Manuals / WatchGuard Technologies / Computer Equipment / Network Router

WatchGuard Technologies FireboxTM System 4.6 manual Resetting Firebox passphrases

Models: FireboxTM System 4.6

1 170

Download 170 pages 21.61 Kb

Page 34

Resetting Firebox passphrases

Saving a configuration to the local hard disk

From Policy Manager in the Advanced view:

1Select File =>Save =>As File.

The Save dialog box appears.

2Enter the name of the file.

The default is to save the file to the WatchGuard directory.

3Click Save.

The configuration file is saved to the local hard disk.

Saving a configuration to the Firebox

From Policy Manager in the Advanced view:

1Select File =>Save =>To Firebox.

2Use the Firebox drop list to select a Firebox.

3Enter the configuration (read-write) passphrase. Click OK.

The configuration file is saved first to the local hard disk and then to the primary area of the Firebox flash disk. You are prompted to restart the Firebox. The new Firebox configuration will not be enabled until the Firebox is restarted.

4If you entered the IP address of a different Firebox, you are asked to confirm your choice. Click Yes.

Resetting Firebox passphrases

WatchGuard recommends that for optimum security you periodically change the Firebox passphrases. To do this, you must have the current configuration passphrase. From Policy Manager:

1Open the configuration file running on the Firebox.

For more information, see “Opening a configuration from the Firebox” on page 23.

2Select File =>Save =>To Firebox.

3Use the Firebox drop list to select a Firebox. Enter the configuration passphrase. Click OK.

4Enable the Save To Firebox checkbox. Select Save Configuration File and New Flash Image. Click Continue.

5Enter the new monitoring (read-only) and configuration (read-write) passphrases.

Click OK.

The new image, including the new passphrases, is saved to the Firebox, and the Firebox automatically restarts.

Make certain that your monitoring and configuration passphrases are different from one another.

Tips for creating secure passphrases

Although an attacker could crack any passphrase eventually, you can toughen your passphrases using the following tips:

24

Image 34

WatchGuard Technologies FireboxTM System 4.6 Resetting Firebox passphrases, Saving a configuration to the local hard disk

Contents

WatchGuard Firebox System User Guide Disclaimer Copyright and Patent InformationWatchGuard Firebox System WFS End-User License Agreement Page Declaration of Conformity WatchguardCE Notice FCC CertificationCSA Statement Table of Contents Using the WatchGuard Control Center Setting Up Network Address Translation 149 Welcome to WatchGuard Part I IntroductionWatchGuard Firebox System components WatchGuard Control Center WatchGuard FireboxWatchGuard security suite Software requirements LiveSecurity ServiceMinimum requirements Web browser requirementsHardware requirements CPUWatchGuard Optional Features Part II WatchGuard ServicesLiveSecurity Service Technical SupportPage LiveSecurity broadcasts LiveSecurity ServiceSoftware Update Information AlertSupport Flash Activating the LiveSecurity ServiceEditorial Virus AlertMinimize or close your Web browser LiveSecurity broadcasts Accessing frequently asked questions FAQ Technical SupportGetting Internet technical support Known issuesClick the LSS/SOHO Known Issues link on the left Getting telephone supportTraining WatchGuard Interactive Training System WitsOnline Help WatchGuard users groupInstructor-led courses Copying the Help system to additional platforms Starting WatchGuard Online HelpSearching for topics Online Help system requirementsContext-sensitive Help VPN Manager WatchGuard OptionsCurrently available options High AvailabilityMobile User VPN Obtaining WatchGuard optionsSpamScreen Part III Configuring a Security Policy Set up logging and notification Set up network address translation NATConnect with out-of-band management What is a Firebox? Firebox BasicsPlacing a Firebox within a network Opening a configuration from the Firebox Opening a configuration fileSaving a configuration file Opening a configuration from a local hard diskSaving a configuration to the Firebox Resetting Firebox passphrasesSaving a configuration to the local hard disk Tips for creating secure passphrasesSelect Setup =Time Zone Setting the time zoneReinitializing a misconfigured Firebox Reinitialize the Firebox using the QuickSetup wizardBooting from the system area Navigating the WatchGuard Control Center Using the WatchGuard Control CenterStarting the Control Center and connecting to a Firebox Control Center componentsFront panel QuickGuideFirebox and VPN tunnel status Expanding and collapsing the display IPSecRemote VPN tunnels Red exclamation pointWorking with the Control Center Connecting to a FireboxSetting the maximum number of log messages Traffic MonitorManipulating the Traffic Monitor Policy ManagerOpening WatchGuard Firebox System tools LogViewer Firebox MonitorsChanging the Policy Manager view Historical Reports HostWatchLiveSecurity Event Processor LiveSecurity Event Processor Trusted Configuring a NetworkRunning the QuickSetup wizard ExternalSetting up a drop-in network Setting up a routed network Defining a network route Select Network = ConfigurationAdding a secondary network Select Network = RoutesDefining a host route Setting the default gatewaySelect Network = Default Gateway Changing an interface IP addressEntering Wins and DNS server addresses Select Network = Configuration. Click the General tabSelect Network = Configuration. Click the Dhcp Server tab Defining a Firebox as a Dhcp serverRemoving a Subnet Modifying an existing subnetClick the subnet to remove it. Click Remove Click OK Defining a Firebox as a Dhcp server Select Setup = Default Packet Handling Configuring default packet handlingBlocking Sites and Ports Changing the auto-block duration Blocking a site permanentlyRemoving a blocked site Logging and notification for blocked sitesLogging and notification for blocked ports Blocking a port permanentlyRemoving a blocked port Category list, click Blocked SitesConfiguring a service to temporarily block sites Blocking sites temporarily with service settingsViewing the Blocked Sites list Adding an existing service Configuring ServicesClick OK to close the Properties dialog box Secure Creating a new serviceIgnore PortDefining service properties Adding incoming service propertiesAdding addresses to service properties Adding outgoing service propertiesWorking with wg icons Deleting a service Configuring services for authenticationModifying a service Under Internal Hosts, click AddConfiguring the incoming Smtp proxy Setting up proxy servicesConfiguring an Smtp proxy service Click YesProtecting your mail server against relaying Selecting content typesAdding address patterns Select headers to allowClick Outgoing Configuring an FTP proxy serviceConfiguring the outgoing Smtp proxy Add masquerading optionsConfiguring an Http proxy service Service precedence From Rank Any List Service precedence How WebBlocker works Controlling Web TrafficReverting to old WebBlocker databases Logging and WebBlocker Configuring the WebBlocker servicePrerequisites to using WebBlocker Activating WebBlockerCreating WebBlocker exceptions Setting privilegesScheduling operational and non-operational hours Click the WebBlocker Controls tabManually downloading the WebBlocker database Debug- Outputs debugging informationSetting Up Network Address Translation What is dynamic NAT?Enabling simple dynamic NAT Using simple dynamic NATSelect Setup = NAT Adding dynamic NAT entriesEnabling service-based NAT Using service-based NATConfiguring service-based NAT exceptions Select Network = Configuration. Click the External tab Configuring a service for incoming static NATSetting static NAT for a service Adding external IP addressesCheckbox Enter the internal IP addressClick OK to close the Add Static NAT dialog box Configuring a service for incoming static NAT Setting Up Logging Notification Ensure logging with failover loggingDesignating Event Processors for a Firebox WatchGuard logging architectureLiveSecurity Event Processor Adding an Event Processor Editing an Event Processor settingSelect Setup = Logging Enabling Syslog loggingSynchronizing Event Processors Removing an Event ProcessorReordering Event Processors For Windows NT Event ProcessorsRunning an Event Processor on Windows Setting up the LiveSecurity Event ProcessorInstalling the Event Processor program Running an Event Processor on Windows NT or WindowsViewing the Event Processor As a Windows NT or Windows 2000 ServiceInteractive mode from a DOS window Click WG LiveSecurity Event Processor. Click StartupSetting the interval for log rollover Setting global logging and notification preferencesSetting the log encryption key Starting and stopping the Event ProcessorControlling notification Customizing logging and notification by service or optionScheduling log reports CategorySetting logging and notification for a service Setting Launch Interval and Repeat CountSetting logging and notification for blocked sites and ports Select Setup = Blocked SitesConnect with Out-of-Band Management Connecting a Firebox with OOB managementEnabling the Management Station Preparing a Windows NT Management Station for OOB Install the modemConfigure the dial-up connection Preparing a Windows 95/98 Management Station for OOBConfiguring PPP for connecting to a Firebox Configuring the Firebox for OOBSelect Network = Configuration. Click the OOB tab Establishing an OOB connectionEstablishing an OOB connection Firebox Activity Monitors Part IV Administering a Security PolicyAliases and Authentication Network Activity ReportsPage Creating Aliases Implementing Authentication Using host aliasesModifying a host alias Adding a host aliasRemoving a host alias User authentication types What is user authentication?How user authentication works Under Authentication Enabled Via, click the Firebox option Configuring Firebox authenticationConfiguring Windows NT Server authentication To close the Setup Remote User dialog box, click CloseConfiguring Radius server authentication Click the Windows NT Server tabOn the Radius Server Configuring CRYPTOCard server authenticationEnter the administrator password Enter or accept the time-out in secondsConfiguring SecurID authentication Using authentication to define remote user VPN access Example Configuring a service for Remote User VPNStarting Firebox Monitors and connecting to a Firebox Monitoring Firebox ActivityBandwidth Meter Setting Firebox Monitors view propertiesServiceWatch StatusReportLog and notification hosts Network configurationPacket counts Blocked Sites listMemory Authentication host informationLogging options Load averageRoutes InterfacesInterface the Firebox uses for each destination address Blocked Sites list Authentication listARP table Select File = Connect Replaying a log fileHostWatch display Select File = OpenViewing specific hosts Viewing authenticated usersControlling the HostWatch display Viewing specific portsModifying view properties AddHostWatch 102 Viewing files with LogViewer Setting LogViewer preferencesReviewing and Working with Log Files Starting LogViewer and opening a log fileSearching for specific entries Copying and exporting LogViewer dataDisplaying and hiding fields Working with log files Consolidating logs from multiple locationsForcing the rollover of log files Setting log encryption keysCopying log files From LiveSecurity Event ProcessorWorking with log files 108 Creating and editing reports Generating Reports of Network ActivityStarting Historical Reports Viewing the reports listEditing an existing report Specifying report sectionsCreating a new report Deleting a reportSpecifying a report time span Setting report propertiesConsolidating report sections Exporting a report to WebTrends for Firewalls and VPNs Exporting reportsExporting reports to Html format Enter the number of elements to rank in the tableExporting a report to a text file Using report filtersCreating a new filter Deleting a filter Scheduling and running reportsEditing a filter Applying a filterReport sections and consolidated sections Manually running a reportHost Summary Proxied Traffic Session Summary Packet FilteredTime Summary Proxied Traffic Proxy SummaryConsolidated Sections 118 Branch office virtual private network Part V WatchGuard Virtual Private NetworkingRemote user virtual private network 120 Configuring Branch Office Virtual Private Networking Configuration checklistBasic and Enhanced Dvcp Using Dvcp to connect to devicesHow does Dvcp work? Creating a tunnel to a Soho or SOHOtcTelecommuter IP Address Editing a tunnel to a deviceSelect Network = Branch Office VPN = Basic Dvcp Soho Private NetworkDefining a Firebox as an Enhanced Dvcp Client Branch office VPN with IPSecRemoving a tunnel to a device Select the tunnel policy. Click EditAdding a gateway Configuring a gatewaySelect Network = Branch Office VPN = IPSec Click GatewaysUsing Encapsulated Security Protocol ESP Configuring a tunnel with manual securityIncoming Settings for Outgoing checkbox Removing a gatewayClick Key. Enter a passphrase. Click OK Configuring a tunnel with dynamic securityUsing Authenticated Headers AH Click the Dynamic Security tabBypass Creating an IPSec policyBlock Dst Port field, enter the remote host portSrc Port field, enter the local host port Configuring services for branch office VPN with IPSecChanging IPSec policy order IncomingSetting up WatchGuard VPN Configuring WatchGuard VPNWatchGuard VPN configuration models Allow VPN access to any servicesPreventing IP spoofing with WatchGuard VPN Enable the Activate WatchGuard VPN checkboxChanging remote network entries Enter the encryption key. Click Make KeyConfiguring incoming services to allow VPN Verifying successful WatchGuard VPN configurationRemote User Pptp Configuring the Firebox for Remote User VPNMobile User VPN Adding remote access users Configuring shared servers for RuvpnAdding a member to built-in Ruvpn user groups By individual service Configuring services to allow incoming RuvpnUsing the Any service Entering IP addresses for Remote User sessions Configuring the Firebox for Remote User PptpActivating Remote User Pptp Select Network = Remote User. Click the Pptp tabPurchasing a Mobile User VPN license Configuring the Firebox for Mobile User VPNRules for valid Remote User Pptp addresses Defining a new mobile user Preparing Mobile User VPN configuration filesEntering license keys Select Network = Remote User. Click the Mobile User VPN tabModifying an existing Mobile User VPN entry Saving the configuration to a FireboxDistributing the software and configuration files Select Network = Remote UserDebugging Mobile User VPN Configuring debugging optionsDebugging Remote User VPN Pptp Preparing a Host for Remote User VPN Preparing the client computersWindows 95/98 platform preparation Remote host operating systemClick the Identification tab Installing Dial-Up Adapter #2 VPN Support Installing Client for Microsoft NetworksWindows NT platform preparation Adding a domain name to a Windows NT workstation Setting up Ruvpn for WindowsClick Dial Out Only. Click Continue Select Computer BrowserInitial Connection window that appears, click Yes Configuring the remote host for Ruvpn with PptpInstalling a VPN adapter on Windows 95/98 Click Obtain an IP Address Automatically. Click OKInstalling a VPN adapter on Windows NT Using Remote User PptpStarting Remote User Pptp Double-click the Ruvpn connection Enter the remote client username and passwordRunning Remote User Pptp Click ConnectConfiguring debugging options 148 Index 150 User Guide 151 152 User Guide 153 154 User Guide 155 156 User Guide 157 158 User Guide 159 160