WatchGuard Firebox System 4.6 User Guide
Service precedence

Precedence is generally given to the most specific service and descends to the most general service. However, exceptions exist. There are three different precedence groups for services:

• The “Any” service (see the Online Help system for information about the “Any” packet filter service). This group has the highest precedence.
• IP and ICMP services and all TCP/UDP services that have a port number specified. This group has the second highest precedence and is the largest of the three.
• “Outgoing” services that do not specify a port number (they apply to any port). This group includes Outgoing TCP, Outgoing UDP, and Proxy.

“Multiservices” can contain subservices of more than one precedence group. “Filtered-HTTP” and “Proxied-HTTP,” for example, contain both a port-specific TCP subservice for port 80 as well as a nonport subservice that covers all other TCP connections. When precedence is being determined, individual subservices are given precedence according to their group (described previously) independent of the other subservices contained in the multiservice.

Precedence is determined by group first. Services from a higher precedence group always have higher precedence than the services of a lower-precedence group, regardless of their individual settings (for example, the lowest precedence “Any” service will take precedence over the highest precedence Telnet service).

The precedences of services that are in the same precedence group are ordered from the most specific services (based on source and destination targets) to the least specific service. The method used to sort services is based on the specificity of targets, from most specific to least specific.
The following order is used:

From    To      Rank
IP      IP      0
List    IP      1
IP      List    2
List    List    3
Any     IP      4
IP      Any     5
Any     List    6
List    Any     7
Any     Any     8

“IP” refers to exactly one host IP address; “List” refers to multiple host IP addresses, a network address, or an alias; and “Any” refers to the special “Any” target (not “Any” services).

When two icons are representing the same service (for example, two Telnet icons or two Any icons) they are sorted using the above table. The most specific one will always be checked first for a match. If a match is not made, the next most specific service will be checked, and so on, until either a match is made or there are no services left to check. In the latter case, the packet is denied. For example, if there are two Telnet icons, telnet_1 allowing from A to B and telnet_2 allowing from C to D, a Telnet attempt from C to E will first check telnet_1, and then telnet_2. Because no match is found, the rest of the rules are considered. If an Outgoing service will allow from C to E, it will do so.

When only one icon is representing a service in a precedence category, only that service is checked for a match. If the packet matches the service and both targets, the service rule applies. If the packet matches the service but fails to match either target, the packet is denied. For example, if there is one Telnet icon allowing from A to B, a Telnet attempt from A to C will be blocked without considering any services further down the precedence chain, including Outgoing services.
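The precedence walk described above, as an added Python model that is not part of the WatchGuard guide: the group order and target ranks are the guide's, while the Service structure, the host labels A–E and the example policy are constructed here for illustration. It reproduces both Telnet scenarios, including the single-icon case that denies without falling through to Outgoing services.

```python
from dataclasses import dataclass

# Precedence groups (highest first) and target-specificity ranks, as given
# in the guide's text and table above.
GROUP_RANK = {"any": 0, "port": 1, "outgoing": 2}
TARGET_RANK = {("IP", "IP"): 0, ("List", "IP"): 1, ("IP", "List"): 2,
               ("List", "List"): 3, ("Any", "IP"): 4, ("IP", "Any"): 5,
               ("Any", "List"): 6, ("List", "Any"): 7, ("Any", "Any"): 8}

@dataclass
class Service:                 # constructed representation of one service icon
    name: str
    group: str                 # "any", "port" or "outgoing"
    proto: str                 # "tcp", "udp", or "any" for the Any service
    port: object               # int, or None for Outgoing services (any port)
    src: object                # "Any", a single host name, or a set of host names
    dst: object

def kind(target):
    """Classify a target as IP, List or Any, as the table above does."""
    if target == "Any":
        return "Any"
    return "List" if isinstance(target, (set, frozenset)) else "IP"

def sort_key(svc):
    return (GROUP_RANK[svc.group], TARGET_RANK[(kind(svc.src), kind(svc.dst))])

def target_hits(target, host):
    return target == "Any" or host == target or (kind(target) == "List" and host in target)

def decide(services, proto, port, src, dst):
    """Return (verdict, service_name) by walking icons in precedence order."""
    for grp in ("any", "port", "outgoing"):
        # icons in this group that represent the packet's service, most specific first
        icons = [s for s in sorted(services, key=sort_key) if s.group == grp
                 and (s.proto == "any" or (s.proto == proto and s.port in (None, port)))]
        for s in icons:
            if target_hits(s.src, src) and target_hits(s.dst, dst):
                return "allow", s.name
        # A lone icon for this service decides the packet: deny here without
        # consulting lower-precedence groups such as Outgoing.
        if len(icons) == 1:
            return "deny", icons[0].name
    return "deny", None        # nothing left to check: the packet is denied

# Constructed policy mirroring the guide's Telnet examples (hosts A..E are labels).
EXAMPLE_POLICY = [
    Service("telnet_1", "port", "tcp", 23, "A", "B"),
    Service("telnet_2", "port", "tcp", 23, "C", "D"),
    Service("outgoing_tcp", "outgoing", "tcp", None, "Any", "Any"),
]
```

Removing telnet_2 from the policy turns the A-to-C Telnet attempt into a deny at telnet_1, even though outgoing_tcp would otherwise have allowed it.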