WSM User Guide - WatchGuard Technologies
How User Authentication Works

vent a user from authenticating, the administrator must disable that user’s account on the authentication server.

Using authentication from the external network

The primary function of the authentication tool is to authenticate outgoing traffic. You can also use it to restrict incoming network traffic. When you have an account on the Firebox, you can always use external authentication. For example, you can type this address in your browser at home:

https://IP address of Firebox external interface:4100/

After you authenticate, you can use the policies that are configured for you on the Firebox.

Use this procedure to let a remote user authenticate from the external network. This lets the person use resources through the Firebox.

1 From Policy Manager, double-click the WatchGuard Authentication policy icon. This policy appears after you add a user or group to a policy configuration. You see a warning to be careful when you edit an automatically configured policy.
2 Click the Policy tab.
3 From the WG-Auth connections are drop-down list, select Allowed.
4 Below the From box, click Add. Select Any from the list and click Add. Click OK.
5 Below the To box, click Add. Select Firebox from the list and click Add. Click OK.

Using authentication through a gateway Firebox to another Firebox

To send an authentication request through a gateway Firebox to a different Firebox, you must add a policy that allows the authentication traffic on the gateway Firebox. On the gateway Firebox, use Policy Manager to add the WatchGuard Authentication policy. This policy controls traffic on TCP port 4100. Configure the policy to allow traffic to the IP address of the destination Firebox.

122 WatchGuard System Manager

Authentication server types

With Fireware®, there are five authentication methods:
• Firebox
• RADIUS
• SecurID
• LDAP
• Active Directory

You can configure one or more authentication server types for a Firebox. Authentication to different server types is almost the same for the user. For the Firebox administrator, the difference is that the user database can be on the Firebox or on a dedicated authentication server.

When you use an authentication server, you configure it with the instructions from its manufacturer. You install the server with access to the Firebox and put it behind the Firebox for security.

Using a backup authentication server

You can configure a backup authentication server with all types of third-party authentication. If the Firebox cannot connect to the primary authentication server (after three attempts), it connects to the backup authentication server. If the Firebox cannot connect to the backup authentication server, it waits ten minutes, and then tries to connect to the primary authentication server again. This cycle continues until the Firebox connects with an authentication server.

Configuring the Firebox as an Authentication Server

If you do not use a third-party authentication server, you can use the Firebox® as an authentication server. This procedure divides your company into groups and users for authentication. The group to which you assign a person is controlled by the tasks they do and the information they use. For example, you can have an accounting group, a marketing group, and a research and development group. You can also have a new employee group, with controlled access to the Internet.

In a group, you set the authentication procedure for the users, the system type, and the information to which they have access. A user can be a network or a computer. If your company changes, you can add or remove users or systems from your groups.

Use Policy Manager to:
• Add, change, or delete the groups in the configuration
• Add or change the users in a group

About Firebox authentication

You can configure the Firebox to authenticate users for three different types of authentication:
• Firewall authentication
• PPTP connections
• MUVPN connections

When the authentication is successful, the Firebox makes a mapping between these items:
• User name
• Firebox User group (or groups) of which the user is a member
• IP address on the user’s computer when the user authenticates

User Guide 123
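The backup-server cycle described under "Using a backup authentication server" (three attempts on the primary, fail over to the backup, wait ten minutes, start over), as an added Python model that is not part of the guide or of Fireware. The connect and sleep functions are injected so the cycle can be simulated offline; a single attempt at the backup and the max_cycles bound are assumptions the guide does not state.

```python
from typing import Callable, List, Tuple

PRIMARY_ATTEMPTS = 3        # guide: the primary is tried three times before failover
BACKUP_WAIT_SECONDS = 600   # guide: wait ten minutes before returning to the primary


def select_auth_server(
    connect: Callable[[str], bool],
    sleep: Callable[[int], None],
    primary: str = "primary",
    backup: str = "backup",
    max_cycles: int = 10,
) -> Tuple[str, List[str]]:
    """Return (server_that_answered, trace) following the guide's failover cycle.

    connect(server) returns True when a connection succeeds; sleep(seconds)
    is injected so tests do not really wait. max_cycles is an added safety
    bound: the guide says the real cycle continues until a server answers.
    """
    trace: List[str] = []
    for _ in range(max_cycles):
        # Up to three attempts against the primary server.
        for _ in range(PRIMARY_ATTEMPTS):
            trace.append(primary)
            if connect(primary):
                return primary, trace
        # Assumption: one attempt against the backup (count not given in the guide).
        trace.append(backup)
        if connect(backup):
            return backup, trace
        # Both unreachable: wait ten minutes, then start again with the primary.
        trace.append(f"sleep:{BACKUP_WAIT_SECONDS}")
        sleep(BACKUP_WAIT_SECONDS)
    raise RuntimeError("no authentication server reachable within max_cycles")


def scripted_connect(outcomes: List[bool]) -> Callable[[str], bool]:
    """Build a connect() whose results come from a fixed list (constructed test data)."""
    it = iter(outcomes)
    return lambda server: next(it)
```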
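The mapping listed under "About Firebox authentication" (user name, Firebox User groups, IP address at authentication time) and how a policy that names users or groups uses it, as an added Python model that is not Fireware's own code. The "user:" and "group:" member notation, keying sessions by IP, and replacing an IP's session on a new login are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class AuthSession:
    """The three items the guide says the Firebox maps together after a successful login."""
    user: str
    groups: FrozenSet[str]
    ip: str  # address of the user's computer at the moment of authentication


class AuthTable:
    """Illustrative model of the authentication mapping (assumption, not Fireware's code).

    Sessions are keyed by IP address because that is all a later packet carries.
    Assumption: a new login from an IP replaces whatever identity was bound to it,
    so a shared or NAT'd address can only ever carry one identity at a time.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, AuthSession] = {}

    def login(self, user: str, groups: Set[str], ip: str) -> AuthSession:
        session = AuthSession(user, frozenset(groups), ip)
        self._sessions[ip] = session
        return session

    def logout(self, ip: str) -> None:
        self._sessions.pop(ip, None)

    def lookup(self, ip: str) -> Optional[AuthSession]:
        return self._sessions.get(ip)

    def permits(self, src_ip: str, policy_members: Set[str]) -> bool:
        """True when the identity authenticated from src_ip is named in the policy.

        policy_members holds 'user:<name>' and 'group:<name>' entries (constructed
        notation). A source with no session never matches, whatever the policy says.
        """
        session = self.lookup(src_ip)
        if session is None:
            return False
        if f"user:{session.user}" in policy_members:
            return True
        return any(f"group:{g}" in policy_members for g in session.groups)
```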