WSM User Guide - WatchGuard Technologies
Configuring Policy Properties

Setting advanced properties

You use the Advanced tab of the Edit Policy Properties dialog box to set a policy schedule, implement Quality of Service (QoS) settings, apply NAT rules, configure ICMP error handling for this policy, and set a custom idle time-out.

Setting a schedule

You can set an operating schedule for the policy. You can use the schedule templates in the Schedule drop-down list or create a custom schedule. For information, see the “Basic Configuration Setup” chapter in this guide.

Note that schedules can be shared by more than one policy.

Applying a Quality of Service (QoS) action

If you have Fireware® Pro on your Firebox, you can assign a Quality of Service action to the policy. Use the button on the far right to create a new QoS action. After you create a new QoS action, it appears in the QoS drop-down list. For more information, see “Creating QoS Actions” on page 323.

Note that these actions can be shared by more than one policy.

Applying NAT rules

You can apply Network Address Translation (NAT) rules to a policy:

1-to-1 NAT
With this type of NAT, the Firebox uses private and public IP ranges that you set, as described in “Using 1-to-1 NAT” on page 116.

Dynamic NAT
With this type of NAT, the Firebox maps private IP addresses to public IP addresses. Select Use Network NAT Settings if you want to use the dynamic NAT rules set for the Firebox. Select All traffic in this policy if you want to apply NAT to all traffic in this policy.
You also have the option to set a dynamic NAT source IP address for any policy that uses dynamic NAT. This makes sure that any traffic that uses this policy shows a specified address from your public or external IP address range as the source. You would most often do this to force outgoing SMTP traffic to show your domain’s MX record address when the IP address on the Firebox’s external interface is not the same as your MX record IP address.

1-to-1 NAT rules have higher precedence than dynamic NAT rules.

Note: If you use multi-WAN, you cannot use the Set Source IP option. Use this option only when your Firebox uses a single external interface.

Setting ICMP error handling

You can set the ICMP error handling settings associated with the policy. From the drop-down list, select:

Use global setting
Use the global ICMP error handling setting set for the Firebox. For information on this global setting, see “ICMP error handling” on page 76.

Specify setting
Configure a parameter that overrides the global setting. Click ICMP Setting. From the ICMP Error Handling Settings dialog box, select the check boxes to configure individual settings. For information on these settings, see “ICMP error handling” on page 76.

Setting a custom idle time-out

To set an idle time-out, click Specify Custom Idle Timeout and click the arrows to set the number of seconds before time-out. This setting overrides the idle time-out of the policy.

Setting Policy Precedence

Precedence is the sequence in which the Firebox® examines network traffic and applies a policy rule. The Firebox routes the traffic that uses the rules for the first policy that the traffic matches. Fireware® Policy Manager automatically sorts policies from the most detailed to the most general. You can also manually set the precedence.

Using automatic order

Fireware Policy Manager automatically sorts policies from the most detailed to the most general. Each time you add a policy, Policy Manager compares the new rule with all the rules in your configuration file. To set the precedence, Policy Manager uses these criteria:

1 Protocols set for the policy type