WatchGuard® Firebox® X Edge User Guide Firebox X Edge - Firmware Version 7.
Certifications and Notices FCC Certification This appliance has been tested and found to comply with limits for a Class A digital appliance, pursuant to Part 15 of the FCC Rules. Operation is subject to the following two conditions: - This appliance may not cause harmful interference. - This appliance must accept any interference received, including interference that may cause undesired operation.
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
(C) In addition to the copies described in Section 2(A), you may make a single copy of the SOFTWARE PRODUCT for backup or archival purposes only. 3. Prohibited Uses.
Copyright, Trademark, and Patent Information INABILITY TO USE THE SOFTWARE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY. 5. United States Government Restricted Rights. The SOFTWARE PRODUCT is provided with Restricted Rights. Use, duplication or disclosure by the U.S.
RealNetworks, RealAudio, and RealVideo are either a registered trademark or trademark of RealNetworks, Inc. in the United States and/or other countries. Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All rights reserved. © 1995-1998 Eric Young (eay@cryptsoft). All rights reserved. © 1998-2003 The OpenSSL Project. All rights reserved.
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3.
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The Apache Software License, Version 1.1 Copyright (c) 2000-2004 The Apache Software Foundation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
1. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 2. The origin of this software must not be misrepresented, either by explicit claim or by omission.
too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price.
The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run. GNU LESSER GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0.
then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License.
these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11.
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License.
decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
Limited Hardware Warranty AND YOU HEREBY WAIVE, DISCLAIM AND RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR
Abbreviations Used in this Guide
• 3DES - Triple Data Encryption Standard
• BOVPN - Branch Office Virtual Private Network
• DES - Data Encryption Standard
• DNS - Domain Name Service
• DHCP - Dynamic Host Configuration Protocol
• DSL - Digital Subscriber Line
• IP - Internet Protocol
• IPSec - Internet Protocol Security
• ISDN - Integrated Services Digital Network
• ISP - Internet Service Provider
• MAC - Media Access Control
• MUVPN - Mobile User Virtual Private Network
• NAT - Network Address Translation
• PPP - Point-to-Point Protocol
Contents
CHAPTER 1 Introduction to Network Security ..... 1
Network Security ..... 1
About Networks ..... 2
Clients and servers ..... 2
Connecting to the Internet ..... 2
Protocols
Disabling the HTTP Proxy Setting ..... 15
Connecting the Firebox X Edge ..... 17
Cabling the Firebox X Edge for more than seven devices ..... 18
..... 19
Setting your computer to use DHCP ..... 20
Setting your computer with a static IP address ..... 20
Browsing to the System Status page ..... 21
Configuring the External Interface
Changing the IP address of the trusted network ..... 49
Configuring the Firebox as a DHCP server ..... 49
Setting DHCP Address Reservations ..... 51
Configuring the Firebox as a DHCP relay agent ..... 51
Assigning static IP addresses ..... 52
Configuring additional computers on the trusted network ..... 52
Configuring the Optional Network
CHAPTER 7 Configuring WebBlocker ..... 83
How WebBlocker Works ..... 84
Configuring Global WebBlocker Settings ..... 84
Creating WebBlocker Profiles ..... 85
WebBlocker Categories ..... 87
Allowing Certain Sites to Bypass WebBlocker ..... 89
Blocking Additional Web Sites
Disconnecting the MUVPN client ..... 131
..... 131
Using Log Viewer ..... 131
Using Connection Monitor ..... 132
The ZoneAlarm Personal Firewall ..... 133
Allowing traffic through ZoneAlarm ..... 134
Shutting down ZoneAlarm
Index
CHAPTER 1 Introduction to Network Security Congratulations on your purchase of the WatchGuard Firebox® X Edge. Your new security device provides peace of mind when countering today’s network security threats. To provide context for the many features described throughout this user guide, this chapter explains basic concepts of networking and network security.
Computer security must always be kept up-to-date. Intruders are always discovering new vulnerabilities to exploit in computer software.
About Networks
A network is a connected group of computers and other devices. It can consist of anything from two computers connected by a serial cable to thousands of computers connected by high-speed data communication links located throughout the world.
share the same bandwidth. Because of this "shared-medium" topology, cable modem users might experience somewhat slower network access during periods of peak demand and can be more susceptible to certain types of attacks than users with other types of connectivity. Digital Subscriber Line (DSL) Internet connectivity, unlike cable modem-based service, provides the user with dedicated bandwidth.
Internet, the file is divided into chunks of data. Each chunk, or packet, is separately numbered and includes the Internet address of the destination. The individual packets for a given file may travel different routes through the Internet. When they have all arrived, they are reassembled into the original file. To make sure that the packets are received at the destination, information is added to the packets.
IP Addresses
IP addresses are like street addresses: when you want to send some information to someone, you must first know his or her address. Similarly, when a computer connected to the Internet needs to send data to another computer, it must first know its IP address. Each computer on the Internet has its own unique IP address. An IP address consists of four numbers, each from 0 to 255, separated by periods. Examples of IP addresses are: • 192.168.0.11 • 10.1.20.18 • 208.15.15.
About PPPoE
Some ISPs assign the IP addresses through Point-to-Point Protocol over Ethernet (PPPoE). PPPoE emulates a standard dial-up connection to provide some of the features of Ethernet and PPP. This system allows the ISP to use the billing, authentication, and security systems designed for dial-up, DSL modem, and cable modem service.
Domain Name Service (DNS)
If you don’t know a person’s street address, you can look it up in the telephone directory.
Although some services are essential, they can also be a security risk. To send and receive data, you must “open a door” in your computer, which makes your network vulnerable. One of the most common ways networks are broken into is by intruders exploiting services.
Ports
On computers and other telecommunication devices, a port is a specific place for physically connecting another device, usually with a socket and plug. A computer usually has one or more serial ports and one parallel port.
Firewalls
A firewall divides your internal network from the Internet to reduce this danger. The computers on the “trusted” (internal) side of a firewall are protected. The illustration below shows how a firewall physically divides the trusted network (your computers) from the Internet. Firewalls allow the user to define access policies for the Internet traffic going to the computers they are protecting.
needs. Firewalls are implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
CHAPTER 2 Installing the Firebox® X Edge To install the WatchGuard® Firebox® X Edge in your network, use this procedure: • Identify and record the TCP/IP properties for your Internet connection. • Disable the HTTP proxy property of your Web browser. • Connect the Firebox X Edge to your network. • Enable DHCP on your computer. • Activate the LiveSecurity® Service.
Package Contents
Make sure that the Firebox® X Edge package includes:
• The Firebox X Edge QuickStart Guide - read the Firebox X Edge QuickStart Guide for a summary of the procedures in this chapter.
• A LiveSecurity® Service activation card - use this card to activate LiveSecurity Service.
• A Hardware Warranty Card - use this card to read your hardware warranty.
• An AC adapter (12 V) - use this adapter to connect the Firebox to a power source.
• The Firebox X Edge serial number. Find this number on the bottom of the Firebox. You use the serial number to register the Firebox.
• An Internet connection. The Internet connection can be a cable or DSL modem, an ISDN router, or a direct LAN connection.
Identifying Your Network Settings
An Internet Service Provider (ISP) gives computers an Internet Protocol (IP) address. An ISP can give you a static or dynamic IP address.
network address translation (NAT). You must get a public IP address and disable NAT on your intranet router for full functionality. Get instructions from your ISP.
Your TCP/IP Properties Table
• IP Address: ___.___.___.___
• Subnet Mask: ___.___.___.___
• Default Gateway: ___.___.___.___
• DHCP Enabled: Yes / No
• DNS Server(s): Primary ___.___.___.___ / Secondary ___.___.___.___
To find your TCP/IP properties, follow the instructions for your computer operating system.
Microsoft Windows 98 or ME
1 Click Start => Run.
2 At the MS-DOS prompt, type winipcfg and then press the Enter key.
3 Click OK.
4 Select the Ethernet Adapter.
5 Record the values in the Your TCP/IP Properties Table on page 14.
6 Click Cancel.
Macintosh
1 Click the Apple menu => Control Panels => TCP/IP.
2 Record the values in the Your TCP/IP Properties Table on page 14.
3 Close the window.
information. Many open-source browsers disable the HTTP proxy feature by default.
Netscape
1 Open Netscape.
2 Click Edit => Preferences. The Preferences window appears.
3 There is a list of options at the left side of the window. Click the arrow symbol to the left of the Advanced heading to expand the list.
4 Click Proxies.
5 Make sure the Direct Connection to the Internet option is selected.
6 Click OK.
Internet Explorer
1 Open Internet Explorer.
Connecting the Firebox X Edge
Use this procedure to connect your Firebox® X Edge Ethernet and power cables:
1
2 Shut down your computer.
3 Find the Ethernet cable between the modem and your computer. Disconnect this cable from your computer and connect it to the Firebox external interface (WAN 1).
4 Find the Ethernet cable supplied with your Firebox. Connect this cable to a trusted interface (0-6) on the Firebox.
6 Find the AC adapter supplied with your Firebox. Connect the AC adapter to the Firebox and to a power source. The Firebox power indicator light comes on and the external interface indicator lights flash and then come on. The Firebox is ready.
NOTE Use only the AC adapter supplied with the Firebox X Edge.
7 When the Firebox is ready, start your computer.
• A straight-through Ethernet cable to connect each hub to the Firebox X Edge.
To connect more than seven devices to the Firebox X Edge:
1 Shut down your computer. If you connect to the Internet through a DSL modem or cable modem, disconnect the power supply from this device.
2 Disconnect the Ethernet cable that runs from your DSL modem, cable modem, or other Internet connection to your computer.
A factory default Firebox allows HTTP traffic on port 80. After you set the administrator password, the Firebox uses only secure HTTP (HTTPS) on port 443 for system configuration. Until that password is set, the configuration pages are also reachable over plain HTTP, so use the https:// address from a computer cabled directly to the Firebox when you set it, before you connect other devices to the trusted network. For your computer to connect to the Firebox, you must choose one of these options:
• Get a dynamic IP address from the Firebox using DHCP
• Set a static IP address within the default trusted interface address range
The default trusted interface IP address is 192.168.111.1/24.
use DHCP. You must use an IP address on the same network as the Firebox X Edge trusted interface.
1 Click Start => Control Panel. The Control Panel window appears.
2 Double-click the Network Connections icon.
3 Double-click the Local Area Connection icon.
4 Double-click the Internet Protocol (TCP/IP) item. The Internet Protocol (TCP/IP) Properties dialog box appears.
5 Select the Use the following IP address option.
6
2 In the Address bar, type the Firebox trusted interface IP address, which is https://192.168.111.1 for a new Firebox. Press the Enter key.
Configuring the External Interface
Your Internet Service Provider (ISP) uses DHCP, PPPoE, or static IP addressing to identify your computer on their network. After you connect the Firebox, you must configure the external interface with the information from your ISP.
2 From the navigation bar on the left side, click the + symbol to the left of Network. Click External.
3 Use the Configuration mode drop-down list to select DHCP.
4 In the DHCP ID field, type the DHCP name or ID you got from your ISP.
5 Click Submit.
Setting a Static IP Address
If your ISP uses static IP addressing, you must set the Firebox external interface address. Use the information in the Your TCP/IP Properties Table on page 14 to do this procedure.
PPPoE Address Settings
• Login Name:
• Domain:
• Password:
For more information on PPPoE, see “About PPPoE” on page 6. To configure the Firebox for PPPoE:
1 Open your Web browser and click Stop. Because the Internet connection is not configured, the browser cannot load your home page from the Internet. The browser can only open the configuration pages stored on the Firebox.
5 Type the PPPoE login name and domain as well as the PPPoE password supplied by your service provider in the applicable fields.
6 Type the time delay before inactive TCP connections are disconnected.
7 If appropriate, select the Automatically restore lost connections checkbox. This option keeps a constant flow of traffic between the Firebox and the PPPoE server.
http://www.watchguard.com/activate
NOTE To activate the LiveSecurity Service, your browser must have JavaScript enabled.
2 If you have a user profile on the WatchGuard Web site, enter your user name and password. If you have not registered before, you must create a user profile. To do this, follow the instructions on the Web site.
3 Record your LiveSecurity Service user profile information in the table below. Keep this information confidential.
CHAPTER 3 Configuration and Management Basics Configuration is the process of customizing the WatchGuard® Firebox® X Edge to meet the specific security needs of your organization. This is your main task after installing your Firebox. The configuration of the Firebox X Edge is made using Web pages stored on the Firebox. You can connect to these configuration pages with your Web browser.
“Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge. The default IP address is https://192.168.111.1.” The purpose of the step is to open your Firebox system configuration pages. Your computer must be connected to the Firebox with an Ethernet cable. You can change the IP address of the trusted network from https://192.168.111.1 to an IP address of your choice.
Navigating the Configuration Pages Using the navigation bar On the left side of the System Status page is a navigation bar that provides access to other Firebox X Edge configuration and status pages. To view the main page for each area, click the appropriate menu item on the navigation bar. For example, to view how logging is currently configured for your Firebox and to see the current event log, click Logging. Each area contains submenus that you use to configure various settings within that area.
Configuration Overview
The Firebox X Edge system configuration pages are grouped by functional task. The following provides a brief introduction to each category and directs you to chapters in this User Guide providing detailed information about each feature.
Firebox System Status Page
The System Status page is the main configuration page of the Firebox X Edge. The center panel of the page shows information about the current settings.
Network Page
The Network page shows the configuration of each network interface. It also shows any configured routes and provides buttons to change configurations and to view network statistics. For more information, see Chapter 4, “Changing Your Network Settings.”
Firebox Users Page
The Firebox Users page shows statistics on the active sessions and defined local user accounts. It provides buttons to close current sessions and to add, edit, and delete user accounts. This page also shows the MUVPN client configuration files that are available for download. If your Firebox does not yet support MUVPN clients, the page provides a button for you to upgrade your Firebox to enable MUVPN client support.
Administration Page
The Administration page shows whether the Firebox uses HTTP or HTTPS for its configuration pages, whether VPN Manager access is enabled, and which upgrades are enabled. It provides buttons to change configurations, add upgrades, and view the configuration file. For more information, see Chapter 10, “Managing the Firebox X Edge.”
Firewall Page
The Firewall page shows the incoming and outgoing services, blocked sites, and other firewall settings, including an unrestricted address on the optional network. It also provides buttons to change these settings. For more information, see Chapter 5, “Configuring Firewall Settings.”
Logging Page
The Logging page shows the current event log, the status of WSEP (WatchGuard Security Event Processor) and Syslog logging, and the system time. It also provides buttons to change these settings and to synchronize system time with your local computer. For more information, see Chapter 6, “Configuring Logging.”
WebBlocker Page
The WebBlocker page shows the WebBlocker settings, profiles, allowed sites, and denied sites. It also provides buttons to change the current settings. For more information, see Chapter 7, “Configuring WebBlocker.”
VPN Page
The VPN page shows information on managed VPNs, manual VPN gateways, and echo hosts along with buttons to change the configuration of VPN tunnels. It also provides a button for you to view statistics on active tunnels. For more information, see Chapter 8, “Configuring VPNs.”
Wizards Page
The Wizards page shows the wizards available to help you quickly and easily set up key Firebox X Edge features:
• Network Interface Wizard - Configure all interfaces, including WAN failover.
Updating Firebox X Edge Software
One benefit of your LiveSecurity® Service is ongoing software updates. As new threats appear and WatchGuard adds product enhancements, you receive alerts to let you know about new versions of your Firebox® X Edge software. When you receive the alert, you will be provided with instructions on how to download the software to your personal computer.
Factory Default Settings
The term factory default settings refers to how the Firebox® X Edge is configured when you first receive it, before you have made any changes of your own to the configuration. The default network and configuration settings for the Firebox X Edge are as follows:
Trusted network - The default IP address for the trusted network is 192.168.111.1. The subnet mask for the trusted network is 255.255.255.0.
Resetting the Firebox to the factory default settings
You may have occasion to reset the Firebox to the factory default settings. For example, you might be having problems correcting a configuration problem and just want to “start over.” Sometimes, a reset is your only choice: such as if the system security passphrase is unknown or the firmware of the Firebox X Edge is damaged by a power interruption.
Rebooting the Firebox Using the Web browser 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge. The default IP address is: https://192.168.111.1 2 Click Reboot. Disconnecting the power supply Disconnect the Firebox power supply. After a minimum of 10 seconds, connect the power supply.
CHAPTER 4 Changing Your Network Settings A primary task in setting up your WatchGuard® Firebox® X Edge is configuring the network interfaces. At the least, you must configure the external and trusted network interfaces to enable traffic to flow through the Firebox from the Internet to the internal network. You can also set up a third, optional interface, which connects to a second secured network, typically any network of servers provided for public access.
The Network Interface Wizard consists of the following steps:
Step 1: Welcome
The first screen describes the purpose of the wizard and the information you need before running it.
Step 2: External Interface Configuration
The next screen asks you how the Firebox X Edge determines its external IP address settings. For more information, see the introductory material in “Configuring the External Network” on page 45.
Step 9: Summary
The wizard’s last screen displays a summary of the settings you have made using the wizard.
Configuring the External Network
When you configure the external network, you select the method of communication between the Firebox® X Edge and your Internet service provider (ISP). Make this selection based on the method of network address distribution in use by your ISP.
If your service provider uses DHCP
The default configuration sets the Firebox X Edge to get the external address information through DHCP. If your ISP supports this method, the Firebox gets IP address information from the ISP when the Firebox reboots and connects to the Internet. For more information about DHCP, see “About DHCP” on page 5.
If your ISP uses PPPoE
If your ISP assigns IP addresses through PPPoE, your PPPoE login name and password are required to configure the Firebox X Edge. For more information on PPPoE, see “About PPPoE” on page 6. To configure the Firebox for PPPoE:
1 Open your Web browser and click Stop. Because the Internet connection is not configured, the browser cannot load your home page from the Internet. The browser can open the configuration pages in the Firebox.
7 Type the PPPoE password supplied by your ISP.
8 Type the time delay before inactive TCP connections are disconnected.
9 If appropriate, select the Automatically restore lost connections checkbox. This option keeps a constant flow of traffic between the Firebox and the PPPoE server. This allows the Firebox to keep the PPPoE connection open during a period of frequent packet loss. If the flow of traffic stops, the Firebox reboots.
Configuring the Trusted Network
Changing the IP address of the trusted network
Sometimes it is necessary to change the trusted network address range. For example, if you connect two or more Firebox devices in a virtual private network, each Firebox must use a different network address range. For more information, see “What You Need to Create a VPN” on page 93.
To configure the Firebox as a DHCP server:
1 If you have not already done so, use your browser to open the Firebox X Edge configuration pages. Select Network => Trusted. The Trusted Network Configuration page appears.
2 Select the Enable DHCP Server on the Trusted Network checkbox.
3 Type the first IP address and last IP address that is available for the computers that connect to the trusted network in the applicable fields.
Setting DHCP Address Reservations
You can bind a static IP address to a specific hardware device by way of its MAC address.
1 If you have not already done so, use your browser to open the Firebox X Edge configuration pages. Select Network => Trusted. The Trusted Network Configuration page appears.
2 Click the DHCP Reservations button. The DHCP Address Reservations page appears.
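The dynamic pool set on the Trusted Network page and the reservations bound to MAC addresses are easy to make inconsistent: a reservation placed inside the dynamic pool, a reserved address outside the trusted subnet, a malformed MAC, or the same MAC reserved twice. The following Python script is an added example, not WatchGuard code and not something the Firebox itself runs; it checks a reservation table against the pool and the trusted interface before you type the entries into the configuration pages. The interface address is the guide's default 192.168.111.1/24; the pool bounds, hostnames and MAC addresses are constructed sample data.

```python
import ipaddress
import re

# Constructed sample data in the shape of the Trusted Network page.
# 192.168.111.1/24 is the guide's default trusted interface; the pool bounds,
# hostnames and MAC addresses are assumptions made for this example.
TRUSTED_INTERFACE = "192.168.111.1/24"
DHCP_POOL = ("192.168.111.2", "192.168.111.100")   # first and last dynamic address
RESERVATIONS = [
    {"name": "file-server", "mac": "00:90:7F:12:34:56", "ip": "192.168.111.200"},
    {"name": "printer",     "mac": "00-90-7f-ab-cd-ef", "ip": "192.168.111.50"},   # inside the pool
    {"name": "badmac",      "mac": "00:90:7F:12:34",    "ip": "192.168.111.201"},  # only five octets
    {"name": "offsubnet",   "mac": "00:90:7F:00:00:01", "ip": "192.168.1.10"},     # not on 192.168.111.0/24
    {"name": "dup",         "mac": "00:90:7f:12:34:56", "ip": "192.168.111.202"},  # same MAC as file-server
]

# Six hex pairs, all separated by the same character, either ':' or '-'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Return the MAC as lowercase colon-separated text, or None if it is malformed."""
    if not MAC_RE.match(mac):
        return None
    return mac.replace("-", ":").lower()


def check_reservations(interface, pool, reservations):
    """Return a list of (reservation name, problem) pairs; an empty list means the table is consistent."""
    iface = ipaddress.ip_interface(interface)
    net, gateway = iface.network, iface.ip
    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in pool)
    problems = []
    if pool_lo not in net or pool_hi not in net or pool_lo > pool_hi:
        problems.append(("pool", "pool %s-%s is not a valid range inside %s" % (pool_lo, pool_hi, net)))
    seen_macs, seen_ips = {}, {}
    for r in reservations:
        mac = normalize_mac(r["mac"])
        if mac is None:
            problems.append((r["name"], "malformed MAC address %r" % r["mac"]))
        elif mac in seen_macs:
            problems.append((r["name"], "MAC %s is already reserved for %s" % (mac, seen_macs[mac])))
        else:
            seen_macs[mac] = r["name"]
        try:
            ip = ipaddress.ip_address(r["ip"])
        except ValueError:
            problems.append((r["name"], "malformed IP address %r" % r["ip"]))
            continue
        if ip not in net:
            problems.append((r["name"], "%s is outside the trusted network %s" % (ip, net)))
            continue
        if ip == gateway:
            problems.append((r["name"], "%s is the Firebox trusted interface address" % ip))
        if pool_lo <= ip <= pool_hi:
            problems.append((r["name"], "%s lies inside the dynamic pool %s-%s" % (ip, pool_lo, pool_hi)))
        if ip in seen_ips:
            problems.append((r["name"], "%s is already reserved for %s" % (ip, seen_ips[ip])))
        else:
            seen_ips[ip] = r["name"]
    return problems


if __name__ == "__main__":
    for name, problem in check_reservations(TRUSTED_INTERFACE, DHCP_POOL, RESERVATIONS):
        print("%-12s %s" % (name, problem))
```

Reservations are compared after normalizing the MAC, so the same adapter written once with colons and once with dashes, or in mixed case, is still caught as a duplicate. A reservation that falls inside the dynamic pool is flagged because the same address could also be handed out dynamically to another client.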
To configure the Firebox as a DHCP relay agent:
1 If you have not already done so, use your browser to open the Firebox X Edge configuration pages. Select Network => Trusted. The Trusted Network Configuration page appears.
2 Select the Enable DHCP Relay checkbox.
3 Type the IP address of the DHCP relay server in the applicable field.
4 Click Submit.
5 Reboot the Firebox X Edge.
over the same LAN. If you mix computers with different operating systems on your network, they pass traffic through the Firebox X Edge to access the Internet. To add more computers to the trusted network:
1 Verify each additional computer has an Ethernet card installed.
2
3 Set the computers to obtain their addresses using DHCP.
4 Connect each computer to the network the same way you did in “Cabling the Firebox X Edge for more than seven devices” on page 18.
Configuring the Optional Network
2 From the navigation bar at left, select Network => Optional. The Optional Network Configuration page appears.
3 Select the Enable Optional Network checkbox.
Changing the IP address of the optional network
Sometimes it is necessary to change the optional network address range. One example might be if your optional network is wireless and you want to separate the wireless and wired networks.
Configuring DHCP on the optional network
Just as with the trusted network, you can use the Firebox as either a DHCP server or a DHCP relay.
To configure the Firebox as a DHCP server:
1 If you have not already done so, use your browser to open the Firebox X Edge configuration pages. Select Network => Optional. The Optional Network Configuration page appears.
2 Select the Enable DHCP Server on the Optional Network checkbox.
4 Type the WINS Server address, DNS Server primary address, DNS Server secondary address, and DNS Domain server suffix in the applicable fields. If no value is entered, the Firebox by default uses the address settings provided to it by your service provider.
5 Click Submit.
6 Reboot the Firebox X Edge.
To configure the Firebox as a DHCP relay agent:
1 If you have not already done so, use your browser to open the Firebox X Edge configuration pages.
NOTE
All changes to the Optional Network Configuration page require that you click Submit and then reboot the Firebox before they take effect. You can make all the changes you want and then reboot just once when you are done.
You can either enable or disable the DHCP server on the optional network.

Requiring encrypted connections
You can require encrypted MUVPN connections on this interface if you want to secure a wireless network.

Configuring Static Routes
2 From the navigation bar at left, select Network => Routes. The Routes page appears.
3 Click Add. The Add Route page appears.
4 From the Type drop-down list, select either Host or Network. A host is a single computer. A network is a range of IP addresses on which many computers can connect.
5 Type the IP address of the route’s destination and the IP address for the route’s gateway in the applicable fields. The gateway of the route is the local interface of the router.
Viewing Network Statistics
The Firebox® X Edge Network Statistics page gives information about network performance. This page is useful during troubleshooting. Follow these instructions to access the Network Statistics page:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge. The default IP address is: https://192.168.111.1
2 From the navigation bar at left, select Network => Network Statistics.
Or, see the following FAQs on the WatchGuard Technical Support site at: https://www.watchguard.com/support/advancedfaqs/sogen_main.asp
• What is Dynamic DNS?
• How do I set up Dynamic DNS?
NOTE
WatchGuard is not affiliated with DynDNS.org.
1 Create a dynamic DNS account.
Enabling the WAN Failover Option
The WAN Failover option adds redundant support for the external interface. With this upgrade installed, the Firebox® X Edge starts a connection through the WAN2 port when the primary external port (WAN1) connection fails. It is frequently used by businesses that cannot afford even a small amount of lost connection time and will pay for a second Internet account. No new policy definitions are required.
is used. If the WAN1 port is not available, the Firebox connects through the WAN2 port.
To configure the failover network:
1 Connect one end of a straight-through Ethernet cable to the WAN2 port, and connect the other end to the source of the secondary external network connection. This connection can be a cable modem or a hub.
2 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge.
4 Select the Enable failover using the Ethernet (WAN2) interface checkbox.
5 From the drop-down list, select the interface for the feature: Ethernet or modem.
6 Type the IP addresses of the hosts to ping for the WAN1 and WAN2 interfaces in the applicable fields.
7 Type the number of seconds between pings and the number of seconds to wait for a reply in the applicable fields.
8 Type the limit on the number of pings before timeout in the applicable field.
9 Click Submit.
CHAPTER 5 Configuring Firewall Settings
The firewall configuration settings of the WatchGuard® Firebox® X Edge control the flow of traffic between the trusted network and the external network. The configuration you select depends on the degree of risk you determine to be acceptable for the trusted network.

Configuring Incoming and Outgoing Services
For basic information about services, see “Services” on page 6. Network traffic is classified as either incoming or outgoing.
compare the value of access to each service against the security risk caused by that service. When you configure a service, you set the allowable traffic sources and destinations, and you determine the filter rules and policies for the service.

Preconfigured (common) services
A number of preconfigured services are available.
Creating a custom service using the wizard
If you need to allow a service that is not listed in the common services, configure a custom service based on a TCP port, a UDP port, or a protocol. The easiest way to do this is to use the Traffic Filter Wizard.
1 From the navigation bar at left, select Wizards.
2 Next to Define a rule for filtering network traffic between interfaces, click Go.
3 Work through the wizard, following the instructions on the screens.
to expose a service such as HTTP (a Web server) to the external network.
Step 6: Summary
The wizard’s last screen displays a summary of the settings you have made using the wizard.

Creating a custom service manually
Follow these steps to configure a custom service manually:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge. The default IP address is: https://192.168.111.
5 In the fields separated by the word To, either type a port number and leave the second box blank (for one port), type a range of port numbers (for a range of ports), or type the protocol number.
NOTE
For a TCP port or a UDP port, specify a port number or a range of ports. For a protocol, specify an IP protocol number. You cannot specify a port number for an IP protocol that is not TCP or UDP.

Filtering Outgoing Traffic to the Optional Network
4 Click Submit.
You can also select the Disable traffic filters checkbox to allow all services between the networks. Note, however, that this allows all traffic in both directions between the trusted and the optional network.

Blocking External Sites
The Blocked Sites feature of the Firebox® helps you prevent unwanted contact from or to known or suspected hostile systems. After you identify an intruder, you can block all attempted connections from that system.
• Prevents the transmission of all packets from the external network to the trusted network
You can change the configuration to prevent access to specified Internet sites. Follow these steps to configure the blocked sites:
1 From the navigation bar at left, select Firewall => Blocked Sites. The Blocked Sites page appears.
2 Select either Host IP Address, Network IP Address, or Host Range from the drop-down list.

Configuring Firewall Options
2 From the navigation bar at left, select Firewall => Options. The Firewall Options page appears.

Responding to ping requests
You can configure the Firebox X Edge to deny all ping packets received on the external or trusted interface.
1 Select the Do not respond to PING requests received on External Network checkbox or the Do not respond to PING requests received on Trusted Network checkbox.
2 Click Submit.
SOCKS implementation for the Firebox X Edge
The Firebox X Edge functions as a SOCKS network proxy server. An application that uses more than one socket connection and implements the SOCKS version 5 protocol can communicate through the Firebox. SOCKS supplies a secure, two-way communication channel between a computer on the external network and a computer on the trusted network.
NOTE
The Firebox X Edge uses port 1080 to communicate with a computer that uses a SOCKS-compatible application. Make sure that port 1080 is not in use by other applications on the computer.
1 If there is a selection of protocols or SOCKS versions, select SOCKS version 5.
2 Select port 1080.
3 Set the SOCKS proxy to the URL or IP address of the Firebox X Edge. The default IP address is: https://192.168.111.1.
2 Click Submit.

Enabling the MAC address override
If your ISP has previously registered your computer’s MAC address and allows connections only from that MAC address, enable this option and use the MAC address of the computer that was previously used to connect to the ISP on this line. The MAC address must be entered in this format: hhhhhhhhhhhh where:
• Each of the 12 “h” digits is a hexadecimal character with a value between 0 and 9 or between “a” and “f”.
Creating an Unrestricted Pass Through
The Firebox® X Edge can allow traffic to flow from the external network to a computer on the trusted network that has a public IP address. Follow these steps to configure a pass through:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge. The default IP address is: https://192.168.111.1
2 From the navigation bar at left, select Firewall => Pass Through.
CHAPTER 6 Configuring Logging
An event is any single activity that occurs at the Firebox® X Edge, such as denying a packet from passing through the Firebox. Logging is the process of recording and storing information about these events. Because the log keeps a record of events that show possible security problems, logging is an important part of an effective network security policy. For example, a sequence of denied packets can show that an unauthorized person tried to access your network.
because of a packet handling violation, duplicate messages, return error messages, and IPSec messages.
Each log message has three parts:
Time
The exact time of the event that triggered the log message.
Category
The category of the message. For example, whether the message originated from an outside source such as an IP address, from the configuration file, and so on.
Logging to a WatchGuard Security Event Processor Log Host
to do this, see the WatchGuard System Manager User Guide. Then follow these instructions to send your event logs to the WSEP.
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox. The default IP address is: https://192.168.111.1
2 From the navigation bar at left, select Logging => WSEP Logging. The WatchGuard Security Event Processor Logging page appears.
Logging to a Syslog Host
Syslog is a logging interface, originally developed for UNIX, but now used by a number of computer systems. This option sends the Firebox® X Edge log messages to a syslog host. If you already maintain a syslog host, you can set the Firebox to send log messages to that host. Follow these steps to configure a syslog host:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge.
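As an added example (not part of this guide), the following Python script shows the kind of check a syslog host can run over the messages it receives from the Edge: it looks for the "sequence of denied packets" from one source that the logging chapter describes. The message layout, the host name and the addresses are constructed for the example; the Firebox's actual log format is not shown on this page.

```python
"""Added example: flag clustered denied packets in constructed syslog lines.

The message layout is an assumption for this example (RFC 3164-style
header followed by key=value fields); it is not the Firebox X Edge's
documented log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample messages, as a syslog host might store them.
SAMPLE_LOG = """\
<134>Mar  4 10:15:01 firebox deny in eth0 proto=tcp src=203.0.113.7 dst=192.168.111.1 dport=23
<134>Mar  4 10:15:02 firebox deny in eth0 proto=tcp src=203.0.113.7 dst=192.168.111.1 dport=22
<134>Mar  4 10:15:03 firebox allow out eth1 proto=udp src=192.168.111.20 dst=192.0.2.53 dport=53
<134>Mar  4 10:15:04 firebox deny in eth0 proto=tcp src=203.0.113.7 dst=192.168.111.1 dport=80
<134>Mar  4 10:15:05 firebox deny in eth0 proto=tcp src=203.0.113.7 dst=192.168.111.1 dport=443
<134>Mar  4 10:16:30 firebox deny in eth0 proto=tcp src=198.51.100.9 dst=192.168.111.1 dport=3389
<134>Mar  4 10:18:05 firebox deny in eth0 proto=tcp src=203.0.113.7 dst=192.168.111.1 dport=8080
this line is not a log message and is skipped
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<action>allow|deny) (?P<direction>in|out) "
    r"(?P<iface>\S+) (?P<fields>.*)$"
)


def parse_log(text):
    """Return one dict per well-formed message; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; 1900 is fine for relative windows.
        when = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
        events.append({
            "time": when,
            "action": m["action"],
            "direction": m["direction"],
            "src": fields.get("src"),
            "dst": fields.get("dst"),
            "dport": int(fields["dport"]) if "dport" in fields else None,
        })
    return events


def find_repeat_denies(text, threshold=3, window_seconds=60):
    """Sources with at least `threshold` denied packets inside one window.

    Returns {src: {"count", "first", "last", "dports"}} for the densest
    window per source; a single stray deny never qualifies by itself.
    """
    by_src = defaultdict(list)
    for ev in parse_log(text):
        if ev["action"] == "deny" and ev["src"]:
            by_src[ev["src"]].append(ev)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["time"])
        start, best = 0, None
        for end in range(len(events)):
            # Slide the window start forward until the span fits the window.
            while events[end]["time"] - events[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "count": count,
                    "first": events[start]["time"],
                    "last": events[end]["time"],
                    "dports": sorted({e["dport"] for e in events[start:end + 1]}),
                }
        if best:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, info in find_repeat_denies(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} denies, ports {info['dports']}")
```

A source flagged this way is a candidate for the Blocked Sites list described in Chapter 5.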
Setting the System Time
For each log entry, the Firebox® X Edge records the time from its system clock. You can set the clock in one of two ways: you can specify that your system is synchronized using Network Time Protocol (NTP), or you can set the date and time manually. Follow these steps to set the system time:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge. The default IP address is: https://192.168.111.
4 (Optional) Select the Adjust for daylight savings time checkbox.
5 Select the method you want to use to set the system time, as described in the next two sections.
6 Click Submit.

Setting time using NTP
Network Time Protocol (NTP) synchronizes the clocks of computers on a network. For more information on NTP, see http://www.ntp.org.
1 From the System Time page, select Use NTP to periodically automatically set system time.
2 Select an NTP server from the list.
CHAPTER 7 Configuring WebBlocker
Allowing network users to access any Web site they choose can lead to problems. An obvious one is loss of productivity. When employees are not guarded from distractions such as sports, entertainment, financial, and other non-work Web sites, their work performance can suffer. Web surfing can also reduce network bandwidth and take up disk space. Network security is an issue as well.
How WebBlocker Works
WebBlocker uses a database of Web site addresses that is owned and maintained by SurfControl®, a leading Web and e-mail filtering company. The database shows the type of content found on thousands of Web sites. WatchGuard puts the newest version of the SurfControl database on the WebBlocker server at regular intervals.
2 From the navigation bar at left, select WebBlocker => Settings. The WebBlocker Settings page appears.
3 Select the Enable WebBlocker checkbox.
4 Type a password in the Full Access Password field. The full access password allows a user to access all Web sites until the password expires or the browser is closed.
5 Retype the same password in the Confirm Password field.
6 Type a value, in minutes, in the Inactivity Timeout field.

Creating WebBlocker Profiles
After you define profiles, you can apply them to users when you set up user accounts, as described in Chapter 10, “Managing the Firebox X Edge.”
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox® X Edge. The default IP address is: https://192.168.111.1
2 From the navigation bar at left, select WebBlocker => Profiles. The Profiles page appears.
3 Click New. The New Profile page appears.
WebBlocker Categories
The WebBlocker database contains 14 categories. A Web site is added to a category only if the contents of the Web site advocate the subject matter of the category. Web sites that provide opinion or educational material about the subject matter of the category are not included. For example, the drugs/drug culture category blocks sites describing how to grow and use marijuana but does not block sites discussing the historical use of marijuana.
Satanic/cult
Pictures or text advocating devil worship, an affinity for evil, wickedness, or the advocacy to join a cult. A cult is defined as: a closed society that is headed by a single individual where loyalty is demanded and leaving is punishable.
Intolerance
Pictures or text advocating prejudice or discrimination against any race, color, national origin, religion, disability or handicap, gender, or sexual orientation. Any picture or text that elevates one group over another.
Sexual Acts
Pictures or text exposing anyone or anything involved in explicit sexual acts and/or lewd and lascivious behavior. Topic includes masturbation, copulation, pedophilia, as well as intimacy involving nude or partially nude people in heterosexual, bisexual, lesbian, or homosexual encounters. It also includes phone sex advertisements, dating services, adult personals, and sites devoted to selling pornographic CD-ROMs and videos.

Allowing Certain Sites to Bypass WebBlocker
NOTE
This WebBlocker feature is applicable only for outbound requests to access Web sites. You cannot use WebBlocker exceptions to make an internal host exempt from WebBlocker rules.
1 From the navigation bar on the left, select WebBlocker => Allowed Sites. The WebBlocker Allowed Sites page appears.
2 From the drop-down list at the lower-left portion of the page, select whether the address or addresses you specify are a host IP address, network IP address, or host range.
Blocking Additional Web Sites
is corrupted with hacker code. Using the Denied Sites feature, you can make sure your employees do not access this site.
1 From the navigation bar on the left, select WebBlocker => Denied Sites. The WebBlocker Denied Sites page appears.
2 From the drop-down list at the lower-left portion of the page, select whether the address or addresses you specify are a host IP address, network IP address, or host range.
Allowing Internal Hosts to Bypass WebBlocker
You can define a list of internal hosts that bypass WebBlocker settings:
1 From the navigation bar on the left, select WebBlocker => Trusted Hosts. The WebBlocker Trusted Hosts page appears.
2 In the text box at the bottom of the page, type the host IP address of the site you want to allow. Click Add.
3 Repeat for other allowed hosts. When you are done adding hosts, click Submit.
To remove an item from the list, select the address.
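The Allowed Sites, Denied Sites and Trusted Hosts lists above, like the firewall's Blocked Sites list in Chapter 5, all take an entry as a host IP address, a network IP address, or a host range. The Python below is an added example, not WatchGuard code: it parses those three entry forms and applies the lists to an outbound request. The order in which the lists are consulted is an assumption made for the example (the guide says what each list does, not how they interact), and the addresses and category assignments are constructed.

```python
"""Added example: apply the Edge's three address-entry forms and the
WebBlocker exception lists to an outbound Web request.

List precedence is an assumption for this example; the guide does not
state how the lists interact.
"""
import ipaddress


def parse_entry(entry):
    """Accept a host IP address ('203.0.113.5'), a network IP address
    ('203.0.113.0/24'), or a host range ('203.0.113.10-203.0.113.20').
    Returns a predicate over ipaddress objects."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start after end: {entry}")
        return lambda ip: lo <= ip <= hi
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        return lambda ip: ip in net
    host = ipaddress.ip_address(entry)
    return lambda ip: ip == host


class AddressList:
    """One of the Edge's address lists (Blocked Sites, Allowed Sites, ...)."""

    def __init__(self, entries):
        self.matchers = [parse_entry(e) for e in entries]

    def __contains__(self, ip):
        ip = ipaddress.ip_address(ip)
        return any(m(ip) for m in self.matchers)


class WebBlockerPolicy:
    """Decision for one outbound Web request.

    Order applied here (assumed for the example):
      1. a Trusted Host bypasses WebBlocker entirely;
      2. a Denied Site is refused regardless of category;
      3. an Allowed Site bypasses category blocking;
      4. otherwise the site's category decides.
    """

    def __init__(self, trusted_hosts, denied_sites, allowed_sites,
                 blocked_categories, site_categories):
        self.trusted = AddressList(trusted_hosts)
        self.denied = AddressList(denied_sites)
        self.allowed = AddressList(allowed_sites)
        self.blocked_categories = set(blocked_categories)
        # Constructed stand-in for the SurfControl database lookup.
        self.site_categories = {ipaddress.ip_address(k): v
                                for k, v in site_categories.items()}

    def decide(self, src_ip, dst_ip):
        """Return (verdict, reason) with verdict 'allow' or 'deny'."""
        dst = ipaddress.ip_address(dst_ip)
        if src_ip in self.trusted:
            return "allow", "trusted host bypasses WebBlocker"
        if dst in self.denied:
            return "deny", "denied site"
        if dst in self.allowed:
            return "allow", "allowed site bypasses category blocking"
        category = self.site_categories.get(dst)
        if category in self.blocked_categories:
            return "deny", f"category blocked: {category}"
        return "allow", f"category not blocked: {category}"


# Constructed sample policy; category names are the guide's own.
POLICY = WebBlockerPolicy(
    trusted_hosts=["192.168.111.50"],
    denied_sites=["198.51.100.0/24"],
    allowed_sites=["203.0.113.10-203.0.113.20"],
    blocked_categories={"Intolerance", "Sexual Acts"},
    site_categories={
        "203.0.113.15": "Intolerance",   # inside the allowed range
        "203.0.113.99": "Intolerance",   # outside it: category applies
        "192.0.2.44": "Satanic/cult",    # categorised but not blocked
    },
)

if __name__ == "__main__":
    for src, dst in [("192.168.111.50", "203.0.113.99"),
                     ("192.168.111.20", "198.51.100.7"),
                     ("192.168.111.20", "203.0.113.15"),
                     ("192.168.111.20", "203.0.113.99")]:
        print(src, "->", dst, POLICY.decide(src, dst))
```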
CHAPTER 8 Configuring Virtual Private Networks
A virtual private network (VPN) allows secure connections between computers or networks in separate physical locations. The networks and hosts at the endpoints of a VPN are typically corporate headquarters, branch offices, remote users, telecommuters, and traveling employees. User authentication verifies the identity of both the sender and the receiver.
• The static IP address of each Firebox X Edge external interface, the network address of the private (trusted) network located behind each Firebox X Edge (the networks that will communicate through the VPN), and their subnet masks. The base trusted IP address of each Firebox X Edge must be static and unique.
• The DNS and WINS server IP addresses, if used.
• The shared key (passphrase) for the tunnel. The same shared key must be used by both devices.
What You Need to Create a VPN
If the devices that connect through the VPN tunnel are not configured correctly, the VPN tunnel will not function.
Special considerations
Consider these points before you configure your WatchGuard Firebox X Edge VPN network:
• You can connect a maximum of 10 Firebox X Edge appliances together in a star configuration. To configure more VPN tunnels, a WatchGuard Firebox III or Firebox X with WatchGuard VPN Manager is necessary.
Sample VPN Address Information Table

Item: External IP Address
Description: The IP address that identifies the IPSec-compatible device to the Internet.
Assigned By: ISP
Site A: 207.168.55.2
Site B: 68.130.44.15

Item: External Subnet Mask
Description: The bitmask that shows which part of the IP address identifies the local network. For example, a class C address includes 256 addresses and has a netmask of 255.255.255.0.
Item: Encryption Method
Description: DES uses 56-bit encryption. 3DES uses 168-bit encryption. The 3DES encryption method gives better security, but decreases the speed of communication. The two IPSec-compatible appliances must use the same encryption method.
Assigned By: You
Site A: 3DES
Site B: 3DES

Item: Authentication
Description: The two IPSec-compatible appliances must use the same authentication method.

Using a DVCP server to manage your VPN tunnels
Setting up management for a dynamic Edge device
This procedure is necessary for Edge devices with a dynamic external IP address.
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge. The default IP address is: https://192.168.111.1.
2 From the navigation bar at left, select VPN => Managed VPN. The Managed VPN page appears.
3 Select the Enable Managed VPN checkbox.
6 Click Submit.
2 From the navigation bar at left, select VPN => Managed VPN. The Managed VPN page appears.
3 Select the Enable Managed VPN checkbox.
4 Enter the IP address of the DVCP server.
5 Enter the client name and the shared key. Use the Client Name you entered on the Basic DVCP server.
6 Click Submit.

Setting Up Manual VPN Tunnels
An administrator of a Firebox® X Edge can configure a maximum of 10 VPN tunnels to other Firebox X Edge devices.
4 Type the Name and Shared Key for the VPN tunnel. The shared key is a passphrase used by two IPSec-compatible appliances to encrypt and decrypt the data that goes through the VPN tunnel. The two appliances must use the same passphrase. If the appliances do not have the same passphrase, they cannot encrypt and decrypt the data correctly.
NOTE
The Phase 1 settings must be the same on both devices.
1 Select the negotiation mode for Phase 1 from the drop-down list. The mode selections are Main Mode and Aggressive Mode. If the external IP address is dynamic, select Aggressive Mode. If the external IP address is static, use either mode.
2 If you chose Main Mode, enter the remote IP address in the field provided.
3 Select the Local ID type and the Remote ID type from the drop-down list.
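The matching rules this chapter states for a manual tunnel (same shared key, same encryption and authentication methods, identical Phase 1 settings, Aggressive Mode for a dynamic external address, a remote IP address in Main Mode, and unique trusted networks) can be checked before either Edge is configured. The Python below is an added example, not WatchGuard code: the external addresses and the 3DES choice come from the sample address table, while the trusted networks, the authentication method name and the shared key are constructed values.

```python
"""Added example: check two Firebox X Edge manual-VPN endpoint
configurations against the matching rules stated in this chapter.

Trusted networks, the authentication method name and the shared key are
constructed; external addresses and 3DES come from the sample table.
"""
from dataclasses import dataclass, replace
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class TunnelEndpoint:
    name: str
    external_ip: str                  # assigned by the ISP
    external_is_static: bool
    trusted_network: str              # private network behind this Edge
    shared_key: str                   # tunnel passphrase
    phase1_mode: str                  # "Main" or "Aggressive"
    encryption: str                   # "DES" or "3DES"
    authentication: str               # method name (assumed label)
    remote_ip: Optional[str] = None   # required in Main Mode


def check_tunnel(a: TunnelEndpoint, b: TunnelEndpoint) -> List[str]:
    """Return 'code: detail' problems; an empty list means consistent."""
    problems = []

    # Both ends must share the passphrase, the encryption and
    # authentication methods, and all Phase 1 settings.
    if a.shared_key != b.shared_key:
        problems.append("shared-key: passphrases differ")
    if a.encryption != b.encryption:
        problems.append(f"encryption: {a.encryption} vs {b.encryption}")
    if a.authentication != b.authentication:
        problems.append(f"authentication: {a.authentication} vs {b.authentication}")
    if a.phase1_mode != b.phase1_mode:
        problems.append(f"phase1-mode: {a.phase1_mode} vs {b.phase1_mode}")

    for end, peer in ((a, b), (b, a)):
        # A dynamic external address requires Aggressive Mode.
        if not end.external_is_static and end.phase1_mode != "Aggressive":
            problems.append(f"phase1-mode: {end.name} has a dynamic external IP "
                            "and must use Aggressive Mode")
        # Main Mode needs the remote address, and it should be the peer's.
        if end.phase1_mode == "Main":
            if end.remote_ip is None:
                problems.append(f"remote-ip: {end.name} uses Main Mode without a remote IP")
            elif end.remote_ip != peer.external_ip:
                problems.append(f"remote-ip: {end.name} points at {end.remote_ip}, "
                                f"peer is {peer.external_ip}")
        if end.encryption == "DES":
            problems.append(f"weak-encryption: {end.name} uses 56-bit DES; "
                            "the guide notes 3DES gives better security")

    # Trusted networks must be unique so traffic can be routed across the tunnel.
    net_a = ipaddress.ip_network(a.trusted_network, strict=False)
    net_b = ipaddress.ip_network(b.trusted_network, strict=False)
    if net_a.overlaps(net_b):
        problems.append(f"trusted-network: {net_a} overlaps {net_b}")
    return problems


SITE_A = TunnelEndpoint("Site A", "207.168.55.2", True, "192.168.111.0/24",
                        "example-shared-key", "Main", "3DES", "SHA1-HMAC",
                        remote_ip="68.130.44.15")
SITE_B = TunnelEndpoint("Site B", "68.130.44.15", True, "192.168.112.0/24",
                        "example-shared-key", "Main", "3DES", "SHA1-HMAC",
                        remote_ip="207.168.55.2")
# A misconfigured Site B: dynamic address left in Main Mode, a mistyped
# passphrase, and a trusted network that collides with Site A's.
BAD_B = replace(SITE_B, external_is_static=False,
                shared_key="example-shared-key-typo",
                trusted_network="192.168.111.0/24")
# Switching the dynamic site to Aggressive Mode fixes one problem but
# breaks the "Phase 1 identical on both devices" rule against Site A.
AGGRESSIVE_B = replace(BAD_B, phase1_mode="Aggressive")
DES_B = replace(SITE_B, encryption="DES")

if __name__ == "__main__":
    for end in (SITE_B, BAD_B, AGGRESSIVE_B, DES_B):
        print(end.name, check_tunnel(SITE_A, end) or ["consistent"])
```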
NOTE
The IKE Keep Alive feature is different from the VPN Keep Alive feature described in “VPN Keep Alive,” on page 103.

Phase 2 settings
Phase 2 negotiates the data management security association, which uses the data management policy to set up IPSec tunnels in the kernel for encapsulating and decapsulating data packets.
7 Click Submit.

VPN Keep Alive
To help keep the VPN tunnel open when there is no communication across it, enter the IP address of a computer at the other end of the tunnel as the echo host. The Firebox® X Edge sends a ping once a minute to the specified host. Choose a host IP address that is always up and always responds to ping messages.
2 From the navigation bar at left, select VPN => Keep Alive. The VPN Keep Alive page appears.
3 Enter the IP address of an echo host.
4 Click Add. Click Submit.

Viewing VPN Statistics
The Firebox® X Edge has a configuration page that displays VPN statistics. Use this page to monitor VPN traffic and to solve problems with the VPN configuration.
Frequently Asked Questions
addresses can change. A changing address prevents a connection between the two appliances. However, this issue can be resolved by using Dynamic DNS. For information, see “Registering with the Dynamic DNS Service” on page 59.
How do I get a static external IP address?
The external IP address for your computer or network is assigned by your ISP.
Is the Firebox X Edge compatible with WatchGuard System Manager?
Yes. The default Firebox X Edge configuration is compatible with WatchGuard System Manager v7.3. To configure the Edge for use with WSM v7.0, v7.1, and v7.2, browse to the VPN Manager Access page. Check the Compatible with pre WFS v.3 VPN Manager checkbox.
CHAPTER 9 Configuring the MUVPN Client
The MUVPN client is a software application that is installed on a remote computer. This application makes a secure connection from the remote computer to your protected network through an unsecured network. The MUVPN client uses Internet Protocol Security (IPSec) to guarantee the security of the connection. The following is an example of how the MUVPN client can be used. First, the MUVPN client is installed on the remote computer.
Preparing Remote Computers to Use the MUVPN Client
The MUVPN client can be installed only on computers that meet the following requirements:
System requirements
• A computer with a Pentium processor (or equivalent)
• Compatible operating systems and minimum RAM:
  - Microsoft Windows 98: 32 MB
  - Microsoft Windows ME: 64 MB
  - Microsoft Windows NT 4.
2 Double-click the Network icon. The Network window appears.
3 Make sure the Client for Microsoft Networks is installed. The Client for Microsoft Networks must be installed before you continue with this procedure. For instructions, see “Installing the Client for Microsoft Networks” on page 109.
4 Click the Identification tab.
5 Type a name for the remote computer in the applicable field. This name must be unique on the remote network.
From the Windows desktop:
1 Select Start => Settings => Control Panel.
2 Double-click the Add/Remove Programs icon. The Add/Remove Properties window appears.
3 Click the Windows Setup tab. The Windows Setup dialog box appears. The operating system searches for installed components.
4 Select the Communications checkbox and then click OK. The Copying Files dialog box appears. The operating system copies the necessary files.
5 The Dial-Up Networking Setup window appears.
7 Click the WINS Configuration tab and then select the Enable WINS Resolution checkbox.
8 Type the IP address of the WINS server in the WINS Server Search Order text field and then click Add. If you have multiple remote WINS servers, repeat steps 7 and 8.
9 Click OK to close the TCP/IP Properties window. Click OK to close the Network window. The System Settings Change dialog box appears.
10 Click Yes to restart the computer. The computer reboots.
modem is not available, you can select a serial cable between two computers.
8 Select the modem added in the previous step from the Add RAS Device window.
9 Click OK, click Continue, and then click Close.
10 Reboot the computer.

Configuring the WINS and DNS settings
The remote computer must be able to communicate with the WINS servers and the DNS servers. These servers are located on the trusted network that is protected by the Firebox X Edge.
From the Windows desktop:
1 Select Start => Settings => Network and Dial-up Connections.
2 Select the dial-up connection you use to access the Internet. The connection window appears.
3 Click Properties and then click the Networking tab.
Configuring the WINS and DNS settings
The remote computer must be able to communicate with the WINS servers and the DNS servers. These servers are located on the trusted network that is protected by the Firebox X Edge.
From the connection window, Networking tab:
1 Select the Internet Protocol (TCP/IP) component and then click Properties. The Internet Protocol (TCP/IP) Properties window appears.
2 Click Advanced. The Advanced TCP/IP Settings window appears.
These components must be installed before the MUVPN Client will function correctly on a Windows XP computer.
From the Windows desktop:
1 Select Start => Control Panel. The Control Panel window appears.
2 Double-click the Network Connections icon.
3 Double-click the connection you use to access the Internet. The connection window appears.
4 Click Properties and then click the Networking tab.
2 Double-click the Client network component. The Select Network Protocol window appears.
3 Select the Client for Microsoft Networks network client. Click OK.

Configuring the WINS and DNS settings
The remote computer must be able to communicate with the WINS servers and the DNS servers. These servers are located on the trusted network that is protected by the Firebox X Edge.
From the connection window, Networking tab:
1 Select the Internet Protocol (TCP/IP) component.
11 Click Cancel to close the connection window.

Installing and Configuring the MUVPN Client
The MUVPN installation files are available at the WatchGuard Web site: http://www.watchguard.com/support
NOTE
To install and configure the MUVPN client, you must have local administrator rights on the remote computer.
Installing the MUVPN client
Follow these steps to install the MUVPN client:
1 Copy the MUVPN installation file to the remote computer.
3 Click Next.
11 The InstallShield wizard searches for a user profile file. Click Next to skip this step. The user profile file does not need to be installed. An information dialog box appears.
12 Click OK to continue the installation.
13 The installation of the MUVPN client is complete. Make sure the option Yes, I want to restart my computer now is selected. Click Finish. The computer reboots.
4 Type a unique name for the new connection. If this will be a unique policy for a specific user, enter a unique name to identify the policy. For example, you may want to include the name of the user.
5 Select the Secure option. This is the default setting.
6 Select the Only Connect Manually checkbox.
7 Select the IP Subnet option from the ID Type drop-down list. The Remote Party Identity and Addressing fields are updated.
Using this option also allows the MUVPN client to access any networks across a VPN that the Firebox X Edge has constructed to another office.
NOTE
The addresses you type in the Subnet and Mask fields must be identical to the virtual IP address you typed on the Add MUVPN Client page. See “Preparing Remote Computers to Use the MUVPN Client” on page 108.
9 Select All from the Protocol drop-down list. This is the default setting.
3 Select Aggressive Mode. Make sure the Enable Perfect Forward Secrecy (PFS) checkbox is clear and the Enable Replay Detection checkbox is selected.
4 Select My Identity. The My Identity and Internet Interface settings appear to the right.
5 Select Options => Global Policy Settings. The Global Policy Settings window appears.
6 Clear the Allow to Specify Internal Network Address checkbox. Click OK. It is not necessary to specify the MUVPN client’s internal IP address. The Firebox X Edge assigns this address automatically. Because setting the internal address improperly causes the VPN to fail, clearing this checkbox prevents that possible error by making it impossible to set the internal IP address.
7 Select None from the Select Certificate drop-down list.
10 Select Any from the Name drop-down list. This is the default setting.
11 Click Pre-Shared Key. The Pre-Shared Key dialog box appears.
12 Click Enter Key. The text field is enabled.
13 Type the exact text of the MUVPN client passphrase entered on the Firebox X Edge. Click OK.
NOTE
Both the pre-shared key and the e-mail address must exactly match the system passphrase and system administrator name settings of the Firebox X Edge.
Edge and must match exactly as described below. Phase 2 settings must match the settings of the Firebox X Edge.
1 From the Network Security Policy field, expand Security Policy. Both Phase 1 and Phase 2 negotiations appear.
2 Expand Authentication (Phase 1). A Proposal entry appears.
3 Select Proposal 1. The Authentication Method and Algorithms settings appear to the right.
4 Select Pre-Shared Key from the Authentication Method drop-down list.
7 Select Diffie-Hellman Group 1 from the Key Group drop-down list.
8 Expand Key Exchange (Phase 2). A Proposal entry appears.
9 Select Proposal 1. The IPSec Protocols settings appear to the right.
10 Select Both from the SA Life drop-down list.
11 Type 86400 in the Seconds field and 8192 in the KBytes field.
12 Select None from the Compression drop-down list. This is the default setting. The Firebox X Edge does not support compression.
Uninstalling the MUVPN client
Follow these directions to uninstall the MUVPN client. WatchGuard recommends that you use the Windows Add/Remove Programs tool. Disconnect all existing tunnels and dial-up connections. Reboot the remote computer. Perform these steps from the Windows desktop:
1 Select Start => Settings => Control Panel. The Control Panel window appears.
2 Double-click the Add/Remove Programs icon. The Add/Remove Programs window appears.
Enabling MUVPN Access for a User Account
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge. The default trusted IP address is https://192.168.111.1.
2 Add a new user or edit an existing user, as described in “Adding or Editing a User Account” on page 143.
3 4 Click the MUVPN tab.
5 6 Type a shared key in the applicable field. Select the Enable MUVPN for this account checkbox.
Configuring the Firebox for MUVPN Clients Using Pocket PC
To create a MUVPN tunnel between the Firebox X Edge and your Pocket PC, you must configure the MUVPN Clients feature on the Firebox. Follow the previous procedure, except select Pocket PC from the VPN Client Type drop-down list. For additional information about configuring your Pocket PC to serve as a MUVPN client, go to the WatchGuard Web site: https://www.watchguard.com/support/sohoresources/soinstallhelp.
Connecting and Disconnecting the MUVPN Client

    The MUVPN Security Policy is deactivated. This icon may appear if the Windows operating system did not start a required MUVPN service. If this occurs, the remote computer must be restarted. If the problem continues, reinstall the MUVPN client.
Activated
    The MUVPN client is ready to establish a secure MUVPN tunnel connection.
Activated and Transmitting Unsecured Data
    The MUVPN client is ready to establish a secure MUVPN tunnel connection.
    The MUVPN client has established at least one secure MUVPN tunnel connection. The red and green bars on the right of the icon indicate that the client is transmitting both secured and unsecured data.

Allowing the MUVPN client through a personal firewall
The following programs are associated with the MUVPN client. To establish the MUVPN tunnel, you must allow these programs through the personal firewall:
• MuvpnConnect.exe
• IreIKE.
From the New Program alert window:
1 Select the Remember this answer the next time I use this program checkbox and then click Yes. With this option selected, the ZoneAlarm personal firewall allows the program to access the Internet each time you attempt to make a MUVPN connection. The New Program alert window then appears to request access for the IreIKE.exe program.
2 Select the Remember this answer the next time I use this program checkbox and then click Yes.
2 Select Log Viewer. The Log Viewer window appears.

Using Connection Monitor
The Connection Monitor displays statistical and diagnostic information for each active connection in the security policy. This display shows the security policy settings and the security association (SA) information. The displayed information is determined during the phase 1 IKE negotiations and the phase 2 IPSec negotiations.
• An animated black line underneath a key indicates that the client is processing secure IP traffic for the connection.
• A single SA icon with several key icons above it indicates a single phase 1 SA to a gateway that protects multiple phase 2 SAs.

The ZoneAlarm Personal Firewall
A personal firewall is a barrier between your computer and the outside world. A computer is most vulnerable at the connection points. These connection points are called ports.
For more information about the features and configuration of ZoneAlarm, refer to the ZoneAlarm help system. To access the help system, select Start => Programs => Zone Labs => ZoneAlarm Help.

Allowing traffic through ZoneAlarm
When an application requires access through the ZoneAlarm personal firewall, a New Program alert is displayed on the Windows desktop. This alert tells the user which program requires access.
Programs That Must Be Allowed
    MUVPN client                             IreIKE.exe, MuvpnConnect.exe
    MUVPN Connection Monitor                 CmonApp.exe
    MUVPN Log Viewer                         ViewLog.exe
Programs That May Be Allowed
    MS Outlook                               OUTLOOK.exe
    MS Internet Explorer                     IEXPLORE.exe
    Netscape 6.1                             netscp6.exe
    Opera Web browser                        Opera.exe
    Standard Windows network applications    lsass.exe, services.exe, svchost.exe, winlogon.
...could be shared by other programs on the system. Click Yes to All to completely remove all of these files.
6 The Install window appears and prompts you to restart the computer. Click OK to reboot your system.

Troubleshooting Tips
Additional information about how to configure the MUVPN client is available from the WatchGuard Web site: www.watchguard.com/support
Several frequently asked questions about the MUVPN client are answered below.
...tant that you enter this information correctly, just as you would at the office. Windows stores the information for use by network adapters and network applications. Later, when you connect to your ISP and start the MUVPN client, your computer uses the stored information to connect to the company network.

I am not prompted for my user name and password when I turn my computer on...
This is probably caused by the ZoneAlarm personal firewall application.
4 Click OK. The mapped drive appears in the My Computer window. Even if you select the Reconnect at Logon checkbox, the mapped drive appears the next time you start your computer only if the computer is directly connected to the network.

I am sometimes prompted for a password when I am browsing the company network...
Due to a Windows networking limitation, remote user virtual private networking products can allow access only to a single network domain.
CHAPTER 10 Managing the Firebox® X Edge
The Firebox® X Edge provides a number of ways for you to manage your network and users, such as:
• Viewing current users and settings
• Configuring users and customizing individual user accounts
• Upgrading the Firebox
• Viewing the current configuration file in a text format

Viewing Current Sessions and Users
A session is the period of time a user views or communicates with a piece of software.
...tion on the sessions currently active on your Firebox. You can also see information on the users that have been defined for this Firebox.
1 From the navigation bar at left, select Firebox Users. Under Firebox User Settings, view the current status of global Firebox User settings. Click the Configure button to open the Settings page.
• The name of the user
• Whether Internet access is allowed for the user
• Whether the user has full administrative access
• Whether the user is configured to use WebBlocker, MUVPN, or VPN

Closing a session
To close a session, click X in the Close column of the session you want to close. When prompted, confirm that you want to close the session.

Editing a user account
To edit a user account, click the icon in the Edit column of the user you want to edit.
2 From the navigation bar at left, select Firebox => Settings. The Settings page appears.
3 The Require user authentication checkbox under Firebox User Access Restriction Enforcement and Options specifies whether users must log in at local computers and, if so, whether certain options apply. Select any checkboxes for options you want to enforce.
4 To set a timeout value for sessions, select the Enable automatic session termination every checkbox.
Preferred (default value)
    If the virtual adapter is already in use or otherwise unavailable, address assignment is performed without it.
Required
    The mobile user must use a virtual adapter to connect to the MUVPN client.
7 If you choose, specify DNS and WINS server addresses for MUVPN clients.

Adding or Editing a User Account
When you define a user for the Firebox® X Edge, you specify the types of access permitted for that user.
3 Under Local User Accounts, click Add. The New User page appears with the Settings tab visible.
4 In the Account Name field, enter a name for the account.
5 In the Full Name field, enter the user’s full name.
6 In the Description field, enter a description for the user.
7 In the Password field, enter a password of up to eight characters. Select a combination of eight letters, numbers, and symbols. Do not use an English or foreign word.
To create a read-only user account, edit the user account and use the Administrative Access drop-down list to select Read Only.

Setting a WebBlocker profile for a user
A WebBlocker profile is a unique set of restrictions you can apply to users on your network. To set a WebBlocker profile for a new user, click the WebBlocker tab and select a profile from the drop-down list. For more information on WebBlocker profiles, see “Creating WebBlocker Profiles” on page 85.
• the Firebox administrator uses the Firebox Users page to end the session;
• the user ends the session by closing all browser windows; or
• the Firebox restarts.
To end a session manually:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox. The default IP address is https://192.168.111.1.
2 From the navigation bar at left, select Firebox Users. The Firebox Users page appears.
Follow these instructions to use HTTP instead of HTTPS:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox. The default IP address is https://192.168.111.1.
2 From the navigation bar at left, select Administration => System Security. The System Security page appears.
3 Select the Use non-secure HTTP instead of secure HTTPS for administrative Web site checkbox.

Setting up VPN Manager Access
2 From the navigation bar at left, select Administration => VPN Manager Access. The VPN Manager Access page appears.
3 4 Select the Enable VPN Manager Access checkbox.
5 Type the configuration passphrase and then type it again to confirm in the applicable fields.
Type the status passphrase and then type it again to confirm in the applicable fields.
NOTE These passphrases must match the passphrases used in the VPN Manager software or the connection will fail.
Updating the Firmware
...must update your firmware with the second procedure because those operating systems cannot run Windows executable files.

Method 1
The first method uses an auto-executable file and is the preferred method for updating the Firebox X Edge firmware from a Windows computer. Download the Software Update Installer to use this method. To use the Software Update Installer:
1 Launch the installer on a computer running Windows that is on the trusted side of the Firebox X Edge.
3 From the navigation bar at left, select Administration => Update. The Administration page appears with the End User License Agreement (EULA).
4 Read the text of the EULA. If you agree, select the I accept the above license agreement checkbox.
5 Type the name of the file containing the new Firebox X Edge software in the Select file box, or click Browse to locate the file on the network.
6 Click Update and follow the instructions.
Configuring Additional Options
7 From the navigation bar at left, select Administration => Upgrade. The Upgrade page appears.
8 Paste the feature key in the applicable field.
9 Click Submit.

Upgrade options
User licenses
A seat license upgrade allows more connections between the trusted network and the external network. For example, a 25-seat license allows 25 connections instead of the standard 10 connections.
Manual VPN
The manual VPN feature allows you to set up VPN tunnels manually. For more information, see Chapter 8, “Configuring VPNs.”
WAN Failover
The WAN failover feature adds redundant support for the external interface. For more information, see “Enabling the WAN Failover Option” on page 61.

Viewing the Configuration File
You can view the contents of the Firebox® X Edge configuration file in text format from the View Configuration page.
APPENDIX A Firebox® X Edge Hardware
The WatchGuard® Firebox® X Edge is a firewall for small businesses and branch or remote offices.
• An AC adapter (12 V)
• One straight-through Ethernet cable

Hardware Specifications
Processor                64-bit MIPS
Memory - Flash           16 MByte
Memory - RAM             64 MByte
Network Interfaces       10 x 10/100
Serial ports             1 DB9
Power supply             12 V DC
Operating Temperature    0 - 40 C
Dimensions               Depth = 5.75 inches, Width = 8.75 inches, Height = 1.25 inches
Weight                   1.9 U.S. pounds

Hardware Description
The Firebox® X Edge has a straightforward hardware design.
Front panel
The front panel of the Firebox X Edge has 24 indicator lights to provide link and status information. The top light in each link pair indicates traffic passing through the designated interface. The bottom light in each pair indicates negotiation speed; it turns on when the speed is 100 Mbps.
WAN 1, 2
    Indicates a physical connection to the external (WAN) ports. The indicator blinks yellow when traffic is passing through the interface.
Status
    Indicates that a management connection has been made. This light turns off a few minutes after you close the browser connection to the Firebox X Edge Web pages.
Mode
    When lit and steady, indicates that the Firebox X Edge is operational and has connected to the Internet. When lit and flashing, indicates that the WAN is connected but the Firebox cannot establish a connection to the Internet.
Attn
    Reserved for future use.
Power
    Indicates that the Firebox X Edge is currently powered up.
Power input
    Connect the power input to a power supply using the 12-volt AC adapter supplied with the Firebox X Edge. The power supply tip is plus (+) polarity.
Side panels
    On both side panels of the Firebox X Edge is a slot for a personal computer locking system.
APPENDIX B Glossary
This glossary contains a list of terms, abbreviations, and acronyms frequently used when discussing networks, firewalls, and WatchGuard products.

access control
    A method of restricting access to resources, allowing access only to privileged entities.
active mode FTP
    One of two ways an FTP data connection is made. In active mode, the FTP server establishes the data connection. In passive mode, the client establishes the connection.
address space probe
    An intrusion measure in which a hacker sequentially attacks IP addresses. These probes are usually attempts to map IP address space to look for security holes that a sender might exploit to compromise system security.
agent
    A computer program that reports information to another computer or allows another computer access to the local system. Agents can be used for good or malice.
asymmetric keys
    A separate but integrated user key pair, composed of one public key and one private key. Each key is one way, meaning that a key used to encrypt information cannot be used to decrypt the same data.
attack
    An attempt to hack into a system. Because not all security issues represent true attacks, most security vendors prefer the use of the word “event” or “incident.”
ATM (asynchronous transfer mode)
    High-speed packet switching with dynamic bandwidth allocation.
block cypher
    A symmetric cipher operating on blocks of plain text and cipher text, usually 64 bits.
blocked port
    A security measure in which a specific port associated with a network service is explicitly disabled, blocking users outside the firewall from gaining access to that service port. A blocked port takes precedence over any service settings that are generally enabled.
blocked site
    An IP address outside the Firebox explicitly blocked so it cannot connect with hosts behind the Firebox.
cable segment
    A section of network cable separated by hubs, routers, or bridges to create a subnet.
cascade
    A command that arranges windows so that they are overlapped, with the active window in front.
cascading
    Connecting hubs with 10BASE-T cable; sometimes requires a crossover cable.
Category 3 cabling
    A 10BASE-T unshielded twisted-pair cabling type commonly used in today’s 10 Mbps Ethernet networks.
CIDR (Classless Inter-Domain Routing)
    A routing mechanism designed to deal with the exhaustion of Class B network addresses, and the subsequent allocation of multiple Class C addresses to sites. CIDR is described in RFC 1519.
cipher block chaining
    A form of DES encryption that requires the entire message to decrypt rather than a portion of the message.
cipher text
    The result of manipulating either characters or bits by way of substitution, transposition, or both.
compression function
    A function that takes a fixed-size input and returns a shorter, fixed-sized output.
connected enterprise
    A company or organization with a computer network exchanging data with the Internet or some other public network.
Control Center
    See System Manager.
Control Panel
    The set of Windows NT, Windows 2000, and Windows XP programs used to change system hardware, software, and Windows settings.
cryptanalysis
    The art or science of transforming cipher text into plain text without initial knowledge of the key used to encrypt the plain text.
CRYPTOCard
    An authentication system that uses an offline card to hash encryption keys, which increases their safety against unauthorized decryption.
cryptography
    The art and science of creating messages that have some combination of being private, signed, and unmodified with non-repudiation.
default
    A predefined setting that is built into a program and is used when an alternative setting is not specified.
default packet handling
    The practice of automatically and temporarily blocking hosts that originate probes and attacks against a network.
denial of service attack (DoS)
    A way of monopolizing system resources so that other users are ignored. For example, someone could Finger an unsecured host continuously so that the system is incapable of running or executing other services.
dimmed
    The grayed appearance of a command or option that is unavailable.
disarmed
    The state of a Firebox when it is not actively protecting a network.
DMZ (Demilitarized Zone)
    Another name for the optional network. One common use for this network is as a public Web server.
DNS (Domain Name System)
    A network system of servers that converts numeric IP addresses into readable, hierarchical Internet addresses.
DoS
    See denial of service attack.
dynamic NAT
    (Also known as IP masquerading or port address translation) A method of hiding network addresses from hosts on the external or on a less trusted network. Hosts elsewhere on the Internet see only outgoing packets from the Firebox itself.
dynamic packet filtering
    Filtering based not only on service types, but also on conditions surrounding the initiation of a connection.
external interface
    An interface connected to the external network that presents the security challenge, typically the Internet.
external network
    The network presenting the security challenge.
failover
    Configuration that allows a secondary machine to take over in the event of a failure in the first machine, allowing normal use to return or continue.
fingerprint
    A unique identifier for a key that is obtained by hashing specific portions of the key data.
FIPS (Federal Information Processing Standard)
    A U.S. government standard published by the National Institute of Standards and Technology.
Firebox
    The WatchGuard firewall appliance, consisting of a red box with a purpose-built computer and input/output architecture optimized as the resident computer for network firewall software.
hash code
    A unique, mathematical summary of a document that serves to identify the document and its contents. Any change in the hash code indicates that the document’s contents have been altered.
header
    A series of bytes at the beginning of a communication packet that provide identification information about the packet such as its computer of origin, the intended recipient, packet size, and destination port number.
Help system
    A form of online information about a software or hardware system.
host route
    A setup in which an additional router is behind the Firebox and one host is behind that router. A host route must be configured to inform the Firebox of this additional host behind the additional router.
HostWatch
    A WatchGuard Firebox System application that provides a real-time display of the hosts that are connected from behind the Firebox to hosts on the Internet.
IKE (Internet Key Exchange)
    A protocol used with IPSec virtual private networks. Automates the process of negotiating keys, changing keys, and determining when to change keys.
implicit trust
    A condition reserved for pairs located on a local keyring. If the private portion of a key pair is found on a user’s keyring, PGP assumes that user is the owner of the key pair and implicitly trusts himself or herself.
Intrusion Detection System (IDS)
    A class of networking products devoted to detecting, monitoring, and blocking attacks from hackers. IDSs that operate on a host to detect malicious activity on that host are called host-based IDSs. IDSs that operate on network data flows are called network-based IDSs.
IP (Internet Protocol)
    A protocol used by the Internet that enables computers to communicate over various physical media.
IP address host
    The 32-bit address that identifies a host.
ISAKMP (Internet Security Association Key Management Protocol)
    Defines the procedures for authenticating a communicating peer, creation and management of security associations, key generation techniques, and threat mitigation; for example, denial of service and replay attacks.
ISO (International Organization for Standardization)
    An organization responsible for a wide range of standards, like the OSI model and international relationship with ANSI on X.509.
key management
    The process and procedure for safely storing and distributing accurate cryptographic keys; the overall process of generating and distributing cryptographic keys to authorized recipients in a secure manner.
key pair
    A public key and its complementary private key.
keyring
    A set of keys. Each user has two types of keyrings: a private keyring and a public one.
key splitting
    The process of dividing a private key into multiple pieces and sharing those pieces among several users.
management station
    The computer on which the WatchGuard Firebox System Manager and Policy Manager run; sometimes referred to as the administration host.
man-in-the-middle attack
    An attack that deceives two parties into thinking they are communicating with each other while, in fact, they are both communicating with a third party. This type of attack is often attempted when the attacker desires communication with a system under the identity of a particular user.
MD5 (Message Digest 5)
    An improved, more complex version of MD4, but still a 128-bit, one-way hash function.
message digest
    A number that is derived from a message. A change to a single character in the message will cause it to have a different message digest.
MIME (Multipurpose Internet Mail Extensions)
    Extensions to the SMTP format that allow binary data, such as that found in graphic files or documents, to be published and read on the Internet.
    ...subnetting is in effect. Some systems require the netmask to be an even number of bits.
network adaptor, network interface card
    A device that sends and receives data between the computer and the network cabling. It may work either internally, such as a PCI, or externally, such as a SCSI adaptor which connects to a computer’s SCSI port.
network number
    The portion of an IP address that is common to all hosts on a single network and is normally defined by the set portion of the corresponding netmask.
optional interface
    An interface that connects to a second secured network, typically any network of servers provided for public access.
optional network
    A network protected by the firewall but still accessible from the trusted and external networks. Typically, any network of servers provided for public access.
OSI (Open Systems Interconnection)
    A standard description or reference model for how messages should be transmitted between any two points in a telecommunication network.
PCMCIA (Personal Computer Memory Card International Association) card
    A standard compact physical interface used in personal computers. The most common application of PCMCIA cards is for modems and storage.
perfect forward secrecy (PFS)
    A cryptosystem in which the cipher text yields no possible information about the plain text, except possibly the length.
PEM
    See Privacy Enhanced Mail.
peer-to-peer
    A network computing system in which all computers are treated as equals on the network.
PLIP (Parallel Line Internet Protocol)
    A protocol for exchanging IP packets over a parallel cable.
Plug and Play
    A standard in the personal computer market that assures the user that the product is as simple to install as possible.
Policy Manager
    One component in the WatchGuard Firebox System that provides a user interface for modifying and uploading a Firebox configuration file.
pop-up window
    A window that suddenly appears (pops up) when an option is selected with a mouse or a function key is pressed.
Pretty Good Privacy (PGP)
    An application and protocol (RFC 1991) for secure email and file encryption. PGP uses a variety of algorithms, like IDEA, RSA, DSA, MD5, SHA-1, for providing encryption, authentication, message integrity, and key management.
primary key (IPSec)
    An IPSec key responsible for creating a security association. Values can be set in time or data size.
pseudo-random number
    A number that results from applying randomizing algorithms to input derived from the computing environment, such as mouse coordinates. See also random number.
public key
    The publicly available component of an integrated asymmetric key pair, often referred to as the encryption key.
public key cryptography
    Cryptography in which a public and private key pair is used, and no security is needed in the channel itself.
related networks
    Networks on the same physical wire as the Firebox interfaces but with network addresses that belong to an entirely different network.
repeater
    A network device that regenerates signals so that they can extend the cable length.
report
    A formatted collection of information that is organized to provide project data on a specific subject.
revocation
    Retraction of certification or authorization.
RFC (Request for Comments)
    RFC documents describe standards used or proposed for the Internet.
scalable architecture
    Software and/or hardware constructed so that, after configuring a single machine, the same configuration can be propagated to a group of connected machines.
screening router
    A machine that performs packet filtering.
SCSI (Small Computer System Interface)
    A processor-independent standard for system-level interfacing between a computer and intelligent devices including hard disks, floppy disks, CD-ROM, printers, and scanners.
segment
    One or more nodes in a network. Segments are connected to subnets by hubs and repeaters.
self-extracting file
    A compressed file that automatically decompresses when double-clicked.
server
    A computer that provides shared resources to network users.
server-based network
    A network in which all client computers use a dedicated central server computer for network functions such as storage, security, and other resources.
sign
    To apply a signature.
signature
    A digital code created with a private key.
single sign-on
    A sign-on in which one logon provides access to all resources on the network.
slash notation
    A format for writing IP addresses in which the number of bits in the IP number is specified at the end of the IP address. For example: 192.168.44.0/24.
SLIP (Serial Line Internet Protocol)
    A protocol for exchanging IP packets over a serial line.
SSL
    See Secure Sockets Layer.
stance
    The policy of a firewall regarding the default handling of IP packets. Stance dictates what the firewall will do with any given packet in the absence of explicit instructions. The WatchGuard default stance is to discard all packets that are not explicitly allowed, often stated as “That which is not explicitly allowed is denied.”
syslog
    An industry-standard protocol used for capturing log information for devices on a network. Syslog support is included in Unix-based and Linux-based systems.
System Manager
    A WatchGuard toolkit of applications run from a single location, enabling configuration, management, and monitoring of a network security policy. Formerly called Control Center.
TCP (Transmission Control Protocol)
    A reliable byte-streaming protocol that implements a virtual connection.
tooltip
    A name or phrase that appears when the mouse pointer pauses over a button or icon.
topology
    A wiring configuration used for a network.
Transport Layer Security (TLS)
    Based on the Secure Sockets Layer (SSL) version 3.0 protocol, TLS provides communications privacy over the Internet.
Transport Layer Security Protocol (TLSP)
    ISO 10736, draft international standard.
transposition cipher
    A cipher in which the plain text remains the same but the order of the characters is transposed.
URL (Universal Resource Locator)
    The user-friendly address that identifies the location of a Web site such as http://www.watchguard.com.
validation
    A means to provide timeliness of authorization to use or manipulate information or resources.
verification
    The act of comparing a signature created with a private key to its public key. Verification proves that the information was actually sent by the signer and that the message has not been subsequently altered by anyone else.
WebBlocker
    An optional WatchGuard software module that blocks users behind the Firebox from accessing undesirable Web sites based on content type, time of day, and/or specific URL.
WINS (Windows Internet Name Service)
    WINS provides name resolution for clients running Windows NT and earlier versions of Microsoft operating systems. With name resolution, users access servers by name rather than needing to use an IP address.
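Several glossary entries (blocked port, blocked site, slash notation, stance) together describe how the Firebox decides what to do with a packet. The following is an added example, not WatchGuard's filter code and not its rule format: it models the default-deny stance, lets a blocked port override a service that is otherwise enabled, and rejects sources inside a blocked site given in slash notation. The policy and the traffic are constructed for demonstration.

```python
"""Constructed model of the glossary's firewall stance. Example code, not
WatchGuard's implementation; the Policy layout is invented for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # dotted source address
    dst: str      # dotted destination address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Policy:
    services: Dict[str, Tuple[str, int]]   # name -> (proto, port) explicitly allowed
    blocked_ports: frozenset               # ports disabled regardless of services
    blocked_sites: Tuple[str, ...]         # networks in slash notation


def parse_slash_notation(text: str):
    """Parse '192.168.44.0/24' style input; the prefix length gives the netmask."""
    return ipaddress.ip_network(text, strict=False)


def netmask_for(prefix_len: int) -> str:
    """Dotted netmask for a prefix length, e.g. 24 -> 255.255.255.0."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


def evaluate(policy: Policy, pkt: Packet) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason). Checks run in the order the glossary
    implies: blocked site, blocked port, explicitly allowed service, then the
    default stance, which discards everything not explicitly allowed."""
    src = ipaddress.ip_address(pkt.src)
    for site in policy.blocked_sites:
        if src in parse_slash_notation(site):
            return "deny", f"blocked site {site}"
    if pkt.dport in policy.blocked_ports:
        return "deny", f"blocked port {pkt.dport}"
    for name, (proto, port) in policy.services.items():
        if proto == pkt.proto and port == pkt.dport:
            return "allow", f"service {name}"
    return "deny", "default stance: not explicitly allowed"


def filter_packets(policy: Policy, packets: Iterable[Packet]) -> List[str]:
    """One log-style line per packet, for reviewing what a policy does."""
    lines = []
    for p in packets:
        verdict, why = evaluate(policy, p)
        lines.append(f"{verdict:5} {p.proto}/{p.dport} from {p.src} to {p.dst} ({why})")
    return lines


# Constructed policy: "rpc" is an enabled service, but port 135 is blocked,
# so the blocked port wins. 203.0.113.0/24 is a documentation range.
DEMO_POLICY = Policy(
    services={"http": ("tcp", 80), "dns": ("udp", 53), "rpc": ("tcp", 135)},
    blocked_ports=frozenset({135}),
    blocked_sites=("203.0.113.0/24",),
)

# Constructed traffic sample.
DEMO_TRAFFIC = [
    Packet("198.51.100.7", "10.0.0.5", "tcp", 80),    # allowed by the http service
    Packet("198.51.100.7", "10.0.0.5", "tcp", 135),   # denied: blocked port overrides rpc
    Packet("203.0.113.9", "10.0.0.5", "tcp", 80),     # denied: source is a blocked site
    Packet("198.51.100.7", "10.0.0.5", "tcp", 23),    # denied: default stance
]

if __name__ == "__main__":
    for line in filter_packets(DEMO_POLICY, DEMO_TRAFFIC):
        print(line)
```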