WatchGuard Technologies FireboxTM System 4.6 User Manual
WatchGuard
®
Firebox™ System
User Guide
Firebox System 4.6
Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in
examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the
express written permission of WatchGuard Technologies, Inc.
Copyright and Patent Information
Copyright© 1998 - 2001 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, Firebox, LiveSecurity, and SpamScreen are either registered trademarks or
trademarks of WatchGuard Technologies, Inc. in the United States and other countries. This product
is covered by one or more pending patent applications.
Red Hat® is a registered trademark of Red Hat, Inc. This product is not a product of Red Hat, Inc.
and is not endorsed by Red Hat, Inc. This is a product of WatchGuard and we have no relationship
with Red Hat, Inc.
Adobe, Acrobat, the Acrobat logo, and PostScript are trademarks of Adobe Systems Incorporated.
© 1999 BackWeb Technologies, Inc. All rights reserved. BackWeb is a registered trademark of
BackWeb Technologies, Inc.
CyberNOT, CyberNOT List, CyberYES, and CyberYES List are trademarks of Learning Company
Properties Inc.
© Hi/fn, Inc. 1993, including one or more U.S. Patents: 4701745, 5016009, 5126739, and
5146221 and other patents pending.
© 1995-1998 Eric Young (eay@cryptsoft). All rights reserved.
© 1998-1999 The OpenSSL Project. All rights reserved.
Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc.
in the United States and other countries.
Microsoft®, Internet Explorer®, Windows® 95, Windows® 98, Windows NT® and Windows®
2000 are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
Netscape and Netscape Navigator are registered trademarks of Netscape Communications
Corporation in the United States and other countries.
RC2 Symmetric Block Cipher, RC4 Symmetric Stream Cipher, RC5 Symmetric Block Cipher,
BSAFE, TIPEM, RSA Public Key Cryptosystem, MD, MD2, MD4, and MD5 are either trademarks
or registered trademarks of RSA Data Security, Inc. Certain materials herein are Copyright ©
1992-1999 RSA Data Security, Inc. All rights reserved.
RealNetworks, RealAudio, and RealVideo are either a registered trademark or trademark of
RealNetworks, Inc. in the United States and/or other countries.
VPCom™ Copyright © 1997-1999 Ashley Laurent, Inc. All rights reserved.
All other trademarks and tradenames are the property of their respective owners.
Printed in the United States of America.
DocVer: WatchGuard Firebox Security System 4.6 User Guide - 4.6.1
ii
WatchGuard Technologies, Inc.
Firebox System Software
End-User License Agreement
WatchGuard Firebox System (WFS) End-User License Agreement
IMPORTANT — READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE:
This WFS End-User License Agreement (“AGREEMENT”) is a legal agreement between you (either
an individual or a single entity) and WatchGuard Technologies, Inc. (“WATCHGUARD”)for the
WATCHGUARD WFS software product identified above, which includes computer software and may
include associated media, printed materials, and on-line or electronic documentation (“SOFTWARE
PRODUCT”). WATCHGUARD is willing to license the SOFTWARE PRODUCT to you only on the
condition that you accept all of the terms contained in this Agreement. Please read this Agreement
carefully. By installing or using the SOFTWARE PRODUCT you agree to be bound by the terms of
this Agreement. If you do not agree to the terms of this AGREEMENT, WATCHGUARD will not
license the SOFTWARE PRODUCT to you, and you will not have any rights in the SOFTWARE
PRODUCT. In that case, promptly return the SOFTWARE PRODUCT, along with proof of payment,
to the authorized dealer from whom you obtained the SOFTWARE PRODUCT for a full refund of the
price you paid.
1. Ownership and License. The SOFTWARE PRODUCT is protected by copyright laws and
international copyright treaties, as well as other intellectual property laws and treaties. This is a
license agreement and NOT an agreement for sale. All title and copyrights in and to the
SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video,
audio, music, text, and applets incorporated into the SOFTWARE PRODUCT), the accompanying
printed materials, and any copies of the SOFTWARE PRODUCT are owned by WATCHGUARD or
its suppliers. Your rights to use the SOFTWARE PRODUCT are as specified in this AGREEMENT,
and WATCHGUARD retains all rights not expressly granted to you in this AGREEMENT. Nothing
in this AGREEMENT constitutes a waiver of our rights under U.S. copyright law or any other law or
treaty.
2. Permitted Uses. You are granted the following rights to the SOFTWARE PRODUCT:
(A) You may install and use the SOFTWARE PRODUCT on any single computer at any single
location. If you wish to use the SOFTWARE PRODUCT on a different computer, you must erase the
SOFTWARE PRODUCT from the first computer on which you installed it before you install it onto
a second.
(B) To use the SOFTWARE PRODUCT on more than one computer at once, you must license an
additional copy of the SOFTWARE PRODUCT for each additional computer on which you want to
use it.
(C)You may make a single copy of the SOFTWARE PRODUCT for backup or archival purposes only.
3. Prohibited Uses. You may not, without express written permission from WATCHGUARD:
(A) Use, copy, modify, merge or transfer copies of the SOFTWARE PRODUCT or printed materials
except as provided in this AGREEMENT;
(B) Use any backup or archival copy of the SOFTWARE PRODUCT(or allow someone else to use
such a copy) for any purpose other than to replace the original copy in the event it is destroyed or
becomes defective;
(C) Sublicense, lend, lease or rent the SOFTWARE PRODUCT;
User Guide iii
(D) Transfer this license to another party unless (i) the transfer is permanent, (ii) the third party
recipient agrees to the terms of this AGREEMENT, and (iii) you do not retain any copies of the
SOFTWARE PRODUCT; or
(E) Reverse engineer, disassemble or decompile the SOFTWARE PRODUCT.
4. Limited Warranty. WATCHGUARD makes the following limited warranties for a period of
ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WatchGuard
Technologies or an authorized dealer:
(A) Media. The disks and documentation will be free from defects in materials and workmanship
under normal use. If the disks or documentation fail to conform to this warranty, you may, as your
sole and exclusive remedy, obtain a replacement free of charge if you return the defective disk or
documentation to us with a dated proof of purchase.
(B) SOFTWARE PRODUCT. The SOFTWARE PRODUCT will materially conform to the
documentation that accompanies it. If the SOFTWARE PRODUCT fails to operate in accordance
with this warranty, you may, as your sole and exclusive remedy, return all of the SOFTWARE
PRODUCT and the documentation to the authorized dealer from whom you obtained it, along with a
dated proof of purchase, specifying the problems, and they will provide you with a new version of the
SOFTWARE PRODUCT or a full refund, at their election.
Disclaimer and Release. THE WARRANTIES, OBLIGATIONS AND LIABILITIES OF
WATCHGUARD, AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS 4, 4(A) AND 4(B)
ABOVE ARE EXCLUSIVE AND IN SUBSTITUTION FOR, AND YOU HEREBY WAIVE,
DISCLAIM AND RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND
LIABILITIES OF WATCHGUARD AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU
MAY HAVE AGAINST WATCHGUARD, EXPRESS OR IMPLIED, ARISING BY LAW OR
OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE
SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED
WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR
USAGE OF TRADE, ANY WARRANTY OF NONINFRINGEMENT, ANY WARRANTY THAT
THIS SOFTWARE PRODUCT WILL MEET YOUR REQUIREMENTS, ANY WARRANTY OF
UNINTERRUPTED OR ERROR-FREE OPERATION, ANY OBLIGATION, LIABILITY, RIGHT,
CLAIM OR REMEDY IN TORT, WHETHER OR NOT ARISING FROM THE NEGLIGENCE
(WHETHER ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF WATCHGUARD AND ANY
OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY FOR LOSS OR DAMAGE TO, OR
CAUSED BY OR CONTRIBUTED TO BY, THE SOFTWARE PRODUCT).
Limitation of Liability. WATCHGUARD’ liability (whether in contract, tort, or otherwise; and
notwithstanding any fault, negligence, strict liability or product liability) with regard to THE
SOFTWARE Product will in no event exceed the purchase price paid by you for such Product. IN
NO EVENT WILL WATCHGUARD BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER
ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE
OR IMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT), FOR ANY INDIRECT,
SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT
LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF
BUSINESS INFORMATION) ARISING OUT OF OR IN CONNECTION WITH THIS WARRANTY
OR THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, EVEN IF
WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
5. United States Government Restricted Rights. The enclosed SOFTWARE PRODUCT and
documentation are provided with Restricted Rights. Use, duplication or disclosure by the U.S.
Government or any agency or instrumentality thereof is subject to restrictions as set forth in
iv
subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted
Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies,
Incorporated, 505 Fifth Avenue, Suite 500, Seattle, WA 98104.
6. Export Controls. You agree not to directly or indirectly transfer the SOFTWARE PRODUCT or
documentation to any country to which such transfer would be prohibited by the U.S. Export
Administration Act and the regulations issued thereunder.
7. Termination. This license and your right to use the SOFTWARE PRODUCT will automatically
terminate if you fail to comply with any provisions of this AGREEMENT, destroy all copies of the
SOFTWARE PRODUCT in your possession, or voluntarily return the SOFTWARE PRODUCT to
WATCHGUARD. Upon termination you will destroy all copies of the SOFTWARE PRODUCT and
documentation remaining in your control or possession.
8. Miscellaneous Provisions. This AGREEMENT will be governed by and construed in accordance
with the substantive laws of Washington excluding the 1980 United National Convention on
Contracts for the International Sale of Goods, as amended. This is the entire AGREEMENT between
us relating to the contents of this package, and supersedes any prior purchase order,
communications, advertising or representations concerning the contents of this package AND BY
USING THE SOFTWARE PRODUCT YOU AGREE TO THESE TERMS. No change or
modification of this AGREEMENT will be valid unless it is in writing, and is signed by
WATCHGUARD.
9. Canadian Transactions: If you obtained this SOFTWARE PRODUCT in Canada, you agree to
the following:
The parties hereto have expressly required that the present AGREEMENT and its Exhibits be drawn
up in the English language. / Les parties aux presentes ont expressement exige que la presente
conventions et ses Annexes soient redigees en la langue anglaise.
Declaration of Conformity
WatchGuard Technologies, Inc.
505 Fifth Avenue South
Suite 500
Seattle, WA 98104-3892
Declares the CE-marked product:
Product: Firebox family of appliances
Complies with: 73/23/EEC Low Voltage Directive 89/336/EEC
Compliance
Standards:
Electromagnetic Compatibility Directive
EN60950:1992 Electrical Safety A1:1993, A2:1993,
EN55022,Class A RF Emissions Information Technology
EN50082-1 EMC Immunity Standard
A3:1995, A4:1997, A11:1997
User Guide v
FCC Certification
This device has been tested and found to comply with limits for a Class A digital
device, pursuant to Part 15 of the FCC Rules. Operation is subject to the following
two conditions:
1 This device may not cause harmful interference.
2 This device must accept any interference received, including interference that
may cause undesired operation.
CE Notice
The official CE symbol indicates compliance of this WatchGuard Technologies, Inc.
product to the EMC directive of the European Community. The CE symbol found
here or elsewhere indicates that this WatchGuard product meets or exceeds the
following standards:
EN60950:1992 Electrical Safety A1:1993, A2:1993, A3:1995,
EN55022,Class ARF Emissions Information Technology
EN50082-1 EMC Immunity Standard
A4:1997, A11:1997
CSA Statement
This Class A digital apparatus meets all requirements of the Canadian InterferenceCausing Equipment Regulations.
Cet appareil numerique de la classe A respecte toutes les exigences du Reglement sur
le materiel broulleur du Canada.
vi
Table of Contents
PART I
PART II
CHAPTER 1 LiveSecurity Service .......................................................... 7
CHAPTER 2 Technical Support ........................................................... 11
CHAPTER 3 WatchGuard Options ...................................................... 17
Introduction ................................................................................1
Welcome to WatchGuard ............................................................... 1
WatchGuard Firebox System components .....................................1
Minimum requirements .................................................................. 3
WatchGuard Services ..................................................................5
LiveSecurity broadcasts ..................................................................7
Accessing frequently asked questions (FAQ) ...............................11
Getting Internet technical support ............................................... 12
Getting telephone support .......................................................... 12
Training .........................................................................................13
WatchGuard users group ..............................................................14
Online Help .................................................................................. 14
Currently available options ........................................................... 17
Obtaining WatchGuard options ...................................................18
PART III
User Guide vii
Configuring a Security Policy ....................................................19
CHAPTER 4 Firebox Basics .................................................................. 21
What is a Firebox? ........................................................................ 21
Opening a configuration file ........................................................ 23
Saving a configuration file ............................................................ 23
Resetting Firebox passphrases .....................................................24
Setting the time zone ...................................................................25
Reinitializing a misconfigured Firebox ..........................................25
CHAPTER 5 Using the WatchGuard Control Center .........................27
Navigating the WatchGuard Control Center ................................27
Control Center components .........................................................27
Working with the Control Center ..................................................30
Policy Manager .............................................................................31
Firebox Monitors ...........................................................................32
LogViewer .....................................................................................32
HostWatch ....................................................................................33
Historical Reports ..........................................................................33
LiveSecurity Event Processor ........................................................33
CHAPTER 6 Configuring a Network ...................................................35
Running the QuickSetup wizard ....................................................35
Setting up a drop-in network ........................................................36
Setting up a routed network .........................................................37
Adding a secondary network ........................................................38
Defining a network route ..............................................................38
Defining a host route ....................................................................39
Changing an interface IP address .................................................39
Setting the default gateway ..........................................................39
Entering WINS and DNS server addresses ...................................40
Defining a Firebox as a DHCP server ............................................40
CHAPTER 7 Blocking Sites and Ports .................................................43
Configuring default packet handling ............................................43
Blocking a site permanently .........................................................44
Blocking a port permanently ........................................................45
Blocking sites temporarily with service settings ...........................46
CHAPTER 8 Configuring Services .......................................................47
Adding an existing service ............................................................47
Creating a new service ..................................................................48
Defining service properties ...........................................................49
Configuring services for authentication ........................................51
Modifying a Service ......................................................................51
viii
Deleting a service .........................................................................51
Setting up proxy services ..............................................................52
Service precedence ...................................................................... 56
CHAPTER 9 Controlling Web Traffic .................................................. 59
How WebBlocker works ................................................................59
Configuring the WebBlocker service ............................................ 60
Manually downloading the WebBlocker database ....................... 62
CHAPTER 10 Setting Up Network Address Translation ..................... 63
What is dynamic NAT? .................................................................63
Using simple dynamic NAT .......................................................... 64
Using service-based NAT .............................................................65
Configuring a service for incoming static NAT .............................66
CHAPTER 11 Setting Up Logging and Notification ...........................69
Ensure logging with failover logging ...........................................69
WatchGuard logging architecture ................................................70
Designating Event Processors for a Firebox ................................. 70
Setting up the LiveSecurity Event Processor ................................ 73
Setting global logging and notification preferences ....................75
Customizing logging and notification by service or option ......... 76
CHAPTER 12 Connect with Out-of-Band Management .................... 79
PART IV
CHAPTER 13 Creating Aliases and Implementing Authentication .. 85
CHAPTER 14 Monitoring Firebox Activity ...........................................93
Connecting a Firebox with OOB management ............................79
Enabling the Management Station ............................................... 79
Configuring the Firebox for OOB ................................................. 81
Establishing an OOB connection ................................................. 81
Administering a Security Policy ................................................83
Using host aliases ......................................................................... 85
What is user authentication? ........................................................87
Configuring Firebox authentication .............................................88
Configuring Windows NT Server authentication ..........................88
Configuring RADIUS server authentication ..................................89
Configuring CRYPTOCard server authentication ......................... 90
Configuring SecurID authentication ............................................. 91
Using authentication to define remote user VPN access ............. 92
Firebox Monitors .......................................................................... 93
HostWatch .................................................................................... 98
User Guide ix
CHAPTER 15 Reviewing and Working with log files ........................103
Viewing files with LogViewer ......................................................103
Displaying and hiding fields .......................................................105
Working with log files .................................................................106
CHAPTER 16 Generating Reports of Network Activity ....................109
Starting Historical Reports ..........................................................109
Creating and editing reports ......................................................109
Specifying report sections ..........................................................110
Specifying a report time span .....................................................111
Consolidating report sections .....................................................111
Setting report properties ............................................................111
Exporting reports ........................................................................112
Using report filters ......................................................................113
Scheduling and running reports .................................................114
Report sections and consolidated sections ................................115
PART V
CHAPTER 17 Configuring Branch Office Virtual Private Networking.121
CHAPTER 18 Configuring the Firebox for Remote User VPN .........133
CHAPTER 19 Preparing a Host for Remote User VPN .....................141
WatchGuard® Virtual Private Networking ............................ 119
Configuration checklist ...............................................................121
Using DVCP to connect to devices .............................................122
Branch office VPN with IPSec ......................................................124
Configuring WatchGuard VPN ....................................................130
Configuration checklist ...............................................................133
Configuring shared servers for RUVPN .......................................134
Adding remote access users .......................................................134
Configuring services to allow incoming RUVPN .........................135
Configuring the Firebox for Remote User PPTP .........................136
Configuring the Firebox for Mobile User VPN ............................137
Configuring debugging options .................................................140
Preparing the client computers ..................................................141
Configuring the remote host for RUVPN with PPTP ...................145
Using Remote User PPTP ............................................................146
Configuring debugging options .................................................147
Index ............................................................................................. 149
x
PART I
Introduction
Welcome to WatchGuard
The WatchGuard Firebox System consists of:
• A suite of management and security software tools
• A Plug and Play network appliance called the WatchGuard Firebox
• A security-related broadcast service
In the past, a connected enterprise needed a complex set of tools, systems, and
personnel for access control, authentication, virtual private networking, network
management, and security analysis. These costly systems were difficult to integrate
and not easy to update. Today, the WatchGuard Firebox System delivers a complete
network security solution to meet modern security challenges:
• Keep network defenses current
• Protect every office connected to the Internet
• Encrypt communications to remote offices and traveling users
• Manage the security system from a single site
The WatchGuard Firebox System is a reliable, flexible, scalable, and inexpensive
network security solution. Its setup and maintenance costs are small, and it supports
a rich feature set. When properly configured and administered, the Firebox System
reliably defends any network against external threats.
WatchGuard Firebox System components
The WatchGuard Firebox System has all of the components needed to conduct ebusiness safely. It is made up of the following:
• Security appliance (the WatchGuard Firebox)
• Control Center
User Guide 1
WatchGuard Firebox System components
•Security suite
• LiveSecurity Service
WatchGuard Firebox
The Firebox family of appliances are specially designed and optimized machines.
They are small, efficient, and reliable. The Firebox is a low-profile component with an
indicator display panel in front and physical interfaces in back.
For detailed Firebox specifications, see the Reference Guide.
WatchGuard Control Center
WatchGuard Control Center is a toolkit of applications run from a single location,
enabling you to configure, manage, and monitor your network security policy.
Control Center includes:
Policy Manager
Used to design, configure, and manage the electronic portion of a network
security policy.
Firebox Monitors
Combines the WatchGuard set of monitoring tools into a single user interface.
LogViewer
Displays a static view of the log data, which you can filter by type, search for
keywords and fields, and print and save to a separate file.
HostWatch
Displays active connections occurring on a Firebox in real time or represents
the connections listed in a log file. HostWatch either plays back a previous file
for review or displays connections in real time, as they are added to the
current log file.
Historical Reports
Creates HTML reports that display session types, most active hosts, most used
services, URLs, and other data useful in monitoring and troubleshooting your
network.
WatchGuard security suite
In addition to basic security policy configuration, the Firebox System includes a suite
of advanced software features. These include:
• User authentication
• Network address translation
• Remote user virtual private networking
• Branch office virtual private networking
• Selective Web-site blocking
2
Minimum requirements
LiveSecurity Service
The innovative LiveSecurity Service subscription makes it easy to maintain the
security of an organization’s network. WatchGuard’s team of security experts publish
alerts and software updates, which are broadcast to your e-mail client.
Minimum requirements
This section describes the minimum hardware and software configurations necessary
to successfully install, run, and administer version 4.6 of the WatchGuard Firebox
System.
Software requirements
WatchGuard Firebox System software version 4.6 can run on Microsoft Windows 95,
Windows 98, Windows NT 4.0, or Windows 2000, as specified below:
Windows 95 requirements
•Microsoft Windows 95
• Service Release 2 or later
Windows 98 requirements
•Microsoft Windows 98
Windows NT requirements
•Microsoft Windows NT 4.0
• Microsoft Service Pack 4, Service Pack 5, or Service Pack 6a for Windows NT 4.0
Windows 2000 requirements
• Microsoft Windows 2000
Web browser requirements
You must have Microsoft Internet Explorer 4.0 or later to run the installation from the
CD. The following HTML-based browsers are recommended to view WatchGuard
Online Help:
• Netscape Communicator 4.7 or later
• Microsoft Internet Explorer 5.01 or later
Microsoft Internet Explorer 5.5 is not currently supported.
User Guide 3
Minimum requirements
Hardware requirements
Minimum hardware requirements are the same as for the operating system on which
the WatchGuard Firebox System 4.6 runs. The recommended hardware ranges are
listed below.
Hardware
feature
CPU Pentium II
Memory Same as for operating system.
Hard disk space 25 MB to install all WatchGuard modules
CD-ROM drive
(optional)
Minimum requirement
Recommended:
32 MB for Windows 95a
64 MB for Windows 98
64 MB for Windows NT 4.0
64 MB for Windows 2000 Professional
256 MB for Windows 2000 Server
15 MB minimum for log file
Additional space as required for log files
Additional space as required for multiple
configuration files
One CD-ROM drive to install WatchGuard from
its CD-ROM distribution disk, or download the
software from the LiveSecurity Web site
4
PART II
The WatchGuard Firebox System is considerably more than a piece of hardware. This
section describes two WatchGuard service components that address your security
requirements, and the optional features available to you.
WatchGuard® Services
LiveSecurity Service
The key to a high quality, effective network security policy is rapid response
to challenges and threats. The LiveSecurity Service enables network security
experts to provide quick responses to the changing Internet security
environment. Information such as alerts, editorials, threat responses, and
software updates are sent through your e-mail client.
Technical Support
The WatchGuard Technical Support team offers services to assist
configuration and administration of the Firebox System. Services include
Frequently Asked Questions, a WatchGuard user-group mailing list, Internet
and telephone support, and training.
WatchGuard Optional Features
WatchGuard expands its network security package with additional features
suited to some company and office environments. Current offerings include
VPN Manager, High Availability, Mobile User VPN, and SpamScreen.
User Guide 5
6
CHAPTER 1 LiveSecurity Service
No Internet security solution is complete without systematic updates. From the latest
hacker techniques to the most recently discovered operating system bug, the daily
barrage of new threats poses a perpetual challenge to any Internet security solution.
The LiveSecurity Service keeps your security system up-to-date by delivering
solutions to you. Software Updates, Threat Responses, and other broadcasts are emailed directly to your desktop.
LiveSecurity broadcasts
The WatchGuard LiveSecurity Rapid Response Team periodically broadcasts
information and software directly to your desktop through e-mail. Broadcasts are
divided into several channels to help you immediately recognize and process
incoming information.
Information Alert
Information Alerts provide timely notification of breaking news and current
issues in Internet security. By the time the mass media report on a new hacker
threat, you have already been briefed on its impact and the proper system
configuration necessary to protect against it.
Threat Response
After a newly discovered threat is identified, the Rapid Response Team
transmits an update specifically addressing this threat to make sure your
network is continuously protected. Each Threat Response includes a
description detailing the nature and severity of the threat, the risks it poses,
and what steps you should take.
Software Update
In addition to Threat Responses that address security challenges, you receive
functional software enhancements on an ongoing basis that cover your entire
WatchGuard Firebox System. An installation wizard and release notes
User Guide 7
LiveSecurity broadcasts
accompany each transmission for easy installation. These convenient
transmissions relieve you of the burden of tracking the latest software version
to keep your system state of the art.
Editorial
Leading security experts from around the world join the WatchGuard Rapid
Response Team in contributing useful editorials to provide a source of
continuing education on this rapidly changing subject.
Support Flash
These technical tutorials provide tips for managing the WatchGuard Firebox
System. Support Flashes supplement other resources such as online Help,
FAQs, and Known Issues pages on the Technical Support Web site.
Virus Alert
In cooperation with TrendMicro, WatchGuard issues weekly broadcasts that
provide the latest information on new computer viruses. WatchGuard also
issues special virus-specific alerts as conditions warrant.
New from WatchGuard
To keep you abreast of new features, product upgrades, and upcoming beta
programs, WatchGuard announces their availability first to our existing
customers.
Activating the LiveSecurity Service
The LiveSecurity Service can be activated two ways: through the setup wizard on the
CD-ROM, and through the activation section of the WatchGuard LiveSecurity Web
pages. The setup wizard is detailed thoroughly in the Install Guide. Refer to that
document for further information.
To activate the LiveSecurity Service through the Web:
1 Be sure that you have the LiveSecurity license key and the Firebox serial number
handy. You will need these during the activation process.
2 Using your Web browser, go to
http:\\www.watchguard.com\activation
The “Activate Your LiveSecurity Service Subscription” page appears.
You must have JavaScript enabled on your browser to be able
to activate LiveSecurity Service.
3 Complete the LiveSecurity Activation form.
All of the fields are required for successful registration. The profile information helps
WatchGuard to target information and updates to your needs. The following tips may assist you
in completing the form:
• Navigate fields using either the TAB key or the mouse.
• The Firebox serial number is displayed in two locations:
- A small silver sticker on the outside of the shipping box.
- A sticker on the back of the Firebox, just below the UPC bar code.
8
LiveSecurity broadcasts
• The License Key number is located on the WatchGuard LiveSecurity
Agreement License Key Certificate. Enter the number in the exact form shown
on the key, including the hyphens.
• Verify that your e-mail address is correct. You will receive your activation
confirmation mail and all of your LiveSecurity broadcasts at this address.
4Click Submit.
5 Select a download site.
WatchGuard recommends selecting the server that is geographically closest to you. After you
select a server, a scrollable list of WatchGuard software and documentation appears.
6 Minimize or close your Web browser.
User Guide 9
LiveSecurity broadcasts
10
CHAPTER 2 Technical Support
Developing and implementing a network security policy can be a challenge. In
addition to familiarity with the WatchGuard Firebox System, it requires experience
with advanced networking concepts, programs, and protocols.
The WatchGuard Technical Support team has a variety of methods to answer your
questions and assist you with improving the security of your network, including:
•FAQs
• Internet support
• Telephone support
• Training
•Online Help
Accessing frequently asked questions (FAQ)
The WatchGuard Technical Support team listens to our customers. When a question
about firewall configuration or administration occurs repeatedly, we pull together an
FAQ to document the issue and provide explanation and clarification. Where
appropriate, the FAQs also include workarounds and troubleshooting tips.
From the Control Center:
1Click the
Or, from your Web browser, go to http://www.watchguard.com/FAQS.
2 Select On the Web. Select Frequently Asked Questions.
If you would like WatchGuard to produce a new FAQ on a particular
topic, send e-mail to
LiveSecurity Control Center button (shown at right).
faq@watchguard.com with “FAQ Request” in the subject line.
User Guide 11
Getting Internet technical support
Known issues
Another source of information about the WatchGuard Firebox System is the Known
Issues page on the Technical Support Web. When our engineering or Technical
Support team discovers a limitation or problem with our product, we immediately
post the information on the Known Issues page. We provide a description of the issue
as well as workarounds and, where appropriate, the software version where a
permanent fix will be implemented. To access the Known Issues page:
1Open your Web browser to
https://www.watchguard.com/support/
2Log in.
3Click the Technical Support link on the left.
The Customer Support page appears.
4Click the LSS/SOHO Known Issues link on the left.
The Known Issues page opens.
Getting Internet technical support
Our Technical Support team developed a Web page to assist with framing and
submitting a technical support issue. The information you provide allows us to route
the question to the appropriate support technician. It also enables us to link the
question with information you report about your network as well as our database of
all the support issues you have brought to our attention.
To access Internet technical support, you must have your LiveSecurity License key.
To access Technical Support and its Web interface, from the Control Center:
1Click the
2 Select
Or, open your Web browser and connect to the secure WatchGuard support site
at https://www.watchguard.com/support/.
LiveSecurity Control Center button (shown at right).
On the Web. Select Product Support.
3Log in.
4Click
Create New Incident.
5 Complete the Support Incident form. Click
Your issue is entered in the WatchGuard Technical Support database and routed to the
appropriate support technician.
Getting telephone support
If you have a problem, please contact us via the Web to submit a profile of your case.
Follow up with a phone call only if the need is too time-critical to wait for a Web
response.
Submit.
12
The WatchGuard Technical Support team recognizes that no one likes to be put on
hold. We make it our policy to answer every call. If we cannot answer your question
immediately, we request your telephone number and call you back as soon as we
have an answer.
Training
When you call WatchGuard Technical Support, you are prompted for your
LiveSecurity License key. We use this key to track the information you report about
your network, and to add this issue to our database of all the support issues you have
brought to our attention.
After you enter your LiveSecurity License key, you are automatically routed to a
support technician familiar with your WatchGuard product. If no one is available,
our call manager will speak with you, logging your call and a description of your
issue to ensure the fastest possible response. The call manager may be aware of new
documentation or FAQs that can aid you immediately.
Before calling Technical Support, you should:
• Check online for an FAQ.
• Document your question.
• Be prepared with your LiveSecurity key.
• Have completed the Network Configuration Worksheet.
Often, the Technical Support team requires access to your Firebox to assist with
troubleshooting the problem. Please have this service configured to allow for remote
WatchGuard troubleshooting prior to calling Technical Support. To open your
Firebox for remote access by WatchGuard Technical Support, edit the Incoming
service properties for the WatchGuard service icon to allow:
WatchGuard Technical Support numbers are:
(877) 232-3531 (U.S. end-user support)
(206) 521-8375 (U.S. authorized reseller support)
(360) 482-1083 (International support)
Training
WatchGuard is committed to providing you with accessible and comprehensive
training covering our entire product line. Although WatchGuard products are
designed for ease of use, understanding how to correctly install, configure, manage,
and troubleshoot these products is an important component of effective Internet
security.
WatchGuard Interactive Training System (WITS)
WatchGuard Training offers the WatchGuard Interactive Training System (WITS), a
freely available online training system. WITS is designed to guide students through
all components of the Firebox System. Courseware features Basic and Advanced
curriculums, and is divided into training modules and units for self-paced
instruction. WITS is available to all current LiveSecurity subscribers. To access WITS,
log in to your LiveSecurity account and click the link to Training.
• From: network address 208.146.43.0/24
•To: Any
User Guide 13
WatchGuard users group
Instructor-led courses
WatchGuard offers a series of courses supporting our product line. Current titles
include a two-day course on firewalling basics with the WatchGuard Firebox System
and a one-day course on virtual private networking. These courses are delivered by
certified WatchGuard trainers, both at our facility in Seattle and by our partners
around the country. For more information on upcoming training dates, please send a
request to traininginfo@watchguard.com or visit our Web site at
http://www.watchguard.com/training/main.html.
WatchGuard users group
The WatchGuard users group is an online forum in which the users of the
WatchGuard Firebox System exchange ideas, questions, and tips regarding all aspects
of the product, including configuration, compatibility, and networking. Although
WatchGuard engineers and Technical Support monitor the users group, the forum
should not be used for reporting support issues to WatchGuard Technical Support.
Instead, contact WatchGuard Technical Support directly via the Web interface or
telephone.
Subscribing to wg-users@watchguard.com
To join the WatchGuard users group, send e-mail to wg-users-
request@watchguard.com
message (not the subject line).
Unsubscribing from wg-users@watchguard.com
To remove yourself from the WatchGuard users group, send e-mail to wg-users-
request@watchguard.com
(not the subject line). This removes your e-mail address from the wg-users list, and
you will no longer receive e-mail from the group.
Contributing to wg-users@watchguard.com
To post a message to the WatchGuard Users Group, send e-mail to
wg-users@watchguard.com.
Online Help
WatchGuard Online Help is a Web-based system with cross-platform functionality
that enables you to install a copy on virtually any computer. A static version of the
Online Help system is installed automatically with the Firebox System software in a
subdirectory of the installation directory called Help. In addition, a “live,”
continually updated version of Online Help is available at:
with the word “subscribe” anywhere in the body of the
with the word “unsubscribe” in the body of the message
14
http://help.watchguard.com/lss/46
Online Help
Starting WatchGuard Online Help
WatchGuard Online Help can be started either from the WatchGuard Management
Station or directly from a browser.
Searching for topics
You can search with WatchGuard Online Help three ways:
• In the Management Station software, press F1.
• On any platform, browse to the directory containing WatchGuard Online Help.
Open
LSSHelp.html. The default installation directory is C:/Program Files/
WatchGuard/Help .
Contents
The Contents tab displays a list of topics within the Help system. Double-click
a book to expand a category. Click a page title to view topic contents.
Index
The index provides a list of keywords found within Help. Begin typing the
keyword and the index list will automatically scroll to entries beginning with
those letters. Click a page title to view topic contents.
Search
The Search feature offers a full-text search of the entire Help system. Enter a
keyword. Press ENTER to display a list of topics containing the word. The
Search feature does not support Boolean searches.
Copying the Help system to additional platforms
WatchGuard Online Help can be copied from the Management Station to additional
workstations and platforms. When doing so, copy the entire Help directory from the
WatchGuard installation directory on the Management Station. It is important to
include all subdirectories exactly as they appear in the original installation.
Online Help system requirements
Web browser
• Internet Explorer 4.0 or higher
• Netscape Navigator 4.7 or higher
Microsoft Internet Explorer 5.5 is currently not supported.
Operating system
• Windows 95/98, Windows NT 4.0, or Windows 2000
•Sun Solaris
•Linux
User Guide 15
Online Help
Context-sensitive Help
In addition to the regular online Help system, context-sensitive or What’s This? Help
is also available. What’s This? Help provides a definition and useful information on
fields and buttons in the dialog boxes. To access What’s This? Help:
1 Right-click any field or button.
2Click
What’s This? when it appears.
A box appears with the field name on the top and information about the field beneath it.
3 To print or save the Help box as a separate file, right-click the Help field.
A menu offering Copy or Print appears.
4 Select the menu item you want.
5 When you are done, left-click anywhere outside the box to dismiss it.
Context-sensitive Help does not currently support the question
mark icon.
16
CHAPTER 3 WatchGuard Options
The WatchGuard Firebox System is enhanced by optional features designed to
accommodate the needs of different customer environments and security
requirements.
Currently available options
VPN Manager
WatchGuard VPN Manager is a centralized module for creating and managing the
network security of an organization that uses the Internet to conduct business. VPN
Manager can administer and monitor an enterprise’s sum total of Fireboxes, log hosts,
networks, and VPN tunnels. VPN Manager also contains the controls to launch the
applications of the WatchGuard Firebox System.
High Availability
High Availability enables one Firebox to take over when another fails. When using
High Availability, you place two Fireboxes and the Management Station on the
trusted network and provide each Firebox with the same configuration file. The first
Firebox manages traffic and protects the network while the second waits in a passive,
listening mode. If the first Firebox fails for any reason, the second Firebox
immediately takes over. When the first Firebox returns to functioning capacity, the
second Firebox again takes the passive role, ensuring that your network is constantly
protected.
To use High Availability, purchase the High Availability option as well as a second
Firebox of the same model as your first.
User Guide 17
Obtaining WatchGuard options
Mobile User VPN
Mobile User VPN is the WatchGuard IPSec implementation of remote user virtual
private networking. Mobile User VPN connects an employee on the road or working
from home to trusted and optional networks behind a Firebox using a standard
Internet connection, without compromising security.
Mobile User VPN licenses are available in packs of five. Each license enables a
connection for one remote host IP address.
SpamScreen
SpamScreen helps to control “spam”–e-mail sent to you or your end users without
permission. Spam consumes valuable bandwidth on your Internet connection and on
the hard disk space and CPU time of your mail server. If allowed to enter your
network unchecked, spam consumes workers’ time to read and remove. WatchGuard
SpamScreen identifies spam as it comes through the Firebox. You can choose to either
block the spam at the Firebox or tag it for easy identification or sorting.
Obtaining WatchGuard options
WatchGuard options are available from your local reseller. For more information
about purchasing WatchGuard products visit
http://www.watchguard.com/sales/
18
PART III
This section describes how to configure your security system. Its primary focus is on
using the WatchGuard Control Center and Policy Manager to develop and
implement a network security policy. It includes chapters on:
Configuring a Security Policy
WatchGuard Control Center
The WatchGuard Control Center is an intuitive management, monitoring, and
reporting package that puts everything you need at your fingertips. From a
single location, you can configure your system, implement security policies,
and monitor all of your protected systems.
Firebox basics
Complete basic tasks related to setting up and using the Firebox hardware,
including opening and saving configuration files, and setting the Firebox time
zone.
Configure a network
After installation, the next step in implementing a security policy is to
delineate your network. Set up either a drop-in or routed network, add
secondary networks, and define network and host routes.
Block sites and ports
Use default packet handling to establish a global policy for dynamically
blocking packets and sites. Alternatively, configure your network to
permanently block individual sites and ports.
Configure services
With the network configured, apply protection for individual services such as
SMTP and FTP. Define both incoming and outgoing traffic rules as well as
specific service properties.
Control Web traffic
Use the WebBlocker feature of the WatchGuard Firebox System in conjunction
with the HTTP proxy to provide Web-site filtering capabilities. This enables
User Guide 19
you to exert fine control over the type of Web sites users on your Trusted
network are allowed to view.
Set up network address translation (NAT)
Hide the real IP addresses of the hosts and networks behind your firewall
through the use of network address translation. You can set NAT policy at
both the global and the individual service levels.
Set up logging and notification
What events are logged and how and when a network administrator is
notified is an important component of a security policy. Assign and configure
the LiveSecurity Event Processor and set both global and service-specific log
and notification preferences.
Connect with out-of-band management
Configure a Firebox over a modem connection using out-of-band (OOB)
management.
20
Loading...