Manuals / WatchGuard Technologies / Computer Equipment / Network Router

WatchGuard Technologies FireboxTM System 4.6 Configuring a Network, Running the QuickSetup wizard

Models: FireboxTM System 4.6

1 170

Download 170 pages 21.61 Kb

Page 45

CHAPTER 6 Configuring a Network

Configuring a network refers to setting up the three Firebox interfaces. To do this, you need to:

•Enter the IP address or addresses for the Firebox interfaces.

•Enter the IP addresses of secondary networks that are connected to and associated with a Firebox interface.

•Enter the default gateway for the Firebox.

Use Policy Manager to configure parameters for the three Firebox interfaces– Trusted, External, and Optional.

Trusted

Modify settings for the Ethernet device connecting the Firebox to the protected LAN or other host.

External

Modify settings for the Ethernet device connecting the Firebox to the outside world.

Optional

Modify settings for the Ethernet device connecting the Firebox to the optional bastion network (this is sometimes called the “Demilitarized Zone,” or “DMZ”). As its name implies, you can use the Optional network in different ways. One common application is to use it for a public Web server.

Running the QuickSetup wizard

During the installation of the WatchGuard Firebox System, you are prompted to run the QuickSetup wizard. The QuickSetup wizard creates a basic configuration file and saves it to the primary area (Sys A) of the Firebox flash disk. The Firebox loads the primary configuration file when it boots.

User Guide

35

Image 45

WatchGuard Technologies FireboxTM System 4.6 manual Configuring a Network, Running the QuickSetup wizard, Trusted, External

Contents

WatchGuard Firebox System User Guide Copyright and Patent Information DisclaimerWatchGuard Firebox System WFS End-User License Agreement Page Watchguard Declaration of ConformityFCC Certification CE NoticeCSA Statement Table of Contents Using the WatchGuard Control Center Setting Up Network Address Translation 149 Part I Introduction Welcome to WatchGuardWatchGuard Firebox System components WatchGuard Firebox WatchGuard Control CenterWatchGuard security suite Minimum requirements LiveSecurity ServiceSoftware requirements Web browser requirementsCPU Hardware requirementsLiveSecurity Service Part II WatchGuard ServicesWatchGuard Optional Features Technical SupportPage Software Update LiveSecurity ServiceLiveSecurity broadcasts Information AlertEditorial Activating the LiveSecurity ServiceSupport Flash Virus AlertMinimize or close your Web browser LiveSecurity broadcasts Technical Support Accessing frequently asked questions FAQClick the LSS/SOHO Known Issues link on the left Known issuesGetting Internet technical support Getting telephone supportWatchGuard Interactive Training System Wits TrainingWatchGuard users group Online HelpInstructor-led courses Searching for topics Starting WatchGuard Online HelpCopying the Help system to additional platforms Online Help system requirementsContext-sensitive Help Currently available options WatchGuard OptionsVPN Manager High AvailabilityObtaining WatchGuard options Mobile User VPNSpamScreen Part III Configuring a Security Policy Set up network address translation NAT Set up logging and notificationConnect with out-of-band management Firebox Basics What is a Firebox?Placing a Firebox within a network Saving a configuration file Opening a configuration fileOpening a configuration from the Firebox Opening a configuration from a local hard diskSaving a configuration to the local hard disk Resetting Firebox passphrasesSaving a configuration to the Firebox Tips for creating secure passphrasesReinitializing a misconfigured Firebox Setting the time zoneSelect Setup =Time Zone Reinitialize the Firebox using the QuickSetup wizardBooting from the system area Starting the Control Center and connecting to a Firebox Using the WatchGuard Control CenterNavigating the WatchGuard Control Center Control Center componentsQuickGuide Front panelFirebox and VPN tunnel status Remote VPN tunnels IPSecExpanding and collapsing the display Red exclamation pointSetting the maximum number of log messages Connecting to a FireboxWorking with the Control Center Traffic MonitorPolicy Manager Manipulating the Traffic MonitorOpening WatchGuard Firebox System tools Firebox Monitors LogViewerChanging the Policy Manager view HostWatch Historical ReportsLiveSecurity Event Processor LiveSecurity Event Processor Running the QuickSetup wizard Configuring a NetworkTrusted ExternalSetting up a drop-in network Setting up a routed network Adding a secondary network Select Network = ConfigurationDefining a network route Select Network = RoutesSelect Network = Default Gateway Setting the default gatewayDefining a host route Changing an interface IP addressSelect Network = Configuration. Click the Dhcp Server tab Select Network = Configuration. Click the General tabEntering Wins and DNS server addresses Defining a Firebox as a Dhcp serverModifying an existing subnet Removing a SubnetClick the subnet to remove it. Click Remove Click OK Defining a Firebox as a Dhcp server Configuring default packet handling Select Setup = Default Packet HandlingBlocking Sites and Ports Removing a blocked site Blocking a site permanentlyChanging the auto-block duration Logging and notification for blocked sitesRemoving a blocked port Blocking a port permanentlyLogging and notification for blocked ports Category list, click Blocked SitesBlocking sites temporarily with service settings Configuring a service to temporarily block sitesViewing the Blocked Sites list Configuring Services Adding an existing serviceClick OK to close the Properties dialog box Ignore Creating a new serviceSecure PortAdding incoming service properties Defining service propertiesAdding outgoing service properties Adding addresses to service propertiesWorking with wg icons Modifying a service Configuring services for authenticationDeleting a service Under Internal Hosts, click AddConfiguring an Smtp proxy service Setting up proxy servicesConfiguring the incoming Smtp proxy Click YesAdding address patterns Selecting content typesProtecting your mail server against relaying Select headers to allowConfiguring the outgoing Smtp proxy Configuring an FTP proxy serviceClick Outgoing Add masquerading optionsConfiguring an Http proxy service Service precedence From Rank Any List Service precedence Controlling Web Traffic How WebBlocker worksReverting to old WebBlocker databases Prerequisites to using WebBlocker Configuring the WebBlocker serviceLogging and WebBlocker Activating WebBlockerScheduling operational and non-operational hours Setting privilegesCreating WebBlocker exceptions Click the WebBlocker Controls tabDebug- Outputs debugging information Manually downloading the WebBlocker databaseWhat is dynamic NAT? Setting Up Network Address TranslationSelect Setup = NAT Using simple dynamic NATEnabling simple dynamic NAT Adding dynamic NAT entriesUsing service-based NAT Enabling service-based NATConfiguring service-based NAT exceptions Setting static NAT for a service Configuring a service for incoming static NATSelect Network = Configuration. Click the External tab Adding external IP addressesEnter the internal IP address CheckboxClick OK to close the Add Static NAT dialog box Configuring a service for incoming static NAT Ensure logging with failover logging Setting Up Logging NotificationWatchGuard logging architecture Designating Event Processors for a FireboxLiveSecurity Event Processor Select Setup = Logging Editing an Event Processor settingAdding an Event Processor Enabling Syslog loggingReordering Event Processors Removing an Event ProcessorSynchronizing Event Processors For Windows NT Event ProcessorsInstalling the Event Processor program Setting up the LiveSecurity Event ProcessorRunning an Event Processor on Windows Running an Event Processor on Windows NT or WindowsInteractive mode from a DOS window As a Windows NT or Windows 2000 ServiceViewing the Event Processor Click WG LiveSecurity Event Processor. Click StartupSetting the log encryption key Setting global logging and notification preferencesSetting the interval for log rollover Starting and stopping the Event ProcessorScheduling log reports Customizing logging and notification by service or optionControlling notification CategorySetting Launch Interval and Repeat Count Setting logging and notification for a serviceSelect Setup = Blocked Sites Setting logging and notification for blocked sites and portsConnecting a Firebox with OOB management Connect with Out-of-Band ManagementEnabling the Management Station Configure the dial-up connection Install the modemPreparing a Windows NT Management Station for OOB Preparing a Windows 95/98 Management Station for OOBSelect Network = Configuration. Click the OOB tab Configuring the Firebox for OOBConfiguring PPP for connecting to a Firebox Establishing an OOB connectionEstablishing an OOB connection Aliases and Authentication Part IV Administering a Security PolicyFirebox Activity Monitors Network Activity ReportsPage Using host aliases Creating Aliases Implementing AuthenticationAdding a host alias Modifying a host aliasRemoving a host alias What is user authentication? User authentication typesHow user authentication works Configuring Windows NT Server authentication Configuring Firebox authenticationUnder Authentication Enabled Via, click the Firebox option To close the Setup Remote User dialog box, click CloseClick the Windows NT Server tab Configuring Radius server authenticationEnter the administrator password Configuring CRYPTOCard server authenticationOn the Radius Server Enter or accept the time-out in secondsConfiguring SecurID authentication Example Configuring a service for Remote User VPN Using authentication to define remote user VPN accessMonitoring Firebox Activity Starting Firebox Monitors and connecting to a FireboxServiceWatch Setting Firebox Monitors view propertiesBandwidth Meter StatusReportPacket counts Network configurationLog and notification hosts Blocked Sites listLogging options Authentication host informationMemory Load averageInterfaces RoutesInterface the Firebox uses for each destination address Authentication list Blocked Sites listARP table HostWatch display Replaying a log fileSelect File = Connect Select File = OpenControlling the HostWatch display Viewing authenticated usersViewing specific hosts Viewing specific portsAdd Modifying view propertiesHostWatch 102 Reviewing and Working with Log Files Setting LogViewer preferencesViewing files with LogViewer Starting LogViewer and opening a log fileCopying and exporting LogViewer data Searching for specific entriesDisplaying and hiding fields Consolidating logs from multiple locations Working with log filesCopying log files Setting log encryption keysForcing the rollover of log files From LiveSecurity Event ProcessorWorking with log files 108 Starting Historical Reports Generating Reports of Network ActivityCreating and editing reports Viewing the reports listCreating a new report Specifying report sectionsEditing an existing report Deleting a reportSetting report properties Specifying a report time spanConsolidating report sections Exporting reports to Html format Exporting reportsExporting a report to WebTrends for Firewalls and VPNs Enter the number of elements to rank in the tableUsing report filters Exporting a report to a text fileCreating a new filter Editing a filter Scheduling and running reportsDeleting a filter Applying a filterManually running a report Report sections and consolidated sectionsTime Summary Proxied Traffic Session Summary Packet FilteredHost Summary Proxied Traffic Proxy SummaryConsolidated Sections 118 Part V WatchGuard Virtual Private Networking Branch office virtual private networkRemote user virtual private network 120 Configuration checklist Configuring Branch Office Virtual Private NetworkingHow does Dvcp work? Using Dvcp to connect to devicesBasic and Enhanced Dvcp Creating a tunnel to a Soho or SOHOtcSelect Network = Branch Office VPN = Basic Dvcp Editing a tunnel to a deviceTelecommuter IP Address Soho Private NetworkRemoving a tunnel to a device Branch office VPN with IPSecDefining a Firebox as an Enhanced Dvcp Client Select the tunnel policy. Click EditSelect Network = Branch Office VPN = IPSec Configuring a gatewayAdding a gateway Click GatewaysIncoming Settings for Outgoing checkbox Configuring a tunnel with manual securityUsing Encapsulated Security Protocol ESP Removing a gatewayUsing Authenticated Headers AH Configuring a tunnel with dynamic securityClick Key. Enter a passphrase. Click OK Click the Dynamic Security tabBlock Creating an IPSec policyBypass Dst Port field, enter the remote host portChanging IPSec policy order Configuring services for branch office VPN with IPSecSrc Port field, enter the local host port IncomingWatchGuard VPN configuration models Configuring WatchGuard VPNSetting up WatchGuard VPN Allow VPN access to any servicesChanging remote network entries Enable the Activate WatchGuard VPN checkboxPreventing IP spoofing with WatchGuard VPN Enter the encryption key. Click Make KeyVerifying successful WatchGuard VPN configuration Configuring incoming services to allow VPNConfiguring the Firebox for Remote User VPN Remote User PptpMobile User VPN Configuring shared servers for Ruvpn Adding remote access usersAdding a member to built-in Ruvpn user groups Configuring services to allow incoming Ruvpn By individual serviceUsing the Any service Activating Remote User Pptp Configuring the Firebox for Remote User PptpEntering IP addresses for Remote User sessions Select Network = Remote User. Click the Pptp tabConfiguring the Firebox for Mobile User VPN Purchasing a Mobile User VPN licenseRules for valid Remote User Pptp addresses Entering license keys Preparing Mobile User VPN configuration filesDefining a new mobile user Select Network = Remote User. Click the Mobile User VPN tabDistributing the software and configuration files Saving the configuration to a FireboxModifying an existing Mobile User VPN entry Select Network = Remote UserConfiguring debugging options Debugging Mobile User VPNDebugging Remote User VPN Pptp Preparing the client computers Preparing a Host for Remote User VPNRemote host operating system Windows 95/98 platform preparationClick the Identification tab Installing Client for Microsoft Networks Installing Dial-Up Adapter #2 VPN SupportWindows NT platform preparation Click Dial Out Only. Click Continue Setting up Ruvpn for WindowsAdding a domain name to a Windows NT workstation Select Computer BrowserInstalling a VPN adapter on Windows 95/98 Configuring the remote host for Ruvpn with PptpInitial Connection window that appears, click Yes Click Obtain an IP Address Automatically. Click OKUsing Remote User Pptp Installing a VPN adapter on Windows NTStarting Remote User Pptp Running Remote User Pptp Enter the remote client username and passwordDouble-click the Ruvpn connection Click ConnectConfiguring debugging options 148 Index 150 User Guide 151 152 User Guide 153 154 User Guide 155 156 User Guide 157 158 User Guide 159 160