WatchGuard Firebox System 4.6 User Guide
From Policy Manager:
1 Select Network => Branch Office VPN => Basic DVCP.
2 Select the tunnel policy. Click Edit.
  The DVCP Client Wizard opens and displays the tunnel properties.
3 Use the Next and Back buttons to move through the DVCP Client Wizard and reconfigure tunnel properties. When complete, click Finish.
4 Save the configuration file to the Firebox.
  The next time the client contacts the server, it will automatically note the tunnel policy change and download the modifications. If the network address range on a client has changed, the client automatically restarts.

Removing a tunnel to a device

When a tunnel is removed, the DVCP client can no longer communicate with the server. The next time the DVCP client tries to contact the server, contact will be denied. If these settings were never manually configured, the client will use 192.168.111.0/24 as the DHCP network range.

From Policy Manager:
1 Select Network => Branch Office VPN => Basic DVCP.
2 Select the tunnel policy. Click Remove.
  The policy is removed from the DVCP Configuration dialog box.

Defining a Firebox as an Enhanced DVCP Client

If a Firebox is part of a DVCP VPN setup, enable it as a client and configure its settings.

From Policy Manager:
1 Select Network => Enhanced DVCP Client.
2 Enable the Enable this Firebox as a DVCP Client checkbox.
3 In the Firebox Name field, specify the name of the Firebox.
4 To log messages for the DVCP client, enable the Enable debug log messages for the DVCP Client checkbox.
5 To add DVCP servers that the client can communicate with, click Add.
6 Enter the IP address. Enter the shared secret. Click OK.

Branch office VPN with IPSec

IPSec is a protocol that encrypts and/or authenticates traffic at the IP level between any mix of arbitrary hosts and security gateways.
For more information about IPSec and how WatchGuard implements branch office VPN with IPSec, see the Network Security Handbook.

• Determine the tunnel and policy endpoints
• Select an encryption method
• Select an authentication method

124
From Policy Manager:
• Select Network => Branch Office VPN => IPSec.

Configuring a gateway

A gateway specifies endpoints for one or more tunnels. The standard specified for a gateway, such as isakmp automated key negotiation, becomes the standard for tunnels created with the gateway.

Adding a gateway

From the IPSec Configuration dialog box:
1 Click Gateways.
2 To add a gateway, click Add.
3 Enter the gateway name.
  This name identifies a gateway only within Policy Manager.
4 Use the Key Negotiation Type drop list to select either isakmp (dynamic) or Manual.
  For more information, see “Configuring a tunnel with dynamic security” on page 127 and “Configuring a tunnel with manual security” on page 125.
5 In the Remote Gateway IP field, enter the IP address of the Firebox (or other IPSec-compliant host) at the other end of the gateway.
6 Enter the shared key.
  The Shared Key field is available only for ISAKMP-negotiated gateways. The same key must be entered at the remote gateway.
7 Click OK.
  The Configure Gateways dialog box appears listing the newly configured gateway. Repeat the Add Gateway procedure to add additional gateways.
8 When you finish adding gateways, click OK to return to the IPSec Configuration dialog box.

Editing a gateway

From the Configure Gateways dialog box:
1 Click the gateway. Click Edit.
  The IPSec Gateway dialog box appears.
2 Make changes according to your security policy preferences.
3 Click OK.

Removing a gateway

From the Configure Gateways dialog box:
1 Click the gateway.
2 Click Remove.

Configuring a tunnel with manual security

A tunnel encapsulates packets between two gateways. It specifies encryption type and/or authentication method. A tunnel also specifies endpoints. The following

User Guide 125