WatchGuard Firebox System 4.6 User Guide
Branch office VPN with IPSec

be accepted. Policies are defined by their endpoints. These are not the same as tunnel or gateway endpoints; they are the specific hosts or networks attached to the tunnel’s Fireboxes (or other IPSec-compliant device) that communicate through the tunnel.

From the IPSec Configuration dialog box:

1 Click Add.
2 Use the Local drop list to select the tunnel type of the IP address behind the local Firebox.
  The tunnel type can be an entire network or a single host.
3 Enter the IP or network address in slash notation for the local host or network.
4 Use the Remote drop list to select the tunnel type of the IP address behind the remote Firebox or IPSec-compliant device.
5 Enter the IP address or network address in slash notation for the remote host or network.
6 Use the Disposition drop list to select what IPSec does with traffic that matches the policy:
  Secure
    IPSec encrypts all traffic that matches the rule in associated tunnel policies.
  Block
    IPSec does not allow traffic that matches the rule in associated tunnel policies.
  Bypass
    IPSec does not encrypt traffic that matches the rule in associated tunnel policies; it passes outside the tunnel. You cannot bypass a policy that has a network at either endpoint.
  For every tunnel created to a dropped-in device, you must create a host policy for both sides’ external IP addresses with protection set to Bypass. Otherwise, traffic to and from the dropped-in device’s external IP address will conflict with any network policy associated with the VPN.
7 If you chose Secure as your disposition, use the Tunnel drop list to select a configured tunnel.
  To configure a new tunnel, see “Configuring a tunnel with manual security” on page 125 or “Configuring a tunnel with dynamic security” on page 127. To display additional information about the selected tunnel, click More.
8 In the Dst Port field, enter the remote host port.
  The remote host port number is optional and is the port to which WatchGuard sends communication for the policy. To enable communication to all ports, enter 0.
9 Use the Protocol drop list to limit the protocol used by the policy.
  Options include: * (specify ports but not protocol), TCP, and UDP.
10 In the Src Port field, enter the local host port.
  The local host port number is optional and is the port from which WatchGuard sends all communication for the policy. To enable communication from all ports, enter 0.
11 Click OK.
  The IPSec Configuration dialog box appears listing the newly created policy. Policies are initially listed in the order in which they were created.

Changing IPSec policy order

WatchGuard handles policies in the order listed, from top to bottom, on the IPSec Configuration dialog box; the first policy that matches a connection is the one applied. Initially, the policies are listed in the order created. You must manually reorder the policies from more specific to less specific to ensure that sensitive connections are routed along the higher-security tunnels. In general, WatchGuard recommends the following policy order:

• Host to host
• Host to network
• Network to host
• Network to network

Policies must be set to the same order at both ends of the tunnel. For more information about IPSec policy order, see the Network Security Handbook.

From the IPSec Configuration dialog box:

• To move a policy up in the list, click the policy. Click Move Up.
• To move a policy down in the list, click the policy. Click Move Down.

128

Configuring services for branch office VPN with IPSec

Users on the remote Firebox are technically outside the trusted network; you must therefore configure the Firebox to allow traffic through the VPN connection. A quick method is to create a host alias corresponding to the VPN remote networks and hosts. Then, use either the host alias or individually enter the remote VPN networks and hosts when configuring the following service properties:

Incoming
• Enabled and Allowed
• From: Remote VPN network, hosts, or host alias
• To: trusted or selected hosts

Outgoing
• Enabled and Allowed
• From: trusted network or selected hosts
• To: Remote VPN network, hosts, or host alias

For more information, see “Defining service properties” on page 49, and “Adding a host alias” on page 86.

Allow VPN access to any services

To allow all traffic from VPN connections, add the Any service to the Services Arena and configure it as described above.

Allow VPN access to selective services

To allow traffic from VPN connections only for specific services, add each service to the Services Arena and configure each as described above.

Access control is a critical part of configuring a secure VPN environment. If machines on the branch office VPN network are compromised, attackers obtain a secure tunnel to the trusted network. Prefer the selective approach: a compromised branch host then reaches only the services you listed, not the whole trusted network.

User Guide 129
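The policy fields from the steps above and the first-match evaluation described under “Changing IPSec policy order”, as an added Python example. This is not WatchGuard code, and the Firebox has no scripting interface like this; it models the dialog’s policy list so you can see why the recommended order matters before entering policies on a real device. The tunnel names (finance_tunnel, branch_tunnel), the 10.1.0.0/24 and 10.2.0.0/24 networks, TCP/1433, and the scenario in which both Fireboxes are dropped in (so each external address lies inside the network it protects) are all assumptions made for the example.

```python
"""Added example: first-match evaluation of Firebox 4.6 IPSec policies (not WatchGuard code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

SECURE, BLOCK, BYPASS = "Secure", "Block", "Bypass"


def _is_host(cidr: str) -> bool:
    """A /32 (or /128) endpoint is a host; anything wider is a network."""
    return ip_network(cidr).num_addresses == 1


@dataclass(frozen=True)
class Policy:
    local: str                    # endpoint behind the local Firebox, slash notation
    remote: str                   # endpoint behind the remote device, slash notation
    disposition: str              # Secure, Block or Bypass
    tunnel: Optional[str] = None  # configured tunnel name, required when Secure
    dst_port: int = 0             # remote host port, 0 = all ports
    src_port: int = 0             # local host port, 0 = all ports
    protocol: str = "*"           # "*" (ports but no protocol), "TCP" or "UDP"

    def __post_init__(self) -> None:
        if self.disposition not in (SECURE, BLOCK, BYPASS):
            raise ValueError(f"unknown disposition {self.disposition!r}")
        if self.disposition == SECURE and not self.tunnel:
            raise ValueError("a Secure policy must name a configured tunnel")
        # Guide: you cannot bypass a policy that has a network at either endpoint.
        if self.disposition == BYPASS and not (_is_host(self.local) and _is_host(self.remote)):
            raise ValueError("Bypass is only allowed for host-to-host policies")

    def matches(self, src: str, dst: str, proto: str, sport: int, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.local)
                and ip_address(dst) in ip_network(self.remote)
                and self.protocol in ("*", proto)
                and self.src_port in (0, sport)
                and self.dst_port in (0, dport))

    def mirrored(self) -> "Policy":
        """The same policy as it has to be entered at the other end of the tunnel."""
        return Policy(self.remote, self.local, self.disposition, self.tunnel,
                      dst_port=self.src_port, src_port=self.dst_port, protocol=self.protocol)


def first_match(policies: List[Policy], src: str, dst: str,
                proto: str = "TCP", sport: int = 0, dport: int = 0) -> Optional[Policy]:
    """Top-to-bottom evaluation, the way the Firebox walks the dialog's list."""
    for p in policies:
        if p.matches(src, dst, proto, sport, dport):
            return p
    return None  # no policy matched: IPSec does not handle this traffic


def recommended_order(policies: List[Policy]) -> List[Policy]:
    """Guide's order: host-to-host, host-to-network, network-to-host, network-to-network;
    within one class the longer prefix (more specific) goes first."""
    def key(p: Policy):
        return (not _is_host(p.local), not _is_host(p.remote),
                -ip_network(p.local).prefixlen, -ip_network(p.remote).prefixlen)
    return sorted(policies, key=key)  # sorted() is stable: ties keep creation order


def _shape(p: Policy):
    # Tunnel names are local to each Firebox, so compare everything else.
    return (p.local, p.remote, p.disposition, p.src_port, p.dst_port, p.protocol)


def same_order_both_ends(local: List[Policy], remote: List[Policy]) -> bool:
    """True when the remote list is the local list mirrored, entry for entry, in order."""
    return [_shape(p.mirrored()) for p in local] == [_shape(p) for p in remote]


# Constructed scenario (assumed, not from the guide): both Fireboxes are dropped in,
# so each external interface address lies inside the network it protects.
HQ_NET, HQ_EXT = "10.1.0.0/24", "10.1.0.1/32"
BRANCH_NET, BRANCH_EXT = "10.2.0.0/24", "10.2.0.1/32"

AS_CREATED = [  # the order an administrator might have clicked Add in
    Policy(HQ_NET, BRANCH_NET, SECURE, tunnel="branch_tunnel"),
    Policy("10.1.0.5/32", "10.2.0.7/32", SECURE, tunnel="finance_tunnel",
           dst_port=1433, protocol="TCP"),
    Policy(HQ_EXT, BRANCH_EXT, BYPASS),  # required for a dropped-in device
]


def demo() -> Dict[str, object]:
    rec = recommended_order(AS_CREATED)
    try:
        Policy(HQ_NET, BRANCH_EXT, BYPASS)  # network endpoint: must be refused
        network_bypass = "accepted"
    except ValueError:
        network_bypass = "rejected"
    return {
        # finance host to finance host on TCP/1433
        "finance_as_created": first_match(AS_CREATED, "10.1.0.5", "10.2.0.7", "TCP", 0, 1433).tunnel,
        "finance_recommended": first_match(rec, "10.1.0.5", "10.2.0.7", "TCP", 0, 1433).tunnel,
        # the gateways' own packets (e.g. IKE on UDP/500) must hit the Bypass entry
        "gateway_as_created": first_match(AS_CREATED, "10.1.0.1", "10.2.0.1", "UDP", 500, 500).disposition,
        "gateway_recommended": first_match(rec, "10.1.0.1", "10.2.0.1", "UDP", 500, 500).disposition,
        "network_bypass": network_bypass,
        "mirror_ok": same_order_both_ends(rec, [p.mirrored() for p in rec]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In creation order the network-to-network policy sits first and swallows both the finance host pair (which ends up on branch_tunnel instead of finance_tunnel) and the two gateways’ own packets (which get a Secure disposition instead of Bypass). After recommended_order() the host-to-host entries come first and each connection reaches the policy meant for it; same_order_both_ends() is the check to run against the list entered on the other Firebox, since the guide requires both ends to use the same order.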