-
7/16/2019 Xtm Firewall Basics Ppt v11 6
1/216
Firewall Basics with Fireware XTM 11.6
-
Course Introduction
Firewall Basics with Fireware XTM
-
Training Objectives
Use the basic management and monitoring components of WatchGuard
System Manager (WSM)
Configure a WatchGuard XTM 2050, 1050, 8 Series, 5 Series, 3 Series, 2
Series, or XTMv device for your network
Create basic security policies for your XTM device to enforce
Use security services to expand XTM device functionality
WatchGuard Training 3
-
Requirements
Necessary equipment and software:
Management computer
WatchGuard System Manager and Fireware XTM OS
Firewall configuration file
XTM 2 Series, 3 Series, 5 Series, 8 Series, XTM 1050, XTM 2050, or XTMv devices (optional)
Prerequisites:
Basic knowledge of TCP/IP network functions and structure
It is helpful, but not necessary, to have:
WatchGuard System Manager installed on your computer
Access to a WatchGuard XTM device
A printed copy of the instructor's notes for this presentation, or a copy of the
Fireware XTM Basics Student Guide
-
Outline
Getting Started
Work with XTM Device Configuration Files
Configure XTM Device Interfaces
Set up Logging and Notification
Use FSM to Monitor XTM Device Activity
Use NAT (Network Address Translation)
Define Basic Network Security Policies
Work with Proxy Policies
Work with SMTP and POP3 Proxies
Verify Users Identities
-
Outline
Block Unwanted Email with spamBlocker
Manage Web Traffic
Defend Your Network From Intruders
Use Gateway AntiVirus
Use Intrusion Prevention Service
Use Application Control
Use Reputation Enabled Defense
Generate Reports of Network Activity
Explore the Fireware XTM Web UI
-
Training Scenario
Fictional organization called the Successful Company
Training partners may use different examples for exercises
Try out the exercises to implement your security policy
-
Getting Started
Set Up Your Management Computer
and XTM Device
-
Learning Objectives
Use the Quick Setup Wizard to make a configuration file
Start WatchGuard System Manager
Connect to XTM devices and WatchGuard servers
Launch other WSM applications
-
Management Computer
Select a computer with Windows 7, Windows
Vista, Windows XP SP2, or Windows Server
2003 or 2008
Install WatchGuard System Manager (WSM) to
configure, manage, and monitor your device
Install Fireware XTM OS,
then use WSM to install updates
and make configuration
changes on the device
-
Server Software
When you install WSM, you have the option to install any or all of these
WatchGuard servers:
Management Server
Log Server
Report Server
WebBlocker Server
Quarantine Server
Servers can be installed on separate computers
Each server must use a supported version of Windows.
There are access requirements between the management computer, the
XTM device, and some servers.
-
Activate your XTM Device
You must have or create a WatchGuard account
You must activate the XTM device before you can fully configure it
Have your device serial number ready
-
Setup Wizards
There are two setup wizards you can use to create an initial functional
configuration file for your XTM device.
Web Setup Wizard: to start the Web Setup Wizard, in a web browser, type https://10.0.1.1:8080
Quick Setup Wizard: to start the Quick Setup Wizard, in WatchGuard System Manager, select Tools > Quick Setup Wizard.
To use either setup wizard, you must connect the management computer
to the trusted interface (eth1) of the XTM device.
The Web Setup Wizard can activate your XTM device and download the
feature key from the WatchGuard web site if you connect the external
interface (eth0) to a network with Internet access.
-
Quick Setup Wizard
Installs the Fireware XTM OS on the XTM device
Creates and uploads a basic configuration file
Assigns passphrases to
control access to the
XTM device
-
Prepare to Use the Quick Setup Wizard
Before you start, you must have:
WSM and Fireware XTM OS installed on the management computer
Network information
It is a good idea to have the feature key for your device before you start
the wizard. You can copy it from the LiveSecurity web site during registration.
-
Launch the Quick Setup Wizard
For the Quick Setup Wizard to operate correctly, you must:
Prepare the device to be discovered by the Quick Setup Wizard (QSW). The
QSW shows you how to prepare each device.
Assign a static IP address to your management computer from the same
subnet that you plan to assign to the Trusted interface of the XTM device.
Alternatively, you can get a DHCP address from the device when it is in SafeMode.
Connect the Ethernet interface of your computer to interface #1 of the device.
Launch WatchGuard System Manager (WSM) and launch the Quick Setup
Wizard from the WSM Tools menu.
-
Quick Setup Wizard Select Your Device
Choose which model of XTM device to configure.
-
Quick Setup Wizard Verify the Device Details
Verify that the model and serial number are correct.
-
Quick Setup Wizard Name Your XTM Device
The name you assign to the device in the wizard is used to:
Identify the device in WSM
Identify the device in log files
Identify the device in Log and Report Manager
-
Quick Setup Wizard Configure the External
Interface
The IP address you give to the external interface can be:
A static IP address
An IP address assigned with DHCP
An IP address assigned with PPPoE
You must also add an IP address for the device default gateway. This is the
IP address of your gateway router.
-
Quick Setup Wizard Configure Interfaces
Configure the Trusted and Optional interfaces.
Select one of these configuration options:
Mixed Routing Mode (Use these IP addresses): each interface is configured
with an IP address on a different subnet.
Drop-in Mode (Use the same IP address as the external interface): all XTM
device interfaces have the same IP address. Use drop-in mode when devices
from the same publicly addressed network are located on more than one
device interface.
-
Understand Routed Configurations
In mixed routing mode (routed configuration):
Configure each interface with an IP address on a different subnet.
Assign secondary networks on any interface.
-
Understand Drop-in Configurations
In drop-in mode:
Assign the same primary IP address to all interfaces on your device.
Assign secondary networks on any interface.
You can keep the same IP addresses and default gateways for devices on your
trusted and optional networks, and add a secondary network address to the
XTM device interface so the device can correctly send traffic to those devices.
-
Quick Setup Wizard Add a Feature Key
When you purchase additional options for your device, you must get a
new feature key to activate the new options. You can add feature keys in
the Quick Setup Wizard, or later in Policy Manager.
-
Quick Setup Wizard Set Passphrases
You define two passphrases for connections to the device
Status passphrase: read-only connections
Configuration passphrase: read-write connections
Both passphrases must be at least 8 characters long and different from
each other
-
Quick Setup Wizard Final Steps
Save a basic configuration to the device.
You are now ready to put your device in place on your network.
Remember to reset your management computer IP address.
-
WatchGuard System Manager
Start WSM
Connect to an XTM device or the Management Server
Display device status
-
Components of WSM
WSM includes a set of management and monitoring tools:
Policy Manager
Firebox System Manager
HostWatch
Log and Report Manager
CA Manager
Quarantine Server Client
To launch a tool, use the WSM Tools menu or click the tool icon
-
Firewall Basics with Fireware
Version 8.3
Administration
Work with Device Configuration Files
-
Learning Objectives
Start Policy Manager
Open and save configuration files
Configure the XTM device for remote administration
Reset XTM device passphrases
Back up and restore the XTM device configuration
Add XTM device identification information
-
What is Policy Manager?
A configuration tool that you can use to modify the settings of your XTM
device
Changes made in Policy Manager do not take effect until you save them
to the device
Launch Policy Manager from WSM:
Select a connected or managed device
Click the Policy Manager icon on the toolbar
-
Navigate Policy Manager
From the View menu, select how policies are displayed:
Details View
Icon View
-
Navigate Policy Manager
Use the menu bar to configure many device features.
-
Navigate Policy Manager
Security policies that control traffic through the device are represented by
policies.
To edit a security policy, double-click a policy name.
-
Open and Save Configuration Files
Open a file from your local drive or from an XTM device
Save configuration files to your local drive or to the XTM device
Create new configuration files in Policy Manager
New configuration files include a basic set of policies.
You can add more policies.
-
Configure Your Device for Remote Administration
Connect from home to monitor device status
Change policies remotely to respond to new threats
Make the policy as restrictive as possible for security
Edit the WatchGuard policy to enable access from an external IP address
You can also use Fireware XTM Web UI to configure a device (over TCP port 8080)
-
Change XTM Device Passphrases
Minimum of eight characters
Change frequently
Restrict their use
-
Back Up the XTM Device Images
Create and restore an encrypted backup image
Backup includes feature key and certificate information
Encryption key is required to restore an image
-
Add XTM Device Identification Information
XTM device name and model
Contact information
Time zone for log files and reports
-
Upgrade Your XTM Device
To upgrade to a new version of Fireware XTM OS:
Back up your existing device image.
Download and install the new version of Fireware XTM OS on your
management computer.
From Policy Manager, select File > Upgrade.
Browse to the location of the OS upgrade file:
C:\Program Files\Common Files\WatchGuard\Resources\Fireware XTM
Select the correct .sysa-dl file for your device:
XTM 2050: xtm2050_bc.sysa-dl
XTM 1050: xtm1050_bb.sysa-dl
XTM 8 Series: xtm8_b5.sysa-dl
XTM 5 Series: xtm5_b0.sysa-dl
XTM 330: xtm330_bd.sysa-dl
XTM 33: xtm3_aa.sysa-dl
XTM 25, 26: xtm2_a6.sysa-dl
XTM 21, 22, 23: xtm2_a0.sysa-dl
XTMv: xtmv_c5.sysa-dl
-
Network Settings
Configure XTM Device Interfaces
-
Learning Objectives
Configure external network interfaces with a static IP address, DHCP
and PPPoE
Configure a trusted and optional network interface
Use the XTM device as a DHCP server
Add WINS/DNS server locations to the device configuration
Add Dynamic DNS settings to the device configuration
Set up a secondary network or address
Understand Drop-In Mode and Bridge Mode
-
Add a Firewall to Your Network
Interfaces on separate networks
Most users have at least one external and one trusted
External: 203.0.113.2/24
Trusted Network: 10.0.1.1/24
Optional Network: 10.0.2.1/24
-
Beyond the Quick Setup Wizard
The Quick Setup Wizard configures the device with external, trusted, and
optional networks by default:
eth0 = external
eth1 = trusted
eth2 = optional
You can change the
interface assignments.
In Policy Manager,
select Network >
Configuration.
-
Network Configuration Options
Modify the properties of an interface
Change the interface type (from trusted to optional, etc.)
Add secondary networks and addresses
Enable the DHCP server
Configure additional interfaces
Configure WINS/DNS settings for the device
Add network or host routes
Configure NAT
-
Interface Independence
You can change the interface type of any interface configured with the
Quick Setup Wizard.
You can also choose the interface type of any additional interface you
enable.
-
Use a Dynamic IP Address for the External Interface
The XTM device can get a dynamic IP address for an external interface
with DHCP or PPPoE.
-
Use Dynamic DNS
Register the external IP address of the XTM device with the supported
dynamic DNS service, DynDNS.
-
Use a Static IP Address for the External Interface
The XTM device can use a static IP address given to you by your
Internet Service Provider.
-
Enable the Device DHCP Server
Can be used on a trusted or optional interface
Type the first and last IP addresses of the range for DHCP
Configure up to 6 IP address ranges
Reserve some IP addresses for specified MAC addresses
-
Configure Trusted and Optional Interfaces
1. Start with a trusted network.
2. Add an optional network for public servers.
3. As your business grows, add more trusted and optional networks.
Trusted-Main 10.0.1.1/24 (Trusted)
Public Servers 10.0.2.1/24 (Optional)
Finance 10.0.3.1/24 (Trusted)
Sales Force 10.0.4.1/24 (Optional)
Conference 10.0.5.1/24 (Optional)
-
Add WINS/DNS Servers
All devices on the trusted and optional networks can use this server
Use an internal server or an external server
Used by the XTM device for DHCP, Mobile VPN, NTP time updates, and
Subscription Service updates
-
Secondary Networks
Share one of the same physical networks as one of the device interfaces.
Add an IP alias to the interface, which is the default gateway for
computers on the secondary network.
Trusted-Main 10.0.1.1/24
Secondary 172.16.100.0/24
-
Network or Host Routes
Create static routes to send traffic from a device interface to a router
The router can then send the traffic to the correct destination from the specified
route.
If you do not specify a route to a remote network or host, all traffic to that
network or host is sent to the device default gateway.
-
Drop-In Mode and Bridge Mode
Use Drop-In Mode if you want to have the same logical network (subnet)
spread across all device interfaces.
Computers in this subnet can be on any device interface
You can add a secondary address to any device interface to use an additional
network on the interface
Use Bridge Mode when you want the device to be invisible.
You assign one IP address to the device for management connections
Bridge Mode turns the device into a transparent Layer 2 bridge
Select the interface configuration mode at Network > Configuration.
-
Logging
Set Up Logging and Notification
-
Learning Objectives
Set up a Log Server
Configure the XTM device to send messages to a Log Server
Configure logging and notification preferences
Set the Diagnostic Log Level
View log messages
-
Introduction to the Log Server
-
Log Message Types
Traffic: allowed and denied packets
Alarm: an event you configure as important that requires a log message or alert
Event: a device restart, or a VPN tunnel creation or failure
Debug: additional messages with diagnostic information to help you troubleshoot network or configuration problems
Statistic: information about the performance of the XTM device
-
60/216
Configure Logging
For log messages to be correctly stored, you must:
Install the Log Server software
Configure the Log Server
Configure the XTM device to send log messages to the Log Server
-
Install the Log Server
In the WSM installer, select to install the Log Server component
The Log Server does not have to be installed on the same computer that
you use as your
management computer
The Log Server should
be on a computer with
a static IP address
-
Configure the Log Server
Right-click the WatchGuard Server Center icon in your Windows system
tray to open WatchGuard Server Center
The Server Center Setup Wizard starts
Create an administrator passphrase
Set the log encryption key
-
Configure Log Database Settings
Open WatchGuard Server Center to configure Log Server properties.
Type the administrator passphrase.
Select Log Server to configure Log Server settings.
-
Configure Log Database Settings
Server Settings: database size and encryption key settings.
Database Maintenance: specify database backup file settings, and select
to use the built-in database or an external PostgreSQL database.
Notification: configure settings for event notification and the SMTP server.
Logging: Firebox status (which devices are currently connected to the
Log Server) and where to send log messages.
-
Configure the XTM Device to Send Log Messages
Use Policy Manager
Set the same log encryption
key that is used for the
Log Server
Backup Log Servers can be
used when the primary fails
-
Default Logging Policy
When you create a policy that allows traffic, logging is not enabled by
default
When you create a policy that denies traffic, logging is enabled by default
If denied traffic does not match a specific policy, it is logged by default
-
Set the Diagnostic Log Level
You can also configure the device to send detailed diagnostic log
messages to help you troubleshoot a specific problem.
From Policy Manager, select Setup > Logging.
-
View Log Messages
You can see log messages with two different tools:
Traffic Monitor: real-time monitoring in FSM from any computer with WSM
-
View Log Messages
Log and Report Manager: you can also use Log and Report Manager to see
any log messages stored on the Log Server. Use the search feature to
locate specific information in your log files.
-
Reports
Generate Reports of Network Activity
-
Learning Objectives
Set up and configure a Report Server
Generate and save reports at regular intervals
Generate and view reports
Change report settings
Save, print, and share reports
-
WSM Reporting Architecture
-
Configure the Report Server
Install on a Microsoft
Windows computer
Can be the same computer
as the Log Server
Configure the Report Server
from WatchGuard Server Center
Select to use the
Built-in database or
an External PostgreSQL
database
Add one or more Log Server IP addresses
Set report interval, report type, and notification preferences
-
View Reports with Log and Report Manager
Log and Report
Manager is a
web UI that is
installed with the
Report Server
Add users in WatchGuard Server Center to enable them to use
Log and Report Manager
Connect to Log and Report Manager over port 4130 to view and generate
reports
-
View Reports with Log and Report Manager
View Available Reports (scheduled reports)
Create On-Demand Reports and Per Client Reports
Launch Log and Report Manager from WSM
Save reports in PDF format
-
76/216
Monitor Your Firewall
Monitor Activity Through
the XTM Device
-
Learning Objectives
Interpret the information in the WSM display
Use Firebox System Manager to monitor device status
Change Traffic Monitor settings
Use Performance Console to visualize device performance
Use HostWatch to view network activity and block a site
Add and remove sites from the Blocked Sites list
-
WatchGuard System Manager Display
-
Firebox System Manager
Front Panel
Traffic Monitor
Bandwidth Meter
Service Watch
Status Report
Authentication List
Blocked Sites
Subscription Services
-
Traffic Monitor
View log messages
as they occur
Set custom colors
and fields
Start traceroute or Ping to source and destination IP addresses
Copy information to another application
-
Performance Console
Monitor and graph XTM device activity
Launch from Firebox System Manager
System Information: Firebox statistics, such as the number of total active
connections and CPU usage
Interfaces: total number of packets sent and received through the XTM
device interfaces
Policies: total connections, current connections, and discarded packets
VPN Peers: inbound and outbound SAs and packets
Tunnels: inbound and outbound packets, authentication errors, and replay errors
-
Use HostWatch to View Connections
Graphical display
of live connections
One-click access
to more details
on any connection
Temporarily block sites
-
Use the Blocked Sites List
View sites added
temporarily by the
device as it blocks
the source of
denied packets
Change expiration settings for temporarily blocked sites
-
NAT
Use Network Address Translation
-
Learning Objectives
Understand network address translation types
Add dynamic NAT entries
Use static NAT for public servers
-
What is Network Address Translation?
Turns one public IP address into many
Protect the map of your network
Your Network: devices and users with private IP addresses
NAT Enabled: Internet sees only one public address (an External XTM device IP address)
-
Add Firewall Dynamic NAT Entries
Most frequently used form
of NAT
Changes the outgoing source IP address to the external IP address of the
XTM device
Enabled by default for standard private network IP addresses, such as
192.168.0.0/16
-
Static NAT for Public Servers
Your Network (one external IP address, 203.0.113.2):
Web traffic: one external IP to private static IP (TCP port 80, web server 10.0.2.80)
FTP traffic: same external IP to second private static IP (TCP port 21, FTP server 10.0.2.21)
SMTP traffic: same external IP to third private static IP (TCP port 25, email server 10.0.2.25)
-
1-to-1 NAT for Public Servers
Your Network:
NetMeeting traffic: dedicated IP address on the external interface (ports 1720, 389, dynamic; NetMeeting host 10.0.2.11)
IKE traffic: second dedicated public IP address (IKE without NAT-T, 10.0.2.12)
Intel Phone (H.323) traffic: another external IP address (ports 1720, 522; Intel-Video-Phone 10.0.2.13)
-
Configure Policies
You can customize 1-to1 NAT and
Dynamic NAT settings in each
policy
The settings in Network > NAT apply unless you modify the NAT settings in
a policy
Use the Set Source IP option when you want any traffic that uses this
policy to show a specified address from your public or external IP address
range as the source IP address.
-
Configure Policies
To configure a policy to use static
NAT, click Add in the To section of
the policy, then select Add SNAT.
You can also select Setup >
Actions > SNAT to add, edit, or
delete SNAT actions.
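To make the three NAT types from the preceding slides concrete, here is an added model (example code, not WatchGuard's implementation): dynamic NAT rewrites the source of outbound traffic to the external interface address and tracks each flow so replies can be reversed, static NAT sends inbound traffic for one external IP to different internal servers by port, and 1-to-1 NAT maps a dedicated external address to one internal host on every port. The 203.0.113.2 and 10.0.2.x addresses are the slides' own; the 1-to-1 external addresses 203.0.113.11-13, the port numbering and the sample hosts are constructed.

```python
"""Simplified model of dynamic NAT, static NAT (SNAT) and 1-to-1 NAT.
Added example, not Fireware code. External addresses 203.0.113.11-13
and the dynamic port range are constructed for illustration."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Dict, Optional, Tuple

EXTERNAL_IP = ip_address("203.0.113.2")  # external interface address from the slides

# Dynamic NAT sources: Fireware enables the RFC 1918 private ranges by default.
DYNAMIC_NAT_SOURCES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Static NAT: inbound (external IP, protocol, port) -> internal server.
STATIC_NAT: Dict[Tuple[IPv4Address, str, int], IPv4Address] = {
    (EXTERNAL_IP, "tcp", 80): ip_address("10.0.2.80"),  # web server
    (EXTERNAL_IP, "tcp", 21): ip_address("10.0.2.21"),  # FTP server
    (EXTERNAL_IP, "tcp", 25): ip_address("10.0.2.25"),  # email server
}

# 1-to-1 NAT: dedicated external address <-> internal host, every port.
# The external addresses here are constructed placeholders.
ONE_TO_ONE: Dict[IPv4Address, IPv4Address] = {
    ip_address("203.0.113.11"): ip_address("10.0.2.11"),  # NetMeeting
    ip_address("203.0.113.12"): ip_address("10.0.2.12"),  # IKE without NAT-T
    ip_address("203.0.113.13"): ip_address("10.0.2.13"),  # H.323 video phone
}
ONE_TO_ONE_REVERSE = {internal: ext for ext, internal in ONE_TO_ONE.items()}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    proto: str = "tcp"


def pkt(src: str, sport: int, dst: str, dport: int, proto: str = "tcp") -> Packet:
    """Build a Packet from dotted-quad strings (constructed sample input)."""
    return Packet(ip_address(src), sport, ip_address(dst), dport, proto)


class NatTable:
    """Dynamic NAT connection table: one external port per internal flow,
    so the Internet sees only the external address and replies can be
    mapped back to the originating private host."""

    def __init__(self, first_port: int = 40000) -> None:
        self.next_port = first_port  # above the SNAT ports, so no collision
        self.outbound: Dict[Tuple[str, IPv4Address, int], int] = {}
        self.inbound: Dict[Tuple[str, int], Tuple[IPv4Address, int]] = {}

    def outbound_nat(self, p: Packet) -> Packet:
        """Rewrite a packet leaving toward the external network."""
        # 1-to-1 NAT takes precedence: the host keeps its dedicated public IP.
        if p.src in ONE_TO_ONE_REVERSE:
            return replace(p, src=ONE_TO_ONE_REVERSE[p.src])
        if not any(p.src in net for net in DYNAMIC_NAT_SOURCES):
            return p  # already a public source address: nothing to translate
        flow = (p.proto, p.src, p.sport)
        if flow not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[flow] = port
            self.inbound[(p.proto, port)] = (p.src, p.sport)
        return replace(p, src=EXTERNAL_IP, sport=self.outbound[flow])

    def inbound_nat(self, p: Packet) -> Optional[Packet]:
        """Rewrite a packet arriving on the external interface. Returns None
        when no mapping applies; the firewall policies then decide its fate."""
        if p.dst in ONE_TO_ONE:
            return replace(p, dst=ONE_TO_ONE[p.dst])
        server = STATIC_NAT.get((p.dst, p.proto, p.dport))
        if server is not None:
            return replace(p, dst=server)
        reply_to = self.inbound.get((p.proto, p.dport))
        if reply_to is not None and p.dst == EXTERNAL_IP:
            return replace(p, dst=reply_to[0], dport=reply_to[1])
        return None
```

An unsolicited inbound packet to the external address on a port with no SNAT entry returns None, which is why public servers need an explicit SNAT action or 1-to-1 mapping before a policy can deliver traffic to them.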
-
Policies
Convert Network Policy to Device
Configuration
-
Learning Objectives
Understand the difference between a packet filter policy and a proxy
policy
Add a policy to Policy Manager and configure its access rules
Create a custom packet filter policy
Set up logging and notification rules for a policy
Use advanced policy properties
Understand the function of the Outgoing policy
Understand the function of the TCP-UDP proxy
Understand the function of the WatchGuard policy
Understand how the XTM device determines policy precedence
-
What is a Policy?
A rule to limit access through the XTM device
Can be configured to allow traffic or deny traffic
Can be enabled or disabled
Applies to specific port(s) and protocols
Applies to traffic that matches From and To fields:
From: specific source hosts, subnets, or users/groups
To: specific destination hosts, subnets, or users/groups
-
Packet Filters, Proxies, and ALGs
Two types of policies:
Packet Filter: examines the IP header of each packet, and operates at the
network and transport protocol packet layers.
Proxy & ALG (Application Layer Gateway):
Proxy: examines the IP header and the content of a packet at the
application layer. If the content does not match the criteria you set in
your proxy policies, you can set the proxy to deny the packet. Some proxy
policies allow you to remove the disallowed content.
ALG: completes the same functions as a proxy, but also provides
transparent connection management.
Proxy policies and ALGs examine the commands used in the connection
to make sure they are in the correct syntax and order, and use deep
packet inspection to make sure that connections are secure.
-
Packet Filters, Proxies, and ALGs
Proxies & ALGs:
Remove all the network data
Examine the contents
Add the network data again
Send the packet to its destination
-
What are Packet Filters, Proxies, and ALGs?
Packet Filter inspects: source, destination, port(s)/protocols
Proxy & ALG inspects: packet body, attachments, RFC compliance, commands
-
Add a Policy in Policy Manager
1. Select a policy from a pre-defined list.
2. Decide if the policy allows or denies traffic.
3. Configure the source (From) and destination (To).
-
Modify Policies
To edit a policy, double-click the policy
By default, a new policy:
Is enabled and allowed
Allows traffic on the port(s) specified by
the policy
Allows traffic from any trusted network to any external destination
-
Change Policy Sources and Destinations
You can:
Select a pre-defined alias, then click Add.
Click Add User to select an authentication user or group.
Click Add Other to add a host IP address, network IP address, or host range.
-
When do I use a custom policy?
A custom policy can be either a packet filter or proxy policy.
Use a custom policy if:
None of the pre-defined policies include the specific combination of ports that
you want.
You need to create a policy that uses a protocol other than TCP or UDP.
-
Logging and Notification for Policies
When you enable logging in a policy, you can also select whether the
XTM device sends a notification message or triggers an SNMP trap.
Notification options include:
Send email to a specified address
A pop-up notification on the Log Server
-
Set Logging Rules for a Policy
The XTM device generates log messages
for many different types of activities
You enable logging for policies to specify
when log messages are generated and
sent to the Log Server
-
What is Precedence?
Precedence is used to decide which policy controls a connection when more than one policy could control that connection.
In Details view, the higher the policy appears in the list, the greater its precedence.
If two policies could apply to a connection, the policy higher in the list controls that connection.

What is Precedence?
Policies can be moved up or down in Manual Order mode to set precedence, or restored to the order assigned by Policy Manager with Auto-Order Mode.

Advanced Policy Properties
Schedules
Connection rate limits
Override NAT settings
QoS settings
ICMP error handling

Schedule Policies
Set the times of day when the policy is enabled.

Understand the Outgoing policy
The Outgoing packet filter policy is added in the default configuration.
Allows all outgoing TCP and UDP connections from trusted and optional networks to external networks.
Enables the XTM device to work out of the box, but could have security problems.
If you remove the Outgoing policy, you must add policies to allow outgoing traffic.

Understand the TCP-UDP proxy
Enables TCP and UDP protocols for outgoing traffic.
Applies proxy rules to traffic for the HTTP, HTTPS, SIP, and FTP protocols, regardless of the port numbers.
Blocks selected IM and P2P applications, regardless of port.

The WatchGuard Policy
Controls management connections to the XTM device.
By default, this policy allows only local administration of the device.
You must edit the configuration to allow remote administration.

Find Policy Tool
Fireware XTM features a utility to find policies that match the search criteria you specify.
With Find Policies, you can quickly check for policies that match user or group names, IP addresses, port numbers, and protocols.

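The precedence rule from the two "What is Precedence?" slides and the Find Policies search, as an added Python example that is not part of the WatchGuard course: policies are kept in precedence order and the first one that could apply controls the connection. The Policy and Connection shapes, the alias table and the "user:"/"group:" member notation are assumptions made for the demonstration, not the Fireware XTM configuration format.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed alias table; real aliases come from the device configuration.
# "Any-External" is simplified to "any address" for the demonstration.
ALIASES: Dict[str, List[str]] = {
    "Any-Trusted": ["10.0.0.0/8", "192.168.0.0/16"],
    "Any-External": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Policy:
    name: str
    protocol: str                   # "tcp", "udp" or "any" (TCP and UDP)
    ports: FrozenSet[int]           # empty means any port
    sources: Tuple[str, ...]        # alias, CIDR, "user:NAME" or "group:NAME"
    destinations: Tuple[str, ...]
    action: str                     # "allow" or "deny"
    enabled: bool = True


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    dport: int
    protocol: str
    user: Optional[str] = None      # authenticated user, if any
    groups: Tuple[str, ...] = ()


def member_matches(member: str, addr: str, conn: Connection) -> bool:
    """Does one From/To entry cover this address or authenticated identity?"""
    if member in ALIASES:
        return any(ip_address(addr) in ip_network(n) for n in ALIASES[member])
    if member.startswith("user:"):
        return conn.user == member[len("user:"):]
    if member.startswith("group:"):
        return member[len("group:"):] in conn.groups
    return ip_address(addr) in ip_network(member, strict=False)


def policy_matches(p: Policy, conn: Connection) -> bool:
    if not p.enabled:
        return False
    if p.protocol != "any" and p.protocol != conn.protocol:
        return False
    if p.ports and conn.dport not in p.ports:
        return False
    return (any(member_matches(m, conn.src, conn) for m in p.sources)
            and any(member_matches(m, conn.dst, conn) for m in p.destinations))


def controlling_policy(policies: List[Policy], conn: Connection) -> Optional[str]:
    """Precedence: the list is in Details-view order, highest precedence first,
    and the first policy that could apply controls the connection."""
    for p in policies:
        if policy_matches(p, conn):
            return p.name
    return None


def move_policy(policies: List[Policy], name: str, new_index: int) -> List[Policy]:
    """Manual Order mode: reposition one policy without touching the others."""
    target = next(p for p in policies if p.name == name)
    reordered = [p for p in policies if p.name != name]
    reordered.insert(new_index, target)
    return reordered


def find_policies(policies: List[Policy], ip: Optional[str] = None,
                  port: Optional[int] = None, protocol: Optional[str] = None,
                  identity: Optional[str] = None) -> List[str]:
    """Analogue of Find Policies: names of policies whose definition covers
    the given IP address, port number, protocol, or user/group name."""
    hits = []
    for p in policies:
        members = p.sources + p.destinations
        if port is not None and p.ports and port not in p.ports:
            continue
        if protocol is not None and p.protocol not in ("any", protocol):
            continue
        if identity is not None and not any(
                m in ("user:" + identity, "group:" + identity) for m in members):
            continue
        if ip is not None:
            probe = Connection(src=ip, dst=ip, dport=0, protocol="any")
            if not any(member_matches(m, ip, probe) for m in members):
                continue
        hits.append(p.name)
    return hits


# Constructed policy list in precedence order (top of Details view first).
POLICIES = [
    Policy("Sales-FTP", "tcp", frozenset({21}), ("group:Sales",), ("Any-External",), "allow"),
    Policy("Deny-FTP", "tcp", frozenset({21}), ("Any-Trusted",), ("Any-External",), "deny"),
    Policy("Outgoing", "any", frozenset(), ("Any-Trusted",), ("Any-External",), "allow"),
]
```

Moving Deny-FTP above Sales-FTP with move_policy is the Manual Order case: the same FTP connection from a Sales member is then denied, because the higher policy wins.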
Proxy Policies
Use Proxy Policies and ALGs to Protect Your Network

Learning Objectives
Understand the purpose and configuration of proxy policies and ALGs
Configure the DNS-proxy to protect a DNS server
Configure an FTP-Server proxy action
Configure an FTP-Client proxy action
Enable logging for proxy actions

What are Proxies and ALGs?
Proxy policies and ALGs (Application Layer Gateways) are powerful and highly customizable application inspection engines and content filters.
A packet filter looks at IP header information only.
A proxy or ALG looks at the content of the network data. ALGs also provide transparent connection management.

What is the DNS Proxy?
Domain Name System
Validates all DNS traffic
Blocks badly formed DNS packets
Fireware XTM includes two methods to control DNS traffic:
DNS packet filter: IP headers only
DNS-Proxy: filters content

Control Incoming Connections
Use the DNS-Incoming action as a template
You own the server
You decide who gets to connect to the server
[Diagram: DNS Proxy between your network and the DNS server]

Configuring DNS-Incoming
General
OpCodes
Query Types
Query Name
Intrusion Prevention
Proxy Alarm

Control Outgoing Connections
Use the DNS-Outgoing action as a template
Operates with Intrusion Prevention Service
Deny queries for specified domain names
[Diagram: DNS Proxy between your network and the DNS server]

Use DNS-Outgoing
Use DNS-Outgoing to block DNS requests for services, such as queries for:
POP3 servers
Advertising networks
IM applications
P2P applications

Fireware XTM Proxies
DNS
FTP
H323 and SIP (Application Layer Gateways)
HTTP and HTTPS
SMTP and POP3
TCP-UDP: applies the proxies to traffic on all TCP ports

What is a Proxy Action?
A set of rules that tell the XTM device how to apply one of the proxies to traffic of a specific type.
You can apply a proxy action to more than one policy.

Import/Export Proxy Actions
You can import and export:
Entire user-created proxy actions (not predefined proxy actions)
Rulesets
WebBlocker exceptions
spamBlocker exceptions

What is FTP?
File Transfer Protocol
Often used to move files between two locations
Client and server architecture
Fireware XTM includes two methods to control FTP traffic:
FTP packet filter: IP headers only
FTP-proxy: content and commands

FTP-Proxy
Restricts the types of commands and files that can be sent through FTP
Works with the Gateway AV Service

FTP-Client Action Rulesets
General
Commands
Download
Upload
AntiVirus
Proxy and AV alarms

Control Incoming Connections
Use the FTP-Server proxy action as a template
The FTP server must be protected by the XTM device
You decide who can connect to the FTP server
[Diagram: FTP Proxy between anybody on the Internet and your FTP server]

Define FTP-Server Action Rulesets
General
Commands
Download
Upload
AntiVirus
Proxy alarms
The same options that are available in the FTP-Client proxy action are also available in the FTP-Server proxy action. Smart defaults are used in each ruleset to protect clients (FTP-Client) and servers (FTP-Server).

Logging and Proxies
Proxy policies contain many more advanced options for logging than packet filter policies.
Each proxy category has its own check box to enable logging.
If you want detailed reports with information on packets handled by proxy policies, make sure you select the Enable logging for reports check box in each proxy action.

Email Proxies
Work with the SMTP and POP3 Proxies

Learning Objectives
Understand the SMTP and POP3 proxies
Understand the available actions for email
Control incoming email
Control outgoing email

SMTP and POP3 Proxies
Used to restrict the types and size of files sent and received in email
Operate with Gateway AV and spamBlocker

Proxy Actions Available for Email
Default actions available:
Allow: Email is allowed through your device
Lock: Email is allowed through your device; the attachment is encoded so only the XTM device administrator can open it
AV Scan: Gateway AntiVirus is used to scan the attachment
Strip: Email is allowed through your device, but the file attachment(s) are deleted
Drop: The SMTP connection is closed
Block: The SMTP connection is closed and the sender is added to the blocked sites list
Also available with Gateway AntiVirus and spamBlocker:
Quarantine: Email is stored on the Quarantine Server (only with SMTP) and is not sent to the recipient

Control Incoming Email
Use SMTP-Incoming and POP3-Server actions as a template
You decide what email you want to allow
[Diagram: SMTP Proxy between anybody on the Internet, your SMTP server, and your users]

Control Outgoing Email
Use SMTP-Outgoing or POP3-Client action as a template
You know the users
You decide what they can send
[Diagram: SMTP Proxy between your users, their email server, and anybody on the Internet]

Authentication
Verify a User's Identity

Learning Objectives
Understand authentication and how it works with the XTM device
List the types of third-party authentication servers you can use with Fireware XTM
Use Firebox authentication users and groups
Add a Firebox authentication group to a policy definition
Modify authentication timeout values
Use the XTM device to create a custom web server certificate

What is User Authentication?
Identify each user as they connect to network resources
Restrict policies by user name

WatchGuard Authentication
The user browses to the XTM device interface IP address on TCP port 4100
The XTM device presents an authentication page
The XTM device verifies that the credentials entered are correct, and allowed for the type of connection
The XTM device allows access to resources valid for that authenticated user or group

Supported Authentication Servers
Firebox
RADIUS
VASCO
SecurID
LDAP
Active Directory
Single Sign-On option

Use Firebox Authentication
To use the XTM device as an authentication server:
Make groups
Define users
Edit policies

Edit Policies for Authentication
Create users and groups
Use the user and group names in policy properties
Define From or To information

Use Third-Party Servers
Set up a third-party authentication server
Get configuration information, such as secrets and IP addresses
Make sure the authentication server can contact the XTM device

Set Global Authentication Values
Session and idle timeout values
Number of concurrent connections
Enable Single Sign-On with Active Directory authentication
Enable redirect to the authentication page if the user is not yet authenticated
After users authenticate, they are redirected to the site they originally selected.
Specify the authentication server that appears at the top of the Domain list in the Authentication Portal
Configure Terminal Services

Enable Single Sign-On
Transparent authentication, no need to open a web page
Available with Windows Active Directory
Install the SSO Agent on a Windows server with a static IP address
Install the SSO Client on all workstations (optional but highly recommended)
Install the Event Log Monitor on the domain controller
SSO Agent passes user credentials to the XTM device
Use SSO exceptions for IP addresses that cannot authenticate (computers that are not domain members, or non-Windows PCs)

Enable Terminal Services
Enables users to authenticate to your XTM device over a Terminal Server or Citrix server
Enables your XTM device to report the actual IP address of each user logged in to the device
Can use with any configured authentication method (e.g. Firebox authentication, Active Directory, RADIUS, etc.)

Fireware XTM Web Server Certificate
Why does the user get warnings from the browser?
Name on the certificate does not match the URL
Fix this problem with a custom certificate that has all of the XTM device IP addresses as possible name matches
User must still import this certificate to trusted root stores

Blocking Spam
Stop Unwanted Email with spamBlocker

Learning Objectives
Activate and configure spamBlocker
Specify the actions to take when bulk email is detected
Block or allow email messages from specified sources
Monitor spamBlocker activity
Install and configure Quarantine Server

What is spamBlocker?
Technology licensed from Commtouch to identify spam, bulk, or suspect email
No local server to install
You can install Quarantine Server, but it is not necessary for spamBlocker to work correctly.
XTM device sends information to external servers to classify email and caches the results
Operates with the SMTP and POP3 proxies
You must have an SMTP or POP3 proxy action configured to use spamBlocker

Activate spamBlocker
A feature key is required to enable spamBlocker
Use Policy Manager or FSM to add the feature key
Save the configuration to the XTM device
Run the Activate spamBlocker Wizard

Configure a Policy for spamBlocker
Use the SMTP-proxy or POP3-proxy
Choose the proxy response to spam categorization
Add exceptions

spamBlocker Actions
Spam is classified into three categories:
Spam
Bulk
Suspect
For each category, you can configure the action taken:
Allow
Add Subject Tag
Quarantine (SMTP only)
Deny (SMTP only)
Drop (SMTP only)

spamBlocker Exceptions
You can configure exceptions for specific senders or recipients by:
Email address
Domain by pattern match (*@xyz.com)

Customize spamBlocker
Use multiple SMTP or POP3 proxies

Monitor spamBlocker Activity
Status visible in Firebox System Manager
Select the Subscription Services tab

Quarantine Spam
Quarantine Server operates with spamBlocker for the SMTP-proxy only (not the POP3-proxy)
Install with server components during WSM install, or from WatchGuard Server Center

Quarantine Server Configuration
You can configure:
Database size and administrator notifications
Server settings
Length of time to keep messages
The domains for which the Quarantine Server keeps mail
Rules to automatically remove messages:
From specific senders
From specific domains
That contain specific text in the Subject field

Web Traffic
Manage Web Traffic Through Your Firewall

Learning Objectives
Control outgoing HTTP traffic
Protect your web server
Use the HTTPS-proxy
Set up WebBlocker
Select categories of web sites to block
Override WebBlocker rules for specified sites

What is the HTTP-Proxy?
Fully configurable HTTP requests and responses
Use URL paths to block complete URLs, or match a pattern you specify
Select header fields, protocol settings, and request/response methods
Allow or deny based on content types
Block the transfer of all or some attachments over port 80
Allow or deny cookies from specified domains
Enforce search engine Safe Search rules

Control Outgoing HTTP Traffic
Use the HTTP-Client proxy action as a template
You know the users
You decide where they go and what they can get access to
Enforce Safe Search rules
[Diagram: HTTP Proxy between your network and the Internet]

Settings for the HTTP-Client Proxy Action
HTTP Request
HTTP Response
Use Web Cache Server
HTTP Proxy Exceptions
WebBlocker
AntiVirus
Reputation Enabled Defense
Deny Message
Proxy and AV Alarms

Protect Your Web Server
Use the HTTP-Server proxy action template
Block malformed packets
Prevent attacks on your server
Enforce Safe Search rules
[Diagram: HTTP Proxy between the Internet and the web server on your network]

Settings for the HTTP-Server Proxy Action
HTTP Request
HTTP Response
HTTP Proxy Exceptions
WebBlocker
AntiVirus
Reputation Enabled Defense
Deny Message
Proxy and AV Alarms

When to Use the HTTPS-Proxy
HTTP on a secure, encrypted channel (SSL)
Can use Deep Packet Inspection (DPI) to examine content and re-sign the original HTTPS site certificate
OCSP can confirm the validity of the original HTTPS site certificate
Use a certificate that all clients on your network automatically trust for this purpose when possible
Can use WebBlocker to block categories of web sites
When DPI is not enabled, checks the certificate and blocks by domain name

What is WebBlocker?
Reduces malicious web content that enters the network
Blocks URLs and IP addresses that you specify
Reduces unproductive web surfing and potential liability
Blocks access to IM/P2P download sites
Blocks access to spyware sites
Helps schools to attain CIPA compliance
Regular database updates
Global URL database: English, German, Spanish, French, Italian, Dutch, Japanese, traditional Chinese, and simplified Chinese sites

Set Up WebBlocker
[Diagram: WebBlocker Server on your network, WatchGuard WebBlocker updates, and web sites]
1. WebBlocker Server gets WebBlocker database from WatchGuard
2. When a user browses, the XTM device checks the WebBlocker Server
3. If the site is allowed, the device allows the connection

The WebBlocker Database
Database created and maintained by Websense
Database updates keep the filtering rules up-to-date
Use multiple categories to allow or deny different groups of users at different times of the day

Keep the WebBlocker Database Updated
The WebBlocker Server automatically downloads an incremental update to the local WebBlocker database at midnight.
To update the database at other times, you can:
Manually trigger an incremental update in WatchGuard Server Center.
Use Windows Task Scheduler to run the updatedb.bat process, which is installed in the C:\Program Files\WatchGuard\wsm11\bin directory.

Advanced WebBlocker Settings
On the WebBlocker Configuration Advanced tab, you can control what happens if the device cannot contact the WebBlocker Server.
You can:
Allow access to all web sites
Deny access to all web sites
You can also set a password to override WebBlocker when entered on individual computers.

WebBlocker Exceptions
Add exceptions for web sites that WebBlocker denies and you want to allow (white list).
Add web sites that WebBlocker allows and you want to deny (black list).

Threat Protection
Defend Your Network From Intruders

Learning Objectives
Understand the different types of intrusion protection
Configure default packet handling to stop common attacks
Block IP addresses and ports used by hackers
Automatically block the sources of suspicious traffic

Intrusion Detection and Prevention
[Diagram: vulnerability and patch timeline, with the points where a firewall-based IPS provides protection]
Vulnerability found and exposed
Hacker builds attack that uses vulnerability
Attack launched
Attack signature developed and distributed
Vendor builds patch
Vendor distributes patch
IT admin queues patch update based on severity
IT admin installs patch
Firewall-based IPS supplies zero-day protection
Proactively blocks many threats
Ongoing protection at higher performance

Default Packet Handling
Spoofing attacks
Port and address space probes
Flood attacks
Denial of service
Options for logging and automatic blocking

Block the Source of Attacks
[Diagram: your network with a Log Server and Web Server behind the XTM device]
Remote users use valid packets to browse your web site.
Attacker runs a port space probe on your network.
XTM device blocks the probe and adds the source to the temporary list of blocked sites.
Now, even valid traffic from that address is blocked by the XTM device.

Auto-Block Sites
Each policy configured to deny traffic has a check box you can select to auto-block the source of the denied traffic.
If you select it, the source IP address of any packet denied by the policy is automatically added to the Blocked Sites List.

Use a Proxy Action to Block Sites
When you select the Block action, the IP address denied by the proxy action is automatically added to the Blocked Sites List.

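The flow on the "Block the Source of Attacks", "Auto-Block Sites" and "Use a Proxy Action to Block Sites" slides, as an added Python example that is not WatchGuard code: a temporary Blocked Sites List fed by denials from policies with auto-block enabled, consulted before any policy verdict, so that even valid traffic from an auto-blocked source is dropped until the entry expires. The one-line log format, the block duration and the addresses are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed one-line log format (not Fireware's real log syntax):
#   <epoch-seconds> <Allow|Deny> <src-ip> <dst-ip>:<dst-port> <policy-name>
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<verdict>Allow|Deny) (?P<src>[\d.]+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<policy>\S+)$")


class BlockedSites:
    """Blocked Sites List: a static (permanent) part and a temporary part
    whose entries expire after block_seconds."""

    def __init__(self, block_seconds: int, permanent: Tuple[str, ...] = ()):
        self.block_seconds = block_seconds
        self.permanent: Set[str] = set(permanent)
        self.temporary: Dict[str, int] = {}      # src ip -> expiry time

    def auto_block(self, src: str, now: int) -> None:
        """Called when a policy with auto-block enabled denies a packet."""
        self.temporary[src] = now + self.block_seconds

    def is_blocked(self, src: str, now: int) -> bool:
        if src in self.permanent:
            return True
        expiry = self.temporary.get(src)
        if expiry is None:
            return False
        if now >= expiry:                        # temporary block has lapsed
            del self.temporary[src]
            return False
        return True


def apply_blocked_sites(log_text: str, auto_block_policies: Set[str],
                        sites: BlockedSites) -> List[Tuple[int, str, str]]:
    """Replay log lines in order. The blocked-sites check runs before the
    policy verdict, so an auto-blocked source loses even its valid traffic
    until the temporary entry expires."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            raise ValueError("unparsable log line: " + line)
        ts, src, policy = int(m["ts"]), m["src"], m["policy"]
        if sites.is_blocked(src, ts):
            results.append((ts, src, "blocked-site"))
            continue
        verdict = m["verdict"].lower()
        if verdict == "deny" and policy in auto_block_policies:
            sites.auto_block(src, ts)
        results.append((ts, src, verdict))
    return results


# Constructed sample: a remote user browsing, a probing source hitting closed
# ports, and a permanently blocked address. 10.0.0.80 is the protected web server.
SAMPLE_LOG = """\
100 Allow 198.51.100.7 10.0.0.80:80 HTTP-Server
105 Deny 203.0.113.9 10.0.0.80:22 Unhandled
106 Deny 203.0.113.9 10.0.0.80:23 Unhandled
110 Allow 203.0.113.9 10.0.0.80:80 HTTP-Server
115 Allow 198.51.100.7 10.0.0.80:80 HTTP-Server
120 Allow 192.0.2.50 10.0.0.80:80 HTTP-Server
400 Allow 203.0.113.9 10.0.0.80:80 HTTP-Server
"""


def run_sample() -> List[str]:
    """Verdicts for SAMPLE_LOG with a 120-second temporary block."""
    sites = BlockedSites(block_seconds=120, permanent=("192.0.2.50",))
    # Only the policy that denies unhandled traffic has auto-block enabled.
    return [v for _, _, v in apply_blocked_sites(SAMPLE_LOG, {"Unhandled"}, sites)]
```

The line at 110 is the slide's point: the probing source's otherwise valid HTTP request is refused as a blocked site, while the remote user at 115 is unaffected; by 400 the temporary entry has expired and policy evaluation resumes.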
Block Known Attack Vectors
Protect sensitive services on your network
Get log messages
Close traffic for unwanted services
Static configuration
Add specific ports to block
Add specific IP addresses or subnets to be permanently blocked
Dynamic configuration
This feature can be enabled from many different places in Policy Manager:
Proxy actions
Default packet handling settings
Policy configuration

Signature Services
Gateway AntiVirus, Intrusion Prevention, and Application Control

Learning Objectives
Understand how signature-based security subscriptions work
Set up and configure Gateway AntiVirus
Configure proxies to use Gateway AntiVirus
Set up and configure the Intrusion Prevention Service
Set up and configure Application Control
Enable IPS and Application Control in policies

What is Gateway AV?
Signature-based antivirus subscription
The XTM device downloads signature database updates at regular, frequent intervals
Gateway AV operates with the SMTP, HTTP, FTP, POP3, and TCP-UDP proxies

Set Up Gateway AntiVirus
[Diagram: Gateway AntiVirus database updates flowing from WatchGuard to your network]
XTM device downloads the initial signature file
Gateway AV strips viruses and allows valid email or web pages to load
Device gets new signatures and updates at a regular interval

Gateway AV Wizard
Gateway AV can be enabled and configured with a wizard you launch from the Subscription Services menu
The wizard asks you to select which proxy policies you want to configure Gateway AV for

Configure the Proxy with Gateway AntiVirus
Use the HTTP and SMTP proxies to enable Gateway AV
Define actions
Define content types to scan
Monitor Gateway AV status

Gateway AV and the SMTP-Proxy
When an email attachment contains a known virus signature, the XTM device can:
Allow: Attachment passes through with no change
Lock: Attachment can only be opened by an administrator
Remove: Attachment is stripped from the email
Quarantine: Message is sent to the Quarantine Server
Drop: The connection is denied
Block: The connection is denied, and the server is added to the Blocked Sites list

Gateway AV and the HTTP-Proxy
When Gateway AV finds a known virus signature in an HTTP session, the XTM device can:
Allow: The file is allowed to pass through without changes
Drop: The HTTP connection is denied
Block: The HTTP connection is denied, and the web server is added to the Blocked Sites list

Gateway AV and the FTP-Proxy
The FTP-proxy applies Gateway AV settings to:
Downloaded files allowed in your configuration
Uploaded files allowed in your configuration

Gateway AV Settings
Select this option if you want Gateway AV to decompress file formats such as .zip or .tar
The number of levels to scan is the depth for which Gateway AV scans archive files inside archive files

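The decompression depth setting explained above, as an added Python example (not Gateway AV code): archives nested deeper than the configured number of levels are not opened, so the scanner must report that it could not inspect the content rather than call it clean. The marker string stands in for a virus signature, and Python's zipfile is used only to build the constructed test archives.

```python
import io
import zipfile

# Stands in for a virus signature; no real malware is involved.
MARKER = b"CONSTRUCTED-TEST-MARKER"


def build_nested_zip(levels: int, payload: bytes) -> bytes:
    """Wrap payload in `levels` zip archives (0 returns the payload itself)."""
    data = payload
    for depth in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("inner-%d" % (levels - depth), data)
        data = buf.getvalue()
    return data


def scan(data: bytes, max_levels: int, depth: int = 0) -> str:
    """Return 'infected', 'clean' or 'depth-exceeded'.

    max_levels plays the role of the 'number of levels to scan' setting:
    an archive found at nesting depth >= max_levels is not opened, and the
    result says so instead of reporting content it never looked into as clean.
    """
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= max_levels:
            return "depth-exceeded"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                result = scan(zf.read(name), max_levels, depth + 1)
                if result != "clean":
                    return result       # first infected or unscannable member wins
        return "clean"
    return "infected" if MARKER in data else "clean"


def scan_nested(levels: int, max_levels: int, infected: bool = True) -> str:
    """Scan a constructed sample nested `levels` archives deep."""
    payload = b"report.txt " + (MARKER if infected else b"nothing here")
    return scan(build_nested_zip(levels, payload), max_levels)
```

A "depth-exceeded" result is the case the setting leaves to the administrator: the configured depth decides how many levels are inspected, not what happens to content beyond them.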
Use Signature-Based IPS
Configure IPS to Allow, Drop, or Block connections from sources that match an IPS signature
Action is set based on the threat level of the matching signature

Use Signature-Based IPS
Configure settings globally
Enable or disable per-policy
Can scan traffic for all policies
Blocks malicious threats before they enter your network

Use Application Control
Application Control is a Subscription Service
Monitor and control hundreds of applications based on signatures
Block or allow traffic for application categories, applications, and application behaviors
When Application Control blocks HTTP content, a deny message appears in the browser
The deny message is not configurable
For HTTPS or other content types, the deny message does not appear

Use Application Control
Click Select by Category to configure actions by application category

Apply Application Control to Policies
First configure Application Control actions
On the Policies tab, select one or more policies, then select the action to apply

Enable Application Control and IPS in Policies
Application Control
Application Control is not automatically enabled for policies
For each policy, you select which Application Control action to use
To monitor the use of applications, enable logging of allowed packets in the policies that have Application Control enabled
IPS
When you enable IPS it is enabled for all policies by default
You can enable or disable IPS for each policy

Enable Automatic Signature Updates
To protect against the latest viruses and exploits, and to identify the latest applications, make sure your device is configured to get automatic updates to Gateway AntiVirus, Intrusion Prevention, and Application Control signatures at regular intervals
Update requests can be routed through a proxy server

Monitor Signature Update Status
In Firebox System Manager, select the Subscription Services tab to see the status of Gateway AV, IPS and Application Control signatures, or to manually get signature updates

Reputation Enabled Defense
Improve the Performance and Security of Web Access

Learning Objectives
Understand how Reputation Enabled Defense works
Configure Reputation Enabled Defense
Monitor Reputation Enabled Defense

What is Reputation Enabled Defense (RED)?
Reputation-based HTTP anti-virus and anti-spyware prevention subscription, available for WatchGuard XTM device models only
RED operates with the HTTP-proxy
RED uses a cloud-based reputation server that assigns a reputation score between 1 and 100 to every URL
The reputation score for a URL is based on AV scanning feedback and other URL reputation data collected from sources around the world.
When a user browses to a web site, RED looks up the score for the URL
For URLs with a good reputation score, local scanning is bypassed
For URLs with a bad reputation score, the HTTP-proxy denies access without local scanning by Gateway AV
For URLs with an inconclusive reputation score, local Gateway AV scanning is performed as configured
Eliminates the need to locally scan the content of web sites that have a known good or bad reputation and improves XTM device performance

RED Reputation Scores
Reputation Scores:
High scores indicate a bad reputation
Low scores indicate a good reputation
If RED has no knowledge of a URL, it assigns a score of 50.
The reputation score assigned to a URL increases based on:
Negative scan results for that URL
Negative scan results for a referring link
Negative information from other sources of malware data
The reputation score assigned to a URL decreases based on:
Multiple clean scans
Recent clean scans
RED continually updates the reputation scores for URLs based on:
Scan results from devices around the world by two leading anti-malware engines: Kaspersky and AVG.
Data from other leading sources of malware intelligence for the web.

RED Reputation Thresholds and Actions
The action performed by the HTTP-proxy depends on:
The reputation score of a requested URL
The locally configured reputation thresholds
RED Actions:
If score is higher than the Bad reputation threshold, deny access
If score is lower than the Good reputation threshold, bypass local scanning
Otherwise, perform local Gateway AV scanning as configured

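The RED decision from the "RED Reputation Scores" and "RED Reputation Thresholds and Actions" slides, as an added Python example that is not WatchGuard's code: unknown URLs get score 50, scores above the bad threshold are denied without a scan, scores below the good threshold bypass the local scan, and the middle band goes to Gateway AV. The thresholds, URLs, scores and the AV stand-in are constructed placeholders, not WatchGuard defaults.

```python
from typing import Callable, Dict, List, Tuple

UNKNOWN_SCORE = 50          # RED assigns 50 to a URL it has no knowledge of
SCORE_MIN, SCORE_MAX = 1, 100


def red_action(score: int, bad_threshold: int, good_threshold: int) -> str:
    """Map a reputation score to the HTTP-proxy's RED action.
    Higher scores mean a worse reputation."""
    if not SCORE_MIN <= score <= SCORE_MAX:
        raise ValueError("reputation score out of range: %r" % score)
    if good_threshold >= bad_threshold:
        raise ValueError("good threshold must lie below the bad threshold")
    if score > bad_threshold:
        return "deny"            # block immediately, no local scan
    if score < good_threshold:
        return "bypass-scan"     # trusted enough to skip Gateway AV
    return "scan"                # inconclusive: local Gateway AV as configured


def handle_requests(urls: List[str], reputation: Dict[str, int],
                    bad_threshold: int, good_threshold: int,
                    local_av_flags: Callable[[str], bool]) -> Tuple[Dict[str, str], int]:
    """Return the final verdict per URL and how many local AV scans ran.
    local_av_flags(url) stands in for Gateway AV and returns True on a hit."""
    verdicts: Dict[str, str] = {}
    scans = 0
    for url in urls:
        score = reputation.get(url, UNKNOWN_SCORE)
        action = red_action(score, bad_threshold, good_threshold)
        if action == "scan":
            scans += 1
            verdicts[url] = "deny" if local_av_flags(url) else "allow"
        else:
            verdicts[url] = "deny" if action == "deny" else "allow"
    return verdicts, scans


# Constructed reputation table and thresholds (placeholders, not WatchGuard defaults).
REPUTATION = {
    "http://bad.example/": 95,
    "http://good.example/": 10,
    "http://grey.example/": 60,
}
BAD_THRESHOLD, GOOD_THRESHOLD = 80, 20
# Constructed stand-in for Gateway AV: only the unknown URL carries a detection.
AV_HITS = {"http://unknown.example/"}


def run_sample() -> Tuple[Dict[str, str], int]:
    """Four requests: known bad, known good, inconclusive, and never seen."""
    urls = list(REPUTATION) + ["http://unknown.example/"]
    return handle_requests(urls, REPUTATION, BAD_THRESHOLD, GOOD_THRESHOLD,
                           AV_HITS.__contains__)
```

Only two of the four requests reach local scanning, which is the performance gain the slides describe; the never-seen URL lands in the middle band and is still caught by Gateway AV.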
Enable Reputation Enabled Defense
Before you enable RED:
Your device must have a Reputation Enabled Defense feature key
You must have configured at least one HTTP-proxy policy

Configure Reputation Enabled Defense
Enable RED for the HTTP-proxy
Define thresholds
Monitor RED status

Reputation Enabled Defense and the HTTP-Proxy
Based on the reputation score for a URL, the HTTP-Proxy can:
Immediately block the URL if it has a bad reputation.
Bypass any configured local virus scanning for a URL that has a good reputation.
If neither of these RED actions occur, then any locally configured virus scanning proceeds as configured.

Reputation Enabled Defense and the HTTP-Proxy
The default reputation thresholds are set to balance security with performance.
You can change the bad and good reputation thresholds in the Advanced Settings dialog box.
We recommend that you use the default reputation thresholds.

Monitor Reputation Enabled Defense
-
RED status is visible in Firebox System Manager on the Subscription Services tab.
-
Web UI
Explore Fireware XTM Web UI
Learning Objectives
-
Log in to Fireware XTM Web UI
Change the port that the XTM device uses for the Web UI
Discuss limitations of the Web UI
Manage timeouts for the Web UI management sessions
Introduction to Fireware XTM Web UI
-
Monitor and manage any device running Fireware XTM without installing extra software
Real-time management tool
Easily find what you need and understand how the configuration options work
Limitations of the Web UI
-
Things you can do with Policy Manager, but not with the Web UI:
View or change the configuration of a device that is a member of a FireCluster
Add or remove static ARP entries from the device's ARP table
Change the name of a policy
Change the logging of default packet handling options
Enable or disable the notification of BOVPN events
Add a custom address to a policy
Use Host Name (DNS lookup) to add an IP address to the From or To section of a policy
Create a .wgx file for Mobile VPN with IPSec client configuration (you can get only the equivalent but unencrypted .ini file)
Export certificates stored on the device, or see their details (you can only import certificates)
Some of the logging and reporting functions provided by HostWatch, Log and Report Manager, and WSM are also not available
Log in to the Web UI
-
You need only a browser with support for Adobe Flash
Real-time configuration tool, no option to store configuration changes locally and save to device later
https://:8080
Uses a self-signed certificate, so you must accept certificate warnings or replace the certificate with a trusted certificate
You can change the port for the Web UI
Log in with one of two accounts:
Status: read-only permission; uses the status passphrase
Admin: read-write permission; uses the configuration passphrase
Log in to the Web UI
-
Multiple concurrent logins are allowed with the status account
Only one admin account can be logged in at a time
The last user to log in with the admin account is the only user that can make changes
This includes changes made from Policy Manager and WSM
Log in to the Web UI
-
The user account name appears at the top of the screen
Navigation links are at the left side
Conclusion
-
This presentation provides an overview of basic Fireware XTM features.
For more information, see these training, documentation, and support resources available in the Support section of the WatchGuard web site:
WatchGuard System Manager Help
Fireware XTM Web UI Help
WatchGuard Knowledge Base
Fireware XTM Training courseware
-
Thank You!