Watchguard Firebox FireboxTM System 4.6, User Manual

Page 1: ...WatchGuard Firebox System User Guide Firebox System 4 6 ...

Page 2: ...rties Inc Hi fn Inc 1993 including one or more U S Patents 4701745 5016009 5126739 and 5146221 and other patents pending 1995 1998 Eric Young eay cryptsoft All rights reserved 1998 1999 The OpenSSL Project All rights reserved Java and all Java based marks are trademarks or registered trademarks of Sun Microsystems Inc in the United States and other countries Microsoft Internet Explorer Windows 95 ...

Page 3: ...rights in and to the SOFTWARE PRODUCT including but not limited to any images photographs animations video audio music text and applets incorporated into the SOFTWARE PRODUCT the accompanying printed materials and any copies of the SOFTWARE PRODUCT are owned by WATCHGUARD or its suppliers Your rights to use the SOFTWARE PRODUCT are as specified in this AGREEMENT and WATCHGUARD retains all rights n...

Page 4: ... HAVE AGAINST WATCHGUARD EXPRESS OR IMPLIED ARISING BY LAW OR OTHERWISE WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE SOFTWARE PRODUCT INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE COURSE OF DEALING OR USAGE OF TRADE ANY WARRANTY OF NONINFRINGEMENT ANY WARRANTY THAT THIS SOFTWAR...

Page 5: ...of Washington excluding the 1980 United National Convention on Contracts for the International Sale of Goods as amended This is the entire AGREEMENT between us relating to the contents of this package and supersedes any prior purchase order communications advertising or representations concerning the contents of this package AND BY USING THE SOFTWARE PRODUCT YOU AGREE TO THESE TERMS No change or m...

Page 6: ...ce of this WatchGuard Technologies Inc product to the EMC directive of the European Community The CE symbol found here or elsewhere indicates that this WatchGuard product meets or exceeds the following standards CSA Statement This Class A digital apparatus meets all requirements of the Canadian Interference Causing Equipment Regulations Cet appareil numerique de la classe A respecte toutes les exi...

Page 7: ...R 2 Technical Support 11 Accessing frequently asked questions FAQ 11 Getting Internet technical support 12 Getting telephone support 12 Training 13 WatchGuard users group 14 Online Help 14 CHAPTER 3 WatchGuard Options 17 Currently available options 17 Obtaining WatchGuard options 18 PART III Configuring a Security Policy 19 CHAPTER 4 Firebox Basics 21 What is a Firebox 21 Opening a configuration f...

Page 8: ...ing up a routed network 37 Adding a secondary network 38 Defining a network route 38 Defining a host route 39 Changing an interface IP address 39 Setting the default gateway 39 Entering WINS and DNS server addresses 40 Defining a Firebox as a DHCP server 40 CHAPTER 7 Blocking Sites and Ports 43 Configuring default packet handling 43 Blocking a site permanently 44 Blocking a port permanently 45 Blo...

Page 9: ...ing and notification preferences 75 Customizing logging and notification by service or option 76 CHAPTER 12 Connect with Out of Band Management 79 Connecting a Firebox with OOB management 79 Enabling the Management Station 79 Configuring the Firebox for OOB 81 Establishing an OOB connection 81 PART IV Administering a Security Policy 83 CHAPTER 13 Creating Aliases and Implementing Authentication 85...

Page 10: ...etworking 119 CHAPTER 17 Configuring Branch Office Virtual Private Networking 121 Configuration checklist 121 Using DVCP to connect to devices 122 Branch office VPN with IPSec 124 Configuring WatchGuard VPN 130 CHAPTER 18 Configuring the Firebox for Remote User VPN 133 Configuration checklist 133 Configuring shared servers for RUVPN 134 Adding remote access users 134 Configuring services to allow ...

Page 11: ...lete network security solution to meet modern security challenges Keep network defenses current Protect every office connected to the Internet Encrypt communications to remote offices and traveling users Manage the security system from a single site The WatchGuard Firebox System is a reliable flexible scalable and inexpensive network security solution Its setup and maintenance costs are small and ...

Page 12: ...monitoring tools into a single user interface LogViewer Displays a static view of the log data which you can filter by type search for keywords and fields and print and save to a separate file HostWatch Displays active connections occurring on a Firebox in real time or represents the connections listed in a log file HostWatch either plays back a previous file for review or displays connections in ...

Page 13: ...are version 4 6 can run on Microsoft Windows 95 Windows 98 Windows NT 4 0 or Windows 2000 as specified below Windows 95 requirements Microsoft Windows 95 Service Release 2 or later Windows 98 requirements Microsoft Windows 98 Windows NT requirements Microsoft Windows NT 4 0 Microsoft Service Pack 4 Service Pack 5 or Service Pack 6a for Windows NT 4 0 Windows 2000 requirements Microsoft Windows 200...

Page 14: ...g system Recommended 32 MB for Windows 95a 64 MB for Windows 98 64 MB for Windows NT 4 0 64 MB for Windows 2000 Professional 256 MB for Windows 2000 Server Hard disk space 25 MB to install all WatchGuard modules 15 MB minimum for log file Additional space as required for log files Additional space as required for multiple configuration files CD ROM drive optional One CD ROM drive to install WatchG...

Page 15: ...ponses to the changing Internet security environment Information such as alerts editorials threat responses and software updates are sent through your e mail client Technical Support The WatchGuard Technical Support team offers services to assist configuration and administration of the Firebox System Services include Frequently Asked Questions a WatchGuard user group mailing list Internet and tele...

Page 16: ...6 ...

Page 17: ...ely recognize and process incoming information Information Alert Information Alerts provide timely notification of breaking news and current issues in Internet security By the time the mass media report on a new hacker threat you have already been briefed on its impact and the proper system configuration necessary to protect against it Threat Response After a newly discovered threat is identified ...

Page 18: ...customers Activating the LiveSecurity Service The LiveSecurity Service can be activated two ways through the setup wizard on the CD ROM and through the activation section of the WatchGuard LiveSecurity Web pages The setup wizard is detailed thoroughly in the Install Guide Refer to that document for further information To activate the LiveSecurity Service through the Web 1 Be sure that you have the...

Page 19: ...phens Verify that your e mail address is correct You will receive your activation confirmation mail and all of your LiveSecurity broadcasts at this address 4 Click Submit 5 Select a download site WatchGuard recommends selecting the server that is geographically closest to you After you select a server a scrollable list of WatchGuard software and documentation appears 6 Minimize or close your Web b...

Page 20: ...LiveSecurity broadcasts 10 ...

Page 21: ...g frequently asked questions FAQ The WatchGuard Technical Support team listens to our customers When a question about firewall configuration or administration occurs repeatedly we pull together an FAQ to document the issue and provide explanation and clarification Where appropriate the FAQs also include workarounds and troubleshooting tips From the Control Center 1 Click the LiveSecurity Control C...

Page 22: ...nables us to link the question with information you report about your network as well as our database of all the support issues you have brought to our attention To access Internet technical support you must have your LiveSecurity License key To access Technical Support and its Web interface from the Control Center 1 Click the LiveSecurity Control Center button shown at right 2 Select On the Web S...

Page 23: ...ice properties for the WatchGuard service icon to allow From network address 208 146 43 0 24 To Any WatchGuard Technical Support numbers are 877 232 3531 U S end user support 206 521 8375 U S authorized reseller support 360 482 1083 International support Training WatchGuard is committed to providing you with accessible and comprehensive training covering our entire product line Although WatchGuard...

Page 24: ...port Instead contact WatchGuard Technical Support directly via the Web interface or telephone Subscribing to wg users watchguard com To join the WatchGuard users group send e mail to wg users request watchguard com with the word subscribe anywhere in the body of the message not the subject line Unsubscribing from wg users watchguard com To remove yourself from the WatchGuard users group send e mai...

Page 25: ...utomatically scroll to entries beginning with those letters Click a page title to view topic contents Search The Search feature offers a full text search of the entire Help system Enter a keyword Press ENTER to display a list of topics containing the word The Search feature does not support Boolean searches Copying the Help system to additional platforms WatchGuard Online Help can be copied from t...

Page 26: ...s This Help 1 Right click any field or button 2 Click What s This when it appears A box appears with the field name on the top and information about the field beneath it 3 To print or save the Help box as a separate file right click the Help field A menu offering Copy or Print appears 4 Select the menu item you want 5 When you are done left click anywhere outside the box to dismiss it Context sens...

Page 27: ...applications of the WatchGuard Firebox System High Availability High Availability enables one Firebox to take over when another fails When using High Availability you place two Fireboxes and the Management Station on the trusted network and provide each Firebox with the same configuration file The first Firebox manages traffic and protects the network while the second waits in a passive listening ...

Page 28: ...mScreen SpamScreen helps to control spam e mail sent to you or your end users without permission Spam consumes valuable bandwidth on your Internet connection and on the hard disk space and CPU time of your mail server If allowed to enter your network unchecked spam consumes workers time to read and remove WatchGuard SpamScreen identifies spam as it comes through the Firebox You can choose to eithe...

Page 29: ...ning and saving configuration files and setting the Firebox time zone Configure a network After installation the next step in implementing a security policy is to delineate your network Set up either a drop in or routed network add secondary networks and define network and host routes Block sites and ports Use default packet handling to establish a global policy for dynamically blocking packets an...

Page 30: ...u can set NAT policy at both the global and the individual service levels Set up logging and notification What events are logged and how and when a network administrator is notified is an important component of a security policy Assign and configure the LiveSecurity Event Processor and set both global and service specific log and notification preferences Connect with out of band management Configu...

Page 31: ...on file to a local hard disk or the Firebox Reset Firebox passphrases Set the Firebox time zone Reinitialize a misconfigured Firebox Manage the flash memory of the Firebox What is a Firebox Fireboxes are specially designed and optimized machines They are small efficient and reliable There are no user serviceable parts within the Firebox If a user opens a Firebox case it voids the limited hardware ...

Page 32: ...onfigure the Management Station to also serve as the Event Processor Trusted network The network behind the firewall that must be protected from the security challenge External network The network presenting the security challenge typically the Internet Optional network A network protected by the firewall but still accessible from the trusted and the external networks Typically the optional networ...

Page 33: ...x 3 In the Passphrase text box type the Firebox monitoring passphrase Click OK You can use either the monitoring read only or configuration read write passphrase However to save the configuration to the Firebox you must use the configuration passphrase The configuration file stored on the primary area of the Firebox flash disk opens and configured services appear in the Services Arena Opening a co...

Page 34: ... asked to confirm your choice Click Yes Resetting Firebox passphrases WatchGuard recommends that for optimum security you periodically change the Firebox passphrases To do this you must have the current configuration passphrase From Policy Manager 1 Open the configuration file running on the Firebox For more information see Opening a configuration from the Firebox on page 23 2 Select File Save To ...

Page 35: ...ot from the primary area of the flash disk Sys A in a mode that provides fail safe access in cases when you need to Install a Firebox for the first time Troubleshoot problems in which all access to the Firebox is lost Reset Firebox passwords when you do not know or have forgotten them This Enhanced System Mode is the default mode for new Fireboxes shipped from the factory If a Firebox is in this m...

Page 36: ...Firebox resumes normal operation the next time it restarts Some Fireboxes have a factory default button To place the unit into factory default mode press and hold this button during power up Booting from the system area You can also use the Flash Disk Management Tool to boot into the system area Sys B for recovery of a Firebox For information on using the Flash Disk Management Tool see the Referen...

Page 37: ...g the QuickGuide toolbar and menu system Starting the Control Center and connecting to a Firebox From the Windows Desktop 1 Select Start Programs WatchGuard Control Center 2 Click Continue 3 Use the Firebox drop list to select a Firebox You can also type the Firebox name or IP address 4 Enter the Firebox monitoring read only passphrase 5 Click OK Control Center components The Control Center consis...

Page 38: ...te traffic volume and the proportion of Firebox capacity being used Firebox and VPN tunnel status The section in the Control Center directly below the front panel shows the current status of the Firebox and of Branch Office VPN tunnels and Remote VPN tunnels Firebox status In Firebox status three branches show the traffic being sent and received through the three Firebox interfaces Trusted Externa...

Page 39: ... VPN tunnels Following the branch office VPN tunnels is an entry for remote VPN tunnels Remote VPN tunnels can either be Mobile User VPN with IPSec or Remote User PPTP If the tunnel is Mobile User VPN the branch displays the same statistics as for the DVCP or IPSec Branch Office VPN as described previously The tunnel shows the tunnel name followed by the destination IP address followed by the tunn...

Page 40: ...ft corner of Control Center Select Connect The Connect to Firebox dialog box appears 2 Use the Firebox drop list to select a Firebox You can also type the Firebox name or IP address 3 Enter the Firebox monitoring read only passphrase 4 Click OK The Control Center connects to the Firebox and displays its real time status Changing the polling rate You can change the interval of time in seconds at wh...

Page 41: ... scroll control of the Traffic Monitor window to scroll chronologically up and down through log records While scrolling the Traffic Monitor temporarily ceases to jump to the most recent records Page down to the bottom of the Traffic Monitor window to restart the rolling display Copy and Paste Use Click Ctrl Click or Click Shift Click to select multiple records Right click the selected records and ...

Page 42: ...when you enable features such as PPTP and authentication These icons appear only in the Advanced view The wg_ service icons rarely require modification WatchGuard recommends leaving wg_ icons in their default settings Much of this User Guide is devoted to configuring and administering a network security policy using Policy Manager Firebox Monitors Firebox Monitors combines an extensive set of Watc...

Page 43: ...d other data useful in monitoring and troubleshooting your network To open Historical Reports click the Historical Reports button pictured at left on the Control Center QuickGuide For more information see Generating Reports of Network Activity on page 109 LiveSecurity Event Processor The LiveSecurity Event Processor controls logging report schedules and notification It also provides timing service...

Page 44: ...LiveSecurity Event Processor 34 ...

Page 45: ...the protected LAN or other host External Modify settings for the Ethernet device connecting the Firebox to the outside world Optional Modify settings for the Ethernet device connecting the Firebox to the optional bastion network this is sometimes called the Demilitarized Zone or DMZ As its name implies you can use the Optional network in different ways One common application is to use it for a pub...

Page 46: ...p in configuration you place the Firebox physically between the router and the LAN without reconfiguring any of the machines on the Trusted interface Characteristics of a drop in configuration A single network that is not subdivided into smaller networks the network is not subnetted WatchGuard performs proxy ARP The Firebox answers ARP requests for machines that cannot hear the broadcasts The Fire...

Page 47: ...roxy ARP for enter the IP address and the interface they reside on in the Hosts section of the Drop In Configuration tab 3 Click Add to add a new host To remove a host select it and click Remove 4 When you are done setting up your network click OK Setting up a routed network Use a routed network configuration when the Firebox is put in place with separate logical networks on its interfaces This co...

Page 48: ... dialog box enter the network address in slash notation in the text box to the left of the Add button Click Add The address appears in the Secondary Networks list Defining a network route If you have router behind the Firebox you need to define a network route From Policy Manager 1 Verify that you are using the Advanced view of Policy Manager From Policy Manager select View Verify that the Advance...

Page 49: ...red host route 7 Click OK The route data is written to the configuration file Changing an interface IP address The IP addresses of the three Firebox interfaces are generally configured using the QuickSetup Wizard However if you need to modify an interface address you can do so manually From Policy Manager 1 Select Network Configuration The Network Configuration dialog box appears 2 Click the tab o...

Page 50: ...ent can use an IP address that it received from the DHCP server When the time is close to expiring the client will contact the DHCP server to renew the lease From Policy Manager 1 Select Network Configuration Click the DHCP Server tab 2 Enable the Enable DHCP Server checkbox 3 Enter the default lease time for the server The default lease time is provided to clients who don t specifically request t...

Page 51: ...work Configuration Click the DHCP Server tab 2 Click the subnet to review or modify Click Edit 3 When you have finished reviewing or modifying the subnet click OK Removing a Subnet From Policy Manager 1 Select Network Configuration Click the DHCP Server tab 2 Click the subnet to remove it Click Remove 3 Click OK ...

Page 52: ...Defining a Firebox as a DHCP server 42 ...

Page 53: ...can protect ports with known vulnerabilities by blocking their unauthorized use Configuring default packet handling The WatchGuard Firebox System examines and handles packets according to default packet handling options that you set The firewall examines the source of the packet and its intended destination by IP address and port number It also watches for patterns in successive packets that indic...

Page 54: ... 1 On the toolbar click the Blocked Sites icon You can also select Setup Blocked Sites The Blocked Sites dialog box appears 2 Click Add 3 Use the Choose Type drop list to select a member type 4 Enter the member value Depending on the member type the value can be an IP address host name or username 5 Click OK The Blocked Sites dialog box appears displaying the new member in the Blocked Sites list R...

Page 55: ...ker originates the connection from an allowed well known service less than 1024 Thus these connections can be attacked by appearing to be an allowed connection in the opposite direction You should add the port numbers of such services to the Blocked Ports list By default Policy Manager blocks quite a few destination ports This measure provides convenient defaults that many administrators find suff...

Page 56: ...ed service From Policy Manager 1 Double click the service icon in the Services Arena The Properties dialog box appears 2 Use the Incoming Service Connections Are drop list to select Enabled and Denied 3 Enable the Auto Block Sites that Attempt to Connect Via checkbox To change the auto block duration see Changing the auto block duration on page 44 Viewing the Blocked Sites list Use Firebox Monitor...

Page 57: ...er 1 On the toolbar click the Add Services icon it appears as a plus sign You can also select Edit Add Service 2 Click to select a service from the list of available services You can expand the tree to display all available services When you click a service the service icon appears in the dialog box on the right side Also a Details box displays basic information about the service For more informat...

Page 58: ...scription of the new service The description appears in the Details section of the Services dialog box when you select the service 5 Click Add Use the Add Port dialog box to configure the port for the new service 6 Use the Protocol drop list to select a protocol TCP TCP based services UDP UDP based services HTTP Services examined by the HTTP proxy IP Filter a service using something other than TCP...

Page 59: ...ming and Outgoing tabs The Incoming tab defines which hosts and users outside the Firebox can use the service to initiate sessions with your protected users and hosts The Outgoing tab defines which hosts and users behind the Firebox can use the service to initiate sessions with an outside host You can make any service a one directional filter by setting the Connections Are drop list to Disabled Af...

Page 60: ... 76 6 Click OK Adding addresses to service properties Both the Incoming and Outgoing properties include From and To lists of addresses Use the Add Address dialog box to add a network IP address or specific user to the From or To list From the service s Properties dialog box 1 Click Add 2 To add a member that has already been defined click your selection on the Members list Click Add The member app...

Page 61: ...that you delete the service and add it again In general you can modify any property contained in the Properties dialog box You must delete and add a new service for any property set during the initial setup Properties that can be modified on an existing service include Rule sets for incoming and outgoing traffic Logging and notification characteristics Properties that require deleting the service ...

Page 62: ...be modified from the Content Types tab in the SMTP Proxy dialog box You do not have to reboot the Firebox when you make these SMTP configuration changes The proxy also automatically disables nonstandard commands such as Debug and can limit message size and number of recipients If the message exceeds preset limits the Firebox refuses the mail The Policy Manager uses separate dialog boxes for incomi...

Page 63: ...Address Patterns tab 2 Use the Category drop list to select a category 3 Type the address pattern in the text box to the left of the Add button 4 Click Add The address pattern appears at the bottom of the pattern list Protecting your mail server against relaying Hackers and spammers can use an open relay to send mail from your server To prevent this disable open relay on your mail server From the ...

Page 64: ...gcompany com which would be anonymized to their public address bigcompany com 1 Click the Masquerading tab 2 Enter the official domain name This is the name you want visible to the outside world 3 In the Substitute text box type the address patterns that are behind your firewall that you want replaced by the official domain name All patterns entered here appear as the official domain name outside ...

Page 65: ... TCP port 80 to be proxied through the Firebox The proxy has the capability of performing HTTP specific content filtering of each connection Such content filtering can include denying or removing unsafe content types such as Java or ActiveX and performing general verifications on the HTTP exchange Filtered HTTP service allows outbound HTTP on all TCP ports but incoming access only on port 80 Filte...

Page 66: ...nd Proxy Multiservices can contain subservices of more than one precedence group Filtered HTTP and Proxied HTTP for example contain both a port specific TCP subservice for port 80 as well as a nonport subservice that covers all other TCP connections When precedence is being determined individual subservices are given precedence according to their group described previously independent of the other...

Page 67: ...o Telnet icons telnet_1 allowing from A to B and telnet_2 allowing from C to D a Telnet attempt from C to E will first check telnet_1 and then telnet_2 Because no match is found the rest of the rules are considered If an Outgoing service will allow from C to E it will do so When only one icon is representing a service in a precedence category only that service is checked for a match If the packet ...

Page 68: ...Service precedence 58 ...

Page 69: ... of the database from the WatchGuard WebBlocker site over an authorized channel In turn the Firebox regularly queries the Event Processor for changes and when appropriate downloads a new version and generates a log entry to show the transfer If the database is either corrupted incompletely retrieved or in any other way incomplete the Firebox does not load it It repeats the attempt until it complet...

Page 70: ...rd com However this address may change without notice Add some form of HTTP service icon To use WebBlocker add the Proxied HTTP Proxy or HTTP service WatchGuard recommends using Proxied HTTP which provides filtering on all ports HTTP without the Proxy service blocks only on port 80 WebBlocker takes precedence over other settings in the HTTP or Proxy services If the HTTP service allows outgoing fro...

Page 71: ...our blocks to toggle from Operational to Non Operational Setting privileges WebBlocker differentiates URLs based on their content Select the types of content accessible during operational and non operational hours using the Privileges tabs The options are identical for Operational and Non Operational From the proxy s dialog box 1 Click the WB Operational Privileges tab 2 Enable the content type ch...

Page 72: ... a specific directory pattern enter the string to be blocked for example poker 4 To remove an item from either the Allow or the Deny list click the address Click the corresponding Remove button Manually downloading the WebBlocker database You can manually force a download of the latest blocked URL database from webblocker watchguard com using a DOS utility called dbfetch 1 Open an MS DOS Prompt wi...

Page 73: ...book What is dynamic NAT Also known as IP masquerading or port address translation dynamic NAT hides network addresses from hosts on another network Hosts elsewhere only see outgoing packets from the Firebox itself This feature protects the confidentiality and architecture of your network Another benefit is that it enables you to conserve IP addresses WatchGuard implements two forms of outgoing dy...

Page 74: ...ic NAT rules in the order in which they appear in the Dynamic NAT Entries list WatchGuard recommends prioritizing entries based on the volume of traffic that each represents From the Setup Dynamic NAT dialog box 1 Click Add 2 Use the From drop list to select the origin of the outgoing packets For example use the trusted host alias to globally enable network address translation from the Trusted net...

Page 75: ...not dependent on enabling simple dynamic NAT From Policy Manager 1 Select Setup NAT Click Advanced 2 Enable the Enable Service Based NAT checkbox 3 Click OK to close the Advanced NAT dialog box Click OK to close the Dynamic NAT dialog box Configuring service based NAT exceptions By default services take on whatever dynamic NAT properties you have set for simple NAT However you can override this se...

Page 76: ...al IP address Adding external IP addresses Static NAT converts a Firebox public IP and port into specific destinations on the Trusted or Optional networks If the Firebox has not already been assigned the public IP address you want to use you must designate a new public IP address using the Add External IP dialog box From Policy Manager 1 Select Network Configuration Click the External tab 2 Click ...

Page 77: ...checkbox This feature is rarely used It enables you to redirect packets not only to a specific internal host but also to an alternative port If you enable the checkbox enter the alternative port number in the Internal Port field 8 Click OK to close the Add Static NAT dialog box The static NAT route appears in the Members and Addresses list 9 Click OK to close the Add Address dialog box Click OK to...

Page 78: ...Configuring a service for incoming static NAT 68 ...

Page 79: ...or that WatchGuard detected a triggering event WatchGuard logging and notification features are both flexible and powerful You can configure your firewall to log and notify on a wide variety of events including specific events at the level of individual services Ensure logging with failover logging WatchGuard relies on failover logging to minimize the possibility of missing log events With failove...

Page 80: ...r Install the software on each Event Processor Set global logging and notification preferences for the host Set the log encryption key on the Event Processor identical to the key set in Policy Manager Designating Event Processors for a Firebox You should have at least one Event Processor to run the WatchGuard Firebox System The default primary Event Processor is the Management Station which is set...

Page 81: ...ing is not encrypted therefore do not set the Syslog server to a host on the External interface From Policy Manager 1 Select Setup Logging The Logging Setup dialog box appears 2 In the Logging Setup dialog box click the Syslog tab 3 Enable the Enable Syslog Logging checkbox 4 Enter the IP address of the Syslog server Editing an Event Processor setting Modify an Event Processor entry to change the ...

Page 82: ... logs orderly and avoids time discrepancies in the log file if failovers occur The Firebox sets its clock to the current Event Processor If the Firebox and the Event Processor time are different the Firebox time drifts toward the new time which often results in a brief interruption in the log file Rebooting the Firebox resets the Firebox time to that of the primary Event Processor Therefore you sh...

Page 83: ...y detects whether or not the host is operating Windows NT or Windows 2000 If so it installs the program as a service that automatically starts when you restart the machine 1 Run the WatchGuard Firebox System installation wizard 2 When the wizard asks if you would like to set up logging and notification select Yes Running an Event Processor on Windows 98 If the Event Processor is to be run on a Win...

Page 84: ...tings Control Panel Administrative Tools Services 2 Click WG LiveSecurity Event Processor Click Startup 3 Verify that the Allow Service To Interact With Desktop checkbox is enabled If the Event Processor was running restart it after saving the changes Interactive mode from a DOS window On the Event Processor 1 Open a DOS window Select Start Programs Command Prompt 2 Change directories to the Watch...

Page 85: ...he maximum number of records stored in the log file Reports tab Schedule regular reports of log activity Notification tab Control to whom and how notification takes place Together these controls set the general parameters for most global event processing and notification properties Setting the interval for log rollover Log records accumulate at different rates depending on the volume of network tr...

Page 86: ...according to your security policy preferences For more information on individual settings right click the setting and then select What s This Customizing logging and notification by service or option The Firebox System allows you to create custom logging and notification properties for each service and blocking option You can fine tune your security policy logging only those events that require yo...

Page 87: ...ying field or use Browse to locate and select the program Setting Launch Interval and Repeat Count There are two parameters that work in conjunction with the Event Processor Repeat Interval to control notification timing Launch Interval The minimum time in minutes between separate launches of a notifier Set this parameter to prevent the launch of several notifiers in response to similar events tha...

Page 88: ...ties for the following default packet handling options Spoofing attacks IP options Port probes Address space probes Incoming packets not handled Outgoing packets not handled From Policy Manager 1 Select Setup Default Packet Handling The Default Packet Handling dialog box appears 2 Click Logging 3 Modify logging and notification properties according to your security policy preferences Click OK Sett...

Page 89: ...gement Station and an analog telephone line Connect the Firebox modem Connect an external or PCMCIA also known as PC Card modem to the Firebox External modems must be attached to the CONSOLE port of the Firebox Enable the Management Station for dial up networking connections Set Firebox network configuration properties Enabling the Management Station For a dial up PPP connection to work between a ...

Page 90: ...ber of the analog line connected to the Firebox s modem Click Finish If Dial Up Networking is not already installed you will be prompted to install it Preparing a Windows 2000 Management Station for OOB Before configuring the Management Station you must first install the modem If the modem is already installed go to the instructions for configuring Windows 2000 to work with OOB Install the modem 1...

Page 91: ...licy preferences For a description of each control right click it and then click What s This 3 Click OK Establishing an OOB connection In the Management Station command your dial up networking software to call the Firebox modem After the modems connect the Firebox negotiates a PPP connection with the calling host and IP traffic can pass After the connection is established you can use the WatchGuar...

Page 92: ...Establishing an OOB connection 82 ...

Page 93: ...ces by requiring users to identify themselves In addition to our own authentication scheme WatchGuard also supports Windows NT RADIUS CRYPTOCard and SecurID server authentication Use host aliases to speed configuration of authentication and service properties Firebox Activity Monitors Firebox Monitors displays real time traffic through your Firebox View bandwidth usage dynamically and manually blo...

Page 94: ...84 ...

Page 95: ... remember host IP addresses host ranges groups usernames and network IP addresses They function in a similar fashion to e mail distribution lists combining addresses and names into easily recognizable groups Use aliases to quickly build service filter rules or configure authentication Aliases cannot however be used to configure the network itself WatchGuard automatically adds four host aliases to ...

Page 96: ... and Authentication Setup dialog box appears displaying the Aliases tab 2 Click the host to review or modify Click Edit The Host Alias dialog box appears displaying the host s members 3 To add new members click Add and follow the directions described in steps 6 9 of the previous procedure To delete members select them and click Remove 4 When you finish reviewing or modifying the host alias click O...

Page 97: ...s to authenticate against any of the five types of authentication For the administrator the Firebox method requires the administrator to add usernames passwords and groups using Policy Manager while the other four methods require storing the data on the server performing authentication How user authentication works A specialized HTTP server runs on the Firebox To authenticate clients must connect ...

Page 98: ...er click the Add button beneath the Users list The Setup Firebox User dialog box appears 7 Enter the username and password 8 To add the user to a group select the group name in the Not Member Of list Click the left pointing arrow to move the name to the Member Of list 9 When you finish adding the user to groups click Add The user is added to the User list The Setup Remote User dialog box remains o...

Page 99: ...ote Authentication Dial In User Service RADIUS provides remote users with secure access to corporate networks RADIUS is a client server system that stores authentication information for users remote access servers and VPN gateways in a central user database that is available to all servers Authentication for the entire network happens from one location To add or remove services accessible by RADIU...

Page 100: ...ation server From Policy Manager 1 Select Setup Authentication The Member Access and Authentication Setup dialog box appears 2 Under Authentication Enabled Via click the CRYPTOCard Server option 3 Click the CRYPTOCard Server tab You might need to use the arrow buttons in the upper right corner of the dialog box to bring this tab into view 4 Enter the IP address of the CRYPTOCard server 5 Enter or ...

Page 101: ... information consult the CRYPTOCard server documentation Configuring SecurID authentication For SecurID authentication to work the RADIUS and ACE Server server must first be correctly configured In addition users must have a valid SecurID token and PIN number Please see the relevant documentation for these products From Policy Manager 1 Select Setup Authentication The Member Access and Authenticat...

Page 102: ...ust be a member of the appropriate VPN group for access regardless of any other authentication scheme in use When users authenticate using their account in the Firebox domain WatchGuard automatically adds their IP address to all Firebox domain groups of which they are a member including pptp_users or ipsec_users By default Remote User VPN users or any users have no access privileges through a Fire...

Page 103: ...ox Monitors and HostWatch are two tools for monitoring traffic through the Firebox Firebox Monitors Firebox Monitors is a user interface providing several real time displays of activity through the Firebox Starting Firebox Monitors and connecting to a Firebox From Control Center 1 On the QuickGuide click the Firebox Monitors button shown at right Firebox Monitors opens and displays the Bandwidth M...

Page 104: ...Firebox Monitors 1 Select View Properties Click the ServiceWatch tab 2 Click Add 3 Enter the service name and port number For a list of well known service port numbers see the Reference Guide 4 Pick the line color to represent the service on the graph 5 Click OK to close the Add Service dialog box Click OK to close the View Properties dialog box ServiceWatch adds the new service to the display and...

Page 105: ...ny Temporarily blocked site entries appear on the Blocked Sites tab Blocked list network 10 0 0 0 8 permanent network 172 16 0 0 12 permanent network 206 148 0 0 16 permanent Active TCP connections A list of any active TCP connections occurring across the Firebox Active TCP connections 201 124 50 8 1025 206 148 32 29 139 OUT Wed Dec 22 07 32 43 1999 232 251 54 158 62635 123 152 24 50 4103 IN Tue D...

Page 106: ...atistics on the memory usage of the currently running Firebox Numbers shown are bytes of memory Memory total used free shared buffers cached Mem 15372288 4886528 10485760 2318336 2061024 917504 Load average The number of jobs in the run queue averaged over 1 5 and 15 minutes The fourth number pair is the number of processes active number of total processes running and the last number is the next p...

Page 107: ...et addr 207 54 9 62 Bcast 207 54 9 63 Mask 255 255 255 240 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 33925 errors 0 dropped 0 overruns 0 TX packets 30597 errors 0 dropped 0 overruns 0 Interrupt 11 Base address 0x310 eth1 0 Link encap 10Mbps Ethernet HWaddr 00 A0 24 CC E4 37 inet addr 133 148 32 254 Bcast 133 148 32 255 Mask 255 255 255 0 UP BROADCAST RUNNING MTU 1500 Metric 1 RX ...

Page 108: ...o block Next to each blocked site is the amount of time remaining on the temporary auto block You can adjust the auto blocking value from the Blocked Sites dialog box available through Policy Manager You can selectively remove sites from this blocked list either by selecting the site and clicking the X toolbar button or by double clicking a site If the display is in continuous refresh mode that is...

Page 109: ... in the HostWatch window To start HostWatch click the HostWatch icon shown at left on the Control Center QuickGuide HostWatch display The upper pane is split into two sides Inside and Outside Double click an item on either side to produce a pop up window displaying detailed information about current connections for the item The Connects For window displays the IP addresses port number connection t...

Page 110: ... playback 9 Click OK Controlling the HostWatch display You can selectively control the HostWatch display This feature can be useful for monitoring the activities of specific hosts ports or users Viewing specific hosts From HostWatch 1 Select View Filters 2 Click the Inside Hosts or Outside Hosts tab 3 Clear the Display All Hosts checkbox 4 In the New Host field enter the IP address of the host to ...

Page 111: ...ch can display host names rather than IP addresses From HostWatch 1 Select View Properties 2 Use the Host Display tab to modify host display and text options 3 Use the Line Color tab to choose colors for lines drawn between denied dynamic NAT proxy and normal connections 4 Use the Misc tab to control the refresh rate of the real time display and the maximum number of connections displayed Inside h...

Page 112: ...HostWatch 102 ...

Page 113: ...log display tool For more information about the LiveSecurity Event Processor and configuring logging see Setting Up Logging and Notification on page 69 Viewing files with LogViewer The WatchGuard Firebox System utility called LogViewer provides a dynamic display of log file data You can view all log data page by page or search and display by keyphrases or specific log fields Starting LogViewer and...

Page 114: ... Value drop list to select a value or type in a specific value 4 Click Search LogViewer searches the entire log file and displays the results as either marked records in the main window or a separate filter window based on your selection Copying and exporting LogViewer data You can either copy and paste or export log file data as text txt from LogViewer into another application Copying log data 1 ...

Page 115: ...ow Time The time the record entered the log file Default Show The rest of the columns vary according to the type of event displayed The events of most frequency and interest however are packet events which would display data as shown below deny in eth0 339 udp 20 128 192 168 49 40 255 255 255 255 67 68 bootpc The packet event fields are described here in order from left to right Disposition Defaul...

Page 116: ...f connection may be displayed in parentheses Default Show Working with log files The Firebox is continually writing messages to log files on the LiveSecurity Event Processor Because current log files are always open they cannot be copied moved or merged using traditional copy tools you should use LiveSecurity Event Processor utilities to work with active log files Unlike with other Firebox System ...

Page 117: ...ick Copy The log file is copied to the new directory with the same file name Forcing the rollover of log files In general log files roll over based on LiveSecurity Event Processor settings For more information see Setting the interval for log rollover on page 75 However you may occasionally want to force the rollover of a log file From LiveSecurity Event Processor select File Roll Current Log File...

Page 118: ...Working with log files 108 ...

Page 119: ...ireboxes and set properties to display the report data according to your preferences Starting Historical Reports From Control Center 1 Click the Historical Reports icon shown at right You can also start Historical Reports from the WatchGuard installation directory The file name is WGReports exe Viewing the reports list To view all reports generated click Reports Page This launches your default bro...

Page 120: ...to see the main page of the report upon completion enable the Execute Browser Upon Completion checkbox 8 Click the Firebox tab 9 Enter the Firebox IP address or a unique name and then click Add 10 Specify report preferences as explained in the remaining sections in this chapter 11 When you are done defining report properties click OK The name of the report appears in the Reports list Editing an ex...

Page 121: ... Sections tab defines the types of information to be included in a report on each of a group of Fireboxes a vertical look at the data You can also specify parameters that consolidate information for a group of Fireboxes a horizontal cumulative view of data To consolidate report sections 1 From the Report Properties dialog box select the Consolidated Sections tab The tab contains a list of report s...

Page 122: ...etup tab on the Report Properties dialog box the report output is created as HTML files A JavaScript menu is used to easily navigate the different report sections Exporting a report to WebTrends for Firewalls and VPNs When you select WebTrends Export from the Setup tab on the Reports Properties dialog box the report output is created as a WebTrends Enhanced Log Format WELF file The report appears ...

Page 123: ...sed on three criteria Host Filter a report based on host IP address Port Filter a report based on service name or port number User Filter a report based on authenticated username Creating a new filter Use Historical Reports to create a new report filter Filters are stored in the WatchGuard installation directory in the subdirectory report defs with the file extension ftr From Historical Reports 1 ...

Page 124: ...s created using the Filters dialog box appear in the Filter drop list For more information see Creating a new filter on page 113 3 Click OK The new report properties are saved to the ReportName rpt file in the report defs directory The filter will be applied the next time the report is run Scheduling and running reports WatchGuard offers two methods to run reports manually at any time or scheduled...

Page 125: ...mary graphs or ranking The following is a listing of the different types of report sections and consolidated sections Firebox Statistics A summary of statistics on one or more log files for a single Firebox Authentication Detail A detailed list of authenticated users sorted by connection time Fields include authenticated user host start date of authenticated session start time of authenticated ses...

Page 126: ...dth or connections Session Summary Proxied Traffic A table and optionally a graph of the top incoming and outgoing sessions sorted either by byte count or number of connections The format of the session is client server service If the connection is proxied the service is represented in all capital letters If the connection is packet filtered Historical Reports attempts to resolve the server port t...

Page 127: ... Authentication Detail A detailed list of failures to authenticate sorted by time The fields are Date Time Host and User Consolidated Sections Network Statistics A summary of statistics on one or more log files for all devices being monitored Time Summary Packet Filtered A table and optionally a graph of all accepted connections distributed along user defined intervals and sorted by time If you ch...

Page 128: ...oxied Traffic A table and optionally a graph of internal and external hosts passing proxied traffic sorted either by bytes transferred or number of connections Proxy Summary Proxies ranked by bandwidth or connections Session Summary Proxied Traffic A table and optionally a graph of the top incoming and outgoing sessions sorted either by byte count or number of connections The format of the session...

Page 129: ...o securely connect two or more locations over the Internet You can take advantage of our WatchGuard VPN Firebox to Firebox configuration or implement a WatchGuard Firebox to IPSec compliant device tunnel Remote user virtual private network Create a secure connection between the trusted network and an employee traveling or working from home with either Point to Point Tunneling Protocol PPTP or usin...

Page 130: ...120 ...

Page 131: ...l Security This method uses IPSec to tunnel between a WatchGuard Firebox and an IPSec compliant device from another vendor or between two Fireboxes WatchGuard VPN This method uses the WatchGuard proprietary secure connection called WatchGuard VPN to create a tunnel between two WatchGuard Fireboxes Configuration checklist Before implementing branch office VPN gather the following information IP add...

Page 132: ...rties such as encryption timeouts and authentication DVCP clients can retrieve this information from the server The only information clients need to maintain is an identification name shared key and the IP address of the server External interface You use the the DVCP Client Wizard to configure a device as a DVCP server and then create tunnels to each client Firebox or SOHO The clients then contact...

Page 133: ...nly 8 Use the Authentication drop list to select an authentication method Options include None no authentication MD5 HMAC 128 bit algorithm and SHA1 HMAC 160 bit algorithm 9 Use the Encryption drop list to select an encryption method Options include None no encryption DES CBC 56 bit encryption and 3DES CBC 168 bit encryption 10 Enter values to set the interval to force key expiration Enter traffic...

Page 134: ... next time the DVCP client tries to contact the server contact will be denied If these settings were never manually configured the client will use 192 168 111 0 24 as the DHCP network range From Policy Manager 1 Select Network Branch Office VPN Basic DVCP 2 Select the tunnel policy Click Remove The policy is removed from the DVCP Configuration dialog box Defining a Firebox as an Enhanced DVCP Clie...

Page 135: ...a tunnel with dynamic security on page 127 and Configuring a tunnel with manual security on page 126 5 In the Remote Gateway IP field enter the IP address of the Firebox or other IPSec compliant host at the other end of the gateway 6 Enter the shared key The Shared Key field is available only for ISAKMP negotiated gateways The same key must be entered at the remote gateway 7 Click OK The Configure...

Page 136: ... for Outgoing checkbox If you enable this checkbox you are done with the Security Association Setup dialog box and can proceed to the next step If you clear this checkbox click the Outgoing tab and configure the security associations for outgoing traffic The fields have the same rules and parameter ranges as the Incoming tab 9 Click OK The Configure Tunnels dialog box appears displaying the newly ...

Page 137: ...me Policy Manager uses the tunnel name as an identifier 5 Click the Dynamic Security tab 6 Use the Type drop list to select a Security Association Proposal SAP type Options include Encapsulated Security Payload ESP or Authenticated Headers AH 7 Use the Authentication drop list to select an authentication method Options include None no authentication MD5 HMAC 128 bit algorithm and SHA1 HMAC 160 bit...

Page 138: ... or IPSec compliant device 5 Enter the IP address or network address in slash notation for the remote host or network 6 Use the Disposition drop list to select a bypass rule for the tunnel Secure IPSec will encrypt all traffic that matches the rule in associated tunnel policies Block IPSec will not allow traffic that matches the rule in associated tunnel policies Bypass IPSec will not allow traffi...

Page 139: ...licy order Host to host Host to network Network to host Network to network Policies must be set to the same order at both ends of the tunnel For more information about IPSec policy order see the Network Security Handbook From the IPSec Configuration dialog box To move a policy up in the list click the policy Click Move Up To move a policy down in the list click the policy Click Move Down Configuri...

Page 140: ...tiple VPN configurations to the central Firebox and configure remote Fireboxes accordingly Make sure that passphrases are unique to a single VPN connection On the central Firebox use the same IP address for multiple remote Fireboxes However the address can not be used for another purpose on either the central or remote networks Setting up WatchGuard VPN From Policy Manager 1 Select Network Branch ...

Page 141: ...security policy preferences Activating logging often generates a high volume of log entries significantly slowing the passage of VPN traffic WatchGuard recommends logging only for debugging purposes Changing remote network entries You cannot edit a remote network entry You must remove the original and add the new remote network address From the WatchGuard VPN Setup dialog box 1 Click the network a...

Page 142: ...efining service properties on page 49 An alternative method is to add the Any service with the following incoming properties Enabled and allowed From VPN host alias To Any Verifying successful WatchGuard VPN configuration To determine whether a configuration has been successful Watch for log entries as the Firebox reboots that show local and remote VPN IP addresses Check the Firebox status once it...

Page 143: ...rity This type of RUVPN is an optional feature of the WatchGuard package It requires strong or medium encryption RUVPN requires configuration of both the Firebox and the end user remote host computers This section describes how to configure a Firebox for both types of RUVPN For information on configuring the remote host see Preparing a Host for Remote User VPN on page 141 Configuration checklist B...

Page 144: ...with the tunnel type In other words an incoming PPTP tunnel would authenticate against the pptp_users group Once authenticated the Policy Manager then adds the remote client IP address to the group Use the Firebox User group to configure services for incoming and outgoing RUVPN traffic Because of the way Windows holds the username and password for subsequent logins one option to reduce end user co...

Page 145: ...y configured user s Configuring services to allow incoming RUVPN Use the Firebox user groups pptp_users and ipsec_users to quickly configure the allowed services for incoming RUVPN traffic There are two recommended methods By individual service Double click each service that you want to enable for your remote VPN users Set the following properties on the service Incoming Enabled and allowed From p...

Page 146: ...ational customers Entering IP addresses for Remote User sessions Remote User PPTP supports only 50 concurrent sessions but you can configure a virtually unlimited number of client computers The Firebox dynamically assigns an open IP address to each incoming RUVPN session from a pool of available addresses until this number is reached After the user closes a session the address reverts to the avail...

Page 147: ...ot through the default gateway are invalid Addresses in networks to which you have routes are invalid except those that are routed through default route Any other packets are allowed and handled by proxy ARP Configuring the Firebox for Mobile User VPN Mobile User VPN requires careful configuration of both the Firebox and the remote client computers However unlike Remote User PPTP the Firebox admin...

Page 148: ... user identification IP addresses and settings required to create a secure tunnel between the remote computer and the Firebox Defining a new mobile user From Policy Manager 1 Select Network Remote User Click the Mobile User VPN tab 2 Click Add The Mobile User VPN wizard appears 3 Click Next 4 Use the Select User Name drop list to select a user The only names that appear in the drop list are users ...

Page 149: ...t to step through the wizard reconfiguring the end user configuration according to your security policy preferences 5 To add access to a new network or host proceed to the Multiple Policy Configuration step in the Mobile User VPN wizard Click Add You can also use the Multiple Policy Configuration step to change the virtual IP address assigned to the remote user 6 Use the drop list to select Networ...

Page 150: ...ion and help with future troubleshooting Because enabling these debugging options can significantly increase log message volume and have potentially adverse impacts on Firebox performance it is recommended that they be enabled only for troubleshooting RUVPN problems Debugging Mobile User VPN 1 From Policy Manager click Network Remote User VPN The Remote User setup window appears with the Mobile Us...

Page 151: ...ser VPN Uses Internet Protocol Security IPSec This type of RUVPN is an optional feature of the WatchGuard package It also requires that the Firebox be approved and upgraded to strong or medium encryption level RUVPN requires configuration of both the Firebox and the end user remote host computers This section describes how to configure a remote host for Remote User VPN with PPTP For information on...

Page 152: ...yption Platform Application Both Windows 95 DUN 1 3 Both Windows 98 DUN 4 0 Base Windows 98 SE Second Edition Strong Windows 98 SE DUN 128 bit Base Windows NT 40 bit SP4 Strong Windows NT 128 bit SP4 Base Windows 2000 40 bit SP4 Strong Windows 2000 128 bit SP4 40 bit encryption is the default for Windows 2000 If you are upgrading from Windows 95 or 98 in which you had set strong encryption Windows...

Page 153: ...work Connections checkbox 7 Proceed with Step 3 of Windows 95 98 platform preparation Installing Dial Up Adapter 2 VPN Support 1 Click Add 2 Select Adapter Click Add 3 Select Microsoft from the list on the left Select Dial Up Adapter from the list on the right Click OK 4 Proceed with Step 8 of Windows 95 98 platform preparation Windows NT platform preparation Install the 40 bit or 128 bit service ...

Page 154: ... click Network The Network dialog box appears 2 Click the Protocols tab 3 Select Computer Browser Click Properties 4 Add the remote network domain name You can add multiple domain names during the same configuration session 5 Click OK 6 Reboot the workstation Setting up RUVPN for Windows 2000 From the Windows Desktop of the client computer 1 Click Start and point to Settings Click Dial Up Network ...

Page 155: ...1 Double click My Computer Double click Dial Up Networking Or click Start and point to Settings Click Dial Up Network and Connections 2 Double click Make New Connection 3 Enter a friendly name for the connection The connection name used in the WatchGuard client brochures included on the LiveSecurity installation CD ROM is Connect with RUVPN 4 Select the device Microsoft VPN Adapter Click Next 5 En...

Page 156: ... to RUVPN 4 Under the Basic tab configure the following settings Phone Number Firebox IP address Entry Name Connect to RUVPN or your preferred alternative Dial Using RASPPTPM VPN1 adapter Use Another Port if Busy enabled 5 Click the Server tab Configure the following settings PPP Windows NT Windows 95 Plus Internet TCP IP enabled Enable Software Compression enabled 6 Click the Security tab Configu...

Page 157: ...options WatchGuard offers a selection of debugging options that you can set to gather information and help with future troubleshooting For information on how to enable logging for IPSec see Debugging Mobile User VPN on page 140 For information on how to enable logging for PPTP see Debugging Remote User VPN PPTP on page 140 Remote User PPTP is usually set up such that the remote machines use nonpub...

Page 158: ...Configuring debugging options 148 ...

Page 159: ...ion 1 123 configuring services 51 CRYPTOCard 83 90 91 displaying list 98 Firebox 88 Firebox IP 4100 87 how it works 87 implementing 83 introduction to 87 ipsec_users 88 java 87 methods 87 pptp_users 88 RADIUS 83 89 viewing host information 96 Windows NT 83 88 Auto block duration changing 44 Avoiding IP 124 B BandwidthMeter 94 Blocked ports 43 45 blocking destination ports 45 introduction 19 loggin...

Page 160: ... 115 Consolidated sections reports 111 HTTP summary 118 network statistics 117 time summary proxied traffic 118 Content types MIME 53 selecting 53 Contents searching online help 15 Context sensitive help 16 Control Center 2 27 changing display size 27 changing polling rate 30 description 19 Firebox Monitors 2 Historical Reports 2 HostWatch 2 LogViewer 2 opening tools 31 Policy Manager 2 QuickGuide...

Page 161: ...3 Event processor 70 Exceptions configuring for service based NAT 65 setting in WebBlocker 61 Exceptions reports denied authentication details 117 denied incoming outgoing packet detail 117 denied packet summary 117 denied service detail 117 WebBlocker detail 117 exp file 138 Expiration key interval 123 Export log data 104 Exporting reports 112 External interface 35 External Network description 22...

Page 162: ...000 requirements 3 Windows 95 requirements 3 Windows NT requirements 3 Firebox System options high availability 17 mobile user VPN 18 purchasing 18 SpamScreen 18 VPN manager 17 WatchGuard SOHO 18 Firebox User groups 134 Fireboxmonitors 2 Flash Disk management tool 26 for Firebox System software update 7 Forms completing Support Indicent form 12 FTP 94 99 and Optional network 22 Proxy 54 proxy repo...

Page 163: ...ring BOVPN services 129 creating a policy 128 editing gateway 125 ESP 126 removing gateway 126 security disposition 128 IPSec with RUVPN 133 141 ipsec_users 88 92 134 J Java 87 K Key interval 123 Key negotiation type ISAKMP or manual 125 Keyphrase 103 searching LogViewer by 104 Keyword search 15 Known issues 12 Firebox System 12 L Launch interval setting 77 License entering keys for MUVPN 138 purc...

Page 164: ...rpreting VPN display 27 reading VPN display 27 setting view properties 94 VPN front panel 28 VPN red exclamation point 29 Monitoring Firebox activity 83 high availability host 28 introduction 93 through Control Center 2 Monitors Firebox 2 HostWatch 2 98 description 33 display properties 100 modifying view properties 101 opening 33 replaying a log file 99 viewing authenticated users 100 viewing hos...

Page 165: ...g for topics 15 using index search 15 Online help starting 15 OOB see also Out of Band Opening configuration file 23 configuration file from Firebox 23 log file in LogViewer 103 Optional features 5 Optional interface 35 Optional Network definition 22 Optional network and FTP 22 Web server 22 Options configuring debugging 147 High Availability 17 Mobile User VPN 18 purchasing 18 SpamScreen 18 VPN M...

Page 166: ... Synchronizing NT event processors 72 LogViewer consolodating logs 106 copying log files 107 displaying and hiding fields 105 forcing log file roll over 107 opening a log file 103 searching for entries 104 setting preferences 103 Monitor connecting HostWatch 99 connecting to a Firebox 93 controlling HostWatch display 100 modifying view properties on HostWatch 101 replaying a log file 99 setting Fi...

Page 167: ...mote Access Server Rebooting 72 SOHO 124 Red exclamation point in VPN Monitor 29 Reinitializing Firebox 25 Related network see also Secondary network Remote User PPTP starting 146 Remote user using PPTP 146 Removing gateway 126 reports 110 SOHO tunnel 124 Repeat count 77 setting 77 Replaying a log file 99 Report sections introduction 115 Reports 83 Authentication details 115 Consolidated sections ...

Page 168: ...lp index 15 Secondary network 38 adding 38 Sections consolidated 111 in reports 110 Security disposition 128 fundamentals 1 Security attacks address space probes 43 port space probes 43 spoofing 43 Security policy changin IPSec order 129 creating with IPSec 128 default packet handling 43 opening configuration file 23 Security Suite features 2 Security tools opening 31 Security Triangle display 22 ...

Page 169: ...ephone 12 frequently asked questions 11 Internet 12 known issues 12 telephone support 12 Telephone Technical Support 12 telnet 99 Text file exporting reports to 113 Threat Response 7 Time filters 111 Time spans setting in reports 111 Time zone 25 Timeout disconnects 81 Topic search 15 Traffic Monitor limiting messages 30 Traffice volume indicator 28 Training Firebox System Basics 13 instructor led...

Page 170: ...60 downloading DB 62 exceptions 61 introduction 19 59 logging 60 prerequisites 60 proxied HTTP 60 reverting to old database 59 scheduling 61 scheduling hours 61 setting privileges 61 time zone 25 webblocker db 59 with HTTP proxy 19 WebTrends 112 Exporting reports 113 WG SMS Notifier See WG LiveSecurity Event Processor 74 wg_ Icons working with 50 wg users watchguard com 14 What s This Help 16 Wind...