fireware essentials student guide (en us) v11!10!1
8/16/2019 Fireware Essentials Student Guide (en US) v11!10!1
Fireware v11.10 Training
Fireware Essentials Student Guide
WatchGuard Firebox Devices
Guide Revised For: Fireware v11.10.1
Revision Date: June 2015
ii WatchGuard Technologies, Inc.
About the Fireware Essentials Student Guide
Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Copyright and Patent Information
Copyright © 2015 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or trademarks of
WatchGuard Technologies, Inc. in the United States and other countries. This product is covered by one or more
pending patent applications.
All other trademarks and trade names are the property of their respective owners.
Complete copyright, trademark, and licensing information can be found in the Copyright and Licensing Guide, available
online at http://www.watchguard.com/wgrd-help/documentation/overview.
Printed in the United States.
Fireware Essentials Student Guide iii
Table of Contents
About the Fireware Essentials Student Guide iii
Table of Contents v
Course Introduction 1
Training Options 1
Necessary Equipment and Software 2
Training Scenario 3
Prerequisites 3
Training Network Configuration 4
Student Firebox IP Addresses 5
Instructor Firebox IP Addresses 5
Configuration Changes for the Instructor Firebox 6
Fireware Web UI and Command Line Interface 7
Additional Resources 7
Getting Started 9
What You Will Learn 9
Management, Monitoring, and Visibility Tools 9
Start with WatchGuard System Manager 10
WSM Components 10
WatchGuard Dimension 11
Activate Your Device 12
Use the Setup Wizards 12
About Factory-Default Settings 13
Exercise 1 — Create a Configuration File with the Quick Setup Wizard 14
Exercise 2 — Open WSM and Connect to Devices and Servers 16
Connect to a Firebox 16
Exercise 3 — Start Policy Manager 19
Test Your Knowledge 21
ANSWERS 23
Notes 24
Administration 25
What You Will Learn 25
Manage Configuration Files and Device Properties 25
About the OS Compatibility Version 26
About the Feature Key 26
Saving a Configuration 27
Configuration Migration 27
Manage Users and Roles on Your Firebox 27
Exercise 1 — Open and Save Configuration Files 29
Exercise 2 — Configure a Firebox for Remote Administration 31
Exercise 3 — Add Device Management Users 33
Exercise 4 — Examine and Update Feature Keys 35
View Feature Keys For Your Firebox 35
Add a Feature Key to the Firebox 37
Exercise 5 — Create a Device Backup Image 38
Exercise 6 — Add Firebox Identification Information 40
Test Your Knowledge 41
ANSWERS 42
Notes 43
Network Settings 44
What You Will Learn 44
Properties and Features of Device Interfaces 45
Interface Types and Aliases 46
Requirements for Device Interfaces 46
About DHCP Server and DHCP Relay 46
About WINS/DNS 47
About Network Modes 48
About Dynamic DNS 48
About Secondary Networks 49
About Network Bridges 50
About Static Routes 50
About Other Networking Features 52
IPv6 53
Exercise 1 — Configure the External Interface 54
Exercise 1A — Configure the External Interface with a Static IP Address 54
Exercise 1B — Configure the External Interface for DHCP 55
Exercise 1C — Configure the External Interface to Use PPPoE 57
Exercise 2 — Configure a Trusted Interface as a DHCP Server 58
Exercise 3 — Configure an Optional Interface 60
Exercise 4 — Configure WINS/DNS Server Information 61
Exercise 5 — Configure a Secondary Network 62
Frequently Asked Questions 63
Test Your Knowledge 64
ANSWERS 66
Notes 67
Set Up Logging & Servers 68
What You Will Learn 68
Logging and Reporting Setup Process Overview 69
Maintain a Record of Device Activity 70
Logging and Notification Architecture 70
Log Server 72
Log Messages 72
Log Files 73
Exercise 1 — Set Up WatchGuard Server Center 74
Exercise 2 — Set Up a WSM Log Server 75
Set Up the Log Server 75
Configure the Log Server 76
Exercise 3 — Control Database and Notification Properties 77
Configure Database and Notification Settings 77
Send Log Notifications to a Network Administrator 79
Change the Encryption Key 80
Exercise 4 — Configure Where the Firebox Sends Log Messages 81
Exercise 5 — Configure a WSM Report Server 85
Add a Log Server 85
Select Reports and Timing 87
Test Your Knowledge 90
ANSWERS 92
Notes 93
Monitor Your Firewall 94
What You Will Learn 94
Regular Monitoring Improves Security 95
Exercise 1 — Review Network Status in WSM 97
Interpret the Device Status Display 98
Exercise 2 — Use Firebox System Manager 100
Connect to a Firebox and Change the Display 101
Use Traffic Monitor 103
Run a TCP Dump Diagnostic Task and Download a PCAP File 104
Change Traffic Monitor Settings 107
Check Bandwidth Usage and Service Volume 108
Exercise 3 — Create a Performance Console Graph 110
Exercise 4 — Use HostWatch to View Network Activity 113
Exercise 5 — Use the Blocked Sites List 114
Test Your Knowledge 115
ANSWERS 116
Notes 117
NAT 118
What You Will Learn 118
NAT Overview 119
Dynamic NAT 119
1-to-1 NAT 121
Policy-based NAT 123
Policy-based 1-to-1 NAT 123
Static NAT 124
About Static NAT Source IP Addresses 124
About SNAT Actions 124
NAT Loopback 125
Exercise 1 — Add Firewall Dynamic NAT Entries 126
Exercise 2 — Configure Static NAT to Allow Access to Public Servers 128
Exercise 3 — Configure NAT Loopback to an Internal Web Server 131
Other Reasons to Use NAT 133
Test Your Knowledge 134
ANSWERS 135
Notes 136
Threat Protection 137
What You Will Learn 137
Default Threat Protection Measures Block Intruders 137
Use Default Packet Handling Options 138
Unhandled Packets 139
Automatically Block the Source of Suspicious Traffic 139
Block Ports Commonly Used by Attackers 140
Exercise 1 — Configure Default Packet Handling Options 141
Exercise 2 — Block Potential Sources of Attacks 142
Block a Site Permanently 142
Create Exceptions to the Blocked Sites List 143
Exercise 3 — Block Sites Automatically 144
Test Your Knowledge 145
ANSWERS 146
Notes 147
Policies 148
What You Will Learn 148
Policies are Rules for Your Network Traffic 149
Add Policies 149
Predefined Policies and Custom Policy Templates 151
Configure Logging and Notification for a Policy 151
Advanced Policy Properties 151
About the Outgoing Policy 152
Policy Precedence 152
Policy Tags and Filters 153
Exercise 1 — Add a Packet Filter Policy and Configure Access Rules 154
Add a Predefined Policy 154
Modify Policies to Restrict Traffic 156
Use a Policy to Allow Traffic 157
Exercise 2 — Use FQDN in a Policy 159
Exercise 3 — Create a Custom Packet Filter Template 161
Make a New Policy Template 161
Add and Configure the Custom Policy 162
Exercise 4 — Configure Logging and Notification for a Policy 166
Exercise 5 — Change Policy Precedence 167
Override the Default Order of Policy Precedence 168
Exercise 6 — Use Advanced Policy Properties 169
Exercise 7 — Use Policy Tags and Filters to Group and Sort Policies 171
Create and Apply a Policy Tag 171
Filter the Policy List 173
Test Your Knowledge 174
ANSWERS 175
Notes 176
Proxy Policies 177
What You Will Learn 177
Proxy Policies and ALGs 177
About the DNS Proxy 178
About the FTP Proxy 179
About H.323 and SIP ALGs 181
About the TCP-UDP Proxy 181
Exercise 1 — Use the DNS-Outgoing Proxy Action 182
Add a DNS Outgoing Proxy Policy 182
Block a DNS Request by Query Name 183
Exercise 2 — Configure an FTP-Server Proxy Action 185
Deny the Delete Command 185
Restrict FTP File Uploads to Text Only 188
Exercise 3 — Set Access Controls on H.323 Connections 189
Test Your Knowledge 191
ANSWERS 192
Notes 193
Email Proxies and Blocking Spam 194
What You Will Learn 194
Control the Flow of Email In and Out of Your Network 195
SMTP Rulesets 195
POP3 Rulesets 195
Stop Unwanted Email at the Network Edge 196
spamBlocker and DNS 197
spamBlocker Tags 197
spamBlocker Categories 197
spamBlocker Exceptions 197
Global spamBlocker Settings 198
Use an HTTP Proxy Server 199
Adding Trusted Email Forwarders 199
Exercise 1 — Use the SMTP-Proxy to Protect Your Mail Server 200
Add an Incoming SMTP-Proxy Policy 200
Decrease Maximum Message Size 201
Allow and Deny Content Types and Filenames 203
Control Mail Domain Use for Incoming Traffic 205
Exercise 2 — Control Outgoing SMTP Connections 207
Add an Outgoing SMTP-Proxy Policy 207
Control Email Message Size 208
Control Mail Domain Use for Outbound SMTP 209
Restrict Email by Attachment Filename 211
Exercise 3 — Use a POP3-Client Policy 213
Add a POP3 Client Policy 213
Configure the POP3 Policy to Lock Attachments 214
Exercise 4 — Activate spamBlocker 216
Exercise 5 — Configure the spamBlocker Service 217
Determine What Happens to spam Email 217
Add spamBlocker Exceptions 218
Enable Alarms When a Virus is Detected 219
Exercise 6 — Monitor spamBlocker Activity 220
Test Your Knowledge 221
ANSWERS 223
Notes 224
Web Traffic 225
What You Will Learn 225
Control Web Traffic Through Your Firewall 226
Control Outgoing HTTP Requests 227
Protect Your Web Server 227
HTTP-Proxy Action Rulesets 228
Monitor Secured HTTP Traffic with the HTTPS-Proxy Policy 231
Bandwidth and Time Quotas 231
Restrict Web Access with WebBlocker 231
WebBlocker Server Options 232
WebBlocker Categories 232
WebBlocker Exceptions 232
WebBlocker Local Override 233
WebBlocker Schedules 234
WebBlocker Server 234
About Reputation Enabled Defense 235
Reputation Scores 236
Reputation Thresholds 236
Reputation Lookups 237
Reputation Enabled Defense Feedback 237
Monitor Reputation Enabled Defense 238
Exercise 1 — Configure HTTP Connections from Trusted Users 239
Add an HTTP Client Proxy Policy 239
Enable Logging for Each HTTP Client Connection 240
Block HTTP Client Connections by URL Path 241
Allow Microsoft Office Documents and ZIP Files Through the HTTP-Proxy 242
Customize the Deny Message 244
Exercise 2 — Use HTTP-Proxy Exceptions to Allow Software Updates 245
Exercise 3 — Configure an HTTP-Server Proxy Action 246
Add the HTTP-Server Proxy Policy 246
Create a New Proxy Policy Ruleset 247
Exercise 4 — Enable Bandwidth and Time Quotas 248
Exercise 5 — Selectively Block Websites with WebBlocker 252
Add a WebBlocker Action 252
Select Categories to Block 253
Create an Exception 254
Enable WebBlocker Local Override 255
Exercise 6 — Set Up Reputation Enabled Defense 256
Exercise 7 — See Reputation Enabled Defense Statistics 258
Frequently Asked Questions 259
Test Your Knowledge 260
ANSWERS 263
Notes 264
Signature Services and APT Blocker 265
What You Will Learn 265
Identify and Stop Viruses at the Edge of Your Network 266
AntiVirus Scans User Traffic for Viruses and Trojans 267
Configure Gateway AntiVirus Actions 267
Use Gateway AntiVirus with Compressed Files 268
Block Advanced Malware with APT Blocker 268
APT Blocker and Gateway AntiVirus 269
Supported File Types 269
APT Blocker Threat Levels 269
Configure APT Blocker Actions 270
APT Blocker Notifications and Alarms 270
Control the Loss of Sensitive Data 271
DLP Content Control Rules 271
DLP Custom Rule 272
Apply the Global Application Control Action to Policies 299
Exercise 7 — Use Different Application Control Actions for Different Policies 300
Test Your Knowledge 303
ANSWERS 304
Notes 305
Authentication 306
What You Will Learn 306
Monitor and Control Network Traffic by User 307
How Firebox User Authentication Works 307
Use Authentication from the External Network 307
Use Authentication through a Gateway Firebox to Another Device 308
Authentication Methods Available with Fireware 308
Use the Firebox Authentication Server 308
About Third-Party Authentication Servers 309
RADIUS Authentication Servers 309
SecurID Authentication Servers 309
LDAP Authentication Servers 310
Active Directory Authentication Servers & Single Sign-On 310
About Authentication Timeout Values 311
Exercise 1 — Add a Firebox User Group and Add Users 312
Create a Firebox User Group 312
Add Firebox Users 313
Exercise 2 — Edit Policies to Use Firebox Authentication 316
Exercise 3 — Set Global Authentication Values 318
Set Global Timeout Values 318
Set Other Global Values 318
Exercise 4 — Use a Web Server Certificate 321
Test Your Knowledge 322
ANSWERS 324
Notes 325
Logging & Reporting 326
What You Will Learn 326
Review Log Messages 327
About Log Messages 329
Build Reports from Log Messages 330
WSM Report Manager 330
WatchGuard Reports 331
View Reports with Report Manager 335
Dimension Reports 336
View Reports with Dimension 336
Dimension Report List 337
Exercise 1 — Use WSM Log Manager to View Log Messages 349
Connect to WebCenter to View Log Messages 349
View Log Messages 350
Run a Search 350
Export Log Messages 352
Exercise 2 — Use Report Manager to View and Run Reports 354
Connect to WSM Report Manager to View Reports 354
View Reports 355
Exercise 3 — Share Reports from Report Manager 358
Exercise 4 — Send Log Messages to Dimension 359
Exercise 5 — View Log Messages in Dimension 360
Connect to Dimension 360
View Log Messages 361
Exercise 6 — Search Log Messages in Dimension 362
Run a Simple Search 362
Run a Complex Search 362
Exercise 7 — Export Log Messages from Dimension 364
Exercise 8 — Create Device Groups in Dimension 365
Exercise 9 — View Reports in Dimension 366
Exercise 10 — Export Reports from Dimension 367
Export a Report as a PDF File 367
Export a Report as a CSV File 369
Test Your Knowledge 370
ANSWERS 371
Notes 372
Branch Office VPN Tunnels 373
What You Will Learn 373
BOVPN Overview 373
Benefits of a Branch Office VPN 373
Branch Office VPN Types 375
Select a VPN Type 376
VPN Tunnel Capacity 377
IPSec VPN Algorithms and Protocols 377
Encryption Algorithms 377
Authentication Algorithms 378
Diffie-Hellman Key Exchange Algorithms 378
AH (Authentication Header) 378
ESP (Encapsulating Security Payload) 379
VPN Negotiations 379
What Happens During Phase 1 Negotiations 379
What Happens During Phase 2 Negotiations 381
Policies and VPN Traffic 382
Automatically Add Policies That Allow All Traffic 382
Use the BOVPN Policy Wizard 382
Manually Add Policies 382
Use a Tunnel Alias in Policies 382
Global VPN Settings 383
VPN Monitoring and Troubleshooting 384
Monitor VPN Tunnel Status 384
Troubleshoot a VPN 385
VPN Diagnostic Report 387
Filter Log Messages by Gateway IP Address 389
IKE Log Messages 390
Requirements for VPN Exercises 392
Training Environment 392
Necessary Equipment And Software 393
Management Computer Configuration 393
Network Topology 393
Network Configuration 394
Exercise 1 — Configure a BOVPN Gateway and Tunnel 395
Before You Begin 395
Configure Device A 395
Add a Branch Office Gateway to the Site A Device Configuration 395
Add a Branch Office Tunnel to the Device A Configuration 399
Configure Device B 401
Add a Branch Office Gateway to the Device B Configuration 401
Add a Branch Office Tunnel to the Device B Configuration 403
Test the Tunnel Configuration 404
Ping From One Management Computer to Another Through the Tunnel 405
Ping From a Device Interface to the Trusted Interface on the Other Device 405
Check Tunnel Status 406
Exercise 2 — Use VPN Diagnostics 406
Exercise 3 — Use 1-to-1 NAT Through a BOVPN Tunnel 408
Before You Begin 408
Configure Duplicate Local Network IP Addresses 408
Add a Tunnel Route with 1-to-1 NAT Enabled 409
Configure Device A 409
Configure Device B 410
Test the VPN 411
Verify the Tunnel Status 412
Additional VPN Resources 413
VPN Configuration Examples 413
VPN Interoperability with Third-Party Devices 413
Test Your Knowledge 414
ANSWERS 416
Notes 417
Mobile VPN 418
Review and Edit the Mobile VPN with IPSec Profile 438
Exercise 2 — Get the Mobile VPN Client Configuration Files 440
Enable Remote Management 440
Get the Client Configuration Files 441
Exercise 3 — Use an IPSec VPN Client 442
Before You Begin 442
Required Files 442
Other Important Information 442
Exercise 3A — Use the Shrew Soft IPSec VPN Client 443
Install the Shrew Soft VPN Client 443
Import the Mobile VPN Client Configuration File 443
Connect and Disconnect 444
Exercise 3B — Use the WatchGuard Mobile VPN with IPSec Client 445
Install the Mobile VPN Client 445
Import the Mobile VPN Client Configuration File and Connect 446
Connect and Disconnect 448
Exercise 4 — Set Up Mobile VPN with SSL 449
Activate the Device for SSL VPN 449
Add Users to the SSLVPN-Users Group 452
Exercise 5 — Use the Mobile VPN with SSL Client 453
Install the Mobile VPN with SSL Client 453
Connect with the Mobile VPN with SSL Client 454
Other Client Authentication Options 455
Test Your Knowledge 456
ANSWERS 458
Notes 459
Fireware Web UI 460
What You Will Learn 460
Introduction to Fireware Web UI 460
Limitations of Fireware Web UI 461
Connect to Fireware Web UI 461
About Certificate Warnings 462
Log In 464
Navigate Fireware Web UI 465
About the Dashboard Pages 466
Get Help 466
About the Status and Admin User Accounts 467
About Timeouts for Management Sessions 468
Control Access to the Web UI 471
About the Port for the Web UI 473
Exercise 1 — Connect to the Web UI with the Status User Account 475
Exercise 2 — Configure a Device for Remote Web UI Administration 478
Exercise 3 — Use FireWatch 482
Test Your Knowledge 486
ANSWERS 487
Notes 488
Course Introduction
Firewall Essentials with Fireware v11.10
Devices: WatchGuard Firebox devices
Device OS versions: Fireware® v11.10
Management software versions: WatchGuard® System Manager v11.10
Training Options
If you use Fireware OS and WatchGuard System Manager (WSM) for your Firebox, there are several training options
available to you:
Classroom training with a WatchGuard Certified Training Partner (WCTP)
WatchGuard maintains a worldwide network of certified training partners who offer regular training courses. A list
of training partners can be found on our website at:
http://www.watchguard.com/training/partners_locate.asp
Quick review presentation
You can download and review the Firewall Essentials presentation. This PowerPoint presentation gives an
overview of WatchGuard System Manager and Policy Manager. Students learn how to install a Firebox with the
Quick Setup Wizard, create basic security policies, and get more information about additional subscription
services.
Fireware Essentials Online Course
Each training module available for WatchGuard System Manager and Fireware OS focuses on a specific feature
or function of configuration and security management.
For more information, including configuration steps for advanced procedures, see Fireware Help.
Training Scenario
Throughout these training modules, we refer to the fictional company, Successful Company. Each module in this
course builds on a story of configuring a firewall and network for Successful Company, but you can complete many of
the exercises using examples from your own network or a set of addresses and situations provided by your
WatchGuard Certified Training instructor. Any resemblance between the situations described for Successful Company
and a real company are purely coincidental.
Prerequisites
This course is intended for moderately experienced network administrators. A basic understanding of TCP/IP
networking is required. No previous experience with network security, WatchGuard System Manager, or WatchGuard
hardware devices is required.
Training Network Configuration
Most of the exercises in this courseware use the RFC 5737 documentation IP addresses to represent public network IP
addresses. Most of the information in the training modules, as well as the VPN exercises, in this courseware use this
network configuration:
To support all of the exercises in this course, your training environment must include this network equipment:
• One Firebox per student, and one for the instructor.
• One network hub or switch with enough interfaces to connect the instructor and all of the student Firebox
devices.
• A management computer for each student and for the instructor.
Student Firebox IP Addresses
Students may be assigned a number (10, 20, 30, etc.) to identify the last IP address octet for their external addresses,
and the third octet for internal addresses in relation to their Firebox devices. This allows for similar configuration among
devices and prevents IP address conflicts and subnet overlap.
Each student will configure a device with these addresses, where X is the student number:
• Eth0 – External — 203.0.113.X/24, Default Gateway 203.0.113.1
• Eth1 – Trusted — 10.0.X.1/24
In most of the exercises, your external interface and trusted interface IP addresses are determined by your student
number. Replace the X in the exercises with your student number.
Instructor Firebox IP Addresses
Eth1 of the instructor Firebox must be connected to the switch and configured to act as the default gateway for the
external network for student Firebox devices. The instructor Firebox must be configured with these addresses:
• Eth0 (External) — Use appropriate addressing for a training environment with an Internet connection. (This is
optional. Internet access is not required for these exercises.)
• Eth1 (Trusted) — 203.0.113.1/24
This is the default gateway for the primary external interface on student Firebox devices.
To allow DNS to operate from the training environment, you must also configure a DNS server, in the
Network > Configuration > WINS/DNS tab.
For DNS to function for students, the student devices and computers must also be configured to use
the DNS server.
-
8/16/2019 Fireware Essentials Student Guide (en US) v11!10!1
28/509
Configuration Changes for the Instructor Firebox
To make the training network functional for these exercises, the instructor must make two more configuration changes
to the instructor’s device.
1. Create an Any policy to allow traffic between the trusted interfaces.
2. To enable access to the Internet, update the settings in Network > NAT > Dynamic NAT to add a dynamic
entry for Any-Trusted - Any-External.
Alternatively, you can add dynamic NAT rules only for the RFC 5737 addresses to Any-External (for example, add a
dynamic NAT rule for 203.0.113.0/24 – Any-External).
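To check the claim that this numbering scheme avoids address conflicts and subnet overlap, here is an added Python example (not from the guide) that builds the Eth0/Eth1 plan above for a roster of student numbers and validates it with the standard ipaddress module; the roster and the individual checks are this example's own assumptions.

```python
import ipaddress
from typing import Dict, List

# Values stated in the guide's training network configuration.
EXTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")        # RFC 5737 range used as the "public" network
INSTRUCTOR_GATEWAY = ipaddress.ip_address("203.0.113.1")     # instructor Firebox Eth1 (Trusted)
DYNAMIC_NAT_SOURCE = ipaddress.ip_network("203.0.113.0/24")  # source of the example dynamic NAT rule


def student_plan(x: int) -> Dict[str, object]:
    """Addresses the guide assigns to student number X.

    Eth0 (External): 203.0.113.X/24 with default gateway 203.0.113.1
    Eth1 (Trusted):  10.0.X.1/24
    """
    if not 1 <= x <= 254:
        raise ValueError(f"student number {x} does not fit in one usable octet")
    return {
        "student": x,
        "eth0_external": ipaddress.ip_interface(f"203.0.113.{x}/24"),
        "eth1_trusted": ipaddress.ip_interface(f"10.0.{x}.1/24"),
    }


def validate_plan(students: List[int]) -> List[str]:
    """Check the guide's claims about the plan for a set of student numbers.

    Returns a list of problems; an empty list means the plan is consistent.
    The checks are this example's own, not something the guide specifies.
    """
    problems: List[str] = []
    plans = [student_plan(x) for x in students]
    seen_external: Dict[ipaddress.IPv4Address, int] = {}
    seen_trusted: Dict[ipaddress.IPv4Network, int] = {}

    for p in plans:
        sid = p["student"]
        ext_if = p["eth0_external"]
        trusted_net = p["eth1_trusted"].network

        # No two students may share an external address (address conflict).
        if ext_if.ip in seen_external:
            problems.append(f"external {ext_if.ip}: students {seen_external[ext_if.ip]} and {sid}")
        seen_external[ext_if.ip] = sid

        # Trusted subnets must not overlap each other (subnet overlap).
        for other_net, other_sid in seen_trusted.items():
            if trusted_net.overlaps(other_net):
                problems.append(f"trusted {trusted_net} (student {sid}) overlaps {other_net} (student {other_sid})")
        seen_trusted[trusted_net] = sid

        # A student must not take the instructor gateway address for Eth0.
        if ext_if.ip == INSTRUCTOR_GATEWAY:
            problems.append(f"student {sid} external address collides with gateway {INSTRUCTOR_GATEWAY}")

        # The gateway must be on-link for the student's external interface.
        if INSTRUCTOR_GATEWAY not in ext_if.network:
            problems.append(f"student {sid}: gateway {INSTRUCTOR_GATEWAY} not in {ext_if.network}")

        # The instructor's dynamic NAT rule must cover the student's external address.
        if ext_if.ip not in DYNAMIC_NAT_SOURCE:
            problems.append(f"student {sid}: {ext_if.ip} not matched by dynamic NAT source {DYNAMIC_NAT_SOURCE}")

        # The trusted network must be distinct from the shared external network.
        if trusted_net.overlaps(EXTERNAL_NET):
            problems.append(f"student {sid}: trusted {trusted_net} overlaps external {EXTERNAL_NET}")

    return problems


if __name__ == "__main__":
    # Constructed class roster using the guide's numbering convention (10, 20, 30, ...).
    for x in (10, 20, 30):
        p = student_plan(x)
        print(f"student {x}: Eth0 {p['eth0_external']} gw {INSTRUCTOR_GATEWAY}, Eth1 {p['eth1_trusted']}")
    print("problems:", validate_plan([10, 20, 30]) or "none")
    # Student 1 would claim 203.0.113.1, the instructor gateway, so the check reports it.
    print("problems:", validate_plan([1, 10]))
```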
Fireware Web UI and Command Line Interface
You can use Fireware Web UI (Web UI) and the WatchGuard Command Line Interface (CLI) to complete many of the
same tasks that you perform in WatchGuard System Manager and Policy Manager. Some advanced configuration
options and features are not available with Fireware Web UI or the Command Line Interface.
Because not all configuration options are available in the Web UI and CLI, and because the Web UI and CLI are online
configuration tools (you need a network connection to a Firebox to use them), most of the exercises in the training
modules for this course do not use the Web UI, and none use the CLI.
Additional Resources
For more information about how to install and configure WatchGuard System Manager see these resources:
Fireware Help
You can launch the Help system from your management computer after you install WSM. To view more
information about the features in a dialog box or application window, click Help or press the F1 key. A topic that
describes the features you see and provides links to additional information appears in your default web browser.
For the most up to date information, browse to http://www.watchguard.com/help/documentation/ and launch the
Fireware Help. You can also download the Help system for offline use.
WatchGuard Online Knowledge Base
Browse to http://customers.watchguard.com/ .
For information about how to set up an XTMv virtual machine, see:
WatchGuard XTMv Setup Guide
Browse to http://www.watchguard.com/help/documentation/ and download the WatchGuard XTMv Setup Guide.
Getting Started
Set Up Your Management Computer and Device
What You Will Learn
WatchGuard System Manager is the primary management software application used to monitor and manage Firebox
devices and WatchGuard servers. In addition to the many management and monitoring tools available in WatchGuard
System Manager, you can use WatchGuard Dimension to monitor your device and see deep into the activity on your
network.
In this training module, you learn how to:
• Use the Quick Setup Wizard to make a basic Firebox device configuration file
• Start WatchGuard System Manager and connect to Firebox devices and servers
• Start Policy Manager and open a device configuration file
Before you begin the exercises in this module, make sure you read the Course Introduction module.
Management, Monitoring, and Visibility Tools
For all of your Firebox devices, you can use the rich suite of management, configuration, monitoring, and visibility tools
available from WatchGuard. This includes WatchGuard System Manager (WSM) and all the WSM tools, WatchGuard
Server Center and the WSM servers, and the many WatchGuard Dimension tools. These tools are described in the
subsequent sections.
Start with WatchGuard System Manager
Most of the procedures you complete in this training module start from WatchGuard System Manager (WSM), which is
the primary software application you use to manage all the Firebox devices and WatchGuard servers in your network.
You can use WSM to connect to any WatchGuard Firebox. This includes all Firebox and XTM device models, as well as
the SOHO device models. In this training module, we use only the latest Firebox devices.
WSM Components
WatchGuard System Manager (WSM) includes several monitoring and configuration tools, including Policy Manager,
Firebox System Manager, HostWatch, Log Manager, Report Manager, and CA Manager. You can start these tools after
you open WSM.
WatchGuard Server Center is the application you use to set up, configure, and manage the five WatchGuard servers,
as well as configure users and groups for role-based administration.
This diagram shows the components of WatchGuard System Manager and how you can get access to them.
If you take this course with a training partner, the servers are installed on the management computer.
You install the WSM management software on a personal computer running Microsoft Windows XP or later. We refer to
this computer as your management computer. When you install WSM on your management computer, you have the option
to install any or all of the WatchGuard servers. When you select any of the servers for installation, WatchGuard Server
Center is automatically installed.
• Management Server — Manages multiple Firebox devices at the same time and creates virtual private network
(VPN) tunnels with a simple drag-and-drop method.
• Log Server — Collects log messages from Firebox devices and servers.
• Report Server — Periodically consolidates data collected by your Log Servers and uses this data to generate
the reports that you select.
• Quarantine Server — Collects and isolates SMTP email confirmed as spam by spamBlocker, or confirmed to
have a virus by Gateway AntiVirus or by spamBlocker’s Virus Outbreak Detection feature.
• WebBlocker Server — Provides information for an HTTP-proxy to deny user access to specified categories of
websites.
You can install these servers on your management computer, or you can install them on other computers on your
network that are dedicated to these tasks. Each server has different requirements and may need to be able to connect
to other servers, the Firebox, or the management computer.
WatchGuard WebCenter is the web UI that is installed with your WSM servers, where you can view Log Manager,
Report Manager, and CA Manager. When you install the Log Server, Report Server, or Management Server,
WatchGuard WebCenter is automatically available at the IP address where each server is installed. You can connect to
WebCenter at the IP address of your Log Server, Report Server, or Management Server, over port 4130.
For more information, see the training module related to each server.
WatchGuard Dimension
WatchGuard Dimension™ is a virtual solution you can use to capture the log data from your Firebox devices,
FireClusters, and WatchGuard servers and create a management connection to your Firebox devices and FireClusters.
You can use Dimension to see log data in real time, track it across your network, view the source and destination of the
traffic, view log message details of the traffic, monitor threats to your network, and view or generate reports of the
traffic. From Dimension, you can open Fireware Web UI for Firebox devices and FireClusters that are managed by
Dimension, and also take action on the information you see in the log messages, tools, and reports available in
Dimension.
After you install Dimension, you run the WatchGuard Dimension Setup wizard to complete the initial configuration of
Dimension. Then, you configure your Firebox devices and WatchGuard servers to send log messages to Dimension
and add Firebox devices to Dimension for management.
In this training course, we only discuss the logging and reporting aspects of Dimension. For more information about
Dimension, see Logging & Reporting on page 326.
Activate Your Device
You must activate your Firebox on the WatchGuard website before you can configure the device. When you activate the
Firebox, you start the Support subscription for the Firebox. The Support subscription provides alerts, threat responses,
and expert advice to help you keep your network secure and up-to-date. When you subscribe to Support, you also get
access to the latest software upgrades for your Firebox, as well as access to technical support and training resources.
If you take this course with a training partner, your Firebox will already be activated and include the
feature keys you need for the course.
To activate the Firebox, you must have:
• An account on the WatchGuard website
• The Firebox serial number
To create a new WatchGuard account, go to:
https://www.watchguard.com/account/registration_gate.asp
To activate your device with an existing WatchGuard account, log in to the WatchGuard website. In the WatchGuard
Support Center, click Activate a Product.
Use the Setup Wizards
There are two setup wizards you can use to quickly create a functional configuration file for your Firebox. To use either
setup wizard, you must connect your management computer to the trusted interface (eth1) of the Firebox.
Quick Setup Wizard
You can use the Quick Setup Wizard to discover and set up your Firebox. To start the Quick Setup Wizard, in
WatchGuard System Manager, select Tools > Quick Setup Wizard.
Web Setup Wizard
You can use the Web Setup wizard to set up a Firebox from any computer that has a web browser. To start the
Web Setup Wizard, in a web browser, type https://10.0.1.1:8080.
Both setup wizards help you to set up your device with a secure policy configuration and basic network settings. The
Web Setup wizard can also activate the device and download the required feature key, if the external interface is
connected to a network with Internet access. The Quick Setup Wizard does not help you with device activation, but
does provide a couple of additional network configuration options (drop-in mode and optional interface configuration).
The Quick Setup Wizard also includes an option to install software on a device started in recovery mode. The main
reason to use the Quick Setup Wizard with a device in recovery mode is to install an older version of software if you do
not have a device backup. If you use recovery mode to install an older OS version, you must first uninstall any newer
versions of Fireware OS from your management computer.
See Fireware Help for more information about how to use recovery mode with the Quick Setup Wizard.
About Factory-Default Settings
Each new Firebox uses factory-default settings. You can also reset a Firebox to factory-default settings. When a
Firebox uses factory-default settings, only two interfaces are active:
Interface 0 (Eth0)
Interface 0 is configured as an External interface, and is configured to use DHCP to request an IP address. If you
use the Web Setup Wizard to configure a device, we recommend that you connect Interface 0 to a network that
has a DHCP server and Internet access, so the Firebox can connect to WatchGuard to download the Firebox
feature key.
To use RapidDeploy to configure your Firebox, you must connect Interface 0 to a network with
Internet access. For more information about RapidDeploy, see Fireware Help.
Interface 1 (Eth1)
Interface 1 is configured as a Trusted interface, with the IP address 10.0.1.1. It has a DHCP Server enabled, and
is configured to assign IP addresses on the 10.0.1.0/24 subnet. You must connect your computer to interface 1
or to a network connected to Interface 1 when you run the Web Setup Wizard or Quick Setup Wizard.
To connect to the device when you use either setup wizard, your computer must have an IP address on the
10.0.1.0/24 subnet. If your computer uses DHCP, it will get a new IP address automatically after you connect to
interface 1. If your computer does not use DHCP, you must change the IP address to an IP address on the same
subnet as the IP address of Interface 1. For example, 10.0.1.2.
Exercise 1 — Create a Configuration File with the Quick Setup Wizard
You can use either the Web Setup Wizard or the Quick Setup Wizard to create a basic configuration file for a new
Firebox, or a Firebox that has been reset to factory-default settings. The Quick Start Guide that ships with your Firebox
describes how to use the Web Setup Wizard. In this exercise you use the Quick Setup Wizard, which is part of WatchGuard
System Manager.
Your instructor will provide you with the information and files you need to configure your Firebox for the
training environment.
For this exercise you need:
• A feature key — You receive the feature key when you activate your Firebox on the WatchGuard website. Each
feature key is unique to the serial number of the Firebox. Save a copy of the feature key to the management
computer before you start the Quick Setup Wizard. You can finish the wizard without the feature key, but the
feature key is required to enable all device functionality.
If the Firebox does not have a feature key, it allows only one connection to the Internet.
• WSM and Fireware OS on the management computer — WSM is the software installed on the management
computer and WatchGuard servers. Fireware is the operating system (OS) installed with a configuration file on
the Firebox. Download the latest versions of the software and Fireware OS from the WatchGuard Portal. WSM and
Fireware are separate software downloads. You must download and install both packages on your management
computer. The management computer must be on the same network subnet as the device.
• Your network information — At a minimum, you must know the IP address of your gateway router and the IP
addresses to give to the external and trusted interfaces of the Firebox. For the training environment, use
203.0.113.1 as the default gateway.
• A Firebox — You need a Firebox that has factory-default settings. This can be a new Firebox, or a Firebox that
has been reset to factory-default settings.
For an XTMv device, Fireware OS is included in the XTMv virtual appliance Open Virtualization Format (OVF) file. For
more information, see the WatchGuard XTMv Setup Guide at
www.watchguard.com/help/documentation/
When you configure the Firebox with the Quick Setup Wizard or Web Setup Wizard, the wizard adds five basic policies:
Outgoing, FTP packet filter, Ping, WatchGuard WebUI, and WatchGuard. It also sets interface IP addresses.
To connect to a device with read-only privileges, you use a Device Monitor user account. You can use
the default status Device Monitor user account for this purpose. If you save the configuration file or
add the Firebox to the Management Server as a managed device, you are prompted to type the
credentials for a user account with Device Administrator privileges. The default Device Administrator
user account for your device is the admin user account.
4. In the User Name and Passphrase text boxes, type the credentials for a Device Management user account with
a Device Monitor (read-only) role on your Firebox. The status account is specified by default.
5. From the Authentication Server drop-down list, select the authentication server for the user you specified.
If you select an Active Directory server, you must also specify the Domain for the server you selected.
6. If necessary, change the value in the Timeout text box.
This value sets the amount of time (in seconds) that WSM waits for an answer from the Firebox before WSM shows a
message that it cannot connect.
If you have a slow network or Internet connection to the device, you can increase the timeout value. If you decrease the
value, you decrease the time you must wait for a time out message if you try to connect to a device that is not available.
7. Click Login.
WSM connects to the Firebox and shows the status of the Firebox on the Device Status tab.
8. On the Device Status tab, click the plus sign (+) to expand the Firebox entry.
Information about the Firebox appears.
Exercise 3 — Start Policy Manager
Policy Manager is the WSM tool you use to build the security rules your Firebox uses to protect your network. You use
Policy Manager to configure policies, set up VPNs, change Device Management user account passphrases, and
configure logging and notification options.
A policy is a set of rules that defines how the device manages packets that come to its interfaces. The policy identifies
the source and destination of the packets. It also specifies the protocol and ports of the traffic that the policy controls. It
includes instructions for the device about how to identify the packet and whether to allow, deny, drop, or block the
connection. Policy Manager displays each policy as a group of rules, or a ruleset . You can view these policies in a list
with detailed information about each policy, or as icons.
You can have more than one version of WSM installed on your computer. However, you can have only
one version of the server components (Management Server, Log Server, Report Server, Quarantine
Server, and WebBlocker Server) installed.
In WatchGuard System Manager:
1. On the Device Status tab, select your Firebox.
If there is no device visible in WSM, select File > Connect To Device, and then connect to your device.
2. Click the Policy Manager icon.
Or, select Tools > Policy Manager .
WSM checks the model and the OS (operating system) version used by the device. If you have multiple versions of
WSM software installed, WSM automatically opens the correct version of Policy Manager. If you launch Policy
Manager for a device that uses an older version of Fireware OS , WSM might ask if you want to upgrade the OS on that
device.
Policy Manager opens in Details view by default.
3. Select Setup > OS Compatibility.
The OS Compatibility dialog box appears.
4. Make sure that the selected version is 11.9 or higher.
If you open the configuration file from a device, the OS Compatibility version is automatically set to match the
OS version on the device. If you use Policy Manager to create a new configuration file, you must configure this
setting before you can configure features that require a specific OS version.
5. Click OK.
Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.
1. True or false? You must have a WatchGuard Management Server to use a simple drag-and-drop function for
VPN creation.
2. Circle the best tool for each task:
Task | Tool
A) Monitor the status of one device | WatchGuard System Manager / Policy Manager
B) Change the device network interfaces | WatchGuard System Manager / Policy Manager
C) Configure a policy for web traffic | WatchGuard System Manager / Policy Manager
3. True or false? When connecting to your Firebox, you should decrease the Timeout setting if you have a slow
network or Internet connection to your Firebox.
4. Which of the following are required before you can use the Quick Setup Wizard to make a basic device
configuration file that allows more than one connection to the Internet? (Select all that apply.)
o A) An account on the WatchGuard website
o B) The Firebox model number
o C) The IP address of the gateway router this device will connect to
o D) A feature key
o E) A live connection to the Internet
o F) A web browser
o G) An IP address to give to the external and trusted interfaces of the Firebox
5. Fill in the blank: A ________ is a set of rules that defines how the Firebox manages packets that come to its
interfaces.
6. Which of the following are WatchGuard System Manager components? (Select all that apply.)
o A) LogViewer
o B) Router
o C) Policy Manager
o D) Appliance Monitor
o E) Windows NT Server
o F) Report Server
o G) Management Computer
7. True or false? You must install all WatchGuard servers on one management computer.
8. True or false? You do not have to install a WatchGuard server to use WatchGuard Server Center.
ANSWERS
1. True
You cannot centrally manage a device unless you configure a WatchGuard Management Server.
2. A) WatchGuard System Manager
B) Policy Manager C) Policy Manager
3. False
You should increase the Timeout setting if you have a slow network or Internet connection to the Firebox.
4. A, C, D, and G
5. policy
6. A, C, F, and G
7. False
8. False
Administration
Manage the Device Configuration
What You Will Learn
After you install the Firebox in your network and use the Quick Setup Wizard to give it a basic configuration file, you can
add custom configuration settings to meet the needs of your organization. You can save configuration files in a variety
of locations.
In this training module, you learn how to:
• Open and save configuration files
• Configure the Firebox for remote administration
• Add Device Management user accounts
• Add feature keys to the Firebox
• Back up and restore the device configuration
• Add Firebox identification information
Before you begin these exercises, make sure you read the Course Introduction module.
Manage Configuration Files and Device Properties
A device configuration file includes all configuration data, options, IP addresses, and other information for the Firebox.
On the Firebox, the configuration file works with the OS to control the flow of traffic through the Firebox. The file
extension for a device configuration file is .xml.
Policy Manager is a WatchGuard® software tool that you can use to create, change, and save configuration files. When
you use Policy Manager, you see a version of your configuration file that is easy to examine and modify.
Policy Manager is an offline configuration tool. When you connect to a Firebox and open the device configuration file
with Policy Manager, you are editing a local copy of the configuration file. Changes you make in Policy Manager have no
effect on Firebox operation until you save them to the Firebox.
About the OS Compatibility Version
Policy Manager can manage Firebox devices that use different versions of Fireware OS. Each device configuration has
an OS Compatibility setting that controls which configuration options are available for some features.
• If you connect to a Firebox and use Policy Manager to open the configuration file for the Firebox, the Fireware OS
version in the file is automatically set based on the OS version the Firebox uses.
• If you use Policy Manager to create a new configuration file, you must select the Fireware OS version before you
can configure some features, such as network settings and Traffic Management.
To set the OS Compatibility version, in Policy Manager select Setup > OS Compatibility.
About the Feature Key
When you activate a Firebox or activate add-on services or features for a Firebox, a feature key is generated to enable
features on your Firebox. You can download the feature key from the WatchGuard website when you activate your
Firebox. You can then add this feature key to your Firebox from the Quick Setup Wizard, Web Setup Wizard, Policy
Manager, or the Fireware Web UI. If you use the Web Setup Wizard, the Firebox can download the feature key
automatically.
You must install a feature key on your Firebox to enable full functionality. If your Firebox does not have a feature key, it
allows only one user to connect to the Internet. The feature key contains a list of licensed features and capacities for
your Firebox. For the LiveSecurity Service, and security services, the feature key contains the service expiration date.
To manage the feature key, in Policy Manager select Setup > Feature Key.
When you renew subscription services, you must update the feature key on the Firebox for the subscription to remain
active. To make sure that the feature key on the Firebox stays up to date, we recommend that you enable automatic
feature key synchronization in the Feature Key settings. When automatic feature key synchronization is enabled, the
Firebox automatically checks the expiration status of services once per day and downloads a new feature key from
WatchGuard if a feature is expired or is within three days of expiration.
When you save the configuration to a local file, the feature key is stored as a separate file, in the same
directory as the configuration file. For example, if you save a device configuration with the file name
Example, the configuration file is saved as a file named Example.xml and the feature key is saved in a
file named Example_lic.tgz .
Saving a Configuration
Because Policy Manager is an offline configuration tool, you can save the device configuration to a local file, and you
can save it to a Firebox. Each time you save a configuration to a Firebox, Policy Manager does several checks to make
sure that the settings in the configuration are valid for the Firebox. If any setting is not compatible, Policy Manager
displays a message and does not save the configuration to the Firebox. This could occur, for example, if the OS
Compatibility setting in the file does not match the OS version on the Firebox, or if features are configured in a way that
is not compatible with the OS version on the Firebox.
Configuration Migration
You can use Policy Manager to save the configuration file that was originally created for one Firebox to a different
Firebox. To do this, you must remove the existing feature key from the configuration, and add the feature key for the
new Firebox. When you add the new feature key, Policy Manager automatically updates the model number in the
configuration file. Before you can save the configuration to a different Firebox, you might also need to change other
settings to make the configuration compatible with the new Firebox. For example, you might need to change the OS
Compatibility setting, or modify the Network settings, if the new Firebox has a different number of network interfaces.
For a video demonstration of configuration migration, see the Configuration Migration video available
in the Product Documentation section of the WatchGuard website.
Manage Users and Roles on Your Firebox
You can use role-based administration on your Firebox to share the configuration and monitoring responsibilities for the
Firebox among several individuals in your organization. This enables you to run audit reports to monitor which
administrators make which changes to your device configuration file.
By default, your Firebox includes these default user accounts and roles:
Default User Account | Default Role | Default Passphrase
admin | Device Administrator (read-write permissions) | readwrite
status | Device Monitor (read-only permissions) | readonly
wgsupport | Disabled | (none)
When you add Device Management user accounts, you can use the two predefined roles to create new user accounts
to monitor and manage your Firebox. User accounts that are assigned the Device Monitor role can connect to the
Firebox with read-only permissions to monitor the Firebox, but cannot change the configuration file. User accounts that
are assigned the Device Administrator role can connect to the Firebox to change the configuration file and monitor the
Firebox. More than one Device Monitor can always connect to the Firebox at the same time. But, you must enable the
option to allow more than one Device Administrator to log in to the Firebox at the same time. If you do not enable this
option, only one Device Administrator can log in to the Firebox at a time.
The wgsupport user account is disabled by default. This account is for WatchGuard Technical Support access to your
Firebox. You can enable it and specify a passphrase for it if you need to enable access to your Firebox for WatchGuard
Technical Support. We will not enable or modify this user account in this course.
You can use these authentication servers for Device Management user accounts on your Firebox:
• Firebox-DB
• Active Directory
• LDAP
• RADIUS
The default Device Management user accounts use the Firebox-DB authentication server.
For external authentication servers (not Firebox-DB), make sure to add the user account to the authentication server
before you add the user account to your Firebox. The user account credentials that you specify for the user accounts on
your Firebox are case-sensitive and must match the user credentials as they are specified on the external
authentication server.
Exercise 1 — Open and Save Configuration Files
The Quick Setup Wizard makes a basic configuration file for your Firebox. We recommend that you use this
configuration file as the base for all your configuration files. You can also use Policy Manager to make a new
configuration file with only the default configuration properties.
To create a new configuration file:
1. Open Policy Manager.
2. Select File > New.
A new configuration file appears with the default policies and settings.
Policy Manager is an offline configuration tool. The Web UI and the CLI are online configuration tools.
An offline configuration tool lets you make many changes to a configuration file without sending the
changes to the Firebox.
An online configuration tool is designed to immediately send all changes to the Firebox.
Most of the time, when you want to manage your Firebox configuration, you use WatchGuard System Manager (WSM)
to connect to the Firebox and launch Policy Manager. When you do this, WSM loads the current device configuration file
in Policy Manager. You can save a copy locally and then open this local copy in Policy Manager any time you want to
work offline.
In this exercise, you open the current configuration file for your Firebox and save it to your local hard drive:
1. Open WatchGuard System Manager and connect to your Firebox.
If you are not familiar with this procedure, see the Getting Started or ask your instructor.
2. Click the Policy Manager icon.
Or, select Tools > Policy Manager .
Policy Manager starts and loads the configuration file currently on your Firebox.
3. Select File > Save > As File.
The Save dialog box appears.
4. In the File Name text box, type Basics-Start.
5. Click Save.
By default, configuration files are saved to the My Documents\My WatchGuard\configs folder. The
configuration file type is XML.
6. To save an updated configuration file to the Firebox and to a local file, select File > Save > To Firebox.
To save the file to the Firebox, you must specify a user name and passphrase for a user account with Device
Administrator privileges. When you save a configuration file to the Firebox, you can also save it to a local file.
If you lose the passphrase for the admin account, and you do not know the passphrase for any other account with
Device Administrator privileges, you cannot save configuration changes to the Firebox.
If you have lost the admin passphrase and you have a saved configuration file, you can regain administrative access to
the Firebox without losing the configuration settings. To do this you must reset the Firebox to factory-default settings,
and then use the default admin account, with the default passphrase readwrite, to save the configuration to the Firebox
from Policy Manager.
Exercise 2 — Configure a Firebox for Remote Administration
This exercise is most useful for an instructor to connect to a student Firebox during a classroom
session. If you are self-instructed and do not need to remotely manage your Firebox, you can skip to
the next exercise.
When you use the Quick Setup Wizard to configure your Firebox, a policy that allows you to connect to and administer
the Firebox from any computer on the trusted or optional networks is automatically created. If you want to manage the
Firebox from a remote location (any location external to the Firebox), then you must change your configuration file to
allow administrative connections from your remote location.
The packet filter policy that controls administrative connections to the Firebox is WG-Firebox-Mgmt . The Quick Setup
Wizard adds this policy with the name WatchGuard . This policy controls access to the Firebox on TCP ports 4105,
4117, and 4118. When you allow connections in the WatchGuard policy, you also allow connections to each of these
ports.
Before you change a policy to allow connections to the Firebox from a computer external to your network, it is a good
idea to consider these alternatives:
• Is it possible to connect to the Firebox with a VPN? This greatly increases the security of the connection. If you
can connect with a VPN, then you do not need to allow connections from a computer external to your network. If
it is not possible to connect to the Firebox with a VPN, you might want to consider using authentication as an
additional layer of security.
• It is more secure to limit access from the external network to the smallest number of computers possible. For
example, it is more secure to allow connections from a single computer than it is to allow connections from the
alias Any-External.
To restrict or expand access to the Firebox, edit the From list in the WatchGuard policy.
• You can allow connections to the Firebox from external networks by adding the Any-External alias (or an
appropriate IP address).
• You can restrict connections to the Firebox from internal locations by removing the Any-Trusted and
Any-Optional aliases and replacing them with the specific IP addresses from which you want to allow access.
• You can remove all IP addresses and aliases, and replace them with user names or group names. When you do
this, you force users to authenticate before they are allowed to connect to the Firebox.
If you decide to allow connections to the Firebox from Any-External, it is especially important that you set very strong
Device Management passphrases. It is also a good idea to change your passphrases at regular intervals.
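The following is an added example, not code from this guide or from WatchGuard, that models the From-list decision described above for the WatchGuard (WG-Firebox-Mgmt) policy. It expands the Any-Trusted, Any-Optional and Any-External aliases into the zone of the interface a connection arrives on, matches single host IPs and authenticated user entries, and flags a From list that exposes TCP 4105, 4117 and 4118 to Any-External. The interface layout (eth0 External, eth1 Trusted, eth2 Optional), the administration host 198.51.100.7 and the "user:" entry syntax are constructed for the illustration; the matching logic shows the least-privilege point, not Fireware's actual policy engine.

```python
"""Model of the From list of the WatchGuard (WG-Firebox-Mgmt) policy.

Illustrative example, not Fireware's policy engine. The interface layout
and the administration host 198.51.100.7 are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# TCP ports the WG-Firebox-Mgmt packet filter controls (from the guide).
MGMT_PORTS = frozenset({4105, 4117, 4118})

# Constructed (hypothetical) interface layout: interface name -> zone.
INTERFACE_ZONE = {"eth0": "External", "eth1": "Trusted", "eth2": "Optional"}

# The built-in aliases expand to every interface in the named zone.
ZONE_ALIASES = {
    "Any-External": "External",
    "Any-Trusted": "Trusted",
    "Any-Optional": "Optional",
}


@dataclass(frozen=True)
class MgmtPolicy:
    """From list of the WatchGuard policy.

    Entries are zone aliases ("Any-External"), single host IPs
    ("198.51.100.7") or authenticated users ("user:example-co_admin",
    a syntax assumed here for the example).
    """

    from_entries: frozenset

    def allows(self, src_ip, arriving_iface, dst_port, authenticated_user=None):
        """True if a connection to a management port matches the From list."""
        if dst_port not in MGMT_PORTS:
            return False  # Not management traffic; other policies decide.
        zone = INTERFACE_ZONE[arriving_iface]
        src = ipaddress.ip_address(src_ip)
        for entry in self.from_entries:
            if entry in ZONE_ALIASES:
                # An alias matches when the packet arrives on an interface in that zone.
                if ZONE_ALIASES[entry] == zone:
                    return True
            elif entry.startswith("user:"):
                # A user entry matches only a session already authenticated as that user.
                if authenticated_user == entry[len("user:"):]:
                    return True
            elif src == ipaddress.ip_address(entry):
                return True
        return False

    def findings(self):
        """Flag the configuration the guide warns against: management ports open to Any-External."""
        out = []
        if "Any-External" in self.from_entries:
            out.append("management ports reachable from Any-External; "
                       "restrict From to specific host IPs or to authenticated users")
        return out


# Weak: Any-External was added, so every Internet host can reach the management ports.
WEAK = MgmtPolicy(frozenset({"Any-Trusted", "Any-Optional", "Any-External"}))
# Hardened: one external administration host plus the internal networks.
HARDENED = MgmtPolicy(frozenset({"Any-Trusted", "Any-Optional", "198.51.100.7"}))
# Strictest: no addresses or aliases; only authenticated Device Management users.
AUTH_ONLY = MgmtPolicy(frozenset({"user:example-co_admin"}))

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED), ("auth-only", AUTH_ONLY)):
        print(f"{name:9} Internet host 198.51.100.200 -> {pol.allows('198.51.100.200', 'eth0', 4105)}")
        print(f"{name:9} admin host 198.51.100.7      -> {pol.allows('198.51.100.7', 'eth0', 4105)}")
        print(f"{name:9} findings: {pol.findings()}")
```

Running the block compares the three From lists: with Any-External present, an arbitrary Internet host reaches the management ports; with a single host entry, only 198.51.100.7 does; with user entries only, even a trusted-network host is refused until it authenticates. Use findings() as the review check before you save a changed WatchGuard policy to the Firebox.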
Your instructor might ask you to complete these steps. This will enable your instructor to troubleshoot
configuration issues from his computer later in the class.
To use Policy Manager to configure the WatchGuard policy to allow administrative access from an external computer at
a specific IP address:
1. Double-click the WatchGuard policy.
Or, right-click the WatchGuard policy and select Edit.
The Edit Policy Properties dialog box appears.
The name of this policy is WatchGuard, but the packet filter type is WG-Firebox-Mgmt. This policy is specifically designed to be used for administration of the Firebox.
2. In the From section, click Add.
3. To add the IP address of the external computer you want to use to connect to the Firebox, click Add Other.
4. From the Choose type drop-down list, make sure Host IP is selected.
5. In the Value text box, type the IP address of the remote administration computer.
6. Click OK to close each dialog box.
4. Click Add.
The Add User dialog box appears.
5. In the User Name text box, type a name for the new Device Administrator user account, example-co_admin.
6. From the Authentication Server drop-down list, keep the default selection, Firebox-DB.
7. From the Role drop-down list, select Device Administrator.
8. In the Passphrase and Confirm Passphrase text boxes, type the passphrase for the new Device Administrator
user account, passphrase.
9. Click OK.
The example-co_admin user appears in the Manage Users and Roles list.
10. Click Add.
The Add User dialog box appears.
11. In the User Name text box, type a name for the new Device Monitor user account, example-co_monitor.
12. From the Authentication Server drop-down list, keep the default selection, Firebox-DB.
13. From the Role drop-down list, select Device Monitor.
14. In the Passphrase and Confirm Passphrase text boxes, type the passphrase for the new Device Monitor
user account, passphrase.
15. Click OK.
The example-co_monitor user appears in the Manage Users and Roles list.
16. Click OK to close the Manage Users and Roles dialog box.
The new user accounts are automatically saved to the Firebox.
17. Close Policy Manager for the Firebox and disconnect from the Firebox in WSM.
18. In WSM, connect to your Firebox with the new example-co_admin user account credentials.
19. Start Policy Manager.
Now that you are connected to the Firebox with the new Device Administrator user account, example-co_admin, when
you make changes to your Firebox configuration file, the audit trail will show that the example-co_admin user account
made the changes to the configuration.
Exercise 4 — Examine and Update Feature Keys
When you purchase an option for your Firebox, you add a new feature key to your configuration file. You can use either
Firebox System Manager or Policy Manager to see the list of feature keys currently on your Firebox. To add a
new feature key to a Firebox, you use Policy Manager.
View Feature Keys For Your Firebox
To view your feature keys in Firebox System Manager:
1. Select View > Feature Keys.
The Firebox Feature Keys dialog box appears.
2. To see more information about the feature key, click Details.
The Feature Key Detail dialog box shows a list of the features in the feature key.
3. Click OK to close the Feature Key Details dialog box.
Exercise 5 — Create a Device Backup Image
A Firebox backup image is a saved copy of the working image from the Firebox flash disk. The backup image includes
the Firebox OS, configuration file, feature keys, passphrases, DHCP leases, and certificates. The backup image also
includes any event notification settings that you configured in Traffic Monitor. You can use Policy Manager to save an
encrypted backup image to your management computer or to a directory on your network or other connected storage
device.
We recommend that you create a backup image of the Firebox before you make significant changes to your device
configuration file, or upgrade your Firebox OS. It is especially important to save a device backup image before you
upgrade the version of Fireware OS on the Firebox. The backup image is the easiest way to downgrade the Firebox, if
you ever need to.
You can also use Firebox System Manager to create and restore a device backup image to a USB
drive connected to the Firebox. For more information, see Fireware Help.
To create a device backup:
1. Select File > Backup.
The Backup dialog box appears. Because you connected to your Firebox with the example-co_admin user account,
the Administrator User Name that appears in the Backup dialog box is example-co_admin. If you connect with a
Device Monitor user account, the default Device Administrator user account, admin, appears in the Administrator User
Name text box.
2. In the Administrator Passphrase text box, type Example4, the read-write passphrase for the example-co_admin
user account.
3. Click OK. The second Backup dialog box appears.
4. Type and confirm an Encryption Key. For this exercise, type MyStrongKey.
This key is used to encrypt the backup file. If you lose or forget this encryption key, you cannot restore the backup file.
The encryption key is case-sensitive.
5. In the Back up image to text box, select the location to save the backup file.
6. Click OK.
The default location for a backup file with a .fxi extension is:
- Windows 8 and Windows 7 — C:\Users\Public\Shared WatchGuard\backups\..fxi.
- Windows XP — C:\Documents and Settings\All Users\Shared WatchGuard\backups\..fxi.
When you restore the backup image, you must specify a name and passphrase for a user with administrative privileges,
and you must type the encryption key you specified when you created the backup image. For this exercise, do not
restore the backup image to the Firebox.
Restoring a saved backup image is the only method to downgrade a Firebox without first resetting the
Firebox to factory-default settings.
Exercise 6 — Add Firebox Identification Information
You can save information about the Firebox in the configuration file, which helps you to identify the Firebox in reports,
log messages, and WatchGuard management tools. The Firebox model is particularly important because some
software features only function on certain models.
You can use Policy Manager to give the Firebox a descriptive name to use in your log files and reports. You can use a
Fully Qualified Domain Name if you register it with your authoritative DNS server. A descriptive Firebox name is also
helpful if you use the Management Server to configure VPN tunnels and certificates for the Firebox. Though the external
IP address of the Firebox appears in WSM tools, log messages, and reports for the Firebox, a descriptive name for the
Firebox makes it easier to quickly identify each Firebox.
The Firebox time zone controls the date and time that appears in the log messages and in management tools, including
Log Manager, Report Manager, WatchGuard Dimension, and WebBlocker. Set the Firebox time zone to match the time
zone for the physical location of the Firebox. This time zone setting ensures the time appears correctly in the log
messages. A default configuration file sets the Firebox system time to Greenwich Mean Time (GMT).
In this exercise, you set the Firebox device identification information for your student Firebox. If you are working alone,
you can use the example of our fictional organization: Successful Company. In other training modules, you see this
information in reports and WatchGuard System Manager.
From Policy Manager:
1. Select Setup > System.
The Device Configuration dialog box appears.
2. In the Name text box, type SuccessfulMain.
Your instructor might give you another name for your student Firebox.
3. In the Location text box, type Seattle.
This identifies the physical location of the Firebox.
4. In the Contact text box, type your name.
This is the name of the person in your organization who is responsible for the management of the Firebox.
5. From the Time zone drop-down list, select your local time zone.
Select the time zone of the Firebox itself. This enables you to synchronize reports from Firebox devices in multiple
time zones.
6. Click OK.
Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.
1. True or false? You can add only one Device Administrator user account to your Firebox.
2. Circle the correct answer: To save a device configuration file to your Firebox, you must use an account with the [Device Monitor | Device Administrator] role.
3. Select the correct answer: Corporate headquarters is in Detroit. The branch office Firebox is located in Tokyo.
You should set the branch office Firebox time zone to:
A) (GMT-05:00) Eastern Time (US & Canada)
B) (GMT+09:00) Osaka, Sapporo, Tokyo
4. True or false? You can save the Firebox configuration file to a USB flash drive.
5. How frequently should you make a backup image of your Firebox?
A) Daily
B) Weekly
C) Monthly
D) Each time you make a substantial change to the configuration
E) Never
6. Which of the following information is used by WatchGuard System Manager applications to identify a Firebox?
(Select all that apply.)
A) Firebox Name
B) System administrator name
C) Encryption key
D) Model number
E) External IP address
ANSWERS
1. False.
You can add many Device Administrator user accounts to your Firebox.
2. Device Administrator
3. B (GMT+09:00) Osaka, Sapporo, Tokyo — Set the Firebox time zone to its physical location.
4. True — You can save the device configuration file to any local disk drive including a USB flash drive or a network
share.
5. D
6. A, D, E
Network Settings
Configure Firebox Interfaces
What You Will Learn
A Firebox has four types of interfaces: external, trusted, optional, and custom. To use your device in a network, you
must configure the interface types and set the IP addresses of the interfaces. You can also enable routing features on
some interfaces. In this training module, you learn how to:
- Configure external network interfaces using a static IP address, DHCP, or PPPoE
- Configure trusted and optional network interfaces
- Use the Firebox device as a DHCP server
- Add WINS/DNS server locations to the device configuration
- Set up a secondary network or address
- Add a static route
Before you begin these exercises, make sure you read the Course Introduction module.
Properties and Features of Device Interfaces
A firewall physically separates the networks on your local area network (LAN) from those on a wide area network
(WAN) like the Internet. One of the basic functions of a firewall is to move packets from one side of the firewall to the
other. This is known as routing. To route packets correctly, the firewall must know what networks are accessible
through each of its interfaces.
The device provides additional functionality for some interfaces. External interfaces can be configured to work with
Dynamic DNS. Trusted, optional and custom interfaces can be set up with the device as a DHCP (Dynamic Host
Configuration Protocol) server.
The device has four types of network interfaces:
External Interfaces
A device external interface connects to a wide area network (WAN), such as the Internet, and can have either a
static or dynamic IP address. The device gets a dynamic IP address for the external interface from either a
DHCP (Dynamic Host Configuration Protocol) server or PPPoE (Point-to-Point Protocol over Ethernet) server.
With DHCP, the device uses a DHCP server controlled by your Internet Service Provider (ISP) to get an IP
address for the external interface, a gateway IP address, and a subnet mask. With PPPoE, the device connects
to your ISP’s PPPoE server to get the same information.
Trusted Interfaces
A trusted interface connects the private local area network (LAN) or internal network that you want to secure.
User workstations and private servers which cannot be accessed from outside the network are usually found in
trusted networks.
Optional Interfaces
Optional interfaces connect to your optional networks, which are mixed trust or DMZ environments separated
from your trusted networks. Public web, FTP, and mail servers are usually found in optional networks. The
settings for an optional interface are the same as for a trusted interface. The only difference is that optional
interfaces are members of the alias Any-Optional.
Custom Interfaces
A custom interface defines a custom internal security zone that has a level of trust different from trusted or
optional. A custom interface is not a member of the built-in aliases Any-Trusted, Any-Optional, or Any-External,
so traffic for a custom interface is not allowed through the Firebox unless you specifically configure policies to
allow it. A custom interface is included in alias All.
Most users configure at least one external and one trusted interface on their device. You can configure any interface as
trusted, optional, external, or custom.
Trusted, Optional, and Custom interfaces are all internal interfaces, and all have the same configurable settings. The IP
address for an internal interface must be static. Usually, internal interfaces use private or reserved IP addresses that
conform to RFC 1918.
When you configure the IPv4 addresses for interfaces on a device, you must use slash notation to denote the subnet
mask. For example, you enter the network range 192.168.0.0 with subnet mask 255.255.255.0 as 192.168.0.0/24, and a
trusted interface with the IP address of 10.0.1.1/16 has a subnet mask of 255.255.0.0.
http://www.ietf.org/rfc/rfc1918.txt
Interface Types and Aliases
For each interface, the interface name is an alias used to refer to that interface in policies. Each interface is also a
member of one or more built-in aliases, which refer to network security zones. When you select an interface type, the
interface becomes a member of one or more of the built-in aliases.
The built-in aliases for interfaces are:
- Any-External — An alias for all external interfaces
- Any-Trusted — An alias for all trusted interfaces
- Any-Optional — An alias for all optional interfaces
- Any — An alias for all users, groups, interfaces, addresses, and tunnels, including custom interfaces.
The only difference between trusted, optional, and custom interfaces is which aliases the interface is a member of.
Requirements for Device Interfaces
Each Firebox interface can connect to a different network. The computers and servers protected by the device can use
either private or public IP addresses. The device uses network address translation (NAT) to route traffic from the
external network to computers on the trusted and optional networks.
All devices behind the trusted and optional interfaces must have an IP address from the network assigned to that
interface. To make this easy to remember, many administrators set the interface address to the first or last IP address
in the range used for that network. In the image below, for example, the IPv4 address of the trusted interface could be
10.0.1.1/24 and the IPv4 address of optional interface could be 10.0.2.1/24.
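The slash-notation rule, the built-in alias membership of each interface type, and the requirement that every host behind an interface use an address from that interface's network can all be checked mechanically. The following is an added example written for this guide, not WatchGuard code; the interface type names, the Interface class and the helper functions are assumptions, and the addresses are constructed sample values.

```python
# Added example (not WatchGuard code): model Firebox interface addressing and
# alias membership as described above, using only the Python standard library.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Assumed names for the four interface types and the built-in aliases they join.
BUILT_IN_ALIASES = {
    "external": {"Any-External"},
    "trusted": {"Any-Trusted"},
    "optional": {"Any-Optional"},
    "custom": set(),   # no zone alias: traffic needs an explicit policy
}
RFC1918 = [IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Interface:
    name: str     # interface name, itself an alias usable in policies
    kind: str     # one of the keys of BUILT_IN_ALIASES
    address: str  # IPv4 address in slash notation, e.g. "10.0.1.1/24"

    def __post_init__(self):
        if self.kind not in BUILT_IN_ALIASES:
            raise ValueError(f"unknown interface type: {self.kind}")
        # The guide requires slash notation for interface addresses.
        if not self.address.rpartition("/")[2].isdigit():
            raise ValueError(f"use slash notation, not a dotted mask: {self.address}")


def to_slash_notation(network: str, dotted_mask: str) -> str:
    """'192.168.0.0', '255.255.255.0' -> '192.168.0.0/24'."""
    return IPv4Network(f"{network}/{dotted_mask}", strict=False).with_prefixlen


def subnet_mask(address: str) -> str:
    """'10.0.1.1/16' -> '255.255.0.0'."""
    return str(IPv4Interface(address).netmask)


def aliases(iface: Interface) -> set:
    """Every alias that matches traffic on this interface, including Any."""
    return {iface.name, "Any"} | BUILT_IN_ALIASES[iface.kind]


def is_rfc1918(address: str) -> bool:
    """True when the address lies in one of the RFC 1918 private ranges."""
    return any(IPv4Address(address) in net for net in RFC1918)


def misaddressed_hosts(iface: Interface, hosts) -> list:
    """Hosts behind iface whose address is outside the interface's network."""
    net = IPv4Interface(iface.address).network
    return [h for h in hosts if IPv4Address(h) not in net]
```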
About DHCP Server and DHCP Relay
You can configure the Firebox to assign IP addresses automatically through DHCP to devices on the trusted or optional
networks. When you enable the DHCP server, you