Watchguard Firebox X10E, User Manual

Page 1: ...WatchGuard Firebox System User Guide WatchGuard Firebox System ...

Page 2: ...ed States and or other courtries Hi fn Inc 1993 including one or more U S Patents 4701745 5016009 5126739 and 5146221 and other patents pending Microsoft Internet Explorer Windows 95 Windows 98 Windows NT and Windows 2000 are either registered trademarks or trademarks of Microsoft Corporation in the United States and or other countries Netscape and Netscape Navigator are registered trademarks of N...

Page 3: ...ND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR...

Page 4: ...knowledgement This product includes software written by Tim Hudson tjh cryptsoft com THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY ...

Page 5: ... ARE DISCLAIMED IN NO EVENT SHALL RALF S ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE O...

Page 6: ...on behalf of the Apache Software Foundation For more information on the Apache Software Foundation please see http www apache org Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications University of Illinois Urbana Champaign PCRE LICENCE PCRE is a library of functions to support regular expressions whose syntax and ...

Page 7: ...tchGuard Firebox Software End User License Agreement IMPORTANT READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE This Firebox Software End User License Agreement AGREEMENT is a legal agreement between you either an individual or a single entity and WatchGuard Technologies Inc WATCHGUARD for the WATCHGUARD Firebox software product which includes computer software components whether installed sepa...

Page 8: ...duct at any single location and may install and use the SOFTWARE PRODUCT on multiple workstation computers B To use the SOFTWARE PRODUCT on more than one WATCHGUARD hardware product at once you must purchase an additional copy of the SOFTWARE PRODUCT for each additional WATCHGUARD hardware product on which you want to use it To the extent that you install copies of the SOFTWARE PRODUCT on addition...

Page 9: ...panies it If the SOFTWARE PRODUCT fails to operate in accordance with this warranty you may as your sole and exclusive remedy return all of the SOFTWARE PRODUCT and the documentation to the authorized dealer from whom you obtained it along with a dated proof of purchase specifying the problems and they will provide you with a new version of the SOFTWARE PRODUCT or a full refund at their election D...

Page 10: ...LITY OF SUCH DAMAGES THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY 5 United States Government Restricted Rights The SOFTWARE PRODUCT is provided with Restricted Rights Use duplication or disclosure by the U S Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision c 1 ii of the Rights in Technical Data and Computer Softwa...

Page 11: ... THESE TERMS IF THE SOFTWARE PRODUCT IS BEING USED BY AN ENTITY THE INDIVIDUAL INDICATING AGREEMENT TO THESE TERMS REPRESENTS AND WARRANTS THAT A SUCH INDIVIDUAL IS DULY AUTHORIZED TO ACCEPT THIS AGREEMENT ON BEHALF OF THE ENTITY AND TO BIND THE ENTITY TO THE TERMS OF THIS AGREEMENT B THE ENTITY HAS THE FULL POWER CORPORATE OR OTHERWISE TO ENTER INTO THIS AGREEMENT AND PERFORM ITS OBLIGATIONS UNDE...

Page 12: ...xii WatchGuard Firebox System ...

Page 13: ...box System Manager 2 WatchGuard security applications 3 WatchGuard LiveSecurity Service 3 Minimum Requirements 3 Software requirements 3 Web browser requirements 4 Hardware requirements 4 WatchGuard Options 5 VPN Manager 5 High Availability 6 Mobile User VPN 6 SpamScreen 6 BOVPN Upgrade 7 Obtaining WatchGuard Options 7 About this Guide 7 ...

Page 14: ...duct Documentation 18 Assisted Support 18 LiveSecurity Program 18 LiveSecurity Gold Program 19 Firebox Installation Services 20 VPN Installation Services 20 Training and Certification 20 CHAPTER 3 Getting Started 23 Gathering Network Information 24 Selecting a Firewall Configuration Mode 28 Routed configuration 29 Drop in configuration 30 Choosing a Firebox configuration 32 Adding secondary networ...

Page 15: ...tation s local drive 53 Resetting Firebox Passphrases 53 Setting the Firebox Model 54 Setting the Time Zone 55 Setting a Firebox Friendly Name 55 CHAPTER 5 Using Policy Manager to Configure Your Network 57 Starting a New Configuration File 58 Setting the Firebox Configuration Mode 58 Setting IP Addresses of Firebox Interfaces 58 Setting addresses in drop in mode 59 Setting addresses in routed mode...

Page 16: ...toring Firebox Traffic 80 Setting the maximum number of log entries 81 Displaying entries in color 81 Copying messages to another application 82 Copying or analyzing deny messages 82 Performing Basic Tasks with System Manager 82 Running the QuickSetup Wizard 83 Flushing the ARP cache 83 Connecting to a Firebox 84 Changing the polling rate 84 Getting Help on the Web 84 Launching Firebox Application...

Page 17: ...ming Static NAT 108 Adding external IP addresses 108 Setting static NAT for a service 108 Using 1 to 1 NAT 110 Proxies and NAT 112 CHAPTER 8 Configuring Filtered Services 113 Selecting Services for your Security Policy Objectives 114 Incoming service guidelines 114 Outgoing service guidelines 115 Adding and Configuring Services 116 Configurable parameters for services 117 Adding a service 117 Crea...

Page 18: ...the DNS Proxy Service 156 Enabling protocol anomaly detection for DNS 157 DNS file descriptor limit 158 CHAPTER 10 Creating Aliases and Implementing Authentication 161 Using Aliases 162 Adding an alias 163 How User Authentication Works 165 Authentication Server Types 166 Defining Firebox Users and Groups for Authentication 167 Configuring Windows NT Server Authentication 170 Configuring RADIUS Ser...

Page 19: ...y block sites 193 Viewing the Blocked Sites list 193 Integrating Intrusion Detection 193 Using the fbidsmate command line utility 195 CHAPTER 12 Setting Up Logging and Notification 199 Developing Logging and Notification Policies 200 Logging policy 200 Notification policy 201 Failover Logging 202 WatchGuard Logging Architecture 203 Designating Log Hosts for a Firebox 203 Adding a log host 204 Enab...

Page 20: ... and notification for blocked sites and ports 219 CHAPTER 13 Reviewing and Working with Log Files 221 Log File Names and Locations 222 Viewing Files with LogViewer 222 Starting LogViewer and opening a log file 222 Setting LogViewer preferences 223 Searching for specific entries 223 Copying and exporting LogViewer data 224 Displaying and Hiding Fields 225 Working with Log Files 228 Consolidating lo...

Page 21: ...t filter 245 Scheduling and Running Reports 245 Scheduling a report 245 Manually running a report 246 Report Sections and Consolidated Sections 246 Report sections 246 Consolidated sections 250 CHAPTER 15 Controlling Web Site Access 253 Getting Started with WebBlocker 253 Installing the WebBlocker server 254 Downloading the database using WebBlocker Utility 254 Configuring the WatchGuard service i...

Page 22: ... Station 266 Preparing a Windows NT management station for OOB 266 Preparing a Windows 2000 management station for OOB 266 Preparing a Windows XP management station for OOB 268 Configuring the Firebox for OOB 269 Establishing an OOB Connection 269 APPENDIX A Troubleshooting Firebox Connectivity 271 Method 1 Ethernet Dongle Method 272 Method 2 The Flash Disk Management Utility 274 Method 3 Using th...

Page 23: ... complete network security solution to meet these modern security challenges Keeping network defenses current Protecting every office connected to the Internet Encrypting communications to remote offices and traveling users Managing the security system from a single site The WatchGuard Firebox System is a reliable flexible scalable and inexpensive network security solution Its setup and maintenanc...

Page 24: ...all efficient and reli able The Firebox is a low profile component with an indi cator display panel in front and physical interfaces in back Firebox System Manager Firebox System Manager is a toolkit of applications run from a single location enabling you to configure manage and monitor your network security policy In addition to management and monitoring tools System Manager includes Policy Manag...

Page 25: ...ate networking Branch office virtual private networking Selective Web site blocking WatchGuard LiveSecurity Service The innovative LiveSecurity Service makes it easy to main tain the security of an organization s network Watch Guard s team of security experts publish alerts and software updates which are broadcast to your email client Minimum Requirements This section describes the minimum hardwar...

Page 26: ...ft Windows XP Web browser requirements You must have Microsoft Internet Explorer 4 0 or later to run the installation from the CD The following HTML based browsers are recommended to view WatchGuard Online Help Netscape Communicator 4 7 or later Microsoft Internet Explorer 5 01 or later Hardware requirements Minimum hardware requirements are the same as those for the operating system on which the ...

Page 27: ...e step process VPN Man ager sets a new standard for Internet security by automating the setup management and monitoring of multi site IPSec VPN tunnels between an organization s Hardware feature Minimum requirement CPU Pentium II Memory Same as for operating system Recommended 128 MB for Windows NT 4 0 128 MB for Windows 2000 Professional 256 MB for Windows 2000 Server 128 MB for Windows XP Hard d...

Page 28: ... but it is available for use only if you enable the High Availability checkbox when installing WFS and enter your license key Mobile User VPN Mobile User VPN is the WatchGuard IPSec implementa tion of remote user virtual private networking Mobile User VPN connects an employee on the road or working from home to trusted and optional networks behind a Fire box using a standard Internet connection wi...

Page 29: ...g WatchGuard Options WatchGuard options are available from your local reseller For more information about purchasing WatchGuard prod ucts go to http www watchguard com sales About this Guide The purpose of this guide is to help users of the Watch Guard Firebox System set up and configure a basic net work security system and maintain administer and enhance the configuration of their network securit...

Page 30: ...separated by arrows are selected in sequence from subsequent menus For example File Open Configuration File means to select Open from the File menu and then Configuration File from the Open menu URLs and email addresses appear in sans serif font for example wg users watchguard com Code messages and file names appear in monospace font for example wgl and idx files In command syntax variables appear...

Page 31: ...veSecurity Service keeps your security system up to date by providing solutions directly to you In addition the WatchGuard Technical Support team and Training department offer a wide variety of meth ods to answer your questions and assist you with improving the security of your network Benefits of LiveSecurity Service As the frequency of new attacks and security adviso ries continues to surge the ...

Page 32: ...ubscription saves you time by providing the latest software to keep your WatchGuard Firebox System up to date You receive instal lation wizards and release notes with each software update for easy installation These ongoing updates ensure that your WatchGuard Firebox System remains state of the art without you having to take time to track new releases Access to technical support and training When ...

Page 33: ...cted Software Update You receive functional software enhancements on an ongoing basis that cover your entire WatchGuard Firebox System Editorial Leading security experts join the WatchGuard Rapid Response Team in contributing useful editorials to provide a source of continuing education on this rapidly changing subject Foundations Articles specifically written for novice security administrators no...

Page 34: ...art Guide and in the Getting Started chapter of this book To activate the LiveSecurity Service through the Web 1 Be sure that you have the LiveSecurity license key and the Firebox serial number handy You will need these during the activation process The Firebox serial number is displayed in two locations a small silver sticker on the outside of the shipping box and a sticker on the back of the Fir...

Page 35: ...Help Tools Online support services help you get the most out of your WatchGuard products NOTE You must register for LiveSecurity Service before you can access the online support services Advanced FAQs frequently asked questions Detailed information about configuration options and interoperability Basic FAQs General questions about the WatchGuard Firebox System Known Issues Confirmed issues and fix...

Page 36: ...cess to the resources you need and updated information to help you install and use the SOHO 6 To access the online support services 1 From your Web browser go to http www watchguard com and select Support 2 Log in to LiveSecurity Service WatchGuard Users Forum The WatchGuard users forum is an online group in which the users of the WatchGuard Firebox System exchange ideas questions and tips regardi...

Page 37: ...uard Users Group The WatchGuard users group is an online group in which the users of WatchGuard products can communicate infor mation Because this group is not monitored by Watch Guard it should not be used for reporting support issues to WatchGuard Technical Support Instead contact Watch Guard Technical Support directly via the Web interface or telephone For information on how to subscribe unsub ...

Page 38: ... window or dialog box press F1 On any platform browse to the directory containing WatchGuard Online Help Open LSSHelp html The default help directory is C Program Files WatchGuard Help Searching for topics You can search for topics in WatchGuard Online Help three ways Contents The Contents tab displays a list of topics within the Help system Double click a book to expand a category Click a page ti...

Page 39: ...tly as they appear in the original installation Online Help system requirements Web browser Internet Explorer 4 0 or higher Netscape Navigator 4 7 or higher Operating system Windows NT 4 0 Windows 2000 or Windows XP Sun Solaris Linux Context sensitive Help In addition to the regular online Help system context sen sitive or What s This Help is also available What s This Help provides a definition a...

Page 40: ...http help watchguard com documentation default asp Assisted Support WatchGuard offers a variety of technical support services for your WatchGuard products Several support programs described throughout this section are available through WatchGuard Technical Support For a summary of the cur rent technical support services offered by WatchGuard Technical Support please refer to the WatchGuard Web sit...

Page 41: ...sistance for specific issues concerning the installation and ongoing maintenance of Firebox SOHO and ServerLock enterprise systems Single Incident Priority Response Upgrade SIPRU and Single Incident After hours Upgrade SIAU are available For more information please refer to the WatchGuard Web site at http support watchguard com lssupport asp LiveSecurity Gold Program This premium program is design...

Page 42: ... security policy install the LiveSecurity software and Firebox hardware and build a configuration in accordance with your com pany security policy VPN setup is not included as part of this service VPN Installation Services WatchGuard Remote VPN Installation Services are designed to provide you with comprehensive assistance for basic VPN installation You can schedule a dedicated two hour time slot ...

Page 43: ...ich products you own we have a training solution for you WatchGuard classroom training is available worldwide through an extensive network of WatchGuard Certified Training Partners WCTPs WCTPs strengthen our rela tionships with our partners and customers by providing top notch instructor led training in a local setting WatchGuard offers product and sales certification focus ing on acknowledging th...

Page 44: ...Chapter 2 Service and Support 22 WatchGuard Firebox System ...

Page 45: ...on process Gathering network information Selecting a firewall configuration model Setting up the management station Cabling the Firebox Running the QuickSetup Wizard Deploying the Firebox into your network For a quick summary of this information see the WatchGuard Firebox QuickStart Guide included with your Firebox NOTE This chapter is intended for new WatchGuard Firebox System installations only ...

Page 46: ...ervice license key Gathering Network Information We encourage you to fill in the following tables in prepara tion for completing the rest of the installation process License Keys Collect your license key certificates Your WatchGuard Firebox System comes with a LiveSecurity Service key that activates your one year subscription to the LiveSecurity Service For more information on this service see Cha...

Page 47: ...s One good way to set up your network is to create two worksheets the first worksheet represents your network now before deploying the Firebox and the second rep resents your network after the Firebox is deployed Fill in the IP addresses in the worksheets below ...

Page 48: ...llowing figure In this example the Inter net router performs network address translation NAT for the internal network The router has a public IP address of 208 15 15 1 and the private network has an address of 192 168 10 0 24 This network also has three public servers with the addresses 208 15 15 10 208 15 15 15 and 208 15 15 17 ...

Page 49: ...rop in configuration simplifies the setup of these devices For more information on this type of configuration see Drop in configuration on page 30 By configuring the optional interface on the example net work the public servers can be connected directly to the Firebox because they are on the same subnet as the Fire box In the example the secondary network represents the local LAN Because the trust...

Page 50: ...g a Firewall Configuration Mode Before installing the WatchGuard Firebox System you must decide how to incorporate the Firebox into your net work This decision determines how you will set up the three Firebox interfaces external trusted and optional External interface Connects to the external network typically the Internet that presents the security threat ...

Page 51: ...guration mode that most closely reflects your existing network You must select one of two possible modes routed or drop in configuration Routed configuration In a routed configuration the Firebox is put in place with separate logical networks and separate network addresses on its interfaces Routed configuration is used primarily when the number of public IP addresses is limited or when you have dy...

Page 52: ... and all machines behind the trusted and optional interfaces must be configured with an IP address from that network The benefit of a routed configuration is that the networks are well defined and easier to manage especially regarding VPNs Drop in configuration In a drop in configuration the Firebox is put in place with the same network address on all Firebox interfaces All three Firebox interface...

Page 53: ...a drop in configuration A single network that is not subdivided into smaller networks or subnetted The Firebox performs proxy ARP a technique in which one host answers Address Resolution Protocol requests for machines behind that Firebox that cannot hear the broadcasts The trusted interface ARP address replaces the router s ARP address The Firebox can be placed in a network without changing defaul...

Page 54: ...ner ally harder to manage and is more prone to network prob lems Choosing a Firebox configuration The decision between routed and drop in mode is based on your current network Many networks are best served by routed mode However drop in mode is recommended if you have a large number of public IP addresses you have a static external IP address or you are not willing or able to reconfigure machines ...

Page 55: ...Minimum configured are external and trusted All interfaces of the Firebox are on the same network and have the same IP address Proxy ARP Criterion 2 Trusted and optional interfaces must be on separate networks and must use IP addresses drawn from those networks Both interfaces must be configured with an IP address on the same network respectively Machines on the trusted or optional interfaces can ...

Page 56: ...condary network also tells the Firebox that another network resides on the Firebox interface wire You add secondary networks in the following two ways The QuickSetup Wizard which is part of the installation process asks you to select the checkbox if you have an additional private network behind the Firebox when you are entering the IP addresses for the Firebox interfaces The additional private net...

Page 57: ...S and DNS Server Addresses on page 65 You can also change the WINS and DNS values provided by your ISP if necessary Point to Point Protocol over Ethernet PPPoE is also sup ported As with DHCP the Firebox initiates a PPPoE proto col connection to your ISP s PPPoE server which automatically configures your IP address gateway and netmask However PPPoE does not propagate DNS and WINS server informatio...

Page 58: ...vent Processor WSEP receives and stores log messages and issues notifications based on information it receives from the management station You can designate any computer on your network as the management station On the computer you have chosen install the management software as follows 1 Insert the WatchGuard Firebox System CD ROM If the installation wizard does not appear automatically double cli...

Page 59: ... components or upgrades see the WatchGuard Web site 6 At the end of the installation wizard a checkbox appears asking if you want to launch the QuickSetup Wizard You must first cable the Firebox before launching the QuickSetup Wizard Another checkbox asks if you want to download a new WebBlocker database You can download the database either now or later For more information on the WebBlocker datab...

Page 60: ...Firebox to the management station using a serial cable or over a network using TCP IP The recommended way is using a serial cable Using a serial cable Refer to the Firebox Rear Panel and Cabling for Provision ing images on the next page when cabling the Firebox Use the blue serial cable to connect the Firebox Serial Port CONSOLE to the management station COM port Use the red crossover cable to con...

Page 61: ...Cabling the Firebox User Guide 39 ...

Page 62: ...d also writes a basic configuration file called wizard cfg to the hard disk of the management station If you later want to expand or change the basic Firebox configuration using Policy Manager use wiz ard cfg as the base file to which you make changes For more information on changing a configuration file see Chapter 5 Using Policy Manager to Configure Your Net work You can also run the QuickSetup ...

Page 63: ...ecify static DHCP or PPPoE as explained in Dynamic IP support on the external interface on page 35 Enter the Firebox interface IP address or addresses Based on whether you specified routed or drop in mode enter the IP address or addresses for the Firebox interfaces You can also add a secondary network to your trusted interface by selecting the additional private network behind the Firebox checkbox...

Page 64: ...hrase is used to establish a read write connection to the Firebox Select Connection Method Select the cabling method used and enter a temporary IP address for the Firebox so that the management station can communicate with it to finish the installation process This must be an unused IP address on the same network as the management station Testing the connection After you have completed the QuickSe...

Page 65: ...ght after 16 and then type 1 10 If your address has a network mask use slash notation to enter it In slash notation a single number indicates how many bits of the IP address identify the network that the host is on A netmask of 255 255 255 0 has a slash equiva lent of 8 8 8 24 For example writing 192 168 42 23 24 is the same as specifying an IP address of 192 168 42 23 with a corresponding netmask...

Page 66: ...nect the Firebox to your network If using a routed configuration change the default gateway setting on all desktops to the Firebox trusted IP address What s Next You have successfully installed configured and deployed your new Firebox System on your network Here are some things to remember as a new customer Customizing your security policy Your organization s security policy defines who can get in...

Page 67: ...only filtered services until all your system are functional and then move to proxies as you become familiar with them as needed For more information on services see Chapter 8 Config uring Filtered Services and Chapter 9 Configuring Proxied Services What to expect from LiveSecurity Service Your Firebox includes a subscription to our award winning LiveSecurity Service Your subscription today Ensures...

Page 68: ...Chapter 3 Getting Started 46 WatchGuard Firebox System ...

Page 69: ...etting the Firebox time zone Setting a Firebox friendly name What is a Firebox A WatchGuard Firebox is a specially designed and optimized security appliance Three independent net work interfaces allow you to separate your protected office network from the Internet while providing an optional public interface for hosting Web email or FTP servers Each network interface is independently monitored and...

Page 70: ...n for a Firebox is directly behind the Internet router as pictured below Other parts of the network are as follows Management station The computer on which you install and run the WatchGuard Firebox System Manager software WatchGuard Security Event Processor The computer that receives and stores log messages and sends alerts and notifications You can configure the management station to also serve ...

Page 71: ... contains all the settings options addresses and other information that constitute your Firebox security policy When you view the settings in Policy Manager you are seeing a user friendly version of your configuration file This section describes how to open a configuration file after one has been created This assumes you have already run the QuickSetup Wizard and have a basic configuration file sa...

Page 72: ... the Firebox drop down list to select a Firebox You can also type in the IP address or host name 3 In the Passphrase text box type the Firebox status read only passphrase Click OK Do not use the configuration passphrase to connect to the Firebox 4 If you want enter a value in the Timeout field to specify the duration in seconds that the management station waits for a response from the Firebox befo...

Page 73: ... the Firebox does need to be rebooted the new policy is not active until the rebooting process completes Saving a configuration to the Firebox From Policy Manager 1 Select File Save To Firebox You can also use the shortcut Ctrl T 2 Use the Firebox drop down list to select a Firebox You can also type the IP address or DNS name of the Firebox When typing IP addresses type the digits and periods in s...

Page 74: ...fore saving NOTE It is not necessary to back up the flash image every time you make a change to the configuration file However if you do choose this option you must provide an encryption key It is especially important not to forget this key If you rely on this file to recover from a corrupted flash image and do not remember the key you will not be able to restore the entire flash image Instead you...

Page 75: ... Choosing the option marked Save Configuration File Only is normally sufficient Saving a configuration to the management station s local drive From Policy Manager 1 Select File SaveAs File You can also use the shortcut Ctrl S The Save dialog box appears 2 Enter the name of the file The default is to save the file to the WatchGuard directory 3 Click Save The configuration file is saved to the local...

Page 76: ...e new passphrases is saved to the Firebox and the Firebox automatically restarts Tips for creating secure passphrases Although a persistent attacker can crack any passphrase eventually you can toughen your passphrases using the following tips Don t use words in standard dictionaries even if you use them backward or in a foreign language Create your own acronyms instead Don t use proper names espec...

Page 77: ...Blocker The default time zone is Greenwich Mean Time Coordinated Universal Time From Policy Manager 1 Select Setup Time Zone 2 Use the drop down list to select a time zone Click OK Setting a Firebox Friendly Name You can give the Firebox a friendly name to be used in log files and reports If you do not specify a name the Fire box s IP address is used From Policy Manager 1 Select Setup Name The Fir...

Page 78: ...Chapter 4 Firebox Basics 56 WatchGuard Firebox System ...

Page 79: ... Each of the procedures in this section can also be used to override any settings you made using the Quick Setup Wizard It is recommended that you follow these steps in the following order to make sure that all necessary information is provided although not all steps are required in all installations Starting a new configuration file Setting up Firebox interfaces Adding secondary networks Setting ...

Page 80: ... are connected to The new configuration file contains defaults for the model of Firebox specified Setting the Firebox Configuration Mode For information on routed and drop in configurations see Selecting a Firewall Configuration Mode on page 28 You must decide upon your configuration mode before set ting IP addresses for the Firebox interfaces If you specify an incorrect IP address you may run int...

Page 81: ...ox located at the bottom of the dialog box 3 Enter the IP address and default gateway for the Firebox interfaces When typing IP addresses type the digits and periods in sequence Do not use the TAB or arrow key to jump past the periods For more information on entering IP addresses see Entering IP addresses on page 43 If you are using static PPPoE on your external interface you also need to enter yo...

Page 82: ...lash notation When typing IP addresses type the digits and periods in sequence Do not use the TAB or arrow key to jump past the periods For more information on entering IP addresses see Entering IP addresses on page 43 3 For the external interface enter the default gateway Setting DHCP or PPPoE Support on the External Interface For information on the DHCP and PPPoE options see Dynamic IP support o...

Page 83: ...uring DHCP or PPPoE support If you enable DHCP or PPPoE on the external interface you can set several optional properties 1 From the Network Configuration dialog box click Properties The Advanced dialog box appears showing the DHCP or PPPoE tab as shown in the following figures ...

Page 84: ...that are not recommended are Firebox2 or SOHO6Alpha NOTE PPPoE debugging generates large amounts of data Do not enable PPPoE debugging unless you are having connection problems and need help from Technical Support Enabling static PPPoE Although an IP address is generally obtained automati cally when using PPPoE static PPPoE is also supported To enable static PPPoE click Use the following IP addres...

Page 85: ...ialog box For a description of each control right click it and then select What s This Defining External IP Aliases You use the Aliases button on the Network Configuration dialog box when you are using static NAT For more infor mation see Adding external IP addresses on page 108 ...

Page 86: ...og box appears 2 Click the Secondary Networks tab The Secondary Networks tab appears as shown in the following figure 3 Use the drop down list in the lower right portion of the dialog box to select the interface to which you want to add a secondary network 4 Use the field in the lower left portion of the dialog box to type an unused IP address from the secondary network When typing IP addresses ty...

Page 87: ... features of the Firebox such as DHCP and Remote User VPN rely on shared Windows Internet Name Server WINS and Domain Name System DNS server addresses These servers must be accessible from the Firebox trusted interface Make sure you use only an internal DNS server for DHCP and Remote User VPN Do not use external DNS servers From Policy Manager 1 Select Network Configuration Click the WINS DNS tab ...

Page 88: ... large network A device defined as a DHCP server auto matically assigns IP addresses to network computers from a defined pool of numbers You can define the Firebox as a DHCP server for the customer network behind the fire wall One parameter that you define for a DHCP server is lease times This is the amount of time a DHCP client can use an IP address that it receives from the DHCP server When the ...

Page 89: ...client requests a longer time the request is denied and the maximum lease time is provided Adding a new subnet To make available private IP addresses accessible to DHCP clients add a subnet To add a new subnet you specify a range of IP addresses to be assigned to clients on the network For example you could define the address range from 10 1 1 10 to 10 1 1 19 to give clients a pool of 10 addresses...

Page 90: ...eturn an IP address that does not work with certain devices or services From Policy Manager 1 Select Network DHCP Server 2 Click the subnet to review or modify Click Edit 3 The DHCP Subnet Properties dialog box appears 4 When you have finished reviewing or modifying the subnet click OK Removing a subnet You can remove an existing subnet however you should be aware that doing so can cause problems ...

Page 91: ... of the Packet Filters and Proxies folders to expand them A list of pre configured filters or proxies appears 3 Under Packet Filters click WatchGuard 4 Click the Add button at the bottom of the dialog box 5 Click OK in the Add Service dialog box 6 Click OK to close the Properties dialog box 7 Repeat steps 3 6 for the Ping FTP and Outgoing services At this stage do not change the default settings f...

Page 92: ...r to pass traffic from any of its three interfaces to a router The router can then pass traffic to the appropriate destina tion according to its specific routing policies For more information on routing issues see the following FAQ http support watchguard com advancedfaqs general_routers asp The WatchGuard user s forum is also a good source of information on routing information Log in to your Live...

Page 93: ...tion file Defining a host route Define a host route if there is only one host behind the router Enter the IP address of that single specific host without slash notation From Policy Manager 1 Select Network Routes The Setup Routes dialog box appears 2 Click Add The Add Route dialog box appears 3 Click the Host option 4 Enter the host IP address 5 In the Gateway text box enter the IP address of the ...

Page 94: ...Chapter 5 Using Policy Manager to Configure Your Network 72 WatchGuard Firebox System 7 Click OK The route data is written to the configuration file ...

Page 95: ... monitor of traffic through the firewall as well as a number of monitoring tools This chapter also describes HostWatch an application that provides a real time display of active connections on a Firebox Starting System Manager and Connecting to a Firebox From the Windows Desktop 1 Select Start Programs WatchGuard Firebox System Manager 2 If you have not yet configured your Firebox click QuickSetup...

Page 96: ...ebox at this time use the Firebox drop down list to select a Firebox You can also type the IP address or DNS name of the Firebox When typing IP addresses type the digits and periods in sequence Do not use the TAB or arrow key to jump past the periods For more information on entering IP addresses see Entering IP addresses on page 43 4 Enter the Firebox status read only passphrase 5 Click OK The Fro...

Page 97: ...cted to Firebox Connect to Firebox appears only when not con nected to Firebox Launch Policy Manager Launch LogViewer Launch HostWatch Create Historical Reports For more information on launching these applications see Launching Firebox Applications on page 85 Viewing basic indicators On the left side of System Manager is a representation of the front panel of the Firebox shown on the following fig...

Page 98: ...n of Firebox capacity being used For more information on the front panel see the following FAQ https support watchguard com advancedfaqs fbhw_lights asp Firebox and VPN tunnel status The section in System Manager to the right of the front panel shows the current status of the Firebox and of branch office and remote user VPN tunnels Firebox Status The following information is displayed under Firebo...

Page 99: ...c client certificate If you expand the entries under Firebox Status as shown in the following figure you can view IP address of the default gateway and netmask MAC Media Access Control address of each interface Number of packets sent and received since the Firebox rebooted Expiration date and time of root and IPSec certificates CA fingerprint This is used to detect man in the middle attacks For mo...

Page 100: ...e figure below shows an expanded entry for a BOVPN tunnel The information displayed from top to bottom is The name assigned to the tunnel during its creation along with the IP address of the destination IPSec device such as another Firebox SOHO or SOHO tc and the tunnel type IPSec or DVCP If the tunnel is DVCP the IP address refers to the entire remote network address rather than that of the Fireb...

Page 101: ...ile User VPN the branch displays the same statistics as for the DVCP or IPSec Branch Office VPN described previously the tunnel name followed by the destination IP address followed by the tunnel type Below are the packet statistics followed by the key expiration authentication and encryption specifications If the tunnel is RUVPN with PPTP the display shows only the quantity of sent and received pa...

Page 102: ...ion point next to a tunnel listing indicates a tunnel is down When you expand an entry that has a red exclamation point another exclamation point appears next to the spe cific device or tunnel with the problem Use this feature to rapidly identify and locate problems in your VPN network Monitoring Firebox Traffic To view log messages generated by the Firebox click the Traffic Monitor tab For more i...

Page 103: ...tries in color You can specify that the log entries appear in different col ors according to the type of information they show 1 Click the Main Menu button Click Settings Click the Syslog Color tab 2 To enable displaying entries in color select the checkbox marked Display Logs in Color You can also enable and disable color by right clicking any entry in the traffic monitor and selecting Colorize 3...

Page 104: ...ous section To copy the source or destination IP address of a deny message so you can paste it into another application right click the message select Source IP Copy or Destination IP Copy To issue the ping command to a source or destination IP address of a deny message right click the message and select Source IP Ping or Destination IP Ping When you issue this command you are prompted to enter th...

Page 105: ...t QuickSetup Wizard The QuickSetup Wizard begins For more information on running the QuickSetup Wizard see the QuickStart Guide included with your Firebox Flushing the ARP cache The ARP Address Resolution Protocol cache on the Fire box stores hardware MAC addresses of TCP IP hosts This cache is checked for hardware address mapping before an ARP broadcast is initiated Flushing the ARP cache is impo...

Page 106: ...ion on entering IP addresses see Entering IP addresses on page 43 3 Enter the Firebox status passphrase 4 Click OK System Manager connects to the Firebox and displays its real time status Changing the polling rate You can change the interval of time in seconds at which System Manager polls the Firebox and updates the Front Panel and the Firebox and Tunnel Status displays There is however a trade o...

Page 107: ...curity Service Select to activate LiveSecurity Service For more information on this service see Chapter 2 Service and Support Launching Firebox Applications You launch the following applications from the toolbar at the top of System Manager Policy Manager LogViewer HostWatch Historical Reports WatchGuard Security Event Processor Launching Policy Manager Use the WatchGuard Policy Manager tool to de...

Page 108: ...to the current log file For more information see HostWatch on page 167 Launching Historical Reports Historical Reports is a report building tool that cre ates HTML reports displaying session types most active hosts most used services URLs and other data useful in monitoring and troubleshooting your network For more information see Generating Reports of Network Activ ity on page 235 Opening the WSE...

Page 109: ...e Windows desktop tray click the Main Menu button Select Tools Logging Event Processor Interface Viewing Bandwidth Usage Click the Bandwidth Meter tab to view real time band width usage for all Firebox interfaces The display differen tiates by color each interface being graphed To configure the colors used on this display 1 Click the Main Menu button and select Settings 2 Click the Bandwidth Meter...

Page 110: ...e number of connections and the x axis shows time The display differentiates by color each service being graphed To configure the services that appear and how they are dis played 1 Click the Main Menu button and select Settings 2 Click the Service Watch tab Adjust the settings as appropriate Viewing Details on Firebox Activity The Status Report tab on System Manager provides a number of statistics...

Page 111: ...umber 103100033 Product Type FBIII 1000 300Mhz 64MB Product Options hifn Packet counts The number of packets allowed denied and rejected between status queries Rejected packets are denied packets for which the Firebox sends an ICMP error message Allowed 5832 Denied 175 Rejects 30 Log hosts The IP addresses of the log host or hosts Log host s 206 148 32 16 Network configuration Statistics about the...

Page 112: ...ptions configured with either the QuickSetup Wizard or by adding and configuring services from Policy Manager Logging options Outgoing traceroute Incoming traceroute logged warning notifies traceroute hostile Outgoing ping Incoming ping Authentication host information The types of authentication being used and the IP address of the authentication server Authentication Using local authentication fo...

Page 113: ...al amount of RAM the process is using SHARE Amount of memory that can be shared by more than one process TIME Total CPU time used CPU Percentage of CPU time used PRI Priority of process SCHED The way the process is scheduled PID NAME S RSS SHARE TIME CPU PRI SCHED 1 init S 1136 564 148 41 84 0 99 round robin 2 kflushd S 0 0 0 00 02 0 0 nice 3 kswapd S 0 0 0 00 00 0 0 fifo 55 nvstd S 800 412 1 27 7...

Page 114: ... 376 0 00 10 0 0 nice 91 netdbg S 828 372 0 00 05 0 0 nice 96 opt bin dns proxy S 800 400 0 00 72 0 0 nice Interfaces Each network interface is displayed in this section along with detailed information regarding its status and packet count Interfaces lo Link encap Local Loopback inet addr 127 0 0 1 Bcast 127 255 255 255 Mask 255 0 0 0 UP BROADCAST LOOPBACK RUNNING MTU 3584 Metric 0 RX packets 0 er...

Page 115: ...verruns 0 carrier 0 Collisions 193 eth1 Link encap Ethernet HWaddr 00 90 7F 1E 79 85 inet addr 192 168 253 1 Bcast 192 168 253 255 Mask 255 255 255 0 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 2 RX packets 6305057 errors 0 dropped 0 overruns 0 frame 0 TX packets 7091295 errors 0 dropped 0 overruns 0 carrier 0 Collisions 0 Interrupt 10 Base address 0xec00 ipsec0 Link encap UNSPEC HWaddr 00 90 7...

Page 116: ...dress when the Firebox is set up for PPPoE support Because all traffic passing over this interface is PPPoE specific the IP address that appears is a placeholder value only and can be ignored Routes The Firebox kernel routing table These routes are used to determine which interface the Firebox uses for each destination address Routes Kernel IP routing table Destination Gateway Genmask Flags MSS Wi...

Page 117: ... 00 80 AD 19 1F 80 C eth0 201 148 32 54 ether 00 A0 24 4B 95 67 C eth1 0 201 148 32 26 ether 00 A0 24 4B 98 7F C eth1 0 207 23 8 30 ether 00 A0 24 79 96 42 C eth0 For more information on the status report page see the fol lowing FAQ https support watchguard com advancedfaqs log_statusall asp Authentication list The Authentication List tab displays the host IP addresses and user names of everyone c...

Page 118: ...n time on the tem porary auto block You can adjust the auto blocking value from the Blocked Sites dialog box available through Policy Manager To remove a site from this list right click it and select Remove Blocked Site If the display is in con tinuous refresh mode that is if the Continue but ton shown at right on the toolbar is active selecting a site on the list stops the refresh mode If you ope...

Page 119: ...e Fire box to log incoming denied Telnet attempts The line connecting the source host and destination host is color coded to display the type of connection being made These colors can be changed The defaults are Red The connection is being denied Blue The connection is being proxied Green The connection is using network address translation NAT Black The connection falls into none of the first thre...

Page 120: ...etailed information about current connections for the item such as IP addresses port num ber connection type and direction The lower pane displays the same information in tabular form in addition to ports and the time the connection was established Connecting HostWatch to a Firebox From HostWatch 1 Select File Connect Or on the Hostwatch toolbar click the Connect icon shown at right 2 Use the Fire...

Page 121: ...ontinue shown at right 4 To step through the display one entry at a time click the Pause icon Click the right arrow to step forward through the log Click the left arrow to step backward through the log Controlling the HostWatch display You can selectively control the HostWatch display This feature can be useful for monitoring the activities of spe cific hosts ports or users From HostWatch 1 Select...

Page 122: ...dresses From HostWatch 1 Select View Properties 2 Use the Host Display tab to modify host display and text options For a description of each control right click it and then select What s This 3 Use the Line Color tab to choose colors for lines drawn between denied dynamic NAT proxy and normal connections 4 Use the Misc tab to control the refresh rate of the real time display and the maximum number...

Page 123: ...performed refers to the method of translation Dynamic NAT Also called IP masquerading or port address translation The Firebox either globally or on a service by service basis applies its public IP address to outgoing packets instead of using the IP address of the session behind the Firebox Static NAT Also called port forwarding Static NAT works on a port to host basis Incoming packets from the ext...

Page 124: ...he most commonly used form of NAT It works by translating the source IP address of outbound sessions those originating on the internal side of the Fire box to the one public IP address of the Firebox Hosts else where only see outgoing packets from the Firebox itself This type of NAT is most commonly used to conserve IP addresses It allows multiple computers to access the Inter net by sharing one p...

Page 125: ...packets Simple dynamic NAT provides a quick method to set a NAT policy for your entire network For more information on this type of NAT see the following FAQ https support watchguard com advancedfaqs nat_howdynamicnat asp Enabling simple dynamic NAT The default configuration of simple dynamic NAT enables it from all non routable addresses to the external network From Policy Manager 1 Select Setup ...

Page 126: ...may require addi tional entries in the From or To lists of hosts or host aliases The Firebox applies dynamic NAT rules in the order in which they appear in the Dynamic NAT Entries list Watch Guard recommends prioritizing entries based on the vol ume of traffic that each represents From the NAT Setup dialog box 1 Click Add 2 Use the From drop down list to select the origin of the outgoing packets F...

Page 127: ...n There is no method to modify a dynamic NAT entry Instead use the Remove button to remove existing entries and the Add button to add new entries Specifying simple dynamic NAT exceptions You can set up ranges of addresses in dynamic NAT so that each address in that range is a part of the NAT policy By using the dynamic NAT exceptions option you can exclude certain addresses from that policy From P...

Page 128: ... NAT policy on a service by service basis Service based NAT is most frequently used to make exceptions to a globally applied simple dynamic NAT entry For example use service based NAT on a network with simple NAT enabled from the trusted to the optional net work with a Web server on the optional network that should not be masqueraded to the actual trusted network Add a service icon allowing Web ac...

Page 129: ...ialog box You have three options Use Default Simple NAT Service based NAT is not enabled for the service The service uses the simple dynamic NAT rules configured in the Dynamic NAT Entries list as explained in Adding simple dynamic NAT entries on page 104 Disable NAT Disables dynamic NAT for outgoing packets using this service Use this setting to create service by service exceptions to outgoing NA...

Page 130: ... a new public IP address using the Add External IP dialog box From Policy Man ager 1 Select Network Configuration Click the Aliases button The Add External IP dialog box appears 2 At the bottom of the dialog box enter the public IP address Click Add 3 Repeat until all external public IP addresses are added Click OK Setting static NAT for a service Static NAT like service based NAT is configured on...

Page 131: ... to select the public address to be used for this service If the public address does not appear in the drop down list click Edit to open the Add External IP dialog box and add the public address 6 Enter the internal IP address The internal IP address is the final destination on the Trusted network 7 If appropriate select the checkbox marked Set internal port to different port than service This fea...

Page 132: ...translating the local network to a range that is not in conflict with the other end both sides can communicate For more information on 1 to 1 NAT see the following FAQ https support watchguard com advancedfaqs nat_onetoone asp Each NAT policy contains four configurable pieces of infor mation The interface External Trusted Optional IPSec The public IP address The internal IP address The number of h...

Page 133: ...rface external trusted optional or IPSec 7 Enter the number of hosts to be translated 8 In the NAT base field enter the base address for the exposed NAT range This will generally be the public IP address that will appear outside the Firebox 9 In the Real base field enter the base address for the real IP address range Click OK This will generally be the private IP address directly assigned to the s...

Page 134: ...cp_local_nets refers to networks behind the DVCP server 13 Click the button next to the From box and enter the value of the real IP address range as entered in step 9 Click OK 14 Click OK to close the Advanced NAT Settings dialog box Click OK to close the NAT Setup dialog box Proxies and NAT This table identifies each proxy and what types of NAT it supports Simple dynamic Static Service based 1 to...

Page 135: ...stomize rule sets destina tions protocols ports used and other parameters With both packet filters and proxies you can deter mine which hosts within your LAN and on the Inter net can communicate with each other through that protocol which events to log such as rejected incom ing packets and which series of events should initiate a notification of the network administrator For information on the di...

Page 136: ... be configured to do so You must actively select the services and protocols allowable configure each one as to which hosts can send and receive them and set other properties individual to the service Every service brings tradeoffs between network security and accessibility When selecting services balance the needs of your organization with the requirement that com puter assets be protected from at...

Page 137: ...lowing it to the trusted network Allowing incoming services from a virtual private network VPN where the organization at the other end is known and authenticated is generally safer than allowing incoming services from the Internet at large Each safety precaution you implement makes your net work significantly safer Following three or four precau tions is much safer than following one or none Outgo...

Page 138: ...n the following figure You can choose from many filtered and proxied services These services are configurable for outgoing or incoming traffic and they can also be made active or inactive When config uring a service you set the allowable traffic sources and destinations as well as determine the filter rules and poli cies for the service You can create services to customize rule sets destinations p...

Page 139: ...figured Sources and Destinations You use separate controls for configuring incoming and outgoing traffic The outgoing controls sources define entries in the From lists while incoming controls destinations define entries in the To lists Logging and Notification Each service has controls that enable you to select which events for that service are logged and whether you want to be notified of these e...

Page 140: ...alog box to add modify and remove the filtered and proxed services you want 2 Expand either the Packet Filters or Proxies folder by clicking the plus sign to the left of the folder A list of pre configured filters or proxies appears 3 Click the name of the service you want to add When you click a service the service icon appears in the area below the New Edit and Remove buttons Also the Details bo...

Page 141: ... Policy Manager Services Arena Adding multiple services of the same type In developing a security policy for your network you might want to add the same service more than once For example you might need to restrict Web access for the majority of your users while allowing complete Web access to your executive team To do this you would create two separate HTTP services with different properties for ...

Page 142: ...rties on page 125 Using the previous example you might add an alias called executives NOTE Be careful to avoid creating conflicting services for example one HTTP service that allows incoming traffic while the other is set to deny incoming traffic Creating a new service In addition to built in filtered services provided by Watch Guard you can create a new service or customize an exist ing service Y...

Page 143: ...vices dialog box when you select the service 5 To begin setting the port used for this service click Add The Add Port dialog box appears 6 From the Protocol drop down list select the protocol used for this new service The following options are available TCP TCP based services UDP UDP based services HTTP Services examined by the HTTP proxy IP Filter a service using something other than TCP IP proto...

Page 144: ...ice s Properties dialog box Properties tab shown below Client Source port can range from 1025 65565 8 In the Port field enter the port number If you are entering a range enter the lowest number of the range 9 In the To field enter the highest number of the range If you are not entering a range leave this field blank 10 Click OK Policy Manager adds the port configuration to the New Service dialog b...

Page 145: ...to close the Properties dialog box Click Close to close the Services dialog box The icon of the new service appears in the Services Arena Deleting a service From Policy Manager 1 In the Services Arena click the icon of the service you want to delete 2 On the toolbar click the Delete Service icon shown at right You can also select Edit Delete or right click the icon and select Delete 3 When asked t...

Page 146: ...hind the Firebox that use this service to initiate sessions with an outside destination The destinations on the external network to which outgoing traffic for this service can be bound In a given direction a service can be in one of three states Disabled The traffic is handled by any other rules that might apply to it If none exists the packets are denied by default packet handling and logged as s...

Page 147: ...ight Adding service properties The method used to add incoming and outgoing service properties is identical Select the tab click the Add button for either the From or the To member list and then define the members for the category The direction of traffic deter mines how you select members of the From and To lists Tab Member List Defines Incoming From External users or hosts that the service will ...

Page 148: ...service Connections Are drop down list to select Enabled and Allowed 2 Click either the Incoming tab or Outgoing tab Click the Add button underneath the From or the To list The Add Address dialog box appears as shown in the following figure 3 Click Add Other The Add Member dialog box appears 4 From the Choose Type drop down list click the type of address range host name or user you want to add 5 I...

Page 149: ... following wg_ services are available wg_authentication Added when you enable authentication wg_dhcp_server Added when you enable the DHCP server wg_pptp Added when you enable PPTP wg_dvcp Added when the device has been inserted into VPN Manager wg_sohomgt Added when you enable the DVCP server wg_ca Added when you enable the DVCP server which also configures the Firebox as a certificate authority ...

Page 150: ...riority events You use the Logging and Notification dialog box to config ure the services blocking categories and packet handling options you want Consequently once you master the con trols for one type of service the remainder are easy to con figure From the Properties dialog box 1 Click the Incoming tab 2 Click Logging The Logging and Notification dialog box appears as shown in the following fig...

Page 151: ...are denied You set notification criteria using the WatchGuard Security Event Processor WSEP For more information see Customizing Logging and Notification by Service or Option on page 215 The remaining controls are active when you select the Send notification checkbox Email Triggers an email message when the event occurs Set the email recipient in the Notification tab of the WatchGuard Security Eve...

Page 152: ...rvice This group has the highest precedence IP and ICMP services and all TCP UDP services that have a port number specified This group has the second highest precedence and is the largest of the three Outgoing services that do not specify a port number they apply to any port This group includes Outgoing TCP Outgoing UDP and Proxy Multiservices can contain subservices of more than one precedence gr...

Page 153: ...t precedence group all incidences of the Any ser vice will take precedence over the highest precedence Tel net service The precedences of services that are in the same prece dence group are ordered from the most specific services based on source and destination targets to the least spe cific service The method used to sort services is based on the specificity of targets from most specific to least...

Page 154: ...acket is denied For example if there are two Telnet icons telnet_1 allowing from A to B and telnet_2 allowing from C to D a Telnet attempt from C to E will first check telnet_1 and then telnet_2 Because no match is found the rest of the rules are considered If an outgoing service allows from C to E it will do so When only one icon is representing a service in a prece dence category only that servi...

Page 155: ...Precedence User Guide 133 ther down the precedence chain including outgoing ser vices For more information on outgoing services see the follow ing FAQ https support watchguard com advancedfaqs svc_outgoing asp ...

Page 156: ...Chapter 8 Configuring Filtered Services 134 WatchGuard Firebox System ...

Page 157: ...ms are common methods of transmitting computer viruses The SMTP proxy knows these content types are not allowed while a packet filter would not detect the unauthorized content in the packet s data payload Proxies work at the application level while packet fil ters work at the network and transport protocol level In other words each packet processed by a proxy is stripped of all network wrapping an...

Page 158: ...for protecting your network from attacks An anomaly in the context of network security is data action or behavior that deviates from what is expected for a given user network or system Because network proto cols are normally very restrictive strict models of expected behavior can be constructed and deviations easily noted Protocol anomaly detection PAD can detect a wide range of anomalies within t...

Page 159: ...Notification dialog box appears as shown in the following figure 3 Customize logging and notification using the settings in this dialog box as described in Customizing logging and notification on page 128 Configuring an SMTP Proxy Service The SMTP proxy limits several potentially harmful aspects of email The proxy scans the content type and content dis position headers and then compares them again...

Page 160: ...ported For more information on the SMTP proxy see the follow ing FAQ https support watchguard com advancedfaqs proxy_smtp asp Configuring the Incoming SMTP Proxy Use the Incoming SMTP Proxy dialog box to set the incoming parameters of the SMTP proxy You must already have an SMTP Proxy service icon in the Services Arena For information on how to add a service see the previous chapter From the Servi...

Page 161: ...g email that supports graph ics audio and video files and text in various foreign lan guages You use the ESMTP tab on the Incoming SMTP Proxy dialog box to specify support for ESMTP extensions keywords and for entering AUTH types which specify various ways of authenticating to the SMTP server From the Incoming SMTP Proxy Properties dialog box 1 Click the ESMTP tab The ESTMP information appears as ...

Page 162: ...ntent The header describes the type of multimedia content contained within an email or on a Web site For instance a MIME type of application zip in an email message indicates that the email contains a Zip file attachment By reading the MIME headers contained in an incoming email message the Firebox can strip certain MIME types and admit only the types you want You define which types of attachments...

Page 163: ...roxy Service User Guide 141 2 If you want to specify content types to allow click the upper Add button in the dialog box The Select MIME Type dialog box appears as shown in the following figure 3 Select a MIME type Click OK ...

Page 164: ... name patterns The Content Types tab includes a list of file name patterns denied by the Firebox if they appear in email attachments To add a file name pattern to the list enter a new pattern in the text box to the left of the Add button Click Add Note that denying a particular attachment does not auto matically trigger protocol anomaly detection PAD rules You must specifically add the content typ...

Page 165: ...y to send mail from your servers To prevent this disable open relay on your mail servers by restricting the destina tion to only your own domain To further increase protection from mail relaying modify the SMTP Proxy settings to allow addresses only from your domain From the Incoming SMTP Proxy Properties dia log box 1 Click the Address Patterns tab 2 Select Allowed To from the Category drop down ...

Page 166: ...ader name in the text box to the left of the Add button Click Add The new header appears at the bottom of the header list 3 To remove a header select the header name in the header list Click Remove The header is removed from the header list Specifying logging for the SMTP proxy Click the Logging tab to specify whether to log the follow ing Unknown headers that are filtered by the proxy Unknown ESM...

Page 167: ...ge 136 1 From the SMTP Properties dialog box click the Properties tab The SMTP Properties dialog box appears as shown in the following figure 2 Select the Enable auto blocking of sites using protocol anomaly detection checkbox 3 To set rules for anomaly detection click the Auto blocking Rules button The PAD Rules for SMTP Proxy dialog box appears as shown in the following figure ...

Page 168: ...nt types select the corresponding checkbox To be able to select or clear several consecutive content types as a group select the first type press Shift and select the last type and then select one of the types between the two selections To be able to select or clear several non consecutive content types as a group press Ctrl and select each type you want 6 The next box lists the denied extension t...

Page 169: ...ick Outgoing The Outgoing SMTP Proxy dialog box appears displaying the General tab as shown in the following figure 3 To add a new header pattern type the pattern name in the text box to the left of the Add button Click Add 4 To remove a header from the pattern list click the header pattern Click Remove 5 In the Idle field set a time out value in seconds 6 To modify logging properties click the Lo...

Page 170: ...ess patterns that are behind your firewall that you want replaced by the official domain name Click Add All patterns entered here appear as the official domain name outside the Firebox 4 In the Don t Substitute for these address patterns text box to the left of the Add button type the address patterns that you want to appear as is outside the firewall Click Add 5 Select the checkbox marked Masquer...

Page 171: ...s also potentially dangerous outbound because it enables users on your network to copy virtually anything from outside the network to a location behind their fire wall Therefore it is important to make the FTP service as restrictive as possible Ideally try to isolate the inbound FTP servers to a single host or hosts on your optional net work Make sure you protect your trusted network from FTP requ...

Page 172: ...at s This You can also refer to the Field Definitions chapter in the Reference Guide Note that the Make Incoming FTP Connections Read only checkbox is selected by default If you have an FTP server that accepts files be sure to clear this checkbox 4 Click OK Enabling protocol anomaly detection for FTP For a description of protocol anomaly detection see Pro tocol Anomaly Detection on page 136 1 From...

Page 173: ...TP traffic from traveling from the optional interface to the trusted interface Outgoing traffic is generally less restrictive For example many companies open outgoing HTTP traffic from Any to Any WatchGuard Firebox System offers three different types of HTTP services Choose the HTTP service that best meets your needs Proxied HTTP is a multiservice that combines configuration options for HTTP on po...

Page 174: ...not provide protection that is as thorough or as effective In addition none of the custom options including WebBlocker are available for Filtered HTTP Adding a proxy service for HTTP Most network administrators use the HTTP proxy service when configuring Web traffic Many administrators com bine their HTTP service with an outgoing proxy service configured Any to Any to keep the HTTP service both ea...

Page 175: ...16 Controlling Web Site Access For a description of each control right click it and then select What s This Or refer to the Field Definitions chapter in the Reference Guide For detailed information about the HTTP proxy see the online support resources at http support watchguard com Restricting content types for the HTTP proxy You can configure the HTTP proxy to allow only those MIME types you deci...

Page 176: ...nd here can be added to the unsafe path patterns box not testsite If you want to disable content type filtering click the Set tings tab Clear the checkbox marked Require Content Type NOTE Zip files are denied when you deny Java or ActiveX applets because Zip files often contain these applets Configuring a caching proxy server Because the Firebox s HTTP proxy does no content cach ing the Firebox ha...

Page 177: ...on to the Firebox Configuring the DNS Proxy Service Internet domain names such as WatchGuard com are located and translated into IP addresses by the domain name system DNS DNS lets users navigate the Internet with easy to remember dot com names by seamlessly translating the domain name into an IP address that serv ers routers and individual computers understand Rather than try to maintain a centra...

Page 178: ...ssed Attackers can set the value of a key variable such that the server crashes and the attacker gains unauthorized access The DNS proxy protects your DNS servers from both the TSIG and NXT attacks along with a number of other types of DNS attacks For more informa tion on the DNS proxy see the DNS Proxy section of the following collection of FAQs https support watchguard com advancedfaqs proxy_mai...

Page 179: ...DNS Proxy connections are drop down list to select Enabled and Allowed 7 Click OK to close the DNS Proxy Properties dialog box 8 Click Close The Services dialog box closes The DNS Proxy icon appears in the Services Arena Enabling protocol anomaly detection for DNS For a description of protocol anomaly detection see Pro tocol Anomaly Detection on page 136 1 From the DNS Properties dialog box click ...

Page 180: ...nsecutive rules as a group press Ctrl and select each rule you want DNS file descriptor limit The DNS proxy has only 256 file descriptors available for its use which limits the number of DNS connections in a NAT environment Every UDP request that uses dynamic NAT uses a file descriptor for the duration of the UDP timeout Every TCP session that uses dynamic static or 1 to 1 NAT uses a file descript...

Page 181: ...59 You can work around this problem in two ways the first method is the most secure Avoid using dynamic NAT between your clients and your DNS server Disable the outgoing portion of the DNS proxied service and replace it with a filtered DNS service ...

Page 182: ...Chapter 9 Configuring Proxied Services 160 WatchGuard Firebox System ...

Page 183: ...ion it does not matter which IP address is used or from which machine a person chooses to work To gain access to Internet services such as outgoing HTTP or outgoing FTP the user provides authenti cating data in the form of a username and password For the duration of the authentication the session name is tied to connections originating from the IP address from which the individual authenticated Th...

Page 184: ...ere a user workstation may have several different IP addresses over the course of a week Authentication by user is also useful in education environments such as classrooms and college computer centers where many dif ferent people might use the same IP address over the course of the day For more information on authentication see the following collection of FAQs https support watchguard com advanced...

Page 185: ...hentication 4 Click Add The Add Address dialog box appears as shown in the following figure Group Function firebox Addresses assigned to the three Firebox interfaces and any related networks or device aliases trusted Any host or network routed through the physical trusted interface optional Any host or network routed through the physical optional interface external Any host or network routed throu...

Page 186: ... down list to select a category In the Value text box enter the address range or host name Click OK 8 When you finish adding members click OK The Host Alias dialog box appears listing the new alias Click the alias to view its members To modify an alias select it click Edit and then add or delete members To remove an alias select it click Remove and then remove the alias from Properties box of any ...

Page 187: ...henticating disable the account on the authentication server Using external authentication Although the authentication applet is primarily used for outbound traffic it can be used for inbound traffic as well Authentication can be used outside the Firebox as long as you have an account on that Firebox For example if you are working at home you can point your browser to http public IP address of any...

Page 188: ...o the user the user performs many or all of the same tasks to authenticate against any of the five types of authentication The difference for the Firebox administrator is that for built in authentication the database of usernames pass words and groups are stored on the Firebox itself In all other cases the usernames passwords and groups are stored on the server performing the authentication When t...

Page 189: ...ts down the connection This is a set time limit regardless of end user traffic Defining Firebox Users and Groups for Authentication In the absence of a third party authentication server you can divide your company into groups and users for authentication Assign employees or members to groups based on factors such as common tasks and functions access needs and trustworthiness For example you might ...

Page 190: ...box users If you have more than approximately 100 users to authenticate WatchGuard recommends that you use a third party authentication server WatchGuard automatically adds two groups intended for remote users to the basic configuration file ipsec_users Add the names of authorized users of MUVPN pptp_users Add the names of authorized users of RUVPN with PPTP You can use Policy Manager to add edit ...

Page 191: ...x appears 3 Type the name of the group Click OK 4 To add a new user click the Add button beneath the Users list The Setup Firebox User dialog box appears as shown in the following figure 5 Enter the username and password 6 To add the user to a group select the group name in the Not Member Of list Click the left pointing arrow to move the name to the Member Of list ...

Page 192: ...roups click OK The users and groups can now be used to configure services and authentication Configuring Windows NT Server Authentication Windows NT Server authentication is based on Windows NT Server Users and Groups It uses the Users and Groups database already in place on your Windows NT network Only end users are allowed to authenticate the default Windows NT groups Administrators and Replicat...

Page 193: ... 5 Click OK Configuring RADIUS Server Authentication The Remote Authentication Dial In User Service RADIUS provides remote users with secure access to corporate net works RADIUS is a client server system that stores authentication information for users remote access serv ers and VPN gateways in a central user database that is available to all clients Authentication for the entire net work occurs f...

Page 194: ...r used for RADIUS authentication The default is 1645 RFC 2138 states the port number as 1812 but many RADIUS servers still use port number 1645 5 Enter the value of the secret shared between the Firebox and the RADIUS server The shared secret is case sensitive and must be identical on the Firebox and the RADIUS server 6 Enter the IP address and port of the backup RADIUS server The RADIUS servers s...

Page 195: ...For example to add the groups Sales Marketing and Engineering enter Filter Id Sales Filter Id Marketing Filter Id Engineering NOTE The filter rules for RADIUS user filter IDs are case sensitive Configuring CRYPTOCard Server Authentication CRYPTOCard is a hardware based authentication system that allows users to authenticate by way of the CRYPTO Card challenge response system which includes off lin...

Page 196: ...ion The standard is 624 5 Enter the administrator password This is the administrator password in the passwd file on the CRYPTOCard server 6 Enter or accept the time out in seconds The time out period is the maximum amount of time in seconds a user can wait for the CRYPTOCard server to respond to a request for authentication Sixty seconds is CRYPTOCard s recommended time out length 7 Enter the valu...

Page 197: ...RYPTOCard server documentation Configuring SecurID Authentication For SecurID authentication to work the RADIUS and ACE Server servers must first be correctly configured In addition users must have a valid SecurID token and PIN number Please see the relevant documentation for these products NOTE WatchGuard does not support the third party program Steel Belted RADIUS for use with SecurID You should...

Page 198: ...is 1645 5 Enter the value of the secret shared between the Firebox and the SecurID server The shared secret is case sensitive and must be identical on the Firebox and the SecurID server 6 If you are using a backup server select the Specify backup SecurID server checkbox Enter the IP address and port number for the backup server 7 Click OK To set up the RADIUS server see To configure the RADIUS ser...

Page 199: ... Default packet handling Options for how the firewall handles incoming communications that appear to be attacks on a network Blocked sites An IP address outside the Firebox that is prevented from connecting to hosts behind the Firebox The Blocked Sites feature of the Firebox helps you prevent unwanted contact from known or suspected hostile systems Blocked ports Ports that are designated as vulner...

Page 200: ...irewall examines the source of the packet and its intended destination by IP address and port number It also watches for patterns in successive packets that indicate unautho rized attempts to access the network The default packet handling configuration determines whether and how the firewall handles incoming communi cations that appear to be attacks on a network Packet han dling can Reject potenti...

Page 201: ...he Firebox prevents packets with a false identity from passing through to your network When such a packet attempts to establish a con nection the Firebox generates two log records One log record shows that the attacker s packet was blocked the other shows that the attacker s site has been added to the Blocked Sites list a compilation of all sites blocked by the Firebox You can block spoofing attac...

Page 202: ...ault Packet Handling icon You can also from Policy Manager select Setup Intrusion Prevention Default Packet Handling The Default Packet Handling dialog box appears 2 Select the checkbox marked Block Port Space Probes 3 Select the checkbox marked Block Address Space Probes Stopping IP options attacks Another type of attack that can be used to disrupt your net work involves IP options in the packet ...

Page 203: ...he browser by sending what is called a SYN ACK segment When the browser sees the SYN ACK it sends an ACK segment The server is ready to accept the URL request from the browser when it sees the ACK statement However until the ACK segment has been received the server is stuck it knows the browser wants to communicate but the connection is not yet established Many servers in use today can handle only...

Page 204: ...leted If you find that too many legitimate connection attempts fail when your SYN flood defense is active you can change SYN flood settings to minimize this problem You can set the maximum number of incomplete TCP con nections the Firebox allows before the SYN flood defense is activated The default setting of 60 means that when the number of TCP connections waiting to be validated climbs to 61 or ...

Page 205: ...attempt is challenged From Policy Manager 1 On the toolbar click the Default Packet Handling icon You can also from Policy Manager select Setup Intrusion Prevention Default Packet Handling The Default Packet Handling dialog box appears 2 Use the SYN Validation Timeout box to set how long the Firebox remembers a validated connection after that connection is dropped 3 Use the Maximum Incomplete Conn...

Page 206: ... Sites The Blocked Sites feature of the Firebox helps you prevent unwanted contact from known or suspected hostile sys tems After you identify an intruder you can block all attempted connections from them You can also configure logging to record all access attempts from these sources so you can collect clues as to what services they are attempt ing to attack A blocked site is an IP address outside...

Page 207: ...n add the offending site s IP address to the list of perma nently blocked sites Note that site blocking can be imposed only to traffic on the Firebox s external interface Connections between the trusted and optional interfaces are not subject to the Blocked Sites feature Blocking a site permanently You may know of hosts on the Internet that pose constant dangers such as a university computer that ...

Page 208: ...ked Sites dialog box appears as shown in the following figure 2 Click Add 3 Use the Choose Type drop list to select a member type The options are Host IP Address Network IP Address or Host Range 4 Enter the member value Depending on the member type this can be an IP address or a range of IP addresses When typing IP addresses type the digits and periods in sequence Do not use the TAB or arrow key t...

Page 209: ...hat would otherwise add it to the list The site can still be blocked according to the Firebox configura tion but it will not be automatically blocked for any rea son From Policy Manager 1 Select Setup Intrusion Prevention Blocked Sites Exceptions The Blocked Sites Exceptions dialog box appears 2 Click Add 3 Enter the IP address of the site for which you want to create an exception Click OK 4 Click...

Page 210: ...ke the Blocked Sites feature the Blocked Ports feature blocks only packets that enter your network through the external interface Connections between the optional and Trusted interfaces are not subject to the Blocked Ports list You should consider blocking ports for several reasons Blocked ports provide an independent check for protecting your most sensitive services even when another part of the ...

Page 211: ...possible to detect by all but the most knowledgeable users The first X Window server is always on port 6000 If you have an X server with multiple displays each new display uses an additional port number after 6000 up to 6063 for a maximum of 64 displays on a given host X Font Server port 7100 Many versions of X Windows support font servers Font servers are complex programs that run as the super us...

Page 212: ...ctually used by a given RPC server Because RPC services themselves are very vulnerable to attack over the Internet the first step in attacking RPC services is to contact the portmapper to find out which services are available port 0 Port 0 is reserved by IANA but many programs that scan ports start their search on port 0 port 1 Port 1 is for the rarely used TCPmux service Blocking it is another wa...

Page 213: ...u larly likely to be used as client ports NOTE Solaris uses ports greater than 32768 for clients Blocking a port permanently From Policy Manager 1 On the toolbar click the Blocked Ports icon shown at right You can also select Setup Intrusion Prevention Blocked Ports The Blocked Ports dialog box appears as shown in the following figure 2 In the text box to the left of the Add button type the port n...

Page 214: ...vent logs and notification to accommodate attempts to access blocked ports You can configure the Firebox to log all attempts to use blocked ports or notify a network administrator when someone attempts to access a blocked port From the Blocked Ports dialog box 1 Click Logging The Logging and Notification dialog box appears 2 In the Category list click Blocked Ports 3 Modify the logging and notific...

Page 215: ...he dialog box Viewing the Blocked Sites list The Blocked Sites list is a compilation of all sites currently blocked by the Firebox Use Firebox Monitors to view sites that are automatically blocked according to a service s property configuration From System Manager click the Blocked Site List tab at the bottom of the graph You might need to use the arrows to access this tab Integrating Intrusion De...

Page 216: ...box for information Because versions are available for Win32 Windows NT Windows 2000 and Windows XP SunOS and Linux oper ating systems you can select whatever IDS application best suits your security policy and network environments Working with an external IDS application the Firebox can automatically add sites to the Blocked Sites list Timeouts and blocked site exceptions work exactly as they do ...

Page 217: ...ocked Sites dialog box It effectively extends your control of the Auto Block mechanism inside the Firebox add_log_message This command causes a message to be added to the log stream emitted by the Firebox Because the priority is used by the Firebox to construct syslog messages its range is the standard syslog 0 Emergency to 7 Debug There is no limit on message length the message is automatically b...

Page 218: ... 209 54 94 99 The 209 54 94 99 site appears on the auto blocked sites list and remains there for the duration set in Policy Manager In addition the following message appears in the log file Temporarily blocking host 209 54 94 99 Example 2 The IDS adds a message to the Firebox s log stream fbidsmate 10 0 0 1 secure1 add_log_message 3 IDS system temp blocked 209 54 94 99 With the IDS running on host...

Page 219: ...ncrypted file on the IDS host fbidsmate import_passphrase secure1 etc fbidsmate passphrase Then you could rewrite the previous examples as fbidsmate 10 0 0 1 f etc fbidsmate passphrase add_hostile 209 54 94 99 fbidsmate 10 0 0 1 f etc fbidsmate passphrase add_log_message 3 IDS system temp blocked 209 54 94 99 ...

Page 220: ...Chapter 11 Intrusion Detection and Prevention 198 WatchGuard Firebox System ...

Page 221: ...a call to a pager or the execution of a custom program For example WatchGuard recommends that you con figure default packet handling to issue a notification when the Firebox detects a port space probe When the Firebox detects one the log host sends notification to the network security administrator about the rejected packets At this point the network security adminis trator can examine the logs an...

Page 222: ...ing a logging policy you spell out what gets logged and when an event or series of events warrants sending out a notification to the on duty administrator Developing these policies simplifies the setup of individual services in the WatchGuard Firebox System If you have fully mapped out a policy you can more easily delegate configuration duties and ensure that individual efforts do not contradict t...

Page 223: ...ing traffic from any source outside to any destination inside there is little point in log ging incoming denied packets All traffic for that service in that direction is blocked Notification policy The most important events that should trigger notification are IP options port space probes address space probes and spoofing attacks These are configurable in the Default Packet Handling dialog box des...

Page 224: ...mber you might want to activate notification on this service whenever it denies or passes a packet Failover Logging WatchGuard uses failover logging to minimize the possi bility of missing log events With failover logging you con figure a list of log hosts to accept logs in the event of a failure of the primary log host By default the Firebox sends log messages to the primary log host If for any r...

Page 225: ...preferences for services and packet handling options Save the configuration file with logging properties to the Firebox WatchGuard Security Event Processor WSEP Install the WSEP software on each log host Set global logging and notification preferences for the host Set the log encryption key on each log host identical to the key set in Policy Manager Designating Log Hosts for a Firebox You should h...

Page 226: ...s support watchguard com advancedfaqs log_troubleshootinghost asp Adding a log host From Policy Manager 1 Select Setup Logging The Logging Setup dialog box appears 2 Click Add The Add IP Address dialog box appears as shown in the following figure 3 Enter the IP address to be used by the log host When typing IP addresses type the digits and periods in sequence Do not use the TAB or arrow key to jum...

Page 227: ...ick the Syslog tab The Syslog tab information appears as shown in the following figure 3 Select the checkbox marked Enable Syslog Logging 4 Enter the IP address of the Syslog server 5 Select a Syslog facility from the drop down list You can select a facility from LOG_LOCAL_0 through LOG_LOCAL_7 6 Click OK For more information on Syslog logging see the following FAQ https support watchguard com adv...

Page 228: ...onfiguration file Reordering log hosts Log host priority is determined by the order in which the hosts appear in the WatchGuard Security Event Processor list The host that is listed first receives log messages Use the Up and Down buttons to change the order of the log hosts From the Logging Setup dialog box To move a host down click the host name Click Down To move a host up click the host name Cl...

Page 229: ...ntroller Another method to set the log host and domain controller clocks is to use an independent source such as the atomic clock based servers available on the Internet One place to access this service is http www bldrdoc gov timefreq Setting up the WatchGuard Security Event Processor The WatchGuard Security Event Processor application is available both as a command line utility and on a Win dows...

Page 230: ...Security Event Processor Click Start Or right click on the WSEP icon in the system tray and select Start You can also restart your computer The service starts automatically every time the host reboots In addition if the WSEP application is running as a service and you are using pop up notifications make sure the ser vice can interact with the Desktop 1 Verify that the WatchGuard Security Event Pro...

Page 231: ... directory is C Program Files WatchGuard 3 At the command line type controld nt install You can perform other commands for the WSEP applica tion from the Command Prompt To start the WSEP application at the command line type controld nt start To stop the WSEP application at the command line type controld nt stop To remove the WSEP application at the command line type controld nt remove Interactive ...

Page 232: ...icon is not in the tray in Firebox System Manager select Tools Log ging Event Processor Interface To start the Event Pro cessor interface when you log in to the system add a shortcut to the Startup folder in the Start menu The Watch Guard installation program does this automatically if you set up logging Starting and stopping the WSEP The WSEP starts automatically when you start the host on which ...

Page 233: ...ation From the WatchGuard Security Event Processor user inter face 1 Select File Set Log Encryption Key 2 Enter the log encryption key in both text boxes Click OK Setting Global Logging and Notification Preferences The WatchGuard Security Event Processor lists the con nected Firebox and displays its status It has three control areas which are used as follows Log Files tab Specify the maximum numbe...

Page 234: ...d how long a log file is practical to keep open and view How quickly a file hits its maximum size and is overwritten is also deter mined by how many event types are logged and how much traffic the Firebox processes For example a small operation might not see 10 000 entries in two weeks whereas a large one with many services enabled might eas ily log 100 000 entries in a day When considering your i...

Page 235: ...me of day 3 For a record size select the Roll Log Files By Number of Entries checkbox Use the scroll control or enter a number of log record entries The Approximate Size field changes to display the approximate file size of the final log file For a detailed description of each control right click it and then select What s This You can also refer to the Field Definitions chapter in the Reference Gu...

Page 236: ...2 Modify the settings according to your security policy preferences For more information on individual settings right click the setting and then select What s This You can also refer to the Field Definitions chapter in the Reference Guide Setting a Firebox friendly name for log files You can give the Firebox a friendly name to be used in log files If you do not specify a name the Firebox s IP addr...

Page 237: ... and notification configuration easier ser vices blocking categories and packet handling options share an identical dialog box as shown in the following figure Therefore once you learn the controls for one type of service you can easily configure the remainder You can define the following Category The event types that can be logged by the service or option This list changes depending on the servic...

Page 238: ...er interface Pager Triggers an electronic page when the event occurs Set the pager number in the Notification tab of the WSEP user interface If the pager is accessible by email select the Email option and then enter the email address of the pager in the Notification tab of the WSEP user interface Popup Window Makes a pop up window appear on the log host when the event occurs Custom Program Trigger...

Page 239: ...tion is repeating Notification repeats only after this number of events occurs As an example of how these two values interact suppose you have set up notification with these values Launch interval 5 minutes Repeat count 4 A port space probe begins at 10 00 a m and continues once per minute triggering the logging and notification mecha nisms Here is the time line of activities that would result fro...

Page 240: ... Manager 1 Double click a service in the Services Arena The Properties dialog box appears 2 Click Logging The Logging and Notification dialog box appears The options for each service are identical the main difference is based on whether the service in question is for incoming outgoing or bidirectional communication 3 Modify logging and notification properties according to your security policy pref...

Page 241: ...olicy preferences Click OK Setting logging and notification for blocked sites and ports You can control logging and notification properties for both blocked sites and blocked ports The process is identi cal for both operations The procedure below is for blocked sites From Policy Manager 1 Select Setup Intrusion Protection Blocked Sites The Blocked Sites dialog box appears 2 Click Logging 3 Modify ...

Page 242: ...Chapter 12 Setting Up Logging and Notification 220 WatchGuard Firebox System ...

Page 243: ...og files searching for entries in them and consolidating and copying logs The WatchGuard Security Event Processor WSEP controls logging report schedules and notification It also provides timekeeping services for the Firebox For more information about the WatchGuard Security Event Processor and configuring logging see Chapter 12 Setting Up Logging and Notification For more information on specific l...

Page 244: ...g files are named Fire boxIP timestamp wgl In addition the WSEP creates an index file using the same name as the log file but with the extension idx1 This file is located in the same directory as the log file Both the wgl and idx1 files are necessary if you want to use any monitoring or log display tool For more information on the log file names see the following FAQ https support watchguard com a...

Page 245: ...ion on the Filter Data tab see Displaying and Hiding Fields on page 225 Searching for specific entries LogViewer has a search tool to enable you to find specific transactions quickly by keyphrase or field From Log Viewer By keyphrase 1 Select Edit Search by Keyphrase 2 Enter an alphanumeric string Click Find LogViewer searches the entire log file and displays the results as either marked records i...

Page 246: ...choose to transfer is converted to a text file txt If you want to transfer specific log entries to another appli cation use the copy function Use the export function if you want to transfer entire log files or a filtered set of records see next paragraph to another application You can copy log entries to an interim window called the LogViewer filter window prior to exporting them Within the filter...

Page 247: ...indow 1 Select File Export The Save Main Window dialog box appears 2 Select a location Enter a file name Click Save LogViewer saves the contents of the selected window to a text file Displaying and Hiding Fields The following figure shows an example of the type of dis play you normally see in LogViewer Log entries sent to the WatchGuard log state the time stamp host name process name and the proce...

Page 248: ... Time The time the record entered the log file Default Show The Firebox receives the time from the log host If the time noted in the log seems later or earlier than it should be it is usually because the time zone is not set properly on either the log host or the Firebox Because some installations contain Fireboxes in multiple time zones with a single log host the Firebox uses Greenwich Mean time ...

Page 249: ...e packet event fields are described here in order from left to right Disposition Default Show The disposition can be as follows Allow Packet was permitted by the current set of filter rules Deny Packet was dropped by the current set of filter rules Direction Determines whether the packet was logged when it was received by the interface in or when it was about to be transmitted by the Firebox out D...

Page 250: ...lt Show Source port The source port of the logged packet UDP or TCP only Default Show Destination port The destination port of the logged packet UDP or TCP only Default Show Details Additional information appears after the previously described fields including data about IP fragmentation TCP flag bits IP options and source file and line number when in trace mode If WatchGuard logging is in debug o...

Page 251: ...multiple locations You can merge two or more log files into a single file This merged file can then be used with Historical Reports Log Viewer HostWatch or some other utility to examine log data covering an extended period of time From the WSEP Status Configuration user interface 1 Select File Copy or Merge log files 2 Click Merge all files to one file Enter the name of the merged file 3 Enter the...

Page 252: ... Current Log File The old log file is saved as Firebox IP Time Stamp wgl or Firebox Name Time Stamp wgl The Event Processor continues writing new records to Firebox IP wgl or Firebox Name wgl Saving log files to a new location Although log files are by default stored in a subdirectory of the WatchGuard installation directory called logs you can change this destination by using a text editor to edi...

Page 253: ...Encryption Key The Set Log Encryption Key dialog box appears 2 Enter the log encryption key in the first box Enter the same key in the box beneath it to confirm Sending logs to a log host at another location Because they are encrypted by the Firebox you can send log files over the Internet to a log host at another office You can even send this traffic over the Internet from the Firebox at one offi...

Page 254: ...d Logging Properties dialog box 9 Save the new configuration to the main office Firebox On the remote office Firebox 1 Open Policy Manager with the current configuration file 2 Select Setup Logging Click Add 3 Enter the external IP address of the main office Firebox and log encryption key of the log host on the network protected by the main office Firebox 4 Click OK to close the Add IP Address dia...

Page 255: ...Working with Log Files User Guide 233 appear until the remote office Firebox has been properly configured ...

Page 256: ...Chapter 13 Reviewing and Working with Log Files 234 WatchGuard Firebox System ...

Page 257: ...er bandwidth connection to the Internet and why What usage patterns are users developing and how do those patterns relate to the security of the network and the goals of the corporation How do current user patterns reflect the values and concerns of the corporation in regard to creating a productive workplace Historical Reports is a reporting tool that creates sum maries and reports of Firebox log...

Page 258: ... a group of Fireboxes and set properties to display the report data according to your preferences Creating and Editing Reports To start Historical Reports from Firebox System Manager click the Historical Reports icon shown at right You can also start Historical Reports from the installation directory The file name is WGRe ports exe Starting a new report From Historical Reports 1 Click Add The Repo...

Page 259: ...xport For more information on output types see Exporting Reports on page 241 6 Select the filter For more information on filters see Using Report Filters on page 243 7 If you selected the HTML output type and you want to see the main page of the report upon completion select the checkbox marked Execute Browser Upon Completion 8 Click the Firebox tab 9 Enter the Firebox IP address or a unique name ...

Page 260: ...ommand removes the rep file from the reports directory Viewing the reports list To view all reports generated click Reports Page This launches your default browser with the HTML file contain ing the main report list You can navigate through all the reports in the list Specifying a Report Time Span When running Historical Reports the default is to run the report across the entire log file You can u...

Page 261: ...description of each section see Report Sections and Consolidated Sections on page 246 3 To run authentication resolution on IP addresses select the checkbox marked Authentication Resolution on IP addresses If user authentication is not enabled you will not have the information in your logs to perform authentication resolution on IP addresses However generating a report when resolution is enabled w...

Page 262: ...ented in different ways to better focus on the specific information you want to view Detail sections are reported only as text files with a user desig nated number of records per page Summary sections can also be presented as graphs whose elements are user defined To set report properties 1 From the Report Properties dialog box select the Preferences tab 2 Enter the number of elements to graph in ...

Page 263: ...text All reports are stored in the path drive WatchGuard Install Directory Reports Under the Reports directory are subdi rectories that include the name and time of the report Each report is filed in one of these subdirectories Exporting reports to HTML format When you select HTML Report from the Setup tab on the Report Properties dialog box the report output is created as HTML files A JavaScript ...

Page 264: ...cal Reports counts the number of transactions that occur on Port 80 WebTrends for Firewalls and VPNs calcu lates the number of URL requests These numbers vary because multiple URL requests may go over the same Port 80 connection NOTE WatchGuard HTTP proxy logging must be turned on to supply WebTrends the logging information required for its reports When you select WebTrends Export from the Setup t...

Page 265: ...lt a report displays information on the entire con tent of a log file At times however you may want to view information only about specific hosts services or users Use report filters to narrow the range of data reported Filters can be one of two types Include Creates a report that includes only those records that meet the criteria set in the Host Service or User Report Filters tabs Exclude Creates...

Page 266: ...ll records except those meeting the criteria set on the Host Service and User tabs 4 Complete the Filter tabs according to your report preferences For a description of each control right click it and then click What s This You can also refer to the Field Definitions chapter in the Reference Guide 5 When you are finished modifying filter properties click OK The name of the filter appears in the Fil...

Page 267: ... Filters dialog box appear in the Filter drop down list For more information see Creating a new report filter on page 244 3 Click OK The new report properties are saved to the ReportName rep file in the report defs directory The filter will be applied the next time the report is run Scheduling and Running Reports WatchGuard offers two methods to run reports manually at any time or scheduled automa...

Page 268: ...erate 2 Click Run Report Sections and Consolidated Sections You can use Historical Reports to build a report that includes one or more sections Each section represents a discrete type of information or network activity You can consolidate certain sections to summarize particu lar types of information Consolidated sections summarize the activity of all devices being monitored as a group as opposed ...

Page 269: ...y Otherwise the time interval is based on your selection Host Summary Packet Filtered A table and optionally a graph of internal and external hosts passing packet filtered traffic through the Firebox sorted either by bytes transferred or number of connections Service Summary A table and optionally a graph of traffic for each service sorted by connection count Session Summary Packet Filtered A tabl...

Page 270: ...dth or connections Session Summary Proxied Traffic A table and optionally a graph of the top incoming and outgoing sessions sorted either by byte count or number of connections The format of the session is client server service If the connection is proxied the service is represented in all capital letters If the connection is packet filtered Historical Reports attempts to resolve the server port t...

Page 271: ...Time Type Client Client Port Server Server Port Protocol and Duration Denied Incoming Packet Detail A list of denied incoming packets sorted by time The fields are Date Time Type Client Client Port Server Server Port Protocol and Duration Denied Packet Summary Multiple tables each representing data on a particular host originating denied packets Each table includes time of first and last attempt t...

Page 272: ...val is based on your selection Host Summary Packet Filtered A table and optionally a graph of internal and external hosts passing packet filtered traffic sorted either by bytes transferred or number of connections Service Summary A table and optionally a graph of traffic for all services sorted by connection count Session Summary Packet Filtered A table and optionally a graph of the top incoming a...

Page 273: ... hosts passing proxied traffic sorted either by bytes transferred or number of connections Proxy Summary Proxies ranked by bandwidth or connections Session Summary Proxied Traffic A table and optionally a graph of the top incoming and outgoing sessions sorted either by byte count or number of connections The format of the session is client server service If proxied connections show the service in ...

Page 274: ...Chapter 14 Generating Reports of Network Activity 252 WatchGuard Firebox System ...

Page 275: ...ol over the Web surfing in your organization You can designate which hours in the day users are free to access the Web and which categories of Web sites they are restricted from visit ing For more information on WebBlocker see the fol lowing collection of FAQs https support watchguard com advancedfaqs web_main asp Getting Started with WebBlocker You must complete several tasks before you can con f...

Page 276: ...ted server run ning Windows NT 4 0 or Windows 2000 To install the WebBlocker server on a dedicated platform rerun the setup program on the dedicated server and on the Select Components screen unselect all components except the WebBlocker server You must start the WebBlocker server for WebBlocker requests from the Firebox to be processed Downloading the database using WebBlocker Utility After you i...

Page 277: ... icon Because WebBlocker relies on copying updated versions of the WebBlocker database to the event processor you must configure the WatchGuard service setting Allow Outgoing to Any It is possible to narrow this setting and use the IP address of webblocker watchguard com However this address may change without notice Add an HTTP service To use WebBlocker add the Proxied HTTP Proxy or HTTP service ...

Page 278: ...ature of several services includ ing HTTP Proxied HTTP and Proxy When WebBlocker is installed five tabs appear in the service s Properties dialog box WebBlocker Controls WB Schedule WB Operational Privileges WB Non operational Privileges WB Exceptions Activating WebBlocker To start using WebBlocker you must activate the feature From Policy Manager 1 Double click the service icon you are using for ...

Page 279: ... server bypass By default if the WebBlocker server does not respond HTTP traffic Outbound is denied To change this such that all outbound HTTP traffic is allowed if a WebBlocker server is not recognized on the WebBlocker Controls tab select Allow WebBlocker Server Bypass The Allow WebBlocker Server Bypass option is global If you set it in one HTTP service it applies to all other HTTP proxy service...

Page 280: ...tegory Request for URL u denied by WebBlocker s blocked for r With this entry in the Message for blocked user field the following string might appear in a user s browser Request for URL www badsite com denied by WebBlocker host blocked for violence profanity Scheduling operational and non operational hours WebBlocker provides two separately configurable time blocks operational hours and non operat...

Page 281: ...ou have set a Firebox time zone For information on setting the Firebox time zone see Setting the Time Zone on page 55 Setting privileges WebBlocker differentiates URLs based on their content Select the types of content accessible during operational and non operational hours using the Privileges tabs The options are identical for Operational and Non operational From the proxy s dialog box 1 Click t...

Page 282: ...redspace com dave because Dave s site con tains nude pictures you would enter dave to block that directory of sharedspace com This would still allow users to have access to www sharedspace com julia which contains a helpful article on increasing productivity If you wanted to block any sexually explicit content that might be on sharedspace com you might enter sex to block a Web page such as www sha...

Page 283: ...ecific port or directory pattern enter the port or string to be allowed When typing IP addresses type the digits and periods in sequence Do not use the TAB or arrow key to jump past the periods For more information on entering IP addresses see Entering IP addresses on page 43 5 In the Denied Exceptions section click Add Specify the host address network address or URL to be denied To block a specif...

Page 284: ... WebBlocker Servers box as shown in Activating WebBlocker on page 256 To add additional WebBlocker servers 1 On the WebBlocker Controls tab in the HTTP Proxy dialog box click Add 2 In the dialog box that appears type the IP address of the server in the Value field Click OK You can use the Up and Down buttons to change the posi tion of the servers in the list When operating two or more WebBlocker s...

Page 285: ...h you can do it less often if you have bandwidth concerns Click Next 7 Enter a start time for the process Because these downloads are close to 60 megabytes choose a time outside normal work hours 8 Select the frequency you want for this task WatchGuard recommends you perform updates on weekdays because the database is not updated on weekends 9 Select a suitable start date Click Next 10 Enter the u...

Page 286: ... select Task Scheduler If you re using Internet Explorer 5 0 or later select Offline Browsing Pack If the message cannot find Windows Update Files on this computer appears open Internet Explorer go to the Tools menu and select Windows Update This takes you to the Microsoft Web site where you can download and install the appropriate software After installation Scheduled Tasks appears under My Compu...

Page 287: ...ly configuring a Firebox when access through the Ethernet interfaces is unavailable Connecting a Firebox with OOB Management To connect to the Firebox using OOB management you must Connect the management station to a modem Connect a modem between the serial port on the management station and an analog telephone line Connect the Firebox modem Connect an external or PCMCIA also known as PC card mode...

Page 288: ...ent station for OOB Install the Microsoft Remote Access Server RAS on the management station 1 Attach a modem to your computer according to the manufacturer s instructions 2 From the Windows NT Desktop select Start Settings Control Panel 3 Double click Network 4 Click Add The Select Network Service dialog box appears 5 Click Remote Access Server Click OK Follow the rest of the prompts to complete ...

Page 289: ...on 1 From the Desktop click My Network Places Network and Dial up Connections Make New Connection The Network Connection wizard appears 2 Click Next Select Dial up to Private Network Click Next 3 Enter the telephone number of the line connected to the modem in the Firebox Click Next 4 Choose the proper designation for your connection Click Next 5 Enter a name for your connection This can be anythi...

Page 290: ...e and model of the Firebox modem and the modem speed 5 Click Finish to complete the modem installation Configure the dial up connection 1 Click Start Control Panel Click Network Connections Click New Connection Wizard The New Connection Wizard appears 2 Click Next Select Connect to the network at my workplace Click Next 3 Click Dialup connection Click Next 4 Enter a name for your connection This c...

Page 291: ... to your security policy preferences Click OK For a description of each control right click it and then select What s This You can also refer to the Field Definitions chapter in the Reference Guide Establishing an OOB Connection From the management station command your dial up net working software to call the Firebox modem After the modems connect the Firebox negotiates a PPP connection with the c...

Page 292: ...cify a username or password leave these fields blank OOB time out disconnects The Firebox starts the PPP session and waits for a valid connection from Policy Manager on your management sta tion If none is received within the default period of 90 sec onds the Firebox terminates the PPP session ...

Page 293: ...that file If you have not yet created a configuration file use the QuickSetup Wizard to create one as described in Chapter 3 Getting Started Loss of connection to the Firebox can occur because you lost or forgot your passphrases you received a new Firebox as a replacement unit or other reasons But regardless of the reason you lost connectivity you can use any of these methods to reconnect to your ...

Page 294: ...n off the Firebox 4 Make sure the management station has a static IP address If it doesn t change the TCP IP settings to a static IP address The computer designated as the management station should be on the same network as the configuration file preferably the trusted network so you do not need to reassign an IP address to your computer after the configuration file has been uploaded The following...

Page 295: ...ted for the IP address of the Firebox and the Firebox configuration passphrase Use the address you used to ping the Firebox and wg for the passphrase 10 When the Firebox Flash Disk dialog box appears as shown in the following figure select the button marked Save Configuration File and New Flash Image Make sure the checkbox marked Make Backup of current flash image before saving is not selected Aft...

Page 296: ... as the configuration file preferably the Trusted network so you do not need to reassign an IP address to your computer after the configuration file has been uploaded The following is an example of a typical IP address scheme Management station 192 168 0 5 Subnet mask 255 255 255 0 Default gateway 192 168 0 1 Trusted interface 192 168 0 1 from the configuration file 2 Connect the blue serial cable...

Page 297: ... Open a DOS prompt and ping the IP address that you used for the temporary IP Replies should follow which means the Firebox is now ready for uploading a configuration 10 In Policy Manager select File Open Configuration File Select the configuration file you want to load onto the Firebox and load it into Policy Manager 11 In Policy Manager select File Save To Firebox You are then prompted for the I...

Page 298: ...efault The subnet is 255 255 255 0 It is recommended that you give your computer s default gateway an IP address of 192 168 253 1 1 Disconnect the Firebox from the network 2 Start with the Firebox turned off Hold down the Reset button on the back of the Firebox and turn on the Firebox power switch Do not let go of the Reset button until you see this light sequence on the front of the Firebox Exter...

Page 299: ... Firebox After the configuration has been uploaded and the Firebox has been rebooted the Firebox light sequence should now look like this Armed light steady Sys A light steady Method 4 Serial Dongle Firebox II only This option requires you to use a serial cable and a cross over cable As with the previous procedures you must dis connect your management station and Firebox from the network Make sure...

Page 300: ... File Open Configuration File Select the configuration file you want to load onto the Firebox and load it into Policy Manager 6 In Policy Manager select File Save To Firebox When you are prompted for an IP address use 192 168 253 1 with wg as the passphrase 7 When the Firebox Flash Disk dialog box appears select the button marked Save Configuration File and New Flash Image 8 After the file has bee...

Page 301: ...nal 163 trusted 163 Aliases dialog box 163 anonymous FTP 115 Any service precedence 130 ARP cache flushing 83 ARP table viewing 95 attacks spoofing See spoofing attacks attacks types of 177 AUTH types for ESMTP 139 authentication CRYPTOCard server 173 defining groups for 167 described 161 165 for VPNs viewing 79 from External interface 165 from outside Firebox 165 Java applet for 165 specifying se...

Page 302: ... and time of 77 viewing status of 77 CHAP authentication 172 configuration file and Policy Manager 49 basic 40 customizing 44 opening 49 opening from Firebox 50 opening from local drive 50 rebooting Firebox after saving 51 saving 51 saving to Firebox 51 saving to local drive 53 starting new 58 configuration modes choosing 32 41 setting using Policy Manager 58 Connect to Firebox dialog box 74 84 co...

Page 303: ...Configuration 59 64 New Firebox Configuration 51 54 New Service 120 Outgoing SMTP Proxy 147 PAD Rules for DNS Proxy 157 PAD Rules for FTP Proxy 150 PAD Rules for SMTP Proxy 145 Report Properties 238 240 service Properties 117 120 124 193 Services 118 120 Set Log Encryption Key 231 Setup Firebox User 169 170 Setup Routes 70 SMTP Properties 145 SMTP Proxy Properties 138 140 Time Filters 238 WebBlock...

Page 304: ...sphrases See passphrases Firebox System components of 2 described 1 hardware requirements 4 introduction 2 requirements 3 software requirements 3 Web browser requirements 4 Firebox System applications launching 85 Firebox System Manager See System Manager Fireboxes and IDS applications 194 as certificate authority 127 cables included with 24 changing interface IP address 60 changing polling rate 8...

Page 305: ... starting new reports 236 time spans for 238 time zone 55 Historical Reports See also reports Host Alias dialog box 164 host aliases 162 163 host routes configuring 71 hosts viewing blocked 90 viewing in HostWatch 99 hosts log See log hosts HostWatch choosing colors for display 100 connecting to a Firebox 98 described 2 86 97 display 98 modifying view properties 100 opening 86 replaying a log file...

Page 306: ...setting 211 231 log files consolidating 229 copying 229 copying entries 224 copying log entries 225 default location of 222 described 221 displaying and hiding fields 225 exporting records 225 forcing rollover 230 names of 222 opening 222 packet event fields 227 replaying in HostWatch 99 saving to a new location 230 searching 223 searching by field 223 searing by keyphrase 223 sending to another o...

Page 307: ...3 setting preferences 223 starting 222 time zone 55 viewing files with 222 working with log files 228 M MAC address of interfaces viewing 77 mail servers protecting against relaying 143 main menu button 75 83 84 Make Backup of Current Flash Image checkbox 52 management station connecting with out of band 269 described 36 48 enabling for out of band 266 setting up 36 man in the middle attacks 183 m...

Page 308: ...s secondary See secondary networks New Firebox Configuration dialog box 51 54 New Service dialog box 120 notation slash 43 notification blocked port activity 192 bringing up popup window as 129 described 199 developing policies for 200 201 example policy 202 for blocked ports 192 for blocked sites 188 running custom program as 130 sending email as 129 setting launch interval 217 setting repeat cou...

Page 309: ... 85 opening 85 opening a configuration file 49 Services Arena 85 services displayed in 116 using to create configuration file 57 polling rate changing 84 POP and security policy 115 popup window as notification 129 216 port space probes and default packet handling 194 blocking 180 ports 0 190 1 190 1000 1999 191 111 190 137 through 139 190 2000 190 213 190 513 190 514 190 viewing in HostWatch 99 p...

Page 310: ... host summary 247 248 HTTP detail 248 HTTP summary 248 251 key issues 235 location of 241 network statistics 250 proxy summary 248 reasons for generating 235 running manually 246 scheduling 245 sections in 239 246 service summary 247 session summary 247 248 setting Firebox names used in 55 241 SMTP summary 249 specifying sections for 239 starting new 236 summary sections 240 time spans for 238 tim...

Page 311: ...27 HTTP 151 icons for 116 Novel IPX over IP 190 OpenWindows 190 overriding NAT setting 107 precedence 130 proxied HTTP 255 Proxy 255 rcp 190 rlogin 190 RPC portmapper 190 rsh 190 setting logging and notification for 218 setting static NAT for 108 viewing number of connections by 88 wg_ 127 X Font service 189 X Window 189 Services Arena described 85 116 displaying detailed view 116 Services dialog ...

Page 312: ...mation 89 viewing bandwidth usage 87 system requirements 3 T TCP IP cabling for 40 TCPmux service 190 Technical Support assisted support 18 described 9 Firebox Installation Services 20 frequently asked questions 9 LiveSecurity Gold Program 19 LiveSecurity Program 18 users forum 14 VPN Installation Services 20 telnet and security policy 115 third party authentication server See authentication or na...

Page 313: ...56 configuring message for 257 creating exceptions for 260 described 253 manually downloading database 264 prerequisites 253 required services 255 scheduling hours 258 setting privileges 259 time zone 55 WebBlocker server and setup program 37 installing 254 installing multiple 262 managing 262 viewing status of 255 WebBlocker Server Bypass 257 WebBlocker utility 254 WebBlocker Utility dialog box 2...

Page 314: ...292 WatchGuard Firebox System wizard cfg 40 WSEP See WatchGuard Security Event Processor X X Font server 189 X Window 189 Z Zip files 154 ...