Information in this guide is subject to change without notice. Companies, names, and data used in examples
herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any
form or by any means, electronic or mechanical, for any purpose, without the express written permission of
WatchGuard Technologies, Inc.
Complete copyright, trademark, patent, and licensing information can be found in the appendix of this User Guide.
All trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Management Software: 8.0
Appliance Software: WFS 7.4 and Fireware Pro 8.0
Document Version: 8.0-050411
ADDRESS:
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
SUPPORT:
www.watchguard.com/support
support@watchguard.com
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
SALES:
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.521.8340
ABOUT WATCHGUARD
WatchGuard is a leading provider of network security solutions for small- to midsized enterprises worldwide, delivering integrated products and services that are
robust as well as easy to buy, deploy and manage. The company’s Firebox X family of
expandable integrated security appliances is designed to be fully upgradeable as an
organization grows and to deliver the industry’s best combination of security,
performance, intuitive interface and value. WatchGuard Intelligent Layered Security
architecture protects against emerging threats effectively and efficiently and provides
the flexibility to integrate additional security functionality and services offered
through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity
Service subscription to help customers stay on top of the security landscape with
vulnerability alerts, software updates, expert security instruction and superior
customer care. For more information, please call (206) 521-8340 or visit
www.watchguard.com
CHAPTER 1 Getting Started
Historically, organizations used many tools, systems, and personnel to control the security of their networks. Different computer systems controlled access, authentication, virtual private networking, and network control. These expensive systems are not easy to use together or to keep up-to-date. WatchGuard®
System Manager (WSM) supplies an integrated solution to manage your network and control security
problems. This chapter tells you how to install WatchGuard System Manager into your network.
About WatchGuard System Manager
WatchGuard® System Manager (WSM) gives you an easy and efficient way to manage your network security. Use one computer as a management station to show, manage, and monitor all the Fireboxes in your
network.
WSM gives support for mixed environments. You can manage Firebox® III and Firebox X devices that use
different versions of appliance software. You can also manage Firebox X Edge devices.
WSM has three servers that do Firebox management functions:
WatchGuard Management Server
The WatchGuard Management Server operates on a Windows computer. With this server, you
can manage all Firewall devices and create VPN tunnels using a simple drag-and-drop
function. The basic functions of the Management Server are:
- Centralized management of VPN tunnel configurations
- The certificate authority for distributing certificates for IPSec tunnels
- Protocol translation in support of the WatchGuard SOHO and Firebox X Edge products
Log Server
The Log Server collects logs from each WatchGuard Firebox. The native storage format is
XML (plain text) for easy troubleshooting and reporting. Among the information collected
from firewall devices are traffic logs, event logs, alarms, and diagnostic messages.
WebBlocker Server
The WebBlocker Server operates with the Firebox HTTP proxy to deny user access to
applicable Web sites. The administrator sets the categories of permitted Web sites during
Firebox configuration. The HTTP proxy on the Firebox then works with the WebBlocker
Server to determine whether a Web site is in a category that is not allowed.
About Hardware and Appliance Software
Appliance software
Appliance software is a software program or operating system that is permanently kept on your hardware.
The Firebox® uses the appliance software with the configuration file to operate. When you upgrade your
Firebox device, you write a new version of the appliance software to its memory. Although each Firebox
model is loaded with a default appliance software type, you can upgrade the appliance software independently of the hardware.
Two types of appliance software are available to WatchGuard® customers:
• WatchGuard Firebox System (WFS) — This is the default appliance software on Firebox III and
Firebox X Core devices. It is the standard version of the appliance software successfully used by
WatchGuard customers since 1998, with several new enhancements added.
• Fireware Pro — This is the default appliance software on Firebox X Peak devices. If you have a
Firebox X Core, you can purchase a Fireware upgrade. This software has the following advanced
features for more complex networks:
- Signature-based IDP
- Gateway AntiVirus for E-Mail
- Advanced networking options including QoS, dynamic routing, and support for multiple
WAN interfaces
When you install WatchGuard System Manager, it automatically installs the software tools you must have
to configure and manage a Firebox with any type of appliance software. These include:
• Firebox System Manager
• Policy Manager
• HostWatch
When you add a Firebox to be managed by WSM, the software automatically identifies which appliance
software the Firebox uses. If you select the Firebox and then click an icon on the toolbar, it automatically
starts the correct management tool.
For example, if you add a Firebox X700 operating with WFS appliance software to the Devices tab of WSM
and then click the Policy Manager icon on the WSM toolbar, Policy Manager for WFS automatically starts
and opens the configuration file. However, if you add a Firebox X700 operating with Fireware appliance
software and click the Policy Manager icon, Policy Manager for Fireware starts instead.
Upgrading the appliance software
If you have a Firebox X Core, the WFS appliance software is loaded on the box. Or, you can purchase an
upgrade to Fireware Pro. See the Migration Guide for information on upgrading from WFS to Fireware Pro.
Installing WatchGuard System Manager
Note
This installation procedure is for new installations only. If you have an earlier version of
WatchGuard® System Manager, use the upgrade procedure in the Migration Guide.
WatchGuard System Manager includes firewall appliance software and management software to protect
your network from attack. You put the Firebox® between the Internet and your trusted computers. You
then use the software installed on the management station to configure and to monitor your Firebox.
To install the WatchGuard System Manager software, you must:
• Collect your network addresses and information
• Select a network configuration mode, if you are using WFS appliance software only. This step is
not necessary if you use Fireware appliance software.
• Select to install the Management Server, Log Server, and WebBlocker Server on the same computer
as your management software, or on a different computer.
• Configure the management station
• Use the Quick Setup Wizard to make a basic configuration file
• Put the Firebox into operation on your network
Note
This chapter gives the default information for a Firebox with a three-interface configuration. If
your Firebox has more interfaces, use the same configuration tools and procedures as the
instructions for the optional interface to configure the other interfaces.
Installation requirements
Before you install WatchGuard System Manager, make sure that you have these items:
• WatchGuard Firebox security device
• WatchGuard System Manager CD-ROM
• A serial cable (blue)
• Three crossover Ethernet cables (red)
• Three straight Ethernet cables (green)
• Power cable
• LiveSecurity Service license key
Collecting network information
License Keys
Collect your license key certificates. WatchGuard System Manager comes with a LiveSecurity Service key
that enables your subscription to the LiveSecurity service. For more information about this service, see the
“Service and Support” chapter in this guide.
You get the license keys for any optional products when you purchase them. For more information about
optional products, see the Configuration Guide for your version of appliance software.
Network addresses
We recommend that you make two tables when you configure your Firebox. Use the first table for your
network IP addresses before you put the Firebox into operation.
WatchGuard uses slash notation to show the subnet mask.
Table 1 Network IP Addresses Without the Firebox
Wide Area Network                   _____._____._____._____ / ____
Default Gateway                     _____._____._____._____
Local Area Network                  _____._____._____._____ / ____
Secondary Network (if applicable)   _____._____._____._____ / ____
Public Server(s) (if applicable)    _____._____._____._____
                                    _____._____._____._____
                                    _____._____._____._____
Use the second table for your network IP addresses after you put the Firebox into operation.
Table 2 Network IP Addresses With the Firebox
Default Gateway                     _____._____._____._____
External Network                    _____._____._____._____ / ____
Trusted Network                     _____._____._____._____ / ____
Optional Network                    _____._____._____._____ / ____
Secondary Network (if applicable)   _____._____._____._____ / ____
External interface
Connects to the external network (typically the Internet), which is the source of the security risk.
Trusted interface
Connects to the private LAN or internal network that you must protect.
Optional interface(s)
Usually connects to the DMZ or the mixed-trust area of your network. The number of
optional interfaces on your Firebox depends on the model you have purchased. Use optional
interfaces to create zones in your network with different levels of access. Usually, you install
the Web, e-mail, and FTP servers on an optional interface.
Selecting a firewall configuration mode
Fireware appliance software users must use a routed firewall configuration mode. If you use WFS appliance software, you must make a decision on how to install the Firebox into your network before you
install WatchGuard System Manager. This decision controls the configuration of the Firebox interfaces. To
install the Firebox into your network, select the configuration mode—routed or drop-in—that matches the
needs of your current network.
For more information on finding which configuration mode to use with WFS appliance software, see
“WFS appliance software configuration modes” on page 9.
Selecting where to install server software
During installation, you can select to install the management station and three WatchGuard System Manager Server components on the same computer. Or you can use the same installation procedure to install
the server components on other computers. To decide, you must examine the capacity of your management station and select the installation method that best matches your needs.
If you install the Management Server, Log Server, or WebBlocker Server on a computer with an active
desktop firewall other than Windows Firewall, you must open the ports necessary for the servers to connect through the firewall. Windows Firewall users do not have to change their desktop firewall configuration. See “Installing WatchGuard Servers on computers with desktop firewalls” on page 8 for more
information.
Setting up the management station
The management station runs the System Manager software. This software shows the traffic through the
firewall. System Manager also shows connection and tunnel status. The WatchGuard Log Server records
information it receives from the Firebox. You can get access to this data using tools on the management
station.
Select one computer on your network as the management station and install the management software:
1 Insert the WatchGuard System Manager CD-ROM in the CD drive of your computer. If the installation
wizard does not appear automatically, double-click install.exe in the root directory of the CD.
2 Click Connect to LiveSecurity on the WatchGuard System Manager Installation screen. This
starts your Web browser and connects your computer to the WatchGuard Web site.
If you do not have an Internet connection, install the software from the CD-ROM. If you use this procedure, you
cannot get support, strong encryption, or VPN functions until you enable the LiveSecurity Service.
3 Use the instructions on the screen to start your LiveSecurity Service subscription.
4 Download the WatchGuard System Manager software. The speed of your Internet connection
controls the time to download the software.
Make sure that you write down the name and the path of the file when you save it to your hard drive.
5 When the download is complete, open the file and use the instructions on the screens to help
you through the installation.
The Setup program includes a screen in which you select the components of the software or the upgrades to
install. A different license is necessary when you install some software components.
Note
If your management station is already operating with a Windows toolbar, you might have to stop and
restart the toolbar before you can see the new toolbar components installed for the WatchGuard
Management System.
6 At the end of the installation wizard, a check box appears that you can select to start the Quick
Setup Wizard. Make sure you install the cables to your Firebox before you start the Quick Setup
Wizard.
Software encryption levels
The management station software is available in two encryption levels.
Base
Uses 40-bit encryption
Strong
Uses 128-bit 3DES encryption
A minimum of 56-bit encryption is necessary for the IPSec standard. To use virtual private networking
with IPSec you must download the strong encryption software.
Strong export limits apply to the strong encryption software. It is possible that it is not available for
download.
Backing up your previous configuration
If you have an earlier version of WatchGuard System Manager, you must make a backup of your security
policy configuration before you install a new version. For instructions on creating a backup of your configuration:
• If you are upgrading to a newer version of the WFS appliance software, refer to the Upgrade Guide.
• If you are moving from WFS to Fireware appliance software, refer to the Migration Guide.
Using the Quick Setup Wizard
After you configure the management station, install the Firebox cables, and (if applicable) make a backup
of your previous configuration, use the Quick Setup Wizard to make a basic configuration file. The Firebox uses this basic configuration file when it starts for the first time. This enables the Firebox to operate
as a basic firewall.
After the Firebox is configured with this basic configuration, you can use Policy Manager to expand or
change the Firebox configuration.
The Quick Setup Wizard uses a device discovery procedure to find the Firebox X model you are configuring. This procedure uses a UDP broadcast. Software firewalls, including the firewall in Microsoft Windows
XP SP2, can cause problems with the discovery procedure.
You can start the Quick Setup Wizard from the Windows desktop or from System Manager. The instructions in the wizard help you through the procedure.
From the desktop, select Start > Programs > WatchGuard System Manager 8 > Quick Setup Wizard.
Or, from System Manager, select Resources > Quick Setup Wizard.
Putting the Firebox into operation on your network
You have completed the installation of your Firebox. You can use the Firebox as a basic firewall that
allows all outgoing traffic.
Complete these steps to put the Firebox into operation on your network:
• Put the Firebox in its permanent physical location.
• In WatchGuard System Manager, use File > Connect To to connect the management station to the
Firebox.
• If you use a routed configuration, change the default gateway on all computers that you connect
to the Firebox trusted IP address.
• Configure the Log Server to start recording log messages.
• Open Policy Manager to change the basic configuration to meet your security needs.
Setting Up Your Management Server
You can select to install the Management Server on the your management station during installation. Or,
you can use the same installation procedure to install the Management Server on a different computer.
You must install the Management Server software on a computer that is behind a Firebox with a static
external IP address. The Management Server does not operate correctly if it is behind a Firebox with a
dynamic IP address on its external interface.
You use this server to:
• Start and stop the Management Server
• Set the server passphrases and license key
• Set the CRL distribution point and publication period
• Set the client and root certificate lifetime
• Launch the CA Web GUI
For information on how to set up the other WatchGuard System Manager servers (Log Server and WebBlocker
Server), see the “Working with Log Files” chapter in this guide and the Configuration Guide, respectively.
Note
If you install the Management Server, Log Server, or WebBlocker Server on a computer with an
active desktop firewall other than Windows Firewall, you must open the ports necessary for the
servers to connect through the firewall. Windows Firewall users do not have to change their
configuration. See the section “Installing WatchGuard Servers on computers with desktop
firewalls” on page 8 for more information.
Management Server passwords
The WatchGuard Management Server uses passwords to protect sensitive information kept on disk or to
secure communications with client systems.
Master password
This password is used to protect all the passwords that are kept in the password file. You must use it when
you move the Management Server data to a new system or when you restore a lost or corrupt master key
file. Because you do not frequently use the master password, we recommend that you write it down and
lock it in a secure location.
The master password is not stored in the password file. An encryption key is derived from the master password and the key data is kept on disk. The default locations for the password file and encryption key are:
• C:\Documents and Settings\WatchGuard\wgauth\wgauth.ini
• C:\Documents and Settings\WatchGuard\wgauth\wgauth.key
Because these files are used by the Management Server software, you must never change them manually.
Admin password
The administrator uses the admin password frequently because it is necessary to use it to connect to the
Management Server using WatchGuard System Manager.
Using the Management Server Setup Wizard
1 Right-click the Management Server icon in the WatchGuard toolbar at the bottom of the screen.
2 Select Start Service.
The Management Server setup wizard starts. The instructions in the wizard help you through the procedure.
Note the following:
• When an interface whose IP address is bound to the Management Server goes down and then
restarts, we recommend that you restart the Management Server.
• If you change the computer’s IP address, you must remove the Management Server and install it
again.
After Your Installation
You have successfully installed, configured, and put your new WatchGuard® System Manager into operation on your network. Here is some more information to think about.
Align your security policy
Your security policy controls who can get in to your network, where they can go, and who can get out.
The configuration file of your Firebox® makes the security policy.
The configuration file that you make with the Quick Setup Wizard is only a basic configuration. You can
make a configuration file that aligns your security policy with your requirements. To do this, add filtered
and proxied policies in addition to the basic policies described in the sections before. These policies expand what you let in and out of your network. Each policy can have an effect on your network.
The policies that increase your network security can decrease access to your network. The policies that
increase access to your network can decrease your network security. When you select these policies, you
must select a balanced range of policies. Your organization and the computer equipment that you
protect will control your selection. Some policies that organizations usually add are HTTP and
SMTP. Usually, for a new installation, we recommend that you use only packet filter policies until all your
systems operate correctly. Then, as necessary, you can add proxied policies when you know more about
them.
For more information about policies, see the Configuration Guide for your version of appliance software.
Features of the LiveSecurity Service
Your Firebox includes a subscription to our LiveSecurity® Service. Your subscription:
• Makes sure that you get the newest network protection with the newest software upgrades
• Gives solutions to your problems with full technical support resources
• Prevents downtime with messages and configuration help to prevent the newest network security
problems
• Helps you to find out more about network security through training resources
• Extends your network security with included software and other features
Installation Topics
The following sections give information that you can use while setting up your Firebox®.
Installing WatchGuard Servers on computers with desktop firewalls
Desktop firewalls can block the ports necessary for WatchGuard® Server components to operate. Before
installing the Management Server, Log Server, or WebBlocker Server on a computer with an active desktop
firewall, other than Windows Firewall, you might need to open the necessary ports on the desktop firewall. Windows Firewall users do not need to change their configuration.
This table shows you the ports you must open on a desktop firewall.
Server                                        Ports to open
Log Server with Fireware appliance software   TCP 4115
Log Server with WFS appliance software        TCP 4107
WebBlocker Server                             TCP 5003, UDP 5003
WFS appliance software configuration modes
There are two configuration modes available for users with WFS appliance software: a routed configuration or a drop-in configuration. (If you are using Fireware appliance software, drop-in mode is not available.) Many networks operate the best with a routed configuration. But we recommend the drop-in mode if:
• You have a large number of public IP addresses
• You have a static external IP address
• You cannot configure the computers on your trusted and optional networks that have public IP
addresses with private IP addresses
The table below shows three conditions that can help you to select a firewall configuration mode. We
then give more information about each mode.
Condition 1
  Routed Configuration: All interfaces of the Firebox are on different networks. The minimum
  configured interfaces are external and trusted.
  Drop-in Configuration: All interfaces of the Firebox are on the same network and have the same
  IP address (Proxy ARP).
Condition 2
  Routed Configuration: Trusted and optional interfaces must be on different networks. The two
  interfaces must have an IP address on their respective network.
  Drop-in Configuration: The computers on the trusted or optional interfaces can have a public
  IP address.
Condition 3
  Routed Configuration: Use static NAT to map public addresses to private addresses behind the
  trusted or optional interfaces.
  Drop-in Configuration: The machines that have public access have public IP addresses. Thus, no
  static NAT is necessary.
Routed configuration
You use the routed configuration when you have a small number of public IP addresses or when your
Firebox gets its external IP address using PPPoE or DHCP. This configuration also makes it easier to configure virtual private networks.
In a routed configuration, you install the Firebox with different logical networks and network addresses
on each of its interfaces. The public servers behind the Firebox use private IP addresses. The Firebox uses
network address translation (NAT) to route traffic from the external network to the public servers.
The requirements for a routed configuration are:
• All interfaces of the Firebox must be on different logical networks. The minimum configuration
includes the external and trusted interfaces. You can also configure one or more optional
interfaces.
• All computers behind the trusted and optional interfaces must have an IP address from that
network. For example, a computer on a trusted interface in the previous figure could have an IP
address of 10.10.10.200 but not 192.168.10.200, which is on the optional interface.
Drop-in configuration
With a drop-in configuration, the Firebox uses the same network for all of its interfaces. You must configure all of the interfaces. When you install the Firebox between the router and the LAN, it is not necessary
to change the configuration of the local computers. The public servers behind the Firebox continue to use
public IP addresses. The Firebox does not use network address translation to route traffic from the external to your public servers.
The properties of a drop-in configuration are:
• You use one logical network for all three interfaces.
• The Firebox uses proxy ARP. The trusted interface answers ARP requests in place of the router, and
resolves ARP for the devices behind the Firebox that cannot receive the ARP broadcasts directly.
• During installation, it is not necessary to change the TCP/IP properties of computers on the trusted
and optional interfaces. The router cannot receive the ARP broadcasts from the trusted host,
but the Firebox continues to handle ARP for the router.
• Usually, the Firebox is the default gateway in place of the router.
• You must flush the ARP cache of each computer on the trusted network.
• A large part of the LAN is on the trusted interface because there is a secondary network for the LAN.
With a drop-in configuration you do not have to change the configuration of each computer on the
trusted network that has a public IP address. But, a drop-in configuration is not easy to manage. It can
also be more difficult to troubleshoot problems.
Adding secondary networks to your configuration
A secondary network is a different network that connects to a Firebox interface with a switch or hub.
When you add a secondary network, you map an IP address from the secondary network to the IP address
of the Firebox interface. Thus, you make (or add) an IP alias to the network interface. This IP alias is the
default gateway for all the computers on the secondary network. The secondary network also tells the
Firebox that there is one more network on the Firebox interface.
To add a secondary network, do one of these procedures:
Use the Quick Setup Wizard during installation
Enter an IP address for the secondary network in the Quick Setup Wizard, as described in “Using the
Quick Setup Wizard” on page 6. This is the default gateway for your secondary private network.
Add the secondary network after the Firebox installation is complete
Use Policy Manager to add secondary networks to an interface. For information on how to use Policy
Manager, see the Configuration Guide.
Dynamic IP support on the external interface
If you use dynamic IP addressing, you must select routed configuration.
If you select the Dynamic Host Configuration Protocol (DHCP), the Firebox tells a DHCP server controlled
by your Internet Service Provider (ISP) to give the Firebox its IP address, gateway, and netmask. This server
can also give WINS and DNS server information for your Firebox. If it does not give you that information,
you must add it manually to your configuration. If necessary, you can change the WINS and DNS values
that your ISP gives you.
Point-to-Point Protocol over Ethernet (PPPoE) is also available. As with DHCP, the Firebox makes a PPPoE
protocol connection to the PPPoE server of your ISP. This connection automatically configures your IP
address, gateway, and netmask. But, PPPoE does not supply you with DNS and WINS server information
as DHCP does.
If you use PPPoE on the external interface, you must have the PPP user name and password when you
configure your network. The user name and password each have a 256-byte capacity.
When you configure the Firebox to receive dynamic IP addresses, the Firebox cannot use these functions
(for which a static IP address is necessary):
• High Availability (not available on Firebox 500)
• Drop-in mode (if you are using WFS appliance software)
• 1-to-1 NAT
• MUVPN
• RUVPN with PPTP
If your ISP uses a DHCP or PPPoE connection to give out a static IP address, the Firebox allows
you to enable MUVPN and RUVPN with PPTP because the IP address is static.
Note
External aliases and 1-to-1 NAT are not available when the Firebox is a PPPoE client.
Entering IP addresses
When you enter IP addresses in the Quick Setup Wizard or WSM dialog boxes, type the digits and periods
in the correct sequence. Do not use the TAB key, arrow key, spacebar, or mouse to put your cursor after
the periods. For example, if you type the IP address 172.16.1.10, do not type a space after you type “16.”
Do not try to put your cursor after the subsequent period to type “1.” Type a period directly after “16,”
and then type “1.10.” Press the slash (/) key to move to the netmask.
About slash notation
Use slash notation to enter the netmask. In slash notation, one number shows how many bits of the IP
address identify the network that the host is on. A netmask of 255.255.255.0 has a slash equivalent of
8+8+8=24. For example, an IP address 192.168.42.23/24 is equivalent to an IP address of 192.168.42.23
with a netmask of 255.255.255.0.
This table shows the network masks and their slash equivalents:
Network mask       Slash equivalent
255.0.0.0          /8
255.255.0.0        /16
255.255.255.0      /24
255.255.255.128    /25
255.255.255.192    /26
255.255.255.224    /27
255.255.255.240    /28
255.255.255.248    /29
255.255.255.252    /30
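The following Python script is an added example, not part of the WatchGuard guide or its software. It does the slash-notation conversion described above in both directions, rejects a non-contiguous mask (one that WSM would not accept either), and applies the routed-configuration rules from "Routed configuration": every host must take its address from its interface's network, and the interfaces must be on different logical networks. The function names are this example's own; the external address 203.0.113.2 is a constructed value from the documentation range, while 10.10.10.200 and 192.168.10.200 are the addresses used in the guide.

```python
import ipaddress
from typing import Dict, List

# Netmask / slash-equivalent pairs as listed in the guide's table.
NETMASK_TABLE = {
    "255.0.0.0": 8,
    "255.255.0.0": 16,
    "255.255.255.0": 24,
    "255.255.255.128": 25,
    "255.255.255.192": 26,
    "255.255.255.224": 27,
    "255.255.255.240": 28,
    "255.255.255.248": 29,
    "255.255.255.252": 30,
}

ALL_ONES = 0xFFFFFFFF


def netmask_to_prefix(mask: str) -> int:
    """Return the slash equivalent of a dotted netmask (255.255.255.0 -> 24).

    Raises ValueError when the 1 bits are not contiguous (e.g. 255.0.255.0),
    because such a value is not a valid netmask.
    """
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad netmask: %s" % mask)
    bits = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    prefix = bin(bits).count("1")  # 8+8+8 = 24 for 255.255.255.0
    if bits != ((ALL_ONES << (32 - prefix)) & ALL_ONES):
        raise ValueError("non-contiguous netmask: %s" % mask)
    return prefix


def prefix_to_netmask(prefix: int) -> str:
    """Return the dotted netmask for a slash value (24 -> 255.255.255.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32, got %d" % prefix)
    bits = (ALL_ONES << (32 - prefix)) & ALL_ONES
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_netmask(mask: str) -> bool:
    """True if the mask converts cleanly; used to validate worksheet entries."""
    try:
        netmask_to_prefix(mask)
        return True
    except ValueError:
        return False


def host_belongs_to_interface(host: str, interface_cidr: str) -> bool:
    """Routed-mode rule: a host behind an interface must have an address
    from that interface's network (10.10.10.200 is fine on 10.10.10.1/24,
    192.168.10.200 is not)."""
    network = ipaddress.ip_network(interface_cidr, strict=False)
    return ipaddress.ip_address(host) in network


def check_routed_plan(interfaces: Dict[str, str]) -> List[str]:
    """Routed-mode rule: all Firebox interfaces must be on different logical
    networks. Returns a list of human-readable overlap problems (empty = OK)."""
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items()}
    names = list(nets)
    problems = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append("%s (%s) overlaps %s (%s)" % (a, nets[a], b, nets[b]))
    return problems


if __name__ == "__main__":
    # Constructed example plan: external address from the 203.0.113.0/24
    # documentation range, trusted and optional networks as in the guide.
    plan = {"external": "203.0.113.2/24",
            "trusted": "10.10.10.1/24",
            "optional": "192.168.10.1/24"}
    for name, cidr in plan.items():
        addr = ipaddress.ip_interface(cidr)
        print("%-9s %s  mask %s  /%d" % (name, addr.ip, addr.netmask,
                                         netmask_to_prefix(str(addr.netmask))))
    print("overlap problems:", check_routed_plan(plan) or "none")
    print("10.10.10.200 on trusted:", host_belongs_to_interface("10.10.10.200", plan["trusted"]))
    print("192.168.10.200 on trusted:", host_belongs_to_interface("192.168.10.200", plan["trusted"]))
```

Running the script prints the three interfaces with their masks and slash values, reports no overlaps for the plan above, and shows that 192.168.10.200 would be rejected on the trusted interface. A plan with overlapping networks (for example a /16 trusted network that swallows the optional /24) is reported as a problem, which is the condition the routed-mode table says you must avoid.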
Installing the Firebox cables
Connect the power cable to the Firebox power input and to a power source.
The Quick Setup Wizard recommends that you use a straight Ethernet cable (green) to connect your management station to a hub or switch. Use another straight Ethernet cable (green) to connect your Firebox
to the same hub or switch. Then, use the instructions in the Quick Setup Wizard to connect to the Firebox.
You can also use a red crossover cable to connect the Firebox trusted interface to the management station
Ethernet port.
CHAPTER 2 Service and Support
No Internet security solution is complete without regular updates and security information. New threats
appear each day — from the newest hacker to the newest bug in an operating system — and each can
cause damage to your network systems. The LiveSecurity® Service sends security solutions directly to you
to keep your security system in the best condition. Training and technical support are available on the
WatchGuard® Web site to help you learn more about network security and your WatchGuard products.
LiveSecurity Service Solutions
The number of new security problems and the volume of information about network security continue
to increase. We know that a firewall is only the first component in a full security solution. The WatchGuard® Rapid Response Team is a dedicated group of network security personnel who help you manage
this flood of information. They monitor Internet security Web sites for you, to identify new security
problems as soon as they appear.
Threat responses, alerts, and expert advice
After a new threat is identified, the WatchGuard Rapid Response Team sends you an e-mail to tell you
about the problem. Each message gives full information about the type of security problem and the procedure you must use to make sure that your network is safe from attack.
Easy software updates
LiveSecurity® Service saves you time because you receive an e-mail when we release a new version of the
WatchGuard System Manager software. Installation wizards, release notes, and a link to the software
update make for a fast and easy installation. These continued updates make sure that you do not have to
use your time to find new software.
Access to technical support and training
You can find information about your WatchGuard products quickly with our many online resources. You
can also speak directly to one of the WatchGuard technical support personnel. Use our online training to
learn more about the WatchGuard System Manager software, Firebox, and network security.
LiveSecurity Service Broadcasts
The WatchGuard® Rapid Response Team regularly sends messages and software information directly to
your computer desktop by e-mail. We divide the messages into categories to help you to identify and
make use of incoming information immediately.
Information Alert
Information Alerts give you a fast view of the newest information and threats to Internet
security. The WatchGuard Rapid Response Team frequently recommends that you make a
security policy change to protect against the new threat. When necessary, the Information
Alert includes instructions on the procedure.
Threat Response
If a new security threat makes it necessary, the WatchGuard Rapid Response Team transmits
a software update for your Firebox®. The Threat Response includes information about the
security threat and instructions on how to download a software update and install it on your
Firebox and management station.
Software Update
When necessary, WatchGuard updates the WatchGuard System Manager software. Product
upgrades can include new features and patches. When we release a software update, you get
an e-mail with instructions on how to download and install your upgrade.
Editorial
Each week, top network security personnel come together with the WatchGuard Rapid
Response Team to write about network security. This continuous supply of information can
help you to keep your network safe and secure.
Foundations
The WatchGuard Rapid Response Team also writes information specially for security
administrators, employees, and other personnel that are new to this technology.
Loopback
At the end of each month LiveSecurity® Service sends you an e-mail with a summary of the
information sent that month.
Support Flash
These short training messages can help you to operate WatchGuard System Manager. They
are an added resource to the other online resources:
- Online Help
- FAQs
- Known Issues pages on the Technical Support Web site
Virus Alert
WatchGuard has come together with antivirus vendor McAfee to give you the most current
information about computer viruses. Each week, we send you a message with a summary of
the virus traffic on the Internet. When a hacker releases a dangerous virus on the Internet, we
send a special virus alert to help you protect your network.
New from WatchGuard
When WatchGuard releases a new product, we first tell you — our customers. You can learn
more about new features and services, product upgrades, hardware releases, and customer
promotions.
Activating the LiveSecurity Service
You can activate the LiveSecurity® Service through the Quick Setup Wizard on the CD-ROM. Or, you can
activate it through the activation section of the LiveSecurity Web pages. There is information about the
Quick Setup Wizard in the QuickStart Guide and in the “Getting Started” chapter of this book.
Note
To activate the LiveSecurity Service, you must enable JavaScript on your browser.
To activate the LiveSecurity Service through the Web:
1. Make sure that you have the LiveSecurity license key and the Firebox serial number. These are
necessary during the LiveSecurity activation procedure.
- You can find the Firebox serial number in two locations: on a small silver label on the
outer side of the Firebox package, and on a label on the rear side of the Firebox, below
the Universal Product Code (UPC) symbol.
- The license key number is on the WatchGuard LiveSecurity License Key certificate. Make
sure that you type it exactly as it is shown on the key. Include the hyphens.
2. Using your Web browser, go to:
www.watchguard.com/account/register.asp
The Account page appears.
3. Complete the LiveSecurity Activation page. Use the TAB key or the mouse to move through the
fields on the page.
You must complete all the fields to activate correctly. This information helps WatchGuard to send you the
information and software updates that are applicable to your products.
4. Make sure that your e-mail address is correct. After you complete the procedure, you get an
e-mail message that tells you that you activated the LiveSecurity Service successfully. All your
LiveSecurity e-mail will come to this address.
5. Click Register.
LiveSecurity Service Self Help Tools
Online Self Help Tools enable you to get the best performance from your WatchGuard® products.
You must activate the LiveSecurity® Service before you can access online resources.
Basic FAQs
The Basic FAQs (frequently asked questions) give general information about the Firebox® and
the WatchGuard System Manager software. They are written for the customer who is new to
network security and to WatchGuard products.
Advanced FAQs
The Advanced FAQs (frequently asked questions) give you important information about
configuration options and operation of systems or products. They add to the information
you can find in this User Guide and in the Online Help system.
Known Issues
We know that software products can have bugs. We keep a list of Known Issues to help you
find and to configure around these problems in our products until a software update repairs
them.
Interactive Support Forum
The WatchGuard Technical Support team operates a Web site where our customers can send
messages about WatchGuard products. Technical Support monitors this Web site and writes
messages when it is necessary to answer customer problems.
Online Training
Browse to the online training section to learn more about network security and WatchGuard
products. You can read training materials and get a certification in our products. The training
includes links to a wide range of documents and Web sites about network security. The
training is divided into parts, which lets you use only the materials you need. To
learn more about online training, browse to:
www.watchguard.com/training/courses_online.asp
Learn About
This is a list of all resources available for a specified product or feature. It is a site map for
the feature.
Online Help
There is a copy of the online help system for all WatchGuard products on our Technical
Support Web site. You install a copy of the online help when you install WatchGuard System
Manager software. The version of online help on our Web site is the most current and
includes corrections of errors we find.
Product Documentation
We keep a copy of each user guide we release to customers on our Web site. This includes
user guides for versions of software which we do not continue to give technical support. The
user guides are in PDF format.
General Firebox X Edge and Firebox SOHO Resources
This section of our Web site shows basic information and links for Firebox X Edge and
Firebox SOHO customers. It can help you to install and use the Firebox X Edge and SOHO 6
hardware.
To get access to the LiveSecurity Service Self Help Tools:
1. Start your Web browser. In the address bar, type:
www.watchguard.com
2. Click Support.
3. Log in to the LiveSecurity Service.
4. In the Self Help Tools section, click your selection.
WatchGuard Users Forum
The WatchGuard® Users Forum is an online group. It lets the users of WatchGuard products interchange
ideas, questions, and information about the product, for example:
• Configuration
• Connecting WatchGuard products and those of other companies
• Network policies
This forum has different categories that you can use to look for information. The WatchGuard Technical
Support team controls the forum during regular work hours. Do not use the forum to tell the WatchGuard
Technical Support team about problems you have with your Firebox®. You must use the Web interface or
the telephone to tell WatchGuard Technical Support directly.
Using the WatchGuard Users Forum
To use the WatchGuard Users Forum you must first create an account:
1. Browse to: www.watchguard.com. Click Support. Log in to the LiveSecurity Service.
2. Below Self Help Tools, click Interactive Support Forum.
3. Click Create a User Forum account.
4. Type your information in the page. Click Create.
You must select a user name and password. They must be different from the user name and password for your
LiveSecurity Service.
WatchGuard Users Group
The WatchGuard® Users Group is an e-mail discussion list. It lets the users of WatchGuard products send
and receive messages from other users. Because WatchGuard does not control the group, you cannot use
the group to tell the WatchGuard Technical Support team about problems you have with your Firebox®.
You must use the Web interface or the telephone to tell WatchGuard Technical Support directly. To learn
more about the WatchGuard Users Group, browse to:
lists.watchguard.com/mailman/listinfo/wg-users
Online Help
WatchGuard® Online Help is a Web system that can operate on most computer operating systems. We
release each version of our software products with a full online help system. You can find these online
help systems at:
www.watchguard.com/help
A static version of the online help system is installed automatically with the WatchGuard System Manager
software. You can find it in a subdirectory of the installation folder with the name Help. The live version
of the online help on the Web site includes corrections to all errors found since we released the software.
Starting WatchGuard Online Help
There are two methods to start the online help system:
• From the WatchGuard System Manager software, press F1. Your browser opens and an Online Help
page appears. The page has information about the feature you are using.
• Use Windows Explorer or the Run command to open the WatchGuard installation folder. Open the
Help folder. Double-click WFSHelp.htm. Your browser opens and the Online Help home page
appears. The default folder is:
C:\Program Files\WatchGuard\Help
Searching for information
There are three methods to search for information in the WatchGuard Online Help system:
Contents
The Contents tab shows a list of categories in the help system. Double-click a book to
expand a category. Click a page title to look at the contents of that category.
Index
The index shows a list of the words that are in the help system. Type the word, and the list
automatically goes to those words that start with the typed letters. Click a page title to look
at the contents.
Search
The Search feature is a full text search of the help system. Type a word and press ENTER. A
list shows the categories that contain the word. The Search feature does not operate with
AND, OR, or NOT operators.
Copy the online help system to more computers
You can copy WatchGuard Online Help from the management station to a second computer. When you
do this, copy the full online help folder from the WatchGuard installation directory on the management
station. You must include all subdirectories.
Software requirements
• Internet Explorer 4.0 or a subsequent version
• Netscape Navigator 4.7 or a subsequent version
Operating system
• Windows NT 4.0, Windows 2000, or Windows XP
• Sun Solaris
• Linux
Product Documentation
We copy all the user guides we release to our Web site at:
www.watchguard.com/help/documentation/
Technical Support
Your LiveSecurity Service subscription includes technical support for the WatchGuard® System Manager
software and Firebox® hardware. To learn more about WatchGuard Technical Support, browse to the
WatchGuard Web site at:
www.watchguard.com/support
Note
You must activate the LiveSecurity Service before you can get technical support.
LiveSecurity Service Technical Support
All new Firebox products include the WatchGuard LiveSecurity® Technical Support Service. You can
speak with the WatchGuard Technical Support team when you have a problem with the installation, management, or configuration of your Firebox.
Hours
WatchGuard LiveSecurity Technical Support operates from 6:00 AM to 6:00 PM in your local
time zone, Monday through Friday.
Telephone Number
877.232.3531 in United States and Canada
+1.206.613.0456 in all other countries
Web Site
http://www.watchguard.com/support
Service Time
We try to supply a solution in a maximum time of four hours.
Type of Service
There is technical support available for special problems with the installation and continued
maintenance of the Firebox and SOHO systems.
Single Incident Priority Response Upgrade (SIPRU) and Single Incident After Hours Upgrade (SIAU) are
also available. For more data about these upgrades, refer to the WatchGuard Web site at:
http://www.watchguard.com/support
LiveSecurity Gold
WatchGuard Gold LiveSecurity Technical Support adds to your standard LiveSecurity Service. We recommend that you buy this upgrade if your company uses the Internet or VPN tunnels for most of your work.
With WatchGuard Gold LiveSecurity Technical Support you get:
• Live technical support 24 hours a day, seven days a week.
• The Priority Technical Support Team operates our support center continuously from 7 PM Sunday
to 7 PM Friday (Pacific Time).
• We try to supply a solution to your problem in a maximum time of one hour.
• If a technician is not immediately available to help you, an administrator records your problem. The
administrator gives you an incident number. The Priority Technical Support team will speak to you
when they become available.
Firebox Installation Service
WatchGuard Remote Firebox Installation Service helps you to install and configure your Firebox. You can
schedule a two-hour time with one of our WatchGuard Technical Support team. During this time, the
technician helps you to:
• Do an analysis of your network and security policy
• Install the WatchGuard System Manager software and Firebox hardware
• Align your configuration with your company security policy
This service does not include VPN installation.
VPN Installation Service
WatchGuard Remote VPN Installation Service helps you through a full VPN installation. You can schedule
a two-hour time with one of the WatchGuard Technical Support team. During this time, the technician
helps you to:
• Do an analysis of your VPN policy
• Configure your VPN tunnels
• Do a test of your VPN configuration
You can use this service after you correctly install and configure your Fireboxes.
Training and Certification
WatchGuard® product training is available online to help you learn more about network security and
WatchGuard products. You can find training materials on our Technical Support Web site and prepare for
a certification exam. The training materials include links to books and Web sites with more information
about network security.
WatchGuard product training is also available at a location near you through a large group of WatchGuard Certified Training Partners (WCTPs). Training partners give training using certified training materials and with WatchGuard hardware. You can install and configure our products with an advanced
instructor and system administrator to help you learn.
CHAPTER 3 Monitoring Your Network
To monitor a network, you must have real-time information on all the components of the network. The
current status of all VPN devices and tunnels appears in the WatchGuard® System Manager window. You
can use these tools to quickly find and troubleshoot problems with your network.
This chapter describes the procedures you can do directly from the WatchGuard System Manager window.
Starting WatchGuard System Manager
From the Windows Desktop:
• Select Start > Programs > WatchGuard® System Manager 8 > WatchGuard System Manager.
The WatchGuard System Manager window appears.
About the WatchGuard System Manager Window
The WatchGuard® System Manager window has three tabs at the bottom of the screen:
Device
A status page for all the devices in System Manager. The information that appears includes
the log host, MAC address, and IP address for the interfaces for each device. It also includes
the status of all VPN tunnels that are configured in System Manager.
VPN
Shows status information, endpoints, and security parameters for any VPN tunnels created
and managed with the WatchGuard Management Server.
Log
Shows the log status for devices managed by System Manager.
The WatchGuard System Manager window also has menus and icons you can use to start other tools, as
described in “Starting Security Applications” on page 29.
Connecting to a Firebox
1. Select File > Connect to > Device, or click the Connect to Device icon on the WatchGuard® System
Manager toolbar.
2. From the Firebox drop-down list, select a Firebox® by its IP address or host name.
You can also type the IP address or host name. When you type an IP address, type all the numbers and the periods.
Do not use the TAB or arrow key.
3. Type the Firebox status (read-only) passphrase.
Use the status passphrase to monitor traffic and Firebox condition. You must use the configuration passphrase to
save a new configuration to the Firebox. For routine monitoring, use the status passphrase so that the
configuration passphrase is typed, and exposed, only when you actually need to change the configuration.
4. If necessary, change the value in the Timeout field. This value sets the time (in seconds) that the
management station waits for data from the Firebox before it reports that it cannot get data from the device.
If you have a slow network or Internet connection to the device, you can increase the timeout value. Decreasing
the value decreases the time you must wait for a timeout message if you are connecting to a Firebox that is not
accessible.
5. Click OK. The Firebox appears in the WatchGuard System Manager window.
Disconnecting from a Firebox
To disconnect, click the first line of information for the Firebox you want to disconnect from and
select File > Disconnect. Or select the Firebox and then click the Disconnect icon on the toolbar.