WatchGuard Firebox System 7.0 User Guide
Chapter 9: Configuring Proxied Services

From Policy Manager:

1. If you have not done so already, use the Add Service button to add the FTP proxy service. Expand the Proxies tree and double-click the FTP service icon.
2. Click the Properties tab. Click Settings.
   The Settings information appears as shown in the following figure.
3. Enable FTP proxy properties according to your security policy preferences.
   For a description of each control, right-click it, and then select What’s This?. You can also refer to the “Field Definitions” chapter in the Reference Guide.
   Note that the Make Incoming FTP Connections Read only checkbox is selected by default. If you have an FTP server that accepts files, be sure to clear this checkbox.
4. Click OK.

Enabling protocol anomaly detection for FTP

For a description of protocol anomaly detection, see “Protocol Anomaly Detection” on page 136.

1. From the FTP Properties dialog box, click the Properties tab.
2. Select the Enable auto-blocking of sites using protocol anomaly detection checkbox.
3. To set rules for anomaly detection, click the Autoblocking Rules button.
   The PAD Rules for FTP Proxy dialog box appears, as shown in the following figure.
4. Select the rules to determine which packet originators are automatically added to the auto-blocked sites list.

Selecting an HTTP Service

Because of the extensive security implications of HTTP traffic, it is important to restrict the incoming service as much as possible. Many administrators set up public Web servers only on their optional interface. They restrict incoming HTTP traffic to the optional interface and prohibit incoming HTTP traffic from traveling from the optional interface to the trusted interface. Outgoing traffic is generally less restrictive. For example, many companies open outgoing HTTP traffic from Any to Any.

WatchGuard Firebox System offers three different types of HTTP services. Choose the HTTP service that best meets your needs:

• Proxied-HTTP is a multiservice that combines configuration options for HTTP on port 80 with a rule that allows (by default) all outgoing TCP connections. In other words, the Proxied-HTTP is not bilateral incoming and outgoing; this service controls incoming TCP traffic only on port 80, but allows outgoing TCP traffic on all ports. The Proxied-HTTP service includes