WatchGuard Firebox System 7.0 User Guide

WatchGuard ®Firebox ® SystemUser GuideWatchGuard Firebox System

4. The names "Apache" and "Apache Software Foundation" must not be usedto endorse or promote products derived from this software without priorwritten permission. For written permission, please contactapache@apache.org.5. Products derived from this software may not be called "Apache", nor may"Apache" appear in their name, without prior written permission of theApache Software Foundation.THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED ORIMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THEIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FORA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALLTHE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BELIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUTNOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ORSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESSINTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OFLIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAYOUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THEPOSSIBILITY OF SUCH DAMAGE.This software consists of voluntary contributions made by many individualson behalf of the Apache Software Foundation. For more information on theApache Software Foundation, please see .Portions of this software are based upon public domain software originallywritten at the National Center for Supercomputing Applications, Universityof Illinois, Urbana-Champaign.PCRE LICENCE------------PCRE is a library of functions to support regular expressions whose syntaxand semantics are as close as possible to those of the Perl 5 language.Written by: Philip Hazel University of Cambridge Computing Service,Cambridge, England. Phone: +44 1223 334714.Copyright (c) 1997-2001 University of CambridgePermission is granted to anyone to use this software for any purpose on anycomputer system, and to redistribute it freely, subject to the followingrestrictions:1. This software is distributed in the hope that it will be useful,but WITHOUT ANY WARRANTY; without even the implied warranty ofMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.2. The origin of this software must not be misrepresented, either byexplicit claim or by omission. In practice, this means that if you usePCRE in software that you distribute to others, commercially orotherwise, you must put a sentence like this:Regular expression support is provided by the PCRE library package,which is open source software, written by Philip Hazel, and copyrightby the University of Cambridge, England.viWatchGuard Firebox System

somewhere reasonably visible in your documentation and in any relevantfiles or online help data or similar. A reference to the ftp site forthe source, that is, to:ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/should also be given in the documentation. However, this condition is notintended to apply to whole chains of software. If package A includesPCRE, it must acknowledge it, but if package B is software that includespackage A, the condition is not imposed on package B (unless it usesPCRE independently).3. Altered versions must be plainly marked as such, and must not bemisrepresented as being the original software.4. If PCRE is embedded in any software that is released under the GNUGeneral Purpose Licence (GPL), or Lesser General Purpose Licence z(LGPL), then the terms of that licence shall supersede any condition abovewith which it is incompatible.The documentation for PCRE, supplied in the "doc" directory, is distributedunder the same terms as the software itself.EndAll other trademarks or trade names mentioned herein, if any, are theproperty of their respective owners.Part No: 1200016Software Version: 7.0WatchGuard Firebox SoftwareEnd-User License AgreementIMPORTANT - READ CAREFULLY BEFORE ACCESSINGWATCHGUARD SOFTWARE:This Firebox Software End-User License Agreement (“AGREEMENT”) is alegal agreement between you (either an individual or a single entity) andWatchGuard Technologies, Inc. (“WATCHGUARD”) for theWATCHGUARD Firebox software product, which includes computersoftware components (whether installed separately on a computerworkstation or on the WATCHGUARD hardware product or included on theWATCHGUARD hardware product) and may include associated media,printed materials, and on-line or electronic documentation, and any updatesor modifications thereto, including those received through the WatchGuardLiveSecurity Service (or its equivalent), (the “SOFTWARE PRODUCT”).WATCHGUARD is willing to license the SOFTWARE PRODUCT to you onlyon the condition that you accept all of the terms contained in thisAgreement. Please read this Agreement carefully. By installing or using theSOFTWARE PRODUCT you agree to be bound by the terms of thisAgreement. If you do not agree to the terms of this AGREEMENT,WATCHGUARD will not license the SOFTWARE PRODUCT to you, and youwill not have any rights in the SOFTWARE PRODUCT. In that case,promptly return the SOFTWARE PRODUCT, along with proof of payment,to the authorized dealer from whom you obtained the SOFTWAREUser Guidevii

PRODUCT for a full refund of the price you paid. The WATCHGUARDhardware product is subject to a separate agreement and limited hardwarewarranty included with the WATCHGUARD hardware product packagingand/or in the associated user documentation.1. Ownership and License. The SOFTWARE PRODUCT is protected bycopyright laws and international copyright treaties, as well as otherintellectual property laws and treaties. This is a license agreement and NOTan agreement for sale. All title and copyrights in and to the SOFTWAREPRODUCT (including but not limited to any images, photographs,animations, video, audio, music, text, and applets incorporated into theSOFTWARE PRODUCT), the accompanying printed materials, and anycopies of the SOFTWARE PRODUCT are owned by WATCHGUARD or itslicensors. Your rights to use the SOFTWARE PRODUCT are as specified inthis AGREEMENT, and WATCHGUARD retains all rights not expresslygranted to you in this AGREEMENT. Nothing in this AGREEMENTconstitutes a waiver of our rights under U.S. copyright law or any other lawor treaty.2. Permitted Uses. You are granted the following rights to theSOFTWARE PRODUCT:(A) You may install and use the SOFTWARE PRODUCT on any singleWATCHGUARD hardware product at any single location and may installand use the SOFTWARE PRODUCT on multiple workstation computers.(B) To use the SOFTWARE PRODUCT on more than one WATCHGUARDhardware product at once, you must purchase an additional copy of theSOFTWARE PRODUCT for each additional WATCHGUARD hardwareproduct on which you want to use it. To the extent that you install copies ofthe SOFTWARE PRODUCT on additional WATCHGUARD hardwareproducts in accordance with the prior sentence without installing theadditional copies of the SOFTWARE PRODUCT included with suchWATCHGUARD hardware products, you agree that use of any softwareprovided with or included on the additional WATCHGUARD hardwareproducts that does not require installation will be subject to the terms andconditions of this AGREEMENT. You must also maintain a currentsubscription to the WatchGuard LiveSecurity Service (or its equivalent) foreach additional WATCHGUARD hardware product on which you will use acopy of an updated or modified version of the SOFTWARE PRODUCTreceived through the WatchGuard LiveSecurity Service (or its equivalent).(C) In addition to the copies described in Section 2(A), you may make asingle copy of the SOFTWARE PRODUCT for backup or archival purposesonly.3. Prohibited Uses. You may not, without express written permissionfrom WATCHGUARD:(A) Use, copy, modify, merge or transfer copies of the SOFTWAREPRODUCT or printed materials except as provided in this AGREEMENT;viiiWatchGuard Firebox System

(B) Use any backup or archival copy of the SOFTWARE PRODUCT (orallow someone else to use such a copy) for any purpose other than to replacethe original copy in the event it is destroyed or becomes defective;(C) Sublicense, lend, lease or rent the SOFTWARE PRODUCT;(D) Transfer this license to another party unless(i) the transfer is permanent,(ii) the third party recipient agrees to the terms of this AGREEMENT, and(iii) you do not retain any copies of the SOFTWARE PRODUCT; or(E) Reverse engineer, disassemble or decompile the SOFTWARE PRODUCT.4. Limited Warranty. WATCHGUARD makes the following limitedwarranties for a period of ninety (90) days from the date you obtained theSOFTWARE PRODUCT from WATCHGUARD or an authorized dealer:(A) Media. The disks and documentation will be free from defects inmaterials and workmanship under normal use. If the disks ordocumentation fail to conform to this warranty, you may, as your sole andexclusive remedy, obtain a replacement free of charge if you return thedefective disk or documentation to WATCHGUARD with a dated proof ofpurchase.(B) SOFTWARE PRODUCT. The SOFTWARE PRODUCT will materiallyconform to the documentation that accompanies it. If the SOFTWAREPRODUCT fails to operate in accordance with this warranty, you may, asyour sole and exclusive remedy, return all of the SOFTWARE PRODUCTand the documentation to the authorized dealer from whom you obtained it,along with a dated proof of purchase, specifying the problems, and they willprovide you with a new version of the SOFTWARE PRODUCT or a fullrefund, at their election.Disclaimer and Release. THE WARRANTIES, OBLIGATIONS ANDLIABILITIES OF WATCHGUARD, AND YOUR REMEDIES, SET FORTHIN PARAGRAPHS 4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND INSUBSTITUTION FOR, AND YOU HEREBY WAIVE, DISCLAIM ANDRELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS ANDLIABILITIES OF WATCHGUARD AND ITS LICENSORS AND ALLOTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINSTWATCHGUARD AND ITS LICENSORS, EXPRESS OR IMPLIED,ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANYNONCONFORMANCE OR DEFECT IN THE SOFTWARE PRODUCT(INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OFMERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE,ANY IMPLIED WARRANTY ARISING FROM COURSE OFPERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, ANYWARRANTY OF NONINFRINGEMENT, ANY WARRANTY THAT THESOFTWARE PRODUCT WILL MEET YOUR REQUIREMENTS, ANYWARRANTY OF UNINTERRUPTED OR ERROR-FREE OPERATION,ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY IN TORT,WHETHER OR NOT ARISING FROM THE NEGLIGENCE (WHETHERUser Guideix

ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF WATCHGUARD ANDITS LICENSORS AND ANY OBLIGATION, LIABILITY, RIGHT, CLAIMOR REMEDY FOR LOSS OR DAMAGE TO, OR CAUSED BY ORCONTRIBUTED TO BY, THE SOFTWARE PRODUCT).Limitation of Liability. WATCHGUARD'S LIABILITY (WHETHER INCONTRACT, TORT, OR OTHERWISE; AND NOTWITHSTANDING ANYFAULT, NEGLIGENCE, STRICT LIABILITY OR PRODUCT LIABILITY)WITH REGARD TO THE SOFTWARE PRODUCT WILL IN NO EVENTEXCEED THE PURCHASE PRICE PAID BY YOU FOR SUCH PRODUCT.THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF ANAGREED REMEDY. IN NO EVENT WILL WATCHGUARD BE LIABLETO YOU OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT(INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE ORIMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT), FORANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIALDAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF BUSINESSPROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESSINFORMATION) ARISING OUT OF OR IN CONNECTION WITH THISWARRANTY OR THE USE OF OR INABILITY TO USE THE SOFTWAREPRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THEPOSSIBILITY OF SUCH DAMAGES. THIS SHALL BE TRUE EVEN INTHE EVENT OF THE FAILURE OF AN AGREED REMEDY.5.United States Government Restricted Rights. The SOFTWAREPRODUCT is provided with Restricted Rights. Use, duplication ordisclosure by the U.S. Government or any agency or instrumentality thereofis subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights inTechnical Data and Computer Software clause at DFARS 252.227-7013, orin subdivision (c)(1) and (2) of the Commercial Computer Software --Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable.Manufacturer is WatchGuard Technologies, Inc., 505 5th Ave. South, Suite500, Seattle, WA 98104.6.Export Controls. You agree not to directly or indirectly transfer theSOFTWARE PRODUCT or documentation to any country to which suchtransfer would be prohibited by the U.S. Export Administration Act and theregulations issued thereunder.7.Termination. This license and your right to use the SOFTWAREPRODUCT will automatically terminate if you fail to comply with anyprovisions of this AGREEMENT, destroy all copies of the SOFTWAREPRODUCT in your possession, or voluntarily return the SOFTWAREPRODUCT to WATCHGUARD. Upon termination you will destroy all copiesof the SOFTWARE PRODUCT and documentation remaining in your controlor possession.xWatchGuard Firebox System

8.Miscellaneous Provisions. This AGREEMENT will be governed by andconstrued in accordance with the substantive laws of Washington excludingthe 1980 United National Convention on Contracts for the InternationalSale of Goods, as amended. This is the entire AGREEMENT between usrelating to the SOFTWARE PRODUCT, and supersedes any prior purchaseorder, communications, advertising or representations concerning theSOFTWARE PRODUCT AND BY USING THE SOFTWARE PRODUCTYOU AGREE TO THESE TERMS. IF THE SOFTWARE PRODUCT ISBEING USED BY AN ENTITY, THE INDIVIDUAL INDICATINGAGREEMENT TO THESE TERMS REPRESENTS AND WARRANTSTHAT (A) SUCH INDIVIDUAL IS DULY AUTHORIZED TO ACCEPT THISAGREEMENT ON BEHALF OF THE ENTITY AND TO BIND THEENTITY TO THE TERMS OF THIS AGREEMENT; (B) THE ENTITY HASTHE FULL POWER, CORPORATE OR OTHERWISE, TO ENTER INTOTHIS AGREEMENT AND PERFORM ITS OBLIGATIONS UNDER THISAGREEMENT AND; (C) THIS AGREEMENT AND THE PERFORMANCEOF THE ENTITY’S OBLIGATIONS UNDER THIS AGREEMENT DO NOTVIOLATE ANY THIRD-PARTY AGREEMENT TO WHICH THE ENTITYIS A PARTY. No change or modification of this AGREEMENT will be validunless it is in writing and is signed by WATCHGUARD.User Guidexi

xiiWatchGuard Firebox System

ContentsCHAPTER 1 Introduction ................................................1Welcome to WatchGuard® ...............................................1WatchGuard Firebox System Components .........................2WatchGuard Firebox ......................................................2Firebox System Manager ................................................2WatchGuard security applications .....................................3WatchGuard LiveSecurity® Service ...................................3Minimum Requirements ....................................................3Software requirements ....................................................3Web browser requirements .............................................4Hardware requirements ..................................................4WatchGuard Options ........................................................5VPN Manager ...............................................................5High Availability ............................................................6Mobile User VPN ...........................................................6SpamScreen .................................................................6BOVPN Upgrade ...........................................................7Obtaining WatchGuard Options .......................................7About this Guide ..............................................................7User Guidexiii

CHAPTER 2 Service and Support .................................. 9Benefits of LiveSecurity® Service ...................................... 9LiveSecurity® Broadcasts ............................................... 10Activating the LiveSecurity® Service ............................... 12LiveSecurity® Self Help Tools ......................................... 13WatchGuard Users Forum .............................................. 14WatchGuard Users Group .............................................. 15Online Help ................................................................. 15Starting WatchGuard Online Help .................................. 16Searching for topics .................................................... 16Copying the Help system to additional platforms .............. 17Online Help system requirements .................................. 17Context-sensitive Help ................................................. 17Product Documentation ................................................. 18Assisted Support ........................................................... 18LiveSecurity® Program ................................................ 18LiveSecurity® Gold Program ......................................... 19Firebox Installation Services .......................................... 20VPN Installation Services .............................................. 20Training and Certification ............................................... 20CHAPTER 3 Getting Started ........................................ 23Gathering Network Information ...................................... 24Selecting a Firewall Configuration Mode ......................... 28Routed configuration ................................................... 29Drop-in configuration .................................................. 30Choosing a Firebox configuration .................................. 32Adding secondary networks to your configuration ............. 33Dynamic IP support on the external interface ................... 35Setting Up the Management Station ............................... 36Software encryption levels ............................................ 37Cabling the Firebox ....................................................... 38Using a serial cable ..................................................... 38Using TCP/IP ............................................................. 40Running the QuickSetup Wizard ..................................... 40xivWatchGuard Firebox System

Testing the connection .................................................42Entering IP addresses ...................................................43Deploying the Firebox into Your Network ........................44What’s Next ...................................................................44Customizing your security policy ....................................44What to expect from LiveSecurity® Service ......................45CHAPTER 4 Firebox Basics ...........................................47What is a Firebox? ..........................................................47Opening a Configuration File ..........................................49Opening a configuration from the Firebox ........................50Opening a configuration from a local hard disk .................50Saving a Configuration File .............................................51Saving a configuration to the Firebox ..............................51Saving a configuration to the management station’slocal drive ..........................................................53Resetting Firebox Passphrases ........................................53Setting the Firebox Model ..............................................54Setting the Time Zone ....................................................55Setting a Firebox Friendly Name .....................................55CHAPTER 5 Using Policy Manager to ConfigureYour Network ...........................................57Starting a New Configuration File ....................................58Setting the Firebox Configuration Mode ..........................58Setting IP Addresses of Firebox Interfaces .......................58Setting addresses in drop-in mode .................................59Setting addresses in routed mode ..................................60Setting DHCP or PPPoE Support on the External Interface 60Configuring DHCP or PPPoE support ..............................61Enabling static PPPoE ..................................................62Configuring Drop-in Mode ..............................................62Defining External IP Aliases .............................................63Adding Secondary Networks ...........................................64Entering WINS and DNS Server Addresses ......................65Configuring Out-of-Band Management ...........................66User Guidexv

Defining a Firebox as a DHCP Server .............................. 66Adding a new subnet .................................................. 67Modifying an existing subnet ........................................ 68Removing a subnet ..................................................... 68Adding Basic Services to Policy Manager ........................ 69Configuring Routes ........................................................ 70Defining a network route .............................................. 70Defining a host route ................................................... 71CHAPTER 6 Managing and Monitoring the Firebox .. 73Starting System Manager and Connecting to a Firebox .... 73Viewing Basic Firebox Status .......................................... 74Viewing basic indicators ............................................... 75Firebox and VPN tunnel status ....................................... 76Monitoring Firebox Traffic .............................................. 80Setting the maximum number of log entries ..................... 81Displaying entries in color ............................................ 81Copying messages to another application ....................... 82Copying or analyzing deny messages ............................. 82Performing Basic Tasks with System Manager .................. 82Running the QuickSetup Wizard .................................... 83Flushing the ARP cache ................................................ 83Connecting to a Firebox ............................................... 84Changing the polling rate ............................................. 84Getting Help on the Web ............................................. 84Launching Firebox Applications ..................................... 85Viewing Bandwidth Usage .............................................. 87Viewing Number of Connections by Service .................... 88Viewing Details on Firebox Activity ................................. 88Authentication list ....................................................... 95Blocked Site list .......................................................... 96HostWatch .................................................................... 97HostWatch display ...................................................... 98Connecting HostWatch to a Firebox ............................... 98Replaying a log file in HostWatch ................................... 99xviWatchGuard Firebox System

Controlling the HostWatch display ..................................99Modifying HostWatch view properties ...........................100CHAPTER 7 Configuring Network AddressTranslation ...............................................101Dynamic NAT ...............................................................102Using Simple Dynamic NAT ..........................................103Enabling simple dynamic NAT .....................................103Adding simple dynamic NAT entries .............................104Reordering simple dynamic NAT entries .........................105Specifying simple dynamic NAT exceptions ....................105Using Service-Based Dynamic NAT ................................106Enabling service-based dynamic NAT ............................107Configuring service-based dynamic NAT ........................107Configuring a Service for Incoming Static NAT ...............108Adding external IP addresses .......................................108Setting static NAT for a service .....................................108Using 1-to-1 NAT .........................................................110Proxies and NAT .......................................................112CHAPTER 8 Configuring Filtered Services ................113Selecting Services for your Security Policy Objectives .....114Incoming service guidelines ........................................114Outgoing service guidelines ........................................115Adding and Configuring Services ..................................116Configurable parameters for services ............................117Adding a service .......................................................117Creating a new service ...............................................120Deleting a service ......................................................123Defining Service Properties ...........................................124Accessing a service’s Properties dialog box ....................125Adding service properties ...........................................125Adding addresses or users to service properties ..............126Working with wg_icons ...............................................127Customizing logging and notification ............................128Service Precedence ......................................................130User Guidexvii

CHAPTER 9 Configuring Proxied Services ............... 135Protocol Anomaly Detection ......................................... 136Customizing Logging and Notification for Proxies .......... 137Configuring an SMTP Proxy Service .............................. 137Configuring the Incoming SMTP Proxy .......................... 138Enabling protocol anomaly detection for SMTP .............. 145Configuring the Outgoing SMTP Proxy ......................... 147Configuring an FTP Proxy Service .................................. 149Enabling protocol anomaly detection for FTP ................. 150Selecting an HTTP Service ............................................ 151Adding a proxy service for HTTP .................................. 152Configuring a caching proxy server .............................. 154Configuring the DNS Proxy Service ............................... 155Adding the DNS Proxy Service .................................... 156Enabling protocol anomaly detection for DNS ................ 157DNS file descriptor limit ............................................. 158CHAPTER 10 Creating Aliases and ImplementingAuthentication ...................................... 161Using Aliases ............................................................... 162Adding an alias ........................................................ 163How User Authentication Works ................................... 165Authentication Server Types ......................................... 166Defining Firebox Users and Groups for Authentication ... 167Configuring Windows NT Server Authentication ............ 170Configuring RADIUS Server Authentication ................... 171Configuring CRYPTOCard Server Authentication ........... 173Configuring SecurID Authentication .............................. 175CHAPTER 11 Intrusion Detection and Prevention .... 177Default Packet Handling ............................................... 178Blocking spoofing attacks ........................................... 178Blocking port space and address space attacks ............... 180Stopping IP options attacks ........................................ 180Stopping SYN Flood attacks ....................................... 181Changing SYN flood settings ...................................... 182xviiiWatchGuard Firebox System

Detecting Man-in-the-Middle Attacks ............................183Blocking Sites ..............................................................184Blocking a site permanently .........................................185Creating exceptions to the Blocked Sites list ...................187Changing the auto-block duration ................................187Logging and notification for blocked sites ......................188Blocking Ports ..............................................................188Avoiding problems with legitimate users ........................191Blocking a port permanently ........................................191Auto-blocking sites that try to use blocked ports .............192Setting logging and notification for blocked ports ...........192Blocking Sites Temporarily with Service Settings .............192Configuring a service to temporarily block sites ...............193Viewing the Blocked Sites list .......................................193Integrating Intrusion Detection ......................................193Using the fbidsmate command-line utility .......................195CHAPTER 12 Setting Up Logging and Notification ...199Developing Logging and Notification Policies ................200Logging policy ..........................................................200Notification policy .....................................................201Failover Logging ..........................................................202WatchGuard Logging Architecture ................................203Designating Log Hosts for a Firebox ..............................203Adding a log host ......................................................204Enabling Syslog logging .............................................205Changing the log encryption key ..................................205Removing a log host ..................................................206Reordering log hosts ..................................................206Synchronizing log hosts ..............................................206Setting up the WatchGuard Security Event Processor ......207Running the WSEP application on Windows NT,Windows 2000, or Windows XP ............................207Viewing the WSEP application .....................................210Starting and stopping the WSEP ...................................210User Guidexix

Setting the log encryption key ..................................... 211Setting Global Logging and Notification Preferences ..... 211Log file size and rollover frequency .............................. 212Setting the interval for log rollover ............................... 212Scheduling log reports ............................................... 213Controlling notification .............................................. 214Setting a Firebox friendly name for log files ................... 214Customizing Logging and Notification by Service orOption ............................................................... 215Setting Launch Interval and Repeat Count ..................... 217Setting logging and notification for a service .................. 218Setting logging and notification for default packet-handlingoptions ........................................................... 218Setting logging and notification for blocked sitesand ports ......................................................... 219CHAPTER 13 Reviewing and Working with Log Files 221Log File Names and Locations ...................................... 222Viewing Files with LogViewer ....................................... 222Starting LogViewer and opening a log file ..................... 222Setting LogViewer preferences .................................... 223Searching for specific entries ....................................... 223Copying and exporting LogViewer data ........................ 224Displaying and Hiding Fields ........................................ 225Working with Log Files ................................................. 228Consolidating logs from multiple locations .................... 229Copying log files ...................................................... 229Forcing the rollover of log files .................................... 230Saving log files to a new location ................................. 230Setting log encryption keys ......................................... 231Sending logs to a log host at another location ................ 231CHAPTER 14 Generating Reports of NetworkActivity .................................................. 235Creating and Editing Reports ....................................... 236Starting a new report ................................................. 236Editing an existing report ........................................... 238xxWatchGuard Firebox System

Deleting a report .......................................................238Viewing the reports list ...............................................238Specifying a Report Time Span .....................................238Specifying Report Sections ...........................................239Consolidating Report Sections ......................................239Setting Report Properties .............................................240Exporting Reports ........................................................241Exporting reports to HTML format ................................241Exporting a report to WebTrends for Firewalls and VPNs ...242Exporting a report to a text file ....................................243Using Report Filters ......................................................243Creating a new report filter ..........................................244Editing a report filter ..................................................244Deleting a report filter ................................................245Applying a report filter ...............................................245Scheduling and Running Reports ...................................245Scheduling a report ...................................................245Manually running a report ...........................................246Report Sections and Consolidated Sections ...................246Report sections .........................................................246Consolidated sections ................................................250CHAPTER 15 Controlling Web Site Access ................253Getting Started with WebBlocker ..................................253Installing the WebBlocker server ...................................254Downloading the database using WebBlocker Utility ........254Configuring the WatchGuard service icon .......................255Add an HTTP service ..................................................255Configuring the WebBlocker Service ............................256Activating WebBlocker ...............................................256Allowing WebBlocker server bypass ..............................257Configuring the WebBlocker message ...........................257Scheduling operational and non-operational hours ..........258Setting privileges ......................................................259Creating WebBlocker exceptions ..................................260User Guidexxi

Managing the WebBlocker Server ................................. 262Installing Multiple WebBlocker Servers .......................... 262Automating WebBlocker Database Downloads .............. 262Installing Scheduled Tasks .......................................... 263CHAPTER 16 Connecting with Out-of-BandManagement ......................................... 265Connecting a Firebox with OOB Management .............. 265Enabling the Management Station ................................ 266Preparing a Windows NT management station for OOB ... 266Preparing a Windows 2000 management station for OOB 266Preparing a Windows XP management station for OOB ... 268Configuring the Firebox for OOB .................................. 269Establishing an OOB Connection .................................. 269APPENDIX A Troubleshooting Firebox Connectivity 271Method 1: Ethernet Dongle Method ............................. 272Method 2: The Flash Disk Management Utility ............... 274Method 3: Using the Reset Button - FireboxModels 500, 700, 1000, 2500, 4500 ..................... 276Method 4: Serial Dongle (Firebox II only) ...................... 277Index ......................................................................... 279xxiiWatchGuard Firebox System

CHAPTER 1IntroductionWelcome to WatchGuard ®In the past, a connected enterprise needed a complexset of tools, systems, and personnel for access control,authentication, virtual private networking, networkmanagement, and security analysis. These costly systemswere difficult to integrate and not easy to update.Today, the WatchGuard Firebox System delivers acomplete network security solution to meet thesemodern security challenges:• Keeping network defenses current• Protecting every office connected to the Internet• Encrypting communications to remote offices andtraveling users• Managing the security system from a single siteThe WatchGuard Firebox System is a reliable, flexible,scalable, and inexpensive network security solution.Its setup and maintenance costs are small, and it supportsa rich feature set. When properly configured andadministered, the Firebox System reliably defends anynetwork against external threats.User Guide 1

Chapter 1: IntroductionWatchGuard Firebox System ComponentsThe WatchGuard Firebox System has all of the componentsneeded to conduct electronic business safely. It is made upof the following:• Firebox–a plug-and-play network appliance• Firebox System Manager–a suite of management andmonitoring tools• A collection of advanced security applications• LiveSecurity ® Service–a security-related broadcastserviceWatchGuard FireboxThe Firebox family of products is specially designed andoptimized. These machines are small, efficient, and reliable.The Firebox is a low-profile component with an indicatordisplay panel in front and physical interfaces in back.Firebox System ManagerFirebox System Manager is a toolkit of applications runfrom a single location, enabling you to configure, manage,and monitor your network security policy. In addition tomanagement and monitoring tools, System Managerincludes:Policy ManagerAllows you to design, configure, and manage anetwork security policy.LogViewerDisplays a static view of the log data, which youcan filter by type, search for keywords and fields,and print and save to a separate file.HostWatchDisplays active connections occurring on a Fireboxin real time or represents the connections listed in alog file.2 WatchGuard Firebox System

Minimum RequirementsHistorical ReportsCreates HTML reports that display session types,most active hosts, most used services, URLs, andother data useful in monitoring andtroubleshooting your network.WatchGuard security applicationsIn addition to basic security policy configuration, the FireboxSystem includes a suite of advanced software features.These include:• User authentication• Network address translation• Remote user virtual private networking• Branch office virtual private networking• Selective Web site blockingWatchGuard LiveSecurity ® ServiceThe innovative LiveSecurity Service makes it easy to maintainthe security of an organization’s network. Watch-Guard’s team of security experts publish alerts andsoftware updates, which are broadcast to your email client.Minimum RequirementsThis section describes the minimum hardware and softwarerequirements necessary to successfully install, run,and administer the WatchGuard Firebox System.Software requirementsWatchGuard Firebox System software can run on MicrosoftWindows NT 4.0, Windows 2000, or Windows XP as specifiedbelow:User Guide 3

Chapter 1: IntroductionWindows NT requirements• Microsoft Windows NT 4.0• Microsoft Service Pack 4, Service Pack 5, or ServicePack 6a for Windows NT 4.0Windows 2000 requirements• Microsoft Windows 2000 Professional or Windows2000 ServerWindows XP requirements• Microsoft Windows XPWeb browser requirementsYou must have Microsoft Internet Explorer 4.0 or later torun the installation from the CD. The following HTMLbasedbrowsers are recommended to view WatchGuardOnline Help:• Netscape Communicator 4.7 or later• Microsoft Internet Explorer 5.01 or laterHardware requirementsMinimum hardware requirements are the same as those forthe operating system on which the WatchGuard FireboxSystem runs. The recommended hardware ranges arelisted on the following table:4 WatchGuard Firebox System

.WatchGuard OptionsHardwarefeatureCPUMemoryHard disk spaceCD-ROM drive(optional)Minimum requirementPentium IISame as for operating system.Recommended:128 MB for Windows NT 4.0128 MB for Windows 2000 Professional256 MB for Windows 2000 Server128 MB for Windows XP25 MB to install all WatchGuard modules15 MB minimum for log filesAdditional space as required for log filesAdditional space as required for multipleconfiguration filesOne CD-ROM drive to install WatchGuardsoftware from its CD-ROM distribution disk. (Youcan also download the software from theLiveSecurity Service Web site.)WatchGuard OptionsThe WatchGuard Firebox System is enhanced by optionalfeatures designed to accommodate the needs of differentcustomer environments and security requirements.The following options are currently available for theWatchGuard Firebox System.VPN ManagerWatchGuard VPN Manager is a centralized module for creatingand managing the network security of an organizationthat uses the Internet to conduct business. It turns thecomplex task of setting up multi-site virtual private networks(VPNs) into a simple three-step process. VPN Managersets a new standard for Internet security byautomating the setup, management, and monitoring ofmulti-site IPSec VPN tunnels between an organization’sUser Guide 5

Chapter 1: Introductionheadquarters, branch offices, telecommuters, and remoteusers.VPN Manager is bundled with the WFS software, but it isavailable for use only if you select the VPN Managercheckbox when installing WFS and enter your license key.NOTEThe Firebox model 700 does not support VPN Manager.High AvailabilityWatchGuard High Availability software lets you install asecond, standby Firebox on your network. If your primaryFirebox fails, the second Firebox automatically takes overto give your customers, business partners, and employeesvirtually uninterrupted access to your protected network.High Availability is bundled with the WFS software, but itis available for use only if you enable the High Availabilitycheckbox when installing WFS and enter your license key.Mobile User VPNMobile User VPN is the WatchGuard IPSec implementationof remote user virtual private networking. MobileUser VPN connects an employee on the road or workingfrom home to trusted and optional networks behind a Fireboxusing a standard Internet connection, without compromisingsecurity. WatchGuard Mobile User VPN softwareeasily integrates into your Firebox System, allowing yourmobile users to securely connect to your network. VPNtraffic is encrypted using DES or 3DES-CBC, and authenticatedthrough MD5 or SHA-1.SpamScreenSpamScreen helps to control “spam”–email sent to you oryour end users without permission. Spam consumes valuablebandwidth on your Internet connection and on thehard disk space and CPU time of your mail server. If6 WatchGuard Firebox System

About this Guideallowed to enter your network unchecked, spam consumesworkers’ time to read and remove. WatchGuard Spam-Screen identifies spam as it comes through the Firebox. Youcan choose to either block the spam at the Firebox or tag itfor easy identification and sorting.SpamScreen is bundled with the WFS software, but it isavailable for use only if you enable the SpamScreen checkboxwhen installing WFS and enter your license key.BOVPN UpgradeThe factory default Firebox 500 does not support BOVPN.However, you can purchase the BOVPN Upgrade option toenable BOVPN support on a Firebox 500.Obtaining WatchGuard OptionsWatchGuard options are available from your local reseller.For more information about purchasing WatchGuard products,go to:http://www.watchguard.com/sales/About this GuideThe purpose of this guide is to help users of the Watch-Guard Firebox System set up and configure a basic networksecurity system and maintain, administer, andenhance the configuration of their network security.The audience for this guide represents a wide range ofexperience and expertise in network management andsecurity. The end user of the WatchGuard Firebox Systemis generally a network administrator for a company thatcan range from a small branch office to a large enterprisewith multiple offices around the world.References to FAQs, on the online support pages, areincluded throughout this guide. To access the FAQs, youUser Guide 7

Chapter 1: Introductionmust have a current subscription to the LiveSecurity Service.The following conventions are used in this guide:• Within procedures, visual elements of the userinterface, such as buttons, menu items, dialog boxes,fields, and tabs, appear in boldface.• Menu items separated by arrows (=> ) are selected insequence from subsequent menus. For example, File =>Open => Configuration File means to select Open fromthe File menu, and then Configuration File from theOpen menu.• URLs and email addresses appear in sans serif font; forexample, wg-users@watchguard.com• Code, messages, and file names appear in monospacefont; for example: .wgl and .idx files• In command syntax, variables appear in italics; forexample: fbidsmate import_passphrase• Optional command parameters appear in squarebrackets.8 WatchGuard Firebox System

CHAPTER 2Service and SupportNo Internet security solution is complete without systematicupdates and security intelligence. From thelatest hacker techniques to the most recently discoveredoperating system bug, the daily barrage of newthreats poses a perpetual challenge to any networksecurity solution. LiveSecurity ® Service keeps yoursecurity system up-to-date by providing solutionsdirectly to you.In addition, the WatchGuard Technical Support teamand Training department offer a wide variety of methodsto answer your questions and assist you withimproving the security of your network.Benefits of LiveSecurity ® ServiceAs the frequency of new attacks and security advisoriescontinues to surge, the task of ensuring that yournetwork is secure becomes an even greater challenge.The WatchGuard Rapid Response Team, a dedicatedUser Guide 9

Chapter 2: Service and Supportgroup of network security experts, helps absorb this burdenby monitoring the Internet security landscape for youin order to identify new threats as they emerge.Threat alerts and expert adviceAfter a new threat is identified, you’ll receive a LiveSecuritybroadcast by way of an email message from our RapidResponse Team that alerts you to the threat. Each alertincludes a complete description of the nature and severityof the threat, the risks it poses, and what steps you shouldtake to make sure your network remains continuously protected.Easy software updatesYour WatchGuard LiveSecurity Service subscription savesyou time by providing the latest software to keep yourWatchGuard Firebox System up-to-date. You receive installationwizards and release notes with each software updatefor easy installation. These ongoing updates ensure thatyour WatchGuard Firebox System remains state-of-the-art,without you having to take time to track new releases.Access to technical support and trainingWhen you have questions about your WatchGuard system,you can quickly find answers using our extensive onlinesupport resources, or by talking directly to one of our supportrepresentatives. In addition, you can access Watch-Guard courseware online to learn about WatchGuardsystem features.LiveSecurity ® BroadcastsThe WatchGuard LiveSecurity Rapid Response Team periodicallysends broadcasts and software informationdirectly to your desktop by way of email. Broadcasts are10 WatchGuard Firebox System

LiveSecurity® Broadcastsdivided into channels to help you immediately recognizeand process incoming information.Information AlertInformation Alerts provide timely analysis ofbreaking news and current issues in Internetsecurity combined with the proper systemconfiguration recommendations necessary toprotect your network.Threat ResponseAfter a newly discovered threat is identified, theRapid Response Team transmits an updatespecifically addressing this threat to make sureyour network is protected.Software UpdateYou receive functional software enhancements onan ongoing basis that cover your entireWatchGuard Firebox System.EditorialLeading security experts join the WatchGuardRapid Response Team in contributing usefuleditorials to provide a source of continuingeducation on this rapidly changing subject.FoundationsArticles specifically written for novice securityadministrators, non-technical co-workers, andexecutives.LoopbackA monthly index of LiveSecurity Servicebroadcasts.Support FlashThese technical tutorials provide tips for managingthe WatchGuard Firebox System. Support Flashessupplement other resources such as Online Help,FAQs, and Known Issues pages on the TechnicalSupport Web site.User Guide 11

Chapter 2: Service and SupportVirus AlertIn cooperation with McAfee, WatchGuard issuesweekly broadcasts that provide the latestinformation on new computer viruses.New from WatchGuardTo keep you abreast of new features, productupgrades, and upcoming programs, WatchGuardfirst announces their availability to our existingcustomers.Activating the LiveSecurity ® ServiceThe LiveSecurity Service can be activated through thesetup wizard on the CD-ROM or through the activationsection of the WatchGuard LiveSecurity Web pages. Thesetup wizard is detailed thoroughly in the QuickStart Guideand in the “Getting Started” chapter of this book.To activate the LiveSecurity Service through the Web:1 Be sure that you have the LiveSecurity license key andthe Firebox serial number handy. You will need theseduring the activation process.- The Firebox serial number is displayed in twolocations: a small silver sticker on the outside ofthe shipping box, and a sticker on the back of theFirebox just below the UPC bar code- The license key number is located on theWatchGuard LiveSecurity Agreement LicenseKey Certificate. Enter the number in the exactform shown on the key, including the hyphens.2 Using your Web browser, go to:http://www.watchguard.com/account/register.aspThe Account page appears.NOTEYou must have JavaScript enabled on your browser to be ableto activate the LiveSecurity Service.12 WatchGuard Firebox System

LiveSecurity® Self Help Tools3 Complete the LiveSecurity Activation form. Movethrough the fields on the form using either the TAB keyor the mouse.All of the fields are required for successful registration. Theprofile information helps WatchGuard target information andupdates to your needs.4 Verify that your email address is correct. You willreceive your activation confirmation mail and all ofyour LiveSecurity broadcasts at this address.5 Click Register.LiveSecurity ® Self Help ToolsOnline support services help you get the most out of yourWatchGuard products.NOTEYou must register for LiveSecurity Service before you canaccess the online support services.Advanced FAQs (frequently asked questions)Detailed information about configuration optionsand interoperability.Basic FAQsGeneral questions about the WatchGuard FireboxSystem.Known IssuesConfirmed issues and fixes for current software.WatchGuard Users ForumA moderated Web board about WatchGuardproducts.Online TrainingInformation on product training, certification, anda broad spectrum of publications about networksecurity and WatchGuard products. These coursesare designed to guide users through allUser Guide 13

Chapter 2: Service and Supportcomponents of WatchGuard products. Thesecourses are modular in design, allowing you to usethem in a manner most suitable to your learningobjectives. For more information, go to:www.watchguard.com/training/courses_online.aspLearn AboutA listing of all resources available for specificproducts and features.Online HelpCurrent Help system for WatchGuard products.Product DocumentationA listing of current product documentation fromwhich you can open .pdf files.General SOHO 6 ResourcesAccess to the resources you need and updatedinformation to help you install and use the SOHO6.To access the online support services:1 From your Web browser, go to http://www.watchguard.com/ and select Support.2 Log in to LiveSecurity Service.WatchGuard Users ForumThe WatchGuard users forum is an online group in whichthe users of the WatchGuard Firebox System exchangeideas, questions, and tips regarding all aspects of the product,including configuration, compatibility, and networking.This forum is categorized and searchable, and ismoderated, during regular business hours, by WatchGuardengineers and Technical Support personnel. However, thisforum should not be used for reporting support issues toWatchGuard Technical Support. Instead, contact Watch-14 WatchGuard Firebox System

WatchGuard Users GroupGuard Technical Support directly by way of the Web interfaceor telephone.Joining the WatchGuard users forumTo join the WatchGuard users forum:1 Go to www.watchguard.com. Click Support. Log into theLiveSecurity Service.2 Under Self-Help Tools, click Interactive SupportForum.3 Click Create a User Forum account.4 Enter the required information in the form. ClickCreate.The username and password should be of your own choosing.They should not be the same as that of your LiveSecurity Service.WatchGuard Users GroupThe WatchGuard users group is an online group in whichthe users of WatchGuard products can communicate information.Because this group is not monitored by Watch-Guard, it should not be used for reporting support issuesto WatchGuard Technical Support. Instead, contact Watch-Guard Technical Support directly via the Web interface ortelephone. For information on how to subscribe, unsubscribe,or post a message to all WG-user members, go to:http://lists.watchguard.com/mailman/listinfo/wg-usersOnline HelpWatchGuard Online Help is a Web-based system withcross-platform functionality that enables you to install acopy on virtually any computer. A static version of theOnline Help system is installed automatically with theUser Guide 15

Chapter 2: Service and SupportFirebox System software in a subdirectory of the installationdirectory called Help. In addition, a “live,” continuallyupdated version of Online Help is available at:http://help.watchguard.com/lss/70You may need to log into the LiveSecurity Service to accessthe Online Help system.Starting WatchGuard Online HelpWatchGuard Online Help can be started either from theWatchGuard management station or directly from abrowser.• In the management station software (any WatchGuardFirebox System window or dialog box), press F1.• On any platform, browse to the directory containingWatchGuard Online Help. Open LSSHelp.html. Thedefault help directory isC:\Program Files\WatchGuard\Help.Searching for topicsYou can search for topics in WatchGuard Online Help threeways:ContentsThe Contents tab displays a list of topics within theHelp system. Double-click a book to expand acategory. Click a page title to view topic contents.IndexThe index provides a list of keywords found withinHelp. Begin typing the keyword, and the index listwill automatically scroll to entries beginning withthose letters. Click a page title to view topiccontents.SearchThe Search feature offers a full-text search of theentire Help system. Enter a keyword. Press ENTER16 WatchGuard Firebox System

Online Helpto display a list of topics containing the word. TheSearch feature does not support Boolean searches.Copying the Help system to additionalplatformsWatchGuard Online Help can be copied from the managementstation to additional workstations and platforms.When doing so, copy the entire Help directory from theWatchGuard installation directory on the management station.It is important to include all subdirectories exactly asthey appear in the original installation.Online Help system requirementsWeb browser• Internet Explorer 4.0 or higher• Netscape Navigator 4.7 or higherOperating system• Windows NT 4.0, Windows 2000, or Windows XP• Sun Solaris• LinuxContext-sensitive HelpIn addition to the regular online Help system, context-sensitiveor What’s This? Help is also available. What’s This?Help provides a definition and useful information on fieldsand buttons in the dialog boxes. To access What’s This?Help:1 Right-click any field or button.2 Click What’s This? when it appears.A box appears with the field name on the top and informationabout the field beneath it.User Guide 17

Chapter 2: Service and Support3 To print or save the Help box as a separate file, rightclickthe Help field.A menu offering Copy or Print appears.4 Select the menu item you want.5 When you are done, click anywhere outside the box todismiss it.You can also look up the meaning of fields and buttonsusing the “Field Definitions” chapter in the Reference Guide.Product DocumentationWatchGuard products are fully documented on our Website at:http://help.watchguard.com/documentation/default.aspAssisted SupportWatchGuard offers a variety of technical support servicesfor your WatchGuard products. Several support programs,described throughout this section, are available throughWatchGuard Technical Support. For a summary of the currenttechnical support services offered by WatchGuardTechnical Support, please refer to the WatchGuard Web siteat:http://support.watchguard.com/aboutsupport.aspNOTEYou must register for LiveSecurity Service before you canreceive technical support.LiveSecurity ® ProgramWatchGuard LiveSecurity Technical Support is includedwith every new Firebox. This support program is designed18 WatchGuard Firebox System

Assisted Supportto assist you in maintaining your enterprise security systeminvolving our Firebox, SOHO 6, ServerLock, AppLock,and VPN products.HoursWatchGuard LiveSecurity Technical Supportbusiness hours are 4:00 AM to 7:00 PM Pacific Time(GMT - 7), Monday through Friday.The SOHO Program business hours are 24 hours aday, 7 days a weekPhone Contact877.232.3531 in U.S. and Canada+1.360.482.1083 all other countriesWeb Contacthttp://www.watchguard.com/supportResponse TimeFour (4) business hours maximum targetType of ServiceTechnical assistance for specific issues concerningthe installation and ongoing maintenance ofFirebox, SOHO, and ServerLock enterprise systemsSingle Incident Priority Response Upgrade (SIPRU) andSingle Incident After-hours Upgrade (SIAU) are available.For more information, please refer to the WatchGuard Website at:http://support.watchguard.com/lssupport.aspLiveSecurity ® Gold ProgramThis premium program is designed to meet the aggressivesupport needs of companies that are heavily dependentupon the Internet for Web-based commerce or VPN tunnels.WatchGuard Gold LiveSecurity Technical Support offerssupport coverage 24 hours a day, seven days a week. OurPriority Support Team staffs our support center continuouslyfrom 7 PM Sunday to 7 PM Friday Pacific Time (GMTUser Guide 19

Chapter 2: Service and Support— 7), and can help you with any technical issues you mighthave during these hours.We target a one-hour maximum response time for all newincoming cases. If a technician is not immediately availableto help you, a support administrator will log your call inour case response system and issue a support incidentnumber.Firebox Installation ServicesWatchGuard Remote Firebox Installation Services aredesigned to provide you with comprehensive assistancefor basic Firebox installation. You can schedule a dedicatedtwo-hour time slot with one of our WatchGuard techniciansto help you review your network and security policy,install the LiveSecurity software and Firebox hardware,and build a configuration in accordance with your companysecurity policy. VPN setup is not included as part ofthis service.VPN Installation ServicesWatchGuard Remote VPN Installation Services aredesigned to provide you with comprehensive assistancefor basic VPN installation. You can schedule a dedicatedtwo-hour time slot with one of our WatchGuard techniciansto review your VPN policy, help you configure yourVPN tunnels, and test your VPN configuration. This serviceassumes you have already properly installed and configuredyour Fireboxes.Training and CertificationWatchGuard offers product training, certification, and abroad spectrum of publications to customers and partnerswho want to learn more about network security andWatchGuard products. Designed to quickly bring you up20 WatchGuard Firebox System

Training and Certificationto speed on network security issues and our award-winningproduct line, you will learn exactly what you need todo to protect valuable information assets and make themost of your WatchGuard products. No matter where youare located or which products you own, we have a trainingsolution for you.WatchGuard classroom training is available worldwidethrough an extensive network of WatchGuard CertifiedTraining Partners (WCTPs). WCTPs strengthen our relationshipswith our partners and customers by providingtop-notch instructor-led training in a local setting.WatchGuard offers product and sales certification, focusingon acknowledging the skills necessary to configure,deploy, and manage enterprise security solutions.User Guide 21

Chapter 2: Service and Support22 WatchGuard Firebox System

CHAPTER 3Getting StartedThe WatchGuard Firebox System acts as a barrierbetween your networks and the public Internet, protectingthem from security threats. This chapterexplains how to install the WatchGuard Firebox Systeminto your network. You must complete the followingsteps in the installation process:• Gathering network information• Selecting a firewall configuration model• Setting up the management station• Cabling the Firebox• Running the QuickSetup Wizard• Deploying the Firebox into your networkFor a quick summary of this information, see theWatchGuard Firebox QuickStart Guide included withyour Firebox.NOTEThis chapter is intended for new WatchGuard FireboxSystem installations only. If you have an existingconfiguration, open it with Policy Manager. You will beprompted to convert to the new version.User Guide 23

Chapter 3: Getting StartedBefore installing the WatchGuard Firebox System, checkthe package contents to make sure you have the followingitems:• WatchGuard Firebox security appliance• QuickStart Guide• User documentation• WatchGuard Firebox System CD-ROM• A serial cable (blue)• Three crossover ethernet cables (red)• Three straight ethernet cables (green)• Power cable• LiveSecurity ® Service license keyGathering Network InformationWe encourage you to fill in the following tables in preparationfor completing the rest of the installation process.License KeysCollect your license key certificates. Your WatchGuardFirebox System comes with a LiveSecurity Service key thatactivates your one-year subscription to the LiveSecurityService. For more information on this service, see Chapter2, “Service and Support.” High Availability and Spam-Screen are optional products, and you receive those licensekeys upon purchase. For more information on optionalproducts, see Chapter 1, “Introduction.”24 WatchGuard Firebox System

Gathering Network InformationNetwork addressesOne good way to set up your network is to create twoworksheets: the first worksheet represents your networknow–before deploying the Firebox–and the second representsyour network after the Firebox is deployed. Fill inthe IP addresses in the worksheets below.User Guide 25

Chapter 3: Getting StartedAn example of a network before the Firebox is installedappears in the following figure. In this example, the Internetrouter performs network address translation (NAT) forthe internal network. The router has a public IP address of208.15.15.1, and the private network has an address of192.168.10.0/24. This network also has three public serverswith the addresses 208.15.15.10, 208.15.15.15, and208.15.15.17.26 WatchGuard Firebox System

.Gathering Network InformationThe following figure shows the same example networkwith a Firebox deployed. The IP address of the Internetrouter in the previous figure becomes the IP address of theFirebox’s default gateway. This network uses drop-in configurationbecause the public servers will maintain theirown IP addresses. Drop-in configuration simplifies thesetup of these devices. For more information on this type ofconfiguration, see “Drop-in configuration” on page 30.By configuring the optional interface on the example network,the public servers can be connected directly to theFirebox (because they are on the same subnet as the Firebox).In the example, the secondary network represents the localLAN. Because the trusted interface is being configuredwith the public IP address, a secondary network is addedwith an unassigned private IP address from the local LAN:User Guide 27

Chapter 3: Getting Started192.168.10.1/24. This IP address then becomes the defaultgateway for devices on the local LAN.Selecting a Firewall Configuration ModeBefore installing the WatchGuard Firebox System, youmust decide how to incorporate the Firebox into your network.This decision determines how you will set up thethree Firebox interfaces–external, trusted, and optional.External interfaceConnects to the external network (typically theInternet) that presents the security threat.28 WatchGuard Firebox System

Selecting a Firewall Configuration ModeTrusted interfaceConnects to the private LAN or internal networkthat you want protected.Optional interfaceConnects to the DMZ (Demilitarized Zone) ormixed trust area of your network. Computers onthe optional interface contain content you do notmind sharing with the rest of the world. Commonapplications housed on this interface are Web,email, and FTP servers.To decide how to incorporate the Firebox into your network,select the configuration mode that most closelyreflects your existing network. You must select one of twopossible modes: routed or drop-in configuration.Routed configurationIn a routed configuration, the Firebox is put in place withseparate logical networks and separate network addresseson its interfaces. Routed configuration is used primarilywhen the number of public IP addresses is limited or whenyou have dynamic IP addressing on the external interface.For more information on dynamic IP addressing on theexternal interface, see “Dynamic IP support on the externalinterface” on page 35. Public servers behind the Fireboxuse private addresses, and traffic is routed using networkaddress translation (NAT).User Guide 29

Chapter 3: Getting StartedCharacteristics of a routed configuration:• All interfaces of the Firebox must be on differentnetworks. The minimum setup involves the externaland trusted interfaces.• The trusted and optional interfaces must be onseparate networks and all machines behind the trustedand optional interfaces must be configured with an IPaddress from that network.The benefit of a routed configuration is that the networksare well defined and easier to manage, especially regardingVPNs.Drop-in configurationIn a drop-in configuration, the Firebox is put in place withthe same network address on all Firebox interfaces. Allthree Firebox interfaces must be configured. Because thisconfiguration mode distributes the network’s logical30 WatchGuard Firebox System

Selecting a Firewall Configuration Modeaddress space across the Firebox interfaces, you can “drop”the Firebox between the router and the LAN withoutreconfiguring any local machines. Public servers behindthe Firebox use public addresses, and traffic is routedthrough the Firebox with no network address translation.Characteristics of a drop-in configuration:• A single network that is not subdivided into smallernetworks or subnetted.• The Firebox performs proxy ARP, a technique in whichone host answers Address Resolution Protocol requestsfor machines behind that Firebox that cannot hear thebroadcasts. The trusted interface ARP address replacesthe router’s ARP address.• The Firebox can be placed in a network withoutchanging default gateways on the trusted hosts. This isbecause the Firebox answers for the router, eventhough the router cannot hear the trusted host’s ARPrequests.User Guide 31

Chapter 3: Getting Started• All trusted computers must have their ARP cachesflushed.• The majority of a LAN resides on the trusted interfaceby creating a secondary network for the LAN.The benefit of a drop-in configuration is that you don’thave to reconfigure machines already on a public networkwith private IP addresses. The drawback is that it is generallyharder to manage and is more prone to network problems.Choosing a Firebox configurationThe decision between routed and drop-in mode is based onyour current network. Many networks are best served byrouted mode. However, drop-in mode is recommended ifyou have a large number of public IP addresses, you have astatic external IP address, or you are not willing or able toreconfigure machines on your LAN. The following tablesummarizes the criteria for choosing a Firebox configuration.(For illustrative purposes, it is assumed that the dropinIP address is a public address.)32 WatchGuard Firebox System

Selecting a Firewall Configuration ModeCriterion 1Criterion 2Criterion 3Routed ConfigurationAll interfaces of theFirebox are on differentnetworks. Minimumconfigured are external andtrusted.Trusted and optionalinterfaces must be onseparate networks andmust use IP addressesdrawn from thosenetworks. Both interfacesmust be configured with anIP address on the samenetwork, respectively.Use static NAT to map anypublic addresses to privateaddresses behind thetrusted or optionalinterfaces.Drop-in ConfigurationAll interfaces of theFirebox are on the samenetwork and have the sameIP address (Proxy ARP).Machines on the trusted oroptional interfaces can beconfigured with a public IPaddress.Because machines that arepublicly accessible havepublic IP addresses, nostatic NAT is necessary.Adding secondary networks to yourconfigurationWhether you have chosen routed or drop-in, your configurationmay require that you add secondary networks toany of the three Firebox interfaces. A secondary network isa separate network connected to a Firebox interface by aswitch or hub.User Guide 33

Chapter 3: Getting StartedWhen you add a secondary network, you map an IPaddress from the secondary network to the IP address ofthe Firebox interface. This is known as creating (or adding)an IP alias to the network interface. This IP alias becomesthe default gateway for all the machines on the secondarynetwork. The presence of a secondary network also tellsthe Firebox that another network resides on the Fireboxinterface wire.You add secondary networks in the following two ways:• The QuickSetup Wizard, which is part of theinstallation process, asks you to select the checkbox ifyou have “an additional private network behind theFirebox” when you are entering the IP addresses forthe Firebox interfaces. The additional private networkyou specify becomes the secondary network on thetrusted interface. For more information on theQuickSetup Wizard, see “Running the QuickSetupWizard” on page 40.34 WatchGuard Firebox System

Selecting a Firewall Configuration Mode• After you have finished with the installation, you canadd secondary networks to any interface using PolicyManager, as described in “Adding SecondaryNetworks” on page 64.Dynamic IP support on the external interfaceIf you are supporting dynamic IP addressing, you mustchoose routed configuration.If you choose the Dynamic Host Configuration Protocol(DHCP) option, the Firebox will request its IP address,gateway, and netmask from a DHCP server managed byyour Internet Service Provider (ISP). This server can alsoprovide WINS and DNS server information for your Firebox.If it does not, you must add it manually to your configuration,as described in “Entering WINS and DNSServer Addresses” on page 65. You can also change theWINS and DNS values provided by your ISP, if necessary.Point-to-Point Protocol over Ethernet (PPPoE) is also supported.As with DHCP, the Firebox initiates a PPPoE protocolconnection to your ISP’s PPPoE server, whichautomatically configures your IP address, gateway, andnetmask. However, PPPoE does not propagate DNS andWINS server information as DHCP does.If you are using PPPoE on the external interface, you willneed the PPP user name and password when you set upyour network. Both username and password each have a256-byte capacity.When the Firebox is configured such that it obtains its IPaddresses dynamically, the following functionality (whichrequires a static IP address) is not supported unless you arecertain that the dynamic IP settings sent by your ISP willnot change:• High Availability (not supported on Firebox 500)• Drop-in mode• 1-to-1 NATUser Guide 35

Chapter 3: Getting Started• Enabling the Firebox as a DVCP server• BOVPN using Basic DVCP (not supported on Firebox500 unless you purchase the BOVPN Upgrade)• MUVPN• RUVPN with PPTPRegardless of whether the IP settings are stable, 1-to-1 NATand external aliases are not supported when the Firebox isa PPPoE client, and manual IPSec tunnels are not supportedwhen the Firebox is a DHCP or PPPoE client.Setting Up the Management StationThe management station runs the System Manager software,which displays a real-time monitor of traffic throughthe firewall, connection status, and tunnel status. In addition,the WatchGuard Security Event Processor (WSEP)receives and stores log messages and issues notificationsbased on information it receives from the managementstation.You can designate any computer on your network as themanagement station. On the computer you have chosen,install the management software as follows:1 Insert the WatchGuard Firebox System CD-ROM. If theinstallation wizard does not appear automatically,double-click install.exe in the root directory of theCD.2 Click Download Latest Software on the FireboxSystem Installation screen. This launches your Webbrowser and connects you to the WatchGuard Web site.If you do not have an Internet connection, you can install directlyfrom the CD-ROM. However, you will not be eligible for supportuntil you activate the LiveSecurity Service.3 Follow the instructions on the screen to activate yourLiveSecurity Service subscription.36 WatchGuard Firebox System

Setting Up the Management Station4 Download the WatchGuard Firebox System software.Download time will vary depending on yourconnection speed.Make sure you write down the name and path of the file as yousave it to your hard drive!5 Execute the file you downloaded and follow thescreens to guide you through the installation.The Setup program includes a screen in which you select softwarecomponents or upgrades to be installed. Certain componentsrequire a separate license.For more information on the WebBlocker Server option, seeChapter 15, “Controlling Web Site Access.” For moreinformation on other components or upgrades, see theWatchGuard Web site.6 At the end of the installation wizard, a checkboxappears asking if you want to launch the QuickSetupWizard. You must first cable the Firebox beforelaunching the QuickSetup Wizard.Another checkbox asks if you want to download a newWebBlocker database. You can download the databaseeither now or later. For more information on theWebBlocker database, see Chapter 16, “ControllingWeb Site Access.”Software encryption levelsThe management station software is available in threeencryption levels.BaseUses 40-bit encryptionMediumUses 56-bit DES encryptionStrongUses 128-bit 3DES encryptionThe IPSec standard requires at least a 56-bit encryption. Ifyou want to use virtual private networking with IPSec, youmust download the medium or strong encryption software.User Guide 37

Chapter 3: Getting StartedHigh encryption software is governed by strict exportrestrictions and may not be available for download. Formore information, see the online support resources at:https://support.watchguard.com/advancedfaqs/bovpn_ipsecgrey.asp(You may be prompted to log in first.)Cabling the FireboxCable the Firebox to the management station using a serialcable or over a network using TCP/IP. The recommendedway is using a serial cable.Using a serial cableRefer to the Firebox Rear Panel and Cabling for Provisioningimages on the next page when cabling the Firebox.• Use the blue serial cable to connect the Firebox SerialPort (CONSOLE) to the management station COMport.• Use the red crossover cable to connect the Fireboxtrusted interface to the management station Ethernetport.• Plug the power cord into the Firebox power input andinto a power source.38 WatchGuard Firebox System

Cabling the FireboxUser Guide 39

Chapter 3: Getting StartedUsing TCP/IPRefer to Firebox Rear Panel image on the previous page.• Use the red (crossover) cable to connect the Fireboxtrusted interface to the management station Ethernetport.• Plug the power cord into the Firebox power input andinto a power source.Running the QuickSetup WizardAfter you finish setting up the management station andcabling the Firebox, use the QuickSetup Wizard to create abasic configuration file. The Firebox loads this primaryconfiguration file when it boots. This enables the Firebox tofunction as a simple but immediately effective firewall.The QuickSetup Wizard also writes a basic configurationfile called wizard.cfg to the hard disk of the managementstation. If you later want to expand or change the basicFirebox configuration using Policy Manager, use wizard.cfgas the base file to which you make changes. Formore information on changing a configuration file, seeChapter 5, “Using Policy Manager to Configure Your Network.”You can also run the QuickSetup Wizard again atany time to a create new, basic configuration file.NOTERerunning the QuickSetup Wizard completely replaces theconfiguration file, writing over any prior version. To make abackup copy of the configuration file on the flash disk, see theFirebox System Area chapter in the Reference Guide.If the QuickSetup Wizard is not already launched, launch itfrom the Windows desktop by selecting Start => Programs=> WatchGuard => QuickSetup Wizard.40 WatchGuard Firebox System

Running the QuickSetup WizardProvide the information as prompted by the QuickSetupWizard, referring to the tables and network diagrams in“Gathering Network Information” on page 24.The QuickSetup Wizard takes you through the followingsteps:Select a configuration modeSpecify whether you want a routed or a drop-inconfiguration mode. If you have High Availabilityinstalled, it is recommended that you set this upusing Policy Manager instead of the QuickSetupWizard. For more information on routed or dropin,see “Selecting a Firewall Configuration Mode”on page 28. For information on High Availability,see the High Availability Guide.External interface configuration(Routed configuration only.) Specify static, DHCP,or PPPoE, as explained in “Dynamic IP support onthe external interface” on page 35.Enter the Firebox interface IP address or addressesBased on whether you specified routed or drop-inmode, enter the IP address or addresses for theFirebox interfaces. You can also add a secondarynetwork to your trusted interface by selecting theadditional private network behind the Fireboxcheckbox.Enter the Firebox Default Gateway(Not applicable if using DHCP or PPPoE on theexternal interface.) Enter the IP address of thedefault gateway, which is usually the IP address ofyour Internet router. This IP address must be onthe same network as the Firebox external interface.If the IP address is not on the same network, theQuickSetup Wizard will warn you and askwhether you want to continue.Configure Public Servers(Not applicable if using DHCP or PPPoE onexternal interface.) Select the checkbox and enterUser Guide 41

Chapter 3: Getting Startedthe IP address of any public servers on yournetwork.Firebox Name(DHCP or PPPoE only.) Specify the name used forlogging and identification of a dynamic Firebox.All characters are allowed except blank spaces andforward or back slashes (/ or \). This name doesnot have to be a DNS or host name.Create PassphrasePassphrases are case-sensitive and must be at leastseven characters long. They can be anycombination of letters, numbers, and specialcharacters. You will create two passphrases. Thestatus passphrase is used to establish a read-onlyconnection to the Firebox. The configurationpassphrase is used to establish a read/writeconnection to the Firebox.Select Connection MethodSelect the cabling method used and enter atemporary IP address for the Firebox so that themanagement station can communicate with it tofinish the installation process. This must be anunused IP address on the same network as themanagement station.Testing the connectionAfter you have completed the QuickSetup Wizard, test theconnection to the Firebox through the management station.The Firebox temporary IP address needs to be on the samenetwork as the management station. If not, the managementstation and Firebox cannot communicate, and youwill not be able to use the management station software toview the Firebox activity.You can remove the blue serial cable from the managementstation and Firebox after the QuickSetup Wizard is completed.42 WatchGuard Firebox System

Entering IP addressesRunning the QuickSetup WizardYou generally enter IP addresses into fields that resemblethe one below.When typing IP addresses, type the digits and periods insequence. Do not use the TAB key, arrow key, spacebar, ormouse to jump past the periods. For example, if you aretyping the address 172.16.1.10, do not type a space afteryou type “16” or try to position your cursor past the nextperiod to begin typing “1.” Instead, type a period rightafter “16,” and then type “1.10.”If your address has a network mask, use slash notation toenter it. In slash notation, a single number indicates howmany bits of the IP address identify the network that thehost is on. A netmask of 255.255.255.0 has a slash equivalentof 8+8+8=24. For example, writing 192.168.42.23/24 isthe same as specifying an IP address of 192.168.42.23 with acorresponding netmask of 255.255.255.0. The followingtable shows network masks and slash equivalents.Network maskSlash equivalent255.0.0.0 /8255.255.0.0 /16255.255.255.0 /24255.255.255.128 /25255.255.255.192 /26255.255.255.224 /27255.255.255.240 /28255.255.255.248 /29255.255.255.252 /30User Guide 43

Chapter 3: Getting StartedDeploying the Firebox into Your NetworkCongratulations! You have completed the installation ofyour Firebox. The Firebox can now be used as a basic firewallwith the following properties:• All outgoing traffic is allowed.• All incoming traffic is blocked except ping on theexternal interface.• Logs are sent to the WatchGuard Security EventProcessor on the management station.Complete the following steps to deploy the Firebox intoyour network:• Place the Firebox in its permanent physical location.• Connect the Firebox to your network.• If using a routed configuration, change the defaultgateway setting on all desktops to the Firebox trustedIP address.What’s NextYou have successfully installed, configured, and deployedyour new Firebox System on your network. Here are somethings to remember as a new customer.Customizing your security policyYour organization’s security policy defines who can getinto your network, where they can go, and who can getout. The security policy is enacted by your Firebox’s configurationfile.The configuration file you created using the QuickSetupWizard is only a basic configuration. You should now createa configuration file that meets the requirements of yoursecurity policy. You do this by adding filtered and proxied44 WatchGuard Firebox System

What’s Nextservices, in addition to the basic ones described in the previoussection, that expand what you allow in and out ofyour firewall.Every service brings trade-offs between network securityand accessibility. When selecting services, balance theneeds of your organization with the requirement that computerassets be protected from attack. Some common servicesthat organizations typically add, in addition to theones listed in the previous section, are HTTP (Internet service)and SMTP (email service). Generally, in a new setup,it is recommended that you use only filtered services untilall your system are functional, and then move to proxies asyou become familiar with them, as needed.For more information on services, see Chapter 8, “ConfiguringFiltered Services”, and Chapter 9, “ConfiguringProxied Services.”What to expect from LiveSecurity ® ServiceYour Firebox includes a subscription to our award-winningLiveSecurity Service. Your subscription today:• Ensures up-to-date network protection with the latestsoftware upgrades.• Solves problems with comprehensive technical supportresources.• Prevents downtime with alerts and configuration tipsto combat the newest threats and vulnerabilities.• Develops your expertise with detailed interactivetraining resources.• Extends your network security with bundled software,utilities, and special offers.User Guide 45

Chapter 3: Getting Started46 WatchGuard Firebox System

CHAPTER 4Firebox BasicsThis chapter describes the basic tasks you perform toset up and maintain a Firebox:• Opening a configuration file• Saving a configuration file to a local computer orthe Firebox• Resetting Firebox passphrases• Setting the Firebox time zone• Setting a Firebox friendly nameWhat is a Firebox?A WatchGuard Firebox is a specially designed andoptimized security appliance. Three independent networkinterfaces allow you to separate your protectedoffice network from the Internet while providing anoptional public interface for hosting Web, email, orFTP servers. Each network interface is independentlymonitored and visually displayed on the front of theFirebox.User Guide 47

Chapter 4: Firebox BasicsNOTEThere are no user-serviceable parts within the Firebox. If auser opens a Firebox case, it voids the limited hardwarewarranty.The most common and effective location for a Firebox isdirectly behind the Internet router, as pictured below:Other parts of the network are as follows:Management stationThe computer on which you install and run theWatchGuard Firebox System Manager software.WatchGuard Security Event ProcessorThe computer that receives and stores logmessages and sends alerts and notifications. Youcan configure the management station to also serveas the event processor.48 WatchGuard Firebox System

Opening a Configuration FileTrusted networkThe network behind the firewall that must beprotected from the security challenge.External networkThe network presenting the security challenge,typically the Internet.Optional networkA network protected by the firewall but stillaccessible from the trusted and the externalnetworks. Typically, the optional network is usedfor public servers such as an FTP or Web server.Opening a Configuration FilePolicy Manager is a comprehensive software tool for creating,modifying, and saving configuration files. A configurationfile, with the extension .cfg, contains all the settings,options, addresses, and other information that constituteyour Firebox security policy. When you view the settingsin Policy Manager, you are seeing a “user friendly” versionof your configuration file.This section describes how to open a configuration fileafter one has been created. This assumes you have alreadyrun the QuickSetup Wizard and have a basic configurationfile saved either on the Firebox or on your local hard drive.If you have not run the QuickSetup Wizard, see Chapter 5,“Using Policy Manager to Configure Your Network” forinformation on how to create a basic configuration fromscratch.1 Select Start => Programs => WatchGuard => FireboxSystem Manager.2 If you are prompted to run the QuickSetup Wizard,click Continue.3 If you are prompted to connect to the Firebox, clickCancel.User Guide 49

Chapter 4: Firebox Basics4 From the Firebox Manager, click the PolicyManager icon (shown at right).You can now either open a configuration from theFirebox or from the local hard disk, as explainedin the next two sections.Opening a configuration from the FireboxFrom Policy Manager:1 Select File => Open => Firebox.The Firebox drop-down list, as shown in the following figure,appears.2 Use the Firebox drop-down list to select a Firebox.You can also type in the IP address or host name.3 In the Passphrase text box, type the Firebox status(read-only) passphrase. Click OK.Do not use the configuration passphrase to connect to theFirebox.4 If you want, enter a value in the Timeout field tospecify the duration in seconds that the managementstation waits for a response from the Firebox beforereturning a message indicating that the device isunreachable.Opening a configuration from a local harddisk1 Select File => Open => Configuration File.2 Locate and select the configuration file to open. ClickOpen.50 WatchGuard Firebox System

Saving a Configuration File3 From the New Firebox Configuration dialog box,select the model of Firebox you are connected to.The new configuration file contains defaults for the model ofFirebox specified.Saving a Configuration FileAfter making changes to a configuration file, you caneither save it directly to the Firebox or to a local hard disk.When you save a new configuration directly to the Firebox,Policy Manager might prompt you to reboot the Firebox sothat it will use the new configuration. If the Firebox doesneed to be rebooted, the new policy is not active until therebooting process completes.Saving a configuration to the FireboxFrom Policy Manager:1 Select File => Save => To Firebox.You can also use the shortcut Ctrl+T.2 Use the Firebox drop-down list to select a Firebox.You can also type the IP address or DNS name of the Firebox.When typing IP addresses, type the digits and periods insequence. Do not use the TAB or arrow key to jump past theperiods. For more information on entering IP addresses, see“Entering IP addresses” on page 43.3 Enter the configuration (read/write) passphrase. ClickOK.The configuration file is saved first to the local hard disk and thento the primary area of the Firebox flash disk.User Guide 51

Chapter 4: Firebox Basics4 If you entered the IP address of a different Firebox, youare asked to confirm your choice. Click Yes.The Firebox Flash Disk dialog box, as shown in the followingfigure, appears.5 Select the checkbox marked Save To Firebox. If youwant to make a backup of the current image, select thecheckbox marked Make Backup of Current FlashImage before saving.NOTEIt is not necessary to back up the flash image every time youmake a change to the configuration file. However, if you dochoose this option, you must provide an encryption key. It isespecially important not to forget this key. If you rely on thisfile to recover from a corrupted flash image and do notremember the key, you will not be able to restore the entireflash image. Instead, you will need to reset the Firebox andthen save a new or existing configuration file to it.6 If you are not making a backup, click Continue. If youare making a backup, in the Encryption Key field,52 WatchGuard Firebox System

Resetting Firebox Passphrasesenter the encryption key for the Firebox. In theConfirm field, reenter it to confirm.7 If you are making a backup, in the Backup Image field,enter the path where you want to save the backup ofthe current flash image. Click Continue.Instead of entering the path, you can click Browse to specify thelocation of the backup.8 Enter and confirm the status (read-only) andconfiguration (read/write) passphrases. Click OK.The new image is saved to the Firebox.NOTEMaking routine changes to a configuration file does notrequire a new flash image. Choosing the option marked SaveConfiguration File Only is normally sufficient.Saving a configuration to the managementstation’s local driveFrom Policy Manager:1 Select File => SaveAs => File.You can also use the shortcut Ctrl+S.The Save dialog box appears.2 Enter the name of the file.The default is to save the file to the WatchGuard directory.3 Click Save.The configuration file is saved to the local hard disk.Resetting Firebox PassphrasesWatchGuard recommends that you periodically change theFirebox passphrases for optimum security. To do this, youmust have the current configuration passphrase. From PolicyManager:1 Open the configuration file running on the Firebox.For more information, see “Opening a configuration from theFirebox” on page 50.2 Select File => Save => To Firebox.User Guide 53

Chapter 4: Firebox Basics3 Use the Firebox drop-down list to select a Firebox orenter the Firebox IP address. Enter the configurationpassphrase. Click OK.The Firebox Flash Disk dialog box appears.4 Select the checkbox marked Save To Firebox and theradio button marked Save Configuration File andNew Flash Image. Clear the checkbox marked MakeBackup of Current Flash Image. Click Continue.5 Enter and confirm the new status (read-only) andconfiguration (read/write) passphrases. The status andconfiguration passphrases must be different from oneanother. Click OK.The new image, including the new passphrases, is saved to theFirebox, and the Firebox automatically restarts.Tips for creating secure passphrasesAlthough a persistent attacker can crack any passphraseeventually, you can toughen your passphrases using thefollowing tips:• Don’t use words in standard dictionaries, even if youuse them backward or in a foreign language. Createyour own acronyms instead.• Don’t use proper names, especially company names orthose of famous people.• Use a combination of uppercase and lowercasecharacters, numerals, and special characters (such asIm4e@tiN9).Setting the Firebox ModelAlthough you choose the Firebox model when you start anew configuration file or open an existing one, you canchange the Firebox model at any time:1 From the Setup menu, select Firebox Model.The New Firebox Configuration dialog box appears.54 WatchGuard Firebox System

Setting the Time Zone2 Select the model of the Firebox you are connecting to.The model of the Firebox entered appears at the bottom of thePolicy Manager window.Setting the Time ZoneThe Firebox time zone determines the date and time stampthat appear on logs and that are displayed by services suchas LogViewer, Historical Reports, and WebBlocker. Thedefault time zone is Greenwich Mean Time (CoordinatedUniversal Time).From Policy Manager:1 Select Setup => Time Zone.2 Use the drop-down list to select a time zone. Click OK.Setting a Firebox Friendly NameYou can give the Firebox a friendly name to be used in logfiles and reports. If you do not specify a name, the Firebox’sIP address is used. From Policy Manager:1 Select Setup => Name.The Firebox Name dialog box appears.2 Enter the friendly name of the Firebox. Click OK.All characters are allowed except blank spaces and forward orback slashes (/ or \).User Guide 55

Chapter 4: Firebox Basics56 WatchGuard Firebox System

CHAPTER 5Using PolicyManager toConfigure YourNetworkNormally, you incorporate the Firebox into your networkwhen you run the QuickSetup Wizard, asdescribed in “Running the QuickSetup Wizard” onpage 40. However, you can also create a basic configurationfile from scratch using several functions in PolicyManager.Each of the procedures in this section can also be usedto override any settings you made using the Quick-Setup Wizard. It is recommended that you followthese steps in the following order to make sure that allnecessary information is provided (although not allsteps are required in all installations).• Starting a new configuration file• Setting up Firebox interfaces• Adding secondary networks• Setting up DNS and WINS servers• Setting up the Firebox as a DHCP server• Adding the four basic services to Policy Manager• Configuring routesUser Guide 57

Chapter 5: Using Policy Manager to Configure Your NetworkStarting a New Configuration FileTo start a new configuration file:1 From System Manager, click the PolicyManager button, shown at right.The Policy Manager appears.2 From Policy Manager, select File => New.3 From the New Firebox Configurationdialog box, select the model of Firebox you areconnected to.The new configuration file contains defaults for the modelof Firebox specified.Setting the Firebox Configuration ModeFor information on routed and drop-in configurations, see“Selecting a Firewall Configuration Mode” on page 28.You must decide upon your configuration mode before settingIP addresses for the Firebox interfaces. If you specifyan incorrect IP address, you may run into problems later.Setting IP Addresses of Firebox InterfacesThe way you set the IP addresses for the Firebox interfacesdepends on the configuration mode you have chosen.58 WatchGuard Firebox System

Setting IP Addresses of Firebox InterfacesSetting addresses in drop-in modeIf you are using drop-in mode, all interfaces use the sameIP address:1 Select Network => Configuration.The Network Configuration dialog box appears, as shown in thefollowing figure.2 Select the Configure interfaces in Drop-In modecheckbox, located at the bottom of the dialog box.3 Enter the IP address and default gateway for theFirebox interfaces.When typing IP addresses, type the digits and periods insequence. Do not use the TAB or arrow key to jump past theperiods. For more information on entering IP addresses, see“Entering IP addresses” on page 43.If you are using static PPPoE on your external interface, you alsoneed to enter your PPP user name and password. For moreinformation on PPPoE support, see “Dynamic IP support on theexternal interface” on page 35.User Guide 59

Chapter 5: Using Policy Manager to Configure Your Network4 Select the method for obtaining an IP address: Static,DHCP, or PPPoE.Setting addresses in routed modeIf you are using routed mode, the interfaces must use differentIP addresses. At least two interfaces must have IPaddresses configured.1 Select Network => Configuration.The Network Configuration dialog box appears.2 For each interface, in the IP Address text box, type theaddress in slash notation.When typing IP addresses, type the digits and periods insequence. Do not use the TAB or arrow key to jump past theperiods. For more information on entering IP addresses, see“Entering IP addresses” on page 43.3 For the external interface, enter the default gateway.Setting DHCP or PPPoE Support on theExternal InterfaceFor information on the DHCP and PPPoE options, see“Dynamic IP support on the external interface” on page 35.1 Select Network => Configuration.The Network Configuration dialog box appears.2 Select either DHCP or PPPoE from the Configurationdrop-down list.3 If you enabled PPPoE support, enter the PPP username and password in the fields provided.60 WatchGuard Firebox System

Setting DHCP or PPPoE Support on the External InterfaceConfiguring DHCP or PPPoE supportIf you enable DHCP or PPPoE on the external interface,you can set several optional properties:1 From the Network Configuration dialog box, clickProperties.The Advanced dialog box appears, showing the DHCP or PPPoEtab, as shown in the following figures.User Guide 61

Chapter 5: Using Policy Manager to Configure Your Network2 Set an initialization timeout in the DHCP InitializationTimeout field.3 In the DHCP Device Name field, assign a name to thedevice.The name can be any combination of ASCII numbers and lettersup to 15 characters in length, but spaces are not allowed. It ispreferable to use a name that does not identify the unit as aFirebox or SOHO. Examples of recommended names are PC1003or HomeOffice. Examples of names that are not recommendedare Firebox2 or SOHO6Alpha.NOTEPPPoE debugging generates large amounts of data. Do notenable PPPoE debugging unless you are having connectionproblems and need help from Technical Support.Enabling static PPPoEAlthough an IP address is generally obtained automaticallywhen using PPPoE, static PPPoE is also supported. Toenable static PPPoE, click Use the following IP address,and then enter the IP address and default gateway.Configuring Drop-in ModeIf you selected drop-in mode, you can set several optionalproperties:1 From the Network Configuration dialog box, clickProperties.The Advanced dialog box appears, showing the Drop-In tab, asshown in the following figure.62 WatchGuard Firebox System

Defining External IP Aliases2 Configure the properties in the dialog box.For a description of each control, right-click it and then selectWhat’s This?.Defining External IP AliasesYou use the Aliases button on the Network Configurationdialog box when you are using static NAT. For more information,see “Adding external IP addresses” on page 108.User Guide 63

Chapter 5: Using Policy Manager to Configure Your NetworkAdding Secondary NetworksYour configuration may require that you add secondarynetworks to any of the Firebox interfaces. For more informationon secondary networks, see “Adding secondarynetworks to your configuration” on page 33.1 Select Network => Configuration.The Network Configuration dialog box appears.2 Click the Secondary Networks tab.The Secondary Networks tab appears, as shown in the followingfigure.3 Use the drop-down list in the lower-right portion of thedialog box to select the interface to which you want toadd a secondary network.4 Use the field in the lower-left portion of the dialog boxto type an unused IP address from the secondarynetwork.When typing IP addresses, type the digits and periods insequence. Do not use the TAB or arrow key to jump past theperiods. For more information on entering IP addresses, see“Entering IP addresses” on page 43.64 WatchGuard Firebox System

Entering WINS and DNS Server AddressesNOTECheck secondary network addresses carefully. PolicyManager does not verify that you have entered the correctaddress. WatchGuard strongly recommends that you do notenter a subnet on one interface that is part of a largernetwork on another interface.Entering WINS and DNS Server AddressesSeveral advanced features of the Firebox, such as DHCPand Remote User VPN, rely on shared Windows InternetName Server (WINS) and Domain Name System (DNS)server addresses. These servers must be accessible from theFirebox trusted interface.Make sure you use only an internal DNS server for DHCPand Remote User VPN. Do not use external DNS servers.From Policy Manager:1 Select Network => Configuration. Click the WINS/DNS tab.The WINS/DNS tab appears, as shown in the following figure.2 Enter primary and secondary addresses for the WINSand DNS servers. Enter a domain name for the DNSserver.User Guide 65

Chapter 5: Using Policy Manager to Configure Your NetworkConfiguring Out-of-Band ManagementYou use the OOB tab on the Network Configuration dialogbox to enable the management station to communicatewith a Firebox by way of a modem (not provided with theFirebox) and telephone line. For information on configuringout-of-band management, see Chapter 17, “Connectingwith Out-of-Band Management.”Defining a Firebox as a DHCP ServerDynamic Host Configuration Protocol (DHCP) is an Internetprotocol that simplifies the task of administering alarge network. A device defined as a DHCP server automaticallyassigns IP addresses to network computers froma defined pool of numbers. You can define the Firebox as aDHCP server for the customer network behind the firewall.One parameter that you define for a DHCP server is leasetimes. This is the amount of time a DHCP client can use anIP address that it receives from the DHCP server. When thetime is close to expiring, the client contacts the DHCPserver to renew the lease.Note that the Firebox should not be used to replace anenterprise DHCP server. If you already have a DHCPserver configured, you should continue to use that serverfor DHCP.From Policy Manager:1 Select Network => DHCP Server.The DHCP Server dialog box appears, as shown in the followingfigure.66 WatchGuard Firebox System

Defining a Firebox as a DHCP Server2 Select the Enable DHCP Server checkbox.3 Enter the default lease time for the server.The default lease time is provided to clients that do notspecifically request times.4 Enter the maximum lease time.The maximum lease time is the longest time the server willprovide for a client. If a client requests a longer time, the requestis denied and the maximum lease time is provided.Adding a new subnetTo make available (private) IP addresses accessible toDHCP clients, add a subnet. To add a new subnet, youspecify a range of IP addresses to be assigned to clients onthe network. For example, you could define the addressrange from 10.1.1.10 to 10.1.1.19 to give clients a pool of 10addresses. From Policy Manager:1 Select Network => DHCP Server.2 Click Add.The DHCP Subnet Properties dialog box appears, as shown in thefollowing figure.User Guide 67

Chapter 5: Using Policy Manager to Configure Your Network3 In the Subnet box, type the subnet’s IP address; forexample, 10.1.1.0/24.4 Define the address pool by entering values for Startand End fields.5 Click OK.Modifying an existing subnetYou can modify an existing subnet; however, you shouldbe aware that doing so can cause problems. If you modifythe subnet and then reboot the client, the Firebox mayreturn an IP address that does not work with certaindevices or services. From Policy Manager:1 Select Network => DHCP Server.2 Click the subnet to review or modify. Click Edit.3 The DHCP Subnet Properties dialog box appears.4 When you have finished reviewing or modifying thesubnet, click OK.Removing a subnetYou can remove an existing subnet; however, you shouldbe aware that doing so can cause problems. If you removethe subnet and then reboot the client, the Firebox mayreturn an IP address that does not work with certaindevices or services. From Policy Manager:1 Select Network => DHCP Server.2 Click the subnet to remove it. Click Remove.68 WatchGuard Firebox System

Adding Basic Services to Policy Manager3 Click OK.Adding Basic Services to Policy ManagerAfter you have set up IP addressing, add the following servicesto Policy Manager to give your Firebox some basicfunctionality.NOTEThe WatchGuard service is particularly important. If youomit it from your configuration or misconfigure it, you willlock yourself out of the Firebox.1 On the Policy Manager toolbar, click theAdd Services icon (shown at right).2 Click the plus (+) sign to the left of thePacket Filters and Proxies folders toexpand them.A list of pre-configured filters or proxies appears.3 Under Packet Filters, click WatchGuard.4 Click the Add button at the bottom of the dialog box.5 Click OK in the Add Service dialog box.6 Click OK to close the Properties dialog box.7 Repeat steps 3—6 for the Ping, FTP, and Outgoingservices.At this stage, do not change the default settings for any ofthese basic services. The default settings allow all trafficoutbound and deny all traffic inbound. Later, you can goback and modify the services in Policy Manger to best fityour security needs.If you need more detailed information on how to add services,see “Adding a service” on page 117.User Guide 69

Chapter 5: Using Policy Manager to Configure Your NetworkConfiguring RoutesA route is the sequence of devices that network traffic takesfrom its source to its destination. A router is a devicewithin a route that determines the next point to which trafficshould be forwarded toward its destination. Each routeris connected to at least two networks. A packet may travelthrough a number of network points with routers beforearriving at its destination.The Firebox supports the creation of static routes in orderto pass traffic from any of its three interfaces to a router.The router can then pass traffic to the appropriate destinationaccording to its specific routing policies.For more information on routing issues, see the followingFAQ:http://support.watchguard.com/advancedfaqs/general_routers.aspThe WatchGuard user’s forum is also a good source ofinformation on routing information. Log in to your LiveSecurityaccount for more details.Defining a network routeDefine a network route if you have an entire networkbehind the router. Enter the network IP address, includingslash notation. From Policy Manager:1 Select Network => Routes.The Setup Routes dialog box appears.2 Click Add.The Add Route dialog box appears, as shown in the followingfigure.70 WatchGuard Firebox System

Configuring Routes3 Click the Net option.4 Enter the network IP address.5 In the Gateway text box, enter the IP address of therouter.Be sure to specify an IP address that is on one of the samenetworks as the Firebox.6 Click OK.The Setup Routes dialog box lists the newly configured networkroute.7 Click OK.The route data is written to the configuration file.Defining a host routeDefine a host route if there is only one host behind therouter. Enter the IP address of that single, specific host,without slash notation. From Policy Manager:1 Select Network => Routes.The Setup Routes dialog box appears.2 Click Add.The Add Route dialog box appears.3 Click the Host option.4 Enter the host IP address.5 In the Gateway text box, enter the IP address of therouter.Be sure to specify an IP address that is on one of the samenetworks as the Firebox.6 Click OK.The Setup Routes dialog box lists the newly configured hostroute.User Guide 71

Chapter 5: Using Policy Manager to Configure Your Network7 Click OK.The route data is written to the configuration file.72 WatchGuard Firebox System

CHAPTER 6Managing andMonitoring theFireboxThe WatchGuard Firebox System Manager combinesaccess to WatchGuard Firebox System applicationsand tools in one intuitive interface. System Manageralso includes a real-time monitor of traffic through thefirewall, as well as a number of monitoring tools.This chapter also describes HostWatch, an applicationthat provides a real-time display of active connectionson a Firebox.Starting System Manager and Connecting to aFireboxFrom the Windows Desktop:1 Select Start => Programs => WatchGuard => FireboxSystem Manager.2 If you have not yet configured your Firebox, clickQuickSetup to start the QuickSetup Wizard, asUser Guide 73

Chapter 6: Managing and Monitoring the Fireboxexplained in the QuickStart Guide included with yourFirebox. Otherwise, click Continue.The Connect to Firebox dialog box appears. You can connect to aFirebox at this point, or you can cancel the Connect to Fireboxdialog box and connect to a Firebox later.3 If you want to connect to a Firebox at this time, use theFirebox drop-down list to select a Firebox.You can also type the IP address or DNS name of the Firebox.When typing IP addresses, type the digits and periods insequence. Do not use the TAB or arrow key to jump past theperiods. For more information on entering IP addresses, see“Entering IP addresses” on page 43.4 Enter the Firebox status (read-only) passphrase.5 Click OK.The Front Panel tab of the Firebox System Manager appears.Viewing Basic Firebox StatusThe System Manager initially displays the informationshown in the following figure.74 WatchGuard Firebox System

Viewing Basic Firebox StatusThe top part of the display just below the title bar containsseveral buttons for performing basic operations andlaunching Firebox System applications:Open the main menu for System Manager. (This isalso referred to as the Main Menu button.)Pause the display (appears only when connected toFirebox)Connect to Firebox (appears only when not connectedto Firebox)Launch Policy ManagerLaunch LogViewerLaunch HostWatchCreate Historical ReportsFor more information on launching these applications, see“Launching Firebox Applications” on page 85.Viewing basic indicatorsOn the left side of System Manager is a representation ofthe front panel of the Firebox, shown on the following figure,including the Security Triangle Display, traffic volumeindicator, processor load indicator, and basic status information.User Guide 75

Chapter 6: Managing and Monitoring the FireboxThe lights on the display represent those found on the frontpanel of the Firebox. The triangle shows the predominantflows of traffic among the trusted, external, and optionalinterfaces. A red corner of the triangle is lit when that interfaceis blocking packets. The two bar graphs indicate trafficvolume and the proportion of Firebox capacity being used.For more information on the front panel, see the followingFAQ:https://support.watchguard.com/advancedfaqs/fbhw_lights.aspFirebox and VPN tunnel statusThe section in System Manager to the right of the frontpanel shows the current status of the Firebox and of branchoffice and remote user VPN tunnels.Firebox StatusThe following information is displayed under Firebox Status,as shown in the following figure:• Status of the High Availability option. When properlyconfigured and operational, the IP address of thestandby box appears. If High Availability is installed76 WatchGuard Firebox System

Viewing Basic Firebox Statusbut the secondary Firebox is not responding, thedisplay indicates “Not Responding.”• The IP address of each Firebox interface, and theconfiguration mode of the External interface.• Status of the CA (root) certificate and the IPSec (client)certificate.If you expand the entries under Firebox Status, as shown inthe following figure, you can view:• IP address of the default gateway and netmask.• MAC (Media Access Control) address of each interface.• Number of packets sent and received since the Fireboxrebooted.• Expiration date and time of root and IPSec certificates.• CA fingerprint. This is used to detect man-in-themiddleattacks. For more information, see “DetectingMan-in-the-Middle Attacks” on page 183.User Guide 77

Chapter 6: Managing and Monitoring the FireboxBranch Office VPN TunnelsBeneath Firebox Status is a section on BOVPN tunnels, inwhich two categories of these types of tunnels appear:IPSec and DVCP.The figure below shows an expanded entry for a BOVPNtunnel. The information displayed, from top to bottom, is:• The name assigned to the tunnel during its creation,along with the IP address of the destination IPSecdevice (such as another Firebox, SOHO, or SOHO|tc),and the tunnel type (IPSec or DVCP). If the tunnel isDVCP, the IP address refers to the entire remotenetwork address rather than that of the Firebox orequivalent IPSec device.78 WatchGuard Firebox System

Viewing Basic Firebox Status• The amount of data sent and received on the tunnel inboth bytes and packets.• The time at which the key expires and the tunnel isrenegotiated. Expiration can be expressed as a timedeadline or in bytes passed. DVCP tunnels that havebeen configured for both traffic and time deadlineexpiration thresholds display both; this type of tunnelexpires when either event occurs first (time runs out orbytes are passed).• Authentication and encryption levels set for the tunnel.• Routing policies for the tunnel.Remote VPN TunnelsFollowing the branch office VPN tunnels is an entry forremote VPN tunnels, which includes Mobile User VPN(with IPSec) or RUVPN with PPTP tunnels.If the tunnel is Mobile User VPN, the branch displays thesame statistics as for the DVCP or IPSec Branch Office VPNdescribed previously: the tunnel name, followed by thedestination IP address, followed by the tunnel type. Beloware the packet statistics, followed by the key expiration,authentication, and encryption specifications.If the tunnel is RUVPN with PPTP, the display shows onlythe quantity of sent and received packets. Byte count andtotal byte count are not applicable to PPTP tunnel types.Expanding and collapsing the displayTo expand a branch of the display, click the plus sign (+)next to the entry, or double-click the name of the entry. Tocollapse a branch, click the minus sign (—) next to the entry.A lack of either a plus or minus sign indicates that no furtherinformation about the entry is available.Red exclamation pointA red exclamation point appearing next to any item indicatesthat something within its branch is not communicat-User Guide 79

Chapter 6: Managing and Monitoring the Fireboxing properly with the Firebox management station. Forexample, a red exclamation point next to the Firebox entryindicates that a Firebox is not communicating with eitherthe WatchGuard Security Event Processor (WSEP) or managementstation. A red exclamation point next to a tunnellisting indicates a tunnel is down.When you expand an entry that has a red exclamationpoint, another exclamation point appears next to the specificdevice or tunnel with the problem. Use this feature torapidly identify and locate problems in your VPN network.Monitoring Firebox TrafficTo view log messages generated by the Firebox, click theTraffic Monitor tab. For more information about messagesdisplayed, see the following collection of FAQs:https://support.watchguard.com/advancedfaqs/log_main.asp80 WatchGuard Firebox System

Monitoring Firebox TrafficSetting the maximum number of log entriesYou can change the maximum number of log entries thatare stored and viewable on the Traffic Monitor tab. Afterthe maximum is reached, the earliest logs are removed asmore come in. A high value in this field places a largedemand on your system if you have a slow processor or alimited amount of RAM. In this situation, LogViewer is amuch more appropriate tool for tracking logs than the trafficmonitor in System Manager.1 Click the Main Menu button. Click Settings.2 Type or use the scroll control to change the Max LogEntries field. Click OK.The value entered represents the number of logs in thousands. Ifyou enter zero (0) in this field, the maximum number of logs(3,000) is permitted.Displaying entries in colorYou can specify that the log entries appear in different colorsaccording to the type of information they show:1 Click the Main Menu button. Click Settings. Click theSyslog Color tab.2 To enable displaying entries in color, select thecheckbox marked Display Logs in Color. You can alsoenable and disable color by right-clicking any entry inthe traffic monitor and selecting Colorize.3 On the Allow, Deny, or Message tab, click the field youwant to colorize.The Text Color field to the right of the tabs shows the currentcolor defined for the field.4 To change the color, click the arrow next to Text Color.Click one of the 20 colors on the palette.The information contained in this field will appear in the newcolor on Traffic Monitor. A sample of how the Traffic Monitorwill look appears on the bottom of the dialog box.5 You can also choose a background color for the trafficmonitor. Click the arrow next to Background Color.Click one of the 20 colors on the palette.User Guide 81

Chapter 6: Managing and Monitoring the Firebox6 To cancel the changes you have made in this dialog boxsince opening it, click Reset to Defaults.Copying messages to another applicationTo copy a log message so you can paste it into anotherapplication such as email or Notepad, right-click the messageand select Copy Selection. You can then open up theother application and paste in the message.Copying or analyzing deny messagesYou can use several tools to copy and analyze deny messages:• To copy a deny message and paste it into anapplication, use the procedure in the previous section.• To copy the source or destination IP address of a denymessage so you can paste it into another application,right-click the message, select Source IP => Copy orDestination IP => Copy.• To issue the ping command to a source or destinationIP address of a deny message, right-click the messageand select Source IP => Ping or Destination IP => Ping.(When you issue this command, you are prompted toenter the configuration passphrase.)• To issue a traceroute command to a source ordestination IP address of a deny message, right-clickthe message and select Source IP => Trace Route orDestination IP => Trace Route. (When you issue thiscommand, you are prompted to enter the configurationpassphrase.)Performing Basic Tasks with System ManagerThe basic tasks you perform with System Manager are:• Running the QuickSetup Wizard82 WatchGuard Firebox System

Performing Basic Tasks with System Manager• Flushing the ARP cache• Connecting to a Firebox• Changing the interval at which the Firebox is queriedfor status information• Getting Help on the Web• Opening other Firebox System applicationsRunning the QuickSetup WizardNormally, you will run the QuickSetup Wizard when youfirst install your Firebox. However, you can run it fromSystem Manager as well.1 Click the Main Menu button (shown at right),which is located on the upper-left corner ofSystem Manager.2 Select QuickSetup Wizard.The QuickSetup Wizard begins. For more information on runningthe QuickSetup Wizard, see the QuickStart Guide included withyour Firebox.Flushing the ARP cacheThe ARP (Address Resolution Protocol) cache on the Fireboxstores hardware (MAC) addresses of TCP/IP hosts.This cache is checked for hardware address mappingbefore an ARP broadcast is initiated. Flushing the ARPcache is important when your network has a drop-in configuration:all trusted computers must have their ARPcaches flushed.To flush out-of-date cache entries:1 Click the Main Menu button (shown at right).Select Management => Flush ARP Cache.2 Enter the Firebox configuration (read/write)passphrase.The out-of-date cache entries are flushed.User Guide 83

Chapter 6: Managing and Monitoring the FireboxConnecting to a FireboxWhen launched, System Manager automatically promptsyou to connect to the last Firebox with which it establisheda connection. You can connect to that Firebox or you canspecify a different one. From System Manager:1 Click the Main Menu button (shown at right).Select Connect.The Connect to Firebox dialog box appears.2 Use the Firebox drop-down list to select a Firebox.You can also type the IP address or DNS name of the Firebox.When typing IP addresses, type the digits and periods insequence. Do not use the TAB or arrow key to jump past theperiods. For more information on entering IP addresses, see“Entering IP addresses” on page 43.3 Enter the Firebox status passphrase.4 Click OK.System Manager connects to the Firebox and displays its realtimestatus.Changing the polling rateYou can change the interval of time (in seconds) at whichSystem Manager polls the Firebox and updates the FrontPanel and the Firebox and Tunnel Status displays. There is,however, a trade-off between polling frequency anddemand on the Firebox. The shorter the interval, the moreaccurate the display, but also the more demand made ofthe Firebox.1 Click the Main Menu button. Click Settings.2 Type or use the scroll control to change the polling rate.Click OK.Getting Help on the WebYou can access additional information about the Watch-Guard Firebox System from System Manager. Click theMain Menu button. Click On the Web. The menu has thefollowing options:84 WatchGuard Firebox System

Performing Basic Tasks with System ManagerHome PageSelect to bring up the WatchGuard home page at:http://www.watchguard.comLiveSecurity Service LogonSelect to log in to the LiveSecurity Service. Formore information on this service, see Chapter 2,“Service and Support.”Training and CertificationSelect to bring up the WatchGuard Training andCertificate page at:http://www.watchguard.com/training/Activate LiveSecurity ServiceSelect to activate LiveSecurity Service. For moreinformation on this service, see Chapter 2, “Serviceand Support.”Launching Firebox ApplicationsYou launch the following applications from the toolbar atthe top of System Manager:Policy ManagerLogViewerHostWatchHistorical ReportsWatchGuard Security Event ProcessorLaunching Policy ManagerUse the WatchGuard Policy Manager tool to design,configure, and manage the network security policy. WithinPolicy Manager, you can configure networks and services,set up virtual private networking, regulate incoming andoutgoing access, and control logging and notification.User Guide 85

Chapter 6: Managing and Monitoring the FireboxLaunching LogViewerThe LogViewer application displays a static view ofa log file. You can filter by type, search for keywords andfields, and print and save log data to a separate file. Formore information, see “Reviewing and Working with LogFiles” on page 221.Launching HostWatchThe HostWatch application displays active connectionsoccurring on a Firebox in real time. It can also graphicallyrepresent the connections listed in a log file, eitherplaying back a previous file for review or displaying connectionsas they are added to the current log file. For moreinformation, see “HostWatch” on page 167.Launching Historical ReportsHistorical Reports is a report-building tool that createsHTML reports displaying session types, most activehosts, most used services, URLs, and other data useful inmonitoring and troubleshooting your network. For moreinformation, see “Generating Reports of Network Activity”on page 235.Opening the WSEP user interfaceThe WatchGuard Security Event Processor (WSEP)controls logging, report schedules, and notification.It also provides timing services for the Firebox.The WSEP automatically runs when you start themachine on which it is installed.Unlike other Firebox System applications, the WSEP buttondoes not appear in System Manager. To open the WSEP,right-click the WatchGuard Security Event Processor icon86 WatchGuard Firebox System

Viewing Bandwidth Usage(shown above) in the Windows Desktop tray. Click WSEPStatus/Configuration. For more information, see “Settingup the WatchGuard Security Event Processor” on page 207.If the WSEP icon is not displayed in the Windows desktoptray, click the Main Menu button. Select Tools => Logging=> Event Processor Interface.Viewing Bandwidth UsageClick the Bandwidth Meter tab to view real-time bandwidthusage for all Firebox interfaces. The display differentiatesby color each interface being graphed.To configure the colors used on this display:1 Click the Main Menu button, and select Settings.2 Click the Bandwidth Meter tab. Adjust the settings asappropriate.User Guide 87

Chapter 6: Managing and Monitoring the FireboxViewing Number of Connections by ServiceThe ServiceWatch tab on the System Manager display,shown in the following figure, graphs the number of connectionsby service, providing a service-centric view of networkactivity. The y axis shows the number of connectionsand the x axis shows time. The display differentiates bycolor each service being graphed.To configure the services that appear and how they are displayed:1 Click the Main Menu button, and select Settings.2 Click the Service Watch tab. Adjust the settings asappropriate.Viewing Details on Firebox ActivityThe Status Report tab on System Manager provides anumber of statistics on Firebox activity.NOTEWhenever the Status Report display refreshes, the viewreverts back to the top of the report.88 WatchGuard Firebox System

Viewing Details on Firebox ActivityFirebox uptime and version informationThe time range on the statistics, the Firebox uptime, andthe WatchGuard Firebox System software version.Current UTC time (GMT): Thu May 1 17:03:44 2003+----- Time Statistics (in GMT) ---------------| Statisticsfrom Thu Sep 20 17:03:02 2001 to Thu Sep 20 17:03:44 2001| Up since Tue Sep 11 17:54:34 2001 (8 days, 23:09)| Last network change Tue May 13 17:54:32 2003+----------------------------------------------WatchGuard,Copyright (C) 1996-2000 WGTIFirebox Release: mainline_devDriver version: 5.0.B769Daemon version: 5.0.B769Sys_B Version: 4.61.B730BIOS Version: 59b96cb13a2be4f4257197add3413ab5 SicilySerial Number: 103100033Product Type: FBIII 1000 300Mhz 64MBProduct Options: hifnPacket countsThe number of packets allowed, denied, andrejected between status queries. Rejected packetsare denied packets for which the Firebox sends anICMP error message.Allowed: 5832Denied: 175Rejects: 30Log hostsThe IP addresses of the log host or hosts.Log host(s): 206.148.32.16Network configurationStatistics about the network cards detected withinthe Firebox, including the interface name, itshardware and software addresses, and its netmask.In addition, the display includes local routinginformation and IP aliases.Network Configuration:lo local 127.0.0.1 network 127.0.0.0 netmask 255.0.0.0eth0 local 192.168.49.4 network 192.168.49.0 netmask255.255.255.0 outside (set)eth1 local 192.168.253.1 network 192.168.253.0 netmask255.255.255.0User Guide 89

Chapter 6: Managing and Monitoring the FireboxBlocked Sites listThe current manually blocked sites, if any.Temporarily blocked site entries appear on theBlocked Sites tab.Blocked listnetwork 10.0.0.0/8 permanentnetwork 172.16.0.0/12 permanentnetwork 192.168.0.0/16 permanentSpoofing informationThe IP addresses of blocked hosts and networks. If“none” is listed, the Firebox rejects these packets onall of its interfaces.Spoofing infoBlock Host 255.255.255.255 noneBlock Network 0.0.0.0/8 noneBlock Host 123.152.24.17 noneLogging optionsLogging options configured with either theQuickSetup Wizard or by adding and configuringservices from Policy Manager.Logging optionsOutgoing tracerouteIncoming traceroute logged(warning) notifies(traceroute)hostileOutgoing pingIncoming pingAuthentication host informationThe types of authentication being used and the IPaddress of the authentication server.AuthenticationUsing local authentication for Remote User VPN.Using radius authentication from 103.123.94.22:1645.MemoryStatistics on the memory usage of the currentlyrunning Firebox. Numbers shown are bytes ofmemory.Memory:total: used: free: shared: buffers: cached:Mem: 65032192 25477120 39555072 9383936 9703424 362905Load averageThe number of jobs in the run queue averaged over1, 5, and 15 minutes. The fourth number pair is the90 WatchGuard Firebox System

Viewing Details on Firebox Activitynumber of active processes per number of totalprocesses running, and the last number is the nextprocess ID number.Load Average:0.04 0.06 0.09 2/21 6282ProcessesThe process ID, the name of the process, and thestatus of the process, as shown in the figure on thenext page. (These codes appear under the columnmarked “S.”)• R – Running• S – Sleeping• Z – ZombieThe other fields are as follows:• RSS – Actual amount of RAM the process is using.• SHARE – Amount of memory that can be shared bymore than one process.• TIME – Total CPU time used.• (CPU) – Percentage of CPU time used.• PRI – Priority of process.• (SCHED) – The way the process is scheduled.PID NAME S RSS SHARE TIME (CPU) PRI(SCHED)1 init S 1136 564 148:41.84 ( 0) 99(round robin)2 kflushd S 0 0 0:00.02 ( 0) 0(nice)3 kswapd S 0 0 0:00.00 ( 0) 0(fifo)55 nvstd S 800 412 1:27.76 ( 0) 98(round robin)92 dvcpsv S 1284 628 3:33.43 ( 0) 2(round robin)4287 iked S 1364 744 3:08.55 ( 0) 3(round robin)71 fbr_mapper S 256 176 0:00.16 ( 0) 98(round robin)75 sslsrvd S 1648 976 0:00.37 ( 0) 0(nice)73 fblightd S 464 308 3927:05.75 ( 5) 0(nice)User Guide 91

Chapter 6: Managing and Monitoring the Firebox74 /bin/logger S 1372 592 1:29.72 ( 0) 99(round robin)94 ppp-ttyS2 S 804 456 0:00.74 ( 0) 0(nice)78 firewalld R 2076 1248 307:29.75 ( 0) 98(round robin)79 liedentd S 708 356 0:00.03 ( 0) 0(nice)80 dvcpd S 1152 576 57:00.26 ( 0) 0(nice)82 fwcheck S 860 408 0:01.82 ( 0) 99(round robin)95 /opt/bin/rbcast S 784 372 0:39.47 ( 0) 3(round robin)86 authentication S 1112 496 0:02.21 ( 0) 3(round robin)90 pswatch S 904 376 0:00.10 ( 0) 0(nice)91 netdbg S 828 372 0:00.05 ( 0) 0(nice)96 /opt/bin/dns-proxy S 800 400 0:00.72 ( 0) 0(nice)InterfacesEach network interface is displayed in this section,along with detailed information regarding itsstatus and packet count:Interfaces:loLink encap:Local Loopbackinet addr:127.0.0.1 Bcast:127.255.255.255Mask:255.0.0.0UP BROADCAST LOOPBACK RUNNING MTU:3584Metric:0RX packets:0 errors:0 dropped:0 overruns:0frame:0TX packets:0 errors:0 dropped:0 overruns:0carrier:0Collisions:0eth0Link encap:Ethernet HWaddr 00:90:7F:1E:79:84inet addr:192.168.49.4 Bcast:192.168.49.255Mask:255.255.255.0UP BROADCAST RUNNING MULTICAST MTU:1500Metric:192 WatchGuard Firebox System

Viewing Details on Firebox ActivityRX packets:3254358 errors:0 dropped:0overruns:0 frame:0TX packets:1662288 errors:0 dropped:0overruns:0 carrier:0Collisions:193Interrupt:11 Base address:0xf000eth0:0 Link encap:Ethernet HWaddr00:90:7F:1E:79:84inet addr:192.168.49.5 Bcast:192.168.49.255Mask:255.255.255.0UP BROADCAST RUNNING MULTICAST MTU:1500Metric:1RX packets:3254358 errors:0 dropped:0overruns:0 frame:0TX packets:1662288 errors:0 dropped:0overruns:0 carrier:0eth1Collisions:193Link encap:Ethernet HWaddr 00:90:7F:1E:79:85inet addr:192.168.253.1Bcast:192.168.253.255 Mask:255.255.255.0UP BROADCAST RUNNING MULTICAST MTU:1500Metric:2RX packets:6305057 errors:0 dropped:0overruns:0 frame:0TX packets:7091295 errors:0 dropped:0overruns:0 carrier:0Collisions:0Interrupt:10 Base address:0xec00ipsec0 Link encap:UNSPEC HWaddr 00-90-7F-1E-79-84-00-10-00-00-00-00-00-00-00-00inet addr:192.168.49.4 Bcast:192.168.49.255Mask:255.255.255.0UP BROADCAST RUNNING NOARP MULTICASTMTU:1400 Metric:5RX packets:0 errors:0 dropped:0 overruns:0frame:0TX packets:0 errors:0 dropped:0 overruns:0carrier:0Collisions:0User Guide 93

Chapter 6: Managing and Monitoring the FireboxThe interfaces used in this section are as follows:eth0 - External (public) interfaceeth1 - Trusted (internal) interfaceeth2 - Optional (DMZ) interfaceipsec0 - IPSec virtual interfaceeth0:0 - Interface aliasfbd0 - Virtual interface used for DVCP VPN tunnelnegotiationpptp0, 1, 2, etc - PPTP virtual VPN interfaceslo - loopback interfacewgd0 - External (public) IP address when theFirebox is set up for PPPoE support. (Because alltraffic passing over this interface is PPPoE- specific,the IP address that appears is a placeholder valueonly and can be ignored.)RoutesThe Firebox kernel routing table. These routes areused to determine which interface the Firebox usesfor each destination address.RoutesKernel IP routing tableDestination Gateway Genmask Flags MSSWindow Use Iface207.54.9.16 * 255.255.255.240 U 1500 058 eth0207.54.9.48 * 255.255.255.240 U 1500 019 eth1198.148.32.0 * 255.255.255.0 U 1500 0129 eth1:0127.0.0.0 * 255.0.0.0 U 3584 09 lodefault 207.54.9.30 * UG 1500 095 eth094 WatchGuard Firebox System

Viewing Details on Firebox ActivityARP tableA snapshot of the ARP table on the runningFirebox. The ARP table is used to map IP addressesto hardware addresses.ARP TableAddress HWtype HWaddress Flags MaskIface207.23.8.32 ether 00:20:AF:B6:FA:29 C *eth1207.23.8.52 ether 00:A0:24:2B:C3:E6 C *eth1207.23.8.21 ether 00:80:AD:19:1F:80 C *eth0201.148.32.54 ether 00:A0:24:4B:95:67 C *eth1:0201.148.32.26 ether 00:A0:24:4B:98:7F C *eth1:0207.23.8.30 ether 00:A0:24:79:96:42 C *eth0For more information on the status report page, see the followingFAQ:https://support.watchguard.com/advancedfaqs/log_statusall.aspAuthentication listThe Authentication List tab displays the host IP addressesand user names of everyone currently authenticated to theFirebox. If you are using DHCP, the IP address—to—username mapping may change whenever machines restart.User Guide 95

Chapter 6: Managing and Monitoring the FireboxBlocked Site listThe Blocked Site List tab lists the IP addresses (in slashnotation) of any external sites that are temporarily blockedby port space probes, spoofing attempts, address spaceprobes, or another event configured to trigger an autoblock.Next to each blocked site is the expiration time on the temporaryauto-block. You can adjust the auto-blocking valuefrom the Blocked Sites dialog box available through PolicyManager.To remove a site from this list, right-click it andselect Remove Blocked Site. If the display is in continuousrefresh mode (that is, if the Continue button–shownat right–on the toolbar is active),selecting a site on the list stops the refresh mode.If you opened the Firebox with the status (read-only) passphrase,System Manager prompts you to enter the configuration(read/write) passphrase before removing a site fromthe list.96 WatchGuard Firebox System

HostWatchHostWatchHostWatch is a real-time display of active connectionsoccurring on a Firebox. It can also graphically represent theconnections listed in a log file, either playing back a previousfile for review or displaying connections as they arelogged into the current log file. HostWatch provides graphicalfeedback on network connections between the trustedand external networks as well as detailed informationabout users, connections, and network address translation.The HostWatch display uses the logging settings configuredwith Policy Manager. For instance, to see all deniedincoming Telnet attempts in HostWatch, configure the Fireboxto log incoming denied Telnet attempts.The line connecting the source host and destination host iscolor-coded to display the type of connection being made.These colors can be changed. The defaults are:• Red – The connection is being denied.• Blue – The connection is being proxied.• Green – The connection is using network addresstranslation (NAT).• Black – The connection falls into none of the firstthree categories.Representative icons appear next to the server entries forHTTP, Telnet, SMTP, and FTP.Name resolution might not occur immediately when youfirst start HostWatch. As names are resolved, HostWatchreplaces IP addresses with host or usernames, dependingon the display settings. Some machines might neverresolve and the IP addresses remain in the HostWatch window.To start HostWatch, click the HostWatch icon(shown at left) on the Firebox System Manager.User Guide 97

Chapter 6: Managing and Monitoring the FireboxHostWatch displayAs shown in the following figure, the upper pane of theHostWatch display is split into two sides, Inside and Outside.Double-click an item on either side to produce a popupwindow displaying detailed information about currentconnections for the item, such as IP addresses, port number,connection type, and direction.The lower pane displays the same information in tabularform, in addition to ports and the time the connection wasestablished.Connecting HostWatch to a FireboxFrom HostWatch:1 Select File => Connect.Or, on the Hostwatch toolbar, click the Connect icon(shown at right).2 Use the Firebox drop-down list to select aFirebox.You can also type the Firebox name or IP address.98 WatchGuard Firebox System

HostWatch3 Enter the Firebox status passphrase. Click OK.Replaying a log file in HostWatchYou can replay a log file in HostWatch in order to troubleshootand retrace a suspected break-in. From HostWatch:1 Select File => Open.Browse to locate and select the log file.By default, log files are stored in the WatchGuardinstallation directory at C:\ProgramFiles\WatchGuard\logs with the extension .wgl.HostWatch loads the log file and begins to replay theactivity.2 To pause the display, click Pause (shown at upperright).3 To restart the display, click Continue (shown atright).4 To step through the display one entry at a time,click the Pause icon. Click the right arrow to stepforward through the log. Click the left arrow to stepbackward through the log.Controlling the HostWatch displayYou can selectively control the HostWatch display. Thisfeature can be useful for monitoring the activities of specifichosts, ports, or users. From HostWatch:1 Select View => Filters.2 According to what you want to monitor, click theInside Hosts, Outside Hosts, Ports, or AuthenticatedUsers tab.3 Clear the checkbox marked Display All Hosts,Display All Ports, or Display All AuthenticatedUsers.4 Enter the IP address, port number, or user ID you wantto monitor. Click Add.Repeat for each entity that HostWatch should monitor.5 Click OK.User Guide 99

Chapter 6: Managing and Monitoring the FireboxModifying HostWatch view propertiesYou can change how HostWatch displays information. Forexample, HostWatch can display host names rather than IPaddresses. From HostWatch:1 Select View => Properties.2 Use the Host Display tab to modify host display andtext options.For a description of each control, right-click it and then selectWhat’s This?.3 Use the Line Color tab to choose colors for lines drawnbetween denied, dynamic NAT, proxy, and normalconnections.4 Use the Misc. tab to control the refresh rate of the realtimedisplay and the maximum number of connectionsdisplayed.100 WatchGuard Firebox System

CHAPTER 7Configuring NetworkAddress TranslationNetwork address translation (NAT) protects your networkby hiding its internal structure. It also providesan effective way to conserve public IP addresses whenthe number of addresses is limited.At its most basic level, NAT translates the address of apacket from one value to another. The “type” of NATperformed refers to the method of translation:Dynamic NATAlso called IP masquerading or port addresstranslation. The Firebox either globally, or on aservice-by-service basis, applies its public IPaddress to outgoing packets instead of usingthe IP address of the session behind theFirebox.Static NATAlso called port forwarding. Static NAT workson a port-to-host basis. Incoming packets fromthe external network destined for a specificpublic address and port are remapped to anaddress and port behind the firewall. Youmust configure each service separately forUser Guide 101

Chapter 7: Configuring Network Address Translationstatic NAT. Typically, static NAT is used for publicservices that do not require authentication such asWeb sites and email.1-to-1 NATThe Firebox uses private and public IP ranges thatyou specify, rather than the ranges assigned to theFirebox interfaces during configuration.Choosing which type of NAT to perform depends on theunderlying problem being solved, such as those regardingaddress security or preservation of public IP addresses. Formore information on NAT, see the following collection ofFAQs:https://support.watchguard.com/advancedfaqs/nat_main.aspDynamic NATDynamic NAT is the most commonly used form of NAT. Itworks by translating the source IP address of outboundsessions (those originating on the internal side of the Firebox)to the one public IP address of the Firebox. Hosts elsewhereonly see outgoing packets from the Firebox itself.This type of NAT is most commonly used to conserve IPaddresses. It allows multiple computers to access the Internetby sharing one public IP address. Even if the number ofpublic IP addresses is not a concern, dynamic NAT providesextra security for internal hosts that use the Internetby allowing them to use non-routable addresses.The WatchGuard Firebox System implements two forms ofoutgoing dynamic NAT:Simple dynamic NATUsing host aliases or host and network IPaddresses, the Firebox globally applies networkaddress translation to every outgoing packet. Thisis the most commonly used type of NAT.102 WatchGuard Firebox System

Using Simple Dynamic NATService-based dynamic NATEach service is configured individually foroutgoing dynamic NAT.NOTEMachines making incoming requests over a VPN connectionare allowed to access masqueraded hosts by their actualprivate addresses.Using Simple Dynamic NATIn the majority of networks, the preferred security policy isto globally apply network address translation to all outgoingpackets. Simple dynamic NAT provides a quickmethod to set a NAT policy for your entire network. Formore information on this type of NAT, see the followingFAQ:https://support.watchguard.com/advancedfaqs/nat_howdynamicnat.aspEnabling simple dynamic NATThe default configuration of simple dynamic NAT enablesit from all non-routable addresses to the external network.From Policy Manager:1 Select Setup => NAT.The NAT Setup dialog box appears, as shown in the followingfigure.2 Select the checkbox marked Enable Dynamic NAT.The default dynamic entries are:• 192.168.0.0/16 - External• 172.16.0.0/12 - External• 10.0.0.0/8 - ExternalUser Guide 103

Chapter 7: Configuring Network Address TranslationAdding simple dynamic NAT entriesUsing built-in host aliases, you can quickly configure theFirebox to masquerade addresses from your trusted andoptional networks. If trusted hosts are already covered bythe default, non-routable ranges, no additional entries areneeded:• From: Trusted• To: ExternalThe default dynamic entries are listed in the previous section.Larger or more sophisticated networks may require additionalentries in the From or To lists of hosts or host aliases.The Firebox applies dynamic NAT rules in the order inwhich they appear in the Dynamic NAT Entries list. Watch-Guard recommends prioritizing entries based on the volumeof traffic that each represents. From the NAT Setupdialog box:1 Click Add.2 Use the From drop-down list to select the origin of theoutgoing packets.For example, use the trusted host alias to globally enable networkaddress translation from the Trusted network. For a definition ofbuilt-in Firebox aliases, see “Using Aliases” on page 162. Formore information on how to add a user-defined host alias, see“Adding an alias” on page 163.104 WatchGuard Firebox System

Using Simple Dynamic NAT3 Use the To drop-down list to select the destination ofoutgoing packets.4 To add either a host or network IP address, click the ...button. Use the drop-down list to select the addresstype. Enter the IP address or range. Network addressesmust be entered in slash notation.When typing IP addresses, type the digits and periods insequence. Do not use the TAB or arrow key to jump past theperiods. For information on entering IP addresses, see “EnteringIP addresses” on page 43.5 Click OK.The new entry appears in the Dynamic NAT Entries list.Reordering simple dynamic NAT entriesTo reorder dynamic NAT entries, select the entry and clickeither Up or Down. There is no method to modify adynamic NAT entry. Instead, use the Remove button toremove existing entries and the Add button to add newentries.Specifying simple dynamic NAT exceptionsYou can set up ranges of addresses in dynamic NAT so thateach address in that range is a part of the NAT policy. Byusing the dynamic NAT exceptions option you can excludecertain addresses from that policy.From Policy Manager:1 Select Setup => NAT.The NAT Setup dialog box appears.2 Click Advanced.The Advanced NAT Settings dialog box appears.3 Click the Dynamic NAT Exceptions tab.4 Click Add.The Add Exception dialog box appears.5 In the From and To boxes, select Trusted, Optional,dvcp_nets, or dvcp_local_nets.The latter two choices are aliases for VPN Manager and appearif your Firebox is configured as a DVCP client. dvcp_nets refersto networks behind the DVCP client and dvcp_local_nets refers toUser Guide 105

Chapter 7: Configuring Network Address Translationnetworks behind the DVCP server. Under normal circumstances,you should not make dynamic NAT exceptions for these networks.6 Click the button next to the From box and enter thevalue of the host IP address, network IP address, orhost range. Click OK.7 Click OK to close the Advanced NAT Settings dialogbox.NOTEDynamic NAT exceptions allow the configuration ofexceptions to both forms of dynamic NAT. You will need tomake dynamic NAT exceptions for any 1-to-1 NAT addressthat would otherwise be subject to dynamic NAT.Using Service-Based Dynamic NATUsing service-based dynamic NAT, you can set outgoingdynamic NAT policy on a service-by-service basis. ServicebasedNAT is most frequently used to make exceptions to aglobally applied simple dynamic NAT entry.For example, use service-based NAT on a network withsimple NAT enabled from the trusted to the optional networkwith a Web server on the optional network thatshould not be masqueraded to the actual trusted network.Add a service icon allowing Web access from the trusted tothe optional Web server, and disable NAT. In this configuration,all Web access from the trusted network to the Webserver is made with the true source IP, and all other trafficfrom trusted to optional is masqueraded.You can also use service-based NAT instead of simpledynamic NAT. Rather than applying NAT rules globally toall outgoing packets, you can start from the premise that nomasquerading takes place and then selectively masqueradea few individual services.106 WatchGuard Firebox System

Using Service-Based Dynamic NATEnabling service-based dynamic NATService-based NAT is not dependent on enabling simpledynamic NAT. From Policy Manager:1 Select Setup => NAT. Click Advanced.2 Select the checkbox marked Enable Service-BasedNAT.3 Click OK to close the Advanced NAT Settings dialogbox. Click OK to close the NAT Setup dialog box.Configuring service-based dynamic NATBy default, services take on whatever dynamic NAT propertiesyou have set for simple NAT. However, you canoverride this setting in the service’s Properties dialog box.You have three options:Use Default (Simple NAT)Service-based NAT is not enabled for the service.The service uses the simple dynamic NAT rulesconfigured in the Dynamic NAT Entries list, asexplained in “Adding simple dynamic NATentries” on page 104.Disable NATDisables dynamic NAT for outgoing packets usingthis service. Use this setting to create service-byserviceexceptions to outgoing NAT.Enable NATEnables service-based dynamic NAT for outgoingpackets using this service regardless of how thesimple dynamic NAT settings are configured.From Policy Manager:1 Double-click the service icon. Click Outgoing.2 Use the Choose Dynamic NAT Setup drop-down listto select either the default (simple dynamic NAT),disable, or enable setting. Click OK.User Guide 107

Chapter 7: Configuring Network Address TranslationConfiguring a Service for Incoming Static NATFor more information on static NAT, see the followingFAQs:https://support.watchguard.com/advancedfaqs/nat_whenstatic.asphttps://support.watchguard.com/advancedfaqs/nat_outin.aspAdding external IP addressesStatic NAT converts a Firebox public IP and port into specificdestinations on the trusted or optional networks. Ifyou want to use an address other than that of the externalinterface itself, you must designate a new public IP addressusing the Add External IP dialog box. From Policy Manager:1 Select Network => Configuration. Click the Aliasesbutton.The Add External IP dialog box appears.2 At the bottom of the dialog box, enter the public IPaddress. Click Add.3 Repeat until all external public IP addresses are added.Click OK.Setting static NAT for a serviceStatic NAT, like service-based NAT, is configured on a service-by-servicebasis. Because of the way static NAT functions,it is available only for services based upon TCP orUDP, which use a specific port. A service containing anyother protocol cannot use incoming static NAT, and theNAT button in the service’s Properties dialog box is disabled.Static NAT also cannot be used with the Any ser-108 WatchGuard Firebox System

Configuring a Service for Incoming Static NATvice. See the following FAQ before configuring static NATfor a service:https://support.watchguard.com/advancedfaqs/nat_outin.asp1 Double-click the service icon in the Services Arena.The service’s Properties dialog box appears displaying theIncoming tab.2 Use the Incoming drop-down list to select Enabledand Allowed.To use static NAT, the service must allow incoming traffic.3 Under the To list, click Add.The Add Address dialog box appears.4 Click NAT.The Add Static NAT dialog box appears, as shown in thefollowing figure.5 Use the External IP Address drop-down list to selectthe “public” address to be used for this service.If the public address does not appear in the drop-down list, clickEdit to open the Add External IP dialog box and add the publicaddress.6 Enter the internal IP address.The internal IP address is the final destination on the Trustednetwork.7 If appropriate, select the checkbox marked Set internalport to different port than service.This feature is rarely required. It enables you to redirect packetsnot only to a specific internal host but also to an alternative port.If you select the checkbox, enter the alternative port number inthe Internal Port field.8 Click OK to close the Add Static NAT dialog box.The static NAT route appears in the Members and Addresses list.9 Click OK to close the Add Address dialog box. ClickOK to close the services’s Properties dialog box.User Guide 109

Chapter 7: Configuring Network Address TranslationUsing 1-to-1 NAT1-to-1 NAT uses a global NAT policy that rewrites andredirects packets sent to one range of addresses to a completelydifferent range of addresses. This address conversionworks in both directions. You can configure anynumber of 1-to-1 NAT addresses.A common reason to use 1-to-1 NAT is to map public IPaddresses to internal servers without needing to renumberthose servers. 1-to-1 NAT is also used for VPNs in whichthe remote network’s IP addressing scheme conflicts withthe local scheme. By translating the local network to arange that is not in conflict with the other end, both sidescan communicate. For more information on 1-to-1 NAT, seethe following FAQ:https://support.watchguard.com/advancedfaqs/nat_onetoone.aspEach NAT policy contains four configurable pieces of information:• The interface (External, Trusted, Optional, IPSec)• The public IP address• The internal IP address• The number of hosts to remapThe NAT base plus the range defines the NAT region whilethe real base plus the range defines the hidden or forwardedregion.For instance, the following policy:210.199.6.0–192.168.69.0:255 (NAT base to real baserange)means that all traffic addressed to hosts between210.199.6.0 and 210.199.6.255 is forwarded to the correspondingIP address between 192.168.69.0 and192.168.69.255.110 WatchGuard Firebox System

Using 1-to-1 NATA one-to-one mapping exists between each NAT addressand the forwarded (real) IP address: 210.199.6.0 becomes192.168.69.0.From Policy Manager:1 Select Setup => NAT.The NAT Setup dialog box appears.2 Click Advanced.The Advanced NAT Settings dialog box appears.3 Click the 1-to-1 NAT Setup tab.4 Select the checkbox marked Enable 1-1 NAT.5 Click Add.The 1-1 Mapping dialog box appears, as shown in the followingfigure.6 Select the appropriate interface (external, trusted,optional, or IPSec).7 Enter the number of hosts to be translated.8 In the NAT base field, enter the base address for theexposed NAT range.This will generally be the public IP address that will appearoutside the Firebox.9 In the Real base field, enter the base address for thereal IP address range. Click OK.This will generally be the private IP address directly assigned tothe server or client.10 Click the Dynamic NAT Exceptions tab.You must make dynamic NAT exceptions for any internal addressbeing used for 1-to-1 NAT; otherwise, the address will betranslated using dynamic NAT instead of 1-to-1 NAT.11 Click Add.The Add Exception dialog box appears.User Guide 111

Chapter 7: Configuring Network Address Translation12 In the To box, select the appropriate interface. In mostcases, you will choose the external interface.The dvcp_ choices are aliases for VPN Manager and appear ifyour Firebox is configured as a DVCP client. dvcp_nets refers tonetworks behind the DVCP client and dvcp_local_nets refers tonetworks behind the DVCP server.13 Click the button next to the From box and enter thevalue of the real IP address range, as entered in step 9.Click OK.14 Click OK to close the Advanced NAT Settings dialogbox. Click OK to close the NAT Setup dialog box.Proxies and NATThis table identifies each proxy and what types of NAT itsupports.SimpledynamicStaticService-based1-to-1HTTP yes yes yes yesSMTP yes yes yes yesFTP yes yes yes yesDCE-RPC yes no no noH323 no no no noRTSP yes yes no noRealNetworks no no no no112 WatchGuard Firebox System

CHAPTER 8Configuring FilteredServicesYou add filtered services–in addition to proxied services–tocontrol and monitor the flow of IP packetsthrough the Firebox. Services can be configured foroutgoing and incoming traffic, and they can be activeor inactive. When you configure a service, you set theallowable traffic end points and determine the filterrules and policies for each of these services. You canalso create services to customize rule sets, destinations,protocols, ports used, and other parameters.With both packet filters and proxies, you can determinewhich hosts within your LAN and on the Internetcan communicate with each other through thatprotocol, which events to log (such as rejected incomingpackets), and which series of events should initiatea notification of the network administrator.For information on the different types of servicesavailable, see Chapter 3, “Types of Services,” in theReference Guide. For information specifically on proxiedservices, see Chapter 9, “Configuring Proxied Services,”in this manual. See also the Services FAQ onthe WatchGuard Web site:User Guide 113

Chapter 8: Configuring Filtered Serviceshttps://support.watchguard.com/advancedfaqs/svc_main.aspSelecting Services for your Security PolicyObjectivesThe WatchGuard Firebox System, like most commercialfirewalls, discards all packets that are not explicitlyallowed, often stated as “that which is not explicitlyallowed is denied.”This stance protects against attacks based on new, unfamiliar,or obscure IP services. It also provides a safety netregarding unknown services and configuration errorswhich could otherwise threaten network security. This alsomeans that for the Firebox to pass any traffic, it must beconfigured to do so. You must actively select the servicesand protocols allowable, configure each one as to whichhosts can send and receive them, and set other propertiesindividual to the service.Every service brings tradeoffs between network securityand accessibility. When selecting services, balance theneeds of your organization with the requirement that computerassets be protected from attack.Incoming service guidelinesEnabling incoming services creates a conduit into your network.The following are some guidelines for assessingsecurity risks as you add incoming services to a Fireboxconfiguration:• A network is only as secure as the least secure serviceallowed into it.• Services you do not understand should not be trusted.• Services with no built-in authentication and those notdesigned for use on the Internet are risky.114 WatchGuard Firebox System

Selecting Services for your Security Policy Objectives• Services that send passwords in the clear (FTP, telnet,POP) are very risky.• Services with built-in strong authentication (such asssh) are reasonably safe. If the service does not havebuilt-in authentication, you can mitigate the risk byusing user authentication with that service.• Services such as DNS, SMTP, anonymous FTP, andHTTP are safe only if they are used in their intendedmanner.• Allowing a service to access only a single internal hostis safer than allowing the service to access several or allhosts.• Allowing a service from a restricted set of hosts issomewhat safer than allowing the service fromanywhere.• Allowing a service to the optional network is safer thanallowing it to the trusted network.• Allowing incoming services from a virtual privatenetwork (VPN), where the organization at the otherend is known and authenticated, is generally safer thanallowing incoming services from the Internet at large.Each safety precaution you implement makes your networksignificantly safer. Following three or four precautionsis much safer than following one or none.Outgoing service guidelinesIn general, the greatest risks come from incoming services,not outgoing services. There are, however, some securityrisks with outgoing services as well. Control of outgoingservices helps to protect your network from hostile actswithin your organization. For example, when configuringthe outgoing FTP service, you can make it read-only and/or restrict the destination hosts that can receive such atransmission. This prevents insiders from using FTP totransmit corporate secrets to a home computer or to a rivalorganization.User Guide 115

Chapter 8: Configuring Filtered ServicesAs another example, passwords used for some services(FTP, telnet, POP) are sent in the clear. If the passwords arethe same as those used internally, a hacker can hijack thatpassword and use it to gain access to your network.Adding and Configuring ServicesYou add and configure services using Policy Manager. TheServices Arena of Policy Manager contains icons that representthe services (filtered and proxied) currently configuredon the Firebox, as shown in the following figure. Youcan choose from many filtered and proxied services. Theseservices are configurable for outgoing or incoming traffic,and they can also be made active or inactive. When configuringa service, you set the allowable traffic sources anddestinations, as well as determine the filter rules and policiesfor the service. You can create services to customizerule sets, destinations, protocols, ports used, and otherparameters.You can also add unique or custom services. However, ifyou do, take steps to permit only the traffic flow in that servicethat is absolutely essential.Normal View of the Services ArenaTo display the detailed view of the Services Arena,select the Details icon (shown at right) at the far116 WatchGuard Firebox System

Adding and Configuring Servicesright of the toolbar. The detailed view appears, as shown inthe following figure.Detailed View of the Services ArenaTo return to the normal view of the Services Arena,select the Large Icons button (shown at right).Configurable parameters for servicesSeveral service parameters can be configured:Sources and DestinationsYou use separate controls for configuring incomingand outgoing traffic. The outgoing controls(sources) define entries in the From lists whileincoming controls (destinations) define entries inthe To lists.Logging and NotificationEach service has controls that enable you to selectwhich events for that service are logged, andwhether you want to be notified of these events.Adding a serviceYou use Policy Manager to add existing, preconfigured filteringand proxied services to your configuration file.User Guide 117

Chapter 8: Configuring Filtered ServicesTo add a new service to your firewall policy:1 On the Policy Manager toolbar, click the AddServices icon (shown at right).You can also select, from the menu bar, Edit => AddService. The Services dialog box appears, as shown in thefollowing figure. You use this dialog box to add, modify, andremove the filtered and proxed services you want.2 Expand either the Packet Filters or Proxies folder byclicking the plus (+) sign to the left of the folder.A list of pre-configured filters or proxies appears.3 Click the name of the service you want to add.When you click a service, the service icon appears in the areabelow the New, Edit, and Remove buttons. Also, the Details boxdisplays basic information about the service.4 Click Add.The Add Service dialog box appears, as shown in the followingfigure.118 WatchGuard Firebox System

Adding and Configuring Services5 (Optional) You can customize both the name and thecomments that appear when the service is beingconfigured. Click in the Name or Comment box andtype the name or comment you want.6 Click OK.The service’s Properties dialog box appears. For information onconfiguring service properties see, “Defining Service Properties”on page 124.7 Click OK to close the Properties dialog box.You can add more than one service while the Services dialog boxis open.8 Click Close.The new service appears in Policy Manager Services Arena.Adding multiple services of the same typeIn developing a security policy for your network, youmight want to add the same service more than once. Forexample, you might need to restrict Web access for themajority of your users while allowing complete Web accessto your executive team. To do this, you would create twoseparate HTTP services with different properties for theoutgoing rule.1 Add the first service, as described in steps 1 — 4 in“Adding a service” on page 117.2 Modify the name of the service to reflect its role withinyour security policy and add any relevent comments.Using the example of separate HTTP services describedpreviously, you might call the first HTTP service“restricted_web_access.”User Guide 119

Chapter 8: Configuring Filtered Services3 Click OK to bring up the service’s Properties dialogbox and define outgoing properties, as described in“Adding service properties” on page 125.Using the previous example, you might add an alias called“staff,” which includes a range of IP addresses or group ofauthenticated users. For more information on aliases, see “UsingAliases” on page 162.4 Add the second HTTP service.Using the previous example, you might call this second HTTPservice “full_web_access.”5 Click OK to bring up the service’s Properties dialogbox and define outgoing properties, as described in“Adding service properties” on page 125.Using the previous example, you might add an alias called“executives.”NOTEBe careful to avoid creating conflicting services; for example,one HTTP service that allows incoming traffic while the otheris set to deny incoming traffic.Creating a new serviceIn addition to built-in filtered services provided by Watch-Guard, you can create a new service or customize an existingservice. You might need to do this when a new productappears on the market that you would like to run behindyour firewall. Remember, however, that every new serviceyou configure and add to your firewall potentiallyincreases your vulnerability to hackers.From Policy Manager:1 On the Policy Manager toolbar, click the AddServices icon (shown at right).The Services dialog box appears.2 Click New.The New Service dialog box appears, as shown in the followingfigure.120 WatchGuard Firebox System

Adding and Configuring Services3 In the Name text box, type the name of the service.This name must be unique and not already listed in the Servicesdialog box.4 In the Description text box, type a description of theservice.This description appears in the Details section of the NewServices dialog box when you select the service.5 To begin setting the port used for this service, clickAdd.The Add Port dialog box appears.6 From the Protocol drop-down list, select the protocolused for this new service. The following options areavailable:TCPTCP-based servicesUDPUDP-based servicesHTTPServices examined by the HTTP proxyIPFilter a service using something other than TCP (IPprotocol 6) or UDP (IP protocol 17) for the nextlevelprotocol. Select IP to create a protocol numberservice.User Guide 121

Chapter 8: Configuring Filtered Services7 In the Client Port text box, select an option from thedrop-down list. Note that you can select a range ofport numbers. The following options are available:IgnoreSource port can be any number (0—65565). (If youare not sure which port setting to use, choose thisoption.)SecureSource port can range from 0—1024.PortSource port must be identical to the destinationport, as listed in the Port number field of thedestination service’s Properties dialog box,Properties tab (shown below).ClientSource port can range from 1025—65565.8 In the Port field, enter the port number. If you areentering a range, enter the lowest number of the range.9 In the To field, enter the highest number of the range.(If you are not entering a range, leave this field blank.)10 Click OK.Policy Manager adds the port configuration to the New Servicedialog box. An example of how this dialog box might lookappears in the following figure. Verify that the name, description,and configuration of this service are correct. If necessary, clickAdd to configure an additional port for this service. Repeat theprocess until all ports for the service are configured.122 WatchGuard Firebox System

Adding and Configuring Services11 Click OK.The Services dialog box appears with the new service displayedunder the User Filters folder. You can now add the custom serviceto the Services Arena just as you would an existing service.12 In the Services dialog box, expand the User Filterfolder, and then click the name of the service. ClickAdd and then click OK to close the Add Service dialogbox. Click OK to close the Properties dialog box. ClickClose to close the Services dialog box.The icon of the new service appears in the Services Arena.Deleting a serviceFrom Policy Manager:1 In the Services Arena, click the icon of the service youwant to delete.2 On the toolbar, click the Delete Service icon(shown at right).You can also select Edit => Delete or right-click the iconand select Delete.3 When asked to confirm, click Yes.The service is removed from the Services Arena.4 Save the configuration to the Firebox and reboot theFirebox. To do this, select File => Save => To Firebox.Enter the configuration passphrase when prompted. InUser Guide 123

Chapter 8: Configuring Filtered Servicesthe dialog box that appears, select the Save to Fireboxcheckbox.Defining Service PropertiesYou use the service’s Properties dialog box to configure theincoming and outgoing access rules for a given service.The Incoming tab defines:• The sources on the external network that use thisservice to initiate sessions with your protected users,hosts, and networks.• The destinations behind the Firebox to which incomingtraffic for this service can be bound.The Outgoing tab defines:• The sources behind the Firebox that use this service toinitiate sessions with an outside destination.• The destinations on the external network to whichoutgoing traffic for this service can be bound.In a given direction, a service can be in one of three states:DisabledThe traffic is handled by any other rules that mightapply to it. If none exists, the packets are denied bydefault packet handling and logged as such. Youcan make any service a one-directional filter byselecting Disabled on either the Incoming orOutgoing tab. This is generally used whenconfiguring multiple policies for the same service,such as HTTP.Enabled and DeniedNo traffic is allowed through this service, andpackets for this service will be blocked. The servicelogs the attempts to connect to it.124 WatchGuard Firebox System

Defining Service PropertiesEnabled and AllowedTraffic is allowed through this service in theselected direction according to the From and Toproperties.Accessing a service’s Properties dialog boxWhen you add a service, the service’s Propertiesdialog box automatically appears. You can bringup an existing service’s Properties dialog boxeither by double-clicking the service icon in the ServicesArena or by selecting the services icon and clicking the EditService icon (shown at right).Adding service propertiesThe method used to add incoming and outgoing serviceproperties is identical. Select the tab, click the Add buttonfor either the From or the To member list, and then definethe members for the category. The direction of traffic determineshow you select members of the From and To lists.Tab Member DefinesListIncoming From External users or hosts that the servicewill allow inIncoming To Destinations within the trustednetwork that can receive packetsthrough the serviceOutgoing From Users and hosts on the trusted networkthat can send packets out through theserviceOutgoing To Destinations on the external networkto which traffic for this service can befoundUser Guide 125

Chapter 8: Configuring Filtered ServicesAdding addresses or users to servicepropertiesBoth the Incoming and Outgoing properties include Fromand To address lists. Use the Add Address dialog box toadd a network, IP address, or specific user to a given service.1 In the Properties dialog box, use the Incoming serviceConnections Are drop-down list to select Enabled andAllowed.2 Click either the Incoming tab or Outgoing tab. Clickthe Add button underneath the From or the To list.The Add Address dialog box appears, as shown in the followingfigure.3 Click Add Other.The Add Member dialog box appears.4 From the Choose Type drop-down list, click the type ofaddress, range, host name, or user you want to add.5 In the Value text box, type the actual address, range, orname. Click OK.The member or address appears in the Selected Members andAddresses list.126 WatchGuard Firebox System

Defining Service Properties6 Click OK.The new selection appears in either the Incoming or Outgoing tabunder the appropriate From or To box.Working with wg_iconsService icons beginning with “wg_” are created automaticallywhen you enable features such as PPTP and authentication.Because the wg_ service icons rarely requiremodification, WatchGuard recommends leaving wg_ iconsin their default settings.The following wg_ services are available:wg_authenticationAdded when you enable authentication.wg_dhcp_serverAdded when you enable the DHCP server.wg_pptpAdded when you enable PPTP.wg_dvcpAdded when the device has been inserted intoVPN Manager.wg_sohomgtAdded when you enable the DVCP server.wg_caAdded when you enable the DVCP server, whichalso configures the Firebox as a certificateauthority.The wg_ icons appear in the Services Arena when youselect View => Hidden Services such that a checkmarkappears next to the menu option. To hide the wg_ icons,select View => Hidden Services again such that the checkmarkdisappears.User Guide 127

Chapter 8: Configuring Filtered ServicesCustomizing logging and notificationThe WatchGuard Firebox System allows you to create customlogging and notification properties for each filteredservice, proxied service, and blocking option. This level offlexibility allows you to fine-tune your security policies,logging only those events that require your attention andlimiting notification to truly high-priority events.You use the Logging and Notification dialog box to configurethe services, blocking categories, and packet handlingoptions you want. Consequently, once you master the controlsfor one type of service, the remainder are easy to configure.From the Properties dialog box:1 Click the Incoming tab.2 Click Logging.The Logging and Notification dialog box appears, as shown in thefollowing figure.3 Enable the options you want, as described below.The Logging and Notification dialog box contains the followingcontrols:CategoryThe list of event types that can be logged by theservice or option. This list changes depending on128 WatchGuard Firebox System

Defining Service Propertiesthe service or option you’ve selected. You click theevent name to display and set its properties.Enter it in the logWhen you select this checkbox, an entry appears inthe log file each time someone on the externalnetwork uses the service incorrectly. For example,if someone attempts to send a packet to an addressother than the host IP address you specified whendefining service properties, the packet is deniedand an entry made in the log file.Send notificationWhen you select this checkbox, a notification issent every time packets are denied. You setnotification criteria using the WatchGuard SecurityEvent Processor (WSEP). For more information, see“Customizing Logging and Notification by Serviceor Option” on page 215.The remaining controls are active when you select theSend notification checkbox:EmailTriggers an email message when the event occurs.Set the email recipient in the Notification tab of theWatchGuard Security Event Processor (WSEP) userinterface.PagerTriggers an electronic page when the event occurs.The Firebox must have a PCMCIA modem and beconnected to a phone service to make outgoingcalls. (If the pager is accessible by email, you canenable notification by email and then enter theemail address of the pager in the appropriate field.)Popup windowBrings up a window when the event occurs.User Guide 129

Chapter 8: Configuring Filtered ServicesCustom programRuns a program when the event occurs. Enter thepath of the executable file in the box provided, orbrowse to specify a path.Launch interval and repeat count work in conjunction tocontrol notification timing. For more information on thissetting, see “Setting Launch Interval and Repeat Count” onpage 217.Service PrecedencePrecedence is generally given to the most specific serviceand descends to the most general service. However, exceptionsexist. There are three different precedence groups forservices:• The “Any” service (see the Reference Guide for moreinformation about the “Any” filtered service). Thisgroup has the highest precedence.• IP and ICMP services and all TCP/UDP services thathave a port number specified. This group has thesecond highest precedence and is the largest of thethree.• “Outgoing” services that do not specify a port number(they apply to any port). This group includes OutgoingTCP, Outgoing UDP, and Proxy.“Multiservices” can contain subservices of more than oneprecedence group. “Filtered-HTTP” and “Proxied-HTTP,”for example, contain both a port-specific TCP subservicefor port 80 as well as a nonport subservice that covers allother TCP connections. When precedence is being determined,individual subservices are given precedenceaccording to their group (described previously) independentof the other subservices contained in the multiservice.Precedence is determined by group first. As shown in thefollowing diagram, services from a higher precedence130 WatchGuard Firebox System

Service Precedencegroup always have higher precedence than the services ofa lower precedence group, regardless of their individualsettings. For example, because the “Any” service is in thehighest precedence group, all incidences of the “Any” servicewill take precedence over the highest precedence Telnetservice.The precedences of services that are in the same precedencegroup are ordered from the most specific services(based on source and destination targets) to the least specificservice. The method used to sort services is based onthe specificity of targets, from most specific to least specific.User Guide 131

Chapter 8: Configuring Filtered ServicesThe following order is used:From To RankIP IP 0List IP 1IP List 2List List 3Any IP 4IP Any 5Any List 6List Any 7Any Any 8IP refers to exactly one host IP addressList refers to multiple host IP addresses, a network address, oran aliasAny refers to the special “Any” target (not “Any” services)When two icons are representing the same service (forexample, two Telnet icons or two Any icons), they aresorted using the above tables. The most specific one willalways be checked first for a match. If a match is not made,the next specific service will be checked, and so on, untileither a match is made or no services are left to check. Inthe latter case, the packet is denied. For example, if thereare two Telnet icons, telnet_1 allowing from A to B andtelnet_2 allowing from C to D, a Telnet attempt from C to Ewill first check telnet_1, and then telnet_2. Because nomatch is found, the rest of the rules are considered. If anoutgoing service allows from C to E, it will do so.When only one icon is representing a service in a precedencecategory, only that service is checked for a match. Ifthe packet matches the service and both targets, the servicerule applies. If the packet matches the service but fails tomatch either target, the packet is denied. For example, ifone Telnet icon allows from A to B, a Telnet attempt from Ato C will be blocked without considering any services fur-132 WatchGuard Firebox System

Service Precedencether down the precedence chain, including outgoing services.For more information on outgoing services, see the followingFAQ:https://support.watchguard.com/advancedfaqs/svc_outgoing.aspUser Guide 133

Chapter 8: Configuring Filtered Services134 WatchGuard Firebox System

CHAPTER 9Configuring ProxiedServicesProxy filtering goes a step beyond packet filtering byexamining a packet’s content, not just the packet’sheader. Consequently, the proxy determines whether aforbidden content type is hidden or embedded in thedata payload. For example, an email proxy examinesall SMTP packets to determine whether they containforbidden content types, such as executable programsor items written in scripting languages. Such items arecommon methods of transmitting computer viruses.The SMTP proxy knows these content types are notallowed, while a packet filter would not detect theunauthorized content in the packet’s data payload.Proxies work at the application level, while packet filterswork at the network and transport protocol level.In other words, each packet processed by a proxy isstripped of all network wrapping, analyzed,rewrapped, and forwarded to the intended destination.This adds several layers of complexity and processingbeyond the packet filtering process. What thismeans, of course, is that proxies use more processingbandwidth than packet filters. On the other hand, theyUser Guide 135

Chapter 9: Configuring Proxied Servicescatch dangerous content types in ways that packet filterscannot.To add or configure a proxied service, use the proceduresfor filtered services in the previous chapter, “ConfiguringFiltered Services.” For more information on proxies, see thefollowing collection of FAQs:https://support.watchguard.com/advancedfaqs/proxy_main.aspProtocol Anomaly DetectionAs attackers become more sophisticated, new tools are necessaryto counter their threats. Anomaly detection is apowerful new technology for protecting your networkfrom attacks.An anomaly–in the context of network security–is data,action, or behavior that deviates from what is expected fora given user, network, or system. Because network protocolsare normally very restrictive, strict models of expectedbehavior can be constructed and deviations easily noted.Protocol anomaly detection (PAD) can detect a wide rangeof anomalies within the protocol space.Using protocol anomaly detection, you can automaticallyadd originators of malformed packets to the auto-blockedsites list. You can specify the rules that determine whethera packet is malformed, such as “non-allowed query type”or “question length too long for DNS request.”Protocol anomaly detection is supported by the SMTP, FTP,and DNS proxies.136 WatchGuard Firebox System

Customizing Logging and Notification for ProxiesCustomizing Logging and Notification forProxiesFor more information on logging and notification and thevarious fields on the Logging and Notification dialog box,see “Customizing logging and notification” on page 128.From the Properties dialog box:1 Click the Incoming tab.2 Click Logging.The Logging and Notification dialog box appears, as shown in thefollowing figure.3 Customize logging and notification using the settingsin this dialog box, as described in “Customizinglogging and notification” on page 128.Configuring an SMTP Proxy ServiceThe SMTP proxy limits several potentially harmful aspectsof email. The proxy scans the content type and content dispositionheaders, and then compares them against a userdefinedlist of known hostile signatures. Email messagescontaining suspect attachments are stripped of their attachmentsand then sent to the intended recipient.User Guide 137

Chapter 9: Configuring Proxied ServicesThe proxy can limit message size and limit the number ofmessage recipients. For example, if the message exceedspreset limits for message size or number of recipients, theFirebox refuses the mail. The SMTP proxy also automaticallydisables non-standard commands such as DEBUG.The following SMTP keywords are supported:DATARCPTMAILQUITHELOVRFYEXPNHELPRSETONEXNOOPQSNDThe following ESMTP keywords are supported:AUTHBDATBINARYMIME8BITMIMECHUNKINGEHLOETRNSIZEFor more information on the SMTP proxy, see the followingFAQ:https://support.watchguard.com/advancedfaqs/proxy_smtp.aspConfiguring the Incoming SMTP ProxyUse the Incoming SMTP Proxy dialog box to set theincoming parameters of the SMTP proxy. You must alreadyhave an SMTP Proxy service icon in the Services Arena.(For information on how to add a service, see the previouschapter.) From the Services Arena:1 Double-click the SMTP Proxy icon to open the SMTPProperties dialog box.2 Click the Properties tab.138 WatchGuard Firebox System

Configuring an SMTP Proxy Service3 Click Incoming.The Incoming SMTP Proxy dialog box appears, displaying theGeneral tab.4 Modify properties on the General tab according toyour preferences.For a description of each control, right-click it, and then selectWhat’s This?. You can also refer to the “Field Definitions”chapter in the Reference Guide.Configuring ESMTPESMTP (Extended Simple Mail Transfer Protocol) providesextensions to SMTP for sending email that supports graphics,audio and video files, and text in various foreign languages.You use the ESMTP tab on the Incoming SMTPProxy dialog box to specify support for ESMTP extensions(keywords) and for entering AUTH types, which specifyvarious ways of authenticating to the SMTP server.From the Incoming SMTP Proxy Properties dialog box:1 Click the ESMTP tab.The ESTMP information appears, as shown in the followingfigure.2 Enable the extensions (keywords) you want byselecting their associated checkboxes.3 Use the text box provided to enter AUTH types. ClickAdd.All AUTH types are supported; DIGEST-MD5, CRAM-MD5,PLAIN, and LOGIN are provided as defaults.User Guide 139

Chapter 9: Configuring Proxied ServicesBlocking email attachmentsYou can use two methods to block email attachments.Either allow only save content types or deny file name patterns.These two methods can be used together to furtherprotect your network from malicious email attachments.Allowing safe content typesMIME stands for Multipurpose Internet Mail Extensions, aspecification about how to pass audio, video, and graphicscontent by way of email or HTML. The MIME formatattaches a header to content. The header describes the typeof multimedia content contained within an email or on aWeb site. For instance, a MIME type of "application/zip" inan email message indicates that the email contains a Zipfile attachment. By reading the MIME headers contained inan incoming email message, the Firebox can strip certainMIME types and admit only the types you want. Youdefine which types of attachments are admitted and whichare denied by using the Firebox’s HTTP and SMTP proxies.From the Incoming SMTP Proxy Properties dialog box:1 Click the Content Types tab. Specify whether youwant to block certain file-name patterns in emailattachments by selecting the checkbox marked Allowonly safe content types and block file patterns.140 WatchGuard Firebox System

Configuring an SMTP Proxy Service2 If you want to specify content types to allow, click theupper Add button in the dialog box.The Select MIME Type dialog box appears as shown in thefollowing figure.3 Select a MIME type. Click OK.User Guide 141

Chapter 9: Configuring Proxied Services4 To create a new MIME type, click New Type. Enter theMIME type and description. Click OK.The new type appears at the bottom of the Content Types dropdownlist. Repeat this process for each content type. For a list ofMIME content types, see the Reference Guide.You can use wildcard characters as follows:To allow content typesAn asterisk (*) matches any string, including anempty string.To deny file name patterns:An asterisk (*) matches any string, including anempty string.A question mark (?) matches any single character.Denying attachments based on file name patternsThe Content Types tab includes a list of file-name patternsdenied by the Firebox if they appear in email attachments.To add a file-name pattern to the list, enter a new pattern inthe text box to the left of the Add button. Click Add.Note that denying a particular attachment does not automaticallytrigger protocol anomaly detection (PAD) rules.You must specifically add the content type to the PADrules, as described in “Configuring the Incoming SMTPProxy” on page 138.Specifying a deny messageIn the Content Types tab, you can enter a message to beshown when a content type is denied–this message isshown to the recipient only and not the sender. A defaultmessage is provided. Use the variable %t to add the contenttype to the message. Use the variable %f to add the filename pattern to the message.142 WatchGuard Firebox System

Configuring an SMTP Proxy ServiceAdding address patternsAdding address patterns can be useful for reducing spamcontent. From the Incoming SMTP Proxy Properties dialogbox:1 Click the Address Patterns tab.2 Use the Category drop-down list to select a category.3 Type the address pattern in the text box to the left ofthe Add button.4 Click Add.The address pattern appears at the bottom of the pattern list.Protecting mail servers against relayingHackers and spammers may attempt to use an open relayto send mail from your servers. To prevent this, disableopen relay on your mail servers by restricting the destinationto only your own domain.To further increase protection from mail relaying, modifythe SMTP Proxy settings to allow addresses only from yourdomain. From the Incoming SMTP Proxy Properties dialogbox:1 Click the Address Patterns tab.2 Select Allowed To from the Category drop-down list.3 In the text box to the left of the Add button, enter yourown domain.4 Click Add.5 Save the new configuration to the Firebox.Select headers to allowThe Firebox allows certain headers by default. These arelisted on the Headers tab of the Incoming SMTP ProxyProperties dialog box. You can add more headers to thisUser Guide 143

Chapter 9: Configuring Proxied Serviceslist, or remove headers from the list. From the IncomingSMTP Proxy Properties dialog box:1 Click the Headers tab.The headers information appears, as shown in the followingfigure.2 To add a new header, type the header name in the textbox to the left of the Add button. Click Add.The new header appears at the bottom of the header list.3 To remove a header, select the header name in theheader list. Click Remove.The header is removed from the header list.Specifying logging for the SMTP proxyClick the Logging tab to specify whether to log the following:• Unknown headers that are filtered by the proxy.• Unknown ESMTP extensions that are filtered by theproxy.• Accounting and auditing information.144 WatchGuard Firebox System

Configuring an SMTP Proxy ServiceEnabling protocol anomaly detection forSMTPFor a description of protocol anomaly detection, see “ProtocolAnomaly Detection” on page 136.1 From the SMTP Properties dialog box, click theProperties tab.The SMTP Properties dialog box appears, as shown in thefollowing figure.2 Select the Enable auto-blocking of sites usingprotocol anomaly detection checkbox.3 To set rules for anomaly detection, click the AutoblockingRules button.The PAD Rules for SMTP Proxy dialog box appears, as shown inthe following figure.User Guide 145

Chapter 9: Configuring Proxied Services4 In the upper box, select the rules to determine whichpacket originators are automatically added to the autoblockedsites list.5 The next box lists the denied content types listed on theContent Types tab (“Allowing safe content types” onpage 140). By default, none of these content typestrigger protocol anomaly detection. If you want toenable protocol anomaly detection for these contenttypes, select the corresponding checkbox.To be able to select or clear several consecutive content types as agroup, select the first type, press Shift and select the last type,and then select one of the types between the two selections.To be able to select or clear several non-consecutive content typesas a group, press Ctrl and select each type you want.6 The next box lists the denied extension types listed onthe Content Types tab (“Allowing safe content types”on page 140). By default, none of these extension typestrigger protocol anomaly detection. If you want toenable protocol anomaly detection for these extensions,select the corresponding checkbox.146 WatchGuard Firebox System

Configuring an SMTP Proxy ServiceConfiguring the Outgoing SMTP ProxyUse the Outgoing SMTP Proxy dialog box to set theparameters for traffic going from the trusted and optionalnetworks to the world. You must already have an SMTPProxy service icon in the Services Arena to use this functionality.Double-click the icon to open the service’s Propertiesdialog box:1 Click the Properties tab.2 Click Outgoing.The Outgoing SMTP Proxy dialog box appears, displaying theGeneral tab, as shown in the following figure.3 To add a new header pattern, type the pattern name inthe text box to the left of the Add button. Click Add.4 To remove a header from the pattern list, click theheader pattern. Click Remove.5 In the Idle field, set a time-out value in seconds.6 To modify logging properties, click the Logging taband set the options you want.Add masquerading optionsSMTP masquerading converts an address pattern behindthe firewall into an anonymous, public address. For example,the internal address pattern might beUser Guide 147

Chapter 9: Configuring Proxied Servicesinside.salesdept.bigcompany.com, which would become thepublic address bigcompany.com.1 Click the Masquerading tab.The SMTP masquerading information appears, as shown in thefollowing figure.2 Enter the official domain name.This is the name you want visible to the outside world.3 In the Substitute the above for these address patternstext box (to the left of the Add button), type the addresspatterns that are behind your firewall that you wantreplaced by the official domain name. Click Add.All patterns entered here appear as the official domain nameoutside the Firebox.4 In the Don’t Substitute for these address patterns textbox (to the left of the Add button), type the addresspatterns that you want to appear “as is” outside thefirewall. Click Add.5 Select the checkbox marked Masquerade Message IDsto specify that message IDs in the Message-ID andResent-Message-ID header fields are converted to anew ID composed of an encoded version of the originalID, a time stamp, and the host name entered in thedomain name field described in step 2.148 WatchGuard Firebox System

Configuring an FTP Proxy Service6 Select the checkbox marked Masquerade MIMEboundary strings to specify that the firewall convertsMIME boundary strings in messages and attachmentsto a string that does not reveal internal host names orother identifying information.Configuring an FTP Proxy ServiceThe FTP proxy service enables you to access another computer(on a separate network) for the purposes of browsingdirectories and copying files. Consequently, FTP is inherentlydangerous. If configured incorrectly, the FTP serviceallows intruders to access your network and importantinformation such as passwords and configuration files.FTP is also potentially dangerous outbound because itenables users on your network to copy virtually anythingfrom outside the network to a location behind their firewall.Therefore, it is important to make the FTP service asrestrictive as possible. Ideally, try to isolate the inboundFTP servers to a single host (or hosts) on your optional network.Make sure you protect your trusted network fromFTP requests from the host or hosts on the optional networkas well. Like SMTP, the FTP proxy includes customizedfeatures that provide more complete control over thetraffic that passes through your firewall.For detailed information about the FTP proxy, see the followingFAQ:https://support.watchguard.com/advancedfaqs/proxy_ftp.aspFor troubleshooting information for the FTP proxy, see thefollowing FAQ:https://support.watchguard.com/advancedfaqs/proxy_ftptrouble.aspUser Guide 149

Chapter 9: Configuring Proxied ServicesFrom Policy Manager:1 If you have not done so already, use the Add Servicebutton to add the FTP proxy service. Expand theProxies tree and double-click the FTP service icon.2 Click the Properties tab. Click Settings.The Settings information appears as shown in the followingfigure.3 Enable FTP proxy properties according to yoursecurity policy preferences.For a description of each control, right-click it, and then selectWhat’s This?. You can also refer to the “Field Definitions”chapter in the Reference Guide.Note that the Make Incoming FTP Connections Read onlycheckbox is selected by default. If you have an FTP server thataccepts files, be sure to clear this checkbox.4 Click OK.Enabling protocol anomaly detection for FTPFor a description of protocol anomaly detection, see “ProtocolAnomaly Detection” on page 136.1 From the FTP Properties dialog box, click theProperties tab.2 Select the Enable auto-blocking of sites usingprotocol anomaly detection checkbox.3 To set rules for anomaly detection, click the AutoblockingRules button.The PAD Rules for FTP Proxy dialog box appears, as shown inthe following figure.150 WatchGuard Firebox System

Selecting an HTTP Service4 Select the rules to determine which packet originatorsare automatically added to the auto-blocked sites list.Selecting an HTTP ServiceBecause of the extensive security implications of HTTPtraffic, it is important to restrict the incoming service asmuch as possible. Many administrators set up public Webservers only on their optional interface. They restrictincoming HTTP traffic to the optional interface and prohibitincoming HTTP traffic from traveling from theoptional interface to the trusted interface. Outgoing trafficis generally less restrictive. For example, many companiesopen outgoing HTTP traffic from Any to Any.WatchGuard Firebox System offers three different types ofHTTP services. Choose the HTTP service that best meetsyour needs:• Proxied-HTTP is a multiservice that combinesconfiguration options for HTTP on port 80 with a rulethat allows (by default) all outgoing TCP connections.In other words, the Proxied-HTTP is not bilateralincoming and outgoing; this service controls incomingTCP traffic only on port 80, but allows outgoing TCPtraffic on all ports. The Proxied-HTTP service includesUser Guide 151

Chapter 9: Configuring Proxied Servicesa variety of custom options including specializedlogging features, definition of safe content types, andWebBlocker.• HTTP is a proxy service that functions very much likeProxied-HTTP, except that it controls both incomingand outgoing access only on port 80.NOTEThe WatchGuard service called “HTTP” is not to beconfused with an HTTP caching proxy. An HTTP cachingproxy refers to a separate machine that performs caching ofWeb data.• Filtered-HTTP is a multiservice that combinesconfiguration options for HTTP on port 80 with a ruleallowing (by default) all outgoing TCP connections. Asa filtered service, Filtered-HTTP is considerably fasterthan Proxied-HTTP or HTTP, but does not provideprotection that is as thorough or as effective. Inaddition, none of the custom options, includingWebBlocker, are available for Filtered-HTTP.Adding a proxy service for HTTPMost network administrators use the HTTP proxy servicewhen configuring Web traffic. Many administrators combinetheir HTTP service with an outgoing proxy serviceconfigured Any to Any to keep the HTTP service both easyto understand and control. In the following procedure, youdefine the content allowed to pass through the firewall.1 In Policy Manager, click the Add Service icon. Expandthe Proxies folder, double-click HTTP, and then clickOK.The HTTP Properties dialog box appears. The default stance is todeny incoming traffic and to allow outgoing traffic from Any toAny.2 Use the Incoming HTTP connections are drop-downlist to select Enabled and Allowed.3 Configure the service as you want. For example, toconfigure the HTTP proxy to allow incoming traffic152 WatchGuard Firebox System

Selecting an HTTP Servicefrom Any to the optional network, click Add beneaththe To list. In the Add Address dialog box, add theoptional Firebox group. Click OK.4 Click the Properties tab. Click Settings.5 On the Settings tab, enable HTTP proxy propertiesaccording to your security policy preferences.6 If you are using the HTTP proxy service because youwant to use WebBlocker, see Chapter 16, “ControllingWeb Site Access.”For a description of each control, right-click it, and then selectWhat’s This?. Or, refer to the Field Definitions chapter in theReference Guide.For detailed information about the HTTP proxy, see theonline support resources at http://support.watchguard.com.Restricting content types for the HTTP proxyYou can configure the HTTP proxy to allow only thoseMIME types you decide are acceptable security risks. Onthe Safe Content tab:1 To specify that you want to restrict content types thatcan pass through the HTTP proxy, select the checkboxmarked Allow only safe content types.User Guide 153

Chapter 9: Configuring Proxied Services2 If you want to specify content types to allow, click theupper Add button in the dialog box.The Select MIME Type dialog box appears.3 Select a MIME type. Click OK.4 To create a new MIME type, click New Type. Enter theMIME type and description. Click OK.The new type appears at the bottom of the Content Types dropdownlist. Repeat this process for each content type. For a list ofMIME content types, see the Reference Guide.5 If you want to specify unsafe path patterns to block,enter a path pattern next to the left of the Add button.Click Add.Only the path and not the host name are filtered. For example,with the Web site www.testsite.com/login/here/index.html, onlythe elements /login/ and /here/ can be added to the unsafe pathpatterns box, not *testsite*.If you want to disable content type filtering, click the Settingstab. Clear the checkbox marked Require ContentType.NOTEZip files are denied when you deny Java or ActiveX applets,because Zip files often contain these applets.Configuring a caching proxy serverBecause the Firebox’s HTTP proxy does no content caching,the Firebox has been designed to work with cachingproxy servers. Because company employees often visit thesame Web sites, this greatly speeds operations and reducesthe load on external Internet connections. All Fireboxproxy and WebBlocker rules that are in place still have thesame effect.The Firebox communicates with proxy servers exactly thesame way that clients normally do. Instead of a GETrequest from the Firebox to the Internet looking like this:GET / HTTP/1.1It ends up looking like this, and the request is sent to theconfigured caching proxy server instead:154 WatchGuard Firebox System

Configuring the DNS Proxy ServiceGET www.mydomain.com / HTTP/1.1The proxy server then forwards this request to the Webserver mentioned in the GET request.To set up an external caching proxy server:1 Configure an external proxy server, such as MicrosoftProxy Server 2.0.2 Open Policy Manager with your current configuration.3 Double-click the icon for your HTTP proxy service.This can be either Proxy, HTTP, or Proxied-HTTP.4 Click the Properties tab. Click the Settings button.5 Select the checkbox marked Use Caching Proxy Server.6 In the fields below the checkbox, enter the IP addressand TCP port of the caching proxy server. Click OK.7 Save this configuration to the Firebox.Configuring the DNS Proxy ServiceInternet domain names (such as WatchGuard.com) arelocated and translated into IP addresses by the domainname system (DNS). DNS lets users navigate the Internetwith easy-to-remember “dot-com” names by seamlesslytranslating the domain name into an IP address that servers,routers, and individual computers understand. Ratherthan try to maintain a centralized list of domain names andcorresponding IP addresses, smaller lists are distributedacross the Internet.The Berkeley Internet Name Domain (BIND) is a widelyused implementation of DNS. Some versions of BIND canbe vulnerable to attacks that cause a buffer overflow, whichcrash the targeted server and enable the attacker to gainunauthorized access to your network.One attack uses a flaw in the transaction signature (TSIG)handling code. When BIND encounters a request with aUser Guide 155

Chapter 9: Configuring Proxied Servicesvalid transaction signature but no valid key, processingsteps that initialize important variables (notably therequired buffer size) are skipped. Subsequent functioncalls make invalid assumptions about the size of therequest buffer, which can cause requests with legitimatetransaction signatures and keys to trigger a buffer overflow.Used in conjunction with other attack tools, this typeof attack results in a server crash and the attacker gainingunauthorized access to your root shell through an outboundTCP connection. Using this connection, the attackercan execute arbitrary code on your network.Some versions of BIND are also vulnerable to another typeof buffer overflow attack that exploits how NXT (or next)records are processed. Attackers can set the value of a keyvariable such that the server crashes and the attacker gainsunauthorized access. The DNS proxy protects your DNSservers from both the TSIG and NXT attacks, along with anumber of other types of DNS attacks. For more informationon the DNS proxy, see the DNS Proxy section of thefollowing collection of FAQs:https://support.watchguard.com/advancedfaqs/proxy_main.aspNOTEUnless you have a DNS server for public use, you should notuse this proxy.Adding the DNS Proxy ServiceWhen you add the DNS proxy, you can best protect yournetwork by applying the proxy to both inbound and outboundtraffic. You can also set up the DNS proxy so thatany denied packets (inbound or outbound) generate logrecords. You can use LogViewer to check your log files forrecords that indicate DNS attacks, which in turn lets yousee how often and from where you were attacked.1 On the toolbar, click the Add Services icon.2 Expand the Proxies folder.A list of pre-configured proxies appears.156 WatchGuard Firebox System

Configuring the DNS Proxy Service3 Click DNS-Proxy. Click Add.The Add Service dialog box appears. You can change the nameassigned to the DNS proxy or change the comment associatedwith the proxy.4 Click OK to close the Add Service dialog box.The DNS-Proxy Properties dialog box appears.5 Click the Incoming tab. Use the Incoming DNS-Proxyconnections are drop-down list to select Enabled andAllowed.6 Click the Outgoing tab. Use the Outgoing DNS-Proxyconnections are drop-down list to select Enabled andAllowed.7 Click OK to close the DNS-Proxy Properties dialogbox.8 Click Close.The Services dialog box closes. The DNS-Proxy icon appears inthe Services Arena.Enabling protocol anomaly detection forDNSFor a description of protocol anomaly detection, see “ProtocolAnomaly Detection” on page 136.1 From the DNS Properties dialog box, click theProperties tab.2 Select the Enable auto-blocking of sites usingprotocol anomaly detection checkbox.3 To set rules for anomaly detection, click the AutoblockingRules button.The PAD Rules for DNS Proxy dialog box appears, as shown inthe following figure.User Guide 157

Chapter 9: Configuring Proxied Services4 By default, all rules are enabled. You can enable ordisable the rules as you choose to determine whichpacket originators are automatically added to the autoblockedsites list.To be able to select or clear several consecutive rules as a group,select the first rule, press Shift and select the last rule, and thenselect one of the rules between the two selections.To be able to select or clear several non-consecutive rules as agroup, press Ctrl and select each rule you want.DNS file descriptor limitThe DNS proxy has only 256 file descriptors available forits use, which limits the number of DNS connections in aNAT environment. Every UDP request that uses dynamicNAT uses a file descriptor for the duration of the UDPtimeout. Every TCP session that uses dynamic, static, or 1-to-1 NAT uses a file descriptor for the duration of the session.The file descriptor limit is rarely a problem, but an occasionalsite may experience slow name resolution and manyinstances of the following log message:dns-proxy[xx] dns_setup_connect_udp: Unable to createUDP socket for port: Invalid argument158 WatchGuard Firebox System

Configuring the DNS Proxy ServiceYou can work around this problem in two ways (the firstmethod is the most secure):• Avoid using dynamic NAT between your clients andyour DNS server.• Disable the outgoing portion of the DNS proxiedservice and replace it with a filtered DNS service.User Guide 159

Chapter 9: Configuring Proxied Services160 WatchGuard Firebox System

CHAPTER 10Creating Aliases andImplementingAuthenticationAliases are shortcuts used to identify groups of hosts,networks, or users. The use of aliases simplifies serviceconfiguration.User authentication allows the tracking of connectionsbased on name rather than IP address. With authentication,it does not matter which IP address is used orfrom which machine a person chooses to work. Togain access to Internet services (such as outgoingHTTP or outgoing FTP), the user provides authenticatingdata in the form of a username and password.For the duration of the authentication, the sessionname is tied to connections originating from the IPaddress from which the individual authenticated. Thismakes it possible to track not only the machines fromwhich connections are originating, but the user aswell.User Guide 161

Chapter 10: Creating Aliases and Implementing AuthenticationNOTEBecause usernames are bound to IP addresses, userauthentication is not recommended for use in an environmentwith shared multiuser machines (such as Unix, Citrix, or NTterminal servers), because only one user per shared servercan be authenticated at any one time.The Firebox allows you to define permissions and groupsusing user names rather than IP addresses. This systemallows for situations where users may use more than onecomputer or IP address. Tracking activities by user ratherthan IP is especially useful on networks using DHCPwhere a user workstation may have several different IPaddresses over the course of a week. Authentication byuser is also useful in education environments, such asclassrooms and college computer centers where many differentpeople might use the same IP address over thecourse of the day. For more information on authentication,see the following collection of FAQs:https://support.watchguard.com/advancedfaqs/auth_main.aspUsing AliasesAliases provide a simple way to remember host IPaddresses, host ranges, and network IP addresses. Theyfunction in a similar fashion to email distribution lists–combining addresses and names into easily recognizablegroups. Use aliases to quickly build service filter rules.Aliases cannot, however, be used to configure the networkitself.WatchGuard automatically adds six aliases to the basicconfiguration:162 WatchGuard Firebox System

Using AliasesGroupfireboxtrustedoptionalexternaldvcp_netsdvcp_local_netsFunctionAddresses assigned to the three Firebox interfacesand any related networks or device aliasesAny host or network routed through the physicaltrusted interfaceAny host or network routed through the physicaloptional interfaceAny host or network routed through the physicalexternal interface; in most cases, the InternetAny network behind the DVCP clientAny network behind the DVCP serverA host alias takes precedence over a Windows NT orRADIUS group with the same name.Adding an aliasFrom Policy Manager:1 Select Setup => Aliases.The Aliases dialog box appears, as shown in the following figure.2 Click Add.3 In the Host Alias Name text box, enter the name usedto identify the alias when configuring services andauthentication.4 Click Add.The Add Address dialog box appears, as shown in the followingfigure.User Guide 163

Chapter 10: Creating Aliases and Implementing Authentication5 Define the alias by adding members. To add an existingmember, click the name in the Members list. ClickAdd.6 To configure a new member, click Add Other.The Add Member dialog box appears.7 Use the Choose Type drop-down list to select acategory. In the Value text box, enter the address,range, or host name. Click OK.8 When you finish adding members, click OK.The Host Alias dialog box appears listing the new alias. Click thealias to view its members.To modify an alias, select it, click Edit, and then add ordelete members.To remove an alias, select it, click Remove, and thenremove the alias from Properties box of any services configuredto use the alias. For more information, see “DefiningService Properties” on page 124.164 WatchGuard Firebox System

How User Authentication WorksHow User Authentication WorksA specialized HTTP server runs on the Firebox. To authenticate,clients must connect to the authentication serverusing a Java-enabled Web browser pointed to:http://IP address of any Firebox interface:4100/A Java applet loads a prompt for a username and passwordthat it then passes to the authentication server usinga challenge-response protocol. Once successfully authenticated,users minimize the Java applet and browser windowand begin using allowed network services.As long as the Java window remains active (it can be minimizedbut not closed) and the Firebox does not reboot,users remain authenticated until the session times out. Toprevent an account from authenticating, disable theaccount on the authentication server.Using external authenticationAlthough the authentication applet is primarily used foroutbound traffic, it can be used for inbound traffic as well.Authentication can be used outside the Firebox as long asyou have an account on that Firebox. For example, if youare working at home, you can point your browser to:http://public IP address of any Firebox interface:4100/The authentication applet appears to prompt you for yourlogin credentials. This can provide you access through variousservices such as FTP and Telnet, if you have preconfiguredyour Firebox to allow this.Enabling remote authenticationUse this procedure to allow remote users to authenticatefrom the external interface, which gives them access to servicesthrough the Firebox.1 In the Services Arena in Policy Manager, double-clickthe wg_authentication service icon.2 On the Incoming tab, select Enabled and Allowed.User Guide 165

Chapter 10: Creating Aliases and Implementing Authentication3 Under the From box, click Add.4 Click Add Under and add the IP addresses of theremote users you are allowing to authenticateexternally.Authentication Server TypesThe WatchGuard Firebox System can authenticate usersagainst any of five authentication server types:• A built-in authentication server on the Firebox• NT primary domain controllers• RADIUS-compliant authentication servers• CRYPTOCard authentication servers• SecurID authentication serversThe differences among the various authentication schemesare essentially transparent to the user; the user performsmany or all of the same tasks to authenticate against any ofthe five types of authentication.The difference for the Firebox administrator is that forbuilt-in authentication, the database of usernames, passwords,and groups are stored on the Firebox itself. In allother cases, the usernames, passwords, and groups arestored on the server performing the authentication.When the Firebox is not the authentication server, youmust set up the authentication server according to themanufacturer’s instructions and place it on the network ina location accessible to the Firebox. It is best placed on thetrusted side for security reasons.To specify authentication type:1 From Policy Manager, select Setup => FirewallAuthentication.The Firewall Authentication dialog box appears, as shown in thefollowing figure.166 WatchGuard Firebox System

Defining Firebox Users and Groups for Authentication2 In the Authentication Enabled Via box, select theauthentication server you want you use.3 In Logon Time-out, select how many seconds areallowed for an attempted logon before the time-outshuts down the connection.4 In Session Time-out, set how many hours a sessioncan remain open before the time-out shuts down theconnection. This is a set time limit regardless of endusertraffic.Defining Firebox Users and Groups forAuthenticationIn the absence of a third-party authentication server, youcan divide your company into groups and users forauthentication. Assign employees or members to groupsbased on factors such as common tasks and functions,access needs, and trustworthiness. For example, you mighthave a group for accounting, another for marketing, and athird for research and development. You also might createa probationary group with high restrictions for newemployees.User Guide 167

Chapter 10: Creating Aliases and Implementing AuthenticationWithin groups, you define users according to factors suchas the method they use to authenticate, the type of systemthey use, or the information they need to access. Users canbe either networks or individual computers. As your organizationchanges, you can add or remove users or systemsfrom groups.NOTEYou can define only a limited number of Firebox users. If youhave more than approximately 100 users to authenticate,WatchGuard recommends that you use a third-partyauthentication server.WatchGuard automatically adds two groups–intended forremote users–to the basic configuration file:ipsec_usersAdd the names of authorized users of MUVPN.pptp_usersAdd the names of authorized users of RUVPN withPPTP.You can use Policy Manager to add, edit, or delete othergroups to or from the configuration file or to add or modifythe users within a group.From Policy Manager:1 Select Setup => Authentication Servers.The Authentication Servers dialog box appears, as shown in thefollowing figure.168 WatchGuard Firebox System

Defining Firebox Users and Groups for Authentication2 To add a new group, click the Add button beneath theGroups list.The Add Firebox Group dialog box appears.3 Type the name of the group. Click OK.4 To add a new user, click the Add button beneath theUsers list.The Setup Firebox User dialog box appears, as shown in thefollowing figure.5 Enter the username and password.6 To add the user to a group, select the group name in theNot Member Of list. Click the left-pointing arrow tomove the name to the Member Of list.User Guide 169

Chapter 10: Creating Aliases and Implementing Authentication7 When you finish adding the user to groups, click Add.The user is added to the User list. The Setup Firebox User dialogbox remains open and cleared for entry of another user.8 To close the Setup Firebox User dialog box, clickClose.The Firebox Users tab appears with a list of the newly configuredusers.9 When you finish adding users and groups, click OK.The users and groups can now be used to configure services andauthentication.Configuring Windows NT ServerAuthenticationWindows NT Server authentication is based on WindowsNT Server Users and Groups. It uses the Users and Groupsdatabase already in place on your Windows NT network.Only end users are allowed to authenticate; the defaultWindows NT groups Administrators and Replicators willnot authenticate using this feature. From Policy Manager:1 Select Setup => Authentication Servers.The Authentication Servers dialog box appears.2 Click the NT Server tab.The information appears as shown in the following figure.170 WatchGuard Firebox System

Configuring RADIUS Server Authentication3 To identify the host, enter both the host name and theIP address of the Windows NT network. If you don’tknow the IP address of the host, click Find IP. The IPaddress is automatically entered.When typing IP addresses, type the digits and periods insequence. Do not use the TAB or arrow key to jump past theperiods. For more information on entering IP addresses, see“Entering IP addresses” on page 43.4 If you want, select the checkbox to use local groups.Windows NT defines two types of groups: global and local. Alocal group is local to the security system in which it is created.Global groups contain user accounts from one domain groupedtogether as one group name. A global group cannot containanother global group or a local group.5 Click OK.Configuring RADIUS Server AuthenticationThe Remote Authentication Dial-In User Service (RADIUS)provides remote users with secure access to corporate networks.RADIUS is a client-server system that storesauthentication information for users, remote access servers,and VPN gateways in a central user database that isavailable to all clients. Authentication for the entire networkoccurs from one location.RADIUS prevents hackers from intercepting and respondingto authentication requests because authenticationrequests transmit an authentication key that identifies it tothe RADIUS server. Note that it is the key that is transmitted,and not a password. The key resides on the client andserver simultaneously, which is why it is often called a“shared secret.”To add or remove services accessible by RADIUS authenticatedusers, add the RADIUS user or group in the individualservice properties dialog box and the IP address of theFirebox on the RADIUS authentication server.User Guide 171

Chapter 10: Creating Aliases and Implementing AuthenticationAlthough WatchGuard supports both CHAP and PAPauthentication, CHAP is considered more secure.From Policy Manager:1 Select Setup => Authentication Servers.The Authentication Servers dialog box appears.2 Click the RADIUS Server tab.The RADIUS information appears, as shown in the followingfigure.3 Enter the IP address of the RADIUS server.4 Enter or verify the port number used for RADIUSauthentication.The default is 1645. RFC 2138 states the port number as 1812,but many RADIUS servers still use port number 1645.5 Enter the value of the secret shared between theFirebox and the RADIUS server.The shared secret is case-sensitive and must be identical on theFirebox and the RADIUS server.6 Enter the IP address and port of the backup RADIUSserver. The RADIUS servers’ secret must be sharedbetween both the primary and backup servers.7 Click OK.8 Gather the IP address of the Firebox and the user orgroup aliases you want to authenticate using RADIUS.The aliases appear in the From and To listboxes for theindividual services.172 WatchGuard Firebox System

Configuring CRYPTOCard Server AuthenticationTo configure the RADIUS server1 Add the IP address of the Firebox where appropriateaccording to the RADIUS server vendor.Some RADIUS vendors may not require this. To determine if thisis required for your implementation, check the RADIUS servervendor documentation.2 Take the user or group aliases gathered from the AddAddress dialog box from each service (double-click theservice icon, select Incoming and Allowed on theIncoming tab, and click Add) and add them to thedefined Filter-IDs in the RADIUS configuration file.For more information, consult the RADIUS serverdocumentation.For example, to add the groups Sales, Marketing, andEngineering enter:Filter-Id=”Sales”Filter-Id=”Marketing”Filter-Id=”Engineering”NOTEThe filter rules for RADIUS user filter-IDs are case sensitive.Configuring CRYPTOCard ServerAuthenticationCRYPTOCard is a hardware-based authentication systemthat allows users to authenticate by way of the CRYPTO-Card challenge response system which includes off-linehashing of passwords. It enables you to authenticate individualsindependent of the hosts they are on.Configuring WatchGuard CRYPTOCard server authenticationassumes that you have acquired and installed a CRYP-TOCard server according to the manufacturer’sinstructions, and that the server is accessible for authenticationsto the Firebox.To add or remove services accessible by CRYPTOCardauthenticated users, add the CRYPTOCard user or groupUser Guide 173

Chapter 10: Creating Aliases and Implementing Authenticationin the individual service’s Properties dialog box, and the IPaddress of the Firebox on the CRYPTOCard authenticationserver.From Policy Manager:1 Select Setup => Authentication Servers.The Authentication Servers dialog box appears.2 Click the CRYPTOCard Server tab.You might need to use the arrow buttons in the upper-right cornerof the dialog box to bring this tab into view.3 Enter the IP address of the CRYPTOCard server.4 Enter or verify the port number used for CRYPTOCardauthentication.The standard is 624.5 Enter the administrator password.This is the administrator password in the passwd file on theCRYPTOCard server.6 Enter or accept the time-out in seconds.The time-out period is the maximum amount of time, in seconds,a user can wait for the CRYPTOCard server to respond to arequest for authentication. Sixty seconds is CRYPTOCard’srecommended time-out length.7 Enter the value of the shared secret between theFirebox and the CRYPTOCard server.This is the key or client key in the “Peers” file on theCRYPTOCard server. This key is case-sensitive and must beidentical on the Firebox and the CRYPTOCard server forCRYPTOCard authentication to work.8 Click OK.9 Gather the IP address of the Firebox and the user orgroup aliases to be authenticated by way of174 WatchGuard Firebox System

Configuring SecurID AuthenticationCRYPTOCard. The aliases appear in the From and Tolistboxes in the individual services’ Properties dialogboxes.On the CRYPTOCard server:1 Add the IP address of the Firebox where appropriateaccording to CRYPTOCard’s instructions.2 Take the user or group aliases from the serviceproperties listboxes and add them to the groupinformation in the CRYPTOCard configuration file.Only one group can be associated with each user.For more information, consult the CRYPTOCard serverdocumentation.Configuring SecurID AuthenticationFor SecurID authentication to work, the RADIUS andACE/Server servers must first be correctly configured. Inaddition, users must have a valid SecurID token and PINnumber. Please see the relevant documentation for theseproducts.NOTEWatchGuard does not support the third-party program SteelBelted RADIUS for use with SecurID. You should use theRADIUS program bundled with the RSA SecurID software.From Policy Manager:1 Select Setup => Authentication Servers.The Authentication Servers dialog box appears.2 Click the SecurID Server tab.You might need to use the arrow buttons in the upper-right cornerof the dialog box to bring this tab into view.User Guide 175

Chapter 10: Creating Aliases and Implementing Authentication3 Enter the IP address of the SecurID server.4 Enter or verify the port number used for SecurIDauthentication.The default is 1645.5 Enter the value of the secret shared between theFirebox and the SecurID server.The shared secret is case-sensitive and must be identical on theFirebox and the SecurID server.6 If you are using a backup server, select the Specifybackup SecurID server checkbox. Enter the IP addressand port number for the backup server.7 Click OK.To set up the RADIUS server, see “To configure theRADIUS server” on page 173.176 WatchGuard Firebox System

CHAPTER 11Intrusion Detectionand PreventionThe WatchGuard Firebox System can protect your networkfrom many types of attacks. In addition to theprotection provided through filtered and proxied services,the Firebox also gives you the following tools tostop attacks that services are not designed to defeat.Default packet handlingOptions for how the firewall handlesincoming communications that appear to beattacks on a network.Blocked sitesAn IP address outside the Firebox that isprevented from connecting to hosts behind theFirebox. The Blocked Sites feature of theFirebox helps you prevent unwanted contactfrom known or suspected hostile systems.Blocked portsPorts that are designated as vulnerable entrypoints to your network. A blocked port settingblocks packets that enter your networkthrough the external interface.User Guide 177

Chapter 11: Intrusion Detection and PreventionDefault Packet HandlingThe WatchGuard Firebox System provides default packethandling options to automatically block hosts that originateprobes and attacks. Logging options help you identifysites that exhibit suspicious behavior such as spoofing. Youcan use the information gathered to manually and permanentlyblock an offending site. In addition, you can blockports (by port number) to protect ports with known vulnerabilitiesfrom any incoming traffic. For more informationon log messages, see the following collection of FAQs:https://support.watchguard.com/advancedfaqs/log_main.aspThe Firebox System examines and handles packets accordingto default packet-handling options that you set. Thefirewall examines the source of the packet and its intendeddestination by IP address and port number. It also watchesfor patterns in successive packets that indicate unauthorizedattempts to access the network.The default packet-handling configuration determineswhether and how the firewall handles incoming communicationsthat appear to be attacks on a network. Packet handlingcan:• Reject potentially threatening packets• Automatically block all communication from a sourcesite• Add an event to the log• Send notification of potential security threatsBlocking spoofing attacksOne method that attackers use to gain access to your networkinvolves creating an electronic “false identity.” Withthis method, called “IP spoofing,” the attacker creates aTCP/IP packet that uses someone else’s IP address.Because routers use a packet’s destination address to forwardthe packet toward its destination, the packet’s sourceaddress is not validated until the packet reaches its destina-178 WatchGuard Firebox System

Default Packet Handlingtion. In conjunction with the false identity, the attacker mayroute the packet so that it appears to originate from a hostthat the targeted system trusts.If the destination system performs session authenticationbased on a connection’s IP address, the destination systemmay allow the packet with the spoofed address throughyour firewall. The destination system “sees” that thepacket apparently originated from a host that is trusted,and therefore doesn’t require validation or a password.When you enable spoofing defense, the Firebox preventspackets with a false identity from passing through to yournetwork. When such a packet attempts to establish a connection,the Firebox generates two log records. One logrecord shows that the attacker’s packet was blocked; theother shows that the attacker’s site has been added to theBlocked Sites list, a compilation of all sites blocked by theFirebox.You can block spoofing attacks using the DefaultPacket Handling dialog box. From Policy Manager:1 On the toolbar, click the Default Packet Handling icon,shown at right.You can also, from Policy Manager, select Setup => IntrusionPrevention => Default Packet Handling.The Default Packet Handling dialog box appears, as shown in thefollowing figure.2 Select the checkbox marked Block Spoofing Attacks.User Guide 179

Chapter 11: Intrusion Detection and PreventionBlocking port space and address spaceattacksOther methods that attackers use to gain access to networksand hosts are known as probes. Port space probesare used to scan a host to find what services are running onit. Address space probes scan a network to see which servicesare running on the hosts inside that network. FromPolicy Manager:1 On the toolbar, click the Default Packet Handling icon.You can also, from Policy Manager, select Setup => IntrusionPrevention => Default Packet Handling.The Default Packet Handling dialog box appears.2 Select the checkbox marked Block Port Space Probes.3 Select the checkbox marked Block Address SpaceProbes.Stopping IP options attacksAnother type of attack that can be used to disrupt your networkinvolves IP options in the packet header. IP optionsare extensions of the Internet Protocol that are usually usedfor debugging or for special applications. For example, ifyou allow IP options, the attacker can use the options tospecify a route that helps him or her gain access to your180 WatchGuard Firebox System

Default Packet Handlingnetwork. Although there is some gain to leaving IP optionsenabled, the risk generally outweighs the benefit.From Policy Manager:1 On the toolbar, click the Default Packet Handling icon.You can also, from Policy Manager, select Setup => IntrusionPrevention => Default Packet Handling.The Default Packet Handling dialog box appears.2 Select the checkbox marked Block IP Options.Stopping SYN Flood attacksA SYN Flood attack is a type of Denial of Service (DoS)attack that seeks to prevent your public services (such asemail and Web servers) from being accessible to users onthe Internet.To understand how SYN Flood works, consider a normalTCP connection. A user tries to connect by way of a Webbrowser to your server by sending what is called a SYNsegment. Your Web server acknowledges the browser bysending what is called a SYN+ACK segment. When thebrowser sees the SYN+ACK, it sends an ACK segment. Theserver is ready to accept the URL request from the browserwhen it sees the ACK statement. However, until the ACKsegment has been received, the server is “stuck”; it knowsthe browser wants to communicate, but the connection isnot yet established. Many servers in use today can handleonly a finite number of these half-way completed connectionsat a time. They are stored in a backlog until they arecompleted or time out. When the server’s backlog is full,no new connections can be accepted.A SYN Flood attack attempts to fill up the victim server’sbacklog by sending a flood of SYN segments without eversending an ACK. When the backlog fills up, the server willbe unavailable to users.The WatchGuard Firebox System can help defend yourservers against a SYN Flood attack by tracking the numberof SYNs that are sent without a following ACK. If thisnumber exceeds the threshold you define, the SYN FloodUser Guide 181

Chapter 11: Intrusion Detection and Preventionprotection feature will self-activate. Once active, furtherconnection attempts from the external side of the Fireboxmust be verified before being allowed to reach your servers.Connections that cannot be verified are not allowedthrough, thus protecting your server from having a fullbacklog.The SYN Flood protection feature will self-deactivate whenit senses the attack is over.From Policy Manager:1 On the toolbar, click the Default Packet Handling icon.You can also, from Policy Manager, select Setup => IntrusionPrevention => Default Packet Handling.The Default Packet Handling dialog box appears.2 Select the checkbox marked Block SYN Flood Attacks.Changing SYN flood settingsActive SYN flood defenses can occasionally prevent legitimateconnection attempts from being completed. If youfind that too many legitimate connection attempts failwhen your SYN flood defense is active, you can changeSYN flood settings to minimize this problem.You can set the maximum number of incomplete TCP connectionsthe Firebox allows before the SYN flood defense isactivated. The default setting of 60 means that when thenumber of TCP connections waiting to be validated climbsto 61 or above, SYN flood defense is activated. Conversely,when the number of connections waiting for validationdrops to 59 or less, SYN flood defense is deactivated. Youmight need to adjust this setting to custom-fit the SYN Floodprotection feature for your network. Every time the featureself-activates, a log message will be recorded statingSYN Validation: activated. When the feature selfdeactivates,the log message SYN Validation: deactivatedwill be recorded. If these messages occur frequentlywhen your server is not under attack, the MaximumIncomplete Connections setting may be too low. If the SYNFlood protection feature is not preventing attacks from182 WatchGuard Firebox System

Detecting Man-in-the-Middle Attacksaffecting your server, the setting may be too high. Consultyour server’s documentation for help choosing a newvalue, or experiment by adjusting the setting until theproblems disappear.The validation timeout controls how long the Firebox“remembers” clients that pass the validation test. Thedefault setting of 120 seconds means that a client thatdrops a legitimate connection has a two-minute window toreconnect without being challenged. Setting the validationtimeout to zero seconds means that legitimate connectionsare “forgotten” when dropped, so every connectionattempt is challenged.From Policy Manager:1 On the toolbar, click the Default Packet Handling icon.You can also, from Policy Manager, select Setup => IntrusionPrevention => Default Packet Handling.The Default Packet Handling dialog box appears.2 Use the SYN Validation Timeout box to set how longthe Firebox “remembers” a validated connection afterthat connection is dropped.3 Use the Maximum Incomplete Connections box to setthe number of connections awaiting validation that areallowed to queue before the Firebox automaticallyactivates SYN flood defense.Detecting Man-in-the-Middle AttacksMan-in-the-middle attacks deceive two parties into thinkingthey are communicating with each other while they areactually both communicating with a third party. Theattacker can then intercept data passing through the connection.User Guide 183

Chapter 11: Intrusion Detection and PreventionTo detect whether a man-in-the-middle attack is inprogress:1 Bring up the user interface for the CertificateAuthority.The browser displays the fingerprint for the CA certificate.2 Verify the certificate against the one displayed inFirebox System Manager, Front Panel tab, as shown inthe following figure.Blocking SitesThe Blocked Sites feature of the Firebox helps you preventunwanted contact from known or suspected hostile systems.After you identify an intruder, you can block allattempted connections from them. You can also configurelogging to record all access attempts from these sources soyou can collect clues as to what services they are attemptingto attack.A blocked site is an IP address outside the Firebox that isprevented from connecting to hosts behind the Firebox. Ifany packet comes from a host that is blocked, it does notget past the Firebox.There are two kinds of blocked sites:184 WatchGuard Firebox System

Blocking Sites• Permanently blocked sites–which are listed in theconfiguration file and change only if you manuallychange them.• Auto-blocked sites–which are sites the Firebox addsor deletes dynamically based on default packethandling rules and service-by-service rules for deniedpackets. For example, you can configure the Firebox toblock sites that attempt to connect to forbidden ports.Sites are temporarily blocked until the auto-blockingmechanism times out.For information on auto-blocking sites using theprotocol anomaly detection (PAD) feature, see“Configuring the Incoming SMTP Proxy” on page 138.Firebox System auto-blocking and logging mechanismscan help you decide which sites to block. For example,when you find a site that spoofs your network, you canadd the offending site’s IP address to the list of permanentlyblocked sites.Note that site blocking can be imposed only to traffic onthe Firebox’s external interface. Connections between thetrusted and optional interfaces are not subject to theBlocked Sites feature.Blocking a site permanentlyYou may know of hosts on the Internet that pose constantdangers, such as a university computer that has been usedmore than once by student hackers who try to invade yournetwork.Use Policy Manager to block a site permanently. Thedefault configuration blocks three network addresses–10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These are theprivate (“unconnected”) network addresses. Because theyare for private use, backbone routers should never passtraffic with these addresses in the source or destinationfield of an IP packet. Traffic from one of these addresses isalmost certainly a spoofed or otherwise suspect address.RFCs 1918, 1627, and 1597 cover the use of these addresses.User Guide 185

Chapter 11: Intrusion Detection and PreventionNOTEThe Blocked Sites list applies only to traffic on the Externalinterface. Connections between the Trusted and Optionalinterfaces are not subject to the Blocked Sites list.From Policy Manager:1 On the toolbar, click the Blocked Sites icon(shown at right).You can also select Setup => Intrusion Prevention=>Blocked Sites. The Blocked Sites dialog box appears, as shown inthe following figure.2 Click Add.3 Use the Choose Type drop list to select a member type.The options are Host IP Address, Network IPAddress, or Host Range.4 Enter the member value.Depending on the member type, this can be an IP address or arange of IP addresses. When typing IP addresses, type the digitsand periods in sequence. Do not use the TAB or arrow key tojump past the periods. For more information on entering IPaddresses, see “Entering IP addresses” on page 43.5 Click OK.The Blocked Sites dialog box appears displaying the new site inthe Blocked Sites list.186 WatchGuard Firebox System

Blocking SitesUsing an external list of blocked sitesYou can create a list of blocked sites in an external file. Thisfile must be a .txt file. To load an external file into yourblocked sites list:1 In the Blocked Sites dialog box, click Import.2 Browse to locate the file. Double-click it, or select it andclick Open.The contents of the file are loaded into the Blocked Sites list.Creating exceptions to the Blocked Sites listA blocked site exception is a host that is not added to thelist of automatically blocked sites regardless of whether itfulfills criteria that would otherwise add it to the list. Thesite can still be blocked according to the Firebox configuration,but it will not be automatically blocked for any reason.From Policy Manager:1 Select Setup => Intrusion Prevention => Blocked SitesExceptions.The Blocked Sites Exceptions dialog box appears.2 Click Add.3 Enter the IP address of the site for which you want tocreate an exception. Click OK.4 Click OK to close the Blocked Sites Exceptions dialogbox.To remove an exception, select the IP address of the site toremove. Click Remove.Changing the auto-block durationFrom the Blocked Sites dialog box, either type or use thescroll control to change the duration, in minutes, that thefirewall automatically blocks suspect sites. Duration canrange from 1 to 32,000 minutes (about 22 days).User Guide 187

Chapter 11: Intrusion Detection and PreventionLogging and notification for blocked sitesFrom the Blocked Sites dialog box:1 Click Logging.The Logging and Notification dialog box appears.2 In the Category list, click Blocked Sites.3 Modify the logging and notification parametersaccording to your security policy preferences.For detailed instructions, see “Customizing Logging andNotification by Service or Option” on page 215.Blocking PortsYou can block ports to explicitly disable external networkservices from accessing ports that are vulnerable as entrypoints to your network. A blocked port setting takes precedenceover any of the individual service configuration settings.Like the Blocked Sites feature, the Blocked Ports featureblocks only packets that enter your network through theexternal interface. Connections between the optional andTrusted interfaces are not subject to the Blocked Ports list.You should consider blocking ports for several reasons:• Blocked ports provide an independent check forprotecting your most sensitive services, even whenanother part of the firewall is not configured correctly.• Probes made against particularly sensitive services canbe logged independently.• Some TCP/IP services that use port numbers above1024 are vulnerable to attack if the attacker originatesthe connection from an allowed well-known servicewith a port number below 1024. These connections canbe attacked by appearing to be an allowed connectionin the opposite direction. You can prevent this type ofattack by blocking the port numbers of services whoseport numbers are under 1024.188 WatchGuard Firebox System

Blocking PortsBy default, the Firebox blocks several destination ports.This measure provides convenient defaults which do notnormally require changing. Typically, the following servicesshould be blocked:X Window System (ports 6000-6063)The X Window System (or X-Windows) has severaldistinct security problems that make it a liability onthe Internet. Although several authenticationschemes are available at the X server level, the mostcommon ones are easily defeated by aknowledgeable attacker. If an attacker can connectto an X server, he or she can easily record allkeystrokes typed at the workstation, collectingpasswords and other sensitive information. Worse,such intrusions can be difficult or impossible todetect by all but the most knowledgeable users.The first X Window server is always on port 6000.If you have an X server with multiple displays,each new display uses an additional port numberafter 6000, up to 6063 for a maximum of 64 displayson a given host.X Font Server (port 7100)Many versions of X-Windows support font servers.Font servers are complex programs that run as thesuper-user on some hosts. As such, it is best toexplicitly disable access to X font servers.NFS (port 2049)NFS (Network File System) is a popular TCP/IPservice for providing shared file systems over anetwork. However, current versions have seriousauthentication and security problems which makeproviding NFS service over the Internet verydangerous.NOTEPort 2049 is not assigned to NFS; however, in practice, thisis the most common port used for NFS. The port assigned forNFS is assigned by the portmapper. If you’re using NFS, itUser Guide 189

Chapter 11: Intrusion Detection and Preventionwould be a good idea to verify that NFS is using port 2049on all your systems.OpenWindows (port 2000)OpenWindows is a windowing system from SunMicrosystems that has similar security risks to X-Windows.rlogin, rsh, rcp (ports 513, 514)These services provide remote access to othercomputers and are somewhat insecure on theInternet. Because many attackers probe for theseservices, it is a good idea to block them.RPC portmapper (port 111)RPC Services use port 111 to determine whichports are actually used by a given RPC server.Because RPC services themselves are veryvulnerable to attack over the Internet, the first stepin attacking RPC services is to contact theportmapper to find out which services areavailable.port 0Port 0 is reserved by IANA, but many programsthat scan ports start their search on port 0.port 1Port 1 is for the rarely used TCPmux service.Blocking it is another way to confuse port scanningprograms.Novell IPX over IP (port 213).If you use Novell IPX over IP internally, you mightwant to explicitly block port 213.NetBIOS services (ports 137 through 139)You should block these ports if you use NetBIOSinternally. Although such services are blockedimplicitly by default packet handling, blockingthem here provides additional security.190 WatchGuard Firebox System

Blocking PortsAvoiding problems with legitimate usersIt is possible for legitimate users to have problems becauseof blocked ports. In particular, some clients might temporarilyfail because of blocked ports.You should be very careful about blocking port numbersbetween 1000 through 1999, as these numbers are particularlylikely to be used as client ports.NOTESolaris uses ports greater than 32768 for clients.Blocking a port permanentlyFrom Policy Manager:1 On the toolbar, click the Blocked Ports icon,shown at right.You can also select Setup => Intrusion Prevention =>Blocked Ports. The Blocked Ports dialog box appears, as shownin the following figure.2 In the text box to the left of the Add button, type theport number. Click Add.The new port number appears in the Blocked Ports list.To remove a blocked port, select the port to remove. ClickRemove.User Guide 191

Chapter 11: Intrusion Detection and PreventionAuto-blocking sites that try to use blockedportsYou can configure the Firebox such that when an outsidehost attempts to access a blocked port, that host is temporarilyauto-blocked.In the Blocked Ports dialog box, select the checkboxmarked Auto-block sites that attempt to use blockedports.You can also auto-block sites using protocol anomalydetection. For more information, see “Configuring theIncoming SMTP Proxy” on page 138.Setting logging and notification for blockedportsYou can also adjust your event logs and notification toaccommodate attempts to access blocked ports. You canconfigure the Firebox to log all attempts to use blockedports, or notify a network administrator when someoneattempts to access a blocked port.From the Blocked Ports dialog box:1 Click Logging.The Logging and Notification dialog box appears.2 In the Category list, click Blocked Ports.3 Modify the logging and notification parametersaccording to your security policy preferences.For detailed instructions, see “Customizing Logging andNotification by Service or Option” on page 215.Blocking Sites Temporarily with ServiceSettingsUse service properties to automatically and temporarilyblock sites when incoming traffic attempts to use a deniedservice. You can use this feature to individually log, block,192 WatchGuard Firebox System

Integrating Intrusion Detectionand monitor sites that attempt access to restricted ports onyour network.Configuring a service to temporarily blocksitesConfigure the service to automatically block sites thatattempt to connect using a denied service. From PolicyManager:1 Double-click the service icon in the Services Arena.The Properties dialog box appears.2 Use the Incoming service Connections Are drop list toselect Enabled and Denied.3 Select the checkbox marked Auto-block sites thatattempt to connect via service, located at the bottom ofthe dialog box.Viewing the Blocked Sites listThe Blocked Sites list is a compilation of all sitescurrently blocked by the Firebox. Use FireboxMonitors to view sites that are automaticallyblocked according to a service’s property configuration.From System Manager, click the Blocked Site List tab atthe bottom of the graph. (You might need to use the arrowsto access this tab.)Integrating Intrusion DetectionIntrusion detection is an important component of adefense-in-depth security policy. A good intrusion detectionsystem (IDS) examines over time the source, destination,and type of traffic directed at your network andcompares it against known patterns of attack. When amatch occurs, it tells you the nature of the attack and recommendspossible courses of action.User Guide 193

Chapter 11: Intrusion Detection and PreventionThe WatchGuard Firebox System default packet handlingoptions provide a basic intrusion detection system byblocking common and readily recognizable attacks such asIP address spoofing and linear port space probes. Theintrusion detection capabilities of the Firebox, however, arenecessarily limited. The primary function of your firewallis to examine and either allow or deny packets. Little extrabandwidth is available to conduct sophisticated analysis oftraffic patterns.LiveSecurity Service subscribers can download a command-lineutility called the Firebox System IntrusionDetection System Mate (fbidsmate) that integrates the Fireboxwith most commercial and shareware IDS applications.You use the fbidsmate utility to configure your IDSto run scripts that query the Firebox for information.Because versions are available for Win32 (Windows NT,Windows 2000, and Windows XP), SunOS, and Linux operatingsystems, you can select whatever IDS application bestsuits your security policy and network environments.Working with an external IDS application, the Firebox canautomatically add sites to the Blocked Sites list. Timeoutsand blocked site exceptions work exactly as they do forsites blocked using default packet handling options. Sitesadded to the Blocked Sites list appear in the Firebox MonitorsBlocked Sites tab. In addition, you can use the utility toadd explanatory log messages to the log file which can subsequentlybe used for reports.Because the fbidsmate utility is external to the Firebox, nochanges in the configuration file are required, nor is thereanything additional to configure using Policy Manager.To obtain a copy of the fbidsmate command-line utility thatmatches the operating system on which your IDS applicationis running, log in to yourLiveSecurity Service account at:https://www.watchguard.com/support194 WatchGuard Firebox System

Integrating Intrusion DetectionUsing the fbidsmate command-line utilityThe fbidsmate utility works from the command line.Although you can execute the commands directly againstthe Firebox, the tool is used most frequently in the contextof an IDS application script. The command syntax is:fbidsmate firebox_address [rwpassphrase | -frwpassphrase_file] [add_hostile hostile_address] |[add_log_message priority(0-7) "message"]fbidsmate import_passphrase rwpassphraserwpassphrase_filenameadd_hostileThis command adds a site to the Auto-Blocked Sitelist, with the duration set by the administrator inPolicy Manager’s Blocked Sites dialog box. Iteffectively extends your control of the Auto-Blockmechanism inside the Firebox.add_log_messageThis command causes a message to be added to thelog stream emitted by the Firebox. Because thepriority is used by the Firebox to construct syslogmessages, its range is the standard syslog0=Emergency to 7=Debug. There is no limit onmessage length; the message is automaticallybroken into multiple messages if necessary.import_passphraseYou can store the Firebox configuration passphrasein encrypted form instead of putting it in clear textin your IDS scripts. This command stores thepassphrase in the designated file using 3DESencryption. Rather than using the configurationpassphrase, use the file name in your scripts. If youare managing multiple Fireboxes, you need onepassphrase file per Firebox.User Guide 195

Chapter 11: Intrusion Detection and PreventionReturn valueThe return value of fbidsmate is zero if the command executedsuccessfully; otherwise it is non-zero. This valueshould be checked upon return if calling fbidsmate from ashell script or through some other interface.ExamplesIn the following examples, the IP address of the Firebox is10.0.0.1 with a configuration passphrase of “secure1”.Example 1The IDS detects a port scan from 209.54.94.99 andasks the Firebox to block that site:fbidsmate 10.0.0.1 secure1 add_hostile209.54.94.99The 209.54.94.99 site appears on the auto-blockedsites list and remains there for the duration set inPolicy Manager. In addition, the following messageappears in the log file:Temporarily blocking host 209.54.94.99Example 2The IDS adds a message to the Firebox’s logstream:fbidsmate 10.0.0.1 secure1 add_log_message 3"IDS system temp. blocked 209.54.94.99"With the IDS running on host 10.0.0.2, thefollowing message appears in the Firebox log file:msg from 10.0.0.2: IDS system temp. blocked209.54.94.99Example 3Because you are running your IDS applicationoutside the firewall perimeter, you decide toencrypt the configuration passphrase used in yourIDS scripts. Note that even with encryption, youshould lock down the IDS host as tightly as196 WatchGuard Firebox System

Integrating Intrusion Detectionpossible. First, you must import the passphrase“secure1” to an encrypted file on the IDS host:fbidsmate import_passphrase secure1 /etc/fbidsmate.passphraseThen you could rewrite the previous examples as:fbidsmate 10.0.0.1 -f /etc/fbidsmate.passphrase add_hostile209.54.94.99fbidsmate 10.0.0.1 -f /etc/fbidsmate.passphrase add_log_message 3 "IDSsystem temp. blocked 209.54.94.99"User Guide 197

Chapter 11: Intrusion Detection and Prevention198 WatchGuard Firebox System

CHAPTER 12Setting Up Loggingand NotificationAn event is any single activity that occurs at the Firebox,such as denying a packet from passing throughthe Firebox. Logging is the recording of these events toa log host. A notification is a message sent to theadministrator by the Firebox when an event occursthat indicates a security threat. Notification can be inthe form of email, a popup window on the Watch-Guard Security Event Processor (WSEP), a call to apager, or the execution of a custom program.For example, WatchGuard recommends that you configuredefault packet handling to issue a notificationwhen the Firebox detects a port space probe. When theFirebox detects one, the log host sends notification tothe network security administrator about the rejectedpackets. At this point, the network security administratorcan examine the logs and decide what to do tofurther secure the organization’s network. Some possiblecourses of action would be to:• Block the ports on which the probe was attempted• Block the IP address that is sending the packets• Contact the ISP through which the packets arebeing sentUser Guide 199

Chapter 12: Setting Up Logging and NotificationLogging and notification are crucial to an effective networksecurity policy. Together, they make it possible to monitoryour network security, identify both attacks and attackers,and take action to address security threats and challenges.WatchGuard logging and notification features are bothflexible and powerful. You can configure your firewall tolog and notify a wide variety of events, including specificevents that occur at the level of individual services. Formore information on logging, see the following collectionof FAQs:https://support.watchguard.com/advancedfaqs/log_main.aspDeveloping Logging and Notification PoliciesWhen creating a logging policy, you spell out what getslogged and when an event or series of events warrantssending out a notification to the on-duty administrator.Developing these policies simplifies the setup of individualservices in the WatchGuard Firebox System. If you havefully mapped out a policy, you can more easily delegateconfiguration duties and ensure that individual efforts donot contradict the overall security stance or logging andnotification policies.Logging policySpecifically, the logging policy delineates:• Which events to log• Which service events to log• Which servers are allocated as log hosts• How large a log file is allowed to become and howoften a new log file is createdIn general, you want to log only the events that might indicatea potential security threat, and ignore events thatwould waste bandwidth and server storage space. Thisgenerally translates into logging spoofs, IP options, probes,200 WatchGuard Firebox System

Developing Logging and Notification Policiesand denied packets, and not logging allowed packets.Allowed packets should not be indicative of a securitythreat. Furthermore, allowed traffic usually far exceeds thevolume of denied traffic and would slow response times aswell as causing the log file to grow and turn over tooquickly.WatchGuard provides the option to log allowed events primarilyfor diagnostic purposes when setting up or troubleshootingan installation. Or, you might have a situationsuch as a very specialized service that uses an obscure,very high port number, and the service is intended for useonly by a small number of people in an organization. Inthat case you might want to log all traffic for that service soyou can monitor or review that service activity.Not all denied events need to be logged. For example, ifincoming FTP denies all incoming traffic from any sourceoutside to any destination inside, there is little point in loggingincoming denied packets. All traffic for that service inthat direction is blocked.Notification policyThe most important events that should trigger notificationare IP options, port space probes, address space probes,and spoofing attacks. These are configurable in the DefaultPacket Handling dialog box, described in “Default PacketHandling” on page 178.Other notifications depend on your Firebox configurationand how much time is available for interacting with it. Forexample, if you set up a simple configuration that enablesonly a few services and denies most or all incoming traffic,only a few circumstances warrant notification. On the otherhand, if you have a large configuration with many services;with many allowed hosts or networks for incoming traffic;popular protocols to specific, obscure ports; and several filteredservices added of your own design; you will need toset up a large, complex notification scheme. This type ofconfiguration is more vulnerable to attack. Not only areUser Guide 201

Chapter 12: Setting Up Logging and Notificationthere many more services that require a notification policy,the high number of routes through the Firebox increasesthe likelihood that the log host will issue frequent notifications.If you set up a very accommodating firewall, be preparedto spend a large amount of time interacting withyour security system or fixing security breaches.To formulate a notification policy, look at the number andnature of the services enabled for the Firebox, and howopen or limited each service is. In general, for the high-trafficproxies such as SMTP and FTP, you might activate arepeat notification if the service rejects five to ten packetswithin 30 seconds. If you have set up a specialized servicelimited to traffic between two or three hosts using a highport number, you might want to activate notification onthis service whenever it denies or passes a packet.Failover LoggingWatchGuard uses failover logging to minimize the possibilityof missing log events. With failover logging, you configurea list of log hosts to accept logs in the event of afailure of the primary log host. By default, the Fireboxsends log messages to the primary log host. If for any reasonthe Firebox cannot establish communication with theprimary log host, it automatically sends log messages tothe second log host. It continues through the list until itfinds a log host capable of recording events.Multiple log hosts operate in failover mode, not redundancymode–that is, events are not logged to multiple loghosts simultaneously; they are logged only to the primarylog host unless that host becomes unavailable. The logs arethen passed on to the next available log host according tothe order of priority.Except where Syslog is used, the WatchGuard SecurityEvent Processor software must be installed on each log202 WatchGuard Firebox System

WatchGuard Logging Architecturehost. For more information, see “Setting up the Watch-Guard Security Event Processor” on page 207.WatchGuard Logging ArchitectureBy default, Policy Manager and the log and notificationapplication–the WatchGuard Security Event Processor–are installed on the same computer. You can, however,install the event processor software on multiple computers.You must complete the following tasks to configure thefirewall for logging and notification:Policy Manager- Add log hosts- Customize preferences for services and packethandling options- Save the configuration file with loggingproperties to the FireboxWatchGuard Security Event Processor (WSEP)- Install the WSEP software on each log host- Set global logging and notification preferences forthe host- Set the log encryption key on each log hostidentical to the key set in Policy ManagerDesignating Log Hosts for a FireboxYou should have at least one log host to run the Watch-Guard Firebox System. The default primary log host is themanagement station that is set when you run the Quick-Setup Wizard. You can specify a different primary log hostas well as multiple backup log hosts. The typical mediumsizedoperation has two or three high-capacity log hosts.User Guide 203

Chapter 12: Setting Up Logging and NotificationMultiple log hosts operate in failover, not redundant mode.The primary log host handles the bulk of the loggingduties; others are called in as needed when the highestrankinglog host is unavailable to receive logs.Before setting up a log host, you need to have the followinginformation:• IP address of each log host• Encryption key to secure the connection between theFirebox and log hosts• Priority order of primary and backup log hostsFor log host troubleshooting information, see the followingFAQ:https://support.watchguard.com/advancedfaqs/log_troubleshootinghost.aspAdding a log hostFrom Policy Manager:1 Select Setup => Logging.The Logging Setup dialog box appears.2 Click Add.The Add IP Address dialog box appears, as shown in thefollowing figure.3 Enter the IP address to be used by the log host.When typing IP addresses, type the digits and periods insequence. Do not use the TAB or arrow key to jump past theperiods. For more information on entering IP addresses, see“Entering IP addresses” on page 43.4 Enter the encryption key that secures the connectionbetween the Firebox and the log host.The default encryption key is the status passphrase set in theQuickSetup Wizard. You must use the same log encryption keyfor both the Firebox and the WatchGuard Security EventProcessor.204 WatchGuard Firebox System

Designating Log Hosts for a Firebox5 Click OK.Repeat until all primary and backup log hosts appear in theWatchGuard Security Event Processors list.Enabling Syslog loggingNote that Syslog logging is not encrypted; therefore, do notset the Syslog server to a host on the external interface.From Policy Manager:1 Select Setup => Logging.The Logging Setup dialog box appears.2 Click the Syslog tab.The Syslog tab information appears as shown in the followingfigure.3 Select the checkbox marked Enable Syslog Logging.4 Enter the IP address of the Syslog server.5 Select a Syslog facility from the drop-down list. Youcan select a facility from LOG_LOCAL_0 throughLOG_LOCAL_7.6 Click OK.For more information on Syslog logging, see the followingFAQ:https://support.watchguard.com/advancedfaqs/log_syslog.aspChanging the log encryption keyEdit a log host entry to change the log encryption key.From Policy Manager:1 Select Setup => Logging.The Logging Setup dialog box appears.User Guide 205

Chapter 12: Setting Up Logging and Notification2 Click the host name. Click Edit.3 Type in the new log encryption key. Click OK.You must use the same log encryption key for both the Fireboxand the WatchGuard Security Event Processor. To change the logencryption key on the WSEP application, see “Setting the logencryption key” on page 211.Removing a log hostRemove a log host when you no longer want to use it forany logging purpose. From Policy Manager:1 Select Setup => Logging.The Logging Setup dialog box appears.2 Click the host name. Click Remove.3 Click OK.The Logging Setup dialog box closes and removes the log hostentry from the configuration file.Reordering log hostsLog host priority is determined by the order in which thehosts appear in the WatchGuard Security Event Processorlist. The host that is listed first receives log messages.Use the Up and Down buttons to change the order of thelog hosts. From the Logging Setup dialog box:• To move a host down, click the host name. ClickDown.• To move a host up, click the host name. Click Up.Synchronizing log hostsSynchronizing log hosts involves setting the clocks of allyour log hosts to a single common time source. This keepslogs orderly and prevents time discrepancies in the log fileif failovers occur.The Firebox sets its clock to the current log host. If the Fireboxand the log host times are different, the Firebox timedrifts toward the new time, which often results in a briefinterruption in the log file. Rebooting the Firebox resets the206 WatchGuard Firebox System

Setting up the WatchGuard Security Event ProcessorFirebox time to that of the primary log host. Therefore, youshould set all log hosts’ clocks to a single source. In a localinstallation where all log hosts are on the same domain, seteach log host to the common domain controller.For Windows NT log hosts1 Go to each log host. Open an MS-DOS CommandPrompt window. Type the following command:net time /domain:domainName /setwhere domainName is the domain in which the loghosts operate.The system returns a message naming the domain controller.2 Type Y.The time of the local host is set to that of the domain controller.Another method to set the log host (and domain controller)clocks is to use an independent source such as the atomicclock—based servers available on the Internet. One place toaccess this service is:http://www.bldrdoc.gov/timefreqSetting up the WatchGuard Security EventProcessorThe WatchGuard Security Event Processor application isavailable both as a command-line utility and, on a WindowsNT or Windows 2000 host, as a service. It is, bydefault, installed on the management station when youinstall the WatchGuard Firebox System. However, youmust manually install the WSEP on all log hosts.Running the WSEP application on WindowsNT, Windows 2000, or Windows XPIf the WSEP application is to run on a Windows NT, 2000,or XP operating system, you can choose between twomethods: interactive mode from a DOS window or as aUser Guide 207

Chapter 12: Setting Up Logging and NotificationWindows service. The default method is for the WSEPapplication to run as a Windows service.By default, the WSEP application is installed to run as aWindows service, starting automatically every time thehost computer restarts.1 To start the WatchGuard Security Event Processorservice:- In Windows NT, go to Start => Settings => ControlPanel => Services.- In Windows 2000, go to Start => Settings =>Control Panel => Administrative Tools =>Services.- In Windows XP, go to Start => Control Panel =>Administrative Tools => Services.2 Double-click or right-click WG Security EventProcessor. Click Start.- Or, right-click on the WSEP icon in the systemtray and select Start.- You can also restart your computer. The servicestarts automatically every time the host reboots.In addition, if the WSEP application is running as a serviceand you are using pop-up notifications, make sure the servicecan interact with the Desktop.1 Verify that the WatchGuard Security Event Processorservice is enabled to interact with the desktop:- In Windows NT, go to Start => Settings =>Control Panel => Services.- In Windows 2000, go to Start => Settings =>Control Panel => Administrative Tools =>Services.- In Windows XP, go to Start => Control Panel =>Administrative Tools => Services.2 Double-click WG Security Event Processor. Click theLog On tab.3 Verify that the Allow service to interact with desktopcheckbox is selected.208 WatchGuard Firebox System

Setting up the WatchGuard Security Event Processor4 If the WSEP application was running, restart it aftersaving the changes.As a service, using the Command PromptIf the WSEP application was not installed by the Watch-Guard Firebox System installation wizard, this must bedone from the Command Prompt DOS window.1 Select Start => Run and type: command.A Command prompt window appears.2 Change directories to the WatchGuard installationdirectory.The default installation directory is C:\ProgramFiles\WatchGuard.3 At the command line, type:controld -nt-installYou can perform other commands for the WSEP applicationfrom the Command Prompt:• To start the WSEP application, at the command line,type:- controld -nt-start• To stop the WSEP application, at the command line,type:- controld -nt-stop• To remove the WSEP application, at the command line,type:- controld -nt-removeInteractive mode from a Command PromptThe WSEP application can also run in interactive modefrom a Command Prompt window. To so this, type: controld–NT –interactiveNOTEYou can minimize the Command Prompt window. However,do not close it. Closing the Command Prompt window haltsthe WSEP application.User Guide 209

Chapter 12: Setting Up Logging and NotificationViewing the WSEP applicationWhile the WatchGuard Security Event Processor isrunning, a Firebox-and-traffic icon (shown at left)appears in the Windows Desktop tray. To view theWSEP application, right-click the tray icon and selectWSEP Status/Configuration. The status and configurationinformation appears as shown in the following figure.If the WatchGuard Security Event Processor icon is not inthe tray, in Firebox System Manager, select Tools => Logging=> Event Processor Interface. To start the Event Processorinterface when you log in to the system, add ashortcut to the Startup folder in the Start menu. The Watch-Guard installation program does this automatically if youset up logging.Starting and stopping the WSEPThe WSEP starts automatically when you start the host onwhich it resides. However, it is possible to stop or restartthe WSEP from its interface at any time. Open the Watch-Guard Security Event Processor interface:• To start the WSEP application, select File => StartService.• To stop the WSEP application, select File => StopService.210 WatchGuard Firebox System

Setting Global Logging and Notification PreferencesSetting the log encryption keyThe log connection (but not the log file) between the Fireboxand a log host is encrypted for security purposes. Boththe management station and the WSEP application musthave the same encryption key.NOTEYou must enter an encryption key for the log host to receivelogs from the Firebox. It must be the same key used whenadding a WSEP application to the management station.From the WatchGuard Security Event Processor user interface:1 Select File => Set Log Encryption Key.2 Enter the log encryption key in both text boxes. ClickOK.Setting Global Logging and NotificationPreferencesThe WatchGuard Security Event Processor lists the connectedFirebox and displays its status. It has three controlareas, which are used as follows:Log Files tabSpecify the maximum number of records stored inthe log file.Reports tabSchedule regular reports of log activity.Notification tabControl to whom and how notification takes place.Together, these controls set the general parameters for mostglobal event processing and notification properties.User Guide 211

Chapter 12: Setting Up Logging and NotificationLog file size and rollover frequencyYou can set the maximum size of the log file by number oflog entries or by time (such as daily, weekly, or monthly).When the log file reaches the maximum according to yoursettings, the log host creates a new file or overwrites theold file. Log rollover is the frequency at which log filesbegin overwriting.For example, suppose you have set your log file maximumto 100,000 entries. Operation of your Firebox begins on July21. By July 26, the log file has 100,000 entries. At this point,the log host starts writing July 27 log entries to a new fileand the other file becomes the old file.The ideal maximum log file size is highly individual: It willbe based on the storage space available, how many days oflog entries you want on hand at any time, and how long alog file is practical to keep, open, and view. How quickly afile hits its maximum size and is overwritten is also determinedby how many event types are logged and howmuch traffic the Firebox processes. For example, a smalloperation might not see 10,000 entries in two weeks,whereas a large one with many services enabled might easilylog 100,000 entries in a day.When considering your ideal maximum log file, considerhow often you plan to issue reports of the Firebox activity.WatchGuard Historical Reports uses a log file as its sourceto build reports. If you issue weekly reports to management,you would want a log file large enough to hold atypical eight or nine days’ worth of events. Watch your initiallog file configuration to see how many days’ events itcollects before turning over, and then adjust the size toyour reporting needs.Setting the interval for log rolloverYou can control when the WSEP application rolls overusing the Log Files tab in the WatchGuard Security EventProcessor. The WSEP application can be configured to roll212 WatchGuard Firebox System

Setting Global Logging and Notification Preferencesover by time interval, number of entries, or both. From theWatchGuard Security Event Processor interface:1 Click the Log Files tab.The Log Files tab information appears, as shown in the followingfigure.2 For a time interval, select the Roll Log Files By TimeInterval checkbox. Select the frequency. Use the NextLog Roll is Scheduled For drop-down list to select adate. Use the scroll control or enter the first time of day.3 For a record size, select the Roll Log Files By Numberof Entries checkbox. Use the scroll control or enter anumber of log record entries.The Approximate Size field changes to display the approximatefile size of the final log file. For a detailed description of eachcontrol, right-click it, and then select What’s This?. You can alsorefer to the “Field Definitions” chapter in the Reference Guide.4 Click OK.The WSEP interface closes and saves your entries. New settingstake effect immediately.Scheduling log reportsYou can use the WSEP application to schedule the automaticgeneration of network activity reports. For moreinformation, see “Scheduling a report” on page 245.User Guide 213

Chapter 12: Setting Up Logging and NotificationControlling notificationNotification occurs when the Firebox sends an email message,pops up a window on the log host, dials a pager, orexecutes a program to notify an administrator that the Fireboxhas detected a triggering event. Use the WSEP applicationto control when and to whom such notifications aresent. From the WatchGuard Security Event Processor interface:1 Click the Notification tab.The Notification tab information appears, as shown in thefollowing figure.2 Modify the settings according to your security policypreferences.For more information on individual settings, right-click thesetting, and then select What’s This?. You can also refer to the“Field Definitions” chapter in the Reference Guide.Setting a Firebox friendly name for log filesYou can give the Firebox a friendly name to be used in logfiles. If you do not specify a name, the Firebox’s IP addressis used. From Policy Manager:1 Select Setup => Name.The Firebox Name dialog box appears.2 Enter the friendly name of the Firebox. Click OK.All characters are allowed except blank spaces and forward orback slashes (/ or \).For more information on the log file names used by WFS,see the following FAQ:https://support.watchguard.com/advancedfaqs/log_filename.asp214 WatchGuard Firebox System

Customizing Logging and Notification by Service or OptionCustomizing Logging and Notification byService or OptionThe WatchGuard Firebox System allows you to create customlogging and notification properties for each serviceand blocking option. You can fine-tune your security policy,logging only those events that require your attentionand limiting notification to those of truly high priority.To make logging and notification configuration easier, services,blocking categories, and packet-handling optionsshare an identical dialog box, as shown in the followingfigure. Therefore, once you learn the controls for one typeof service, you can easily configure the remainder.You can define the following:CategoryThe event types that can be logged by the service oroption. This list changes depending on the serviceor option. Click the event name to display and setits properties.Enter it in the logSelect this checkbox to log the event type; clear it todisable logging for the event type. Because theFirebox must perform domain name resolution,User Guide 215

Chapter 12: Setting Up Logging and Notificationthere may be a time lag before logs appear in thelog file. All denied packets are logged by default.Send NotificationSelect this checkbox to enable notification for theevent type; clear it to disable notification for theevent type.The remaining controls are active when you select theSend Notification checkbox:EmailSends an email message when the event occurs. Setthe email recipient in the Notification tab of theWSEP user interface.PagerTriggers an electronic page when the event occurs.Set the pager number in the Notification tab of theWSEP user interface.If the pager is accessible by email, select the Emailoption, and then enter the email address of thepager in the Notification tab of the WSEP userinterface.Popup WindowMakes a pop-up window appear on the log hostwhen the event occurs.Custom ProgramTriggers execution of a custom program when theevent occurs. A custom batch file or programenables you to trigger multiple types ofnotification. Type the full path to the program inthe accompanying field, or use Browse to locateand select the program.NOTEWatchGuard allows only one notification type per event.216 WatchGuard Firebox System

Customizing Logging and Notification by Service or OptionSetting Launch Interval and Repeat CountTwo parameters work in conjunction with the Event ProcessorRepeat Interval to control notification timing:Launch IntervalThe minimum time (in minutes) between separatelaunches of a notifier. Set this parameter to preventthe launch of several notifiers in response to similarevents that take place in a short amount of time.Repeat CountThe threshold for how often an event can repeatbefore the Firebox activates the special repeatnotifier. The repeat notifier creates a log entrystating that the notifier in question is repeating.Notification repeats only after this number ofevents occurs.As an example of how these two values interact, supposeyou have set up notification with these values:• Launch interval = 5 minutes• Repeat count = 4A port space probe begins at 10:00 a.m. and continues onceper minute, triggering the logging and notification mechanisms.Here is the time line of activities that would resultfrom this event with the above timing and repeating setup:1 10:00–Initial port space probe (first event)2 10:01–First notification launched (one event)3 10:06–Second notification launched (reports fiveevents)4 10:11–Third notification launched (reports fiveevents)5 10:16–Fourth notification launched (reports fiveevents)The time intervals between activities 1, 2, 3, 4, and 5 arecontrolled by the launch interval, which was set to 5 minutes.User Guide 217

Chapter 12: Setting Up Logging and NotificationThe repeat count multiplied by the launch interval equalsthe amount of time an event must continuously happenbefore it is handled as a repeat notifier.Setting logging and notification for a serviceFor each service added to the Services Arena, you can controllogging and notification of the following events:• Incoming packets that are allowed• Incoming packets that are denied• Outgoing packets that are allowed• Outgoing packets that are deniedFrom Policy Manager:1 Double-click a service in the Services Arena.The Properties dialog box appears.2 Click Logging.The Logging and Notification dialog box appears. The options foreach service are identical; the main difference is based onwhether the service in question is for incoming, outgoing, orbidirectional communication.3 Modify logging and notification properties accordingto your security policy preferences. Click OK.Setting logging and notification for defaultpacket-handling optionsWhen this option is selected, you can control logging andnotification properties for the following default packethandlingoptions:• Spoofing attacks• IP options• Port probes• Address space probes• Incoming packets not handled• Outgoing packets not handled218 WatchGuard Firebox System

Customizing Logging and Notification by Service or OptionFrom Policy Manager:1 Select Setup => Intrusion Protection => Default PacketHandling.The Default Packet Handling dialog box appears.2 Click Logging.3 Modify logging and notification properties accordingto your security policy preferences. Click OK.Setting logging and notification for blockedsites and portsYou can control logging and notification properties forboth blocked sites and blocked ports. The process is identicalfor both operations. The procedure below is for blockedsites.From Policy Manager:1 Select Setup => Intrusion Protection => Blocked Sites.The Blocked Sites dialog box appears.2 Click Logging.3 Modify logging and notification properties accordingto your security policy preferences. Click OK.User Guide 219

Chapter 12: Setting Up Logging and Notification220 WatchGuard Firebox System

CHAPTER 13Reviewing andWorking with LogFilesLog files are a valuable tool for monitoring your network,identifying potential attacks, and taking actionto address security threats and challenges. This chapterdescribes the procedures you use to work with logfiles, including viewing log files, searching for entriesin them, and consolidating and copying logs.The WatchGuard Security Event Processor (WSEP)controls logging, report schedules, and notification. Italso provides timekeeping services for the Firebox. Formore information about the WatchGuard SecurityEvent Processor and configuring logging, see Chapter12, “Setting Up Logging and Notification.”For more information on specific log messages, see thefollowing collection of FAQs:https://support.watchguard.com/advancedfaqs/log_main.aspUser Guide 221

Chapter 13: Reviewing and Working with Log FilesLog File Names and LocationsLog entries are stored on the primary and backup Watch-Guard Security Event Processor (WSEP). By default, logfiles are placed in the WatchGuard installation directory ina subdirectory called \logs.The log file to which the WSEP is currently writing recordscan be named in two ways. If the Firebox has a friendlyname, the log files are named FireboxName timestamp.wgl.(You can give your Firebox a friendly name using theSetup => Name option in Policy Manager.) If the Fireboxdoes not have a friendly name, the log files are named FireboxIPtimestamp.wgl.In addition, the WSEP creates an index file using the samename as the log file, but with the extension .idx1. This fileis located in the same directory as the log file. Both the.wgl and .idx1 files are necessary if you want to use anymonitoring or log display tool. For more information onthe log file names, see the following FAQ:https://support.watchguard.com/advancedfaqs/log_filename.aspViewing Files with LogViewerThe WatchGuard Firebox System utility called LogViewerprovides a display of log file data. You can view all log datapage by page, or search and display by keyphrases or specificlog fields.Starting LogViewer and opening a log fileFrom Firebox System Manager:1 Click the LogViewer icon (shown at right).LogViewer opens and the Load File dialog box appears.222 WatchGuard Firebox System

Viewing Files with LogViewer2 Browse to select a log file. Click Open.By default, logs are stored in a subdirectory of the WatchGuardinstallation directory called \logs. LogViewer opens and displaysthe selected log file.Setting LogViewer preferencesYou can adjust the content and format of the display. FromLogViewer:1 Select View => Preferences.2 Configure LogViewer display preferences as youchoose.For a description of each control on the General tab, right-click itand then click What’s This?. You can also refer to the “FieldDefinitions” chapter in the Reference Guide.For information on the Filter Data tab, see “Displaying andHiding Fields” on page 225.Searching for specific entriesLogViewer has a search tool to enable you to find specifictransactions quickly by keyphrase or field. From Log-Viewer:By keyphrase1 Select Edit => Search => by Keyphrase.2 Enter an alphanumeric string. Click Find.LogViewer searches the entire log file and displays the results aseither marked records in the main window or a separate filterwindow based on your selection.By field1 Select Edit => Search => By Fields.2 Click directly under the Field column. Use the dropdownlist that appears to select a field name.3 Click the Value column. Either a text field or a dropdownlist will appear, depending on the field youchose in step 2. Use the drop-down list to select avalue, or type in a specific value.User Guide 223

Chapter 13: Reviewing and Working with Log Files4 Click Search.LogViewer searches the entire log file and displays the results aseither marked records in the main window or a separate filterwindow based on your selection.Copying and exporting LogViewer dataYou can transfer log file data from LogViewer into anotherapplication. The data you choose to transfer is converted toa text file (.txt).If you want to transfer specific log entries to another application,use the copy function. Use the export function ifyou want to transfer entire log files, or a filtered set ofrecords (see next paragraph), to another application.You can copy log entries to an interim window, called theLogViewer filter window, prior to exporting them. Withinthe filter window (shown on top of the LogViewer windowin the figure on the next page) you can perform the samesearch functions as described in “Searching for specificentries” on page 223.224 WatchGuard Firebox System

Displaying and Hiding FieldsCopying log data1 Select the log entries you want to copy.Use the SHIFT key to select a block of entries. Use the CTRL keyto select multiple, non-adjacent entries.2 To copy the entries for pasting into another application,select Edit => Copy to clipboard.To copy the entries to the filter window prior toexporting them, select Edit => Copy to Filter Window.Exporting log dataYou can export log records from either the main window(all records) or the filter window.1 Select File => Export.The Save Main Window dialog box appears.2 Select a location. Enter a file name. Click Save.LogViewer saves the contents of the selected window to a textfile.Displaying and Hiding FieldsThe following figure shows an example of the type of displayyou normally see in LogViewer. Log entries sent to theWatchGuard log state the time stamp, host name, processname, and the process ID before the log summary. Use thePreferences dialog box to show or hide columns displayedin LogViewer. From LogViewer:1 Select View => Preferences. Click the Filter Data tab.2 Select the checkboxes of the fields you would like todisplay. Clear the checkboxes of those columns youwould like to hide.User Guide 225

Chapter 13: Reviewing and Working with Log FilesThe following describes each column and whether thedefault is for the field to appear (Show) or not appear(Hide):NumberThe sequence number in the file. Default = HideDateThe date the record entered the log file. Default =ShowTimeThe time the record entered the log file. Default =ShowThe Firebox receives the time from the log host. Ifthe time noted in the log seems later or earlier thanit should be, it is usually because the time zone isnot set properly on either the log host or theFirebox. Because some installations containFireboxes in multiple time zones with a single loghost, the Firebox uses Greenwich Mean timereceived from the log host by way of the loggingchannel (controld). The local time for the log files is226 WatchGuard Firebox System

Displaying and Hiding Fieldsthen computed on the log host based on theFirebox’s time zone setting. To change the Fireboxtime zone, see “Setting the Time Zone” on page 55.The rest of the columns vary according to the type of eventdisplayed. The events of most frequency and interest, however,are packet events, which display data as shownbelow:deny in eth0 339 udp 20 128 192.168.49.40255.255.255.255 67 68 (bootpc)The packet event fields are described here in order, fromleft to right.DispositionDefault = Show. The disposition can be as follows:- Allow – Packet was permitted by the current setof filter rules.- Deny – Packet was dropped by the current set offilter rules.DirectionDetermines whether the packet was logged when itwas received by the interface (“in”) or when it wasabout to be transmitted by the Firebox (“out”).Default = HideInterfaceThe name of the network interface associated withthe packet.Default = ShowTotal packet lengthThe total length of the packet in octets. Default =HideProtocolProtocol name, or a number from 0 to 255. Default= ShowUser Guide 227

Chapter 13: Reviewing and Working with Log FilesIP header lengthLength, in octets, of the IP header for this packet. Aheader length that is not equal to 20 indicates thatIP options were present. Default = HideTTL (time to live)The value of the TTL field in the logged packet.Default = HideSource addressThe source IP address of the logged packet. Default= ShowDestination addressThe destination IP address of the logged packet.Default = ShowSource portThe source port of the logged packet, UDP or TCPonly.Default = ShowDestination portThe destination port of the logged packet, UDP orTCP only. Default = ShowDetailsAdditional information appears after thepreviously described fields, including data aboutIP fragmentation, TCP flag bits, IP options, andsource file and line number when in trace mode. IfWatchGuard logging is in debug or verbose mode,additional information is reported. In addition, thetype of connection may be displayed inparentheses. Default = ShowWorking with Log FilesThe Firebox continually writes messages to log files on theWatchGuard Security Event Processor (WSEP). Because228 WatchGuard Firebox System

Working with Log Filescurrent log files are always open, they cannot be copied,moved, or merged using traditional copy tools; you shoulduse WSEP utilities to work with active log files.Unlike other Firebox System utilities, you cannot access theWatchGuard Security Event Processor user interface fromFirebox System Manager. To open the WSEP Status/Configurationuser interface:• Right-click the WSEP icon (shown at right) inthe Windows system tray and select WSEPStatus/Configuration. If the WSEP icon doesnot appear in the system tray, you can launch theWSEP from System Manager by selecting Tools =>Logging => Event Processor Interface.Consolidating logs from multiple locationsYou can merge two or more log files into a single file. Thismerged file can then be used with Historical Reports, Log-Viewer, HostWatch, or some other utility to examine logdata covering an extended period of time. From the WSEPStatus/Configuration user interface:1 Select File => Copy or Merge log files.2 Click Merge all files to one file. Enter the name of themerged file.3 Enter the files to merge in the Files to Copy box.You can also use the Browse button to specify the files.4 Enter the destination for the files in the Copy to ThisDirectory box.5 Click Merge.The log files are merged and saved to the new file in thedesignated directory.Copying log filesYou can copy a single log file from one location to another,and you can copy the current, active log file. From theWSEP Status/Configuration user interface:1 Select File => Copy or Merge Log Files.User Guide 229

Chapter 13: Reviewing and Working with Log Files2 Click Copy each file individually.3 Enter the file to copy in the Files to Copy box.4 Enter the destination for the file in the Copy to ThisDirectory box.5 Click Copy.The log file is copied to the new directory with the same filename.Forcing the rollover of log filesLog rollover refers to new log files being created while oldones are deleted or archived. In general, log files roll overbased on WSEP Status/Configuration settings. For moreinformation, see “Setting the interval for log rollover” onpage 212. However, you may occasionally want to force therollover of a log file.• From the WSEP Status/Configuration user interface,select File => Roll Current Log File.The old log file is saved as Firebox IP Time Stamp.wgl or FireboxName Time Stamp.wgl. The Event Processor continues writingnew records to Firebox IP.wgl or Firebox Name.wgl.Saving log files to a new locationAlthough log files are, by default, stored in a subdirectoryof the WatchGuard installation directory called /logs, youcan change this destination by using a text editor to edit thecontrold.wgc file.1 Open a text editor, such as Microsoft Wordpad.2 Use the text editor to open the controld.wgc file inthe WatchGuard installation directory.The default location is C:\ProgramFiles\WatchGuard\controld.wgc.3 Look for a line reading logdir: logs. Change logsto the complete or relative path name of the newdestination.For example, to change the destination to an archive directorywith the subdirectory WGLogs on the D: drive, the syntax islogdir: D:\Archive\WGLogs.4 Save your changes and exit the text editor.230 WatchGuard Firebox System

Working with Log Files5 Stop and restart the WatchGuard Security EventProcessor: Right-click the WatchGuard Security EventProcessor in the Windows desktop tray. Select StopService. Right-click the icon again and select StartService.New log files will be created in the specified directory. You canalso move any existing log files from the old location to the newone to avoid confusion.Setting log encryption keysThe log connection (but not the log file) between the Fireboxand an event processor is encrypted for security purposes.Both the management station and the WatchGuardSecurity Event Processor must have the same encryptionkey. From the WSEP Status/Configuration user interface:1 Select File => Set Log Encryption Key.The Set Log Encryption Key dialog box appears.2 Enter the log encryption key in the first box. Enter thesame key in the box beneath it to confirm.Sending logs to a log host at anotherlocationBecause they are encrypted by the Firebox, you can sendlog files over the Internet to a log host at another office.You can even send this traffic over the Internet from theFirebox at one office to the log host behind a second Fireboxat a remote office. One application of this feature mightinvolve configuring the Firebox at a remote office to storeits logs on a log host behind the Firebox at the main office.To do this, you must configure the Firebox at the remoteoffice such that it knows where and how to send the logfiles. The main office Firebox must be configured to allowthe log messages through the firewall to the log host.On the main office Firebox:1 Open Policy Manager with the current configurationfile.User Guide 231

Chapter 13: Reviewing and Working with Log Files2 On the toolbar, click the Add Service icon(shown at right).You can also select Edit => Add Service. The Servicesdialog box appears.3 Expand Packet Filters.4 Select WatchGuard-Logging. Click Add. Click OK.5 On the Incoming tab, select Enabled and Allowed.6 Under the To list, click Add.7 Click NAT. Enter the external IP address of the mainoffice Firebox in the External IP Address box. Enter theIP address of the log host behind the main officeFirebox in the Internal IP Address box.8 Click OK to close the Add Static NAT dialog box. ClickOK to close the Add Address dialog box. Click OK toclose the WatchGuard-Logging Properties dialog box.9 Save the new configuration to the main office Firebox.On the remote office Firebox:1 Open Policy Manager with the current configurationfile.2 Select Setup => Logging. Click Add.3 Enter the external IP address of the main office Fireboxand log encryption key of the log host on the networkprotected by the main office Firebox.4 Click OK to close the Add IP Address dialog box. ClickOK again to close the Logging Setup dialog box.5 Save the new configuration to the remote officeFirebox.On the log host:You must use the same log encryption key on the remoteoffice Firebox as is configured on the log host protected bythe main office Firebox. To modify the log encryption keyon the log host, see “Setting log encryption keys” onpage 231.You should see the IP address for the remote office Fireboxin the list as soon as it connects. However, it will not232 WatchGuard Firebox System

Working with Log Filesappear until the remote office Firebox has been properlyconfigured.User Guide 233

Chapter 13: Reviewing and Working with Log Files234 WatchGuard Firebox System

CHAPTER 14Generating Reportsof Network ActivityAccounting for Internet usage can be a challengingnetwork administration task. One of the best ways toprovide hard data for accounting and managementpurposes is to generate detailed reports showing howthe Internet connection is being used and by whom.A good report generation facility should be able toidentify and summarize key issues such as:• When do I need a wider bandwidth connection tothe Internet and why?• What usage patterns are users developing andhow do those patterns relate to the security of thenetwork and the goals of the corporation?• How do current user patterns reflect the valuesand concerns of the corporation in regard tocreating a productive workplace?Historical Reports is a reporting tool that creates summariesand reports of Firebox log activity. It generatesthese reports using the log files created by and storedon the WatchGuard Security Event Processor (WSEP).You can customize reports to include exactly the informationyou need in a form that is most useful to you.User Guide 235

Chapter 14: Generating Reports of Network ActivityUsing the advanced features of Historical Reports, you candefine a precise time period for a report, consolidate reportsections to show activity across a group of Fireboxes, andset properties to display the report data according to yourpreferences.Creating and Editing ReportsTo start Historical Reports, from Firebox SystemManager, click the Historical Reports icon (shownat right). You can also start Historical Reports fromthe installation directory. The file name is WGReports.exe.Starting a new reportFrom Historical Reports:1 Click Add.The Report Properties dialog box appears.236 WatchGuard Firebox System

Creating and Editing Reports2 Enter the report name.The report name will appear in Historical Reports, theWatchGuard Security Event Processor, and the title of theoutput.3 Use the Log Directory text box to define the location oflog files.The default location for log files is the \logs subdirectory of theWatchGuard installation directory.4 Use the Output Directory text box to define thelocation of the output files.The default location for output files is the \reports subdirectory ofthe WatchGuard installation directory.5 Select the output type: HTML Report, WebTrendsExport, or Text Export.For more information on output types, see “Exporting Reports”on page 241.6 Select the filter.For more information on filters, see “Using Report Filters” onpage 243.7 If you selected the HTML output type and you want tosee the main page of the report upon completion, selectthe checkbox marked Execute Browser UponCompletion.8 Click the Firebox tab.9 Enter the Firebox IP address or a unique name. ClickAdd.When typing IP addresses, type the digits and periods insequence. Do not use the TAB or arrow key to jump past theperiods. For more information on entering IP addresses, see“Entering IP addresses” on page 43.10 Specify report preferences as explained in theremaining sections in this chapter.11 When you are done defining report properties, clickOK.The name of the report appears in the Reports list.User Guide 237

Chapter 14: Generating Reports of Network ActivityEditing an existing reportAt any time, you can modify the properties of an existingreport. From Historical Reports:1 Select the report to modify. Click Edit.The Report Properties dialog box appears.2 Modify report properties according to yourpreferences.For a description of each property, right-click it, and then clickWhat’s This?. You can also refer to the “Field Definitions”chapter in the Reference Guide.Deleting a reportTo remove a report from the list of available reports, highlightthe report. Click Remove. This command removes the.rep file from the reports directory.Viewing the reports listTo view all reports generated, click Reports Page. Thislaunches your default browser with the HTML file containingthe main report list. You can navigate through all thereports in the list.Specifying a Report Time SpanWhen running Historical Reports, the default is to run thereport across the entire log file. You can use the drop-downlist on the Time Filters dialog box to select from a group ofpre-set time periods, such as “yesterday” and “today.” Youcan also manually configure the start and end times so thereport covers only the specific time frame you want toexamine.1 From the Report Properties dialog box, click the TimeFilters tab.2 Select the time stamp option that will appear on yourreport: Local Time or GMT.238 WatchGuard Firebox System

Specifying Report Sections3 From the Time Span drop-down list, select the timeyou want the report to cover.If you chose anything but Specify Time Filters, click OK.If you chose Specify Time Filters, click the Start and End dropdownlists and select a start time and end time, respectively.4 Click OK.Specifying Report SectionsUse the Sections tab on the Report Properties dialog boxto specify the type of information you want to be includedin reports. From Historical Reports:1 Click the Sections tab.2 Select the checkboxes for sections to be included in thereport.For a description of each section, see “Report Sections andConsolidated Sections” on page 246.3 To run authentication resolution on IP addresses, selectthe checkbox marked Authentication Resolution on IPaddresses.If user authentication is not enabled, you will not have theinformation in your logs to perform authentication resolution onIP addresses. However, generating a report when resolution isenabled will take considerably more time.4 To run DNS resolution on IP addresses, select thecheckbox marked DNS Resolution on IP addresses.Consolidating Report SectionsThe Sections tab defines the types of information to beincluded in a report on each of a group of Fireboxes: a verticallook at the data. You can also specify parameters thatconsolidate information for a group of Fireboxes: a hori-User Guide 239

Chapter 14: Generating Reports of Network Activityzontal (cumulative) view of data. To consolidate report sections:1 From the Report Properties dialog box, select theConsolidated Sections tab.The tab contains a list of report sections that can be consolidated.Brief definitions of the contents of these sections are available in“Report Sections and Consolidated Sections” at the end of thischapter.2 Click the boxes next to the items you want to include inthe consolidated report or click a checked box to clearit.3 Click OK.Setting Report PropertiesReports contain either Summary sections or Detail sections.Each can be presented in different ways to betterfocus on the specific information you want to view. Detailsections are reported only as text files with a user-designatednumber of records per page. Summary sections canalso be presented as graphs whose elements are userdefined.To set report properties:1 From the Report Properties dialog box, select thePreferences tab.2 Enter the number of elements to graph in the report.The default is 10.3 Enter the number of elements to rank in the table.The default is 100.4 Select the style of graph to use in the report.5 Select the manner in which you want the proxiedsummary reports sorted: bandwidth or connections.6 Enter the number of records to display per page for thedetailed sections.The default is 1,000 records. A larger number than this mightcrash the browser or cause the file to take a long time to load.7 Click OK.240 WatchGuard Firebox System

Exporting ReportsSetting a Firebox friendly name for reportsYou can give the Firebox a friendly name to be used inreports. If you do not specify a name, the Firebox’s IPaddress is used. From Policy Manager:1 Select Setup => Name.The Firebox Name dialog box appears.2 Enter the friendly name of the Firebox. Click OK.Exporting ReportsReports can be exported to three formats: HTML, Web-Trends, and text.All reports are stored in the path drive:\WatchGuard InstallDirectory\Reports. Under the Reports directory are subdirectoriesthat include the name and time of the report. Eachreport is filed in one of these subdirectories.Exporting reports to HTML formatWhen you select HTML Report from the Setup tab on theReport Properties dialog box, the report output is createdas HTML files. A JavaScript menu is used to easily navigatethe different report sections. (JavaScript must beenabled on the browser so you can review the reportmenu.)The following figure shows how the report might appearin the browser.User Guide 241

Chapter 14: Generating Reports of Network ActivityExporting a report to WebTrends forFirewalls and VPNsHistorical Reports can export the log file into a format thatcan be imported into WebTrends for Firewalls and VPNs.WebTrends for Firewalls and VPNs calculates informationdifferently than WatchGuard Historical Reports. WhileHistorical Reports counts the number of transactions thatoccur on Port 80, WebTrends for Firewalls and VPNs calculatesthe number of URL requests. These numbers varybecause multiple URL requests may go over the same Port80 connection.NOTEWatchGuard HTTP proxy logging must be turned on tosupply WebTrends the logging information required for itsreports.When you select WebTrends Export from the Setup tab onthe Reports Properties dialog box, the report output is createdas a WebTrends Enhanced Log Format (WELF) file.The report appears as a .wts file in the following path:242 WatchGuard Firebox System

Using Report Filtersdrive:\WatchGuard Install Directory\ReportsExporting a report to a text fileWhen you select Text Export from the Setup tab on theReport Properties dialog box, the report output is createdas a comma-delimited format file, which you can then usein other programs such as databases and spreadsheets. Thereport appears as a .txt file in the following path:drive:\WatchGuard Install Directory\Reports\Report DirectoryUsing Report FiltersBy default, a report displays information on the entire contentof a log file. At times, however, you may want to viewinformation only about specific hosts, services, or users.Use report filters to narrow the range of data reported.Filters can be one of two types:IncludeCreates a report that includes only those recordsthat meet the criteria set in the Host, Service, orUser Report Filters tabs.ExcludeCreates a report that excludes all records that meetthe criteria set in the Host, Service, or User ReportFilter tabs.You can filter an Include or Exclude report based on threecriteria:HostFilter a report based on host IP address.PortFilter a report based on service name or portnumber.User Guide 243

Chapter 14: Generating Reports of Network ActivityUserFilter a report based on authenticated username.Creating a new report filterUse Historical Reports to create a new report filter. Filtersare stored in the WatchGuard installation directory, in thesubdirectory report-defs with the file extension .ftr.From Historical Reports:1 Click Filters. Click Add.2 Enter the name of the filter as it will appear in the Filterdrop-down list in the Report Properties Setup tab.This name should easily identify the filter.3 Select the filter type.An Include filter displays only those records meeting the criteriaset on the Host, Service and User tabs. An Exclude filter displaysall records except those meeting the criteria set on the Host,Service, and User tabs.4 Complete the Filter tabs according to your reportpreferences.For a description of each control, right-click it, and then clickWhat’s This?. You can also refer to the “Field Definitions”chapter in the Reference Guide.5 When you are finished modifying filter properties,click OK.The name of the filter appears in the Filters list. The FilterName.ftr file is created in the report-defs directory.Editing a report filterAt any time, you can modify the properties of an existingfilter. From the Filters dialog box in Historical Reports:1 Highlight the filter to modify. Click Edit.The Report Filter dialog box appears.2 Modify filter properties according to your preferences.For a description of each property, right-click it, and then clickWhat’s This?. You can also refer to the “Field Definitions”chapter in the Reference Guide.244 WatchGuard Firebox System

Scheduling and Running ReportsDeleting a report filterTo remove a filter from the list of available filters, highlightthe filter. Click Delete. This command removes the .ftrfile from the \report-defs directory.Applying a report filterEach report can use only one filter. To apply a filter, openthe report properties. From Historical Reports:1 Select the report for which you would like to apply afilter. Click Edit.2 Use the Filter drop-down list to select a filter.Only filters created using the Filters dialog box appear in theFilter drop-down list. For more information, see “Creating a newreport filter” on page 244.3 Click OK.The new report properties are saved to the ReportName.rep file inthe report-defs directory. The filter will be applied the next timethe report is run.Scheduling and Running ReportsWatchGuard offers two methods to run reports: manuallyat any time or scheduled automatically using the Watch-Guard Security Event Processor (WSEP).Scheduling a reportYou can schedule the WSEP to automatically generatereports about network activity. To schedule reports:1 Right-click the WSEP desktop tray icon. Select WSEPStatus/Configuration.2 Click the Reports tab.3 Select a report to schedule.User Guide 245

Chapter 14: Generating Reports of Network Activity4 Select a time interval.For a custom interval, select Custom and then enter the intervalin hours.5 Select the first date and time the report should run.The report will run automatically at the time selected and then ateach selected interval thereafter.6 Click OK.Manually running a reportAt any time, you can run one or more reports using HistoricalReports. From Historical Reports:1 Select the checkbox next to each report you would liketo generate.2 Click Run.Report Sections and Consolidated SectionsYou can use Historical Reports to build a report thatincludes one or more sections. Each section represents adiscrete type of information or network activity.You can consolidate certain sections to summarize particulartypes of information. Consolidated sections summarizethe activity of all devices being monitored as a group asopposed to individual devices.Report sectionsReport sections can be divided into two basic types:• Summary – Sections that rank information bybandwidth or connections.• Detailed – Sections that display all activity with nosummary graphs or ranking.The following is a listing of the different types of reportsections and consolidated sections.246 WatchGuard Firebox System

Report Sections and Consolidated SectionsFirebox StatisticsA summary of statistics on one or more log files fora single Firebox.Authentication DetailA detailed list of authenticated users sorted byconnection time. Fields include: authenticated user,host, start date of authenticated session, start timeof authenticated session, end time of authenticatedsession, and duration of session.Time Summary – Packet FilteredA table, and optionally a graph, of all acceptedconnections distributed along user-definedintervals and sorted by time. If you choose theentire log file or specific time parameters, thedefault time interval is daily. Otherwise, the timeinterval is based on your selection.Host Summary – Packet FilteredA table, and optionally a graph, of internal andexternal hosts passing packet-filtered trafficthrough the Firebox sorted either by bytestransferred or number of connections.Service SummaryA table, and optionally a graph, of traffic for eachservice sorted by connection count.Session Summary – Packet FilteredA table, and optionally a graph, of the topincoming and outgoing sessions, sorted either bybyte count or number of connections. The format ofthe session is: client -> server : service. If theconnection is proxied, the service is represented inall capital letters. If the connection is packetfiltered, Historical Reports attempts to resolve theserver port to a table to represent the service name.If resolution fails, Historical Reports displays theport number.User Guide 247

Chapter 14: Generating Reports of Network ActivityTime Summary – Proxied TrafficA table, and optionally a graph, of all acceptedconnections distributed along user-definedintervals and sorted by time. If you choose theentire log file or specific time parameters, thedefault time interval is daily. Otherwise, the timeinterval is based on your selection.Host Summary – Proxied TrafficA table, and optionally a graph, of internal andexternal hosts passing proxied traffic through theFirebox, sorted either by bytes transferred ornumber of connections.Proxy SummaryProxies ranked by bandwidth or connections.Session Summary – Proxied TrafficA table, and optionally a graph, of the topincoming and outgoing sessions, sorted either bybyte count or number of connections. The format ofthe session is: client -> server : service. If theconnection is proxied, the service is represented inall capital letters. If the connection is packetfiltered, Historical Reports attempts to resolve theserver port to a table to represent the service name.If resolution fails, Historical Reports displays theport number.HTTP SummaryTables, and optionally a graph, of the most popularexternal domains and hosts accessed using theHTTP proxy, sorted by byte count or number ofconnections.HTTP DetailTables for incoming and outgoing HTTP traffic,sorted by time stamp. The fields are Date, Time,Client, URL Request, and Bytes Transferred.248 WatchGuard Firebox System

Report Sections and Consolidated SectionsSMTP SummaryA table, and optionally a graph, of the mostpopular incoming and outgoing email addresses,sorted by byte count or number of connections.SMTP DetailA table of incoming and outgoing SMTP proxytraffic, sorted by time stamp. The fields are: Date,Time, Sender, Recipient(s), and Bytes Transferred.FTP DetailTables for incoming and outgoing FTP traffic,sorted by time stamp. The fields are Date, Time,Client, Server, FTP Request, and Bandwidth.Denied Outgoing Packet DetailA list of denied outgoing packets, sorted by time.The fields are Date, Time, Type, Client, Client Port,Server, Server Port, Protocol, and Duration.Denied Incoming Packet DetailA list of denied incoming packets, sorted by time.The fields are Date, Time, Type, Client, Client Port,Server, Server Port, Protocol, and Duration.Denied Packet SummaryMultiple tables, each representing data on aparticular host originating denied packets. Eachtable includes time of first and last attempt, type,server, port, protocol, and number of attempts. Ifonly one attempt is reported, the last field is blank.Denied Service DetailA list of times a service was attempted to be usedbut was denied. The list does not differentiatebetween Incoming and Outgoing.WebBlocker DetailA list of URLs denied due to WebBlockerimplementation, sorted by time. The fields areDate, Time, User, Web Site, Type, and Category.User Guide 249

Chapter 14: Generating Reports of Network ActivityDenied Authentication DetailA detailed list of failures to authenticate, sorted bytime. The fields are Date, Time, Host, and User.Consolidated sectionsNetwork StatisticsA summary of statistics on one or more log files forall devices being monitored.Time Summary – Packet FilteredA table, and optionally a graph, of all acceptedconnections distributed along user-definedintervals and sorted by time. If you choose theentire log file or specific time parameters, thedefault time interval is daily. Otherwise, the timeinterval is based on your selection.Host Summary – Packet FilteredA table, and optionally a graph, of internal andexternal hosts passing packet-filtered traffic, sortedeither by bytes transferred or number ofconnections.Service SummaryA table, and optionally a graph, of traffic for allservices sorted by connection count.Session Summary – Packet FilteredA table, and optionally a graph, of the topincoming and outgoing sessions, sorted either bybyte count or number of connections. The format ofthe session is: client -> server : service. If theconnection is proxied, the service is represented inall capital letters. If the connection is packetfiltered, Historical Reports attempts to resolve theserver port to a table to represent the service name.If resolution fails, Historical Reports displays theport number.250 WatchGuard Firebox System

Report Sections and Consolidated SectionsTime Summary – Proxied TrafficA table, and optionally a graph, of all acceptedproxied connections distributed along user-definedintervals and sorted by time. If you choose theentire log file or specific time parameters, thedefault time interval is daily. Otherwise, the timeinterval is based on your selection.Host Summary – Proxied TrafficA table, and optionally a graph, of internal andexternal hosts passing proxied traffic, sorted eitherby bytes transferred or number of connections.Proxy SummaryProxies ranked by bandwidth or connections.Session Summary – Proxied TrafficA table, and optionally a graph, of the topincoming and outgoing sessions sorted either bybyte count or number of connections. The format ofthe session is: client -> server : service. If proxied,connections show the service in all capital letters. Ifresolution fails, Historical Reports displays theport number.HTTP SummaryTables, and optionally graphs, of the mostfrequented external domains and hosts accessedusing the HTTP proxy, sorted by byte count ornumber of connections.User Guide 251

Chapter 14: Generating Reports of Network Activity252 WatchGuard Firebox System

CHAPTER 15 Controlling Web SiteAccessWebBlocker is a feature of the WatchGuard FireboxSystem that works in conjunction with the HTTPproxy to provide Web site filtering capabilities. Itenables you to exert fine control over the Web surfingin your organization. You can designate which hoursin the day users are free to access the Web and whichcategories of Web sites they are restricted from visiting.For more information on WebBlocker, see the followingcollection of FAQs:https://support.watchguard.com/advancedfaqs/web_main.aspGetting Started with WebBlockerYou must complete several tasks before you can configurethe Firebox to use WebBlocker.User Guide 253

Chapter 15: Controlling Web Site AccessInstalling the WebBlocker serverYou install the WebBlocker server when you first run thesetup program for the WatchGuard Firebox System, asdescribed in “Setting Up the Management Station” onpage 36. By default, the setup program installs the Web-Blocker server on the same server as the WatchGuard SecurityEvent Processor. However, to preserve performance ifyou are running WFS under high load conditions, considerinstalling the WebBlocker server on a dedicated server runningWindows NT 4.0. or Windows 2000.To install the WebBlocker server on a dedicated platform,rerun the setup program on the dedicated server and–onthe Select Components screen–unselect all componentsexcept the WebBlocker server.You must start the WebBlocker server for WebBlockerrequests from the Firebox to be processed.Downloading the database usingWebBlocker UtilityAfter you install the WebBlocker server, you are askedwhether you want to run the WebBlocker utility. Click Yes.The WebBlocker Utility dialog box appears, as shown inthe following figure. Select Download Database to downloadthe current database.NOTEThe WebBlocker database is over 60 MB in size and maytake 30 minutes or more to download.254 WatchGuard Firebox System

Getting Started with WebBlockerYou can run the WebBlocker utility at any time to:• Download a new version of the database.• View the current database status• Upload the database• View the current WebBlocker server status• Install or remove the server• Start or stop the serverTo run the WebBlocker utility, select Start => Programs =>WatchGuard => WebBlocker Utility.Configuring the WatchGuard service iconBecause WebBlocker relies on copying updated versions ofthe WebBlocker database to the event processor, you mustconfigure the WatchGuard service setting Allow Outgoingto Any. It is possible to narrow this setting and use the IPaddress of webblocker.watchguard.com. However, thisaddress may change without notice.Add an HTTP serviceTo use WebBlocker, add the Proxied-HTTP, Proxy, or HTTPservice. WatchGuard recommends using Proxied-HTTP,which provides filtering on all ports. (HTTP without theProxy service manages only port 80.) WebBlocker takesprecedence over other settings in the HTTP or Proxy ser-User Guide 255

Chapter 15: Controlling Web Site Accessvices. If the HTTP service allows outgoing from Any toAny but WebBlocker settings are set to “Block All URLs,”all Web access is blocked. For information on adding anHTTP proxy service, see “Adding a proxy service forHTTP” on page 152.Configuring the WebBlocker ServiceWebBlocker is a built-in feature of several services, includingHTTP, Proxied HTTP, and Proxy. When WebBlocker isinstalled, five tabs appear in the service’s Properties dialogbox:• WebBlocker Controls• WB: Schedule• WB: Operational Privileges• WB: Non-operational Privileges• WB: ExceptionsActivating WebBlockerTo start using WebBlocker, you must activate the feature.From Policy Manager:1 Double-click the service icon you are using for HTTP.Click the Properties tab. Click Settings.The service’s dialog box appears.2 Click the WebBlocker Controls tab.The tab appears, as shown in the following figure.256 WatchGuard Firebox System

Configuring the WebBlocker Service3 Select the checkbox marked Activate WebBlocker.4 Next to the WebBlocker Servers box, click Add.5 In the dialog box that appears, type the IP address ofthe server in the Value field. Click OK.If you want to add additional WebBlocker servers, see “InstallingMultiple WebBlocker Servers” on page 262.Allowing WebBlocker server bypassBy default, if the WebBlocker server does not respond,HTTP traffic (Outbound) is denied. To change this suchthat all outbound HTTP traffic is allowed if a WebBlockerserver is not recognized, on the WebBlocker Controls tab,select Allow WebBlocker Server Bypass.The Allow WebBlocker Server Bypass option is global. Ifyou set it in one HTTP service, it applies to all other HTTPproxy services you might have.Configuring the WebBlocker messageUse the field marked Message for blocked user to definethe text string displayed in end users’ browsers when theyUser Guide 257

Chapter 15: Controlling Web Site Accessattempt to open a blocked Web site. The text string must beplain text and cannot contain HTML or the greater than (>)or less than (

Configuring the WebBlocker ServiceFrom the proxy’s dialog box:1 Click the WB: Schedule tab.The tab appears, as shown in the following figure.2 Click hour blocks to toggle from Operational to Nonoperational.NOTEThe operational and non-operational hours schedule isdependent on the time zone settings. WebBlocker defaults toGMT unless you have set a Firebox time zone. Forinformation on setting the Firebox time zone, see “Settingthe Time Zone” on page 55.Setting privilegesWebBlocker differentiates URLs based on their content.Select the types of content accessible during operationaland non-operational hours using the Privileges tabs. Theoptions are identical for Operational and Non-operational.From the proxy’s dialog box:1 Click the WB: Operational Privileges tab or the WB:Non-operational Privileges tab.2 Select the content type checkboxes for the categoriesyou would like to block.User Guide 259

Chapter 15: Controlling Web Site AccessCreating WebBlocker exceptionsWebBlocker provides an exceptions control to override anyof the WebBlocker settings. Exceptions take precedenceover all other WebBlocker rules; you can add sites that youwant to be allowed or denied above and beyond otherWebBlocker settings. Sites listed as exceptions apply onlyto HTTP traffic and are not related to the Blocked Sites list.The exceptions option maintains a list of IP addresses thatyou want to either specifically allow or deny, regardless ofother WebBlocker settings. You can specify exceptions bydomain name, network address, or host IP address. Youcan also fine-tune your exceptions by specifying a portnumber, path name, or string which is to be blocked for aparticular Web site. For example, if you wanted to blockonly www.sharedspace.com/~dave, because Dave’s site containsnude pictures, you would enter “~dave” to block thatdirectory of sharedspace.com. This would still allow users tohave access to www.sharedspace.com/~julia, which containsa helpful article on increasing productivity.If you wanted to block any sexually explicit content thatmight be on sharedspace.com, you might enter *sex, toblock a Web page such as www.sharedspace.com/~george/sexy.htm. By placing an asterisk (*) in front of the string youwant to match, it will be matched if that string appearsanywhere in the location part of the URL. However, youcannot enter *sex in the pattern section, and expect toblock all URLs that contain the word “sex.” The * optioncan be used only to modify the exceptions within a specificURL. For example, you can block www.sharedspace.com/*sex and expect that www.sharedspace/sexsite.html will beblocked.NOTEThis WebBlocker features is applicable only for outboundrequests to access web sites. You cannot use WebBlockerexceptions to make an internal host exempt fromWebBlocker rules.260 WatchGuard Firebox System

Configuring the WebBlocker ServiceFrom the HTTP Proxy dialog box:1 Click the WB: Exceptions tab (you might need to usethe arrow keys at the right of the dialog box to see thistab).2 In the Allowed Exceptions section, click Add.The Define Exceptions dialog box appears.3 Select the type of exception: host address, networkaddress, or enter URL. You can also use the LookupDomain Name option to determine the IP address of adomain.4 To allow a specific port or directory pattern, enter theport or string to be allowed.When typing IP addresses, type the digits and periods insequence. Do not use the TAB or arrow key to jump past theperiods. For more information on entering IP addresses, see“Entering IP addresses” on page 43.5 In the Denied Exceptions section, click Add. Specifythe host address, network address, or URL to bedenied.To block a specific string to be denied for a domain, select HostAddress. To block a specific directory pattern, enter the string tobe blocked (for example, “*poker”).6 To remove an item from either the Allow or the Denylist, select the address. Click the correspondingRemove button.User Guide 261

Chapter 15: Controlling Web Site AccessManaging the WebBlocker ServerThe WebBlocker server is installed as a Windows Serviceand can be started or stopped from the Services applicationlocated in the Windows Control Panel Program Group.Installing Multiple WebBlocker ServersYou can install two or more WebBlocker servers in afailover configuration. If the primary WebBlocker serverfails, the Firebox automatically fails over to the first serverin the WebBlocker Servers box, as shown in “ActivatingWebBlocker” on page 256.To add additional WebBlocker servers:1 On the WebBlocker Controls tab in the HTTP Proxydialog box, click Add.2 In the dialog box that appears, type the IP address ofthe server in the Value field. Click OK.You can use the Up and Down buttons to change the positionof the servers in the list.When operating two or more WebBlocker servers in afailover mode, the time between failovers may take up totwo minutes.Automating WebBlocker Database DownloadsThe most effective way to routinely download and updateyour WebBlocker database is to use Windows Task Scheduler.To do this, add a process called WebDBdownload.bat,262 WatchGuard Firebox System

Automating WebBlocker Database Downloadswhich appears in your WatchGuard directory under theWBServer folder:1 Open Control Panel and select Scheduled Tasks. (If itis not listed, see “Installing Scheduled Tasks,” in thefollowing section.)2 Select Add Scheduled Task.3 The Scheduled Tasks wizard launches. Click Next.4 On the next screen, which shows a list of programs toselect from, select Browse.5 Navigate to your WatchGuard directory and then intoWBServer. Select WebDBdownload.bat.6 Specify how often you want to perform this task.WatchGuard suggests you update your database everyday, although you can do it less often if you havebandwidth concerns. Click Next.7 Enter a start time for the process. Because thesedownloads are close to 60 megabytes, choose a timeoutside normal work hours.8 Select the frequency you want for this task.WatchGuard recommends you perform updates onweekdays, because the database is not updated onweekends.9 Select a suitable start date. Click Next.10 Enter the user name and passwords that this processrequires to run. Make sure this user has access to theproper files. Click Next.11 Review your entries. Click Finish.Installing Scheduled TasksIf you are running Windows NT 4.0, you might need tomanually install Scheduled Tasks:1 Open Control Panel and select Add/Remove Programs.2 From the list, select Microsoft Internet Explorer.3 When prompted, select Add a component.User Guide 263

Chapter 15: Controlling Web Site Access4 A list of software appears (this may take a fewminutes). If you’re using Internet Explorer 4.0, underAdditional Explorer Enhancements, select TaskScheduler. If you’re using Internet Explorer 5.0 or later,select Offline Browsing Pack.If the message “cannot find Windows Update Files on thiscomputer” appears, open Internet Explorer, go to the Toolsmenu, and select Windows Update. This takes you to theMicrosoft Web site, where you can download and installthe appropriate software.After installation, Scheduled Tasks appears under MyComputer.264 WatchGuard Firebox System

CHAPTER 16Connecting with Outof-BandManagementThe WatchGuard Firebox System out-of-band (OOB)management feature enables the management stationto communicate with a Firebox by way of a modem(not provided with the Firebox) and telephone line.OOB is useful for remotely configuring a Fireboxwhen access through the Ethernet interfaces isunavailable.Connecting a Firebox with OOB ManagementTo connect to the Firebox using OOB management,you must:• Connect the management station to a modem –Connect a modem between the serial port on themanagement station and an analog telephone line.• Connect the Firebox modem – Connect anexternal or PCMCIA (also known as PC card)modem to the Firebox. External modems must beattached to the Console port of the Firebox.User Guide 265

Chapter 16: Connecting with Out-of-Band Management• Enable the management station for dial-up networkingconnections.• Set Firebox network configuration properties.Enabling the Management StationFor a dial-up PPP connection to work between a managementstation and a Firebox, you must configure the managementstation to use a PPP connection. There areseparate procedures for configuring a PPP connection onthe Windows NT, Windows 2000, and Windows XP platforms.Preparing a Windows NT managementstation for OOBInstall the Microsoft Remote Access Server (RAS) on themanagement station.1 Attach a modem to your computer according to themanufacturer’s instructions.2 From the Windows NT Desktop, select Start =>Settings => Control Panel.3 Double-click Network.4 Click Add.The Select Network Service dialog box appears.5 Click Remote Access Server. Click OK.Follow the rest of the prompts to complete the installation. IfDial-Up Networking is not already installed, you will beprompted to install it.Preparing a Windows 2000 managementstation for OOBBefore configuring the management station, you must firstinstall the modem. If the modem is already installed, go tothe instructions for configuring the dial-up connection.266 WatchGuard Firebox System

Enabling the Management StationInstall the modem1 From the Desktop, click Start => Settings => ControlPanel => Phone and Modem Options.2 Click the Modems tab.3 Click Add. The Add/Remove Hardware Wizardappears.4 Follow the wizard through, completing theinformation requested.You will need to know the name and model of the Firebox modemand the modem speed.5 Click Finish to complete the modem installation.Configure the dial-up connection1 From the Desktop, click My Network Places =>Network and Dial-up Connections => Make NewConnection.The Network Connection wizard appears.2 Click Next. Select Dial up to Private Network. ClickNext.3 Enter the telephone number of the line connected to themodem in the Firebox. Click Next.4 Choose the proper designation for your connection.Click Next.5 Enter a name for your connection.This can be anything that reminds you of the icon’s purpose—OOB Connection, for example.6 Click Finish.7 Click either Dial or Cancel.A new icon is now in the Network and Dial-Up Connectionsfolder. To use this dial-up connection, double-clickthe icon in the folder.User Guide 267

Chapter 16: Connecting with Out-of-Band ManagementPreparing a Windows XP managementstation for OOBBefore configuring the management station, you must firstinstall the modem. If the modem is already installed, go tothe instructions for configuring the dial-up connection.Install the modem1 Click Start => Control Panel => Phone and ModemOptions.2 Click the Modems tab.3 Click Add. The Add Hardware Wizard appears.4 Follow the wizard through, completing theinformation requested.You will need to know the name and model of the Firebox modemand the modem speed.5 Click Finish to complete the modem installation.Configure the dial-up connection1 Click Start => Control Panel. Click NetworkConnections. Click New Connection Wizard.The New Connection Wizard appears.2 Click Next. Select Connect to the network at myworkplace. Click Next.3 Click Dialup connection. Click Next.4 Enter a name for your connection.This can be anything that reminds you of the icon’s purpose—OOB Connection, for example.5 Enter the telephone number of the line connected to themodem in the Firebox. Click Next.6 Click Finish.7 Click either Dial or Cancel.A new icon is now in the Network Connections folder. Touse this dial-up connection, double-click the icon in thefolder.268 WatchGuard Firebox System

Configuring the Firebox for OOBConfiguring the Firebox for OOBOOB management features are configured in Policy Managerusing the Network Configuration dialog box, OOBtab. The OOB tab is divided into two identical halves: thetop half controls the settings of any external modemattached; the lower half configures any PCMCIA modem ifone is present.The OOB management features are enabled by default onthe Firebox. When trying to connect to a Firebox by way ofOOB for the first time, the Firebox first tries to do so withthe default settings. From Policy Manager:1 Select Network => Configuration. Click the OOB tab.2 Modify OOB properties according to your securitypolicy preferences. Click OK.For a description of each control, right-click it, and then selectWhat’s This?. You can also refer to the “Field Definitions”chapter in the Reference Guide.Establishing an OOB ConnectionFrom the management station, command your dial-up networkingsoftware to call the Firebox modem. After themodems connect, the Firebox negotiates a PPP connectionwith the calling host, and IP traffic can pass. After the connectionis established, you can use System Manager byspecifying the dial-up PPP address of the Firebox. Thedefault address is 192.168.254.1.Configuring PPP for connecting to a FireboxIn its default configuration, Firebox PPP accepts connectionsfrom any standard client. The settings you use onyour management station are the same as if you were dialinginto a typical Internet service provider, except that youUser Guide 269

Chapter 16: Connecting with Out-of-Band Managementneed not specify a username or password; leave thesefields blank.OOB time-out disconnectsThe Firebox starts the PPP session and waits for a validconnection from Policy Manager on your management station.If none is received within the default period of 90 seconds,the Firebox terminates the PPP session.270 WatchGuard Firebox System

APPENDIX ATroubleshootingFirebox ConnectivityThis chapter provides four ways of connecting to yourFirebox should you lose connectivity. These proceduresassume that you have already created a configurationfile and will be restoring the Firebox with thatfile. If you have not yet created a configuration file,use the QuickSetup Wizard to create one, as describedin Chapter 3, “Getting Started.”Loss of connection to the Firebox can occur becauseyou lost or forgot your passphrases, you received anew Firebox as a replacement unit, or other reasons.But regardless of the reason you lost connectivity, youcan use any of these methods to reconnect to yourFirebox (although methods 3 and 4 are specific to certainFirebox models).User Guide 271

Appendix A: Troubleshooting Firebox ConnectivityMethod 1: Ethernet Dongle MethodThis method involves using a single crossover cable.1 Make sure the Firebox and the management station aredisconnected from the network.2 Connect one end of the crossover cable to the optionalinterface and the other end to the external interface,creating a loop. Power-cycle the Firebox.This cabling should produce the following light sequence on thefront of the Firebox:Armed light: steadySys A light: flickering(Do not be concerned with the lights on the Security TriangleDisplay indicating traffic between interfaces.)3 Disconnect the crossover cable from the optional andexternal interfaces. Now, connect one end to thetrusted interface and the other end to the managementstation. Do not turn off the Firebox.4 Make sure the management station has a static IPaddress. If it doesn’t, change the TCP/IP settings to astatic IP address. The computer designated as themanagement station should be on the same network asthe configuration file, preferably the trusted network,so you do not need to reassign an IP address to yourcomputer after the configuration file has beenuploaded.The following is an example of a typical IP address scheme:Management station: 192.168.0.5Subnet mask: 255.255.255.0Default gateway: 192.168.0.1Trusted network: 192.168.0.1 (from the configuration file)5 It is recommended that you double-check the IPaddress of the management station. To do this, open aDOS prompt and type ipconfig /all.6 Use the Ping command to assign the Firebox atemporary IP address so your management station cancommunicate with the Firebox. At the DOS prompt,type ping 192.168.0.1 (this is the default gatewayof your computer). You will then see a request timeout.Ping again. You should get four replies.272 WatchGuard Firebox System

Method 1: Ethernet Dongle Method7 Open Policy Manager from Firebox System Manager.Do not connect to the Firebox at this time.8 In Policy Manager, select File => Open =>Configuration File. Select the configuration file youwant to load onto the Firebox and load it into PolicyManager.9 In Policy Manager, select File => Save => To Firebox.You are then prompted for the IP address of theFirebox and the Firebox configuration passphrase. Usethe address you used to ping the Firebox and wg for thepassphrase.10 When the Firebox Flash Disk dialog box appears, asshown in the following figure, select the buttonmarked Save Configuration File and New FlashImage. Make sure the checkbox marked Make Backupof current flash image before saving is not selected.After the configuration has been uploaded and the Fireboxhas been rebooted, the Firebox light sequence should looklike this:Armed light: SteadySys A light: SteadyUser Guide 273

Appendix A: Troubleshooting Firebox ConnectivityYou should be able to ping the Firebox again with the sameIP address you used earlier. At this point, you should beable to connect back to the Firebox through System Managerand reinstall the Firebox back into the network.Method 2: The Flash Disk Management UtilityLike the first procedure, this method requires that you disconnectyour management station and Firebox from thenetwork.1 Make sure the management station has a static IPaddress. If it doesn’t, change the TCP/IP settings to astatic IP address. The computer designated as themanagement station should be on the same network asthe configuration file, preferably the Trusted network,so you do not need to reassign an IP address to yourcomputer after the configuration file has beenuploaded.The following is an example of a typical IP address scheme:Management station: 192.168.0.5Subnet mask: 255.255.255.0Default gateway: 192.168.0.1Trusted interface: 192.168.0.1 (from the configuration file)2 Connect the blue serial cable to the Console port of theFirebox and the other end to the open COM port of themanagement station.3 Connect the crossover cable from the Trusted interfaceon the Firebox to the management station.4 Access the Flash Disk Management utility: inSystem Manager, click the main menu button(shown at right). Select Tools => Advanced =>Flash Disk Managament.5 From the first screen in the Flash Disk Managementtool, select Boot from the System Area (FactoryDefault). Click Continue.274 WatchGuard Firebox System

Method 2: The Flash Disk Management Utility6 When prompted to enter an IP address, it isrecommended that you use the address that iscurrently configured as the default gateway on yourmanagement station. Click OK.7 Choose the COM port that is open on the managementstation. Click OK.This completes the Flash Disk Management utility.8 Power-cycle the Firebox and wait until the operationhas been completed.The Firebox light sequence should look like this:Armed light: SteadySys B light: Steady (Some Fireboxes may flicker but most will besteady.)(Do not be concerned with the lights on the Security TriangleDisplay indicating traffic between interfaces.)9 Open a DOS prompt and ping the IP address that youused for the temporary IP.Replies should follow, which means the Firebox is now ready foruploading a configuration.10 In Policy Manager, select File => Open =>Configuration File. Select the configuration file youwant to load onto the Firebox and load it into PolicyManager.11 In Policy Manager, select File => Save => To Firebox.You are then prompted for the IP address of theFirebox and the Firebox configuration passphrase. Usethe address you used as the temporary IP addressduring the flash disk management process and wg asthe passphrase.12 When the Firebox Flash Disk dialog box appears, clickthe button marked Save Configuration File and NewFlash Image.After the configuration has been uploaded and the Fireboxhas been rebooted, the Firebox light sequence should nowlook like this:Armed light: SteadySys A light: SteadyUser Guide 275

Appendix A: Troubleshooting Firebox ConnectivityYou should be able to ping the Firebox again with the sameIP address you used earlier. At this point, you should beable to connect back to the Firebox through System Managerand reinstall the Firebox into the network.Method 3: Using the Reset Button - FireboxModels 500, 700, 1000, 2500, 4500You can use the Reset button method only on the Fireboxmodels 500, 700, 1000, 2500, and 4500. Before you start,assign the IP address of your management station to be onthe 192.168.253.0 network. Do not use the 192.168.253.1address, which is being held by the Firebox as a default.The subnet is 255.255.255.0.It is recommended that you give your computer’s defaultgateway an IP address of 192.168.253.1.1 Disconnect the Firebox from the network.2 Start with the Firebox turned off. Hold down the Resetbutton on the back of the Firebox and turn on theFirebox power switch. Do not let go of the Reset buttonuntil you see this light sequence on the front of theFirebox:External light on Triangle: BlinksTrusted => Optional traffic (Activity): Flashing lightsSys B: FlickeringArmed: Steady3 Connect a crossover cable to the management stationand into the Firebox trusted interface.4 Open a DOS prompt, and ping the Firebox with192.168.253.1. You should get a reply.5 In Policy Manager, select File => Open =>Configuration File. Select the configuration file youwant to load onto the Firebox and load it into PolicyManager.276 WatchGuard Firebox System

Method 4: Serial Dongle (Firebox II only)6 In Policy Manager, select File => Save => To Firebox.When you are asked for the IP address of the Firebox,use 192.168.253.1 with wg as the passphrase.7 When the Firebox Flash Disk dialog box appears, clickthe button marked Save Configuration File and NewFlash Image.8 After the file has been restored on the Firebox, you willhave to reassign the IP address of your managementstation such that it is on the same network as thetrusted interface from configuration file that you justused. This will enable you to reconnect to the Firebox.After the configuration has been uploaded and the Fireboxhas been rebooted, the Firebox light sequence should nowlook like this:Armed light: steadySys A light: steadyMethod 4: Serial Dongle (Firebox II only)This option requires you to use a serial cable and a crossovercable. As with the previous procedures, you must disconnectyour management station and Firebox from thenetwork.Make sure that the management station is configured to beon the same network as 192.168.253.0. Do not use the192.168.253.1 address, which is being held by the Fireboxas a default.1 Connect one end of the serial cable to the serial port ofthe Firebox and the other end to the console port of theFirebox. Place the crossover cable into the trustedinterface and into the management station.User Guide 277

Appendix A: Troubleshooting Firebox Connectivity2 Power-cycle the Firebox. The light sequence shouldlook like this:Armed light: SteadySys B: Steady (On some Fireboxes, the Sys B light may flicker.)(Do not be concerned with the lights on the Security TriangleDisplay indicating traffic between interfaces.)3 Take out one end of the serial cable from the Firebox tobreak the loop effect.4 On the management station, open a DOS prompt. Pingthe Firebox with a 192.168.253.1.You should get a reply.5 In Policy Manager, select File => Open =>Configuration File. Select the configuration file youwant to load onto the Firebox and load it into PolicyManager.6 In Policy Manager, select File => Save => To Firebox.When you are prompted for an IP address, use192.168.253.1 with wg as the passphrase.7 When the Firebox Flash Disk dialog box appears,select the button marked Save Configuration File andNew Flash Image.8 After the file has been restored on the Firebox, you willhave to reassign the IP address of your managementstation such that it is on the same network as thetrusted interface from the configuration file that youjust used. This will enable you to reconnect to theFirebox with the trusted IP address that is listed in theconfiguration file and your status passphrase.278 WatchGuard Firebox System

IndexSymbols.cfg files 49.ftr files 244.idx files 222.rep files 238.wgl files 222.wts files 242Numerics1-1 Mapping dialog box 1111-to-1 NAT. See NAT, 1-to-1Aactive connections on Firebox,viewing 97ActiveX applets 154Add Address dialog box 109, 126, 163Add Exception dialog box 105, 111Add External IP Address dialogbox 109Add External IP dialog box 108Add Firebox Group dialog box 169Add IP Address dialog box 204Add Member dialog box 126, 164Add Port dialog box 121Add Route dialog box 70, 71Add Static NAT dialog box 109address space probes, blocking 180Advanced dialog box 61, 62Advanced NAT Settings dialogbox 105, 111aliasesadding 163deleting 164described 161, 162dvcp_local_nets 163dvcp_nets 163external 163firebox 163host 162modifying 164optional 163trusted 163Aliases dialog box 163anonymous FTP 115Any service, precedence 130ARP cache, flushing 83ARP table, viewing 95attacks, spoofing. See spoofingattacks.attacks, types of 177AUTH types for ESMTP 139authenticationCRYPTOCard server 173defining groups for 167described 161, 165for VPNs, viewing 79from External interface 165from outside Firebox 165Java applet for 165specifying server type 167viewing types used 90authentication serversCRYPTOCard 174network location for 166RADIUS 171SecurID on RADIUS server 175types 166viewing IP addresses of 90Windows NT 170Authentication Servers dialogbox 168, 170, 172, 174, 175auto-block duration, changing 187BBandwidth Meter tab 87bandwidth usage, viewing 87Berkeley Internet Name Domain(BIND) 155blocked portsauto-blocking sites that attempt touse 192avoiding problems with legitimateusers 191default 189described 188logging activity 192permanent 191reasons for 188setting logging and notificationfor 219User Guide 279

Blocked Ports dialog box 191, 192Blocked Ports list 191blocked servicesNetBIOS 190Novel IPX over IP 190OpenWindows 190rcp 190rlogin 190RPC portmapper 190rsh 190X Font server 189X Window 189blocked sitesand Firebox interfaces 185and IDS applications 194auto-block duration 187auto-blocked 185blocking with service settings 192changing auto block duration 187described 185dynamic 192exceptions to 187in System Manager 90logging and notification 188permanent 184, 185removing 187, 191storing in external file 187temporary 192viewing list of 193Blocked Sites dialog box 186, 187,219Blocked Sites Exceptions dialogbox 187Blocked Sites listdescribed 179, 193exceptions to 187viewing 96, 193BOVPN Upgrade 7Ccablesconnecting to Firebox 38included with Firebox 24certificate authority, Firebox as 127certificatesviewing CA fingerprint 77viewing expiration date and timeof 77viewing status of 77CHAP authentication 172configuration fileand Policy Manager 49basic 40customizing 44opening 49opening from Firebox 50opening from local drive 50rebooting Firebox after saving 51saving 51saving to Firebox 51saving to local drive 53starting new 58configuration modeschoosing 32, 41setting using Policy Manager 58Connect to Firebox dialog box 74, 84context-sensitive help 17controld 226controld.wgc 230CRYPTOCard serverauthentication 173, 174custom program, as notification 130,216DDCE 112DCE-RPC, and NAT 112default gatewaysentering 41for Firebox interfaces 59setting 60viewing IP address of 77default packet handlingand intrusion detection 194blocking address space probes 180blocking IP options attacks 180blocking port space probes 180blocking spoofing attacks 178blocking SYN Flood attacks 181described 178logging and notification for 218Default Packet Handling dialogbox 179, 180, 181, 182, 219Define Exceptions dialog box 261deny messagescopying 82issuing ping or traceroutecommand for 82SMTP proxy 140DHCP 66DHCP serveradding subnets 67280 WatchGuard Firebox System

default lease time for 67described 66enabling 127lease times 66maximum lease time for 67modifying subnets 68not using Firebox as 66removing subnets 68setting up Firebox as 66DHCP Server dialog box 66DHCP Subnet Properties dialogbox 67DHCP support on externalinterface 35, 41, 60, 61dialog boxes1-1 Mapping 111Add Address 109, 126, 163Add Exception 105, 111Add External IP 108Add External IP Address 109Add Firebox Group 169Add Member 126, 164Add Port 121Advanced 61, 62Advanced NAT Settings 105, 111Aliases 163Authentication Servers 168, 170,172, 174, 175Blocked Ports 192Blocked Sites 186, 187, 219Blocked Sites Exceptions 187Connect to Firebox 74, 84Default Packet Handling 179, 180,181, 182, 219default packet handling 179Define Exceptions 261DNS-Proxy Properties 157Firebox Authentication 166Firebox Flash Disk 54Firebox Name 55Host Alias 164HTTP Properties 152HTTP Proxy 261Incoming SMTP Proxy 138Incoming SMTP ProxyProperties 144Logging and Notification 128,188, 218Logging Setup 205, 206NAT Setup 105, 111Network Configuration 59, 64New Firebox Configuration 51, 54New Service 120Outgoing SMTP Proxy 147PAD Rules for DNS Proxy 157PAD Rules for FTP Proxy 150PAD Rules for SMTP Proxy 145Report Properties 238, 240service Properties 117, 120, 124,193Services 118, 120Set Log Encryption Key 231Setup Firebox User 169, 170Setup Routes 70SMTP Properties 145SMTP Proxy Properties 138, 140Time Filters 238WebBlocker Utility 254dial-up connection, for out-of-bandmanagement 267, 268DMZ (Demilitarized Zone) 29DNS proxyadding 156and file descriptor limit 158and NAT 158and security policy 115described 155enabling protocol anomalydetection 157DNS server addresses 65DNS-Proxy Properties dialog box 157drop-in configurationbenefits and drawbacks of 32characteristics 31described 30setting IP addresses in 59setting optional properties 62DVCP server, creating 127dvcp_local_nets 105, 112, 163dvcp_nets 105, 112, 163dynamic IP support. See DHCPsupport, PPPoE supportdynamic NAT. See NAT, dynamicdynamically blocked sites 192Eelectronic page, as notification 129emailas notification 129blocking address patterns 143blocking file-name patterns 142denying attachments 142protecting against relaying 143screening with SMTP proxy 137selecting headers to allow 143User Guide 281

sent after triggering event 214encryption 37, 38encryption for VPNs, viewing 79encryption keyentering 53when saving configuration file 52ESMTPAUTH types 139configuring 139keywords supported 138eth1, eth 2 94Ethernet dongle method fortroubleshooting 272event processor. See WatchGuardSecurity Event Processor or loghostevent, described 199external alias 163external caching proxy servers,configuring 154external interfacedescribed 28dynamic addressing on 60external network 28, 49Ffailover 6failover logging 202FAQs 7, 13fbd0 94fbidsmate utilitydescribed 194using 195, 196filter window in LogViewer 224filtered services. See services.Filtered-HTTP 152Firebox 500, and BOVPN Upgrade 7firebox alias 163Firebox Authentication dialogbox 166Firebox Flash Disk dialog box 54Firebox Installation Services 20Firebox interfacesadding secondary networks to 33described 28setting IP addresses of 58viewing IP addresses of 77Firebox kernal routing table,viewing 94Firebox Name dialog box 55, 214Firebox passphrases. See passphrasesFirebox Systemcomponents of 2described 1hardware requirements 4introduction 2requirements 3software requirements 3Web browser requirements 4Firebox System applications,launching 85Firebox System Manager. See SystemManagerFireboxesand IDS applications 194as certificate authority 127cables included with 24changing interface IP address 60changing polling rate 84choosing a configuration 32configuration modes 28configuring for logging 203configuring for out-of-band 269connecting cables 38connecting to 74, 84connecting via out-of-band 265defining as a DHCP server 66described 47designating log hosts 203entering encryption key for 53friendly names in log files,reports 55, 214gateways for interfaces 59interfaces. See Firebox interfaceslocation in network 48model 51, 54network cards in 89obtaining IP addressesdynamically 35opening configuration file 49opening configuration file from 50package contents 24reasons for loss of connection 271resetting pass phrase 53saving configuration file to 51setting clock to log host’s 206setting time zone for 55specifying model of 51, 54timeout value 50traffic sent through 76troubleshooting connectivity 271using out-of-band 265using Reset button 276282 WatchGuard Firebox System

viewing active connections on 97viewing bandwidth usage 87viewing basic status 74viewing everyone authenticatedto 95viewing log messages generatedby 80viewing memory usage of 90viewing uptime and version 89Flash Disk management tool 274FTPand optional network 49and security policy 115FTP proxyand NAT 112configuring 149described 149enabling protocol anomalydetection 150hazards of 149Ggateways. See default gatewaysgroupsassigning users to 169for authentication 167in Windows NT 171ipsec_users 168pptp_users 168HH323, and NAT 112hardware requirements 4hidden services, viewing 127High Availability 6, 24, 76Historical Reportsapplying a filter 245creating report filter 244deleting a filter 245described 3, 86editing a filter 244editing existing reports 238manually running a report 246opening 86starting 236starting new reports 236time spans for 238time zone 55Historical Reports. See also reportsHost Alias dialog box 164host aliases 162, 163host routes, configuring 71hostsviewing blocked 90viewing in HostWatch 99hosts, log. See log hostsHostWatchchoosing colors for display 100connecting to a Firebox 98described 2, 86, 97display 98modifying view properties 100opening 86replaying a log file 99setting display properties 99starting 97viewing authenticated users 99viewing hosts 99viewing ports 99HTTP Properties dialog box 152HTTP proxyand NAT 112restricting MIME types for 153HTTP Proxy dialog box 261HTTP servicesadding 152and security policy 115and WebBlocker 255described 151Filtered-HTTP 152HTTP 152Proxied-HTTP 151Iincoming servicessee entries under servicesIncoming SMTP Proxy dialogbox 138Incoming SMTP Proxy Propertiesdialog box 144Incoming tab 128, 137installationadding basic services after 69QuickSetup Wizard 40via serial cable 38via TCP/IP 40interfaces, monitoring 93internal network 29Internet Explorer 4User Guide 283

intrusion detection andprevention 177–197intrusion detection system (IDS)and fbidsmate utility 194described 193IP addressesadding to services 126and drop-in configuration 30and routed configuration 30and static NAT 108changing 60default gateways 77entering 43in example network 25netmask 77of authentication servers 90of Firebox interfaces 58of log hosts 89typing 84WINS/DNS servers 65IP alias 34IP options attacks, blocking 180IPSec tunnels, and DHCP/PPPoE 36ipsec_users 168ipsec0 94JJava appletsand Zip files 154for authentication 165Kknown issues 13Llaunch interval, setting 217license key certificates 24LiveSecurity Gold Program 19LiveSecurity Serviceactivating 12benefits of 9broadcasts 10described 3, 45Rapid Response Team 10lo (loopback interface) 94local drive, opening configuration filefrom 50log encryption key, setting 211, 231log filesconsolidating 229copying 229copying entries 224copying log entries 225default location of 222described 221displaying and hiding fields 225exporting records 225forcing rollover 230names of 222opening 222packet event fields 227replaying in HostWatch 99saving to a new location 230searching 223searching by field 223searing by keyphrase 223sending to another office 231setting Firebox names used in 55viewing with LogViewer 222working with 228log hostsadding 204as Windows 2000 service 208as Windows NT service 208as Windows XP service 208changing priority 206designating for Firebox 203editing settings 205primary 202removing 206reordering 206running on Windows 2000 207running on Windows NT 207running on Windows XP 207scheduling reports 213secondary 202setting clocks 206setting rollover interval 212starting 210stopping 210synchronizing 206synchronizing NT 207viewing 210viewing IP addresses of 89log messagescopying deny messages 82issuing ping or traceroute on denymessages 82log messages generated by Firebox 80284 WatchGuard Firebox System

log rollover 212loggingarchitecture 203blocked port activity 192described 199developing policies for 200enabling Syslog 205failover 202for blocked ports 192for blocked sites 188setting rollover interval 212specifying for SMTP proxy 144synchronizing NT log hosts 207logging and notificationconfiguring Firebox for 203customizing by blockingoption 215customizing by service 215default packet handling 218defining for services 128described 200designating log hosts 203for blocked sites and ports 219global preferences 211setting for a service 218Logging and Notification dialogbox 128, 188, 192, 218logging options, viewing 90Logging Setup dialog box 204, 205,206LogViewerconsolidating logs 229copying log data 224described 2, 86displaying and hiding fields 225exporting log file data 224filter window 224opening 86searching by field 223searching by keyphrase 223searching for entries 223setting preferences 223starting 222time zone 55viewing files with 222working with log files 228MMAC address of interfaces,viewing 77mail servers, protecting againstrelaying 143main menu button 75, 83, 84Make Backup of Current Flash Imagecheckbox 52management stationconnecting with out-of-band 269described 36, 48enabling for out-of-band 266setting up 36man-in-the-middle attacks 183manual IPSec tunnels, and DHCP/PPPoE 36masquerading, for SMTP proxy 147Maximum Incomplete Connectionssetting 183messages, deny. See deny messagesMIME typescreating new 142, 154described 140restricting for HTTP proxy 153minimum requirements 3Mobile User VPNand WINS/DNS serveraddresses 65described 6monitoring tunnels 79modems, installing for out-of-bandmanagement 267, 268monitoringactive connections on Firebox 97ARP table 95Firebox activity 88load average 90network interfaces 93processes 91routes 94MUVPNand WINS/DNS serveraddresses 65described 6monitoring tunnels 79Nname resolution, fixing slow 158NAT1-to-1and dynamic NATexceptions 106and PPPoE support 36described 102, 110using 110and DNS proxy 158User Guide 285

described 101dynamicdescribed 101, 102service-based dynamicconfiguring exceptions 107described 103disabling 107enabling 107using 106simple dynamicadding entries 104defining exceptions 105described 102enabling 103reordering entries 105using 103staticadding external IPaddresses 108configuring a service for 101,108described 101setting for a service 108typically used for 102types of 101types supported by proxies 112NAT Setup dialog box 103, 105, 111NetBIOS services 190netmask, viewing address of 77Netscape Communicator 4network address translation. See NATnetwork addresses, unconnected 185network cards in Firebox 89Network Configuration dialog box 59,60, 64network configurationschoosing 32diagram 29drop-in 30routed 29Network File System 189network interfaces, monitoring 93network routes, configuring 70networksexternal 28internal 29viewing blocked 90networks, secondary. See secondarynetworksNew Firebox Configuration dialogbox 51, 54New Service dialog box 120notation, slash 43notificationblocked port activity 192bringing up popup window as 129described 199developing policies for 200, 201example policy 202for blocked ports 192for blocked sites 188running custom program as 130sending email as 129setting launch interval 217setting repeat count 217settings for 214triggering electronic page as 129Novel IPX over IP 190NXT attacks 156OOnline Help 14, 15, 16online support servicesaccessing 14described 13OOB. See out-of band managementOpenWindows 190optional alias 163optional interface 29optional networkand FTP 49described 49Web server 49optional productsBOVPN Upgrade 7described 5High Availability 6Mobile User VPN 6purchasing 7SpamScreen 6VPN Manager 5outgoing servicessee entries under servicesOutgoing SMTP Proxy dialog box 147out-of-band managementand PPP connection 266configuring dial-up connectionfor 267, 268configuring Firebox for 269configuring PPP 269connecting Firebox using 265described 265enabling management stationfor 266286 WatchGuard Firebox System

Pestablishing connection 269installing modem 267, 268preparing NT Management Stationfor 266preparing Windows 2000Management Station for 266preparing Windows XPManagement Station for 268timeout disconnects 270packet filters, described 113packet handling, default. See defaultpacket handlingpacket-handling services. See servicespacketsviewing number allowed, denied,rejected 89viewing number sent andreceived 77PAD Rules for DNS Proxy dialogbox 157PAD Rules for FTP Proxy dialogbox 150PAD Rules for SMTP Proxy dialogbox 145PAD. See protocol anomaly detectionpager, as notification 129, 214PAP authentication 172passphrasesconfiguration 42described 42resetting for Firebox 53status 42tips for creating 54permanently blocked sites 185ping command for source of denymessages 82Policy Manageras view of configuration file 49described 2, 49, 85opening 85opening a configuration file 49Services Arena 85services displayed in 116using to create configurationfile 57polling rate, changing 84POP, and security policy 115popup window, as notification 129,216port space probesand default packet handling 194blocking 180ports0 1901 1901000-1999 191111 190137 through 139 1902000 190213 190513 190514 190viewing in HostWatch 99ports, blocked. See blocked ports.PPP connection, and out-of-bandmanagement 266, 269PPP user name and password 35, 59PPPoE support on Externalinterface 60PPPoE support on externalinterface 35, 41, 60, 61PPPoE, static 62pptp_users 168private LAN 29processes, viewing 91processor load indicator 75program, as notification 130protocol anomaly detectiondescribed 145enabling for DNS proxy 157enabling for FTP 150enabling for SMTP 136setting rules for 145Proxied-HTTP 151, 255proxiesdescribed 113types of NAT supported 112proxy ARP 31proxy servers, setting up 154Proxy service 255proxy servicesdescribed 135DNS 155FTP 149HTTP 151SMTP 137public servers, configuring 42User Guide 287

QQuickSetup Wizarddescribed 40launching 40rerunning 40running from System Manager 83steps 41RRADIUS server authentication 171Rapid Response Team 9, 10rcp service 190RealNetworks, and NAT 112red exclamation point, in VPNMonitor 79repeat count, setting 217Report Properties dialog box 238, 240reportsapplying a filter 245authentication details 247authentication resolution on IPaddresses 239consolidated sections 250consolidating sections 239, 246creating filters 244customizing 235deleting 238deleting a filter 245denied incoming/outgoing packetdetail 249denied packet summary 249denied service detail 249detail sections 240DNS resolution on IPaddresses 239editing 238, 239editing filters 244exporting to HTML 241exporting to text file 243exporting to WebTrends 242Firebox statistics 247FTP detail 249host summary 247, 248HTTP detail 248HTTP summary 248, 251key issues 235location of 241network statistics 250proxy summary 248reasons for generating 235running manually 246scheduling 245sections in 239, 246service summary 247session summary 247, 248setting Firebox names used in 55,241SMTP summary 249specifying sections for 239starting new 236summary sections 240time spans for 238time summary 248, 251using filters 243viewing list of 238WebBlocker detail 249requirementshardware 4software 3Reset button 276rlogin service 190routed configurationbenefits and drawbacks of 30characteristics of 30described 29setting IP addresses in 60routesconfiguring 70described 70host 71monitoring 94network 70RPC portmapper 190rsh service 190RTSP, and NAT 112RUVPN with PPTPand WINS/DNS serveraddresses 65monitoring tunnels 79SSave dialog box 53Save Main Window dialog box 225Scheduled Tasks, installing 263secondary networksadding 34, 35, 41, 64described 33SecurID authentication 175security applications 3security policyand DNS 115288 WatchGuard Firebox System

and FTP 115, 149and HTTP 115and POP 115and services 114and SMTP 115and telnet 115customizing 44described 44guidelines for services 114opening configuration file 49Security Triangle Display 75Select MIME Type dialog box 141serial dongle method fortroubleshooting 277service Properties dialog box 117,120, 124, 193service properties, using to blocksites 192service-based dynamic NAT. See NAT,service-based dynamicservicesadding 117adding addresses 126adding several of same type 119and your security policy 44, 114basic 69blocked. See blocked services.commonly added 45configurable parameters for 117configuring for incoming staticNAT 101configuring for Static NAT 108creating new 120custom 116customizing logging andnotification 128customizing logging for 215defining properties of 124deleting 123described 113disabled 124displayed in Policy Manager 116enabled and allowed 125enabled and denied 124guidelines for incoming 114guidelines for outgoing 115hidden 127HTTP 151icons for 116Novel IPX over IP 190OpenWindows 190overriding NAT setting 107precedence 130proxied-HTTP 255Proxy 255rcp 190rlogin 190RPC portmapper 190rsh 190setting logging and notificationfor 218setting static NAT for 108viewing number of connectionsby 88wg_ 127X Font service 189X Window 189Services Arenadescribed 85, 116displaying detailed view 116Services dialog box 118, 120Set Log Encryption Key dialogbox 231Setup Firebox User dialog box 169,170Setup Routes dialog box 70, 71shared secret 171sites, blocked. See blocked sites.slash notation 43SMTP Properties dialog box 145SMTP proxyadding address patterns 143adding content types 140adding masquerading options 147allowing headers 144and MIME types 140and NAT 112and security policy 115blocking file-name patterns 142blocking MIME types 140configuring 137, 138configuring outgoing 147denying attachments 142described 137email relaying 143enabling protocol anomalydetection 136keywords supported 138selecting headers to allow 143specifying logging for 144SMTP Proxy Properties dialogbox 138, 140SMTP, extended. See ESMTPsoftware requirements 3SpamScreen 6, 24spoofing attacksand System Manager 90User Guide 289

locking 179described 178static PPPoE 62Steel Belted RADIUS 175subnetsadding to DHCP server 67modifying 68removing 68SYN flood attacksblocking 181changing settings 182described 181preventing false alarms 182SYN Validation Timeout setting 183Syslog color 81Syslog loggingenabling 205facilities 205System ManagerARP table 95authentication host information 90authentication list 95basic Firebox status 75Blocked Sites list 96blocked sites list 90changing polling rate 84described 2, 73Firebox uptime 89front panel 75interfaces 93load average 90log and notification hosts 89logging options 90memory 90monitoring tunnels in 78network configuration 89packet counts 89processes 91routes 94running QuickSetup Wizardfrom 83ServiceWatch tab 88spoofing information 90starting 73Status Report tab 88version information 89viewing bandwidth usage 87system requirements 3TTCP/IP, cabling for 40TCPmux service 190Technical Supportassisted support 18described 9Firebox Installation Services 20frequently asked questions 9LiveSecurity Gold Program 19LiveSecurity Program 18users forum 14VPN Installation Services 20telnet, and security policy 115third-party authentication server. Seeauthentication or name of thirdpartyserverTime Filters dialog box 238time zone for Firebox, setting 55timeout duration for Firebox 50traceroute command for source ofdeny messages 82Traffic Monitorcopying deny messages in 82described 80issuing ping and traceroutecommand in 82limiting messages 81traffic volume indicator 75troubleshooting Fireboxconnectivity 271trusted alias 163trusted interface 29trusted network 49TSIG attacks 155tunnelsMobile User VPN 79monitoring 78RUVPN with PPTP 79viewing status of 76Uunconnected network addresses 185user authentication. Seeauthenticationusers, viewing in HostWatch 99Vvirus alerts 12VPN Installation Services 20VPN Manager290 WatchGuard Firebox System

and wg_dvcp service 127described 5VPNsallowing incoming servicesfrom 115and 1-to-1 NAT 110in routed configurations 30WWatchGuard Certified TrainingPartners (WCTPs) 21WatchGuard Firebox Systemadditional information on 84described 1documentation 18introduction 2Online Help 15options 5package contents 24WatchGuard installation directory,and log files 230WatchGuard security applications 3WatchGuard Security EventProcessoraccessing user interface 229and log files 222and notification 199and reports 235described 48, 86failover logging 202installing 207opening user interface 86running reports 245starting 210stopping 210user interface 210WatchGuard service 255WatchGuard users forum 15described 14Web browser, requirements forFirebox System 4Web server, and optional network 49Web sites, filtering 253WebBlockeractivating 256automatically downloadingdatabase 262configuring 256configuring message for 257creating exceptions for 260described 253manually downloadingdatabase 264prerequisites 253required services 255scheduling hours 258setting privileges 259time zone 55WebBlocker serverand setup program 37installing 254installing multiple 262managing 262viewing status of 255WebBlocker Server Bypass 257WebBlocker utility 254WebBlocker Utility dialog box 254WebTrends Enhanced Log Format(WELF) file 242WebTrends for Firewalls andVPNs 242wg_ servicesdescribed 127viewing 127wg_authentication 127wg_ca 127wg_dhcp_server 127wg_dvcp 127wg_pptp 127wg_sohomgt 127WGReports.exe 236What’s This? help 17Windows 2000and Firebox Systemrequirements 4preparing Management Station forout-of-band management 266running log host on 207Windows NTand Firebox Systemrequirements 4local and global groups 171preparing Management Station forout-of-band management 266running log host on 207Windows NT Serverauthentication 170Windows XPand Firebox Systemrequirements 4preparing Management Station forout-of-band management 268running log host on 207WINS server addresses 65User Guide 291

wizard.cfg 40WSEP. See WatchGuard SecurityEvent ProcessorXX Font server 189X Window 189ZZip files 154292 WatchGuard Firebox System