Watchguard Firebox X1000, Reference Manual

Page 1: ...WatchGuard Firebox System Reference Guide WatchGuard Firebox System...

Page 2: ...emarks of Sun Microsystems Inc in the United States and other countries All right reserved 1995 1998 Eric Young eay cryptsoft All rights reserved 1998 2000 The OpenSSL Project All rights reserved Redi...

Page 3: ...ERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY...

Page 4: ...r written permission please contact apache apache org 5 Products derived from this software may not be called Apache nor may Apache appear in their name without prior written permission of the Apache...

Page 5: ...ptions 6 Transfer Protocols 7 UDP 7 TCP 8 ICMP 8 Other protocols 8 Standard Ports and Random Ports 9 CHAPTER 2 MIME Content Types 11 CHAPTER 3 Services and Ports 27 Ports Used by WatchGuard Products 2...

Page 6: ...Client 44 DNS 45 Filtered HTTP 45 Filtered SMTP 46 finger 46 Gopher 47 HTTPS 47 IMAP 47 LDAP 48 Lotus Notes 48 NNTP 49 NTP 50 Outgoing Services 50 pcAnywhere 50 ping 51 POP2 and POP3 51 PPTP 52 RADIU...

Page 7: ...5 HTTP 65 Proxied HTTP 66 RTSP 67 SMTP 67 CHAPTER 5 Common Log Messages 69 CHAPTER 6 Resources 81 Publishers 81 Books 82 Non Fiction 82 Fiction 83 White Papers Requests for Comments 83 Mailing Lists 8...

Page 8: ...nfiguration 105 CHAPTER 9 Glossary 107 CHAPTER 10 Field Definitions 153 System Manager 153 Connect to Firebox dialog box 153 Enter Read Write Passphrase dialog box 154 Polling dialog box 154 Syslog Co...

Page 9: ...dialog box 172 Blocked Ports dialog box 172 Blocked Sites dialog box 173 Blocked Sites Exceptions dialog box 174 Certificate Authority Configuration 174 Configure Gateways dialog box 175 Configure IPS...

Page 10: ...Setup dialog box 207 Manual Security dialog box 208 Mobile User Client Select New Passphrase dialog box 208 Mobile User VPN Wizard 209 Mobile User VPN dialog box 212 NAT Setup dialog box 212 Network C...

Page 11: ...33 Add Displayed Service dialog box 233 Remove Site dialog box 233 View Properties dialog box 233 Historical Reports 234 Add Report Filter dialog box 234 Historical Reports dialog box 236 Report Prope...

Page 12: ...xii WatchGuard Firebox System...

Page 13: ...ckage Most networks combine IP with higher level protocols like Transmission Control Protocol TCP Unlike simple IP TCP IP establishes a connection between two host servers so that they can send messag...

Page 14: ...It is used in reassembling fragments ID 16 bits Packet ID used for reassembling fragments Flags 3 bits Miscellaneous flags Frag_Off 13 bits Identifies fragment part for this packet TTL 8 bits Time to...

Page 15: ...MUX 18 Multiplexing DCN MEAS 19 DCN Measurement Subsystems HMP 20 Host Monitoring PRM 21 Packet Radio Measurement XNS IDP 22 XEROX NS IDP TRUNK 1 23 Trunk 1 TRUNK 2 24 Trunk 2 LEAF 1 25 Leaf 1 LEAF 2...

Page 16: ...ter Domain Routing Protocol RSVP 46 Reservation Protocol GRE 47 General Routing Encapsulation MHRP 48 Mobile Host Routing Protocol BNA 49 BNA ESP 50 Encapsulated Security Payload AH 51 Authentication...

Page 17: ...OTOCOL Temporary WB MON 78 WIDEBAND Monitoring WB EXPAK 79 WIDEBAND EXPAK ISO IP 80 ISO Internet Protocol VMTP 81 VMTP SECURE VMTP 82 SECURE VMTP VINES 83 VINES TTP 84 TTP NSFNET IGP 85 NSFNET IGP DGP...

Page 18: ...ion is rarely supported Source Routing Both the loose source route option and the strict source route option enable the source of an Internet packet to provide routing information Source routing optio...

Page 19: ...overhead To ensure accurate transmission it requires that the application layer verify that packets arrive at their destination Characteristics of UDP include Often used for services involving the tra...

Page 20: ...lar fashion TCP uses a rather complicated state machine to manage connections There are several attribute bits that control the state of a connection Three very important attribute bits of TCP packets...

Page 21: ...unique connection on the Internet For example it is reasonable to have two telnet sessions from one host to another However since telnet uses a well known service number of 23 something must distingu...

Page 22: ...CHAPTER 1 Internet Protocol Reference 10 WatchGuard Firebox System...

Page 23: ...se Policy Manager to configure the Proxied HTTP service to allow or deny content types Content types are also used in SMTP and are configurable in the SMTP proxy This chapter contains a list of the mo...

Page 24: ...enriched RFC1896 tab separated values Paul Lindner html RFC2854 sgml RFC1874 vnd latex z Lubos vnd fmi flexstor Hurtta uri list RFC2483 vnd abc Allen rfc822 headers RFC1892 vnd in3d 3dml Powers prs l...

Page 25: ...lel RFC2045 RFC2046 appledouble MacMime Patrick Faltstrom header set Dave Crocker form data RFC2388 related RFC2387 report RFC1892 voice message RFC2421 RFC2423 signed RFC1847 encrypted RFC1847 bytera...

Page 26: ...Campbell dca rft IBM Doc Content Arch Larry Campbell activemessage Ehud Shapiro rtf Paul Lindner applefile MacMime Patrick Faltstrom mac binhex40 MacMime Patrik Faltstrom news message id RFC1036 Henr...

Page 27: ...vnd ms works Gill vnd ms tnef Gill vnd svd Becker vnd music niff Butler vnd ms artgalry Slawson vnd truedoc Chase vnd koan Cole vnd street stream Levitt vnd fdf Zilles set payment initiation Korver s...

Page 28: ...rectory Solomon prs nprend Doggett vnd webturbo Rehem hyperstudio Domino vnd shana informed formtemplat e Selzler vnd shana informed formdata Selzler vnd shana informed package Selzler vnd shana infor...

Page 29: ...attenberger vnd lotus freelance Wattenberger vnd fujitsu oasys Togashi vnd fujitsu oasys2 Togashi vnd swiftview ics Widener vnd dna Searcy prs cww Rungchavalnont vnd wt stf Wohler vnd dxr Duffy vnd mi...

Page 30: ...nd ecowin series Olsson vnd ecowin filerequest Olsson vnd ecowin fileupdate Olsson vnd ecowin seriesrequest Olsson vnd ecowin seriesupdate Olsson EDIFACT RFC1767 EDI X12 RFC1767 EDI Consent RFC1767 vn...

Page 31: ...uplanet alert wbxml Martin vnd uplanet cacheop wbxml Martin vnd uplanet list wbxml Martin vnd uplanet listcmd wbxml Martin vnd uplanet channel wbxml Martin vnd uplanet bearer choice wbxml Martin vnd e...

Page 32: ...ng vnd accpac simply imp Leow vnd accpac simply aso Leow vnd vcx T Sugimoto ipp RFC2910 ocsp request RFC2560 ocsp response RFC2560 vnd previewsystems box Smolgovsky vnd mediastation cdkey Flurry vnd p...

Page 33: ...moto vnd vectorworks Pharr vnd grafeq Tupper vnd bmi Gotoh vnd ericsson quickcall Tidwell vnd hzn 3d crossword Minnis vnd wap slc WAP Forum vnd wap sic WAP Forum vnd groove injector Joseph vnd fujixer...

Page 34: ...xul xml McDaniel parityfec RFC3009 vnd palm Peacock vnd fsc weblaunch D Smith vnd tve trigger Welsh dvcs RFC3029 sieve RFC3028 vnd vividence scriptfile Risher vnd hhe lesson player Jones beep xml RFC...

Page 35: ...302 cgm Francis naplps Ferber vnd dwg Moline vnd svf Moline vnd dxf Moline png Randers Pehrson vnd fpx Spencer vnd net fpx Spencer vnd xiff SMartin prs btif Simon vnd fastbidsheet Becker vnd wap wbmp...

Page 36: ...lin L16 RFC2586 vnd everad plj Cicelsky telephone event RFC2833 tone RFC2833 prs sid Walleij vnd nuera ecelp4800 Fox vnd nuera ecelp7470 Fox mpeg RFC3003 parityfec RFC3009 MP4A LATM RFC3016 vnd nuera...

Page 37: ...pi model RFC2077 iges Parks vrml RFC2077 model mesh RFC2077 vnd dwf Pratt vnd gtw Ozaki vnd flatland 3dml Powers vnd vtu Rabinovitch vnd mts Rabinovitch vnd gdl Babits vnd gs gdl Babits vnd parasolid...

Page 38: ...CHAPTER 2 MIME Content Types 26 WatchGuard Firebox System...

Page 39: ...Services and Ports Well known services are a combination of port number and transport protocol for specific standard applications This chapter contains several tables that list service names port num...

Page 40: ...Guard Security Event Processor use several ports during normal functioning Port Protocol Purpose 4100 TCP Authentication applet 4101 TCP WSEP and Management Station 4105 TCP WatchGuard service 4106 TC...

Page 41: ...tion 139 TCP Event Viewer 139 TCP File Sharing 137 138 139 UDP TCP Logon Sequence 138 UDP NetLogon 137 138 139 UDP TCP Pass Through Validation 139 TCP Performance Monitor 1723 47 TCP IP PPTP 137 138 1...

Page 42: ...el Assigned Numbers RFC1700 available at these Web sites http www cis ohio state edu htbin rfc rfc1700 html http www iana org assignments port numbers If you would like to recommend additions to this...

Page 43: ...ata 20 TCP UDP File Transfer Default Data ftp 21 TCP UDP File Transfer Control ssh 22 TCP UDP SSH Remote Login Protocol telnet 23 TCP UDP Telnet smtp 25 TCP UDP Simple Mail Transfer nsw fe 27 TCP UDP...

Page 44: ...Services whois 63 TCP UDP whois covia 64 TCP UDP Communications Integrator CI tacacs ds 65 TCP UDP TACACS Database Service sql net 66 TCP UDP Oracle SQL NET bootps 67 TCP UDP Bootstrap Protocol Server...

Page 45: ...7 TCP UDP Swift Remote Virtual File Protocol tacnews 98 TCP UDP TAC News metagram 99 TCP UDP Metagram Relay newacct 100 TCP unauthorized use hostname 101 TCP UDP NIC Host Name Server iso tsap 102 TCP...

Page 46: ...erface Net Map unitary 126 TCP UDP Unisys Unitary Login locus con 127 TCP UDP Locus PC Interface Conn Server gss xlicen 128 TCP UDP GSS X License Verification pwdgen 129 TCP UDP Password Generator Pro...

Page 47: ...ex mux 173 TCP UDP Xyplex MUX xdmcp 177 TCP UDP X Display Manager Control Protocol NextStep 178 TCP UDP NextStep Window Server bgp 179 TCP UDP Border Gateway Protocol unify 181 TCP UDP Unify irc 194 T...

Page 48: ...wing who s who cmd 514 TCP Like exec but automatic syslog 514 UDP logging facilities printer 515 TCP UDP Spooler talk 517 TCP UDP Talk protocol ntalk 518 TCP UDP another Talk utime 519 TCP UDP Unixtim...

Page 49: ...ll NetWare Comm Service Platform novell lu6 2 1416 TCP UDP Novell LU6 2 netopia 1419 8000 UDP TCP Netopia Virtual Office ms sql s 1433 TCP UDP Microsoft SQL Server ms sql m 1434 TCP UDP Microsoft SQL...

Page 50: ...e x11 6000 TCP UDP X Window System through 6063 font service 7100 TCP UDP X Font Service nas 8000 TCP UDP NCD Network Audio Server iphone 6670 TCP for connecting to the phone server iphone 22555 UDP f...

Page 51: ...broad categories packet filters and proxies Packet Filter Services Packet filter services examine the source and destination headers of each packet Packets are then either allowed or denied passage ba...

Page 52: ...ristics Protocol Any Client Port Ignore Port Number None AOL The America Online proprietary protocol allows access to the AOL service through a TCP IP network instead of the usual dial up connection T...

Page 53: ...servers that return incorrect information Incoming auth service responds with fake information to hide internal user information When using SMTP with incoming static NAT you must add auth to the Servi...

Page 54: ...ed with WinFrame Characteristics Protocol TCP Server Port s 1494 1604 Client Port s client For more information on adding the Citrix ICA service refer to the Advanced FAQs in the Knowledge Base Go to...

Page 55: ...er IP for doing voice calls between Clarent gateways across the Internet This service supports the Clarent v3 0 product and later The Clarent products use two sets of ports one for gateway to gateway...

Page 56: ...ion of ports to enable use of CU SeeMe versions 2 X and 3 X CU SeeMe Version 2 X runs on UDP port 7648 Version 3 X in addition to UDP port 7648 runs on UDP port 24032 for H 323 conferences and TCP por...

Page 57: ...ulti service rule Filtered HTTP combines configuration options for incoming HTTP on port 80 with a rule allowing all outgoing TCP connections by default Using Filtered HTTP will not result in applying...

Page 58: ...cs Protocol TCP Server Port s 25 Client Port s client finger finger is a protocol used to list information about users on a given host Although this information is often useful it can also reveal too...

Page 59: ...ol The client and the web server set up an encrypted session over TCP port 443 Because this session is encrypted on both ends the proxy cannot examine packet contents therefore this icon enables a pac...

Page 60: ...sed to access stand alone directory servers or X 500 directories Characteristics Protocol TCP Server Port s 389 Client Port s client Lotus Notes Lotus Notes is an integrated client server platform for...

Page 61: ...ets were actually sent from the correct location Configure WatchGuard to add the source IP address to the Blocked Sites List whenever an incoming NNTP connection is denied All of the usual logging opt...

Page 62: ...oxied HTTP Filtered HTTP Outgoing or Proxy icons are present in the Services Arena This icon will not enable outgoing FTP which will function only with an FTP service pcAnywhere pcAnywhere is an appli...

Page 63: ...ng into a network however outgoing ping is useful for troubleshooting Characteristics Protocol ICMP Server Port s Not Applicable Client Port s Not Applicable POP2 and POP3 POP2 and POP3 Post Office Pr...

Page 64: ...onfigure the PPTP service to allow incoming access from Internet hosts to an internal network PPTP server PPTP cannot access hosts static NAT because incoming NAT cannot forward IP protocols Because t...

Page 65: ...able RIP only if your Internet service provider requires that you run a routing daemon Incorrect or deceptive routing information can wreak havoc with local networks could cause service denial problem...

Page 66: ...d interface need to talk to a Windows NT server on the optional network Although not required WINS servers should be installed on both trusted and optional networks configure the clients on the option...

Page 67: ...er than 1023 Because SNMP could cause quite unpredictable changes in a network if enabled carefully consider alternatives and log everything SNMP Trap Simple Network Management Protocol SNMP traps are...

Page 68: ...to 10000 The Sybase SQL Server service is set to server port 10000 Verify that your Sybase SQL Server is configured for port 10000 If it is not either reconfigure the SQL Server to port 10000 or crea...

Page 69: ...tp cs hut fi see ftp ftp cs hut fi pub ssh and information on versions for Windows can be found at DataFellows http www datafellows com Characteristics Protocol TCP Server Port s 22 Client Port s less...

Page 70: ...user authentication is a server that uses existing user accounts to authenticate users into a dial up modem pool eliminating the need to maintain duplicate accounts on a UNIX system TACACS does not su...

Page 71: ...Allow Outgoing but Deny Incoming connections the default WatchGuard stance For a different stance for example to allow selected Incoming or to restrict Outgoing add the telnet services and configure...

Page 72: ...romise network security It allows traffic inside the firewall without authentication In addition the Timbuktu server may be subject to denial of service attacks WatchGuard recommends using VPN options...

Page 73: ...able Client Port s generally greater than 32768 WAIS Wide Area Information Services WAIS is a protocol used to search for documents over the Internet originally developed at Thinking Machines Incorpor...

Page 74: ...ou would like to use strong encryption 128 bit TripleDES or IPSec please contact WatchGuard Technical Support WatchGuard Logging The WatchGuard Logging service is necessary only if a second Firebox ne...

Page 75: ...HTTP SMTP and FTP The proxied service opens packets of its particular type strips out any embedded forbidden data types and reassembles the packets with the proxy s own origin and destination headers...

Page 76: ...sfer Protocol one of the most common ways to move files over the Internet Characteristics Protocol TCP Server Port s 20 command channel 21 data channel Client Port s greater than 1023 RFC 414 Common S...

Page 77: ...te to the internal host directly Use the ping utility if necessary to ensure that the connection is valid Dynamic NAT must be turned off for the incoming H323 connection to work properly There are no...

Page 78: ...network Icons in the Services Arena An HTTP icon with Incoming From Any to the HTTP server Scenario 2 Description Public HTTP server on the trusted network Icons in the Services Arena Even with dynam...

Page 79: ...r Port 554 Client Port any RFC 2326 NOTE In addition to these TCP ports there are some UDP ports that both the client and the server use The ports are determined dynamically but the mostly commonly us...

Page 80: ...cs Protocol TCP Server Port s 25 Client Port s greater than 1023 RFC 821 Common Scenarios Scenario 1 Description There is an SMTP server on the optional interface Icons in the Services Arena A SMTP se...

Page 81: ...hat the ARP table was changed or updated to reflect the MAC address of a particular IP address This occurs most frequently in the case of High Availability where the active Firebox has failed over and...

Page 82: ...ged by the two computers involved in the connection Old stale TCP connections are reset with an RST packet RST packets have a sequence number that must be valid according to certain TCP rules For exam...

Page 83: ...in eth0 68 54 24 29 www xxx yyy zzz www xxx yyy zzz unknown ip options IP options are obsolete IP parameters now used primarily for OS fingerprinting and other types of IP stack based probes Most rout...

Page 84: ...med out Indicates that the proxy was unable to connect to a FTP server The Proxy Connect Timeout defines the amount of time in seconds that the proxies will wait before giving up trying to forward a c...

Page 85: ...iform Resource Locators URL and Names URN As far as HTTP is concerned Uniform Resource Identifiers are simply formatted strings which identify via name location or any other characteristic a resource...

Page 86: ...established the standard proxy timeout values apply You may try raising this value by adding or editing the following property in the configuration file default proxies http timeout 600 http proxy x...

Page 87: ...ocess that finished whatever it was doing is now exiting normally The xx indicates the Process ID number ipseccfg Error cfg entry networking ipsec remote_gw 195 sharedkey must contain a shared key Ind...

Page 88: ...ss This usually occurs for Mobile User VPN IP addresses kernel eth2 Setting full duplex based on MII 31 link partner capability of 45e1 Indicates that the Firebox determined it can set the Ethernet in...

Page 89: ...ated RBCAST only rebroadcasts directed broadcasts originating on a primary interface IP address In other words secondary networks will not be the source of an RBCAST In addition it will not rebroadcas...

Page 90: ...roxy server WebBlocker interprets this as an attempt to bypass its protections and denies the attempt smtp proxy x x x x 35105 x x x x 25 Bad command XXXXXX The client attempted a non standard SMTP co...

Page 91: ...start iked 3 times within 5 seconds of each other something s wrong Iked is the Firebox process responsible for negotiating IPSec tunnels This message usually occurs when IPSec mobile users are in the...

Page 92: ...CHAPTER 5 Common Log Messages 80 WatchGuard Firebox System...

Page 93: ...pport teams to learn more about network security in general and the WatchGuard product line in particular These include Publishers Books White Papers and Requests for Comments Mailing Lists Web Sites...

Page 94: ...em Administrators Reading MA Addison Wesley Longman Inc 1992 Denning Dorothy E Information Warfare and Security Addison Wesley 1999 ISBN 0201433036 Farley Stearns and Mark Farley Hsu Tom Stearns and J...

Page 95: ...Richard TCP IP Illustrated Reading MA Addison Wesley Longman Inc 1994 ISBN 0201633469 Note This is a 3 volume set Stoll Cliff Cuckoo s Egg Pocket Books 1995 ISBN 0671726889 Vacca John Intranet Securit...

Page 96: ...Attrition http www attrition org Bugtraq http www securityfocus com Center for Education and Research in Information Assurance and Security http www cerias purdue edu Complete Intranet Firewalls Resou...

Page 97: ...stcorp com javasecurity National Institute of Standards and Technology Computer Security Resource Center http www 08 nist gov Note Yes the dash after www is correct Microsoft Security http www microso...

Page 98: ...ity firewalls Use your newsreader or electronic messaging application to subscribe to the comp security firewalls Usenet newsgroup Deja com Deja com provides a Web based alternative to news reader ser...

Page 99: ...This map describes which control characters cannot be successfully received over the serial line Pppd will ask the peer to send these characters as a 2 byte escape sequence The argument is a 32 bit h...

Page 100: ...peer to send packets of no more than n bytes The minimum MRU value is 128 The default MRU value is 1 500 A value of 296 is recommended for slow links 40 bytes for TCP IP header 256 bytes of data mtu...

Page 101: ...peer compress packets that it sends using the Deflate scheme with a maximum window size of 2 nr bytes and agree to compress packets sent to the peer with a maximum window size of 2 nt bytes If nt is n...

Page 102: ...te n Sets the maximum number of IPCP terminate request transmissions to n default 3 ipcp restart n Sets the IPCP restart interval retransmission timeout to n seconds default 3 lcp echo failure n When...

Page 103: ...n seconds that is n seconds after the first network control protocol comes up modem Use the modem control lines This option is the default With this option pppd will wait for the CD Carrier Detect si...

Page 104: ...o determine if possible the local IP address from the hostname With this option the peer will have to supply the local IP address during IPCP negotiation unless it was specified explicitly on the comm...

Page 105: ...he modem Explanation of fields 1 Specifies that the Firebox should expect nothing back from the modem at this point in the chat 2 Specifies that three plus characters should be sent with short pauses...

Page 106: ...e The initial timeout value is 45 seconds Once changed the timeout setting remains in effect until it is changed again EOT The special reply string of EOT indicates that the chat program should send a...

Page 107: ...ters h e l l o not valid in expect d Delay for 1 second not valid in expect K Insert a BREAK not valid in expect n Send a newline or linefeed character N Send a null character The same sequence can be...

Page 108: ...ckslash character ddd Collapse the octal digits ddd into a single ASCII character and send that character Some characters are not valid in Ctrl C for these characters substitute the sequence with the...

Page 109: ...ou do not know or have forgotten them Fireboxes shipped before Firebox System LiveSecurity System 4 1 shipped with the original standard functionality called the read only system area Fireboxes shippe...

Page 110: ...l cable Hands Free Installation via a local area network IP connection using remote provisioning Initializing an older Firebox with the Firebox System 4 1 or later automatically upgrades the Firebox a...

Page 111: ...is not flickering the Firebox is running release prior to System 4 1 and you must use either the serial or modem initialization methods 4 Use the QuickSetup Wizard to configure and initialize the Fire...

Page 112: ...Operation Complete dialog box appears 6 Click OK Working with a Firebox booted from the read only system area After you successfully boot the Firebox from the read only system area you can copy a new...

Page 113: ...file saved successfully to the Firebox use Policy Manager to open it For instructions see the User Guide chapter on Firebox Basics Opening a Configuration File from the Firebox Troubleshooting The COM...

Page 114: ...ith the Firebox to connect the Firebox Console port and external serial port in a loopback configuration Connect the Firebox Console port and external serial Turn the power on the Firebox off then on...

Page 115: ...ffic Volume Indicator for each successful IP address the Firebox claims The Firebox can claim up to eight addresses The Processor Load Indicator marks the total number of different MAC addresses the F...

Page 116: ...peration and the enhanced read only system area Sys A Continued The remainder of the Firebox software image PermFiles Area The Flash Disk Management Tool performs three different tasks for manipulatin...

Page 117: ...ly overwrite the primary configuration file The primary configuration file is incorrectly configured or is otherwise unusable NOTE This procedure is possible only when a backup configuration file is o...

Page 118: ...CHAPTER 8 Firebox Read Only System Area 106 WatchGuard Firebox System...

Page 119: ...tion is made In active mode the FTP server establishes the data connection In passive mode the client establishes the connection In general FTP user agents use active mode and Web user agents use pass...

Page 120: ...led programs hackers use to access machines AH authentication header A protocol used in IPSec available for use with IPSec Branch Office VPN AH provides authentication for as much of the IP header as...

Page 121: ...is one way meaning that a key used to encrypt information cannot be used to decrypt the same data attack An attempt to hack into a system Because not all security issues represent true attacks most se...

Page 122: ...rmerly known as the Mazameter bastion host A computer placed outside a firewall to provide public services such as WWW and FTP to other Internet sites The term is sometimes generalized to refer to any...

Page 123: ...ected by the WatchGuard Firebox System or between a WatchGuard Firebox and an IPSec compliant device It allows a user to connect two or more locations over the Internet while protecting the resources...

Page 124: ...ly Memory A disk on which data is stored certificate An electronic document attached to a public key by a trusted third party which provides proof that the public key belongs to a legitimate owner and...

Page 125: ...ing either characters or bits by way of substitution transposition or both Class A Class B Class C See Internet address class clear signed message A message that is digitally signed but not encrypted...

Page 126: ...nput and returns a shorter fixed sized output connected enterprise A company or organization with a computer network exchanging data with the Internet or some other public network Control Center See S...

Page 127: ...cks or network security Can also be used as a synonym for hacker CRL See certificate revocation list cross certification Two or more organizations or certificate authorities that share some level of t...

Page 128: ...gram A packet of data that stands alone Generally used in reference to UDP and ICMP packets when talking about IP protocols data transmission speed The number of bits that are transmitted per second o...

Page 129: ...s blocks of 64 bits The encryption is controlled by a key of 56 bits See also Triple DES descending A method of ordering a group of items from highest to lowest such as from Z to A device Networking e...

Page 130: ...One common use for this network is as a public Web server DNS Domain Name System A network system of servers that converts numeric IP addresses into readable hierarchical Internet addresses DoS See de...

Page 131: ...dynamic NAT Also known as IP masquerading or port address translation A method of hiding network addresses from hosts on the external network Hosts elsewhere on the Internet see only outgoing packets...

Page 132: ...atically when an Ethernet adapter is added to the computer This address identifies the node as a unique communication item and enables direct communications to and from that particular computer event...

Page 133: ...or view specific information about an individual task or resource file extension A period and up to three characters at the end of a file name The extension can help identify the kind of information a...

Page 134: ...a computer network against unwanted use and abuse by way of net connections firewalling The creation or running of a firewall flash disk An 8 megabyte on board flash ROM disk that acts like a hard di...

Page 135: ...se units before adding a new position for the next number Hexadecimal uses the numbers 0 9 and the letters A F hierarchical trust A graded series of entities that distribute trust in an organized fash...

Page 136: ...ured to inform the Firebox of this additional host behind the additional router HostWatch A WatchGuard Firebox System application that provides a real time display of the hosts that are connected from...

Page 137: ...ed statement that binds a key to the name of an individual and therefore delegates authority from that individual to the public key IDS See Intrusion Detection System IETF See Internet Engineering Tas...

Page 138: ...8 it is a Class A address A network with a Class A address can have up to about 16 million hosts Class B If the first octet of an IP address is from 128 to 191 it is a Class B address A network with a...

Page 139: ...t limits IP packets to about 1 500 bytes but the maximum IP packet size is 65 536 bytes To send packets larger than 1 500 bytes over an Ethernet IP fragments must be used IP masquerading See dynamic N...

Page 140: ...ganization or an educational institution may be the ISP for some organizations ITU T International Telecommunication Union Telecommunication Formerly the CCITT Consultative Committee for International...

Page 141: ...raphic key to authorized recipients in a secure manner key pair A public key and its complementary private key keyring A set of keys Each user has two types of keyrings a private keyring and a public...

Page 142: ...dresses assigned to this interface The Class A address group 127 0 0 0 has been reserved for these interfaces mail server Refers to both the application and the physical machine tasked with routing in...

Page 143: ...utside world in lieu of the IP addresses of the hosts protected by the firewall Mazameter See Bandwidth Meter MD2 Message Digest 2 A 128 bit one way hash function that is dependent on a random permuta...

Page 144: ...ddress For a class A network the network address is the first byte of the IP address For a class B network the network address is the first two bytes of the IP address For a class C network the networ...

Page 145: ...corresponding netmask NFS Network File System A popular TCP IP service for providing shared file systems over a network NIST See National Institute for Standards and Technology node A computer or CPU...

Page 146: ...rvers provided for public access OSI Open Systems Interconnection A standard description or reference model for how messages should be transmitted between any two points in a telecommunication network...

Page 147: ...tion Protocol PAP An authentication protocol that allows PPP peers to authenticate one another It does not prevent unauthorized access but identifies the remote end PCI peripheral component interconne...

Page 148: ...tion for protecting the data Phase 2 negotiates data management security association which uses the data management policy to set up IPSec tunnels in the kernel for encapsulating and decapsulating dat...

Page 149: ...Firebox System an option in which the Firebox redirects IP packets to a specific masqueraded host behind the firewall based on the original destination port number Also called static NAT port space pr...

Page 150: ...thers when creating a combination of security policies Privacy Enhanced Mail PEM A protocol to provide secure Internet mail RFC 1421 1424 including services for encryption authentication message integ...

Page 151: ...intended for another machine By faking its identity the router accepts responsibility for routing packets to the real destination proxy server A server that stands in place of another server In firew...

Page 152: ...of two pieces authentication server code and client protocols random number A necessary element in generating unique keys that are unpredictable to an adversary True random numbers are typically deri...

Page 153: ...hosts through which information travels to reach its destination host routed configuration or network A configuration with separate network addresses assigned to at least two of the three Firebox inte...

Page 154: ...ncluding hard disks floppy disks CD ROM printers and scanners secondary network A network on the same physical wire as a Firebox interface that has an address belonging to an entirely different networ...

Page 155: ...self extracting file A compressed file that automatically decompresses when double clicked server A computer that provides shared resources to network users server based network A network in which al...

Page 156: ...S it produces a 160 bit hash similar to MD4 shared secret A passphrase or password that is the same on the host and the client computer It is used for authentication SHTTP See HTTPS sign To apply a si...

Page 157: ...b browsers and FTP clients It provides a simple firewall because it checks incoming and outgoing packets and hides the IP addresses of client applications SOHO Small Office Home Office Also the name o...

Page 158: ...by hubs or repeaters For example one could take a class C network with 256 available addresses and create two additional netmasks under it that separate the first 128 and last 128 addresses into separ...

Page 159: ...Internet uses TCP TCP IP Transmission Control Protocol Internet Protocol A common networking protocol with the ability to connect different elements TCP session hijacking An intrusion in which an ind...

Page 160: ...controls tooltip A name or phrase that appears when the mouse pointer pauses over a button or icon topology A wiring configuration used for a network Transport Layer Security TLS Based on the Secure S...

Page 161: ...he TCP IP packets carried by the Internet twisted pair cable A cable used for both network and telephone communications Also known as UTP unshielded twisted pair and 10BASE T 100BASE T cable UDP User...

Page 162: ...f the WatchGuard Firebox System offering separate from the software and the Firebox which keeps network defenses current It includes the broadcast network that transmits alerts editorials threat respo...

Page 163: ...a Web browser World Wide Web Consortium W3C An international industry consortium founded in 1994 to develop common protocols for the evolution of the World Wide Web worm A program that seeks access i...

Page 164: ...CHAPTER 9 Glossary 152 WatchGuard Firebox System...

Page 165: ...stem Manager use the status read only passphrase When opening the Firebox using VPN Manager or for configuration changes using Policy Manager enter the configuration read write passphrase There can be...

Page 166: ...e Firebox although they make the display more accurate You can type or use the arrows to input the seconds Arrows Use the arrows to select your preferred value Max Log Entries Enter the maximum of log...

Page 167: ...tion key is the publicly available component of a key pair Confirm Reenter the encryption key to verify OK Closes this dialog box and saves any changes Flash Disk Management Tool dialog box Restore Ba...

Page 168: ...g file Enter the name of the new log file The extension is automatically wgl Merge all files text box Enter the name of the new log file The extension is automatically wgl Files to copy Type or use th...

Page 169: ...ain window In a separate filter window Select to show results in a separate filter window This is an interim window that pops up in which you can perform search functions By marking them in the main w...

Page 170: ...es when Log Viewer is launched GMT Time Click to have time zone set to Greenwich Standard Time Local Time Click to have time zone set to your local time To set the local time use Policy Manager Setup...

Page 171: ...o access the results control Less Click to hide the results control Match all Select to match all values in the search Match any Select to match any value in the search Delete Click to delete the sear...

Page 172: ...IP address range OK Closes this dialog box and saves any changes Add Address dialog box Members Lists existing groups configured aliases networks and users Add Select an alias network group or address...

Page 173: ...Use the drop list or enter the IP address to specify the destination of outgoing packets Click to enter the IP address The Add Memeber dialog box opens OK Closes this dialog box and saves any changes...

Page 174: ...ialog box Add Firebox Group Enter the group name to add to Firebox users list You use groups to define users accounts to such factors as authentication method or system used OK Closes this dialog box...

Page 175: ...s this dialog box and saves any changes Add Port dialog box Protocol Use the drop list to select the protocol used for the service TCP TCP based services UDP UDP based services HTTP Services examined...

Page 176: ...address that is on the same network as the Firebox OK Closes this dialog box and saves any changes Add Service dialog box Name Enter the name of the new service Comments Enter comments or a descripti...

Page 177: ...oses this dialog box and saves any changes Advanced DVCP Policy Configuration dialog box Allow access to Select or enter the host or network and port protocol client port you want to allow access via...

Page 178: ...ollowing in the drop list Disabled The mobile user cannot use a Virtual Adapter to connect to the Secure VPN Client Preferred It is preferred but not required for the mobile user to use a Virtual Adap...

Page 179: ...1 NAT Check to enable 1 to 1 NAT This type of NAT redirects packets sent to one range of addresses to a different range of addresses 1 to 1 NAT Setup list Lists the IP addresses to be redirected Add S...

Page 180: ...as from the list and click to edit it The Host Alias dialog box opens Remove Click to remove the selected alias from the list OK Closes this dialog box and saves any changes Authentication Servers dia...

Page 181: ...time Two Firebox user groups used for remote user virtual private networking are automatically added to the basic configuration file ipsec_users and ruvpn_users Add Click to open the Add Firebox Group...

Page 182: ...by the Firebox Port primary Enter the port number configured on the primary RADIUS server to receive authentication requests Secret Enter the value of the secret between the Firebox and the RADIUS se...

Page 183: ...tivity time before an authenticated session times out Secret Enter the CRYPTOCard server shared secret This secret must be identical on both the CRYPTOCard server and the Firebox SecurID Server tab IP...

Page 184: ...o the list The DVCP Client Wizard launches Edit Click to edit the selected client from the list The DVCP Client Wizard launches Remove Click to remove the selected client from the list OK Closes this...

Page 185: ...the Firebox to log all attempts to use blocked ports or to notify a network administrator when someone attempts to access a blocked port Blocked Sites dialog box Blocked Sites A list of currently blo...

Page 186: ...ion type and enter the host or network IP address Remove Select the exception and click to remove it from the list above Certificate Authority Configuration IP Address Enter the IP address of your Cer...

Page 187: ...way from the list Click Edit to access the Remote Gateways dialog box and modify gateway settings Remove Click to remove the selected gateway from the configured gateway list OK Closes this dialog box...

Page 188: ...e selected tunnel Remove Click to delete the selected tunnel OK Configure Tunnel dialog box Identity tab Name Enter the name of a tunnel This name is used to identify the tunnel in monitoring and admi...

Page 189: ...the Management Station waits for a response from the Firebox for returning a message indicating that the device is unreachable Use the arrows to select your preferred value Arrows Use the arrows to s...

Page 190: ...another computer on the Internet Block SYN Flood Attacks Enable this checkbox to block SYN Flood attacks SYN Flood attacks are a type of Denial of Service DoS attack that seek to prevent your public...

Page 191: ...Some operating systems do not handle error messages correctly and may inadvertently terminate other connections when they receive them Log incoming packets sent to broadcast addresses Enable this che...

Page 192: ...he starting and ending IP addresses Add Click to access the DHCP Subnet Properties dialog box and add a new address range Edit Select an address range in the list and click to open the DHCP Subnet Pro...

Page 193: ...Enable debug log messages for the DVCP Client Enable this checkbox to enable detailed log messages from the Firebox client to facilitate with troubleshooting and debugging the IPSec tunnel between the...

Page 194: ...tion enter the address of the primary network to which the client has access behind the Firebox Telecommuter IP Address Select only for WatchGuard SOHO Telecommuter devices Enter the virtual IP addres...

Page 195: ...access Add Click to add a network Remove Click to remove a network Telecommuter IP Address Select to specific an IP address as a Telecommuter Enter the IP address in the box Private Network Select for...

Page 196: ...this certificate External Interface IP Address Enable this checkbox to use the External Interface IP address for the CRL distribution poin Custom IP Address Enable this checkbox to use a custom IP ad...

Page 197: ...t your preferred value UDP Finish Timeout Enter the UDP finish timeout in seconds For more informationa on UDP see chapter 1 of the Reference Guide Arrows Use the arrows to select your preferred value...

Page 198: ...op list Block IPSec will not allow traffic that matches the rule in associated tunnel policies You cannot bypass a policy that has a network at the other end point Bypass IPSec will not allow traffic...

Page 199: ...se which is used for establishing read only connections to your Firebox Read only access allows you to view logs and status of the Firebox but not change configurations Confirm Re enter the Status pas...

Page 200: ...on via a Firebox NT Server Enable this checkbox to allow authentication via Windows NT Server Radius Server Enable this checkbox to allow authentication via a Radius server CRYPTOCard Server Enable th...

Page 201: ...Check to make a backup copy of the current flash image before saving to the Firebox Specify where to save the backup copy in the Backup Image section below Encryption Key Enter the encryption key for...

Page 202: ...vent users from using the SITE command which would if not denied allow them to execute arbitrary programs on the FTP server This is set to Deny by default since allowing its use can be very dangerous...

Page 203: ...d this optional product IP Address External interface Enter the External interface IP address for the standby Firebox Default Heartbeat External interface Enable this checkbbox if you want to use the...

Page 204: ...add a new member to the Alias Members list Remove Click to remove the selected item from the list above OK Closes this dialog box and saves any changes HTTP Proxy dialog box Settings tab Remove client...

Page 205: ...this checkbox to remove unknown headers including any current or future unofficial header additions Log accounting auditing information Enable this checkbox to log accounting auditing information Req...

Page 206: ...ceptable security risks For a list of content types see Chapter 2 in the Reference Guide Allowed Content Types list With the Allow only safe content types checkbox enabled only those content types lis...

Page 207: ...ebBlocker Controls tab in the HTTP Proxy dialog box click Add 2 In the dialog box that appears type the IP address of the server in the Value field Click OK You can use the UP and Down buttons to chan...

Page 208: ...e during operational and non operational hours Alcohol Tobacco Pictures or text advocating the sale consumption or production of alcoholic beverages and tobacco products Illegal Gambling Pictures or t...

Page 209: ...ndividual where loyalty is demanded and leaving is punishable Intolerance Pictures or text advocating prejudice or discrimination against any race color national origin religion disability or handicap...

Page 210: ...and lascivious behavior Topic includes masturbation copulation pedophilia as well as intimacy involving nude or partially nude people in heterosexual bisexual lesbian or homosexual encounters It also...

Page 211: ...Add Click to add an entry to the list above Remove Click to remove a selection from the list above Define Exceptions dialog box Select type of exception You can choose from the following three excepti...

Page 212: ...Key Enter the encryption key Key Click to create an encryption key Authentication Select the authentication from the drop list Authenciation Key Enter an authentication key Key Click to create an enc...

Page 213: ...ws Use the arrows to select your preferred value Maximum Size The maximum size of a single email message This restriction can help prevent the mail spool from filling up Arrows Use the arrows to selec...

Page 214: ...Starting Enable this checkbox to allow remote message queue starting Allow AUTH Enable this checkbox to allow authentication AUTH list A list of AUTH types Add Type an AUTH type in the text box to the...

Page 215: ...he content type to the message Use the variable f to add the file name pattern to the message Address Patterns tab Category Use the drop list to select a pattern type allowed or denied and direction i...

Page 216: ...uting Policies A list of current IPSec virtual private networking routing policies The list displays Local Address The IP address of the local Firebox Remote Address The IP address of the remote IPSec...

Page 217: ...nnections are routed along the higher security tunnels Add Click this button to open the Add Routing Policy dialog box and add a new IPSec routing policy Edit Select a policy from the list above and c...

Page 218: ...ements This option often generates a high volume of log entries slowing passage of VPN traffic It is generally only used by WatchGuard Technical Support to assist with debugging an IPSec VPN tunnel pr...

Page 219: ...stom program Browse Click to browse for the program path Launch Interval Enter the number of minutes between events Arrows Use the arrows to select your preferred value Repeat Count Enter the number o...

Page 220: ...og logging is not encrypted The Firebox sends the syslogs to the defined syslog server This can be the same machine as the WatchGuard Security Event Processor Syslog Server Enter the interface to set...

Page 221: ...User VPN group Enter Shared Key Enter a shared key for this user s mobile VPN account Define Access screen Allow user access to Enter the network resource you want to allow for this mobile user Virtua...

Page 222: ...mobile users External Authentication Groups screen Group Name Enter the group name for the Externally Authenticated Group Passphrase Enter the passphrase that will be used to encrypt the MUVPN Client...

Page 223: ...to connect to the Secure VPN Client Network Resources screen Network Resources list Lists the network resources allow for this mobile user Add Click to add network resources for the mobile user Remove...

Page 224: ...to select your preferred value Mobile User VPN dialog box Type Choose type from the drop list Value Enter the value of the type OK Closes this dialog box and saves any changes NAT Setup dialog box En...

Page 225: ...g box and saves any changes Cancel Closes this dialog box without saving any changes Help Click to access the online Help system Advanced Click to access the Advanced NAT Settings dialog box You use t...

Page 226: ...nd enter the PPP User Name and Password Re enter the password for verification This creates a dynamic PPPoE configuration If you want a static PPPoE configuration enable the Use the following IP addre...

Page 227: ...want to use proxy ARP Related Hosts A list of related hosts that use proxy ARP Add Enter the host IP address select the interface and click Add to add a related host to the Related Host list Remove S...

Page 228: ...the LCP Echo timeout in mileseconds LCP Echo Failure Enter the LCP Echo failure rate in number of tries Service Name Enter the Service name of the PPPoe server Access Concentrator Name Enter the Acces...

Page 229: ...name of the domain name server DNS The server values entered in this dialog box are used by the DHCP server RUVPN and other features of the firewall Domain Name Enter the DNS domain name The server v...

Page 230: ...flow control for the PCMCIA expansion configuration Local Host IP Enter the IP address for the local host Firebox IP Enter the IP address for the Firebox PPP Initialization Enter the PPP initializati...

Page 231: ...ernet Mail Extensions a specification about how to pass audio video and graphic content via email or HTML Description Enter a description of the new MIME type OK Closes this dialog box and saves any c...

Page 232: ...e Add button Add Click to add a new header pattern enter in the text box Remove Click to remove the selected item from the list above Idle Enter the interval in seconds before timing out Masquerading...

Page 233: ...d in the Domain Name field above Masquerade MIME boundary strings When this feature is enabled the firewall converts MIME boundary strings in messages and attachments to a string that does not reveal...

Page 234: ...n type Dynamic is the most frequently used type Remote ID Type Enter the Remote ID type of the remote gateway Shared Key Enable this checkbox and enter the shared key The shared key field is only avai...

Page 235: ...a single Diffie Hellman exchange and that this key is not used to derive additional keys Enable Aggressive Mode Enable this checkbox to enable Aggressive Mode Mode refers to an exchange of messages i...

Page 236: ...to add to the list and click Add Remove Select a key from the list and click to remove it PPTP tab Activate Remote User Enable this checkbox to allow an active remote user Enable Drop from 128 bit to...

Page 237: ...OK to open the Configure Tunnel dialog box OK Closes this dialog box and opens the Configure Tunnel dialog box Select MIME Type dialog box Select MIME Type Select a MIME type from the list MIME types...

Page 238: ...o the Services list Service Properties dialog box Incoming tab Incoming Connections Are Incoming connections are those that originate from beyond the firewall and whose destination is somewhere behind...

Page 239: ...ve the selected item from the list above Logging Click to access the Logging and Notification dialog box Auto block sites that attempt to connect via Check to automatically block sites that attempt to...

Page 240: ...operties tab Name Specifies the name of the service Properties Lists the service s properties Comments Lists any comments for the service s properties Set Policy Ordering dialog box Set Policy Orderin...

Page 241: ...er Name Enter the new user s name to create a new account Passphrase Enter the pass phrase for the new user s account Setup Routes dialog box Routes A list of all current routes A route is a sequence...

Page 242: ...ndling Enter the tag information in the text box Deny Select to deny the spam mail handling Advanced Spam Mail Filtering Enable this checkbox to use advanced spam mail filtering RBL list List the RBLs...

Page 243: ...d Find Click to find the information to specified WatchGuard VPN dialog box WatchGuard VPN tab Remote Fireboxes A list of remote Fireboxes configured for VPN tunnels using the WatchGuard VPN protocol...

Page 244: ...e a Key Click to hash the key Key Displays the hashed encryption key Options tab Activate WatchGuard VPN Enable this checkbox to enable WatchGuard VPN protocol Without this checkbox enabled any config...

Page 245: ...mber used by this service Note that you can assign only a single port number Line Color Select a unique line color to identify this service Remove Site dialog box Remove Site This action requires chan...

Page 246: ...mum Amplitude Control the amplitude of the ServiceWatch display Use smaller numbers for lighter volumes of traffic and larger numbers for higher volumes of traffic Add Click Add to configure a new ser...

Page 247: ...name of a new host IP to be added to the hosts list Add Click to add an item to the list on the left Remove Click to remove the selected item from the list to the left Port Filter tab Ports Restrict r...

Page 248: ...he list above Run Enable the checkboxes next to the reports you would like to generate Click Run to generate the selected reports Filters Click to open the Filters dialog box Filters restrict report o...

Page 249: ...se frames WebTrends Export Select to generate report in format acceptable for WebTrends for Firewalls and VPNs Additional information on the format can be found at http www webtrends com developers de...

Page 250: ...ributed enterprise You must identify Fireboxes by their IP address and SOHO devices by their unique name The unique SOHO name is configured using DVCP Client Wizard Add Click to add a new Firebox IP o...

Page 251: ...tion types Authentication Resolution on IP addresses Select to run authentication resolution on IP addresses DNS Resolution on IP addresses Select to run DNS resolution on IP addresses Consolidated Se...

Page 252: ...Detail Sections The number of records that appear on each HTML page The default is 1 000 HostWatch Filter Properties dialog box Inside Hosts tab Display all hosts Enable this checkbox to display all h...

Page 253: ...rs New User Enter a new user to add to the list Add Click to add a new user to the list Remove Select an item in the list and click to delete it Displayed authentication users A list of all authentica...

Page 254: ...lor tab Denied Displays the line color used for denied entires in the log Dynamic NAT Displays the line color used for dynamic entires in the log Proxy Displays the line color used for proxy entires i...

Page 255: ...nterval Enable this checkbox to specific the log rollover time interval When this interval is reached the WSEP saves the log file with a time stamp It continues to write new log records to the base Fi...

Page 256: ...es By Number of Entries Specify the maximum number of log entries in thousands When this number is exceeded the WSEP saves the log file with a time stamp It continues to write new log records to the b...

Page 257: ...ows networking must be installed and configured Email notification is performed via SMTP NOTE The email address entered in this field is not verified Validate the address before entering it into the e...

Page 258: ...n Key Enter the key used to encrypt communication between the Firebox and the WSEP The key must be identical on both the Firebox and the WSEP Use a key that you can easily remember but would be diffic...

Page 259: ...ites dialog box 173 Blocked Sites Exceptions dialog box 174 booting from system area 100 C checksum 76 Citrix ICA 42 Clarent command service 43 Clarent gateway service 42 COM Port Setup dialog box 100...

Page 260: ...uthentication Setup 208 Mobile User Client Select New Passphrase 208 NAT Setup 212 Network Configuration 214 New MIME Type 219 New Service 219 Operation Complete 100 Outgoing SMTP Proxy 220 Polling 15...

Page 261: ...et 76 H H323 service 65 hands free installation 98 High Availability dialog box 191 Historical Reports dialog box 236 Historical Reports dialog boxes 234 Host Alias dialog box 192 HostWatch dialog box...

Page 262: ...87 P pcAnywhere service 50 Pid 71 ping service 51 Policy Manager dialog boxes 160 Polling dialog box 154 POP2 service 51 POP3 service 51 ports random 9 standard 9 used by Microsoft products 29 used by...

Page 263: ...t 59 TFTP 59 Timbuktu 60 Time 60 traceroute 60 types 39 WAIS 61 WatchGuard Logging 62 well known 27 30 39 whois 63 Services dialog box 225 Set Log Encryption Key dialog box 246 Set Policy Ordering dia...

Page 264: ...DP 7 Uniform Resource Identifiers 73 URIs 73 User Datagram Protocol 7 V View Properties dialog box 233 VPNs and Any service 39 W WAIS service 61 WatchGuard encrypted connections 62 WatchGuard Find dia...