WatchGuard® Firebox® SOHO 6 User Guide
Using this Guide

To use this guide you need to be familiar with your computer’s operating system. If you have questions about navigating in your computer’s environment, please refer to your system user manual. The following conventions are used in this guide.

Convention: Bold type. Indication: Menu commands, dialog box options, Web page options, Web page names. For example: “On the System Information page, select Disabled.”
Convention: NOTE. Indication: Important information, a helpful tip or additional instructions.
Certifications and Notices

FCC Certification

This appliance has been tested and found to comply with limits for a Class A digital appliance, pursuant to Part 15 of the FCC Rules. Operation is subject to the following two conditions:
• This appliance may not cause harmful interference.
• This appliance must accept any interference received, including interference that may cause undesired operation.
VCCI Notice
Class A ITE
Declaration of Conformity
WATCHGUARD SOHO SOFTWARE END-USER LICENSE AGREEMENT

IMPORTANT - READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE

This WatchGuard SOHO Software End-User License Agreement ("EULA") is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc.
archival purposes only. 3. Prohibited Uses.
Limitation of Liability. WATCHGUARD'S LIABILITY (WHETHER IN CONTRACT, TORT, OR OTHERWISE; AND NOTWITHSTANDING ANY FAULT, NEGLIGENCE, STRICT LIABILITY OR PRODUCT LIABILITY) WITH REGARD TO THE SOFTWARE PRODUCT WILL IN NO EVENT EXCEED THE PURCHASE PRICE PAID BY YOU FOR SUCH PRODUCT. THIS WILL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY.
No change or modification of this EULA will be valid unless it is in writing, and is signed by WATCHGUARD. Notice to Users Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.
The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license. The detailed license information follows. Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Contents

Introduction .......... 1
The Package Contents .......... 2
How Does a Firewall Work? .......... 3
How Does Information Travel on the Internet? .......... 4
IP addresses .......... 4
Protocol .......... 4
Port numbers ..........
Disable the HTTP proxy setting of your Web browser .......... 14
Enable your computer for DHCP .......... 16
Physically connect the SOHO 6 .......... 18
Cabling the SOHO 6 for one to four appliances .......... 19
Cabling the SOHO 6 for more than four computers .......... 20
SOHO 6 Basics .......... 23
The SOHO 6 Home Page—System Status .......... 23
Default Factory Settings ..........
Configure the Dynamic DNS Service .......... 43
Configure OPT Port Upgrades .......... 44
Configure Dual ISP Port .......... 44
Configure VPNforce™ Port .......... 47
Administrative Options .......... 51
The System Security Page .......... 52
System management .......... 52
SOHO Remote Management ..........
Configure Logging .......... 75
View SOHO 6 Log Messages .......... 76
Set up Logging to a WatchGuard Security Event Processor Log Host .......... 77
Set up Logging to a Syslog Host .......... 79
Set the System Time .......... 80
CHAPTER 7 VPN—Virtual Private Networking .......... 83
Why Create a Virtual Private Network? .......... 83
What You Need ..........
WebBlocker Categories .......... 103
CHAPTER 10 Support Resources .......... 107
Troubleshooting Tips .......... 107
General .......... 107
Configuration .......... 111
VPN Management ..........
Index .......... 117
CHAPTER 1 Introduction

Welcome

Congratulations on purchasing the ideal solution for providing secure access to the Internet: the WatchGuard® Firebox® SOHO 6 or SOHO 6tc security appliance.
This User Guide is for both the SOHO 6 and the SOHO 6tc; the name SOHO 6 refers to both appliances throughout this guide. The only difference between them is the ability to create and use a Virtual Private Network (VPN). The VPN option is a separate upgrade for the SOHO 6, while the SOHO 6tc comes with the VPN option preinstalled. Your new SOHO 6 provides peace of mind when connecting to the Internet using a high-speed cable or DSL modem, a leased line, or ISDN.
How Does a Firewall Work?

Fundamentally, a firewall is a way of distinguishing between, as well as protecting, “us” and “them”. On the external side of your SOHO 6 firewall is the entire Internet. The Internet offers many resources such as the Web, email, and video/audio conferencing. It also presents dangers to the privacy and security of your computer. On the trusted side of your SOHO 6 firewall are all the appliances you want to protect from these dangers.
and the trusted network (your computer) and blocks any suspicious activity.

How Does Information Travel on the Internet?

All information transported over the Internet is packaged in a special manner to ensure that it travels from one computer to the next. The program responsible for this task is known as TCP/IP. TCP (Transmission Control Protocol) manages the assembly and reassembly of data, for example an email message or program file, into smaller chunks of data called packets.
Port numbers

The port numbers are used by computers at both the sending and receiving end to determine the particular program or application for each connection.

How Does the SOHO 6 Process Information?

Services

A service is the combination of protocol(s) and port numbers associated with a specific program or application type. To simplify configuration of your SOHO 6, WatchGuard-configured versions of several common services are available for your use.
the external address of the SOHO 6. When a hacker tries to violate the computer, they are stopped at the SOHO 6, never learning the true address of your computer.

The SOHO 6 Hardware Description

The SOHO 6 has significant improvements to the hardware platform from those of previous SOHO models.

Faster Processor

The SOHO 6 has a new network processor running at a speed of 150 MHz. It also includes built-in Ethernet and encryption technology.
Status
When illuminated, this light indicates that a management connection has been made.

Link
The link indicator illuminates when there is a good physical connection to any of the numbered (0-3) interfaces of the trusted network. The link indicator blinks when traffic is passing through the interface.

100
When a trusted network interface runs at 10 Mb, the 100 indicator is not illuminated. When the network interface runs at 100 Mb, the 100 indicator is yellow.
The SOHO 6 has six Ethernet ports, a reset button, and a power input located on the rear of the appliance. The following photograph shows the entire rear view.

OPT port
This Ethernet port corresponds to the Optional interface. This interface is activated when you purchase the Dual ISP Port upgrade or VPNforce™ Port upgrade. For more information on the Dual ISP Port and VPNforce Port upgrade, see “Configure OPT Port Upgrades” on page 44.
NOTE The OPT port is only available if you purchase the Dual ISP Port or VPNforce Port upgrades. You cannot use the OPT port as another Ethernet port on the Trusted network.

RESET button
Using the reset button, you can return the SOHO 6 to the factory defaults. For more information on performing this function, see “Reset a SOHO 6 to factory default” on page 26.
CHAPTER 2 Installation

This chapter explains how to install the SOHO 6 into your network. You must complete the following steps:
• Review and record your current TCP/IP settings
• Disable the HTTP proxy setting of your Web browser
• Enable your computer for DHCP
• Physically connect the SOHO 6 to your network
For a quick summary of this information, see the Firebox SOHO 6 QuickStart Guide included with your SOHO 6.
Before You Begin

Before installing your new SOHO 6, be certain that you have the following items:
• A 10/100BaseT Ethernet I/O network card installed in your computer.
• A cable or DSL modem with a 10/100BaseT port or an ISDN router. This is unnecessary if you connect to the Internet using a LAN connection.
• Two Ethernet network cables with RJ45 connectors. These must not be “crossover cables” (often red or orange). One cable is furnished with your SOHO 6.
2 At the default prompt, type ipconfig/all, then press Enter.
3 Enter the TCP/IP settings in the chart provided below.
4 Click Cancel.

Microsoft Windows NT
1 Click Start => Programs => Command Prompt.
2 At the default prompt, type ipconfig/all, then press Enter.
3 Enter the TCP/IP settings in the chart provided below.
4 Click Cancel.

Microsoft Windows 95 or 98 or ME
1 Click Start => Run.
2 Type: winipcfg. Click OK.
3 Select the “Ethernet Adapter.
3 Exit the TCP/IP configuration screen.

TCP/IP Setting            Value
IP Address                ___.___.___.___
Subnet Mask               ___.___.___.___
Default Gateway           ___.___.___.___
DHCP Enabled              Yes / No
DNS Server(s) Primary     ___.___.___.___
DNS Server(s) Secondary   ___.___.___.___

NOTE If you are connecting more than one computer to the trusted network behind the SOHO 6, determine the TCP/IP settings for each computer.
To disable the HTTP proxy in three commonly used browsers, see the instructions below. If your browser is not listed, see your browser Help menus to learn how to disable the HTTP proxy settings.

Netscape 4.7
1 Open Netscape.
2 Click Edit => Preferences.
3 From among the categories listed on the left hand side of the window, click the + symbol before the Advanced heading to expand the list.
4 Click Proxies.
5 Verify that the Direct Connection to the Internet option is enabled.
Internet Explorer 5.0, 5.5, and 6.0
1 Open Internet Explorer.
2 Click Tools => Internet Options.
The Internet Options window appears.
3 Click the Advanced tab.
4 Scroll down the page to HTTP 1.1 Settings.
5 Disable all checkboxes.
6 Click OK to save the settings.
4 Click Properties.
The network connection Properties dialog box appears.
5 Double click the Internet Protocol (TCP/IP) component.
The Internet Protocol (TCP/IP) Properties dialog box appears.
6 Select Obtain an IP address automatically. Select Obtain DNS server address automatically.
7 Click OK to close the Internet Protocol (TCP/IP) Properties dialog box. Click OK again to close the network connection Properties dialog box. Click Close to close the network connection dialog box. Close the Control Panel window.

Physically connect the SOHO 6

Your SOHO 6 protects a single computer or a multi-computer network.
Cabling the SOHO 6 for one to four appliances

Each of the Trusted Network ports (numbered 0-3) is able to connect to a variety of appliances. These include computers, printers, scanners, or other network peripherals. Use your SOHO 6 to replace an existing hub if you have no more than four appliances to connect.
1 Shut down your computer.
numbered, Ethernet ports (labeled 0-3) on the SOHO 6. Connect the other end into the Ethernet port of your computer.
The SOHO 6 is now connected to the Internet and your computer.
4 If you connect to the Internet using a DSL/cable modem, restore the power to this device.
When the indicator lights of the modem stop flashing, the modem is ready for use.
5 Attach the AC adapter to the SOHO 6 and connect it to a power source.
6 Restart your computer.
The SOHO 6 ships with a “10-seat” license. In other words, the SOHO 6 allows up to ten computers on a network behind the SOHO 6 to access the Internet. More than ten computers can exist on the network and communicate with each other, but only the first ten that attempt to access the Internet are allowed through the SOHO 6. A seat is taken when a computer connects to the Internet. To upgrade your SOHO 6 user license, please visit: http://www.watchguard.com/sales/buyonline.
2 Disconnect the Ethernet cable that runs from your DSL/cable modem or other Internet connection to your computer and connect it to the WAN port on the SOHO 6.
The SOHO 6 is now connected directly to the modem or other Internet connection.
3 Connect one end of the straight-through Ethernet cable supplied with your SOHO 6 into any one of the four, numbered, Ethernet ports (labeled 0-3) on the SOHO 6. Connect the other end into the uplink port of the hub.
CHAPTER 3 SOHO 6 Basics

Once you have physically installed the SOHO 6, you can connect to it using your Web browser. The SOHO 6 includes a Web server that provides a Web-page configuration interface.

The SOHO 6 Home Page—System Status

With your Web browser, go to the System Status page of the SOHO 6 using the default IP address of the Trusted Network: http://192.168.111.1.
The System Status page appears.
The System Status page is effectively the home page of the SOHO 6. A variety of information is revealed in an effort to provide a comprehensive display of the SOHO 6 configuration. This information includes:
• The firmware version
• The serial number of the appliance
• A few of the SOHO 6 features and their status:
- WSEP Logging
- VPN Manager Access
- Syslog
- Pass Through
• Upgrade options and their status
• Configuration information for both the Trusted and External networks
NOTE When the External network is configured to use the PPPoE Client, the page also displays a connect or disconnect button in order to terminate or initiate the PPPoE connection.

Default Factory Settings

Firewall Settings
All incoming services are blocked. An outgoing service allows all outbound traffic. None of the Firewall Options are enabled. The DMZ pass-through is disabled.

System Security
System Security is disabled and no System Administrator name or passphrase is set; the configuration pages are available to all on the trusted network. SOHO 6 Remote Management is disabled. VPN Manager Access is disabled. No remote logging is configured.
Finally, the PWR indicator light should remain illuminated. Your SOHO 6 is now reset to factory defaults.

Register your SOHO 6 and Activate the LiveSecurity Service

The base model SOHO 6
The base model SOHO 6 comes with a ten-seat license; that is, ten computers have access to the Internet through the SOHO 6. Remember, while only four appliances connect directly to the four (numbered 0-3) Ethernet ports, one or more of these appliances can be a hub or router.

NOTE You must have JavaScript enabled on your browser to be able to activate LiveSecurity Service.
If you are a returning customer, log in with your user name and password, then choose your product and continue by following the instructions on screen. If you are a new WatchGuard customer, begin by creating a profile, then follow the instructions on screen for activating a product.
Reboot the SOHO 6

the default IP address, go to: http://192.168.111.1. Click Reboot.
• Unplug the SOHO 6 and reconnect it to a power source.
To reboot a SOHO 6 located on a remote system, you must set the SOHO 6 to allow either incoming HTTP (Web) or FTP traffic to the trusted address of the SOHO 6. For information on configuring a SOHO 6 to allow incoming traffic, see “Configure Incoming and Outgoing Services” on page 62.
CHAPTER 4 Configure the Network Interfaces

Configure Your External Network

When you configure the external network, you establish how the SOHO 6 communicates with your ISP. This configuration depends upon how your ISP distributes network addresses: using DHCP or PPPoE.

Network addressing
Each networked computer must have an IP address to identify itself to other computers. IP address assignments are either dynamic or static.
The most common method to distribute IP addresses is dynamically using DHCP (Dynamic Host Configuration Protocol). When your computer is connected to the network, a DHCP server at your ISP automatically assigns it a network IP address. This relieves the ISP of the responsibility to manually assign and manage individual IP addresses. Another method of dynamically assigning IP addresses is called PPPoE (Point-to-Point Protocol over Ethernet).
Configure the SOHO 6 External Network for static addressing

If you are assigned a static address, then you must transfer the permanent address assignment from your computer to the SOHO 6. Instead of communicating directly to your computer, the ISP now communicates through the SOHO 6.
1 With your Web browser, go to the System Status page using the trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.
4 Enter the TCP/IP settings you recorded from your computer during the installation process. Refer to the table in “Review and record your current TCP/IP settings” on page 12.
5 Click Submit.
The configuration change is saved to the SOHO 6.

Configure the SOHO 6 External Network for PPPoE

While less common, PPPoE is another method for an ISP to assign IP addresses. Check the information and manuals sent to you by your ISP to see if they use PPPoE.
4 From the Configuration Mode drop list, select PPPoE Client.
5 Enter the PPPoE login name and domain supplied by your ISP.
6 Enter the PPPoE password supplied by your ISP.
7 Enter how long you want the system to wait before it disables an inactive TCP connection.
8 Click Automatically restore lost connections.
9 Click Enable pppoe debug trace to activate PPPoE debug trace.
The page refreshes.
Configure the Trusted Network

By default, the SOHO 6 uses DHCP to assign addresses to computers on your trusted network. In other words, every time you connect a computer to the SOHO 6, either directly or through a hub, it automatically attempts to obtain its addresses from the SOHO 6. If you use a centralized DHCP server to hand out IP addresses, the SOHO 6 has a DHCP Relay feature that forwards the DHCP request to the specified DHCP server.
The Trusted Network Configuration page appears.
3 Enter the IP address and the Subnet Mask in the appropriate fields.
4 Enable the checkbox labeled Enable DHCP Server on the Trusted Network.
5 Enter the first IP address the DHCP server will hand out to computers connected to the Trusted network.
6 Enter the WINS Server address, DNS Server address (primary and secondary), and DNS Domain server suffix.
7 Click Submit and reboot the SOHO 6 as necessary.
2 Enter the IP address of the DHCP relay server.
3 Click Submit and reboot the SOHO 6 as necessary.
The SOHO 6 will now send all DHCP requests to the specified, remote DHCP server and relay the resulting IP addresses to the computers connected to the Trusted Network. If the SOHO 6 is unable to contact the specified, remote DHCP server within 30 seconds, it will revert to using its own DHCP server to respond to computers on the Trusted network.
Configure the Trusted Network with static addresses

To disable the SOHO 6 DHCP server and assign addresses statically, follow these steps:
1 With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1
2 From the navigation bar on the left side, select Network => Trusted.
The Trusted Network Configuration page appears.
4 Disable the checkbox labeled Enable DHCP Server on the Trusted Network.
5 Click Submit and reboot the SOHO 6 as necessary.
6 Configure your computers and other devices on the trusted network with static addresses.

Configure Static Routes

The SOHO 6 allows you to configure static routes in order to pass traffic to networks on separate segments.
The Routes page appears.
3 Click Add.
The Add Route page appears.
4 From the Type drop list, select either Host or Network.
5 Enter the IP address and the Gateway of the route in the appropriate field.
The gateway of the route is the local interface of the router.
6 Click Submit.
To remove a route, select the appropriate entry and click Remove.

View Network Statistics

The SOHO 6 has a configuration page that displays a variety of network statistics to assist in monitoring data traffic as well as troubleshooting potential problems.
Configure the Dynamic DNS Service

This feature allows you to register the external IP address of the SOHO 6 with a dynamic DNS (Domain Name Server) service (www.dyndns.org). This service allows customers to bind their DNS record in the event that their dynamically assigned IP address is reassigned.
1 With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.
NOTE The SOHO 6 receives the IP of members.dyndns.org when it connects to the time server.
5 Click Submit.

Configure OPT Port Upgrades

The optional port, OPT port, on the SOHO 6 supports two new upgrades:
• Dual ISP Port upgrade
• VPNforce Port upgrade
To activate these upgrades, you need to buy an additional license, and then upgrade the SOHO 6 to activate the new feature.
The SOHO 6 uses two methods to determine if the external port connection is down:
• The link to the nearest router
• A ping to a specified location. The SOHO pings the default gateway or other location designated by the administrator. If there is no response, fail-over takes place.
Once you have upgraded the SOHO 6 to activate this feature, follow these instructions to configure Dual ISP Port:
1 Connect one end of a straight-through Ethernet cable into the OPT port, and connect the other end into the source of the secondary or fail-over External network connection. This can be either a DSL/cable modem or hub.
2 With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6.
9 Enter the number of times the system will ping the Interface before timeout.
10 Click Submit.

Configure VPNforce™ Port

The VPNforce port upgrade activates the SOHO 6 optional port for use on the trusted side. Its main function is to provide a remote office or telecommuter a separate network behind the SOHO 6 firewall; one with secure access to the corporate network while the other connection is used for non-corporate functions.
2 From the navigation bar on the left side, select Network => Optional.
The Optional Network Configuration page appears.
3 To enable VPNforce, select the Enable Optional Network checkbox.
4 Enter the configuration information (IP address, DHCP Server, and DHCP Relay) for the Optional Interface, which is the same process as configuring the Trusted network. For specific instructions on these fields, see “Configure the Trusted Network” on page 36.
6 To require encrypted MUVPN connections on this interface, enable the Require Encrypted MUVPN connections on this interface checkbox.
7 Click Submit.
CHAPTER 5 Administrative Options

The SOHO 6 Administration page is where you configure access to the SOHO 6: using System Security, enabling SOHO 6 Remote Management, or providing VPN Manager Access. You can also update the firmware, enter the feature key for any upgrade options you have purchased and have redeemed at the LiveSecurity Service Web site, as well as see the SOHO 6 configuration file in a text format.
The System Security Page

The System Security configuration page allows you to create secure settings to protect the configuration of the SOHO 6. Setting a system administrator name and system passphrase allows you to protect the SOHO 6 by using a simple authentication method. This page also allows you to create a secure connection, using IPSec (Internet Protocol Security), to the SOHO 6 from a remote location.
recommends that the passphrase contain at least one special character, number, and a mixture of upper and lower case letters for increased security.
Follow these steps to set up the SOHO 6 System Passphrase:
1 With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1.
2 From the navigation bar on the left side, select Administration => System Security.
5 Enter the System Administrator Name.
6 Enter the System Passphrase and confirm it.
7 Click Submit.

SOHO Remote Management

This page also allows you to create a secure connection, using Internet Protocol Security (IPSec), to the SOHO from a remote location: SOHO Remote Management. This feature is discussed at length in the Firebox SOHO 6 Remote Management Guide located on our Web site at: http://help.watchguard.com/documentation/soho.
Set up VPN Manager Access

2 From the navigation bar on the left side, select Administration => VPN Manager Access.
The VPN Manager Access page appears.
3 Select Enable VPN Manager Access.
4 Enter the status passphrase and confirm it.
5 Enter the configuration passphrase and confirm it.
NOTE These two settings must exactly match the passphrases used in the VPN Manager or the connection will fail.
6 Click Submit.
Update Your Firmware

As new firmware is released, you should update the version running on your SOHO 6. New updates are located on the WatchGuard Web site at: http://support.watchguard.com/sohoresources/
Download the new firmware file from the Web site and save it to a known location on your management station.
4 Enter the location of the firmware files located on your computer.
5 If you do not know the location of the firmware files, click Browse to browse your computer’s directories and select them.
6 Click Update.
Follow the instructions provided by the Update Wizard.
NOTE The Update Wizard will request a User name and Password. These values correspond to the System Administrator Name and System Passphrase configured at the System Security page.

Redeem your SOHO 6 Upgrade Options

3 Follow the instructions provided on the site to redeem your upgrade license key.
4 Copy the Feature Key displayed at the LiveSecurity Service Web site.
5 With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1
6 From the navigation bar on the left side, select Administration => Upgrade.
The Upgrade page appears.
Dual ISP Port
This upgrade to the SOHO 6 activates the Optional port as a fail-over support for the external interface. This license key is purchased separately.

VPNforce Port
This upgrade to the SOHO 6 activates the Optional port as a separate secure connection to a corporate network for a remote office or telecommuter. This license key is purchased separately.

IPSec Virtual Private Networking (VPN)
The SOHO 6tc comes with a VPN upgrade license key.
http://www.watchguard.com/renew/
Follow the instructions at the site to activate or purchase the renewal.

View the Configuration File

From this configuration page, the SOHO 6 configuration file appears in text format.
1 With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.
CHAPTER 6 Configure the Firewall Settings

Firewall Settings

The flow of incoming and outgoing traffic is controlled by the configuration settings you make. These decisions are made in accordance with a sound security policy that defines the kinds of risks that are acceptable to you or your firm. WatchGuard identifies several commonly used services that are used to define incoming and outgoing access.
Configure Incoming and Outgoing Services

By default, the security stance of the SOHO 6 is to deny incoming packets to computers on the trusted network protected by the SOHO 6 firewall. You can selectively open your network to certain types of Internet connectivity. For example, to set up a Web server behind the SOHO 6, you add an incoming Web service.
2 Locate a pre-configured service, such as FTP, Web, or Telnet, then select either Allow or Deny from the drop list.
In our example, the HTTP service is set to Allow, enabling incoming Web traffic.
3 Enter the trusted network IP address of the computer to which this rule applies.
In our example, 192.168.111.2.
4 Click Submit.
2 From the navigation bar on the left side, select Firewall => Custom Service.
The Custom Service page appears.
3 Define a name for the service in the appropriate field.
4 Beneath the Protocol Settings fields, select either TCP Port, UDP Port, or Protocol from the drop list.
The Custom Service page refreshes.
NOTE In addition to TCP and UDP ports, there are several other types of Internet protocols.
5 Enter the port number (or numbers if creating a range of ports) or enter the IP protocol number to allow in the appropriate fields and click Add.
After creating a custom service, you need to specify a filter rule as well as define the incoming and outgoing properties.
6 At the Incoming and Outgoing Filter drop lists, select either Allow or Deny.
7 Select either Host IP Address, Network IP Address, or Host Range from the appropriate drop list. The Custom Service page refreshes.

Block External Sites
The Blocked Sites page appears.
2 Select either Host IP Address, Network IP Address, or Host Range from the drop list.
3 Enter either a single host IP address, a network IP address, or the start and end of a range of host IP addresses in the appropriate fields. The Blocked Sites page refreshes. In our example, Host IP Address is selected and the IP address entered is 207.68.172.246.
4 Click Add.
5 Click Submit.
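As an added illustration (not WatchGuard code), the following Python model evaluates incoming packets the way the Blocked Sites steps above and the preceding Custom Service steps describe: blocked external sites are rejected first, an Allow on a pre-configured or custom service reaches only its Service Host, and everything else falls to the default deny. The evaluation order, the IncomingFilter class, the constructed custom services (a UDP port range and IP protocol 47), the sample network and range entries and the external source addresses are assumptions; 192.168.111.2 and 207.68.172.246 are the guide's own example values, and 80, 21 and 23 are the standard ports of the named services.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple

PROTO_TCP, PROTO_UDP = 6, 17   # IP protocol numbers behind the TCP Port / UDP Port choices


@dataclass(frozen=True)
class Service:
    """A pre-configured or custom service as the Custom Service page defines it."""
    name: str
    proto: int                               # 6 = TCP, 17 = UDP, other = raw IP protocol number
    ports: Optional[Tuple[int, int]] = None  # inclusive port range; None for a raw protocol
    action: str = "deny"                     # Incoming Filter setting: "allow" or "deny"
    host: Optional[IPv4Address] = None       # Service Host that an Allow applies to


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int
    dport: Optional[int] = None


class IncomingFilter:
    """Blocked external sites are checked first, then the per-service rules; anything
    unmatched is denied. That ordering is an assumption of this model."""

    def __init__(self) -> None:
        self.blocked = []      # ip_network objects or (start, end) address tuples
        self.services: List[Service] = []

    # Block External Sites: Host IP Address, Network IP Address, or Host Range
    def block_host(self, ip: str) -> None:
        self.blocked.append(ip_network(ip + "/32"))

    def block_network(self, cidr: str) -> None:
        self.blocked.append(ip_network(cidr))

    def block_range(self, start: str, end: str) -> None:
        self.blocked.append((ip_address(start), ip_address(end)))

    def is_blocked(self, addr: IPv4Address) -> bool:
        for entry in self.blocked:
            if isinstance(entry, tuple):
                if entry[0] <= addr <= entry[1]:
                    return True
            elif addr in entry:
                return True
        return False

    def decide(self, pkt: Packet) -> str:
        if self.is_blocked(pkt.src):
            return "deny (blocked site)"
        for svc in self.services:
            if svc.proto != pkt.proto:
                continue
            if svc.ports is not None and (pkt.dport is None or not svc.ports[0] <= pkt.dport <= svc.ports[1]):
                continue
            # The first matching service decides; an Allow reaches only its Service Host.
            if svc.action == "allow" and pkt.dst == svc.host:
                return f"allow ({svc.name})"
            return f"deny ({svc.name})"
        return "deny (default)"  # the SOHO 6 default stance for incoming packets


def build_example_filter() -> IncomingFilter:
    f = IncomingFilter()
    f.block_host("207.68.172.246")              # the guide's blocked-site example
    f.block_network("198.51.100.0/24")          # constructed Network IP Address entry
    f.block_range("192.0.2.10", "192.0.2.20")   # constructed Host Range entry
    web_host = IPv4Address("192.168.111.2")     # the guide's Service Host example
    f.services += [
        Service("Web", PROTO_TCP, (80, 80), "allow", web_host),   # HTTP on its standard port
        Service("FTP", PROTO_TCP, (21, 21), "deny"),
        Service("Telnet", PROTO_TCP, (23, 23), "deny"),
        # constructed custom services: a UDP port range and a raw IP protocol number
        Service("game-udp", PROTO_UDP, (27000, 27015), "allow", IPv4Address("192.168.111.4")),
        Service("gre", 47, None, "allow", IPv4Address("192.168.111.3")),
    ]
    return f


def evaluate_samples() -> List[str]:
    """Decide constructed sample packets; external sources use documentation ranges."""
    f, A = build_example_filter(), IPv4Address
    samples = [
        Packet(A("203.0.113.5"), A("192.168.111.2"), PROTO_TCP, 80),     # Web to the Service Host
        Packet(A("203.0.113.5"), A("192.168.111.9"), PROTO_TCP, 80),     # Web to another trusted host
        Packet(A("207.68.172.246"), A("192.168.111.2"), PROTO_TCP, 80),  # from the blocked host
        Packet(A("192.0.2.15"), A("192.168.111.2"), PROTO_TCP, 80),      # from inside the blocked range
        Packet(A("203.0.113.5"), A("192.168.111.2"), PROTO_TCP, 23),     # Telnet, explicitly denied
        Packet(A("203.0.113.5"), A("192.168.111.4"), PROTO_UDP, 27005),  # inside the custom UDP range
        Packet(A("203.0.113.5"), A("192.168.111.3"), 47),                # raw protocol 47 to its host
        Packet(A("203.0.113.5"), A("192.168.111.2"), PROTO_TCP, 443),    # no service configured
    ]
    return [f.decide(p) for p in samples]


if __name__ == "__main__":
    for line in evaluate_samples():
        print(line)
```

The second sample is the one worth noticing when you review a rule set: an Allow on the Web service opens port 80 to the one Service Host you entered, not to every computer on the trusted network, so a second Web server needs its own entry.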
Firewall Options
The SOHO 6 firewall feature includes a few rule settings that are less specific than the service settings discussed previously and are used to provide further security for your private network. These options are found on the Firewall Options page.
1 With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.
Ping requests received on the External Network
You can configure the SOHO 6 to deny all ping packets that it receives on the external interface.
1 Select Do not respond to PING requests received on External Network.
2 Click Submit.

Denying FTP access to the Trusted Network interface
You can configure the SOHO 6 to deny FTP access to the Trusted interface.
1 Select Do not allow FTP access to Trusted Network.
2 Click Submit.
• SOHO 6 supports SOCKS version 5 only.
• It is a limited version of SOCKS and does not support authentication.
NOTE Configure the particular application so that it does not attempt to make DNS look-ups with SOCKS. Some applications use only DNS through SOCKS and therefore do not function properly with the SOHO 6.
• Compatible SOCKS-aware applications that are used through the SOHO 6 include ICQ, IRC, and AOL Messenger.
• For the SOCKS proxy, enter the URL or IP address of the SOHO 6 trusted network. The default IP address is 192.168.111.1.

Disabling SOCKS on the SOHO 6
Once you use a SOCKS-compliant application through the SOHO 6, the primary SOCKS port is available to anyone on your trusted network. You can close this security gap between uses of SOCKS applications.
1 Enable the checkbox labeled Disable SOCKS proxy. This prevents the SOHO 6 from acting as a SOCKS proxy.
Follow these steps:
1 Select Log All Allowed Outbound Access.
2 Click Submit.

Enable override MAC address for the External Network
A SOHO administrator can assign a second MAC address to the SOHO 6 External Network, making it easier to register with an ISP that requires a separate MAC address for registration.
1 Select Enable override MAC address for the External Network.
2 Enter the MAC address that will be assigned to the SOHO 6 External Network.
Create an Unrestricted Pass Through
The SOHO 6 is able to allow traffic to be passed through to a dedicated machine with a public IP address separated from the rest of the Trusted network. Follow these steps to configure a pass through:
1 With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.
and Trusted network computers are not protected from potential threats, do not use the Pass Through feature
CHAPTER 7 Configure Logging

What is logging?
Logging is the act of recording “events” that occur at the SOHO 6 interfaces. An event is any single activity, such as communication with the WatchGuard WebBlocker database or incoming traffic passing through the SOHO 6. Logging is intended to record the kinds of activities that indicate security concerns, most importantly denied packets. Certain patterns of denied packets can indicate the type of attack that is being attempted.
View SOHO 6 Log Messages
The WatchGuard SOHO 6 generates an ongoing activity log stored on the SOHO 6: the Event Log. This log stores a maximum of 150 messages. When it reaches this limit, the oldest message is deleted. The log messages include time synchronizations between the SOHO 6 and the WatchGuard Time Server, discarded packets for a packet handling violation, duplicate messages, or return error messages and IPSec messages.
To have your log messages synchronize with your computer:
• Click Sync Time with Browser now.
The SOHO 6 synchronizes the time at startup.

Set up Logging to a WatchGuard Security Event Processor Log Host
The WSEP (WatchGuard Security Event Processor) is an application available with the WatchGuard Firebox System software used by a Firebox II/III.
The WatchGuard Security Event Processor page appears.
3 Select Enable WatchGuard Security Event Processor Logging.
4 Enter the IP address of the WSEP server that is your log host in the appropriate field. In our example, 192.168.111.5.
5 In the Log Encryption Key field, enter a passphrase and confirm it.
6 Click Submit.
NOTE This encryption key must be identical to the one used in the WSEP.
Set up Logging to a Syslog Host
The SOHO 6 also sends log entries to a Syslog host. Follow these steps to set up a Syslog host:
1 With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1.
2 From the navigation bar on the left side, select Logging => Syslog Logging. The Syslog Logging page appears.
3 Select Enable syslog output.
To adjust your syslog messages to your browser's local time:
• Select Include local time in syslog message.
NOTE Syslog traffic is not encrypted, and use of this option creates a potential security risk when the information is sent over the Internet. However, if this traffic is sent through a VPN tunnel, the traffic is encrypted with IPSec technology and is therefore less of a security risk.

Set the System Time
The SOHO 6 stamps each log entry with the time that the event occurred.
The System Time page appears.
If you have decided to use the WatchGuard Time Server:
3 Select Get Time From WatchGuard Time Server.
Or, to use a TCP Port 37 Time Server:
4 Select Get Time From TCP Port 37 Time Server at.
5 Enter the IP address of the time server in the appropriate field.
6 Click Submit.
To adjust your log messages for daylight savings time or set the time zone:
• Select Adjust for daylight savings time.
• Select a time zone from the drop list.
CHAPTER 8 VPN—Virtual Private Networking
This chapter describes an optional feature of the WatchGuard SOHO 6, Virtual Private Networking (VPN) with IPSec.

Why Create a Virtual Private Network?
Virtual Private Networking (VPN) tunnels enable you to securely connect computers in two locations without requiring expensive, dedicated point-to-point data connections. With VPN, you use low cost connections to the Internet to create a virtual connection between two branch offices.
What You Need
• One WatchGuard SOHO 6 with VPN and an IPSec-compliant appliance.
NOTE While you can create a SOHO 6 to SOHO 6 VPN, you can also create a VPN with a WatchGuard Firebox II/III, Firebox Vclass, or other IPSec-compliant appliances.
IP Address Table (example):
Item | Description | Assigned By | Example
External IP Address | The IP address that identifies the SOHO 6 to the Internet. | ISP | Site A: 207.168.55.2; Site B: 68.130.44.15
External Subnet Mask | The overlay of bits that determines which part of the IP address identifies your network. For example, a Class C address licenses 256 addresses and has a netmask of 255.255.255.0. | ISP | Site A: 255.255.255.0; Site B: 255.255.255.
Authentication | Both sides must use the same method. | You | Site A: MD5 (or SHA1); Site B: MD5 (or SHA1)

Enable the VPN Upgrade
You must first redeem the VPN upgrade license key before configuring VPN.
Special Considerations
Consider the following before configuring your WatchGuard SOHO 6 VPN network:
• You can connect up to six SOHO 6 appliances together. To set up more VPN tunnels, you need at least one WatchGuard Firebox II/III configured with the WatchGuard VPN Manager.
• Each appliance must be able to send messages to the other.

Frequently Asked Questions
this feature to discourage users from creating Web servers. These providers usually offer a static IP address option.

How do I troubleshoot the connection?
If you are able to ping the remote SOHO 6 and computers behind it, your VPN tunnel is up and running. Any remaining problems are probably caused by the MS Networking or the applications being used.
Set Up Multiple SOHO-SOHO VPN Tunnels
With this release, a SOHO administrator has the ability to manually define up to six VPN tunnels to other SOHO 6 devices. VPN Manager’s ability to set up a larger number of SOHO 6 to SOHO 6 tunnels remains. To define multiple VPN tunnels to other SOHO 6 appliances:
1 With your Web browser, go to the System Status page using the trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.
The Add Gateway page appears.
4 Enter the Name, IPSec Gateway Address, and Shared Key for the SOHO 6 to which you want to set up a VPN tunnel. The shared key is used by the local and remote SOHO to encrypt and decrypt the data going across the tunnel. The shared key is the same on both ends of the tunnel. The gateways can encrypt and decrypt the data correctly only if they share the same key.
5 Phase 1 settings can be left at the defaults shown or modified as desired.
steps. Make sure that the Phase 1 settings on this device are the same as on the peer device.
6 Select the type of negotiation for Phase 1. The two Mode Types are Main and Aggressive. If your external IP address is dynamic, you must use Aggressive Mode; otherwise you may use either option.
7 Enter the local and remote ID types. These must match the settings used on the remote gateway.
- If you are using Main Mode, the Local and Remote ID Type must be an IP Address.
13 In the Diffie-Hellman Group drop list, specify the group. WatchGuard supports 1 & 2. Diffie-Hellman refers to a mathematical technique for securely negotiating secret keys over a public medium. Diffie-Hellman groups are collections of parameters used to achieve this. Group 2 is more secure than group 1, but requires more time to compute the keys.
14 If you choose, select the checkbox marked Enable Perfect Forward Secrecy.
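To make the Diffie-Hellman and Perfect Forward Secrecy points in steps 13 and 14 concrete, here is an added Python illustration (not WatchGuard's implementation) of the exchange behind Phase 1: each gateway keeps an ephemeral secret, sends only its public value, and combines the agreed secret with the Shared Key from step 4. The modulus is the 1024-bit RFC 2409 group 2 prime (the "Group 2" of the drop list; group 1 is the 768-bit prime from the same RFC). The Gateway class, the key derivation (HMAC-SHA1 over the DH result keyed by the Shared Key) and the constructed shared keys are simplifications and assumptions, not IKE's exact SKEYID formula.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# RFC 2409 Oakley group 2: the 1024-bit MODP prime with generator 2. Group 1 from the
# same RFC is a 768-bit prime; the larger modulus is why group 2 costs more time.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, used here only as a sanity check on the group parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class Gateway:
    """One end of the tunnel, holding the Shared Key entered on the Add Gateway page (assumed model)."""

    def __init__(self, name: str, shared_key: bytes, p: int = GROUP2_P, g: int = GROUP2_G):
        self.name, self.shared_key, self.p, self.g = name, shared_key, p, g

    def new_exchange(self) -> Tuple[int, int]:
        """Fresh ephemeral secret x and public value g^x mod p for one negotiation.
        Only the public value leaves the gateway; x is discarded after the exchange."""
        x = secrets.randbelow(self.p - 2) + 1
        return x, pow(self.g, x, self.p)

    def session_key(self, x: int, peer_public: int) -> bytes:
        """Derive keying material from the DH result and the pre-shared key. This is a
        simplified stand-in (HMAC-SHA1 over g^xy keyed by the Shared Key) for IKE's SKEYID
        derivation, which also mixes in nonces and cookies."""
        shared_secret = pow(peer_public, x, self.p)
        secret_bytes = shared_secret.to_bytes((self.p.bit_length() + 7) // 8, "big")
        return hmac.new(self.shared_key, secret_bytes, hashlib.sha1).digest()


def negotiate(a: Gateway, b: Gateway) -> Tuple[bytes, bytes]:
    """One exchange: each side sends only its public value, then derives its own key."""
    xa, pub_a = a.new_exchange()
    xb, pub_b = b.new_exchange()
    return a.session_key(xa, pub_b), b.session_key(xb, pub_a)


def demo_pfs() -> Dict[str, bool]:
    psk = b"constructed-shared-key"   # constructed value for the demonstration only
    site_a, site_b = Gateway("Site A", psk), Gateway("Site B", psk)
    k1_a, k1_b = negotiate(site_a, site_b)
    k2_a, k2_b = negotiate(site_a, site_b)           # a later re-key: new ephemeral secrets
    k3_a, k3_b = negotiate(site_a, Gateway("Site B", b"constructed-shared-kay"))  # mistyped key
    return {
        "both_sides_agree": k1_a == k1_b and k2_a == k2_b,
        # PFS: each negotiation's key depends on ephemeral x values that no longer exist,
        # so learning the Shared Key afterwards does not reveal k1 or k2.
        "rekey_gives_new_key": k1_a != k2_a,
        "mismatched_shared_key_detected": k3_a != k3_b,
        "group2_prime_ok": is_probable_prime(GROUP2_P),
    }


if __name__ == "__main__":
    for check, ok in demo_pfs().items():
        print(f"{check}: {ok}")
```

The third result is what you see in practice when the Shared Key differs between the two Add Gateway pages: both sides complete the arithmetic, but the keys never match and the tunnel never passes traffic, which is why the text insists the key be identical on both ends.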
Configure Split Tunneling
Another new feature in this release is split tunneling, which allows the administrator to specify that all Internet traffic originating from the Trusted interface of the SOHO 6 goes through the VPN tunnel. Previously, only traffic headed specifically for the other end of the VPN tunnel was sent through the tunnel; traffic destined for other Internet addresses was sent directly to the Internet.
terminating at the local SOHO 6. The SOHO 6 also allows users on the Trusted network to access networks on Branch Office VPN tunnels terminating at the local SOHO 6. If you purchase the VPNforce Port, you receive one MUVPN connection to the Optional network as well. Additional VPNforce Port user licenses can be purchased separately. Complete documentation on configuring your SOHO 6 once this upgrade option is purchased and redeemed is at: http://support.watchguard.
CHAPTER 9 SOHO 6 WebBlocker
WebBlocker is an optional feature of the SOHO 6 that provides Web site filtering capabilities. It gives you precise control over the types of Web sites users on your trusted network are allowed to view.

How WebBlocker Works
WebBlocker relies on a URL database service, which is owned and maintained by SurfControl. The WebBlocker database contains many thousands of IP addresses and directories.
SOHO 6 queries the WatchGuard database and determines whether or not to block the site. The SOHO 6 considers the following conditions in determining whether or not to block the site:
Web site not in the WebBlocker database
If the site is not in the WatchGuard WebBlocker database, the Web browser opens the page for viewing.
WebBlocker users and groups
Groups: A group is a collection of individuals or users of the system.
Users: These are individual members of a particular group.

Bypass the SOHO 6 WebBlocker
Occasionally, you may want to allow select individuals to bypass the filtering functions of SOHO 6 WebBlocker.

Purchase and Activate SOHO 6 WebBlocker
Configure the SOHO 6 WebBlocker
Use the WatchGuard SOHO 6 Configuration pages to activate WebBlocker, create a full access password for bypassing WebBlocker, define an inactivity timeout that sets the duration of the full access password, define the categories you want to block, and configure WebBlocker groups and users.
3 Select Enable WebBlocking.
4 Enter the full access password. The full access password allows a user to bypass otherwise blocked sites.
5 Enter the inactivity timeout in minutes. For example, setting the inactivity timeout at 15 minutes ensures that unattended Web browsers are disconnected after sitting idle for 15 minutes.
6 If you intend to use WebBlocker groups and users, select Require Web users to authenticate.
7 Click Submit to register your changes.
The WebBlocker Groups page appears.
3 Click New to create a group name and profile.
4 Define a Group Name and select the blocked categories for this group.
5 Click Submit. A new Groups page appears, indicating that the configuration changes were accepted and are providing access.
6 To the right of the Users field, click New. The New User page appears.
7 Enter a unique user name and passphrase (remember to confirm the passphrase). Use the Group drop list to assign the new user to a given group.
8 Click Submit.
NOTE You can delete users or groups at any time by selecting them and clicking Delete.

WebBlocker Categories
WebBlocker relies on a URL database, which is a service of SurfControl. The WebBlocker database contains thousands of IP addresses and directories. These addresses are divided into categories based on content such as drug culture, intolerance, or sexual acts. SurfControl constantly searches the Internet to update the list of blocked sites.
(using someone’s phone lines without permission), and software piracy. Also includes text advocating gambling relating to lotteries, casinos, betting, numbers games, online sports, or financial betting, including non-monetary dares.
Militant/extremist: Pictures or text advocating extremely aggressive or combative behavior or advocacy of unlawful political measures. Topic includes groups that advocate violence as a means to achieve their goals.
or handicap, gender, or sexual orientation. Any picture or text that elevates one group over another. Also includes intolerant jokes or slurs.
Gross Depictions: Pictures or text describing anyone or anything that is either crudely vulgar, grossly deficient in civility or behavior, or shows scatological impropriety. Topic includes depictions of maiming, bloody figures, and indecent depiction of bodily functions.
Violence/profanity: Pictures or text exposing extreme cruelty or profanity.
Sexual Acts: Pictures or text exposing anyone or anything involved in explicit sexual acts and/or lewd and lascivious behavior. Topic includes masturbation, copulation, pedophilia, as well as intimacy involving nude or partially nude people in heterosexual, bisexual, lesbian, or homosexual encounters. It also includes phone sex advertisements, dating services, adult personals, and sites devoted to selling pornographic CD-ROMs and videos.
CHAPTER 10 Support Resources

Troubleshooting Tips
The following information is offered to help overcome any difficulties that might occur when installing and setting up your SOHO 6.

General
What do the PWR, Status, and Mode lights signify on the SOHO 6?
When the PWR light is lit, the SOHO 6 has power. When the Status light is lit, there is a management connection to the SOHO 6. When the MODE light is lit, the SOHO 6 is operational.
four, numbered, Ethernet ports (labeled 0-3) and reload the configuration.
If the Mode light is blinking: The SOHO 6 requires a DHCP assigned IP address for the external interface, but did not receive it. The WAN port is not connected to another appliance, the physical connection is faulty, or the other appliance is not operating properly.
How do I register my SOHO 6 with the LiveSecurity Service?
Register online by activating your bundled LiveSecurity® Service subscription.
NOTE You can also reboot by removing the power source for ten seconds, and then restoring power.
How do I reset my System Security password, if I forgot or lost it?
If you forgot your password, you must reset the SOHO 6 to its factory default. For instructions, see “Reset a SOHO 6 to factory default” on page 26.
How does the seat limitation on the SOHO 6 work?
The default user license on the SOHO 6 allows for ten users.
a DSL router, set the NAT feature of the DSL router to bridge-only mode.
How do I install and configure the SOHO 6 using a Macintosh (or other) operating system?
Installation instructions for the Macintosh and other operating systems are on the WatchGuard Web site at: https://support.watchguard.com/sohoresources/
How do I know whether the cables are connected correctly to my SOHO 6?
There are fourteen lights on the front of the SOHO 6 grouped in pairs.
How can I see the MAC address of my SOHO 6?
A MAC (Media Access Control) address is a unique number used to identify the actual physical hardware of an Ethernet appliance.
1 With your Web browser, go to the SOHO 6 Configuration Settings page using the Trusted IP address of the SOHO 6.
2 Towards the bottom of the System Status page, you see the External network header on the right side. Two MAC addresses are often listed.
How do I change to a static, trusted IP address?
Before you can use a static IP address, you must have a base Trusted IP address and subnet mask. The following IP address ranges and subnet masks are set aside for private networks in compliance with RFC 1918. Replace the Xs in the network IP address with a number between 1 and 254. The subnet addresses do not need to be changed.
Network IP range | Subnet mask
10.x.x.x | 255.0.0.0
172.16.x.x | 255.240.0.0
192.168.x.x | 255.255.0.
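As an added check (not part of the guide), this Python function validates a proposed base Trusted IP address and subnet mask against the RFC 1918 table above before you apply it, and goes a little beyond the table: it also flags a mask that would let the Trusted network spill outside its private block, and a host part of 0 or 255, which the text rules out by asking for a number between 1 and 254. The function names and the sample inputs are constructed; 192.168.111.1 is the SOHO 6 default Trusted address given elsewhere in this guide.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# The three RFC 1918 blocks from the table above, with the masks the table gives.
RFC1918_BLOCKS = [
    IPv4Network("10.0.0.0/255.0.0.0"),
    IPv4Network("172.16.0.0/255.240.0.0"),
    IPv4Network("192.168.0.0/255.255.0.0"),
]


def rfc1918_block(addr: IPv4Address) -> Optional[IPv4Network]:
    """Return the private block containing addr, or None for a public address."""
    for block in RFC1918_BLOCKS:
        if addr in block:
            return block
    return None


def check_trusted_address(base_ip: str, mask: str) -> Dict[str, object]:
    """Validate a proposed base Trusted IP address and subnet mask before applying it.

    Beyond the table's "pick a private range", this also catches a mask that lets the
    Trusted network extend outside the private block and a host part of 0 or 255."""
    addr = ip_address(base_ip)
    problems: List[str] = []
    result: Dict[str, object] = {"address": base_ip, "mask": mask, "problems": problems}
    block = rfc1918_block(addr)
    result["private"] = block is not None
    if block is None:
        problems.append("address is not inside any RFC 1918 range")
        return result
    net = ip_network(f"{base_ip}/{mask}", strict=False)   # network implied by address + mask
    result["block"], result["network"] = str(block), str(net)
    if not net.subnet_of(block):
        problems.append(f"mask {mask} extends the network beyond {block}")
    if addr in (net.network_address, net.broadcast_address):
        problems.append("host part must be between 1 and 254, not the network or broadcast address")
    # /31 and /32 reserve no network/broadcast address; every other prefix loses two
    result["usable_hosts"] = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return result


if __name__ == "__main__":
    for ip, mask in [("192.168.111.1", "255.255.255.0"),   # the SOHO 6 default Trusted address
                     ("10.0.0.0", "255.0.0.0"),            # host part of 0
                     ("192.168.5.1", "255.0.0.0"),          # mask too wide for 192.168.x.x
                     ("172.32.0.1", "255.240.0.0")]:        # just outside 172.16.x.x
        print(check_trusted_address(ip, mask))
```

The 172.32.0.1 case is the classic mistake with the middle row of the table: 255.240.0.0 covers 172.16.0.0 through 172.31.255.255 only, so 172.32.x.x is a public address and must not be used on the Trusted side.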
To disable WebBlocker, deselect Enable WebBlocker.
How do I allow incoming services such as POP3, Telnet, and Web (HTTP)?
1 With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1
2 From the navigation bar on the left side, select Firewall => Incoming. The Filter Incoming Traffic page appears.
5 Enter the protocol number to allow in the Protocol field.
6 Click Submit.
7 From the navigation bar on the left side, select Firewall => Incoming. The Firewall Incoming Traffic page appears.
8 Near the bottom of the page, under the Custom Service header, locate the service you created and select Allow from the drop list.
9 Under the header Service Host, enter the IP address of the computer to which this traffic is allowed.
10 Click Submit.
How do I set up my SOHO 6 for VPN Manager Access?
This requires the add-on product, WatchGuard VPN Manager software, which is purchased separately and used with the WatchGuard Firebox System software. To purchase VPN Manager, use your Web browser to go to: https://www.watchguard.com/products/vpnmanager.asp
For more information on how to allow VPN Manager access to a SOHO 6, see the VPN Guide.
Contact Technical Support
(877) 232-3531 U.S. End-user support
(206) 521-8375 U.S. Authorized Reseller support
(360) 482-1083 International support

Online Documentation and In-Depth FAQs
WatchGuard maintains an extensive knowledge base consisting of product documentation in the form of printer friendly .pdf files, tutorials, In-Depth FAQs, and more. This information is available at: https://support.watchguard.com/AdvancedFaqs/
Index Numerics 100 indicator 7 A Add Route page 41 B blocked sites configuring 65 Blocked Sites page 66 browsers, supported 12 button, RESET 8 Dynamic DNS client page 43 dynamic DNS service, configuring 43–44, ??–47 Dynamic Host Configuration Protocol.
H hardware description 6 HTTP proxy settings, disabling 14 I incoming service, creating custom 63 indicators 100 7 link 7 Mode 7 WAN 7 installation cabling 19 cabling for multiple computers 20 determining TCP/IP settings 12 disabling TCP/IP proxy settings 14 items required for 12 Internet how information travels on 4 problems browsing 110 IP addresses described 4 disguising 5 dynamic 31 in networks 31 maintaining table of 85 L license keys, redeeming 57 licenses, upgrading 21 lights 100 7 link 7 MO
Blocked Sites 66 Custom Service 64, 113 Dynamic DNS client 43 Filter Traffic 62 Firewall Incoming Traffic 114 Firewall Options 67 Groups 101 Logging 76 Network Statistics 42 New User 102 Routes 41, 46, 48 SOHO 6 Administration 51 Syslog Logging 79 System Security 52, 53 System Status 23, 28 System Time 81 Unrestricted Pass Through IP Address 72 Update 56 Upgrade 58 View Configuration File 60 VPN Manager Access 55 VPN Statistics 94 WatchGuard Security Event Processor 78 WebBlocker Groups 100 WebBlocker Setti
configuring for PPPoE 34 configuring for static addressing 33 configuring VPN tunnel with 86 connecting to 23 default factory settings 25 described 2 firewall feature 67 front view 6 function of 3 hardware 6 installing 11–22 MAC address of 111 MUVPN clients option 93 package contents 2 ports 6, 8 rear view 8 registering 27 resetting to factory default 26 seat limitation 109 setting passphrase 53 setting up VPNs between 115 troubleshooting 107–115 upgrading 57 upgrading user license 21 viewing log mes
VPNforce™ Port 47 VPNs and SOHO 6, SOHO 6 tc 2 and static IP addresses 87 between two SOHO 6s 115 configuring with SOHO 6 86–88 described 83 enabling tunnels 88 encryption for 87 license key for 59 requirements for 84, 114 special considerations for 87 troubleshooting connections 88 viewing statistics 94 W WAN indicator 7 WAN port 9 WatchGuard Security Event Processor 77 WatchGuard Security Event Processor page 78 WebBlocker activating 98 categories 103–?? configuring 98 creating users and groups for 99 da