WatchGuard Technologies FireboxTM System 4.6 instruction

Designating Event Processors for a Firebox

you run the QuickSetup wizard. You can specify a different primary Event Processor as well as multiple backup Event Processors.

•IP address of each Event Processor

•Encryption key to secure the connection between the Firebox and Event Processors

•Priority order of primary and backup Event Processors

Adding an Event Processor

From Policy Manager:

1Select Setup => Logging.

2 Click Add.

3 Enter the IP address to be used by the Event Processor.

4Enter the encryption key that secures the connection between the Firebox and the

Event Processor.

The default encryption key is the monitoring passphrase set in the QuickSetup wizard. You must use the same log encryption key for both the Firebox and the LiveSecurity Event Processor.

5Click OK.

Repeat until all primary and backup Event Processors appear in the LiveSecurity Event Processors list.

Enabling Syslog logging

Note that Syslog logging is not encrypted; therefore, do not set the Syslog server to a host on the External interface. From Policy Manager:

1Select Setup => Logging.

The Logging Setup dialog box appears.

2In the Logging Setup dialog box, click the Syslog tab.

3 Enable the Enable Syslog Logging checkbox.

4 Enter the IP address of the Syslog server.

Editing an Event Processor setting

Modify an Event Processor entry to change the log encryption key. From Policy Manager:

1Select Setup => Logging.

The Logging Setup dialog box appears.

2Click the host name. Click Edit.

3Modify the IP address or log encryption key fields. Click OK.

You must use the same log encryption key for both the Firebox and the LiveSecurity Event Processor. To change the log encryption key on the Event Processor, see “Setting the log encryption key” on page 75.

User Guide

71

Image 81

WatchGuard Technologies FireboxTM System 4.6 Adding an Event Processor, Enabling Syslog logging, Select Setup = Logging

Contents

WatchGuard Firebox System User Guide Copyright and Patent Information Disclaimer WatchGuard Firebox System WFS End-User License Agreement Page Watchguard Declaration of Conformity FCC Certification CE NoticeCSA Statement Table of Contents Using the WatchGuard Control Center Setting Up Network Address Translation 149 Part I Introduction Welcome to WatchGuardWatchGuard Firebox System components WatchGuard Firebox WatchGuard Control CenterWatchGuard security suite Minimum requirements LiveSecurity ServiceSoftware requirements Web browser requirements CPU Hardware requirements LiveSecurity Service Part II WatchGuard ServicesWatchGuard Optional Features Technical SupportPage Software Update LiveSecurity ServiceLiveSecurity broadcasts Information Alert Editorial Activating the LiveSecurity ServiceSupport Flash Virus Alert Minimize or close your Web browser LiveSecurity broadcasts Technical Support Accessing frequently asked questions FAQ Click the LSS/SOHO Known Issues link on the left Known issuesGetting Internet technical support Getting telephone support WatchGuard Interactive Training System Wits Training WatchGuard users group Online HelpInstructor-led courses Searching for topics Starting WatchGuard Online HelpCopying the Help system to additional platforms Online Help system requirements Context-sensitive Help Currently available options WatchGuard OptionsVPN Manager High Availability Obtaining WatchGuard options Mobile User VPNSpamScreen Part III Configuring a Security Policy Set up network address translation NAT Set up logging and notificationConnect with out-of-band management Firebox Basics What is a Firebox? Placing a Firebox within a network Saving a configuration file Opening a configuration fileOpening a configuration from the Firebox Opening a configuration from a local hard disk Saving a configuration to the local hard disk Resetting Firebox passphrasesSaving a configuration to the Firebox Tips for creating secure passphrases Reinitializing a misconfigured Firebox Setting the time zoneSelect Setup =Time Zone Reinitialize the Firebox using the QuickSetup wizard Booting from the system area Starting the Control Center and connecting to a Firebox Using the WatchGuard Control CenterNavigating the WatchGuard Control Center Control Center components QuickGuide Front panelFirebox and VPN tunnel status Remote VPN tunnels IPSecExpanding and collapsing the display Red exclamation point Setting the maximum number of log messages Connecting to a FireboxWorking with the Control Center Traffic Monitor Policy Manager Manipulating the Traffic MonitorOpening WatchGuard Firebox System tools Firebox Monitors LogViewerChanging the Policy Manager view HostWatch Historical ReportsLiveSecurity Event Processor LiveSecurity Event Processor Running the QuickSetup wizard Configuring a NetworkTrusted External Setting up a drop-in network Setting up a routed network Adding a secondary network Select Network = ConfigurationDefining a network route Select Network = Routes Select Network = Default Gateway Setting the default gatewayDefining a host route Changing an interface IP address Select Network = Configuration. Click the Dhcp Server tab Select Network = Configuration. Click the General tabEntering Wins and DNS server addresses Defining a Firebox as a Dhcp server Modifying an existing subnet Removing a SubnetClick the subnet to remove it. Click Remove Click OK Defining a Firebox as a Dhcp server Configuring default packet handling Select Setup = Default Packet HandlingBlocking Sites and Ports Removing a blocked site Blocking a site permanentlyChanging the auto-block duration Logging and notification for blocked sites Removing a blocked port Blocking a port permanentlyLogging and notification for blocked ports Category list, click Blocked Sites Blocking sites temporarily with service settings Configuring a service to temporarily block sitesViewing the Blocked Sites list Configuring Services Adding an existing serviceClick OK to close the Properties dialog box Ignore Creating a new serviceSecure Port Adding incoming service properties Defining service properties Adding outgoing service properties Adding addresses to service propertiesWorking with wg icons Modifying a service Configuring services for authenticationDeleting a service Under Internal Hosts, click Add Configuring an Smtp proxy service Setting up proxy servicesConfiguring the incoming Smtp proxy Click Yes Adding address patterns Selecting content typesProtecting your mail server against relaying Select headers to allow Configuring the outgoing Smtp proxy Configuring an FTP proxy serviceClick Outgoing Add masquerading options Configuring an Http proxy service Service precedence From Rank Any List Service precedence Controlling Web Traffic How WebBlocker worksReverting to old WebBlocker databases Prerequisites to using WebBlocker Configuring the WebBlocker serviceLogging and WebBlocker Activating WebBlocker Scheduling operational and non-operational hours Setting privilegesCreating WebBlocker exceptions Click the WebBlocker Controls tab Debug- Outputs debugging information Manually downloading the WebBlocker database What is dynamic NAT? Setting Up Network Address Translation Select Setup = NAT Using simple dynamic NATEnabling simple dynamic NAT Adding dynamic NAT entries Using service-based NAT Enabling service-based NATConfiguring service-based NAT exceptions Setting static NAT for a service Configuring a service for incoming static NATSelect Network = Configuration. Click the External tab Adding external IP addresses Enter the internal IP address CheckboxClick OK to close the Add Static NAT dialog box Configuring a service for incoming static NAT Ensure logging with failover logging Setting Up Logging Notification WatchGuard logging architecture Designating Event Processors for a FireboxLiveSecurity Event Processor Select Setup = Logging Editing an Event Processor settingAdding an Event Processor Enabling Syslog logging Reordering Event Processors Removing an Event ProcessorSynchronizing Event Processors For Windows NT Event Processors Installing the Event Processor program Setting up the LiveSecurity Event ProcessorRunning an Event Processor on Windows Running an Event Processor on Windows NT or Windows Interactive mode from a DOS window As a Windows NT or Windows 2000 ServiceViewing the Event Processor Click WG LiveSecurity Event Processor. Click Startup Setting the log encryption key Setting global logging and notification preferencesSetting the interval for log rollover Starting and stopping the Event Processor Scheduling log reports Customizing logging and notification by service or optionControlling notification Category Setting Launch Interval and Repeat Count Setting logging and notification for a service Select Setup = Blocked Sites Setting logging and notification for blocked sites and ports Connecting a Firebox with OOB management Connect with Out-of-Band ManagementEnabling the Management Station Configure the dial-up connection Install the modemPreparing a Windows NT Management Station for OOB Preparing a Windows 95/98 Management Station for OOB Select Network = Configuration. Click the OOB tab Configuring the Firebox for OOBConfiguring PPP for connecting to a Firebox Establishing an OOB connection Establishing an OOB connection Aliases and Authentication Part IV Administering a Security PolicyFirebox Activity Monitors Network Activity ReportsPage Using host aliases Creating Aliases Implementing Authentication Adding a host alias Modifying a host aliasRemoving a host alias What is user authentication? User authentication typesHow user authentication works Configuring Windows NT Server authentication Configuring Firebox authenticationUnder Authentication Enabled Via, click the Firebox option To close the Setup Remote User dialog box, click Close Click the Windows NT Server tab Configuring Radius server authentication Enter the administrator password Configuring CRYPTOCard server authenticationOn the Radius Server Enter or accept the time-out in seconds Configuring SecurID authentication Example Configuring a service for Remote User VPN Using authentication to define remote user VPN access Monitoring Firebox Activity Starting Firebox Monitors and connecting to a Firebox ServiceWatch Setting Firebox Monitors view propertiesBandwidth Meter StatusReport Packet counts Network configurationLog and notification hosts Blocked Sites list Logging options Authentication host informationMemory Load average Interfaces RoutesInterface the Firebox uses for each destination address Authentication list Blocked Sites listARP table HostWatch display Replaying a log fileSelect File = Connect Select File = Open Controlling the HostWatch display Viewing authenticated usersViewing specific hosts Viewing specific ports Add Modifying view properties HostWatch 102 Reviewing and Working with Log Files Setting LogViewer preferencesViewing files with LogViewer Starting LogViewer and opening a log file Copying and exporting LogViewer data Searching for specific entries Displaying and hiding fields Consolidating logs from multiple locations Working with log files Copying log files Setting log encryption keysForcing the rollover of log files From LiveSecurity Event Processor Working with log files 108 Starting Historical Reports Generating Reports of Network ActivityCreating and editing reports Viewing the reports list Creating a new report Specifying report sectionsEditing an existing report Deleting a report Setting report properties Specifying a report time spanConsolidating report sections Exporting reports to Html format Exporting reportsExporting a report to WebTrends for Firewalls and VPNs Enter the number of elements to rank in the table Using report filters Exporting a report to a text fileCreating a new filter Editing a filter Scheduling and running reportsDeleting a filter Applying a filter Manually running a report Report sections and consolidated sections Time Summary Proxied Traffic Session Summary Packet FilteredHost Summary Proxied Traffic Proxy Summary Consolidated Sections 118 Part V WatchGuard Virtual Private Networking Branch office virtual private networkRemote user virtual private network 120 Configuration checklist Configuring Branch Office Virtual Private Networking How does Dvcp work? Using Dvcp to connect to devicesBasic and Enhanced Dvcp Creating a tunnel to a Soho or SOHOtc Select Network = Branch Office VPN = Basic Dvcp Editing a tunnel to a deviceTelecommuter IP Address Soho Private Network Removing a tunnel to a device Branch office VPN with IPSecDefining a Firebox as an Enhanced Dvcp Client Select the tunnel policy. Click Edit Select Network = Branch Office VPN = IPSec Configuring a gatewayAdding a gateway Click Gateways Incoming Settings for Outgoing checkbox Configuring a tunnel with manual securityUsing Encapsulated Security Protocol ESP Removing a gateway Using Authenticated Headers AH Configuring a tunnel with dynamic securityClick Key. Enter a passphrase. Click OK Click the Dynamic Security tab Block Creating an IPSec policyBypass Dst Port field, enter the remote host port Changing IPSec policy order Configuring services for branch office VPN with IPSecSrc Port field, enter the local host port Incoming WatchGuard VPN configuration models Configuring WatchGuard VPNSetting up WatchGuard VPN Allow VPN access to any services Changing remote network entries Enable the Activate WatchGuard VPN checkboxPreventing IP spoofing with WatchGuard VPN Enter the encryption key. Click Make Key Verifying successful WatchGuard VPN configuration Configuring incoming services to allow VPN Configuring the Firebox for Remote User VPN Remote User PptpMobile User VPN Configuring shared servers for Ruvpn Adding remote access usersAdding a member to built-in Ruvpn user groups Configuring services to allow incoming Ruvpn By individual serviceUsing the Any service Activating Remote User Pptp Configuring the Firebox for Remote User PptpEntering IP addresses for Remote User sessions Select Network = Remote User. Click the Pptp tab Configuring the Firebox for Mobile User VPN Purchasing a Mobile User VPN licenseRules for valid Remote User Pptp addresses Entering license keys Preparing Mobile User VPN configuration filesDefining a new mobile user Select Network = Remote User. Click the Mobile User VPN tab Distributing the software and configuration files Saving the configuration to a FireboxModifying an existing Mobile User VPN entry Select Network = Remote User Configuring debugging options Debugging Mobile User VPNDebugging Remote User VPN Pptp Preparing the client computers Preparing a Host for Remote User VPN Remote host operating system Windows 95/98 platform preparationClick the Identification tab Installing Client for Microsoft Networks Installing Dial-Up Adapter #2 VPN SupportWindows NT platform preparation Click Dial Out Only. Click Continue Setting up Ruvpn for WindowsAdding a domain name to a Windows NT workstation Select Computer Browser Installing a VPN adapter on Windows 95/98 Configuring the remote host for Ruvpn with PptpInitial Connection window that appears, click Yes Click Obtain an IP Address Automatically. Click OK Using Remote User Pptp Installing a VPN adapter on Windows NTStarting Remote User Pptp Running Remote User Pptp Enter the remote client username and passwordDouble-click the Ruvpn connection Click Connect Configuring debugging options 148 Index 150 User Guide 151 152 User Guide 153 154 User Guide 155 156 User Guide 157 158 User Guide 159 160