fireware essentials student guide (en us) v11!10!1

Post on 06-Jul-2018


  • 8/16/2019 Fireware Essentials Student Guide (en US) v11!10!1

    1/509

    Fireware v11.10 Training

    Fireware Essentials Student Guide

    WatchGuard Firebox Devices

    Guide Revised For: Fireware v11.10.1

    Revision Date: June 2015 


    ii WatchGuard Technologies, Inc.


    About the Fireware Essentials Student Guide

    Disclaimer 

    Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are

    fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,

    electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

    Copyright and Patent Information

    Copyright © 2015 WatchGuard Technologies, Inc. All rights reserved.

    WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or trademarks of 

    WatchGuard Technologies, Inc. in the United States and other countries. This product is covered by one or more

    pending patent applications.

     All other trademarks and trade names are the property of their respective owners.

    Complete copyright, trademark, and licensing information can be found in the Copyright and Licensing Guide, available

    online at http://www.watchguard.com/wgrd-help/documentation/overview.

    Printed in the United States.

    Fireware Essentials Student Guide iii



    Table of Contents

    About the Fireware Essentials Student Guide iii

    Table of Contents v

    Course Introduction 1

    Training Options 1

    Necessary Equipment and Software 2

    Training Scenario 3

    Prerequisites 3

    Training Network Configuration 4

    Student Firebox IP Addresses 5

    Instructor Firebox IP Addresses 5

    Configuration Changes for the Instructor Firebox 6

    Fireware Web UI and Command Line Interface 7

     Additional Resources 7

    Getting Started 9

    What You Will Learn 9

    Management, Monitoring, and Visibility Tools 9

    Start with WatchGuard System Manager 10

    WSM Components 10

    WatchGuard Dimension 11

     Activate Your Device 12

    Use the Setup Wizards 12

     About Factory-Default Settings 13

    Exercise 1 — Create a Configuration File with the Quick Setup Wizard 14

    Exercise 2 — Open WSM and Connect to Devices and Servers 16

    Connect to a Firebox 16

    Exercise 3 — Start Policy Manager 19

    Test Your Knowledge 21

     ANSWERS 23

    Notes 24


    Administration 25

    What You Will Learn 25

    Manage Configuration Files and Device Properties 25

     About the OS Compatibility Version 26

     About the Feature Key 26

    Saving a Configuration 27

    Configuration Migration 27

    Manage Users and Roles on Your Firebox 27

    Exercise 1 — Open and Save Configuration Files 29

    Exercise 2 — Configure a Firebox for Remote Administration 31

    Exercise 3 — Add Device Management Users 33

    Exercise 4 — Examine and Update Feature Keys 35

    View Feature Keys For Your Firebox 35

     Add a Feature Key to the Firebox 37

    Exercise 5 — Create a Device Backup Image 38

    Exercise 6 — Add Firebox Identification Information 40

    Test Your Knowledge 41

     ANSWERS 42

    Notes 43

    Network Settings 44

    What You Will Learn 44

    Properties and Features of Device Interfaces 45

    Interface Types and Aliases 46

    Requirements for Device Interfaces 46

     About DHCP Server and DHCP Relay 46

     About WINS/DNS 47

     About Network Modes 48

     About Dynamic DNS 48

     About Secondary Networks 49

     About Network Bridges 50

     About Static Routes 50

     About Other Networking Features 52


    IPv6 53

    Exercise 1 — Configure the External Interface 54

    Exercise 1A — Configure the External Interface with a Static IP Address 54

    Exercise 1B — Configure the External Interface for DHCP 55

    Exercise 1C — Configure the External Interface to Use PPPoE 57

    Exercise 2 — Configure a Trusted Interface as a DHCP Server 58

    Exercise 3 — Configure an Optional Interface 60

    Exercise 4 — Configure WINS/DNS Server Information 61

    Exercise 5 — Configure a Secondary Network 62

    Frequently Asked Questions 63

    Test Your Knowledge 64

     ANSWERS 66

    Notes 67

    Set Up Logging & Servers 68

    What You Will Learn 68

    Logging and Reporting Setup Process Overview 69

    Maintain a Record of Device Activity 70

    Logging and Notification Architecture 70

    Log Server 72

    Log Messages 72

    Log Files 73

    Exercise 1 — Set Up WatchGuard Server Center 74

    Exercise 2 — Set Up a WSM Log Server 75

    Set Up the Log Server 75

    Configure the Log Server 76

    Exercise 3 — Control Database and Notification Properties 77

    Configure Database and Notification Settings 77

    Send Log Notifications to a Network Administrator 79

    Change the Encryption Key 80

    Exercise 4 — Configure Where the Firebox Sends Log Messages 81

    Exercise 5 — Configure a WSM Report Server 85

     Add a Log Server 85


    Select Reports and Timing 87

    Test Your Knowledge 90

     ANSWERS 92

    Notes 93

    Monitor Your Firewall 94

    What You Will Learn 94

    Regular Monitoring Improves Security 95

    Exercise 1 — Review Network Status in WSM 97

    Interpret the Device Status Display 98

    Exercise 2 — Use Firebox System Manager 100

    Connect to a Firebox and Change the Display 101

    Use Traffic Monitor 103

    Run a TCP Dump Diagnostic Task and Download a PCAP File 104

    Change Traffic Monitor Settings 107

    Check Bandwidth Usage and Service Volume 108

    Exercise 3 — Create a Performance Console Graph 110

    Exercise 4 — Use HostWatch to View Network Activity 113

    Exercise 5 — Use the Blocked Sites List 114

    Test Your Knowledge 115

     ANSWERS 116

    Notes 117

    NAT 118

    What You Will Learn 118

    NAT Overview 119

    Dynamic NAT 119

    1-to-1 NAT 121

    Policy-based NAT 123

    Policy-based 1-to-1 NAT 123

    Static NAT 124

     About Static NAT Source IP Addresses 124

     About SNAT Actions 124

    NAT Loopback 125


    Exercise 1 — Add Firewall Dynamic NAT Entries 126

    Exercise 2 — Configure Static NAT to Allow Access to Public Servers 128

    Exercise 3 — Configure NAT Loopback to an Internal Web Server 131

    Other Reasons to Use NAT 133

    Test Your Knowledge 134

     ANSWERS 135

    Notes 136

    Threat Protection 137

    What You Will Learn 137

    Default Threat Protection Measures Block Intruders 137

    Use Default Packet Handling Options 138

    Unhandled Packets 139

     Automatically Block the Source of Suspicious Traffic 139

    Block Ports Commonly Used by Attackers 140

    Exercise 1 — Configure Default Packet Handling Options 141

    Exercise 2 — Block Potential Sources of Attacks 142

    Block a Site Permanently 142

    Create Exceptions to the Blocked Sites List 143

    Exercise 3 — Block Sites Automatically 144

    Test Your Knowledge 145

     ANSWERS 146

    Notes 147

    Policies 148

    What You Will Learn 148

    Policies are Rules for Your Network Traffic 149

     Add Policies 149

    Predefined Policies and Custom Policy Templates 151

    Configure Logging and Notification for a Policy 151

     Advanced Policy Properties 151

     About the Outgoing Policy 152

    Policy Precedence 152

    Policy Tags and Filters 153


    Exercise 1 — Add a Packet Filter Policy and Configure Access Rules 154

     Add a Predefined Policy 154

    Modify Policies to Restrict Traffic 156

    Use a Policy to Allow Traffic 157

    Exercise 2 — Use FQDN in a Policy 159

    Exercise 3 — Create a Custom Packet Filter Template 161

    Make a New Policy Template 161

     Add and Configure the Custom Policy 162

    Exercise 4 — Configure Logging and Notification for a Policy 166

    Exercise 5 — Change Policy Precedence 167

    Override the Default Order of Policy Precedence 168

    Exercise 6 — Use Advanced Policy Properties 169

    Exercise 7 — Use Policy Tags and Filters to Group and Sort Policies 171

    Create and Apply a Policy Tag 171

    Filter the Policy List 173

    Test Your Knowledge 174

     ANSWERS 175

    Notes 176

    Proxy Policies 177

    What You Will Learn 177

    Proxy Policies and ALGs 177

     About the DNS Proxy 178

     About the FTP Proxy 179

     About H.323 and SIP ALGs 181

     About the TCP-UDP Proxy 181

    Exercise 1 — Use the DNS-Outgoing Proxy Action 182

     Add a DNS Outgoing Proxy Policy 182

    Block a DNS Request by Query Name 183

    Exercise 2 — Configure an FTP-Server Proxy Action 185

    Deny the Delete Command 185

    Restrict FTP File Uploads to Text Only 188

    Exercise 3 — Set Access Controls on H.323 Connections 189


    Test Your Knowledge 191

     ANSWERS 192

    Notes 193

    Email Proxies and Blocking Spam 194

    What You Will Learn 194

    Control the Flow of Email In and Out of Your Network 195

    SMTP Rulesets 195

    POP3 Rulesets 195

    Stop Unwanted Email at the Network Edge 196

    spamBlocker and DNS 197

    spamBlocker Tags 197

    spamBlocker Categories 197

    spamBlocker Exceptions 197

    Global spamBlocker Settings 198

    Use an HTTP Proxy Server 199

     Adding Trusted Email Forwarders 199

    Exercise 1 — Use the SMTP-Proxy to Protect Your Mail Server 200

     Add an Incoming SMTP-Proxy Policy 200

    Decrease Maximum Message Size 201

     Allow and Deny Content Types and Filenames 203

    Control Mail Domain Use for Incoming Traffic 205

    Exercise 2 — Control Outgoing SMTP Connections 207

     Add an Outgoing SMTP-Proxy Policy 207

    Control Email Message Size 208

    Control Mail Domain Use for Outbound SMTP 209

    Restrict Email by Attachment Filename 211

    Exercise 3 — Use a POP3-Client Policy 213

     Add a POP3 Client Policy 213

    Configure the POP3 Policy to Lock Attachments 214

    Exercise 4 — Activate spamBlocker 216

    Exercise 5 — Configure the spamBlocker Service 217

    Determine What Happens to spam Email 217


     Add spamBlocker Exceptions 218

    Enable Alarms When a Virus is Detected 219

    Exercise 6 — Monitor spamBlocker Activity 220

    Test Your Knowledge 221

     ANSWERS 223

    Notes 224

    Web Traffic 225

    What You Will Learn 225

    Control Web Traffic Through Your Firewall 226

    Control Outgoing HTTP Requests 227

    Protect Your Web Server 227

    HTTP-Proxy Action Rulesets 228

    Monitor Secured HTTP Traffic with the HTTPS-Proxy Policy 231

    Bandwidth and Time Quotas 231

    Restrict Web Access with WebBlocker 231

    WebBlocker Server Options 232

    WebBlocker Categories 232

    WebBlocker Exceptions 232

    WebBlocker Local Override 233

    WebBlocker Schedules 234

    WebBlocker Server 234

     About Reputation Enabled Defense 235

    Reputation Scores 236

    Reputation Thresholds 236

    Reputation Lookups 237

    Reputation Enabled Defense Feedback 237

    Monitor Reputation Enabled Defense 238

    Exercise 1 — Configure HTTP Connections from Trusted Users 239

     Add an HTTP Client Proxy Policy 239

    Enable Logging for Each HTTP Client Connection 240

    Block HTTP Client Connections by URL Path 241

     Allow Microsoft Office Documents and ZIP Files Through the HTTP-Proxy 242


    Customize the Deny Message 244

    Exercise 2 — Use HTTP-Proxy Exceptions to Allow Software Updates 245

    Exercise 3 — Configure an HTTP-Server Proxy Action 246

     Add the HTTP-Server Proxy Policy 246

    Create a New Proxy Policy Ruleset 247

    Exercise 4 — Enable Bandwidth and Time Quotas 248

    Exercise 5 — Selectively Block Websites with WebBlocker 252

     Add a WebBlocker Action 252

    Select Categories to Block 253

    Create an Exception 254

    Enable WebBlocker Local Override 255

    Exercise 6 — Set Up Reputation Enabled Defense 256

    Exercise 7 — See Reputation Enabled Defense Statistics 258

    Frequently Asked Questions 259

    Test Your Knowledge 260

     ANSWERS 263

    Notes 264

    Signature Services and APT Blocker 265

    What You Will Learn 265

    Identify and Stop Viruses at the Edge of Your Network 266

     AntiVirus Scans User Traffic for Viruses and Trojans 267

    Configure Gateway AntiVirus Actions 267

    Use Gateway AntiVirus with Compressed Files 268

    Block Advanced Malware with APT Blocker 268

     APT Blocker and Gateway AntiVirus 269

    Supported File Types 269

     APT Blocker Threat Levels 269

    Configure APT Blocker Actions 270

     APT Blocker Notifications and Alarms 270

    Control the Loss of Sensitive Data 271

    DLP Content Control Rules 271

    DLP Custom Rule 272


     Apply the Global Application Control Action to Policies 299

    Exercise 7 — Use Different Application Control Actions for Different Policies 300

    Test Your Knowledge 303

     ANSWERS 304

    Notes 305

    Authentication 306

    What You Will Learn 306

    Monitor and Control Network Traffic by User 307

    How Firebox User Authentication Works 307

    Use Authentication from the External Network 307

    Use Authentication through a Gateway Firebox to Another Device 308

     Authentication Methods Available with Fireware 308

    Use the Firebox Authentication Server 308

     About Third-Party Authentication Servers 309

    RADIUS Authentication Servers 309

    SecurID Authentication Servers 309

    LDAP Authentication Servers 310

     Active Directory Authentication Servers & Single Sign-On 310

     About Authentication Timeout Values 311

    Exercise 1 — Add a Firebox User Group and Add Users 312

    Create a Firebox User Group 312

     Add Firebox Users 313

    Exercise 2 — Edit Policies to Use Firebox Authentication 316

    Exercise 3 — Set Global Authentication Values 318

    Set Global Timeout Values 318

    Set Other Global Values 318

    Exercise 4 — Use a Web Server Certificate 321

    Test Your Knowledge 322

     ANSWERS 324

    Notes 325

    Logging & Reporting 326

    What You Will Learn 326


    Review Log Messages 327

     About Log Messages 329

    Build Reports from Log Messages 330

    WSM Report Manager 330

    WatchGuard Reports 331

    View Reports with Report Manager 335

    Dimension Reports 336

    View Reports with Dimension 336

    Dimension Report List 337

    Exercise 1 — Use WSM Log Manager to View Log Messages 349

    Connect to WebCenter to View Log Messages 349

    View Log Messages 350

    Run a Search 350

    Export Log Messages 352

    Exercise 2 — Use Report Manager to View and Run Reports 354

    Connect to WSM Report Manager to View Reports 354

    View Reports 355

    Exercise 3 — Share Reports from Report Manager 358

    Exercise 4 — Send Log Messages to Dimension 359

    Exercise 5 — View Log Messages in Dimension 360

    Connect to Dimension 360

    View Log Messages 361

    Exercise 6 — Search Log Messages in Dimension 362

    Run a Simple Search 362

    Run a Complex Search 362

    Exercise 7 — Export Log Messages from Dimension 364

    Exercise 8 — Create Device Groups in Dimension 365

    Exercise 9 — View Reports in Dimension 366

    Exercise 10 — Export Reports from Dimension 367

    Export a Report as a PDF File 367

    Export a Report as a CSV File 369

    Test Your Knowledge 370


     ANSWERS 371

    Notes 372

    Branch Office VPN Tunnels 373

    What You Will Learn 373

    BOVPN Overview 373

    Benefits of a Branch Office VPN 373

    Branch Office VPN Types 375

    Select a VPN Type 376

    VPN Tunnel Capacity 377

    IPSec VPN Algorithms and Protocols 377

    Encryption Algorithms 377

     Authentication Algorithms 378

    Diffie-Hellman Key Exchange Algorithms 378

     AH (Authentication Header) 378

    ESP (Encapsulating Security Payload) 379

    VPN Negotiations 379

    What Happens During Phase 1 Negotiations 379

    What Happens During Phase 2 Negotiations 381

    Policies and VPN Traffic 382

     Automatically Add Policies That Allow All Traffic 382

    Use the BOVPN Policy Wizard 382

    Manually Add Policies 382

    Use a Tunnel Alias in Policies 382

    Global VPN Settings 383

    VPN Monitoring and Troubleshooting 384

    Monitor VPN Tunnel Status 384

    Troubleshoot a VPN 385

    VPN Diagnostic Report 387

    Filter Log Messages by Gateway IP Address 389

    IKE Log Messages 390

    Requirements for VPN Exercises 392

    Training Environment 392


    Necessary Equipment And Software 393

    Management Computer Configuration 393

    Network Topology 393

    Network Configuration 394

    Exercise 1 — Configure a BOVPN Gateway and Tunnel 395

    Before You Begin 395

    Configure Device A 395

     Add a Branch Office Gateway to the Site A Device Configuration 395

     Add a Branch Office Tunnel to the Device A Configuration 399

    Configure Device B 401

     Add a Branch Office Gateway to the Device B Configuration 401

     Add a Branch Office Tunnel to the Device B Configuration 403

    Test the Tunnel Configuration 404

    Ping From One Management Computer to Another Through the Tunnel 405

    Ping From a Device Interface to the Trusted Interface on the Other Device 405

    Check Tunnel Status 406

    Exercise 2 — Use VPN Diagnostics 406

    Exercise 3 — Use 1-to-1 NAT Through a BOVPN Tunnel 408

    Before You Begin 408

    Configure Duplicate Local Network IP Addresses 408

     Add a Tunnel Route with 1-to-1 NAT Enabled 409

    Configure Device A 409

    Configure Device B 410

    Test the VPN 411

    Verify the Tunnel Status 412

     Additional VPN Resources 413

    VPN Configuration Examples 413

    VPN Interoperability with Third-Party Devices 413

    Test Your Knowledge 414

     ANSWERS 416

    Notes 417

    Mobile VPN 418


    Review and Edit the Mobile VPN with IPSec Profile 438

    Exercise 2 — Get the Mobile VPN Client Configuration Files 440

    Enable Remote Management 440

    Get the Client Configuration Files 441

    Exercise 3 — Use an IPSec VPN Client 442

    Before You Begin 442

    Required Files 442

    Other Important Information 442

    Exercise 3A — Use the Shrew Soft IPSec VPN Client 443

    Install the Shrew Soft VPN Client 443

    Import the Mobile VPN Client Configuration File 443

    Connect and Disconnect 444

    Exercise 3B — Use the WatchGuard Mobile VPN with IPSec Client 445

    Install the Mobile VPN Client 445

    Import the Mobile VPN Client Configuration File and Connect 446

    Connect and Disconnect 448

    Exercise 4 — Set Up Mobile VPN with SSL 449

     Activate the Device for SSL VPN 449

     Add Users to the SSLVPN-Users Group 452

    Exercise 5 — Use the Mobile VPN with SSL Client 453

    Install the Mobile VPN with SSL Client 453

    Connect with the Mobile VPN with SSL Client 454

    Other Client Authentication Options 455

    Test Your Knowledge 456

     ANSWERS 458

    Notes 459

    Fireware Web UI 460

    What You Will Learn 460

    Introduction to Fireware Web UI 460

    Limitations of Fireware Web UI 461

    Connect to Fireware Web UI 461

     About Certificate Warnings 462


    Log In 464

    Navigate Fireware Web UI 465

     About the Dashboard Pages 466

    Get Help 466

     About the Status and Admin User Accounts 467

     About Timeouts for Management Sessions 468

    Control Access to the Web UI 471

     About the Port for the Web UI 473

    Exercise 1 — Connect to the Web UI with the Status User Account 475

    Exercise 2 — Configure a Device for Remote Web UI Administration 478

    Exercise 3 — Use FireWatch 482

    Test Your Knowledge 486

     ANSWERS 487

    Notes 488


    Course Introduction

    Firewall Essentials with Fireware v11.10

    Devices: WatchGuard Firebox devices

    Device OS versions: Fireware® v11.10

    Management software versions: WatchGuard® System Manager v11.10

    Training Options

    If you use Fireware OS and WatchGuard System Manager (WSM) for your Firebox, there are several training options

    available to you:

    Classroom training with a WatchGuard Certified Training Partner (WCTP)

    WatchGuard maintains a worldwide network of certified training partners who offer regular training courses. A list

    of training partners can be found on our website at:

    http://www.watchguard.com/training/partners_locate.asp

    Quick review presentation

    You can download and review the Firewall Essentials presentation. This PowerPoint presentation gives an

    overview of WatchGuard System Manager and Policy Manager. Students learn how to install a Firebox with the

    Quick Setup Wizard, create basic security policies, and get more information about additional subscription

    services.

    Fireware Essentials Online Course

    Each training module available for WatchGuard System Manager and Fireware OS focuses on a specific feature

    or function of configuration and security management.

    For more information, including configuration steps for advanced procedures, see Fireware Help.


    Training Scenario

    Throughout these training modules, we refer to the fictional company, Successful Company. Each module in this

    course builds on a story of configuring a firewall and network for Successful Company, but you can complete many of 

    the exercises using examples from your own network or a set of addresses and situations provided by your 

    WatchGuard Certified Training instructor. Any resemblance between the situations described for Successful Company

    and a real company is purely coincidental.

    Prerequisites

    This course is intended for moderately experienced network administrators. A basic understanding of TCP/IP

    networking is required. No previous experience with network security, WatchGuard System Manager, or WatchGuard

    hardware devices is required.


    Training Network Configuration

    Most of the exercises in this courseware use the RFC 5737 documentation IP addresses to represent public network IP

    addresses. Most of the training modules, as well as the VPN exercises, in this courseware use this network

    configuration:

    To support all of the exercises in this course, your training environment must include this network equipment:

    • One Firebox per student, and one for the instructor.

    • One network hub or switch with enough interfaces to connect the instructor and all of the student Firebox devices.

    • A management computer for each student and for the instructor.


    Student Firebox IP Addresses

    Students may be assigned a number (10, 20, 30, etc.) to identify the last IP address octet for their external addresses,

    and the third octet for internal addresses in relation to their Firebox devices. This allows for similar configuration among

    devices and prevents IP address conflicts and subnet overlap.

    Each student will configure a device with these addresses, where X is the student number:

    • Eth0 (External) — 203.0.113.X/24, Default Gateway 203.0.113.1

    • Eth1 (Trusted) — 10.0.X.1/24

    In most of the exercises, your external interface and trusted interface IP addresses are determined by your student

    number. Replace the X in the exercises with your student number.

    Instructor Firebox IP Addresses

    Eth1 of the instructor Firebox must be connected to the switch and configured to act as the default gateway for the

    external network for student Firebox devices. The instructor Firebox must be configured with these addresses:

    • Eth0 (External) — Use appropriate addressing for a training environment with an Internet connection. (This is

    optional. Internet access is not required for these exercises.)

    • Eth1 (Trusted) — 203.0.113.1/24

    This is the default gateway for the primary external interface on student Firebox devices.

    To allow DNS to operate from the training environment, you must also configure a DNS server, in the

    Network > Configuration > WINS/DNS tab.

    For DNS to function for students, the student devices and computers must also be configured to use

    the DNS server.


    Configuration Changes for the Instructor Firebox

    To make the training network functional for these exercises, the instructor must make two more configuration changes

    to the instructor’s device.

    1. Create an Any policy to allow traffic between the trusted interfaces.

    2. To enable access to the Internet, update the settings in Network > NAT > Dynamic NAT to add a dynamic

    entry for Any-Trusted - Any-External.

    Or, you can add dynamic NAT rules from RFC 5737 addresses to Any-External (for example, add a dynamic

    NAT rule for 203.0.113.0/24 – Any-External).
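    The student and instructor address plan above can be checked mechanically before a class starts. The following is an added example, not part of the guide or of WatchGuard's tooling: it derives each student's Eth0 and Eth1 addresses from the student number and flags duplicate numbers, a student address that collides with the instructor gateway (student number 1), overlapping trusted networks, and external addresses outside the RFC 5737 ranges or outside the instructor's optional 203.0.113.0/24 dynamic NAT source. The function names are my own.

```python
import ipaddress
from itertools import combinations

# Training address plan from the Course Introduction: student number X sets the
# last octet of the external address (203.0.113.X/24, RFC 5737 TEST-NET-3) and
# the third octet of the trusted network (10.0.X.1/24). The instructor Firebox
# Eth1 (203.0.113.1/24) is the students' default gateway.
EXTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")
DEFAULT_GATEWAY = ipaddress.ip_address("203.0.113.1")
# Source network of the instructor's optional dynamic NAT rule
# (203.0.113.0/24 - Any-External); every student external address must fall in it.
DNAT_SOURCE = ipaddress.ip_network("203.0.113.0/24")
RFC5737_NETS = [ipaddress.ip_network(n)
                for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]


def student_plan(x):
    """Return (Eth0 external interface, Eth1 trusted interface) for student number x."""
    if not 1 <= x <= 254:
        raise ValueError("student number must fit a usable host octet (1-254)")
    external = ipaddress.ip_interface(f"203.0.113.{x}/24")
    trusted = ipaddress.ip_interface(f"10.0.{x}.1/24")
    return external, trusted


def check_plan(student_numbers):
    """Validate the plan for one class; returns a list of problem strings (empty = OK)."""
    problems = []
    seen = set()
    for x in student_numbers:
        if x in seen:
            problems.append(f"student number {x} assigned twice (duplicate addresses)")
        seen.add(x)
    plans = {x: student_plan(x) for x in seen}
    for x, (ext, tr) in plans.items():
        if not any(ext.ip in net for net in RFC5737_NETS):
            problems.append(f"student {x}: external {ext.ip} is not an RFC 5737 documentation address")
        if DEFAULT_GATEWAY not in ext.network:
            problems.append(f"student {x}: gateway {DEFAULT_GATEWAY} is outside {ext.network}")
        if ext.ip == DEFAULT_GATEWAY:
            problems.append(f"student {x}: external address collides with the instructor gateway")
        if ext.ip not in DNAT_SOURCE:
            problems.append(f"student {x}: external {ext.ip} is not covered by the dynamic NAT source")
        if tr.network.overlaps(ext.network):
            problems.append(f"student {x}: trusted {tr.network} overlaps the external network")
    # Pairwise check that no two students share or overlap a trusted subnet.
    for (a, (_, ta)), (b, (_, tb)) in combinations(sorted(plans.items()), 2):
        if ta.network.overlaps(tb.network):
            problems.append(f"students {a} and {b}: trusted networks overlap ({ta.network})")
    return problems


if __name__ == "__main__":
    for x in (10, 20, 30):
        ext, tr = student_plan(x)
        print(f"student {x}: Eth0 {ext}  Eth1 {tr}")
    print("problems for [10, 20, 30]:", check_plan([10, 20, 30]) or "none")
    print("problems for [10, 1, 10]:", check_plan([10, 1, 10]))
```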


    Fireware Web UI and Command Line Interface

    You can use Fireware Web UI (Web UI) and the WatchGuard Command Line Interface (CLI) to complete many of the

    same tasks that you perform in WatchGuard System Manager and Policy Manager. Some advanced configuration

    options and features are not available with Fireware Web UI or the Command Line Interface.

    Because not all configuration options are available in the Web UI and CLI, and because the Web UI and CLI are online

    configuration tools (you need a network connection to a Firebox to use them), most of the exercises in the training

    modules for this course do not use the Web UI, and none use the CLI.

    Additional Resources

    For more information about how to install and configure WatchGuard System Manager see these resources:

    Fireware Help

    You can launch the Help system from your management computer after you install WSM. To view more

    information about the features in a dialog box or application window, click Help or press the F1 key. A topic that

    describes the features you see and provides links to additional information appears in your default web browser.

    For the most up-to-date information, browse to http://www.watchguard.com/help/documentation/ and launch the

    Fireware Help. You can also download the Help system for offline use.

    WatchGuard Online Knowledge Base

    Browse to http://customers.watchguard.com/.

    For information about how to set up an XTMv virtual machine, see:

    WatchGuard XTMv Setup Guide

    Browse to http://www.watchguard.com/help/documentation/ and download the WatchGuard XTMv Setup Guide.



    Getting Started

    Set Up Your Management Computer and Device

    What You Will Learn

    WatchGuard System Manager is the primary management software application used to monitor and manage Firebox

    devices and WatchGuard servers. In addition to the many management and monitoring tools available in WatchGuard

    System Manager, you can use WatchGuard Dimension to monitor your device and see deep into the activity on your 

    network.

    In this training module, you learn how to:

    • Use the Quick Setup Wizard to make a basic Firebox device configuration file

    • Start WatchGuard System Manager and connect to Firebox devices and servers

    • Start Policy Manager and open a device configuration file

    Before you begin the exercises in this module, make sure you read the Course Introduction module.

    Management, Monitoring, and Visibility Tools

    For all of your Firebox devices, you can use the rich suite of management, configuration, monitoring, and visibility tools

    available from WatchGuard. This includes WatchGuard System Manager (WSM) and all the WSM tools, WatchGuard

    Server Center and the WSM servers, and the many WatchGuard Dimension tools. These tools are described in the

    subsequent sections.


    Start with WatchGuard System Manager

    Most of the procedures you complete in this training module start from WatchGuard System Manager (WSM), which is

    the primary software application you use to manage all the Firebox devices and WatchGuard servers in your network.

    You can use WSM to connect to any WatchGuard Firebox. This includes all Firebox and XTM device models, as well as
    the SOHO device models. In this training module, we use only the latest Firebox devices.

    WSM Components

    WatchGuard System Manager (WSM) includes several monitoring and configuration tools, including Policy Manager,
    Firebox System Manager, HostWatch, Log Manager, Report Manager, and CA Manager. You can start these tools after
    you open WSM.

    WatchGuard Server Center is the application you use to set up, configure, and manage the five WatchGuard servers,
    as well as configure users and groups for role-based administration.

    This diagram shows the components of WatchGuard System Manager and how you can get access to them.

    If you take this course with a training partner, the servers are installed on the management computer.


    You install the WSM management software on a personal computer running Microsoft Windows XP or later. We refer to
    this computer as your management computer. When you install WSM on your management computer, you have the option
    to install any or all of the WatchGuard servers. When you choose to install any of the servers, WatchGuard Server
    Center is installed automatically.

    • Management Server — Manages multiple Firebox devices at the same time and creates virtual private network
    (VPN) tunnels with a simple drag-and-drop method.

    • Log Server — Collects log messages from Firebox devices and servers.

    • Report Server — Periodically consolidates data collected by your Log Servers and uses this data to generate
    the reports that you select.

    • Quarantine Server — Collects and isolates SMTP email confirmed as spam by spamBlocker, or confirmed to
    have a virus by Gateway AntiVirus or by spamBlocker's Virus Outbreak Detection feature.

    • WebBlocker Server — Provides information for an HTTP-proxy to deny user access to specified categories of
    websites.

    You can install these servers on your management computer, or you can install them on other computers on your 

    network that are dedicated to these tasks. Each server has different requirements and may need to be able to connect

    to other servers, the Firebox, or the management computer.

    WatchGuard WebCenter is the web UI that is installed with your WSM servers, where you can view Log Manager,

    Report Manager, and CA Manager. When you install the Log Server, Report Server, or Management Server,

    WatchGuard WebCenter is automatically available at the IP address where each server is installed. You can connect to

    WebCenter at the IP address of your Log Server, Report Server, or Management Server, over port 4130.

    For more information, see the training module related to each server.

    WatchGuard Dimension

    WatchGuard Dimension™ is a virtual solution you can use to capture the log data from your Firebox devices,

    FireClusters, and WatchGuard servers and create a management connection to your Firebox devices and FireClusters.

    You can use Dimension to see log data in real-time, track it across your network, view the source and destination of the
    traffic, view log message details of the traffic, monitor threats to your network, and view or generate reports of the

    traffic. From Dimension, you can open Fireware Web UI for Firebox devices and FireClusters that are managed by

    Dimension and also take action on the information you see in the log messages, tools, and reports available in

    Dimension.

     After you install Dimension, you run the WatchGuard Dimension Setup wizard to complete the initial configuration of 

    Dimension. Then, you configure your Firebox devices and WatchGuard servers to send log messages to Dimension

    and add Firebox devices to Dimension for management.

    In this training course, we only discuss the logging and reporting aspects of Dimension. For more information about

    Dimension, see Logging & Reporting on page 326.


    Activate Your Device

    You must activate your Firebox on the WatchGuard website before you can configure the device. When you activate the

    Firebox, you start the Support subscription for the Firebox. The Support subscription provides alerts, threat responses,

    and expert advice to help you keep your network secure and up-to-date. When you subscribe to Support, you also get

    access to the latest software upgrades for your Firebox, as well as access to technical support and training resources.

    If you take this course with a training partner, your Firebox will already be activated and include the

    feature keys you need for the course.

    To activate the Firebox, you must have:

    n   An account on the WatchGuard website

    n   The Firebox serial number 

    To create a new WatchGuard account, go to:

    https://www.watchguard.com/account/registration_gate.asp

    To activate your device with an existing WatchGuard account, log in to the WatchGuard website. In the WatchGuard

    Support Center, click Activate a Product.

    Use the Setup Wizards

    There are two setup wizards you can use to quickly create a functional configuration file for your Firebox. To use either 

    setup wizard, you must connect your management computer to the trusted interface (eth1) of the Firebox.

    Quick Setup Wizard 

    You can use the Quick Setup Wizard to discover and set up your Firebox. To start the Quick Setup Wizard, in

    WatchGuard System Manager, select Tools > Quick Setup Wizard.

    Web Setup Wizard 

    You can use the Web Setup wizard to set up a Firebox from any computer that has a web browser. To start the

    Web Setup Wizard, in a web browser, type https://10.0.1.1:8080.

    Both setup wizards help you to set up your device with a secure policy configuration and basic network settings. The

    Web Setup wizard can also activate the device and download the required feature key, if the external interface is

    connected to a network with Internet access. The Quick Setup Wizard does not help you with device activation, but

    does provide a couple of additional network configuration options (drop-in mode and optional interface configuration).

    The Quick Setup Wizard also includes an option to install software on a device started in recovery mode. The main

    reason to use the Quick Setup Wizard with a device in recovery mode is to install an older version of software if you do

    not have a device backup. If you use recovery mode to install an older OS version, you must first uninstall any newer 

    versions of Fireware OS from your management computer.

    See Fireware Help for more information about how to use recovery mode with the Quick Setup Wizard.


    About Factory-Default Settings

    Each new Firebox uses factory-default settings. You can also reset a Firebox to factory-default settings. When a

    Firebox uses factory-default settings, only two interfaces are active:

    Interface 0 (Eth0)

    Interface 0 is configured as an External interface, and is configured to use DHCP to request an IP address. If you

    use the Web Setup Wizard to configure a device, we recommend that you connect Interface 0 to a network that

    has a DHCP server and Internet access, so the Firebox can connect to WatchGuard to download the Firebox

    feature key.

    To use RapidDeploy to configure your Firebox, you must connect Interface 0 to a network with

    Internet access. For more information about RapidDeploy, see Fireware Help.

    Interface 1 (Eth1)

    Interface 1 is configured as a Trusted interface, with the IP address 10.0.1.1. It has a DHCP Server enabled, and

    is configured to assign IP addresses on the 10.0.1.0/24 subnet. You must connect your computer to interface 1

    or to a network connected to Interface 1 when you run the Web Setup Wizard or Quick Setup Wizard.

    To connect to the device when you use either setup wizard, your computer must have an IP address on the

    10.0.1.0/24 subnet. If your computer uses DHCP, it will get a new IP address automatically after you connect to

    interface 1. If your computer does not use DHCP, you must change the IP address to an IP address on the same

    subnet as the IP address of Interface 1. For example, 10.0.1.2.


    Exercise 1 — Create a Configuration File with the Quick

    Setup Wizard

    You can use either the Web Setup Wizard or the Quick Setup Wizard to create a basic configuration file for a new

    Firebox, or a Firebox that has been reset to factory-default settings. The Quick Start Guide that ships with your Firebox

    describes how to use the Web Setup Wizard. In this exercise you use the Quick Setup Wizard, which is part of Firebox

    System Manager.

    Your instructor will provide you with the information and files you need to configure your Firebox for the

    training environment.

    For this exercise you need:

    • A feature key — You receive the feature key when you activate your Firebox on the WatchGuard website. Each
    feature key is unique to the serial number of the Firebox. Save a copy of the feature key to the management
    computer before you start the Quick Setup Wizard. You can finish the wizard without the feature key, but the
    feature key is required to enable all device functionality.

    If the Firebox does not have a feature key, it allows only one connection to the Internet.

    • WSM and Fireware OS on the management computer — WSM is the software installed on the management
    computer and WatchGuard servers. Fireware is the operating system (OS) installed, with a configuration file, on
    the Firebox. Download the latest versions of the software and Fireware OS from the WatchGuard Portal. WSM and
    Fireware are separate software downloads. You must download and install both packages on your management
    computer. The management computer must be on the same network subnet as the device.

    • Your network information — At a minimum, you must know the IP address of your gateway router and the IP
    addresses to give to the external and trusted interfaces of the Firebox. For the training environment, use
    203.0.113.1 as the default gateway.

    • A Firebox — You need a Firebox that has factory-default settings. This can be a new Firebox, or a Firebox that
    has been reset to factory-default settings.

    For an XTMv device, Fireware OS is included in the XTMv virtual appliance Open Virtualization Format (OVF) file. For
    more information, see the WatchGuard XTMv Setup Guide at www.watchguard.com/help/documentation/

    When you configure the Firebox with the Quick Setup Wizard or Web Setup Wizard, the wizard adds five basic policies:

    Outgoing, FTP packet filter, Ping, WatchGuard WebUI, and WatchGuard. It also sets interface IP addresses.


    To connect to a device with read-only privileges, you use a Device Monitor user account. You can use

    the default status Device Monitor user account for this purpose. If you save the configuration file or 

    add the Firebox to the Management Server as a managed device, you are prompted to type the

    credentials for a user account with Device Administrator privileges. The default Device Administrator 

    user account for your device is the admin user account.

    4. In the User Name and Passphrase text boxes, type the credentials for a Device Management user account with

    a Device Monitor (read-only) role on your Firebox. The default status account is specified by default.

    5. From the Authentication Server drop-down list, select the authentication server for the user you specified.

    If you select an Active Directory server, you must also specify the Domain for the server you selected.

    6. If necessary, change the value in the Timeout text box.

    This value sets the amount of time (in seconds) that WSM waits for an answer from the Firebox before WSM shows a

    message that it cannot connect.

    If you have a slow network or Internet connection to the device, you can increase the timeout value. If you decrease the
    value, you decrease the time you must wait for a timeout message if you try to connect to a device that is not available.

    7. Click Login.

    WSM connects to the Firebox and shows the status of the Firebox on the Device Status tab.

    8. On the Device Status tab, click the plus sign (+) to expand the Firebox entry.

    Information about the Firebox appears.


    Exercise 3 — Start Policy Manager

    Policy Manager is the WSM tool you use to build the security rules your Firebox uses to protect your network. You use

    Policy Manager to configure policies, set up VPNs, change Device Management user account passphrases, and

    configure logging and notification options.

     A policy  is a set of rules that defines how the device manages packets that come to its interfaces. The policy identifies

    the source and destination of the packets. It also specifies the protocol and ports of the traffic that the policy controls. It

    includes instructions for the device about how to identify the packet and whether to allow, deny, drop, or block the

    connection. Policy Manager displays each policy as a group of rules, or a ruleset . You can view these policies in a list

    with detailed information about each policy, or as icons.

    You can have more than one version of WSM installed on your computer. However, you can have only

    one version of the server components (Management Server, Log Server, Report Server, Quarantine

    Server, and WebBlocker Server) installed.

    In WatchGuard System Manager:

    1. On the Device Status tab, select your Firebox.

    If there is no device visible in WSM, select File > Connect To Device, and then connect to your device.

    2. Click the Policy Manager icon.

    Or, select Tools > Policy Manager .

    WSM checks the model and the OS (operating system) version used by the device. If you have multiple versions of 

    WSM software installed, WSM automatically opens the correct version of Policy Manager. If you launch Policy 

    Manager for a device that uses an older version of Fireware OS , WSM might ask if you want to upgrade the OS on that 

    device.


    Policy Manager opens in Details view by default.

    3. Select Setup > OS Compatibility.

    The OS Compatibility dialog box appears.

    4. Make sure that the selected version is 11.9 or higher.

    If you open the configuration file from a device, the OS Compatibility version is automatically set to match the

    OS version on the device. If you use Policy Manager to create a new configuration file, you must configure this

    setting before you can configure features that require a specific OS version.

    5. Click OK.


    Test Your Knowledge

    Use these questions to practice what you have learned and exercise new skills.

    1. True or false? You must have a WatchGuard Management Server to use a simple drag-and-drop function for
    VPN creation.

    2. Circle the best tool for each task:

    Task                                      Tool
    A) Monitor the status of one device       WatchGuard System Manager / Policy Manager
    B) Change the device network interfaces   WatchGuard System Manager / Policy Manager
    C) Configure a policy for web traffic     WatchGuard System Manager / Policy Manager

    3. True or false? When connecting to your Firebox, you should decrease the Timeout setting if you have a slow

    network or Internet connection to your Firebox.

    4. Which of the following are required before you can use the Quick Setup Wizard to make a basic device

    configuration file that allows more than one connection to the Internet? (Select all that apply.)

    ( ) A) An account on the WatchGuard website

    ( ) B) The Firebox model number

    ( ) C) The IP address of the gateway router this device will connect to

    ( ) D) A feature key

    ( ) E) A live connection to the Internet

    ( ) F) A web browser

    ( ) G) An IP address to give to the external and trusted interfaces of the Firebox

    5. Fill in the blank: A ________ is a set of rules that defines how the Firebox manages packets that come to its

    interfaces.


    6. Which of the following are WatchGuard System Manager components? (Select all that apply.)

    ( ) A) LogViewer

    ( ) B) Router

    ( ) C) Policy Manager

    ( ) D) Appliance Monitor

    ( ) E) Windows NT Server

    ( ) F) Report Server

    ( ) G) Management Computer

    7. True or false? You must install all WatchGuard servers on one management computer.

    8. True or false? You do not have to install a WatchGuard server to use WatchGuard Server Center.


    ANSWERS

    1. True

    You cannot centrally manage a device unless you configure a WatchGuard Management Server.

    2. A) WatchGuard System Manager
    B) Policy Manager
    C) Policy Manager

    3. False

    You should increase the Timeout setting if you have a slow network or Internet connection to the Firebox.

    4. A, C, D, and G

    5. policy

    6. A, C, F, and G

    7. False

    8. False


    Administration

    Manage the Device Configuration

    What You Will Learn

     After you install the Firebox in your network and use the Quick Setup Wizard to give it a basic configuration file, you can

    add custom configuration settings to meet the needs of your organization. You can save configuration files in a variety

    of locations.

    In this training module, you learn how to:

    • Open and save configuration files

    • Configure the Firebox for remote administration

    • Add Device Management user accounts

    • Add feature keys to the Firebox

    • Back up and restore the device configuration

    • Add Firebox identification information

    Before you begin these exercises, make sure you read the Course Introduction module.

    Manage Configuration Files and Device Properties

     A device configuration file includes all configuration data, options, IP addresses, and other information for the Firebox.

    On the Firebox, the configuration file works with the OS to control the flow of traffic through the Firebox. The file

    extension for a device configuration file is .xml.

    Policy Manager is a WatchGuard® software tool that you can use to create, change, and save configuration files. When

    you use Policy Manager, you see a version of your configuration file that is easy to examine and modify.


    Policy Manager is an offline configuration tool. When you connect to a Firebox and open the device configuration file

    with Policy Manager, you are editing a local copy of the configuration file. Changes you make in Policy Manager have no

    effect on Firebox operation until you save them to the Firebox.

    About the OS Compatibility Version

    Policy Manager can manage Firebox devices that use different versions of Fireware OS. Each device configuration has

    an OS Compatibility setting that controls which configuration options are available for some features.

    • If you connect to a Firebox and use Policy Manager to open the configuration file for the Firebox, the Fireware OS
    version in the file is automatically set based on the OS version the Firebox uses.

    • If you use Policy Manager to create a new configuration file, you must select the Fireware OS version before you
    can configure some features, such as network settings and Traffic Management.

    To set the OS Compatibility version, in Policy Manager select Setup > OS Compatibility.

    About the Feature Key

    When you activate a Firebox or activate add-on services or features for a Firebox, a feature key is generated to enable

    features on your Firebox. You can download the feature key from the WatchGuard website when you activate your 

    Firebox. You can then add this feature key to your Firebox from the Quick Setup Wizard, Web Setup Wizard, Policy

    Manager, or the Fireware Web UI. If you use the Web Setup Wizard, the Firebox can download the feature key

    automatically.

    You must install a feature key on your Firebox to enable full functionality. If your Firebox does not have a feature key, it

    allows only one user to connect to the Internet. The feature key contains a list of licensed features and capacities for 

    your Firebox. For the LiveSecurity Service, and security services, the feature key contains the service expiration date.

    To manage the feature key, in Policy Manager select Setup > Feature Key.

    When you renew subscription services, you must update the feature key on the Firebox for the subscription to remain
    active. To make sure that the feature key on the Firebox stays up to date, we recommend that you enable automatic

    feature key synchronization in the Feature Key settings. When automatic feature key synchronization is enabled, the

    Firebox automatically checks the expiration status of services once per day and downloads a new feature key from

    WatchGuard if a feature is expired or is within three days of expiration.

    When you save the configuration to a local file, the feature key is stored as a separate file, in the same

    directory as the configuration file. For example, if you save a device configuration with the file name

    Example, the configuration file is saved as a file named Example.xml  and the feature key is saved in a

    file named Example_lic.tgz .


    Saving a Configuration

    Because Policy Manager is an offline configuration tool, you can save the device configuration to a local file, and you

    can save it to a Firebox. Each time you save a configuration to a Firebox, Policy Manager does several checks to make

    sure that the settings in the configuration are valid for the Firebox. If any setting is not compatible, Policy Manager 

    displays a message and does not save the configuration to the Firebox. This could occur, for example, if the OS
    Compatibility setting in the file does not match the OS version on the Firebox, or if features are configured in a way that

    is not compatible with the OS version on the Firebox.

    Configuration Migration

    You can use Policy Manager to save the configuration file that was originally created for one Firebox to a different

    Firebox. To do this, you must remove the existing feature key from the configuration, and add the feature key for the

    new Firebox. When you add the new feature key, Policy Manager automatically updates the model number in the

    configuration file. Before you can save the configuration to a different Firebox, you might also need to change other 

    settings to make the configuration compatible with the new Firebox. For example, you might need to change the OS

    Compatibility setting, or modify the Network settings, if the new Firebox has a different number of network interfaces.

    For a video demonstration of configuration migration, see the Configuration Migration video available

    in the Product Documentation section of the WatchGuard website.

    Manage Users and Roles on Your Firebox

    You can use role-based administration on your Firebox to share the configuration and monitoring responsibilities for the

    Firebox among several individuals in your organization. This enables you to run audit reports to monitor which

    administrators make which changes to your device configuration file.

    By default, your Firebox includes these default user accounts and roles:

    Default User Account   Default Role                                    Default Passphrase
    admin                  Device Administrator (read-write permissions)   readwrite
    status                 Device Monitor (read-only permissions)          readonly
    wgsupport              Disabled

    When you add Device Management user accounts, you can use the two, predefined roles to create new user accounts

    to monitor and manage your Firebox. User accounts that are assigned the Device Monitor role can connect to the

    Firebox with read-only permissions to monitor the Firebox, but cannot change the configuration file. User accounts that

    are assigned the Device Administrator role can connect to the Firebox to change the configuration file and monitor the

    Firebox. More than one Device Monitor can always connect to the Firebox at the same time. But, you must enable the

    option to allow more than one Device Administrator to log in to the Firebox at the same time. If you do not enable this

    option, only one Device Administrator can log in to the Firebox at a time.


    The wgsupport  user account is disabled by default. This account is for WatchGuard Technical Support access to your 

    Firebox. You can enable it and specify a passphrase for it if you need to enable access to your Firebox for WatchGuard

    Technical Support. We will not enable or modify this user account in this course.

    You can use these authentication servers for Device Management user accounts on your Firebox:

    • Firebox-DB

    • Active Directory

    • LDAP

    • RADIUS

    The default Device Management user accounts use the Firebox-DB authentication server.

    For external authentication servers (not Firebox-DB), make sure to add the user account to the authentication server 

    before you add the user account to your Firebox. The user account credentials that you specify for the user accounts on

    your Firebox are case-sensitive and must match the user credentials as they are specified on the external

    authentication server.


    Exercise 1 — Open and Save Configuration Files

    The Quick Setup Wizard makes a basic configuration file for your Firebox. We recommend that you use this

    configuration file as the base for all your configuration files. You can also use Policy Manager to make a new

    configuration file with only the default configuration properties.

    To create a new configuration file:

    1. Open Policy Manager.

    2. Select File > New.

    A new configuration file appears with the default policies and settings.

    Policy Manager is an offline configuration tool. The Web UI and the CLI are online configuration tools.

     An offline configuration tool lets you make many changes to a configuration file without sending the

    changes to the Firebox.

     An online configuration tool is designed to immediately send all changes to the Firebox.

    Most of the time, when you want to manage your Firebox configuration, you use WatchGuard System Manager (WSM)

    to connect to the Firebox and launch Policy Manager. When you do this, WSM loads the current device configuration file

    in Policy Manager. You can save a copy locally and then open this local copy in Policy Manager any time you want to

    work offline.

    In this exercise, you open the current configuration file for your Firebox and save it to your local hard drive:

    1. Open WatchGuard System Manager and connect to your Firebox.

    If you are not familiar with this procedure, see the Getting Started or ask your instructor.

    2. Click the Policy Manager icon.

    Or, select Tools > Policy Manager .

    Policy Manager starts and loads the configuration file currently on your Firebox.


    3. Select File > Save > As File.

    The Save dialog box appears.

    4. In the File Name text box, type Basics-Start.

    5. Click Save.

    By default, configuration files are saved to the My Documents\My WatchGuard\configs folder. The

    configuration file type is XML.

    6. To save an updated configuration file to the Firebox and to a local file, select File > Save > To Firebox.

    To save the file to the Firebox, you must specify a user name and passphrase for a user account with Device

    Administrator privileges. When you save a configuration file to the Firebox, you can also save it to a local file.

    If you lose the passphrase for the admin account, and you do not know the passphrase for any other account with

    Device Administrator privileges, you cannot save configuration changes to the Firebox.

    If you have lost the admin passphrase and you have a saved configuration file, you can regain administrative access to
    the Firebox without losing the configuration settings. To do this you must reset the Firebox to factory-default settings,
    and then use the default admin account, with the default passphrase readwrite, to save the configuration to the Firebox
    from Policy Manager.

     Administration

    30 WatchGuard Technologies, Inc.


Exercise 2 — Configure a Firebox for Remote Administration

This exercise is most useful for an instructor to connect to a student Firebox during a classroom session. If you are self-instructed and do not need to remotely manage your Firebox, you can skip to the next exercise.

When you use the Quick Setup Wizard to configure your Firebox, a policy that allows you to connect to and administer the Firebox from any computer on the trusted or optional networks is automatically created. If you want to manage the Firebox from a remote location (any location external to the Firebox), then you must change your configuration file to allow administrative connections from your remote location.

The packet filter policy that controls administrative connections to the Firebox is WG-Firebox-Mgmt. The Quick Setup Wizard adds this policy with the name WatchGuard. This policy controls access to the Firebox on TCP ports 4105, 4117, and 4118. When you allow connections in the WatchGuard policy, you also allow connections to each of these ports.

Before you change a policy to allow connections to the Firebox from a computer external to your network, it is a good idea to consider these alternatives:

• Is it possible to connect to the Firebox with a VPN? This greatly increases the security of the connection. If you can connect with a VPN, then you do not need to allow connections from a computer external to your network. If it is not possible to connect to the Firebox with a VPN, you might want to consider using authentication as an additional layer of security.

• It is more secure to limit access from the external network to the smallest number of computers possible. For example, it is more secure to allow connections from a single computer than it is to allow connections from the alias Any-External.

To restrict or expand access to the Firebox, edit the From list in the WatchGuard policy.

• You can allow connections to the Firebox from external networks by adding the Any-External alias (or an appropriate IP address).

• You can restrict connections to the Firebox from internal locations by removing the Any-Trusted and Any-Optional aliases and replacing them with the specific IP addresses from which you want to allow access.

• You can remove all IP addresses and aliases, and replace them with user names or group names. When you do this, you force users to authenticate before they are allowed to connect to the Firebox.

If you decide to allow connections to the Firebox from Any-External, it is especially important that you set very strong Device Management passphrases. It is also a good idea to change your passphrases at regular intervals.

Your instructor might ask you to complete these steps. This will enable your instructor to troubleshoot configuration issues from his computer later in the class.


To use Policy Manager to configure the WatchGuard policy to allow administrative access from an external computer at a specific IP address:

1. Double-click the WatchGuard policy.
Or, right-click the WatchGuard policy and select Edit.
The Edit Policy Properties dialog box appears.
The name of this policy is WatchGuard, but the packet filter type is WG-Firebox-Mgmt. This policy is specifically designed to be used for administration of the Firebox.

2. In the From section, click Add.

3. To add the IP address of the external computer you want to use to connect to the Firebox, click Add Other.

4. From the Choose type drop-down list, make sure Host IP is selected.

5. In the Value text box, type the IP address of the remote administration computer.

6. Click OK to close each dialog box.

4. Click Add.
The Add User dialog box appears.

5. In the User Name text box, type a name for the new Device Administrator user account, example-co_admin.

6. From the Authentication Server drop-down list, keep the default selection, Firebox-DB.

7. From the Role drop-down list, select Device Administrator.

8. In the Passphrase and Confirm Passphrase text boxes, type the passphrase for the new Device Administrator user account, passphrase.

9. Click OK.
The example-co_admin user appears in the Manage Users and Roles list.

10. Click Add.
The Add User dialog box appears.

11. In the User Name text box, type a name for the new Device Monitor user account, example-co_monitor.

12. From the Authentication Server drop-down list, keep the default selection, Firebox-DB.

13. From the Role drop-down list, select Device Monitor.

14. In the Passphrase and Confirm Passphrase text boxes, type the passphrase for the new Device Monitor user account, passphrase.

15. Click OK.
The example-co_monitor user appears in the Manage Users and Roles list.

16. Click OK to close the Manage Users and Roles dialog box.
The new user accounts are automatically saved to the Firebox.

17. Close Policy Manager for the Firebox and disconnect from the Firebox in WSM.

18. In WSM, connect to your Firebox with the new example-co_admin user account credentials.

19. Start Policy Manager.

Now that you are connected to the Firebox with the new Device Administrator user account, example-co_admin, when you make changes to your Firebox configuration file, the audit trail will show that the example-co_admin user account made the changes to the configuration.

Exercise 4 — Examine and Update Feature Keys

When you purchase an option for your Firebox, you add a new feature key to your configuration file. You can use either Firebox System Manager or Policy Manager to see the list of feature keys currently on your Firebox. To add a new feature key to a Firebox, you use Policy Manager.

View Feature Keys For Your Firebox

To view your feature keys in Firebox System Manager:

1. Select View > Feature Keys.
The Firebox Feature Keys dialog box appears.


2. To see more information about the feature key, click Details.
The Feature Key Detail dialog box shows a list of the features in the feature key.

3. Click OK to close the Feature Key Details dialog box.

Exercise 5 — Create a Device Backup Image

A Firebox backup image is a saved copy of the working image from the Firebox flash disk. The backup image includes the Firebox OS, configuration file, feature keys, passphrases, DHCP leases, and certificates. The backup image also includes any event notification settings that you configured in Traffic Monitor. You can use Policy Manager to save an encrypted backup image to your management computer or to a directory on your network or other connected storage device.

We recommend that you create a backup image of the Firebox before you make significant changes to your device configuration file, or upgrade your Firebox OS. It is especially important to save a device backup image before you upgrade the version of Fireware OS on the Firebox. The backup image is the easiest way to downgrade the Firebox, if you ever need to.

You can also use Firebox System Manager to create and restore a device backup image to a USB drive connected to the Firebox. For more information, see Fireware Help.

To create a device backup:

1. Select File > Backup.
The Backup dialog box appears. Because you connected to your Firebox with the example-co_admin user account, the Administrator User Name that appears in the Backup dialog box is example-co_admin. If you connect with a Device Monitor user account, the default Device Administrator user account, admin, appears in the Administrator User Name text box.

2. In the Administrator Passphrase text box, type Example4, the read-write passphrase for the example-co_admin user account.

3. Click OK.
The second Backup dialog box appears.

4. Type and confirm an Encryption Key. For this exercise, type MyStrongKey.
This key is used to encrypt the backup file. If you lose or forget this encryption key, you cannot restore the backup file. The encryption key is case-sensitive.

5. In the Back up image to text box, select the location to save the backup file.

6. Click OK.
The default location for a backup file with a .fxi extension is:

• Windows 8 and Windows 7 — C:\Users\Public\Shared WatchGuard\backups\-..fxi.

• Windows XP — C:\Documents and Settings\All Users\Shared WatchGuard\backups\-..fxi.

When you restore the backup image, you must specify a name and passphrase for a user with administrative privileges, and you must type the encryption key you specified when you created the backup image. For this exercise, do not restore the backup image to the Firebox.

Restoring a saved backup image is the only method to downgrade a Firebox without first resetting the Firebox to factory-default settings.


Exercise 6 — Add Firebox Identification Information

You can save information about the Firebox in the configuration file, which helps you to identify the Firebox in reports, log messages, and WatchGuard management tools. The Firebox model is particularly important because some software features only function on certain models.

You can use Policy Manager to give the Firebox a descriptive name to use in your log files and reports. You can use a Fully Qualified Domain Name if you register it with your authoritative DNS server. A descriptive Firebox name is also helpful if you use the Management Server to configure VPN tunnels and certificates for the Firebox. Though the external IP address of the Firebox appears in WSM tools, log messages, and reports for the Firebox, a descriptive name for the Firebox makes it easier to quickly identify each Firebox.

The Firebox time zone controls the date and time that appears in the log messages and in management tools, including Log Manager, Report Manager, WatchGuard Dimension, and WebBlocker. Set the Firebox time zone to match the time zone for the physical location of the Firebox. This time zone setting ensures the time appears correctly in the log messages. A default configuration file sets the Firebox system time to Greenwich Mean Time (GMT).

In this exercise, you set the Firebox device identification information for your student Firebox. If you are working alone, you can use the example of our fictional organization: Successful Company. In other training modules, you see this information in reports and WatchGuard System Manager.

From Policy Manager:

1. Select Setup > System.
The Device Configuration dialog box appears.

2. In the Name text box, type SuccessfulMain.
Your instructor might give you another name for your student Firebox.

3. In the Location text box, type Seattle.
This identifies the physical location of the Firebox.

4. In the Contact text box, type your name.
This is the name of the person in your organization who is responsible for the management of the Firebox.

5. From the Time zone drop-down list, select your local time zone.
Select the time zone of the Firebox itself. This enables you to synchronize reports from Firebox devices in multiple time zones.

6. Click OK.

Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. True or false? You can add only one Device Administrator user account to your Firebox.

2. Circle the correct answer: To save a device configuration file to your Firebox, you must use an account with the [Device Monitor | Device Administrator] role.

3. Select the correct answer: Corporate headquarters is in Detroit. The branch office Firebox is located in Tokyo. You should set the branch office Firebox time zone to:
A) (GMT-05:00) Eastern Time (US & Canada)
B) (GMT+09:00) Osaka, Sapporo, Tokyo

4. True or false? You can save the Firebox configuration file to a USB flash drive.

5. How frequently should you make a backup image of your Firebox?
A) Daily
B) Weekly
C) Monthly
D) Each time you make a substantial change to the configuration
E) Never

6. Which of the following information is used by WatchGuard System Manager applications to identify a Firebox? (Select all that apply.)
A) Firebox Name
B) System administrator name
C) Encryption key
D) Model number
E) External IP address


ANSWERS

1. False. You can add many Device Administrator user accounts to your Firebox.

2. Device Administrator

3. B (GMT+09:00) Osaka, Sapporo, Tokyo — Set the Firebox time zone to its physical location.

4. True — You can save the device configuration file to any local disk drive including a USB flash drive or a network share.

5. D

6. A, D, E

Network Settings

Configure Firebox Interfaces

What You Will Learn

A Firebox has four types of interfaces: external, trusted, optional, and custom. To use your device in a network, you must configure the interface types and set the IP addresses of the interfaces. You can also enable routing features on some interfaces. In this training module, you learn how to:

• Configure external network interfaces using a static IP address, DHCP, or PPPoE
• Configure trusted and optional network interfaces
• Use the Firebox device as a DHCP server
• Add WINS/DNS server locations to the device configuration
• Set up a secondary network or address
• Add a static route

Before you begin these exercises, make sure you read the Course Introduction module.


Properties and Features of Device Interfaces

A firewall physically separates the networks on your local area network (LAN) from those on a wide area network (WAN) like the Internet. One of the basic functions of a firewall is to move packets from one side of the firewall to the other. This is known as routing. To route packets correctly, the firewall must know what networks are accessible through each of its interfaces.

The device provides additional functionality for some interfaces. External interfaces can be configured to work with Dynamic DNS. Trusted, optional, and custom interfaces can be set up with the device as a DHCP (Dynamic Host Configuration Protocol) server.

The device has four types of network interfaces:

External Interfaces
A device external interface connects to a wide area network (WAN), such as the Internet, and can have either a static or dynamic IP address. The device gets a dynamic IP address for the external interface from either a DHCP (Dynamic Host Configuration Protocol) server or a PPPoE (Point-to-Point Protocol over Ethernet) server. With DHCP, the device uses a DHCP server controlled by your Internet Service Provider (ISP) to get an IP address for the external interface, a gateway IP address, and a subnet mask. With PPPoE, the device connects to your ISP's PPPoE server to get the same information.

Trusted Interfaces
A trusted interface connects the private local area network (LAN) or internal network that you want to secure. User workstations and private servers which cannot be accessed from outside the network are usually found in trusted networks.

Optional Interfaces
Optional interfaces connect to your optional networks, which are mixed trust or DMZ environments separated from your trusted networks. Public web, FTP, and mail servers are usually found in optional networks. The settings for an optional interface are the same as for a trusted interface. The only difference is that optional interfaces are members of the alias Any-Optional.

Custom Interfaces
A custom interface defines a custom internal security zone that has a level of trust different from trusted or optional. A custom interface is not a member of the built-in aliases Any-Trusted, Any-Optional, or Any-External, so traffic for a custom interface is not allowed through the Firebox unless you specifically configure policies to allow it. A custom interface is included in the alias Any.

Most users configure at least one external and one trusted interface on their device. You can configure any interface as trusted, optional, external, or custom.

Trusted, Optional, and Custom interfaces are all internal interfaces, and all have the same configurable settings. The IP address for an internal interface must be static. Usually, internal interfaces use private or reserved IP addresses that conform to RFC 1918.

When you configure the IPv4 addresses for interfaces on a device, you must use slash notation to denote the subnet mask. For example, you enter the network range 192.168.0.0 with subnet mask 255.255.255.0 as 192.168.0.0/24, and a trusted interface with the IP address of 10.0.1.1/16 has a subnet mask of 255.255.0.0.


RFC 1918: http://www.ietf.org/rfc/rfc1918.txt


Interface Types and Aliases

For each interface, the interface name is an alias used to refer to that interface in policies. Each interface is also a member of one or more built-in aliases, which refer to network security zones. When you select an interface type, the interface becomes a member of one or more of the built-in aliases.

The built-in aliases for interfaces are:

• Any-External — An alias for all external interfaces
• Any-Trusted — An alias for all trusted interfaces
• Any-Optional — An alias for all optional interfaces
• Any — An alias for all users, groups, interfaces, addresses, and tunnels, including custom interfaces

The only difference between trusted, optional, and custom interfaces is which aliases the interface is a member of.

Requirements for Device Interfaces

Each Firebox interface can connect to a different network. The computers and servers protected by the device can use either private or public IP addresses. The device uses network address translation (NAT) to route traffic from the external network to computers on the trusted and optional networks.

All devices behind the trusted and optional interfaces must have an IP address from the network assigned to that interface. To make this easy to remember, many administrators set the interface address to the first or last IP address in the range used for that network. In the image below, for example, the IPv4 address of the trusted interface could be 10.0.1.1/24 and the IPv4 address of the optional interface could be 10.0.2.1/24.
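As an added example (Python written for this module, not WatchGuard code), the following validator encodes the interface rules described above: which built-in aliases an interface joins by type, expansion of slash notation to a subnet mask, the requirement that internal interfaces have a static RFC 1918 address, and the check that hosts behind an interface belong to its network. The interface names, the type strings, and all addresses are constructed for the example.

```python
"""Added example, not WatchGuard's own code: validate the interface rules this
module describes (type -> built-in aliases, slash-notation masks, static RFC 1918
addresses on internal interfaces, hosts inside their interface's network)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Built-in alias membership by interface type, as described in the module.
# A custom interface joins only the catch-all alias Any.
ALIASES_BY_TYPE = {
    "external": {"Any-External", "Any"},
    "trusted": {"Any-Trusted", "Any"},
    "optional": {"Any-Optional", "Any"},
    "custom": {"Any"},
}

# Private address ranges from RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Interface:
    name: str               # the interface name, itself usable as an alias
    kind: str               # external | trusted | optional | custom
    address: Optional[str]  # slash notation, e.g. "10.0.1.1/24"; None = DHCP/PPPoE


def aliases_for(iface: Interface) -> Set[str]:
    """Aliases that match this interface in a policy From or To list."""
    return ALIASES_BY_TYPE[iface.kind] | {iface.name}


def subnet_mask(cidr: str) -> str:
    """Expand slash notation to a dotted mask: '10.0.1.1/16' -> '255.255.0.0'."""
    return str(ipaddress.ip_interface(cidr).network.netmask)


def check_interface(iface: Interface) -> List[str]:
    """Return findings for one interface; an empty list means it looks sane."""
    if iface.kind not in ALIASES_BY_TYPE:
        return [f"{iface.name}: unknown interface type {iface.kind!r}"]
    if iface.address is None:
        # Only an external interface may get its address from DHCP or PPPoE.
        if iface.kind != "external":
            return [f"{iface.name}: internal interfaces need a static address"]
        return []
    if "/" not in iface.address:
        # ip_interface would silently treat a bare address as /32, so catch it first.
        return [f"{iface.name}: use slash notation for the mask, e.g. 10.0.1.1/24"]
    try:
        ip = ipaddress.ip_interface(iface.address)
    except ValueError:
        return [f"{iface.name}: invalid address {iface.address!r}"]
    if (iface.kind != "external" and ip.version == 4
            and not any(ip.network.subnet_of(n) for n in RFC1918)):
        return [f"{iface.name}: internal network {ip.network} is not an RFC 1918 range"]
    return []


def hosts_off_network(iface: Interface, hosts: List[str]) -> List[str]:
    """Hosts behind the interface whose address is NOT in the interface's network."""
    net = ipaddress.ip_interface(iface.address).network
    return [h for h in hosts if ipaddress.ip_address(h) not in net]


if __name__ == "__main__":  # constructed sample interfaces
    trusted = Interface("Trusted", "trusted", "10.0.1.1/24")
    print(subnet_mask("192.168.0.0/24"), sorted(aliases_for(trusted)))
    print(check_interface(Interface("Guest", "custom", "203.0.113.1/24")))
```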

About DHCP Server and DHCP Relay

You can configure the Firebox to assign IP addresses automatically through DHCP to devices on the trusted or optional networks. When you enable the DHCP server, you