Adding a gateway | WatchGuard Technologies FireboxTM System 4.6

Branch office VPN with IPSec

and how WatchGuard implements branch office VPN with IPSec, see the Network Security Handbook.

•Determine the tunnel and policy endpoints

•Select an encryption method

•Select an authentication method

From Policy Manager:

•Select Network => Branch Office VPN => IPSec.

Configuring a gateway

A gateway specifies endpoints for one or more tunnels. The standard specified for a gateway, such as isakmp automated key negotiation, becomes the standard for tunnels created with the gateway.

Adding a gateway

From the IPSec Configuration dialog box:

1Click Gateways.

2To add a gateway, click Add.

3Enter the gateway name.

This name identifies a gateway only within Policy Manager.

4Use the Key Negotiation Type drop list to select either isakmp (dynamic) or

Manual.

For more information, see “Configuring a tunnel with dynamic security” on page 127 and “Configuring a tunnel with manual security” on page 126.

5In the Remote Gateway IP field, enter the IP address of the Firebox (or other IPSec-compliant host) at the other end of the gateway.

6Enter the shared key.

The Shared Key field is available only for ISAKMP-negotiated gateways. The same key must be entered at the remote gateway.

7Click OK.

The Configure Gateways dialog box appears listing the newly configured gateway. Repeat the Add Gateway procedure to add additional gateways.

8When you finish adding gateways, click OK to return to the IPSec Configuration dialog box.

Editing a gateway

From the Configure Gateways dialog box:

1Click the gateway. Click Edit.

The IPSec Gateway dialog box appears.

2Make changes according to your security policy preferences.

3 Click OK.

User Guide

125

Image 135

WatchGuard Technologies FireboxTM System 4.6 manual Configuring a gateway, Select Network = Branch Office VPN = IPSec

Contents

WatchGuard Firebox System User Guide Copyright and Patent Information Disclaimer WatchGuard Firebox System WFS End-User License Agreement Page Watchguard Declaration of Conformity FCC Certification CE NoticeCSA Statement Table of Contents Using the WatchGuard Control Center Setting Up Network Address Translation 149 Part I Introduction Welcome to WatchGuardWatchGuard Firebox System components WatchGuard Firebox WatchGuard Control CenterWatchGuard security suite Web browser requirements LiveSecurity ServiceMinimum requirements Software requirements CPU Hardware requirements Technical Support Part II WatchGuard ServicesLiveSecurity Service WatchGuard Optional FeaturesPage Information Alert LiveSecurity ServiceSoftware Update LiveSecurity broadcasts Virus Alert Activating the LiveSecurity ServiceEditorial Support Flash Minimize or close your Web browser LiveSecurity broadcasts Technical Support Accessing frequently asked questions FAQ Getting telephone support Known issuesClick the LSS/SOHO Known Issues link on the left Getting Internet technical support WatchGuard Interactive Training System Wits Training WatchGuard users group Online HelpInstructor-led courses Online Help system requirements Starting WatchGuard Online HelpSearching for topics Copying the Help system to additional platforms Context-sensitive Help High Availability WatchGuard OptionsCurrently available options VPN Manager Obtaining WatchGuard options Mobile User VPNSpamScreen Part III Configuring a Security Policy Set up network address translation NAT Set up logging and notificationConnect with out-of-band management Firebox Basics What is a Firebox? Placing a Firebox within a network Opening a configuration from a local hard disk Opening a configuration fileSaving a configuration file Opening a configuration from the Firebox Tips for creating secure passphrases Resetting Firebox passphrasesSaving a configuration to the local hard disk Saving a configuration to the Firebox Reinitialize the Firebox using the QuickSetup wizard Setting the time zoneReinitializing a misconfigured Firebox Select Setup =Time Zone Booting from the system area Control Center components Using the WatchGuard Control CenterStarting the Control Center and connecting to a Firebox Navigating the WatchGuard Control Center QuickGuide Front panelFirebox and VPN tunnel status Red exclamation point IPSecRemote VPN tunnels Expanding and collapsing the display Traffic Monitor Connecting to a FireboxSetting the maximum number of log messages Working with the Control Center Policy Manager Manipulating the Traffic MonitorOpening WatchGuard Firebox System tools Firebox Monitors LogViewerChanging the Policy Manager view HostWatch Historical ReportsLiveSecurity Event Processor LiveSecurity Event Processor External Configuring a NetworkRunning the QuickSetup wizard Trusted Setting up a drop-in network Setting up a routed network Select Network = Routes Select Network = ConfigurationAdding a secondary network Defining a network route Changing an interface IP address Setting the default gatewaySelect Network = Default Gateway Defining a host route Defining a Firebox as a Dhcp server Select Network = Configuration. Click the General tabSelect Network = Configuration. Click the Dhcp Server tab Entering Wins and DNS server addresses Modifying an existing subnet Removing a SubnetClick the subnet to remove it. Click Remove Click OK Defining a Firebox as a Dhcp server Configuring default packet handling Select Setup = Default Packet HandlingBlocking Sites and Ports Logging and notification for blocked sites Blocking a site permanentlyRemoving a blocked site Changing the auto-block duration Category list, click Blocked Sites Blocking a port permanentlyRemoving a blocked port Logging and notification for blocked ports Blocking sites temporarily with service settings Configuring a service to temporarily block sitesViewing the Blocked Sites list Configuring Services Adding an existing serviceClick OK to close the Properties dialog box Port Creating a new serviceIgnore Secure Adding incoming service properties Defining service properties Adding outgoing service properties Adding addresses to service propertiesWorking with wg icons Under Internal Hosts, click Add Configuring services for authenticationModifying a service Deleting a service Click Yes Setting up proxy servicesConfiguring an Smtp proxy service Configuring the incoming Smtp proxy Select headers to allow Selecting content typesAdding address patterns Protecting your mail server against relaying Add masquerading options Configuring an FTP proxy serviceConfiguring the outgoing Smtp proxy Click Outgoing Configuring an Http proxy service Service precedence From Rank Any List Service precedence Controlling Web Traffic How WebBlocker worksReverting to old WebBlocker databases Activating WebBlocker Configuring the WebBlocker servicePrerequisites to using WebBlocker Logging and WebBlocker Click the WebBlocker Controls tab Setting privilegesScheduling operational and non-operational hours Creating WebBlocker exceptions Debug- Outputs debugging information Manually downloading the WebBlocker database What is dynamic NAT? Setting Up Network Address Translation Adding dynamic NAT entries Using simple dynamic NATSelect Setup = NAT Enabling simple dynamic NAT Using service-based NAT Enabling service-based NATConfiguring service-based NAT exceptions Adding external IP addresses Configuring a service for incoming static NATSetting static NAT for a service Select Network = Configuration. Click the External tab Enter the internal IP address CheckboxClick OK to close the Add Static NAT dialog box Configuring a service for incoming static NAT Ensure logging with failover logging Setting Up Logging Notification WatchGuard logging architecture Designating Event Processors for a FireboxLiveSecurity Event Processor Enabling Syslog logging Editing an Event Processor settingSelect Setup = Logging Adding an Event Processor For Windows NT Event Processors Removing an Event ProcessorReordering Event Processors Synchronizing Event Processors Running an Event Processor on Windows NT or Windows Setting up the LiveSecurity Event ProcessorInstalling the Event Processor program Running an Event Processor on Windows Click WG LiveSecurity Event Processor. Click Startup As a Windows NT or Windows 2000 ServiceInteractive mode from a DOS window Viewing the Event Processor Starting and stopping the Event Processor Setting global logging and notification preferencesSetting the log encryption key Setting the interval for log rollover Category Customizing logging and notification by service or optionScheduling log reports Controlling notification Setting Launch Interval and Repeat Count Setting logging and notification for a service Select Setup = Blocked Sites Setting logging and notification for blocked sites and ports Connecting a Firebox with OOB management Connect with Out-of-Band ManagementEnabling the Management Station Preparing a Windows 95/98 Management Station for OOB Install the modemConfigure the dial-up connection Preparing a Windows NT Management Station for OOB Establishing an OOB connection Configuring the Firebox for OOBSelect Network = Configuration. Click the OOB tab Configuring PPP for connecting to a Firebox Establishing an OOB connection Network Activity Reports Part IV Administering a Security PolicyAliases and Authentication Firebox Activity MonitorsPage Using host aliases Creating Aliases Implementing Authentication Adding a host alias Modifying a host aliasRemoving a host alias What is user authentication? User authentication typesHow user authentication works To close the Setup Remote User dialog box, click Close Configuring Firebox authenticationConfiguring Windows NT Server authentication Under Authentication Enabled Via, click the Firebox option Click the Windows NT Server tab Configuring Radius server authentication Enter or accept the time-out in seconds Configuring CRYPTOCard server authenticationEnter the administrator password On the Radius Server Configuring SecurID authentication Example Configuring a service for Remote User VPN Using authentication to define remote user VPN access Monitoring Firebox Activity Starting Firebox Monitors and connecting to a Firebox StatusReport Setting Firebox Monitors view propertiesServiceWatch Bandwidth Meter Blocked Sites list Network configurationPacket counts Log and notification hosts Load average Authentication host informationLogging options Memory Interfaces RoutesInterface the Firebox uses for each destination address Authentication list Blocked Sites listARP table Select File = Open Replaying a log fileHostWatch display Select File = Connect Viewing specific ports Viewing authenticated usersControlling the HostWatch display Viewing specific hosts Add Modifying view properties HostWatch 102 Starting LogViewer and opening a log file Setting LogViewer preferencesReviewing and Working with Log Files Viewing files with LogViewer Copying and exporting LogViewer data Searching for specific entries Displaying and hiding fields Consolidating logs from multiple locations Working with log files From LiveSecurity Event Processor Setting log encryption keysCopying log files Forcing the rollover of log files Working with log files 108 Viewing the reports list Generating Reports of Network ActivityStarting Historical Reports Creating and editing reports Deleting a report Specifying report sectionsCreating a new report Editing an existing report Setting report properties Specifying a report time spanConsolidating report sections Enter the number of elements to rank in the table Exporting reportsExporting reports to Html format Exporting a report to WebTrends for Firewalls and VPNs Using report filters Exporting a report to a text fileCreating a new filter Applying a filter Scheduling and running reportsEditing a filter Deleting a filter Manually running a report Report sections and consolidated sections Proxy Summary Session Summary Packet FilteredTime Summary Proxied Traffic Host Summary Proxied Traffic Consolidated Sections 118 Part V WatchGuard Virtual Private Networking Branch office virtual private networkRemote user virtual private network 120 Configuration checklist Configuring Branch Office Virtual Private Networking Creating a tunnel to a Soho or SOHOtc Using Dvcp to connect to devicesHow does Dvcp work? Basic and Enhanced Dvcp Soho Private Network Editing a tunnel to a deviceSelect Network = Branch Office VPN = Basic Dvcp Telecommuter IP Address Select the tunnel policy. Click Edit Branch office VPN with IPSecRemoving a tunnel to a device Defining a Firebox as an Enhanced Dvcp Client Click Gateways Configuring a gatewaySelect Network = Branch Office VPN = IPSec Adding a gateway Removing a gateway Configuring a tunnel with manual securityIncoming Settings for Outgoing checkbox Using Encapsulated Security Protocol ESP Click the Dynamic Security tab Configuring a tunnel with dynamic securityUsing Authenticated Headers AH Click Key. Enter a passphrase. Click OK Dst Port field, enter the remote host port Creating an IPSec policyBlock Bypass Incoming Configuring services for branch office VPN with IPSecChanging IPSec policy order Src Port field, enter the local host port Allow VPN access to any services Configuring WatchGuard VPNWatchGuard VPN configuration models Setting up WatchGuard VPN Enter the encryption key. Click Make Key Enable the Activate WatchGuard VPN checkboxChanging remote network entries Preventing IP spoofing with WatchGuard VPN Verifying successful WatchGuard VPN configuration Configuring incoming services to allow VPN Configuring the Firebox for Remote User VPN Remote User PptpMobile User VPN Configuring shared servers for Ruvpn Adding remote access usersAdding a member to built-in Ruvpn user groups Configuring services to allow incoming Ruvpn By individual serviceUsing the Any service Select Network = Remote User. Click the Pptp tab Configuring the Firebox for Remote User PptpActivating Remote User Pptp Entering IP addresses for Remote User sessions Configuring the Firebox for Mobile User VPN Purchasing a Mobile User VPN licenseRules for valid Remote User Pptp addresses Select Network = Remote User. Click the Mobile User VPN tab Preparing Mobile User VPN configuration filesEntering license keys Defining a new mobile user Select Network = Remote User Saving the configuration to a FireboxDistributing the software and configuration files Modifying an existing Mobile User VPN entry Configuring debugging options Debugging Mobile User VPNDebugging Remote User VPN Pptp Preparing the client computers Preparing a Host for Remote User VPN Remote host operating system Windows 95/98 platform preparationClick the Identification tab Installing Client for Microsoft Networks Installing Dial-Up Adapter #2 VPN SupportWindows NT platform preparation Select Computer Browser Setting up Ruvpn for WindowsClick Dial Out Only. Click Continue Adding a domain name to a Windows NT workstation Click Obtain an IP Address Automatically. Click OK Configuring the remote host for Ruvpn with PptpInstalling a VPN adapter on Windows 95/98 Initial Connection window that appears, click Yes Using Remote User Pptp Installing a VPN adapter on Windows NTStarting Remote User Pptp Click Connect Enter the remote client username and passwordRunning Remote User Pptp Double-click the Ruvpn connection Configuring debugging options 148 Index 150 User Guide 151 152 User Guide 153 154 User Guide 155 156 User Guide 157 158 User Guide 159 160