xtm firewall basics ppt v11 6

Upload: eric-alonso-cofre-sanchez

Post on 30-Oct-2015


TRANSCRIPT

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    1/216

    Firewall Basics with Fireware XTM 11.6


    Course Introduction

    Firewall Basics with Fireware XTM


    Training Objectives

    Use the basic management and monitoring components of WatchGuard System Manager (WSM)

    Configure a WatchGuard XTM 2050, 1050, 8 Series, 5 Series, 3 Series, 2 Series, or XTMv device for your network

    Create basic security policies for your XTM device to enforce

    Use security services to expand XTM device functionality

    WatchGuard Training 3


    Requirements

    Necessary equipment and software:

    Management computer

    WatchGuard System Manager and Fireware XTM OS

    Firewall configuration file

    XTM 2 Series, 3 Series, 5 Series, 8 Series, XTM 1050, XTM 2050, or XTMv devices (optional)

    Prerequisites:

    Basic knowledge of TCP/IP network functions and structure

    It is helpful, but not necessary, to have:

    WatchGuard System Manager installed on your computer

    Access to a WatchGuard XTM device

    A printed copy of the instructor's notes of this presentation, or a copy of the Fireware XTM Basics Student Guide


    Outline

    Getting Started

    Work with XTM Device Configuration Files

    Configure XTM Device Interfaces

    Set up Logging and Notification

    Use FSM to Monitor XTM Device Activity

    Use NAT (Network Address Translation)

    Define Basic Network Security Policies

    Work with Proxy Policies

    Work with SMTP and POP3 Proxies

    Verify Users' Identities


    Outline

    Block Unwanted Email with spamBlocker

    Manage Web Traffic

    Defend Your Network From Intruders

    Use Gateway AntiVirus

    Use Intrusion Prevention Service

    Use Application Control

    Use Reputation Enabled Defense

    Generate Reports of Network Activity

    Explore the Fireware XTM Web UI


    Training Scenario

    Fictional organization called the Successful Company

    Training partners may use different examples for exercises

    Try out the exercises to implement your security policy


    Getting Started

    Set Up Your Management Computer and XTM Device


    Learning Objectives

    Use the Quick Setup Wizard to make a configuration file

    Start WatchGuard System Manager

    Connect to XTM devices and WatchGuard servers

    Launch other WSM applications


    Management Computer

    Select a computer with Windows 7, Windows Vista, Windows XP SP2, or Windows Server 2003 or 2008

    Install WatchGuard System Manager (WSM) to configure, manage, and monitor your device

    Install Fireware XTM OS, then use WSM to install updates and make configuration changes on the device


    Server Software

    When you install WSM, you have the option to install any or all of these WatchGuard servers:

    Management Server

    Log Server

    Report Server

    WebBlocker Server

    Quarantine Server

    Servers can be installed on separate computers

    Each server must use a supported version of Windows.

    There are access requirements between the management computer, the XTM device, and some servers.


    Activate your XTM Device

    You must have or create a WatchGuard account

    You must activate the XTM device before you can fully configure it

    Have your device serial number ready


    Setup Wizards

    There are two setup wizards you can use to create an initial functional configuration file for your XTM device.

    Web Setup Wizard: To start the Web Setup Wizard, in a web browser, type: https://10.0.1.1:8080

    Quick Setup Wizard: To start the Quick Setup Wizard, in WatchGuard System Manager, select Tools > Quick Setup Wizard.

    To use either setup wizard, you must connect the management computer to the trusted interface (eth1) of the XTM device.

    The Web Setup Wizard can activate your XTM device and download the feature key from the WatchGuard web site if you connect the external interface (eth0) to a network with Internet access.


    Quick Setup Wizard

    Installs the Fireware XTM OS on the XTM device

    Creates and uploads a basic configuration file

    Assigns passphrases to control access to the XTM device


    Prepare to Use the Quick Setup Wizard

    Before you start, you must have:

    WSM and Fireware XTM OS installed on the management computer

    Network information

    It is a good idea to have the feature key for your device before you start the wizard. You can copy it from the LiveSecurity web site during registration.


    Launch the Quick Setup Wizard

    For the Quick Setup Wizard to operate correctly, you must:

    Prepare the device to be discovered by the Quick Setup Wizard (QSW). The QSW shows you how to prepare each device.

    Assign a static IP address to your management computer from the same subnet that you plan to assign to the Trusted interface of the XTM device. Alternatively, you can get a DHCP address from the device when it is in Safe Mode.

    Connect the Ethernet interface of your computer to interface #1 of the device.

    Launch WatchGuard System Manager (WSM) and launch the Quick Setup Wizard from the WSM Tools menu.


    Quick Setup Wizard: Select Your Device

    Choose which model of XTM device to configure.


    Quick Setup Wizard: Verify the Device Details

    Verify that the model and serial number are correct.


    Quick Setup Wizard: Name Your XTM Device

    The name you assign to the device in the wizard is used to:

    Identify the device in WSM

    Identify the device in log files

    Identify the device in Log and Report Manager


    Quick Setup Wizard: Configure the External Interface

    The IP address you give to the external interface can be:

    A static IP address

    An IP address assigned with DHCP

    An IP address assigned with PPPoE

    You must also add an IP address for the device default gateway. This is the IP address of your gateway router.


    Quick Setup Wizard: Configure Interfaces

    Configure the Trusted and Optional interfaces.

    Select one of these configuration options:

    Mixed Routing Mode (Use these IP addresses): Each interface is configured with an IP address on a different subnet.

    Drop-in Mode (Use the same IP address as the external interface): All XTM device interfaces have the same IP address. Use drop-in mode when devices from the same publicly addressed network are located on more than one device interface.


    Understand Routed Configurations

    In mixed routing mode (routed configuration):

    Configure each interface with an IP address on a different subnet.

    Assign secondary networks on any interface.


    Understand Drop-in Configurations

    In drop-in mode:

    Assign the same primary IP address to all interfaces on your device.

    Assign secondary networks on any interface.

    You can keep the same IP addresses and default gateways for devices on your trusted and optional networks, and add a secondary network address to the XTM device interface so the device can correctly send traffic to those devices.


    Quick Setup Wizard: Add a Feature Key

    When you purchase additional options for your device, you must get a new feature key to activate the new options. You can add feature keys in the Quick Setup Wizard, or later in Policy Manager.


    Quick Setup Wizard: Set Passphrases

    You define two passphrases for connections to the device

    Status passphrase: Read-only connections

    Configuration passphrase: Read-write connections

    Both passphrases must be at least 8 characters long and different from each other


    Quick Setup Wizard: Final Steps

    Save a basic configuration to the device.

    You are now ready to put your device in place on your network.

    Remember to reset your management computer IP address.


    WatchGuard System Manager

    Start WSM

    Connect to an XTM device or the Management Server

    Display device status


    Components of WSM

    WSM includes a set of management and monitoring tools:

    Policy Manager

    Firebox System Manager

    HostWatch

    Log and Report Manager

    CA Manager

    Quarantine Server Client

    To launch a tool, use the WSM Tools menu or click the tool icon


    Firewall Basics with Fireware Version 8.3

    Administration

    Work with Device Configuration Files


    Learning Objectives

    Start Policy Manager

    Open and save configuration files

    Configure the XTM device for remote administration

    Reset XTM device passphrases

    Back up and restore the XTM device configuration

    Add XTM device identification information


    What is Policy Manager?

    A configuration tool that you can use to modify the settings of your XTM device

    Changes made in Policy Manager do not take effect until you save them to the device

    Launch Policy Manager from WSM

    Select a connected or managed device

    Click the Policy Manager icon on the toolbar


    Navigate Policy Manager

    From the View menu, select how policies are displayed

    Details View

    Icon View


    Navigate Policy Manager

    Use the menu bar to configure many device features.


    Navigate Policy Manager

    Security policies that control traffic through the device are represented by policies.

    To edit a security policy, double-click a policy name.


    Open and Save Configuration Files

    Open a file from your local drive or from an XTM device

    Save configuration files to your local drive or to the XTM device

    Create new configuration files in Policy Manager

    New configuration files include a basic set of policies.

    You can add more policies.


    Configure Your Device for Remote Administration

    Connect from home to monitor device status

    Change policies remotely to respond to new threats

    Make the policy as restrictive as possible for security

    Edit the WatchGuard policy to enable access from an external IP address

    You can also use Fireware XTM Web UI to configure a device (over TCP port 8080)


    Change XTM Device Passphrases

    Minimum of eight characters

    Change frequently

    Restrict their use


    Back Up the XTM Device Images

    Create and restore an encrypted backup image

    Backup includes feature key and certificate information

    Encryption key is required to restore an image


    Add XTM Device Identification Information

    XTM device name and model

    Contact information

    Time zone for log files and reports


    Upgrade Your XTM Device

    To upgrade to a new version of Fireware XTM OS:

    Back up your existing device image.

    Download and install the new version of Fireware XTM OS on your management computer.

    From Policy Manager, select File > Upgrade.

    Browse to the location of the OS upgrade file:

    C:\Program Files\Common Files\WatchGuard\Resources\Fireware XTM

    Select the correct .sysa-dl file for your device:

    XTM 2050: xtm2050_bc.sysa-dl

    XTM 1050: xtm1050_bb.sysa-dl

    XTM 8 Series: xtm8_b5.sysa-dl

    XTM 5 Series: xtm5_b0.sysa-dl

    XTMv: xtmv_c5.sysa-dl

    XTM 330: xtm330_bd.sysa-dl

    XTM 33: xtm3_aa.sysa-dl

    XTM 25, 26: xtm2_a6.sysa.dl

    XTM 21, 22, 23: xtm2_a0.sysa-dl


    Network Settings

    Configure XTM Device Interfaces


    Learning Objectives

    Configure external network interfaces with a static IP address, DHCP and PPPoE

    Configure a trusted and optional network interface

    Use the XTM device as a DHCP server

    Add WINS/DNS server locations to the device configuration

    Add Dynamic DNS settings to the device configuration

    Set up a secondary network or address

    Understand Drop-In Mode and Bridge Mode


    Add a Firewall to Your Network

    Interfaces on separate networks

    Most users have at least one external and one trusted

    External: 203.0.113.2/24

    Trusted Network: 10.0.1.1/24

    Optional Network: 10.0.2.1/24


    Beyond the Quick Setup Wizard

    The Quick Setup Wizard configures the device with external, trusted, and optional networks by default:

    eth0 = external

    eth1 = trusted

    eth2 = optional

    You can change the interface assignments. In Policy Manager, select Network > Configuration.


    Network Configuration Options

    Modify the properties of an interface

    Change the interface type (from trusted to optional, etc.)

    Add secondary networks and addresses

    Enable the DHCP server

    Configure additional interfaces

    Configure WINS/DNS settings for the device

    Add network or host routes

    Configure NAT


    Interface Independence

    You can change the interface type of any interface configured with the Quick Setup Wizard.

    You can also choose the interface type of any additional interface you enable.


    Use a Dynamic IP Address for the External Interface

    The XTM device can get a dynamic IP address for an external interface with DHCP or PPPoE.


    Use Dynamic DNS

    Register the external IP address of the XTM device with the supported dynamic DNS service, DynDNS.


    Use a Static IP Address for the External Interface

    The XTM device can use a static IP address given to you by your Internet Service Provider.


    Enable the Device DHCP Server

    Can be used on a trusted or optional interface

    Type the first and last IP addresses of the range for DHCP

    Configure up to 6 IP address ranges

    Reserve some IP addresses for specified MAC addresses


    Configure Trusted and Optional Interfaces

    1. Start with a trusted network.

    Trusted-Main: 10.0.1.1/24

    2. Add an optional network for public servers.

    Public Servers: 10.0.2.1/24

    3. As your business grows, add more trusted and optional networks.

    Finance (Trusted): 10.0.3.1/24

    Sales Force (Optional): 10.0.4.1/24

    Conference (Optional): 10.0.5.1/24


    Add WINS/DNS Servers

    All devices on the trusted and optional networks can use this server

    Use an internal server or an external server

    Used by the XTM device for DHCP, Mobile VPN, NTP time updates, and Subscription Service updates


    Secondary Networks

    Share one of the same physical networks as one of the device interfaces.

    Add an IP alias to the interface, which is the default gateway for computers on the secondary network.

    Trusted-Main: 10.0.1.1/24

    Secondary: 172.16.100.0/24


    Network or Host Routes

    Create static routes to send traffic from a device interface to a router

    The router can then send the traffic to the correct destination from the specified route.

    If you do not specify a route to a remote network or host, all traffic to that network or host is sent to the device default gateway.


    Drop-In Mode and Bridge Mode

    Use Drop-In Mode if you want to have the same logical network (subnet) spread across all device interfaces.

    Computers in this subnet can be on any device interface

    You can add a secondary address to any device interface to use an additional network on the interface

    Use Bridge Mode when you want the device to be invisible.

    You assign one IP address to the device for management connections

    Bridge Mode turns the device into a transparent Layer 2 bridge

    Select the interface configuration mode at Network > Configuration.


    Logging

    Set Up Logging and Notification


    Learning Objectives

    Set up a Log Server

    Configure the XTM device to send messages to a Log Server

    Configure logging and notification preferences

    Set the Diagnostic Log Level

    View log messages


    Introduction to the Log Server


    Log Message Types

    Traffic: Allowed and denied packets

    Alarm: An event you configure as important that requires a log message or alert

    Event: A device restart, or a VPN tunnel creation or failure

    Debug: Additional messages with diagnostic information to help you troubleshoot network or configuration problems

    Statistic: Information about the performance of the XTM device


    Configure Logging

    For log messages to be correctly stored, you must:

    Install the Log Server software

    Configure the Log Server

    Configure the XTM device to send log messages to the Log Server


    Install the Log Server

    In the WSM installer, select to install the Log Server component

    The Log Server does not have to be installed on the same computer that you use as your management computer

    The Log Server should be on a computer with a static IP address


    Configure the Log Server

    Right-click the WatchGuard Server Center icon in your Windows system tray to open WatchGuard Server Center

    The Server Center Setup Wizard starts

    Create an administrator passphrase

    Set the log encryption key


    Configure Log Database Settings

    Open WatchGuard Server Center to configure Log Server properties.

    Type the administrator passphrase.

    Select Log Server to configure Log Server settings.


    Configure Log Database Settings

    Server Settings: Database size and encryption key settings.

    Database Maintenance: Specify database backup file settings, and select to use the Built-in database or an External PostgreSQL database.

    Notification: Configure settings for event notification and the SMTP Server.

    Logging: Firebox Status (which devices are currently connected to the Log Server) and where to send log messages.


    Configure the XTM Device to Send Log Messages

    Use Policy Manager

    Set the same log encryption key that is used for the Log Server

    Backup Log Servers can be used when the primary fails


    Default Logging Policy

    When you create a policy that allows traffic, logging is not enabled by default

    When you create a policy that denies traffic, logging is enabled by default

    If denied traffic does not match a specific policy, it is logged by default


    Set the Diagnostic Log Level

    You can also configure the device to send detailed diagnostic log messages to help you troubleshoot a specific problem.

    From Policy Manager, select Setup > Logging.


    View Log Messages

    You can see log messages with two different tools:

    Traffic Monitor: Real-time monitoring in FSM from any computer with WSM


    View Log Messages

    Log and Report Manager: You can also use Log and Report Manager to see any log messages stored on the Log Server. Use the search feature to locate specific information in your log files.


    Reports

    Generate Reports of Network Activity


    Learning Objectives

    Set up and configure a Report Server

    Generate and save reports at regular intervals

    Generate and view reports

    Change report settings

    Save, print, and share reports


    WSM Reporting Architecture


    Configure the Report Server

    Install on a Microsoft Windows computer

    Can be the same computer as the Log Server

    Configure the Report Server from WatchGuard Server Center

    Select to use the Built-in database or an External PostgreSQL database

    Add one or more Log Server IP addresses

    Set report interval, report type, and notification preferences


    View Reports with Log and Report Manager

    Log and Report Manager is a web UI that is installed with the Report Server

    Add users in WatchGuard Server Center to enable them to use Log and Report Manager

    Connect to Log and Report Manager over port 4130 to view and generate reports


    View Reports with Log and Report Manager

    View Available Reports (scheduled reports)

    Create On-Demand Reports and Per Client Reports

    Launch Log and Report Manager from WSM

    Save reports in PDF format


    Monitor Your Firewall

    Monitor Activity Through the XTM Device


    Learning Objectives

    Interpret the information in the WSM display

    Use Firebox System Manager to monitor device status

    Change Traffic Monitor settings

    Use Performance Console to visualize device performance

    Use HostWatch to view network activity and block a site

    Add and remove sites from the Blocked Sites list


    WatchGuard System Manager Display


    Firebox System Manager

    Front Panel

    Traffic Monitor

    Bandwidth Meter

    Service Watch

    Status Report

    Authentication List

    Blocked Sites

    Subscription Services


    Traffic Monitor

    View log messages as they occur

    Set custom colors and fields

    Start traceroute or Ping to source and destination IP addresses

    Copy information to another application


    Performance Console

    Monitor and graph XTM device activity

    Launch from Firebox System Manager

    System Information: Firebox statistics, such as the number of total active connections and CPU usage

    Interfaces: Total number of packets sent and received through the XTM device interfaces

    Policies: Total connections, current connections, and discarded packets

    VPN Peers: Inbound and outbound SAs and packets

    Tunnels: Inbound and outbound packets, authentication errors, and replay errors


    Use HostWatch to View Connections

    Graphical display of live connections

    One-click access to more details on any connection

    Temporarily block sites


    Use the Blocked Sites List

    View sites added temporarily by the device as it blocks the source of denied packets

    Change expiration settings for temporarily blocked sites


    NAT

    Use Network Address Translation


    Learning Objectives

    Understand network address translation types

    Add dynamic NAT entries

    Use static NAT for public servers


    What is Network Address Translation?

    Turns one public IP address into many

    Protect the map of your network

    Your Network: Devices and users with private IP addresses

    NAT Enabled: Internet sees only one public address (an External XTM device IP address)


    Add Firewall Dynamic NAT Entries

    Most frequently used form of NAT

    Changes the outgoing source IP address to the external IP address of the XTM device

    Enabled by default for standard private network IP addresses, such as 192.168.0.0/16


    Static NAT for Public Servers

    Your Network (external IP address 203.0.113.2):

    Web traffic: One external IP to private static IP. Port 80 TCP, Web server, 10.0.2.80

    FTP traffic: Same external IP to second, private static IP. Port 21 TCP, FTP server, 10.0.2.21

    SMTP traffic: Same external IP to third, private static IP. Port 25 TCP, Email server, 10.0.2.25


    1-to-1 NAT for Public Servers

    Your Network

    NetMeeting traffic: Dedicated IP address on the external

    IKE traffic: Second dedicated public IP address

    Intel Phone (H.323): Another external IP address

    10.0.2.11: NetMeeting (Ports 1720, 389, dynamic)

    10.0.2.12: IKE (Without NAT-T)

    10.0.2.13: Intel-Video-Phone (Ports 1720, 522)
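
    The three NAT types from the preceding slides (dynamic, static, and 1-to-1), modelled side by side as an added Python example; it is not part of the original presentation or of WatchGuard software. The 1-to-1 external addresses 203.0.113.11 to 203.0.113.13 are constructed, and the RFC 1918 list is an assumed stand-in for the default dynamic NAT entries.

```python
"""Toy model of dynamic, static and 1-to-1 NAT using the slide addresses.

Added illustration only: it models address translation, not firewall policy.
"""
import ipaddress

EXTERNAL_IP = "203.0.113.2"   # external interface address shown on the slides

# Dynamic NAT: private source ranges are rewritten to the external address.
# Assumption: the RFC 1918 ranges stand in for the device defaults.
DYNAMIC_NAT_SOURCES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Static NAT: (external IP, protocol, port) -> internal server, per the slide.
STATIC_NAT = {
    (EXTERNAL_IP, "tcp", 80): "10.0.2.80",   # web server
    (EXTERNAL_IP, "tcp", 21): "10.0.2.21",   # FTP server
    (EXTERNAL_IP, "tcp", 25): "10.0.2.25",   # email server
}

# 1-to-1 NAT: a dedicated external address per internal host, all ports.
# The external addresses are constructed; the slide does not list them.
ONE_TO_ONE_NAT = {
    "203.0.113.11": "10.0.2.11",   # NetMeeting
    "203.0.113.12": "10.0.2.12",   # IKE
    "203.0.113.13": "10.0.2.13",   # Intel-Video-Phone
}


def translate_outbound(src_ip):
    """Return the source address the Internet sees for an outgoing packet."""
    # In this model a 1-to-1 mapping wins over dynamic NAT.
    for external, internal in ONE_TO_ONE_NAT.items():
        if internal == src_ip:
            return external
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in DYNAMIC_NAT_SOURCES):
        return EXTERNAL_IP
    return src_ip   # already a public address: left untranslated


def translate_inbound(dst_ip, proto, dst_port):
    """Return the internal destination for an incoming packet, or None."""
    if dst_ip in ONE_TO_ONE_NAT:
        return ONE_TO_ONE_NAT[dst_ip]   # port is not part of the mapping
    return STATIC_NAT.get((dst_ip, proto, dst_port))


def exposed_surface():
    """Map each internal host to the ports NAT makes addressable from outside."""
    surface = {}
    for (_, proto, port), host in STATIC_NAT.items():
        surface.setdefault(host, set()).add(f"{proto}/{port}")
    for host in ONE_TO_ONE_NAT.values():
        surface[host] = {"any"}   # only the policy narrows this, not NAT
    return surface


if __name__ == "__main__":
    for host, ports in sorted(exposed_surface().items()):
        print(host, sorted(ports))
```

    In the output, the static NAT servers are addressable on one port each, while the 1-to-1 hosts show "any": for those hosts the policy's port list is the only thing that limits inbound access.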


    Configure Policies

    You can customize 1-to-1 NAT and Dynamic NAT settings in each policy

    The settings in Network > NAT apply unless you modify the NAT settings in a policy

    Use the Set Source IP option when you want any traffic that uses this policy to show a specified address from your public or external IP address range as the source IP address.


    Configure Policies

    To configure a policy to use static NAT, click Add in the To section of the policy, then select Add SNAT.

    You can also select Setup > Actions > SNAT to add, edit, or delete SNAT actions.


    Policies

    Convert Network Policy to Device Configuration


    Learning Objectives

    Understand the difference between a packet filter policy and a proxy policy

    Add a policy to Policy Manager and configure its access rules

    Create a custom packet filter policy

    Set up logging and notification rules for a policy

    Use advanced policy properties

    Understand the function of the Outgoing policy

    Understand the function of the TCP-UDP proxy

    Understand the function of the WatchGuard policy

    Understand how the XTM device determines policy precedence


    94/216

    What is a Policy?

    A rule to limit access through the XTM device

    Can be configured to allow traffic or deny traffic

    Can be enabled or disabled

    Applies to specific port(s) and protocols

    Applies to traffic that matches From and To fields:

    From: Specific source hosts, subnets, or users/groups

    To: Specific destination hosts, subnets, or users/groups


    95/216

    Packet Filters, Proxies, and ALGs

    Two types of policies:

    Packet Filter: Examines the IP header of each packet, and operates at the network and transport protocol packet layers.

    Proxy & ALG (Application Layer Gateway)

    Proxy: Examines the IP header and the content of a packet at the application layer. If the content does not match the criteria you set in your proxy policies, you can set the proxy to deny the packet. Some proxy policies allow you to remove the disallowed content.

    ALG: Completes the same functions as a proxy, but also provides transparent connection management.

    Proxy policies and ALGs examine the commands used in the connection

    to make sure they are in the correct syntax and order, and use deep

    packet inspection to make sure that connections are secure.


    96/216

    Packet Filters, Proxies, and ALGs

    Proxies & ALGs:

    Remove all the network data

    Examine the contents

    Add the network data again

    Send the packet to its destination


    97/216

    What are Packet Filters, Proxies, and ALGs?

    [Figure: comparison of what a Packet Filter and a Proxy & ALG examine. Items shown: Source, Destination, Port(s)/Protocols, Packet body, Attachments, RFC Compliance, Commands]

    98/216

    Add a Policy in Policy Manager

    1. Select a policy from a pre-defined list.

    2. Decide if the policy allows or denies traffic.

    3. Configure the source (From) and destination (To).

    99/216

    Modify Policies

    To edit a policy, double-click the policy

    By default, a new policy:

    Is enabled and allowed

    Allows traffic on the port(s) specified by

    the policy

    Allows traffic from any trusted network to any external destination


    100/216

    Change Policy Sources and Destinations

    You can:

    Select a pre-defined alias, then click Add.

    Click Add User to select an authentication user or group.

    Click Add Other to add a host IP address, network IP address, or host range.


    101/216

    When do I use a custom policy?

    A custom policy can be either a packet filter or proxy policy.

    Use a custom policy if:

    None of the pre-defined policies include the specific combination of ports that

    you want.

    You need to create a policy that uses a protocol other than TCP or UDP.


    102/216

    Logging and Notification for Policies

    When you enable logging in a policy, you can also select whether the

    XTM device sends a notification message or triggers an SNMP trap.

    Notification options include:

    Send email to a specified address

    A pop-up notification on the Log Server


    103/216

    Set Logging Rules for a Policy

    The XTM device generates log messages

    for many different types of activities

    You enable logging for policies to specify

    when log messages are generated and

    sent to the Log Server


    104/216

    What is Precedence?

    Precedence is used to decide which policy controls a connection when

    more than one policy could control that connection

    In Details view, the higher the policy appears in the list, the greater its

    precedence.

    If two policies could apply to a connection, the policy higher in the list

    controls that connection


    105/216

    What is Precedence?

    Policies can be moved up or down in Manual Order mode to set

    precedence, or restored to the order assigned by Policy Manager with

    Auto-Order Mode
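The first-match rule from the two precedence slides, as an added Python example (not from the WatchGuard course or from Policy Manager). It evaluates an ordered policy list top-down and flags policies that can never match because a higher policy already covers them. Policy names, addresses and the deny-when-nothing-matches fallback are assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_NET = ("0.0.0.0/0",)


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                 # "allow" or "deny"
    protocol: str               # "tcp", "udp", or "any" (TCP and UDP)
    ports: frozenset            # destination ports; empty set means any port
    src: tuple = ANY_NET        # From: list of CIDR networks
    dst: tuple = ANY_NET        # To: list of CIDR networks
    enabled: bool = True

    def matches(self, proto, src_ip, dst_ip, dport):
        if not self.enabled:
            return False
        if self.protocol not in ("any", proto):
            return False
        if self.ports and dport not in self.ports:
            return False
        return _in_any(src_ip, self.src) and _in_any(dst_ip, self.dst)


def _in_any(addr, cidrs):
    ip = ip_address(addr)
    return any(ip in ip_network(c) for c in cidrs)


def evaluate(policies, proto, src_ip, dst_ip, dport):
    """Return (policy name, action) of the highest policy that matches."""
    for policy in policies:                      # list order is precedence
        if policy.matches(proto, src_ip, dst_ip, dport):
            return policy.name, policy.action
    return None, "deny"                          # assumed fallback of this model


def _covers(outer, inner):
    """True if every network in `inner` sits inside some network in `outer`."""
    return all(
        any(ip_network(i).subnet_of(ip_network(o)) for o in outer) for i in inner
    )


def shadowed(policies):
    """List (lower, higher) pairs where `higher` always wins over `lower`.

    Conservative check: it only compares one higher policy at a time.
    """
    pairs = []
    for index, low in enumerate(policies):
        if not low.enabled:
            continue
        for high in policies[:index]:
            if not high.enabled:
                continue
            proto_ok = high.protocol in ("any", low.protocol)
            ports_ok = not high.ports or bool(low.ports and low.ports <= high.ports)
            if (proto_ok and ports_ok
                    and _covers(high.src, low.src) and _covers(high.dst, low.dst)):
                pairs.append((low.name, high.name))
                break
    return pairs


# Constructed sample policies (names and addresses are hypothetical).
KIOSK_DENY = Policy("HTTP-Deny-Kiosk", "deny", "tcp", frozenset({80}),
                    src=("10.0.1.50/32",))
HTTP = Policy("HTTP", "allow", "tcp", frozenset({80}), src=("10.0.1.0/24",))
OUTGOING = Policy("Outgoing", "allow", "any", frozenset(),
                  src=("10.0.1.0/24", "10.0.2.0/24"))

SPECIFIC_FIRST = [KIOSK_DENY, HTTP, OUTGOING]    # narrow rules on top
GENERAL_FIRST = [OUTGOING, HTTP, KIOSK_DENY]     # broad rule moved to the top

if __name__ == "__main__":
    conn = ("tcp", "10.0.1.50", "198.51.100.10", 80)
    print("specific first:", evaluate(SPECIFIC_FIRST, *conn))
    print("general first: ", evaluate(GENERAL_FIRST, *conn))
    print("shadowed:", shadowed(GENERAL_FIRST))
```

With the broad Outgoing policy on top, the kiosk deny rule is never reached, which is the situation to look for after reordering policies by hand.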


    106/216

    Advanced Policy Properties

    Schedules

    Connection rate limits

    Override NAT settings

    QoS settings

    ICMP error handling


    107/216

    Schedule Policies

    Set the times of day when the policy is enabled


    108/216

    Understand the Outgoing policy

    The Outgoing packet filter policy is added in the default configuration

    Allows all outgoing TCP and UDP connections from trusted and optional

    networks to external networks

    Enables the XTM device to work out of the box but could have security

    problems

    If you remove the Outgoing policy, you must add policies to allow outgoing traffic


    109/216

    Understand the TCP-UDP proxy

    Enables TCP and UDP

    protocols for outgoing

    traffic

    Applies proxy rules to

    traffic for the HTTP,

    HTTPS, SIP, and FTP protocols, regardless of

    the port numbers

    Blocks selected IM and

    P2P applications,

    regardless of port.


    110/216

    The WatchGuard Policy

    Controls management connections

    to the XTM device

    By default, this policy allows only

    local administration of the device.

    You must edit the configuration to

    allow remote administration.


    111/216

    Find Policy Tool

    Fireware XTM features a utility to find policies that match the search

    criteria you specify.

    With Find Policies,

    you can quickly

    check for policies

    that match user or group names,

    IP addresses,

    port numbers,

    and protocols.


    112/216

    Proxy Policies

    Use Proxy Policies and ALGs to

    Protect Your Network


    113/216

    Learning Objectives

    Understand the purpose and configuration of proxy policies and ALGs

    Configure the DNS-proxy to protect DNS server

    Configure an FTP-Server proxy action

    Configure an FTP-Client proxy action

    Enable logging for proxy actions


    114/216

    What are Proxies and ALGs?

    Proxy policies and ALGs (Application Layer Gateway) are powerful and

    highly customizable application inspection engines and content filters.

    A packet filter looks at IP header information only.

    A proxy or ALG looks at the content of the network data. ALGs also

    provide transparent connection management.


    115/216

    What is the DNS Proxy?

    Domain Name System

    Validates all DNS traffic

    Blocks badly formed DNS packets

    Fireware XTM includes two methods to control DNS traffic:

    DNS packet filter: IP headers only

    DNS-Proxy: filter content


    116/216

    Control Incoming Connections

    Use the DNS-Incoming action as a template

    You own the server

    You decide who gets to

    connect to the server

    [Diagram: DNS server, DNS Proxy, Your network]

    117/216

    Configuring DNS-Incoming

    General

    OpCodes

    Query Types

    Query Name

    Intrusion Prevention

    Proxy Alarm


    118/216

    Control Outgoing Connections

    Use the DNS-Outgoing action as a template

    Operates with Intrusion Prevention Service

    Deny queries for specified

    domain names

    [Diagram: DNS server, DNS Proxy, Your Network]

    119/216

    Use DNS-Outgoing

    Use DNS-Outgoing to block DNS requests for services, such as

    queries for:

    POP3 servers

    Advertising networks

    IM applications

    P2P applications
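What the DNS slides describe (blocking badly formed DNS packets, then applying OpCodes, Query Types and Query Name rulesets), sketched as an added Python example that is not WatchGuard code. The allowed opcode and query-type sets and the denied name patterns are assumed values for illustration, and the sample queries are constructed in the block.

```python
import struct
from fnmatch import fnmatchcase

# Assumed rule values for this example; they are not WatchGuard defaults.
ALLOWED_OPCODES = {0}                               # 0 = standard QUERY
ALLOWED_QTYPES = {1, 2, 5, 6, 12, 15, 16, 28}       # A NS CNAME SOA PTR MX TXT AAAA
DENIED_NAME_PATTERNS = ("*.ads.example", "pop3.*")  # constructed patterns


def build_query(name, qtype=1, opcode=0, txid=0x1234):
    """Build a one-question DNS query in wire format (sample-input helper)."""
    flags = (opcode << 11) | 0x0100                 # RD set, QR clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Parse the header and single question; raise ValueError if malformed."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("question count is not 1")

    labels, pos, name_len = [], 12, 0
    while True:
        if pos >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Labels are at most 63 octets; this model also rejects
            # compression pointers in the question of a query.
            raise ValueError("label longer than 63 octets or pointer in question")
        if pos + length > len(packet):
            raise ValueError("label runs past end of packet")
        name_len += length + 1
        if name_len > 254:                          # 255 with the root octet
            raise ValueError("name longer than 255 octets")
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length

    if pos + 4 > len(packet):
        raise ValueError("missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"opcode": (flags >> 11) & 0xF, "qname": ".".join(labels),
            "qtype": qtype, "qclass": qclass}


def inspect_query(packet):
    """Return (verdict, reason) after the four checks, in order."""
    try:
        q = parse_question(packet)
    except ValueError as exc:
        return "deny", f"malformed: {exc}"
    if q["opcode"] not in ALLOWED_OPCODES:
        return "deny", f"opcode {q['opcode']} not allowed"
    if q["qtype"] not in ALLOWED_QTYPES:
        return "deny", f"query type {q['qtype']} not allowed"
    for pattern in DENIED_NAME_PATTERNS:
        if fnmatchcase(q["qname"], pattern):
            return "deny", f"query name matches {pattern}"
    return "allow", q["qname"]


if __name__ == "__main__":
    samples = {
        "normal A query": build_query("www.example.com"),
        "advertising name": build_query("tracker.ads.example"),
        "UPDATE opcode": build_query("example.com", opcode=5),
        "zone transfer (AXFR)": build_query("example.com", qtype=252),
        "truncated packet": build_query("www.example.com")[:20],
    }
    for label, packet in samples.items():
        print(f"{label:22} -> {inspect_query(packet)}")
```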


    120/216

    Fireware XTM Proxies

    DNS

    FTP

    H323 and SIP (Application Layer Gateways)

    HTTP and HTTPS

    SMTP and POP3

    TCP-UDP

    Applies the proxies to traffic on all TCP ports


    121/216

    What is a Proxy Action?

    A set of rules that tell the XTM device how to apply one of the proxies to traffic of a specific type.

    You can apply a proxy action to more than one policy.


    122/216

    Import/Export Proxy Actions

    You can import and export:

    Entire user-created proxy actions (not predefined proxy actions)

    Rulesets

    WebBlocker exceptions

    spamBlocker exceptions


    123/216

    What is FTP?

    File Transfer Protocol

    Often used to move files between two locations

    Client and server architecture

    Fireware XTM includes two methods to control:

    FTP packet filter: IP headers only

    FTP-proxy: content and commands


    124/216

    FTP-Proxy

    Restricts the types of commands and files that can be sent through FTP

    Works with the

    Gateway AV Service


    125/216

    FTP-Client Action Rulesets

    General

    Commands

    Download

    Upload

    AntiVirus

    Proxy and

    AV alarms


    126/216

    Control Incoming Connections

    Use the FTP-Server proxy action as a template

    The FTP server must be protected by the XTM device

    You decide who can connect to the FTP server

    [Diagram: Anybody, FTP Proxy, Your FTP server]

    127/216

    Define FTP-Server Action Rulesets

    General

    Commands

    Download

    Upload

    AntiVirus

    Proxy alarms

    The same options that are available in the FTP-Client proxy action are also available in the FTP-Server proxy action.

    Smart defaults are used in each ruleset to protect clients (FTP-Client) and servers (FTP-Server).


    128/216

    Logging and Proxies

    Proxy policies contain many more advanced options for logging than packet filter policies.

    Each proxy category has its own check box to enable logging.

    If you want detailed reports with information on packets handled by proxy policies, make sure you select the Enable logging for reports check box in each proxy action.


    129/216

    Email Proxies

    Work with the SMTP and POP3 Proxies


    130/216

    Learning Objectives

    Understand the SMTP and POP3 proxies

    Understand the available actions for email

    Control incoming email

    Control outgoing email


    131/216

    SMTP and POP3 Proxies

    Used to restrict the types and size of files sent and received

    in email

    Operate with Gateway AV

    and spamBlocker


    132/216

    Proxy Actions Available for Email

    Default actions available:

    Allow: Email is allowed through your device

    Lock: Email is allowed through your device; the attachment is encoded so only the XTM device administrator can open it

    AV Scan: Gateway AntiVirus is used to scan the attachment

    Strip: Email is allowed through your device, but the file attachment(s) are deleted

    Drop: The SMTP connection is closed

    Block: The SMTP connection is closed and the sender is added to the blocked sites list

    Also available with Gateway AntiVirus and spamBlocker:

    Quarantine: Email is stored on the Quarantine Server (only with SMTP) and is not sent to the recipient


    133/216

    Control Incoming Email

    Use SMTP-Incoming and POP3-Server actions as a template

    You decide what email you want to allow

    [Diagram: Anybody, SMTP Proxy, Your SMTP server, Your users]

    134/216

    Control Outgoing Email

    Use SMTP-Outgoing or POP3-Client action as a template

    You know the users

    You decide what they can send

    [Diagram: Your users, SMTP Proxy, Their email server, Anybody]

    135/216

    Authentication

    Verify a User's Identity


    136/216

    Learning Objectives

    Understand authentication and how it works with the XTM device

    List the types of third-party authentication servers you can use with

    Fireware XTM

    Use Firebox authentication users and groups

    Add a Firebox authentication group to a policy definition

    Modify authentication timeout values

    Use the XTM device to create a custom web server certificate


    137/216

    What is User Authentication?

    Identify each user as they connect to network resources

    Restrict policies by user name


    138/216

    WatchGuard Authentication

    The user browses to the XTM device interface IP address on TCP port 4100

    The XTM device presents an authentication page

    The XTM device verifies that the credentials entered are correct, and allowed for the type of connection

    The XTM device allows access to resources valid for that authenticated user or group


    139/216

    Supported Authentication Servers

    Firebox

    RADIUS

    VASCO

    SecurID

    LDAP

    Active Directory

    Single Sign-On option


    140/216

    Use Firebox Authentication

    To use the XTM device as an authentication server:

    Make groups

    Define users

    Edit policies


    141/216

    Edit Policies for Authentication

    Create users and groups

    Use the user and group names in policy properties

    Define From or To information


    142/216

    Use Third-Party Servers

    Set up a third-party authentication server

    Get configuration information, such as secrets and IP addresses

    Make sure the authentication server can contact the XTM device


    143/216

    Set Global Authentication Values

    Session and idle timeout values

    Number of concurrent connections

    Enable Single Sign-On with

    Active Directory authentication

    Enable redirect to the authentication page if the user is not yet authenticated

    After users authenticate, they are redirected to the site they originally selected.

    Specify the authentication server that appears at the top of the Domain list in the Authentication Portal

    Configure Terminal Services


    144/216

    Enable Single Sign-On

    Transparent authentication, no need to open a web page

    Available with Windows Active Directory

    Install the SSO Agent on a Windows server with a static IP address

    Install the SSO Client on all workstations

    (Optional but highly recommended)

    Install the Event Log Monitor on the domain controller

    SSO Agent passes user credentials to the XTM device

    Use SSO exceptions for IP addresses that cannot authenticate (computers that are not domain members, or non-Windows PCs)


    145/216

    Enable Terminal Services

    Enables users to authenticate to your XTM device over a

    Terminal Server or Citrix server

    Enables your XTM device to

    report the actual IP address

    of each user logged in to the

    device

    Can use with any configured

    authentication method

    (e.g. Firebox authentication,

    Active Directory, RADIUS, etc.)


    146/216

    Fireware XTM Web Server Certificate

    Why does the user get warnings from the browser?

    Name on the certificate does not match

    the URL

    Fix this problem with a custom certificate

    that has all of the XTM device

    IP addresses as possible name matches

    User must still import

    this certificate to

    trusted root stores


    147/216

    Blocking Spam

    Stop Unwanted Email

    with spamBlocker


    148/216

    Learning Objectives

    Activate and configure spamBlocker

    Specify the actions to take when bulk email is detected

    Block or allow email messages from specified sources

    Monitor spamBlocker activity

    Install and configure Quarantine Server


    149/216

    What is spamBlocker?

    Technology licensed from Commtouch to identify spam, bulk, or suspect email

    No local server to install

    You can install Quarantine Server, but it is not necessary for spamBlocker to work

    correctly.

    XTM device sends information to external servers to classify email and caches the results

    Operates with the SMTP and POP3 proxies

    You must have an SMTP or POP3 proxy action configured to use

    spamBlocker


    150/216

    Activate spamBlocker

    A feature key is required to enable spamBlocker

    Use Policy Manager or FSM to add the feature key

    Save the configuration to the XTM device

    Run the Activate spamBlocker Wizard


    151/216

    Configure a Policy for spamBlocker

    Use the SMTP-proxy or POP3-proxy

    Choose the proxy

    response to spam

    categorization

    Add exceptions


    152/216

    spamBlocker Actions

    Spam is classified into three categories:

    Spam

    Bulk

    Suspect

    For each category, you can configure the action taken:

    Allow

    Add Subject Tag

    Quarantine (SMTP only)

    Deny (SMTP only)

    Drop (SMTP only)


    153/216

    spamBlocker Exceptions

    You can configure exceptions for specific

    senders or recipients by:

    Email address

    Domain by pattern

    match (*@xyz.com)


    154/216

    Customize spamBlocker

    Use multiple SMTP or POP3 proxies


    155/216

    Monitor spamBlocker Activity

    Status visible in Firebox System

    Manager

    Select the

    Subscription

    Services tab


    156/216

    Quarantine Spam

    Quarantine Server operates with spamBlocker for the SMTP-proxy only (not the POP3-proxy)

    Install with server components during WSM install, or from WatchGuard

    Server Center

    157/216

    Quarantine Server Configuration

    You can configure:

    Database size and administrator notifications

    Server settings

    Length of time to keep messages

    The domains for which the Quarantine Server keeps mail

    Rules to automatically remove messages:

    From specific senders

    From specific domains

    That contain specific text in the Subject field


    158/216

    Web Traffic

    Manage Web Traffic

    Through Your Firewall

    159/216

    Learning Objectives

    Control outgoing HTTP traffic

    Protect your web server

    Use the HTTPS-proxy

    Set up WebBlocker

    Select categories of web sites to block

    Override WebBlocker rules for specified sites

    160/216

    What is the HTTP-Proxy?

    Fully configurable HTTP requests and responses

    Use URL paths to block complete URLs, or match a pattern you specify

    Select header fields, protocol settings, and request/response methods

    Allow or deny based on content types

    Block the transfer of all or some attachments over port 80

    Allow or deny cookies from specified domains

    Enforce search engine Safe Search rules

    161/216

    Control Outgoing HTTP Traffic

    Use the HTTP-Client proxy action as a template

    You know the users

    You decide where they go and what they can get access to

    Enforce Safe Search rules

    [Diagram: Your Network, HTTP Proxy]

    162/216

    Settings for the HTTP-Client Proxy Action

    HTTP Request

    HTTP Response

    Use Web Cache Server

    HTTP Proxy Exceptions

    WebBlocker

    AntiVirus

    Reputation Enabled Defense

    Deny Message

    Proxy and AV Alarms

    163/216

    Protect Your Web Server

    Use the HTTP-Server proxy action template

    Block malformed packets

    Prevent attacks on your server

    Enforce Safe Search rules

    [Diagram: Your Network, Web Server, HTTP Proxy]

    164/216

    Settings for the HTTP-Server Proxy Action

    HTTP Request

    HTTP Response

    HTTP Proxy Exceptions

    WebBlocker

    AntiVirus

    Reputation Enabled Defense

    Deny Message

    Proxy and AV Alarms

    165/216

    When to Use the HTTPS-Proxy

    HTTP on a secure, encrypted channel (SSL)

    Can use Deep Packet Inspection (DPI) to examine content and re-sign the original HTTPS site certificate

    OCSP can confirm the validity of the original HTTPS site certificate

    Use a certificate that all clients on your network automatically trust for this purpose when possible

    Can use WebBlocker to block categories of web sites

    When DPI is not enabled, checks the certificate and blocks by domain name

    166/216

    What is WebBlocker?

    Reduces malicious web content that enters the network

    Blocks URLs and IP addresses that you specify

    Reduces unproductive web surfing and potential liability

    Blocks access to IM/P2P download sites

    Blocks access to spyware sites

    Helps schools to attain CIPA compliance

    Regular database updates

    Global URL database: English, German, Spanish, French, Italian, Dutch, Japanese, traditional Chinese, and simplified Chinese sites

    167/216

    Set Up WebBlocker

    [Diagram: Your Network, WebBlocker Server, WatchGuard WebBlocker Updates, Web Site]

    1. WebBlocker Server gets WebBlocker database from WatchGuard

    2. When a user browses, the XTM device checks the WebBlocker Server

    3. If the site is allowed, the device allows the connection

    168/216

    The WebBlocker Database

    Database created and maintained by Websense

    Database updates keep the filtering rules up-to-date

    Use multiple categories to allow or deny different groups of users at different times of the day

    169/216

    Keep the WebBlocker Database Updated

    The WebBlocker Server automatically downloads an incremental update to the local WebBlocker database at midnight.

    To update the database at other times, you can:

    Manually trigger an incremental update in WatchGuard Server Center.

    Use Windows Task Scheduler to run the updatedb.bat process, which is

    installed in the C:\Program Files\WatchGuard\wsm11\bin directory.

    170/216

    Advanced WebBlocker Settings

    On the WebBlocker Configuration Advanced tab, you can control what happens if the device cannot contact the WebBlocker Server.

    You can:

    Allow access to all web sites

    Deny access to all web sites

    You can also set a password that overrides WebBlocker when entered on individual computers.

    171/216

    WebBlocker Exceptions

    Add exceptions for web sites that WebBlocker denies and

    you want to allow (white list).

    Add web sites that WebBlocker

    allows and you want to deny

    (black list).


    172/216

    Threat Protection

    Defend Your Network

    From Intruders

    173/216

    Learning Objectives

    Understand the different types of intrusion protection

    Configure default packet handling to stop common attacks

    Block IP addresses and ports used by hackers

    Automatically block the sources of suspicious traffic

    174/216

    Intrusion Detection and Prevention

    [Diagram labels: Hacker builds attack that uses vulnerability; Attack launched; Attack signature developed and distributed; Vendor builds patch; Vendor distributes patch; IT admin installs patch; Proactively blocks many threats; Ongoing protection at higher performance; Firewall-based IPS supplies zero-day protection; IT admin queues patch update based on severity; Vulnerability found and exposed]

    175/216

    Default Packet Handling

    Spoofing attacks

    Port and address space probes

    Flood attacks

    Denial of service

    Options for logging and automatic blocking

    176/216

    Block the Source of Attacks

    [Diagram: Your Network, Log Server, Web Server]

    Remote users use valid packets to browse your web site.

    Attacker runs a port space probe on your network.

    XTM device blocks the probe and

    adds the source to the temporary

    list of blocked sites.

    Now, even valid traffic from that

    address is blocked by the XTM device.
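The sequence on this slide (probe detected, source added to the temporary blocked sites list, later valid traffic from that source also denied), replayed as an added Python simulation that is not WatchGuard code. The probe threshold, time window, block duration, addresses and events are constructed values chosen for the example.

```python
from collections import defaultdict, deque


class BlockedSites:
    """Toy model of a temporary blocked-sites list fed by probe detection."""

    def __init__(self, allowed_ports, probe_ports=10, window=1.0,
                 block_seconds=1200.0):
        self.allowed_ports = frozenset(allowed_ports)
        self.probe_ports = probe_ports        # distinct ports that count as a probe
        self.window = window                  # seconds over which ports are counted
        self.block_seconds = block_seconds    # how long an auto-block lasts
        self.blocked = {}                     # source IP -> expiry timestamp
        self.recent = defaultdict(deque)      # source IP -> (timestamp, port)

    def handle(self, ts, src, dport):
        """Return the verdict for one packet seen at time `ts`."""
        expiry = self.blocked.get(src)
        if expiry is not None:
            if ts < expiry:
                # The list is checked before any policy, so even a packet
                # that a policy would allow is denied here.
                return "deny (blocked site)"
            del self.blocked[src]             # temporary entry has expired

        seen = self.recent[src]
        seen.append((ts, dport))
        while seen and ts - seen[0][0] > self.window:
            seen.popleft()
        if len({port for _, port in seen}) >= self.probe_ports:
            self.blocked[src] = ts + self.block_seconds
            seen.clear()
            return "deny (port probe, source auto-blocked)"

        return "allow" if dport in self.allowed_ports else "deny (no policy)"


def replay(firewall, events):
    """Feed (timestamp, source, destination port) events through the model."""
    return [firewall.handle(ts, src, dport) for ts, src, dport in events]


# Constructed events: a normal visitor and a source that sweeps ten ports.
VISITOR, PROBER = "198.51.100.7", "192.0.2.99"
EVENTS = (
    [(0.0, VISITOR, 80)]
    + [(1.0 + i * 0.01, PROBER, 20 + i) for i in range(10)]
    + [(5.0, PROBER, 80), (5.0, VISITOR, 80), (1300.0, PROBER, 80)]
)

if __name__ == "__main__":
    fw = BlockedSites(allowed_ports={80})
    for event, verdict in zip(EVENTS, replay(fw, EVENTS)):
        print(event, "->", verdict)
```

The last event shows the entry expiring: the list is temporary, so the same source is allowed again once the block duration has passed.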

    177/216

    Auto-Block Sites

    Each policy configured to deny traffic has a check box you can select to auto-block the source of the denied traffic.

    If you select it, the source IP address of any packet denied by the policy is automatically added to the Blocked Sites List.

    178/216

    Use a Proxy Action to Block Sites

    When you select the Block action, the IP address denied by the proxy action is automatically added to the Blocked Sites List.

    179/216

    Block Known Attack Vectors

    Protect sensitive services on your network

    Get log messages

    Close traffic for unwanted services

    Static configuration

    Add specific ports to block

    Add specific IP addresses or subnets

    to be permanently blocked

    Dynamic configuration

    This feature can be enabled from many

    different places in Policy Manager:

    Proxy actions

    Default packet handling settings

    Policy configuration


    180/216

    Signature Services

    Gateway AntiVirus, Intrusion

    Prevention, and Application Control

    181/216

    Learning Objectives

    Understand how signature-based security subscriptions work

    Set up and configure Gateway AntiVirus

    Configure proxies to use Gateway AntiVirus

    Set up and configure the Intrusion Prevention Service

    Set up and configure Application Control

    Enable IPS and Application Control in policies

    182/216

    What is Gateway AV?

    Signature-based antivirus subscription

    The XTM device downloads signature database updates at regular, frequent intervals

    Gateway AV operates with the SMTP, HTTP, FTP, POP3, and TCP-UDP proxies

    Set Up Gateway AntiVirus

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    183/216

    Gateway AntiVirus database updates

    XTM device downloads the initial signature file

    Gateway AV strips viruses and allows valid email or web pages to load

    Device gets new signatures and updates at a regular interval

    Your Network

    WatchGuard

    Gateway AV Wizard

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    184/216

    Gateway AV can be enabled and configured with a wizard you launch from the Subscription Services menu

    The wizard asks you to select which proxy policies you want to configure Gateway AV for

    Configure the Proxy with Gateway AntiVirus

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    185/216

    Use the HTTP and SMTP proxies to enable Gateway AV

    Define actions

    Define content types to scan

    Monitor Gateway AV status

    Gateway AV and the SMTP-Proxy

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    186/216

    When an email attachment contains a known virus signature, the XTM device can:

    Allow: Attachment passes through with no change

    Lock: Attachment can only be opened by an administrator

    Remove: Attachment is stripped from the email

    Quarantine: Message is sent to the Quarantine Server

    Drop: The connection is denied

    Block: The connection is denied, and the server is added to the Blocked Sites list

    Gateway AV and the HTTP-Proxy

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    187/216

    When Gateway AV finds a known virus signature in an HTTP session, the XTM device can:

    Allow: The file is allowed to pass through without changes

    Drop: The HTTP connection is denied

    Block: The HTTP connection is denied, and the web server is added to the Blocked Sites list

    Gateway AV and the FTP-Proxy

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    188/216

    The FTP-proxy applies Gateway AV settings to:

    Downloaded files allowed in your configuration

    Uploaded files allowed in your configuration

    Gateway AV Settings

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    189/216

    Select this option if you want Gateway AV to decompress file formats such as .zip or .tar

    The number of levels to scan is the depth for which Gateway AV scans archive files inside archive files
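
The effect of a "levels to scan" setting can be seen in a simplified model. This is an added example, not WatchGuard code: the marker string, the size cap and the function names are assumptions made for the illustration, and it handles only .zip archives.

```python
import io
import zipfile

# Constructed marker standing in for a virus signature (not a real signature).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"
MAX_MEMBER_BYTES = 1_000_000  # assumed cap so one huge member cannot exhaust memory


def make_nested_zip(payload: bytes, layers: int) -> bytes:
    """Build constructed test input: payload wrapped in `layers` zip archives."""
    data, name = payload, "file.bin"
    for _ in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "inner.zip"
    return data


def scan(data: bytes, levels: int, depth: int = 0) -> str:
    """Return 'infected', 'clean', or 'unscanned' (inspection stopped early)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "infected" if SIGNATURE in data else "clean"
    if depth >= levels:
        return "unscanned"  # archive sits deeper than the configured levels
    results = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.infolist():
            if member.file_size > MAX_MEMBER_BYTES:
                results.add("unscanned")  # too large to unpack safely
                continue
            results.add(scan(zf.read(member), levels, depth + 1))
    if "infected" in results:
        return "infected"
    # Report "unscanned" rather than "clean" when any part was not inspected.
    return "unscanned" if "unscanned" in results else "clean"


if __name__ == "__main__":
    for layers in range(4):
        sample = make_nested_zip(SIGNATURE, layers)
        print(f"{layers} archive layers, 2 levels scanned:", scan(sample, levels=2))
```

Keeping "unscanned" separate from "clean" lets the result of a depth-limited scan be logged or handled differently from content that was fully inspected.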

    Use Signature-Based IPS

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    190/216

    Configure IPS to Allow, Drop, or Block connections from sources that match an IPS signature

    Action is set based on the threat level of the matching signature

    Use Signature-Based IPS

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    191/216

    Configure settings globally

    Enable or disable per-policy

    Can scan traffic for all policies

    Blocks malicious threats before they enter your network

    Use Application Control

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    192/216

    Application Control is a Subscription Service

    Monitor and control hundreds of applications based on signatures

    Block or allow traffic for application categories, applications, and application behaviors

    When Application Control blocks HTTP content, a deny message appears in the browser

    The deny message is not configurable

    For HTTPS or other content types, the deny message does not appear

    Use Application Control

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    193/216

    Click Select by Category to configure actions by application category


    Apply Application Control to Policies

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    194/216

    First configure Application Control actions

    On the Policies tab, select one or more policies, then select the action to apply

    Enable Application Control and IPS in Policies

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    195/216

    Application Control

    Application Control is not automatically enabled for policies

    For each policy, you select which Application Control action to use

    To monitor the use of applications, enable logging of allowed packets in the policies that have Application Control enabled

    IPS

    When you enable IPS it is enabled for all policies by default

    You can enable or disable IPS for each policy

    Enable Automatic Signature Updates

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    196/216

    To protect against the latest viruses and exploits, and to identify the latest applications, make sure your device is configured to get automatic updates to Gateway AntiVirus, Intrusion Prevention, and Application Control signatures at regular intervals

    Update requests can be routed through a proxy server

    Monitor Signature Update Status

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    197/216

    In Firebox System Manager, select the Subscription Services tab to see the status of Gateway AV, IPS and Application Control signatures, or to manually get signature updates

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    198/216

    Reputation Enabled Defense

    Improve the Performance and Security of Web Access

    Learning Objectives

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    199/216

    Understand how Reputation Enabled Defense works

    Configure Reputation Enabled Defense

    Monitor Reputation Enabled Defense

    What is Reputation Enabled Defense (RED)?

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    200/216

    Reputation-based HTTP anti-virus and anti-spyware prevention subscription, available for WatchGuard XTM device models only

    RED operates with the HTTP-proxy

    RED uses a cloud-based reputation server that assigns a reputation score between 1 and 100 to every URL

    The reputation score for a URL is based on AV scanning feedback and other URL reputation data collected from sources around the world.

    When a user browses to a web site, RED looks up the score for the URL

    For URLs with a good reputation score, local scanning is bypassed

    For URLs with a bad reputation score, the HTTP-proxy denies access without local scanning by Gateway AV

    For URLs with an inconclusive reputation score, local Gateway AV scanning is performed as configured

    Eliminates the need to locally scan the content of web sites that have a known good or bad reputation and improves XTM device performance

    RED Reputation Scores

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    201/216

    Reputation Scores:

    High scores indicate a bad reputation

    Low scores indicate a good reputation

    If RED has no knowledge of a URL, it assigns a score of 50.

    The reputation score assigned to a URL increases based on:

    Negative scan results for that URL

    Negative scan results for a referring link

    Negative information from other sources of malware data

    The reputation score assigned to a URL decreases based on:

    Multiple clean scans

    Recent clean scans

    RED continually updates the reputation scores for URLs based on:

    Scan results from devices around the world by two leading anti-malware engines: Kaspersky and AVG.

    Data from other leading sources of malware intelligence for the web.

    RED Reputation Thresholds and Actions

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    202/216

    The action performed by the HTTP-proxy depends on:

    The reputation score of a requested URL

    The locally configured reputation thresholds

    RED Actions:

    If score is higher than the Bad reputation threshold, Deny access

    If score is lower than the Good reputation threshold, Bypass local scanning

    Otherwise, perform local Gateway AV scanning as configured
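
The threshold rules above, together with the score of 50 given to unknown URLs, can be written out as a short decision function plus a check on a chosen threshold pair. This is an added example, not WatchGuard code: the function names, the sample URLs and scores, and the threshold values 90 and 10 are assumptions made for the illustration.

```python
UNKNOWN_SCORE = 50  # from the slides: score RED assigns to a URL it has no data on


def red_action(score: int, bad: int, good: int) -> str:
    """HTTP-proxy action for a reputation score (1-100) under the two thresholds."""
    if not (1 <= good < bad <= 100):
        raise ValueError("thresholds must satisfy 1 <= good < bad <= 100")
    if not (1 <= score <= 100):
        raise ValueError("score must be between 1 and 100")
    if score > bad:
        return "deny"          # bad reputation: denied without local scanning
    if score < good:
        return "bypass-scan"   # good reputation: local Gateway AV scan skipped
    return "local-scan"        # inconclusive, including score == a threshold


def threshold_warnings(bad: int, good: int) -> list:
    """Flag threshold pairs that take never-seen URLs out of the scanned band."""
    action = red_action(UNKNOWN_SCORE, bad, good)
    if action == "local-scan":
        return []
    return [f"unknown URLs (score {UNKNOWN_SCORE}) would get '{action}'"]


def evaluate(requests, scores, bad, good):
    """Map each requested URL to its action; URLs missing from scores are unknown."""
    return {u: red_action(scores.get(u, UNKNOWN_SCORE), bad, good) for u in requests}


# Constructed sample data; the threshold values below are illustrative assumptions.
SCORES = {
    "http://good.example/": 3,
    "http://bad.example/": 97,
    "http://edge.example/": 90,
}
REQUESTS = list(SCORES) + ["http://never-seen.example/"]

if __name__ == "__main__":
    for url, action in evaluate(REQUESTS, SCORES, bad=90, good=10).items():
        print(f"{action:12} {url}")
    print(threshold_warnings(bad=90, good=60))
```

Under the rules as stated on the slides, a Good threshold above 50 or a Bad threshold below 50 would change how URLs with no reputation data are handled, which is what `threshold_warnings` reports.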

    Enable Reputation Enabled Defense

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    203/216

    Before you enable RED:

    Your device must have a Reputation Enabled Defense feature key

    You must have configured at least one HTTP-proxy policy

    Configure Reputation Enabled Defense

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    204/216

    Enable RED for the HTTP-proxy

    Define thresholds

    Monitor RED status

    Reputation Enabled Defense and the HTTP-Proxy

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    205/216

    Based on the reputation score for a URL, the HTTP-Proxy can:

    Immediately block the URL if it has a bad reputation.

    Bypass any configured local virus scanning for a URL that has a good reputation.

    If neither of these RED actions occurs, then any locally configured virus scanning proceeds as configured.

    Reputation Enabled Defense and the HTTP-Proxy

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    206/216

    The default reputation thresholds are set to balance security with performance.

    You can change the bad and good reputation thresholds in the Advanced Settings dialog box.

    We recommend that you use the default reputation thresholds.

    Monitor Reputation Enabled Defense

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    207/216

    RED status is visible in Firebox System Manager on the Subscription Services tab.

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    208/216

    Web UI

    Explore Fireware XTM Web UI

    Learning Objectives

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    209/216

    Log in to Fireware XTM Web UI

    Change the port that the XTM device uses for the Web UI

    Discuss limitations of the Web UI

    Manage timeouts for the Web UI management sessions


    Introduction to Fireware XTM Web UI

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    210/216

    Monitor and manage any device running Fireware XTM without installing extra software

    Real-time management tool

    Easily find what you need and understand how the configuration options work

    Limitations of the Web UI

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    211/216

    Things you can do with Policy Manager, but not with the Web UI:

    View or change the configuration of a device that is a member of a FireCluster

    Add or remove static ARP entries from the device's ARP table

    Change the name of a policy

    Change the logging of default packet handling options

    Enable or disable the notification of BOVPN events

    Add a custom address to a policy

    Use Host Name (DNS lookup) to add an IP address to the From or To section of a policy

    Create a .wgx file for Mobile VPN with IPSec client configuration (You can get only the equivalent but unencrypted .ini file)

    Export certificates stored on the device, or see their details (You can only import certificates)

    Some of the logging and reporting functions provided by HostWatch, Log and Report Manager, and WSM are also not available

    Log in to the Web UI

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    212/216

    You need only a browser with support for Adobe Flash

    Real-time configuration tool, no option to store configuration changes locally and save to device later

    https://:8080

    Uses a self-signed certificate, so you must accept certificate warnings or replace the certificate with a trusted certificate

    You can change the port for the Web UI

    Log in with one of two accounts

    Status: For read-only permission; uses the status passphrase

    Admin: For read-write permission; uses the configuration passphrase

    Log in to the Web UI

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    213/216

    Multiple concurrent logins are allowed with the status account

    Only one admin account can be logged in at a time

    The last user to log in with the admin account is the only user that can make changes

    Includes changes from Policy Manager and WSM

    Log in to the Web UI

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    214/216

    The user account name appears at the top of the screen

    Navigation links are at the left side


    Conclusion

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    215/216

    This presentation provides an overview of basic Fireware XTM features.

    For more information, see these training, documentation, and support resources available in the Support section of the WatchGuard web site:

    WatchGuard System Manager Help

    Fireware XTM Web UI Help

    WatchGuard Knowledge Base

    Fireware XTM Training courseware

  • 7/16/2019 Xtm Firewall Basics Ppt v11 6

    216/216

    Thank You!
