WatchGuard Technologies FireboxTM System 4.6 guide

CHAPTER 11 Setting Up Logging and

Notification

Logging and notification are crucial to an effective network security policy. Together, they make it possible to monitor your network security, identify both attacks and attackers, and take action to address security threats and challenges.

Logging occurs when the firewall records the occurrence of an event to a log file. Notification occurs when the firewall sends e-mail, pops up a window on the Event Processor, or dials a pager to notify an administrator that WatchGuard detected a triggering event.

WatchGuard logging and notification features are both flexible and powerful. You can configure your firewall to log and notify on a wide variety of events, including specific events at the level of individual services.

Ensure logging with failover logging

WatchGuard relies on failover logging to minimize the possibility of missing log events. With failover logging, you configure a list of Event Processors to accept logs in the event of a failure of the primary Event Processor. By default, the Firebox sends log messages to the primary Event Processor. If for any reason the Firebox cannot establish communication with the primary Event Processor, it automatically sends

User Guide

69

Image 79

WatchGuard Technologies FireboxTM System 4.6 manual Setting Up Logging Notification, Ensure logging with failover logging

Contents

WatchGuard Firebox System User Guide Copyright and Patent Information Disclaimer WatchGuard Firebox System WFS End-User License Agreement Page Watchguard Declaration of Conformity CE Notice FCC CertificationCSA Statement Table of Contents Using the WatchGuard Control Center Setting Up Network Address Translation 149 Welcome to WatchGuard Part I IntroductionWatchGuard Firebox System components WatchGuard Control Center WatchGuard FireboxWatchGuard security suite Web browser requirements LiveSecurity ServiceMinimum requirements Software requirements CPU Hardware requirements Technical Support Part II WatchGuard ServicesLiveSecurity Service WatchGuard Optional FeaturesPage Information Alert LiveSecurity ServiceSoftware Update LiveSecurity broadcasts Virus Alert Activating the LiveSecurity ServiceEditorial Support Flash Minimize or close your Web browser LiveSecurity broadcasts Technical Support Accessing frequently asked questions FAQ Getting telephone support Known issuesClick the LSS/SOHO Known Issues link on the left Getting Internet technical support WatchGuard Interactive Training System Wits Training Online Help WatchGuard users groupInstructor-led courses Online Help system requirements Starting WatchGuard Online HelpSearching for topics Copying the Help system to additional platforms Context-sensitive Help High Availability WatchGuard OptionsCurrently available options VPN Manager Mobile User VPN Obtaining WatchGuard optionsSpamScreen Part III Configuring a Security Policy Set up logging and notification Set up network address translation NATConnect with out-of-band management Firebox Basics What is a Firebox? Placing a Firebox within a network Opening a configuration from a local hard disk Opening a configuration fileSaving a configuration file Opening a configuration from the Firebox Tips for creating secure passphrases Resetting Firebox passphrasesSaving a configuration to the local hard disk Saving a configuration to the Firebox Reinitialize the Firebox using the QuickSetup wizard Setting the time zoneReinitializing a misconfigured Firebox Select Setup =Time Zone Booting from the system area Control Center components Using the WatchGuard Control CenterStarting the Control Center and connecting to a Firebox Navigating the WatchGuard Control Center Front panel QuickGuideFirebox and VPN tunnel status Red exclamation point IPSecRemote VPN tunnels Expanding and collapsing the display Traffic Monitor Connecting to a FireboxSetting the maximum number of log messages Working with the Control Center Manipulating the Traffic Monitor Policy ManagerOpening WatchGuard Firebox System tools LogViewer Firebox MonitorsChanging the Policy Manager view Historical Reports HostWatchLiveSecurity Event Processor LiveSecurity Event Processor External Configuring a NetworkRunning the QuickSetup wizard Trusted Setting up a drop-in network Setting up a routed network Select Network = Routes Select Network = ConfigurationAdding a secondary network Defining a network route Changing an interface IP address Setting the default gatewaySelect Network = Default Gateway Defining a host route Defining a Firebox as a Dhcp server Select Network = Configuration. Click the General tabSelect Network = Configuration. Click the Dhcp Server tab Entering Wins and DNS server addresses Removing a Subnet Modifying an existing subnetClick the subnet to remove it. Click Remove Click OK Defining a Firebox as a Dhcp server Select Setup = Default Packet Handling Configuring default packet handlingBlocking Sites and Ports Logging and notification for blocked sites Blocking a site permanentlyRemoving a blocked site Changing the auto-block duration Category list, click Blocked Sites Blocking a port permanentlyRemoving a blocked port Logging and notification for blocked ports Configuring a service to temporarily block sites Blocking sites temporarily with service settingsViewing the Blocked Sites list Adding an existing service Configuring ServicesClick OK to close the Properties dialog box Port Creating a new serviceIgnore Secure Adding incoming service properties Defining service properties Adding addresses to service properties Adding outgoing service propertiesWorking with wg icons Under Internal Hosts, click Add Configuring services for authenticationModifying a service Deleting a service Click Yes Setting up proxy servicesConfiguring an Smtp proxy service Configuring the incoming Smtp proxy Select headers to allow Selecting content typesAdding address patterns Protecting your mail server against relaying Add masquerading options Configuring an FTP proxy serviceConfiguring the outgoing Smtp proxy Click Outgoing Configuring an Http proxy service Service precedence From Rank Any List Service precedence How WebBlocker works Controlling Web TrafficReverting to old WebBlocker databases Activating WebBlocker Configuring the WebBlocker servicePrerequisites to using WebBlocker Logging and WebBlocker Click the WebBlocker Controls tab Setting privilegesScheduling operational and non-operational hours Creating WebBlocker exceptions Debug- Outputs debugging information Manually downloading the WebBlocker database What is dynamic NAT? Setting Up Network Address Translation Adding dynamic NAT entries Using simple dynamic NATSelect Setup = NAT Enabling simple dynamic NAT Enabling service-based NAT Using service-based NATConfiguring service-based NAT exceptions Adding external IP addresses Configuring a service for incoming static NATSetting static NAT for a service Select Network = Configuration. Click the External tab Checkbox Enter the internal IP addressClick OK to close the Add Static NAT dialog box Configuring a service for incoming static NAT Ensure logging with failover logging Setting Up Logging Notification Designating Event Processors for a Firebox WatchGuard logging architectureLiveSecurity Event Processor Enabling Syslog logging Editing an Event Processor settingSelect Setup = Logging Adding an Event Processor For Windows NT Event Processors Removing an Event ProcessorReordering Event Processors Synchronizing Event Processors Running an Event Processor on Windows NT or Windows Setting up the LiveSecurity Event ProcessorInstalling the Event Processor program Running an Event Processor on Windows Click WG LiveSecurity Event Processor. Click Startup As a Windows NT or Windows 2000 ServiceInteractive mode from a DOS window Viewing the Event Processor Starting and stopping the Event Processor Setting global logging and notification preferencesSetting the log encryption key Setting the interval for log rollover Category Customizing logging and notification by service or optionScheduling log reports Controlling notification Setting Launch Interval and Repeat Count Setting logging and notification for a service Select Setup = Blocked Sites Setting logging and notification for blocked sites and ports Connect with Out-of-Band Management Connecting a Firebox with OOB managementEnabling the Management Station Preparing a Windows 95/98 Management Station for OOB Install the modemConfigure the dial-up connection Preparing a Windows NT Management Station for OOB Establishing an OOB connection Configuring the Firebox for OOBSelect Network = Configuration. Click the OOB tab Configuring PPP for connecting to a Firebox Establishing an OOB connection Network Activity Reports Part IV Administering a Security PolicyAliases and Authentication Firebox Activity MonitorsPage Using host aliases Creating Aliases Implementing Authentication Modifying a host alias Adding a host aliasRemoving a host alias User authentication types What is user authentication?How user authentication works To close the Setup Remote User dialog box, click Close Configuring Firebox authenticationConfiguring Windows NT Server authentication Under Authentication Enabled Via, click the Firebox option Click the Windows NT Server tab Configuring Radius server authentication Enter or accept the time-out in seconds Configuring CRYPTOCard server authenticationEnter the administrator password On the Radius Server Configuring SecurID authentication Example Configuring a service for Remote User VPN Using authentication to define remote user VPN access Monitoring Firebox Activity Starting Firebox Monitors and connecting to a Firebox StatusReport Setting Firebox Monitors view propertiesServiceWatch Bandwidth Meter Blocked Sites list Network configurationPacket counts Log and notification hosts Load average Authentication host informationLogging options Memory Routes InterfacesInterface the Firebox uses for each destination address Blocked Sites list Authentication listARP table Select File = Open Replaying a log fileHostWatch display Select File = Connect Viewing specific ports Viewing authenticated usersControlling the HostWatch display Viewing specific hosts Add Modifying view properties HostWatch 102 Starting LogViewer and opening a log file Setting LogViewer preferencesReviewing and Working with Log Files Viewing files with LogViewer Copying and exporting LogViewer data Searching for specific entries Displaying and hiding fields Consolidating logs from multiple locations Working with log files From LiveSecurity Event Processor Setting log encryption keysCopying log files Forcing the rollover of log files Working with log files 108 Viewing the reports list Generating Reports of Network ActivityStarting Historical Reports Creating and editing reports Deleting a report Specifying report sectionsCreating a new report Editing an existing report Specifying a report time span Setting report propertiesConsolidating report sections Enter the number of elements to rank in the table Exporting reportsExporting reports to Html format Exporting a report to WebTrends for Firewalls and VPNs Exporting a report to a text file Using report filtersCreating a new filter Applying a filter Scheduling and running reportsEditing a filter Deleting a filter Manually running a report Report sections and consolidated sections Proxy Summary Session Summary Packet FilteredTime Summary Proxied Traffic Host Summary Proxied Traffic Consolidated Sections 118 Branch office virtual private network Part V WatchGuard Virtual Private NetworkingRemote user virtual private network 120 Configuration checklist Configuring Branch Office Virtual Private Networking Creating a tunnel to a Soho or SOHOtc Using Dvcp to connect to devicesHow does Dvcp work? Basic and Enhanced Dvcp Soho Private Network Editing a tunnel to a deviceSelect Network = Branch Office VPN = Basic Dvcp Telecommuter IP Address Select the tunnel policy. Click Edit Branch office VPN with IPSecRemoving a tunnel to a device Defining a Firebox as an Enhanced Dvcp Client Click Gateways Configuring a gatewaySelect Network = Branch Office VPN = IPSec Adding a gateway Removing a gateway Configuring a tunnel with manual securityIncoming Settings for Outgoing checkbox Using Encapsulated Security Protocol ESP Click the Dynamic Security tab Configuring a tunnel with dynamic securityUsing Authenticated Headers AH Click Key. Enter a passphrase. Click OK Dst Port field, enter the remote host port Creating an IPSec policyBlock Bypass Incoming Configuring services for branch office VPN with IPSecChanging IPSec policy order Src Port field, enter the local host port Allow VPN access to any services Configuring WatchGuard VPNWatchGuard VPN configuration models Setting up WatchGuard VPN Enter the encryption key. Click Make Key Enable the Activate WatchGuard VPN checkboxChanging remote network entries Preventing IP spoofing with WatchGuard VPN Verifying successful WatchGuard VPN configuration Configuring incoming services to allow VPN Remote User Pptp Configuring the Firebox for Remote User VPNMobile User VPN Adding remote access users Configuring shared servers for RuvpnAdding a member to built-in Ruvpn user groups By individual service Configuring services to allow incoming RuvpnUsing the Any service Select Network = Remote User. Click the Pptp tab Configuring the Firebox for Remote User PptpActivating Remote User Pptp Entering IP addresses for Remote User sessions Purchasing a Mobile User VPN license Configuring the Firebox for Mobile User VPNRules for valid Remote User Pptp addresses Select Network = Remote User. Click the Mobile User VPN tab Preparing Mobile User VPN configuration filesEntering license keys Defining a new mobile user Select Network = Remote User Saving the configuration to a FireboxDistributing the software and configuration files Modifying an existing Mobile User VPN entry Debugging Mobile User VPN Configuring debugging optionsDebugging Remote User VPN Pptp Preparing the client computers Preparing a Host for Remote User VPN Windows 95/98 platform preparation Remote host operating systemClick the Identification tab Installing Dial-Up Adapter #2 VPN Support Installing Client for Microsoft NetworksWindows NT platform preparation Select Computer Browser Setting up Ruvpn for WindowsClick Dial Out Only. Click Continue Adding a domain name to a Windows NT workstation Click Obtain an IP Address Automatically. Click OK Configuring the remote host for Ruvpn with PptpInstalling a VPN adapter on Windows 95/98 Initial Connection window that appears, click Yes Installing a VPN adapter on Windows NT Using Remote User PptpStarting Remote User Pptp Click Connect Enter the remote client username and passwordRunning Remote User Pptp Double-click the Ruvpn connection Configuring debugging options 148 Index 150 User Guide 151 152 User Guide 153 154 User Guide 155 156 User Guide 157 158 User Guide 159 160