WSM User Guide - WatchGuard Technologies
Using Dynamic NAT

Dynamic NAT is the most frequently used type of NAT. It changes the source IP address of an outgoing connection to the public IP address of the Firebox®. Outside the Firebox, you see only the IP address of the Firebox on outgoing packets.

Many computers can connect to the Internet from one public IP address. Dynamic NAT also gives some protection to internal hosts that use the Internet, because it hides the IP addresses of hosts on your network.

With dynamic NAT, all connections must start from behind the Firebox. Because the addresses of the internal hosts are not visible from the Internet, malicious hosts cannot start connections to the computers behind the Firebox when the Firebox is configured for dynamic NAT. Dynamic NAT supplements the firewall policies; it does not replace them. Your policies still decide which inbound connections the Firebox accepts.

In most networks, the recommended security policy is to apply NAT to all outgoing packets. With Fireware®, dynamic NAT is enabled by default in the Network > NAT dialog box. It is also enabled by default in each policy you create. You can override the firewall setting for dynamic NAT in your individual policies.

Adding firewall dynamic NAT entries

The default configuration of dynamic NAT enables dynamic NAT from all private IP addresses to the external network. The default entries are:
• 192.168.0.0/16 - Any-External
• 172.16.0.0/12 - Any-External
• 10.0.0.0/8 - Any-External

These three network addresses are the private networks reserved by the Internet Engineering Task Force (IETF) in RFC 1918 and are usually used for the IP addresses on LANs. To enable dynamic NAT for private IP addresses other than these, you must add an entry for them. The Firebox applies the dynamic NAT rules in the sequence that they appear in the Dynamic NAT Entries list. We recommend that you put the rules in a sequence that matches the volume of traffic the rules apply to, with the networks that send the most traffic first.

1 From Policy Manager, select Network > NAT.
The NAT Setup dialog box appears.
2 On the Dynamic NAT tab of the NAT Setup dialog box, click Add.
The Add Dynamic NAT dialog box appears.
3 Use the From drop-down list to select the source of the outgoing packets.
For example, use the trusted host alias to enable NAT from all of the trusted network. For more information on built-in Firebox aliases, see “Working with Aliases” on page 73.
4 Use the To drop-down list to select the destination of the outgoing packets.
5 To add a host or a network IP address, click the Add Device button shown at the right. Use the drop-down list to select the address type. Type the IP address or the range. You must type a network address in slash notation (for example, 192.168.10.0/24).
When you type an IP address, type all the numbers and the periods. Do not use the TAB or arrow key.
6 Click OK.
The new entry appears in the Dynamic NAT Entries list.

Reordering dynamic NAT entries

To change the sequence of the dynamic NAT entries, select the entry to change. Then click Up or Down.

You cannot edit an existing dynamic NAT entry. If a change is necessary, delete the entry with Remove, then use Add to enter it again.

Policy-based dynamic NAT entries

With this type of NAT, the Firebox uses the primary IP address of the outgoing interface as the source address of the outgoing packets for this policy. Each policy has dynamic NAT enabled by default and uses the global dynamic NAT table. You can disable dynamic NAT for all traffic in a policy.

Disabling policy-based dynamic NAT

1 From Policy Manager, right-click a policy and select Edit.
The Edit Policy Properties window appears.
2 Click the Advanced tab.
3 Clear the check box in front of Dynamic NAT to turn NAT off for the traffic this policy controls.
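The decision the Firebox makes for each outgoing packet, as the sections above describe it, can be modeled in a few lines so that the effect of the entry order and of the per-policy check box can be checked before a change is saved. The Python below is an added example, not WatchGuard code or the Fireware implementation. It assumes that an ordered entry list is evaluated first match wins, which is how "applied in the sequence they appear" is read here; the interface names, the TEST-NET-3 address 203.0.113.2 and the 100.64.0.0/10 range are constructed for illustration.

```python
"""Model of the Fireware dynamic NAT decision described on this page.

Added example, not WatchGuard code. It models the ordered Dynamic NAT
Entries list (assumed first match wins), the three default RFC 1918
entries, and the per-policy Dynamic NAT check box. The interface
addresses (TEST-NET-3) and the 100.64.0.0/10 range are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY_EXTERNAL = "Any-External"


@dataclass(frozen=True)
class DynamicNatEntry:
    """One row of the Dynamic NAT Entries list: From -> To."""
    src: IPv4Network   # "From": host or network, slash notation
    dst: str           # "To": alias of the outgoing interface(s)


@dataclass(frozen=True)
class Interface:
    name: str
    alias: str                # alias an entry's "To" field can name
    primary_ip: IPv4Address   # address written into translated packets


@dataclass
class Policy:
    name: str
    dynamic_nat: bool = True  # Advanced tab check box, on by default


# Default entries: the IETF private ranges, translated towards Any-External.
DEFAULT_ENTRIES: List[DynamicNatEntry] = [
    DynamicNatEntry(ip_network("192.168.0.0/16"), ANY_EXTERNAL),
    DynamicNatEntry(ip_network("172.16.0.0/12"), ANY_EXTERNAL),
    DynamicNatEntry(ip_network("10.0.0.0/8"), ANY_EXTERNAL),
]


def first_match(entries: List[DynamicNatEntry], src: IPv4Address,
                out_if: Interface) -> Tuple[Optional[int], int]:
    """Walk the list top to bottom. Return (index of the first matching
    entry or None, number of entries examined). The count is why the
    guide recommends ordering entries by traffic volume."""
    examined = 0
    for i, e in enumerate(entries):
        examined += 1
        if src in e.src and e.dst == out_if.alias:
            return i, examined
    return None, examined


def outgoing_source(entries: List[DynamicNatEntry], policy: Policy,
                    src: str, out_if: Interface) -> Tuple[str, str]:
    """Source address a packet leaves out_if with, and the reason.

    The source is rewritten to out_if.primary_ip only when the policy
    still has Dynamic NAT enabled AND some entry matches."""
    addr = ip_address(src)
    if not policy.dynamic_nat:
        return src, "policy has Dynamic NAT cleared"
    idx, _ = first_match(entries, addr, out_if)
    if idx is None:
        return src, "no dynamic NAT entry matches"
    e = entries[idx]
    return str(out_if.primary_ip), f"entry {idx}: {e.src} -> {e.dst}"


# Constructed topology (assumed): one external interface with a TEST-NET-3
# address and one optional interface; trusted hosts send through both.
EXTERNAL = Interface("eth0", ANY_EXTERNAL, ip_address("203.0.113.2"))
OPTIONAL = Interface("eth2", "Any-Optional", ip_address("172.16.50.1"))
HTTP_POLICY = Policy("HTTP-out")
NO_NAT_POLICY = Policy("Site-to-site", dynamic_nat=False)


def demo() -> dict:
    """The cases worth checking after the Dynamic NAT Entries list changes."""
    results = {}
    # 1. RFC 1918 host to the Internet: hidden behind the Firebox address.
    results["rfc1918"] = outgoing_source(DEFAULT_ENTRIES, HTTP_POLICY, "10.0.1.20", EXTERNAL)
    # 2. Trusted to optional: the defaults name only Any-External, so no NAT.
    results["to_optional"] = outgoing_source(DEFAULT_ENTRIES, HTTP_POLICY, "10.0.1.20", OPTIONAL)
    # 3. A private range outside RFC 1918 (100.64.0.0/10) leaves with its
    #    real address until an entry is added for it.
    results["cgnat_default"] = outgoing_source(DEFAULT_ENTRIES, HTTP_POLICY, "100.64.5.7", EXTERNAL)
    extended = DEFAULT_ENTRIES + [DynamicNatEntry(ip_network("100.64.0.0/10"), ANY_EXTERNAL)]
    results["cgnat_added"] = outgoing_source(extended, HTTP_POLICY, "100.64.5.7", EXTERNAL)
    # 4. The per-policy check box overrides the global table.
    results["policy_off"] = outgoing_source(DEFAULT_ENTRIES, NO_NAT_POLICY, "10.0.1.20", EXTERNAL)
    # 5. Ordering: moving the busiest network to the top cuts the lookup cost.
    _, before = first_match(DEFAULT_ENTRIES, ip_address("10.0.1.20"), EXTERNAL)
    reordered = [DEFAULT_ENTRIES[2], DEFAULT_ENTRIES[0], DEFAULT_ENTRIES[1]]
    _, after = first_match(reordered, ip_address("10.0.1.20"), EXTERNAL)
    results["examined"] = (before, after)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Case 3 is the one that bites in practice: a LAN numbered from a private range other than the three defaults, such as 100.64.0.0/10, is not translated until its own entry is added, so those hosts appear on the external network with their internal addresses. Case 4 shows that clearing the policy's Dynamic NAT check box wins over any global entry, and case 5 shows what reordering buys when 10.0.0.0/8 carries most of the traffic.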