WSM User Guide - WatchGuard Technologies
Using Global Settings

Enable TOS for IPSec

The Type of Service (TOS) bits are a set of four-bit flags in the IP header that can tell routing devices to give an IP datagram more or less priority than other datagrams. Fireware® gives you the option to allow IPSec tunnels to pass TOS-flagged packets. Some ISPs drop all packets that have TOS flags set.

If you do not select the Enable TOS for IPSec check box, all IPSec packets have no TOS bits set. If the TOS bits were set before, when Fireware encapsulates the packet in an IPSec header, the TOS bits are cleared.

When the Enable TOS for IPSec check box is selected, if the original packet has TOS bits set, Fireware keeps the TOS bits set when it encapsulates the packet in an IPSec header. If the original packet does not have the TOS bits set, Fireware does not set the TOS bits when it encapsulates the packet in an IPSec header.

ICMP error handling

Internet Control Message Protocol (ICMP) controls errors during connections. It is used for two types of operations:
• To tell client hosts about error conditions.
• To probe a network to find general characteristics about the network.

The Firebox sends an ICMP error message each time an event occurs that matches one of the parameters you selected. If you deny these ICMP messages, you can increase security by preventing network probes, but it can also cause time-out delays for incomplete connections and can cause application problems.
The global ICMP error handling parameters and their descriptions are:

Fragmentation Req (PMTU)
The IP datagram must be fragmented, but this is prevented because the Don’t Fragment bit in the IP header is set.

Time Exceeded
The datagram was dropped because the Time to Live field expired.

Network Unreachable
The datagram could not get to the network.

Host Unreachable
The datagram could not get to the host.

Port Unreachable
The datagram could not get to the port.

Protocol Unreachable
The protocol piece of the datagram cannot be delivered.

TCP SYN checking

The global TCP SYN checking setting is:

Enable TCP SYN checking
This feature makes sure that the TCP three-way handshake is done before the Firebox allows a data connection.
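The encapsulation rule from the Enable TOS for IPSec section above, as an added example (not WatchGuard's or Fireware's code): an inner IPv4 packet is wrapped in a tunnel-mode outer header, and the outer TOS byte is either copied from the inner header or cleared, depending on the setting. The addresses, SPI and ESP header are constructed placeholders, and encryption and the ICV are omitted.

```python
import struct
from ipaddress import IPv4Address

ESP = 50  # IP protocol number carried in the outer header of an ESP tunnel


def ipv4_checksum(hdr20):
    """RFC 791 one's-complement checksum, with the checksum field taken as zero."""
    s = sum(struct.unpack("!10H", hdr20[:10] + b"\x00\x00" + hdr20[12:20]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(tos, proto, src, dst, payload, ttl=64):
    """Minimal IPv4 packet: 20-byte header without options, then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0x4000,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def header_checksum_ok(pkt):
    return ipv4_checksum(pkt[:20]) == struct.unpack("!H", pkt[10:12])[0]


def encapsulate_ipsec(inner_pkt, tunnel_src, tunnel_dst, enable_tos, spi=0x1000, seq=1):
    """Tunnel-mode encapsulation following the Enable TOS for IPSec rule:
    the outer TOS byte is a copy of the inner one when the box is checked
    and zero when it is not; the inner header itself is never modified.
    ESP is modelled as SPI + sequence number over the inner packet
    (constructed placeholder; encryption and the ICV are omitted)."""
    inner_tos = inner_pkt[1]                # second byte of the IPv4 header
    outer_tos = inner_tos if enable_tos else 0
    esp = struct.pack("!II", spi, seq) + inner_pkt
    return build_ipv4(outer_tos, ESP, tunnel_src, tunnel_dst, esp)


def tos_bytes(outer_pkt):
    """Return (outer TOS, inner TOS) of an encapsulated packet for inspection."""
    inner = outer_pkt[28:]                  # 20-byte outer header + 8-byte ESP header
    return outer_pkt[1], inner[1]
```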
TCP maximum segment size adjustment

The TCP segment can be set to a specified size for a connection that must have more TCP/IP layer 3 overhead (like PPPoE, ESP, AH, and so on). If this size is not correctly configured, users cannot get access to some web sites. The global TCP maximum segment size adjustment settings are:

Auto Adjustment
The Firebox examines all maximum segment size (MSS) negotiations and changes the MSS value to the applicable one.

No Adjustment
The Firebox does not change the MSS.

Limit to
You set a size adjustment limit.

Authentication settings

The global authentication setting is:

Idle Timeout
Set the authentication idle time-out in minutes. An authenticated user session stops automatically if the user does not make a connection that uses authentication before the timeout occurs.

Creating Schedules

You can use schedules to automate some Firebox® actions such as WebBlocker tasks. You can create a schedule for all days of the week, or create a different schedule for each day of the week. You can then use these schedules in policies that you create. For information on how to use schedules in policies, see the “Configuring Policies” chapter.

1 From Policy Manager, select Setup > Actions > Schedules.
The Schedules dialog box appears.
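The two TCP global settings described above, Enable TCP SYN checking and TCP maximum segment size adjustment, modelled as an added example (not WatchGuard's or Fireware's code). The connection id passed to the SYN checker and the reading of Auto Adjustment as "link MTU minus IP/TCP headers and the extra per-packet overhead" are my assumptions; the TCP checksum is not recomputed after the rewrite.

```python
import struct

SYN, ACK = 0x02, 0x10   # TCP flag bits in the low byte of offset/flags
MSS_KIND = 2            # TCP option kind: Maximum Segment Size

class SynChecker:
    """Forward data only on connections whose three-way handshake was seen."""
    def __init__(self):
        self.state = {}  # conn id (direction-independent, chosen by caller) -> state

    def inspect(self, conn, flags):
        st = self.state.get(conn)
        if flags & SYN and not flags & ACK:
            self.state[conn] = "SYN_SENT"        # handshake step 1
            return "allow"
        if flags & SYN and flags & ACK and st == "SYN_SENT":
            self.state[conn] = "ESTABLISHED"     # step 2; data may now follow
            return "allow"
        if st == "ESTABLISHED":
            return "allow"
        return "drop"   # ACK, RST or data with no handshake on record

def adjust_mss(tcp_hdr, mode, limit=0, mtu=1500, overhead=0):
    """Rewrite the MSS option of a SYN per the three settings: "auto" clamps to
    mtu - 40 (IP+TCP) - extra overhead such as PPPoE (8) or ESP (assumed meaning
    of "applicable"); "limit" clamps to the configured limit; "none" leaves it.
    Returns (header bytes, advertised MSS or None). Checksum is not recomputed."""
    hdr = bytearray(tcp_hdr)
    hdr_len = min((hdr[12] >> 4) * 4, len(hdr))
    i = 20
    while i < hdr_len:
        kind = hdr[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # NOP padding: one byte, no length field
            i += 1
            continue
        length = hdr[i + 1]
        if length < 2:                # malformed option, stop parsing
            break
        if kind == MSS_KIND and length == 4:
            mss = struct.unpack("!H", hdr[i + 2:i + 4])[0]
            if mode == "auto":
                mss = min(mss, mtu - 40 - overhead)
            elif mode == "limit":
                mss = min(mss, limit)
            struct.pack_into("!H", hdr, i + 2, mss)
            return bytes(hdr), mss
        i += length
    return bytes(hdr), None
```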