WatchGuard Firebox System 4.6 User Guide

More documents

Recommendations

Info

Branch office VPN with IPSecdescribes how to configure a tunnel using a gateway with the manual key negotiationtype. From the IPSec configuration dialog box:1 Click Tunnels.2 To add a new tunnel, click Add.3 Click a gateway with manual key negotiation type to associate with this tunnel.Click OK.4 Type a tunnel name.Policy Manager uses the tunnel name as an identifier.5 Click the Manual Security tab.6 Click Settings.7 Click either the ESP or AH security method option. Configure the chosen securitymethod.For more information, see “Using Encapsulated Security Protocol (ESP)” on page 126 and“Using Authenticated Headers (AH)” on page 126.8 To use the same settings for both incoming and outgoing traffic, enable the UseIncoming Settings for Outgoing checkbox.If you enable this checkbox, you are done with the Security Association Setup dialog box and canproceed to the next step. If you clear this checkbox, click the Outgoing tab and configure thesecurity associations for outgoing traffic. The fields have the same rules and parameter ranges asthe Incoming tab.9 Click OK.The Configure Tunnels dialog box appears displaying the newly created tunnel. Repeat the tunnelcreation procedure until you have created all tunnels for this particular gateway.10 After you add all tunnels for this gateway, click OK.The Configure Gateways dialog box appears.11 To configure more tunnels for another gateway, click Tunnels. Select a newgateway and repeat the tunnel creation procedure for that gateway.12 When all the tunnels are created, click OK.Using Encapsulated Security Protocol (ESP)1 Type or use the SPI scroll control to identify the Security Parameter Index (SPI).You must select a number between 257 and 1023.2 Use the Encryption drop list to select an encryption method.Options include: None (no encryption), DES-CBC (56-bit), and 3DES-CBC (168-bit).3 Click Key.4 Type a passphrase. Click OK.The passphrase appears in the Encryption Key field. You cannot enter a key here directly.5 Use the Authentication drop list to select an authentication method.Options include: None (no authentication), MD5-HMAC (128-bit algorithm), or SHA1-HMAC(160-bit algorithm).6 Click Key. Enter a passphrase. Click OK.The passphrase appears in the Authentication Key field. You cannot enter a key here directly.Using Authenticated Headers (AH)1 Type or use the SPI scroll control to identify the Security Parameter Index (SPI).You must select a number between 257 and 1023.126
Branch office VPN with IPSec2 Use the Authentication drop list to select an authentication method.Options include: None (no authentication), MD5-HMAC (128-bit algorithm), or SHA1-HMAC(160-bit algorithm).3 Click Key. Enter a passphrase. Click OK.The passphrase appears in the Authentication Key field. You cannot enter a key here directly.If there are Fireboxes at both ends of the tunnel, the remote administratorcan also enter the encryption and authentication passphrases. If the remotefirewall host is an IPSec-compliant device of other manufacture, the remotesystem administrator must enter the literal keys displayed in the SecurityAssociation Setup dialog box when setting up the remote IPSec-compliantdevice.Configuring a tunnel with dynamic securityA tunnel encapsulates packets between two gateways. It specifies encryption typeand/or authentication method. A tunnel also specifies endpoints. The followingdescribes how to configure a tunnel using a gateway with the isakmp (dynamic) keynegotiation type. From the IPSec configuration dialog box:1 Click Tunnels.2 To add a new tunnel, click Add.3 Click a gateway with isakmp (dynamic) key negotiation type to associate with thistunnel. Click OK.4 Type a tunnel name.Policy Manager uses the tunnel name as an identifier.5 Click the Dynamic Security tab.6 Use the Type drop list to select a Security Association Proposal (SAP) type.Options include: Encapsulated Security Payload (ESP) or Authenticated Headers (AH).7 Use the Authentication drop list to select an authentication method.Options include: None (no authentication), MD5-HMAC (128-bit algorithm), and SHA1-HMAC(160-bit authentication algorithm).8 Use the Encryption drop list to select an encryption method.Options include: None (no encryption), DES-CBC (56-bit), and 3DES-CBC (168-bit encryption).9 To have a new key generated periodically, enable the Force Key Expirationcheckbox.With this option, transparent to the user, the ISAKMP controller generates and negotiates a newkey for the session. For no key expiration, enter 0 (zero) here. If you enable the Force keyexpiration checkbox, set the number of kilobytes transferred or hours passed in the session beforea new key is generated for continuation of the VPN session.10 Click OK.The Configure Tunnels dialog box appears displaying the newly created tunnel. Repeat the tunnelcreation procedure until you have created all tunnels for this particular gateway.11 After you add all tunnels for this gateway, click OK.The Configure Gateways dialog box appears.12 To configure more tunnels for another gateway, click Tunnels. Select a newgateway and repeat the tunnel creation procedure for that gateway.13 When all the tunnels are created, click OK.Creating an IPSec policyPolicies are sets of rules, much like packet filter rules, for defining how outgoingIPSec packets are built and sent and determining whether incoming IPSec packets canUser Guide 127
Page 1 and 2:
WatchGuard ®Firebox SystemUser Gu
Page 3 and 4:
condition that you accept all of th
Page 5:
Declaration of ConformityWatchGuard
Page 8 and 9:
Resetting Firebox passphrases .....
Page 10 and 11:
CHAPTER 15 Reviewing and Working wi
Page 12 and 13:
WatchGuard Firebox System component
Page 14 and 15:
Minimum requirementsHardware requir
Page 17 and 18:
CHAPTER 1LiveSecurity ServiceNo Int
Page 19 and 20:
LiveSecurity broadcasts• The Lice
Page 21 and 22:
CHAPTER 2Technical SupportDevelopin
Page 23 and 24:
TrainingAfter you enter your LiveSe
Page 25 and 26:
Online Help• On any platform, bro
Page 27 and 28:
CHAPTER 3WatchGuard OptionsThe Watc
Page 29 and 30:
PART IIIConfiguring a SecurityPolic
Page 31 and 32:
CHAPTER 4Firebox BasicsThis chapter
Page 33 and 34:
Opening a configuration fileOpening
Page 35 and 36:
Setting the time zone• Use a comb
Page 37 and 38:
CHAPTER 5Using the WatchGuardContro
Page 39 and 40:
Control Center componentsThe first
Page 41 and 42:
Policy ManagerManipulating the Traf
Page 43 and 44:
Historical ReportsHistorical Report
Page 45 and 46:
CHAPTER 6Configuring a NetworkConfi
Page 47 and 48:
Setting up a routed network• All
Page 49 and 50:
Defining a host routeDefining a hos
Page 51 and 52:
Defining a Firebox as a DHCP server
Page 53 and 54:
CHAPTER 7Blocking Sites and PortsMa
Page 55 and 56:
Blocking a port permanently3 In the
Page 57 and 58:
CHAPTER 8Configuring ServicesThe Se
Page 59 and 60:
Defining service properties8 In the
Page 61 and 62:
Modifying a serviceThe following ex
Page 63 and 64:
Setting up proxy servicesSelecting
Page 65 and 66:
Setting up proxy servicesand transm
Page 67 and 68:
Service precedencecheck. In the lat
Page 69 and 70:
CHAPTER 9Controlling Web TrafficWeb
Page 71 and 72:
Configuring the WebBlocker serviceP
Page 73 and 74:
CHAPTER 10Setting Up NetworkAddress
Page 75 and 76:
Using service-based NATUsing servic
Page 77 and 78:
Configuring a service for incoming
Page 79 and 80:
CHAPTER 11Setting Up Logging andNot
Page 81 and 82:
Designating Event Processors for a
Page 83 and 84:
Setting up the LiveSecurity Event P
Page 85 and 86: Setting global logging and notifica
Page 87 and 88: Customizing logging and notificatio
Page 89 and 90: CHAPTER 12Connect with Out-of-Band
Page 91 and 92: Configuring the Firebox for OOB5 En
Page 93: PART IVAdministering a SecurityPoli
Page 96 and 97: Using host aliasesAdding a host ali
Page 98 and 99: Configuring Firebox authenticationC
Page 100 and 101: Configuring CRYPTOCard server authe
Page 102 and 103: Using authentication to define remo
Page 104 and 105: Firebox MonitorsSetting Firebox Mon
Page 106 and 107: Firebox MonitorsLogging optionsLogg
Page 108 and 109: HostWatchARP tableA snapshot of the
Page 110 and 111: HostWatch6 To change playback prope
Page 112 and 113: HostWatch102
Page 114 and 115: Viewing files with LogViewer2 Confi
Page 116 and 117: Working with log filesIP header len
Page 118 and 119: Working with log files108
Page 120 and 121: Specifying report sectionsCreating
Page 122 and 123: Exporting reports6 Enter the number
Page 124 and 125: Scheduling and running reportsDelet
Page 126 and 127: Report sections and consolidated se
Page 128 and 129: Report sections and consolidated se
Page 130 and 131: 120
Page 132 and 133: Using DVCP to connect to devices•
Page 134 and 135: Branch office VPN with IPSecFrom Po
Page 138 and 139: Branch office VPN with IPSecbe acce
Page 140 and 141: Configuring WatchGuard VPNConfiguri
Page 142 and 143: Configuring WatchGuard VPN• Watch
Page 144 and 145: Configuring shared servers for RUVP
Page 146 and 147: Configuring the Firebox for Remote
Page 148 and 149: Configuring the Firebox for Mobile
Page 150 and 151: Configuring debugging optionsA prom
Page 152 and 153: Preparing the client computers• P
Page 154 and 155: Preparing the client computers10 Cl
Page 156 and 157: Using Remote User PPTPInstalling a
Page 158 and 159: Configuring debugging options148
Page 160 and 161: CChangingan interface IP address 39
Page 162 and 163: monitors 2, 32, 93BandwidthMeter 94
Page 164 and 165: for blocked sites 44global preferen
Page 166 and 167: pull-down menus 32services arena 32
Page 168 and 169: introduction 37Routes 97network con
Page 170: manager 17mobile user 18multiple-bo
show all

WatchGuard Firebox System 4.6 User Guide

Create successful ePaper yourself

Delete template?

Save as template?