Watchguard V10, Firebox Vclass V100, Firebox Vclass V200, V60, V80 User Manual

WatchGuard® Firebox Vclass User Guide
Vcontroller 5.0
Notice to Users
Copyright, Trademark, and Patent Information
Copyright © 1998 - 2003 WatchGuard Technologies, Inc. All rights reserved. AppLock®, AppLock®/Web, Designing peace of mind®, Firebox®, Firebox® 1000, Firebox® 2500, Firebox® 4500, Firebox® II, Firebox® II Plus, Firebox® II FastVPN, Firebox® III, Firebox® SOHO, Firebox® SOHO 6, Firebox® SOHO 6tc, Firebox® SOHO|tc, Firebox® V100, Firebox® V80, Firebox® V60, Firebox® V10, LiveSecurity®, LockSolid®, RapidStream®, RapidCore®, ServerLock®, WatchGuard®, WatchGuard® Technologies, Inc., DVCP™ technology, Enforcer/MUVPN™, FireChip™, HackAdmin™, HostWatch™, Make Security Your Strength™, RapidCare™, SchoolMate™, ServiceWatch™, Smart Security. Simply Done.™, Vcontroller™, VPNforce™ are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. Smart Security. Simply Done., SpamScreen, Vcontroller are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.
© Hi/fn, Inc. 1993, including one or more U.S. Patents: 4701745, 5016009, 5126739, and 5146221 and other patents pending.
Microsoft®, Internet Explorer®, Windows® 95, Windows® 98, Windows NT® and Windows® 2000 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United States and other countries.
RC2 Symmetric Block Cipher, RC4 Symmetric Stream Cipher, RC5 Symmetric Block Cipher, BSAFE, TIPEM, RSA Public Key Cryptosystem, MD, MD2, MD4, and MD5 are either trademarks or registered trademarks of RSA Data Security, Inc. Certain materials herein are Copyright © 1992-1999 RSA Data Security, Inc. All rights reserved.
RealNetworks, RealAudio, and RealVideo are either a registered trademark or trademark of RealNetworks, Inc. in the United States and/or other countries. Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All rights reserved.
© 1995-1998 Eric Young (eay@cryptsoft). All rights reserved. © 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
ii Vcontroller
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
© 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscape's SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: “This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)” The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Firebox Vclass User Guide iii
The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license. The detailed license information follows. Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/).”
4. The names “mod_ssl” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact rse@engelschall.com.
5. Products derived from this software may not be called “mod_ssl” nor may “mod_ssl” appear in their names without prior written permission of Ralf S. Engelschall.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/).”
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The Apache Software License, Version 1.1 Copyright (c) 2000 The Apache Software Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: “This product includes software developed by the Apache Software Foundation (http://www.apache.org/).” Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.
4. The names “Apache” and “Apache Software Foundation” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact apache@apache.org.
5. Products derived from this software may not be called “Apache”, nor may “Apache” appear in their name, without prior written permission of the Apache Software Foundation.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>.
Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.
This product includes software developed by Ralf S. Engelschall <rse@engelschall.com>.
Copyright (c) 1999-2003 Ralf S. Engelschall <rse@engelschall.com>
Copyright (c) 1999-2003 The OSSP Project <http://www.ossp.org/>
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by Ralf S. Engelschall <rse@engelschall.com>."
4. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by Ralf S. Engelschall <rse@engelschall.com>."
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes the Expat XML parser
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the University of Cambridge, England. Source code for the PCRE library can be obtained via ftp: ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language.
Written by: Philip Hazel <ph10@cam.ac.uk>
University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.
Copyright (c) 1997-2001 University of Cambridge
This product includes the SCEW wrapper for Expat.
SCEW is freely available for download under the terms of the GNU Lesser General Public License (LGPL).
Copyright (C) 2002, 2003 Aleix Conchillo Flaque
This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
This product uses the Python language interpreter.
PSF LICENSE AGREEMENT FOR PYTHON 2.2.2
--------------------------------------
1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using Python 2.2.2 software in source or binary form and its associated documentation.
2. Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python 2.2.2 alone or in any derivative version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002 Python Software Foundation; All Rights Reserved" are retained in Python 2.2.2 alone or in any derivative version prepared by Licensee.
3. In the event Licensee prepares a derivative work that is based on or incorporates Python 2.2.2 or any part thereof, and wants to make the derivative work available to others as provided herein, then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python 2.2.2.
4. PSF is making Python 2.2.2 available to Licensee on an "AS IS" basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 2.2.2 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.
5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON 2.2.2 FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON 2.2.2, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
6. This License Agreement will automatically terminate upon a material breach of its terms and conditions.
7. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between PSF and Licensee. This License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party.
8. By copying, installing or otherwise using Python 2.2.2, Licensee agrees to be bound by the terms and conditions of this License Agreement.
PLEASE NOTE: Some components of the WatchGuard Vclass software incorporate source code covered under the GNU Lesser General Public License (LGPL). To obtain the source code covered under the LGPL, please contact WatchGuard Technical Support at:
877.232.3531 in the United States and Canada
+1.360.482.1083 from all other countries
This source code is free to download. There is a $35 charge to ship the CD.
This product includes software covered by the LGPL.
GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999
Copyright (C) 1991, 1999 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.]
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.
This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.
When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.
To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.
For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.
We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.
To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.
Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.
Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.
When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.
We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.
For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.
In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.
Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.
The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.
GNU LESSER GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License").
Each licensee is addressed as "you".
A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.
The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.
1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) The modified work must itself be a software library.
b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.
In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.
Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.
This option is useful when you wish to copy part of the code of the Library into a program that is not a library.
4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.
If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.
5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.
However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.
When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.
If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)
Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.
6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.
You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:
a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.
c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.
For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.
7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.
b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.
8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.
10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.
11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.
14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
PLEASE NOTE: Some components of the WatchGuard Vclass software incorporate source code covered under the GNU General Public License (GPL). To obtain the source code covered under the GPL, please contact WatchGuard Technical Support at:
877.232.3531 in the United States and Canada
+1.360.482.1083 from all other countries
This source code is free to download. There is a $35 charge to ship the CD.
GNU GENERAL PUBLIC LICENSE Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.
WatchGuard Technologies, Inc. Firebox Vclass Software End-User License Agreement
IMPORTANT - READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE:
This Firebox Vclass Software End-User License Agreement (‘AGREEMENT’) is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. (‘WATCHGUARD’) for the WATCHGUARD Firebox Vclass software product, which includes computer software components (whether installed separately on a computer workstation or on the WATCHGUARD hardware product or included on the WATCHGUARD hardware product) and may include associated media, printed materials, and on-line or electronic documentation, and any updates or modifications thereto, including those received through the WatchGuard LiveSecurity Service (or its equivalent), (the ‘SOFTWARE PRODUCT’). WATCHGUARD is willing to license the SOFTWARE PRODUCT to you only on the condition that you accept all of the terms contained in this Agreement. Please read this Agreement carefully. By installing or using the SOFTWARE PRODUCT you agree to be bound by the terms of this Agreement. If you do not agree to the terms of this AGREEMENT, WATCHGUARD will not license the SOFTWARE PRODUCT to you, and you will not have any rights in the SOFTWARE PRODUCT. In that case, promptly return the SOFTWARE PRODUCT, along with proof of payment, to the authorized dealer from whom you obtained the SOFTWARE PRODUCT for a full refund of the price you paid.
1. Ownership and License. The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This is a license agreement and NOT an agreement for sale. All title and copyrights in and to the SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and applets incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the SOFTWARE PRODUCT are owned by WATCHGUARD or its licensors. Your rights to use the SOFTWARE PRODUCT are as specified in this AGREEMENT, and WATCHGUARD retains all rights not expressly granted to you in this AGREEMENT. Nothing in this AGREEMENT constitutes a waiver of our rights under U.S. copyright law or any other law or treaty.
2. Permitted Uses. You are granted the following rights to the SOFTWARE PRODUCT:
(A) You may install and use the SOFTWARE PRODUCT on any single WATCHGUARD hardware product at any single location and may install and use the SOFTWARE PRODUCT on multiple workstation computers. (B) To use the SOFTWARE PRODUCT on more than one WATCHGUARD hardware product at once, you must purchase an additional copy of the SOFTWARE PRODUCT for each additional WATCHGUARD hardware product on which you want to use it. To the extent that you install copies of the SOFTWARE PRODUCT on additional WATCHGUARD hardware products in accordance with the prior sentence without installing the additional copies of the SOFTWARE PRODUCT included with such WATCHGUARD hardware products, you agree that use of any software provided with or included on the additional WATCHGUARD hardware products that does not require installation will be subject to the terms and conditions of this AGREEMENT. You must also maintain a current subscription to the WatchGuard LiveSecurity Service (or its equivalent) for each additional WATCHGUARD hardware product on which you will use a copy of an updated or modified version of the SOFTWARE PRODUCT received through the WatchGuard LiveSecurity Service (or its equivalent). (C) In addition to the copies described in Section 2(A), you may make a single copy of the SOFTWARE PRODUCT for backup or archival purposes only.
3. Prohibited Uses. You may not, without express written permission from WATCHGUARD:
(A) Use, copy, modify, merge or transfer copies of the SOFTWARE PRODUCT or printed materials except as provided in this AGREEMENT; (B) Use any backup or archival copy of the SOFTWARE PRODUCT (or allow someone else to use such a copy) for any purpose other than to replace the original copy in the event it is destroyed or becomes defective; (C) Sublicense, lend, lease or rent the SOFTWARE PRODUCT; (D) Transfer this license to another party unless (i) the transfer is permanent, (ii) the third party recipient agrees to the terms of this AGREEMENT, and (iii) you do not retain any copies of the SOFTWARE PRODUCT; or (E) Reverse engineer, disassemble or decompile the SOFTWARE PRODUCT.
4. Limited Warranty. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WATCHGUARD or an authorized dealer:
(A) Media. The disks and documentation will be free from defects in materials and workmanship under normal use. If the disks or documentation fail to conform to this warranty, you may, as your sole and exclusive remedy, obtain a replacement free of charge if you return the defective disk or documentation to WATCHGUARD with a dated proof of purchase.
(B) SOFTWARE PRODUCT. The SOFTWARE PRODUCT will materially conform to the documentation that accompanies it. If the SOFTWARE PRODUCT fails to operate in accordance with this warranty, you may, as your sole and exclusive remedy, return all of the SOFTWARE PRODUCT and the documentation to the authorized dealer from whom you obtained it, along with a dated proof of purchase, specifying the problems, and they will provide you with a new version of the SOFTWARE PRODUCT or a full refund, at their election.
Disclaimer and Release. THE WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD, AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS 4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN SUBSTITUTION FOR, AND YOU HEREBY WAIVE, DISCLAIM AND RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD AND ITS LICENSORS AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD AND ITS LICENSORS, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, ANY WARRANTY OF NONINFRINGEMENT, ANY WARRANTY THAT THE SOFTWARE PRODUCT WILL MEET YOUR REQUIREMENTS, ANY WARRANTY OF UNINTERRUPTED OR ERROR-FREE OPERATION, ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY IN TORT, WHETHER OR NOT ARISING FROM THE NEGLIGENCE (WHETHER ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF WATCHGUARD AND ITS LICENSORS AND ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY FOR LOSS OR DAMAGE TO, OR CAUSED BY OR CONTRIBUTED TO BY, THE SOFTWARE PRODUCT).
Limitation of Liability. WATCHGUARD'S LIABILITY (WHETHER IN CONTRACT, TORT, OR OTHERWISE; AND NOTWITHSTANDING ANY FAULT, NEGLIGENCE, STRICT LIABILITY OR PRODUCT LIABILITY) WITH REGARD TO THE SOFTWARE PRODUCT WILL IN NO EVENT EXCEED THE PURCHASE PRICE PAID BY YOU FOR SUCH PRODUCT. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY. IN NO EVENT WILL WATCHGUARD BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT), FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF OR IN CONNECTION WITH THIS WARRANTY OR THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY.
5. United States Government Restricted Rights. The SOFTWARE PRODUCT is provided with Restricted Rights. Use, duplication or disclosure by the U.S. Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Inc., 505 5th Ave. South, Suite 500, Seattle, WA 98104.
6. Export Controls. You agree not to directly or indirectly transfer the SOFTWARE PRODUCT or documentation to any country to which such transfer would be prohibited by the U.S. Export Administration Act and the regulations issued thereunder.
7. Termination. This license and your right to use the SOFTWARE PRODUCT will automatically terminate if you fail to comply with any provisions of this AGREEMENT, destroy all copies of the SOFTWARE PRODUCT in your possession, or voluntarily return the SOFTWARE PRODUCT to WATCHGUARD. Upon termination you will destroy all copies of the SOFTWARE PRODUCT and documentation remaining in your control or possession.
8. Miscellaneous Provisions. This AGREEMENT will be governed by and construed in accordance with the substantive laws of Washington excluding the 1980 United Nations Convention on Contracts for the International Sale of Goods, as amended. This is the entire AGREEMENT between us relating to the SOFTWARE PRODUCT, and supersedes any prior purchase order, communications, advertising or representations concerning the SOFTWARE PRODUCT AND BY USING THE SOFTWARE PRODUCT YOU AGREE TO THESE TERMS. IF THE SOFTWARE PRODUCT IS BEING USED BY AN ENTITY, THE INDIVIDUAL INDICATING AGREEMENT TO THESE TERMS REPRESENTS AND WARRANTS THAT (A) SUCH INDIVIDUAL IS DULY AUTHORIZED TO ACCEPT THIS AGREEMENT ON BEHALF OF THE ENTITY AND TO BIND THE ENTITY TO THE TERMS OF THIS AGREEMENT; (B) THE ENTITY HAS THE FULL POWER, CORPORATE OR OTHERWISE, TO ENTER INTO THIS AGREEMENT AND PERFORM ITS OBLIGATIONS UNDER THIS AGREEMENT AND; (C) THIS AGREEMENT AND THE PERFORMANCE OF THE ENTITY’S OBLIGATIONS UNDER THIS AGREEMENT DO NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO WHICH THE ENTITY IS A PARTY. No change or modification of this AGREEMENT will be valid unless it is in writing and is signed by WATCHGUARD.
Part No: 0150-00
Contents
CHAPTER 1 Introduction ................................................1
Welcome to WatchGuard® ...............................................1
WatchGuard Firebox Vclass Components ...........................2
Minimum Requirements for the WatchGuard Vcontroller .....3
Software License Keys ......................................................5
WatchGuard Firebox Vclass Appliance Options ..................5
High Availability ............................................................6
Mobile User VPN ...........................................................6
About This Guide .............................................................6
CHAPTER 2 Service and Support ...................................9
Benefits of LiveSecurity® Service ......................................9
LiveSecurity® Broadcasts ................................................10
Activating the LiveSecurity® Service ...............................12
LiveSecurity® Self Help Tools ..........................................14
Interactive Support Forum ..............................................15
Product Documentation ..................................................16
Assisted Support ............................................................16
LiveSecurity® Program .................................................16
LiveSecurity® Gold Program ..........................................17
Firebox Vclass Installation Services ................................. 18
VPN Installation Services .............................................. 18
Training and Certification ............................................... 18
Using the Online Help ................................................... 19
CHAPTER 3 Getting Started ........................................ 21
Gathering Network Information ...................................... 22
Setting up the Management Station ............................... 23
Installing Vcontroller on a Windows workstation ................ 23
Installing Vcontroller on a Solaris workstation ................... 24
Installing Vcontroller on a Linux workstation ..................... 25
Cabling the Appliance ................................................... 27
Start a Firebox Vclass Security Appliance ......................... 27
If problems occur ........................................................ 28
Using Appliance Discovery ............................................. 29
If no appliance is discovered ......................................... 30
If an appliance is discovered ......................................... 31
Setting the IP address of Interface 0 or the System IP ......... 32
Running the Vcontroller Installation Wizard ...................... 34
Before You Begin ........................................................ 34
Starting the Installation Wizard ...................................... 35
Edit the General information ......................................... 36
Configure the Interfaces in Router Mode ......................... 39
Configure Interface 2 and 3 (DMZ) ................................. 44
Configure the Interfaces in Transparent Mode .................. 45
Configure Routing ...................................................... 47
Define the DNS servers ................................................ 48
Define a Default Firewall Policy ...................................... 50
Using Dynamic Network Address Translation (DNAT) ......... 54
Change the Password .................................................. 54
Deploying the Firebox Vclass into your Network .............. 57
CHAPTER 4 Firebox Vclass Basics ............................... 59
What is a Firebox Vclass Appliance? ............................... 59
Firebox Vclass Features .................................................. 60
Where the Information is Stored ..................................... 61
Launching the WatchGuard Vcontroller ............................62
The Vcontroller Main Page ..............................................64
Activities column buttons ..............................................64
Policy column buttons ..................................................65
Administration column buttons ......................................66
Page-top buttons ........................................................68
The status viewer ........................................................68
Logging out of Vcontroller ............................................69
Shutting Down and Rebooting ........................................70
Restarting the appliance ...............................................72
Upgrading and Downgrading the Software Version ..........72
The Upgrade History ....................................................75
Transferring from Vcontroller to WatchGuard Central Policy Manager (CPM) ................................76
CHAPTER 5 Router and Transparent Mode ................79
Router Mode .................................................................79
Transparent Mode ..........................................................81
Unsupported features in Transparent Mode ......................82
Setting a Vclass Appliance to Transparent Mode ..............82
Setting an Appliance to Transparent Mode using Device Discovery ...........................................................83
Setting an Appliance to Transparent Mode using the Installation Wizard ................................................87
CHAPTER 6 System Configuration ..............................89
General Configuration ....................................................90
Interface Configuration ...................................................93
Configuring Interface 0 .................................................96
Configuring Interface 1 .................................................99
Configuring Interface 2 or 3 .........................................104
Configuring the HA Interfaces ......................................106
Routing Configuration ..................................................107
Configuring static routing ...........................................107
Configuring dynamic routing .......................................109
DNS Configuration .......................................................112
SNMP Configuration .................................................... 114
Log Configuration ....................................................... 116
Certificate Configuration .............................................. 116
Importing a certificate or CRL file ................................. 123
LDAP Server Configuration ........................................... 125
NTP Server Configuration ............................................ 127
Advanced Configuration .............................................. 129
Hacker Prevention Configuration .................................. 132
CPM Management Configuration ................................. 136
License Configuration .................................................. 137
Add a single license .................................................. 137
Install licenses from a license package .......................... 140
VLAN Forwarding Option ............................................. 142
Blocked Sites Configuration ......................................... 145
High Availability Configuration ..................................... 148
CHAPTER 7 Using Account Manager ........................ 149
Configuring Accounts .................................................. 149
End-user accounts for authentication ............................ 152
Managing accounts ................................................... 154
External Access for Remote Management ..................... 155
Account Access Conflicts ............................................. 156
Resolving login conflicts ............................................. 156
CHAPTER 8 About Security Policies ......................... 159
About Security Policies ................................................ 159
Security policy components ........................................ 160
Types of policies ....................................................... 161
Using Policy Manager .................................................. 164
How policy order governs policy application .................. 173
Applying system-wide QoS port shaping ....................... 174
Using tunnel switching ............................................... 175
Using Policy Checker ................................................. 175
Default policies ........................................................ 178
Defining a Security Policy ............................................. 178
Defining source and destination .................................. 179
Defining an address group ..........................................180
Defining a service ......................................................182
Defining the incoming interface ...................................185
Using Tenants ..............................................................186
About VLANs and tenants ...........................................187
User domain tenant authentication ...............................188
Defining tenants ........................................................189
Using the Firewall Options ............................................192
Defining the firewall action ..........................................193
Using Quality of Service (QoS) ......................................194
Defining a QoS action ................................................196
Activating TOS marking ..............................................197
About NAT ..................................................................198
Static NAT ...............................................................198
Dynamic NAT ...........................................................199
About Load Balancing ..................................................200
Defining a NAT Action ..................................................200
Defining a Load-Balancing Action .................................203
Using Policy Schedules .................................................205
Defining a Schedule ...................................................205
Using the Advanced Settings ........................................207
CHAPTER 9 Security Policy Examples .......................211
Firewall Policy Examples ...............................................211
Example 1: Allowing Internet access .............................211
Example 2: Restricting Internet access ...........................212
Example 3: Allowing unlimited access for authorized users ...214
Example 4: Allowing communication between branch offices ....216
Example 5: Defining policies for an ISP ..........................218
Example 6: Controlling access at corporate headquarters ..219
VLAN Policy Examples ..................................................222
Using a Firebox Vclass appliance in a VLAN setting ..........224
Creating policies for user-domain tenants .......................224
An example of a user-domain policy in use .....................225
QoS Policy Examples ................................................... 226
Example 1: .............................................................. 226
Example 2: .............................................................. 226
Static NAT Policy Examples .......................................... 227
Example 1: Translating IP addresses into aliases .............. 227
Example 2: Preventing conflicts between IP addresses ..... 228
Load Balancing Policy Examples ................................... 231
Configuring Load Balancing for a Web Server ................ 231
Configuring Load Balancing for an E-commerce Site ........ 232
CHAPTER 10 Using Proxies ......................................... 237
In This Chapter ............................................................ 238
Proxy Description ........................................................ 238
HTTP Client Proxy ..................................................... 238
SMTP Proxy ............................................................. 239
Rules and Rulesets .................................................... 239
General Proxy Configuration ........................................ 241
Using a Proxy Action in the Policy Manager .................... 241
Creating a Proxy Action ............................................. 241
Editing an existing Proxy Action ................................... 243
Configuring proxy rules .............................................. 245
Ordering listed Rules in a Proxy Action .......................... 249
Proxy Parameters Reference ......................................... 251
HTTP Client Proxy ..................................................... 251
SMTP Incoming Proxy ................................................ 272
SMTP Outgoing Proxy ............................................... 286
Reference Sources ....................................................... 297
CHAPTER 11 Using Virtual Private Networks (VPN) 299
Tunneling Protocols ..................................................... 300
IPSec ...................................................................... 301
Authentication ............................................................. 301
Internet Key Exchange (IKE) ......................................... 302
NAT Traversal (UDP Encapsulation) ............................... 303
Firebox Vclass appliance VPN Solutions ........................ 304
Mobile User VPN ...................................................... 304
VPN to other IPSec compliant devices ...........................305
About VPN Policies ......................................................305
VPN policies and IPSec actions ....................................305
Using Authentication and Encryption .............................306
Defining an IKE Policy ..................................................307
Defining an IKE action ................................................310
Defining a VPN Security Policy ......................................314
Defining an IPSec action .............................................315
Using Tunnel Switching .................................................323
Enabling tunnel switching ...........................................326
CHAPTER 12 Creating a Remote User VPN Policy ....327
About Remote User VPN ..............................................328
Configuring the Remote Users Authentication Policy ......328
Using an internal authentication database ......................333
Using a RADIUS authentication database .......................335
Editing and deleting a user group profile .......................337
Removing the backup server ........................................338
Defining an IKE Policy and IKE Action ............................339
Defining an IKE action for RUVPN .................................339
Defining an IKE policy ................................................341
Defining an RUVPN Security Policy and an IPSec Action ..343
Defining an IPSec action for RUVPN ..............................343
Defining a security policy for RUVPN .............................345
Controlling a remote user’s access privileges ..................348
Monitoring Remote User Activity ...................................348
CHAPTER 13 Using Alarm Manager ............................351
Alarm Definitions .........................................................352
Defining a single-condition alarm .................................354
Defining a multiple-condition alarm ..............................356
Managing alarm definitions .........................................359
Responding to an Alarm Notification .............................360
CHAPTER 14 Monitoring the Firebox Vclass ..............363
Using the Real-Time Monitor .........................................363
Defining probes ........................................................365
Monitoring configured probes ..................................... 366
A Catalog of Real-time Monitor Probe Counters ............ 368
System Counters ...................................................... 368
Aggregate counters for all VPN end-point pairs ............. 374
IPSec counters per VPN end-point pair ......................... 374
Policy counters for all policies ...................................... 375
Policy counters per policy ........................................... 376
CHAPTER 15 Using Log Manager ............................... 379
Viewing the Logs ......................................................... 380
Filtering a current log ................................................ 382
Log Settings ................................................................ 383
Activating the remote logging feature ........................... 385
Log Archiving .............................................................. 387
CHAPTER 16 System Information ............................... 389
General Information ..................................................... 389
VPN Tunnel Information ............................................... 390
Viewing tunnel details ................................................ 392
Traffic Information ........................................................ 393
Route Information ........................................................ 394
RAS User Information ................................................... 395
Viewing RAS user information and tunnel details ............. 396
Interface 1 (Public) Information ..................................... 397
DHCP Server Information ............................................. 398
Runtime Blocked IP List ................................................ 399
CHAPTER 17 Backing Up and Restoring Configurations ...................................... 403
Create a Backup File .................................................... 404
Restoring an Archived Configuration ............................. 405
Restoring to Factory Default ......................................... 407
Resetting an Appliance Completely .............................. 408
What you need ......................................................... 408
Restoring the appliance ............................................ 408
Exporting and Importing Configuration Files ................. 410
Importing a configuration file using Appliance Discovery ...411
Editing an exported configuration file ............................412
CHAPTER 18 Using the Diagnostics/CLI Feature .......415
Using Connectivity to Test Network Connections ............415
Using the Support Features ..........................................417
Configuring debugging support ...................................418
Saving a Policy to a text file .........................................419
Executing a CLI Script ..................................................421
Saving Diagnostic Information ......................................422
CHAPTER 19 Setting Up a High Availability System .425
High Availability Modes ................................................425
Active/Standby .........................................................426
Active/Active ............................................................426
In this chapter ...........................................................426
How High Availability works .........................................427
Prerequisites for a High Availability System ....................427
Connecting the Appliances ...........................................428
Configuring a Standby Appliance ..................................428
Customizing HA System Parameters ..............................432
Checking your HA System Status ...................................435
Detailed system status ................................................435
Additional Preparation for Failover ................................436
Index .....................................................................437
CHAPTER 1 Introduction
Welcome to WatchGuard
The WatchGuard Firebox Vclass series of security appliances brings high speed network security to enterprise-class businesses, remote offices, service providers, and data centers.
In the past, a connected enterprise needed a complex set of tools, systems, and personnel for access control, authentication, virtual private networking, network management, and security analysis. These costly systems were difficult to integrate and not easy to update. The WatchGuard Firebox Vclass appliance combines firewall security, VPN support, and powerful traffic management with Fast Ethernet and Gigabit Ethernet connections. The Vclass security ASIC architecture delivers scalable support up to 20,000 tunnels in a single rack space device (V100) or 40,000 VPN tunnels in a large enterprise device (V200). An Install Wizard and Device Discovery utility shorten the installation time to minutes. Firebox Vclass security appliances include an intuitive, multi-platform Java®-based GUI management console for flexible and effective centralized management.
WatchGuard Firebox Vclass Components
All Firebox Vclass models are fully IPSec-compliant, with built-in core software and management tools designed to provide consistent network security. Every Firebox Vclass is a system made up of the following components:
Firebox Vclass appliance
The security appliance hardware.
WatchGuard Vcontroller
A comprehensive management and monitoring software suite.
LiveSecurity Service
A security-related broadcast service.
RapidCore™ hardware ensemble
A well-integrated chip set and memory system powers every Firebox Vclass appliance in its primary duties: protecting your network and efficiently managing legitimate data.
WatchGuard Firebox Vclass Operating System™ (OS)
Every Firebox Vclass security appliance is preinstalled with the latest version of the Firebox Vclass Operating System–which is identified on the packaging by a version number. This operating system includes all the software resources that make the appliance fully functional.
WatchGuard Firebox Vclass administrative client applications
The WatchGuard Vcontroller (or the companion WatchGuard CPM client software) gives you full control of all the customizable operating system parameters, including basic system configurations, security policies, maintenance, and activity logging.
Minimum Requirements for the WatchGuard Vcontroller
This section describes the minimum hardware and software requirements necessary to successfully install, run, and administer the WatchGuard Vcontroller.
NOTE
For the most current information on Vclass hardware and operating system requirements, see the Readme file on the Firebox Vcontroller CD. In addition, updates are frequently posted on the WatchGuard Web site.
Windows workstation
Operating System: Windows NT 4.0/2000/XP
CPU: Pentium II or later
Processor speed: 500 MHz or faster
Memory: 64 MB minimum (128 MB is recommended)
Input device: CD-ROM or DVD
Hard disk space: 10 MB minimum, plus additional space as required for log files and for backup and archive configuration files
Network interface: Network Interface Cards (NICs) or embedded network connections
Linux workstation
Operating system: Linux kernel v2.2.12 and glibc v2.1.2-11 or later. The officially supported Linux platform for JRE 1.4 is RedHat Linux 6.2. Because of localization issues involving Linux platforms, see the Sun Web site.
CPU: Pentium II or later
Processor speed: 500 MHz or faster
Memory: 64 MB minimum (128 MB is recommended)
Input device: CD-ROM or DVD
Hard disk space: 10 MB minimum
Network interface: NICs or embedded network connections
Sun/Solaris workstation
Operating system: Solaris v2.6 or later
Memory: 64 MB minimum (128 MB recommended)
Input device: CD-ROM or DVD
Hard disk space: 10 MB minimum
Network interface: NICs or embedded network connections
Software License Keys
Keep track of your license key certificates. Your WatchGuard Firebox Vclass comes with a LiveSecurity Service key that activates your subscription to the LiveSecurity Service. For more information on this service, see “Service and Support” on page 9.
Some features of the WatchGuard Firebox Vclass series of appliances must be licensed for use, and others can be expanded by licensing additional capacity. Licensing increases or extends the Firebox Vclass capability in three ways:
Adding new functionality through optional products
Increasing the capacity of a particular feature
Extending the duration of a limited-term feature or service
High Availability and WatchGuard Mobile User VPN are optional products, and you receive those license keys upon purchase. For more information on optional products, see “WatchGuard Firebox Vclass Appliance Options” on page 5. For more information on increasing the capacity or lengthening the duration of a feature, see the WatchGuard Web site.
For information on adding and managing software licenses, see “License Configuration” on page 137.
WatchGuard Firebox Vclass Appliance Options
The WatchGuard Firebox Vclass appliance is enhanced by several optional products. For more information on any of these options, see the WatchGuard Web site at www.watchguard.com.
High Availability
WatchGuard High Availability software lets you install a second, standby Firebox on your network. If your primary Firebox fails, the second Firebox automatically takes over to give your customers, business partners, and employees virtually uninterrupted access to your protected network.
Mobile User VPN
Mobile User VPN is the WatchGuard IPSec implementation of remote user virtual private networking. Mobile User VPN connects an employee on the road or working from home to the trusted and optional networks behind a Firebox Vclass using a standard Internet connection, without compromising security. VPN traffic is encrypted using DES or 3DES.
About This Guide
The purpose of this guide is to help users of the WatchGuard Firebox Vclass appliance set up and configure a basic network security system and maintain, administer, and enhance the configuration of their network security.
The audience for this guide represents a wide range of experience and expertise in network management and security. The end user of the WatchGuard Firebox Vclass is generally a network administrator for a large enterprise with multiple offices around the world.
The following conventions are used in this guide:
Within procedures, visual elements of the user interface, such as buttons, drop-down list items, dialog boxes, fields, and tabs, appear in boldface.
Drop-down list items separated by arrows (=>) are selected in sequence from subsequent drop-down lists. For example, File => Open => Configuration File means to select Open from the File drop-down list, and then Configuration File from the Open drop-down list.
URLs and email addresses appear in sans serif font; for example, wg-users@watchguard.com.
Code, messages, and file names appear in monospace font; for example:
.wgl and .idx files
In command syntax, variables appear in italics; for example: fbidsmate import_passphrase
Optional command parameters appear in square brackets.
CHAPTER 2 Service and Support
No Internet security solution is complete without systematic updates and security intelligence. From the latest hacker techniques to the most recently discovered operating system bug, the daily barrage of new threats poses a perpetual challenge to any network security solution. LiveSecurity® Service keeps your security system up-to-date by providing solutions directly to you.
In addition, the WatchGuard Technical Support team and Training department offer a wide variety of methods to answer your questions and assist you with improving the security of your network.
Benefits of LiveSecurity® Service
As the frequency of new attacks and security advisories continues to surge, the task of ensuring that your network is secure becomes an even greater challenge. The WatchGuard Rapid Response Team, a dedicated group of network security experts, helps absorb this burden by monitoring the Internet security landscape for you in order to identify new threats as they emerge.
Threat alerts and expert advice
After a new threat is identified, you’ll receive a LiveSecurity broadcast via an email message from our Rapid Response Team alerting you to the threat. Each alert includes a complete description of the nature and severity of the threat, the risks it poses, and what steps you should take to make sure your network remains continuously protected.
Easy software updates
Your WatchGuard LiveSecurity Service subscription saves you time by providing the latest software to keep your WatchGuard Firebox Vclass up-to-date. You receive installation wizards and release notes with each software update for easy installation. These ongoing updates ensure that your WatchGuard Firebox Vclass remains state-of-the-art, without your having to take time to track new releases.
Access to technical support and training
When you have questions about your WatchGuard Firebox Vclass, you can quickly find answers using our extensive online support resources, or by talking directly to one of our support representatives. In addition, you can access WatchGuard courseware online to learn about WatchGuard Vclass features.
LiveSecurity® Broadcasts
The WatchGuard LiveSecurity Rapid Response Team periodically sends broadcasts and software information directly to your desktop via email. Broadcasts are divided into channels to help you immediately recognize and process incoming information.
Information Alert
Information Alerts provide timely analysis of breaking news and current issues in Internet security combined with system configuration recommendations necessary to protect your network.
Threat Response
After a newly discovered threat is identified, the Rapid Response Team transmits an update specifically addressing this threat to make sure your network is protected.
Software Update
You receive functional software enhancements on an ongoing basis that cover your entire WatchGuard Firebox Vclass.
Editorial
Leading security experts join the WatchGuard Rapid Response Team in contributing useful editorials to provide a source of continuing education on this rapidly changing subject.
Foundations
Articles specifically written for novice security administrators, non-technical co-workers, and executives.
Loopback
A monthly index of LiveSecurity Service broadcasts.
Support Flash
These technical tutorials provide tips for managing the WatchGuard Firebox Vclass. Support Flashes supplement other resources such as FAQs and Known Issues on the Technical Support Web site.
Virus Alert
In cooperation with McAfee, WatchGuard issues weekly broadcasts that provide the latest information on new computer viruses.
New from WatchGuard
To keep you abreast of new features, product upgrades, and upcoming programs, WatchGuard first announces their availability to our existing customers.
Activating the LiveSecurity® Service
The LiveSecurity Service can be activated using the activation section of the WatchGuard LiveSecurity Web pages.
To activate the LiveSecurity Service:
1 Be sure that you have the Firebox Vclass serial number handy. You will need this during the activation process.
- The Firebox Vclass serial number is displayed in two locations: a small silver sticker on the outside of the shipping box, and a sticker on the back of the Firebox Vclass just below the UPC bar code.
2 Using your Web browser, go to:
http://www.watchguard.com/activate
NOTE
You must have JavaScript enabled on your browser to be able to activate LiveSecurity Service.
3 Complete the Account Profile page.
All of the fields are required for successful registration. The profile information helps WatchGuard target information and updates to your needs.
4 Click Register.
The Product Selection page appears.
5 Select your product and click Next.
The Activation page appears.
6 Verify that your email address is valid. You will receive your activation confirmation mail and all of your LiveSecurity broadcasts at this address.
7 Enter the serial number of your product.
8 Select the language you prefer.
9 Review the EULA and click Continue.
The Feature Key page appears.
10 The Feature Key page displays the unique feature key for your unit.
NOTE
To enable VPN 3DES encryption for your unit, you must copy this feature key information into Vcontroller software. For information on copying the feature key into Vcontroller software, see “Importing LiveSecurity Feature Key” on page 13.
11 Click Continue.
The Confirmation Web page appears.
Importing LiveSecurity Feature Key
To import a feature key from the LiveSecurity Service Web site to Vcontroller software:
1 Launch Vcontroller software.
2 Click System Configuration.
3 Click on the License tab.
4 Click Add.
The Import License window appears.
5 Copy the feature key information generated on the Feature Key page from the LiveSecurity Service Web site.
NOTE
If you closed the Feature Key page, you can regenerate your Feature Key by logging back into LiveSecurity Service on the WatchGuard Web site at:
https://www3.watchguard.com/archive/login.asp
Once logged into the LiveSecurity Service, you can regenerate your unit’s unique Feature Key by selecting Get Feature Key.
6 Click Paste in the Import License window.
7 Click Import License to add the license.
You completed importing the LiveSecurity feature key. Click Active Features to check what features are activated.
LiveSecurity® Self Help Tools
Online support services help you get the most out of your WatchGuard products.
NOTE
You must register for LiveSecurity Service before you can access the online support services.
Advanced FAQs (frequently asked questions)
Detailed information about configuration options and interoperability.
Known Issues
Confirmed issues and fixes for current software.
Interactive Support Forum
A moderated Web board about WatchGuard products.
Online Training
Information on product training, certification, and a broad spectrum of publications about network security and WatchGuard products. These courses are designed to guide users through all components of WatchGuard products. These courses are modular in design, allowing you to use them in a manner most suitable to your learning objectives. For more information, go to:
www.watchguard.com/training/courses_online.asp
Learn About
A listing of all resources available for specific products and features.
Product Documentation
A listing of current product documentation from which you can open PDF files.
To access the online support services:
1 From your Web browser, go to http://www.watchguard.com/ and select Support.
2 Log in to LiveSecurity Service.
Interactive Support Forum
The WatchGuard Interactive Support forum is an online group in which the users of the WatchGuard Firebox Vclass and Firebox System exchange ideas, questions, and tips regarding all aspects of the product, including configu­ration, compatibility, and networking. This forum is cate­gorized and searchable. The forum is moderated during regular business hours by WatchGuard engineers and Technical Support personnel. However, this forum should not be used for reporting support issues to WatchGuard Technical Support. Instead, contact WatchGuard Technical Support directly via the Web interface or telephone.
Joining the WatchGuard users forum
To join the WatchGuard users forum:
1 Go to www.watchguard.com. Click Support. Log into LiveSecurity Service.
2 Under Self-Help Tools, click Interactive Support Forum.
3 Click Create a user forum account.
4 Enter the required information in the form. Click Create.
The username and password should be of your own choosing. They should not be the same as that of your LiveSecurity Service.
5 When you are done, click anywhere outside the box to close it.
Product Documentation
WatchGuard products are fully documented on our Web site at:
http://help.watchguard.com/documentation/default.asp.
Assisted Support
WatchGuard offers a variety of technical support services for your WatchGuard products. Several support programs, described throughout this section, are available through WatchGuard Technical Support. For a summary of the current technical support services offered, please refer to the WatchGuard Web site at:
http://support.watchguard.com/aboutsupport.asp
NOTE
You must register for LiveSecurity Service before you can receive technical support.
LiveSecurity® Program
WatchGuard LiveSecurity Technical Support is included with every new Firebox Vclass. This support program is designed to assist you in maintaining your enterprise security system involving our Firebox Vclass, Firebox System, SOHO, ServerLock, AppLock, and VPN products.
Hours
WatchGuard LiveSecurity Technical Support business hours are 4:00 AM to 7:00 PM PST (GMT -7), Monday through Friday.
(Exception: SOHO Program is 24 hours a day, 7 days a week.)
Phone Contact
877.232.3531 in U.S. and Canada
+1.360.482.1083 all other countries
Web Contact
http://www.watchguard.com/support
Response Time
Four (4) business hours maximum target
Type of Service
Technical assistance for specific issues concerning the installation and ongoing maintenance of Firebox Vclass, Firebox System, SOHO, and ServerLock enterprise systems
Single Incident Priority Response Upgrade (SIPRU) and Single Incident After-hours Upgrade (SIAU) are available. For more information, please refer to WatchGuard Web site at:
http://support.watchguard.com/lssupport.asp
LiveSecurity® Gold Program
This premium program is designed to meet the aggressive support needs of companies that are heavily dependent upon the Internet for Web-based commerce or VPN tunnels.
WatchGuard Gold LiveSecurity Technical Support offers support coverage 24 hours a day, seven days a week. Our Priority Support Team is available continuously from 7 PM Sunday to 7 PM Friday Pacific Time (GMT -7), and can help you with any technical issues you might have during these hours.
We target a one-hour maximum response time for all new incoming cases. If a technician is not immediately available to help you, a support administrator will log your call in our case response system and issue a support incident number.
Firebox Vclass Installation Services
WatchGuard Remote Firebox Vclass Installation Services are designed to provide you with comprehensive assistance for basic Firebox Vclass installation. You can schedule a dedicated two-hour time slot with a WatchGuard technician to help you review your network and security policy, install the LiveSecurity software and Firebox Vclass hardware, and build a configuration in accordance with your company security policy. VPN setup is not included as part of this service.
VPN Installation Services
WatchGuard Remote VPN Installation Services are designed to provide you with comprehensive assistance for basic VPN installation. You can schedule a dedicated two-hour time slot with one of our WatchGuard technicians to review your VPN policy, help you configure your VPN tunnels, and test your VPN configuration. This service assumes you have already properly installed and configured your Firebox Vclass appliances.
Training and Certification
WatchGuard offers training, certification, and a broad spectrum of publications to customers and partners who want to learn more about network security and WatchGuard products. No matter where you are located or which products you own, we have a training solution for you.
WatchGuard classroom training is available worldwide through an extensive network of WatchGuard Certified Training Partners (WCTPs). WCTPs strengthen our relationships with our partners and customers by providing top-notch instructor-led training in a local setting.
WatchGuard offers product and sales certification, focusing on acknowledging the skills necessary to configure, deploy and manage enterprise security solutions.
Using the Online Help
Online help is available from almost all WatchGuard Vcontroller windows. Because the online help uses Web browsers for display, you should be aware of a problem in opening help in Netscape browsers. If you use a Netscape browser on a workstation running any Microsoft Windows operating system, version 4.7.3 or later is required for online help to work properly.
CHAPTER 3 Getting Started
The Firebox Vclass appliance acts as a barrier between your networks and the public Internet, protecting them from security threats. This chapter explains how to install the Firebox Vclass appliance into your network. You must complete the following steps in the installation process:
“Gathering Network Information” on page 22
“Setting up the Management Station” on page 23
“Cabling the Appliance” on page 27
“Start a Firebox Vclass Security Appliance” on page 27
“Using Appliance Discovery” on page 29
“Running the Vcontroller Installation Wizard” on page 34
“Deploying the Firebox Vclass into your Network” on page 57
For a quick summary of this information, see the WatchGuard Firebox Vclass QuickStart Guide included with your Firebox Vclass appliance.
This chapter is intended for new WatchGuard Firebox Vclass installations only. If you have a previously installed appliance with a prior software version, connect to it with Vcontroller, and then follow the upgrade instructions as described in “Upgrading and Downgrading the Software Version” on page 72.
If you already have one or more operational Firebox Vclass appliances in your network with the current software version, you can shortcut the installation and configuration process on a new factory-default appliance. For more information, see “Exporting and Importing Configuration Files” on page 410.
Before installing the Firebox Vclass appliance, verify the package contents. Consult the Firebox Vclass Hardware Guide to make sure you have received all of the proper contents.
Gathering Network Information
One good way to set up your network is to write down two sets of basic network information: the first set of information describes your current network, before deploying the Firebox Vclass appliance, and the second set represents your network after the Firebox Vclass appliance is deployed.
NOTE
Gathering network information is important for appliances deployed in Router Mode. Appliances deployed in Transparent Mode can integrate more easily into many areas of your existing network. For more information on these deployment modes, see “Router and Transparent Mode” on page 79.
Setting up the Management Station
The Management Station runs Vcontroller software, which is the primary administrative access to the appliance. The Management Station can also be used to archive log messages generated by the Log Manager. For more information on the Log Manager, see “Using Log Manager” on page 379.
You can use any computer or computers on your network as Management Stations.
Installing Vcontroller on a Windows workstation
Before you install Vcontroller software, make sure you gather all of the network addressing information that represents your new Firebox Vclass security appliance. Use the notes you completed in the previous section, “Gathering Network Information” on page 22.
NOTE
The installer installs a local copy of the correct version of the Java Runtime Environment, to enable the software to run. This installation of the JRE is independent of any other JRE or JDK you install on your system. For additional updates, check the WatchGuard Web site.
To install Vcontroller:
1 Remove the Vcontroller CD from the package and insert it in the workstation CD-ROM.
2 Locate and double-click the CD-ROM drive icon (usually found in the My Computer window). If AutoRun is enabled on the CD drive, the Installer launches automatically.
3 When the CD window contents appear, double-click the Windows folder.
4 When that window’s contents appear, double-click the setup.exe icon to start the installation of the Vcontroller software.
5 If the installer detects an older version of the software, it will prompt you to remove the older version. Remove all installed components, and when the installer has finished removing the components, run setup.exe again.
6 When the process is finished, a window appears, prompting you to start Vcontroller.
Installing Vcontroller on a Solaris workstation
Before you install Vcontroller software, make sure you gather all of the network addressing information that will represent your new Firebox Vclass security appliance. Use the notes you completed in the previous section, “Gathering Network Information” on page 22.
NOTE
Be sure to review the release notes that were included in this package for information about Solaris-Java issues, including the Solaris and JRE versions. For additional updates, check the WatchGuard Web site.
To install Vcontroller:
1 Insert the WatchGuard CD into the CD-ROM (in Solaris, the CD should automatically mount at /cdrom).
2 Start the installer application by entering the following commands:
cd /cdrom/watchguard
./setup.sh
3 The installer asks whether you have already installed the latest versions of the Java Run-time Environment (JRE) and Java Software Development Kit (JDK). If you have, type Y and then type the pathways of the JRE and JDK directories.
NOTE
If you have an older version of the JDK, the installer asks whether you prefer to use it instead of a more recent version. WatchGuard recommends that you install the most recent version.
4 If you have not installed JRE or JDK, type N. The installer quits, but provides information on where to obtain the most current versions of JRE and JDK software from the Sun Web site.
5 When the JRE and JDK software have been installed and any required Solaris updates are completed, execute the installer application again by entering the following commands:
cd /cdrom/watchguard
./setup.sh
6 When asked by the installation script for the directory location of the JRE and JDK software, enter the appropriate pathway.
7 Vcontroller installation is complete. To launch Vcontroller, execute the following command:
Vcontroller
Be certain the directory containing Vcontroller software is listed in the PATH environment variable.
Installing Vcontroller on a Linux workstation
Before proceeding, make sure you have all of the network addressing information that represents your new Firebox Vclass security appliance. Use the worksheet you filled out in the previous section, “Gathering Network Information” on page 22.
NOTE
Be sure to review the release notes that were included in this package for information about Linux-Java issues, including the Linux and JRE versions. For additional updates, check the WatchGuard Web site.
To install Vcontroller:
1 Insert the WatchGuard CD into the CD-ROM.
2 Start the installer application by entering the following commands:
mount /dev/cdrom -t iso9660 /mnt/cdrom
cd /mnt/cdrom
./setup.sh
3 The installer asks whether you have already installed the latest versions of the Java Run-time Environment (JRE) and JDK. If you have, type Y and then type the pathways of the JRE and JDK directories.
NOTE
If you have an older version of JDK, the installer asks whether you prefer to use it instead of a more recent version. WatchGuard recommends that you install the most recent version.
4 If you have not installed JRE or JDK, type N. The installer quits, but provides information on where to obtain the most current versions of JRE and JDK software from the Sun Web site.
5 When the JRE and JDK software has been installed and any required Linux updates are completed, start the installer application again by entering the following commands:
cd /cdrom/watchguard
./setup.sh
6 When asked by the installation script for the directory location of the JRE and JDK, enter the appropriate pathway.
7 Vcontroller installation is complete. To launch Vcontroller, enter the following command:
Vcontroller
Be certain the directory containing Vcontroller software is listed in the PATH environment variable.
Some versions of the JRE and JDK for Linux may display fonts incorrectly. In addition, you may encounter a “font not found” error.
Cabling the Appliance
The next procedure in the installation process is cabling the appliance to the Management Station. Refer to the Firebox Vclass Hardware Guide to make sure you have received all of the necessary cables.
1 Remove the Firebox Vclass appliance from its packaging.
2 Place the appliance on any stable flat surface near the Management Station.
3 Connect the appliance through interface 0 (Private) to the Management Station using the red crossover Ethernet cable (or corresponding optical cable depending upon the Firebox model).
4 Connect the appliance to a nearby power source using the power cord. If connecting the appliance to a UPS device, be sure to use the WatchGuard-supplied cable to connect the two devices through their respective RS-232 ports.
Start a Firebox Vclass Security Appliance
After you have placed the appliance on a surface near the Management Station and have made the network connections, you can power up the Firebox Vclass appliance.
All models except the V10
After you have plugged in the appliance, start the appliance using the switch on the back. The Ready LED will blink while the appliance initializes. When the appliance is ready, the light will stop blinking and remain lit. This may take two or three minutes.
Firebox V10
Connect the appliance end of the power cable to the jack on the V10 before you connect the plug end of the power cable to the AC outlet.
When your appliance has been started and initialized, the following lights on the front of the device should be lit:
• The Power LED
• The Ready LED
• One of the Private, Public, and DMZ interface speed indicator lights, if those connections have been made.
If problems occur
If the expected lights are not lit, check the following:
If the Power LED is not lit, disconnect and reconnect the power cord. For the V10, disconnect the power cord from the outlet, not from the appliance.
If the Ready LED is still blinking after more than five minutes, use the power switch on the back of the appliance to turn off the power, and then restart the appliance and reinitiate the startup process.
Make sure all data cables and the power cord are fully seated in their sockets.
Using Appliance Discovery
After the WatchGuard Vcontroller is installed on the Management Station, you can use Vcontroller to discover any new factory default appliance on the network.
This appliance must be connected to the same LAN segment or subnet as the Management Station through interface 0 (Private).
1 Launch Vcontroller.
The Vcontroller Login dialog box appears.
2 Click the binoculars icon to the right of the Server/IP Name drop-down list.
The WatchGuard Security Appliance Discovery dialog box appears.
3 Click Find to start the process.
If the Management Station has more than one NIC, you must select the IP address of the appropriate card from the drop-down list before proceeding.
A status dialog box appears and remains displayed until the discovery process is complete.
If no appliance is discovered
If no appliances are discovered, a Devices Not Found dialog box appears.
Check the Firebox Vclass appliance for the following:
- Verify that the appliance has been properly connected to the network.
- Verify that all cable connections are secure.
- Make sure that the appliance is turned on. The Ready LED should be lit.
Click Find Again to attempt another discovery.
If an appliance is discovered
When an appliance is discovered, the Devices Found dialog box appears, displaying all discovered appliances with their models and serial numbers.
This window provides the following features:
A large list area that displays all of the appliances discovered in the local subnet. In this case, only your new Firebox Vclass appliance will be listed. You can set interface 0 (Private) IP addresses or import profiles into more than one appliance at the same time.
A collection of options that enable you to set the identity of a selected appliance’s Private interface or import an existing appliance profile into a selected device.
You set the IP address of the Interface 0 as described in the following section. This is the task you perform with a new appliance.
If you have already installed and configured at least one Firebox Vclass appliance, you can import its configuration information into a new factory default appliance using an XML profile. For more information, see “Exporting and Importing Configuration Files” on page 410.
Setting the IP address of Interface 0 or the System IP
If you are deploying the Vclass appliance in Router Mode, you must now define a temporary IP address to interface 0 (Private) for use in the initial configuration. If you are deploying the device in Transparent Mode, you must set the System IP. After this is complete, you can log in with Vcontroller and perform further configuration.
1 From the Devices Found field, select the appliance you want to configure.
2 Click the Set Interface IP button.
3 Click Router Mode or Transparent Mode to set the System Mode.
4 For Router Mode, in the Interface 0 IP field, type an unused IP address from the same subnet as the Management Station. This IP address will apply only to Interface 0 (Private).
In the Interface 0 Mask field, type the subnet mask for this IP address.
5 For Transparent Mode, in the System IP field, type an unused IP address from the same subnet as the Management Station. This IP address will apply to all interfaces on the appliance.
In the System Mask field, type the subnet mask for this IP address.
6 Click Update.
If more than one appliance is listed in this window, you can set an IP address for each appliance at this time, prior to clicking Apply All.
7 If there are no more appliances to be set, click Apply All.
A confirmation window appears.
8 Click Yes.
The Result window appears.
9 Wait for the Result window to display “ALL DONE” and then click Close to return to the Set Interface window.
You can now use Vcontroller to edit the interface for this appliance and continue the installation process.
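A pre-check for the values typed into the Interface 0 IP/Mask (Router Mode) or System IP/Mask (Transparent Mode) fields in the procedure above. This is an added example, not WatchGuard code; every address in it is constructed. It confirms the address is an unused host address on the Management Station's own subnet (which discovery through interface 0 requires) and, for Router Mode, flags interface subnets that overlap the Private one.

```python
"""Sanity-check the addresses planned for a new Firebox Vclass appliance.

Added example (not WatchGuard code). The checks follow the manual's rules:
the Interface 0 / System IP must be an unused address on the same subnet
as the Management Station, and in Router Mode each interface needs its own
subnet. Sample addresses are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple


def check_candidate_address(mgmt_ip: str, mgmt_mask: str,
                            candidate_ip: str, candidate_mask: str) -> List[str]:
    """Validate what you plan to type for Interface 0 (Router Mode) or as the
    System IP (Transparent Mode) against the Management Station's NIC.
    Masks may be dotted (255.255.255.0) or prefix lengths (24).
    Returns a list of problems; an empty list means the values pass."""
    problems: List[str] = []
    mgmt = ipaddress.ip_interface(f"{mgmt_ip}/{mgmt_mask}")
    cand = ipaddress.ip_interface(f"{candidate_ip}/{candidate_mask}")

    # Discovery only reaches an appliance on the Management Station's LAN
    # segment, so the address itself must fall inside that subnet.
    if cand.ip not in mgmt.network:
        problems.append(
            f"{cand.ip} is not in the Management Station subnet {mgmt.network}")
    # A mismatched mask puts the appliance on a different subnet even when
    # the address is inside the station's range.
    if cand.network != mgmt.network:
        problems.append(
            f"mask {candidate_mask} yields {cand.network}, but the Management "
            f"Station is on {mgmt.network}")
    # "Unused" means: not the station's own address, and not the network or
    # broadcast address of the subnet.
    if cand.ip == mgmt.ip:
        problems.append(f"{cand.ip} is the Management Station's own address")
    if cand.ip in (cand.network.network_address, cand.network.broadcast_address):
        problems.append(
            f"{cand.ip} is the network or broadcast address of {cand.network}")
    return problems


def check_router_mode_plan(interfaces: Dict[str, Tuple[str, str]]) -> List[str]:
    """Router Mode assigns each used interface (Private, Public, DMZ, ...)
    its own address and mask. Given interface name -> (ip, mask), report any
    pair of interfaces whose subnets overlap, which the wizard would accept
    field by field but which leaves routing between them ambiguous."""
    nets = {name: ipaddress.ip_interface(f"{ip}/{mask}").network
            for name, (ip, mask) in interfaces.items()}
    names = list(nets)
    problems: List[str] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} subnet {nets[a]} overlaps {b} subnet {nets[b]}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not addresses taken from the manual.
    MGMT_IP, MGMT_MASK = "192.168.10.5", "255.255.255.0"
    print(check_candidate_address(MGMT_IP, MGMT_MASK, "192.168.10.20", "255.255.255.0"))
    print(check_candidate_address(MGMT_IP, MGMT_MASK, "192.168.11.20", "255.255.255.0"))
    print(check_router_mode_plan({
        "Private": ("192.168.10.1", "255.255.255.0"),
        "Public": ("203.0.113.2", "255.255.255.248"),
        "DMZ": ("192.168.10.129", "255.255.255.128"),
    }))
```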
Running the Vcontroller Installation Wizard
This section guides you through the Installation Wizard, a component of the Vcontroller application. The Installation Wizard provides the basic configuration for a new appliance and prepares the Vcontroller software for use with this and other Firebox Vclass appliances.
Before You Begin
To complete the initial installation of a new Firebox Vclass appliance, you need the following network address information:
Unused IP addresses and network masks to assign to all interfaces of this appliance that you will use (Router Mode), or a single unused IP address and network mask that will govern all interfaces on the appliance (Transparent Mode)
A domain name for this appliance
Any basic network routing information (static and dynamic)
The IP addresses of all DNS servers that will be used by this appliance
The IP addresses of any SNMP management stations
The VPN client user name and password (for Firebox V10 setup)
If you need to make any changes to the configuration at a later date, you can do so with the System Configuration window, as described in “System Configuration” on page 89.
Starting the Installation Wizard
1 Start the Firebox Vclass appliance (see “Start a Firebox Vclass Security Appliance” on page 27).
2 Launch Vcontroller and click Login.
The Login dialog box appears.
3 Type the IP address or host name of the Firebox Vclass in the Server IP/Name field or select it from the drop-down list.
4 Type your administrator login name and password in the appropriate fields. The default name and password for the Firebox Vclass appliance is admin.
NOTE
All data traffic between the Management Station and the Firebox Vclass appliance, including all configuration exchanges, is protected by SSL, using 128-bit RC4 and SHA1.
5 Click OK.
The Installation Wizard Welcome page appears.
6 Read the qualifications and instructions.
Edit the General information
1 Click Next to proceed.
The General Information window appears.
2 In the System Name field, type either the assigned DNS name for the appliance or another arbitrary name.
3 In the System Location field, type a description of where your appliance will be used. This can be a building, floor number, office name, or other simple description.
4 In the System Contact field, enter the name and phone number or email address of the principal administrator or department responsible for management of the appliance.
Changing the System Time, Date and Time Zone
Click Change to open the Date, Time, and Time Zone window. Make any necessary adjustments, and click OK.
Configure the Interfaces in Router Mode
This procedure describes how to configure an interface using the Installation Wizard for an appliance running in Router Mode.
Configure Interface 0 (Private)
1 Click Next.
The Interface Information window appears. The appliance is in Router Mode by default.
2 Double-click on Interface 0 to edit it. The Edit Interface window appears.
3 Enter the IP address and network mask for the interface in the appropriate fields. If you wish to change the size of the Maximum Transmission Unit (MTU), type a number in the MTU field. This number represents the maximum size (in bytes) of a packet.
4 If you want to enable the appliance as a DHCP server, click Enable DHCP Server.
5 Enter the maximum number of potential clients that will be assigned IP addresses in the Number of Clients field.
6 Select either Days or Hours from the Leasing Time drop-down list, and type the number of hours or days that an IP address will be loaned to a DHCP client.
7 You can use a separate DHCP Server with the Vclass appliance using DHCP relay. This option makes the Vclass act as a DHCP agent, requesting DHCP leases from a separate DHCP server. Click DHCP Relay to use this option.
A Remote DHCP Server IP field appears.
8 In the Remote DHCP Server IP field, type the appropriate IP address.
Configure Interface 1 (Public)
1 To configure Interface 1 (Public) for Static, DHCP, or PPPoE addressing, choose the appropriate interface option and provide the relevant entries as follows:
Static IP
Enter the IP address and network mask in the appropriate fields.
DHCP
Enter the IP address or DNS host name of the DHCP server assigned by your ISP in the Host ID field. (This entry is optional.)
PPPoE
Enter the user name and password assigned to you by your ISP in the appropriate fields.
2 Click Backup Connection to configure WAN Interface Failover, if desired. This allows you to specify a backup ISP to provide internet service to interface 1, in the event of a primary ISP failure.
The Edit Backup Connection screen appears.
3 Select the Enable Wan Interface Failover checkbox to enable failover to another ISP. Configure the interface as previously described, by clicking Static, DHCP, or PPPoE and entering the required values.
For the Backup WAN connection, PPPoE is only available in an Always On state. Dial-on-Demand is not available.
4 Establish Connection Failure Detection criteria.
This section of the screen allows you to enter 3 different IP addresses that the appliance should be able to ping, to determine whether the network is up or down, and timing values to determine when the ISP has failed.
5 Type up to three IP addresses for public, well-known and robust internet sites that allow ping. Examples include Yahoo, Google, and eBay. Do a DNS lookup for IP addresses for these sites, and remember that they change frequently, so you might want to check that these addresses are valid periodically.
6 Type the Polling Interval in seconds to determine failover. This determines the amount of time between ping sessions to test the servers listed in the previous step. The default is 30 seconds.
7 Type the Polling Timeout in seconds to determine failover. The default is 5 seconds. If none of the listed servers respond to a ping request within this interval, the connection is considered failed, and a failover occurs.
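The Connection Failure Detection rule in steps 4 through 7 can be modelled as a small state machine. The following is an added example, not WatchGuard code: it probes up to three targets per polling cycle and fails over only when none of them answer within the polling timeout. The target addresses and probe results are constructed placeholders so the example runs offline.

```python
"""Added example (not WatchGuard code): a model of the Connection Failure
Detection logic described for the Backup WAN connection.

Up to three ping targets are probed once per polling interval. A target
counts as reachable when it answers within the polling timeout. The primary
link is declared failed, and traffic fails over to the backup ISP, only when
none of the targets answer in time. The guide does not describe failback,
so none is modelled here.

Probing is simulated with a caller-supplied function so the example runs
offline; a real deployment would send ICMP echo requests.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Defaults quoted in the guide, in seconds.
DEFAULT_POLL_INTERVAL = 30
DEFAULT_POLL_TIMEOUT = 5

# Constructed placeholder targets (documentation range, not real sites).
SAMPLE_TARGETS = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]

# A probe returns the round-trip time in seconds, or None when no reply came.
ProbeFn = Callable[[str], Optional[float]]


def link_is_up(targets: List[str], probe: ProbeFn,
               timeout: float = DEFAULT_POLL_TIMEOUT) -> bool:
    """True when at least one target replies within the polling timeout."""
    if not 1 <= len(targets) <= 3:
        raise ValueError("the wizard accepts between one and three ping targets")
    for target in targets:
        rtt = probe(target)
        if rtt is not None and rtt <= timeout:
            return True          # one reachable site is enough to keep the link
    return False


@dataclass
class WanFailover:
    """Tracks which ISP link is in use across polling cycles."""
    targets: List[str]
    probe: ProbeFn
    poll_interval: float = DEFAULT_POLL_INTERVAL
    poll_timeout: float = DEFAULT_POLL_TIMEOUT
    active: str = "primary"
    history: List[str] = field(default_factory=list)

    def poll(self) -> str:
        """One polling cycle; returns the link now carrying traffic."""
        if self.active == "primary" and not link_is_up(
                self.targets, self.probe, self.poll_timeout):
            self.active = "backup"          # failover occurs
        self.history.append(self.active)
        return self.active


def run_simulation(cycles: List[Dict[str, Optional[float]]],
                   targets: List[str] = SAMPLE_TARGETS,
                   timeout: float = DEFAULT_POLL_TIMEOUT) -> List[str]:
    """Replay constructed probe results, one dict per polling cycle,
    and return the active link after each cycle."""
    state = {"cycle": 0}

    def probe(target: str) -> Optional[float]:
        return cycles[state["cycle"]].get(target)

    wan = WanFailover(targets=targets, probe=probe, poll_timeout=timeout)
    for i in range(len(cycles)):
        state["cycle"] = i
        wan.poll()
    return wan.history


# Constructed scenario: healthy, then one slow reply, then total loss.
SAMPLE_CYCLES = [
    {"192.0.2.10": 0.02, "192.0.2.20": 0.03, "192.0.2.30": 0.05},
    {"192.0.2.10": None, "192.0.2.20": 4.0, "192.0.2.30": None},
    {"192.0.2.10": None, "192.0.2.20": 6.0, "192.0.2.30": None},
]

if __name__ == "__main__":
    print(run_simulation(SAMPLE_CYCLES))   # ['primary', 'primary', 'backup']
```

The second cycle stays on the primary link because one reply (4.0 s) is inside the 5-second timeout; the third cycle fails over because the only reply (6.0 s) is too slow to count.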
Configure Interface 2 and 3 (DMZ)
1 To configure Interface 2 and 3 (if applicable), enter the IP address and network mask in the appropriate fields.
2 When you have finished with the Interface window entries, click Next.
The Interface Change dialog box appears providing two options, Save Only and Apply.
3 Click Save Only. Click OK to proceed.
WatchGuard recommends selecting Save Only in order to continue with the Installation Wizard.
If you select Apply, and then click OK, the Wizard prompts you to stop the installation process and restart the Firebox Vclass appliance to apply the changes. You will need to login again, using the new IP address information, to continue configuring the appliance. For information on configuring the appliance without using the Installation Wizard, see “System Configuration” on page 89.
Configure the Interfaces in Transparent Mode
In Transparent Mode, the Firebox Vclass is given a single System IP and System Subnet Mask. These addresses are used for all interfaces on the system. For more information on Transparent Mode, see “Router and Transparent Mode” on page 79.
To configure interfaces in Transparent Mode:
1 Click Next from the General window of the installation wizard, or click the Interfaces tab.
2 Click Transparent Mode.
The appliance must be in factory default configuration to switch to Transparent Mode. If the device has already been configured, you must restore it to factory default before taking this step. See “Restoring to Factory Default” on page 407.
3 In the System IP field, type the IP address that will be used for all interfaces on the appliance.
4 In the System Mask field, type the Subnet Mask address that will be used for all interfaces on the appliance.
You can change the link speed and MTU (Maximum Transmission unit size) for each physical interface, or leave the defaults (Auto Negotiate/1500 bytes).
5 To change the link speed and MTU values for an interface, double-click the interface entry in the table under System IP.
Configure Routing
1 From the Interface Information window, click Next.
The Routing screen appears.
NOTE
All entries made to configure routing are optional for completing the Installation Wizard and are dependent upon your network environment.
2 In the Specify Default Route field, type the IP address of the default gateway.
3 If you want to enter any additional network routes for this appliance, click Add.
The Add Route dialog box appears.
4 Type the destination IP address, network mask, and gateway of the route in the appropriate fields.
5 Select the interface (0, 1, 2, or 3) through which traffic will be exchanged, from the Interface/Port drop-down list.
6 Type the Metric number in the appropriate field.
7 Click OK.
8 Repeat this process as needed.
Define the DNS servers
1 When you have finished adding routes, click Next to proceed to the next step of the Installation Wizard. If you added any new routes, a confirmation window appears; click OK.
The Setup DNS Servers window appears.
NOTE
All entries made to configure DNS servers are optional for completing the Installation Wizard, and will differ based on your network configuration.
1 Type the domain name of the Firebox Vclass appliance in the Domain Name field.
2 To add a DNS server, click Insert.
The DNS Server window appears.
3 Type the DNS server IP address in the appropriate field and then click Add.
Repeat this process if needed to add more DNS servers.
Define a Default Firewall Policy
1 When you have finished listing the DNS servers, click Next to proceed.
The Default Firewall Policy window appears.
NOTE
All entries made to configure the default firewall policy are optional for completing the Installation Wizard and are dependent upon your network environment.
2 Determine your default firewall policy or select the No Change option.
3 If you decide to activate the default firewall policy, select the Select the predefined Firewall Policies checkbox and then determine which of the following predefined policies you want to enable.
Allow ping to the device
Allows ping traffic to the private interface of this appliance from other workstations within the network.
Allow all Out-bound traffic from the Private Port
Allows all internal network users to have unlimited access to all external network connections.
Deny all In-bound traffic from the Public Port
Blocks all incoming traffic from external networks to Interface 1 (Public). If you want to permit particular types of traffic to gain access to part or all of your network, activate the relevant policy. You can later customize your firewall policies to provide further protections. For more information on configuring firewall policies, see “About Security Policies” on page 159.
NOTE
If you do not activate any predefined policy, you must configure a customized security policy. Otherwise, the Firebox Vclass appliance will not permit any traffic to pass through in any direction.
4 To enable a variety of measures to counteract hackers, click the Hacker Prevention button at the bottom of the screen.
The Hacker Prevention dialog box appears.
Denial of service options
These options safeguard your servers from Denial of Service (DoS) attacks. Denial of Service attacks flood your network with requests for information, clogging your servers and possibly shutting down your sites.
ICMP Flood Attack
Protects against a sustained flood of ICMP pings. Select this checkbox, then type the threshold number in the text field.
SYN Flood Attack
Protects against a sustained flood of TCP SYN requests without the corresponding ACK response. Select this checkbox, then type the threshold number in the text field.
UDP Flood Attack
Protects against a sustained flood of UDP packets. Select this checkbox, then type the threshold number in the text field.
Ping of Death
Protects against user-defined large data-packet pings.
IP Source Route
Protects against a flood of false client IP addresses, designed to bypass firewall security.
Distributed denial of service options
As a subset of Denial of Service attacks, Distributed DoS (DDoS) attacks occur when hackers coordinate a number of compromised computers for malicious purposes and program them to simultaneously assault a network with information requests. If this type of attack is allowed to pass through, your servers can be overwhelmed, causing them to crash.
Per Server Quota
Safeguards your servers against attacks from any client to any single server. Select this checkbox, then type the threshold number in the text field. The number here represents the maximum request capacity per second of the server. If more than the specified number of connection requests are received, the Firebox Vclass appliance drops the excess requests.
Per Client Quota
Restricts the number of connection requests from a single client in one second. Select this checkbox, then type the threshold number in the appropriate text field. This number represents the maximum number of requests per second from a single client. If more than the specified number of connection requests are received, the Firebox Vclass appliance drops the excess requests.
For a brief overview of the distributed denial-of-service options, click How does this work? An online Help window displays more information about these options.
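The Per Server Quota and Per Client Quota checks above are both per-second request counters. The following added example (not WatchGuard code) models them over a constructed stream of connection requests, so you can see which requests the two quotas would drop and why; the IP addresses are placeholders, and the assumption that a client-dropped request does not consume server capacity is this model's, not the guide's.

```python
"""Added example (not WatchGuard code): a model of the Per Server Quota and
Per Client Quota checks described above, run over constructed connection
requests.

Both quotas are expressed as connection requests per second. Requests are
bucketed by the whole second in which they arrive. A request is dropped when
its client has already used its per-second quota; a request that passes the
client check is then counted against the destination server's capacity and
dropped when that is exceeded. (Whether the appliance counts client-dropped
requests against the server is not stated in the guide; this model does not.)
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConnRequest:
    time: float        # arrival time in seconds
    client: str        # source IP address
    server: str        # destination IP address


class QuotaEnforcer:
    """Enforces per-client and per-server connection-request quotas."""

    def __init__(self, per_server: Optional[int] = None,
                 per_client: Optional[int] = None) -> None:
        # None means the corresponding checkbox is left unselected.
        self.per_server = per_server
        self.per_client = per_client
        # (second, key) -> count of requests seen in that one-second window
        self._client_seen: Dict[Tuple[int, str], int] = defaultdict(int)
        self._server_seen: Dict[Tuple[int, str], int] = defaultdict(int)

    def check(self, req: ConnRequest) -> str:
        """Return 'accept', 'drop:client' or 'drop:server' for one request."""
        window = math.floor(req.time)

        if self.per_client is not None:
            key = (window, req.client)
            self._client_seen[key] += 1
            if self._client_seen[key] > self.per_client:
                return "drop:client"

        if self.per_server is not None:
            key = (window, req.server)
            self._server_seen[key] += 1
            if self._server_seen[key] > self.per_server:
                return "drop:server"

        return "accept"


def apply_quotas(requests: List[ConnRequest], per_server: Optional[int],
                 per_client: Optional[int]) -> List[str]:
    """Run every request through a fresh enforcer, in arrival order."""
    enforcer = QuotaEnforcer(per_server=per_server, per_client=per_client)
    return [enforcer.check(r) for r in sorted(requests, key=lambda r: r.time)]


# Constructed sample: two clients hitting one server within one second,
# then a single request in the next second. Addresses are placeholders.
SAMPLE_REQUESTS = [
    ConnRequest(0.10, "198.51.100.1", "192.0.2.80"),
    ConnRequest(0.20, "198.51.100.1", "192.0.2.80"),
    ConnRequest(0.30, "198.51.100.1", "192.0.2.80"),   # 3rd from same client
    ConnRequest(0.40, "198.51.100.2", "192.0.2.80"),
    ConnRequest(0.50, "198.51.100.2", "192.0.2.80"),   # server at capacity
    ConnRequest(1.20, "198.51.100.1", "192.0.2.80"),   # new one-second window
]

if __name__ == "__main__":
    verdicts = apply_quotas(SAMPLE_REQUESTS, per_server=3, per_client=2)
    for req, verdict in zip(SAMPLE_REQUESTS, verdicts):
        print(f"t={req.time:.2f} {req.client} -> {req.server}: {verdict}")
```

With a Per Client Quota of 2 and a Per Server Quota of 3, the third request from the first client is dropped by the client quota, the second request from the second client is dropped by the server quota, and the request in the following second is accepted because the counters have reset.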
Using Dynamic Network Address Translation (DNAT)
1 When you have configured the preferred levels of hacker defense, click OK to close this window, and click Next to proceed.
If you enabled the Allow all outbound traffic from the Interface 0 (private) option, a DNAT window appears.
2 If you want to use dynamic NAT, click Yes.
A default dynamic NAT policy is added to the outbound traffic policy.
Change the Password
The Change Password screen appears. This step requires you to replace the default root admin account password with a new, secure password of your choosing.
1 In the Password field, type a new password.
Passwords must be between 6 and 20 characters, can include letters or numbers, and are case-sensitive.
2 Confirm the password by retyping it in the provided field.
3 Click Next to proceed.
The completion window appears.
4 Click Finish.
5 If you changed the IP address for interface 0 (Private), a window appears, asking if you want to restart the Firebox Vclass appliance. Click Yes.
The Firebox Vclass appliance reboots and reinitializes itself.
Deploying the Firebox Vclass into your Network
After the appliance reboots, restart Vcontroller and perform a complete shutdown of the appliance. When the shutdown is complete, you can turn off the appliance and move it to a permanent network setting, if it is not already there.
1 Launch Vcontroller.
2 In the Server IP Name field, type the IP address of interface 0 (Router Mode), the System IP (Transparent Mode), or the fully qualified host name.
Vcontroller remembers the IP addresses of all appliances and stores them in this drop-down list. You will, however, need to remember all the separate passwords.
3 In the Name field, type admin.
4 In the Password field, type your newly created secure password.
5 Click OK to connect to the appliance.
The main Vcontroller window appears.
6 Click Shut down.
7 When the shutdown confirmation window appears, click OK.
The appliance performs a full shutdown. The Ready LED blinks for a short interval and then turns off when shutdown is complete.
NOTE
Do not power down the appliance until the Power and Ready LEDs have been off for 30 seconds.
8 Use the switch on the back of the appliance to turn off the Firebox, or, if you have a V10, disconnect the power cord to turn off the appliance.
9 Disconnect all the cables and move the appliance to its permanent network setting.
After you place the appliance in its permanent location and make the necessary physical network connections, you can restart the appliance.
Use the power cord to connect the appliance to a UPS device or to a protected outlet.
For a V10, make sure that you connect the power cord to the V10 before you connect it to the AC outlet or the UPS device. This will start the V10 appliance.
For all other models, turn on the power with the switch on the back of the appliance.
When the appliance has started, the Ready LED blinks while the initialization process occurs. When initialization is complete, the Ready LED remains lit.
CHAPTER 4 Firebox Vclass Basics
This chapter provides an overview of the Firebox Vclass hardware and the companion Vcontroller software.
What is a Firebox Vclass Appliance?
Every Firebox Vclass appliance is a combination of powerful network-monitoring hardware and software policies that you, the administrator, set up and maintain. With every incoming or outgoing data stream that it detects, the appliance performs a two-stage task:
It analyzes the initial packet for key traffic specifications, including source, destination, type of service, and specific appliance interface used by the data stream.
If the data matches all the specifications established in a given policy, the appliance takes action, directing that packet and the stream that follows to the desired destination. It can also block traffic, deny traffic, or strip out offending parts of a message or stream.
A policy can also prompt the Firebox Vclass appliance to take other actions with the same data stream.
You can create policies for the Firebox Vclass that watch for varying combinations of traffic specifications. After a set of traffic specifications are defined, you can set up one or more actions that the Firebox Vclass appliance should take with any qualifying data.
You can create proxies for the Firebox Vclass that inspect the contents of packets, beyond the headers and traffic specifications, for a deeper level of security.
Firebox Vclass Features
The Firebox appliances provide the following features:
Firewall
Protects your network from unauthorized access and use.
Load balancing (except the V10 model)
Distributes incoming data to specific internal destinations.
Quality of Service
Makes data exchanges more efficient. Prioritizes and enhances user-specified data exchange.
Anti-hacker protection
Protects your network from a variety of potentially destructive hacker attacks.
VPN (Virtual Private Networking)
Provides secure communications with remote sites.
Dynamic NAT (Network Address Translation)
Also called IP masquerading. Maps outgoing private IP addresses to the Firebox’s external IP address, meaning outgoing source IP addresses are translated into the IP address of the box’s external interface. This prevents outsiders from “seeing” your private internal IP addresses. Incoming packets are translated from the external interface's IP address into the appropriate private IP address.
Static NAT (except the V10 model)
Also called port forwarding. Assigns a port specific to a given service (such as port 80 for HTTP) to another port internally, so that originators of incoming traffic never know which host is actually receiving the packets.
Multi-tenant domains (except the V10 model)
Manages traffic routed to and from both kinds of multiple-tenant virtual domains: user domains and VLANs.
Where the Information is Stored
When you use Vcontroller to connect to a Firebox Vclass appliance, Vcontroller accesses a specialized database stored in the Firebox Vclass appliance. This storage capacity is an integral part of the appliance hardware. All your configuration and policy entries are stored in this database.
Certain files, such as backup configuration files, log files, and archive files, can be stored in a location of your choosing, such as the Management Station hard drive or a syslog server.
Changes or additions to the configuration settings in Vcontroller reside on the Management Station and are not automatically applied to the appliance.
Launching the WatchGuard Vcontroller
The WatchGuard Vcontroller can be used to administer one or more Firebox Vclass appliances as well as any legacy RapidStream security appliances. This Java application offers a basic set of system indicators and three collections of button-activated features that provide complete control over all the operations of a Firebox Vclass appliance.
NOTE
WatchGuard Vcontroller times out after 30 minutes of inactivity. If this occurs, you are prompted to log in again.
1 Launch Vcontroller according to the operating system you are using:
Microsoft Windows
Double-click the WatchGuard Vcontroller icon on the desktop, or select Start => Programs => WatchGuard Vcontroller => WatchGuard Vcontroller.
Solaris/Linux
Navigate to the appropriate directory and type Vcontroller at the command prompt.
Vcontroller launches and a login window appears.
If you have used Vcontroller before to access a Firebox Vclass appliance, the Server IP/Name field displays the IP address or host name of the last accessed appliance. The IP addresses or host names of other previously accessed devices are listed in the Server IP/Name drop-down list.
2 Type the IP address or host name of the Firebox Vclass in the Server IP/Name field or select it from the drop-down list.
3 Type your administrator login name in the Name field.
NOTE
For information on creating administrator accounts, see “Using Account Manager” on page 149.
4 In the Password field, type the password for your administrator account.
5 Click OK.
The main Vcontroller window appears.
The Vcontroller Main Page
This section describes the buttons displayed in Vcontroller.
Activities column buttons
The Activities column contains a series of buttons that, when clicked, provide dialog boxes that update you on system activities. This includes outstanding alarms, recent events, and the current status of the appliance. You can also open a dialog box that displays system logs and another dialog box with a set of useful diagnostic tools.
Alarm
Click this button to open the Alarm Manager window, in which you can define a set of alarms that trigger when system or policy thresholds are exceeded. This window also allows you to view newly triggered alarms, diagnose alarm conditions, and clear resolved alarms. For more information, see “Using Alarm Manager” on page 351.
Monitor
Click this button to open the Real-time Monitor window, which provides a detailed view of the security appliance activities. You can use existing probes, or create your own, to measure system activity as well as to gauge data and policy usage. For more information, see “Monitoring the Firebox Vclass” on page 363.
Log Manager
Click this button to open the Log Manager window, which enables you to activate log files that record certain types and levels of system activity. You can also use this window to view a particular log, and then archive your logs as text files for future reference. For more information, see “Using Log Manager” on page 379.
System Information
Click this button to open the System Information window, which provides several distinct views of the current appliance’s status and activity. The various tabbed displays are detailed in separate chapters within this guide, depending upon your choice of view. For more information, see “Monitoring the Firebox Vclass” on page 363.
Policy column buttons
The Policy column contains a series of buttons that, when clicked, enable you to create, apply, and manage the security policies used by the Firebox Vclass appliance. For more information on creating and configuring security policies, see “About Security Policies” on page 159.
Security Policy
Click this button to open the Policy Manager window, which lists the current catalog of security policies. This window allows you to view, edit, add, and remove policies. The Policy Manager is also used to view, edit, add, and remove security proxies.
IKE Policy
Click this button to open another view of the Policy Manager window that lists the current catalog of IKE (Internet Key Exchange) policies.
Address Group
Click this button to open a window showing the existing address group objects. These are used by both security and IKE policies in determining traffic specifications.
IPSec Action
Click this button to open a window listing the existing IPSec actions, used by security policies to enforce encryption/authentication protections.
NAT/LB Action (Network Address Translation/Load Balancing Action)
Click this button to open a window listing the existing NAT action objects, which are used in policies that affect dynamic IP, virtual IP, and other load-balancing actions on data.
This button is grayed out and does not function in Transparent Mode. NAT and Load Balancing are not supported in Transparent Mode. For more information on Transparent Mode, see “Router and Transparent Mode” on page 79.
Remote Users
Click this button to open the RAS Configuration dialog box, which assists in the setup of remote access service (RAS) connections. This feature is not available on the V10 model.
Proxies
Click this button to open a dialog box that lists all existing Proxy Actions, and allows you to add, delete, and edit them. Proxies are a licensed feature, which are available on your system after you complete the initial LiveSecurity registration process.
Administration column buttons
This column lists a series of buttons that, when clicked, can help you customize, monitor, and maintain a Firebox Vclass appliance.
System Configuration
Click this button to open the System Configuration window, which helps you change the system configurations of a Firebox Vclass appliance. For more information, see “System Configuration” on page 89.
Install Wizard
Click this button to reopen the Installation Wizard, which you can use to reestablish the basic configuration for a Firebox Vclass appliance if required. For more information, see “Getting Started” on page 21.
Account
Click this button to open the Account Manager window, which you can use to modify or add new administrative accounts, and end-user accounts to allow internal users to bypass any firewall policies you create. For more information, see “Using Account Manager” on page 149.
Backup/Restore
Click this button to open the Backup/Restore window, which enables you to back up the current system configuration. You can also use this window to restore previously archived configurations as needed. For more information, see “Backing Up and Restoring Configurations” on page 403.
Upgrade
Click this button to open the Upgrade window, which allows you to view the current software version, download and install any recent upgrades, and view the recent upgrade history.
You can also use the features of this window to downgrade an appliance to a previous software version. For more information about the Upgrade window, see “Upgrading and Downgrading the Software Version” on page 72.
Shutdown/Reboot
Click this button to open a window from which you can restart the software, reboot the appliance, or completely shut down the appliance. For more information, see “Shutting Down and Rebooting” on page 70.
Diagnostics/CLI
Click this button to open the Diagnostics window, which includes testing tools, connectivity probes, and a workspace for importing CLI scripts. For more information, see “Monitoring the Firebox Vclass” on page 363.
Page-top buttons
The page-top title area includes the Log Out and Help buttons, as well as an alarm indicator that is displayed when an alarm has been triggered.
Log Out
Click this button to log out of Vcontroller and disconnect the Management Station from the Firebox Vclass appliance.
Help
Click this button to open the main online Help window. Right-click this button to see the Help version and copyright information.
Alarm Bell
If you see an animated ringing bell, this indicates that an alarm condition was triggered. Click the alarm bell icon to open the Alarm Manager window. For more information, see “Using Alarm Manager” on page 351.
The status viewer
When you log into Vcontroller, the status area in the lower-left corner provides a snapshot of the system status, including interface link status and active VPN connections.
From the main Vcontroller window, look for the status indicators in the lower-left corner.