WatchGuard Technologies Firebox™ System 4.6 manual
WatchGuard Firebox System User Guide
Models: Firebox™ System 4.6
170 pages
Contents
WatchGuard Firebox System User Guide
Copyright and Patent Information
Disclaimer
WatchGuard Firebox System WFS End-User License Agreement
Watchguard
Declaration of Conformity
CE Notice
FCC Certification
CSA Statement
Table of Contents
Using the WatchGuard Control Center
Setting Up Network Address Translation
Welcome to WatchGuard
Part I Introduction
WatchGuard Firebox System components
WatchGuard Control Center
WatchGuard Firebox
WatchGuard security suite
Minimum requirements
LiveSecurity Service
Software requirements
Web browser requirements
CPU
Hardware requirements
LiveSecurity Service
Part II WatchGuard Services
WatchGuard Optional Features
Technical Support
Software Update
LiveSecurity Service
LiveSecurity broadcasts
Information Alert
Editorial
Activating the LiveSecurity Service
Support Flash
Virus Alert
Minimize or close your Web browser
LiveSecurity broadcasts
Technical Support
Accessing frequently asked questions (FAQ)
Click the LSS/SOHO Known Issues link on the left
Known issues
Getting Internet technical support
Getting telephone support
WatchGuard Interactive Training System (WITS)
Training
Online Help
WatchGuard users group
Instructor-led courses
Searching for topics
Starting WatchGuard Online Help
Copying the Help system to additional platforms
Online Help system requirements
Context-sensitive Help
Currently available options
WatchGuard Options
VPN Manager
High Availability
Mobile User VPN
Obtaining WatchGuard options
SpamScreen
Part III Configuring a Security Policy
Set up logging and notification
Set up network address translation (NAT)
Connect with out-of-band management
Firebox Basics
What is a Firebox?
Placing a Firebox within a network
Saving a configuration file
Opening a configuration file
Opening a configuration from the Firebox
Opening a configuration from a local hard disk
Saving a configuration to the local hard disk
Resetting Firebox passphrases
Saving a configuration to the Firebox
Tips for creating secure passphrases
Reinitializing a misconfigured Firebox
Setting the time zone
Select Setup = Time Zone
Reinitialize the Firebox using the QuickSetup wizard
Booting from the system area
Starting the Control Center and connecting to a Firebox
Using the WatchGuard Control Center
Navigating the WatchGuard Control Center
Control Center components
Front panel
QuickGuide
Firebox and VPN tunnel status
Remote VPN tunnels
IPSec
Expanding and collapsing the display
Red exclamation point
Setting the maximum number of log messages
Connecting to a Firebox
Working with the Control Center
Traffic Monitor
Manipulating the Traffic Monitor
Policy Manager
Opening WatchGuard Firebox System tools
LogViewer
Firebox Monitors
Changing the Policy Manager view
Historical Reports
HostWatch
LiveSecurity Event Processor
Running the QuickSetup wizard
Configuring a Network
Trusted
External
Setting up a drop-in network
Setting up a routed network
Adding a secondary network
Select Network = Configuration
Defining a network route
Select Network = Routes
Select Network = Default Gateway
Setting the default gateway
Defining a host route
Changing an interface IP address
Select Network = Configuration. Click the DHCP Server tab
Select Network = Configuration. Click the General tab
Entering WINS and DNS server addresses
Defining a Firebox as a DHCP server
Removing a subnet
Modifying an existing subnet
Click the subnet to remove it. Click Remove. Click OK
Defining a Firebox as a DHCP server
Select Setup = Default Packet Handling
Configuring default packet handling
Blocking Sites and Ports
Removing a blocked site
Blocking a site permanently
Changing the auto-block duration
Logging and notification for blocked sites
Removing a blocked port
Blocking a port permanently
Logging and notification for blocked ports
Category list, click Blocked Sites
Configuring a service to temporarily block sites
Blocking sites temporarily with service settings
Viewing the Blocked Sites list
Adding an existing service
Configuring Services
Click OK to close the Properties dialog box
Ignore
Creating a new service
Secure
Port
Adding incoming service properties
Defining service properties
Adding addresses to service properties
Adding outgoing service properties
Working with wg icons
Modifying a service
Configuring services for authentication
Deleting a service
Under Internal Hosts, click Add
Configuring an SMTP proxy service
Setting up proxy services
Configuring the incoming SMTP proxy
Click Yes
Adding address patterns
Selecting content types
Protecting your mail server against relaying
Select headers to allow
Configuring the outgoing SMTP proxy
Configuring an FTP proxy service
Click Outgoing
Add masquerading options
Configuring an HTTP proxy service
Service precedence
From Rank Any List
Service precedence
How WebBlocker works
Controlling Web Traffic
Reverting to old WebBlocker databases
Prerequisites to using WebBlocker
Configuring the WebBlocker service
Logging and WebBlocker
Activating WebBlocker
Scheduling operational and non-operational hours
Setting privileges
Creating WebBlocker exceptions
Click the WebBlocker Controls tab
Debug - Outputs debugging information
Manually downloading the WebBlocker database
What is dynamic NAT?
Setting Up Network Address Translation
Select Setup = NAT
Using simple dynamic NAT
Enabling simple dynamic NAT
Adding dynamic NAT entries
Enabling service-based NAT
Using service-based NAT
Configuring service-based NAT exceptions
Setting static NAT for a service
Configuring a service for incoming static NAT
Select Network = Configuration. Click the External tab
Adding external IP addresses
Checkbox
Enter the internal IP address
Click OK to close the Add Static NAT dialog box
Configuring a service for incoming static NAT
Ensure logging with failover logging
Setting Up Logging and Notification
Designating Event Processors for a Firebox
WatchGuard logging architecture
LiveSecurity Event Processor
Select Setup = Logging
Editing an Event Processor setting
Adding an Event Processor
Enabling Syslog logging
Reordering Event Processors
Removing an Event Processor
Synchronizing Event Processors
For Windows NT Event Processors
Installing the Event Processor program
Setting up the LiveSecurity Event Processor
Running an Event Processor on Windows
Running an Event Processor on Windows NT or Windows
Interactive mode from a DOS window
As a Windows NT or Windows 2000 Service
Viewing the Event Processor
Click WG LiveSecurity Event Processor. Click Startup
Setting the log encryption key
Setting global logging and notification preferences
Setting the interval for log rollover
Starting and stopping the Event Processor
Scheduling log reports
Customizing logging and notification by service or option
Controlling notification
Category
Setting Launch Interval and Repeat Count
Setting logging and notification for a service
Select Setup = Blocked Sites
Setting logging and notification for blocked sites and ports
Connect with Out-of-Band Management
Connecting a Firebox with OOB management
Enabling the Management Station
Configure the dial-up connection
Install the modem
Preparing a Windows NT Management Station for OOB
Preparing a Windows 95/98 Management Station for OOB
Select Network = Configuration. Click the OOB tab
Configuring the Firebox for OOB
Configuring PPP for connecting to a Firebox
Establishing an OOB connection
Aliases and Authentication
Part IV Administering a Security Policy
Firebox Activity Monitors
Network Activity Reports
Using host aliases
Creating Aliases and Implementing Authentication
Modifying a host alias
Adding a host alias
Removing a host alias
User authentication types
What is user authentication?
How user authentication works
Configuring Windows NT Server authentication
Configuring Firebox authentication
Under Authentication Enabled Via, click the Firebox option
To close the Setup Remote User dialog box, click Close
Click the Windows NT Server tab
Configuring RADIUS server authentication
Enter the administrator password
Configuring CRYPTOCard server authentication
On the RADIUS Server
Enter or accept the time-out in seconds
Configuring SecurID authentication
Example Configuring a service for Remote User VPN
Using authentication to define remote user VPN access
Monitoring Firebox Activity
Starting Firebox Monitors and connecting to a Firebox
ServiceWatch
Setting Firebox Monitors view properties
Bandwidth Meter
StatusReport
Packet counts
Network configuration
Log and notification hosts
Blocked Sites list
Logging options
Authentication host information
Memory
Load average
Routes
Interfaces
Interface the Firebox uses for each destination address
Blocked Sites list
Authentication list
ARP table
HostWatch display
Replaying a log file
Select File = Connect
Select File = Open
Controlling the HostWatch display
Viewing authenticated users
Viewing specific hosts
Viewing specific ports
Add
Modifying view properties
Reviewing and Working with Log Files
Setting LogViewer preferences
Viewing files with LogViewer
Starting LogViewer and opening a log file
Copying and exporting LogViewer data
Searching for specific entries
Displaying and hiding fields
Consolidating logs from multiple locations
Working with log files
Copying log files
Setting log encryption keys
Forcing the rollover of log files
From LiveSecurity Event Processor
Starting Historical Reports
Generating Reports of Network Activity
Creating and editing reports
Viewing the reports list
Creating a new report
Specifying report sections
Editing an existing report
Deleting a report
Specifying a report time span
Setting report properties
Consolidating report sections
Exporting reports to HTML format
Exporting reports
Exporting a report to WebTrends for Firewalls and VPNs
Enter the number of elements to rank in the table
Exporting a report to a text file
Using report filters
Creating a new filter
Editing a filter
Scheduling and running reports
Deleting a filter
Applying a filter
Manually running a report
Report sections and consolidated sections
Time Summary Proxied Traffic
Session Summary Packet Filtered
Host Summary Proxied Traffic
Proxy Summary
Consolidated Sections
Branch office virtual private network
Part V WatchGuard Virtual Private Networking
Remote user virtual private network
Configuration checklist
Configuring Branch Office Virtual Private Networking
How does DVCP work?
Using DVCP to connect to devices
Basic and Enhanced DVCP
Creating a tunnel to a SOHO or SOHOtc
Select Network = Branch Office VPN = Basic DVCP
Editing a tunnel to a device
Telecommuter IP Address
SOHO Private Network
Removing a tunnel to a device
Branch office VPN with IPSec
Defining a Firebox as an Enhanced DVCP Client
Select the tunnel policy. Click Edit
Select Network = Branch Office VPN = IPSec
Configuring a gateway
Adding a gateway
Click Gateways
Incoming Settings for Outgoing checkbox
Configuring a tunnel with manual security
Using Encapsulated Security Protocol (ESP)
Removing a gateway
Using Authenticated Headers (AH)
Configuring a tunnel with dynamic security
Click Key. Enter a passphrase. Click OK
Click the Dynamic Security tab
Block
Creating an IPSec policy
Bypass
Dst Port field, enter the remote host port
Changing IPSec policy order
Configuring services for branch office VPN with IPSec
Src Port field, enter the local host port
Incoming
WatchGuard VPN configuration models
Configuring WatchGuard VPN
Setting up WatchGuard VPN
Allow VPN access to any services
Changing remote network entries
Enable the Activate WatchGuard VPN checkbox
Preventing IP spoofing with WatchGuard VPN
Enter the encryption key. Click Make Key
Verifying successful WatchGuard VPN configuration
Configuring incoming services to allow VPN
Remote User PPTP
Configuring the Firebox for Remote User VPN
Mobile User VPN
Adding remote access users
Configuring shared servers for RUVPN
Adding a member to built-in RUVPN user groups
By individual service
Configuring services to allow incoming RUVPN
Using the Any service
Activating Remote User PPTP
Configuring the Firebox for Remote User PPTP
Entering IP addresses for Remote User sessions
Select Network = Remote User. Click the PPTP tab
Purchasing a Mobile User VPN license
Configuring the Firebox for Mobile User VPN
Rules for valid Remote User PPTP addresses
Entering license keys
Preparing Mobile User VPN configuration files
Defining a new mobile user
Select Network = Remote User. Click the Mobile User VPN tab
Distributing the software and configuration files
Saving the configuration to a Firebox
Modifying an existing Mobile User VPN entry
Select Network = Remote User
Debugging Mobile User VPN
Configuring debugging options
Debugging Remote User VPN PPTP
Preparing the client computers
Preparing a Host for Remote User VPN
Windows 95/98 platform preparation
Remote host operating system
Click the Identification tab
Installing Dial-Up Adapter #2 VPN Support
Installing Client for Microsoft Networks
Windows NT platform preparation
Click Dial Out Only. Click Continue
Setting up RUVPN for Windows
Adding a domain name to a Windows NT workstation
Select Computer Browser
Installing a VPN adapter on Windows 95/98
Configuring the remote host for RUVPN with PPTP
Initial Connection window that appears, click Yes
Click Obtain an IP Address Automatically. Click OK
Installing a VPN adapter on Windows NT
Using Remote User PPTP
Starting Remote User PPTP
Running Remote User PPTP
Enter the remote client username and password
Double-click the RUVPN connection
Click Connect
Index