WatchGuard Firebox System 4.6 User Guide
Configuring WatchGuard VPN

Use WatchGuard VPN to implement a branch office VPN between two Fireboxes. WatchGuard VPN uses UDP port 4104.

WatchGuard VPN offers 40-bit encryption. WatchGuard VPN with 128-bit encryption can be used when both ends of the tunnel are licensed for enhanced encryption. Other encryption standards are available (DES, which uses a 56-bit key, and 3-DES). Both 40-bit encryption and single DES are weak by current standards; select the strongest option for which both ends of the tunnel are licensed.

WatchGuard VPN configuration models

There are two models for configuring WatchGuard VPN:

Two-box configuration
Connect two networks over the Internet using two Fireboxes.

Multiple-box configuration
Connect one central Firebox to multiple remote networks over the Internet.
- Add multiple VPN configurations to the central Firebox, and configure the remote Fireboxes accordingly.
- Make sure that each passphrase is unique to a single VPN connection.
- On the central Firebox, the same Local Firebox IP can be used for multiple remote Fireboxes. However, that address must not be used for any other purpose on either the central or the remote networks.

Setting up WatchGuard VPN

From Policy Manager:

1 Select Network => Branch Office VPN => WatchGuard VPN.
2 To set up a branch office, click Add.
3 In the Remote Firebox IP field, enter the IP address of the External interface of the remote Firebox.
4 In the Local Firebox IP field, enter an IP address from a reserved network that is not in use on the local or remote networks. More information on reserved networks can be found in RFC 1918. You can use the same local VPN IP address for multiple VPN connections when specifying more than one, for example when several branch offices connect to a central office.
5 In the text box to the left of the Add button, enter the address, in slash (CIDR) notation, of any remote network to which access should be granted from the local Firebox. Click Add.
The remote Firebox must reciprocate by adding the local networks in its Remote Networks box. Because WatchGuard VPN is peer-to-peer, each Firebox must have the other's networks listed.
6 Click the Encryption tab.
7 Under Encryption, select the number of bits used to encrypt the tunnel. The greater the number of bits, the stronger the encryption.
8 Enter the encryption key. Click Make Key.
WatchGuard hashes the encryption key and then displays a key in the bottom panel. The hashed key must be identical on both Fireboxes. If you are running different versions of WatchGuard Security System software, verify that the hashes match exactly on the two Fireboxes.
9 Click the Options tab.
10 Enable the Activate WatchGuard VPN checkbox.
11 To automatically add a source to the Blocked Sites list when it fails to properly connect to the Firebox, enable the Add Source to Blocked List When Denied checkbox.
12 Enable Logging options according to your security policy preferences.
Activating logging often generates a high volume of log entries, significantly slowing the passage of VPN traffic. WatchGuard recommends logging only for debugging purposes.

Changing remote network entries

You cannot edit a remote network entry. You must remove the original and add the new remote network address. From the WatchGuard VPN Setup dialog box:

1 Click the network address. Click Remove.
2 Click Add. Add the new network configuration.

Preventing IP spoofing with WatchGuard VPN

There is a potential IP spoofing problem if the remote Firebox IP falls inside one of the remote networks listed for the tunnel. It is theoretically possible to spoof packets from that single IP address (the remote Firebox IP). Although this situation is relatively rare, you can prevent it by denying access to internal servers from the remote Firebox IP.

Configuring incoming services to allow VPN

Because users behind the remote Firebox are technically outside the trusted network, you must configure services to allow traffic through the VPN connection. WatchGuard recommends the following method:

1 Create a host alias corresponding to the VPN remote networks.
For more information see "Adding a host alias" on page 86.
2 Add the VPN host alias to the Incoming From and Outgoing To properties of each allowed service.
For more information, see "Defining service properties" on page 49.

An alternative method is to add the Any service with the following incoming properties:
• Enabled and allowed
• From: VPN host alias
• To: Any

Note that the Any service permits every protocol from the remote networks into the local network. Use it only where the remote networks are trusted to the same degree as the local network; otherwise prefer adding the alias to individual services.

Verifying successful WatchGuard VPN configuration

To determine whether a configuration has been successful:
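The following script is an added example, not part of the WatchGuard guide or of WatchGuard software. It encodes the constraints this chapter states for a WatchGuard VPN plan as checks that can be run before the tunnel is activated: the Local Firebox IP must come from RFC 1918 space and not overlap any local or remote network (step 4), both ends must reciprocate each other's networks and produce identical hashed keys (steps 5 and 8), passphrases must be unique per tunnel on a central Firebox (multiple-box model), a remote Firebox IP lying inside a remote network is flagged as the spoofing case, and the recommended service rules are derived from a host alias. The Tunnel structure, the check and function names, the SHA-256 stand-in for Make Key and the sample addresses are assumptions of the example; the guide does not document the hash algorithm the Firebox actually uses.

```python
"""Consistency checks for a WatchGuard VPN (branch office) plan.

Added example; not WatchGuard code. Field names mirror the Policy Manager
dialog described in the chapter; everything else is an assumption.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

WATCHGUARD_VPN_UDP_PORT = 4104
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Tunnel:
    """One WatchGuard VPN entry as configured on one Firebox."""
    firebox: str              # name of the Firebox this entry lives on
    external_ip: str          # this Firebox's External interface address
    local_networks: tuple     # networks behind this Firebox (CIDR strings)
    remote_firebox_ip: str    # step 3: peer's External interface address
    local_vpn_ip: str         # step 4: address from a reserved (RFC 1918) network
    remote_networks: tuple    # step 5: peer's networks (CIDR strings)
    key_bits: int             # step 7: encryption strength
    passphrase: str           # step 8: key as typed, before Make Key


def make_key(passphrase: str) -> str:
    """Stand-in for Make Key. The guide only says the key is hashed; the
    real algorithm is undocumented here, so SHA-256 is an assumption."""
    return hashlib.sha256(passphrase.encode()).hexdigest()


def check_local_vpn_ip(t: Tunnel) -> list:
    """Step 4: Local Firebox IP must be reserved space and unused on either side."""
    findings = []
    ip = ipaddress.ip_address(t.local_vpn_ip)
    if not any(ip in n for n in RFC1918):
        findings.append(f"{t.firebox}: local VPN IP {ip} is not RFC 1918 space")
    for cidr in t.local_networks + t.remote_networks:
        if ip in ipaddress.ip_network(cidr):
            findings.append(f"{t.firebox}: local VPN IP {ip} overlaps network {cidr}")
    return findings


def check_spoof_risk(t: Tunnel) -> list:
    """Spoofing case: the remote Firebox IP lies inside one of the remote networks."""
    peer = ipaddress.ip_address(t.remote_firebox_ip)
    return [f"{t.firebox}: remote Firebox IP {peer} is inside remote network {cidr}; "
            f"deny that single address access to internal servers"
            for cidr in t.remote_networks if peer in ipaddress.ip_network(cidr)]


def check_pair(a: Tunnel, b: Tunnel) -> list:
    """Both ends must point at each other, reciprocate networks, and hash to the same key."""
    findings = []
    if a.remote_firebox_ip != b.external_ip or b.remote_firebox_ip != a.external_ip:
        findings.append("remote Firebox IPs do not match the peers' External interfaces")
    if set(a.remote_networks) != set(b.local_networks) or set(b.remote_networks) != set(a.local_networks):
        findings.append("remote networks are not reciprocated on both Fireboxes")
    if a.key_bits != b.key_bits:
        findings.append(f"encryption strength differs: {a.key_bits} vs {b.key_bits} bits")
    if make_key(a.passphrase) != make_key(b.passphrase):
        findings.append("hashed keys differ; re-enter the passphrase on one end")
    return findings


def check_central(tunnels) -> list:
    """Multiple-box model: one passphrase per tunnel (the local VPN IP may be reused)."""
    seen, findings = {}, []
    for t in tunnels:
        if t.passphrase in seen:
            findings.append(f"passphrase reused for tunnels to {seen[t.passphrase]} and {t.remote_firebox_ip}")
        seen.setdefault(t.passphrase, t.remote_firebox_ip)
    return findings


def service_rules(alias: str, services) -> list:
    """Recommended method: alias goes in Incoming From and Outgoing To of each allowed service."""
    return ([(svc, "Incoming", "From", alias) for svc in services]
            + [(svc, "Outgoing", "To", alias) for svc in services])


# Constructed sample plan (RFC 5737 documentation addresses and RFC 1918 space).
HQ_TO_A = Tunnel("hq", "203.0.113.1", ("192.168.10.0/24",), "198.51.100.7", "10.255.0.1",
                 ("192.168.20.0/24",), 128, "branch-a-secret")
A_TO_HQ = Tunnel("branch-a", "198.51.100.7", ("192.168.20.0/24",), "203.0.113.1", "10.255.0.2",
                 ("192.168.10.0/24",), 128, "branch-a-secret")
# Second branch: reuses branch A's passphrase, and its Firebox sits inside its own remote network.
HQ_TO_B = Tunnel("hq", "203.0.113.1", ("192.168.10.0/24",), "198.51.100.65", "10.255.0.1",
                 ("198.51.100.64/26",), 128, "branch-a-secret")

if __name__ == "__main__":
    for label, found in (("pair hq/branch-a", check_pair(HQ_TO_A, A_TO_HQ)),
                         ("hq local VPN IPs", check_local_vpn_ip(HQ_TO_A) + check_local_vpn_ip(HQ_TO_B)),
                         ("spoof risk", check_spoof_risk(HQ_TO_B)),
                         ("central passphrases", check_central([HQ_TO_A, HQ_TO_B]))):
        print(label, "->", found or "ok")
    for rule in service_rules("vpn_remote_nets", ("HTTP", "SMTP")):
        print(*rule)
```

The pair check is run once per tunnel with both Fireboxes' entries; the per-Firebox checks and the passphrase check are run on the central Firebox's list of entries. Findings are returned as plain strings so they can be reviewed alongside the dialog before Activate WatchGuard VPN is enabled.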