Watchguard Firebox X15, User Manual

Page 1: ...WatchGuard Firebox X Edge User Guide Firebox X Edge Firmware Version 7 5 All Firebox X Edge Standard and Wireless Models...

Page 2: ...you accept all of the terms contained in this Agreement Please read this Agreement carefully By installing or using the SOFTWARE PRODUCT you agree to be bound by the terms of this Agreement If you do...

Page 3: ...up or archival copy of the SOFTWARE PRODUCT or allow someone else to use such a copy for any purpose other than to replace the original copy in the event it is destroyed or becomes defective C Sublice...

Page 4: ...forth in subdivision c 1 ii of the Rights in Technical Data and Computer Software clause at DFARS 252 227 7013 or in subdivision c 1 and 2 of the Commercial Computer Software Restricted Rights Clause...

Page 5: ...tocol DSL Digital Subscriber Line IP Internet Protocol IPSec Internet Protocol Security ISDN Integrated Services Digital Network ISP Internet Service Provider MAC Media Access Control MUVPN Mobile Use...

Page 6: ...ully upgradeable as an organization grows and to deliver the industry s best combination of security performance intuitive interface and value WatchGuard Intelligent Layered Security architecture prot...

Page 7: ...ation Travels on the Internet 4 IP Addresses 5 Network addressing 5 About DHCP 5 About PPPoE 5 Domain Name Service DNS 6 Services 6 Ports 6 Firewalls 8 Firebox X Edge and Your Network 9 CHAPTER 2 Inst...

Page 8: ...w 32 Firebox System Status Page 32 Network Page 33 Administration Page 34 Firewall Page 35 Logging Page 37 WebBlocker Page 38 VPN Page 38 Wizards Page 39 CHAPTER 4 Configuration and Management Basics...

Page 9: ...k 73 Changing the IP address of the optional network 73 Using DHCP on the optional network 74 Setting optional network DHCP address reservations 75 Configuring the optional network for DHCP relay 76 U...

Page 10: ...03 About Services 103 Incoming and outgoing traffic 104 Traffic through VPN tunnels 104 About This Chapter 104 Configuring Incoming Services 105 Configuring common services for incoming traffic 106 Ab...

Page 11: ...Authentication 137 Setting authentication options for all users 138 Configuring MUVPN client settings 140 Authenticating to the Edge 141 Using Local Firebox Authentication 142 Creating a read only ad...

Page 12: ...ut This Chapter 192 Enabling MUVPN for Edge Users 193 Configuring MUVPN client settings 193 Enabling MUVPN access for a Firebox user account 194 Configuring the Firebox for MUVPN clients using a Pocke...

Page 13: ...PC 214 Troubleshooting Tips 216 APPENDIX A Firebox X Edge Hardware 219 Package Contents and Specifications 219 Hardware Description 221 Front panel 221 Rear view 223 Side panels 223 About IEEE 802 11g...

Page 14: ...xiv WatchGuard Firebox X Edge...

Page 15: ...hapter Network Security While the Internet gives you access to a large quantity of information and business opportunity it also opens your network to attackers A good network security policy helps you...

Page 16: ...net ISPs Internet service providers are companies that give access to the Internet through network connections Bandwidth is the rate at which a network connection can send data for example 3 megabits...

Page 17: ...s the usual language of computers on the Internet A protocol also tells how data is sent through a network The most frequently used protocols are TCP Transmission Control Protocol and UDP User Datagra...

Page 18: ...n use different routes through the Internet When they all get to their destination they are assembled back into a file To make sure that the packets get to the destination address information is added...

Page 19: ...hese addresses do not change automatically and are frequently used for servers Dynamic IP addresses change with time If a dynamic address is not in use it can be automatically assigned to a different...

Page 20: ...ent computer through the net work These services use protocols Frequently used Internet services are World Wide Web access uses Hypertext Transfer Protocol HTTP E mail uses Simple Mail Transfer Protoc...

Page 21: ...col is assigned to port 25 Other programs are assigned port numbers dynamically for each connection The IANA Internet Assigned Numbers Authority keeps a list of well known ports You can see this list...

Page 22: ...are protected We refer to these as trusted computers The figure below shows how a firewall divides the trusted computers from the Internet Firewalls use access policies to identify different types of...

Page 23: ...twork Use the optional network for computers with mixed trust For example customers frequently use the optional network for their remote users or for public servers such as a Web server or e mail serv...

Page 24: ...to a cable modem DSL modem or ISDN router The Web based user interface of the Firebox X Edge lets you man age your network safely You can manage your Edge from different locations and at different ti...

Page 25: ...the HTTP proxy properties of your Web browser Connect the Firebox X Edge to your network Connect your computer to the Edge Use the Quick Setup Wizard to configure the Edge Activate the LiveSecurity Se...

Page 26: ...only Two antennae Wireless models only Installation Requirements The Firebox X Edge installation requirements are A computer with a 10 100BaseT Ethernet network interface card to configure the Firebox...

Page 27: ...ction you can put the Firebox X Edge between your computer and the Internet and use the network configuration from your computer to configure the Edge external interface You can use a static IP addres...

Page 28: ...also assigns a subnet mask also known as the netmask to a computer A subnet mask divides a larger network into smaller net works A subnet mask is a string of bits that mask one section of an IP addres...

Page 29: ...Identifying Your Network Settings User Guide 15 Your TCP IP Properties Table TCP IP Property Value IP Address Subnet Mask Default Gateway DHCP Enabled Yes No DNS Server s Primary Secondary...

Page 30: ...rograms Command Prompt The Command Prompt window appears 2 At the command prompt type ipconfig all and then press Enter 3 Record the values in Your TCP IP Properties Table on page 15 4 Close the windo...

Page 31: ...e on page 15 3 Exit the TCP IP configuration screen Finding PPPoE settings Many ISPs use Point to Point Protocol over Ethernet PPPoE because it is easy to integrate with a dial up infrastructure If yo...

Page 32: ...he Connection Settings button The Connection Settings dialog box appears 5 Make sure the Direct Connection to the Internet option is selected 6 Click OK two times Disable the HTTP proxy in Mozilla 1 O...

Page 33: ...disconnect its power supply 3 Find the Ethernet cable between the modem and your computer Disconnect this cable from your computer and connect it to the Edge external interface labeled WAN 1 4 Find th...

Page 34: ...ce That same computer can then have more than one connection through the Firebox without adding another session Sessions are based on the number of com puters with active connections through the Fireb...

Page 35: ...comes from your DSL modem cable modem or other Internet connection to your computer Connect the Ethernet cable to the WAN port on the Firebox X Edge The Firebox X Edge is connected directly to the mo...

Page 36: ...tion icon The Local Area Connection Status window appears 4 Click the Properties button The Local Area Connection Properties window appears 5 Double click the Internet Protocol TCP IP list item The In...

Page 37: ...ct the Use the following IP address option 7 In the IP address field type an IP address on the same network as the Edge trusted interface We recommend 192 168 111 2 The default trusted interface netwo...

Page 38: ...onfigure the External Interface of your Firebox This screen sets the method your ISP uses to assign your IP address Configure the External Interface for DHCP On this screen type in your DHCP identific...

Page 39: ...izard supplies a link to the WatchGuard web site to register your product After you complete the wizard the Firebox X Edge restarts If you changed the IP address of the trusted interface you must rest...

Page 40: ...on your Firebox X Edge To register find the serial number of your Firebox X Edge The Edge serial number is printed on the bottom of the device Record your serial number in the table below and complete...

Page 41: ...stering and Activating LiveSecurity Service User Guide 27 http www watchguard com upgrade 5 Select your product and follow the instructions for product activation At this time you can configure your E...

Page 42: ...Installing the Firebox X Edge 28 WatchGuard Firebox X Edge...

Page 43: ...etwork statistics and see the current configuration of the Edge Read this chapter to find basic information about the Firebox X Edge configuration pages There are sections in subsequent chapters that...

Page 44: ...and the IP address of the Edge trusted inter face The default URL is https 192 168 111 1 This opens your Firebox system configuration pages You can change the IP address of the trusted network from 19...

Page 45: ...he menu item on the navigation bar For example to see how logging is configured for your Firebox and to see the current event log click Logging Each menu item contains submenus that you use to configu...

Page 46: ...guration page of the Firebox X Edge The center panel of the page shows information about the current settings It also contains the buttons you use to change these settings You can see details about ea...

Page 47: ...dge connects to the Internet and other networks Trusted Configure the Edge trusted network interface or how the Edge gives IP addresses to trusted devices Optional Configure the Edge optional network...

Page 48: ...rebox Users menu contains links to these pages Settings Use this page to set the properties that apply to all Edge users New User From here you can make one or more user profiles and set the network t...

Page 49: ...Use the WSM Access page to enable remote management of the Edge through the WatchGuard Management Server Update Update the Edge firmware Upgrade Activate your Edge upgrade options View Configuration S...

Page 50: ...oming traffic to the trusted or optional networks Outgoing Make one or more security services for outgoing traffic to the external network Optional Make one or more security services for outgoing traf...

Page 51: ...set your system time to the same value as your local computer For more information see Chapter 8 Configuring Logging and System Time The Logging menu contains links to these pages WatchGuard Logging C...

Page 52: ...pages Settings Configure the WebBlocker settings for all users Profiles Create sets of restrictions and apply them to groups of Edge users Allowed Sites Make a list of Web sites that you can browse to...

Page 53: ...Manual VPNs Make a VPN tunnel to an IPSec compliant device such as a second Firebox X Edge VPN Keep Alive Keep a VPN tunnel open when no regular network traffic goes through it VPN Statistics Show imp...

Page 54: ...information see About custom services for incoming traffic on page 107 Network Interface Wizard Configure the Edge interfaces For more information see Using the Network Setup Wizard on page 59 Wireles...

Page 55: ...ge to factory default settings Restart the Firebox X Edge Set HTTP management preferences Enable remote management on the Firebox X Edge Update the firmware Activate upgrade options Factory Default Se...

Page 56: ...to set the administrator account user name and passphrase After you complete the Quick Setup Wizard you must use the user name and password that you selected to see the configuration pages The Firebo...

Page 57: ...is message if the reset button is stuck in the depressed position Check the reset button restart the Edge and try again 5 Disconnect the power supply 6 Connect the power supply again The Power Indicat...

Page 58: ...05 After HTTPS traffic is allowed you can remotely manage your Firebox X Edge using your browser To do a remote reboot 1 To connect to the System Status page type https in the browser address bar and...

Page 59: ...e System Security page appears 3 Select the Use non secure HTTP instead of secure HTTPS for administrative Web site check box You will see a warning to make sure you change the HTTP server port to its...

Page 60: ...eate managed VPN tunnels between a Firebox X Edge and another WatchGuard Firebox With WatchGuard System Manager 8 0 and above you can create managed VPN tunnels between a Firebox X Edge and another Wa...

Page 61: ...the Firebox X Edge is under centralized management access to the Firebox X Edge configuration pages is set to read only The only exception is access to the WSM Access configuration page If you disabl...

Page 62: ...uration is necessary for this to occur 9 Type the Client Name to give your Firebox X Edge This is the name used to identify the Edge in the Management Server 10 Type the Shared Key The shared key is u...

Page 63: ...and 8 1 do not support centralized Edge management 6 Type a status passphrase for your Firebox X Edge and then type it again to confirm in the correct fields 7 Type a configuration passphrase for your...

Page 64: ...erver 10 Type the Shared Key The shared key is used to encrypt the connection between the Management Server and the Firebox X Edge This shared key must be the same on the Edge and the Management Serve...

Page 65: ...VPN Manager 7 2 or below click the VPN Manager 7 2 or below check box 6 Click the Enable VPN Manager Access check box to allow VPN Manager to connect to the Firebox X Edge Type and confirm the status...

Page 66: ...Firebox X Edge you must have a current LiveSecurity subscription See the WatchGuard web site regularly for Firebox X Edge updates https www watchguard com archive softwarecenter asp select Firebox X E...

Page 67: ...es This method can be used with Windows or other operating systems You must first download the Software Update file which is a small Zip file 1 Extract the wgrd file from the Zip file you downloaded w...

Page 68: ...Service on page 26 for more information After you have purchased an upgrade option you are given a license key You use the license key to get the feature key for the upgrade Use these steps to activat...

Page 69: ...Activating Upgrade Options User Guide 55 7 From the navigation bar select Administration Upgrade The Upgrade page appears 8 Paste the feature key in the correct field 9 Click Submit...

Page 70: ...ring WebBlocker WAN Failover The WAN failover feature adds redundant support for the external interface For more information see Enabling the WAN Failover Option on page 83 Enabling the Model Upgrade...

Page 71: ...uration file in text format from the View Configuration page 1 To connect to the System Status page type https in the browser address bar and the IP address of the Edge trusted interface The default U...

Page 72: ...Configuration and Management Basics 58 WatchGuard Firebox X Edge...

Page 73: ...ration after you run the Quick Setup Wizard You can also set up the optional interface Many customers use the optional network for public servers An example of a public server is a Web server Using th...

Page 74: ...nterface with a static IP address If your ISP uses static IP addresses type the static IP address information your ISP gave you For more information see If your ISP uses static IP addresses on page 62...

Page 75: ...information from your ISP or corporate network administrator If your ISP uses DHCP The default configuration sets the Firebox X Edge to get its external address information through DHCP If your ISP us...

Page 76: ...n into your Edge before it can send traffic through the exter nal interface To set your Edge to use a static IP address for the external interface 1 Use your browser to connect to the System Status pa...

Page 77: ...type the information from the table 4 Click Submit If your ISP uses PPPoE If your ISP uses PPPoE you must enter the PPPoE information into your Firebox before it can send traffic through the external...

Page 78: ...Most ISPs using PPPoE make you use the domain name and your user name Do not include the domain name with your user name like this myname ispdomain net If you have a PPPoE name with this format type...

Page 79: ...concentrator you identify in this field This option is not usually used Use it only if you know there is more than one access concentrator If you enter a Service Name and Access Concentrator Name you...

Page 80: ...will reply to subsequent LCP echo requests In most cases the default setting of three is the best Reconnect lost PPPoE link This setting controls how and when the Edge tries to restart a PPPoE connec...

Page 81: ...rk Any changes to the trusted network configuration page require that you click Submit and then restart the Firebox before the new con figuration starts You can make many changes at one time and then...

Page 82: ...the navigation bar select Network Trusted The Trusted Network Configuration page appears 3 Type the new IP address of the Firebox X Edge s trusted interface in the IP Address text field 4 If necessary...

Page 83: ...e IP addresses can be from 192 168 200 2 to 192 168 200 254 4 If you have a WINS or DNS server type the WINS Server Address DNS Server Primary Address DNS Server Secondary Address and DNS Domain Suffi...

Page 84: ...ress as 12 hexadecimal digits with no space dash or semicolon characters Click Add 5 Click Submit Configuring the trusted network for DHCP relay One method to get IP addresses for the computers on the...

Page 85: ...o not have a DHCP server on your network you must manually configure the IP address and subnet mask of each computer For example this is necessary when a client server software application must use a...

Page 86: ...optional network is usually not allowed to the trusted network you can use the optional net work for servers that other computers can connect to from the Internet such as a web e mail or FTP server We...

Page 87: ...URL is https 192 168 111 1 2 From the navigation bar select Network Optional The Optional Network Configuration page appears 3 Select the Enable Optional Network check box Changing the IP address of t...

Page 88: ...68 111 1 2 From the navigation bar select Network Optional The Optional Network Configuration page appears 3 Type the first address of the new network address range in the IP Address text field 4 If n...

Page 89: ...the optional IP address For example if your optional IP address is 192 168 112 1 the IP addresses can be from 192 168 112 2 to 192 168 112 254 4 If you have a WINS or DNS server type the WINS Server...

Page 90: ...rk in the MAC Address field You must enter the MAC address as 12 hexadecimal digits with no space dash or semicolon characters Click Add 5 Click Submit Configuring the optional network for DHCP relay...

Page 91: ...HCP server and you do not have a DHCP server on your optional network you must manu ally configure the IP address and subnet mask of each computer You can also configure specified devices with a stati...

Page 92: ...ting Your Computer to Connect to the Edge on page 22 3 Connect each computer to the network Use the procedure Connecting the Edge to more than seven devices on page 20 4 Restart each computer Making S...

Page 93: ...sh notation also known as CIDR or Classless Inter Domain Routing notation Do not type a slash for a host IP address For more information on how to enter IP addresses in slash notation refer to this FA...

Page 94: ...tem Status page type https in the browser address bar followed by the IP address of the Edge trusted interface The default URL is https 192 168 111 1 2 From the navigation bar select Network Network S...

Page 95: ...sogen_main asp How do I set up Dynamic DNS http watchguard com support AdvancedFaqs sogen_setupdyndns asp You must log into your LiveSecurity Service account to see the FAQ NOTE NOTE WatchGuard is not...

Page 96: ...ption custom sends updates for a Custom DNS host name For an explanation of each option see http www dyndns org services 6 In the Options field you can type these options mx mailexchanger backmx YES N...

Page 97: ...f the link between the external interface and the device it is connected to usually a router A ping command to a specified location The Firebox sends a ping to the default gateway or a computer specif...

Page 98: ...the automatic WAN failover capability of your Firebox Edge click Go 3 Follow the instructions on the screens The WAN Failover Setup Wizard includes these steps Welcome The first screen tells you abou...

Page 99: ...onds between pings and the number of seconds to wait for a reply in the correct fields 6 Type the maximum number of pings before time out in the No Reply Limit field 7 Type the number of successful pi...

Page 100: ...1 Type the IP address subnet mask default gateway primary DNS secondary DNS and DNS domain suffix into the related fields If necessary select the appropriate link speed from the drop down list If you...

Page 101: ...elect Modem serial port 2 Below Dial Up Account Settings use the drop down list to select your ISP We support these ISPs Standard PPP AT T Worldnet CompuServe 4 0 EarthLink and MSN 3 Type the telephon...

Page 102: ...NS server type type its IP address in the Secondary DNS server field 3 Click Submit or select a different tab to change more settings Dial up settings 1 In the Dial up time out field enter the number...

Page 103: ...ault the wireless features of your Firebox are disabled for more security You must enable the wireless feature after you complete the Firebox X Edge Wireless Quick Setup wizard To install the Firebox...

Page 104: ...less also uses switch functionality to connect other computers To set up a wireless network connect a computer with a Web browser to the Firebox X Edge Wireless with an Ethernet cable Use this comput...

Page 105: ...dress bar and the IP address of the Edge trusted interface The default URL is https 192 168 111 1 2 From the navigation bar select Network Wireless 802 11g The Wireless Configuration page appears with...

Page 106: ...ot enabled by default If the wireless client has its wireless network card set with a static IP address the IP address must be in the optional IP address range of the Edge If the wireless network card...

Page 107: ...etwork cards send requests to see if there are wireless access points to which they can connect To configure the Firebox X Edge Wireless to send and answer these requests select the Broadcast SSID and...

Page 108: ...entation threshold The Edge Wireless allows you to set the maximum frame size it can send without fragmenting the frame This is called the fragmenta tion threshold This setting is rarely changed It is...

Page 109: ...o additional driver installation If you use an earlier version of Windows or a different operating system it can be necessary to install other drivers to use WPA PSK If you cannot use WPA PSK WatchGua...

Page 110: ...e shared key is the only WPA authentication method the Firebox X Edge supports at this time Configuring encryption From the Encryption drop down list select the level of encryption for your wireless c...

Page 111: ...authenticate as MUVPN clients 1 To connect to the System Status page type https in the browser address bar and the IP address of the Edge trusted interface The default URL is https 192 168 111 1 2 Fro...

Page 112: ...1 1 2 From the navigation bar select Network Wireless 802 11g and click the Allowed Addresses tab 3 Select the Restrict Access by Hardware Address check box 4 Click Edit 5 Type the MAC address of the...

Page 113: ...e wireless interface Guest users can connect to all regular Firebox user computers on the wireless network and Firebox users can connect to all guest user computers If you host wireless access for peo...

Page 114: ...the guest account Setting password protection When a guest user connects to the wireless network using the Fire box X Edge Wireless as the wireless access point you can make the user type a password...

Page 115: ...es Connecting to the Firebox as a wireless guest To log on as a wireless guest user a user must open their Web browser and do one of these procedures Type https in their browser address bar and the IP...

Page 116: ...wn lists If necessary clear the check box labeled The key is provided for me automatically and type the network key two times 7 Click OK to close the Wireless Network Properties dialog box 8 Click the...

Page 117: ...l traffic These rules set the firewall actions for a service Allow lets data or a connection through the Firebox Deny stops data or a connection from going through the Firebox and sends a response to...

Page 118: ...m the optional network to the trusted network From the external network to the optional network Traffic through VPN tunnels When you create a Mobile User VPN tunnel from remote users or when you creat...

Page 119: ...into your trusted or optional network You can also create custom services if you must allow traffic that is not in the list of frequently used ser vices You must be careful when you allow incoming se...

Page 120: ...of this FAQ www watchguard com support Tutorials stepsoho_blockoutservice asp 1 To connect to the System Status page type https in the browser address bar and the IP address of the Edge trusted interf...

Page 121: ...for incoming traffic is necessary if Incoming traffic does not use the same ports or protocols used by one of the common services You restrict the IP addresses on the external network that can connec...

Page 122: ...which this service applies Restrict to local computers To put a limit on the scope of the service add the IP addresses of the computers or networks inside the firewall to which this service applies A...

Page 123: ...TCP or UDP port number TCP is IP protocol number 6 and UDP is IP protocol number 17 If you use an IP protocol that is not TCP or UDP you must enter its number IP protocols numbers include 47 for GRE G...

Page 124: ...on entering IP addresses in slash notation see this FAQ http www watchguard com support advancedfaqs general_slash asp 5 Click Add The From box shows the host range host IP address or network IP addr...

Page 125: ...IP addresses that identify the computers on the external network that internal computers can connect to using this service Network IP addresses must be entered in slash notation also known as Classle...

Page 126: ...https in the browser address bar and the IP address of the Edge trusted interface The default URL is https 192 168 111 1 2 From the navigation bar select Firewall Outgoing The Filter Outgoing Traffic...

Page 127: ...om services for outgoing traffic A custom service for outgoing traffic is necessary if You must allow outgoing traffic for a service that is not on the common service list You must restrict the IP add...

Page 128: ...ide the firewall to which this service applies Restrict to local computers To put a limit on the scope of the service add the IP addresses of the computers or networks inside the firewall to which thi...

Page 129: ...P port number TCP is IP protocol number 6 and UDP is IP protocol number 17 If you use an IP protocol that is not TCP or UDP you must enter its number IP protocols numbers include 47 for GRE Generic Ro...

Page 130: ...xamples of how you can use the optional network You can use the optional network for servers that the external network can get to This helps to protect the trusted network because no traffic is allowe...

Page 131: ...on bar click Firewall Optional The Filter Outgoing Traffic to Optional Network page appears 3 To allow all traffic from the trusted network select Allow for the Outgoing service from the Filter drop d...

Page 132: ...w all traffic between the trusted and optional networks Select the Disable traffic filters check box to allow all incoming and outgoing traffic between the trusted and optional interfaces NOTE NOTE Wh...

Page 133: ...ess range Use the IP address of the attacker or a range of hostile IP addresses to create a Blocked Site To add a location to the Blocked Sites list 1 From the navigation bar click Firewall Blocked Si...

Page 134: ...ss bar and the IP address of the Edge trusted interface The default URL is https 192 168 111 1 2 From the navigation bar click Firewall Options The Firewall Options page appears Responding to ping req...

Page 135: ...socket connection and uses the SOCKS version 5 protocol can send traffic through the Edge SOCKS gives you secure two way communication between a computer on the external network and a computer on the...

Page 136: ...open and not used by other software on the computer 1 If you can identify a version select SOCKS version 5 2 Select port 1080 3 Set the SOCKS proxy to the URL uniform resource locator or IP address of...

Page 137: ...dress of the external interface Some ISPs use a MAC address to identify the computers on their network Each MAC address gets one static IP address If your ISP uses this method to identify your compute...

Page 138: ...text box type the new MAC address for the Firebox X Edge external or failover network 3 Click Submit If the changes are successful you must restart the Firebox NOTE NOTE If the field marked MAC addre...

Page 139: ...ous net work activity Log records can help you identify possible security prob lems NOTE The Firebox X Edge log is cleared if the power supply is disconnected or the Edge is restarted To keep the info...

Page 140: ...tchGuard Log Server previously known as the WatchGuard System Event Processor or WSEP is a component of the Watch Guard System Manager If you have a Firebox III Firebox X Core or Firebox X Peak config...

Page 141: ...ing check box 4 In the Device Name field type a name for the Firebox X Edge This name lets the Log Server know which log messages come from which device The Device Name appears in the Log Viewer If th...

Page 142: ...nds the Firebox X Edge log messages to a syslog host If you use a syslog host you can set the Edge to send log messages to that host Follow these instructions to configure a syslog host 1 To connect t...

Page 143: ...rusted network Use a VPN tunnel to increase the security of syslog message traffic If the syslog messages go through a VPN tunnel IPSec technology encrypts the data Setting the System Time For each lo...

Page 144: ...r daylight savings time check box 4 To set the system time automatically select the Use NTP to periodically automatically set system time option To set the time manually select the Set date and time m...

Page 145: ...o save your changes skip to step 8 6 If you set the system time manually you must set the date and time separately Select the month from the first drop down list Select the year from the second drop d...

Page 146: ...Configuring Logging and System Time 132 WatchGuard Firebox X Edge...

Page 147: ...igure local Firebox authentication Configure the Firebox to use LDAP or Active Directory authentication Allow internal hosts to bypass user authentication Seeing Current Sessions and Users A session i...

Page 148: ...gs Below Firebox Users Settings you can see the current values for all global user and session settings To get access to the configuration page for these settings click the Configure button to open th...

Page 149: ...interface The default URL is https 192 168 111 1 2 From the navigation bar select Firebox Users The Firebox Users page appears 3 Find the session in Active Sessions list Click the Close button To sto...

Page 150: ...information on the users you configured to use this Edge Name The name given to the user The Admin user is part of the default configuration and cannot be deleted Admin Level You can set the user per...

Page 151: ...ake connections from the trusted network to the optional network If you make users authenticate before they connect to the external network you can make sure that no user licenses are used by unau tho...

Page 152: ...he configuration file Full Use this to see and to change Edge configuration properties You can also activate options disconnect active sessions restart the Edge and add or edit user accounts A user wh...

Page 153: ...work If you do not select this check box there is no user based control for access to the Internet or VPN tunnels Automatically prompt for login on Web access When this option is selected the authenti...

Page 154: ...session has been active Configuring MUVPN client settings The MUVPN client settings apply to all MUVPN connections to the Edge To configure MUVPN client settings 1 Use your browser to connect to the S...

Page 155: ...at support Java script but we do not support them 2 To connect to the System Status page type https in the browser address bar and the IP address of the Edge trusted interface The default URL is https...

Page 156: ...sers page Using Local Firebox Authentication When you create a local user for the Firebox X Edge you select the Administrative Access level for that user You select access control for the external net...

Page 157: ...he Description field type a description for the user This is for your information only A user does not use this description during authentication 7 In the Password field type a password with a minimum...

Page 158: ...he Session idle time out field set the length of time the computer can stay authenticated when it is idle not passing any traffic to the external network or across the Branch Office VPN or to the Fire...

Page 159: ...o enable MUVPN for a new user see Connecting and Disconnect ing the MUVPN Client on page 207 The Administrator account The Firebox X Edge has a built in administrator account that cannot be deleted Yo...

Page 160: ...e default URL is https 192 168 111 1 2 From the navigation bar select Firebox Users The Firebox Users page appears 3 Below Local User Accounts click Edit for the account to change the password for The...

Page 161: ...file When users authenticate to the Firebox they prepend their LDAP domain name to their user name in the authentication dialog box domain user name If you use an Active Directory authentication serve...

Page 162: ...he LDAP Authentication Service section is not active 4 In the Domain Name text box type the name of the LDAP domain Do not include the top level domain The domain or host name is the part of your comp...

Page 163: ...the directory For example a DN can look like this OU user accounts DC mycompany DC com 10 If you select Generic LDAP as the LDAP server type you must enter a Login Attribute Name and Group Attribute...

Page 164: ...does not belong to any group configured on the Edge You can change the properties of the default group but you cannot delete the default group If a user belongs to more than one group the privileges f...

Page 165: ...inistrative access to assign to the group You can select None The members of the group have no access to Firebox X Edge administration functions Read only The members of this group can see but not cha...

Page 166: ...d select a profile from the drop down list You must first create WebBlocker profiles in the WebBlocker Profiles area of the Edge s configuration pages If no profile is assigned the users in this group...

Page 167: ...gation bar select Firebox Users Trusted Hosts The Firebox Users Trusted Hosts page appears 2 In the Host IP Address text box type the IP address of the computer on your trusted or optional network to...

Page 168: ...Managing Users and Groups 154 WatchGuard Firebox X Edge...

Page 169: ...eature How WebBlocker Works WebBlocker uses a database of web site addresses controlled by SurfControl a web filter company When a user on your network tries to connect to a web site the Fire box X Ed...

Page 170: ...cess password Set the inactivity time out Set a rule for the Firebox action if the Firebox X Edge cannot connect to the WebBlocker server Set a rule for the Firebox action if the WebBlocker license ex...

Page 171: ...word in the Full Access Password field The full access password gives access to all web sites until the inactivity timeout is reached or until an authenticated user logs out 5 Type the same password a...

Page 172: ...s drop down list to select if the Firebox is to allow or deny all web traffic if the WebBlocker subscription expires If the WebBlocker subscription is renewed the Firebox will keep the previous config...

Page 173: ...han for other employees It is not necessary to create WebBlocker profiles if you use one set of WebBlocker rules for all of your users After you create profiles you can apply them when you set up Fire...

Page 174: ...ategory name For more information on categories see the next section If you select the check box adjacent to a category group it automatically selects all of the categories in that group If you clear...

Page 175: ...is added to a category when the contents of the web site meet the correct criteria Web sites that give opinion or educational material about the subject matter of the category are not included For exa...

Page 176: ...re sexually explicit in nature Naturist sites that feature nudity Erotic or fetish photography which depicts nudity Advertise ments Banner Ad servers Pop up advertisements Adware Arts Entertain ment T...

Page 177: ...lagiarism and cheating including the sale of research papers Drugs Alcohol Tobacco Recipes instructions or kits for manufacturing or growing illicit substances including alcohol for purposes other tha...

Page 178: ...ants cafes eateries pubs and bars Food drink magazines and reviews Gambling Online gambling or lottery web sites that invite the use of real money Information or advice for placing wagers participatin...

Page 179: ...of equipment and or software for purpose of hacking passwords creating viruses or gaining access to other computers and or computerized communication systems Sites that provide instruction or work aro...

Page 180: ...ommission of felonious criminal acts which has a common name or identifying sign or symbol and whose members individually or collectively engage in criminal activity in the name of the group A cult is...

Page 181: ...h Career Develop ment Employment agencies contractors job listings career information Career searches career networking groups Kids Sites Child centered sites and sites published by children Lifestyle...

Page 182: ...ynagogues and other houses of worship Any faith or religious beliefs including non traditional religions such a Wicca and witchcraft Remote Proxies Remote proxies or anonymous surfing Web based transl...

Page 183: ...ional scores and schedules Sports related online magazines or newsletters Fantasy sports and virtual sports leagues that are free or low cost Streaming Media Streaming media files or events any live o...

Page 184: ...fensive or violent language including through jokes comics or satire Excessive use of profanity or obscene gesticulation Note We do not block news historical or press incidents that may include the ab...

Page 185: ...er feature only applies to web sites on the Internet You cannot use WebBlocker to block your users from web sites behind the Firebox 1 From the navigation bar select WebBlocker Allowed Sites The WebBl...

Page 186: ...tes list 5 Click Submit To remove an item from the Allowed Sites list select the address and click Remove then click Submit Blocking Additional Web Sites You can block some web sites that WebBlocker a...

Page 187: ...cess to the Playboy web site select to add a domain name and enter playboy com If the site has a subdomain that resolves to a different IP address you must enter that subdomain to deny it For example...

Page 188: ...r select Firebox Users Trusted Hosts The Firebox Users Trusted Hosts page appears 2 In the Host IP Address text box type the IP address of the computer on your trusted or optional network to allow to...

Page 189: ...of the message can read it About This Chapter This chapter starts with a section that tells you the basic requirements for your Firebox X Edge to create a VPN Start with What You Need to Create a VPN...

Page 190: ...and a second device that uses IPSec standards Examples of these devices are a Firebox III Firebox X Core Firebox X Peak or a Firebox SOHO 6 You must enable the VPN option on the other device if it is...

Page 191: ...esses from the Edge using DHCP If you want to give the computers IP addresses of WINS and DNS servers on the other side of the VPN you can type those addresses into the DHCP settings in the trusted ne...

Page 192: ...from the Management Server To configure a Firebox X Edge to allow WatchGuard System Man ager access for the creation of VPN tunnels see Setting up Watch Guard System Manager Access on page 46 Manual V...

Page 193: ...ch end of the tunnel MD5 or SHA1 Each VPN device must use the same authentication method We recommend that you write down your Firebox X Edge configura tion and the related information for the other d...

Page 194: ...ses in slash notation see this FAQ https www watchguard com support advancedfaqs general_slash asp You Site A 192 168 111 0 24 Site B 192 168 222 0 24 Shared Key The shared key is a passphrase used by...

Page 195: ...e Add Gateway page appears 4 Type the tunnel name and shared key The tunnel name is for your identification only The shared key is a passphrase that the devices use to encrypt and decrypt the data on...

Page 196: ...f your Firebox X Edge or remote VPN device has a static external IP address set the local ID type to IP Address Type the external IP address of the Edge or device as the local ID If your Firebox X Edg...

Page 197: ...at regular intervals This helps the two devices to see if the tunnel is up If the Keep Alive packets get no response after three tries the Firebox X Edge starts the tunnel again NOTE NOTE The IKE Keep...

Page 198: ...Dynamic DNS Service on page 81 In the Phase 1 settings of the Manual VPN set the local ID type to Domain Name Enter the DynDNS domain name as the Local ID The remote device must identify your Edge by...

Page 199: ...urces 4 Type the number of kilobytes and the number of hours until the Phase 2 key expires To make the key not expire enter zero 0 For example 24 hours and zero 0 kilobytes means that the Phase 2 key...

Page 200: ...o the specified host Use the IP address of a host that is always online and can respond to ping messages You can enter the trusted interface IP address of the Firebox that is at the other end of the t...

Page 201: ...ics page To see the VPN Statistics page 1 To connect to the System Status page type https in the browser address bar and the IP address of the Edge trusted interface The default URL is https 192 168 1...

Page 202: ...e Firebox X Edge For example at Site A ping the IP address of Site B If the ping packet does not come back make sure the external network settings of Site B are correct Site B must be configured to re...

Page 203: ...Frequently Asked Questions User Guide 189 a Firebox X Edge Model Upgrade from a reseller or from the Watch Guard Web site http www watchguard com products purchaseoptions asp...

Page 204: ...Configuring Virtual Private Networks 190 WatchGuard Firebox X Edge...

Page 205: ...used The MUVPN client software is installed on a remote computer The remote user imports a configuration file wgx file to configure the client software The user connects to the Internet with the remo...

Page 206: ...this wgx configuration file from the Edge You must also download the MUVPN installation program from the WatchGuard support site Read the section Distributing the Software and the wgx File on page 19...

Page 207: ...nly so that the user cannot change the security policy file by default select the Make the MUVPN client security policy read only check box Set how the virtual adapter operates on the client Disabled...

Page 208: ...ettings see Configuring MUVPN client settings on page 140 Enabling MUVPN access for a Firebox user account 1 Add a new Firebox user or edit a Firebox user as described in Using Local Firebox Authentic...

Page 209: ...will send all its traffic including usual Web traffic through the VPN tunnel to the Firebox X Edge This can also let the MUVPN client connect with other networks that the Firebox X Edge connects to If...

Page 210: ...profile or wgx file Get the MUVPN installation files from the WatchGuard Web site You must log in to the LiveSecurity Service at http www watch guard com support to download the software After you log...

Page 211: ...e mail Because e mail is not secure an unauthorized user can get the shared key Give the user the shared key by telling it to the user or by some other method that does not allow an unauthorized pers...

Page 212: ...virtual adapter the WINS and DNS server IP addresses are assigned to the remote computer when the VPN tunnel is created If the MUVPN client does not use the virtual adapter the remote computer must h...

Page 213: ...ter must be able to contact the WINS servers and the DNS servers These servers are found on the trusted network that is protected by the Firebox X Edge From the Windows desktop 1 Select Start Settings...

Page 214: ...enabled To enable a component click the adjacent check box If a component is not installed follow the instructions to install it Internet Protocol TCP IP File and Printer Sharing for Microsoft Network...

Page 215: ...ndow Networking tab 1 Select the Internet Protocol TCP IP component and click Properties The Internet Protocol TCP IP Properties window appears 2 Click Advanced The Advanced TCP IP Settings window app...

Page 216: ...ol Panel window appears 2 Double click the Network Connections icon 3 Right click the connection you use to get Internet access and select Properties The connection properties window appears 4 Make su...

Page 217: ...network component The Select Network Protocol window appears 3 Select the Client for Microsoft Networks network client and click OK Configuring the WINS and DNS settings The remote computer must be ab...

Page 218: ...r in the related field and click Add To add more WINS servers repeat steps 11 and 12 13 Click OK to close the Advanced TCP IP Settings window Click OK to close the Internet Protocol TCP IP Properties...

Page 219: ...ing the installation The command prompt can stay for more than one minute This is usual After the file is installed the command window closes automatically and the installation continues 11 After the...

Page 220: ...The Confirm File Deletion dialog box appears 8 Click OK to remove all of the components A command prompt window appears during the procedure This is usual After the file is removed the command prompt...

Page 221: ...tive right click the icon and select Activate Security Policy For information about the MUVPN icon see The MUVPN client icon on page 207 2 From the Windows desktop select Start Programs Mobile User VP...

Page 222: ...bar on the right of the icon tells you that the client is sending data that is not secure Activated Connected and Transmitting Secured Data The MUVPN client started one or more secure MUVPN tunnels T...

Page 223: ...t time I use this program check box then click Yes This option makes the ZoneAlarm personal firewall allow Internet access for this program each time you start a MUVPN connection Disconnecting the MUV...

Page 224: ...diagnostic informa tion for connections in the security policy This window shows the security policy settings and the security association SA informa tion The monitor records the information that app...

Page 225: ...oneAlarm you frequently see New Program alert windows This alert appears when a software application tries to get Internet or local network access This alert stops data from your computer without your...

Page 226: ...tart Programs Zone Labs Uninstall ZoneAlarm The Confirm Uninstall dialog box appears 2 Click Yes The ZoneLabs TrueVector service dialog box appears 3 Click Yes The Select Uninstall Method window appea...

Page 227: ...n and instead use weaker Wired Equivalent Privacy WEP to secure the data that goes through the airwaves You can increase the security of your wireless network when you make the wireless computer users...

Page 228: ...tunnel 0 0 0 0 0 IP Subnet in the Firebox user s MUVPN setup 2 To allow a Firebox user to connect to all networks through the VPN tunnel select the check box All traffic uses tunnel 0 0 0 0 0 IP Subn...

Page 229: ...irebox X Edge Certificates are not supported on the Edge NAT Traversal is supported on the Edge You can have to disable NAT Traversal on the Pocket PC because of differences in how this protocol is im...

Page 230: ...VPN setup Troubleshooting Tips You can get more information about the MUVPN client from the WatchGuard Web site http www watchguard com support Here are the answers to some frequently asked questions...

Page 231: ...our computer from sending its network information This prevents your computer from sending the login information Make sure you turn off ZoneAlarm each time you disconnect the MUVPN connection Is the M...

Page 232: ...a password when I am browsing the company network Because of a Windows networking limitation remote user VPN products can allow access only to a single network domain If your company has more than on...

Page 233: ...mall organizations and branch offices The WatchGuard Firebox X Edge Wireless can con nect to computers with a wireless network interface card Package Contents and Specifications The Firebox X Edge pac...

Page 234: ...the cable and connect to the side of the Edge This decreases the tension on the power cable One straight through cable Wall mount plate wireless models only Two antennae wireless models only Processo...

Page 235: ...interface The bottom indicator light in each pair comes on when the link speed is 100 Mbps If the bottom indicator light does not come on the link speed is 10 Mbps WAN 1 2 Shows a physical connection...

Page 236: ...e indicator light does not come on Status Shows a management connection to the Edge The indicator light goes on when you use your browser to connect to the Edge configuration pages The indicator light...

Page 237: ...es are for external networks Power input We supply a 12 volt AC adapter with your Edge Connect the AC adapter to the Edge and to a power source The power supply tip is plus polarity Side panels Comput...

Page 238: ...it is affected by background noise caused by the ambient temperature of the atmosphere at the frequency range of the sys tem Also the operating temperature of the components of the 802 11 g b receiver...

Page 239: ...signal attenuation path loss The distance is the line of sight distance between the transmitter and the receiver The wavelength is the speed of light divided by the frequency Higher frequency signals...

Page 240: ...tomatically selects the antenna that receives the stronger signal Laptop computers usually have one antenna and have signal loss because of antenna position Because of this the Firebox X Edge can rece...

Page 241: ...About IEEE 802 11g b Wireless User Guide 227 cent When a different modulation scheme is selected the data rate changes...

Page 242: ...228 WatchGuard Firebox X Edge...

Page 243: ...registered trademarks of Netscape Communications Corporation in the United States and other countries RealNetworks RealAudio and RealVideo are either a registered trademark or trademark of RealNetwork...

Page 244: ...Young eay cryptsoft com This product includes software written by Tim Hudson tjh cryptsoft com 1995 2003 Eric Young eay cryptsoft com All rights reserved This package is an SSL implementation written...

Page 245: ...and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the followi...

Page 246: ...BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OPENLDAP FOUNDATION ITS CONTRIBUTORS OR THE AUTHOR S OR OWNER S O...

Page 247: ...de reasonable protection against harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy and if not install...

Page 248: ...ay cause undesired operation of the device France NOTE En France ce produit ne peut tre install et op r qu l int rieur et seulement sur les canaux 10 11 12 13 comme d fini par IEEE 802 11g b L utilisa...

Page 249: ...Certifications and Notices User Guide 235 Taiwanese Notices...

Page 250: ...236 WatchGuard Firebox X Edge Declaration of Conformity...

Page 251: ...sible for returning the Product and for all costs of shipping and handling Repair or replacement of the Product shall not extend the Warranty Period Any Product component part or other item replaced b...

Page 252: ...hall be modified or partially enforced to the maximum extent permitted by law to effectuate the purpose of this Warranty This is the entire agreement between WatchGuard and you relating to the Product...

Page 253: ...ernal Network check box 144 Allow access to VPN check box 144 Allowed Sites pages 171 antenna directional gain 225 authentication See user authentication B bandwidth described 2 Blocked Sites page 119...

Page 254: ...ions setting on the optional network 75 setting on the trusted network 69 DHCP Address Reservations page 70 76 DHCP relay configuring the optional network 76 configuring the trusted network 70 DHCP se...

Page 255: ...y default settings described 41 resetting to 42 failover network See WAN failover feature key described 26 File and Printer Sharing for Microsoft Networks and Windows XP 203 File and Printer Sharing f...

Page 256: ...ewall Options page 120 Firewall page described 35 subpages of 36 firewalls described 8 H hardware description 221 223 hardware operating specifications 223 hardware specifications 220 HTTP proxy setti...

Page 257: ...lights on front panel 221 LiveSecurity Service and software updates 52 registering with 26 Local Area Network LAN described 2 Log Authentication Events check box 93 log messages contents of 125 viewi...

Page 258: ...g 206 MUVPN Clients upgrade 56 MUVPNs and wgx files 196 enablng access for users 194 monitoring with Connection Monitor 210 monitoring with Log Viewer 210 system requirements for 197 using on wireless...

Page 259: ...ork Configuration page 73 74 75 77 options model upgrade 56 MUVPN Clients 56 seat license upgrade 56 WAN failover 56 WebBlocker 56 P package contents 11 packets described 4 pages Add Gateway 181 Add R...

Page 260: ...cs 187 WAN Failover 85 WatchGuard Security Event Processor Logging 127 WebBlocker 38 WebBlocker Settings 157 159 Wireless Network Configuration 91 passphrases described 143 146 path loss 225 Perfect F...

Page 261: ...Access Services installing 198 RESET button 222 resetting to factory default 42 Restrict Access by Hardware Address check box 98 routes configuring static 78 viewing 33 Routes page 78 S seat licenses...

Page 262: ...21 described 121 disabling 122 software updates 52 SSID Service Set Identifier 92 static IP addresses and VPNs 187 described 14 obtaining 188 static routes making 78 removing 79 subnet mask 14 SurfCon...

Page 263: ...figuration page 68 69 71 134 U UDP User Datagram Protocol 3 Uniform Resource Locator URL 6 updating software 40 upgrade options activating 54 upgrade options viewing status of 32 Upgrade page 55 user...

Page 264: ...ooting connections 188 viewing statistics 187 what you need to create 176 W wall mounting plate 223 WAN Failover and DNS settings 88 configuring 83 described 56 83 using broadband connection for 85 us...

Page 265: ...ing Internet Protocol TCP IP Network Component on 202 preparing for MUVPN clients 202 WINS and DNS settings configuring 199 201 wireless card configuring 101 wireless communication antenna directional...

Page 266: ...252 WatchGuard Firebox X Edge Z ZoneAlarm allowing traffic through 211 described 191 211 icon for 209 shutting down 212 uninstalling 212...