WatchGuard Firebox X Edge

Firebox X15 contents

Page 1: ...WatchGuard Firebox X Edge User Guide. Firebox X Edge Firmware Version 7.5. All Firebox X Edge Standard and Wireless Models...

Page 2: ...you accept all of the terms contained in this Agreement. Please read this Agreement carefully. By installing or using the SOFTWARE PRODUCT you agree to be bound by the terms of this Agreement. If you do...

Page 3: ...up or archival copy of the SOFTWARE PRODUCT, or allow someone else to use such a copy for any purpose other than to replace the original copy in the event it is destroyed or becomes defective; (C) Sublice...

Page 4: ...forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software Restricted Rights Clause...

Page 5: ...tocol; DSL: Digital Subscriber Line; IP: Internet Protocol; IPSec: Internet Protocol Security; ISDN: Integrated Services Digital Network; ISP: Internet Service Provider; MAC: Media Access Control; MUVPN: Mobile Use...

Page 6: ...ully upgradeable as an organization grows, and to deliver the industry's best combination of security, performance, intuitive interface, and value. WatchGuard Intelligent Layered Security architecture prot...

Page 7: ...ation Travels on the Internet 4; IP Addresses 5; Network addressing 5; About DHCP 5; About PPPoE 5; Domain Name Service (DNS) 6; Services 6; Ports 6; Firewalls 8; Firebox X Edge and Your Network 9; CHAPTER 2 Inst...

Page 8: ...w 32; Firebox System Status Page 32; Network Page 33; Administration Page 34; Firewall Page 35; Logging Page 37; WebBlocker Page 38; VPN Page 38; Wizards Page 39; CHAPTER 4 Configuration and Management Basics...

Page 9: ...k 73; Changing the IP address of the optional network 73; Using DHCP on the optional network 74; Setting optional network DHCP address reservations 75; Configuring the optional network for DHCP relay 76; U...

Page 10: ...03; About Services 103; Incoming and outgoing traffic 104; Traffic through VPN tunnels 104; About This Chapter 104; Configuring Incoming Services 105; Configuring common services for incoming traffic 106; Ab...

Page 11: ...Authentication 137; Setting authentication options for all users 138; Configuring MUVPN client settings 140; Authenticating to the Edge 141; Using Local Firebox Authentication 142; Creating a read-only ad...

Page 12: ...ut This Chapter 192; Enabling MUVPN for Edge Users 193; Configuring MUVPN client settings 193; Enabling MUVPN access for a Firebox user account 194; Configuring the Firebox for MUVPN clients using a Pocke...

Page 13: ...PC 214; Troubleshooting Tips 216; APPENDIX A Firebox X Edge Hardware 219; Package Contents and Specifications 219; Hardware Description 221; Front panel 221; Rear view 223; Side panels 223; About IEEE 802.11g...

Page 14: ...xiv WatchGuard Firebox X Edge...

Page 15: ...hapter: Network Security. While the Internet gives you access to a large quantity of information and business opportunity, it also opens your network to attackers. A good network security policy helps you...

Page 16: ...net. ISPs (Internet service providers) are companies that give access to the Internet through network connections. Bandwidth is the rate at which a network connection can send data, for example 3 megabits...

Page 17: ...s the usual language of computers on the Internet. A protocol also tells how data is sent through a network. The most frequently used protocols are TCP (Transmission Control Protocol) and UDP (User Datagra...

Page 18: ...n use different routes through the Internet. When they all get to their destination, they are assembled back into a file. To make sure that the packets get to the destination, address information is added...

Page 19: ...hese addresses do not change automatically and are frequently used for servers. Dynamic IP addresses change with time. If a dynamic address is not in use, it can be automatically assigned to a different...

Page 20: ...ent computer through the network. These services use protocols. Frequently used Internet services are: World Wide Web access uses Hypertext Transfer Protocol (HTTP); E-mail uses Simple Mail Transfer Protoc...

Page 21: ...col is assigned to port 25. Other programs are assigned port numbers dynamically for each connection. The IANA (Internet Assigned Numbers Authority) keeps a list of well-known ports. You can see this list...

Page 22: ...are protected. We refer to these as trusted computers. The figure below shows how a firewall divides the trusted computers from the Internet. Firewalls use access policies to identify different types of...

Page 23: ...twork. Use the optional network for computers with mixed trust. For example, customers frequently use the optional network for their remote users or for public servers such as a Web server or e-mail serv...

Page 24: ...to a cable modem, DSL modem, or ISDN router. The Web-based user interface of the Firebox X Edge lets you manage your network safely. You can manage your Edge from different locations and at different ti...

Page 25: ...the HTTP proxy properties of your Web browser. Connect the Firebox X Edge to your network. Connect your computer to the Edge. Use the Quick Setup Wizard to configure the Edge. Activate the LiveSecurity Se...

Page 26: ...only. Two antennae (Wireless models only). Installation Requirements: The Firebox X Edge installation requirements are: A computer with a 10/100BaseT Ethernet network interface card to configure the Firebox...

Page 27: ...ction, you can put the Firebox X Edge between your computer and the Internet and use the network configuration from your computer to configure the Edge external interface. You can use a static IP addres...

Page 28: ...also assigns a subnet mask (also known as the netmask) to a computer. A subnet mask divides a larger network into smaller networks. A subnet mask is a string of bits that mask one section of an IP addres...

Page 29: ...Identifying Your Network Settings. User Guide 15. Your TCP/IP Properties Table: TCP/IP Property / Value: IP Address; Subnet Mask; Default Gateway; DHCP Enabled (Yes/No); DNS Server(s) (Primary, Secondary)...

Page 30: ...rograms > Command Prompt. The Command Prompt window appears. 2. At the command prompt, type ipconfig /all and then press Enter. 3. Record the values in Your TCP/IP Properties Table on page 15. 4. Close the windo...

Page 31: ...e on page 15. 3. Exit the TCP/IP configuration screen. Finding PPPoE settings: Many ISPs use Point-to-Point Protocol over Ethernet (PPPoE) because it is easy to integrate with a dial-up infrastructure. If yo...

Page 32: ...he Connection Settings button. The Connection Settings dialog box appears. 5. Make sure the Direct Connection to the Internet option is selected. 6. Click OK two times. Disable the HTTP proxy in Mozilla: 1. O...

Page 33: ...disconnect its power supply. 3. Find the Ethernet cable between the modem and your computer. Disconnect this cable from your computer and connect it to the Edge external interface, labeled WAN 1. 4. Find th...

Page 34: ...ce. That same computer can then have more than one connection through the Firebox without adding another session. Sessions are based on the number of computers with active connections through the Fireb...

Page 35: ...comes from your DSL modem, cable modem, or other Internet connection to your computer. Connect the Ethernet cable to the WAN port on the Firebox X Edge. The Firebox X Edge is connected directly to the mo...

Page 36: ...tion icon. The Local Area Connection Status window appears. 4. Click the Properties button. The Local Area Connection Properties window appears. 5. Double-click the Internet Protocol (TCP/IP) list item. The In...

Page 37: ...ct the Use the following IP address option. 7. In the IP address field, type an IP address on the same network as the Edge trusted interface. We recommend 192.168.111.2. The default trusted interface netwo...

Page 38: ...onfigure the External Interface of your Firebox. This screen sets the method your ISP uses to assign your IP address. Configure the External Interface for DHCP: On this screen, type in your DHCP identific...

Page 39: ...izard supplies a link to the WatchGuard web site to register your product. After you complete the wizard, the Firebox X Edge restarts. If you changed the IP address of the trusted interface, you must rest...

Page 40: ...on your Firebox X Edge. To register, find the serial number of your Firebox X Edge. The Edge serial number is printed on the bottom of the device. Record your serial number in the table below and complete...

Page 41: ...stering and Activating LiveSecurity Service. User Guide 27. http://www.watchguard.com/upgrade 5. Select your product and follow the instructions for product activation. At this time you can configure your E...

Page 42: ...Installing the Firebox X Edge. 28 WatchGuard Firebox X Edge...

Page 43: ...etwork statistics and see the current configuration of the Edge. Read this chapter to find basic information about the Firebox X Edge configuration pages. There are sections in subsequent chapters that...

Page 44: ...and the IP address of the Edge trusted interface. The default URL is https://192.168.111.1. This opens your Firebox system configuration pages. You can change the IP address of the trusted network from 19...

Page 45: ...he menu item on the navigation bar. For example, to see how logging is configured for your Firebox and to see the current event log, click Logging. Each menu item contains submenus that you use to configu...

Page 46: ...guration page of the Firebox X Edge. The center panel of the page shows information about the current settings. It also contains the buttons you use to change these settings. You can see details about ea...

Page 47: ...dge connects to the Internet and other networks. Trusted: Configure the Edge trusted network interface or how the Edge gives IP addresses to trusted devices. Optional: Configure the Edge optional network...

Page 48: ...rebox Users menu contains links to these pages: Settings: Use this page to set the properties that apply to all Edge users. New User: From here you can make one or more user profiles and set the network t...

Page 49: ...Use the WSM Access page to enable remote management of the Edge through the WatchGuard Management Server. Update: Update the Edge firmware. Upgrade: Activate your Edge upgrade options. View Configuration: S...

Page 50: ...oming traffic to the trusted or optional networks. Outgoing: Make one or more security services for outgoing traffic to the external network. Optional: Make one or more security services for outgoing traf...

Page 51: ...set your system time to the same value as your local computer. For more information, see Chapter 8, Configuring Logging and System Time. The Logging menu contains links to these pages: WatchGuard Logging: C...

Page 52: ...pages: Settings: Configure the WebBlocker settings for all users. Profiles: Create sets of restrictions and apply them to groups of Edge users. Allowed Sites: Make a list of Web sites that you can browse to...

Page 53: ...Manual VPNs: Make a VPN tunnel to an IPSec-compliant device such as a second Firebox X Edge. VPN Keep Alive: Keep a VPN tunnel open when no regular network traffic goes through it. VPN Statistics: Show imp...

Page 54: ...information, see About custom services for incoming traffic on page 107. Network Interface Wizard: Configure the Edge interfaces. For more information, see Using the Network Setup Wizard on page 59. Wireles...

Page 55: ...ge to factory default settings. Restart the Firebox X Edge. Set HTTP management preferences. Enable remote management on the Firebox X Edge. Update the firmware. Activate upgrade options. Factory Default Se...

Page 56: ...to set the administrator account user name and passphrase. After you complete the Quick Setup Wizard, you must use the user name and password that you selected to see the configuration pages. The Firebo...

Page 57: ...is message if the reset button is stuck in the depressed position. Check the reset button, restart the Edge, and try again. 5. Disconnect the power supply. 6. Connect the power supply again. The Power Indicat...

Page 58: ...05. After HTTPS traffic is allowed, you can remotely manage your Firebox X Edge using your browser. To do a remote reboot: 1. To connect to the System Status page, type https:// in the browser address bar and...

Page 59: ...e System Security page appears. 3. Select the Use non-secure HTTP instead of secure HTTPS for administrative Web site check box. You will see a warning to make sure you change the HTTP server port to its...

Page 60: ...eate managed VPN tunnels between a Firebox X Edge and another WatchGuard Firebox. With WatchGuard System Manager 8.0 and above, you can create managed VPN tunnels between a Firebox X Edge and another Wa...

Page 61: ...the Firebox X Edge is under centralized management, access to the Firebox X Edge configuration pages is set to read-only. The only exception is access to the WSM Access configuration page. If you disabl...

Page 62: ...uration is necessary for this to occur. 9. Type the Client Name to give your Firebox X Edge. This is the name used to identify the Edge in the Management Server. 10. Type the Shared Key. The shared key is u...

Page 63: ...and 8.1 do not support centralized Edge management. 6. Type a status passphrase for your Firebox X Edge and then type it again to confirm in the correct fields. 7. Type a configuration passphrase for your...

Page 64: ...erver. 10. Type the Shared Key. The shared key is used to encrypt the connection between the Management Server and the Firebox X Edge. This shared key must be the same on the Edge and the Management Serve...

Page 65: ...VPN Manager 7.2 or below, click the VPN Manager 7.2 or below check box. 6. Click the Enable VPN Manager Access check box to allow VPN Manager to connect to the Firebox X Edge. Type and confirm the status...

Page 66: ...Firebox X Edge, you must have a current LiveSecurity subscription. See the WatchGuard web site regularly for Firebox X Edge updates: https://www.watchguard.com/archive/softwarecenter.asp; select Firebox X E...

Page 67: ...es. This method can be used with Windows or other operating systems. You must first download the Software Update file, which is a small Zip file. 1. Extract the .wgrd file from the Zip file you downloaded w...

Page 68: ...Service on page 26 for more information. After you have purchased an upgrade option, you are given a license key. You use the license key to get the feature key for the upgrade. Use these steps to activat...

Page 69: ...Activating Upgrade Options. User Guide 55. 7. From the navigation bar, select Administration > Upgrade. The Upgrade page appears. 8. Paste the feature key in the correct field. 9. Click Submit...

Page 70: ...ring WebBlocker. WAN Failover: The WAN failover feature adds redundant support for the external interface. For more information, see Enabling the WAN Failover Option on page 83. Enabling the Model Upgrade...

Page 71: ...uration file in text format from the View Configuration page. 1. To connect to the System Status page, type https:// in the browser address bar and the IP address of the Edge trusted interface. The default U...

Page 72: ...Configuration and Management Basics. 58 WatchGuard Firebox X Edge...

Page 73: ...ration after you run the Quick Setup Wizard. You can also set up the optional interface. Many customers use the optional network for public servers. An example of a public server is a Web server. Using th...

Page 74: ...nterface with a static IP address. If your ISP uses static IP addresses, type the static IP address information your ISP gave you. For more information, see If your ISP uses static IP addresses on page 62...

Page 75: ...information from your ISP or corporate network administrator. If your ISP uses DHCP: The default configuration sets the Firebox X Edge to get its external address information through DHCP. If your ISP us...

Page 76: ...n into your Edge before it can send traffic through the external interface. To set your Edge to use a static IP address for the external interface: 1. Use your browser to connect to the System Status pa...

Page 77: ...type the information from the table. 4. Click Submit. If your ISP uses PPPoE: If your ISP uses PPPoE, you must enter the PPPoE information into your Firebox before it can send traffic through the external...

Page 78: ...Most ISPs using PPPoE make you use the domain name and your user name. Do not include the domain name with your user name, like this: myname@ispdomain.net. If you have a PPPoE name with this format, type...

Page 79: ...concentrator you identify in this field. This option is not usually used. Use it only if you know there is more than one access concentrator. If you enter a Service Name and Access Concentrator Name, you...

Page 80: ...will reply to subsequent LCP echo requests. In most cases, the default setting of three is the best. Reconnect lost PPPoE link: This setting controls how and when the Edge tries to restart a PPPoE connec...

Page 81: ...rk. Any changes to the trusted network configuration page require that you click Submit and then restart the Firebox before the new configuration starts. You can make many changes at one time and then...

Page 82: ...the navigation bar, select Network > Trusted. The Trusted Network Configuration page appears. 3. Type the new IP address of the Firebox X Edge's trusted interface in the IP Address text field. 4. If necessary...

Page 83: ...e IP addresses can be from 192.168.200.2 to 192.168.200.254. 4. If you have a WINS or DNS server, type the WINS Server Address, DNS Server Primary Address, DNS Server Secondary Address, and DNS Domain Suffi...

Page 84: ...ress as 12 hexadecimal digits with no space, dash, or semicolon characters. Click Add. 5. Click Submit. Configuring the trusted network for DHCP relay: One method to get IP addresses for the computers on the...

Page 85: ...o not have a DHCP server on your network, you must manually configure the IP address and subnet mask of each computer. For example, this is necessary when a client-server software application must use a...

Page 86: ...optional network is usually not allowed to the trusted network, you can use the optional network for servers that other computers can connect to from the Internet, such as a web, e-mail, or FTP server. We...

Page 87: ...URL is https://192.168.111.1. 2. From the navigation bar, select Network > Optional. The Optional Network Configuration page appears. 3. Select the Enable Optional Network check box. Changing the IP address of t...

Page 88: ...68.111.1. 2. From the navigation bar, select Network > Optional. The Optional Network Configuration page appears. 3. Type the first address of the new network address range in the IP Address text field. 4. If n...

Page 89: ...the optional IP address. For example, if your optional IP address is 192.168.112.1, the IP addresses can be from 192.168.112.2 to 192.168.112.254. 4. If you have a WINS or DNS server, type the WINS Server...

Page 90: ...rk in the MAC Address field. You must enter the MAC address as 12 hexadecimal digits with no space, dash, or semicolon characters. Click Add. 5. Click Submit. Configuring the optional network for DHCP relay...

Page 91: ...HCP server and you do not have a DHCP server on your optional network, you must manually configure the IP address and subnet mask of each computer. You can also configure specified devices with a stati...

Page 92: ...ting Your Computer to Connect to the Edge on page 22. 3. Connect each computer to the network. Use the procedure Connecting the Edge to more than seven devices on page 20. 4. Restart each computer. Making S...

Page 93: ...sh notation, also known as CIDR or Classless Inter-Domain Routing notation. Do not type a slash for a host IP address. For more information on how to enter IP addresses in slash notation, refer to this FA...

Page 94: ...tem Status page, type https:// in the browser address bar followed by the IP address of the Edge trusted interface. The default URL is https://192.168.111.1. 2. From the navigation bar, select Network > Network S...

Page 95: ...sogen_main.asp. How do I set up Dynamic DNS? http://watchguard.com/support/AdvancedFaqs/sogen_setupdyndns.asp. You must log into your LiveSecurity Service account to see the FAQ. NOTE: WatchGuard is not...

Page 96: ...ption custom sends updates for a Custom DNS host name. For an explanation of each option, see http://www.dyndns.org/services. 6. In the Options field you can type these options: mx=mailexchanger, backmx=YES|N...

Page 97: ...f the link between the external interface and the device it is connected to, usually a router. A ping command to a specified location: The Firebox sends a ping to the default gateway or a computer specif...

Page 98: ...the automatic WAN failover capability of your Firebox Edge, click Go. 3. Follow the instructions on the screens. The WAN Failover Setup Wizard includes these steps: Welcome: The first screen tells you abou...

Page 99: ...onds between pings and the number of seconds to wait for a reply in the correct fields. 6. Type the maximum number of pings before time-out in the No Reply Limit field. 7. Type the number of successful pi...

Page 100: ...1. Type the IP address, subnet mask, default gateway, primary DNS, secondary DNS, and DNS domain suffix into the related fields. If necessary, select the appropriate link speed from the drop-down list. If you...

Page 101: ...elect Modem (serial port). 2. Below Dial-Up Account Settings, use the drop-down list to select your ISP. We support these ISPs: Standard PPP, AT&T Worldnet, CompuServe 4.0, EarthLink, and MSN. 3. Type the telephon...

Page 102: ...NS server type, type its IP address in the Secondary DNS server field. 3. Click Submit, or select a different tab to change more settings. Dial-up settings: 1. In the Dial-up time-out field, enter the number...

Page 103: ...ault, the wireless features of your Firebox are disabled for more security. You must enable the wireless feature after you complete the Firebox X Edge Wireless Quick Setup wizard. To install the Firebox...

Page 104: ...less also uses switch functionality to connect other computers. To set up a wireless network, connect a computer with a Web browser to the Firebox X Edge Wireless with an Ethernet cable. Use this comput...

Page 105: ...dress bar and the IP address of the Edge trusted interface. The default URL is https://192.168.111.1. 2. From the navigation bar, select Network > Wireless 802.11g. The Wireless Configuration page appears with...

Page 106: ...ot enabled by default. If the wireless client has its wireless network card set with a static IP address, the IP address must be in the optional IP address range of the Edge. If the wireless network card...

Page 107: ...etwork cards send requests to see if there are wireless access points to which they can connect. To configure the Firebox X Edge Wireless to send and answer these requests, select the Broadcast SSID and...

Page 108: ...entation threshold: The Edge Wireless allows you to set the maximum frame size it can send without fragmenting the frame. This is called the fragmentation threshold. This setting is rarely changed. It is...

Page 109: ...o additional driver installation. If you use an earlier version of Windows or a different operating system, it can be necessary to install other drivers to use WPA-PSK. If you cannot use WPA-PSK, WatchGua...

Page 110: ...e shared key is the only WPA authentication method the Firebox X Edge supports at this time. Configuring encryption: From the Encryption drop-down list, select the level of encryption for your wireless c...

Page 111: ...authenticate as MUVPN clients. 1. To connect to the System Status page, type https:// in the browser address bar and the IP address of the Edge trusted interface. The default URL is https://192.168.111.1. 2. Fro...

Page 112: ...1.1. 2. From the navigation bar, select Network > Wireless 802.11g and click the Allowed Addresses tab. 3. Select the Restrict Access by Hardware Address check box. 4. Click Edit. 5. Type the MAC address of the...

Page 113: ...e wireless interface. Guest users can connect to all regular Firebox user computers on the wireless network, and Firebox users can connect to all guest user computers. If you host wireless access for peo...

Page 114: ...the guest account. Setting password protection: When a guest user connects to the wireless network using the Firebox X Edge Wireless as the wireless access point, you can make the user type a password...

Page 115: ...es. Connecting to the Firebox as a wireless guest: To log on as a wireless guest user, a user must open their Web browser and do one of these procedures: Type https:// in their browser address bar and the IP...

Page 116: ...wn lists. If necessary, clear the check box labeled The key is provided for me automatically and type the network key two times. 7. Click OK to close the Wireless Network Properties dialog box. 8. Click the...

Page 117: ...l traffic. These rules set the firewall actions for a service: Allow lets data or a connection through the Firebox. Deny stops data or a connection from going through the Firebox and sends a response to...

Page 118: ...m the optional network to the trusted network; From the external network to the optional network. Traffic through VPN tunnels: When you create a Mobile User VPN tunnel from remote users, or when you creat...

Page 119: ...into your trusted or optional network. You can also create custom services if you must allow traffic that is not in the list of frequently used services. You must be careful when you allow incoming se...

Page 120: ...of this FAQ: www.watchguard.com/support/Tutorials/stepsoho_blockoutservice.asp. 1. To connect to the System Status page, type https:// in the browser address bar and the IP address of the Edge trusted interf...

Page 121: ...for incoming traffic is necessary if: Incoming traffic does not use the same ports or protocols used by one of the common services; You restrict the IP addresses on the external network that can connec...

Page 122: ...which this service applies. Restrict to local computers: To put a limit on the scope of the service, add the IP addresses of the computers or networks inside the firewall to which this service applies. A...

Page 123: ...TCP or UDP port number. TCP is IP protocol number 6 and UDP is IP protocol number 17. If you use an IP protocol that is not TCP or UDP, you must enter its number. IP protocol numbers include 47 for GRE (G...

Page 124: ...on entering IP addresses in slash notation, see this FAQ: http://www.watchguard.com/support/advancedfaqs/general_slash.asp. 5. Click Add. The From box shows the host range, host IP address, or network IP addr...

Page 125: ...IP addresses that identify the computers on the external network that internal computers can connect to using this service. Network IP addresses must be entered in slash notation, also known as Classle...

Page 126: ...https:// in the browser address bar and the IP address of the Edge trusted interface. The default URL is https://192.168.111.1. 2. From the navigation bar, select Firewall > Outgoing. The Filter Outgoing Traffic...

Page 127: ...om services for outgoing traffic: A custom service for outgoing traffic is necessary if: You must allow outgoing traffic for a service that is not on the common service list; You must restrict the IP add...

Page 128: ...ide the firewall to which this service applies. Restrict to local computers: To put a limit on the scope of the service, add the IP addresses of the computers or networks inside the firewall to which thi...

Page 129: ...P port number. TCP is IP protocol number 6 and UDP is IP protocol number 17. If you use an IP protocol that is not TCP or UDP, you must enter its number. IP protocol numbers include 47 for GRE (Generic Ro...

Page 130: ...xamples of how you can use the optional network: You can use the optional network for servers that the external network can get to. This helps to protect the trusted network because no traffic is allowe...

Page 131: ...on bar, click Firewall > Optional. The Filter Outgoing Traffic to Optional Network page appears. 3. To allow all traffic from the trusted network, select Allow for the Outgoing service from the Filter drop-d...

Page 132: ...w all traffic between the trusted and optional networks: Select the Disable traffic filters check box to allow all incoming and outgoing traffic between the trusted and optional interfaces. NOTE: Wh...

Page 133: ...ess range. Use the IP address of the attacker or a range of hostile IP addresses to create a Blocked Site. To add a location to the Blocked Sites list: 1. From the navigation bar, click Firewall > Blocked Si...

Page 134: ...ss bar and the IP address of the Edge trusted interface. The default URL is https://192.168.111.1. 2. From the navigation bar, click Firewall > Options. The Firewall Options page appears. Responding to ping req...

Page 135: ...socket connection and uses the SOCKS version 5 protocol can send traffic through the Edge. SOCKS gives you secure two-way communication between a computer on the external network and a computer on the...

Page 136: ...open and not used by other software on the computer. 1. If you can identify a version, select SOCKS version 5. 2. Select port 1080. 3. Set the SOCKS proxy to the URL (uniform resource locator) or IP address of...

Page 137: ...dress of the external interface. Some ISPs use a MAC address to identify the computers on their network. Each MAC address gets one static IP address. If your ISP uses this method to identify your compute...

Page 138: ...text box, type the new MAC address for the Firebox X Edge external or failover network. 3. Click Submit. If the changes are successful, you must restart the Firebox. NOTE: If the field marked MAC addre...

Page 139: ...ous network activity. Log records can help you identify possible security problems. NOTE: The Firebox X Edge log is cleared if the power supply is disconnected or the Edge is restarted. To keep the info...

Page 140: ...tchGuard Log Server, previously known as the WatchGuard System Event Processor or WSEP, is a component of the WatchGuard System Manager. If you have a Firebox III, Firebox X Core, or Firebox X Peak config...

Page 141: ...ing check box. 4. In the Device Name field, type a name for the Firebox X Edge. This name lets the Log Server know which log messages come from which device. The Device Name appears in the Log Viewer. If th...

Page 142: ...nds the Firebox X Edge log messages to a syslog host. If you use a syslog host, you can set the Edge to send log messages to that host. Follow these instructions to configure a syslog host: 1. To connect t...

Page 143: ...rusted network. Use a VPN tunnel to increase the security of syslog message traffic. If the syslog messages go through a VPN tunnel, IPSec technology encrypts the data. Setting the System Time: For each lo...

Page 144: ...r daylight savings time check box. 4. To set the system time automatically, select the Use NTP to periodically automatically set system time option. To set the time manually, select the Set date and time m...

Page 145: ...o save your changes, skip to step 8. 6. If you set the system time manually, you must set the date and time separately. Select the month from the first drop-down list. Select the year from the second drop-d...

Page 146: ...Configuring Logging and System Time. 132 WatchGuard Firebox X Edge...

Page 147: ...igure local Firebox authentication Configure the Firebox to use LDAP or Active Directory authentication Allow internal hosts to bypass user authentication Seeing Current Sessions and Users A session i...

Page 148: ...gs Below Firebox Users Settings you can see the current values for all global user and session settings To get access to the configuration page for these settings click the Configure button to open th...

Page 149: ...interface The default URL is https://192.168.111.1 2 From the navigation bar select Firebox Users The Firebox Users page appears 3 Find the session in Active Sessions list Click the Close button To sto...

Page 150: ...information on the users you configured to use this Edge Name The name given to the user The Admin user is part of the default configuration and cannot be deleted Admin Level You can set the user per...

Page 151: ...ake connections from the trusted network to the optional network If you make users authenticate before they connect to the external network you can make sure that no user licenses are used by unautho...

Page 152: ...he configuration file Full Use this to see and to change Edge configuration properties You can also activate options disconnect active sessions restart the Edge and add or edit user accounts A user wh...

Page 153: ...work If you do not select this check box there is no user based control for access to the Internet or VPN tunnels Automatically prompt for login on Web access When this option is selected the authenti...

Page 154: ...session has been active Configuring MUVPN client settings The MUVPN client settings apply to all MUVPN connections to the Edge To configure MUVPN client settings 1 Use your browser to connect to the S...

Page 155: ...at support JavaScript but we do not support them 2 To connect to the System Status page type https in the browser address bar and the IP address of the Edge trusted interface The default URL is https...

Page 156: ...sers page Using Local Firebox Authentication When you create a local user for the Firebox X Edge you select the Administrative Access level for that user You select access control for the external net...

Page 157: ...he Description field type a description for the user This is for your information only A user does not use this description during authentication 7 In the Password field type a password with a minimum...

Page 158: ...he Session idle time out field set the length of time the computer can stay authenticated when it is idle not passing any traffic to the external network or across the Branch Office VPN or to the Fire...

Page 159: ...o enable MUVPN for a new user see Connecting and Disconnecting the MUVPN Client on page 207 The Administrator account The Firebox X Edge has a built in administrator account that cannot be deleted Yo...

Page 160: ...e default URL is https://192.168.111.1 2 From the navigation bar select Firebox Users The Firebox Users page appears 3 Below Local User Accounts click Edit for the account to change the password for The...

Page 161: ...file When users authenticate to the Firebox they prepend their LDAP domain name to their user name in the authentication dialog box domain\user name If you use an Active Directory authentication serve...

Page 162: ...he LDAP Authentication Service section is not active 4 In the Domain Name text box type the name of the LDAP domain Do not include the top level domain The domain or host name is the part of your comp...

Page 163: ...the directory For example a DN can look like this OU=user accounts,DC=mycompany,DC=com 10 If you select Generic LDAP as the LDAP server type you must enter a Login Attribute Name and Group Attribute...
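The two name formats these pages describe for LDAP and Active Directory authentication, handled in code. This is an added example, not WatchGuard code: it splits the "domain\user name" login the user types, parses a DN such as OU=user accounts,DC=mycompany,DC=com into its components, and derives the Domain Name field value (the DC components without the top-level domain, as the guide instructs). Treating a multi-label domain such as DC=corp,DC=mycompany,DC=com as "corp.mycompany" is this example's assumption; the names and DNs used are constructed.

```python
"""Login-name splitting and DN parsing for the Edge's LDAP/AD setup.

Added example, not WatchGuard code. Names and DNs are constructed.
"""
import re


def split_login(login):
    """Split 'domain\\user' into (domain, user).

    A login with no backslash belongs to no LDAP domain and comes back as
    ('', login). An empty domain or user part ('\\alice', 'corp\\') is
    rejected rather than silently treated as a local account.
    """
    domain, sep, user = login.partition("\\")
    if not sep:
        return "", login
    if not domain or not user:
        raise ValueError("malformed login name: %r" % login)
    return domain, user


# A comma that is not escaped with a backslash separates RDNs.
_RDN_SEPARATOR = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Parse a DN into a list of (attribute, value) pairs, most specific first.

    Backslash-escaped commas inside a value ("CN=Smith\\, John") stay part of
    the value; whitespace around separators is trimmed; attribute names are
    upper-cased for comparison. Multi-valued RDNs (a+b) are rejected and
    other escapes are left as written.
    """
    pairs = []
    for rdn in _RDN_SEPARATOR.split(dn):
        attr, eq, value = rdn.strip().partition("=")
        if not eq or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        if re.search(r"(?<!\\)\+", value):
            raise ValueError("multi-valued RDN not supported: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def ldap_domain_name(dn):
    """Value for the Edge's Domain Name field derived from a DN: the DC
    components joined with dots, minus the top-level domain, which the guide
    says to leave out. 'DC=mycompany,DC=com' -> 'mycompany' (assumption:
    'DC=corp,DC=mycompany,DC=com' -> 'corp.mycompany')."""
    dcs = [value for attr, value in parse_dn(dn) if attr == "DC"]
    if len(dcs) < 2:
        raise ValueError("DN has too few domain components to derive a domain")
    return ".".join(dcs[:-1])


if __name__ == "__main__":
    print(split_login("mycompany\\alice"))
    print(parse_dn("OU=user accounts,DC=mycompany,DC=com"))
    print(ldap_domain_name("OU=user accounts,DC=mycompany,DC=com"))
```

The strictness in split_login matters for the "Require user authentication" case: a malformed name should fail the login, not fall through to a local-account lookup.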

Page 164: ...does not belong to any group configured on the Edge You can change the properties of the default group but you cannot delete the default group If a user belongs to more than one group the privileges f...

Page 165: ...inistrative access to assign to the group You can select None The members of the group have no access to Firebox X Edge administration functions Read only The members of this group can see but not cha...

Page 166: ...d select a profile from the drop down list You must first create WebBlocker profiles in the WebBlocker Profiles area of the Edge s configuration pages If no profile is assigned the users in this group...

Page 167: ...gation bar select Firebox Users Trusted Hosts The Firebox Users Trusted Hosts page appears 2 In the Host IP Address text box type the IP address of the computer on your trusted or optional network to...

Page 169: ...eature How WebBlocker Works WebBlocker uses a database of web site addresses controlled by SurfControl a web filter company When a user on your network tries to connect to a web site the Firebox X Ed...

Page 170: ...cess password Set the inactivity time out Set a rule for the Firebox action if the Firebox X Edge cannot connect to the WebBlocker server Set a rule for the Firebox action if the WebBlocker license ex...

Page 171: ...word in the Full Access Password field The full access password gives access to all web sites until the inactivity timeout is reached or until an authenticated user logs out 5 Type the same password a...

Page 172: ...s drop down list to select if the Firebox is to allow or deny all web traffic if the WebBlocker subscription expires If the WebBlocker subscription is renewed the Firebox will keep the previous config...

Page 173: ...han for other employees It is not necessary to create WebBlocker profiles if you use one set of WebBlocker rules for all of your users After you create profiles you can apply them when you set up Fire...

Page 174: ...ategory name For more information on categories see the next section If you select the check box adjacent to a category group it automatically selects all of the categories in that group If you clear...

Page 175: ...is added to a category when the contents of the web site meet the correct criteria Web sites that give opinion or educational material about the subject matter of the category are not included For exa...

Page 176: ...re sexually explicit in nature Naturist sites that feature nudity Erotic or fetish photography which depicts nudity Advertisements Banner Ad servers Pop up advertisements Adware Arts Entertainment T...

Page 177: ...lagiarism and cheating including the sale of research papers Drugs Alcohol Tobacco Recipes instructions or kits for manufacturing or growing illicit substances including alcohol for purposes other tha...

Page 178: ...ants cafes eateries pubs and bars Food drink magazines and reviews Gambling Online gambling or lottery web sites that invite the use of real money Information or advice for placing wagers participatin...

Page 179: ...of equipment and or software for purpose of hacking passwords creating viruses or gaining access to other computers and or computerized communication systems Sites that provide instruction or work aro...

Page 180: ...ommission of felonious criminal acts which has a common name or identifying sign or symbol and whose members individually or collectively engage in criminal activity in the name of the group A cult is...

Page 181: ...h Career Development Employment agencies contractors job listings career information Career searches career networking groups Kids Sites Child centered sites and sites published by children Lifestyle...

Page 182: ...ynagogues and other houses of worship Any faith or religious beliefs including non traditional religions such as Wicca and witchcraft Remote Proxies Remote proxies or anonymous surfing Web based transl...

Page 183: ...ional scores and schedules Sports related online magazines or newsletters Fantasy sports and virtual sports leagues that are free or low cost Streaming Media Streaming media files or events any live o...

Page 184: ...fensive or violent language including through jokes comics or satire Excessive use of profanity or obscene gesticulation Note We do not block news historical or press incidents that may include the ab...

Page 185: ...er feature only applies to web sites on the Internet You cannot use WebBlocker to block your users from web sites behind the Firebox 1 From the navigation bar select WebBlocker Allowed Sites The WebBl...

Page 186: ...tes list 5 Click Submit To remove an item from the Allowed Sites list select the address and click Remove then click Submit Blocking Additional Web Sites You can block some web sites that WebBlocker a...

Page 187: ...cess to the Playboy web site select to add a domain name and enter playboy.com If the site has a subdomain that resolves to a different IP address you must enter that subdomain to deny it For example...
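The caveat on page 187 (a blocked domain does not cover a subdomain that resolves to a different address) modelled as code. This is an added example, not WatchGuard code: it assumes a domain-name entry is resolved to addresses when it is added and that requests are then matched on the destination address, which is the behaviour the caveat implies; how the Edge stores entries internally is not described on the page. Entries given as an IP address or a network in slash notation are this example's assumption as well; check the Edge's Blocked Sites page for the entry types it accepts. The DNS table uses constructed documentation addresses, not real records.

```python
"""Blocked Sites matching with the subdomain caveat from the WebBlocker chapter.

Added example, not WatchGuard code. The DNS table is constructed.
"""
import ipaddress

# Constructed DNS answers for the example (RFC 5737 documentation ranges).
DNS_TABLE = {
    "playboy.com": ["192.0.2.10", "192.0.2.11"],
    "www.playboy.com": ["192.0.2.10"],      # shares an address with the apex
    "shop.playboy.com": ["198.51.100.7"],   # resolves somewhere else
    "example.org": ["203.0.113.5"],
}


def resolve(hostname):
    """Look up a name in the constructed table; case and trailing dot ignored."""
    return DNS_TABLE.get(hostname.lower().rstrip("."), [])


class BlockedSites:
    """Blocked Sites list: entries are a host IP, a network, or a domain name.

    Domain entries are turned into the addresses they resolve to at the time
    they are added, which is exactly why a subdomain with its own address
    slips through until it gets its own entry.
    """

    def __init__(self):
        self.hosts = set()     # ipaddress objects from IP and domain entries
        self.networks = []     # ipaddress network objects
        self.entries = []      # what the administrator typed, for display

    def add_ip(self, address):
        self.hosts.add(ipaddress.ip_address(address))
        self.entries.append(("ip", address))

    def add_network(self, cidr):
        self.networks.append(ipaddress.ip_network(cidr, strict=False))
        self.entries.append(("network", cidr))

    def add_domain(self, name):
        addresses = resolve(name)
        if not addresses:
            # An unresolvable entry would block nothing; say so instead of
            # silently accepting it.
            raise LookupError("cannot resolve %r" % name)
        for address in addresses:
            self.hosts.add(ipaddress.ip_address(address))
        self.entries.append(("domain", name))

    def address_is_blocked(self, address):
        ip = ipaddress.ip_address(address)
        return ip in self.hosts or any(ip in net for net in self.networks)

    def is_blocked(self, hostname):
        """Would a request to this host be denied? The request goes to the
        address the name resolves to, so that is what is checked."""
        return any(self.address_is_blocked(a) for a in resolve(hostname))


if __name__ == "__main__":
    sites = BlockedSites()
    sites.add_domain("playboy.com")
    for host in ("playboy.com", "www.playboy.com", "shop.playboy.com"):
        print(host, "blocked" if sites.is_blocked(host) else "allowed")
```

The third line of the demo output is the case the guide warns about: shop.playboy.com stays reachable until it is added as its own entry, and any subdomain that later moves to a new address needs the same treatment.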

Page 188: ...r select Firebox Users Trusted Hosts The Firebox Users Trusted Hosts page appears 2 In the Host IP Address text box type the IP address of the computer on your trusted or optional network to allow to...

Page 189: ...of the message can read it About This Chapter This chapter starts with a section that tells you the basic requirements for your Firebox X Edge to create a VPN Start with What You Need to Create a VPN...

Page 190: ...and a second device that uses IPSec standards Examples of these devices are a Firebox III Firebox X Core Firebox X Peak or a Firebox SOHO 6 You must enable the VPN option on the other device if it is...

Page 191: ...esses from the Edge using DHCP If you want to give the computers IP addresses of WINS and DNS servers on the other side of the VPN you can type those addresses into the DHCP settings in the trusted ne...

Page 192: ...from the Management Server To configure a Firebox X Edge to allow WatchGuard System Manager access for the creation of VPN tunnels see Setting up WatchGuard System Manager Access on page 46 Manual V...

Page 193: ...ch end of the tunnel MD5 or SHA1 Each VPN device must use the same authentication method We recommend that you write down your Firebox X Edge configuration and the related information for the other d...

Page 194: ...ses in slash notation see this FAQ https://www.watchguard.com/support/advancedfaqs/general_slash.asp You Site A 192.168.111.0/24 Site B 192.168.222.0/24 Shared Key The shared key is a passphrase used by...

Page 195: ...e Add Gateway page appears 4 Type the tunnel name and shared key The tunnel name is for your identification only The shared key is a passphrase that the devices use to encrypt and decrypt the data on...

Page 196: ...f your Firebox X Edge or remote VPN device has a static external IP address set the local ID type to IP Address Type the external IP address of the Edge or device as the local ID If your Firebox X Edg...

Page 197: ...at regular intervals This helps the two devices to see if the tunnel is up If the Keep Alive packets get no response after three tries the Firebox X Edge starts the tunnel again NOTE The IKE Keep...

Page 198: ...Dynamic DNS Service on page 81 In the Phase 1 settings of the Manual VPN set the local ID type to Domain Name Enter the DynDNS domain name as the Local ID The remote device must identify your Edge by...

Page 199: ...urces 4 Type the number of kilobytes and the number of hours until the Phase 2 key expires To make the key not expire enter zero 0 For example 24 hours and zero 0 kilobytes means that the Phase 2 key...
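Two tunnel-maintenance rules from pages 197 and 199, modelled in code: the IKE Keep-Alive rule (restart the tunnel once three probes in a row get no reply) and the Phase 2 key lifetime (a kilobyte limit and an hour limit, where 0 switches that limit off and 0 for both means the key never expires). This is an added example, not WatchGuard firmware; the probe sequences and traffic figures are constructed.

```python
"""Keep-Alive retry rule and Phase 2 key lifetime from the Manual VPN pages.

Added example, not WatchGuard firmware. Inputs below are constructed.
"""


def phase2_key_expired(kb_limit, hour_limit, kb_used, hours_elapsed):
    """True once any configured limit is reached.

    A limit of 0 disables that limit, so (0 kilobytes, 24 hours) rekeys on
    time only and (0, 0) never rekeys. A never-expiring key is the weak
    setting here: keep at least the time limit in place.
    """
    if kb_limit < 0 or hour_limit < 0:
        raise ValueError("lifetime limits cannot be negative")
    by_bytes = kb_limit > 0 and kb_used >= kb_limit
    by_time = hour_limit > 0 and hours_elapsed >= hour_limit
    return by_bytes or by_time


class KeepAliveMonitor:
    """Tracks Keep-Alive replies; after MAX_MISSED consecutive silent probes
    the tunnel is restarted and the counter starts over. A single reply
    resets the count, so intermittent loss does not accumulate."""

    MAX_MISSED = 3

    def __init__(self):
        self.missed = 0
        self.restarts = 0

    def probe(self, got_reply):
        """Record one probe result; return True if it triggered a restart."""
        if got_reply:
            self.missed = 0
            return False
        self.missed += 1
        if self.missed >= self.MAX_MISSED:
            self.missed = 0
            self.restarts += 1
            return True
        return False

    def run(self, replies):
        """Feed a sequence of probe results; return the indexes that caused a restart."""
        return [i for i, reply in enumerate(replies) if self.probe(reply)]


if __name__ == "__main__":
    print(phase2_key_expired(0, 24, 500_000, 24))          # time limit reached
    print(phase2_key_expired(0, 0, 10**9, 10**6))          # never expires
    print(KeepAliveMonitor().run([True, False, False, True, False, False, False]))
```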

Page 200: ...o the specified host Use the IP address of a host that is always online and can respond to ping messages You can enter the trusted interface IP address of the Firebox that is at the other end of the t...

Page 201: ...ics page To see the VPN Statistics page 1 To connect to the System Status page type https in the browser address bar and the IP address of the Edge trusted interface The default URL is https://192.168.1...

Page 202: ...e Firebox X Edge For example at Site A ping the IP address of Site B If the ping packet does not come back make sure the external network settings of Site B are correct Site B must be configured to re...

Page 203: ...Frequently Asked Questions User Guide 189 a Firebox X Edge Model Upgrade from a reseller or from the WatchGuard Web site http://www.watchguard.com/products/purchaseoptions.asp...

Page 205: ...used The MUVPN client software is installed on a remote computer The remote user imports a configuration file wgx file to configure the client software The user connects to the Internet with the remo...

Page 206: ...this wgx configuration file from the Edge You must also download the MUVPN installation program from the WatchGuard support site Read the section Distributing the Software and the wgx File on page 19...

Page 207: ...nly so that the user cannot change the security policy file by default select the Make the MUVPN client security policy read only check box Set how the virtual adapter operates on the client Disabled...

Page 208: ...ettings see Configuring MUVPN client settings on page 140 Enabling MUVPN access for a Firebox user account 1 Add a new Firebox user or edit a Firebox user as described in Using Local Firebox Authentic...

Page 209: ...will send all its traffic including usual Web traffic through the VPN tunnel to the Firebox X Edge This can also let the MUVPN client connect with other networks that the Firebox X Edge connects to If...

Page 210: ...profile or wgx file Get the MUVPN installation files from the WatchGuard Web site You must log in to the LiveSecurity Service at http://www.watchguard.com/support to download the software After you log...

Page 211: ...e mail Because e mail is not secure an unauthorized user can get the shared key Give the user the shared key by telling it to the user or by some other method that does not allow an unauthorized pers...

Page 212: ...virtual adapter the WINS and DNS server IP addresses are assigned to the remote computer when the VPN tunnel is created If the MUVPN client does not use the virtual adapter the remote computer must h...

Page 213: ...ter must be able to contact the WINS servers and the DNS servers These servers are found on the trusted network that is protected by the Firebox X Edge From the Windows desktop 1 Select Start Settings...

Page 214: ...enabled To enable a component click the adjacent check box If a component is not installed follow the instructions to install it Internet Protocol TCP IP File and Printer Sharing for Microsoft Network...

Page 215: ...ndow Networking tab 1 Select the Internet Protocol TCP IP component and click Properties The Internet Protocol TCP IP Properties window appears 2 Click Advanced The Advanced TCP IP Settings window app...

Page 216: ...ol Panel window appears 2 Double click the Network Connections icon 3 Right click the connection you use to get Internet access and select Properties The connection properties window appears 4 Make su...

Page 217: ...network component The Select Network Protocol window appears 3 Select the Client for Microsoft Networks network client and click OK Configuring the WINS and DNS settings The remote computer must be ab...

Page 218: ...r in the related field and click Add To add more WINS servers repeat steps 11 and 12 13 Click OK to close the Advanced TCP IP Settings window Click OK to close the Internet Protocol TCP IP Properties...

Page 219: ...ing the installation The command prompt can stay for more than one minute This is usual After the file is installed the command window closes automatically and the installation continues 11 After the...

Page 220: ...The Confirm File Deletion dialog box appears 8 Click OK to remove all of the components A command prompt window appears during the procedure This is usual After the file is removed the command prompt...

Page 221: ...tive right click the icon and select Activate Security Policy For information about the MUVPN icon see The MUVPN client icon on page 207 2 From the Windows desktop select Start Programs Mobile User VP...

Page 222: ...bar on the right of the icon tells you that the client is sending data that is not secure Activated Connected and Transmitting Secured Data The MUVPN client started one or more secure MUVPN tunnels T...

Page 223: ...t time I use this program check box then click Yes This option makes the ZoneAlarm personal firewall allow Internet access for this program each time you start a MUVPN connection Disconnecting the MUV...

Page 224: ...diagnostic information for connections in the security policy This window shows the security policy settings and the security association SA information The monitor records the information that app...

Page 225: ...oneAlarm you frequently see New Program alert windows This alert appears when a software application tries to get Internet or local network access This alert stops data from your computer without your...

Page 226: ...tart Programs Zone Labs Uninstall ZoneAlarm The Confirm Uninstall dialog box appears 2 Click Yes The ZoneLabs TrueVector service dialog box appears 3 Click Yes The Select Uninstall Method window appea...

Page 227: ...n and instead use weaker Wired Equivalent Privacy WEP to secure the data that goes through the airwaves You can increase the security of your wireless network when you make the wireless computer users...

Page 228: ...tunnel 0.0.0.0/0 IP Subnet in the Firebox user s MUVPN setup 2 To allow a Firebox user to connect to all networks through the VPN tunnel select the check box All traffic uses tunnel 0.0.0.0/0 IP Subn...

Page 229: ...irebox X Edge Certificates are not supported on the Edge NAT Traversal is supported on the Edge You may have to disable NAT Traversal on the Pocket PC because of differences in how this protocol is im...

Page 230: ...VPN setup Troubleshooting Tips You can get more information about the MUVPN client from the WatchGuard Web site http://www.watchguard.com/support Here are the answers to some frequently asked questions...

Page 231: ...our computer from sending its network information This prevents your computer from sending the login information Make sure you turn off ZoneAlarm each time you disconnect the MUVPN connection Is the M...

Page 232: ...a password when I am browsing the company network Because of a Windows networking limitation remote user VPN products can allow access only to a single network domain If your company has more than on...

Page 233: ...mall organizations and branch offices The WatchGuard Firebox X Edge Wireless can connect to computers with a wireless network interface card Package Contents and Specifications The Firebox X Edge pac...

Page 234: ...the cable and connect to the side of the Edge This decreases the tension on the power cable One straight through cable Wall mount plate wireless models only Two antennae wireless models only Processo...

Page 235: ...interface The bottom indicator light in each pair comes on when the link speed is 100 Mbps If the bottom indicator light does not come on the link speed is 10 Mbps WAN 1 2 Shows a physical connection...

Page 236: ...e indicator light does not come on Status Shows a management connection to the Edge The indicator light goes on when you use your browser to connect to the Edge configuration pages The indicator light...

Page 237: ...es are for external networks Power input We supply a 12 volt AC adapter with your Edge Connect the AC adapter to the Edge and to a power source The power supply tip is plus polarity Side panels Comput...

Page 238: ...it is affected by background noise caused by the ambient temperature of the atmosphere at the frequency range of the system Also the operating temperature of the components of the 802.11g/b receiver...

Page 239: ...signal attenuation path loss The distance is the line of sight distance between the transmitter and the receiver The wavelength is the speed of light divided by the frequency Higher frequency signals...
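Numbers for the path-loss discussion on page 239, as an added example that is not from the guide. The page gives the ingredients (line-of-sight distance, wavelength as speed of light divided by frequency); the free-space path loss formula itself, 20 log10(4 pi d / lambda) in dB, is the standard Friis result and is not stated on the page. The link-budget figures (transmit power, antenna gains, receiver sensitivity) are constructed, and the model ignores walls, cable loss and fading, so it gives an upper bound on range rather than a prediction.

```python
"""Free-space path loss and a minimal link budget for the 802.11g/b Edge.

Added example, not from the guide. Formula is Friis free-space loss;
link-budget figures are constructed.
"""
import math

SPEED_OF_LIGHT = 299_792_458.0  # metres per second


def wavelength_m(frequency_hz):
    """Wavelength = speed of light / frequency, as the guide states."""
    return SPEED_OF_LIGHT / frequency_hz


def free_space_path_loss_db(distance_m, frequency_hz):
    """Loss between isotropic antennas with a clear line of sight, in dB.

    Doubling the distance or the frequency adds about 6 dB, which is why
    a 5 GHz link loses more than a 2.4 GHz link over the same path.
    """
    if distance_m <= 0 or frequency_hz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 20 * math.log10(4 * math.pi * distance_m / wavelength_m(frequency_hz))


def received_power_dbm(tx_power_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, frequency_hz):
    """Transmit power plus antenna gains minus path loss (free space only)."""
    return (tx_power_dbm + tx_gain_dbi + rx_gain_dbi
            - free_space_path_loss_db(distance_m, frequency_hz))


def link_closes(tx_power_dbm, tx_gain_dbi, rx_gain_dbi, rx_sensitivity_dbm,
                distance_m, frequency_hz):
    """True when the received level is at or above the receiver sensitivity."""
    return received_power_dbm(tx_power_dbm, tx_gain_dbi, rx_gain_dbi,
                              distance_m, frequency_hz) >= rx_sensitivity_dbm


def max_line_of_sight_range_m(tx_power_dbm, tx_gain_dbi, rx_gain_dbi,
                              rx_sensitivity_dbm, frequency_hz):
    """Largest free-space distance at which the link still closes:
    invert the loss formula for the available budget in dB."""
    budget_db = tx_power_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm
    return wavelength_m(frequency_hz) / (4 * math.pi) * 10 ** (budget_db / 20)


if __name__ == "__main__":
    # Constructed figures: 15 dBm radio, 2 dBi Edge antenna, 0 dBi laptop
    # antenna, -80 dBm sensitivity at a mid-rate 802.11g modulation.
    for metres in (10, 100, 1000):
        print(metres, "m:", round(free_space_path_loss_db(metres, 2.4e9), 1), "dB")
    print("max range:", round(max_line_of_sight_range_m(15, 2, 0, -80, 2.4e9)), "m")
```

The per-modulation sensitivity is the knob that page 241 alludes to: a lower data rate tolerates a weaker signal, so the same budget reaches further at a slower rate.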

Page 240: ...tomatically selects the antenna that receives the stronger signal Laptop computers usually have one antenna and have signal loss because of antenna position Because of this the Firebox X Edge can rece...

Page 241: ...About IEEE 802.11g/b Wireless User Guide 227 cent When a different modulation scheme is selected the data rate changes...

Page 243: ...registered trademarks of Netscape Communications Corporation in the United States and other countries RealNetworks RealAudio and RealVideo are either a registered trademark or trademark of RealNetwork...

Page 244: ...Young eay@cryptsoft.com This product includes software written by Tim Hudson tjh@cryptsoft.com 1995 2003 Eric Young eay@cryptsoft.com All rights reserved This package is an SSL implementation written...

Page 245: ...and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the followi...

Page 246: ...BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OPENLDAP FOUNDATION ITS CONTRIBUTORS OR THE AUTHOR S OR OWNER S O...

Page 247: ...de reasonable protection against harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy and if not install...

Page 248: ...ay cause undesired operation of the device France NOTE In France this product may be installed and operated only indoors and only on channels 10 11 12 13 as defined by IEEE 802.11g/b The use...

Page 249: ...Certifications and Notices User Guide 235 Taiwanese Notices...

Page 250: ...236 WatchGuard Firebox X Edge Declaration of Conformity...

Page 251: ...sible for returning the Product and for all costs of shipping and handling Repair or replacement of the Product shall not extend the Warranty Period Any Product component part or other item replaced b...

Page 252: ...hall be modified or partially enforced to the maximum extent permitted by law to effectuate the purpose of this Warranty This is the entire agreement between WatchGuard and you relating to the Product...

Page 253: ...ernal Network check box 144 Allow access to VPN check box 144 Allowed Sites pages 171 antenna directional gain 225 authentication See user authentication B bandwidth described 2 Blocked Sites page 119...

Page 254: ...ions setting on the optional network 75 setting on the trusted network 69 DHCP Address Reservations page 70 76 DHCP relay configuring the optional network 76 configuring the trusted network 70 DHCP se...

Page 255: ...y default settings described 41 resetting to 42 failover network See WAN failover feature key described 26 File and Printer Sharing for Microsoft Networks and Windows XP 203 File and Printer Sharing f...

Page 256: ...ewall Options page 120 Firewall page described 35 subpages of 36 firewalls described 8 H hardware description 221 223 hardware operating specifications 223 hardware specifications 220 HTTP proxy setti...

Page 257: ...lights on front panel 221 LiveSecurity Service and software updates 52 registering with 26 Local Area Network LAN described 2 Log Authentication Events check box 93 log messages contents of 125 viewi...

Page 258: ...g 206 MUVPN Clients upgrade 56 MUVPNs and wgx files 196 enabling access for users 194 monitoring with Connection Monitor 210 monitoring with Log Viewer 210 system requirements for 197 using on wireless...

Page 259: ...ork Configuration page 73 74 75 77 options model upgrade 56 MUVPN Clients 56 seat license upgrade 56 WAN failover 56 WebBlocker 56 P package contents 11 packets described 4 pages Add Gateway 181 Add R...

Page 260: ...cs 187 WAN Failover 85 WatchGuard Security Event Processor Logging 127 WebBlocker 38 WebBlocker Settings 157 159 Wireless Network Configuration 91 passphrases described 143 146 path loss 225 Perfect F...

Page 261: ...Access Services installing 198 RESET button 222 resetting to factory default 42 Restrict Access by Hardware Address check box 98 routes configuring static 78 viewing 33 Routes page 78 S seat licenses...

Page 262: ...21 described 121 disabling 122 software updates 52 SSID Service Set Identifier 92 static IP addresses and VPNs 187 described 14 obtaining 188 static routes making 78 removing 79 subnet mask 14 SurfCon...

Page 263: ...figuration page 68 69 71 134 U UDP User Datagram Protocol 3 Uniform Resource Locator URL 6 updating software 40 upgrade options activating 54 upgrade options viewing status of 32 Upgrade page 55 user...

Page 264: ...ooting connections 188 viewing statistics 187 what you need to create 176 W wall mounting plate 223 WAN Failover and DNS settings 88 configuring 83 described 56 83 using broadband connection for 85 us...

Page 265: ...ing Internet Protocol TCP IP Network Component on 202 preparing for MUVPN clients 202 WINS and DNS settings configuring 199 201 wireless card configuring 101 wireless communication antenna directional...

Page 266: ...252 WatchGuard Firebox X Edge Z ZoneAlarm allowing traffic through 211 described 191 211 icon for 209 shutting down 212 uninstalling 212...
