WatchGuard Firebox System 4.6 User Guide
Setting up proxy services

2 Click Outgoing.
  The Outgoing SMTP Proxy dialog box appears, displaying the General tab.
3 To add a new header pattern, type the pattern name in the text box to the left of the Add button. Click Add.
4 To remove a header from the pattern list, click the header pattern. Click Remove.
5 Set a time-out value in seconds.
6 To modify logging properties, click the Logging tab.

Add masquerading options

SMTP masquerading converts an address pattern behind the firewall into an anonymized public address. For example, the internal address pattern might be inside.salesdept.bigcompany.com, which would be anonymized to their public address bigcompany.com.

1 Click the Masquerading tab.
2 Enter the official domain name.
  This is the name you want visible to the outside world.
3 In the Substitute text box, type the address patterns that are behind your firewall that you want replaced by the official domain name.
  All patterns entered here appear as the official domain name outside the Firebox.
4 In the Don’t Substitute text box, type the address patterns that you want to appear “as is” outside the firewall.
5 Enable other masquerading properties according to your security policy preferences.

Configuring an FTP proxy service

To enable the FTP proxy, add the FTP icon to the Services Arena. From the Policy Manager Services Arena:

1 Double-click the FTP Proxy service icon to open the FTP Proxy Properties dialog box.
  Outgoing FTP does not work without an FTP icon in the Services Arena to trigger the FTP proxy.
2 Click the Properties tab.
3 Click Settings.
4 Enable FTP proxy properties according to your security policy preferences.
  For a description of each control, right-click it, and then click What’s This?
5 Click OK.
6 Click File => Save => To Firebox to save your changes to the Firebox. Specify the location and name of the new configuration file.

Configuring an HTTP proxy service

HyperText Transfer Protocol (HTTP) is the protocol used by the World Wide Web to move information around the Internet. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers take in response to commands. For example, when you enter a URL into your browser, you are sending an HTTP command to the Web server, directing it to find and send you the requested Web page.

The HTTP proxy does content-based filtering on outgoing connections only, with a set of options that you can easily configure according to your own requirements. The HTTP proxy does not process incoming connections. In addition, the HTTP proxy can serve as a content filter for Web browsers. For more information, see “Configuring the WebBlocker service” on page 60.

You can use two types of HTTP services:

• Proxied-HTTP service allows outbound HTTP on TCP port 80 to be proxied through the Firebox. The proxy has the capability of performing HTTP-specific content filtering of each connection. Such content filtering can include denying or removing “unsafe” content types (such as Java or ActiveX) and performing general verifications on the HTTP exchange.
• Filtered-HTTP service allows outbound HTTP on all TCP ports, but incoming access only on port 80. Filtered HTTP is filtered by the standard packet filter, which can restrict access by IP address or alias only. No proxy is used with this service, meaning that Filtered-HTTP cannot make use of any of the advanced HTTP-specific content-filtering options provided by the proxy. You must use proxied-HTTP if you want accounting logs – for example, byte counts.

With either type of HTTP service, you should have a single icon that allows for general outgoing HTTP access (for most internal users) and incoming HTTP access to a limited set of Web servers.

The WatchGuard service called “HTTP” is not to be confused with an HTTP caching proxy. An HTTP caching proxy refers to a separate machine that performs caching of Web data.

From Policy Manager:

1 Double-click the HTTP Proxy service icon to open the HTTP Proxy Properties dialog box.
2 Click the Properties tab. Click Settings.
3 If you are using the HTTP proxy service because you want to use WebBlocker, follow the procedure in the next section. Otherwise, enable HTTP proxy properties according to your security policy preferences.
  For detailed descriptions of HTTP proxy options, see the Reference Guide.
  Zip files are denied when you deny Java or ActiveX applets, because zip files often contain these applets.
4 Click the Safe Content tab.
5 Add or remove properties according to your security policy preferences. Click OK.
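
To confirm that the SMTP masquerading settings described under “Add masquerading options” hide what you intended, you can inspect the headers of a message captured outside the firewall. The following is an added example, not WatchGuard code: it reports internal host names still visible in any header. The glob-style pattern matching, the pattern values other than the guide's bigcompany.com names, and the sample message are assumptions constructed for illustration, and the check makes no claim about which headers the Firebox rewrites.

```python
import re
from email import message_from_string
from fnmatch import fnmatchcase

# Assumed values mirroring the three Masquerading tab fields (constructed).
OFFICIAL_DOMAIN = "bigcompany.com"
SUBSTITUTE = ["*.salesdept.bigcompany.com"]           # names that must be hidden
DONT_SUBSTITUTE = ["lists.salesdept.bigcompany.com"]  # names allowed out "as is"

# Dotted host-like tokens anywhere in a header value.
HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def is_internal(host):
    """True if host matches a Substitute pattern and no Don't Substitute pattern."""
    host = host.lower().rstrip(".")
    if host == OFFICIAL_DOMAIN:
        return False
    if any(fnmatchcase(host, p) for p in DONT_SUBSTITUTE):
        return False
    return any(fnmatchcase(host, p) for p in SUBSTITUTE)

def find_leaks(raw_message):
    """Return sorted (header, host) pairs where an internal name is still visible."""
    msg = message_from_string(raw_message)
    leaks = set()
    for name, value in msg.items():
        for host in HOST_RE.findall(str(value)):
            if is_internal(host):
                leaks.add((name, host.lower()))
    return sorted(leaks)

# Constructed sample: a message as it might look WITHOUT masquerading applied.
SAMPLE = (
    "Received: from ws12.inside.salesdept.bigcompany.com by mail.bigcompany.com\n"
    "From: Alice <alice@bigcompany.com>\n"
    "To: bob@example.org\n"
    "Message-ID: <20010101.1234@inside.salesdept.bigcompany.com>\n"
    "X-List: lists.salesdept.bigcompany.com\n"
    "Subject: quote\n"
    "\n"
    "body text\n"
)

if __name__ == "__main__":
    for header, host in find_leaks(SAMPLE):
        print(f"internal name visible in {header}: {host}")
```

An empty result for mail captured on the external side means no header carries a name matching the Substitute patterns; any pair returned names the header to investigate.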