
WatchGuard Training
2014 WatchGuard Technologies, Inc.
Firewall Basics with Fireware XTM 11.9
Course Introduction:
Firewall Basics with Fireware XTM
Training Objectives
Use the basic management and monitoring components of
WatchGuard System Manager (WSM)
Configure a Firebox or XTM device, or an XTMv device, that runs Fireware XTM OS v11.9 or later for your network
Create basic security policies for your Firebox or XTM device to
enforce
Use security services to expand XTM device functionality
Requirements
Necessary equipment and software:
Management computer
WatchGuard System Manager and Fireware XTM OS
Firewall configuration file
Firebox, XTM, or XTMv devices running Fireware XTM OS v11.9 or
later (optional)
Prerequisites:
Basic knowledge of TCP/IP network functions and structure
It is helpful, but not necessary, to have:
WatchGuard System Manager installed on your management
computer
Access to a Firebox or XTM device
A printed copy of the instructor's notes for this presentation, or a copy of the Fireware XTM Basics Student Guide
Outline
Product Overview
Getting Started
Work with Device Configuration Files
Configure Device Interfaces
Configure Logging
Generate Reports of Network Activity
Use FSM to Monitor XTM Device Activity
Use NAT (Network Address Translation)
Define Basic Network Security Policies
Work with Proxy Policies
Work with SMTP and POP3 Proxies
Verify Users' Identities
Outline
Block Unwanted Email with spamBlocker
Manage Web Traffic
Defend Your Network From Intruders
Use Gateway AntiVirus
Use Data Loss Prevention
Use Intrusion Prevention Service
Use Application Control
Use APT Blocker
Use Reputation Enabled Defense
Explore Fireware XTM Web UI and FireWatch
Training Scenario
Fictional organization named the Successful Company
Training partners may use different examples for exercises
Try the exercises to implement your security policy
Product Overview
Fireware OS v11.9
Fireware XTM is the robust operating system that forms the backbone of WatchGuard integrated UTM security solutions.
Advanced networking features
Zero Day protection
UTM Security Subscriptions
Available security subscriptions include:
Application Control
Intrusion Prevention Service
WebBlocker
Gateway AntiVirus
spamBlocker
Reputation Enabled Defense
Data Loss Prevention (DLP)
APT Blocker
Firebox and XTM Hardware Models
Models shown in the product range diagram: XTM 2 Series, XTM 3 Series, Firebox T10, 5 Series, 8 Series, 800 Series, XTM 1050, 1500 Series, XTM 2050, XTM 2520
Market segments labelled in the diagram: small businesses, branch offices, and wireless hotspots; midsize to large businesses; enterprise headquarters and datacenters; virtual network environments (small, medium, large, and datacenter editions)
Management Software
Three ways to manage your device:
WatchGuard System Manager
Fireware XTM Web UI
Command Line
This training focuses primarily on
WatchGuard System Manager
Getting Started:
Set Up Your Management Computer
and Firebox or XTM Device
Learning Objectives
Use the Quick Setup Wizard to make a configuration file
Start WatchGuard System Manager
Connect to Firebox or XTM devices and WatchGuard servers
Launch other WSM applications
Management Computer
Select a computer with Windows 8, Windows 7, Windows XP SP2, Windows Server 2003, 2008, or 2012, or Windows Vista
Install WatchGuard System Manager (WSM) to configure, manage, and monitor your devices
Install Fireware XTM OS, then use WSM to install updates and make configuration changes on the device
Server Software
When you install WSM, you have the option to install any or all of
these WSM servers:
Management Server
Log Server
Report Server
WebBlocker Server
Quarantine Server
Servers can be installed on separate computers
Each server must use a supported version of Windows.
There are access requirements between the management computer,
the Firebox or XTM device, and some servers.
Activate your XTM Device
You must have or create a WatchGuard account
You must activate the Firebox or XTM device before you can fully
configure it
Have your device serial number ready
Setup Wizards
There are two setup wizards you can use to create an initial
functional configuration file for your Firebox or XTM device.
Web Setup Wizard
To start the Web Setup Wizard, in a web browser, type:
https://10.0.1.1:8080
Quick Setup Wizard
To start the Quick Setup Wizard, in WatchGuard System Manager, select Tools > Quick Setup Wizard.
To use either setup wizard, you must connect the management
computer to the trusted interface (eth1) of the Firebox or XTM device.
The Web Setup Wizard can activate your Firebox or XTM device and
download the feature key from the WatchGuard web site, if you
connect the external interface (eth0) to a network with Internet
access.
Quick Setup Wizard
Installs Fireware XTM OS on the Firebox or XTM device
Creates and uploads a basic configuration file
Assigns passphrases to the default Device Management user accounts to control access to the Firebox or XTM device
Prepare to Use the Quick Setup Wizard
Before you start, you must have:
WSM and Fireware XTM OS installed on the management computer
Network information
It is a good idea to have the feature key for your device before
you start the wizard. You can copy it from the LiveSecurity web
site during registration.
Launch the Quick Setup Wizard
For the Quick Setup Wizard to operate correctly, you must:
Prepare the device to be discovered by the Quick Setup Wizard (QSW).
The QSW shows you how to prepare each device.
Assign a static IP address to your management computer from the
same subnet that you plan to assign to the Trusted interface of the
Firebox or XTM device. Alternatively, you can get a DHCP address
from the device when it is in Safe Mode.
Connect the Ethernet interface of your computer to interface #1 of
the device.
Launch WatchGuard System Manager (WSM) and launch the Quick
Setup Wizard from the WSM Tools menu.
Quick Setup Wizard: Select Your Device
Choose which model of Firebox or XTM device to configure.
Quick Setup Wizard: Verify the Device Details
Verify that the model and serial number are correct.
Quick Setup Wizard: Name Your XTM Device
The name you assign to the device in the wizard is used to:
Identify the device in WSM
Identify the device in log files
Identify the device in Log Manager and Report Manager
Quick Setup Wizard: Device Feedback
The Quick Setup Wizard enables the device to send feedback to WatchGuard by default.
If this option is enabled, the device sends feedback to WatchGuard once a day and when the device reboots.
The feedback includes information about how your device is used and any issues you encounter with your device, but does not include information about your company, or company data.
All device feedback sent to WatchGuard is encrypted.
To disable device feedback:
Clear the Send device feedback to WatchGuard check box.
You can also change this setting in the Global Settings.
Quick Setup Wizard: Configure the External Interface
The IP address you give to the external interface can be:
A static IP address
An IP address assigned with DHCP
An IP address assigned with PPPoE
You must also add an IP address for the device default gateway. This is the IP address of your gateway router.
Quick Setup Wizard: Configure Interfaces
Configure the Trusted and Optional interfaces.
Select one of these configuration options:
Mixed Routing Mode (Use these IP addresses)
Each interface is configured with an IP address on a different subnet.
Drop-in Mode (Use the same IP address as the external interface)
All XTM device interfaces have the same IP address. Use drop-in mode when devices from the same publicly addressed network are located on more than one device interface.
Understand Routed Configurations
In mixed routing mode (routed configuration):
Configure each interface with an IP address on a different subnet.
Assign secondary networks on any interface.
Understand Drop-in Configurations
In drop-in mode:
Assign the same primary IP address to all interfaces on your device.
Assign secondary networks on any interface.
You can keep the same IP addresses and default gateways for devices on your trusted and optional networks, and add a secondary network address to the Firebox or XTM device interface so the device can correctly send traffic to those devices.
Quick Setup Wizard: Add a Feature Key
When you purchase additional options for your device, you must get a new feature key to activate the new options. You can add the feature key in the Quick Setup Wizard or later in Policy Manager.
Quick Setup Wizard: Set Passphrases
Specify the passphrases for the two default user accounts to use for connections to the device:
Status passphrase
For read-only connections with the default status user account
Configuration passphrase
For read-write connections with the default admin user account
Both passphrases must be unique and include 8-32 characters
Quick Setup Wizard: Final Steps
Save a basic configuration to the device.
You are now ready to put your device in place on your network.
Remember to reset your management computer IP address.
WatchGuard System Manager
Start WSM
Connect to a Firebox or XTM device or the Management Server
Display device status
Components of WSM
WSM includes a set of management and monitoring tools:
Policy Manager
Firebox System Manager
HostWatch
Log Manager (WebCenter)
Report Manager (WebCenter)
CA Manager
Quarantine Server Client
To launch a tool, select it from the WSM Tools menu or click the
tool icon
Administration:
Work with Device Configuration Files
Learning Objectives
Start Policy Manager
Open and save configuration files
Configure the device for remote administration
Add Device Management user accounts
Change user account passphrases
Back up and restore the device configuration
Add device identification information
What is Policy Manager?
A configuration tool that you can use to modify the settings of
your Firebox or XTM device
Changes made in Policy Manager do not take effect until you save
them to the device
Launch Policy Manager from WSM
Select a connected or managed device
Click the Policy Manager icon on the toolbar
Navigate Policy Manager
From the View menu, select how policies are displayed
Details View | Large Icons View
Navigate Policy Manager
Use the menu bar to configure many device features.
Navigate Policy Manager
Security policies that control traffic through the device are
represented by policies.
To edit a security policy, double-click the policy name.
OS Compatibility Version
Policy Manager can manage devices that use different versions of
Fireware XTM OS. Each device configuration has an OS
Compatibility setting that controls which options are available for
some features.
If you use Policy Manager to open the configuration from a device, the
Fireware XTM version is automatically set based on the OS version the
device uses.
For a new configuration file, you must select the Fireware XTM
version before you can configure some features, such as network
settings and Traffic Management.
To see or set the OS Compatibility version, in Policy Manager select Setup > OS Compatibility.
To configure all of the features described in this training, you
must select 11.9 or higher.
Open and Save Configuration Files
Open a file from your local drive or from a Firebox or XTM device
Save configuration files to your local drive or to the Firebox or
XTM device
Create new configuration files in Policy Manager
New configuration files include a basic set of policies.
You can add more policies.
Configure Your Device for Remote Administration
Connect from home to monitor device status
Change policies remotely to respond to new threats
Make the policy as restrictive as possible for security
Edit the WatchGuard policy to enable access from an external
IP address
You can also use Fireware XTM Web UI to configure a device (over
TCP port 8080)
Add Device Management User Accounts
Use role-based administration on your Firebox or XTM device to
share the configuration and monitoring responsibilities among
several individuals in your organization
Run audit reports to monitor which administrators make which
changes to your device configuration
Default user accounts:
Default User Account | Default Role | Default Passphrase
admin | Device Administrator (read-write permissions) | readwrite
status | Device Monitor (read-only permissions) | readonly
wgsupport | Disabled |
Add Device Management User Accounts
Use the default user accounts for initial Device Administrator and
Device Monitor connections to the device
Enable the wgsupport user account only as directed by
WatchGuard Technical Support
Use these authentication servers for Device Management user
accounts on your device:
Firebox-DB (default user account authentication server)
Active Directory
LDAP
RADIUS
Add Device Management User Accounts
Add, edit, and remove Device Management user accounts in
Policy Manager or Fireware XTM Web UI
1. In Policy Manager, select File > Manage Users and Roles.
Add Device Management User Accounts
2. Specify the user account credentials for a user account with
Device Administrator privileges.
(The default user account credentials are admin/readwrite.)
Add Device Management User Accounts
3. Add, edit, or remove new Device Management user accounts.
You cannot delete the default user accounts (admin, status,
wgsupport)
Change User Account Passphrases
Passphrases must use 8-32 characters
Change frequently
Restrict use of the default user accounts
Use individual user accounts for all users
Back Up the Device Images
Create and restore an encrypted backup image
Backup includes feature key and certificate information
Encryption key is required to restore an image
Add Device Identification Information
Firebox or XTM device name and model
Contact information
Time zone for log files and reports
Upgrade Your Device
1. Back up your existing device image.
2. Download and install the new version of Fireware XTM OS on
your management computer.
3. From Policy Manager, select File > Upgrade.
Upgrade Your Device
4. Browse to the location of the OS upgrade file:
C:\Program Files\Common Files\WatchGuard\Resources\Fireware XTM
5. Select the correct .sysa-dl file for your device:
XTM 2500 Series: xtm800_1500_2500.sysa-dl
XTM 2050: xtm2050_bc.sysa-dl
XTM 1500 Series: xtm800_1500_2500.sysa-dl
XTM 1050: xtm1050_bb.sysa-dl
XTM 800 Series: xtm800_1500_2500.sysa-dl
XTM 8 Series: xtm8_b5.sysa-dl
XTM 5 Series: xtm5_b0.sysa-dl
XTM 330: xtm330_bd.sysa-dl
XTM 33: xtm3_aa.sysa-dl
XTM 25, 26: xtm2_a6.sysa-dl
XTMv: xtmv_c5.sysa-dl
Firebox T10: T10.sysa-dl
Network Settings:
Configure Firebox or XTM Device
Interfaces
Learning Objectives
Configure external network interfaces with a static IP address,
DHCP and PPPoE
Configure a trusted and optional network interface
Use the Firebox or XTM device as a DHCP server
Add WINS/DNS server locations to the device configuration
Add Dynamic DNS settings to the device configuration
Set up a secondary network or address
Understand Drop-In Mode and Bridge Mode
Add a Firewall to Your Network
Interfaces on separate networks
Most configurations have at least one external and one trusted
Diagram: External 203.0.113.2/24; Trusted Network 10.0.1.1/24; Optional Network 10.0.2.1/24
Beyond the Quick Setup Wizard
The Quick Setup Wizard configures the device with External, Trusted, and Optional networks by default:
eth0 = external
eth1 = trusted
eth2 = optional (only if you provide an optional interface IP address in the wizard)
You can change the interface assignments. In Policy Manager, select Network > Configuration.
Network Configuration Options
Modify the properties of an interface
Change the interface type (from trusted to optional, etc.)
Add secondary networks and addresses
Enable the DHCP server
Configure additional interfaces
Configure WINS/DNS settings for the device
Add network or host routes
Configure NAT
Interface Independence and Interface Types
You can change the interface type of any interface configured with the Quick Setup Wizard, or any other interface.
Some interface types correspond to a network security zone:
External: External interface, member of the Any-External alias
Trusted: Internal interface, member of the Any-Trusted alias
Optional: Internal interface, member of the Any-Optional alias
Custom: Internal interface, not a member of any alias by default
Other types configure the interface as a member of a virtual interface:
Bridge
VLAN
Link Aggregation
Use a Dynamic IP Address for the External Interface
The Firebox or XTM device can use DHCP or PPPoE to get a dynamic IP address.
Use Dynamic DNS
If you want to maintain a public association between a domain
name and the assigned dynamic IP address, you can register the
external IP address of the Firebox or XTM device with the
supported dynamic DNS service, DynDNS.
Use a Static IP Address for the External Interface
The Firebox or XTM device can use a static IP address given to
you by your Internet Service Provider.
Enable the Device DHCP Server
Can be used on a trusted, optional, or custom interface
Type the first and last IP addresses of the range for DHCP
Configure up to 6 IP address ranges
Reserve some IP addresses for specified MAC addresses
Configure Trusted and Optional Interfaces
1. Start with a trusted network: Trusted-Main 10.0.1.1/24
2. Add an optional network for public servers: Public Servers 10.0.2.1/24
3. As your business grows, add more trusted and optional networks: Finance 10.0.3.1/24 (Trusted), Sales Force 10.0.4.1/24 (Optional), Conference 10.0.5.1/24 (Optional)
Add WINS/DNS Servers
All devices on the trusted, optional, and custom networks can use
this server
Use an internal server or an external server
Used by the Firebox or XTM device for DHCP, Mobile VPN, NTP
time updates, and Subscription Service updates
Secondary Networks
Share one of the same physical networks as one of the device interfaces.
Add an IP alias to the interface, which is the default gateway for computers on the secondary network.
Diagram: Trusted-Main 10.0.1.1/24; Secondary 172.16.100.1 on 172.16.100.0/24
Network or Host Routes
Create static routes to send traffic from a device interface to a router
The router can then send the traffic to the correct destination from the specified route.
If you do not specify a route to a remote network or host, all traffic to that network or host is sent to the device default gateway.
Routes Table
The routes for your Firebox or XTM device appear in the Routes
section of the Status Report in Firebox System Manager.
The default route is the gateway IP address configured for the
external interface. It is used when a more specific route to a
destination is not defined.
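A longest-prefix route lookup, added here as an example (not Fireware code), over a routes table built from the deck's interface networks; it shows why a static network or host route wins over the default route, and why the default route takes everything else. The external gateway 203.0.113.1, the remote networks 192.168.50.0/24 and 192.168.60.7, and the internal routers 10.0.1.254 and 10.0.1.253 are assumed values.

```python
import ipaddress

# Constructed routes table. Directly connected networks come from the slides:
# external 203.0.113.2/24 (eth0), trusted 10.0.1.1/24 (eth1),
# optional 10.0.2.1/24 (eth2), secondary 172.16.100.1/24 on eth1.
# The static routes and the external gateway are assumptions for illustration.
ROUTES = [
    # (destination network, next-hop gateway or None if directly connected, interface)
    ("203.0.113.0/24", None, "eth0"),
    ("10.0.1.0/24", None, "eth1"),
    ("10.0.2.0/24", None, "eth2"),
    ("172.16.100.0/24", None, "eth1"),          # secondary network on the trusted interface
    ("192.168.50.0/24", "10.0.1.254", "eth1"),  # static network route via an internal router
    ("192.168.60.7/32", "10.0.1.253", "eth1"),  # static host route via a second router
    ("0.0.0.0/0", "203.0.113.1", "eth0"),       # default route: the external gateway
]


def lookup(destination):
    """Return (network, gateway, interface) for the most specific route that
    contains destination. The default route 0.0.0.0/0 matches every address,
    so it is chosen only when no longer prefix matches, as the slide states."""
    addr = ipaddress.ip_address(destination)
    if addr.version != 4:
        raise ValueError("this table holds IPv4 routes only")
    best = None
    for net, gateway, iface in ROUTES:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, iface)
    return (str(best[0]), best[1], best[2])


def next_hop(destination):
    """Where the device forwards the packet: the gateway of the chosen route,
    or the destination itself when the network is directly connected."""
    _, gateway, iface = lookup(destination)
    return (gateway if gateway is not None else destination, iface)


if __name__ == "__main__":
    for dst in ("10.0.1.50", "172.16.100.9", "192.168.50.7", "192.168.60.7",
                "192.168.60.8", "198.51.100.9"):
        print(dst, "->", lookup(dst), "next hop", next_hop(dst))
```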
Drop-In Mode and Bridge Mode
Use Drop-In Mode if you want to have the same logical network
(subnet) spread across all device interfaces.
Computers in this subnet can be on any device interface
You can add a secondary address to any device interface to use an
additional network on the interface
Use Bridge Mode when you want the device to be invisible.
You assign one IP address to the device for management connections
Bridge Mode turns the device into a transparent Layer 2 bridge
To set the interface configuration mode, select Network > Configuration.
Logging:
Set Up Logging and Notification
Learning Objectives
Set up a WSM Log Server
Configure the device to send messages to a WSM or Dimension
Log Server
Configure logging and notification preferences
Set the Diagnostic Log Level
View log messages
Introduction to the WSM Log Server
Introduction to the Dimension Log Server
Log Message Types
Traffic: Allowed and denied packets
Alarm: An event you configure as important that requires a log message or alert
Event: A device restart, or a VPN tunnel creation or failure
Debug: Additional messages with diagnostic information to help you troubleshoot network or configuration problems
Statistic: Information about the performance of the Firebox or XTM device
Configure Logging
For log messages to be correctly stored, you must:
Install the WSM Log Server software or deploy a Dimension VM
Configure the WSM or Dimension Log Server settings
Configure the Firebox or XTM device to send log messages to the WSM
or Dimension Log Server
Install the WSM Log Server
In the WSM installer, select to install the Log Server component
The Log Server does not have to be installed on the same computer that you use as your management computer
The Log Server should be on a computer with a static IP address
Configure the WSM Log Server Settings
Right-click the WatchGuard Server Center icon in your Windows
system tray to open WatchGuard Server Center.
The Server Center Setup Wizard starts.
Set the administrator passphrase.
Set the log encryption key.
Configure the WSM Log Server Settings
Open WatchGuard Server Center to configure Log Server
properties.
Type the administrator passphrase.
From the Servers tree, select Log Server to configure Log Server
settings.
Configure the WSM Log Server Settings
Server Settings: Database size and encryption key settings.
Database Maintenance: Specify database backup file settings, and select to use the Built-in database or an External PostgreSQL database.
Notification: Configure settings for event notification and the SMTP Server.
Logging: Firebox Status (which devices are currently connected to the Log Server) and where to send log messages.
Deploy the Dimension VM & Set Up Dimension
In a VMware or Hyper-V environment, deploy the Dimension VM.
VMware ESXi 5.x: Dimension OVA installation file. Use only the vSphere client to provision and install the OVA file.
Hyper-V: Dimension VHD installation file. Use Hyper-V Manager on Microsoft Server, or another Hyper-V environment, to deploy the VHD file.
Dimension must be deployed on a 64-bit platform
Use the public IP address to connect to Dimension and run the Dimension Setup Wizard, and specify these settings:
Host name for Dimension
IPv4 settings for the Eth0 interface
Log Encryption Key
Administrator passphrase
To send log messages to Dimension, specify the public IP address and the Log Encryption Key for Dimension in the device's logging settings
Configure the Device to Send Log Messages
Use Policy Manager
Set the same log encryption key that is used for the WSM or Dimension Log Server
Backup Log Servers can be used when the primary fails
Specify the port to connect to a syslog server
Default Logging Policy
When you create a policy that allows traffic, logging is not
enabled by default
When you create a policy that denies traffic, logging is enabled by
default
If denied traffic does not match a specific policy, it is logged by
default
Set the Diagnostic Log Level
You can also configure the device to send detailed diagnostic log
messages to help you troubleshoot a specific problem.
From Policy Manager, select Setup > Logging, and click Diagnostic Log Level.
View Log Messages
You can see log messages with these WSM tools:
Traffic Monitor: Real-time monitoring in FSM from any computer with WSM
View Log Messages
WebCenter Log Manager: From WatchGuard WebCenter, you can use Log Manager to see any log messages stored on the Log Server. Use the search feature to locate specific information in your log files.
View Log Messages
You can also see log messages in Dimension:
Use Log Manager to see any log messages stored on the Dimension Log Server for a specific device or group of devices.
Use the search feature to locate specific information in your log files.
Reports:
View Reports of Network Activity
Learning Objectives
Set up and configure a WSM Report Server
Generate and save reports at regular intervals
Generate and view reports
Change report settings
Save, print, and share reports
View reports in Dimension
WSM Reporting Architecture
Configure the WSM Report Server
Install on a Microsoft Windows computer
Can be the same computer as the Log Server
Configure the Report Server from WatchGuard Server Center
Select to use the Built-in database or an External PostgreSQL database
Add one or more Log Server IP addresses
Set report interval, report type, and notification preferences
View Reports with Report Manager
Report Manager is available in WatchGuard WebCenter, which is installed with the Report Server
Add users in WatchGuard Server Center to enable them to use Report Manager
View Reports with Report Manager
Connect to WatchGuard WebCenter over port 4130, and select Report Manager to view and generate reports
View Available Reports (scheduled reports)
Create On-Demand Reports and Per Client Reports
Launch Report Manager from WSM
Save reports in PDF format
View Reports in Dimension
When you send log messages to Dimension, the reports for the log messages sent to Dimension are automatically generated.
1. Connect to Dimension in a web browser at the IP address you specified for Dimension.
2. Log in with the administrator credentials you specified in the Setup Wizard.
View Reports in Dimension
3. From the Home page:
Select the Devices tab and select a device.
OR
Select the Groups tab and select a group of devices.
View Reports in Dimension
4. To view the available reports, select the Reports tab for the device or group.
5. To export a report as a PDF file, click .
6. To export a report as a CSV file, click .
The available export option depends on the type of report.
Monitor Your Firewall:
Monitor Activity Through
the Device with WSM Tools
Learning Objectives
Interpret the information in the WSM display
Use Firebox System Manager to monitor device status
Change Traffic Monitor settings
Use Performance Console to visualize device performance
Use HostWatch to view network activity and block a site
Add and remove sites from the Blocked Sites list
WatchGuard System Manager Display
Firebox System Manager
Front Panel
Traffic Monitor
Bandwidth Meter
Service Watch
Status Report
Authentication List
Blocked Sites
Subscription Services
Gateway Wireless Controller
Traffic Monitor
View log messages as they occur
Set custom colors and fields
Start traceroute or Ping to source and destination IP addresses
Copy information to another application
Performance Console
Monitor and graph XTM device activity
Launch from Firebox System Manager
System Information: Firebox statistics, such as the number of total active connections and CPU usage
Interfaces: Total number of packets sent and received through the Firebox or XTM device interfaces
Policies: Total connections, current connections, and discarded packets
VPN Peers: Inbound and outbound SAs and packets
Tunnels: Inbound and outbound packets, authentication errors, and replay errors
Use HostWatch to View Connections
Graphical display of live connections
One-click access to more details on any connection
Temporarily block sites
Use the Blocked Sites List
View sites added temporarily by the device as it blocks the source
of denied packets
Change expiration settings for temporarily blocked sites
Examine and Update Feature Keys
View the feature keys currently on your Firebox or XTM device
Add a new feature key to your Firebox or XTM device
NAT:
Use Network Address Translation
Learning Objectives
Understand network address translation types
Add dynamic NAT entries
Use static NAT for public servers
What is Network Address Translation?
Network Address Translation (NAT) is a term used to describe any of several forms of IP address and port translation.
At its most basic level, NAT changes the IP address of a packet from one value to a different value.
The primary purposes of NAT are:
to increase the number of computers that can operate off a single publicly routable IP address
to hide the private IP addresses of hosts on your LAN.
Fireware XTM supports three types of NAT:
Dynamic NAT: applies to outbound traffic
Static NAT: applies to inbound traffic
1-to-1 NAT: applies to traffic in both directions
Dynamic NAT
Changes the source IP addresses for outbound traffic to a single IP address
Protects the map of your network
Diagram: Your Network (devices and users with private IP addresses), NAT enabled; the Internet sees only one public address (the external interface IP address)
Add Firewall Dynamic NAT Entries
Most frequently used form of NAT
Changes the outgoing source IP address to the external IP address of the Firebox or XTM device
Enabled by default for standard private network IP addresses, such as 192.168.0.0/16
Static NAT for Public Servers
Changes the inbound destination IP address based on the port number.
Diagram: Your Network behind external IP 203.0.113.2
Web traffic (port 80 TCP): one external IP to private static IP 10.0.2.80 (web server)
FTP traffic (port 21 TCP): same external IP to second private static IP 10.0.2.21 (FTP server)
SMTP traffic (port 25 TCP): same external IP to third private static IP 10.0.2.25 (email server)
1-to-1 NAT for Public Servers
Translates one range of IP addresses to a different range of addresses for incoming and outgoing traffic.
Diagram: Your Network
NetMeeting traffic: dedicated IP address on the external interface; 10.0.2.11 NetMeeting (ports 1720, 389, dynamic), shown against 203.0.113.11
IKE traffic: second dedicated public IP address; 10.0.2.12 IKE (without NAT-T), shown against 203.0.113.12
Intel Phone (H.323) traffic: another external IP address; 10.0.2.13 Intel-Video-Phone (ports 1720, 522), shown against 203.0.113.13
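The three NAT types above, modelled as an added example (not WatchGuard code) in Python with the deck's addresses: the external IP 203.0.113.2, the static NAT servers 10.0.2.80, 10.0.2.21 and 10.0.2.25, and the 1-to-1 hosts from the diagram. Pairing 203.0.113.11-13 with 10.0.2.11-13 by address suffix, applying 1-to-1 mappings before dynamic NAT, and leaving out source-port rewriting are simplifications made here.

```python
import ipaddress
from dataclasses import dataclass, replace

EXTERNAL_IP = "203.0.113.2"  # external interface address used throughout the deck

# Static NAT: inbound traffic to the external IP is redirected by destination port.
STATIC_NAT = {("tcp", 80): "10.0.2.80", ("tcp", 21): "10.0.2.21", ("tcp", 25): "10.0.2.25"}

# 1-to-1 NAT: dedicated public addresses mapped to private hosts, applied in both
# directions. The pairing by address suffix is assumed from the diagram.
ONE_TO_ONE = {"203.0.113.11": "10.0.2.11", "203.0.113.12": "10.0.2.12", "203.0.113.13": "10.0.2.13"}
PRIVATE_TO_PUBLIC = {private: public for public, private in ONE_TO_ONE.items()}

# Dynamic NAT entries: outbound sources in these private ranges are rewritten to
# EXTERNAL_IP (the deck notes this is enabled by default for such ranges).
DYNAMIC_NAT = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def translate_outbound(pkt):
    """NAT for a packet leaving through the external interface.
    A host with a 1-to-1 mapping keeps its dedicated public address; any other
    private source is hidden behind the single external address (constructed
    model: source-port rewriting is omitted). Returns (packet, nat_type)."""
    if pkt.src in PRIVATE_TO_PUBLIC:
        return replace(pkt, src=PRIVATE_TO_PUBLIC[pkt.src]), "1-to-1"
    if any(ipaddress.ip_address(pkt.src) in net for net in DYNAMIC_NAT):
        return replace(pkt, src=EXTERNAL_IP), "dynamic"
    return pkt, "none"


def translate_inbound(pkt):
    """NAT for a packet arriving on the external interface.
    1-to-1 mappings are checked first, then static NAT by (protocol, port).
    Returns (packet, nat_type); the packet is None when nothing is published
    for that destination, which the firewall would then deny."""
    if pkt.dst in ONE_TO_ONE:
        return replace(pkt, dst=ONE_TO_ONE[pkt.dst]), "1-to-1"
    key = (pkt.proto, pkt.dport)
    if pkt.dst == EXTERNAL_IP and key in STATIC_NAT:
        return replace(pkt, dst=STATIC_NAT[key]), "static"
    return None, "none"


if __name__ == "__main__":
    # Constructed sample traffic; 198.51.100.5 stands in for an Internet host.
    print(translate_outbound(Packet("tcp", "10.0.1.50", 51000, "198.51.100.5", 443)))
    print(translate_outbound(Packet("udp", "10.0.2.12", 500, "198.51.100.5", 500)))
    print(translate_inbound(Packet("tcp", "198.51.100.5", 40000, "203.0.113.2", 80)))
    print(translate_inbound(Packet("tcp", "198.51.100.5", 40000, "203.0.113.2", 22)))
    print(translate_inbound(Packet("tcp", "198.51.100.5", 40000, "203.0.113.13", 1720)))
```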
Configure Policies
You can customize 1-to-1 NAT and Dynamic NAT settings in each policy
Select Network > NAT to configure the settings
The settings you specify apply unless you modify the NAT settings in a policy
Select the Set Source IP option when you want any traffic that uses this policy to show a specified address from your public or external IP address range as the source IP address.
Configure Policies
To configure a policy to use static NAT,
click Add in the To section of the policy,
then select Add SNAT.
To add, edit, or delete SNAT actions,
you can also select
Setup > Actions > SNAT.
To add an SNAT member, click Add.
Policies:
Convert Network Policy to Device
Configuration
Learning Objectives
Understand the difference between a packet filter policy and a
proxy policy
Add a policy to Policy Manager and configure its access rules
Create a custom packet filter policy
Set up logging and notification rules for a policy
Use advanced policy properties
Understand the function of the Outgoing policy
Understand the function of the TCP-UDP proxy
Understand the function of the WatchGuard policy
Understand how the Firebox or XTM device determines policy
precedence
What is a Policy?
A rule to limit access through the Firebox or XTM device
Can be configured to allow traffic or deny traffic
Can be enabled or disabled
Applies to specific port(s) and protocols
Applies to traffic that matches From and To fields:
From: Specific source hosts, subnets, or users/groups
To: Specific destination hosts, subnets, or users/groups
Packet Filters, Proxies, and ALGs
Two types of policies:
Packet Filter: Examines the IP header of each packet, and operates
at the network and transport protocol packet layers.
Proxy & ALG (Application Layer Gateway):
Proxy: Examines the IP header and the content of a packet at the
application layer. If the content does not match the criteria you set in your
proxy policies, you can set the proxy to deny the packet. Some proxy
policies allow you to remove the disallowed content.
ALG: Completes the same functions as a proxy, but also provides
transparent connection management.
Proxy policies and ALGs examine the commands used in the connection to
make sure they are in the correct syntax and order, and use deep packet
inspection to make sure that connections are secure.
Packet Filters, Proxies, and ALGs
Proxies & ALGs:
Remove all the network data
Examine the contents
Add the network data again
Send the packet to its destination
What are Packet Filters, Proxies, and ALGs?
                    Packet Filter   Proxy & ALG
Source              yes             yes
Destination         yes             yes
Port(s)/Protocols   yes             yes
Packet body                         yes
Attachments                         yes
RFC Compliance                      yes
Commands                            yes
Add a Policy in Policy Manager
1. Select a policy from a pre-defined list.
2. Decide if the policy allows or denies traffic.
3. Configure the source (From) and destination (To).
Modify Policies
To edit a policy, double-click the policy
By default, a new policy:
Is enabled and allowed
Allows traffic on the port(s) specified by
the policy
Allows traffic from any trusted network to
any external destination
Change Policy Sources and Destinations
You can:
Select a pre-defined alias, then click Add.
Click Add User to select an authentication user or group.
Click Add Other to add a host IP address, network IP address, or host
range.
When do I use a custom policy?
A custom policy can be either a packet filter or proxy policy.
Use a custom policy if:
None of the pre-defined policies include the specific combination of
ports that you want.
You need to create a policy that uses a protocol other than TCP or
UDP.
Logging and Notification for Policies
When you enable logging in a policy, you can also select whether
the Firebox or XTM device sends a notification message or
triggers an SNMP trap. Notification options include:
Send email to a specified address
A pop-up notification on the Log Server
Set Logging Rules for a Policy
The Firebox or XTM device generates log messages
for many different types of activities
You enable logging for policies to specify
when log messages are generated and
sent to the Log Server
What is Precedence?
Precedence is used to decide which policy controls a connection
when more than one policy could control that connection
In Details view, the higher the policy appears in the list, the
greater its precedence.
If two policies could apply to a connection, the policy higher in
the list controls that connection
What is Precedence?
Policies can be moved up or down in Manual Order mode to set
precedence, or restored to the order assigned by Policy Manager
with Auto-Order Mode.
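As an added example (not WatchGuard code), the following Python model shows first-match precedence: the same connection is decided differently depending on whether a deny policy sits above or below the default Outgoing policy. The trusted network 10.0.2.0/24, the alias handling and the deny policy for direct SMTP are constructed for this example.

```python
"""Added example (not WatchGuard code): a first-match model of policy
precedence, where the policy higher in the list controls the connection."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed alias data: the 10.0.2.0/24 network from the diagrams is trusted;
# anything outside a trusted network counts as external (model assumption).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.2.0/24")]


def matches_alias(ip: str, alias: str) -> bool:
    addr = ipaddress.ip_address(ip)
    trusted = any(addr in net for net in TRUSTED_NETWORKS)
    if alias == "Any-Trusted":
        return trusted
    if alias == "Any-External":
        return not trusted
    if alias == "Any":
        return True
    raise ValueError(f"unknown alias {alias}")


@dataclass
class Policy:
    name: str
    action: str               # "allow" or "deny"
    protocols: set[str]       # e.g. {"tcp", "udp"}
    ports: set[int] | None    # None means any port
    src: str                  # From alias
    dst: str                  # To alias
    enabled: bool = True

    def matches(self, proto: str, port: int, src_ip: str, dst_ip: str) -> bool:
        # A disabled policy never controls a connection.
        if not self.enabled or proto not in self.protocols:
            return False
        if self.ports is not None and port not in self.ports:
            return False
        return matches_alias(src_ip, self.src) and matches_alias(dst_ip, self.dst)


def decide(policies: list[Policy], proto: str, port: int,
           src_ip: str, dst_ip: str) -> tuple[str, str | None]:
    """Walk the list in precedence order and return (action, policy name).

    The first policy that matches controls the connection. If none matches,
    the packet is unhandled and the device denies it.
    """
    for policy in policies:
        if policy.matches(proto, port, src_ip, dst_ip):
            return policy.action, policy.name
    return "deny", None


# The default Outgoing policy described in these slides, plus a constructed
# deny policy that stops trusted hosts from sending SMTP directly to the Internet.
OUTGOING = Policy("Outgoing", "allow", {"tcp", "udp"}, None, "Any-Trusted", "Any-External")
NO_DIRECT_SMTP = Policy("Block-Direct-SMTP", "deny", {"tcp"}, {25}, "Any-Trusted", "Any-External")


if __name__ == "__main__":
    conn = ("tcp", 25, "10.0.2.50", "198.51.100.10")
    # Deny policy above Outgoing: the deny wins.
    print(decide([NO_DIRECT_SMTP, OUTGOING], *conn))
    # Outgoing moved above the deny policy: the broad allow now wins, and the
    # deny policy never sees the connection.
    print(decide([OUTGOING, NO_DIRECT_SMTP], *conn))
```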
Advanced Policy Properties
Schedules
Connection rate limits
Override NAT settings
QoS settings
ICMP error handling
Override Multi-WAN sticky connection
setting
Schedule Policies
Set the times of day when the policy is enabled
Understand the Outgoing policy
The Outgoing packet filter policy is added in the default
configuration
Allows all outgoing TCP and UDP connections from trusted and
optional networks to external networks
Enables the Firebox or XTM device to work out of the box but
could have security problems
If you remove the Outgoing policy, you must add policies to allow
outgoing traffic
Understand the TCP-UDP-Proxy
Enables TCP and UDP protocols for outgoing traffic
Applies proxy rules to traffic for the HTTP, HTTPS, SIP, and FTP
protocols, regardless of the port numbers
Blocks selected IM and P2P
applications, regardless of port
The WatchGuard Policy
Controls management connections to
the Firebox or XTM device
By default, this policy allows only
local administration of the device;
edit the configuration to
allow remote administration
Find Policy Tool
Fireware XTM includes a utility to find policies that match the
search criteria you specify
With the Find Policies tool, you can quickly locate policies that
match user or group names, IP addresses, port numbers, and protocols.
Policy Tags and Filters
Assign policy tags to policies to create policy groups
Sort the policy list by policy tag to see the policy list by policy
group
Create and save policy filters to specify which policies appear in
the policy list
Proxy Policies:
Use Proxy Policies and ALGs to Protect
Your Network
Learning Objectives
Understand the purpose and configuration of proxy policies and
ALGs
Configure the DNS-proxy to protect a DNS server
Configure an FTP-Server proxy action
Configure an FTP-Client proxy action
Enable logging for proxy actions
What are Proxies and ALGs?
Proxy policies and ALGs (Application Layer Gateway) are
powerful and highly customizable application inspection engines
and content filters.
A packet filter looks at IP header information only.
A proxy or ALG looks at the content of the network data. ALGs
also provide transparent connection management.
What is the DNS Proxy?
Domain Name System
Validates all DNS traffic
Blocks badly formed DNS packets
Fireware XTM includes two methods to control DNS traffic:
DNS packet filter: IP headers only
DNS-Proxy: filters content
Control Incoming Connections
Use the DNS-Incoming action as a template
You own the server
You decide who gets to
connect to the server
[Diagram: DNS Proxy on the device between the Internet and the DNS server on your network]
Configuring DNS-Incoming
General
OpCodes
Query Types
Query Name
Proxy Alarm
Control Outgoing Connections
Use the DNS-Outgoing action as a template
Operates with Intrusion Prevention Service
Deny queries for specified
domain names
[Diagram: DNS Proxy on the device between your network and an external DNS server]
Use DNS-Outgoing
Use DNS-Outgoing proxy action to block DNS requests for
services, such as queries for:
POP3 servers
Advertising networks
IM applications
P2P applications
Fireware XTM Proxy Policies
DNS
FTP
H323 and SIP (Application Layer Gateways)
HTTP and HTTPS
SMTP and POP3
TCP-UDP
Applies the proxies to traffic on all TCP ports
What is a Proxy Action?
A set of rules that tell the Firebox or XTM device how to apply
one of the proxies to traffic of a specific type
You can apply a proxy action to more than one proxy policy
Import & Export Proxy Actions
You can import and export:
Entire user-created proxy actions (not predefined proxy actions)
Rulesets
WebBlocker exceptions
spamBlocker exceptions
What is FTP?
File Transfer Protocol
Often used to move files between two locations
Client and server architecture
Fireware XTM includes two methods to control:
FTP packet filter: IP headers only
FTP-proxy: content and commands
FTP-Proxy
Restricts the types of commands and files that can be sent through FTP
Works with the Gateway AV Service
Works with the Data Loss Prevention Service
Works with the APT Blocker Service
FTP-Client Proxy Action Rulesets
General
Commands
Download
Upload
AntiVirus
Data Loss Prevention
Proxy and
AV alarms
APT Blocker
Control Incoming Connections
Use the FTP-Server proxy action as a template
The FTP server must be protected by the Firebox or XTM device
You decide who can connect to the FTP server
[Diagram: anybody on the Internet connects through the FTP Proxy to your FTP server]
Define FTP-Server Proxy Action Rulesets
General
Commands
Download
Upload
AntiVirus
Data Loss Prevention
Proxy and AV alarms
APT Blocker
Options available in the
FTP-Client proxy action are
also available in the
FTP-Server proxy action
Smart defaults are used in
each ruleset to protect
clients (FTP-Client) and
servers (FTP-Server)
Logging and Proxies
Proxy policies contain many more advanced options for logging than
packet filter policies
Each proxy category has its own check box to enable logging
To generate detailed reports with information on packets handled by
proxy policies, you must select the Enable logging for reports check
box in each proxy action
Email Proxies:
Work with the SMTP and POP3
Proxies
Learning Objectives
Understand the SMTP and POP3 proxies
Understand the available actions for email
Control incoming email
Control outgoing email
SMTP and POP3 Proxies
Used to restrict the types and
size of files sent and received
in email
Operate with Gateway AV
and spamBlocker
Operate with Data Loss Prevention
(SMTP-proxy only)
Operate with APT Blocker
(SMTP-proxy only)
Proxy Actions Available for Email
Default actions available:
Allow: Email is allowed through your device
Lock: Email is allowed through your device; the attachment is
encoded so only the Firebox or XTM device administrator can open it
AV Scan: Gateway AntiVirus is used to scan the attachment
Strip: Email is allowed through your device, but the file
attachment(s) are deleted
Drop: The SMTP connection is closed
Block: The SMTP connection is closed and the sender is added to
the blocked sites list
Also available with Gateway AntiVirus, spamBlocker, APT Blocker,
and Data Loss Prevention:
Quarantine: Email is stored on the Quarantine Server (only with
SMTP) and is not sent to the recipient
Control Incoming Email
Use SMTP-Incoming and POP3-Server actions as a template
You decide what email you want to allow
[Diagram: email from anybody on the Internet passes through the SMTP Proxy to your SMTP server and on to your users]
Control Outgoing Email
Use SMTP-Outgoing or POP3-Client action as a template
You know the users
You decide what they can send
[Diagram: email from your users passes through the SMTP Proxy to their email server and on to anybody on the Internet]
Authentication:
Verify a User's Identity
Learning Objectives
Understand authentication and how it works with the Firebox or
XTM device
List the types of third-party authentication servers you can use
with Fireware XTM
Use Firebox authentication users and groups
Add a Firebox authentication group to a policy definition
Modify authentication timeout values
Use the Firebox or XTM device to create a custom web server
certificate
What is User Authentication?
Identify each user as they connect to network resources
Restrict policies by user name
WatchGuard Authentication
The user browses to the Firebox or XTM device interface IP
address on TCP port 4100
The Firebox or XTM device presents an authentication page
The XTM device verifies that the credentials entered are correct,
and allowed for the type of connection
The XTM device allows access to resources valid for that
authenticated user or group
Supported Authentication Servers
Firebox
RADIUS
VASCO
SecurID
LDAP
Active Directory
Single Sign-On options
Use Firebox Authentication
To use the Firebox or XTM
device as an
authentication server:
Make groups
Define users
Edit policies
Edit Policies for Authentication
Create users
and groups
Use the user
and group names
in policy
properties
Define From or
To information
Use Third-Party Servers
Set up a third-party authentication
server
Get configuration information,
such as secrets and
IP addresses
Make sure the
authentication server
can contact
the Firebox or XTM device
Set Global Authentication Values
Session and idle timeout values
Number of concurrent connections
Enable Single Sign-On with
Active Directory authentication
Enable redirect to the
authentication page if the user
is not yet authenticated
After users authenticate, they are
redirected to the site they
originally selected.
Specify the authentication server
that appears at the top of the
Domain list in the
Authentication Portal
Configure Terminal Services
Enable Single Sign-On
Transparent authentication, no need to open a web page
Available with Windows Active Directory
Install the SSO Agent on a Windows server with a static IP
address
Install the SSO Client on all workstations (Optional)
Install the Event Log Monitor on one computer in the domain
(Clientless SSO)
SSO Agent passes user
credentials to the
XTM device
Use SSO exceptions for
IP addresses that cannot
authenticate (computers that
are not domain members, or
non-Windows PCs)
Enable Terminal Services
Enables users to authenticate
to your Firebox or XTM device
over a
Terminal Server or Citrix
server
Enables your Firebox or XTM
device to report the actual IP
address of each user logged in
to the device
Can be used with any
configured
authentication method (e.g.
Firebox authentication, Active
Directory, RADIUS, etc.)
Fireware XTM Web Server Certificate
Why does the user get warnings from
the browser?
Name on the certificate does not match
the URL
Fix this problem with a custom certificate
that has all of the Firebox or XTM device
IP addresses as possible name matches
User must still
import this
certificate to
trusted root stores
Blocking Spam:
Stop Unwanted Email with
spamBlocker
Learning Objectives
Activate and configure spamBlocker
Specify the actions to take when suspected spam email is
detected
Block or allow email messages from specified sources
Monitor spamBlocker activity
Install and configure Quarantine Server
What is spamBlocker?
Technology licensed from CYREN (formerly Commtouch) to
identify spam, bulk, or suspect email
No local server to install
You can install Quarantine Server, but it is not necessary for spamBlocker
to work correctly.
XTM device sends information to external servers to classify email
and caches the results
Operates with the SMTP and POP3 proxies
You must have an SMTP or POP3 proxy action configured to use
spamBlocker
Activate spamBlocker
A feature key is required to enable spamBlocker
Use Policy Manager or FSM to add the feature key
Save the configuration to the Firebox or XTM device
Run the Activate spamBlocker Wizard
Configure a Policy for spamBlocker
Use the SMTP-proxy
or POP3-proxy
Choose the proxy
response to spam
categorization
Add exceptions
spamBlocker Actions
Spam is classified into three categories:
Spam
Bulk
Suspect
For each category, you can configure the action taken:
Allow
Add Subject Tag
Quarantine (SMTP only)
Deny (SMTP only)
Drop (SMTP only)
spamBlocker Exceptions
You can configure
exceptions for specific
senders or recipients by:
Email address
Domain by pattern
match (*@xyz.com)
Customize spamBlocker
Use multiple SMTP or POP3 proxies
Monitor spamBlocker Activity
Status visible in
Firebox System
Manager
Select the Subscription
Services tab
Quarantine Spam
Quarantine Server operates with spamBlocker for the SMTP-proxy only
(not the POP3-proxy)
Install with server components during WSM install, or from
WatchGuard Server Center
Quarantine Server Configuration
You can configure:
Database size and administrator notifications
Server settings
Length of time to keep messages
The domains for which the Quarantine Server keeps mail
Rules to automatically remove messages:
From specific senders
From specific domains
That contain specific text in the Subject field
Web Traffic:
Manage Web Traffic Through Your
Firewall
Learning Objectives
Control outgoing HTTP traffic
Protect your web server
Use the HTTPS-proxy
Set up WebBlocker
Select categories of web sites to block
Override WebBlocker rules for specified sites
What is the HTTP-Proxy?
Fully configurable
HTTP requests and responses
Use URL paths to block complete URLs, or match a pattern you
specify
Select header fields, protocol settings, and request/response
methods
Allow or deny based on content types
Block the transfer of all or some attachments over port 80
Allow or deny cookies from specified domains
Enforce search engine Safe Search rules
Control Outgoing HTTP Traffic
Use the HTTP-Client proxy action as a template
You know the users
You decide where they go and what they can get access to
Enforce Safe Search rules
[Diagram: HTTP Proxy on the device between your network and the Internet]
Settings for the HTTP-Client Proxy Action
HTTP Request
HTTP Response
Use Web Cache Server
HTTP Proxy Exceptions
Data Loss Prevention
WebBlocker
AntiVirus
Reputation Enabled
Defense
Deny Message
Proxy and AV Alarms
APT Blocker
Protect Your Web Server
Use the HTTP-Server proxy action template
Block malformed packets
Prevent attacks on your server
Enforce Safe Search rules
[Diagram: HTTP Proxy on the device in front of the web server on your network]
Settings for the HTTP-Server Proxy Action
HTTP Request
HTTP Response
HTTP Proxy Exceptions
Data Loss Prevention
WebBlocker
AntiVirus
Reputation Enabled
Defense
Deny Message
Proxy and AV Alarms
APT Blocker
When to Use the HTTPS-Proxy
HTTP on a secure, encrypted channel (SSL)
Can use Deep Packet Inspection (DPI) to examine content and
re-sign the original HTTPS site certificate
OCSP can confirm the validity of the original HTTPS site
certificate
Use a certificate that all clients on your network automatically
trust for this purpose when possible
Can use WebBlocker to block categories of web sites
When DPI is not enabled, checks the certificate and blocks by
domain name
What is WebBlocker?
Reduces malicious web content that enters the network
Blocks URLs and IP addresses that you specify
Reduces unproductive web surfing and potential liability
Blocks access to IM/P2P download sites
Blocks access to spyware sites
Helps schools to attain CIPA compliance
Two database options
Global URL database: English, German, Spanish, French, Italian,
Dutch, Japanese, traditional Chinese, and simplified Chinese sites
WebBlocker Server Options
Websense cloud
Uses a cloud-based URL categorization database with over 100
content categories, provided by Websense
Does not use a locally installed WebBlocker Server
URL categorization queries are sent over HTTP
WebBlocker Server
Uses a WatchGuard WebBlocker Server with 54 categories, provided
by SurfControl
Usually requires a locally installed WebBlocker Server
XTM 2 Series and XTM 33 can use a WebBlocker Server hosted by
WatchGuard
URL categorization queries are sent over UDP 5003
The WebBlocker Database
Database updates keep the
filtering rules up-to-date
Use multiple categories to
allow or deny different groups
of users at different times of
the day
WebBlocker Content Categories
The available categories depend on which type of server you
choose.
Websense cloud: 100+ categories
WebBlocker Server: 54 categories
WebBlocker Server with Websense Cloud
[Diagram: your network, the Websense Cloud, and the web sites users browse to]
1. When a user browses, the Firebox or XTM device checks the Websense cloud
2. If the site is not in a blocked category, the device allows the connection
WebBlocker Server with Local WebBlocker Server
[Diagram: a WebBlocker Server on your network receives WebBlocker updates from WatchGuard; the device queries it before allowing a connection to a web site]
1. WebBlocker Server gets WebBlocker database from WatchGuard.
2. When a user browses, the Firebox or XTM device checks the WebBlocker Server.
3. If the site is not in a blocked category, the device allows the connection.
Keep the WebBlocker Database Updated
The locally installed WebBlocker Server automatically downloads
an incremental update to the local WebBlocker database at midnight.
To update the database at other times, you can:
Manually trigger an incremental update in WatchGuard Server Center.
Use Windows Task Scheduler to run the updatedb.bat process,
which is installed in the C:\Program Files\WatchGuard\wsm11\bin
directory.
Advanced WebBlocker Settings
On the WebBlocker
Configuration Advanced
tab, you can control what
happens if the device cannot
contact the WebBlocker Server.
You can:
Allow access to all web sites
Deny access to all web sites
You can also set a password that, when entered on individual
computers, overrides WebBlocker.
WebBlocker Exceptions
Add exceptions for web sites that
WebBlocker denies and you want
to allow (white list).
Add web sites that WebBlocker
allows and you want to deny
(black list).
Threat Protection:
Defend Your Network From Intruders
Learning Objectives
Understand the different types of intrusion protection
Configure default packet handling to stop common attacks
Block IP addresses and ports used by hackers
Automatically block the sources of suspicious traffic
Intrusion Detection and Prevention
[Diagram: timeline from vulnerability disclosure to patch installation, with firewall-based IPS protection shown alongside]
Vulnerability and patch timeline:
Vulnerability found and exposed
Hacker builds attack that uses vulnerability
Attack launched
Vendor builds patch
Vendor distributes patch
IT admin queues patch update based on severity
IT admin installs patch
IPS timeline:
Firewall-based IPS supplies zero-day protection
Attack signature developed and distributed
Proactively blocks many threats
Ongoing protection at higher performance
Default Packet Handling
Spoofing attacks
Port and address
space probes
Flood attacks
Denial of service
Options for logging
and automatic
blocking
Block the Source of Attacks
[Diagram: your network with a web server and a Log Server behind the XTM device]
1. Remote users use valid packets to browse your web site.
2. Attacker runs a port space probe on your network.
3. XTM device blocks the probe and adds the IP address of the source
(the attacker) to the temporary list of blocked sites.
4. Now, even valid traffic from the attacker's IP address is blocked by
the Firebox or XTM device.
Auto-Block Sites
Each policy configured to deny traffic has a check box you can
select to auto-block the source of the denied traffic.
If you select it, the source IP address of
any packet denied
by the policy is
automatically
added to the
Blocked Sites List.
Use a Proxy Action to Block Sites
When you select the Block action, the IP address denied by the
proxy action is automatically added to the Blocked Sites List.
Block Known Attack Vectors
Protect sensitive services on your network
Get log messages
Close traffic for unwanted services
Static configuration
Add specific ports to block
Add specific IP addresses or subnets
to be permanently blocked
Dynamic configuration
This feature can be enabled from many
different places in Policy Manager:
Proxy actions
Default packet handling settings
Policy configuration
Signature Services:
Gateway AntiVirus, Data Loss
Prevention, Intrusion Prevention, and
Application Control
Learning Objectives
Understand how signature-based security subscriptions work
Set up and configure Gateway AntiVirus
Configure proxies to use Gateway AntiVirus
Set up and configure Data Loss Prevention
Set up and configure the Intrusion Prevention Service
Set up and configure Application Control
Enable IPS and Application Control in policies
What is Gateway AV?
Signature-based antivirus subscription
The Firebox or XTM device downloads signature database updates
at regular, frequent intervals
Gateway AV operates with the SMTP, HTTP, FTP, POP3, and
TCP-UDP proxies
Set Up Gateway AntiVirus
[Diagram: Gateway AntiVirus database updates flow from WatchGuard to the XTM device on your network]
1. XTM device downloads the initial signature file
2. Device gets new signatures and updates at a regular interval
3. Gateway AV strips viruses and allows valid email or web pages to load
Gateway AV Wizard
Gateway AntiVirus can be enabled and configured with the
wizard that you launch from the Subscription Services menu
In the wizard, you select the proxy policies to include in the
Gateway AV configuration
Configure the Proxy with Gateway AntiVirus
Use the HTTP-proxy
and SMTP-proxy
to enable
Gateway AV
Define actions
Define content
types to scan
Monitor Gateway
AV status
Gateway AV and the SMTP-Proxy
When an email attachment contains a known virus signature, the
Firebox or XTM device can take one of these actions:
Allow: Attachment passes through with no change
Lock: Attachment can only be opened by an administrator
Remove: Attachment is stripped from the email
Quarantine: Message is sent to the Quarantine Server
Drop: The connection is denied
Block: The connection is denied, and the server is added to the
Blocked Sites List
Gateway AV and the HTTP-Proxy
When Gateway AV finds a known virus signature in an HTTP
session, the Firebox or XTM device can:
Allow: The file is allowed to pass through without changes
Drop: The HTTP connection is denied
Block: The HTTP connection is denied, and the web server is added
to the Blocked Sites List
Gateway AV and the FTP-Proxy
The FTP-proxy applies Gateway AV settings to:
Downloaded files allowed in your configuration
Uploaded files allowed in your configuration
Gateway AV Settings
Select this option if you want Gateway AV to decompress file
formats such as .zip or .tar
The number of levels to scan is the depth to which Gateway AV
scans archive files inside archive files
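As an added example (not WatchGuard code), the following Python model shows how the decompress option and the number-of-levels setting decide whether content inside nested archives is inspected, using in-memory ZIP files and a constructed marker string in place of a real virus signature. The "not_scanned" result stands for content Gateway AV could not inspect, to which the administrator's configured action for unscannable content then applies.

```python
"""Added example (not WatchGuard code): archive-depth handling for a
signature scanner, with an in-memory nested ZIP and a constructed marker."""
import io
import zipfile

# Constructed marker standing in for a signature; any file containing it is "infected".
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"


def build_nested_zip(depth: int, payload: bytes, name: str = "doc.txt") -> bytes:
    """Return a ZIP nested `depth` levels deep whose innermost file holds payload."""
    data = payload
    member = name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member, data)
        data = buf.getvalue()
        member = f"level{depth - level}.zip"
    return data


def scan_archive(data: bytes, levels: int, current: int = 1) -> str:
    """Scan archive `data`, which sits at nesting level `current`.

    `levels` models the "number of levels to scan" setting: an archive nested
    deeper than `levels` is not opened and yields "not_scanned", so the
    action configured for unscannable content applies instead of a clean
    verdict. Returns "infected", "not_scanned", or "clean".
    """
    if current > levels:
        return "not_scanned"
    worst = "clean"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(content)):
                result = scan_archive(content, levels, current + 1)
            else:
                result = "infected" if SIGNATURE in content else "clean"
            if result == "infected":
                return result          # one hit decides the whole archive
            if result == "not_scanned":
                worst = result         # remember, but keep looking for hits
    return worst


def scan_file(data: bytes, levels: int, decompress: bool = True) -> str:
    """Entry point: the decompress option gates whether archives are opened at all."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        if not decompress:
            return "not_scanned"
        return scan_archive(data, levels)
    return "infected" if SIGNATURE in data else "clean"


if __name__ == "__main__":
    three_deep = build_nested_zip(3, SIGNATURE)
    print(scan_file(three_deep, levels=2))   # not_scanned: third level never opened
    print(scan_file(three_deep, levels=3))   # infected
```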
What is Data Loss Prevention?
Data Loss Prevention (DLP) is a signature-based security service
that can help you control the loss of confidential data from your
network.
DLP uses content control rules to identify sensitive data, such as:
Bank routing numbers
Credit card numbers
Confidential document markers
National identity numbers
Driver's license numbers
Medical records
Postal addresses and telephone numbers
Email addresses
DLP scans outbound traffic over proxied SMTP, FTP, HTTP, and
HTTPS connections.
DLP Custom Rule
You can add a custom rule to your DLP configuration.
Allows you to customize your DLP configuration beyond the
predefined rules.
You can scan your network traffic for special phrases specific to
your organization.
For example, use email and document security classifications with
your custom rule to prevent sensitive messages and documents from
leaving your network.
DLP Sensors
To configure DLP, you define a DLP sensor.
For each DLP sensor, you configure:
Rules: enable one or more of the predefined or custom content rules
Actions: define the action to take if data matches the selected rules
By default, a sensor has two types of actions:
Action for email traffic
Action for non-email traffic
Settings: scan limit, and actions for items that cannot be scanned
Scan limit controls how much of a file or object to scan
Actions control what happens when:
Content is larger than the scan limit
A scan error occurs
Content is password protected
DLP Actions
Actions you can configure in a DLP sensor are:
Allow: Allows the connection or email
Drop: Denies the request and drops the connection. No information
is sent to the source of the content.
Block: Denies the request, drops the connection, and adds the IP
address of the content source or sender to the Blocked Sites list.
Lock (email content only): Locks the email attachment. A file that
is locked cannot be opened easily by the user. Only the administrator
can unlock the file.
Remove (email content only): Removes the attachment and allows
the message to be sent to the recipient.
Quarantine (email content only): Sends the email message to the
Quarantine Server.
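As an added example (not WatchGuard code) covering both the DLP Sensors and DLP Actions slides, the following Python model implements one sensor with a predefined-style credit card rule (Luhn-checked), a custom phrase rule, separate actions for email and non-email traffic, and the settings-driven outcomes for content that cannot be scanned. The classification marker ACME-CONFIDENTIAL, the 2000-byte scan limit and the chosen actions are constructed values.

```python
"""Added example (not WatchGuard code): a small model of a DLP sensor with
one predefined-style rule (credit card numbers, Luhn-checked), one custom
phrase rule, email / non-email actions, and settings for unscannable content."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Actions the slides list as valid only for email content.
EMAIL_ONLY_ACTIONS = {"lock", "remove", "quarantine"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which cuts down false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def rule_credit_card(text: str) -> bool:
    return any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text))


# Constructed document classification marker for the custom rule.
CUSTOM_PHRASE = "ACME-CONFIDENTIAL"


def rule_custom_phrase(text: str) -> bool:
    return CUSTOM_PHRASE in text


@dataclass
class DlpSensor:
    rules: dict = field(default_factory=lambda: {
        "credit_card": rule_credit_card,
        "custom_phrase": rule_custom_phrase,
    })
    email_action: str = "quarantine"          # action for email traffic
    non_email_action: str = "drop"            # action for non-email traffic
    scan_limit: int = 2000                    # bytes to inspect (constructed value)
    over_limit_action: str = "allow"          # content is larger than the scan limit
    scan_error_action: str = "allow"          # a scan error occurs
    password_protected_action: str = "drop"   # content is password protected

    def scan(self, content: bytes, is_email: bool,
             password_protected: bool = False) -> tuple[str, str | None]:
        """Return (action, reason) for one message or file.

        The three settings-driven outcomes are decided before any rule runs,
        because in those cases the content cannot be inspected at all.
        """
        if password_protected:
            return self.password_protected_action, "password_protected"
        if len(content) > self.scan_limit:
            return self.over_limit_action, "over_scan_limit"
        try:
            text = content.decode("utf-8")
        except UnicodeDecodeError:
            return self.scan_error_action, "scan_error"
        for name, rule in self.rules.items():
            if rule(text):
                action = self.email_action if is_email else self.non_email_action
                if action in EMAIL_ONLY_ACTIONS and not is_email:
                    action = "drop"   # email-only action on a non-email connection (model fallback)
                return action, name
        return "allow", None


if __name__ == "__main__":
    sensor = DlpSensor()
    # 4111 1111 1111 1111 is a well-known test card number that passes Luhn.
    print(sensor.scan(b"Pay with card 4111 1111 1111 1111 today", is_email=True))
    print(sensor.scan(b"Pay with card 4111 1111 1111 1111 today", is_email=False))
    print(sensor.scan(b"order ref 4111111111111112", is_email=False))   # fails Luhn: allow
```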
DLP Text Extraction
DLP can extract and scan text from these file types:
Adobe PDF, RTF
Microsoft PowerPoint 2000, 2003, 2007, 2010
Microsoft Excel 2000, 2003, 2007, 2010
Microsoft Word 2000, 2003, 2007, 2010
Microsoft Project 2000, 2003, 2007, 2010
Microsoft Visio 2000, 2003, 2007, 2010
Microsoft Outlook .MSG
Microsoft Outlook Express .EML
OpenOffice Calc, Impress, Writer
LibreOffice Calc, Impress, Writer
HTML
Enable DLP
Enable Data Loss Prevention
Add a DLP Sensor using the wizard
Apply sensor to proxy policies
Select content control rules
Select actions to take when
content is detected in email and
non-email traffic
Edit a DLP Sensor
Enable/disable rules
Configure sensor actions
by source and destination
Action for email traffic
Action for non-email
Configure sensor settings
Set actions for items that
cannot be scanned due to:
Size exceeds scan limit
Scan error
File is password protected
Set the file scan limit
Assign DLP Sensors to Policies
When you add a DLP sensor, you select which proxy policies it
applies to.
You can also configure this on the Policies tab in the Data Loss
Prevention configuration, or when you edit an FTP, HTTP, or SMTP
proxy action.
Use Signature-Based IPS
Configure IPS to Allow, Drop,
or Block connections from
sources that match an IPS
signature
Action is set based on the
threat level of the matching
signature
Use Signature-Based IPS
Configure settings globally
Enable or disable per-policy
Can scan traffic for all policies
Blocks malicious threats before they enter your network
Use Application Control
Application Control is a Subscription Service
Monitor and control hundreds of applications based on signatures
Block or allow traffic for application categories, applications, and application behaviors
If you have created Traffic Management actions, you can also use them to control the bandwidth used for allowed application traffic.
When Application Control blocks HTTP content, a deny message appears in the browser
The deny message is not configurable
For HTTPS or other content types, the deny message does not appear
Use Application Control
To configure actions by application category, click Select by Category
Apply Application Control to Policies
First configure Application Control actions
On the Policies tab, select one or more policies, then select the action to apply
Enable Application Control and IPS in Policies
Application Control
Application Control is not automatically enabled for policies
For each policy, you select which Application Control action to use
To monitor the use of applications, enable logging of allowed packets in the policies that have Application Control enabled
IPS
When you enable IPS, it is enabled for all policies by default
You can enable or disable IPS for each policy
Application Control, IPS, and DLP in HTTPS-Proxy Policies
If you enable Application Control, IPS, or DLP for an HTTPS-proxy policy, you must also enable deep inspection of HTTPS content in the HTTPS-proxy action
Required for IPS to scan the HTTPS content
Required for Application Control to detect applications over an HTTPS connection
Required for DLP to scan content
Enable Automatic Signature Updates
To protect against the latest viruses and exploits, and to identify the latest applications, make sure your device is configured to get automatic updates to Gateway AntiVirus, Intrusion Prevention, and Application Control signatures at regular intervals
Update requests can be routed through a proxy server
Monitor Signature Update Status
In Firebox System Manager, select the Subscription Services tab to see the status of Gateway AV, IPS, DLP, and Application Control signatures, or to manually get signature updates
APT Blocker: Block Advanced Malware in Email, FTP, and Web Traffic
APT Blocker
What is an APT (Advanced Persistent Threat)?
APTs leverage the latest targeted malware techniques and zero-day exploits (flaws which software vendors have not yet discovered or fixed) to infect and spread within a network.
Designed to gain access to networks and access confidential data over extended periods of time.
APTs are highly sophisticated and often target specific high-profile institutions such as government or financial-sector companies
APT use has now expanded to target smaller networks and lower-profile organizations.
Traditional signature-based scan techniques do not provide adequate protection against APTs.
APT Blocker
APT Blocker is a subscription service that uses best-of-breed full-system emulation analysis by our solution partner Lastline.
The Lastline cloud performs file analysis in a sandbox environment to identify the characteristics and behavior of advanced malware in files and email attachments.
Includes full system emulation that goes beyond simple detection techniques to simulate a physical and software environment to analyze the deepest level of advanced malware activity.
Full system emulation ensures that advanced malware does not detect and evade the analysis.
APT Blocker: How Does it Work?
Files that enter your network are scanned and an MD5 hash of the file is generated.
This MD5 hash is submitted to the Lastline cloud-based data center over HTTPS, where it is compared to a database of analyzed files and results are returned immediately.
If the analysis results in a match to a known malware threat, you can take immediate action on the file.
If there is no match with the available data center analysis results, this means the specific file has never been seen or analyzed before.
In this case the actual file is submitted to the Lastline data center, where the file undergoes deep analysis for advanced malware activity.
This analysis occurs at the same time as the file transfer, and the connection is passed through while the device waits for the result of the analysis.
The result is returned in minutes, and if there is evidence of malware activity in the file, your WatchGuard Firebox or XTM device can generate an alarm notification.
APT Blocker: Supported Proxies and File Types
APT Blocker can scan files for the HTTP, FTP, and SMTP proxies.
APT Blocker can scan these file types:
Windows PE (Portable Executable) files. Includes Windows XP and Windows 7/8 files with .cpl, .exe, .dll, .ocx, .sys, .scr, .drv, and .efi extensions.
Adobe PDF documents
Microsoft Office documents
Rich Text Format (RTF) documents
Android executable files (.apk)
APT Blocker can also examine files within these compressed archives:
gzip
tar
zip
APT Blocker & Gateway Anti-Virus
APT Blocker utilizes the same scanning process as Gateway Anti-Virus.
You must have Gateway Anti-Virus enabled to enable APT Blocker on a specific proxy.
Files are scanned by Gateway Anti-Virus before they are scanned by APT Blocker.
Only files that have been scanned and processed as clean by Gateway AntiVirus are scanned by APT Blocker.
You can customize which file types you want scanned by APT Blocker in the Gateway Anti-Virus configuration.
If the Gateway Anti-Virus scan is enabled on a specific file/content type in the configuration, APT Blocker will scan the file as long as the file type is supported by APT Blocker.
Enable APT Blocker
Before you enable APT Blocker:
Your device must have an APT Blocker feature key
Gateway AntiVirus must be enabled
APT Blocker Configuration
APT Blocker categorizes APT activity based on the severity of the threat:
High
Medium
Low
All threat levels are considered malware.
Higher levels have more significant indicators of malware.
For each threat level, you can assign an action:
Allow
Drop (SMTP proxy strips attachment)
Block (SMTP proxy strips attachment)
Quarantine (SMTP only, HTTP/FTP drops connection)
Enable notification and log settings to make sure you are notified of malware activity.
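The two-stage flow from the "How Does it Work" slide, together with the per-threat-level actions above, as an added example that is not WatchGuard or Lastline code. The results database, the sandbox callable and the threat-to-action policy are constructed stand-ins; the point it makes is that a never-seen file is only alarmed on, while later copies of it are caught inline at the hash stage.

```python
"""Two-stage APT Blocker flow as the slides describe it: MD5 lookup first,
sandbox submission for never-seen files. Constructed example; the results
database and the sandbox are stand-ins, not Lastline's service."""
import hashlib
from typing import Callable, Dict, Optional, Tuple

# File types listed on the slide (Office document extensions are not
# enumerated there, so they are left out of this constructed set).
SUPPORTED_EXTENSIONS = {".cpl", ".exe", ".dll", ".ocx", ".sys", ".scr", ".drv",
                        ".efi", ".pdf", ".rtf", ".apk"}

# Constructed per-threat-level policy; on the device the admin picks these.
THREAT_ACTIONS = {"high": "block", "medium": "drop", "low": "allow"}

# Stand-in for the cloud results database: MD5 hex digest -> threat level,
# where None means "analyzed before and found clean".
ResultsDB = Dict[str, Optional[str]]
Sandbox = Callable[[bytes], Optional[str]]


def md5_hex(data: bytes) -> str:
    """MD5 serves only as the lookup key, exactly as the slide describes."""
    return hashlib.md5(data).hexdigest()


def apt_blocker_check(filename: str, data: bytes, av_clean: bool,
                      results_db: ResultsDB, sandbox: Sandbox
                      ) -> Tuple[str, str, Optional[str]]:
    """Return (stage, action, threat_level) for one file passing a proxy.

    stage is 'skipped', 'hash_lookup' or 'sandbox'. A file reaches APT Blocker
    only if Gateway AV already scanned it clean and its type is supported.
    """
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if not av_clean or ext not in SUPPORTED_EXTENSIONS:
        return ("skipped", "allow" if av_clean else "av_action", None)

    digest = md5_hex(data)
    if digest in results_db:
        # Known file: the result comes back immediately and the configured
        # action is applied inline on this transfer.
        level = results_db[digest]
        return ("hash_lookup", THREAT_ACTIONS.get(level, "allow"), level)

    # Never-seen file: the whole file goes to the sandbox while the transfer
    # is passed through, so the only immediate outcome is a notification.
    level = sandbox(data)
    results_db[digest] = level  # later copies are caught at the hash stage
    return ("sandbox", "notify" if level else "allow", level)
```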
APT Blocker: Enable in a Policy
You can enable or disable APT Blocker for a specific policy in the APT Blocker configuration or when you edit a proxy action.
Reputation Enabled Defense: Improve the Performance and Security of Web Access
Learning Objectives
Understand how Reputation Enabled Defense works
Configure Reputation Enabled Defense
Monitor Reputation Enabled Defense
What is Reputation Enabled Defense (RED)?
Reputation-based HTTP anti-virus and anti-spyware prevention subscription, available for WatchGuard XTM device models only
RED operates with the HTTP-proxy
RED uses a cloud-based reputation server that assigns a reputation score between 1 and 100 to every URL
The reputation score for a URL is based on AV scanning feedback and other URL reputation data collected from sources around the world.
When a user browses to a web site, RED looks up the score for the URL
For URLs with a good reputation score, local scanning is bypassed
For URLs with a bad reputation score, the HTTP-proxy denies access without local scanning by Gateway AV
For URLs with an inconclusive reputation score, local Gateway AV scanning is performed as configured
Eliminates the need to locally scan the content of web sites that have a known good or bad reputation and improves XTM device performance
RED Reputation Scores
Reputation Scores:
High scores indicate a bad reputation
Low scores indicate a good reputation
If RED has no knowledge of a URL, it assigns a score of 50
The reputation score assigned to a URL increases based on:
Negative scan results for that URL
Negative scan results for a referring link
Negative information from other sources of malware data
The reputation score assigned to a URL decreases based on:
Multiple clean scans
Recent clean scans
RED continually updates the reputation scores for URLs based on:
Scan results from devices around the world by two leading anti-malware engines: Kaspersky and AVG
Data from other leading sources of malware intelligence for the web
RED Reputation Thresholds and Actions
The action performed by the HTTP-proxy depends on:
The reputation score of a requested URL
The locally configured reputation thresholds
RED Actions:
If score is higher than the Bad reputation threshold, deny access
If score is lower than the Good reputation threshold, bypass local scanning
Otherwise, perform local Gateway AV scanning as configured
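The threshold logic of the two RED slides above, as an added example that is not WatchGuard code. The threshold numbers, the URL table and the scores in it are constructed for illustration (the slides do not state the product defaults); the example also checks the one configuration mistake the rule admits, a Good threshold at or above the Bad one, and handles the score-of-50 default for unknown URLs.

```python
"""RED threshold decision as the slides describe it: a 1..100 reputation
score, deny above the Bad threshold, bypass local scanning below the Good
threshold, local Gateway AV scanning in between. Constructed example."""
from typing import Dict, Iterable, Optional

UNKNOWN_SCORE = 50  # slide: RED assigns 50 to a URL it has no knowledge of


class RedThresholds:
    def __init__(self, bad: int = 90, good: int = 10) -> None:
        # Constructed values, not the product defaults. A Good threshold at
        # or above the Bad one leaves no inconclusive band (or an overlapping
        # one), so that configuration is rejected here.
        if not (1 <= good < bad <= 100):
            raise ValueError("need 1 <= good < bad <= 100")
        self.bad = bad
        self.good = good


def red_action(score: Optional[int], thresholds: RedThresholds) -> str:
    """Return 'deny', 'bypass_scan' or 'local_av_scan' for one URL lookup.

    score=None models a URL the reputation server has never seen.
    """
    if score is None:
        score = UNKNOWN_SCORE
    if not 1 <= score <= 100:
        raise ValueError("reputation score must be between 1 and 100")
    if score > thresholds.bad:        # strictly higher than Bad: deny
        return "deny"
    if score < thresholds.good:       # strictly lower than Good: skip AV
        return "bypass_scan"
    return "local_av_scan"            # inconclusive: Gateway AV as configured


def classify_requests(reputation: Dict[str, int], urls: Iterable[str],
                      thresholds: RedThresholds) -> Dict[str, str]:
    """Apply red_action to each requested URL; unknown URLs get the default."""
    return {url: red_action(reputation.get(url), thresholds) for url in urls}


# Constructed reputation table standing in for the cloud reputation server.
SAMPLE_REPUTATION = {
    "http://good.example/": 5,
    "http://bad.example/payload": 97,
    "http://mixed.example/": 60,
}
```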
Enable Reputation Enabled Defense
Before you enable RED:
Your device must have a Reputation Enabled Defense feature key
You must have configured at least one HTTP-proxy policy
Configure Reputation Enabled Defense
Enable RED for the HTTP-proxy
Define thresholds
Monitor RED status
Reputation Enabled Defense and the HTTP-Proxy
Based on the reputation score for a URL, the HTTP-Proxy can:
Immediately block the URL if it has a bad reputation
Bypass any configured local virus scanning for a URL that has a good reputation
If neither of these RED actions occurs, then any locally configured virus scanning proceeds as configured
Reputation Enabled Defense and the HTTP-Proxy
Default reputation thresholds are set to balance security with performance
Change bad and good reputation thresholds in the Advanced Settings dialog box
WatchGuard recommends that you use the default reputation thresholds
Monitor Reputation Enabled Defense
RED status is visible in Firebox System Manager on the Subscription Services tab
Web UI: Explore Fireware XTM Web UI
Learning Objectives
Log in to Fireware XTM Web UI
Change the port that the Firebox or XTM device uses for the Web UI
Discuss limitations of the Web UI
Manage timeouts for the Web UI management sessions
Introduction to Fireware XTM Web UI
Monitor and manage any device running Fireware XTM without installing extra software
Real-time management tool
Easily find what you need and understand how the configuration options work
Limitations of the Web UI
Things you can do with Policy Manager, but not with the Web UI:
Change the name of a policy
Change the logging of default packet handling options
Enable or disable the notification of BOVPN events
Add a custom address to a policy
Use Host Name (DNS lookup) to add an IP address to the From or To section of a policy
Create a .wgx file for Mobile VPN with IPSec client configuration (you can get only the equivalent, but unencrypted, .ini file)
Export certificates stored on the device, or see their details (you can only import certificates)
Enable FireCluster or change the cluster configuration (you can monitor a cluster and update policies and other configuration settings)
Some of the logging and reporting functions provided by HostWatch, Log Manager, Report Manager, and WSM are also not available
Log in to the Web UI
You need only a web browser
Real-time configuration tool; there is no option to store configuration changes locally and save them to the device later
https://<XTM.device.IP.address>:8080
Uses a self-signed certificate, so you must accept certificate warnings or replace the certificate with a trusted certificate
You can change the port for the Web UI
Log in with one of two default Device Management user accounts:
status: read-only permission; uses the status passphrase
admin: read-write permission; uses the configuration passphrase
Or, log in with another Device Management user account you have added
Log in to the Web UI
To log in with the default Device Management user accounts, the Username must be status or admin. It is case sensitive.
Multiple concurrent logins are allowed with a Device Monitor user account (such as the status user account)
Only one Device Administrator user account can be logged in at a time
The last user to log in with a Device Administrator user account is the only user that can make changes
Includes changes from Policy Manager and WSM
Log in to the Web UI
The user account name appears at the top of the screen
The navigation menu is at the left side
Web UI Dashboards
The Dashboard pages appear at the top of the Web UI navigation menu:
Front Panel: Summary of current system status and activity
Subscription Services: Summary of activity for all subscription services
FireWatch: Treemap visualization of current traffic through the Firebox or XTM device
Interfaces: Status of network interfaces
Traffic Monitor: Log messages from the Firebox or XTM device
Gateway Wireless Controller: Shows WatchGuard AP device activity and clients
FireWatch
FireWatch provides a treemap view to help you visualize your network traffic
Blocks in each tab are proportionately sized to represent the data in that tab
Place your cursor over an item in the treemap to see more details about it
Select the data type from the drop-down list at the top-right of the page:
Rate
Bytes
Connections
Duration
FireWatch
You can use FireWatch to see:
Who uses the most bandwidth on your network
Which is the most popular site that users visit
Which sites use the most bandwidth
Which applications use the most bandwidth
Which sites a particular user has visited
Which applications are most used by a particular user
Conclusion
This presentation provides an overview of basic Fireware XTM features
For more information, see these training, documentation, and support resources available in the Support section of the WatchGuard web site:
WatchGuard System Manager Help
Fireware XTM Web UI Help
WatchGuard Dimension Help
WatchGuard Knowledge Base
Fireware XTM Training courseware
Thank You!