Watchguard Firebox SOHO 6.1, User Manual

Page 1: ...WatchGuard Firebox SOHO 6 User Guide SOHO 6 1 ...

Page 2: ...t navigating in your computer s environment please refer to your system user manual The following conventions are used in this guide Convention Indication Bold type Menu commands dialog box options Web page options Web page names For example On the System Information page select Disabled NOTE Important information a helpful tip or additional instructions ...

Page 3: ...ference received including interference that may cause undesired operation CE Notice The CE symbol on your WatchGuard Technologies equipment indicates that it is in compliance with the Electromagnetic Compatibility EMC directive and the Low Voltage Directive LVD of the European Union EU Industry Canada This Class A digital apparatus meets all requirements of the Canadian Interference Causing Equip...

Page 4: ...iv WatchGuard Firebox SOHO 6 1 VCCI Notice Class A ITE ...

Page 5: ...User Guide v Declaration of Conformity ...

Page 6: ... laws and international copyright treaties as well as other intellectual property laws and treaties This is a license agreement and NOT an agreement for sale All title and copyrights in and to the SOFTWARE PRODUCT including but not limited to any images photographs animations video audio music text and applets incorporated into the SOFTWARE PRODUCT the accompanying printed materials and any copies...

Page 7: ...entation that accompanies it If the SOFTWARE PRODUCT fails to operate in accordance with this warranty you may as your sole and exclusive remedy return all of the SOFTWARE PRODUCT and the documentation to the authorized dealer from whom you obtained it along with a dated proof of purchase specifying the problems and they will provide you with a new version of the SOFTWARE PRODUCT or a full refund ...

Page 8: ...es Incorporated 505 5th Ave South Suite 500 Seattle WA 98104 6 Export Controls You agree not to directly or indirectly transfer the SOFTWARE PRODUCT or documentation to any country to which such transfer would be prohibited by the U S Export Administration Act and the regulations issued thereunder 7 Termination This license and your right to use the SOFTWARE PRODUCT will automatically terminate if...

Page 9: ... Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United States and other countries RC2 Symmetric Block Cipher RC4 Symmetric Stream Cipher RC5 Symmetric Block Cipher BSAFE TIPEM RSA Public Key Cryptosystem MD MD2 MD4 and MD5 are either trademarks or registered trademarks of RSA Data Security Inc Certain materials herein are Copyright 1992 1999 RSA Data Sec...

Page 10: ...s package is used in a product Eric Young should be given attribution as the author of the parts of the library used This can be in the form of a textual message at program startup or in documentation online or textual provided with the package Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributio...

Page 11: ...SSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL RALF S ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR B...

Page 12: ...TE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This software consists of voluntary contributions made by many individuals on behalf of the Apache S...

Page 13: ...tion Travel on the Internet 4 IP addresses 4 Protocol 4 Port numbers 5 How Does the SOHO 6 Process Information 5 Services 5 Network Address Translation 5 The SOHO 6 Hardware Description 6 The SOHO 6 front and rear views 6 CHAPTER 2 Installation 11 Before You Begin 12 Review and record your current TCP IP settings 12 ...

Page 14: ...27 Register your SOHO 6 and Activate the LiveSecurity Service 27 Reboot the SOHO 6 28 CHAPTER 4 Configure the Network Interfaces 31 Configure Your External Network 31 Network addressing 31 Configure the SOHO 6 External Network for dynamic addressing 32 Configure the SOHO 6 External Network for static addressing 33 Configure the SOHO 6 External Network for PPPoE 34 Configure the Trusted Network 36 ...

Page 15: ...Options 57 View the Configuration File 60 CHAPTER 6 Configure the Firewall Settings 61 Firewall Settings 61 Configure Incoming and Outgoing Services 62 Pre configured Services 62 Create a Custom Service 63 Block External Sites 65 Firewall Options 67 Ping requests received on the External Network 68 Denying FTP access to the Trusted Network interface 68 SOCKS implementation for the SOHO 6 68 Loggin...

Page 16: ...y step Instructions for Configuring a SOHO 6 VPN Tunnel 86 Special Considerations 87 Frequently Asked Questions 87 Set Up Multiple SOHO SOHO VPN Tunnels 89 Configure Split Tunneling 93 MUVPN Clients 93 View the VPN Statistics 94 CHAPTER 9 SOHO 6 WebBlocker 95 How WebBlocker Works 95 Web site not in the WebBlocker database 96 Web site in the WebBlocker database 96 WatchGuard WebBlocker database una...

Page 17: ...r Categories 103 CHAPTER 10 Support Resources 107 Troubleshooting Tips 107 General 107 Configuration 111 VPN Management 114 Contact Technical support 116 Online Documentation and In Depth FAQs 116 Special Notices 116 Index 117 ...

Page 18: ...xviii WatchGuard Firebox SOHO 6 1 ...

Page 19: ...User Guide 1 CHAPTER 1 Introduction Welcome Congratulations on purchasing the ideal solution for providing secure access to the Internet the WatchGuard Firebox SOHO 6 or SOHO 6tc security appliance ...

Page 20: ...mes with the VPN option pre installed Your new SOHO 6 provides peace of mind when connecting to the Internet using a high speed cable or DSL modem a leased line or ISDN The most current installation and user information is available at the WatchGuard Web site http support watchguard com sohoresources The Package Contents First things first check the package contents to make sure you have the follo...

Page 21: ...deo audio conferencing It also presents dangers to the privacy and security of your computer On the trusted side of your SOHO 6 firewall are all the appliances you want to protect from these dangers As is illustrated in the image below the SOHO 6 physically separates your trusted network from the Internet Using rules or policies outlined in Chapter 3 Configure Incoming and Outgoing Services on pag...

Page 22: ...r identifying both where the information is going and how it is handled en route IP addresses An IP address defines the specific computer on the Internet that sends or receives a packet Every computer on the Internet has a unique address including your SOHO 6 When defining a service behind a firewall you need to include the trusted network address for the computer hosting the application On the In...

Page 23: ...led dynamic NAT Network Address Translation Without dynamic NAT your trusted private addresses are passed along the Internet to their destination In addition the SOHO 6 protects your trusted network by disguising private IP addresses During an Internet connection all traffic passed between computers includes IP address information However because of the dynamic NAT feature applications and servers...

Page 24: ...rom those of previous SOHO models Faster Processor The SOHO 6 has a new network processor running at a speed of 150MHz It also includes built in Ethernet and encryption technology Ethernet ports The SOHO 6 has six 10 100 Base TX ports labeled OPT WAN and numbered 0 3 The SOHO 6 front and rear views The SOHO 6 has fourteen indicator lights on the front panel of the appliance The following photograp...

Page 25: ...etwork The link indicator blinks when traffic is passing through the interface 100 When a trusted network interface runs at 10Mb the 100 indicator is not illuminated When the network interface runs at 100 Mb the 100 indicator is yellow WAN Indicates a good physical connection to the external WAN port The indicator blinks when traffic is passing through the interface Mode Indicates that the SOHO 6 ...

Page 26: ...of the appliance The following photograph shows the entire rear view OPT port This Ethernet port corresponds to the Optional interface This interface is activated when you purchase the Dual ISP Port upgrade or VPNforce Port Upgrade For more information on the Dual ISP Port and VPNforce Port upgrade see Configure OPT Port Upgrades on page 44 ...

Page 27: ...to the factory defaults For more information on performing this function see Reset a SOHO 6 to factory default on page 26 NOTE The OPT port is only available if you purchase the software upgrades You can not use the OPT port as another internet port on the Trusted network WAN port This Ethernet port corresponds to the external interface 4 numbered ports 0 3 These Ethernet ports correspond to the t...

Page 28: ...Chapter 1 Introduction 10 WatchGuard Firebox SOHO 6 1 ...

Page 29: ...st complete the following steps Review and record your current TCP IP settings Disable the HTTP proxy setting of your Web browser Enable your computer for DHCP Physically connect the SOHO 6 to your network For a quick summary of this information see the Firebox SOHO 6 QuickStart Guide included with your SOHO 6 ...

Page 30: ...and the SOHO 6 to your computer A functioning Internet connection If your connection does not work please contact your ISP Internet Service Provider Call your ISP to find out which method they use to issue your network addressing static addresses DHCP or PPPoE You need this information later in the installation process see Configure Your External Network on page 31 An installed Web browser either ...

Page 31: ...ings in the chart provided below 4 Click Cancel Microsoft Windows 95 or 98 or ME 1 Click Start Run 2 Type winipcfg Click OK 3 Select the Ethernet Adapter 4 Enter the TCP IP settings in the chart provided below 5 Click Cancel Macintosh 1 Click the Apple menu Control Panels TCP IP 2 Enter the TCP IP settings in the chart provided below 3 Close the window Other operating systems Unix Linux 1 Consult ...

Page 32: ...SOHO 6 If the HTTP proxy setting in your browser is enabled you cannot access these pages making it impossible to complete the configuration process With the HTTP proxy enabled the browser automatically points itself to Web pages located on the Internet and you cannot direct the browser to Web pages located in other places Disabling the HTTP does not prevent you from accessing your favorite Web si...

Page 33: ... left hand side of the window click the symbol before the Advanced heading to expand the list 4 Click Proxies 5 Verify that the Direct Connection to the Internet option is enabled 6 Click OK to save the settings Netscape 6 x 1 Open Netscape 2 Click Edit Preferences The Preferences window appears 3 From among the categories listed on the left side of the window click the arrow symbol before the Adv...

Page 34: ...onfiguration pages on the SOHO 6 after you have physically connected it your computer must be configured to receive it s network IP address by DHCP For more information regarding network addressing as well as DHCP see Network addressing on page 31 NOTE The configuration instructions in this section are for the Windows 2000 operating system 1 Click Start Settings Control Panel The Control Panel win...

Page 35: ...ide 17 Before You Begin 4 Click Properties The network connection Properties dialog box appears 5 Double click the Internet Protocol TCP IP component The Internet Protocol TCP IP Properties dialog box appears ...

Page 36: ...e Internet Protocol TCP IP Properties dialog box Click OK again to close the network connection Properties dialog box Click Close to close the network connection dialog box Close the Control Panel window Physically connect the SOHO 6 Your SOHO 6 protects a single computer or a multi computer network It also functions as a hub to connect a variety of other appliances ...

Page 37: ...ve no more than four appliances to connect 1 Shut down your computer If you connect to the Internet using a DSL cable modem disconnect the power from this device 2 Disconnect the Ethernet cable that runs from your DSL cable modem or other Internet connection to your computer and connect it to the WAN port on the SOHO 6 The SOHO 6 is now connected directly to the modem or other Internet connection ...

Page 38: ...ing the modem is ready for use 5 Attach the AC adapter to the SOHO 6 and connect it to a power source 6 Restart your computer For information on the factory default configuration options see Default Factory Settings on page 25 For specialized configurations see Configure Your External Network on page 31 as well as Configure the Trusted Network on page 36 Cabling the SOHO 6 for more than four compu...

Page 39: ...access the Internet are allowed through the SOHO 6 A seat is taken when a computer connects to the Internet To upgrade your SOHO 6 user license please visit http www watchguard com sales buyonline asp You need these additional items One or more Ethernet hubs An Ethernet cable with RJ 45 connectors for each computer to connect to the SOHO 6 An Ethernet cable to connect each hub to the SOHO 6 1 Shut...

Page 40: ...plink port of the hub The SOHO 6 is now connected to the Internet and your hub 4 Connect Ethernet cables to the uplink ports of the hub and to the Ethernet ports of each of your computers 5 If you connect to the Internet using a DSL cable modem restore the power to this device When the indicator lights of the modem stop flashing the modem is ready for use 6 Attach the AC adapter to the SOHO 6 and ...

Page 41: ...n connect to it using your Web browser The SOHO 6 includes a Web server that provides a configuration Web page interface The SOHO 6 Home Page System Status With your Web browser go to the System Status page of the SOHO 6 using the default IP address of the Trusted Network http 192 168 111 1 ...

Page 42: ...ectively the home page of the SOHO 6 A variety of information is revealed in an effort to provide a comprehensive display of the SOHO 6 configuration This information includes The firmware version The serial number of the appliance A few of the SOHO 6 features and their status WSEP Logging VPN Manager Access Syslog ...

Page 43: ...ton in order to terminate or initiate the PPPoE connection Configuration information on firewall settings Incoming and Outgoing services A reboot button to restart the SOHO 6 Default Factory Settings Your SOHO 6 has the following default network and configuration settings External Network External network settings use DHCP Trusted Network The trusted network IP address is 192 168 111 1 All compute...

Page 44: ...d and no settings are configured Upgrade Options No upgrade options are enabled until the license keys are redeemed Reset a SOHO 6 to factory default Firmware corruptions or other unforeseen events such as a lost System Security passphrase require you to reset the SOHO 6 to its factory default settings To do this first disconnect the power supply Then find the reset button located at the rear of t...

Page 45: ... on page 20 Register your SOHO 6 and Activate the LiveSecurity Service Once the SOHO 6 is installed and configured you need to register the unit and activate your bundled LiveSecurity Service subscription Activation entitles you to receive threat alert notifications expert security advice free anti virus protection software updates technical support by web or phone and access to extensive online h...

Page 46: ...nstructions on screen for activating a product Please use the table below to record your LiveSecurity Service identification information The SOHO 6 serial number is located on the bottom of the appliance You create a LiveSecurity Service user name and password when you register your SOHO 6 Please keep this information in a secure place Reboot the SOHO 6 To reboot a SOHO 6 located on a local system...

Page 47: ...TP Web or FTP traffic to the trusted address of the SOHO 6 For information on configuring a SOHO 6 to allow incoming traffic see Configure Incoming and Outgoing Services on page 62 You then use one of these methods With your Web browser go to the System Status page using the external IP address of the SOHO 6 Click Reboot Send an FTP command to the remote SOHO 6 Use an FTP application to connect to...

Page 48: ...Chapter 3 SOHO 6 Basics 30 WatchGuard Firebox SOHO 6 1 ...

Page 49: ...g Each networked computer must have an IP address to identify itself to other computers IP address assignments are either dynamic or static With a dynamic IP address your ISP assigns each computer a different address each time it connects to the server When you power down the computer you release that IP address allowing it to be reassigned A static IP address is assigned to your computer at all t...

Page 50: ... and PPP by simulating a standard dial up connection It is popular among many ISPs because it allows them to use their existing dial up infrastructure such as billing authentication and security for DSL and cable modems When configured to use PPPoE the connection can be manually connected or disconnected from the System Status page Contact your ISP to determine which method they use to assign your...

Page 51: ...municating directly to your computer the ISP now communicates through the SOHO 6 1 With your Web browser go to the System Status page using the trusted IP address of the SOHO 6 For example if using the default IP address go to http 192 168 111 1 2 From the navigation bar on the left side select Network External The External Network Configuration page appears 3 From the Configuration Mode drop list...

Page 52: ...o see if they use PPPoE If you cannot find this information contact your ISP and ask them You need your PPPoE login name and password To configure the SOHO 6 for PPPoE 1 Open your Web browser and click Stop At this point the Internet connection is not fully configured and the computer cannot load your home page from the Internet However the computer can access the configuration Web pages installed...

Page 53: ...a constant flow of heartbeat traffic between the SOHO 6 and the PPPoE server In the event of routine packet loss this option allows the SOHO 6 to maintain the PPPoE connection The SOHO 6 may reboot to recover this connection if the heartbeat fails This provides for a more consistent Internet connection and is seen as continuous traffic by the ISP and regulated and in some cases billed as such This...

Page 54: ...lly attempts to obtain its addresses from the SOHO 6 If you use a cerntralized DHCP server to hand out IP addresses the SOHO 6 has a DHCP Relay feature that forwards the DHCP request to the specified DHCP server Configure DHCP Server and DHCP Relay To configure DHCP server 1 With your Web browser go to the System Status page using the Trusted IP address of the SOHO 6 For example if using the defau...

Page 55: ...er on the Trusted Network 5 Enter the first IP address the DHCP server will hand out to computers connect to the Trusted network 6 Enter the WINS Server address DNS Server address primary and secondary and DNS Domain server suffix 7 Click Submit and reboot the SOHO 6 as necessary To configure the DHCP Relay Server 1 From the Trusted Network Configuration page enable the checkbox labeled Enable DHC...

Page 56: ...rom up to four computers Network a larger number of computers together using one or more 10BaseT Ethernet hubs with RJ 45 connectors The SOHO 6 system coexists with other systems over the same LAN Local Area Network If you mix computers with different operating systems on your network they pass traffic through the SOHO 6 to access the Internet Follow these steps to add one or more computers to you...

Page 57: ...ollow these steps 1 With your Web browser go to the System Status page using the Trusted IP address of the SOHO 6 For example if using the default IP address go to http 192 168 111 1 2 From the navigation bar on the left side select Network Trusted The Trusted Network Configuration page appears 3 Enter the IP address and the Subnet Mask in the appropriate fields ...

Page 58: ...The SOHO 6 allows you to configure static routes in order to pass traffic to networks on separate segments This means that the SOHO 6 can route data packets to additional networks connected to a router or switch behind the SOHO 6 Follow these instructions to configure static routes 1 With your Web browser go to the System Status page using the Trusted IP address of the SOHO 6 For example if using ...

Page 59: ...User Guide 41 Configure Static Routes The Routes page appears 3 Click Add The Add Route page appears 4 From the Type drop list select either Host or Network ...

Page 60: ...work Statistics The SOHO 6 has a configuration page that displays a variety of network statistics to assist in monitoring data traffic as well as troubleshooting potential problems Follow these instructions to view this page 1 With your Web browser go to the System Status page using the Trusted IP address of the SOHO 6 For example if using the default IP address go to http 192 168 111 1 2 From the...

Page 61: ...that their dynamically assigned IP address is reassigned 1 With your Web browser go to the System Status page using the Trusted IP address of the SOHO 6 For example if using the default IP address go to http 192 168 111 1 NOTE WatchGuard is not affiliated with dyndns org 2 From the navigation bar on the left side select Network DynamicDNS The Dynamic DNS client page appears 3 Select the Enable Dyn...

Page 62: ...to activate the new feature For more information on how to Upgrade the SOHO 6 see Redeem your SOHO 6 Upgrade Options on page 57 NOTE The OPT port is only available if you purchase a software upgrades You can not use the OPT port as another internet port on the Trusted network Configure Dual ISP Port The Dual ISP Port upgrade adds fail over support for the External interface This means that when th...

Page 63: ... external port EXT if this port comes back online unless you use PPPoE to assign IP addresses Once the fail over has switched to the optional port OPT the administrator has to change the configuration back to the external port EXT when it comes back online If you use PPPoE you can set an inactivity timeout which disables any inactive TCP connections until traffic resumes For information on setting...

Page 64: ...nnection This can be either a DSL cable modem or Hub 2 With your Web browser go to the System Status page using the Trusted IP address of the SOHO 6 For example if using the default IP address go to http 192 168 111 1 3 From the navigation bar on the left side select Network Dual ISP The Dual ISP Options page appears 4 Select the Enable Dual ISP checkbox 5 Enter the IP address for the External Int...

Page 65: ...re access to the corporate network while the other connection is used for non corporate functions When the optional port is activated with this upgrade a separate subnet is defined that is distinct from that used by the Trusted ports By default the subnet for the optional port is 192 168 112 0 Once you have upgraded to the SOHO 6 to activate this feature follow these instructions to configure VPNf...

Page 66: ...Enable Optional Network checkbox 4 Enter the configuration information IP address DHCP Server and DHCP Relay for the Optional Interface which is the same process as configuring the Trusted network For specific instructions on these fields see Configure the Trusted Network on page 36 5 To allow traffic between the Optional and Trusted network enable the Allow traffic between Optional Network and Tr...

Page 67: ...User Guide 49 Configure OPT Port Upgrades 6 To require encrypted MUVPN connections on this interface enable the Require Encrypted MUVPN connections on this interface checkbox 7 Click Submit ...

Page 68: ...Chapter 4 Configure the Network Interfaces 50 WatchGuard Firebox SOHO 6 1 ...

Page 69: ...the SOHO 6 using System Security enabling SOHO 6 Remote Management or providing VPN Manager Access You can also update the firmware enter the feature key for any upgrade options you have purchased and have redeemed at the LiveSecurity Service Web site as well as see the SOHO 6 configuration file in a text format ...

Page 70: ...nistrator name and system passphrase are designed to protect the SOHO 6 configuration from alteration by someone on your trusted network In other words when you configure a SOHO 6 system administrator name and system passphrase no one in your office is able to change deliberately or accidentally your firewall settings without the proper passphrase NOTE Make certain that you do not lose this name a...

Page 71: ...s to setup the SOHO 6 System Passphrase 1 With your Web browser go to the System Status page using the Trusted IP address of the SOHO 6 For example if using the default IP address go to http 192 168 111 1 2 From the navigation bar on the left side select Administration System Security The System Security page appears 3 Verify that the HTTP Server Port is set at 80 4 Select the System Security chec...

Page 72: ...ttp help watchguard com documentation soho asp Set up VPN Manager Access The SOHO 6 works with WatchGuard VPN Manager software access in order to configure and manage Branch Office VPN tunnels from a remote location VPN Manager software is purchased separately and must run on a WatchGuard Firebox II III For more information regarding the VPN Manager product use your Web browser to go to https www ...

Page 73: ... Manager Access The VPN Manager Access page appears 3 Select Enable VPN Manager Access 4 Enter the status passphrase and confirm it 5 Enter the configuration passphrase and confirm it NOTE These two settings must exactly match the passphrases used in the VPN Manager or the connection will fail 6 Click Submit ...

Page 74: ...rowser go to the System Status page using the Trusted IP address of the SOHO 6 For example if using the default IP address go to http 192 168 111 1 2 From the navigation bar on the left side select Administration Update The Update page appears NOTE If you are managing your SOHO 6 from a computer running an operating system other than Windows such as a Macintosh or Linux OS you must update your fir...

Page 75: ... a SOHO 6 the software for all upgrade options is provided with the unit regardless of whether you have actually purchased any of those options The Feature Key that enables these software options is stored within the SOHO 6 Once you purchase an upgrade option and redeem it at the LiveSecurity Service Web site you will receive a Feature Key which you can then copy and paste into a SOHO 6 configurat...

Page 76: ...r go to the System Status page using the Trusted IP address of the SOHO 6 For example if using the default IP address go to http 192 168 111 1 6 From the navigation bar on the left side select Administration Upgrade The Upgrade page appears 7 Paste the Feature Key in the appropriate field 8 Click Submit Upgrade options Seat Licenses This upgrade to the SOHO 6 provides more seats than the base mode...

Page 77: ... the VPN upgrade in order to configure virtual private networking The SOHO 6 does not come with the VPN upgrade license key This license key is purchased separately WebBlocker The SOHO 6 has a Web filtering option This license key is purchased separately MUVPN Clients With this upgrade the SOHO 6 allows remote users to securely connect to it through an IPSec VPN and access network resources on the...

Page 78: ...tion File From this configuration page the SOHO 6 configuration file appears in text format 1 With your Web browser go to the System Status page using the Trusted IP address of the SOHO 6 For example if using the default IP address go to http 192 168 111 1 2 From the navigation bar on the left side select Administration View Configuration File The View Configuration File page appears ...

Page 79: ...ke These decisions are made in accordance with a sound security policy that defines the kinds of risks that are acceptable to you or your firm WatchGuard identifies several commonly used services that are used to define incoming and outgoing access A service is the combination of protocol and port numbers associated with a specific application or communication type ...

Page 80: ...ice It is important to remember that each service you add opens a small window into your trusted network and marginally reduces your security This is the inherent trade off between access and security Pre configured Services Each service is defined by a combination of Internet protocols and port numbers to uniquely identify the connection type to applications and servers on the Internet The SOHO 6...

Page 81: ...computer to which this rule applies In our example 192 168 111 2 4 Click Submit Create a Custom Service In addition to the pre configured services provided by the SOHO 6 configuration page you can create custom services using either a TCP port UDP port or specifying an IP protocol Follow these steps to create a custom service 1 With your Web browser go to the System Status page using the Trusted I...

Page 82: ...a name for the service in the appropriate field 4 Beneath the Protocol Settings fields select either TCP Port UDP Port or Protocol from the drop list The Custom Service page refreshes NOTE In addition to TCP and UDP ports there are several other types of Internet protocols To create a service for one of these protocols you must define the protocol number you cannot specify a port number ...

Page 83: ...e page refreshes 8 Enter either a single host IP address a network IP address or the start and end of a range of host IP addresses for this custom service in the appropriate fields 9 Click Add Repeat the last three steps until all the appropriate address information for this custom service appears in the appropriate fields 10 Click Submit Block External Sites By default the security stance of the ...

Page 84: ... Range from the drop list The Blocked Sites page refreshes 3 Enter either a single host IP address a network IP address or the start and end of a range of host IP addresses in the appropriate fields In our example Host IP Address is selected and the IP address entered is 207 68 172 246 4 Click Add The addressing appears in the Blocked Sites field 5 Click Submit ...

Page 85: ...used to provide further security for your private network These options are found on the Firewall Options page 1 With your Web browser go to the System Status page using the Trusted IP address of the SOHO 6 For example if using the default IP address go to http 192 168 111 1 2 From the navigation bar on the left side select Firewall Firewall Options The Firewall Options page appears ...

Page 86: ...oxy filter that works with SOCKS aware applications A typical SOCKS dependent application requires that several sockets be opened and made available to the Internet When a SOCKS aware application ICQ is an example registers with the SOCKS server SOCKS is able to manage the need of the application to have many ports open To use an application with SOCKS configure the application with the SOCKS serv...

Page 87: ... application available to anyone on your trusted network SOCKS applications therefore pose a significant security risk To disable the port and close the security risk see Disabling SOCKS on the SOHO 6 on page 70 Configuring your SOCKS application Other than making certain that port 1080 is open to run a SOCKS dependent application the rest of the configuration tasks is done with the SOCKS dependen...

Page 88: ... SOHO 6 from acting as a SOCKS proxy 2 Click Submit When you need to use SOCKS again follow this procedure 1 Disable the checkbox labeled Disable SOCKS proxy This enables the SOHO 6 to act as a SOCKS proxy 2 Click Submit The SOHO 6 is enabled again as a Proxy server and ready to pass SOCKS packets Logging all allowed outbound traffic By default the SOHO 6 logs only particular events and not all tr...

Page 89: ...xternal Network 2 Enter the MAC address that will be assigned to the SOHO 6 External Network NOTE If the External Network override MAC address text box is cleared and the SOHO 6 is rebooted the SOHO 6 will automatically go back to the factory default External MAC address 3 Click Submit As a guard against MAC address collisions the SOHO 6 will look for the External Network override MAC address peri...

Page 90: ...P address go to http 192 168 111 1 2 From the navigation bar on the left side select Firewall Pass Through The Unrestricted Pass Through IP Address page appears 3 Select Enable pass through address 4 Enter the IP address to the pass through machine in the appropriate field This must be a public IP address In our example 208 253 208 103 5 Click Submit NOTE Use of the Pass Through feature increases ...

Page 91: ...User Guide 73 Create an Unrestricted Pass Through and Trusted network computers are not protected from potential threats do not use the Pass Through feature ...

Page 92: ...Chapter 6 Configure the Firewall Settings 74 WatchGuard Firebox SOHO 6 1 ...

Page 93: ...mmunication with the WatchGuard WebBlocker database or incoming traffic passing through the SOHO 6 Logging is intended to record the kinds of activities that indicate security concerns most importantly denied packets Certain patterns of denied packets can indicate the type of attack that is being attempted Remember that if power to the SOHO 6 is removed the messages are lost ...

Page 94: ... the WatchGuard Time Server discarded packets for a packet handling violation duplicate messages or return error messages and IPSec messages To view these messages 1 With your Web browser go to the System Status page using the Trusted IP address of the SOHO 6 For example if using the default IP address go to http 192 168 111 1 2 From the navigation bar on the left side select Logging The Logging p...

Page 95: ... WatchGuard Firebox System software used by a Firebox II III The WSEP application runs on a dedicated log host and records log messages generated by the Firebox II III If you have a Firebox II III and have configured the WSEP to accept logs from your SOHO 6 then follow these instructions to send your event logs to the WSEP 1 With your Web browser go to the System Status page using the Trusted IP a...

Page 96: ...Enable WatchGuard Security Event Processor Logging 4 Enter the IP address of the WSEP server that is your log host in the appropriate field In our example 192 168 111 5 5 In the Log Encryption Key field enter a passphrase and confirm it 6 Click Submit NOTE This encryption key must be identical to the one used in the WSEP ...

Page 97: ...our Web browser go to the System Status page using the Trusted IP address of the SOHO 6 For example if using the default IP address go to http 192 168 111 1 2 From the navigation bar on the left side select Logging Syslog Logging The Syslog Logging page appears 3 Select Enable syslog output 4 Enter the IP address of the Syslog server In our example 206 253 208 100 5 Click Submit ...

Page 98: ... a VPN tunnel the traffic is encrypted with IPSec technology and therefore less of a security risk Set the System Time The SOHO 6 stamps each log entry with the time that the event occurred The log entry time stamp displays the time of day according to the settings for the system time To set the system time 1 With your Web browser go to the System Status page using the Trusted IP address of the SO...

Page 99: ...Port 37 Time Server 4 Select Get Time From TCP Port 37 Time Server at 5 Enter the IP address of the time server in the appropriate field 6 Click Submit To adjust your log messages for daylight savings time or set the time zone Select Adjust for daylight savings time Select a time zone from the drop list Time Zone adjustments are only applied when using the WatchGuard time server ...

Page 100: ...Chapter 7 Configure Logging 82 WatchGuard Firebox SOHO 6 1 ...

Page 101: ...ng VPN tunnels enable you to securely connect computers in two locations without requiring expensive dedicated point to point data connections With VPN you use low cost connections to the Internet to create a virtual connection between two branch offices Unlike a simple unencrypted Internet connection a VPN connection eliminates any significant risk of data being read or altered by outside users a...

Page 102: ...ce IP address optional If available a secondary DNS address Domain name optional Network addresses and subnet mask for networks By default the Trusted network address of the SOHO 6 is 192 168 111 0 and the subnet mask is 255 255 255 0 NOTE The internal networks on either end of the VPN tunnel must use different network addresses To create an IPSec tunnel between appliances you must add information...

Page 103: ...P address WatchGuard recommends using an address from one of the reserved ranges 10 0 0 0 8 172 16 0 0 12 255 240 0 0 192 168 0 0 16 255 255 0 0 You Site A 192 168 111 0 24 Site B 192 168 222 0 24 Shared Secret A phrase stored at both ends of the tunnel to authenticate the transmission as being from the claimed origin The secret can be any phrase but mixing numerical special alphabetical and upper...

Page 104: ...ade license key Step by step Instructions for Configuring a SOHO 6 VPN Tunnel WatchGuard has developed a series of step by step instructions to facilitate configuration for a SOHO 6 VPN tunnel to any of several other IPSec compliant appliances To download these instructions using your Web browser go to https support watchguard com AdvancedFaqs sointerop_main asp Authenticati on Both sides must use...

Page 105: ...find its remote counterpart Both appliances must use the same encryption method The two choices are DES or 3DES When connecting two Microsoft Windows NT networks the two networks must be in the same Microsoft Windows domain or be trusted domains This is a Microsoft Networking design implementation and not a limitation of the SOHO 6 Frequently Asked Questions Why do I need a static external address...

Page 106: ...should get a reply If not verify the External network settings of Site B If they are correct verify that computers at Site B have access to the internet If you are still having trouble contact your ISP 2 Once you are able to ping the external address of each SOHO 6 try pinging a local address From Site A ping 192 168 111 1 If the tunnel is up you should get a reply from the remote SOHO 6 If not re...

Page 107: ...VPN Manager s ability to set up a larger number of SOHO 6 to SOHO 6 tunnels remains To define multiple VPN tunnels to other SOHO 6 appliances 1 With your Web browser go to the System Status page using the trusted IP address of the SOHO 6 For example if using the default IP address go to http 192 168 111 1 2 From the navigation bar on the left side select VPN Manual VPN The Manual VPN page appears ...

Page 108: ...a VPN tunnel The shared key is used by the local and remote SOHO to encrypt and decrypt the data going across the tunnel The shared key is the same on both ends of the tunnel The gateways can encrypt and decrypt the data correctly only if they share the same key 5 Phase 1 setting can be left at the defaults shown or modified as desired To modify Phase 1 settings complete the following ...

Page 109: ...ther Domain Name or IP Address 8 In the Local ID and Remote ID box specify the name of the local or remote network The default is LocalID and RemoteID In the Type box specify IP Address or Domain Name If you are in Main Mode both the Local and Remote IDs must be IP Address If you are in Aggressive Mode and have a static IP address the Local ID must be IP Address and the Remote ID can be either IP ...

Page 110: ...ges checkbox to keep a VPN tunnel from going down because of time out conditions A small amount of traffic is sent across the VPN tunnel to keep it alive and functioning If the tunnel fails for any reason the SOHO 6 initiates a rekey of the tunnel to restore it This checkbox is enabled by default 16 Phase 2 setting can be left at the defaults shown or modified as desired To modify Phase 2 settings...

Page 111: ...em Status page using the trusted IP address of the SOHO 6 For example if using the default IP address go to http 192 168 111 1 2 From the navigation bar on the left side select VPN Manual VPN The Manual VPN page appears 3 Click Add The Add Gateway page appears 4 Enter the information to add the gateway For instructions on completing the Add Gateway page see Set Up Multiple SOHO SOHO VPN Tunnels on...

Page 112: ...tation on configuring your SOHO 6 once this upgrade option is purchased and redeemed are at http support watchguard com sohoresources View the VPN Statistics The SOHO 6 has a configuration page that displays a variety of VPN statistics to assist you in monitoring VPN traffic as well as troubleshooting potential problems To view the VPN Statistics page 1 With your Web browser go to the System Statu...

Page 113: ...relies on a URL database service which is owned and maintained by SurfControl The WebBlocker database contains many thousands of IP addresses and directories These addresses are divided into categories based upon content such as drug culture intolerance or sexual acts WatchGuard updates the Webblocker server with a new database at regular intervals Once you purchase and activate WebBlocker every t...

Page 114: ...base If the site is in the WatchGuard WebBlocker database the SOHO 6 checks whether or not to block that type or category of site When the category is blocked the browser displays a page informing the user that the site is unavailable for viewing If the category is not blocked the Web browser opens the page for viewing WatchGuard WebBlocker database unavailable If for any reason the WatchGuard Web...

Page 115: ...s in the household The SOHO 6 WebBlocker configuration page includes a full access password field Provide this password to those members of your trusted network allowed to bypass WebBlocker When a site is blocked or unavailable the user has the option of entering the full access password With the password entered the browser displays the otherwise blocked site After the password is entered the use...

Page 116: ... WebBlocker groups and users Activate WebBlocker Follow these instructions to activate WebBlocker create a full access password define the inactivity timeout value and require that your Web users authenticate if your are using the groups and users feature option 1 With your Web browser go to the SOHO 6 Configuration Settings page using the Trusted IP address of the SOHO 6 For example if using the ...

Page 117: ... are disconnected after sitting idle for 15 minutes 6 If you intend to use WebBlocker groups and users select Require Web users to authenticate 7 Click Submit to register your changes Create WebBlocker Groups and Users Follow these instructions to create WebBlocker Groups 1 With your Web browser go to the SOHO 6 Configuration Settings page using the Trusted IP address of the SOHO 6 For example if ...

Page 118: ...Chapter 9 SOHO 6 WebBlocker 100 WatchGuard Firebox SOHO 6 1 The WebBlocker Groups page appears 3 Click New to create a group name and profile ...

Page 119: ...onfigure the SOHO 6 WebBlocker 4 Define a Group Name and select the blocked categories for this group 5 Click Submit A new Groups page appears indicating the configuration changes were accepted and are providing access ...

Page 120: ...tchGuard Firebox SOHO 6 1 6 To the right of the Users field click New The New User page appears 7 Enter a unique user name and passphrase remember to confirm the passphrase Use the Group drop list to assign the new user to a given group ...

Page 121: ...he WebBlocker database contains the following 14 categories NOTE All the categories of sites to be blocked are selected by advocacy rather than opinion or educational material For example the drugs drug culture category blocks sites describing how to grow and use marijuana but does not block sites discussing the historical use of marijuana Alcohol tobacco Pictures or text advocating the sale consu...

Page 122: ...yrotechnics Drug Culture Pictures or text advocating the illegal use of drugs for entertainment This category includes substances that are used for other than their primary purpose to alter the individual s state of mind such as glue sniffing This does not include that is if selected these sites would not be WebBlocked under this category currently illegal drugs legally prescribed for medicinal pu...

Page 123: ...rimarily intended to hurt or inflict pain Topic includes obscene words phrases and profanity in either audio text or pictures Search Engines Search engine sites such as AltaVista InfoSeek Yahoo and WebCrawler Sports and Leisure Pictures or text describing sporting events sports figures or other entertainment activities Sex Education Pictures or text advocating the proper use of contraceptives Topi...

Page 124: ... pornographic CD ROMs and videos Full Nudity Pictures exposing any or all portions of human genitalia Topic does not include sites categorized as Partial Artistic Nudity containing partial nudity of a wholesome nature For example it does not include Web sites for publications such as National Geographic or Smithsonian magazine nor sites hosted by museums such as the Guggenheim the Louvre or the Mu...

Page 125: ... 6 General What do the PWR Status and Mode lights signify on the SOHO 6 When the PWR light is lit the SOHO 6 has power When the Status light is lit there is a management connection to the SOHO 6 When the MODE light is lit the SOHO 6 is operational If the PWR light is blinking The SOHO 6 is running from its backup flash memory You are able to connect to the SOHO 6 from a computer on one of the ...

Page 126: ...receive threat alert notifications expert security advice free anti virus protection software updates technical support by web or phone and access to extensive online help resources To activate make a note of your SOHO serial number then use your Web browser to go to http www watchguard com activate For more information see Register your SOHO 6 and Activate the LiveSecurity Service on page 27 How ...

Page 127: ...ernet are allowed through the SOHO 6 To clear the list of these first ten computers you must reboot the SOHO 6 What is a SOHO 6 Feature Key The Feature Key is an encrypted mask that tells the SOHO 6 which features are active It is obtained by redeeming an upgrade option license key at the LiveSecurity Service Web site You copy the Feature Key into a SOHO 6 configuration page and it is then stored ...

Page 128: ...ck to make sure that both sides of the cable are connected and that your Internet connection is active The link lights labeled 0 through 3 correspond to the four numbered Ethernet ports of the trusted network They tell you if the SOHO 6 is connected to a computer or hub If the lights are not lit the SOHO 6 is not connected to the computer or hub Check to make sure that both sides of the cable are ...

Page 129: ... side Two MAC addresses are often listed Please note these addresses and have them ready if you need Technical Support Configuration Where are the SOHO 6 settings stored The configuration parameters are stored in memory on the SOHO 6 How do I set up DHCP on the trusted network of the SOHO 6 1 Make sure your computer is set up to use DHCP For instructions see Enable your computer for DHCP on page 1...

Page 130: ... IP address of the SOHO 6 For example if using the default IP address go to http 192 168 111 1 2 From the navigation bar on the left side select Network Trusted 3 Disable Enable DHCP Server and then click Submit 4 Enter the information Click Submit How do I set up and disable Webblocker 1 With your Web browser go to the System Status page using the Trusted IP address of the SOHO 6 For example if u...

Page 131: ...k IP address of the computer hosting the service 5 Click Submit How do I allow incoming IP or uncommon TCP and UDP protocols You need the IP address of the computer that is receiving the incoming data and the IP protocol number that corresponds to the specific incoming IP protocol To allow an incoming IP protocol 1 With your Web browser go to the System Status page using the Trusted IP address of ...

Page 132: ...mputer to which this traffic is allowed 10 Click Submit VPN Management Before setting up VPN you must have Two properly configured and working SOHO 6s or one SOHO 6 with the latest version of firmware and one Firebox II III Each SOHO 6 must have the VPN option activated The static external IP address the network address and the subnet masks of both appliances The base trusted IP address of each SO...

Page 133: ...go to https www watchguard com products vpnmanager asp For more information on how to allow VPN Manager access to a SOHO 6 see the VPN Guide How do I set up VPN to a SOHO 6s For detailed information on how to configure a VPN tunnel between a SOHO 6 and another IPSec compliant appliance use your Web browser to go to https support watchguard com AdvancedFaqs sointerop_main asp 1 Log in to the site 2...

Page 134: ... maintains an extensive knowledge base consisting of product documentation in the form of printer friendly pdf files tutorials In Depth FAQs and more This information is available at https support watchguard com AdvancedFaqs 877 232 3531 U S End user support 206 521 8375 U S Authorized Reseller support 360 482 1083 International support ...

Page 135: ...43 DSL modems and SOHO 6 109 Dual ISP Port 44 Dynamic DNS client page 43 dynamic DNS service configuring 43 44 47 Dynamic Host Configuration Protocol See DHCP dynamic IP addresses configuring for 32 described 31 E events described 75 logging See logging External Network denying ping packets received on 68 F FAQs 116 feature keys 57 109 filter rules specifying for custom services 65 Filter Traffic ...

Page 136: ... keys redeeming 57 licenses upgrading 21 lights 100 7 link 7 MODE 107 Mode 7 power 6 PWR 107 Status 7 107 108 WAN 7 link indicator 7 LiveSecurity Service registering with 27 renewing subscription 59 log host setting WSEP 77 log messages contents of 76 synchronizing with computer 77 viewing 76 logging described 75 to a WSEP host 77 to Syslog host 79 Logging page 76 M MAC address of SOHO 6 111 MacIn...

Page 137: ... numbers 5 OPT 8 WAN 9 power input 9 PPPoE configuring for 34 described 32 pre configured services adding 62 protocols allowing incoming 113 described 4 PWR light 6 107 R rebooting 28 rebooting on remote system 29 registration 27 Remote Management 54 RESET button 8 resetting to factory default 26 Routes page 41 46 48 routes configuring static 40 S seat licenses upgrading 58 seat limitation 109 ser...

Page 138: ...iguring for 33 static routes configuring 40 Status light 7 107 108 Syslog Logging page 79 System Security page 52 53 System Status page 23 28 System Time page 81 system time setting 80 T TCP IP settings determining 12 14 technical support 116 time setting 80 traffic crearing unrestricted pass through 72 logging all outbound 70 traffic monitoring 42 troubleshooting 107 115 Trusted Network configuri...

Page 139: ...eshooting connections 88 viewing statistics 94 W WAN indicator 7 WAN port 9 WatchGuard Security Event Processor 77 WatchGuard Security Event Processor page 78 WebBlocker activating 98 categories 103 configuring 98 creating users and groups for 99 database 95 described 95 enabling and disabling 112 purchasing and activating 97 users and groups 97 WebBlocker Groups page 100 WebBlocker Settings page ...

Page 140: ...Index 122 WatchGuard Firebox SOHO 6 1 ...