WatchGuard XTMv

Setup Guide

All XTMv Editions

Copyright and Patent Information

Copyright 19982012 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, LiveSecurity, and any other mark listed as a trademark in the Terms of Use portion of the WatchGuard Web site that is used herein are either registered trademarks or trademarks of WatchGuard Technologies, Inc. and/or its subsidiaries in the United States and/or other countries. All other trademarks are the property of their respective owners. Printed in the United States of America. Revised: February 3, 2012 U.S. Patent Nos. 6,493,752; 6,597,661; D473,879. Other Patents Pending. Complete copyright, trademark, patent, and licensing information can be found in the WatchGuard product documentation. You can find this document online at: http://www.watchguard.com/help/documentation/

Notice to Users
Information in this guide is subject to change without notice. Updates to this guide are posted at: http://www.watchguard.com/help/documentation/hardware.asp Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

ABOUT WATCHGUARD
WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity. For more information, please call 206.613.6600 or visit www.watchguard.com.

ADDRESS
505 Fifth Avenue South Suite 500 Seattle, WA 98104

SUPPORT
www.watchguard.com/support U.S. and Canada +877.232.3531 All Other Countries +1.206.521.3575

SALES
U.S. and Canada +1.800.734.9905 All Other Countries +1.206.613.0895

ii

WatchGuard XTMv

XTMv Setup

WatchGuard XTM security appliances deliver unparalleled unified threat management, superior performance, ease of use, and value for your growing network. Our security subscriptions give you fully integrated protection from spyware, spam, viruses, worms, trojans, web-based exploits, and blended threats. From firewall and VPN protection to secure remote access, WatchGuard devices support a broad range of network environments. This guide introduces the WatchGuard XTMv, a security appliance that runs as a virtual machine on a VMware ESXi host.

Fireware XTM
WatchGuard XTMv supports WatchGuards next generation UTM OSFireware XTM. Each XTMv virtual machine includes Fireware XTM and delivers exceptional protection against today's sophisticated threats to make sure that your business stays connected. For more information about the features of Fireware XTM OS, see the v11.5.x Fireware XTM WatchGuard System Manager Help or Fireware XTM Web UI Help.

WatchGuard XTMv
A WatchGuard XTMv virtual machine runs on a VMware ESXi 4.1 host. You can use WatchGuard System Manager, Fireware XTM Web UI, and Command Line Interface (CLI) to manage an XTMv virtual machine, just as you manage any other WatchGuard XTM device. XTMv supports most features of Fireware XTM, except a few features that are hardware-dependent. Fireware XTM features not supported on Fireware XTMv include: o o o o FireCluster Hardware diagnostics CLIcommands Automatically save a support snapshot to a USB drive Automatically restore a saved backup image to a USB drive

XTMv Setup Guide

Installation Prerequisites

XTMv Licensing
XTMv devices are licensed in several different editions, which provide different levels of scalability and performance: o o o o Small Office Edition Medium Office Edition Large Office Edition Datacenter Edition

When you activate your XTMv device, a feature key is generated, to enable the Fireware XTM capabilities for the XTMv edition you have licensed. The feature key is installed on the XTMv virtual machine during setup. You can also use a feature key to upgrade from one XTMv edition to another. For a full description of the features and capabilities of each XTMv edition, see the Products & Services section of the WatchGuard web site at www.watchguard.com

Installation Prerequisites
You must install the XTMv virtual device in a VMware environment that meets these requirements.

VMware
To install an XTMv virtual device, you must have a VMware ESXi v4.1 host installed on any server hardware supported for ESXi v4.1. You must also install the VMware vSphere Client on a supported Windows computer. The setup procedures in this document use the vSphere Client to deploy and configure provision the XTMv virtual machine. You can also use vCenter Server v4.1 instead of the vSphere client.

Note
XTMv does not support vMotion for virtual machine migration between ESXi hosts.

Hardware
The hardware requirements for XTMv are the same as the hardware requirements for VMware ESXi v4.1. For information about VMware hardware compatibility, see the VMware Compatibility Guide at: http://www.vmware.com/resources/compatibility/search.php. Each XTMv virtual machine requires 3 GB of disk space.

WatchGuard XTMv

XTMv Installation

XTMv Installation
Before You Begin
To prepare for your installation, make sure you have these things: o VMware ESXi 4.1 host installed on a supported server platform o VMware vSphere 4.1 client installed on a Windows computer, or vCenter Server v4.1. o XTMv device serial number You receive the serial number when you purchase the XTMv virtual device. o WatchGuard XTMv virtual appliance Open Virtual Machine Format (OVF) file The file name is xtmv_<version>.ova, where <version> is the Fireware XTM version. o (optional) WatchGuard System Manager v11.5.2 or higher Download the XTMv .ovf template file and the WatchGuard System Manager software from the Articles and Software section of the WatchGuard Portal at www.watchguard.com.

Installation Overview
To complete initial installation you must perform these procedures described in the subsequent sections: 1. In the VMware vSphere 4.1 client, deploy the XTMv virtual appliance to the ESXi host and power on the XTMv virtual machine. 2. Connect to the XTMv virtual machine to run the Web Setup Wizard to set up a basic configuration. 3. Allocate additional resources to the XTMv virtual machine. This guide describes how to use the Web Setup Wizard to create your initial configuration. If WatchGuard System Manager is installed on a computer on the XTMv device trusted network, you can use the Quick Setup Wizard in WatchGuard System Manager instead of the Web Setup Wizard to discover the XTMv virtual machine and set up the basic device configuration.

Note
To activate your device in the Web Setup Wizard, you must have the device serial number. You cannot use the serial number V1C5000000000, which is the default serial number for an unactivated device.

Network Considerations
When you deploy the XTMv virtual appliance, it is initially configured with two active interfaces. External interface The external interface, Interface 0, is set up by default to request an IP address from a DHCP server. If you want to connect to this interface to do the initial device configuration, you must map this interface to a destination network that has a DHCP server. Trusted interface The trusted interface, Interface 1, has a default IP address of 10.0.1.1. When you deploy the XTMv virtual appliance to the ESXi device, you map each of these interfaces to a destination network. After you deploy the XTMv virtual machine, you can enable and configure additional XTMv network interfaces. For additional interfaces to operate, you must configure the XTMv virtual machine in the vSphere Client or vCenter Server to add the number of network adapters you want to enable in the XTMv configuration.

Setup Guide

XTMv Installation

Deploy the XTMv Virtual Appliance

You can use the vSphere Client or vCenter Server to deploy the XTMv virtual appliance (OVF template file). To use the vSphere Client: 1. Launch the vSphere Client and log in to the ESXi host with administrator credentials. 2. In the vSphere client, select File > Deploy OVF Template.

3. Browse to the location where you saved the WatchGuard XTMv OVF template file, xtmv_<version>.ova. Click Next. The XTMv OVF Template Details page appears. 4. Click Next. The End User License Agreement appears. 5. Review the End-User License Agreement. Click Accept. Click Next. The Name and Location page appears. 6. In the Name text box, type a name for this virtual device.

WatchGuard XTMv

XTMv Installation

7. Click Next. The Resource Pool page appears. If you selected a resource pool in the vSphere client inventory tree before you started to deploy the OVF template, the template is automatically deployed to the selected resource pool and you do not see this step.

8. Select a resource pool within which to deploy this template. 9. Click Next. The Disk Format page appears.

Setup Guide

XTMv Installation

10. Select the format to store the virtual disks. We recommend that you select Thick provisioned format to allocate all storage immediately. 11. Click Next. The Network Mapping page appears.

12. In the Destination Networks column, select the networks to map to Network 0 (eth0: External) and Network 1 (eth1: Trusted). 13. Click Next. The Ready to Complete page appears. 14. Review the settings. Click Back to change any settings, if necessary. 15. Click Finish to deploy the template. The virtual machine is created. This can take a few minutes.

WatchGuard XTMv

XTMv Installation

The deployed XTMv virtual machine appears in the vSphere Inventory in the selected resource pool.

Note
If you know what additional resources you want to allocate to this vitual machine, you can allocate those resources now, before you power on the virtual machine. Or you can do this step later. You do not need to do this to create a basic configuration. For more information about how to allocate additional resources, see ESXi Resource Allocation on page 12.

Power On the XTMv Virtual Machine

Next, you power on the XTMv virtual machine. When you initially power it on, the the XTMv virtual machine automatically sends a DHCP broadcast to request an IP address for the external interface. If a DHCP server is configured on the external network, the XTMv external interface receives an IP address. To power on the XTMv virtual machine: 1. In the vSphere Client Inventory tree, select the virtual device. 2. Click the Summary tab. 3. In the Commands section, select Power on. The XTMv virtual machine is powered on with factory default settings.

Setup Guide

XTMv Installation

4. After the virtual machine is powered on, the IP Addresses setting shows the IP address assigned to interface 0, if a DHCP server exists on the XTMv external network.

5. Click View all to see all assigned IP addresses.

XTMv Factory Default Settings

When you power on the XTMv virtual machine for the first time, it starts with factory default settings. o o o o The XTMv device has two active interfaces, external, and trusted. The trusted interface has the IP address 10.0.1.1. The external interface is configured to receive an IP address via DHCP. The trusted interface is not configured to assign IP addresses via DHCP. This is different than the default setting for other XTM devices. o Both the Trusted and External interfaces accept management connections. This is different than the default setting for other XTM devices. o The admin account passphrase is readwrite. o The serial number for an unactivated XTMv device is V1C5000000000. You configure the actual serial number during device activation.

Use the Web Setup Wizard to Create a Basic Configuration

The Fireware XTM Web Setup Wizard is almost the same for an XTMv virtual machine as it is for any other WatchGuard XTM device. One difference, is that for an XTMv virtual machine, you can connect to either the trusted interface or the external interface to run the Web Setup Wizard.

Note
If you do not complete all of the setup wizard steps within 15 minutes, the wizard does not save your settings, and you must log in and start again.

Use these steps to set up the basic configuration on an XTMv virtual machine. 1. Connect to the Fireware XTM Web UI on either the external or the trusted interface. Connect to the external interface If the external interface has been assigned an IP address, you can connect to that interface. From any computer on the XTMv external network, open a web browser and type this URL:
https://<External_IP_Address>:8080

For <External_IP_Address>, use the IP address you found in step 4 of the previous procedure. Connect to the trusted interface From any computer on the XTMv trusted network, open a web browser and type this URL:
https://10.0.1.1:8080

WatchGuard XTMv

XTMv Installation

2. Log in to the Fireware XTM Web UI with the default administrator account credentials. Username: admin Passphrase: readwrite 3. Click Next. The Web Setup Wizard Welcome page appears. 4. Select Create a new device configuration (this is the default). Click Next. The license agreement appears. 5. Read the license agreement. You must accept the license agreement to continue. Click Next. The external interface configuration page appears. 6. Select the method you want to use to assign yourXTMv device an external IP address. Choose one of these options: DHCP Select DHCP if you want to use DHCP to assign the IP address. This is the default. Click Next. Select Obtain an IP automatically, or select Use IP address, and type an IP address to use. Click Next. PPPoE Select PPPoE if you want to use PPPoE to assign the IP address. Click Next. Select Obtain an IP automatically, or select Use IP address, and type an IP address to use. Type th PPPoE User Name and Password. Click Next. Static Select Static if you want to assign a static IP address. Click Next. Type the IP address you want to use for the external interface, and the IP address of the gateway. Click Next. 7. On the Configure the DNS and WINS Servers page, type the Domain Name and the addresses of the DNS Servers, and WINS Servers you want the XTMv device to use. Click Next. The trusted interface configuration page appears. 8. There are two settings you can configure in the wizard for the trusted interface: IP Address Type the IP address that you want to use for the trusted network interface (interface 1). DHCP server You can optionally enable the DHCP server for the trusted interface. If you enable this, the XTMv device acts as the DHCP server for devices that connect to the virtual network for this interface. Do not enable the DHCP server on the XTMv device trusted interface If a DHCP server is already configured on that network. If you enable the DHCP server for the XTMv device trusted interface, specify the range of addresses the DHCP server can assign in the From and To text boxes. Click Next. 9. Type a passphrase for the status (read only) and admin (read/write) management accounts on the XTMv device. Click Next. 10. You can type a Device Name, Device Location, and Contact Person for this device. Only the device name is required. Click Next. 11. Select the Time Zone where the XTMv device is located. Click Next. The Online Activation page appears. 12. Online Activation is the step when you activate your XTMv device and download the feature key to enable all its functionality. Without a feature key, the device has limited functionality. The wizard provides three activation options. To activate the XTMv device, you must have the device serial number.

Setup Guide

XTMv Installation

If you have the serial number, but do not have the feature key Use Online Activation If the XTMv virtual machine has an Internet connection on the external interface, the wizard can activate the device and automatically download a feature key . To use online activation, you must provide this information: o Device Name A name to identify this device in your account on the WatchGuard web site o Serial Number The XTMv device serial number you received when you purchased the device - this is different from the default serial number, V1C5000000000, which is the serial number for an unactivated device. o User Name The user name you use to log in to the WatchGuard web site o Password The password you use to log in to the WatchGuard web site Click Next to start online activation. If you have already have the feature key Add the feature key manually If you have activated the XTMv device on the WatchGuard web site, and you have saved the feature key to a local file, you can paste the feature key into the Wizard. To add the feature key manually, select Skip Online Activation. Then select Add the feature key. Copy and paste the text from the local feature key file into the text box. Click Next. If you do not have the serial number or feature key Skip activation If you do not have the serial number or feature key, you can skip activation completely and finish the wizard. This saves your other configuration settings. If you skip activation, you must add the feature key later in the Fireware XTM Web UI or WatchGuard System Manager. Your device does not have full functionality until it has the feature key to enable the purchased feature set. To skip activation, select Skip Online Activation. Then select Skip this step. 13. Review and apply your settings. The summary page of the wizard shows the settings you chose. Click Next to apply the settings. The Setup is Complete page appears.

After the Setup Wizard Finishes

After you complete the Web Setup Wizard, the XTM virtual machine is configured with a basic configuration that allows outbound TCP, UDP, and ping traffic, and blocks all unrequested external traffic, except management connections. For an XTMv virtual machine, the default WatchGuard and WatchGuard Web UI policies allow management connections from any computer on the trusted, optional or external networks. This is different from the default configuration for other WatchGuard devices, which do not allow management connections from the external network. If you do not want to allow management connections from the external network, edit these policies, to remove the Any-External alias from the From list. To allow management from only a specific computer on the external network, you can add the address of that management computer to the From list in these policies. You can use Fireware XTM Web UI, WatchGuard System Manager, or the Fireware XTM Command Line Interface (CLI) to expand or change the configuration for your XTMv virtual machine. You can connect to either the trusted or external interface from any computer on the same network. If you changed the IP address of the interface you used to connect to the Fireware XTM Web Setup Wizard, you must use the new address to connect to manage the device.

Fireware XTM Web UI

To connect to your XTMv virtual machine with the Fireware XTM Web UI, in the web browser, type:
https://<interface_ip_address>:8080

Use the admin account and the admin passphrase you configured in the wizard.
10 WatchGuard XTMv

XTMv Installation

For more information about how to manage Fireware XTM with the Fireware XTM Web UI, see the Fireware XTM Web UI Help at: http://www.watchguard.com/help/documentation/

WatchGuard System Manager

To manage your XTMv virtual machine with WatchGuard System Manager, you must install the WatchGuard System Manager software on a Windows management computer located the XTMv external, trusted, or optional network. To connect to your XTMv virtual machine with WatchGuard System Manager: 1. In WatchGuard System Manager, select File > Connect to Device. The Connect to Firebox dialog box appears. 2. In the Name / IP Address text box, type the IP address of the XTMv interface you want to connect to. 3. Type the status passphrase you configured in the wizard. 4. Click Login. For information about how to install the WatchGuard System Manager and how to manage an XTM device with WatchGuard System Manager, see the Fireware XTM WSM Help, at http://www.watchguard.com/help/documentation/

Fireware XTM Command Line Interface (CLI)

You can manage your XTMv virtual machine with the Fireware XTM CLI, from the console in the vSphere client, or you can connect through a serial port. To use the CLI through a serial port, you must allocate a serial port to the XTMv virtual machine. You can use a physical serial port or connect over a network. To use the CLI in the console: 1. 2. 3. 4. In the vSphere Client Inventory tree, select the virtual device. Select the Summary tab. Click Open Console. Log in with the admin or status account credentials and the passphrase you configured in the wizard.

For more information about how to use the CLI to manage Fireware XTM, see the Command Line Interface Reference on the XTM Documentation page at http://www.watchguard.com/help/documentation/xtm.asp

Reset an XTMv Virtual Machine to Factory Default Settings

If you want to re-run the Web Setup wizard for an XTMv virtual machine, you can use the Fireware XTM CLI to reset the virtual machine to factory default settings. To reset the XTMv virtual machine to factory default settings, log in to the CLI with the admin account. Then use the Fireware XTM CLI command restore factory-default.

Setup Guide

11

ESXi Resource Allocation

ESXi Resource Allocation

To achieve the expected performance and scalability for each XTMv edition, we recommend that you allocate these resources to the XTMv virtual machine: Small Office Edition Virtual CPUs Memory 1 1 GB Medium Office Edition 2 2 GB Large Office Edition 4 4 GB Datacenter Edition 4 4 GB or more

You also allocate additional network adapters, up to a total of 10, that correspond to interfaces 0 - 9 in the Fireware XTM configuration.

Add Network Adapters

When you deployed the XTMv virtual appliance, you selected two networks to map to the default external and trusted XTMv network interfaces. To enable other network interfaces in the Fireware XTM network configuration, you must add network adapters to the XTMv virtual machine. All XTMv editions support a maximum of 10 network adapters. To add a network adapter: Launch the vSphere client and log in to the ESXi host with administrator credentials. In the vSphere inventory tree, right click the virtual machine. Select Power > Power Off. Right click the virtual machine, select Edit Settings. In the Hardware tab, click Add. Select Ethernet Adapter as the type of device you want to add. Click Next. From the Type drop-down list, select the type of virtual network adapter to use. The recommended type, Flexible, is selected by default. 7. From the Network label drop-down list, select the name of the virtual network to add. Click Next. 8. Review the selected options. Click Finish. Repeat these steps for each network adapter you want to add, up to a maximum of 10. 1. 2. 3. 4. 5. 6.

Configure Virtual Processors

By default, the XTMv virtual machine is allocated 1 virtual CPU. For optimal performance, configure the virtual machine to use the recommended number of CPUs for your XTMv edition. To configure CPU resources: 1. 2. 3. 4. 5. Launch the vSphere client and log in to the ESXi host with administrator credentials. In the vSphere inventory tree, right click the virtual machine. Select Power > Power Off. Right click the virtual machine, select Edit Settings. In the Hardware list select CPUs. From the Number of virtual processors drop-down list, select the number of virtual processors recommended for your XTMv edition.

12

WatchGuard XTMv

Other ESXi Configuration Options

Configure Memory Resources

By default the XTMv virtual machine is allocated 1 GB of memory. For optimal performance, configure the virtual machine to use the recommendednumber of CPUs for your XTMv edition. To configure Memory resources: 1. 2. 3. 4. 5. Launch the vSphere client and log in to the ESXi host with administrator credentials. In the vSphere inventory tree, right click the virtual machine. Select Power > Power Off. Right click the virtual machine, select Edit Settings. In the Hardware list select Memory. In the Memory Size text box, type or select the memory size recommended for your XTMv edition.

Other ESXi Configuration Options

The options in this section are necessary only if you want to use specific Fireware XTM features.

USB Drive
If you want to use a USB drive for system backup and restore, you must connect the USB drive to the server that your ESXi host is installed on. Then you must add the USB device to the XTMv virtual machine. You can add a USB drive to only one virtual device at a time. To add a USB drive to your XTMv device: 1. 2. 3. 4. 5. 6. 7. Connect a USB drive to the server that your ESXi host is installed on. Launch the vSphere client and log in to the ESXi host with administrator credentials. In the vSphere inventory tree, right click the XTMv virtual machine. Select Edit Settings. In the Hardware tab, click Add. Select USB device as the type of device you want to add. Click Next. Select the connected USB device. Click Next. Click Finish.

Serial Port
You can connect to the Fireware XTM CLI over a serial port, if you add a serial port to the XTMv virtual machine configuration. The serial port can use a physical serial port on the host, or you can connect through a network.

IPv6
If you want to enable IPv6 on an XTMv virtual machine network interface, you must enable IPv6 on the network adapter on the ESXi host. For information about IPv6 configuration in Fireware XTM, see the Fireware XTM WSM Help, or Fireware XTM WebUI Help at http://www.watchguard.com/help/documentation/

Setup Guide

13

Other ESXi Configuration Options

14

WatchGuard XTMv