WatchGuard® Firebox® X Edge User Guide Firebox X Edge - Firmware Version 7.
Notice to Users Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc. Copyright, Trademark, and Patent Information Copyright© 1998 - 2005 WatchGuard Technologies, Inc. All rights reserved.
End-User License Agreement AGREEMENT. Nothing in this AGREEMENT constitutes a waiver of our rights under U.S. copyright law or any other law or treaty. 2. Permitted Uses. You are granted the following rights to the SOFTWARE PRODUCT: (A) You may install and use the SOFTWARE PRODUCT on any single WATCHGUARD hardware product at any single location and may install and use the SOFTWARE PRODUCT on multiple workstation computers.
OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, ANY WARRANTY OF NONINFRINGEMENT, ANY WARRANTY THAT THE SOFTWARE PRODUCT WILL MEET YOUR REQUIREMENTS, ANY WARRANTY OF UNINTERRUPTED OR ERRORFREE OPERATION, ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY IN TORT, WHETHER OR NOT
Abbreviations Used in this Guide
Firmware Version: 7.2
Part Number: 1776-0000
Guide Version: 7.
ADDRESS: 505 Fifth Avenue South, Suite 500, Seattle, WA 98104
SUPPORT: www.watchguard.
ABOUT WATCHGUARD: WatchGuard network security solutions provide small- to mid-sized enterprises worldwide with effective, affordable security. Our Firebox line of extendable, integrated security appliances is designed to be fully upgradeable as an organization grows, and to deliver the industry's best combination of security, performance, intuitive interface, and value. WatchGuard Intelligent Layered
Contents
CHAPTER 1 Introduction to Network Security ..... 1
Network Security ..... 1
About Networks ..... 2
Clients and servers ..... 2
Connecting to the Internet ..... 2
Protocols .....
Static addresses, DHCP, and PPPoE ..... 13
Finding your TCP/IP properties ..... 14
Finding PPPoE settings ..... 17
Disabling the HTTP Proxy Setting ..... 17
Connecting the Firebox X Edge ..... 19
Connecting the Edge to more than seven devices ..... 20
Setting Your Computer to Connect to the Edge .....
Setting trusted network DHCP address reservations ..... 55
Configuring the trusted network for DHCP relay ..... 56
Using static IP addresses for trusted computers ..... 57
Adding computers to the trusted network ..... 57
Configuring the Optional Network ..... 58
Enabling the optional network ..... 59
Changing the IP address of the optional network .....
Configuring Incoming Services ..... 89
Configuring common services for incoming traffic ..... 90
About custom services for incoming traffic ..... 91
Adding a custom service using the wizard ..... 91
Adding a custom incoming service manually ..... 92
Filtering traffic for incoming services ..... 94
Configuring Outgoing Services .....
Managed VPN: With a Firebox III or Firebox X and WatchGuard System Manager 8.0 ..... 131
Setting up a Firebox X Edge for managed VPN ..... 132
Managed VPN: With a Firebox III or Firebox X and WatchGuard System Manager 7.3 ..... 135
Getting information about the DVCP Server ..... 136
Setting up the Edge for Basic DVCP .....
Allowing traffic through ZoneAlarm ..... 174
Shutting down ZoneAlarm ..... 175
Uninstalling ZoneAlarm ..... 175
Using MUVPN on the Edge Wireless Network ..... 176
Tips for Configuring the Pocket PC ..... 177
Troubleshooting Tips .....
Side panels ..... 211
About IEEE 802.11g/b Wireless ..... 212
Noise level ..... 212
Signal strength (Watts) ..... 213
Channel bandwidth ..... 214
APPENDIX B Legal Notifications .....
xiv WatchGuard Firebox X Edge
CHAPTER 1 Introduction to Network Security Thank you for your purchase of the WatchGuard® Firebox® X Edge. This security device helps protect your computer network from threat and attack. This chapter gives you basic information about networks and network security. This information can help you when you configure the Edge. If you are experienced with computer networks, we recommend that you go to the subsequent chapter.
About Networks
A network is a group of computers and other devices that are connected to each other. It can be two computers that you connect by a serial cable or many computers connected by data communication links located around the world. A Local Area Network (LAN) is a group of computers connected to make a common work environment. This makes it easy to share applications and data, and is important when a group of people must do work together on one project.
Digital Subscriber Line (DSL) Internet connectivity, unlike cable modem-based service, gives the user dedicated bandwidth. However, the maximum bandwidth available to DSL users is usually lower than the maximum cable modem rate because of differences in their respective network technologies. Also, the “dedicated bandwidth” is dedicated only between your home or office and the DSL provider's central office. The provider gives no guarantee of bandwidth across the Internet.
How Information Travels on the Internet
The data that you send through the Internet is cut into units, or packets. Each packet includes the Internet address of the destination. The packets that make up a file can use different routes through the Internet. When they all get to their destination, they are assembled back into the original file. To make sure that the packets get to the destination, address information is added to the packets.
IP Addresses
To send mail to a person, you must first know the person’s street address. When a computer connects to the Internet to send data to a different computer, it must first know the address of that computer. A computer address is known as an IP address. Each computer that is directly reachable on the Internet has a unique public IP address. An IPv4 address is written as four numbers, each from 0 to 255, separated by periods. Examples of IP addresses are: • 192.168.0.11 • 10.1.20.18 • 208.15.15.
The first two examples are private addresses. Private address ranges are reserved for internal networks, such as the Edge trusted network, and are not routed on the Internet; when a trusted computer sends traffic out, the Edge sends it from the Edge's own external address.
About PPPoE
Some ISPs assign their IP addresses through Point-to-Point Protocol over Ethernet (PPPoE). PPPoE expands a standard dial-up connection to add some of the features of Ethernet and PPP. This system allows the ISP to use the billing, authentication, and security systems of their dial-up infrastructure with DSL modem and cable modem products.
Domain Name System (DNS)
If you do not know the address of a person, you can frequently find it in the telephone directory.
Some services are necessary, but each service you add to your security policy can also add a security risk. To send and receive data, you must “open a door” in your computer, which puts your network at risk. Attackers can use open access of a service to try to get into a network. We recommend that you only add services that are necessary for your business.
Ports
Usually, a port is a connection point where you use a socket and a plug to connect two devices.
Firewalls
A firewall divides your internal network from the Internet to decrease risk from an external attack. We refer to the computers and networks on the Internet as the external network. The computers on the internal side of the firewall are protected. We refer to these as trusted computers. The figure below shows how a firewall divides the trusted network from the Internet.
Firewalls can be in the form of hardware or software. They can prevent unauthorized Internet users from accessing private networks connected to the Internet. All messages that enter or go out of the trusted or protected networks go through the firewall, which examines each message and denies those that do not match the security criteria.
Firebox® X Edge and Your Network
The Firebox® X Edge controls all traffic between the external network and the trusted network. The Edge connects to a cable modem, DSL modem, or ISDN router. The Web-based user interface of the Firebox X Edge lets you manage your network safely. You can manage your Edge from different locations and at different times. It gives you more time and resources to use on other components of your business.
CHAPTER 2 Installing the Firebox X Edge To install the WatchGuard® Firebox® X Edge in your network, you must complete these steps: • Identify and record the TCP/IP properties for your Internet connection. • Disable the HTTP proxy properties of your Web browser. • Connect the Firebox X Edge to your network. • Connect your computer to the Edge. • Use the Quick Setup Wizard to configure the Edge. • Activate the LiveSecurity® Service.
• A power cable clip. Use this clip to attach the cable to the side of the Edge. It decreases the tension on the power cable.
• One straight-through Ethernet cable
• A wall mount plate (Wireless models only)
• Two antennae (Wireless models only)
Installation Requirements
The Firebox® X Edge installation requirements are:
• A computer with a 10/100BaseT Ethernet network interface card to configure the Firebox.
• A Web browser. You can use Netscape 7.
• An Internet connection. The external network connection can be a cable or DSL modem with a 10/100BaseT port, an ISDN router, or a direct LAN connection. If you have problems with your Internet connection, call your Internet Service Provider (ISP) to solve the problem before you install the Firebox X Edge.
Identifying Your Network Settings
You use an Internet Service Provider (ISP) to connect to the Internet.
• DHCP: A dynamic IP address is an IP address that an ISP lets you use (lease). With DHCP, your computer does not always use the same IP address. When you close an Internet connection that uses a dynamic IP address, the dynamic address is made available again. Then the ISP can assign that IP address to a different customer. ISPs use Dynamic Host Configuration Protocol (DHCP) to assign you a dynamic IP address.
Your TCP/IP Properties Table
TCP/IP Property     Value
IP Address          ___.___.___.___
Subnet Mask         ___.___.___.___
Default Gateway     ___.___.___.___
DHCP Enabled        Yes / No
DNS Server(s)       Primary: ___.___.___.___
To find your TCP/IP properties, use the instructions for your computer operating system.
Microsoft Windows 2000, Windows 2003 and Windows XP
1 Click Start > Programs > Accessories > Command Prompt.
2 At the command prompt, type ipconfig /all and then press Enter.
3 Record the values in Your TCP/IP Properties Table on page 15.
4 Close the window.
Microsoft Windows NT
1 Click Start > Programs > Command Prompt.
2 At the command prompt, type ipconfig /all and then press Enter.
Macintosh OS 10
1 Click the Apple menu > System Preferences > Network > TCP/IP.
2 Record the values in Your TCP/IP Properties Table on page 15.
3 Close the window.
Other operating systems (Unix, Linux)
1 Read your operating system guide to find the TCP/IP settings.
2 Record the values in Your TCP/IP Properties Table on page 15.
3 Exit the TCP/IP configuration screen.
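The Python script below is an added example, not part of this guide or of WatchGuard's software. It reads the text that ipconfig /all prints on Windows 2000/XP, fills in the rows of Your TCP/IP Properties Table for the adapter that has an address, and reports which Configuration Mode (DHCP or Manual Configuration) the Edge external interface will need. The ipconfig output embedded in it is constructed; the adapter name and the 203.0.113.x addresses are placeholders.

```python
"""Fill the guide's 'Your TCP/IP Properties Table' from `ipconfig /all` output.

Added example, not from the WatchGuard guide. SAMPLE_IPCONFIG is a
constructed copy of the Windows 2000/XP output layout; the adapter name
and the 203.0.113.x addresses are placeholders.
"""
import re

SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : office-pc
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.net
        Description . . . . . . . . . . . : Generic 10/100 Ethernet Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 203.0.113.25
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 203.0.113.1
        DHCP Server . . . . . . . . . . . : 203.0.113.1
        DNS Servers . . . . . . . . . . . : 203.0.113.2
                                            203.0.113.3
        Lease Obtained. . . . . . . . . . : Monday, May 02, 2005 8:00:00 AM
"""

# ipconfig label (lower case) -> key used below; "ipv4 address" is the
# label newer Windows versions print instead of "ip address".
FIELDS = {
    "ip address": "ip_address",
    "ipv4 address": "ip_address",
    "subnet mask": "subnet_mask",
    "default gateway": "default_gateway",
    "dhcp enabled": "dhcp_enabled",
    "dns servers": "dns_servers",
}

ADAPTER_RE = re.compile(r"^(?P<name>\S.*adapter .+):\s*$")
# Indented "Label . . . : value" line; the label ends where the dot leader starts.
FIELD_RE = re.compile(r"^\s+(?P<label>[A-Za-z][A-Za-z\- ]*?)[ .]*:\s*(?P<value>.*?)\s*$")


def parse_ipconfig(text):
    """Return {adapter name: {key: value}} for every adapter in the output."""
    adapters = {}
    current = None
    last_key = None          # set while a multi-line field (DNS Servers) continues
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group("name"), {"dns_servers": []})
            last_key = None
            continue
        if current is None:
            continue         # still in the global "Windows IP Configuration" block
        m = FIELD_RE.match(line)
        if m:
            key = FIELDS.get(m.group("label").strip().lower())
            value = m.group("value")
            last_key = key
            if key == "dns_servers":
                if value:
                    current["dns_servers"].append(value)
            elif key == "dhcp_enabled":
                current[key] = value.lower() == "yes"
            elif key:
                current[key] = value
        elif line.strip() and last_key == "dns_servers":
            current["dns_servers"].append(line.strip())   # continuation line, no label
        else:
            last_key = None
    return adapters


def tcpip_properties(text, adapter=None):
    """Rows of the guide's table for one adapter (default: the first with an IP address)."""
    adapters = parse_ipconfig(text)
    if adapter is None:
        adapter = next((n for n, p in adapters.items() if p.get("ip_address")), None)
    if adapter is None or adapter not in adapters:
        raise ValueError("no adapter with an IP address found")
    p = adapters[adapter]
    return {
        "IP Address": p.get("ip_address", ""),
        "Subnet Mask": p.get("subnet_mask", ""),
        "Default Gateway": p.get("default_gateway", ""),
        "DHCP Enabled": "Yes" if p.get("dhcp_enabled") else "No",
        "DNS Server(s)": list(p["dns_servers"]),
    }


def edge_external_mode(props):
    """Configuration Mode to choose on the Edge's External page for this ISP link."""
    return "DHCP" if props["DHCP Enabled"] == "Yes" else "Manual Configuration"


if __name__ == "__main__":
    table = tcpip_properties(SAMPLE_IPCONFIG)
    for name, value in table.items():
        print(f"{name:16} {value}")
    print("Edge external mode:", edge_external_mode(table))
```

Run it on real output with `ipconfig /all > ipconfig.txt` and `tcpip_properties(open("ipconfig.txt").read())`; do this while the computer is still connected directly to the modem, because after the Edge is installed the computer will receive its address from the Edge instead of from the ISP.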
Disable the HTTP proxy in Netscape or Mozilla
1 Open the browser software.
2 Click Edit > Preferences. The Preferences window appears.
3 A list of options appears. Click the arrow symbol adjacent to Advanced to expand the list.
4 Click Proxies.
5 Make sure the Direct Connection to the Internet option is selected.
6 Click OK.
Disable the HTTP proxy in Internet Explorer
1 Open Internet Explorer.
2 Click Tools > Internet Options. The Internet Options window appears.
Connecting the Firebox X Edge
Use this procedure to connect your Firebox® X Edge Ethernet and power cables:
1
2 Shut down your computer.
3 Find the Ethernet cable between the modem and your computer. Disconnect this cable from your computer and connect it to the Edge external interface (WAN 1).
4 Find the Ethernet cable supplied with your Edge. Connect this cable to a trusted interface (0-6) on the Edge.
6 Find the AC adapter supplied with your Edge. Connect the AC adapter to the Edge and to a power source. The Edge power indicator light comes on and the WAN indicator lights flash and then come on.
NOTE Only use the AC adapter for the Firebox X Edge.
Connecting the Edge to more than seven devices
Although the Firebox® X Edge has only seven numbered Ethernet ports (labeled 0-6), you can connect more than seven devices.
For more information, see the FAQ: www.watchguard.com/support/AdvancedFaqs/edge_seatlicense.asp
License upgrades are available from your reseller or from the WatchGuard Web site: http://www.watchguard.com/sales/buyonline.
Setting Your Computer to Connect to the Edge
Before you can use the Quick Setup Wizard, configure your computer network interface card to connect to the Firebox® X Edge and see the configuration pages. You can give your computer a static IP address, or get an IP address from the Edge using DHCP.
If your computer gets its address from DHCP
This procedure configures a computer with the Windows XP operating system to use DHCP.
If your computer has a static IP address
This procedure configures a computer with the Windows XP operating system to use a static IP address. If your computer does not use Windows XP, read the operating system help for instructions on how to set your computer to use a static IP address. You must use an IP address on the same network as the Firebox X Edge trusted interface.
1 Click Start > Control Panel. The Control Panel window appears.
Running the Quick Setup Wizard
After you start your computer and type https://192.168.111.1 into the URL entry field of your Internet browser, the Quick Setup Wizard starts. You must use the wizard to configure the Ethernet interfaces. You can change the configuration of the interfaces after you use the wizard. The Quick Setup Wizard includes this set of dialog boxes.
The Quick Setup Wizard is complete
The Quick Setup Wizard supplies a link to the WatchGuard web site to register your product. After you complete the wizard, the Firebox X Edge restarts. The system Status page appears on the screen. You can configure more features of your Edge at this time.
Registering and Activating LiveSecurity Service
After you install the Firebox® X Edge, you can register the Edge and activate your LiveSecurity service subscription. You must have a subscription to the LiveSecurity service before you can get license keys for upgrades that you purchase. To install an upgrade, you must log in to LiveSecurity service and type your upgrade key. You then get a feature key to activate the features on your Firebox X Edge. You must have the serial number of your Firebox X Edge to register. The Edge serial number is on the bottom of the device.
CHAPTER 3 Configuration and Management Basics When you configure a WatchGuard® Firebox® X Edge, you create firewall rules to apply the security rules of your company. Before you create these rules you must install your Firebox. To create a basic configuration, use your Web browser to connect to the Web pages on the Firebox X Edge. You can also use the Edge configuration pages to create an account, look at network statistics, and see the current configuration of the Edge.
Navigating the Configuration Pages
You use the configuration pages for all procedures to configure the Firebox® X Edge. The System Status page, the primary navigation page, appears below. In this User Guide, most procedures start with this step: “To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1.”
For example, if you use Internet Explorer to configure your Firebox:
1 Start Internet Explorer.
2 Click File > Open, type https://192.168.111.1 in the text box adjacent to the word Open, and then click OK. You can also type the URL directly into the address bar and press the Enter key.
NOTE If necessary, you can connect to the Web server on the Firebox X Edge in HTTP mode instead of HTTPS mode. HTTP mode sends the administrator name and password across the network in clear text, so use it only from a computer on the trusted network and return to HTTPS mode as soon as you can.
Configuration Overview
You use the Firebox® X Edge system configuration pages to set up your Edge to protect your network. This section gives an introduction to each category of pages and tells you which chapters in this User Guide contain detailed information about each feature.
Firebox System Status Page
The System Status page, which appears on page 28, is the primary configuration page of the Firebox X Edge.
Network Page
The Network page shows the configuration of each network interface. It also shows any configured routes and has buttons you can use to change configurations and to see network statistics. For more information, see Chapter 4, “Changing Your Network Settings.” The Network page contains these links to other configuration pages:
• External: Use this page to configure the Edge external network interface.
• Optional: Use this page to configure the Edge optional network interface. Select the method the Edge uses to give IP addresses to computers on the optional network.
• WAN Failover: Configure a redundant network connection for the external interface.
• Dynamic DNS: Register the external IP address of the Edge with a dynamic Domain Name Server (DNS) service.
• Routes: Make a static route to a computer on the trusted or optional networks.
Firebox Users Page
The Firebox Users page shows statistics on the active sessions and local user accounts. It also has buttons to close current sessions and to add, edit, and delete user accounts. This page also shows the MUVPN client configuration files that you can download. For more information, see Chapter 11, “Managing the Firebox X Edge and User Accounts.”
The Firebox Users page contains these links to other configuration pages:
• Settings: Use this page to set the properties that apply to all Edge users.
• New User: From here you can make one or more user profiles and set the network traffic types they can send and receive.
Administration Page
The Administration page shows if the Firebox uses HTTP or HTTPS for its configuration pages, if the Edge is configured as a managed Firebox client, and which upgrades are enabled.
• View Configuration: Shows the Edge configuration file in a text format.
Firewall Page
The Firewall page shows the incoming and outgoing services, blocked sites, and other firewall settings. This page also has buttons to change these settings. For more information, see Chapter 6, “Configuring Firewall Settings.”
• Outgoing: Make one or more security services for outgoing traffic to the external network.
• Optional: Make one or more security services for outgoing traffic from the trusted network to the optional network.
• Blocked Sites: Prevent access to specified network addresses on the external interface.
• Firewall Options: Set the options that customize your security policy.
• WSEP Log: Configure the WatchGuard Log Server to accept the log messages from your Edge.
• Syslog Log: Configure the Edge to send log messages to a Syslog host.
• System Time: Set the time zone and whether your Edge uses daylight saving time.
WebBlocker Page
The WebBlocker page shows the WebBlocker settings, profiles, allowed sites, denied sites, and trusted hosts. It also has buttons to change the current settings. For more information, see Chapter 8, “Configuring WebBlocker.”
• Allowed Sites: Make a list of Web sites that you can browse to when WebBlocker properties block the Web site.
• Denied Sites: Make a list of Web sites that you cannot browse to when WebBlocker settings allow the Web site.
• Trusted Hosts: Make a list of computers on the trusted or optional networks that can bypass WebBlocker.
Wizards Page
The Wizards page shows the wizards you can use to help you set up Firebox X Edge features:
• Service Configuration Wizard: Create a rule to filter network traffic between interfaces. For more information, see “About custom services for incoming traffic” on page 91.
• Network Interface Wizard: Configure the Edge interfaces. For more information, see “Using the Network Setup Wizard” on page 45.
download completes, use the procedure below to update your Firebox software:
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1
2 At the bottom of the System Status page, click Update.
3 Type the name of the file that contains the new Firebox X Edge software in the Select text box or click Browse to find the file on your local computer.
Factory Default Settings
give static addresses to computers in the trusted network with IP addresses in the 192.168.111.2–192.168.111.254 range.
External network - The external network properties use DHCP.
Optional network - The optional network is disabled.
Firewall settings
- All incoming services are denied.
- An outgoing service allows all outgoing traffic.
- Ping requests received on the external network are denied.
The allow-all outgoing service is convenient for first setup, but it also lets any program on a trusted computer reach any Internet address. Once you know which protocols your network needs, replace it with outgoing services for only those protocols.
Follow these steps to set the Firebox to the factory default settings:
1 Disconnect the power supply.
2 Hold down the Reset button, on the front of the Firebox.
3 Connect the power supply while you continue to hold down the Reset button.
4 Continue to hold down the button until the yellow Attn light comes on and stays on. This shows you that the Edge has been successfully reset.
NOTE Do not try to connect to the Edge at this time.
Restarting the Firebox
2 Click Reboot.
Disconnecting the power supply
Disconnect the Firebox power supply. After a minimum of 10 seconds, connect the power supply.
Remote restart
You must configure the remote Firebox X Edge to send incoming HTTPS traffic to the Edge trusted interface IP address to use the method below to restart it. This makes the Edge configuration pages reachable from the external network, so limit the incoming service to the addresses you administer from (see “Filtering traffic for incoming services” on page 94) and keep the configuration pages in HTTPS mode. For more information on how to configure the Firebox to receive incoming traffic, see “Configuring Incoming Services” on page 89.
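The factory-default firewall settings listed above, and the incoming HTTPS service that remote restart needs, can be modelled in a few lines. The Python below is an added example, not the Edge's own rule engine: it evaluates constructed packets against the default policy (no incoming services, one allow-all outgoing service, external ping denied) and then against the same policy with an incoming HTTPS service, first open to any source and then limited to one administrator network. The interface names, the Service and Policy classes, and the 203.0.113.x and 198.51.100.x addresses are assumptions made for the example.

```python
"""Model of the Firebox X Edge factory-default firewall policy.

Added example, not from the WatchGuard guide or WatchGuard's own code.
The packets, networks and rule names below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

EXTERNAL, TRUSTED, OPTIONAL = "external", "trusted", "optional"


@dataclass(frozen=True)
class Packet:
    in_if: str        # interface the packet arrives on
    proto: str        # "tcp", "udp" or "icmp"
    dst_port: int     # 0 for icmp
    src: str          # source IP address


@dataclass
class Service:
    name: str
    proto: str                     # "tcp", "udp", "icmp" or "any"
    port: int                      # 0 matches every port
    allowed_from: list = field(default_factory=list)   # CIDR strings; empty = any source

    def matches(self, pkt):
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.port and self.port != pkt.dst_port:
            return False
        if self.allowed_from:
            src = ipaddress.ip_address(pkt.src)
            return any(src in ipaddress.ip_network(n) for n in self.allowed_from)
        return True


@dataclass
class Policy:
    incoming: list = field(default_factory=list)   # external -> trusted/optional
    outgoing: list = field(default_factory=list)   # trusted/optional -> external
    ping_external: bool = False                    # answer echo requests on WAN?

    def decide(self, pkt):
        """Return 'allow' or 'deny'; a packet that matches no service is denied."""
        if pkt.in_if == EXTERNAL:
            if pkt.proto == "icmp":
                return "allow" if self.ping_external else "deny"
            rules = self.incoming
        else:
            rules = self.outgoing
        return "allow" if any(r.matches(pkt) for r in rules) else "deny"


def factory_default_policy():
    """No incoming services, one allow-all outgoing service, external ping denied."""
    return Policy(incoming=[], outgoing=[Service("Outgoing (any)", "any", 0)],
                  ping_external=False)


def with_remote_restart(allowed_from=()):
    """Add the incoming HTTPS service that remote restart requires."""
    p = factory_default_policy()
    p.incoming.append(Service("HTTPS to Edge", "tcp", 443, list(allowed_from)))
    return p


# Constructed traffic: a stranger, the administrator's office, a WAN ping, web browsing out.
SAMPLES = [
    Packet(EXTERNAL, "tcp", 443, "203.0.113.77"),
    Packet(EXTERNAL, "tcp", 443, "198.51.100.9"),
    Packet(EXTERNAL, "icmp", 0, "203.0.113.77"),
    Packet(TRUSTED, "tcp", 80, "192.168.111.20"),
]


def evaluate(policy, packets=SAMPLES):
    return [policy.decide(p) for p in packets]


if __name__ == "__main__":
    cases = [("factory default", factory_default_policy()),
             ("remote restart, any source", with_remote_restart()),
             ("remote restart, admin net only", with_remote_restart(["198.51.100.0/24"]))]
    for label, pol in cases:
        print(f"{label:32}", evaluate(pol))
```

The third case is the one to aim for: the administrator at 198.51.100.9 can still reach the Edge, while the rest of the Internet gets the same deny as under the factory defaults.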
CHAPTER 4 Changing Your Network Settings A primary component of WatchGuard® Firebox® X Edge setup is the configuration of the network interface IP addresses. At a minimum, you must configure the external network and the trusted network to let traffic flow through the Edge. You do this when you use the Quick Setup Wizard after you install the Edge. You can use the procedures in this chapter to change this configuration after you run the Quick Setup Wizard. You can also set up the optional interface.
4 Follow the instructions on the screens. The Network Setup Wizard has these steps:
Welcome: The first screen describes the purpose of the wizard.
Configure the external interface of your Firebox: This screen asks the method your ISP uses to set your IP address. For more information, see the subsequent section in this guide, “Configuring the External Network.”
Configure the external interface for DHCP: If your ISP uses DHCP, type the DHCP information that your ISP gave you.
Configuring the External Network
• Firebox receives an external IP address each time it connects to the ISP network. It can be the same IP address each time, or it can be a different IP address.
• Static IP address - Network administrators use static IP addresses to manually give an IP address to each computer on their network. A static IP address can be more expensive than a dynamic IP address because static IP addresses make it easier to set up servers.
If your ISP uses static IP addresses
If your ISP uses static IP addresses, you must enter the address information into your Edge before it can send traffic through the external interface. To set your Edge to use a static IP address for the external interface:
1 Use your browser to connect to the System Status page. From the navigation bar, select Network > External. The External Network Configuration page appears.
2 From the Configuration Mode drop-down list, select Manual Configuration.
3 Type the IP address, subnet mask, default gateway, primary DNS, secondary DNS, and DNS domain suffix into the related fields. Get this information from your ISP or corporate network administrator. If you completed the table on page 15, type the information from the table.
4 Click Submit.
2 From the Configuration Mode drop-down list, select PPPoE Client.
3 Type the name and password in the related fields. Get this information from your ISP. If your ISP gives you a domain name, type it into the Domain field. Most ISPs using PPPoE make you use the domain name and your user name. Do not include the domain name with your user name like this: myname@ispdomain.net. If you have a PPPoE name with this format, type the myname section in the Name field.
5 Select the Link Speed to set automatically, or select to assign the link speed statically at 10 Mbps Half Duplex, 10 Mbps Full Duplex, 100 Mbps Half Duplex, or 100 Mbps Full Duplex. WatchGuard recommends that you configure the link speed to Auto, unless you know this setting is not compatible with the equipment supplied by your ISP.
Advanced PPPoE Settings
In the Quick Setup Wizard you configure the basic PPPoE settings.
Use LCP echo request to detect lost PPPoE link
When you enable this check box, the Edge sends an LCP echo request at regular intervals to the ISP to make sure that the PPPoE connection is active. If you do not use this option, the Edge must get a PPPoE or PPP session termination request from the ISP to identify a broken connection.
LCP echo interval
When you enable LCP echoes, this value sets the interval between LCP echo requests sent by the Edge to the ISP.
Configuring the Trusted Network
You must configure your trusted network manually if you do not use the Network Setup Wizard. You can use static IP addresses or DHCP for the computers on your trusted network. The Firebox® X Edge has a DHCP server to give IP addresses to computers on your trusted and optional networks. You can also change the IP address of the trusted network.
Then, you must use https://10.0.0.1 in your browser address bar to connect to the Edge’s System Status page. Also, your computer’s IP address must be changed to be in the new trusted interface IP subnet range. To change the IP address of the trusted network:
1 To connect to the System Status page, type https:// in the browser address bar, followed by the IP address of the Edge trusted interface. The default URL is: https://192.168.111.
the computer an IP address. A factory default Firebox has the DHCP Server option for the trusted interface enabled. To use DHCP on the trusted network:
1 Use your browser to connect to the System Status page. From the navigation bar, select Network > Trusted. The Trusted Network Configuration page appears.
2 Select the Enable DHCP Server on the Trusted Network check box.
3 Type the first available IP address for the trusted network. Type the last IP address.
2 Click the DHCP Reservations button. The DHCP Address Reservations page appears.
3 Type a static IP address in the IP Address field. The IP address must be on the trusted network. For example, if the trusted network starts with 192.168.111.1, you can enter any address from 192.168.111.2 to 192.168.111.254.
4 Type the MAC address of the computer on the trusted network in the MAC Address field.
To configure the Firebox as a DHCP Relay Agent for the trusted interface:
1 Use your browser to connect to the System Status page. From the navigation bar, select Network > Trusted. The Trusted Network Configuration page appears.
2 Select the Enable DHCP Relay check box.
3 Type the IP address of the DHCP server in the related field.
4 Click Submit. You must restart the Firebox for the new configuration to start.
Changing Your Network Settings Ethernet hubs or switches with RJ-45 connectors to connect more than seven computers. It is not necessary for the computers on the trusted network to use the same operating system. To add more than seven computers to the trusted network: 1 2 Make sure that each computer has a functional Ethernet card. Connect each computer to the network. Use the procedure “Connecting the Edge to more than seven devices” on page 20.
Configuring the Optional Network Enabling the optional network 1 To connect to the System Status page, type https:// in the browser address bar, followed by the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1 2 From the navigation bar, select Network > Optional. The Optional Network Configuration page appears. 3 Select the Enable Optional Network check box. Changing the IP address of the optional network If necessary, you can change the optional network address.
Changing Your Network Settings 2 From the navigation bar, select Network > Optional. The Optional Network Configuration page appears. 3 Type the first address of the new network address range in the IP Address text field. 4 If necessary, type the new subnet mask. Most networks use 255.255.255.0 which includes 254 addresses. Using DHCP on the optional network The DHCP Server option sets the Firebox X Edge to give IP addresses to the computers on the optional network.
2 Click the DHCP Reservations button. The DHCP Address Reservations page appears.
3 Type a static IP address in the IP Address field. The IP address must be on the optional network. For example, if the optional network starts with 192.168.112.1, you can enter 192.168.112.2 to 192.168.112.251.
4 Type the MAC address of the computer on the optional network in the MAC Address field.
To configure the Firebox as a DHCP Relay Agent for the optional interface:
1 Use your browser to connect to the System Status page. From the navigation bar, select Network > Optional. The Optional Network Configuration page appears.
2 Select the Enable DHCP Relay on Optional Network check box.
3 Type the IP address of the DHCP server in the related field.
4 Click Submit. You must restart the Edge for the new configuration to take effect.
than one computer to the optional interface, use a 10/100 BaseT Ethernet hub or switch with RJ-45 connectors. It is not necessary for the computers on the optional network to use the same operating system. To add more than one computer to the optional network:
1 Make sure that each computer has a functional Ethernet card.
2 Connect each computer to the network. Use the procedure “Connecting the Edge to more than seven devices” on page 20.
3 Restart each computer.
Making Static Routes
3 Click Add. The Add Route page appears.
4 From the Type drop-down list, select Host or Network. This setting tells whether the destination for the static route is one computer or a network of computers.
NOTE A host is one computer. A network is more than one computer using a range of IP addresses. You must type network addresses in “slash” notation (also known as Classless Inter-Domain Routing or CIDR notation). Do not type a slash for a host IP address.
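As an added example (not WatchGuard’s code), the following Python checker applies the Host/Network and slash-notation rules from the note above to a handful of constructed route entries, then performs the longest-prefix lookup a router does with such a table. The destination networks and gateway addresses are made up for the illustration.

```python
import ipaddress

# Constructed sample entries in the two forms the Add Route page accepts:
# a Host destination carries no slash, a Network destination is in CIDR
# ("slash") notation. Gateways are made-up addresses on the trusted network.
SAMPLE_ROUTES = [
    ("Host", "192.168.50.7", "192.168.111.2"),
    ("Network", "10.20.0.0/16", "192.168.111.3"),
    ("Network", "10.20.30.0/24", "192.168.111.4"),
]


def parse_route(route_type, destination, gateway):
    """Validate one static route and return (network, gateway_address).

    Host entries must not use slash notation; Network entries must use it and
    must be a real network address (no host bits set), which is what
    ipaddress.ip_network(strict=True) enforces.
    """
    if route_type == "Host":
        if "/" in destination:
            raise ValueError(f"host route {destination!r} must not use slash notation")
        network = ipaddress.ip_network(destination)  # a single /32
    elif route_type == "Network":
        if "/" not in destination:
            raise ValueError(f"network route {destination!r} must use CIDR notation")
        network = ipaddress.ip_network(destination, strict=True)
    else:
        raise ValueError(f"unknown route type {route_type!r}")
    return network, ipaddress.ip_address(gateway)


def is_valid_route(route_type, destination, gateway):
    """True when the entry would be accepted, False when it should be rejected."""
    try:
        parse_route(route_type, destination, gateway)
    except ValueError:
        return False
    return True


def build_table(routes):
    return [parse_route(*entry) for entry in routes]


def lookup(table, destination):
    """Return the gateway (as a string) of the most specific matching route.

    Longest prefix wins, so the /24 beats the /16 for 10.20.30.x; an address
    no route covers returns None and would follow the default route instead.
    """
    address = ipaddress.ip_address(destination)
    best = None
    for network, gateway in table:
        if address in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway)
    return None if best is None else str(best[1])


if __name__ == "__main__":
    table = build_table(SAMPLE_ROUTES)
    for target in ("10.20.30.9", "10.20.99.9", "192.168.50.7", "8.8.8.8"):
        print(target, "->", lookup(table, target))
```

The strict check is the one worth keeping: an entry such as 10.20.30.5/24 is accepted by many tools but is ambiguous, and rejecting it up front avoids a route that quietly covers a different network than the administrator intended.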
Viewing Network Statistics
The Firebox® X Edge Network Statistics page shows information about performance. Network administrators frequently use this page to troubleshoot a problem with the Firebox or network.
1 To connect to the System Status page, type https:// in the browser address bar, followed by the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1
2 From the navigation bar, select Network > Network Statistics.
Registering with the Dynamic DNS Service
You can register the external IP address of the Firebox X Edge with the dynamic Domain Name System (DNS) service DynDNS.org. A dynamic DNS service keeps the DNS record for your domain name pointing at the current address when your ISP gives your Firebox X Edge a new IP address. For more information, refer to these WatchGuard FAQs: What is Dynamic DNS? How do I set up Dynamic DNS? https://www.watchguard.com/support/AdvancedFaqs/ sogen_main.
2 From the navigation bar, select Network > Dynamic DNS. The Dynamic DNS client page appears.
3 Select the Enable Dynamic DNS client check box.
4 Type the Domain, Name, and Password in the related fields.
5 In the System drop-down list, select the system to use for this update. The option dyndns sends updates for a Dynamic DNS host name. The option statdns sends updates for a Static DNS host name. The option custom sends updates for a Custom DNS host name.
NOTE The Firebox gets the IP address of members.dyndns.org when it connects to a time server. The Firebox connects to a time server when it starts up. The Firebox connects to the IP address it finds for members.dyndns.org to register the current Firebox external IP address with the DynDNS service. The Firebox does not operate with other Dynamic DNS services, only DynDNS.org.
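The update the Edge sends to DynDNS.org is the public dyndns2 protocol; the page does not say how the Edge implements it, so the Python below is an added illustration of that protocol and not WatchGuard code. It builds the HTTP request a client sends (including the System value chosen in step 5) and interprets the one-word reply codes, separating the ones a client may retry from the ones that mean the configuration is wrong. The host name, user name, password and addresses are constructed.

```python
import base64
from urllib.parse import urlencode

DYNDNS_HOST = "members.dyndns.org"   # the update server named on the page

# Reply codes of the public dyndns2 update protocol and whether a client may
# keep retrying. Codes marked False are configuration or abuse problems:
# retrying them blindly is how clients get their account blocked.
RETURN_CODES = {
    "good": ("update accepted", True),
    "nochg": ("address unchanged, do not resend until it changes", True),
    "badauth": ("user name or password rejected", False),
    "notfqdn": ("host name is not a fully qualified domain name", False),
    "nohost": ("host name does not exist under this account", False),
    "numhost": ("too many host names in one request", False),
    "abuse": ("host name blocked for abuse, stop updating", False),
    "badagent": ("client user agent blocked", False),
    "dnserr": ("server-side DNS error, retry later", True),
    "911": ("server-side problem, retry later", True),
}


def build_update_request(hostname, username, password, myip, system="dyndns"):
    """Return the raw HTTP/1.0 request text a dyndns2 client sends.

    `system` is the page's System option (dyndns, statdns or custom). The
    credentials travel as HTTP Basic authentication, i.e. base64-encoded and
    not encrypted: only a TLS transport protects them from an eavesdropper.
    """
    if system not in ("dyndns", "statdns", "custom"):
        raise ValueError(f"unsupported system {system!r}")
    query = urlencode({"system": system, "hostname": hostname, "myip": myip})
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return (
        f"GET /nic/update?{query} HTTP/1.0\r\n"
        f"Host: {DYNDNS_HOST}\r\n"
        f"Authorization: Basic {token}\r\n"
        "User-Agent: example-ddns-client/1.0 admin@example.com\r\n"  # constructed
        "\r\n"
    )


def interpret_response(body):
    """Parse the one-line body of an update reply into (code, ip, may_retry)."""
    parts = body.strip().split()
    if not parts:
        raise ValueError("empty update response")
    code = parts[0]
    if code not in RETURN_CODES:
        raise ValueError(f"unknown return code {code!r}")
    ip = parts[1] if len(parts) > 1 else None
    return code, ip, RETURN_CODES[code][1]


if __name__ == "__main__":
    print(build_update_request("edge.example.com", "alice", "s3cret", "203.0.113.7"))
    for reply in ("good 203.0.113.7", "nochg 203.0.113.7", "badauth", "abuse"):
        print(reply, "->", interpret_response(reply))
```

Two points matter operationally: a `nochg` reply means the client should stay quiet until the address really changes, and `badauth` or `abuse` must stop the client rather than schedule another attempt.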
Enabling the WAN Failover Option
• If the WAN1 interface and the WAN2 interface both stop, the Firebox tries the two interfaces until it makes a connection. When the WAN2 interface is in use, the Edge monitors the primary (WAN1) interface. When the WAN1 interface becomes available, the Edge automatically goes back to using the WAN1 interface.
To configure the WAN failover network:
1 Connect one end of a straight-through Ethernet cable to the WAN2 interface.
Identify the computers to connect
Type the IP addresses of hosts that the Edge can ping to check that the WAN1 connection is working.
The WAN Failover Setup Wizard is complete
You can restart your Edge to activate the WAN Failover feature.
Using the Network page
1 From the navigation bar, select Network > WAN Failover. The WAN Failover page appears.
2 From the drop-down list, select the interface for the feature: Ethernet (WAN2) or Modem (serial port).
6 Type the maximum number of pings before time-out in the related field.
If you are using a broadband connection for failover
If you enabled failover with a broadband connection on WAN2, select your configuration mode from the drop-down list.
If you selected DHCP Client
If your ISP requires you to identify your computer before it gives you an IP address, type this name in the Optional DHCP Identifier field.
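The failover behaviour described above (a run of failed pings moves traffic to WAN2, and the Edge keeps probing WAN1 and fails back once it answers) is simulated below as an added example. It is not WatchGuard’s implementation: the probing rule (the link counts as up if any configured target answers), the probe targets and the one-ping-per-cycle model are assumptions made for the illustration.

```python
class WanFailover:
    """Tracks which WAN interface carries traffic, driven by an injected probe."""

    def __init__(self, probe, targets, max_failed_pings):
        self.probe = probe                  # probe(interface, target) -> bool
        self.targets = targets              # hosts the Edge pings (constructed)
        self.max_failed_pings = max_failed_pings
        self.active = "WAN1"
        self.failed = 0
        self.connected = True

    def _reachable(self, interface):
        # Assumption: the link counts as up if any configured target answers.
        return any(self.probe(interface, target) for target in self.targets)

    def tick(self):
        """One monitoring cycle; returns the interface in use afterwards."""
        wan1_up = self._reachable("WAN1")
        if self.active == "WAN1":
            if wan1_up:
                self.failed = 0            # a single reply clears the count
            else:
                self.failed += 1
                if self.failed >= self.max_failed_pings:
                    self.active = "WAN2"   # fail over
                    self.failed = 0
        elif wan1_up:
            self.active = "WAN1"           # primary is back: fail back
        # On WAN2 the Edge keeps trying WAN1 every cycle, so with both links
        # down it is effectively trying the two interfaces until one answers.
        self.connected = wan1_up if self.active == "WAN1" else self._reachable("WAN2")
        return self.active


def simulate(schedule, max_failed_pings):
    """schedule: list of (wan1_up, wan2_up) per cycle.

    Returns the active interface after each cycle.
    """
    link = {}

    def scripted_probe(interface, target):
        return link["WAN1"] if interface == "WAN1" else link["WAN2"]

    failover = WanFailover(scripted_probe, ["198.51.100.1", "198.51.100.2"], max_failed_pings)
    result = []
    for wan1_up, wan2_up in schedule:
        link["WAN1"], link["WAN2"] = wan1_up, wan2_up
        result.append(failover.tick())
    return result


if __name__ == "__main__":
    outage = [(True, True), (False, True), (False, True), (False, True), (False, True), (True, True)]
    print("outage :", simulate(outage, 3))
    flapping = [(False, True), (False, True), (True, True), (False, True), (False, True)]
    print("flapping:", simulate(flapping, 3))
```

The second run shows why the ping threshold matters: two lost pings followed by a reply never trigger a switch, so a brief loss does not bounce traffic between links. Pick probe targets you control and expect to stay up; whatever can stop their replies on WAN1 also decides when the Edge moves traffic onto the secondary link.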
If you selected PPPoE
See “If your ISP uses PPPoE” on page 49 for information on PPPoE settings and configure WAN2 with this information.
If you are using an external modem for failover
If failover occurs, the Edge can dial a modem to reach a remote host and send traffic through it. We support these modems:
• Hayes 56K V.90 serial fax modem
• Zoom FaxModem 56K model 2949
• U.S. Robotics 5686 external modem
• Creative Modem Blaster V.
7 To enable modem and PPP debug trace, select the related check box.
DNS settings
If your dialup ISP does not give DNS server IP addresses, or if your ISP gives you a DNS server IP address and you must use a different DNS server, you can manually enter the IP addresses for your DNS server:
1 Select the Manually configure DNS server IP addresses check box.
2 In the Primary DNS Server text box, type the IP address of the primary DNS server.
Dialup settings
1 In the Dial up time-out field, type the number of seconds before time-out if your modem does not connect.
2 In the Redial attempts field, enter the number of times the Edge will try to redial if your modem does not connect.
3 In the Inactivity time-out field, enter the number of seconds before time-out if no traffic goes through the modem.
4 In the Speaker volume field, set your modem speaker volume to off, low, medium, or high.
CHAPTER 5 Firebox X Edge Wireless Setup The Firebox® X Edge Wireless protects the computers that are connected to your network and it protects your network wireless connections. This chapter examines how to install the Firebox X Edge Wireless and set up the wireless network. To make sure that your network is secure, WatchGuard disables the wireless feature of the Firebox X Edge Wireless until you activate wireless traffic.
• Configure the Wireless Access Point (WAP)
• Configure the wireless card on your computer
How Wireless Networking Works
Wireless networks use radio signals to send and receive traffic between computers and the Firebox X Edge Wireless. The Firebox® X Edge Wireless follows the 802.11b and 802.11g standards set by the Institute of Electrical and Electronics Engineers (IEEE).
Using the Wireless Network Wizard
2 Double-click Wireless Network Connection. The Wireless Network Connection dialog box appears.
3 Click the Wireless Networks tab.
4 In the Preferred networks section, click Add. The Wireless Network Properties dialog box appears.
5 Type the SSID in the Network Name (SSID) text box.
6 Click OK to close the Wireless Network Properties dialog box.
7 Click Refresh. All available wireless connections appear in the Available Networks text box.
Area Network (WLAN) a level of security and privacy that compares well to a wired Local Area Network (LAN). A wired LAN is usually protected by features that include login passphrases, which operate only in a controlled physical area. Because the walls of a building do not stop wireless transmissions, that physical boundary does not help protect a wireless network. Note that the protection WEP actually delivers falls well short of a wired LAN: its key-recovery weaknesses are public and well understood, so treat it as a minimum setting rather than as equivalent security.
Setting up the Wireless Access Point
To make sure that your network is secure, WatchGuard disables the wireless feature of the Firebox® X Edge Wireless until you activate wireless traffic. You can activate the wireless feature when you configure the security of the wireless connections.
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.
NOTE When you complete the wireless configuration, restart your Firebox X Edge Wireless.
The Network Assignment drop-down list gives you three alternatives:
• None (disable wireless)
• Bridge to trusted network
• Bridge to optional network
Select the option that matches your needs.
Bridge to Trusted
In this mode, the wireless client is a part of the trusted network. A wireless client bridged to the trusted network has the same access as a wired trusted host, so prefer Bridge to optional network unless wireless clients genuinely need trusted access.
requirements of wireless clients. The firewall properties control the traffic between these two networks.
NOTE Because wireless clients are a component of the optional or the trusted network, they can be a part of any Branch Office VPN tunnels you have when the local network component of the Phase 2 settings includes optional or trusted network IP addresses. To control access to the VPN, you can require Firebox users to authenticate.
the default authentication method for some versions of Microsoft Windows, it is not recommended.
Shared Key
In Shared Key authentication, only wireless clients that have the shared key can authenticate. On paper this is stronger than Open System authentication, but the challenge and its WEP-encrypted response both cross the air where anyone can capture them, so a listener recovers a WEP keystream and can use it to answer a later challenge without knowing the key. In practice Shared Key gives an eavesdropper more than Open System does. Shared Key authentication can only be used with WEP encryption.
2 If you typed more than one key, select the key to use as the default key from the Key Index drop-down list. The Firebox X Edge can use only one key at a time. If you select a key other than the first key in the list, you must also set your wireless client to use the same key number.
Shared key authentication
Encryption options for shared key authentication are WEP 64 bit hexadecimal, WEP 40 bit ASCII, WEP 128 bit hexadecimal, and WEP 128 bit ASCII.
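To show concretely why Shared Key authentication is weaker than it looks, the following Python is an added demonstration (not WatchGuard’s code) of the 802.11 Shared Key exchange: the access point sends a 128-byte challenge and the client returns it WEP-encrypted, i.e. a 3-byte IV sent in the clear followed by RC4 over the challenge plus a CRC-32 integrity check value (ICV). An eavesdropper who captures one exchange recovers the keystream for that IV and answers the next challenge without the key. The key value and the AccessPoint, Client and Eavesdropper classes are constructed for the example.

```python
import os
import struct
import zlib


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream generation), the cipher WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """Frame body = iv (3 bytes, clear) || RC4(iv || key, plaintext || ICV)."""
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key, frame):
    """Return the plaintext, or None when the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


class AccessPoint:
    """Shared Key authenticator: sends a challenge, expects it back WEP-encrypted."""

    def __init__(self, key):
        self.key = key
        self.pending = None

    def challenge(self):
        self.pending = os.urandom(128)
        return self.pending

    def verify(self, response_frame):
        return wep_decrypt(self.key, response_frame) == self.pending


class Client:
    def __init__(self, key):
        self.key = key

    def respond(self, challenge):
        return wep_encrypt(self.key, os.urandom(3), challenge)


class Eavesdropper:
    """Sees one challenge/response pair on the air and never learns the key."""

    def learn(self, challenge, response_frame):
        self.iv = response_frame[:3]
        known_plain = challenge + icv(challenge)   # ICV is computable by anyone
        self.keystream = bytes(c ^ p for c, p in zip(response_frame[3:], known_plain))

    def forge(self, challenge):
        plain = challenge + icv(challenge)
        return self.iv + bytes(p ^ k for p, k in zip(plain, self.keystream))


def shared_key_auth_is_forgeable(key=b"\x0b\xad\xc0\xff\xee"):
    """Run the attack once; True means the eavesdropper was accepted without the key."""
    ap, client, eve = AccessPoint(key), Client(key), Eavesdropper()
    first = ap.challenge()
    response = client.respond(first)
    if not ap.verify(response):
        raise RuntimeError("legitimate client should always pass")
    eve.learn(first, response)            # one captured exchange is enough
    second = ap.challenge()
    return ap.verify(eve.forge(second))   # reuses the captured IV and keystream


if __name__ == "__main__":
    print("forged authentication accepted:", shared_key_auth_is_forgeable())
```

Nothing in WEP stops the attacker from reusing the same IV, and the ICV is a plain CRC that anyone can compute, which is why known plaintext (the challenge) translates directly into a reusable keystream.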
Configuring advanced settings
You can configure how the Firebox X Edge Wireless transmits data to your wireless computer. Wireless computers send requests to see if there are wireless access points to which they can connect. To configure the Firebox X Edge Wireless to send and answer these requests, select the Broadcast SSID and respond to SSID queries check box. For security, turn this option on only when you are configuring your network to connect to the Firebox X Edge. Do not rely on a hidden SSID as a security control: clients still send the name in their own probe requests, so anyone listening can recover it; the authentication and encryption settings protect the network, not the SSID.
802.11g only
This is the default mode. It denies access to 802.11b clients so that the Edge keeps operating in the faster 802.11g mode.
802.11g and 802.11b
This mode allows the Firebox X Edge Wireless to connect with wireless devices that use either of the two wireless protocols.
802.11b only
This mode allows the Firebox X Edge Wireless to connect to devices that use only this wireless protocol.
NOTE Using 802.11b and 802.
CHAPTER 6 Configuring Firewall Settings The Firebox® X Edge uses services and other firewall options to control the traffic between the trusted, optional, and external networks. The configuration of allowed services and firewall options sets the level of security the Firebox applies to your network. About Services A Firebox® service is one or more rules that together monitor and control traffic. These rules set the firewall actions for a service: • Allow lets data or a connection through the Firebox.
Incoming and outgoing traffic Traffic that does not start in your trusted or optional network is incoming traffic. Traffic that starts in your trusted or optional network and goes to the external network is outgoing traffic. In the default configuration, the Firebox stops all traffic from getting to your trusted network.
the trusted network. This section also has examples of how to use the optional network. Other sections show how to use the Blocked Sites feature and other firewall options: • Responding to pings • Creating log messages for all outgoing traffic • FTP access to the Firebox • SOCKS • Changing the Firebox’s hardware MAC address Configuring Incoming Services You can control the traffic that goes to the trusted or optional networks from the external network using incoming services.
Configuring common services for incoming traffic The Firebox X Edge includes standard services known as common services that you can use to control traffic through the Firebox. You can use the procedure below to configure the properties of a common service. For more information on the common services, refer to the list at the end of this FAQ: www.watchguard.com/support/Tutorials/stepsoho_blockoutservice.
drop-down list adjacent to the service name, select Allow or Deny. In its default configuration, the Firebox does not allow incoming traffic to your network. Because of this, you can keep a service’s filter rule set to No Rule and the traffic is denied.
4 If you use Allow for a service, enter the IP address of the service host. The service host is the computer on the trusted or optional network that receives the traffic.
5 Click Submit.
Welcome The first screen tells you about the wizard and the information you must have to complete the wizard. Service Name On this screen, type a name to identify the service. Protocols and Ports Set the protocol and ports to assign to this traffic rule. Traffic Direction Identify if this is an incoming or outgoing service. Service action Configures the Firebox to allow or deny this type of service traffic through the firewall.
5 In the Service Name text box, type the name for your service.
6 From the Protocol drop-down list, click TCP Port, UDP Port, or Protocol.
7 In the text box adjacent to the Protocol drop-down list, type a port number or protocol number. To use a range of ports, type the last port of the range in the second text box.
NOTE An IP protocol number is not the same as a TCP or UDP port number. TCP is IP protocol number 6 and UDP is IP protocol number 17.
8 Click Add. Repeat the last three steps until you have a list of all the ports and protocols that this service uses. You can have more than one port and more than one protocol in a custom service. Every extra port or protocol widens what the service exposes, so restrict the service to only the ports and protocols that are necessary.
Filtering traffic for incoming services
These steps restrict incoming traffic for a service to specified computers behind the firewall.
Configuring Outgoing Services
You control traffic that starts in the trusted or optional network and goes to the external network using outgoing services. Usually, the Internet is the external network. In its default configuration, the Firebox® X Edge allows traffic that starts in the trusted or optional network to go to the external network. Many companies and organizations allow internal computers to use all ports and protocols.
2 From the navigation bar, select Firewall > Outgoing. The Filter Outgoing Traffic page appears. Configuring common services for outgoing traffic In its default configuration, the Firebox allows all traffic to go out to the external network. This is because the common service called Outgoing is set to Allow. (The Outgoing service is not found on the Firewall > Incoming page.) You can set the Outgoing service filter to No Rule.
• To allow only specified traffic from the trusted and optional network to get to the external network:
- Set the common service Outgoing to No Rule.
- Select the common services to allow outgoing and set these services to Allow.
NOTE If you set a common service on the Filter Outgoing Traffic page to Allow, the Firebox allows traffic that uses that service to get to the external network from computers on the trusted or optional network.
Protocols and Ports Set the protocol and ports to assign to this traffic rule. Traffic Direction Identify if this is an incoming or outgoing service. Service action Configures the Firebox to allow or deny this type of service traffic through the firewall. Restrict to remote computers To put a limit on the scope of the service, add the IP addresses of the computers or networks outside the firewall to which this service applies.
5 In the Service Name text box, type the name for your service.
6 From the Protocol drop-down list, click TCP Port, UDP Port, or Protocol.
7 In the text box next to the Protocol drop-down list, type a port number or protocol number. To use a range of ports, type the last port of the range in the second text box.
NOTE An IP protocol number is not the same as a TCP or UDP port number. TCP is IP protocol number 6 and UDP is IP protocol number 17.
9 Repeat the last three steps until you have a list of all the ports and protocols that this service uses. You can have more than one port and more than one protocol in a custom service. Every extra port or protocol widens what the service exposes, so limit the service to only the ports and protocols that are necessary.
Filtering a service for outgoing traffic
These steps restrict outgoing traffic through the Firebox.
8 Click Add. The To box shows the IP addresses you added. Repeat the last three steps until all of the address information for this custom service is set. The To box can have more than one entry.
9 If this service is only for outgoing traffic, keep the Incoming Filter set to No Rule. If this service is for incoming traffic, see the section “Configuring Incoming Services” on page 89.
10 Click Submit.
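The incoming and outgoing rules described in this chapter (default deny for incoming traffic, the catch-all Outgoing service, custom services built from TCP/UDP port ranges and IP protocol numbers, and the service host that an incoming Allow requires) are modelled in the Python below as an added example; it is not WatchGuard’s rule engine. The assumption that specific services are evaluated before the catch-all Outgoing service, the service names and the host addresses are mine, not the page’s.

```python
from dataclasses import dataclass, field
from typing import List, Optional

TCP, UDP = 6, 17   # IP protocol numbers; a protocol number is not a port


@dataclass
class Service:
    name: str
    # matchers: ("tcp", first, last), ("udp", first, last), ("proto", number) or ("any",)
    matchers: List[tuple]
    incoming: str = "No Rule"           # Allow / Deny / No Rule
    outgoing: str = "No Rule"
    service_host: Optional[str] = None  # required when incoming is Allow
    remote_hosts: List[str] = field(default_factory=list)  # empty = any remote address

    def matches(self, proto, port):
        for m in self.matchers:
            kind = m[0]
            if kind == "any":
                return True
            if kind == "proto" and proto == m[1]:
                return True
            if kind == "tcp" and proto == TCP and port is not None and m[1] <= port <= m[2]:
                return True
            if kind == "udp" and proto == UDP and port is not None and m[1] <= port <= m[2]:
                return True
        return False

    def exposure(self):
        """Number of distinct ports/protocols the service opens: keep this small."""
        return sum(m[2] - m[1] + 1 if m[0] in ("tcp", "udp") else 1 for m in self.matchers)


def decide(services, direction, proto, port, remote=None):
    """Return (action, reason) for one connection.

    Assumption (not stated on the page): services are checked in list order
    and the catch-all "Outgoing" service is listed last, so specific services
    take precedence over it. A connection matching no Allow/Deny rule falls
    through to the default, which is Deny in both directions; outgoing
    traffic is normally let through only because Outgoing is set to Allow.
    """
    for svc in services:
        action = svc.incoming if direction == "incoming" else svc.outgoing
        if action == "No Rule" or not svc.matches(proto, port):
            continue
        if svc.remote_hosts and remote not in svc.remote_hosts:
            continue
        return action, svc.name
    return "Deny", "default"


def validate(services):
    """Catch the configuration mistake step 4 warns about: Allow with no service host."""
    return [f"{svc.name}: incoming Allow needs a service host"
            for svc in services if svc.incoming == "Allow" and not svc.service_host]


def factory_default():
    """Incoming everything denied, outgoing everything allowed via the Outgoing service."""
    return [
        Service("HTTP", [("tcp", 80, 80)]),
        Service("FTP", [("tcp", 21, 21)]),
        Service("Outgoing", [("any",)], outgoing="Allow"),
    ]


def locked_down():
    """Outgoing set to No Rule, only HTTP re-allowed out, one custom incoming service."""
    policy = factory_default()
    policy[0].outgoing = "Allow"
    policy[2].outgoing = "No Rule"
    # Custom incoming service: IPsec ESP (IP protocol 50) plus IKE (UDP 500),
    # delivered to one constructed service host on the trusted network.
    policy.insert(0, Service("IPsec-passthru", [("proto", 50), ("udp", 500, 500)],
                             incoming="Allow", service_host="192.168.111.50"))
    return policy


if __name__ == "__main__":
    for label, policy in (("default", factory_default()), ("locked down", locked_down())):
        print(label, "incoming tcp/80 :", decide(policy, "incoming", TCP, 80))
        print(label, "outgoing tcp/6667:", decide(policy, "outgoing", TCP, 6667))
```

The `exposure()` count is the number the sentence "restrict the service to only the ports and protocols that are necessary" is really about: a custom service declared as a wide port range exposes every port in it, whether or not anything listens there today.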
Controlling traffic from the trusted to optional network You can restrict the traffic that starts in the trusted network and goes to the optional network: 1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1 2 From the navigation bar, click Firewall > Optional. The Filter Outgoing Traffic to Optional Network page appears.
Services for the Optional Network
Disabling traffic filters
To allow traffic to flow from the optional network to the trusted network, you allow all traffic between the trusted and optional networks. Select the Disable traffic filters check box to allow all incoming and outgoing traffic between the trusted and optional interfaces.
NOTE When you select the Disable traffic filters check box, the trusted network is not protected from the optional network. Anything that reaches the optional network, including wireless clients bridged to it, then has unrestricted access to trusted hosts.
Blocking External Sites
The Blocked Sites feature helps prevent traffic from hostile sites from getting through the Firebox. When you identify a hostile source address, you can block every connection that address tries to make. When a hostile host tries to connect to your network, the Firebox® X Edge records data about the attempt. You can examine that data to identify attacks.
Configuring Firewall Options
You can use the Firewall Options page to configure rules that increase your network security with methods other than service rules.
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1
2 From the navigation bar, click Firewall > Options. The Firewall Options page appears.
Denying FTP access to the trusted network interface
You can configure the Firebox X Edge to stop FTP connections to the Edge itself from the trusted interface or the external interface. This setting has higher precedence than any configured service.
1 Select the Do not allow FTP access to Trusted Network check box.
2 Click Submit.
NOTE You must clear the Do not allow FTP access to Trusted Network check box when you apply an update to the Edge firmware with the automatic installer.
Configuring your SOCKS application
Configure the software that uses SOCKS on trusted network computers to connect to a computer on the external network. When you configure the software, use the settings recommended in that software’s documentation.
NOTE The Firebox X Edge uses port 1080 to talk to computers with software that uses SOCKS. Make sure that port 1080 is open and not used by other software on the computer.
Logging all allowed outgoing traffic
If you use the default settings, the Firebox X Edge records only unusual events. When traffic is denied, the Edge records the information in the log file. You can configure the Edge to record information about all outgoing traffic in the log file.
NOTE Recording all outgoing traffic creates a large number of log records.
To change the MAC address of the external interface:
1 Select the Enable override MAC address for the External Network check box, or select the Enable override MAC address for the Failover Network check box. You can select both check boxes.
2 In the External network override MAC address or Failover network override MAC address text box, type the new MAC address for the Firebox X Edge external or failover network.
3 Click Submit.
CHAPTER 7 Configuring Logging and System Time A log file is a list of all the events that occur on the Firebox® X Edge. An event is one activity, such as when the Firebox denies a packet. A log file records and saves information about these events. An event log message is an important part of a network security policy. A sequence of denied packets can show a pattern of suspicious network activity. Log records can help you identify possible security problems.
Category
The type of message. For example, whether the message came from an IP address or from a configuration file.
Message
The text of the message.
This procedure shows how to see the event log file:
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1
2 From the navigation bar, click Logging.
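As an added example of the point made at the start of this chapter (a sequence of denied packets can reveal suspicious activity), the Python below parses a few constructed log lines in a generic firewall format (not the Edge’s own message text) and flags sources whose denied inbound packets touch many distinct ports within a short window, the classic port-scan pattern. The addresses, timestamps and thresholds are made up for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a generic "timestamp action direction proto
# src:port -> dst:port" format; the Edge's real message text is not reproduced.
SAMPLE_LOG = """\
2005-03-01 10:15:02 deny in tcp 203.0.113.5:44321 -> 192.0.2.10:21
2005-03-01 10:15:03 deny in tcp 203.0.113.5:44322 -> 192.0.2.10:22
2005-03-01 10:15:03 deny in tcp 203.0.113.5:44323 -> 192.0.2.10:23
2005-03-01 10:15:04 deny in tcp 203.0.113.5:44324 -> 192.0.2.10:25
2005-03-01 10:15:06 deny in tcp 203.0.113.5:44325 -> 192.0.2.10:80
2005-03-01 10:15:09 deny in tcp 203.0.113.5:44326 -> 192.0.2.10:443
2005-03-01 10:15:30 deny in udp 198.51.100.7:53 -> 192.0.2.10:1434
2005-03-01 10:16:00 allow out tcp 192.168.111.20:3344 -> 198.51.100.9:80
2005-03-01 10:40:00 deny in tcp 198.51.100.7:5000 -> 192.0.2.10:22
""".splitlines()

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>allow|deny) (?P<dir>in|out) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(lines):
    """Turn log lines into event dicts; lines that do not parse are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def find_scanners(events, min_ports=5, window=timedelta(seconds=60)):
    """Sources whose denied inbound packets hit at least min_ports distinct
    destination ports within `window`. Returns {source: sorted port list}."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "deny" and ev["dir"] == "in":
            per_src[ev["src"]].append((ev["ts"], ev["dport"]))
    findings = {}
    for src, hits in per_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # sliding window anchored at each denied packet in turn
            ports = {port for ts, port in hits[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                findings[src] = sorted(ports)
                break
    return findings


if __name__ == "__main__":
    for src, ports in find_scanners(parse(SAMPLE_LOG)).items():
        print(f"{src}: {len(ports)} ports probed: {ports}")
```

The second source in the sample is deliberately not flagged: two denies 25 minutes apart are normal background noise, and the time window is what separates a scan from that noise. When you forward the log to a syslog or WSEP host, the same logic can run there over the full history instead of the Edge’s limited on-box buffer.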
2 From the navigation bar, click Logging > WSEP Logging. The WatchGuard Security Event Processor Logging page appears.
3 Make sure the Enable WatchGuard Security Event Processor Logging check box is selected. If it is not, click it.
4 In the Log Host IP Address field, type the IP address of the Log Server.
5 In the Device Name field, type a name for the Firebox X Edge.
Logging to a Syslog Host
Configure a Syslog host:
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1
2 From the navigation bar, click Logging > Syslog Logging. The Syslog Logging page appears.
3 Select the Enable Syslog output check box.
4 Adjacent to Address of Syslog host, type the IP address of the Syslog host.
Setting the System Time
For each log message, the Firebox® X Edge records the time from its system clock. The Edge uses the Network Time Protocol (NTP) to get the correct time automatically. Log timestamps are only useful for correlating events with other systems if the clock is right, so set the time manually if the Edge cannot reach a time server. To manually set the system time:
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1
2 From the navigation bar, click Logging > System Time. The System Time page appears.
CHAPTER 8 Configuring WebBlocker WebBlocker is an option for the Firebox X Edge that gives you control of the Web sites that are available to your users. Some companies restrict access to some Web sites to increase employee productivity. Other companies restrict access to Web sites that they believe are offensive. NOTE You must purchase the WebBlocker upgrade to use this feature. For information on how to activate upgrade options, see “Activating Upgrade Options” on page 201.
Configuring Global WebBlocker Settings The first WebBlocker page in the Firebox® X Edge Web pages is the WebBlocker Settings page.
To configure WebBlocker:
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1
2 From the navigation bar, select WebBlocker > Settings. The WebBlocker Settings page appears.
3 Select the Enable WebBlocker check box.
4 Type a password in the Full Access Password field.
7 To make users authenticate for WebBlocker, select Require Web users to authenticate. If you use one global WebBlocker setting for all users, it is not necessary to select this option. Use this option if you apply different WebBlocker profiles to different groups of users. 8 Add a custom message for users to see when they try to access a Web page that is blocked by WebBlocker. This message will appear with the usual WebBlocker message.
Creating WebBlocker Profiles
A WebBlocker profile is a set of restrictions you apply to groups of users on your network. You can create different profiles, with different groups of restrictions. For example, you can create a profile for new employees, with more restrictions than for other employees. It is not necessary to create WebBlocker profiles if you use one set of WebBlocker rules for all of your users.
4 In the Profile Name field, type a familiar name. You use this name to identify the profile during configuration. For example, use the name “90day” for a profile that applies to employees who have been at your company for less than 90 days.
5 In Blocked Categories, click the groups of Web sites to block. For more information on categories, see the next section.
6 Click Submit.
To remove a profile, from the WebBlocker Profiles page, select the profile from the Profile drop-down list. Click Delete.
WebBlocker Categories Drug Culture Pictures or text advocating the illegal use of drugs for entertainment. This category includes substances that are used for other than their primary purpose to alter the individual’s state of mind. This does not include currently illegal drugs legally prescribed for medicinal purposes (such as drugs used to treat glaucoma or cancer). Satanic/cult Pictures or text advocating devil worship, an affinity for evil, wickedness, or the advocacy to join a cult.
devoted to conversations with partners about sexually transmitted diseases, pregnancy, and sexual boundaries. Not included in this category are commercial sites selling sexual paraphernalia (topics included under Sexual Acts). Sexual Acts Pictures or text exposing anyone or anything involved in explicit sexual acts and/or lewd and lascivious behavior.
Allowing Certain Sites to Bypass WebBlocker
WebBlocker can deny a Web site that is necessary for your work. You can override WebBlocker using the Allowed Sites feature. For example, employees in your company frequently use Web sites that contain medical information. Some of these Web sites are forbidden by WebBlocker because they fall into the sex education category.
4 Do step 3 again for other Web sites. When you have no more Web sites to add, click Submit. To remove an item from the list, click the address. Click Remove. Blocking Additional Web Sites You can block some Web sites that WebBlocker allows. For example, you can receive a LiveSecurity® Service alert that tells you that a frequently used Web site is dangerous.
Allowing Internal Hosts to Bypass WebBlocker
You can make a list of internal hosts that bypass WebBlocker settings:
1 From the navigation bar, select WebBlocker > Trusted Hosts. The WebBlocker Trusted Hosts page appears.
2 In the text box at the bottom of the page, type the host IP address of the computer on your trusted or optional network to allow to browse the Internet without WebBlocker restrictions. Click Add.
CHAPTER 9 Configuring Virtual Private Networks You use a virtual private network (VPN) to create secure connections between computers or networks in different locations. The networks and hosts on a VPN tunnel can be corporate headquarters, branch offices, remote users, and telecommuters. When a VPN tunnel is created, the two tunnel endpoints are authenticated. Data in the tunnel is encrypted. Only the sender and the recipient of the message can read it.
The last part of this chapter includes Frequently Asked Questions and information on how to keep the VPN tunnel operating correctly and how to see VPN tunnel statistics. These last sections can help you troubleshoot the VPN tunnel. For more information on VPN tunnels, see the Advanced FAQs: https://www.watchguard.
Managed VPN: With a Firebox III or Firebox X and WatchGuard System Manager 8.0
your Edge to make more VPN tunnels, as described in “Enabling the Model Upgrade Option” on page 203. If you connect two Microsoft Windows NT networks, they must be in the same Microsoft Windows domain, or they must be trusted domains. This is a Microsoft Networking constraint, not a limit of the Firebox X Edge.
uses DVCP to keep the VPN tunnel configuration. The name Managed VPN is used because the Management Server manages the VPN tunnel and sends the VPN configuration to your Edge. This makes the Edge administrator’s task easy because you need to type only a small amount of information into the Edge configuration pages. You must have WatchGuard System Manager and a Firebox III, Firebox X Core, or Firebox X Peak to have a Management Server.
3 Select the Enable VPN Manager Access check box.
4 Type and confirm a status passphrase and a configuration passphrase; the Management Server uses them to make read-only and read-write connections to your Firebox X Edge. You must give these passphrases to the WatchGuard Management Server administrator. Do not use these passphrases for any other purpose.
5 Click the Submit button.
10 Type the Shared Key. This is the shared key used to secure the connection between the Management Server and the Firebox X Edge. This shared key must be the same on the Edge and the Management Server. You must get the shared key from your VPN administrator.
11 Click Submit.
5 Click Submit.
Managed VPN: With a Firebox III or Firebox X and WatchGuard System Manager 7.3
You can configure a VPN on the Firebox® X Edge with two different methods: Managed VPN and Manual VPN. This section tells you how to use Managed VPN, or DVCP. For information on creating a Manual VPN, see “Manual VPN: Setting Up Manual VPN Tunnels” on page 140.
Getting information about the DVCP Server
You must get this information from the administrator of the DVCP Server Firebox:
• Find out if the DVCP Server Firebox is a Basic DVCP Server or a VPN Manager DVCP Server. Use the matching procedure below to set up the Edge for Basic DVCP or VPN Manager.
• The DVCP shared key. This is different from the VPN shared key that you use to create a Manual VPN.
Setting up the Edge for Basic DVCP

Use this procedure to make a Firebox X Edge a client of a Basic DVCP server. The procedure is the same if your Edge has a static IP address or a dynamic IP address on its external interface:
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1.
Setting up VPN Manager on an Edge with dynamic external IP address

If the IP address assigned to your Firebox X Edge external interface is dynamic, use this procedure to configure it for VPN Manager:
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1.
2 From the navigation bar, select Administration > VPN Manager Access.
7 From the navigation bar, select VPN > Managed VPN. The Managed VPN page appears.
8 Select the Enable Managed VPN check box.
9 Type the IP address of the DVCP server.
10 Type the client name and the shared key.
11 Click Submit.
3 Select the Enable VPN Manager Access check box.
4 Type the status passphrase and type it again to confirm it.
5 If the DVCP Server Firebox uses a version of WatchGuard System Manager older than WSM version 7.3, select the Enable Interoperability with VPN Manager v7.0, v7.1, and v7.2 check box. If the DVCP Server Firebox uses WatchGuard System Manager 7.3 or later, do not select this check box.
6 Click the Submit button.
Manual VPN: Setting Up Manual VPN Tunnels

• You must know the shared key (passphrase) for the tunnel. The same shared key must be used by the two devices.
• You must know the encryption method used for the tunnel (DES or 3DES). Each VPN device must use the same encryption method.
• You must know the authentication method for each end of the tunnel (MD5 or SHA1). Each VPN device must use the same authentication method.
Sample VPN Address Information Table

Item: External IP Address
  Description: The IP address that identifies the IPSec-compatible device on the Internet.
  Assigned by: ISP
  Site A: 207.168.55.2
  Site B: 68.130.44.15

Item: Local Network Address
  Description: An address used to identify a local network. These are the IP addresses of the machines on each side that are allowed to send traffic through the VPN tunnel. We recommend that you use an address from one of the reserved ranges: 10.0.0.0/8—255.
To create Manual VPN tunnels on your Firebox X Edge

1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1.
2 From the navigation bar, select VPN > Manual VPN. The Manual VPN page appears.
3 Click Add. The Add Gateway page appears.
4 Type the name and shared key. The tunnel name is for your identification only.
1 authenticates the two sides and creates a key management security association to protect tunnel data. The default settings for Phase 1 are the same for all Firebox X devices. Many users keep these settings at their default values.

NOTE
Make sure that the Phase 1 configuration is the same on the two devices.

To change Phase 1 configuration:
1 2 Select the negotiation mode for Phase 1 from the drop-down list.
NOTE
If your Edge’s external interface has a private IP address instead of a public IP address, then your ISP or the Internet access device connected to the Edge’s external interface (modem or router) does Network Address Translation (NAT). See the instructions at the end of this section if your Edge’s external interface has a private IP address.

3 Select the type of authentication from the Authentication Algorithm drop-down list.
have a public IP address. If that is not possible, use this section for more information. Devices that do NAT frequently have some basic firewall features built into them. To make a VPN tunnel to your Firebox X Edge when the Edge is behind a device that does NAT, the NAT device must let the traffic through.
name, and it must use this same public IP address as the domain name in its Phase 1 setup.

Phase 2 settings

Phase 2 negotiates the data management security association for the tunnel. The tunnel uses this phase to create IPSec tunnels and put data packets together. You can use the default Phase 2 settings to make configuration easier.

NOTE
Make sure that the Phase 2 configuration is the same on the two devices.
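The prerequisites listed under “Manual VPN: Setting Up Manual VPN Tunnels” (the same shared key, encryption method and authentication method on both devices), the two notes that the Phase 1 and Phase 2 configuration must be the same on both devices, and the warning about a private external IP address can all be checked on paper before either device is touched. The following is an added example, not code from the guide or from WatchGuard: a small Python check over descriptions of the two tunnel ends. The field names, the phase1_mode value, the shared key and the two local networks are assumptions made for the example; the external addresses are the Site A and Site B values from the sample address table.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class TunnelEndpoint:
    """One end of a Manual VPN tunnel. Field names are this example's own."""
    name: str
    external_ip: str       # address the IPSec peer reaches on the Internet
    local_network: str     # network behind this device, in CIDR notation
    shared_key: str        # pre-shared key (passphrase); must match on both ends
    encryption: str        # "DES" or "3DES"; must match on both ends
    authentication: str    # "MD5" or "SHA1"; must match on both ends
    phase1_mode: str       # Phase 1 negotiation mode; must match on both ends


VALID_ENCRYPTION = {"DES", "3DES"}
VALID_AUTHENTICATION = {"MD5", "SHA1"}
MUST_MATCH = ("shared_key", "encryption", "authentication", "phase1_mode")


def check_tunnel_pair(a: TunnelEndpoint, b: TunnelEndpoint) -> list:
    """Return the list of problems that would keep the two ends from agreeing.

    An empty list means every setting the guide says must be identical is
    identical, both local networks are reserved (private) ranges that do not
    overlap, and neither external address is private (a private external
    address means a NAT device sits in front of that end).
    """
    problems = []

    for field_name in MUST_MATCH:
        if getattr(a, field_name) != getattr(b, field_name):
            problems.append(f"{field_name} differs between {a.name} and {b.name}")

    for ep in (a, b):
        if ep.encryption not in VALID_ENCRYPTION:
            problems.append(f"{ep.name}: unsupported encryption {ep.encryption!r}")
        if ep.authentication not in VALID_AUTHENTICATION:
            problems.append(f"{ep.name}: unsupported authentication {ep.authentication!r}")
        if ipaddress.ip_address(ep.external_ip).is_private:
            problems.append(f"{ep.name}: external IP {ep.external_ip} is private (NAT in front)")
        if not ipaddress.ip_network(ep.local_network, strict=False).is_private:
            problems.append(f"{ep.name}: local network {ep.local_network} is not a reserved range")

    # Overlapping local networks make routing through the tunnel ambiguous.
    net_a = ipaddress.ip_network(a.local_network, strict=False)
    net_b = ipaddress.ip_network(b.local_network, strict=False)
    if net_a.overlaps(net_b):
        problems.append(f"local networks {net_a} and {net_b} overlap")

    return problems


# Sample endpoints: the external addresses are the guide's Site A / Site B
# values; local networks, shared key and mode are constructed for this example.
SITE_A = TunnelEndpoint("Site A", "207.168.55.2", "10.1.0.0/24",
                        "example-shared-key", "3DES", "SHA1", "Main")
SITE_B = TunnelEndpoint("Site B", "68.130.44.15", "10.2.0.0/24",
                        "example-shared-key", "3DES", "SHA1", "Main")


if __name__ == "__main__":
    for problem in check_tunnel_pair(SITE_A, SITE_B) or ["no mismatches found"]:
        print(problem)
```

The check compares the shared key as configuration text only; it is a pre-deployment sanity check, not an authentication step, and the real key should of course be exchanged out of band as the guide requires.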
7 Click Submit.

VPN Keep Alive

To keep the VPN tunnel open when there are no connections through it, you can use the IP address of a computer at the other end of the tunnel as an echo host. The Firebox® X Edge sends a ping each minute to the specified host. Use the IP address of a host that is always up, and that responds to ping messages.
2 From the navigation bar, select VPN > Keep Alive. The VPN Keep Alive page appears.
3 Type the IP address of an echo host. Click Add.
4 Click Submit.

Viewing VPN Statistics

You can monitor Firebox® X Edge VPN traffic and troubleshoot the VPN configuration with the VPN Statistics page. To see the VPN Statistics page:
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface.
the devices cannot be made unless the two devices know how to find each other. You can use Dynamic DNS. For information, see “Registering with the Dynamic DNS Service” on page 66.

How do I get a static external IP address?

You get the external IP address for your computer or network from your ISP or an administrator. Many ISPs use dynamic IP addresses to make their networks easier to configure and use with many users.
Frequently Asked Questions

Is the Firebox X Edge compatible with WatchGuard System Manager?

Yes. The default Firebox X Edge configuration is compatible with WatchGuard System Manager v7.3 and higher. To configure the Edge for use with WSM v7.0, v7.1, and v7.2, browse to the VPN Manager Access page (Administration > VPN Manager Access). Select the check box Enable interoperability with VPN Manager v7.0, v7.1, and v7.2.
CHAPTER 10 Configuring the MUVPN Client Mobile User VPN lets remote users connect to your Firebox® X Edge’s private network through a secure, encrypted channel. The MUVPN client is a software application that is installed on a remote computer. The client makes a secure connection from the remote computer to your protected network from an unsecured network. The MUVPN client uses Internet Protocol Security (IPSec) to secure the connection.
include ZoneAlarm. The use of ZoneAlarm is optional. Other than ZoneAlarm, the two packages are the same. This chapter shows how to prepare the Edge and the remote computer for MUVPN. This chapter also includes information about the features of the ZoneAlarm personal firewall.

About This Chapter

You must complete some procedures to make sure that MUVPN operates correctly.
Wireless Network” on page 176 for information about how to make the wireless computers use MUVPN on the Edge’s wireless network. If you want to use a Pocket PC to make a VPN connection to the Edge, read the section “Tips for Configuring the Pocket PC” on page 177. At the end of this chapter is a section with troubleshooting tips.

Enabling MUVPN for Edge Users

Before you configure the MUVPN client, you must configure MUVPN client and user settings on the Firebox® X Edge.
Preferred
If the virtual adapter is in use or it is not available, the mobile user does not use a virtual adapter to connect with the MUVPN client. If the virtual adapter is available, the remote computer is assigned the WINS and DNS addresses you entered in the Firebox Users > Settings area of the Edge configuration pages.

Required
The mobile user must use a virtual adapter to connect with the MUVPN client.
8 Set MUVPN key expiration in kilobytes or hours. The default values are 8192 KB and 24 hours.
9 Select Mobile User from the VPN Client Type drop-down list if the remote user is connecting from a desktop or laptop computer instead of a handheld device such as a Pocket PC.
10 Select the All traffic uses tunnel (0.0.0.0/0 IP Subnet) check box if the remote client will send all its traffic (including usual Web traffic) through the VPN tunnel to the Firebox X Edge.
Configuring the Firebox for MUVPN clients using a Pocket PC

To create a MUVPN tunnel between the Firebox X Edge and your Pocket PC, you must configure the Firebox User account correctly. Use the previous procedure, but select Pocket PC from the VPN Client Type drop-down list.

NOTE
WatchGuard does not provide a Mobile User VPN software package for the Pocket PC. You must follow the software manufacturer’s instructions to configure their software and the Pocket PC.
Preparing Remote Computers for MUVPN

- At the prompt, save the .wgx file to your computer.

Give these two files to the remote user

Give the MUVPN software and the .wgx file to the remote user. You must also give the user the shared key you used when you enabled the Firebox User account to use MUVPN, as described in “Enabling MUVPN for Edge Users” on page 155. The user uses this shared key at the end of the installation process.

NOTE
The shared key is highly sensitive information.
• No other IPSec VPN client software can be on the computer. Remove any other IPSec VPN software from the user’s computer before you try to install the WatchGuard MUVPN software.
• We recommend that you install the most current service packs for each operating system.
• 10 MB hard disk space
• Native Microsoft TCP/IP communications protocol
• Microsoft Internet Explorer 5.
3 Click the Services tab and click Add.
4 Select Remote Access Services and click OK.
5 Type the path to the Windows NT installation files, or put your system installation CD in the computer and click OK. The Remote Access Setup window appears.
6 Click Yes to add a RAS device, for example, a modem, and then click Add.
7 Complete the Install New Modem wizard.
7 Click the WINS Address tab, type the IP address of your WINS server in the applicable field, and then click OK. To add more WINS servers, repeat this step.
8 Click Close to close the Network window. The Network Settings Change dialog box appears.
9 Click Yes to restart the computer. The computer restarts.

Windows 2000 setup

Use this section to install and configure the network components for the Windows 2000 operating system.
4 Make sure these components are installed and enabled:
  - Internet Protocol (TCP/IP)
  - File and Printer Sharing for Microsoft Networks
  - Client for Microsoft Networks

Installing the Internet Protocol (TCP/IP) network component

From the connection window Networking tab:
1 Click Install. The Select Network Component Type window appears.
2 Double-click the Protocol network component. The Select Network Protocol window appears.
From the connection window Networking tab:
1 Select the Internet Protocol (TCP/IP) component and click Properties. The Internet Protocol (TCP/IP) Properties window appears.
2 Click Advanced. The Advanced TCP/IP Settings window appears.
3 Click the DNS tab and, from the section labeled DNS server addresses, in order of use, click Add. The TCP/IP DNS Server window appears.
4 Type the IP address of the DNS server and click Add. To add more DNS servers, repeat steps 3 and 4.
3 Double-click the connection you use to get Internet access. The connection window appears.
4 Click Properties and then click the Networking tab.
5 Make sure these components are installed and enabled:
  - Internet Protocol (TCP/IP)
  - File and Printer Sharing for Microsoft Networks
  - Client for Microsoft Networks

Installing the Internet Protocol (TCP/IP) Network Component

From the connection window Networking tab:
1 Click Install.
Configuring the WINS and DNS settings

The remote computer must be able to connect to the WINS and DNS servers. These servers are on the trusted network of the Firebox X Edge. From the connection window Networking tab:
1 Select the Internet Protocol (TCP/IP) component.
2 Click Properties. The Internet Protocol (TCP/IP) Properties window appears.
3 Click Advanced. The Advanced TCP/IP Settings window appears.
Installing and Configuring the MUVPN Client

NOTE
To install and configure the MUVPN client, you must have local administrator rights on the remote computer.

Installing the MUVPN client

To install the MUVPN client:
1 No other IPSec VPN client software can be on the computer. Remove any other IPSec VPN software from the user’s computer before installing the WatchGuard® MUVPN software.
2 Copy the MUVPN installation file and the .wgx file to the remote computer.
12 The InstallShield wizard looks for a user profile. Use the Browse button to find and select the folder containing the .wgx file. Click Next. You can click Next at this step if you do not have the .wgx file at this time. You can import the .wgx file later. To import a .wgx file after the software is installed, double-click the .wgx file and give the shared key.
13 Click OK to continue the installation.
14 The MUVPN client is installed.
Connecting and Disconnecting the MUVPN Client

9 Click Yes to delete the security policy. The InstallShield Wizard window appears.
10 Select Yes, I want to restart my computer now. Click the Finish option. The computer restarts.

NOTE
The ZoneAlarm personal firewall settings are kept in these directories by default:
Windows NT and 2000: c:\winnt\internet logs\
Windows XP: c:\windows\internet logs
To remove these settings, delete the contents of the appropriate directory.
The MUVPN Security Policy is not active. This icon can appear if the Windows operating system did not start a required MUVPN service. If this occurs, the remote computer must be restarted. If the problem continues, remove and install the MUVPN client again.

Activated
The MUVPN client can make a secure MUVPN tunnel connection.

Activated and Transmitting Unsecured Data
The MUVPN client can make a secure MUVPN tunnel connection.
The MUVPN client started one or more secure MUVPN tunnels. The green bar on the right of the icon tells you that the client is only sending data that is secure.

Activated, Connected, and Transmitting both Secured and Unsecured Data
The MUVPN client started one or more secure MUVPN tunnels. The green and red bars on the right of the icon tell you that the client is sending data that is secure and data that is not secure.
3 Right-click the ZoneAlarm icon shown at right.
4 Select Shutdown ZoneAlarm. The ZoneAlarm window appears.
5 Click Yes.

Monitoring the MUVPN Client Connection

The Log Viewer and the Connection Monitor are installed with the MUVPN client. These tools let you monitor the MUVPN connection and troubleshoot problems.

Using Log Viewer

Use Log Viewer to show the connections log. This log shows the events that occur when the MUVPN tunnel is started.
The ZoneAlarm Personal Firewall

tion. The monitor records the information that appears in this window during the phase 1 IKE negotiations and the phase 2 IPSec negotiations. From the Windows desktop system tray:
1 Right-click the Mobile User VPN client icon.
2 Select Connection Monitor. The Connection Monitor window appears. An icon appears to the left of the connection name:
• SA tells you that the connection only has a phase 1 SA.
Allowing traffic through ZoneAlarm

When a software application tries to get access through the ZoneAlarm personal firewall, a New Program alert appears. This alert tells the user the name of the software application. This can cause confusion for users. To let a program get access to the Internet each time the software application is started, select the Remember the answer each time I use this program check box.
Here is a list of some programs that must go through the ZoneAlarm personal firewall when you use their associated software applications.

Programs That Must Be Allowed
  MUVPN client: IreIKE.exe, MuvpnConnect.exe
  MUVPN Connection Monitor: CmonApp.exe
  MUVPN Log Viewer: ViewLog.exe

Programs That Can Be Allowed
  MS Outlook: OUTLOOK.exe
  MS Internet Explorer: IEXPLORE.exe
  Netscape 6.1: netscp6.exe
  Opera Web browser: Opera.exe
  Standard Windows network applications: lsass.
NOTE
The Remove Shared Component window can appear. During the initial installation of ZoneAlarm, some files were installed that can be shared by other programs on the system. Click Yes to All to completely remove all of these files.

6 The Install window appears and gives you a prompt to restart the computer. Click OK to restart.
Tips for Configuring the Pocket PC

The wireless MUVPN client cannot connect to the Internet, the computers on the optional network, or any other network that the Edge has a connection to.

All networks
This is the usual configuration for wireless MUVPN clients.
Here are some configuration tips for the Pocket PC.

Phase 1 configuration of the Pocket PC’s VPN software
• The Pocket PC’s “IPSec Peer Gateway Address” must be the Edge’s external IP address if the Pocket PC is connecting from the Internet. The IPSec Peer Gateway Address must be the Edge’s private IP address if the Pocket PC is connecting from the optional or trusted network.
• The Phase 1 ID type must be “ID_USER_FQDN”. This is also known as the IKE ID by some ISPs.
Troubleshooting Tips

• The remote user’s virtual IP address is configured in the Firebox User account settings, on the MUVPN tab. The virtual IP address must be an IP address from the Edge’s trusted or optional network that is not being used.
• The Firebox X Edge does not support compression.
• By default, the network that the Edge allows encrypted traffic to is the trusted network. The default trusted network is 192.168.111.0/24, or 192.168.111.0 with subnet mask 255.255.255.
4 Select Shutdown ZoneAlarm. The ZoneAlarm dialog box appears.
5 Click Yes.

I must enter my network login information even when I am not connected to the network.

When you start your computer, you must type your Windows network user name, password, and domain. It is very important that you type this information correctly. Windows keeps this information for use by network adapters and network applications.
How do I map a network drive?

Because of a Windows operating system limitation, mapped network drives must be mapped again when you work remotely. To map a network drive again from the Windows desktop:
1 Right-click Network Neighborhood.
2 Select Map Network Drive. The Map Network Drive window appears.
3 Use the drop-down list to select a drive letter. Select a drive from the drop-down list or type a network drive path.
4 Click OK.
CHAPTER 11 Managing the Firebox and User Accounts The Firebox® X Edge includes tools you can use to manage your network and your users.
NOTE
Only sessions from computers on the Edge’s trusted or optional network to computers on the external network use a seat license. For more information on seat licenses, see “About Seat Licenses” on page 196.

On the Firebox Users page, you can see information about sessions in the Active Sessions section. You can also see information on the users that you configured for this Edge.
Seeing Current Sessions and Users

• The time between the last packet and the session expiration is known as the idle time. If you set the idle time for a Firebox user to 0 hours and 0 minutes, the Firebox does not disconnect the session.

Stopping a session

To stop an active session, click the X for the session. A dialog box appears. Click Yes to stop the session. To stop all active sessions, click Close All.
• The user can log out manually by clicking the Logout button on the Login Status dialog box.
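Two rules from this section decide what the Active Sessions list shows: a session draws on a seat license only when it goes from the trusted or optional network to the external network (the note above), and an idle time of 0 hours and 0 minutes means the Edge never disconnects the session. The following is an added example, not code from the guide or from WatchGuard, that models those two rules in Python so an administrator can reason about how many seat licenses a set of sessions will consume. The trusted network is the guide's default 192.168.111.0/24; the optional network address, the Session fields and the sample sessions are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# The trusted network below is the guide's default; the optional network
# address is an assumption made for this example.
TRUSTED_NETWORK = ipaddress.ip_network("192.168.111.0/24")
OPTIONAL_NETWORK = ipaddress.ip_network("192.168.112.0/24")


@dataclass
class Session:
    """An authenticated session as it might appear under Active Sessions."""
    user: str
    source_ip: str
    destination_ip: str
    last_packet: int    # time of the last packet, in seconds on some clock
    idle_limit: int     # allowed idle time in seconds; 0 means never expire


def is_internal(ip: str) -> bool:
    """True for addresses on the trusted or optional network."""
    addr = ipaddress.ip_address(ip)
    return addr in TRUSTED_NETWORK or addr in OPTIONAL_NETWORK


def uses_seat_license(session: Session) -> bool:
    """Only trusted/optional -> external sessions consume a seat license."""
    return is_internal(session.source_ip) and not is_internal(session.destination_ip)


def is_expired(session: Session, now: int) -> bool:
    """Idle time 0h 0m (idle_limit == 0) means the Edge never disconnects it."""
    if session.idle_limit == 0:
        return False
    return now - session.last_packet > session.idle_limit


def seat_license_summary(sessions, now: int, pool_size: int) -> dict:
    """Count active sessions and how many of them draw on the seat-license pool."""
    active = [s for s in sessions if not is_expired(s, now)]
    licensed = [s for s in active if uses_seat_license(s)]
    return {
        "active": len(active),
        "licensed": len(licensed),
        "available": max(pool_size - len(licensed), 0),
        "pool_exhausted": len(licensed) >= pool_size,
    }


# Constructed sample sessions, evaluated at clock time 1200 s.
SAMPLE_SESSIONS = [
    Session("alice", "192.168.111.10", "203.0.113.5", last_packet=1000, idle_limit=600),   # external, active
    Session("bob", "192.168.111.11", "192.168.111.20", last_packet=1000, idle_limit=600),  # internal only
    Session("carol", "192.168.112.7", "198.51.100.9", last_packet=100, idle_limit=600),    # idle too long
    Session("dave", "192.168.111.12", "203.0.113.8", last_packet=100, idle_limit=0),       # never expires
]

if __name__ == "__main__":
    print(seat_license_summary(SAMPLE_SESSIONS, now=1200, pool_size=5))
```

The model makes the practical consequence visible: a user configured with idle time 0 (dave) keeps holding a seat license however long the workstation sits idle, so that setting is best reserved for accounts that genuinely need a permanent session.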
• Admin Level -- You can set the user permissions to Full, None, or Read-only. For more information, see “Adding or Editing a User Account,” on page 190.
• Options -- You can configure a user to use WebBlocker or MUVPN.

Editing a user account

To edit a user account, click the Edit icon. For descriptions of the fields you can configure, see “Adding or Editing a User Account,” on page 190.
About User Authentication

The Firebox® X Edge uses advanced authentication options to increase network security. There are options to prevent connections to some resources and to help decrease the number of seat licenses necessary. This section gives information on how a user can authenticate to the Edge, how your users and administrators can close an active session, and which options are available to customize authentication.
This includes dialog boxes used by wizards, and the dialog box used to log in to the Edge. When you authenticate to the Edge, one of two screens appears. A user with Read-Only or Full Administrative Access sees the Firebox X Edge System Status page. A user with Administrative Access set to None sees a dialog box with an authentication status message. When you authenticate to the Edge, your user name appears in the Active Sessions section of the Firebox Users page.
• Require User Authentication – You must select this check box to use the authentication options.
• External Network Access Restrictions – Enable this check box if it is necessary for your users to authenticate before they connect to computers on the external network. The external network is frequently the Internet.
Configuring MUVPN client settings

The MUVPN client settings apply to all MUVPN connections to the Edge. To configure MUVPN client settings:
1 Use your browser to connect to the System Status page. From the navigation bar, select Firebox Users > Settings. The Settings page appears.
2 If necessary, use the scroll bar to scroll to the Firebox User Common MUVPN Client Settings section.
3 You can lock the MUVPN client security policy (.
Adding or Editing a User Account

time limits on this access. You can also apply a WebBlocker profile to the user account and configure the user’s MUVPN restrictions.
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1.
2 From the navigation bar, select Firebox Users. The Firebox Users page appears.
3 Below Local User Accounts, click Add. The New User page appears.
7 In the Password field, type a password with a minimum of eight characters. Mix eight letters, numbers, and symbols. Do not use a word you can find in a dictionary. For increased security, use a minimum of one special symbol, a number, and a mixture of uppercase and lowercase letters.
8 9 Type the password again in the Confirm Password field.
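Step 7 states a password rule set (at least eight characters; letters, numbers and symbols; not a dictionary word; for increased security at least one special symbol, one number, and both uppercase and lowercase letters). The following is an added example, not code from the guide or from WatchGuard, that expresses those rules as a Python check an administrator could run before typing a password into the New User page. The word list is a constructed stand-in for a real dictionary, and the rule that letters are compared after digits and symbols are stripped is this example's own way of catching padded dictionary words.

```python
import string

# Constructed word list for this example. A real check would use a full
# dictionary; the guide's rule is only "not a word you can find in a dictionary".
COMMON_WORDS = {"password", "watchguard", "firebox", "welcome", "letmein", "admin"}

MIN_LENGTH = 8


def check_edge_password(password: str, dictionary=COMMON_WORDS) -> list:
    """Return the rules from the guide that the password fails (empty = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than eight characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in string.punctuation for c in password):
        failures.append("no special symbol")
    # Compare only the letters, so a dictionary word padded with digits or
    # symbols ("Password1!") is still recognised as dictionary-based.
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    if letters_only in dictionary:
        failures.append("based on a dictionary word")
    return failures


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "Tr0ub4d&rx"):
        print(candidate, "->", check_edge_password(candidate) or "ok")
```

The check is deliberately strict about the "increased security" items, treating them as requirements rather than suggestions, because these accounts can carry Full administrative access to the Edge.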
Creating a read-only administrative account

You can create a local user account with access to view Firebox configuration pages. When you log in as a read-only administrator, you cannot:
• Click the Reboot button on the System Status page.
• Change the configuration mode on the External page.
• Click the Reset Event Log and Sync Time with Browser Now buttons on the Logging page.
• Click the Synchronize Now button on the System Time page.
Make sure you keep the administrator name and password in a safe location. You must have this information to see the configuration pages. If the system administrator name and password are not known, you must reset the Firebox to the factory default configuration. For more information, see “Resetting the Firebox to the factory default settings” on page 41. We recommend that you change the administrator passphrase monthly.
3 Find the session in the Active Sessions list. Click the Close button. To end all sessions, click the Close All button.

For more information, see the FAQ: https://www.watchguard.com/support/AdvancedFaqs/edge_seatlicense.asp
License upgrades are available from your reseller or from the WatchGuard Web site: http://www.watchguard.com/sales/buyonline.asp

Changing a user account name or password

You can change an account name or account password. You cannot change them both.
About Seat Licenses

The Firebox® X Edge is enabled with a specified number, or “pool,” of seat licenses. The number of seat licenses puts a limit on how many users can get out to the Internet at one time. The total number of available seat licenses in the pool is set by the Edge model you have and any upgrade licenses you apply. The Firebox Users page (below Active Sessions) shows how many active sessions there are, and how many of those sessions use seat licenses.
puter tries to connect to the external network without authenticating, the Edge does not allow the connection. A seat license is used only when a user is allowed to connect from the trusted or optional network to the external network.

Selecting HTTP or HTTPS for Management

HTTP (Hypertext Transfer Protocol) is the “language” used to move files (text, graphic images, and multimedia files) on the Internet.
If you select this check box, you must use http:// in the browser's address bar to bring up configuration pages instead of the default https://.

Changing the HTTP Server Port

To connect to the Firebox® X Edge to see the configuration pages, or for a user to authenticate to the Edge, the browser's connection must use the same port as the Edge’s HTTP server port. Because HTTPS uses TCP port 443 (HTTP uses TCP port 80), the default HTTP server port for the Edge is 443.
Updating the Firmware

2 From the navigation bar, select Administration > VPN Manager Access. The VPN Manager Access page appears.
3 Select the Enable VPN Manager Access check box.
4 Type a status passphrase for your Firebox X Edge and then type it again to confirm in the correct fields.
5 Type a configuration passphrase for your Firebox X Edge and then type it again to confirm in the correct fields.
update on the Firebox X Edge automatically when you start it on a Windows computer. The second method uses a smaller download and allows you to apply the firmware updates with the Firebox X Edge configuration pages. If you do not use Windows, install the update with the second procedure.

Method 1

The first method uses an executable file and is the preferred method for installing the Firebox X Edge firmware update from a Windows computer.
Activating Upgrade Options

You must first download the Software Update file, which is a small Zip file.
1 Extract the “wgrd” file from the Zip file you downloaded using an archiving utility such as Winzip (for Windows computers), StuffIt (for Macintosh), or Linux archive capabilities.
1 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.
2 Type your LiveSecurity Service user name and password in the fields provided.
3 Click Log In.
4 Use the instructions on the Web site to activate your license key and to get the feature key.
5 Copy the feature key from the LiveSecurity Service Web site.
6 To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.
Enabling the Model Upgrade Option

Upgrade options

User licenses
A seat license upgrade allows more connections between the trusted network and the external network. For example, a 5-seat user license upgrade allows five more connections to the external network than the base model with no licenses applied.

MUVPN Clients
The MUVPN Clients upgrade allows remote users to connect to the Firebox X Edge through a secure (IPSec) VPN tunnel. These users have access to trusted network resources.
Configuring Additional Options

Some Firebox® X Edge options are included with your Firebox, but are disabled in the default configuration. To use these features, you must enable and configure them. These options are as follows:

Managed VPN
The managed VPN feature allows you to set up VPN tunnels using a WatchGuard Management Server. For more information, see Chapter 8, “Configuring VPNs.”

Manual VPN
The manual VPN feature allows you to set up VPN tunnels manually.
APPENDIX A Firebox X Edge Hardware The WatchGuard® Firebox® X Edge is a firewall for small organizations and branch offices. The WatchGuard Firebox X Edge Wireless can connect to computers with a wireless network interface card.
• LiveSecurity® Service activation card
• Hardware Warranty Card
• AC adapter (12 V)
• Power cable clip, to attach to the cable and connect to the side of the Edge. This decreases the tension on the power cable.
Operating Temperature: 0 - 40 °C
Environment: Indoor use only
Dimensions: Depth = 5 inches, Width = 8.75 inches, Height = 1.25 inches
Weight: 1.9 U.S. pounds

Hardware Description

The Firebox® X Edge has a simple hardware architecture. All indicator lights appear on the front panel while all ports and connectors are on the rear panel of the device.

Front panel

The front panel of the Firebox X Edge has 24 indicator lights to show the link status.
F/O
Shows a WAN failover. The indicator light is green when there is a WAN failover from WAN1 to WAN2. The indicator light goes off when the external interface connection goes back to WAN1.

Link
The link indicator light shows a physical connection to a trusted Ethernet interface. The trusted interfaces have the numbers 0 through 6. The indicator light comes on when traffic goes through the related interface.

100
When a trusted network interface operates at 100 Mbps, the related 100 indicator light comes on.
Rear view

Serial port (DB9)
Use the serial port to connect an external modem to the Edge.

Ethernet interfaces 0 through 6
The seven Ethernet interfaces with the marks 0 through 6 are for the trusted network.

OPT interface
This Ethernet interface is for the optional network.

WAN interfaces 1 and 2
The WAN1 and WAN2 interfaces are for the external network.

Power input
We supply a 12-volt AC adapter with your Edge. Connect the AC adapter to the Edge and to a power source.
About IEEE 802.11g/b Wireless

In general, RF power and signal bandwidth create a maximum limit on the rate that data can be sent on a wireless connection. The equation below calculates the maximum data rate:

$$\text{ChannelCapacity} = \text{ChannelBandwidth} \times \log_2\left(1 + \frac{\text{SignalStrength}}{\text{NoiseLevel}}\right)$$

This equation shows that the channel capacity (bits/s) is set by:
• Channel bandwidth: 22 Mbits/s for 802.11b and 54 MBits/s for 802.
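A worked evaluation of the capacity equation above, added here as an example and not taken from the original guide. The equation takes the signal-to-noise ratio as a plain ratio, so a value quoted in decibels is converted first; the bandwidth of 22 MHz and the two SNR values below are assumed figures chosen for the illustration:

$$\frac{\text{SignalStrength}}{\text{NoiseLevel}} = 10^{\mathrm{SNR}_{\mathrm{dB}}/10}$$

With $\text{ChannelBandwidth} = 22\,\text{MHz}$ and $\mathrm{SNR}_{\mathrm{dB}} = 20$ (a ratio of 100):

$$\text{ChannelCapacity} = 22 \times 10^{6} \times \log_2(1 + 100) \approx 22 \times 10^{6} \times 6.66 \approx 1.46 \times 10^{8}\ \text{bit/s}$$

At $\mathrm{SNR}_{\mathrm{dB}} = 10$ (a ratio of 10), $\log_2(1 + 10) \approx 3.46$ and the bound drops to about $7.6 \times 10^{7}$ bit/s, so halving the SNR in decibels roughly halves the capacity in this range. The result is a theoretical upper bound on what the channel can carry; the data rates an 802.11 link actually achieves are lower and depend on the modulation scheme selected.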
Signal strength (Watts)
The signal strength is set by these factors:
• Power of the RF signal that is sent and received
• Amount of directional antenna gain at the transmitter and the receiver
• Signal attenuation (path-loss) between the transmitter and receiver
Antenna directional gain
Antenna directional gain is calculated from the degree to which the radiation pattern of an antenna is focused in a specified direction. A highly directional antenna has a higher gain.
The signal attenuation caused by multi-path reflections depends on how the antenna is positioned. When the receiver is moved ½ wavelength, the signal strength can change by as much as 30 dB. To correct for this, the Firebox X Edge Wireless uses “antenna receiver diversity”: the effect of multi-path fading is reduced by using two antennas that are spaced other than ½ wavelength apart.
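The capacity equation and the 30 dB multi-path fade figure above, worked through in code. This is an added example and not part of the WatchGuard guide: it implements the guide's ChannelCapacity formula as a function, converts a signal-to-noise ratio given in dB (the form RF tools report) into the linear ratio the formula needs, and shows how much of a link's capacity a 30 dB fade removes. The function and parameter names, the demonstration SNR values and the choice to treat the 802.11b channel as 22 MHz wide are my assumptions, not values from the guide.

```python
import math


def channel_capacity(channel_bandwidth, signal_strength, noise_level):
    """Maximum data rate from the guide's equation:
    ChannelCapacity = ChannelBandwidth * log2(1 + SignalStrength / NoiseLevel).

    channel_bandwidth is in Hz, so the result is in bits/s; signal_strength
    and noise_level are linear power values (watts) in the same unit.
    """
    if channel_bandwidth <= 0 or noise_level <= 0 or signal_strength < 0:
        raise ValueError("bandwidth and noise must be positive, signal non-negative")
    return channel_bandwidth * math.log2(1 + signal_strength / noise_level)


def db_to_ratio(db):
    """Convert a power ratio expressed in decibels to a linear ratio (10 dB = 10x)."""
    return 10 ** (db / 10)


def capacity_from_snr_db(channel_bandwidth, snr_db):
    """Same formula, with the signal-to-noise ratio given in dB instead of two powers.
    Noise is normalised to 1.0 so the signal value is the linear SNR itself."""
    return channel_capacity(channel_bandwidth, db_to_ratio(snr_db), 1.0)


def fade_effect(channel_bandwidth, snr_db, fade_db):
    """Capacity before and after a fade of fade_db. The guide cites fades of up to
    30 dB from multi-path reflections when the receiver moves half a wavelength."""
    before = capacity_from_snr_db(channel_bandwidth, snr_db)
    after = capacity_from_snr_db(channel_bandwidth, snr_db - fade_db)
    return before, after


if __name__ == "__main__":
    # Constructed demonstration values (assumption: a 22 MHz wide 802.11b channel).
    bw = 22e6
    for snr in (10, 20, 30, 40):
        print(f"SNR {snr:2d} dB -> {capacity_from_snr_db(bw, snr) / 1e6:7.1f} Mbit/s")
    before, after = fade_effect(bw, 40, 30)
    print(f"40 dB link hit by a 30 dB fade: {before / 1e6:.1f} -> {after / 1e6:.1f} Mbit/s")
```

Because capacity grows only with the logarithm of the signal-to-noise ratio, each 10 dB lost costs roughly the same number of bits per second per hertz; a 30 dB fade on a strong link therefore removes most of its headroom, which is why the guide's two-antenna diversity matters more than raw transmit power.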
cent. When a different modulation scheme is selected, the data rate changes.
APPENDIX B Legal Notifications Copyright, Trademark, and Patent Information Copyright© 1998 - 2005 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, LiveSecurity, and any other mark listed as a trademark in the “Terms of Use” portion of the WatchGuard Web site that is used herein are either registered trademarks or trademarks of WatchGuard Technologies, Inc. and/or its subsidiaries in the United States and/or other countries.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org. 5.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Certifications and Notices
FCC Certification
This appliance has been tested and found to comply with limits for a Class A digital appliance, pursuant to Part 15 of the FCC Rules. Operation is subject to the following two conditions:
- This appliance may not cause harmful interference.
- This appliance must accept any interference received, including interference that may cause undesired operation.
CANADA RSS-210
The term “IC:” before the radio certification number only signifies that Industry of Canada technical specifications were met. Operation is subject to the following two conditions: (1) this device may not cause interference, and (2) this device must accept any interference, including interference that may cause undesired operation of the device.
Taiwanese Notices
Declaration of Conformity
Limited Hardware Warranty This Limited Hardware Warranty (the "Warranty") applies to the enclosed Firebox hardware product, not including any associated software which is licensed pursuant to a separate enduser license agreement and warranty (the "Product"). BY USING THE PRODUCT, YOU (either an individual or a single entity) AGREE TO THE TERMS HEREOF.
THE USE OF OR INABILITY TO USE THE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF ANY AGREED REMEDY. 5. MISCELLANEOUS PROVISIONS. This Warranty will be governed by the laws of the state of Washington, U.S.A., without reference to its choice of law rules. The provisions of the 1980 United Nations Convention on Contracts for the International Sales of Goods, as amended, shall not apply.
Symbols .wgx files described 154 distributing 158 viewing available 33 A Add Gateway page 143 Add Route page 64 Administration page described 34 subpages of 34 Administrative Access levels 187 administrator account 193 Aggressive Mode 144 Allow access to the External Network check box 192 Allow access to VPN check box 192 Allowed Sites pages 125 antenna directional gain 213 authentication.
CIDR notation 64, 94, 100, 147 Classless Inter Domain Routing 64, 94, 100, 147 Client for Microsoft Networks, installing 163 client, described 2 configuration file, viewing 204 configuration pages description 28–39 navigating 28 opening 28 viewing 27 configuration pages.
DVCP Server, getting information on 136 DVCP, described 131, 135 Dynamic DNS client page 67 dynamic DNS service, registering with 66–67 Dynamic Host Configuration Protocol.
administrator account 193 and SOCKS 106 authenticating to 187 back panel 211 cabling 19 configuring as DHCP server 54 described 207 front panel 209 hardware description 209–211 hardware specifications 208 indicator lights 209 installing 11–26 package contents 11, 207 rear panel 211 rebooting 42–43 registering 25 resetting to factory default 41 serial number 12 side panel 211 updating software 39 upgrade options 201 viewing log messages for 111 Web pages.
I incoming service, creating custom 91, 92, 97 indicator lights 209 installation determining TCP/IP settings 13 disabling TCP/IP proxy settings 17 setting your computer to connect to Edge 22 TCP/IP properties 14 installation requirements 11, 12 installing the Firebox X Edge 11–26 Internet how information travels on 4 options for connecting to 2 Internet connection, required for Firebox X Edge 13 Internet Protocol (IP) 3 Internet Protocol (TCP/IP) Network Component and Windows XP 165 Internet Protocol (TCP/I
viewing status of 36 Logging page 112 described 36 subpages of 36–37 M Managed VPN page 133, 137, 139 Managed VPNs and VPN Manager 137 described 131, 135 setting Edge for DVCP 137 Manual VPN page 143 Manual VPNs creating 143 described 140 Manually configure DNS server IP addresses check box 73 model upgrades 203 modems and DNS settings 73 dialup settings 74 types supported 72 using the failover 72 multipath, described 213 MUVPN client allowing through firewall 171 configuring user settings for 190 connecti
WINS and DNS servers 160 N navigation bar 29 netmask 14 Network Address Translation (NAT), and the Edge 14, 145 network addressing, described 13 network interfaces, configuring 45–71 Network page described 31 subpages of 31–32 network security, described 1 Network Setup Wizard 45 Network Statistics page 65 network statistics, viewing 65 networks, types of 2 New User page 191 noise level 212 numbered ports 211 O optional network assigning static IP addresses on 62 changing IP address of 59 configuring 58–6
P package contents 11 packets, described 4 pages Add Gateway 143 Add Route 64 Administration 34 Allowed Sites 125 Blocked Sites 104 Custom Service 92, 98 Denied Sites 126 DHCP Address Reservations 56, 61 Dynamic DNS client 67 External Network Configuration 47, 48, 49 Filter Traffic 90, 96, 102 Firebox Users 33, 191, 194, 195 Firewall 35 Firewall Options 105 Logging 36, 112 Managed VPN 133, 137, 139 Manual VPN 143 Network 31 Network Statistics 65 New User 191 Optional Network Configuration 59, 60, 62 Routes
passphrases, described 191, 195 path-loss 213 Perfect Forward Secrecy 147 Phase 1 settings 143, 144 Phase 2 settings 147 Pocket PCs creating MUVPN tunnels to 158 creating tunnels to 158 tips for configuring 177 Point-to-Point Protocol over Ethernet.
resetting to factory default 41 Restrict Access by Hardware Address check box 84 routes configuring static 63 viewing 31 Routes page 63 S seat licenses described 184, 196 upgrade 203 seat limitation 20 serial number, viewing 30 server, described 2 services creating custom 91–94, 97–101 creating custom incoming 91, 92, 97 described 6, 87 viewing current 35 Session idle time-out field 192 Session maximum time-out field 192 sessions closing 185 described 183 idle timeout 192 maximum timeout 192 releasing 20 t
and VPNs 149 described 13 obtaining 150 static routes making 63 removing 64 subnet mask 14 SurfControl 117 Syslog host, logging to 113 Syslog Logging page 114 Syslog, described 113 system configuration pages.
U UDP (User Datagram Protocol) 3 Uniform Resource Locator (URL) 6 updating firmware 199 updating software 39 upgrade options, activating 201 upgrade options, viewing status of 30 Upgrade page 202 user accounts changing name, password 195 configuring MUVPN settings 190 configuring MUVPN settings for all 155 creating new 190 deleting 186 editing 186 enabling MUVPN access for 156 read-only administrative 193 setting WebBlocker profile for 193 viewing 185 viewing current 33 user authentication changing options
Keep Alive feature 148 special considerations for 130 troubleshooting connections 150 viewing statistics 149 what you need to create 130 W wall mounting plate 211 WAN Failover and DNS settings 73 configuring 69 described 68, 203 using broadband connection for 71 using external modem for 72 WAN Failover page 70 WAN Failover Setup Wizard 69 WAN ports 211 WAN1 port 68 WAN2 port 68 WatchGuard Security Event Processor 112 WatchGuard Security Event Processor Logging page 113 Web sites blocking specific 126 block
Windows XP installing File and Printer Sharing for Microsoft Networks on 165 installing Internet Protocol (TCP/IP) Network Component on 165 preparing for MUVPN clients 164 WINS and DNS settings, configuring 161, 163 wireless access point, setting up 79 wireless card, configuring 76 wireless communication antenna directional gain 213 channel bandwidth 214 described 212 noise level 212 path-loss 213 signal attenuation 213 signal strength 213 Wireless Encryption Privacy (WEP) 78 Wireless Network Configuration