WatchGuard® Firebox System User Guide
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright, Trademark, and Patent Information
Copyright© 1998 - 2003 WatchGuard Technologies, Inc. All rights reserved.
Hudson (tjh@cryptsoft.com). © 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code.
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The Apache Software License, Version 1.1 Copyright (c) 2000 The Apache Software Foundation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
1. Ownership and License. The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This is a license agreement and NOT an agreement for sale.
OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY FOR LOSS OR DAMAGE TO, OR CAUSED BY OR CONTRIBUTED TO BY, THE SOFTWARE PRODUCT). Limitation of Liability. WATCHGUARD'S LIABILITY (WHETHER IN CONTRACT, TORT, OR OTHERWISE; AND NOTWITHSTANDING ANY FAULT, NEGLIGENCE, STRICT LIABILITY OR PRODUCT LIABILITY) WITH REGARD TO THE SOFTWARE PRODUCT WILL IN NO EVENT EXCEED THE PURCHASE PRICE PAID BY YOU FOR SUCH PRODUCT. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY.
Contents
CHAPTER 1 Introduction .... 1
Welcome to WatchGuard® .... 1
WatchGuard Firebox System Components .... 2
WatchGuard Firebox
WatchGuard Control Center
WatchGuard security applications
WatchGuard LiveSecurity® Service
LiveSecurity® Self Help Tools .... 12
WatchGuard Users Forum .... 14
Online Help .... 14
Starting WatchGuard Online Help .... 15
Searching for topics .... 15
Copying the Help system to additional platforms
Customizing your security policy .... 39
What to expect from LiveSecurity® Service .... 40
CHAPTER 4 Firebox Basics .... 41
What is a Firebox? .... 41
Opening a Configuration File .... 43
Opening a configuration from the Firebox
Opening a configuration from a local hard disk
Adding Basic Services to Policy Manager .... 61
Configuring Routes .... 62
Defining a Network Route .... 62
Defining a Host Route .... 63
CHAPTER 6 Using the WatchGuard Control Center .... 65
Starting Control Center and Connecting to a Firebox .... 65
Control Center Components .... 66
QuickGuide
Enabling simple dynamic NAT .... 83
Adding simple dynamic NAT entries .... 84
Reordering simple dynamic NAT entries .... 85
Specifying simple dynamic NAT exceptions .... 85
Using Service-Based Dynamic NAT .... 86
Enabling service-based dynamic NAT .... 86
Configuring service-based dynamic NAT
Adding a proxy service for HTTP .... 121
Configuring a caching proxy server .... 122
Configuring the DNS Proxy Service .... 123
Adding the DNS Proxy Service .... 124
CHAPTER 10 Creating Aliases and Implementing Authentication .... 127
Adding an alias
Blocking Sites Temporarily with Service Settings .... 157
Configuring a service to temporarily block sites .... 157
Viewing the Blocked Sites list .... 157
Setting logging and notification for blocked ports
CHAPTER 12 Monitoring Firebox Activity .... 159
Firebox Monitors .... 159
Starting Firebox Monitors and connecting to a Firebox
Viewing the WSEP application .... 180
Starting and stopping the WSEP .... 181
Setting the log encryption key .... 181
Log file size and rollover frequency .... 182
Setting the interval for log rollover .... 183
Scheduling log reports .... 184
Controlling notification
Editing an existing report .... 205
Deleting a report .... 205
Viewing the reports list .... 205
Specifying a Report Time Span .... 205
Specifying Report Sections .... 206
Consolidating Report Sections .... 206
Setting Report Properties
Setting privileges .... 223
Creating WebBlocker exceptions .... 223
Managing the WebBlocker Server .... 225
Installing Multiple WebBlocker Servers .... 225
Automating WebBlocker Database Downloads .... 225
Installing Scheduled Tasks .... 226
CHAPTER 17 Connecting with Out-of-Band Management
CHAPTER 1 Introduction

Welcome to WatchGuard®
In the past, a connected enterprise needed a complex set of tools, systems, and personnel for access control, authentication, virtual private networking, network management, and security analysis. These costly systems were difficult to integrate and not easy to update.
WatchGuard Firebox System Components
The WatchGuard Firebox System has all of the components needed to conduct electronic business safely. It is made up of the following:
• Firebox–a plug-and-play network appliance
• Control Center–a suite of management and security software tools
• A collection of advanced security applications
• LiveSecurity® Service–a security-related broadcast service

WatchGuard Firebox
The Firebox family of products is specially designed and optimized.
Historical Reports
Creates HTML reports that display session types, most active hosts, most used services, URLs, and other data useful in monitoring and troubleshooting your network.

WatchGuard security applications
In addition to basic security policy configuration, the Firebox System includes a suite of advanced software features.
Minimum Requirements

Windows NT requirements
• Microsoft Windows NT 4.0
• Microsoft Service Pack 4, Service Pack 5, or Service Pack 6a for Windows NT 4.0
Windows 2000 requirements
• Microsoft Windows 2000 Professional or Windows 2000 Server
Windows XP requirements
• Microsoft Windows XP
Web browser requirements
You must have Microsoft Internet Explorer 4.0 or later to run the installation from the CD.
Hardware feature / Minimum requirement
CPU: Pentium II
Memory: Same as for operating system. Recommended: 64 MB for Windows 98; 128 MB for Windows NT 4.
VPN Manager is bundled with the WFS software, but it is available for use only if you enable the VPN Manager checkbox when installing WFS and enter your license key.
NOTE The Firebox model 700 does not support VPN Manager.

High Availability
WatchGuard High Availability software lets you install a second, standby Firebox on your network.
SpamScreen is bundled with the WFS software, but it is available for use only if you enable the SpamScreen checkbox when installing WFS and enter your license key.

Obtaining WatchGuard Options
WatchGuard options are available from your local reseller. For more information about purchasing WatchGuard products, go to: http://www.watchguard.
About this Guide
• Code, messages, and file names appear in monospace font; for example: .wgl and .idx files
• In command syntax, variables appear in italics; for example: fbidsmate import_passphrase
• Optional command parameters appear in square brackets.
CHAPTER 2 Service and Support

No Internet security solution is complete without systematic updates and security intelligence. From the latest hacker techniques to the most recently discovered operating system bug, the daily barrage of new threats poses a perpetual challenge to any network security solution. LiveSecurity® Service keeps your security system up-to-date by providing solutions directly to you.
Threat alerts and expert advice
After a new threat is identified, you’ll receive a LiveSecurity broadcast by way of an email message from our Rapid Response Team that alerts you to the threat. Each alert includes a complete description of the nature and severity of the threat, the risks it poses, and what steps you should take to make sure your network remains continuously protected.
LiveSecurity® Broadcasts

Threat Response
After a newly discovered threat is identified, the Rapid Response Team transmits an update specifically addressing this threat to make sure your network is protected.
Software Update
You receive functional software enhancements on an ongoing basis that cover your entire WatchGuard Firebox System.
To activate the LiveSecurity Service through the Web:
1 Be sure that you have the LiveSecurity license key and the Firebox serial number handy. You will need these during the activation process.
LiveSecurity® Self Help Tools
NOTE You must register for LiveSecurity Service before you can access the online support services.
Advanced FAQs (frequently asked questions)
Detailed information about configuration options and interoperability.
Basic FAQs
General questions about the WatchGuard Firebox System.
Known Issues
Confirmed issues and fixes for current software.
WatchGuard Users Forum
A moderated Web board about WatchGuard products.
To access the online support services:
1 From your Web browser, go to http://www.watchguard.com/ and select Support.
2 Log in to LiveSecurity Service.

WatchGuard Users Forum
The WatchGuard users forum is an online group in which the users of the WatchGuard Firebox System exchange ideas, questions, and tips regarding all aspects of the product, including configuration, compatibility, and networking.
Online Help
called Help. In addition, a “live,” continually updated version of Online Help is available at: http://help.watchguard.com/lss/60 You may need to log into the LiveSecurity Service to access the Online Help system.

Starting WatchGuard Online Help
WatchGuard Online Help can be started either from the WatchGuard Management Station or directly from a browser.
• In the Management Station software, press F1.
• On any platform, browse to the directory containing WatchGuard Online Help. Open LSSHelp.
Help directory from the WatchGuard installation directory on the Management Station. It is important to include all subdirectories exactly as they appear in the original installation.

Online Help system requirements
Web browser
• Internet Explorer 4.0 or higher
• Netscape Navigator 4.7 or higher
Operating system
• Windows NT 4.
Product Documentation
WatchGuard products are fully documented on our Web site at: http://help.watchguard.com/documentation/default.asp

Assisted Support
WatchGuard offers a variety of technical support services for your WatchGuard products. Several support programs, described throughout this section, are available through WatchGuard Technical Support.
Web Contact
http://www.watchguard.com/support
Response Time
Four (4) business hours maximum target
Type of Service
Technical assistance for specific issues concerning the installation and ongoing maintenance of Firebox, SOHO, and ServerLock enterprise systems
Single Incident Priority Response Upgrade (SIPRU) and Single Incident After-hours Upgrade (SIAU) are available. For more information, please refer to the WatchGuard Web site at: http://support.watchguard.com/lssupport.
VPN Installation Services
WatchGuard Remote VPN Installation Services are designed to provide you with comprehensive assistance for basic VPN installation. You can schedule a dedicated two-hour time slot with one of our WatchGuard technicians to review your VPN policy, help you configure your VPN tunnels, and test your VPN configuration. This service assumes you have already properly installed and configured your Fireboxes.
CHAPTER 3 Getting Started

The WatchGuard Firebox System acts as a barrier between your networks and the public Internet, protecting them from security threats. This chapter explains how to install the WatchGuard Firebox System into your network.
Before installing the WatchGuard Firebox System, check the package contents to make sure you have the following items:
• WatchGuard Firebox security appliance
• QuickStart Guide
• User documentation
• WatchGuard Firebox System CD-ROM
• A serial cable (blue)
• Three crossover ethernet cables (red)
• Three straight ethernet cables (green)
• Power cable
• LiveSecurity® Service license key

Gathering Network Information
We encourage you to fill in the following tables in preparation
Network addresses
One good way to set up your network is to create two worksheets: the first worksheet represents your network now–before deploying the Firebox–and the second represents your network after the Firebox is deployed. Fill in the IP addresses in the worksheets below.
An example of a network before the Firebox is installed appears in the following figure. In this example, the Internet router performs network address translation (NAT) for the internal network. The router has a public IP address of 208.15.15.1, and the private network has an address of 192.168.10.0/24. This network also has three public servers with the addresses 208.15.15.10, 208.15.15.15, and 208.15.15.17.
Selecting a Firewall Configuration Mode
In the example, the secondary network represents the local LAN. Because the Trusted Interface is being configured with the public IP address, a secondary network is added with an unassigned private IP address from the local LAN: 192.168.10.1/24. This IP address then becomes the default gateway for devices on the local LAN.
External Interface
Connects to the external network (typically the Internet) that presents the security threat.
Trusted Interface
Connects to the private LAN or internal network that you want protected.
Optional Interface
Connects to the DMZ (Demilitarized Zone) or mixed trust area of your network. Computers on the Optional interface contain content you do not mind sharing with the rest of the world. Common applications housed on this interface are Web, email, and FTP servers.
Characteristics of a routed configuration:
• All interfaces of the Firebox must be on different networks. The minimum setup involves the External and Trusted interfaces.
• The Trusted and Optional interfaces must be on separate networks and all machines behind the Trusted and Optional interfaces must be configured with an IP address from that network.
Characteristics of a drop-in configuration:
• A single network that is not subdivided into smaller networks or subnetted.
• The Firebox performs proxy ARP, a technique in which one host answers Address Resolution Protocol requests for machines behind that Firebox that cannot hear the broadcasts. The Trusted interface ARP address replaces the router’s ARP address.
• The Firebox can be placed in a network without changing default gateways on the Trusted hosts.
Choosing a Firebox configuration
The decision between routed and drop-in mode is based on your current network. Many networks are best served by routed mode. However, drop-in mode is recommended if you have a large number of public IP addresses, you have a static external IP address, or you are not willing or able to reconfigure machines on your LAN. The following table summarizes the criteria for choosing a Firebox configuration.
When you add a secondary network, you map an IP address from the secondary network to the IP address of the Firebox interface. This is known as creating (or adding) an IP alias to the network interface. This IP alias becomes the default gateway for all the machines on the secondary network. The presence of a secondary network also tells the Firebox that another network resides on the Firebox interface wire.
Dynamic IP support on the External interface
If you are supporting dynamic IP addressing, you must choose routed configuration. If you choose the Dynamic Host Configuration Protocol (DHCP) option, the Firebox will request its IP address, gateway, and netmask from a DHCP server managed by your Internet Service Provider (ISP). This server can also provide WINS and DNS server information for your Firebox.
Setting Up the Management Station
The Management Station runs the Control Center software, which displays a real-time monitor of traffic through the firewall, connection status, and tunnel status. In addition, the WatchGuard Security Event Processor (WSEP) receives and stores log messages and issues notifications based on information it receives from the Management Station. You can designate any computer on your network as the Management Station.
more information on the WebBlocker database, see Chapter 16, “Controlling Web Site Access.”

Software encryption levels
The Management software is available in three encryption levels.
Base
Uses 40-bit encryption
Medium
Uses 56-bit DES encryption
Strong
Uses 128-bit 3DES encryption
The IPSec standard requires at least 56-bit encryption. If you want to use virtual private networking with IPSec, you must download the medium or strong encryption software.
• Plug the power cord into the Firebox power input and into a power source.
Using TCP/IP
Refer to the Firebox Rear Panel image on the previous page.
• Use the red (crossover) cable to connect the Firebox Trusted interface to the Management Station Ethernet port.
• Plug the power cord into the Firebox power input and into a power source.

Running the QuickSetup Wizard
After you finish setting up the Management Station and cabling the Firebox, use the QuickSetup Wizard to create a basic configuration file.
Manager, use wizard.cfg as the base file to which you make changes. For more information on changing a configuration file, see Chapter 5, “Using Policy Manager to Configure Your Network.” You can also run the QuickSetup Wizard again at any time to create a new, basic configuration file.
NOTE Rerunning the QuickSetup Wizard completely replaces the configuration file, writing over any prior version.
Enter the Firebox Default Gateway
(Not applicable if using DHCP or PPPoE on the External interface.)
Enter the IP address of the default gateway, which is usually the IP address of your Internet router. This IP address must be on the same network as the Firebox External interface. If the IP address is not on the same network, the QuickSetup Wizard will warn you and ask whether you want to continue.
You can remove the blue serial cable from the Management Station and Firebox after the QuickSetup Wizard is completed.

Entering IP addresses
You generally enter IP addresses into fields that resemble the one below. When typing IP addresses, type the digits and periods in sequence. Do not use the TAB key, arrow key, spacebar, or mouse to jump past the periods. For example, if you are typing the address 172.16.1.
Deploying the Firebox into Your Network
Congratulations! You have completed the installation of your Firebox. The Firebox can now be used as a basic firewall with the following properties:
• All outgoing traffic is allowed.
• All incoming traffic is blocked except ping on the External interface.
• Logs are sent to the WatchGuard Security Event Processor on the Management Station.
addition to the ones listed in the previous section, are HTTP (Internet service) and SMTP (email service). For more information on services, see Chapter 8, “Configuring Filtered Services”, and Chapter 9, “Configuring Proxied Services.”

What to expect from LiveSecurity® Service
Your Firebox includes a subscription to our award-winning LiveSecurity Service. Your subscription today:
• Ensures up-to-date network protection with the latest software upgrades.
CHAPTER 4 Firebox Basics

This chapter describes the basic tasks you perform to set up and maintain a Firebox:
• Opening a configuration file
• Saving a configuration file to a local computer or the Firebox
• Resetting Firebox passphrases
• Setting the Firebox time zone
• Setting a Firebox friendly name

What is a Firebox?
A WatchGuard Firebox is a specially designed and optimized security appliance.
NOTE There are no user-serviceable parts within the Firebox. If a user opens a Firebox case, it voids the limited hardware warranty.
The most common and effective location for a Firebox is directly behind the Internet router, as pictured below:
Other parts of the network are as follows:
Management Station
The computer on which you install and run the WatchGuard Control Center software.
Trusted network
The network behind the firewall that must be protected from the security challenge.
External network
The network presenting the security challenge, typically the Internet.
Optional network
A network protected by the firewall but still accessible from the trusted and the external networks. Typically, the optional network is used for public servers such as an FTP or Web server.
Opening a Configuration File

Opening a configuration from the Firebox
1 Select File => Open => Firebox.
The Firebox drop list, as shown in the following figure, appears.
2 Use the Firebox drop list to select a Firebox.
You can also type in the IP address or host name.
3 In the Passphrase text box, type the Firebox status (read-only) passphrase. Click OK.
Do not use the configuration passphrase to connect to the Firebox.
Saving a Configuration File
After making changes to a configuration file, you can either save it directly to the Firebox or to a local hard disk. When you save a new configuration directly to the Firebox, Policy Manager might prompt you to reboot the Firebox so that it will use the new configuration. If the Firebox does need to be rebooted, the new policy is not active until the rebooting process completes.
5 Enable the checkbox marked Save To Firebox. If you want to make a backup of the current image, enable the checkbox marked Make Backup of Current Flash Image before saving.
NOTE It is not necessary to back up the flash image every time you make a change to the configuration file. However, if you do choose this option, you must provide an encryption key. It is especially important not to forget this key.
7 If you are making a backup, in the Backup Image field, enter the path where you want to save the backup of the current flash image. Click Continue.
Instead of entering the path, you can click Browse to specify the location of the backup.
8 Enter and confirm the status (read-only) and configuration (read/write) passphrases. Click OK.
The new image is saved to the Firebox.
NOTE Making routine changes to a configuration file does not require a new flash image.
Resetting Firebox Passphrases
3 Use the Firebox drop list to select a Firebox or enter the Firebox IP address. Enter the configuration passphrase. Click OK.
The Firebox Flash Disk dialog box appears.
4 Enable the checkbox marked Save To Firebox and the radio button marked Save Configuration File and New Flash Image. Disable the checkbox marked Make Backup of Current Flash Image. Click Continue.
5 Enter and confirm the new status (read-only) and configuration (read/write) passphrases.
Setting the Time Zone
The Firebox time zone determines the date and time stamp that appear on logs and that are displayed by services such as LogViewer, Historical Reports, and WebBlocker. The default time zone is Greenwich Mean Time (Coordinated Universal Time). From Policy Manager:
1 Select Setup => Time Zone.
2 Use the drop list to select a time zone. Click OK.
CHAPTER 5 Using Policy Manager to Configure Your Network

Normally, you incorporate the Firebox into your network when you run the QuickSetup Wizard, as described in “Running the QuickSetup Wizard” on page 35. However, you can also create a basic configuration file from scratch using several functions in Policy Manager. Each of the procedures in this section can also be used to override any settings you made using the QuickSetup Wizard.
Starting a New Configuration File
To start a new configuration file:
1 From Control Center, click the Policy Manager button, shown at right.
The Policy Manager appears.
2 From Policy Manager, select File => New.
3 From the New Firebox Configuration dialog box, select the model of Firebox you are connected to.
The new configuration file contains defaults for the model of Firebox specified.
Setting IP Addresses of Firebox Interfaces

Setting addresses in drop-in mode
If you are using drop-in mode, all interfaces use the same IP address:
1 Select Network => Configuration.
The Network Configuration dialog box appears, as shown in the following figure.
2 Enable the checkbox marked Configure interfaces in Drop-In mode, located at the bottom of the dialog box.
3 Enter the IP address and default gateway for the Firebox interfaces.
Setting addresses in routed mode
If you are using routed mode, the interfaces must use different IP addresses. At least two interfaces must have IP addresses configured.
1 Select Network => Configuration.
The Network Configuration dialog box appears.
2 For each interface, in the IP Address text box, type the address in slash notation.
When typing IP addresses, type the digits and periods in sequence.
Setting DHCP or PPPoE Support on the External Interface
2 Configure the properties in the dialog box. For a description of each control, right-click it and then select What’s This?.
NOTE PPPoE debugging generates large amounts of data. Do not enable PPPoE debugging unless you are having connection problems and need help from Technical Support.

Enabling static PPPoE
Although an IP address is generally obtained automatically when using PPPoE, static PPPoE is also supported.
Configuring Drop-in Mode
If you selected drop-in mode, you can set several optional properties:
1 From the Network Configuration dialog box, click Properties.
The Advanced dialog box appears, showing the Drop-In tab, as shown in the following figure.
2 Configure the properties in the dialog box. For a description of each control, right-click it and then select What’s This?.
Adding Secondary Networks
Your configuration may require that you add secondary networks to any of the Firebox interfaces. For more information on secondary networks, see “Adding secondary networks to your configuration” on page 29.
1 Select Network => Configuration.
2 Click the Secondary Networks tab.
3 Use the drop list in the lower-right portion of the dialog box to select the interface to which you want to add a secondary network.
Entering WINS and DNS Server Addresses
Several advanced features of the Firebox, such as DHCP and Remote User VPN, rely on shared Windows Internet Name Server (WINS) and Domain Name System (DNS) server addresses. These servers must be accessible from the Firebox Trusted interface. Make sure you use only an internal DNS server for DHCP and Remote User VPN. Do not use external DNS servers. From Policy Manager:
1 Select Network => Configuration.
Defining a Firebox as a DHCP Server
Dynamic Host Configuration Protocol (DHCP) is an Internet protocol that simplifies the task of administering a large network. A device defined as a DHCP server automatically assigns IP addresses to network computers from a defined pool of numbers. You can define the Firebox as a DHCP server for the customer network behind the firewall. One parameter that you define for a DHCP server is lease times.
Adding a new subnet
To make available (private) IP addresses accessible to DHCP clients, add a subnet. To add a new subnet, you specify a range of IP addresses to be assigned to clients on the network. For example, you could define the address range from 10.1.1.10 to 10.1.1.19 to give clients a pool of 10 addresses. From Policy Manager:
1 Select Network => DHCP Server.
3 In the Subnet box, type the subnet’s IP address; for example, 10.1.1.
Removing a subnet
You can remove an existing subnet; however, you should be aware that doing so can cause problems. If you remove the subnet and then reboot the client, the Firebox may return an IP address that does not work with certain devices or services. From Policy Manager:
1 Select Network => DHCP Server.
2 Click the subnet to remove it.
3 Click Remove. Click OK.
Adding Basic Services to Policy Manager
If you need more detailed information on how to add services, see “Adding a service” on page 97.

Configuring Routes
A route is the sequence of devices that network traffic takes from its source to its destination. A router is a device within a route that determines the next point to which traffic should be forwarded toward its destination. Each router is connected to at least two networks.
3 Click the Net option.
4 Enter the network IP address.
5 In the Gateway text box, enter the IP address of the router.
Be sure to specify an IP address that is on one of the same networks as the Firebox.
6 Click OK.
The Setup Routes dialog box lists the newly configured network route.
7 Click OK.
The route data is written to the configuration file.

Defining a Host Route
Define a host route if there is only one host behind the router.
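The network-route and host-route distinction, together with the rule that the gateway must lie on a network the Firebox is directly attached to, as an added example (not WatchGuard code): a small routing table with longest-prefix lookup. A host route is simply a /32 network route. The interface names, attached networks and route entries are constructed sample values.

```python
"""Added example (not WatchGuard code): a routing table with network and host
routes, longest-prefix lookup, and a check that every gateway lies on one of
the firewall's directly attached networks. Sample addresses are constructed."""
from ipaddress import ip_address, ip_network


class RoutingTable:
    def __init__(self, interfaces):
        # interfaces: {interface name: network directly attached to it}
        self.interfaces = {name: ip_network(net) for name, net in interfaces.items()}
        self.routes = []  # (destination network, gateway address, outgoing interface)

    def _attached_interface(self, gateway):
        gw = ip_address(gateway)
        for name, net in self.interfaces.items():
            if gw in net:
                return name
        return None

    def add_net_route(self, destination, gateway):
        """Add a route to a whole network via `gateway`."""
        iface = self._attached_interface(gateway)
        if iface is None:
            # The text's rule: the gateway must be on one of the Firebox's own networks
            raise ValueError(f"gateway {gateway} is not on a directly attached network")
        self.routes.append((ip_network(destination), ip_address(gateway), iface))

    def add_host_route(self, host, gateway):
        """A host route is a network route whose destination is a single /32."""
        self.add_net_route(f"{host}/32", gateway)

    def lookup(self, destination):
        """Return (interface, gateway or None for directly attached) for the most
        specific matching route, or None when no route matches."""
        dst = ip_address(destination)
        candidates = [(net, None, name) for name, net in self.interfaces.items()]
        candidates += self.routes
        matches = [c for c in candidates if dst in c[0]]
        if not matches:
            return None
        net, gw, iface = max(matches, key=lambda c: c[0].prefixlen)
        return (iface, None if gw is None else str(gw))


if __name__ == "__main__":
    rt = RoutingTable({"trusted": "10.0.1.0/24", "external": "203.0.113.0/24"})
    rt.add_net_route("192.168.50.0/24", "10.0.1.254")   # network route
    rt.add_host_route("192.168.50.7", "10.0.1.253")     # host route wins for that host
    print(rt.lookup("192.168.50.7"), rt.lookup("192.168.50.8"))
```

The host route (/32) outranks the /24 network route for 192.168.50.7 because lookup picks the longest prefix; every other host in 192.168.50.0/24 still uses the network route's gateway.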
CHAPTER 6 Using the WatchGuard Control Center
The WatchGuard Control Center combines access to WatchGuard Firebox System applications and tools in one intuitive interface. Control Center also displays a real-time monitor of traffic through the firewall, connection status, tunnel status, and recent log activity.

Starting Control Center and Connecting to a Firebox
From the Windows Desktop:
1 Select Start => Programs => WatchGuard => Control Center.
5 Click OK.

Control Center Components
Control Center consists of:
• A QuickGuide toolbar to invoke configuring, monitoring, and report programs
• A duplication of the Firebox front panel that graphically displays traffic flow and rejected packets
• Firebox and VPN tunnel status
• A real-time display of log messages (Traffic Monitor) generated by the Firebox
The figure on the following page shows the full Control Center display.
[Figure: the full Control Center display, labelled QuickGuide, Front Panel, Firebox & VPN Status, and Traffic Monitor]

QuickGuide
The top part of the display just below the title bar is the QuickGuide. It contains buttons to:
Open the WatchGuard Control Center menu. (This is also referred to as the Main Menu button.)
Pause the display (appears only when connected to Firebox)
Connect to Firebox (appears only when not connected to Firebox)
Launch Policy Manager
Launch Firebox Monitors
Launch LogViewer
Launch HostWatch
Create Historical Reports
Show and hide the Firebox and Tunnel Status windows

Front panel
Under the toolbar is a representation of the front panel of the Firebox, shown in the following figure, including the Security Triangle Display, Traffic Volume Indicator,
Firebox and VPN tunnel status
The section in Control Center directly below the front panel shows the current status of the Firebox and of branch office and remote user VPN tunnels.

Firebox Status
The following information is displayed under Firebox Status, as shown in the following figure:
• Status of the High Availability option. When properly configured and operational, the IP address of the standby box appears.
• MAC (Media Access Control) address of each interface
• Number of packets sent and received since the Firebox rebooted
• Expiration date and time of root and IPSec certificates

Branch Office VPN Tunnels
Beneath Firebox Status is a section on BOVPN tunnels, in which two categories of these types of tunnels appear: IPSec and DVCP. The figure below shows an expanded entry for a BOVPN tunnel.
• The amount of data sent and received on the tunnel in both bytes and packets.
• The time at which the key expires and the tunnel is renegotiated. Expiration can be expressed as a time deadline or in bytes passed. DVCP tunnels that have been configured for both traffic and time deadline expiration thresholds display both; this type of tunnel expires when either event occurs first (time runs out or bytes are passed).
• Authentication and encryption levels set for the tunnel.
(WSEP) or Management Station. A red exclamation point next to a tunnel listing indicates a tunnel is down. When you expand an entry that has a red exclamation point, another exclamation point appears next to the specific device or tunnel with the problem. Use this feature to rapidly identify and locate problems in your VPN network.

Traffic Monitor
Traffic Monitor shows, in real time, log messages generated by the Firebox.
• To issue a traceroute command to a source or destination IP address of a deny message, right-click the message and select Source IP => Trace Route or Destination IP => Trace Route. (When you issue this command, you are prompted to enter the configuration passphrase.)
Open the WatchGuard Security Event Processor interface. (See “Opening the WSEP user interface” on page 80.)
Copy or merge log files
Open the Flash Disk Management tool

Flushing the ARP cache
The ARP (Address Resolution Protocol) cache on the Firebox stores hardware (MAC) addresses of TCP/IP hosts. This cache is checked for hardware address mapping before an ARP broadcast is initiated.
Changing the polling rate
You can change the interval of time (in seconds) at which Control Center polls the Firebox and updates the Front Panel and the Firebox and Tunnel Status displays. There is, however, a trade-off between polling frequency and demand on the Firebox. The shorter the interval, the more accurate the display, but also the more demand made of the Firebox. From Control Center:
1 Click the Control Center Main Menu button.
2 Click Settings.
4 To change the color, click the arrow next to Text Color. Click one of the 20 colors on the palette.
The information contained in this field will appear in the new color on Traffic Monitor. A sample of how Traffic Monitor will look appears on the bottom of the dialog box.
5 You can also choose a background color for Traffic Monitor. Click the arrow next to Background Color. Click one of the 20 colors on the palette.
Home Page
Select to bring up the WatchGuard home page at: http://www.watchguard.com
Product Support
Select to bring up the technical support logon page on the WatchGuard Web site.
Frequently Asked Questions
Frequently Asked Questions (FAQs) are documents that explain and clarify issues that typically generate support calls from customers. Select to access the In-Depth FAQs available in the WatchGuard Knowledge Base.
Maximize
Double-click the Traffic Monitor title bar to maximize the window. Double-click the title bar again to restore the window to the previous size.
Scroll
Use the scroll control of the Traffic Monitor window to scroll chronologically up and down through log records. While scrolling, Traffic Monitor temporarily ceases to jump to the most recent records. Page down to the bottom of the Traffic Monitor window to restart the rolling display.
Launching Firebox Monitors
Firebox Monitors combines an extensive set of WatchGuard monitoring tools into a single user interface accessible from Control Center. To open Firebox Monitors, click the Firebox Monitors button (shown at left) on the Control Center QuickGuide. For more information, see “Monitoring Firebox Activity” on page 159.

Launching LogViewer
The LogViewer application displays a static view of a log file.
Opening the WSEP user interface
The WatchGuard Security Event Processor (WSEP) controls logging, report schedules, and notification. It also provides timing services for the Firebox. The WSEP automatically runs when you start the machine on which it is installed. Unlike other Firebox System applications, the WSEP button does not appear in Control Center.
CHAPTER 7 Configuring Network Address Translation
Network address translation (NAT) protects your network by hiding its internal structure. It also provides an effective way to conserve public IP addresses when the number of addresses is limited. At its most basic level, NAT translates the address of a packet from one value to another. The “type” of NAT performed refers to the method of translation:
Dynamic NAT
Also called IP masquerading or port address translation.
1-to-1 NAT
The Firebox uses private and public IP ranges that you specify, rather than the ranges assigned to the Firebox interfaces during configuration.
Choosing which type of NAT to perform depends on the underlying problem being solved, such as those regarding address security or preservation of public IP addresses. For more information on NAT, see the following collection of FAQs: https://support.watchguard.com/advancedfaqs/nat_main.
NOTE Machines making incoming requests over a VPN connection are allowed to access masqueraded hosts by their actual private addresses.

Using Simple Dynamic NAT
In the majority of networks, the preferred security policy is to globally apply network address translation to all outgoing packets. Simple dynamic NAT provides a quick method to set a NAT policy for your entire network. For more information on this type of NAT, see the following FAQ: https://support.watchguard.
Adding simple dynamic NAT entries
Using built-in host aliases, you can quickly configure the Firebox to masquerade addresses from your Trusted and Optional networks. If Trusted hosts are already covered by the default, non-routable ranges, no additional entries are needed:
• From: Trusted
• To: External
The default dynamic entries are listed in the previous section.
5 Click OK.
The new entry appears in the Dynamic NAT Entries list.

Reordering simple dynamic NAT entries
To reorder dynamic NAT entries, select the entry and click either Up or Down. There is no method to modify a dynamic NAT entry. Instead, use the Remove button to remove existing entries and the Add button to add new entries.
Using Service-Based Dynamic NAT
Using service-based dynamic NAT, you can set outgoing dynamic NAT policy on a service-by-service basis. Service-based NAT is most frequently used to make exceptions to a globally applied simple dynamic NAT entry.
Disable NAT
Disables dynamic NAT for outgoing packets using this service. Use this setting to create service-by-service exceptions to outgoing NAT.
Enable NAT
Enables service-based dynamic NAT for outgoing packets using this service regardless of how the simple dynamic NAT settings are configured.
From Policy Manager:
1 Double-click the service icon.
2 Click Outgoing.
Setting static NAT for a service
Static NAT, like service-based NAT, is configured on a service-by-service basis. Because of the way static NAT functions, it is available only for services based upon TCP or UDP, which use a specific port. A service containing any other protocol cannot use incoming static NAT, and the NAT button in the service’s Properties dialog box is disabled. Static NAT also cannot be used with the Any service.
9 Click OK to close the Add Address dialog box.
Click OK to close the service’s Properties dialog box.

Using 1-to-1 NAT
1-to-1 NAT uses a global NAT policy that rewrites and redirects packets sent to one range of addresses to a completely different range of addresses. This address conversion works in both directions. You can configure any number of 1-to-1 NAT addresses.
2 Click Advanced.
The Advanced NAT Settings dialog box appears.
3 Click the 1-to-1 NAT Setup tab.
4 Enable the checkbox marked Enable 1-1 NAT.
5 Click Add.
The 1-1 Mapping dialog box appears, as shown in the following figure.
6 Select the appropriate interface (External, Trusted, Optional, or IPSec).
7 Enter the number of hosts to be translated.
8 In the NAT base field, enter the base address for the exposed NAT range.
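The three translation types this chapter describes (dynamic NAT masquerading outgoing sessions behind one external address with port translation, static NAT forwarding an inbound TCP or UDP port to an inside host, and 1-to-1 NAT rewriting a range of addresses in both directions from a real base, a NAT base and a host count), as an added example that is not WatchGuard code. The external address, Trusted network, mapping entries and port allocation scheme are constructed assumptions for the example, not the Firebox's actual internals.

```python
"""Added example (not WatchGuard code): a toy NAT engine showing dynamic NAT
(masquerading with port translation), static NAT (inbound port forwarding,
TCP/UDP only) and 1-to-1 NAT (bidirectional range rewrite). All addresses and
the port allocation scheme are constructed for the example."""
from ipaddress import IPv4Address, IPv4Network


class Nat:
    def __init__(self, external_ip, trusted_net):
        self.external_ip = IPv4Address(external_ip)
        self.trusted_net = IPv4Network(trusted_net)
        self.static = {}       # (proto, external port) -> (inside host, inside port)
        self.one_to_one = []   # (real base, NAT base, number of hosts)
        self.dynamic = {}      # (proto, inside src, inside sport) -> external port
        self.next_port = 1024  # constructed: next masquerade port to hand out

    def add_static(self, proto, external_port, internal_host, internal_port):
        if proto not in ("tcp", "udp"):
            # Static NAT keys on a port, so only TCP and UDP services qualify
            raise ValueError("static NAT requires a TCP or UDP service")
        self.static[(proto, external_port)] = (IPv4Address(internal_host), internal_port)

    def add_one_to_one(self, real_base, nat_base, count):
        self.one_to_one.append((IPv4Address(real_base), IPv4Address(nat_base), count))

    def _one_to_one_map(self, addr, forward):
        """Map real->NAT (forward) or NAT->real (reverse) by offset from the base."""
        for real_base, nat_base, count in self.one_to_one:
            src_base, dst_base = (real_base, nat_base) if forward else (nat_base, real_base)
            offset = int(addr) - int(src_base)
            if 0 <= offset < count:
                return dst_base + offset
        return None

    def outbound(self, proto, src, sport):
        """Translate the source of a packet leaving the Trusted network."""
        src = IPv4Address(src)
        mapped = self._one_to_one_map(src, forward=True)
        if mapped is not None:
            return (str(mapped), sport)           # 1-to-1 NAT keeps the port
        if src in self.trusted_net:
            key = (proto, src, sport)
            if key not in self.dynamic:
                self.dynamic[key] = self.next_port
                self.next_port += 1
            return (str(self.external_ip), self.dynamic[key])   # masqueraded
        return (str(src), sport)                  # not covered by any NAT entry

    def inbound(self, proto, dst, dport):
        """Translate the destination of a packet arriving from the External network;
        None means no translation exists (unsolicited traffic is left to the
        default-deny service rules)."""
        dst = IPv4Address(dst)
        mapped = self._one_to_one_map(dst, forward=False)
        if mapped is not None:
            return (str(mapped), dport)
        if dst == self.external_ip:
            if (proto, dport) in self.static:
                host, port = self.static[(proto, dport)]
                return (str(host), port)
            for (p, inside_src, inside_sport), ext_port in self.dynamic.items():
                if p == proto and ext_port == dport:
                    return (str(inside_src), inside_sport)   # reply to a masqueraded session
        return None


if __name__ == "__main__":
    nat = Nat("203.0.113.10", "10.0.1.0/24")
    nat.add_static("tcp", 25, "10.0.1.5", 25)                # inbound mail server
    nat.add_one_to_one("10.0.1.100", "203.0.113.100", 4)     # four hosts, .100-.103
    print(nat.outbound("tcp", "10.0.1.20", 40000))
    print(nat.inbound("tcp", "203.0.113.101", 80))
```

Note that `add_static` rejects a non-TCP/UDP protocol, mirroring the text's statement that the NAT button is disabled for such services, and that a 1-to-1 entry is checked before masquerading so hosts in the mapped range keep their own exposed address.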
Proxies and NAT
This table identifies each proxy and what types of NAT it supports.
CHAPTER 8 Configuring Filtered Services
You add filtered services–in addition to proxied services–to control and monitor the flow of IP packets through the Firebox. Services can be configured for outgoing and incoming traffic, and they can be active or inactive. When you configure a service, you set the allowable traffic end points and determine the filter rules and policies for each of these services.
Selecting Services for your Security Policy Objectives
The WatchGuard Firebox System, like most commercial firewalls, discards all packets that are not explicitly allowed, often stated as “that which is not explicitly allowed is denied.” This stance protects against attacks based on new, unfamiliar, or obscure IP services. It also provides a safety net regarding unknown services and configuration errors which could otherwise threaten network security.
• Allowing a service to the optional network is safer than allowing it to the trusted network.
• Allowing incoming services from a virtual private network (VPN), where the organization at the other end is known and authenticated, is generally safer than allowing incoming services from the Internet at large.
Each safety precaution you implement makes your network significantly safer. Following three or four precautions is much safer than following one or none.
You can also add unique or custom services. However, if you do, take steps to permit only the traffic flow in that service that is absolutely essential.

Normal View of the Services Arena
To display the detailed view of the Services Arena, select the Details icon (shown at right). The detailed view appears, as shown in the following figure.
Configurable parameters for services
Several service parameters can be configured:
Sources and Destinations
You use separate controls for configuring incoming and outgoing traffic. The outgoing controls (sources) define entries in the From lists while incoming controls (destinations) define entries in the To lists.
2 Expand either the Packet Filters or Proxies folder by clicking the plus (+) sign to the left of the folder.
A list of pre-configured filters or proxies appears.
3 Click the name of the service you want to add.
4 Click Add.
When you click a service, the service icon appears in the area below the New, Edit, and Remove buttons. Also, the Details box displays basic information about the service.
5 (Optional) You can customize both the name and the comments that appear when the service is being configured. Click in the Name or Comment box and type the name or comment you want.
6 Click OK.
The service’s Properties dialog box appears. For information on configuring service properties, see “Defining Service Properties” on page 103.
7 Click OK to close the Properties dialog box.
8 Click Close.
Creating a new service
In addition to built-in filtered services provided by WatchGuard, you can create a new service or customize an existing service. You might need to do this when a new product appears on the market that you would like to run behind your firewall. Remember, however, that every new service you configure and add to your firewall potentially increases your vulnerability to hackers.
Ignore
Source port can be any number (0—65565). (If you are not sure which port setting to use, choose this option.)
Secure
Source port can range from 0—1024.
Port
Source port must be identical to the destination port, as listed in the Port number field of the destination service’s Properties dialog box, Properties tab (shown below).
Client
Source port can range from 1025—65565.
8 In the Port field, enter the port number.
11 Click OK.
The Services dialog box appears with the new service displayed under the User Filters folder. You can now add the custom service to the Services Arena just as you would an existing service.
12 In the Services dialog box, expand the User Filter folder, and then click the name of the service. Click Add and then click OK to close the Add Service dialog box. Click OK to close the Properties dialog box. Click Close to close the Services dialog box.
Defining Service Properties
You use the service’s Properties dialog box to configure the incoming and outgoing access rules for a given service. The Incoming tab defines:
• The sources on the External network that use this service to initiate sessions with your protected users, hosts, and networks.
• The destinations behind the Firebox to which incoming traffic for this service can be bound.
Adding service properties
The method used to add incoming and outgoing service properties is identical. Select the tab, click the Add button for either the From or the To member list, and then define the members for the category. The direction of traffic determines how you select members of the From and To lists.
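The default-deny stance from "Selecting Services for your Security Policy Objectives" together with the From/To member lists described here and the host aliases introduced in Chapter 10, as an added example that is not WatchGuard code: a toy evaluator in which a connection is allowed only when some service of the right direction, protocol and port lists its source in From and its destination in To; everything else is denied and logged. Service names, aliases, addresses and the log line format are constructed for the example.

```python
"""Added example (not WatchGuard code): a default-deny service evaluator.
Each service has From/To member lists whose members may be hosts, networks,
the keyword "Any", or aliases (named groups, possibly nested). Anything not
explicitly allowed is denied and logged. All sample data is constructed."""
from ipaddress import ip_address, ip_network


class Policy:
    def __init__(self):
        self.aliases = {}    # alias name -> list of hosts / networks / alias names
        self.services = []   # (name, proto, port, direction, from_members, to_members)
        self.log = []        # constructed log lines, newest last

    def add_alias(self, name, members):
        self.aliases[name] = list(members)

    def add_service(self, name, proto, port, direction, from_members, to_members):
        self.services.append((name, proto, port, direction, list(from_members), list(to_members)))

    def _member_matches(self, member, addr):
        if member == "Any":
            return True
        if member in self.aliases:
            # Aliases expand recursively to their members
            return any(self._member_matches(m, addr) for m in self.aliases[member])
        return addr in ip_network(member, strict=False)   # a host or a network

    def _any_match(self, members, addr):
        return any(self._member_matches(m, addr) for m in members)

    def evaluate(self, direction, proto, src, dst, port):
        """Return "allow" or "deny" for one connection attempt and record a log line.
        direction is "incoming" (External -> protected) or "outgoing"."""
        src, dst = ip_address(src), ip_address(dst)
        for name, sproto, sport, sdir, from_members, to_members in self.services:
            if (sdir == direction and sproto == proto and sport == port
                    and self._any_match(from_members, src)
                    and self._any_match(to_members, dst)):
                self.log.append(f"allow {direction} {proto}/{port} {src}->{dst} service={name}")
                return "allow"
        # Default packet handling: not explicitly allowed, therefore denied
        self.log.append(f"deny {direction} {proto}/{port} {src}->{dst} (no matching service)")
        return "deny"


if __name__ == "__main__":
    policy = Policy()
    policy.add_alias("web_servers", ["10.0.2.10", "10.0.2.11"])
    policy.add_alias("trusted", ["10.0.1.0/24"])
    policy.add_service("HTTP", "tcp", 80, "incoming", ["Any"], ["web_servers"])
    policy.add_service("Outgoing", "tcp", 443, "outgoing", ["trusted"], ["Any"])
    print(policy.evaluate("incoming", "tcp", "198.51.100.7", "10.0.2.10", 80))
    print(policy.evaluate("incoming", "tcp", "198.51.100.7", "10.0.2.10", 22))
    print("\n".join(policy.log))
```

Because the evaluator only ever returns "allow" when a service matches, a host outside the alias, an unexpected port, or a direction with no service all fall through to the deny branch, which is the safety net the chapter describes for unknown services and configuration mistakes.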
Working with wg_icons
Service icons beginning with “wg_” are created automatically when you enable features such as PPTP and authentication. Because the wg_ service icons rarely require modification, WatchGuard recommends leaving wg_ icons in their default settings. The following wg_ services are available:
wg_authentication
Added when you enable authentication.
wg_dhcp_server
Added when you enable the DHCP server.
wg_pptp
Added when you enable PPTP.
From the Properties dialog box:
1 Click the Incoming tab.
2 Click Logging.
The Logging and Notification dialog box appears, as shown in the following figure.
3 Enable the options you want, as described below.
The Logging and Notification dialog box contains the following controls:
Category
The list of event types that can be logged by the service or option. This list changes depending on the service or option you’ve selected.
The remaining controls are active when you select the Send notification checkbox:
Email
Triggers an email message when the event occurs. Set the email recipient in the Notification tab of the WatchGuard Security Event Processor (WSEP) user interface.
Pager
Triggers an electronic page when the event occurs. The Firebox must have a PCMCIA modem and be connected to a phone service to make outgoing calls.
“Multiservices” can contain subservices of more than one precedence group. “Filtered-HTTP” and “Proxied-HTTP,” for example, contain both a port-specific TCP subservice for port 80 as well as a nonport subservice that covers all other TCP connections. When precedence is being determined, individual subservices are given precedence according to their group (described previously) independent of the other subservices contained in the multiservice.
based on the specificity of targets, from most specific to least specific.
CHAPTER 9 Configuring Proxied Services
Proxy filtering goes a step beyond packet filtering by examining a packet’s content, not just the packet’s header. Consequently, the proxy determines whether a forbidden content type is hidden or embedded in the data payload. For example, an email proxy examines all SMTP packets to determine whether they contain forbidden content types, such as executable programs or items written in scripting languages. Such items are common methods of transmitting computer viruses.
Configuring an SMTP Proxy Service
The SMTP proxy limits several potentially harmful aspects of email. The proxy scans the content type and content disposition headers, and then compares them against a user-defined list of known hostile signatures. Email messages containing suspect attachments are stripped of their attachments and then sent to the intended recipient. The proxy can limit message size and limit the number of message recipients.
the Services Arena. (For information on how to add a service, see the previous chapter.) From the Services Arena:
1 Double-click the SMTP Proxy icon to open the SMTP Properties dialog box.
2 Click the Properties tab.
3 Click Incoming.
The Incoming SMTP Proxy dialog box appears, displaying the General tab.
4 Modify properties on the General tab according to your preferences.
For a description of each control, right-click it, and then select What’s This?.
Blocking email content types
MIME stands for Multipurpose Internet Mail Extensions, a specification about how to pass audio, video, and graphics content by way of email or HTML. The MIME format attaches a header to content. The header describes the type of multimedia content contained within an email or on a Web site. For instance, a MIME type of "application/zip" in an email message indicates that the email contains a Zip file attachment.
• A string is a wildcard pattern if it contains a question mark (?), an asterisk (*), or a right parenthesis (().
• A question mark (?) matches any single character.
• An asterisk (*) matches any string, including an empty string.

Denying attachments based on file name patterns
The Content Types tab includes a list of file-name patterns denied by the Firebox if they appear in email attachments.
2 Select Allowed To from the Category drop list.
3 In the text box to the left of the Add button, enter your own domain.
4 Click Add.
5 Save the new configuration to the Firebox.

Select headers to allow
The Firebox allows certain headers by default. These are listed on the Headers tab of the Incoming SMTP Proxy Properties dialog box. You can add more headers to this list, or remove headers from the list.
• Accounting and auditing information.

Configuring the Outgoing SMTP Proxy
Use the Outgoing SMTP Proxy dialog box to set the parameters for traffic going from the Trusted and Optional networks to the world. You must already have an SMTP Proxy service icon in the Services Arena to use this functionality.
1 Double-click the icon to open the service’s Properties dialog box.
2 Click the Properties tab.
might be inside.salesdept.bigcompany.com, which would become the public address bigcompany.com.
1 Click the Masquerading tab.
2 Enter the official domain name.
3 In the Substitute the above for these address patterns text box (to the left of the Add button), type the address patterns that are behind your firewall that you want replaced by the official domain name. Click Add.
The SMTP masquerading information appears, as shown in the following figure.
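The SMTP proxy behaviour described in this section, as one added example that is not WatchGuard code: it strips attachments whose MIME content type or file name matches a deny pattern, using the "?" and "*" wildcard rules from "Blocking email content types", and rewrites sender and recipient hosts matching an address pattern to the official domain, as in the masquerading procedure above (inside.salesdept.bigcompany.com becoming bigcompany.com). The deny lists, the masquerade patterns and the sample message are constructed for the example, and the matcher implements only the two wildcard characters the text defines.

```python
"""Added example (not WatchGuard code): an SMTP content filter that strips
attachments matching deny patterns (content type or file name, '?' / '*'
wildcards) and masquerades internal address hosts behind an official domain.
Deny lists, patterns and the sample message are constructed."""
from email.message import EmailMessage
from email.utils import formataddr, parseaddr


def wildcard_match(pattern, text):
    """Match `text` against `pattern`: '?' is any one character, '*' any string
    (including the empty string); everything else matches case-insensitively."""
    if not pattern:
        return text == ""
    if pattern[0] == "*":
        return any(wildcard_match(pattern[1:], text[i:]) for i in range(len(text) + 1))
    if not text:
        return False
    if pattern[0] == "?" or pattern[0].lower() == text[0].lower():
        return wildcard_match(pattern[1:], text[1:])
    return False


def matches_any(patterns, text):
    return any(wildcard_match(p, text) for p in patterns)


def masquerade(address, official_domain, patterns):
    """Rewrite user@host to user@official_domain when host matches a pattern."""
    name, addr = parseaddr(address)
    if "@" in addr:
        user, host = addr.rsplit("@", 1)
        if matches_any(patterns, host):
            return formataddr((name, f"{user}@{official_domain}"))
    return address


def filter_message(msg, denied_types, denied_names, official_domain, masq_patterns):
    """Return (filtered copy of msg, descriptions of stripped attachments)."""
    stripped = []
    out = EmailMessage()
    for header in ("From", "To", "Subject"):
        if msg[header]:
            value = str(msg[header])
            if header in ("From", "To"):
                value = masquerade(value, official_domain, masq_patterns)
            out[header] = value
    body = msg.get_body(preferencelist=("plain",))
    out.set_content(body.get_content() if body else "")
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        if matches_any(denied_types, ctype) or matches_any(denied_names, fname):
            stripped.append(f"{fname} ({ctype})")   # suspect: drop it, keep the message
            continue
        out.add_attachment(part.get_payload(decode=True),
                           maintype=part.get_content_maintype(),
                           subtype=part.get_content_subtype(), filename=fname)
    return out, stripped


def sample_message():
    """Constructed sample: one benign attachment, one executable, one zip."""
    msg = EmailMessage()
    msg["From"] = "alice@inside.salesdept.bigcompany.com"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Q3 figures"
    msg.set_content("Figures attached.")
    msg.add_attachment(b"col1,col2\n1,2\n", maintype="text", subtype="csv", filename="q3.csv")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="archive.zip")
    return msg


def run_example():
    """Filter the sample message; returns (From header, kept file names, stripped)."""
    out, stripped = filter_message(sample_message(),
                                   denied_types=["application/octet-stream"],
                                   denied_names=["*.exe", "*.vbs", "*.scr"],
                                   official_domain="bigcompany.com",
                                   masq_patterns=["*.bigcompany.com"])
    kept = [p.get_filename() for p in out.iter_attachments()]
    return out["From"], kept, stripped


if __name__ == "__main__":
    print(run_example())
```

The zip attachment survives here only because neither "application/zip" nor "archive.zip" is on the constructed deny lists; a site that wants the behaviour the text describes for Zip files would add the corresponding pattern, and the match is made on the declared type and name, not on the bytes, which is why a separate content scanner is still needed.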
Configuring an FTP Proxy Service
The FTP proxy service enables you to access another computer (on a separate network) for the purposes of browsing directories and copying files. Consequently, FTP is inherently dangerous. If configured incorrectly, the FTP service allows intruders to access your network and important information such as passwords and configuration files.
Selecting an HTTP Service
Because of the extensive security implications of HTTP traffic, it is important to restrict the incoming service as much as possible. Many administrators set up public Web servers only on their Optional interface. They restrict incoming HTTP traffic to the Optional interface and prohibit incoming HTTP traffic from traveling from the Optional interface to the Trusted interface. Outgoing traffic is generally less restrictive.
NOTE The WatchGuard service called “HTTP” is not to be confused with an HTTP caching proxy. An HTTP caching proxy refers to a separate machine that performs caching of Web data.
• Filtered-HTTP is a multiservice that combines configuration options for HTTP on port 80 with a rule allowing (by default) all outgoing TCP connections.
For detailed information about the HTTP proxy, see the online support resources at http://support.watchguard.com.

Restricting content types for the HTTP proxy
You can configure the HTTP proxy to allow only those MIME types you decide are acceptable security risks. On the Safe Content tab:
1 To specify that you want to restrict content types that can pass through the HTTP proxy, enable the checkbox marked Allow only safe content types.
The Firebox communicates with proxy servers exactly the same way that clients normally do. Instead of a GET request from the Firebox to the Internet looking like this:
GET / HTTP/1.1
it ends up looking like this, and the request is sent to the configured caching proxy server instead:
GET www.mydomain.com / HTTP/1.1
The proxy server then forwards this request to the Web server mentioned in the GET request.
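The rewrite described above, as an added example that is not WatchGuard code: a client's origin-form request line ("GET / HTTP/1.1" plus a Host header) is turned into the absolute-form that an upstream proxy expects, which per RFC 7230 section 5.3.2 is written "GET http://www.mydomain.com/ HTTP/1.1", and the connection is directed to the caching proxy instead of the origin server. The request bytes and the proxy address are constructed sample values.

```python
"""Added example (not WatchGuard code): rewrite an HTTP/1.1 origin-form request
into absolute-form for an upstream caching proxy and decide where to connect.
The sample request and proxy address are constructed."""


def _split(raw_request):
    """Return (request line fields, lowercase header dict, separator, body)."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines, (method, target, version), headers, sep, body


def to_proxy_request(raw_request):
    """Convert an origin-form request into absolute-form (RFC 7230 5.3.2)."""
    lines, (method, target, version), headers, sep, body = _split(raw_request)
    if target.startswith((b"http://", b"https://")):
        return raw_request                      # already absolute-form
    host = headers.get(b"host")
    if host is None:
        raise ValueError("HTTP/1.1 request without a Host header")
    lines[0] = b" ".join([method, b"http://" + host + target, version])
    return b"\r\n".join(lines) + sep + body


def route_request(raw_request, caching_proxy=None):
    """Return ((host, port), request bytes): the configured caching proxy with an
    absolute-form request when one is set, otherwise the origin server named
    in the Host header with the request unchanged."""
    if caching_proxy is not None:
        return caching_proxy, to_proxy_request(raw_request)
    _, _, headers, _, _ = _split(raw_request)
    host = headers[b"host"].decode()
    name, _, port = host.partition(":")
    return (name, int(port) if port else 80), raw_request


if __name__ == "__main__":
    request = b"GET / HTTP/1.1\r\nHost: www.mydomain.com\r\nUser-Agent: x\r\n\r\n"
    print(route_request(request, caching_proxy=("10.0.1.8", 3128)))
```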
attacks that cause a buffer overflow, which crash the targeted server and enable the attacker to gain unauthorized access to your network. One attack uses a flaw in the transaction signature (TSIG) handling code. When BIND encounters a request with a valid transaction signature but no valid key, processing steps that initialize important variables (notably the required buffer size) are skipped.
5 Click the Incoming tab. Use the Incoming DNS-Proxy connections are drop list to select Enabled and Allowed.
6 Click the Outgoing tab. Use the Outgoing DNS-Proxy connections are drop list to select Enabled and Allowed.
7 Click OK to close the DNS-Proxy Properties dialog box.
8 Click Close.
The Services dialog box closes. The DNS-Proxy icon appears in the Services Arena.
CHAPTER 10 Creating Aliases and Implementing Authentication
Aliases are shortcuts used to identify groups of hosts, networks, or users. The use of aliases simplifies service configuration. User authentication allows the tracking of connections based on name rather than IP address. With authentication, it does not matter which IP address is used or from which machine a person chooses to work.
a user workstation may have several different IP addresses over the course of a week. Authentication by user is also useful in education environments, such as classrooms and college computer centers where many different people might use the same IP address over the course of the day. For more information on authentication, see the following collection of FAQs: https://support.watchguard.com/advancedfaqs/auth_main.
2 Click Add.
3 In the Host Alias Name text box, enter the name used to identify the alias when configuring services and authentication.
4 Click Add.
5 Define the alias by adding members. To add an existing member, click the name in the Members list. Click Add.
6 To configure a new member, click Add Other.
7 Use the Choose Type drop list to select a category. In the Value text box, enter the address, range, or host name. Click OK.
8 When you finish adding members, click OK.
The Host Alias dialog box appears listing the new alias. Click the alias to view its members.
To modify an alias, select it, click Edit, and then add or delete members. To remove an alias, select it, click Remove, and then remove the alias from the Properties box of any services configured to use the alias. For more information, see “Defining Service Properties” on page 103.
Enabling remote authentication
Use this procedure to allow remote users to authenticate from the External interface, which gives them access to services through the Firebox.
1 In the Services Arena in Policy Manager, double-click the wg_authentication service icon.
2 On the Incoming tab, select Enabled and Allowed.
3 Under the From box, click Add.
4 Click Add Under and add the IP addresses of the remote users you are allowing to authenticate externally.
To specify authentication type:
1 From Policy Manager, select Setup => Firewall Authentication.
2 In the Authentication Enabled Via box, select the authentication server you want to use.
3 In Logon Time-out, select how many seconds are allowed for an attempted logon before the time-out shuts down the connection.
4 In Session Time-out, set how many hours a session can remain open before the time-out shuts down the connection.
computers. As your organization changes, you can add or remove users or systems from groups.
NOTE You can define only a limited number of Firebox users. If you have more than approximately 100 users to authenticate, WatchGuard recommends that you use a third-party authentication server.
WatchGuard automatically adds two groups–intended for remote users–to the basic configuration file:
ipsec_users
Add the names of authorized users of MUVPN.
4 To add a new user, click the Add button beneath the Users list.
The Setup Firebox User dialog box appears, as shown in the following figure.
5 Enter the username and password.
6 To add the user to a group, select the group name in the Not Member Of list.
7 When you finish adding the user to groups, click Add.
8 To close the Setup Firebox User dialog box, click Close.
9 When you finish adding users and groups, click OK.
2 Click the NT Server tab.
3 To identify the host, enter both the host name and the IP address of the Windows NT network. If you don’t know the IP address of the host, click Find IP. The IP address is automatically entered.
The information appears as shown in the following figure. When typing IP addresses, type the digits and periods in sequence. Do not use the TAB or arrow key to jump past the periods.
authentication key that identifies it to the RADIUS server. Note that it is the key that is transmitted, and not a password. The key resides on the client and server simultaneously, which is why it is often called a “shared secret.” To add or remove services accessible by RADIUS authenticated users, add the RADIUS user or group in the individual service properties dialog box and the IP address of the Firebox on the RADIUS authentication server.
7 Click OK.
8 Gather the IP address of the Firebox and the user or group aliases you want to authenticate using RADIUS.
The aliases appear in the From and To listboxes for the individual services.
To configure the RADIUS server
1 Add the IP address of the Firebox where appropriate according to the RADIUS server vendor.
Some RADIUS vendors may not require this.
Properties dialog box, and the IP address of the Firebox on the CRYPTOCard authentication server. From Policy Manager:
1 Select Setup => Authentication Servers.
The Authentication Servers dialog box appears.
2 Click the CRYPTOCard Server tab.
You might need to use the arrow buttons in the upper-right corner of the dialog box to bring this tab into view.
3 Enter the IP address of the CRYPTOCard server.
On the CRYPTOCard server:
1 Add the IP address of the Firebox where appropriate according to CRYPTOCard’s instructions.
2 Take the user or group aliases from the service properties listboxes and add them to the group information in the CRYPTOCard configuration file.
Only one group can be associated with each user. For more information, consult the CRYPTOCard server documentation.
3 Enter the IP address of the SecurID server.
4 Enter or verify the port number used for SecurID authentication. The default is 1645. Port 1645 is the original RADIUS authentication port; the port IANA later assigned is 1812, so check which one your SecurID server is listening on.
5 Enter the value of the secret shared between the Firebox and the SecurID server. The shared secret is case-sensitive and must be identical on the Firebox and the SecurID server.
6 If you are using a backup server, enable the Specify backup SecurID server checkbox.
CHAPTER 11 Protecting Your Network From Attacks
The WatchGuard Firebox System can protect your network from many types of attacks. In addition to the protection provided through filtered and proxied services, the Firebox also gives you the tools to stop attacks, such as the ones listed below, that services are not designed to defeat.
Spoofing attacks
Hackers alter packets to create a false identity for the purpose of gaining access to your network.
Logging options help you identify sites that exhibit suspicious behavior such as spoofing. You can use the information gathered to manually and permanently block an offending site. In addition, you can block ports (by port number) to protect ports with known vulnerabilities from any incoming traffic. For more information on log messages, see the following collection of FAQs: https://support.watchguard.com/advancedfaqs/log_main.
that the packet apparently originated from a host that is trusted, and therefore does not require validation or a password. When you enable spoofing defense, the Firebox prevents packets with a false identity from passing through to your network. When such a packet attempts to establish a connection, the Firebox generates two log records.
which services are running on the hosts inside that network.
From Policy Manager:
1 On the toolbar, click the Default Packet Handling icon. You can also, from Policy Manager, select Setup => Default. The Default Packet Handling dialog box appears.
2 Enable the checkbox marked Block Port Space Probes.
3 Enable the checkbox marked Block Address Space Probes.
They are stored in a backlog until they are completed or time out. When the server's backlog is full, no new connections can be accepted. A SYN Flood attack attempts to fill up the victim server's backlog by sending a flood of SYN segments without ever completing the handshake with the final ACK. When the backlog fills up, the server is unavailable to users.
recorded. If these messages occur frequently when your server is not under attack, the Maximum Incomplete Connections setting may be too low. If the SYN Flood protection feature is not preventing attacks from affecting your server, the setting may be too high. Consult your server's documentation for help choosing a new value, or experiment by adjusting the setting until the problems disappear.
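The trade-off behind the Maximum Incomplete Connections setting is easiest to see with a model of the half-open backlog. The following is an added example, not code from this guide or from the Firebox: a small Python tracker of half-open connections per destination host, with one scenario in which an attacker never completes its SYNs and one in which legitimate but slow clients are wrongly dropped because the limit is set below the number of handshakes normally in flight. All addresses, timeouts and limits are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class SynFloodGuard:
    """Half-open connection backlog guarded by a Maximum Incomplete Connections
    limit. Times are in seconds; the limit is enforced per destination host."""
    max_incomplete: int
    timeout: float
    half_open: dict = field(default_factory=dict)   # (src, sport, dst, dport) -> time of SYN
    log: list = field(default_factory=list)

    def _expire(self, now: float) -> None:
        for key, t0 in list(self.half_open.items()):
            if now - t0 > self.timeout:
                del self.half_open[key]          # never completed: timed out of the backlog

    def syn(self, now: float, src: str, sport: int, dst: str, dport: int) -> bool:
        """Forward a SYN unless the destination's backlog is already full.
        Returns True if forwarded, False if dropped (and a log record is written)."""
        self._expire(now)
        backlog = sum(1 for key in self.half_open if key[2] == dst)
        if backlog >= self.max_incomplete:
            self.log.append(f"t={now:g} SYN {src}:{sport} -> {dst}:{dport} dropped, "
                            f"backlog {backlog} >= {self.max_incomplete}")
            return False
        self.half_open[(src, sport, dst, dport)] = now
        return True

    def ack(self, now: float, src: str, sport: int, dst: str, dport: int) -> None:
        """Final ACK of the handshake: the entry leaves the backlog."""
        self.half_open.pop((src, sport, dst, dport), None)


SERVER = "192.168.49.10"   # constructed address of the protected server


def run_flood(max_incomplete: int, n_syn: int):
    """An attacker sends n_syn SYNs, one per second, and completes none of them.
    Returns (SYNs forwarded, SYNs dropped)."""
    guard = SynFloodGuard(max_incomplete, timeout=30.0)
    forwarded = sum(guard.syn(t, "203.0.113.9", 40000 + t, SERVER, 80) for t in range(n_syn))
    return forwarded, len(guard.log)


def run_legit(max_incomplete: int, n_conn: int, handshake_delay: float):
    """n_conn well-behaved clients, one new SYN per second, each finishing its
    handshake handshake_delay seconds later. With the limit set below the number
    of handshakes legitimately in flight at once, good clients are dropped: the
    "setting may be too low" symptom. Returns (forwarded, dropped)."""
    guard = SynFloodGuard(max_incomplete, timeout=30.0)
    pending, forwarded = [], 0
    for t in range(n_conn):
        for due, sport in [p for p in pending if p[0] <= t]:
            guard.ack(t, "198.51.100.5", sport, SERVER, 80)
            pending.remove((due, sport))
        if guard.syn(t, "198.51.100.5", 50000 + t, SERVER, 80):
            forwarded += 1
            pending.append((t + handshake_delay, 50000 + t))
    return forwarded, len(guard.log)
```

A real deployment should read the drop counter against the server's observed rate of legitimate half-open connections, exactly as the tuning advice above says: frequent drops with no attack in progress mean the limit is below that rate.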
and either allow or deny packets. Little extra bandwidth is available to conduct sophisticated analysis of traffic patterns. LiveSecurity Service subscribers can download a command-line utility called the Firebox System Intrusion Detection System Mate (fbidsmate) that integrates the Firebox with most commercial and shareware IDS applications. You use the fbidsmate utility to configure your IDS to run scripts that query the Firebox for information.
add_hostile
This command adds a site to the Auto-Blocked Site list, with the duration set by the administrator in Policy Manager's Blocked Sites dialog box. It effectively extends your control of the auto-block mechanism inside the Firebox.
add_log_message
This command causes a message to be added to the log stream emitted by the Firebox.
Example 2
The IDS adds a message to the Firebox's log stream:
fbidsmate 10.0.0.1 secure1 add_log_message 3 "IDS system temp. blocked 209.54.94.99"
With the IDS running on host 10.0.0.2, the following message appears in the Firebox log file:
msg from 10.0.0.2: IDS system temp. blocked 209.54.94.99
Note that the configuration passphrase (secure1 above) is passed on the command line, where other users of the IDS host can read it from the process list, and that it is stored in whatever script invokes fbidsmate.
Example 3
Because you are running your IDS application outside the firewall perimeter, you decide to encrypt the configuration passphrase used in your IDS scripts.
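The Block Port Space Probes and Block Address Space Probes settings above let the Firebox react on its own; an external IDS can apply the same logic to the denied-packet records and feed its verdicts back through fbidsmate. The following is an added example, not code from this guide or from the fbidsmate distribution: a Python script that reads constructed denied-packet log lines (the real Firebox record layout is not reproduced; the regular expression matches only this constructed format), flags a source as a port space probe when it hits many distinct ports or as an address space probe when it hits many distinct hosts, and builds the fbidsmate invocations an IDS script would run. The Firebox address 10.0.0.1 and passphrase secure1 are reused from Example 2; the argument form of add_hostile (the site address after the command name) is assumed by analogy with add_log_message and is not documented on this page; the thresholds are constructed.

```python
import re
import subprocess
from collections import defaultdict

# Constructed denied-packet records: timestamp, verdict, direction, interface,
# source:port -> destination:port, protocol. Not the Firebox's own format.
SAMPLE_LOG = """\
2003-05-01 10:00:01 deny in eth0 209.54.94.99:41000 -> 192.168.49.10:21 tcp
2003-05-01 10:00:01 deny in eth0 209.54.94.99:41001 -> 192.168.49.10:22 tcp
2003-05-01 10:00:02 deny in eth0 209.54.94.99:41002 -> 192.168.49.10:23 tcp
2003-05-01 10:00:02 deny in eth0 209.54.94.99:41003 -> 192.168.49.10:25 tcp
2003-05-01 10:00:03 deny in eth0 209.54.94.99:41004 -> 192.168.49.10:80 tcp
2003-05-01 10:00:03 deny in eth0 209.54.94.99:41005 -> 192.168.49.10:110 tcp
2003-05-01 10:00:05 deny in eth0 198.51.100.7:33000 -> 192.168.49.10:23 tcp
2003-05-01 10:00:09 deny in eth0 203.0.113.4:5000 -> 192.168.49.1:445 tcp
2003-05-01 10:00:09 deny in eth0 203.0.113.4:5001 -> 192.168.49.2:445 tcp
2003-05-01 10:00:10 deny in eth0 203.0.113.4:5002 -> 192.168.49.3:445 tcp
2003-05-01 10:00:10 deny in eth0 203.0.113.4:5003 -> 192.168.49.4:445 tcp
2003-05-01 10:00:11 deny in eth0 203.0.113.4:5004 -> 192.168.49.5:445 tcp
"""

LINE = re.compile(r"^\S+ \S+ deny in \S+ (\S+):\d+ -> (\S+):(\d+) ")


def find_probes(log_text: str, port_threshold: int = 5, host_threshold: int = 5) -> dict:
    """Map each probing source address to the kind of probe it performed.
    A port space probe touches many ports on one host; an address space probe
    touches one port across many hosts."""
    ports = defaultdict(set)   # source -> distinct destination ports seen
    hosts = defaultdict(set)   # source -> distinct destination hosts seen
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, dport = m.groups()
        ports[src].add(int(dport))
        hosts[src].add(dst)
    findings = {}
    for src in set(ports) | set(hosts):
        if len(ports[src]) >= port_threshold:
            findings[src] = "port space probe"
        elif len(hosts[src]) >= host_threshold:
            findings[src] = "address space probe"
    return findings


def fbidsmate_commands(findings: dict, firebox: str = "10.0.0.1",
                       passphrase: str = "secure1") -> list:
    """Build the argv lists an IDS script would run: add_hostile to auto-block the
    source (argument form assumed), then add_log_message, with the same level
    argument as Example 2, so the action is visible in the Firebox log."""
    cmds = []
    for src, kind in sorted(findings.items()):
        cmds.append(["fbidsmate", firebox, passphrase, "add_hostile", src])
        cmds.append(["fbidsmate", firebox, passphrase, "add_log_message", "3",
                     f"IDS: {kind} from {src}, temp. blocked"])
    return cmds


def run_commands(cmds: list) -> None:
    """Execute the commands on a host that has fbidsmate installed."""
    for cmd in cmds:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    for cmd in fbidsmate_commands(find_probes(SAMPLE_LOG)):
        print(" ".join(cmd))
```

Keep the thresholds above the port and host counts that legitimate clients produce (a busy mail relay touches few ports but many hosts), and remember that every command line here carries the configuration passphrase, which is the concern Example 3 addresses.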
• Permanently blocked sites, which are listed in the configuration file and change only if you manually change them.
• Auto-blocked sites, which are sites the Firebox adds or deletes dynamically based on default packet handling rules and service-by-service rules for denied packets. For example, you can configure the Firebox to block sites that attempt to connect to forbidden ports. Sites are temporarily blocked until the auto-blocking mechanism times out.
From Policy Manager:
1 On the toolbar, click the Blocked Sites icon (shown at right). You can also select Setup => Blocked Sites. The Blocked Sites dialog box appears, as shown in the following figure.
2 Click Add.
3 Use the Choose Type drop list to select a member type. The options are Host IP Address, Network IP Address, or Host Range.
4 Enter the member value. Depending on the member type, this can be an IP address or a range of IP addresses.
5 Click OK.
Creating exceptions to the Blocked Sites list
A blocked site exception is a host that is not added to the list of automatically blocked sites, regardless of whether it fulfills criteria that would otherwise add it to the list. The site can still be blocked according to the Firebox configuration, but it will not be automatically blocked for any reason.
From Policy Manager:
1 Select Setup => Blocked Sites Exceptions.
2 Click Add.
Blocking Ports
You can block ports to explicitly prevent external hosts from reaching ports that are vulnerable as entry points to your network. A blocked port setting takes precedence over any of the individual service configuration settings. Like the Blocked Sites feature, the Blocked Ports feature blocks only packets that enter your network through the External interface. Connections between the Optional and Trusted interfaces are not subject to the Blocked Ports list.
intrusions can be difficult or impossible to detect by all but the most knowledgeable users. The first X Window server is always on port 6000. If you have an X server with multiple displays, each new display uses an additional port number after 6000, up to 6063, for a maximum of 64 displays on a given host.
X Font Server (port 7100)
Many versions of X Windows support font servers. Font servers are complex programs that run as the super-user on some hosts.
port 0
Port 0 is reserved by IANA, but many programs that scan ports start their search on port 0.
port 1
Port 1 is for the rarely used TCPmux service. Blocking it is another way to confuse port scanning programs.
Novell IPX over IP (port 213)
If you use Novell IPX over IP internally, you might want to explicitly block port 213.
NetBIOS services (ports 137 through 139)
You should block these ports if you use NetBIOS internally.
To remove a blocked port, select the port to remove. Click Remove.
Auto-blocking sites that try to use blocked ports
You can configure the Firebox such that when an outside host attempts to access a blocked port, that host is temporarily auto-blocked: in the Blocked Ports dialog box, enable the checkbox marked Auto-block sites that attempt to use blocked ports.
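The rules stated in this chapter (spoofing defense on the External interface, Blocked Sites and Blocked Ports applying only to packets arriving on External, a blocked port overriding a service that would otherwise allow the connection, and auto-blocking of hosts that touch a blocked port until the duration expires) combine into one evaluation order. The following is an added example, not code from this guide or from the Firebox: a Python model of that order, run over a constructed sequence of packets. The interface names follow this guide (eth0 External, eth1 Trusted, eth2 Optional); the network addresses, the service table and the auto-block duration are constructed, and the blocked port numbers are the ones listed in this section.

```python
import ipaddress
from dataclasses import dataclass, field

EXTERNAL = "eth0"
LOCAL_NETWORKS = {                                       # constructed address plan
    "eth1": ipaddress.ip_network("192.168.49.0/24"),     # Trusted
    "eth2": ipaddress.ip_network("10.10.10.0/24"),       # Optional
}


@dataclass
class Packet:
    iface: str       # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Firebox:
    blocked_sites: list                      # permanent entries, slash notation
    blocked_ports: set
    services: dict                           # (proto, dport) -> "allow" or "deny"
    autoblock_on_blocked_port: bool = True
    autoblock_seconds: int = 1200            # stands in for the Blocked Sites dialog duration
    auto_blocked: dict = field(default_factory=dict)   # source ip -> expiry time
    log: list = field(default_factory=list)

    def _spoofed(self, p: Packet) -> bool:
        """Spoofing defense: a packet on External whose source address belongs to
        a Trusted or Optional network is claiming a false identity."""
        if p.iface != EXTERNAL:
            return False
        src = ipaddress.ip_address(p.src)
        return any(src in net for net in LOCAL_NETWORKS.values())

    def _site_blocked(self, ip: str, now: int):
        addr = ipaddress.ip_address(ip)
        if any(addr in ipaddress.ip_network(n) for n in self.blocked_sites):
            return "permanent"
        expiry = self.auto_blocked.get(ip)
        if expiry is not None and now < expiry:
            return "auto"
        self.auto_blocked.pop(ip, None)      # expired: the auto-block has timed out
        return None

    def handle(self, p: Packet, now: int) -> str:
        if self._spoofed(p):
            # the guide: two log records for a spoofed connection attempt
            self.log.append(f"t={now} spoofed source {p.src} on {p.iface}")
            self.log.append(f"t={now} deny {p.src} -> {p.dst}:{p.dport} (spoofing)")
            return "deny"
        if p.iface == EXTERNAL:
            # Blocked Sites and Blocked Ports apply only to packets entering on External
            why = self._site_blocked(p.src, now)
            if why:
                self.log.append(f"t={now} deny {p.src} -> {p.dst}:{p.dport} (blocked site, {why})")
                return "deny"
            if p.dport in self.blocked_ports:
                # precedence: a blocked port wins even where a service would allow it
                self.log.append(f"t={now} deny {p.src} -> {p.dst}:{p.dport} (blocked port)")
                if self.autoblock_on_blocked_port:
                    self.auto_blocked[p.src] = now + self.autoblock_seconds
                    self.log.append(f"t={now} auto-block {p.src} for {self.autoblock_seconds}s")
                return "deny"
        verdict = self.services.get((p.proto, p.dport), "deny")
        if verdict == "deny":
            self.log.append(f"t={now} deny {p.src} -> {p.dst}:{p.dport} (no service)")
        return verdict


def demo():
    fb = Firebox(
        blocked_sites=["203.0.113.0/24"],
        blocked_ports={0, 1, 137, 138, 139, 213, 6000, 7100},
        services={("tcp", 80): "allow", ("tcp", 6000): "allow"},
    )
    host = "192.168.49.10"
    steps = [
        Packet(EXTERNAL, "192.168.49.7", host, "tcp", 80),    # spoofed Trusted source
        Packet(EXTERNAL, "203.0.113.5", host, "tcp", 80),     # permanently blocked site
        Packet(EXTERNAL, "198.51.100.9", host, "tcp", 80),    # ordinary allowed HTTP
        Packet(EXTERNAL, "198.51.100.9", host, "tcp", 6000),  # blocked port beats the allow rule
        Packet(EXTERNAL, "198.51.100.9", host, "tcp", 80),    # same host, now auto-blocked
        Packet("eth2", "10.10.10.3", host, "tcp", 6000),      # Optional -> Trusted: port list not applied
    ]
    verdicts = [fb.handle(p, now=i) for i, p in enumerate(steps)]
    # once the auto-block duration has passed, the host is admitted again
    verdicts.append(fb.handle(Packet(EXTERNAL, "198.51.100.9", host, "tcp", 80),
                              now=3 + fb.autoblock_seconds))
    return fb, verdicts
```

The sixth packet is the one to watch when reviewing a policy: an X server port reachable from the Optional interface is not covered by the Blocked Ports list, so it has to be denied by the service configuration if that is what you intend.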
Blocking Sites Temporarily with Service Settings
Use service properties to automatically and temporarily block sites when incoming traffic attempts to use a denied service. You can use this feature to individually log, block, and monitor sites that attempt access to restricted ports on your network.
Configuring a service to temporarily block sites
Configure the service to automatically block sites that attempt to connect using a denied service.
CHAPTER 12 Monitoring Firebox Activity
An important part of an effective network security policy is the monitoring of network events. Monitoring enables you to recognize patterns, identify potential attacks, and take appropriate action. If an attack occurs, the records kept by the WatchGuard Firebox System will help you reconstruct what happened.
Starting Firebox Monitors and connecting to a Firebox
From Control Center:
1 On the QuickGuide, click the Firebox Monitors button (shown at upper right). Firebox Monitors opens and displays the BandwidthMeter tab. There is no active connection to a Firebox.
2 Select File => Connect.
3 Enter a Firebox name or IP address, or use the Firebox drop list to select a Firebox. Enter the status (read-only) passphrase. Click OK.
BandwidthMeter
The BandwidthMeter tab on the Firebox Monitors display, shown in the following figure, shows real-time bandwidth usage for one Firebox interface at a time.
ServiceWatch
The ServiceWatch tab on the Firebox Monitors display, shown in the following figure, graphs the number of connections by service, providing a service-centric view of network activity. The y axis shows the number of connections and the x axis shows time.
Adding services to ServiceWatch
By default, ServiceWatch graphs the SMTP, FTP, and HTTP services, but you can track other services as well.
From Firebox Monitors:
1 Select View => Properties.
2 Click the ServiceWatch tab.
3 Enter the service name and port number.
4 Pick the line color to represent the service on the graph.
5 Click Add.
The Add Displayed Service dialog box appears. For a list of well-known service port numbers, see the Reference Guide.
Log hosts
The IP addresses of the log host or hosts.
Log host(s): 206.148.32.16
Network configuration
Statistics about the network cards detected within the Firebox, including the interface name, its hardware and software addresses, and its netmask. In addition, the display includes local routing information and IP aliases.
Network Configuration:
lo local 127.0.0.1 network 127.0.0.0 netmask 255.0.0.0
eth0 local 192.168.49.4 network 192.168.49.0 netmask 255.255.255.
Memory
Statistics on the memory usage of the currently running Firebox. Numbers shown are bytes of memory.
Memory:
Mem: total: 65032192 used: 25477120 free: 39555072 shared: 9383936 buffers: 9703424 cached: 362905
Load average
The number of jobs in the run queue averaged over 1, 5, and 15 minutes. The fourth number pair is the number of active processes per number of total processes running, and the last number is the next process ID number.
Load Average: 0.04 0.
73 fblightd S 464 308 3927:05.75 ( 5)
74 /bin/logger S 1372 592 1:29.72 ( 0)
94 ppp-ttyS2 S 804 456 0:00.74 ( 0)
78 firewalld R 2076 1248 307:29.75 ( 0)
0 (nice) 99 (round robin) 0 (nice) 98 (round robin)
79 liedentd S 708 356 0:00.03 ( 0)
80 dvcpd S 1152 576 57:00.26 ( 0) 0 (nice)
82 fwcheck S 860 408 0:01.82 ( 0) 99 (round robin)
95 /opt/bin/rbcast S 784 372 0:39.47 ( 0) 3 (round robin)
86 authentication S 1112 496 0:02.
The interfaces used in this section are as follows:
eth0 - External (public) interface
eth1 - Trusted (internal) interface
eth2 - Optional (DMZ) interface
ipsec0 - IPSec virtual interface
eth0:0 - Interface alias
fbd0 - Virtual interface used for DVCP VPN tunnel negotiation
pptp0, pptp1, pptp2, etc. - PPTP virtual VPN interfaces
lo - Loopback interface
wgd0 - External (public) IP address when the Firebox is set up for PPPoE support
Authentication list
The Authentication List tab displays the host IP addresses and user names of everyone currently authenticated to the Firebox. If you are using DHCP, the IP address-to-user name mapping may change whenever machines restart.
Blocked Site list
The Blocked Site List tab lists the IP addresses (in slash notation) of any external sites that are temporarily blocked by port space probes, spoofing attempts, address space probes, or another event configured to trigger an auto-block.
The HostWatch display uses the logging settings configured with Policy Manager. For instance, to see all denied incoming Telnet attempts in HostWatch, configure the Firebox to log incoming denied Telnet attempts. The line connecting the source host and destination host is color-coded to display the type of connection being made. These colors can be changed. The defaults are:
• Red: the connection is being denied.
• Blue: the connection is being proxied.
Connecting HostWatch to a Firebox
From HostWatch:
1 Select File => Connect. Or, on the HostWatch toolbar, click the Connect icon (shown at right).
2 Use the Firebox drop list to select a Firebox. You can also type the Firebox name or IP address.
3 Enter the Firebox status passphrase. Click OK.
Replaying a log file in HostWatch
You can replay a log file in HostWatch in order to troubleshoot and retrace a suspected break-in.
From HostWatch:
1 Select File => Open.
3 To restart the display, click Continue (shown at right).
4 To step through the display one entry at a time, click the Pause icon. Click the right arrow to step forward through the log. Click the left arrow to step backward through the log.
Controlling the HostWatch display
You can selectively control the HostWatch display. This feature can be useful for monitoring the activities of specific hosts, ports, or users.
From HostWatch:
1 Select View => Filters.
CHAPTER 13 Setting Up Logging and Notification
An event is any single activity that occurs at the Firebox, such as denying a packet from passing through the Firebox. Logging is the recording of these events to a log host. A notification is a message sent to the administrator by the Firebox when an event occurs that indicates a security threat. Notification can be in the form of email, a pop-up window on the WatchGuard Security Event Processor (WSEP), a call to a pager, or the execution of a custom program.
both flexible and powerful. You can configure your firewall to log and notify a wide variety of events, including specific events that occur at the level of individual services. For more information on logging, see the following collection of FAQs: https://support.watchguard.com/advancedfaqs/log_main.
only by a small number of people in an organization. In that case you might want to log all traffic for that service so you can monitor or review that service activity. Not all denied events need to be logged. For example, if incoming FTP denies all incoming traffic from any source outside to any destination inside, there is little point in logging incoming denied packets, because all traffic for that service in that direction is blocked. The exception is when you rely on those denied-packet records to spot probes or to drive auto-blocking, as described in Chapter 11; in that case keep logging them.
Failover Logging
WatchGuard uses failover logging to minimize the possibility of missing log events. With failover logging, you configure a list of log hosts to accept logs in the event of a failure of the primary log host. By default, the Firebox sends log messages to the primary log host. If for any reason the Firebox cannot establish communication with the primary log host, it automatically sends log messages to the second log host.
- Set the log encryption key on each log host identical to the key set in Policy Manager.
Designating Log Hosts for a Firebox
You should have at least one log host to run the WatchGuard Firebox System. The default primary log host is the Management Station that is set when you run the QuickSetup Wizard. You can specify a different primary log host as well as multiple backup log hosts. The typical medium-sized operation has two or three high-capacity log hosts.
3 Enter the IP address to be used by the log host. When typing IP addresses, type the digits and periods in sequence. Do not use the TAB or arrow key to jump past the periods. For more information on entering IP addresses, see "Entering IP addresses" on page 38.
4 Enter the encryption key that secures the connection between the Firebox and the log host. The default encryption key is the status passphrase set in the QuickSetup Wizard. Because the status passphrase is also the read-only passphrase that Firebox Monitors and HostWatch use to connect, choose a separate log encryption key rather than keeping the default.
Changing the log encryption key
Edit a log host entry to change the log encryption key.
From Policy Manager:
1 Select Setup => Logging. The Logging Setup dialog box appears.
2 Click the host name.
3 Click Edit.
4 Type in the new log encryption key. Click OK.
You must use the same log encryption key for both the Firebox and the WatchGuard Security Event Processor.
The Firebox sets its clock to the current log host. If the Firebox and the log host times are different, the Firebox time drifts toward the new time, which often results in a brief interruption in the log file. Rebooting the Firebox resets the Firebox time to that of the primary log host. Therefore, you should set all log hosts' clocks to a single source.
Setting up the WatchGuard Security Event Processor
By default, the WSEP application is installed to run as a Windows service, starting automatically every time the host computer restarts.
1 To start the WatchGuard Security Event Processor service:
- In Windows NT, go to Start => Settings => Control Panel => Services.
- In Windows 2000, go to Start => Settings => Control Panel => Administrative Tools => Services.
As a service, using the Command Prompt
If the WSEP application was not installed by the WatchGuard Firebox System installation wizard, this must be done from the Command Prompt (DOS) window.
1 Select Start => Run and type: command. A Command Prompt window appears.
2 Change directories to the WatchGuard installation directory. The default installation directory is C:\Program Files\WatchGuard.
3 At the command line, type:
If the WatchGuard Security Event Processor icon is not in the tray, in Control Center, select Tools => Logging => Event Processor Interface. To start the Event Processor interface when you log in to the system, add a shortcut to the Startup folder in the Start menu. The WatchGuard installation program does this automatically if you set up logging.
Starting and stopping the WSEP
The WSEP starts automatically when you start the host on which it resides.
From the WatchGuard Security Event Processor user interface:
1 Select File => Set Log Encryption Key.
2 Enter the log encryption key in both text boxes. Click OK.
Setting Global Logging and Notification Preferences
The WatchGuard Security Event Processor lists the connected Firebox and displays its status. It has three control areas, which are used as follows:
Log Files tab
Specify the maximum number of records stored in the log file.
entries in two weeks, whereas a large one with many services enabled might easily log 100,000 entries in a day. When considering your ideal maximum log file size, consider how often you plan to issue reports of the Firebox activity. WatchGuard Historical Reports uses a log file as its source to build reports. If you issue weekly reports to management, you would want a log file large enough to hold a typical eight or nine days' worth of events.
Scheduling log reports
You can use the WSEP application to schedule the automatic generation of network activity reports. For more information, see "Scheduling a report" on page 211.
Controlling notification
Notification occurs when the Firebox sends an email message, pops up a window on the log host, dials a pager, or executes a program to notify an administrator that the Firebox has detected a triggering event.
Setting a Firebox friendly name for log files
You can give the Firebox a friendly name to be used in log files. If you do not specify a name, the Firebox's IP address is used.
From Policy Manager:
1 Select Setup => Name. The Firebox Name dialog box appears.
2 Enter the friendly name of the Firebox. Click OK. All characters are allowed except blank spaces and forward or back slashes (/ or \).
Category
The event types that can be logged by the service or option. This list changes depending on the service or option. Click the event name to display and set its properties.
Enter it in the log
Enable this checkbox to log the event type; clear it to disable logging for the event type. Because the Firebox must perform domain name resolution, there may be a time lag before logs appear in the log file. All denied packets are logged by default.
NOTE: WatchGuard allows only one notification type per event.
Setting Launch Interval and Repeat Count
Two parameters work in conjunction with the Event Processor Repeat Interval to control notification timing:
Launch Interval
The minimum time (in minutes) between separate launches of a notifier. Set this parameter to prevent the launch of several notifiers in response to similar events that take place in a short amount of time.
The repeat count multiplied by the launch interval equals the amount of time an event must continuously happen before it is handled as a repeat notifier.
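To see how the three timing parameters interact when an event keeps firing, the following is an added example, not code from this guide or from the WatchGuard Security Event Processor: a Python model that applies the rules stated in this section (a notifier is launched at most once per launch interval; once the event has been happening continuously for repeat count × launch interval minutes it is handled as a repeat notifier, which fires only once per repeat interval). How the Event Processor itself sequences these steps is not specified on this page, so the model is one consistent reading of the text, and the parameter values and event times are constructed.

```python
class NotificationThrottle:
    """Notification timing model; all times are in minutes."""

    def __init__(self, launch_interval: float, repeat_count: int, repeat_interval: float):
        self.launch_interval = launch_interval
        self.repeat_count = repeat_count
        self.repeat_interval = repeat_interval
        self.last_event = None
        self.last_launch = None
        self.streak_start = None     # when the current run of continuous events began
        self.launches = []           # (time, "launch" or "repeat")

    def event(self, t: float) -> bool:
        """Record one occurrence of the event at time t; True if a notifier fires."""
        # A gap longer than one launch interval ends the run of "continuous" events.
        if self.last_event is None or t - self.last_event > self.launch_interval:
            self.streak_start = t
        self.last_event = t
        # repeat_count * launch_interval minutes of continuous events: now a repeat notifier
        repeating = (t - self.streak_start) >= self.repeat_count * self.launch_interval
        spacing = self.repeat_interval if repeating else self.launch_interval
        if self.last_launch is None or t - self.last_launch >= spacing:
            self.last_launch = t
            self.launches.append((t, "repeat" if repeating else "launch"))
            return True
        return False


def simulate(events, launch_interval=5, repeat_count=3, repeat_interval=60):
    """Replay a sequence of event times and return the notifications that fire."""
    throttle = NotificationThrottle(launch_interval, repeat_count, repeat_interval)
    for t in events:
        throttle.event(t)
    return throttle.launches
```

With a launch interval of 5 minutes and a repeat count of 3, an event that fires every minute produces three launches in the first 15 minutes and then one repeat per repeat interval, while the same event occurring only every half hour is launched every time, which is the behaviour you want for a persistent probe versus an occasional one.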
2 Click Logging.
3 Modify logging and notification properties according to your security policy preferences. Click OK.
Setting logging and notification for blocked sites and ports
You can control logging and notification properties for both blocked sites and blocked ports. The process is identical for both operations. The procedure below is for blocked sites.
From Policy Manager:
1 Select Setup => Blocked Sites.
2 Click Logging.
CHAPTER 14 Reviewing and Working with Log Files
Log files are a valuable tool for monitoring your network, identifying potential attacks, and taking action to address security threats and challenges. This chapter describes the procedures you use to work with log files, including viewing log files, searching for entries in them, and consolidating and copying logs. The WatchGuard Security Event Processor (WSEP) controls logging, report schedules, and notification.
The log file to which the WSEP is currently writing records can be named in two ways. If the Firebox has a friendly name, the log files are named FireboxName timestamp.wgl. (You can give your Firebox a friendly name using the Setup => Name option in Policy Manager.) If the Firebox does not have a friendly name, the log files are named FireboxIP timestamp.wgl.
Searching for specific entries
LogViewer has a search tool to enable you to find specific transactions quickly by keyphrase or field.
From LogViewer:
By keyphrase
1 Select Edit => Search => by Keyphrase.
2 Enter an alphanumeric string. Click Find. LogViewer searches the entire log file and displays the results as either marked records in the main window or a separate filter window, based on your selection.
By field
1 Select Edit => Search => By Fields.
Copying log data
1 Select the log entries you want to copy. Use the SHIFT key to select a block of entries. Use the CTRL key to select multiple, non-adjacent entries.
2 To copy the entries for pasting into another application, select Edit => Copy to Clipboard. To copy the entries to the filter window prior to exporting them, select Edit => Copy to Filter Window.
Displaying and Hiding Fields
The following figure shows an example of the type of display you normally see in LogViewer. Log entries sent to the WatchGuard log state the time stamp, host name, process name, and the process ID before the log summary. Use the Preferences dialog box to show or hide columns displayed in LogViewer.
From LogViewer:
1 Select View => Preferences.
2 Click the Filter Data tab. Enable the checkboxes of the fields you would like to display.
Time
The time the record entered the log file. Default = Show
The Firebox receives the time from the log host. If the time noted in the log seems later or earlier than it should be, it is usually because the time zone is not set properly on either the log host or the Firebox.
IP header length
Length, in octets, of the IP header for this packet. A header length that is not equal to 20 indicates that IP options were present. Default = Hide
TTL (time to live)
The value of the TTL field in the logged packet. Default = Hide
Source address
The source IP address of the logged packet. Default = Show
Destination address
The destination IP address of the logged packet. Default = Show
Source port
The source port of the logged packet, UDP or TCP only.
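The fields above come straight from the IPv4 header of the logged packet, and the header-length rule is worth being able to check by hand when a record looks odd. The following is an added example, not code from this guide or from LogViewer: a Python parser that pulls header length, TTL, addresses and (for TCP and UDP) ports out of a raw IPv4 header, applies the "length other than 20 means options" rule, and a builder that constructs test packets, one of them carrying a Loose Source and Record Route option, the classic companion of a spoofed source address. All addresses and option contents are constructed for the example.

```python
import ipaddress
import struct

# version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum, src, dst
IPV4_HEADER = "!BBHHHBBH4s4s"


def parse_ip_header(raw: bytes) -> dict:
    """Extract the fields this chapter lists from a raw IPv4 packet."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IPV4_HEADER, raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    header_len = (ver_ihl & 0x0F) * 4            # IHL counts 32-bit words
    if header_len < 20 or header_len > len(raw):
        raise ValueError("bad IHL")
    info = {
        "header_length": header_len,
        "options_present": header_len != 20,     # the guide's rule
        "options": raw[20:header_len],
        "ttl": ttl,
        "protocol": proto,
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
    }
    if proto in (6, 17) and len(raw) >= header_len + 4:   # TCP or UDP: ports follow the header
        info["sport"], info["dport"] = struct.unpack("!HH", raw[header_len:header_len + 4])
    return info


def build_packet(src: str, dst: str, proto: int, ttl: int, sport: int, dport: int,
                 options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header plus the first four payload bytes for the
    example (checksum left at zero); options must be padded to 4-byte words."""
    if len(options) % 4:
        raise ValueError("options must be padded to 4-byte words")
    ihl = (20 + len(options)) // 4
    payload = struct.pack("!HH", sport, dport)
    header = struct.pack(IPV4_HEADER, (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                         0, 0, ttl, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + options + payload


# RFC 791 Loose Source and Record Route: type 131, length 7, pointer 4, one hop
# (10.0.0.1, constructed), padded with an End-of-Options byte. Source routing is
# how a packet with a forged source address can still get its replies back.
LSRR_OPTION = bytes([131, 7, 4, 10, 0, 0, 1, 0])
```

When the header length column shows 28 or more on an inbound record, look at the options: source routing arriving on the External interface is rarely legitimate and belongs in the same category as the spoofing attempts Chapter 11 describes.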
• Right-click the WSEP icon (shown at right) in the Windows system tray and select WSEP Status/Configuration. If the WSEP icon does not appear in the system tray, you can launch the WSEP from Control Center by selecting Tools => Logging => Event Processor Interface.
Consolidating logs from multiple locations
You can merge two or more log files into a single file.
log rollover" on page 183. However, you may occasionally want to force the rollover of a log file.
• From the WSEP Status/Configuration user interface, select File => Roll Current Log File. The old log file is saved as Firebox IP Time Stamp.wgl or Firebox Name Time Stamp.wgl. The Event Processor continues writing new records to Firebox IP.wgl or Firebox Name.wgl.
Sending logs to a log host at another location
Because the Firebox encrypts log traffic, you can send it over the Internet to a log host at another office. You can even send this traffic over the Internet from the Firebox at one office to the log host behind a second Firebox at a remote office.
5 Save the new configuration to the remote office Firebox.
On the log host:
You must use the same log encryption key on the remote office Firebox as is configured on the log host protected by the main office Firebox. To modify the log encryption key on the log host, see "Setting log encryption keys" on page 199. You should see the IP address for the remote office Firebox in the list as soon as it connects.
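When logs from several offices are consolidated, the time zone caveat from the Time field description above becomes a practical problem: records from log hosts in different zones only interleave correctly once their stamps are normalized. The following is an added example, not code from this guide or from the WSEP: a Python merge of two logs whose records follow the layout this chapter describes (time stamp, host name, process name and process ID, then the summary), interpreting each log's stamps in its own log host's zone and merging on UTC time. The record text, host names, offsets and the regular expression are constructed; the real .wgl layout is not reproduced.

```python
import heapq
import re
from datetime import datetime, timedelta, timezone

# Constructed records: "YYYY-MM-DD HH:MM:SS host process[pid]: summary".
HQ_LOG = """\
2003-05-01 10:00:05 firebox-hq firewalld[78]: deny in eth0 209.54.94.99 -> 192.168.49.10:23
2003-05-01 10:00:20 firebox-hq firewalld[78]: deny in eth0 209.54.94.99 -> 192.168.49.10:25
"""
REMOTE_LOG = """\
2003-05-01 13:00:10 firebox-remote firewalld[78]: deny in eth0 209.54.94.99 -> 10.20.0.5:23
2003-05-01 13:00:30 firebox-remote firewalld[78]: msg from 10.20.0.2: IDS system temp. blocked 209.54.94.99
"""

RECORD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) ([^\s\[]+)\[(\d+)\]: (.*)$")


def parse_records(text: str, utc_offset_hours: float) -> list:
    """Parse one log, reading its stamps in that log host's zone and converting
    to UTC so logs from different offices can be compared."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue          # not a record in the constructed format
        stamp, host, proc, pid, summary = m.groups()
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        records.append((local.astimezone(timezone.utc), host, proc, int(pid), summary))
    return records


def consolidate(*logs) -> list:
    """logs: (text, utc_offset_hours) pairs, each already in time order as a
    single log file is. Returns one stream ordered by UTC time (k-way merge)."""
    streams = [parse_records(text, offset) for text, offset in logs]
    return list(heapq.merge(*streams, key=lambda rec: rec[0]))


def format_record(rec) -> str:
    t, host, proc, pid, summary = rec
    return f"{t:%Y-%m-%d %H:%M:%S}Z {host} {proc}[{pid}]: {summary}"


if __name__ == "__main__":
    for rec in consolidate((HQ_LOG, -8), (REMOTE_LOG, -5)):
        print(format_record(rec))
```

Merging the same two logs with both offsets set to zero puts every head-office record before every remote record, which is the kind of silent misordering that makes an incident timeline wrong; the time-synchronization advice in Chapter 13 (one clock source for all log hosts) removes the offset problem at the source.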
CHAPTER 15 Generating Reports of Network Activity
Accounting for Internet usage can be a challenging network administration task. One of the best ways to provide hard data for accounting and management purposes is to generate detailed reports showing how the Internet connection is being used and by whom.
Creating and Editing Reports
To start Historical Reports, from Control Center, click the Historical Reports icon (shown at right). You can also start Historical Reports from the installation directory. The file name is WGReports.exe.
Starting a new report
From Historical Reports:
1 Click Add.
2 Enter the report name.
3 Use the Log Directory text box to define the location of log files.
Editing an existing report
At any time, you can modify the properties of an existing report.
From Historical Reports:
1 Select the report to modify. Click Edit. The Report Properties dialog box appears.
2 Modify report properties according to your preferences. For a description of each property, right-click it, and then click What's This?. You can also refer to the "Field Definitions" chapter in the Reference Guide.
Specifying Report Sections
Use the Sections tab on the Report Properties dialog box to specify the type of information you want to be included in reports.
From Historical Reports:
1 Click the Sections tab.
2 Enable the checkboxes for sections to be included in the report.
3 To run authentication resolution on IP addresses, enable the checkbox marked Authentication Resolution on IP addresses.
Setting Report Properties
Reports contain either Summary sections or Detail sections. Each can be presented in different ways to better focus on the specific information you want to view. Detail sections are reported only as text files with a user-designated number of records per page. Summary sections can also be presented as graphs whose elements are user-defined.
To set report properties:
1 From the Report Properties dialog box, select the Preferences tab.
include the name and time of the report. Each report is filed in one of these subdirectories.
Exporting reports to HTML format
When you select HTML Report from the Setup tab on the Report Properties dialog box, the report output is created as HTML files. A JavaScript menu is used to easily navigate the different report sections. (JavaScript must be enabled on the browser so you can review the report menu.)
NOTE: WatchGuard HTTP proxy logging must be turned on to supply WebTrends the logging information required for its reports.
When you select WebTrends Export from the Setup tab on the Report Properties dialog box, the report output is created as a WebTrends Enhanced Log Format (WELF) file. The report appears as a .
Host
Filter a report based on host IP address.
Port
Filter a report based on service name or port number.
User
Filter a report based on authenticated username.
Creating a new report filter
Use Historical Reports to create a new report filter. Filters are stored in the WatchGuard installation directory, in the subdirectory report-defs, with the file extension .ftr.
From Historical Reports:
1 Click Filters.
2 Click Add.
Deleting a report filter
To remove a filter from the list of available filters, highlight the filter. Click Delete. This command removes the .ftr file from the \report-defs directory.
Applying a report filter
Each report can use only one filter. To apply a filter, open the report properties.
From Historical Reports:
1 Select the report for which you would like to apply a filter.
2 Click Edit.
3 Use the Filter drop list to select a filter. Click OK.
6 Click OK.
Manually running a report
At any time, you can run one or more reports using Historical Reports.
From Historical Reports:
1 Enable the checkbox next to each report you would like to generate.
2 Click Run.
Report Sections and Consolidated Sections
You can use Historical Reports to build a report that includes one or more sections. Each section represents a discrete type of information or network activity.
Time Summary – Packet Filtered
A table, and optionally a graph, of all accepted connections distributed along user-defined intervals and sorted by time. If you choose the entire log file or specific time parameters, the default time interval is daily. Otherwise, the time interval is based on your selection.
Session Summary – Proxied Traffic
A table, and optionally a graph, of the top incoming and outgoing sessions, sorted either by byte count or number of connections. The format of the session is: client -> server : service. If the connection is proxied, the service is represented in all capital letters. If the connection is packet filtered, Historical Reports attempts to resolve the server port, using a lookup table, to a service name.
Denied Incoming Packet Detail
A list of denied incoming packets, sorted by time. The fields are Date, Time, Type, Client, Client Port, Server, Server Port, Protocol, and Duration.

Denied Packet Summary
Multiple tables, each representing data on a particular host originating denied packets. Each table includes time of first and last attempt, type, server, port, protocol, and number of attempts. If only one attempt is reported, the last field is blank.
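The aggregation behind the Denied Packet Summary, as an added example that is not WatchGuard code: it takes constructed rows in the field order of the Denied Incoming Packet Detail section and produces one table per originating host, with first and last attempt times and an attempt count per (type, server, port, protocol). The guide's "last field is blank" for a single attempt is read here as the last-attempt time; that reading and all sample rows are assumptions.

```python
# Added example (not WatchGuard code): builds the "Denied Packet Summary" the
# guide describes from constructed "Denied Incoming Packet Detail" rows.
# Detail rows carry Date, Time, Type, Client, Client Port, Server, Server Port,
# Protocol and Duration; the summary groups them by originating host, and within
# each host by (type, server, port, protocol), recording first and last attempt
# times and the attempt count. With a single attempt the last-attempt field is
# left blank (the guide's "last field is blank", read here as that time field).
from collections import OrderedDict

DETAIL_FIELDS = ("date", "time", "type", "client", "client_port",
                 "server", "server_port", "protocol", "duration")

# Constructed detail rows (sample data, not from a real Firebox log).
DENIED_DETAIL = [
    ("2003-02-10", "08:01:12", "denied", "203.0.113.5", 40122, "192.0.2.10", 23, "tcp", 0),
    ("2003-02-10", "08:01:15", "denied", "203.0.113.5", 40123, "192.0.2.10", 23, "tcp", 0),
    ("2003-02-10", "08:02:40", "denied", "203.0.113.5", 40200, "192.0.2.10", 135, "tcp", 0),
    ("2003-02-10", "08:05:03", "denied", "198.51.100.9", 5353, "192.0.2.10", 161, "udp", 0),
    ("2003-02-10", "09:11:58", "denied", "203.0.113.5", 40900, "192.0.2.10", 23, "tcp", 0),
]

def denied_packet_summary(detail_rows):
    """Return {client: [(first, last, type, server, port, protocol, attempts), ...]}.

    Rows are grouped per originating host; each summary row covers one
    (type, server, port, protocol) combination seen from that host.
    """
    per_host = OrderedDict()
    for row in detail_rows:
        rec = dict(zip(DETAIL_FIELDS, row))
        key = (rec["type"], rec["server"], rec["server_port"], rec["protocol"])
        host = per_host.setdefault(rec["client"], OrderedDict())
        stamp = f'{rec["date"]} {rec["time"]}'   # "YYYY-MM-DD HH:MM:SS" sorts lexically
        if key not in host:
            host[key] = {"first": stamp, "last": stamp, "attempts": 1}
        else:
            host[key]["first"] = min(host[key]["first"], stamp)
            host[key]["last"] = max(host[key]["last"], stamp)
            host[key]["attempts"] += 1
    summary = {}
    for client, groups in per_host.items():
        summary[client] = [
            (g["first"], g["last"] if g["attempts"] > 1 else "",
             typ, server, port, proto, g["attempts"])
            for (typ, server, port, proto), g in groups.items()
        ]
    return summary

if __name__ == "__main__":
    for client, rows in denied_packet_summary(DENIED_DETAIL).items():
        print(f"Host {client}")
        for r in rows:
            print("  ", r)
```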
Service Summary
A table, and optionally a graph, of traffic for all services sorted by connection count.

Session Summary – Packet Filtered
A table, and optionally a graph, of the top incoming and outgoing sessions, sorted either by byte count or number of connections. The format of the session is: client -> server : service. If the connection is proxied, the service is represented in all capital letters.
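The session formatting and ranking described for both Session Summary sections (proxied and packet filtered), as an added example that is not WatchGuard code: proxied services are shown in capitals, packet-filtered ones are resolved from the server port through a lookup table that falls back to the bare port number, and sessions are ranked by byte count or connection count. The port table and the connection records are constructed assumptions.

```python
# Added example (not WatchGuard code): builds the "Session Summary" table the
# guide describes from constructed connection records. Session key format is
# "client -> server : service"; proxied connections show the service in capitals,
# packet-filtered ones are resolved from the server port via a lookup table
# (falling back to the bare port number). All records below are constructed.
from collections import defaultdict

# Hypothetical port-to-service table standing in for the one Historical Reports uses.
PORT_TO_SERVICE = {21: "ftp", 22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}

# Constructed accepted connections: (client, server, server_port, proxy_service, bytes)
# proxy_service is the proxy name for proxied traffic, or None for packet-filtered.
CONNECTIONS = [
    ("10.0.0.5", "192.0.2.10", 80, "http", 120_000),
    ("10.0.0.5", "192.0.2.10", 80, "http", 80_000),
    ("10.0.0.7", "192.0.2.20", 443, None, 50_000),
    ("10.0.0.7", "192.0.2.20", 443, None, 10_000),
    ("10.0.0.7", "192.0.2.20", 443, None, 5_000),
    ("10.0.0.9", "192.0.2.30", 8081, None, 300),
]

def session_key(client, server, port, proxy_service):
    """Return the 'client -> server : service' string for one connection."""
    if proxy_service is not None:
        service = proxy_service.upper()                  # proxied: all capitals
    else:
        service = PORT_TO_SERVICE.get(port, str(port))   # packet filtered: resolve port
    return f"{client} -> {server} : {service}"

def session_summary(connections, sort_by="bytes", top=10):
    """Aggregate connections per session and return the top sessions.

    Each result is (session, total_bytes, connection_count), sorted descending
    by byte count or by connection count as the report's sort option selects.
    """
    totals = defaultdict(lambda: [0, 0])
    for client, server, port, proxy_service, nbytes in connections:
        entry = totals[session_key(client, server, port, proxy_service)]
        entry[0] += nbytes
        entry[1] += 1
    column = 1 if sort_by == "bytes" else 2
    rows = [(session, b, c) for session, (b, c) in totals.items()]
    rows.sort(key=lambda r: r[column], reverse=True)
    return rows[:top]

if __name__ == "__main__":
    for row in session_summary(CONNECTIONS, sort_by="connections"):
        print(row)
```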
CHAPTER 16 Controlling Web Site Access

WebBlocker is a feature of the WatchGuard Firebox System that works in conjunction with the HTTP proxy to provide Web site filtering capabilities. It enables you to exert fine control over the Web surfing in your organization. You can designate which hours in the day users are free to access the Web and which categories of Web sites they are restricted from visiting. For more information on WebBlocker, see the following collection of FAQs: https://support.watchguard.
Chapter 16: Controlling Web Site Access

WFS under high load conditions, consider installing the WebBlocker server on a dedicated server running Windows NT 4.0 or Windows 2000. To install the WebBlocker server on a dedicated platform, rerun the setup program on the dedicated server and, on the Select Components screen, deselect all components except the WebBlocker server. You must start the WebBlocker server for WebBlocker requests from the Firebox to be processed.
Getting Started with WebBlocker

• Install or remove the server
• Start or stop the server

To run the WebBlocker utility, select Start => Programs => WatchGuard => WebBlocker Utility.

Configuring the WatchGuard service icon
Because WebBlocker relies on copying updated versions of the WebBlocker database to the event processor, you must configure the WatchGuard service setting Allow Outgoing to Any. It is possible to narrow this setting and use the IP address of webblocker.watchguard.com.
Configuring the WebBlocker Service
WebBlocker is a built-in feature of several services, including HTTP, Proxied HTTP, and Proxy. When WebBlocker is installed, five tabs appear in the service’s Properties dialog box:
• WebBlocker Controls
• WB: Schedule
• WB: Operational Privileges
• WB: Non-operational Privileges
• WB: Exceptions

Activating WebBlocker
To start using WebBlocker, you must activate the feature.
4 Next to the WebBlocker Servers box, click Add.
5 In the dialog box that appears, type the IP address of the server in the Value field. Click OK.
If you want to add additional WebBlocker servers, see “Installing Multiple WebBlocker Servers” on page 225.

Allowing WebBlocker server bypass
By default, if the WebBlocker server does not respond, HTTP traffic (Outbound) is denied.
Request for URL www.badsite.com denied by WebBlocker: host blocked for violence/profanity.

Scheduling operational and non-operational hours
WebBlocker provides two separately configurable time blocks: operational hours and non-operational hours. Typically, operational hours are an organization’s normal hours of operation and non-operational hours are when an organization is not conducting its normal business.
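A parser for the WebBlocker denial message shown above, as an added example that is not WatchGuard code: it extracts the requested URL and the blocking category from log lines and tallies denials by category and by host, which is the review an administrator does when checking what the privilege settings actually block. The date-time prefix, the second category name and the non-WebBlocker line are constructed assumptions.

```python
# Added example (not WatchGuard code): parses the WebBlocker denial message the
# guide shows ("Request for URL www.badsite.com denied by WebBlocker: host blocked
# for violence/profanity.") out of log lines and tallies denials by category and
# by requested host. The log lines and their "date time" prefix are constructed;
# only the message format comes from the guide.
import re
from collections import Counter

WEBBLOCKER_DENIAL = re.compile(
    r"Request for URL (?P<url>\S+) denied by WebBlocker: "
    r"host blocked for (?P<category>[\w/-]+)\.?"
)

# Constructed sample log (not real Firebox output).
SAMPLE_LOG = """\
2003-02-10 08:01:12 Request for URL www.badsite.com denied by WebBlocker: host blocked for violence/profanity.
2003-02-10 08:03:40 Request for URL www.badsite.com/news denied by WebBlocker: host blocked for violence/profanity.
2003-02-10 08:07:05 Request for URL games.example.net denied by WebBlocker: host blocked for sports/leisure.
2003-02-10 08:09:51 HTTP proxy request from 10.0.0.5 allowed
"""

def parse_denials(log_text):
    """Yield (url, category) for every WebBlocker denial line; other lines are skipped."""
    for line in log_text.splitlines():
        m = WEBBLOCKER_DENIAL.search(line)
        if m:
            yield m.group("url"), m.group("category")

def denial_report(log_text):
    """Return (by_category, by_host) Counters for the denials in log_text.

    by_host keys on the host part of the URL so repeated paths on one site
    are counted together.
    """
    by_category, by_host = Counter(), Counter()
    for url, category in parse_denials(log_text):
        by_category[category] += 1
        by_host[url.split("/", 1)[0]] += 1
    return by_category, by_host

if __name__ == "__main__":
    cats, hosts = denial_report(SAMPLE_LOG)
    print("By category:", dict(cats))
    print("By host:", dict(hosts))
```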
Setting privileges
WebBlocker differentiates URLs based on their content. Select the types of content accessible during operational and non-operational hours using the Privileges tabs. The options are identical for Operational and Non-operational.
From the proxy’s dialog box:
1 Click the WB: Operational Privileges tab or the WB: Non-operational Privileges tab.
2 Enable the content type checkboxes for the categories you would like to block.
NOTE
You cannot use WebBlocker exceptions to make an internal host exempt from WebBlocker rules.

From the HTTP Proxy dialog box:
1 Click the WB: Exceptions tab (you might need to use the arrow keys at the right of the dialog box to see this tab).
2 In the Allowed Exceptions section, click Add.
3 Select the type of exception: host address, network address, or enter URL. You can also use the Lookup Domain Name option to determine the IP address of a domain.
6 To remove an item from either the Allow or the Deny list, select the address. Click the corresponding Remove button.

Managing the WebBlocker Server
The WebBlocker server is installed as a Windows Service and can be started or stopped from the Services application located in the Windows Control Panel Program Group.

Installing Multiple WebBlocker Servers
You can install two or more WebBlocker servers in a failover configuration.
process called WebDBdownload.bat, which appears in your WatchGuard directory under the WBServer folder:
1 Open Control Panel and select Scheduled Tasks. (If it is not listed, see “Installing Scheduled Tasks,” in the following section.)
2 3 4 Select Add Scheduled Task.
5 Navigate to your WatchGuard directory and then into WBServer. Select WebDBdownload.bat.
6 Specify how often you want to perform this task.
Automating WebBlocker Database Downloads

If the message “cannot find Windows Update Files on this computer” appears, open Internet Explorer, go to the Tools menu, and select Windows Update. This takes you to the Microsoft Web site, where you can download and install the appropriate software. After installation, Scheduled Tasks appears under My Computer.
CHAPTER 17 Connecting with Out-of-Band Management

The WatchGuard Firebox System out-of-band (OOB) management feature enables the Management Station to communicate with a Firebox by way of a modem (not provided with the Firebox) and telephone line. OOB is useful for remotely configuring a Firebox when access through the Ethernet interfaces is unavailable.
Chapter 17: Connecting with Out-of-Band Management

Enabling the Management Station
For a dial-up PPP connection to work between a Management Station and a Firebox, you must configure the Management Station to use a PPP connection. There are separate procedures for configuring a PPP connection on the Windows NT, Windows 2000, and Windows XP platforms.

Preparing a Windows NT Management Station for OOB
Install the Microsoft Remote Access Server (RAS) on the Management Station.
Configure the dial-up connection
1 From the Desktop, click My Network Places => Network and Dial-up Connections => Make New Connection. The Network Connection wizard appears.
2 Click Next.
3 Select Dial up to Private Network. Click Next.
4 Enter the telephone number of the line connected to the modem in the Firebox. Click Next.
5 Choose the proper designation for your connection. Click Next.
6 Enter a name for your connection.
7 Click Finish.
2 Click Next.
3 Select Connect to the network at my workplace. Click Next.
4 Click Dialup connection. Click Next.
5 Enter the telephone number of the line connected to the modem in the Firebox. Click Next.
6 Enter a name for your connection. This can be anything that reminds you of the icon’s purpose—OOB Connection, for example.
7 Click Finish. Click either Dial or Cancel. A new icon is now in the Network Connections folder.
Establishing an OOB Connection

can pass. After the connection is established, you can use Control Center by specifying the dial-up PPP address of the Firebox. The default address is 192.168.254.1.

Configuring PPP for connecting to a Firebox
In its default configuration, Firebox PPP accepts connections from any standard client.
APPENDIX A Troubleshooting Firebox Connectivity

This chapter provides four ways of connecting to your Firebox should you lose connectivity. These procedures assume that you have already created a configuration file and will be restoring the Firebox with that file. If you have not yet created a configuration file, use the QuickSetup Wizard to create one, as described in Chapter 3, “Getting Started.”
Appendix A: Troubleshooting Firebox Connectivity

2 Connect one end of the crossover cable to the Optional Interface and the other end to the External Interface, creating a loop. Power-cycle the Firebox. This cabling should produce the following light sequence on the front of the Firebox:
Armed light: steady
Sys A light: flickering
(Do not be concerned with the lights on the Security Triangle Display indicating traffic between interfaces.
Method 2: The Flash Disk Management Utility

10 When the Firebox Flash Disk dialog box appears, as shown in the following figure, select the button marked Save Configuration File and New Flash Image. Make sure the checkbox marked Make Backup of current flash image before saving is not selected.
same network as the configuration file, preferably the Trusted network, so you do not need to reassign an IP address to your computer after the configuration file has been uploaded. The following is an example of a typical IP address scheme:
Management Station: 192.168.0.5
Subnet mask: 255.255.255.0
Default gateway: 192.168.0.1
Trusted Interface: 192.168.0.
Method 3: Using the Reset Button - Firebox Models 500, 700, 1000, 2500, 4500

configuration passphrase. Use the address you used as the temporary IP address during the flash disk management process and wg as the passphrase.
12 When the Firebox Flash Disk dialog box appears, select the button marked Save Configuration File and New Flash Image.
4 Open a DOS prompt, and ping the Firebox with 192.168.253.1. You should get a reply.
5 In Policy Manager, select File => Open => Configuration File. Select the configuration file you want to load onto the Firebox and load it into Policy Manager.
6 In Policy Manager, select File => Save => To Firebox. When you are asked for the IP address of the Firebox, use 192.168.253.1 with wg as the passphrase.
Method 4: Serial Dongle (Firebox II only)

3 Take out one end of the serial cable from the Firebox to break the loop effect.
4 On the Management Station, open a DOS prompt. Ping the Firebox at 192.168.253.1. You should get a reply.
5 In Policy Manager, select File => Open => Configuration File. Select the configuration file you want to load onto the Firebox and load it into Policy Manager.
6 In Policy Manager, select File => Save => To Firebox.
Index

.cfg files 43
.ftr files 210
.idx files 192
.rep files 205
.wgl files 192
.wts files 209
1-1 Mapping dialog box 90
1-to-1 NAT.

  and Firebox interfaces 150
  and IDS applications 147
  auto-block duration 152
  auto-blocked 150
  blocking with service settings 157
  changing auto block duration 152
  described 150
  dynamic 157
  exceptions to 152
  in Firebox Monitors 163
  logging and notification 152
  permanent 149, 150
  removing 152, 156
  storing in external file 151
  temporary 157
  viewing list of 157
Blocked Sites dialog box 151, 152, 189
Blocked Sites Exceptions dialog box 152
Blocked Sites list
  described 143, 157
  exceptions to 152
  viewing 157, 167

C

  setting up 59
DHCP Server dialog box 59
DHCP Subnet Properties dialog box 60
DHCP support on External interface 31, 36, 54
dialog boxes
  1-1 Mapping 90
  Add Address 88, 104, 129
  Add Displayed Service 162
  Add Exception 85, 90
  Add External IP 87
  Add External IP Address 88
  Add Firebox Group 133
  Add Member 104, 129
  Add Port 100
  Advanced 54, 56
  Advanced NAT Settings 85, 90
  Aliases 128
  Authentication Servers 133, 134, 136, 138, 139
  Blocked Ports 156
  Blocked Sites 151, 152, 189
  Blocked Sites Exceptions 152
  Connect

External interface
  described 26
  dynamic addressing on 54
external network 26, 43

F

failover 6
failover logging 174
FAQs 7, 13, 77
fbd0 166
fbidsmate utility
  described 147
  using 147, 148
filter window in LogViewer 193
filtered services. See services.

  viewing uptime and version 162
Flash Disk management tool 229
FTP
  and Optional network 43
  and security policy 94
FTP proxy
  and NAT 91
  configuring 119
  described 119
  hazards of 119

G

gateways.

  entering 38
  in example network 23
  netmask 69
  of authentication servers 163
  of Firebox interfaces 52
  of log hosts 163
  typing 74
  WINS/DNS servers 58
IP alias 30
IP options attacks
  blocking 144
  described 141
IPSec tunnels, and DHCP/PPPoE 31
ipsec_users 133
ipsec0 166

J

Java applets
  and Zip files 122
  for authentication 130

K

known issues 13

L

launch interval, setting 187
license key certificates 22
LiveSecurity Gold Program 18
LiveSecurity Service
  activating 11
  benefits of 9
  broadcasts 10
  described 3, 40
  Rap

  synchronizing NT log hosts 178
logging and notification
  configuring Firebox for 174
  customizing by blocking option 185
  customizing by service 185
  default packet handling 188
  defining for services 105
  described 171
  designating log hosts 175
  for blocked sites and ports 189
  global preferences 182
  setting for a service 188
Logging and Notification dialog box 105, 152, 156, 188
logging options, viewing 163
Logging Setup dialog box 175, 176, 177
LogViewer
  consolidating logs 198
  copying log data 193
  described 2,

  described 81
  setting for a service 88
  typically used for 81
  types of 81
  types supported by proxies 91
NAT Setup dialog box 83, 85, 89
NetBIOS services 155
netmask, viewing address of 69
Netscape Communicator 4
network address translation.

  status 37
  tips for creating 48
permanently blocked sites 150
ping command for source of deny messages 72
Policy Manager
  as view of configuration file 43
  described 2, 43, 78
  opening 78
  opening a configuration file 43
  Services Arena 78
  services displayed in 95
  using to create configuration file 51
polling rate, changing 75
POP, and security policy 94
popup window, as notification 107, 186
port space probes 171
  and default packet handling 146
  blocking 143
  described 141
ports
  0 155
  1 155
  1000-1999 155
  111 154
  1

  proxy summary 213
  reasons for generating 203
  running manually 212
  scheduling 211
  sections in 206, 212
  service summary 213
  session summary 213, 214
  setting Firebox names used in 49, 207
  SMTP summary 214
  specifying sections for 206
  starting new 204
  summary sections 207
  time spans for 205
  time summary 213, 216
  using filters 209
  viewing list of 205
  WebBlocker detail 215
requirements
  hardware 4
  software 3
Reset button 231
rlogin service 154
routed configuration
  benefits and drawbacks of 27
  characteristics of 27

  rsh 154
  setting logging and notification for 188
  setting static NAT for 88
  viewing number of connections by 161
  wg_ 105
  X Font service 154
  X Window 153
Services Arena
  described 78, 95
  displaying detailed view 96
Services dialog box 97, 100
ServiceWatch
  adding services to 162
  described 161
Set Log Encryption Key dialog box 199
Setup Firebox User dialog box 134
Setup Routes dialog box 62, 63
shared secret 136
sites, blocked. See blocked sites.

  viewing status of 69

U

unconnected network addresses 150
user authentication. See authentication
users, viewing in HostWatch 170

V

VDOLive, and NAT 91
View Properties dialog box 160, 162
virus alerts 11
VPN Installation Services 19
VPN Manager
  and wg_dvcp service 105
  described 5
VPNs
  allowing incoming services from 95
  and 1-to-1 NAT 89
  in routed configurations 27

W

WatchGuard Certified Training Partners (WCTPs) 19
WatchGuard Control Center.

  and Firebox System requirements 4
  local and global groups 135
  preparing Management Station for out-of-band management 230
  running log host on 178
Windows NT Server authentication 134
Windows XP
  and Firebox System requirements 4
  preparing Management Station for out-of-band management 231
  running log host on 178
WINS server addresses 58
wizard.cfg 35
WSEP.