WatchGuard® Firebox® System Reference Guide, Firebox System 6.
Notice to Users Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc. Copyright, Trademark, and Patent Information Copyright© 1998 - 2002 WatchGuard Technologies, Inc. All rights reserved.
© 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscape's SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code.
The Apache Software License, Version 1.1 Copyright (c) 2000 The Apache Software Foundation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
CHAPTER 1 Internet Protocol Reference
Internet Protocol (IP) specifies the format of packets and the addressing scheme for sending data over the Internet. By itself, it functions like a postal system: it lets you address a package and drop it into the system, but there is no direct link between you and the recipient. Most networks therefore combine IP with higher-level protocols like Transmission Control Protocol (TCP).
Internet Protocol Header

Attribute  Size     Description
Version    4 bits   IP format number (current version = 4)
IHL        4 bits   Header length in 32-bit words (minimum = 5)
TOS        8 bits   Type of service; sets routing priorities. It is generally under-utilized because few application layers can set it.
Tot_Len    16 bits  Total length of the packet, measured in octets. It is used in reassembling fragments.
ID         16 bits  Packet ID, used for reassembling fragments.
Keyword       Number   Protocol
UCL           7        UCL
EGP           8        Exterior Gateway Protocol
IGP           9        Any private interior gateway
BBN-RCCMON    10       BBN RCC Monitoring
NVP-II        11       Network Voice Protocol
PUP           12       PUP
ARGUS         13       ARGUS
EMCON         14       EMCON
XNET          15       Cross Net Debugger
CHAOS         16       Chaos
UDP           17       User Datagram Protocol
MUX           18       Multiplexing
DCN-MEAS      19       DCN Measurement Subsystems
HMP           20       Host Monitoring
PRM           21       Packet Radio Measurement
XNS-IDP       22       XEROX NS IDP
...
XTP           36       XTP
DDP           37       Datagram Delivery Protocol
IDPR-CMTP     38       IDPR Control Message Transport Protocol
TP++          39       TP++ Transport Protocol
IL            40       IL Transport Protocol
SIP           41       Simple Internet Protocol
SDRP          42       Source Demand Routing Protocol
SIP-SR        43       SIP Source Route
SIP-FRAG      44       SIP Fragment
IDRP          45       Inter-Domain Routing Protocol
RSVP          46       Reservation Protocol
GRE           47       General Routing Encapsulation
MHRP          48       Mobile Host Ro
...
VISA          70       VISA Protocol
IPCV          71       Internet Packet Core Utility
CPNX          72       Computer Protocol Network Executive
CPHB          73       Computer Protocol Heart Beat
WSN           74       Wang Span Network
PVP           75       Packet Video Protocol
BR-SATMON     76       Backroom SATNET Monitoring
SUN-ND        77       SUN ND PROTOCOL-Temporary
WB-MON        78       WIDEBAND Monitoring
WB-EXPAK      79       WIDEBAND EXPAK
ISO-IP        80       ISO Internet Protocol
VMTP          81       VMTP
SECURE-VMTP   82       SECURE-VMTP
VINES
...
ETHERIP       97       Ethernet-within-IP Encapsulation
ENCAP         98       Encapsulation Header
              99       Any private encryption scheme
GMTP          100      GMTP
              101-254  Unassigned
              255      Reserved

Internet Protocol Options
Internet Protocol options are variable-length additions to the standard IP header. Unfortunately, enabling IP options can be risky; hackers can use them to specify a route that helps them gain access to your network.
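As an added example (not WatchGuard code), the following Python parses the fixed IPv4 header fields listed in the table above and flags any packet whose IHL exceeds 5, which is exactly the options area the preceding paragraph warns about. The sample packets are constructed inside the block; the checksum is left at zero because only header layout is being demonstrated.

```python
"""Parse the fixed IPv4 header described in this chapter and flag packets
that carry IP options. Added example, not WatchGuard code; the sample
packet bytes are constructed here, not captured from a real network."""
import struct

# Protocol numbers taken from the table in this chapter (subset).
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}


def parse_ipv4_header(packet: bytes) -> dict:
    """Return the header fields as a dict, or raise ValueError if the
    header is malformed. Field names follow the table in this chapter."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte minimum IP header")
    ver_ihl, tos, tot_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = ver_ihl & 0x0F            # header length in 32-bit words (minimum 5)
    if version != 4:
        raise ValueError(f"not an IPv4 packet (version={version})")
    if ihl < 5:
        raise ValueError(f"IHL {ihl} is below the minimum of 5")
    hdr_len = ihl * 4
    if tot_len < hdr_len or len(packet) < hdr_len:
        raise ValueError("Tot_Len / IHL inconsistent with the packet size")
    return {
        "version": version,
        "ihl": ihl,
        "tos": tos,
        "tot_len": tot_len,
        "id": ident,
        "flags": flags_frag >> 13,
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        # Everything past the five fixed words is the options area.
        "options": packet[20:hdr_len],
    }


def has_ip_options(packet: bytes) -> bool:
    """True when IHL > 5, i.e. the header carries options. A firewall that
    denies IP options (as the text recommends) would drop such a packet."""
    return parse_ipv4_header(packet)["ihl"] > 5


def build_sample(options: bytes = b"") -> bytes:
    """Constructed sample: a minimal IPv4 header for a UDP datagram, with
    optional option bytes padded to a 32-bit boundary. Demonstration only;
    the checksum field is left at zero."""
    options = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl,          # version 4, header length
                        0,                       # TOS
                        20 + len(options) + 8,   # Tot_Len: header + 8-byte payload
                        0x1234,                  # ID
                        0x4000,                  # flags: Don't Fragment, offset 0
                        64,                      # TTL
                        17,                      # protocol: UDP
                        0,                       # checksum (not computed here)
                        bytes([10, 0, 0, 1]),
                        bytes([192, 168, 1, 1]))
    return fixed + options + b"\x00" * 8   # 8 zero bytes stand in for UDP


if __name__ == "__main__":
    for pkt in (build_sample(), build_sample(b"\x01\x01\x01")):  # 0x01 = NOP option
        h = parse_ipv4_header(pkt)
        print(h["src"], "->", h["dst"], h["protocol"],
              "options present" if has_ip_options(pkt) else "no options")
```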
... transmissions can involve twenty or thirty hops, rendering the record route option obsolete.

Time Stamp
The time stamp option helps measure network propagation delays. This task is done more effectively, however, with higher-level time protocols or time-stamp messages.

Transfer Protocols
The IP protocol encapsulates information contained in the transport layer.
• A connection is described by its source and destination ports and its source and destination IP addresses. In typical usage, port numbers below 1024 are reserved for well-known services (destinations), and the client side is supposed to use ports above 1023 for the source of the connection. However, this rule has many notable exceptions. In particular, NFS (port 2049) and Archie (port 1525) use server ports at numbers above 1024.
IGMP (Internet Group Multicast Protocol): A protocol primarily designed for hosts on multiaccess networks to inform locally attached routers of their group membership information.
IPIP (IP-within-IP): An encapsulation protocol used to build virtual networks over the Internet.
GGP (Gateway-Gateway Protocol): A routing protocol used between autonomous systems.
GRE: A protocol used for PPTP.
ESP: An encryption protocol used for IPSec.
CHAPTER 2 MIME Content Types A content-type header is used by applications to determine what kind of data they are receiving, thus allowing them to make decisions about how it should be handled. It allows clients to correctly identify and display video clips, images, sound, or non-HTML data. People are probably most familiar with the MIME content types sent in email. The WatchGuard Proxied HTTP service uses content-type headers to determine whether to allow or deny an HTTP transaction.
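The allow-or-deny decision described above, as an added example in Python (not WatchGuard's proxy code): it parses a Content-Type header into type, subtype and parameters, normalizes case as RFC 2045 permits, and checks the media type against an allow list that may contain wildcard entries such as text/*. The allow list and sample headers are constructed for illustration.

```python
"""Content-type based allow/deny check of the kind an HTTP proxy performs.
Added example, not WatchGuard code; allow list and headers are constructed."""
from typing import Dict, Optional, Set, Tuple


def parse_content_type(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'type/subtype; param=value; ...' into (type, subtype, params).
    Type and subtype are case-insensitive per RFC 2045, so both are lowercased.
    Raises ValueError for anything that is not exactly one 'type/subtype'."""
    media, *param_parts = header_value.split(";")
    media = media.strip().lower()
    if media.count("/") != 1:
        raise ValueError(f"malformed media type: {header_value!r}")
    mtype, subtype = media.split("/")
    if not mtype or not subtype:
        raise ValueError(f"malformed media type: {header_value!r}")
    params: Dict[str, str] = {}
    for part in param_parts:
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip().lower()] = value.strip().strip('"')
    return mtype, subtype, params


def content_type_allowed(header_value: Optional[str], allow_list: Set[str]) -> bool:
    """Return True only if the media type matches the allow list. An entry
    'text/*' matches every text subtype. A missing or unparsable header is
    denied: a policy that fails open on bad input is not a policy."""
    if header_value is None:
        return False
    try:
        mtype, subtype, _params = parse_content_type(header_value)
    except ValueError:
        return False
    return f"{mtype}/{subtype}" in allow_list or f"{mtype}/*" in allow_list


# Constructed allow list for the demonstration.
SAMPLE_ALLOW_LIST = {"text/*", "image/gif", "image/jpeg", "application/pdf"}

# Constructed sample headers, one per line, as a proxy might see them.
SAMPLE_HEADERS = [
    "text/html; charset=ISO-8859-1",
    "Image/JPEG",
    "application/x-msdownload",
    "garbage",
    None,
]


def classify_samples() -> Dict[Optional[str], bool]:
    """Run every constructed header through the policy and return the verdicts."""
    return {h: content_type_allowed(h, SAMPLE_ALLOW_LIST) for h in SAMPLE_HEADERS}


if __name__ == "__main__":
    for header, verdict in classify_samples().items():
        print(f"{'ALLOW' if verdict else 'DENY ':5} {header!r}")
```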
In addition, WatchGuard encourages you to email requests for inclusion of new content types in our master list to manual@watchguard.com.

Type: text
Subtype [Reference]: plain [RFC2646, RFC2046]; richtext [RFC2045, RFC2046]; enriched [RFC1896]; tab-separated-values [Paul Lindner]; html [RFC2854]; sgml [RFC1874]; vnd.latex-z [Lubos]; vnd.fmi.flexstor [Hurtta]; uri-list [RFC2483]; vnd.abc [Allen]; rfc822-headers [RFC1892]; vnd.in3d.3dml [Powers]; prs.lines.
text (continued): t140 [RFC2793]; vnd.ms-mediapackage [Nelson]; vnd.IPTC.NewsML [IPTC]; vnd.IPTC.NITF [IPTC]; vnd.curl [Hodge]; vnd.
Type: application
Subtype [Reference]: postscript [RFC2045, RFC2046]; oda [RFC2045, RFC2046]; atomicmail [atomicmail, Borenstein]; andrew-inset [andrew-inset, Borenstein]; slate [slate, terry crowley]; wita [Wang Info Transfer, Larry Campbell]; dec-dx [Digital Doc Trans, Larry Campbell]; dca-rft [IBM Doc Content Arch, Larry Campbell]; activemessage [Ehud Shapiro]; rtf [Paul Lindner]; applefile [MacMime, Patrick Faltstrom]; mac-binhex40 [MacMime, Patrik Faltstrom]; news-message-id [RFC1
application (continued): x400-bp [RFC1494]; sgml [RFC1874]; cals-1840 [RFC1895]; pgp-encrypted [RFC3156]; pgp-signature [RFC3156]; pgp-keys [RFC3156]; vnd.framemaker [Wexler]; vnd.mif [Wexler]; vnd.ms-excel [Gill]; vnd.ms-powerpoint [Gill]; vnd.ms-project [Gill]; vnd.ms-works [Gill]; vnd.ms-tnef [Gill]; vnd.svd [Becker]; vnd.music-niff [Butler]; vnd.ms-artgalry [Slawson]; vnd.truedoc [Chase]; vnd.koan [Cole]; vnd.street-stream [Levitt]; vnd.
application (continued): vnd.japannet-registration-wakeup [Fujii]; vnd.japannet-verification-wakeup [Fujii]; vnd.japannet-payment-wakeup [Fujii]; vnd.japannet-directory-service [Fujii]; vnd.intertrust.digibox [Tomasello]; vnd.intertrust.nncp [Tomasello]; prs.alvestrand.titrax-sheet [Alvestrand]; vnd.noblenet-web [Solomon]; vnd.noblenet-sealer [Solomon]; vnd.noblenet-directory [Solomon]; prs.nprend [Doggett]; vnd.webturbo [Rehem]; hyperstudio [Domino]; vnd.shana.informed.
application (continued): vemmi [RFC2122]; vnd.ms-asf [Fleischman]; vnd.ecdis-update [Buettgenbach]; vnd.powerbuilder6 [Guy]; vnd.powerbuilder6-s [Guy]; vnd.lotus-wordpro [Wattenberger]; vnd.lotus-approach [Wattenberger]; vnd.lotus-1-2-3 [Wattenberger]; vnd.lotus-organizer [Wattenberger]; vnd.lotus-screencam [Wattenberger]; vnd.lotus-freelance [Wattenberger]; vnd.fujitsu.oasys [Togashi]; vnd.fujitsu.oasys2 [Togashi]; vnd.swiftview-ics [Widener]; vnd.dna [Searcy]; prs.
application (continued): vnd.novadigm.EDX [Swenson]; vnd.novadigm.EXT [Swenson]; vnd.novadigm.EDM [Swenson]; vnd.claymore [Simpson]; vnd.comsocaller [Dellutri]; pkcs7-mime [RFC2311]; pkcs7-signature [RFC2311]; pkcs10 [RFC2311]; vnd.yellowriver-custom-menu [Yellow]; vnd.ecowin.chart [Olsson]; vnd.ecowin.series [Olsson]; vnd.ecowin.filerequest [Olsson]; vnd.ecowin.fileupdate [Olsson]; vnd.ecowin.seriesrequest [Olsson]; vnd.ecowin.
application (continued): vnd.intu.qbo [Scratchley]; vnd.publishare-delta-tree [Ben-Kiki]; vnd.cybank [Helmee]; batch-SMTP [RFC2442]; vnd.uplanet.alert [Martin]; vnd.uplanet.cacheop [Martin]; vnd.uplanet.list [Martin]; vnd.uplanet.listcmd [Martin]; vnd.uplanet.channel [Martin]; vnd.uplanet.bearer-choice [Martin]; vnd.uplanet.signal [Martin]; vnd.uplanet.alert-wbxml [Martin]; vnd.uplanet.cacheop-wbxml [Martin]; vnd.uplanet.list-wbxml [Martin]; vnd.uplanet.listcmd-wbxml [Martin]; vnd.
application (continued): vnd.wap.wbxml [Stark]; vnd.motorola.flexsuite.wem [Patton]; vnd.motorola.flexsuite.kmr [Patton]; vnd.motorola.flexsuite.adsi [Patton]; vnd.motorola.flexsuite.fis [Patton]; vnd.motorola.flexsuite.gotap [Patton]; vnd.motorola.flexsuite.ttc [Patton]; vnd.ufdl [Manning]; vnd.accpac.simply.imp [Leow]; vnd.accpac.simply.aso [Leow]; vnd.vcx [T.Sugimoto]; ipp [RFC2910]; ocsp-request [RFC2560]; ocsp-response [RFC2560]; vnd.previewsystems.
application (continued): index.response [RFC2652]; index.obj [RFC2652]; index.vnd [RFC2652]; vnd.triscape.mxs [Simonoff]; vnd.powerbuilder75 [Shilts]; vnd.powerbuilder75-s [Shilts]; vnd.dpgraph [Parker]; http [RFC2616]; sdp [RFC2327]; vnd.eudora.data [Resnick]; vnd.fujixerox.docuworks.binder [Matsumoto]; vnd.vectorworks [Pharr]; vnd.grafeq [Tupper]; vnd.bmi [Gotoh]; vnd.ericsson.quickcall [Tidwell]; vnd.hzn-3d-crossword [Minnis]; vnd.wap.slc [WAP-Forum]; vnd.wap.sic [WAP-Forum]; vnd.
application (continued): vnd.mcd [Gotoh]; vnd.httphone [Lefevre]; vnd.informix-visionary [Gales]; vnd.msign [Borcherding]; vnd.ms-lrm [Ledoux]; vnd.contact.cmsg [Patz]; vnd.epson.esf [Hoshina]; whoispp-query [RFC2957]; whoispp-response [RFC2958]; vnd.mozilla.xul+xml [McDaniel]; parityfec [RFC3009]; vnd.palm [Peacock]; vnd.fsc.weblaunch [D.Smith]; vnd.tve-trigger [Welsh]; dvcs [RFC3029]; sieve [RFC3028]; vnd.vividence.scriptfile [Risher]; vnd.hhe.
application (continued): isup [RFCISUP]; qsig [RFCISUP]; timestamp-query [RFC3161]; timestamp-reply [RFC3161]; vnd.pwg-xhtml-print+xml [Wright]

Type: image
Subtype [Reference]: jpeg [RFC2045, RFC2046]; gif [RFC2045, RFC2046]; ief [RFC1314]; g3fax [RFC1494]; tiff [RFC2302]; cgm [Francis]; naplps [Ferber]; vnd.dwg [Moline]; vnd.svf [Moline]; vnd.dxf [Moline]; png [Randers-Pehrson]; vnd.fpx [Spencer]; vnd.net-fpx [Spencer]; vnd.xiff [SMartin]; prs.btif [Simon]; vnd.fastbidsheet [Becker]; vnd.wap.wbmp [Stark]; prs.
audio (continued): vnd.digital-winds [Strazds]; vnd.lucent.voice [Vaudreuil]; vnd.octel.sbc [Vaudreuil]; vnd.rhetorex.32kadpcm [Vaudreuil]; vnd.vmx.cvsd [Vaudreuil]; vnd.nortel.vbk [Parsons]; vnd.cns.anp1 [McLaughlin]; vnd.cns.inf1 [McLaughlin]; L16 [RFC2586]; vnd.everad.plj [Cicelsky]; telephone-event [RFC2833]; tone [RFC2833]; prs.sid [Walleij]; vnd.nuera.ecelp4800 [Fox]; vnd.nuera.
video (continued): MP4V-ES [RFC3016]; vnd.nokia.interleaved-multimedia [Kangaslampi]

Type: model
Subtype [Reference]: * [RFC2077]; iges [Parks]; vrml [RFC2077]; mesh [RFC2077]; vnd.dwf [Pratt]; vnd.gtw [Ozaki]; vnd.flatland.3dml [Powers]; vnd.vtu [Rabinovitch]; vnd.mts [Rabinovitch]; vnd.gdl [Babits]; vnd.gs-gdl [Babits]; vnd.parasolid.transmit.text [Dearnaley, Juckes]; vnd.parasolid.transmit.
CHAPTER 3 Services and Ports
Well-known services are a combination of port number and transport protocol for specific, standard applications. This chapter contains several tables that list service names, port numbers, protocols, and descriptions.
Ports Used by WatchGuard Products
The WatchGuard Firebox, Management Station, and WatchGuard Security Event Processor use several ports during normal functioning.

Port #  Protocol  Purpose
4100    TCP       Authentication applet
4101    TCP       WSEP and Management Station
4105    TCP       WatchGuard service
4106    TCP       WebBlocker
4107    TCP       WSEP and Firebox
4103    TCP       Retrieve WebBlocker database
4102    TCP       Used only in Firebox System (LSS) 3.
Ports Used by Microsoft Products

Port #              Protocol   Purpose
137, 138            UDP        Browsing
67, 68              UDP        DHCP Lease
135                 TCP        DHCP Manager
138 / 139           UDP / TCP  Directory Replication
135                 TCP        DNS Administration
53                  UDP        DNS Resolution
139                 TCP        Event Viewer
139                 TCP        File Sharing
137, 138 / 139      UDP / TCP  Logon Sequence
138                 UDP        NetLogon
137, 138 / 139      UDP / TCP  Pass Through Validation
139                 TCP        Performance Monitor
1723 / 47           TCP / IP   PPTP (47 is the IP protocol number of GRE)
137, 138 / 139      UDP / TCP
Port #  Protocol  Purpose
135     TCP       Client/Server Communications
135     TCP       Exchange Administrator
143     TCP       IMAP
993     TCP       IMAP (SSL)
389     TCP       LDAP
636     TCP       LDAP (SSL)
102     TCP       MTA - X.400 over TCP/IP
110     TCP       POP3
995     TCP       POP3 (SSL)
135     TCP       RPC
25      TCP       SMTP
119     TCP       NNTP
563     TCP       NNTP (SSL)

Well-Known Services List
In addition to the ports used by the services described above, WatchGuard maintains a list of well-known services.
Service Name   Port #  Protocol  Description
tcpmux         1       TCP/UDP   TCP Port Service Multiplexer
compressnet    2,3     TCP/UDP   Management Utility
rje            5       TCP/UDP   Remote Job Entry
echo           7       TCP/UDP   Echo
discard        9       TCP/UDP   Discard
systat         11      TCP/UDP   Active Users
daytime        13      TCP/UDP   Daytime
qotd           17      TCP/UDP   Quote of the Day
msp            18      TCP/UDP   Message Send Protocol
chargen        19      TCP/UDP   Character Generator
ftp-data       20      TCP/UDP   File Transfer [Default Data]
ftp            21      TCP/UD
...
auditd         48      TCP/UDP   Digital Audit Daemon
tacacs         49      TCP/UDP   Login Host Protocol (TACACS)
re-mail-ck     50      TCP/UDP   Remote Mail Checking Protocol
la-maint       51      TCP/UDP   IMP Logical Address Maintenance
xns-time       52      TCP/UDP   XNS Time Protocol
domain         53      TCP/UDP   Domain Name Server
xns-ch         54      TCP/UDP   XNS Clearinghouse
isi-gl         55      TCP/UDP   ISI Graphics Language
xns-auth       56      TCP/UDP   XNS Authentication
xns-mail       58      TC
...
mit-ml-dev     83      TCP/UDP   MIT ML device
ctf            84      TCP/UDP   Common Trace Facility
mit-ml-dev     85      TCP/UDP   MIT ML device
mfcobol        86      TCP/UDP   Micro Focus Cobol
kerberos       88      TCP/UDP   Kerberos
sug-mit-tug    89      TCP/UDP   SU/MIT Telnet gateway
dnsix          90      TCP/UDP   DNSIX Secure Application Token Map
mit-dov        91      TCP/UDP   MIT Dover Spooler
npp            92      TCP/UDP   Network Printing Protocol
dcp            93      TCP/UDP   Device Control Protocol
objcall        94
...
auth (ident)   113     TCP/UDP   Authentication Service
audionews      114     TCP/UDP   Audio News Multicast
sftp           115     TCP/UDP   Simple File Transfer Protocol
ansanotify     116     TCP/UDP   ANSA REX Notify
uucp-path      117     TCP/UDP   UUCP Path Service
sqlserv        118     TCP/UDP   SQL Services
nntp           119     TCP/UDP   Network News Transfer Protocol
cfdptkt        120     TCP/UDP   CFDPTKT
erpc           121     TCP/UDP   Encore Expedited RPC
smakynet       122     TCP/UDP   SMAKYNET
...
sql-net        150     TCP/UDP   SQL-NET
bftp           152     TCP/UDP   Background File Transfer
sgmp           153     TCP/UDP   SGMP
sqlsrv         156     TCP/UDP   SQL Service
pcmail-srv     158     TCP/UDP   PCMail Server
sgmp-traps     160     TCP/UDP   SGMP-TRAPS
snmp           161     TCP/UDP   SNMP
snmptrap       162     TCP/UDP   SNMPTRAP
cmip-man       163     TCP/UDP   CMIP/TCP Manager
cmip-agent     164     TCP       CMIP/TCP Agent
smip-agent     164     UDP       CMIP/TCP Agent
namp           167     TCP/UDP   NAMP
rsvd           168     TCP/UDP
...
ipx            213     TCP/UDP   IPX
imap3          220     TCP/UDP   Interactive Mail Access Protocol v3
fln-spx        221     TCP/UDP   Berkeley rlogind with SPX auth
rsh-spx        222     TCP/UDP   Berkeley rshd with SPX auth
backweb        371     UDP       BackWeb
ulistserv      372     TCP/UDP   Unix Listserv
netware-ip     396     TCP/UDP   Novell Netware over IP
biff           512     UDP       Used by mail system to notify users
exec           512     TCP       Remote process execution
login          513     TCP/UDP   Login Hos
...
cybercash      551     TCP/UDP   Cybercash
remotefs       556     TCP/UDP   Rfs server
9pfs           564     TCP/UDP   Plan 9 file service
whoami         565     TCP/UDP   Whoami
msn            569     TCP       Microsoft Network
doom           666     TCP/UDP   Doom Id Software
kerberos-adm   749     TCP/UDP   Kerberos administration
webster        765     TCP/UDP   Network dictionary
phonebook      767     TCP/UDP   Phone
socks          1080    TCP/UDP   Socks
hermes         1248    TCP/UDP   Hermes
lotusnote      1352    TCP/UDP   Lotus Notes
...
compuserve     4144    TCP       CompuServe Online
rfe            5002    TCP/UDP   Radio free ethernet
aol            5190    TCP       America OnLine
x11            6000    TCP/UDP   X Window System (through 6063)
font-service   7100    TCP/UDP   X Font Service
nas            8000    TCP/UDP   NCD Network Audio Server
iphone         6670    TCP       for connecting to the phone server
iphone         22555   UDP       for audio
iphone         25793   TCP       for the address server, in 4.x and 5.
CHAPTER 4 Hardware Illustrations WatchGuard supports several versions of Firebox hardware including the Firebox II, Firebox II Plus, Firebox II FastVPN, and Firebox IIIs. The hardware illustrations in this chapter are meant to assist with physically installing, connecting, and monitoring a Firebox. For more information on the Firebox III, see the Hardware Guide included with this product. Firebox Illustrations and Descriptions The Firebox hardware platforms are specially designed and optimized machines.
... to support larger installations. Its appearance is identical to the Firebox II, with the exception of a gold faceplate.

Firebox II FastVPN
The Firebox II FastVPN is equipped with a PCI card that provides accelerated cryptographic processing for the public-key and bulk data cryptographic algorithms applied to traffic through the Firebox. It supports data rates approaching T3 and all of the mandatory algorithms used to implement the IPSec standard for Internet Protocol security.
Sys B: Indicates that the Firebox is running from the read-only factory default system area.
Security Triangle Display: Indicates traffic between the interfaces on the Firebox. Green arrows briefly light to indicate allowed traffic between two interfaces in the direction of the arrows. A red light at a triangle corner indicates that the Firebox is denying packets at that interface.
Firebox II Plus and Firebox II FastVPN Rear View
The rear view of the Firebox II Plus and Firebox II FastVPN contains ports and jacks for connectivity as well as a power switch. From the left, rear panel features are as described:

[Figure 1: rear view. Panel labels: AC Receptacle; Power Switch; Power-On Light; Ethernet Jacks (EXTERNAL, TRUSTED, OPTIONAL, each with 10/100 speed and A (traffic) indicators); CONSOLE serial input port; SERIAL; PCMCIA Slots]
[Figure 2: Firebox II Plus Ethernet Ports. Indicator labels: Speed (Yel: 10, Grn: 100); A (Traffic)]

Ethernet Ports
Indicators for each network interface display link status, card speed, and activity. The network interface cards (NICs) are autosensing and adapt to wire speed automatically. The speed indicator lights when there is a good physical connection to the Firebox. When the card runs at 10 Mbit, the speed indicator is yellow.
Disarm: Red light indicates the Firebox detected an error, shut down its interfaces, and will not forward any packets. Reboot the Firebox.
Armed: Green light indicates the Firebox has been booted and is running.
Sys A: Indicates that the Firebox is running from its primary user-defined configuration.
Sys B: Indicates that the Firebox is running from the read-only factory default system area.
Power: Indicates that the Firebox is currently powered up.
Firebox III front view (Model 700)
Firebox III Model 700 indicators are on a central back-lit indicator panel. The photograph shows the entire front view. From the left, the indicators are as described below.
Disarm: Red light indicates the Firebox detected an error, shut down its interfaces, and will not forward any packets.
Armed: Green light indicates the Firebox has been booted and is running.
Firebox III rear view (all models except Model 700)
The rear view of the Firebox III Model 1000, Model 2500, and Model 4500 contains ports and jacks for connectivity as well as a power switch. (Note that units shipped prior to 2002 did not include the USB port.) From the left, rear panel features are as described:
AC Receptacle: Accepts the detachable AC power cord supplied with the Firebox.
Power Switch: Turns the Firebox on or off.
PCI Expansion Slot: Reserved for future use.
[Figure: Ethernet port indicators. Labels: Speed (Yel: 10, Grn: 100); A (Traffic)]

Ethernet Ports (shown on the previous page)
Indicators for each network interface display link status, card speed, and activity. The network interface cards (NICs) are auto-sensing and adapt to wire speed automatically. The speed indicator lights when there is a good physical connection to the Firebox. When the card runs at 10 Mbit, the speed indicator is yellow. When the card runs at 100 Mbit, the speed indicator is green.
Firebox III rear view (Model 700)
The rear view of the Firebox III Model 700 contains ports and jacks for connectivity as well as a power switch. From the left, rear panel features are as described:
AC Receptacle: Accepts the detachable AC power cord supplied with the Firebox.
Power Switch: Turns the Firebox on or off.
Factory Default: This button is active only during the boot process.
Ethernet Jacks (shown above)
Indicators for each network interface display link status, card speed, and activity. The network interface cards (NICs) are auto-sensing and adapt to wire speed automatically. The speed indicator lights when there is a good physical connection to the Firebox. When the card runs at 10 Mbit, the speed indicator is yellow. When the card runs at 100 Mbit, the speed indicator is green.
CHAPTER 5 Types of Services
This chapter describes well-known services, their protocols and ports, as well as special considerations for adding the service to a security policy configuration. Rather than explain every service in detail, this chapter explains the telnet service thoroughly as an example from which to extrapolate configuration details for similar services. Services fall into two broad categories: packet filters and proxies.
CHAPTER 5: Types of Services The Any service has different semantics from other services. For example, if you allow FTP to a specific host, all other FTP sessions are implicitly denied by that service (unless you have also configured other FTP service icons). The Any service, however, does not implicitly deny like other services.
... WatchGuard to add the source IP address to the Blocked Sites List whenever an incoming archie connection is denied. All of the usual logging options can be used with archie. We recommend that you use the available WWW interfaces to archie, such as: http://www.macsch.com/stress/archie.html

Characteristics
• Protocol: UDP
• Server Port(s): 1525
• Client Port(s): greater than 1023

auth (ident)
auth (ident) is a protocol used to map TCP connections back to a user name.
• RFC: 1413

Citrix ICA (WinFrame)
Citrix ICA is a protocol used by Citrix for their applications, including the WinFrame product. WinFrame is a server-based application from Citrix that provides access to Windows from a variety of clients. ICA uses TCP port 1494 for its WinFrame software. Adding the Citrix ICA service could compromise network security because it allows traffic inside the firewall without authentication.
Clarent also supports the use of PCAnywhere for management. Refer to the PCAnywhere implementation notes for further information. Adding the Clarent-gateway service could compromise network security because it allows traffic inside the firewall based only on network address, which is not a reliable method of authentication. In addition, your Clarent server may be subject to denial of service attacks in this configuration.
Characteristics
• Protocol: UDP
• Client Port: ignore
• Port Number(s): 5001, 5002

CU-SeeMe
CU-SeeMe is a program used for video conferencing over the Internet. For CU-SeeMe to work through the Firebox, you must ensure that you are not on a network using outgoing Dynamic NAT, and configure the CU-SeeMe service for both incoming and outgoing access.
DNS
Domain Name Service (DNS) maps host names to IP addresses. You will probably not need to add a DNS service icon unless you maintain a public DNS server behind the Firebox, since outgoing UDP traffic is enabled by default. The DNS multi-service icon allows UDP DNS traffic, as well as TCP zone transfers, to occur as specified. All of the usual logging options can be used with DNS.
Filtered-SMTP
Filtered-SMTP allows SMTP traffic (e-mail) without using the SMTP proxy. One use of Filtered-SMTP is to eliminate the need for outgoing mail to be routed through the SMTP proxy twice. With the Filtered-SMTP icon between the trusted network and the mail server on the optional network, mail is proxied only when it is outbound to the Internet.
Gopher
Gopher is a data-retrieval protocol developed at the University of Minnesota. As HTML proliferated and Web browsers improved, Gopher servers were replaced by Web servers. It is unlikely that you will ever need to run a Gopher server.

Characteristics
• Protocol: TCP
• Server Port(s): 70, although servers can be and are configured to use other ports
• Client Port(s): greater than 1023

HTTPS
HTTPS is a secured and encrypted version of the HTTP protocol.
... multiple sites (such as home, work, or laptop) without the need to transfer messages and files back and forth.

Characteristics
• Protocol: TCP
• Server Port(s): 143
• Client Port(s): client

LDAP
Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for accessing online directory services. The protocol runs over Internet transport protocols, such as TCP, and can be used to access standalone directory servers or X.500 directories.
NNTP
Network News Transfer Protocol (NNTP) is used to transmit Usenet news articles. The best way to use NNTP is to set Internal Hosts to internal news servers, and External Hosts to news feeds. In most cases NNTP has to be enabled in both directions. If you are running a public newsfeed, you must allow NNTP connections from all external hosts. External hosts can be spoofed; WatchGuard cannot verify that these packets were actually sent from the correct location.
NTP
Network Time Protocol (NTP) is a protocol built on TCP/IP that ensures accurate local timekeeping by synchronizing computer clocks with other clocks located on the Internet. NTP is capable of synchronizing times within milliseconds over extended time periods.

Characteristics
• Protocol: UDP, TCP
• Server Port(s): 123
• Client Port(s): client

Outgoing Services
Outgoing TCP connections can be allowed or denied.
  - 5632/UDP
  - 5631/TCP
  - 65301/TCP
• Client Port: ignore (all cases)

ping
ping can be used to determine whether a host can be reached and is operable and on the network. To intercept DOS-based or Windows-based traceroute packets, configure the ping service. Like traceroute, it is generally a bad idea to allow ping into a network; however, outgoing ping is useful for troubleshooting.
Icons in the Services Arena
No icons are needed for this scenario, as the connections will never reach the Firebox.

Scenario 2
Description: A POP server on the Optional interface, generally running on the same machine as the SMTP server.
Icons needed in the Services Arena: Either a Proxy icon or an Outgoing icon allowing all outgoing TCP connections. In the absence of one of these, a POP icon allowing outgoing connections to the server.
Packet Filter Services from one location. RADIUS prevents hackers from intercepting and responding to authentication requests by transmitting an authentication key that identifies it to the RADIUS client. Characteristics • • • Protocol: UDP Server Port(s): 1645 Client Port(s): client RIP RIP is a routing protocol that predates IP, making it one of the oldest protocols on the Internet. It is used to automatically build routing tables for local routers.
CHAPTER 5: Types of Services NOTE Allowing SMB through the Firebox is extremely insecure, and is strongly discouraged unless used through a VPN connection. These configuration settings are to be used only if there is no other alternative, and service icon settings should be as specific as possible.
Packet Filter Services - One UDP icon for port 138. Set client port to “port” to enable the NetBIOS datagram service to transfer information between hosts. - One TCP icon for port 139. Set client port to “client.” This sets up a NetBIOS TCP channel for passing information between hosts. SNMP Simple Network Management Protocol (SNMP) can be used to collect information about and configure remote computers. This has proven to be dangerous. A great many Internet attacks have used SNMP.
and a client port of ignore. Then set up incoming access from the allowed external hosts to the sql*net server.

Characteristics
• Protocols: TCP
• Server Port(s): 1521, 1526
• Client Port(s): ignore

Sybase SQL-Server
Sybase uses one port for the Sybase Central and SQL Advantage software. There is no factory default port. Rather, the administrator configures the port during the installation process using the Sybase Network Connections dialog box.

provides strong authentication and secure (encrypted) communications. WatchGuard recommends the use of ssh in lieu of more vulnerable protocols like telnet, rsh, and rlogin. If you use ssh, you should also use its strong authentication mechanisms. Strong encryption mechanisms are available for U.S. customers, Canadian customers, and customers who have been approved for use of strong encryption by WatchGuard and/or the U.S. Government.

• Add the WatchGuard Logging icon to the Services Arena

NOTE
Attacks often focus on flooding syslog with log entries so that attacks are either lost in the noise or the disk fills up and attack attempts are not recorded. Generally, syslog traffic should not pass through the Firebox.

telnet
The telnet service is used to log in to a remote computer, and is similar to using dial-up access except that the connection is made over a network.

Characteristics
• Protocol: TCP
• Server Port(s): 23
• Client Port(s): greater than 1023
• RFC: 854

Common Scenario
Description
Telnet access is not allowed in to any machines on the Trusted network, but access is allowed out to External and/or Optional machines.
Characteristics
• Protocols: UDP
• Server Port(s): 69
• Client Port(s): generally greater than 1023

Timbuktu
Timbuktu Pro is remote control and file transfer software used to gain access to Windows computers. The protocol uses TCP port 1417 and UDP port 407. Add the Timbuktu service and allow incoming access from the hosts on the Internet that need to gain access to internal Timbuktu servers, and to the internal Timbuktu servers.

a site’s Internet Service Provider. The WatchGuard traceroute service is for filtering Unix-based UDP-style traceroute only. For DOS-based or Windows-based traceroute packet filtering, use the ping service instead (see “ping” on page 63). traceroute uses ICMP and UDP packets to build pathways across networks, using the UDP TTL field to return packets from every router and machine between a source and a destination.

Characteristics
• Protocol: TCP
• Server Port(s): 4105
• Client Port(s): client

WatchGuard Encrypted Connections
WatchGuard uses one of three levels of encrypted connections to allow remote configuration and monitoring on ports 4101, 4102, and 4103. The levels are low, medium, and strong encryption. The level you have depends on your purchase agreement with WatchGuard.

whois
The whois protocol gives information about who administers Internet sites and networks. It is often useful for finding administrative contacts at other sites. Because very few sites run whois servers, the only service necessary to access these sites is an Outgoing or a Proxy icon. In the absence of these, use a whois icon allowing outgoing connections to the required whois servers, the most common one being rs.internic.net.

Proxied Services
aware that the standard SMB or NetBIOS ports may also need to be allowed so that the above software will work properly.

NOTE
DCE-RPC allows all DCE RPC traffic through the firewall (to and from the configured addresses and ports as appropriate); it does not filter any of the packets for harmful content.

Description
There is a “public” FTP server on the Trusted network.
Icons in the Services Arena
Configuration is the same as for Scenario 1.

H323
The H323 service enables applications based on the H.323 protocol to be used through the Firebox. Popular products that use this protocol include:
• Microsoft NetMeeting
• Intel Internet VideoPhone
This service does not do any filtering for harmful content, does not support QoS or the RSVP protocol, and does not support any type of NAT.

NOTE
The WatchGuard service called HTTP Proxy is not to be confused with an HTTP caching proxy. An HTTP caching proxy is a separate machine that performs caching of Web data. If you use an external caching proxy, you must explicitly enable (by adding service icons) any outgoing services you intend to use. If you do not, outgoing TCP connections won’t work properly.

Proxied-HTTP rule ensures that all outgoing HTTP traffic, regardless of port, will be proxied according to the HTTP proxy rules. WatchGuard recommends that you allow incoming HTTP only to any public HTTP servers maintained behind the Firebox. External hosts can be spoofed, as WatchGuard cannot verify that these packets were actually sent from the correct location. Configure WatchGuard to add the source IP address to the Blocked Sites List whenever an incoming HTTP connection is denied.

Icons in the Services Arena
A RealNetworks service icon: the Incoming tab should be empty. The Outgoing tab should allow from Any to Any.
Scenario 2
Description
There is a RealNetworks server on the Trusted or the Optional interface.
Icons in the Services Arena
A RealNetworks service icon: the Incoming tab should allow from Any to the RealNetworks server. The Outgoing tab should allow to Any from Any.

When using incoming Static NAT with SMTP, auth must be added (see “auth (ident)” on page 53) to the Services Arena. Configure auth to allow incoming auth to the Firebox. This enables outgoing mail messages to flow unrestricted from behind the Firebox to the numerous SMTP servers on the Internet that use auth to verify other mail servers’ identities, and allows these servers to return messages through the Firebox to the senders.

Characteristics
• Protocol: UDP
• Server Port(s): 1558
• Client Port(s): 1558
• RFC: No RFC, but see: http://www.streamworks.com

Common Scenarios
Scenario 1
Description
There are StreamWorks servers off the External interface, scattered across the Internet.
Icons in the Services Arena
A StreamWorks service icon: the Incoming tab should be empty. The Outgoing tab should allow from Any to Any.

• RFC: No RFC, but see: http://www.vdo.net

Common Scenarios
Scenario 1
Description
There are VDOLive servers off the External interface, scattered across the Internet.
Icons in the Services Arena
A VDOLive service icon: the Incoming tab should be empty. The Outgoing tab should allow from Any to Any.
Scenario 2
Description
There is a VDOLive server on the Trusted or the Optional interface.
CHAPTER 6 Common Log Messages

This chapter provides explanations for many of the log messages most commonly generated by the Firebox. For more information on log messages, refer to the In-Depth FAQs in the WatchGuard Knowledge Base. Go to the following Web site and log into the LiveSecurity Service: http://www.watchguard.com/support

Log messages in this chapter are arranged alphabetically.

xxx.xxx.xxx.

band management. The Firebox always attempts to communicate with a PCMCIA modem and will report this error if none is found.

controld: ERROR: Receiving another configuration file from firebox 10.1.16.2.
Indicates that the current configuration file is corrupted or incomplete. The Event Processor will close the connection.

deny in eth0 tcp www.xxx.yyy.zzz www.xxx.yyy.zzz 25 1200 80 psh ack
A psh ack is an acknowledgement of a push.

- Avoid using dynamic NAT between your clients and your DNS server.
- Disable the outgoing portion of the DNS proxied service and replace it with a filtered DNS service.

firewalld[xxx] cs_server() failed (keys didn't match)
The cs_server is the process that listens for management connections to the Firebox.

firewalld [xxx] proxy accept() failed (Connection reset by peer)
Indicates that a Web browser reset or failed to complete a connection. This occurs if the user clicks the Stop or Reload button while a page is loading.

firewalld[]: Putting file wg.cfg (from x.x.x.x)
Indicates that the Management Station at x.x.x.x sent a new configuration file to the Firebox.

firewalld[]: Restarted by x.x.x.

fwcheck[] Killing process http-proxy (pid x)
Fwcheck is the process responsible for low-memory scavenging on the Firebox. If Firebox memory is overloaded for some reason, fwcheck kills other processes until memory usage returns to a safer state.

http-proxy[] [x.x.x.x:1091 x.x.x.x:80] Request denied: No URI found
This message indicates that a connection to a Web server was not compliant with RFC 2068. The problem is not with the code of the Web page but with the server itself.

this file indicates that firewalld is taking a long time to create it. A possible cause is that the configuration file is corrupted.

http-proxy[]: no proxy services configured -- exiting
Indicates that no services defined on the Firebox make use of the HTTP Proxy. The HTTP Proxy process starts, determines that there are no rules for the process, and then exits.

http-proxy[205]: [x.x.x.x:8921 x.x.x.x:80] Error while sending/receiving: Invalid transfer-encoding type "Identity"
HTTP has a provision for defining the encoding type used in the page data transfer. The default is called "Identity," which means that no encoding or transformations are performed on the page data. The RFC for HTTP 1.1 says the following about identity: "identity: The default (identity) encoding; the use of no transformation whatsoever."

ipseccfg[] No remote gateway associated with xxx
Indicates that ipseccfg was unable to parse a preconfigured remote gateway from the configuration file, possibly due to a corrupted configuration file. Try reconfiguring your VPN tunnel options and/or Mobile User IPSec options.

ipseccfg[]: No Remote Gateways configured, aborting ipseccfg
Indicates that there are no IPSec tunnels configured on the Firebox.

kernel Problem: block on freelist at xxxxxxxxx isn't free
If you see this log message, contact WatchGuard Technical Support immediately. A small number of Fireboxes experienced a manufacturing problem with their power supply, which causes this symptom.

kernel: Temporarily blocking host x.x.x.x
Indicates that an IP address was dynamically added to the blocked site list.

Pid(x) exited status 1
Indicates that a process on the Firebox exited normally.
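The deny message and the "Temporarily blocking host" message above are the two lines an analyst most often wants to aggregate from a Firebox log. The following parser is an added example and is not WatchGuard code. The field order it assumes for the deny line (action, direction, interface, protocol, source, destination, a numeric field taken here to be the packet length, source port, destination port, then TCP flags) is read off the sample message in this chapter and is an assumption; the log lines in SAMPLE_LOG are constructed for the example, using documentation address ranges.

```python
"""Parse Firebox-style deny and blocked-host log lines and summarize them.

Added example, not WatchGuard code.  Field order for the deny line is an
assumption taken from the sample message in this chapter:
  deny <in|out> <iface> <proto> <src> <dst> <len> <sport> <dport> [flags...]
"""
import re
from collections import Counter

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
deny in eth0 tcp 203.0.113.7 192.0.2.10 25 1200 80 psh ack
deny in eth0 tcp 203.0.113.7 192.0.2.10 25 1201 80 psh ack
deny in eth0 tcp 203.0.113.9 192.0.2.10 60 40211 23 syn
deny in eth0 udp 198.51.100.4 192.0.2.10 78 53 137
kernel: Temporarily blocking host 203.0.113.9
fwcheck[] Killing process http-proxy (pid 212)
"""

DENY_RE = re.compile(
    r"^deny (?P<direction>in|out) (?P<iface>\S+) (?P<proto>tcp|udp) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<length>\d+) "
    r"(?P<sport>\d+) (?P<dport>\d+)(?: (?P<flags>[a-z ]+))?$"
)
BLOCK_RE = re.compile(r"^kernel: Temporarily blocking host (?P<host>\S+)$")


def parse_line(line):
    """Return a dict for a deny or block message, or None for any other line."""
    m = DENY_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "deny"
        for key in ("length", "sport", "dport"):
            rec[key] = int(rec[key])
        rec["flags"] = frozenset(rec["flags"].split()) if rec["flags"] else frozenset()
        return rec
    m = BLOCK_RE.match(line)
    if m:
        return {"kind": "block", "host": m.group("host")}
    return None


def summarize(text):
    """Aggregate denies per source, auto-blocked hosts, and ACKs without SYN.

    A denied TCP segment carrying "ack" but not "syn" (the psh ack case
    explained above) belongs to a connection the Firebox holds no state for;
    listing those separately lets an analyst tell late packets from probes.
    """
    denies_by_src = Counter()
    blocked = set()
    stateless_acks = []
    for raw in text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        if rec["kind"] == "block":
            blocked.add(rec["host"])
            continue
        denies_by_src[rec["src"]] += 1
        if rec["proto"] == "tcp" and "ack" in rec["flags"] and "syn" not in rec["flags"]:
            stateless_acks.append((rec["src"], rec["sport"], rec["dst"], rec["dport"]))
    return {
        "denies_by_src": denies_by_src,
        "blocked_hosts": blocked,
        "stateless_acks": stateless_acks,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, n in report["denies_by_src"].most_common():
        print(f"{src}: {n} denied packet(s)")
    print("auto-blocked:", sorted(report["blocked_hosts"]))
    print("ack-without-syn:", report["stateless_acks"])
```

The regex is deliberately strict: a line that does not match the assumed layout is skipped rather than misparsed, so if a real Firebox emits extra fields the counts come out low instead of wrong, which is the safer failure for a detection script.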
rbcast[] Error sending data on optional--will not use anymore: Network is unreachable
The RBCAST service is unable to send broadcasts on the Optional interface. Possible causes include:
- Nothing connected to the interface
- Improper or no rule regarding the traffic
The RBCAST service sends directed broadcasts on UDP ports to other networks. An Outgoing service rule must be associated with it.

- For SMTP: default.proxies.smtp.connect_timeout: Note that this property is global to all SMTP services, unlike the FTP version described previously.

smtp-proxy[589]: [x.x.x.x:1098 x.x.x.x:25] proxy connect failed (Operation now in progress)
This message indicates a Proxy Backlog. The Proxy Backlog defines the number of connection requests held by the Firebox until a proxy can be started to handle the connection. The default Proxy Backlog value is 20.
CHAPTER 7 WebBlocker Content

WebBlocker works in conjunction with the HTTP proxy to provide content-based URL-filtering capabilities.

WebBlocker Categories
WebBlocker relies on a URL database built and maintained by SurfControl. The Firebox automatically and regularly downloads a current version of the WebBlocker database from the WatchGuard Web site to your log host. The Firebox then copies the new version into memory. This process ensures the most up-to-date Web filtering and blocking capabilities.

Alcohol/Tobacco
Pictures or text advocating the sale, consumption, or production of alcoholic beverages and tobacco products.

Illegal Gambling
Pictures or text advocating materials or activities of a dubious nature that may be illegal in any or all jurisdictions, such as illegal business schemes, chain letters, copyright infringement, computer hacking, phreaking (using someone’s phone lines without permission), and software piracy.

Gross Depictions
Pictures or text describing anyone or anything that is either crudely vulgar, grossly deficient in civility or behavior, or shows scatological impropriety. Topic includes depictions of maiming, bloody figures, and indecent depiction of bodily functions.

Violence/Profanity
Pictures or text exposing extreme cruelty or profanity. Cruelty is defined as physical or emotional acts against any animal or person that are primarily intended to hurt or inflict pain.

Full Nudity
Pictures exposing any or all portions of human genitalia. Topic does not include sites categorized as Partial/Artistic Nudity containing partial nudity of a wholesome nature. For example, it does not include Web sites for publications such as National Geographic or Smithsonian magazine, nor sites hosted by museums such as the Guggenheim, the Louvre, or the Museum of Modern Art.
CHAPTER 8 Resources

There are many resources you can draw upon to support your efforts to improve network security. This chapter lists several sources of information commonly used by WatchGuard engineers, developers, and Technical Support teams to learn more about network security in general and the WatchGuard product line in particular.

O'Reilly
Publishes many books on network security. http://www.ora.com/

Books
Non-Fiction
Amoroso, Edward and Bellovin, Steven. Intranet and Internet Firewall Strategies. Indianapolis: Que Corporation, 1996. ISBN 1562764225.
Chapman, Brent, and Zwicky, Elizabeth D. Building Internet Firewalls. Sebastopol: O'Reilly & Associates, 1994. ISBN 1-56592-124-0.
Cheswick and Bellovin. Firewalls and Internet Security: Repelling the Wily Hacker. Reading, MA: Addison Wesley Longman, Inc., 1994.
Schneier, Bruce. Applied Cryptography. Second Edition. New York: John Wiley & Sons, Inc., 1996. ISBN 0-471-11709-9.
Schwartau, Winn. Cybershock: Surviving Hackers, Phreakers, Identity Thieves, Internet Terrorists and Weapons of Mass Disruption. New York: Thunder’s Mouth Press, 2000. ISBN 1-56025-246-4.
Sheldon, Tom (Editor); Cox, Phil. Windows 2000 Security Handbook. McGraw-Hill Publishing, November 2000. ISBN 0072124334.
Stevens, W. Richard. TCP/IP Illustrated.

Web Sites
WatchGuard Frequently Asked Questions
http://www.watchguard.com (Click Support, log into LiveSecurity Service, click Knowledge Base, click In-Depth FAQs)
Attrition
http://www.attrition.org/
Bugtraq
http://www.securityfocus.com
Center for Education and Research in Information Assurance and Security
http://www.cerias.purdue.edu/
Complete Intranet Firewalls Resource Page
http://www.intrack.com/intranet/firewall.shtml
CSI Firewall Product Search Center
http://www.gocsi.
Internet Firewalls - Frequently Asked Questions
http://www.interhack.net/pubs/fwfaq
Internet Firewalls - Resources
http://www.cerias.purdue.edu/coast/firewalls
The Java Security Web Site
http://www.rstcorp.com/javasecurity/
National Institute of Standards and Technology, Computer Security Resource Center
http://www-08.nist.gov
Note: Yes, the dash after “www” is correct.
NFR Security archives
http://www.nfr.net/firewall-wizards/
Laboratory of Computer Communications and Networking
http://www.cs.
Dictionaries of Computer Terminology
http://www.webopedia.com/
http://www.whatis.com/
http://info.astrian.net/jargon/

Newsgroups
comp.security.firewalls
Use your newsreader or electronic messaging application to subscribe to the comp.security.firewalls Usenet newsgroup.
Deja.com
Deja.com provides a Web-based alternative to news reader services. In addition to comp.security.firewalls, it includes several discussion groups and the occasional room discussing network security issues.
CHAPTER 9 Out-of-Band Initialization Strings

This chapter provides a reference list of PPP and modem initialization strings used to configure out-of-band (OOB) management. The PPP client for Linux is called pppd.

PPP Initialization Strings
These are the strings and syntaxes available for use when configuring a Firebox for out-of-band management in Policy Manager:

asyncmap

escape xx,yy,..
Specifies that certain characters should be escaped on transmission (regardless of whether the peer requests them to be escaped with its async control character map). The characters to be escaped are specified as a list of hex numbers separated by commas. Almost any character can be specified for the escape option, unlike the asyncmap option, which allows only control characters to be specified.

values give better compression but consume more kernel memory for compression dictionaries. Alternatively, a value of 0 for nr or nt disables compression in the corresponding direction. Use nobsdcomp or bsdcomp 0 to disable BSD-Compress compression entirely.

debug
Enables connection debugging facilities. When this option is given, pppd logs the contents of all control packets sent or received in a readable form.

default-asyncmap
Disables asyncmap negotiation, forcing all control.

active-filter option is given, data packets that are rejected by the specified activity filter also count as the link being idle.

ipcp-accept-local
With this option, pppd accepts the peer’s idea of our local IP address, even if the local IP address was specified in an option.

ipcp-accept-remote
With this option, pppd accepts the peer’s idea of its remote IP address, even if the remote IP address was specified in an option.

lcp-max-configure n
Sets the maximum number of LCP configure-request transmissions to n (default 10).

lcp-max-failure n
Sets the maximum number of LCP configure-NAKs.

lcp-max-terminate n
Sets the maximum number of LCP terminate-request transmissions to n (default 3).

lcp-restart n
Sets the LCP restart interval (retransmission time-out) to n seconds (default 3).

local
Do not use the modem control lines.

noauth
Do not require the peer to authenticate itself.

nobsdcomp
Disables BSD-Compress compression; pppd will not request or agree to compress packets using the BSD-Compress scheme.

noccp
Disables CCP (Compression Control Protocol) negotiation. This option should be required only if the peer is buggy and gets confused by requests from pppd for CCP negotiation.

nocrtscts
Disables hardware flow control (that is, RTS/CTS) on the serial port.

xonxoff
Uses software flow control (that is, XON/XOFF) to control the flow of data on the serial port.

Modem Initialization Strings
These parameters specify a chat session that occurs between the Firebox and the modem to properly initialize the modem. In most cases the default initializations work with a wide variety of modems. The default initializations are known to work with the list of approved modems.

7 Send “ATS0=1” to direct the modem to answer incoming calls after one ring.
8 Expect “OK” back.
9 Expect back a final “OK” from the modem.

For an out-of-band management connection, the modem needs to be set up to answer the phone when it rings, and to use hardware flow control on the serial line. The Flow Control and Modem Initialization fields on the OOB tab enable you to make these settings.

"" or ''
Expect or send a null string. If you send a null string, it will still send the return character. This sequence can be either a pair of apostrophes or a pair of quotes.
\b
Backspace.
\c
Suppress the new line at the end of the reply string. This is the only method to send a string without a trailing return character. It must be at the end of the send string. For example, the sequence hello\c will simply send the characters h, e, l, l, o (not valid in expect).
\t
Send or expect a tab character.
\\
Send or expect a backslash character.
\ddd
Collapse the octal digits (ddd) into a single ASCII character and send that character. Some characters are not valid in expect.
Ctrl+C
Substitute the sequence with the control character represented by C. For example, the character DC1 (17) is shown as Ctrl+Q. Some characters are not valid in expect.
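To make the escape rules above concrete, here is an expander that turns a chat send or expect string into the bytes that actually go over the serial line. It is an added example and not WatchGuard or pppd code. It covers the sequences listed in this section (the null string, \b, \c, \t, \\, \ddd and the control-character form); the manual prints that form as Ctrl+C, and the example assumes it is written ^C in the script itself, as in chat(8). It also enforces the two constraints the text states: \c must be the last thing in a send string, and it is not valid in an expect string.

```python
"""Expand chat-script send/expect strings into the bytes they produce.

Added example, not WatchGuard or pppd code.  Assumes the control-character
form is written ^C in the script (the manual shows it as Ctrl+C).
"""


def expand_chat_string(text, expect=False):
    """Return the bytes a send string transmits (or an expect string matches).

    A send string gets a trailing carriage return unless it ends with \\c.
    \\c is rejected in expect strings, as the section above requires.
    """
    # "" or '': the null string.  Sending it still transmits the return.
    if text in ('""', "''"):
        return b"" if expect else b"\r"

    out = bytearray()
    suppress_return = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            if nxt == "c":
                if expect:
                    raise ValueError("\\c is not valid in expect")
                if i + 2 != len(text):
                    raise ValueError("\\c must be at the end of the send string")
                suppress_return = True
                i += 2
                continue
            simple = {"b": 0x08, "t": 0x09, "\\": 0x5C}
            if nxt in simple:
                out.append(simple[nxt])
                i += 2
                continue
            if nxt in "01234567":
                # \ddd: up to three octal digits collapse into one byte
                j = i + 1
                while j < len(text) and j < i + 4 and text[j] in "01234567":
                    j += 1
                out.append(int(text[i + 1:j], 8) & 0xFF)
                i = j
                continue
            raise ValueError(f"unknown escape \\{nxt}")
        if ch == "^" and i + 1 < len(text):
            # ^C: the control character represented by C, e.g. ^Q is DC1 (17)
            out.append(ord(text[i + 1].upper()) & 0x1F)
            i += 2
            continue
        out.extend(ch.encode("ascii"))
        i += 1

    if not expect and not suppress_return:
        out.append(0x0D)
    return bytes(out)


if __name__ == "__main__":
    # The ATS0=1 send from the procedure above, plus a few escape cases.
    for s in ("ATS0=1", "hello\\c", '""', "\\021", "^Q", "a\\\\b\\t"):
        print(repr(s), "->", expand_chat_string(s))
    print(repr("OK"), "(expect) ->", expand_chat_string("OK", expect=True))
```

Run stand-alone it prints each sample string beside the bytes it expands to; the \021 and ^Q cases both yield the single byte 0x11 (DC1), which is the equivalence the section describes.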
CHAPTER 10 Firebox Read-Only System Area

WatchGuard ships all Fireboxes with a fixed, baseline set of functionality stored on the read-only system area of the Firebox flash disk memory. It is possible to start the Firebox using this read-only system area when the primary user area is misconfigured or corrupted.

With the Firebox running the read-only system area, use one of two methods to initialize the Firebox and prepare it for configuration:
• Out-of-band via a modem
• Direct via a serial cable

Enhanced System Mode
By default, all Fireboxes (shipped with Firebox System 4.1 or later) boot into an Enhanced System Mode. When a Firebox is running from the Enhanced System Mode, the SysA light on the front panel flickers yellow in a repeating pattern.

Initializing a Firebox Using a Serial Cable
interfaces. Turn on the Firebox. A flickering SysA light indicates that the Firebox is running System 4.1 or later.
To perform this procedure, you must have:
• A newly shipped Firebox or any model of Firebox already initialized with System 4.1 or later
• A Management Station running LSS/WFS that can attach via a local LAN connection to the Trusted interface of the Firebox
1 Use a cross-over cable to connect the Firebox External and Optional ethernet interfaces.

Booting from the system area
From Control Center:
1 Select Tools => Advanced => Flash Disk Management.
The Flash Disk Management Tool dialog box appears.
2 Select Boot From the System Area. Click Continue.
The read-only system area Setup dialog box appears.
3 Enter the IP address you want to temporarily assign to the Firebox Trusted interface. Click OK.
The Firebox uses this address for only a brief period of time, until the Firebox reboots.

2 Start Policy Manager. Use it to copy a valid configuration file to the primary area of the Firebox flash disk.
- Initializing an older Firebox for the first time: Create a valid configuration file using Policy Manager.
- Recovering a previously configured Firebox: Use the configuration file on the Management Station hard drive.
- Attempting to solve some other problem: Create a valid configuration file using Policy Manager.

Initializing a Firebox Using a Modem
The WatchGuard Firebox can accept both external and PCMCIA modems. Use a modem for out-of-band initialization and configuration in cases where the Firebox is located remotely from the Management Station.
Before starting this procedure, make sure you have:
• Management Station running Firebox System 4.

Initializing using Remote Provisioning
• The Management Station is running System 4.1 or later and has IP connectivity to the network to which the Firebox is connected
• The network address and the netmask of the net behind the router must be known
• One or more unused IP addresses are available behind the router

5 Select an unused IP address behind the router on the same network to which the Firebox is attached. Set the Firebox’s read-write passphrase to wg. Set the timeout to 90 seconds. Click OK.
6 If the procedure is successful, the open operation on the Management Station completes. You can then follow the regular procedures described in the User Guide to configure and download a new flash image to the Firebox.

Managing Flash Disk Memory
5 Select a file name for the Firebox backup.
The Enter Encryption Key dialog box appears.
6 Enter a key for encrypting the backup file. Click OK.
This ensures that no one can obtain sensitive information from the backup file.
7 Click OK.
When the backup is successful, an Operation Complete alert appears. You do not need to reboot the Firebox.
CHAPTER 11 Glossary This glossary contains a list of terms, abbreviations, and acronyms frequently used when discussing networks, firewalls, and WatchGuard products. access control A method of restricting access to resources, allowing access only to privileged entities. active mode FTP One of two ways an FTP data connection is made. In active mode, the FTP server establishes the data connection. In passive mode, the client establishes the connection.
CHAPTER 11: Glossary Address Resolution Protocol (ARP) A TCP/IP protocol used to convert an IP address into a physical address such as an Ethernet address. address space probe An intrusion measure in which a hacker sequentially attacks IP addresses. These probes are usually attempts to map IP address space to look for security holes that a sender might exploit to compromise system security.
armed A state of a Firebox in which it is actively guarding against intrusion and attack. ARP See Address Resolution Protocol. ARP table A table of active ARP addresses on a computer. ascending A method of ordering a group of items from lowest to highest, such as from A to Z. ASN.1 (Abstract Syntax Notation One) ISO/IEC standard for encoding rules used in ANSI X.509 certificates. Two types exist: DER (Distinguished Encoding Rules) and BER (Basic Encoding Rules).
CHAPTER 11: Glossary authorization To convey official access or legal power to a person or entity. backbone A term often used to describe the main network connections composing the Internet. backdoor A cipher design fault, planned or accidental, that allows the apparent strength of the design to be easily avoided by those who know the trick. When the design background of a cipher is kept secret, a back door is often suspected. bandwidth The rate at which a network can transfer data.
blocked site An IP address outside the Firebox explicitly blocked so it cannot connect with hosts behind the Firebox. Blocked sites can be manual and permanent, or automatic and temporary. Blue Screen of Death (BSoD) A condition in which a Windows NT—based system encounters a serious error, the entire operating system halts, and a screen appears with information regarding the error. The name comes from the blue color of the error screen. boot up To start a computer.
CHAPTER 11: Glossary cascade A command that arranges windows so that they are overlapped, with the active window in front. cascading Connecting hubs with 10BASE-T cable; sometimes requires a crossover cable. Category 3 cabling A 10BASE-T unshielded twisted-pair cabling type commonly used in today’s 10Mbps Ethernet networks. Category 5 cabling A higher grade of unshielded twisted-pair cabling required for networking applications wich as 100Mbps Fast Ethernet. CBC See cipher block chaining.
checkbox A dialog box option that is not mutually exclusive with other options. Clicking a checkbox inserts or removes an X or a checkmark. CIDR (Classless Inter-Domain Routing) A routing mechanism designed to deal with the exhaustion of Class B network addresses, and the subsequent allocation of multiple Class C addresses to sites. CIDR is described in RFC 1519. cipher block chaining A form of DES encryption that requires the entire message to decrypt rather than a portion of the message.
CHAPTER 11: Glossary cold boot The process of starting a computer by turning on the power to the system unit. collisions Conflicts that occur when two packets are sent over the network simultaneously. Both packets are rejected; Ethernet will automatically resend them at altered timing. communications software Software such as email and faxing software that allows users to send or receive data. compress To compact a file or group of files so that they occupy less disk space. See also decompress.
personal information such as ID and password, mailing address, or credit card number. coprocessor A separate processor designed to assist in specific functions, such as handling complex mathematics or graphics, and to temporarily reduce the workload of the microprocessor. corporate signing key A public key that is designated by the security officer of a corporation as the system-wide key that all corporate users trust to sign other keys.
CHAPTER 11: Glossary cryptography The art and science of creating messages that have some combination of being private, signed, and unmodified with nonrepudiation. CSLIP (Compressed Serial Line Internet Protocol) A protocol for exchanging IP packets over a serial line, which compresses the headers of many TCP/IP packets. custom filter rules Filter rules created in WatchGuard Policy Manager to allow specific content types through the Firebox.
decrypt To decode data that has been encrypted and turn it back into plain text. dedicated server A computer on a network that is assigned to function only as a resource server and cannot be used as a client. default A predefined setting that is built into a program and is used when an alternative setting is not specified. default packet handling The practice of automatically and temporarily blocking hosts that originate probes and attacks against a network.
CHAPTER 11: Glossary dial-up connection A connection between a remote computer and a server using software, a modem, and a telephone. dictionary attack An attack that attempts to reveal a password by trying logical combinations of words. Diffie-Hellman A mathematical technique for securely negotatiating secret keys over a public medium. digital signature An electronic identification of a person or thing created by using a public key algorithm.
driver A software program that manipulates the computer hardware in order to transmit data to other equipment. drop-in configuration A configuration in which the Firebox is physically located between the router and the LAN without any of the computers on the Trusted interface being reconfigured. This protects a single network that is not subdivided into smaller networks. drop-in network A configuration that allows for distribution of logical address space across the Firebox interface.
entropy: A mathematical measurement of the amount of uncertainty or randomness.
ESMTP (Extended Simple Mail Transfer Protocol): A protocol that provides extensions to SMTP for sending email that supports graphics, audio, and video files, and text in various foreign languages.
ESP (Encapsulating Security Payload): A protocol within IPSec; it is used with IPSec Branch Office VPN and MUVPN.
failover: A configuration that allows a secondary machine to take over in the event of a failure in the first machine, allowing normal use to return or continue.
failover logging: A process in which contact is automatically established with a secondary log host in the event that the Firebox cannot communicate with the primary log host.
fail-shut mode: A condition in which a firewall blocks all incoming and outgoing traffic in the event of a firewall failure.
filters: Small, fast programs in a firewall that examine the headers of incoming packets and route or reject the packets based on the rules for the filter.
fingerprint: A unique identifier for a key that is obtained by hashing specific portions of the key data.
FIPS (Federal Information Processing Standard): A U.S. government standard published by the National Institute of Standards and Technology.
graphical user interface (GUI): The visual representation on a computer screen that allows users to view, enter, or change information.
hack: To use a computer or network to perform illegal acts or gain unauthorized access.
hacker: An individual who uses a computer or network to perform illegal acts or gain unauthorized access. The term can also refer to an individual who is simply a computer enthusiast or expert; however, WatchGuard publications use the former definition.
any given moment, one Firebox is in active mode while the other is in standby mode, ready to take over if the first box fails.
Historical Reports: A WatchGuard Firebox System application that creates HTML reports displaying session types, most active hosts, most used services, and other information useful in monitoring and troubleshooting a network.
HTTPS (Secure HTTP): A variation of HTTP enabling the secure transmission of data and HTML files. Generally used in conjunction with Secure Sockets Layer (SSL).
hub: A device that receives and sends signals along the network between the nodes connected to it.
hyperlink: An object on a Web page, such as a graphic or underlined text, that represents a link to another location in the same file or a different file. When clicked, the page or graphic appears.
assumes that user is the owner of the key pair and implicitly trusts himself or herself.
initialization vector: A block of arbitrary data that serves as the starting point for a block cipher using a chaining feedback mode. See also cipher block chaining.
initialize: To prepare a disk for information storage.
installation wizard: A wizard specifically designed to guide a user through the process of installing software. See wizard.
of the Internet architecture and the smooth operation of the Internet.
intranet: A self-contained network that uses the same communications protocols and file formats as the Internet.
Intrusion Detection System: A class of networking products devoted to detecting, monitoring, and blocking attacks from hackers.
IP (Internet Protocol): A protocol used by the Internet that enables computers to communicate over various physical media.
IP address (host): The 32-bit address that identifies a host.
IPSec provides several encryption and authentication options to maximize the security of the transmission over a public medium such as the Internet.
IP spoofing: The act of inserting a false sender IP address into an Internet transmission to gain unauthorized access to a computer system.
ISA (Industry Standard Architecture): A unique network interface card on the motherboard of a computer.
Kerberos: A trusted third-party authentication protocol developed at the Massachusetts Institute of Technology.
key: A means of gaining or preventing access, possession, or control, represented by any one of a large number of values.
key exchange: A scheme for two or more nodes to transfer a secret session key across an unsecured channel.
key fingerprint: A uniquely identifying string of numbers and characters used to authenticate public keys.
key ID: A code that uniquely identifies a key pair.
LAN (local area network): A computer network that spans a relatively small area, generally confined to a single building or group of buildings.
LDAP (Lightweight Directory Access Protocol): A protocol that supports access and search operations on directories containing information such as names, phone numbers, and addresses across otherwise incompatible systems over the Internet.
name resolution: The allocation of an IP address to a host name. See Domain Name System.
NetBIOS (Network Basic Input/Output System): An extension of the DOS BIOS that enables a computer to connect to and communicate with a LAN (Local Area Network).
NetBEUI (NetBIOS Extended User Interface): A non-routable networking protocol used by smaller, nonsubnetted networks for internal communications. Because NetBEUI is not routable, network transmissions sent via NetBEUI cannot be transmitted over the Internet.
MD5 (Message Digest 5): An improved, more complex version of MD4, but still a 128-bit, one-way hash function.
message digest: A number that is derived from a message. A change to a single character in the message will cause it to have a different message digest.
MIME (Multipurpose Internet Mail Extensions): Extensions to the SMTP format that allow binary data, such as that found in graphic files or documents, to be published and read on the Internet.
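The message digest property stated above (one changed character gives a different digest) can be seen directly. The following is an added example written for this glossary, not code from the WatchGuard guide; it uses Python's standard hashlib with MD5 as the glossary's example of a 128-bit one-way hash, and measures how many digest bits changed by taking the exclusive-or of the two digests (the XOR entry later in this glossary describes that operation as a way to represent differences). The two sample messages are constructed for the illustration.

```python
"""Message digest demonstration (added example, not from the WatchGuard guide).

Shows that changing a single character of a message yields a different
digest, and quantifies the difference with an exclusive-or of the two
digests.  The sample messages are constructed for this example.
"""
import hashlib


def digest_hex(message: bytes, algorithm: str = "md5") -> str:
    """Return the hex digest of `message` under `algorithm`.

    MD5 is the default only because it is the glossary's example of a
    128-bit one-way hash; the same code works for sha256 and friends.
    """
    return hashlib.new(algorithm, message).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count the bit positions in which two equal-length hex digests differ.

    XOR sets a 1 bit exactly where the inputs disagree, so the population
    count of the XOR is the Hamming distance between the digests.
    """
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must have the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def compare_messages(original: bytes, modified: bytes, algorithm: str = "md5") -> dict:
    """Digest both messages and report how many of the digest bits changed."""
    d1 = digest_hex(original, algorithm)
    d2 = digest_hex(modified, algorithm)
    return {
        "original": d1,
        "modified": d2,
        "changed_bits": differing_bits(d1, d2),
        "total_bits": len(d1) * 4,   # four bits per hex character
    }


if __name__ == "__main__":
    # Constructed sample: the two messages differ in exactly one character.
    a = b"transfer 1000 to account 1"
    b = b"transfer 1000 to account 2"
    r = compare_messages(a, b)
    print(r["original"])
    print(r["modified"])
    print(f"{r['changed_bits']} of {r['total_bits']} digest bits changed")
```

For a well-designed hash roughly half of the digest bits change for any single-character edit, which is why a digest can stand in for the whole message when checking integrity.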
network address translation (NAT): A method of hiding or masquerading network addresses from hosts on another network, protecting the confidentiality and architecture of the network.
netmask: An inverse mask of the significant bits of a network address. On a local net, it defines the range of addresses one can expect to be found directly connected to the network. Because a Class C address block leaves 8 bits of host address space, its netmask is 255.255.255.0.
non-seed router: A router that waits to receive routing information (the routing maintenance table) from other routers on the network before it begins routing packets.
NTP (Network Time Protocol): An Internet service used to synchronize clocks between Internet hosts. Properly configured, NTP can usually keep the clocks of participating hosts within a few milliseconds of each other.
out-of-band (OOB): A management feature that enables the Management Station to communicate with the Firebox using a telephone line and a modem. OOB is very useful for remotely configuring a Firebox when Ethernet access is unavailable.
packet: A unit of information containing specific protocols and codes that allow precise transmittal from one node in a network to another.
PCMCIA (Personal Computer Memory Card International Association) card: A standard compact physical interface used in personal computers. The most common application of PCMCIA cards is for modems and storage.
perfect forward secrecy (PFS): A cryptosystem in which the cipher text yields no possible information about the plain text, except possibly the length.
PEM: See Privacy Enhanced Mail.
peer-to-peer: A network computing system in which all computers are treated as equals on the network.
ping (packet Internet groper): A utility for determining whether a specific IP address is accessible. It works by sending a packet to the specified address and waiting for a reply.
PKCS: See Public Key Crypto Standards.
PKI: See Public Key Infrastructure.
plain text: Characters in a human-readable form prior to or after encryption. Also called clear text.
PLIP (Parallel Line Internet Protocol): A protocol for exchanging IP packets over a parallel cable.
behind the firewall based on the original destination port number. Also called static NAT.
port space probe: An intrusion measure in which a hacker sequentially attacks port numbers. These probes are usually attempts to map port space to look for security holes which the sender might exploit.
port, TCP or UDP: A TCP or UDP service endpoint. Together with the hosts' IP addresses, ports uniquely identify the two peers of a TCP connection.
Privacy Enhanced Mail (PEM): A protocol to provide secure Internet mail (RFC 1421-1424), including services for encryption, authentication, message integrity, and key management. PEM uses ANSI X.509 certificates.
private key: The privately held "secret" component of an integrated asymmetric key pair, often referred to as the decryption key.
protocol: A set of formal rules describing how to transmit data, especially across a network.
proxy server: A server that stands in place of another server. In firewalling, a proxy server poses as a specific service but has more rigid access and routing rules.
protocol: An agreed-upon format for transmitting data between two devices.
typically derived from analog sources, and usually involve the use of special hardware.
RC4 (Rivest Cipher 4): A variable key size stream cipher, once a proprietary algorithm of RSA Data Security, Inc.
RC5 (Rivest Cipher 5): A block cipher with a variety of arguments: block size, key size, and number of rounds.
related hosts: A method to place hosts on the Optional or External interface when using a simple or drop-in network configuration.
routed configuration or network: A configuration with separate network addresses assigned to at least two of the three Firebox interfaces. This type of configuration is intended for situations in which the Firebox is put in place with separate logical networks on its interfaces.
router: A device, connected to at least two networks, that receives and sends packets between those networks. Routers use headers and a forwarding table to forward packets to their destination.
secret key: Either the private key in public key (asymmetric) algorithms or the session key in symmetric algorithms.
secret sharing: See key splitting.
secure channel: A means of conveying information from one entity to another such that an intruder does not have the ability to reorder, delete, insert, or read.
Secure Sockets Layer (SSL): A protocol for transmitting private documents over the Internet. SSL works by using a private key to encrypt data transferred over an SSL connection.
server: A computer that provides shared resources to network users.
server-based network: A network in which all client computers use a dedicated central server computer for network functions such as storage, security, and other resources.
Server Message Block (SMB): A message format used by DOS and Windows to share files, directories, and devices. NetBIOS is based on the SMB format, and many network products use SMB.
SHTTP: See HTTPS.
sign: To apply a signature.
signature: A digital code created with a private key.
single sign-on: A sign-on in which one logon provides access to all resources on the network.
slash notation: A format for writing IP addresses in which the number of network bits in the IP number is specified at the end of the IP address. For example: 192.168.44.0/24.
SLIP (Serial Line Internet Protocol): A protocol for exchanging IP packets over a serial line.
SOHO: Small Office/Home Office. Also the name of the WatchGuard firewall devices designed for this segment of the market.
spam: Unsolicited email sent to many recipients, much like an electronic version of junk mail.
spoofing: Altering packets to falsely identify the originating computer to confuse or attack another computer. The originating computer is usually misidentified as a trusted computer within an organization.
SSL: See Secure Sockets Layer.
create two additional netmasks under it that separate the first 128 and last 128 addresses into separate identifiable networks. Subnetting enables a client with a single network to create multiple networks; the advanced or multiple network configurations can then be used when setting up the Firebox.
subnet mask: A 32-bit number used to identify which portion of an IP address is masked.
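The netmask, slash notation and subnet mask entries above describe one piece of arithmetic from three angles. The block below is an added example written for this glossary (it is not WatchGuard code) and uses Python's standard ipaddress module to show the /24 block with its 255.255.255.0 mask, the split of that block into the first and last 128 addresses as two /25 networks, and the "directly connected" test the netmask entry refers to. The 192.168.44.0/24 block is the glossary's own slash-notation example; the individual host addresses are chosen for this illustration.

```python
"""Subnet arithmetic (added example, not part of the WatchGuard guide).

Illustrates the glossary's "slash notation", "netmask" and "subnet mask"
entries with the standard-library ipaddress module.  The network
192.168.44.0/24 is the glossary's own example; host addresses are chosen
for this illustration.
"""
import ipaddress


def describe(cidr: str) -> dict:
    """Return the netmask, inverse (host) mask and address count for a
    network written in slash notation, e.g. '192.168.44.0/24'.

    strict=False accepts interface-style input such as 192.168.44.17/24
    and reports the enclosing network.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "netmask": str(net.netmask),     # 1 bits cover the network part
        "hostmask": str(net.hostmask),   # 1 bits cover the host part
        "addresses": net.num_addresses,
    }


def split(cidr: str, new_prefix: int) -> list:
    """Subnet `cidr` into equal pieces that each have `new_prefix` network
    bits.  A /24 split to /25 yields the first and last 128 addresses as
    two separately identifiable networks, as the glossary describes."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def prefix_from_netmask(dotted_mask: str) -> int:
    """Convert a dotted subnet mask such as 255.255.255.128 to its slash
    notation prefix length (25).  ipaddress rejects non-contiguous masks
    with a ValueError, which is the right outcome for a malformed mask."""
    return ipaddress.ip_network(f"0.0.0.0/{dotted_mask}").prefixlen


def directly_connected(local_cidr: str, address: str) -> bool:
    """True when `address` falls inside the local network, i.e. a host on
    `local_cidr` would deliver to it on the wire rather than via its
    gateway.  This is the decision the netmask encodes."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(local_cidr, strict=False)


if __name__ == "__main__":
    print(describe("192.168.44.0/24"))
    print(split("192.168.44.0/24", 25))
    print(prefix_from_netmask("255.255.255.128"))
    print(directly_connected("192.168.44.17/24", "192.168.44.200"))
    print(directly_connected("192.168.44.17/24", "192.168.45.1"))
```

The same functions apply to any prefix length, not just the Class C case the netmask entry mentions; splitting a /24 into four /26 networks, for instance, is `split("192.168.44.0/24", 26)`.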
because most authentication occurs only at the start of the TCP session.
Telnet: A terminal emulation program for TCP/IP networks. It runs on a computer and connects a workstation to a server on a network.
terminator: A resistor at the end of an Ethernet cable that absorbs energy to prevent reflected energy back along the cable (signal bounce). It is usually attached to an electrical ground at one end.
Transport Layer Security Protocol (TLSP): ISO 10736, draft international standard.
transposition cipher: A cipher in which the plain text remains the same but the order of the characters is transposed.
triple-DES: An advanced form of encryption using three keys rather than one or two. It is roughly as secure as single DES would be if it had a 112-bit key.
trust: Confidence in the honesty, integrity, or reliability of a person, company, or other entity.
URL (Universal Resource Locator): The user-friendly address that identifies the location of a Web site, such as http://www.watchguard.com.
validation: A means to provide timeliness of authorization to use or manipulate information or resources.
verification: The act of comparing a signature created with a private key to its public key. Verification proves that the information was actually sent by the signer and that the message has not been subsequently altered by anyone else.
Web browser: Software that interprets and displays documents formatted for the Internet or an intranet.
Web of Trust: A distributed trust model used by PGP to validate the ownership of a public key.
Web page: A single HTML-formatted file.
Web site: A collection of Web pages located in the directory tree under a single home page.
WebBlocker: An optional WatchGuard software module that blocks users behind the Firebox from accessing undesirable Web sites based on content type, time of day, and/or specific URL.
XOR: Exclusive-or operation; a mathematical way to represent differences.
X.509v3: An ITU-T digital certificate that is an internationally recognized electronic document used to prove identity and public key ownership over a communication network. It contains the issuer's name, the user's identifying information, and the issuer's digital signature, as well as other possible extensions in version 3.
CHAPTER 12 Field Definitions
Control Center
Connect to Firebox dialog box
Firebox: Use the drop list or enter the IP address of the Firebox's Trusted interface.
Passphrase: Enter the Firebox passphrase. When opening the Firebox in Control Center, use the status (read-only) passphrase. When opening the Firebox using VPN Manager or for configuration changes using Policy Manager, enter the configuration (read/write) passphrase. There can be only one read/write session open to a Firebox at any time.
CHAPTER 12: Field Definitions
OK: Closes this dialog box and saves any changes.
Enter Read/Write Passphrase dialog box
Passphrase: Enter the configuration (read/write) passphrase for the Firebox. There can be only one read/write session open to a Firebox at any time.
OK: Closes this dialog box and saves any changes.
Polling dialog box
Polling Rate: Enter the interval, in seconds, used to update the status and light information. Frequent updates place more demand on the Firebox, although they make the display more accurate.
Text Color: Use to change the log's text color.
Background Color: Use to change the log's background color.
Reset to Defaults: Click to reset the format of the logs to the default.
Sample: Displays a sample log with format changes.
Flash Disk Management Tool
Enter Encryption Key dialog box
Encryption Key: Enter an encryption key to be used to encrypt your backup image. An encryption key is the publicly available component of a key pair.
Confirm: Reenter the encryption key to verify.
Continue: Click to continue with the selected Flash Disk Management option.
Log Utility
Copy or Merge Logs dialog box
Copy each file individually: Select to copy an existing log file from one location or file name to another. You can use this command with the currently active log file or with another log file you specify below.
Merge all files to one file: Select to merge multiple log files into a single log file. Enter the name of the new log file.
LogViewer
Find Keyphrase dialog box
Keyphrase: Enter the keyphrase you want to find in the current log file.
Use Whole Words: Select to use all the words in the keyphrase.
Case Insensitive: Select to make the keyphrase case insensitive.
In the main window: Select to show search results in the main window.
In a separate filter window: Select to show results in a separate filter window. This is an interim window that pops up in which you can perform search functions.
Preferences dialog box
General tab
Load this file always: Specify the file to load when LogViewer is launched. You can type the file name or use the Browse button to specify the file.
Browse: Click this button to find the file to load when LogViewer is launched.
Load last file opened: Select to load the last file opened when LogViewer is launched.
Don't load any files: Select to not load any files when LogViewer is launched.
GMT Time: Click to have the time zone set to Greenwich Mean Time.
- Click the Field column. Use the Field drop list to select a field name.
- Click the Value column. Use the Value drop list to select a value, or type in a specific value.
Search: Click to search the fields.
Close: Closes this dialog box without saving any changes.
More or Less: This control toggles a control to define where the search output appears. More: click to access the results control. Less: click to hide the results control.
Match all: Select to match all values in the search.
Policy Manager
1-to-1 Mapping dialog box
Interface: Select the interface from the drop list. The choices are external, trusted, optional, IPSec.
Number of hosts to NAT: Select the number of hosts that should be translated by NAT.
Arrows: Use the arrows to select your preferred value.
NAT base: Enter the base for the exposed NAT range.
Real base: Enter the base for the real IP address range.
OK: Closes this dialog box and saves any changes.
Selected Members and Addresses: Lists the names and addresses of selected members.
OK: Closes this dialog box and saves any changes.
Add Dynamic NAT dialog box
From: Select from the drop list, or select the ... button to enter the IP address or host alias of the origin of outgoing packets. For example, use the trusted host alias to enable NAT from the Trusted network.
...: Click to enter the IP address. The Add Address dialog box opens.
Add External IP dialog box
Add External IP: A list of IP addresses available for the Firebox External interface.
Add: Enter the IP address available for the External interface in the text box and click Add.
Delete: Removes the selected IP address from the list of External IP addresses.
OK: Closes this dialog box and saves any changes.
Add Firebox Group dialog box
Add Firebox Group: Enter the group name to add to the Firebox users list.
Add Member dialog box
Choose Type: Use the drop list to select the new type: Host IP Address designates a single host by IP address; Network IP Address designates an entire network by IP address using slash notation; Host Range designates a range of IP addresses within a single network.
Value: Enter the value identifying the selected type. For example, use a single IP address with a type of Host IP Address.
OK: Closes this dialog box and saves any changes.
Add Route dialog box
Route: Select to add a new route to the network protected by the Firebox. Select Net when an entire network is behind a router; select Host when only one host is behind a router.
IP Address: Enter the IP address of the host behind the router.
Network Address: Enter the network address behind the router using slash notation.
Gateway: Enter the gateway IP address. You must specify an address that is on the same network as the Firebox.
Internal IP Address: Enter the final destination of incoming packets on the Trusted network.
Set internal port to different port than service: This feature is rarely used. It enables you to redirect packets not only to a specific internal host but also to an alternative port.
Internal Port: If you enable the above checkbox, enter the final port destination of incoming packets to the Trusted network.
OK: Closes this dialog box and saves any changes.
Remove: Click to remove a host.
Disable NAT between optional and trusted: Enable this checkbox to disable NAT between the Optional and Trusted interfaces.
Advanced Export File Preferences dialog box
Make the security policy readonly in the Secure VPN Client: Enable this checkbox to allow the Mobile User read-only access to their security policy.
Virtual Adapter Settings of the Secure VPN Client: Select the Virtual Adapter rule you want applied to the mobile user.
Src Port: Enter a port number to restrict the routing policy to a single source port.
OK: Closes this dialog box and saves any changes.
Advanced NAT Settings dialog box
Service-Based tab
Enable Service-Based NAT: Enable this checkbox to allow service-based NAT, which is dynamic NAT on a per-service basis. Once enabled, use the Outgoing tab of each service icon to refine your NAT configuration.
1-to-1 NAT Setup tab
Enable 1-to-1 NAT: Check to enable 1-to-1 NAT.
Add: Select to add an address to the exception entries list. The Add Exception dialog box appears.
Remove: Select to remove the address chosen from the exception entries list above.
Aliases dialog box
Aliases: A list of host and network aliases.
Add: Click to add aliases. The Host Alias dialog box opens.
Edit: Select an alias from the list and click to edit it. The Host Alias dialog box opens.
Remove: Click to remove the selected alias from the list.
Groups: A list of Firebox user groups. Groups enable you to configure services for multiple users at the same time. Two Firebox user groups used for remote user virtual private networking are automatically added to the basic configuration file: ipsec_users and ruvpn_users.
Add: Click to open the Add Firebox Group dialog box.
Remove: Click to remove the selected item from the list above.
NT Server tab
Host Name: Enter the host name for the Windows NT Server.
Find IP: Click to find the host IP address.
IP Address: Enter the Windows NT server IP address.
Use Local Groups: Enable this checkbox to use local groups.
NT Server list: Lists all the NT Servers on the network.
Test: Click to test the connection.
RADIUS Server tab
IP Address (primary): Enter the IP address of the primary RADIUS server. The server must be accessible by the Firebox.
CRYPTOCard Server tab
IP Address: Enter the IP address of the CRYPTOCard server. The server must be accessible by the Firebox.
Port: Enter the port number configured on the CRYPTOCard server to receive authentication requests.
Administrator Password: Enter the administrator password for the CRYPTOCard server. This password must be represented identically on both the CRYPTOCard server and the Firebox.
Timeout: Enter the length of inactivity time before an authenticated session times out.
Port (Backup): Enter the port number configured on the backup SecurID server to receive authentication requests.
Basic DVCP Server Configuration dialog box
Basic DVCP Server Configuration: A list of clients configured to use Dynamic VPN Configuration Protocol (DVCP) to connect to the Firebox.
Add: Click to add a new client to the list. The DVCP Client Wizard launches.
Edit: Click to edit the selected client from the list. The DVCP Client Wizard launches.
Auto-block sites that attempt to use blocked ports: Enable the checkbox to ensure that attempts from a single location to penetrate your network are prevented without your direct intervention. You can click the Logging button to configure logging and notification of attempts on blocked ports.
OK: Closes this dialog box and saves any changes.
Cancel: Closes this dialog box without saving any changes.
Logging: Click to access the Logging and Notification dialog box.
notify a network administrator when someone attempts to access blocked sites.
Import: You can create a list of blocked sites in an external file. Click to load the external file into your blocked sites list.
Blocked Sites Exceptions dialog box
Blocked Sites Exceptions list: A list of current blocked site exceptions.
Add: Opens the Add Site dialog box to select the exception type and enter the host or network IP address.
Configure Gateways dialog box
Configure Gateways: A list of all currently configured gateways. A gateway specifies a point of connection for one or more tunnels.
Tunnels: Click to access the Configure Tunnels dialog box.
Add: Click to access the Remote Gateways dialog box, where you can configure new gateways.
Edit: Select a gateway from the list. Click Edit to access the Remote Gateways dialog box and modify gateway settings.
Remove: Click to remove a tunnel.
Configure Tunnels dialog box
Configure Tunnels: A list of the gateway, name, and type of configured tunnels.
Add: Click to configure a new IPSec tunnel.
Edit: Click to access the Configure Tunnel dialog box, where you can edit the selected tunnel.
Remove: Click to delete the selected tunnel.
OK
Configure Tunnel dialog box
Identity tab
Name: Enter the name of a tunnel. This name is used to identify the tunnel in monitoring and administration tools.
Encryption: Select the degree of encryption from the drop list.
Force key expiration: Select the checkbox to force key expiration.
Connect to Firebox dialog box
Firebox: Type, or use the drop list to select, the IP address or the name of the Firebox to which you want to establish a connection.
Passphrase: Enter the status (read-only) passphrase of the Firebox. The passphrase will not appear in clear text.
port space probes, IP options, address space probes, and SYN flood attacks.
Block Spoofing Attacks: "Spoofing" occurs when someone alters packets to falsely identify the originating computer to confuse or attack another computer. The originating computer is usually misidentified as a trusted computer within an organization. Sometimes improperly configured computers elsewhere on the Internet send packets that falsely identify themselves and thus appear to be spoofed.
Arrows: Use the arrows to select your preferred value.
Auto-Block source of packets not handled: Enable this checkbox to auto-block the source of packets blocked due to another packet handling option. When enabled, the Firebox automatically and temporarily rejects all communication attempts from a site that has been sending IP options or probes. Adjust the auto-block duration using the Blocked Sites dialog box. Auto-blocking is a separate function from blocking sites manually.
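The two auto-block options described above (auto-blocking sites that attempt blocked ports, and auto-blocking the source of packets rejected by another packet handling option) share one mechanism: the offending source goes onto a temporary blocked-sites list for a configurable duration, with an exceptions list of sources that are never auto-blocked. The following is an added illustration of that behaviour written for this reference, not WatchGuard's implementation: the blocked port numbers, the 1200-second duration and the packet records fed to it are all constructed for the example, and whether a blocked-port hit from an excepted source is logged differently is not something this model decides.

```python
"""Model of temporary auto-blocking (added example; illustrative logic, not
WatchGuard code).

A source that sends to a blocked port is placed on the blocked-sites list
for `duration` seconds; while it is listed, every packet from it is
dropped, whatever its port.  Sources on the exceptions list still have the
offending packet dropped but are never added to the list.  All ports,
durations and packet records below are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class AutoBlocker:
    blocked_ports: set                          # destination ports the policy rejects
    duration: int = 1200                        # auto-block duration in seconds (assumed value)
    exceptions: set = field(default_factory=set)      # sources never auto-blocked
    blocked_until: dict = field(default_factory=dict)  # source -> expiry time (seconds)

    def expire(self, now: int) -> None:
        """Drop entries whose auto-block window has elapsed."""
        for src, until in list(self.blocked_until.items()):
            if until <= now:
                del self.blocked_until[src]

    def is_blocked(self, src: str, now: int) -> bool:
        self.expire(now)
        return src in self.blocked_until

    def handle(self, src: str, dst_port: int, now: int) -> str:
        """Classify one packet and update the blocked-sites list.

        Returns one of:
          'dropped-blocked-site'   source is currently auto-blocked
          'blocked-port-autoblock' packet hit a blocked port; source now blocked
          'blocked-port'           packet hit a blocked port; source is an exception
          'pass'                   nothing in this model objects to the packet
        """
        self.expire(now)
        if src in self.blocked_until:
            return "dropped-blocked-site"
        if dst_port in self.blocked_ports:
            if src in self.exceptions:
                return "blocked-port"
            self.blocked_until[src] = now + self.duration
            return "blocked-port-autoblock"
        return "pass"


def replay(events, blocked_ports, duration=1200, exceptions=()):
    """Run a sequence of (time, source, dst_port) records through one
    AutoBlocker and return each record with its disposition appended."""
    ab = AutoBlocker(set(blocked_ports), duration, set(exceptions))
    return [(t, src, port, ab.handle(src, port, t)) for t, src, port in events]


# Constructed packet records: (seconds since start, source address, destination port).
SAMPLE_EVENTS = [
    (0, "203.0.113.5", 80),      # ordinary request
    (1, "203.0.113.5", 135),     # hits a blocked port -> source auto-blocked
    (2, "203.0.113.5", 80),      # same port as before, now dropped: site is blocked
    (5, "198.51.100.9", 139),    # blocked port from an excepted source: not listed
    (6, "198.51.100.9", 80),     # excepted source still passes
    (1201, "203.0.113.5", 80),   # block window (1 + 1200 s) has expired -> passes
]
SAMPLE_BLOCKED_PORTS = {135, 139, 445}   # constructed policy, not a Firebox default list

if __name__ == "__main__":
    for row in replay(SAMPLE_EVENTS, SAMPLE_BLOCKED_PORTS, exceptions={"198.51.100.9"}):
        print(row)
```

Two points the model makes visible: a single blocked-port hit is enough to cut off all further traffic from that source, which is why the exceptions list matters for legitimate hosts that are occasionally misconfigured, and the block is only as temporary as the configured duration.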
Default Lease Time: Enter the number of hours before the DHCP relay times out.
Arrows: Use the arrows to select your preferred value.
Max Lease Time: Enter the maximum number of hours in any lease time.
Arrows: Use the arrows to select your preferred value.
DHCP Server list: A list of address ranges distributed by the DHCP server, including the subnet network address and the starting and ending IP addresses.
DVCP Client Setup dialog box
Enable this Firebox as a DVCP Client: The Firebox can be treated as a client in an Enhanced DVCP network even if the Management Station and the Firebox itself are not upgraded with Enhanced DVCP (VPN Manager 2.0 or later). Enable this checkbox to enable this Firebox to be a DVCP client, and then add the servers to which it can be connected.
Firebox Name: Enter the Firebox name as it should appear in all monitoring and configuration tools.
DVCP Client Wizard
Name and Key screen
Enter Client Name: Enter the name to be assigned to the network client. This name is used to identify the client in administration and monitoring tools such as Control Center and VPN Manager.
Enter Shared Key: Enter a shared key for this client's DVCP account.
Access and Connections screen
Allow Client Access To: Using slash notation, enter the address of the primary network to which the client has access behind the Firebox.
Encryption: Select the level of encryption from the drop list: None (no encryption), DES-CBC (56-bit encryption), or 3DES-CBC (168-bit encryption).
Key expires: Select the key expiration based on kilobytes and/or hours.
Arrows: Use the arrows to select your preferred value.
Additional Access screen
Configured policies: Lists the networks to which you want to provide access.
Add: Click to add a network.
Remove: Click to remove a network.
DVCP Server Properties dialog box
Enable this Firebox as a DVCP Server: The Firebox can dynamically assign VPN policies to requesting devices using DVCP (Dynamic VPN Configuration Protocol).
Enable debug log messages for the DVCP Server: When the Firebox is acting as a DVCP server, it can produce log messages reporting its status. This feature is particularly useful when troubleshooting VPN tunnels and the DVCP server itself.
Dynamic NAT dialog box
Enable Dynamic NAT: Select to enable dynamic NAT.
TCP Idle Timeouts: Enter the time in seconds for TCP idle timeouts. For more information on TCP, see Chapter 1 of the Reference Guide.
Arrows: Use the arrows to select your preferred value.
TCP Finish Timeout: Enter the TCP finish timeout in seconds. For more information on TCP, see Chapter 1 of the Reference Guide.
Arrows: Use the arrows to select your preferred value.
Advanced: Click to access the Advanced Dynamic NAT dialog box.
Edit Routing Policy dialog box
Local: Select whether the local end of the policy represents a single host or an entire network. Then enter the host or network IP address.
Remote: Select whether the remote end of the policy represents a single host or an entire network. Then enter the host or network IP address.
Disposition: Select the disposition from the drop list.
Dst Port: Enter a port number to restrict the policy to a single destination port. To enable communication to all ports, enter 0.
Protocol: Select a protocol type to restrict the routing policy to a particular protocol. Options include TCP and UDP.
Src Port: Enter a port number to restrict the policy to a single source port. To enable communication to all ports, enter 0.
Cancel: Closes this dialog box without saving any changes.
Filter Authentication dialog box
Authentication Enabled Via: Select an authentication methodology and configure global settings. The Firebox supports five types of authentication: Firebox, Windows NT Server, RADIUS Server, CRYPTOCard Server, and SecurID Server. The Firebox uses only one type of authentication at a time.
Firebox: Enable this checkbox to allow authentication via a Firebox.
Firebox Flash Disk dialog box
Save to Firebox: Check to save the flash image and/or configuration file to the Firebox; specify which by selecting one of the options below.
Save Configuration File ONLY: Check to save the configuration file to the Firebox.
Save Configuration File and New Flash Image: Check to save the configuration file and flash image to the Firebox.
Make backup of current flash image before saving: Check to make a backup copy of the current flash image before saving to the Firebox.
Firebox Name dialog box Name Enter a unique Firebox name. This name is used to identify the Firebox in monitoring, reporting, logging, and status tools. OK Closes this dialog box and saves any changes. FTP Proxy dialog box Make incoming FTP connection read only Enable this checkbox to make the FTP service read only for incoming FTP requests. Make outgoing FTP connections read only Enable this checkbox to prevent internal personnel from transferring files to an FTP server.
Log outgoing accounting/auditing information Enable this checkbox to record the number of bytes transferred per outgoing FTP session. You can then retrieve "byte count" information by running Historical Reports and specifying the statistical parameters you want. OK Closes this dialog box and saves any changes. Generate Key dialog box Generate Key Enter a phrase and press OK to generate a key. OK Closes this dialog box and saves any changes.
Default Heartbeat (Optional interface) Enable this checkbox if you want to use the Optional interface as the default heartbeat for the Standby Firebox. A heartbeat is a signal emitted at regular intervals by software to show it is still functioning. Host Alias dialog box Host Alias Name The name used to identify a host alias. Select a name that is easily remembered. Alias Members A list of individuals, hosts, networks, or groups that are members of this host alias.
information stored on client machines and retransmitted the next time a client visits the server from which the cookie originated. Deny submissions Enable this checkbox to deny the GET (if there is a question mark in the URL), POST, and PUT commands, disabling form submission. Deny Java applets Enable this checkbox to prohibit content that has embedded Java commands. Note that enabling this feature can result in some .zip files being denied by the proxy.
Firebox and performs caching of Web data. It is not supplied by WatchGuard. IP Enter the IP address of the HTTP caching proxy. Port Enter the port number of the HTTP caching proxy. Safe Content tab Allow only safe content types Enable this checkbox to permit only the content types listed in the box below. This arrangement allows you to easily block everything and allow in only those MIME types you deem acceptable security risks.
WebBlocker Controls tab Activate WebBlocker Enable this checkbox to filter Web sites based on the rule set defined by the WB tabs. Auto-download the WebBlocker database Enable this checkbox to have the log host automatically check the WatchGuard Web site database once a day. If the database is different from the one being used at a site, the log host obtains a new database and loads it into the Firebox. When disabled, the log host does not perform database checking.
Illegal Gambling Pictures or text advocating materials or activities of a dubious nature that may be illegal in any or all jurisdictions, such as illegal business schemes, chain letters, copyright infringement, computer hacking, phreaking (using someone's phone lines without permission), and software piracy. Also includes text advocating gambling relating to lotteries, casinos, betting, numbers games, online sports, or financial betting, including non-monetary dares.
includes depictions of maiming, bloody figures, and indecent depiction of bodily functions. Violence/Profanity Pictures or text exposing extreme cruelty or profanity. Cruelty is defined as physical or emotional acts against any animal or person that are primarily intended to hurt or inflict pain. Topic includes obscene words, phrases, and profanity in either audio, text, or pictures. Search Engines Search engine sites such as AltaVista, InfoSeek, Yahoo!, and Google.
museums such as the Guggenheim, the Louvre, or the Museum of Modern Art. Partial/Artistic Nudity Pictures exposing the female breast or full exposure of either male or female buttocks except when exposing genitalia, which is handled under the Full Nudity category. Topic does not include swimsuits, including thongs. WB: Exceptions tab Allowed Exceptions Use exceptions to override any WebBlocker setting. Exceptions take precedence over all other rules.
Define Exceptions dialog box Select type of exception You can choose from the following three exceptions. Lookup Domain Name: If you know the URL of the Web site exception, enter the URL in the text box and click Lookup to add it to the Results list. Host Address: If you know the host IP address of the Web site exception, enter the IP address and enable the checkbox to block a specific port or specific directory pattern.
Key Click to create an encryption key. Use AH Select to use an Authentication Header. SPI Select the SPI from the drop list. Arrows Use the arrows to select your preferred value. Authentication Select the authentication from the drop list. Authentication Key Enter an authentication key. Key Click to create an encryption key. Use Incoming settings for Outgoing Enable the checkbox to use incoming settings for outgoing.
Arrows Use the arrows to select your preferred value. Line Length The maximum line length of a single email. Arrows Use the arrows to select your preferred value. Allow Characters Enter the allowable characters for address validation. Allow 8-bit Characters If enabled, the firewall allows messages that have 8-bit characters in usernames of sender and recipient addresses.
Remove Click to remove the selected AUTH type. Content Types tab Allow only safe content types and block file patterns Check to enable the safe content types and block file pattern rules that you specify below. Safe Content Types and Blocked File Patterns list A list of safe content types and blocked file patterns. Add Click to access the Select MIME Type dialog box from which you can select known MIME content types as well as add new MIME types.
Address Patterns The Firebox checks host names of the SMTP client and mail sender against this list of allowed and denied address patterns. This feature can reduce such things as unsolicited commercial email, forgeries, and unauthorized mail relaying. Add Enter the new address pattern and click Add. Remove Click to remove an address pattern from the Address Pattern list. Headers tab Allow these Headers A list of all allowed, incoming email header types. A default list is provided.
IPSec Configuration dialog box IPSec Routing Policies A list of current IPSec virtual private networking routing policies.
Edit Select a policy from the list above and click this button to modify it. The Edit Routing Policy dialog box opens. Remove Select an item from the list above and click this button to remove it. OK Closes this dialog box and saves any changes. Cancel Closes this dialog box without saving any changes. Gateways Click to open the Configure Gateways dialog box from which you can create a new gateway. Tunnels Click to open the Configure Tunnels dialog box from which you can create a new tunnel.
passage of VPN traffic. It is generally only used by WatchGuard Technical Support to assist with debugging an IPSec VPN tunnel problem. Logging and Notification dialog box Category A list of logging and notification categories. This list changes depending on the service or option. Click the event name to display and set its properties. Enter it in the log Enable this checkbox to enter an event in the log. All denied packets are logged by default.
Arrows Use the arrows to select your preferred value. Repeat Count Enter the number of events to be counted before a new notification is launched. Arrows Use the arrows to select your preferred value. OK Closes this dialog box and saves any changes. Logging Setup dialog box WSEP Log Hosts tab WatchGuard Security Event Processors A list of log hosts for the WatchGuard Firebox system. Add Click to add a new log host to the list. The Add IP Address dialog box opens.
Syslog Server Enter the interface to set as the Syslog Server. Syslog Facility Enter or use the drop list to set the Syslog facility. Manual Security dialog box Manual Security View the manual security incoming and outgoing properties. You can change these settings by clicking the Settings button. Mobile User Client - Select New Passphrase dialog box User Name Displays the Mobile User name. Passphrase Enter a new passphrase for the Mobile User client.
Enter Shared Key Enter a shared key for this user's mobile VPN account. Define Access screen Allow user access to Enter the network resource you want to allow for this mobile user. Virtual IP Address to mobile user Enter the virtual IP address to use for IPSec connections. Encryption and Authentication screen Type Select the type of encryption from the drop list for this mobile user's connection. Authentication Select the authentication from the drop list for this mobile user's connection.
External Authentication Groups screen Group Name Enter the group name for the Externally Authenticated Group. Passphrase Enter the passphrase that will be used to encrypt the MUVPN Client Export file for this group. IPSec Tunnel Authentication screen Use Passphrase Enable this checkbox to use a passphrase to negotiate the encryption and/or authentication. Use Certificate Enable this checkbox to use a certificate to negotiate the encryption and/or authentication.
Remove Click to remove network resources for the mobile user. IPSec Connections screen IPSec Connections list Lists the virtual IP addresses used for IPSec connections. Add Click to add virtual IP addresses used for IPSec connections. Remove Click to remove virtual IP addresses used for IPSec connections. External Authentication screen Authentication Server Type or select an external authentication server used to verify the mobile user's credentials.
OK Closes this dialog box and saves any changes. NAT Setup dialog box Enable Dynamic NAT Enable this checkbox to enable Dynamic NAT. The default configuration of dynamic NAT enables it from the Trusted network to the External network. Dynamic NAT Entries A list of all Dynamic NAT entries. Up Select an entry and click to move it up in the list. Down Select an entry and click to move it down in the list. Add Click to add a new Dynamic NAT entry to the list above.
Network Configuration dialog box Interfaces tab External Interface The Firebox allows dynamic IP support on the External Interface. As a result, you have four configuration choices for the External interface of the Firebox. Routed Mode: You can choose static, DHCP, or PPPoE. If you choose static, enter the IP address and Default Gateway for the External interface. If you choose DHCP, enter nothing. The External IP address is obtained automatically.
Configure interfaces in Drop-in mode Enable this checkbox to configure the Firebox in Drop-in mode. The Interface dialog box changes to allow only one IP address and Default Gateway. This is because in a Drop-in configuration the Firebox is put in place with the same network address on all Firebox interfaces. Advanced Drop-In tab Automatic Enable this checkbox to make proxy ARP automatic for the related hosts listed below.
Enable DHCP debugging Enable this checkbox to allow DHCP debugging. DHCP debugging generates large amounts of data. Do not enable DHCP debugging unless you are having connection problems and need help from Technical Support. Advanced PPPoE tab PPPoE Initialization Timeout Enter the duration in seconds the Management Station waits for a response from the PPPoE server.
Optional (drop down menu selection) Select to view or add the secondary networks on the Optional interface. External (drop down menu selection) Select to view or add the secondary network on the External interface. Add Click to add the secondary network to the interface you specify in the drop list. Remove Click to remove the secondary network from the interface you specify in the drop list.
Firebox IP Enter the IP address for the Firebox. PPP Initialization Enter the PPP initialization string. This is a list of commands that can be found in Chapter 9 of the Reference Guide. Modem Initialization These specify a chat session that occurs between the Firebox and the modem to properly initialize the modem. In most cases the default initialization is sufficient. A list of strings appears in the Reference Guide.
DNS Servers (Primary and Secondary) Enter the primary and secondary domain name servers (DNS). The server values entered in this dialog box are used by the DHCP server, RUVPN, and other features of the firewall. Domain Name Enter the DNS domain name. The server values entered in this dialog box are used by the DHCP server, RUVPN, and other features of the firewall. New MIME Type dialog box MIME Type Enter a new MIME type.
Add Click to access the Add Port dialog box and to configure the new service. You can configure more than one port for the service. Remove Click to remove the selected item from the list above. OK Closes this dialog box and saves any changes you have made. Outgoing SMTP Proxy dialog box General tab Allow these Header Patterns A list of currently allowed header types. To add another header type, enter it in the field below the list box and click the Add button.
Remove Click to remove the selected item from the list above. Don't substitute for these address patterns Enter the addresses to appear "as is" outside the firewall. Add Click to add the new address pattern to the list. Remove Click to remove the selected item from the list above.
PPTP Logging dialog box Enable Control Channel Protocol Logging (TCP 1732) Check to enable control channel protocol logging. Enable Data Channel Protocol Logging (IP 47) Check to enable data channel protocol logging. Enable Data Channel Packet Logging (IP 47) Check to enable data channel packet logging. Remote Gateway dialog box Name This name identifies a gateway within the administration and monitoring tools but is not passed to other devices.
Encryption In the drop list, specify the type of encryption: DES or 3DES. Diffie-Hellman Group In the drop list, specify the Diffie-Hellman group. Diffie-Hellman refers to a mathematical technique for securely negotiating secret keys over a public medium. Diffie-Hellman groups are collections of parameters used to achieve this. WatchGuard supports groups 1 and 2. Enable Perfect Forward Secrecy Enable this checkbox to enable Perfect Forward Secrecy.
Add Click to add another Mobile User VPN to the list. Edit Select an item from the list and click to edit its properties. Remove Select an item in the list and click to delete it. Mobile User Licenses tab Mobile User Licenses A list of Mobile User License keys. Add Enter the license key you want to add to the list and click Add. Remove Select a key from the list and click to remove it. PPTP tab Activate Remote User Enable this checkbox to allow an active remote user.
Select Firebox Time Zone dialog box Select Firebox Time Zone Select a Firebox time zone from the list. OK Closes this dialog box and saves any changes. Cancel Closes this dialog box without saving any changes. Select Gateway dialog box Select Gateway Select a gateway from the list and click OK to open the Configure Tunnel dialog box. OK Closes this dialog box and opens the Configure Tunnel dialog box.
Edit Click to edit the selected service properties. Only custom, user-filter services can be edited. Remove Click to remove the selected service properties. Only custom, user-filter services can be removed. Details The port and protocol information that defines a service. Comments Displays any comments associated with the selected service. Help Click to access the online Help system. Add Click to add an existing service to the Services list.
From Restricts the source of incoming connections by host, network, user name, or alias. The Any global icon indicates that the service is allowed inbound from any source. Add Click to open the Add Member dialog box. Remove Click to remove the selected item from the list above. To A list of outbound connections that meet the connection criterion. Add Click to open the Add Member dialog box. Remove Click to remove the selected item from the list above.
Add Click to add a new item to the list. Remove Select an item in the list and click to remove it. Logging Click to access the Logging and Notification dialog box. Choose Dynamic NAT Setup Select from the drop list the Dynamic NAT setup. Properties tab Name Specifies the name of the service. Properties Lists the service's properties. Comments Lists any comments for the service's properties. Set Policy Ordering dialog box Set Policy Ordering List the policies in order.
Password Enter the user password. Member Of A list of all groups of which the user named above is a member. Arrows Use the arrows to move a user in or out of a group. Not Member Of A list of groups of which the user named above is not a member. Add Click to add the user to a group. Setup New User dialog box User Name Enter the new user's name to create a new account. Passphrase Enter the pass phrase for the new user's account.
Slash Notation dialog box Close Click to close the slash notation box. SpamScreen dialog box RBL Server Enter the RBL server. An RBL (Real Time Black Hole List) is a name server that has DNS records for sites considered to be spammers. Allow Select to allow spam mail handling. Tag Select to tag certain spam mail handling. Enter the tag information in the text box. Deny Select to deny the spam mail handling. Advanced Spam Mail Filtering Enable this checkbox to use advanced spam mail filtering.
WatchGuard Find dialog box Find what Enter the information you are looking for. Address Select to look for an IP, Network, User, Alias, or other address. Port Number Select to look for a port number. Protocol Select to look for TCP, UDP, HTTP or other protocol. Found these services Lists what was found based on the search criteria you entered. Find Click to find the information you specified.
Encryption tab RC4 (40-bit) Click to enable 40-bit encryption between two WatchGuard Fireboxes using the WatchGuard VPN protocol. RC4 (128-bit) Click to enable stronger, 128-bit encryption between two WatchGuard Fireboxes using the WatchGuard VPN protocol. Encryption Key Enter a pass phrase or secret. Click Make a Key to hash the pass phrase; the hash appears below. The hashed encryption key must be identical on both Fireboxes.
Activate Outgoing Log You have the option of logging outgoing traffic using the WatchGuard VPN protocol. Activating logging often generates a high volume of log entries, however, which can significantly slow the passage of VPN traffic. It is recommended only for debugging purposes. Firebox Monitors Add Displayed Service dialog box Name Enter a name for the new service to display in ServiceWatch. Port Number Enter the port number used by this service.
Sample Interval Configure the interval between display updates. Use the slider control from slowest (represented by the tortoise on the left) to fastest (represented by the hare on the right). Number of Samples Determine how many samples are displayed within the sample interval. BandwidthMeter tab Net Interface Displayed Select the Firebox interface displayed by the Bandwidth Meter. Amplitude Scale Select the scale that suits the speed and type of connection.
Historical Reports Add Report Filter dialog box Filter tab Filter Name The name of the filter as it will appear in the Filter drop list in the Report Properties Setup tab. Type Include - Select this option to include in the report all log records that match any of the filter's criteria. Exclude - Select this option to exclude from the report all log records that match any of the filter's criteria.
Add Click to add an item to the list on the left. Remove Click to remove the selected item from the list on the left. User Filter tab Users Restrict report output to only those records that specifically reference an authenticated user or list of users. Enter the user name below and click Add. User Enter the user. Add Click to add the entered item to the list on the left. Remove Click to remove the selected item from the list on the left.
Help Click to access the online Help system. Reports A list of reports created and ready to be scheduled using the WatchGuard Security Event Processor. For each report, there is a ReportName.rep created in [WatchGuard installation directory]\report-def. Report Properties dialog box Setup tab Report Name The name of the report as it appears in Historical Reports, the WatchGuard Security Event Processor and the title of the output.
Text Export Select to generate the report in a comma-delimited text file (.cdf). The text file fields are the following: record type; time; client IP address; client DNS name (if DNS is on and resolved); client port (or proxy for HTTP, FTP, SMTP, and RealAudio); server port; authenticated user name; argument (either a URL or a variety of denied packet/service information). Filter A drop list of filters created using the Filters dialog box. You can only apply one pre-configured filter to a report.
Remove Click to remove the selected item from the list on the left. Time Filters tab Time Stamps Local Time -- Report uses the date and time of the Management Station's local time zone to display records. GMT -- Report uses Greenwich Mean Time to display records. Time Span The span of time reported upon. The default is the entire log file. Options include specific time intervals or a custom, specific time filter.
Consolidated Sections tab Consolidated Sections A list of reports available to run against multiple devices. Enable the checkbox next to the consolidated section you want to generate. Check All Click to select all consolidated section types. Reset All Click to disable all consolidated section types. Preferences tab Elements to Graph The top number of elements in a particular section to graph. Elements to Rank The top number of elements in a particular section to rank.
HostWatch Filter Properties dialog box Inside Hosts tab Display all hosts Enable this checkbox to display all hosts. Displayed hosts A list of all displayed hosts. New Host Enter a new host to add to the list. Add Click to add the new host to the list. Remove Select an item from the list and click to delete it. Outside Hosts tab Display all hosts Enable this checkbox to display all hosts. Displayed hosts A list of all displayed hosts.
Add Click to add a new user to the list. Remove Select an item in the list and click to delete it. Displayed authentication users A list of all authenticated users. Ports tab Display all ports Check to display all ports. Displayed ports A list of all displayed ports. New Port Enter a new port number to add to the list. Add Click to add the new port number to the list. Remove Select an item from the list and click to delete it.
Line Color tab Denied Displays the line color used for denied entries in the log. Dynamic NAT Displays the line color used for dynamic NAT entries in the log. Proxy Displays the line color used for proxy entries in the log. Normal Displays the line color used for normal entries in the log. Misc. tab Icon legend Displays the icons used in Policy Manager for Telnet, HTTP, Mail, FTP, and Other services. Sample interval Displays the sample interval and allows you to change it.
WatchGuard Security Event Processor Help Click to access the online Help system. WSEP: Log Files tab Roll Log Files by Time Interval Enable this checkbox to specify the log rollover time interval. When this interval is reached, the WSEP saves the log file with a time stamp. It continues to write new log records to the base Firebox log file identified either by Firebox name or by IP address. Daily Select this option to force log rollovers once per day.
stamp. It continues to write new log records to the base log file identified either by Firebox name or IP address. Approximate Size Displays the approximate size of a log file when it contains the number of log record entries selected in By Number of Entries. WSEP: Reports tab Reports Enable the checkbox next to the reports to be generated on a regular schedule. The reports listed here are created using the Historical Reports tool.
NOTE The email address entered in this field is not verified. Validate the address before entering it into the email address text box. Pager Number The telephone number of the pager contacted by the WSEP. To use the pager option, a modem must be connected to the log host. Entering a value in this field assigns a value to the environment variable MZ_PAGER in notification programs. Pager Code The pager code number passed to the pager program.
Index booting from system area 120 C 1-to-1 NAT Setup dialog box 180 checksum 92 Citrix ICA 54 Clarent-command service 55 Clarent-gateway service 54 COM Port Setup dialog box 120 AC receptacle 46 configuration files corrupted 86 Add Address dialog box 180 making backup of 124 Add Displayed Service dialog box 252 restoring backup 125 Add Dynamic NAT dialog box 181 successful transfer 87 Add Exception dialog box 181 Configure Gateways dialog box 195 Add External IP dialog box 182 Configure IPSec Tunnels di
Add Routing Policy 184 Add Service 184 Add Static NAT 184 Advanced DVCP Policy Configuration 185 Advanced Dynamic NAT 185 Advanced Mobile User VPN Policy Configuration 186 Basic DVCP Configuration 192 Blocked Ports 192 Blocked Sites 193 Blocked Sites Exceptions 194 COM Port Setup 120 Configure Gateways 195 Configure IPSec Tunnels 195 Configure Tunnel 196 Configure Tunnels 196 Connect to Firebox 124, 125, 173, 197 Copy or Merge Logs 176 Default Gateway 197 Default Packet Handling 197 DHCP Subnet Properties 2
Filtered-HTTP service 57 Filtered-SMTP service 58 Find Keyphrase dialog box 177 finger service 58 Firebox Flash Disk dialog box 209 Firebox flash disk memory 117 Firebox II 42 Firebox III booting 46, 48 Model 700 45 ports and jacks 46, 48 rear panel 46, 48 system load average 44 traffic through 44, 45 Firebox III rear view Model 1000 46 Model 2500 46 Model 4500 46 Model 700 48 Firebox Monitors, dialog boxes 252 Firebox Name dialog box 210 Firebox read-only system area described 117 running from 118 visual i
IP described 1 header 1 header number list 2 options 6 IPIP 9 IPSec Configuration dialog box 224 IPSec Logging dialog box 225 ipseccfg, log messages about 91, 92 IP-within-IP 9 L LDAP service 60 lights Armed 44, 45, 117 Disarm 44, 45 Power 44, 45 Sys A 44, 45, 118, 123 Sys B 44, 45, 122 SysB 117, 120 load indicator 44 log messages, list of 85 Logging and Notification dialog box 226 Logging Setup dialog box 227 logging, dialog boxes 176 LogViewer dialog boxes 177 Lotus Notes service 60 M MAC addresses 85
Process Load Indicator 44 Processor Load Indicator 123 Properties dialog box 245, 261 protocols ESP 9 GGP 9 GRE 9 ICMP 8 IGMP 9 Internet 1 IPIP 9 TCP 8 UDP 7 Proxied-HTTP service 78 Proxy Backlog 95 Proxy Connect Timeout 88, 90, 94 proxy info file 89 proxy services 75 psh ack 86 push 86 R random ports 9 RBCAST 93, 94 read-only system area Setup dialog box 120 read-only system area.
well-known 27, 30, 51 whois 75 Services dialog box 244 Set Log Encryption Key dialog box 265 Set Policy Ordering dialog box 247 Setup Firebox User dialog box 247 Setup New User dialog box 248 Setup Routes dialog box 248 Simple Mail Transfer Protocol 80 Simple Network Management Protocol (SNMP) 67 SMB service 65 SMTP service described 80 with static incoming NAT 53 SNMP service 67 SNMP-Trap service 67 SpamScreen dialog box 249 SQL*Net service 67 SQL-Server service 68 ssh service 68 standard ports 9 static NA