WatchGuard Firebox X Core User Manual [en, de, es]
I
N
T
E
G
R
A
T
E
D
A
P
P
L
I
A
N
C
E
E
X
P
A
N
D
A
B
L
E
P
L
A
T
F
O
R
M
I
N
T
E
L
L
I
G
E
N
T
L
A
Y
E
R
E
D
S
E
C
U
R
I
T
Y
I
N
T
U
I
T
I
V
E
U
S
E
R
E
X
P
E
R
I
E
N
C
E
E
X
P
E
R
T
G
U
I
D
A
N
C
E
&
S
U
P
P
O
R
T
WatchGuard®Firebox®X QuickStart Guide 2-8
WatchGuard®Firebox®X QuickStart-Anleitung 9-15
Guía de instalación rápida de WatchGuard®Firebox®X 16-22
23-29
30-36
W
Note:
Click on your language below
in the table of contents to
reach the section you need
atchGuard® Firebox® X QuickStart
WatchGuard® Firebox® X
2
WatchGuard®Firebox®X QuickStart Guide
Getting Started
WatchGuard® Firebox® X has the security you really need. A fully integrated appliance, it contains powerful
layered network security, intuitive management and premium support through LiveSecurity Service. This
QuickStart Guide covers the initial installation of WatchGuard Firebox X. Please refer to your Hardware Guide
and User Guide for hardware specifications and comprehensive setup instructions.
Check Package Contents
✔ WatchGuard Firebox X appliance
✔ QuickStart Guide
✔ User Documentation
✔ One serial cable (blue)
✔ Ethernet crossover cable (red)
✔ Three Ethernet cables (green)
✔ Power cable
✔ WatchGuard System Manager CD
✔ License Key Certificate
Selecting a Firewall Configuration Mode
Important! Before installing the WatchGuard Firebox X, you need
to decide how to incorporate the Firebox X into your network. To
begin, select the configuration mode that most closely reflects
your existing network. There are two possible options: Routed and
Drop-in Configuration. The choices you make here will be used in step 5.
Routed Configuration (Figure 1)
This configuration is necessary when the number of
public IP addresses is limited or when you have
dynamic IP addressing on the external interface. The
Firebox is put into place with separate logical networks and separate network addresses on each of its
interfaces. Most networks are best served by a
Routed configuration. Public servers behind the
Firebox use private addresses, and traffic is routed
using network address translation.
NOTE: Please read the
entire QuickStart Guide
before beginning the install
process.
Review Steps for Installation
✔ Selecting a firewall configuration mode
✔ Gathering network information
✔ Setting up a management station
✔ Cabling the Firebox X
✔ Running the QuickSetup Wizard
✔ Deploying the Firebox X into your network
✔ Registering your LiveSecurity® Service
1
Option 1: Routed Configuration
Internet
Router
24.4.5.1/24
24.4.5.7/24
Figure 1
External
Interface
Trusted Interface
10.10.10.254
Optional Interface
192.168.10.254
3
Drop-in Configuration (Figure 2)
This configuration is necessary when Public servers
behind the Firebox use public addresses, and traffic is
routed through the Firebox with no network address
translation. The Firebox is put in place with the same
network address on all interfaces. Because this configuration mode distributes the network’s logical address
space across the Firebox interfaces, you can “drop”
the Firebox between the router and the LAN without
reconfiguring any local machines.
Using a Secondary Network
(Figure 3)
Whether you have chosen Routed or Drop-in mode,
your configuration may require a secondary network
on the trusted interface. A secondary network is a
separate logical network connected to the Firebox
interface by a switch or hub.
Note: The IP address you declare as a secondary network becomes the default gateway for computers on
that network.
QUESTIONS
For more information about Routed or
Drop-in Configurations, please refer to the
Getting Started section of the User Guide.
FIREWALL CONFIGURATION MODE
Routed Drop-in
SECONDARY NETWORK
YES
NO
Option 2: Drop-in Configuration
Internet
Router
66.4.5.1/24
Figure 2
External
Interface
66.4.5.2/24
Trusted Interface
66.4.5.2/24
Optional Interface
66.4.5.2/24
Secondary Network
Primary
Network
Hub/
Switch
10.10.10.1
10.10.10.5
10.10.10.25
Secondary Network
Trusted Interface
10.10.10.254 (Primary)
172.16.1.254 (Secondary)
172.16.1.10
172.16.1.15
172.16.1.20
Figure 3
4
Gathering Network Information
Use the following tables to gather network information. This material will be required for steps 4
and 6. Please keep the QuickStart guide in a secure location for future reference.
Network Addresses (refer to Figure 6)
______________ . ______________ . ______________ . ______________
Default Gateway
______________ . ______________ . ______________ . ______________ /________________
External Inter face
______________ . ______________ . ______________ . ______________ /________________
Trusted Interface (routed only)
______________ . ______________ . ______________ . ______________ /________________
Optional Interface (routed only)
______________ . ______________ . ______________ . ______________
Management Station used for installation
Firebox X Serial Number, found on the back of your Firebox under the barcode.
________________________________________________________________________________
PPP Authentication (if using PPPoE on external interface) Provided by your ISP if
it uses PPPoE.
________________________________________________________________________________
PPP Username
________________________________________________________________________________
PPP Password
Additional Optional IP Addresses (refer to Figure 6)
______________ . ______________ . ______________ . ______________ /________________
Secondary Network on the Trusted Interface
______________ . ______________ . ______________ . ______________ /________________
Mail (SMTP) Server
______________ . ______________ . ______________ . ______________ /________________
Web (HTTP) Server
______________ . ______________ . ______________ . ______________ /________________
FTP Server
2
5
Setting Up the Management Station
You can administer the WatchGuard Firebox X from any
computer that you designate as the management station. By default, your Firebox logs will be saved to this
computer as well. Microsoft® Windows® NT/2000/XP
with Intel® Pentium® II 500 Mhz or higher is required.
25 MB hard disk space is required to install all
WatchGuard modules, plus 15 MB minimum for
log files.
To designate the management station, install the management software as follows:
1. Insert the WatchGuard System Manager CD-ROM. If the installation wizard does not appear
automatically, double-click install.exe in the root directory of the CD.
2. Click Download the Latest Software on the Firebox X Installation screen. This launches your Web browser
and connects you to the WatchGuard Website. (If you do not have an Internet connection, you can install
directly from the CD-ROM. However, you will not be eligible for support and VPN functionality until you
activate LiveSecurity Service.)
3. Follow the instructions on the screen to activate your LiveSecurity Service subscription.
4. Download the WatchGuard System Manager software. Download time will vary depending on your
connection speed.
NOTE: Make sure you write down the name and path of the file as you save it to your hard drive!
5. Execute self-extracting file, follow the screens until the “WatchGuard Firebox X Set-up:
Set-up Complete” screen.
6. By default, the QuickSetup Wizard will launch at the end of the software installation. You must first
cable the Firebox before continuing with the QuickSetup Wizard.
3
DOWNLOAD THE LATEST SOFTWARE!
ACTIVATE your LiveSecurity® Service
to get the latest version of the management station software!
www.watchguard.com/support
IMPORTANT
If you want to use virtual private networking (VPN) with IPSec, you must
download medium or strong encryption software. See the Getting Started section of the
User Guide for more information.
USING SLASH NOTATION
In slash notation, a single number indicates how many
bits of the IP address identify the network where the host
resides. A network mask of 255.255.255.0 has a slash equivalent of
8+8+8=24. For example, writing 192.168.42.23/24 is the same as
specifying the IP address 192.168.42.23 with a corresponding network mask of 255.255.255.0. Click the Help button in the
QuickSetup Wizard for more information.
6
Cabling the Firebox® X
Cable the Firebox X to your management station as
follows. (Refer to Figures 4, 5, 6 and 7 below.) Note:
All Firebox ports are NIC ports, not hub ports. Refer
to Figure 5 for details on unmarked ports.
Running the QuickSetup Wizard
After you finish setting up the Management Station and
cabling the Firebox X, use the QuickSetup Wizard to
create a basic configuration file. This enables the
Firebox X to function as a simple but immediately
effective firewall.
4
IMPORTANT
To set up the Firebox X using
TCP/IP, see the Getting Started
section of the User Guide.
5
■
Only the external port is labeled on the
Firebox X. Please review highlighted areas for
the trusted ports.
■
Plug the power cord into the Firebox power
input and into a power source. Leave the
power switch ‘off’ until the end of step 6.
■
Use the blue serial cable to connect the
Firebox Serial Port (CONSOLE) to the
management station COM port.
Use the red crossover cable to connect the
Firebox trusted interface to the management
station Ethernet port. (You can disconnect
your Internet connection if necessary.)
To test your connection to
the Firebox through the
Management Software before
deploying the Firebox on your
network, see the Getting Started
section of the User Guide.
Firebox X Front Panel
LCD
Display
Network Configuration Diagram
Trusted Optional
Management
Scrolling
Buttons
Internet
Network
Port
lights
Power
Light
Console
Router (optional)
External
HTTP
Server
Trusted
Interface
External
Interface
SMTP
Server
Removable
Hard Drive Slot
Optional
Interfaces
Server
Figure 4
Figure 6
FTP
Location of trusted ports
Figure 5
Trusted
Optional
Cabling for Provisioning
Management Station PC
(back)
Firebox X (front)
COM Port
Ethernet Port
Console
Figure 7
Trusted
7
If the QuickSetup Wizard is not already launched, launch it from the Windows desktop by selecting Start
=>Programs => WatchGuard =>QuickSetup Wizard. Provide the information as prompted by the
QuickSetup Wizard, referring to the tables and choices in steps 1 and 2 of this guide. Please note the
following:
■
IP Addressing
When entering an IP address, type the digits, periods,
and slashes in sequence. Do not use the Tab or Arrow
keys to jump past the periods.
■
Secondary “Non-routed” Networks
The QuickSetup Wizard checkbox labeled “I have an
additional non-routed network behind my Firebox”
refers to the Secondary Network on the Trusted
Interface entry in the network
configuration table in Step 3.
When you see the “Firebox Basic Configuration Complete” dialog box in the WatchGuard QuickSetup Wizard,
you have successfully completed the installation of your Firebox.
Deploying the Firebox® X
into Your Network
The Firebox X can now be used as a basic firewall with the following properties:
■
All outgoing traffic is allowed.
■
All incoming traffic is blocked unless you specified
a server in the QuickSetup Wizard.
■
Logs are sent to the WatchGuard Security Event
Processor on the Management Station.
Deploy the Firebox X into your network
■
Place the Firebox in its permanent location.
■
Connect the Firebox to your network.
NOTE: Be sure to avoid the network deployment
errors shown in Figure 8.
■
Change the default gateway setting on all
desktops connected behind the Firebox Trusted
or Optional interfaces.
■
Passphrases
Passphrases are case-sensitive and must be
at least seven characters long. They can be
any combination of letters, numbers, and
special characters. You will create two
passphrases. The status passphrase is used to
establish read-only connections to the
Firebox. The configuration passphrase is used
to establish read/write connections to
the Firebox.
6
Beware of inadvertently connecting Firebox
interfaces to one another; for example by
connecting them to the same hub or switch. This
is known as a “Looped Configuration” and will
bypass all firewalling capabilities, rendering
your Firebox useless.
IMPORTANT
The configuration file created using the QuickSetup
Wizard is a basic configuration. You should now
create a configuration file that meets your security policy
needs. Please refer to the Getting Started section of the
User Guide to begin this process.
Network Deployment Error
Internet
NO!
Router
External
Interface
Figure 8
NO!
WARNING!
Trusted
Interface
Optional
Interface
NO!
8
What’s Next?
Congratulations! You have successfully installed, configured, and deployed your new Firebox X on
your network. What’s next? Below are some things to remember as a new customer.
Customizing your security policy
You customize your security policy by adding services—application layer filters (called proxies) and packet filters—that broaden or restrict what you allow in and out of your firewall. Every service brings trade-offs
between network security and accessibility. When selecting services, balance the needs of your organization
with the requirement that computer assets be protected from attack. Some common services that organizations typically add are the following:
■
HTTP (Web Service)
■
SMTP (Email Service)
■
DNS (Domain Name Service)
■
FTP (File Transfer Service)
Set up Added Services
Please refer to the “Types of Services” chapter of the Reference Guide for a comprehensive list of services you
can add, and the “Configuring Filtered Services” and “Configuring Proxied Services” chapters of the User Guide
to learn more about adding services such as SpamScreen or WebBlocker and application layer filters.
What to Expect from Your LiveSecurity® Service
Your Firebox X includes a subscription to our award-winning LiveSecurity® Service. Your subscription:
✔ Provides up-to-date network protection with the latest software upgrades.
✔ Solves problems with comprehensive technical support including step-by-step tutorials and Frequently
Asked Questions (FAQs).
✔ Reduces downtime with alerts and configuration tips to combat the newest threats and vulnerabilities.
✔ Develops your expertise with detailed interactive training resources.
✔ Keeps you prepared for upcoming security threats with editorials and analysis from industry experts.
✔ Extends your network security with bundled software, utilities, and special offers.
7
+1.206.613.0456
(all other countries)
www.watchguard.com/support
Technical Support
1.877.232.3531
(U.S. and Canada)
9
WatchGuard®Firebox®X QuickStart-Anleitung
Getting Started
Die WatchGuard® Firebox® X ist ein vollständig integriertes Gerät und vereint leistungsstarke mehrschichtige
Netzwerksicherheit, intuitive Verwaltung und erstklassigen Support durch den LiveSecurity® Service. Diese
QuickStart-Anleitung beschreibt die Erstinstallation der WatchGuard Firebox X. Weitere Informationen zu den
Hardware-Spezifikationen sowie umfassende Installationsanweisungen finden Sie im Hardware Guide und im
User Guide.
Checkliste: Verpackungsinhalt
✔ WatchGuard Firebox X (Gerät)
✔ QuickStart-Anleitung
✔ Benutzerdokumentation
✔ 1 serielles Kabel (blau)
✔ Ethernet-Patchkabel, gekreuzt (rot)
✔ 3 Ethernet-Patchkabel (grün)
✔ Netzkabel
✔ WatchGuard System Manager-CD
✔ LiveSecurity® Service Key Dokument
Firewall-Konfigurationsmodus auswählen
Wichtig! Vor der Installation müssen Sie festlegen, wie die
Firebox X in Ihr Netzwerk integriert werden soll. Wählen Sie
zunächst den Konfigurationsmodus, der Ihrem vorhandenen
Netzwerk am besten entspricht. Es sind zwei Konfigurationsoptionen möglich: Routed und Drop-in. Die von Ihnen hier
gewählten Optionen kommen in Schritt 5 zum Einsatz.
Routed-Konfiguration (Abb. 1)
Diese Konfiguration ist erforderlich, wenn die Anzahl
der öffentlichen IP-Adressen begrenzt ist oder wenn
Sie an der externen Schnittstelle eine dynamische IPAdressierung einsetzen. Die Firebox wird dann für
jede ihrer Schnittstellen mit separaten logischen
Netzwerken und separaten Netzwerkadressen
konfiguriert. Für die meisten Netzwerke ist die
Routed-Konfiguration am besten geeignet.
Öffentliche Server hinter der Firebox verwenden
private Adressen, und der Datenverkehr wird über
NAT (Network Address Translation – Übersetzung von
Netzwerkadressen) geroutet.
HINWEIS: Bitte lesen Sie
die gesamte QuickStartAnleitung, bevor Sie mit dem
Installationsvorgang
beginnen.
Checkliste: Installationsschritte
✔ Firewall-Konfigurationsmodus auswählen
✔ Netzwerkinformationen zusammenstellen
✔ Management Station einrichten
✔ Firebox X anschließen
✔ QuickSetup-Assistenten ausführen
✔ Firebox X im Netzwerk einsetzen
✔ LiveSecurity® Service registrieren
1
Option 1: Routed-Konfiguration
Internet
Router
24.4.5.1/24
Sichere Schnittstelle
10.10.10.254
Optionale Schnittstelle
192.168.10.254
Abb. 1
Externe
Schnittstelle
24.4.5.7/24
10
Drop-in-Konfiguration (Abb. 2)
Diese Konfiguration ist erforderlich, wenn öffentliche
Server hinter der Firebox öffentliche Adressen
verwenden und der Datenverkehr ohne NAT durch die
Firebox geroutet werden muss. Die Firebox wird dann
für jede ihrer Schnittstellen mit derselben
Netzwerkadresse konfiguriert. Da bei diesem
Konfigurationsmodus der logische Adressraum des
Netzwerks auf die Firebox-Schnittstellen verteilt wird,
können Sie die Firebox zwischen dem Router und dem
LAN ohne Neukonfigurieren der lokalen Computer
einfügen.
Sekundäres Netzwerk verwenden
(Abb. 3)
Unabhängig vom gewählten Modus benötigt Ihre
Konfiguration möglicherweise ein sekundäres
Netzwerk an der sicheren Schnittstelle. Ein
sekundäres Netzwerk ist ein separates logisches
Netzwerk, das an die Firebox-Schnittstelle über einen
Switch oder Hub angeschlossen ist.
Hinweis: Die IP-Adresse, die Sie als sekundäres
Netzwerk deklarieren, wird das Standardgateway für
die Computer in diesem Netzwerk.
FRAGEN
Weitere Informationen zum Routedund zum Drop-in-Modus finden Sie im
Abschnitt „Getting Started“ des User Guide.
FIREWALL-KONFIGURATIONSMODUS
Routed-Modus Drop-in-Modus
SEKUNDÄRES NETZWERK
JA
NEIN
Option 1: Drop-in-Konfiguration
Internet
Router
66.4.5.1/24
Abb. 2
Externe
Schnittstelle
66.4.5.2/24
Sichere Schnittstelle
66.4.5.2/24
Optionale Schnittstelle
66.4.5.2/24
Sekundäres Netzwerk
Primäres
Netzwerk
Hub/
Switch
10.10.10.1
10.10.10.5
10.10.10.25
Sekundäres Netzwerk
Sichere Schnittstelle
10.10.10.254 (Primär)
172.16.1.254 (Sekundär)
172.16.1.10
172.16.1.15
172.16.1.20
Abb. 3
11
Netzwerkinformationen zusammenstellen
Verwenden Sie die folgenden Tabellen, um die Netzwerkinformationen zusammenzustellen. Diese
Angaben werden für die Schritte 4 und 6 benötigt. Bewahren Sie die QuickStart-Anleitung an
einem sicheren Ort auf, um später darauf zurückgreifen zu können.
Netzwerkadressen (siehe Abb. 6)
______________ . ______________ . ______________ . ______________
Standardgateway
______________ . ______________ . ______________ . ______________ /________________
Externe Schnittstelle
______________ . ______________ . ______________ . ______________ /________________
Sichere Schnittstelle (im Routed Mode)
______________ . ______________ . ______________ . ______________ /________________
Optionale Schnittstelle (im Routed Mode)
______________ . ______________ . ______________ . ______________
Management Station für die Installation
Seriennummer der Firebox X (an der Geräterückseite unterhalb des Barcodes)
________________________________________________________________________________
PPP-Authentifizierung (bei Verwendung von PPPoE über externe Schnittstelle): Vom ISP
bereitgestellt, falls PPPoE verwendet wird
________________________________________________________________________________
PPP-Benutzername
________________________________________________________________________________
PPP-Kennwort
Zusätzliche optionale IP-Adressen (siehe Abb. 6)
______________ . ______________ . ______________ . ______________ /________________
Sekundäres Netzwerk an der sicheren Schnittstelle
______________ . ______________ . ______________ . ______________ /________________
Mail-Server (SMTP)
______________ . ______________ . ______________ . ______________ /________________
Web-Server (HTTP)
______________ . ______________ . ______________ . ______________ /________________
FTP-Server
2
12
Management Station einrichten
Sie können einen beliebigen Computer als Management
Station für die WatchGuard Firebox X konfigurieren.
Auf diesem Computer werden standardmäßig auch die
Firebox-Protokolle gespeichert. Zu den
Systemvoraussetzungen gehören Microsoft® Windows®
NT/2000/XP und ein Intel® Pentium® II-Prozessor mit
500 MHz oder höher. Für die Installation aller
WatchGuard-Module werden 25 MB Festplattenspeicher
benötigt sowie zusätzlich mindestens 15 MB für Protokolldateien.
So installieren Sie die Verwaltungssoftware auf der gewählten Management Station:
1. Legen Sie die WatchGuard System Manager CD-ROM ein. Wenn der Installationsassistent nicht automatisch
startet, doppelklicken Sie im Stammverzeichnis der CD auf „install.exe“.
2. Klicken Sie im Installationsbildschirm der Firebox X auf „Download the Latest Software“. Hierdurch wird Ihr
Webbrowser gestartet und eine Verbindung zur WatchGuard-Website hergestellt. (Wenn Sie keinen
Internetzugriff haben, können Sie die Installation direkt von der CD-ROM ausführen. Allerdings verfügen Sie
erst nach der Registrierung des LiveSecurity® Service über Zugriff auf den Support und die VPN-Funktionalität.)
3. Folgen Sie den Bildschirmanweisungen zum Aktivieren Ihres LiveSecurity® Service-Abonnements.
4. Laden Sie die WatchGuard System Manager-Software herunter. Die Downloadzeit hängt von Ihrer
Verbindungsgeschwindigkeit ab.
HINWEIS: Notieren Sie sich den Namen und den Pfad, unter denen die Datei auf der Festplatte gespeichert
wird!
5. Verwenden Sie die selbstausführbare Datei und folgen Sie den Bildschirmanweisungen, bis der Bildschirm
„WatchGuard Firebox X Set-up: Set-up Complete“ angezeigt wird.
6. Nach Abschluss der Softwareinstallation wird standardmäßig der QuickSetup-Assistent gestartet. Bevor Sie
mit dem QuickSetup-Assistenten fortfahren können, müssen Sie die Firebox anschließen.
3
LADEN SIE DIE NEUESTE SOFTWARE
HERUNTER!
AKTIVIEREN Sie den LiveSecurity®
Service, um die neueste Version der
Management Station-Software zu
erhalten!
www.watchguard.com/support
WICHTIG
Wenn Sie virtuelle private Netzwerke
(VPN) mit IPSec verwenden möchten,
müssen Sie eine Verschlüsselungssoftware mit
mittlerer oder starker Verschlüsselung
herunterladen. Weitere Informationen finden
Sie im Abschnitt „Getting Started“ des User
Guide.
SLASH-NOTATION
Bei der Slash-Notation wird durch eine einzelne Zahl
angegeben, wie viele Bits in dem Netzwerk, in dem sich
der Host befindet, für den Netzanteil der IP-Adressen reserviert
sind. Die Netzwerkmaske 255.255.255.0 hat in der Slash-Notation
die Entsprechung 8+8+8=24. Beispielsweise entspricht die
Adressschreibweise 192.168.42.23/24 der IP-Adresse 192.168.42.23
mit der zugehörigen Netzwerkmaske 255.255.255.0. Um weitere
Informationen anzuzeigen, klicken Sie im QuickSetup-Assistenten
auf die Hilfeschaltfläche.
Loading...