WatchGuard Technologies Firebox SOHO 6, Firebox SOHO 6.1 User Manual

WatchGuard

Firebox® SOHO 6 User Guide

SOHO 6.1

Using this Guide

To use this guide you need to be familiar with your computer’s operating system. If you have questions about navigating in your computer’s environment, please refer to your system user manual.

The following conventions are used in this guide.

Convention Indication

Bold type Menu commands, dialog box options, Web page

options, Web page names. For example: “On the System Information page, select Disabled.”

NOTE Important information, a helpful tip or additional

instructions.

ii WatchGuard Firebox SOHO 6.1

Certifications and Notices

FCC Certification

This appliance has been tested and found to comply with limits for a Class A digital appliance, pursuant to Part 15 of the FCC Rules. Operation is subject to the following two conditions:

• This appliance may not cause harmful interference.

• This appliance must accept any interference received, including interference that may cause undesired operation.

CE Notice

The CE symbol on your WatchGuard Technologies equipment indicates that it is in compliance with the Electromagnetic Compatibility (EMC) directive and the Low Voltage Directive (LVD) of the European Union (EU).

Industry Canada

This Class A digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations.

Cet appareil numerique de la classe A respecte toutes les exigences du Reglement sur le materiel broulleur du Canada.

User Guide iii

VCCI Notice Class A ITE

iv WatchGuard Firebox SOHO 6.1

Declaration of Conformity

User Guide v

WATCHGUARD SOHO SOFTWARE END-USER LICENSE AGREEMENT

IMPORTANT - READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE This WatchGuard SOHO Software End-User License Agreement ("EULA") is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. ("WATCHGUARD") for the WATCHGUARD SOHO software product, which includes computer software (whether installed separately on a computer workstation or on the WatchGuard hardware product) and may include associated media, printed materials, and on-line or electronic documentation, and any updates or modifications thereto, including those received through the WatchGuard LiveSecurity service (or its equivalent) (the "SOFTWARE PRODUCT"). WATCHGUARD is willing to license the SOFTWARE PRODUCT to you only on the condition that you accept all of the terms contained in this EULA. Please read this EULA carefully. By installing or using the SOFTWARE PRODUCT you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, WATCHGUARD will not license the SOFTWARE PRODUCT to you, and you will not have any rights in the SOFTWARE PRODUCT. In that case, promptly return the SOFTWARE PRODUCT, along with proof of payment, to the authorized dealer from whom you obtained the SOFTWARE PRODUCT for a full refund of the price you paid.

1. Ownership and License.

The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This is a license agreement and NOT an agreement for sale. All title and copyrights in and to the SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and applets incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the SOFTWARE PRODUCT are owned by WATCHGUARD or its licensors. Your rights to use the SOFTWARE PRODUCT are as specified in this EULA, and WATCHGUARD retains all rights not expressly granted to you in this EULA. Nothing in this EULA constitutes a waiver of our rights under U.S. copyright law or any other law or treaty.

2. Permitted Uses.

You are granted the following rights to the SOFTWARE PRODUCT: (A) You may use the SOFTWARE PRODUCT solely for the purpose of operating the SOHO hardware product in accordance with the SOHO or user documentation. If you are accessing the SOFTWARE PRODUCT via a Web based installer program, you are granted the following additional rights to the SOFTWARE PRODUCT: (A) You may install and use the SOFTWARE PRODUCT on any computer with an associated connection to the SOHO hardware product in accordance with the SOHO user documentation; (B) You may install and use the SOFTWARE PRODUCT on more than one computer at once without licensing an additional copy of the SOFTWARE PRODUCT for each additional computer on which you want to use it, provided that each computer on which you install the SOFTWARE PRODUCT has an associated connection to the same SOHO hardware product ; and (C) You may make a single copy of the SOFTWARE PRODUCT for backup or

vi WatchGuard Firebox SOHO 6.1

archival purposes only.

3. Prohibited Uses.

You may not, without express written permission from WATCHGUARD: (A) Reverse engineer, disassemble or decompile the SOFTWARE PRODUCT; (B) Use, copy, modify, merge or transfer copies of the SOFTWARE PRODUCT or printed materials except as provided in this EULA; (C) Use any backup or archival copy of the SOFTWARE PRODUCT (or allow someone else to use such a copy) for any purpose other than to replace the original copy in the event it is destroyed or becomes defective; (D) Sublicense, lend, lease or rent the SOFTWARE PRODUCT; or (E) Transfer this license to another party unless (i) the transfer is permanent, (ii) the third party recipient agrees to the terms of this EULA, and (iii) you do not retain any copies of the SOFTWARE PRODUCT.

4. Limited Warranty.

WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WATCHGUARD or an authorized dealer; (A) Media. The disks and documentation will be free from defects in materials and workmanship under normal use. If the disks or documentation fail to conform to this warranty, you may, as your sole and exclusive remedy, obtain a replacement free of charge if you return the defective disk or documentation to us with a dated proof of purchase; and (B) SOFTWARE PRODUCT. The SOFTWARE PRODUCT will materially conform to the documentation that accompanies it. If the SOFTWARE PRODUCT fails to operate in accordance with this warranty, you may, as your sole and exclusive remedy, return all of the SOFTWARE PRODUCT and the documentation to the authorized dealer from whom you obtained it, along with a dated proof of purchase, specifying the problems, and they will provide you with a new version of the SOFTWARE PRODUCT or a full refund at their election.

Disclaimer and Release. THE WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD, AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS 4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN SUBSTITUTION FOR, AND YOU HEREBY WAIVE, DISCLAIM AND RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD AND ITS LICENSORS AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD AND ITS LICENSORS, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, ANY WARRANTY OF NONINFRINGEMENT, ANY WARRANTY THAT THIS SOFTWARE PRODUCT WILL MEET YOUR REQUIREMENTS, ANY WARRANTY OF UNINTERRUPTED OR ERROR-FREE OPERATION, ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY IN TORT, WHETHER OR NOT ARISING FROM THE NEGLIGENCE (WHETHER ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF WATCHGUARD AND ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY FOR LOSS OR DAMAGE TO, OR CAUSED BY OR CONTRIBUTED TO BY, THE SOFTWARE PRODUCT).

User Guide vii

Limitation of Liability. WATCHGUARD'S LIABILITY (WHETHER IN CONTRACT, TORT, OR OTHERWISE; AND NOTWITHSTANDING ANY FAULT, NEGLIGENCE, STRICT LIABILITY OR PRODUCT LIABILITY) WITH REGARD TO THE SOFTWARE PRODUCT WILL IN NO EVENT EXCEED THE PURCHASE PRICE PAID BY YOU FOR SUCH PRODUCT. THIS WILL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY. IN NO EVENT WILL WATCHGUARD BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT), FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF OR IN CONNECTION WITH THIS WARRANTY OR THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS WILL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY.

5. United States Government Restricted Rights.

The enclosed SOFTWARE PRODUCT and documentation are provided with Restricted Rights. Use, duplication or disclosure by the U.S Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Incorporated, 505 5th Ave. South, Suite 500,Seattle, WA 98104.

6. Export Controls.

You agree not to directly or indirectly transfer the SOFTWARE PRODUCT or documentation to any country to which such transfer would be prohibited by the U.S. Export Administration Act and the regulations issued thereunder.

7. Termination.

This license and your right to use the SOFTWARE PRODUCT will automatically terminate if you fail to comply with any provisions of this EULA, destroy all copies of the SOFTWARE PRODUCT in your possession, or voluntarily return the SOFTWARE PRODUCT to WATCHGUARD. Upon termination you will destroy all copies of the SOFTWARE PRODUCT and documentation remaining in your control or possession.

8. Miscellaneous Provisions. This EUL A will be governed by and construed

in accordance with the substantive laws of Washington excluding the 1980 United National Convention on Contracts for the International Sale of Goods, as amended. This is the entire EULA between us relating to the contents of this package, and supersedes any prior purchase order, communications, advertising or representations concerning the SOFTWARE PRODUCT AND BY USING THE SOFTWARE PRODUCT YOU AGREE TO THESE TERMS. IF THE SOFTWARE PRODUCT IS BEING USED BY AN ENTITY, THE INDIVIDUAL INDICATING AGREEMENT TO THESE TERMS REPRESENTS AND WARRANTS THAT (A) SUCH INDIVIDUAL IS DULY AUTHORIZED TO ACCEPT THIS EULA ON BEHALF OF THE ENTITY AND TO BIND THE ENTITY TO THE TERMS OF THIS EULA; (B) THE ENTITY HAS THE FULL POWER, CORPORATE OR OTHERWISE, TO ENTER INTO THIS EULA AND PERFORM ITS OBLIGATIONS UNDER THIS EULA AND; (C) THIS EULA AND THE PERFORMANCE OF THE ENTITY’S OBLIGATIONS UNDER THIS EULA DO NOT VIOLATE ANY THIRDPARTY AGREEMENT TO WHICH THE ENTITY IS A PARTY.

viii WatchGuard Firebox SOHO 6.1

No change or modification of this EUL A will be valid unless it is in writing, and is signed by WATCHGUARD.

Notice to Users

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright© 1998 - 2002 WatchGuard Technologies, Inc. All rights reserved. AppLock®, AppLock®/Web, Designing peace of mind®, Firebox®, Firebox® 1000, Firebox® 2500, Firebox® 4500, Firebox® II, Firebox® II Plus, Firebox® II FastVPN, Firebox® III, Firebox® SOHO, Firebox® SOHO 6, Firebox® SOHO 6tc, Firebox® SOHO|tc, Firebox® V100, Firebox® V80, Firebox® V60, Firebox® V10, LiveSecurity®, LockSolid®, RapidStream®, RapidCore®, ServerLock®, WatchGuard®, WatchGuard® Technologies, Inc., DVCP™ technology,, Enforcer/MUVPN™, FireChip™, HackAdmin™, HostWatch™, Make Security Your Strength™, RapidCare™, SchoolMate™, ServiceWatch™, Smart Security. Simply Done.™, Vcontroller™, VPNforce™ are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.

Microsoft®, Internet Explorer®, Windows® 95, Windows® 98, Windows NT® and Windows® 2000 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United States and other countries.

RC2 Symmetric Block Cipher, RC4 Symmetric Stream Cipher, RC5 Symmetric Block Cipher, BSAFE, TIPEM, RSA Public Key Cryptosystem, MD, MD2, MD4, and MD5 are either trademarks or registered trademarks of RSA Data Security, Inc. Certain materials herein are Copyright © 1992-1999 RSA Data Security, Inc. All rights reserved.

RealNetworks, RealAudio, and RealVideo are either a registered trademark or trademark of RealNetworks, Inc. in the United States and/or other countries. Java and all Jave-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All right reser ved.

© 1995-1998 Eric Young (eay@cryptsoft). All rights reserved. © 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following

disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the

following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following

acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products

derived from this software without prior written permission. For written permission, please contact opensslcore@openssl.org.

User Guide ix

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names

without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes

software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

© 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following

disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the

following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following

acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related :-).

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code)

you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]

x WatchGuard Firebox SOHO 6.1

The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license. The detailed license information follows. Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following

disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the

following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following

acknowledgment: "This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/)."

4. The names "mod_ssl" must not be used to endorse or promote products derived from this software without

prior written permission. For written permission, please contact rse@engelschall.com.

5. Products derived from this software may not be called "mod_ssl" nor may "mod_ssl" appear in their names

without prior written permission of Ralf S. Engelschall.

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes

software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http:// www.modssl.org/)."

THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following

disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the

following disclaimer in the documentation and/or other materials provided with the distribution.

3. The end-user documentation included with the redistribution, if any, must include the following

acknowledgment: "This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.

4. The names "Apache" and "Apache Software Foundation" must not be used to endorse or promote products

derived from this software without prior written permission. For written permission, please contact apache@apache.org.

User Guide xi

5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name,

without prior written permission of the Apache Software Foundation.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntar y contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Sof tware Foundation, please see <http://www.apache.org/>.

Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.

All other trademarks or trade names mentioned herein, if any, are the property of their respective owners. Part No 0814-000

xii WatchGuard Firebox SOHO 6.1

CHAPTER 1 Introduction ..................................................1

The Package Contents ..............................................2

How Does a Firewall Work? ......................................3

How Does Information Travel on the Internet? .........4

IP addresses ............................................................4

Protocol ..................................................................4

Port numbers ..........................................................5

How Does the SOHO 6 Process Information? .......... 5

Services ..................................................................5

Network Address Translation ....................................5

The SOHO 6 Hardware Description .......................... 6

The SOHO 6 front and rear views .............................6

CHAPTER 2 Installation .................................................. 11

Before You Begin ....................................................12

Review and record your current TCP/IP settings .......12

User Guide xiii

Disable the HTTP proxy setting of your Web

browser

Enable your computer for DHCP .............................16

............................................................14

Physically connect the SOHO 6 .............................. 18

Cabling the SOHO 6 for one to four appliances .......19

Cabling the SOHO 6 for more than four computers .20

CHAPTER 3 SOHO 6 Basics ...........................................23

The SOHO 6 Home Page—System Status ..............23

Default Factory Settings .......................................... 25

Reset a SOHO 6 to factory default .......................... 26

The base model SOHO 6 .......................................27

LiveSecurity Service ............................................27

Reboot the SOHO 6 ............................................... 28

CHAPTER 4 Configure the Network Interfaces ........... 31

Configure Your External Network ...........................31

Network addressing ...............................................31

Configure the SOHO 6 External Network for dynamic

addressing

Configure the SOHO 6 External Network for static

addressing

Configure the SOHO 6 External Network for PPPoE .34

........................................................32

........................................................33

Configure the Trusted Network .............................. 36

Configure DHCP Server and DHCP Relay ................36

Configure additional computers on the Trusted

Network

Configure the Trusted Network with static addresses 39

...........................................................38

Configure Static Routes .......................................... 40

View Network Statistics ...........................................42

xiv WatchGuard Firebox SOHO 6.1

Configure the Dynamic DNS Service ......................43

Configure OPT Port Upgrades ................................44

Configure Dual ISP Port ......................................... 44

Configure VPNforce™ Port ....................................47

CHAPTER 5 Administrative Options ............................. 51

The System Security Page .......................................52

System management .............................................52

SOHO Remote Management .................................54

Set up VPN Manager Access .................................. 54

Update Your Firmware ............................................56

Redeem your SOHO 6 Upgrade Options ..............57

View the Configuration File ....................................60

CHAPTER 6 Configure the Firewall Settings ................61

Firewall Settings ......................................................61

Configure Incoming and Outgoing Services .......... 62

Pre-configured Services .........................................62

Create a Custom Service ........................................63

Block External Sites .................................................65

Firewall Options ......................................................67

Ping requests received on the External Network ......68

Denying FTP access to the Trusted Network

interface

SOCKS implementation for the SOHO 6 .................68

Logging all allowed outbound traffic .......................70

Enable override MAC address for the External

Network

...........................................................68

...........................................................71

Create an Unrestricted Pass Through ..................... 72

User Guide xv

CHAPTER 7 Configure Logging ....................................75

View SOHO 6 Log Messages ..................................76

Set up Logging to a WatchGuard Security Event

Processor Log Host .............................................77

Set up Logging to a Syslog Host ............................79

Set the System Time ...............................................80

CHAPTER 8 VPN—Virtual Private Networking ............ 83

Why Create a Virtual Private Network? .................... 83

What You Need .......................................................84

Enable the VPN Upgrade .......................................86

Step-by-step Instructions for Configuring a

SOHO 6 VPN Tunnel ..........................................86

Special Considerations ...........................................87

Frequently Asked Questions ...................................87

Set Up Multiple SOHO-SOHO VPN Tunnels .......... 89

Configure Split Tunneling .......................................93

MUVPN Clients .......................................................93

View the VPN Statistics ...........................................94

CHAPTER 9 SOHO 6 WebBlocker ................................95

How WebBlocker Works .........................................95

Web site not in the WebBlocker database ............... 96

Web site in the WebBlocker database .....................96

WatchGuard WebBlocker database unavailable ....... 96

WebBlocker users and groups ................................97

Bypass the SOHO 6 WebBlocker ............................97

Purchase and Activate SOHO 6 WebBlocker .......... 97

Configure the SOHO 6 WebBlocker .......................98

xvi WatchGuard Firebox SOHO 6.1

WebBlocker Categories ........................................103

CHAPTER 10 Support Resources ..................................107

Troubleshooting Tips ............................................107

General ..............................................................107

Configuration ......................................................111

VPN Management ...............................................114

Contact Technical support .................................... 116

Online Documentation and In-Depth FAQs ......... 116

Special Notices ..................................................... 116

Index ................................................................. 117

User Guide xvii

xviii WatchGuard Firebox SOHO 6.1

CHAPTER 1 Introduction

Welcome

Congratulations on purchasing the ideal solution for providing secure access to the Internet–the WatchGuard

Firebox® SOHO 6

or SOHO 6tc security appliance.

User Guide 1

Chapter 1: Introduction

This User Guide is for both the SOHO 6 and the SOHO 6tc–the name SOHO 6 refers to both these appliances throughout this guide. The only difference between them is the ability to create and use a Virtual Private Network (VPN). The VPN option is added to the SOHO 6, while the SOHO 6 tc comes with the VPN option preinstalled.

Your new SOHO 6 provides peace of mind when connecting to the Internet using a high-speed cable or DSL modem, a leased line, or ISDN.

The most current installation and user information is available at the WatchGuard Web site:

http://support.watchguard.com/sohoresources/

The Package Contents

First things first, check the package contents to make sure you have the following.

• Firebox SOHO 6 QuickStart Guide

• User documentation

• AC adapter (12v, 1.0-1.2A)

• Straight-through Ethernet cable

• SOHO 6 security appliance

2 WatchGuard Firebox SOHO 6.1

How Does a Firewall Work?

Fundamentally, a firewall is a way of distinguishing between, as well as protecting, “us” and “them”. On the external side of your SOHO 6 firewall is the entire Internet. The Internet offers many resources such as the Web, email, and video/audio conferencing. It also presents dangers to the privacy and security of your computer. On the trusted side of your SOHO 6 firewall are all the appliances you want to protect from these dangers. As is illustrated in the image below, the SOHO 6 physically separates your trusted network from the Internet.

Using rules or policies outlined in Chapter 3: “Configure Incoming and Outgoing Services” on page 62, the WatchGuard SOHO 6 evaluates all traffic between the external network (the Internet)

User Guide 3

Chapter 1: Introduction

and the trusted network (your computer) and blocks any suspicious activity.

How Does Information Travel on the Internet?

All information transported over the Internet is packaged in a special manner to ensure that it travels from one computer to the next. The program responsible for this task is known as TCP/IP. TCP (Transmission Control Protocol) manages the assembly and reassembly of data, for example an email message or program file, into smaller chunks of data called packets. IP (Internet Protocol) takes these packets and wraps them up with a header identifying both where the information is going and how it is handled en route.

IP addresses

An IP address defines the specific computer on the Internet that sends or receives a packet. Every computer on the Internet has a unique address, including your SOHO 6. When defining a service behind a firewall, you need to include the trusted, network address for the computer hosting the application.

On the Internet, IP addresses are identified using a string of numbers that have been translated from a URL (Uniform Resource Locator) name such as, www.watchguard.com.

Protocol

A protocol defines how a packet is bundled and packaged for shipment across a network. The most commonly used protocols are TCP and UDP (User Datagram Protocol). In addition, there are a variety of IP protocols that are less frequently used.

4 WatchGuard Firebox SOHO 6.1

How Does the SOHO 6 Process Information?

Port numbers

The port numbers are used by computers at both the sending and receiving end to determine the particular program or application for each connection.

How Does the SOHO 6 Process Information?

Services

A service is the combination of protocol(s) and port numbers associated with a specific program or application type. To simplify configuration of your SOHO 6, WatchGuard configured versions of several common services are available for your use.

Network Address Translation

All outgoing connections through a SOHO 6 automatically use a feature called dynamic NAT (Network Address Translation). Without dynamic NAT, your trusted, private addresses are passed along the Internet to their destination.

In addition, the SOHO 6 protects your trusted network by disguising private IP addresses. During an Internet connection, all traffic passed between computers includes IP address information. However, because of the dynamic NAT feature, applications and servers on the Internet only see the public, external IP address of the SOHO 6 itself and are never aware of the addresses in your trusted, network address range.

Imagine that you install a computer behind the SOHO 6 with the IP address 206.253.208.100. If this address were broadcast to the Internet, hackers could easily direct an attack on the computer itself. Instead, the SOHO 6 converts the address automatically to

User Guide 5

Chapter 1: Introduction

the external address of the SOHO 6. When a hacker tries to violate the computer, they are stopped at the SOHO 6, never learning the true address of your computer.

The SOHO 6 Hardware Description

The SOHO 6 has significant improvements to the hardware platform from those of previous SOHO models.

Faster Processor

The SOHO 6 has a new network processor running at a speed of 150MHz. It also includes built in Ethernet and encryption technology.

Ethernet ports

The SOHO 6 has six 10/100 Base TX ports labeled OPT, WAN and numbered 0-3.

The SOHO 6 front and rear views

The SOHO 6 has fourteen indicator lights on the front panel of the appliance. The following photograph shows the entire front view.

PWR

When illuminated, this light indicates that the SOHO 6 is currently powered up.

6 WatchGuard Firebox SOHO 6.1

The SOHO 6 Hardware Description

Status

When illuminated, this light indicates that a management connection has been made.

Link

The link indicator illuminates when there is a good physical connection to any of the numbered (0-3) interfaces of the trusted network. The link indicator blinks when traffic is passing through the interface.

100

When a trusted network interface runs at 10Mb, the 100 indicator is not illuminated. When the network interface runs at 100 Mb, the 100 indicator is yellow.

WAN

Indicates a good physical connection to the external (WAN) port. The indicator blinks when traffic is passing through the interface.

Mode

Indicates that the SOHO 6 is operational and has connected to the Internet when illuminated.

User Guide 7

Chapter 1: Introduction

The SOHO 6 has six Ethernet ports, a reset button, and a power input located on the rear of the appliance. The following photograph shows the entire rear view.

OPT port

This Ethernet port corresponds to the Optional interface. This interface is activated when you purchase the Dual ISP Port upgrade or VPNforce™ Port Upgrade. For more information on the Dual ISP Port and VPNforce Port upgrade , see “Configure OPT Port Upgrades” on page 44.

8 WatchGuard Firebox SOHO 6.1

The SOHO 6 Hardware Description

NOTE

The OPT port is only available if you purchase the Dual ISP Port or VPNforce Port upgrades. You can not use the OPT port as another Ethernet port on the Trusted network.

RESET button

Using the reset button, you can return to the SOHO 6 to the factory defaults. For more information on performing this function, see “Reset a SOHO 6 to factory default” on page 26.

NOTE

The OPT port is only available if you purchase the software upgrades. You can not use the OPT port as another internet port on the Trusted network.

WAN port

This Ethernet port corresponds to the external interface.

4 numbered ports (0-3)

These Ethernet ports correspond to the trusted interface.

Power input

Accepts the 12 volt AC adapter supplied with the SOHO 6.

User Guide 9

Chapter 1: Introduction

10 WatchGuard Firebox SOHO 6.1

CHAPTER 2 Installation

This chapter explains how to install the SOHO 6 into your network. You must complete the following steps:

• Review and record your current TCP/IP settings

• Disable the HTTP proxy setting of your Web browser

• Enable your computer for DHCP

• Physically connect the SOHO 6 to your network

For a quick summary of this information, see the Firebox SOHO 6 QuickStart Guide included with your SOHO 6.

User Guide 11

Chapter 2: Installation

Before You Begin

Before installing your new SOHO 6, be certain that you have the following items:.

• A 10/100BaseT Ethernet I/O network card installed in your computer.

• A cable or DSL modem with a 10/100BaseT port or an ISDN router. This is unnecessary if you connect to the Internet using a LAN connection.

• Two Ethernet network cables with RJ45 connectors. These must not be “crossover cables” (often red or orange). One cable is furnished with your SOHO 6. Make certain that both cables are long enough to comfortably connect the modem or router to the SOHO 6 and the SOHO 6 to your computer.

• A functioning Internet connection. If your connection does not work, please contact your ISP (Internet Service Provider).

• Call your ISP to find out which method they use to issue your network addressing–static addresses, DHCP, or PPPoE. You need this information later in the installation process, see “Configure Your External Network” on page 31.

• An installed Web browser–either Netscape Navigator 4.77 (or higher) or Internet Explorer 5.0 (or higher).

• The SOHO 6 serial number.

Review and record your current TCP/IP settings

For your reference, record the computer’s current TCP/IP settings in the chart at the end of this section. Access to this information depends on your computer operating system.

Microsoft Windows 2000 and Windows XP

1 Click Start => Programs => Accessories => Command Prompt.

12 WatchGuard Firebox SOHO 6.1

+ 110 hidden pages

WatchGuard Technologies Firebox SOHO 6, Firebox SOHO 6.1 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

FCC Certification

CE Notice

Industry Canada

VCCI Notice Class A ITE

Declaration of Conformity

Contents

CHAPTER 1 Introduction

The Package Contents

How Does a Firewall Work?

How Does Information Travel on the Internet?

IP addresses

Protocol

Port numbers

Services

Network Address Translation

CHAPTER 2 Installation

Before You Begin

Review and record your current TCP/IP settings