WatchGuard Technologies FireboxTM System 4.6 specification

Configuring WatchGuard VPN

Configuring incoming services to allow VPN

Because users on the remote Firebox are technically outside the trusted network, you must configure services to allow traffic through the VPN connection. WatchGuard recommends the following method:

1Create a host alias corresponding to the VPN remote networks.

For more information see “Adding a host alias” on page 86.

2Add the VPN host alias to Incoming and From Outgoing to properties of allowed services.

For more information, see “Defining service properties” on page 49.

An alternative method is to add the Any service with the following incoming properties:

•Enabled and allowed

•From: VPN host alias

•To: Any

Verifying successful WatchGuard VPN configuration

To determine whether a configuration has been successful:

•Watch for log entries as the Firebox reboots that show local and remote VPN IP addresses.

•Check the Firebox status once it has booted. There should be an entry for a VPN interface directly following the entry for eth2.

•Check the Control Center display for tunnel status.

If none of these indicators is present, review all settings on both Fireboxes, double- check that the passphrases are the same, and verify the remote IP addresses.

132

Image 142

WatchGuard Technologies FireboxTM System 4.6 manual Configuring incoming services to allow VPN

Contents

WatchGuard Firebox System User Guide Disclaimer Copyright and Patent Information WatchGuard Firebox System WFS End-User License Agreement Page Declaration of Conformity Watchguard CE Notice FCC CertificationCSA Statement Table of Contents Using the WatchGuard Control Center Setting Up Network Address Translation 149 Welcome to WatchGuard Part I IntroductionWatchGuard Firebox System components WatchGuard Control Center WatchGuard FireboxWatchGuard security suite Software requirements LiveSecurity ServiceMinimum requirements Web browser requirements Hardware requirements CPU WatchGuard Optional Features Part II WatchGuard ServicesLiveSecurity Service Technical SupportPage LiveSecurity broadcasts LiveSecurity ServiceSoftware Update Information Alert Support Flash Activating the LiveSecurity ServiceEditorial Virus Alert Minimize or close your Web browser LiveSecurity broadcasts Accessing frequently asked questions FAQ Technical Support Getting Internet technical support Known issuesClick the LSS/SOHO Known Issues link on the left Getting telephone support Training WatchGuard Interactive Training System Wits Online Help WatchGuard users groupInstructor-led courses Copying the Help system to additional platforms Starting WatchGuard Online HelpSearching for topics Online Help system requirements Context-sensitive Help VPN Manager WatchGuard OptionsCurrently available options High Availability Mobile User VPN Obtaining WatchGuard optionsSpamScreen Part III Configuring a Security Policy Set up logging and notification Set up network address translation NATConnect with out-of-band management What is a Firebox? Firebox Basics Placing a Firebox within a network Opening a configuration from the Firebox Opening a configuration fileSaving a configuration file Opening a configuration from a local hard disk Saving a configuration to the Firebox Resetting Firebox passphrasesSaving a configuration to the local hard disk Tips for creating secure passphrases Select Setup =Time Zone Setting the time zoneReinitializing a misconfigured Firebox Reinitialize the Firebox using the QuickSetup wizard Booting from the system area Navigating the WatchGuard Control Center Using the WatchGuard Control CenterStarting the Control Center and connecting to a Firebox Control Center components Front panel QuickGuideFirebox and VPN tunnel status Expanding and collapsing the display IPSecRemote VPN tunnels Red exclamation point Working with the Control Center Connecting to a FireboxSetting the maximum number of log messages Traffic Monitor Manipulating the Traffic Monitor Policy ManagerOpening WatchGuard Firebox System tools LogViewer Firebox MonitorsChanging the Policy Manager view Historical Reports HostWatchLiveSecurity Event Processor LiveSecurity Event Processor Trusted Configuring a NetworkRunning the QuickSetup wizard External Setting up a drop-in network Setting up a routed network Defining a network route Select Network = ConfigurationAdding a secondary network Select Network = Routes Defining a host route Setting the default gatewaySelect Network = Default Gateway Changing an interface IP address Entering Wins and DNS server addresses Select Network = Configuration. Click the General tabSelect Network = Configuration. Click the Dhcp Server tab Defining a Firebox as a Dhcp server Removing a Subnet Modifying an existing subnetClick the subnet to remove it. Click Remove Click OK Defining a Firebox as a Dhcp server Select Setup = Default Packet Handling Configuring default packet handlingBlocking Sites and Ports Changing the auto-block duration Blocking a site permanentlyRemoving a blocked site Logging and notification for blocked sites Logging and notification for blocked ports Blocking a port permanentlyRemoving a blocked port Category list, click Blocked Sites Configuring a service to temporarily block sites Blocking sites temporarily with service settingsViewing the Blocked Sites list Adding an existing service Configuring ServicesClick OK to close the Properties dialog box Secure Creating a new serviceIgnore Port Defining service properties Adding incoming service properties Adding addresses to service properties Adding outgoing service propertiesWorking with wg icons Deleting a service Configuring services for authenticationModifying a service Under Internal Hosts, click Add Configuring the incoming Smtp proxy Setting up proxy servicesConfiguring an Smtp proxy service Click Yes Protecting your mail server against relaying Selecting content typesAdding address patterns Select headers to allow Click Outgoing Configuring an FTP proxy serviceConfiguring the outgoing Smtp proxy Add masquerading options Configuring an Http proxy service Service precedence From Rank Any List Service precedence How WebBlocker works Controlling Web TrafficReverting to old WebBlocker databases Logging and WebBlocker Configuring the WebBlocker servicePrerequisites to using WebBlocker Activating WebBlocker Creating WebBlocker exceptions Setting privilegesScheduling operational and non-operational hours Click the WebBlocker Controls tab Manually downloading the WebBlocker database Debug- Outputs debugging information Setting Up Network Address Translation What is dynamic NAT? Enabling simple dynamic NAT Using simple dynamic NATSelect Setup = NAT Adding dynamic NAT entries Enabling service-based NAT Using service-based NATConfiguring service-based NAT exceptions Select Network = Configuration. Click the External tab Configuring a service for incoming static NATSetting static NAT for a service Adding external IP addresses Checkbox Enter the internal IP addressClick OK to close the Add Static NAT dialog box Configuring a service for incoming static NAT Setting Up Logging Notification Ensure logging with failover logging Designating Event Processors for a Firebox WatchGuard logging architectureLiveSecurity Event Processor Adding an Event Processor Editing an Event Processor settingSelect Setup = Logging Enabling Syslog logging Synchronizing Event Processors Removing an Event ProcessorReordering Event Processors For Windows NT Event Processors Running an Event Processor on Windows Setting up the LiveSecurity Event ProcessorInstalling the Event Processor program Running an Event Processor on Windows NT or Windows Viewing the Event Processor As a Windows NT or Windows 2000 ServiceInteractive mode from a DOS window Click WG LiveSecurity Event Processor. Click Startup Setting the interval for log rollover Setting global logging and notification preferencesSetting the log encryption key Starting and stopping the Event Processor Controlling notification Customizing logging and notification by service or optionScheduling log reports Category Setting logging and notification for a service Setting Launch Interval and Repeat Count Setting logging and notification for blocked sites and ports Select Setup = Blocked Sites Connect with Out-of-Band Management Connecting a Firebox with OOB managementEnabling the Management Station Preparing a Windows NT Management Station for OOB Install the modemConfigure the dial-up connection Preparing a Windows 95/98 Management Station for OOB Configuring PPP for connecting to a Firebox Configuring the Firebox for OOBSelect Network = Configuration. Click the OOB tab Establishing an OOB connection Establishing an OOB connection Firebox Activity Monitors Part IV Administering a Security PolicyAliases and Authentication Network Activity ReportsPage Creating Aliases Implementing Authentication Using host aliases Modifying a host alias Adding a host aliasRemoving a host alias User authentication types What is user authentication?How user authentication works Under Authentication Enabled Via, click the Firebox option Configuring Firebox authenticationConfiguring Windows NT Server authentication To close the Setup Remote User dialog box, click Close Configuring Radius server authentication Click the Windows NT Server tab On the Radius Server Configuring CRYPTOCard server authenticationEnter the administrator password Enter or accept the time-out in seconds Configuring SecurID authentication Using authentication to define remote user VPN access Example Configuring a service for Remote User VPN Starting Firebox Monitors and connecting to a Firebox Monitoring Firebox Activity Bandwidth Meter Setting Firebox Monitors view propertiesServiceWatch StatusReport Log and notification hosts Network configurationPacket counts Blocked Sites list Memory Authentication host informationLogging options Load average Routes InterfacesInterface the Firebox uses for each destination address Blocked Sites list Authentication listARP table Select File = Connect Replaying a log fileHostWatch display Select File = Open Viewing specific hosts Viewing authenticated usersControlling the HostWatch display Viewing specific ports Modifying view properties Add HostWatch 102 Viewing files with LogViewer Setting LogViewer preferencesReviewing and Working with Log Files Starting LogViewer and opening a log file Searching for specific entries Copying and exporting LogViewer data Displaying and hiding fields Working with log files Consolidating logs from multiple locations Forcing the rollover of log files Setting log encryption keysCopying log files From LiveSecurity Event Processor Working with log files 108 Creating and editing reports Generating Reports of Network ActivityStarting Historical Reports Viewing the reports list Editing an existing report Specifying report sectionsCreating a new report Deleting a report Specifying a report time span Setting report propertiesConsolidating report sections Exporting a report to WebTrends for Firewalls and VPNs Exporting reportsExporting reports to Html format Enter the number of elements to rank in the table Exporting a report to a text file Using report filtersCreating a new filter Deleting a filter Scheduling and running reportsEditing a filter Applying a filter Report sections and consolidated sections Manually running a report Host Summary Proxied Traffic Session Summary Packet FilteredTime Summary Proxied Traffic Proxy Summary Consolidated Sections 118 Branch office virtual private network Part V WatchGuard Virtual Private NetworkingRemote user virtual private network 120 Configuring Branch Office Virtual Private Networking Configuration checklist Basic and Enhanced Dvcp Using Dvcp to connect to devicesHow does Dvcp work? Creating a tunnel to a Soho or SOHOtc Telecommuter IP Address Editing a tunnel to a deviceSelect Network = Branch Office VPN = Basic Dvcp Soho Private Network Defining a Firebox as an Enhanced Dvcp Client Branch office VPN with IPSecRemoving a tunnel to a device Select the tunnel policy. Click Edit Adding a gateway Configuring a gatewaySelect Network = Branch Office VPN = IPSec Click Gateways Using Encapsulated Security Protocol ESP Configuring a tunnel with manual securityIncoming Settings for Outgoing checkbox Removing a gateway Click Key. Enter a passphrase. Click OK Configuring a tunnel with dynamic securityUsing Authenticated Headers AH Click the Dynamic Security tab Bypass Creating an IPSec policyBlock Dst Port field, enter the remote host port Src Port field, enter the local host port Configuring services for branch office VPN with IPSecChanging IPSec policy order Incoming Setting up WatchGuard VPN Configuring WatchGuard VPNWatchGuard VPN configuration models Allow VPN access to any services Preventing IP spoofing with WatchGuard VPN Enable the Activate WatchGuard VPN checkboxChanging remote network entries Enter the encryption key. Click Make Key Configuring incoming services to allow VPN Verifying successful WatchGuard VPN configuration Remote User Pptp Configuring the Firebox for Remote User VPNMobile User VPN Adding remote access users Configuring shared servers for RuvpnAdding a member to built-in Ruvpn user groups By individual service Configuring services to allow incoming RuvpnUsing the Any service Entering IP addresses for Remote User sessions Configuring the Firebox for Remote User PptpActivating Remote User Pptp Select Network = Remote User. Click the Pptp tab Purchasing a Mobile User VPN license Configuring the Firebox for Mobile User VPNRules for valid Remote User Pptp addresses Defining a new mobile user Preparing Mobile User VPN configuration filesEntering license keys Select Network = Remote User. Click the Mobile User VPN tab Modifying an existing Mobile User VPN entry Saving the configuration to a FireboxDistributing the software and configuration files Select Network = Remote User Debugging Mobile User VPN Configuring debugging optionsDebugging Remote User VPN Pptp Preparing a Host for Remote User VPN Preparing the client computers Windows 95/98 platform preparation Remote host operating systemClick the Identification tab Installing Dial-Up Adapter #2 VPN Support Installing Client for Microsoft NetworksWindows NT platform preparation Adding a domain name to a Windows NT workstation Setting up Ruvpn for WindowsClick Dial Out Only. Click Continue Select Computer Browser Initial Connection window that appears, click Yes Configuring the remote host for Ruvpn with PptpInstalling a VPN adapter on Windows 95/98 Click Obtain an IP Address Automatically. Click OK Installing a VPN adapter on Windows NT Using Remote User PptpStarting Remote User Pptp Double-click the Ruvpn connection Enter the remote client username and passwordRunning Remote User Pptp Click Connect Configuring debugging options 148 Index 150 User Guide 151 152 User Guide 153 154 User Guide 155 156 User Guide 157 158 User Guide 159 160