WatchGuard Firebox System 7.0 User Guide

More documents

Recommendations

Info

Chapter 11: Intrusion Detection and PreventionThe WatchGuard Firebox System default packet handlingoptions provide a basic intrusion detection system byblocking common and readily recognizable attacks such asIP address spoofing and linear port space probes. Theintrusion detection capabilities of the Firebox, however, arenecessarily limited. The primary function of your firewallis to examine and either allow or deny packets. Little extrabandwidth is available to conduct sophisticated analysis oftraffic patterns.LiveSecurity Service subscribers can download a command-lineutility called the Firebox System IntrusionDetection System Mate (fbidsmate) that integrates the Fireboxwith most commercial and shareware IDS applications.You use the fbidsmate utility to configure your IDSto run scripts that query the Firebox for information.Because versions are available for Win32 (Windows NT,Windows 2000, and Windows XP), SunOS, and Linux operatingsystems, you can select whatever IDS application bestsuits your security policy and network environments.Working with an external IDS application, the Firebox canautomatically add sites to the Blocked Sites list. Timeoutsand blocked site exceptions work exactly as they do forsites blocked using default packet handling options. Sitesadded to the Blocked Sites list appear in the Firebox MonitorsBlocked Sites tab. In addition, you can use the utility toadd explanatory log messages to the log file which can subsequentlybe used for reports.Because the fbidsmate utility is external to the Firebox, nochanges in the configuration file are required, nor is thereanything additional to configure using Policy Manager.To obtain a copy of the fbidsmate command-line utility thatmatches the operating system on which your IDS applicationis running, log in to yourLiveSecurity Service account at:https://www.watchguard.com/support194 WatchGuard Firebox System
Integrating Intrusion DetectionUsing the fbidsmate command-line utilityThe fbidsmate utility works from the command line.Although you can execute the commands directly againstthe Firebox, the tool is used most frequently in the contextof an IDS application script. The command syntax is:fbidsmate firebox_address [rwpassphrase | -frwpassphrase_file] [add_hostile hostile_address] |[add_log_message priority(0-7) "message"]fbidsmate import_passphrase rwpassphraserwpassphrase_filenameadd_hostileThis command adds a site to the Auto-Blocked Sitelist, with the duration set by the administrator inPolicy Manager’s Blocked Sites dialog box. Iteffectively extends your control of the Auto-Blockmechanism inside the Firebox.add_log_messageThis command causes a message to be added to thelog stream emitted by the Firebox. Because thepriority is used by the Firebox to construct syslogmessages, its range is the standard syslog0=Emergency to 7=Debug. There is no limit onmessage length; the message is automaticallybroken into multiple messages if necessary.import_passphraseYou can store the Firebox configuration passphrasein encrypted form instead of putting it in clear textin your IDS scripts. This command stores thepassphrase in the designated file using 3DESencryption. Rather than using the configurationpassphrase, use the file name in your scripts. If youare managing multiple Fireboxes, you need onepassphrase file per Firebox.User Guide 195
Page 1:
WatchGuard ®Firebox ® SystemUser
Page 7 and 8:
somewhere reasonably visible in you
Page 9 and 10:
(B) Use any backup or archival copy
Page 11 and 12:
8.Miscellaneous Provisions. This AG
Page 13 and 14:
ContentsCHAPTER 1 Introduction ....
Page 15 and 16:
Testing the connection ............
Page 17 and 18:
Controlling the HostWatch display .
Page 19 and 20:
Detecting Man-in-the-Middle Attacks
Page 21 and 22:
Deleting a report .................
Page 23 and 24:
CHAPTER 1IntroductionWelcome to Wat
Page 25 and 26:
Minimum RequirementsHistorical Repo
Page 27 and 28:
.WatchGuard OptionsHardwarefeatureC
Page 29 and 30:
About this Guideallowed to enter yo
Page 31 and 32:
CHAPTER 2Service and SupportNo Inte
Page 33 and 34:
LiveSecurity® Broadcastsdivided in
Page 35 and 36:
LiveSecurity® Self Help Tools3 Com
Page 37 and 38:
WatchGuard Users GroupGuard Technic
Page 39 and 40:
Online Helpto display a list of top
Page 41 and 42:
Assisted Supportto assist you in ma
Page 43 and 44:
Training and Certificationto speed
Page 45 and 46:
CHAPTER 3Getting StartedThe WatchGu
Page 47 and 48:
Gathering Network InformationNetwor
Page 49 and 50:
.Gathering Network InformationThe f
Page 51 and 52:
Selecting a Firewall Configuration
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Setting Up the Management Station4
Page 61 and 62:
Cabling the FireboxUser Guide 39
Page 63 and 64:
Running the QuickSetup WizardProvid
Page 65 and 66:
Entering IP addressesRunning the Qu
Page 67 and 68:
What’s Nextservices, in addition
Page 69 and 70:
CHAPTER 4Firebox BasicsThis chapter
Page 71 and 72:
Opening a Configuration FileTrusted
Page 73 and 74:
Saving a Configuration File3 From t
Page 75 and 76:
Resetting Firebox Passphrasesenter
Page 77 and 78:
Setting the Time Zone2 Select the m
Page 79 and 80:
CHAPTER 5Using PolicyManager toConf
Page 81 and 82:
Setting IP Addresses of Firebox Int
Page 83 and 84:
Setting DHCP or PPPoE Support on th
Page 85 and 86:
Defining External IP Aliases2 Confi
Page 87 and 88:
Entering WINS and DNS Server Addres
Page 89 and 90:
Defining a Firebox as a DHCP Server
Page 91 and 92:
Adding Basic Services to Policy Man
Page 93 and 94:
Configuring Routes3 Click the Net o
Page 95 and 96:
CHAPTER 6Managing andMonitoring the
Page 97 and 98:
Viewing Basic Firebox StatusThe top
Page 99 and 100:
Viewing Basic Firebox Statusbut the
Page 101 and 102:
Viewing Basic Firebox Status• The
Page 103 and 104:
Monitoring Firebox TrafficSetting t
Page 105 and 106:
Performing Basic Tasks with System
Page 107 and 108:
Performing Basic Tasks with System
Page 109 and 110:
Viewing Bandwidth Usage(shown above
Page 111 and 112:
Viewing Details on Firebox Activity
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
HostWatchHostWatchHostWatch is a re
Page 121 and 122:
HostWatch3 Enter the Firebox status
Page 123 and 124:
CHAPTER 7Configuring NetworkAddress
Page 125 and 126:
Using Simple Dynamic NATService-bas
Page 127 and 128:
Using Simple Dynamic NAT3 Use the T
Page 129 and 130:
Using Service-Based Dynamic NATEnab
Page 131 and 132:
Configuring a Service for Incoming
Page 133 and 134:
Using 1-to-1 NATA one-to-one mappin
Page 135 and 136:
CHAPTER 8Configuring FilteredServic
Page 137 and 138:
Selecting Services for your Securit
Page 139 and 140:
Adding and Configuring Servicesrigh
Page 141 and 142:
Adding and Configuring Services5 (O
Page 143 and 144:
Adding and Configuring Services3 In
Page 145 and 146:
Adding and Configuring Services11 C
Page 147 and 148:
Defining Service PropertiesEnabled
Page 149 and 150:
Defining Service Properties6 Click
Page 151 and 152:
Defining Service Propertiesthe serv
Page 153 and 154:
Service Precedencegroup always have
Page 155 and 156:
Service Precedencether down the pre
Page 157 and 158:
CHAPTER 9Configuring ProxiedService
Page 159 and 160:
Customizing Logging and Notificatio
Page 161 and 162:
Configuring an SMTP Proxy Service3
Page 163 and 164:
Configuring an SMTP Proxy Service2
Page 165 and 166: Configuring an SMTP Proxy ServiceAd
Page 167 and 168: Configuring an SMTP Proxy ServiceEn
Page 169 and 170: Configuring an SMTP Proxy ServiceCo
Page 171 and 172: Configuring an FTP Proxy Service6 S
Page 173 and 174: Selecting an HTTP Service4 Select t
Page 175 and 176: Selecting an HTTP Servicefrom Any t
Page 177 and 178: Configuring the DNS Proxy ServiceGE
Page 179 and 180: Configuring the DNS Proxy Service3
Page 181 and 182: Configuring the DNS Proxy ServiceYo
Page 183 and 184: CHAPTER 10Creating Aliases andImple
Page 185 and 186: Using AliasesGroupfireboxtrustedopt
Page 187 and 188: How User Authentication WorksHow Us
Page 189 and 190: Defining Firebox Users and Groups f
Page 191 and 192: Defining Firebox Users and Groups f
Page 193 and 194: Configuring RADIUS Server Authentic
Page 195 and 196: Configuring CRYPTOCard Server Authe
Page 197 and 198: Configuring SecurID AuthenticationC
Page 199 and 200: CHAPTER 11Intrusion Detectionand Pr
Page 201 and 202: Default Packet Handlingtion. In con
Page 203 and 204: Default Packet Handlingnetwork. Alt
Page 205 and 206: Detecting Man-in-the-Middle Attacks
Page 207 and 208: Blocking Sites• Permanently block
Page 209 and 210: Blocking SitesUsing an external lis
Page 211 and 212: Blocking PortsBy default, the Fireb
Page 213 and 214: Blocking PortsAvoiding problems wit
Page 215: Integrating Intrusion Detectionand
Page 219 and 220: Integrating Intrusion Detectionposs
Page 221 and 222: CHAPTER 12Setting Up Loggingand Not
Page 223 and 224: Developing Logging and Notification
Page 225 and 226: WatchGuard Logging Architecturehost
Page 227 and 228: Designating Log Hosts for a Firebox
Page 229 and 230: Setting up the WatchGuard Security
Page 231 and 232: Setting up the WatchGuard Security
Page 233 and 234: Setting Global Logging and Notifica
Page 235 and 236: Setting Global Logging and Notifica
Page 237 and 238: Customizing Logging and Notificatio
Page 243 and 244: CHAPTER 13Reviewing andWorking with
Page 245 and 246: Viewing Files with LogViewer2 Brows
Page 247 and 248: Displaying and Hiding FieldsCopying
Page 249 and 250: Displaying and Hiding Fieldsthen co
Page 251 and 252: Working with Log Filescurrent log f
Page 253 and 254: Working with Log Files5 Stop and re
Page 255 and 256: Working with Log Filesappear until
Page 257 and 258: CHAPTER 14Generating Reportsof Netw
Page 259 and 260: Creating and Editing Reports2 Enter
Page 261 and 262: Specifying Report Sections3 From th
Page 263 and 264: Exporting ReportsSetting a Firebox
Page 265 and 266: Using Report Filtersdrive:\WatchGua
Page 267 and 268:
Scheduling and Running ReportsDelet
Page 269 and 270:
Report Sections and Consolidated Se
Page 271 and 272:
Page 273 and 274:
Page 275 and 276:
CHAPTER 15 Controlling Web SiteAcce
Page 277 and 278:
Getting Started with WebBlockerYou
Page 279 and 280:
Configuring the WebBlocker Service3
Page 281 and 282:
Configuring the WebBlocker ServiceF
Page 283 and 284:
Configuring the WebBlocker ServiceF
Page 285 and 286:
Automating WebBlocker Database Down
Page 287 and 288:
CHAPTER 16Connecting with Outof-Ban
Page 289 and 290:
Enabling the Management StationInst
Page 291 and 292:
Configuring the Firebox for OOBConf
Page 293 and 294:
APPENDIX ATroubleshootingFirebox Co
Page 295 and 296:
Method 1: Ethernet Dongle Method7 O
Page 297 and 298:
Method 2: The Flash Disk Management
Page 299 and 300:
Method 4: Serial Dongle (Firebox II
Page 301 and 302:
IndexSymbols.cfg files 49.ftr files
Page 303 and 304:
default lease time for 67described
Page 305 and 306:
viewing active connections on 97vie
Page 307 and 308:
log rollover 212loggingarchitecture
Page 309 and 310:
Pestablishing connection 269install
Page 311 and 312:
and FTP 115, 149and HTTP 115and POP
Page 313 and 314:
and wg_dvcp service 127described 5V
show all

WatchGuard Firebox System 7.0 User Guide

Create successful ePaper yourself

Delete template?

Save as template?