Watchguard Firebox V10, User Manual

Page 1: ...WatchGuard Firebox Vclass User Guide Vcontroller 5 0 ...

Page 2: ...nd or other countries Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United States and other countries RC2 Symmetric Block Cipher RC4 Symmetric Stream Cipher RC5 Symmetric Block Cipher BSAFE TIPEM RSA Public Key Cryptosystem MD MD2 MD4 and MD5 are either trademarks or registered trademarks of RSA Data Security Inc Certain materials herein ar...

Page 3: ...tsoft com Copyright remains Eric Young s and as such any Copyright notices in the code are not to be removed If this package is used in a product Eric Young should be given attribution as the author of the parts of the library used This can be in the form of a textual message at program startup or in documentation online or textual provided with the package Redistribution and use in source and bin...

Page 4: ... use in the mod_ssl project http www modssl org THIS SOFTWARE IS PROVIDED BY RALF S ENGELSCHALL AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL RALF S ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIA...

Page 5: ...oped by Ralf S Engelschall rse engelschall com Copyright c 1999 2003 Ralf S Engelschall rse engelschall com Copyright c 1999 2003 The OSSP Project http www ossp org Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions...

Page 6: ...RE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE Regular expression support is provided by the PCRE library package which is open source software written by Philip Hazel and copyright by the University of Cambridge England Source code for the PCRE library can be obtained via ftp ftp ftp csx cam ac uk pub software programming pcre PCRE is a library of functions to support regular expressions whose s...

Page 7: ...ANTIES EXPRESS OR IMPLIED BY WAY OF EXAMPLE BUT NOT LIMITATION PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 2 2 2 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS 5 PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON 2 2 2 FOR ANY INCIDENTAL SPECIAL OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF M...

Page 8: ...tware and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software and use pieces of it in new free programs and that you are informed that you can do these things To protect your rights we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights These restrictions trans...

Page 9: ...special circumstances For example on rare occasions there may be a special need to encourage the widest possible use of a certain library so that it becomes a de facto standard To achieve this non free programs must be allowed to use the library A more frequent case is that a free library does the same job as widely used non free libraries In this case there is little to gain by limiting the free ...

Page 10: ...e program that uses the Library does 1 You may copy and distribute verbatim copies of the Library s complete source code as you receive it in any medium provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty keep intact all the notices that refer to this License and to the absence of any warranty and distribute a copy of th...

Page 11: ...to a given copy of the Library To do this you must alter all the notices that refer to this License so that they refer to the ordinary GNU General Public License version 2 instead of to this License If a newer version than version 2 of the ordinary GNU General Public License has appeared then you can specify that version instead if you wish Do not make any other change in these notices Once this c...

Page 12: ...ce provided that the terms permit modification of the work for the customer s own use and reverse engineering for debugging such modifications You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License You must supply a copy of this License If the work during execution displays copyright notices you must inc...

Page 13: ...rary facilities is otherwise permitted and provided that you do these two things a Accompany the combined library with a copy of the same work based on the Library uncombined with any other library facilities This must be distributed under the terms of the Sections above b Give prominent notice with the combined library of the fact that part of it is a work based on the Library and explaining wher...

Page 14: ... of that system it is up to the author donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License 12 If the distribution and or use of the Library is restricted in certain countries either by patents or by copyright...

Page 15: ... of the WatchGuard Vclass software incorporate source code covered under the GNU General Public License GPL To obtain the source code covered under the GPL please contact WatchGuard Technical Support at 877 232 3531 in the United States and Canada 1 360 482 1083 from all other countries This source code is free to download There is a 35 charge to ship the CD GNU GENERAL PUBLIC LICENSE Version 2 Ju...

Page 16: ... work under copyright law that is to say a work containing the Program or a portion of it either verbatim or with modifications and or translated into another language Hereinafter translation is included without limitation in the term modification Each licensee is addressed as you Activities other than copying distribution and modification are not covered by this License they are outside its scope...

Page 17: ...charge no more than your cost of physically performing source distribution a complete machine readable copy of the corresponding source code to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange or c Accompany it with the information you received as to the offer to distribute corresponding source code This alternative is allowed only for ...

Page 18: ... system which is implemented by public license practices Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system it is up to the author donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice This section is intended to mak...

Page 19: ... either an individual or a single entity and WatchGuard Technologies Inc WATCHGUARD for the WATCHGUARD Firebox Vclass software product which includes computer software components whether installed separately on a computer workstation or on the WATCHGUARD hardware product or included on the WATCHGUARD hardware product and may include associated media printed materials and on line or electronic docu...

Page 20: ...rchival purposes only 3 Prohibited Uses You may not without express written permission from WATCHGUARD A Use copy modify merge or transfer copies of the SOFTWARE PRODUCT or printed materials except as provided in this AGREEMENT B Use any backup or archival copy of the SOFTWARE PRODUCT or allow someone else to use such a copy for any purpose other than to replace the original copy in the event it i...

Page 21: ...D FAULT FOR ANY INDIRECT SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS BUSINESS INTERRUPTION OR LOSS OF BUSINESS INFORMATION ARISING OUT OF OR IN CONNECTION WITH THIS WARRANTY OR THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FA...

Page 22: ... IS DULY AUTHORIZED TO ACCEPT THIS AGREEMENT ON BEHALF OF THE ENTITY AND TO BIND THE ENTITY TO THE TERMS OF THIS AGREEMENT B THE ENTITY HAS THE FULL POWER CORPORATE OR OTHERWISE TO ENTER INTO THIS AGREEMENT AND PERFORM ITS OBLIGATIONS UNDER THIS AGREEMENT AND C THIS AGREEMENT AND THE PERFORMANCE OF THE ENTITY S OBLIGATIONS UNDER THIS AGREEMENT DO NOT VIOLATE ANY THIRD PARTY AGREEMENT TO WHICH THE ...

Page 23: ...WatchGuard Firebox Vclass Appliance Options 5 High Availability 6 Mobile User VPN 6 About This Guide 6 CHAPTER 2 Service and Support 9 Benefits of LiveSecurity Service 9 LiveSecurity Broadcasts 10 Activating the LiveSecurity Service 12 LiveSecurity Self Help Tools 14 Interactive Support Forum 15 Product Documentation 16 Assisted Support 16 LiveSecurity Program 16 LiveSecurity Gold Program 17 ...

Page 24: ...appliance is discovered 30 If an appliance is discovered 31 Setting the IP address of Interface 0 or the System IP 32 Running the Vcontroller Installation Wizard 34 Before You Begin 34 Starting the Installation Wizard 35 Edit the General information 36 Configure the Interfaces in Router Mode 39 Configure Interface 2 and 3 DMZ 44 Configure the Interfaces in Transparent Mode 45 Configure Routing 47 ...

Page 25: ...ger CPM 76 CHAPTER 5 Router and Transparent Mode 79 Router Mode 79 Transparent Mode 81 Unsupported features in Transparent Mode 82 Setting a Vclass Appliance to Transparent Mode 82 Setting an Appliance to Transparent Mode using Device Discovery 83 Setting an Appliance to Transparent Mode using the Installation Wizard 87 CHAPTER 6 System Configuration 89 General Configuration 90 Interface Configura...

Page 26: ...145 High Availability Configuration 148 CHAPTER 7 Using Account Manager 149 Configuring Accounts 149 End user accounts for authentication 152 Managing accounts 154 External Access for Remote Management 155 Account Access Conflicts 156 Resolving login conflicts 156 CHAPTER 8 About Security Policies 159 About Security Policies 159 Security policy components 160 Types of policies 161 Using Policy Man...

Page 27: ...fining a Load Balancing Action 203 Using Policy Schedules 205 Defining a Schedule 205 Using the Advanced Settings 207 CHAPTER 9 Security Policy Examples 211 Firewall Policy Examples 211 Example 1 Allowing Internet access 211 Example 2 Restricting Internet access 212 Example 3 Allowing unlimited access for authorized users 214 Example 4 Allowing communication between branch offices 216 Example 5 De...

Page 28: ...Client Proxy 238 SMTP Proxy 239 Rules and Rulesets 239 General Proxy Configuration 241 Using a Proxy Action in the Policy Manager 241 Creating a Proxy Action 241 Editing an existing Proxy Action 243 Configuring proxy rules 245 Ordering listed Rules in a Proxy Action 249 Proxy Parameters Reference 251 HTTP Client Proxy 251 SMTP Incoming Proxy 272 SMTP Outgoing Proxy 286 Reference Sources 297 CHAPTE...

Page 29: ...ication database 335 Editing and deleting a user group profile 337 Removing the backup server 338 Defining an IKE Policy and IKE Action 339 Defining an IKE action for RUVPN 339 Defining an IKE policy 341 Defining an RUVPN Security Policy and an IPSec Action 343 Defining an IPSec action for RUVPN 343 Defining a security policy for RUVPN 345 Controlling a remote user s access privileges 348 Monitori...

Page 30: ... Archiving 387 CHAPTER 16 System Information 389 General Information 389 VPN Tunnel Information 390 Viewing tunnel details 392 Traffic Information 393 Route Information 394 RAS User Information 395 Viewing RAS user information and tunnel details 396 Interface 1 Public Information 397 DHCP Server Information 398 Runtime Blocked IP List 399 CHAPTER 17 Backing Up and Restoring Configurations 403 Crea...

Page 31: ...text file 419 Executing a CLI Script 421 Saving Diagnostic Information 422 CHAPTER 19 Setting Up a High Availability System 425 High Availability Modes 425 Active Standby 426 Active Active 426 In this chapter 426 How High Availability works 427 Prerequisites for a High Availability System 427 Connecting the Appliances 428 Configuring a Standby Appliance 428 Customizing HA System Parameters 432 Che...

Page 32: ...xxxii Vcontroller ...

Page 33: ...ment and security analysis These costly sys tems were difficult to integrate and not easy to update The WatchGuard Firebox Vclass appliance combines firewall security VPN support and powerful traffic management with Fast Ethernet and Gigabit Ethernet connections The Vclass security ASIC architecture delivers scalable support up to 20 000 tunnels in a sin gle rack space device V100 or 40 000 VPN tu...

Page 34: ...Core hardware ensemble A well integrated chip set and memory system powers every Firebox Vclass appliance in its primary duties protecting your network and efficiently managing legitimate data WatchGuard Firebox Vclass Operating System OS Every Firebox Vclass security appliance is preinstalled with the latest version of the Firebox Vclass Operating System which is identified on the packaging by a ...

Page 35: ...E For the most current information on Vclass hardware and operating system requirements see the Readme file on the Firebox Vcontroller CD In addition updates are frequently posted on the WatchGuard Web site Windows workstation Operating System Windows NT 4 0 2000 XP CPU Pentium II or later Processor speed 500 MHz or faster Memory 64 MB minimum 128 MB is recommended Input device CD ROM or DVD Hard ...

Page 36: ...lization issues involving Linux platforms see the Sun Web site CPU Pentium II or later Processor speed 500 MHz or faster Memory 64 MB minimum 128 MB is recommended Input device CD ROM or DVD Hard disk space 10 MB minimum Network interface NICs or embedded network connections Sun Solaris workstation Operating system Solaris v2 6 or later Memory 64 MB minimum 128 MB recommended Input device CD ROM o...

Page 37: ... optional products Increasing the capacity of a particular feature Extending the duration of a limited term feature or service High Availability and WatchGuard Mobile User VPN are optional products and you receive those license keys upon purchase For more information on optional products see WatchGuard Firebox Vclass Appliance Options on page 5 For more information on increasing the capacity or le...

Page 38: ... VPN traffic is encrypted using DES or 3DES About This Guide The purpose of this guide is to help users of the Watch Guard Firebox Vclass appliance set up and configure a basic network security system and maintain administer and enhance the configuration of their network security The audience for this guide represents a wide range of experience and expertise in network management and security The ...

Page 39: ...e from the Open drop down list URLs and email addresses appear in sans serif font for example wg users watchguard com Code messages and file names appear in monospace font for example wgl and idx files In command syntax variables appear in italics for example fbidsmate import_passphrase Optional command parameters appear in square brackets ...

Page 40: ...CHAPTER 1 Introduction 8 Vcontroller ...

Page 41: ...tion LiveSecurity Service keeps your security system up to date by providing solutions directly to you In addition the WatchGuard Technical Support team and Training department offer a wide variety of meth ods to answer your questions and assist you with improving the security of your network Benefits of LiveSecurity Service As the frequency of new attacks and security adviso ries continues to sur...

Page 42: ...s you time by providing the latest software to keep your WatchGuard Firebox Vclass up to date You receive instal lation wizards and release notes with each software update for easy installation These ongoing updates ensure that your WatchGuard Firebox Vclass remains state of the art without your having to take time to track new releases Access to technical support and training When you have questi...

Page 43: ...is protected Software Update You receive functional software enhancements on an ongoing basis that cover your entire WatchGuard Firebox Vclass Editorial Leading security experts join the WatchGuard Rapid Response Team in contributing useful editorials to provide a source of continuing education on this rapidly changing subject Foundations Articles specifically written for novice security administr...

Page 44: ...u have the Firebox Vclass serial number handy You will need this during the activation process The Firebox Vclass serial number is displayed in two locations a small silver sticker on the outside of the shipping box and a sticker on the back of the Firebox Vclass just below the UPC bar code 2 Using your Web browser go to http www watchguard com activate NOTE You must have JavaScript enabled on you...

Page 45: ...oller software see Importing LiveSecurity Feature Key on page 13 11 Click Continue The Confirmation Web page appears Importing LiveSecurity Feature Key To import a feature key from the LiveSecurity Service Web site to Vcontroller software 1 Launch Vcontroller software 2 Click System Configuration 3 Click on the License tab 4 Click Add The Import License window appears 5 Copy the feature key inform...

Page 46: ...formation about configuration options and interoperability Known Issues Confirmed issues and fixes for current software Interactive Support Forum A moderated Web board about WatchGuard products Online Training Information on product training certification and a broad spectrum of publications about network security and WatchGuard products These courses are designed to guide users through all compon...

Page 47: ...and networking This forum is cate gorized and searchable The forum is moderated during regular business hours by WatchGuard engineers and Technical Support personnel However this forum should not be used for reporting support issues to WatchGuard Technical Support Instead contact WatchGuard Technical Support directly via the Web interface or telephone Joining the WatchGuard users forum To join the...

Page 48: ...pport For a summary of the cur rent technical support services offered please refer to the WatchGuard Web site at http support watchguard com aboutsupport asp NOTE You must register for LiveSecurity Service before you can receive technical support LiveSecurity Program WatchGuard LiveSecurity Technical Support is included with every new Firebox Vclass This support program is designed to assist you ...

Page 49: ...ilable For more information please refer to WatchGuard Web site at http support watchguard com lssupport asp LiveSecurity Gold Program This premium program is designed to meet the aggressive support needs of companies that are heavily dependent upon the Internet for Web based commerce or VPN tun nels WatchGuard Gold LiveSecurity Technical Support offers support coverage 24 hours a day seven days a...

Page 50: ...ote VPN Installation Services are designed to provide you with comprehensive assistance for basic VPN installation You can schedule a dedicated two hour time slot with one of our WatchGuard techni cians to review your VPN policy help you configure your VPN tunnels and test your VPN configuration This ser vice assumes you have already properly installed and con figured your Firebox Vclass appliance...

Page 51: ...ecessary to configure deploy and manage enterprise security solutions Using the Online Help Online help is available from almost all WatchGuard Vcontroller windows Because the online help uses Web browsers for display you should be aware of a problem in opening help in Netscape browsers If you use a Netscape browser on a workstation running any Microsoft Windows operating system version 4 7 3 or l...

Page 52: ...CHAPTER 2 Service and Support 20 Vcontroller ...

Page 53: ...lowing steps in the installation process Gathering Network Information on page 22 Setting up the Management Station on page 23 Cabling the Appliance on page 27 Start a Firebox Vclass Security Appliance on page 27 Using Appliance Discovery on page 29 Running the Vcontroller Installation Wizard on page 34 Deploying the Firebox Vclass into your Network on page 57 For a quick summary of this informati...

Page 54: ...onfiguration Files on page 410 Before installing the Firebox Vclass appliance verify the package contents Consult the Firebox Vclass Hardware Guide to make sure you have received all of the proper con tents Gathering Network Information One good way to set up your network is to write down two sets of basic network information the first set of informa tion describes your current network before depl...

Page 55: ...essing information that rep resents your new Firebox Vclass security appliance Use the notes you completed in the previous section Gather ing Network Information on page 22 NOTE The installer installs a local copy of the correct version of the Java Runtime Environment to enable the software to run This installation of the JRE is independent of any other JRE or JDK you install on your system For ad...

Page 56: ...on that will represent your new Firebox Vclass security appliance Use the notes you completed in the previous section Gather ing Network Information on page 22 NOTE Be sure to review the release notes that were included in this package for information about Solaris Java issues including the Solaris and JRE versions For additional updates check the WatchGuard Web site To install Vcontroller 1 Inser...

Page 57: ...rd setup sh 6 When asked by the installation script for the directory location of the JRE and JDK software enter the appropriate pathway 7 Vcontroller installation is complete To launch Vcontroller execute the following command Vcontroller Be certain the directory containing Vcontroller software is listed in the PATH environment variable Installing Vcontroller on a Linux workstation Before proceed...

Page 58: ...tchGuard recommends that you install the most recent version 4 If you have not installed JRE or JDK type N The installer quits but provides information on where to obtain the most current versions of JRE and JDK software from the Sun Web site 5 When the JRE and JDK software has been installed and any required Linux updates are completed start the installer application again by entering the followi...

Page 59: ... appliance on any stable flat surface near the Management Station 3 Connect the appliance through interface 0 Private to the Management Station using the red crossover Ethernet cable or corresponding optical cable depending upon the Firebox model 4 Connect the appliance to a nearby power source using the power cord If connecting the appliance to a UPS device be sure to use the WatchGuard supplied ...

Page 60: ...and initialized the following lights on the front of the device should be lit The Power LED The Ready LED One of the Private Public and DMZ interface speed indicator lights if those connections have been made If problems occur If the expected lights are not lit check the following If the Power LED is not lit disconnect and reconnect the power cord For the V10 disconnect the power cord from the out...

Page 61: ... to the same LAN seg ment or subnet as the Management Station through inter face 0 Private 1 Launch Vcontroller The Vcontroller Login dialog box appears 2 Click the binoculars icon to the right of the Server IP Name drop down list The WatchGuard Security Appliance Discovery dialog box appears 3 Click Find to start the process If the Management Station has more than one NIC you must select the IP a...

Page 62: ...red If no appliances are discovered a Devices Not Found dia log box appears Check the Firebox Vclass appliance for the following Verify that the appliance has been properly connected to the network Verify that all cable connections are secure Make sure that the appliance is turned on The Ready LED should be lit Click Find Again to attempt another discovery ...

Page 63: ... appliances discovered in the local subnet In this case only your new Firebox Vclass appliance will be listed You can set interface 0 Private IP addresses or import profiles into more than one appliance at the same time A collection of options that enable you to set the identity of a selected appliance s Private interface or import an existing appliance profile into a selected device You set the I...

Page 64: ...ng the device in Transparent Mode you must set the System IP After this is complete you can log in with Vcontroller and perform further configuration 1 From the Devices Found field select the appliance you want to configure 2 Click the Set Interface IP button 3 Click Router Mode or Transparent Mode to set the System Mode 4 For Router Mode in the Interface 0 IP field type an unused IP address from ...

Page 65: ... for this IP address 6 Click Update If more than one appliance is listed in this window you can set an IP address for each appliance at this time prior to clicking Apply All 7 If there are no more appliances to be set click Apply All A confirmation window appears 8 Click Yes The Result window appears ...

Page 66: ...ppliances Before You Begin To complete the initial installation of a new Firebox Vclass appliance you need the following network address infor mation Unused IP addresses and network masks to assign to all interfaces of this appliance that you will use Router Mode or a single unused IP address and network mask that will govern all interfaces on the appliance Transparent Mode A domain name for this ...

Page 67: ... box appears 3 Type the IP address or host name of the Firebox Vclass in the Server IP Name field or select it from the drop down list 4 Type your administrator login name and password in the appropriate fields The default name and password for the Firebox Vclass appliance is admin NOTE All data traffic between the Management Station and the Firebox Vclass appliance including all configuration exc...

Page 68: ...CHAPTER 3 Getting Started 36 Vcontroller 6 Read the qualifications and instructions Edit the General information 1 Click Next to proceed The General Information window appears ...

Page 69: ...n of where your appliance will be used This can be a building floor number office name or other simple description 4 In the System Contact field enter the name and phone number or email address of the principal administrator or department responsible for management of the appliance Changing the System Time Date and Time Zone Click Change to open the Date Time and Time Zone win dow Make any necessa...

Page 70: ...CHAPTER 3 Getting Started 38 Vcontroller ...

Page 71: ...e the Interfaces in Router Mode This procedure describes how to configure an interface using the Installation Wizard for an appliance running in Router Mode Configure Interface 0 Private 1 Click Next The Interface Information window appears The appliance is in Router Mode by default ...

Page 72: ...nter the IP address and network mask for the interface in the appropriate fields If you wish to change the size of the Maximum Transmission Unit MTU type a number in the MTU field This number represents the maximum size in bytes of a packet 4 If you want to enable the appliance as a DHCP server click Enable DHCP Server ...

Page 73: ...ng Time drop down list and type the number of hours or days that an IP address will be loaned to a DHCP client 7 You can use a separate DHCP Server with the Vclass appliance using DHCP relay This option makes the Vclass act as a DHCP agent requesting DHCP leases from a separate DHCP server Click DHCP Relay to use this option A Remote DHCP Server IP field appears 8 In the Remote DHCP Server IP fiel...

Page 74: ...iate interface option and provide the relevant entries as follows Static IP Enter the IP address and network mask in the appropriate fields DHCP Enter the IP address or DNS host name of the DHCP server assigned by your ISP in the Host ID field This entry is optional PPPoE Enter the user name and password assigned to you by your ISP in the appropriate fields ...

Page 75: ... as previously described by clicking Static DHCP or PPPoE and entering the required values For the Backup WAN connection PPPoE is only available in an Always On state Dial on Demand is not available 4 Establish Connection Failure Detection criteria This section of the screen allows you to enter 3 different IP addresses that the appliance should be able to ping to determine whether the network is u...

Page 76: ... respond to a ping request within this interval the connection is considered failed and a failover occurs Configure Interface 2 and 3 DMZ 1 To configure Interface 2 and 3 if applicable enter the IP address and network mask in the appropriate fields 2 When you have finished with the Interface window entries click Next The Interface Change dialog box appears providing two options Save Only and Apply...

Page 77: ...zard see System Configuration on page 89 Configure the Interfaces in Transparent Mode In Transparent Mode the Firebox Vclass is given a single System IP and System Subnet Mask These addresses are used for all interfaces on the system For more information on Transparent Mode see Router and Transparent Mode on page 79 To configure interfaces in Transparent Mode 1 Click Next from the General window o...

Page 78: ...t on page 407 3 In the System IP field type the IP address that will be used for all interfaces on the appliance 4 In the System Mask field type the Subnet Mask address that will be used for all interfaces on the appliance You can change the link speed and MTU Maximum Transmission unit size for each physical interface or leave the defaults Auto Negotiate 1500 bytes 5 To change the link speed and M...

Page 79: ...g screen appears NOTE All entries made to configure routing are optional for completing the Installation Wizard and are dependent upon your network environment 2 In the Specify Default Route field type the IP address of the default gateway 3 If you want to enter any additional network routes for this appliance click Add The Add Route dialog box appears ...

Page 80: ...traffic will be exchanged from the Interface Port drop down list 6 Type the Metric number in the appropriate field 7 Click OK 8 Repeat this process as needed Define the DNS servers 1 When you have finished adding routes click Next to proceed to the next step of the Installation Wizard If you added any new routes a confirmation window appears click OK The Setup DNS Servers window appears ...

Page 81: ...ntries made to configure DNS servers are optional for completing the Installation Wizard and will differ based on your network configuration 1 Type the domain name of the Firebox Vclass appliance in the Domain Name field 2 To add a DNS server click Insert The DNS Server window appears ...

Page 82: ... listing the DNS servers click Next to proceed The Default Firewall Policy window appears NOTE All entries made to configure the default firewall policy are optional for completing the Installation Wizard and are dependent upon your network environment 2 Determine your default firewall policy or select the No Change option 3 If you decide to activate the default firewall policy select the Select t...

Page 83: ...traffic from external networks to Interface 1 Public If you want to permit particular types of traffic to gain access to part or all of your network activate the relevant policy You can later customize your firewall policies to provide further protections For more information on configuring firewall policies see About Security Policies on page 159 NOTE If you do not activate any predefined policy ...

Page 84: ...ects against a sustained flood of ICMP pings Select this checkbox then type the threshold number in the text field SYN Flood Attack Protects against a sustained flood of TCP SYN requests without the corresponding ACK response Select this checkbox then type the threshold number in the text field UDP Flood Attack Protects against a sustained flood of UDP packets Select this checkbox then type the th...

Page 85: ... single server Select this checkbox then type the threshold number in the text field The number here represents the maximum request capacity per second of the server If more than the specified number of connection requests are received the Firebox Vclass appliance drops the excess requests Per Client Quota Restricts the number of connection requests from a single client in one second Select this c...

Page 86: ... to proceed If you enabled the Allow all outbound traffic from the Interface 0 private option a DNAT window appears 2 If you want to use dynamic NAT click Yes A default dynamic NAT policy is added to the outbound traffic policy Change the Password The Change Password screen appears This step requires you to replace the default root admin account password with a new secure password of your choosing...

Page 87: ...Guide 55 1 In the Password field type a new password Passwords must be between 6 and 20 characters can include letters or numbers and are case sensitive 2 Confirm the password by retyping it in the provided field 3 Click Next to proceed The completion window appears ...

Page 88: ...Vcontroller 4 Click Finish 5 If you changed the IP address for interface 0 Private a window appears asking if you want to restart the Firebox Vclass appliance Click Yes The Firebox Vclass appliance reboots and reinitializes itself ...

Page 89: ...st name Vcontroller remembers the IP addresses of all appliances and stores them in this drop down list You will however need to remember all the separate passwords 3 In the Name field type admin 4 In the Password field type your newly created secure password 5 Click OK to connect to the appliance The main Vcontroller window appears 6 Click Shut down 7 When the shutdown confirmation window appears...

Page 90: ... you can restart the appliance Use the power cord to connect the appliance to a UPS device or to a protected outlet For a V10 make sure that you connect the power cord to the V10 before you connect it to the AC outlet or the UPS device This will start the V10 appliance For all other models turn on the power with the switch on the back of the appliance When the appliance has started the Ready LED b...

Page 91: ...es that you the administrator set up and main tain With every incoming or outgoing data stream that it detects the appliance performs a two stage task It analyzes the initial packet for key traffic specifications including source destination type of service and specific appliance interface used by the data stream If the data matches all the specifications established in a given policy the applianc...

Page 92: ...tents of packets beyond the headers and traffic specifications for a deeper level of security Firebox Vclass Features The Firebox appliances provide the following features Firewall Protects your network from unauthorized access and use Load balancing except the V10 model Distributes incoming data to specific internal destinations Quality of Service Makes data exchanges more efficient Prioritizes a...

Page 93: ...ets Multi tenant domains except the V10 model Manages traffic routed to and from both kinds of multiple tenant virtual domains user domains and VLANs Where the Information is Stored When you use Vcontroller to connect to a Firebox Vclass appliance Vcontroller accesses a specialized database stored in the Firebox Vclass appliance This storage capac ity is an integral part of the appliance hardware ...

Page 94: ...ity If this occurs you are prompted to log in again 1 Launch Vcontroller according to the operating system you are using Microsoft Windows Double click the WatchGuard Vcontroller icon on the desktop or select Start Programs WatchGuard Vcontroller WatchGuard Vcontroller Solaris Linux Navigate to the appropriate directory and type Vcontroller at the command prompt Vcontroller launches and a login wi...

Page 95: ...he Server IP Name field or select it from the drop down list 3 Type your administrator login name in the Name field NOTE For information on creating administrator accounts see Using Account Manager on page 149 4 In the Password field type the password for your administrator account 5 Click OK The main Vcontroller window appears ...

Page 96: ...sholds are exceeded This window also allows you to view newly triggered alarms diagnose alarm conditions and clear resolved alarms For more information see Using Alarm Manager on page 351 Monitor Click this button to open the Real time Monitor window which provides a detailed view of the security appliance activities You can use existing probes or create your own to measure system activity as well...

Page 97: ...and configuring security policies see About Security Policies on page 159 Security Policy Click this button to open the Policy Manager window which lists the current catalog of security policies This window allows you to view edit add and remove policies The Policy Manager is also used to view edit add and remove security proxies IKE Policy Click this button to open another view of the Policy Mana...

Page 98: ...ation dialog box which assists in the setup of remote access service RAS connections This feature is not available on the V10 model Proxies Click this button to open a dialog box that lists all existing Proxy Actions and allows you to add delete and edit them Proxies are a licensed feature which are available on your system after you complete the initial LiveSecurity registration process Administr...

Page 99: ...ables you to back up the current system configuration You can also use this window to restore previously archived configurations as needed For more information see Backing Up and Restoring Configurations on page 403 Upgrade Click this button to open the Upgrade window which allows you to view the current software version download and install any recent upgrades and view the recent upgrade history ...

Page 100: ...connect the Management Station from the Firebox Vclass appliance Help Click this button to open the main online Help window Right click this button to see the Help version and copyright information Alarm Bell If you see an animated ringing bell this indicates that an alarm condition was triggered Click the alarm bell icon to open the Alarm Manager window For more information see Using Alarm Manage...

Page 101: ... be active 1 From the Vcontroller main page click Log Out The Logout confirmation dialog box appears 2 Click Yes If you have made any changes a Flush dialog box appears requesting to save these to the permanent data storage The system name assigned to this appliance The refresh button The current status indicators for the interfaces green indicates active red indicates inactive The total number of...

Page 102: ...ating that the save was successful 4 Click OK You can now exit Vcontroller or click Log In to reconnect to the Firebox Vclass appliance Shutting Down and Rebooting To perform a software shutdown prior to turning off the appliance 1 From the main Vcontroller window click Shutdown Reboot A Confirmation dialog box appears ...

Page 103: ... 4 Unplug the power cord from the Firebox Vclass appliance NOTE Do not remove the cover on the power supply switch on the back of any appliances and use that switch to cut power This can damage the appliance Once you have fully shut down the Firebox Vclass appli ance you can restart it by following these steps Connect the Firebox Vclass appliance to a power source Use the Power switch on the back ...

Page 104: ...oot is complete After a long interval the Vcontroller Login dialog box reappears Restarting the appliance You can physically force a restart by inserting a straight pin into the recessed Reset button opening on the front of the appliance Upgrading and Downgrading the Software Version When new versions of the Firebox Vclass operating system software become available Vcontroller provides a simple wa...

Page 105: ...sion number of the latest available upgrade against the version number listed in the Upgrade tab Do not upgrade your appliance until you have backed up the current configuration file For information on backing up your configuration see Backing Up and Restoring Configurations on page 403 6 Review the instructions on this Web page If a newer upgrade is available click Download 7 When the download is...

Page 106: ...n dialog box appears 10 Click OK to proceed The Vclass appliance automatically restarts When the restart is complete you can log into the appliance and use Vcontroller to check the upgraded appliance To downgrade the software version 1 Click the Downgrade tab 2 Read the instructions on the screen and then click Downgrade Now A confirmation dialog box appears ...

Page 107: ...the software After this downgrade is complete your appliance will be using an earlier version of software with the configurations and policies that were in effect at that time All subsequent entries and changes will be lost For information about restoring older settings see Restor ing an Archived Configuration on page 405 The Upgrade History The Upgrade History tab notes the dates times and ver si...

Page 108: ...ntroller provides management access to more built in functionality in Firebox Vclass appliances than CPM For example you cannot use the Firebox Vclass appliance for RAS user authentication in CPM as you can with Vcontroller only a RADIUS server can be used However if you have five or more Firebox Vclass appliances CPM is the preferred global management tool You cannot use both Vcontroller and CPM ...

Page 109: ...Transferring from Vcontroller to WatchGuard Central Policy Manager CPM Firebox Vclass User Guide 77 Vcontroller will be erased when a new or updated profile is deployed to that appliance from CPM ...

Page 110: ...CHAPTER 4 Firebox Vclass Basics 78 Vcontroller ...

Page 111: ...ances running in Router Mode inte grate firewall VPN and routing functions in a single appliance In this mode the Vclass appliance func tions as a security gateway as shown in Figure 6 Vclass Router Mode operation on page 80 Depending on the Vclass model up to four network interfaces are provided which you can use to route traffic between a private network the public network or Internet and DMZ ne...

Page 112: ...ets sent out from the Vclass are marked with the Vclass interface MAC as their source Figure 6 Vclass Router Mode operation No special configuration is required to set an appliance to Router Mode Vclass appliances are set to Router Mode by default Use the instructions provided throughout this guide to configure your Router Mode appliance You can switch an appliance to Router Mode at any time using...

Page 113: ...ns are handled by the router and the Vclass pro vides firewall and VPN functions The main differences between Transparent and Router modes are Transparent mode interfaces are promiscuous A promiscuous interface receives not only the packets addressed to it as in Router Mode but also packets addressed to other hosts on the network However the Vclass appliance passes packets without taking any actio...

Page 114: ...acket s source MAC address is preserved Unsupported features in Transparent Mode Not all features available in Router Mode are feasible or usable in Transparent Mode Unsupported features are Backup WAN connection WAN Failover DHCP Client and Server Proxies Dynamic Routing High Availability Active Standby or Active Active VLAN and Tenants NAT including SNAT DNAT VIP PPPoE Secondary IP Spanning Tree...

Page 115: ...to the Factory Default configuration see Restoring to Fac tory Default on page 407 Setting an Appliance to Transparent Mode using Device Discovery To use Device Discovery successfully the appliance you are configuring must be connected to the same LAN seg ment or subnet as the Management Station through inter face 0 Private 1 Launch Vcontroller The Vcontroller Login dialog box appears 2 Click the ...

Page 116: ...pears and remains open until the discovery process is complete If no appliance is discovered If no appliances are discovered a Devices Not Found dia log box appears Check the Firebox Vclass appliance for the following Verify that the appliance has been properly connected to the network Verify that all cable connections are secure Make sure that the appliance is started The Ready LED should be lit ...

Page 117: ...dresses or import profiles into more than one appliance in the same Discovery session A collection of options that enable you to set the identity of a selected appliance s interface 0 Router Mode or System IP Transparent Mode or import an existing appliance profile into a selected device You set the IP address as described in the following section This is the task you perform with a new appliance ...

Page 118: ...ield select the appliance you want to configure 2 Click the Set Interface IP button 3 To set the System Mode click Router Mode or Transparent Mode 4 For Router Mode in the Interface 0 IP field type an unused IP address from the same subnet as the Management Station This IP address will apply only to Interface 0 Private In the Interface 0 Mask field type the subnet mask for this IP address 5 For Tr...

Page 119: ...y All A confirmation window appears 8 Click Yes to proceed The Result window appears 9 Wait for the Result window to display ALL DONE and then click Close to return to the Set Interface window 10 You can now use Vcontroller to edit the interface for this appliance and continue the installation process Setting an Appliance to Transparent Mode using the Installation Wizard You can set a factory defa...

Page 120: ...CHAPTER 5 Router and Transparent Mode 88 Vcontroller Configure the Interfaces in Transparent Mode on page 45 ...

Page 121: ... following configuration functions are available in the System Configuration window General Configuration on page 90 Interface Configuration on page 93 Routing Configuration on page 107 DNS Configuration on page 112 SNMP Configuration on page 114 Log Configuration on page 116 Certificate Configuration on page 116 LDAP Server Configuration on page 125 NTP Server Configuration on page 127 Advanced C...

Page 122: ...5 High Availability Configuration on page 148 General Configuration Use the General tab to fill in general information about the Vclass name location and owner and to set the system time 1 From the main Vcontroller window click System Configuration The System Configuration window appears 2 Click the General tab The General system settings are displayed ...

Page 123: ... appliance System Location Type the location of your Firebox Vclass appliance The location can be a building and floor number or a simple identifier such as LAN Room System Contact Type the name phone number or email address of the principal system administrator or the person responsible for maintenance of the Firebox Vclass system ...

Page 124: ... time and date for your system Select AM or PM from the drop down list Click the TimeZone tab to update the geographic location of your system Select the appropriate location from the list and then click OK to return to the General tab When you have finished configuring the system settings click one of the following options Reset To return the settings to the previous configuration Apply To immedi...

Page 125: ...g In addition Interfaces appear differently depending on whether the appliance is deployed in Router Mode or Transparent Mode NOTE In Transparent Mode the System IP and System Mask are set from the main Interface window This IP applies to all interfaces on the appliance The only configuration items you can change for specific interfaces are MTU size and Link Speed Click the Interface tab The Inter...

Page 126: ...e System Mode in which this system is deployed In addition you can switch from Transparent Mode to Router Mode here but you cannot automatically switch from Router Mode to Transparent Mode you must restore the appliance to Factory Default first a process which is started when you select Transparent Mode here In Transparent Mode two more fields are visible in this window ...

Page 127: ...ic or external network traffic Interface 1 supports the Backup WAN feature which allows the connection to automatically switch over to a backup ISP in the event of a network failure NOTE Backup WAN is not supported in Transparent Mode Interface 2 Interface 2 should be assigned to any DMZ network traffic This interface is not available on the V10 V100 or V200 models Interface 3 Interface 3 should b...

Page 128: ...se the HA2 ports as direct management connections For more information see Setting Up a High Availability System on page 425 This interface is not available on the V10 model High Availability is not supported in Transparent Mode If you need to make any changes to the configuration of the interfaces use the following instructions Configuring Interface 0 To edit the interface settings 1 Select the i...

Page 129: ...ath these fields 3 In the MTU field type the MTU to determine the maximum size of each packet The default is 1500 bytes Enable DHCP Server 4 If you want to enable the appliance as a DHCP server click Enable DHCP Server The dialog box changes to show DHCP Server options This option is not available if the appliance is configured for High Availability or the appliance is in Transparent Mode ...

Page 130: ...ays or Hours 7 Type the number of days or hours that an IP address will be loaned to a DHCP client DHCP Relay 8 To allow the Vclass appliance to request and relay DHCP addresses from another DHCP server on your network click DHCP Relay The dialog changes to show Remote DHCP Server IP options This option is not available if the appliance is configured for High Availability or the appliance is in Tr...

Page 131: ...n option you want to use for this interface The default is Auto Negotiate Auto Negotiate is the only option available on the V100 and V200 models 11 Click OK to close the Edit Interface dialog box and return to the Interface tab Configuring Interface 1 To edit the interface settings 1 Select the interface entry and then double click The Edit Interface dialog box appears ...

Page 132: ...troller Interface 1 Public allows you to choose from three net work addressing options 2 Select the addressing option you want to use Static DHCP or PPPoE Static In the IP Address and Network Mask fields type the IP address and network mask ...

Page 133: ...r This option is not available when using High Availability or in Transparent Mode PPPoE In the User Name and Password fields type the user name and password In the Confirm Password field type the password again to confirm it Select the Always On or Dial on Demand option and then type the desired time interval in the appropriate field ...

Page 134: ...peed Configuration option you want to use for this interface The default is Auto Negotiate Auto Negotiate is the only option available on the V100 and V200 models Backup Connection 1 Click Backup Connection to configure WAN Interface Failover if you are using this feature WAN Interface Failover allows you to specify a backup ISP to provide Internet service to Interface 1 in the event of an ISP net...

Page 135: ...t must be configured as Always On The Dial on Demand option is not available 3 Establish Connection Failure Detection criteria This section of the window allows you to type up to three different IP addresses that the appliance should be able to ping to determine whether the WAN is up or down and timing values to determine when the ISP has failed 4 Type up to three IP addresses for public well know...

Page 136: ...on is considered failed and a failover occurs 7 In the last field on this dialog type the number of minutes you want to elapse between successive failovers The default is 10 minutes Since each failover requires a system restart processing is interrupted for a brief period during failover If both your Primary and Backup WAN connections are subject to frequent failure this can lead to a lot of proce...

Page 137: ...d beneath these fields 3 In the MTU field type a new size for the MTU if you want to change it from the default size 1500 bytes 4 Click the Link Speed Configuration option you want to use for this interface The default is Auto Negotiate Auto Negotiate is the only option available on the V100 and V200 models 5 Click OK to close the Edit Interface dialog box and return to the Interface tab ...

Page 138: ... the HA ports though you can change them for internal reasons In the IP address and Network Mask fields type the IP address and network mask The interface Hardware Address MAC address is displayed beneath these fields 3 Click OK to close the Edit Interface dialog box and return to the Interface tab When you have finished configuring the interfaces click one of the following options Reset To return...

Page 139: ...stem Click Yes to proceed The appliance immediately restarts in order to apply the new interface configurations The System Configuration dialog box closes and Vcontroller displays the Log In dia log box NOTE If you have changed the Interface 0 Private settings be sure to use the new IP address when next logging in to Vcontroller Routing Configuration Use the Routing tab to record static routes or ...

Page 140: ...CHAPTER 6 System Configuration 108 Vcontroller 2 To configure a static route click Add The Add Route dialog box appears ...

Page 141: ... 6 Click OK Configuring dynamic routing Firebox Vclass supports 3 dynamic routing protocols which are built on GNU Zebra http www zebra org rout ing software support Routing Information Protocol RIP version 1 and 2 Open Shortest Path First OSPF Border Gateway Protocol BGP NOTE Dynamic routing currently does not support MIBs SNMP multicast or IPv6 routing protocols NOTE Dynamic Routing is not suppo...

Page 142: ... to paste a preconfigured dynamic routing configuration file into the text field or click Browse to locate the conf file on your management station To paste a file it must first be copied to your system s clipboard 5 When you have pasted or loaded your routing configuration files click Apply The Routing dialog now indicates that the protocols you configured are Running ...

Page 143: ...llowing options Reset To return the settings to the previous configuration Save Only To save the settings to the Management Station and apply them to the Firebox Vclass appliance when it is restarted When you are finished click Close Apply To immediately commit the settings to the Firebox Vclass appliance At this time the Firebox Vclass checks your entries for accuracy If the entry is correct a gr...

Page 144: ...Edit button to open the Edit Route dialog box The box allows you to check the text for errors DNS Configuration Use the DNS tab to configure the Firebox Vclass appliance with a host domain name and DNS server entries To configure a system domain name 1 Click the DNS tab The DNS settings are displayed ...

Page 145: ...ebox Vclass User Guide 113 2 In the Domain Name field type the domain name of the Firebox Vclass appliance To add a DNS server 1 Click Insert The DNS Server dialog box appears 2 Type the IP address in the appropriate field ...

Page 146: ...settings to the previous configuration Apply To immediately apply the settings to the Firebox Vclass appliance SNMP Configuration Use the SNMP tab to add the IP addresses of management stations that will be monitoring this appliance You also use these fields to record the relevant SNMP community string For a complete list of supported MIBs for Firebox Vclass appliances review the MIB files that ar...

Page 147: ...ss appliance you must first create and apply a security policy that allows SNMP traffic to pass through the appli ance To configure SNMP traps 1 Click the SNMP tab The SNMP settings are displayed 2 Click Add The SNMP Management Station dialog box appears ...

Page 148: ...disabled triggered alarms are still logged by the appliance When you have finished configuring the SNMP manage ment stations click one of the following options Reset To return the settings to the previous configuration Apply To immediately commit the settings to the Firebox Vclass appliance Log Configuration Use the Log tab to configure the logging settings For infor mation on configuring these se...

Page 149: ...hich the authorizing source will send to you on occasion A CRL effectively cancels any cer tificates that have been compromised by hackers Before initiating a certificate request you must obtain the following The encryption key cosigning authority s name and web site URL A payment method for all requested certificates preferably credit card Any root certificates provided by this authority To impor...

Page 150: ...CHAPTER 6 System Configuration 118 Vcontroller 2 To request a new x 509 certificate click Create Request The Certificate Request dialog box appears ...

Page 151: ...in the General settings See General Configuration on page 90 Department Name The group or department name that administers this appliance This field is optional Company Name The requesting company name Country The name of the country in which this appliance and the certificate will be used 4 Click Next The next certificate request dialog box appears as shown in the following figure ...

Page 152: ...letions or changes in this text field if you know the proper formatting for all the elements DNS Name Type the appliance name or domain name for example wg001 corporation com IP Address Type the IP address of interface 0 Public This step is optional User Domain Name Type the user name of this appliance This step is optional Algorithm Click the preferred option for this certificate Length Click the...

Page 153: ...text in the dialog box and then press Control a 8 Click Copy 9 Open a Web browser and connect to the Web site of your key co signing authority 10 Open the key co signing authority certificate request form and paste the text into the appropriate field 11 Provide any other required payment information 12 Submit the request and then close the browser window 13 Return to the Certificate Request dialog...

Page 154: ...t dialog box closes and the System Configuration dialog box reappears A new entry appears in the Certificate list representing the pending certificate request To view specific information about a pending certificate 1 Select the entry from the Certificates list 2 Click Detail A Certificate dialog box appears that summarizes all the relevant certificate information ...

Page 155: ...e from the co signing authority When you have received it follow the instructions in the next procedure Importing a certificate or CRL file If this is the first certificate you import you must import the root certificate before importing the actual certificate or the new x 509 certificate and any others you subse quently import will not be usable To import the root certificate 1 Make sure that the...

Page 156: ...plete the dialog box closes and the newly imported certificate appears in the Certificates list 6 Repeat this process to import any other certificates into the Firebox Vclass appliance At regular intervals your key cosigning authority will issue a Certificate Revocation List CRL which nullifies any existing certificates that have been compromised You can import these lists so that your system will...

Page 157: ...Certificates list 6 To remove an entry from the Certificate list select the entry and click Remove LDAP Server Configuration Use the LDAP tab to set up a connection between a Firebox Vclass appliance and any LDAP server on which Certifi cate Revocation List CRL files are centrally stored After this configuration is set up the Firebox Vclass can verify every certificate it uses against the CRLs sto...

Page 158: ... the IP address or domain name of the LDAP server 4 If the LDAP server is not using the default port number 389 type the correct port number in the Port Number field When you have finished configuring the LDAP server set tings click one of the following options Reset To return the settings to the previous configuration ...

Page 159: ...ox Vclass appliance NTP Server Configuration Use the NTP tab to configure the Firebox Vclass to contact a NTP server A NTP server uses Coordinated Universal Time UTC to synchronize computer clock times To configure the NTP settings 1 Click the NTP tab The page refreshes then displays the NTP Server settings ...

Page 160: ...able NTP If you later decide to disable NTP click No 3 Enter the IP address of an NTP server It is possible that the connection to a NTP server can be broken If this occurs the Current NTP Status displays Not Running 1 Click Restart A Confirmation dialog box appears ...

Page 161: ...irebox Vclass appliance Advanced Configuration The Advanced tab allows you to configure global policy settings These settings will apply to all security policies you create However you can configure each policy to use a per policy setting instead of these global settings For more information regarding the configuration of the advanced settings and security policies see Using the Advanced Settings ...

Page 162: ...les the inspection of a proper TCP three way handshake It provides an extra layer of protection against illegal TCP connections To enable TCP SYN checking select the Enable Syn Checking checkbox VPN These options concern the fragmentation of encrypted packets and the ability to allow IPSec users to connect to a different appliance ...

Page 163: ...error messages you want to allow TCP Maximum Segment Size Adjustment This feature works in conjunction with the MTU settings to limit the size of packets if configured This feature overcomes the following problems Oversized packets can result in fragmentation degrading VPN performance Proxies may require MSS adjustment to prevent fragmentation Some older systems do not support MTU to regulate pack...

Page 164: ...P header If you select this option packets may fragment When you have finished configuring the advanced set tings click one of the following options Reset To return the settings to the previous configuration Apply To immediately commit the settings to the Firebox Vclass appliance Hacker Prevention Configuration If you have not already used the Installation Wizard to set up hacker prevention option...

Page 165: ...se attacks flood your network with requests for information clogging servers and possibly shutting down your network After you activate these options and set thresholds the Firebox Vclass appliance prevents such attacks If more than the specified number of requests are received per second the Firebox Vclass appliance drops the specified excess number of requests within the same second while it per...

Page 166: ...from a sustained flood of UDP packets After selecting the checkbox type the threshold number in the text field that will trigger the denial of service protection Ping of Death Safeguards your network from user defined large data packet pings Select the checkbox to activate this denial of service protection IP Source Route Safeguards your network from a flood of false client IP addresses designed t...

Page 167: ...om being overwhelmed by too many connection requests in a short period of time Per Client Quota Restricts the number of connection requests from a single client within a second After selecting the checkbox type a threshold number in the text field that represents the maximum number of requests per second from a single client If more than the specified number of connection requests are received wit...

Page 168: ...fied CPM server to manage the Firebox Vclass appliance 1 Click the CPM Management tab The CPM Management settings are displayed 2 Select the Enable CPM Management checkbox 3 In the CPM Server IP Address field type the CPM server IP address 4 In the CPM Server Port field type the CPM server port The default port is 7850 ...

Page 169: ...nage ment settings click one of the following options Reset To return the settings to the previous configuration Apply To immediately apply the settings to the Firebox Vclass appliance License Configuration Use the Licenses tab to import licenses which you obtain from WatchGuard and add extra features For more infor mation about licensing additional features and capacity for your Firebox Vclass ap...

Page 170: ...CHAPTER 6 System Configuration 138 Vcontroller To import a new license 2 Click Add The Import License dialog box appears ...

Page 171: ...e license into the Firebox Vclass appliance After the import is complete the dialog box and the System Configuration window close 6 Repeat this process to import any other licenses into the Firebox Vclass appliance 7 To remove a license select the entry and click Remove A confirmation dialog box appears 8 Click OK The entry is removed from the License list To view the details of a particular licen...

Page 172: ...appears 2 Review the active features along with their capacity and status 3 Click Refresh to update the feature list 4 When you are finished click Close Install licenses from a license package When you purchase licenses for multiple Vclass appli ances they are delivered in a License Package file This is a gzipped tar tgz format file Internally the file includes license and serial number informatio...

Page 173: ...current appliance determined by the serial number are applied You must install the License Package separately to each appliance to apply or update all of your licenses To install a License Package 1 Click the Licenses tab The Licenses list is displayed 2 Click Install License Package The Open Bulk License File dialog appears ...

Page 174: ...log appears or the license package file is not valid in which case an error dialog appears Click OK to accept the results of the dialog VLAN Forwarding Option Your network may include a number of VLANs As a result you may need to create security policies to route traffic between two separate VLANs and this security appliance In such a situation which is known as VLAN forwarding you can create secu...

Page 175: ...nt work station in VLAN 1 to connect through the local gateway appliance and to monitor and maintain a Web server assigned to VLAN 3 which entails inter VLAN connec tions VLAN forwarding is a feature built into Firebox Vclass appliances and is inactive by default NOTE VLAN features are not available in Transparent Mode To activate VLAN forwarding 1 Click the VLAN Forwarding tab The VLAN Forwarding...

Page 176: ...corporate these VLAN forwarding features 2 Select the Enable Inter VLAN Forwarding checkbox When you have finished configuring the VLAN Forward ing settings click one of the following options Reset To return the settings to the previous configuration Apply To immediately apply the settings to the Firebox Vclass appliance ...

Page 177: ...ckets from a Blocked IP address reach the Vclass through the Public port they are dropped The Blocked Sites List also includes an Exception List for IP addresses that are allowed NOTE The System Configuration Blocked Sites List is static and changes only when an administrator makes changes to it You can block IPs dynamically for a specified time period using the System Information Blocked IP List ...

Page 178: ...ss 1 Click the Blocked Sites tab The System Configuration Blocked Sites window appears 2 To add a blocked site click the Add button under the Permanent Blocked Site IP List To edit a blocked site entry select the entry and click Edit The Add or Edit Site dialog appears ...

Page 179: ...t entry select the entry and click Edit The Add or Edit Site dialog appears 3 In the Site IP field type the IP address exception then click OK The new or edited site address is listed in the Exception List To delete a blocked site or exception list entry 1 Click the Blocked sites tab The System Configuration Blocked Sites window appears 2 Select an entry from the Blocked Sites List or the Exceptio...

Page 180: ...nd the address You can click Cancel to return the Blocked Sites List High Availability Configuration Use the High Availability tab to configure all of the neces sary features to connect link and run a high availability system using two HA ready Firebox Vclass appliances This provides continuous network management in the event of a security appliance failure For complete information on using this t...

Page 181: ...stem A super admin account grants the user a wide range of controls over the appliance and policies while the admin account restricts its user to status checks the policy checker tool and alarm resolution The end user account allows users to connect through a firewall to external networks or the Internet where such access is blocked by the firewall It primarily affects internal network users Confi...

Page 182: ...ly access to Vcontroller features with the exception of the Outstanding Alarms feature The user of an admin account can open Vcontroller to check on the status of the system but is not able to change or delete settings If however an alarm is detected the admin user can log in and both investigate and clear an active alarm The admin user can also open and use the Policy Checker to help troubleshoot...

Page 183: ...a brief description for the account This field is optional 5 Type the appropriate password in the Password field The password must be between 6 and 20 characters 6 Retype the password in the Retype Password field 7 Select the appropriate role from those displayed in the Unselected list Click Add to move the role to the Selected column 8 Click Apply A new account entry appears below the appropriate...

Page 184: ...ver a number of inside users need external access you can grant it to them by creating end user accounts and configuring a policy to allow authenticated users to bypass the firewall For more information of creating security policies see About Security Policies on page 159 Using a Web browser to authenticate After you create end user accounts contact prospective users and provide them with their en...

Page 185: ...e appears in the Web browser similar to this example 5 Type the end user account name in the User ID field 6 Type the end user password in the Password field 7 Click Login If the entries are accepted a status message appears in the browser confirming the connection The user can now connect to Web sites NOTE All end user connections have an idle timeout of two hours If the user does not maintain ac...

Page 186: ...mplete list of accounts appears in the Account Man ager window If needed you can edit or delete any of the listed accounts as described in the following sections Modifying an existing account To change an account by adding or removing an access privilege 1 Open the Account Manager and expand the category list on the left 2 Select the account to be edited The current access roles of this account ap...

Page 187: ...you use Vcontroller to manage a Firebox Vclass appliance through the interface 0 Private this is the default setup and requires the installation of Vcontrol ler on a Management Station located on the same private network as the appliance In certain settings a Management Station may be located on a network external from the Firebox Vclass appliance and you must gain external access through interfac...

Page 188: ...logs in as a super admin user and a second per son then attempts to log in as the default super admin the second person is given the option of killing logging out the first non default super admin user and taking over full super admin privileges Any number of non super admin access accounts which can only be used to check status and clear new alarms can log in at the same time If you attempt to lo...

Page 189: ...ntroller and did not log out correctly Another person was already logged in as a non default super admin user when you attempted to log in with the default super admin account The appliance gives you the opportunity to quit or to disconnect access for the other user You can click OK to close a previous session or to bump a secondary super admin user and to connect as the root super admin When Vcon...

Page 190: ...CHAPTER 7 Using Account Manager 158 Vcontroller ...

Page 191: ... policy operates in a similar way it lists qualifications that the Firebox Vclass appliance uses as it analyzes the initial packets of a new stream of data The sources of data can be your internal network or any external networks including the Internet Then if the packets match the traffic specifications of a given policy the appliance can take several types of actions firewall actions proxy actio...

Page 192: ...ther attributes of every data stream traveling through the Fire box Traffic specifications incorporate the following compo nents Source Refers to the origin of a stream of data whether it originates in your private network the DMZ or an external network Destination Refers to the final destination for traffic that will be passed through the Firebox Vclass appliance by that policy It can refer to a ...

Page 193: ...etwork address translation for internal networks Apply Quality of Service QoS controls to qualifying data traffic You can often combine several actions in the same policy as described in Policies with multiple actions on page 163 Types of policies You can use Vcontroller to create as few or as many policies as are needed by your particular network with each policy applying one or more compatible a...

Page 194: ...address behind an alias with Static NAT so that the alias is the only network ID visible to external users Virtual IP load balancing uses a single legitimate IP address and then evenly distributes data requests to any number of servers all mirroring the same information Your assets are not limited to a single server with a single IP address Traffic Shaping Quality of Service policies assign priori...

Page 195: ... unaffected Policies with multiple actions You can combine one or more actions in a policy For exam ple suppose you created a VPN policy that permits two server farm sites to share data with one another You might also want to implement load balancing so that the data is distributed equally among several servers The required policy would focus on the two gateway appliances as source and destination...

Page 196: ...y you can create a variety of actions as well as define schedules address groups tenants and other components for security poli cies You can also use the Policy Checker to make sure you have defined your policy correctly From the main Vcontroller window click Security Policy The Policy Manager window appears Static NAT YES YES NO NO na YES QoS YES YES YES YES YES na a ...

Page 197: ...The Address Group dialog box appears To create a new Address Group click New For instructions on defining the entry see Defining an address group on page 180 To edit an address group select the entry and click Edit To delete an address group select the entry and click Delete When you are finished click Close ...

Page 198: ...ined entries The Service dialog box appears To create a new Service click New For instructions on defining the entry see Defining a service on page 182 To edit a service select the entry and click Edit To delete a service select the entry and click Delete When you are finished click Close ...

Page 199: ...s The IPSec Action dialog box appears To create a new IPSec action click New For instructions on defining the entry see Defining an IPSec action on page 315 To edit an IPSec action select the entry and click Edit To delete an IPSec action select the entry and click Delete When you are finished click Close ...

Page 200: ...es The Proxy Action dialog box appears To create a new Proxy action click New For instructions on defining the entry see Creating a Proxy Action on page 241 To edit a Proxy action select the entry and click Edit To delete a Proxy action select the entry and click Delete When you are finished click Close ...

Page 201: ...ntries The QoS Action dialog box appears To create a new QoS action click New For instructions on defining the entry see Defining a QoS action on page 196 To edit a QoS action select the entry and click Edit To delete a QoS action select the entry and click Delete When you are finished click Close ...

Page 202: ...alog box appears To create a new NAT or Load Balancing action click New For instructions on defining the entry see About Load Balancing on page 200 To edit a NAT or Load Balancing action select the entry and click Edit To delete a NAT or Load Balancing action select the entry and click Delete When you are finished click Close ...

Page 203: ...ed entries The Schedule dialog box appears To create a new schedule click New For instructions on defining the entry see Defining a Schedule on page 205 To edit a schedule select the entry and click Edit To delete a schedule select the entry and click Delete When you are finished click Close ...

Page 204: ...ns on defining the entry see Defining tenants on page 189 To edit a tenant select the entry and click Edit To delete a tenant select the entry and click Delete When you are finished click Close To create a duplicate entry select a policy and click Clone To edit a particular entry select the policy and click Edit To delete a particular entry select the policy and click Delete ...

Page 205: ...ne help system within your browser window Click Security Policy or IKE Policy to toggle between these two displays How policy order governs policy application Vcontroller applies policies to new data in the order you set This order can be critical to the proper operation of your Firebox Vclass appliance For example suppose you define a policy that admits HTTP packet streams and you list this polic...

Page 206: ...r Continue to click until the selected policy appears in the desired location as shown here This illustration shows the selected policy has been moved from row 1 to row 4 Applying system wide QoS port shaping If your Firebox Vclass appliance sends data to a network device such as a modem router or hub that has a lower throughput speed you may want to adjust the throughput speed of the Firebox Vcla...

Page 207: ...s 4 Click Done Using tunnel switching For information on using tunnel switching with VPN poli cies see Using Tunnel Switching on page 323 Using Policy Checker As you compile and insert new policies in the Policy Man ager window you can use the Security Policy Checker win dow to find and apply the correct policy This limited test verifies that the policy is in the proper sort order and that it will...

Page 208: ...ternal device to which the expected source traffic will arrive 4 Select the appropriate interface at which the expected traffic will arrive from the Incoming Interface drop down list 5 From the Preference drop down list select one of the following Use Service Group If you select this item the Service drop down list is your only active option Use Protocol and Port If you select this item the Protoc...

Page 209: ...nt to Change the order of policies Edit each policy to change any overlapping settings If no match is found either your newly created policy con tained errors or the test scenario you hoped to validate had errors in the settings To examine the rule and its set tings 1 Resort the policies in the window and use the Security Policy Checker again to test the sort order after verifying your test traffi...

Page 210: ...t your connection to the private interface HOST_OUT Permits all outgoing traffic regardless from which internal interface the traffic originates access to external networks such as the Internet Defining a Security Policy The Insert Security Policy dialog box allows you to com bine traffic specifications and policy actions You use this dialog box to define all security policies regardless of type 1...

Page 211: ...for a security policy are defined in the Traffic Specs page of the Insert Security Policy dialog box To see this page click the Traffic Specs tab on the Insert Security Policy dialog box NOTE When you are editing a policy that already exists this dialog is called the Edit Security Policy dialog box However the functionality is the same The default sources and destinations are as follows ANY This r...

Page 212: ... of all interfaces If none of the listed items represent the source or destina tion you want to use for a policy you must define a new address group as described in the next section Defining an address group To create an address group 1 On the Traffic Specs tab click New next to the Source or Destination drop down lists You can also define an Address Group by clicking Address Group in the Policy M...

Page 213: ...ry of members that will be the source or destination of traffic The options include the following Host IP Address A single host or a single networked device IP Network Address A particular subnet IP Address Range A series of sequentially numbered IP addresses Address Group An existing address group 5 If you chose Host IP Address in the Host IP Address text field type the host computer s IP address...

Page 214: ...reated address group NOTE You can nest address groups as members within other address groups as suggested by the Address Group drop down list in the New Address Group Member dialog box This does require however the creation of each group before you can do so For example you could create an address group representing employee departments or employees within a subnet then in a separate process creat...

Page 215: ... separate policy for each service Although a comprehen sive set of protocols is included in the Service drop down list you can create a new service group using the proce dure in the next section To create a new service group 1 Click New The New Service dialog box appears 2 In the Name and Description fields type a name and brief description for the service The Description field is optional 3 Click...

Page 216: ...n list make the appropriate selection In the Server Port field type the port number used by this protocol Click Done 6 To create a service group containing a single protocol and a range of port numbers Select Service Range from the Type drop down list From the Protocol drop down list make the appropriate selection In the Start Server Port field type the lowest port number used by this protocol In ...

Page 217: ... box reappears the Service drop down list automatically displays this new group as your selection NOTE If this group is for use in a policy that blocks traffic of some type remember that blocking a service group effectively blocks all the service items in that group Before doing so you must make sure this is indeed your intent You ll only rarely need to block an entire service group instead you sh...

Page 218: ...not available on the V10 or V100 models Internal The traffic originates from within the appliance itself For example you would use this option if you created a policy that permits RADIUS query traffic to go to a VLAN network Using Tenants Using Vcontroller you can create policies that direct traffic in a multi tenant network environment Generally used in a service provider environment a customer s...

Page 219: ... are not supported in Transparent Mode About VLANs and tenants VLANs have become increasingly popular for both corpo rate networks and service providers as a way of partition ing a network into discrete regions VLANs can also be used to segregate a number of users who need to remain separate from one another The Firebox Vclass appliance permits you to use VLAN tags or IDs as part of the traffic sp...

Page 220: ...sword and a domain name Certificate based authentication A pre installed VPN certificate automatically supplies the client user name and domain name The password must be manually entered by the user This certificate must be imported by an IT administrator into the client system s Web browser which is required for all secure access After the three entries are supplied to the Firebox Vclass applianc...

Page 221: ...mation The browser displays either a Confirmation message indicating that the connection is complete and ready for use or an Invalid Entry alert allowing the user to try reentering his or her login information The user can now perform any network tasks with this connection Defining tenants To create VLAN tenants 1 Click New next to the Tenant drop down list The New Tenant dialog box appears ...

Page 222: ... field 2 Select the interface that connects to the VLAN network from the Interface drop down list 3 In the VLAN IP field type the IP address that is assigned to the interface on the specified VLAN network This IP address can also be used as a default gateway address for the devices on the specified VLAN network 4 In the VLAN Mask field type the mask associated with the VLAN IP address 5 In the Gat...

Page 223: ...e before it is automatically terminated 3 In the RADIUS IP field type the IP address of the RADIUS server 4 In the RADIUS Secret field type the password used by this Firebox to gain access to the RADIUS system In the Confirm Secret field retype the same RADIUS password 5 If the RADIUS server is not using the default UDP port shown in the RADIUS Port field clear the Use Default checkbox In the RADI...

Page 224: ...to any available backup RADIUS system In the Confirm Secret field retype the same RADIUS password This step is optional 10 If the Secondary RADIUS server is not using the default UDP port shown in the Backup RADIUS Port field clear the Use Default checkbox In the Backup RADIUS Port field type the correct port number This step is optional 11 Click Done 12 Repeat the process as needed to additional ...

Page 225: ...ne a firewall policy for internal traffic to block internal network users from unauthorized Internet access such as Web browsing Defining the firewall action The firewall action is defined in the Actions page of the Insert Security Policy dialog box To see and configure fire wall actions click the Actions tab Select one of the following options to define what you want the firewall to do with the t...

Page 226: ...ith Pass or Proxy Requires that internal users authenticate to the Firebox Vclass appliance before they are granted access through the firewall to external networks This option is available if you select Pass or Proxy as the action for the Policy If you select the User Authentication option you must create end user accounts for use by authorized users For more instructions on using the User Authen...

Page 227: ...rk congestion the traffic between HQ and branch offices will benefit from five times more bandwidth than that allowed to outbound Internet data TOS marking This allows you to overwrite the TOS byte value in the IP header of qualified packets These TOS values can be used by routers that recognize TOS precedence DTR bits or by routers that implement Differentiate Services Code Point DCP so that they...

Page 228: ...e New QoS Action dialog box appears 2 In the Name and Description fields type a name and brief description for the QoS action The Description field is optional 3 From the QoS Type drop down list select Weighted Fair Queue This is the only selection available at this time 4 In the Bandwidth Weight field type the percentage of bandwidth you want to assign to qualifying data You can type a value rang...

Page 229: ...1 Click TOS Marking The TOS Marking dialog box appears 2 Click one of the following TOS marking options TOS Precedence TOS Precedence and DTR or DiffServe CodePoint 3 Click either Forward Reverse or both Forward The policy will mark the packets that are transmitted in the same direction as this policy Reverse The policy will mark packets sent in the reverse direction of this policy 4 Depending on ...

Page 230: ... to outside public or optional addresses Using NAT also conserves the number of global IP addresses your company needs More impor tantly with NAT you can use a single public IP address for all outgoing and incoming communication which keeps your trusted addresses secure Static NAT You may have situations in which you want a subnet a server or a group of users to be associated with a different IP a...

Page 231: ...erface If IP addresses that are to be mapped are not in the same subnet as interface 1 Public proper routing must be configured to ensure that traffic to these mapped IP addresses is routed to interface 1 of this appliance Dynamic NAT If you have a number of employees or other private net work users whose client computers have been assigned IP addresses for internal use you can grant all of them f...

Page 232: ...rity appliance you can create a policy that lists each server and then assigns a percentage of total requests to that server based on its capacity in comparison to other servers After you apply this policy to your network traffic your Firebox Vclass security appli ance distributes new data requests to additional servers in the queue after previous servers have been fully utilized Load balancing al...

Page 233: ...e 2 If a VLAN or user domain tenant is affected by this action select the appropriate entry from the Tenant drop down list 3 Select Dynamic NAT from the NAT Load Balancing drop down list 4 Click New from the right of the NAT Load Balancing drop down list The New Load Balancing NAT Action dialog box appears 5 In the Name and Description fields type a name and brief description for the dynamic NAT a...

Page 234: ...op down list The New Load Balancing NAT Action dialog box appears 2 In the Name and Description fields type a name and brief description for the dynamic NAT action The Description field is optional 3 Select Static NAT from the NAT Type drop down list 4 Click New The New Mapping dialog box appears 5 Select an address group from the External Address Group and Internal Address Group drop down lists 6...

Page 235: ...ncing action The Description field is optional 3 Select Virtual IP from the NAT Type drop down list 4 Select one of the following options from the Load Balancing Algorithm drop down list Round Robin Each server is treated with equal priority Weighted Round Robin Each server is given priority based on its ability to deliver specific applications Random Traffic is randomly distributed to a series of...

Page 236: ... field is active 2 Choose one of these options and follow these instructions Address Group Select an option from the drop down list IP Address Type the IP address of a server in this field 3 In the Port field type a port number 4 Type the number that represents the percentage of load you want to direct to this server in the Weight field The percentages should be related to the total number of serv...

Page 237: ...ny given day in a week you can choose up to four periods that a policy will be activated Outside of that time period the Firebox Vclass appliance will not apply this policy Sched ules can be formulated within a policy while you create it or created separately and applied to an existing policy Defining a Schedule To define a schedule 1 Click New The New Schedule dialog box appears 2 In the Name and...

Page 238: ... create weekly schedules 1 Select Weekly 2 Select the appropriate day you want to schedule 3 Click Edit Day Schedule The Edit Day Schedule dialog box appears 4 Select the Period 1 checkbox 5 Type the values in the From and To fields or use the arrow buttons to adjust the values NOTE Remember to type afternoon and evening hours in military time For example 1 00 PM must be entered as 13 00 6 Repeat ...

Page 239: ...e the arrow buttons to adjust the values NOTE Remember to type afternoon and evening hours in military time For example 1 00 PM must be entered as 13 00 5 Repeat this process for the remaining periods as needed 6 Click Done to close the Edit Day Schedule dialog box and return to the New Schedule dialog box 7 Click Done Using the Advanced Settings Use the advanced policy settings to create global s...

Page 240: ...anced Configuration on page 129 Use Per Policy Settings Selecting this option allows you to define ICMP error handling parameters particularly for this security policy effectively overriding any global settings you may have configured Click one of the following options Allow All ICMP Errors or Allow Specified ICMP Errors Selecting the latter allows you to define which ICMP error messages will be a...

Page 241: ...ance to log for this particular security policy click Enable Per policy Log The traffic log setting must also be enabled For more information on configuring logging see Log Settings on page 383 5 Click the MSS tab 6 To enable per Policy TCP MSS Maximum Segment Size click Use Per policy Settings ...

Page 242: ...uto Adjustment Auto adjustment calculates the MSS automatically using the following calculations Determining the lesser value of the input port MTU and the output port MTU Subtracting packet overhead including IP and TCP addressing VLAN ESP PPPoE AH and UDP encapsulation The result is then rounded down to the next lower multiple of 8 bits 8 bit aligned to determine the size in bytes that is requir...

Page 243: ...ur system security policies Firewall Policy Examples The following sections describe different types of net works and how to create firewall policies to meet their security objectives Example 1 Allowing Internet access Westchester Inc has a small branch office with a lim ited number of publicly routable IP addresses This office requires a simple set of firewall policies that allows users to access...

Page 244: ...ester s requirements by doing the fol lowing 1 Create two firewall policies with these parameters 2 Have all the users in the private network reconfigure their computers default gateway to the IP address of the Private interface on the Firebox Vclass appliance Note that Dynamic NAT is applicable only to firewall poli cies for outgoing traffic Example 2 Restricting Internet access Stillbrook Corpor...

Page 245: ...st addi tional policy denies HTTP traffic from the private network using a schedule such that the policy action takes effect only from 9am to 5pm The second new policy uses the same traffic specifications but passes all HTTP traffic using dynamic NAT without any schedule restrictions NOTE If you create a security policy that applies an action according to a schedule it is a good practice to create...

Page 246: ...nts to block Internet access during working hours However it wants to make exceptions for certain authorized users To achieve this you would make use of the user authenti cation firewall feature and replace the Deny_HTTP pol icy with a scheduled Allow_User policy When this revised policy is in effect during office hours only autho Name Src Dest Service In Firewall NAT LB Schd 1 Deny_ HTTP ANY ANY ...

Page 247: ... 9am and 5pm Monday through Friday This permits the Allow_HTTP policy to be active outside the specified office hours at which time all users can surf the Internet 5 Before this group of authorized users can access the Internet they must first authenticate their access request so that they can proceed through the firewall They would do so by entering the following URL in their Web browser https 12...

Page 248: ...created on each Firebox Vclass appliance so that the users in the private net of the first branch office can access the computers in the private net work of the second branch office The policy on Firebox Vclass appliance 1 specifies the traffic coming in from the private interface while the policy on Firebox Vclass appli ance 2 specifies the traffic coming in from the public inter face Also note t...

Page 249: ...nt to allow the users in the private network of branch 2 office to access the computers in the private network of branch 1 office create two more policies on that appliance to permit such traffic The final list of policies used by the appliances should look like this Policies on Appliance 1 Policies on Appliance 2 Name Src Dest Service In Firewall Branch_1to2 Branch_1 Branch_2 ANY 0 Pass Name Src ...

Page 250: ...age of FTP services In such a network environment you may want to create a number of complementary policies that permit access by certain users to a limited set of assets servers while per mitting free external access to all internal users 1 Open the System Configuration dialog box and use the Route tab features to add a new route to the appliance The new route represents the default gateway which...

Page 251: ...hould resemble this list and be listed in exactly this order in the Policies table NOTE IP addresses are shown for these examples You must define a separate address group entry for each policy Example 6 Controlling access at corporate headquarters Lubec Corporation wants to augment an existing corporate firewall to provide the following access controls Only authorized internal network users can su...

Page 252: ...route represents the default gateway which will be the remote access server 2 All of the computers in the private network must be reconfigured with a default gateway that represents the Private interface of the Firebox Vclass appliance which in the example is 126 20 20 1 3 Create a new address group that represents the subnet connected to the private interface of the Firebox Vclass appliance using...

Page 253: ...thorized users on page 214 6 Create the following security policies in the exact order shown Note that the user authenticated firewall policy the first one to be created will apply policy actions only to authorized users while blocking all unauthorized users who are sources of the same type of traffic Name Src Dest Service In Firewall Schd 1 Allow_ User_ http HQ ANY HTTP 0 Pass Authenticate 9to5 M...

Page 254: ...ed VLAN ID 3 Customer XYZ s servers are in network 10 1 2 0 255 255 255 0 which has been assigned VLAN ID 25 To make this work the needed VPN policies are applied in the ASP s security appliance to allow Company ABC and XYZ to access their assets in the ASP through secure VPN tunnels Because the ASP should not be allowed to access Company ABC and XYZ s private networks uni direc tional VPN policie...

Page 255: ...0 XYZ_Net IP Address 205 118 17 0 Subnet Mask 255 255 255 0 Tenant_ABC IP Address 10 1 1 0 Subnet Mask 255 255 255 0 Tenant_XYZ IP Address 10 1 2 0 Subnet Mask 255 255 255 0 ABC VLAN id 3 interface 0 Private VLAN IP mask 10 1 1 1 255 255 255 0 XYZ VLAN id 25 interface 0 Private VLAN IP mask 10 1 2 1 255 255 255 0 SRC Dest Srvc In Tenant Firewall IPSec ABC_Net Tenant_ABC ANY 1 ABC Pass ipsec_ABC XY...

Page 256: ...the appliance to perform traffic management for multi tenant domains without the attendant VLAN hard ware The concept behind the definition of a user domain tenant involves identifying the tenant and establishing the means of authenticating that tenant For example the Vcontroller administrator first defines a new user domain tenant as described in this section At this time the administrator must l...

Page 257: ...r she opens a Web browser and logs into the Firebox appliance The user s IP address is also noted by the appliance After the user provides a user name password and domain name specified in the Tenant entry as referenced by the policy his or her name and password are validated by the RADIUS system The user is granted access to the external network The appliance now classifies packets from the user ...

Page 258: ...ple shows how this works in conjunction with other QoS policies Example 1 Policy 1 QoS action A with WFQ weight 5 Policy 2 No QoS Policy 3 No QoS Policy 4 QoS action B with WFQ weight 10 Policy 5 No QoS In this case the ratio between all three QoS actions is 5 default 5 QoS A and 10 QoS B When the network bandwidth is fully utilized policy 1 traffic will use 25 of the bandwidth policy 4 will use 5...

Page 259: ...he remaining 20 1 5 of bandwidth Static NAT Policy Examples The following sections describe different examples of static NAT applications Example 1 Translating IP addresses into aliases If one region of your network is protected from unautho rized internal use connections it may rely on a pool of internal use IP addresses that are also used in other net work regions You can set up a static NAT pol...

Page 260: ...ternal Internal_net External Alias Example 2 Preventing conflicts between IP addresses If your extended network relies on VPN connections between gateway appliances at remote sites you can set up address translation to prevent conflicts between the com mon pools used in the internal networks behind each appliance Name Source Dest Srvc In Static NAT action 1 Inbound static NAT ANY Alias ANY 1 stati...

Page 261: ...ude these settings 192 168 12 11 192 168 12 12 192 168 12 13 192 168 12 14 192 168 12 15 192 168 12 11 192 168 12 12 192 168 12 13 192 168 12 14 192 168 12 15 144 120 55 11 144 120 55 12 144 120 55 13 144 120 55 14 144 120 55 15 For Site A Net_A 192 168 12 0 24 Alias_A 212 12 3 0 24 Net_B 144 120 55 0 24 For Site B Net_B 192 168 12 0 24 Alias_B 144 120 55 0 24 Net_A 212 12 3 0 24 For Site A static...

Page 262: ...licies in the Site B security appliance would include these settings Name Src Dest Srvc In Static NAT action SITE_ A B Net_A Net_B ANY 0 pvt static NAT_A IPSec_A B Name Src Dest Srvc In static NAT action SITE_ B A Net_B Net_A ANY 0 pvt static NAT_b IPSec_A B ...

Page 263: ...w in the Security Policies list Your new policy appears in the row you selected and moves the existing policy down a row NOTE If your Firebox Vclass appliance is already using a block all external traffic firewall policy this new load balancing policy must be listed above the firewall policy 3 Click the Insert button at the bottom of the window The Insert Security Policy dialog box appears 4 In th...

Page 264: ...manage the growing num ber of consumers An e commerce site may get several hundred thousand hits a day A Firebox Vclass appliance can be strategically placed in the network to function as both a firewall that protects internal network assets and a load balancer for the Web servers In this scenario any number of external client users will be trying to connect to a Web site with a URL that points so...

Page 265: ... servers will not pick up the excess requests automatically A load balancing policy fixes these problems Because all clients use the publicly routable IP address 128 100 0 2 the Firebox Vclass appliance automatically receives all such requests and distributes them to the Web servers in the DMZ net regardless of what IP addresses each Web server is assigned In this example the site s publicly routa...

Page 266: ...each other The specific number can be determined using the following formula as shown in these two examples Load Capacity First Web server1 Second Web server2 twice as much as the first Web server Third Web server3 three times as much as the first Web server The weight distribution for these Web servers would be 1 2 3 Load Capacity First Web server1 Second Web server1 same as the first Web server ...

Page 267: ... Vclass User Guide 235 14 Save your new policy and then apply it in the Policy Manager window The final load balancing policy will have these settings Name Src Dest Service In Firewall NAT LB Allow_HTT P ANY 128 100 0 2 HTTP 1 Pass Web Load ...

Page 268: ...CHAPTER 9 Security Policy Examples 236 Vcontroller ...

Page 269: ...ges Such items are common methods of transmitting computer viruses The SMTP proxy knows these content types are not allowed while a packet filter would not detect the unauthorized con tent in the packet s data payload Proxies work at the application level while other poli cies work at the network and transport protocol level In other words each packet processed by a proxy is stripped of all networ...

Page 270: ... two proxy types HTTP Client Proxy SMTP Proxy Outbound and Inbound HTTP Client Proxy The HTTP Client Proxy is a versatile high performance content filtering method that you can use to selectively fil ter and protect your web clients and web servers from potentially hostile entities on the Internet The HTTP proxy offers the following features Can be used to force strict RFC compliance for the web s...

Page 271: ...s containing suspect attach ments can be stripped of their attachments and then sent to the intended recipient denied entirely or Blocked denied with the Sender IP added to the Blocked Sites List The Outbound SMTP proxy can be used to prevent mali cious SMTP messages that originate within your network from passing through the Vclass appliance and out to the internet or WAN The Inbound SMTP proxy i...

Page 272: ...le Figure 11 Ruleset description Rule processing occurs as follows Rules are processed in order from the top to the bottom of the window Rules can be ordered using the rule ordering arrows Once a filtered item matches a rule it is processed according to the specified action specified Content can match multiple listed rules or the default rule However only the first rule matched is used Default Rul...

Page 273: ...neral Proxy Configuration Proxies are configured as proxy actions from the Policy Manager Vcontroller includes three default proxies pre configured for the three available proxy types In addition to these preconfigured proxies you can create your own customized proxies or copy and edit the defaults Using a Proxy Action in the Policy Manager Proxy actions are implemented and ordered in the Policy M...

Page 274: ...ing proxy action to use as the base for the new proxy action from the Based On drop down list Click OK The proxy action Details window appears This window is different for each type of proxy The following figure shows the initial window for a new proxy action based on the Default HTTP Outgoing proxy action ...

Page 275: ...ce A complete reference for the parameters and configuration of the preconfigured proxies is included later in this chapter See Proxy Parameters Reference on page 251 for more information Editing an existing Proxy Action To edit an existing proxy action 1 Launch Vcontroller and log in 2 Click Proxies The Proxy Actions window appears ...

Page 276: ...HAPTER 10 Using Proxies 244 Vcontroller 3 Select a proxy action from the list and click Edit NOTE Note that you cannot save changes to the three default proxy actions The Add Proxy Action dialog appears ...

Page 277: ...meters Reference on page 251 for more information 5 When you have finished configuring the proxy action click OK to save your changes or click Cancel to close the proxy action without saving your changes Configuring proxy rules To create and configure proxy rules 1 Create or edit a proxy action 2 Navigate to the tab where you are creating the rule In this example a proxy rule is created in the HTT...

Page 278: ...sing Proxies 246 Vcontroller 3 Edit or Add a rule To edit a rule double click the rule or select the rule and click Edit The Edit Rule dialog box appears To add a new rule click Add The New Rule dialog box appears ...

Page 279: ...resentation for a Java file 0xCAFEBABE Pattern Match Select this to match a glob style pattern This field is case insensitive Regular Expression Select this to match a pattern employing full regular expression syntax This field is case Character Usage Example a wildcard used to match 0 to many characters vbs will match any filename that includes the extension vbs a wildcard used to match any singl...

Page 280: ...elect whether to write this event to the event log 9 Click OK to complete the rule Action Description Allow This option allows the connection to proceed as normal Deny or Strip This option denies or strips a specific request but maintains the connection if possible When this option is strip the content is dropped and replaced with the strip message When this option is strip all applicable filtered...

Page 281: ...e is always the last step for filtered content in a proxy action To order listed rules 1 Edit a proxy action See Editing an existing Proxy Action on page 243 for this procedure 2 Locate the ruleset you want to order 3 Select the rule you want to move and use the up or down arrows to change its position in the list Repeat this process for each rule that needs to be re ordered ...

Page 282: ...rule for the MIME subtype image tiff is ordered so it is above the allow rule for the MIME type image The image tiff rule is an exact match rule for the MIME type image tiff and the image rule is a pattern match rule for the master type image At runtime the proxy processes the image tiff rule first so images of type TIF are identified and stripped However all other image sub types do not match the...

Page 283: ...figure for proxy actions Settings for the three factory default proxy actions are also described The following default proxy actions are described HTTP Client Proxy on page 251 SMTP Incoming Proxy on page 272 SMTP Outgoing Proxy on page 286 HTTP Client Proxy Info tab This tab allows you to type a name and description for the HTTP proxy action ...

Page 284: ...acters the name is truncated to 30 characters Description A description of the proxy for your reference The proxy action should be used with the following services The default services for the HTTP proxy are TCP Ports 80 8000 and 8080 This section is informational only The proxy will filter all content of the specified type regardless of the port used ...

Page 285: ...ection Idle Timeout Specifies the time in seconds the proxy waits before dropping an idle connection Default is 110 seconds Maximum Allowed URL Length Specifies the maximum length in bytes of an allowed outbound HTTP URL Default is 1024 bytes Some sites may use longer URLs than this however the longer the URL the greater the chance that some systems may be vulnerable to certain attacks ...

Page 286: ... hacks Get The GET method retrieves the information entity identified by the Request URI This is the most frequently used request method RFC 2616 Head The HEAD method is identical to GET except that the server must not return a message body in the response The metainformation contained in the HTTP headers in response to a HEAD request is identical to the information sent in response to a GET reque...

Page 287: ...e If the Request URI does not point to an existing resource and that URI is capable of being defined as a new resource by the requesting user agent the origin server can create the resource with that URI RFC 2616 Link The LINK entity header field provides a means for describing a relationship between two resources generally between the requested resource and another resource An entity may include ...

Page 288: ... resource after the PATCH action has been applied The list of differences is in a format defined by the media type of the entity for example application diff and must include sufficient information to allow the server to recreate the changes necessary to convert the original version of the resource to the desired version RFC 2068 section 19 6 1 1 Options The OPTIONS method requests information abo...

Page 289: ...T request fails the server state preceding the request is restored RFC 3253 section 4 3 URL Paths URL Paths is a ruleset that allows you to filter the content of an HTTP path The path is everything after the initial slash For example in www server com cgi index html the path content is cgi index html The current ruleset implementation is set to catch and strip common executable program file extens...

Page 290: ... problems Windows DLL A pattern match rule that denies URL path content with the extension dll This effectively prevents users from accessing some Windows applications across HTTP DLLs are sometimes use for web applications such as banners or tickers However DLLs can pose a threat to your systems and network Exercise caution when changing this rule NOTE Blocking exe files in URLs prevents Windows ...

Page 291: ...h The maximum total length of the HTTP Request Header Some systems may be vulnerable to overflow attacks if the header field is too large The default value is 0 which means there is no maximum Maximum Line Length The maximum length of each line of characters in the HTTP Request Header Some systems may be vulnerable to exploits that use very long lines The default value is 1024 bytes ...

Page 292: ...ecipients between the user agent and the server on requests and between the origin server and the client on responses It is intended to be used for tracking message forwards avoiding request loops and identifying the protocol capabilities of all senders along the request response chain RFC 2616 Referer The Referer request header field allows the client to specify the address URI of the resource fr...

Page 293: ... must authenticate itself with a user ID and a password for each realm The realm value is an opaque string that can only be compared for equality with other realms on that server The server services the request only if it can validate the user ID and password for the protection space of the Request URI There are no optional authentication parameters RFC 2617 Digest Like Basic Access Authentication...

Page 294: ...the interactive logon process and consist of a domain name a user name and a one way hash of the user s password NTLM uses an encrypted challenge response protocol to authenticate a user without sending the user s password over the wire Instead the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials Microsoft ...

Page 295: ...nds that the connection to the server is allowed to idle before the connection is dropped Default is 110 seconds Body Content Type This ruleset specifies rules for filtering content in an HTTP Response The ruleset is configured to strip Windows OCX Windows CAB and Java applets The default rule allows all other response body content types Windows OCX Windows ActiveX controls OCX can be used to exec...

Page 296: ...tain malicious code that can be executed on a client system This rule specifies a pattern match for the Windows CAB signature 0x4d53434600000000 Java applet Java applets are widely used in many safe applications on the Web However Java applets can be used to maliciously attack or exploit a client This rule specifies a pattern match for the Java applet signature 0xcafebabe Response Headers tab This...

Page 297: ...s that use very large headers If the total header size exceeds this limit the entire HTTP Response is denied The default value is 0 no limit Maximum Line Length This specifies the maximum allowed length of a line of characters in the HTTP Response Headers Some systems might be vulnerable to buffer overflows with very long lines so you can adjust this setting according to the capabilities of your s...

Page 298: ...allowed Header Fields are Accept RFC 2616 Accept Charset RFC 2616 Accept Encoding RFC 2616 Accept Language RFC 2616 Accept Ranges RFC 2616 Age RFC 2616 Allow RFC 2616 Alternates RFC 2068 19 6 2 1 Authorization RFC 2616 Cache Control RFC 2616 Connection RFC 2616 Content Base RFC 2068 14 11 Content Disposition RFC 1806 Content Encoding RFC 2616 Content Language RFC 2616 Content Length RFC 2616 Conte...

Page 299: ...nk RFC 1945 D 2 6 Location RFC 2616 Mime Version RFC 1945 D 2 7 Max Forwards RFC 2616 Pragma RFC 2616 Proxy Authenticate RFC 2616 Proxy Authorization RFC 2616 Proxy Connection undocumented Functionality is same as Connection but applies only to proxies This can cause problems with proxies that do not support it Public HTTP 1992 Range RFC 2616 Referer RFC 2616 Retry After RFC 2616 Server RFC 2616 S...

Page 300: ...ticate RFC 2616 Content Types This ruleset specifies rules for filtering Content Type MIME type content in HTTP Response Headers The ruleset is configured to allow some safe Content Types and strip MIME content that has no specified Content Type The default rule strips all Content Types that do not match the listed rules NOTE You might want to allow JavaScript content depending on your organizatio...

Page 301: ...n match for video Text based This rule allows all MIME text types by identifying the MIME Content Type text The rule uses a pattern match for text No Content Type present This rule allows all MIME text types by identifying the MIME Content Type text The rule uses a pattern match for text Images This rule allows all MIME text types by identifying the MIME Content Type image The rule uses a pattern ...

Page 302: ...ies When you configure a rule to strip a Cookie use pattern matching then type cookiedomain com as the pattern to match Deny Message tab This tab allows you to customize a Deny Message The Deny Message replaces content that is denied You can customize the Deny Message with standard HTML The first line of the Deny message is part of the HTTP header There must be a blank line between the first line ...

Page 303: ...ollowing values can be called from the proxy action method This inserts the proxy rule that identified the content to strip reason This inserts a plain text reason that the content was stripped transaction This inserts transaction information for the stripped content url host This inserts the server address from which the stripped content originated url path This inserts the URL of the stripped co...

Page 304: ...A name for the proxy This field is limited to 30 characters If the name you specify is longer than 30 characters the name is truncated to 30 characters Description A description of the proxy for your reference The proxy action should be used with the following services The default service for the SMTP proxy is TCP Ports 25 This section is informational only The ...

Page 305: ...ts Specifies the maximum number of email recipients to which a message can be sent This acts as a counter and allows the specified number of messages through then drops the remaining addresses For example if the default setting of 50 is used and a message is addressed to 52 recipients the first 50 addressees receive the email message and the last two addressees are dropped Distribution lists that ...

Page 306: ...efault is 3 000 000 bytes 3 million bytes Maximum Address Length Specifies a maximum length for addressee email addresses Restricting email address size can prevent some buffer overflow exploits from being used The default is 50 bytes Maximum Line Length Specifies the maximum line length for lines in an SMTP message Very long line lengths can cause overflow conditions on some mail systems Most ema...

Page 307: ...specified without it Allow Source Routed Addresses Allows source routed addresses This is an old UUCP convention that is not used much today except in the proliferation of spam email This field is disabled by default It is recommended that you do not enable this field HELO EHLO Greeting Hostname These commands are used to identify the SMTP receiver to the SMTP server The argument field contains th...

Page 308: ...tent Types or Address Patterns Content Types This ruleset allows six common MIME types and all of their subtypes The default rule strips all other MIME types This ruleset does not by default allow any application or model MIME types Depending on your network needs you might want to allow certain application MIME types To find MIME types that you might want to allow or strip refer to ...

Page 309: ...y identifying the MIME Content Type message The rule uses a pattern match for message multipart This rule allows all MIME multipart types by identifying the MIME Content Type multipart The rule uses a pattern match for multipart Note that if you do not allow multipart MIME your users might lose a lot of messages and attachments Multipart is used frequently to create messages that include attachmen...

Page 310: ... Microsoft Word doc file extension The rule uses a pattern match for doc Text file This rule allows standard text attachments with the txt file extension The rule uses a pattern match for txt Excel spreadsheet This rule allows attachments with the standard Microsoft Excel spreadsheet xls file extension The rule uses a pattern match for xls Address Patterns tab This tab allows you to specify values...

Page 311: ...From This ruleset contains no listed rules from the factory The default rule is allow In this configuration mail from all senders is allowed into your network Mail To This ruleset contains no listed rules from the factory The default rule is allow In this configuration mail addressed to any recipient is allowed into your network ...

Page 312: ...ltering Header Rules This ruleset allows a number of SMTP Headers The default rule strips all other SMTP headers As there are hundreds of possible SMTP headers it might be useful or necessary to allow other SMTP headers in your system The Headers that are allowed include Approved By Bcc Cc Comments Content Description ...

Page 313: ...ntent Language Content Length Content MD5 Content Transfer Encoding Content Type Date Encoding Encrypted From In Reply To Keywords MIME Version Message ID Precedence References Reply To Resent Bcc Resent Cc Resent Date Resent From Resent Message ID Resent Reply To Resent To Status Subject To ...

Page 314: ...nctional extensions to SMTP and for clients who support extended features to recognize each other For RFC documentation sources on extensions to SMTP see Reference Sources on page 297 Allow BDAT CHUNKING Allows BDAT and CHUNKING if enabled on the SMTP host and client BDAT and CHUNKING enable large messages to be sent more easily over SMTP connections RFC 3030 Allow Remote Message Queue Starting Al...

Page 315: ... bit ASCII using SMTP RFC 1652 Allow Binary MIME Allows the Binary MIME extension if the sender and receiver support it Binary MIME avoids the overhead of base64 and quoted printable encoding of binary objects sent using the MIME message format over SMTP RFC 3030 NOTE BDAT CHUNKING must be allowed for Binary MIME to work Authentication Rules This ruleset allows a number of ESMTP Authentication typ...

Page 316: ...ginates from a single domain Masquerading mes sage IDs allows you to replace the message ID SMTP Header with new IDs Masquerading is generally only useful for outgoing SMTP Domain Name Type a domain name here to replace the domain names for incoming messages with the specified domain For example if you type watchguard com then to your users it will appear that all incoming email is from senders at...

Page 317: ...b This tab allows you to customize a Deny Message The Deny Message replaces inline content that is stripped You can customize the Deny Message with standard text You can also change the character set for non English text and you can call values from the proxy action to describe why content was removed The following values can be called from the proxy action type This inserts the Content Type for t...

Page 318: ...ts the name of the rule that stripped the content SMTP Outgoing Proxy Info tab This tab allows you to type a name and description for the SMTP Outgoing proxy action Name A name for the proxy This field is limited to 30 characters If the name you specify is longer than 30 characters the name is truncated to 30 characters ...

Page 319: ...s 25 This section is informational only The proxy will filter all content of the specified type regardless of the port used General tab This tab allows you to specify general values for Incoming SMTP content filtering Maximum Recipients Specifies the maximum number of email recipients to which a message can be sent This acts as a counter and allows the specified number through then drops the remai...

Page 320: ...g to enable them to be sent over 7 bit email systems These types of encoding causes an increase in size of approximately 1 3 for encoded files Therefore if you want to allow messages of up to 1000 bytes you should set this field to a minimum of 1334 bytes to ensure that all mail gets through The default is 3000000 bytes 3 million bytes Maximum Address Length Specifies a maximum length for addresse...

Page 321: ...a single percentage sign character The commercial at character is not included because this list specifies only the characters on either side of the as email addresses cannot be specified without it Allow Source Routed Addresses Allows source routed addresses This is an old UUCP convention that is not used much today except in the proliferation of spam email This field is disabled by default It is...

Page 322: ...SMTP content filtering Category This specifies the ruleset category Content Types or Address Patterns Content Types This ruleset does not include any factory defined rules The default rule is set to allow Attachment Filenames This ruleset does not include any factory defined rules The default rule is set to allow ...

Page 323: ...he ruleset category Mail From or Mail To Mail From This ruleset contains no listed rules from the factory The default rule is allow In this configuration mail from all senders is allowed out of your network Mail To This ruleset contains no listed rules from the factory The default rule is allow In this configuration mail addressed to any recipient is allowed to leave your network ...

Page 324: ...sing Proxies 292 Vcontroller Headers tab This tab allows you to specify values for outgoing SMTP Header filtering Header Rules This ruleset includes no factory defined rules The default rule allows all SMTP headers ...

Page 325: ... for functional extensions to SMTP and for clients who support extended features to recognize each other For RFC documentation sources on extensions to SMTP see Reference Sources on page 297 Allow BDAT CHUNKING Allows BDAT and CHUNKING if enabled on the SMTP host and receiver BDAT and CHUNKING enable large messages to be sent more easily over SMTP connections RFC 3030 Allow Remote Message Queue St...

Page 326: ...t ASCII using SMTP RFC 1652 Allow Binary MIME Allows the Binary MIME extension if the sender and receiver support it Binary MIME avoids the overhead of base64 and quoted printable encoding of binary objects sent using the MIME message format over SMTP RFC 3030 NOTE BDAT CHUNKING must be allowed for Binary MIME to work Authentication Rules This ruleset allows a number of ESMTP Authentication types ...

Page 327: ... present all email as if it originates from a single domain Masquerading mes sage IDs allows you to replace the message ID SMTP Header with new IDs Domain Name Type a domain name here to replace the domain names for outgoing messages with the specified domain For example if you type watchguard com then all messages originating from your network will appear to originate from username watchguard com...

Page 328: ...s tab allows you to customize a Deny Message The Deny Message replaces messages that are denied You can customize the Deny Message with standard text You can also change the character set for non English text and you can call values from the proxy action to describe why content was removed The following values can be called from the proxy action type This inserts the Content Type for the content t...

Page 329: ...tocol for Networked Information 1992 http www w3 org Protocols HTTP HTTP2 html RFC 822 Standard for the Format of ARPA Internet Text Messages http www ietf org rfc rfc0822 txt RFC 1652 SMTP Service Extension for 8bit MIMEtransport http www ietf org rfc rfc1652 txt RFC 1806 Communicating Presentation Information in Internet Messages The Content Disposition Header http www ietf org rfc rfc1806 txt R...

Page 330: ...nsfer Protocol HTTP 1 1 June 1999 http www w3 org Protocols rfc2616 rfc2616 html RFC 2821 Simple Mail Transfer Protocol April 2001 http www ietf org rfc rfc2821 txt RFC 2965 HTTP State Management Mechanism http www ietf org rfc rfc2965 txt also RFC 2109 RFC 3030 SMTP Service Extensions for Transmission of Large and Binary MIME Messages http www ietf org rfc rfc3030 txt RFC 3253 Versioning Extensio...

Page 331: ...ts a vast quantity of information at your fingertips The benefits of using the Internet to exchange infor mation and conduct business are enormous Unfortu nately so are the risks Because data packets traveling the Internet are transported in plain text anyone can potentially read them and place the security of your network in jeopardy ...

Page 332: ...te headquarters branch offices remote users telecommuters and traveling employees User authentica tion verifies the identity of both the sender and the receiver Data sent by way of the Internet is encrypted so that only the sender and the receiver of the message can see it in a clearly readable state For more information on VPN technology see the online support resources at http support watchguard...

Page 333: ...ism to ensure the confidentiality and authenticity of IP packets IPSec func tionality is based on modern cryptographic technologies providing extremely strong data authentication and pri vacy IPSec makes secure communication possible over the Internet and IPSec standards allow interoperability between VPN solutions A major benefit of IPSec is its interoperability Instead of specifying a proprietar...

Page 334: ...can access certain network locations Authentication can either take place through a firewall or through an external authentication server such as Remote Authentication Dial In User Service RADIUS An authen tication server is a trusted third party that provides authentication services to other systems on a network Internet Key Exchange IKE As the number of VPN tunnels between WatchGuard appliances ...

Page 335: ...e to compute the keys NAT Traversal UDP Encapsulation A problem occurs with IPSec encrypted packets crossing NAT devices The IPsec authentication header AH pro tects entire IP packets including IP headers from modifi cation NAT modifies the IP header causing an inherent incompatibility The IPsec Encapsulating Security Payload ESP encrypts IP packets NAT cannot modify TCP and UDP ports when these v...

Page 336: ...lutions The WatchGuard Firebox System offers several methods to provide secure tunnels Mobile User VPN Remote User VPN VPN to other IPSec compliant devices Mobile User VPN Mobile User VPN MUVPN requires configuration of both the Firebox Vclass appliance and the remote client comput ers However the Firebox Vclass administrator has consid erable control over the client configuration MUVPN users auth...

Page 337: ...yption for VPN traffic originating from your sales team and the stronger Triple DES encryption for all data transmitted from your finance department About VPN Policies To establish VPN connections between your present site and other remote sites you must create and apply VPN policies These policies specify the required levels of authentication and encryption to protect the data VPN policies and IP...

Page 338: ...specifies whether the key is created automatically or manually Automatic key management is done in accordance with IKE an IETF standard protocol Using IKE encryption keys are automatically negotiated and selected by two connected security appliances This provides the easiest most efficient wat to manage keys Encryption authentication Two principal types of security protocols protect data packets i...

Page 339: ... proposal may use ESP with DES for encryption and AH with MD5 for authentication When a Firebox Vclass appliance negotiates with another appli ance to select an automatic key the initiating appliance sends a list of proposals to the other appliance starting a negotiation process at the end of which a protocol and algorithm are chosen and used NOTE You must activate your LiveSecurity Service to ena...

Page 340: ...CHAPTER 11 Using Virtual Private Networks VPN 308 Vcontroller 2 Select an entry point from the list of policies and then click Insert The Insert IKE Policy dialog box appears ...

Page 341: ...field select one of the following options Address Group Select the address group of the remote gateway from the drop down list or click New to create a new address group For information on creating an address group see Defining an address group on page 180 Domain Name Type the domain name of the remote gateway User Domain Name Type the user domain name of the remote gateway X 500 Name Type the X 5...

Page 342: ...ns become active NOTE This key will be shared among all participating peer IKE systems If a remote peer does not use the same key or if a different authentication is used negotiations will fail 10 Click either String or Hex and then type and confirm the key in the fields The key can consist of any combination of letters and numbers but it cannot contain blank spaces 11 Click Done Defining an IKE a...

Page 343: ...lower mode that provides greater security This is the recommended mode Aggressive A faster less secure mode If you choose this mode you can include only one IKE transform 4 Select the Enable NAT Traversal checkbox NAT Traversal is enabled by default For more information see NAT Traversal UDP Encapsulation on page 303 5 If you want to change the NAT Traversal keep alive time click Advanced The NAT ...

Page 344: ... or click New to create a new IKE transform The New IKE Transform dialog box appears 9 From the Authentication Type drop down list select the Authentication Type 10 From the DH Group drop down list select a DH group type DH Diffie Helman groups enable two peer systems to publicly exchange and agree on a shared secret key The numbers available on the drop down list 768 and 1024 are the number of bi...

Page 345: ...5 In the Life Length field type the maximum size in kilobytes This field is optional 16 Click Done The transform is added to the IKE transforms list 17 Repeat this process to add any other transforms Aggressive mode permits only a single transform 18 When all the required transforms are listed you can shuffle the order if necessary by selecting a transform and clicking the Up or Down arrows to the...

Page 346: ...og box appears 3 In the Name and Description fields type a name and brief description for the security policy The Description field is optional 4 From the Source drop down list select a preconfigured address group that corresponds to the remote appliance or click New to create a new address group For information on creating an address group see Defining an address group on page 180 5 From the Dest...

Page 347: ...interface selection is 0 or 2 and not 1 Defining an IPSec action To define an IPSec action 1 Click New The New IPSec Action dialog box appears 2 In the Name and Description fields type a name and brief description for the IPSec action The Description field is optional 3 From the Mode drop down list select Tunnel or Transport ...

Page 348: ...s the peer IP address of the tunnel from the drop down list Click Peer Tunnel IP Address and then type the peer IP address 5 From the Key Management drop down list select one of the following options Automatic IKE This key management process regularly replaces existing keys with randomly generated keys are created by the Firebox Vclass For information on creating an automatic key see Defining an a...

Page 349: ... new keys as necessary Keys encryption and authentication algorithms are negotiated and then chosen and used by the two participating security appliances To define an automatic key 1 From the Key Management drop down list select Automatic IKE 2 Select the Perfect Forward Secrecy checkbox if you want to use this option If you select this checkbox this policy uses new key material every time it gene...

Page 350: ...tion you can create your own proposals 1 Click New The New IPSec Proposal dialog box appears 2 In the Name and Description fields type a name and brief description for the IPSec proposal The Description field is optional 3 From the Anti Replay window select an anti replay option These options can protect your system from replay attacks You can now add an ESP transform AH transform or both A transf...

Page 351: ...ect If you type zero this key will have an unlimited lifetime 4 From the the Lifetime drop down list select either Hours or Minutes 5 In the Life Length field type the maximum number of kilobytes of traffic that would be encrypted by this key before it expires If you type zero there is no maximum limit to the amount of traffic encrypted by this key NOTE Either Lifetime or Life Length must be a non...

Page 352: ... keys in this security protocol Only one of the transforms is chosen when negotiation is complete If none of the transforms are matched by the peer appliance the proposal is rejected 11 When you are finished click Done To define an AH transform 1 Enable the AH checkbox 2 Click New to open the New AH Transform dialog box 3 In the Lifetime field type the number of hours or minutes a key will be in e...

Page 353: ...rms into the proper order of application Click a transform you want to move and click the up or down arrow until it appears in the proper place The order of transforms represents the preference of the encryption authentication algorithm and lifetime of keys in this security protocol Only one of the transforms is chosen when negotiation is complete If none of the transforms are matched by the peer ...

Page 354: ...3 In the Peer SPI field type the unique number of the remote appliance 4 From the Encryption Algorithm drop down list select the encryption algorithm 5 Click String or Hex for the encryption key to specify the key text to be used either character or hexadecimal notation 6 Type and confirm the key in the appropriate fields 7 Select the Authentication Algorithm from the drop down list 8 Select eithe...

Page 355: ...he Authentication Algorithm drop down list select the authentication algorithm 14 Click either String or Hex to specify the type of key text to be used 15 In the Key and Confirm Key fields type and confirm the key Using Tunnel Switching Maintaining and managing VPN tunnels can be compli cated and labor intensive This is particularly true when using a fully meshed topology in which a VPN tunnel is ...

Page 356: ...h all branch offices connect to corporate headquarters or any centralized site with a sin gle VPN tunnel All communications between branch offices pass through the designated central site Remote users too can dial into headquarters to access branch offices without the need to establish additional VPN tun nels This topology shown in the following figure dramat ically reduces the effort of managing ...

Page 357: ...switching is performed by the Firebox Vclass appli ance which prevents any degradation of network perfor mance The greatest benefit gained from tunnel switching is the reduced cost of managing corporate VPNs If a new branch office is added to the corporate VPN network the adminis trator only needs to add a new policy in the Firebox Vclass appliance at headquarters No additional configuration is ne...

Page 358: ...icies for site to site tunnel switching you must activate tunnel switching in the Firebox Vclass appliance hardware which is disabled by default To do so 1 Open the Policy Manager window 2 Click the Tunnel Switch button in the left margin this button is not available on the V10 or in Transparent Mode The System Tunnel Switching dialog box appears 3 Select the Enable Tunnel Switching checkbox 4 Cli...

Page 359: ...tion of both the Firebox Vclass appliance and the remote client computers The complete procedure for using RUVPN is documented in the Vclass Mobile User VPN Adminis tration Guide and the operating system specific MUVPN end user brochures However this chapter provides the Firebox Vclass appliance procedures you need to perform before using these other guides ...

Page 360: ...te a security policy and distribute it along with the RUVPN software to each telecommuter After the software is installed on the telecommuters computers they can securely access corporate resources RUVPN users can modify their security policy You can also restrict RUVPN users fo that they they have read only access to the policy Remote User VPN is available on all Firebox Vclass models except the ...

Page 361: ...r by using shared keys or certificates To configure the general settings of the RUVPN authentica tion policy 1 From the main Vcontroller window click Remote Users The RAS Configuration dialog box appears 2 To the right of the Default User Group drop down list click New The New User Group Profile dialog box appears ...

Page 362: ...l IP address when a connection is made Internal Each remote user will be assigned an internal IP address when a connection is made You must then select a preconfigured address group from the Address Pool drop down list or click New to create a new address group For information on creating an address group see Defining an address group on page 180 5 In the DNS Server field type the IP address of th...

Page 363: ...s 8 From the Session Time Limit drop down list select either Hours or Minutes 9 In the Idle Timeout field type the appropriate number of hours or minutes 10 From the Idle Timeout drop down list select either Hours or Minutes 11 In the Concurrent Logins field type the maximum number of logins to be permitted 12 Click Done This new user group profile is displayed in the User Group entry list ...

Page 364: ...e checkbox and then click Commit To continue configuring the remote users authentication policy select an authentication method Internal database For information on using this option to authenticate remote users see Using an internal authentication database below RADIUS Server For information on using this option to authenticate Remote Users see Using a RADIUS authentication database on page 335 ...

Page 365: ...ide 333 Using an internal authentication database To set up an internal authentication database 1 Enable the Internal database option 2 Click the Internal Database tab The RAS users list is displayed 3 To create a new user entry click New The New RAS User dialog box appears ...

Page 366: ... by typing values you want NOTE The Enabled checkbox in the New RAS User dialog box controls whether or not this user account is active If you need to temporarily disable an entry select the user from the list of entries and click Edit Click to clear the Enabled checkbox You can reactivate this account at any time by clicking the Enabled checkbox again 9 Click Done This entry is displayed among th...

Page 367: ...RADIUS server 1 From the main Vcontroller window click Remote Users The RAS Configuration dialog box appears 2 Click RADIUS Server 3 To the right of Primary Radius click Edit The RADIUS Server dialog box appears 4 In the IP Address field type the IP address of the RADIUS server 5 In the Secret and Confirm Secret fields type the secret and confirm it ...

Page 368: ... click Commit NOTE Depending on how the RADIUS servers area is configured you might encounter a situation where the internal IP address and DNS server IP address information might be available on both the RADIUS server and the Firebox Vclass security appliance In this case the Firebox Vclass appliance automatically yields precedence to the RADIUS server when a user is being authenticated Resetting...

Page 369: ... user After a remote user account has expired you can reactivate it by resetting the account expiration 1 Click the Internal Database tab Any expired users are labeled as such under the Status column 2 Select the expired user and then click Account Renewal 3 Click Done 4 Click Apply The Commit dialog box appears 5 To flush any active connections that may be affected by the changes click the approp...

Page 370: ...page 328 you have the option to connect a Firebox Vclass appliance to both a primary and backup RADIUS server The backup server may at some time become unavailable temporarily or permanently In this situation you should remove the backup server setting 1 From the main Vcontroller window click Remote Users The RAS Configuration dialog box appears 2 Click Clear A confirmation window appears 3 Click ...

Page 371: ...an authentication policy you must define IKE and Security policies Defining an IKE action for RUVPN To define an IKE action 1 From the main Vcontroller window click IKE Policy The Policy Manager window appears 2 Click IKE Action The New IKE Action dialog box appears 3 In the Name and Description fields type a name and brief description for the IKE action The Description field is optional ...

Page 372: ...ype drop down list select the Authentication Type 9 From the DH Group drop down list select a DH group type DH Diffie Helman groups enable two peer systems to publicly exchange and agree on a shared secret key The numbers available on the drop down list 768 and 1024 are the number of bits used for exponentiation to generate private and public keys The larger the number the greater the protection 1...

Page 373: ...sforms are listed you can shuffle the order if necessary by selecting a transform and clicking the Up or Down arrows to the left of the list The order in which transforms are listed establishes the preference order of all listed transforms during phase one negotiations 18 Click Done For more information on configuring IKE actions see Defining an IKE action on page 310 Defining an IKE policy To def...

Page 374: ...ormation on creating an address group see Defining an address group on page 180 4 Select a preconfigured IKE Action from the drop down list or click New to create a new IKE action For information on creating an IKE action see Defining an IKE action on page 310 5 From the Peer Authentication ID field select Any 6 If you previously selected an IKE action that incorporates RSA or DSA as the authentic...

Page 375: ...ype the Pre Shared Key options become active 8 Click String and then type and confirm the key in the appropriate fields The key can consist of any combination of letters and numbers but it cannot contain blank spaces 9 Click Done For more information on configuring IKE policy see Defining an IKE Policy on page 307 Defining an RUVPN Security Policy and an IPSec Action After defining IKE actions and...

Page 376: ...n field is optional 4 From the Mode drop down list select Tunnel 5 Click Peer Tunnel Address Group or Peer Tunnel IP Address Peer Tunnel Address Group Then select the address group that represents the IP address remote user from the drop down list Peer Tunnel IP Address Then type the remote user IP address 6 From the Key Management drop down list select Automatic IKE ...

Page 377: ...Defining a security policy for RUVPN To define a security policy 1 On the left side of the Policy Manager window click Security Policy or on the main Vcontroller window click Security Policy The Policy Manager window refreshes and the Security Policy list is displayed 2 Select an entry point from the list of policies and then click Insert The Insert Security Policy dialog box appears showing the G...

Page 378: ...of ANY If internal IP addresses will be automatically assigned to all remote users the Source should then be the address group you created earlier in the User Group Profile dialog box 6 Select a preconfigured address group from the Destination drop down list corresponding to the local appliance or click New to create a new address group For information on creating an address group see Defining an ...

Page 379: ...rs will use whether a few or a wide range of services 8 From the Incoming Interface drop down list select 1 Public 9 Click the Actions tab The Actions page appears 10 Click Pass 11 from the IPSec drop down list select a previously created IPSec action 12 Click Done 13 When you have finished configuring RUVPN policies click Apply to save the settings to the Firebox Vclass appliance Form more inform...

Page 380: ...ss is subject to the security policies defined within the Policy Manager Therefore by controlling the network address assignment for a group of users a network admin istrator can establish different levels of access privileges for whole groups of users Associating an address group to a user group allows you to control which part of the corporate networks can be accessed by users in a particular us...

Page 381: ...er Guide 349 You can also view a basic summary of the recent connec tion history of a particular user though not the current one by opening the RAS Configuration dialog box and clicking the Internal Database tab select a listed user and click Details ...

Page 382: ... appears summarizing the most recent connection history of that user Click Active Users to monitor currently active users The System Information dialog box appears displaying a list of active RAS users For more information on monitoring active RAS users see RAS User Information on page 395 ...

Page 383: ...fications for basic system processes such as the log file reaching a certain size or you can configure alarms that alert the on duty sys tem administrator when critical conditions have been detected You can establish single condition or multi ple condition alarms for any level of complexity that your system might encounter You can also use the Alarm Manager window to view the current status of the...

Page 384: ...condition 1 From the main Vcontroller window click Alarm The Alarm Manager window appears 2 Click the Alarm Definitions tab to view the current list of alarm definitions This tab lists pre defined default alarms along with indications of their severity and whether or not they have been enabled ...

Page 385: ...ser Guide 353 3 Click Add The Alarm Definition dialog box appears 4 In the Alarm Name field type a name for the alarm 5 Click and move the Severity slider to the point on the scale that matches the value of this alarm Low Medium or High ...

Page 386: ...pears 2 From the Probe Category drop down list select System Policy or VPN End point Pairs The display changes depending upon your choice of Probe Category Policy Select the policy of your choice and then select the counter you want to use for the alarm Selecting For All Policies displays a different list of counters System Select the counter you want to use for the alarm VPN End point Pairs Selec...

Page 387: ... keep a record of all instances of this alarm 7 Click SNMP Trap to initiate an SNMP trap When this alarm is triggered a message is sent to the Management Station Indicates less than Indicates greater than Indicates equal to Indicates less than or equal to Indicates greater than or equal to Indicates not equal to becomes becomes Condition will be true if the counter value becomes greater than the t...

Page 388: ...Alarm Definitions Repeat this process to create other single condition alarms Defining a multiple condition alarm 1 Click the Alarm Definitions tab and then click Add 2 Click More Two condition options appear 3 Click Add The Select Condition dialog box appears 4 Click the text field where counter appears This field acts as a button The Select a Counter dialog box appears 5 From the Probe Category ...

Page 389: ...the alarm 6 Click Select For more information about the counters and their capabilities see A Catalog of Real time Monitor Probe Counters on page 368 The selected conditions appear in the Select Condition dialog box 7 Select the condition 8 Delete the text in the threshold field type either a whole number or a percentage for this counter and then click OK The newly created condition appears in the...

Page 390: ...all instances of this alarm 12 Select the SNMP Trap checkbox to initiate an SNMP trap When this alarm is triggered a message is sent to the Management Station 13 Select the Email Notification checkbox to activate email notification enable the response option Type the email address in the field that appears to the right of the checkbox To send an email notification to more than one email address ty...

Page 391: ...on enable or disable a current alarm or delete an alarm definition that is no longer needed in the Alarm Manager window To Update an alarm definition 1 Open the Alarm Manager window and click the Alarm Definitions tab 2 Select the alarm that is to be updated and click Edit The Alarm Definition dialog box appears 3 Make the changes to the severity and response options 4 Click OK when finished to re...

Page 392: ... An animated alarm bell icon appears at the top of the WatchGuard Vcontroller main page The red Alarm LED illuminates on the front of the Firebox Vclass appliance A notice appears in the Outstanding Alarms tab of the Alarm Manager window You receive a SNMP trap message You receive an email or pager notification The relative severity of the alarm determines which contact method is used If the alarm...

Page 393: ... the Vcontroller main page click the animated alarm bell or click the Alarm button The Alarm Manager window appears listing the current alarms at the Outstanding Alarms tab 2 Review the list of alarm notices To view more information about a specific alarm notice double click the notice or select the notice and click Detail The Alarm Details dialog box appears ...

Page 394: ...nformation displayed 4 Click OK to close the Alarm Detail dialog box 5 To clear an outstanding alarm select the alarm notice and click Clear To clear all outstanding alarms click Clear All The Alarm Manager removes the alarm notice from the Outstanding Alarms tab ...

Page 395: ...ow and watch the custom probes as they dynamically track the activities of the appliance and its network traffic Using the Real Time Monitor The Real time Monitor window provides a set of probes which you can customize and apply that gen erate real time reports on system usage The probes can then be viewed in a graphic display in the Real time Chart window which provides a visual cardio gram of th...

Page 396: ...licy Policy probes observe and report on the activities of selected policies For example you can set up a probe to monitor the number of packets governed by a specific policy System System probes provide snapshots of the operational status For example you can create separate probes that track both CPU and memory use total throughput for the entire system and amount of free space available for log ...

Page 397: ...be to monitor the number of packets received by a specific interface Defining probes To define a probe for any of the categories 1 Click Add The Select Probe window appears 2 From the Probe Category drop down list select a category After you select a probe category the window refreshes and displays fields relevant to the category you select 3 From the Polling Time Interval drop down list select th...

Page 398: ...reate an new probe 3 When the probe has been edited test it by clicking Show Monitor in the Real time Monitor window and then click Start Monitoring to activate the graphic display To disable an existing probe 1 Click the tab for the probe you want to disable 2 Select the Enabled checkbox The checkmark disappears Disabling a probe is temporary you can re enable a probe at any time To delete an exi...

Page 399: ...Monitoring After a brief pause which reflects the Interval times previously selected the activity measured by each probe is displayed The graph changes according to the per second interval you configured 4 When you are finished monitoring click Stop Monitoring 5 Click Close ...

Page 400: ...em memory utilization Interface 1 Public Status 1 up Interface 1 status 1 up 0 down Interface 0 Private Status 1 up Interface 0 status 1 up 0 down Interface 2 DMZ Status 1 up Interface 2 status 1 up 0 down System Throughput bytes sec Number of bytes processed per second Packets Recv sec Packets received rate packets second Packets Sent sec Packets sent rate packets second IPSec Throughput bytes se...

Page 401: ...ceived from Interface 1 packets sec Interface 1 Public Sent Throughput Packets sec Rate of packets sent from Interface 1 packets sec Interface 0 Private Received Bytes Number of bytes received from Interface 0 bytes Interface 0 Private Sent Bytes Number of bytes sent from Interface 0 bytes Interface 0 Private Recv Packets Number of packets received from Interface 0 packets Interface 0 Private Sent...

Page 402: ...ed from Interface 2 bytes sec Interface 2 DMZ Sent Throughput Bytes sec Rate of bytes sent from Interface 2 bytes sec Interface 2 DMZ Recv Throughput Packets sec Rate of packets received from Interface 2 packets sec Interface 2 DMZ Sent Throughput Packets sec Rate of packets sent from Interface 2 packets sec Log Disk Total KB Total disk space for log files in Kbytes Log Disk Used KB Total disk spa...

Page 403: ... Rate KB sec Traffic log file size increment rate Kbytes second Alarm Log Growth Rate KB sec Alarm log file size increment rate Kbytes second Phase One SA Log Size KB Phase one SA log file size in Kbytes Phase Two SA Log Size KB Phase two SA log file size in Kbytes Remote User Log Size KB Remote user log file size in Kbytes Incoming Stream Requests Number of incoming stream requests Interface 1 Pu...

Page 404: ...am Requests Denied Number of denied stream requests from Interface 0 Interface 2 DMZ Stream Requests Denied Number of denied stream requests from Interface 2 Incoming Stream Req Denied sec Rate of denied stream requests Interface 1 Public Stream Requests Denied sec Rate of denied stream requests from Interface 1 Interface 0 Private Stream Requests Denied sec Rate of denied stream requests from Int...

Page 405: ...rently Total Manual Key SA Number of SA using manual key in the system currently Total Auto Key SA Number of SA using auto IKE key in the system currently Total Expired SA Total number of expired SA since start of system HA1 Port Status 1 up HA1 interface status 1 up 0 down HA2 Port Status 1 up HA2 interface status 1 up 0 down Active User Sessions Number of remote users sessions Remote Users Logon...

Page 406: ...outbound SA Total Inbound Pkts sec Packet rate through inbound SA Total Outbound Pkts sec Packet rate through outbound SA Total Decryption Error Rate Total Decryption Error Packet Rate Total Authentication Error Rate Total Authentication Error Packet Rate Total Inbound SA Total number of inbound SA Counter Name Description of Counter s Function Inbound SA number of inbound SA of a VPN end point pa...

Page 407: ...n error packet rate of a VPN end point pair Replay Error Rate Replay error packet rate of a VPN end point pair Inbound Bytes Number of inbound bytes of a VPN end point pair Outbound Bytes Number of outbound bytes of a VPN end point pair Inbound Packets Number of inbound packets of a VPN end point pair Outbound Packets Number of outbound packets of a VPN end point pair Counter Name Description of C...

Page 408: ...ge of packets discarded by Authentication errors Packets Disc by Replay Error Percentage of packets discarded by Replay errors Counter Name Description of Counter s Function Counter Name Description of Counter s Function Traffic Bytes Number of bytes handled by a policy Traffic Packets Number of packets handled by a policy Throughput Bytes sec Throughput in bytes sec of a policy Throughput Pkts se...

Page 409: ...or Packets Number of error packets handled by a policy with replay error Decryption Error Rate Decryption error rate of a policy Authentication Error Rate Authentication error rate of a policy Replay Error Rate Replay error rate of a policy Counter Name Description of Counter s Function ...

Page 410: ...CHAPTER 14 Monitoring the Firebox Vclass 378 Vcontroller ...

Page 411: ...ents such as key negotiation activities denial of service attacks device failures and administrative activities Traffic log Records all the traffic going through the appliance and whether or not this data is passed or blocked according to the current set of policies Alarm log Records a history of all alarms that have been triggered by various events or occurrences RAS User log Records a history of...

Page 412: ...t the oldest entries are deleted To help you manage your log files to prevent losing any entries a predefined alarm LOG_FILE_FULL alerts you when a specific log file is getting too big At that time you can back up the log file for future reference WatchGuard recommends the use of remote logging using syslog as described in Activating the remote logging fea ture on page 385 Viewing the Logs Use Log...

Page 413: ...n the status message in the lower left corner click Next to download the next group of records 4 Click Prev to display earlier listings 5 To update the screen with the latest entries click Refresh 6 To increase or decrease the number of entries displayed click Number of Entries in the lower right corner of this window A counter pop up appears in the tab ...

Page 414: ...ng the appropriate tab right click a specific column header to open the Filter pop up window Right clicking different column headers displays different filter choices relevant to the header 2 Select a search option or type a text string in the Search field and then click Filter You can use shift select for more than one search option Vcontroller filters out only those records matching the search o...

Page 415: ...u want 3 To undo the filtering reopen the Filter pop up and click Disable Filter Vcontroller restores the previously visible log entries that were filtered out of view Log Settings You can use four separate log files to monitor and record almost any level of Firebox Vclass system activities To configure the logging settings 1 Click Settings The System Configuration dialog box appears displaying th...

Page 416: ...w to view information about other system activity For more information see Viewing the Logs on page 380 3 To enable the EvSelect the Enable Event Logging checkbox to enable the Traffic log 4 To change the amount of information recorded in the Event log click the Event Log Level options slider and move it to the logging level you want NOTE The system purges the oldest log files when they reach a ce...

Page 417: ...ase one and phase two SA and traffic logs to any designated remote server that supports the remote syslog mechanism To make this possible the remote logging features on the Firebox Vclass appliance must be linked to the log server as described in the follow ing instructions In addition the syslog daemon process on the server must be set to enable log traffic from other sys tems The user documentat...

Page 418: ... log category To use the default settings click Default 5 Click Done 6 When you have finished configuring click Reset or Apply Reset To return the settings to the previous configuration Apply To immediately commit the settings to the Firebox Vclass appliance 7 Click Close The System Configuration dialog box closes ...

Page 419: ... specific directory on your workstation Windows workstations c WatchGuard log UNIX workstations users home directory Log files are assigned a name in this format type _ date rsl For example a traffic log file that was archived at 10 30 am on May 19 2001 would be named traffic_20010519_1030 rsl To archive your log files 1 From the main Vcontroller window click Log Manager The Log Manager window app...

Page 420: ...Alarms Events Traffic RAS Users Phase One SA and Phase Two SA 4 Click Archive Now to archive a file to the default directory location C WatchGuard Log or click Browse to select a different directory When the archiving is complete a dialog box appears 5 Click OK NOTE You cannot set up the Firebox Vclass appliance to automatically archive logs ...

Page 421: ... status This dialog box contains a number of tabs that provide information on a variety of system compo nents General Information For general information on Firebox Vclass appliance status use the System Information window General tab 1 From the main Vcontroller window click System Information The System Information dialog box appears 2 Click the General tab ...

Page 422: ...son and location of the appliance 3 Click Close VPN Tunnel Information You can view tunnels and traffic statistics delete specific tunnels or delete all tunnels and purge the appliance of all residual tunnel records Remember that tunnels are not always closed when the connection is broken 1 From the main Vcontroller window click System Information The System Information dialog box appears 2 Click ...

Page 423: ...ays a list of currently active IPSec peers The total count of tunnels may include some that are not in active use but are still on record within the database By Policies Displays a list of all policies you have created and the number of VPN tunnels established by each policy ...

Page 424: ...s button is unavailable 6 Click Refresh to remove the Statistics information from the IPSec Peer List field 7 To delete a specific tunnel associated with an IPSec Peer or Policy and force the creation of a new tunnel select the entry from the tunnel list and click Delete 8 To update the tunnel list with the most recent information click Refresh 9 Click Close Viewing tunnel details To view a detail...

Page 425: ...ormation is displayed on the Traffic tab Total Packets Total number of packets processed since the last reboot of this appliance This includes packets that pass through this appliance and those that are discarded by firewall policies Total Bytes Data traffic in total bytes processed through this appliance since the last reboot IPSec Packets IPSec activity in total number of packets that have been ...

Page 426: ...lay with the most recent information 4 Click Reset Connections to disconnect all current connections This will flush the Firebox Vclass appliance of all residual data connections that may be hampering performance 5 Click Close Route Information To view the routing table information 1 Click the Routes tab 2 Click Refresh to update the display with the most recent information ...

Page 427: ...nd manage the current remote user connections using the System Information window 1 Click the RAS User tab This currently active RAS users are displayed 2 Click Disconnect to break the selected user connection including any established tunnels If an internal IP address was assigned to this user it will be returned to the system for future use 3 Click Refresh to update the Active RAS Users display ...

Page 428: ...being used by this user and detailed traf fic statistics 1 Select a user entry from the Active RAS Users list and then click Detail The RAS User Information dialog box appears The User Information and Statistics areas provide extensive information about this user and the current connection The Tunnel List catalogs the tunnels currently in use 2 Click Refresh to update the Statistics display with t...

Page 429: ...nel list and then click Details Most of the time a RAS User connection will have only a single tunnel The Detail Tunnel Information dialog box appears Click Refresh to update the Current SAs list with the most recent information When you are finished click Close to return to the System Information Tunnels tab When you are finished click Close to return to the RAS User Information window Interface ...

Page 430: ...ently inactive WAN If Primary is the current configuration the Switch To option is Backup If the Backup connection is active the Switch To option is Primary 5 When you are finished click Close DHCP Server Information If you have configured the Firebox Vclass appliance to act as a DHCP server you can use this tab to view the DHCP lease information This tab is not available in Transparent Mode 1 Fro...

Page 431: ...t The Blocked IP List in the System Information window allows you to temporarily block sites by IP address Sites that are automatically blocked by a proxy action are also added to this list This is a runtime list and the list is dis carded upon a system reboot To permanently block IP addresses use the Blocked Sites list in the System Configu ration window 1 From the main Vcontroller window click S...

Page 432: ...locked Site dialog appears 4 In the IP Address field type the IP address that you want to block 5 In the Expiration Time field type an expiration time for this site in minutes The maximum time you can block a runtime site for is 100 000 minutes or approximately 70 days 6 Click Apply to add the site to the list or Cancel to return to the window without adding a site ...

Page 433: ...ew expiration period for the IP address and then click Apply or click Cancel to return to the Runtime Blocked Site List To delete an entry from the Runtime Blocked Site list 1 Select the entry and click Delete A warning dialog appears 2 Click OK to delete the entry or Cancel to return to the Runtime Blocked IP List NOTE You can Shift click to select multiple contiguous sites from the list or Contr...

Page 434: ...ime Blocked IP List Click Refresh The List of Runtime Blocked IP addresses is refreshed New sites that have been blocked by Proxy Actions since the last refresh of the window now appear Sites that have expired since the last refresh of the window are no longer listed ...

Page 435: ...ertificates and software licenses are not archived You must reimport the original files into an appliance when necessary Three scenarios require that you restore your security appliance database The Firebox Vclass appliance crashes and corrupts the current set of configurations and policies A recently modified set of policies is compromised You create and apply a different configuration and then l...

Page 436: ...lar archive sets available Create a Backup File 1 From the main Vcontroller window click Back Up Restore The Backup Restore dialog box appears 2 Click the Backup tab 3 To use the default file name and directory click Backup Now 4 To use a different directory of your choosing click Browse The Select Backup File dialog box appears ...

Page 437: ...d file into a safe location Restoring an Archived Configuration You can restore the Vclass configuration from any previous configuration that you have backed up as long as it is backed up with the same Vclass software version for example 5 0 Be careful when restoring configurations to restore the correct configuration to the appropriate appli ance For example a backup configuration for a V80 model...

Page 438: ...and then click Select The backup file name appears in the File Name field 4 Click Restore Now A Warning dialog box appears 5 To restore the appliance click OK otherwise click Cancel After the restoration is complete another dialog box appears 6 Click OK to proceed Another dialog box appears reporting that the server is restarting This dialog box closes itself when restart is complete 7 Click the L...

Page 439: ... also required for some configuration changes such as changing an appliance from Router Mode to Transparent Mode 1 Click the Factory Default tab 2 Read the displayed text If you want to complete the process click Restore to Factory Default A confirmation dialog box appears asking if you want to erase all the current settings and policies 3 If you want to continue click OK The Firebox Vclass applia...

Page 440: ...where you cannot otherwise remedy the configu ration After this process completes All ethernet interfaces will revert back to their default addresses The superadmin username and password will revert back to admin The policy database and all other configuration data will be erased What you need A PC with a terminal emulator program for example Hyperterminal The RJ45 to RJ45 null modem serial cable ...

Page 441: ...ting reset the device and try again 5 You will see the following message Please Enter Serial Number Enter the system serial number This field is case sensitive Enter the system serial number again when prompted 6 The following message appears SUCCESS Database and password were reset to factory default Continue Booting 7 Wait five minutes turn off the device then start the system again The Vclass d...

Page 442: ...e your settings and later import it to restore your Vclass configu ration After this is done you may need to make a few adjustments to the file and import any needed CA certifi cates 1 Click the Export Import tab To export an XML file containing the complete configura tion settings and policies 1 Click Export A Save dialog box appears 2 Open the destination directory and name the export file 3 Cli...

Page 443: ...the usual configuration and setup process you can import a complete appliance profile as part of the device discovery process NOTE No international or high ASCII characters can be extracted and incorporated into the XML file Only ASCII characters or numbers are permitted in a Firebox Vclass appliance s XML profile 1 When the Devices Found dialog box appears select the entry of the appliance to con...

Page 444: ...the XML file after the appliance has been restarted 7 Click Update After the profile is imported the Results dialog box appears 8 Review the messages and then click Close 9 When the Devices Found dialog box reappears click Cancel to close it 10 You can now use the Login dialog box to log in to this appliance using the newly assigned IP address Editing an exported configuration file If the exported...

Page 445: ...y can make the appliance unreliable or inoperable If the policies include VPN or IPSec policies that rely on automatic IKE exchanges you must use the System Con figuration dialog box to initiate a new certificate request process When the certificate is delivered import the new certificate into Vcontroller Edit the IKE policies to incorpo rate the new certificate The IKE exchanges are now enabled I...

Page 446: ...7 Backing Up and Restoring Configurations 414 Vcontroller Preshared Key Default Mode Main PFS Yes IKE transform Authentication Preshared key Encryption algorithm DES Authentication algorithm MD5 Lifetime 8 hours ...

Page 447: ...le shooting features that can help you identify and resolve problems Using Connectivity to Test Network Connections If network connections appear to be broken you can use the Firebox Vclass appliance to test the hardware and cabling 1 From the main Vcontroller window click Diagnostics CLI The Diagnostics dialog box appears ...

Page 448: ...2 Click the Connectivity tab 3 In the IP Address Name field type the IP address or DNS host name 4 Click Ping The Ping History table displays the result This entry describes the time of the test the address you attempted to ping and the result either OK or Failed ...

Page 449: ...ponents NOTE To obtain WatchGuard Technical Support visit the WatchGuard Web site at the following URL http www watchguard com For more information on technical support see Service and Support on page 9 Using the Support Features The debugging support features are helpful in trouble shooting possible malfunctions but only in conjunction with technical support A technical support representative may...

Page 450: ...LI Feature 418 Vcontroller Configuring debugging support 1 From the main Vcontroller window click Diagnostics CLI The Diagnostics dialog box appears 2 Click the Support tab 3 Click Configuration The Debugging Support dialog box appears ...

Page 451: ...ocations 5 Click Apply 6 Click Save Debug Information The Select the File dialog box appears 7 Browse to the proper directory and then click Save A confirmation dialog box appears 8 Click OK Saving a Policy to a text file 1 From the main Vcontroller window click Diagnostics CLI The Diagnostics dialog box appears 2 Click the Support tab ...

Page 452: ...R 18 Using the Diagnostics CLI Feature 420 Vcontroller 3 Click Save Policy The Select the file dialog box appears 4 Browse to the proper directory and click Select A confirmation dialog box appears 5 Click OK ...

Page 453: ...Vclass device NOTE This is not an actual command line interface window After you have received the script from a network admin istrator or other personnel and stored it on your file sys tem you can follow these steps to execute it on your appliance 1 From the main Vcontroller window click Diagnostics CLI The Diagnostics dialog box appears 2 Click the CLI tab 3 Click Open The Open dialog box appear...

Page 454: ...ving diagnostic information is helpful in troubleshooting possible malfunctions but only in conjunction with techni cal support A technical support representative may ask you to save diagnostic information and then forward the file to WatchGuard for analysis 1 From the main Vcontroller window click Diagnostics CLI The Diagnostics dialog box appears 2 Click the Diagnostic Information tab ...

Page 455: ...ostic Information Firebox Vclass User Guide 423 3 Click Save The Save dialog box appears 4 Browse to the proper directory and select the appropriate file 5 Click Select A confirmation dialog box appears 6 Click OK ...

Page 456: ...CHAPTER 18 Using the Diagnostics CLI Feature 424 Vcontroller ...

Page 457: ...k traffic This chap ter guides you in connecting linking and running such a high availability HA system using two Fire box Vclass appliances in a primary and standby rela tionship NOTE High Availability is not available in Transparent Mode High Availability Modes There are two High Availability modes Active Standby and Active Active Active Active requires the purchase of a software upgrade license...

Page 458: ...Availability HA Ethernet ports Active Active uses transparent state failover which provides a seamless transition if one of the boxes fails and the other must take over System configura tion policies and firewall and VPN connections are shared between the two active appliances so if one fails the other is fully aware of the state of all connections and can con tinue carrying the load without dropp...

Page 459: ...eat to the standby appliance If the primary appli ance fails the heartbeat ceases When the standby appli ance detects three consecutive missed heartbeats it assumes full network functions and operations within a few seconds Prerequisites for a High Availability System To set up a High Availability Active Standby system you need the following Two Firebox Vclass appliances of the same model running ...

Page 460: ... the primary appliance to a hub or switch must be matched with a connection from the standby appliance to the same hub or switch Connect the HA interfaces with crossover cables Connect HA1 to HA1 and HA2 to HA2 Connect the Management Station to a hub that is connected to interface 0 private on both appliances The Management Station can also be connected to an HA2 port Configuring a Standby Applian...

Page 461: ...Configuring a Standby Appliance Firebox Vclass User Guide 429 3 Select the Enable High Availability checkbox 4 Select the Active Standby checkbox The following HA options are displayed ...

Page 462: ...ces will be monitored If any interface is detected as LINK DOWN the standby appliance will take over The HA heartbeat interval is set to one beat every second The HA Group ID which uniquely identifies this group pair of Firebox Vclass appliances currently backing each other up is recorded as 3 The HA heartbeat is sent through the HA1 interface ...

Page 463: ...rfaces are connected directly with a crossover cable NOTE For better performance leave the HA secret blank This shared secret is used to encrypt HA state sync information VPN tunnel information is always encrypted even if this encryption is disabled 7 From the far right of the Interface list select the Monitoring checkboxes to active monitoring on specific interfaces You may have to scroll the Int...

Page 464: ...emember to perform HA Sync every time you make any changes to configurations or to the policy database to assure total operational consistency between primary and standby appliances Customizing HA System Parameters You can customize a number of HA parameters using the Advanced HA Parameters dialog box At this level you can configure the following Send the HA heartbeat to the secondary appliance s ...

Page 465: ...gured the HA2 interface for management access in the Interface tab of the System Configuration dialog box reopen that dialog box and undo those entries Note that even if HA is enabled on the HA2 Port the HA1 ports must still be connected 3 If specific IP addresses have been assigned to the HA ports type the IP addresses and netmasks in each of the two HA Interface fields primary and standby Otherw...

Page 466: ...pairs on your network Each HA Active Standby pair should have a separate Group ID You need to change this number only if other devices are running the VRRP protocol using the same VRRP ID on the networks connected to this appliance VRRP allows both HA security appliances to share the same MAC and IP addresses 5 Click OK to save the parameter entries and close the Advanced HA Parameters dialog box ...

Page 467: ...alog box This status includes the HA role status DB timestamp and failure reason if one exists for both systems To view detailed system status open the System Configu ration dialog box and click the High Availability tab You can view the HA status of both the primary and standby appliances at the same time The following list describes the possible Status messages you might see Active The current a...

Page 468: ...t or both You should also make sure that all SNMP stations have been registered in the appliances as can be done in the System Configura tion dialog box s SNMP tab For more information on defining alarms see Using Alarm Manager on page 351 Takeover The peer appliance has failed and the current system takes over Admin Administration mode Unavailable When then current appliance cannot detect its pee...

Page 469: ...ating email notification for 358 changing definition of 359 clearing 362 defining 352 359 defining severity of 353 defining single condition 354 selecting conditions for setting SNMP trap for 355 358 Allow 248 appliances configuring standby 428 Authentication Header 306 automatic key mode 317 automatic key VPN policies authentication type 312 340 perfect forward secrecy 317 protecting against repl...

Page 470: ...8 419 421 422 Diagnostics CLI button 68 dialog boxes Active Features 140 Add Route 47 108 Address Group 165 Advanced HA 432 Advanced HA Parameters 432 Advanced Policy Settings 207 Alarm Definition 353 359 Alarm Details 361 Backup Restore 404 Certificate Request 118 Date Time and Time Zone 92 Debugging Support 418 Detail Tunnel Information 392 397 Devices Found 31 85 411 Diagnostics 415 418 419 421...

Page 471: ... RAS User dialog box 336 Edit Security Policy dialog box 177 editing a Proxy Action 243 email screening with SMTP proxy 239 email notification of alarm 358 Enable User Authentication option 194 Encapsulating Security Payload 306 encryption described 307 end user accounts delivering to users 152 described 149 150 setting up 152 ESP 306 Event log activating 384 described 379 Exact Match 247 examples...

Page 472: ...ptions for 429 configuring standby appliance 428 connecting appliances for 428 connecting appliances to network 428 customizing parameters 432 customizing parameters for 432 default settings 430 described 425 system quick check 435 HTTP Proxy 238 hub and spoke configuration 324 I ICMP flood attack 134 IKE policies creating 307 for remote users 339 IKE Policy button 65 IKE Policy dialog box 307 Imp...

Page 473: ... Manager window 380 387 Log Out button 68 logging configuring 116 enabling remote 385 setting options for 383 logging off 69 login conflicts 156 Login dialog box 75 logs changing number displayed 381 filtering entries 382 types of 379 viewing 380 M Management Station described 23 setting up 23 manual key mode 316 manual key VPN policies overview 314 maximum segment size 131 Maximum Segment Size MS...

Page 474: ...policy actions for firewall policies 193 for QoS policies 196 for Web server load balancing policy 203 Policy Checker 174 175 policy database backing up 404 Policy Manager using 164 policy See security policy port shaping applying 174 175 described 195 power 27 all models except V10 28 V10 28 PPPoE IP address assigned using 42 probes defining 365 described 363 real time monitor 368 377 types of 36...

Page 475: ... viewing activity of 348 Remote Users button 66 replay attacks protecting against 318 requirements system 3 Results dialog box 412 Review CSR dialog box 123 Round Robin 203 Router Mode 79 routes adding 107 112 115 configuring dynamic 109 described 107 routing options 107 Rule add 246 edit 246 Exact Match 247 matching options 247 Pattern Match 247 Regular Expression 247 Rule sets ordering Rules 249...

Page 476: ...on 65 System Information dialog box 389 390 System Location field 37 System Modes Router Mode 79 Transparent Mode 81 System Name field 37 System QoS dialog box 175 system requirements 3 system time setting 92 System Tunnel Switching dialog box 326 T TCP maximum segment size 131 TCP MSS 131 209 Technical Support assisted support 16 described 9 Firebox Installation Services 18 frequently asked quest...

Page 477: ...authentication 306 key management 306 transport mode 306 tunnel mode 306 VPN tunnels reviewing current 396 reviewing details about 392 viewing existing 392 VPNs and static NAT 199 described 300 fully meshed topology 323 hub and spoke topology 324 remote users See remote user VPN policies W WAN Interface Failover enabling 103 Enter Serve IPs 103 polling interval 104 polling timeout 104 WAN interfac...