background image

Chapter 8: Configuring Filtered Services

116

WatchGuard Firebox System

As another example, passwords used for some services 
(FTP, telnet, POP) are sent in the clear. If the passwords are 
the same as those used internally, a hacker can hijack that 
password and use it to gain access to your network.

Adding and Configuring Services

You add and configure services using Policy Manager. The 
Services Arena of Policy Manager contains icons that repre-
sent the services (filtered and proxied) currently config-
ured on the Firebox, as shown in the following figure. You 
can choose from many filtered and proxied services. These 
services are configurable for outgoing or incoming traffic, 
and they can also be made active or inactive. When config-
uring a service, you set the allowable traffic sources and 
destinations, as well as determine the filter rules and poli-
cies for the service. You can create services to customize 
rule sets, destinations, protocols, ports used, and other 
parameters.

You can also add unique or custom services. However, if 
you do, take steps to permit only the traffic flow in that ser-
vice that is absolutely essential.

Normal View of the Services Arena

To display the detailed view of the Services Arena, 
select the Details icon (shown at right) at the far 

Summary of Contents for Firebox X1000

Page 1: ...WatchGuard Firebox System User Guide WatchGuard Firebox System...

Page 2: ...d States and or other courtries Hi fn Inc 1993 including one or more U S Patents 4701745 5016009 5126739 and 5146221 and other patents pending Microsoft Internet Explorer Windows 95 Windows 98 Windows...

Page 3: ...D ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OpenSSL PROJECT O...

Page 4: ...nowledgement This product includes software written by Tim Hudson tjh cryptsoft com THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE...

Page 5: ...ARE DISCLAIMED IN NO EVENT SHALL RALF S ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT...

Page 6: ...n behalf of the Apache Software Foundation For more information on the Apache Software Foundation please see http www apache org Portions of this software are based upon public domain software origina...

Page 7: ...chGuard Firebox Software End User License Agreement IMPORTANT READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE This Firebox Software End User License Agreement AGREEMENT is a legal agreement betwee...

Page 8: ...uct at any single location and may install and use the SOFTWARE PRODUCT on multiple workstation computers B To use the SOFTWARE PRODUCT on more than one WATCHGUARD hardware product at once you must pu...

Page 9: ...anies it If the SOFTWARE PRODUCT fails to operate in accordance with this warranty you may as your sole and exclusive remedy return all of the SOFTWARE PRODUCT and the documentation to the authorized...

Page 10: ...ITY OF SUCH DAMAGES THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY 5 United States Government Restricted Rights The SOFTWARE PRODUCT is provided with Restricted Rights Use dup...

Page 11: ...THESE TERMS IF THE SOFTWARE PRODUCT IS BEING USED BY AN ENTITY THE INDIVIDUAL INDICATING AGREEMENT TO THESE TERMS REPRESENTS AND WARRANTS THAT A SUCH INDIVIDUAL IS DULY AUTHORIZED TO ACCEPT THIS AGREE...

Page 12: ...xii WatchGuard Firebox System...

Page 13: ...ox System Manager 2 WatchGuard security applications 3 WatchGuard LiveSecurity Service 3 Minimum Requirements 3 Software requirements 3 Web browser requirements 4 Hardware requirements 4 WatchGuard Op...

Page 14: ...uct Documentation 18 Assisted Support 18 LiveSecurity Program 18 LiveSecurity Gold Program 19 Firebox Installation Services 20 VPN Installation Services 20 Training and Certification 20 CHAPTER 3 Gett...

Page 15: ...ation s local drive 53 Resetting Firebox Passphrases 53 Setting the Firebox Model 54 Setting the Time Zone 55 Setting a Firebox Friendly Name 55 CHAPTER 5 Using Policy Manager to Configure Your Networ...

Page 16: ...oring Firebox Traffic 80 Setting the maximum number of log entries 81 Displaying entries in color 81 Copying messages to another application 82 Copying or analyzing deny messages 82 Performing Basic T...

Page 17: ...ing Static NAT 108 Adding external IP addresses 108 Setting static NAT for a service 108 Using 1 to 1 NAT 110 Proxies and NAT 112 CHAPTER 8 Configuring Filtered Services 113 Selecting Services for you...

Page 18: ...he DNS Proxy Service 156 Enabling protocol anomaly detection for DNS 157 DNS file descriptor limit 158 CHAPTER 10 Creating Aliases and Implementing Authentication 161 Using Aliases 162 Adding an alias...

Page 19: ...block sites 193 Viewing the Blocked Sites list 193 Integrating Intrusion Detection 193 Using the fbidsmate command line utility 195 CHAPTER 12 Setting Up Logging and Notification 199 Developing Loggi...

Page 20: ...and notification for blocked sites and ports 219 CHAPTER 13 Reviewing and Working with Log Files 221 Log File Names and Locations 222 Viewing Files with LogViewer 222 Starting LogViewer and opening a...

Page 21: ...filter 245 Scheduling and Running Reports 245 Scheduling a report 245 Manually running a report 246 Report Sections and Consolidated Sections 246 Report sections 246 Consolidated sections 250 CHAPTER...

Page 22: ...Station 266 Preparing a Windows NT management station for OOB 266 Preparing a Windows 2000 management station for OOB 266 Preparing a Windows XP management station for OOB 268 Configuring the Firebox...

Page 23: ...complete network security solution to meet these modern security challenges Keeping network defenses current Protecting every office connected to the Internet Encrypting communications to remote offic...

Page 24: ...ll efficient and reli able The Firebox is a low profile component with an indi cator display panel in front and physical interfaces in back Firebox System Manager Firebox System Manager is a toolkit o...

Page 25: ...te networking Branch office virtual private networking Selective Web site blocking WatchGuard LiveSecurity Service The innovative LiveSecurity Service makes it easy to main tain the security of an org...

Page 26: ...t Windows XP Web browser requirements You must have Microsoft Internet Explorer 4 0 or later to run the installation from the CD The following HTML based browsers are recommended to view WatchGuard On...

Page 27: ...step process VPN Man ager sets a new standard for Internet security by automating the setup management and monitoring of multi site IPSec VPN tunnels between an organization s Hardware feature Minimu...

Page 28: ...but it is available for use only if you enable the High Availability checkbox when installing WFS and enter your license key Mobile User VPN Mobile User VPN is the WatchGuard IPSec implementa tion of...

Page 29: ...WatchGuard Options WatchGuard options are available from your local reseller For more information about purchasing WatchGuard prod ucts go to http www watchguard com sales About this Guide The purpos...

Page 30: ...eparated by arrows are selected in sequence from subsequent menus For example File Open Configuration File means to select Open from the File menu and then Configuration File from the Open menu URLs a...

Page 31: ...eSecurity Service keeps your security system up to date by providing solutions directly to you In addition the WatchGuard Technical Support team and Training department offer a wide variety of meth od...

Page 32: ...bscription saves you time by providing the latest software to keep your WatchGuard Firebox System up to date You receive instal lation wizards and release notes with each software update for easy inst...

Page 33: ...ted Software Update You receive functional software enhancements on an ongoing basis that cover your entire WatchGuard Firebox System Editorial Leading security experts join the WatchGuard Rapid Respo...

Page 34: ...rt Guide and in the Getting Started chapter of this book To activate the LiveSecurity Service through the Web 1 Be sure that you have the LiveSecurity license key and the Firebox serial number handy Y...

Page 35: ...elp Tools Online support services help you get the most out of your WatchGuard products NOTE You must register for LiveSecurity Service before you can access the online support services Advanced FAQs...

Page 36: ...ess to the resources you need and updated information to help you install and use the SOHO 6 To access the online support services 1 From your Web browser go to http www watchguard com and select Supp...

Page 37: ...ard Users Group The WatchGuard users group is an online group in which the users of WatchGuard products can communicate infor mation Because this group is not monitored by Watch Guard it should not be...

Page 38: ...window or dialog box press F1 On any platform browse to the directory containing WatchGuard Online Help Open LSSHelp html The default help directory is C Program Files WatchGuard Help Searching for to...

Page 39: ...ly as they appear in the original installation Online Help system requirements Web browser Internet Explorer 4 0 or higher Netscape Navigator 4 7 or higher Operating system Windows NT 4 0 Windows 2000...

Page 40: ...ttp help watchguard com documentation default asp Assisted Support WatchGuard offers a variety of technical support services for your WatchGuard products Several support programs described throughout...

Page 41: ...istance for specific issues concerning the installation and ongoing maintenance of Firebox SOHO and ServerLock enterprise systems Single Incident Priority Response Upgrade SIPRU and Single Incident Af...

Page 42: ...security policy install the LiveSecurity software and Firebox hardware and build a configuration in accordance with your com pany security policy VPN setup is not included as part of this service VPN...

Page 43: ...ch products you own we have a training solution for you WatchGuard classroom training is available worldwide through an extensive network of WatchGuard Certified Training Partners WCTPs WCTPs strength...

Page 44: ...Chapter 2 Service and Support 22 WatchGuard Firebox System...

Page 45: ...n process Gathering network information Selecting a firewall configuration model Setting up the management station Cabling the Firebox Running the QuickSetup Wizard Deploying the Firebox into your net...

Page 46: ...rvice license key Gathering Network Information We encourage you to fill in the following tables in prepara tion for completing the rest of the installation process License Keys Collect your license k...

Page 47: ...One good way to set up your network is to create two worksheets the first worksheet represents your network now before deploying the Firebox and the second rep resents your network after the Firebox...

Page 48: ...lowing figure In this example the Inter net router performs network address translation NAT for the internal network The router has a public IP address of 208 15 15 1 and the private network has an ad...

Page 49: ...op in configuration simplifies the setup of these devices For more information on this type of configuration see Drop in configuration on page 30 By configuring the optional interface on the example n...

Page 50: ...a Firewall Configuration Mode Before installing the WatchGuard Firebox System you must decide how to incorporate the Firebox into your net work This decision determines how you will set up the three...

Page 51: ...uration mode that most closely reflects your existing network You must select one of two possible modes routed or drop in configuration Routed configuration In a routed configuration the Firebox is pu...

Page 52: ...and all machines behind the trusted and optional interfaces must be configured with an IP address from that network The benefit of a routed configuration is that the networks are well defined and easi...

Page 53: ...drop in configuration A single network that is not subdivided into smaller networks or subnetted The Firebox performs proxy ARP a technique in which one host answers Address Resolution Protocol reque...

Page 54: ...er ally harder to manage and is more prone to network prob lems Choosing a Firebox configuration The decision between routed and drop in mode is based on your current network Many networks are best se...

Page 55: ...inimum configured are external and trusted All interfaces of the Firebox are on the same network and have the same IP address Proxy ARP Criterion 2 Trusted and optional interfaces must be on separate...

Page 56: ...ondary network also tells the Firebox that another network resides on the Firebox interface wire You add secondary networks in the following two ways The QuickSetup Wizard which is part of the install...

Page 57: ...and DNS Server Addresses on page 65 You can also change the WINS and DNS values provided by your ISP if necessary Point to Point Protocol over Ethernet PPPoE is also sup ported As with DHCP the Fireb...

Page 58: ...ent Processor WSEP receives and stores log messages and issues notifications based on information it receives from the management station You can designate any computer on your network as the manageme...

Page 59: ...components or upgrades see the WatchGuard Web site 6 At the end of the installation wizard a checkbox appears asking if you want to launch the QuickSetup Wizard You must first cable the Firebox before...

Page 60: ...irebox to the management station using a serial cable or over a network using TCP IP The recommended way is using a serial cable Using a serial cable Refer to the Firebox Rear Panel and Cabling for Pr...

Page 61: ...Cabling the Firebox User Guide 39...

Page 62: ...also writes a basic configuration file called wizard cfg to the hard disk of the management station If you later want to expand or change the basic Firebox configuration using Policy Manager use wiz...

Page 63: ...cify static DHCP or PPPoE as explained in Dynamic IP support on the external interface on page 35 Enter the Firebox interface IP address or addresses Based on whether you specified routed or drop in m...

Page 64: ...rase is used to establish a read write connection to the Firebox Select Connection Method Select the cabling method used and enter a temporary IP address for the Firebox so that the management station...

Page 65: ...ht after 16 and then type 1 10 If your address has a network mask use slash notation to enter it In slash notation a single number indicates how many bits of the IP address identify the network that t...

Page 66: ...ect the Firebox to your network If using a routed configuration change the default gateway setting on all desktops to the Firebox trusted IP address What s Next You have successfully installed configu...

Page 67: ...nly filtered services until all your system are functional and then move to proxies as you become familiar with them as needed For more information on services see Chapter 8 Config uring Filtered Serv...

Page 68: ...Chapter 3 Getting Started 46 WatchGuard Firebox System...

Page 69: ...tting the Firebox time zone Setting a Firebox friendly name What is a Firebox A WatchGuard Firebox is a specially designed and optimized security appliance Three independent net work interfaces allow...

Page 70: ...for a Firebox is directly behind the Internet router as pictured below Other parts of the network are as follows Management station The computer on which you install and run the WatchGuard Firebox Sy...

Page 71: ...contains all the settings options addresses and other information that constitute your Firebox security policy When you view the settings in Policy Manager you are seeing a user friendly version of yo...

Page 72: ...the Firebox drop down list to select a Firebox You can also type in the IP address or host name 3 In the Passphrase text box type the Firebox status read only passphrase Click OK Do not use the config...

Page 73: ...the Firebox does need to be rebooted the new policy is not active until the rebooting process completes Saving a configuration to the Firebox From Policy Manager 1 Select File Save To Firebox You can...

Page 74: ...ore saving NOTE It is not necessary to back up the flash image every time you make a change to the configuration file However if you do choose this option you must provide an encryption key It is espe...

Page 75: ...Choosing the option marked Save Configuration File Only is normally sufficient Saving a configuration to the management station s local drive From Policy Manager 1 Select File SaveAs File You can also...

Page 76: ...new passphrases is saved to the Firebox and the Firebox automatically restarts Tips for creating secure passphrases Although a persistent attacker can crack any passphrase eventually you can toughen...

Page 77: ...locker The default time zone is Greenwich Mean Time Coordinated Universal Time From Policy Manager 1 Select Setup Time Zone 2 Use the drop down list to select a time zone Click OK Setting a Firebox Fr...

Page 78: ...Chapter 4 Firebox Basics 56 WatchGuard Firebox System...

Page 79: ...Each of the procedures in this section can also be used to override any settings you made using the Quick Setup Wizard It is recommended that you follow these steps in the following order to make sure...

Page 80: ...are connected to The new configuration file contains defaults for the model of Firebox specified Setting the Firebox Configuration Mode For information on routed and drop in configurations see Selecti...

Page 81: ...x located at the bottom of the dialog box 3 Enter the IP address and default gateway for the Firebox interfaces When typing IP addresses type the digits and periods in sequence Do not use the TAB or a...

Page 82: ...ash notation When typing IP addresses type the digits and periods in sequence Do not use the TAB or arrow key to jump past the periods For more information on entering IP addresses see Entering IP add...

Page 83: ...ring DHCP or PPPoE support If you enable DHCP or PPPoE on the external interface you can set several optional properties 1 From the Network Configuration dialog box click Properties The Advanced dialo...

Page 84: ...hat are not recommended are Firebox2 or SOHO6Alpha NOTE PPPoE debugging generates large amounts of data Do not enable PPPoE debugging unless you are having connection problems and need help from Techn...

Page 85: ...alog box For a description of each control right click it and then select What s This Defining External IP Aliases You use the Aliases button on the Network Configuration dialog box when you are using...

Page 86: ...g box appears 2 Click the Secondary Networks tab The Secondary Networks tab appears as shown in the following figure 3 Use the drop down list in the lower right portion of the dialog box to select the...

Page 87: ...features of the Firebox such as DHCP and Remote User VPN rely on shared Windows Internet Name Server WINS and Domain Name System DNS server addresses These servers must be accessible from the Firebox...

Page 88: ...large network A device defined as a DHCP server auto matically assigns IP addresses to network computers from a defined pool of numbers You can define the Firebox as a DHCP server for the customer net...

Page 89: ...lient requests a longer time the request is denied and the maximum lease time is provided Adding a new subnet To make available private IP addresses accessible to DHCP clients add a subnet To add a ne...

Page 90: ...turn an IP address that does not work with certain devices or services From Policy Manager 1 Select Network DHCP Server 2 Click the subnet to review or modify Click Edit 3 The DHCP Subnet Properties d...

Page 91: ...of the Packet Filters and Proxies folders to expand them A list of pre configured filters or proxies appears 3 Under Packet Filters click WatchGuard 4 Click the Add button at the bottom of the dialog...

Page 92: ...to pass traffic from any of its three interfaces to a router The router can then pass traffic to the appropriate destina tion according to its specific routing policies For more information on routin...

Page 93: ...ion file Defining a host route Define a host route if there is only one host behind the router Enter the IP address of that single specific host without slash notation From Policy Manager 1 Select Net...

Page 94: ...Chapter 5 Using Policy Manager to Configure Your Network 72 WatchGuard Firebox System 7 Click OK The route data is written to the configuration file...

Page 95: ...monitor of traffic through the firewall as well as a number of monitoring tools This chapter also describes HostWatch an application that provides a real time display of active connections on a Firebo...

Page 96: ...box at this time use the Firebox drop down list to select a Firebox You can also type the IP address or DNS name of the Firebox When typing IP addresses type the digits and periods in sequence Do not...

Page 97: ...ted to Firebox Connect to Firebox appears only when not con nected to Firebox Launch Policy Manager Launch LogViewer Launch HostWatch Create Historical Reports For more information on launching these...

Page 98: ...of Firebox capacity being used For more information on the front panel see the following FAQ https support watchguard com advancedfaqs fbhw_lights asp Firebox and VPN tunnel status The section in Sys...

Page 99: ...client certificate If you expand the entries under Firebox Status as shown in the following figure you can view IP address of the default gateway and netmask MAC Media Access Control address of each...

Page 100: ...figure below shows an expanded entry for a BOVPN tunnel The information displayed from top to bottom is The name assigned to the tunnel during its creation along with the IP address of the destinatio...

Page 101: ...le User VPN the branch displays the same statistics as for the DVCP or IPSec Branch Office VPN described previously the tunnel name followed by the destination IP address followed by the tunnel type B...

Page 102: ...on point next to a tunnel listing indicates a tunnel is down When you expand an entry that has a red exclamation point another exclamation point appears next to the spe cific device or tunnel with the...

Page 103: ...ries in color You can specify that the log entries appear in different col ors according to the type of information they show 1 Click the Main Menu button Click Settings Click the Syslog Color tab 2 T...

Page 104: ...us section To copy the source or destination IP address of a deny message so you can paste it into another application right click the message select Source IP Copy or Destination IP Copy To issue the...

Page 105: ...QuickSetup Wizard The QuickSetup Wizard begins For more information on running the QuickSetup Wizard see the QuickStart Guide included with your Firebox Flushing the ARP cache The ARP Address Resolut...

Page 106: ...on on entering IP addresses see Entering IP addresses on page 43 3 Enter the Firebox status passphrase 4 Click OK System Manager connects to the Firebox and displays its real time status Changing the...

Page 107: ...urity Service Select to activate LiveSecurity Service For more information on this service see Chapter 2 Service and Support Launching Firebox Applications You launch the following applications from t...

Page 108: ...o the current log file For more information see HostWatch on page 167 Launching Historical Reports Historical Reports is a report building tool that cre ates HTML reports displaying session types most...

Page 109: ...Windows desktop tray click the Main Menu button Select Tools Logging Event Processor Interface Viewing Bandwidth Usage Click the Bandwidth Meter tab to view real time band width usage for all Firebox...

Page 110: ...number of connections and the x axis shows time The display differentiates by color each service being graphed To configure the services that appear and how they are dis played 1 Click the Main Menu...

Page 111: ...mber 103100033 Product Type FBIII 1000 300Mhz 64MB Product Options hifn Packet counts The number of packets allowed denied and rejected between status queries Rejected packets are denied packets for w...

Page 112: ...tions configured with either the QuickSetup Wizard or by adding and configuring services from Policy Manager Logging options Outgoing traceroute Incoming traceroute logged warning notifies traceroute...

Page 113: ...l amount of RAM the process is using SHARE Amount of memory that can be shared by more than one process TIME Total CPU time used CPU Percentage of CPU time used PRI Priority of process SCHED The way t...

Page 114: ...376 0 00 10 0 0 nice 91 netdbg S 828 372 0 00 05 0 0 nice 96 opt bin dns proxy S 800 400 0 00 72 0 0 nice Interfaces Each network interface is displayed in this section along with detailed information...

Page 115: ...erruns 0 carrier 0 Collisions 193 eth1 Link encap Ethernet HWaddr 00 90 7F 1E 79 85 inet addr 192 168 253 1 Bcast 192 168 253 255 Mask 255 255 255 0 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 2 RX...

Page 116: ...ress when the Firebox is set up for PPPoE support Because all traffic passing over this interface is PPPoE specific the IP address that appears is a placeholder value only and can be ignored Routes Th...

Page 117: ...00 80 AD 19 1F 80 C eth0 201 148 32 54 ether 00 A0 24 4B 95 67 C eth1 0 201 148 32 26 ether 00 A0 24 4B 98 7F C eth1 0 207 23 8 30 ether 00 A0 24 79 96 42 C eth0 For more information on the status rep...

Page 118: ...time on the tem porary auto block You can adjust the auto blocking value from the Blocked Sites dialog box available through Policy Manager To remove a site from this list right click it and select R...

Page 119: ...Fire box to log incoming denied Telnet attempts The line connecting the source host and destination host is color coded to display the type of connection being made These colors can be changed The de...

Page 120: ...tailed information about current connections for the item such as IP addresses port num ber connection type and direction The lower pane displays the same information in tabular form in addition to po...

Page 121: ...ntinue shown at right 4 To step through the display one entry at a time click the Pause icon Click the right arrow to step forward through the log Click the left arrow to step backward through the log...

Page 122: ...resses From HostWatch 1 Select View Properties 2 Use the Host Display tab to modify host display and text options For a description of each control right click it and then select What s This 3 Use the...

Page 123: ...erformed refers to the method of translation Dynamic NAT Also called IP masquerading or port address translation The Firebox either globally or on a service by service basis applies its public IP addr...

Page 124: ...e most commonly used form of NAT It works by translating the source IP address of outbound sessions those originating on the internal side of the Fire box to the one public IP address of the Firebox H...

Page 125: ...ackets Simple dynamic NAT provides a quick method to set a NAT policy for your entire network For more information on this type of NAT see the following FAQ https support watchguard com advancedfaqs n...

Page 126: ...ay require addi tional entries in the From or To lists of hosts or host aliases The Firebox applies dynamic NAT rules in the order in which they appear in the Dynamic NAT Entries list Watch Guard reco...

Page 127: ...There is no method to modify a dynamic NAT entry Instead use the Remove button to remove existing entries and the Add button to add new entries Specifying simple dynamic NAT exceptions You can set up...

Page 128: ...NAT policy on a service by service basis Service based NAT is most frequently used to make exceptions to a globally applied simple dynamic NAT entry For example use service based NAT on a network with...

Page 129: ...alog box You have three options Use Default Simple NAT Service based NAT is not enabled for the service The service uses the simple dynamic NAT rules configured in the Dynamic NAT Entries list as expl...

Page 130: ...a new public IP address using the Add External IP dialog box From Policy Man ager 1 Select Network Configuration Click the Aliases button The Add External IP dialog box appears 2 At the bottom of the...

Page 131: ...to select the public address to be used for this service If the public address does not appear in the drop down list click Edit to open the Add External IP dialog box and add the public address 6 Ente...

Page 132: ...ranslating the local network to a range that is not in conflict with the other end both sides can communicate For more information on 1 to 1 NAT see the following FAQ https support watchguard com adva...

Page 133: ...face external trusted optional or IPSec 7 Enter the number of hosts to be translated 8 In the NAT base field enter the base address for the exposed NAT range This will generally be the public IP addre...

Page 134: ...p_local_nets refers to networks behind the DVCP server 13 Click the button next to the From box and enter the value of the real IP address range as entered in step 9 Click OK 14 Click OK to close the...

Page 135: ...tomize rule sets destina tions protocols ports used and other parameters With both packet filters and proxies you can deter mine which hosts within your LAN and on the Inter net can communicate with e...

Page 136: ...be configured to do so You must actively select the services and protocols allowable configure each one as to which hosts can send and receive them and set other properties individual to the service E...

Page 137: ...owing it to the trusted network Allowing incoming services from a virtual private network VPN where the organization at the other end is known and authenticated is generally safer than allowing incomi...

Page 138: ...the following figure You can choose from many filtered and proxied services These services are configurable for outgoing or incoming traffic and they can also be made active or inactive When config u...

Page 139: ...igured Sources and Destinations You use separate controls for configuring incoming and outgoing traffic The outgoing controls sources define entries in the From lists while incoming controls destinati...

Page 140: ...log box to add modify and remove the filtered and proxed services you want 2 Expand either the Packet Filters or Proxies folder by clicking the plus sign to the left of the folder A list of pre config...

Page 141: ...Policy Manager Services Arena Adding multiple services of the same type In developing a security policy for your network you might want to add the same service more than once For example you might nee...

Page 142: ...ties on page 125 Using the previous example you might add an alias called executives NOTE Be careful to avoid creating conflicting services for example one HTTP service that allows incoming traffic wh...

Page 143: ...ices dialog box when you select the service 5 To begin setting the port used for this service click Add The Add Port dialog box appears 6 From the Protocol drop down list select the protocol used for...

Page 144: ...ce s Properties dialog box Properties tab shown below Client Source port can range from 1025 65565 8 In the Port field enter the port number If you are entering a range enter the lowest number of the...

Page 145: ...o close the Properties dialog box Click Close to close the Services dialog box The icon of the new service appears in the Services Arena Deleting a service From Policy Manager 1 In the Services Arena...

Page 146: ...ind the Firebox that use this service to initiate sessions with an outside destination The destinations on the external network to which outgoing traffic for this service can be bound In a given direc...

Page 147: ...ght Adding service properties The method used to add incoming and outgoing service properties is identical Select the tab click the Add button for either the From or the To member list and then define...

Page 148: ...ervice Connections Are drop down list to select Enabled and Allowed 2 Click either the Incoming tab or Outgoing tab Click the Add button underneath the From or the To list The Add Address dialog box a...

Page 149: ...following wg_ services are available wg_authentication Added when you enable authentication wg_dhcp_server Added when you enable the DHCP server wg_pptp Added when you enable PPTP wg_dvcp Added when t...

Page 150: ...iority events You use the Logging and Notification dialog box to config ure the services blocking categories and packet handling options you want Consequently once you master the con trols for one typ...

Page 151: ...re denied You set notification criteria using the WatchGuard Security Event Processor WSEP For more information see Customizing Logging and Notification by Service or Option on page 215 The remaining...

Page 152: ...vice This group has the highest precedence IP and ICMP services and all TCP UDP services that have a port number specified This group has the second highest precedence and is the largest of the three...

Page 153: ...precedence group all incidences of the Any ser vice will take precedence over the highest precedence Tel net service The precedences of services that are in the same prece dence group are ordered fro...

Page 154: ...cket is denied For example if there are two Telnet icons telnet_1 allowing from A to B and telnet_2 allowing from C to D a Telnet attempt from C to E will first check telnet_1 and then telnet_2 Becaus...

Page 155: ...recedence User Guide 133 ther down the precedence chain including outgoing ser vices For more information on outgoing services see the follow ing FAQ https support watchguard com advancedfaqs svc_outg...

Page 156: ...Chapter 8 Configuring Filtered Services 134 WatchGuard Firebox System...

Page 157: ...s are common methods of transmitting computer viruses The SMTP proxy knows these content types are not allowed while a packet filter would not detect the unauthorized content in the packet s data payl...

Page 158: ...or protecting your network from attacks An anomaly in the context of network security is data action or behavior that deviates from what is expected for a given user network or system Because network...

Page 159: ...otification dialog box appears as shown in the following figure 3 Customize logging and notification using the settings in this dialog box as described in Customizing logging and notification on page...

Page 160: ...orted For more information on the SMTP proxy see the follow ing FAQ https support watchguard com advancedfaqs proxy_smtp asp Configuring the Incoming SMTP Proxy Use the Incoming SMTP Proxy dialog box...

Page 161: ...email that supports graph ics audio and video files and text in various foreign lan guages You use the ESMTP tab on the Incoming SMTP Proxy dialog box to specify support for ESMTP extensions keywords...

Page 162: ...tent The header describes the type of multimedia content contained within an email or on a Web site For instance a MIME type of application zip in an email message indicates that the email contains a...

Page 163: ...oxy Service User Guide 141 2 If you want to specify content types to allow click the upper Add button in the dialog box The Select MIME Type dialog box appears as shown in the following figure 3 Selec...

Page 164: ...name patterns The Content Types tab includes a list of file name patterns denied by the Firebox if they appear in email attachments To add a file name pattern to the list enter a new pattern in the te...

Page 165: ...to send mail from your servers To prevent this disable open relay on your mail servers by restricting the destina tion to only your own domain To further increase protection from mail relaying modify...

Page 166: ...der name in the text box to the left of the Add button Click Add The new header appears at the bottom of the header list 3 To remove a header select the header name in the header list Click Remove The...

Page 167: ...e 136 1 From the SMTP Properties dialog box click the Properties tab The SMTP Properties dialog box appears as shown in the following figure 2 Select the Enable auto blocking of sites using protocol a...

Page 168: ...t types select the corresponding checkbox To be able to select or clear several consecutive content types as a group select the first type press Shift and select the last type and then select one of t...

Page 169: ...ck Outgoing The Outgoing SMTP Proxy dialog box appears displaying the General tab as shown in the following figure 3 To add a new header pattern type the pattern name in the text box to the left of th...

Page 170: ...ss patterns that are behind your firewall that you want replaced by the official domain name Click Add All patterns entered here appear as the official domain name outside the Firebox 4 In the Don t S...

Page 171: ...also potentially dangerous outbound because it enables users on your network to copy virtually anything from outside the network to a location behind their fire wall Therefore it is important to make...

Page 172: ...t s This You can also refer to the Field Definitions chapter in the Reference Guide Note that the Make Incoming FTP Connections Read only checkbox is selected by default If you have an FTP server that...

Page 173: ...P traffic from traveling from the optional interface to the trusted interface Outgoing traffic is generally less restrictive For example many companies open outgoing HTTP traffic from Any to Any Watch...

Page 174: ...ot provide protection that is as thorough or as effective In addition none of the custom options including WebBlocker are available for Filtered HTTP Adding a proxy service for HTTP Most network admin...

Page 175: ...6 Controlling Web Site Access For a description of each control right click it and then select What s This Or refer to the Field Definitions chapter in the Reference Guide For detailed information abo...

Page 176: ...d here can be added to the unsafe path patterns box not testsite If you want to disable content type filtering click the Set tings tab Clear the checkbox marked Require Content Type NOTE Zip files are...

Page 177: ...n to the Firebox Configuring the DNS Proxy Service Internet domain names such as WatchGuard com are located and translated into IP addresses by the domain name system DNS DNS lets users navigate the I...

Page 178: ...sed Attackers can set the value of a key variable such that the server crashes and the attacker gains unauthorized access The DNS proxy protects your DNS servers from both the TSIG and NXT attacks alo...

Page 179: ...NS Proxy connections are drop down list to select Enabled and Allowed 7 Click OK to close the DNS Proxy Properties dialog box 8 Click Close The Services dialog box closes The DNS Proxy icon appears in...

Page 180: ...secutive rules as a group press Ctrl and select each rule you want DNS file descriptor limit The DNS proxy has only 256 file descriptors available for its use which limits the number of DNS connection...

Page 181: ...9 You can work around this problem in two ways the first method is the most secure Avoid using dynamic NAT between your clients and your DNS server Disable the outgoing portion of the DNS proxied serv...

Page 182: ...Chapter 9 Configuring Proxied Services 160 WatchGuard Firebox System...

Page 183: ...on it does not matter which IP address is used or from which machine a person chooses to work To gain access to Internet services such as outgoing HTTP or outgoing FTP the user provides authenti catin...

Page 184: ...re a user workstation may have several different IP addresses over the course of a week Authentication by user is also useful in education environments such as classrooms and college computer centers...

Page 185: ...entication 4 Click Add The Add Address dialog box appears as shown in the following figure Group Function firebox Addresses assigned to the three Firebox interfaces and any related networks or device...

Page 186: ...down list to select a category In the Value text box enter the address range or host name Click OK 8 When you finish adding members click OK The Host Alias dialog box appears listing the new alias Cli...

Page 187: ...enticating disable the account on the authentication server Using external authentication Although the authentication applet is primarily used for outbound traffic it can be used for inbound traffic a...

Page 188: ...the user the user performs many or all of the same tasks to authenticate against any of the five types of authentication The difference for the Firebox administrator is that for built in authenticati...

Page 189: ...s down the connection This is a set time limit regardless of end user traffic Defining Firebox Users and Groups for Authentication In the absence of a third party authentication server you can divide...

Page 190: ...ox users If you have more than approximately 100 users to authenticate WatchGuard recommends that you use a third party authentication server WatchGuard automatically adds two groups intended for remo...

Page 191: ...appears 3 Type the name of the group Click OK 4 To add a new user click the Add button beneath the Users list The Setup Firebox User dialog box appears as shown in the following figure 5 Enter the us...

Page 192: ...oups click OK The users and groups can now be used to configure services and authentication Configuring Windows NT Server Authentication Windows NT Server authentication is based on Windows NT Server...

Page 193: ...5 Click OK Configuring RADIUS Server Authentication The Remote Authentication Dial In User Service RADIUS provides remote users with secure access to corporate net works RADIUS is a client server syst...

Page 194: ...used for RADIUS authentication The default is 1645 RFC 2138 states the port number as 1812 but many RADIUS servers still use port number 1645 5 Enter the value of the secret shared between the Firebo...

Page 195: ...or example to add the groups Sales Marketing and Engineering enter Filter Id Sales Filter Id Marketing Filter Id Engineering NOTE The filter rules for RADIUS user filter IDs are case sensitive Configu...

Page 196: ...on The standard is 624 5 Enter the administrator password This is the administrator password in the passwd file on the CRYPTOCard server 6 Enter or accept the time out in seconds The time out period i...

Page 197: ...YPTOCard server documentation Configuring SecurID Authentication For SecurID authentication to work the RADIUS and ACE Server servers must first be correctly configured In addition users must have a v...

Page 198: ...s 1645 5 Enter the value of the secret shared between the Firebox and the SecurID server The shared secret is case sensitive and must be identical on the Firebox and the SecurID server 6 If you are us...

Page 199: ...Default packet handling Options for how the firewall handles incoming communications that appear to be attacks on a network Blocked sites An IP address outside the Firebox that is prevented from conne...

Page 200: ...rewall examines the source of the packet and its intended destination by IP address and port number It also watches for patterns in successive packets that indicate unautho rized attempts to access th...

Page 201: ...e Firebox prevents packets with a false identity from passing through to your network When such a packet attempts to establish a con nection the Firebox generates two log records One log record shows...

Page 202: ...ult Packet Handling icon You can also from Policy Manager select Setup Intrusion Prevention Default Packet Handling The Default Packet Handling dialog box appears 2 Select the checkbox marked Block Po...

Page 203: ...e browser by sending what is called a SYN ACK segment When the browser sees the SYN ACK it sends an ACK segment The server is ready to accept the URL request from the browser when it sees the ACK stat...

Page 204: ...eted If you find that too many legitimate connection attempts fail when your SYN flood defense is active you can change SYN flood settings to minimize this problem You can set the maximum number of in...

Page 205: ...ttempt is challenged From Policy Manager 1 On the toolbar click the Default Packet Handling icon You can also from Policy Manager select Setup Intrusion Prevention Default Packet Handling The Default...

Page 206: ...Sites The Blocked Sites feature of the Firebox helps you prevent unwanted contact from known or suspected hostile sys tems After you identify an intruder you can block all attempted connections from t...

Page 207: ...add the offending site s IP address to the list of perma nently blocked sites Note that site blocking can be imposed only to traffic on the Firebox s external interface Connections between the truste...

Page 208: ...ed Sites dialog box appears as shown in the following figure 2 Click Add 3 Use the Choose Type drop list to select a member type The options are Host IP Address Network IP Address or Host Range 4 Ente...

Page 209: ...at would otherwise add it to the list The site can still be blocked according to the Firebox configura tion but it will not be automatically blocked for any rea son From Policy Manager 1 Select Setup...

Page 210: ...e the Blocked Sites feature the Blocked Ports feature blocks only packets that enter your network through the external interface Connections between the optional and Trusted interfaces are not subject...

Page 211: ...ossible to detect by all but the most knowledgeable users The first X Window server is always on port 6000 If you have an X server with multiple displays each new display uses an additional port numbe...

Page 212: ...tually used by a given RPC server Because RPC services themselves are very vulnerable to attack over the Internet the first step in attacking RPC services is to contact the portmapper to find out whic...

Page 213: ...larly likely to be used as client ports NOTE Solaris uses ports greater than 32768 for clients Blocking a port permanently From Policy Manager 1 On the toolbar click the Blocked Ports icon shown at r...

Page 214: ...ent logs and notification to accommodate attempts to access blocked ports You can configure the Firebox to log all attempts to use blocked ports or notify a network administrator when someone attempts...

Page 215: ...e dialog box Viewing the Blocked Sites list The Blocked Sites list is a compilation of all sites currently blocked by the Firebox Use Firebox Monitors to view sites that are automatically blocked acco...

Page 216: ...ox for information Because versions are available for Win32 Windows NT Windows 2000 and Windows XP SunOS and Linux oper ating systems you can select whatever IDS application best suits your security p...

Page 217: ...cked Sites dialog box It effectively extends your control of the Auto Block mechanism inside the Firebox add_log_message This command causes a message to be added to the log stream emitted by the Fire...

Page 218: ...209 54 94 99 The 209 54 94 99 site appears on the auto blocked sites list and remains there for the duration set in Policy Manager In addition the following message appears in the log file Temporarily...

Page 219: ...crypted file on the IDS host fbidsmate import_passphrase secure1 etc fbidsmate passphrase Then you could rewrite the previous examples as fbidsmate 10 0 0 1 f etc fbidsmate passphrase add_hostile 209...

Page 220: ...Chapter 11 Intrusion Detection and Prevention 198 WatchGuard Firebox System...

Page 221: ...call to a pager or the execution of a custom program For example WatchGuard recommends that you con figure default packet handling to issue a notification when the Firebox detects a port space probe...

Page 222: ...ng a logging policy you spell out what gets logged and when an event or series of events warrants sending out a notification to the on duty administrator Developing these policies simplifies the setup...

Page 223: ...ng traffic from any source outside to any destination inside there is little point in log ging incoming denied packets All traffic for that service in that direction is blocked Notification policy The...

Page 224: ...ber you might want to activate notification on this service whenever it denies or passes a packet Failover Logging WatchGuard uses failover logging to minimize the possi bility of missing log events W...

Page 225: ...references for services and packet handling options Save the configuration file with logging properties to the Firebox WatchGuard Security Event Processor WSEP Install the WSEP software on each log ho...

Page 226: ...support watchguard com advancedfaqs log_troubleshootinghost asp Adding a log host From Policy Manager 1 Select Setup Logging The Logging Setup dialog box appears 2 Click Add The Add IP Address dialog...

Page 227: ...ck the Syslog tab The Syslog tab information appears as shown in the following figure 3 Select the checkbox marked Enable Syslog Logging 4 Enter the IP address of the Syslog server 5 Select a Syslog f...

Page 228: ...nfiguration file Reordering log hosts Log host priority is determined by the order in which the hosts appear in the WatchGuard Security Event Processor list The host that is listed first receives log...

Page 229: ...troller Another method to set the log host and domain controller clocks is to use an independent source such as the atomic clock based servers available on the Internet One place to access this servic...

Page 230: ...ecurity Event Processor Click Start Or right click on the WSEP icon in the system tray and select Start You can also restart your computer The service starts automatically every time the host reboots...

Page 231: ...directory is C Program Files WatchGuard 3 At the command line type controld nt install You can perform other commands for the WSEP applica tion from the Command Prompt To start the WSEP application at...

Page 232: ...con is not in the tray in Firebox System Manager select Tools Log ging Event Processor Interface To start the Event Pro cessor interface when you log in to the system add a shortcut to the Startup fol...

Page 233: ...tion From the WatchGuard Security Event Processor user inter face 1 Select File Set Log Encryption Key 2 Enter the log encryption key in both text boxes Click OK Setting Global Logging and Notificatio...

Page 234: ...how long a log file is practical to keep open and view How quickly a file hits its maximum size and is overwritten is also deter mined by how many event types are logged and how much traffic the Fire...

Page 235: ...e of day 3 For a record size select the Roll Log Files By Number of Entries checkbox Use the scroll control or enter a number of log record entries The Approximate Size field changes to display the ap...

Page 236: ...Modify the settings according to your security policy preferences For more information on individual settings right click the setting and then select What s This You can also refer to the Field Defin...

Page 237: ...and notification configuration easier ser vices blocking categories and packet handling options share an identical dialog box as shown in the following figure Therefore once you learn the controls for...

Page 238: ...r interface Pager Triggers an electronic page when the event occurs Set the pager number in the Notification tab of the WSEP user interface If the pager is accessible by email select the Email option...

Page 239: ...ion is repeating Notification repeats only after this number of events occurs As an example of how these two values interact suppose you have set up notification with these values Launch interval 5 mi...

Page 240: ...Manager 1 Double click a service in the Services Arena The Properties dialog box appears 2 Click Logging The Logging and Notification dialog box appears The options for each service are identical the...

Page 241: ...licy preferences Click OK Setting logging and notification for blocked sites and ports You can control logging and notification properties for both blocked sites and blocked ports The process is ident...

Page 242: ...Chapter 12 Setting Up Logging and Notification 220 WatchGuard Firebox System...

Page 243: ...g files searching for entries in them and consolidating and copying logs The WatchGuard Security Event Processor WSEP controls logging report schedules and notification It also provides timekeeping se...

Page 244: ...files are named Fire boxIP timestamp wgl In addition the WSEP creates an index file using the same name as the log file but with the extension idx1 This file is located in the same directory as the l...

Page 245: ...on on the Filter Data tab see Displaying and Hiding Fields on page 225 Searching for specific entries LogViewer has a search tool to enable you to find specific transactions quickly by keyphrase or fi...

Page 246: ...hoose to transfer is converted to a text file txt If you want to transfer specific log entries to another appli cation use the copy function Use the export function if you want to transfer entire log...

Page 247: ...ndow 1 Select File Export The Save Main Window dialog box appears 2 Select a location Enter a file name Click Save LogViewer saves the contents of the selected window to a text file Displaying and Hid...

Page 248: ...Time The time the record entered the log file Default Show The Firebox receives the time from the log host If the time noted in the log seems later or earlier than it should be it is usually because t...

Page 249: ...packet event fields are described here in order from left to right Disposition Default Show The disposition can be as follows Allow Packet was permitted by the current set of filter rules Deny Packet...

Page 250: ...t Show Source port The source port of the logged packet UDP or TCP only Default Show Destination port The destination port of the logged packet UDP or TCP only Default Show Details Additional informat...

Page 251: ...ultiple locations You can merge two or more log files into a single file This merged file can then be used with Historical Reports Log Viewer HostWatch or some other utility to examine log data coveri...

Page 252: ...Current Log File The old log file is saved as Firebox IP Time Stamp wgl or Firebox Name Time Stamp wgl The Event Processor continues writing new records to Firebox IP wgl or Firebox Name wgl Saving lo...

Page 253: ...ncryption Key The Set Log Encryption Key dialog box appears 2 Enter the log encryption key in the first box Enter the same key in the box beneath it to confirm Sending logs to a log host at another lo...

Page 254: ...Logging Properties dialog box 9 Save the new configuration to the main office Firebox On the remote office Firebox 1 Open Policy Manager with the current configuration file 2 Select Setup Logging Cli...

Page 255: ...Working with Log Files User Guide 233 appear until the remote office Firebox has been properly configured...

Page 256: ...Chapter 13 Reviewing and Working with Log Files 234 WatchGuard Firebox System...

Page 257: ...r bandwidth connection to the Internet and why What usage patterns are users developing and how do those patterns relate to the security of the network and the goals of the corporation How do current...

Page 258: ...a group of Fireboxes and set properties to display the report data according to your preferences Creating and Editing Reports To start Historical Reports from Firebox System Manager click the Historic...

Page 259: ...port For more information on output types see Exporting Reports on page 241 6 Select the filter For more information on filters see Using Report Filters on page 243 7 If you selected the HTML output t...

Page 260: ...mmand removes the rep file from the reports directory Viewing the reports list To view all reports generated click Reports Page This launches your default browser with the HTML file contain ing the ma...

Page 261: ...escription of each section see Report Sections and Consolidated Sections on page 246 3 To run authentication resolution on IP addresses select the checkbox marked Authentication Resolution on IP addre...

Page 262: ...nted in different ways to better focus on the specific information you want to view Detail sections are reported only as text files with a user desig nated number of records per page Summary sections...

Page 263: ...ext All reports are stored in the path drive WatchGuard Install Directory Reports Under the Reports directory are subdi rectories that include the name and time of the report Each report is filed in o...

Page 264: ...al Reports counts the number of transactions that occur on Port 80 WebTrends for Firewalls and VPNs calcu lates the number of URL requests These numbers vary because multiple URL requests may go over...

Page 265: ...t a report displays information on the entire con tent of a log file At times however you may want to view information only about specific hosts services or users Use report filters to narrow the rang...

Page 266: ...l records except those meeting the criteria set on the Host Service and User tabs 4 Complete the Filter tabs according to your report preferences For a description of each control right click it and t...

Page 267: ...Filters dialog box appear in the Filter drop down list For more information see Creating a new report filter on page 244 3 Click OK The new report properties are saved to the ReportName rep file in th...

Page 268: ...rate 2 Click Run Report Sections and Consolidated Sections You can use Historical Reports to build a report that includes one or more sections Each section represents a discrete type of information or...

Page 269: ...Otherwise the time interval is based on your selection Host Summary Packet Filtered A table and optionally a graph of internal and external hosts passing packet filtered traffic through the Firebox s...

Page 270: ...th or connections Session Summary Proxied Traffic A table and optionally a graph of the top incoming and outgoing sessions sorted either by byte count or number of connections The format of the sessio...

Page 271: ...ime Type Client Client Port Server Server Port Protocol and Duration Denied Incoming Packet Detail A list of denied incoming packets sorted by time The fields are Date Time Type Client Client Port Ser...

Page 272: ...al is based on your selection Host Summary Packet Filtered A table and optionally a graph of internal and external hosts passing packet filtered traffic sorted either by bytes transferred or number of...

Page 273: ...hosts passing proxied traffic sorted either by bytes transferred or number of connections Proxy Summary Proxies ranked by bandwidth or connections Session Summary Proxied Traffic A table and optionall...

Page 274: ...Chapter 14 Generating Reports of Network Activity 252 WatchGuard Firebox System...

Page 275: ...l over the Web surfing in your organization You can designate which hours in the day users are free to access the Web and which categories of Web sites they are restricted from visit ing For more info...

Page 276: ...ed server run ning Windows NT 4 0 or Windows 2000 To install the WebBlocker server on a dedicated platform rerun the setup program on the dedicated server and on the Select Components screen unselect...

Page 277: ...icon Because WebBlocker relies on copying updated versions of the WebBlocker database to the event processor you must configure the WatchGuard service setting Allow Outgoing to Any It is possible to n...

Page 278: ...ture of several services includ ing HTTP Proxied HTTP and Proxy When WebBlocker is installed five tabs appear in the service s Properties dialog box WebBlocker Controls WB Schedule WB Operational Priv...

Page 279: ...server bypass By default if the WebBlocker server does not respond HTTP traffic Outbound is denied To change this such that all outbound HTTP traffic is allowed if a WebBlocker server is not recognize...

Page 280: ...egory Request for URL u denied by WebBlocker s blocked for r With this entry in the Message for blocked user field the following string might appear in a user s browser Request for URL www badsite com...

Page 281: ...u have set a Firebox time zone For information on setting the Firebox time zone see Setting the Time Zone on page 55 Setting privileges WebBlocker differentiates URLs based on their content Select the...

Page 282: ...edspace com dave because Dave s site con tains nude pictures you would enter dave to block that directory of sharedspace com This would still allow users to have access to www sharedspace com julia wh...

Page 283: ...cific port or directory pattern enter the port or string to be allowed When typing IP addresses type the digits and periods in sequence Do not use the TAB or arrow key to jump past the periods For mor...

Page 284: ...WebBlocker Servers box as shown in Activating WebBlocker on page 256 To add additional WebBlocker servers 1 On the WebBlocker Controls tab in the HTTP Proxy dialog box click Add 2 In the dialog box th...

Page 285: ...you can do it less often if you have bandwidth concerns Click Next 7 Enter a start time for the process Because these downloads are close to 60 megabytes choose a time outside normal work hours 8 Sel...

Page 286: ...select Task Scheduler If you re using Internet Explorer 5 0 or later select Offline Browsing Pack If the message cannot find Windows Update Files on this computer appears open Internet Explorer go to...

Page 287: ...y configuring a Firebox when access through the Ethernet interfaces is unavailable Connecting a Firebox with OOB Management To connect to the Firebox using OOB management you must Connect the manageme...

Page 288: ...nt station for OOB Install the Microsoft Remote Access Server RAS on the management station 1 Attach a modem to your computer according to the manufacturer s instructions 2 From the Windows NT Desktop...

Page 289: ...n 1 From the Desktop click My Network Places Network and Dial up Connections Make New Connection The Network Connection wizard appears 2 Click Next Select Dial up to Private Network Click Next 3 Enter...

Page 290: ...and model of the Firebox modem and the modem speed 5 Click Finish to complete the modem installation Configure the dial up connection 1 Click Start Control Panel Click Network Connections Click New C...

Page 291: ...to your security policy preferences Click OK For a description of each control right click it and then select What s This You can also refer to the Field Definitions chapter in the Reference Guide Est...

Page 292: ...ify a username or password leave these fields blank OOB time out disconnects The Firebox starts the PPP session and waits for a valid connection from Policy Manager on your management sta tion If none...

Page 293: ...hat file If you have not yet created a configuration file use the QuickSetup Wizard to create one as described in Chapter 3 Getting Started Loss of connection to the Firebox can occur because you lost...

Page 294: ...off the Firebox 4 Make sure the management station has a static IP address If it doesn t change the TCP IP settings to a static IP address The computer designated as the management station should be...

Page 295: ...ed for the IP address of the Firebox and the Firebox configuration passphrase Use the address you used to ping the Firebox and wg for the passphrase 10 When the Firebox Flash Disk dialog box appears a...

Page 296: ...as the configuration file preferably the Trusted network so you do not need to reassign an IP address to your computer after the configuration file has been uploaded The following is an example of a t...

Page 297: ...Open a DOS prompt and ping the IP address that you used for the temporary IP Replies should follow which means the Firebox is now ready for uploading a configuration 10 In Policy Manager select File O...

Page 298: ...fault The subnet is 255 255 255 0 It is recommended that you give your computer s default gateway an IP address of 192 168 253 1 1 Disconnect the Firebox from the network 2 Start with the Firebox turn...

Page 299: ...Firebox After the configuration has been uploaded and the Firebox has been rebooted the Firebox light sequence should now look like this Armed light steady Sys A light steady Method 4 Serial Dongle Fi...

Page 300: ...File Open Configuration File Select the configuration file you want to load onto the Firebox and load it into Policy Manager 6 In Policy Manager select File Save To Firebox When you are prompted for a...

Page 301: ...al 163 trusted 163 Aliases dialog box 163 anonymous FTP 115 Any service precedence 130 ARP cache flushing 83 ARP table viewing 95 attacks spoofing See spoofing attacks attacks types of 177 AUTH types...

Page 302: ...and time of 77 viewing status of 77 CHAP authentication 172 configuration file and Policy Manager 49 basic 40 customizing 44 opening 49 opening from Firebox 50 opening from local drive 50 rebooting Fi...

Page 303: ...onfiguration 59 64 New Firebox Configuration 51 54 New Service 120 Outgoing SMTP Proxy 147 PAD Rules for DNS Proxy 157 PAD Rules for FTP Proxy 150 PAD Rules for SMTP Proxy 145 Report Properties 238 24...

Page 304: ...phrases See passphrases Firebox System components of 2 described 1 hardware requirements 4 introduction 2 requirements 3 software requirements 3 Web browser requirements 4 Firebox System applications...

Page 305: ...starting new reports 236 time spans for 238 time zone 55 Historical Reports See also reports Host Alias dialog box 164 host aliases 162 163 host routes configuring 71 hosts viewing blocked 90 viewing...

Page 306: ...etting 211 231 log files consolidating 229 copying 229 copying entries 224 copying log entries 225 default location of 222 described 221 displaying and hiding fields 225 exporting records 225 forcing...

Page 307: ...setting preferences 223 starting 222 time zone 55 viewing files with 222 working with log files 228 M MAC address of interfaces viewing 77 mail servers protecting against relaying 143 main menu butto...

Page 308: ...secondary See secondary networks New Firebox Configuration dialog box 51 54 New Service dialog box 120 notation slash 43 notification blocked port activity 192 bringing up popup window as 129 describ...

Page 309: ...85 opening 85 opening a configuration file 49 Services Arena 85 services displayed in 116 using to create configuration file 57 polling rate changing 84 POP and security policy 115 popup window as not...

Page 310: ...host summary 247 248 HTTP detail 248 HTTP summary 248 251 key issues 235 location of 241 network statistics 250 proxy summary 248 reasons for generating 235 running manually 246 scheduling 245 section...

Page 311: ...7 HTTP 151 icons for 116 Novel IPX over IP 190 OpenWindows 190 overriding NAT setting 107 precedence 130 proxied HTTP 255 Proxy 255 rcp 190 rlogin 190 RPC portmapper 190 rsh 190 setting logging and no...

Page 312: ...ation 89 viewing bandwidth usage 87 system requirements 3 T TCP IP cabling for 40 TCPmux service 190 Technical Support assisted support 18 described 9 Firebox Installation Services 20 frequently asked...

Page 313: ...6 configuring message for 257 creating exceptions for 260 described 253 manually downloading database 264 prerequisites 253 required services 255 scheduling hours 258 setting privileges 259 time zone...

Page 314: ...292 WatchGuard Firebox System wizard cfg 40 WSEP See WatchGuard Security Event Processor X X Font server 189 X Window 189 Z Zip files 154...

Reviews: