WatchGuard Firebox System 7.0 User Guide
Chapter 10: Creating Aliases and Implementing Authentication

5 Define the alias by adding members. To add an existing member, click the name in the Members list. Click Add.
6 To configure a new member, click Add Other. The Add Member dialog box appears.
7 Use the Choose Type drop-down list to select a category. In the Value text box, enter the address, range, or host name. Click OK.
8 When you finish adding members, click OK. The Host Alias dialog box appears listing the new alias. Click the alias to view its members.

To modify an alias, select it, click Edit, and then add or delete members.

To remove an alias, select it, click Remove, and then remove the alias from the Properties box of any services configured to use the alias. For more information, see “Defining Service Properties” on page 124.

How User Authentication Works

A specialized HTTP server runs on the Firebox. To authenticate, clients must connect to the authentication server using a Java-enabled Web browser pointed to:

http://IP address of any Firebox interface:4100/

A Java applet loads a prompt for a username and password that it then passes to the authentication server using a challenge-response protocol. Once successfully authenticated, users minimize the Java applet and browser window and begin using allowed network services.

As long as the Java window remains active (it can be minimized but not closed) and the Firebox does not reboot, users remain authenticated until the session times out. To prevent an account from authenticating, disable the account on the authentication server.

Using external authentication

Although the authentication applet is primarily used for outbound traffic, it can be used for inbound traffic as well. Authentication can be used outside the Firebox as long as you have an account on that Firebox. For example, if you are working at home, you can point your browser to:

http://public IP address of any Firebox interface:4100/

The authentication applet appears to prompt you for your login credentials. This can provide you access through various services such as FTP and Telnet, if you have preconfigured your Firebox to allow this.

Enabling remote authentication

Use this procedure to allow remote users to authenticate from the external interface, which gives them access to services through the Firebox.

1 In the Services Arena in Policy Manager, double-click the wg_authentication service icon.
2 On the Incoming tab, select Enabled and Allowed.