Fireware Essentials Student Guide (en US) v11.12

June 17, 2018 | Author: Gleidson Campos | Category: Firewall (Computing), Proxy Server, Ip Address, Virtual Private Network, Computer Network

Fireware v11.12 Training
Fireware Essentials Student Guide

WatchGuard Fireboxes
Guide Revised For: Fireware v11.12 & Dimension v2.1.1
Revision Date: January 2017

WatchGuard Technologies, Inc.

About the Fireware Essentials Student Guide

Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright and Patent Information
Copyright © 2016 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and other countries. This product is covered by one or more pending patent applications. All other trademarks and trade names are the property of their respective owners. Complete copyright, trademark, and licensing information can be found in the Copyright and Licensing Guide, available online at http://www.watchguard.com/wgrd-help/documentation/overview. Printed in the United States.

Fireware Essentials Student Guide

Table of Contents

Course Introduction .... 1
  Training Options .... 1
  Necessary Equipment and Software .... 2
  Training Scenario .... 3
  Prerequisites .... 3
  Training Network Configuration .... 4
  Fireware Web UI and Command Line Interface .... 7
  Additional Resources .... 7

Getting Started .... 9
  What You Will Learn .... 9
  Management, Monitoring, and Visibility Tools .... 9
  Activate Your Firebox .... 12
  Configure Your Firebox .... 13
  Exercises — Before You Begin .... 16
  Exercise 1 — Use the Web Setup Wizard .... 17
  Exercise 2 — Use the Quick Setup Wizard .... 24
  Exercise 3 — Open WSM and Connect to Devices and Servers .... 25
  Exercise 3 — Start Policy Manager .... 27
  Test Your Knowledge .... 29
  Notes .... 32

Administration .... 33
  What You Will Learn .... 33
  Manage Configuration Files and Device Properties .... 33
  Manage Users and Roles on Your Firebox .... 35
  Exercise 1 — Open and Save Configuration Files .... 37
  Exercise 2 — Configure a Firebox for Remote Administration .... 39
  Exercise 3 — Add Device Management Users .... 41
  Exercise 4 — Examine and Update Feature Keys .... 43
  Exercise 5 — Create a Device Backup Image .... 46
  Exercise 6 — Add Firebox Identification Information .... 48
  Test Your Knowledge .... 49
  Notes .... 51

Network Settings .... 52
  What You Will Learn .... 52
  Properties and Features of Firebox Interfaces .... 53
  Exercise 1 — Configure the External Interface .... 62
  Exercise 2 — Configure a Trusted Interface as a DHCP Server .... 66
  Exercise 3 — Configure an Optional Interface .... 68
  Exercise 4 — Configure WINS/DNS Server Information .... 69
  Exercise 5 — Configure a Secondary Network .... 70
  Frequently Asked Questions .... 71
  Test Your Knowledge .... 72
  Notes .... 75

Set Up Logging & Servers .... 76
  What You Will Learn .... 76
  Logging and Reporting Setup Process Overview .... 77
  Maintain a Record of Device Activity .... 78
  Exercise 1 — Set Up WatchGuard Server Center .... 82
  Exercise 2 — Set Up a WSM Log Server .... 83
  Exercise 3 — Control Database and Notification Properties .... 85
  Exercise 4 — Configure Where the Firebox Sends Log Messages .... 89
  Exercise 5 — Configure Logging and Notification for Policies .... 92
  Exercise 6 — Configure a WSM Report Server .... 95
  Test Your Knowledge .... 100
  Notes .... 103

Monitor Your Firewall .... 104
  What You Will Learn .... 104
  Regular Monitoring Improves Security .... 105
  Exercise 1 — Review Network Status in WSM .... 108
  Exercise 2 — Use Firebox System Manager .... 111
  Exercise 3 — Use the Blocked Sites List .... 121
  Exercise 4 — Use FireWatch .... 122
  Exercise 5 — Use Geolocation .... 126
  Exercise 6 — Use Mobile Security .... 129
  Exercise 7 — Use Network Discovery .... 131
  Test Your Knowledge .... 134
  Notes .... 136

NAT .... 137
  What You Will Learn .... 137
  NAT Overview .... 138
  Static NAT .... 143
  NAT Loopback .... 144
  Exercise 1 — Add Firewall Dynamic NAT Entries .... 145
  Exercise 2 — Configure Static NAT to Allow Access to Public Servers .... 147
  Exercise 3 — Configure NAT Loopback to an Internal Web Server .... 150
  Test Your Knowledge .... 153
  Notes .... 155

Threat Protection .... 156
  What You Will Learn .... 156
  Default Threat Protection Measures Block Intruders .... 156
  Geolocation .... 160
  Exercise 1 — Configure Default Packet Handling Options .... 163
  Exercise 2 — Block Potential Sources of Attacks .... 164
  Exercise 3 — Block Sites Automatically .... 166
  Test Your Knowledge .... 167
  Notes .... 169

Policies .... 170
  What You Will Learn .... 170
  Policies are Rules for Your Network Traffic .... 171
  Exercise 1 — Add a Packet Filter Policy and Configure Access Rules .... 176
  Exercise 2 — Use FQDN in a Policy .... 181
  Exercise 3 — Create a Custom Packet Filter Template .... 183
  Exercise 4 — Configure Logging and Notification for a Policy .... 186
  Exercise 5 — Change Policy Precedence .... 187
  Exercise 6 — Use Advanced Policy Properties .... 189
  Exercise 7 — Use Policy Tags and Filters to Group and Sort Policies .... 191
  Test Your Knowledge .... 194
  Notes .... 196

Proxy Policies .... 197
  What You Will Learn .... 197
  Proxy Policies and ALGs .... 197
  About the DNS Proxy .... 198
  About the FTP Proxy .... 199
  About H.323 and SIP ALGs .... 201
  About the TCP-UDP Proxy .... 201
  Exercise 1 — Use the DNS-Outgoing Proxy Action .... 202
  Exercise 2 — Configure an FTP-Server Proxy Action .... 205
  Exercise 3 — Set Access Controls on H.323 Connections .... 209
  Test Your Knowledge .... 211
  Notes .... 213

Email Proxies and Blocking Spam .... 214
  What You Will Learn .... 214
  Control the Flow of Email In and Out of Your Network .... 215
  Stop Unwanted Email at the Network Edge .... 216
  Exercise 1 — Use the SMTP-Proxy to Protect Your Mail Server .... 221
  Exercise 2 — Control Outgoing SMTP Connections .... 228
  Exercise 3 — Use a POP3-Client Policy .... 232
  Exercise 4 — Activate spamBlocker .... 235
  Exercise 5 — Configure the spamBlocker Service .... 236
  Exercise 6 — Monitor spamBlocker Activity .... 239
  Test Your Knowledge .... 240
  Notes .... 243

Web Traffic .... 244
  What You Will Learn .... 244
  Control Web Traffic Through Your Firewall .... 245
  Monitor Secured HTTP Traffic with the HTTPS-Proxy Policy .... 251
  Bandwidth and Time Quotas .... 251
  Restrict Web Access with WebBlocker .... 251
  About Reputation Enabled Defense .... 255
  Monitor Reputation Enabled Defense .... 258
  Exercise 1 — Configure HTTP Connections from Trusted Users .... 259
  Exercise 2 — Use HTTP-Proxy Exceptions to Allow Software Updates .... 265
  Exercise 3 — Configure an HTTP-Server Proxy Action .... 266
  Exercise 4 — Enable Bandwidth and Time Quotas .... 268
  Exercise 5 — Selectively Block Websites with WebBlocker .... 272
  Exercise 6 — Set Up Reputation Enabled Defense .... 276
  Exercise 7 — See Reputation Enabled Defense Statistics .... 278
  Frequently Asked Questions .... 279
  Test Your Knowledge .... 280
  Notes .... 284

Signature Services and APT Blocker .... 285
  What You Will Learn .... 285
  Identify and Stop Viruses at the Edge of Your Network .... 286
  AntiVirus Scans User Traffic for Viruses and Trojans .... 287
  Block Advanced Malware with APT Blocker .... 289
  Control the Loss of Sensitive Data .... 291
  Intrusion Prevention Service Blocks Direct Attacks .... 295
  Control and Monitor Application Usage on Your Network .... 296
  Configure Application Control .... 297
  Application Control Actions and Proxy Actions .... 299
  Block Access to Botnet Sites with Botnet Detection .... 299
  Exercise 1 — Set Up Gateway AntiVirus .... 300
  Exercise 2 — Configure the SMTP-Proxy Policy for Gateway AntiVirus .... 303
  Exercise 3 — Use APT Blocker with the SMTP-Proxy Policy .... 305
  Exercise 4 — Configure the FTP-Proxy for Data Loss Prevention .... 307
  Exercise 5 — Configure the Intrusion Prevention Service .... 312
  Exercise 6 — Configure Application Control .... 314
  Exercise 7 — Use Different Application Control Actions for Different Policies .... 319
  Test Your Knowledge .... 322
  Notes .... 324

Authentication .... 325
  What You Will Learn .... 325
  Monitor and Control Network Traffic by User .... 326
  Authentication Methods Available with Fireware .... 328
  Use the Firebox Authentication Server .... 328
  About Third-Party Authentication Servers .... 329
  About Authentication Timeout Values .... 331
  Exercise 1 — Add a Firebox User Group and Add Users .... 332
  Exercise 2 — Edit Policies to Use Firebox Authentication .... 336
  Exercise 3 — Set Global Authentication Values .... 338
  Exercise 4 — Use a Web Server Certificate .... 341
  Test Your Knowledge .... 342
  Notes .... 345

Logging & Reporting .... 346
  What You Will Learn .... 346
  Review Log Messages .... 347
  Build Reports from Log Messages .... 350
  Exercise 1 — Send Log Messages to Dimension .... 354
  Exercise 2 — View Log Messages in Dimension .... 355
  Exercise 3 — Search Log Messages in Dimension .... 357
  Exercise 4 — Export Log Messages from Dimension .... 360
  Exercise 5 — Create Device Groups in Dimension .... 361
  Exercise 6 — View Reports in Dimension .... 362
  Exercise 7 — Export Reports from Dimension .... 363
  Exercise 8 — Use WSM Log Manager to View Log Messages .... 366
  Exercise 9 — Use Report Manager to View & Run Reports .... 371
  Exercise 10 — Share Reports from Report Manager .... 375
  Test Your Knowledge .... 376
  Notes .... 378

Branch Office VPN .... 379
  What You Will Learn .... 379
  BOVPN Overview .... 379
  IPSec VPN Algorithms and Protocols .... 383
  VPN Negotiations .... 385
  Policies and VPN Traffic .... 389
  Global VPN Settings .... 390
  VPN Monitoring and Troubleshooting .... 391
  Requirements for VPN Exercises .... 399
  Exercise 1 — Configure a BOVPN Gateway and Tunnel .... 402
    Configure Device A .... 402
    Configure Device B .... 408
    Check Tunnel Status .... 413
  Exercise 2 — Use VPN Diagnostics .... 414
  Exercise 3 — Use 1-to-1 NAT Through a BOVPN Tunnel .... 415
  Additional VPN Resources .... 420
  Test Your Knowledge .... 421
  Notes .... 424

Mobile VPN .... 425
  What You Will Learn .... 425
  Connect Remote Users Securely to the Network .... 426
  Select the Mobile VPN Type .... 428
  Mobile VPN Setup Overview .... 430
  Mobile VPN Client Configuration Files .... 431
  Mobile VPN Network and Resource Settings .... 433
  Before You Begin .... 436
  Exercise 1 — Configure Mobile VPN with IPSec and Generate Client Configuration Files .... 439
  Exercise 2 — Get the Mobile VPN Client Configuration Files .... 447
  Exercise 3 — Use an IPSec VPN Client .... 449
    Exercise 3A — Use the Shrew Soft IPSec VPN Client .... 450
    Exercise 3B — Use the WatchGuard Mobile VPN with IPSec Client .... 452
  Exercise 4 — Set Up Mobile VPN with SSL .... 456
  Exercise 5 — Use the Mobile VPN with SSL Client .... 460
  Test Your Knowledge .... 463
  Notes .... 466

Fireware Web UI .... 467
  What You Will Learn .... 467
  Introduction to Fireware Web UI .... 467
  Limitations of Fireware Web UI .... 468
  Connect to Fireware Web UI .... 468
  Control Access to the Web UI .... 478
  Exercise 1 — Connect to the Web UI with the Status User Account .... 482
  Exercise 2 — Configure a Firebox for Remote Web UI Administration .... 485
  Test Your Knowledge .... 490
  Notes .... 492

Course Introduction
Firewall Essentials with Fireware v11.12

Devices: WatchGuard Fireboxes
Device OS versions: Fireware® v11.12
Management software versions: WatchGuard® System Manager v11.12

Training Options
If you use Fireware OS and WatchGuard System Manager (WSM) for your Firebox, there are several training options available to you:

Classroom training with a WatchGuard Certified Training Partner (WCTP)
WatchGuard maintains a worldwide network of certified training partners who offer regular training courses. A list of training partners can be found on our website at: http://www.watchguard.com/training/partners_locate.asp

Quick review presentation
You can download and review the Firewall Essentials presentation. This PowerPoint presentation gives an overview of WatchGuard System Manager and Policy Manager. Students learn how to install a Firebox with the Quick Setup Wizard, create basic security policies, and get more information about additional subscription services.

Fireware Essentials Online Course
Each training module available for WatchGuard System Manager and Fireware OS focuses on a specific feature or function of configuration and security management. For more information, including configuration steps for advanced procedures, see Fireware Help.


Necessary Equipment and Software
For the majority of the training modules, you only need a default WatchGuard Fireware configuration file that you view and modify locally. You do not need to connect to a device to complete most of the exercises. The few modules that require additional hardware include instructions on what is needed and how to set it up. In some training modules, you will connect to one or more Fireboxes or a Management Server. If you take this course with a WatchGuard Certified Training Partner, your instructor will provide the IP address and passphrases for devices used in the exercises. For self-instruction, you can safely connect to a Firebox or Management Server on a production network.

To complete the majority of the training modules, you must have this hardware and software:

Management computer
Your management computer must be a personal computer with the Microsoft® Windows XP, Microsoft Windows Vista, Microsoft Windows 7, or Microsoft Windows 8 operating system installed. For more information about management computer system requirements for WSM and Fireware v11.12, see the Fireware Help.

WSM software and Fireware OS
If you have a WatchGuard Support service account, you can download the WatchGuard System Manager software and Fireware OS from the WatchGuard website through the Software Downloads page. The software is also available from your instructor during classes delivered by WatchGuard Certified Training Partners.

Firewall configuration file
During the training exercises, you will open, modify, and save device configuration files. You can use Policy Manager to create new configuration files. You can also open the configuration file of your production Firebox and save it to your local hard drive. We recommend that you do not save any configuration files you make during the training exercises to a device in use on your network.

Firebox (required for some exercises)
For some exercises, particularly the exercises which introduce logging, monitoring, and reporting, it is useful to connect to a real Firebox on a production network. You do not need to change the configuration properties of this device. You can complete the exercises without access to a Firebox installed on a production network, but it is much easier to grasp some concepts when you can see log messages and information from a real network. For the branch office VPN and Mobile VPN exercises, to configure and demonstrate a working VPN tunnel, you must have access to Fireboxes. If you choose to connect to a Firebox, you can connect to any Firebox that supports Fireware OS v11.7 and higher. You cannot use an XTM 21, XTM 22, or XTM 23 device (these models only support Fireware OS v11.7 and lower).


Training Scenario Throughout these training modules, we refer to the fictional company, Successful Company. Each module in this course builds on a story of configuring a firewall and network for Successful Company, but you can complete many of the exercises using examples from your own network or a set of addresses and situations provided by your WatchGuard Certified Training instructor. Any resemblance between the situations described for Successful Company and a real company are purely coincidental.

Prerequisites This course is intended for moderately experienced network administrators. A basic understanding of TCP/IP networking is required. No previous experience with network security, WatchGuard System Manager, or WatchGuard hardware devices is required.


Training Network Configuration Most of the exercises in this courseware use the RFC 5737 documentation IP addresses to represent public network IP addresses. Most of the information in the training modules, as well as the VPN exercises, in this courseware use this network configuration:

To support all of the exercises in this course, your training environment must include this network equipment:

- One Firebox per student, and one for the instructor.
- One network hub or switch with enough interfaces to connect the instructor and all of the student Fireboxes.
- A management computer for each student and for the instructor.

Student Firebox IP Addresses
Students may be assigned a number (10, 20, 30, etc.) to identify the last IP address octet for their external addresses, and the third octet for internal addresses in relation to their Fireboxes. This allows for similar configuration among devices and prevents IP address conflicts and subnet overlap. Each student will configure a device with these addresses, where X is the student number:

- Eth0 – External — 203.0.113.X/24, Default Gateway 203.0.113.1
- Eth1 – Trusted — 10.0.X.1/24

In most of the exercises, your external interface and trusted interface IP addresses are determined by your student number. Replace the X in the exercises with your student number.

Instructor Firebox IP Addresses
Eth1 of the instructor Firebox must be connected to the switch and configured to act as the default gateway for the external network for student Fireboxes. The instructor Firebox must be configured with these addresses:

- Eth0 (External) — Use appropriate addressing for a training environment with an Internet connection. (This is optional. Internet access is not required for these exercises.)
- Eth1 (Trusted) — 203.0.113.1/24. This is the default gateway for the primary external interface on student Fireboxes.

To allow DNS to operate from the training environment, you must also configure a DNS server, in the Network > Configuration > WINS/DNS tab. For DNS to function for students, the student devices and computers must also be configured to use the DNS server.
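The per-student addressing plan above, as an added example that is not part of the original guide: it derives the Eth0/Eth1 addresses for a student number and checks a set of student Fireboxes for the address conflicts and subnet overlap the plan is meant to prevent. The address values are the guide's; the function names and the Python representation are assumptions of this example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed from the values in the guide: the instructor Firebox Eth1
# (203.0.113.1/24) is the default gateway for every student's external interface.
EXTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")    # RFC 5737 documentation range
EXTERNAL_GATEWAY = ipaddress.ip_address("203.0.113.1")   # instructor Eth1


@dataclass(frozen=True)
class StudentFirebox:
    student: int
    external: ipaddress.IPv4Interface  # Eth0, 203.0.113.X/24
    trusted: ipaddress.IPv4Interface   # Eth1, 10.0.X.1/24


def student_firebox(x: int) -> StudentFirebox:
    """Derive the Eth0/Eth1 addressing for student number X."""
    if not 1 <= x <= 254:
        raise ValueError(f"student number {x} cannot be used as a host octet")
    return StudentFirebox(
        student=x,
        external=ipaddress.ip_interface(f"203.0.113.{x}/24"),
        trusted=ipaddress.ip_interface(f"10.0.{x}.1/24"),
    )


def check_plan(fireboxes: list[StudentFirebox]) -> list[str]:
    """Return the conflicts found in a set of student Fireboxes (empty if clean)."""
    problems: list[str] = []
    seen_external: set[ipaddress.IPv4Address] = set()
    trusted_nets: list[tuple[int, ipaddress.IPv4Network]] = []
    for fb in fireboxes:
        # Every Eth0 must sit on the shared external subnet behind the instructor gateway.
        if fb.external.network != EXTERNAL_NET:
            problems.append(f"student {fb.student}: Eth0 {fb.external} is not on {EXTERNAL_NET}")
        if fb.external.ip == EXTERNAL_GATEWAY:
            problems.append(f"student {fb.student}: Eth0 collides with the gateway {EXTERNAL_GATEWAY}")
        if fb.external.ip in seen_external:
            problems.append(f"student {fb.student}: duplicate external address {fb.external.ip}")
        seen_external.add(fb.external.ip)
        # Trusted subnets must not overlap each other or the external segment.
        if fb.trusted.network.overlaps(EXTERNAL_NET):
            problems.append(f"student {fb.student}: trusted {fb.trusted.network} overlaps the external subnet")
        for other, net in trusted_nets:
            if fb.trusted.network.overlaps(net):
                problems.append(f"student {fb.student}: trusted {fb.trusted.network} overlaps student {other}'s {net}")
        trusted_nets.append((fb.student, fb.trusted.network))
    return problems


def exercise_addresses(text: str, x: int) -> str:
    """Replace the placeholder X in an exercise's address strings with the student's values."""
    fb = student_firebox(x)
    return text.replace("203.0.113.X", str(fb.external.ip)).replace("10.0.X.1", str(fb.trusted.ip))


if __name__ == "__main__":
    plan = [student_firebox(x) for x in (10, 20, 30)]
    for fb in plan:
        print(f"student {fb.student}: Eth0 {fb.external}  Eth1 {fb.trusted}")
    print("conflicts:", check_plan(plan) or "none")
    # A student who picks number 1 would take the instructor gateway address.
    print("conflicts:", check_plan(plan + [student_firebox(1)]))
```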


Configuration Changes for the Instructor Firebox
To make the training network functional for these exercises, the instructor must make two more configuration changes to the instructor's device.

1. Create an Any policy to allow traffic between the trusted interfaces.
2. To enable access to the Internet, update the settings in Network > NAT > Dynamic NAT to add a dynamic entry for Any-Trusted - Any-External. Or, you can add dynamic NAT rules from RFC 5737 addresses to Any-External (for example, add a dynamic NAT rule for 203.0.113.0/24 – Any-External).


Fireware Web UI and Command Line Interface
You can use Fireware Web UI (Web UI) and the WatchGuard Command Line Interface (CLI) to complete many of the same tasks that you perform in WatchGuard System Manager and Policy Manager. Some advanced configuration options and features are not available with Fireware Web UI or the Command Line Interface. Because not all configuration options are available in the Web UI and CLI, and because the Web UI and CLI are online configuration tools (you need a network connection to a Firebox to use them), most of the exercises in the training modules for this course do not use the Web UI, and none use the CLI.

Additional Resources
For more information about how to install and configure WatchGuard System Manager, see these resources:

Fireware Help
You can launch the Help system from your management computer after you install WSM. To view more information about the features in a dialog box or application window, click Help or press the F1 key. A topic that describes the features you see and provides links to additional information appears in your default web browser. For the most up to date information, browse to http://www.watchguard.com/help/documentation/ and launch the Fireware Help. You can also download the Help system for offline use.

WatchGuard Online Knowledge Base
Browse to http://customers.watchguard.com/.

WatchGuard XTMv Setup Guide
For information about how to set up an XTMv virtual machine, browse to http://www.watchguard.com/help/documentation/ and download the WatchGuard XTMv Setup Guide.


Getting Started
Set Up Your Firebox and Management Computer

What You Will Learn
WatchGuard System Manager is the primary management software application used to monitor and manage Fireboxes and WatchGuard servers. In addition to the many management and monitoring tools available in WatchGuard System Manager, you can use WatchGuard Dimension to monitor your Firebox and see deep into the activity on your network. In this training module, you learn how to:

- Use the Web Setup Wizard to configure a Firebox
- Use the Quick Setup Wizard to make a basic Firebox configuration file
- Start WatchGuard System Manager and connect to Fireboxes and servers
- Start Policy Manager and open a device configuration file

Before you begin the exercises in this module, make sure you read the Course Introduction module.

Management, Monitoring, and Visibility Tools
For all of your Fireboxes, you can use the rich suite of management, configuration, monitoring, and visibility tools available from WatchGuard. This includes WatchGuard System Manager (WSM) and all the WSM tools, WatchGuard Server Center and the WSM servers, and the many WatchGuard Dimension tools. These tools are described in the subsequent sections.


Start with WatchGuard System Manager Most of the procedures you complete in this training module start from WatchGuard System Manager (WSM), which is the primary software application you use to manage all the Fireboxes and WatchGuard servers in your network. You can use WSM to connect to any WatchGuard Firebox. This includes all Firebox and XTM device models. In this training module, we use only the latest Firebox models.

WSM Components
WatchGuard System Manager (WSM) includes several monitoring and configuration tools, including Policy Manager, Firebox System Manager, HostWatch, Log Manager, Report Manager, and CA Manager. You can start these tools after you open WSM. WatchGuard Server Center is the application you use to set up, configure, and manage the five WatchGuard servers, as well as configure users and groups for role-based administration. This diagram shows the components of WatchGuard System Manager and how you can get access to them.

If you take this course with a training partner, the servers are installed on the management computer.


You install the WSM management software on a personal computer running Microsoft Windows 7 or higher. We refer to this computer as your management computer. When you install WSM on your management computer, you have the option to install any or all of the WatchGuard System Manager servers. When you select to install any of the servers, WatchGuard Server Center is automatically installed.

- Management Server — Manages multiple Fireboxes at the same time and creates virtual private network (VPN) tunnels with a simple drag-and-drop method.
- Log Server — Collects log messages from Fireboxes and servers.
- Report Server — Periodically consolidates data collected by your WSM Log Servers and uses this data to generate the reports that you select.
- Quarantine Server — Collects and isolates SMTP email confirmed as spam by spamBlocker, or confirmed to have a virus by Gateway AntiVirus or by spamBlocker's Virus Outbreak Detection feature.
- WebBlocker Server — Provides information for an HTTP-proxy to deny user access to specified categories of websites.

You can install these servers on your management computer, or you can install them on other computers on your network that are dedicated to these tasks. Each server has different requirements and may need to be able to connect to other servers, the Firebox, or the management computer. WatchGuard WebCenter is the web UI that is installed with your WSM servers, where you can view Log Manager, Report Manager, and CA Manager. When you install the Log Server, Report Server, or Management Server, WatchGuard WebCenter is automatically available at the IP address where each server is installed. You can connect to WebCenter at the IP address of your Log Server, Report Server, or Management Server, over port 4130. For more information, see the training module related to each server.

WatchGuard Dimension
WatchGuard Dimension™ is a virtual solution you can use to capture the log data from your Fireboxes, FireClusters, and WatchGuard servers, generate reports of that data, and to manage your Fireboxes and FireClusters. You can use Dimension to see log data in real-time, track it across your network, view the source and destination of the traffic, view log message details of the traffic, monitor threats to your network, and view or generate reports of the traffic. From Dimension, you can open Fireware Web UI for Fireboxes and FireClusters that are managed by Dimension, take action on the information you see in the log messages, tools, and reports available in Dimension, and create managed hub-and-spoke VPN tunnels between the Fireboxes managed by Dimension. After you install Dimension, you run the WatchGuard Dimension Setup wizard to complete the initial configuration of Dimension. Then, you configure your Fireboxes and WatchGuard servers to send log messages to Dimension and add Fireboxes to Dimension for management. In this training course, we only discuss the logging and reporting aspects of Dimension. For more information, see Logging & Reporting, on page 346.


Activate Your Firebox You must activate your Firebox on the WatchGuard website before you can configure some Firebox features. When you activate the Firebox, you start the Support subscription for the Firebox. The Support subscription provides alerts, threat responses, and expert advice to help you keep your network secure and up-to-date. When you subscribe to Support, you also get the ability to install the latest software upgrades to your Firebox.

If you take this course with a training partner, your Firebox will already be activated and include the feature keys you need for the course.

To activate the Firebox, you must have:

- An account on the WatchGuard website
- The Firebox serial number

To create a new WatchGuard account, go to: https://www.watchguard.com/account/registration_gate.asp

To activate your Firebox with an existing WatchGuard account, log in to the WatchGuard website. In the WatchGuard Support Center, click Activate Products.


Configure Your Firebox
Your Firebox ships with factory-default settings that enable you to connect to it for initial configuration, and for the Firebox to connect to the Internet to download its feature key. You connect to the Firebox and run a setup wizard to configure the Firebox with network settings and administrative passphrases you choose. If the Firebox uses Fireware v11.12 or higher, the setup wizards also add proxy policies and enable most security services with recommended settings.

About Factory-Default Settings
Before you set up your new Firebox, it uses factory-default settings. You can also reset a Firebox to factory-default settings. When a Firebox uses factory-default settings, these interfaces are active:

Interface 0 (Eth0)
Interface 0 is configured as an External interface, and is configured to use DHCP to request an IP address. If you use the Web Setup Wizard to configure a device, we recommend that you connect Interface 0 to a network that has a DHCP server and Internet access, so the Firebox can connect to WatchGuard to download the Firebox feature key.

To use RapidDeploy to configure your Firebox, you must connect Interface 0 to a network with Internet access. For more information about RapidDeploy, see Fireware Help.

Interface 1 (Eth1)
Interface 1 is configured as a Trusted interface, with the IP address 10.0.1.1. It has a DHCP Server enabled, and is configured to assign IP addresses on the 10.0.1.0/24 subnet. You must connect your computer to interface 1 or to a network connected to Interface 1 when you run the Web Setup Wizard or Quick Setup Wizard. To connect to the device when you use either setup wizard, your computer must have an IP address on the 10.0.1.0/24 subnet. If your computer uses DHCP, it will get a new IP address automatically after you connect to interface 1. If your computer does not use DHCP, you must change the IP address to an IP address on the same subnet as the IP address of Interface 1. For example, 10.0.1.2.

Interface 32 (Eth32) — Firebox M5600 only
The Firebox M5600 has only one built-in interface, interface 32. Interface 32 is configured as a Trusted interface with the IP address 10.0.32.1. This interface has a DHCP Server enabled, and is configured to assign IP addresses on the 10.0.32.0/24 subnet. You must connect your computer to interface 32 or to a network connected to interface 32 when you run the Web Setup Wizard or Quick Setup Wizard to configure a Firebox M5600.


About Setup Wizards
There are two setup wizards you can use to quickly create a functional configuration for your Firebox. To use either setup wizard, you must connect your management computer to the trusted interface of the Firebox.

Web Setup Wizard
When a Firebox is started with factory-default settings, you can connect to the Firebox and use the Web Setup Wizard to set up the Firebox. You can use the Web Setup wizard to set up a Firebox from any computer that has a web browser. To start the Web Setup Wizard, in a web browser, type https://10.0.1.1:8080. The Web Setup wizard can activate the Firebox and download the required feature key, if the external interface is connected to a network with Internet access.

Quick Setup Wizard
The Quick Setup Wizard is a component of WatchGuard System Manager that you can use to discover and set up your Firebox. To start the Quick Setup Wizard, in WatchGuard System Manager, select Tools > Quick Setup Wizard. The Quick Setup Wizard does not help you with device activation, but does provide a couple of additional network configuration options (drop-in mode and optional interface configuration) that are not supported by the Web Setup Wizard.

Both setup wizards help you to set up your device with a secure policy configuration and basic network settings. The default policies and services that the setup wizards configure depend on the version of Fireware installed on the Firebox.

Setup Wizard Default Policies and Services Configuration
The default policies and services that the setup wizards configure depend on the version of Fireware installed on the Firebox.

- In Fireware v11.12 and higher, the Web Setup Wizard creates proxy policies and automatically enables most licensed subscription services with recommended settings.
- In Fireware v11.11.x and lower, the Web Setup Wizard creates packet filter policies and enables the Firebox to operate as a basic firewall. It does not enable licensed subscription services.

The setup wizards were improved in Fireware v11.12 to enable most licensed security services. This reduces the amount of manual configuration required to take advantage of the licensed services on the Firebox.


Setup Wizard Defaults

Default Policies
  Fireware v11.12 and Higher: FTP-proxy, HTTP-proxy, HTTPS-proxy, WatchGuard Web UI, Ping, DNS, WatchGuard, Outgoing
  Fireware v11.11.x and Lower: FTP, WatchGuard Web UI, Ping, WatchGuard, Outgoing

Configured Services (if licensed in the feature key)
  Fireware v11.12 and Higher: WebBlocker, Gateway AntiVirus, Intrusion Prevention, Application Control, Reputation Enabled Defense, APT Blocker
  Fireware v11.11.x and Lower: None

Proxy Actions used by default policies to enable recommended settings and services
  Fireware v11.12 and Higher: Default-FTP-Client, Default-HTTP-Client, Default-HTTPS-Client
  Fireware v11.11.x and Lower: None

For all Fireware versions, the default policies configured by the setup wizards allow outgoing FTP, Ping, TCP and UDP connections, and do not allow incoming connections. With Fireware v11.12 and higher, the default FTP, HTTP, and HTTPS proxy actions enable services and enable logging for reports.

When you set up a new Firebox manufactured with Fireware v11.11.x or lower, the setup wizards do not enable subscription services, even if they are licensed in the feature key. To enable the security services and proxy policies with recommended settings, upgrade the Firebox to Fireware v11.12 or higher, reset it to factory-default settings, and then run the setup wizard again.

Fireware EssentialsStudentGuide


Exercises — Before You Begin

Your instructor will provide you with the information and files you need to configure your Firebox for the training environment.

For the exercises in this module, you need:

- A feature key — You receive the feature key when you activate your Firebox on the WatchGuard website. Each feature key is unique to the serial number of the Firebox. Save a copy of the feature key to the management computer before you start either setup wizard. You can finish the wizard without the feature key, but the feature key is required to enable all device functionality. If the Firebox does not have a feature key, it allows only one connection to the Internet. For this exercise it is best to use a feature key with Total Security Suite so that the setup wizards can configure security services.

  It is especially important to have the feature key before you run the setup wizards if your Firebox has licensed subscription services. The setup wizards do not configure licensed subscription services if there is no feature key that enables them.

- WSM and Fireware OS on the management computer — WSM is the software installed on the management computer and WatchGuard servers. Fireware is the operating system (OS) installed with a configuration file on the Firebox. Download the latest versions of the software and Fireware OS from the WatchGuard Portal. WSM and Fireware are separate software downloads. You must download and install both packages on your management computer. The management computer must be on the same network subnet as the device.

- Your network information — At a minimum, you must know the IP address of your gateway router and the IP addresses to give to the external and trusted interfaces of the Firebox. For the training environment, use 203.0.113.1 as the default gateway.

- A Firebox — You need a Firebox that has factory-default settings. This can be a new Firebox, or a Firebox that has been reset to factory-default settings.


Exercise 1 — Use the Web Setup Wizard

In this exercise, you use the Web Setup Wizard to set up a new Firebox. This is the procedure recommended in the printed Quick Start Guide that ships with every Firebox. For this exercise, the Firebox must be in a factory-default state. The steps to reset a Firebox vary by device model. For information about reset, see Reset a Firebox in Fireware Help. Make sure your computer is configured to get an IP address through DHCP.

To run the Web Setup Wizard:

1. Connect interface 0 of the Firebox to a network with Internet access.
2. Power on the Firebox. The Firebox attempts to contact WatchGuard to download its feature key.

3. Connect your computer to interface 1 of the Firebox. The DHCP server on the Firebox assigns your computer an IP address on the 10.0.1.0/24 subnet.

4. In a web browser, type https://10.0.1.1:8080. The Fireware Web UI Login page appears.

5. Type the default administrator credentials for the Firebox:
   - User name: admin
   - Passphrase: readwrite

6. On the Welcome page, click Next to create a new device configuration. The License Agreement page appears.


7. Accept the License Agreement and click Next.

8. Select Static to configure the External interface with a static IP address. Click Next.

9. Configure the external interface with these settings. Replace X with your student number.
   - IP Address: 203.0.113.X/24
   - Gateway: 203.0.113.1

10. Click Next. The DNS and WINS settings appear.


11. Because this Firebox uses a static IP address, it is important to specify at least one DNS server. Type the IP address of a DNS server in the DNS Servers text box. Click Next. The trusted interface settings appear.

12. Configure the trusted interface with these settings. Replace X with your student number.
   - IP address: 10.0.X.1/24
   - DHCP enabled, address pool: 10.0.X.2 - 10.0.X.254


13. Click Next.
14. Set the passphrases for the status and admin accounts on your Firebox. Click Next. The Enable Remote Management page appears.

15. For this exercise, do not enable remote management. Click Next. The contact information and device feedback settings appear.

16. For this exercise, click Next to accept the default settings. The time zone setting appears.

17. Select the time zone for this Firebox. Click Next. If the Firebox does not have a feature key, the Online Activation page provides options to get a feature key.

If the Firebox was already activated and successfully downloaded the feature key from WatchGuard, the wizard skips the feature key steps and goes to the Subscription Services page. If the feature key does not include services, it goes directly to the Summary page.

18. For this exercise, the Firebox is already activated and you have a feature key to manually add in the wizard. To manually paste in the feature key, select Skip Online Activation.
19. Select Add the feature key and click Next. The Add the feature key page appears.


20. Paste the feature key for your Firebox. Click Next. If the feature key includes subscription services, the Subscription Services page appears.

21. Click Next to continue. If the feature key includes a WebBlocker subscription, the WebBlocker Settings page appears.


22. Select the WebBlocker categories to block. Recommended categories are selected by default. Click Next. The Summary page appears with a summary of the configuration settings and enabled subscription services.

23. Click Next to save this configuration. The Setup is Complete page appears, with a link to log in to Fireware Web UI.


When you are finished with the wizard, the Firebox allows all FTP, Ping, TCP, and UDP connections from the trusted network to the external network and blocks connections from the external network to the protected networks. If licensed in the feature key, Gateway AntiVirus, WebBlocker, Intrusion Prevention, Application Control, Reputation Enabled Defense, and APT Blocker are all enabled and configured. Because you changed the IP address of the trusted interface, the DHCP server on the Firebox will assign your computer a new IP address in the DHCP address pool you configured. It may take a few minutes for your computer to get a new IP address on the right network so that you can connect to Fireware Web UI.

Log in to Fireware Web UI

1. To log in to Fireware Web UI, click the link at the bottom of the last page of the wizard. Or, in your browser, type https://10.0.1.1:8080.
2. Type the user name admin, and the password you configured in the wizard.


Exercise 2 — Use the Quick Setup Wizard

In this exercise you use the Quick Setup Wizard, which is part of WatchGuard System Manager, to set up a new Firebox. This results in a similar configuration to Exercise 1.

Before You Begin

If you previously used the Web Setup Wizard to set up the Firebox, reset the Firebox to factory-default settings before you start this exercise. The steps to reset a Firebox vary by device model. For information about reset, see Reset a Firebox in Fireware Help.

Use the Quick Setup Wizard:

1. Connect your computer to interface 1 of the Firebox.
2. From the Windows desktop, select Start > All Programs > WatchGuard System Manager > Quick Setup Wizard. You can also click the Quick Setup Wizard icon on the WatchGuard System Manager toolbar. The Quick Setup Wizard starts and attempts to detect a Firebox on the same network as your computer.

3. From the list of devices, select the Firebox that you are using for this training session.
4. Configure the device name, location, and contact person.
5. Configure the external interface, Eth0, with these settings. Replace X with your student number.
   - IP address: 203.0.113.X/24
   - Default Gateway: 203.0.113.1
6. Configure the trusted interface, Eth1, with these settings. Replace X with your student number.
   - IP address: 10.0.X.1/24
   - DHCP enabled, address pool: 10.0.X.2 - 10.0.X.254
7. In the Activate the software step, browse to the feature key file saved on your computer.
8. The Security Services page shows the security services in the feature key that the wizard will configure.
9. On the WebBlocker Settings page, select the WebBlocker categories to block.
10. Set the Status and Configuration passphrases for your Firebox. You use the Status passphrase to connect to the device with the default Device Monitor user account, status. You use the Configuration passphrase to connect to the device with the default Device Management user account, admin.

When you are finished with the wizard, you will have a Firebox that allows all traffic from the trusted and optional networks to the external network but blocks everything from the external network to the protected networks. Because you changed the IP address of the trusted interface, the DHCP server on the device will assign your computer a new IP address in the DHCP address pool you configured. It may take a few minutes for your computer to get a new IP address.
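The external and trusted interface settings in Exercise 1 (steps 9 and 12) and Exercise 2 (steps 5 and 6) follow one pattern. As an added example that is not part of this guide or of any WatchGuard software, the Python script below substitutes a student number into those addresses and checks the wizard inputs for the inconsistencies that are easy to type by mistake; the 2..254 range for X, and the class and function names, are assumptions.

```python
"""Build and validate the per-student Firebox interface settings from the exercises."""
import ipaddress
from dataclasses import dataclass

# Default gateway for the training network, as given in the guide.
TRAINING_GATEWAY = ipaddress.IPv4Address("203.0.113.1")


@dataclass(frozen=True)
class InterfaceSettings:
    external_ip: ipaddress.IPv4Interface   # 203.0.113.X/24
    gateway: ipaddress.IPv4Address         # 203.0.113.1
    trusted_ip: ipaddress.IPv4Interface    # 10.0.X.1/24
    dhcp_start: ipaddress.IPv4Address      # 10.0.X.2
    dhcp_end: ipaddress.IPv4Address        # 10.0.X.254


def training_settings(student: int) -> InterfaceSettings:
    """Substitute the student number X into the addresses the exercises prescribe.

    The 2..254 range is an assumption: X=1 would make the external address
    collide with the training gateway, and 0 and 255 are not host addresses.
    """
    if not 2 <= student <= 254:
        raise ValueError(f"student number must be in 2..254, got {student}")
    return InterfaceSettings(
        external_ip=ipaddress.IPv4Interface(f"203.0.113.{student}/24"),
        gateway=TRAINING_GATEWAY,
        trusted_ip=ipaddress.IPv4Interface(f"10.0.{student}.1/24"),
        dhcp_start=ipaddress.IPv4Address(f"10.0.{student}.2"),
        dhcp_end=ipaddress.IPv4Address(f"10.0.{student}.254"),
    )


def validate(s: InterfaceSettings) -> list:
    """Return a list of problems; an empty list means the settings are consistent.

    Checks: gateway inside the external subnet and distinct from the interface,
    no network/broadcast address on the interface, no overlap between the
    external and trusted subnets, and a DHCP pool that stays inside the trusted
    subnet without covering the Firebox's own address or the broadcast address.
    """
    problems = []
    ext_net = s.external_ip.network
    tr_net = s.trusted_ip.network
    if s.gateway not in ext_net:
        problems.append(f"gateway {s.gateway} is not in external subnet {ext_net}")
    if s.gateway == s.external_ip.ip:
        problems.append("gateway equals the external interface address")
    if s.external_ip.ip in (ext_net.network_address, ext_net.broadcast_address):
        problems.append("external address is the network or broadcast address")
    if ext_net.overlaps(tr_net):
        problems.append(f"external subnet {ext_net} overlaps trusted subnet {tr_net}")
    if s.dhcp_start > s.dhcp_end:
        problems.append("DHCP pool start is after pool end")
    if s.dhcp_start not in tr_net or s.dhcp_end not in tr_net:
        problems.append(f"DHCP pool {s.dhcp_start}-{s.dhcp_end} is not inside {tr_net}")
    if s.dhcp_start <= s.trusted_ip.ip <= s.dhcp_end:
        problems.append("DHCP pool includes the trusted interface address itself")
    if s.dhcp_end == tr_net.broadcast_address:
        problems.append("DHCP pool includes the broadcast address")
    return problems


if __name__ == "__main__":
    settings = training_settings(7)          # constructed sample: student number 7
    print(settings)
    print(validate(settings) or "settings are consistent")
```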


Exercise 3 — Open WSM and Connect to Devices and Servers

When you open WatchGuard System Manager (WSM), you are not automatically connected to a Firebox. You must manually connect to a Firebox or to a Management Server to use many WSM features. You can connect to many Fireboxes and Management Servers at the same time. Before you start this exercise, use the steps in Exercise 1 or Exercise 2 to configure your Firebox.

To connect to a Firebox in WSM:

1. From the Windows desktop, select Start > All Programs > WatchGuard System Manager > WatchGuard System Manager. WatchGuard System Manager appears.

2. On the main toolbar, click the Connect To Device icon. Or, you can select File > Connect To Device.
3. In the IP Address or Name text box, type the trusted IP address of the Firebox. Use your Firebox IP address, or get the IP address from your instructor.

To connect to a Firebox with read-only privileges, you use a Device Monitor user account. You can use the default status Device Monitor user account for this purpose. If you save the configuration file or add the Firebox to the Management Server as a managed device, you are prompted to type the credentials for a user account with Device Administrator privileges. The default Device Administrator user account for your device is the admin user account.


4. In the User Name and Passphrase text boxes, type the credentials for a Device Management user account with a Device Monitor (read-only) role on your Firebox. The default status account is specified by default.
5. From the Authentication Server drop-down list, select the authentication server for the user you specified. If you select an Active Directory server, you must also specify the Domain for the server you selected.
6. If necessary, change the value in the Timeout text box. This value sets the amount of time (in seconds) that WSM waits for an answer from the Firebox before WSM shows a message that it cannot connect. If you have a slow network or Internet connection to the device, you can increase the timeout value. If you decrease the value, you decrease the time you must wait for a timeout message if you try to connect to a device that is not available.

7. Click Login. WSM connects to the Firebox and shows the status of the Firebox on the Device Status tab.

8. On the Device Status tab, click the plus sign (+) to expand the Firebox entry. Information about the Firebox appears.


Exercise 3 — Start Policy Manager

Policy Manager is the WSM tool you use to build the security rules your Firebox uses to protect your network. You use Policy Manager to configure policies, set up VPNs, change Device Management user account passphrases, and configure logging and notification options. A policy is a set of rules that defines how the device manages packets that come to its interfaces. The policy identifies the source and destination of the packets. It also specifies the protocol and ports of the traffic that the policy controls. It includes instructions for the device about how to identify the packet and whether to allow, deny, drop, or block the connection. Policy Manager displays each policy as a group of rules, or a ruleset. You can view these policies in a list with detailed information about each policy, or as icons.

You can have more than one version of WSM installed on your computer. However, you can have only one version of the server components (Management Server, Log Server, Report Server, Quarantine Server, and WebBlocker Server) installed.

In WatchGuard System Manager:

1. On the Device Status tab, select your Firebox. If there is no device visible in WSM, select File > Connect To Device, and then connect to your device.
2. Click the Policy Manager icon. Or, select Tools > Policy Manager. WSM checks the model and the OS (operating system) version used by the device. If you have multiple versions of WSM software installed, WSM automatically opens the correct version of Policy Manager. If you launch Policy Manager for a device that uses an older version of Fireware OS, WSM might ask if you want to upgrade the OS on that device.


Policy Manager opens in Details view by default.

3. Select Setup > OS Compatibility. The OS Compatibility dialog box appears.

4. Make sure that the selected version is 11.9 or higher. If you open the configuration file from a device, the OS Compatibility version is automatically set to match the OS version on the device. If you use Policy Manager to create a new configuration file, you must configure this setting before you can configure features that require a specific OS version. 5. Click OK.


Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. True or false? You must have a WSM Management Server to use a simple drag-and-drop function for VPN creation.

2. Circle the best tool for each task:

   Task                                       Tool
   A) Monitor the status of one device        WatchGuard System Manager / Policy Manager
   B) Change the device network interfaces    WatchGuard System Manager / Policy Manager
   C) Configure a policy for web traffic      WatchGuard System Manager / Policy Manager

3. True or false? You must install WatchGuard System Manager to set up and manage a new Firebox.

4. Which of the following are required before you can use the Quick Setup Wizard to make a basic device configuration file that allows more than one connection to the Internet? (Select all that apply.)
   o A) An account on the WatchGuard website
   o B) The Firebox model number
   o C) The IP address of the gateway router this device will connect to
   o D) A feature key
   o E) A live connection to the Internet
   o F) A web browser
   o G) An IP address to give to the external and trusted interfaces of the Firebox

5. Fill in the blank: A ________ is a set of rules that defines how the Firebox manages packets that come to its interfaces.


6. Which of the following are WatchGuard System Manager components? (Select all that apply.)
   o A) Log Manager
   o B) Router
   o C) Policy Manager
   o D) Appliance Monitor
   o E) Windows Server
   o F) Report Server
   o G) Management Computer

7. True or false? You must install all WatchGuard servers on one management computer.

8. True or false? You do not have to install a WatchGuard server to use WatchGuard Server Center.


ANSWERS

1. True. You can only use the drag-and-drop method to create a VPN tunnel between two Fireboxes managed by your WSM Management Server.
2. A) WatchGuard System Manager; B) Policy Manager; C) Policy Manager
3. False. You can also use Fireware Web UI to set up and manage a Firebox.
4. A, C, D, and G
5. policy
6. A, C, and F
7. False
8. False


Administration

Manage the Firebox Configuration

What You Will Learn

After you install the Firebox in your network and use the Quick Setup Wizard to give it a basic configuration file, you can add custom configuration settings to meet the needs of your organization. You can save configuration files in a variety of locations. In this training module, you learn how to:

- Open and save configuration files
- Configure the Firebox for remote administration
- Add Device Management user accounts
- Add feature keys to the Firebox
- Back up and restore the device configuration
- Add Firebox identification information

Before you begin these exercises, make sure you read the Course Introduction module.

Manage Configuration Files and Device Properties

A device configuration file includes all configuration data, options, IP addresses, and other information for the Firebox. On the Firebox, the configuration file works with the OS to control the flow of traffic through the Firebox. The file extension for a device configuration file is .xml. Policy Manager is a WatchGuard® software tool that you can use to create, change, and save configuration files. When you use Policy Manager, you see a version of your configuration file that is easy to examine and modify.


Policy Manager is an offline configuration tool. When you connect to a Firebox and open the device configuration file with Policy Manager, you are editing a local copy of the configuration file. Changes you make in Policy Manager have no effect on Firebox operation until you save them to the Firebox.

About the OS Compatibility Version

Policy Manager can manage Fireboxes that use different versions of Fireware OS. Each device configuration has an OS Compatibility setting that controls which configuration options are available for some features.

- If you connect to a Firebox and use Policy Manager to open the configuration file for the Firebox, the Fireware OS version in the file is automatically set based on the OS version the Firebox uses.
- If you use Policy Manager to create a new configuration file, you must select the Fireware OS version before you can configure some features, such as network settings and Traffic Management.

To set the OS Compatibility version, in Policy Manager select Setup > OS Compatibility.

About the Feature Key

When you activate a Firebox or activate add-on services or features for a Firebox, a feature key is generated to enable features on your Firebox. You can download the feature key from the WatchGuard website when you activate your Firebox. You can then add this feature key to your Firebox from the Quick Setup Wizard, Web Setup Wizard, Policy Manager, or the Fireware Web UI. If you use the Web Setup Wizard, the Firebox can download the feature key automatically. You must install a feature key on your Firebox to enable full functionality. If your Firebox does not have a feature key, it allows only one user to connect to the Internet. The feature key contains a list of licensed features and capacities for your Firebox. For WatchGuard Support and security services, the feature key contains the service expiration date. For you to install updates to Fireware OS, the Firebox must have a feature key with an active Support subscription, which is called LiveSecurity Service in the feature key. To manage the feature key, in Policy Manager select Setup > Feature Key. When you renew subscription services, you must update the feature key on the Firebox for the subscription to remain active. To make sure that the feature key on the Firebox stays up to date, we recommend that you enable automatic feature key synchronization in the Feature Key settings. When automatic feature key synchronization is enabled, the Firebox automatically checks the expiration status of services once per day and downloads a new feature key from WatchGuard if a feature is expired or is within three days of expiration.

When you save the configuration to a local file, the feature key is stored as a separate file, in the same directory as the configuration file. For example, if you save a device configuration with the file name Example, the configuration file is saved as a file named Example.xml and the feature key is saved in a file named Example_lic.tgz.


Saving a Configuration

Because Policy Manager is an offline configuration tool, you can save the device configuration to a local file, and you can save it to a Firebox. Each time you save a configuration to a Firebox, Policy Manager does several checks to make sure that the settings in the configuration are valid for the Firebox. If any setting is not compatible, Policy Manager displays a message and does not save the configuration to the Firebox. This could occur, for example, if the OS Compatibility setting in the file does not match the OS version on the Firebox, or if features are configured in a way that is not compatible with the OS version on the Firebox.

Configuration Migration

You can use Policy Manager to save the configuration file that was originally created for one Firebox to a different Firebox. To do this, you must remove the existing feature key from the configuration, and add the feature key for the new Firebox. When you add the new feature key, Policy Manager automatically updates the model number in the configuration file. Before you can save the configuration to a different Firebox, you might also need to change other settings to make the configuration compatible with the new Firebox. For example, you might need to change the OS Compatibility setting, or modify the Network settings, if the new Firebox has a different number of network interfaces.

For a video demonstration of configuration migration, see the Configuration Migration video available in the Product Documentation section of the WatchGuard website.

Manage Users and Roles on Your Firebox

You can use role-based administration on your Firebox to share the configuration and monitoring responsibilities for the Firebox among several individuals in your organization. This enables you to run audit reports to monitor which administrators make which changes to your device configuration file. By default, your Firebox includes these default user accounts and roles:

Default User Account    Default Role                                    Default Passphrase
admin                   Device Administrator (read-write permissions)   readwrite
status                  Device Monitor (read-only permissions)          readonly
wgsupport               Disabled

When you add Device Management user accounts, you can use the two predefined roles to create new user accounts to monitor and manage your Firebox. User accounts that are assigned the Device Monitor role can connect to the Firebox with read-only permissions to monitor the Firebox, but cannot change the configuration file. User accounts that are assigned the Device Administrator role can connect to the Firebox to change the configuration file and monitor the Firebox. More than one Device Monitor can always connect to the Firebox at the same time. But, you must enable the option to allow more than one Device Administrator to log in to the Firebox at the same time. If you do not enable this option, only one Device Administrator can log in to the Firebox at a time.


The wgsupport user account is disabled by default. This account is for WatchGuard Technical Support access to your Firebox. You can enable it and specify a passphrase for it if you need to enable access to your Firebox for WatchGuard Technical Support. We will not enable or modify this user account in this course. You can use these authentication servers for Device Management user accounts on your Firebox:

- Firebox-DB
- Active Directory
- LDAP
- RADIUS

The default Device Management user accounts use the Firebox-DB authentication server. For external authentication servers (not Firebox-DB), make sure to add the user account to the authentication server before you add the user account to your Firebox. The user account credentials that you specify for the user accounts on your Firebox are case-sensitive and must match the user credentials as they are specified on the external authentication server.


Exercise 1 — Open and Save Configuration Files

The Quick Setup Wizard makes a basic configuration file for your Firebox. We recommend that you use this configuration file as the base for all your configuration files. You can also use Policy Manager to make a new configuration file with only the default configuration properties.

To create a new configuration file:

1. Open Policy Manager.
2. Select File > New. A new configuration file appears with the default policies and settings.

Policy Manager is an offline configuration tool. Fireware Web UI and the CLI are online configuration tools. An offline configuration tool lets you make many changes to a configuration file without sending the changes to the Firebox. An online configuration tool is designed to immediately send all changes to the Firebox.

Most of the time, when you want to manage your Firebox configuration, you use WatchGuard System Manager (WSM) to connect to the Firebox and launch Policy Manager. When you do this, WSM loads the current device configuration file in Policy Manager. You can save a copy locally and then open this local copy in Policy Manager any time you want to work offline.

In this exercise, you open the current configuration file for your Firebox and save it to your local hard drive:

1. Open WatchGuard System Manager and connect to your Firebox. If you are not familiar with this procedure, see the Getting Started module, or ask your instructor.
2. Click the Policy Manager icon. Or, select Tools > Policy Manager. Policy Manager starts and loads the configuration file currently on your Firebox.


3. Select File > Save > As File. The Save dialog box appears.

4. In the File Name text box, type Basics-Start.
5. Click Save. By default, configuration files are saved to the My Documents\My WatchGuard\configs folder. The configuration file type is XML.
6. To save an updated configuration file to the Firebox and to a local file, select File > Save > To Firebox. To save the file to the Firebox, you must specify a user name and passphrase for a user account with Device Administrator privileges. When you save a configuration file to the Firebox, you can also save it to a local file.

If you lose the passphrase for the admin account, and you do not know the passphrase for any other account with Device Administrator privileges, you cannot save configuration changes to the Firebox. If you have lost the admin passphrase and you have a saved configuration file, you can regain administrative access to the Firebox without losing the configuration settings. To do this you must reset the Firebox to factory-default settings, and then use the default admin account, with the default passphrase readwrite, to save the configuration to the Firebox from Policy Manager.


Exercise 2 — Configure a Firebox for Remote Administration

This exercise is most useful for an instructor to connect to a student Firebox during a classroom session. If you are self-instructed and do not need to remotely manage your Firebox, you can skip to the next exercise.

When you use the Quick Setup Wizard to configure your Firebox, a policy that allows you to connect to and administer the Firebox from any computer on the trusted or optional networks is automatically created. If you want to manage the Firebox from a remote location (any location external to the Firebox), then you must change your configuration file to allow administrative connections from your remote location. The packet filter policy that controls administrative connections to the Firebox is WG-Firebox-Mgmt. The Quick Setup Wizard adds this policy with the name WatchGuard. This policy controls access to the Firebox on TCP ports 4105, 4117, and 4118. When you allow connections in the WatchGuard policy, you also allow connections to each of these ports. Before you change a policy to allow connections to the Firebox from a computer external to your network, it is a good idea to consider these alternatives:

- Is it possible to connect to the Firebox with a VPN? This greatly increases the security of the connection. If you can connect with a VPN, then you do not need to allow connections from a computer external to your network. If it is not possible to connect to the Firebox with a VPN, you might want to consider using authentication as an additional layer of security.

- It is more secure to limit access from the external network to the smallest number of computers possible. For example, it is more secure to allow connections from a single computer than it is to allow connections from the alias Any-External.

To restrict or expand access to the Firebox, edit the From list in the WatchGuard policy.

- You can allow connections to the Firebox from external networks by adding the Any-External alias (or a specific IP address, user name or group name).
- You can restrict connections to the Firebox from internal locations by removing the Any-Trusted and Any-Optional aliases and replacing them with the specific IP addresses from which you want to allow access.
- You can remove all IP addresses and aliases, and replace them with user names or group names. When you do this, you force users to authenticate before they are allowed to connect to the Firebox.

If you decide to allow connections to the Firebox from Any-External, it is especially important that you set very strong Device Management passphrases. It is also a good idea to change your passphrases at regular intervals.
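As an added example that is not part of this guide or of any WatchGuard tool, the Python audit below models the From list of the WatchGuard (WG-Firebox-Mgmt) policy, rates each of the choices above by risk (Any-External with no user or group entries is the worst case, an address range is weaker than a single Host IP) and applies the single-host restriction that the Policy Manager steps in this exercise perform by hand. The class and function names are assumptions; the aliases and TCP ports come from the text.

```python
"""Audit the From list of the Firebox management policy (WG-Firebox-Mgmt)."""
import ipaddress
from dataclasses import dataclass, field

MGMT_PORTS = (4105, 4117, 4118)                  # TCP ports opened by WG-Firebox-Mgmt
EXTERNAL_ALIASES = {"Any-External"}              # admits every host on the Internet
INTERNAL_ALIASES = {"Any-Trusted", "Any-Optional"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass
class ManagementPolicy:
    name: str = "WatchGuard"                      # name the setup wizards give the policy
    packet_filter: str = "WG-Firebox-Mgmt"
    ports: tuple = MGMT_PORTS
    # Wizard default: administration only from the trusted and optional networks.
    from_members: list = field(default_factory=lambda: ["Any-Trusted", "Any-Optional"])


def classify(member: str) -> str:
    """Return 'alias', 'host' (IP address or range) or 'principal' (user or group name)."""
    if member in EXTERNAL_ALIASES | INTERNAL_ALIASES:
        return "alias"
    try:
        ipaddress.ip_network(member, strict=False)
        return "host"
    except ValueError:
        return "principal"


def audit(policy: ManagementPolicy) -> list:
    """Return (severity, message) findings for the From list, most severe first."""
    findings = []
    kinds = {m: classify(m) for m in policy.from_members}
    principals = [m for m, k in kinds.items() if k == "principal"]
    hosts = [m for m, k in kinds.items() if k == "host"]

    if policy.packet_filter != "WG-Firebox-Mgmt":
        findings.append(("info", f"{policy.name}: packet filter is "
                                 f"{policy.packet_filter}, not WG-Firebox-Mgmt"))
    if any(m in EXTERNAL_ALIASES for m in kinds):
        if principals:
            # Users must authenticate first; the guide still asks for strong,
            # regularly changed Device Management passphrases.
            findings.append(("medium", "Any-External allowed; authentication required, "
                                       "use strong passphrases and rotate them"))
        else:
            findings.append(("high", "Any-External allowed without authentication: any "
                                     f"Internet host may reach TCP {policy.ports}; "
                                     "prefer a VPN or a single Host IP"))
    for h in hosts:
        net = ipaddress.ip_network(h, strict=False)
        if net.num_addresses > 1:
            findings.append(("medium", f"{h} is a range of {net.num_addresses} "
                                       "addresses, not a single host"))
    if not findings:
        findings.append(("info", "access limited to internal aliases, specific "
                                 "hosts, or authenticated users"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


def restrict_to_host(policy: ManagementPolicy, host_ip: str) -> ManagementPolicy:
    """Replace Any-External with one Host IP (From > Add > Add Other > Host IP)."""
    ip = ipaddress.ip_address(host_ip)           # ValueError for a malformed address
    members = [m for m in policy.from_members if m not in EXTERNAL_ALIASES]
    if str(ip) not in members:
        members.append(str(ip))
    return ManagementPolicy(policy.name, policy.packet_filter, policy.ports, members)


if __name__ == "__main__":
    # Constructed sample: the wizard default with Any-External added on top.
    wide_open = ManagementPolicy(from_members=["Any-Trusted", "Any-Optional", "Any-External"])
    for severity, message in audit(wide_open):
        print(f"[{severity}] {message}")
    fixed = restrict_to_host(wide_open, "198.51.100.7")   # documentation range address
    print("after restriction:", audit(fixed))
```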

Your instructor might ask you to complete these steps. This will enable your instructor to troubleshoot configuration issues from his computer later in the class.


To use Policy Manager to configure the WatchGuard policy to allow administrative access from an external computer at a specific IP address:

1. Double-click the WatchGuard policy. Or, right-click the WatchGuard policy and select Edit. The Edit Policy Properties dialog box appears. The name of this policy is WatchGuard, but the packet filter type is WG-Firebox-Mgmt. This policy is specifically designed to be used for administration of the Firebox.

2. 3. 4. 5. 6.

40

Inth e From section, click Add. To add the IP address of the external computer you want to use to connect to the Firebox, click Add Other. From the Choose type drop-down list, make sure Host IP is selected. Inth e Value text box, type the IP address of the remote administration computer. Click OK to close each dialog box.


Exercise 3 — Add Device Management Users

To share the configuration and monitoring responsibilities for the Successful Company Firebox among several individuals in the Successful Company organization, in this exercise you add two new Device Management users to the Firebox: a Device Administrator and a Device Monitor.

When you add a Device Management user, you specify the authentication server where the user account is stored. If you specify an external authentication server, the user account credentials you specify in your Firebox configuration must match the user account credentials as they are specified on the authentication server. User account credentials are case-sensitive. For this exercise, you add user accounts to the internal Firebox authentication server, Firebox-DB.

From Policy Manager:
1. Select File > Manage Users and Roles. The Login dialog box appears with the admin user specified by default.
2. In the Administrator Passphrase text box, type the default passphrase for the default admin user account, readwrite.
3. Click OK. The Manage Users and Roles dialog box appears.
4. Click Add. The Add User dialog box appears.
5. In the User Name text box, type a name for the new Device Administrator user account, example-co_admin.
6. From the Authentication Server drop-down list, keep the default selection, Firebox-DB.
7. From the Role drop-down list, select Device Administrator.
8. In the Passphrase and Confirm Passphrase text boxes, type the passphrase for the new Device Administrator user account, passphrase.
9. Click OK. The example-co_admin user appears in the Manage Users and Roles list.

10. Click Add. The Add User dialog box appears.

11. In the User Name text box, type a name for the new Device Monitor user account, example-co_monitor.
12. From the Authentication Server drop-down list, keep the default selection, Firebox-DB.
13. From the Role drop-down list, select Device Monitor.
14. In the Passphrase and Confirm Passphrase text boxes, type the passphrase for the new Device Monitor user account, passphrase.
15. Click OK. The example-co_monitor user appears in the Manage Users and Roles list.

16. Click OK to close the Manage Users and Roles dialog box. The new user accounts are automatically saved to the Firebox.

17. Close Policy Manager for the Firebox and disconnect from the Firebox in WSM.
18. In WSM, connect to your Firebox with the new example-co_admin user account credentials.
19. Start Policy Manager.

Now that you are connected to the Firebox with the new Device Administrator user account, example-co_admin, when you make changes to your Firebox configuration file, the audit trail will show that the example-co_admin user account made the changes to the configuration.


Exercise 4 — Examine and Update Feature Keys

When you purchase an option for your Firebox, you add a new feature key to your configuration file. You can use either Firebox System Manager or Policy Manager to see the list of feature keys currently on your Firebox. To add a new feature key to a Firebox, you use Policy Manager.

View Feature Keys For Your Firebox

To view your feature keys in Firebox System Manager:
1. Select View > Feature Keys. The Firebox Feature Keys dialog box appears.

2. To see more information about the feature key, click Details. The Feature Key Detail dialog box shows a list of the features in the feature key.


3. Click OK to close the Feature Key Details dialog box.


Add a Feature Key to the Firebox You use Policy Manager to add a feature key to your Firebox.

Complete this exercise in class only if your instructor requests that you do so and provides you with an updated feature key.

To add a feature key to your Firebox:
1. Open the configuration file you are editing for these exercises.
2. Select Setup > Feature Keys. The Firebox Feature Keys dialog box appears.

3. Click Import. The Import Firebox Feature Key dialog box appears.

4. Click Browse and select your feature key file. Or, open your feature key file, copy the contents, and in the Import Firebox Feature Key dialog box, click Paste. You can purchase this key from WatchGuard. If you attend a WatchGuard Certified Training course, you will receive this key from your instructor.

5. Click OK to close the Import Firebox Feature Key dialog box.
6. Click OK to close the Firebox Feature Key dialog box.
7. Save the configuration file to the Firebox. You cannot use an optional feature until you add the feature key to the configuration file and save it to your Firebox.


Exercise 5 — Create a Device Backup Image A Firebox backup image is a saved copy of the working image from the Firebox flash disk. The backup image includes the Firebox OS, configuration file, feature keys, passphrases, DHCP leases, and certificates. The backup image also includes any event notification settings that you configured in Traffic Monitor. You can use Policy Manager to save an encrypted backup image to your management computer or to a directory on your network or other connected storage device. We recommend that you create a backup image of the Firebox before you make significant changes to your device configuration file, or upgrade your Firebox OS. It is especially important to save a device backup image before you upgrade the version of Fireware OS on the Firebox. The backup image is the easiest way to downgrade the Firebox, if you ever need to.

You can also use Firebox System Manager to create and restore a device backup image to a USB drive connected to the Firebox. For more information, see Fireware Help.

To create a device backup:
1. Select File > Backup. The Backup dialog box appears. Because you connected to your Firebox with the example-co_admin user account, the Administrator User Name that appears in the Backup dialog box is example-co_admin. If you connect with a Device Monitor user account, the default Device Administrator user account, admin, appears in the Administrator User Name text box.

2. In the Administrator Passphrase text box, type Example4, the read-write passphrase for the example-co_admin user account.
3. Click OK. The second Backup dialog box appears.

4. Type and confirm an Encryption Key. For this exercise, type MyStrongKey. This key is used to encrypt the backup file. If you lose or forget this encryption key, you cannot restore the backup file. The encryption key is case-sensitive.

5. In the Back up image to text box, select the location to save the backup file.
6. Click OK.


On a Windows 10, 8, or Windows 7 computer, the default location for a backup file with a .fxi extension is:

C:\Users\Public\Shared WatchGuard\backups\-..fxi

When you restore the backup image, you must specify a name and passphrase for a user with administrative privileges, and you must type the encryption key you specified when you created the backup image. For this exercise, do not restore the backup image to the Firebox.

Restoring a saved backup image is the only method to downgrade a Firebox without first resetting the Firebox to factory-default settings.


Exercise 6 — Add Firebox Identification Information

You can save information about the Firebox in the configuration file, which helps you to identify the Firebox in reports, log messages, and WatchGuard management tools. The Firebox model is particularly important because some software features only function on certain models.

You can use Policy Manager to give the Firebox a descriptive name to use in your log files and reports. You can use a Fully Qualified Domain Name if you register it with your authoritative DNS server. A descriptive Firebox name is also helpful if you use the Management Server to configure VPN tunnels and certificates for the Firebox. Though the external IP address of the Firebox appears in WSM tools, log messages, and reports for the Firebox, a descriptive name for the Firebox makes it easier to quickly identify each Firebox.

The Firebox time zone controls the date and time that appears in the log messages and in management tools, including Log Manager, Report Manager, WatchGuard Dimension, and WebBlocker. Set the Firebox time zone to match the time zone for the physical location of the Firebox. This time zone setting ensures the time appears correctly in the log messages. A default configuration file sets the Firebox system time to Greenwich Mean Time (GMT).

In this exercise, you set the Firebox device identification information for your student Firebox. If you are working alone, you can use the example of our fictional organization: Successful Company. In other training modules, you see this information in reports and WatchGuard System Manager.

From Policy Manager:
1. Select Setup > System. The Device Configuration dialog box appears.
2. In the Name text box, type SuccessfulMain. Your instructor might give you another name for your student Firebox.
3. In the Location text box, type Seattle. This identifies the physical location of the Firebox.
4. In the Contact text box, type your name. This is the name of the person in your organization who is responsible for the management of the Firebox.
5. From the Time zone drop-down list, select your local time zone. Select the time zone of the Firebox itself. This enables you to synchronize reports from Fireboxes in multiple time zones.
6. Click OK.


Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. True or false? You can add only one Device Administrator user account to your Firebox.

2. Circle the correct answer: To save a device configuration file to your Firebox, you must use an account with the [Device Monitor | Device Administrator] role.

3. Select the correct answer: Corporate headquarters is in Detroit. The branch office Firebox is located in Tokyo. You should set the branch office Firebox time zone to:
   o A) (GMT-05:00) Eastern Time (US & Canada)
   o B) (GMT+09:00) Osaka, Sapporo, Tokyo

4. True or false? You can save the Firebox configuration file to a USB flash drive.

5. How frequently should you make a backup image of your Firebox?
   o A) Daily
   o B) Weekly
   o C) Monthly
   o D) Each time you make a substantial change to the configuration
   o E) Never

6. Which of the following information is used by WatchGuard System Manager applications to identify a Firebox? (Select all that apply.)
   o A) Firebox Name
   o B) System administrator name
   o C) Encryption key
   o D) Model number
   o E) External IP address


ANSWERS
1. False. You can add many Device Administrator user accounts to your Firebox.
2. Device Administrator
3. B (GMT+09:00) Osaka, Sapporo, Tokyo — Set the Firebox time zone to its physical location
4. True — You can save the device configuration file to any local disk drive, including a USB flash drive or a network share.
5. D
6. A, D, E


Network Settings Configure Firebox Interfaces

What You Will Learn

A Firebox has four types of interfaces: external, trusted, optional, and custom. To use your Firebox in a network, you must configure the interface types and set the IP addresses of the interfaces. You can also enable routing features on some interfaces. In this training module, you learn how to:

• Configure external network interfaces using a static IP address, DHCP, or PPPoE
• Configure trusted and optional network interfaces
• Use the Firebox as a DHCP server
• Add WINS/DNS server locations to the Firebox configuration
• Set up a secondary network or address
• Add a static route

Before you begin these exercises, make sure you read the Course Introduction module.

Copyright © 2016 WatchGuard Technologies, Inc. All rights reserved.

Properties and Features of Firebox Interfaces

A firewall physically separates the networks on your local area network (LAN) from those on a wide area network (WAN) like the Internet. One of the basic functions of a firewall is to move packets from one side of the firewall to the other. This is known as routing. To route packets correctly, the firewall must know what networks are accessible through each of its interfaces.

The Firebox provides additional functionality for some interfaces. You can configure external interfaces to work with Dynamic DNS. You can configure trusted, optional, and custom interfaces to enable a DHCP (Dynamic Host Configuration Protocol) server.

The Firebox has four types of network interfaces:

External Interfaces
An external interface connects your Firebox to a wide area network (WAN), such as the Internet, and can have either a static or dynamic IP address. The Firebox gets a dynamic IP address for the external interface from either a DHCP (Dynamic Host Configuration Protocol) server or a PPPoE (Point-to-Point Protocol over Ethernet) server. With DHCP, the Firebox uses a DHCP server controlled by your Internet Service Provider (ISP) to get an IP address for the external interface, a gateway IP address, and a subnet mask. With PPPoE, the Firebox connects to your ISP's PPPoE server to get the same information.

Trusted Interfaces
A trusted interface connects your Firebox to the private local area network (LAN) or internal network that you want to secure. User workstations and private servers which cannot be accessed from outside the network are usually found in trusted networks.

Optional Interfaces
Optional interfaces connect your Firebox to your optional networks, which are mixed-trust or DMZ environments separated from your trusted networks. Public web, FTP, and mail servers are usually found in optional networks. The settings for an optional interface are the same as for a trusted interface. The only difference is that optional interfaces are members of the alias Any-Optional.

Custom Interfaces
A custom interface connects your Firebox to an internal network with a custom level of trust different from trusted or optional. A custom interface is not a member of the built-in aliases Any-Trusted, Any-Optional, or Any-External, so traffic for a custom interface is not allowed through the Firebox unless you specifically configure policies to allow it. A custom interface is included in the alias All.

Most users configure at least one external and one trusted interface on their Firebox. You can configure any interface as trusted, optional, external, or custom. Trusted, optional, and custom interfaces are all internal interfaces, and all have the same configurable settings. The IP address for an internal interface must be static. Usually, internal interfaces use private or reserved IP addresses that conform to RFC 1918.

When you configure the IPv4 addresses for interfaces on a Firebox, you must use slash notation to denote the subnet mask. For example, you enter the network range 192.168.0.0 with subnet mask 255.255.255.0 as 192.168.0.0/24, and a trusted interface with the IP address of 10.0.1.1/16 has a subnet mask of 255.255.0.0.


Interface Types and Aliases

For each interface, the interface name is an alias used in policies to refer to traffic sent or received through that interface. Each interface is also a member of one or more built-in aliases, which refer to network security zones. When you select an interface type, the interface becomes a member of one or more of the built-in aliases that define the different security zones. The built-in aliases for interfaces are:

• Any-External — An alias for any network reachable through a Firebox interface configured as External
• Any-Trusted — An alias for any network reachable through a Firebox interface configured as Trusted
• Any-Optional — An alias for any network reachable through a Firebox interface configured as Optional
• Any — An alias for any address. This includes any IP address, interface, custom interface, tunnel, or user group.

The only difference between trusted, optional, and custom interfaces is which aliases the interface is a member of.

The Any-External, Any-Trusted, and Any-Optional aliases do not include Firebox interface IP addresses.

Requirements for Firebox Interfaces

Each Firebox interface can connect to a different network. The computers and servers protected by the Firebox can use either private or public IP addresses. The Firebox uses network address translation (NAT) to route traffic from the external network to computers on the trusted and optional networks. All devices behind the trusted and optional interfaces must have an IP address from the network assigned to that interface. To make this easy to remember, many administrators set the interface address to the first or last IP address in the range used for that network. In the image below, for example, the IPv4 address of the trusted interface could be 10.0.1.1/24 and the IPv4 address of the optional interface could be 10.0.2.1/24.


About DHCP Server and DHCP Relay

You can configure the Firebox to assign IP addresses automatically through DHCP to devices on the trusted or optional networks. When you enable the DHCP server, you specify a pool of IP addresses on the same subnet as the interface IP address. The DHCP server assigns these addresses to devices that connect.

Make sure to add enough IP addresses to the address pool to support the number of clients on your network. For example, in the configuration shown here, the DHCP server can assign IP addresses to a maximum of 99 DHCP clients. When the 100th client requests an IP address, that request fails, and that client cannot connect. You can also configure the Firebox for DHCP relay. When you use DHCP relay, computers behind the Firebox can use a DHCP server on a different network to get IP addresses. The Firebox sends the DHCP request to a DHCP server at a different location than the DHCP client. The Firebox sends the DHCP server reply to the computers on the trusted or optional network. This option lets computers in more than one office use the same IP address range.
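The pool rules just described, as an added example that is not part of this guide or of Fireware itself: a small Python model of a DHCP pool on a trusted interface. The addresses are constructed for the example (interface 10.0.1.1/24, pool 10.0.1.2 to 10.0.1.100, so 99 usable leases); the model checks that the pool lies on the interface subnet, never leases the interface address, and refuses the request that exceeds the pool, just as the 100th client's request fails above.

```python
"""Added example (not from the Fireware Essentials guide): a model of the DHCP
address-pool rules for a Firebox internal interface. All addresses and
client MAC addresses below are constructed sample values."""
import ipaddress
from typing import Dict, Optional


class DhcpPool:
    """Lease addresses from a pool that must sit on the interface's subnet."""

    def __init__(self, interface: str, pool_start: str, pool_end: str) -> None:
        iface = ipaddress.ip_interface(interface)      # e.g. 10.0.1.1/24
        net = iface.network                             # 10.0.1.0/24
        start = ipaddress.ip_address(pool_start)
        end = ipaddress.ip_address(pool_end)
        # The pool must be on the same subnet as the interface IP address.
        if start not in net or end not in net:
            raise ValueError(f"pool {pool_start}-{pool_end} is not inside {net}")
        if end < start:
            raise ValueError("pool end is before pool start")
        # The interface address is never handed to a client, nor are the
        # network and broadcast addresses of the subnet.
        reserved = {iface.ip, net.network_address, net.broadcast_address}
        candidates = (ipaddress.ip_address(n) for n in range(int(start), int(end) + 1))
        self.free = [a for a in candidates if a not in reserved]
        self.leases: Dict[str, ipaddress.IPv4Address] = {}

    @property
    def capacity(self) -> int:
        """Number of clients this pool can serve at the same time."""
        return len(self.free) + len(self.leases)

    def request(self, client_mac: str) -> Optional[ipaddress.IPv4Address]:
        """Return a lease for the client, or None when the pool is exhausted."""
        if client_mac in self.leases:
            return self.leases[client_mac]      # a renewal keeps the same address
        if not self.free:
            return None                         # pool exhausted: the request fails
        addr = self.free.pop(0)
        self.leases[client_mac] = addr
        return addr

    def release(self, client_mac: str) -> None:
        """Return a client's address to the pool when its lease ends."""
        addr = self.leases.pop(client_mac, None)
        if addr is not None:
            self.free.append(addr)


def simulate_clients(pool: DhcpPool, count: int) -> int:
    """Send one request from each of `count` distinct (constructed) MAC
    addresses and return how many of them received a lease."""
    granted = 0
    for i in range(count):
        mac = f"00:11:22:33:{i // 256:02x}:{i % 256:02x}"
        if pool.request(mac) is not None:
            granted += 1
    return granted


if __name__ == "__main__":
    # Constructed example: trusted interface 10.0.1.1/24, pool 10.0.1.2-10.0.1.100.
    pool = DhcpPool("10.0.1.1/24", "10.0.1.2", "10.0.1.100")
    print("pool capacity:", pool.capacity)                                 # 99
    print("leases granted to 100 clients:", simulate_clients(pool, 100))   # 99
```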

About WINS/DNS

Several Fireware features use Windows Internet Name Server (WINS) and Domain Name System (DNS) server IP addresses. These servers must be accessible from the trusted interface of the Firebox. For example, this information is used by mobile VPNs. Use only an internal WINS and DNS server, so that you do not create policies whose configuration prevents users and services from connecting to the DNS server.


About Network Modes You can configure a Firebox in Mixed Routing, Drop-In, or Bridge mode. The most common configuration method is a routed configuration. We use a routed configuration to explain most of the features and examples in this training. When you use the Web Setup Wizard to create your initial network configuration, the Firebox is automatically configured in a routed configuration. When you use the Quick Setup Wizard in WatchGuard System Manager to create your initial network configuration, you can choose to configure the Firebox in a routed or drop-in configuration.

Drop-In Mode and Bridge mode are less commonly used, and have these characteristics:

Drop-In Mode
• All of the Firebox interfaces are on the same network and have the same IP address.
• The computers on the trusted or optional interfaces can have a public IP address.
• The computers can have public IP addresses. NAT is not necessary.

Bridge Mode
• All of the Firebox interfaces are on the same network. You specify an IP address to use to manage the Firebox.
• Traffic from all trusted or optional interfaces is examined and sent to the external interface. Interface IP addresses cannot be configured.
• NAT is not used in Bridge mode. Traffic sent or received through the Firebox appears to come from its original source.

About Dynamic DNS You can use Dynamic DNS to make sure that the IP address associated with your domain name changes when your ISP gives your Firebox a new IP address. DynDNS is the only dynamic DNS service supported by your Firebox. For more information, see the DynDNS website: http://www.dyndns.com.


About Secondary Networks

A secondary network is a network that shares one of the same physical networks as one of the Firebox interfaces. When you add a secondary network, you add a second IP alias to the interface. This IP alias is the default gateway for all the computers on the secondary network. Secondary networks can be used only in Mixed Routing or Drop-In mode.

Here are some examples of situations when secondary networks can be useful:

Network Consolidation
If you want to remove a router from your network, you can add the router IP address as a secondary IP address on the firewall when the router is shut down. Any hosts or routers that are still sending traffic to the old router IP address would then send traffic to the firewall.

Network Migration
Secondary addresses can help you avoid a network outage if you want to migrate your trusted network from one subnet to another. For example, if you currently use 192.168.1.1/24 as the primary interface IP address, and you change the interface IP address to 10.0.10.1/24, this could cause a network outage while the devices that use DHCP get an IP address on the new subnet. Also, any devices that use a static IP address cannot connect until you reconfigure them with an IP address on the new subnet. To avoid the outage, add the old IP address as a secondary network, so that devices can still use IP addresses on the old subnet during the migration. When you configure a secondary network, the devices that use DHCP get an IP address on the new subnet when they renew their DHCP lease, without an outage. Devices that use a static IP address can continue to use the old subnet until you have time to update their IP addresses. After all devices have been migrated to the new subnet, you can remove the secondary IP address from the interface.

Static NAT to Multiple Servers
If your Firebox uses a static external IP address, you can add an IP address that is on the same subnet as your primary external interface as a secondary network. You can then configure static NAT rules to send traffic to the appropriate devices on that network. For example, configure an external secondary network with a second public IP address if you have two public web servers and you want to configure a static NAT rule for each server.

You can also add secondary networks to the external interface of a Firebox if the external interface is configured to get its IP address through PPPoE or DHCP. You can add up to 255 secondary networks per interface.


About Network Bridges You can use network bridges to merge two or more physical network interfaces on your Firebox. A bridge operates in the same way as any other network interface. For more information, see the Fireware Help.

About Static Routes

You can add static routes to control how your Firebox sends traffic to other devices. For example, you can create a static route to specify that all traffic that goes to a server at another company is sent through a specific external interface. Or, for two devices connected to the same network, you can create a static route on one device for traffic to a private network behind another device.

A route is the sequence of devices that network traffic must go through to get from its source to its destination. A packet can go through many network points with routers before it reaches its destination. Routes can be static or dynamic.

• Static route — A manually configured route to a specific network or host.
• Dynamic route — A route automatically learned and updated by a router, based on communication with adjacent network routers.

For information about dynamic routing, see the Network and Traffic Management courseware.

A router, or a network device such as a Firebox, stores information about routes in a routing table. The device looks in the routing table to find a route to send each received packet toward its destination.


To add a static route, in Policy Manager, select Network > Routes.

Each static route includes these attributes:

• Route Type — This is automatically set to Static Route. If you have configured a BOVPN virtual interface, you can also select BOVPN Virtual Interface Route.
• Destination Type — Specifies whether the destination is an IPv4 or IPv6 network or host.
• Route To — The destination IP address.
• Gateway — The IP address to route the traffic through. The Firebox must have a route to this IP address.
• Metric — The metric sets the priority for the route. If the routing table includes more than one route to the same destination, the Firebox uses the route that has the lower metric.
• Interface — For a route to an IPv6 destination, you can optionally select the IPv6-enabled interface to use for the route. For a BOVPN Virtual Interface Route, you must select the BOVPN virtual interface to use for the route.

You can see the routes for your Firebox in Firebox System Manager, on the Status Report tab.


The routing table includes:

• Routes to networks for all enabled Firebox interfaces and BOVPN virtual interfaces
• Static network routes or host routes you add to your configuration
• Routes the Firebox learns from dynamic routing processes that are enabled on the device
• The default route, which is used when a more specific route to a destination is not defined. This is the gateway IP address you specify for your external interface.

Each route in the routing table has an associated metric. If the routing table includes more than one route to the same destination, the Firebox uses the route that has the lower metric. For a static route, you manually set the metric, to control the priority of each route. If you use dynamic routing, the dynamic routing protocol automatically sets the metric for each route.

A configured static route does not appear in the route table if there is no route to the gateway specified in the static route.
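The routing-table behaviour described in this section, as an added example that is not part of this guide or of Fireware itself: a Python model that builds the table from the interface networks and the external gateway, installs static routes only when the Firebox has a route to their gateway, and picks the most specific route, with the lower metric breaking ties. The addresses and metrics are constructed for the example, and the model assumes a static route's gateway must lie on a directly connected network.

```python
"""Added example (not from the Fireware Essentials guide): a model of a Firebox
routing table in mixed routing mode (IPv4 only). Interface addresses, static
routes and metrics are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    destination: ipaddress.IPv4Network          # "Route To", in slash notation
    gateway: Optional[ipaddress.IPv4Address]    # None for a connected network
    metric: int                                 # lower value = higher priority
    source: str                                 # "connected", "static" or "default"


class RoutingTable:
    """Routes the Firebox consults to forward each received packet."""

    def __init__(self, interfaces: List[str], default_gateway: str) -> None:
        self.routes: List[Route] = []
        # Every enabled interface contributes a route to its own network,
        # e.g. a trusted interface of 10.0.1.1/24 yields 10.0.1.0/24.
        for addr in interfaces:
            iface = ipaddress.ip_interface(addr)
            self.routes.append(Route(iface.network, None, 0, "connected"))
        # The default route points at the gateway of the external interface.
        gw = ipaddress.ip_address(default_gateway)
        if not self._on_connected_network(gw):
            raise ValueError(f"default gateway {gw} is not on any interface network")
        self.routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), gw, 0, "default"))

    def _on_connected_network(self, addr: ipaddress.IPv4Address) -> bool:
        return any(addr in r.destination for r in self.routes if r.source == "connected")

    def add_static(self, route_to: str, gateway: str, metric: int = 1) -> bool:
        """Install a static route. Returns False, installing nothing, when the
        Firebox has no route to the gateway: such a route does not appear in
        the route table (assumption: the gateway must be directly connected)."""
        gw = ipaddress.ip_address(gateway)
        if not self._on_connected_network(gw):
            return False
        self.routes.append(Route(ipaddress.ip_network(route_to), gw, metric, "static"))
        return True

    def lookup(self, destination: str) -> Optional[Route]:
        """Choose the route for a destination: the most specific matching
        prefix, and among equally specific routes the one with the lower metric."""
        dst = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if dst in r.destination]
        if not matches:
            return None
        return min(matches, key=lambda r: (-r.destination.prefixlen, r.metric))

    def next_hop(self, destination: str) -> str:
        """Human-readable next hop, as you would read it on the Status Report tab."""
        r = self.lookup(destination)
        if r is None:
            return "unreachable"
        return "connected" if r.gateway is None else f"via {r.gateway}"


if __name__ == "__main__":
    # Constructed addressing: external 203.0.113.5/24 with gateway 203.0.113.1,
    # trusted 10.0.1.1/24, optional 10.0.2.1/24.
    table = RoutingTable(["203.0.113.5/24", "10.0.1.1/24", "10.0.2.1/24"], "203.0.113.1")
    table.add_static("172.16.0.0/16", "10.0.2.254", metric=1)   # router behind optional
    table.add_static("172.16.0.0/16", "10.0.1.254", metric=2)   # backup path, worse metric
    table.add_static("172.16.5.0/24", "10.0.2.253", metric=5)   # more specific, so it wins
    print(table.add_static("192.168.50.0/24", "192.168.99.1"))  # False: no route to gateway
    for dst in ("10.0.1.20", "172.16.9.9", "172.16.5.10", "198.51.100.7"):
        print(dst, "->", table.next_hop(dst))
```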

About Other Networking Features

The Firebox supports many other networking features that are outside the scope of this course. For more information about these, see the Network and Traffic Management courseware or the Fireware Help.

• VLANs — VLANs (Virtual Local Area Networks) are an advanced network feature that allow you to group devices by traffic patterns instead of by physical network access. You can use VLANs to connect devices on different networks so that they appear to be part of the same network.
• Link Aggregation — Link Aggregation is an advanced network feature that allows you to group physical interfaces together to work as a single logical interface. You can use a link aggregation interface to increase the cumulative throughput beyond the capacity of a single physical interface, and to provide redundancy if there is a physical link failure.
• Multi-WAN — The multi-WAN feature allows you to send network traffic to multiple external interfaces. This is useful when you want to have a backup Internet connection, or if you want to divide your outgoing network traffic between multiple physical interfaces. Multi-WAN settings do not apply to incoming network traffic, and you can only use this feature in Mixed Routing mode.
• Loopback interface — In Mixed Routing mode you can configure a loopback interface on the Firebox. The loopback interface is not tied to any physical interface. You can use it in the dynamic routing configuration when multi-WAN is enabled.
• FireCluster — If you have two Fireboxes of the same model, you can configure them as a FireCluster for high availability and load sharing.


IPv6

Fireware supports IPv6 only when the Firebox is configured in mixed routing mode. You can configure IPv6 interface addresses, and you can use DHCPv6 on any interface that has IPv6 enabled. When IPv6 is enabled, you can:

• Connect to an interface IPv6 address for Firebox management.
• Connect to an interface IPv6 address for Firewall authentication.
• Use IPv6 addresses in packet filter policies, static routes, and blocked sites.
• Set the diagnostic log level for IPv6 advertisements.
• Configure IPv6 FireCluster management IP addresses.

These features also apply to both IPv4 and IPv6 traffic:

• MAC access control
• Inspection of traffic received and sent by the same interface
• TCP SYN checking
• Blocked ports
• Default packet handling settings for flood attack prevention
• Subscription Services
• Proxy policies

WatchGuard continues to add more IPv6 support to Fireware for all Firebox models. For the WatchGuard IPv6 roadmap, see http://www.watchguard.com/ipv6/index.asp.

Fireware supports basic routing and some filtering of IPv6 traffic. However, some security and networking features do not apply to IPv6 traffic. If you enable IPv6 on an interface, you should treat this as a bridged connection. Fireware security features such as some default packet handling options and most security services do not apply to IPv6 traffic. For more information about IPv6 support, see the Fireware Help. The exercises in this training focus on Firebox configuration in an IPv4-only environment.


Exercise 1 — Configure the External Interface

You can configure the Firebox with a static IP address, or you can configure it to get a dynamic IP address for an external interface with DHCP or Point-to-Point Protocol over Ethernet (PPPoE). This exercise contains three variations. Your instructor will tell you which exercise to complete.

• 1A — Configure a static external IP address
• 1B — Configure the external interface to use DHCP to get a dynamic IP address
• 1C — Configure the external interface to use PPPoE to get a dynamic IP address

The external interface must be configured with a static IP address for the exercises in the VPN modules. If you configured the external interface for DHCP or PPPoE, at the end of this exercise set the external interface to use a static IP address.

Exercise 1A — Configure the External Interface with a Static IP Address

To configure an external interface with a static IP address, you must know the IP address, the subnet mask in slash notation, and the default gateway. In this exercise, you use Policy Manager to configure the primary external IP address of the Successful Company network to use a static IP address.

If you are in a classroom, get the address information for this exercise from your instructor.

If you used the Quick Setup Wizard to configure your Firebox in the Getting Started exercises, your Firebox already has a static IP address configuration.
1. Select Network > Configuration. The Network Configuration dialog box appears.

2. Select the Interfaces tab.
3. In the Interfaces list, select InternetConnection (Interface 0). Click Configure. The Interface Settings dialog box appears.

4. Select Use Static IP.
5. In the IP Address text box, type 203.0.113.X/24. Replace X with your student number. This is a fictitious IP address. With a real-world static IP address, the Internet Service Provider (ISP) provides the IP address, subnet, and default gateway.

Fireware EssentialsStudentGuide


6. In the Default Gateway text box, type 203.0.113.1.

7. Click OK. The external IP address appears in the Network Configuration dialog box.

8. Save the configuration to the Firebox.

Exercise 1B — Configure the External Interface for DHCP

In this exercise, we use Policy Manager to configure an external interface of the Successful Company's Firebox to get its IP address from a DHCP server.

1. Select Network > Configuration. The Network Configuration dialog box appears.
2. In the Interfaces list, select External (Interface 0). Click Configure. The Interface Settings dialog box appears.
3. In the Interface Name text box, type InternetConnection.
4. In the Interface Description text box, type Connect to the Cloud.
5. Make sure that the Interface Type is set to External.
6. Select Use DHCP Client.
7. Select Obtain an IP Automatically.

For most DHCP connections, you do not need to configure any additional settings.


8. Click OK. DHCP appears in the IP Address column in the Network Configuration dialog box.


Exercise 1C — Configure the External Interface to Use PPPoE

Another way to get a dynamically assigned address for a Firebox external interface is to use a PPPoE server. When you do this, your ISP gives you the user name and password. In this exercise, we configure a Successful Company interface to use PPPoE.

After you configure an external interface to use PPPoE, you can optionally configure secondary PPPoE interfaces on the PPPoE tab.

In the Network Configuration dialog box:

1. In the Interfaces list, select Optional-2 (Interface 3). Click Configure. The Interface Settings dialog box opens.
2. In the Interface Type drop-down list, select External.
3. In the Interface Name text box, type BackupInternet.
4. In the Interface Description text box, type Use when primary connection fails.
5. Select Use PPPoE.
6. In the User Name text box, type the PPPoE user name. For this exercise, type username.
7. Type and confirm the PPPoE passphrase. For this exercise, type passphrase.
8. Click OK. PPPoE appears in the IP Address column in the Network Configuration dialog box.

The external interface must be configured with a static IP address for the exercises in the VPN modules later in this training. If you configured the external interface for DHCP or PPPoE, at the end of this exercise set the external interface to use a static IP address.


Exercise 2 — Configure a Trusted Interface as a DHCP Server

In this exercise, we use Policy Manager to configure a trusted interface on the Successful Company Firebox as a DHCP server. The size of the IP address pool controls the number of hosts that the DHCP server can assign IP addresses to. In the IP addresses for this exercise, replace X with your student number.

1. Select Network > Configuration.
2. In the Interfaces list, select Trusted (Interface 1). Click Configure. The Interface Settings dialog box opens.
3. In the Interface Name text box, type OurLAN.
4. In the Interface Type drop-down list, make sure that Trusted is selected.
5. In the IP address text box, type 10.0.X.1/24. Replace X with your student number.
6. Select the Use DHCP Server radio button.
7. In the Address Pool section, select the existing address pool and click Delete.
8. Click Add.
9. In the Starting address text box, type 10.0.X.100.
10. In the Ending address text box, type 10.0.X.200.
11. Click OK.


12. From the Leasing Time drop-down list, select 24 hours.

13. Click OK.
14. Save the configuration to the Firebox.

If you changed the IP address of the trusted interface you connect to, make sure your computer gets a new IP address on the same subnet. Then, reconnect to the Firebox on the new IP address.

With this configuration, the DHCP server can assign up to 101 IP addresses to DHCP clients. After the DHCP server has assigned all 101 IP addresses, if any other DHCP client requests an IP address, the request fails, and that client cannot connect.


Exercise 3 — Configure an Optional Interface

Optional interfaces are commonly used for servers that are used by both the public and members of your organization, such as HTTP and FTP servers. In this exercise, we configure an optional network that Successful Company can use for their public servers. The settings for an optional interface are exactly the same as for a trusted interface. The only difference between trusted and optional interfaces is that trusted interfaces belong to the alias Any-Trusted, and optional interfaces belong to the alias Any-Optional.

1. Select Network > Configuration. The Network Configuration dialog box appears.
2. Select the Interfaces tab.
3. In the Interfaces list, select Optional-1 (Interface 2). Click Configure. The Interface Settings dialog box appears.
4. From the Interface Type drop-down list, select Optional.
5. In the Interface Name text box, type PublicServers.
6. In the Interface Description text box, type Servers used by customers and vendors.
7. In the IP Address text box, keep the default network IP address of 10.0.2.1/24.
8. Make sure Disable DHCP is selected. Because this network does not use DHCP, no further configuration is necessary.
9. Click OK. The new settings appear for Interface 2.


Exercise 4 — Configure WINS/DNS Server Information

Several Fireware features operate correctly only if you use a WINS/DNS server on your trusted network. These features include Gateway AntiVirus, Intrusion Prevention Service, spamBlocker, and Mobile VPN (Virtual Private Networks). In this exercise, we use Policy Manager to configure the Successful Company Firebox to use WINS/DNS servers on the OurLAN and PublicServers networks.

Your instructor may provide a WINS/DNS server on the training network.

In the IP addresses in this exercise, replace X with your student number.

1. Select Network > Configuration. The Network Configuration dialog box appears.
2. Select the WINS/DNS tab.
3. In the Domain Name text box, type example.com.
4. In the DNS Servers text box, type 10.0.X.53 and click Add. In the DNS Servers text box, type 10.0.2.53 and click Add. These are the IP addresses of the internal DNS servers for this exercise.

You are not required to enter more than one DNS server. However, we recommend that you add more than one DNS server to make sure that users can still get DNS name resolution when the primary server is not available.

5. In the WINS Servers text boxes, type 10.0.X.53 and 10.0.2.53. These are the IP addresses for the internal WINS servers for this exercise.

6. Click OK.


Exercise 5 — Configure a Secondary Network

A secondary network is a network that shares the same physical network as one of the Firebox interfaces. In this exercise, we use Policy Manager to add a secondary network to the Successful Company OurLAN trusted network. In the IP address in this exercise, replace X with your student number.

1. Select Network > Configuration. The Network Configuration dialog box appears.
2. Select the Interfaces tab.
3. In the Interfaces list, select OurLAN (Interface 1). Click Configure. The Interface Settings dialog box appears.
4. Select the Secondary tab.
5. Click Add. The Add a secondary network dialog box appears.
6. In the IP Address text box, type 172.16.X.1/24. Click OK.
7. Click OK to close the Interface Settings dialog box.
8. Click OK to close the Network Configuration dialog box.
9. Save the configuration file.


Frequently Asked Questions

Can I use any IPv4 address for my trusted and optional networks?

You can, but we suggest that you use only IP addresses specified in RFC 1918. These private networks include any of these IP address ranges:

- 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
- 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
- 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

If you use any other IP address range, you can have a conflict. For example, if you configure your trusted network with the IP address 206.253.208.100/24, any user on the trusted network who tried to go to the WatchGuard website would fail, because 206.253.208.100 is the IP address of the WatchGuard website. The Firebox would route 206.253.208.100 traffic to the trusted interface instead of to the external interface to reach the WatchGuard website server.

What is slash notation?

Slash notation, also known as CIDR (Classless Inter-Domain Routing) notation, is a shorter way to write an IPv4 address and its subnet mask together. To find the subnet mask number:

1. Convert the IP address to binary.
2. Count each “1” in the subnet mask.

Some of the most common network masks are:

Network Mask        Slash
255.0.0.0           /8
255.255.0.0         /16
255.255.255.0       /24
255.255.255.128     /25
255.255.255.192     /26
255.255.255.224     /27
255.255.255.240     /28
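As an added example that is not part of the WatchGuard guide, the Python script below works through the two points of this FAQ: it converts a dotted-decimal mask to its slash number by counting the 1 bits (rejecting masks with non-contiguous bits), and it checks whether a proposed trusted or optional network lies inside RFC 1918 and which public destinations such a network would capture, using the 206.253.208.100/24 case above as constructed input. Function names such as mask_to_prefix and check_interface_network are this example's own, not Fireware APIs.

```python
"""Added example, not from the Fireware guide: slash-notation helpers and an
RFC 1918 / route-conflict check for the trusted and optional network FAQ."""
import ipaddress
from typing import Iterable, List

# The private ranges listed in RFC 1918 (the ranges the FAQ recommends).
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def mask_to_prefix(mask: str) -> int:
    """Return the slash number for a dotted-decimal subnet mask.

    The mask is converted to its 32-bit value and the 1 bits are counted.
    A mask whose 1 bits are not contiguous (for example 255.0.255.0) has no
    slash equivalent and is rejected.
    """
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    # A valid mask is exactly `prefix` ones followed by zeros.
    expected = ((1 << prefix) - 1) << (32 - prefix)
    if bits != expected:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def prefix_to_mask(prefix: int) -> str:
    """Return the dotted-decimal mask for a slash number (0-32)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def is_rfc1918(network: str) -> bool:
    """True if the whole network lies inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(network, strict=False)
    return any(net.subnet_of(private) for private in RFC1918_NETWORKS)


def shadowed_destinations(interface_network: str,
                          destinations: Iterable[str]) -> List[str]:
    """Return the destinations the Firebox would route to this interface.

    A directly connected network is preferred over the default route, so a
    public address that falls inside a trusted or optional network is sent
    to that interface instead of out the external interface.
    """
    net = ipaddress.ip_network(interface_network, strict=False)
    return [dst for dst in destinations if ipaddress.ip_address(dst) in net]


def check_interface_network(interface_network: str,
                            destinations: Iterable[str]) -> List[str]:
    """Collect the warnings to review before saving an interface address."""
    warnings = []
    if not is_rfc1918(interface_network):
        warnings.append(f"{interface_network} is not an RFC 1918 private range")
    for dst in shadowed_destinations(interface_network, destinations):
        warnings.append(
            f"{dst} would be routed to this interface, not the external interface")
    return warnings


if __name__ == "__main__":
    # Constructed inputs: the masks from the FAQ table and its conflict example.
    for mask in ("255.0.0.0", "255.255.0.0", "255.255.255.0", "255.255.255.128",
                 "255.255.255.192", "255.255.255.224", "255.255.255.240"):
        print(f"{mask:<18}/{mask_to_prefix(mask)}")
    # 206.253.208.100 is the WatchGuard website address quoted in the FAQ.
    for warning in check_interface_network("206.253.208.100/24",
                                           ["206.253.208.100", "10.0.1.1"]):
        print("WARNING:", warning)
    # A trusted network inside 10.0.0.0/8 produces no warnings.
    print(check_interface_network("10.0.1.1/24", ["206.253.208.100"]))
```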


Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. When you use a static IP address for the external interface, what information must you get from your ISP? (Select all that apply.)
   A) An IP address
   B) A default gateway address
   C) A subnet mask
   D) A password or passphrase
   E) A user name

2. True or false? If you use DHCP on the external interface of the Firebox, you can configure a secondary network for the external interface.

3. True or false? You can configure the Firebox as a DHCP server.

4. What features use the WINS/DNS settings in the Network Configuration dialog box? (Select all that apply.)
   A) Mobile VPN connections to the Firebox
   B) Your ISP to route to the Firebox
   C) Computers on your trusted and optional networks
   D) Your WatchGuard Management Computer
   E) DHCP

5. True or false? You can only add secondary networks in Bridge mode.

6. Which two interfaces are necessary to create a basic network configuration in Mixed Routing mode? (Select one.)
   A) External and optional
   B) Trusted and optional
   C) External and trusted

7. Which of these items is NOT a method used to assign an IP address to the external interface of a Firebox? (Select one.)
   A) Static addressing
   B) DHCP
   C) PPPoE
   D) PPPoA

8. True or false? Only the trusted interface of a Firebox is able to assign IP addresses as a DHCP Server.

9. True or false? Firewall proxy policies apply to both IPv4 and IPv6 network traffic.


ANSWERS

1. A, B, C
2. True
3. True
4. A, C, E
5. False
6. C
7. D
8. False
9. True


Set Up Logging & Servers

Set Up WatchGuard Servers & Configure Logging

What You Will Learn

When you enable and configure logging for your Firebox, the Firebox sends log messages to the WatchGuard Log Servers that you specify. Those log messages provide data for reports, and trigger notifications and alerts. WatchGuard provides two options for logging and reporting: an instance of WatchGuard Dimension installed on a virtual machine (VM), or the WatchGuard System Manager (WSM) Log Server and Report Server installed on your management computer.

If you install the WSM Log Server and Report Server on your management computer, you can use the Report Server to generate reports from the log messages sent to your WSM Log Server. You can then use the reports to troubleshoot problems on your network. From WatchGuard WebCenter, you can use Log Manager to view your log messages and Report Manager to view the reports that your Report Server generates, and to run other On-Demand Reports and Per Client reports.

You can also choose to send log messages to your instance of WatchGuard Dimension. Dimension is a virtual solution that you can use to capture the log message data from your Fireboxes, FireClusters, and WatchGuard servers. You can use Dimension to see this log data in real time, track it across your network, view the source and destination of the traffic, view log message details of the traffic, monitor threats to your network, and view reports of the traffic.

For this training module, we will install both the WSM Log Server and Report Server on your management computer. We will not deploy a Dimension VM. However, if you already have an instance of Dimension deployed and have already run the Dimension Setup Wizard, you can choose to send log messages from your Fireboxes to your instance of Dimension.

Copyright © 2016 WatchGuard Technologies, Inc. All rights reserved.

In this training module, you learn how to:

- Set up WatchGuard Server Center
- Set up a WSM Log Server and set up and configure a WSM Report Server
- Configure a Firebox to send log messages to a WSM Log Server
- Configure logging and notification preferences

In this module, you will connect to one or more Fireboxes, WatchGuard servers, and an instance of WatchGuard Dimension. If you take this course with a WatchGuard Certified Training Partner, your instructor will provide the IP address and passphrases for the Fireboxes, servers, and instance of Dimension used in the exercises. Before you begin these exercises, make sure you read the Course Introduction module.

Logging and Reporting Setup Process Overview

To set up logging and reporting for your network, you must configure the logging settings for your Fireboxes, and set up and configure your WatchGuard Log Server and Report Server or WatchGuard Dimension. The complete process includes:

1. Install and configure a logging and reporting solution:
   - An instance of WatchGuard Dimension
     You install Dimension as a virtual machine in a VMware or Hyper-V environment. Because Dimension is an integrated logging and reporting solution, you do not install separate servers. Run the Dimension Setup Wizard to configure the settings for your instance of Dimension.
   - WatchGuard System Manager Log Server and Report Server
     You can install your Log Server and Report Server on your management computer or another computer in your network. The servers can be installed on the same computer or on different computers. You can install more than one Log Server on your network, but you can only install one Report Server.
     a. Run the WatchGuard Server Center Setup Wizard to set up your Log Server and Report Server. If your Log Server and Report Server are on different computers, you must run the wizard on each computer to set up each server separately.
     b. Configure the settings for your Log Server. Specify database and notification settings.
     c. Configure the settings for your Report Server. Specify databases, notification, and logging settings, and create schedules for report generation.
2. Configure your Firebox to send log messages to your Dimension server and/or WSM Log Server. Specify the IP addresses of one or more servers where your Firebox sends log messages, set the priority for your servers, and enable logging in your policies.

After you complete the installation and configuration process, you can review log messages and reports for your Fireboxes:

1. Review log messages:
   - WatchGuard Dimension
   - WatchGuard WebCenter Log Manager


2. Review reports:
   - Use Dimension to view the reports automatically generated from the log messages sent to Dimension, view Executive Summary and Dashboard reports, and schedule reports.
   - Use WebCenter Report Manager to view Available Reports, and generate new On-Demand and Per Client reports.

Information about how to review log messages and reports appears later in this training courseware, in the Logging & Reporting module. For instructions to configure logging on your network, see the topic “Quick Start — Set Up Logging for Your Network” in Fireware Help.

You can use role-based administration to enable users who do not have administrative rights to also connect to Dimension or WebCenter to view log messages and to see and generate reports. For more information about how to use WatchGuard Server Center to add a user account, see the topic “Define or Remove Users or Groups” in Fireware Help, and follow the instructions to add a user in WatchGuard Server Center. For more information about how to add a user account to Dimension, as well as the other visibility features available in Dimension, see Fireware Help.

Maintain a Record of Device Activity

At its most basic level, logging is the process of recording the activity that occurs at a Firebox or WatchGuard server. Notification is the process of telling an administrator when a specified activity has occurred. For example, when your Firebox denies a packet, this event is recorded as a log message in the log file. When the Firebox determines that a set of events indicates a threat that you have configured for notification, such as a port space probe, your network security administrator is alerted. The types of notification the device can send to the network security administrator include an email message, a pop-up message on the management computer, or an SNMP trap.

When the network security administrator receives a notification message for a threat to the network, he or she can use that information to examine the log files and make decisions about how to make the network more secure. The network administrator could decide to block the ports on which the probe was used, block the IP address that sent the packets, or inform the ISP through which the packets were sent.

Logging and Notification Architecture

To understand how logging and notification work, you must know the components of the WatchGuard logging and notification system.

WatchGuard Management UIs

You use WatchGuard System Manager (WSM) and Policy Manager, or WatchGuard Dimension and Fireware Web UI, to configure your Firebox to set rules for the types of events that prompt the Firebox to send log messages and notifications. WSM, Fireware Web UI, and Dimension supply the tools to see the log messages the Firebox creates, and to generate reports of Firebox events. With Policy Manager and Fireware Web UI, you specify which WSM Log Servers or instances of Dimension receive log messages from your Fireboxes.


Fireboxes and WatchGuard Servers

Your Fireboxes and WatchGuard servers generate log messages for each event that occurs, including events for the Firebox or server itself, and send the messages to the configured Log Server according to the rules you configure in the security policy. If an event has a notification action associated with it, the Firebox or server sends a notification to the Log Server.

Dimension or WSM Log Server

The Log Server is the destination where your Fireboxes and WatchGuard servers send log messages. Each Log Server stores log messages in a PostgreSQL database. For Dimension, you use a Hyper-V or VMware virtual machine (VM) platform. For a WSM Log Server, you can use your management computer as the Log Server, or you can use a different computer. When you select a location for your Log Server, make sure that your Fireboxes and servers are able to send traffic to the computer or VM you select.

[Figure: logging workflow. 1. Connect to your Firebox. 2. Configure your Firebox to send log messages to Dimension and/or your WSM Log Server. 3. Connect to Dimension or WebCenter on your WSM Log Server to review log messages and reports.]


Log Server

Both Dimension and the WSM Log Server can collect log messages from your Fireboxes and WatchGuard servers. Dimension and the WSM Log Server can also send notification messages when a notification request is received from the Firebox. You can install the WSM Log Server software on your management computer, or on a different computer by selecting to install only the Log Server component when you install WSM. For Dimension, the server component that stores log messages is automatically installed when you deploy the Dimension VM and run the Dimension Setup Wizard.

In addition to installing the software, you must configure the Dimension server or WSM Log Server with a Log Server encryption key. Your Fireboxes and WatchGuard servers use this key to encrypt log messages sent to Dimension or the WSM Log Server. The same key must be specified on both the Firebox or server, and on Dimension or the WSM Log Server. The encryption key must be no less than eight and no more than 32 characters. You set the Log Server encryption key when you configure the Log Server settings in the Dimension Setup Wizard or the WatchGuard Server Center Setup Wizard.

One Dimension server or WSM Log Server can receive and store log messages from many Fireboxes and WatchGuard servers. If you install the WSM Log Server on a computer with a desktop firewall other than Windows Firewall, to enable the Log Server to connect through the firewall, you must open TCP ports 4107 and 4115 on that firewall. If you use the default Windows firewall, you do not have to change your configuration. To use Dimension, you must make sure that you can make connections to Dimension over TCP ports 22, 443, and 4115.

Your Firebox can send log messages to one or more Dimension servers or WSM Log Servers at the same time. If you specify a backup server for the primary Dimension server or WSM Log Server, the backup server is used only when the primary server becomes unavailable.

Log Messages

An important feature of a good network security policy is to collect log messages from your security systems, examine those messages frequently, and keep them in a log file archive. You can use these log files to monitor your network security and activity, identify any security risks, and address them. Both WatchGuard System Manager and WatchGuard Dimension include strong and flexible tools to help you monitor and examine your log messages.

In addition to your Dimension server or your WSM Log Server, Fireboxes can send log messages to a syslog server or keep a limited number of log messages locally. You can choose to send log messages to one or more of these locations at the same time.

A Firebox sends five types of log messages: Traffic, Alarm, Event, Debug, and Statistic. Each log message includes the name of the log type as part of the log message.

Traffic Log Messages

The Firebox sends traffic log messages as it applies packet filter and proxy policy rules to traffic that goes through the Firebox. If your Firebox runs Fireware OS v11.10.5 or higher, for packet filter allowed traffic, you can separately select to send log messages for logging purposes (which you can see in Traffic Monitor or Log Manager) or only for reporting purposes (these log messages are only used in reports and do not appear in Traffic Monitor or Log Manager).


Alarm Log Messages

Alarm log messages are sent when an event occurs that causes the Firebox to send a notification request.

Event Log Messages

The Firebox sends an event log message because of user activity.

Debug Log Messages

Debug log messages include information used to help troubleshoot problems. You can select the level of debug log messages to see in Traffic Monitor or send to a log file.

Statistic Log Messages

Statistic log messages include information about the performance of your Firebox. By default, the Firebox sends log messages about external interface performance and VPN bandwidth statistics to your log file. You can use these log messages to help you determine how to change your Firebox settings to improve performance.

Log Files

The Firebox sends log messages to a primary or backup Dimension server or WSM Log Server. For a WSM Log Server, log messages are stored in a PostgreSQL database file in the location you specify when you run the setup wizard. We recommend that you select the built-in directory location for your operating system. For Windows 10, 8, and 7, the built-in directory location is:

C:\ProgramData\WatchGuard\logs

For a Dimension server, log messages are also stored in a PostgreSQL database, which is automatically located in the default location when you deploy your Dimension VM and run the Dimension Setup Wizard. For both Dimension servers and WSM Log Servers, you can select to use an external PostgreSQL database.


Exercise 1 — Set Up WatchGuard Server Center

Before you can configure your installed WatchGuard servers, you must complete the WatchGuard Server Center Setup Wizard. The Setup Wizard creates the WatchGuard servers you selected to install on your management computer. When you run the wizard, you only see the screens that correspond to the server components you have installed. For example, if you install only the Log Server and Report Server, but not the Quarantine Server, the pages used to create a domain list for the Quarantine Server do not appear in the wizard. For more information about the different WatchGuard WSM servers, see the training module for each server, or Fireware Help.

In this exercise, we will use the WatchGuard Server Center Setup Wizard to set up the Management Server and the Log Server that we have installed on the management computer. Before you run the wizard, make sure you have this information:

- The passphrase you want the administrator to use (must be at least 8 characters)
- The Management Server license key
- The IP address of the Log Server
- The encryption key you want to use for the Log Server (8–32 characters, no spaces or slashes)
- The directory location where you want to keep your log files

To run the WatchGuard Server Center Setup Wizard:

1. In the Windows system tray, right-click the WatchGuard Server Center icon and select Open WatchGuard Server Center. The WatchGuard Server Center Setup Wizard starts.
2. Review the Welcome page to make sure you have all the information required to complete the wizard. Click Next. The General Settings - Identify your organization name page appears.
3. Type your Organization name. Click Next. The General Settings - Set Administrator passphrase page appears.
4. Type and confirm the Administrator passphrase. Click Next. The Management Server - Identify the gateway Firebox page appears.
5. Select Yes.
6. Type the external IP address and passphrases for your gateway Firebox. Click Next. The Management Server - Enter a license key page appears.
7. Type the license key for your Management Server and click Add. Click Next. The Log Server - Set an encryption key and database location page appears.
8. Type and confirm the Encryption key to use for the secure connection between the Firebox and the Log Server.
9. Select the Database location for your Log Server database.
10. Click Next. The Review Settings page appears.
11. Confirm your settings are correct and click Next. The wizard shows the server configuration progress.
12. Click Next. The WatchGuard Server Center Setup Wizard is complete page appears.
13. Click Finish. WatchGuard Server Center appears.


Exercise 2 — Set Up a WSM Log Server

In this exercise, the Successful Company network administrator sets up a WSM Log Server. In most organizations, the Log Server is a dedicated computer on the trusted or optional network running Microsoft Windows. The network administrator can also configure the Log Server on the external network if he has many Fireboxes and wants to store log files in a central location. The logging channel is encrypted, so he does not need to use a VPN tunnel between the Firebox and the Log Server. If necessary, the administrator can use NAT (network address translation) to route from the external interface to the Log Server behind a firewall. Then, he can configure a WG-Logging policy to open TCP port 4115 (used by Fireboxes with Fireware OS).

Set Up the Log Server

If attending a class, your instructor installed the Log Server on your management computer.

The first step after the Log Server is installed is to run the WatchGuard Server Center Setup Wizard. This wizard completes the basic setup for all the WatchGuard servers you have installed on this computer. After you set up WatchGuard Server Center, you can configure the Log Server.


Configure the Log Server

On the computer that has the Log Server software installed:

1. Right-click the WatchGuard Server Center icon in the system tray and select Open WatchGuard Server Center. The Connect to WatchGuard Server Center dialog box appears.
2. Type your Username and Administrator passphrase. Click Login. The WatchGuard Server Center appears.
3. In the Servers tree, select Log Server. The Log Server Server Settings page appears.
4. Select a tab to configure the settings for your network. In the subsequent exercises, we use the Server Settings and Database Maintenance tabs.


Exercise 3 — Control Database and Notification Properties

In this exercise, we configure the WSM Log Server to comply with the Successful Company document archive policy. At Successful Company, the network administrator must back up critical network data, such as log messages, to a secure drive at least once a week. Because the Log Server and Report Server are installed on the same computer, they share a PostgreSQL database. We must make sure that the combined maximum database size settings of both the Log Server and the Report Server do not exceed 50% of the total disk space available on the primary operating system partition of the server computer. This is to make sure the two servers do not use more disk space than is available on the server computer. We will also select to use the Built-in PostgreSQL database that is installed with the Log Server.

Configure Database and Notification Settings

We use Log Server database maintenance and notification settings to control how long we maintain log messages, as well as when and where we back them up to a location other than the Log Server.

1. In the WatchGuard Server Center Servers tree, select Log Server. The Log Server pages appear with the Server Settings tab selected.
2. In the Maximum Database size text box, type the maximum allowable size in gigabytes for the Log Server database. Make sure that this setting, combined with the maximum size you specify for the Report Server database, does not exceed 50% of the disk space on the server computer.

3. Click Apply to save your settings.


4. Select the Database Maintenance tab.

5. In the Database Backup Settings section, select the Backup log messages automatically check box.
6. In the Backup log data every text box, type or select 7. This sets the frequency of backups to once a week.
7. In the Database Settings section, make sure Built-in database is selected. This is the default setting.
8. Click Apply to save your settings.

To use an existing PostgreSQL database on another computer, select the External PostgreSQL database option.


Send Log Notifications to a Network Administrator

We also need to configure the Log Server to use the Successful Company email server to send messages to the network administrators’ group.

1. Select the Notification tab.

2. In the Events > Send an email notification section, select the When a failure event occurs on this Log Server and the When an event notification is received from any device or server check boxes.

3. In the SMTP Server Settings section, in the Outgoing email server (SMTP) text box, type mail.myexample.com. If the SMTP server you are using for this training accepts connections on a port other than port 25 (the default port for SMTP traffic), you can change the port: type the SMTP server address in the format address:port.

4. Select the Send credentials to the email server check box.

5. In the User Name text box, type netadmingroup.

6. In the Password text box, type mailpassword.

7. In the Notification Setup section, in the Send email to text box, type [email protected].

8. In the Send email from text box, type [email protected].

9. In the Subject text box, type Log Server Notification.

10. Click Apply to save your changes.


Change the Encryption Key

When a network administrator at Successful Company moves to London to take a job with another company, the remaining staff recognize that they need to change all the firewall passwords. In this exercise, we use WatchGuard Server Center to change their Log Server encryption key, and update the encryption key for each Firebox logging to the WatchGuard Log Server.

1. In the Servers tree, select Log Server. The Log Server pages appear, with the Server Settings tab selected.

2. In the Encryption Key Setting section, click Modify. The Log Server Encryption Key dialog box appears.

3. In the New key text box, type myencryptionkey. Click OK.

The Log Server Encryption Key dialog box closes and the encryption key is changed.

4. Open Policy Manager for your Firebox.

5. Select Setup > Logging. The Logging Setup dialog box appears.

6. In the WatchGuard Log Server section, click Configure. The Configure Log Servers dialog box appears.

7. Select the Log Server IP address in the list, and click Edit. The Edit Event Processor dialog box appears.

8. In the Encryption Key and Confirm Key text boxes, type myencryptionkey.

9. Click OK to close the Edit Event Processor dialog box.

10. Click OK to close the Configure Log Servers dialog box.

11. Click OK to close the Logging Setup dialog box.

12. Save the configuration file to the Firebox.

13. Repeat Steps 4–12 for each device that sends log messages to this Log Server.


Exercise 4 — Configure Where the Firebox Sends Log Messages

The Successful Company administrator must tell each Firebox in the network to send log messages to a WatchGuard Log Server. Because the Firebox can send log messages to two WatchGuard Log Servers simultaneously, he configures the Firebox to send log messages to both a Dimension server and a WSM Log Server. When he configures the logging settings for the Firebox, he adds the IP address for each Log Server where the Firebox will send log messages and the Log Server encryption key, and saves the configuration file to the Firebox. Then, after he sets up each server, the log encryption key on the Firebox matches the log encryption key on each server, and the server and Firebox can communicate. The Firebox waits until it sends its first log message to establish a connection with the server.

If the Firebox and Dimension server or WSM Log Server do not connect, add the encryption keys in the Firebox configuration again. The most common cause of connection problems is encryption keys that do not match.

Because the Firebox can send the same log messages to two Log Servers at the same time, the Successful Company administrator configures two different sets of Log Servers. For each set, he must configure a primary Log Server, but backup servers are optional. The administrator has both a Dimension server and a WSM Log Server, so he configures his Firebox to send log messages to both servers simultaneously. In this exercise, we use Policy Manager to configure the Firebox to send log messages to both a Dimension server and a WSM Log Server.

1. Open the configuration file for your Firebox.

2. Select Setup > Logging. The Logging Setup dialog box appears.


3. Select the Send log messages to these WatchGuard Log Servers check box. Click Configure. The Configure Log Servers dialog box appears, with the Log Servers 1 tab selected by default.

4. Click Add. The Add Event Processor dialog box appears.

5. In the Log Server Address text box, type the IP address for your WSM Log Server (your management computer IP address). For this exercise, we put the WSM Log Server on the Successful Company trusted network at 10.0.1.17.

6. In the Encryption Key text box, type mylogserverkey.

7. In the Confirm Key text box, type mylogserverkey again.

8. Click OK to close the Add Event Processor dialog box. The IP address for the Log Server appears in the Configure Log Servers dialog box on the Log Servers 1 tab.


9. Select the Log Servers 2 tab.

10. Click Add. The Add Event Processor dialog box appears.

11. In the Log Server Address text box, type the IP address for your Dimension server. For this exercise, we put the Dimension server on the Successful Company trusted network at 10.0.1.27.

12. In the Encryption Key text box, type mydimensionlogserverkey.

13. In the Confirm Key text box, type mydimensionlogserverkey again.

14. Click OK to close the Add Event Processor dialog box. The IP address for the Dimension server appears in the Configure Log Servers dialog box on the Log Servers 2 tab.

15. Click OK again to close the Configure Log Servers dialog box. The Logging Setup dialog box appears.


16. Click OK to close the Logging Setup dialog box. The Firebox does not establish a connection with the Log Servers until you save the configuration file to the Firebox and it tries to send the first log message.

17. If you have access to a Firebox for this lesson, save the configuration file to the Firebox.

Exercise 5 — Configure Logging and Notification for Policies

Before the Successful Company administrators can see log messages for the traffic through their Fireboxes, and generate reports from these log messages, they must also enable logging in their firewall policies and proxies. The options they can select depend on the type of policy (packet filter or proxy) and the connection settings for packet filter policies. For a packet filter policy that allows connections through the Firebox, the administrator can select separate options to enable the Firebox to send log messages that can be viewed in Traffic Monitor and Log Manager, or to send log messages that are only used in reports. To both see the Firebox log messages and generate reports from log messages, the administrator can select both options. This enables the administrator to remove log messages for specific types of allowed traffic from the Traffic Monitor display, or to not generate log messages for reports for specific types of allowed traffic.

Example of the Logging and Notification settings for a packet filter policy that allows connections.

For proxy policies or packet filter policies that deny or reset connections through the Firebox, the administrator can only select to send log messages that appear in both Traffic Monitor and Log Manager and are also used to generate reports.


Example of the Logging and Notification settings for a proxy policy.

The Successful Company administrator can also set custom notification rules for each policy. These rules tell the Firebox which events should trigger a notification. Notifications can occur through email, a pop-up window on your management computer, or with a Simple Network Management Protocol (SNMP) trap. An SNMP trap is a notification event issued by a managed device to the network SNMP manager when a significant event occurs. For this exercise, the Successful Company administrator will edit a packet filter policy that allows connections to send log messages that can be viewed in Traffic Monitor and included in reports. Because the administrator wants to receive an email notification message, we will configure the notification settings to send a notification by email.

To enable logging in your policies:

1. Open the Firebox configuration file in Policy Manager.

2. Add or edit a packet filter policy.

3. Select the Properties tab and click Logging. The Logging and Notification dialog box appears. The options included in the dialog box will be different depending on the type of policy you selected.


4. To see log messages in Traffic Monitor and Log Manager, and to generate log messages to include in reports, select both the Send a log message and the Send a log message for reports check boxes.

5. To send email notification messages to the administrator, select the Send notification check box and select the Email option.

6. Click OK to save the logging and notification settings in the policy.

7. Click OK to save the policy changes.

8. Save the configuration to the Firebox.


Exercise 6 — Configure a WSM Report Server

Successful Company network administrators decide that, for performance reasons, they are going to install the WSM Report Server on a different computer than the management computer. In this exercise, we configure their Report Server. Before you configure the Report Server, you must run the WatchGuard Server Center Setup Wizard, which sets up the Report Server. After the Report Server is set up, you can finish your Report Server configuration in the WatchGuard Server Center.

Add a Log Server

A Report Server can consolidate data from one or more WSM Log Servers. You must add the IP address of each WSM Log Server to the Report Server configuration. On the computer where the Report Server is installed:

1. Right-click the WatchGuard Server Center icon in the system tray and select Open WatchGuard Server Center. The Connect to WatchGuard Server Center dialog box appears.

2. Type your Username and Administrator passphrase. Click Login. The WatchGuard Server Center appears.


3. In the Servers tree, select Report Server. The Report Server pages appear, with the Server Settings tab selected.

4. In the Log Server Settings section, click Add. The Add Log Server dialog box appears.

5. In the IP address text box, type the IP address of your WSM Log Server. In most training environments, this is the same IP address as your management computer.

6. In the Password text box, type myadminpassphrase. This must be the same passphrase you selected when you ran the WatchGuard Server Center Setup Wizard.

7. Click OK. The IP address of the WSM Log Server appears in the list of Log Servers. A single Report Server can consolidate data from more than one Log Server.


Select Reports and Timing

To specify which reports are generated and when they are generated, the Successful Company network administrator must create a Report Schedule and specify the reports to generate. By default, the Report Server automatically includes 50 records in each summary report. The Successful Company network administrator would prefer to include 75 records in summary reports and schedule the reports to be generated every Monday. He also has not purchased the WatchGuard Gateway AntiVirus or Intrusion Prevention Service options, so he disables those reports. Finally, the Successful Company network administrator wants to generate a PDF of the report that he can send to senior management, so he configures the Advanced Settings to generate a PDF file of the report data.

1. Select the Report Generation tab.

2. In the Number of records included in each summary report text box, type 75.

3. In the Report Schedules section, click Add. The New Schedule dialog box appears.


4. In the Schedule Name text box, type the name for this schedule. For this example, type All Devices - No GAV-IPS.

5. In the Devices list, select the check box for each Firebox to include in this report generation schedule. For this example, select the All Devices check box.

6. In the Report types list, select the check box for each report to include in this schedule. For this example, clear the Gateway AntiVirus Reports and Intrusion Prevention Service Reports check boxes.

7. In the Report Schedule section, select Run recurrently.

8. From the Run recurrently drop-down list, select Weekly.

9. From the Recur every week on drop-down list, select Monday.

10. In the Range of recurrence section, keep the default setting of No end date.

11. Select the Advanced Settings tab.


12. Select the Generate reports for external use check box.

13. Select an option to specify how reports are generated for device groups:
- One report for each device in the group
- One report with combined data for all devices in the group
For this exercise, select One report with combined data for all devices in the group.

14. Select a format: HTML or PDF. For this exercise, select PDF.

15. From the Display dates and times using drop-down list, select the time zone you want to appear in the reports: My local time zone or UTC.

16. (Optional) From the Location drop-down list, select the location where you want the report to be saved.

17. Click OK. The schedule appears in the Report Schedules list.

18. Click Apply to save your configuration changes to the Report Server.


Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. What is the default location for a WatchGuard log file?

2. True or false? The Firebox can only send log messages to one WatchGuard Log Server at a time.

3. Which logging component is responsible for sending notification email messages when an event occurs on the Firebox that triggers notification? (Select one.)
A) Firebox
B) Log Server
C) Policy Manager

4. Which of these log configuration settings are available in Policy Manager? (Select all that apply.)
A) Scheduling reports
B) Setting the maximum size for a log database file
C) Setting the log encryption key
D) Selecting a backup Log Server for log messages
E) Setting the mail host and email address for email notifications
F) Configuring email notification for denied SMTP packets

5. True or false? The Firebox can generate some log messages that are only used in reports and are not available to see in Traffic Monitor.

6. Which of these log configuration settings are available in WatchGuard Server Center in the Log Server configuration pages? (Select all that apply.)
A) Scheduling reports
B) Setting the maximum size for a log database file
C) Setting the log encryption key
D) Selecting a backup server for log message database files
E) Setting the mail host and email address for email notifications
F) Configuring email notification for denied SMTP packets

7. True or false? Log files created by a Firebox with Fireware OS are stored in a proprietary format.


8. Which tool(s) are included in the WatchGuard reporting architecture? (Select all that apply.)
A) WSM Report Server
B) Quarantine Server
C) WSM Log Server
D) Firebox
E) Active Directory Server
F) WSM Log Manager
G) WatchGuard Dimension
H) WSM Report Manager

9. Circle the WatchGuard System Manager tool you use to configure each of the following. The choices for each item are Policy Manager, Report Server, Log Server, Log Manager, and Report Manager.
- Select the Log Server used by a Firebox
- Set number of HTML records per report
- Select Log Server polled by Report Server
- Set the frequency reports are generated
- Generate a PDF of a report
- Set the date range for a report
- Select reports to run on a daily or weekly schedule

10. True or false? You can install Dimension on any Windows computer with a 64-bit OS.


ANSWERS

1. Documents and Settings\WatchGuard\logs

2. False. The Firebox can simultaneously send log messages to two WatchGuard Log Servers (WSM or Dimension), a syslog server, or the Firebox internal database.

3. B) Log Server. The Log Server sends a notification email in response to the log message it receives from the Firebox.

4. C, D, F

5. True. For traffic allowed by packet filter policies, you can configure the logging settings for the policy to only generate log messages to use in reports.

6. B, C, E

7. False. Log messages are stored in a PostgreSQL database file.

8. A, C, D, F, G, H

9. Select Log Server used by a Firebox — Policy Manager
Set number of HTML records per report — Report Server
Select Log Server polled by Report Server — Report Server
Set the frequency reports are generated — Report Server
Generate a PDF of a report — Report Server, Log Manager, and Report Manager
Set the date range for a report — Report Server, Report Manager
Select the reports to run on a daily or weekly schedule — Report Server

10. False. You install Dimension as a virtual machine on a Hyper-V or VMware platform.


Monitor Your Firewall

Monitor Activity Through Your Firebox

What You Will Learn

WatchGuard System Manager (WSM) includes several tools to monitor the health of your Firebox and network. You can also use similar tools in Fireware Web UI (such as Traffic Monitor) to monitor your Firebox. Most of the exercises included in this module will address how to monitor your Firebox with WSM tools. For more information about how to use Fireware Web UI, see Fireware Web UI, on page 467.

In this training module, you learn how to:

- Interpret the information in the Fireware Web UI and WatchGuard System Manager display
- Modify the Security Traffic display to match your network configuration
- Change Traffic Monitor settings and trace the source of a connection
- Add and remove sites from the Blocked Sites list
- Use FireWatch to monitor activity on your network
- Use Geolocation to view the source and destination countries of network traffic
- Use Mobile Security to view the status of mobile device connections
- Use Network Discovery to view your networks and devices

Before you begin these exercises, make sure you read the Course Introduction module. In this module, you will connect to one or more Fireboxes. If you take this course with a WatchGuard Certified Training Partner, your instructor will provide the IP address and passphrases for the Fireboxes used in the exercises. For self-instruction, you can safely connect to a Firebox on a production network. You will not change the configuration files of any Firebox.


Regular Monitoring Improves Security

As with any security product, regular monitoring of your firewall improves both performance and security. When you use WatchGuard System Manager (WSM) or Fireware Web UI to connect to a Firebox, you are immediately presented with key information about the health of your firewall. If you use WSM, you can also monitor the WatchGuard servers on your network. WSM is particularly useful for networks with more than one Firebox because you can see many Fireboxes at the same time and you can monitor connections between Fireboxes. With Firebox System Manager and Fireware Web UI, you can quickly scan the configuration and status of a single Firebox, see unusual activity, and take immediate action. Firebox System Manager includes nine methods to monitor your Firebox, each presented on a separate tab. Fireware Web UI includes many of the same methods and some additional methods, each on a different page in the DASHBOARD and SYSTEM STATUS sections of the Web UI. For more information about the methods and tools available to help you monitor your Firebox with Fireware Web UI, see Fireware Web UI, on page 467.

Method / Description (the table also has columns for Firebox System Manager, Fireware Web UI, and Dimension)

Front Panel: Shows the status of Firebox interfaces; includes information about active VPN tunnels and Subscription Services.

Traffic Monitor: Shows a color-coded list of the log messages from the Firebox.

Bandwidth Meter: Provides a real-time graphical display of network activities across a Firebox. If you change the view from connections to bandwidth, Firebox System Manager remembers the setting the next time you start the application.

Service Watch: Shows a graph of the policies configured on a Firebox. The Y-axis (vertical) shows the number of connections or bandwidth used per policy. The X-axis (horizontal) shows the time. To get more information about a policy at a point in time, click a location on the chart.

Status Report: Shows the technical details of the Firebox.

Authentication List: Identifies the IP addresses and user names of all the users that are authenticated to the Firebox. Includes a Summary section with the number of users authenticated for each authentication type, and the total number of authenticated users.

Blocked Sites: Shows all the sites currently blocked by the Firebox. From this page, you can remove a site from the temporary blocked sites list.

Subscription Services: Shows the status of Gateway AntiVirus, Intrusion Prevention Service, Application Control, spamBlocker, WebBlocker, Botnet Detection, APT Blocker, Geolocation, Data Loss Prevention, and Reputation Enabled Defense. From here, you can also perform a manual update of the signature databases. In FSM, this tab is active only if you have purchased these services.

Gateway Wireless Controller: Shows the connection status and activity of your WatchGuard AP devices. You can also monitor and manage the client connections to your WatchGuard AP devices.

FireWatch: Shows real-time, aggregate information about the traffic through your Firebox.

Network Discovery: Shows all the devices connected to your internal networks, in both a tree map view and a tabular list.

Mobile Security: Shows mobile devices that are connected to your network. You can see a list of connected mobile devices, see detailed information for each device, and see group information for each device. In Dimension, this is the Mobile Devices Dashboard.

Geolocation: Shows a list of countries and the source and destination traffic for each country. Blocked countries are not displayed.

Threat Map: A visual representation of the source and destination locations around the world for the traffic through your Firebox.

Executive Dashboard: See a high-level view of the traffic through the selected Firebox, cluster, or group. If your Firebox is managed by Dimension, you can also add IP addresses and domains to the Blocked Sites List from the Executive Dashboard.

Security Dashboard: See the top threats in each security area protected by your configured Subscription Services, and take action on the threats. If your Firebox is managed by Dimension, you can also add IP addresses and domains to the Blocked Sites List and to the Blocked Botnet Site Exceptions List from the Security Dashboard.

From the Firebox System Manager toolbar, you can also launch these tools to monitor your Firebox:

- Performance Console — Used to prepare graphs based on Firebox performance counters to better understand how your Firebox is functioning.
- HostWatch — Shows the network connections between the selected networks.

If any of your Subscription Services have expired, an expired service warning appears on the Front Panel tab in Firebox System Manager and on the Subscription Services page in Fireware Web UI for each expired service. The Renew Now button also appears at the top of Firebox System Manager. To renew your subscription to the expired services, you can click Renew Now. You can also choose to hide the expired service warnings. For more information, see Fireware Help.


Exercise 1 — Review Network Status in WSM

The Successful Company network administrator has now saved a basic configuration to his Firebox and has installed and configured a WSM Log Server and WSM Report Server. We can now look at this network security infrastructure with WatchGuard System Manager (WSM).

For this exercise, your instructor might have you connect to the training lab Firebox to provide more traffic for the exercises.

From the Windows desktop:

1. Select Start > All Programs > WatchGuard System Manager 11.x > WatchGuard System Manager 11.x.

2. Click the Connect To Device icon, or select File > Connect To Device.

3. Type the trusted IP address of the Firebox you want to connect to. Use your Firebox IP address, or get the IP address from your instructor.

4. In the User Name and Passphrase text boxes, type the credentials for a user account with Device Monitor privileges. The default Device Monitor user account user name is status. The Firebox appears in the WSM display.


Interpret the Device Status Display

Information about a Firebox you connect to appears in the WatchGuard System Manager Device Status tab. The information that appears includes the status, IP address, and MAC address for each Ethernet interface, and the installed certificates. It also includes the status of all virtual private network (VPN) tunnels that are configured in WSM.

Expanded information for each Firebox includes the IP address and subnet mask of each interface. It also includes:

- IP address and netmask of the default gateway (for external interfaces only).
- Media Access Control (MAC) address of the interface.
- Number of packets sent and received on each interface since the last Firebox restart.


Each Firebox can be in one of four possible operation modes. The current mode is shown by the appearance of the icon:

— Usual operation. The device is successfully sending data to WatchGuard System Manager.
— The device has a dynamic IP address and has not yet contacted the Management Server.
— WatchGuard System Manager cannot make a network connection to the device at this time.
— The device is being contacted for the first time or has not been contacted yet.

The Device Status tab also includes information on Branch Office VPN Tunnels and Mobile VPN tunnels.


Exercise 2 — Use Firebox System Manager

The Firebox System Manager Front Panel tab has a group of indicator lights in the shape of a triangle or star to show the direction and volume of the traffic between the Firebox interfaces. The points of the star and triangle show the traffic that flows through the interfaces. Each point shows incoming and outgoing connections with different arrows. When traffic flows between the two interfaces, the arrows show the direction of the traffic. In the star figure, the location where the points come together can show one of two conditions:

- Red (deny) — The Firebox denied a connection on that interface.
- Green (allow) — Traffic flows between this interface and a different interface (but not the center) on the star. When traffic flows from this interface to the center, the point between these interfaces shows as green arrows.

In the triangle, the network traffic shows in the points of the triangle. The points show only the idle and deny conditions. If you use the star figure, you can customize which interface is in the center. The default star figure shows the external interface in the center. When you put a different interface in the center, you can see all traffic between that interface and the other interfaces. All allowed and denied traffic is relative to the interface in the center of the diagram. You see no information about traffic between interfaces on the perimeter of the star. In this exercise, you start Firebox System Manager and change the status display.


Connect to a Firebox and Change the Display

1. In WatchGuard System Manager, click the Connect To Device icon to connect to your Firebox.

2. Type your Firebox trusted IP address and the user credentials for a Device Monitor user account. Click OK.

3. On the Device Status tab, select the Firebox.

4. Click the Firebox System Manager icon. Firebox System Manager appears. It contacts your device and gets data about network traffic, interface settings, and other status information.


5. As shown in the upper-left corner of the FSM window, the default mode shows the interfaces in a star shape.

6. To switch to the triangle display, click the triangle icon in the top-right corner above the star display.

7. In the star display, click the red ball adjacent to eth2. The eth2 interface moves to the center of the display. The other interfaces move in a clockwise direction.

8. Click the red ball adjacent to eth0 to move it back to the center of the display.


Use Traffic Monitor

Traffic Monitor is an application that displays a continuous list of log messages. The messages are refreshed every five seconds by default, which makes Traffic Monitor a good place to start troubleshooting problems you have with your Firebox. One unique feature of Traffic Monitor is the ability to ping or trace the source of a connection you see in the Traffic Monitor window. In this exercise, you use Traffic Monitor to trace the source of a connection through a Firebox that is accessible through the training lab.

1. Select the Traffic Monitor tab.

2. Select an entry in Traffic Monitor and right-click it.

3. In the Source IP address menu, select traceroute. This executes the tracert command against the IP address identified as the source of the packet. The Diagnostic Tasks dialog box appears with the results of the traceroute. Traceroute is a utility that traces a packet from your computer to an Internet host. This shows how many hops the packet needs to reach the host and how long each hop takes.


4. Review the result of the traceroute.

5. Click Close.

The number of hops and the response time of each hop determine how long it takes for the results to appear. The results do not appear until the trace route is complete.

Run a TCP Dump Diagnostic Task and Download a PCAP File

From Firebox System Manager, you can run a variety of diagnostic tasks. In the previous exercise, we ran a traceroute task directly from Traffic Monitor to find how many hops a packet took and how much time each hop took to reach the destination IP address. In addition to traceroute tasks, you can also run Ping, DNS Lookup, and TCP Dump tasks. When you run a task, in addition to the standard parameters for each task, you can include arguments to help refine the search results.

To help you diagnose problems with the traffic on your network, you can complete a TCP dump task and download a packet capture (PCAP) file, which includes the results of the last TCP dump task that you ran. You can then open the PCAP file in a third-party tool, such as Wireshark, and review the protocols in the PCAP file to find any issues in your network configuration. The maximum size of a PCAP file is 30 MB. If your Firebox has limited memory, the size of the PCAP file is automatically reduced to an appropriate size based on the memory available on your device. When you run the TCP dump task, you can choose to save the results on the Firebox to download later as a PCAP file, or you can save the results directly in a PCAP file.

To run a TCP dump and save the results in a PCAP file:

1. In Traffic Monitor, right-click anywhere and select Diagnostic Tasks. Or, select Tools > Diagnostic Tasks. The Diagnostic Tasks dialog box appears, with the Network tab selected.

2. From the Task drop-down list, select TCP Dump. The Interface drop-down list appears.

3. Select the Advanced Options check box.

4. In the Arguments text box, type the parameters for the search. You must include the interface to examine. For example, type -i eth0 to examine the eth0 interface. This can be a physical interface on the Firebox (such as eth0), a Link Aggregation interface (such as bond0), a wireless interface (such as ath0), or a VLAN interface (such as vlan10).

5. Select the Stream data to a file check box.
6. Click Browse to specify a location to save the PCAP file and a name for the file.
7. Click Run Task. The TCP Dump task runs. TCP dump data does not appear in the Results list.

You can also choose to run the TCP dump on the Firebox and later save the results to a PCAP file. In the Diagnostic Tasks dialog box:
1. From the Task drop-down list, select TCP Dump. The Interface drop-down list appears.

2. Select the Advanced Options check box.
3. In the Arguments text box, type the parameters for the search. You must include the interface to examine. For example, type -i eth0 to examine the eth0 interface. This can be a physical interface on the Firebox (such as eth0), a Link Aggregation interface (such as bond0), a wireless interface (such as ath0), or a VLAN interface (such as vlan10).

4. Select the Buffer data to save later check box.
5. Click Run Task.

The TCP Dump task runs and the details appear in the Results window.

6. When the TCP dump has collected enough results, click Stop Task. The TCP dump stops automatically if the file reaches either the maximum allowed size for your computer, or the amount you specified in the Arguments text box. The TCP dump task stops and the Save Pcap file button appears.

7. Click Save Pcap file and specify a file name and a location to save the PCAP file.
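The Firebox only writes the PCAP file; the review happens in a tool such as Wireshark. To show what that tool does with the file, here is an added example (not part of the guide or of WatchGuard's tools): a minimal parser for the classic pcap format that walks the records, decodes Ethernet/IPv4 headers, and tallies protocols and destination ports. The capture bytes are constructed inline with the guide's lab addresses, and the remote addresses are assumptions.

```python
import socket
import struct
from collections import Counter

# --- Constructed sample capture (not a real Firebox TCP dump) ---------------

def l4_frame(src, dst, proto, sport, dport):
    """Build an Ethernet/IPv4 frame carrying a minimal TCP (6) or UDP (17)
    header. Checksums are left zero: this is test data for the parser only."""
    if proto == 6:
        # TCP: ports, seq, ack, data offset (5 words), SYN flag, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:
        # UDP: ports, length (header only), checksum
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    total = 20 + len(l4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + l4

# (timestamp, frame) records: trusted-network clients (guide's 10.0.1.0/24)
# talking to an assumed Internet host and to the Firebox's DNS on 10.0.1.1.
FRAMES = [
    (1500000000, l4_frame("10.0.1.50", "198.51.100.7", 6, 40000, 443)),
    (1500000001, l4_frame("10.0.1.51", "198.51.100.7", 6, 40001, 443)),
    (1500000002, l4_frame("10.0.1.50", "10.0.1.1", 17, 5353, 53)),
]

def build_pcap(records, endian="<", linktype=1):
    """Serialize records in the classic pcap format (magic, version 2.4)."""
    hdr = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    body = b"".join(
        struct.pack(endian + "IIII", ts, 0, len(f), len(f)) + f for ts, f in records)
    return hdr + body

SAMPLE_PCAP = build_pcap(FRAMES)

# --- Parser ------------------------------------------------------------------

def parse_pcap(data):
    """Return [(ts_sec, frame_bytes)] for each record, honouring the byte order
    announced by the magic number and refusing truncated records."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled, got %d" % linktype)
    off, out = 24, []
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        out.append((ts_sec, frame))
    return out

def decode_frame(frame):
    """Return (proto, src, dst, sport, dport) for an IPv4 frame, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                      # not IPv4 over Ethernet
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4             # header length in bytes
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return ("tcp" if proto == 6 else "udp", src, dst, sport, dport)
    return ("ip-proto-%d" % proto, src, dst, None, None)

def summarize(data):
    """Tally (protocol, destination port) pairs: the quickest way to see which
    services the captured hosts were really talking to."""
    tally = Counter()
    for _ts, frame in parse_pcap(data):
        d = decode_frame(frame)
        if d:
            tally[(d[0], d[4])] += 1
    return tally

if __name__ == "__main__":
    for (proto, port), n in sorted(summarize(SAMPLE_PCAP).items(), key=str):
        print("%-4s dport=%-5s packets=%d" % (proto, port, n))
```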

Change Traffic Monitor Settings
You can configure Traffic Monitor to use different colors to show different types of information. In this exercise, we change the color of the source IP address for denied traffic to bright pink so that we can see it better.
1. Select File > Settings. The Settings dialog box appears.

2. Select the Traffic Denied tab.
3. From the Traffic Denied list, select source ip.
4. Click the Text Color button. The Text Color button shows the current color selected for source ip log messages.

5. Select bright pink and click OK.

The text color changes. All information for this message type now appears in the new color in Traffic Monitor. A sample of how these messages will look in Traffic Monitor appears in the Sample window at the bottom of the dialog box.

6. Click OK to close the Settings dialog box. For log messages of denied traffic, the source IP address is now a bright pink.

Check Bandwidth Usage and Service Volume
Firebox System Manager also has a way for you to quickly check your firewall bandwidth usage and the volume of traffic for your primary proxies.
1. Select the Bandwidth Meter tab. The list of Firebox interfaces appears on the left. Each interface is a different color. The central panel shows the relative volume of traffic through each interface.

2. Select the Service Watch tab. On the left is a list of policies configured for your Firebox. Each interface is a different color to identify them. The central panel shows the relative volume of traffic examined by each proxy policy.

When you connect to a training lab Firebox, you might not see lines form in these tabs. This is because your training Firebox is passing only a small amount of traffic.

Exercise 3 — Use the Blocked Sites List
The Blocked Sites list shows all the sites currently blocked as a result of the rules defined in your Firebox configuration. On the Blocked Sites tab, you can add sites to the list, or remove blocked sites. In this exercise, you remove a blocked site, then add a site to the list.
1. Select the Blocked Sites tab.

2. From the Blocked IP list, select the IP address you just blocked. Click Delete in the lower-right corner. The Delete Site(s) dialog box appears.

3. Click Yes and type the credentials for a user account with Device Administrator privileges. Click OK.
4. To add a site, click Add at the bottom of the dialog box. The Add Temporary Blocked Site dialog box appears.

5. Add the site 10.1.1.1 and block it for 24 hours. The site appears on the Blocked Sites list.

Exercise 4 — Use FireWatch
The FireWatch Dashboard page provides real-time, aggregate information about the traffic through your Firebox. You can use FireWatch to see:
- Who uses the most bandwidth on your network
- Which is the most popular site that users visit
- Which sites use the most bandwidth
- Which applications use the most bandwidth
- Which sites a particular user has visited
- Which applications are most used by a particular user

In this exercise, you use FireWatch to monitor activity on your Firebox.
1. To connect to Fireware Web UI for your Firebox, open a web browser and type https://<IP address>:8080, and specify your credentials. Make sure to replace <IP address> with the IP address assigned to the trusted or optional interface of your Firebox.

2. Select Dashboard > FireWatch. The FireWatch page appears.

The FireWatch page is separated into tabs of data. Each tab presents the data in a treemap visualization. The treemap proportionally sizes blocks in the display to represent the data for that tab. The largest blocks on the tab represent the largest data users. The data is sorted by the tab you select and the type you select from the dropdown list at the top right of the page. On the Source tab, each block has the IP address of the source. If your computer is the only computer connected to the Firebox, the Source tab shows one large block.

3. On the Source tab, move the mouse over the IP address in a block. A dialog box with summary information about traffic from that source appears.

4. Click View connections. A list of connections that originate from that IP address appears.

5. Click Close.
6. On the Source tab, move the mouse over an IP address in a block. A dialog box with summary information about traffic from that source appears.

7. Click Filter. The Source tab disappears, and all other tabs show data only from the selected source. The current filter appears at the top of the page.

8. To remove the current filter, click FireWatch in the breadcrumbs at the top of the page. The Source tab reappears, and the data is no longer filtered by that source.

9. Select each of the other tabs to view traffic data by destination, application, policy, or interface.
10. Use a web browser to connect to different sites, and watch how the treemap view updates.
11. From the drop-down list at the top-right of the page, select an option to pivot the data on, and change the information that appears on the page.

Exercise 5 — Use Geolocation
The Geolocation dashboard page provides information about the source and destination locations of connections allowed through the Firebox. You can use Geolocation to:
- View top countries by source and destination of traffic
- See a list of connections from a specific country
- Look up specific IP addresses to find out their geographic location

In this exercise, you use Geolocation to see the source and destination of traffic to and from your Firebox. 1. To enable Geolocation, from Fireware Web UI, select Subscription Services > Geolocation.

2. Select the Enable Geolocation check box, then click Save.
3. Select Dashboard > Geolocation. The Geolocation page appears.

4. Select the Map tab.

The country color indicates the number of connections:
- Dark green — Highest
- Light green — Lower
- Yellow — Lowest

5. Select the Country List tab. This page shows connection details by country, ranked by the number of hits.

6. From the Map tab or Country List tab, select a country. For example, select USA. The country details appear, and include all incoming and outgoing connections, and the connection details.

7. Select the Lookup tab.
8. Type an IP address and click Look Up. For example, type the destination IP address from the connection in the USA country details page. The geolocation details of the IP address are displayed.

Exercise 6 — Use Mobile Security
When Mobile Security is enabled, from the Mobile Security Dashboard page you can monitor the mobile devices that are connected to your network. You can use Mobile Security to:
- See a list of connected mobile devices
- See detailed information for each device
- See group information for each device
- View connections for the mobile device in FireWatch
- See traffic from the mobile device in Traffic Monitor

In this exercise, you use Mobile Security to view details of a mobile device.
1. To enable Mobile Security, from Fireware Web UI, select Subscription Services > Mobile Security.

2. Select the Enable Mobile Security check box and click Save.
3. Select Dashboard > Mobile Security.


4. Click a mobile device. The details page for that device appears.

5. To see connection details for a mobile device, at the top of the page, click FireWatch. The FireWatch page appears with the connection information for the selected mobile device.

6. To see the traffic generated by the mobile device, at the top of the page, click Traffic Monitor. The Traffic Monitor page appears with the traffic log messages for the mobile device.

Exercise 7 — Use Network Discovery
From the Network Discovery Dashboard page you can see a visual map of your networks and connected devices, and view device details. In this exercise, you use Network Discovery to view details of a device on your network.
1. To enable Network Discovery, from Fireware Web UI, select Subscription Services > Network Discovery.

2. Select the Enable Network Discovery check box.
3. In the Interfaces to Scan section, select the network interfaces on your Firebox that you want to scan. You can also enable a scheduled scan.

4. Click Save to save your settings.
5. Click Scan Now to start a scan.
6. Select Dashboard > Network Discovery. The Network Discovery Dashboard page appears, with a tree map view of your network organized by interface.


7. To see devices connected to the network, click a network subnet.

8. To see the details for a specific device, click the device.


9. To see a list of all of the devices connected to your network, select the Device List tab.

Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.
1. True or false? You can view the OS version of connected devices on the Network Discovery page.
2. Which of the following monitoring tools can be viewed directly in a Firebox System Manager tab? (Select all that apply.)
   A) CA Manager
   B) Bandwidth Meter
   C) FireWatch
   D) Policy Manager
   E) Traffic Monitor
3. True or false? A PCAP file includes packet information about the protocols that manage traffic on your network.
4. True or false? You can save a PCAP file and open it later in Traffic Monitor.
5. True or false? You can add a site to the Blocked Sites list from Traffic Monitor.
6. True or false? The Geolocation Dashboard map shows countries that you have blocked.
7. Match the correct monitoring tool to each task:
   1) Service Watch
   2) HostWatch
   3) FireWatch
   4) Subscription Services
   5) Traffic Monitor
   6) Blocked Sites List
   7) Network Discovery
   8) Geolocation
   9) Mobile Security

   a. Ping the source of a denied packet
   b. Show real-time information about the traffic through your Firebox
   c. View the details of an Android smart phone connected to your network
   d. Add an IP address for the Firebox to block all traffic
   e. See which country is the top destination for traffic from your Firebox
   f. See the volume of traffic generated by each proxy policy
   g. View a list of users connected through the Firebox
   h. Learn the status of your IPS signature database
   i. View a tree map of your networks and devices

ANSWERS
1. True
2. B and E
3. True
4. False. You can save a PCAP file and open it in a third-party tool, such as Wireshark.
5. True
6. False
7. 1) f, 2) g, 3) b, 4) h, 5) a, 6) d, 7) i, 8) e, 9) c


NAT Use Network Address Translation

What You Will Learn
As with many routing devices, your Firebox can use network address translation (NAT) to conceal the IP address space of your network. In this training module, you learn how to:
- Learn the forms of NAT available with the Firebox
- Add more IP addresses to which the device will apply dynamic NAT
- Use static NAT to protect public servers
Before you begin these exercises, make sure you read the Course Introduction module.


NAT Overview NAT is an important tool for today’s network administrators. Fireware gives you great flexibility for controlling when and how NAT is applied. When a computer sends traffic through a Firebox interface and the traffic flow matches a NAT rule, the device changes the IP address to an assigned value before the traffic reaches its destination. When the Firebox sees the response, it restores the original IP address to send the response to the computer that made the request.

Static NAT for traffic from the optional network requires Fireware v11.8.1 or higher.

In general, these rules can help you understand the different types of NAT:
- Dynamic NAT is used for traffic that goes out to the Internet from behind the Firebox.
- Static NAT is used for traffic that comes in to your network from the Internet, or for traffic from the optional network to the trusted network.
- 1-to-1 NAT is used for traffic in both directions.

Dynamic NAT When dynamic NAT is enabled, your Firebox changes the source IP address of each outgoing connection to match the IP address of the device interface that the connection goes out through. For traffic that goes to an external network, packets go out through the device external interface, so dynamic NAT changes the source IP address to the device external interface IP address. The Firebox tracks the private source IP address and destination address, as well as other IP header information such as source and destination ports, and protocol.

Dynamic NAT is normally applied to connections that start from behind the device. When dynamic NAT is applied to a packet, Fireware tries to always keep the same source port that the requesting client used. The source port is changed only if necessary, for example, if two internal clients use the same source port to access the same web server. However, the source IP address is always changed when dynamic NAT is applied. When the response returns to the same device interface from which the original connection exited, the firewall examines its connection state table and finds the original source IP address. It reverses the NAT process to send the packet to the correct host.

Dynamic NAT is also known as IP masquerading.

With Fireware, dynamic NAT is enabled by default in the NAT Setup dialog box. By default, dynamic NAT is applied to any connection that starts from one of the three reserved private address ranges and goes to an external network. To see the default dynamic NAT rules in Policy Manager, select Network > NAT.

Dynamic NAT is also enabled by default in each policy you create. You can override the global dynamic NAT settings in your individual policies.

About Dynamic NAT Source IP Addresses
In the default dynamic NAT configuration, the Firebox changes the source IP address for traffic that goes out an external interface to the primary IP address of the external interface the traffic leaves. You can optionally configure dynamic NAT to use a different source IP address. You can set the dynamic NAT source IP address in a network NAT rule or in the NAT settings for a policy. When you select a source IP address, dynamic NAT uses the specified source IP address for any traffic that matches the dynamic NAT rule or policy.

Set the Dynamic NAT Source IP Address in a Network Dynamic NAT Rule
If you want to set the source IP address for traffic that matches a dynamic NAT rule, regardless of any policies that apply to the traffic, select Network > NAT, and add a network dynamic NAT rule that specifies the source IP address. The source IP address you specify must be on the same subnet as the primary or secondary IP address of the interface the traffic leaves.
Set the Dynamic NAT Source IP Address in a Policy
If you want to set the source IP address for traffic handled by a specific policy, configure the source IP address in the network settings of the policy. The source IP address you specify must be on the same subnet as the primary or secondary IP address of the interface you specified for outgoing traffic in the policy. Whether you specify the source IP address in a network dynamic NAT rule or in a policy, it is important that the source IP address is on the same subnet as the primary or secondary IP address of the interface from which the traffic is sent. It is also important to make sure that the traffic the rule applies to goes out through only one interface.

1-to-1 NAT
When you enable 1-to-1 NAT, the Firebox changes and routes all incoming and outgoing packets sent from one range of addresses to a different range of addresses. Consider a situation in which you have a group of internal servers with private IP addresses that must each show a different public IP address to the outside world. You can use 1-to-1 NAT to map public IP addresses to the internal servers, and you do not need to change the IP addresses of your internal servers. To understand how to configure 1-to-1 NAT, we give this example: Successful Company has a group of three privately addressed servers behind the Optional interface of their Firebox. These addresses are:
10.0.2.11
10.0.2.12
10.0.2.13
The Successful Company administrator selects three public IP addresses from the same network address as the external interface of their device, and creates DNS records for the servers to resolve to. These addresses are:
203.0.113.11
203.0.113.12
203.0.113.13
Now the Successful Company administrator configures a 1-to-1 NAT rule for his servers. The 1-to-1 NAT rule builds a static, bidirectional relationship between the corresponding pairs of IP addresses. The relationship looks like this:
10.0.2.11 <-> 203.0.113.11
10.0.2.12 <-> 203.0.113.12
10.0.2.13 <-> 203.0.113.13
When the 1-to-1 NAT rule is applied, the device creates the bidirectional routing and NAT relationship between the pool of private IP addresses and the pool of public addresses.


To connect to a computer located on a different device interface that uses 1-to-1 NAT, you must use the private (NAT base) IP address for that computer. If you have problems with this method, you can disable 1-to-1 NAT and use Static NAT.

Define a 1-to-1 NAT rule
In each 1-to-1 NAT rule, you can configure a host, a range of hosts, or a subnet. A 1-to-1 NAT rule always has precedence over dynamic NAT. In each rule, you specify:
Interface
The name of the device Ethernet interface on which 1-to-1 NAT is applied. The device will apply 1-to-1 NAT for packets sent in to, and out of, the interface. In our example above, the rule is applied to the external interface.
Real base
The IP address assigned to the physical Ethernet interface of the computer to which you will apply the 1-to-1 NAT policy. When packets from a computer with a real base address go through the interface specified, the 1-to-1 action is applied. In our example above, the real base is 10.0.2.11.
NAT base
The IP address that the real base IP address changes to when 1-to-1 NAT is applied. In our example above, the NAT base is 203.0.113.11.
Number of hosts to NAT (for ranges only)
The number of IP addresses in a range to which the 1-to-1 NAT rule applies. The first real base IP address is translated to the first NAT base IP address when 1-to-1 NAT is applied. The second real base IP address in the range is translated to the second NAT base IP address when 1-to-1 NAT is applied. This is repeated until the Number of hosts to NAT is reached. In our example above, the number of hosts to apply NAT to is three.

Policy-based NAT
With policy-based dynamic NAT, you can make an exception to the global NAT rules (the rules at Network > NAT in Policy Manager). Normally, the Firebox or XTM device uses the primary IP address of the Outgoing interface when it applies dynamic NAT to outgoing packets handled by a policy. Each policy has dynamic NAT enabled by default. You can disable dynamic NAT for all traffic handled by a policy, or you can configure the device to use a different IP address for dynamic NAT handled by the policy.

Both dynamic NAT and 1-to-1 NAT can also be controlled at the policy level. If traffic matches both 1-to-1 NAT and dynamic NAT policies, the 1-to-1 NAT policy takes precedence.

To see the NAT settings for any policy:
1. Double-click a policy.
2. Select the Advanced tab.
With these policy-based NAT settings, the global rules can be changed for traffic handled by an individual policy. To change the dynamic NAT configuration in a policy:
1. Double-click a policy.
2. Select the Advanced tab.
3. Select the Dynamic NAT check box.
4. To use the global dynamic NAT rules set for the device, select Use Network NAT Settings.
5. To apply dynamic NAT to all traffic handled by this policy, select All traffic in this policy. This setting applies even if the source and destination IP addresses of the traffic flow do not match the source and destination ranges for any rule on the Dynamic NAT tab in Policy Manager (Network > NAT, the global dynamic NAT rules).
6. If you select All traffic in this policy, you can also select the Set source IP check box to set a different source IP address for traffic handled by this policy when dynamic NAT is applied. This makes sure that any traffic handled by this policy shows a specified address from your public or external IP address range as the source. A common reason to do this is to force outgoing SMTP traffic to show the MX record address for your domain when the IP address on the external interface for the device is not the same as your MX record IP address.

If you have more than one external interface configured on your device, we recommend that you do not select Set source IP. If you select this option, you must add the specified IP address as a secondary IP address to the interface that the traffic goes out through.

Policy-based 1-to-1 NAT
With this type of NAT, the Firebox uses the private and public IP address ranges that you set when you configured Global 1-to-1 NAT, but you can enable or disable the rules for each individual policy. 1-to-1 NAT is enabled in the default configuration of each policy. If traffic matches both 1-to-1 NAT and dynamic NAT policies, the 1-to-1 NAT policy takes precedence.

Static NAT
Static NAT, also known as port forwarding, allows inbound connections on specific ports to one or more public servers from a single external IP address. The Firebox changes the destination IP address of the packets and forwards them based on the original destination port number. You can also translate the original destination port to an alternative port on which the server is listening. Static NAT is typically used for public services such as websites and email. For example, you can use Static NAT to designate a specific internal server to receive all email. Then, when someone sends email to the device’s external IP address, the device can forward the connection to the private IP address of the designated email (SMTP) server.

About Static NAT Source IP Addresses
By default, a static NAT rule does not change the source IP address for inbound traffic. If you want to make the incoming traffic appear to come from a different source IP address, you can set the source IP address for each member of a static NAT action.

About SNAT Actions When you configure static NAT, the static NAT configuration is saved in an SNAT action. You can create or edit an SNAT action when you create or edit a policy. Or you can select Setup > Actions > SNAT to add, edit or delete SNAT actions. After you have created an SNAT action, you can use the same action in one or more policies.

Server Load Balancing requires Fireware with a Pro upgrade, and is not supported on Firebox T10 or XTM 2 Series and 3 Series devices.

There are two types of SNAT actions:
Static NAT
A static NAT action forwards inbound traffic addressed to one IP address to a different IP address and port behind the firewall.
Server Load Balancing
A server load balancing SNAT action forwards inbound traffic addressed to one IP address to one of several servers behind the firewall. In the SNAT action you select the load balancing algorithm to use and you can optionally assign different weights to each server.
To use static NAT, you add a static NAT action to the To section of the policy that handles each type of inbound traffic. To implement static NAT for the diagram above, you would add a different static NAT action to the FTP, SMTP, and HTTP policies that handle the inbound traffic to each of the three servers.

NAT Loopback
NAT loopback allows a user on the Trusted or Optional networks to use the public IP address or domain name to get access to a public server that is on the same physical device interface. For example, you could use NAT loopback if you have an internal Web server and you want to allow users on the same network segment to access the Web server by its public domain name or IP address. There are no configuration settings in the user interface to enable NAT loopback, however, you must create a policy in your configuration to allow the traffic. The From section of the policy must list the Trusted or Optional networks from which access is allowed. The To section of the policy must contain a static NAT entry for each server to allow access with NAT loopback.
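The NAT behavior this module describes (the default dynamic NAT entries applied in list order, source ports kept unless two clients collide, 1-to-1 NAT taking precedence and mapping a range from a real base to a NAT base, static NAT rewriting the inbound destination, and the connection state table reversing the translation on the reply) as an added Python model. This is example code written for this guide, not Fireware's implementation; the address ranges are the guide's Successful Company lab, while the interface names and gateway addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed lab topology: the ranges are the guide's Successful Company
# example; the interface names and the .1 gateway addresses are assumptions.
INTERFACES = {
    "eth0": ("203.0.113.1/24", "external"),
    "eth1": ("10.0.1.1/24", "trusted"),
    "eth2": ("10.0.2.1/24", "optional"),
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

class Firebox:
    """Toy model of the NAT ordering in the guide: 1-to-1 NAT beats dynamic NAT,
    dynamic NAT rules apply in list order, static NAT rewrites inbound destinations."""

    def __init__(self):
        self.ifaces = {n: (ipaddress.ip_interface(a), z) for n, (a, z) in INTERFACES.items()}
        # Default dynamic NAT entries: the three IETF private ranges -> Any-External.
        self.dynamic = [(ipaddress.ip_network(n), "Any-External")
                        for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
        self.one_to_one = []   # (interface, real_base, nat_base, number_of_hosts)
        self.snat = []         # (external_ip, internal_ip, port, internal_port)
        self.state = {}        # (nat_src, nat_sport, dst, dport, proto) -> (orig_src, orig_sport)

    def add_one_to_one(self, iface, real_base, nat_base, hosts=1):
        self.one_to_one.append((iface, ipaddress.ip_address(real_base),
                                ipaddress.ip_address(nat_base), hosts))

    def add_static_nat(self, external_ip, internal_ip, port, internal_port=None):
        self.snat.append((external_ip, internal_ip, port, internal_port or port))

    def outgoing_iface(self, dst):
        """A directly connected network wins; everything else leaves via external."""
        d = ipaddress.ip_address(dst)
        for name, (ifa, _zone) in self.ifaces.items():
            if d in ifa.network:
                return name
        return next(n for n, (_, z) in self.ifaces.items() if z == "external")

    def outbound(self, pkt):
        """Connection started behind the Firebox: 1-to-1 NAT first, else dynamic NAT."""
        out = self.outgoing_iface(pkt.dst)
        src = ipaddress.ip_address(pkt.src)
        for iface, real, nat, hosts in self.one_to_one:
            offset = int(src) - int(real)          # position inside the real-base range
            if iface == out and 0 <= offset < hosts:
                return self._record(pkt, str(nat + offset), pkt.sport)
        for net, to in self.dynamic:
            if src in net and to == "Any-External" and self.ifaces[out][1] == "external":
                nat_ip = str(self.ifaces[out][0].ip)   # primary IP of the outgoing interface
                return self._record(pkt, nat_ip, self._source_port(nat_ip, pkt))
        return pkt   # no rule matched (e.g. trusted -> optional): source unchanged

    def _source_port(self, nat_ip, pkt):
        """Keep the client's source port unless another client already uses it
        for the same destination; only then pick a different one."""
        sport = pkt.sport
        while self.state.get((nat_ip, sport, pkt.dst, pkt.dport, pkt.proto),
                             (pkt.src, pkt.sport)) != (pkt.src, pkt.sport):
            sport += 1
        return sport

    def _record(self, pkt, new_src, new_sport):
        self.state[(new_src, new_sport, pkt.dst, pkt.dport, pkt.proto)] = (pkt.src, pkt.sport)
        return replace(pkt, src=new_src, sport=new_sport)

    def reply(self, pkt):
        """Response to a NATed connection: consult the state table and undo NAT."""
        orig = self.state.get((pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto))
        if orig is None:
            return None          # no matching connection: nothing to deliver to
        return replace(pkt, dst=orig[0], dport=orig[1])

    def inbound(self, pkt, iface="eth0"):
        """New connection from outside: a 1-to-1 NAT base maps back to its real base;
        otherwise a static NAT (port forwarding) entry must match, or it is dropped."""
        dst = ipaddress.ip_address(pkt.dst)
        for rule_iface, real, nat, hosts in self.one_to_one:
            offset = int(dst) - int(nat)
            if rule_iface == iface and 0 <= offset < hosts:
                return replace(pkt, dst=str(real + offset))
        for ext, internal, port, iport in self.snat:
            if pkt.dst == ext and pkt.dport == port:
                return replace(pkt, dst=internal, dport=iport)
        return None
```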

Exercise 1 — Add Firewall Dynamic NAT Entries
The default configuration of dynamic NAT enables dynamic NAT for traffic that comes from any private IP address and goes to any external network. The default entries are:
- 192.168.0.0/16 — Any-External
- 172.16.0.0/12 — Any-External
- 10.0.0.0/8 — Any-External

These three network addresses are the private networks reserved by the Internet Engineering Task Force (IETF) and are typically used for the IP addresses on private LANs. To enable dynamic NAT for other traffic flows, you must add an entry for them. For example, you could add a dynamic NAT rule for traffic that comes from a trusted network and goes to an optional network. In that case, all traffic sent from the trusted network and going to the optional network would appear to come from the Optional interface IP address, because the Optional interface is the outgoing interface for that traffic. The Firebox or XTM device applies the dynamic NAT rules in the sequence that they appear in the Dynamic NAT Entries list. In this exercise, we use Policy Manager to configure the Successful Company Firebox to use dynamic NAT for traffic coming from only their trusted network and going to any external network.
1. Select Network > NAT. The NAT Setup dialog box appears.

2. On the Dynamic NAT tab, select the 10.0.0.0/8 - Any-External dynamic NAT rule.
3. Click Remove. A warning message appears.

4. Click Yes.
5. Click Add. The Add Dynamic NAT dialog box appears.

6. In the From text box, type 10.0.1.0/24. The From field defines the source of the IP packets. In this exercise, the 10.0.1.0/24 network is the Successful Company trusted network on interface #1. We have reduced the range of addresses from the larger 10.0.0.0/8 to only those addresses that are actually in the Successful Company network.

7. From the To drop-down list, select Any-External. This sets the Firebox or XTM device to dynamically NAT all traffic coming from the trusted network and going to any external network.

8. Click OK. The new entry appears in the Dynamic NAT list.

9. Click OK.

Exercise 2 — Configure Static NAT to Allow Access to Public Servers
In this exercise, you use Policy Manager to configure the Successful Company Firebox to use Static NAT for their SMTP server.

In this example, we create the SNAT action from within the policy. We could also have created the SNAT action before we created the policy. To create or edit SNAT actions from outside the policy, select Setup > Actions > SNAT. After you configure an SNAT action, you can select the SNAT action from the Add SNAT page in the policy.

To configure the device to use static NAT for the SMTP server:
1. Click the Add Policy icon, or select Edit > Add Policy.
2. Expand the Proxies list and select SMTP-proxy. Click Add. The New Policy Properties dialog box appears.

3. In the To section, click Add. The Add Address dialog box appears.

4. Click Add SNAT. The SNAT dialog box appears.

5. Click Add. The Add SNAT dialog box appears.

6. In the SNAT Name text box, you can edit the name for this SNAT action. For example, change the name to SMTP-SNAT.

7. Click Add. The Add Static NAT dialog box appears.

8. Make sure the External/Optional IP Address text box includes the external interface IP address or name.
9. In the Internal IP Address text box, type 10.0.2.25. This is the private IP address of the SMTP server located on the optional network.

10. (Optional) To change the packet destination to a specified internal host and to a different port, select the Set internal port to a different port check box.
11. Click OK to close the Add Static NAT dialog box. The static NAT mapping is added to the SNAT Members list for this SNAT action.

12. Click OK to close the Add SNAT dialog box.

13. Click OK to close the SNAT dialog box. The selected SNAT action is added to the Selected Members and Addresses list.

14. Click OK twice to close the Add Address menu and the New Policy Properties dialog box.
15. Click Close in the Add Policies dialog box. The SMTP-proxy policy appears in the policy list. The Internal IP address you selected appears in the range in the To column.

If you have set Policy Manager to use Manual-order mode, toggle the precedence back to Auto-order mode.
1. Select View > Auto-Order Mode.
2. Click Yes.


Exercise 3 — Configure NAT Loopback to an Internal Web Server

In this exercise, you use Policy Manager to configure a policy that allows users on the trusted network to get access to a web server on the trusted or optional network by its public domain name or public IP address. You can create a separate policy for NAT loopback, or you can edit the policy that enables static NAT to the web server to allow NAT loopback.

1. Click the Add Policy icon, or select Edit > Add Policy.
2. Expand the Proxies list and select HTTP-proxy. Click Add. The New Policy Properties dialog box appears.
3. In the To list, select Any-External. Click Remove.
4. In the To section, click Add. The Add Address dialog box appears.
5. Click Add SNAT. The SNAT dialog box appears.
6. Click Add. The Add SNAT dialog box appears.
7. In the SNAT Name text box, you can edit the name for this SNAT action. For example, change the name to NAT-Loopback.
8. Click Add. The Add Static NAT dialog box appears.
9. Make sure the External IP Address text box includes the external interface IP address or name.
10. In the Internal IP Address text box, type 10.0.2.30. This is the private IP address of the HTTP server located on the optional network.
11. Click OK to close the Add Static NAT dialog box. The static NAT mapping is added to the SNAT Members list for this SNAT action.


12. Click OK to close the Add SNAT dialog box. The new SNAT action is automatically selected in the list of configured SNAT actions.
13. Click OK to close the SNAT dialog box. The selected SNAT action is added to the Selected Members and Addresses list.
14. Click OK to close the Add Address dialog box.
15. Click OK to close the New Policy Properties dialog box.
16. Click Close in the Add Policies dialog box. The HTTP-proxy policy appears in the policy list. The internal IP address you selected appears in the range in the To column.
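As an added illustration (not code from this guide or from WatchGuard), the following Python model shows what the two SNAT actions built in Exercises 2 and 3 do to a packet: the policy's port selects the SNAT action, the member rewrites the destination to the internal server, the optional internal-port override changes the port, and in the loopback case a client on the server's own network also gets its source rewritten so that the server's reply returns through the Firebox. The external address 203.0.113.2 and the interface layout are assumptions; the server addresses 10.0.2.25 and 10.0.2.30 are the exercise values.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed training-network layout (not stated in the guide): external interface
# 203.0.113.2; trusted 10.0.1.0/24 behind Firebox address 10.0.1.1; optional
# 10.0.2.0/24 behind Firebox address 10.0.2.1. The servers 10.0.2.25 (SMTP)
# and 10.0.2.30 (HTTP) are the exercise values.
EXTERNAL_IP = "203.0.113.2"
INTERFACES = {
    "Trusted": (ip_network("10.0.1.0/24"), "10.0.1.1"),
    "Optional": (ip_network("10.0.2.0/24"), "10.0.2.1"),
}


@dataclass(frozen=True)
class StaticNatMember:
    """One row of an SNAT action's SNAT Members list."""
    external_ip: str
    internal_ip: str
    internal_port: Optional[int] = None  # set only when "Set internal port to a different port" is checked


@dataclass(frozen=True)
class Policy:
    name: str
    ports: frozenset                    # destination ports the policy handles
    snat: Tuple[StaticNatMember, ...]   # SNAT action chosen in the policy's To list


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


def interface_of(ip: str) -> str:
    """Firebox interface an address sits behind; "External" if it is not internal."""
    addr = ip_address(ip)
    for name, (net, _firebox_addr) in INTERFACES.items():
        if addr in net:
            return name
    return "External"


def translate(policies, pkt: Packet):
    """Rewrite pkt with the first policy whose port and SNAT member match it.

    Returns (policy name, rewritten packet), or (None, pkt) when no SNAT member
    applies, in which case later evaluation treats the packet as unhandled.
    """
    for pol in policies:
        if pkt.dst_port not in pol.ports:
            continue
        for member in pol.snat:
            if pkt.dst_ip != member.external_ip:
                continue
            port = pkt.dst_port if member.internal_port is None else member.internal_port
            out = replace(pkt, dst_ip=member.internal_ip, dst_port=port)
            # NAT loopback: the client reached the public address from the
            # server's own network. Besides the destination rewrite, the source
            # becomes the Firebox address on that network so the server's reply
            # returns through the Firebox instead of going straight to a client
            # that expects an answer from the public IP. This is standard hairpin
            # behaviour; the exact source address Fireware picks is an assumption.
            dst_if = interface_of(member.internal_ip)
            if dst_if != "External" and interface_of(pkt.src_ip) == dst_if:
                out = replace(out, src_ip=INTERFACES[dst_if][1])
            return pol.name, out
    return None, pkt


# The two policies from the exercises, plus an assumed variant of SMTP-SNAT that
# uses the internal-port override of step 10 (public 8025 -> internal 25).
POLICIES = (
    Policy("SMTP-proxy", frozenset({25}), (StaticNatMember(EXTERNAL_IP, "10.0.2.25"),)),
    Policy("HTTP-proxy", frozenset({80}), (StaticNatMember(EXTERNAL_IP, "10.0.2.30"),)),
    Policy("SMTP-alt", frozenset({8025}), (StaticNatMember(EXTERNAL_IP, "10.0.2.25", internal_port=25),)),
)

if __name__ == "__main__":
    for p in (Packet("198.51.100.7", EXTERNAL_IP, 25),   # Internet -> SMTP server
              Packet("10.0.1.50", EXTERNAL_IP, 80),      # trusted client -> public web address
              Packet("10.0.2.40", EXTERNAL_IP, 80),      # optional client on the server's network
              Packet("198.51.100.7", EXTERNAL_IP, 22)):  # no policy handles port 22
        print(p, "->", translate(POLICIES, p))
```

The trusted-client case gets only a destination rewrite: the reply from 10.0.2.30 to 10.0.1.50 already has to cross the Firebox, so no source rewrite is needed. Only the optional-client case, where source and server share an interface, needs the hairpin source rewrite.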


Other Reasons to Use NAT

When you create a branch office VPN tunnel between two networks that use the same private IP address range, an IP address conflict occurs. To prevent this, both networks must apply 1-to-1 NAT to the VPN. This makes the IP addresses on your computers appear to be different from their true IP addresses when traffic goes through the VPN. You would also use 1-to-1 NAT through a VPN if the network to which you want to make a VPN already has a VPN to a network that uses the same private IP addresses you use.


Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. Fill in the blank: __________________ NAT conserves IP addresses and hides the internal topology of your network.
2. Fill in the blank: __________________ NAT is often used for policies that require more than one port or port numbers that change dynamically, such as for many messaging and video conferencing applications.
3. Fill in the blank: NAT ___________________ allows a user on the trusted or optional networks to get access to a public server that is on the same physical XTM device interface by its public IP address or domain name.
4. Complete the missing entries. The default dynamic NAT entries in Policy Manager are:
   ___________/____   Any-External
   172.16.0.0/12      ___________
   ___________/____   Any-External
5. Static NAT for a policy is also known as (select all that apply):
   A) IP masquerading
   B) Port forwarding
   C) Tunnel swapping
   D) Quality of Service
   E) All the above
6. True or false? Dynamic NAT rewrites the source IP address of packets to use the IP addresses of the outgoing interface.


ANSWERS

1. Dynamic
2. 1-to-1
3. Loopback
4. 192.168.0.0/16 Any-External; 172.16.0.0/12 Any-External; 10.0.0.0/8 Any-External
5. B
6. True


Threat Protection
Defend Your Network From Intruders

What You Will Learn

Firewalls provide both signature-based and default threat protection measures. In this training module, you learn how to:

- Understand the different types of intrusion protection available for the Firebox
- Configure default packet handling options to stop many common attacks
- Block IP addresses and ports used by hackers to attack your network
- Automatically block IP addresses that send suspicious traffic
- Automatically block connections to or from IP addresses in specific geographical regions

Before you begin these exercises, make sure you read the Course Introduction module.

Default Threat Protection Measures Block Intruders

You can use Policy Manager to configure your Firebox to have strict control over access to your network. While a detailed access policy helps to keep hackers out of your network, it cannot defeat some other types of attacks. An Intrusion Prevention Service (IPS) detects attacks from hackers. You can use your Firebox as an IPS device to detect and prevent attacks automatically. There are two categories of IPS defenses:


Firewall-based IPS

With this type of IPS defense, the Firebox combines protocol anomaly detection with traffic pattern analysis to proactively block many common attacks.

Protocol anomaly detection is the examination of a packet for compliance with RFC guidelines. Attackers can craft packets that deviate from RFC standards in ways that allow them to bypass standard packet filters and get access to your network. If you block non-compliant packets, you also block the attack. This allows your Firebox to proactively protect you against attacks that are as yet unknown.

Traffic pattern analysis examines a series of packets over time and matches them against known patterns of attack. For example, when an attacker launches a port space probe, they send packets to each port number in turn until they identify which ports your firewall allows. If you can identify this pattern, you can block the source of the probe.

A firewall-based IPS can also protect your network from a zero-day threat. In other words, before the network security community is even aware that the vulnerability exists, broad categories of attack types are automatically identified and blocked by a strong firewall-based IPS.

Signature-based IPS

You can configure this type of IPS defense (such as the Intrusion Prevention Service) to compare the contents of packets against a database of character strings that are known to appear in attacks. Each unique character string is called a signature. When there is a match, the Firebox can block the traffic and notify the network administrator. To remain protected, you must regularly update the signature database. Signature-based approaches use less processing time than firewall-based IPS options; however, to keep them current, the database must be updated regularly. As a result, signature-based IPS is good for maintaining efficient, high-performance protection, while firewall-based IPS catches the zero-day threats.

The rest of this training module focuses on the available firewall-based IPS options. For more information on signature-based options, see Signature Services and APT Blocker.

Use Default Packet Handling Options

Default packet handling is a set of pattern analysis rules that help protect your Firebox from attacks, and that tell the Firebox how to process packets when no other rules are specified. With default packet handling, a firewall examines the source and destination of each packet it receives. The firewall looks at the IP address and port number and monitors the packets for patterns that show your network is at risk. If there is a risk and the device is properly configured, it automatically blocks the possible attack.

The default packet handling options related to IPSec, IKE, ICMP, SYN, and UDP flood attacks apply to both IPv4 and IPv6 traffic. All oth er options apply only to IPv4 traffic.


The default configuration of the default packet handling options stops attacks such as SYN flood attacks, spoofing attacks, and port scans or IP address scans. We do not recommend that you change the default packet handling settings in your Firebox configuration file. The default settings are carefully chosen to maximize security. If a particular setting interferes with the function of your network, or you want a more stringent defense, like that available with the Block source of packets not handled option, you can change your device packet handling settings.

Default packet handling:

- Rejects packets that could be used to get information about your network
- Automatically blocks all traffic to and from a source IP address when a configured limit is reached
- Adds an event to the log file
- Sends an SNMP trap to the SNMP management server (when configured)
- Sends a notification of possible security risks (when configured)

Unhandled Packets

Packets that are denied by the firewall because they do not match any of the firewall policies are blocked as unhandled packets. The Default Packet Handling options give you the tools to block the source of any unhandled packet. This is an extremely aggressive security setting and is not enabled by default.

Automatically Block the Source of Suspicious Traffic

The Blocked Sites feature helps stop network traffic from systems that you know or think are a security risk. After you identify the source of suspicious traffic, you can block all the connections to and from that IP address. You can also configure the Firebox to send a log message each time that source tries to connect to your network.

A blocked site is an IP address that cannot make a connection through the device, even if the IP address is usually allowed to connect as part of your policy configuration. If a packet comes from, or is sent to, a system that is blocked, it does not get through the device. There are two types of blocked IP addresses:

Permanent Blocked Sites — These are IP addresses that you manually add to your device configuration file because you want all connections to and from the IP address blocked. If an IP address consistently and repeatedly tries to violate your security policies, you can add it to the Permanent Blocked Sites list. You can add blocked sites in several ways:
- In Policy Manager, select Setup > Default Threat Protection > Blocked Sites and click Add.
- In Firebox System Manager, on the Blocked Sites tab, click Add.
- In the Firebox System Manager Traffic Monitor tab, right-click a connection, select the source or destination IP address, then click Block Site: [ip address].

Auto-blocked sites — These are IP addresses that the device adds to, and removes from, a list of sites that are temporarily blocked based on the packet handling rules specified in your device configuration. These IP addresses are blocked for a period of time you select. This feature is known as the Temporary Blocked Sites list. For example, if you configure the auto-block option for a policy set to deny traffic, the device can add the denied IP addresses to the Temporary Blocked Sites list. If a connection is blocked by your default packet handling rules, the source IP address is also added to the Temporary Blocked Sites list. You can use the Temporary Blocked Sites list and your log messages to help make decisions about which IP addresses to permanently block.


Block Ports Commonly Used by Attackers

Another method you can use to protect your network is to block all traffic on ports commonly used by attackers. As attackers become more creative, this method has become less effective; however, it can still be used to protect against some of the most obvious vulnerabilities. Because a blocked port overrides all other service configurations, it can protect you from errors in your device configuration. It can also be used to make independent log entries for probes against sensitive services.

The default configuration of the device blocks some destination ports. This is a basic configuration that you usually do not have to change. It blocks TCP and UDP packets for these ports:

Port(s)      Service                  Reason
0            NONE                     The Firebox always blocks this port and you cannot override this default.
1            TCPmux (infrequently)    Blocked to make it more difficult for port scanning tools.
111          RPC                      Used by RPC services to find out which ports an RPC server uses. These are easy to attack through the Internet.
513, 514     rlogin, rsh, rcp         Because they give remote access to other computers, many attackers probe for these services.
2049         NFS                      New versions of NFS have important authentication and security problems.
6000–6005    X Window System          Client connections are not encrypted and are dangerous to use over the Internet.
7100         X Font Server            X Font Servers operate as the super-user on some hosts.
8000                                  Used by many vendors whose software is vulnerable to a variety of attacks.


Geolocation

Geolocation is the identification of the real-world geographic location of an object, such as a radar source, mobile phone, or a computer connected to the Internet. In Fireware, Geolocation is a subscription service that enables you to identify connections based on the geographic location of the connection source or destination. You can also configure Geolocation to block connections to or from IP addresses in specific geographical locations. Geolocation is licensed as part of Reputation Enabled Defense. Your Firebox must have Reputation Enabled Defense enabled in the feature key before you can use the Geolocation feature.

Geolocation Dashboard In Fireware Web UI, the Geolocation Dashboard enables you to see current connections through the Firebox based on geographic location. The Geolocation Dashboard page is available only in Fireware Web UI.

When Geolocation is enabled, the Firebox looks up the geographic location of an external source of traffic or the traffic destination IP address in a database. You can configure Geolocation to block connections to or from specified regions. You can also add exceptions for sites that you do not want to block, and configure update server settings.


From Policy Manager or Fireware Web UI:

1. Select Subscription Services > Geolocation.
2. Enable Geolocation.
3. Use the map or country list to select the regions to block.
4. Add exceptions for sites you always want to allow in blocked countries.


Geolocation Statistics

You can see Geolocation statistics in the Subscription Services tab of Firebox System Manager and in the Subscription Services dashboard in Fireware Web UI. Here is what the statistics look like on the Subscription Services dashboard in Fireware Web UI:

Geolocation and Log Messages

When Geolocation is enabled, log messages show the geographic location of connections through the Firebox. For example, this log message shows a connection that was denied based on its destination:

2016-10-04 14:16:13 Deny 10.0.1.2 104.16.23.190 50802 80 1-Trusted 0-External blocked sites (geolocation destination) 52 127 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 1489658951 win 32" geo="geo_dst" geo_dst="IRL"

A log message for an allowed connection shows the geographic location of its destination in the same way. In Traffic Monitor, you can filter the log messages for information about connections blocked by Geolocation:

- To see log messages for all connections blocked by Geolocation, search for: geo=
- To see log messages for connections blocked based on the source, search for: geo="geo_src"
- To see log messages for connections blocked based on the destination, search for: geo="geo_dst"
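To make the Traffic Monitor searches above repeatable over exported log text, here is an added Python parser; it is not part of this guide or of Fireware. It splits the fixed columns and the key="value" fields of messages in the layout shown, then applies the three filters. The sample log is constructed: the first line is the message above, the other two are made up in the same layout, and the assumption that an allowed connection carries geo_dst without a geo= key is the example's, not the page's.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log. Line 1 is the message shown in the guide; lines 2 and 3
# are constructed for this example in the same layout (an allowed connection is
# assumed to carry geo_dst but no geo= key, since only blocked ones match geo=).
SAMPLE_LOG = """\
2016-10-04 14:16:13 Deny 10.0.1.2 104.16.23.190 50802 80 1-Trusted 0-External blocked sites (geolocation destination) 52 127 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 1489658951 win 32" geo="geo_dst" geo_dst="IRL"
2016-10-04 14:17:02 Deny 198.51.100.9 10.0.1.10 41000 443 0-External 1-Trusted blocked sites (geolocation source) 60 128 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" geo="geo_src" geo_src="CHN"
2016-10-04 14:17:30 Allow 10.0.1.3 93.184.216.34 50900 80 1-Trusted 0-External Allowed 52 127 (HTTP-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0148" geo_dst="USA"
"""

# Fixed leading columns of a traffic log message, in order.
FIXED = ("date", "time", "action", "src", "dst", "src_port", "dst_port", "in_if", "out_if")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Split one message into the fixed columns plus every key="value" field."""
    parts = line.split(None, len(FIXED))
    rec = dict(zip(FIXED, parts))
    rest = parts[len(FIXED)] if len(parts) > len(FIXED) else ""
    rec.update(KV_RE.findall(rest))
    # Whatever precedes the first key="value" pair is the disposition text,
    # e.g. 'blocked sites (geolocation destination) 52 127 (Internal Policy)'.
    first = KV_RE.search(rest)
    rec["disposition"] = rest[: first.start()].strip() if first else rest.strip()
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def geo_blocked(records, which: Optional[str] = None):
    """The three Traffic Monitor searches: geo= (all), geo="geo_src", geo="geo_dst".

    Only messages carrying the geo= key were blocked by Geolocation; a record
    with geo_dst or geo_src alone describes where a connection went, not a block.
    """
    return [r for r in records if "geo" in r and (which is None or r["geo"] == which)]


def blocked_country(rec: Dict[str, str]) -> str:
    """Country code the block was decided on: geo= names the field that holds it."""
    return rec[rec["geo"]]


if __name__ == "__main__":
    for rec in geo_blocked(parse_log(SAMPLE_LOG)):
        print(rec["time"], rec["src"], "->", rec["dst"], rec["geo"], blocked_country(rec))
```

The parser keys on the geo= field rather than on the words "geolocation source/destination" in the disposition text, which mirrors the Traffic Monitor searches and survives changes in the free-text part of the message.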


Exercise 1 — Configure Default Packet Handling Options

Successful Company just signed a sponsorship of the popular podcast Diggnation. Surprisingly, the publicity generates an unusually high volume of traffic to their public web server. So high, in fact, that the Firebox mistakenly interprets the requests as a Distributed Denial of Service (DDoS) attack. In this exercise, we use Policy Manager to increase the Per Server Quota threshold to prevent this problem.

1. Select Setup > Default Threat Protection > Default Packet Handling. The Default Packet Handling dialog box appears.
2. In the Distributed Denial-of-Service Prevention section, in the Per Server Quota text box, type or select 200. This doubles the number of connections that the Firebox allows before it triggers a DDoS block on additional connections.
3. Click OK.


Exercise 2 — Block Potential Sources of Attacks The network administrator at Successful Company is more and more confident that his Firebox configuration policy is strong, strict, and effective at blocking most access to their network. However, the log files suggest that more can be done to reduce the impact of direct attacks on the performance of the firewall. He starts with blocking the potential sources of attacks.

Block a Site Permanently

The Successful Company administrator has been overwhelmed by a script kiddy using addresses in the 192.136.15.0/24 network to run probes of the Successful network. In this exercise, we use Policy Manager to permanently block all connections from that network.

1. Select Setup > Default Threat Protection > Blocked Sites. The Blocked Sites Configuration dialog box opens.
2. On the Blocked Sites tab, click Add. The Add Site dialog box opens.
3. In the Choose Type drop-down list, select Network IPv4.
4. In the Value text box, type 192.136.15.0/24.
5. (Optional) In the Description text box, type a description. The member type shows whether this is an IP address or a range of IP addresses. When you type an IP address, type all the numbers and the periods.
6. Click OK. The entry appears in the Blocked Sites list. With this configuration, the Firebox blocks all packets to and from the 192.136.15.0/24 network range.


Create Exceptions to the Blocked Sites List

An exception is an entry to which the other blocking rules do not apply. For blocked sites, an exception is an IP address or network address that is never blocked. The automatic rules do not apply to this host, and the exception also takes precedence over the manually blocked sites list.

Many Firebox users add the IP address of their own DNS servers to the Blocked Sites exception list to make sure connections are not blocked by traffic patterns that look like an attack.

In this exercise, we add an exception to the 192.136.15.0/24 network we blocked in the previous exercise. We configure the Firebox to allow connections to and from the single IP address 192.136.15.22. In the Blocked Sites Configuration dialog box:

1. Click the Blocked Sites Exceptions tab.
2. Click Add. The Add Site dialog box appears.
3. In the Choose Type drop-down list, select Host IPv4.
4. In the Value text box, type 192.136.15.22.
5. In the Description text box, type Joes home IP. The Description is optional, but it can be helpful to you (and other network administrators) when you later try to figure out why an exception was made.
6. Click OK.
7. Click OK again to close the Blocked Sites Configuration dialog box.


Exercise 3 — Block Sites Automatically

After reading a LiveSecurity Foundations article, the Successful Company network administrator decides to deny all RSH (Remote Shell) connections. In addition, he would like to automatically block the source of any incoming attempts to use RSH.

1. Click the Add Policy icon, or select Edit > Add Policy. The Add Policies dialog box appears.
2. Expand the Packet Filters folder and select RSH. Click Add. The New Policy Properties dialog box appears.
3. In the RSH Connections are drop-down list, select Denied.
4. Configure the policy to deny connections:
   a. In the From list, add Any-External.
   b. In the To list, add Any-Trusted, Any-Optional, Any-BOVPN.
5. Select the Properties tab.
6. Select the Auto-block sites that attempt to connect check box.
7. Click OK. The Firebox now automatically adds the IP address of any source of RSH packets to the Blocked Sites list. With a default configuration, the IP address stays on the Blocked Sites list for 20 minutes.
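Putting the precedence rules of this module together, the following Python model (an added example, not WatchGuard code) implements the checks the Firebox applies before any policy is consulted: a Blocked Sites exception wins over both permanent and auto-blocked entries, a blocked site denies traffic in either direction, an auto-blocked entry expires after the 20-minute default, and a blocked destination port overrides any policy. The addresses come from Exercises 2 and 3; time is a plain number of seconds supplied by the caller, and the 198.51.100.x sources are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List

AUTO_BLOCK_SECONDS = 20 * 60   # default auto-block duration from Exercise 3
# Default blocked destination ports from the table above (6000-6005 expanded).
DEFAULT_BLOCKED_PORTS = {0, 1, 111, 513, 514, 2049, 7100, 8000} | set(range(6000, 6006))


class ThreatProtection:
    def __init__(self):
        self.permanent: List = []                 # Blocked Sites (hosts or networks)
        self.exceptions: List = []                # Blocked Sites Exceptions
        self.temporary: Dict[str, float] = {}     # auto-blocked ip -> expiry time
        self.blocked_ports = set(DEFAULT_BLOCKED_PORTS)

    # --- configuration -----------------------------------------------------
    def block_site(self, cidr: str):
        self.permanent.append(ip_network(cidr, strict=False))

    def add_exception(self, cidr: str):
        self.exceptions.append(ip_network(cidr, strict=False))

    def unblock_port(self, port: int):
        if port == 0:
            raise ValueError("port 0 is always blocked and cannot be overridden")
        self.blocked_ports.discard(port)

    def auto_block(self, ip: str, now: float):
        """Called when a policy with "Auto-block sites that attempt to connect"
        denies a connection, or when default packet handling blocks one."""
        self.temporary[ip] = now + AUTO_BLOCK_SECONDS

    # --- evaluation --------------------------------------------------------
    @staticmethod
    def _in(ip: str, nets) -> bool:
        addr = ip_address(ip)
        return any(addr in n for n in nets)

    def site_status(self, ip: str, now: float) -> str:
        """'exception', 'permanent', 'temporary', or 'ok'."""
        if self._in(ip, self.exceptions):
            return "exception"            # exceptions beat both blocked lists
        if self._in(ip, self.permanent):
            return "permanent"
        expiry = self.temporary.get(ip)
        if expiry is not None:
            if now < expiry:
                return "temporary"
            del self.temporary[ip]        # entry has aged out of the temporary list
        return "ok"

    def check(self, src: str, dst: str, dst_port: int, now: float) -> str:
        """Verdict before policies run. Blocked sites apply to both ends of the
        connection; then blocked ports; 'pass' hands the packet to the policies."""
        for ip in (src, dst):
            status = self.site_status(ip, now)
            if status in ("permanent", "temporary"):
                return f"deny:{status}-blocked-site:{ip}"
        if dst_port in self.blocked_ports:
            return f"deny:blocked-port:{dst_port}"
        return "pass"


def exercise_config() -> ThreatProtection:
    """Blocked Sites state after Exercises 2 and 3 of this module."""
    tp = ThreatProtection()
    tp.block_site("192.136.15.0/24")   # permanent block of the probing network
    tp.add_exception("192.136.15.22")  # Joes home IP
    return tp


if __name__ == "__main__":
    tp = exercise_config()
    print(tp.check("192.136.15.7", "10.0.1.10", 80, 0))      # permanent block
    print(tp.check("192.136.15.22", "10.0.1.10", 80, 0))     # exception passes
    tp.auto_block("198.51.100.9", 0)
    print(tp.check("198.51.100.9", "10.0.1.10", 80, 600))    # still auto-blocked
    print(tp.check("198.51.100.9", "10.0.1.10", 80, 1300))   # expired after 20 min
```

Note that an exception protects the host even if it is later auto-blocked: the model never returns a deny for an excepted address, which is the behaviour the text describes for Blocked Sites Exceptions.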


Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. True or false? A firewall-based IPS maintains a database of character strings that match known viruses and worms.
2. Select the type of intrusion prevention measure for each feature:
   A) Gateway AntiVirus        Firewall-Based | Signature-Based
   B) Default Packet Handling  Firewall-Based | Signature-Based
   C) Blocked Sites            Firewall-Based | Signature-Based
   D) IPS Service              Firewall-Based | Signature-Based
   E) Blocked Ports            Firewall-Based | Signature-Based
3. Which of these actions can the Firebox perform when it looks for patterns that show if your network is at risk? (Select all that apply.)
   A) Looks for packets which are not RFC compliant
   B) Automatically blocks all traffic to and from a source IP address
   C) Sends a log message to the Log Server
   D) Sends a notification of possible security risks
   E) All of the above
4. True or false? An unhandled packet is a packet that does not match any rule created in Policy Manager.
5. Fill in the blank: To block all traffic to and from a network, you add the address to the Blocked ________ list.


ANSWERS

1. False. A signature-based IPS maintains a database.
2. Gateway AntiVirus — Signature-based; Default Packet Handling — Firewall-based; Blocked Sites — Firewall-based; IPS Service — Signature-based; Blocked Ports — Firewall-based
3. All of the above
4. True
5. Sites


Policies
Convert Network Policy to Device Configuration

What You Will Learn

Your Firebox controls traffic to and from your trusted, optional, and external networks. You use a set of rules called policies to define which traffic should be allowed or denied passage through your network. In this training module, you learn how to:

- Understand the difference between a packet filter policy and a proxy policy
- Add a policy to Policy Manager and configure its access rules
- Create a custom packet filter
- Set up logging and notification rules for a policy
- Use advanced policy properties
- Understand how the Firebox determines precedence

Before you begin these exercises, make sure you read the Course Introduction module.


Policies are Rules for Your Network Traffic

When you add a policy to Policy Manager, you tell the Firebox what types of traffic to allow or deny. You can set a policy to allow or deny traffic based on criteria such as the source and destination of the packet, the TCP/IP port or protocol used to transmit the packet, or the time of day. You can use the same policy to give the Firebox more instructions on how to handle the packet. For example, you can define logging and notification parameters for the policy, or use network address translation (NAT). There are two types of policies:

Packet Filter Policy

A packet filter examines the IP header of each packet to control the network traffic into and out of your network. It is the most basic feature of a firewall. If the header information (addresses, protocol, and ports) matches what the policy allows, the Firebox passes the packet; otherwise, the device drops it.

Proxy Policy

A proxy monitors and scans the entire connection, from the protocol commands to the data inside the packet. It examines the commands used in the connection to make sure they are in the correct syntax and order. It also examines the contents of each packet to make sure that connections are secure. A proxy operates at the application layer, as well as the network and transport layers of a TCP/IP packet, while a packet filter operates only at the network and transport protocol layers. Packet filters are an easy way to allow or deny large amounts of traffic. Proxies can prevent potential threats from reaching your network without blocking the entire connection. The device includes default sets of rules, called proxy actions, for each type of proxy policy. You can use the default settings for each type of proxy action, or you can customize them.

In this course, we refer to packet filters and proxies together as policies. Unless otherwise indicated, the procedures refer to both types of policies.

Add Policies

Policy Manager uses either a list view or an icon view to show the policies that you configure for your Firebox. For each policy, you can:

- Enable the policy
- Set the allowed sources and destinations for traffic managed by the policy
- Configure properties such as logging, notification, and advanced properties (described below)
- Apply policy tags to policies and use the policy tags to sort and filter the policy list


Sources and Destinations

The policy configuration includes:

- A From list (source) that specifies who can send (or cannot send) network traffic with this policy.
- A To list (destination) that specifies who the Firebox can route traffic to if the traffic matches (or does not match) the policy specifications.

The source and destination for the policy can be a host IP address, IP host range, host name, network address, user, group, alias, VPN tunnel, FQDN, or any combination of those objects.

About Aliases

An alias is a shortcut that identifies a group of hosts, networks, or interfaces, and enables you to simplify the creation of your security policies. There are several default aliases that you can use. The most common primary default aliases are:

- Any — An alias for any address. This includes all IP addresses, interfaces, custom interfaces, tunnels, users, and groups.
- Firebox — An alias for all Firebox interfaces.
- Any-Trusted — An alias for all Firebox interfaces configured as Trusted interfaces, and any network you can get access to through these interfaces.
- Any-External — An alias for all Firebox interfaces configured as External, and any network you can get access to through these interfaces.
- Any-Optional — An alias for all Firebox interfaces configured as Optional, and any network you can get access to through these interfaces.

You can create your own aliases that contain any combination of these items:

- Host IP address
- Network IP address
- A range of host IP addresses
- Host Name (DNS Lookup) — A one-time DNS lookup is performed on the host name and the resolved IP addresses are added to the alias.
- FQDN — Performs forward DNS resolution and analyzes DNS replies for the specified FQDN (includes wildcard domains such as *.example.com). Resolved IP addresses from the primary domain and any subdomains are added to the alias.
- Tunnel address — Defined by a user or group, address, and name of the tunnel. This type lets you specify the address, and set two other conditions that traffic must meet in order to match the address.
- Custom address — Defined by a user or group, address, and Firebox interface. This type lets you specify the address, and set two other conditions that traffic must meet in order to match the address.
- Another alias
- An authorized user or group


About FQDN

FQDN (Fully Qualified Domain Name) support in policies enables you to specify a specific host domain (host.example.com) or a wildcard domain (*.example.com). You can use FQDN in the From and To fields of a policy, aliases, blocked sites and blocked site exceptions, and quota exceptions. When you define an FQDN in your configuration, your Firebox performs forward DNS resolution for the specified domain and stores the IP mappings. For wildcard domains, the device analyzes DNS replies that match your FQDN configuration. As DNS traffic passes through the Firebox, it stores the IP mapping responses to relevant queries for the domain and any subdomains. With FQDN support, you can configure a wide variety of policy configurations. For example, you can allow traffic to software update sites such as windowsupdate.microsoft.com or antivirus signature update sites, even though all other traffic is blocked. This is especially useful when these sites are hosted on content delivery networks (CDNs) that frequently add and change IP addresses.

Predefined Policies and Custom Policy Templates

The Firebox includes a default list of predefined packet filter and proxy policies for you to use. You can add one of these predefined policies and then change the settings to meet the needs of your organization, or just use the default settings. Based upon the access rules you configure, connections can be allowed, denied, or denied with a reset connection. To enable access through the device for an Internet protocol that is not included in the list of predefined policies, you must create a custom policy template. A custom policy can match traffic from one or more TCP or UDP ports, or other IP protocols such as GRE, AH, ESP, ICMP, IGMP, and OSPF. A custom policy cannot match traffic from other protocol types, such as AppleTalk, ATM, Frame Relay, or IPX.

Configure Logging and Notification for a Policy You can set custom logging and notification rules for each policy. These rules tell the Firebox the events for which it needs to create log messages or trigger a notification. Notifications can occur through email, a pop-up window on your management computer, or with a Simple Network Management Protocol (SNMP) trap. An SNMP trap is a notification event issued by a managed device to the network SNMP manager when a significant event occurs.

Advanced Policy Properties

You can also use several advanced property settings for each of your policies:

Proxy Actions
Each time you add a proxy policy to Policy Manager, you select a set of rules used to protect either clients or servers on your network. You can use the default proxy action settings, or you can modify them to meet the needs of your organization.

Schedules
You can set policies to only be active at the times of the day that you specify. You can also create schedule templates so that you can use the same schedule for more than one policy.


Traffic Management
A Traffic Management action can guarantee that a particular policy always has a certain amount of bandwidth through the Firebox, or it can limit the amount of bandwidth that the policy can use.

Quality of Service (QoS) Marking
QoS marking allows you to mark network traffic with bits that identify it to other devices that understand QoS. The Firebox and other QoS-capable devices can assign higher or lower priorities to each type of traffic with QoS marking.

Network Address Translation (NAT)
You can enable or selectively disable 1-to-1 and dynamic NAT in any policy. You can also configure incoming NAT properties to allow Internet connections to privately addressed servers protected by the Firebox.

ICMP Error Handling
You can customize the method the Firebox uses to handle ICMP errors for each policy.

Custom Idle Timeout
Use this feature to set the amount of time the Firebox waits before it drops a connection.

Sticky Connections
A sticky connection is a connection that continues to use the same interface for a defined period of time when your Firebox is configured with multiple WAN interfaces. Stickiness makes sure that, if a packet goes out through one external interface, any future packets between the source and destination address pair use the same external interface for a specified period of time.

Policy-based Routing
If your Firebox is configured with multi-WAN, you can configure a policy with a specific external interface to use for all outbound traffic that matches that policy.

Bandwidth and Time Quotas
You can enable time and bandwidth usage quotas in a policy. This feature is useful for applying a daily limit to your users' Internet usage in an HTTP-proxy policy to enforce corporate acceptable use policies. For more detailed information on bandwidth and time quotas, see the Web Traffic module.

About the Outgoing Policy
The default Outgoing policy is a packet filter policy that is automatically added to your Firebox configuration when you run the Web Setup or Quick Setup Wizard to set up your device and create a basic device configuration file. The Outgoing policy allows all TCP and UDP connections from any trusted or optional source on your network to any external network. Because it is a packet filter policy, not a proxy policy, the Outgoing policy does not filter content when it examines the traffic through your Firebox. If you remove the Outgoing policy from your device configuration file, make sure that the Firebox configuration includes other policies that allow outbound traffic. You can either add a separate policy for each type of traffic that you want to allow out through your firewall, or you can add the TCP-UDP packet filter or TCP-UDP-proxy policy. For example, if you have removed the Outgoing policy, and you want to allow trusted users on your network to connect to web sites, you must create an HTTP-proxy policy for port 80, an HTTPS-proxy policy for port 443, and a DNS policy for port 53 to allow DNS query resolution.

With Fireware v11.12 and higher, the Web Setup Wizard and Quick Setup Wizard automatically configure HTTP, HTTPS and FTP proxy policies and a DNS policy in addition to the Outgoing policy.

Policy Precedence
Precedence refers to the order in which the Firebox examines network traffic and applies a policy rule. The Firebox sorts policies automatically, from the most specific to the most general. For example, a highly specific policy could be a policy that matches only traffic on TCP port 25 from one IP address, while a general policy could be one that matches all traffic on UDP ports 40,000-50,000. You can also set the precedence of each policy manually. For more information on policy precedence, including complete rules for specificity, see the Fireware Help. The Firebox uses the rules from the first policy that matches the traffic for routing. If no match is found, the traffic is denied as an unhandled packet.

Policy Tags and Filters
A policy tag is a label you can apply to your policies to help you organize them into easy to manage groups. You can apply more than one policy tag to a policy and apply any policy tag to many policies. A policy filter uses the policy tags you have applied to your policies to specify which policies appear in the policy lists on the Firewall and Mobile VPN with IPSec pages. When you create a policy tag or filter, you must use some combination of these characters in the policy tag or filter name:
- Uppercase and lowercase letters
- Numerals
- Special characters: -, space, _, +, /, *

Exercise 1 — Add a Packet Filter Policy and Configure Access Rules
Successful Company’s network administrator was told to stop employees from using Internet Relay Chat (IRC) at the office. The management team decided that IRC is too distracting for employees and a potential security risk. The administrator also wants to activate a Windows Terminal Services connection to the Successful Company public web server on the optional interface of the Firebox. He routinely administers the web server with a Remote Desktop connection. At the same time, he wants to make sure that no other network users can use the Remote Desktop Protocol through the Firebox. In this exercise, you open a basic Firebox device configuration file in Policy Manager. You add two predefined policies to the configuration and configure the access rules for each policy.

Add a Predefined Policy
First, add policies to the Firebox to control IRC and RDP traffic.
1. Open the configuration file you are editing for these exercises.
2. Click . Or, select Edit > Add Policy. The Add Policies dialog box appears. From here, you can add a predefined packet filter policy, a proxy policy, or a custom policy you have created. You can also create a new policy template.

3. Expand the Packet Filter list. Select IRC.

4. Click Add. The New Policy Properties dialog box appears.

5. Click OK. This adds a basic IRC policy to your configuration. If you do not change this policy, it allows all IRC traffic from any trusted computer to any external computer.

6. In the packet filter list, select RDP. Click Add. Click OK. This adds a basic RDP policy to your configuration. If you do not change this policy, it allows all RDP traffic from any trusted computer to any external computer.

7. Click Close to close the Add Policies dialog box. The IRC and RDP policies appear in Policy Manager.

Modify Policies to Restrict Traffic
By default, a new policy allows traffic from any trusted interface to any external interface. To block all IRC traffic originating from computers on the Successful Company’s trusted and optional networks, we must modify the IRC policy.
1. Double-click the IRC policy. The Edit Policy Properties dialog box appears.

2. Select the Policy tab.
3. In the IRC connections are drop-down list, select Denied. The policy now denies traffic from any computer that connects through the trusted Firebox device interface to any external computer. To further restrict IRC traffic, you must also deny IRC from any computer on optional device interfaces.

4. In the From section, click Add. The Add Address dialog box appears.

5. In the Available Members list, select Any-Optional. Click Add. Any-Optional appears in the Selected Members and Addresses list.

6. Click OK. Any-Optional appears in the New Policy Properties dialog box in the From list.

The rule now denies IRC traffic from all computers behind the device to any external computer. Traffic that comes from the external interface is always denied by default unless you create a rule to allow it.

7. Click OK to close the Edit Policy Properties dialog box. The policy is now marked with a red X in List View or a red top banner in Large Icon View. This indicates a Deny policy.

Use a Policy to Allow Traffic
We also want to allow RDP traffic to the Successful Company web server on the optional network. However, we want only our network administrator to be able to connect, so we will restrict this policy to allow only the static IP address of his home office computer.
1. Double-click the RDP policy. The Edit Policy Properties dialog box appears.

2. In the From list, select Any-Trusted. Click Remove. The policy originally allowed all RDP traffic from any computer on trusted networks to any computer on an external network.

3. In the From section, click Add. The Add Address dialog box appears.

4. Click Add Other. The Add Member dialog box appears.
5. In the Value text box, type 50.51.200.22 as the IP address of the network administrator’s computer.
6. Click OK. The IP address appears in the Add Address dialog box Selected Members and Addresses list.

7. Click OK to close the Add Address dialog box. The New Policy Properties dialog box appears with the IP address in the From list.

8. In the To section, select Any-External. Click Remove.
9. In the To section, click Add. The Add Address dialog box appears.

10. Click Add Other. The Add Member dialog box appears.

11. In the Value text box, type 10.0.2.80. This is the IP address of the Successful Company public web server on the PublicServers (Interface 3) optional network.

12. Click OK. The rule appears in the Add Address dialog box Selected Member and Address list. This allows RDP connections from the IP address of the network administrator’s desktop computer to the IP address of the public web server.

13. Click OK. The New Policy Properties dialog box appears with the IP address in the To list. If the Outgoing policy is not present in this configuration, there is no default rule to allow general outgoing TCP connections. All other RDP traffic will be denied.

14. Click OK to close the Edit Policy Properties dialog box.

Exercise 2 — Use FQDN in a Policy
The Successful Company has denied external web browsing access to the customer service representative (CSR) group. However, these computers still require HTTP access for software updates to the Microsoft Windows operating system (windowsupdate.com, microsoft.com, and windows.com), and client antivirus signature updates (avsignatureupdate.com). In this exercise, you learn how to use FQDN in a policy to make an exception for destination domains that can comprise many different subdomains and resolved IP addresses because the destinations may be hosted on content delivery networks (CDN).
1. Click . Or, select Edit > Add Policy. The Add Policies dialog box appears.

2. Select Proxies > HTTP-proxy, then click Add.
3. In the Name text box, type HTTP-Software-Updates.
4. Make sure the HTTP-proxy connections are... option is set to Allowed.
5. In the From section of the policy, select the Any-Trusted entry, then click Remove.
6. In the From section of the policy, click Add, then click Add User, then select your CSR user group.
7. In the To section of the policy, select the Any-External entry, then click Remove.
8. Click Add, then click Add Other.
9. From the Choose Type drop-down list, select FQDN.

10. In the Value text box, type *.avsignatureupdate.com, then click OK.
11. Repeat these steps and add other FQDN entries for *.windowsupdate.com, *.microsoft.com, and *.windows.com.

12. Click OK to add the new policy.
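To show how the precedence rules, the packet-filter access rules of Exercise 1 and the FQDN members of Exercise 2 combine, here is an added Python model of first-match policy evaluation (not WatchGuard code). The alias ranges, the CSR-group alias, the HTTP-Deny-CSR policy, the IRC port and the specificity score are assumptions; Fireware's real ordering rules are in the Fireware Help.

```python
"""Simplified first-match policy evaluation for the Exercise 1 and 2 scenarios:
packet-filter rules with alias, host-IP and wildcard-FQDN members, Allow or Deny
actions, and most-specific-first ordering.  Added illustration, not WatchGuard
code; the specificity score is an assumption that only approximates the real
Fireware ordering rules."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Interface aliases for the training network (constructed sample ranges).
# CSR-group stands in for the authenticated CSR user group of Exercise 2.
ALIASES = {
    "Any-Trusted": [ipaddress.ip_network("10.0.1.0/24")],
    "Any-Optional": [ipaddress.ip_network("10.0.2.0/24")],
    "CSR-group": [ipaddress.ip_network("10.0.1.64/26")],
}
INTERNAL = ALIASES["Any-Trusted"] + ALIASES["Any-Optional"]
ANY_PORT = range(0, 65536)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    dst_fqdn: Optional[str] = None  # name the Firebox saw resolve to dst, if any


@dataclass
class Policy:
    name: str
    proto: str          # "TCP", "UDP" or "TCP-UDP"
    ports: range        # server ports the policy controls
    sources: List[str]  # From members
    dests: List[str]    # To members
    action: str         # "Allow" or "Deny"


def member_matches(member: str, addr: str, fqdn: Optional[str]) -> bool:
    """Match one From/To member: alias, Any-External, wildcard FQDN or host IP."""
    ip = ipaddress.ip_address(addr)
    if member == "Any-External":          # anything not behind trusted/optional
        return not any(ip in net for net in INTERNAL)
    if member in ALIASES:
        return any(ip in net for net in ALIASES[member])
    if member.startswith("*."):           # *.microsoft.com covers every subdomain
        base = member[2:]
        return fqdn is not None and (fqdn == base or fqdn.endswith("." + base))
    return ip == ipaddress.ip_address(member)


def member_specificity(member: str) -> int:
    """Assumed ranking: host IP > FQDN wildcard > interface alias."""
    if member.startswith("*."):
        return 2
    if member == "Any-External" or member in ALIASES:
        return 1
    return 3


def specificity(policy: Policy) -> Tuple[int, int]:
    """Sort key: address specificity first, then the narrower port range."""
    addr = (min(map(member_specificity, policy.sources))
            + min(map(member_specificity, policy.dests)))
    return (addr, -len(policy.ports))


def policy_matches(policy: Policy, pkt: Packet) -> bool:
    if policy.proto != "TCP-UDP" and policy.proto != pkt.proto:
        return False
    if pkt.dport not in policy.ports:
        return False
    return (any(member_matches(m, pkt.src, None) for m in policy.sources)
            and any(member_matches(m, pkt.dst, pkt.dst_fqdn) for m in policy.dests))


def evaluate(policies: List[Policy], pkt: Packet) -> Tuple[str, str]:
    """Return (policy name, action) of the first match in precedence order,
    or ("unhandled", "Deny") when no policy matches."""
    for policy in sorted(policies, key=specificity, reverse=True):
        if policy_matches(policy, pkt):
            return policy.name, policy.action
    return "unhandled", "Deny"


# The configuration built in Exercises 1 and 2 plus the default Outgoing policy.
# HTTP-Deny-CSR is constructed to represent the existing CSR browsing block;
# the IRC server port is assumed (the lesson does not state it), RDP is TCP 3389.
POLICIES = [
    Policy("Outgoing", "TCP-UDP", ANY_PORT,
           ["Any-Trusted", "Any-Optional"], ["Any-External"], "Allow"),
    Policy("IRC", "TCP", range(6667, 6668),
           ["Any-Trusted", "Any-Optional"], ["Any-External"], "Deny"),
    Policy("RDP", "TCP", range(3389, 3390), ["50.51.200.22"], ["10.0.2.80"], "Allow"),
    Policy("HTTP-Deny-CSR", "TCP", range(80, 81), ["CSR-group"], ["Any-External"], "Deny"),
    Policy("HTTP-Software-Updates", "TCP", range(80, 81), ["CSR-group"],
           ["*.avsignatureupdate.com", "*.windowsupdate.com",
            "*.microsoft.com", "*.windows.com"], "Allow"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.0.1.50", "198.51.100.7", "TCP", 6667),
                Packet("50.51.200.22", "10.0.2.80", "TCP", 3389),
                Packet("10.0.1.50", "10.0.2.80", "TCP", 3389),
                Packet("10.0.1.77", "203.0.113.9", "TCP", 80, "download.windowsupdate.com")):
        print(pkt, "->", evaluate(POLICIES, pkt))
```

Note that RDP from a trusted desktop to 10.0.2.80 lands on "unhandled": the Outgoing policy only covers destinations on external networks, which is why the lesson says all other RDP traffic is denied.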

Exercise 3 — Create a Custom Packet Filter Template
Successful Company’s network administrator frequently troubleshoots their public servers from the network server room. These public servers are all connected to the optional interface of the Firebox. The network administrator would like to be able to use VNC to view the files on his trusted desktop computer. To do this, he must create a custom VNC policy and allow access from any computer on the optional network to his desktop computer on the trusted network (10.0.1.201). To create a custom policy, we must know that VNC uses TCP port 5900. To find out which ports are used by different network services, refer to the documentation that accompanies each software product. In this exercise, you learn how to create a custom packet filter to solve a problem in the Successful Company network.

Make a New Policy Template
1. Click . Or, select Edit > Add Policy. The Add Policies dialog box appears.

2. Click New to create a new policy template. The New Policy Template dialog box appears.

3. In the Name text box, type VNC.
4. In the Description text box, type Virtual Network Computing.
5. For the Type option, make sure that Packet Filter is selected.
6. To define a protocol and ports for the new policy template, click Add. The Add Protocol dialog box appears.

7. From the Type drop-down list, select Single Port.

It is also possible to create a new policy template for a service that uses a port range. After you specify the Type as Port Range instead of Single Port, the options to define a port range are available.

8. From the Protocol drop-down list, select TCP.
9. In the Server Port text box, type 5900.

10. Click OK to close the Add Protocol dialog box. The TCP 5900 protocol appears in the list of Protocols controlled by this policy.

11. Click OK to close the New Policy Template dialog box. The VNC Policy appears in the Custom list in the Add Policies dialog box.

Add and Configure the Custom Policy
Now that you have a custom policy template that controls VNC traffic, you can add it to the device configuration.
1. In the Add Policies dialog box, expand the Custom folder.
2. Select VNC. Click Add. The New Policy Properties dialog box appears with the VNC packet filter.

3. In the From list, select Any-Trusted. Click Remove.
4. In the From section, click Add. The Add Address dialog box appears.

5. Double-click Any-Optional. Any-Optional appears in the Selected Members and Addresses list.

6. Click OK to close the Add Address dialog box. The New Policy Properties dialog box appears with Any-Optional in the From list. This enables the device to allow VNC traffic from any computer on an optional network.

7. In the To list, select Any-External. Click Remove.
8. In the To section, click Add. The Add Address dialog box appears.

9. Click Add Other. The Add Member dialog box appears.

10. From the Choose Type drop-down list, make sure that Host IP is selected.
11. In the Value text box, type 10.0.1.201. This address restricts VNC traffic to only the desktop computer of the network administrator.

12. Click OK to close the Add Member dialog box. The IP address 10.0.1.201 appears in the Selected Members and Addresses list.

13. Click OK to close the Add Address dialog box. The IP address appears in the To list.

14. Click OK to close the New Policy Properties dialog box. 15. Click Close to close the Add Policies dialog box. The VNC policy appears in the list of configured policies.

Exercise 4 — Configure Logging and Notification for a Policy
In this exercise, you make sure the Firebox creates a log message for any IRC connection denied by the IRC policy we created earlier in the lesson.
1. Double-click the IRC policy. The Edit Policy Properties dialog box appears.

2. Select the Properties tab.
3. Click Logging. The Logging and Notification dialog box appears.

4. Select the Send log message check box.
5. Select the Send Notification check box and keep the default Email selection.

6. Click OK to close the Logging and Notification dialog box.
7. Click OK to close the Edit Policy Properties dialog box.
8. Save the configuration file to your local hard drive as Policies-Configured.xml.
The Firebox will now send a log message to the WatchGuard Log Server each time an IRC packet is denied. The device also sends a message to the Log Server that tells it to send an email notification to the specified email address. For more information, see the Set Up Logging & Servers module.

Exercise 5 — Change Policy Precedence
When you define a new policy and configure the policy parameters, it is automatically sorted and placed in the proper order within Policy Manager. To illustrate the policy auto-ordering process, add the NetMeeting packet filter with the default properties and watch for the position in which it is placed.
To set Policy Manager to the Details view:
1. Select View > Details. In this view, policies appear in the order the device will use to process traffic.

2. Click . The Add Policies dialog box appears.

3. Expand the Packet Filters folder and double-click NetMeeting. The New Policy Properties dialog box appears.

4. Do not modify the policy.
5. Click OK. Click Close. The device automatically places the NetMeeting policy in the correct position according to its ordering criteria.

Override the Default Order of Policy Precedence
You can override the order in which the Firebox automatically puts policies. To change the order of policies, you switch to manual-order mode, select the policy whose order you want to change, and drag it to its new location. In this exercise, we move the NetMeeting policy so it has the lowest precedence.

The Auto-order Mode feature can be enabled or disabled. When the menu item has an adjacent check mark, Policy Manager sets the precedence. When the check mark is missing, Policy Manager uses manual-order mode.

To change the order of a policy:
1. Select View > Auto-order Mode.
2. Click Yes to confirm that you want to switch from auto-order mode to manual-order mode. The policy order numbers now have a gray background to indicate that you can move them.

3. Drag-and-drop the NetMeeting policy to the bottom of the list.

Exercise 6 — Use Advanced Policy Properties
After a few weeks of blocking all outgoing IRC traffic, the Successful Company managers notice that many of their engineering team are leaving at 5:00pm. A little research into the problem returns the surprising result that the engineers are perfectly willing to work late as long as they can chat on IRC with their friends outside the company. Productivity will increase if we schedule the IRC policy to let them chat in the evenings.
1. Double-click the IRC policy. The Edit Policy Properties dialog box appears.

2. Select the Advanced tab.

3. Adjacent to the Schedule drop-down list, click . The Clone Schedule dialog box appears.

4. In the Name text box, type Evenings.

5. In the Description text box, type Disable the policy in the evenings. You can use this schedule for other policies, so you should describe it with the hours blocked or allowed rather than the policy for which you are building it.

6. In the schedule grid, change the hours from 5:00 to 10:00 PM, Monday through Friday, to Non-operational hour.

7. Click OK to save the schedule and apply it to the IRC policy.
8. Click OK to close the Edit Policy Properties dialog box.
9. Save the configuration file as Policies-Done. You can compare your results with the Policies-Finish file included with the training.

Exercise 7 — Use Policy Tags and Filters to Group and Sort Policies
The Successful Company administrator has added two sets of FTP, RDP, and IRC policies to his configuration file: one for remote office users and one for corporate office users. He wants to easily separate the two sets of policies into groups so that he can see all the policies in the two sets at one time. To do this, he creates two policy tags, Remote and Corp, and applies them to all the policies configured for each group. He then creates and applies a filter to the policy list so that only the policies with those two policy tags appear in the list.

Create and Apply a Policy Tag
To create the policy tags and apply them to policies:
1. On the Firewall page, select all of the policies in the policy list for the remote office.
2. Right-click the selected policies and select Policy Tags > Add to policy > New. Or, select View > Policy Tags > Add to policy > New. The New Policy Tag dialog box appears.

3. In the Name text box, type a descriptive name for the tag for the remote policies. For this exercise, type Remote.
4. To specify a color for this policy tag, click Color and select a color from the palette. For this exercise, select blue.
5. Click OK. The Remote tag is applied to the policies you selected and appears in blue text in the Tags column for those policies. The tag also appears in the Tag List in the Manage Policy Tags dialog box.

The policy tags you create are automatically added to the Tag List so you can apply them to any new policies you add to your configuration file in future.

6. Select all of the policies in the policy list for the corporate office. 7. Right-click the selected policies and select Policy Tags > Add to policy > New. The New Policy Tag dialog box appears.

8. In the Name text box, type Corp.
9. Click Color and select a red from the palette.

10. Click OK. The Corp tag is applied to the policies you selected and appears in red text in the Tags column for those policies.

After the Remote and Corp policy tags are applied to the policies, the Successful Company administrator can sort the policy list by the Tags column. If a policy has more than one tag applied to it, the policy is grouped alphabetically by the applied policy tags. To sort the policy list and organize it alphabetically by policy tags, click the Tags column header. The policy list is rearranged so all policies with the same tag applied are grouped together.

Filter the Policy List
Because his device configuration file includes a large number of policies, the Successful Company administrator wants to filter the view of the policy list so only policies with the Remote and Corp policy tags applied to them appear in the list. When he applies a filter, the administrator can select whether or not policies must include all of the specified policy tags to appear in the filtered policy list.
To filter the policy list:
1. In the Tags column, click . The filter options list appears.

2. From the filter options list, select a filter option:
- Match All — Only policies that include all the specified policy tags appear in the filtered policy list. This is the default option.
- Match Any — Any policy that includes any of the specified policy tags appears in the filtered policy list.
For this exercise, because we want to see policies that have either the Corp or the Remote policy tag applied, select Match Any.
3. From the filter options list, select the policy tags to include in the filter. For this exercise, select Remote and Corp. The selected filter is applied to the list.

4. Click anywhere on the policy list to save your selection and apply the filter to the policy list. The policy list is updated to show only the policies that have either the Remote or Corp filter applied.

To save a filter:
1. From the Filter drop-down list, select Custom.
2. Click . The Save Filter dialog box appears.

3. In the Name text box, type a descriptive name for the filter. For this exercise, type Remote and Corp.
4. Click OK. The filter name appears in the Filter drop-down list and the Manage Filters list.

Now that the filter is saved, the Successful Company administrator can apply the filter at any time to see only the policies with the Corp or Remote policy tags applied. To clear all filters from the policy list, from the Filter drop-down list, select None. All filters are removed from the policy list.

Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.

1. Choose the appropriate policy type(s) for each task. (Select all that apply.)

   Task                                                            Packet Filter   Proxy
   Examine the header information                                  [ ]             [ ]
   Strip an attachment                                             [ ]             [ ]
   Examine the application layer content                           [ ]             [ ]
   Check for RFC compliance                                        [ ]             [ ]
   Block based on server command type                              [ ]             [ ]
   Check the source against a list of blocked sites                [ ]             [ ]
   Verify that the destination is a valid location on the trusted  [ ]             [ ]
   Send a log message if the packet is malformed                   [ ]             [ ]
   Generate a report on network traffic                            [ ]             [ ]

2. True or false? You can use the same operating schedule for multiple policies.
3. Which of the following protocols can be used in a custom policy? (Select all that apply.)
   A) TCP
   B) Frame Relay
   C) ATM
   D) UDP
   E) ICMP
4. True or false? Policies are ordered primarily by name.
5. True or false? You cannot use SNMP for policy event notifications.
6. True or false? You can only apply a policy tag to a single policy.
7. True or false? You cannot save a filter to apply it again later.
8. True or false? If you select Match All when you apply a filter, all policies that have any of the policy tags you include in the filter will appear in the filtered policy list.

ANSWERS
1. (X marks the policy type that applies to the task.)

   Task                                                            Packet Filter   Proxy
   Examine the header information                                  X               X
   Strip an attachment                                             -               X
   Examine the application layer content                           -               X
   Check for RFC compliance                                        -               X
   Block based on server command type                              -               X
   Check the source against a list of blocked sites                X               X
   Verify that the destination is a real location on the trusted   X               X
   Send a log message if the packet is malformed                   X               X
   Generate a report on network traffic                            -               -

2. True
3. A, D, and E
4. False
5. False
6. False
7. False
8. False. If you select Match All, only policies that have all of the policy tags you specify in the filter will appear in the filtered policy list.

Proxy Policies
Use Proxy Policies and ALGs to Protect Your Network

What You Will Learn
You can use proxy policies to protect servers and clients from threats. With a proxy policy, the Firebox examines the contents of each packet to determine whether the network traffic is safe. In this training module, you learn how to:
- Understand the purpose of each proxy policy or ALG (Application Layer Gateway)
- Configure the DNS proxy to protect your DNS server
- Prevent users from putting files on an external FTP server
- Configure access control for VoIP calls

Before you begin these exercises, make sure you read the Course Introduction module.

Proxy Policies and ALGs
A proxy policy is similar to a packet filter policy, except that it contains a set of additional rules called a proxy action to examine traffic. Application Layer Gateways (ALGs) are very similar to proxy policies, but also contain features that allow the Firebox to automatically manage some of the network connections necessary for Voice-over-IP (VoIP) sessions to operate correctly. There are nine proxy policies and ALGs that you can use: DNS, FTP, H.323, HTTP, HTTPS, POP3, SIP, SMTP, and TCP-UDP. Most proxy policies or ALGs have both a client and a server proxy action with different options. The exceptions are the DNS proxy, which has incoming and outgoing proxy actions, and the H.323-ALG and SIP-ALG, which only have client proxy actions. When you configure a new proxy policy, select the Client or Outgoing proxy action to protect users on your network, and the Server or Incoming proxy action to protect servers on your network. In this module, we discuss the DNS, FTP, H.323, SIP, and TCP-UDP proxy policies and ALGs. The HTTP, HTTPS, POP3, and SMTP proxy policies are discussed in other training modules.


About the DNS Proxy
The Domain Name System (DNS) is a network system of servers that translates numeric IP addresses into readable, hierarchical Internet addresses, and vice versa. This is what allows your computer network to understand that you want to reach the server at 200.253.208.100 or type the www.watchguard.com domain name into your browser. It is important to understand that the DNS proxy settings are useful only if the DNS request is routed through the Firebox. For example, if your network clients use a static IP address to connect directly to a DNS server on your network, the DNS proxy settings have no effect. The DNS proxy includes six categories:

General
The General category includes the basic DNS protocol anomaly detection rules to deny malformed and nonstandard DNS queries. We recommend that you do not change the default settings for these rules.

OpCodes
OPcodes (operational codes) are commands sent to a DNS server, such as query, update, or status requests. They operate on items such as registers, values in memory, values stored on the stack, I/O ports, and the bus. If you use Active Directory and your Active Directory configuration requires dynamic updates, you must allow DNS OPcodes in your DNS-Incoming proxy action rules. This is a security risk, but can be necessary for Active Directory to operate correctly. You use the OpCodes ruleset to allow or deny specific DNS OPcodes.

Query Types
Use the Query Types category to allow or deny DNS connections based on the type of DNS query sent in the connection.

Query Names
The Query Names category can be used to allow or deny DNS connections based on the fully qualified domain name sent in the connection.

Proxy Alarm
The Proxy Alarm category lets you define the type of alarm that is sent any time a notification is triggered by a DNS proxy action.
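As an added illustration (not WatchGuard code) of how the General, OpCodes, Query Types and Query Names rules are applied to a query, the following Python parses raw DNS query messages and runs them through a constructed DNS-Outgoing rule set. The allowed and denied lists and the sample messages are assumptions; the denied name is the one the DNS-Outgoing exercise at the end of this module blocks.

```python
"""Toy model of the DNS proxy rule categories (General, OpCodes, Query Types,
Query Names) applied to raw DNS query messages.  Added illustration, not
WatchGuard code; the rule sets and test messages are constructed."""
import struct
from typing import Tuple

OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
QTYPE_NAMES = {1: "A", 28: "AAAA", 15: "MX", 252: "AXFR", 255: "ANY"}

# Constructed DNS-Outgoing rule set.  UPDATE (5) is left out of the allowed
# opcodes; it is only needed where Active Directory requires dynamic updates.
ALLOWED_OPCODES = {0}
DENIED_QTYPES = {252, 255}
DENIED_NAMES = ["*.messenger.yahoo.com"]   # query name blocked in the exercise


class MalformedQuery(ValueError):
    """A message the General (protocol anomaly) rules would deny."""


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, opcode: int = 0, txid: int = 0x1234) -> bytes:
    """Build a single-question DNS message (constructed test input)."""
    flags = ((opcode & 0xF) << 11) | 0x0100          # QR=0 (query), RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_query(msg: bytes) -> Tuple[int, str, int]:
    """Return (opcode, query name, qtype); raise MalformedQuery on bad input."""
    if len(msg) < 12:
        raise MalformedQuery("header shorter than 12 bytes")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        raise MalformedQuery("QR bit set on a query")
    if qdcount != 1:
        raise MalformedQuery("expected exactly one question")
    opcode = (flags >> 11) & 0xF
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise MalformedQuery("name runs past end of message")
        length = msg[pos]
        if length & 0xC0:                 # compression pointer or reserved bits
            raise MalformedQuery("invalid label length in question name")
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise MalformedQuery("question section truncated")
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return opcode, ".".join(labels).lower(), qtype


def name_matches(pattern: str, name: str) -> bool:
    """Exact match, or wildcard *.example.com covering the domain and subdomains."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return name == base or name.endswith("." + base)
    return name == pattern


def inspect(msg: bytes) -> Tuple[str, str]:
    """Apply the categories in order and return (verdict, reason)."""
    try:
        opcode, name, qtype = parse_query(msg)
    except MalformedQuery as err:
        return "Deny", "General: %s" % err
    if opcode not in ALLOWED_OPCODES:
        return "Deny", "OpCodes: %s" % OPCODE_NAMES.get(opcode, opcode)
    if qtype in DENIED_QTYPES:
        return "Deny", "Query Types: %s" % QTYPE_NAMES.get(qtype, qtype)
    for pattern in DENIED_NAMES:
        if name_matches(pattern, name):
            return "Deny", "Query Names: %s" % pattern
    return "Allow", "no rule matched"


if __name__ == "__main__":
    for msg in (build_query("www.watchguard.com", 1),
                build_query("messenger.yahoo.com", 1),
                build_query("example.com", 255),
                build_query("example.com", 1, opcode=5),
                build_query("example.com", 1)[:-2]):
        print(inspect(msg))
```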

About the FTP Proxy
The FTP protocol is used to transfer files from clients to servers. Because the FTP protocol does not use encryption, we recommend that you configure the FTP proxy to protect FTP servers on your network, or secure the use of external FTP servers by users on your network. Each FTP session uses a control channel to transmit commands and responses, and one or more optional data channels to send and receive files. The FTP proxy includes seven categories:

General
These rules control basic FTP parameters such as maximum user name, password, file name, and command line length. You can also configure the maximum number of times that a user can attempt to authenticate, and automatically block connections that exceed these limits.

Commands
You can configure rules to put limits on some FTP commands. Use the FTP-Server proxy action to put limits on commands that can be used on the FTP server protected by your Firebox. Use the FTP-Client proxy action to put limits on commands that users protected by the Firebox can use when they connect to external FTP servers. The default configuration of the FTP-Client proxy action is to allow all FTP commands.

The user interface allows or denies based on protocol commands and not client commands. For a full reference on FTP protocol commands, we recommend you refer to RFC 959, section 4.1.

You generally should not block these commands, because they are necessary for the FTP protocol to work correctly:

   Protocol Command   Client Command   Description
   USER               n/a              Sent with login name
   PASS               n/a              Sent with password
   PASV               pasv             Select passive mode for data transfer
   SYST               syst             Print the server’s operating system and version. FTP clients use this information to correctly interpret and display server responses.

You can block these commands as necessary:

   Protocol Command   Client Command   Description
   RETR               get              Retrieve a file from the server
   STOR               put              Put a file on the server
   DELE               delete           Delete a file on the server
   RMD                rmdir            Delete a directory on the server
   MKD                mkdir            Create a directory on the server
   PWD                pwd              Print the Present Working Directory (PWD) path
   LIST               ls               List the names in the current directory path
   NLST               dir              Detailed list of files in the current directory path
   CDUP               cd ..            Move up in the server’s directory tree
   CWD                cd               Change to a specific directory on the server
   SITE               site             Send a server-specific command. This command is associated with FTP denial of service attacks and is often blocked for all FTP-Server proxy configurations.

Download
The Download ruleset controls the file names, extensions, or URL paths that users can download with FTP. Use the FTP-Server proxy action to control download rules for the FTP server protected by your Firebox. Use the FTP-Client proxy action to set download rules for users connecting to external FTP servers.

Upload
The Upload ruleset controls the file names, extensions, or URL paths that users can use FTP to upload. Use the FTP-Server proxy action to control upload rules for the FTP server protected by your Firebox. Use the FTP-Client proxy action to set upload rules for users connecting to external FTP servers. The default configuration of the FTP-Client proxy action is to allow all files to be uploaded.

AntiVirus
If you have purchased and enabled the Gateway AntiVirus feature, you can configure the actions to take if a virus is found in a file that is uploaded or downloaded. For more information, see the Signature Services and APT Blocker module.

Data Loss Prevention
If you have purchased and enabled the Data Loss Prevention feature, you can configure the DLP sensor that the FTP-proxy uses to examine allowed traffic.
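The following added Python (not WatchGuard code) models the General, Commands and Upload categories on a constructed FTP control-channel transcript, including the automatic block after too many failed logins. The limit values, the action names FTP-Client-NoUpload and FTP-Server-Protect, and the rule lists are assumptions.

```python
"""Toy FTP control-channel inspector modelled on the FTP proxy categories:
General limits (name, password and command-line length, login attempts with
automatic blocking), Commands rules and Upload rules.  Added illustration, not
WatchGuard code; limit values, rule lists and the session lines are constructed."""
from typing import Dict, List, Set, Tuple

# Protocol commands the proxy should always pass (first table above).
ESSENTIAL = {"USER", "PASS", "PASV", "SYST"}


class FtpProxyAction:
    """One FTP-Client or FTP-Server style proxy action applied to a session."""

    def __init__(self, name: str, denied_commands: Set[str],
                 denied_upload_ext: Set[str] = frozenset(), max_user: int = 64,
                 max_pass: int = 64, max_line: int = 256, max_auth_attempts: int = 3):
        self.name = name
        # Essential commands are never denied, whatever the rule list says.
        self.denied_commands = {c.upper() for c in denied_commands} - ESSENTIAL
        self.denied_upload_ext = {e.lower() for e in denied_upload_ext}
        self.max_user, self.max_pass, self.max_line = max_user, max_pass, max_line
        self.max_auth_attempts = max_auth_attempts
        self.failed_logins: Dict[str, int] = {}   # client address -> 530 replies seen
        self.blocked: Set[str] = set()

    def inspect_command(self, client: str, line: str) -> Tuple[str, str]:
        """Apply General, Commands and Upload rules to one client command line."""
        if client in self.blocked:
            return "Deny", "General: client blocked after failed logins"
        if len(line) > self.max_line:
            return "Deny", "General: command line too long"
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER" and len(arg) > self.max_user:
            return "Deny", "General: user name too long"
        if verb == "PASS" and len(arg) > self.max_pass:
            return "Deny", "General: password too long"
        if verb in self.denied_commands:
            return "Deny", "Commands: %s" % verb
        if verb == "STOR" and "." in arg:
            ext = arg.rsplit(".", 1)[1].lower()
            if ext in self.denied_upload_ext:
                return "Deny", "Upload: .%s files" % ext
        return "Allow", verb or "empty"

    def inspect_reply(self, client: str, line: str) -> None:
        """Count server replies: 530 is a failed login, 230 a successful one."""
        code = line[:3]
        if code == "530":
            n = self.failed_logins.get(client, 0) + 1
            self.failed_logins[client] = n
            if n >= self.max_auth_attempts:
                self.blocked.add(client)
        elif code == "230":
            self.failed_logins.pop(client, None)


def run_session(action: FtpProxyAction, client: str, lines: List[str]) -> List[Tuple[str, str]]:
    """Feed a constructed control-channel transcript through one action.
    Lines starting with 'C:' are client commands, 'S:' are server replies."""
    verdicts = []
    for line in lines:
        side, text = line.split(" ", 1)
        if side == "C:":
            verdicts.append(action.inspect_command(client, text))
        else:
            action.inspect_reply(client, text)
    return verdicts


# FTP-Client action for users connecting out: stop uploads (STOR) to external servers.
client_action = FtpProxyAction("FTP-Client-NoUpload", {"STOR"})
# FTP-Server action in front of the company server: block SITE and executable uploads.
server_action = FtpProxyAction("FTP-Server-Protect", {"SITE"}, {"exe", "dll"})

if __name__ == "__main__":
    transcript = ["C: USER alice", "S: 331 Password required", "C: PASS secret",
                  "S: 230 Login successful", "C: RETR report.pdf", "C: STOR notes.txt"]
    for verdict in run_session(client_action, "10.0.1.50", transcript):
        print(verdict)
```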

Proxy and AV Alarms
An alarm is a mechanism to tell a network administrator when network traffic matches criteria for suspicious traffic or content. When an alarm event occurs, the Firebox takes the action that you configure. For example, you can set a threshold value for file length. If the file is larger than the threshold value, the device can send a log message to the Log Server.

APT Blocker
If you have purchased and enabled the APT Blocker feature, you can enable it for use with the FTP-proxy to examine FTP traffic for advanced malware threats.

About H.323 and SIP ALGs
Voice-over-IP (VoIP) software and devices use either the H.323 or the SIP protocol to make network connections and transmit data. You can use the H.323 or SIP ALGs to deny connections that use unauthorized audio or video codecs, permit or deny specified users the ability to start or receive VoIP calls, and set other general security settings. The H.323 and SIP ALGs each have three categories:

General
The options in this category are used to prevent common VoIP attacks and ensure that VoIP connections follow accepted standards. We recommend that you do not change these settings unless it is necessary to operate with your VoIP devices, software, or service provider.

Access Control
Use the settings in this category to allow users on your network to start and/or receive VoIP calls. You can configure a different access level for each user with a hostname, IP address, or email address.

Denied Codecs
You can use this category to prevent users on your network from sending or receiving calls with a VoIP service that you have not authorized, or a VoIP service that has known security problems. Any connection that uses a codec from this list is automatically dropped.

About the TCP-UDP Proxy
The TCP-UDP proxy is used to examine and filter HTTP, HTTPS, SIP, and FTP traffic that does not use the standard ports associated with those protocols. For example, when the TCP-UDP proxy recognizes HTTP traffic on a port other than TCP port 80, it uses the proxy action you specify to examine that traffic. The TCP-UDP proxy has one proxy action category:

General
This category enables the Firebox to examine HTTP, HTTPS, SIP, and/or FTP traffic sent on non-standard ports using the proxy actions you specify. You can also choose to allow or deny traffic from other protocols.


Exercise 1 — Use the DNS-Outgoing Proxy Action
Because of problems associated with adware accidentally downloaded to their network, the Successful Company network administrator would like to block DNS requests to messenger.yahoo.com. This site has been associated with programs that also install malware, such as Gator. Malware refers to a group of software applications that are usually installed without a user’s knowledge or consent. Most malware programs are designed to capture private information or allow attackers to use resources on your network.

Add a DNS Outgoing Proxy Policy
1. Click . Or, select Edit > Add Policies. The Add Policies dialog box appears.

2. Expand the Proxies folder and double-click DNS-proxy. The New Policy Properties dialog box appears with the Policy tab selected.

3. In the Name text box, type DNS-Outgoing-Proxy. You do not need to change the From and To settings because they are already set from your trusted networks to any computer on the external network.

4. From the Proxy Action drop-down list, make sure DNS-Outgoing is selected.


Block a DNS Request by Query Name
1. Click . The DNS Proxy Action Configuration dialog box appears for the DNS-Outgoing actions.

2. In the Categories list, select Query Names. The Query Names list appears with messenger.yahoo.com already in the list, but it is not active. This rule was included in the default configuration for your use, but is not yet active.

3. To activate the rule, click Change View. The Rules (advanced view) page appears.

If the Enabled or Action settings are different for any of the rules in the list, you see a warning message when you try to select Simple View.

4. Select the messenger.yahoo.com check box. The default DNS proxy configuration does not deny DNS requests that contain messenger.yahoo.com. To edit the properties of this rule, click Edit.


5. Click OK to close the DNS Proxy Action Configuration dialog box. The Clone Predefined or DVCP-created Object dialog box appears. Because DNS-Outgoing is a template, you cannot change it. Instead, you must make a copy and use it for your policies. The default name for the cloned policy is DNS-Outgoing.1.

6. In the Name text box, type a new name for this action. For example, type DNS-Outgoing-Deny-Yahoo-Messenger.

7. Click OK to clone the template. The proxy action appears in the New Policy Properties dialog box in the Proxy action drop-down list.

8. Click OK to close the New Policy Properties dialog box.

9. Click Close to close the Add Policy dialog box. The DNS-Outgoing-Proxy policy appears in your policy list.


Exercise 2 — Configure an FTP-Server Proxy Action
In this exercise, the Successful Company administrator uses Policy Manager to edit the predefined FTP-Server proxy action to restrict the types of FTP connections to the Successful Company FTP server. Specifically, the administrator will:

- Make sure that users cannot delete a file from the Successful Company FTP server.
- Restrict the type of files that users can upload to the FTP server to text files only, to help prevent abuse of the Successful Company FTP server.

Deny the Delete Command 1. Click . Or, select Edit > Add Policies. The Add Policies dialog box appears.

2. Expand the Proxies folder and double-click FTP-proxy. The New Policy Properties dialog box appears.

3. In the Name text box, type FTP-Proxy-Server.

4. From the Proxy action drop-down list, select FTP-Server.Standard. Click . The FTP Proxy Action Configuration dialog box appears.

5. From the Categories list, select Commands.


6. Click Change View. The Rules (advanced view) page appears. In the advanced view, you can change command order as well as add, remove, enable, and disable individual commands.

7. Select the Allow DELE * list item. Click Edit. The Edit Command Rules dialog box appears for the DELE * rule.


8. From the Action drop-down list, select Deny.

9. Click OK to close the Edit Commands Rule dialog box. The FTP Proxy Action Configuration dialog box appears again, with the Deny DELE * check box enabled. This rule tells the device to deny any FTP connections that try to delete a file from the FTP server.


Restrict FTP File Uploads to Text Only
Now you configure settings to allow a user to save a text file to the Successful Company FTP server.

1. In the Categories list, select Upload.

2. In the Pattern text box, type *.txt. Click Add. The .txt item appears in the Upload list. This enables the device to allow text files to be uploaded to the FTP server.

3. Click OK to close the FTP Proxy Configuration dialog box. The Clone Predefined or DVCP-created Object dialog box appears. Because FTP-Server is a template, you cannot change it. Instead, you must make a copy and use it for your policies. The default name for the cloned policy is FTP-Server.1.

4. In the Name text box, type a new name for this action. For example, type FTP-Server-Deny-Delete-Upload-TXT.

5. Click OK to clone the template. The proxy action appears in the New Policy Properties dialog box in the Proxy action drop-down list.

6. Click OK to close the New Policy Properties dialog box.

7. Click Close to close the Add Policies dialog box. The FTP-Proxy-Server policy appears in Policy Manager.


Exercise 3 — Set Access Controls on H.323 Connections The Successful Company has recently invested in some VoIP devices as part of a network expansion. These devices use the H.323 protocol. However, some employees in the Sales department have installed their own VoIP software on their computers, and this has led to network congestion and other problems. In this exercise, the administrator creates an H.323 ALG that allows a few employees to start or receive VoIP calls, and prevents all other employees from using H.323 VoIP devices. 1. Click . Or, select Edit > Add Policies. The Add Policies dialog box appears.

2. Expand the Proxies folder and double-click H323-ALG. The New Policy Properties dialog box appears with the Policy tab selected.

3. In the Name text box, type H323-VoIP-Limited.

4. From the Proxy Action drop-down list, make sure H.323-Client is selected.

5. Click . The H323-ALG Action Configuration dialog box appears.

6. In the Categories list, select Access Control.

7. Select the Enable access control for VoIP check box.

8. In the Address of Record text box, type jsmith@example.com.

9. From the Access level drop-down list, select Start and receive calls.

10. Click Add. jsmith@example.com appears in the Access Levels list. The Log check box is selected by default.


11. Repeat Steps 8–9 and add [email protected] and [email protected] to the Access Levels list.

12. Click OK to close the H323-ALG Action Configuration dialog box. The Clone Predefined or DVCP-created Object dialog box appears. Because H323-Client is a template, you cannot change it. Instead, you must make a copy and use it for your policies. The default name for the cloned policy is H323-Client.1.

13. In the Name text box, type a new name for this action. For example, type H323-Client-VoIP-Limited.

14. Click OK to clone the template. The proxy action appears in the New Policy Properties dialog box in the Proxy action drop-down list.

15. Click OK to close the New Policy Properties dialog box. The H323-VoIP-Limited ALG appears in Policy Manager.

16. Click Close to close the Add Policies dialog box.


Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.

1. Fill in the blank: To protect your DNS server from attacks, you configure a DNS-proxy policy with the _________ ____ proxy action.

2. What is the function of a DNS server? (Select one.)
   A) Distribute IP addresses to computers when they connect to a network
   B) Assign domain names to individual networks
   C) Translate numeric IP addresses into readable Internet addresses
   D) Distribute MAC addresses to computers when they connect to a network
   E) Connect IP addresses to their associated MAC addresses

3. What is the best pattern match to block Adobe PDF documents in FTP uploads? (Select one.)
   A) *.pdf
   B) *PDF
   C) .*df
   D) *.p*

4. True or false? An Application Layer Gateway (ALG) is the same as a packet filter policy.

5. What are some reasons to create a TCP-UDP-proxy? (Select all that apply.)
   A) Examine DNS traffic that is not sent over TCP port 53
   B) Examine HTTP traffic that is not sent over TCP port 80
   C) Block instant messaging and peer-to-peer applications
   D) Block email viruses in SMTP and POP3 traffic
   E) Filter FTP traffic sent through data channels


ANSWERS
1. DNS-Incoming.
2. C
3. A
4. False. An ALG is similar to a proxy policy and also manages some network connections used by that protocol.
5. B and E


Email Proxies and Blocking Spam Use the SMTP and POP3 Proxies to Protect Email

What You Will Learn
Your Firebox uses two proxy policies to control email traffic: SMTP and POP3. In this training module, you learn how to:

- Restrict the types of connections to an SMTP server
- Modify the allowable message size
- Allow and deny different content types and filenames
- Restrict email by attachment filename
- Deny incoming SMTP traffic by domain
- Prevent mail relay
- Restrict outgoing POP3 traffic and lock attachments
- Activate and configure spamBlocker
- Specify the actions to take when spam is detected
- Exclude email messages from certain sources
- Monitor spamBlocker activity

Before you begin these exercises, make sure you read the Course Introduction module. For more information about the protocols used for email and controlled by the SMTP and POP3 proxies, see the RFC Archives:

- SMTP — RFC 821 at http://tools.ietf.org/html/rfc821
- POP3 — RFC 1939 at http://www.faqs.org/rfcs/rfc1939.html


In this module, you will configure an optional feature of your Firebox. To view these settings, you must first purchase a license key for spamBlocker. To activate the license key you must have access to a Firebox. If you take this course with a WatchGuard Certified Training Partner, your instructor will provide you with both a Firebox and a license key.

Control the Flow of Email In and Out of Your Network WatchGuard System Manager includes two proxy policy templates to manage email: SMTP (Simple Mail Transfer Protocol) and POP3 (Post Office Protocol). There are significant differences between the two protocols, so most organizations rely on either one or the other rather than using both in the same network. For example, you can deny or quarantine SMTP messages. With POP3, however, you can only strip or lock attachments but not stop the delivery of a message. This makes POP3 slightly less secure.

SMTP Rulesets
SMTP is a protocol used to send email messages between servers, or between clients and servers. The default port for SMTP traffic is TCP port 25. You can use the SMTP-proxy to control email messages and email content. The proxy scans SMTP messages and compares their contents to the rules in the proxy configuration. The SMTP-proxy checks the message for harmful content and RFC compliance. It examines the SMTP headers, message recipients, senders, and content, as well as any attachments. The SMTP-proxy can restrict traffic from specific user names or domains. It can also strip unwanted or dangerous SMTP headers, filter attachments by filename or MIME content type, or deny the email based on an address pattern. The ability to strip header information is particularly valuable to many network administrators. The SMTP-proxy requires no additional configuration for either your email server or your network clients. When you create an SMTP-proxy policy, you can choose from two default proxy actions:

SMTP-Incoming.Standard
This proxy action includes rulesets to protect your SMTP email server from external traffic.

SMTP-Outgoing.Standard
This proxy action includes rulesets to control outgoing SMTP connections from users on your trusted and optional networks.


POP3 Rulesets
POP3 is a protocol that moves email messages from an email server to an email client. The POP3 protocol operates on TCP port 110. Most Internet-based email accounts use POP3. With POP3, an email client contacts the email server and checks for any new email messages. If it finds a new message, it downloads the email message to the local email client. After the message is received by the email client, the connection is closed. When you create a POP3-proxy policy, you can choose from two default proxy actions:

POP3-Server.Standard
This proxy action includes rulesets to protect your POP3 email server from external traffic.

POP3-Client.Standard
This proxy action includes rulesets to control outgoing POP3 connections from users on your trusted and optional networks to public POP3 servers.

You can use the default settings for the SMTP and POP3 proxy actions, or you can modify the proxy action settings to match the needs of your organization. In this module, we will show you how to modify the incoming and outgoing proxy action rulesets.

Stop Unwanted Email at the Network Edge Unwanted email, also known as spam, fills the average Inbox at an amazing rate. A large volume of spam decreases the bandwidth available to other applications, degrades employee productivity, and wastes network resources. The WatchGuard spamBlocker™ service uses industry-leading anti-spam technology from CYREN (formerly Commtouch) to block spam at your Internet gateway. spamBlocker looks for patterns in spam traffic, instead of the contents of individual email messages. Because it uses a combination of rules, pattern matching, and sender reputation, it can find spam in any language, format, or encoding method.

You can also use APT Blocker to stop malware threats from entering your network through the SMTP-proxy or POP3-proxy. For more information, see the Signature Services and APT Blocker training module.


WatchGuard spamBlocker works with SMTP and POP3 proxy policies to examine up to 20,000 bytes of each inbound email message. You can configure the Firebox to take any of the following actions when spamBlocker determines that an email message processed by the SMTP proxy is spam:

- Deny — Stops the spam email message from being delivered to the mail server. The Firebox sends this message to the sending email server: Delivery not authorized, message refused.
- Add subject tag — Identifies the email message as spam or not spam and allows spam email messages to go to the mail server. See the subsequent section for more information on spamBlocker tags.
- Allow — Allows spam email messages to go through the Firebox without a tag.
- Drop — Drops the connection immediately. Unlike the Deny option, the Firebox does not give any SMTP error messages to the sending server.
- Quarantine — Sends the message classified as spam to a Quarantine Server.

If you use spamBlocker with the POP3 proxy, you have only two actions to choose from: Add Subject Tag and Allow. You cannot use the Quarantine Server with the POP3 proxy.

spamBlocker and DNS
You must configure at least one DNS server so the Firebox can resolve the IP addresses of the CYREN servers. If you do not do this, spamBlocker will not operate.

If your spam catch rates have not improved after you enable spamBlocker, make sure that you have DNS configured on your Firebox device. DNS is required for connections to the CYREN servers.


spamBlocker Tags
The Firebox can add spamBlocker tags to the subject line of the email message. You can also configure spamBlocker to customize the tag that it adds. This example shows the subject line of an email message that was classified as spam. The tag added is the default tag: ***SPAM***.

Subject: ***SPAM*** Free auto insurance quote

Here are some examples of other possible spamBlocker tags:

Subject: (SPAM) You've been approved!
Subject: [POSSIBLE SPAM] Save 75%
Subject: [JUNK EMAIL] Free shipping
Subject: *SPAM/BULK* 10 lbs in 10 days!

spamBlocker Categories
spamBlocker puts potential spam email messages into three categories based on the classification of the mail envelope:

- Confirmed Spam — Includes email messages that come from known spammers. We recommend you use the Deny action for this type of email if you use spamBlocker with the SMTP proxy, or the Add subject tag action if you use spamBlocker with the POP3 proxy.
- Bulk — Includes email messages that do not come from known spammers, but do match some known spam structure patterns. We recommend that you use the Add subject tag action for this type of email, or the Quarantine action if you use spamBlocker with the SMTP proxy.
- Suspect — Includes email messages that could be associated with a new spam attack. Frequently, these messages are legitimate email messages. We recommend that you use the Allow action for this type of email, or the Quarantine action if you use spamBlocker with the SMTP proxy.

spamBlocker Exceptions
The Firebox might sometimes identify a message as spam when it is not spam. If you know the address of the sender, you can configure the device with an exception that tells it not to examine messages from that source address or domain.


Global spamBlocker Settings
You can use global spamBlocker settings to optimize spamBlocker for your own installation. Because most of these parameters affect the amount of memory that spamBlocker uses on the Firebox, you must balance spamBlocker performance with other device functions. To configure these settings, click Settings in the spamBlocker dialog box.

Virus Outbreak Detection maximum file size to scan
Virus Outbreak Detection (VOD) is a technology that identifies email virus outbreaks worldwide within minutes and then provides protection against those viruses. Provided by CYREN, VOD catches viruses even faster than signature-based systems. Select the Enable Virus Outbreak Detection (VOD) check box to enable VOD. In the VOD maximum file size to scan text box, you can set the number of bytes of an email message that VOD scans. VOD uses the larger of the Maximum file size to scan and the VOD maximum file size to scan.

Maximum file size to scan
In the Maximum file size to scan text box, you can set the number of bytes of an email message that will pass to spamBlocker to be scanned. Usually, 20–40K is sufficient for spamBlocker to correctly detect spam. However, if image-based spam is a problem for your organization, you can increase the maximum file size to block more image-based spam.

Cache size
In the Cache size text box, type or select the number of entries spamBlocker caches locally for messages that have been categorized as spam and bulk. A local cache can improve performance because it reduces network traffic. Usually, you do not have to change this value.

Proactive Patterns
To disable the CYREN CT Engine Proactive Patterns feature, clear the Enable proactive patterns check box. The Proactive Patterns feature allows spamBlocker to identify and block new spam messages even before the recurrent pattern is added to the CYREN database. For example, each day new types of spam tricks are introduced on the Internet. With Proactive Patterns enabled, spamBlocker blocks email messages that use the newly identified spam methods. When clear patterns are established for these new attacks, the pattern is added to the CYREN database. This feature is enabled by default. It requires large amounts of space while the local database on the Firebox is updated. If your Firebox has limited memory or processor resources, consider disabling this feature.

spamBlocker does not detect spam in outgoing SMTP email. To prevent spam from originating from your network and conserve network resources, you should disable email relay functionality on your email server and enable email relay protection for inbound email using the incoming SMTP proxy action.


Use an HTTP Proxy Server
To configure spamBlocker to use an HTTP proxy server to connect to the CYREN server through the Internet:

1. Select the HTTP Proxy Server tab.

2. Select the Contact the spamBlocker server using an HTTP proxy server check box.

3. In the remaining fields on this tab, select the parameters for the proxy server. This includes the address of the proxy server, the port the Firebox must use to contact the proxy server, and the authentication credentials the Firebox uses for proxy server connections (if required by the proxy server).

Adding Trusted Email Forwarders The spam score for an email message is calculated in part using the IP address of the server from which the message was received. If an email forwarding service is used, the IP address of the forwarding server is used to calculate the spam score. Because the forwarding server is not the initial source email server, the spam score can be inaccurate. To improve spam scoring accuracy, you can add one or more host names or domain names of email servers that you trust to forward email to your email server. With this feature, spamBlocker ignores the trusted email forwarder in the email message headers. The spam score is then calculated using the IP address of the source email server.


Exercise 1 — Use the SMTP-Proxy to Protect Your Mail Server Successful Company is growing. With all the new employees, incoming email is increasingly a potential vector for malware. In this exercise, we use Policy Manager to configure an incoming SMTP-proxy policy to protect their SMTP server.

Add an Incoming SMTP-Proxy Policy
In the NAT training module, we added an incoming SMTP-proxy policy so that we could use network address translation (NAT) to protect the Successful Company SMTP server. If you did not complete that exercise, you may need to add an SMTP-Incoming proxy policy.

1. Open the configuration file you are editing for these exercises. To use the policy you created in the NAT training module, open that configuration file, double-click the SMTP-proxy policy to edit it, and continue with Step 5.

2. Click . Or, select Edit > Add Policy. The Add Policies dialog box appears.

3. Expand the Proxies folder.

4. Select SMTP-proxy and click Add. The New Policy Properties dialog box appears with the Policy tab selected.

5. In the Name text box, type SMTP-Incoming-Proxy.

6. From the Proxy Action drop-down list, select SMTP-Incoming.Standard.

7. In the To section, click Add. The Add Address dialog box appears.

8. Click Add SNAT. The SNAT dialog box appears.

9. Click Add. The Add SNAT dialog box appears.

10. In the SNAT Name text box, type SMTP-Incoming-SNAT.

11. Make sure the Static NAT option is selected.

12. Click Add. The Add Static NAT dialog box appears.

13. In the Internal IP Address text box, type 10.0.1.25. This is the IP address of the Successful Company SMTP server on the trusted network.

14. Click OK to close the Add Static NAT dialog box. The new Static NAT entry appears in the SNAT Members list.

15. Click OK to close the Add SNAT dialog box. The SMTP-Incoming-SNAT entry appears in the SNAT list.

16. Click OK to close the SNAT dialog box. The SMTP-Incoming-SNAT entry appears in the Selected Members and Addresses list.

17. Click OK to close the Add Address dialog box. The New Policy Properties dialog box appears.

18. Adjacent to the Proxy action drop-down list, click . The SMTP Proxy Action Configuration dialog box appears.

19. In the Description text box, type Modified policy for email inbound.


Decrease Maximum Message Size
The default maximum email message size is 20 MB. In the past, Successful Company employees used email to exchange files with outside vendors. Now that Successful Company has a protected FTP server, the network administrator wants to discourage using the email server for large attachments. In this exercise we will reduce the maximum email size to 5 MB (5,000 kilobytes).

Encoding can increase the length of files by up to one-third.

In the SMTP Proxy Action Configuration dialog box:

1. In the Categories list, expand General and select General Settings. The General Settings page appears.

2. In the Limits section, select the Set the maximum email size to check box. In the adjacent text box, type 5000.


Allow and Deny Content Types and Filenames
Successful Company employees complain that they cannot receive certain email attachments that they need to do their jobs. By default, the SMTP incoming proxy is highly secure and allows very few types of email attachments. Because the network administrator does not have a comprehensive list of the MIME types that his organization’s employees use on a regular basis, he decides to turn content type filtering off but continue to filter email attachments by filename. He can do this until he understands better what content types are used. He understands this is a temporary reduction in security, but he accepts the business risk. At the same time, the Successful Company network administrator realizes that it is very important to carefully restrict email attachments by filename. He accepted the default list of filenames denied by the SMTP-Incoming ruleset. Now he must make two changes to meet the needs of his organization. He must configure the Firebox to allow Microsoft Access database files to go through the SMTP-proxy. He must also configure the device to deny MP4 files because of a recent vulnerability announced by Apple.

The SMTP-proxy can also scan content types and filenames that are stored in compressed archive files such as ZIP files.

In the SMTP Proxy Action Configuration dialog box:

1. In the Categories list, expand Attachments and select Filenames. The Filenames page appears.

2. To switch to Advanced View, click Change View.


3. In the Filenames list, double-click .mdb. The Edit Filenames Rule dialog box appears for the .mdb filename extension. This filename extension is for Microsoft Access databases.

4. From the Action drop-down list, select Allow. Click OK. The SMTP Proxy Action Configuration dialog box appears.

5. Click Add. The New Filenames Rule dialog box appears.

6. In the Rule Name text box, type mp4.

7. In the Rule Settings text box, type *.mp4.

8. In the Action drop-down list, select Strip. Click OK. The SMTP proxy action is now configured to deny all files with the Apple iTunes “.mp4” file extension sent to the SMTP server.


Control Mail Domain Use for Incoming Traffic to Prevent Mail Relay
Another way to protect your SMTP server is to restrict incoming traffic to only messages that use your company domain. This prevents external users from using your internal email server as a mail relay to send spam. In this example, we use the example.com domain.

Another way to keep your server from being used as a relay is to use the Rewrite Banner Domain and Rewrite HELO Domain options included in the SMTP-proxy action General Settings. This enables your Firebox to change the From and To components of your email address to a different value. This feature is also known as SMTP masquerading.

In the SMTP Proxy Action Configuration dialog box:

1. In the Categories list, expand Address and select Rcpt To. The Rcpt To page appears.

2. In the Pattern text box, type *@example.com. Click Add. *@example.com appears in the Rules list. This denies any email messages sent to an address that does not match the company domain.


3. Click OK to close the SMTP Proxy Action Configuration dialog box. The Clone Predefined or DVCP-created Object dialog box appears.

Because SMTP-Incoming is a template, you cannot change it. You can only make a copy and use it for your policies.

4. In the Name text box, type SMTP-Incoming-Email.

5. Click OK to clone the template. The New Policy Properties dialog box appears, with SMTP-Incoming-Email in the Proxy action drop-down list.

6. Click OK to close the New Policy Properties dialog box.

7. Click Close to close the Add Policies dialog box. The SMTP-Incoming-Proxy policy appears in your policy list.


Exercise 2 — Control Outgoing SMTP Connections
A network administrator at Successful Company has reviewed the default rulesets that are included with the SMTP-Outgoing proxy action and wants to make these changes:

- Remove the restriction on email size
- Prevent users from sending email with Microsoft Windows screensavers attached

Add an Outgoing SMTP-Proxy Policy To configure all outgoing SMTP traffic, the Successful Company first adds an outgoing SMTP-proxy policy. 1. Click . Or, select Edit > Add Policy. The Add Policies dialog box appears.

2. Expand the Proxies folder and double-click SMTP-proxy. The New Policy Properties dialog box appears.

3. In the Name text box, type SMTP-Server-Outgoing.

4. In the From list, select Any-External. Click Remove. Any-External is removed from the From list.

5. Click Add. The Add Address dialog box appears.

6. Click Add Other. The Add Member dialog box appears.

7. In the Value text box, type 10.0.1.25.
8. Click OK to close the Add Member dialog box. The IP address appears in the Selected Members and Addresses list.

9. Click OK to close the Add Address dialog box. The IP address appears in the From list in the New Policy Properties dialog box. The Successful Company SMTP server on the trusted network is now added to the policy.

10. In the To section, click Add. The Add Address dialog box appears.

11. In the Available Members list, double-click Any-External. Any-External appears in the Selected Members and Addresses list.

12. Click OK. The policy now controls all traffic from the SMTP server to any computer on the external networks.

13. From the Proxy action drop-down list, select SMTP-Outgoing.Standard.


Control Email Message Size

Successful Company management requests that there not be limits on the size of outgoing email. To configure this setting, we will update the outgoing SMTP rulesets.

In the New Policy Properties dialog box:
1. On the Policy tab, adjacent to the Proxy action drop-down list, click .
2. In the Categories list, expand General and select General Settings. The General Settings page appears. The setting changes made for the SMTP incoming proxy do not appear here. This policy controls only outgoing SMTP traffic.

3. In the Limits section, clear the Set the maximum e-mail size to check box. This removes any restrictions on email size.


Restrict Email by Attachment Filename

The Successful Company network administrators are aware that Windows screensavers are sometimes associated with viruses and have no positive effect on their business. These screensavers, with a filename extension of .scr, are denied by default in the SMTP-Incoming proxy action. To make sure that their users do not accidentally send out a virus-infected email message, and to make sure that no virus forwards infected messages with the SCR filename as an attachment, they want to deny the .scr file extension for outgoing email. They also want to make sure they are notified by email if anyone tries to send a Windows screensaver with the .scr file extension.

In the SMTP Proxy Action Configuration dialog box:
1. In the Categories list, expand Attachments and select Filenames. The Filenames page appears.
2. In the Pattern text box, type *.scr*. Click Add. *.scr* appears in the Rules list. The asterisk at the end of the pattern makes sure that Windows screensavers with a trailing filename extension (such as *scr.txt) are also blocked.

3. From the If matched drop-down list, select Strip. This removes any attachment with .scr in the filename extension, but allows the rest of the email through.

4. Adjacent to the If matched drop-down list, select the Alarm and Log check boxes.

5. In the Categories list, select Proxy and AV Alarms. The Proxy and AV Alarms page appears.

6. Select the Send Notification check box and the Email option.


7. Click OK to close the SMTP Proxy Action Configuration dialog box. The Clone Predefined or DVCP-created Object dialog box appears.

You can export custom proxy configurations from one configuration to an XML file, and then import the ruleset to another Firebox configuration file. You can see the Import and Export functions when you look at a proxy ruleset in the Advanced view.

8. (Optional) In the Name text box, type a unique name for the proxy action. The default name for a clone is SMTP-Outgoing.1. You can also give it a friendly name to help you recognize it.

9. Click OK to clone the template. The New Policy Properties dialog box appears.

10. Click OK to close the New Policy Properties dialog box. The Add Policies dialog box appears.

11. Click Close. The new SMTP policy appears in the policies list.
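As an added example (not WatchGuard's code), the following Python model shows how an ordered proxy ruleset with an "if none matched" action decides on a message: it applies the Exercise 1 Rcpt To rule and the Exercise 2 Filenames rule to constructed recipients and attachment names. Wildcard matching is modelled with fnmatch, which is an assumption about the Firebox pattern syntax.

```python
"""Added example, not WatchGuard code: a small model of an ordered proxy
ruleset with an "if none matched" action, applied to constructed messages."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Rule:
    pattern: str
    action: str           # "Allow", "Deny" or "Strip"
    alarm: bool = False   # the Alarm check box beside "If matched"
    log: bool = False     # the Log check box beside "If matched"


@dataclass
class Ruleset:
    rules: list
    none_matched: str     # action applied when no rule matches

    def decide(self, value: str):
        """First matching rule wins, as in the proxy action Rules list."""
        for rule in self.rules:
            if fnmatchcase(value.lower(), rule.pattern.lower()):
                return rule.action, rule
        return self.none_matched, None


# Exercise 1 (SMTP-Incoming-Email): only recipients in the company domain are
# allowed, so mail for other domains is denied and the server cannot relay it.
RCPT_TO = Ruleset([Rule("*@example.com", "Allow")], none_matched="Deny")

# Exercise 2 (outgoing proxy action): any attachment with ".scr" in its name is
# stripped, with Alarm and Log set; the trailing * also catches names such as
# "update.scr.txt".
FILENAMES = Ruleset([Rule("*.scr*", "Strip", alarm=True, log=True)],
                    none_matched="Allow")


def process_message(recipients, attachments,
                    rcpt_to: Optional[Ruleset] = None,
                    filenames: Optional[Ruleset] = None):
    """Run the configured rulesets over a constructed message.

    Returns a dict with the verdict for the message as a whole, the
    attachments that are kept or stripped, what (if anything) denied the
    message, and the alarm/log notifications a matched rule would raise."""
    result = {"verdict": "Allow", "denied_by": None,
              "kept": [], "stripped": [], "notifications": []}

    if rcpt_to is not None:
        for rcpt in recipients:
            action, _ = rcpt_to.decide(rcpt)
            if action == "Deny":
                result["verdict"] = "Deny"
                result["denied_by"] = ("Rcpt To", rcpt)
                return result

    if filenames is None:
        result["kept"] = list(attachments)
        return result

    for name in attachments:
        action, rule = filenames.decide(name)
        if rule is not None:
            if rule.alarm:
                result["notifications"].append(("alarm", name))
            if rule.log:
                result["notifications"].append(("log", name))
        if action == "Strip":
            result["stripped"].append(name)   # the rest of the message goes through
        elif action == "Deny":
            result["verdict"] = "Deny"
            result["denied_by"] = ("Filenames", name)
            return result
        else:
            result["kept"].append(name)
    return result


if __name__ == "__main__":
    # Incoming: a message addressed to an outside domain is refused (no relaying).
    print(process_message(["bob@example.com", "mallory@other.org"], [],
                          rcpt_to=RCPT_TO))
    # Outgoing: .scr attachments are stripped, the rest is delivered.
    print(process_message(["partner@other.org"],
                          ["report.pdf", "funny.scr", "update.scr.txt", "screen.docx"],
                          filenames=FILENAMES))
```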


Exercise 3 — Use a POP3-Client Policy

Successful Company’s network policy is to prohibit connections to all external POP3 servers. Unfortunately, the new CFO insists on downloading his personal mail from Impersonal ISP. He says he absolutely cannot do business without this service, and the CEO concurs. However, the CEO insists that the CFO must not be able to download attachments with his POP3 account. In this exercise, we will use the POP3-proxy to allow the CFO to connect to his service provider. While we cannot quarantine his attachments, we can lock them. There is a small hope that this will prove so inconvenient that the CFO will want to switch to the company Exchange server.

Add a POP3 Client Policy

1. Click . Or, select Edit > Add Policy. The Add Policies dialog box appears.

2. Expand the Proxies folder.
3. Double-click POP3-proxy. The New Policy Properties dialog box opens.

4. In the Name text box, type POP3-CFO.
5. In the From list, select Any-Trusted. Click Remove. Any-Trusted is removed from the From list.

6. Click Add. The Add Address dialog box appears.

7. Click Add Other. The Add Member dialog box appears.

8. In the Value text box, type 10.0.1.202.
9. Click OK to close the Add Member dialog box. The Add Address dialog box appears with the IP Address in the Selected Members and Addresses list.

10. Click OK to close the Add Address dialog box.

The New Policy Properties dialog box appears. These actions add the Successful Company CFO’s desktop computer on the trusted network to the policy.

11. In the To list, select Any-External. Click Remove. Any-External is re moved from the To list.

12. Click Add. The Add Address dialog box appears.

13. Click Add Other. The Add Member dialog box appears.

14. From the Choose Type drop-down list, select Host Name (DNS lookup).
15. In the Value text box, type mail.yahoo.com.
16. Click OK to close the Add Member dialog box. The Add Address dialog box appears. Policy Manager does a one-time DNS lookup for the host name mail.yahoo.com. The IP Address for mail.yahoo.com appears in the Selected Members and Addresses list.


17. Click OK to close the Add Address dialog box. The New Policy Properties dialog box appears with the IP Address for mail.yahoo.com in the To list. Now the policy controls all traffic from the CFO to the mail servers.

Configure the POP3 Policy to Lock Attachments

On the Policy tab:
1. From the Proxy action drop-down list, select POP3-Client.Standard.
2. Adjacent to the Proxy action drop-down list, click . The POP3 Proxy Action Configuration dialog box appears.

3. In the Categories list, expand Attachments and select Content Types. The Content Types page appears. By default, Content Type auto-detection is enabled and attachments are allowed.

4. From the If matched drop-down list, select Lock. This setting enables the CFO to receive locked attachments that match the content types listed. All other attachments are stripped.


5. Click OK to close the POP3 Proxy Action Configuration dialog box. The Clone Predefined or DVCP-created Object dialog box appears.

6. (Optional) In the Name text box, type a unique name for the proxy action. The default name for the clone is POP3-Client.1. You can also give it a friendly name to help you recognize it.

7. Click OK to clone the template.
8. Click OK to close the New Policy Properties dialog box.
9. Click Close to close the Add Policies dialog box. The POP3-CFO policy appears in your policy list.

10. Save the configuration file as EmailProxies-Done.


Exercise 4 — Activate spamBlocker

Before you can begin this exercise, you must have the spamBlocker feature key saved to the Firebox. For more information, see Administration, on page 33.

Successful Company decides to invest in spamBlocker to manage all the unwanted email its employees are receiving. In this exercise, we use the spamBlocker Wizard in Policy Manager to activate the spamBlocker service.
1. Select Subscription Services > spamBlocker > Activate. The Activate spamBlocker Wizard appears.

2. Click Next. If you are working through the training modules sequentially, or taking the class with an instructor, you should have three email proxy policies configured.

3. Clear the POP3-CFO and SMTP-Server-Outgoing policy check boxes. Click Next.
4. Click Finish. If you do not have an SMTP or POP3 proxy policy, the wizard prompts you to create one.


Exercise 5 — Configure the spamBlocker Service

After you complete the Activate spamBlocker Wizard, you need to configure the spamBlocker settings in your email proxy. In this exercise, you configure the spamBlocker service for SMTP. The procedure to configure spamBlocker for POP3 is the same.

Determine What Happens to Spam Email

In this exercise, the Successful Company network administrator is new to this type of service and is a little nervous about losing valid messages. He decides to quarantine confirmed spam and tag the rest as spam, but still send it to the intended recipients.
1. Select Subscription Services > spamBlocker > Configure. The spamBlocker dialog box appears. The spamBlocker Policies list includes the current policies and whether spamBlocker is active for each policy.

2. Select SMTP-Incoming-Proxy. Click Configure. The spamBlocker configuration dialog box appears.

3. From the Confirmed Spam drop-down list, select Quarantine. All email that spamBlocker confirms as spam will now be held in quarantine. The network administrator will have to review these messages before they go to the final recipient.

4. From the Suspect drop-down list, select Add subject tag. The text ***SUSPECT*** appears. You can replace this with any short text phrase.


5. Clear the Send a log message for each message classified as not spam check box. This is a useful tool for troubleshooting, but receiving a log message for each email message sent to your employees can significantly increase the size of your log database.

Add spamBlocker Exceptions

The network administration team at Successful Company all subscribe to the Security Now podcasts from TWIT.tv. However, like many companies that send useful newsletters and announcements to their customers, TWIT uses a bulk mail application. In this exercise, we configure the Successful Company spamBlocker service to allow these messages as an exception.

In the spamBlocker Configuration dialog box:
1. Select the Exceptions tab.

spamBlocker is already configured to allow bulk messages from the WatchGuard LiveSecurity service. This ensures that you can receive important announcements, security alerts, and threat responses.

2. Click Add. The Add Exception Rule dialog box appears.

3. From the Action drop-down list, select Allow.
4. In the Sender text box, type *@twit.tv.
5. In the Recipient text box, type *. This will exclude all messages that originate from the TWIT.tv domain from spamBlocker actions.


6. Click OK to close the Add Exception Rule dialog box.
7. Click OK to close the spamBlocker Configuration dialog box.

Enable Alarms When a Virus is Detected

One selling point of spamBlocker for the security team at Successful Company was the ability to receive alarms when a virus is detected. In this exercise, we enable the alarm feature.

You must also enable Virus Outbreak Detection in the global spamBlocker settings, if you want this feature to operate in policies.

1. In the spamBlocker Configuration dialog box, select the Virus Outbreak Detection tab.
2. From the When a virus is detected drop-down list, select Drop.

3. Select the adjacent Alarm check box.
4. Click OK to close the spamBlocker Configuration dialog box.


Exercise 6 — Monitor spamBlocker Activity

You can use Firebox System Manager to monitor spamBlocker activity.
1. In WatchGuard System Manager, connect to the Firebox you want to monitor.
2. Click . Or, select Tools > Firebox System Manager. Firebox System Manager appears.

3. Select the Subscription Services tab. The statistics for spamBlocker appear in the third section on this tab.


Test Your Knowledge

Use the questions below to practice what you have learned and exercise new skills.

1. Which of the following can an SMTP-proxy check that an SMTP packet filter cannot? (Select all that apply.)
o A) Source IP Address
o B) Content
o C) RFC compliance
o D) Packet Header
o E) Attachment

2. Choose the most appropriate SMTP-proxy action for each task. (Select one.)

Task | SMTP-Incoming | SMTP-Outgoing
Protect your company network from a virus | o | o
Reduce the number of very large files sent by email to your users | o | o
Reduce spam | o | o
Prevent your email server from being used as a spam relay | o | o
Keep your users from sending large files to their friends | o | o

3. Choose the actions that spamBlocker can take when you configure spamBlocker to work with SMTP. (Select all that apply.)
o A) Deny: Stop the spam message without a reply
o B) Tag: Add a “spam” tag to the email subject line and allow spam messages to go to the recipient
o C) Ignore: Do not send the email to spamBlocker to process
o D) Allow: Let spam messages go through the Firebox without a tag
o E) Drop: Drop the connection immediately and send no error messages back to the sending email server
o F) Quarantine: Isolate the email on a Quarantine Server


4. True or false? The Confirmed Spam category includes email messages that come from known spammers.

5. Which proxy works with spamBlocker? (Select all that apply.)

o A) HTTP
o B) SMTP
o C) POP3
o D) FTP


ANSWERS

1. B, C, E

2.
Task | SMTP-Incoming | SMTP-Outgoing
Protect your company network from a virus | x | o
Reduce the number of very large files sent by email to your users | x | o
Reduce spam | x | o
Prevent your email server from being used as a spam relay | x | o
Keep your users from sending large files to their friends | o | x

3. A, B, D, E, F
4. True
5. B and C


Web Traffic
Manage the Web Traffic Through Your Firewall

What You Will Learn

The HTTP-proxy policy can protect your private and public web servers. It can also be used to protect your users from viruses and restrict unauthorized Web use. In this module, you learn how to:

- Create a log message for each HTTP client connection
- Block HTTP client connections by URL path
- Allow files through the HTTP-proxy by type
- Customize the deny message a user receives
- Strip headers that specify a certain type of authentication
- Use HTTP-proxy exceptions to allow software updates
- Use time and bandwidth quotas to limit web usage
- Activate WebBlocker
- Select categories of websites to block
- Override WebBlocker rules for specific sites
- Understand how Reputation Enabled Defense protects your network
- Set up and configure Reputation Enabled Defense
- See status and reports for Reputation Enabled Defense

Before you begin these exercises, make sure you read the Course Introduction module.

Copyright © 2016 WatchGuard Technologies, Inc. All rights reserved.


Control Web Traffic Through Your Firewall

HTTP (Hypertext Transfer Protocol) is a protocol used to send and display text, images, sound, video, and other multimedia files on the Internet. The WatchGuard HTTP-proxy is a high-performance content filter. It examines web traffic to identify suspicious content, which can be spyware, malformed content, or another type of attack. It can also protect your web server from attacks from the external network using protocol anomaly detection rules to identify and deny suspicious packets. The HTTP-proxy operates between a web server and a client web browser. It processes each HTTP packet from the server for any potentially harmful content before sending it to the client. It can also act as a buffer between your web server and potentially harmful web clients by enforcing compliance with the HTTP protocol and preventing potential buffer overflow attacks.

About the Explicit HTTP Proxy

You can also use an Explicit HTTP Proxy. In a normal proxy configuration, the Firebox transparently proxies and inspects client connections to servers. In an explicit proxy configuration, the Firebox accepts direct requests from clients, performs a DNS lookup and connects to specified servers, and then retrieves the information on behalf of the client. In this configuration, the client is specifically configured to use the Firebox as a proxy server. For more information about using an explicit proxy, see the Fireware Help.

HTTP Client and Server Proxy Actions

When you add an HTTP-proxy policy to your Firebox configuration, you get access to two sets of rules that are included with the product: an HTTP-Server proxy action and an HTTP-Client proxy action. You can use the default proxy actions, or you can modify them. This module shows you how to customize the settings in these two proxy actions.

HTTP-Client
The HTTP-Client proxy action is configured to give comprehensive protection to your network from the content your trusted users download from web servers.

HTTP-Server
The HTTP-Server proxy action is configured to allow most HTTP connections through to your public web server, but stops any attempts to upload or delete files.

To further protect your network, both the HTTP-Client and HTTP-Server proxy actions can use these optional services:

WebBlocker
Controls the websites trusted users are allowed to browse to at different times of the day. WebBlocker is only available for the HTTP-Client proxy action.

Gateway AntiVirus (Gateway AV)
Scans HTTP traffic and can stop viruses before they connect to the client computers and HTTP servers on your network.


Reputation Enabled Defense (RED)
Sends requested URLs to a cloud-based WatchGuard reputation server that returns a reputation score. The HTTP-proxy uses the reputation score to determine whether to drop the traffic, allow the traffic and scan it locally, or allow the traffic without a local scan.

APT Blocker
Scans HTTP traffic and blocks APT (Advanced Persistent Threat) malware that takes advantage of zero-day exploits to gain access to your network. Files are sent to a cloud-based service and examined with full system emulation analysis to identify the characteristics and behavior of advanced malware.

Control Outgoing HTTP Requests

You can control outgoing HTTP connections from HTTP client applications to prevent your user community from downloading many of the dangerous file types that hackers use to introduce viruses, malware, trojans, and worms to your network.

The HTTP-Client proxy settings give you complete control over the HTTP connections of your trusted users. You can strip files by file name or MIME content type. You can also restrict the use of cookies, ActiveX, Java, and other potential sources of infection. In Fireware v11.12 and higher, the Web Setup Wizard and Quick Setup Wizard can automatically enable WebBlocker and configure an HTTP-Client proxy action called Default-HTTP-Client. This proxy action has recommended settings, and blocks the WebBlocker categories you select in the setup wizard. For more information, see Getting Started.


Protect Your Web Server

Web servers are popular targets for attackers. Although vendors try to patch web server applications quickly, attackers have a window of vulnerability between the time an attack is discovered and the opportunity you have to patch it. You can use the HTTP-Server proxy action as a way to prevent the attack until a patch is available. If you have a public web server, you must also make sure that people can still get access to it after you configure it to protect it against attacks. The default HTTP-Server ruleset allows most types of connections through the Firebox while it blocks the most common attacks.


HTTP-Proxy Action Rulesets

The HTTP-Client and HTTP-Server proxy actions have the same sets of rules, but the default settings are different. These rulesets appear in the Categories list in the HTTP Proxy Action Configuration dialog box.

Many web pages get information from site visitors, such as location, email address, and name. If you disable the POST command, the Firebox denies all POST operations to web servers on the external network. This feature can prevent your users from sending information to a website on the external network.

HTTP Request

General Settings
Use this ruleset to control the idle time out and maximum URL length HTTP parameters. You can configure the Firebox to create a log message with summary information for each HTTP connection request. Make sure the Enable logging for reports check box is selected to see bandwidth usage information in HostWatch and Report Manager. You can also enforce the strictest Safe Search settings for web browser search engines.

Request Methods
The Request Method ruleset lets you control the types of HTTP request methods allowed through the Firebox as part of an HTTP request. Some applications, such as Google Desktop and Microsoft FrontPage, require additional request methods. webDAV is used for collaborative online authoring and has a large number of additional request methods. The HTTP-proxy supports webDAV request method extensions by default, according to the specifications in RFC 2518.

URL Paths
Use this ruleset to filter the content of the host and path of a URL. For best results, use URL path filtering together with file header and content type filtering.

Usually, if you filter URLs with the HTTP request URL path ruleset, you must configure a complex pattern that uses regular expression syntax configured in the Advanced View of a ruleset. It is easier and better to filter header or body content types than it is to filter URL paths.

Header Fields
This ruleset supplies content filtering for the full HTTP header name and its value. By default, the Firebox uses exact matching rules to strip Via and From headers, and allows all other headers. The Via header can be added to a client request by a proxy server to track message forwards and avoid request loops. Stripping the Via header can protect client privacy. The From header passes the client user's email address to the server, which can be harvested by bulk mail spam recipient lists. Stripping this header helps reduce the chance of receiving spam and maintains client anonymity and privacy.

Authorization
This ruleset sets the criteria for content filtering of HTTP Request Header authorization fields. When a web server starts a WWW-Authenticate challenge, it sends information about which authentication methods it can use. The proxy puts limits on the type of authentication sent in a request. With a default configuration, the Firebox allows Basic, Digest, NTLM, and Passport 1.4 authentication.

HTTP Response

General Settings
Use this ruleset to configure basic HTTP response parameters, including idle time out, maximum line length, and maximum total length of an HTTP response header. If you set a value control to zero (0) bytes, the Firebox ignores the size of HTTP response headers.

Header Fields
This ruleset controls which HTTP response header fields the Firebox allows. Response headers can be used to specify cookies, supply modification dates for caching, instruct the browser to reload the page after a specified time interval, and for several other tasks.

Content Types
This ruleset controls the types of MIME content allowed through the Firebox in HTTP response headers. This is a common way of restricting the types of files that users can download from websites.

Cookies
Use this ruleset to control cookies included in HTTP responses. The default ruleset allows all cookies. HTTP cookies are used to track and store information about users who visit particular sites.

Body Content Types
This ruleset gives you control of the content in an HTTP response. The Firebox is configured to deny Windows exe/dll files by default. It is a good idea to examine the file types used in your organization and allow only necessary file types.

Use Web Cache Server
If you have an existing HTTP caching proxy server on your network, you can forward HTTP requests from the Firebox to your proxy server. For more information, see the Fireware Help.

HTTP-Proxy Exceptions
All traffic to or from a domain listed in this ruleset will bypass the proxy completely. Only trusted sites that supply needed files that would be denied by other parts of the HTTP-proxy should be listed here. By default, the Microsoft Windows Update websites are ignored by the HTTP-proxy.

Data Loss Prevention
If you have purchased and enabled the Data Loss Prevention feature, you can configure the DLP sensor the HTTP-proxy uses to examine allowed traffic.

WebBlocker
See the subsequent section for more information on how to restrict Web access with a WebBlocker profile.


Antivirus
This ruleset sets the actions necessary if a virus is found. Although you can use the proxy definition screens to activate and configure Gateway AntiVirus, it is easier to use the Tasks menu in Policy Manager to do this. For more information, see the Signature Services and APT Blocker module.

Reputation Enabled Defense
If you have purchased the Reputation Enabled Defense Service, this ruleset enables you to immediately block URLs that have a bad reputation, and bypass any configured virus scanning for URLs that have a good reputation. You can also change the Good and Bad reputation thresholds. See the subsequent sections for more information on how to restrict Web access with Reputation Enabled Defense.

Deny Message
Use this feature to customize the default deny message that your trusted users will see if the Firebox denies HTML content.

Proxy and AV Alarms
This ruleset lets you define the type of alarm that is sent any time a notification is triggered by an HTTP ruleset.

APT Blocker
If you have purchased the APT Blocker subscription service, this ruleset lets you enable APT Blocker to analyze HTTP traffic for advanced malware.


Monitor Secured HTTP Traffic with the HTTPS-Proxy Policy

The HTTPS-proxy policy allows you to manage and filter secure HTTP (HTTPS) traffic on TCP port 443 to protect your network clients, or an HTTPS server on your network. The HTTPS proxy uses a domain name rules list that allows you to block, inspect, or allow (bypass inspection) HTTPS traffic for specific web site domains. SNI (Server Name Indication) or the certificate common name (CN) of the web site is used to match the domain in the rules. You can also specify a WebBlocker profile for HTTPS traffic to block web site categories or inspect specific allowed categories. You can enable content inspection of HTTPS content to decrypt secured HTTP traffic. When you enable this feature, the rules of the HTTP-proxy action you specify are applied to that traffic. This means that you can use all of the same features for HTTPS traffic that you already use in an HTTP-proxy, or create a new proxy action specifically for HTTPS. After your Firebox examines the traffic and determines that it can be allowed, it is re-encrypted, re-signed with a new certificate, and sent to its original destination. Because the HTTPS-proxy configuration is considered an advanced feature, detailed configuration options for the HTTPS-proxy are not covered in this module. To use the content inspection feature, you must configure the Firebox and either your network clients or your HTTPS server to trust the same certificate. For more information, see the Certificates section in the Fireware Help.

Bandwidth and Time Quotas

You can enable time and bandwidth usage quotas in your HTTP and HTTPS policies. This feature is useful for applying a daily limit to your users' Internet usage to enforce corporate acceptable use policies. When a user exceeds the quota limit, a notification message appears in their web browser and further access attempts are denied. You can set these types of quotas:

- Time — The time quota is set in minutes per day.
- Bandwidth — The bandwidth quota is set in MB per day.

Quota limits are applied to users and groups based on authentication to the Firebox. You can create exceptions to quotas so that any traffic to a specific destination address is not counted towards the usage quota. Quotas cannot be enforced if a user is able to access websites without authentication.

Restrict Web Access with WebBlocker

WebBlocker uses a database of websites, organized into categories based on their content. You configure WebBlocker to control which website categories your users can see. When a user on your network browses the Internet, the Firebox automatically checks the WebBlocker Server to see if the site is allowed. If the site is on the block list, the user receives a message that the site is not available.


WebBlocker Server Options

When you configure WebBlocker, you have two options for the type of WebBlocker database the Firebox uses to filter web content.

Websense cloud with Websense categories
Websense cloud is a URL categorization database with over 130 categories, provided by Websense (now known as Forcepoint). The Websense cloud option does not use a locally installed WebBlocker server. When you enable WebBlocker for the first time, Websense cloud is selected by default. The Websense cloud option is available only for Fireboxes that use Fireware OS v11.7 and higher. URL categorization queries to the Websense cloud are sent over HTTP.

WebBlocker Server with SurfControl categories
The WebBlocker Server is a WatchGuard server that uses a URL categorization database with 54 categories, provided by SurfControl. If you use WebBlocker with the WebBlocker Server on any device other than an XTM 2 Series or XTM 33, you must first set up a local WebBlocker Server on your management computer. XTM 2 Series and XTM 33 devices can use a WebBlocker Server hosted and maintained by WatchGuard or a locally installed WebBlocker Server. URL categorization queries to the WebBlocker Server are sent over UDP port 5003.

To use WebBlocker you must:

- Install and set up the WebBlocker Server (only if you want to use the SurfControl categories)
- Activate a WebBlocker license
- Configure an HTTP-proxy policy to use WebBlocker

In Fireware v11.12 and higher, if your Firebox has a WebBlocker subscription when you run the Web Setup Wizard or Quick Setup Wizard, the wizard automatically enables WebBlocker and adds an HTTP-proxy policy with an HTTP-proxy action that blocks the WebBlocker categories you select in the wizard. For more information, see Getting Started.

WebBlocker Categories

When you configure WebBlocker, you select the server to use for WebBlocker lookups and you select the content categories you want WebBlocker to block. The list of content categories you can configure depends on which type of server you choose. Both the Websense and SurfControl databases contain content categories such as News, Drugs, Gambling, or Adult/Sexually Explicit. The Websense database has more granular categories than the SurfControl database. After you select the type of WebBlocker server to use, you select which content categories you want to block. To see a description of any content category, click the category name in the WebBlocker configuration.

Fireware EssentialsStudentGuide

252

Web Traffic

WebBlocker Exceptions

To override a WebBlocker action, you can add an exception to the WebBlocker categories to allow or deny a particular website. The exceptions are based on IP addresses, a pattern based on a URL, or a regular expression. To match a URL path on all websites, the pattern must have a trailing /*. The host in the URL can be the host name specified in the HTTP request, or the IP address of the server.

The websites you block with WebBlocker exceptions apply only to HTTP traffic (not HTTPS). They are not added to the Blocked Sites list.

To create a WebBlocker pattern match exception, you can use any part of a URL. You can set a port number, path name, or string that must be blocked for a specific website. For example, if it is necessary to block only www.sharedspace.com/~dave because it has inappropriate photographs, you type www.sharedspace.com/~dave/*. This still allows users to browse to www.sharedspace.com/~julia, which could contain content you want your users to see. To block URLs that contain the word sex in the path, you can type */*sex*. To block URLs that contain sex in the path or the host name, type *sex*. Use such broad wildcards cautiously, however, because a rule like this would also unintentionally block access to a website for the City of Middlesex.

Regular expressions are more efficient, in terms of CPU usage on the Firebox, than pattern matches. If you add many WebBlocker exceptions, you can improve performance by configuring your WebBlocker exceptions as regular expressions rather than pattern matches. You can create a regular expression that is equivalent to a pattern match. For example, the regular expression ^[0-9a-zA-Z\\_]\.hostname\.com. is equivalent to the pattern match *.hostname.com/*. For more information about regular expressions, see the WatchGuard System Manager Help or User Guide.

You can also block ports in a URL. For example, for http://www.hackerz.com/warez/index.html:8080, the browser uses the HTTP protocol on TCP port 8080 instead of the default TCP port 80. You can block the port by matching *8080.
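The wildcard semantics described above, as an added example that is not part of the original guide or WatchGuard's own code: a small Python model of WebBlocker pattern-match exceptions. It assumes that * is the only wildcard, that a pattern must cover the whole URL once the scheme is removed, and that exceptions are checked in order with the first match deciding (the Firebox's exact normalization is not specified on the page). The class and function names are mine, and the URLs are constructed from the guide's own examples; the Middlesex false positive the text warns about is one of the cases it exercises.

```python
import re

# Added example (not WatchGuard code): a model of WebBlocker pattern-match
# exceptions. Assumptions: '*' is the only wildcard, the pattern must cover
# the whole URL once the scheme is removed, and exceptions are checked in
# order with the first match deciding.

def pattern_to_regex(pattern):
    """Translate a WebBlocker-style wildcard pattern into an anchored regex."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)

def strip_scheme(url):
    """WebBlocker patterns are written without the 'http://' prefix."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)

def pattern_matches(pattern, url):
    return pattern_to_regex(pattern).match(strip_scheme(url)) is not None

class WebBlockerExceptions:
    """Ordered list of (pattern, action) rules; action is 'allow' or 'deny'."""

    def __init__(self):
        self.rules = []

    def add(self, pattern, action):
        if action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")
        self.rules.append((pattern, action))

    def lookup(self, url):
        """Action of the first matching exception, or None when no exception
        applies and the normal category lookup decides."""
        for pattern, action in self.rules:
            if pattern_matches(pattern, url):
                return action
        return None

def build_example_exceptions():
    """The exceptions discussed in the guide, using the narrow forms."""
    ex = WebBlockerExceptions()
    ex.add("www.sharedspace.com/~dave/*", "deny")   # one user's pages only
    ex.add("*/*sex*", "deny")                        # 'sex' in the path only
    ex.add("*8080", "deny")                          # explicit port in the URL
    return ex

if __name__ == "__main__":
    ex = build_example_exceptions()
    for url in ("http://www.sharedspace.com/~dave/photo.jpg",
                "http://www.sharedspace.com/~julia/",
                "http://www.middlesex.gov/index.html"):
        print(url, "->", ex.lookup(url))
```

Comparing pattern_matches("*sex*", ...) with pattern_matches("*/*sex*", ...) against a Middlesex URL shows why the path-only form is the safer exception.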

WebBlocker Local Override

If you want to allow certain users to temporarily override the WebBlocker rules, you can enable the WebBlocker local override feature. WebBlocker local override allows end-users to see a website blocked by WebBlocker if they know the override passphrase. This feature operates only with HTTP-proxy policies. In the WebBlocker configuration advanced settings, you can enable local override, and configure a local override passphrase and inactivity timeout. When WebBlocker local override is enabled, if a user navigates to a website that is blocked by WebBlocker, the WebBlocker request denied page includes a place the user can type the WebBlocker override password.

If the user types the correct password, WebBlocker allows access to the override destination. The user can also edit the override destination using wildcards to allow override access to more than one site, or to more pages in a site. You can use wildcards in an override destination in the same way you use them to define a WebBlocker exception. In effect, WebBlocker local override allows the user to define a temporary WebBlocker exception. WebBlocker enables access to the override destination until the WebBlocker local override inactivity timeout is reached or until the user logs out, if the user was authenticated. The default inactivity timeout for local override is five minutes.

WebBlocker Schedules

You can set an operating schedule for a set of WebBlocker rules. You use time periods to set rules for when to block different websites. For example, you can block sports websites during usual business hours of operation, but allow users to browse at lunch time, evenings, and weekends. To do this, you add a schedule to the HTTP-proxy policy that WebBlocker is assigned to. You can also configure two HTTP policies, but create a schedule for only one of them. Each policy uses one of the HTTP-proxy actions. Each of these HTTP-proxy actions points to one of at least two WebBlocker actions.

WebBlocker Server

If you want to configure WebBlocker to use a WebBlocker Server with SurfControl, you must install a WebBlocker Server. If you use the Websense cloud for WebBlocker lookups, WebBlocker does not use a local WebBlocker Server. You install the WebBlocker Server when you install WatchGuard System Manager (WSM). If you did not originally install the WebBlocker Server when you installed WSM, you can do so at any time. Run the WSM installer again and select the check box for WebBlocker. Then, continue installation. After you first install the WebBlocker Server, you must download the full WebBlocker database to the WebBlocker Server. The WebBlocker Server automatically updates the WebBlocker database once per day.

About Reputation Enabled Defense

In the Signature Services and APT Blocker section, we learned how the Gateway AntiVirus service scans web pages and any files downloaded from web pages for viruses. When you enable the Reputation Enabled Defense (RED) service, you can further improve the performance and security of web browsing for users on your network. WatchGuard RED uses cloud-based WatchGuard reputation servers that assign a reputation score between 1 and 100 to every URL. When a user goes to a website, RED sends the requested web address (or URL) to the WatchGuard reputation server. The WatchGuard server responds with a reputation score for that URL. Based on the reputation score, and on locally configured thresholds, RED determines whether the Firebox should drop the traffic, allow the traffic and scan it locally with Gateway AV, or allow the traffic without a local Gateway AV scan. This increases performance, because Gateway AV does not need to scan URLs with a known good or bad reputation. The reputation score for a URL is based on feedback collected from devices around the world. It incorporates scan results from three leading anti-malware engines: McAfee, Kaspersky, and AVG. Reputation Enabled Defense uses the collective intelligence of the cloud to keep Internet browsing safe and to optimize performance at the gateway.

Reputation Scores

The WatchGuard reputation server assigns every URL a reputation score from 1 to 100. A reputation score closer to 100 indicates that the URL is more likely to contain a threat. A score closer to 1 indicates that the URL is less likely to contain a threat. If the RED server does not have feedback about a web address, it assigns a neutral score of 50.

These factors can cause the reputation score of a URL to increase, or move toward a score of 100:

- Negative scan results
- Negative scan results for a referring link

These factors can cause the reputation score of a URL to decrease, or move toward a score of 1:

- Multiple clean scans
- Recent clean scans

Reputation scores change over time. For increased performance, the Firebox stores the reputation scores for recently accessed web addresses in a local cache.

Reputation Thresholds

There are two reputation score thresholds you can configure:

- Bad reputation threshold — If the score for a URL is higher than the Bad reputation threshold, the HTTP proxy denies access without any further inspection.
- Good reputation threshold — If the score for a URL is lower than the Good reputation threshold and Gateway AntiVirus is enabled, the HTTP proxy bypasses the Gateway AV scan.

If the score for a URL is equal to or between the configured reputation thresholds and if you have enabled Gateway AV, the content is scanned for viruses.

Reputation Lookups

The Firebox uses UDP port 10108 to send reputation queries to the WatchGuard reputation server. Make sure this port is open between your Firebox and the Internet. UDP is a best-effort service. If the Firebox does not receive a response to a reputation query soon enough to make a decision based on the reputation score, the HTTP proxy does not wait for the response, but instead processes the HTTP request normally. In this case the content is scanned locally if Gateway AV is enabled.

If the response comes back late, it is possible you will see the reputation score assigned as -1 in the Traffic Monitor.

Reputation lookups are based on the domain and URL path, not just the domain. Parameters after escape or operator characters, such as & and ?, are ignored. For example, for the URL:

http://www.example.com/example/default.asp?action=9&parameter=26

the reputation lookup is:

http://www.example.com/example/default.asp

Reputation Enabled Defense does not do a reputation lookup for sites that have been added to the HTTP Proxy Exceptions list of the HTTP proxy action.

Reputation Enabled Defense Feedback

When you enable Reputation Enabled Defense, you can choose if you want to send the results of local Gateway AV scans to the WatchGuard server. You can also choose to upload Gateway AV scan results to WatchGuard even if Reputation Enabled Defense is not enabled or licensed on your device. All communications between your network and the Reputation Enabled Defense server are encrypted. We recommend that you enable the upload of local scan results to WatchGuard to improve overall coverage and accuracy of Reputation Enabled Defense.

Monitor Reputation Enabled Defense

The Subscription Services tab of Firebox System Manager includes current statistics about Reputation Enabled Defense activity that occurred after the last device restart. The statistics include reputation score thresholds (based on your configuration settings) for each message type in these categories:

Local bypass (good)
The number and percentage of URL requests that bypassed local Gateway AV scanning because they have a reputation score lower than the Good reputation threshold.

The number of URLs blocked (bad)
The number and percentage of URL requests that were blocked without scanning because they have a reputation score higher than the Bad reputation threshold.

Normal processing (inconclusive scores)
The number and percentage of URL requests that were processed normally, because they have a reputation score equal to or between the Good reputation and Bad reputation thresholds.

Local cache hits
The number and percentage of URL requests for which the reputation score was found in the local cache, so no request to the Reputation Enabled Defense server was required.

Reputation lookups
The total number of reputation lookup attempts since the last system restart.

If you have installed Report Manager, you can also see a summary of Reputation Enabled Defense actions in the Reputation Enabled Defense Summary report. This report shows a graphical representation of the percentage of URLs that were bypassed, blocked, or required local scanning.
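The threshold logic, the lookup normalization and the statistics categories described in the Reputation Scores, Reputation Thresholds, Reputation Lookups and Monitor Reputation Enabled Defense sections above, as one added example that is not part of the original guide or WatchGuard's own code. It models the decision the HTTP proxy makes for each URL (deny, local Gateway AV scan, or allow without a scan), the local score cache, the HTTP Proxy Exceptions bypass, the late-reply case, and the counters the Subscription Services tab reports. The reputation server is replaced by a constructed score table; the threshold values in run_demo are constructed for the demonstration and are not the Firebox defaults; computing percentages over the three decision categories is my assumption about how the tab reports them; class and function names are mine.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit, urlunsplit

# Added example (not WatchGuard code): a model of the Reputation Enabled
# Defense decision path and the counters Firebox System Manager reports.
# Assumptions: the reputation server is a constructed table of scores; a
# return of None models a UDP reply that arrives too late; the threshold
# values used in run_demo are constructed, not the Firebox defaults.

NEUTRAL_SCORE = 50   # assigned when the server has no feedback for a URL
LATE_SCORE = -1      # what Traffic Monitor shows when the reply arrives late

def lookup_key(url):
    """Domain plus path only: parameters after '?' and '&' are ignored."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

class ReputationEnabledDefense:
    def __init__(self, good_threshold, bad_threshold, gav_enabled=True, proxy_exceptions=()):
        if not 1 <= good_threshold <= bad_threshold <= 100:
            raise ValueError("need 1 <= good threshold <= bad threshold <= 100")
        self.good = good_threshold
        self.bad = bad_threshold
        self.gav_enabled = gav_enabled
        self.exceptions = [e.lower() for e in proxy_exceptions]
        self.cache = {}                       # lookup key -> score
        self.stats = {"local_bypass": 0, "blocked": 0, "normal": 0,
                      "cache_hits": 0, "lookups": 0}

    def _in_proxy_exceptions(self, url):
        host = (urlsplit(url).hostname or "").lower()
        return any(fnmatchcase(host, e) for e in self.exceptions)

    def _score(self, key, reputation_server):
        if key in self.cache:
            self.stats["cache_hits"] += 1
            return self.cache[key]
        self.stats["lookups"] += 1
        score = reputation_server(key)
        if score is None:                     # late reply: do not wait, do not cache
            return LATE_SCORE
        self.cache[key] = score
        return score

    def decide(self, url, reputation_server):
        """Return 'deny', 'scan' (hand to Gateway AV) or 'allow' (no scan)."""
        if self._in_proxy_exceptions(url):
            return "allow"                    # no reputation lookup at all
        score = self._score(lookup_key(url), reputation_server)
        if score > self.bad:
            self.stats["blocked"] += 1
            return "deny"
        if LATE_SCORE < score < self.good and self.gav_enabled:
            self.stats["local_bypass"] += 1
            return "allow"
        self.stats["normal"] += 1             # between thresholds, or a late reply
        return "scan" if self.gav_enabled else "allow"

    def summary(self):
        """Counts, and percentages for the three decision categories."""
        categories = ("local_bypass", "blocked", "normal")
        total = sum(self.stats[k] for k in categories)
        out = {}
        for key, count in self.stats.items():
            pct = round(100.0 * count / total, 1) if total and key in categories else None
            out[key] = (count, pct)
        return out

# Constructed feedback table standing in for the WatchGuard reputation server.
CONSTRUCTED_SCORES = {
    "http://malware.example/dropper.php": 95,
    "http://intranet.example/": 5,
}

def constructed_server(key):
    if key.startswith("http://slow.example/"):
        return None                           # reply arrives after the proxy moved on
    return CONSTRUCTED_SCORES.get(key, NEUTRAL_SCORE)

def run_demo():
    red = ReputationEnabledDefense(good_threshold=10, bad_threshold=90,
                                   proxy_exceptions=["*.mozilla.com"])
    urls = [
        "http://malware.example/dropper.php?id=1",
        "http://intranet.example/",
        "http://www.example.com/example/default.asp?action=9&parameter=26",
        "http://slow.example/big.iso",
        "http://download.mozilla.com/update.xml",
        "http://malware.example/dropper.php",     # served from the local cache
    ]
    decisions = [red.decide(u, constructed_server) for u in urls]
    return decisions, red.summary()

if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The late-reply branch is the one worth checking in your own logs: a -1 score never blocks and never bypasses, so Gateway AV still sees that content.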

Exercise 1 — Configure HTTP Connections from Trusted Users

Successful Company network administrators are now ready to configure the Firebox to enforce the company’s policy on browsing the Web. In this exercise, you use Policy Manager to edit the predefined HTTP-Client ruleset to limit the types of HTTP connections that Successful Company employees can start. Specifically, you will:

- Enable logging for HTTP client requests
- Block HTTP client connections to YouTube®
- Enable the web download of Microsoft® Word, Excel, and PowerPoint documents, as well as ZIP files
- Customize the message that users see when some of the content in their web requests is denied

Add an HTTP Client Proxy Policy

The HTTP packet filter cannot meet all the Successful Company web policy criteria. First, we use Policy Manager to add an HTTP-Client proxy policy.

1. Click the Add Policy icon on the toolbar, or select Edit > Add Policy. The Add Policies dialog box appears.

2. Expand the Proxies folder.
3. Select HTTP-proxy and click Add. The New Policy Properties dialog box appears, with the Policy tab selected.
4. In the Name text box, type HTTP-Employees. By default, the HTTP-proxy policy is outgoing and controls traffic from any trusted network to any computer on the external network.
5. In the Proxy action drop-down list, select HTTP-Client.

Enable Logging for Each HTTP Client Connection

The Successful Company network administrator wants to make sure that the Firebox records each HTTP connection initiated by an employee. He plans to use this data to prove internal compliance with the company’s Internet usage policy. It can also help to troubleshoot bandwidth problems if they occur in the future. In the default HTTP-Client proxy action, as in other proxy rulesets, allowed connections do not create log entries unless you activate the log option. If you do not activate the option to send a log message for each HTTP client connection, you do not see any allowed HTTP traffic in the log file or in reports. You also do not see HTTP connections in HostWatch.

On the Policy tab:

1. Click the icon adjacent to the Proxy action drop-down list. The HTTP Proxy Action Configuration dialog box appears.
2. In the General Settings, select the Enable logging for reports check box.

Block HTTP Client Connections by URL Path

Because of concerns about employee productivity and bandwidth use, Successful Company’s network administrator was asked to have the Firebox stop all HTTP client connection requests to YouTube. To block all client connections that include youtube.com in the URL path:

In the HTTP Proxy Action Configuration dialog box:

1. In the Categories list, expand HTTP Request and select URL Paths. The URL Paths page appears. The default configuration for the HTTP-Client proxy action allows all URL paths.
2. In the Pattern text box, type www.youtube.com/*. Click Add. *.youtube.com appears in the URL Paths list.
3. In the If matched drop-down list, select Deny.
4. To send a log message when this rule denies a connection, select the Log check box.

Allow Microsoft Office Documents and ZIP Files Through the HTTP-Proxy

Sometimes, Successful Company users must download certain Microsoft Office documents. Also, employees often use their browser to download files compressed in the ZIP file format, even though it is a security risk. After their network administrator educates users on the types of zipped files to avoid, they decide to allow zipped content through the HTTP-proxy as well. To allow these types of content, you must edit two of the HTTP Response rulesets:

In the HTTP Proxy Action Configuration dialog box:

1. In the Categories list, expand HTTP Response and select Content Types. The Content Types page appears. The list of content types allowed by default includes PDF, XML, Flash, text, and image files.
2. To see some of the common MIME types, click Predefined. To find the MIME type for some of the content you want to allow or deny through the device, see your vendor documentation or go to http://www.iana.org/assignments/media-types/.
3. Click Change View. The Content Types Rules (advanced view) page appears.
4. Click Add. The New Content Type Rule dialog box appears.
5. In the Rule Name text box, type Excel.
6. In the Rule Settings text box, type application/ms-excel.
7. In the Action drop-down list, select Allow.
8. Click OK. Excel files are now allowed by the HTTP-proxy.
9. Repeat Steps 2–7 for Microsoft PowerPoint (PPT) files. Use application/mspowerpoint as the pattern. PowerPoint presentations are now allowed by the HTTP-proxy.
10. Repeat Steps 2–7 for Microsoft Word (DOC) files. Use application/msword as the pattern. Word documents are now allowed by the HTTP-proxy.
11. Repeat Steps 2–7 for zip archive (ZIP) files. Use application/zip as the pattern. Zip archives are now allowed by the HTTP-proxy.
12. In the Rules (advanced view) list, select application/*. Click Edit. The Edit Content Type Rule dialog box appears.

13. From the Action drop-down list, select Deny. Click OK. All other content types not specifically allowed are denied by the HTTP-proxy.
14. In the Categories list, expand HTTP Responses and select Body Content Types. The Body Content Types page appears.
15. Click Change View. The Rules (advanced view) page appears.
16. Select ZIP Archive. Click Edit. The Edit Body Content Type Rule dialog box appears.
17. From the Action drop-down list, select Allow. Click OK. This action allows zip archives as a body content type.

Customize the Deny Message

When a user on your network tries to browse to a website or to download a file that the HTTP-proxy blocks, that user sees a Deny Message. The default message includes the reason, method, host, and path. You can also add the Firebox name and serial number to the body of the Deny Message. In this exercise, you edit the message to also include the email address for the Successful Company help desk.

In the HTTP Proxy Action Configuration dialog box:

1. In the Categories list, select Deny Message. The Deny Message page appears. The Deny Message uses HTML. The device accepts most valid HTML code.
2. In the Deny Message text box, select the WatchGuard HTTP proxy phrase.
3. To replace the selected phrase, type Successful Company firewall.
4. At the end of the Path: %(url-path)% line, click to place your cursor and press Enter on your keyboard.
5. On the new line, press the space bar to align the new text with the text in the previous line.
6. On the new line, type: For more information, contact Dustin and Nandi at [email protected].
7. Click OK to close the HTTP Proxy Action Configuration dialog box. The Clone Predefined or DVCP-created Object dialog box appears.
8. (Optional) In the Name text box, type a unique name for the proxy action. The default name for a clone is HTTP-Client.1. You can also give it a friendly name to help you recognize it.
9. Click OK to clone the template. The New Policy Properties dialog box appears.
10. Click OK to close the New Policy Properties dialog box.
11. Click Close to close the Add Policy dialog box. The HTTP-Employees policy appears in your policy list.

Exercise 2 — Use HTTP-Proxy Exceptions to Allow Software Updates

Frequently, software companies configure their software to contact one of their servers for software updates. This traffic can occur over HTTP. The update session can include many content types, file names and other properties that could cause the HTTP-proxy to deny the traffic. At Successful Company, many employees use the Mozilla Firefox browser. To allow the clients to update their browsers automatically, we use Policy Manager to add the Firefox servers to the list of HTTP-proxy exceptions. All traffic to a domain listed in the HTTP Proxy Exceptions list is not examined by the HTTP-proxy policy.

1. Double-click the HTTP-Employees policy. The Edit Policy Properties dialog box appears, with the Policy tab selected.
2. Click the icon adjacent to the Proxy action drop-down list. The Edit HTTP Proxy Action Configuration dialog box appears.
3. In the Categories list, select HTTP Proxy Exceptions. The HTTP Proxy Exceptions page appears. The list already includes the domains used by Microsoft Windows to distribute updates to their software.
4. In the text box below the HTTP Proxy Exceptions list, type *.mozilla.com and click Add. *.mozilla.com appears in the list.
5. Click OK to close the Edit HTTP Proxy Action Configuration dialog box.
6. Click OK to close the Edit Policy Properties dialog box.

Exercise 3 — Configure an HTTP-Server Proxy Action Successful Company has a web server on the optional network at 10.0.2.80. Initially, their network administrators find the default settings of the HTTP-Server ruleset sufficiently robust to protect their server. Later we will learn that sometimes you need to change that ruleset to provide additional protection.

Add the HTTP-Server Proxy Policy

First, we will protect the Successful Company public web server. We will use Policy Manager to configure it to accept connections from both the trusted and external networks. This policy will use static NAT.

1. Click the Add Policy icon on the toolbar. The Add Policies dialog box appears.
2. Expand the Proxies list and select HTTP-proxy. Click Add. The New Policy Properties dialog box appears, with the Policy tab selected.
3. In the Name text box, type HTTP-Public Server. It is useful to have a separate policy for each web server on your network.
4. In the To list, select Any-External. Click Remove.
5. In the To section, click Add. The Add Address dialog box appears.
6. Click Add SNAT. The SNAT dialog box appears.
7. Click Add. The Add SNAT dialog box appears.
8. In the SNAT Name text box, type a name for this SNAT action.
9. Click Add. The Add Static NAT dialog box appears.
10. In the Internal IP Address text box, type 10.0.2.80.
11. Click OK to close the Add Static NAT dialog box. The new Static NAT entry appears in the SNAT Members list.
12. Click OK to close the Add SNAT and the SNAT dialog boxes. The IP address appears in the Add Address dialog box in the Selected Members and Addresses list.
13. Click OK to close the Add Address dialog box. This restricts the policy to the Successful Company public web server on the optional network. The New Policy Properties dialog box appears.
14. In the From section, click Add. The Add Address dialog box appears.
15. Double-click Any-External. Any-External appears in the Selected Members and Addresses dialog box.
16. Click OK. Any-External appears in the From list. The policy now includes connections from the external and trusted networks.
17. From the Proxy action drop-down list, select HTTP-Server. Because we are going to accept the default ruleset, we do not need to edit the proxy action.
18. Click OK. Click Close to close the Add Policies dialog box. The HTTP-Public-Server policy appears in the policy list.

Create a New Proxy Policy Ruleset

Successful Company recently received a LiveSecurity alert that describes a vulnerability to Passport 1.4 authentication. In this exercise, you edit the HTTP-Server ruleset based upon this hypothetical LiveSecurity alert. Use the HTTP-Server proxy action rulesets to strip headers that specify Passport 1.4 authentication. This additional precaution can remain on the server until the network administrator applies and tests the patch the vendor provided, which was also described in the LiveSecurity Alert. First, we use Policy Manager to clone the HTTP-Server ruleset and modify it to block the Passport 1.4 authentication. Then we apply it to our public server policy.

1. Select Setup > Actions > Proxies. The Proxy Actions dialog box appears. This is a list of all the template rulesets available. The first portion of the list is in blue text and consists of the default policies. The second portion of the list is in black text and includes the templates we created during our exercises.
2. Select HTTP-Server and click Clone. The Clone HTTP Proxy Action Configuration dialog box appears.
3. In the Name text box, type HTTP-Server-BlockPassport.
4. In the Categories list, expand HTTP Request and select Authorization. The Authorization page appears.
5. Click Change View. The Rules (advanced view) page appears. In this view, we can change the settings for each rule rather than apply a global setting to all of them.
6. In the Rules list, select Passport 1.4. Click Edit. The Edit Authorization Rule dialog box appears.
7. From the Action drop-down list, select Strip. Select the Log check box. This rule strips all headers that include Passport 1.4 authentication requests and sends a log message.

8. Click OK to close the Edit Authorization Rule dialog box. The Clone HTTP Proxy Action Configuration dialog box Authorization page appears. The updated rule appears in the Rules list.
9. Click OK to close the Clone HTTP Proxy Action Configuration dialog box. The Proxy Actions dialog box appears with the cloned proxy action in the list.
10. Click Close. You now have a ruleset which strips Passport 1.4 authorization requests. This enables us to quickly apply this ruleset again in the future.
11. Double-click the HTTP-Public-Server policy. The Edit Policy Properties dialog box appears, with the Policy tab selected.
12. From the Proxy Action drop-down list, select HTTP-Server-BlockPassport.
13. Click OK to close the Edit Policy Properties dialog box.
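How the rulesets configured in Exercises 1 to 3 behave once a request and a response pass through the proxy, as one added example that is not part of the original guide or WatchGuard's own code. It models the HTTP Proxy Exceptions bypass, the URL Paths deny rule, the Content Types rules with the application/* catch-all, the "Enable logging for reports" option, and the Authorization rule that strips Passport 1.4 headers. It assumes that rules in a ruleset are evaluated top-down with the first match winning, that the ruleset's default action is Allow when nothing matches, and that Content-Type parameters such as a charset are ignored when matching; the class and function names are mine, and the patterns and values come from the exercises.

```python
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Added example (not WatchGuard code): a model of the HTTP-proxy action
# rulesets configured in Exercises 1 to 3. Assumptions: rules are checked
# top-down and the first match wins; '*' is the only wildcard; the default
# action when nothing matches is Allow; Content-Type parameters are ignored.

def wildcard(pattern):
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$", re.I)

@dataclass
class Rule:
    name: str
    pattern: str
    action: str          # "allow", "deny" or "strip"
    log: bool = False

@dataclass
class HttpProxyAction:
    proxy_exceptions: list = field(default_factory=list)   # hosts never inspected
    url_path_rules: list = field(default_factory=list)
    content_type_rules: list = field(default_factory=list)
    authorization_rules: list = field(default_factory=list)
    log_allowed: bool = False                              # "Enable logging for reports"
    log: list = field(default_factory=list)

    def _first_match(self, rules, subject, ruleset):
        for rule in rules:
            if wildcard(rule.pattern).match(subject):
                if rule.log:
                    self.log.append(f"{ruleset}: {subject!r} {rule.action} by rule {rule.name!r}")
                return rule.action
        return "allow"                # default action when nothing matches

    def request(self, url, headers=None):
        """Check a client request; returns (action, headers to forward)."""
        p = urlsplit(url)
        host = (p.hostname or "").lower()
        if any(fnmatchcase(host, e.lower()) for e in self.proxy_exceptions):
            return "allow", dict(headers or {})    # HTTP Proxy Exception: not examined
        if self._first_match(self.url_path_rules, host + (p.path or "/"), "url-path") == "deny":
            return "deny", {}
        forwarded = {}
        for name, value in (headers or {}).items():
            if name.lower() == "authorization":
                scheme = value.split(" ", 1)[0]
                verdict = self._first_match(self.authorization_rules, scheme, "authorization")
                if verdict == "deny":
                    return "deny", {}
                if verdict == "strip":
                    continue                        # drop the header, let the request continue
            forwarded[name] = value
        if self.log_allowed:
            self.log.append(f"allowed {url}")
        return "allow", forwarded

    def response(self, content_type):
        """Check the Content-Type of a server response."""
        media_type = content_type.split(";", 1)[0].strip().lower()
        return self._first_match(self.content_type_rules, media_type, "content-type")

def http_employees_action():
    """The HTTP-Client clone from Exercises 1 and 2, with the guide's values."""
    return HttpProxyAction(
        proxy_exceptions=["*.mozilla.com"],
        url_path_rules=[Rule("YouTube", "www.youtube.com/*", "deny", log=True)],
        content_type_rules=[
            Rule("Excel", "application/ms-excel", "allow"),
            Rule("PowerPoint", "application/mspowerpoint", "allow"),
            Rule("Word", "application/msword", "allow"),
            Rule("Zip", "application/zip", "allow"),
            Rule("Other application types", "application/*", "deny"),   # must come last
        ],
        log_allowed=True,
    )

def http_server_blockpassport_action():
    """The HTTP-Server clone from Exercise 3."""
    return HttpProxyAction(
        authorization_rules=[Rule("Passport 1.4", "Passport1.4", "strip", log=True)],
    )
```

The ordering point is the one to verify after Step 13 of Exercise 1: if the application/* deny rule sits above the specific allow rules, the Office and ZIP downloads are denied even though their rules exist.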

Exercise 4 — Enable Bandwidth and Time Quotas

The Successful Company administrator wants to enable bandwidth and time quotas for web access for all customer service representatives. The administrator wants to limit access to 1 hour a day or 1 GB of traffic usage. Exceptions must be made for an external company knowledge base web site (successfullKB.com) to which the CSRs require access for customer support. In this example, there is already an existing HTTP-proxy policy specifically for CSR web traffic, and an existing CSR team user group.

1. From Policy Manager, select Setup > Actions > Quotas.
2. Select the Enable bandwidth and time quotas check box.

3. To add a quota rule, click Add.
4. Type a Name and Description for this rule.
5. In the Users and Groups section, click Add.
6. In this example, select the CSR team Firebox group.
7. For the Quota Action, click the Add Quota Action icon.
8. Type a Name and Description for this quota action.
9. Select the Bandwidth check box, then set the value to 1000 MB.
10. Select the Time check box, then set the value to 60 minutes.

11. Click OK to save the quota action.
12. Click OK to save the quota rule.
13. In the Quotas dialog box, select the Policies tab.
14. Select the HTTP-proxy policy for your CSR group. Only policies that have defined users and groups appear here.
15. From the Select Action drop-down list, select Enabled.
16. Click OK.

To add a quota exception:

1. From Policy Manager, select Setup > Actions > Quotas.
2. Select the Quota Exceptions tab.
3. From the Choose Type drop-down list, select FQDN.
4. In the Value text box, type *.successfullKB.com. This value will make sure the exception applies to the primary domain and any subdomains.
5. Click OK.
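The quota rule and exception from Exercise 4, as an added example that is not part of the original guide or WatchGuard's own code. It models what the configuration means for individual requests: both limits apply per user per day, either exhausted limit blocks further web access, and traffic to the exception FQDN (including the primary domain, as Step 4 states) is neither counted nor blocked. How the Firebox measures time is not described on the page, so counting the distinct minutes in which the user sent traffic is my assumption, as is allowing a request while the user is still under both limits; class and function names are mine.

```python
from datetime import date, datetime
from fnmatch import fnmatchcase

# Added example (not WatchGuard code): a model of the quota rule from
# Exercise 4. Assumptions: both limits are per user per calendar day; time is
# counted as the number of distinct minutes in which the user sent traffic; a
# request is allowed while the user is still under both limits; traffic to an
# exception FQDN is neither counted nor blocked.

MB = 1_000_000

class QuotaPolicy:
    def __init__(self, group_members, bandwidth_mb, time_minutes, exceptions=()):
        self.members = set(group_members)
        self.bandwidth_bytes = bandwidth_mb * MB
        self.time_minutes = time_minutes
        self.exceptions = [e.lower() for e in exceptions]
        self.usage = {}       # (user, day) -> {"bytes": int, "minutes": set}

    def _excepted(self, host):
        host = host.lower()
        # "*.successfullKB.com" must cover the primary domain as well as subdomains
        return any(fnmatchcase(host, e) or host == e.lstrip("*.") for e in self.exceptions)

    def usage_for(self, user, day_iso):
        """(bytes counted, minutes counted) for one user on one day."""
        rec = self.usage.get((user, date.fromisoformat(day_iso)), {"bytes": 0, "minutes": set()})
        return rec["bytes"], len(rec["minutes"])

    def request(self, user, host, nbytes, when_iso):
        """Return 'allow' or 'deny' for one request of nbytes at the given time."""
        if user not in self.members or self._excepted(host):
            return "allow"                      # not covered by the rule, or an exception
        when = datetime.fromisoformat(when_iso)
        rec = self.usage.setdefault((user, when.date()), {"bytes": 0, "minutes": set()})
        if rec["bytes"] >= self.bandwidth_bytes or len(rec["minutes"]) >= self.time_minutes:
            return "deny"                       # either exhausted quota blocks web access
        rec["bytes"] += nbytes
        rec["minutes"].add(when.replace(second=0, microsecond=0))
        return "allow"

def csr_quota():
    """The rule from Exercise 4: 1000 MB or 60 minutes a day, successfullKB.com exempt."""
    return QuotaPolicy({"alice", "bob"}, bandwidth_mb=1000, time_minutes=60,
                       exceptions=["*.successfullKB.com"])

if __name__ == "__main__":
    q = csr_quota()
    print(q.request("alice", "www.example.com", 600 * MB, "2017-01-10T09:00"))
    print(q.request("alice", "kb.successfullKB.com", 50 * MB, "2017-01-10T09:01"))
    print(q.usage_for("alice", "2017-01-10"))
```

The exception check runs before any counting, which is the behaviour the CSRs need: knowledge-base traffic never eats into the quota.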

Exercise 5 — Selectively Block Websites with WebBlocker Successful Company is pleased with the results of their purchase of spamBlocker. The network administrators decide to purchase the WebBlocker feature to enforce HR restrictions on what web content can be viewed during work hours.

You must have a WebBlocker feature key to complete these exercises.

Add a WebBlocker Action

You can choose one of three methods to activate WebBlocker from Policy Manager: the first is from the Actions menu, the second is from within the HTTP-proxy settings, and the third is with the Activate WebBlocker Wizard. In this exercise, we use the first method to configure the WebBlocker policy for the Successful Company network. To add a WebBlocker action:

1. Select Setup > Actions > WebBlocker. The WebBlocker Configurations dialog box appears.
2. Click Add. The New WebBlocker Configuration dialog box appears, with the Servers tab selected.
3. In the Name text box, type General Employees.
4. In the Description text box, type Everyone but the Executives and IT.

The WebBlocker action uses the Websense cloud by default, so no other server configuration is necessary.

If you want the Firebox to connect to the Websense cloud through an HTTP proxy server, you can configure that in the WebBlocker Global Settings in Fireware v11.12 and higher. To configure the WebBlocker Global Settings, in Policy Manager select Subscription Services > WebBlocker > Configure > Settings.

Select Categories to Block

Successful Company is very strict about sexual harassment, and about bias or intolerance regarding race, religion, or political beliefs. Obviously, the network administrator should block the sexual and hate speech categories; however, sites that belong to other categories might be a problem for the company as well.

1. Select the Categories tab.
2. Select the Adult Material check box. This blocks all the subcategories in the Adult Material list.
3. Select the Racism and Hate check box.
4. Scroll through the categories and select any others you think might be blocked at your company. For example, you can also block Spyware and Malicious Web Sites to help protect your network from malware.

Create an Exception

A website about advertising principles that has a section on Ravel’s Bolero is in the Adult Content category. However, this is a useful site for the Successful Company Marketing department. The network administrator wants to create a WebBlocker exception for this site.

In the New WebBlocker Configuration dialog box:

1. Select the Exceptions tab.
2. Click Add. The New WebBlocker Exception dialog box appears.
3. In the Match Type drop-down list, keep the default setting.
4. From the Type drop-down list, select Host IP Address.
5. In the Host IP Address text box, type 203.0.113.223. The Directory text box is automatically populated with /*. This unblocks all sites with the selected address.
6. Click OK. The new exception appears in the list. WebBlocker now allows access to this site even though its IP address is in the Adult Content category.
7. Click OK to close the New WebBlocker Configuration dialog box. The new configuration appears in the WebBlocker Configurations dialog box.
8. Click Close to close the WebBlocker Configurations dialog box. Policy Manager appears. You can now apply the WebBlocker action to any policy that uses the HTTP-proxy. You can apply the same WebBlocker action to more than one policy, or create different sets of WebBlocker rules for different groups in your organization.
9. Select Setup > Actions > Proxies. The Proxy Actions dialog box appears.
10. Select HTTP-Client.1. Click Edit. The Edit HTTP Proxy Action Configuration dialog box appears. In this exercise, we will add the General Employees WebBlocker action to our primary HTTP-Client ruleset.
11. In the Categories list, select WebBlocker. The WebBlocker page appears.

12. From the WebBlocker drop-down list, select General employees.
13. Click OK to close the Edit HTTP Proxy Action Configuration dialog box. The Proxy Actions dialog box appears.
14. Click Close to close the Proxy Actions dialog box. The change is automatically applied to all policies which use the HTTP-Client.1 proxy action ruleset.
15. Save the configuration file with the name WebTraffic-Done.

Enable WebBlocker Local Override

Successful Company has an employee who has a legitimate need to connect to websites that are blocked by the corporate WebBlocker policy. The network administrator decides to enable WebBlocker local override and give this user the local override password.

1. Select Setup > Actions > WebBlocker.
2. Select the General Employees WebBlocker configuration you created. Click Edit.
3. In the Edit WebBlocker Configuration dialog box, select the Advanced tab.
4. Select the Use this passphrase and inactivity timeout to control WebBlocker local override check box.
5. Type and confirm the local override Passphrase. The local override passphrase must be between eight and 32 characters.
6. Click OK to close the Edit WebBlocker Configuration dialog box.
7. Click Close to close the WebBlocker Configurations dialog box.
8. Save the configuration file.


WatchGuard Technologies, Inc.

Web Traffic

Exercise 6 — Set Up Reputation Enabled Defense

The Successful Company administrator wants to install Reputation Enabled Defense to further improve the performance and security of web browsing. In this exercise you enable Reputation Enabled Defense on the Successful Company Firebox. Before you begin this exercise:

- Make sure your device has a Reputation Enabled Defense feature key.
- Make sure the device has at least one HTTP proxy policy configured.

After the Successful Company network administrator adds the feature key and saves it to the Firebox, he opens the device configuration in Policy Manager to enable the service.

1. Select Subscription Services > Reputation Enabled Defense. The Reputation Enabled Defense dialog box appears.

2. Select an HTTP-proxy policy and click Enable. Reputation Enabled Defense is enabled for this policy, with the default settings.


3. Click Configure. The Reputation Enabled Defense settings for the selected policy appear.

When you enabled Reputation Enabled Defense for this policy, the Immediately block URLs that have a bad reputation check box and the Bypass any configured virus scanning for URLs that have a good reputation check box were both automatically selected.

4. Click Advanced.

You can change the reputation thresholds, but we recommend that you keep them at the default values initially. After you have used Reputation Enabled Defense for a period of time, you can adjust the thresholds if you find that either setting is too aggressive.

5. Click OK to accept the default reputation thresholds.

6. Click OK. The Reputation Enabled Defense dialog box closes. You must save your changes to the Firebox before they take effect.


Exercise 7 — See Reputation Enabled Defense Statistics

The Successful Company administrator has enabled Reputation Enabled Defense and wants to monitor its effectiveness. In this exercise you look at the statistics that show Reputation Enabled Defense activity since the last system restart.

Make sure your Firebox can run queries over UDP port 10108 to the WatchGuard reputation server in the cloud.

In WatchGuard System Manager:

1. To connect to your Firebox, click the connect icon.

2. Type your Firebox trusted IP address and the credentials for a user account with Device Monitor privileges. Click OK. The Firebox System Manager Front Panel tab appears.

3. Select the Subscription Services tab. The Subscription Services statistics page appears. Reputation Enabled Defense statistics appear at the bottom.

In this example, we can see that 91% of all requested URLs had a good reputation score, and did not require local scanning by Gateway AV. We can also see that 67% of the URLs visited had a reputation score stored in the local cache. This means that the RED service did not need to request the score from the WatchGuard reputation server.

If Gateway AV is enabled, it scans the content of websites that have an inconclusive reputation score. Those scan results are then sent to the Reputation Enabled Defense server as input for updated reputation scores for those URLs. This increases the likelihood that these URLs will have a more clearly good or bad reputation score in the future.

In this example, you can see that the total number of Reputation lookups is greater than the combined total number of URLs with good, bad, or inconclusive scores. This is because the Reputation lookups statistic counts all lookup attempts, even if a response was not received in time to avoid a local AV scan. If the HTTP proxy does not receive a timely response to a reputation lookup request, it scans the content locally. When this happens, the lookup is added to the Reputation lookups total, but is not added to the total of good, bad, or inconclusive scores.


You can also see that the percentages shown in this example for good, bad, and inconclusive scores do not add up to 100%. This is because these scores are calculated as a percentage of the total number of reputation lookups.

If your statistics show that the number of good, bad, and inconclusive scores are zero, but the number of Reputation lookups is high, this means that the reputation lookup attempts did not result in timely responses from the WatchGuard reputation server. Make sure your Firebox can send queries over UDP port 10108 to the WatchGuard reputation servers.
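To make the arithmetic behind these counters concrete, here is an added Python model (not Firebox code) that classifies constructed lookup results the way the statistics page does and applies the connectivity check above; the score thresholds of 90 (bad) and 10 (good), the sample URLs and their scores are assumptions for the example.

```python
"""Model of how Reputation Enabled Defense (RED) lookup results produce the
Subscription Services statistics described above. Added example with
constructed lookup outcomes; it is not Firebox code."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Thresholds assumed for this example: a higher score means a worse reputation
# (cf. question 11 in the quiz), so a score at or above BAD_THRESHOLD is blocked
# outright and a score at or below GOOD_THRESHOLD skips the local Gateway AV scan.
BAD_THRESHOLD = 90
GOOD_THRESHOLD = 10


@dataclass
class Lookup:
    url: str
    score: Optional[int]       # None: no timely answer from the reputation server
    from_cache: bool = False   # score was already in the local cache


def classify(score: Optional[int]) -> str:
    """Map one lookup result to the bucket shown in the statistics."""
    if score is None:
        return "timeout"
    if score >= BAD_THRESHOLD:
        return "bad"
    if score <= GOOD_THRESHOLD:
        return "good"
    return "inconclusive"


def disposition(lookup: Lookup, block_bad: bool = True, gav_enabled: bool = True) -> str:
    """What the HTTP proxy does with the request, given the two RED check boxes."""
    bucket = classify(lookup.score)
    if bucket == "bad" and block_bad:
        return "block"
    if bucket == "good":
        return "bypass-av"                           # good reputation: no local scan
    return "scan" if gav_enabled else "allow"        # inconclusive or no reply: scan locally


def red_statistics(lookups):
    """Reproduce the Subscription Services counters: every attempt is a lookup,
    but only answered lookups land in the good/bad/inconclusive totals."""
    total = len(lookups)
    buckets = Counter(classify(lk.score) for lk in lookups)
    cache_hits = sum(1 for lk in lookups if lk.from_cache)

    def pct(n):
        # percentages are relative to all lookups, so they need not sum to 100
        return round(100 * n / total) if total else 0

    return {
        "lookups": total,
        "good": buckets["good"],
        "bad": buckets["bad"],
        "inconclusive": buckets["inconclusive"],
        "good_pct": pct(buckets["good"]),
        "bad_pct": pct(buckets["bad"]),
        "inconclusive_pct": pct(buckets["inconclusive"]),
        "cache_pct": pct(cache_hits),
    }


def diagnose(stats) -> str:
    """The check suggested above: many lookups but no scored results means the
    reputation server is not answering in time."""
    scored = stats["good"] + stats["bad"] + stats["inconclusive"]
    if stats["lookups"] > 0 and scored == 0:
        return ("no timely responses: verify the Firebox can send queries over "
                "UDP port 10108 to the WatchGuard reputation servers")
    return "ok"


# Constructed sample: 12 requests, 2 of which got no reply in time.
SAMPLE_LOOKUPS = [
    Lookup("www.example.com/index.html", 2, from_cache=True),
    Lookup("www.example.com/news", 4, from_cache=True),
    Lookup("cdn.example.net/lib.js", 1, from_cache=True),
    Lookup("www.example.org/", 5, from_cache=True),
    Lookup("static.example.org/logo.png", 3, from_cache=True),
    Lookup("docs.example.com/guide", 8),
    Lookup("www.example.com/about", 6),
    Lookup("mail.example.com/inbox", 9),
    Lookup("downloads.example.net/tool.exe", 95),   # bad: blocked outright
    Lookup("blog.example.net/post/1", 50),          # inconclusive: local AV scan
    Lookup("files.example.org/a.zip", None),        # timed out: local AV scan
    Lookup("files.example.org/b.zip", None),
]

if __name__ == "__main__":
    stats = red_statistics(SAMPLE_LOOKUPS)
    print(stats, diagnose(stats))
    for lk in SAMPLE_LOOKUPS:
        print(f"{lk.url:35} -> {disposition(lk)}")
```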

Frequently Asked Questions

Can I get a report of HTTP traffic on my Firebox device?

Yes. In the General Settings category for the HTTP-proxy, select the Enable logging for reports check box. The Firebox creates a log message for each HTTP transaction. You can use Log and Report Manager to get detailed reports on HTTP traffic.


Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. Circle the proxy action to use for each task:

A) Prevent users from downloading batch (*.bat) files from the Internet: HTTP-Client | HTTP-Server | Other

B) Strip .zip files from email messages: HTTP-Client | HTTP-Server | Other

C) Block incoming HTTP GET requests: HTTP-Client | HTTP-Server | Other

D) Apply WebBlocker to prevent users from browsing to websites with nudity: HTTP-Client | HTTP-Server | Other

E) Configure the message users see when they attempt to browse to blocked URLs: HTTP-Client | HTTP-Server | Other

F) Resolve domain names for websites: HTTP-Client | HTTP-Server | Other

2. Fill in the blank: For better security, place your public web server on the __________ network.


3. In the following image, all of the URL Path entries are set to Deny if matched.

With this configuration, which websites will the Firebox block? (Select all that apply.)

A) terrificsex.com
B) allthemusic.bittorrent.com
C) sex.thegoodstuff.com
D) www.trumpets.org
E) prevent.pornography.org
F) www.microsoft.com/porno/msupdate.asp
G) www.microsoft.com/patches/porno.exe
H) www.bittorrent.com
I) singing.napster.com
J) napster.communication.net
K) troubleshootingwinxp.hardcore.com

4. True or false? WebBlocker adds URL filtering to the SMTP-proxy policy.

5. How does the Firebox contact the Websense cloud server for URL categorization lookups?

A) UDP
B) HTTP
C) SSL
D) PPTP

6. True or false? An exception to the WebBlocker rules allows a site that is normally blocked to be viewed, or a site that is normally viewed to be blocked.

7. Employees can view the website 10.0.1.19, except for its pages on politics. If the site's pages on politics all have the word politics somewhere in the path, what do you type in the Pattern text box?

8. True or false? You can allow a user to bypass the WebBlocker restrictions.


9. True or false? Users do not have to be authenticated to the Firebox to enforce bandwidth and time quotas on their web traffic.

10. The reputation score for a URL is based on which of the following? (Select all that apply.)

A) Results from Kaspersky anti-virus scans.
B) Results from AVG anti-virus scans.
C) Feedback from devices around the world.
D) URLs on the Reputation Enabled Defense black list.
E) Results of local Gateway AV scans on your Firebox.

11. Which of the following URL reputation scores indicates that a site is most likely to contain a threat? (Select one.)

A) 95
B) 50
C) 5


ANSWERS

1. A) HTTP-Client; B) Other; C) HTTP-Server; D) HTTP-Client; E) HTTP-Client; F) Other
2. Optional (also known as a DMZ)
3. B, C, E, F, G, H, I, K
4. False
5. B
6. True
7. 10.0.1.19/*politics*
8. True
9. False
10. A, B, C, E
11. A


Signature Services and APT Blocker

Block Threats with Signature Services and APT Blocker

What You Will Learn

WatchGuard Gateway AntiVirus, Data Loss Prevention (DLP), Intrusion Prevention Service (IPS), Application Control, and Botnet Detection are signature-based services. Gateway AntiVirus and IPS identify and stop possible viruses and intrusions. Application Control enables you to monitor and control application usage on your network. DLP helps you to detect, monitor, and prevent accidental unauthorized transmission of confidential information outside your network. Botnet Detection uses a list of known botnet site IP addresses to block access to botnet servers from infected clients. APT Blocker uses non-signature cloud-based full system emulation analysis to find advanced malware in email, web, and FTP traffic. In this module, you learn how to:

- Understand how signature services work to protect your network
- Set up and configure Gateway AntiVirus
- Set up and configure APT Blocker
- Set up and configure Data Loss Prevention
- Set up and configure the Intrusion Prevention Service
- Set up and configure Application Control
- Set up and configure Botnet Detection

Before you begin these exercises, make sure you read the Course Introduction module. In this module, you will configure optional features of the Firebox. To configure these services, you must first purchase a feature key for Gateway AntiVirus, Data Loss Prevention, Intrusion Prevention Service, Application Control, APT Blocker, and Botnet Detection. In addition, to activate the key you must have access to a Firebox. If you take this course with a WatchGuard Certified Training Partner, your instructor will provide you with both a Firebox and a feature key to enable these services.


Identify and Stop Viruses at the Edge of Your Network

In the Threat Protection module, we learned that the Firebox includes methods to secure your network from zero-day threats using tools such as blocked sites, blocked ports, and default packet handling options. Often, these threat protection measures protect your network, but at the cost of closing off an entire port and protocol. In our example, we turned off all RSH traffic to protect the Successful Company network from an RSH exploit. While this method is very effective, it is not generally a good long-term solution. Yet, it may be weeks, even months, before a vendor builds a patch to fix the vulnerability. In the interim, you can use a signature-based service to identify and block the exploit code while otherwise allowing the traffic. Signature-based protection services are much quicker for a vendor to update because they do not require a fix to the vulnerability itself. All an engineer must do is identify a unique string of text or code that marks the exploit and then block it.

APT Blocker is a non-signature based service that supplements the signature-based services. Because APTs leverage the latest targeted malware techniques and zero-day exploits (flaws which software vendors have not yet discovered or fixed) to infect and spread within a network, traditional signature-based scan techniques do not provide adequate protection against these threats. APT Blocker is a subscription service that uses cloud-based full system emulation analysis by our solution partner Lastline to identify the characteristics and behavior of APT malware in files and email attachments that enter your network.


WatchGuard Gateway AntiVirus, Intrusion Prevention Service, APT Blocker, and Botnet Detection protect against these categories of threats:

- AntiVirus — Identifies viruses and trojans brought into your network through email, web browsing, TCP connections, or FTP downloads.
- IPS — Identifies direct attacks on your network applications or operating system.
- APT Blocker — Identifies advanced malware brought into your network through email, web browsing, or FTP traffic.
- Botnet Detection — Stops infected botnet clients from communicating with botnet servers.

AntiVirus Scans User Traffic for Viruses and Trojans

WatchGuard Gateway AntiVirus scans different types of traffic according to which proxy or proxies you use the feature with:

- Email — With the SMTP or POP3 proxy, Gateway AntiVirus finds viruses encoded with frequently used email attachment methods. These include base64, binary, 7-bit, 8-bit encoding, and uuencoding.
- Web — With the HTTP proxy, Gateway AntiVirus scans web pages and any uploaded or downloaded files for viruses.
- TCP — With the TCP proxy, Gateway AntiVirus can scan HTTP traffic on dynamic ports. It recognizes that traffic and forwards it to the default or user-defined HTTP proxy to perform antivirus scanning.
- FTP — With the FTP proxy, Gateway AntiVirus finds viruses in uploaded or downloaded files.

Configure Gateway AntiVirus Actions

When you enable Gateway AntiVirus, you must set the actions to be taken if a virus or error is found in an email message (SMTP or POP3 proxies), web traffic (HTTP or TCP proxies), or uploaded or downloaded files (FTP proxy). The options for antivirus actions are:

Allow
Allows the packet to go to the recipient, even if the content contains a virus.

Deny (FTP proxy only)
Denies the file and sends a deny message to the sender.

Lock (SMTP and POP3 proxies only)
Locks the attachment. A file that is locked cannot be opened by the user. Only the administrator can unlock the file. The administrator can use a different antivirus tool to scan the file and examine the content of the attachment.

Quarantine (SMTP proxy only)
If you use the SMTP proxy, you can send email messages with a virus or possible virus to the Quarantine Server.

Remove (SMTP and POP3 proxies only)
Removes the attachment and allows the message and any other safe attachments to go to the recipient.


Drop (not supported in POP3 proxy)
Drops the packet and drops the connection. No information is sent to the source of the message.

Block (not supported in POP3 proxy)
Blocks the packet, and adds the IP address of the sender to the Blocked Sites list.

In addition, Gateway AntiVirus can scan traffic that matches rules in several categories in each proxy. In the Proxy Configuration dialog box, in the Categories list, click one of these categories to get access to the ruleset:

FTP Proxy
- Download
- Upload

SMTP Proxy
- Content Types
- File names

POP3 Proxy
- Content Types
- File names

HTTP Proxy
- Requests: URL Paths
- Responses: Content Types
- Responses: Body Content Types

TCP-UDP Proxy (HTTP on dynamic ports)
- Requests: URL Paths
- Responses: Content Types
- Responses: Body Content Types

Use Gateway AntiVirus with Compressed Files

In the Gateway AntiVirus configuration settings, you can select the number of compression levels to scan in a file during a virus scan. If you enable decompression, we recommend that you keep the default setting of three levels, unless your organization must use a larger value. If you specify a larger number, your Firebox could send traffic too slowly. Gateway AntiVirus supports the scanning of up to six compression levels. If Gateway AntiVirus detects that the archive depth is greater than the value set in this field, it generates a scan error for the content. The Firebox cannot scan encrypted files or files that use a type of compression that Gateway AV does not support, such as password-protected ZIP files.


Block Advanced Malware with APT Blocker

An Advanced Persistent Threat (APT) is a type of network attack where advanced malware is used to gain access to networks and access confidential data. APTs leverage the latest targeted malware techniques and zero-day exploits (flaws which software vendors have not yet discovered or fixed) to infect and spread within a network. APT malware is designed to reside within a network for extended periods of time and evade detection by hiding its communications and removing evidence of its presence. APT Blocker uses cloud-based scanning with our partner Lastline to detect malware in attachments and files. You can use APT Blocker with these proxies:

- Email — With the SMTP or POP3 proxy, APT Blocker finds advanced malware in email attachments.
- Web — With the HTTP proxy, APT Blocker scans web content and any uploaded or downloaded files for advanced malware.
- FTP — With the FTP proxy, APT Blocker detects advanced malware in uploaded or downloaded files.

APT Blocker and Gateway AntiVirus APT Blocker uses the same scan process as Gateway AntiVirus. You must enable Gateway AntiVirus on your Firebox to enable APT Blocker on the device. If a proxy policy is configured to enable Gateway AntiVirus to scan the traffic through the policy, you can also scan the traffic with APT Blocker. Only files that have been scanned and processed as clean by Gateway AntiVirus are scanned by APT Blocker. APT Blocker scans compatible file types if they are enabled in the Gateway AntiVirus configuration.

APT Blocker Threat Levels

APT Blocker categorizes APT activity based on the severity of the threat:

- High
- Medium
- Low
- Clean

The High, Medium, and Low threat levels indicate the severity of malware. We recommend you consider all these threat levels as malware and use the default action of Drop. The Clean threat level indicates the file was scanned by the initial file hash check or by upload to the Lastline cloud data center, and determined to be free of malware. The Clean threat level helps you track the status of files analyzed by Lastline that are determined to be clean and do not contain malware.


Configure APT Blocker Actions

When you enable APT Blocker, you must set the actions to be taken based on the threat level of the detected malware:

Allow
Allows and delivers the file or email attachment to the recipient, even if the content contains detected malware.

Drop
Drops the connection. No information is sent to the source of the message. For the SMTP-proxy and POP3-proxy, the attachment is stripped before the message is delivered to the recipient.

Block
Blocks the connection, and adds the IP address of the sender to the Blocked Sites list. For the SMTP-proxy and POP3-proxy, the attachment is stripped before the message is delivered to the recipient.

Quarantine (SMTP proxy only)
When you use the SMTP-proxy with APT Blocker, you can send email messages to the Quarantine Server. The SMTP-proxy removes the part of the message that triggered APT Blocker and sends the modified message to the recipient. The removed part of the message is replaced with the deny message that is configured in the proxy action settings. For the HTTP-proxy and FTP-proxy, this action is converted to a Drop action. For the POP3-proxy, this action is converted to a Strip action.

APT Blocker Notifications and Alarms It is critical that you are made aware of any advanced malware that has entered your network. If a certain file has never been seen before, it is sent to the Lastline cloud service for advanced analysis. This analysis can take several minutes to complete before the results are returned. During this time the file is allowed through to its destination. Make sure you enable alarm notifications and logging options when you configure APT Blocker. When the scan results are returned, and advanced malware is detected, you need to know immediately when there is malware in your network.

APT Blocker Scan Limits The maximum size of files that APT Blocker sends to Lastline for analysis is based on the Gateway AntiVirus scan limit. The default scan limit is 1 MB for most Fireboxes. Firebox T10 and XTM 2 Series have a default of 512 KB. Although APT Blocker cannot scan and analyze partial files, most malware is delivered in files smaller than 1 MB in size. Larger files are less likely to spread quickly in a viral manner. Lastline accepts files of up to 10 MB in size for analysis. If you set the Gateway AntiVirus scan limit higher than 10 MB, APT Blocker does not send the file to Lastline and generates the log message "file size exceeds the submission size limit".
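As an added illustration of the compression-level and scan-limit rules from the Gateway AntiVirus section above, and of the hand-off to APT Blocker described here, this Python model (not WatchGuard code) builds nested ZIP archives in memory and applies those rules; the signature marker, the entry names and the use of the ZIP encryption flag to stand in for a password-protected archive are constructed for the example.

```python
"""Gateway AntiVirus archive-depth handling and the hand-off to APT Blocker,
modelled on the behaviour described above. Added example; the scan engine is
a stand-in (a constructed byte marker instead of real AV signatures)."""
import io
import zipfile

MAX_SUPPORTED_LEVELS = 6            # Gateway AV scans at most six compression levels
DEFAULT_LEVELS = 3                  # recommended default
DEFAULT_SCAN_LIMIT = 1024 * 1024    # 1 MB default scan limit on most Fireboxes
LASTLINE_LIMIT = 10 * 1024 * 1024   # Lastline accepts files up to 10 MB
# Constructed stand-in for a virus signature; content containing it is "infected".
SAMPLE_SIGNATURE = b"CONSTRUCTED-GAV-TEST-SIGNATURE"


def build_nested_zip(depth: int, payload: bytes = b"quarterly report") -> bytes:
    """Constructed sample: wrap payload in `depth` nested ZIP archives."""
    data = payload
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("inner.bin" if level == 0 else "inner.zip", data)
        data = buf.getvalue()
    return data


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed sample: set the 'encrypted' general-purpose flag (bit 0) in
    the local and central headers of a single-entry archive, so the reader
    sees a password-protected entry without a real password being involved."""
    b = bytearray(zip_bytes)
    local = b.find(b"PK\x03\x04")      # local file header: flags at offset 6
    central = b.find(b"PK\x01\x02")    # central directory header: flags at offset 8
    b[local + 6] |= 1
    b[central + 8] |= 1
    return bytes(b)


def scan_object(data: bytes, levels: int = DEFAULT_LEVELS,
                scan_limit: int = DEFAULT_SCAN_LIMIT) -> str:
    """Return 'clean', 'virus', 'scan_error' or 'exceeds_scan_limit'."""
    if not 1 <= levels <= MAX_SUPPORTED_LEVELS:
        raise ValueError("decompression levels must be between 1 and 6")
    if len(data) > scan_limit:
        return "exceeds_scan_limit"     # only part of the object could be scanned
    return _scan(data, depth=0, levels=levels)


def _scan(data: bytes, depth: int, levels: int) -> str:
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "virus" if SAMPLE_SIGNATURE in data else "clean"
    if depth >= levels:
        return "scan_error"             # archive depth greater than configured levels
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                return "scan_error"     # password-protected ZIP: cannot be scanned
            verdict = _scan(zf.read(info), depth + 1, levels)
            if verdict != "clean":
                return verdict
    return "clean"


def apt_blocker_submission(gav_verdict: str, size: int,
                           scan_limit: int = DEFAULT_SCAN_LIMIT) -> str:
    """Decide whether a file goes on to Lastline after the Gateway AV pass."""
    if gav_verdict != "clean":
        return "not-submitted: only files Gateway AV processed as clean reach APT Blocker"
    if size > scan_limit:
        return "not-submitted: APT Blocker cannot analyze partial files"
    if size > LASTLINE_LIMIT:
        return "not-submitted: file size exceeds the submission size limit"
    return "submitted"


if __name__ == "__main__":
    for depth in (3, 4):
        print(f"{depth} nested levels, default setting ->", scan_object(build_nested_zip(depth)))
    print("password-protected ->", scan_object(mark_encrypted(build_nested_zip(1))))
    clean = build_nested_zip(2)
    print("APT Blocker ->", apt_blocker_submission(scan_object(clean), len(clean)))
```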


Control the Loss of Sensitive Data

Data Loss Prevention (DLP) is a security service that helps you to control the loss of confidential and sensitive data from your network. DLP can help prevent the loss (often accidental) of sensitive and personally identifiable information, such as credit cards, national identity numbers, bank account information, and health records. Like Gateway AV, DLP scans content for specific patterns and compares the content to signatures. DLP scans content that leaves your network. It does not scan files and messages that come in to your network from an external location. WatchGuard DLP works together with proxy policies on your Firebox to scan outbound content over email, web, and FTP.

DLP uses content control rules to identify sensitive content. When DLP identifies content that matches enabled DLP content control rules, the content is treated as a DLP violation. You can choose what action the Firebox takes for DLP violations in email and non-email traffic. You can also configure DLP to take different actions based on the source and destination of the traffic.

DLP Content Control Rules

DLP includes over 200 predefined rules you can use to identify personally identifiable data for 18 regions. A content control rule is a set of conditions that describes content that the rule can identify in a file. Content control rules are based on the DLP signature set, and are updated over time as the DLP signatures are updated. Some rules are global, and some apply to a specific region. Here are a few examples of content control rules:

- Bank routing numbers
- Confidential document markers
- Medical patient forms
- National identification numbers
- Social security numbers
- Drivers license numbers
- Postal addresses
- Telephone numbers

Each rule has an associated quantity. The quantity is a measure of the weighted number of matches the rule must find in a scanned object to trigger a DLP violation. You can see the quantities for each rule on the WatchGuard Security Portal, at http://www.watchguard.com/SecurityPortal/. DLP rules internally use weights to adjust the number of matches required, and to adjust the sensitivity of the rule to text that matches each of several expressions within the rule. The quantity associated with a rule does not always correspond exactly to the number of text matches in the scanned content required to trigger the rule.


DLP Custom Rule

You can also define a custom rule with DLP to scan your network traffic for special phrases specific to your organization. This allows you to define any type of text to search for instead of being limited to the predefined rules. For example, your organization may use security classifications that appear in the header text of documents and email messages, such as Classification: Confidential. You can use these classifications with a DLP custom rule to monitor your network traffic and make sure that sensitive documents and messages that contain these phrases do not leave your network.

DLP Text Extraction and File Types

DLP can extract and analyze text from over 30 different file types, to determine if content matches selected content control rules. DLP can extract and scan text from these file types:

- Adobe PDF, RTF
- Microsoft PowerPoint 2000, 2003, 2007, 2010
- Microsoft Excel 2000, 2003, 2007, 2010
- Microsoft Word 2000, 2003, 2007, 2010
- Microsoft Project 2000, 2003, 2007, 2010
- Microsoft Visio 2000, 2003, 2007, 2010
- Microsoft Outlook .MSG
- Microsoft Outlook Express .EML
- OpenOffice Calc
- LibreOffice Calc
- OpenOffice Impress
- OpenOffice Writer
- LibreOffice Impress
- LibreOffice Writer
- HTML

DLP on XTM 2 Series and 3 Series does not include text extraction. Without text extraction, DLP scans the email message body and text files, but has a limited ability to read text from other file types.


DLP and Proxy Actions

You can enable DLP for the WatchGuard SMTP, FTP, and HTTP proxy actions. DLP scans different types of traffic based on which proxy policies you use the proxy action with:

- SMTP proxy action — DLP scans content in email messages and attachments.
- FTP proxy action — DLP scans content in downloaded and uploaded files.
- HTTP proxy action — DLP scans HTTP and HTTPS traffic, including downloaded and uploaded files.

For DLP to scan HTTPS content, you must enable content inspection in the HTTPS proxy action, and configure the HTTPS proxy action to use an HTTP proxy action with Data Loss Prevention configured.

DLP Sensors

To configure DLP, you define a DLP sensor. In each DLP sensor, you enable one or more of the predefined content control rules, and configure the action to take if data is detected that matches the selected rules. You can configure different actions for email and non-email traffic, and different actions based on the source or destination of the traffic. In the DLP sensor you also configure the scan limit, and the action to take for objects that cannot be scanned. You can use the same sensor for multiple proxy policies, or you can create different sensors to use for different policies. DLP includes two built-in sensors:

- HIPAA Audit Sensor — Detects content related to compliance with HIPAA security standards
- PCI Audit Sensor — Detects content related to compliance with PCI security standards

These built-in sensors are configured to allow all traffic, and to create a log message each time they detect content that matches the content control rules.

Content Control Rules

For each DLP sensor, you select which of the predefined content control or custom rules to enable. Because DLP scanning can be very resource intensive, we recommend that you enable only the rules you need. If you enable a large number of rules in a DLP sensor, the performance of the Firebox could be noticeably affected.


DLP Actions

For each DLP sensor, you select actions to take for DLP violations detected in email and non-email content. If you enable both Gateway AV and DLP for the same policy, the Gateway AV scan result action takes precedence over the DLP action. The actions you can select in DLP are:

- Allow — Allows the connection or email
- Deny — Denies the request and drops the connection. A notification is sent to the source of the content.
- Drop — Denies the request and drops the connection. No information is sent to the source of the content.
- Block — Denies the request, drops the connection, and adds the IP address of the content source or sender to the Blocked Sites list.
- Lock — (Email content only) Locks the email attachment. A file that is locked cannot be opened easily by the user. Only the administrator can unlock the file.
- Remove — (Email content only) Removes the attachment and allows the message to be sent to the recipient.
- Quarantine — (Email content only) Sends the email message to the Quarantine Server.

When an email is quarantined by DLP, the message does not appear in the Quarantine Email Web UI for the recipient. The administrator can select Tools > Quarantine Server Client in WatchGuard System Manager to see and manage messages quarantined by DLP.

DLP Settings

For each DLP sensor, you can configure the scan limit, which controls how much of a file or object to scan. You can also configure the actions to take if content cannot be scanned for any of these reasons:

- content size exceeds the scan limit
- a scan error occurs
- content is password protected

For each of these three conditions, you can select a DLP action for content detected in email and non-email traffic. If Gateway AV and DLP are both enabled for the same policy, the Gateway AV scan result action takes precedence over the DLP action.

DLP and Gateway AV use the same scan engine. If you enable DLP and Gateway AV for the same proxy action, the larger configured scan limit is used for both services.
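The following added Python model (not WatchGuard code) ties together the DLP concepts above: weighted content control rules with a quantity, a custom classification-marker rule, per-sensor email and non-email actions, unscannable-content actions, and Gateway AV precedence. The rule patterns, weights, quantities and sample text are constructed assumptions, not the real DLP signature set.

```python
"""Model of a DLP sensor as described above: weighted content control rules with
a quantity threshold, per-traffic-type actions, unscannable-content actions and
the Gateway AV precedence rule. Added example; the rules and the sample text are
constructed and are not WatchGuard's DLP signatures."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ContentRule:
    name: str
    patterns: Dict[str, int]   # regex -> weight of each match
    quantity: int              # weighted matches needed to trigger a violation

    def weighted_matches(self, text: str) -> int:
        return sum(weight * len(re.findall(pattern, text))
                   for pattern, weight in self.patterns.items())

    def violated(self, text: str) -> bool:
        return self.weighted_matches(text) >= self.quantity


# Constructed rules. BANK shows why the quantity is not a plain match count:
# a bare nine-digit number weighs 1, but each ABA/routing keyword weighs 2.
US_SSN = ContentRule("Social security numbers", {r"\b\d{3}-\d{2}-\d{4}\b": 1}, quantity=3)
BANK = ContentRule("Bank routing numbers",
                   {r"\b\d{9}\b": 1, r"(?i)\bABA\b|\brouting\b": 2}, quantity=4)
CLASSIFIED = ContentRule("Custom: classification marker",
                         {r"Classification:\s*Confidential": 5}, quantity=5)


@dataclass
class DlpSensor:
    name: str
    rules: List[ContentRule]
    email_action: str = "allow"
    non_email_action: str = "allow"
    scan_limit: int = 1024 * 1024
    # actions for content that cannot be scanned (too large, scan error, password protected)
    unscannable_email_action: str = "allow"
    unscannable_non_email_action: str = "allow"
    log_only: bool = False   # built-in HIPAA/PCI audit sensors: allow everything, log matches

    def evaluate(self, content: str, is_email: bool, gav_action: Optional[str] = None,
                 password_protected: bool = False,
                 scan_error: bool = False) -> Tuple[str, List[str]]:
        """Return (action, names of violated rules); the caller logs the names."""
        if gav_action is not None:
            return gav_action, []          # Gateway AV result takes precedence over DLP
        if len(content) > self.scan_limit or password_protected or scan_error:
            return (self.unscannable_email_action if is_email
                    else self.unscannable_non_email_action), []
        matched = [rule.name for rule in self.rules if rule.violated(content)]
        if not matched or self.log_only:
            return "allow", matched
        return (self.email_action if is_email else self.non_email_action), matched


# Constructed sample content.
PAYROLL = ("Payroll export\nA. Example 123-45-6789\n"
           "B. Example 987-65-4321\nC. Example 555-12-3456\n")
WIRE = "Please wire to ABA routing number 021000021 by Friday."
INVOICE = "Invoice reference 021000021, net 30."

OUTBOUND = DlpSensor("Corporate outbound", [US_SSN, BANK, CLASSIFIED],
                     email_action="quarantine", non_email_action="drop",
                     unscannable_email_action="lock", unscannable_non_email_action="deny")
PCI_AUDIT = DlpSensor("PCI Audit Sensor", [BANK], log_only=True)

if __name__ == "__main__":
    for text in (PAYROLL, WIRE, INVOICE):
        print(OUTBOUND.evaluate(text, is_email=False))
    print(PCI_AUDIT.evaluate(WIRE, is_email=True))
```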


Intrusion Prevention Service Blocks Direct Attacks

An intrusion occurs when someone launches a direct attack on your computer. Usually the attack exploits a vulnerability in an application or operating system. These attacks are intended to cause damage to your network, get sensitive information, or use your computers to attack other networks. The Intrusion Prevention Service includes a set of signatures associated with specific commands or text found in commands that could be harmful. You configure the Intrusion Prevention Service globally, and then you can enable or disable it for individual policies in your configuration.

IPS Scan Modes

IPS can operate in one of two modes.

Full Scan
IPS scans all packets for traffic handled by policies with IPS enabled. This mode is the most secure, but there is a trade-off with performance.

Fast Scan
IPS scans fewer packets to improve performance. This option greatly improves the throughput for scanned traffic, but does not provide the comprehensive coverage of Full Scan mode. This is the default mode.

IPS Threat Levels and Actions

IPS groups intruder threats into five threat levels: Critical, High, Medium, Low, and Information. When you enable IPS, you can configure the action that the Firebox takes for content that matches IPS signatures at different threat levels. The actions IPS can take for each threat level are:

Allow
Allows the content, even if it matches an IPS signature.

Drop
Drops the content and drops the connection. No information is sent to the sender.

Block
Blocks the packet, and adds the source IP address to the Blocked Sites list.

By default, IPS drops and logs all traffic that matches an IPS signature at the Critical, High, Medium, or Low threat level.

XTM 21, 22, and 23 devices do not support scanning of HTTPS content.


IPS and Policies

When you enable IPS, it is enabled for all policies by default. You can selectively disable it for specific policies, if needed. You can also configure exceptions, if an IPS signature blocks content that you want to allow. If you enable IPS for an HTTPS proxy policy, you must also enable content inspection in the HTTPS proxy action, in order for IPS to scan the HTTPS content.

Get Information About IPS Signatures

To get information about IPS signatures and the threats they protect against, you can look up the IPS signature on the WatchGuard Intrusion Prevention Service (IPS) Security Portal. On the IPS Security Portal you can search for a signature by name or ID, and see links to additional information about the threat.

Control and Monitor Application Usage on Your Network

Application Control is a subscription service that enables you to monitor and control the use of web-based applications on your network. Application Control uses signatures that can identify and block over 1800 applications, organized by category. The Application Control signatures are updated frequently to identify new applications and to stay current with changes to existing applications. With Application Control, you can decide which applications to allow or block. You can block the use of specific applications, and you can report on application usage and usage attempts. For some applications, you can configure Application Control to selectively allow some application behaviors (such as chat), but block others (such as file transfer).

You can learn more about Traffic Management in the Advanced Networking course.

If you have configured Traffic Management actions, you can also use Traffic Management actions in the Application Control action to control the bandwidth used for allowed application traffic. When Application Control blocks HTTP content that matches an Application Control action, the user who requested the content sees an Application Control deny message in the browser. The deny message says that the content was blocked because the application was not allowed. The message is not configurable. For HTTPS or other types of content blocked by Application Control, the content is blocked, but the deny message is not displayed.


Application Control Actions and Policies
You configure Application Control globally, but it is not used by a policy unless you enable it. You can define several Application Control actions, then apply each Application Control action to one or more policies in your configuration. The flexibility offered by policy-based Application Control enables you to exercise granular control over the use of applications on your corporate network. For example, you can:
n Block YouTube, Skype, and QQ
n Block P2P applications for users who are not part of the management team
n Allow the marketing department to use social networking sites such as Facebook and Twitter
n Allow use of Windows Live Messenger for instant messaging, but disallow file transfer over Windows Live Messenger
n Limit the use of streaming media applications to specific hours
n Report on the use (or attempted use) of applications by any individual in the company
n Limit the bandwidth used by certain applications with traffic management

In addition to the per-policy Application Control actions, you also define a Global Application Control action that can be the default Application Control action if traffic does not match the Application Control action applied to a policy. In this way, you can implement a tiered Application Control strategy, with the Global Application Control action acting as the “fall-back” action to set policy for applications that do not match another specific Application Control action.

Configure Application Control When you define an Application Control action, you select which applications or application categories to control. Then you select an action for each application, and a default action to use if Application Control detects an application that does not have an action configured.

Per-Application Action
For each application or application category selected in an Application Control action, you can select one of these actions:
n Drop — Block the use of the selected application.
n Allow — Allow the use of the selected application.

If you have created Traffic Management actions, you can also use Traffic Management actions to control the bandwidth used for allowed application traffic.

Default Action
In each Application Control action, you also define a default action, to take if the application does not match the applications configured in the Application Control action. Those actions are:
n Drop — Block the connection.
n Allow — Allow the connection.
n Global — Use the Global Application Control action.


When you set the default action to Global, if traffic does not match the applications specified in the Application Control action, Application Control compares the traffic to the applications specified in the Global Application Control action. If the traffic does not match the applications in the Global Application Control action, Application Control uses the default action in the Global Application Control action.

Apply the Application Control Action to a Policy
After you define your Application Control actions, you must apply each one to one or more policies. You can assign one Application Control action per policy. The specific policies you must apply an Application Control action to depend on which policies exist in your configuration, and which types of applications you want to block. To control the many applications that use HTTP, you should apply the Application Control action to an HTTP policy. To block an application that you know uses FTP, you must apply the Application Control action to the FTP policy. We recommend that you enable Application Control for these types of policies:
n Any outbound policy that handles HTTP or HTTPS traffic
n VPN policies that use 0.0.0.0/0 routes (default-route VPNs)
n Any outbound policy if you are not sure how the policy is used
n Policies that use the ‘Any’ protocol
n Policies that use an ‘Any-*’ alias, for example Allow ‘Any-Trusted’ to ‘Any-External’, on a specific port/protocol

It is not necessary to enable Application Control for a policy if you control the network on both sides of the traffic flow the policy handles. Some examples of these types of policies include policies that handle traffic for POS systems, Intranet web applications, or internal databases and traffic in a DMZ. It is also usually unnecessary to enable Application Control for policies that are restricted by port and protocol and that only allow a known service. Some examples of these types of policies:
n Default WatchGuard policies
n DNS traffic
n RDP
n VoIP — SIP and H.323 application layer gateways

If you enable Application Control for an HTTPS proxy policy, you must also enable content inspection in the HTTPS proxy action. This is required for Application Control to detect applications over an HTTPS connection. Application Control scanning of HTTPS content is not supported on XTM 21, 21-W, 22, 22-W, 23, and 23-W devices.

Monitor Application Usage When you enable Application Control for a policy, the Firebox always identifies and creates a log message for applications dropped due to an Application Control action. If you want to monitor all application use, you must configure the Firebox to create a log message for all identified applications, even those that are not blocked. To do this, you must configure the policy to send a log message for allowed packets. After Application Control and logging of allowed packets have been enabled in your policies for a period of time, you can use Log and Report Manager to run Application Control reports that summarize information about the applications used on your network. WatchGuard recommends that you first use Application Control to monitor application use for a period of time to help you understand which applications are used on your network. Then you can decide which applications you want to block.


Get Information About Applications When you configure Application Control, or when you look at Application Control reports, you might see application names you are not familiar with. To see information about any application that Application Control can identify, you can look up the application on the WatchGuard Application Control Security Portal at http://www.watchguard.com/SecurityPortal/AppDB.aspx.

Application Control Actions and Proxy Actions
Application Control actions and proxy actions can both control access to application content. If there is a conflict between the action specified for application content in the Application Control action and the proxy action, the more restrictive action controls whether the application traffic is blocked. For example:
n If you configure an Application Control action to block an application, and you create a proxy action Content Types rule to allow the content type for that application, the content is blocked by Application Control.
n If you configure an Application Control action to allow an application, and you create a proxy action Content Types rule to drop or deny that content type, the content is blocked by the Content Types rule in the proxy action.
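The precedence described in the last few sections (per-policy action, then its Drop/Allow/Global default, then the Global action and its default) and the "more restrictive wins" rule against proxy Content Types rules can be hard to reason about once several actions exist. The model below is an added illustration written for this guide's reader; it is not WatchGuard code and does not reproduce the Firebox implementation. It encodes only the rules the text states, using the application names from the exercises; the "Chat" behavior name and the treatment of a behavior with no configured action as uncontrolled (the text's "not controlled, except for file transfer") are assumptions.

```python
"""Model of how an Application Control decision is resolved.

Added illustration, not WatchGuard code. Precedence as the guide describes:
policy action -> that action's default (Drop, Allow, Global) -> Global action
-> Global action's default. Then the proxy Content Types rule is combined
with the verdict and the more restrictive outcome wins.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

DROP, ALLOW, GLOBAL = "Drop", "Allow", "Global"


@dataclass
class AppRule:
    """Per-application setting: one action for all behaviors, or per behavior."""
    all_behaviors: Optional[str] = None                       # e.g. DROP for the whole app
    behaviors: Dict[str, str] = field(default_factory=dict)   # e.g. {"Transfer": DROP}

    def decide(self, behavior: str) -> str:
        if self.all_behaviors is not None:
            return self.all_behaviors
        # Assumption: a behavior with no configured action is not controlled.
        return self.behaviors.get(behavior, ALLOW)


@dataclass
class AppControlAction:
    name: str
    rules: Dict[str, AppRule] = field(default_factory=dict)
    default: str = GLOBAL   # applies to applications not listed in `rules`

    def decide(self, app: str, behavior: str) -> str:
        rule = self.rules.get(app)
        return rule.decide(behavior) if rule is not None else self.default


def resolve(policy_action: AppControlAction, global_action: AppControlAction,
            app: str, behavior: str = "Default") -> str:
    """Verdict for one identified application/behavior on a policy."""
    verdict = policy_action.decide(app, behavior)
    if verdict == GLOBAL:
        verdict = global_action.decide(app, behavior)
        if verdict == GLOBAL:
            raise ValueError("the Global action's default must be Drop or Allow")
    return verdict


def effective(app_control_verdict: str, content_type_verdict: str) -> str:
    """Combine with a proxy Content Types rule: the more restrictive action wins."""
    if app_control_verdict == ALLOW and content_type_verdict == ALLOW:
        return ALLOW
    return DROP


# Configuration from Exercises 6 and 7: Global blocks Yahoo Messenger outright;
# AppControl.1 drops only its Transfer behavior and otherwise defers to Global.
GLOBAL_ACTION = AppControlAction(
    "Global",
    rules={"Yahoo Messenger": AppRule(all_behaviors=DROP)},
    default=ALLOW,
)
APPCONTROL_1 = AppControlAction(
    "AppControl.1",
    rules={"Yahoo Messenger": AppRule(behaviors={"Transfer": DROP})},
    default=GLOBAL,
)
POLICIES = {"HTTP-Employees": APPCONTROL_1, "HTTP-proxy": GLOBAL_ACTION}


def decision_table():
    """Verdict per policy for the cases discussed in Exercise 7."""
    cases = [("Yahoo Messenger", "Chat"), ("Yahoo Messenger", "Transfer"), ("Skype", "Chat")]
    return {(policy, app, behavior): resolve(action, GLOBAL_ACTION, app, behavior)
            for policy, action in POLICIES.items() for app, behavior in cases}


if __name__ == "__main__":
    for (policy, app, behavior), verdict in decision_table().items():
        print(f"{policy:15} {app:16} {behavior:9} -> {verdict}")
```

Running the script prints one row per policy and case; the useful check is that Yahoo Messenger chat is allowed on HTTP-Employees but dropped on HTTP-proxy, which is exactly the tiered behavior the Global fall-back is meant to produce.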

Block Access to Botnet Sites with Botnet Detection
A botnet comprises a large number of malware-infected client computers that are controlled by a remote server to perform malicious acts. A remote command and control server can direct botnet computers to perform denial-of-service attacks, send spam and viruses, and compromise private data. The Botnet Detection subscription service uses a feed of known botnet site IP addresses gathered by Reputation Enabled Defense (RED). These known botnet sites are added to the Blocked Sites List, which allows the Firebox to prevent infected botnet clients from connecting to these botnet servers. Botnet Detection is enabled by default. You can create exceptions to the Botnet Detection sites list; they are processed as Blocked Site Exceptions. Make sure your Botnet Detection sites list is configured to update automatically so that you always have the latest list of botnet site IP addresses.


Exercise 1 — Set Up Gateway AntiVirus The Successful Company CIO decides to invest in signature-based intrusion prevention measures. The network administrator recommends WatchGuard Gateway AntiVirus and IPS. Because the services are both cost effective and the WatchGuard system is familiar, the expense is approved. In this exercise, we will activate Gateway AntiVirus and configure it to automatically get updates.

You must have the Gateway AntiVirus feature key saved to the Firebox before you can do this exercise. For more information, see Administration, on page 33.

Activate Gateway AntiVirus
After the network administrator adds the feature key and saves it to the Firebox, he opens Policy Manager to activate the service.
1. Select Subscription Services > Gateway AntiVirus > Activate. The Activate Gateway AntiVirus Wizard appears.

2. Click Next. If you are completing the training modules sequentially, or taking the class with an instructor, you should have several email, web, and FTP policies configured.

3. Clear the check box adjacent to the HTTP-Public-Servers policy. Click Next.
4. Click Finish.


Configure Gateway AntiVirus Now, we enable decompression and configure the Gateway AntiVirus signature update settings. 1. When the wizard is complete, select Subscription Services > Gateway AntiVirus > Configure . The Gateway AntiVirus dialog box appears and shows your proxy policies and whether Gateway AntiVirus is enabled.

2. Click Settings. The Gateway AV Decompression Settings dialog box appears.

3. Select the Enable Decompression check box.
4. Make sure the number of Levels to scan to is set to 3.

5. Click OK. 6. Click Update Server. The Update Server dialog box appears.

7. Select the Enable automatic update check box. By default, the Firebox automatically updates signature database files every hour.


8. Make sure the Gateway AntiVirus Signatures check box is selected to enable automatic updates for Gateway AV.
9. Click OK.
10. Click OK to close the Gateway AntiVirus dialog box. You must save your changes to the Firebox before they take effect.
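Step 4 above leaves the decompression limit at three levels, and the only way to know what that means for your traffic is to send archives nested deeper than that through a scanned policy. The helper below is an added example for this guide's reader, not WatchGuard code: it builds ZIP archives nested to any depth around a payload and can peel them back to confirm the depth. The payload is the EICAR anti-virus test string, the usual harmless trigger for an AV check; that choice is an assumption, the guide does not mention it. Send the depth-3 and depth-4 archives as email attachments or HTTP downloads through a policy with Gateway AntiVirus enabled, and observe which one is detected and which action the Firebox applies.

```python
"""Nested ZIP builder for checking the Gateway AV decompression limit.

Added example, not WatchGuard code. Exercise 1 sets "Levels to scan to" to 3;
archives produced here at depth 3 and depth 4 show where scanning stops.
"""
import io
import zipfile

# 68-byte EICAR anti-virus test string (benign by design); assumption, not from the guide.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def nest_zip(payload: bytes, depth: int, inner_name: str = "eicar.com") -> bytes:
    """Wrap payload in `depth` ZIP layers; depth 0 returns the payload unchanged."""
    blob, name = payload, inner_name
    for level in range(1, depth + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, blob)
        blob, name = buf.getvalue(), f"level{level}.zip"
    return blob


def unwrap(blob: bytes, limit: int = 64):
    """Peel single-member ZIP layers; return (depth, innermost bytes)."""
    depth = 0
    while depth < limit and zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            members = zf.namelist()
            if len(members) != 1:
                break                      # not one of our single-member layers
            blob = zf.read(members[0])
        depth += 1
    return depth, blob


def write_test_set(prefix: str = "gav-depth", max_depth: int = 4):
    """Write <prefix>-1.zip .. <prefix>-N.zip to the working directory."""
    paths = []
    for depth in range(1, max_depth + 1):
        path = f"{prefix}-{depth}.zip"
        with open(path, "wb") as fh:
            fh.write(nest_zip(EICAR, depth))
        paths.append(path)
    return paths


if __name__ == "__main__":
    for written in write_test_set():
        print("wrote", written, "depth", unwrap(open(written, "rb").read())[0])
```

Compare the result for the depth-3 archive with the depth-4 one: the difference tells you whether "3" is the level you actually want, and how the scan-error action you choose in Exercise 2 interacts with content the scanner cannot reach.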


Exercise 2 — Configure the SMTP-Proxy Policy for Gateway AntiVirus
Now that the Gateway AntiVirus service is activated for all email proxies and the signature database is set to update automatically, we must configure the actions we want the Firebox to take when a virus is detected. If you have more than one proxy policy, you must configure each policy. In this exercise, we configure the Successful Company SMTP-Incoming-Proxy policy to:
n Remove email message attachments that contain viruses
n Allow attachments that cannot be scanned
n Enable the automatic content type detection feature

Before you begin, open Policy Manager and make sure there is an SMTP proxy policy present in your configuration. If not, select Edit > Add Policies to add an SMTP proxy policy to your configuration. 1. Select Subscription Services > Gateway AntiVirus > Configure . The Gateway AntiVirus dialog box appears.

2. Select the SMTP-Incoming-Proxy policy. Click Configure. The Gateway AntiVirus Configuration of Policy: SMTP-Incoming-Proxy dialog box appears.

3. From the When a virus is detected drop-down list, select Remove.
4. From the When a scan error occurs drop-down list, select Allow.
5. Select the adjacent Alarm check box.

6. From the Categories list, select Attachments > Content Types. The Content Types settings appear.

Automatic content type detection can improve virus detection rates. Often, the content type value that appears in an email header is set incorrectly by email clients. With this feature enabled, the SMTP proxy tries to verify the content type of email attachments itself. Because attackers often try to disguise executable files as other content types, we recommend that you enable content type auto detection to make your installation more secure.

7. Make sure the Enable content type auto detection check box is selected. If you do not select this check box, the SMTP proxy uses the value stated in the email header, which clients sometimes set incorrectly. For example, an attached PDF file might have a content type stated as application/octet-stream. If you enable content type auto detection, the SMTP proxy recognizes the PDF file and uses the actual content type, application/pdf. If the proxy does not recognize the content type after it examines the content, it uses the value stated in the email header, as it would if content type auto detection were not enabled.

8. From the If matched drop-down list, select AV Scan.
9. Click OK to close the Gateway AntiVirus Configuration dialog box.
10. Click OK to close the Gateway AntiVirus dialog box.


Exercise 3 — Use APT Blocker with the SMTP-Proxy Policy The Successful Company wants to enable APT Blocker to provide an additional non-signature-based layer of defense to protect against advanced malware in the company’s email traffic. In this exercise, we will configure APT Blocker to scan the SMTP-Incoming-Proxy policy. 1. Select Subscription Services > APT Blocker . The APT Blocker dialog box appears.

2. Select the Enable APT Blocker check box.
3. For each Threat Level (High, Medium, Low), from the Action drop-down list, select Drop. This action drops the connection if advanced malware is detected.

4. For each Threat Level, select the Alarm and Log check boxes. This configuration ensures that the administrator receives notification in the event advanced malware is detected, and that APT activity can be monitored.

5. To log files that were scanned and determined to be free of malware, select the Log check box for the Clean threat level. 6. Click Notification Settings. The Notification dialog box appears.

a. Select the Send Notification check box.
b. Click Email or Pop-up Window depending on the type of notification you want to receive.
c. Click OK.

7. Select the Policies tab.

8. Select the SMTP-Incoming-Proxy policy.
9. From the Select action drop-down list, select Enabled.
10. Click OK.


Exercise 4 — Configure the FTP-Proxy for Data Loss Prevention Successful Company manages personally identifiable data, including social insurance numbers. They want to use DLP to prevent users from sending this type of information to destinations outside of the corporate network. For this exercise we will enable DLP for the FTP-Proxy policy.

Configure Data Loss Prevention
1. In Policy Manager, select Subscription Services > Data Loss Prevention. The Data Loss Prevention dialog box appears.

2. Select the Enable Data Loss Prevention check box.

3. Click Add. The Data Loss Prevention wizard launches.

4. In the Name text box, type a name for this DLP Sensor. For this example, type BlockSocialInsurance.
5. Click Next. The list of configured policies that support DLP appears.

6. If your configuration already includes an FTP-proxy policy, select it in this list. Click Next. The Create new proxy policies step appears. The step to create new proxy policies appears only if your configuration does not already include one of the proxy policy types that is supported by DLP.

7. If you did not select an existing FTP proxy policy in the previous step of the wizard, select FTP to add the FTP-proxy policy.
8. Click Next. The Rules list appears.

9. In the search text box, type National. The list is filtered for the rules that contain this word.

10. Select the rule National identification numbers with qualifying terms [Global]. Click Next. The Actions settings appear.

11. Set the action for non-email traffic to Drop. Click Next. 12. Click Finish. The new Sensor is added to the Sensors tab.

13. Click OK. The wizard adds a new FTP-Proxy policy, and enables DLP for the FTP-proxy policy.

14. Save the configuration to the Firebox. DLP is now active on the device for the FTP proxy policy.


Trigger a DLP Violation
For this exercise, we enabled a DLP rule that is easy to match with a short text file. If you have access to an FTP server, you can use an FTP connection to transfer the file, trigger the DLP action, and see what a DLP violation looks like. To test this DLP action, you first create a text file with the type of data that matches the selected content control rule. Then use FTP to send this file to an external location.

In instructor-led training, the file to use for testing might already be created for you. Your instructor will provide you with the information you need to connect to an FTP server in the training environment.

1. If you do not already have a DLP test file for this exercise, create a new text file, and copy this text into the file.

Social insurance number 1234
Social insurance number 2345
Social insurance number 3456
Social insurance number 4567
Social insurance number 5678
Social insurance number 6789
Social insurance number 1234
Social insurance number 2345
Social insurance number 3456
Social insurance number 4567
Social insurance number 5678
Social insurance number 6789
Social insurance number 1234
Social insurance number 2345
Social insurance number 3456
Social insurance number 4567
Social insurance number 5678
Social insurance number 6789
Social insurance number 3456
Social insurance number 4567

2. Connect to an FTP server that is on the Firebox external network. For example, in Windows Explorer, type ftp:\\. 3. Try to upload the DLP text file to the FTP server. DLP blocks the upload.

4. Open Firebox System Manager.
5. Select the Traffic Monitor tab.
6. Press Ctrl-F, and search for the text DLP. The log messages that are related to DLP are highlighted.

7. Find a message that contains the text DLP Violation Found. The log message shows that an FTP upload was blocked by the FTP-proxy due to a DLP violation.
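Once the manual test above has worked once, you will want to repeat it every time the sensor, the policy or the Firebox firmware changes. The script below is an added example for this guide's reader, not WatchGuard code: it rebuilds the same 20-line test file, uploads a clean control file first, then the DLP test file, and classifies what the FTP session did. The FTP host, account and file names are placeholders to replace with your lab's values. The guide does not say how the FTP proxy terminates a blocked STOR (an FTP error reply, or a torn-down connection), so both are reported as "blocked"; the Traffic Monitor message DLP Violation Found remains the authoritative confirmation.

```python
"""Scripted version of the 'Trigger a DLP Violation' check.

Added example, not WatchGuard code. Uploads a control file that must succeed,
then the DLP test file, and reports the FTP outcome of each.
"""
import ftplib
import io
import socket

QUALIFYING_TERM = "Social insurance number"
# Same values, in the same order, as the guide's test file (20 lines).
SAMPLE_NUMBERS = [1234, 2345, 3456, 4567, 5678, 6789, 1234, 2345, 3456, 4567, 5678,
                  6789, 1234, 2345, 3456, 4567, 5678, 6789, 3456, 4567]


def build_dlp_test_text() -> str:
    """One qualifying term plus an identifier per line."""
    return "".join(f"{QUALIFYING_TERM} {n}\n" for n in SAMPLE_NUMBERS)


def classify_transfer_exception(exc: BaseException) -> str:
    """Map what ftplib raised during STOR to a verdict."""
    if isinstance(exc, ftplib.error_perm):            # 5xx reply to the STOR
        return "blocked"
    if isinstance(exc, (ftplib.error_temp, EOFError, ConnectionResetError,
                        BrokenPipeError, socket.timeout)):
        return "blocked"                               # session torn down mid-transfer
    return f"error: {exc!r}"                           # anything else is not a DLP verdict


def store(ftp: ftplib.FTP, remote_name: str, data: bytes) -> str:
    """STOR one file; return 'allowed', 'blocked' or 'error: ...'."""
    try:
        ftp.storbinary(f"STOR {remote_name}", io.BytesIO(data))
    except Exception as exc:  # every outcome is classified, nothing is swallowed silently
        return classify_transfer_exception(exc)
    return "allowed"


def run_dlp_check(host: str, user: str, password: str, timeout: float = 15.0) -> dict:
    """Upload a control file, then the test file; return both verdicts.

    A control that is not 'allowed' means the failure is not DLP (wrong
    credentials, no write access, policy not matched), so the DLP result is
    only meaningful when the control succeeded.
    """
    try:
        ftp = ftplib.FTP(host, timeout=timeout)
        ftp.login(user, password)
    except ftplib.all_errors as exc:
        return {"control": f"error: {exc!r}", "dlp_test": "not run"}
    with ftp:   # __exit__ tolerates a connection the proxy already closed
        results = {"control": store(ftp, "dlp-control.txt", b"clean control upload\n")}
        if results["control"] == "allowed":
            results["dlp_test"] = store(ftp, "dlp-test.txt", build_dlp_test_text().encode())
        else:
            results["dlp_test"] = "not run"
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit("usage: dlp_check.py <ftp-host> <user> <password>")
    print(run_dlp_check(*sys.argv[1:]))
```

Expected output in a working lab is control "allowed" and dlp_test "blocked"; any other combination points at the harness (credentials, write permission, which policy the connection matched) rather than at the sensor, and the Traffic Monitor search in steps 4 to 7 tells you which.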


Exercise 5 — Configure the Intrusion Prevention Service Now the Successful Company network administrator is ready to enable IPS in the device configuration.

Enable Intrusion Prevention 1. Select Subscription Services > Intrusion Prevention . The Intrusion Prevention Service dialog box appears.

2. Select the Enable Intrusion Prevention check box. By default, IPS uses Fast Scan mode, and drops and logs all traffic that matches an IPS signature at the Critical, High, Medium, or Low threat level.

3. Select the Policies tab. The IPS column shows that IPS has been automatically enabled for all policies.

4. Select the Settings tab. 5. Click Update Server.

6. Make sure the Intrusion Prevention and Application Control Signatures check box is selected. 7. Click OK.


Exercise 6 — Configure Application Control The Successful Company network administrator is dismayed to learn that employees accidentally downloaded a nasty bot virus through the file sharing features of the Yahoo messenger client. In this exercise, we configure the Global Application Control action to block the use of Yahoo messenger and several other instant messaging applications. Then we apply this action to the HTTP-proxy policy.

The list of applications you can control is based on a set of signatures that Application Control uses to identify the applications. To make sure that Policy Manager has the most recent Application Control signatures from the Firebox, connect to your device with WatchGuard System Manager before you use Policy Manager to edit or update Application Control actions.

If you are completing the training modules sequentially, or taking the class with an instructor, you should have several DNS, email, HTTP, and FTP policies configured.

Configure the Global Application Control Action 1. Select Subscription Services > Application Control . The Application Control Actions dialog box appears.

The Global Application Control action is a predefined action. You configure the Global action to block applications you do not want to allow for all or most users. In this example, we want to block instant messaging applications for all users.

2. Select the Global action. Click Edit to edit the Global action. The Application Control Action (predefined) dialog box appears. By default all applications you can control appear in the application list.

You can use the radio buttons to show all applications, or show only applications that have an action configured.

The Search feature is the quickest way to find a specific application by name. You can also use the Category drop-down list to filter the list by category, such as Instant Messaging. Search is generally quicker, since each category contains many applications, and some applications may not be in the category you expect.

3. To search for the Yahoo Messenger application by name, in the search text box, type messenger. The application list shows all applications that contain the word messenger.

4. Select the Yahoo Messenger application. Click Edit. The Application Control Configuration dialog box appears.


To allow the use of Yahoo Messenger for instant messaging, but block file transfers, you could select the Set the action for specific behaviors radio button. Then set the action for the Transfer behavior to Drop.

5. For this exercise, the administrator wants to block all use of the Yahoo Messenger application. Click OK to set the action for all behaviors to Drop. The Drop action appears in the action column for this application.

6. Click OK. The Global Application Control action now blocks Yahoo Messenger.

You can optionally repeat the steps above to add any other applications to the Global Application Control action. Or, you can click Select by Category to set the action for all applications in an application category. To remove the action configured for an application, select the configured application in the list and click Clear Action.


Apply the Global Application Control Action to Policies
After we define the Global Application Control action, we must apply this action to one or more policies. In this part of the exercise, we apply this Application Control action to the HTTP policies.
1. In the Application Control Actions dialog box, select the Policies tab. If you are completing the training modules sequentially, or taking the class with an instructor, you should already have created the HTTP policies used in this exercise.

2. Select the HTTP-Employees and HTTP-proxy policies. Use the Ctrl key to select multiple policies.

3. From the drop-down list, select the Global action. The Global action is applied to the selected policies.

4. Click OK. The Global Application Control action is now applied to the HTTP policies.


Exercise 7 — Use Different Application Control Actions for Different Policies
After the Successful Company administrator blocked Yahoo Messenger in the Global Application Control action, management requested that employees be allowed to use Yahoo Messenger for chat, but not for file transfers. In this exercise, we create a new Application Control action to control specific application behaviors. Then we apply that Application Control action to the HTTP-Employees policy. You created the HTTP-Employees policy in the Web Traffic training module. The HTTP-proxy policy controls traffic from any trusted network to any computer on the external network.
1. Select Subscription Services > Application Control. The Application Control Actions dialog box appears.

2. Click Add to add a new Application Control action. The New Application Control Action dialog box appears.

3. Double-click the Yahoo Messenger application to set the action.

4. Select Set the action for specific behaviors.
5. Select the Transfer check box. From the adjacent drop-down list, select the action for this application behavior. The default action is Drop.

6. Click OK. The Action for Yahoo Messenger is set to Drop, just for the Transfer application behavior.

7. From the When application does not match drop-down list, make sure Use Global action is selected. This is the default setting.

8. Click OK. The new Application Control action appears in the Application Control Actions dialog box.

9. Select the Policies tab.

10. For the HTTP-Employees policy, change the Action to the new action you just created. 11. Click OK.

With this configuration:
n The HTTP-Employees policy uses the AppControl.1 Application Control action as the primary action to control application usage. For these users, Yahoo Messenger application traffic is not controlled, except for file transfer traffic, which is dropped.
n If HTTP traffic handled by the HTTP-Employees policy does not match the applications listed in the AppControl.1 action, the HTTP-Employees policy uses the Global Application Control action to determine whether to allow or drop the application traffic.
n For HTTP traffic handled by the HTTP-proxy policy, the Global Application Control action is used to control application usage.


Test Your Knowledge
1. Match the proxy action with the correct description of the Firebox action:
A) Allow
   Delete the attachment, send nothing to the sender or recipient, and add the sender to the Blocked Sites list.
B) Lock
   Delete the attachment, send nothing to the recipient, and send nothing to the sender.
C) Remove
   Do not accept the file and notify the sender.
D) Drop
   Let the attachment go to the recipient even if it contains a virus.
E) Block
   Remove the attachment and delete it while sending the message to the recipient.
F) Send
   Encode the attachment so that the recipient cannot open it without a network administrator.
G) Deny
   Send the message to the Quarantine Server.
H) Quarantine
   Not a Fireware proxy action
2. True or false? APT Blocker requires that you enable Gateway AntiVirus on the specified proxy.
3. True or false? Gateway AntiVirus can detect viruses in password-protected ZIP files.
4. True or false? The Intrusion Prevention Service is only compatible with the HTTP and TCP proxies. It cannot detect possible intrusions in the SMTP, POP3, DNS, or FTP proxies.
5. True or false? When you enable the Intrusion Prevention Service, IPS is automatically enabled for all policies.
6. True or false? The Global Application Control Action applies to all policies in your configuration.
7. True or false? If you want to report on the usage of applications that are not blocked, you must enable logging of allowed packets in each policy that has Application Control enabled.
8. True or false? If Gateway AV and DLP are both enabled for the same policy, the Gateway AV scan result action takes precedence over the DLP action.
9. True or false? DLP scans both incoming and outgoing SMTP messages and file transfers.
10. How does Botnet Detection protect your network?

o A) Detects botnet activity based on signatures
o B) Stops infected botnet clients from communicating with known botnet servers
o C) Uses IPS to detect botnet activity
o D) Uses rules to search content for botnet activity

ANSWERS
1. A) Allow — Let the attachment go to the recipient even if it contains a virus.
B) Lock — Encode the attachment so that the recipient cannot open it without a network administrator.
C) Remove — Remove the attachment and delete it while sending the message to the recipient.
D) Drop — Delete the attachment, send nothing to the recipient and send nothing to the sender.
E) Block — Delete the attachment, send nothing to the sender or recipient, and add the sender to the Blocked Sites list.
F) Send — Not a Fireware proxy action.
G) Deny — Do not accept the file and notify the sender.
H) Quarantine — Send the message to the Quarantine Server.
2. True
3. False
4. False
5. True
6. False
7. True
8. True
9. False — DLP scans only outgoing messages and files.
10. B


Authentication Verify a User’s Identity

What You Will Learn
User authentication is a process that allows a device to verify the identity of someone who connects to a network resource. In this training module, you learn how to:
n Understand authentication and how it works with your Firebox
n List the types of third-party authentication servers you can use with Fireware
n Use Firebox authentication users and groups
n Add a Firebox authentication group to a policy definition
n Modify authentication timeout values
n Use the Firebox to create a custom web server certificate

Before you begin these exercises, make sure you read the Course Introduction module. In this module, you will configure the Firebox to use third-party authentication servers. If you take this course with a WatchGuard Certified Training Partner, your instructor may provide you with configuration details for authentication servers on a local network. For self-instruction, we encourage you to get the information needed to configure the Firebox for the authentication method used by your organization.


Monitor and Control Network Traffic by User
Because all traffic into and out of your network passes through the Firebox, you can use its authentication features to monitor and control connections on a user-by-user basis. The Firebox has its own authentication server, and can connect to several types of third-party authentication servers. Authentication is especially important when you use dynamic IP addressing (DHCP) for computers on trusted or optional networks, because an IP address then no longer reliably identifies a person. It is also important if you must identify your users before you let them connect to resources on the external network. You can use WatchGuard System Manager to configure authentication differently for each policy. For example, you can require some users to authenticate before they connect to an FTP server, but allow them to browse the Internet without authenticating first.

How Firebox User Authentication Works

A special HTTPS server operates on the Firebox to accept authentication requests. To authenticate, a user must connect to the authentication portal on the Firebox. The address is: https://:4100/

On the authentication portal, the user must type a user name and password. The authentication page sends the name and password to the selected authentication server using a challenge and response protocol (PAP). After the authentication server responds that the user is authenticated, the user is allowed to use approved network resources. The user can close the browser window after authentication is completed.

By default, each user stays authenticated for up to two hours after the last connection to a network resource for which authentication is necessary. A user can click Logout on the authentication web page to close their session before the two-hour timeout elapses. If the web page was previously closed, the user must open it again and click Logout to disconnect. To prevent a user from authenticating, you must disable the account on the authentication server.

You can also require your users to authenticate to the authentication portal before they can get access to the Internet. You can choose to automatically send users to the portal, or have them manually navigate to the portal. This applies only to HTTP and HTTPS connections.

326

WatchGuard Technologies,Inc.


User Authentication from the External Network

The most common use of authentication is for outgoing traffic. You can also create policies that require external users to authenticate before they can get access to protected network resources. When you add a user or group to any policy, a WG-Auth policy, called WatchGuard Authentication, is automatically added to the configuration. By default, the WatchGuard Authentication policy allows users to authenticate to the Firebox only from the trusted or optional networks. If you want to allow users to authenticate from an external network, you must edit the WatchGuard Authentication policy to allow connections from Any-External, as shown in the subsequent image.

To authenticate from an external network, users type this URL in their browser to connect to the Firebox authentication portal: https:// :4100/

As an example, the previous image shows policies configured to allow users in the FB-Admin group to connect to the Firebox for management. The WatchGuard Authentication policy has been modified to allow users to authenticate from an external network. The WatchGuard policy allows management connections to the Firebox from authenticated users in the FB-Admin user group, as well as from any user on the trusted or optional network. With this policy configuration, a user in the FB-Admin user group can use these steps to remotely manage the Firebox:

1. The external user authenticates to the Firebox on the external interface on TCP port 4100.
2. The user connects to the Firebox external interface IP address from WatchGuard System Manager.

Use Authentication through a Gateway Firebox to Another Device

To send an authentication request through a gateway Firebox to a different Firebox, you must add a policy to allow the authentication traffic on the gateway Firebox. On the gateway Firebox, use Policy Manager to add the WG-Auth policy, which controls traffic on TCP port 4100. Configure the policy to allow traffic to the IP address of the destination Firebox.

Fireware Essentials Student Guide


Authentication Methods Available with Fireware

Fireware supports these authentication servers:

• Firebox-DB
• Active Directory
• LDAP (Lightweight Directory Access Protocol)
• RADIUS
• SecurID
• VASCO

When you use a third-party authentication server, follow the instructions from the manufacturer to configure it correctly. The server must be accessible from the Firebox, which usually means that it is installed on an optional network for greater security. You can configure a primary and backup authentication server. If the Firebox cannot connect to the primary authentication server after three attempts, the primary server is marked as unavailable and an alarm message is generated. The device then attempts to connect to the backup authentication server. If the device cannot connect to the backup authentication server, it waits ten minutes, and then tries to connect to the primary authentication server again.

Use the Firebox Authentication Server

You can use the Firebox as an authentication server. This feature is often used by customers who do not have a third-party authentication server and do not need to manage user accounts centrally for multiple applications. You must perform these steps to prepare your Firebox as an authentication server:

• Divide your company into groups according to tasks people do and information they need
• Create users for the groups
• Assign groups and users to policies


About Third-Party Authentication Servers

The procedure to configure the Firebox to use a third-party authentication server is similar for each of the supported server types. Before you configure your authentication server:

• You must have the configuration information for your server such as server port, IP address, and shared secret. If you use Active Directory or LDAP, you must also know the group membership attribute and Distinguished Name (DN) of the Organizational Unit (OU) that contains the user accounts.
• If it is available, you can configure the Firebox with a backup authentication server to contact if it cannot connect to the primary authentication server.
• The Firebox must be able to connect to the authentication server(s).
• You must add the WatchGuard Authentication policy.

RADIUS Authentication Servers

Remote Authentication Dial-In User Service (RADIUS) authenticates the local and remote users on a company network. RADIUS is a client/server system that keeps the authentication information for users, remote access servers, VPN gateways, and other resources in one central database. The authentication messages to and from the RADIUS server always use an authentication key. This authentication key, or shared secret, must be the same on the RADIUS client and server. Without this key, hackers cannot decrypt the authentication messages. Note that RADIUS sends a key, and not the password the user typed, during authentication. For web and Mobile VPN authentication, RADIUS supports only PAP (not CHAP) authentication. For authentication with PPTP, RADIUS supports only MSCHAPv2. To use RADIUS server authentication with the Firebox, you must:

• Add the IP address of the Firebox to the RADIUS server, as described in the RADIUS vendor documentation.
• Enable and specify the RADIUS server in your device configuration.
• Add RADIUS user names or group names to the policies in Policy Manager.

VASCO server authentication also uses the RADIUS configuration user interface.
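The shared secret is what keeps the PAP password off the wire in plain text: RFC 2865 section 5.2 hides the User-Password attribute with MD5 over the secret and the Request Authenticator of each Access-Request. The Python block below is an added example, not WatchGuard's code, that implements that hiding and its reversal; the shared secret, passphrase and authenticator values are constructed for the demonstration.

```python
import hashlib
import secrets

# Constructed values for the demonstration. In a real deployment the secret is
# whatever you configured on both the Firebox (RADIUS client) and the RADIUS server.
SHARED_SECRET = b"constructed-shared-secret"
USER_PASSWORD = b"allyscomputer"  # the Firebox-DB passphrase used in Exercise 1


def _check_authenticator(request_authenticator: bytes) -> None:
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Encode a PAP password as the RADIUS User-Password attribute value (RFC 2865 5.2).

    The password is NUL-padded to a multiple of 16 octets and split into blocks
    p1..pn. Block i is XORed with b_i = MD5(secret + c_(i-1)), where c_0 is the
    16-octet Request Authenticator from the Access-Request header.
    """
    _check_authenticator(request_authenticator)
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        cipher_block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        hidden += cipher_block
        prev = cipher_block  # chaining: the next key block depends on this ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it."""
    _check_authenticator(request_authenticator)
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        cipher_block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(cipher_block, key_block))
        prev = cipher_block
    # Passwords cannot contain NUL, so stripping trailing NULs removes only the padding.
    return bytes(plain).rstrip(b"\x00")


def roundtrip_matches(password: bytes, client_secret: bytes, server_secret: bytes) -> bool:
    """Simulate the client hiding with one secret and the server revealing with another.

    Returns True only when both sides hold the same shared secret. A mismatch
    (the classic misconfiguration) yields garbage on the server side, so the
    Access-Request is rejected.
    """
    request_authenticator = secrets.token_bytes(16)  # fresh random value per Access-Request
    on_the_wire = hide_user_password(password, client_secret, request_authenticator)
    return reveal_user_password(on_the_wire, server_secret, request_authenticator) == password
```

The `roundtrip_matches` check is why a RADIUS rejection is so often a mistyped secret, and also why the guide places the server on a protected network: the hiding is only as strong as the secret itself.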

RADIUS Single Sign-On

If you use RADIUS for user authentication to wireless access points or other RADIUS clients, you can use RADIUS Single Sign-On (RSSO) to automatically authenticate those users to your Firebox. The wireless access points connect to the RADIUS server to authenticate users and send information about authenticated users to the Firebox. RADIUS SSO does not require that you enable RADIUS authentication on the Firebox. For more information, see the RADIUS Single Sign-On topics in Fireware Help.

SecurID Authentication Servers

To use SecurID authentication, you must configure both the RADIUS and ACE/Server servers correctly. Each user must also have an approved SecurID token and a PIN (personal identification number). Refer to the RSA SecurID instructions for more information.


LDAP Authentication Servers

You can use an LDAP (Lightweight Directory Access Protocol) authentication server to authenticate your users to the Firebox. LDAP is an open standard protocol for using online directory services, and it operates with Internet transport protocols, such as TCP. Before you configure your Firebox for LDAP authentication, make sure you check your LDAP vendor documentation to see if your installation requires case-sensitive attributes.

When you configure the device to use LDAP authentication, you must set a search base to limit the server directories in which the device searches for an authentication match. The standard format for the search base setting is: ou=organizational unit,dc=first part of distinguished server name,dc=any part of the distinguished server name appearing after the dot. For example, if your user accounts are in an OU (organizational unit) you refer to as accounts and your domain name is example.com, your search base is ou=accounts,dc=example,dc=com.

LDAP is a hierarchical organization of objects. The hierarchy that defines the position of each object in the database and each variable associated to each object type is called the schema. Each LDAP server refers to a schema or a set of schema extensions. Microsoft Active Directory is also an LDAP server and has its own schema. Because the schema structure is hierarchical, the root of the tree, typically used as the search base for recurring searches that look for objects in the whole LDAP database, corresponds to the dc definition of the domain. For example, if you specify the domain example.com as the root of the LDAP database, the root search base you specify to look for users and groups is dc=example,dc=com. In Microsoft Active Directory, users are stored under the cn Users object by default, for example cn=Users,dc=example,dc=com. You can also add other containers, such as Organizational Units (OUs), that enable you to group objects in a structured way.

When the LDAP database contains a lot of objects, this hierarchical organization improves scalability and optimizes the query process. You can configure the Firebox to query the LDAP or Microsoft AD server starting at any level of the tree, based on how you specify the search base in the LDAP or Active Directory server settings on the Firebox.
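The search base format above decides which part of the tree the Firebox searches, and a base set too deep silently misses accounts that live elsewhere (for example in the default cn=Users container). The Python block below is an added example, not WatchGuard's code: it builds a search base from a domain and OU path in the guide's format and checks whether a given user DN would be reached by a subtree search from that base. DN escaping is not handled, which is noted in the code.

```python
from typing import Callable, List, Sequence, Tuple


def domain_to_dc(domain: str) -> str:
    """'example.com' -> 'dc=example,dc=com': one dc= RDN per DNS label."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("domain must contain at least one label")
    return ",".join(f"dc={label}" for label in labels)


def build_search_base(domain: str, ou_path: Sequence[str] = ()) -> str:
    """Build the Firebox search base for a domain and an OU path.

    ou_path is listed from the top of the tree downward, e.g. ["accounts", "Marketing"];
    a DN names the deepest RDN first, so the path is reversed in the result.
    """
    rdns = [f"ou={ou}" for ou in reversed(list(ou_path))]
    rdns.append(domain_to_dc(domain))
    return ",".join(rdns)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, deepest RDN first.

    Simplification: RFC 4514 escaping is not handled, so a value that itself
    contains an escaped comma would be split incorrectly.
    """
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def in_search_base(entry_dn: str, search_base: str) -> bool:
    """True if entry_dn sits at or below search_base, i.e. a subtree search rooted
    at search_base would reach it. Values are compared case-insensitively, which is
    how Active Directory treats DNs."""
    entry = parse_dn(entry_dn)
    base = parse_dn(search_base)
    if len(base) > len(entry):
        return False
    tail = entry[len(entry) - len(base):]

    def normalise(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
        return [(attr, value.lower()) for attr, value in pairs]

    return normalise(tail) == normalise(base)
```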

Active Directory Authentication Servers

Configuring the device to use Active Directory authentication is similar to the process for LDAP authentication. You must set a search base to limit the server directories in which the device searches for an authentication match. The standard format for the search base setting is the same as the LDAP format. You can add multiple Active Directory domains for user authentication, and add a primary and a backup Active Directory server for each domain.

Active Directory Single Sign-On

If you use Active Directory for your authentication server, you can also configure Single Sign-On (SSO). SSO is a method of network access control that allows a user to enter credentials once to gain access to many resources. The WatchGuard SSO solution includes the SSO Agent, the SSO Client, the Event Log Monitor, and the Exchange Monitor. With SSO, when users try to connect to resources outside their own network, your Firebox automatically sends authentication requests to the SSO Agent. The WatchGuard SSO Agent caches the user name and password and then passes it to each network resource as needed. You can install the WatchGuard SSO Agent behind the Firebox on the trusted network. When you install the SSO Client software on your client computers, the SSO Client receives the call from the SSO Agent and returns accurate information about the user who is currently logged in to the workstation.


If you do not want to install the SSO Client on each client computer, you can instead install the Event Log Monitor on your domain controller, or the Exchange Monitor on your Microsoft Exchange Server computer, and configure the SSO Agent to get user login information from the Event Log Monitor or the Exchange Monitor. This is known as clientless SSO. With clientless SSO, the Event Log Monitor collects login information from domain client computers and from the domain controller for users that have already logged on to the domain and sends them to the SSO Agent. The Exchange Monitor collects login and logout information from the users' connections to the Exchange Server and sends the information to the SSO Agent. In this training module, we do not go into great detail about how to install and configure the SSO solution. For more information about how to configure SSO for your network, see the SSO topics in the Fireware Help or the Active Directory Authentication advanced training module.

About Authentication Timeout Values

Users are authenticated for a period of time after they close their last authenticated connection. This timeout is set either as a global setting in the Authentication Settings dialog box, or in the Setup Firebox User dialog box. The global setting is used only if no Firebox User timeout value is set. For users authenticated by third-party servers, the timeouts set on those servers also override the global authentication timeouts.

Authentication timeout values do not apply to PPTP users.


Exercise 1 — Add a Firebox User Group and Add Users

In this exercise, we learn that Successful Company does not yet have an authentication server. The network administrator decides to use the Firebox for authentication. We will use Policy Manager to configure a group for the Marketing department and add four of the department employees.

Create a Firebox User Group

1. Select Setup > Authentication > Authentication Servers. The Authentication Servers dialog box appears. The Firebox tab is selected by default.

2. In the User Groups section, click Add. The Setup Firebox Group dialog box appears.

3. In the Name text box, type Marketing.

4. (Optional) In the Description text box, type Marketing Department.


5. Click OK. The new group appears in the User Groups list.

Add Firebox Users

An authorized user is someone with access permission to your network. Each user must have a unique user name. When you use the Firebox authentication server, this information is saved in a database that is stored on the Firebox.

1. In the Authentication Servers dialog box, in the Users section, click Add. The Setup Firebox User dialog box appears.

2. Type this information:

   Name          allison
   Description   Allison Grayson
   Passphrase    allyscomputer
   Confirm       allyscomputer

   When the passphrase is set, you cannot see the passphrase in plain text again. If the passphrase is lost, you must set a new passphrase. A passphrase must contain a minimum of eight characters.

3. To add Allison to the Marketing group, in the Available list, double-click Marketing. Marketing appears in the Member list.


4. Click OK. Allison is added to the User list.

5. Repeat Steps 1–4 to add these users to the Marketing group.

   Name     Description    Passphrase
   joe      Joe Uknalis    joescomputer
   tim      Tim Warner     timscomputer
   wyatt    Wyatt Hare     wyattscomputer


6. After you add all users to the Marketing group, click OK. The Authentication Servers dialog box should look like this:

7. Click OK to close the Authentication Servers dialog box.


Exercise 2 — Edit Policies to Use Firebox Authentication

After you have configured at least one authentication server with user names and groups, you can use Policy Manager to add those users and groups to your policies. In this exercise, you give the Marketing group permission to connect to an FTP server on the optional network that Successful Company uses to share files with outside vendors. You also block all FTP connections from other users on the network.

1. Double-click the FTP policy. The Edit Policy Properties dialog box appears. The default configuration of the FTP proxy policy allows connections from any computer on the trusted or optional networks to any FTP server on the external network.

2. In the From list, select Any-Trusted. Click Remove. Select Any-Optional. Click Remove. With the Any-Trusted and Any-Optional entries, any user on your optional or trusted network is able to start an FTP connection to the entries on the To list. When you remove these entries, you block FTP connections from your optional and trusted networks.

3. In the To list, select Any-External. Click Remove. With the Any-External entry, users on your network can connect to any FTP server on the external network.

4. In the From section, click Add. The Add Address dialog box appears.

5. Click Add User. The Add Authorized Users or Groups dialog box appears.

6. From the Type drop-down lists, select Firewall and Group. To open the Authorized Users and Groups dialog box to add more users and groups to the Firebox database, click Add.

7. Select the Marketing (Firebox-DB) group and click Select. The Add Address dialog box appears with the Marketing (Firebox-DB) group in the Selected Members and Addresses list.

8. Click OK to add the entry to the FTP policy. The Marketing group appears in the From list.

9. In the To section, click Add. The Add Address dialog box appears.

10. Click Add Other. The Add Member dialog box appears.

11. From the Choose Type drop-down list, select Host IPv4.


12. In the Value text box, type 10.0.2.21. This is the IP address of the FTP server on the optional network. In a real-world environment, you must activate NAT for external users to be able to connect to this FTP server because it has a private IP address. For more information, see NAT.

13. Click OK to close the Add Member dialog box. The IP address of the FTP server appears in the To list.

14. Click OK to close the Add Address dialog box. You have now configured the FTP policy to allow connections from anyone in the Marketing group to an FTP server on the optional network. The Edit Policy Properties dialog box should look like this:

15. Click OK to close the Edit Policy Properties dialog box.
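To make the user-based control in this exercise concrete, here is an added Python model (not WatchGuard code) of how the edited FTP policy behaves: the Firebox maps each authenticated source IP to a user and its groups, and a connection is allowed only when a policy's From and To lists both match. The trusted and optional subnets (10.0.1.0/24 and 10.0.2.0/24), the session table, the extra Engineering user and the first-match, default-deny evaluation are simplifying assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed subnets for the training network: 10.0.1.0/24 trusted, 10.0.2.0/24 optional.
ALIASES = {
    "Any-Trusted": ip_network("10.0.1.0/24"),
    "Any-Optional": ip_network("10.0.2.0/24"),
}


@dataclass(frozen=True)
class AuthSession:
    """An authenticated Firebox user session; SESSIONS keys these by source IP."""
    user: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Policy:
    """Members are aliases ('Any-Trusted'), 'host:<ip>', 'group:<name>' or 'user:<name>'."""
    name: str
    from_members: Tuple[str, ...]
    to_members: Tuple[str, ...]
    ports: FrozenSet[int]


# Constructed session table: the Firebox learns these from the authentication portal.
SESSIONS: Dict[str, AuthSession] = {
    "10.0.1.50": AuthSession("allison", frozenset({"Marketing"})),
    "10.0.1.51": AuthSession("joe", frozenset({"Marketing"})),
    "10.0.1.60": AuthSession("pat", frozenset({"Engineering"})),  # constructed non-Marketing user
}

# The FTP policy as it looks at the end of Exercise 2.
FTP_POLICY = Policy("FTP", ("group:Marketing",), ("host:10.0.2.21",), frozenset({21}))


def _address_matches(member: str, ip: str) -> bool:
    """Match an alias or host member against an address (no user information needed)."""
    addr = ip_address(ip)
    if member == "Any-External":
        return not any(addr in net for net in ALIASES.values())
    if member in ALIASES:
        return addr in ALIASES[member]
    if member.startswith("host:"):
        return addr == ip_address(member[len("host:"):])
    return False


def _member_matches(member: str, ip: str, session: Optional[AuthSession]) -> bool:
    """User and group members match only when the source IP has an authenticated session."""
    if member.startswith("group:"):
        return session is not None and member[len("group:"):] in session.groups
    if member.startswith("user:"):
        return session is not None and member[len("user:"):] == session.user
    return _address_matches(member, ip)


def evaluate(policies: List[Policy], sessions: Dict[str, AuthSession],
             src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, Optional[str]]:
    """Return ('allow', policy_name) for the first policy that matches, else ('deny', None).

    Simplification: Firebox policy precedence and explicit Deny policies are not modelled.
    """
    session = sessions.get(src_ip)
    for policy in policies:
        if dst_port not in policy.ports:
            continue
        if (any(_member_matches(m, src_ip, session) for m in policy.from_members)
                and any(_member_matches(m, dst_ip, None) for m in policy.to_members)):
            return "allow", policy.name
    return "deny", None
```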


Exercise 3 — Set Global Authentication Values

In this exercise, you use Policy Manager to manage the authentication settings that the Firebox uses by default. If you set session and idle timeouts in the Setup Firebox User dialog box or on any third-party server that you use for authentication, these values override the global settings you configure in this exercise.

Set Global Timeout Values

1. Select Setup > Authentication > Authentication Settings. The Authentication Settings dialog box appears.

2. In the Session Timeout text box, type or select 4. From the adjacent drop-down list, select Hours. This is the maximum length of time the user can send traffic to the external network. If you set this field to zero (0) seconds, minutes, hours, or days, no session timeout is used and the user can stay connected indefinitely.

3. In the Idle Timeout text box, type or select 10. From the adjacent drop-down list, select Minutes. This is the maximum length of time the user can stay authenticated when idle (not passing any traffic to the external network). If you set this field to zero (0) seconds, minutes, hours, or days, no idle timeout is used and the user can stay idle for any length of time.

Set Other Global Values

If you use the Firebox as an authentication server, you can allow more than one user to authenticate with the same user credentials, at the same time, to one authentication server. This is useful for guest accounts or in laboratory environments. This feature is enabled by default. But, the Successful Company network administrator does not want users to be able to log in to multiple computers at the same time. Instead, when a user tries to log in to another computer, the network administrator wants the first session to be logged off, and the user to be able to log in on the second computer. For more information about how to configure the device for Active Directory authentication, see Fireware Help. In this exercise, we configure the Active Directory authentication server settings on the Firebox to block concurrent authentication and set the browsers to automatically redirect users to the Successful Company authentication portal and then to the intranet web server. Automatic authentication redirect applies only to HTTP and HTTPS connections.


In the Authentication Settings dialog box:

1. Select the Limit concurrent user sessions to option and keep the default setting of 1.

2. From the When the limit is reached drop-down list, select Allow subsequent login attempts and log off the first session.

3. Select the Automatically redirect users to authentication page check box. All users who have not yet authenticated are automatically redirected to the authentication login portal when they try to make an HTTP or HTTPS connection to the Internet. If you do not select this check box, unauthenticated users must manually navigate to the authentication login portal before they can browse to external websites.


4. Select the Redirect traffic sent to the IP address of the XTM device to this host name check box. In the text box, type the host name to use for the Firebox. Make sure the host name matches the Common Name from the web server certificate and the host name specified in the DNS settings for your organization.

5. Select the Send a redirect to the browser after successful authentication check box. In the text box, type http://10.0.1.80/home.html. This is the home page of the Successful Company intranet web server, which is located on the trusted network.

6. Click OK to close the Authentication Settings dialog box.


Exercise 4 — Use a Web Server Certificate

The WatchGuard authentication applet is a web page. If your organization uses a very strict browser security policy, it will verify that the page certificate is from a trusted source. Each time the authentication applet loads, the user is presented with a security alert to let them know that the certificate is not from a trusted source. To avoid this problem, you can import to your Firebox a custom self-signed certificate, or a third-party certificate, for the device to use for all secure HTTP connections. Then, you must import the same certificate to all client computers or web browsers. In this exercise, we use Policy Manager to configure the device to generate and use a custom self-signed certificate:

1. Select Setup > Authentication > Web Server Certificate. The Web Server Certificate dialog box appears.

2. Select Custom certificate signed by Firebox.

3. In the Common Name text box, type successfulco. You should always choose a value that corresponds to your Firebox, such as the domain name of the URL.

4. In the Organization Name text box, type Successful Company, Inc.

5. In the Organization Unit text box, type Corporate Headquarters. You should always choose a value that helps the user verify that the certificate originates with your organization.

6. Click OK. The Web Server Certificate dialog box closes.

7. Save the configuration file to the device. The certificate is not created until you save the configuration file to the device.

8. Save the configuration file as Authentication-Done.


Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. Which of the following statements are good reasons to set up user authentication? (Select all that apply.)
   A) Monitor users who connect through your network
   B) Restrict who can connect to resources on the Internet
   C) Block incoming connections from specific websites
   D) Identify connections in monitoring tools by IP address
   E) Reduce the total number of public IP addresses you need
   F) Prevent unauthorized users from accessing network resources
   G) All of the above

2. True or false? You can configure a policy to allow a single user.

3. Which of these Authentication Servers are compatible with Fireware OS? (Select all that apply.)
   A) Kerberos
   B) SecurID
   C) Linux Authentication
   D) AppleTalk Authorization
   E) Lightweight Directory Access Protocol (LDAP)
   F) Active Directory
   G) Firebox Users and Groups
   H) RADIUS

4. What is the URL for the Firebox Authentication web page? (Select one.)
   A) https://auth.watchguard.com:4100/
   B) http:// ip address of device interface:411/
   C) https:// gateway IP address of Firebox:4000/
   D) https:// :4100/


ANSWERS

1. A, B, F
2. True
3. B, E, F, G, H
4. D


Logging & Reporting View Log Messages & Reports

What You Will Learn

After you configure logging for your Firebox, and the Firebox sends log messages to the WatchGuard Log Servers that you specify, you can review the log messages generated by your Firebox and view or generate reports from those log messages. To review log messages and reports, you can use either the instance of WatchGuard Dimension that you installed on a virtual machine (VM), or the WatchGuard System Manager (WSM) Log Server and Report Server that you installed on your management computer.

If you choose to send log messages to your WatchGuard Dimension server, you can use Dimension to see the log data from your Fireboxes in real-time, track it across your network, view the source and destination of the traffic, view log message details of the traffic, monitor threats to your network, and view reports of the traffic. If you have configured your Firebox to be managed by Dimension, you can also open Fireware Web UI from Dimension to take action on some of the details you find in the Dimension Dashboard pages. This module does not include instructions to manage your Firebox with Dimension or to take action on information for Fireboxes managed by Dimension.

If you installed the WatchGuard Log Server and Report Server on your management computer, you can use the Report Server to generate reports from the log messages your Fireboxes generated. You can then use the reports to troubleshoot problems on your network. From WatchGuard WebCenter, you can use Log Manager to view your log messages and Report Manager to view the reports that your Report Server generates, and to run other On-Demand Reports and Per Client reports. For this training module, we will use both the WatchGuard Dimension (if you already have an instance of Dimension deployed and set up) and the WSM Log Server and Report Server that you installed on your management computer.


In this training module, you learn how to:

• Configure a Firebox to send log messages to Dimension
• Use Dimension to search log messages
• View reports in Dimension
• Export a report from Dimension as a CSV or PDF file
• Use WebCenter Log Manager to search log messages
• Export log messages in a CSV file
• Generate and save reports at regular intervals
• Change report settings
• Save, print, and share reports

In this module, you will connect to one or more Fireboxes, an instance of WatchGuard Dimension, and WatchGuard WebCenter. If you take this course with a WatchGuard Certified Training Partner, your instructor will provide the IP address and passphrases for the Fireboxes, servers, and instance of Dimension used in the exercises. Before you begin these exercises, make sure you read the Course Introduction and the Set Up Logging & Servers modules.

Review Log Messages

From WatchGuard System Manager (WSM), Fireware Web UI, and Dimension, you can use a variety of tools to see the log messages generated by your Fireboxes. From Dimension, you can use these tools to see log messages from your Fireboxes and servers:

Dashboards
The Dashboard pages in Dimension show high-level information about the traffic through your Firebox. From any Dashboard page, you can click on the information you see on the page to pivot the page data on the selected information and drill-down to see additional details. The available Dashboard pages are:

• Executive Dashboard — Includes a high-level view of the traffic through the selected Firebox or group. This includes top clients, top domains, top URL categories, top destinations, top applications, top application categories, and top protocols.
• Security Dashboard — Includes a high-level view of the top threats in each security area protected by your Subscription Services.
• Subscription Services — Includes a high-level view of all the Subscription Services that are enabled on your Firebox for the date and time range you select.
• Threat Map — A visual representation of the dangerous attacks on your network and from which countries the threats originate.
• FireWatch — A real-time, interactive report tool that groups, aggregates, and filters statistics about the traffic through your devices.


• Policy Map — An offline interactive report tool that aggregates the allowed traffic through your Fireboxes and shows that allowed traffic in a visualization of the traffic flows. Each traffic flow is defined by the unique path a connection takes internally through the Firebox as it is processed by policies and configuration settings on the Firebox. The thickness of a traffic flow ribbon indicates how much traffic is included in that traffic flow: thicker ribbons have more bytes or connections. The color of the ribbons and nodes indicates the type and disposition of the traffic.
• AP Devices — An interactive report tool with details about the AP device deployment for this Firebox. This includes a chart for the selected period, with pivot options to see the number of bytes or number of clients for an AP device.
• Mobile Devices — An interactive report tool that appears if your Firebox has Mobile Security enabled and connected mobile devices with the necessary log message data to populate the Dashboard. This Dashboard includes an overview of the mobile devices connected to your Firebox with this summary information for the specified time range: compliance status, device types, all the VPN types in use.

Log Manager
Select a date and time range to see log messages from your Firebox or server for the period of time you specify, if log messages were generated in the selected time frame.

Log Search
Run a search to refine the log messages that appear for the selected Firebox. You can run simple or complex search queries to find specific details in your Firebox log messages.

From Fireware Web UI, you can use the Traffic Monitor Dashboard page to see log messages from your Firebox.

Traffic Monitor
On the Traffic Monitor page, you can see the log messages generated by your Firebox in real-time. You can sort the log messages by type, filter the log messages on specific details, and choose whether the log messages appear in color or black and white.

From WSM, you can use two different tools to see log messages from your Fireboxes:

Log Manager
To see log file data from WSM, you use Log Manager in the WatchGuard WebCenter web UI. It can show the log data page by page, or you can search log messages for specific details, such as key words or log fields. Log Manager is available to you after you install the Log Server software.

Traffic Monitor
For a quick look at the log messages generated by your Firebox, use the Firebox System Manager Traffic Monitor tab. With Traffic Monitor, you can apply color to different types of messages, and ping or traceroute to the IP addresses of computers included in the log messages.



Logging & Reporting

About Log Messages
Both WatchGuard Dimension and WatchGuard System Manager include strong and flexible log message tools. An important feature of a good network security policy is to collect log messages from your security systems, examine those messages frequently, and keep them in an archive. You can use log files to monitor your network security and activity, identify any security risks, and address them.
In addition to your instance of Dimension or your WSM Log Server, Fireboxes can send log messages to a syslog server or keep a limited number of log messages locally on your Firebox. You can choose to send log messages to one or more of these locations.
A Firebox sends five types of log messages: Traffic, Alarm, Event, Debug, and Statistic. Each log message includes the name of the log type as part of the log message.

Traffic Log Messages
The Firebox sends traffic log messages as it applies packet filter and proxy policy rules to traffic that goes through the Firebox. If your Firebox runs Fireware OS v11.10.5 or higher, for packet filter allowed traffic, you can separately select to send log messages for logging purposes (which you can see in Traffic Monitor or Log Manager) or only for reporting purposes (these log messages are only used in reports and do not appear in Traffic Monitor or Log Manager).

Alarm Log Messages
Alarm log messages are sent when an event occurs that causes the Firebox to send a notification request.

Event Log Messages
The Firebox sends an event log message because of user activity. Actions that cause the Firebox to send an event log message include:
• Firebox start up and shut down
• Firebox and VPN authentication
• Process start up and shut down
• Problems with the Firebox hardware components
• Tasks completed by the Firebox administrator

Debug Log Messages
Debug log messages include information used to help troubleshoot problems. You can select the level of debug log messages to see in Traffic Monitor or write to a log file.

Statistic Log Messages
Statistic log messages include information about the performance of your Firebox. By default, the Firebox sends log messages about external interface performance and VPN bandwidth statistics to your log file. You can use these log messages to help you determine how to change your Firebox settings to improve performance.


Build Reports from Log Messages From both WatchGuard Dimension and WSM Report Manager, you can view and generate reports of the log messages that your Fireboxes and WatchGuard servers send to your Log Server.

Dimension Reports
Dimension uses a single server to collect log messages and generate reports. Because only one server is involved, the time it takes to generate reports from the log messages Dimension receives from your Fireboxes and WatchGuard servers is greatly reduced, to as little as a five minute delay. You can view reports in Dimension for a single Firebox, a group of Fireboxes, or a single WatchGuard server. After your Fireboxes and servers send log messages to Dimension, any reports related to the available log messages are automatically generated by the Dimension server and appear in the Reports list for the Firebox or server.

Because all possible reports are automatically generated from the log messages available for any time range, you do not have to manually generate any reports from Dimension. You can, however, schedule reports to be generated and sent as a PDF file to an email address or to ConnectWise. For more information, see the Dimension section of the Fireware Help.


View Reports with Dimension Approximately five minutes after Dimension receives log messages from a Firebox or server, the reports related to those log messages are automatically generated for the Firebox or server. You can connect to the Dimension web UI and select a Firebox or server to view the reports that have been generated from the log messages received from that Firebox or server. Per Client reports are available on the Tools tab for a Firebox. All other reports are found on the Reports tab.

Dimension Report List
From WatchGuard Dimension, you can only view reports for which there is available log message data on your Dimension server. The report types available from Dimension are included in the subsequent list. For a complete list of all the reports available from Dimension, see About Dimension Reports in Fireware Help.
• Executive Summary Report — The Executive Summary Report shows a high level summary of network use and blocked threats for the selected time frame. Some of the report data can be viewed in the Dashboard widgets or the complete data set can be scheduled for export as a PDF of the complete report.
• Per Client Reports — You can navigate directly to Per Client reports, or open them from the client report pivots in some of the other reports, as specified in the subsequent sections.
• Traffic — You can view Traffic reports or export them as a PDF file. Some traffic reports include bandwidth data.
• Web — You can view Web reports or export them as a PDF file.
• Mail — You can view Mail reports or export them as a PDF file.
• Services — You can view Services reports or export them as a PDF file.
• Device — You can view Device reports or export them as a PDF file.
• Detail — Detail reports provide a textual, grid-based view of detail information. Detail reports can be viewed and exported as a CSV file.
• Health — Health reports include statistics about the health of your connected Fireboxes. Reports can be viewed and downloaded as a PDF file, or scheduled for delivery.
• AP Devices — When you enable logging for reports in the Gateway Wireless Controller and you configure your Firebox to send log messages to Dimension, your Firebox also captures log messages for your connected AP devices and sends them to Dimension. Dimension then generates the subsequent reports about your AP devices. AP device reports can be exported as a PDF or CSV file, dependent on the report type.
• Compliance — Compliance report groups combine other reports, but include information specific to HIPAA and PCI reports. You can view the combined report or export it as a PDF.
• Available Reports for Servers — From any Server page, you can see the reports that were automatically generated from the available log message data for the selected server. When you create a report schedule for your WatchGuard servers, you can select the Audit Summary or Authentication Audit reports.


WSM Report Manager For the WSM Report Manager, when you run the WatchGuard System Manager installer, you have the option to install the WatchGuard Report Server on either the management computer or another computer with Microsoft Windows. The Report Server periodically collects data from one or more of your WSM Log Servers. From WatchGuard WebCenter, you can then use Report Manager to review the collected data and generate reports. Report Manager is automatically available when you install the Report Server.

To use Report Manager from a computer that is external to your Firebox when your Report Server is behind the Firebox, you must have a port open to allow the Report Manager traffic between the Report Server and the IP address of your external computer. To make sure the correct port (4130) is open, the WG-LogViewer-ReportMgr packet filter policy must be included in the configuration file of the Firebox that is your gateway Firebox. This policy should be added automatically when you configure the logging settings for the Firebox. If it is missing from your gateway Firebox configuration file, you must add it before you can connect to WebCenter. For more information about how to add a policy to your configuration, see the Policies module, on page 170, or the Fireware Help.
The WatchGuard Web Services API for Reporting is also automatically installed with the Log Server or Report Server. You can use the WatchGuard Web Services API to extract Log Server and Report Server data for custom reports. For more information about this tool, see the Fireware Help.


WatchGuard Reports From WSM Report Manager, you can view and generate WatchGuard Reports, which are the summaries of the log data that you have selected to collect from your Firebox log files. Report Manager consolidates the log data from your Fireboxes into a variety of predefined reports so you can quickly and easily locate and review the actions and events that occur at your Fireboxes. For a complete list of all the predefined reports available from your WSM Report Manager, see Predefined Reports List in Fireware Help.

View Reports with Report Manager
From any web browser, you can connect to WatchGuard WebCenter to use Report Manager to view the Available Reports that you schedule your Report Server to generate, or to generate new On-Demand Reports and Per Client reports. With Report Manager, you can:
• Select report parameters, such as date ranges and times for reports, and the Fireboxes or servers to include in reports.
• View a report in HTML format or export it to a PDF file.
• Print or save a report.


Exercise 1 — Send Log Messages to Dimension
For this exercise, we will connect to an existing instance of Dimension that has already been deployed on a VM and has completed the Dimension Setup Wizard. Before you start this exercise, make sure you have this information for this instance of Dimension:
• Public IP address to use to connect to Dimension
• Log Server Encryption Key

Before you can see log messages in Dimension, you must make sure your Firebox is configured to send log messages to Dimension. If you did not specify Dimension in the second set of Log Servers in the Set Up Logging & Servers module, you can add it now. You do not have to remove the WSM Log Server from the logging settings for your Firebox, or change the priority of the WSM Log Server.
If you did not already add your instance of Dimension to the Logging settings for your Firebox, you can add it to the Log Servers 2 list:
1. Open the configuration file for your Firebox in Policy Manager.
2. Select Setup > Logging. The Logging Setup dialog box appears with the Log Servers 1 tab selected.

3. Select the Log Servers 2 tab and verify that the IP address of your Dimension server does not appear as the first server in the list.
4. Click Configure. The Configure Log Servers dialog box appears with the Log Servers 1 tab selected.

5. Select the Log Servers 2 tab.
6. Click Add. The Add Event Processor dialog box appears.

7. In the Log Server Address text box, type the IP address for your instance of Dimension.
8. In the Encryption Key and Confirm Key text boxes, type the Encryption Key for the Dimension server.
9. Click OK to close the Add Event Processor dialog box. The IP address of your Dimension server appears in the Log Servers 2 list in the Configure Log Servers dialog box.

10. Click OK to save your changes and close the Configure Log Servers dialog box. The Logging Setup dialog box appears with the Dimension server on the Log Servers 2 tab.

11. Click OK to close the Logging Setup dialog box. The Firebox does not establish a connection with the Dimension Log Server until you save the configuration file to the Firebox and it tries to send the first log message.

12. If you have access to a Firebox for this lesson, save the configuration file to the Firebox.

If you are attending a class, your instructor might have all the students send log messages to the same Dimension server, which increases the amount of traffic and thus the number of log messages you can view in Dimension.

After you configure your Firebox to send log messages to Dimension, you must wait a few minutes for log messages to be generated and sent to Dimension.


Exercise 2 — View Log Messages in Dimension After you have configured your Firebox to send log messages to Dimension, and have waited sufficient time for your Firebox to send log messages to Dimension (about five minutes), you can log in to Dimension to see all the log messages generated by the devices connected to Dimension.

Connect to Dimension
1. Open a web browser and type https://. The WatchGuard Dimension login page appears.

2. In the User Name text box, type admin.
3. In the Passphrase text box, type the passphrase for the admin user account. If you are attending a class, your instructor will provide you with the credentials for an administrator user account.

4. Click Log In. The Dimension Home page appears with the Devices tab selected.


View Log Messages
When you first connect to Dimension, the Home page automatically appears with the Devices tab selected by default. On this page, you can see all the Fireboxes that send log messages to Dimension and select a Firebox to view the log messages or reports available for that Firebox.
1. In the Devices list, click the Name of a Firebox. You must click the name of the Firebox specified in the Name column; if you click anywhere else in the row, you only select the Firebox row in the list. The Executive Dashboard page appears for the selected Firebox.

2. In the Start and End text boxes, specify the date and time range for the list of log messages. The Executive Dashboard refreshes with the log message data for the time range you selected.

3. On the Tools tab, in the LOGS section, select Log Manager.

The log messages for the selected Firebox and time range appear. By default, only traffic log messages appear.

4. To see all log message types, click [icon]. The list of log messages updates to include log messages from all log types.

5. To change the log message data display from a bar chart to a line chart, click [icon].
6. To change the log message data display back to a bar chart, click [icon].
7. To see a timeslice analysis of the log message data, from the Actions drop-down list, select Timeslice Analysis. The Timeslice Analysis dialog box appears with a pie chart of all the selected log message data.


Exercise 3 — Search Log Messages in Dimension
You can start a simple search of the log messages for a Firebox from the Log Manager page or start a complex search from the Log Search page. You can search on any text that is included in a log message, such as a port, source or destination IP address, user name, or disposition. If you start the search from the Log Search page, you can run a complex search that includes multiple OR and AND operators.
The Successful Company administrator wants to review all the traffic that was denied by the HTTPS-proxy. In the first part of this exercise, we’ll run a simple search to find all the log messages generated for traffic through the HTTPS-proxy. In the second part of this exercise, we’ll run a complex search to find all the traffic that was denied by the HTTPS-proxy.

Run a Simple Search
To start a simple search from the Log Manager page:
1. In the Search text box, type the text to search on. For example, type HTTPS to search for log messages generated by the HTTPS-proxy.
2. Click Search. The Log Search page appears with the log messages list refined to only include the log messages that match the search parameters.


Run a Complex Search
To start a complex search from the Log Search page:
1. On the Tools tab, select Log Search. The Log Search page appears.


2. To select which log types to search on, click an option at the top of the page:
— Traffic
— Alarm
— Event
— Diagnostic
— Statistic
— All
3. From the drop-down list, select a search option:
• ANY of these words
• ALL of these words
• EXACT Match
• NONE of these words
For this exercise, select ALL of these words. The search results will only include log messages with the word or phrase you specify.

4. In the text box, type the text to search on. For this exercise, type HTTPS.
5. Click [icon] to add an AND operator. A new AND block appears.

6. From the drop-down list, select the ALL of these words search option.
7. In the text box, type disp=Deny.
8. Click Search. The search query runs and the results that include log messages denied by the HTTPS-proxy policy appear in the Log Search list.


Exercise 4 — Export Log Messages from Dimension
The Successful Company Administrator wants to export a copy of the log messages from his instance of Dimension to a CSV file that he can examine with other applications. From the Log Manager and Log Search pages, you can export the log messages for a Firebox from a specified time range to a CSV file.
To export log messages from the Log Manager page:
1. In the Start and End text boxes, specify the time range. The log messages for the specified time range appear.

2. From the Action drop-down list, select Export Logs (.csv).
3. Specify a name for the file and a location to save the file.
4. Click Save.
You can also export the log messages specified in a search that you have run to a CSV file. To export log messages from the Log Search page:
1. Specify the search parameters and run the search.
2. Click Export.
3. Specify a name for the file and a location to save the file.
4. Click Save.


Exercise 5 — Create Device Groups in Dimension
To see the log messages and reports for more than one Firebox at the same time, you can create device groups. You can only add Fireboxes that are connected to Dimension to a device group. To add a device group, you must log in to Dimension with a user account that has administrative privileges.
To create a new group of devices:
1. On the Dimension Home page, select the Groups tab. The Groups page appears.

2. Click [icon]. The Dimension configuration is unlocked and the group modification buttons appear.

3. Click Add. The Add Group dialog box appears.

4. In the Group Name text box, type the name for this group. For this exercise, type Training Group 1.
5. (Optional) In the Description text box, type a description of the devices in this group.
6. To add a device to the group, click [icon]. The Select Devices page appears.

7. From the Available list, select the devices to include in the group and click [icon]. The devices you selected appear in the Selected list.

8. Click OK. The devices you selected for the group appear in the Selected Devices list.

9. Click Save. The new group appears in the Groups list.

10. Click [icon].


Exercise 6 — View Reports in Dimension
After reviewing the log messages for specific web traffic, the Successful Company administrator now wants to review the reports of all the activity on his company’s network. He can review reports for a single Firebox or, to see reports of activity on more than one Firebox at a time, review reports for a group of devices.
To see reports for a single Firebox:
1. On the Dimension Home page, select the Devices tab. The Devices page appears.

2. From the Devices list, click the Name of a Firebox. The Executive Dashboard page appears for the selected Firebox.

3. In the Start and End text boxes, specify the time range. The Executive Dashboard is updated with information for the specified time range.

4. Select the Reports tab. The reports that are available for the selected time frame appear for your Firebox.

5. From the Reports list, select a report. The data appears for the report you selected.

6. (Optional) From the drop-down list at the top of the report, select an option to pivot the report data on. The report data display is updated based on the pivot you selected.

To see reports for a group of Fireboxes:
1. On the Dimension Home page, select the Groups tab. The Groups page appears.

2. From the Groups list, click the Name of a group. The Executive Dashboard page appears for the selected group.

3. In the Start and End text boxes, specify the time range. The Executive Dashboard is updated with information for the specified time range.

4. Select the Reports tab. The reports that are available for the selected time frame appear for your group.

5. From the Reports list, select a report. The data appears for the report you selected.


Exercise 7 — Export Reports from Dimension
Many reports that you view in Dimension can be exported as a PDF file and a few can be exported as a CSV file. For example, most client, trend, and summary reports can be exported as a PDF file, while statistical reports can be exported as a CSV file. When you export report data, each file is automatically given a file name with the name of the Firebox, the report name, and the time frame of the report data. You can change this file name when you save the report data file.

Export a Report as a PDF File
At the Successful Company, the administrator wants to save the report data from the Most Active Clients report as a PDF file that he can send to the various company department heads, so they can review which of their workers use the most network bandwidth.
1. On the Dimension Home page, select the Devices tab. The Devices page appears.

2. From the Devices list, select the Name of a Firebox. The Executive Dashboard page appears for the selected Firebox.

3. In the Start and End text boxes, specify the time range. The Executive Dashboard is updated with information for the specified time range.

4. Select the Reports tab. The reports that are available for the selected time frame appear for your Firebox.


5. From the Reports list, select Most Active Clients. The data for the Most Active Clients report appears.

6. (Optional) From the drop-down list at the top of the report, select a pivot option: Hits or Bytes. The report data display is updated based on the pivot you selected.

7. To export the report as a PDF file, at the top of the report, click [icon]. The Save As dialog box appears.

8. Specify a name and location to save the PDF file.


Export a Report as a CSV File
The Successful Company administrator also wants to export a report of statistical data for the Firebox to a CSV file that he can use in a third-party program.
On the Reports tab for a Firebox:
1. From the Reports list, select Device Statistics. The Device Statistics report appears.

2. At the top of the report, click [icon]. The Save As dialog box appears.

3. Specify a name and location to save the CSV file.


Exercise 8 — Use WSM Log Manager to View Log Messages
Log Manager is the WatchGuard System Manager tool that you can use to find details about the traffic through your network. You can choose to see the data in your log files page-by-page, or you can search by key words or specific log fields to find a particular log message. This is helpful when you want to troubleshoot a problem on your network.
Log Manager is available to you in the WatchGuard WebCenter web UI after you install the WSM Log Server software. If you install your Log Server and your Report Server on the same computer, both Log Manager and Report Manager are available in WatchGuard WebCenter at the same server location, so you can log in to one WebCenter web UI to look at both your log messages and your reports. If you install them on separate computers, you must connect to WebCenter for each server separately.
To use WatchGuard WebCenter from a computer that is external to your Firebox when your Log Server is behind the Firebox, you must open a port to allow the Log Manager traffic between the Log Server and the IP address of your external computer. To make sure the correct port is open, the WG-LogViewer-ReportMgr packet filter policy must be included in the configuration file of the Firebox that is your gateway Firebox. This policy should be added automatically when you configure the logging settings for the Firebox. If it is missing from your gateway Firebox configuration file, you must add it before you can connect to WebCenter. For more information about how to add a policy to your configuration, see the Policies module.
In this exercise, we will enable certain Successful Company users to connect to WatchGuard WebCenter to view log messages and reports, use the Log Manager Search tool to troubleshoot a problem with email reception on the Successful Company network, and export log messages to a CSV file.

Connect to WebCenter to View Log Messages
There are two ways to connect to WebCenter for your Log Server: directly to the web UI in a web browser, or from WatchGuard System Manager.
To connect to WebCenter in a web browser:
1. Open a web browser and go to https://:4130. The WatchGuard WebCenter web UI login page appears.

2. Type your Username and Passphrase.
3. Click Log In. WatchGuard WebCenter appears, with the LOG MANAGER > Devices page selected.

4. In the Devices list, select your Firebox. The Firebox page appears for your Firebox, with all the Log Messages from this Firebox from the last 60 minutes.

To connect to Log Manager from WatchGuard System Manager:
1. Open WatchGuard System Manager and click [icon]. Or, select Tools > Log Manager. The Server Login dialog box appears.

2. Type the Server IP address, Port, User Name, and Passphrase for your Log Server.
3. Click Login. WatchGuard WebCenter appears, with the LOG MANAGER > Devices page selected.


View Log Messages
1. From the Devices list, select your Firebox. The Firebox page appears for your Firebox, with all the log messages from this Firebox from the last 60 minutes. Traffic log messages are displayed by default.

2. Select a log message from the list. The log message details dialog box appears with additional information about the log message you selected.

3. To sort the log messages by a column, click that column header. The log messages are sorted by the column header you selected.

4. To view all log types, at the top of the page, select [icon]. All of the log message types appear in the log messages list.

5. To view a specific log type, at the top of the page, select the tab for the log type. The log messages list is updated to include only log messages of the type you selected.

Run a Search
The Successful Company support team manager has contacted you because the support team is not receiving email requests from Big Client A. To find out what is happening to email from Big Client A, you will run a search query to see if traffic from Big Client A’s email server is passing through your Firebox to your email server.
You can use Log Manager to search for any details included in the log messages for your devices that are logging to your Log Server. You can start a search from either the main LOG MANAGER > Search page or from any Firebox page. From the Firebox page, when you specify the text to search on and click Search, the web UI automatically switches to the Search page and populates the form with the text you specified.
When you run a search, you can search the log messages for only one Firebox at a time. You can save your search parameters for each Firebox so you can run them again for that Firebox, but you cannot run saved search parameters for a different Firebox. Each time you want to run a new search for a different Firebox, you must specify the parameters to search on. To refine your search, you can specify the time range and select a log type to search for.
By default, the Search page includes one search query block. To run a simple search, just type the text to search on in one text box in the default search query block. To run a complex search with an AND operator, specify text to search on in more than one text box in a single search query block. To run a complex search that includes an OR operator, add another search query block. You can add up to nine search query blocks to your search.
When you define a search query, you can include the name of one or more columns in the log file in your search parameters. Though you can search for any column included in your log files, some of the columns that are most often searched are: policy, protocol, src_ip, src_port, dst_ip, dst_port, src_intf, dst_intf, app_name, and app_cat_name.
For more information about how to use Log Manager, see the “Logging and Reporting” topics in the Fireware Help.
For this exercise, we will use Log Manager to run a search query that inspects the traffic from Big Client A that was not allowed through the firewall. To search the Traffic log messages on the Log Server to find all traffic from Big Client A’s source IP address that was denied, we will include the src_ip and the disp columns in the query text.


If you are attending a class, your instructor will provide the source IP address for your search. If you want to test this outside of a class, you can search on any IP address in the Source column.

To run a search from the Log Manager Search page:
1. Select LOG MANAGER > Search. The Search page appears with a list of all the devices logging to your Log Server.

2. Select a Firebox. The Search page appears with the one search query block displayed.

3. From the Time Range drop-down list, select the amount of time to include in your search. For this example, select Last 6 Hours.
4. In the Log Type drop-down list, Traffic is selected by default. Do not change this selection.
5. In the ANY of these words text box, type the IP address to search for. For this example, we type the column to search in and the IP address to search for in this format: src_ip=.
6. In the ALL of these words text box, type the disposition of the traffic. For this example, we want to find all traffic from the specified IP address that was denied, so we type disp=Deny.
7. Click Search. The Search results are refined to include only log messages for traffic from the specified source IP address that was denied access through the firewall.
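The search semantics used in Exercise 3 (Dimension Log Search: an ALL-of-these-words clause, plus a second clause joined by an AND operator) and in this Log Manager search (several text boxes in one query block are ANDed, additional query blocks are ORed, up to nine blocks) can be modelled in a few lines. The block below is an added example written for this guide, not WatchGuard code: the key=value layout of the sample log lines is constructed for the example, and only the column names (policy, src_ip, dst_ip, disp, and so on), the search options, and the nine-block limit come from the text. Case-insensitive matching and the rule that a column=value term matches only that column are assumptions.

```python
"""Toy model of the Log Manager / Log Search query semantics described in this
module, run over constructed sample log lines.

Not WatchGuard code. The key=value line layout is invented for the example;
only the column names, the search options (ANY, ALL, EXACT, NONE) and the
nine-block limit come from the training guide.
"""
import re

# Constructed sample log messages (illustrative only; real Firebox log
# messages use their own format). Addresses are from documentation ranges.
SAMPLE_LOGS = [
    'Traffic policy="HTTPS-proxy-00" proto=tcp src_ip=10.0.1.25 src_port=51234 '
    'dst_ip=203.0.113.10 dst_port=443 src_intf=Trusted dst_intf=External disp=Allow',
    'Traffic policy="HTTPS-proxy-00" proto=tcp src_ip=10.0.1.40 src_port=51888 '
    'dst_ip=198.51.100.7 dst_port=443 src_intf=Trusted dst_intf=External disp=Deny',
    'Traffic policy="HTTP-proxy-00" proto=tcp src_ip=10.0.1.40 src_port=51889 '
    'dst_ip=198.51.100.7 dst_port=80 src_intf=Trusted dst_intf=External disp=Deny',
    'Traffic policy="SMTP-proxy-00" proto=tcp src_ip=192.0.2.99 src_port=40000 '
    'dst_ip=10.0.2.5 dst_port=25 src_intf=External dst_intf=Trusted disp=Deny',
    'Traffic policy="SMTP-proxy-00" proto=tcp src_ip=192.0.2.99 src_port=40001 '
    'dst_ip=10.0.2.5 dst_port=25 src_intf=External dst_intf=Trusted disp=Allow',
    'Event msg="Firebox started"',
]

MAX_BLOCKS = 9  # the guide: up to nine search query blocks per search

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(line):
    """Split a constructed log line into its log type and key=value columns."""
    fields = {"log_type": line.split(" ", 1)[0]}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def term_matches(term, line, fields):
    """column=value (for example disp=Deny) matches only that column;
    a bare word matches anywhere in the message. Case-insensitive (assumption)."""
    if "=" in term:
        key, _, value = term.partition("=")
        return fields.get(key, "").lower() == value.lower()
    return term.lower() in line.lower()


def clause_matches(option, text, line, fields):
    """Evaluate one text box: ANY / ALL / NONE of these words, or EXACT match."""
    if option == "EXACT":
        return text.lower() in line.lower()
    hits = [term_matches(t, line, fields) for t in text.split()]
    if option == "ANY":
        return any(hits)
    if option == "ALL":
        return all(hits)
    if option == "NONE":
        return not any(hits)
    raise ValueError(f"unknown search option: {option!r}")


def search(logs, blocks, log_type=None):
    """Run a query over logs and return the matching lines.

    blocks is a list of query blocks; each block is a list of (option, text)
    clauses. Clauses inside a block are ANDed (several text boxes in one block,
    or the AND operator in Dimension); blocks are ORed (adding another block).
    log_type, when given, restricts the search to one log type, like the
    Log Type drop-down list.
    """
    if not 1 <= len(blocks) <= MAX_BLOCKS:
        raise ValueError(f"a search needs between 1 and {MAX_BLOCKS} query blocks")
    matches = []
    for line in logs:
        fields = parse_fields(line)
        if log_type is not None and fields["log_type"] != log_type:
            continue
        if any(all(clause_matches(opt, txt, line, fields) for opt, txt in block)
               for block in blocks):
            matches.append(line)
    return matches


def denied_by_https_proxy(logs):
    """Exercise 3: 'HTTPS' AND 'disp=Deny' as two ANDed clauses in one block."""
    return search(logs, [[("ALL", "HTTPS"), ("ALL", "disp=Deny")]], log_type="Traffic")


def denied_from_source(logs, src_ip):
    """Exercise 8: src_ip=<address> in one box and disp=Deny in another, Traffic only."""
    return search(logs, [[("ANY", f"src_ip={src_ip}"), ("ALL", "disp=Deny")]],
                  log_type="Traffic")


if __name__ == "__main__":
    for line in denied_by_https_proxy(SAMPLE_LOGS):
        print("denied by HTTPS-proxy:", line)
    for line in denied_from_source(SAMPLE_LOGS, "192.0.2.99"):
        print("denied from 192.0.2.99:", line)
    # OR across blocks: everything through the HTTPS-proxy or the SMTP-proxy
    print(len(search(SAMPLE_LOGS, [[("ALL", "HTTPS")], [("ALL", "SMTP")]])), "proxy lines")
```

Two points of the model are worth noticing when you read real search results: a bare word such as HTTPS matches the policy name anywhere in the message, so it would also match an HTTPS value in a different column, whereas disp=Deny is pinned to the disposition column; and the NONE option, like the guide's search page, excludes a message if any of its words appear, not only if all of them do.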


Because the Successful Company Administrator might want to run this search again later, he decides to save the search.
To save search parameters for a specific Firebox:
1. From the LOG MANAGER > Search page for a Firebox, click Save. The Opening search.query dialog box appears.

2. Select Save File and click OK.
3. Browse to select a location to save the search query file and type a descriptive name for the search query file. For this example, type search1.query. Make sure to choose a file name that will make it easy to identify the search query when you want to run the search again.

4. Click Save. The search1.query file is saved in the location you selected.

When the Successful Company Administrator wants to run a saved query for a Firebox again, he simply loads the search query file and runs the search again.
1. From the LOG MANAGER > Search page for a Firebox, click Load. The Load Search Query dialog box appears.

2. Click Browse to select the search1.query file and click Open. The path to the search.query file appears in the Load Search Query dialog box.

3. Click OK. The Search page is refreshed to include the details specified in the search query file and the search results are updated to include only those results that match the specified search query.

Export Log Messages
The network administrator from Successful Company wants to take the log messages from one of his XTM devices that was not passing traffic correctly over a Monday afternoon and review them in a third-party application. To do this, he can export the log messages from one Firebox for a specific date and time to a CSV file. The file name of this CSV file is the date and time range for the log messages in the file. When you export the CSV file, it is automatically added to a ZIP file. The ZIP file name is the serial number of the Firebox, as well as the date and time range for the log messages. If you choose to save the ZIP file to a location on your computer, you can specify any file name.
1. Select LOG MANAGER > Devices. The Devices list appears.

2. Select the Name of a Firebox. The log messages page for the selected Firebox appears.

3. From the Actions drop-down list, select Custom Timerange. The Custom Date-Time Range dialog box appears.

4. Select the Start date and time, and End date and time. For this exercise, select last Mon day from 12:00 to 22:00. 5. Click OK. The Log Messages page is updated with only the log messages for the specified date and time.

6. From the Actions drop-down list, select Export The Opening file dialog box appears for the ZIP file. logs (.csv). 7. Select whether to open the ZIP file or save it to a location on your computer. Click OK. 8. If you save the file, browse to select a location.

369

WatchGuard Technologies,Inc.

Logging & Reporting 9. (Optional) Type a file name for the ZIP file. 10. Click Save. The ZIP file is saved to the specified location on your computer.

11. Browse to the location where you saved the ZIP file, open the file, and extract the CSV file. The Successful Company administrator can now open the CSV file and review the log messages, or import the CSV file to another program or to the WatchGuard Log Server.


Exercise 9 — Use Report Manager to View & Run Reports

After you create a report schedule on your Report Server to generate specific reports (which you completed in the Set Up Logging & Servers module), you can use Report Manager to review and share the reports created from log message data. You can review the Available Reports that you configured your Report Server to generate on the Daily or Weekly tabs. You can also generate real-time On-Demand or Per Client reports. In this exercise, the Successful Company network administrator connects to WatchGuard WebCenter and uses Report Manager to review an Available Report and to generate an On-Demand report.

Connect to WSM Report Manager to View Reports

There are two ways to connect to WatchGuard WebCenter to use Report Manager to view and generate reports: directly to WebCenter in a web browser, or from WatchGuard System Manager.

To connect to WatchGuard WebCenter in a web browser:

1. Open a web browser and go to https://<Report Server IP address>:4130. The WatchGuard WebCenter login page appears.
2. Type your Username and Passphrase.
3. Click Log In. WatchGuard WebCenter appears. If your Log Server is installed on the same computer, the LOG MANAGER > Devices page is selected. If your Log Server is not installed on the same computer, the REPORT MANAGER > Devices page is selected.
4. If necessary, select REPORT MANAGER > Devices.
5. In the Devices list, select your Firebox. The Firebox page appears for your Firebox, with all of the Available Reports that have been scheduled for this Firebox.

If you are attending a class, your instructor will provide the credentials for the Report Server.

To connect to WatchGuard WebCenter from WatchGuard System Manager:

1. Open WatchGuard System Manager and click the Report Manager icon, or select Tools > Report Manager. The Server Login dialog box appears.
2. Type the Server IP address, Port, User Name, and Passphrase for your Report Server.
3. Click Login. WatchGuard WebCenter appears. If your Log Server is installed on the same computer, the LOG MANAGER > Devices page is selected. If your Log Server is not installed on the same computer, the REPORT MANAGER > Devices page is selected.


View Reports

After you connect to Report Manager, you can select the reports to view or generate.

1. Select REPORT MANAGER > Devices. The Devices page appears.
2. From the Devices list, select a Firebox. The Available Reports page appears for the selected Firebox, with the Daily tab selected and the report data sorted by Users.
3. From the Daily calendar, select a date to see the Available Reports for that day.
4. From the Available Reports list, select a report to view. The selected report appears.
5. To view the report data by hosts instead of by users, select Hosts.
6. If the report includes links to client data, you can click the client data detail to open a Per Client report.


To generate an On-Demand report:

1. At the top right of the page, select On-Demand. The On-Demand Reports page appears for the selected Firebox.
2. Put your cursor in the Start text box to select the start date and time for the report. The date and time selection calendar appears.
3. Select a month and day from the calendar. Slide the time selectors to specify the hour and minute. Or, click Now to select the current date and time.
4. Click Done. The selected date and time appears in the Start text box.
5. Put your cursor in the End text box and select the end date and time for the report. Click Done.
6. From the Select a report type drop-down list, select the type of report to generate.
7. Click Run Report. The selected report is generated.

It can take a few moments to generate the report. The longer the time range for the report, the longer it takes to generate the report.


Exercise 10 — Share Reports from Report Manager

In this exercise, the Successful Company network administrator uses Report Manager to view a weekly report, and then generates a PDF of the report to send to his manager. He also makes a hard copy for the Sarbanes-Oxley auditors.

1. From any report page, at the top right of the page, click the icon to export the report as a PDF. The Opening file dialog box appears.
2. Select the Save file option.
3. Click OK.
4. Select a location to save the PDF file.
5. Click Save. The PDF is saved in the selected location.

The network administrator can now send the PDF to his manager and print a copy for the auditors.


Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. True or false? To configure your Firebox to send log messages to Dimension, in the Logging Settings for your Firebox, you add the IP address and encryption key for the Dimension Log Server, just as you would for a WSM Log Server.
2. True or false? After you install Dimension and configure your devices to send log messages to Dimension, you must wait 24–48 hours before you can see any reports in Dimension.
3. True or false? You can only run a search of log messages in Dimension from the Log Search page.
4. True or false? You can export log messages from Dimension to a CSV file.
5. True or false? You can create groups of Fireboxes in Dimension.
6. True or false? When you view reports for groups of devices, data for each Firebox is included in a separate report.
7. True or false? You can only export report data from Dimension to a PDF file or CSV file if you create a report schedule.
8. True or false? WSM Log Manager automatically saves the search queries you run.
9. True or false? When you run a search query from WSM Log Manager, it applies to all the devices that are connected to your Log Server.
10. True or false? From WSM Log Manager, you can export log messages for more than one Firebox at the same time.
11. True or false? You can use WSM Report Manager to generate an On-Demand Report about more than one Firebox at the same time.
12. True or false? From WSM Log Manager, you can save a search query for a specific Firebox to run it again for only that Firebox.
13. True or false? You can use WSM Report Manager to configure any report and send it in an email.
14. True or false? To connect to WatchGuard WebCenter, use the IP address of your Firebox.
15. True or false? You can email a PDF of a report directly from WSM Report Manager.


ANSWERS

1. True. The configuration settings to send log messages from your Firebox to a Dimension Log Server are the same as for a WSM Log Server.
2. False. After you have installed Dimension and configured your devices to send log messages to Dimension, you can view those log messages and see reports of the log message data, usually within five minutes.
3. False. You can run a search from both the Log Manager (simple search) and the Log Search (complex search) pages in Dimension.
4. True. You can export log messages for a single Firebox or a group of devices from Dimension to a CSV file.
5. True. You can create groups of Fireboxes in Dimension that you can use to see log messages and reports for multiple devices at the same time.
6. False. When you create a Device group in Dimension, data for all the devices in the group is included in one report.
7. False. You can export reports from Dimension as a PDF or a CSV file when you view an automatically generated report.
8. False. WSM Log Manager does not save search queries automatically; you must save a search query explicitly to run it again later.
9. False. You can only run a search query on one Firebox at a time.
10. False. You can export the log messages for only one Firebox at a time.
11. False. From WSM Report Manager, you can only generate an On-Demand report for one Firebox at a time.
12. True. You can save a search query for a Firebox to run it again later for the same Firebox. You cannot save search query parameters to run the same search for a different Firebox.
13. False. You can run On-Demand and Per Client reports from WSM Report Manager and generate a PDF of each report, but WSM Report Manager cannot connect to your email program to open an email message and attach the PDF to the message.
14. False. Use the IP address of your WSM Log Server or Report Server to connect to WatchGuard WebCenter over port 4130.
15. False. You can generate a PDF of a report from WSM Report Manager, but you must save it and attach it to an email message in your own email editor.


Branch Office VPN Create IPSec VPNs Between Devices

What You Will Learn

Fireware offers three methods to create a secure branch office virtual private network (BOVPN) connection between networks at different sites. In this module you learn:

- How branch office VPNs and VPN negotiations work.
- The differences between BOVPN types.
- How to configure a manual BOVPN between two Fireboxes.
- How to monitor a manual BOVPN and do basic BOVPN troubleshooting.

Before you begin these exercises, make sure you read the Course Introduction module.

BOVPN Overview

Benefits of a Branch Office VPN

A branch office VPN (BOVPN) is an encrypted and authenticated connection between two networks, where data is sent through an untrusted network, such as the Internet. The BOVPN connection is also called a tunnel. The gateways, which are the endpoints of the tunnel on both networks, send and receive VPN data.

A branch office VPN provides these benefits:

- Privacy or confidentiality of the data — The VPN uses encryption to guarantee that traffic between the two private networks is secret. An attacker who intercepts the traffic cannot understand it.
- Data integrity — The VPN guarantees that the data that passes through it has not been changed after it was sent.
- Data authentication — The VPN guarantees that data that passes through the tunnel actually comes from one of the two endpoints of the VPN, and not from some attacker on the Internet.
- Direct private IP address to private IP address communication — The computers at the two offices communicate as if they were not behind devices configured with Network Address Translation (NAT). The data tunnels through NAT for a transparent connection between the devices.

The Firebox examines traffic to and from computers on its protected networks. It uses the source and destination IP address of the traffic and the VPN settings to decide what traffic to encrypt and send to the remote VPN gateway. In this module, you use two Fireboxes as the gateway endpoints. You can create a VPN between your Firebox and any other device that supports the IPSec standard.

The VPN settings must match on both gateway devices: each side must use the same Phase 1 and Phase 2 settings, and the tunnel routes on one side must be the reverse of the routes on the other.


Branch Office VPN Types

Fireware supports three types of branch office VPNs. In this module, we use the first type.

Manual BOVPN gateway and associated tunnels
You can manually create a BOVPN gateway and its associated tunnels. When you configure a manual BOVPN gateway, you can use a second Firebox as the other BOVPN gateway, or a third-party VPN device that supports IPSec. When you add a BOVPN gateway and tunnels to configure a BOVPN, you set both the source and destination for the traffic you want to send through the tunnel. The device routes a packet through the BOVPN tunnel if the source and destination of the packet match a configured VPN tunnel route.

BOVPN virtual interface
A BOVPN virtual interface is a manual BOVPN configuration option for a VPN between two Fireboxes that use Fireware v11.8 or higher. Fireware v11.11 and higher also supports BOVPN virtual interface connections to any third-party device that supports IPSec over GRE. In Fireware v11.12 and higher, you can also use the BOVPN virtual interface to configure an IPSec tunnel without GRE. This type of VPN offers more flexibility in configuration, because the device decides whether to route a packet through the virtual interface tunnel based on the outgoing interface specified for the packet. You can specify a BOVPN virtual interface as the destination for traffic in a policy. You can also specify a BOVPN virtual interface when you configure static routes, dynamic routing, and policy-based routing. You can select any internal or external interface as the gateway endpoint for a BOVPN virtual interface.

Managed VPN tunnel
A managed VPN tunnel is a BOVPN tunnel that you create between two centrally managed Fireboxes. From your WatchGuard Management Server, you can drag and drop one managed Firebox onto another managed Firebox to quickly configure a VPN tunnel between the two Fireboxes, based on templates and VPN resources defined on the Management Server. You can also use the hub-and-spoke method to create a managed VPN tunnel between two Fireboxes managed by Dimension. Managed VPN tunnels are not discussed in detail in this course, but use the same security settings and protocols as a manual VPN tunnel. For more information about managed VPN tunnels, see the Fireware Help.

A managed VPN tunnel is equivalent to a manual BOVPN gateway with an associated BOVPN tunnel. You cannot use the Management Server to configure a BOVPN virtual interface.


Select a VPN Type

How do you decide which VPN type to use? Here are some guidelines to consider.

Manual BOVPN
With a manual BOVPN, traffic is always routed through the tunnel if the source and destination IP addresses match a tunnel route in the VPN configuration. Use this type of VPN for:
- A VPN tunnel between a Firebox and a third-party device that does not support IPSec over GRE
- A VPN tunnel between any two Fireboxes that use any version of Fireware OS

BOVPN Virtual Interface
With a BOVPN virtual interface, traffic is routed through the VPN if the VPN route has the route metric with the highest priority to the destination. You assign a route metric from 1 to 254 to each BOVPN virtual interface route. A route metric of 1 has the highest priority. You can use this type of tunnel in many different network routing scenarios, such as policy-based routing, metric-based failover and failback, dynamic routing, and routing of IPv6 traffic through an IPv4 tunnel. Use this type of VPN for:
- A VPN tunnel between two Fireboxes that use Fireware v11.8 or higher
- A VPN tunnel between a Firebox that uses Fireware v11.11 or higher and a third-party device that supports IPSec over GRE
- A VPN tunnel between a Firebox that uses Fireware v11.12 or higher and a third-party device that supports IPSec without GRE. This type of tunnel supports wildcard traffic selectors.
Use this type of VPN if you want to separate the routing from the VPN security association. The VPN security association is the secure, authenticated channel between two gateway endpoints.

Managed BOVPN
Managed BOVPN tunnels are useful if you want to create and manage a large number of tunnels between Fireboxes managed by a WatchGuard Management Server. On the Management Server, you can create Security Templates and VPN Firewall Policy Templates that can be used for one or more managed VPN tunnels. The templates make it easier to configure a large number of VPN tunnels with consistent settings. Use this type of VPN for VPN tunnels between Fireboxes managed by a WatchGuard Management Server.

All branch office VPN methods use the same IKEv1 protocols and tunnel negotiation procedure. Manual BOVPNs and BOVPN virtual interfaces also support IKEv2. In this module, we focus on what you must know to configure and monitor manual BOVPN gateways and tunnels.
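The practical difference between the two manual styles in the guidelines above is how a packet is matched to a tunnel: a manual BOVPN tests the packet's source and destination against a tunnel route, while a BOVPN virtual interface is an ordinary next hop that the routing table selects by metric. The following Python example is added here and is not part of the guide or of Fireware; it models both decisions so you can see what a source outside the selector, or a metric-based failover, looks like. The networks, tunnel names and interface names (bovpn.1, bovpn.2, eth0) are constructed, and the longest-prefix-first tie-break is standard routing behaviour that we assume here; the guide itself describes the choice only in terms of metrics.

```python
"""Route selection for the two manual BOVPN styles.

Added example, not WatchGuard code. Networks and interface names are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelRoute:
    """Manual BOVPN tunnel route: the Phase 2 ID pair (local network, remote network)."""
    name: str
    local: str
    remote: str


@dataclass(frozen=True)
class VifRoute:
    """Static route whose next hop is a BOVPN virtual interface (or any other interface)."""
    prefix: str
    interface: str
    metric: int  # 1 = highest priority ... 254 = lowest


def select_manual_tunnel(routes, src, dst):
    """Manual BOVPN: a packet enters a tunnel only if BOTH its source and destination
    fall inside one configured tunnel route. Returns the tunnel name, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in routes:
        if s in ipaddress.ip_network(r.local) and d in ipaddress.ip_network(r.remote):
            return r.name
    return None  # not VPN traffic: handled by the normal routing table


def select_vif_route(routes, dst, down=frozenset()):
    """BOVPN virtual interface: the destination is looked up like any other route.
    Assumption (standard routing, not stated in the guide): the most specific prefix
    wins first, then the lowest metric. Routes via an interface listed in `down` are
    skipped, which is what produces metric-based failover to the backup tunnel."""
    d = ipaddress.ip_address(dst)
    candidates = [
        r for r in routes
        if r.interface not in down and d in ipaddress.ip_network(r.prefix)
    ]
    if not candidates:
        return None
    best = min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.metric))
    return best.interface


# Constructed sample configuration (RFC 1918 addresses, invented interface names).
MANUAL_ROUTES = (
    TunnelRoute("hq-to-branch", "10.0.1.0/24", "10.0.2.0/24"),
    TunnelRoute("hq-to-dc", "10.0.1.0/24", "10.0.3.0/24"),
)
VIF_ROUTES = (
    VifRoute("10.0.2.0/24", "bovpn.1", 1),    # primary tunnel
    VifRoute("10.0.2.0/24", "bovpn.2", 10),   # backup tunnel, used when bovpn.1 is down
    VifRoute("0.0.0.0/0", "eth0", 1),         # default route to the Internet
)

if __name__ == "__main__":
    print(select_manual_tunnel(MANUAL_ROUTES, "10.0.1.25", "10.0.2.7"))   # hq-to-branch
    print(select_manual_tunnel(MANUAL_ROUTES, "10.0.9.3", "10.0.2.7"))    # None: source outside selector
    print(select_vif_route(VIF_ROUTES, "10.0.2.7"))                       # bovpn.1
    print(select_vif_route(VIF_ROUTES, "10.0.2.7", down={"bovpn.1"}))     # bovpn.2
    print(select_vif_route(VIF_ROUTES, "203.0.113.9"))                    # eth0
```

Note the second manual case: a host at 10.0.9.3 that can reach 10.0.2.7 by normal routing still gets no tunnel, because the manual BOVPN selector checks the source as well as the destination. That is exactly the symptom the troubleshooting section later describes as a tunnel route with the wrong local network.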


VPN Tunnel Capacity

The maximum number of active VPN tunnels your Firebox supports depends on the device model. You can see the maximum number of tunnels in the feature key for your device.

The value in the feature key limits the number of VPN tunnels that can be active at the same time. The feature key does not limit the number of tunnel routes you can configure for branch office VPNs.

IPSec VPN Algorithms and Protocols

IPSec is a collection of cryptography-based services and security protocols that protect communication between devices that send traffic through an untrusted network. Because IPSec is built on a collection of widely known protocols and algorithms, you can create an IPSec VPN between your Firebox and many other devices that support these standard protocols. For a VPN to function successfully, each VPN gateway must be configured to use the same algorithms and protocols. The algorithms and protocols used by IPSec are described in the subsequent sections.

Encryption Algorithms

Encryption algorithms protect the data so it cannot be read by a third party while in transit. Fireware BOVPNs support three encryption algorithms. Longer keys are more secure.

- DES (Data Encryption Standard) — Uses an encryption key that is 56 bits long. This is the weakest of the three algorithms and should not be used for new tunnels.
- 3DES (Triple-DES) — An encryption algorithm based on DES that applies the DES cipher three times with three 56-bit keys (168 bits in total). It is slower than AES and provides less security than AES-128.
- AES (Advanced Encryption Standard) — The strongest encryption algorithm available. Fireware can use AES encryption keys of these lengths: 128, 192, or 256 bits.


Authentication Algorithms

Authentication algorithms are used to verify that data packets are complete and not sent by a third party. Each algorithm produces a message digest, also called a hash, which represents a set of data packets. When the data packets are received by the other BOVPN gateway, that device can use the same authentication algorithm to verify the data. Longer hashes are more secure.

SHA-2 (Secure Hash Algorithm 2)
SHA-2 is the most secure authentication algorithm supported, and it is the most computationally intensive. Fireware supports these types of SHA-2:
- SHA2-256 — Produces a 256-bit (32 byte) message digest
- SHA2-384 — Produces a 384-bit (48 byte) message digest
- SHA2-512 — Produces a 512-bit (64 byte) message digest

SHA-2 is not supported on XTM 21, 22, 23, 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices.

SHA-1 (Secure Hash Algorithm 1)
SHA-1 produces a 160-bit (20 byte) message digest.

MD5 (Message Digest Algorithm 5)
MD5 produces a 128-bit (16 byte) message digest. It is faster than SHA-1 or SHA-2, but it is the least secure algorithm.

Diffie-Hellman Key Exchange Algorithms

The Diffie-Hellman (DH) key exchange algorithm is a method for two VPN gateways to agree on a shared encryption key without ever sending the key itself across the network: each gateway sends only a public value, and both derive the same secret from the public value they receive and the private value they keep. When the key exchange is complete, both VPN gateways can use the same key to encrypt VPN data. A Diffie-Hellman key group is the set of parameters (the modulus and generator, or the elliptic curve) used for the exchange. Fireware can use DH groups 1, 2, 5, 14, 15, 19, and 20. For the modular groups (1, 2, 5, 14, and 15), a higher group number means a larger modulus, which is more secure but requires more time to compute the key. Groups 19 and 20 are elliptic curve groups, which provide strong security with less computation than the large modular groups.

AH (Authentication Header)

Defined in RFC 2402 (superseded by RFC 4302), AH is a protocol that you can use in manual BOVPN Phase 2 VPN negotiations. To provide security, AH adds authentication information to the VPN data, including the outer IP header. While AH provides better protection against spoofed packets, most VPN tunnels do not use AH because it does not provide encryption.


ESP (Encapsulating Security Payload)

Defined in RFC 2406 (superseded by RFC 4303), ESP provides authentication and encryption of data. ESP takes the original payload of a data packet and replaces it with encrypted data. It adds integrity checks to make sure that the data is not altered in transit. We recommend that you use ESP in BOVPN Phase 2 negotiations because ESP provides confidentiality as well as integrity, and AH does not.

VPN Negotiations

When two IPSec gateway devices attempt to establish a VPN connection, they exchange a series of messages about encryption and authentication, and agree on many different parameters. This process of agreeing on the VPN parameters is called VPN negotiations. VPN negotiations happen in two distinct phases: Phase 1 and Phase 2.

Phase 1
The main purpose of Phase 1 is to set up a secure authenticated channel through which the two devices can negotiate Phase 2. If Phase 1 fails, the devices cannot begin Phase 2.

Phase 2
The purpose of Phase 2 negotiations is for the two VPN gateways to agree on a set of parameters that define what traffic can go through the VPN tunnel, and how to encrypt and authenticate the traffic. This agreement is called a Security Association.

IKEv2 is supported in Fireware v11.11.2 and higher for manual BOVPNs and BOVPN virtual interfaces. It is not supported for managed BOVPNs.

Both VPN gateway devices must use the same Phase 1 and Phase 2 settings to negotiate a VPN tunnel.


IKEv1 and IKEv2

Fireware v11.11.2 and higher supports two versions of the Internet Key Exchange protocol, IKEv1 and IKEv2. The IKE version you select determines the available Phase 1 settings and the negotiation procedure.

- IKEv1 is defined in RFC 2409
- IKEv2 is defined in RFC 7296

IKEv2 is different from IKEv1 in several ways:

- IKEv2 has a simpler Phase 1 message exchange
  - IKEv2 requires only four messages to establish a tunnel
  - IKEv1 requires six to nine messages to establish a tunnel, depending on the exchange mode (Main or Aggressive)
- IKEv2 is more reliable than IKEv1:
  - Better negotiation when a settings mismatch occurs
  - Cryptographic enhancements
  - Payload enhancements
- IKEv2 interoperates with third-party gateways that use IKEv2

For IKEv1 and IKEv2, the gateway general settings for credential method and gateway endpoints are the same. There are some differences in the configurable Phase 1 settings:

Phase 1 Setting | IKEv1 | IKEv2
Modes | Main or Aggressive | Only one mode
NAT Traversal | Can be enabled or disabled | Always enabled
IKE Keep-alive | Supported | Not supported
Dead Peer Detection (DPD) | Can be enabled or disabled; always traffic-based | Always enabled; can be traffic-based or timer-based (as described in RFC 3706)
Shared Settings | None | Some settings are shared by all gateways that have a peer with a dynamic IP address (see below)

The two DPD methods work as follows:

- Traffic-Based — the Firebox sends a DPD message only if no traffic is received from the remote gateway for a specified length of time and a packet is waiting to be sent to the remote gateway.
- Timer-Based — the Firebox sends a DPD message at a specified interval, regardless of any other traffic received from the remote gateway.

Some IKEv2 settings are shared for all BOVPN gateways that have a peer with a dynamic IP address. Shared settings include:

- NAT Traversal Keep-alive interval
- Phase 1 transforms


What Happens During Phase 1 Negotiations

In Phase 1 negotiations, the two VPN gateway devices exchange credentials. The devices identify each other and negotiate to find a common set of Phase 1 settings to use. When Phase 1 negotiations are completed, the two devices have a Phase 1 Security Association (SA). This SA is valid for a specified amount of time. If the two VPN gateways do not complete Phase 2 negotiations before the Phase 1 SA expires, then they must complete Phase 1 negotiations again.

The Phase 1 negotiation process depends on which version of IKE the gateway endpoints use. Phase 1 negotiations include these steps:

1. The devices exchange credentials. The credentials can be a certificate or a pre-shared key. Both gateway endpoints must use the same credential method, and the credentials must match.
2. The devices identify each other. Each device provides a Phase 1 identifier, which can be an IP address, domain name, domain information, or an X500 name. The VPN configuration on each device specifies the Phase 1 identifier of the local and the remote device, and the configurations must match.
3. The devices agree on the IKE version to use. Each device can use IKEv1 or IKEv2. The IKE version for both devices must match.
4. For IKEv1, the VPN gateways decide whether to use Main Mode or Aggressive Mode for Phase 1 negotiations. The VPN gateway that starts the IKE negotiations sends either a Main Mode proposal or an Aggressive Mode proposal. The other VPN gateway can reject the proposal if it is not configured to use that mode.
   - Main Mode ensures the identity of both VPN gateways, but can be used only if both devices have a static IP address.
   - Aggressive Mode is faster but less secure than Main Mode, because it uses fewer exchanges between the two VPN gateways. In Aggressive Mode, the exchange relies mainly on the ID types used by both VPN gateways, and the identities are sent before the channel is encrypted. Aggressive Mode does not ensure the identity of the VPN gateway.
5. The VPN gateways agree on Phase 1 parameters:
   - Whether to use NAT traversal
   - Whether to use IKE keep-alive (between Fireboxes only)
   - Whether to use Dead Peer Detection (RFC 3706)
   For IKEv2, NAT Traversal and DPD are always enabled, and IKE keep-alive is not supported.
6. The VPN gateways agree on Phase 1 Transform settings. The settings in the Phase 1 transform on each IPSec device must exactly match, or IKE negotiations fail. The items you can set in the Phase 1 transform are:
   - Authentication — The type of authentication (SHA-2, SHA-1, or MD5).
   - Encryption — The type of encryption algorithm (DES, 3DES, or AES) and key length.
   - SA Life — The amount of time until the Phase 1 Security Association expires.
   - Key Group — The Diffie-Hellman key group.


What Happens During Phase 2 Negotiations

After the two IPSec VPN gateways successfully complete Phase 1 negotiations, Phase 2 negotiations begin. The purpose of Phase 2 negotiations is to establish the Phase 2 SA (sometimes called the IPSec SA). The IPSec SA is a set of traffic specifications that tell the device what traffic to send over the VPN, and how to encrypt and authenticate that traffic. Phase 2 negotiations include these steps:

1. The VPN gateways use the Phase 1 SA to secure Phase 2 negotiations.
2. The VPN gateways exchange Phase 2 identifiers (IDs). You can specify the Phase 2 IDs for the local and remote VPN gateway as a host IP address, a network IP address, or an IP address range. Phase 2 IDs are always sent as a pair in a Phase 2 proposal: one indicates which IP addresses behind the local device can send traffic over the VPN, and the other indicates which IP addresses behind the remote device can send traffic over the VPN. This pair is also known as a tunnel route.
3. The VPN gateways agree on whether to use Perfect Forward Secrecy (PFS). VPN encryption keys are changed at regular intervals. With PFS, each new set of Phase 2 keys comes from a fresh Diffie-Hellman exchange instead of being derived from the Phase 1 key material, so an attacker who recovers one key cannot use it to find newer keys. We recommend that you use PFS to keep your data secure. If you want to use PFS, it must be enabled on both VPN gateways, and both gateways must use the same Diffie-Hellman key group.
4. The VPN gateways agree on a Phase 2 proposal. The Phase 2 proposal includes the algorithm to use to authenticate data, the algorithm to use to encrypt data, and how often to make new Phase 2 encryption keys. The items you can set in a Phase 2 proposal include:
   - Type — For a manual BOVPN, you can select the type of protocol to use: Authentication Header (AH) or Encapsulating Security Payload (ESP). ESP encrypts the data, while AH protects against spoofing. We recommend that you use ESP, because you can protect against spoofing in other ways. Managed BOVPN and Mobile VPN with IPSec always use ESP.
   - Authentication — Authentication makes sure that the information received is exactly the same as the information sent. You can use SHA-2, SHA-1, or MD5 as the algorithm the VPN gateways use to authenticate the data packets they exchange. SHA-2 is the most secure; MD5 is the least secure.
   - Encryption — Encryption keeps the data confidential. You can select DES, 3DES, or AES. AES is the most secure.
   - Force Key Expiration — To make sure Phase 2 encryption keys change periodically, always enable key expiration. The longer a Phase 2 encryption key is in use, the more data an attacker can collect to use to mount an attack on the key.
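The Diffie-Hellman key exchange described in the algorithms section, and the reason PFS in step 3 above matters, are easiest to see with numbers. The Python example below is added here and is not Fireware code or part of the guide. It runs a Diffie-Hellman exchange between two gateways, shows that both arrive at the same key although only the public values crossed the wire, and then contrasts Phase 2 keys derived from a single Phase 1 secret (no PFS) with keys from fresh exchanges (PFS). The group parameters (p = 2^127 - 1, g = 3) are a toy chosen for readability, not one of the IKE groups the Firebox uses, and the SHA-256 key derivation stands in for the IKE PRF; both are assumptions made for the illustration.

```python
"""Diffie-Hellman key agreement and what PFS buys you.

Added example, not Fireware code. The group is a toy (assumption): p is the Mersenne
prime 2^127 - 1 and g = 3. Real DH groups 1/2/5/14/15 are the MODP groups of
RFC 2409 and RFC 3526; groups 19/20 are the ECP groups of RFC 5903.
"""
from __future__ import annotations

import hashlib
import secrets

P = 2**127 - 1
G = 3


def new_private() -> int:
    """Fresh random exponent in [1, P-2]; each gateway keeps this to itself."""
    return secrets.randbelow(P - 2) + 1


def public_value(private: int) -> int:
    """g^x mod p is the only value a gateway sends on the wire."""
    return pow(G, private, P)


def shared_secret(private: int, peer_public: int) -> int:
    """(g^y)^x == (g^x)^y mod p, so both gateways compute the same number
    although neither ever transmitted it."""
    return pow(peer_public, private, P)


def derive_key(secret: int, context: bytes) -> bytes:
    """Illustrative KDF (assumption): hash the shared secret with a context label.
    IKE instead runs the negotiated PRF over the shared secret and both peers' nonces."""
    return hashlib.sha256(context + secret.to_bytes(16, "big")).digest()


def exchange(x: int | None = None, y: int | None = None) -> dict:
    """One DH exchange between gateway A (exponent x) and gateway B (exponent y).
    Pass fixed exponents for a reproducible run; omit them for fresh random ones."""
    x = new_private() if x is None else x
    y = new_private() if y is None else y
    gx, gy = public_value(x), public_value(y)            # what an eavesdropper sees
    key_a = derive_key(shared_secret(x, gy), b"phase1")  # A: its own x with B's g^y
    key_b = derive_key(shared_secret(y, gx), b"phase1")  # B: its own y with A's g^x
    return {"wire": (gx, gy), "key_a": key_a, "key_b": key_b}


def phase2_keys_without_pfs(phase1_secret: int, count: int) -> list[bytes]:
    """Without PFS, every Phase 2 key is derived from the same Phase 1 secret.
    Anyone who recovers that one secret can recompute all of these keys."""
    return [derive_key(phase1_secret, b"phase2-%d" % i) for i in range(count)]


def phase2_keys_with_pfs(count: int) -> list[bytes]:
    """With PFS, each Phase 2 SA runs its own exchange with fresh exponents, so the
    keys are independent of each other and of the Phase 1 secret."""
    return [exchange()["key_a"] for _ in range(count)]


if __name__ == "__main__":
    run = exchange()
    print("both gateways hold the same key:", run["key_a"] == run["key_b"])
    print("public values seen on the wire:", run["wire"])
    print("3 rekeys without PFS, from one secret:", phase2_keys_without_pfs(42, 3))
    print("3 rekeys with PFS, independent:", phase2_keys_with_pfs(3))
```

The two Phase 2 helpers make the PFS trade-off concrete: without PFS the keys are reproducible from the Phase 1 secret alone (run the function twice with the same secret and you get the same list), which is what a recovered Phase 1 secret would give an attacker; with PFS every rekey costs another exponentiation, which is the extra CPU the guide alludes to for higher DH groups.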


Policies and VPN Traffic

Fireware allows traffic to and from your network only if the configuration file includes a policy to allow the traffic. In this section we examine four methods you can use to add policies that allow traffic over your Branch Office VPNs.

Automatically Add Policies That Allow All Traffic

When you add a BOVPN tunnel, Policy Manager automatically adds two Any policies to your configuration to allow all traffic through the VPN. If you do not want the tunnel to use these policies, clear the Add this tunnel to the BOVPN-Allow policies check box in the branch office tunnel configuration. Allowing all traffic is convenient while you test a new tunnel, but for a production tunnel prefer one of the more specific methods below, so that the remote network can reach only the hosts and ports it needs.

Use the BOVPN Policy Wizard

Use the BOVPN Policy Wizard to add custom policies that allow traffic through the VPN over specific ports and protocols. This adds new aliases which identify the names of the BOVPN or BOVPNs you selected in the wizard. To start the wizard, select VPN > Create VPN Policy. The BOVPN policy wizard adds two policies of the type you select. For example, if you select HTTP in the BOVPN policy wizard, it creates two policies, one for inbound HTTP traffic through the tunnel, and one for outbound HTTP traffic through the tunnel.

Manually Add Policies

You can add your own policies to allow traffic from the remote VPN gateway:

- From — Specific addresses on the other side of the VPN, or a BOVPN virtual interface name
- To — Specific addresses behind your Firebox

You can also add your own policies to allow traffic to the remote VPN gateway:

- From — Specific addresses behind your Firebox
- To — Specific addresses on the other side of the VPN, or a BOVPN virtual interface name

Use a Tunnel Alias in Policies

To use a tunnel name in a policy, choose the tunnel name, or choose an alias created by the BOVPN Policy Wizard.


Global VPN Settings

Global VPN settings apply to IPSec VPN tunnels, including BOVPN tunnels and Mobile VPN with IPSec tunnels. To edit the global VPN settings, select VPN > VPN Settings.

By default, only the Enable built-in IPSec policy setting is enabled. This option enables a hidden policy that allows IPSec traffic from Any-External to Firebox. This hidden policy enables the Firebox to function as an IPSec VPN gateway, and has a higher precedence than any manually created IPSec policy. For information about when to change these settings, see the WatchGuard System Manager Help. For a basic branch office VPN configuration, you do not need to change these settings.


VPN Monitoring and Troubleshooting

After you configure a VPN between two devices, how do you know that the tunnel is working? And if it is not working, how do you determine what is wrong? A Firebox does not negotiate a VPN tunnel until there is traffic that needs to use it. To test a new VPN tunnel, you must try to send data to an IP address on the remote network. The VPN tunnel is not created until you attempt to send data. The source and destination for the data you send must be allowed by the tunnel route configured for that VPN. For example, when you ping a device on the remote network, the ping fails if the tunnel is down, if the source or destination IP address is not allowed by the tunnel route in the VPN configuration, or if the remote device is offline.

Monitor VPN Tunnel Status

After you send traffic through the tunnel, check the status of configured BOVPN tunnels in Firebox System Manager. On the Front Panel tab, expand the Branch Office VPN Tunnels entry for the device to see information about the configured BOVPN gateways and tunnels.

- Expand a gateway or VPN interface to see statistics and other status information.
- Expand a tunnel to see statistics and information for that tunnel.


Troubleshoot a VPN

Common causes of branch office VPN failure include:

- Lack of connectivity between the external interfaces of both devices
- Pre-shared key does not match
- Mismatch in Phase 1 or Phase 2 settings
- For a manual BOVPN: incorrect IP addresses or subnet masks in the tunnel routes on either device
  o The local IP address must match the IP address of a local host or network
  o The remote IP address must be the IP address of a host or private network on the remote VPN gateway
  o The tunnel routes on the two devices should look reversed, when viewed side-by-side

If a branch office VPN tunnel cannot be established, a VPN diagnostic error appears below the gateway.

VPN diagnostic messages can indicate a problem with the VPN tunnel or gateway configuration. VPN diagnostic messages for a tunnel include the tunnel name, and indicate a problem with tunnel route or Phase 2 settings. VPN diagnostic messages related to a VPN gateway refer to the gateway endpoint by number. For example, if a gateway has two gateway endpoint pairs, VPN diagnostic messages refer to the first gateway endpoint as Endpoint 1, and the second as Endpoint 2. VPN diagnostic messages can be errors or warnings.

- Errors — indicate the VPN failed because of a configuration or connection issue.
- Warnings — indicate that a VPN is down because of an abnormal condition, such as dead peer detection (DPD) failure.

In any VPN negotiation, one gateway endpoint is the initiator, and the other is the responder. The initiator sends proposed gateway and tunnel settings, and the responder accepts or rejects those, based on comparison with locally configured settings. When you troubleshoot IKEv1 VPN negotiations, it is most useful to look at the VPN diagnostic messages and VPN Diagnostic Report on the responder, because the responder has information about the settings on both devices. For example, if a VPN between two devices is configured with mismatched settings in the Phase 2 proposal, the VPN diagnostic messages that appear in Firebox System Manager on the two devices are very different:


VPN diagnostic message on the initiator:

Received 'No Proposal Chosen' message. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.

VPN diagnostic message on the responder:

Received ESP encryption 3DES, expecting AES

The VPN diagnostic messages on the responder often contain more useful information for VPN troubleshooting. When a VPN setting does not match, the responder does not tell the initiator what setting is expected. This is to make sure that a remote device cannot learn about your VPN configuration by trial and error. The VPN diagnostic messages that show which setting does not match only appear for the device that received and rejected the proposal. To initiate or restart tunnel negotiations from one endpoint, you can rekey the tunnel. You can then look at the error message on the other gateway endpoint to see why the tunnel negotiation failed.

To troubleshoot a new branch office VPN:

1. Compare the VPN settings on both devices to make sure they match.
2. Look for VPN diagnostic log messages.
3. Run the VPN Diagnostic Report in Firebox System Manager, as described in the next section.
4. Review the log messages for each device during tunnel negotiation. You may see more useful log messages for troubleshooting on the device that receives the IKE negotiation because the receiving device is the one that authorizes the completion of IKE negotiation. The initiating device must prove that it has valid credentials before the receiving device allows the VPN tunnel to be built.

To use ping to verify basic connectivity to the external interface of the remote device, make sure the remote device is configured to respond to pings. To enable a Firebox to respond to a ping to the external interface, you must edit the Ping policy to allow pings from the External interface.


VPN Diagnostic Report

Firebox System Manager includes a VPN Diagnostic Report you can use for VPN troubleshooting. When you run the VPN Diagnostic Report, Firebox System Manager temporarily increases the diagnostic log level for VPN IKE messages so any useful log messages can be captured in the report.

Because the VPN Diagnostic Report temporarily increases the log level, you do not need to change the log level yourself before you run the report.

To run the VPN Diagnostic report:

1. In Firebox System Manager, select the Front Panel tab and right-click the gateway name.
2. Select VPN Diagnostic Report. The Diagnostic Tasks dialog box > VPN tab appears. The report runs automatically, for 20 seconds.

The report shows the gateway and tunnel configuration, and information about the status of any active tunnels for the selected gateway. The VPN Diagnostic Report has seven sections. The top section summarizes the report.

- [Conclusion] — This section summarizes what was observed and lists any VPN diagnostic errors. It might also include suggestions of next steps to take to troubleshoot the VPN.

The next two sections show the configured settings for the selected gateway and all tunnels that use it.

- Gateway Summary — Shows a summary of the gateway configuration, including the configuration of each configured gateway endpoint
- Tunnel Summary — Shows a summary of the tunnel configuration for all tunnels that use the selected gateway

The last seven sections show run-time information based on the log message data collected when the report was run.

- Run-time Info (bvpn routes) — For a BOVPN virtual interface, shows the static and dynamic routes that use the selected BOVPN virtual interface, and the metric for each route.
- Run-time Info (gateway IKE_SA) — Shows the status of the IKE (Phase 1) security association for the selected gateway
- Run-time Info (tunnel IPSEC_SA) — Shows the status of the IPSec tunnel (Phase 2) security association for active tunnels that use the selected gateway
- Run-time Info (tunnel IPSec_SP) — Shows the status of the IPSec tunnel (Phase 2) security policy for active tunnels that use the selected gateway
- Related Logs — Shows tunnel negotiation log messages, if a tunnel negotiation occurs during the time period that you run the diagnostic report
- [Address Pairs in Firewalld] — This section shows the address pairs and the traffic direction (IN, OUT, or BOTH).
- [Policy checker result] — This section shows policy checker results for policies that manage traffic for each tunnel route.

The VPN Diagnostic Report can help you see the status of tunnel negotiations, and help you determine what caused the tunnel negotiations to fail. It is especially helpful if you have many BOVPN gateways, because it enables you to focus on just the one you want to troubleshoot.


Filter Log Messages by Gateway IP Address

You can also look at the log messages directly in Traffic Monitor. You might need to increase the diagnostic log level for VPN Internet Key Exchange (IKE) traffic to see enough detailed log information for BOVPN troubleshooting. If you have several VPN gateways, you can filter the log messages by the gateway IP address to see only the log messages for a specific gateway.

Each log message related to a branch office VPN tunnel has a header that shows the IP addresses of the local and remote gateway. The format of the header is:

(local_gateway_ip remote_gateway_ip)

Where:
- local_gateway_ip is the IP address of the local gateway
- remote_gateway_ip is the IP address of the remote gateway

If your device sends log messages to a Dimension Server or a WSM Log Server, you can also filter log messages by gateway IP address in Dimension or WatchGuard WebCenter.


IKE Log Messages

If your VPN tunnel is not working, you can look at IKE log messages for more information about what is happening during tunnel negotiations. You can see IKE log messages in the VPN Diagnostic Report, or in Traffic Monitor. To see more detailed IKE log messages in Traffic Monitor, you must increase the diagnostic log level for IKE log messages to Information.

If you increase the IKE diagnostic log level for VPN troubleshooting, don’t forget to reset it to a lower level after you have finished.

To change the IKE diagnostic log level: 1. Select Setup > Logging. 2. Click Diagnostic Log Level. 3. Set the VPN > IKE log level to Information.

4. Save the configuration to the device.

After you set the log level, when you try to send traffic through a VPN tunnel you can see more detailed iked log messages in the Firebox System Manager Traffic Monitor tab. iked is the Fireware daemon that handles Internet key exchange. As mentioned earlier in relation to VPN diagnostic messages, log messages on the responder often contain more useful information for VPN troubleshooting. When a VPN setting does not match, the responder does not tell the initiating VPN gateway what setting is expected. The log messages that show which setting does not match only appear in the log file for the device that received and rejected the proposal.


While detailed VPN troubleshooting is beyond the scope of this module, here are a few of the more common log messages that can help you identify specific types of VPN problems.

Retry Timeout

Indicates that the IP address of the remote gateway was not reachable. This could be caused by network connectivity problems, or if UDP 500 is not open. Example log message:

2014-07-23 13:14:13 iked (203.0.113.20203.0.113.10)Drop negotiation to peer 203.0.113.10:500 due to phase 1 retry timeout

Mismatched ID settings

Indicates a problem with the ID specified in the gateway endpoint settings. Example log message:

2014-07-23 13:22:17 iked (203.0.113.20203.0.113.10)WARNING: Mismatched ID settings at peer 203.0.113.10:500 caused an authentication failure

No Proposal Chosen

Indicates a problem with mismatched settings in the Phase 1 or Phase 2 proposal. The receiving device rejects the proposal because a setting received from the remote device did not match what was expected based on the local VPN configuration.

Example log message on initiating device:

2014-07-23 11:49:34 iked (203.0.113.20203.0.113.10)Received No Proposal Chosen message from 203.0.113.10:500 for To_Device_A gateway

Example log message on receiving device:

2014-07-23 11:47:39 iked (203.0.113.10203.0.113.20)Sending NO_PROPOSAL_CHOSEN message to 203.0.113.20:500

On the receiving device, log messages near the NO PROPOSAL CHOSEN log message can indicate why the proposal was rejected. The log messages show which setting did not match.

Example for mismatched Phase 1 proposal on receiving device:

2014-07-23 12:29:15 iked (203.0.113.10203.0.113.20)Peer proposes phase one encryption 3DES, expecting AES

Example for mismatched Phase 2 proposal on receiving device:

2014-07-23 13:11:04 iked (203.0.113.10203.0.113.20)Peer proposes phase 2 ESP authentication MD5-HMAC, expecting SHA1-HMAC
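As an added example that is not part of the WatchGuard guide, the Python script below parses iked log lines like the ones above, classifies each into the problem types this section describes (retry timeout, mismatched ID, No Proposal Chosen on the initiator versus the responder, and the responder's "Peer proposes ..., expecting ..." detail), and filters them by gateway IP address as described in Filter Log Messages by Gateway IP Address. The sample lines are reconstructed from the guide's examples; the "<->" separator in the gateway header, the hint texts, the second gateway at 203.0.113.30 and the non-iked line are assumptions made for the example.

```python
"""Classify Fireware iked (IKE daemon) log messages for BOVPN troubleshooting."""
import re
from dataclasses import dataclass
from typing import List, Optional, Pattern, Tuple

# Every BOVPN-related log message carries a "(local_gateway_ip<->remote_gateway_ip)"
# header. The "<->" separator is an assumption; the guide text shows only the two addresses.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) iked "
    r"\((?P<local>\d{1,3}(?:\.\d{1,3}){3})<->(?P<remote>\d{1,3}(?:\.\d{1,3}){3})\)\s*"
    r"(?P<msg>.*)$"
)
# "Peer proposes <setting> <value>, expecting <value>" appears only on the responder,
# the device that received and rejected the proposal.
MISMATCH_RE = re.compile(
    r"Peer proposes (?P<setting>.+?) (?P<proposed>\S+), expecting (?P<expected>\S+)"
)

# (kind, pattern, troubleshooting hint). The first matching pattern wins.
CLASSIFIERS: List[Tuple[str, Pattern[str], str]] = [
    ("retry_timeout", re.compile(r"retry timeout", re.I),
     "Remote gateway not reachable: check external connectivity and that UDP 500 is open."),
    ("mismatched_id", re.compile(r"Mismatched ID settings", re.I),
     "Compare the gateway ID in the gateway endpoint settings on both devices."),
    ("no_proposal_chosen_received", re.compile(r"Received .?No Proposal Chosen", re.I),
     "This device is the initiator; the responder's log shows which setting did not match."),
    ("no_proposal_chosen_sent", re.compile(r"Sending NO_PROPOSAL_\s?CHOSEN", re.I),
     "This device is the responder; read the nearby 'Peer proposes ..., expecting ...' lines."),
    ("proposal_mismatch", MISMATCH_RE,
     "Change the Phase 1 or Phase 2 setting so both devices propose the expected value."),
]


@dataclass
class IkedEvent:
    timestamp: str
    local_gw: str
    remote_gw: str
    message: str
    kind: str
    hint: str


def parse_iked_line(line: str) -> Optional[IkedEvent]:
    """Parse one log line; return None for lines that are not iked messages."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    kind, hint = "other", ""
    for name, pattern, text in CLASSIFIERS:
        if pattern.search(msg):
            kind, hint = name, text
            break
    return IkedEvent(m.group("ts"), m.group("local"), m.group("remote"), msg, kind, hint)


def parse_log(text: str) -> List[IkedEvent]:
    """Parse a block of Traffic Monitor output, skipping non-iked lines."""
    return [e for e in (parse_iked_line(l) for l in text.splitlines()) if e is not None]


def filter_by_gateway(events: List[IkedEvent], gateway_ip: str) -> List[IkedEvent]:
    """Keep messages whose header names gateway_ip as the local or remote gateway."""
    return [e for e in events if gateway_ip in (e.local_gw, e.remote_gw)]


def proposal_mismatches(events: List[IkedEvent]) -> List[Tuple[str, str, str]]:
    """(setting, value proposed by the peer, value expected locally) per rejected proposal."""
    found = []
    for e in events:
        m = MISMATCH_RE.search(e.message)
        if m:
            found.append((m.group("setting"), m.group("proposed"), m.group("expected")))
    return found


# Constructed sample: the guide's six example messages plus one line for a second
# (assumed) gateway at 203.0.113.30 and one non-iked line, to exercise filtering.
SAMPLE_LOG = """\
2014-07-23 11:47:39 iked (203.0.113.10<->203.0.113.20) Sending NO_PROPOSAL_CHOSEN message to 203.0.113.20:500
2014-07-23 11:49:34 iked (203.0.113.20<->203.0.113.10) Received No Proposal Chosen message from 203.0.113.10:500 for To_Device_A gateway
2014-07-23 12:29:15 iked (203.0.113.10<->203.0.113.20) Peer proposes phase one encryption 3DES, expecting AES
2014-07-23 13:11:04 iked (203.0.113.10<->203.0.113.20) Peer proposes phase 2 ESP authentication MD5-HMAC, expecting SHA1-HMAC
2014-07-23 13:14:13 iked (203.0.113.20<->203.0.113.10) Drop negotiation to peer 203.0.113.10:500 due to phase 1 retry timeout
2014-07-23 13:22:17 iked (203.0.113.20<->203.0.113.10) WARNING: Mismatched ID settings at peer 203.0.113.10:500 caused an authentication failure
2014-07-23 13:30:02 iked (203.0.113.20<->203.0.113.30) Drop negotiation to peer 203.0.113.30:500 due to phase 1 retry timeout
2014-07-23 13:30:05 firewall Allow 1-Trusted 0-External 10.0.20.2 203.0.113.30 (constructed non-iked line)
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in filter_by_gateway(events, "203.0.113.10"):
        print(f"{e.timestamp} {e.local_gw}->{e.remote_gw} [{e.kind}] {e.message}")
        if e.hint:
            print(f"    hint: {e.hint}")
    for setting, proposed, expected in proposal_mismatches(events):
        print(f"mismatch: {setting}: peer proposed {proposed}, local config expects {expected}")
```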


Requirements for VPN Exercises

This section describes the training environment and includes a list of the equipment and software necessary to complete the exercises, along with initial basic configuration information.

Training Environment

The exercises in this module assume this network configuration:

For instructor-led training, the training environment must include the network equipment described in the Course Introduction module. If you use these materials for self-study, connect your device directly to the Internet.


Necessary Equipment And Software

The VPN exercises require two students to work together to configure a VPN between two Fireboxes. To complete the exercises, each student must have this equipment and software:

- Management computer with WatchGuard System Manager v11.9 or higher installed.
- Firebox with Fireware OS v11.10 or higher installed.
- Two Ethernet cables:
  o One Ethernet cable to connect a computer directly to a student Firebox interface
  o One Ethernet cable to connect the student Firebox to a switch or router

Management Computer Configuration

Before you begin the exercises, make sure your management computer is configured correctly.

- Connect the management computer directly to the trusted interface (Eth1) on the student Firebox.
- Make sure your management computer has an IP address in the same subnet as the trusted interface, with the correct subnet mask. Use the trusted interface IP address as the default gateway of the computer.

Network Topology

This diagram shows the two student devices and their external interfaces connected to the Internet.

For instructor-led training, the training environment simulates the Internet connection for each student Firebox.


To complete these exercises you work with a partner. In these exercises, we assume each device is configured by a different student. Each student configures a Firebox with one external interface. Student A configures Firebox A. Student B configures Firebox B. The student numbers in the IP addresses are represented as A and B. In the network configuration required for these exercises, use the student numbers your instructor gives you.

- Replace the A in the IP address with the number of the student who manages Device A.
- Replace the B in the IP address with the number of the student who manages Device B.

Network Configuration

Make sure the interfaces on the two devices are configured with these settings:

Interface                Device A                              Device B
Interface 0 (External)   IP address: 203.0.113.A/24            IP address: 203.0.113.B/24
                         Default Gateway: 203.0.113.1          Default Gateway: 203.0.113.1
Interface 1 (Trusted)    IP address: 10.0.A.1/24               IP address: 10.0.B.1/24
                         DHCP enabled                          DHCP enabled
                         DHCP pool: 10.0.A.2 - 10.0.A.254      DHCP pool: 10.0.B.2 - 10.0.B.254

These are the same network settings you configured in the Network Settings module.


Exercise 1 — Configure a BOVPN Gateway and Tunnel

In this exercise you use Policy Manager to configure a manual BOVPN between the trusted networks on both devices.

Before You Begin

- Configure the network interfaces on both devices as described in the previous section.
- Make sure all cables are connected as shown in the diagram in the previous section.

Configure Device A

Add a Branch Office Gateway to the Site A Device Configuration

1. In Policy Manager, select VPN > Branch Office Gateways.
2. Click Add. The New Gateway dialog box appears.
3. In the Gateway Name text box, type a name to identify this gateway in your configuration. For this exercise, type To_Device_B.
4. In the Credential Method section, select Use Pre-Shared Key.
5. In the Use Pre-Shared Key text box, type shh-secret!, or another key that you and your partner agree on.


6. Click Add to add a new gateway endpoints pair. The New Gateway Endpoints Settings dialog box appears.

7. In the Local Gateway section, in the IP Address text box, type or select 203.0.113.A, the external interface IP address.
8. The External Interface drop-down list has only one item because this device has only one external interface. If your device has multiple external interfaces, you must select the external interface to use for this gateway.
9. In the Remote Gateway section, select Static IP address.
10. In the IP Address text box, type or select the IP address of Device B’s external interface, 203.0.113.B.
11. In the Remote Gateway section, select By IP Address.
12. In the IP Address text box, type or select 203.0.113.B.


13. Click OK. The new gateway endpoints pair appears in the Gateway Endpoints list.

14. Select the Phase 1 Settings tab to see the settings for Phase 1 negotiations. For a new BOVPN gateway between two Fireboxes, we recommend you use the default IKEv1 or IKEv2 Phase 1 settings on both devices. If you change a gateway setting, your partner must make the same change to the gateway configuration on the other device.

A new BOVPN uses IKEv1 by default, and the mode is set to Main Mode. You can use Main Mode for this exercise because both VPN gateways have static IP addresses. If one of the devices had a dynamic external IP address, you would use Aggressive Mode in the IKEv1 settings.


15. Select the Phase1 Transform, and click Edit to see the authentication and encryption settings. For this exercise, do not change the Phase 1 settings. If you do change these settings, make sure your partner makes the same change on the other device.

16. Click OK twice, and then click Close to exit the Gateway configuration.


Add a Branch Office Tunnel to the Device A Configuration

1. Select VPN > Branch Office Tunnels. The Branch Office IPSec Tunnels dialog box appears.

2. Click Add. The New Tunnel dialog box appears.

3. In the Tunnel Name text box, type a friendly name for the tunnel. Do not give your tunnel the same name as the branch office gateway. For this exercise, type Tunnel_to_Device_B.
4. Click Add and add a new tunnel route. The Tunnel Route Settings dialog box appears.

5. In the Local text box, type the network address of the trusted interface on your device in slash notation. Type 10.0.A.0/24.
6. In the Remote text box, type the trusted network address at the remote device in slash notation. Type 10.0.B.0/24.
7. Click OK. The new tunnel route appears in the New Tunnel dialog box in the Addresses list.

You can add more than one tunnel route to the tunnel configuration. For example, if Device B had a second trusted network, you could add another tunnel route from your trusted network (Local) to the network IP address of the second trusted network at Device B (Remote). Device B would also need to add the same route, reversing the local and remote IP addresses.


8. Make sure the Add this tunnel to the BOVPN-Allow policies check box is selected. When the Add this tunnel to the BOVPN-Allow policies check box is selected, Policy Manager automatically adds the BOVPN-Allow.out and BOVPN-Allow.in policies that allow all traffic to flow between the two trusted networks. If you do not select this check box, you must add policies to allow specific traffic through the tunnel in both directions. You can use the BOVPN Policy Wizard, create your own policies, or use policy-based routing to allow traffic through the tunnel.
9. Select the Phase 2 Settings tab to examine the settings used for Phase 2 negotiations. For a tunnel between two Fireboxes, we recommend you use the default Phase 2 settings. If you decide to change a setting here, make sure your partner changes the same setting on the other device.

10. Click OK. The new tunnel appears in the Branch Office IPSec Tunnels dialog box.

11. Click Close. The new BOVPN-Allow.out and BOVPN-Allow.in policies appear in Policy Manager. The BOVPN configuration for Device A is complete.

12. Save the configuration to your device.


Configure Device B

Add a Branch Office Gateway to the Device B Configuration

1. Select VPN > Branch Office Gateways.
2. Click Add. The New Gateway dialog box appears.

3. In the Gateway Name text box, type a name to identify this gateway in your configuration. For this exercise, type To_Device_A.
4. In the Credential Method section, select Use Pre-Shared Key.
5. In the Use Pre-Shared Key text box, type shh-secret!, or another key that you and your partner agree on.
6. To add a new gateway endpoints pair, click Add. The New Gateway Endpoints Settings dialog box appears.


7. In the Local Gateway section, in the IP Address text box, type or select 203.0.113.B, the external interface IP address. The External Interface drop-down list has only one item because this device has only one external interface. If the device has multiple external interfaces, you must select the external interface to use for this gateway.
8. In the Remote Gateway section, select Static IP address.
9. In the IP Address text box, type or select the IP address of Device A’s external interface, 203.0.113.A.
10. In the Remote Gateway section, select By IP Address.
11. In the IP Address text box, type or select 203.0.113.A.
12. Click OK. The new gateway endpoints pair appears in the Gateway Endpoints list.

13. To review the settings for Phase 1 negotiations, select the Phase1 Settings tab. Do not change the settings for this exercise. 14. Click OK, and then Close to exit the gateway configuration.


Add a Branch Office Tunnel to the Device B Configuration

1. Select VPN > Branch Office Tunnels. The Branch Office IPSec Tunnels dialog box appears.

2. Click Add. The New Tunnel dialog box appears.

Do not give your tunnel the same name as the branch office gateway.

3. In the Tunnel Name text box, type a friendly name for the tunnel. For this exercise, type Tunnel_to_Device_A.
4. Click Add and add a new tunnel route. The Tunnel Route Settings dialog box appears.

5. In the Local text box, type the network address of the trusted interface on your device in slash notation. Type 10.0.B.0/24.
6. In the Remote text box, type the trusted network address at the remote device in slash notation. Type 10.0.A.0/24.

You can add more than one tunnel route to the tunnel configuration. For example, if Site B had a second trusted network, you could add another tunnel route from your second trusted network (Local) to the network IP address of the trusted network at Site A (Remote). Site A would also need to add the same route, reversing the Local and Remote IP addresses.

7. Click OK. The new tunnel route appears in the New Tunnel dialog box in the Addresses list.


8. Make sure the Add this tunnel to the BOVPN-Allow policies check box is selected. When this check box is selected, Policy Manager automatically adds the BOVPN-Allow.out and BOVPN-Allow.in policies that allow all traffic to flow between the two trusted networks.
9. To review the settings for Phase 2 negotiations, select the Phase 2 Settings tab. For a tunnel between two Fireboxes, we recommend you use the default Phase 2 settings. If you decide to change a setting here, make sure your partner configures the same setting on the remote device.
10. Click OK. The new tunnel appears in the Branch Office IPSec Tunnels dialog box.

11. Click Close. The new BOVPN-Allow.out and BOVPN-Allow.in policies appear in Policy Manager. The BOVPN configuration for Device B is complete.

12. Save the configuration to your device.

Test the Tunnel Configuration

A BOVPN tunnel is not created between two VPN gateways until there is traffic that needs to use it. This is true for all VPN tunnels, and is not unique to WatchGuard devices. When the Firebox receives traffic to a destination that matches a tunnel route, the device sends it through the tunnel or initiates the tunnel, if the tunnel is not already established. One easy way to generate traffic through the tunnel is to use the ping command. The first few pings may fail because the tunnel is not established, but subsequent pings should succeed, which indicates that traffic is flowing through the tunnel. You can use either of these ping methods to test the VPN tunnel.


Ping From One Management Computer to Another Through the Tunnel

1. Get the IP address of your partner’s management computer.
2. From your computer, start a continuous ping to that IP address. For example, if your partner’s management computer IP address is 10.0.20.2, open a Windows command prompt and type:

ping 10.0.20.2 -t

Ping From a Device Interface to the Trusted Interface on the Other Device

The source IP address you use for the ping in Tools > Diagnostic Tasks must be an IP address assigned to the local device, and must be within the tunnel route local address range.

1. Connect to your device with Firebox System Manager.
2. Select Tools > Diagnostic Tasks. The Diagnostic Tasks dialog box appears.

3. Select the Advanced Options check box. The Arguments text box appears.


You can hover the mouse over the Arguments text box to see a list of available command arguments.

4. In the Arguments text box, type -I <source IP address> <destination IP address>. For example, if Device A is configured by student 10, and Device B is configured by student 20:
   To ping from Device A to Device B, type: -I 10.0.10.1 10.0.20.1
   To ping from Device B to Device A, type: -I 10.0.20.1 10.0.10.1
5. Click Run Task.

Check Tunnel Status

After you try to send traffic through the tunnel, use Firebox System Manager to see the tunnel status.

1. Connect to your device with Firebox System Manager.
2. On the Front Panel tab, double-click the Branch Office VPN Tunnels entry to expand it. The name of the configured gateway appears.

3. Double-click the gateway to expand it. A list of active tunnels for this gateway appears.

4. Double-click the tunnel to see tunnel status and statistics.


Exercise 2 — Use VPN Diagnostics

After you configure a BOVPN, you can use VPN diagnostic messages and the VPN Diagnostic Report to help troubleshoot problems with your tunnel, or to see a summary of the gateway and tunnel settings. To see log messages about tunnel negotiation, the tunnel negotiation must occur during the short time frame the report collects log messages. While a device at the remote end of the tunnel attempts to send traffic, click Start Report, so that tunnel negotiation happens while you run the report. It could take several tries to get useful log messages when tunnel negotiation fails.

1. Connect to your device with Firebox System Manager.
2. On the Front Panel tab, right-click the gateway name.
3. Select VPN Diagnostic Report. The report runs automatically, with a duration of 20 seconds.

4. To run the report again with a longer duration, change the Duration to 60 seconds. Click Start Report.

To see VPN diagnostic messages, you can change a setting in the VPN configuration on one of the devices to intentionally create an error. When you try to establish the tunnel, you can look at and compare the VPN diagnostic messages that appear in Firebox System Manager for each endpoint.

In this part of the exercise you intentionally break the working VPN configuration. Make sure you remember what setting you changed so that you can change it back at the end of the exercise.

1. Connect to either device in Policy Manager.
2. Edit a gateway or tunnel setting so that it no longer matches the setting configured on the peer device. For example, you could make any of these changes:
   - In the Gateway settings, change the pre-shared key
   - In the Gateway Phase 1 settings, change the authentication or encryption method in the Phase 1 transform
   - In the tunnel settings, change the tunnel route to specify a different local or remote IP address
3. Save the configuration to the device.
4. Connect to both of the devices in Firebox System Manager.
5. In Firebox System Manager for one device, right-click the gateway, and select Rekey Selected BOVPN Tunnel.
6. In Firebox System Manager, compare the VPN diagnostic messages on the initiator (the device which issued the rekey), and the responder.
7. Run the VPN Diagnostic Report on each device.
8. Repeat steps 5 - 8, initiating the rekey from the other device.

At the end of this exercise: 1. Set the gateway and tunnel settings for both devices to the settings described in Exercise 1. 2. Use ping through the tunnel, or a tunnel rekey to establish the tunnel. 3. Check the tunnel status in Firebox System Manager.


Exercise 3 — Use 1-to-1 NAT Through a BOVPN Tunnel

1-to-1 NAT is a form of network address translation. When you enable 1-to-1 NAT, the Firebox changes and routes all incoming and outgoing packets sent from one range of addresses to a different range of addresses. You can use 1-to-1 NAT in a BOVPN tunnel to create a tunnel between two private networks that use the same IP addresses.

For a more complete description of 1-to-1 NAT, see the NAT module in this courseware.

Suppose two companies, Site A and Site B, use the same IP addresses for their trusted networks, 192.168.1.0/24. To create a VPN tunnel between these networks, the two network administrators can use 1-to-1 NAT in the tunnel configuration to translate these addresses to different IP addresses for traffic through the tunnel. The two administrators must first agree on a virtual IP address range to use for each site, for traffic through the VPN tunnel. For this exercise, we assume that:

- Site A will make its trusted network appear to come from the 192.168.100.0/24 range when traffic goes through the VPN. This is Site A’s virtual IP address range for this VPN.
- Site B will make its trusted network appear to come from the 192.168.200.0/24 range when traffic goes through the VPN. This is Site B’s virtual IP address range for this VPN.

Before You Begin

This exercise builds on the gateway and tunnel configuration in Branch Office VPN. If you have not already completed Branch Office VPN, you must complete that exercise first.

Configure Duplicate Local Network IP Addresses

For this exercise, you must configure both devices with a local network that uses the same IP address. This is to simulate the situation where two sites have local networks that use the same IP addresses. If you completed the exercises in the Network Settings module, interface 2 is already configured with these settings.

1. Start Policy Manager for Device A.
2. Select Network > Configuration.
3. Configure interface 2 as an Optional interface with the IP address 10.0.2.1.
4. Make sure Disable DHCP is selected. Because this network does not use DHCP, no further configuration is necessary.


5. Save the configuration to the device.
6. Repeat these steps for Device B to configure interface 2 with the same settings.

Add a Tunnel Route with 1-to-1 NAT Enabled

Because you have already configured one BOVPN gateway and tunnel between these two devices in Branch Office VPN, you can add a second tunnel route to the existing tunnel configuration to create a tunnel between the two private networks that use the same IP addresses.

Configure Device A

1. Select VPN > Branch Office Tunnels.
2. Select the tunnel you created in Branch Office VPN. Click Edit.
3. To add a new tunnel route, click Add.
4. In the Local text box, type the IP address of interface 2, 10.0.2.0/24.
5. In the Remote text box, type or select the virtual network IP address for Site B, 10.0.200.0/24.
6. Select the 1:1 NAT check box. In the adjacent text box, type or select the virtual IP address range for Site A, 192.168.100.0/24. Fireware translates the local network IP addresses to the specified IP address range for this tunnel.
7. Click OK. The tunnel route is added. You can resize the Local column to see the NAT mapping for the local network.
8. Save the configuration to the device.

Configure Device B

1. Select VPN > Branch Office Tunnels.
2. Select the tunnel you created in Branch Office VPN. Click Edit.
3. Click Add to add a new tunnel route.
4. In the Local text box, type or select the IP address of interface 2, 10.0.2.0/24.
5. In the Remote text box, type or select the virtual IP address range for Site A, 10.0.100.0/24.
6. Select the 1:1 NAT check box. In the adjacent text box, type the virtual IP address range for Site B, 10.0.200.0/24. Fireware translates the local network IP addresses to the specified IP address range for this tunnel.
7. Click OK. The tunnel route is added. You can resize the Local column to see the NAT mapping for the local network.
8. Save the configuration to the device.

Test the VPN

Just as you did in Branch Office VPN, you can use ping to send traffic through the tunnel to start the tunnel negotiation. The first few pings might fail because the tunnel is not established, but subsequent pings should succeed, which shows that traffic is flowing through the tunnel. Use Firebox System Manager to ping one device from the other. In this NAT configuration, the destination IP address you ping must be the virtual IP address of the interface on the remote device.

If this were an actual network with servers, you could ping one of the servers on the remote network.

1. Connect to your device with Firebox System Manager.
2. Select Tools > Diagnostic Tasks. The Diagnostic Tasks dialog box appears.
3. Select the Advanced Options check box. The Arguments text box appears.
4. In the Arguments text box, type -I followed by the source and destination IP addresses. For example, if Device A is configured by student 10, and Device B is configured by student 20:
   To ping from Device A to Device B, type: -I 10.0.2.1 10.0.200.1
   To ping from Device B to Device A, type: -I 10.0.2.1 10.0.100.1
5. Click Run Task.

Verify the Tunnel Status

1. Select the Front Panel tab.
2. Expand the Branch Office VPN Tunnels list and expand the Gateway list. The NAT IP addresses appear in the status of the active tunnel that uses NAT.

To see both tunnels active in FSM, you might need to send another ping through the first tunnel to make it active again.

Do not configure more than one tunnel to use 1-to-1 NAT for the same IP addresses. If you must create BOVPN tunnels to multiple sites, we recommend that you configure the private networks so that each site uses different private IP addresses.
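As an added example (not WatchGuard code and not part of the original exercise), the Python below models the tunnel routes from this exercise and applies its rules: 1-to-1 NAT keeps the host part of each address and replaces the network part, what one Firebox presents through the tunnel must be exactly what its peer typed as Remote, and no two routes may apply 1-to-1 NAT to the same local addresses. The TunnelRoute class, the function names and the sample routes are assumptions; the addresses are the ones the exercise uses.

```python
"""Consistency checks for BOVPN tunnel routes that use 1-to-1 NAT.

Added example for this guide, not WatchGuard code. It does not talk to a
Firebox; it applies the rules of the exercise to route definitions, using the
addresses from the exercise as constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class TunnelRoute:
    """One tunnel route as entered in Policy Manager: Local, Remote, 1:1 NAT."""
    local: str                    # real network behind this Firebox
    remote: str                   # peer's network as the peer presents it in the tunnel
    nat_to: Optional[str] = None  # 1:1 NAT range; None when the check box is clear

    def presented(self) -> IPv4Network:
        """Network the peer sees for our local hosts (the NAT range, if enabled)."""
        return ipaddress.ip_network(self.nat_to or self.local)


def translate(route: TunnelRoute, src_ip: str) -> str:
    """Return the address the peer sees for a local host on this route.

    1-to-1 NAT keeps the host part of the address and replaces the network
    part, so 10.0.2.1 on local 10.0.2.0/24 with NAT range 10.0.100.0/24 is
    seen by the peer as 10.0.100.1.
    """
    local = ipaddress.ip_network(route.local)
    ip = ipaddress.ip_address(src_ip)
    if ip not in local:
        raise ValueError(f"{src_ip} is not in the local network {route.local}")
    nat = route.presented()
    if nat.prefixlen != local.prefixlen:
        raise ValueError("the 1:1 NAT range must be the same size as the local network")
    host_part = int(ip) - int(local.network_address)
    return str(nat.network_address + host_part)


def check_device_routes(routes: list[TunnelRoute]) -> list[str]:
    """Check the tunnel routes configured on one Firebox.

    Rule 1: the network we present must not overlap the remote network; that
            overlap is exactly the problem 1-to-1 NAT is used to remove.
    Rule 2: do not configure more than one tunnel route that applies 1-to-1
            NAT to the same local IP addresses.
    Returns human-readable problems; an empty list means the routes are consistent.
    """
    problems: list[str] = []
    nat_locals: list[tuple[int, IPv4Network]] = []
    for idx, route in enumerate(routes):
        remote = ipaddress.ip_network(route.remote)
        if route.presented().overlaps(remote):
            problems.append(f"route {idx}: local {route.presented()} overlaps remote {remote}")
        if route.nat_to:
            local = ipaddress.ip_network(route.local)
            for other_idx, other in nat_locals:
                if other.overlaps(local):
                    problems.append(
                        f"route {idx}: 1:1 NAT already applied to {other} by route {other_idx}")
            nat_locals.append((idx, local))
    return problems


def check_peer(route_a: TunnelRoute, route_b: TunnelRoute) -> list[str]:
    """Check that the two ends of one tunnel route agree.

    What Device A presents (its NAT range) must be what Device B typed as
    Remote, and the other way round; otherwise the route never carries traffic.
    """
    problems: list[str] = []
    if route_a.presented() != ipaddress.ip_network(route_b.remote):
        problems.append(f"A presents {route_a.presented()} but B expects {route_b.remote}")
    if route_b.presented() != ipaddress.ip_network(route_a.remote):
        problems.append(f"B presents {route_b.presented()} but A expects {route_a.remote}")
    return problems


# Constructed sample routes using the addresses of the exercise. Device B's
# route and the ping test both use 10.0.100.0/24 as Site A's virtual range.
DEVICE_A = TunnelRoute(local="10.0.2.0/24", remote="10.0.200.0/24", nat_to="10.0.100.0/24")
DEVICE_B = TunnelRoute(local="10.0.2.0/24", remote="10.0.100.0/24", nat_to="10.0.200.0/24")
# The same route on Device A, but with Site A's range from the scenario
# description (192.168.100.0/24); check_peer reports that B does not expect it.
DEVICE_A_SCENARIO_RANGE = TunnelRoute(local="10.0.2.0/24", remote="10.0.200.0/24",
                                      nat_to="192.168.100.0/24")

if __name__ == "__main__":
    print("A's 10.0.2.1 is seen by B as", translate(DEVICE_A, "10.0.2.1"))
    print("B's 10.0.2.1 is seen by A as", translate(DEVICE_B, "10.0.2.1"))
    print("Device A route problems:", check_device_routes([DEVICE_A]))
    print("peer agreement:", check_peer(DEVICE_A, DEVICE_B))
    print("peer agreement with scenario range:", check_peer(DEVICE_A_SCENARIO_RANGE, DEVICE_B))
```

Run check_peer against the Local, Remote and 1:1 NAT values typed on both devices before you save; a mismatch between what one side presents and what the other expects is the error that the ping test then fails to reveal beyond "no reply".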


Additional VPN Resources

VPN configuration is a large topic, and this module focused primarily on how to set up a single VPN tunnel between two Fireboxes. Fireware Help provides information about other VPN configuration options not covered in this module. The subsequent sections include some additional resources you can use to learn about branch office VPN configuration.

VPN Configuration Examples

The Configuration Examples page on the WatchGuard website includes several VPN examples with configuration files you can open with Policy Manager:

• Branch Office VPN failover from a private network link
• Centralized VPN Architecture (Hub and Spoke)
• Decentralized VPN Architecture (Full Mesh)
• Hybrid VPN Architecture (Partial Mesh)

You can download the examples and configuration files from:

http://www.watchguard.com/help/configuration-examples/index.asp

VPN Interoperability with Third-Party Devices

The VPN Interoperability section of the Fireware Help provides detailed instructions to help you set up VPNs between a Firebox and third-party devices such as Cisco, SonicWALL, Fortinet, and Cyberoam. For more information, see:

http://www.watchguard.com/help/docs/fireware/11/en-US/index.html#en-US/bovpn/manual/manual_bovpn_interoperability_c.html

The BOVPN Virtual Interface Examples section of the Fireware Help provides examples of how to configure a BOVPN virtual interface for different types of routing, and includes an example of how to set up a VPN between a Firebox and a Cisco device that supports IPSec over GRE. For more information, see:

http://www.watchguard.com/help/docs/fireware/11/en-US/index.html#en-US/bovpn/manual/bovpn_vif_use_cases_c.html


Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. Which of these BOVPN methods can you use between a Firebox and a third-party device? (Select two.)
   A) Managed VPN
   B) BOVPN virtual interface
   C) Manual BOVPN

2. True or false? If you configure a VPN as a BOVPN virtual interface, the VPN on the remote VPN gateway must also be configured as a BOVPN virtual interface.

3. To use policy-based routing to send traffic through a VPN tunnel, which type of VPN must you use? (Select all that apply.)
   A) Managed VPN
   B) BOVPN virtual interface
   C) Manual BOVPN

4. What must you know to set up a branch office VPN between two devices? (Select all that apply.)
   A) The public IP address or domain information for the remote VPN gateway
   B) The private network address on the remote device where you want to send traffic
   C) The gateway name and tunnel name on the remote VPN gateway
   D) The phase 1 and phase 2 settings on the remote VPN gateway
   E) The pre-shared key or IPSec certificate


5. You have configured a BOVPN and have just saved the configuration to both devices. When you look at the tunnel status in Firebox System Manager, the tunnel does not appear to be active. What could cause this? (Select all that apply.)
   A) No traffic has been sent to an IP address at the other end of the tunnel.
   B) There is a mismatch in Phase 1 or Phase 2 settings in the VPN configuration.
   C) There is no connection between the external interface IP addresses on each device.
   D) The gateway name or tunnel name is not the same on the remote device.

6. Which of these methods would you use to troubleshoot a VPN tunnel that is not working? (Select all that apply.)
   A) Restart the firewall and other routers
   B) Check the user groups on the authentication server
   C) Increase the IKE diagnostic log level
   D) Run the VPN Diagnostic Report in Firebox System Manager
   E) Change the local device to use Bridge Mode.


ANSWERS

1. b, c
2. True
3. b, c
4. a, b, d, e
5. a, b, c
6. c, d


Mobile VPN

Securely Connect Mobile Users

What You Will Learn

A Mobile VPN (Virtual Private Network) enables trusted mobile or remote users to connect and log on from an external network. Fireware supports four types of mobile VPNs: Mobile VPN with IPSec, Mobile VPN with SSL, Mobile VPN with L2TP, and Mobile VPN with PPTP. In this training module, you learn how to:

• Select the mobile VPN (virtual private network) type(s) appropriate for your network
• Configure the Firebox to allow mobile VPN connections
• Generate Mobile VPN client configuration files
• Install and use the Mobile VPN client on a remote device

In this module, you connect to one or more Fireboxes. If you take this course with a WatchGuard Certified Training Partner, your instructor provides the IP address and passphrases for devices used in the exercises. For self-instruction, you can safely connect to a Firebox on a production network. It is helpful to conduct a portion of this exercise from a computer connected to the external network.


Connect Remote Users Securely to the Network

A VPN tunnel is a secure connection between a mobile user and resources on your network. A VPN client on the remote user’s computer sends traffic for your network through the VPN tunnel. When your Firebox receives traffic through a VPN tunnel, it forwards that traffic to the correct devices.

To use Mobile VPN, you must first enable VPN connections on your Firebox. You use Policy Manager to configure the VPN settings for each user or group of users. Mobile VPN users authenticate either to the Firebox user database on the Firebox or to an external authentication server. In this module, we use the Firebox authentication method to illustrate the authentication process.

Mobile VPN Types

Fireware supports four types of Mobile VPNs. Each type uses different ports, protocols, and encryption algorithms to establish a connection. For each of these mobile VPN types, the required ports and protocols must be open between the mobile device and your Firebox for the mobile VPN to function.

Mobile VPN with PPTP
  Required ports: TCP port 1723
  Transport and authentication protocols: PPTP (Point-to-Point Tunneling Protocol), GRE (Generic Routing Encapsulation), MS-CHAP-v2 (Microsoft Challenge-Handshake Authentication Protocol)
  Encryption protocols: MPPE (Microsoft Point-to-Point Encryption)
  Encryption strength: 40-bit or 128-bit

Mobile VPN with IPSec
  Required ports: UDP port 500 for IKE; UDP port 4500 for NAT traversal (NAT-T)
  Transport and authentication protocols: IPSec (Internet Protocol Security), IKE (Internet Key Exchange), ESP (Encapsulating Security Payload)
  Encryption protocols: DES, 3DES, AES
  Encryption strength: DES and 3DES: 56-bit; AES: 128-, 192-, or 256-bit

Mobile VPN with SSL
  Required ports: TCP port 443; UDP port 443 (You can optionally use a different port and protocol)
  Transport and authentication protocols: SSL (Secure Sockets Layer), TLS (Transport Layer Security) - requires TLS 1.1 or higher
  Encryption protocols: Blowfish, DES, 3DES, or AES
  Encryption strength: DES and 3DES: 56-bit; AES: 128-, 192-, or 256-bit

Mobile VPN with L2TP, with IPSec enabled
  Required ports: UDP port 1701; UDP port 500 for IKE
  Transport and authentication protocols: L2TP (Layer 2 Tunneling Protocol), IPSec (Internet Protocol Security), IKE (Internet Key Exchange), ESP (Encapsulating Security Payload)
  Encryption protocols: DES, 3DES, AES
  Encryption strength: DES and 3DES: 56-bit; AES: 128-, 192-, or 256-bit


Select the Mobile VPN Type

You can enable more than one type of mobile VPN at a time. Some types of mobile VPN are more secure, faster, or use fewer network resources. We recommend that you check the encryption support, authentication server compatibility, VPN tunnel capacity, client OS support, and ease of client deployment for each VPN type before you make a decision.

Encryption Support

Encryption algorithms protect the data so it cannot be read by a third party while in transit through the VPN. Each VPN type supports different encryption algorithms. Larger key sizes are more secure. AES is the most secure encryption algorithm, and it is supported by all VPN types except Mobile VPN with PPTP.

Authentication Server Compatibility

Authentication server support differs by VPN type and VPN client. Support is compared across Firebox-DB, RADIUS, Vasco/RADIUS, SecurID, LDAP, and Active Directory for these clients:

• WatchGuard Mobile VPN with SSL client
• WatchGuard IPSec Mobile VPN clients for Windows and Mac OS X
• Shrew Soft IPSec VPN client for Windows
• WatchGuard Mobile VPN app for Android
• Mobile VPN with IPSec from the Mac OS X or iOS native VPN client
• Mobile VPN with PPTP *
• Mobile VPN with L2TP *

* You can use Active Directory authentication for PPTP and L2TP through a RADIUS server.

VPN Tunnel Capacity The tunnel capacity of your Firebox determines the number of mobile VPN users that can connect at the same time. On all device models, Mobile VPN with PPTP supports a maximum of 50 tunnels. The maximum number of IPSec, SSL, and L2TP mobile VPN tunnels depends on the device model. On some device models, you must purchase additional licenses to enable the maximum tunnel capacity your device supports. You can see the current Mobile VPN tunnel capacity of your device in the device feature key.

To see the feature key for your device in Policy Manager, select Setup > Feature Keys.

Client OS Support and VPN Client Installation

Depending on the client OS your mobile users use, and the VPN type, you can either install a VPN client, or manually configure connection settings in the native VPN client.

IPSec
  Windows: Distribute and install the WatchGuard or Shrew Soft VPN client and client configuration file.
  OS X: Distribute and install the WatchGuard VPN client and client configuration file, or manually configure the native VPN client.
  Android/iOS: Install the WatchGuard VPN app and import the client configuration file.

L2TP
  Windows: Users manually configure the native VPN client or any L2TP v2 client that complies with RFC 2661.
  OS X: Users manually configure the native VPN client or any L2TP v2 client that complies with RFC 2661.
  Android/iOS: Install the WatchGuard VPN app and import the client configuration file.

SSL
  Windows: Users authenticate to the Firebox to download and install the client and configuration. The client computer must support TLS 1.1 or higher.
  OS X: Users authenticate to the Firebox to download and install the client and configuration. The client computer must support TLS 1.1 or higher.
  Android/iOS: Users must install an OpenVPN client. Users can authenticate to the Firebox to download the Mobile VPN with SSL client configuration file to import to the OpenVPN client.

PPTP
  Windows, OS X, Android/iOS: Use any PPTP client, and manually configure the settings to connect.

For instructions on how to configure the native VPN client on Windows, Mac OS X, and Android to make an L2TP connection, see the WatchGuard System Manager Help.


Other Considerations

• Mobile VPN with IPSec is the only VPN type for which you can have different VPN configuration profiles for different groups of users.
• Mobile VPN with SSL is the simplest VPN type to deploy. When users authenticate with your Firebox, they can download an installer that includes both an SSL VPN client and the client configuration file.
• Mobile VPN with L2TP is similar to Mobile VPN with IPSec, but Mobile VPN with L2TP uses additional processing power on your Firebox, and NAT often does not work correctly. However, a Mobile VPN with L2TP tunnel can send and receive network traffic from protocols such as IPX or AppleTalk.

Mobile VPN Setup Overview

Regardless of which type of Mobile VPN you choose, you must complete the same configuration steps. The details for each step are different for each type of VPN.

1. Activate Mobile VPN. To allow Mobile VPN connections to your network, you must activate Mobile VPN on the Firebox.
2. Define VPN tunnel settings. Each type of Mobile VPN includes settings such as encryption method and timeout interval. The settings you configure on the Firebox must match the settings on the VPN client.
3. Configure VPN authentication settings for Mobile VPN users. Before a Mobile VPN user can connect to resources on the company network, the user must authenticate. Select a configured authentication server, and specify a user group on that server for VPN users. Users must belong to this group to use the VPN. The required groups on the authentication server for each VPN type are:
   • Mobile User VPN with PPTP — PPTP-Users
   • Mobile VPN with IPSec — The group name in the Mobile VPN with IPSec configuration
   • Mobile VPN with SSL — SSLVPN-Users or the group specified in the Mobile VPN with SSL configuration
   • Mobile VPN with L2TP — L2TP-Users or the group name in the Mobile VPN with L2TP configuration

If you use Firebox-DB authentication, Policy Manager automatically adds the required Firebox user group when you activate Mobile VPN. You must add the VPN users to that group.

For Mobile VPN with SSL and Mobile VPN with L2TP, if you use non-default group names, the group names do not appear in the automatically generated policy. However, the policy does apply to all users and groups in the Mobile VPN configuration.

For RADIUS, LDAP, and Active Directory authentication, you must manually add the required VPN user group to your authentication server, and add VPN users to that group. For RADIUS authentication, the RADIUS server must return a Filter-Id attribute where the value of the attribute matches the name of the group.

4. Define policies and resources. When you activate and configure Mobile VPN with IPSec, SSL, or L2TP, a policy is automatically added to allow all traffic from the users in the group to the resources available through the tunnel. Even though the Mobile VPN connection is secure, you may want to create custom policies to limit the types of traffic allowed through the Mobile VPN tunnel. For Mobile VPN with PPTP, you must manually create policies to allow access to network resources.
5. Configure the client computers. After you configure Mobile VPN on the Firebox, you must configure the clients.

Mobile VPN Client Configuration Files

Mobile VPN client configuration files contain the settings necessary for VPN clients to connect.

Mobile VPN with IPSec

You can configure Mobile VPN with IPSec for multiple user groups. For each group, Policy Manager creates a Mobile VPN profile that contains the shared key, user identification, IP addresses, and VPN tunnel settings. The profile is saved in four file formats for use by different clients.

.wgx
Use this file to configure the Mobile VPN with IPSec client. The .wgx file is encrypted with the tunnel passphrase. We recommend that you distribute this configuration file instead of the .ini file, because the encrypted file is more secure.

.ini
Use this file to configure the Mobile VPN with IPSec client. The .ini file is not encrypted. Use this file format only if you modify the Line Management settings to change client reconnection behavior. Make sure that you use a secure method to distribute this file to your mobile users.

Line Management controls whether the client automatically tries to restart the VPN tunnel. By default, the VPN tunnel does not automatically restart.

.vpn
Use this file to configure the Shrew Soft IPSec VPN client. The .vpn file is not encrypted. Make sure you use a secure method to distribute this file. The Shrew Soft VPN client does not support some Mobile VPN with IPSec configuration settings and features.

.wgm
Use the .wgm file to configure the WatchGuard VPN apps for iOS and Android. The .wgm file is encrypted with the tunnel passphrase.


Fireware Web UI can generate only the .ini, .vpn, and .wgm mobile user client configuration files. To generate a .wgx file, you must use Policy Manager.

Mobile VPN with SSL

When you configure Mobile VPN with SSL, a client configuration file is automatically created and saved on the Firebox. When a user downloads the Mobile VPN with SSL client from the Firebox, the client configuration file is included with the VPN client installer. OpenVPN users can also download a Mobile VPN with SSL client profile (.ovpn file) from your Firebox. To download the Mobile VPN with SSL software and client configuration file, or the .ovpn configuration file, mobile users browse to https://[external interface IP address]/sslvpn.html. For example, if your device has an external IP address of 203.0.113.20, type:

https://203.0.113.20/sslvpn.html

If you use another method to distribute the Mobile VPN with SSL client to your users, you can also extract the SSL client configuration file from the support.tgz file on the device, and then distribute it to your users. For more information, see the WatchGuard System Manager Help.

Mobile VPN with L2TP

There is no client configuration file for L2TP connections for most client platforms. Mobile users must manually configure the native VPN client of their OS to connect using L2TP. The one exception is for connections from the WatchGuard VPN app for iOS. For those users, you can generate a .wgm Mobile VPN with L2TP client configuration file. The .wgm file is encrypted with the passphrase you specify when you generate the client configuration file. Mobile users can use the .wgm file to add the connection profile to the WatchGuard VPN app for iOS.

You cannot use the .wgm file to configure L2TP connections from the WatchGuard VPN app for Android.

Mobile VPN with PPTP

There is no client configuration file for Mobile VPN with PPTP. Mobile users must manually configure the native VPN client of their OS to connect using PPTP.


Mobile VPN Network and Resource Settings

Default Route VPN and Split Tunnel VPN

There are two ways a Mobile VPN client can route traffic to the Internet for Mobile VPN users. You select which option to use when you configure the VPN.

Split tunnel VPN
In a split tunnel VPN, the VPN client splits the traffic that is destined for your private network from traffic that is destined for the Internet. Only traffic that is addressed to your private network goes through the VPN tunnel. Split tunneling provides better network performance, but less security because policies are not applied to the Internet traffic. Split tunneling is the default configuration. If you use split tunneling, we recommend that each client computer have a software firewall.

Default route VPN
In a default route VPN, all remote user Internet traffic is routed through the VPN tunnel to the Firebox before it goes to the Internet. This enables the device to examine all traffic, and provides increased security, although it uses more processing power and bandwidth. Another drawback of default route VPN is that it can dramatically increase latency for systems like VoIP.

Split tunneling makes sense as a default setting, because most mobile users also browse the Internet when the tunnel is not connected, and therefore should have a software firewall installed.

Virtual IP Address Pool

When you configure mobile VPN on the Firebox, you define a pool of virtual IP addresses. Fireware assigns an IP address from the virtual IP address pool to each Mobile VPN user, until all of the addresses are in use. When a user closes a VPN session, the IP address used by that session becomes available again.

Guidelines for assigning a virtual IP address pool:

• Use a private IP address range that is not used for anything else on your network.
• If you configure Mobile VPN with SSL to bridge VPN traffic to a bridge interface, the virtual IP addresses must be on the same subnet as the bridge interface.
• For all other Mobile VPN types, the virtual IP addresses do not have to be on the same subnet as the trusted network.
• To enable the maximum number of concurrent VPN connections, make sure the virtual IP address pool contains the same number of IP addresses as the maximum number of VPN connections your device supports.
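As an added example (not WatchGuard code), this Python applies the four guidelines above to a proposed pool and models how addresses are assigned per session and released on disconnect, as described at the start of this section. The function and class names, the in-use networks, the tunnel capacity and the pool ranges are constructed sample values, not settings read from a Firebox.

```python
"""Validate a Mobile VPN virtual IP address pool and model address assignment.

Added example for this guide, not WatchGuard code. All networks, the tunnel
capacity and the pool are constructed sample values, not read from a Firebox.
"""
import ipaddress
from typing import Iterable, Optional


def check_virtual_pool(pool: str,
                       in_use_networks: Iterable[str],
                       max_tunnels: int,
                       ssl_bridge_interface: Optional[str] = None) -> list[str]:
    """Return the guideline violations for a proposed virtual IP address pool.

    - The pool must be a private address range.
    - It must not overlap any network already used elsewhere on the Firebox.
    - For Mobile VPN with SSL bridged to a bridge interface, the pool must be in
      that interface's subnet (pass the interface address as ssl_bridge_interface;
      other Mobile VPN types have no such requirement, so leave it None).
    - To allow the maximum number of concurrent connections, the pool must hold
      at least as many usable addresses as the device supports tunnels.
    """
    net = ipaddress.ip_network(pool)
    problems: list[str] = []
    if not net.is_private:
        problems.append(f"{net} is not a private address range")

    bridge = None
    if ssl_bridge_interface is not None:
        bridge = ipaddress.ip_network(ssl_bridge_interface, strict=False)
        if not net.subnet_of(bridge):
            problems.append(f"{net} is not inside the bridge interface subnet {bridge}")

    for other in in_use_networks:
        other_net = ipaddress.ip_network(other, strict=False)
        if other_net == bridge:
            continue  # in bridge mode the pool is meant to share the bridge subnet
        if net.overlaps(other_net):
            problems.append(f"{net} overlaps {other_net}, which is already in use")

    usable = sum(1 for _ in net.hosts())
    if usable < max_tunnels:
        problems.append(f"{net} has {usable} usable addresses but the device supports "
                        f"{max_tunnels} tunnels")
    return problems


class VirtualIPPool:
    """Hand out one address per Mobile VPN session and take it back on disconnect."""

    def __init__(self, pool: str) -> None:
        self._free = [str(a) for a in ipaddress.ip_network(pool).hosts()]
        self._sessions: dict[str, str] = {}  # user name -> assigned address

    def connect(self, user: str) -> Optional[str]:
        """Assign the next free address, or None when every address is in use."""
        if user in self._sessions:
            return self._sessions[user]
        if not self._free:
            return None
        addr = self._free.pop(0)
        self._sessions[user] = addr
        return addr

    def disconnect(self, user: str) -> None:
        """Release the user's address so a later session can reuse it."""
        addr = self._sessions.pop(user, None)
        if addr is not None:
            self._free.append(addr)

    def active(self) -> int:
        """Number of sessions currently holding an address."""
        return len(self._sessions)


if __name__ == "__main__":
    # Constructed: the trusted networks of Device A and Device B from this module
    # with sample student numbers 10 and 20, and a device licensed for 50 tunnels.
    in_use = ["10.0.10.0/24", "10.0.20.0/24"]
    print(check_virtual_pool("192.168.113.0/24", in_use, 50))   # a clean pool
    print(check_virtual_pool("10.0.10.128/25", in_use, 50))     # collides with Device A's trusted network
    print(check_virtual_pool("192.168.113.0/26", in_use, 100))  # too few addresses for the licence
    print(check_virtual_pool("192.168.50.0/24", in_use, 50,
                             ssl_bridge_interface="192.168.1.1/24"))  # SSL bridge mode, wrong subnet
    pool = VirtualIPPool("192.168.113.0/30")  # two usable addresses
    print(pool.connect("alice"), pool.connect("bob"), pool.connect("carol"))
```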


Allowed Resources

When you configure mobile VPN, you configure the resources on your network you want to allow the mobile VPN users to access. You can allow mobile VPN users to have access to all network resources, or you can restrict access to a specific list of network resources. For Mobile VPN with IPSec, SSL, or L2TP, you specify the allowed resources in the VPN settings. When you save the VPN configuration, Policy Manager automatically creates policies that allow access to the network resources you specified. For Mobile VPN with PPTP, you do not specify the allowed resources in the VPN settings. Instead, you must create policies to allow members of the PPTP-Users group to access resources on your network.

Mobile VPN with IPSec Policies

When you configure Mobile VPN with IPSec, Policy Manager automatically creates a Mobile VPN with IPSec policy. Mobile VPN with IPSec policies are different from firewall policies. They appear in a separate policy list, in the Mobile VPN with IPSec tab of Policy Manager. By default, Policy Manager adds an Any policy for each Mobile VPN with IPSec group you configure. This policy allows all traffic from the users in a Mobile VPN with IPSec group to the Allowed Resources specified in the VPN settings for that group.

To restrict VPN user traffic by port and protocol:

1. On the Mobile VPN with IPSec tab, disable or delete the Any policy.
2. Add new policies that enable more restricted access.

In Mobile VPN with IPSec policies, the settings that control the source and destination are different than in firewall policies.

The differences are on the Policy tab:

• The Group specifies the source of traffic this policy handles. The Group is the set of users that is configured to use Mobile VPN with IPSec. When you use the Add Mobile VPN with IPSec Wizard to configure Mobile VPN with IPSec, it automatically adds a policy to allow traffic from the group you specify to the resources you specify. If you create a new Mobile VPN with IPSec policy, you select the group when you first create the policy. To edit the Mobile VPN with IPSec configuration for the group, adjacent to the group, click Edit. To select the users in the group, click Specify Users. You can only select users that use the authentication method configured for the Mobile VPN group.
• The Allowed Resources list specifies the resources this policy allows access to. The Allowed Resources in the policy must be all, or a subset of, the Allowed Resources you added to the Mobile VPN with IPSec configuration. In the default Mobile VPN with IPSec policy, the list of Allowed Resources in the policy matches the Allowed Resources in the Mobile VPN with IPSec configuration for the group. To add all the Allowed Resources from the Mobile VPN with IPSec group VPN configuration to this policy, click Copy from Group.

Most other policy settings are the same as for firewall policies.

Mobile VPN with SSL Firewall Policies

When you enable Mobile VPN with SSL, Policy Manager creates two policies on the Firewall tab:

• WatchGuard SSLVPN — This SSLVPN policy allows connections from an SSL VPN client on TCP port 443.
• Allow SSLVPN Users — This Any policy allows the groups and users you configure for SSL authentication to get access to resources on your network.

To restrict VPN user traffic by port and protocol, you can disable or delete the automatically generated Any policy and create new policies that enable more limited access.

Mobile VPN with L2TP Firewall Policies

When you enable Mobile VPN with L2TP, Policy Manager creates two policies in the Firewall tab:

• WatchGuard L2TP — This L2TP policy allows connections from an L2TP client on UDP port 1701.
• Allow L2TP Users — This Any policy allows the groups and users you configured for L2TP authentication to get access to resources on your network.

To restrict VPN user traffic by port and protocol, you can disable or delete the automatically generated Any policy and create new policies that enable more limited access.


Mobile VPN with PPTP Firewall Policies

When you enable Mobile VPN with PPTP, Policy Manager creates one policy in the Firewall tab:

• WatchGuard PPTP — This PPTP policy allows connections from a PPTP VPN client on TCP port 1723.

Policy Manager does not automatically create an Any policy for Mobile VPN with PPTP. You must manually add policies to enable traffic from the PPTP users to resources on your network. For example, you could add an Any policy for traffic from the group PPTP-Users to the alias Any-Trusted.

Before You Begin

This section describes the training environment and includes a list of all the equipment and software necessary to complete the exercises, along with initial basic configuration information.

Training Environment

The exercises in this module assume the following network configuration:

For instructor-led training, the training environment must include the network equipment described in the Course Introduction module. If you use these materials for self-study, connect your Firebox directly to the Internet.


Necessary Equipment and Software

To complete the exercises, each student must have this equipment and software:

• Management computer with WatchGuard System Manager v11.12 or higher installed.
• WatchGuard Firebox with Fireware OS v11.12 or higher installed.
• Two Ethernet cables:
  ◦ One Ethernet cable to connect a computer directly to a student Firebox interface
  ◦ One Ethernet cable to connect the student Firebox to a switch or router

Management Computer Configuration

Before you begin the exercises, make sure your management computer is configured correctly.

• Use an Ethernet cable to connect the management computer directly to the trusted interface (Eth1) on the student Firebox.
• Make sure your management computer has an IP address in the same subnet as the trusted interface with the correct subnet mask. Use the Firebox trusted interface IP address as the default gateway of the computer.

Network Topology

This diagram shows the two student devices and their external interfaces connected to the Internet.

For instructor-led training, the training environment is set up to simulate the Internet connection for each student Firebox.

To complete these exercises you work with a partner. In these exercises, we assume each device is configured by a different student. Each student configures a Firebox with one external interface. Student A configures Device A. Student B configures Device B. The student numbers in the IP addresses are represented as A and B. In the network configuration required for these exercises, use the student numbers your instructor gives you.

• Replace the A in the IP address with the number of the student who manages Device A.
• Replace the B in the IP address with the number of the student who manages Device B.

Network Configuration

Make sure the interfaces on the two devices are configured with these settings:

Interface 0 (External)
  Device A: IP address 203.0.113.A/24; Default Gateway 203.0.113.1
  Device B: IP address 203.0.113.B/24; Default Gateway 203.0.113.1

Interface 1 (Trusted)
  Device A: IP address 10.0.A.1/24; DHCP enabled; DHCP pool 10.0.A.2 - 10.0.A.254
  Device B: IP address 10.0.B.1/24; DHCP enabled; DHCP pool 10.0.B.2 - 10.0.B.254

These are the same network settings you configured in the Network Settings module.

The network configuration for the Mobile VPN exercises is the same as for the Branch Office VPN exercises.

BOVPN Configuration

Remove any branch office VPN tunnels, gateways, and BOVPN virtual interfaces that you configured for exercises in the Branch Office VPN module. In the subsequent exercises, you use various mobile VPN clients to connect to your partner’s private network.


Exercise 1 — Configure Mobile VPN with IPSec and Generate Client Configuration Files

In this exercise, you use Policy Manager to create a Mobile VPN profile that a remote user can use to connect securely to your trusted network. The remote user will be your partner.

Make sure that your network settings are configured as described in the Network Topology section, and that you have removed any branch office VPN tunnels, gateways, and BOVPN virtual interfaces from your configuration.

Create a Mobile VPN with IPSec Configuration

1. Select VPN > Mobile VPN > IPSec. The Mobile VPN with IPSec Configuration dialog box appears.

2. Click Add. The Add Mobile VPN with IPSec Wizard appears.

3. Click Next. The Select a user authentication server page appears.

4. From the Authentication Server drop-down list, select Firebox-DB.
5. In the Group Name text box, type IPSec-VPN-Users.

The Group Name can be an existing group or a new group. This group name is also the name of this VPN connection that appears in the Shrew Soft or WatchGuard VPN client. In a production network, use a name that your mobile users will recognize as a connection to your network, such as Your Organization VPN. If you use Firebox-DB as the authentication server, Policy Manager automatically adds a user group with the name you specify here to Firebox-DB, if it does not already exist. You must add all users that you want to use these VPN settings to this group.


If you use an external authentication server (not the Firebox-DB internal user database), make sure that the authentication server has a user group with the same name, and that VPN users are members of this group.

6. Click Next. The Select a tunnel authentication method page appears.

7. Select Use this passphrase.
8. In the Tunnel Passphrase and Retype Passphrase text boxes, type successfulremote.

The tunnel passphrase is the pre-shared key for the IKE tunnel and is shared by every user of this profile; it is also the key that protects the generated client configuration file. In a production network, use a long, random passphrase, and treat it as a secret that must be distributed separately from the configuration file.


9. Click Next. The Direct the flow of internet traffic page appears. This is where you choose whether to configure this tunnel as a default route or a split tunnel VPN. The split tunnel configuration, which allows Internet traffic to go directly to the mobile user's ISP, is selected by default.

If you choose the option to force all Internet traffic through the tunnel, the resources list automatically includes the default route (0.0.0.0/0), and the Any-External alias.

10. Click Next to accept the default VPN configuration. The Identify the resources accessible through the tunnel page appears. This is where you define which network resources you want to be accessible through the tunnel.

11. To specify a host or network IP address that users can connect to through the tunnel, click Add. The Add Address dialog box appears.


12. From the Choose Type drop-down list, select Network IPv4.
13. In the Value text box, type the network IP address of your trusted network. For example, if you are Student 10, type 10.0.10.0/24. This enables members of the IPSec-VPN-Users group to access your trusted network, 10.0.10.0/24, through the VPN tunnel.
14. Click OK. The network IP address is added to the list of resources in the Wizard.

15. Click Next. The Create the virtual IP address pool step appears. This is where you reserve a pool of virtual IP addresses to assign to VPN clients that connect.

At the bottom of this dialog box, you can see the maximum number of Mobile VPN with IPSec users that can connect. That is the number of IP addresses you should add to the virtual IP address pool.

16. Click Add. The Add Address dialog box appears.

17. From the Choose Type drop-down list, select Host Range IPv4.
18. In the Value and To text boxes, type the starting and ending IP addresses to define a range of IP addresses to assign to mobile VPN users while connected. These can be any private IP addresses not used elsewhere on your network. For this exercise, use these IP addresses:

   Value: 10.50.1.1
   To: 10.50.1.25


19. Click OK. The IP address range is added to the virtual IP address pool.

20. Click Next. The Wizard completion page appears.

21. Make a note of the location of the VPN configuration files on the last page of the wizard. You must know this location later to retrieve the files for the client.

22. Select the Add users to IPSec-VPN-Users check box. When you select this option, the wizard automatically opens the Authentication Servers dialog box so you can add users to the group after you exit the wizard.

23. Click Finish.

The Add Mobile VPN with IPSec Wizard closes, and the Authentication Servers dialog box appears.

If you did not select the check box at the end of the wizard, or if you want to add or remove users later, select Setup > Authentication > Authentication Servers.

24. On the Firebox tab, in the Users section, click Add. The Setup Firebox User dialog box appears.


25. In the User Information section, type a Name, Description, and Passphrase for this user. Remember the name and passphrase; your partner needs to use these credentials to connect.

26. In the Available list, double-click the IPSec-VPN-Users group to add the user to the group. IPSec-VPN-Users is moved to the Member list.

27. Click OK to close the Authentication Servers dialog box. The user is added to the IPSec-VPN-Users group. The configured user name and passphrase can now be used to authenticate.

28. Save the configuration to your device.
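The choice on the Direct the flow of internet traffic page (step 9) decides which of the remote user's packets the Firebox ever sees. The following Python model is an added example, not code from this guide or from WatchGuard: it reproduces the two wizard choices with Student 10's trusted network and three constructed destination addresses, and resolves each destination the way the client operating system does, by the most specific route the VPN installed. The same logic applies to the Force all client traffic through the tunnel option of Mobile VPN with SSL later in this module.

```python
"""Split tunnel vs. default-route Mobile VPN: what the client sends outside the tunnel.

Added example for the "Direct the flow of internet traffic" wizard page; it is not
code from the WatchGuard guide. For each Allowed Resource the client installs a
route through the VPN adapter; with "force all Internet traffic through the tunnel"
the wizard also adds 0.0.0.0/0. The client operating system then uses the most
specific matching route, which is what route_for() models. The destination
addresses in demo() are constructed for this example.
"""
import ipaddress


def allowed_resources(trusted_network, force_all_traffic):
    """Resources the wizard writes into the profile for the two tunnel choices."""
    resources = [ipaddress.ip_network(trusted_network)]
    if force_all_traffic:  # default-route VPN: the wizard adds the default route
        resources.append(ipaddress.ip_network("0.0.0.0/0"))
    return resources


def route_for(destination, resources):
    """Longest-prefix match: the most specific resource that covers destination, or None."""
    dst = ipaddress.ip_address(destination)
    matching = [net for net in resources if dst in net]
    return max(matching, key=lambda net: net.prefixlen, default=None)


def classify(destinations, resources):
    """Map each destination to 'tunnel' (protected by IPSec) or 'direct' (sent to the ISP)."""
    return {d: "tunnel" if route_for(d, resources) is not None else "direct"
            for d in destinations}


def leaves_in_clear(destinations, resources):
    """Destinations the Firebox never sees: no proxy, IPS or WebBlocker inspection applies."""
    return sorted(d for d, path in classify(destinations, resources).items() if path == "direct")


def demo():
    trusted = "10.0.10.0/24"                                # Student 10's trusted network
    targets = ["10.0.10.50", "10.0.20.7", "93.184.216.34"]  # LAN host, partner LAN, Internet
    split = allowed_resources(trusted, force_all_traffic=False)
    full = allowed_resources(trusted, force_all_traffic=True)
    return {
        "split_tunnel": classify(targets, split),
        "default_route": classify(targets, full),
        "unprotected_with_split_tunnel": leaves_in_clear(targets, split),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the split tunnel, only 10.0.10.0/24 is reachable through the tunnel; the partner's LAN and the Internet host go to the ISP unprotected and uninspected, which is why the default-route option is the more secure one (and the answer to question 3 at the end of this module). Adding a second Allowed Resource to the list is all it takes to extend what the model treats as protected.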


Review and Edit the Mobile VPN with IPSec Profile

The Mobile VPN with IPSec Wizard does not expose every setting you can configure. Many settings are automatically set to default settings that match the settings on the Mobile VPN with IPSec client. To see all of the settings, or to change the settings you initially configured, you can edit the Mobile VPN with IPSec configuration for that group. For this exercise, review the settings, but do not change anything.

To configure a VPN for connections from non-WatchGuard IPSec clients, such as the Mac OS X, iOS, or Android native IPSec VPN clients, you must edit some of the tunnel settings to match the settings on the client. See the Help for the settings for each client.

1. To open the Mobile VPN with IPSec Configuration dialog box, select VPN > Mobile VPN > IPSec .


2. Select IPSec-VPN-Users and click Edit.

3. Select each tab to examine all of the VPN settings. Do not edit any settings for this exercise.
4. Click OK to close the Edit Mobile VPN with IPSec dialog box.


Exercise 2 — Get the Mobile VPN Client Configuration Files

After you configure Mobile VPN with IPSec, you must distribute the client configuration file to your mobile users. In this module, you connect to your partner's device with WSM, and then use Policy Manager to generate and save their client configuration files to your computer. If you use email or a network server to distribute the client configuration files, you do not have to complete this exercise.

Enabling remote management is not required for the VPN configuration. It is a method we use in the training environment to enable each student to get the necessary files from their partner's device. In an actual network environment, you would use email, or another method to distribute the client configuration file to your mobile users.

Enable Remote Management

To allow your partner to connect to your device, you must edit the WatchGuard policy to allow management connections from the external network. This opens the management service to every host on the external network, so do it only in the lab, and remove Any-External from the policy again when the exercise is finished.

1. Start Policy Manager for your device.
2. Double-click the WatchGuard policy.
3. Add Any-External to the From list.
4. Save the configuration to the device.


Get the Client Configuration Files

Now you can connect to your partner's device to get the client configuration files.

1. In WatchGuard System Manager, connect to your partner's device on the external interface IP address. For example, if your partner is Student 20, connect to 203.0.113.20.
2. In WatchGuard System Manager, select your partner's device, and start Policy Manager.
3. In Policy Manager, select VPN > Mobile VPN > IPSec.

4. Select the IPSec-VPN-Users configuration. Click Generate. Policy Manager generates configuration files and saves them to your computer in the specified location.

5. Use Windows Explorer to browse to the specified folder on your computer.
6. Copy the configuration files to your desktop, so you can easily find them for the next exercise.
7. Close Policy Manager, and disconnect from your partner's device in WSM.


Exercise 3 — Use an IPSec VPN Client

In this exercise, you install either the WatchGuard VPN client or the Shrew Soft IPSec VPN client, import a client configuration file, and connect to your network through a VPN.

- To install and connect with the Shrew Soft IPSec VPN client, complete exercise 3A.
- To install and connect with the WatchGuard IPSec VPN client, complete exercise 3B.

Before You Begin

Before you start the installation, make sure you have the necessary installation components and information. You can get the client installers from your instructor, or from the Software Downloads page for your device on the WatchGuard website. To get the client configuration file, follow the steps in the previous exercise.

Required Files

To complete exercise 3A, you must have these files:

- vpn-client-2.2.2-release.zip — Shrew Soft VPN Client installer
- IPSec-VPN-Users.vpn — The client configuration file for the Shrew Soft VPN client

To complete exercise 3B, you must have these files:

- WatchGuard IPSec VPN Client installer for 32-bit or 64-bit Windows:
  - WG-MobileVPN-Win-x86-1200-21567.exe — for 32-bit Windows
  - WG-MobileVPN-Win-x86-64-1200-21567.exe — for 64-bit Windows
- IPSec-VPN-Users.wgx — The client configuration file for the WatchGuard IPSec VPN client

Other Important Information

In addition to the files listed in the previous section, you must also have this information to use the client after it is installed.

- The tunnel passphrase that your partner set in the Mobile VPN with IPSec configuration. You must know the tunnel passphrase to import the client configuration file to the Mobile VPN with IPSec client. If you followed the instructions in the previous exercise, the tunnel passphrase is successfulremote.
- The user name and password for a Mobile VPN with IPSec user on your partner's device. Use the user name and password that your partner specified in the previous exercise.


Exercise 3A — Use the Shrew Soft IPSec VPN Client

Install the Shrew Soft VPN Client

To install the VPN client software:

1. Copy the Shrew Soft installation file to your computer. If the installer is in a .zip file, extract the installer first.
2. Double-click the .exe file to start the installer.
3. Select the option to install the Standard Edition.
4. Accept the license agreement and all default settings.

Import the Mobile VPN Client Configuration File

1. From the Windows Start menu, select VPN Access Manager. The Shrew Soft VPN Access Manager appears.

2. Select File > Import.
3. Browse to select the location of the .vpn file. If the file is not on your desktop, you must first complete Exercise 2 of this training module.
4. Click Open. The VPN client configuration is imported and a new site configuration appears in the VPN Access Manager.

If you use certificates for authentication and you use the Fireware Web UI to generate the .vpn file, the certificates are not included in the .vpn file and must be imported to the Shrew Soft client as a separate step. See the WatchGuard System Manager Help for more information.


Connect and Disconnect

1. In VPN Access Manager, double-click the IPSec-VPN-Users configuration. The VPN Connect dialog box appears.

2. Type the Username and Password for a valid user on your partner's device.
3. Click Connect. The VPN tunnel status appears in the Connect tab.

The VPN Connect client can take several seconds to connect. After the VPN client connects, the message tunnel enabled appears on the Connect tab. A status icon also appears in the Windows taskbar. After the VPN client connects, do not close the VPN Connect dialog box until you are ready to disconnect. You can minimize the VPN Connect dialog box and close the Access Manager dialog box.

4. To end the Shrew Soft VPN connection, in the VPN Connect dialog box, click Disconnect. Or, close the VPN Connect client.


Exercise 3B — Use the WatchGuard Mobile VPN with IPSec Client

Your instructor might provide a client license if necessary to use the client in the training environment.

Install the Mobile VPN Client

To install the Mobile VPN client software:

1. Copy the installation file to your computer. Install the 32-bit or 64-bit version that matches your system type. You can see the system type in Windows Control Panel, in the System settings.

2. Double-click the .exe file to start the WatchGuard Mobile VPN installer.
3. Accept the license agreement and the default setup type. Reboot your computer, if prompted.
4. In the two Windows Security dialog boxes, click Install to install the necessary drivers.
5. Allow the installer to reboot your computer to complete the installation. After the reboot, the WatchGuard Mobile VPN client starts automatically.
6. In the WatchGuard Mobile VPN dialog box, click Yes to start the 30 day trial period for the client. After 30 days, the client does not function unless it is activated with a license.
7. In the WatchGuard Mobile VPN dialog box, click No to not create a profile.


Import the Mobile VPN Client Configuration File and Connect

1. If the client is not already started, from the Windows Start menu, select All Programs > WatchGuard Mobile VPN > Mobile VPN Monitor.
2. In the WatchGuard Mobile VPN client, select Configuration > Profiles.
3. Click Add/Import.
4. Select Profile Import. Click Next. The New Profile Wizard appears.

5. Browse to the IPSec-VPN-Users.wgx file on your desktop.

6. Click Open.
7. Click Next. The Decrypt User Profile page appears.

8. In the Key or Passphrase text box, type the passphrase set in the Mobile VPN with IPSec configuration. The correct passphrase should be successfulremote.
9. Click Next to continue.


10. Click Next again to allow the installer to overwrite any existing profile that has the same name. The Authentication page appears.

11. Type the User name and Password for a valid user on your partner's device.
12. Click Next.
13. Click Finish to import the profile and close the wizard.
14. Click the profile you just imported. Select the Default check box.
15. Click OK to close the Profiles dialog box. The IPSec-VPN-Users profile is added to the Connection Profile drop-down list.


Connect and Disconnect

1. Click the Connection slider to start the connection. The network image updates to show the connection status.

2. Click the Connection slider again to disconnect the client.


Exercise 4 — Set Up Mobile VPN with SSL

For security and ease of use, many organizations use Mobile VPN with SSL. With Mobile VPN with SSL, remote users connect to the Firebox using HTTPS to download client software and a client configuration file to their computers. In this exercise, you use Policy Manager to activate the device for Mobile VPN with SSL and create a user in the SSLVPN-Users group.

Make sure that your network settings are configured as described in the Network Topology section and that the client computer is not connected with any other VPN client.

Activate the Device for SSL VPN

In this exercise, you configure Mobile VPN with SSL to route VPN traffic. If you select the other option, Bridge VPN traffic, you can bridge the VPN traffic to a trusted or optional LAN bridge. You must first configure the bridge before you use this option.

1. Select VPN > Mobile VPN > SSL. The Mobile VPN with SSL Configuration dialog box appears.


2. Select the Activate Mobile VPN with SSL check box.
3. From the Primary drop-down list, select the IP address of the external interface mobile VPN users will connect to.
4. In the Networking and IP Address Pool section, from the drop-down list, select Routed VPN traffic.
5. Select the Force all client traffic through the tunnel check box. This ensures that all traffic both to and from the remote user computers must pass through the device. This method is more secure, however, it uses more processing power and bandwidth on the device.
6. Notice that the Virtual IP Address Pool is automatically set to the network IP address 192.168.113.0/24. For this exercise you can use the default IP address pool. If you had already used that subnet elsewhere in your network, you would specify a different subnet here.


7. Select the Authentication tab. The list of configured authentication methods appears.

If you select other authentication servers, such as LDAP, or Active Directory, you must add the users and groups that exist on those servers to the Users and Groups list if you want users in those groups to use Mobile VPN with SSL.

8. Make sure the check box for the Firebox-DB authentication server is selected. This option is selected by default. The group SSLVPN-Users is also added to the configuration by default.
9. Click OK.


After you activate Mobile VPN with SSL, you can see two new firewall policies for SSLVPN:

- WatchGuard SSLVPN — This SSLVPN policy allows SSLVPN traffic to the device on UDP port 443.
- Allow SSLVPN Users — This Any policy allows the groups and users you configure for SSL authentication to get access to resources on your network.

Add Users to the SSLVPN-Users Group

Because you selected Firebox-DB as the authentication server, you must add a user to the SSLVPN-Users group.

1. Select Setup > Authentication > Authentication Servers. The Authentication Servers dialog box appears.

2. Select the Firebox tab.
3. In the Users section, click Add. The Setup Firebox User dialog box appears.

4. Type the Name and a Description of the new user.
5. Type and confirm the Passphrase for the user.
6. In the Firebox Authentication Groups section, in the Available list, double-click SSLVPN-Users to add the user to the group. The SSLVPN-Users group appears in the Member list.

7. Click OK. The user is added to the SSLVPN-Users group. The configured username and passphrase can now be used to authenticate.
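Both wizards leave two address checks to you: the Mobile VPN with IPSec Host Range (steps 17 and 18 of Exercise 1) must hold one address per concurrent user, and neither that range nor the Mobile VPN with SSL Virtual IP Address Pool (step 6 of this exercise) may overlap a subnet already in use. The following Python script is an added example, not code from this guide or from WatchGuard, that automates those checks for the lab plan. It assumes Student 10 and Student 20 as partners; the maximum of 25 concurrent IPSec users in LAB_PLAN is an assumed value, and the real number is the one shown at the bottom of the wizard's virtual IP address pool page.

```python
"""Check the Mobile VPN virtual IP address pools against the rest of the address plan.

Added example; it is not code from the WatchGuard guide. It encodes the lab plan
from the IPSec exercise (Host Range 10.50.1.1 - 10.50.1.25) and the SSL exercise
(default pool 192.168.113.0/24) and automates the two checks the wizard pages
leave to you: the IPSec pool holds one address per licensed concurrent Mobile VPN
with IPSec user (the maximum shown at the bottom of the wizard page), and no pool
overlaps a network already in use (the trusted networks of both devices and the
other pool). The max_ipsec_users value in LAB_PLAN is constructed for the example.
"""
import ipaddress


def host_range(first, last):
    """Expand a 'Host Range IPv4' entry (Value .. To) into its addresses."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if end < start:
        raise ValueError(f"range end {end} is before start {start}")
    return [ipaddress.ip_address(int(start) + i) for i in range(int(end) - int(start) + 1)]


def as_networks(pool):
    """Normalise a pool given as 'a.b.c.d/n' or as a (first, last) range to a list of networks."""
    if isinstance(pool, tuple):
        first, last = (ipaddress.ip_address(p) for p in pool)
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(pool)]


def describe(pool):
    """Human-readable form of a pool for the problem report."""
    return f"{pool[0]}-{pool[1]}" if isinstance(pool, tuple) else str(pool)


def pool_size_ok(first, last, max_users):
    """Each connected IPSec user needs a pool address, so the range must cover max_users."""
    return len(host_range(first, last)) >= max_users


def overlapping(pool, in_use):
    """Return the entries of in_use that collide with pool."""
    nets = as_networks(pool)
    return [used for used in in_use
            if any(net.overlaps(other) for net in nets for other in as_networks(used))]


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is clean."""
    problems = []
    ipsec, ssl = plan["ipsec_pool"], plan["ssl_pool"]
    if not pool_size_ok(*ipsec, plan["max_ipsec_users"]):
        problems.append(f"IPSec pool {describe(ipsec)} has fewer than "
                        f"{plan['max_ipsec_users']} addresses")
    for name, pool, other in (("IPSec", ipsec, ssl), ("SSL", ssl, ipsec)):
        for used in overlapping(pool, plan["trusted_networks"] + [other]):
            problems.append(f"{name} pool {describe(pool)} overlaps {describe(used)}")
    return problems


# Lab plan for Student 10 (Device A) and Student 20 (Device B); max_ipsec_users is assumed.
LAB_PLAN = {
    "trusted_networks": ["10.0.10.0/24", "10.0.20.0/24"],
    "ipsec_pool": ("10.50.1.1", "10.50.1.25"),
    "ssl_pool": "192.168.113.0/24",
    "max_ipsec_users": 25,
}

if __name__ == "__main__":
    print(check_plan(LAB_PLAN) or "address plan is clean")
    # Reusing a trusted subnet as the SSL pool is the mistake step 6 warns about.
    print(check_plan(dict(LAB_PLAN, ssl_pool="10.0.20.0/24")))
```

Run it once more with the partner's trusted network added to trusted_networks whenever the student numbers change; an overlapping pool is the usual reason a connected client can reach the tunnel but not the resource behind it.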


Exercise 5 — Use the Mobile VPN with SSL Client

In this exercise you use the SSL VPN user credentials to connect to your partner's Firebox, and download and install the SSL VPN client for Windows. Then you use the client to authenticate to the device.

Install the Mobile VPN with SSL Client

1. Open a web browser and go to: https://[external interface IP address]/sslvpn.html. For example, if your partner's device has an external IP address of 203.0.113.20, type: https://203.0.113.20/sslvpn.html.
2. Type the Username and Password of a valid user on your partner's device. Click Login. The client software download page appears.

3. Click Download for the Mobile VPN with SSL client software for Windows. This client download also includes the Mobile VPN with SSL client configuration file.
4. Save the file to your desktop.
5. Double-click the WG-MVPN-SSL.exe installation file.
6. Accept the default settings on each page of the installation wizard.
7. At the end of the wizard, select the check box to create a desktop icon. The Mobile VPN with SSL client installation is complete, and the client configuration file is automatically installed.


Connect with the Mobile VPN with SSL Client

Each time the WatchGuard Mobile VPN with SSL client connects, it checks for updates to the client configuration. To start the Mobile VPN with SSL client:

1. Double-click the Mobile VPN with SSL client desktop icon. Or, from the Windows Start menu, select All Programs > WatchGuard > Mobile VPN with SSL client > Mobile VPN with SSL client. The WatchGuard Mobile VPN with SSL authentication dialog box appears.

2. In the Server text box, type the external interface IP address of your partner's device.
3. Type the Username and Password of the user your partner added to the SSLVPN-Users group.
4. Click Connect. When the Mobile VPN with SSL connection is active, the Mobile VPN with SSL icon in the Windows task bar is green. You can position the mouse over this icon to see the IP address of the device to which you are connected.

If you change the data channel for SSL VPN, for example to port 444, the user must type 203.0.113.2:444 instead of 203.0.113.2 in the Server text box. If Firebox-DB is not the default SSL VPN authentication server, the user must type Firebox-DB\j_smith instead of j_smith in the Username text box.


Other Client Authentication Options

When you connect, the WatchGuard Mobile VPN with SSL client can also have options to automatically reconnect and remember your password. To make these options available to end users, change the Mobile VPN with SSL authentication settings on your device.

In the Mobile VPN with SSL authentication settings:

Auto reconnect after a connection is lost
This option enables the Automatically reconnect check box in the Mobile VPN with SSL client. The user can choose whether to automatically reconnect. If you select the Force users to authenticate after a connection is lost check box, the user must type the password again for each reconnection.

Allow the Mobile VPN with SSL client to remember password
This option enables the Remember password check box in the Mobile VPN with SSL client. The user can choose whether the client remembers the password.


Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. When you enable Mobile VPN with IPSec for the group VPNusers, which policy or policies are automatically created? (Select one.)
   A) Two firewall policies: Allow-IPSec-Users and WatchGuard IPSec.
   B) Two firewall policies: Allow-VPNusers and WatchGuard IPSec.
   C) A single Mobile VPN with IPSec policy: VPNusers-Any.
   D) A single Mobile VPN with IPSec policy: Allow-VPNusers.
   E) A single firewall policy: Allow-VPNusers.

2. True or false? If you use a third-party server for VPN authentication, that server must have a user group with a name that exactly matches the group name in the VPN configuration.
3. True or false? Split tunnel is more secure than default route VPN.
4. True or false? If you add a new Allowed Resource in a Mobile VPN with IPSec policy, that resource is automatically added to the VPN configuration.
5. Which Mobile VPN clients can users download from a Firebox? (Select one.)
   A) Mobile VPN with SSL
   B) Mobile VPN with L2TP
   C) Mobile VPN with IPSec
   D) Mobile VPN with PPTP


6. When must a user know the Mobile VPN with IPSec tunnel passphrase? (Select one.)
   A) To start a VPN connection from the Mobile VPN with IPSec client
   B) To log into the web page to download the VPN client
   C) To import the client configuration file to the Mobile VPN with IPSec client
   D) To import the client configuration file to the Shrew Soft VPN client
7. True or false? Mobile VPN with IPSec is the only VPN type that can use different VPN configurations for different user groups at the same time.
8. Which of these VPN connection types can you configure in the native VPN client in Windows? (Select all that apply.)
   A) IPSec
   B) SSL
   C) PPTP
   D) L2TP


ANSWERS

1. C
2. True
3. False
4. False. You cannot add a resource to a Mobile VPN with IPSec policy if it is not already in the Allowed Resources list in the VPN configuration for the Mobile VPN with IPSec group.
5. A
6. C
7. True
8. C, D


Fireware Web UI

Explore Fireware Web UI

What You Will Learn

You can use Fireware Web UI for many tasks to monitor and manage your Firebox. In this training module, you learn:

- How to log in to Fireware Web UI
- The limitations of the Web UI
- How to manage timeouts for Web UI management sessions

Before you begin these exercises, make sure you read the Course Introduction module.

Introduction to Fireware Web UI

With Fireware Web UI, you can monitor and manage any Firebox that runs Fireware OS, without installing any extra software on your computer. The only software you need is a web browser. This means you can manage your Firebox from a computer that runs Windows, Linux, or Mac OS, from mobile devices that run iOS or Android, or from any other platform with a browser.

Fireware OS versions lower than v11.8 also require Adobe Flash Player 9.


Fireware Web UI is a real-time management tool. This means that when you use the Web UI to make changes to a Firebox, the changes you make generally take effect immediately. With the Web UI, you do not have to build a list of changes to a locally-stored configuration file, and then apply those changes to the Firebox all at once. This is different from Policy Manager, which is an offline configuration tool. Changes you make to a locally-stored configuration file with Policy Manager do not take effect until you save the configuration file to the Firebox. Because Fireware Web UI has menu items and tools similar to those in Policy Manager, if you are familiar with Policy Manager you can easily find what you need and understand how the configuration options operate in Fireware Web UI.

Limitations of Fireware Web UI

Before you connect to your Firebox in Fireware Web UI to make changes to the configuration, you should understand that there are several device configuration changes you cannot make with Fireware Web UI. Some of the things you can do with Policy Manager, but not with the Web UI, include:

- Change the name of a policy
- Change the logging settings for default packet handling options
- Add a custom address to a policy
- Use a host name (DNS lookup) to add an IP address to a policy
- Enable FireCluster or change the FireCluster configuration settings. After you have configured a FireCluster, you can use the Web UI to monitor the cluster and update policies and other configuration settings.
- Add or edit a secondary PPPoE interface

Connect to Fireware Web UI

Connections to Fireware Web UI are always encrypted with HTTPS, the same encryption used by banking and shopping websites. Because of this, when you type the URL for Fireware Web UI in the address bar of your web browser, you must type https instead of http. By default, the port used for the Web UI is 8080. The default URL used to connect to the Web UI is:

https://<IP address>:8080

The <IP address> segment of the address is the IP address assigned to the trusted or optional interface.

In the Global Settings for your Firebox, you can optionally change the port used to connect to Fireware Web UI.


When you make this connection, the login page appears.

About Certificate Warnings

When you connect to Fireware Web UI, you can see a warning from your web browser. This is the warning you see with Google Chrome:

If you know that the IP address shown in the browser address bar is correct, you can safely click Advanced, and then click Proceed.


This is the warning you see with Internet Explorer 11:

You can safely click Continue to this website if you know that the IP address shown in your browser address bar is correct. This is the warning you see with Mozilla Firefox 32:

If you know that the IP address shown in the browser address bar is correct, you can safely click I Understand the Risks and follow the prompts to add a certificate exception. Keep in mind what accepting the warning does and does not tell you: a correct address means you reached a device at that address, but an untrusted certificate cannot prove that device is your Firebox rather than something in the path. On a directly cabled management connection, as in this course, that risk is acceptable; on any other path, verify the certificate fingerprint out of band, or replace the certificate with a trusted one as described below.

This certificate warning appears because your browser does not trust the certificate. There are two reasons for this:

- Your browser does not trust the entity that signed the Firebox certificate. Fireware Web UI uses a self-signed certificate. Your browser trusts only certificates signed by a trusted Certificate Authority, and certificates that you explicitly import into the browser as trusted certificates.
- The Common Name on the certificate does not match what you typed into the browser address bar. For a certificate to be trusted automatically, its common name must match the server name.

To correct both problems you can manually import the certificate. For more information, see the documentation from your browser or operating system vendor.


To avoid these warnings for all users, replace the certificate used by Fireware Web UI with a certificate trusted by all of your network clients. This could be a certificate you purchase from a commercial vendor such as VeriSign or Thawte, or one you generate from a local CA used in your organization such as Microsoft Certificate Services on a Windows server. You can also create a custom certificate signed by the Firebox. This certificate can have multiple names on it, so that users can type the Firebox IP address or a domain name (if the domain name has a record in the DNS system that resolves to the Firebox IP address). Users must still import the certificate into their operating system or browser certificate store, however, because this is a self-signed certificate. For more information on this process, see Fireware Help.
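The two causes of the warning described above can be told apart from the certificate's own fields. The following Python diagnostic is an added example, not code from this guide or from WatchGuard. It takes the certificate in the dictionary shape that Python's ssl.getpeercert() returns (subject, issuer, subjectAltName), so it can be pointed at a captured certificate; both sample certificates, the CA name Example Corp Issuing CA and the host name firebox.example.com are constructed for the example. Note that getpeercert() only fills in that dictionary for a certificate the socket validated, so for the self-signed default certificate you would build the dictionary from a parsed export instead of a live connection.

```python
"""Explain a Fireware Web UI certificate warning from the certificate's own fields.

Added example; it is not code from the WatchGuard guide. The certificate is given
in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, and the
function reports the two causes the text describes: the issuer is not a CA the
browser trusts (the default Firebox certificate is self-signed, so its issuer is
its own subject), and the name typed in the address bar matches neither the
subjectAltName entries nor, for a certificate without a SAN, the Common Name.
Both sample certificates and the CA name are constructed for the example.
"""
import ipaddress


def _attr(name, key):
    """Values of one attribute (e.g. 'commonName') in getpeercert()'s nested name tuples."""
    return [value for rdn in name for attr, value in rdn if attr == key]


def _valid_names(cert):
    """(dns_names, ip_names) the certificate is valid for; CN is used only without a SAN."""
    san = cert.get("subjectAltName", ())
    dns = [v for t, v in san if t == "DNS"]
    ips = [v for t, v in san if t == "IP Address"]
    if not san:
        dns = _attr(cert.get("subject", ()), "commonName")
    return dns, ips


def _dns_match(pattern, host):
    """Exact match, or a single leading wildcard that stands for exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return "." in suffix and "." in host and host.split(".", 1)[1] == suffix
    return pattern == host


def name_matches(cert, typed_host):
    """True if what the user typed (host name or IP address) is covered by the certificate."""
    dns, ips = _valid_names(cert)
    try:
        wanted = ipaddress.ip_address(typed_host)
    except ValueError:
        return any(_dns_match(p, typed_host) for p in dns)
    return any(ipaddress.ip_address(i) == wanted for i in ips)


def is_self_signed(cert):
    """A self-signed certificate names itself as its issuer."""
    return cert.get("subject") == cert.get("issuer")


def why_browser_warns(cert, typed_host, trusted_ca_names):
    """List of reasons a browser would warn; an empty list means the connection would be trusted."""
    reasons = []
    issuer_cns = _attr(cert.get("issuer", ()), "commonName")
    if is_self_signed(cert) or not any(cn in trusted_ca_names for cn in issuer_cns):
        reasons.append("issuer not trusted")
    if not name_matches(cert, typed_host):
        reasons.append("name mismatch")
    return reasons


# Constructed stand-in for the self-signed certificate the Web UI ships with.
DEFAULT_WEBUI_CERT = {
    "subject": ((("commonName", "Firebox Web UI"),),),
    "issuer": ((("commonName", "Firebox Web UI"),),),
}

# Constructed certificate from an internal CA, with the IP address and DNS name as SANs.
INTERNAL_CA_CERT = {
    "subject": ((("commonName", "firebox.example.com"),),),
    "issuer": ((("commonName", "Example Corp Issuing CA"),),),
    "subjectAltName": (("DNS", "firebox.example.com"), ("IP Address", "10.0.10.1")),
}

if __name__ == "__main__":
    trusted = ["Example Corp Issuing CA"]
    print(why_browser_warns(DEFAULT_WEBUI_CERT, "10.0.10.1", trusted))
    print(why_browser_warns(INTERNAL_CA_CERT, "10.0.10.1", trusted))
    print(why_browser_warns(INTERNAL_CA_CERT, "firebox.example.com", []))
```

The second sample shows why the replacement certificate needs the IP address as a subjectAltName entry as well as the DNS name: users who type https://10.0.10.1:8080 are checked against the IP entry, users who type the host name against the DNS entry, and a certificate with only a CN satisfies neither once a SAN extension is present.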

Log In

You can log in to the Web UI with the default admin or status user accounts, or another Device Management user account defined in the Firebox configuration. When you use the default user accounts, the authentication server is Firebox-DB.

Navigate Fireware Web UI

At the left side of Fireware Web UI is a navigation menu that you can use to move between different configuration areas. The heading items shown by default in this area automatically expand to show additional options when you select them. You can select any item beneath a heading to see the available configuration settings.


About the Dashboard Pages

The top section of the Web UI navigation menu contains several dashboards. The dashboards show real-time information that helps you see at a glance the activity and status of the Firebox.

Front Panel
This dashboard page shows basic information about your Firebox, your network, and network traffic. The Front Panel page is separated into two parts: widgets and top panels. Widgets show specific, historical information about your device. Top panels show connection data for your device.

Subscription Services
This dashboard page shows activity and signature update status for Fireware subscription services: Gateway AntiVirus, Intrusion Prevention Service, Reputation Enabled Defense, WebBlocker, spamBlocker, and Data Loss Prevention.

FireWatch
This dashboard page provides real-time, aggregate information about the traffic through your Firebox. You can use FireWatch to answer these questions:

- Who uses the most bandwidth on your network?
- Which is the most popular site that users visit?
- Which sites use the most bandwidth?
- Which applications use the most bandwidth?
- Which sites has a particular user visited?
- Which applications are most used by a particular user?

Interfaces This dashboard page shows current bandwidth and other information for the active interfaces. You can also release or renew the DHCP lease for any external interface with DHCP enabled.


Traffic Monitor
This dashboard page shows log messages from your Firebox as they occur. This can help you troubleshoot network performance. For example, you can see which policies are used most, or whether external interfaces are constantly used to their maximum capacity.

Gateway Wireless Controller
This dashboard page shows the connection status and activity on your WatchGuard wireless AP (access point) devices. You can also monitor and manage the client connections to your WatchGuard AP devices.

Geolocation
This dashboard page shows connections allowed by the Geolocation feature, by country. Blocked connections are not displayed. The Map tab shows a map of the source and destination locations of connections allowed through the Firebox. The Country List tab shows connection details by country, ranked by the number of hits. In the Lookup tab, you can type an IP address to see the location of that address.

Mobile Security
This dashboard page shows the mobile devices that are connected to your Firebox. You can see a list of connected mobile devices, detailed information for each device, and group information for each device. You can also view connections for a mobile device in FireWatch and see traffic from the mobile device in Traffic Monitor.

Network Discovery
This dashboard page shows all the devices connected to your internal networks. You can see a tree map view of all the connected devices and detailed information for each device. The Network Map tab is organized by interface, with interfaces on the first level, subnets on the second level, and devices on the third level. Each interface can have several subnets. The Device List tab shows all of the devices connected to your network in a tabular list format.

Get Help
The header at the top of each page has an icon that takes you to the Fireware Help. To open the context-sensitive Help topic for the current page in the Web UI, click the Help icon.


About the Status and Admin User Accounts
When you log in to Fireware Web UI, you must type the credentials for a user account in the User Name text box. Your Firebox includes two default Device Management user accounts: status and admin. You can also add other user accounts to your Firebox. The user name is case-sensitive.

status
This default user account has Device Monitor (read-only) privileges. You can use this account to log in to the Web UI when you only want to monitor the Firebox status or see connection information. Multiple users can log in to the Web UI with the status account at the same time. You cannot make changes to the Firebox configuration file with this user account. You can also use this user account to connect to the Firebox with Policy Manager.

admin
This default user account has Device Administrator (read-write) privileges. You can use this account to make changes to the device configuration file. Multiple users can log in to the Web UI with the admin user account only if the option to allow more than one Device Administrator to log in to the Firebox at the same time has been enabled on the Firebox.

When a user is logged in to the Web UI with a Device Administrator user account, and that user has unlocked the configuration file to make changes, Fireware does not allow changes to the device configuration from any other connection, including Policy Manager or the Command Line Interface.

You also use the admin passphrase to save your configuration file to the Firebox with Policy Manager. The header section of the Web UI shows which account you used to log in. To log out of the Web UI, at the top of the page, place your cursor over the account name and click Logout.

About Timeouts for Management Sessions
If your Firebox is configured to only allow one Device Administrator to log in to the Firebox at the same time, when a user account with Device Administrator privileges is logged in to the Web UI, Fireware prevents all other users from making read-write connections to the Firebox. Specifically, other users cannot:
- Log in to the Web UI with a Device Administrator user account
- Save configuration changes to the Firebox with Policy Manager
- Update the OS on the Firebox
- Log in to the CLI with a Device Administrator user account; this includes console connections through the serial port and SSH connections over port 4118

When you try to complete any of these tasks while another user is logged in with a Device Administrator user account, and your Firebox is not configured to allow more than one Device Administrator to log in at the same time, you see a message that shows the IP address of the current user. This message appears in Policy Manager, in the Web UI, and in the CLI.

There are two timeout settings that control administrator account access. These settings help make sure the admin account is not locked for a long time. To change these timeout settings in the Web UI, select Authentication > Settings.


The timeout settings for management sessions include:

Session Timeout
The maximum amount of time that an administrator session can last.

Idle Timeout
The amount of time with no activity in the Web UI. Activity means that you do something in the browser that causes the browser to get data from the Firebox, or to send data to the Firebox. The Web UI sends a keep-alive message to the Firebox every 20 seconds. If the Firebox does not receive this message from your browser for more than 60 seconds, the Firebox closes your session. However, the keep-alive message does not reset the idle timeout timer for management sessions. This lets the Firebox close a management session quickly if you close the browser without first logging out of the Web UI, while a browser that stays open but is not used keeps the session open for the full idle timeout.
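The interaction between the keep-alive message and the two timeouts is easier to see in a model. The following Python script is an added example, not WatchGuard code. It takes the 20-second keep-alive interval and the 60-second grace period from the text; the session timeout and idle timeout values used in the scenarios are constructed, and the model assumes that real activity also counts as proof that the browser is still alive.

```python
from dataclasses import dataclass

# Values taken from the text: the Web UI sends a keep-alive every 20 seconds, and the
# Firebox closes the session if it sees none for more than 60 seconds.
KEEPALIVE_INTERVAL = 20
KEEPALIVE_GRACE = 60


@dataclass
class ManagementSession:
    """One Web UI management session. All times are seconds since login."""
    session_timeout: int      # maximum session length (constructed value in the scenarios below)
    idle_timeout: int         # maximum time without real activity (constructed value)
    last_activity: int = 0    # reset only by real activity, never by keep-alives
    last_keepalive: int = 0   # reset by keep-alives; activity also proves the browser is alive (assumption)

    def keepalive(self, now):
        self.last_keepalive = now

    def activity(self, now):
        self.last_activity = now
        self.last_keepalive = now

    def expiry_times(self):
        """When each of the three timers would close the session, given the events so far."""
        return {
            "session timeout": self.session_timeout,
            "idle timeout": self.last_activity + self.idle_timeout,
            "browser gone": self.last_keepalive + KEEPALIVE_GRACE,
        }

    def close_reason(self, now):
        """None while the session is still open, otherwise the timer that expired first."""
        reason, when = min(self.expiry_times().items(), key=lambda item: item[1])
        return reason if now >= when else None


def simulate(events, session_timeout, idle_timeout, horizon):
    """Replay (time, kind) events in order and return (close_time, reason), or (None, None)
    if the session is still open at the horizon. kind is "keepalive" or "activity"."""
    session = ManagementSession(session_timeout, idle_timeout)
    by_time = {}
    for t, kind in events:
        by_time.setdefault(t, []).append(kind)
    for now in range(horizon + 1):
        for kind in by_time.get(now, []):
            if kind == "keepalive":
                session.keepalive(now)
            else:
                session.activity(now)
        reason = session.close_reason(now)
        if reason is not None:
            return now, reason
    return None, None


def keepalives_until(last):
    """Keep-alive events from login until the browser disappears at time `last`."""
    return [(t, "keepalive") for t in range(0, last + 1, KEEPALIVE_INTERVAL)]


if __name__ == "__main__":
    # Browser left open and untouched: only the idle timeout can end the session.
    print(simulate(keepalives_until(3600), 3600, 300, 3600))   # (300, 'idle timeout')
    # Browser closed at t=100 without logging out: gone within the 60 s grace period.
    print(simulate(keepalives_until(100), 3600, 300, 3600))    # (160, 'browser gone')
    # Administrator working continuously: the session timeout is the only limit.
    print(simulate([(t, "activity") for t in range(0, 3601, 10)], 600, 300, 3600))  # (600, 'session timeout')
```

The second scenario is the one the text singles out: because keep-alives stop the moment the browser is closed, the session is reclaimed after the grace period rather than after the full idle timeout, which matters when only one Device Administrator may be logged in at a time.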

Control Access to the Web UI
By default, the Firebox allows connections to the Web UI from any computer on a trusted or optional network. Access to the Web UI is controlled by the WatchGuard Web UI policy. This policy is automatically added to your device configuration when you run the Quick Setup Wizard. To see the policy:
1. Select Firewall > Firewall Policies.
2. To edit the WatchGuard Web UI policy, click the policy name. Or, select the check box for the policy and select Action > Edit Policy. The policy appears.
3. If your Firebox is configured to allow more than one Device Administrator to log in at the same time, to unlock the configuration and make changes, click the lock icon.

You can restrict or expand access to the Web UI by adding or removing entries in the From list:
- You can allow access to the Web UI from external networks by adding the Any-External alias (or an appropriate IP address).
- You can restrict access to the Web UI from internal locations by removing the Any-Trusted and Any-Optional aliases. Make sure to keep at least one IP address from which you want to allow access, so that you can still manage the Firebox from that computer.
- You can remove all IP addresses and aliases and replace them with user names or group names. When you do this, you force users to authenticate before they are allowed access to the Web UI.


The port and protocol that the WatchGuard Web UI policy controls appear on the Settings tab.

About the Port for the Web UI
You can change the port used to connect to the Fireware Web UI. The port controlled by the WatchGuard Web UI policy is automatically changed if you change the port for the Web UI.

If you change this port, the URL you use to access the Web UI also changes. For example, if you change the port to 8888, to connect to the Web UI, type https://<Firebox IP address>:8888 in your browser address bar.

In Policy Manager:
1. Select Setup > Global Settings. The Global Settings dialog box appears.
2. In the Web UI Port text box, type or select the port.
3. Click OK.


In the Web UI:
1. Select System > Global Settings.
2. To unlock the configuration file and make changes, click the lock icon.
3. On the General tab, in the Web UI Port text box, type or select the port.
4. Click Save.
5. To lock the configuration file, click the lock icon.


Exercise 1 — Connect to the Web UI with the Status User Account
In this exercise, you use the default Device Monitor user account (status) to connect to the Web UI with read-only permissions.
1. From a computer on the Trusted network, open a web browser and go to https://<Firebox IP address>:8080. Replace <Firebox IP address> with the IP address of your Firebox.
2. If a certificate warning appears, choose the option to accept the warning and continue to the website. The Web UI login dialog box appears.
3. In the User Name text box, type status.
4. In the Passphrase text box, type the passphrase for the status user account. Click Login. The Fireware Web UI Front Panel Dashboard page appears.


5. Select Firewall > Firewall Policies. The Policies configuration page appears.

Note that there are no options available on the page that enable you to make changes to the Policies list.


6. Navigate to other pages in the Web UI and note that you cannot change any settings.
7. At the top of the Web UI, place your cursor over the account name and click Logout. You are logged out of the Web UI and the login dialog box appears again.


Exercise 2 — Configure a Firebox for Remote Web UI Administration This exercise is useful in situations where an instructor must connect to a student Firebox during a classroom presentation. If you are self-instructed and do not need to remotely manage your Firebox, you can skip this exercise.

When you configure a Firebox with the Quick Setup Wizard, a policy that allows you to connect to the Web UI from any computer on the trusted or optional networks is automatically created. To manage the Firebox from a remote location (any location on an external network), you must change your configuration to allow connections to the Web UI from that location. Before you change a policy to allow connections to the Firebox from a computer external to your network, it is a good idea to consider these alternatives:
- Is it possible to connect to the Firebox with a VPN? This option greatly increases the security of the connection. If you can connect with a VPN, then you do not need to allow other connections.
- If it is not possible to connect to the Firebox with a VPN, we recommend that you use authentication for additional security.
- It is more secure to limit access from the external network to the smallest number of computers possible. For example, it is more secure to allow connections from a single computer than it is to allow connections from the Any-External alias.
- If you decide to allow connections to the Firebox from Any-External, it is especially important that you set very strong passphrases. It is also a good idea to change your passphrases at regular intervals.
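To make the effect of each From list entry concrete, the following Python script is an added example, not part of Fireware or of this guide. It evaluates whether a source address (or an authenticated user) would be admitted by the WatchGuard Web UI policy, and audits a From list against the guidance above and the list of access options in the Control Access to the Web UI section. The alias-to-network mapping is a constructed assumption, Any-External is simplified to mean any address outside the trusted and optional networks, and group membership is represented by passing the group name as the authenticated identity.

```python
import ipaddress

# Constructed assumption: which networks each built-in alias covers on this Firebox.
# Any-External is simplified to "any address that is not trusted or optional".
INTERNAL_ALIASES = {
    "Any-Trusted": [ipaddress.ip_network("10.0.1.0/24")],
    "Any-Optional": [ipaddress.ip_network("10.0.2.0/24")],
}


def classify(entry):
    """A From list member is an alias, an IP address/network, or a user or group name."""
    if entry == "Any-External" or entry in INTERNAL_ALIASES:
        return "alias"
    try:
        ipaddress.ip_network(entry, strict=False)
        return "address"
    except ValueError:
        return "user"


def alias_contains(alias, ip):
    if alias == "Any-External":
        return not any(alias_contains(name, ip) for name in INTERNAL_ALIASES)
    return any(ip in net for net in INTERNAL_ALIASES[alias])


def connection_allowed(from_list, src_ip, authenticated_as=None):
    """Would the WatchGuard Web UI policy admit this source? Alias and address entries match on
    the source IP; a user or group entry matches only once that identity has authenticated."""
    ip = ipaddress.ip_address(src_ip)
    for entry in from_list:
        kind = classify(entry)
        if kind == "alias" and alias_contains(entry, ip):
            return True
        if kind == "address" and ip in ipaddress.ip_network(entry, strict=False):
            return True
        if kind == "user" and authenticated_as == entry:
            return True
    return False


def audit_from_list(from_list, admin_host):
    """Review findings for a From list, following the guidance in the text."""
    findings = []
    kinds = [classify(e) for e in from_list]
    # Removing Any-Trusted/Any-Optional without keeping your own address locks you out
    if "user" not in kinds and not connection_allowed(from_list, admin_host):
        findings.append(f"lockout risk: management host {admin_host} is not in the From list")
    if "Any-External" in from_list:
        findings.append("Any-External exposes the login page to every external address; "
                        "prefer a VPN, or a single external IP address")
        if "user" not in kinds:
            findings.append("no user or group entries: external access relies on the passphrase alone; "
                            "add authentication and use strong, regularly changed passphrases")
    if from_list and all(k == "user" for k in kinds):
        findings.append("only user/group entries: every client must authenticate before reaching the Web UI")
    return findings


if __name__ == "__main__":
    default_policy = ["Any-Trusted", "Any-Optional"]
    print(audit_from_list(default_policy, "10.0.1.50"))                    # []
    print(audit_from_list(default_policy + ["Any-External"], "10.0.1.50"))  # two findings
    print(audit_from_list(["203.0.113.9"], "10.0.1.50"))                   # lockout risk
```

Run the audit against the From list before you save a change in Exercise 2: adding Any-External as the exercise does is acceptable in a classroom, and the findings spell out what to tighten (a single external address, or user names plus strong passphrases) once the Firebox leaves the lab.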

Your instructor might ask you to complete these steps. This will enable your instructor to troubleshoot configuration issues from his computer later in the class.


To configure the WatchGuard Web UI policy to allow access to the Web UI from an external computer:
1. From a computer on the trusted network, open a web browser and go to https://<Firebox IP address>:8080. Replace <Firebox IP address> with the Firebox trusted interface IP address.
2. If a certificate warning appears, choose the option to accept the warning and continue to the website. The Fireware Web UI Login page appears.
3. In the User Name text box, type admin. In the Passphrase text box, type the passphrase for the admin user account. The Web UI Dashboard > Front Panel page appears.


4. Select Firewall > Firewall Policies. The Firewall Policies page appears.
5. Click the name of the WatchGuard Web UI policy to edit it.
6. To unlock the configuration file, click the lock icon.
7. Below the From list, click Add. The Add Member dialog box appears.
8. From the Member Type drop-down list, select Alias.


9. Select Any-External and click OK. Any-External is added to the From list in the policy definition.


10. Click Save to apply this change to your Firebox.
11. To lock the configuration file, click the lock icon.
12. From a computer on the external network, try to connect to the Web UI. Type https://<Firebox external IP address>:8080 in the browser address bar. You should be able to connect to the Firebox.


Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.

1. Which Device Management user account type do you use to log in to the Web UI to change the configuration? (Select one.)
   A) Device Administrator
   B) Device Monitor
   C) configuration
   D) administrator

2. What is the default port for the Web UI? (Select one.)
   A) 8100
   B) 8088
   C) 8080
   D) 8000

3. True or false? You can save the Firebox configuration file to a local disk drive from the Web UI.

4. True or false? You must install WSM software to use the Web UI.

5. How many users can simultaneously log in to the Web UI with the admin user account? (Select one.)
   A) 1
   B) 2
   C) 4
   D) unlimited

6. How many users can simultaneously log in to the Web UI with the status user account? (Select one.)
   A) 1
   B) 2
   C) 4
   D) unlimited


ANSWERS
1. A
2. C
3. True
4. False
5. D
6. D
