WatchGuard® Firebox™ System User Guide: Firebox System 4.
Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Copyright and Patent Information
Copyright© 1998 - 2001 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard Technologies, Inc. Firebox System Software End-User License Agreement
WatchGuard Firebox System (WFS) End-User License Agreement
IMPORTANT — READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE: This WFS End-User License Agreement (“AGREEMENT”) is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc.
(D) Transfer this license to another party unless (i) the transfer is permanent, (ii) the third party recipient agrees to the terms of this AGREEMENT, and (iii) you do not retain any copies of the SOFTWARE PRODUCT; or (E) Reverse engineer, disassemble or decompile the SOFTWARE PRODUCT. 4. Limited Warranty. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WatchGuard Technologies or an authorized dealer: (A) Media.
subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Incorporated, 505 Fifth Avenue, Suite 500, Seattle, WA 98104. 6. Export Controls.
FCC Certification
This device has been tested and found to comply with limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. Operation is subject to the following two conditions:
1 This device may not cause harmful interference.
2 This device must accept any interference received, including interference that may cause undesired operation.
CE Notice
The official CE symbol indicates compliance of this WatchGuard Technologies, Inc.
Table of Contents
PART I Introduction ..... 1
Welcome to WatchGuard ..... 1
WatchGuard Firebox System components ..... 1
Minimum requirements ..... 3
PART II WatchGuard Services .....
Resetting Firebox passphrases ..... 24
Setting the time zone ..... 25
Reinitializing a misconfigured Firebox ..... 25
Using the WatchGuard Control Center ..... 27
Navigating the WatchGuard Control Center ..... 27
Control Center components .....
Service precedence ..... 56
Controlling Web Traffic ..... 59
How WebBlocker works ..... 59
Configuring the WebBlocker service ..... 60
Manually downloading the WebBlocker database ..... 62
CHAPTER 9 Setting Up Network Address Translation .....
Reviewing and Working with log files ..... 103
Viewing files with LogViewer ..... 103
Displaying and hiding fields ..... 105
Working with log files ..... 106
CHAPTER 15 Generating Reports of Network Activity ..... 109
Starting Historical Reports .....
PART I Introduction
Welcome to WatchGuard
The WatchGuard Firebox System consists of:
• A suite of management and security software tools
• A Plug and Play network appliance called the WatchGuard Firebox
• A security-related broadcast service
In the past, a connected enterprise needed a complex set of tools, systems, and personnel for access control, authentication, virtual private networking, network management, and security analysis.
WatchGuard Firebox System components
• Security suite
• LiveSecurity Service
WatchGuard Firebox
Firebox appliances are specially designed and optimized machines. They are small, efficient, and reliable. The Firebox is a low-profile component with an indicator display panel in front and physical interfaces in back. For detailed Firebox specifications, see the Reference Guide.
LiveSecurity Service
The innovative LiveSecurity Service subscription makes it easy to maintain the security of an organization’s network. WatchGuard’s team of security experts publish alerts and software updates, which are broadcast to your e-mail client.
Minimum requirements
This section describes the minimum hardware and software configurations necessary to successfully install, run, and administer version 4.6 of the WatchGuard Firebox System.
Hardware requirements
Minimum hardware requirements are the same as for the operating system on which the WatchGuard Firebox System 4.6 runs. The recommended hardware ranges are listed below.
Hardware feature    Minimum requirement
CPU                 Pentium II
Memory              Same as for operating system. Recommended: 32 MB for Windows 95a; 64 MB for Windows 98; 64 MB for Windows NT 4.
PART II WatchGuard® Services
The WatchGuard Firebox System is considerably more than a piece of hardware. This section describes two WatchGuard service components that address your security requirements, and the optional features available to you.
LiveSecurity Service
The key to a high quality, effective network security policy is rapid response to challenges and threats. The LiveSecurity Service enables network security experts to provide quick responses to the changing Internet security environment.
CHAPTER 1 LiveSecurity Service
No Internet security solution is complete without systematic updates. From the latest hacker techniques to the most recently discovered operating system bug, the daily barrage of new threats poses a perpetual challenge to any Internet security solution. The LiveSecurity Service keeps your security system up-to-date by delivering solutions to you. Software Updates, Threat Responses, and other broadcasts are emailed directly to your desktop.
LiveSecurity broadcasts accompany each transmission for easy installation. These convenient transmissions relieve you of the burden of tracking the latest software version to keep your system state of the art.
Editorial
Leading security experts from around the world join the WatchGuard Rapid Response Team in contributing useful editorials to provide a source of continuing education on this rapidly changing subject.
• The License Key number is located on the WatchGuard LiveSecurity Agreement License Key Certificate. Enter the number in the exact form shown on the key, including the hyphens.
• Verify that your e-mail address is correct. You will receive your activation confirmation mail and all of your LiveSecurity broadcasts at this address.
4 Click Submit.
5 Select a download site.
6 Minimize or close your Web browser.
CHAPTER 2 Technical Support
Developing and implementing a network security policy can be a challenge. In addition to familiarity with the WatchGuard Firebox System, it requires experience with advanced networking concepts, programs, and protocols.
Known issues
Another source of information about the WatchGuard Firebox System is the Known Issues page on the Technical Support Web. When our engineering or Technical Support team discovers a limitation or problem with our product, we immediately post the information on the Known Issues page. We provide a description of the issue as well as workarounds and, where appropriate, the software version where a permanent fix will be implemented.
When you call WatchGuard Technical Support, you are prompted for your LiveSecurity License key. We use this key to track the information you report about your network, and to add this issue to our database of all the support issues you have brought to our attention. After you enter your LiveSecurity License key, you are automatically routed to a support technician familiar with your WatchGuard product.
Instructor-led courses
WatchGuard offers a series of courses supporting our product line. Current titles include a two-day course on firewalling basics with the WatchGuard Firebox System and a one-day course on virtual private networking. These courses are delivered by certified WatchGuard trainers, both at our facility in Seattle and by our partners around the country. For more information on upcoming training dates, please send a request to traininginfo@watchguard.
Starting WatchGuard Online Help
WatchGuard Online Help can be started either from the WatchGuard Management Station or directly from a browser.
• In the Management Station software, press F1.
• On any platform, browse to the directory containing WatchGuard Online Help and open LSSHelp.html. The default installation directory is C:/Program Files/WatchGuard/Help.
Context-sensitive Help
In addition to the regular online Help system, context-sensitive or What’s This? Help is also available. What’s This? Help provides a definition and useful information on fields and buttons in the dialog boxes. To access What’s This? Help:
1 Right-click any field or button.
2 Click What’s This? when it appears.
A box appears with the field name on the top and information about the field beneath it.
CHAPTER 3 WatchGuard Options
The WatchGuard Firebox System is enhanced by optional features designed to accommodate the needs of different customer environments and security requirements.
Currently available options
VPN Manager
WatchGuard VPN Manager is a centralized module for creating and managing the network security of an organization that uses the Internet to conduct business. VPN Manager can administer and monitor an enterprise’s sum total of Fireboxes, log hosts, networks, and VPN tunnels.
Mobile User VPN
Mobile User VPN is the WatchGuard IPSec implementation of remote user virtual private networking. Mobile User VPN connects an employee on the road or working from home to trusted and optional networks behind a Firebox using a standard Internet connection, without compromising security. Mobile User VPN licenses are available in packs of five. Each license enables a connection for one remote host IP address.
PART III Configuring a Security Policy
This section describes how to configure your security system. Its primary focus is on using the WatchGuard Control Center and Policy Manager to develop and implement a network security policy. It includes chapters on:
WatchGuard Control Center
The WatchGuard Control Center is an intuitive management, monitoring, and reporting package that puts everything you need at your fingertips.
you to exert fine control over the type of Web sites users on your Trusted network are allowed to view.
Set up network address translation (NAT)
Hide the real IP addresses of the hosts and networks behind your firewall through the use of network address translation. You can set NAT policy at both the global and the individual service levels.
Set up logging and notification
What events are logged and how and when a network administrator is notified is an important component of a security policy.
CHAPTER 4 Firebox Basics
This chapter describes the following tasks, which require direct interaction between the Management Station and the Firebox:
• Set up a Firebox
• Open and save a configuration file to a local hard disk or the Firebox
• Reset Firebox passphrases
• Set the Firebox time zone
• Reinitialize a misconfigured Firebox
• Manage the flash memory of the Firebox
What is a Firebox?
Fireboxes are specially designed and optimized machines. They are small, efficient, and reliable.
Placing a Firebox within a network
The most common location for a Firebox is directly behind the Internet router, as pictured below:
[Figure “The Security Challenge”: Internet, Router, Firebox II, Event Processor, SMTP Server, HTTP Server, FTP Server, Management Station, Trusted Network, Optional Network]
Other parts of the network are as follows:
Management Station
The computer on which you install and run the WatchGuard LiveSecurity Control Center.
Opening a configuration file
Policy Manager is a comprehensive software tool for creating, modifying, and saving configuration files. A configuration file, with the extension .cfg, contains all the settings, options, addresses, and information that together constitute your Firebox security policy. You can open and edit a configuration file residing on either your local hard disk or in the primary area of the Firebox flash disk.
Saving a configuration to the local hard disk
From Policy Manager in the Advanced view:
1 Select File => Save => As File. The Save dialog box appears.
2 Enter the name of the file. The default is to save the file to the WatchGuard directory.
3 Click Save. The configuration file is saved to the local hard disk.
Saving a configuration to the Firebox
From Policy Manager in the Advanced view:
1 Select File => Save => To Firebox.
• Don’t use words in standard dictionaries, even if you use them backward or in a foreign language. Create your own acronyms instead.
• Don’t use proper names, especially company names or those of famous people.
• Use a combination of uppercase and lowercase characters, numerals, and special characters (such as Im4e@tiN9).
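A checker for the passphrase guidelines above, added here as an example rather than taken from the guide or the product. The word list, name list and minimum length are constructed assumptions standing in for a real dictionary.

```python
import re

# Constructed stand-ins for a real dictionary and a list of proper names.
DICTIONARY_WORDS = {"password", "secret", "firebox", "summer", "eating", "dragon"}
PROPER_NAMES = {"watchguard", "seattle", "microsoft", "einstein"}
MIN_LENGTH = 8   # assumed; the guide states no minimum length


def contains_listed_word(candidate: str, words: set, min_len: int = 4) -> str:
    """Return the first listed word (at least min_len characters) that appears in the
    candidate either forward or reversed, since the guide warns that spelling a
    dictionary word backward does not help. Returns '' when nothing matches."""
    lowered = candidate.lower()
    backward = lowered[::-1]
    for word in sorted(words, key=len, reverse=True):   # longest match first
        if len(word) >= min_len and (word in lowered or word in backward):
            return word
    return ""


def passphrase_problems(candidate: str) -> list:
    """List every guideline the candidate violates; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    word = contains_listed_word(candidate, DICTIONARY_WORDS)
    if word:
        problems.append(f"contains dictionary word '{word}' (forward or reversed)")
    name = contains_listed_word(candidate, PROPER_NAMES)
    if name:
        problems.append(f"contains proper name '{name}'")
    # The guide asks for all four character classes together.
    classes = {
        "uppercase": re.search(r"[A-Z]", candidate),
        "lowercase": re.search(r"[a-z]", candidate),
        "numerals": re.search(r"[0-9]", candidate),
        "special characters": re.search(r"[^A-Za-z0-9]", candidate),
    }
    missing = [name for name, found in classes.items() if not found]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


def is_acceptable(candidate: str) -> bool:
    return not passphrase_problems(candidate)


if __name__ == "__main__":
    for sample in ("Im4e@tiN9", "drowssap1!", "WatchGuard1!", "Summer2001"):
        print(sample, passphrase_problems(sample) or "ok")
```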
4 When you complete the QuickSetup wizard, remove the loopback cable (assuming your Firebox has one) and return the Firebox to its regular position in your network. The Firebox resumes normal operation the next time it restarts.
Some Fireboxes have a factory default button.
CHAPTER 5 Using the WatchGuard Control Center
The WatchGuard Control Center combines access to WatchGuard Firebox System applications and tools in one intuitive interface. The Control Center also displays a real-time monitor of traffic through the firewall, connection status, tunnel status, and recent log activity.
Navigating the WatchGuard Control Center
You interact with the Control Center using the QuickGuide toolbar and menu system.
• A real-time monitor of traffic through the Firebox.
QuickGuide
The top part of the display just below the title bar is the QuickGuide.
• IPSec
• DVCP
• WatchGuard VPN
The first line of the tunnel entry shows the name that was assigned when the tunnel was created, along with the tunnel type (IPSec, DVCP, or WatchGuard). If the tunnel is an IPSec or DVCP tunnel, it also shows the IP address of the destination IPSec device (such as another Firebox, SOHO, or SOHO|tc). If the tunnel is DVCP, the IP address refers to the entire remote network address rather than that of the Firebox or equivalent IPSec device.
When you expand an entry that has a red exclamation point, another exclamation point appears next to the specific device or tunnel with the problem. Use this feature to rapidly identify and locate problems with your VPN network.
Traffic Monitor
The Traffic Monitor shows, in real time, the traffic through the Firebox.
much more appropriate tool for tracking logs; Traffic Monitor just provides a real-time view of Firebox activity.
1 Click the WatchGuard Control Center button.
2 Click Settings.
3 Type or use the scroll control to change the Max Log Entries field.
4 Click OK.
The value entered represents the number of log entries in thousands. If you enter 0 in this field, the maximum number of log entries (100,000) is permitted.
The Policy Manager display includes:
Pull-down menus: Menus that provide access to most configuration and administration tasks.
Toolbar: A row of buttons immediately below the pull-down menus. Each button corresponds to a frequently performed Policy Manager task. Position the mouse over the button to view a tooltip and explanatory status bar text.
Services Arena: A large, open panel that displays icons to represent each network service.
HostWatch
The HostWatch application displays active connections occurring on a Firebox in real time. It can also graphically represent the connections listed in a log file, either playing back a previous file for review or displaying connections as they are added to the current log file. To open HostWatch, click the HostWatch button (pictured at left) on the Control Center QuickGuide. For more information, see “HostWatch” on page 98.
CHAPTER 6 Configuring a Network
Configuring a network refers to setting up the three Firebox interfaces. To do this, you need to:
• Enter the IP address or addresses for the Firebox interfaces.
• Enter the IP addresses of secondary networks that are connected to and associated with a Firebox interface.
• Enter the default gateway for the Firebox.
Use Policy Manager to configure parameters for the three Firebox interfaces: Trusted, External, and Optional.
The QuickSetup wizard also writes a basic configuration file called wizard.cfg to the hard disk of the Management Station. If you later want to expand or change the basic Firebox configuration using Policy Manager, use wizard.cfg as the base file to which you make changes. You can run the QuickSetup wizard again at any time to create a new, basic configuration file. The QuickSetup wizard replaces the configuration file, writing over any prior version.
• The Trusted interface ARP address replaces the router’s ARP address.
• All three Firebox interfaces are assigned the same IP address. This is true whether or not you use the Optional interface.
• The majority of a LAN resides on the Trusted interface.
• You can have other networks in other address ranges behind the Firebox using secondary networks. List the IP address of secondary networks in the configuration file.
Adding a secondary network
A secondary network is a network on the same physical wire as a Firebox interface that has an address belonging to an entirely different network. Adding a secondary network to a Firebox interface maps an IP address from the secondary network to the IP address of the interface. This process is also known as adding an IP alias to the Firebox interface. The secondary network IP address becomes the default gateway for all the machines on that network.
Defining a host route
Configure a host route if there is only one host behind the router. Enter the IP address of that single, specific host, and do not enter a bitmask. From Policy Manager in the Advanced view:
1 Select Network => Routes. The Setup Routes dialog box appears.
2 Click Add. The Add Route dialog box appears.
3 Click the Host option.
4 Enter the host IP address.
5 In the Gateway text box, enter the route gateway.
Entering WINS and DNS server addresses
Several advanced features of the Firebox, such as DHCP and Remote User VPN, rely on shared Windows Internet Name Server (WINS) and Domain Name System (DNS) server addresses. These servers must be accessible from the Firebox Trusted interface. From Policy Manager:
1 Select Network => Configuration. Click the General tab.
2 Enter primary and secondary addresses for the WINS and DNS servers.
Modifying an existing subnet
From Policy Manager:
1 Select Network => Configuration. Click the DHCP Server tab.
2 Click the subnet to review or modify. Click Edit.
3 When you have finished reviewing or modifying the subnet, click OK.
Removing a subnet
From Policy Manager:
1 Select Network => Configuration. Click the DHCP Server tab.
2 Click the subnet to remove. Click Remove.
3 Click OK.
CHAPTER 7 Blocking Sites and Ports
Many types of network security attacks are easily identified by patterns found in packet headers. Port space probes, address space probes, and spoofing attacks all exhibit characteristic behavior that a good firewall can recognize and protect against. WatchGuard allows both manual and dynamic blocking of ports and sites, and uses default packet-handling options to automatically and temporarily block hosts that originate probes and attacks.
2 Modify the default packet-handling properties according to your security policy preferences. For a description of each control, right-click the control, and then click What’s This?
3 Click OK.
Blocking a site permanently
The WatchGuard auto-blocking and logging mechanisms help you decide which sites to permanently block. Use Policy Manager to block a site permanently. The default configuration blocks three network addresses: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
2 In the Category list, click Blocked Sites.
3 Modify the logging and notification parameters according to your security policy preferences. For detailed instructions, see “Customizing logging and notification by service or option” on page 76.
Blocking a port permanently
You can block ports to explicitly cut off from external access certain network services that are vulnerable entry points to your network. The Blocked Ports list takes precedence over all service properties.
Blocking sites temporarily with service settings
Use service properties to automatically and temporarily block sites when incoming traffic attempts to use a denied service. You can use this feature to individually log, block, and monitor sites that attempt access to restricted ports on your network.
Configuring a service to temporarily block sites
Configure the service to automatically block sites that attempt to connect using a denied service.
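The decision order this chapter describes, modelled as an added example (not WatchGuard's code): the permanent Blocked Sites list seeded with the three default private ranges, a Blocked Ports list that takes precedence over service properties, and a service that auto-blocks a source for a while when it attempts a denied service. The class and field names, the block duration and the sample addresses are constructed assumptions.

```python
import ipaddress
import time
from dataclasses import dataclass, field

# The three network addresses the default configuration blocks (from the guide).
DEFAULT_BLOCKED_SITES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Service:
    name: str
    port: int
    incoming_allowed: bool
    auto_block: bool = False   # temporarily block sites that attempt this denied service


@dataclass
class Firewall:
    blocked_sites: list = field(default_factory=lambda: list(DEFAULT_BLOCKED_SITES))
    blocked_ports: set = field(default_factory=set)
    services: dict = field(default_factory=dict)      # port -> Service
    temp_blocks: dict = field(default_factory=dict)   # source ip -> expiry timestamp
    block_seconds: int = 1200                         # assumed auto-block duration
    log: list = field(default_factory=list)

    def add_service(self, svc: Service) -> None:
        self.services[svc.port] = svc

    def _site_blocked(self, src: ipaddress.IPv4Address, now: float) -> bool:
        if any(src in net for net in self.blocked_sites):
            return True
        expiry = self.temp_blocks.get(str(src))
        if expiry is not None:
            if expiry > now:
                return True
            del self.temp_blocks[str(src)]            # auto-block has expired
        return False

    def incoming(self, src_ip: str, dst_port: int, now: float = None) -> str:
        """Return 'allow' or 'deny' for an incoming packet and record the reason."""
        now = time.time() if now is None else now
        src = ipaddress.ip_address(src_ip)
        # 1. Blocked Sites: the permanent list plus any live temporary block.
        if self._site_blocked(src, now):
            self.log.append(f"deny {src_ip}:{dst_port} blocked-site")
            return "deny"
        # 2. Blocked Ports take precedence over all service properties.
        if dst_port in self.blocked_ports:
            self.log.append(f"deny {src_ip}:{dst_port} blocked-port")
            return "deny"
        # 3. Service properties: an unknown or incoming-disabled service is denied,
        #    and a denied service configured to auto-block records the source.
        svc = self.services.get(dst_port)
        if svc is None or not svc.incoming_allowed:
            reason = "no-service" if svc is None else f"denied-service {svc.name}"
            if svc is not None and svc.auto_block:
                self.temp_blocks[str(src)] = now + self.block_seconds
                reason += " auto-block"
            self.log.append(f"deny {src_ip}:{dst_port} {reason}")
            return "deny"
        self.log.append(f"allow {src_ip}:{dst_port} {svc.name}")
        return "allow"


def demo() -> list:
    """Constructed traffic that exercises each branch; returns the decisions."""
    fw = Firewall()
    fw.blocked_ports.add(23)                                   # Telnet never reachable
    fw.add_service(Service("HTTP", 80, incoming_allowed=True))
    fw.add_service(Service("SMTP", 25, incoming_allowed=True))
    fw.add_service(Service("FTP", 21, incoming_allowed=False, auto_block=True))
    t0 = 1_000_000.0
    return [
        fw.incoming("10.1.2.3", 80, t0),                        # private source: blocked site
        fw.incoming("203.0.113.9", 23, t0),                     # blocked port
        fw.incoming("203.0.113.9", 21, t0),                     # denied FTP: auto-block source
        fw.incoming("203.0.113.9", 80, t0 + 1),                 # now denied even for HTTP
        fw.incoming("203.0.113.9", 80, t0 + fw.block_seconds + 1),  # block expired
        fw.incoming("198.51.100.7", 25, t0),                    # ordinary allowed SMTP
    ]


if __name__ == "__main__":
    print(demo())
```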
CHAPTER 8 Configuring Services
The Services Arena of Policy Manager displays an icon for each configured service. A service represents a particular type of proxy or packet-filtering connection such as FTP, SMTP, or proxied HTTP. A symbol next to the service indicates whether the service is configured for outgoing traffic, incoming traffic, or both. Services with no symbol are not active. The Firebox System includes many well-known service types. You can also add unique or custom services.
7 You can add multiple services to the Services Arena while the Services dialog box is open. When you finish adding services, click Close. The Services Arena displays an icon for each service added.
8 Click File => Save => To Firebox to save your changes to the Firebox. Specify the location and name of the new configuration file.
Creating a new service
In addition to well-known services, you can create and add a new or custom service.
8 In the Port text box, enter the well-known port number for this service. For a list of well-known services and their associated ports, see the Reference Guide or Online Help.
9 Click OK. Policy Manager adds the port configuration to the New Service dialog box.
10 Verify that the name, description, and configuration of this service are correct.
11 Click Add to configure another port for this service. Repeat the process until all ports for the service are configured.
6 Click OK.
Adding outgoing service properties
From Policy Manager:
1 In the Services Arena, double-click the service. Click the Outgoing tab. The Properties dialog box displays the Outgoing properties tab.
2 Use the Outgoing Connections Are drop list to select Enabled and Allowed.
3 To define specific users and hosts on the Trusted network that can send packets out through the service, click Add beneath the From list. The Add Address dialog box appears.
Configuring services for authentication
One way to create effective user authentication environments is to restrict all outgoing services to allow connections only from authenticated users. The following example applies to dynamically addressed (DHCP-based) networks.
1 Create a group on the Windows NT server that contains all the user accounts.
2 In the Policy Manager Services Arena, double-click the Outgoing or Proxy service icon.
2 On the toolbar, click the Delete Service icon (it appears as an “X”). You can also select Edit => Delete. A verification alert appears.
3 Click Yes. Policy Manager removes the service from the Services Arena.
4 Click File => Save => To Firebox to save your changes to the Firebox. Specify the location and name of the new configuration file.
Setting up proxy services
The WatchGuard Firebox System uses a technology called “transparent proxies.
3 Click Incoming. The Incoming SMTP Proxy dialog box appears, displaying the General tab.
4 Modify general properties according to your preference. For a description of each control, right-click it, and then click What’s This?.
5 To modify logging properties, click the Logging tab.
Selecting content types
From the SMTP Proxy Properties dialog box:
1 Click the Content Types tab.
2 Click Add under the Content Types box. The Select MIME Type dialog box appears.
Configuring the outgoing SMTP proxy
Use the Outgoing SMTP Proxy dialog box to set the parameters for traffic going from your Trusted and Optional network to the world. You must already have an SMTP Proxy service icon in the Services Arena. Double-click the icon to open the service’s Properties dialog box:
1 Click the Properties tab.
2 Click Outgoing. The Outgoing SMTP Proxy dialog box appears, displaying the General tab.
5 Click OK.
6 Click File => Save => To Firebox to save your changes to the Firebox. Specify the location and name of the new configuration file.
Configuring an HTTP proxy service
HyperText Transfer Protocol (HTTP) is the protocol used by the World Wide Web to move information around the Internet. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers take in response to commands.
3 If you are using the HTTP proxy service because you want to use WebBlocker, follow the procedure in the next section. Otherwise, enable HTTP proxy properties according to your security policy preferences. For detailed descriptions of HTTP proxy options, see the Reference Guide. Zip files are denied when you deny Java or ActiveX applets, because zip files often contain these applets.
4 Click the Safe Content tab.
Service precedence
From    To      Rank
Any     IP      4
IP      Any     5
Any     List    6
List    Any     7
Any     Any     8
“IP” refers to exactly one host IP address; “List” refers to multiple host IP addresses, a network address, or an alias; and “Any” refers to the special “Any” target (not “Any” services). When two icons represent the same service (for example, two Telnet icons or two Any icons), they are sorted using the above tables. The most specific one is always checked first for a match.
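An added example (not WatchGuard's code) that applies the precedence table above to a set of rules for one service: each From/To target is classified as IP, List or Any, the rank is looked up, and the rules are walked most specific first. Ranks 4 to 8 are the rows shown on this page; rows for ranks 1 to 3 (neither side Any) are not on this page, so such rules get a placeholder rank of 1 here, an assumption that only preserves "most specific first". The Telnet rules and addresses are constructed.

```python
import ipaddress

# Ranks from the table on this page: (From class, To class) -> rank.
RANK = {
    ("Any", "IP"): 4,
    ("IP", "Any"): 5,
    ("Any", "List"): 6,
    ("List", "Any"): 7,
    ("Any", "Any"): 8,
}
PLACEHOLDER_RANK = 1   # assumption for rows 1-3, which are not on this page


def classify(target) -> str:
    """Map a target to the table's "IP", "List" or "Any" class."""
    if target == "Any":
        return "Any"
    if isinstance(target, (list, tuple, set)):
        return "List"                                  # multiple host IP addresses
    try:
        ipaddress.ip_address(target)                   # exactly one host IP address
        return "IP"
    except ValueError:
        pass
    try:
        net = ipaddress.ip_network(target, strict=False)
        return "IP" if net.num_addresses == 1 else "List"   # a /32 is still one host
    except ValueError:
        return "List"                                  # an alias name such as "sales_hosts"


def rank(rule: dict) -> int:
    return RANK.get((classify(rule["from"]), classify(rule["to"])), PLACEHOLDER_RANK)


def order_for_matching(rules: list) -> list:
    """Most specific (lowest rank) first; sorted() is stable, so ties keep their order."""
    return sorted(rules, key=rank)


def covers(target, addr: str) -> bool:
    """Does a From/To target include the address? Aliases are opaque names here."""
    if target == "Any":
        return True
    if isinstance(target, (list, tuple, set)):
        return any(covers(t, addr) for t in target)
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False


def first_match(rules: list, src: str, dst: str):
    """Return the first rule, in precedence order, whose From and To cover src and dst."""
    for rule in order_for_matching(rules):
        if covers(rule["from"], src) and covers(rule["to"], dst):
            return rule
    return None


# Constructed: three Telnet icons with different From/To targets.
TELNET_RULES = [
    {"name": "telnet-any",   "from": "Any",          "to": "Any",      "action": "deny"},
    {"name": "telnet-admin", "from": "Any",          "to": "10.0.1.5", "action": "allow"},
    {"name": "telnet-lan",   "from": "10.0.1.0/24",  "to": "Any",      "action": "allow"},
]

if __name__ == "__main__":
    for rule in order_for_matching(TELNET_RULES):
        print(rank(rule), rule["name"])
    print(first_match(TELNET_RULES, "198.51.100.7", "10.0.1.9")["action"])
```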
CHAPTER 9 Controlling Web Traffic
WebBlocker is a feature of the Firebox System that works in conjunction with the HTTP proxy to provide Web-site filtering capabilities. It enables you to exert fine control over the type of Web sites that users on your trusted network are allowed to view. For more information about WebBlocker and site blocking, see the WebBlocker section of the Network Security Handbook.
How WebBlocker works
WebBlocker relies on a URL database built and maintained by SurfControl.
Logging and WebBlocker
WebBlocker logs attempts to access sites blocked by WebBlocker. The log that is generated displays information about source and destination address as well as the blocked URL and the category that caused the denial. WebBlocker also generates a log entry showing the results of any attempted database retrieval, including whether or not it was successful and, if not successful, why.
Processor regularly and automatically updates the WebBlocker database stored on your Firebox. From Policy Manager:
1 If you have not already done so, double-click the service icon you are using for HTTP. Click the Properties tab. Click Settings. The proxy’s dialog box appears.
2 Click the WebBlocker Controls tab. The WebBlocker Controls tab appears only if you selected WebBlocker during installation.
2 In the Allowed Exceptions section, click Add to add either a network or host IP address to be allowed at all times. To allow a specific string for a domain, select Host Address. To allow a specific directory pattern, enter the string to be allowed.
3 In the Deny Exceptions section, click Add to add either a network or an IP address to be denied at all times. To block a specific string to be denied for a domain, select Host Address.
CHAPTER 10 Setting Up Network Address Translation
Network address translation (NAT) hides internal network addresses from hosts on an external network. WatchGuard supports two types of NAT:
• Outgoing dynamic NAT: Hides network addresses from hosts on another network; works only on outgoing messages.
• Incoming static NAT: Provides port-to-host remapping of incoming IP packets destined for a public address to a single internal address; works only on incoming messages.
Using simple dynamic NAT
In the majority of networks, the preferred security policy is to globally apply network address translation to all outgoing packets. Simple dynamic NAT provides a quick method to set NAT policy for your entire network.
Enabling simple dynamic NAT
The default configuration of simple dynamic NAT enables it from the Trusted network to the External network. To enable simple dynamic NAT, use the Setup Dynamic NAT dialog box.
Using service-based NAT
Using service-based NAT, you can set outgoing dynamic NAT policy on a service-by-service basis. Service-based NAT is most frequently used to make exceptions to a globally applied simple dynamic NAT entry. For example, use service-based NAT on a network with simple NAT enabled from the Trusted to the Optional network with a Web server on the Optional network that should not be masqueraded to the actual Trusted network.
Configuring a service for incoming static NAT
Static NAT works on a port-to-host basis. Incoming packets destined for a specific public address and port on the External network are remapped to an address and port behind the firewall. You must configure each service separately for static NAT. Typically, static NAT is used for public services such as Web sites and e-mail that do not require authentication.
6 Enter the internal IP address. The internal IP address is the final destination on the Trusted network.
7 If appropriate, enable the Set Internal Port To Different Port Than Service checkbox. This feature is rarely used. It enables you to redirect packets not only to a specific internal host but also to an alternative port. If you enable the checkbox, enter the alternative port number in the Internal Port field.
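A small model of the two NAT types in this chapter, added as an example and not taken from the product: outgoing dynamic NAT masquerades Trusted sources behind the External interface address and translates the replies back, while incoming static NAT remaps a public address and port to a host behind the firewall, optionally on a different internal port (the checkbox in step 7). The addresses, the masquerade port pool and the class names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NAT:
    external_ip: str                               # address of the External interface
    next_port: int = 40000                         # assumed start of the masquerade pool
    static: dict = field(default_factory=dict)     # (public ip, port) -> (internal ip, port)
    dynamic: dict = field(default_factory=dict)    # masquerade port -> (trusted ip, port)

    def add_static(self, public_ip: str, port: int, internal_ip: str,
                   internal_port: Optional[int] = None) -> None:
        """Static NAT entry; internal_port is the 'Set Internal Port To Different
        Port Than Service' option and defaults to the service port."""
        self.static[(public_ip, port)] = (internal_ip, internal_port or port)

    def outgoing(self, pkt: Packet) -> Packet:
        """Dynamic NAT: replace the Trusted source with the External address and a
        pool port, remembering the mapping so the reply can be translated back."""
        port = self.next_port
        self.next_port += 1
        self.dynamic[port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port)

    def incoming(self, pkt: Packet) -> Optional[Packet]:
        """Translate an incoming packet: a reply to a masqueraded flow, a static NAT
        hit, or None when no mapping exists (the packet is not forwarded)."""
        if pkt.dst_ip == self.external_ip and pkt.dst_port in self.dynamic:
            ip, port = self.dynamic[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        hit = self.static.get((pkt.dst_ip, pkt.dst_port))
        if hit is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, hit[0], hit[1])


def demo() -> tuple:
    """Constructed traffic through one Firebox with a web and a mail server behind it."""
    nat = NAT(external_ip="203.0.113.1")
    nat.add_static("203.0.113.1", 80, "10.0.1.10")          # web server, same port
    nat.add_static("203.0.113.1", 25, "10.0.1.20", 2525)    # mail server on an alternate port
    out = nat.outgoing(Packet("10.0.1.55", 51000, "198.51.100.9", 443))
    reply = nat.incoming(Packet("198.51.100.9", 443, out.src_ip, out.src_port))
    web = nat.incoming(Packet("198.51.100.9", 33000, "203.0.113.1", 80))
    mail = nat.incoming(Packet("198.51.100.9", 33001, "203.0.113.1", 25))
    unmapped = nat.incoming(Packet("198.51.100.9", 33002, "203.0.113.1", 22))
    return out, reply, web, mail, unmapped


if __name__ == "__main__":
    for p in demo():
        print(p)
```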
CHAPTER 11 Setting Up Logging and Notification

Logging and notification are crucial to an effective network security policy. Together, they make it possible to monitor your network security, identify both attacks and attackers, and take action to address security threats and challenges. Logging occurs when the firewall records the occurrence of an event to a log file.
WatchGuard logging architecture

log messages to the second Event Processor. It continues through the list until it finds an Event Processor capable of recording events. Multiple Event Processors operate in failover mode, not redundancy mode: events are not logged to multiple Event Processors simultaneously; they are logged only to the primary Event Processor unless that host becomes unavailable. Then the logs are passed on to the next available Event Processor according to the order of priority.
Designating Event Processors for a Firebox

you run the QuickSetup wizard. You can specify a different primary Event Processor as well as multiple backup Event Processors.
• IP address of each Event Processor
• Encryption key to secure the connection between the Firebox and Event Processors
• Priority order of primary and backup Event Processors

Adding an Event Processor

From Policy Manager:
1 Select Setup => Logging.
2 Click Add.
3 Enter the IP address to be used by the Event Processor.
Removing an Event Processor

Remove an Event Processor when you no longer want to use it for any logging purpose. From Policy Manager:
1 Select Setup => Logging. The Logging Setup dialog box appears.
2 Click the host name. Click Remove.
3 Click OK. The Logging Setup dialog box closes and removes the Event Processor entry from the configuration file.
Another way to set the Event Processor (and domain controller) clocks is to use an independent source such as the atomic clock-based servers available on the Internet. One place to access this service is: http://www.bldrdoc.gov/timefreq

Setting up the LiveSecurity Event Processor

The LiveSecurity Event Processor controls logging and notification.
Windows NT service. The default method on installation is for it to run as a Windows NT service.

As a Windows NT or Windows 2000 Service

By default, the Event Processor is installed to run as a Windows NT service, starting automatically every time the host computer restarts. You can also install and run the Event Processor manually:
1 At the command line, type: controld -nt-install
2 Start the LiveSecurity Event Processor service.
Starting and stopping the Event Processor

The Event Processor starts automatically when you start the host on which it resides. However, it is possible to stop or restart the Event Processor from its interface at any time. Open the Event Processor interface:
• To start the Event Processor, select File => Start Service.
• To stop the Event Processor, select File => Stop Service.
3 For a record size, enable the By Number of Entries checkbox. Use the scroll control or enter a number of log record entries. The Approximate Size field changes to display the approximate file size of the final log file. For a detailed description of each control, right-click it, and then select What’s This?.
4 Click OK. The Event Processor Interface closes and saves your entries. New settings take effect immediately.
Send Notification: Enable this checkbox to enable notification on the event type; clear it to disable logging for the event type. The remaining controls are active when you enable the Send Notification checkbox:
E-mail: Triggers an e-mail message when the event occurs. Set the e-mail recipient in the Notification tab of the LiveSecurity Event Processor.
Pager: Triggers a page when the event occurs.
Customizing logging and notification by service or option

From Policy Manager:
1 Double-click a service in the Services Arena. The Properties dialog box appears.
2 Click Logging. The Logging and Notification dialog box appears. The options for each service are identical; the main difference is based on whether the service in question is for incoming, outgoing, or bidirectional communication.
3 Modify logging and notification properties according to your security policy preferences. Click OK.
CHAPTER 12 Connect with Out-of-Band Management

The WatchGuard Firebox System out-of-band (OOB) management feature enables the Management Station to communicate with a Firebox by way of a modem and telephone line. OOB is useful for remotely configuring a Firebox when access via the Ethernet interfaces is unavailable.
Enabling the Management Station

Preparing a Windows NT Management Station for OOB

Install the Microsoft Remote Access Server (RAS) on the Management Station. From the Windows NT Desktop:
1 Attach a modem to your computer according to the manufacturer’s instructions.
2 Select Start => Settings => Control Panel.
3 Double-click Network.
4 Click Add. The Select Network Service dialog box appears.
5 Click Remote Access Server. Click OK. Follow the rest of the prompts to complete the installation.
5 Enter a name for your connection. This can be anything that reminds you of the icon’s purpose (VPN Connection, for example).
6 Click Finish.
7 Click either Dial or Cancel. A new icon is now in the Network and Dial-Up Connections folder. To use this dialup connection, double-click the icon in the folder.

Configuring the Firebox for OOB

OOB management features are configured in Policy Manager using the Network Configuration dialog box, OOB tab.
PART IV Administering a Security Policy

Network security is more than just designing and implementing a security policy and copying the resulting configuration file to a WatchGuard Firebox. Truly effective network security requires constant vigilance and ongoing adaptation to changing business needs. WatchGuard provides the following functionality for administering your security policy:
Aliases and Authentication: Control access to services by requiring users to identify themselves.
CHAPTER 13 Creating Aliases and Implementing Authentication

Aliases are shortcuts used to identify groups of hosts, networks, or users with one name. The use of aliases simplifies user authentication and service configuration. User authentication provides access control for outgoing connections. Authentication dynamically maps an individual username to a workstation IP address, allowing the tracking of connections based on name rather than static IP address.
Using host aliases

Adding a host alias

From Policy Manager:
1 Select Setup => Authentication. The Member Access and Authentication Setup dialog box appears.
2 Click the Aliases tab.
3 Click Add.
4 In the Host Alias Name text box, enter the name used to identify the alias when configuring services and authentication.
5 Click Add. The Add Address dialog box appears.
6 Define the alias by adding hosts or users.
7 To add an existing member, click the name in the Members list. Click Add.
What is user authentication?

User authentication allows the tracking of connections based on name rather than IP address. With authentication, it no longer matters what IP address is used or from which machine a person chooses to work; the username defines the permissions of the user, and follows the user from workstation to workstation.
Configuring Firebox authentication

You can use the WatchGuard Firebox System to define users and groups for authentication. Enter Firebox User information using Policy Manager. Firebox Users are intended for remote user virtual private networking (VPN). WatchGuard automatically adds two Firebox user groups to the basic configuration file:
• ipsec_users – Add the names of authorized users of remote user VPN with IPSec (Mobile User).
2 Under Authentication Enabled Via, click the NT Service option. WatchGuard activates the Windows NT Server controls.
3 Click the Windows NT Server tab.
4 To identify the host, do either of the following:
- Enter both the host name and the IP address of the Windows NT network.
- Enter the host name. Click Find IP.
5 Enable or clear the checkbox labeled Use Local Groups.
Configuring RADIUS server authentication

On the RADIUS Server

Gather the IP address of the Firebox and the user or group aliases you want to authenticate using RADIUS. The aliases appear in the “From” and “To” listboxes for the individual services’ Properties dialog boxes.
1 Add the IP address of the Firebox where appropriate according to the RADIUS server vendor. Some RADIUS vendors may not require this.
Configuring CRYPTOCard server authentication

8 Enter the value of the shared secret between the Firebox and the CRYPTOCard server. This is the key or client key in the “Peers” file on the CRYPTOCard server. This key is case sensitive and must be identical on the Firebox and the CRYPTOCard server for CRYPTOCard authentication to work.
9 Click OK. The Member Access and Authentication Setup dialog box closes, and the new authentication settings are saved.
Configuring SecurID authentication

7 If you are using a backup server, enable the Specify backup SecurID server checkbox. Enter the IP address and port number for the backup server.
8 Click OK.

Using authentication to define remote user VPN access

WatchGuard uses two built-in Firebox groups to identify currently active remote user virtual private network users.
CHAPTER 14 Monitoring Firebox Activity

An important part of an effective network security policy is the monitoring of network events. Monitoring enables you to recognize patterns, identify potential attacks, and take appropriate action. If an attack occurs, the records kept by WatchGuard will help you reconstruct what happened.
Firebox Monitors

Setting Firebox Monitors view properties

You can configure Firebox Monitors to display traffic at different speeds, intervals, and amplitude. From Firebox Monitors:
1 Select View => Properties.
2 Modify display properties according to your preferences.

Bandwidth Meter

The Bandwidth Meter tab displays real-time bandwidth usage for one Firebox interface at a time.
Packet counts

The number of packets allowed, denied, and rejected between status queries. Rejected packets are denied packets for which WatchGuard sends an ICMP error message.
Allowed: 5832
Denied: 175
Rejects: 30

Log and notification hosts

The IP addresses of the log and notification hosts.
Log host(s): 206.148.32.16
Notification host: 206.148.32.
Block Network 123.152.24.64/28 eth2

Logging options

Logging options configured with either the QuickSetup wizard or by adding and configuring services from Policy Manager.
(sample process listing)
42     http-serve   S   1052   536   476   372
41     fwcheck      S    716   288   296   232
43     http-proxy   S   1072   660   580   472
22121  smtp-proxy   S    984   360   536   464
19698  http-serve   S   1176   704   600   326

Interfaces

Each network interface is displayed in this section, along with detailed information regarding its status and packet count:
Interfaces
lo Link encap:Local Loopback
inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.
[Routing table: sample display with entries for 198.148.32.0 on eth1:0, 127.0.0.0 on lo, and the default route via 207.54.9.30 on eth0]

ARP table

A snapshot of the ARP table on the running Firebox. The ARP table is used to map IP addresses to hardware addresses:
ARP Table
Address: 207.23.8.32 207.23.8.52 207.23.8.21 201.148.32.54 201.148.32.26 207.23.8.
HostWatch

The HostWatch display uses the logging settings configured for your Firebox using the Policy Manager. For instance, to see all denied attempts at incoming Telnet in HostWatch, configure the Firebox to log incoming denied Telnet attempts. The line connecting the source host and destination host is color-coded to display the type of connection being made. These colors can be changed. The defaults are:
• Red – The connection is being denied.
• Blue – The connection is being proxied.
2 Browse to locate and select the Logdb file. By default, log files are stored in the WatchGuard installation directory at C:\Program Files\WatchGuard\logs. HostWatch loads the log file and begins to replay the activity.
3 To pause the display, click Pause.
4 To restart the display, click Continue.
5 To step through the display one entry at a time, click Pause. Click the right arrow to step forward through the log. Click the left arrow to step backward through the log.
4 In the New User field, enter the user ID of the authenticated user to watch. Click Add. Repeat for each authenticated user that HostWatch should monitor. Inside hosts and authenticated users are displayed even if there are no connections for them.
5 Click OK.

Modifying view properties

You can change how HostWatch displays information. For example, HostWatch can display host names rather than IP addresses. From HostWatch:
1 Select View => Properties.
CHAPTER 15 Reviewing and Working with Log Files

Log entries are stored on the primary and backup LiveSecurity Event Processor. By default, log files are placed in the WatchGuard installation directory in a subdirectory called \logs. The log file to which the Event Processor is currently writing records is named after the Firebox IP address with the extension .wgl (Firebox IP.wgl). In addition, the Event Processor creates an index file in the same directory by the same name with the extension .idx.
Viewing files with LogViewer

2 Configure LogViewer display preferences as you choose. For a description of each control on the General tab, right-click it and then click What’s This? For information on the Filter Data tab, see “Displaying and hiding fields” on page 105.

Searching for specific entries

LogViewer has a search tool to enable you to find specific transactions quickly by keyphrase or field. From LogViewer:
By keyphrase
1 Select Edit => Search => By Keyphrase.
Displaying and hiding fields

Use the Preferences dialog box to show or hide columns displayed in LogViewer. From LogViewer:
1 Select View => Preferences. Click the Filter Data tab.
2 Enable the checkboxes of the fields you would like to display. Disable the checkboxes of those columns you would like to hide.
To hide columns, point the mouse at the right edge of the column heading in the main window and click and drag the edge to the left until the column disappears.
IP header length: Length, in octets, of the IP header for this packet. A header length that is not equal to 20 indicates that IP options were present. Default = Hide
TTL (time to live): The value of the TTL field in the logged packet. Default = Hide
Source address: The source IP address of the logged packet. Default = Show
Destination address: The destination IP address of the logged packet. Default = Show
Source port: The source port of the logged packet. UDP or TCP only.
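How the fields listed above are read out of a packet, including the "header length not equal to 20 means IP options were present" check and the rule that ports exist only for TCP and UDP. This is an added Python example, not LogViewer's code; the packets it parses are constructed in the block, not captured from a Firebox.

```python
import socket
import struct

IP_HEADER = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, ID, flags/frag,
                               # TTL, protocol, checksum, source, destination


def build_packet(ihl_words, ttl, proto, src, dst, src_port, dst_port):
    """Assemble a constructed IPv4 datagram whose payload starts with two ports.

    ihl_words is the IHL field (5 = no options); extra words are padded with
    NOP options and a final End-of-Options byte.
    """
    options = b""
    if ihl_words > 5:
        options = b"\x01" * ((ihl_words - 5) * 4 - 1) + b"\x00"
    total_len = ihl_words * 4 + 4
    header = struct.pack(IP_HEADER, (4 << 4) | ihl_words, 0, total_len,
                         0x1234, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + struct.pack("!HH", src_port, dst_port)


def parse_ip_header(data: bytes) -> dict:
    """Extract the LogViewer fields from raw packet bytes."""
    if len(data) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, _total, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IP_HEADER, data[:20])
    header_len = (ver_ihl & 0x0F) * 4          # IHL is in 32-bit words; log shows octets
    if (ver_ihl >> 4) != 4 or header_len < 20 or header_len > len(data):
        raise ValueError("not a well-formed IPv4 header")
    fields = {
        "header_len": header_len,
        "options_present": header_len != 20,   # the check described in the guide
        "ttl": ttl,
        "protocol": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "src_port": None,
        "dst_port": None,
    }
    # Ports are a transport-layer concept: fill them only for TCP (6) and
    # UDP (17), and only if the bytes after the IP header are really there.
    if proto in (6, 17) and len(data) >= header_len + 4:
        fields["src_port"], fields["dst_port"] = struct.unpack(
            "!HH", data[header_len:header_len + 4])
    return fields


if __name__ == "__main__":
    # Constructed samples: a plain TCP packet and a UDP packet carrying options.
    for pkt in (build_packet(5, 64, 6, "10.0.1.5", "203.0.113.10", 34567, 80),
                build_packet(6, 128, 17, "10.0.1.9", "10.0.1.53", 5353, 53)):
        print(parse_ip_header(pkt))
```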
Working with log files

4 Enter the destination for the files in the Copy to This Directory box.
5 Click Merge. The log files are merged and saved to the new file in the designated directory.

Copying log files

You can copy a single log file from one location to another, and you can copy the current, active log file. From LiveSecurity Event Processor:
1 Select File => Copy or Merge Log Files.
2 Click Copy each file individually.
3 Enter the file to copy in the Files to Copy box.
CHAPTER 16 Generating Reports of Network Activity

Historical Reports is a reporting tool that creates summaries and reports of Firebox log activity. It generates these reports using the log files created by and stored on the LiveSecurity Event Processor. Use Historical Reports to define reports, create filters, and process reports for viewing in a standard Web browser. You can customize reports to include exactly the information you need in a form that is most useful to you.
Creating a new report

From Historical Reports:
1 Click Add.
2 Enter the report name. The report name will appear in Historical Reports, the LiveSecurity Event Processor, and the title of the output.
3 Use the box next to Log Directory to define the location of log files. The default location for log files is the \logs subdirectory of the WatchGuard installation directory.
4 Use the box next to Output Directory to define the location of the output files.
Specifying report sections

2 Enable the checkboxes for sections to be included in the report. For a description of each section, see “Report sections and consolidated sections” on page 115.

Specifying a report time span

When running Historical Reports, the default is to run the report across the entire log file. You can use the drop list on the Time Filters dialog box to select from a group of pre-set time periods, such as “yesterday” and “today.”
3 Enter the number of elements to rank in the table. Default is 100.
4 Select the style of graph to use in the report.
5 Select the manner in which you want the proxied summary reports sorted: bandwidth or connections.
6 Enter the number of records to display per page for the detailed sections. The default is 1,000 records. A larger number than this might crash the browser or cause the file to take a long time to load.
7 Click OK.
Exporting reports

Exporting a report to a text file

When you select Text Export from the Setup tab on the Report Properties dialog box, the report output is created as a comma-delimited format file. The report appears as a .txt file in the following path: drive:\WatchGuard Install Directory\Reports\Report Directory

Using report filters

By default, a report displays information on the entire contents of a log file.
Editing a filter

At any time, you can modify the properties of an existing filter. From the Filters dialog box in Historical Reports:
1 Highlight the filter to modify. Click Edit. The Report Filter dialog box appears.
2 Modify filter properties according to your preferences. For a description of each property, right-click it, and then click What’s This?.

Deleting a filter

To remove a filter from the list of available filters, highlight the filter. Click Remove.
Scheduling and running reports

Manually running a report

At any time, you can run one or more reports using Historical Reports. From Historical Reports:
1 Enable the checkbox next to each report you would like to generate.
2 Click Run.

Report sections and consolidated sections

You can use Historical Reports to build a report that includes one or more sections. Each section represents a discrete type of information or network activity.
Session Summary – Packet Filtered
A table, and optionally a graph, of the top incoming and outgoing sessions, sorted either by byte count or number of connections. The format of the session is: client -> server : service. If the connection is proxied, the service is represented in all capital letters. If the connection is packet filtered, Historical Reports attempts to resolve the server port to a table to represent the service name.
Denied Outgoing Packet Detail
A list of denied outgoing packets, sorted by time. The fields are Date, Time, Type, Client, Client Port, Server, Server Port, Protocol, and Duration.
Denied Incoming Packet Detail
A list of denied incoming packets, sorted by time. The fields are Date, Time, Type, Client, Client Port, Server, Server Port, Protocol, and Duration.
Reports attempts to resolve the server port to a table to represent the service name. If resolution fails, Historical Reports displays the port number.
Time Summary – Proxied Traffic
A table, and optionally a graph, of all accepted proxied connections distributed along user-defined intervals and sorted by time. If you choose the entire log file or specific time parameters, the default time interval is daily. Otherwise, the time interval is based on your selection.
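The Session Summary formatting and ranking rules described for the packet-filtered and proxied sections (client -> server : service, proxied services in capitals, packet-filtered ports resolved through a name table with the port number as fallback, ranking by byte count or connection count up to the elements-to-rank limit), as an added Python example that is not Historical Reports' code. The connection records and the port-to-name table are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One accepted session (constructed record, not WatchGuard's log format)."""
    client: str
    server: str
    server_port: int
    proxied: bool
    proxy: str = ""        # proxy name; only meaningful when proxied is True
    byte_count: int = 0


# Hypothetical port-to-name table standing in for the one Historical Reports
# consults when it resolves a packet-filtered server port to a service name.
PORT_NAMES = {25: "smtp", 53: "dns", 80: "http", 443: "https"}


def session_name(conn: Connection) -> str:
    """Format a session as 'client -> server : service'."""
    if conn.proxied:
        service = conn.proxy.upper()            # proxied: service in capitals
    else:                                       # packet filtered: resolve the
        service = PORT_NAMES.get(conn.server_port,   # port, else show the number
                                 str(conn.server_port))
    return f"{conn.client} -> {conn.server} : {service}"


def session_summary(conns, sort_by="bytes", top=100):
    """Rank sessions by total byte count or by number of connections.

    Returns (session, bytes, connections) tuples, highest first, cut off at
    the 'number of elements to rank' setting (default 100).
    """
    totals = defaultdict(lambda: [0, 0])        # session -> [bytes, connections]
    for conn in conns:
        entry = totals[session_name(conn)]
        entry[0] += conn.byte_count
        entry[1] += 1
    key = 0 if sort_by == "bytes" else 1
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1][key], kv[0]))
    return [(name, b, n) for name, (b, n) in ranked[:top]]


# Constructed sample: two proxied HTTP hits, three packet-filtered HTTPS
# connections, and one packet-filtered connection to an unnamed port.
SAMPLE = [
    Connection("10.0.1.5", "198.51.100.7", 80, True, "http", 120000),
    Connection("10.0.1.5", "198.51.100.7", 80, True, "http", 30000),
    Connection("10.0.1.8", "198.51.100.9", 443, False, "", 50000),
    Connection("10.0.1.8", "198.51.100.9", 443, False, "", 10000),
    Connection("10.0.1.8", "198.51.100.9", 443, False, "", 5000),
    Connection("10.0.1.12", "198.51.100.20", 8443, False, "", 70000),
]

if __name__ == "__main__":
    for name, b, n in session_summary(SAMPLE, "bytes"):
        print(f"{b:>8} bytes  {n} conn  {name}")
```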
PART V WatchGuard® Virtual Private Networking

A virtual private network (VPN) allows the secure tunneling of data between two networks (or a host to a network) via a third unprotected network. The WatchGuard Firebox System includes two methods to provide secure tunnels:
Branch office virtual private network: Use the WatchGuard Branch Office VPN features to securely connect two or more locations over the Internet.
CHAPTER 17 Configuring Branch Office Virtual Private Networking

Branch office virtual private networking (VPN) creates a secure tunnel, over an unsecured network, between two networks protected by the WatchGuard Firebox System or between a WatchGuard Firebox and an IPSec-compliant device. Using branch office VPN, you can connect two or more locations over the Internet while still protecting the resources of your trusted and optional networks.
• IP network addresses for the networks communicating with one another.
• A common passphrase, known as a shared secret.
• For WatchGuard VPN only, the local VPN IP address of each Firebox. It must be selected from a reserved network address that is not in use on either of the networks being connected. For more information, see RFC 1918 or “Setting Up Network Address Translation” on page 63.
Both ends of the tunnel must use the same encryption method.
Using DVCP to connect to devices

Note also that if you configure a SOHO for both Basic and Enhanced DVCP, the gateway names must be different. From Policy Manager:
1 Select Network => Branch Office VPN => Basic DVCP. The DVCP Configuration dialog box appears.
2 Click Add.
3 Enter a distinctive name for the DVCP client. Enter the shared key. Click Next. The client name appears in the DVCP Configuration dialog box as well as the Control Center Firebox and Tunnel Status display.
You can also change the network range of a WatchGuard client. However, when you save the configuration to the server, it automatically triggers the client to reboot and load the new policy. From Policy Manager:
1 Select Network => Branch Office VPN => Basic DVCP.
2 Select the tunnel policy. Click Edit.
3 Use the Next and Back buttons to move through the DVCP Client Wizard and reconfigure tunnel properties. When complete, click Finish.
Branch office VPN with IPSec

and how WatchGuard implements branch office VPN with IPSec, see the Network Security Handbook.
• Determine the tunnel and policy endpoints
• Select an encryption method
• Select an authentication method
From Policy Manager:
• Select Network => Branch Office VPN => IPSec.

Configuring a gateway

A gateway specifies endpoints for one or more tunnels.
Removing a gateway

From the Configure Gateways dialog box:
1 Click the gateway.
2 Click Remove.

Configuring a tunnel with manual security

A tunnel encapsulates packets between two gateways. It specifies encryption type and/or authentication method. A tunnel also specifies endpoints. The following describes how to configure a tunnel using a gateway with the manual key negotiation type. From the IPSec configuration dialog box:
1 Click Tunnels.
5 Use the Authentication drop list to select an authentication method. Options include: None (no authentication), MD5-HMAC (128-bit algorithm), or SHA1-HMAC (160-bit algorithm).
6 Click Key. Enter a passphrase. Click OK. The passphrase appears in the Authentication Key field. You cannot enter a key here directly.

Using Authenticated Headers (AH)

1 Type or use the SPI scroll control to identify the Security Parameter Index (SPI).
11 After you add all tunnels for this gateway, click OK. The Configure Gateways dialog box appears.
12 To configure more tunnels for another gateway, click Tunnels. Select a new gateway and repeat the tunnel creation procedure for that gateway.
13 When all the tunnels are created, click OK.
9 Use the Protocol drop list to limit the protocol used by the policy. Options include: * (specify ports but not protocol), TCP, and UDP.
10 In the Src Port field, enter the local host port. The local host port number is optional and is the port from which WatchGuard sends all communication for the policy. To enable communication from all ports, enter 0.
11 Click OK. The IPSec Configuration dialog box appears listing the newly created policy.
Configuring WatchGuard VPN

Allow VPN access to any services
To allow all traffic from VPN connections, add the Any service to the Services Arena and configure it as described above.
Allow VPN access to selective services
To allow traffic from VPN connections only for specific services, add each service to the Services Arena and configure each as described above.
Access control is a critical part of configuring a secure VPN environment.
4 In the Local Firebox IP field, enter an IP address from a reserved network not in use on the local or remote networks. More information on reserved networks can be found in RFC 1918. You can use the same local VPN IP address for multiple VPN connections when specifying more than one, for example when there are several branch offices connecting to a central office.
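The branch office VPN checklist (matching shared secret and encryption method at both ends, and a Local Firebox IP drawn from an RFC 1918 reserved range that is not in use on either connected network) as an added Python pre-flight check. It is not WatchGuard code; the endpoint record, the network addresses and the encryption labels are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges: the pool the guide says the local VPN IP comes from.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class VpnEndpoint:
    """One end of a WatchGuard VPN tunnel (hypothetical record, not a Firebox config)."""
    name: str
    networks: list        # networks behind this Firebox, in slash notation
    local_vpn_ip: str     # value entered in the Local Firebox IP field
    shared_secret: str    # the common passphrase
    encryption: str       # must be the same at both ends


def check_local_vpn_ip(candidate: str, local_nets, remote_nets) -> list:
    """Return why a Local Firebox IP is unsuitable; an empty list means it passes."""
    addr = ipaddress.ip_address(candidate)
    problems = []
    if not any(addr in net for net in RFC1918):
        problems.append("not in an RFC 1918 reserved range")
    # The address must not collide with anything on either connected network.
    for side, nets in (("local", local_nets), ("remote", remote_nets)):
        for net in nets:
            if addr in ipaddress.ip_network(net, strict=False):
                problems.append(f"in use on the {side} network {net}")
    return problems


def check_vpn_pair(a: VpnEndpoint, b: VpnEndpoint) -> list:
    """Apply the chapter's checklist to both ends of one tunnel."""
    problems = []
    if a.shared_secret != b.shared_secret:
        problems.append("shared secret differs between the two ends")
    if a.encryption != b.encryption:
        problems.append(f"encryption differs ({a.encryption} vs {b.encryption})")
    for end, other in ((a, b), (b, a)):
        for why in check_local_vpn_ip(end.local_vpn_ip, end.networks, other.networks):
            problems.append(f"{end.name}: local VPN IP {end.local_vpn_ip} {why}")
    return problems


if __name__ == "__main__":
    # Constructed endpoints: the branch picked an address from the HQ LAN and
    # a different encryption method, both of which the check reports.
    hq = VpnEndpoint("hq", ["10.0.1.0/24"], "192.168.250.1", "s3cret", "3DES")
    branch = VpnEndpoint("branch", ["10.0.5.0/24"], "10.0.1.200", "s3cret", "DES")
    for line in check_vpn_pair(hq, branch):
        print(line)
```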
Configuring incoming services to allow VPN

Because users on the remote Firebox are technically outside the trusted network, you must configure services to allow traffic through the VPN connection. WatchGuard recommends the following method:
1 Create a host alias corresponding to the VPN remote networks. For more information see “Adding a host alias” on page 86.
2 Add the VPN host alias to the Incoming From and Outgoing To properties of allowed services.
CHAPTER 18 Configuring the Firebox for Remote User VPN

Remote user virtual private networking (RUVPN) establishes a secure connection between an unsecured remote host and a protected network over an unsecured network. RUVPN connects an employee on the road or working from home to trusted and optional networks behind a Firebox using a standard Internet dial-up connection without compromising security.
Configuring shared servers for RUVPN

• The IP addresses of the DNS and WINS servers in the trusted network that perform IP address lookup on host alias names.
• The usernames and passwords of those authorized to connect to the Firebox using RUVPN.
3 Enter the username and password. Firebox usernames are case sensitive.
4 To add the user to a group, select the group name in the Not Member Of list. Click the left-pointing arrow. Use pptp_users for Remote User PPTP and ipsec_users for Mobile User VPN. A given user can be a member of both groups.
5 When you finish adding the user to groups, click Add. The user is added to the Users list.
- From: Selected
- To: pptp_users or ipsec_users

Configuring the Firebox for Remote User PPTP

Configuring the Firebox for Remote User PPTP requires that you perform the following:
• Enter IP addresses and networks used for clients
• Add usernames to the built-in Firebox User group pptp_users
• Activate the Remote User PPTP feature
• Configure service properties using pptp_users
• Verify WINS and DNS server settings

Activating Remote User PPTP

If you want to se
From the Remote User Setup dialog box:
1 Click the PPTP tab.
2 Click Add.
3 Use the Choose Type drop list to select either a host or network. You can configure up to 50 addresses. If you select a network address, Remote User PPTP will use the first 50 addresses in the subnet.
4 In the Value field, enter the host or network address in slash notation.
5 Click OK.
Configuring the Firebox for Mobile User VPN

automatically included in the Policy Manager software, to activate the feature a license for each installation of the client software must be purchased. To purchase IPSec license keys, contact your local reseller or visit: http://www.watchguard.com/sales

Entering license keys

The first step in configuring the Firebox for Mobile User VPN is to enter the license key(s) into the Firebox configuration file.
10 Use the Encryption drop list to select an encryption method. Options available with the strong encryption version of WatchGuard Firebox System include: None (no encryption), DES-CBC (56-bit), and 3DES-CBC (168-bit).
11 Click Next. Click Finish. The wizard closes and the username appears in the Remote User VPN Setup dialog box on the Mobile User tab Users list.
12 Click OK.
The packages are located on the WatchGuard LiveSecurity Service Web site at http://www.watchguard.com/support. Enter the Service Web site using your LiveSecurity username and password. Click the Mobile User VPN link.
• .exp end-user configuration file
A prompt appears so you can save the end-user configuration files when you save a configuration to the Firebox. These files must be available to the end user during the software client installation.
CHAPTER 19 Preparing a Host for Remote User VPN

Remote user virtual private networking (RUVPN) establishes a secure connection between an unsecured remote host and a protected network over an unsecured network. RUVPN connects an employee on the road or working from home to trusted and optional networks behind a Firebox using a standard Internet dial-up connection without compromising security.
Preparing the client computers

• Public IP address

Remote host operating system

The remote client must be running Windows and have the most recent MSDUN (Microsoft Dial-Up Networking) upgrades installed and may need other extensions and updates for proper configuration. Currently, Remote User VPN with PPTP requires these upgrades according to platform:
Encryption   Platform     Application
Both         Windows 95   DUN 1.3
Both         Windows 98   DUN 4.
5 Enter the domain name you are connecting to. This should be the same as the “Log on to Windows NT domain” value.
6 Enter a description for your computer (optional).
7 Verify that Dial-Up Adapter #2 (VPN Support) is installed. If you do not have Dial-Up Adapter #2 (VPN Support), you must install it. For instructions, see “Installing Dial-Up Adapter #2 (VPN Support)” on page 143.
8 Click OK. Click OK to close and save changes to the Network control panel.
9 Click Dial Out Only. Click Continue.
10 Click OK.
11 Restart the machine.

Adding a domain name to a Windows NT workstation

Often remote clients need to connect to a domain behind the firewall. To do this, the remote client must be able to recognize the domains to which they belong. Adding a domain requires the installation of the Computer Browser Network Service.
Configuring the remote host for RUVPN with PPTP

9 In the Initial Connection window that appears, click Yes.
10 Click Properties. The Virtual Private Connection window appears.
11 Click the General tab, and enter a host name or an IP address of the destination computer.
12 Click the Security tab. Select Typical [recommended settings].
13 Select Require secured password from the drop list. Select Require data encryption.
14 Click the Networking tab. Select Internet Protocol (TCP/IP). Click Properties.
10 Click OK. Click OK again.
11 Restart the computer.

Installing a VPN adapter on Windows NT

From the Windows NT Desktop of the remote host:
1 Double-click My Computer.
2 Double-click Dial-Up Networking.
3 If you have not already configured an entry, Windows guides you through the creation of a dialup configuration. When it prompts for a phone number, enter the host name or IP address of the Firebox.
Configuring debugging options

3 Double-click the RUVPN connection. If you configured the client computer as described in “Windows 95/98 platform preparation” on page 142, double-click Connect with RUVPN.
4 Enter the remote client username and password. These are assigned when you add the user to the pptp_users group. See “Using Remote User PPTP” on page 146.
5 Click Connect.
Index

A

Access
    controlling 83
Access rules
    defining 49
Accessing known issues 12
Activating LiveSecurity Service 8
Active connections 95
    FTP 95
Active TCP connections 95
Adding
    existing service 47
    incoming service properties 49
    new domain 144
    outgoing service properties 50
    permanent blocked sites 44
    secondary network 38
    service addresses 50
    SMTP masquerading options 54
Address patterns 53
Address space probe 43
AH (Authenticated Headers) 126
Alias
    adding 86
    creating 83
    using host 85
Any service precedence
C

Changing
    an interface IP address 39
    IPSec policy order 129
    remote network entries on VPN 131
Checklist, branch office VPN 121
Client
    DVCP 122
Client for Microsoft Networks
    installing 143
Client Wizard, DVCP 122
Communication, out-of-band 79
Completing Support Incident form 12
Configuration
    Firebox 21
    network 19
    RUVPN checklist 133
    verifying configuration 132
Configuration checklist
    branch office VPN 121
Configuration file
    creating basic 35
    opening 23
    opening from Firebox 23
    QuickSetup Wizard 36
    saving 23
    characteristics 36
    configuration 36
DVCP
    Client Wizard 122
    introduction 122
Dynamic NAT
    adding entries 64
    described 63
    disabling 65
    enabling 63, 65
    enabling simple 64
    reordering entries 64
    using simple 64
Dynamic security 127
Dynamically blocked sites 46

E

Editing
    filter in Historical Reports 114
    gateway 125
    reports 110
    SOHO tunnel properties 123
Editorial information 8
Enhanced system mode 25
E-mail list 14
e-mail support 12
Enabling simple dynamic NAT 64
Encryption 123
    levels 130
    WatchGuard VPN 130
End-us
    monitors 2, 32, 93
        BandwidthMeter 94
    opening configuration file 23
    opening configuration file from 23
    PPP timeout disconnects 81
    reinitializing 25
    resetting pass phrase 24
    saving configuration file 23
    saving configuration file to 24
    saving RUVPN configuration to 139
    setting interfaces 35
    setting the time zone 25
    starting monitors 93
    status 28
    synchronizing to Event Processor 72
    users inside 49
    users outside 49
    using out-of-band 79
Firebox II
    rear view 22
Firebox monitors
    described 32
    setting view properties
    exporting reports as 112
HTTP 48, 60, 94, 99
    protocol 55
    proxied 60
    proxy 59
    types of services 55
HTTP proxy 112
HTTP proxy reports
    HTTP detail 116
    most popular domains 116

I

Icon
    WatchGuard Service 60
Icons
    working with wg_ Icons 50
Implementing Authentication 83
Index search, online help 15
Infopacks
    editorial 8
    information alert 7
    news from WatchGuard 8
    software updates 7
    support flash 8
    threat response 7
    virus alert 8
Information Alert 7
Installing
    Event Processor on NT 74
    modem 80
    Quicksetup Wizard 35
    for blocked sites 44
    global preferences 75
    LogViewer 103
    options 96
    PPTP 137
    replaying a file 99
    searching log files 103
    setting for a service 77
    setting up 20
    viewing files 103
    WebBlocker 60
Logs
    consolidating in LogViewer 106
LogViewer 2, 83
    consolidating logs 106
    copying 104
    copying log files 107
    described 32
    displaying fields 105
    fields and meanings 105
    forcing file roll over 107
    hiding fields 105
    preferences 103
    searching 103
    searching for entries 104
    starting 103
    time zone 25
    viewing files 103
    worrkin
Navigating Control Center 27
Netscape Communicator 3
Network
    broadcast 2
    changing range of client 124
    configuration 95
    configuring 35
    configuring OOB 81
    interfaces 97
    LiveSecurity Broadcast 5, 7
    routed, described 37
    secondary 38
    services debugging 93
    setting the default gateway 39
    star with DVCP 122
Network address translation 63
Network address translation. See also Dynamic NAT.
Network address translation.
    pull-down menus 32
    services arena 32
    Status Bar 32
    toolbar 32
Policy order
    changing IPSec 129
Polling rate
    changing 30
Port address translation.
    adding a domain name to an NT workstation 144
    adding new domain for NT workstation 144
    installing a VPN adaptor for Windows 95/98 145
    installing a VPN adaptor on Windows NT 146
    installing client for Microsoft Networks 143
    installing dial-up adapter #2 for Windows 95/98 143
    preparing Windows 95/98 for RUVPN 142
    running remote user VPN with PPTP 147
    starting Remote User PPTP 146
    Windows NT platform preparation 143
starting online help 15
starting the Control Center.
    introduction 37
Routes 97
    network configuration 37
RUVPN 147
    activating remote user PPTP 136
    adding a domain name for NT 144
    adding members to built-in user groups 134
    adding new domain for NT workstation 144
    adding remote access users 134
    configuration checklist 133
    configure remote host for remote user PPTP 145
    configuring a Firebox for IPSec 137
    configuring debugging options 140
    configuring shared servers for 134
    distributing software and config files 139
    entering license keys 138
    entering WINS and DNS a
Software Update 7
SOHO
    editing tunnel properties 123
    rebooting 124
    removing tunnel 124
SpamScreen 18
Security Parameter Index. See also SPI (Security Parameter Index) 126
Spoofing 43, 95, 124
Star network
    DVCP 122
Starting
    Control Center 27
    LogViewer 103
    WatchGuard Online Help 15
Static NAT
    adding external IP addresses 66
    configuring a service 66
    configuring a service for 66
    described 63
    setting on a service 66
Status
    Firebox 28
StatusReport
    active FTP connections 95
    active TCP connections 95
    ARP table 98
    au
    manager 17
    mobile user 18
    multiple-box configuration 130
    preventing IP spoofing 131
    remote user 119
    removing IPSec gateway 126
    running with PPTP 147
    two-box configuration 130
    verifying successful configuration 132
VPN adaptor
    installing on Windows NT 146
VPN Monitor
    collapsing display 29
    expanding display 29
    Firebox Status 28
    front panel 28
    icons 28
    interpreting display 27
    QuickGuide 27
    reading display 27
    red exclamation point 29
VPN.