User VPN lets remote users connect to your internal network through a secure, encrypted channel. The MUVPN client is a software application that is installed on a remote computer. The client makes a secure connection from the remote computer to your protected network through an unsecured network. The MUVPN client uses Internet Protocol Security (IPSec) to secure the connection.
“Distributing the Software and the .wgx File” on page 148 for information about how to get these items and how to give them securely to the remote user. The remote user’s computer must have the correct networking components for MUVPN to operate correctly. See “Preparing Remote Computers for MUVPN” on page 149 to be sure that the user’s computer is prepared to install and use MUVPN software. When the user has the MUVPN installation files and the .
Required The mobile user must use a virtual adapter to connect with the MUVPN client. If the virtual adapter is not available on the MUVPN client computer, the VPN tunnel cannot connect. The remote computer is assigned the WINS and DNS addresses you entered in the Firebox Users > Settings area of the Firebox X Edge configuration pages. • Type the IP addresses of the DNS and WINS servers for the MUVPN clients.
Configuring the Edge for MUVPN clients using a Pocket PC To create a MUVPN tunnel between the Firebox X Edge e-Series and your Pocket PC, you must configure the Firebox User account differently. Follow the previous procedure, but select Pocket PC from the VPN Client Type drop-down list. Note WatchGuard® does not distribute a MUVPN software package for Pocket PCs. You must follow the software manufacturer’s instructions to configure their software and the Pocket PC.
- At the prompt, save the .wgx file to your computer. Give these two files to the remote user. Give the MUVPN software and the .wgx file to the remote user. You also must give the user the shared key you used when you enabled the Firebox User account to use MUVPN, as described in “Enabling MUVPN for Firebox X Edge e-Series Users” on page 146. The user uses this shared key at the end of the installation process. Note The shared key is highly sensitive information. Give it to the user through a different channel from the one you use for the .wgx file, and never in the same e-mail message.
ers, the IP addresses of the WINS and DNS servers must be configured on the remote computer or they must be assigned by the Edge when the VPN tunnel connects. If the MUVPN client uses the virtual adapter, the WINS and DNS server IP addresses are assigned to the remote computer when the VPN tunnel is created.
5 Click the DNS tab and click Add. 6 Type the IP address of your DNS server. To add more DNS servers, repeat steps 5 and 6 for each server. Note The DNS server on the private network of the Firebox X Edge must be the first server in the list. 7 Click the WINS Address tab, type the IP address of your WINS server in the applicable field, and then click OK. You also can add a secondary or backup WINS server IP address. 8 Click Close to close the Network window.
Installing the Client for Microsoft Networks on Windows 2000 From the connection window Networking tab: 1 Click Install. The Select Network Component Type window appears. 2 Double-click the Client network component. The Select Network Protocol window appears. 3 Select the Client for Microsoft Networks network client and click OK. Configuring WINS and DNS settings on Windows 2000 The remote computer must be able to connect to the WINS and DNS servers.
- Internet Protocol (TCP/IP) - File and Printer Sharing for Microsoft Networks - Client for Microsoft Networks Installing the Internet Protocol (TCP/IP) Network Component on Windows XP From the connection window Networking tab: 1 Click Install. The Select Network Component Type window appears. 2 Double-click the Protocol network component. The Select Network Protocol window appears.
Note The DNS server on the private network of the Firebox X Edge must be the first server in the list. 7 Select the Append these DNS suffixes (in order) radio button. 8 Below the radio button, click Add. The TCP/IP Domain Suffix window appears. 9 Enter the domain suffix for your network’s private domain and click Add. To add more DNS suffixes, repeat steps 8 and 9. 10 Click the WINS tab. 11 From the section WINS addresses, in order of use, click Add.
10 Click Next to install the files. A command prompt window appears during the installation. The command prompt can stay open for more than one minute. This is normal. After the files are installed, the command window closes automatically and the installation continues. 11 After the installation is complete, click Finish. 12 The InstallShield wizard looks for a user profile. Use the Browse button to find and select the folder containing the .wgx file. Click Next.
12 Right-click Mobile User VPN and select Delete to remove this selection from your Start menu. Connecting and Disconnecting the MUVPN Client The MUVPN client software makes a secure connection from a remote computer, across the Internet, to your protected network. To start this connection, you must connect to the Internet and then use the MUVPN client to connect to the protected network.
The MUVPN client is connected with one or more secure MUVPN tunnels, but it is not sending data. Activated, Connected, and Transmitting Unsecured Data The MUVPN client started one or more secure MUVPN tunnel connections. The red bar on the right of the icon tells you that the client is sending data that is not secure. Activated, Connected, and Transmitting Secured Data The MUVPN client started one or more secure MUVPN tunnels.
2 Select Shutdown ZoneAlarm. The ZoneAlarm window appears. 3 Click Yes. Monitoring the MUVPN Client Connection The Log Viewer and the Connection Monitor are installed with the MUVPN client. These tools let you monitor the MUVPN connection and troubleshoot problems. Using Log Viewer Use Log Viewer to show the connections log. This shows the events that occur when the MUVPN tunnel is started.
- for a connection to a secure gateway tunnel - when a phase 2 SA connection has not been made at this time - when a phase 2 SA connection cannot be made • A key tells you that the connection has a phase 2 SA. This connection also can have a phase 1 SA. • An animated black line below a key tells you that the client is sending or receiving secure IP traffic.
Here is a list of some programs that must be allowed through the ZoneAlarm personal firewall when you use their associated software applications.
Programs that must be allowed:
- MUVPN client: IreIKE.exe, MuvpnConnect.exe
- MUVPN Connection Monitor: CmonApp.exe
- MUVPN Log Viewer: ViewLog.exe
Programs that can be allowed:
- MS Outlook: OUTLOOK.exe
- MS Internet Explorer: IEXPLORE.exe
- Netscape 6.1: netscp6.exe
- Opera Web browser: Opera.exe
- Standard Windows network applications: lsass.
Using MUVPN on a Firebox X Edge e-Series Wireless Network You must protect your wireless network from unauthorized access because the signal can go out of your building. If you do not protect your network, unauthorized users can break into your network or make use of your Internet connection.
Tips for Configuring the Pocket PC WatchGuard® does not supply a Mobile User VPN software package for the Pocket PC platform. You must use the software manufacturer’s instructions to configure their software and the Pocket PC. The Firebox® X Edge e-Series allows only connections that use IPSec. The Edge does not support PPTP VPN tunnels. Here are some configuration tips for the Pocket PC.
Troubleshooting Tips You can get more information about the MUVPN client from the WatchGuard® web site: http://www.watchguard.com/support This section includes the answers to some frequently asked questions about the MUVPN client: My computer hangs immediately after installing the MUVPN client. This can be caused by one of two problems: • The ZoneAlarm® personal firewall software application is blocking normal traffic on the local network.
My mapped drives have a red X through them. Windows NT and 2000 examine and map network drives automatically when the computer starts. Because you cannot create a remote session with the company network before the computer starts, this procedure fails, which causes a red X to appear on the drive icons. To correct this problem, start a MUVPN tunnel and open the network drive. The red X for that drive disappears.
APPENDIX A Firebox X Edge e-Series Hardware The WatchGuard® Firebox® X Edge e-Series is a firewall for small organizations and branch offices.
• Two antennae (wireless models only) Specifications The specifications for the Firebox® X Edge e-Series and the Firebox X Edge e-Series Wireless are:
- Processor: X Scale (ARM) CPU, 266 MHz
- Memory, Flash: 64 MB
- Memory, RAM: 128 MB
- Ethernet interfaces: 6, each 10/100
- Serial ports: 1 DB9
- Power supply: 12V/1.2A
- Operating temperature: 0 - 40 C
- Environment: Indoor use only
- Dimensions for Firebox X Edge e-Series: Depth = 6.25 inches, Width = 7.4 inches, Height = 1.
Hardware Description The Firebox® X Edge e-Series has a simple hardware architecture. All indicator lights are on the front panel and all ports and connectors are on the rear panel of the device. Front panel The front panel of the Firebox X Edge e-Series has 18 indicator lights to show link status. The top indicator light in each pair comes on when a link is made and flashes when traffic goes through the related interface. The bottom indicator light in each pair comes on when the link speed is 100 Mbps.
Firebox X Edge e-Series can connect to the external network and send traffic. The light flashes if the Firebox X Edge e-Series cannot connect to the external network and send traffic. Attn The Attn indicator will light when you reset the Firebox X Edge e-Series to factory default settings. Power The power indicator shows that the Firebox X Edge e-Series is on. Rear view Ethernet interfaces LAN0 through LAN2 The Ethernet interfaces with the marks LAN0 through LAN2 are for the trusted network.
AC Power Adapter The AC power adapter supplies power for the Firebox X Edge e-Series. You must use the correct plug for the AC power adapter for the power source used in your country. The international plug kit includes four plugs: Q-NA (North America), Q-UK (United Kingdom), Q-EU (European Union), and Q-SAA (Asia).
Antenna directional gain Antenna directional gain is based on the shape of the radiation pattern around the antenna. The Firebox X Edge e-Series Wireless uses two 5.1 dBi swivel-mount whip antennas. The whip antenna has a radiation pattern similar to a sphere that is squashed in the center. If the antenna points up, the gain is largest in the horizontal direction and less in the vertical direction. Signal attenuation Signal attenuation refers to the loss of signal power.
APPENDIX B Legal Notifications Copyright, Trademark, and Patent Information General Information Copyright© 1998 - 2006 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, LiveSecurity, and any other mark listed as a trademark in the “Terms of Use” portion of the WatchGuard Web site that is used herein are either registered trademarks or trademarks of WatchGuard Technologies, Inc. and/or its subsidiaries in the United States and/or other countries.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by Ralf S. Engelschall ." 4.
c) rename any non-standard executables so the names do not conflict with standard executables, which must also be provided, and provide a separate manual page for each non-standard executable that clearly documents how it differs from the Standard Version. d) make other distribution arrangements with the Copyright Holder. e) permit and encourage anyone who receives a copy of the modified Package permission to make your modifications Freely Available in some specific way. 4.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of The Internet Software Consortium nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
libexpat Copyright © 1998, 1999, 2000 Thai Open Source Software Center Ltd and Clark Cooper. Copyright © 2001, 2002, 2003 Expat maintainers.
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. zlib © 1995-2004 Jean-loup Gailly and Mark Adler This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.
One or more of the following may apply to any one module: 1. chat, chatchat.c and sha1.[ch] are public domain 2. The Gnu Public License 3. The Gnu Lesser Public License Copyright © 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.
distribution of the program without specific prior permission, and notice be given in supporting documentation that copying and distribution is by permission of Livingston Enterprises, Inc. Livingston Enterprises, Inc. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. © The Regents of the University of Michigan and Merit Network, Inc.
of California, Berkeley. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. Van Jacobson (van@helios.ee.lbl.gov), Dec 31, 1989: Initial distribution. Copyright © 1985, 1986 The Regents of the University of California.
NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Copyright © 1994-2002 Paul Mackerras. All rights reserved.
THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Copyright © 2002 Google, Inc. All rights reserved.
As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell". The following files are from OpenSSH or OpenBSD and are under a 2-term BSD license with the noted copyright holders: atomicio.c, atomicio.h, bsd-poll.
Specific copyright information for each of those software programs follows the text of the GPL. GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 9 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License.
decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY RDISC OR ANY PART THEREOF. In no event will Sun Microsystems, Inc. be liable for any lost revenue or profits or other special, indirect and consequential damages, even if Sun has been advised of the possibility of such damages. Sun Microsystems, Inc. 2550 Garcia Avenue Mountain View, California 94043 Copyright (c) 1989 The Regents of the University of California.
Copyright (c) 2005, Google Inc. All rights reserved. THE "BSD" LICENCE Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
Redboot Red Hat eCos Public License v1.1 1. DEFINITIONS 1.1. "Contributor" means each entity that creates or contributes to the creation of Modifications. 1.2. "Contributor Version" means the combination of the Original Code, prior Modifications used by a Contributor, and the Modifications made by that particular Contributor. 1.3. "Covered Code" means the Original Code or Modifications or the combination of the Original Code and Modifications, in each case including portions thereof. 1.4.
Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license, subject to third party intellectual property claims: (a) to use, reproduce, modify, display, perform, sublicense and distribute the Modifications created by such Contributor (or portions thereof) either on an unmodified basis, with other Modifications, as Covered Code or as part of a Larger Work; and (b) under patents now or hereafter owned or controlled by Contributor, to Utilize the Contributor Version (or portions there
possible to put such notice in a particular Source Code file due to its structure, then you must include such notice in a location (such as a relevant directory file) where a user would be likely to look for such a notice. You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Code. However, You may do so only on Your own behalf, and not on behalf of the Initial Developer or any Contributor.
6.2. Effect of New Versions. Once Covered Code has been published under a particular version of the License, You may always continue to use it under the terms of that version. You may also choose to use such Covered Code under the terms of any subsequent version of the License published by Red Hat. No one other than Red Hat has the right to modify the terms applicable to Covered Code beyond what is granted under this and subsequent Licenses. 6.3. Derivative Works.
one party is a citizen of, or an entity chartered or registered to do business in, the United States of America: (a) unless otherwise agreed in writing, all disputes relating to this License (excepting any dispute relating to intellectual property rights) shall be subject to final and binding arbitration, with the losing party paying all costs of arbitration; (b) any arbitration relating to this Agreement shall be held in Santa Clara County, California, under the auspices of JAMS/EndDispute; and (c) any lit
Certifications and Notices WEEE Statement: WEEE is a general set of requirements dictated in the EU Directive 2002/96/EC. This Directive mandated that member EU countries enact regulations governing the Waste of Electrical and Electronic Equipment (WEEE). The Directive, and its individual transpositions into specific country laws and legislation, is aimed at the reduction of WEEE through reuse, recovery, and recycling of WEEE.
Note The antennas used for this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter. FCC Part 68 Statement (DSL Version) This equipment complies with Part 68 of the FCC Rules. A label is attached to the equipment that contains, among other information, its FCC registration number and ringer equivalence number.
CE Notice The CE symbol on your WatchGuard Technologies equipment indicates that it is in compliance with the Electromagnetic Compatibility (EMC) directive and the Low Voltage Directive (LVD) of the European Union (EU) Industry Canada This Class A digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations. Cet appareil numerique de la classe A respecte toutes les exigences du Reglement sur le materiel broulleur du Canada.
Class A Korean Notice
VCCI Notice Class A ITE
Taiwanese Class A Notice
Taiwanese Wireless Notice
Declaration of Conformity Limited Hardware Warranty This Limited Hardware Warranty (the "Warranty") applies to the enclosed Firebox hardware product, not including any associated software which is licensed pursuant to a separate end-user license agreement and warranty (the "Product"). BY USING THE PRODUCT, YOU (either an individual or a single entity) AGREE TO THE TERMS HEREOF.
1. LIMITED WARRANTY. WatchGuard warrants that upon delivery and for one (1) year thereafter (the "Warranty Period"): (a) the Product will be free from material defects in materials and workmanship, and (b) the Product, when properly installed and used for its intended purpose and in its intended operating environment, will perform substantially in accordance with WatchGuard applicable specifications.
modified or partially enforced to the maximum extent permitted by law to effectuate the purpose of this Warranty. This is the entire agreement between WatchGuard and you relating to the Product, and supersedes any prior purchase order, communications, advertising or representations concerning the Product AND BY USING THE PRODUCT YOU AGREE TO THESE TERMS.
Symbols .wgx files described 145 distributing 148 viewing available 26 Numerics 1-to-1 NAT.
C cables connecting computer and Edge 15 included in package 10, 165 channel bandwidth 170 channels, setting for wireless 68 CIDR notation 58, 82, 83, 141 Classless Inter Domain Routing 58, 82, 83, 141 Client for Microsoft Networks, installing 152 computers configuring to connect to Edge 17–18 remote, preparing for MUVPN 149–154 supported with Edge 9 configuration file, viewing 44 configuration pages description 22–30 navigating 22–30 opening 22 whether Edge uses HTTP or HTTPS 26 Connection Monitor, using t
DHCP server configuring Firebox as 51, 55 Diffie-Hellman groups 140 Digital Subscriber Line (DSL) 2 DNS described 4 dynamic DNS service 58 DVCP, described 136 Dynamic DNS client page 59 dynamic DNS service, registering with 58–60 Dynamic Host Configuration Protocol. See DHCP dynamic IP addresses and external network 46 described 4, 11 dynamic NAT. See NAT, dynamic Dynamic VPN Configuration Protocol, described 136 DynDNS.
Filter Traffic page 79, 83, 87
Firebox Users page 107, 108, 113, 115, 117, 119
  described 26
  subpages of 26
Firebox X Edge
  administrator account 115
  authenticating to 112
  back panel 168
  cabling 15
  configuring as DHCP server 51
  connecting to 4+ devices 15
  described 165
  front panel 167
  hardware description 167–168
  hardware specifications 166
  hardware specifications for 166
  installing 9–20
  lights on 167
  package contents 9, 165
  rear panel 168
  registering with LiveSecurity 20
  resetting to factory default 34
  resta
Firewall Options page 89, 91
Firewall page
  described 27
  subpages of 27–28
firewalls, described 6
firmware, updating 41–42
FTP access, denying 90

G
gateway, default 4

H
hardware description 167–168
hardware information 165–170
hardware specifications 166
HTTP proxy settings, disabling 13
HTTP server port, changing 37
HTTP/HTTPS, using for Firebox management 37

I
incoming service, creating custom 80, 85
indicator lights 167
installation
  disabling TCP/IP proxy settings 13
  setting your computer to connect to
  dynamic 11
  giving your computer static 17
  methods for assigning 10
  static 11, 46

L
LDAP authentication 116–119
  and MUVPNs 120
lights on front panel 167
LiveSecurity Service
  and software updates 41
  registering with 20
Local Area Network (LAN) 1
Log Authentication Events check box 68
log messages
  contents of 103
  viewing 103
Log Server, logging to 104
Log Viewer, using to monitor MUVPNs 158
logging
  configuring ??–37, 103–??
  described 103
  to syslog host 105
  viewing status of 28
Logging page
  described 28, 104
  s
  icon for 156–157
  installing 154
  monitoring 158–159
  preparing remote computers for 149–154
  troubleshooting 163–164
  uninstalling 155
MUVPN Clients upgrade 43
MUVPNs
  and LDAP authentication 120
  distributing .
networks, types of 1
New User page 113
numbered ports 168

O
operating region, setting for wireless 68
optional interface
  assigning static IP addresses on 57
  changing IP address of 54
  configuring 53–57
  configuring additional computers on 57
  default setting for 33
  described 7, 53
  enabling 54
  setting DHCP address reservations on 56
  using DHCP on 55
  using DHCP relay on 56
Optional Network Configuration page 54, 55, 56
options
  model upgrade 44
  MUVPN Clients 43
  seat license upgrade 43
  WAN failover 43
  WebBlocker
  numbered 168
  numbering 5
  trusted network 168
  WAN 168
  WAN1 60
  WAN2 60
power cable clip 10, 165
power input 168
PPPoE
  advanced settings for 48–49
  described 4, 11, 46
  settings for 12
profiles, creating WebBlocker 123–124
protocols
  described 2
  TCP/IP 2

Q
Quality of Service (QoS)
  configuring 94–97
  described 93
  traffic categories for 93
Quick Setup Wizard
  described 18
  running 18–??

R
read-only administrative account 114
Remote Access Services, installing 150
remote management
  enabling 38–??
  enabling with WFS 40

S
seat licenses
  described 108
  upgrade 43
serial number, viewing 24
services
  creating custom 80–81, 85–86
  creating custom incoming 80, 85
  described 4, 77
  viewing current 27
Session idle time-out field 114
session licenses 16
Session maximum time-out field 114
sessions
  closing 108
  described 108
  idle timeout 114
  maximum timeout 114
  viewing current active 108
  viewing currently active 108
Settings page 110
shared secret 138
signal attenuation 170
sites, blocking 89
SSID (Service Set Identifier) 68
SSID broadcast
  green triangle on 24
  information on 24
  navigation bar 23
System Time page 36
system time, setting 35

T
TCP (Transmission Control Protocol) 2
TCP/IP
  described 2
  properties, determining 11–12
time zone
  setting 35
  setting with Quick Setup Wizard 19
To 99
traffic
  categories of 94
  causes for slow 93
  described 93
  high priority 94
  interactive 94
  logging all outbound 90
  low priority 94
  managing 93–97
  medium priority 94
traffic control filter, defining 96
Traffic Control page 95
Trusted Hosts page 120, 134
trusted
Update page 42
updating software 31
upgrade options
  activating 42
  viewing status of 24
Upgrade page 43
user accounts
  changing name, password 115
  configuring MUVPN settings 112
  configuring MUVPN settings for all 146
  creating new 113
  deleting 109
  editing 109
  enabling MUVPN access for 147
  read-only administrative 114
  setting WebBlocker profile for 114, 119
  viewing 109
  viewing current 26
  viewing statistics on 26
user authentication.
  Phase 2 141
  special considerations for 135
  troubleshooting connections 143
  viewing statistics on 143
  what you need to create 135

W
wall mounting plate 168
WAN Failover
  configuring 60
  described 43, 60
  using broadband connection for 61
WAN Failover page 61
WAN Failover Setup Wizard 61
WAN ports
  described 168
  WAN1 60
  WAN2 60
WatchGuard Firebox System (WFS)
  enabling remote management with 40–41
WatchGuard Logging page 104
WatchGuard Security Event Processor 104
WatchGuard System Manager
  enabling remote managem
WebBlocker Settings page 122, 123
Wide Area Network (WAN), described 1
Windows 2000, preparing for MUVPN clients 151
Windows 98/ME, preparing for MUVPN clients 150
Windows NT, preparing for MUVPN clients 150
Windows XP
  installing File and Printer Sharing for Microsoft Networks on 153
  installing Internet Protocol (TCP/IP) Network Component on 153
  preparing for MUVPN clients 152
WINS and DNS settings, configuring 150, 152
wireless card, configuring 74
wireless communication
  antenna directional gain 170
  channel