WatchGuard Firebox System 4.6 User Guide


Configuring WatchGuard VPN

Use WatchGuard VPN to implement branch office VPN between two Fireboxes. WatchGuard VPN uses UDP port 4104.

WatchGuard VPN offers 40-bit encryption. WatchGuard VPN with 128-bit encryption can be used when both ends of the tunnel are licensed for enhanced encryption. Other encryption standards are available (128-bit DES and 3-DES).

WatchGuard VPN configuration models

There are two models for configuring WatchGuard VPN:

Two-box configuration
Connect two networks over the Internet using two Fireboxes.

Multiple box configuration
Connect one central Firebox to multiple remote networks over the Internet.
- Add multiple VPN configurations to the central Firebox, and configure remote Fireboxes accordingly.
- Make sure that passphrases are unique to a single VPN connection.
- On the central Firebox, use the same IP address for multiple remote Fireboxes. However, the address can not be used for another purpose on either the central or remote networks.

Setting up WatchGuard VPN

From Policy Manager:

1 Select Network => Branch Office VPN => WatchGuard VPN.
2 To set up a branch office, click Add.
3 In the Remote Firebox IP field, enter the IP address of the External interface of the remote Firebox.
4 In the Local Firebox IP field, enter an IP address from a reserved network not in use on the local or remote networks.
More information on reserved networks can be found in RFC 1918. You can use the same local VPN IP address for multiple VPN connections when specifying more than one—for example, when there are several branch offices connecting to a central office.
5 In the text box to the left of the Add button, enter the IP address in slash notation of any remote network to which access should be granted from the local Firebox. Click Add.
The remote Firebox must reciprocate by adding the local networks in its Remote Networks box. Because WatchGuard VPN is a peer-to-peer situation, each Firebox must have the other’s network listed.
6 Click the Encryption tab.
7 Under Encryption, select the number of bits used to encrypt the tunnel.
The greater the number of bits, the stronger the encryption.

8 Enter the encryption key. Click Make Key.
WatchGuard hashes the encryption key and then displays a key in the bottom panel. The hashed key must be identical on both Fireboxes. If you are running different versions of WatchGuard Security System software, verify that the hashes match exactly on the two Fireboxes.
9 Click the Options tab.
10 Enable the Activate WatchGuard VPN checkbox.
11 To automatically block sites when the source fails to properly connect to the Firebox, enable the Add Source to Blocked List When Denied checkbox.
12 Enable Logging options according to your security policy preferences.
Activating logging often generates a high volume of log entries, significantly slowing the passage of VPN traffic. WatchGuard recommends logging only for debugging purposes.

Changing remote network entries

You cannot edit a remote network entry. You must remove the original and add the new remote network address. From the WatchGuard VPN Setup dialog box:

1 Click the network address. Click Remove.
2 Click Add. Add the new network configuration.

Preventing IP spoofing with WatchGuard VPN

There is a potential IP spoofing problem if the remote Firebox IP is on the same network as a remote network. It is theoretically possible to spoof packets from that single IP address (the remote Firebox IP). Although this situation is relatively rare, you can prevent it by disallowing access to internal servers from the remote Firebox IP.

Configuring incoming services to allow VPN

Because users on the remote Firebox are technically outside the trusted network, you must configure services to allow traffic through the VPN connection. WatchGuard recommends the following method:

1 Create a host alias corresponding to the VPN remote networks.
For more information see “Adding a host alias” on page 86.
2 Add the VPN host alias to the Incoming From and Outgoing To properties of allowed services.
For more information, see “Defining service properties” on page 49.

An alternative method is to add the Any service with the following incoming properties:
• Enabled and allowed
• From: VPN host alias
• To: Any

Verifying successful WatchGuard VPN configuration

To determine whether a configuration has been successful:
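Added example, not code from the guide or from WatchGuard: a pre-flight check that applies the rules of the setup procedure above (reserved Local Firebox IP, slash-notation remote networks, reciprocal network lists, matching keys, and the IP spoofing caveat) to a planned pair of VPN entries. The dictionary layout and the function names are assumptions for illustration.

```python
import ipaddress

# Constructed for this example (not from the guide): RFC 1918 reserved ranges for step 4.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _networks(cidrs):
    """Parse slash-notation entries; raises ValueError on a malformed one."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def check_vpn_pair(local, remote):
    """Return problems found in two peered WatchGuard VPN entries (empty list = OK).

    Each side is a dict (hypothetical layout, not the Firebox configuration format):
    external_ip (External interface), vpn_ip (the reserved 'Local Firebox IP'),
    networks (own protected networks), remote_networks (Remote Networks box),
    passphrase (the encryption key entered in step 8).
    """
    problems = []
    sides = (("local", local), ("remote", remote))
    try:
        nets = {name: _networks(cfg["networks"]) for name, cfg in sides}
        peers = {name: _networks(cfg["remote_networks"]) for name, cfg in sides}
    except ValueError as exc:
        return [f"network entry is not valid slash notation: {exc}"]
    in_use = nets["local"] + nets["remote"]
    for name, cfg in sides:
        vpn_ip = ipaddress.ip_address(cfg["vpn_ip"])
        # Step 4: the Local Firebox IP comes from a reserved network ...
        if not any(vpn_ip in n for n in RFC1918):
            problems.append(f"{name}: VPN IP {vpn_ip} is not an RFC 1918 address")
        # ... that is not in use on the local or remote networks.
        for net in in_use:
            if vpn_ip in net:
                problems.append(f"{name}: VPN IP {vpn_ip} is inside in-use network {net}")
    # Step 5: peer-to-peer, so each Firebox must list the other's networks.
    if set(peers["local"]) != set(nets["remote"]):
        problems.append("local Remote Networks do not match the remote Firebox's networks")
    if set(peers["remote"]) != set(nets["local"]):
        problems.append("remote Remote Networks do not match the local Firebox's networks")
    # Step 8: the hashed key must be identical on both ends.
    if local["passphrase"] != remote["passphrase"]:
        problems.append("encryption keys differ, so the hashed keys will not match")
    # Spoofing caveat: the remote Firebox IP sits inside one of the remote networks.
    remote_ext = ipaddress.ip_address(remote["external_ip"])
    if any(remote_ext in net for net in peers["local"]):
        problems.append(f"remote Firebox IP {remote_ext} is inside a remote network; "
                        "deny it access to internal servers")
    return problems
```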
