WatchGuard® Firebox® X Edge User Guide Firebox X Edge - Firmware Version 7.
Certifications and Notices FCC Certification This appliance has been tested and found to comply with limits for a Class A digital appliance, pursuant to Part 15 of the FCC Rules. Operation is subject to the following two conditions: - This appliance may not cause harmful interference. - This appliance must accept any interference received, including interference that may cause undesired operation.
CANADA RSS-210 The term “IC:” before the radio certification number only signifies that Industry Canada technical specifications were met. Operation is subject to the following two conditions: (1) this device may not cause interference, and (2) this device must accept any interference, including interference that may cause undesired operation of the device.
Notice to Users Notice to Users Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
(C) In addition to the copies described in Section 2(A), you may make a single copy of the SOFTWARE PRODUCT for backup or archival purposes only. 3. Prohibited Uses.
Copyright, Trademark, and Patent Information INABILITY TO USE THE SOFTWARE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY. 5. United States Government Restricted Rights. The SOFTWARE PRODUCT is provided with Restricted Rights. Use, duplication or disclosure by the U.S.
RealNetworks, RealAudio, and RealVideo are either a registered trademark or trademark of RealNetworks, Inc. in the United States and/or other countries. Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All right reserved. © 1995-1998 Eric Young (eay@cryptsoft). All rights reserved. © 1998-2003 The OpenSSL Project. All rights reserved.
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3.
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The Apache Software License, Version 1.1 Copyright (c) 2000-2004 The Apache Software Foundation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
1. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 2. The origin of this software must not be misrepresented, either by explicit claim or by omission.
too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price.
The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run. GNU LESSER GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0.
then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License.
these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11.
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License.
decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
Limited Hardware Warranty AND YOU HEREBY WAIVE, DISCLAIM AND RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR
Abbreviations Used in this Guide
3DES: Triple Data Encryption Standard
BOVPN: Branch Office Virtual Private Network
DES: Data Encryption Standard
DNS: Domain Name Service
DHCP: Dynamic Host Configuration Protocol
DSL: Digital Subscriber Line
IP: Internet Protocol
IPSec: Internet Protocol Security
ISDN: Integrated Services Digital Network
ISP: Internet Service Provider
MAC: Media Access Control
MUVPN: Mobile User Virtual Private Network
NAT: Network Address Translation
PPP: Point-to-Point Protocol
Contents
CHAPTER 1 Introduction to Network Security .... 1
  Network Security .... 1
  About Networks .... 2
    Clients and servers .... 2
  Connecting to the Internet .... 2
    Protocols
  Disabling the HTTP Proxy Setting .... 15
  Connecting the Firebox X Edge .... 17
    Cabling the Firebox X Edge for more than seven devices .... 18
  Connecting to the System Configuration Pages .... 20
    Setting your computer to use DHCP .... 20
    Setting your computer with a static IP address .... 21
    Browsing to the System Status page
    Changing the IP address of the trusted network .... 51
    Using DHCP on the trusted network .... 51
    Setting trusted network DHCP address reservations .... 53
    Configuring the trusted network for DHCP relay .... 53
    Using static IP addresses for trusted computers .... 54
    Adding computers to the trusted network .... 54
  Configuring the Optional Network
    Adding a custom policy using the wizard .... 81
    Adding a custom policy .... 82
  Adding a Policy for the Optional Interface .... 83
  Blocking External Sites .... 84
  Configuring Firewall Options .... 85
    Responding to ping requests
CHAPTER 10 Configuring the MUVPN Client .... 121
  Preparing Remote Computers to Use the MUVPN Client .... 122
    System requirements .... 122
    Windows 98/ME setup .... 122
    Windows NT setup .... 125
    Windows 2000 setup .... 126
    Windows XP setup
    Setting a WebBlocker profile for a user .... 154
    Enabling MUVPN for a user .... 154
    The Administrator account .... 154
    Terminating a session .... 155
    Changing a user account name or password .... 155
  About Seat Licenses .... 156
  Selecting HTTP or HTTPS for Firebox Management
CHAPTER 1 Introduction to Network Security Congratulations on your purchase of the WatchGuard Firebox® X Edge. Your new security device provides peace of mind when countering today’s network security threats. To provide context for the many features described throughout this user guide, this chapter explains basic concepts of networking and network security.
Computer security must always be kept up-to-date. Intruders are always discovering new vulnerabilities to exploit in computer software.
About Networks
A network is a connected group of computers and other devices. It can consist of anything from two computers connected by a serial cable to thousands of computers connected by high-speed data communication links located throughout the world.
share the same bandwidth. Because of this shared-medium topology, cable modem users might experience somewhat slower network access during periods of peak demand, and can be more susceptible to certain types of attacks than users with other types of connectivity. Digital Subscriber Line (DSL) Internet connectivity, unlike cable modem-based service, provides the user with dedicated bandwidth.
Internet, the file is divided into chunks of data. Each chunk, or packet, is separately numbered and includes the Internet address of the destination. The individual packets for a given file may travel different routes through the Internet. When they have all arrived, they are reassembled into the original file. To make sure that the packets are received at the destination, information is added to the packets.
IP Addresses
IP addresses are like street addresses: when you want to send some information to someone, you must first know his or her address. Similarly, when a computer connected to the Internet needs to send data to another computer, it must first know its IP address. Each computer on the Internet has its own unique IP address. An IP address consists of four numbers, each from 0 to 255, separated by periods. Examples of IP addresses are:
• 192.168.0.11
• 10.1.20.18
• 208.15.15.
About PPPoE
Some ISPs assign the IP addresses through Point-to-Point Protocol over Ethernet (PPPoE). PPPoE emulates a standard dial-up connection to provide some of the features of Ethernet and PPP. This system allows the ISP to use the billing, authentication, and security systems designed for dial-up, DSL modem, and cable modem service.
Domain Name Service (DNS)
If you don’t know a person’s street address, you can look it up in the telephone directory.
Although some services are essential, they can also be a security risk. To send and receive data, a service must listen on a port of your computer, and a listening port is reachable by intruders as well as by the clients you intend. One of the most common ways networks are broken into is by intruders exploiting services.
Ports
On computers and other telecommunication devices, a port is a specific place for physically connecting another device, usually with a socket and plug. A computer usually has one or more serial ports and one parallel port.
Firewalls
A firewall divides your internal network from the Internet to reduce this danger. The computers on the “trusted” (internal) side of a firewall are protected. The illustration below shows how a firewall physically divides the trusted network (your computers) from the Internet. Firewalls allow the user to define access policies for the Internet traffic going to the computers they are protecting.
needs. Firewalls are implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
CHAPTER 2 Installing the Firebox® X Edge To install the WatchGuard® Firebox® X Edge in your network, you must complete these steps: • Identify and record the TCP/IP properties for your Internet connection. • Disable the HTTP proxy properties of your Web browser. • Connect the Firebox X Edge to your network. • Enable your computer for DHCP. • Activate the LiveSecurity® Service.
Package Contents
Make sure that the package for your Firebox® X Edge includes this User Guide and these items:
• The Firebox X Edge QuickStart Guide
• A LiveSecurity® Service activation card
• A Hardware Warranty Card
• An AC adapter (12 V)
• Power cable clip, to attach to the cable and connect to the side of the Edge. This releases tension on the power cable.
• An Internet connection that operates. The external network connection can be a cable or DSL modem with a 10/100BaseT port, an ISDN router, or a direct LAN connection. If the Internet connection does not operate, speak to your Internet Service Provider (ISP).
Identifying Your Network Settings
You use an Internet Service Provider (ISP) to connect to the Internet. These ISPs give all computers an Internet Protocol (IP) address.
NOTE If your ISP gives your computer an IP address in 10.0.0.0/8, in 172.16.0.0/12 (172.16 through 172.31), or in 192.168.0.0/16, then your ISP uses network address translation (NAT). Features that need the Edge to be reachable from the Internet, such as incoming policies and VPN tunnels, cannot be reached through the upstream NAT device. For full functionality you must get a public IP address and disable NAT on your intranet router. Get instructions from your ISP.
Your TCP/IP Properties Table
TCP/IP Property: Value
IP Address: . . .
Subnet Mask: . . .
Default Gateway: . . .
DHCP Enabled: Yes / No
DNS Server(s): Primary . . .
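The check in the NOTE above, as an added example that is not part of this guide or of WatchGuard's software: it classifies the address recorded in the TCP/IP Properties Table as public, behind NAT, or unusable. It goes slightly beyond the guide by also treating the carrier-grade NAT block 100.64.0.0/10 (defined later than this guide) as NAT, since it means the same thing for you. The function names and the sample tables are constructed for this example.

```python
"""Classify the address your ISP hands to the Edge's external interface.

Added example for this guide, not WatchGuard code.  The sample tables in
the __main__ block are constructed for illustration.
"""
import ipaddress

# The ranges the guide names: 10/8, 172.16 through 172.31 (172.16.0.0/12)
# and 192.168/16.  These are the RFC 1918 private blocks.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Carrier-grade NAT space (RFC 6598).  It postdates this guide, but an
# address in it means the same thing: the ISP is translating your traffic.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the three RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify_external(addr: str) -> str:
    """Return 'public', 'nat' or 'unusable' for an external IPv4 address.

    'nat'      - private or CGNAT address: incoming policies and VPN
                 endpoints on the Edge are not reachable until you get a
                 public address and disable NAT on the upstream router.
    'unusable' - not a unicast address the Edge can use at all: 169.254.x
                 (a Windows autoconfiguration address, meaning no DHCP lease
                 was obtained), loopback, multicast, or a malformed string.
    """
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return "unusable"
    if is_rfc1918(addr) or ip in CGNAT:
        return "nat"
    if not ip.is_global:
        return "unusable"
    return "public"


def report(props: dict) -> str:
    """One-line verdict for a filled-in 'Your TCP/IP Properties Table'.

    props uses the keys 'ip_address' and 'default_gateway' (names chosen
    for this example).
    """
    verdict = classify_external(props["ip_address"])
    gw = props.get("default_gateway", "")
    note = ""
    if verdict == "public" and gw and classify_external(gw) == "nat":
        # A public host address behind a private gateway is unusual and
        # most often means the table was copied down incorrectly.
        note = " (private gateway for a public address; re-check the values)"
    return f"{props['ip_address']}: {verdict}{note}"


if __name__ == "__main__":
    # Constructed sample tables, as a user might record them.
    for sample in (
        {"ip_address": "10.20.30.40", "default_gateway": "10.20.30.1"},
        {"ip_address": "100.72.5.9", "default_gateway": "100.72.5.1"},
        {"ip_address": "169.254.17.3", "default_gateway": ""},
        {"ip_address": "11.22.33.44", "default_gateway": "11.22.33.1"},
    ):
        print(report(sample))
```

Run it with the values from your own table; a verdict of `nat` means the ISP-side NAT, not the Edge, is what stands between your servers and the Internet, and no Edge policy will change that.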
3 Record the values in the Your TCP/IP Properties Table on page 14.
4 Close the window.
Microsoft Windows 98 or ME
1 Click Start > Run.
2 In the Run dialog box, type winipcfg.
3 Click OK.
4 Select the Ethernet adapter.
5 Record the values in the Your TCP/IP Properties Table on page 14.
6 Click Cancel.
Macintosh
1 Click the Apple menu > Control Panels > TCP/IP.
2 Record the values in the Your TCP/IP Properties Table on page 14.
3 Close the window.
You can use the instructions below to disable the HTTP proxy in Netscape or Internet Explorer. If you are using a different browser, use the browser Help system to find the necessary information. Many open-source browsers automatically disable the HTTP proxy feature.
Netscape
1 Open Netscape.
2 Click Edit > Preferences. The Preferences window appears.
3 A list of options appears at the left side of the window.
Connecting the Firebox X Edge
Use this procedure to connect your Firebox® X Edge Ethernet and power cables:
2 Shut down your computer.
3 Find the Ethernet cable between the modem and your computer. Disconnect this cable from your computer and connect it to the Edge external interface (WAN 1).
4 Find the Ethernet cable supplied with your Edge. Connect this cable to a trusted interface (0-6) on the Edge.
6 Find the AC adapter supplied with your Edge. Connect the AC adapter to the Edge and to a power source. The Edge power indicator light comes on and the external interface indicator lights flash and then come on. The Edge is ready.
NOTE Use only the Firebox X Edge AC adapter.
7 When the Edge is ready, start your computer.
• A straight-through Ethernet cable to connect each hub to the Firebox X Edge.
To connect more than seven devices to the Firebox X Edge:
1 Shut down your computer. If you connect to the Internet through a DSL modem or cable modem, disconnect the power supply from this device.
2 Disconnect the Ethernet cable that runs from your DSL modem, cable modem, or other Internet connection to your computer. Connect the Ethernet cable to the WAN port on the Firebox X Edge.
If your ISP uses static IP addressing, or uses PPPoE, then do the following additional steps:
1 From your Web browser, select File > Open Location, type https://192.168.111.1/ into the URL entry field of your browser, and press Enter. Log on using the default user name (admin) and password (admin). These factory credentials are printed in every copy of this guide, so change the administrator password as soon as you can reach the configuration pages (see “Changing a user account name or password” on page 155).
2 From the navigation bar, expand Network (click the plus sign) and select External.
the documentation for instructions to set your computer to use DHCP.
1 Click Start > Control Panel. The Control Panel window appears.
2 Double-click the Network Connections icon.
3 Double-click the Local Area Connection icon.
4 Double-click the Internet Protocol (TCP/IP) item. The Internet Protocol (TCP/IP) Properties dialog box appears.
5 Select the Obtain an IP address automatically and the Obtain DNS server address automatically options.
8 In the Default Gateway field, type the IP address of the Edge trusted interface. The default Edge trusted interface address is 192.168.111.1.
9 Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.
10 Click OK to close the Local Area Connection Properties dialog box. Close the Network Connections and Control Panel windows. Your computer is now connected to the Firebox X Edge.
Configuring the External Interface
Your Internet Service Provider (ISP) uses DHCP, PPPoE, or static IP addressing to identify your computer on their network. After you connect the Edge, you must configure the external interface with the information from your ISP.
Setting the Edge to use DHCP
A new Edge uses DHCP to get an IP address for the external interface.
Setting a Static IP Address
If your ISP uses static IP addressing, you must set the Edge external interface address. Use the information in the Your TCP/IP Properties Table on page 14 to do this procedure.
1 Open your Web browser. Browse to the System Status page at https://192.168.111.1. Type the URL in the Address bar of your browser and press the [Enter] key.
2 From the navigation bar on the left side, click the plus sign (+) to the left of Network. Click External.
PPPoE Address Settings
PPPoE Setting: Value
Login Name: . . .
Domain: . . .
Password: . . .
For more information on PPPoE, see “About PPPoE” on page 6.
To configure the Edge for PPPoE:
1 Open your Web browser and click Stop. Because the Internet connection is not configured, the browser cannot show your home page from the Internet. The browser can only open the configuration pages saved on the Edge.
5 Type the PPPoE login name and domain, as well as the PPPoE password supplied by your service provider, in the applicable fields.
6 Type the time delay before inactive TCP connections are disconnected.
7 If appropriate, select the Automatically restore lost connections check box. This option keeps a constant traffic flow between the Edge and the PPPoE server, so the Edge keeps the PPPoE connection open during a period of frequent packet loss.
Registering Your Edge and Activating LiveSecurity Service
NOTE To activate the LiveSecurity Service, your browser must have JavaScript enabled.
2 If you have a user profile on the WatchGuard Web site, enter your user name and password. If you have not registered before, you must create a user profile. To do this, follow the instructions on the Web site.
3 Record your LiveSecurity Service user profile information in the table below. Keep this information confidential.
CHAPTER 3 Configuration and Management Basics When you configure a Firebox, you make the WatchGuard® Firebox® X Edge appropriate for the specific security needs of your organization. This is your main task after you install your Firebox. You use Web pages in the Firebox to create the configuration of the Firebox X Edge. You connect to these configuration pages with your Web browser.
The purpose of this step is to open your Firebox system configuration pages. Your computer must be connected to the Firebox with an Ethernet cable. You can change the IP address of the trusted network from 192.168.111.1 to an IP address of your choice. For more information, see “Configuring the Trusted Network” on page 50. For example, if you use Internet Explorer to configure your Firebox:
1 Start Internet Explorer.
2 Click File > Open, and type https://192.168.111.1
Navigating the Configuration Pages
Using the navigation bar
On the left side of the System Status page is a navigation bar that you use to see other Firebox X Edge configuration and status pages. To see the main page for each area, click the appropriate menu item on the navigation bar. For example, to see how logging is currently configured for your Firebox and to see the current event log, click Logging. Each area contains submenus that you use to configure various settings within that area.
Configuration Overview
You use the Firebox X Edge system configuration pages to set up your Edge and make it work for your network and security requirements. This section gives a brief introduction to each category of pages and tells you which chapters in this User Guide contain detailed information about each feature.
Firebox System Status Page
The System Status page is the main configuration page of the Firebox X Edge.
Network Page
The Network page shows the configuration of each network interface. It also shows any configured routes and has buttons you can use to change configurations and to see network statistics. For more information, see Chapter 4, “Changing Your Network Settings.”
Firebox Users Page
The Firebox Users page shows statistics on the active sessions and local user accounts. It also has buttons to close current sessions and to add, edit, and delete user accounts. This page also shows the MUVPN client configuration files that are available for download. If your Firebox does not yet support MUVPN clients, the page has a button that enables MUVPN client support.
Administration Page
The Administration page shows whether the Firebox uses HTTP or HTTPS for its configuration pages, whether VPN Manager access is enabled, and which upgrades are enabled. It has buttons to change configurations, add upgrades, and view the configuration file. For more information, see Chapter 11, “Managing the Firebox X Edge.”
Firewall Page
The Firewall page shows the incoming and outgoing services, blocked sites, and other firewall settings. This page also has buttons to change these settings. For more information, see Chapter 6, “Configuring Firewall Settings.”
Logging Page
The Logging page shows the current event log, the status of WSEP and Syslog logging, and the system time. It also has buttons to change these settings and to set your system time so that it is the same as your local computer. For more information, see Chapter 7, “Configuring Logging.”
WebBlocker Page
The WebBlocker page shows the WebBlocker settings, profiles, allowed sites, and denied sites. It also has buttons to change the current settings. For more information, see Chapter 8, “Configuring WebBlocker.”
VPN Page
The VPN page shows information on managed VPNs, manual VPN gateways, and echo hosts, along with buttons to change the configuration of VPN tunnels. It also has a button for you to see statistics on active tunnels. For more information, see Chapter 9, “Configuring VPNs.”
Wizards Page
The Wizards page shows the wizards available to help you quickly and easily set up key Firebox X Edge features:
• Network Interface Wizard: Configure all interfaces, including WAN failover.
Updating Firebox X Edge Software
One benefit of your LiveSecurity® Service is ongoing software updates. As new threats appear and WatchGuard adds product enhancements, you receive alerts to let you know about new versions of your Firebox® X Edge software. When you receive the alert, WatchGuard gives you instructions on how to download the software to your personal computer.
3 Read the text of the EULA. If you agree, select the I accept the above license agreement check box.
4 Type the name of the file containing the new Firebox X Edge software in the Select file box, or click Browse to find the file on your local computer.
5 Click Update. The Firebox checks that the uploaded package is a legitimate software upgrade before it installs it. It then copies the new software to the system and reboots. This can take 15 to 45 seconds.
- VPN Manager Access is disabled.
- Remote logging is not configured.
WebBlocker
- The WebBlocker feature is disabled and the settings are not configured.
Upgrade Options
- The upgrade options are disabled until you type the license keys into the configuration page.
Resetting the Firebox to the factory default settings
You might have a reason to set the Firebox to the factory default settings. Note that a reset also restores the default administrator password (admin), so set a new password as soon as the Firebox is reachable again.
Rebooting the Firebox
The Firebox reboot cycle is up to 30 seconds. During the reboot cycle, the mode light on the front of the Firebox turns off and then turns on again.
Local reboot
You can locally reboot the Firebox X Edge either with the Web browser or by disconnecting the power supply.
Using the Web browser
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge. The default IP address is: https://192.168.111.1
2 Click Reboot.
https://www.watchguard.com/support/tutorials/stepsoho_remotemanage.asp
1 Type the external network IP address of the remote Firebox X Edge in your browser window to connect to its System Status page.
2 Click Reboot.
A remote reboot works only after you have set up remote management as described in that tutorial. Remote management makes the configuration pages reachable from the external network, so select HTTPS rather than HTTP for Firebox management (see “Selecting HTTP or HTTPS for Firebox Management”).
CHAPTER 4 Changing Your Network Settings A primary task to set up your WatchGuard® Firebox® X Edge is to configure the network IP addresses. At a minimum, you must configure the external network and the trusted network to let traffic flow through the Edge. You can also set up the optional interface. Many customers use the optional network for public servers. An example of a public server is a Web server. You can use the Quick Setup Wizard to set up your network IP addresses.
4 Work through the wizard, following the instructions on the screens. Steps associated with optional functionality you decide not to enable are automatically skipped by the wizard. The Network Setup Wizard consists of the following steps:
Step 1: Welcome. The first screen describes the purpose of the wizard.
Step 2: Configure the External Interface of your Firebox. The next screen asks the method your ISP uses to set your IP address.
Configuring the External Network When you configure the external network, set how your Internet Service Provider (ISP) gives an IP address to your Firebox. There are three methods to give IP addresses: • DHCP - Network administrators use the Dynamic Host Configuration Protocol (DHCP) to give IP addresses to computers on their network automatically. With DHCP, your Firebox can receive a new external address each time it connects to the ISP network.
If your ISP uses static IP addresses
If your ISP uses static IP addresses, you must enter the address information into your Edge before it can send traffic through the external interface. To set your Edge to use a static IP address for the external interface:
1 Use your browser to connect to the System Status page. From the navigation bar, select Network > External. The External Network Configuration page appears.
To set your Firebox to use PPPoE on the external interface:
1 Use your browser to connect to the System Status page. From the navigation bar, select Network > External. The External Network Configuration page appears.
2 From the Configuration Mode drop-down list, select PPPoE Client.
3 Type the Name and Password in the related fields. Get this information from your ISP. If your ISP gives you a domain name, type it into the Domain field.
option on, the Firebox makes a file which you can send to Technical Support. Only use this option when Technical Support tells you to. This option decreases Firebox performance.
7 Click Submit.
Configuring the Trusted Network
You must configure your trusted network manually if you choose not to use the Network Setup Wizard. You can use static IP addresses or DHCP for your trusted network.
Changing the IP address of the trusted network
If necessary, you can change the trusted network address. For example, if you connect two or more Firebox devices in a virtual private network, each Firebox must use a different trusted network address. For more information, see “What You Need to Create a VPN” on page 107. To change the IP address of the trusted network:
1 To connect to the System Status page, type the IP address of the trusted network in the browser.
To use DHCP on the trusted network:
1 Use your browser to connect to the System Status page. From the navigation bar, select Network > Trusted. The Trusted Network Configuration page appears.
2 Select the Enable DHCP Server on the Trusted Network check box.
3 Type the first available IP address for the trusted network, then type the last IP address. Both addresses must be on the same network as the trusted IP address. For example, if your trusted IP address is 192.168.200.
Setting trusted network DHCP address reservations You can manually give an IP address to a specified computer on your trusted network. The Firebox identifies the computer by its MAC address. 1 Use your browser to connect to the System Status page. From the navigation bar, select Network > Trusted. The Trusted Network Configuration page appears. 2 Click the DHCP Reservations button. The DHCP Address Reservations page appears.
network. This option lets computers in more than one office use the same network address range. This procedure makes the Firebox a DHCP relay agent. To configure the Firebox as a DHCP relay agent for the trusted interface: 1 Use your browser to connect to the System Status page. From the navigation bar, select Network > Trusted. The Trusted Network Configuration page appears. 2 Select the Enable DHCP Relay check box.
3 Connect each computer to the network. Use the procedure “Cabling the Firebox X Edge for more than seven devices” on page 18. 4 Restart each computer. Configuring the Optional Network The optional network is an isolated network for less secure public resources. Many customers use the optional network for public computers such as a Web, e-mail, or FTP server. A factory default Firebox does not connect the trusted network to the optional network.
work. A factory default Firebox has the trusted network and the optional network on two different subnets. To change the IP address of the optional network: 1 To connect to the System Status page, type the IP address of the trusted network in the browser. The default IP address is: https://192.168.111.1 2 From the navigation bar, select Network > Optional. The Optional Network Configuration page appears.
To use DHCP on the optional network: 1 Use your browser to connect to the System Status page. From the navigation bar, select Network > Optional. The Optional Network Configuration page appears. 2 Select the Enable DHCP Server on the Optional Network check box. 3 Type the first available IP address for the optional network. Type the last IP address. The IP addresses must be on the same network as the optional IP address. For example, if your optional IP address is 192.
Setting optional network DHCP address reservations You can manually give an IP address to a specified computer on your optional network. The Firebox identifies the computer by its MAC address. 1 Use your browser to connect to the System Status page. From the navigation bar, select Network > Optional. The Optional Network Configuration page appears. 2 Click the DHCP Reservations button. The DHCP Address Reservations page appears.
location. It gives the reply to the computers on the Firebox optional network. This option lets computers in more than one office use the same network address range. This procedure makes the Firebox a DHCP relay agent. To configure the Firebox as a DHCP relay agent for the optional interface: 1 Use your browser to connect to the System Status page. From the navigation bar, select Network > Optional. The Optional Network Configuration page appears.
3 Connect each computer to the network. Use the procedure “Cabling the Firebox X Edge for more than seven devices” on page 18. 4 Restart each computer. NOTE All changes to the Optional Network Configuration page require that you click Submit and then reboot the Firebox before they take effect. You can make all the changes you want and then reboot once when you are done. You can either enable or disable the DHCP server on the optional network.
Making Static Routes 2 From the navigation bar, select Network > Routes. The Routes page appears. 3 Click Add. The Add Route page appears. 4 From the Type drop-down list, select either Host or Network. A host is one computer. A network is a group of computers that use a range of IP addresses. 5 Type the destination IP address and the gateway in the related fields. The gateway is the router's interface on a network that the Edge is directly connected to. 6 Click Submit. To remove a static route, click the IP address and click Remove.
Viewing Network Statistics The Firebox® X Edge Network Statistics page shows performance information. Network administrators frequently use this page to troubleshoot a problem with the Firebox or the network. 1 To connect to the System Status page, type the IP address of the trusted network in the browser. The default IP address is: https://192.168.111.1 2 From the navigation bar, select Network > Network Statistics. The Network Statistics page appears.
Registering with the Dynamic DNS Service 1 Create a dynamic DNS account. For more information, see the Technical Support FAQ “How do I set up Dynamic DNS?” After you click this link, log in to your LiveSecurity Service account to see the FAQ. NOTE WatchGuard is not affiliated with DynDNS.org. 2 To connect to the System Status page, type the IP address of the trusted network in the browser. The default IP address is: https://192.168.111.1 3 From the navigation bar, select Network > Dynamic DNS.
Changing Your Network Settings Enabling the WAN Failover Option The WAN Failover option adds redundant support for the external interface. With this option, the Firebox® X Edge starts a connection through the WAN2 port when the primary external interface (WAN1) can not send traffic. Companies use this option if they must have a constant connection. You must get a second Internet connection to use this option. It is not necessary to configure new services to use this option.
through the WAN1 port first. If a connection is made, the WAN1 port is used. If the WAN1 port is not available, the Firebox connects through the WAN2 port. To configure the WAN failover network: 1 Connect one end of a straight-through Ethernet cable to the WAN2 interface. Connect the other end to the source of the secondary external network connection. This connection can be a cable modem or a hub.
5 From the drop-down list, select the interface for the feature: Ethernet or modem (see the next section for additional information on using a modem). 6 Type the IP addresses of the hosts to ping for the WAN1 and WAN2 interfaces in the applicable fields. 7 Type the number of seconds between pings and the number of seconds to wait for a reply in the applicable fields. 8 Type the maximum number of pings before timeout in the applicable field. 9 Click Submit.
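The ping-based health check configured in steps 6 to 8 is easier to reason about with a small model. The Python below is an added example, not WatchGuard code: it treats an interface as down after a configured number of consecutive failed pings (no reply within the timeout) and prefers WAN1 whenever WAN1 is up. The ping host addresses, the default values, and the assumption that the Edge fails back to WAN1 as soon as WAN1 answers again are mine, not the guide's.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FailoverConfig:
    """Mirror of the WAN Failover fields described above (values are assumptions)."""
    ping_host_wan1: str
    ping_host_wan2: str
    interval_s: int = 5      # seconds between pings
    timeout_s: int = 2       # seconds to wait for a reply
    max_failures: int = 3    # failed pings before an interface is declared down


class LinkMonitor:
    """Tracks the health of WAN1 and WAN2 and decides which one carries traffic."""

    def __init__(self, cfg: FailoverConfig) -> None:
        self.cfg = cfg
        self.failures = {"WAN1": 0, "WAN2": 0}
        self.up = {"WAN1": True, "WAN2": True}
        self.active = "WAN1"

    def observe(self, iface: str, rtt_ms: Optional[int]) -> None:
        """Record one ping result for an interface.

        rtt_ms is None when no reply arrived. A reply slower than the configured
        timeout is also a failure, because the Edge would have stopped waiting.
        """
        failed = rtt_ms is None or rtt_ms > self.cfg.timeout_s * 1000
        if failed:
            self.failures[iface] += 1
            if self.failures[iface] >= self.cfg.max_failures:
                self.up[iface] = False
        else:
            # One good reply clears the failure count (assumed failback rule).
            self.failures[iface] = 0
            self.up[iface] = True

    def choose(self) -> str:
        """WAN1 is preferred whenever it is up; WAN2 is used only while WAN1 is down.
        If both are down, keep the last active interface and keep probing."""
        if self.up["WAN1"]:
            self.active = "WAN1"
        elif self.up["WAN2"]:
            self.active = "WAN2"
        return self.active


def run_monitor(cfg: FailoverConfig,
                wan1: List[Optional[int]],
                wan2: List[Optional[int]]) -> List[Tuple[int, str]]:
    """Replay two parallel series of ping results and return
    (elapsed seconds, active interface) after every probe."""
    mon = LinkMonitor(cfg)
    timeline: List[Tuple[int, str]] = []
    for tick, (r1, r2) in enumerate(zip(wan1, wan2)):
        mon.observe("WAN1", r1)
        mon.observe("WAN2", r2)
        timeline.append((tick * cfg.interval_s, mon.choose()))
    return timeline


if __name__ == "__main__":
    cfg = FailoverConfig("198.51.100.1", "203.0.113.1")
    # Constructed probe results: WAN1 stops answering for three probes, then recovers.
    wan1_probe = [20, None, None, None, 25, 25]
    wan2_probe = [30, 30, 30, 30, 30, 30]
    for elapsed, active in run_monitor(cfg, wan1_probe, wan2_probe):
        print(f"t={elapsed:3d}s active={active}")
```

With the defaults above, WAN1 is declared down 15 seconds after its first missed reply (three failed probes, five seconds apart) and traffic moves to WAN2 until WAN1 answers again. Pick a ping host that is outside your ISP's own network; pinging the ISP's gateway tells you only that the first hop is up.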
Enabling External Modem Failover DNS settings If your ISP's server does not use DHCP and does not specify the location of the DNS server, you must enter the IP addresses of your DNS servers manually: 1 Select the Manually configure DNS server IP addresses checkbox. 2 In the Primary DNS Server text box, enter the IP address of the primary DNS server. 3 (Optional) In the Secondary DNS Server text box, enter the IP address of the secondary DNS server.
Dialup settings 1 In the Dial up timeout field, enter the number of seconds to wait before timing out if your modem does not connect. 2 In the Redial attempts field, enter the number of attempts to make if your modem does not connect. 3 In the Inactivity timeout field, enter the number of seconds before timeout if no traffic passes through the modem. 4 In the Speaker volume field, set your modem speaker's volume to off, low, medium, or high.
CHAPTER 5 Setting up the Firebox X Edge Wireless The Firebox X Edge Wireless protects the computers that are connected to your network. The Firebox X Edge Wireless also protects network wireless connections. This chapter shows how to install the Firebox X Edge Wireless and set up the wireless network. WatchGuard is concerned about the security of your network so the wireless feature of the Firebox X Edge Wireless is disabled until you are ready to use it.
• Configure the Wireless Access Point (WAP) • Configure the wireless card on your computer How Wireless Networking Works Wireless networking uses radio-frequency signals to communicate between computers and the Firebox X Edge Wireless. The Firebox X Edge Wireless complies with the 802.11b and 802.11g standards defined by the Institute of Electrical and Electronics Engineers (IEEE). You must protect a wireless network from unauthorized access, because anyone within radio range can attempt to connect to it.
Connecting to the Firebox X Edge Wireless mum of seven devices, use the Firebox X Edge Wireless as a network hub. 1 Shut down your computer. 2 Disconnect the Ethernet cable that connects your DSL modem, cable modem, or other Internet connection to your computer. Connect this cable to the WAN port on the Firebox X Edge Wireless. If you connect to the Internet through a DSL modem or cable modem, disconnect the power supply to this device.
a device connects to the Internet and is freed when the connection ends. License upgrades are available from the WatchGuard Web site: http://www.watchguard.com/sales/buyonline.asp To connect more than seven devices to the Firebox X Edge Wireless, you need: • An Ethernet hub • A straight-through Ethernet cable, with RJ-45 connectors, for each computer • A straight-through Ethernet cable to connect each hub to the Firebox X Edge Wireless.
Using the Wireless Network Wizard The Wireless Network Wizard is a tool that you use to automatically configure your wireless network. Setting up the Wireless Access Point WatchGuard is concerned about the security of your network, so the wireless feature of the Firebox X Edge Wireless is disabled until you are ready to use it. Activate the wireless feature only after you have configured the security of the wireless connections.
3 Select the Wireless Networks tab. 4 In the Preferred networks section, click Add. The Wireless Network Properties dialog box appears. 5 Type the SSID in the Network Name (SSID) text box. This is the same name that you recorded from the Wireless Network Configuration page. 6 Click OK to close the Wireless Network Properties dialog box. 7 Click Refresh. All available wireless connections are shown in the Available Networks text box.
Wireless Security Options A wired LAN is normally protected by measures such as login credentials, which are effective only because the physical environment is controlled: an attacker must first get a cable into the network. Because the radio transmissions of a WLAN are not bound by the walls that contain the wired network, these measures are insufficient for a wireless network. WPA and WEP encrypt the transmissions over the WLAN so that the wireless link between the computers and the access point gets the protection that physical access control gives a wired LAN. WEP has well-known cryptographic weaknesses that let an attacker recover the key from captured traffic; use WPA wherever your wireless clients support it.
To change the channel: • Select a value from the Channel drop-down list. There are four options for setting the operating region: North America, Europe, France, and Japan. It is very important that you select the correct region, because this setting applies the certification requirements of your region. To configure the operating region, select an option from the Operating Region drop-down list.
3 If you have typed more than one key, select the key you want to use as the default key from the Default Key drop-down list. Configuring advanced settings You can configure how the Firebox X Edge Wireless communicates with your wireless computer. If you want the Firebox X Edge Wireless to broadcast the SSID in the beacon frames, select the Broadcast SSID in AP Beacon Frames checkbox.
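WEP and WPA protect the link in different ways, and the guide's instruction to protect the wireless network is easier to act on when you can see what the keys actually are. The Python below is an added example, not part of this guide or of the Edge's firmware. It derives a WPA pre-shared key from a passphrase and SSID exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), checks WEP key lengths against the standard 40-bit and 104-bit sizes, and gives a ceiling on passphrase strength. The Edge's own key fields may apply further rules; the test vector in the usage section comes from the 802.11i standard.

```python
import hashlib
import math
import string

# Standard WEP key sizes: 40-bit (sold as "64-bit") and 104-bit ("128-bit").
WEP_SIZES = {5: 40, 13: 104}          # ASCII key length -> key bits
WEP_HEX_SIZES = {10: 40, 26: 104}     # hex key length -> key bits


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key (PMK) from a passphrase.

    IEEE 802.11i: PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits).
    The SSID is the salt, so the same passphrase gives a different PSK on a
    differently named network, but an attacker who captures a WPA handshake
    can still run this derivation offline against a word list.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def wep_key_bits(key: str, hex_key: bool) -> int:
    """Return the key size in bits for a WEP key, or raise if the length is not
    a valid WEP key length. WEP is cryptographically broken regardless of key
    length; this only checks what a WEP key field would accept (the Edge's
    exact field rules are assumed to follow the standard sizes)."""
    if hex_key:
        if len(key) not in WEP_HEX_SIZES or any(c not in string.hexdigits for c in key):
            raise ValueError("hex WEP key must be 10 or 26 hex digits")
        return WEP_HEX_SIZES[len(key)]
    if len(key) not in WEP_SIZES:
        raise ValueError("ASCII WEP key must be 5 or 13 characters")
    return WEP_SIZES[len(key)]


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper bound on passphrase entropy from length and character classes.
    Dictionary words score far lower in practice; treat this as a ceiling."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)
    return len(passphrase) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    # Test vector from IEEE 802.11i: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    print(wep_key_bits("secret-key-13", hex_key=False), "bit WEP key")
    print(round(passphrase_entropy_bits("password"), 1), "bits (ceiling)")
```

The 802.11i vector ("password" with SSID "IEEE") yields the PSK f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e. The derivation is deliberately slow (4096 HMAC iterations), but it is the only thing standing between a captured handshake and the key, so the passphrase length matters far more than the choice of WEP key size ever did.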
802.11g and 802.11b: This mode allows the Firebox X Edge Wireless to connect with wireless devices that use either protocol. 802.11b only: This mode allows the Firebox X Edge Wireless to connect only to devices that use 802.11b. Configuring Static Routes To send specified packets to different segments of the trusted network connected through a router or switch, configure static routes.
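The static route procedure in the earlier “Making Static Routes” section and the sentence above both depend on one rule the guide states tersely: the gateway must be the router's interface on a network the Edge is directly connected to. The Python below is an added example, not WatchGuard code, that validates Host and Network routes against that rule and then resolves destinations by longest-prefix match, falling back to the external interface's default gateway. The interface addresses and routes are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network


class RouteTable:
    """Static routes as the Edge's Routes page describes them: Host (one address)
    or Network (a range), each with a gateway on a directly connected network."""

    def __init__(self, interfaces: Dict[str, str], default_gateway: str) -> None:
        # interfaces: name -> "address/prefix" of the Edge's own interface (constructed)
        self.interfaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.default_gateway = ipaddress.ip_address(default_gateway)
        self.routes: List[Tuple[IPNet, ipaddress.IPv4Address, str]] = []

    def _connected_iface(self, gw: ipaddress.IPv4Address) -> Optional[str]:
        """Name of the interface whose subnet contains the gateway, if any."""
        for name, iface in self.interfaces.items():
            if gw in iface.network and gw != iface.ip:
                return name
        return None

    def add(self, route_type: str, destination: str, gateway: str) -> None:
        gw = ipaddress.ip_address(gateway)
        if route_type == "Host":
            net = ipaddress.ip_network(destination + "/32")
        elif route_type == "Network":
            net = ipaddress.ip_network(destination, strict=True)
        else:
            raise ValueError("Type must be Host or Network")
        iface = self._connected_iface(gw)
        if iface is None:
            # A gateway the Edge cannot reach directly is a useless route.
            raise ValueError(f"gateway {gw} is not on a directly connected network")
        self.routes.append((net, gw, iface))

    def remove(self, destination: str) -> None:
        prefix = destination.split("/")[0]
        self.routes = [r for r in self.routes if str(r[0].network_address) != prefix]

    def lookup(self, address: str) -> Tuple[ipaddress.IPv4Address, str]:
        """Longest-prefix match: hosts on a connected interface are delivered
        directly, then the most specific static route, then the default gateway
        out of the External interface. Returns (next hop, interface)."""
        dst = ipaddress.ip_address(address)
        best_len = -1
        result = (self.default_gateway, "External")
        for name, iface in self.interfaces.items():
            if dst in iface.network and iface.network.prefixlen > best_len:
                best_len, result = iface.network.prefixlen, (dst, name)
        for net, gw, name in self.routes:
            if dst in net and net.prefixlen > best_len:
                best_len, result = net.prefixlen, (gw, name)
        return result


if __name__ == "__main__":
    rt = RouteTable({"Trusted": "192.168.111.1/24", "Optional": "192.168.112.1/24",
                     "External": "203.0.113.2/29"}, default_gateway="203.0.113.1")
    rt.add("Network", "10.10.0.0/16", "192.168.111.254")   # via a router on Trusted
    rt.add("Host", "10.20.0.5", "192.168.112.254")          # via a router on Optional
    for target in ("10.10.4.4", "10.20.0.5", "10.20.0.6", "192.168.111.50"):
        print(target, "->", rt.lookup(target))
```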
CHAPTER 6 Configuring Firewall Settings The Firebox X Edge uses firewall properties to control the flow of traffic between the trusted interface and external interfaces. The firewall properties you use show how much risk you can accept. Configuring Incoming and Outgoing Policies Your network receives incoming traffic and sends outgoing traffic. Traffic that does not start in your network is incoming traffic. Traffic that starts in your network is outgoing traffic.
server (the internal computer that will receive the requests for Web pages). You must be careful when you add policies, because each policy you add opens your Edge to more traffic and increases your risk. Make sure that you compare the value of the added access to the security risk. When you add a policy, you identify the source and destination IP addresses, and set the policy properties.
3 Find a standard policy, such as FTP, Web, or Telnet. From the drop-down list adjacent to the Policy (Service) name, click Allow or Deny. Repeat to add more policies. 4 For incoming policies, enter the IP address of the service host. 5 Click Submit. Adding a custom policy using the wizard You can add a custom policy using a TCP port, a UDP port, or an IP protocol. 1 From the Navigation Bar, click Wizards. 2 Next to Define a custom service... click Go.
to expose a service such as HTTP (a Web server) to the external network. Step 6: Summary The wizard's last screen displays a summary of the settings you have made using the wizard. Adding a custom policy You can add a custom policy without using the wizard. 1 In your Web browser, type the IP address of the trusted interface to show the System Status page. The default IP address is: https://192.168.111.1 2 On the Filter Traffic page, click Add Service.
Adding a Policy for the Optional Interface 5 In the text box adjacent to the Protocol drop-down list, type a port number or protocol number. To use a range of ports, type the last port of the range in the second text box. NOTE If you use an IP protocol, do not type a port number. Some of the IP protocol numbers you can use include: 6 Click Add. The following steps determine how the service is filtered. 7 From the Incoming Filter and Outgoing Filter drop-down lists, click Allow or Deny.
Blocking External Sites The Blocked Sites feature helps prevent unwanted traffic from hostile sites. When you identify a hacker, you can stop all connections that hacker tries to make. When hackers try to connect to your network, the Edge records data about the attempts. You can examine the data to identify attacks. A blocked site is an external IP address that is blocked from connecting to computers behind the Edge.
2 From the drop-down list, click Host IP Address, Network IP Address, or Host Range. 3 In the text box, type a host IP address, a network IP address, or a range of host IP addresses. 4 Click Add. The address information appears in the Blocked Sites list. 5 Click Submit. Configuring Firewall Options The sections before this one tell how to create a policy that allows, or denies, a specified type of traffic.
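The policy model in “Configuring Incoming and Outgoing Policies”, the custom-policy fields (protocol, port or port range, Allow/Deny per direction, service host), and the Blocked Sites list above all feed one decision per packet. The Python below is an added example, not Firebox code: it evaluates constructed packets against constructed policies in the order a practitioner would expect (blocked sites first, then the first matching policy, then deny). Whether the Edge consults blocked sites before policies and denies anything unmatched is not stated on this page and is assumed here; the addresses and policies are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPAddr = ipaddress.IPv4Address


@dataclass
class Policy:
    """One row of the Edge's policy list. protocol is "tcp", "udp", or an IP
    protocol number (an int, e.g. 47 for GRE), in which case ports are ignored."""
    name: str
    protocol: object            # "tcp" | "udp" | int
    port_from: int = 0
    port_to: int = 0            # 0 means "same as port_from"
    incoming: str = "Deny"      # Allow | Deny
    outgoing: str = "Allow"
    service_host: Optional[str] = None   # internal host that receives incoming traffic

    def matches(self, proto: object, port: Optional[int]) -> bool:
        if self.protocol != proto:
            return False
        if isinstance(self.protocol, int):
            return True                     # raw IP protocol: no port to compare
        hi = self.port_to or self.port_from
        return port is not None and self.port_from <= port <= hi


class BlockedSites:
    """External addresses that may never connect in, entered as a host,
    a network, or a range of hosts, as on the Blocked Sites page."""

    def __init__(self) -> None:
        self.networks: List[ipaddress.IPv4Network] = []
        self.ranges: List[Tuple[IPAddr, IPAddr]] = []

    def add_host(self, ip: str) -> None:
        self.networks.append(ipaddress.ip_network(ip + "/32"))

    def add_network(self, cidr: str) -> None:
        self.networks.append(ipaddress.ip_network(cidr))

    def add_range(self, first: str, last: str) -> None:
        self.ranges.append((ipaddress.ip_address(first), ipaddress.ip_address(last)))

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return (any(addr in n for n in self.networks)
                or any(lo <= addr <= hi for lo, hi in self.ranges))


def evaluate(direction: str, src: str, proto: object, port: Optional[int],
             policies: List[Policy], blocked: BlockedSites) -> Tuple[str, str]:
    """Return (verdict, reason). direction is "incoming" (from external) or "outgoing"."""
    if direction == "incoming" and blocked.contains(src):
        return "Deny", "blocked site"
    for p in policies:
        if p.matches(proto, port):
            verdict = p.incoming if direction == "incoming" else p.outgoing
            if direction == "incoming" and verdict == "Allow" and not p.service_host:
                # An incoming Allow with no service host has nowhere to deliver to.
                return "Deny", f"{p.name}: no service host"
            dest = f" -> {p.service_host}" if direction == "incoming" and verdict == "Allow" else ""
            return verdict, p.name + dest
    return "Deny", "no matching policy (assumed default)"


# Constructed example configuration.
POLICIES = [
    Policy("Web", "tcp", 80, incoming="Allow", service_host="192.168.111.10"),
    Policy("Telnet", "tcp", 23, incoming="Deny", outgoing="Deny"),
    Policy("Game-server", "udp", 27000, 27015, incoming="Allow", service_host="192.168.112.5"),
    Policy("GRE", 47, incoming="Deny", outgoing="Allow"),
    Policy("Outgoing", "tcp", 1, 65535),   # catch-all: everything out, nothing in
]
BLOCKED = BlockedSites()
BLOCKED.add_network("198.51.100.0/24")
BLOCKED.add_range("203.0.113.10", "203.0.113.20")

if __name__ == "__main__":
    for pkt in (("incoming", "203.0.113.5", "tcp", 80), ("incoming", "198.51.100.7", "tcp", 80),
                ("outgoing", "192.168.111.20", "tcp", 23), ("outgoing", "192.168.111.20", 47, None)):
        print(pkt, "=>", evaluate(*pkt, POLICIES, BLOCKED))
```

Policy order matters: the Telnet Deny sits before the catch-all Outgoing policy, so an outbound Telnet connection is refused even though everything else over TCP is allowed out.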
Responding to ping requests You can configure the Firebox X Edge to deny pings. 1 Select the Do not respond to PING requests received on External Network checkbox or the Do not respond to PING requests received on Trusted Network checkbox. 2 Click Submit. Denying FTP access to the trusted network interface You can configure the Firebox X Edge to stop FTP traffic from the trusted interface or external interface.
a SOCKS-compatible program, configure the program with the necessary information about the Firebox X Edge. The Firebox X Edge uses SOCKS version 5. Users do not authenticate to the Firebox X Edge before using the SOCKS proxy, so any computer that can reach the trusted interface can use it. The Firebox X Edge does not resolve domain names for SOCKS clients: configure the SOCKS-compatible software to connect to IP addresses, not to domain names.
To use the SOCKS-compatible application: 1 Clear the Disable SOCKS proxy checkbox. The SOCKS proxy is enabled. 2 Click Submit. Logging all allowed outbound traffic If you use the standard property settings, the Firebox X Edge records only unusual events. When traffic is denied, the Edge records the information in the log file. You can configure the Edge to record information about all the outgoing traffic in the log file.
To stop using the current MAC address: 1 Select the Enable override MAC address for the External Network checkbox, or select the Enable override MAC address for the Failover Network checkbox. You can select both checkboxes. 2 In the External network override MAC address or Failover network override MAC address text box, type the new MAC address for the Firebox X Edge external or failover network. 3 Click Submit.
CHAPTER 7 Configuring Logging A log file is a record of all the events that occur on the Firebox® X Edge. An event is any single activity, such as the denial of a packet entering the Firebox. Logging records and saves information about these events. Log records give a list of possible security problems. An event log is an important part of a network security policy. A sequence of denied packets can show a pattern of inappropriate network activity.
Each log message contains this information: Time The time of the event that created the log message. Category The category of the message. For example, whether the message came from an IP address or from a configuration file. Message The text of the message. This procedure shows how to view the event log: 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge. The default IP address: https://192.168.111.
Logging to a Syslog Host 2 From the navigation bar, select Logging > WSEP Logging. The WatchGuard Security Event Processor Logging page appears. 3 The Enable WatchGuard Security Event Processor Logging checkbox should contain a checkmark. If it does not, select it. 4 In the Log Host IP Address field, type the IP address of the WSEP server that is your log host. 5 Type a passphrase in the Log Encryption Key field and confirm the passphrase in the Confirm Key field.
Configure a Syslog host: 1 Type the IP address of the trusted network in your browser window. The default IP address: https://192.168.111.1 2 From the navigation bar, select Logging > Syslog Logging. The Syslog Logging page appears. 3 Select the Enable Syslog output checkbox. 4 Next to Address of Syslog host, type the IP address of the computer running Syslog. Standard Syslog messages travel unencrypted over UDP, so place the Syslog host on the trusted network rather than across the external interface. 5 (Optional) Select the Include local time in syslog message checkbox to include the local time in the Syslog messages.
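The chapter opens by saying that a sequence of denied packets can reveal a pattern of inappropriate activity; once the Edge sends its log to a Syslog host, that pattern is something you can look for automatically. The Python below is an added example, not WatchGuard software. It parses constructed syslog lines in an assumed layout (the guide does not show the Edge's actual message format, so the regular expression would need adjusting for real logs), decodes the syslog priority into facility and severity, and flags sources that were denied on many distinct ports (a scan) or repeatedly on one port (a password-guessing attempt).

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log; the field layout after the tag is an assumption.
SAMPLE_LOG = """\
<134>Jun 12 10:01:02 edge firewall: deny in WAN1 198.51.100.7:53421 -> 203.0.113.2:21 tcp
<134>Jun 12 10:01:02 edge firewall: deny in WAN1 198.51.100.7:53422 -> 203.0.113.2:22 tcp
<134>Jun 12 10:01:03 edge firewall: deny in WAN1 198.51.100.7:53423 -> 203.0.113.2:23 tcp
<134>Jun 12 10:01:03 edge firewall: deny in WAN1 198.51.100.7:53424 -> 203.0.113.2:25 tcp
<134>Jun 12 10:01:04 edge firewall: deny in WAN1 198.51.100.7:53425 -> 203.0.113.2:80 tcp
<134>Jun 12 10:01:04 edge firewall: deny in WAN1 198.51.100.7:53426 -> 203.0.113.2:443 tcp
<134>Jun 12 10:02:10 edge firewall: deny in WAN1 192.0.2.44:40001 -> 203.0.113.2:22 tcp
<134>Jun 12 10:02:11 edge firewall: deny in WAN1 192.0.2.44:40002 -> 203.0.113.2:22 tcp
<134>Jun 12 10:02:12 edge firewall: deny in WAN1 192.0.2.44:40003 -> 203.0.113.2:22 tcp
<134>Jun 12 10:02:13 edge firewall: deny in WAN1 192.0.2.44:40004 -> 203.0.113.2:22 tcp
<134>Jun 12 10:03:00 edge firewall: allow out Trusted 192.168.111.20:51000 -> 93.184.216.34:443 tcp
<133>Jun 12 10:03:05 edge firewall: deny in WAN1 192.0.2.9:1234 -> 203.0.113.2:80 tcp
this line is not a firewall event and is skipped
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[\w-]+): (?P<action>allow|deny) (?P<dir>in|out) (?P<iface>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog line; return None for lines that are not firewall events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev: Dict[str, object] = m.groupdict()
    pri = int(ev.pop("pri"))
    ev["facility"], ev["severity"] = pri >> 3, pri & 7   # RFC 3164 PRI = facility*8 + severity
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def parse_log(text: str) -> List[Dict[str, object]]:
    return [ev for ev in (parse_line(raw) for raw in text.splitlines()) if ev]


def find_port_scans(events, min_ports: int = 5) -> Dict[str, List[int]]:
    """Sources denied inbound on at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for ev in events:
        if ev["action"] == "deny" and ev["dir"] == "in":
            ports[ev["src"]].add(ev["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def find_repeated_denies(events, min_hits: int = 4) -> Dict[str, int]:
    """(source, port) pairs denied at least min_hits times, keyed "src->dport",
    e.g. a tool hammering one service."""
    hits = defaultdict(int)
    for ev in events:
        if ev["action"] == "deny" and ev["dir"] == "in":
            hits[f'{ev["src"]}->{ev["dport"]}'] += 1
    return {k: n for k, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(len(evs), "events parsed")
    print("scans:", find_port_scans(evs))
    print("repeated denies:", find_repeated_denies(evs))
```

Either finding is a natural candidate for the Blocked Sites list described in the previous chapter; the thresholds here are arbitrary and should be tuned against your own baseline of background noise.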
Setting the System Time Set the system time: 1 Type the IP address of the trusted network in your browser window. The default IP address: https://192.168.111.1 2 From the navigation bar, select Logging > System Time. The System Time page appears. 3 Select a time zone from the drop-down list. 4 (Optional) Select Adjust for daylight savings time. 5 Select the method to set system time. 6 Click Submit.
Setting time using NTP Network Time Protocol (NTP) synchronizes the clocks of computers on a network. For more information on NTP, see http://www.ntp.org. Accurate time matters for logging: the timestamps on the Edge's log messages can be correlated with other systems only if its clock is correct. 1 From the System Time page, select Use NTP to periodically automatically set system time. 2 Select an NTP server from the list. Or, type the name of a new server and click Add. You can add a maximum of 16 NTP servers. Setting time manually 1 From the System Time page, select Set date and time manually.
CHAPTER 8 Configuring WebBlocker Security is one of the most important reasons to purchase and install a firewall. The Firebox X Edge, when used with the WebBlocker feature, is one of the most secure firewalls available. All companies face web content threats such as: Productivity Recreational Web surfing decreases overall productivity. Legal Concerns Employees can sue if they do not have a work environment free of gender and minority harassment.
NOTE You must purchase the WebBlocker upgrade to use this feature. For information on activating upgrade options, see “Activating Upgrade Options” on page 161. How WebBlocker Works WebBlocker uses a database of Web site addresses maintained by SurfControl®. When a user on your network tries to open a Web site, the Firebox® queries the database. If the Web site is not in the WebBlocker database, or is in a category that is not blocked, the page opens.
Creating WebBlocker Profiles 2 From the navigation bar, select WebBlocker > Settings. The WebBlocker Settings page appears. 3 Select the Enable WebBlocker check box. 4 Type a password in the Full Access Password field. The full access password gives access to all Web sites until the password expires or the browser is closed. 5 Type the same password again in the Confirm Password field. 6 Type a number, in minutes, in the Inactivity Timeout field.
After you define profiles, you can apply them when you set up accounts. This procedure appears in Chapter 10, “Managing the Firebox X Edge.” 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox® X Edge. The default IP address: https://192.168.111.1 2 From the navigation bar, select WebBlocker > Profiles. The Profiles page appears. 3 Click New. The New Profile page appears.
WebBlocker Categories The WebBlocker database contains 14 categories. A Web site is added to a category when the contents of the Web site meet that category's criteria. Web sites that give opinion or educational material about the subject matter of the category are not included. For example, the drugs/drug culture category denies sites that tell how to grow and use marijuana. It does not deny sites with information about the historical use of marijuana.
Satanic/cult Pictures or text advocating devil worship, an affinity for evil or wickedness, or joining a cult. A cult is a closed society headed by an individual, in which loyalty is demanded and leaving is forbidden. Intolerance Pictures or text advocating prejudice or discrimination against any race, color, national origin, religion, disability or handicap, gender, or sexual orientation, or any picture or text that elevates one group over another.
Allowing Certain Sites to Bypass WebBlocker masturbation, copulation, pedophilia, as well as intimacy involving nude or partially nude people in heterosexual, bisexual, lesbian, or homosexual encounters. It also includes phone sex advertisements, dating services, adult personals, and sites devoted to selling pornographic CD-ROMs and videos. Full Nudity Pictures exposing any or all portions of human genitalia.
NOTE This WebBlocker feature applies only to outbound Web access. You cannot use WebBlocker exceptions to exempt an internal host from WebBlocker rules; use the Trusted Hosts list for that. 1 From the navigation bar, select WebBlocker > Allowed Sites. The WebBlocker Allowed Sites page appears. 2 From the drop-down list, specify a host IP address, network IP address, or host range. 3 Type the host or network IP address of the allowed site. If it is a range, type the start and end points of the range.
Blocking Additional Web Sites 2 From the drop-down list, specify a host IP address, network IP address, or host range. 3 Type the host or network IP address of the denied site. If it is a range, type the start and end points of the range. Click Add. 4 Repeat step 3 for other denied sites. When you have no more sites to add, click Submit. To remove an item from the list, select the address. Click Remove.
Allowing Internal Hosts to Bypass WebBlocker You can make a list of internal hosts that bypass the WebBlocker settings: 1 From the navigation bar, select WebBlocker > Trusted Hosts. The WebBlocker Trusted Hosts page appears. 2 In the text box at the bottom of the page, type the IP address of the host to allow. Click Add. 3 Repeat step 2 for other allowed hosts. When you have no more hosts to add, click Submit. To remove an item from the list, select the address.
CHAPTER 9 Configuring Virtual Private Networks You use a virtual private network (VPN) to create secure connections between computers or networks in different locations. The networks and hosts on a VPN can be corporate headquarters, branch offices, remote users, and telecommuters. VPN tunnels are secured, and the identity of the sender and the receiver are authenticated. Data on the tunnel is encrypted. Only the sender and the receiver of the message can read it.
• The static IP address of each Firebox X Edge external interface. • The network address of the private (trusted) network located behind each Firebox X Edge (the networks that will communicate through the tunnel), and their subnet masks. The base trusted IP address of each Firebox X Edge must be static and unique. • The DNS and WINS server IP addresses, if used. • The shared key (passphrase) for the tunnel. The same shared key must be used by both devices.
What You Need to Create a VPN VPN requirements Before you configure your WatchGuard Firebox X Edge VPN network: • You can connect a maximum of 10 Firebox X Edge devices together in a star configuration. To configure more VPN tunnels, a WatchGuard Firebox III or Firebox X and WatchGuard VPN Manager is necessary. • WatchGuard recommends that each VPN device has a static IP address. Configuring a VPN tunnel between devices that use dynamic IP addresses can cause problems.
Sample VPN Address Information Table
Item: External IP Address
  Description: The IP address that identifies the IPSec-compatible device on the Internet.
  Assigned by: ISP
  Example: Site A: 207.168.55.2; Site B: 68.130.44.15
Item: External Subnet Mask
  Description: The bitmask that shows which part of the IP address identifies the local network. For example, a class C address includes 256 addresses and has a netmask of 255.255.255.0.
Using a DVCP server to create your VPN tunnels
Item: Encryption Method
  Description: DES uses a 56-bit key. 3DES uses a 168-bit key. 3DES is more secure, but slower. The two devices must use the same encryption method. A 56-bit DES key can be recovered by brute force with modest hardware, so choose 3DES.
  Assigned by: You
  Example: Site A: 3DES; Site B: 3DES
Item: Authentication
  Description: The two devices must use the same authentication method.
2 From the navigation bar, select VPN > Managed VPN. The Managed VPN page appears. 3 Select the Enable Managed VPN checkbox. 4 Type the IP address of the DVCP server. 5 Type the client name and the shared key. If you have a Basic DVCP server, use the client name. If you have a VPN Manager DVCP server, use the host name. 6 Click Submit.
4 Type the IP address of the DVCP server. 5 Type the client name and the shared key. Use the Client Name you entered on the Basic DVCP server. 6 Click Submit. Setting Up Manual VPN Tunnels You can configure a maximum of 10 tunnels from the Firebox X Edge to other Firebox X Edge devices. The VPN Manager software can configure a larger number of Firebox X Edge to Firebox X Edge tunnels.
4 Type the Name and Shared Key for the VPN tunnel. The shared key is a passphrase that both devices must know. They use it to authenticate each other, and the session keys that encrypt and decrypt data on the tunnel are derived during negotiation from the passphrase and the Diffie-Hellman exchange. If the devices do not have the same passphrase, the tunnel cannot be established. Choose a long random passphrase: anyone who learns it can impersonate either end of the tunnel. Phase 1 settings Internet Key Exchange (IKE) is a protocol used with VPNs to manage keys automatically. IKE negotiates keys and periodically replaces them.
To change the Phase 1 configuration: 1 Select the negotiation mode for Phase 1 from the drop-down list. You can use main mode only when both devices have static IP addresses. If one or both devices have dynamically assigned IP addresses, you must use aggressive mode. Aggressive mode sends the identities unencrypted and lets an eavesdropper attempt an offline dictionary attack on the shared key, so a strong passphrase is essential when you use it. 2 Enter the local ID and remote ID. 3 Select the ID types (IP Address or Domain Name) from the drop-down lists. Make sure this configuration matches the configuration on the remote device: your local ID is the remote device's remote ID, and vice versa.
NOTE The IKE Keep Alive feature is different from the VPN Keep Alive feature described in “VPN Keep Alive,” on page 117. Phase 2 settings Phase 2 negotiates the data management security association for the tunnel. The tunnel uses this phase to create IPSec security associations and to encapsulate and decapsulate data packets. You can use the default Phase 2 settings to simplify configuration. NOTE Make sure that the Phase 2 configuration is the same on both devices.
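The Phase 1 and Phase 2 notes above repeat one requirement several times: both ends must agree, and the IDs must cross (your local ID is the remote device's remote ID). Tunnels that fail to come up are usually one of those mismatches. The Python below is an added example, not WatchGuard code. It takes the two sides' settings as this guide names them (negotiation mode, ID and ID type, encryption DES or 3DES, authentication method, shared key, static or dynamic external address) and reports errors that would prevent negotiation plus warnings a security reviewer would raise. The main-mode rule, the DES/3DES choice and the crossed-ID rule come from the guide; the authentication algorithm names, the 20-character key threshold and the sample sites are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Phase1:
    mode: str                # "main" or "aggressive"
    local_id: str
    local_id_type: str       # "IP Address" or "Domain Name"
    remote_id: str
    remote_id_type: str
    encryption: str          # "DES" or "3DES"
    authentication: str      # hash algorithm, e.g. "SHA1" or "MD5" (names assumed)
    static_ip: bool          # this device's external address is static


@dataclass
class Phase2:
    encryption: str
    authentication: str


@dataclass
class TunnelEnd:
    name: str
    shared_key: str
    phase1: Phase1
    phase2: Phase2


def check_tunnel(a: TunnelEnd, b: TunnelEnd) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors stop the tunnel from negotiating;
    warnings are settings that work but are weak."""
    errors: List[str] = []
    warnings: List[str] = []
    if a.shared_key != b.shared_key:
        errors.append("shared key differs")
    elif len(a.shared_key) < 20:
        warnings.append("shared key is short; use a long random passphrase")

    p, q = a.phase1, b.phase1
    if p.mode != q.mode:
        errors.append(f"Phase 1 mode differs: {a.name}={p.mode}, {b.name}={q.mode}")
    if p.mode == "main" and not (p.static_ip and q.static_ip):
        errors.append("main mode requires static IP addresses on both devices")
    if p.mode == "aggressive":
        # Aggressive mode sends the identity in the clear and lets a passive
        # observer run an offline dictionary attack on the pre-shared key.
        warnings.append("aggressive mode exposes the PSK to offline guessing; use a strong key")
    # IDs must cross: A's local ID is B's remote ID, and vice versa.
    if (p.local_id, p.local_id_type) != (q.remote_id, q.remote_id_type):
        errors.append(f"{a.name} local ID does not match {b.name} remote ID")
    if (q.local_id, q.local_id_type) != (p.remote_id, p.remote_id_type):
        errors.append(f"{b.name} local ID does not match {a.name} remote ID")
    for field in ("encryption", "authentication"):
        if getattr(p, field) != getattr(q, field):
            errors.append(f"Phase 1 {field} differs")
        if getattr(a.phase2, field) != getattr(b.phase2, field):
            errors.append(f"Phase 2 {field} differs")
    for label, enc in (("Phase 1", p.encryption), ("Phase 2", a.phase2.encryption)):
        if enc == "DES":
            warnings.append(f"{label} uses DES (56-bit); brute-forceable, use 3DES")
    return errors, warnings


def site(name, key, local_ip, remote_ip, mode="main", enc="3DES", auth="SHA1", static=True):
    """Build a typical site that identifies both ends by external IP address."""
    return TunnelEnd(name, key,
                     Phase1(mode, local_ip, "IP Address", remote_ip, "IP Address", enc, auth, static),
                     Phase2(enc, auth))


if __name__ == "__main__":
    key = "correct horse battery staple 2004"
    a = site("SiteA", key, "207.168.55.2", "68.130.44.15")
    b = site("SiteB", key, "68.130.44.15", "207.168.55.2")
    print("matching:", check_tunnel(a, b))
    b_bad = site("SiteB", key, "68.130.44.15", "207.168.55.2", auth="MD5")
    print("auth mismatch:", check_tunnel(a, b_bad))
```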
7 Click Submit. VPN Keep Alive To keep the VPN tunnel open when there is no communication across it, you can use the IP address of a computer at the other end of the tunnel. The Firebox® X Edge sends a ping once a minute to the specified host. Use the IP address of a host that is always up and that responds to ping messages.
2 From the navigation bar, select VPN > Keep Alive. The VPN Keep Alive page appears. 3 Type the IP address of an echo host. Click Add. 4 Click Submit. Viewing VPN Statistics You can monitor VPN traffic and troubleshoot the VPN configuration with the VPN Statistics page. To view the VPN Statistics page: 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge.
Frequently Asked Questions This issue can be resolved with Dynamic DNS. For information, see “Registering with the Dynamic DNS Service” on page 62. How do I get a static external IP address? You get the external IP address for your computer or network from your ISP or an administrator. Many ISPs use dynamic IP addresses to make their networks easier to configure and easier to use with many users. Most ISPs can give you a static IP address as an option.
page. Select the checkbox Compatible with pre WFS v.3 VPN Manager.
CHAPTER 10 Configuring the MUVPN Client The MUVPN client is a software application that is installed on a remote computer. The client makes a secure connection from the remote computer to your protected network on an unsecured network. The MUVPN client uses Internet Protocol Security (IPSec) to secure the connection. This example shows how the MUVPN client is used. • The MUVPN client is installed on a remote computer. • The user connects to the Internet with the remote computer.
Preparing Remote Computers to Use the MUVPN Client Install the MUVPN client only on computers that have these minimum requirements. System requirements • A computer with a Pentium processor (or equivalent) • Compatible operating systems and minimum RAM: - Microsoft Windows 98: 32 MB - Microsoft Windows ME: 64 MB - Microsoft Windows NT 4.
2 Double-click the Network icon. The Network window appears. 3 Make sure the Client for Microsoft Networks is installed. Install the Client for Microsoft Networks before you use this procedure to configure network names. See “Installing the Client for Microsoft Networks” on page 123 for more information. 4 Click the Identification tab. 5 Type a name for the remote computer. This name must be unique on the remote network.
2 Double-click the Add/Remove Programs icon. The Add/Remove Properties window appears. 3 Click the Windows Setup tab. The Windows Setup dialog box appears. Windows looks for installed components. 4 Select the Communications checkbox and then click OK. The Copying Files dialog box appears. The operating system copies the necessary files. 5 The Dial-Up Networking Setup window appears. Click OK to restart the computer. The computer reboots. The Dial-up Networking 1.
8 Type the IP address of the WINS server in the WINS Server Search Order text field and click Add. If you have more than one remote WINS server, repeat steps 7 and 8 for each server.
9 Click OK to close the TCP/IP Properties window. Click OK to close the Network window. The System Settings Change dialog box appears.
10 Click Yes to restart the computer. The computer restarts.
10 Restart the computer.
Configuring the WINS and DNS settings
The remote computer must be able to contact the WINS servers and the DNS servers. These servers are located on the trusted network that is protected by the Firebox X Edge. From the Windows desktop:
1 Select Start > Settings > Control Panel.
2 Double-click the Network icon. The Network window appears.
3 Click the Protocols tab and select the TCP/IP protocol.
4 Click Properties.
4 Make sure the following components are installed and enabled:
- Internet Protocol (TCP/IP)
- File and Printer Sharing for Microsoft Networks
- Client for Microsoft Networks
Installing the Internet Protocol (TCP/IP) network component
From the connection window Networking tab:
1 Click Install. The Select Network Component Type window appears.
2 Double-click the Protocol network component. The Select Network Protocol window appears.
From the connection window Networking tab:
1 Select the Internet Protocol (TCP/IP) component and click Properties. The Internet Protocol (TCP/IP) Properties window appears.
2 Click Advanced. The Advanced TCP/IP Settings window appears.
3 Click the DNS tab and, in the section labeled DNS server addresses, in order of use, click Add. The TCP/IP DNS Server window appears.
4 Type the IP address of the DNS server and click Add. To add more DNS servers, repeat steps 3 and 4.
2 Double-click the Network Connections icon.
3 Double-click the connection you use to get Internet access. The connection window appears.
4 Click Properties.
5 Click the Networking tab.
Configuring the WINS and DNS settings
The remote computer must be able to contact the WINS and DNS servers. These servers are on the trusted network of the Firebox X Edge. From the connection window, Networking tab:
1 Select the Internet Protocol (TCP/IP) component.
2 Click Properties. The Internet Protocol (TCP/IP) Properties window appears.
3 Click Advanced. The Advanced TCP/IP Settings window appears.
Installing and Configuring the MUVPN Client
Get the MUVPN installation files from the WatchGuard Web site: http://www.watchguard.com/support
NOTE To install and configure the MUVPN client, you must have local administrator rights on the remote computer.
Installing the MUVPN client
To install the MUVPN client:
1 Copy the MUVPN installation file to the remote computer.
3 Click Next.
13 The MUVPN client is installed. Make sure the option Yes, I want to restart my computer now is selected. Click Finish. The computer restarts.
NOTE The ZoneAlarm personal firewall may prevent you from connecting to the network after the computer restarts. If this occurs, log on to the computer locally the first time after installation. For more information, see “The ZoneAlarm Personal Firewall” on page 140.
Importing the .
Enabling MUVPN for Edge Users
Disconnect all existing tunnels and dial-up connections. Reboot the remote computer. From the Windows desktop:
1 Select Start > Settings > Control Panel. The Control Panel window appears.
2 Double-click the Add/Remove Programs icon. The Add/Remove Programs window appears.
3 Select Mobile User VPN and click Change/Remove. The InstallShield wizard appears.
4 Select Remove. Click Next. The Confirm File Deletion dialog box appears.
Configuring MUVPN client settings
The MUVPN client settings apply to all of the Edge’s MUVPN connections. For information on these settings, see “Configuring MUVPN client settings” on page 151.
Enabling MUVPN access for an Edge user account
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge. The default trusted IP address is https://192.168.111.1.
Connecting and Disconnecting the MUVPN Client
Configuring the Firebox for MUVPN Clients Using Pocket PC
To create a MUVPN tunnel between the Firebox X Edge and your Pocket PC, you must configure the MUVPN Clients feature on the Firebox. Follow the previous procedure, except select Pocket PC from the VPN Client Type drop-down list. For additional information about configuring your Pocket PC to serve as an MUVPN client, go to the WatchGuard Web site: https://www.watchguard.
2 If the MUVPN client is not active, right-click the icon and select Activate Security Policy. For information about the MUVPN icon, see “The MUVPN client icon” on page 136.
From the Windows desktop:
3 Select Start > Programs > Mobile User VPN > Connect. The WatchGuard Mobile User Connect window appears.
4 Click Yes.
The MUVPN client icon
The MUVPN icon appears in the Windows desktop system tray. The icon image shows the status of the connection.
The MUVPN client started one or more secure MUVPN tunnel connections. The red bar on the right of the icon tells you that the client is sending data that is not secure.
Activated, Connected and Transmitting Secured Data
The MUVPN client started one or more secure MUVPN tunnels. The green bar on the right of the icon tells you that the client is sending only secure data.
2 Select the Remember this answer the next time I use this program check box and then click Yes. This option lets the ZoneAlarm personal firewall allow Internet access for this program each time you start a MUVPN connection.
Disconnecting the MUVPN client
From the Windows desktop system tray:
1 Right-click the MUVPN client icon and select Deactivate Security Policy. The MUVPN client icon with a red bar is displayed.
Monitoring the MUVPN Client Connection
Using Connection Monitor
The Connection Monitor shows statistical and diagnostic information for connections in the security policy. This window shows the security policy settings and the security association (SA) information. The monitor records the information that appears in this window during the phase 1 IKE negotiations and the phase 2 IPSec negotiations. From the Windows desktop system tray:
1 Right-click the Mobile User VPN client icon.
• A single SA icon with several key icons above it indicates a single phase 1 SA to a gateway that protects multiple phase 2 SAs.
The ZoneAlarm Personal Firewall
The ZoneAlarm personal firewall protects your computer and network by following a simple rule: block all incoming and outgoing traffic unless you explicitly allow that traffic for trusted programs. When you use ZoneAlarm you often see New Program alert windows.
Program and executable name:
- MS Internet Explorer: IEXPLORE.exe
- Netscape 6.1: netscp6.exe
- Opera Web browser: Opera.exe
- Standard Windows network applications: lsass.exe, services.exe, svchost.exe, winlogon.exe
Shutting down ZoneAlarm
From the Windows desktop system tray:
1 Right-click the ZoneAlarm icon.
2 Select Shutdown ZoneAlarm. The ZoneAlarm window appears.
3 Click Yes.
Troubleshooting Tips
Get additional information about the MUVPN client from the WatchGuard Web site: www.watchguard.com/support
Several frequently asked questions about the MUVPN client are answered below.
My computer hangs immediately after installing the MUVPN client...
This problem can have one of two causes:
• The ZoneAlarm personal firewall application is stopping normal traffic on the local network.
I am not prompted for my user name and password when I turn my computer on...
The ZoneAlarm personal firewall application can cause this problem. ZoneAlarm keeps your computer secure from unauthorized incoming and outgoing traffic, but it can also prevent your computer from broadcasting its network information, which stops your computer from sending the login information.
I am sometimes prompted for a password when I am browsing the company network...
Due to a Windows networking limitation, remote-user virtual private networking products can allow access only to a single network domain. If your company has multiple networks connected together, you will only be able to browse your own domain. If you try to connect to other domains, a password prompt will appear.
CHAPTER 11 Managing the Firebox® X Edge
The Firebox® X Edge includes tools to help you manage your network and your users. You can:
• Examine current users and properties
• Configure user profiles and customize user accounts
• Upgrade the Edge and activate new features
• Examine the current configuration file in a text format
Viewing Current Sessions and Users
A session is a connection between a computer on the trusted or optional network and a computer on the external network.
2 From the navigation bar, select Firebox Users. The Firebox Users page appears.
Firebox User Settings
Below Firebox User Settings, you can see the current values for all global user and session settings. Click the Configure button to open the Settings page. For more information, see “Changing authentication options for all users” on page 149 and “Configuring MUVPN client settings” on page 151.
• The total length of time of the session
• The time between the last packet and the session expiration. This is known as the idle time. If you set the idle time to 0 hours and 0 minutes, the Firebox does not disconnect the session.
Closing a session
To disconnect an active session, click the X for the session. A dialog box appears. Click Yes to disconnect the session. To disconnect all active sessions, click Close All.
Editing a user account
To edit a user account, click its Edit icon. For descriptions of the fields you can configure, see “Adding or Editing a User Account,” on page 152.
Deleting a user account
To remove a user account, click the X for the account. A dialog box appears. Click Yes to remove the account.
About User Authentication
The Firebox® X Edge uses advanced authentication options to increase network security.
• Read-Only -- Use to see Edge configuration properties and status. A user with this access level cannot change the configuration file.
• Full -- Use to see and to change Edge configuration properties. You can also activate options, disconnect active sessions, restart the Edge, and add or edit user accounts. A user with this access level can change the passphrase for all user accounts.
3 Use the definitions below to help you change your settings. Click Submit.
• Require User Authentication – You must select this check box to use the authentication options.
• External Network Access Restrictions – Select this check box if your users must authenticate before they connect to computers on the external network. The external network is frequently the Internet.
Edge, the clock starts on the session. After the specified interval, the user must authenticate again or the Edge closes the session.
• Reset Idle Timer on Embedded Web Site Access – When this check box is selected, the Edge does not disconnect a session at an idle time-out while the Login Status dialog box is open on the desktop, because the dialog box's access to the embedded web site resets the idle timer. Clear this check box if you want idle time-outs to close the session even while the Login Status dialog box is open.
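The session rules above (a maximum session length, an idle time-out that is disabled when set to 0 hours 0 minutes, and the optional resetting of the idle timer by the Login Status dialog box) can be modelled as a small reference implementation. The following is an added example written for this guide, not WatchGuard firmware code; the class and field names, the second-based clock, and the choice to treat a maximum session time of 0 as "no maximum" are assumptions made for the example.

```python
"""Reference model of the Firebox X Edge user-session time-outs.

Added example, not WatchGuard code. It models the behaviour the settings
above describe: a session is closed when its maximum length elapses or
when no packet has been seen for the idle interval; an idle time of
0 hours 0 minutes disables the idle check; and when "Reset Idle Timer on
Embedded Web Site Access" is selected, the Login Status dialog box polling
the embedded web site counts as activity. Names, the second-based clock
and "max_session_seconds == 0 means no maximum" are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SessionPolicy:
    max_session_seconds: int         # assumption: 0 means no maximum
    idle_seconds: int                # documented: 0 means never idle out
    reset_idle_on_web_access: bool   # the "Reset Idle Timer..." check box


@dataclass
class Session:
    user: str
    started: float
    last_packet: float
    closed_reason: Optional[str] = None


class SessionTable:
    def __init__(self, policy: SessionPolicy) -> None:
        self.policy = policy
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str, now: float) -> None:
        """User authenticates to the Edge; the session clock starts."""
        self.sessions[user] = Session(user, now, now)

    def packet(self, user: str, now: float) -> None:
        """Traffic from the user's computer resets the idle timer."""
        s = self.sessions.get(user)
        if s is not None and s.closed_reason is None:
            s.last_packet = now

    def web_access(self, user: str, now: float) -> None:
        """Login Status dialog box polling the embedded web site."""
        if self.policy.reset_idle_on_web_access:
            self.packet(user, now)

    def idle_remaining(self, user: str, now: float) -> Optional[float]:
        """Seconds until the session expires for idleness (the 'idle time'
        shown in the sessions list), or None when idle time-out is off."""
        s = self.sessions[user]
        if self.policy.idle_seconds == 0:
            return None
        return max(0.0, self.policy.idle_seconds - (now - s.last_packet))

    def sweep(self, now: float) -> List[str]:
        """Close expired sessions; return the users whose sessions closed."""
        closed = []
        p = self.policy
        for s in self.sessions.values():
            if s.closed_reason is not None:
                continue
            if p.max_session_seconds and now - s.started >= p.max_session_seconds:
                s.closed_reason = "max_session"
            elif p.idle_seconds and now - s.last_packet >= p.idle_seconds:
                s.closed_reason = "idle"
            if s.closed_reason is not None:
                closed.append(s.user)
        return closed

    def active_users(self) -> List[str]:
        return sorted(u for u, s in self.sessions.items() if s.closed_reason is None)


def demo() -> dict:
    """Scenario: idle 10 min, max 8 h, web access resets the idle timer."""
    t = SessionTable(SessionPolicy(8 * 3600, 600, True))
    t.login("alice", 0)
    t.login("bob", 0)
    t.packet("alice", 500)          # alice sends traffic
    t.web_access("bob", 500)        # bob only has the Login Status box open
    first = t.sweep(1000)           # both active at t=500: nothing closes
    second = t.sweep(1100)          # 600 s idle since t=500: both close
    return {"first": first, "second": second, "active": t.active_users()}
```

Note that with the reset option selected, a user who leaves the Login Status dialog box open is never idled out, which is exactly why the guide offers the option of clearing that check box.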
5 You can also enter a WINS Server Address and DNS Server Address. Type the server IP addresses in the related fields.
Adding or Editing a User Account
Firebox X Edge users
When you create a user for the Firebox X Edge, you select the Administrative Access Level for that user. You can also configure a WebBlocker account and MUVPN restrictions.
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox.
6 In the Description field, enter a description for the user. This is for your information only.
7 In the Password field, enter a password with a maximum of eight characters. Use a mixture of letters, numbers, and symbols. Do not use a word you could find in a dictionary. For increased security, use at least one special symbol, a number, and a mixture of uppercase and lowercase letters.
8 Enter the password again in the Confirm Password field.
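The password rules in step 7 can be checked before a password is typed into the Edge. The following is an added example, not WatchGuard code: it enforces the stated rules (at most eight characters, at least one special symbol, a number, both upper-case and lower-case letters, no dictionary word) and adds a keyspace estimate so that the effect of the eight-character limit is visible. The word list is a small constructed stand-in for a real dictionary check.

```python
"""Checker for the Firebox X Edge user-account password rules.

Added example, not WatchGuard code. It enforces the rules the step above
states: a maximum of eight characters, at least one special symbol, at
least one number, both upper-case and lower-case letters, and no
dictionary word. DICTIONARY is a constructed stand-in for a real word
list. keyspace_bits() shows the brute-force bound implied by the limit.
"""
import math
import string
from typing import List

MAX_LEN = 8  # the Edge password field accepts at most eight characters

# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "firebox", "summer", "letmein", "welcome", "admin"}

SYMBOLS = set(string.punctuation)  # 32 printable ASCII symbols


def check_password(pw: str) -> List[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if not pw:
        problems.append("empty")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no special symbol")
    # Compare only the letters, so that "Summer1!" is still caught as a
    # dictionary word dressed up with a digit and a symbol.
    letters = "".join(c for c in pw if c.isalpha()).lower()
    if letters in DICTIONARY:
        problems.append("based on a dictionary word")
    return problems


def keyspace_bits(pw: str) -> float:
    """log2 of the number of strings of this length drawn from the character
    classes the password actually uses: an upper bound on offline guessing
    work that ignores dictionary structure. With the eight-character cap,
    even a password using all four classes stays near 52 bits."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in SYMBOLS for c in pw):
        alphabet += len(SYMBOLS)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for candidate in ("Tr0ub4d!", "Summer1!", "password", "Abcdefg1!"):
        print(candidate, check_password(candidate), round(keyspace_bits(candidate)))
```

Because the device caps the length at eight characters, the checker can only push a password toward the strongest shape that limit allows; the keyspace figure makes that ceiling explicit when deciding who is given an account with Full access.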
• Change the configuration mode on the External page.
• Click the Reset Event Log and Sync Time with Browser Now buttons on the Logging page.
• Click the Synchronize Now button on the System Time page.
• Click the Regenerate IPSec Keys button on the VPN page.
• Change the configuration mode on the Managed VPN page.
• Click the Launch Wizard button from the Wizard page.
To create a read-only user account, edit the user account.
bol, a number, and a mixture of upper case and lower case letters for increased security.
Terminating a session
A Firebox uses a session when it makes a connection between a computer on the trusted interface and a computer on the external interface.
6 Click Submit.
About Seat Licenses
The Firebox X Edge is enabled with a set number, or “pool”, of seat licenses. The number of seat licenses limits how many users can get out to the Internet at one time. The total number of available seat licenses in the pool is determined by the Edge model you have and any upgrade licenses you apply.
allow the traffic to pass. A seat license is consumed only when traffic is allowed to pass from behind the Edge to the external network.
Selecting HTTP or HTTPS for Firebox Management
HTTP (Hypertext Transfer Protocol) is the “language” used for transferring files (text, graphic images, and multimedia files) on the Internet.
Changing the HTTP Server Port
To connect to the Firebox X Edge to view its configuration pages, or for a user to authenticate to the Edge, the browser's connection must use the same port as the Edge’s HTTP server port. The Edge is managed over HTTPS by default, and HTTPS uses TCP port 443 (plain HTTP uses TCP port 80), so the default HTTP server port for the Edge is 443. To change the port over which you communicate with the Firebox X Edge, type a new value in the HTTP Server Port field. After the change, every administrator and every user who authenticates to the Edge must connect on the new port.
Updating the Firmware
2 From the navigation bar, select Administration > VPN Manager Access. The VPN Manager Access page appears.
3 Select the Enable VPN Manager Access checkbox.
4 Type the status passphrase and then type it again to confirm in the applicable fields.
5 Type the configuration passphrase and then type it again to confirm in the applicable fields.
NOTE These passphrases must match the passphrases used in the VPN Manager software or the connection will fail.
you to update the firmware through the Firebox X Edge Web pages. If you configure your Firebox X Edge from a computer that does not use the Windows operating system, such as Macintosh or Linux, you must update your firmware with the second procedure, because those operating systems cannot run Windows executable files.
Method 1
The first method uses an auto-executable file and is the preferred method for updating the Firebox X Edge firmware from a Windows computer.
Activating Upgrade Options
2 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge. The default IP address is: https://192.168.111.1
3 From the navigation bar, select Administration > Update. The Administration page appears with the End User License Agreement (EULA).
4 Read the text of the EULA. If you agree, select the I accept the above license agreement checkbox.
6 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge. The default IP address is: https://192.168.111.1
7 From the navigation bar, select Administration > Upgrade. The Upgrade page appears.
8 Paste the feature key in the applicable field.
9 Click Submit.
Upgrade options
User licenses
A seat license upgrade allows more connections between the trusted network and the external network.
Configuring Additional Options
licenses, more concurrent sessions, and more VPN tunnels. For a datasheet showing the capabilities of the different Firebox X Edge models, go to: http://www.watchguard.com/docs/datasheet/edge_ds.asp
You can upgrade an X5 or an X15 to any higher model.
1 Go to the Activation Center on the WatchGuard Web site (www.watchguard.com/upgrade) and log into your LiveSecurity Service account.
Viewing the Configuration File
You can view the contents of the Firebox® X Edge configuration file in text format from the View Configuration page.
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the Firebox X Edge. The default IP address is: https://192.168.111.1
2 From the navigation bar on the left side, select Administration > View Configuration File.
APPENDIX A Firebox® X Edge Hardware
The WatchGuard® Firebox® X Edge is a firewall for small organizations and branch offices. The WatchGuard Firebox X Edge wireless has a built-in access point for connecting computers with wireless capability.
• A Hardware Warranty Card
• An AC adapter (12 V)
• Power cable clip, to attach to the cable and connect to the side of the Edge. This releases tension on the power cable.
Specifications
Processor: 64-bit MIPS
Memory - Flash: 16 MB
Memory - RAM: 64 MB
Ethernet interfaces: 10, each 10/100
Serial ports: 1 DB9
Power supply: 12 V DC
Operating temperature: 0 - 40 C
Dimensions: Depth 5.75 inches, Width 8.75 inches, Height 1.25 inches
Weight: 1.9 U.S. pounds
Hardware Description
The Firebox X Edge has a simple hardware architecture. All indicator lights are on the front panel; all ports and connectors are on the rear of the device.
WAN 1, 2
Shows a physical connection to the external Ethernet interfaces. The indicator light is yellow when traffic goes through the related interface.
WAP
Shows a wireless connection to the Edge. The indicator light is green when traffic goes through the wireless interface on a Firebox X Edge Wireless model.
F/O
Shows a WAN failover. The indicator light is green when there is a WAN failover from WAN1 to WAN2. The indicator light goes off when the external interface connection goes back to WAN1.
RESET button
Push the RESET button to set the Firebox X Edge to the factory default configuration. For more information, see “Factory Default Settings” on page 41.
Back view
Serial port (DB9)
Use the serial port to connect an external modem to the Edge.
Ethernet interfaces 0 through 6
The seven Ethernet interfaces marked 0 through 6 are for the trusted network.
OPT interface
This Ethernet interface is for the optional network.
Antennae (wireless model only) There are wireless antennae on the two side panels of the Firebox X Edge wireless models.
Index Symbols C .wgx files 132 cable modem 2 cables included in package 12, 166 cabling for 0-6 devices 17 for 1 - 4 appliances 70 for 5+ appliances 71 for 7+ devices 18 CIDR notation 116 Classless Inter Domain Routing 116 Client for Microsoft Networks, installing 123, 127 client, described 2 configuration file, viewing 164 configuration pages connecting to 20 description 29–39 navigating 29 opening 30 configuration pages.
D E daylight savings time 95 default factory settings 41–42 Denied Sites page 104 DHCP described 5, 47 setting the Firebox to use 23 setting your computer to use 20 DHCP address reservations setting on the optional network 58 setting on the trusted network 53 DHCP Address Reservations page 53, 58 DHCP relay configuring the optional network 58 configuring the trusted network 53 DHCP relay agent, configuring Firebox as 54 DHCP relay agent, configuring the optional network as 59 DHCP server configuring Fireb
registering 26 resetting to factory default 42 updating software 40 upgrade options 161 viewing log messages for 91 Web pages.
disconnecting 138 icon for 136–137 installing 131 monitoring 138–140 preparing remote computers for Optional Network Configuration page 55, 56, 57, 58, 59 troubleshooting 142–144 uninstalling 132 MUVPN Clients upgrade 162 options Managed VPN 163 Manual VPN 163 MUVPN Clients 162 seat license upgrade 162 WAN failover 163 WebBlocker 162 N P navigation bar 31 netmask 13 network address translation (NAT) 14 Network Interface Wizard, see Quick Setup Wizard network interfaces, configuring 45–66 Network page
Trusted Hosts 106 Trusted Network Configuration 51, 52, 53, 54, 146 Upgrade 162 VPN 39 VPN Keep Alive 118 VPN Manager Access 158, 159 VPN Statistics 118 WAN Failover 65 WatchGuard Security Event Processor Logging 93 WebBlocker 38 WebBlocker Settings 99, 100 Wireless Network Configuration 73, Q Quick Setup Wizard 45 R rebooting 42–44 Remote Access Services, installing 125 RESET button 169 resetting to factory default 42 Routes page 61, 78 routes, configuring static 78 75 Wizards 39 passphrases, describe
static IP addresses and VPNs 118 obtaining 119 static routes making 60 removing 61 static routes, configuring 78 SurfControl 98 Syslog Logging page 94 Syslog, described 93 Syslog host, logging to 93 system configuration pages.
W WAN Failover configuring 65 described 64, 163 WAN Failover page 65 WAN ports 169 WAN1 port 64 WAN2 port 64 WatchGuard Security Event Processor 92 WatchGuard Security Event Processor Logging page 93 Web sites, blocking specific 104 WebBlocker allowing internal hosts to bypass 106 wireless networks described ??–70 security 74 wizards Quick Setup 45 Wizards page 39 WSEP 92 Z ZoneAlarm allowing traffic through 140 described 121, 140 icon for 138 shutting down 141 uninstalling 141 allowing sites to bypass