Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
SUPPORT
www.watchguard.com/support
support@watchguard.com
U.S. and Canada: +877.232.3531
All Other Countries: +1.206.613.0456
Table of Contents

Course Introduction .... 1
  Training Options .... 1
  Necessary Equipment and Software .... 1
  Training Scenario .... 2
  Prerequisites .... 2
  Certification .... 3
  Fireware XTM Web UI and Command Line Interface .... 3
  Additional Resources .... 3

Getting Started .... 5
  What You Will Learn .... 5
  Start with WatchGuard System Manager .... 5
    WSM Components .... 6
    Activate your Device .... 7
    Use the Setup Wizards .... 7
  Exercise 1: Create a Configuration File with the Quick Setup Wizard .... 8
  Exercise 2: Open WSM and Connect to Devices and Servers .... 9
    Connect to an XTM Device .... 9
    Connect to a Management Server .... 10
  Exercise 3: Open Policy Manager .... 12
  Exercise 4: Set Up WatchGuard Server Center .... 14
  Test Your Knowledge .... 15

Administration .... 17
  What You Will Learn .... 17
  Manage Configuration Files and Device Properties .... 17
  Exercise 1: Open and Save Configuration Files .... 18
  Exercise 2: Configure a Device for Remote Administration .... 19
  Exercise 3: Change the XTM Device Passphrases .... 20
  Exercise 4: Create and Restore a Device Backup Image .... 21
    Create an XTM Device Backup Image .... 21
    Restore an XTM Device Backup Image .... 22
  Exercise 5: Add XTM Device Identification Information .... 23
  Test Your Knowledge .... 24

Network Settings .... 25
  What You Will Learn .... 25
  Properties and Features of XTM Device Interfaces .... 25
    Requirements for XTM Device Interfaces .... 26
    About DHCP Server and DHCP Relay .... 26
    About WINS/DNS .... 27
    About Network Modes .... 27
    About Dynamic DNS .... 28
    About Secondary Networks .... 28
    About Network Bridges .... 28
    About Static Routes .... 28
    About VLANs .... 28
    About Multi-WAN .... 29
    About FireCluster .... 29
    About IPv6 .... 29
  Exercise 2: Configure an External Interface with a Static IP Address .... 34
  Exercise 3: Configure a Trusted Interface as a DHCP Server .... 35
  Exercise 4: Configure an Optional Interface .... 36
  Exercise 5: Configure WINS/DNS Server Information .... 37
  Exercise 6: Configure a Secondary Network .... 38
  Frequently Asked Questions .... 39
  Test Your Knowledge .... 40

Logging and Reporting .... 43
  What You Will Learn .... 43
  Logging and Reporting Setup Process Overview .... 43
  Maintain a Record of Device Activity .... 44
    Logging and Notification Architecture .... 44
    See Log Messages .... 45
    Log Server .... 45
    Log Messages .... 46
    Log Files .... 46
  Exercise 1: Configure Where the Device Sends Log Messages .... 51
  Exercise 2: Set Up the Log Server .... 53
    Set Up the Log Server .... 53
  Exercise 4: Use Log and Report Manager to View Log Messages .... 57
    Connect to Log and Report Manager to View Log Messages .... 57
    Run a Search .... 58
    Export Log Messages .... 60
  Exercise 6: Use Log and Report Manager to View and Generate Reports .... 65
    Connect to Log and Report Manager to View Reports .... 65
    View Reports .... 66

Monitor Your Firewall .... 71
  What You Will Learn .... 71
  Regular Monitoring Improves Security .... 71
  Exercise 1: Review Network Status in WSM .... 73
    Interpret the Device Status Display .... 74
  Create a Performance Console Graph .... 82
  Use HostWatch to View Network Activity .... 84
  Use the Blocked Sites List .... 85
  Examine and Update Feature Keys .... 86
    View Feature Keys For Your XTM Device .... 86
    Add a Feature Key to the XTM Device .... 87
  Test Your Knowledge .... 88

NAT .... 89
  What You Will Learn .... 89
  NAT Overview .... 89
    Dynamic NAT .... 89
    1-to-1 NAT .... 90
    Policy-based NAT .... 92
    Static NAT .... 92
    About SNAT Actions .... 93
    NAT Loopback .... 93
  Exercise 1: Add Firewall Dynamic NAT Entries .... 94
  Exercise 2: Configure Static NAT to Allow Access to Public Servers .... 96
  Exercise 3: Configure NAT Loopback to an Internal Web Server .... 98
    Other Reasons to Use NAT .... 99
  Test Your Knowledge .... 100

Policies .... 101
  What You Will Learn .... 101
  Policies are Rules for Your Network Traffic .... 101
    Add Policies .... 102
    Configure Logging and Notification for a Policy .... 102
    Advanced Policy Properties .... 102
    Policy Precedence .... 103
  Exercise 1: Add a Packet Filter Policy and Configure Access Rules .... 104
    Add a Predefined Policy .... 104
    Modify Policies to Restrict Traffic .... 105
    Use a Policy to Allow Traffic .... 107
  Exercise 3: Configure Logging and Notification for a Policy .... 111
  Exercise 4: Change Policy Precedence .... 112
    Override the Default Order of Policy Precedence .... 112
  Exercise 5: Use Advanced Policy Properties .... 113
  Test Your Knowledge .... 115

Proxy Policies .... 117
  What You Will Learn .... 117
  Proxy Policies and ALGs .... 117
  About the DNS Proxy .... 117
  About the FTP Proxy .... 118
  About H.323 and SIP ALGs .... 120
  About the TCP-UDP Proxy .... 120
  Exercise 1: Use the DNS-Outgoing Proxy Action .... 121
    Add a DNS Outgoing Proxy Policy .... 121
    Block a DNS Request by Query Name .... 122
  Exercise 3: Set Access Controls on H.323 Connections .... 127
  Test Your Knowledge .... 129

Email Proxies .... 131
  What You Will Learn .... 131
  Control the Flow of Email In and Out of Your Network .... 131
    SMTP Rulesets .... 131
    POP3 Rulesets .... 132
  Exercise 1: Use the SMTP-Proxy to Protect Your Mail Server .... 133
    Add an Incoming SMTP-Proxy Policy .... 133
    Decrease Maximum Message Size .... 134
    Allow and Deny Content Types and Filenames .... 135
    Control Mail Domain Use for Incoming Traffic .... 136
    Add an Outgoing SMTP-Proxy Policy .... 138
    Control Email Message Size .... 139
    Control Mail Domain Use for Outbound SMTP .... 140
    Restrict Email by Attachment Filename .... 141
  Test Your Knowledge .... 146

Authentication .... 149
  What You Will Learn .... 149
  Monitor and Control Network Traffic by User .... 150
    How Firebox User Authentication Works .... 150
    Authentication Methods Available with Fireware XTM .... 151
    Use the Firebox Authentication Server .... 151
    About Third-party Authentication Servers .... 151
    About Authentication Timeout Values .... 153
  Exercise 1: Add a Firebox User Group and Add Users .... 154
    Create a Firebox User Group .... 154
    Add Firebox Users .... 155
  Exercise 2: Edit Policies to Use Firebox Authentication .... 158
  Exercise 3: Set Global Authentication Values .... 160
    Set Global Timeout Values .... 160
    Set Other Global Values .... 160
  Exercise 4: Enable Single Sign-On for the XTM Device .... 162
    Use a Web Server Certificate .... 164
  Test Your Knowledge

Blocking Spam
  What You Will Learn
  Stop Unwanted Email at the Network Edge
    spamBlocker Tags
    spamBlocker Categories
    spamBlocker Exceptions
    Global spamBlocker Settings
  Exercise 2: Activate spamBlocker .... 172
  Exercise 3: Configure the spamBlocker Service .... 173
    Determine What Happens to spam Email .... 173
    Add spamBlocker Exceptions .... 174
    Enable Alarms When a Virus is Detected .... 174
  Exercise 4: Monitor spamBlocker Activity .... 175
  Test Your Knowledge .... 176

Web Traffic .... 177
  What You Will Learn .... 177
  Control Web Traffic Through Your Firewall .... 177
    Control Outgoing HTTP Requests .... 178
    Protect Your Web Server .... 179
    HTTP-Proxy Action Rulesets .... 179
  Monitor Secured HTTP Traffic with the HTTPS-Proxy .... 181
  Restrict Web Access with WebBlocker .... 182
  Exercise 1: Configure HTTP Connections from Trusted Users .... 184
    Add an HTTP Client Proxy Policy .... 184
    Enable a Log Message for Each HTTP Client Connection .... 184
    Block HTTP Client Connections by URL Path .... 185
    Allow Microsoft Office Documents and ZIP Files Through the HTTP-Proxy .... 186
    Customize the Deny Message .... 187
  Exercise 2: Use HTTP-Proxy Exceptions to Allow Software Updates .... 189
  Exercise 3: Configure an HTTP-Server Proxy Action .... 190
    Add the HTTP-Server Proxy Policy .... 190
    Create a New Proxy Policy Ruleset .... 191
  Frequently Asked Questions
  Test Your Knowledge

Threat Protection
  What You Will Learn
  Default Threat Protection Measures Block Intruders
    Use Default Packet Handling Options .... 200
    Automatically Block the Source of Suspicious Traffic .... 201
  Exercise 1: Configure Default Packet Handling Options .... 203
  Exercise 2: Block Potential Sources of Attacks .... 204
    Block a Site Permanently .... 204
    Create Exceptions to the Blocked Sites List .... 204
  Exercise 3: Block Sites Automatically .... 206
  Test Your Knowledge .... 207

Signature Services .... 209
  What You Will Learn .... 209
  Identify and Stop Viruses at the Edge of Your Network .... 209
    AntiVirus Scans User Traffic for Viruses and Trojans .... 210
  Intrusion Prevention Service Blocks Direct Attacks .... 212
  Control and Monitor Application Usage on Your Network .... 213
    Application Control Actions and Policies .... 213
    Configure Application Control .... 213
    Application Control Actions and Proxy Actions .... 215
  Exercise 2: Configure an SMTP Proxy Policy for Gateway AntiVirus .... 219
  Exercise 3: Configure the Intrusion Prevention Service .... 221
    Enable Intrusion Prevention .... 221
  Exercise 5: Use Different Application Control Actions for Different Policies .... 227
  Test Your Knowledge .... 230

Reputation Enabled Defense .... 231
  What You Will Learn .... 231
  How Reputation Enabled Defense Works .... 231
    Reputation Scores .... 231
    Reputation Thresholds .... 232
    Reputation Lookups .... 232
    Reputation Enabled Defense Feedback .... 233
  Monitor Reputation Enabled Defense .... 233
  Exercise 1: Set up Reputation Enabled Defense .... 234
  Exercise 2: See Reputation Enabled Defense Statistics .... 236
  Test Your Knowledge .... 237

Web UI .... 239
  What You Will Learn .... 239
  Introduction to Fireware XTM Web UI .... 239
  Limitations of the Web UI .... 240
  Connect to the Web UI .... 241
    About Certificate Warnings .... 241
    Navigate the Web UI .... 243
    Get Help .... 243
    About the Status and Admin Accounts .... 244
    About Timeouts for Management Sessions .... 245
  Exercise 1: Connect to the Web UI with the Status Account
  Exercise 2: Change the Port for the Web UI
  Exercise 3: Configure an XTM Device for Remote Web UI Administration
  Test Your Knowledge
Course Introduction
Firewall Basics with Fireware XTM 11.6
WatchGuard XTM 2 Series / XTM 3 Series / XTM 5 Series / XTM 8 Series / XTM 1050 / XTM 2050 / XTMv
Fireware XTM v11.6 and Fireware XTM v11.6 with a Pro upgrade
WatchGuard System Manager v11.6
Training Options
If you use Fireware XTM and WatchGuard System Manager (WSM) for your WatchGuard XTM device, there are several training options available to you:

Classroom training with a WatchGuard Certified Training Partner (WCTP)
WatchGuard maintains a worldwide network of certified training partners who offer regular training courses. A list of training partners can be found on our web site at: http://www.watchguard.com/training/partners_locate.asp

Quick review presentation
You can download and review the Firewall Basics presentation. This PowerPoint presentation gives an overview of WatchGuard System Manager and Fireware XTM Policy Manager. Students learn how to install an XTM device with the Quick Setup Wizard, create basic security policies, and get more information about additional subscription services.

Fireware XTM Basics with Fireware XTM Training Modules
Each training module available for WatchGuard System Manager and Fireware XTM focuses on a specific feature or function of configuration and security management. For more information, including configuration steps for advanced procedures, see the Fireware XTM WatchGuard System Manager Help.
Necessary Equipment and Software

To complete the majority of the Fireware XTM Basics with Fireware XTM training modules, you must have this hardware and software:

Management computer
Your management computer must be a personal computer with the Microsoft Windows XP, Microsoft Windows Vista, or Microsoft Windows 7 operating system installed. For more information about management computer system requirements for WSM and Fireware XTM v11.6, see the Fireware XTM WatchGuard System Manager User Guide or Help system.

WSM software and Fireware XTM OS
If you have a LiveSecurity Service account, you can download the v11.6 WatchGuard System Manager software and Fireware XTM OS from the WatchGuard web site through the Software Downloads page. The software is also available from your instructor during classes delivered by WatchGuard Certified Training Partners.

Firewall configuration file
During the training exercises, you will open, modify, and save XTM device configuration files. You can use Policy Manager to create new configuration files. You can also open the configuration file of your production XTM device and save it to your local hard drive. We recommend that you do not save any configuration files you make during the training exercises to an XTM device in use on your network; a training configuration saved to a production device replaces its policies and can open or close traffic you did not intend to change.

XTM 2 Series, 3 Series, 5 Series, 8 Series, XTM 1050, XTM 2050 device or an XTMv device (optional)
For some exercises, particularly the exercises which introduce logging, monitoring, and reports, it is useful to connect to a real XTM device on a production network. You do not need to change the configuration properties of this device. You can complete the exercises without access to an XTM device installed on a production network, but it is much easier to grasp some concepts when you can see log messages and information from a real network.
Training Scenario
Throughout the Fireware XTM Basics with Fireware XTM training modules, we use a fictional company called Successful Company. While the modules build on a story of configuring a firewall and network for Successful Company, you can complete many of the exercises using examples from your own network or a set of addresses and situations provided by your WatchGuard Certified Training instructor. Any resemblance between the situations described for Successful Company and a real company are purely coincidental.
Prerequisites
This course is intended for moderately experienced network administrators. A basic understanding of TCP/IP networking is required. No previous experience with network security, WatchGuard System Manager, or WatchGuard hardware devices is required.
Certification
The WatchGuard Certified System Professional (WCSP) exam is available for all WatchGuard partners. The exam is based on the contents of this course, and we recommend that you study this training to prepare for the exam. If you are a WCSP, you can log in to your LiveSecurity Service account and browse to the exam at: https://www.watchguard.com/training/CertCentral.asp For more information about how to become a WCSP, see the WatchGuard Training Technical Certification web page at: http://watchguard.com/training/technical_cert.asp
Additional Resources
For more information about how to install and configure WatchGuard System Manager, see these resources:

Fireware XTM WatchGuard System Manager Help
You can launch the Help system from your management computer after you install WSM. To view more information about the features in a dialog box or application window, click Help or press the F1 key. A topic that describes the features you see and provides links to additional information appears in your default web browser. For the most up-to-date information, browse to http://www.watchguard.com/help/documentation/ and launch the Fireware XTM WatchGuard System Manager Help. You can also download the Help system for offline use.

Fireware XTM WatchGuard System Manager User Guide
Browse to http://www.watchguard.com/help/documentation/ and download the Fireware XTM WatchGuard System Manager User Guide.

WatchGuard Online Knowledge Base
Browse to http://customers.watchguard.com/.

For information about how to set up an XTMv virtual device in a VMware ESXi environment, see:

WatchGuard XTMv Setup Guide
Browse to http://www.watchguard.com/help/documentation/ and download the WatchGuard XTMv Setup Guide.
Getting Started
Set Up Your Management Computer and Device
What You Will Learn
WatchGuard System Manager is the primary management software application used to monitor and manage WatchGuard XTM devices and WatchGuard servers. In this training module, you learn how to:
- Use the Quick Setup Wizard to make a basic device configuration file
- Start WatchGuard System Manager
- Connect to devices and servers
- Start Policy Manager and open a device configuration file
- Set up WatchGuard Server Center
Before you begin these exercises, make sure you read the Course Introduction module.
WSM Components
WatchGuard System Manager (WSM) includes several other monitoring and configuration tools, including Policy Manager, Firebox System Manager, HostWatch, CA Manager, and Log and Report Manager. You can start these tools after you open WSM. WatchGuard Server Center is the application you use to set up, configure, and manage the five WatchGuard servers, as well as configure users and groups for role-based administration.
If you take this course with a training partner, the servers are installed on the same station as the management computer.
This diagram shows the components of WatchGuard System Manager and how you can get access to them. You install the WSM management software on a personal computer running Microsoft Windows XP or later. We call this computer your management computer. When you install WSM on your management computer, you have the option to install any or all of the WatchGuard servers. When you select to install any of the servers, WatchGuard Server Center is automatically installed.

Management Server
Manages multiple XTM devices at the same time and creates virtual private network (VPN) tunnels with a simple drag-and-drop method.

Log Server
Collects log messages from XTM devices and servers.

Report Server
Periodically consolidates data collected by your Log Servers and uses this data to generate the reports that you select.

Quarantine Server
Collects and isolates SMTP email confirmed as spam by spamBlocker, or confirmed to have a virus by Gateway Antivirus or by spamBlocker's Virus Outbreak Detection feature.

WebBlocker Server
Provides information for an HTTP-proxy to deny user access to specified categories of web sites.

You can install these servers on your management computer, or you can install them on other computers on your network that are dedicated to these tasks. Each server has different requirements and may need to be able to connect to other servers, the XTM device, or the management computer. For more information, see the training module about each server.
Exercise 1:
Your instructor will provide you with the information you need to configure your device for the training environment. For an XTMv device, Fireware XTM OS is included in the XTMv virtual appliance Open Virtual Machine Format (OVF) file. For more information, see the WatchGuard XTMv Setup Guide at www.watchguard.com/help/documentation/
The quickest and easiest method to create a functional configuration file for your network is to use the Quick Setup Wizard. However, you must be connected to an XTM device to use the Quick Setup Wizard. Before you start the wizard, you must have:

A feature key
You receive the feature key when you activate your XTM device on the WatchGuard web site. Each feature key is unique to the serial number of the device. Save a copy of the feature key to the management computer before you start the Quick Setup Wizard.

WSM and Fireware XTM installed on the management computer
WSM is the software installed on the management computer and WatchGuard servers. Fireware XTM is the operating system (OS) installed with a configuration file on the XTM device. Download the latest versions of the software and XTM OS from the WatchGuard Portal. WSM and Fireware XTM are separate software downloads. You must download and install both packages on your management computer. The management computer must be on the same network subnet as the device.

Your network information
At a minimum, you must know the IP address of your gateway router and the IP addresses to give to the external and trusted interfaces of the XTM device.

When you configure the XTM device with the Quick Setup Wizard, the wizard adds five basic policies: Outgoing, FTP packet filter, Ping, WatchGuard WebUI, and WatchGuard. It also sets interface IP addresses. In this exercise, we use the Quick Setup Wizard to create and install a basic configuration file on the XTM device. From the Windows desktop:
Your instructor may use the presentation files to show these steps instead of having you do them yourself.
1. Select Start > All Programs > WatchGuard System Manager > Quick Setup Wizard. You can also click the Quick Setup Wizard icon on the WatchGuard System Manager toolbar.
The Quick Setup Wizard starts and attempts to detect an XTM device on the same network as your computer.
2. From the list of devices, select the XTM device that you are using for this training session.
3. Follow the step-by-step instructions in the wizard to create a basic configuration file.
When you are finished with the wizard, you will have an XTM device which allows all traffic from the trusted and optional networks to the external network but blocks everything from the external to the protected networks.
Exercise 2:
When you open WatchGuard System Manager (WSM), you are not automatically connected to an XTM device. You must manually connect to an XTM device or to a Management Server to use many WSM features. You can connect to many devices and Management Servers at the same time.
1. Select Start > All Programs > WatchGuard System Manager > WatchGuard System Manager.
WatchGuard System Manager appears.
2. On the main toolbar, click the Connect To Device icon. Or, you can select File > Connect To Device.
3. In the Name/IP Address text box, type the trusted IP address of the device.
Use your device IP address, or get the IP address from your instructor.
4. In the Passphrase text box, type the Firebox status (read-only) passphrase.
Use the status passphrase to connect to a device and display status. If you save the configuration or add the device as a managed device to the Management Server, you are prompted to type the configuration passphrase.
5. If necessary, change the value in the Timeout text box. This value sets the amount of time (in seconds) that WSM waits for an answer from the device before WSM shows a message that it cannot connect.
If you have a slow network or Internet connection to the device, you can increase the timeout value. If you decrease the value, you decrease the time you must wait for a time out message if you try to connect to a device that is not available.
6. Click Login.
WSM connects to the device and then shows its status on the Device Status tab.
7. On the Device Status tab, click the plus sign (+) to expand the device entry.
Information about the device appears.
3. Type the user name and passphrase for the Management Server.
The default user name for a Management Server is admin. Your instructor may give you different credentials to use.
4. Click Login.
The Device Management tab appears with the Management Server and the devices it manages.
Exercise 3:
Policy Manager is the tool you use to build the security rules your XTM device uses to protect your network. You use Policy Manager to configure policies, set up VPNs, change device passphrases, and configure logging and notification options. A policy is a set of rules that defines how the device manages packets that come to its interfaces. The policy identifies the source and destination of the packets. It also specifies the protocol and ports of the traffic that the policy controls. It includes instructions for the device about how to identify the packet and whether to allow, deny, drop, or block the connection. Policy Manager displays each policy as a group of rules, or a ruleset. You can view these policies in a list with detailed information about each policy, or as icons. In WatchGuard System Manager:
1. On the Device Status tab, select your XTM device. If there is no device visible in WSM, select File > Connect To Device, and then connect to your device.
You can have more than one version of WSM installed on your computer. However, you can have only one version of the server components (Management Server, Log Server, Report Server, Quarantine Server, and WebBlocker Server) installed.
Exercise 4:
Before you can configure your installed WatchGuard servers, you must complete the WatchGuard Server Center Setup Wizard. The Setup Wizard creates the WatchGuard servers you selected to install on your management computer. When you run the wizard, you only see the screens that correspond to the server components you have installed. For example, if you install only the Log Server and Report Server, but not the Quarantine Server, the pages used to create a domain list for Quarantine Server do not appear in the wizard. For more information about the different WatchGuard servers, see the training module for each server, or the Fireware XTM WatchGuard System Manager Help or User Guide. In this exercise, we will use the WatchGuard Server Center Setup Wizard to set up the Management Server and the Log Server that we have installed on the management computer. Before you run the wizard, make sure you have this information:
- The passphrase you want the administrator to use (must be at least 8 characters)
- The Management Server license key
- The IP address of the Log Server
- The encryption key you want to use for the Log Server (8 to 32 characters, no spaces or slashes)
- The directory location where you want to keep your log files
2. Review the Welcome page to make sure you have all the information required to complete the wizard. Click Next.
The General Settings - Identify your organization name page appears.
5. Select Yes.
6. Type the external IP address and passphrases for your gateway Firebox. Click Next.
The Management Server - Enter a license key page appears.
7. Type the license key for your Management Server and click Add. Click Next.
The Log Server - Set an encryption key and database location page appears.
8. Type and confirm the Encryption key to use for the secure connection between the XTM device and the Log Server.
9. Select the Database location for your Log Server database.
10. Click Next.
The Review Settings page appears.
1. True or false? You must have a WatchGuard Management Server to use a simple drag-and-drop function for VPN creation.

2. Circle the best tool for each task:

Task                                      Tool
A) Monitor the status of one device       WatchGuard System Manager | Policy Manager
B) Change the device network interfaces   WatchGuard System Manager | Policy Manager
C) Configure a policy for web traffic     WatchGuard System Manager | Policy Manager
3. True or false? When connecting to your device, you should decrease the Timeout setting if you have a slow network or Internet connection to your device.

4. Which of the following are required before you can use the Quick Setup Wizard to make a basic device configuration file? (Select all that apply.)
A) An account on the WatchGuard web site
B) The device model number
C) The IP address of your gateway router
D) A feature key
E) A live connection to the Internet
F) A personal computer running Mac OS 10 or later
G) A web browser
H) An IP address to give to the external and trusted interfaces of the device
5. Fill in the blank: A ________ is a set of rules that defines how the device manages packets that come to its interfaces.

6. Which of the following are WatchGuard System Manager components? (Select all that apply.)
A) LogViewer
B) Router
C) Policy Manager
D) Appliance Monitor
E) Windows NT Server
F) Report Server
G) Management Computer
7. True or false? You must install all WatchGuard servers on one management computer.

8. True or false? You do not have to install a WatchGuard server to use WatchGuard Server Center.
ANSWERS
1. True. You cannot centrally manage a device unless you configure a WatchGuard Management Server.
2. A, WatchGuard System Manager; B, Policy Manager; C, Policy Manager
3. False. You should increase the Timeout setting if you have a slow network or Internet connection to the device.
4. A, C, D, and H
5. policy
6. A, C, F, and G
7. False
8. False
Administration
Work with Device Configuration Files
What You Will Learn
After you install the XTM device in your network and use the Quick Setup Wizard to give it a basic configuration file, you can add custom configuration settings to meet the needs of your organization. You can save configuration files in a variety of locations. In this training module, you learn how to:
- Open and save configuration files
- Configure the device for remote administration
- Reset device passphrases
- Back up and restore the device configuration
- Add device identification information
Before you begin these exercises, make sure you read the Course Introduction module.
Exercise 1:
The Quick Setup Wizard makes a basic configuration file for your XTM device. We recommend that you use this configuration file as the base for all your configuration files. You can also use Policy Manager to make a new configuration file with only the default configuration properties. To create a new configuration file:
Most of the time, when you want to manage your device configuration, you use WatchGuard System Manager (WSM) to connect to the device and launch Policy Manager. When you do this, WSM loads the current device configuration file in Policy Manager. You can save a copy locally and then open this local copy in Policy Manager any time you want to work offline. In this exercise, you open the current configuration file for your device and save it to your local hard drive:
Exercise 2:
When you use the Quick Setup Wizard to configure your XTM device, a policy that allows you to connect to and administer the device from any computer on the trusted or optional networks is automatically created. If you want to manage the device from a remote location (any location external to the device), then you must change your configuration to allow administrative connections from your remote location.

The packet filter policy that controls administrative connections to the device is WG-Firebox-Mgmt. The Quick Setup Wizard adds this policy with the name WatchGuard. This policy controls access to the device on these TCP ports: 4105, 4117, and 4118. When you allow connections in the WatchGuard policy, you also allow connections to each of these ports.

Before you change a policy to allow connections to the device from a computer external to your network, it is a good idea to consider these alternatives:
- Is it possible to connect to the device with a VPN? This greatly increases the security of the connection. If you can connect with a VPN, then you do not need to allow connections from a computer external to your network.
- If it is not possible to connect to the device with a VPN, you might want to consider using authentication as an additional layer of security.
- It is more secure to limit access from the external network to the smallest number of computers possible. For example, it is more secure to allow connections from a single computer than it is to allow connections from the alias Any-External.

To restrict or expand access to the device, edit the From list in the WatchGuard policy. You can allow connections to the device from external networks by adding the Any-External alias (or an appropriate IP address). You can restrict connections to the device from internal locations by removing the Any-Trusted and Any-Optional aliases and replacing them with the specific IP addresses from which you want to allow access.

You can remove all IP addresses and aliases, and replace them with user names or group names. When you do this, you force users to authenticate before they are allowed to connect to the device. If you decide to allow connections to the device from Any-External, it is especially important that you set very strong device Status and Configuration passphrases. It is also a good idea to change your passphrases at regular intervals. To use Policy Manager to configure the WatchGuard policy to allow administrative access from an external computer at a specific IP address:
1. Double-click the WatchGuard policy. Or, right-click the WatchGuard policy and select Edit.
The Edit Policy Properties dialog box appears. The name of this policy is WatchGuard, but the packet filter type is WG-Firebox-Mgmt. This policy is specifically designed to be used for administration of the device.
Your instructor might ask you to complete these steps. This will enable your instructor to troubleshoot configuration issues from his computer later in the class.
2. In the From section, click Add.
3. To add the IP address of the external computer you want to use to connect to the device, click Add Other.
4. From the Choose type drop-down list, make sure Host IP is selected.
5. In the Value text box, type the IP address of the remote administration computer.
6. Click OK to close each dialog box.
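To make the trade-off between Any-External and a single Host IP concrete, this added example (not WatchGuard code) models how the From list of the WatchGuard (WG-Firebox-Mgmt) policy admits or rejects connections to the three management ports named above. The alias-to-zone mapping and the probe connections are constructed for illustration.

```python
import ipaddress

# Added example, not part of the WatchGuard training material: a small model
# of the From-list evaluation of the WatchGuard management policy, used to
# compare the wizard default, an Any-External entry, and a single Host IP.

MGMT_PORTS = {4105, 4117, 4118}   # TCP ports covered by the WatchGuard policy

# Zone aliases from the training text, mapped to the interface zone a packet
# arrives on (constructed mapping for this model).
ALIASES = {
    "Any-External": {"external"},
    "Any-Trusted": {"trusted"},
    "Any-Optional": {"optional"},
}


def source_matches(entry: str, src_ip: str, src_zone: str) -> bool:
    """Match one From-list entry (an alias or a Host IP) against a source."""
    if entry in ALIASES:
        return src_zone in ALIASES[entry]
    # Anything else is treated as a Host IP entry, as added with Add Other.
    return ipaddress.ip_address(src_ip) == ipaddress.ip_address(entry)


def mgmt_allowed(from_list, src_ip: str, src_zone: str, dst_port: int) -> bool:
    """True when the WatchGuard policy would accept this admin connection."""
    if dst_port not in MGMT_PORTS:
        return False            # not a management port; other policies decide
    return any(source_matches(entry, src_ip, src_zone) for entry in from_list)


def admitted(from_list, probes):
    """Return the probe connections that a given From list lets through."""
    return [probe for probe in probes if mgmt_allowed(from_list, *probe)]


# Constructed probes: (source IP, zone the packet arrived on, destination port).
PROBES = [
    ("203.0.113.10", "external", 4105),   # the one intended remote admin host
    ("198.51.100.77", "external", 4117),  # any other Internet host
    ("10.0.1.50", "trusted", 4105),       # workstation on the trusted network
    ("10.0.1.50", "trusted", 443),        # trusted host, not a management port
]

WIZARD_DEFAULT = ["Any-Trusted", "Any-Optional"]
OPEN_TO_INTERNET = WIZARD_DEFAULT + ["Any-External"]
SINGLE_REMOTE_HOST = WIZARD_DEFAULT + ["203.0.113.10"]

if __name__ == "__main__":
    for name, from_list in (("wizard default", WIZARD_DEFAULT),
                            ("Any-External", OPEN_TO_INTERNET),
                            ("single Host IP", SINGLE_REMOTE_HOST)):
        hits = admitted(from_list, PROBES)
        print(f"{name:15s} admits {len(hits)} probe(s):", hits)
```

The Any-External variant admits every external probe, while the Host IP variant admits only the one remote administration computer and the trusted workstation.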
Exercise 3:
In this exercise, you change the passphrases for your XTM device. An XTM device uses two passphrases:

Status passphrase
The read-only password that you use to see information about the device, but not to make any changes to the configuration file.

Configuration passphrase
The read-write password that the administrator uses to save a configuration file to the device.

We recommend that you change your device passphrases at regular intervals as part of your company's security policy. The passphrases we use in this exercise are examples of very simple passphrases. When you develop each of your passphrases, it is important to choose strong passphrases. A strong passphrase is one that contains at least eight characters, and includes a combination of letters, numbers, and symbols. To complete this exercise, you must have the current configuration passphrase for your device. If you are using a device in a production network, and you do not have permission to change the configuration passphrase of the device, do not complete this exercise.
2. In the Firebox IP Address or name text box, type or select the IP address or name of your XTM device.
3. In the Status Passphrase text box, type the Status (read-only) passphrase for your device.
4. Click OK.
Policy Manager contacts the device and gets the configuration file.
6. In the Configuration Passphrase text box, type the current configuration (read-write) passphrase for your device.
7. In the Status Passphrase and Confirm Passphrase text boxes, type 33333333.
8. In the Configuration Passphrase and Confirm Passphrase text boxes, type 44444444.
9. Click OK.
The new passphrases are saved to the device.
Exercise 4:
An XTM device backup image is a saved copy of the working image from the device flash disk. The backup image includes the XTM device OS, configuration file, feature keys, passphrases, DHCP leases, and certificates. The backup image also includes any event notification settings that you configured in Traffic Monitor. You can use Policy Manager to save an encrypted backup image to your management computer or to a directory on your network or other connected storage device. We recommend that you regularly back up your device image. We also recommend that you create a backup image of the device before you make significant changes to your device configuration file, or upgrade your device or its OS.
2. In the Configuration Passphrase text box, type the read-write passphrase for your device.
The configuration passphrase we used in this training module is 44444444. The second Backup dialog box appears.
4. In the Back up image to text box, select the location to save the backup file.
5. Click OK.
The default location for a backup file with a .fxi extension is:
Windows XP: C:\Documents and Settings\All Users\Shared WatchGuard\backups\<device IP address>-<date>.<wsm_version>.fxi
Windows 7: C:\Users\Public\Shared WatchGuard\backups\<device IP address>-<date>.<wsm_version>.fxi
2. Type the Configuration Passphrase for your device. The configuration passphrase we used in this training module is 44444444.
A warning message appears.
3. Click Yes to continue.
4. Type the Encryption Key you used when you created the backup image.
For this exercise, the value is MyStrongKey.
5. In the Restore image from text box, select the location of the backup image you want to restore.
The device restores the backup image and restarts. It uses the backup image on restart.
Exercise 5:
You can save information about the XTM device in the configuration file, which helps you to identify the device in reports, log files, and WatchGuard management tools. The device model is particularly important because some software features only function on certain models. You can use Policy Manager to give the device a name to use in your log files and reports. If you do not give your device a name, the log files and reports use the IP address of the device's external interface. You can use a Fully Qualified Domain Name if you register it with your authoritative DNS server. You must give the device a name if you use the Management Server to configure VPN tunnels and certificates for the device. The device time zone controls the date and time that appears in the log file and in management tools, including LogViewer, Report Manager, and WebBlocker. Set the device time zone to match the time zone for the physical location of the device. This time zone setting ensures the time appears correctly in the log messages. A default configuration file sets the device system time to Greenwich Mean Time (GMT). In this exercise, you set the device information for your student device. If you are working alone, you can use the example of our fictional organization: Successful Company. In other training modules, you see this information in reports and WatchGuard System Manager. From Policy Manager:
5. From the Time zone drop-down list, select your local time zone.
Select the time zone of the device itself. This enables you to synchronize reports from devices in multiple time zones.
6. Click OK.
1. Circle the correct answer: To save a changed device configuration file to the XTM device, use the [Status | Configuration] passphrase.

2. Select the correct answer: Corporate headquarters is in Detroit. The branch office XTM device is located in Tokyo. You should set the branch office device time zone to:
A) (GMT-05:00) Eastern Time (US & Canada)
B) (GMT+09:00) Osaka, Sapporo, Tokyo
3. True or false? You can save the device configuration file to a USB flash drive.

4. How frequently should you make a backup image of your device?
A) Daily
B) Weekly
C) Monthly
D) Each time you make a substantial change to the configuration
E) Never
5. Which of the following information is used by WatchGuard System Manager applications to identify an XTM device? (Select all that apply.)
A) Firebox Name
B) System administrator name
C) Encryption key
D) Model number
E) External IP address
ANSWERS
1. Configuration
2. B (GMT+09:00) Osaka, Sapporo, Tokyo. Set the XTM device time zone to its physical location.
3. True. You can save the device configuration file to any local disk drive, including a USB flash drive or a network share.
4. D
5. A, D
Network Settings
Configure XTM Device Interfaces
What You Will Learn
An XTM device has three types of interfaces: external, trusted, and optional. To use your device in a network, you must set the IP addresses of the interfaces. You can also enable routing features on some interfaces. In this training module, you learn how to:
- Configure external network interfaces using a static IP address, DHCP, or PPPoE
- Configure trusted and optional network interfaces
- Use the XTM device as a DHCP server
- Add WINS/DNS server locations to the device configuration
- Add Dynamic DNS settings to the device configuration
- Set up a secondary network or address
Before you begin these exercises, make sure you read the Course Introduction module.
Optional Interfaces
Optional interfaces connect to your optional networks, which are mixed trust or DMZ environments separated from your trusted networks. Public web, FTP, and mail servers are usually found in optional networks.

Most users configure at least one external and one trusted interface on their device. You can configure any interface as trusted, optional, or external. You can have a maximum of four physical external interfaces. When you configure the IPv4 addresses for interfaces on a device, you must use slash notation to denote the subnet mask. For example, you enter the network range 192.168.0.0 with subnet mask 255.255.255.0 as 192.168.0.0/24, and a trusted interface with the IP address of 10.0.1.1/16 has a subnet mask of 255.255.0.0.
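The slash notation described above, and the Quick Setup Wizard requirement from the Getting Started module that the management computer be on the same subnet as the device, are worked through in this added example (not part of the WatchGuard material). It derives the dotted mask from the prefix length, rejects addresses that are not in slash notation, and checks whether two addresses share a network; the management-computer addresses are constructed for illustration.

```python
import ipaddress

# Added example, not part of the WatchGuard training material: parse the
# slash-notation interface addresses the exercises use and show the dotted
# subnet mask, network and broadcast address that the prefix length implies.


def prefix_to_mask(prefix_len: int) -> str:
    """Convert a prefix length (the number after the slash) to a dotted mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length out of range: {prefix_len}")
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return ".".join(str((mask_int >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_interface_address(text: str) -> dict:
    """Parse 'a.b.c.d/n' into host, mask, network, broadcast and host count.

    Policy Manager expects slash notation for IPv4 interfaces, so a missing
    prefix or a dotted mask after the slash is rejected rather than guessed.
    """
    if "/" not in text:
        raise ValueError(f"{text!r}: the subnet mask must be given in slash notation")
    host_part, prefix_part = text.split("/", 1)
    if not prefix_part.isdigit():
        raise ValueError(f"{text!r}: use a prefix length after the slash, not a dotted mask")
    prefix_len = int(prefix_part)
    iface = ipaddress.IPv4Interface(f"{host_part}/{prefix_len}")
    return {
        "host": str(iface.ip),
        "prefix_len": prefix_len,
        "mask": prefix_to_mask(prefix_len),
        "network": str(iface.network.network_address),
        "broadcast": str(iface.network.broadcast_address),
        "usable_hosts": max(iface.network.num_addresses - 2, 0),
    }


def same_subnet(addr_a: str, addr_b: str) -> bool:
    """True when both slash-notation addresses fall in the same IPv4 network.

    This is the check behind the Quick Setup Wizard requirement that the
    management computer and the XTM device share a subnet.
    """
    return ipaddress.IPv4Interface(addr_a).network == ipaddress.IPv4Interface(addr_b).network


if __name__ == "__main__":
    # Addresses from the training text.
    for addr in ("192.168.0.0/24", "10.0.1.1/16"):
        print(addr, "->", parse_interface_address(addr))
    # Constructed management-computer address on the trusted network.
    print(same_subnet("10.0.1.1/16", "10.0.200.7/16"))   # same /16: wizard can reach device
    print(same_subnet("10.0.1.1/24", "10.0.200.7/24"))   # with a /24 mask they no longer match
```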
About WINS/DNS
Several XTM device features use Windows Internet Name Service (WINS) and Domain Name System (DNS) server IP addresses. These servers must be accessible from the trusted interface of the device. For example, this information is used by remote user virtual private networks. Make sure that you use only an internal WINS and DNS server, so that you do not create policies with configuration properties that prevent users and services from connecting to the DNS server.
Drop-In mode
All of the XTM device interfaces are on the same network and have the same IP address. The computers on the trusted or optional interfaces can have a public IP address.
Bridge mode
All of the XTM device interfaces are on the same network. You specify an IP address to use to manage the device. Traffic from all trusted or optional interfaces is examined and sent to the external interface. Interface IP addresses cannot be configured. NAT is not used in Bridge mode. Traffic sent or received through the device appears to come from its original source.
The most common configuration method is a routed configuration. We use a routed configuration to explain most of the features and examples in this document.
When you use the Web Setup Wizard to create your initial network configuration, the device is automatically configured in a routed configuration. When you use the Quick Setup Wizard in WatchGuard System Manager to create your initial network configuration, you can choose to configure the device in a routed or drop-in configuration.
About VLANs
VLANs (Virtual Local Area Networks) are an advanced network feature that allow you to group devices by traffic patterns instead of by physical network access. You can use VLANs to connect devices on different networks so that they appear to be part of the same network. For more information, see the advanced VLAN training course, or the Fireware XTM WatchGuard System Manager Help or User Guide.
About Multi-WAN
The multi-WAN feature allows you to send network traffic to up to four external interfaces. This is useful when you want to have a backup Internet connection, or if you want to divide your outgoing network traffic between multiple physical interfaces. Multi-WAN settings do not apply to incoming network traffic, and you can only use this feature in Mixed Routing mode. For more information, see the Advanced Networking training course, or the Fireware XTM WatchGuard System Manager Help or User Guide.
About FireCluster
If you have two XTM devices of the same model, and you use Fireware XTM with a Pro upgrade, you can configure the two devices as a FireCluster for high availability and load sharing. FireCluster is supported for all XTM device models except XTM 33 and XTM 2 Series. For more information, see the Advanced Networking training course, or the Fireware XTM WatchGuard System Manager Help or User Guide.
About IPv6
Fireware XTM supports a limited set of IPv6 networking features.

XTM device interface addresses
You can add a static IPv6 address to the External, Trusted, or Optional interfaces when the device is configured in mixed routing mode. Each interface still must have an IPv4 address configured.

DNS servers
You can use an IPv6 address to specify a DNS server.

Static routes
You can add an IPv6 static route.

Device management
You can use an IPv6 address to connect to the Fireware XTM Web UI or the CLI for device management. You cannot use the static IPv6 address to connect to the XTM device from WatchGuard System Manager.

Diagnostic logging
You can set the diagnostic log level for IPv6 advertisements.

Fireware XTM supports basic routing of IPv6 traffic. However, Fireware XTM security and advanced networking features do not apply to IPv6 traffic. If you enable IPv6 on an interface, you should treat this as a bridged connection. The Fireware XTM security features such as policies, proxies, default threat protection, and security services do not apply to IPv6 traffic. For more information, see the Fireware XTM WatchGuard System Manager Help or User Guide. WatchGuard continues to add more IPv6 support to Fireware XTM for all XTM device models. For information about the WatchGuard IPv6 roadmap, see http://www.watchguard.com/ipv6/index.asp. Because the IPv6 support is limited, the exercises in this training focus on device configuration in an IPv4-only environment.
Exercise 1:
The XTM device can get a dynamic IP address for an external interface with DHCP or Point-to-Point Protocol over Ethernet (PPPoE). At the Successful Company, the network administrators start with an IP address assigned by DHCP for their external interface. However, as their company grows, they change this to a static IP address, and add a backup PPPoE connection.
3. In the Interface Name text box, type InternetConnection.
4. In the Interface Description text box, type Connect to the Cloud.
5. Make sure that the Interface Type is set to External.
6. Select Use DHCP Client.
8. Click OK.
DHCP appears in the IP Address column in the Network Configuration dialog box.
2. In the Interface Name text box, type BackupInternet.
3. In the Interface Description text box, type Use when primary account fails.
4. In the Interface Type drop-down list, select External.
5. Select Use PPPoE.
6. In the User Name text box, type the PPPoE user name. For this exercise, type username.
7. Type and confirm the PPPoE passphrase. For this exercise, type passphrase.
8. Click OK.
PPPoE appears in the IP Address column in the Network Configuration dialog box.
1. Select the Dynamic DNS tab.
2. In the Interfaces list, select InternetConnection (0). Click Configure.
The Per Interface Dynamic DNS dialog box appears.
3. Select the Enable Dynamic DNS check box.
4. In the User Name text box, type successfulco.
5. In the Password and Confirm text boxes, type password.
6. In the Domain text box, type example.com.
7. In the Service Type drop-down list, make sure dyndns (Dynamic DNS) is selected.
This is the default option. The service types are:
dyndns sends updates for a Dynamic DNS host name.
statdns sends updates for a Static DNS host name.
custom sends updates for a Custom DNS host name.
For more information on each option, see http://www.dyndns.com/services/.
9. In the Forced Update text box, type or select a time interval (in days) to force an update of the IP address.
For this exercise, keep the default number of 28 days.
Exercise 2:
To configure an external interface with a static IP address, you must know the IP address, the subnet mask in slash notation, and the default gateway. In this exercise, you use Policy Manager to configure the primary external IP address of the Successful Company network to use a static IP address.
2. Select the Interfaces tab.
3. In the Interfaces list, select InternetConnection (Interface 0). Click Configure.
The Interface Settings dialog box appears.
4. Select Use Static IP.
5. In the IP Address text box, type 203.0.113.10/24.
If you are in a classroom, get the address information from your instructor.
This is a fictional address from the 203.0.113.0/24 range reserved for documentation. With a real-world static IP address, the Internet Service Provider (ISP) provides the IP address, subnet mask, and default gateway.
7. Click OK.
The external IP address appears in the Network Configuration dialog box.
Exercise 3:
In this exercise, we use Policy Manager to configure a trusted interface on the Successful Company XTM device as a DHCP server.
2. Select the Interfaces tab.
3. In the Interfaces list, select Trusted (Interface 1). Click Configure.
The Interface Settings dialog box opens.
4. In the Interface Name text box, type OurLAN.
5. In the Interface Type drop-down list, make sure that Trusted is selected.
6. In the IP Address text box, keep the default selection of 10.0.1.1/24.
7. Select the Use DHCP Server radio button.
8. In the Address Pool section, select the existing address pool and click Delete.
9. Click Add.
The Add Address Range dialog box appears.
10. In the Starting address text box, type 10.0.1.100.
11. In the Ending address text box, type 10.0.1.200.
12. Click OK.
The new addresses appear in the Address Pool list.
Exercise 4:
Optional interfaces are commonly used for servers which are used by both the public and members of your organization, such as HTTP and FTP servers. In this exercise, we configure an optional network that Successful Company can use for their public servers.
2. Select the Interfaces tab.
3. In the Interfaces list, select Optional-1 (Interface 2). Click Configure.
The Interface Settings dialog box appears.
4. In the Interface Name text box, type PublicServers.
5. In the Interface Description text box, type Servers used by customers and vendors.
6. In the Interface Type drop-down list, select Optional.
7. In the IP Address text box, keep the default network IP address of 10.0.2.1/24.
8. Make sure Disable DHCP is selected.
Because this network does not use DHCP, no further configuration is necessary.
9. Click OK.
The new settings appear for Interface 2.
Exercise 5:
Several Fireware XTM features operate correctly only if you use a WINS/DNS server on your trusted network. These features include Gateway AntiVirus, Intrusion Prevention Service, spamBlocker, and Mobile VPN (Virtual Private Network). In this exercise, we use Policy Manager to configure the Successful Company XTM device to use WINS/DNS servers on the OurLAN and PublicServers networks.
2. Select the WINS/DNS tab.
3. In the Domain Name text box, type example.com.
4. In the DNS Servers text box, type 10.0.1.53 and click Add. In the DNS Servers text box, type 10.0.2.53 and click Add.
These are the IP addresses of the internal DNS servers for this exercise. You are not required to enter more than one DNS server. However, we recommend that you add more than one DNS server to make sure that users can still get DNS name resolution when the primary server is not available.
6. Click OK.
Exercise 6:
A secondary network is an additional IP network that shares the same physical network, and therefore the same XTM device interface, as the interface's primary network. In this exercise, we use Policy Manager to add a secondary network to the Successful Company OurLAN trusted network.
2. Select the Interfaces tab.
3. In the Interfaces list, select OurLAN (Interface 1). Click Configure.
The Interface Settings dialog box appears.
7. Click OK to close the Interface Settings dialog box.
8. Click OK to close the Network Configuration dialog box.
9. Save the configuration file.
Network mask        Slash
255.0.0.0           /8
255.255.0.0         /16
255.255.255.0       /24
255.255.255.128     /25
255.255.255.192     /26
255.255.255.224     /27
255.255.255.240     /28
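The conversions in the table above, and the DHCP address pool from Exercise 3, are easy to get wrong by hand (a mask such as 255.255.255.125 looks plausible but is not a netmask at all, because its one-bits are not contiguous). The following is an added example written for this page, not code from the WatchGuard guide: it converts between dotted netmasks and slash notation, rejects non-contiguous masks, summarizes an interface address typed in slash notation, and checks a DHCP pool against the interface it is configured on. The addresses used are the fictional ones from the exercises.

```python
import ipaddress

# Added example (not from the WatchGuard guide): netmask/slash conversion with
# validation, plus a sanity check for a DHCP address pool on a Fireware interface.


def prefix_to_int(prefix: int) -> int:
    """Integer form of the mask with `prefix` leading one-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_to_mask(prefix: int) -> str:
    """Slash length to dotted-decimal netmask, e.g. 26 -> 255.255.255.192."""
    return str(ipaddress.IPv4Address(prefix_to_int(prefix)))


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal netmask to slash length, rejecting non-contiguous masks.

    A netmask must be a run of one-bits followed only by zero-bits. A value such
    as 255.255.255.125 has four valid octets but is not a netmask (the /25 mask
    is 255.255.255.128), so it raises ValueError instead of returning a length.
    """
    value = int(ipaddress.IPv4Address(mask))
    prefix = bin(value).count("1")
    if value != prefix_to_int(prefix):
        raise ValueError(f"{mask} is not a contiguous netmask")
    return prefix


def interface_summary(address_with_prefix: str) -> dict:
    """Describe an interface address typed in slash notation (e.g. 203.0.113.10/24)."""
    iface = ipaddress.ip_interface(address_with_prefix)
    net = iface.network
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses
    return {
        "address": str(iface.ip),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def dhcp_pool_problems(interface: str, start: str, end: str) -> list:
    """Check a DHCP address pool the way Exercise 3 configures one.

    Returns a list of problems (empty when the pool is acceptable): the range
    must lie inside the interface subnet, must not be reversed, and must not
    include the interface's own address or the network/broadcast addresses.
    """
    iface = ipaddress.ip_interface(interface)
    net = iface.network
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems = []
    if first > last:
        problems.append("starting address is after the ending address")
    for label, addr in (("starting", first), ("ending", last)):
        if addr not in net:
            problems.append(f"{label} address {addr} is outside {net}")
    if first <= iface.ip <= last:
        problems.append(f"pool includes the interface address {iface.ip}")
    if net.prefixlen <= 30 and (
        first <= net.network_address <= last or first <= net.broadcast_address <= last
    ):
        problems.append("pool includes the network or broadcast address")
    return problems


if __name__ == "__main__":
    for mask in ("255.0.0.0", "255.255.255.0", "255.255.255.128", "255.255.255.240"):
        print(f"{mask:16} /{mask_to_prefix(mask)}")
    try:
        mask_to_prefix("255.255.255.125")
    except ValueError as err:
        print("rejected:", err)
    print(interface_summary("203.0.113.10/24"))
    print("pool problems:", dhcp_pool_problems("10.0.1.1/24", "10.0.1.100", "10.0.1.200"))
```

The pool check is the one worth keeping around: a pool that overlaps the interface address, or that was typed for the wrong subnet after an interface renumbering, produces duplicate-address and no-lease problems that are much harder to spot from the client side than from the configuration.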
1. When you use a static IP address for the external interface, what information must you get from your ISP? (Select all that apply.)
A) An IP address
B) A default gateway address
C) A subnet mask
D) A password or passphrase
E) A user name

2. True or false? If you use DHCP on the external interface of the XTM device, you can configure a secondary network for the external interface.

3. True or false? You can configure the XTM device as a DHCP server.

4. What features use the WINS/DNS settings in the Network Configuration dialog box? (Select all that apply.)
A) Mobile VPN connections to the XTM device
B) Your ISP to route to the XTM device
C) Computers on your trusted and optional networks
D) Your WatchGuard Management Computer
E) DHCP

5. True or false? You can only add secondary networks in Bridge mode.

6. Which two interfaces are necessary to create a basic network configuration in Mixed Routing mode? (Select one.)
A) External and optional
B) Trusted and optional
C) External and trusted

7. Which of these items is NOT a method used to assign an IP address to the external interface of an XTM device? (Select one.)
A) Static addressing
B) DHCP
C) PPPoE
D) PPPoA

8. True or false? Only the trusted interface of an XTM device is able to assign IP addresses as a DHCP Server.

9. True or false? Firewall policies apply to both IPv4 and IPv6 network traffic.
Before you begin these exercises, make sure you read the Course Introduction module. In this module, you will connect to one or more XTM devices and WatchGuard servers. If you take this course with a WatchGuard Certified Training Partner, your instructor will provide the IP address and passphrases for the devices and servers used in the exercises.
1. Install the WatchGuard Log Server and Report Server on your management computer or another computer in your network.
You can also install your Log Server and Report Server on different computers. You can install more than one Log Server on your network, but only one Report Server.
2. Run the WatchGuard Server Center Setup Wizard to set up your Log Server and Report Server.
If your Log Server and Report Server are on different computers, you must run the wizard on each computer to set up each server separately.
5. Configure your XTM device to send log messages to your Log Server.
Specify the IP address of each Log Server to which your device sends log messages, set the priority of your Log Servers, and enable logging in your policies.
6. Use Log and Report Manager to review log messages and Available Reports, and generate new On-Demand and Per Client reports.
For instructions to configure logging on your network, see the topic Quick Start Set Up Logging for Your Network in the WatchGuard System Manager Help.

You can use role-based administration to enable users who do not have administrative rights to also use Log and Report Manager to view log messages and see and generate reports. For more information about how to use WatchGuard Server Center to add a user, see the topic Define or Remove Users or Groups in the WatchGuard System Manager Help, and follow the instructions to add a user in WatchGuard Server Center.
Log Server
The WatchGuard Log Server is the computer to which your XTM device sends all log messages. The Log Server stores log messages in a PostgreSQL database. You can use your management computer as the Log Server, or you can use a different computer. The device must be able to send traffic to the Log Server computer.

Logging data flow:
(1) Set your logging rules and save them to the XTM device.
(2) The XTM device generates log messages and sends them to the Log Server.
(3) The Log Server saves the messages and sends notifications.
Log Server
The Log Server collects log messages from your XTM devices and WatchGuard servers. The Log Server also sends notification messages when it gets a notification request from the device. You can install the Log Server software on your management computer, or on a different computer by selecting to install only the Log Server component when you install WSM.

In addition to installing the software, you must configure the Log Server with a Log Server encryption key. The XTM device uses this key to encrypt log messages sent to the Log Server. The same key must be used on the device and on the Log Server. The encryption key must be no less than eight and no more than 32 characters. You set the Log Server encryption key when you configure the Log Server with the WatchGuard Server Center Setup Wizard. One Log Server can receive and store logs from many XTM devices.

If you install the Log Server on a computer with a desktop firewall other than Windows Firewall, you must open TCP ports 4107 and 4115 on that firewall so that the WatchGuard Log Server can accept connections through it. If you use the default Windows Firewall, you do not have to change your configuration.

Log Servers operate in failover mode, not redundancy mode. In other words, an XTM device sends messages to only one WatchGuard Log Server at a time. The backup Log Server is used only when the primary server becomes unavailable.
Log Messages
WatchGuard System Manager includes strong and flexible log message tools. An important part of a good network security policy is to collect log messages from your security systems, examine those messages frequently, and keep them in an archive. You can use log files to monitor your network security and activity, identify security risks, and address them.

WatchGuard XTM devices send log messages to your WatchGuard Log Server. They can also send log messages to a syslog server or keep a limited number of log messages locally on the XTM device. You can choose to send log messages to one or more of these locations.

The XTM device sends five types of log messages: Traffic, Alarm, Event, Debug, and Statistic. Each log message includes the name of the log type as part of the log message.

Traffic Log Messages
The XTM device sends traffic log messages as it applies packet filter and proxy policy rules to traffic that goes through the device.

Alarm Log Messages
Alarm log messages are sent when an event occurs that causes the XTM device to send a notification request.

Event Log Messages
The XTM device sends an event log message because of user or system activity. Actions that cause the device to send an event log message include:
- Device start up and shut down
- Device and VPN authentication
- Process start up and shut down
- Problems with the XTM device hardware components
- Tasks completed by the XTM device administrator

Debug Log Messages
Debug log messages include information used to help troubleshoot problems. You can select the level of debug log messages to see in Traffic Monitor or write to a log file.

Statistic Log Messages
Statistic log messages include information about the performance of the XTM device. By default, the device sends log messages about external interface performance and VPN bandwidth statistics to your log file. You can use these log messages to change your device settings as necessary to improve performance.
Log Files
The XTM device sends log messages to a primary or backup Log Server. Log messages are stored in a PostgreSQL database in the location you specify when you run the setup wizard. We recommend that you select the built-in directory location for your operating system:
Windows XP: C:\Documents and Settings\WatchGuard\logs
Windows 7: C:\ProgramData\WatchGuard\logs
The WatchGuard Web Services API for Reporting is also automatically installed with the Log Server or Report Server. You can use the WatchGuard Web Services API to extract Log Server and Report Server data for custom reports. For more information about this tool, see the Fireware XTM WatchGuard System Manager Help.

To use Log and Report Manager from a computer that is external to your XTM device when your Report Server is behind the XTM device, you must open a port to allow the Log and Report Manager traffic between the Report Server and the IP address of your external computer. To open the correct port (4130), add the WG-LogViewer-ReportMgr packet filter policy to your XTM device configuration. For more information about how to add a policy to your configuration, see the module Policies, on page 101 or the Fireware XTM WatchGuard System Manager Help.
WatchGuard Reports
WatchGuard Reports are summaries of the log data that you have selected to collect from your XTM device log files. Log and Report Manager consolidates the log data into a variety of predefined reports so you can quickly and easily locate and review the actions and events that occur at your XTM device. The predefined reports are listed below by report type, as Report Name: Description.

Application Control
  Application Usage: Summary report of application usage data
  Top Applications by user: Summary of application usage data by user
  Top Applications by host: Summary of application usage data by host
  Top Users Blocked: Summary of users blocked by Application Control
  Top Hosts Blocked: Summary of hosts blocked by Application Control

Other report groups
  Detailed report of server activity
  Summary of server activity
  Summary of server authentication
  Detailed report for all XTM devices and VPN tunnels managed by your Management Server
  Top client reports by application usage, blocked applications, blocked categories, proxy bandwidth, and proxy connection count
  The Compliance Reports group gives you information about the traffic on your network that relates to HIPAA and PCI compliance

Audit Reports
  Alarm Summary Report: Summary report of alarm records on the XTM device
  Audit Trail: Detailed list of audited configuration changes for an XTM device
  User Authentication Denied: Detailed list of users denied authentication. Includes date, time, and reason for authentication failure
  Gateway AntiVirus Summary: Gateway AntiVirus action summary

ConnectWise Reports (only available if you have a ConnectWise account and have configured the ConnectWise settings for your Report Server)
  Firebox Statistics: XTM device bandwidth statistics for all interfaces
  Intrusion Prevention Service Summary: All intrusion prevention actions
  Most Popular Domains: Top web sites visited by clients
  WebBlocker (Summary, by Category, and by Client): Statistics and web sites blocked by the WebBlocker service

Exceptions
  Alarms: All alarm records
  Denied packets detail: Detailed report for each incoming or outgoing action
  Denied packets by client detail: Detailed report of all denied packets, grouped by client
  Denied packets by client summary: Summary report of all denied packets, grouped by client

Firebox Reports
  Audit trail: Detailed list of audited configuration changes for an XTM device
  Bandwidth/Transfer Rate (for external interfaces and VPN tunnels): These reports are generated when a Bandwidth report is scheduled. They include information about the bandwidth/transfer rate for external interfaces and VPN tunnels. The data sampling interval is based on the report time range. The minimum interval is 1 minute. The published report samples data every 10 minutes.
  DHCP lease activity: Detailed report of all activity for the DHCP lease
  Firebox statistics: XTM device bandwidth statistics for all interfaces
  User Authentication: Detailed list of users authenticated. Includes login time, logout time, and connection method information
  User Authentication Denied: Detailed list of users denied authentication. Includes date, time, and reason for authentication failure

Gateway AntiVirus Reports
  Detail by email sender: Gateway AntiVirus action details by email sender. Available for SMTP or POP3
  Detail by host (HTTP): Gateway AntiVirus action details by host
  Detail by protocol: Gateway AntiVirus action details by protocol
  Detail by virus: Gateway AntiVirus action details by virus
  Gateway AntiVirus summary: Gateway AntiVirus action summary

Intrusion Prevention Service Reports
  Detail by IP-spoofed packets: Prevention summary details by IP-spoofed packets
  Detail by protocol: Prevention summary details by protocol
  Detail by signature: Prevention summary details by signature
  Detail by source IP: Prevention summary details by source IP
  Detail by threat level: Prevention summary details by severity
  Intrusion Prevention Service Summary: All intrusion prevention actions

Packet-Filter Summaries
  Daily trend: Summary of packet-filter data by time
  Host summary by source: Summary of packet-filter data for hosts by source
  Host summary by destination: Summary of packet-filter data for hosts by destination
  Service summary: Summary of packet-filter data by service
  Session summary: Summary of packet-filter data by session

POP3 Proxy
  POP3 Server summary: POP3 server activity summary
  Recipient summary: POP3 recipient activity

Proxy Traffic
  Proxy daily trend: Proxied traffic summary by time
  Proxy source by hits: Proxied traffic summary of hits by host
  Proxy source by bandwidth: Proxied traffic summary of bandwidth by host
  Proxy destination by hits: Proxied traffic summary of hits by destination
  Proxy destination by bandwidth: Proxied traffic summary of bandwidth by destination
  Proxy session by hits: Proxied traffic summary of hits by session
  Proxy session by bandwidth: Proxied traffic summary of bandwidth by session
  Proxy summary: Proxied traffic summary by proxy

  Reputation Enabled Defense Summary: Summary of Reputation Enabled Defense actions
  SMTP proxy detail: SMTP proxy action records by time
  SMTP server summary: SMTP server activity summary (for internal and external email accounts)
  SMTP email summary: SMTP email activity summary (for internal and external servers)
  Statistics by spam type, action, and spam senders and recipients
  Web audit by category: Web traffic details by category
  Web audit by client: Web traffic details by client

Web Traffic Reports (trends, active clients, most popular domains, WebBlocker information, and web sites blocked by proxy rules; charts are included for the more detailed reports, and you can click a chart to see the detailed report)
  Activity trend: Hourly trend data
  Most active clients detail: Top web traffic clients by name and IP address
  Most popular domains: Top web sites visited by clients
  URL details by client: All URLs in order by client
  URL details by domain: All URLs in order by domain
  URL details by time: All URLs in chronological order

WebBlocker Reports
  WebBlocker summary: Statistics and web sites blocked by the WebBlocker service
  WebBlocker by category: Web sites blocked by category
  WebBlocker by client: Web sites blocked by client

Wireless Intrusion Detection
  Wireless Intrusion Detection Summary: Summary of all Wireless Intrusion Detection actions
Exercise 1:
The Successful Company administrator must configure each XTM device in the network to send log messages to the WatchGuard Log Server. When he configures the logging settings for the XTM device, he adds the IP address of the Log Server to which the device sends log messages and the Log Server encryption key to the device configuration file, and saves the configuration file to the XTM device. Then, when he sets up the Log Server with the same encryption key, the key on the device matches the key on the Log Server and the two can communicate. The XTM device does not establish a connection with the Log Server until it sends its first log message. In this exercise, we use Policy Manager to configure the XTM device to send log messages to the Log Server.
Your instructor may ask you to configure your XTM device to send log messages to a Log Server in the training lab.
3. Select the Send log messages to the log servers at these IP addresses check box. Click Configure.
The Configure Log Servers dialog box appears.
4. Click Add.
The Add Event Processor dialog box appears.
5. In the Log Server Address text box, type your workstation IP address.
6. In the Encryption Key text box, type mylogserverkey.
If the XTM device and Log Server do not connect, enter the encryption keys again. The most common cause of connection problems is encryption keys that do not match.
11. If you have access to an XTM device for this lesson, save the configuration file to the device.
Exercise 2:
In this exercise, the Successful Company network administrator sets up a WatchGuard Log Server. In most organizations, the Log Server is a dedicated computer on the trusted or optional network that runs Microsoft Windows. The network administrator can also put the Log Server on the external network if he has many XTM devices and wants to store log files in a central location. The logging channel is encrypted with the Log Server encryption key, so he does not need a VPN tunnel between the XTM device and the Log Server. If necessary, the administrator can use NAT (network address translation) to route from the external interface to the Log Server behind a firewall. He then configures a WG-Logging policy to open these ports:
TCP 4115: Used by devices with a Fireware XTM OS
TCP 4107: Used by devices with a WFS OS, and by all SOHO, SOHO 6, and older Edge devices
Restrict the From field of that WG-Logging policy to the external IP addresses of the XTM devices that log to this server, so that the Log Server ports are not reachable from every other host on the Internet.
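When a device will not connect to the Log Server, it helps to separate a network problem (NAT rule, WG-Logging policy, host firewall, stopped service) from the key mismatch the earlier note describes. The following is an added example written for this page, not code from the WatchGuard guide: it tests whether the Log Server ports listed above accept a TCP connection from the machine it runs on. The Log Server address 10.0.2.50 used in the demonstration is an assumption, not an address from the guide; the loopback listener exists only so the check can be exercised offline.

```python
import socket

# Added example (not from the WatchGuard guide): confirm that the Log Server's
# listening ports are reachable before re-entering encryption keys. A refused or
# timed-out connection points at a firewall policy, NAT rule or stopped service
# rather than at a key mismatch.

LOG_SERVER_PORTS = {
    4115: "Fireware XTM OS devices",
    4107: "WFS OS devices, SOHO, SOHO 6 and older Edge devices",
    4130: "Log and Report Manager (WG-LogViewer-ReportMgr policy)",
}


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within `timeout` seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError:
            # Connection refused: nothing is listening (service stopped, wrong host).
            # Timeout: a firewall or NAT rule is silently dropping the SYN.
            return False
        return True


def check_log_server(host: str, ports=LOG_SERVER_PORTS, timeout: float = 3.0) -> dict:
    """Map each Log Server port to whether it is reachable from this machine."""
    return {port: port_reachable(host, port, timeout) for port in ports}


def open_local_listener():
    """Loopback listener on an ephemeral port, so the check can be demonstrated offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Hypothetical Log Server on the optional network (assumption, not from the guide).
    host = "10.0.2.50"
    for port, reachable in check_log_server(host, timeout=1.0).items():
        state = "open" if reachable else "blocked or closed"
        print(f"{host}:{port} ({LOG_SERVER_PORTS[port]}): {state}")
```

Run it from a host on the same side of the XTM device as the device's logging traffic originates; a check that succeeds from the trusted network but fails from the external side is exactly the WG-Logging policy or NAT rule this exercise sets up. Once the port answers, a device that still fails to log almost always has the key problem described in Exercise 1.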
1. Right-click
Exercise 3:
In this exercise, we configure the Log Server to comply with the Successful Company document archive policy. At Successful Company, the network administrator must back up critical network data, such as log messages, to a secure drive at least once a week. Because the Log Server and Report Server are installed on the same computer, they share a PostgreSQL database. We must make sure that the combined maximum database size settings of the Log Server and the Report Server do not exceed 50% of the total disk space available on the primary operating system partition of the server computer, so that the two servers cannot use more disk space than is available. We will also select the built-in PostgreSQL database that is installed with the Log Server.
2. In the Maximum Database size text box, type the maximum allowable size in gigabytes for the Log Server database.
Make sure that this setting, combined with the maximum size you specify for the Report Server database, does not exceed 50% of the disk space on the server computer.
3. Click Apply to save your settings.
4. Select the Database Maintenance tab.
5. In the Database Backup Settings section, select the Backup log messages automatically check box.
To use an existing PostgreSQL database on another computer, select the External PostgreSQL database option.
1. Select the Notification tab.
2. In the Events > Send an email notification section, select the When a failure event occurs on this Log Server and the When an event notification is received from any device or server check boxes.
3. In the SMTP Server Settings section, in the Outgoing email server (SMTP) text box, type mail.myexample.com. To change the port for connections to the SMTP server, type the SMTP server address in the format <server address>:<port number>.
4. Select the Send credentials to the email server check box.
5. In the User Name text box, type netadmingroup.
6. In the Password text box, type mailpassword.
If the SMTP server you are using for this training accepts connections on a port other than port 25 (the default port for SMTP traffic), you can change the port. When you type the domain name of a mail host, the Log Server tries to do a DNS lookup on the mail host. In this exercise, the DNS lookup fails because myexample is a fictitious domain.
7. In the Notification Setup section, in the Send email to text box, type administrator@myexample.com.
8. In the Send email from text box, type netadmin@myexample.com.
9. In the Subject text box, type Log Server Notification.
4. Open Policy Manager for your XTM device. 5. Select Setup > Logging.
The Logging Setup dialog box appears.
7. Select the Log Server IP address in the list, and click Edit.
The Edit Event Processor dialog box appears.
8. In the Encryption Key and Confirm Key text boxes, type myencryptionkey.
9. Click OK to close the Edit Event Processor dialog box.
10. Click OK to close the Configure Log Servers dialog box.
11. Click OK to close the Logging Setup dialog box.
12. Save the configuration file to the XTM device.
13. Repeat Steps 4 through 12 for each XTM device that sends log messages to this Log Server.
Exercise 4:
Log and Report Manager is the WatchGuard System Manager web UI tool that you can use to find details about the traffic through your network. You can choose to see the data in your log files page by page, or you can search by key words or specific log fields to find a particular log message. This is helpful when you want to troubleshoot a problem on your network.

Log and Report Manager is available to you after you install either the Log Server or Report Server software. If you install your Log Server and your Report Server on the same computer, you can use one web UI to look at both your log messages and your reports. If you install them on separate computers, you must connect to the Log and Report Manager for each server separately.

To use Log and Report Manager from a computer that is external to your XTM device when your Log Server is behind the XTM device, you must open a port to allow the Log and Report Manager traffic between the Log Server and the IP address of your external computer. To open the correct port, add the WG-LogViewer-ReportMgr packet filter policy to the configuration file of the XTM device that is your gateway Firebox. For more information about how to add a policy to your configuration, see the Policies module.

In this exercise, we will enable certain Successful Company users to connect to Log and Report Manager to view log messages and reports, use the Log and Report Manager Search tool to troubleshoot a problem with email reception on the Successful Company network, and export log messages to a CSV file.
1. Open WatchGuard System Manager and click the Log Manager toolbar icon, or select Tools > Logs > Log Manager.
The Server Login dialog box appears.
2. Type the Server IP address, Port, User Name, and Passphrase for your Log Server. 3. Click Login.
Log and Report Manager appears, with the LOGS > Devices page selected.
If you are attending a class, your instructor will provide the credentials for the Log Server.
5. To view a specific log type, at the top of the page, select the tab for the log type.
The log messages list is updated to include only log messages of the type you selected.
Run a Search
The Successful Company support team manager has contacted you because the support team is not receiving email requests from Big Client A. To find out what is happening to email from Big Client A, you will run a search query to see whether traffic from Big Client A's email server is passing through your XTM device to your email server.

You can use Log and Report Manager to search for any details included in the log messages for your devices that are logging to your Log Server. You can start a search from either the main Logs > Search page or from any Device page. From the Device page, when you specify the text to search on and click Search, the Web UI automatically switches to the Search page and populates the form with the text you specified.

When you run a search, you can search the log messages for only one device at a time. You can save your search parameters for each device so you can run them again for that device, but you cannot run saved search parameters for a different device. Each time you want to run a new search for a different device, you must specify the parameters to search on. To refine your search, you can specify the time range and select a log type to search for.

By default, the Search page includes one search query block. To run a simple search, just type the text to search on in one text box in the default search query block. To run a complex search with an AND operator, specify text to search on in more than one text box in a single search query block. To run a complex search that includes an OR operator, add another search query block. You can add up to nine search query blocks to your search.

As part of your search parameters, you can specify the names of columns to search in. Though you can search any column included in your log files, some of the columns that are most often searched are: policy, protocol, src_ip, src_port, dst_ip, dst_port, src_intf, dst_intf, app_name, and app_cat_name.

For more information about how to use Log and Report Manager, see the Logging and Reporting topics in the Fireware XTM WatchGuard System Manager Help. For this exercise, we will use Log and Report Manager to run a search query that inspects the traffic from Big Client A that was not allowed through the firewall. To search the Traffic log messages on the Log Server for all traffic from Big Client A's source IP address that was denied, we will include the src_ip and disp columns in the query text.
To run a search from the Log and Report Manager Search page:
2. Select a device.
The Search page appears with the one search query block displayed.
3. From the Time Range drop-down list, select the amount of time to include in your search. For this example, select Last 6 Hours.
4. In the Log Type drop-down list, Traffic is selected by default. Do not change this selection.
5. In the ANY of these words text box, type the IP address to search for. For this example, we type the column to search in and the IP address to search for in this format: src_ip=<IP address>.
6. In the ALL of these words text box, type the disposition of the traffic. For this example, we want to find all traffic from the specified IP address that was denied, so we type disp=Deny.
7. Click Search.
The Search results are refined to include only log messages for traffic from the specified source IP address that was denied access through the firewall.
If you are attending a class, your instructor will provide the source IP address for your search. If you want to test this outside of a class, you can search on any IP address in the Source column.
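The search semantics described in this exercise (one log type at a time, a time range, AND within a query block, OR across up to nine blocks, and column=value terms such as src_ip and disp) are easy to reproduce against an exported log file, which is useful when you want to re-run the Big Client A query against a CSV export rather than the live server. The following is an added example written for this page, not WatchGuard code, and it also covers the five log types listed in the Log Messages section, since the type filter is applied first. The sample records are constructed for the example: their key=value layout is this example's own, not WatchGuard's log format; only the column names (src_ip, dst_ip, disp, policy and so on) come from this page, and 203.0.113.50 is an assumed address for Big Client A's mail server.

```python
import csv
import io
from datetime import datetime, timedelta

# Added example (not WatchGuard code): a small model of the Log and Report
# Manager search. Query blocks are ORed together; inside a block the
# "ALL of these words" terms are ANDed and at least one "ANY of these words"
# term must match. A term written column=value matches that column exactly;
# a bare word matches anywhere in the record.

# Constructed sample log messages (not WatchGuard's wire format). The log type
# is carried in each record, as the page says it is for real messages.
SAMPLE_LOG = """\
time=2013-03-04T09:15:02 log_type=Traffic policy=SMTP-proxy protocol=tcp src_ip=203.0.113.50 src_port=51021 dst_ip=10.0.2.25 dst_port=25 src_intf=External dst_intf=Optional-1 disp=Deny
time=2013-03-04T09:15:40 log_type=Traffic policy=SMTP-proxy protocol=tcp src_ip=203.0.113.50 src_port=51022 dst_ip=10.0.2.25 dst_port=25 src_intf=External dst_intf=Optional-1 disp=Allow
time=2013-03-04T09:16:11 log_type=Traffic policy=Unhandled-External-Packet protocol=tcp src_ip=203.0.113.50 src_port=51030 dst_ip=203.0.113.10 dst_port=445 src_intf=External dst_intf=Firebox disp=Deny
time=2013-03-04T09:17:05 log_type=Traffic policy=HTTP-proxy protocol=tcp src_ip=10.0.1.120 src_port=40001 dst_ip=198.51.100.7 dst_port=80 src_intf=Trusted dst_intf=External disp=Allow
time=2013-03-04T09:18:30 log_type=Event msg=admin_login src_ip=10.0.1.5 disp=Allow
time=2013-03-01T08:00:00 log_type=Traffic policy=SMTP-proxy protocol=tcp src_ip=203.0.113.50 src_port=50001 dst_ip=10.0.2.25 dst_port=25 src_intf=External dst_intf=Optional-1 disp=Deny
"""

MAX_QUERY_BLOCKS = 9  # the limit Log and Report Manager imposes


def parse_records(text: str) -> list:
    """Turn key=value lines into dicts, with 'time' parsed to a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.split())
        rec["time"] = datetime.fromisoformat(rec["time"])
        records.append(rec)
    return records


def term_matches(rec: dict, term: str) -> bool:
    if "=" in term:
        column, value = term.split("=", 1)
        return rec.get(column) == value
    return any(term in str(v) for v in rec.values())


def block_matches(rec: dict, block: dict) -> bool:
    if not all(term_matches(rec, t) for t in block.get("all", [])):
        return False
    any_terms = block.get("any", [])
    return not any_terms or any(term_matches(rec, t) for t in any_terms)


def search(records, blocks, log_type="Traffic", start=None, end=None) -> list:
    """Records of one log type, inside [start, end], matching any query block."""
    if not 1 <= len(blocks) <= MAX_QUERY_BLOCKS:
        raise ValueError(f"a search needs 1 to {MAX_QUERY_BLOCKS} query blocks")
    hits = []
    for rec in records:
        if rec.get("log_type") != log_type:
            continue
        if start is not None and rec["time"] < start:
            continue
        if end is not None and rec["time"] > end:
            continue
        if any(block_matches(rec, b) for b in blocks):
            hits.append(rec)
    return hits


def denied_traffic_from(records, src_ip: str, now, hours: int = 6) -> list:
    """The exercise's query: Traffic messages from src_ip with disp=Deny in the last N hours."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    blocks = [{"any": [f"src_ip={src_ip}"], "all": ["disp=Deny"]}]
    return search(records, blocks, "Traffic", start=now - timedelta(hours=hours), end=now)


def to_csv(records, columns=("time", "policy", "src_ip", "src_port", "dst_ip", "dst_port", "disp")) -> str:
    """Export results as CSV, one row per message, like the ZIP/CSV download."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(columns), extrasaction="ignore")
    writer.writeheader()
    for rec in records:
        writer.writerow({**rec, "time": rec["time"].isoformat()})
    return buf.getvalue()


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    hits = denied_traffic_from(records, "203.0.113.50", "2013-03-04T10:00:00")
    print(to_csv(hits))
```

Against the constructed sample, the exercise's query returns the two denials inside the six-hour window and drops the older one, which is the answer the support manager needs: the SMTP-proxy denial shows the client's mail server is being blocked by policy rather than never reaching the device. The Event record is excluded because the log type is filtered before the query blocks are applied, exactly as the Log Type drop-down does.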
Because the Successful Company Administrator might want to run this search again later, he decides to save the search so he can run it again. To save search parameters for a specific device:
1. From the LOGS > Search page for a device, click Save.
The Opening search.query dialog box appears.
2. Select Save File and click OK.
3. Browse to select a location to save the search query file and type a descriptive name for the search query file. For this example, type search1.query.
Make sure to choose a file name that will make it easy to identify the search query when you want to run the search again.
4. Click Save.
The search1.query file is saved in the location you selected.
When the Successful Company Administrator wants to run a saved query for a device again, he simply loads the search query file and runs the search again.
1. From the LOGS > Search page for a device, click Load.
The Load Search Query dialog box appears.
3. Click OK.
The Search page is refreshed to include the details specified in the search query file and the search results are updated to include only those results that match the specified search query.
4. Select the Start date and time, and End date and time. For this exercise, select last Monday from 12:00 to 22:00.
5. Click OK.
The Log Messages page is updated with only the log messages for the specified date and time.
7. Select whether to open the ZIP file or save it to a location on your computer. Click OK.
8. If you save the file, browse to select a location.
9. (Optional) Type a file name for the ZIP file.
10. Click Save.
The ZIP file is saved to the specified location on your computer.
11. Browse to the location where you saved the ZIP file, open the file, and extract the CSV file.
The Successful Company administrator can now open the CSV file and review the log messages, or import the CSV file to another program or to the WatchGuard Log Server.
Exercise 5:
Successful Company network administrators decide that, for performance reasons, they are going to install the Report Server on a different computer than the management computer. In this exercise, we configure their Report Server. Before you configure the Report Server, you must run the WatchGuard Server Center Setup Wizard, which sets up the Report Server. After the Report Server is set up, you can use the WatchGuard Server Center Report Server pages to finish your Report Server configuration.
1. Right-click
5. In the IP address text box, type the IP address of your Log Server.
In most training environments, this is the same IP address as your management computer.
7. Click OK.
The IP address of the Log Server appears in the list of Log Servers. A single Report Server can consolidate data from more than one Log Server.
2. In the Number of records included in each summary report text box, type 75.
3. In the Report Schedules section, click Add.
The New Schedule dialog box appears.
4. In the Schedule Name text box, type the name for this schedule. For this example, type All Devices - No GAV-IPS.
5. In the Devices list, select the check box for each device to include in this report generation schedule. For this example, select the All Devices check box.
6. In the Report types list, select the check box for each report to include in this schedule. For this example, clear the Gateway AntiVirus Reports and Intrusion Prevention Service Reports check boxes.
7. In the Report Schedule section, select Run recurrently.
8. From the Run recurrently drop-down list, select Weekly.
9. From the Recur every week on drop-down list, select Monday.
Logging and Reporting 63
10. In the Range of recurrence section, keep the default setting of No end date.
11. Select the Advanced Settings tab.
12. Select the Generate reports for external use check box.
13. Select an option to specify how reports are generated for device groups:
- One report for each device in the group
- One report with combined data for all devices in the group
For this exercise, select One report with combined data for all devices in the group.
14. Select a format: HTML or PDF. For this exercise, select PDF.
15. From the Display dates and times using drop-down list, select the time zone you want to appear in the reports: My local time zone or UTC.
16. (Optional) From the Location drop-down list, select the location where you want the report to be saved.
17. Click OK.
The schedule appears in the Report Schedules list.
18. Click Apply to save your configuration changes to the Report Server.
Exercise 6:
After you create a report schedule on your Report Server to generate specific reports, you can use Log and Report Manager to review and share the reports created from log message data. You can review the Available Reports that you configured your Report Server to generate on the Daily or Weekly tabs. You can also generate real-time On-Demand or Per Client reports. In this exercise, the Successful Company network administrator connects to Log and Report Manager to review an Available Report and to generate an On-Demand report.
1. Open WatchGuard System Manager and click . Or, select Tools > Logs > Report Manager.
The Server Login dialog box appears.
2. Type the Server IP address, Port, User Name, and Passphrase for your Report Server.
3. Click Login.
Log and Report Manager appears. If your Log Server is installed on the same computer, the LOGS > Devices page is selected. If your Log Server is not installed on the same computer, the REPORTS > Devices page is selected.
If you are attending a class, your instructor will provide the credentials for the Report Server.
4. If necessary, select REPORTS > Devices.
5. In the Devices list, select your XTM device.
The Device page appears for your device, with all of the Available Reports that have been scheduled for this device.
View Reports
After you connect to Log and Report Manager, you can select the reports to view or generate.
3. From the Daily calendar, select a date to see the Available Reports for that day.
4. From the Available Reports list, select a report to view.
The selected report appears.
66 WatchGuard Fireware XTM Training
5. To view the report data by hosts instead of by users, select Hosts.
6. If the report includes links to client data, you can click the client data detail to open a Per Client report.
To generate an On-Demand report:
2. Put your cursor in the Start text box to select the start date and time for the report.
The date and time selection calendar appears.
3. Select a month and day from the calendar. Slide the time selectors to specify the hour and minute. Or, click Now to select the current date and time.
4. Click Done.
The selected date and time appears in the Start text box.
5. Put your cursor in the End text box and select the end date and time for the report. Click Done.
6. From the Select a report type drop-down list, select the type of report to generate.
7. Click Run Report.
The selected report is generated.
It can take a few moments to generate the report. The longer the time range for the report, the longer it takes to generate the report.
Exercise 7:
Share Reports
In this exercise, the Successful Company network administrator uses Log and Report Manager to view a weekly report, and then generates a PDF of the report to send to his manager. He also makes a hard copy for the Sarbanes-Oxley auditors.
1. From any report page, at the top right of the page, click
The Opening file dialog box appears.
2. Select the Save file option.
3. Click OK.
4. Select a location to save the PDF file.
5. Click Save.
The PDF is saved in the selected location.
The network administrator can now send the PDF to his manager and print a copy for the auditors.
1. What is the default location for a WatchGuard log file?
2. True or false? The XTM device can send log messages only to one WatchGuard Log Server.
3. Which logging component is responsible for sending notification email messages when an event occurs on the XTM device that triggers notification? (Select one.)
A) B) C)
4. Which of these log configuration settings are available in Policy Manager? (Select all that apply.)
A) Scheduling reports
B) Setting the maximum size for a log database file
C) Setting the log encryption key
D) Selecting a backup Log Server for log messages
E) Setting the mail host and email address for email notifications
F) Configuring email notification for denied SMTP packets
5. Which of these log configuration settings are available in WatchGuard Server Center in the Log Server configuration pages? (Select all that apply.)
A) Scheduling reports
B) Setting the maximum size for a log database file
C) Setting the log encryption key
D) Selecting a backup server for log message database files
E) Setting the mail host and email address for email notifications
F) Configuring email notification for denied SMTP packets
6. True or false? Log files created by an XTM device with Fireware XTM OS are stored in a proprietary format.
7. True or false? Log and Report Manager automatically saves the search queries you run.
8. True or false? When you run a search query, it applies to all the devices that are connected to your Log Server.
9. True or false? You can export the log messages for more than one device at the same time.
10. True or false? You can use Log and Report Manager to generate an On-Demand Report about more than one XTM device at the same time.
11. True or false? You can save a search query for a specific device to run it again for only that device.
12. Which tool is used in the WatchGuard reporting architecture? (Select all that apply.)
A) Report Server
B) Quarantine Server
C) Log Server
D) XTM device
E) Active Directory Server
F) Log and Report Manager
13. Circle the WatchGuard tool you use to configure each of the following:
Task                                                    Tool (circle one)
Select Log Server used by an XTM device                 Policy Manager | Report Server | Log Server | Log and Report Manager
Set number of HTML records per report                   Policy Manager | Report Server | Log Server | Log and Report Manager
Select Log Server polled by Report Server               Policy Manager | Report Server | Log Server | Log and Report Manager
Set the frequency reports are generated                 Policy Manager | Report Server | Log Server | Log and Report Manager
Generate a PDF of a report                              Policy Manager | Report Server | Log Server | Log and Report Manager
Set the date range for a report                         Policy Manager | Report Server | Log Server | Log and Report Manager
Select reports to run on a daily or weekly schedule     Policy Manager | Report Server | Log Server | Log and Report Manager
14. True or false? You can use Log and Report Manager to configure any report and send it in an email.
15. True or false? To connect to Log and Report Manager, use the IP address of your XTM device.
16. True or false? You can email a PDF of a report directly from Log and Report Manager.
ANSWERS
1. Documents and Settings\WatchGuard\logs
2. False. The XTM device can send log messages to one or more WatchGuard Log Servers, a syslog server, or the XTM device internal database.
3. B. Log Server. The Log Server sends a notification email in response to the log message it receives from the XTM device.
4. C, D, F
5. B, C, E
6. False. Log messages are stored in a SQL database file.
7. False. You cannot save a search query to run it again later.
8. False. You can only run a search query on one device at a time.
9. False. You can export the log messages for only one device at a time.
10. False. From Log and Report Manager, you can only generate an On-Demand report for one device at a time.
11. True. You can save a search query for a device to run it again later for the same device. You cannot save search query parameters to run the same search for a different device.
12. A, C, D, F
13.
Select Log Server used by an XTM device: Policy Manager
Set number of HTML records per report: Report Server
Select Log Server polled by Report Server: Report Server
Set the frequency reports are generated: Report Server
Generate a PDF of a report: Report Server, Log and Report Manager
Set the date range for a report: Report Server, Log and Report Manager
Select the reports to run on a daily or weekly schedule: Report Server
14. False. You can run On-Demand and Per Client reports from Log and Report Manager and generate a PDF of each report, but Log and Report Manager cannot connect to your email program to open an email message and attach the PDF to the message.
15. False. Use the IP address of your Log Server or Report Server to connect to Log and Report Manager over port 4130.
16. False. You can generate a PDF of a report from Log and Report Manager, but you must save it and attach it to an email message in your own email editor.
Before you begin these exercises, make sure you read the Course Introduction module. In this module, you will connect to one or more WatchGuard XTM devices. If you take this course with a WatchGuard Certified Training Partner, your instructor will provide the IP address and passphrases for devices used in the exercises. For self-instruction, you can safely connect to an XTM device on a production network. You will not change the configuration files of any device.
If you change the view from connections to bandwidth, Firebox System Manager remembers the setting the next time you start the application.
Authentication List
Identifies the IP addresses and user names of all the users that are authenticated to the device. Includes a Summary section with the number of users authenticated for each authentication type, and the total number of authenticated users. To disconnect an authenticated user, right-click the user name and close the authenticated session.

Blocked Sites
Lists all the sites currently blocked by the device. From this tab, you can remove a site from the temporary blocked sites list.

Subscription Services
Shows the status of Gateway AntiVirus, Intrusion Prevention Service, Application Control, spamBlocker, and Reputation Enabled Defense. From here, you can also perform a manual update of the signature databases used by Gateway AV, IPS, and Application Control. This tab is active only if you have purchased these services.

From the Firebox System Manager toolbar, you can also launch other XTM device monitoring tools, including:

Performance Console
Used to prepare graphs based on device performance counters to better understand how your device is functioning.

HostWatch
Shows the network connections between the selected networks.

If any of your Subscription Services have expired, an expired service warning appears on the Front Panel tab for each expired service. The Renew Now button also appears at the top of Firebox System Manager. To renew your subscription to the expired services, you can click Renew Now. You can also choose to hide the expired service warnings. For more information, see the Fireware XTM WatchGuard System Manager Help.
Exercise 1:
The Successful Company network administrator has now saved a basic configuration to his XTM device and has installed and configured a Management Server, Log Server, and Report Server. We can now look at this network security infrastructure with WatchGuard System Manager (WSM). From the Windows desktop:
1. Select Start > All Programs > WatchGuard System Manager 11.5.2 > WatchGuard System Manager 11.5.2.
2. Click .
3. Type the trusted IP address of the XTM device you want to connect to.
Use your device IP address, or get the IP address from your instructor.
For this exercise, your instructor may have you connect to the training lab XTM device to provide more traffic for the exercises.
Expanded information for each XTM device includes the IP address and subnet mask of each device interface. It also includes:
- IP address and netmask of the default gateway (for external interfaces only).
- Media Access Control (MAC) address of the interface.
- Number of packets sent and received on each interface since the last device restart.

Each device can be in one of four possible operation modes. The current mode is shown by the appearance of the device icon:
- Usual operation. The device is successfully sending data to WatchGuard System Manager.
- The device has a dynamic IP address and has not yet contacted the Management Server.
- WatchGuard System Manager cannot make a network connection to the device at this time.
- The device is being contacted for the first time or has not been contacted yet.
The Device Status tab also includes information on Branch Office VPN Tunnels and Mobile VPN tunnels.
Exercise 2:
The Firebox System Manager Front Panel tab has a group of indicator lights in the shape of a triangle or star to show the direction and volume of the traffic between the XTM device interfaces. The points of the star and triangle show the traffic that flows through the interfaces. Each point shows incoming and outgoing connections with different arrows. When traffic flows between the two interfaces, the arrows show the direction of the traffic.

In the star figure, the location where the points come together can show one of two conditions:
- Red (deny): The XTM device denied a connection on that interface.
- Green (allow): Traffic flows between this interface and a different interface (but not the center) on the star. When traffic flows from this interface to the center, the point between these interfaces shows as green arrows.

In the triangle, the network traffic shows in the points of the triangle. The points show only the idle and deny conditions.

If you use the star figure, you can customize which interface is in the center. The default star figure shows the external interface in the center. When you put a different interface in the center, you can see all traffic between that interface and the other interfaces. All allowed and denied traffic is relative to the interface in the center of the diagram. You see no information about traffic between interfaces on the perimeter of the star.

In this exercise, you start Firebox System Manager and change the status display.
2. Type your XTM device trusted IP address and the status passphrase. Click OK.
3. On the Device Status tab, select the XTM device.
4. Click
Firebox System Manager appears. It contacts your XTM device and gets data about network traffic, interface settings, and other status information.
5. As shown in the upper-left corner of the FSM window, the default mode shows the interfaces in a star shape.
[Figures: 3 Port Star, 6 Port Star, 10 Port Star]
To switch to the triangle display, click the triangle icon in the top-right corner above the star display.
7. Click the red ball next to eth0 to move it back to the center of the display.
2. Select an entry in Traffic Monitor and right-click it.
3. In the Source IP address menu, select traceroute. This executes the tracert command against the IP address identified as the source of the packet.
The Diagnostic Tasks dialog box appears with the results of the traceroute. Traceroute is a utility that traces a packet from your computer to an Internet host. This shows how many hops the packet needs to reach the host and how long each hop takes.
The number of hops and the response time of each hop determine how long it takes for the results to appear. The results do not appear until the traceroute is complete.
From Traffic Monitor, you can run a variety of diagnostic tasks. In the previous exercise, we ran a traceroute task directly from Traffic Monitor to find how many hops a packet took and how much time each hop took to reach the destination IP address. In addition to traceroute tasks, you can also run Ping, DNS Lookup, and TCP Dump tasks. When you run a task, in addition to the standard parameters for each task, you can include arguments to help refine the search results. To help you diagnose problems with the traffic on your network, you can complete a TCP dump task and download a packet capture (PCAP) file, which includes the results of the last TCP dump task that you ran. You can then open the PCAP file in a third-party tool, such as Wireshark, and review the protocols in the PCAP file to find any issues in your network configuration.

To run a TCP dump and export a PCAP file:
1. In Traffic Monitor, right-click anywhere and select Diagnostic Tasks. Or, select Tools > Diagnostic Tasks.
The Diagnostic Tasks dialog box appears, with the Network tab selected.
5. When the TCP dump has collected enough results, click Stop Task.
The TCP dump task stops and the Save Pcap file button appears.
7. Specify a file name and a location to save the PCAP file.
8. Open the PCAP file in a tool such as Wireshark, and review the protocols to diagnose the issues on your network.
When you specify the task details to search on, you can also include detailed arguments in your search parameters. We did not use this feature in this exercise, but it is helpful if you want to narrow your search results.
1. Select the Advanced Options check box.
2. In the Arguments text box that appears, type the parameters to include in the search.
The -w argument is not available.
2. Select the Traffic Denied tab.
3. In the Traffic Denied list, select source ip.
4. Click the Text Color button.
The Text Color button shows the current color selected for source ip log messages.
Exercise 3:
Performance Console is an XTM device utility that you use to monitor different performance counters on the device. With Performance Console, you define counters that identify the information that you want to see. You can see the information displayed as a graph, or export it to a third-party application.

The Counter Configuration settings you see depend on the chart counter type that you select. Not all settings are available for all chart types. Available settings include:

Chart Window
<New Window> opens the new chart in a new window. If there is a chart already open, you can choose to show both charts in the same window.

Poll Interval
Set how frequently data is gathered from the XTM device.

Type
Use this drop-down list to select the type of graph to create: Rate, Difference, or Raw Value. Suppose you want to graph value_1 at time_1, value_2 at time_2, and so on.
- Rate: If you create a graph by rate, you use the value difference divided by the time difference: (value_2-value_1)/(time_2-time_1), (value_3-value_2)/(time_3-time_2), and so on.
- Difference: If you specify difference, you use the increase from the previous value to the new value: value_2-value_1, value_3-value_2, and so on.
- Raw Value: If you specify raw value, you use the value only: value_1, value_2, and so on. The raw values are generally counters of content such as bytes or packets. The raw values can only increase, not decrease.

Policy
To view the data for the traffic that is passing through an individual policy, select that policy from the drop-down list.

Save Chart Data to File
Select this check box to save the data collected by the Performance Console as an XML (Extensible Markup Language) file or a CSV (comma-separated value) file. For example, you can open an XML data file in Microsoft Excel to see the counter value recorded for each polling interval. You can use other tools to merge data from more than one chart.
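The three chart types carried through on polled counter samples, as an added example that is not part of the guide or of WatchGuard's software. The sample polls are constructed, and treating a counter value lower than its predecessor as a reset (skipping that interval) is an assumption of the example, since the guide only says that raw counters never decrease.

```python
"""Rate, Difference and Raw Value series as described for the Performance
Console, computed from (time, value) polls of one counter."""
import csv
import io

# Constructed polls of a byte counter: (seconds since start, counter value).
# The last poll is lower than the one before it, modelling a device restart.
SAMPLES = [(0, 1000), (5, 1500), (10, 2500), (15, 2500), (20, 300)]

CHART_TYPES = ("Rate", "Difference", "Raw Value")


def chart_points(samples, chart_type):
    """Return the (time, y) points for one chart type."""
    if chart_type not in CHART_TYPES:
        raise ValueError("unknown chart type: " + chart_type)
    if chart_type == "Raw Value":
        return list(samples)                      # value_1, value_2, ...
    points = []
    for (t_prev, v_prev), (t_cur, v_cur) in zip(samples, samples[1:]):
        if t_cur <= t_prev or v_cur < v_prev:     # bad interval or counter reset
            continue
        delta = v_cur - v_prev                    # value_2 - value_1
        if chart_type == "Difference":
            points.append((t_cur, delta))
        else:                                     # Rate: delta over the poll interval
            points.append((t_cur, delta / (t_cur - t_prev)))
    return points


def chart_csv(samples, chart_type):
    """Render the chart data as CSV, as Save Chart Data to File would."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["time", chart_type])
    writer.writerows(chart_points(samples, chart_type))
    return buf.getvalue()


if __name__ == "__main__":
    for kind in CHART_TYPES:
        print(chart_csv(SAMPLES, kind))
```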
In this exercise, you use Firebox System Manager and your local XTM device to create a Performance Console graph that shows the utilization of the device CPU.
1. Click
2. In the Available Counters list, expand System Information and select CPU Utilization.
3. Click OK.
The CPU Utilization chart appears in the Configured Charts list.
5. Click Close.
Exercise 4:
HostWatch is an application that shows the network connections between the networks you select. HostWatch also gives information about users, connections, and network address translation (NAT). The top part of the HostWatch window has two sides. On the left side, you set the interface. The right side has a list of all the other interfaces. HostWatch shows the connections to and from the interface that appears on the left side. In this exercise, you use HostWatch to view the activity on the training network.

Domain name server (DNS) resolution does not occur immediately when you start HostWatch. When HostWatch is configured for DNS resolution, it replaces the IP addresses with the host or user names. If the XTM device cannot identify the host or user name, the IP address is used instead.
1. Click
2. To select an interface, right-click the current interface name and select a new interface. Or, select View > Interface and select a new interface.
3. As you view the connections through the XTM device, double-click an item on either side.
The Connections For dialog box appears and shows information on the connections for that item.
4. In the HostWatch window, to add the source IP address of any connection to the Blocked Sites list, right-click it and select Block Site.
The Choose Expiration dialog box appears.
5. Set the time period to block the IP address. Click OK.
6. Type the configuration passphrase when prompted. Click OK.
The IP address is added to the temporary blocked sites list for the period of time you set here.
7. Close HostWatch.
Exercise 5:
The Blocked Sites list shows all the sites currently blocked as a result of the rules defined in Policy Manager. On the Blocked Sites tab, you can add sites to the list, or remove blocked sites. In this exercise, you remove the blocked site you added in the HostWatch exercise. You then add a site to the list.
2. From the Blocked IP List, select the IP address you just blocked. Click Delete in the lower-right corner.
The Delete Site(s) dialog box appears.
3. To remove the IP address from the Blocked Sites list, type the configuration passphrase and click OK.
4. To add a site, click the Add button at the bottom of the dialog box.
The Add Temporary Blocked Site dialog box appears.
Exercise 6:
When you purchase an option for your XTM device, you add a new feature key to your configuration file. You can use either Firebox System Manager or Policy Manager to see the current list of feature keys for your XTM device. To add a new feature key to a device, you use Policy Manager.
1. Open the configuration file you are editing for these exercises.
2. Select Setup > Feature Keys.
The Firebox Feature Keys dialog box appears.
3. Click Import.
The Import Firebox Feature Key dialog box appears.
Complete this exercise in class only if your instructor requests that you do so and provides you with an updated feature key.
4. Click Browse and select your feature key file. Or, open your feature key file, copy the contents, and in the Import Firebox Feature Key dialog box, click Paste.
You can purchase this key from WatchGuard. If you attend a WatchGuard Certified Training course, you will receive this key from your instructor.
5. Click OK to close the Import Firebox Feature Key dialog box.
6. Click OK to close the Firebox Feature Keys dialog box.
7. Save the configuration file to the XTM device.
You cannot use an optional feature until you add the feature key to the configuration file and save it to your XTM device.
1. True or false? Performance Console is used to prepare graphs that show various XTM device functions based on performance counters.
2. Which of the following monitoring tools can be viewed directly in a Firebox System Manager tab? (Select all that apply.)
A) CA Manager
B) Bandwidth Meter
C) HostWatch
D) Policy Manager
E) Traffic Monitor
3. True or false? A PCAP file includes packet information about the protocols that manage traffic on your network.
4. True or false? You can save a PCAP file and open it later in Traffic Monitor.
5. True or false? You can add a site to the Blocked Sites list from HostWatch.
6. True or false? Service Watch is a monitor that provides a real-time display of the bandwidth consumed by policies on the XTM device.
7. Match the correct monitoring tool to each task:
1) Service Watch
2) HostWatch
3) Log Server
4) Subscription Services
5) Traffic Monitor
6) Blocked Sites List

a. Ping the source of a denied packet
b. Not a Fireware XTM monitoring tool
c. View a list of users connected through the XTM device
d. Add an IP address for the XTM device to block all traffic
e. Learn the status of your IPS signature database
f. See the volume of traffic generated by each proxy policy
ANSWERS
1. True
2. B and E
3. True
4. False. You can save a PCAP file and open it in a third-party tool, such as Wireshark.
5. True
6. True
7. 1: f, 2: c, 3: b, 4: e, 5: a, 6: d
NAT
Use Network Address Translation
What You Will Learn
As with many routing devices, your XTM device can use network address translation (NAT) to conceal the IP address space of your network. In this training module, you learn how to:
- Learn the forms of NAT available with the XTM device
- Add more IP addresses to which the device will apply dynamic NAT
- Use static NAT to protect public servers

Before you begin these exercises, make sure you read the Course Introduction module.
NAT Overview
NAT is an important tool for today's network administrators. Fireware XTM gives you great flexibility for controlling when and how NAT is applied. When a computer sends traffic through an XTM device interface and the traffic flow matches a NAT rule, the device changes the IP address to an assigned value before the traffic reaches its destination. When the XTM device sees the response, it restores the original IP address to send the response to the computer that made the request. In general, these rules can help you understand the different types of NAT:
- Dynamic NAT is used for traffic that goes out to the Internet from behind the XTM device.
- Static NAT is used for traffic that comes in to your network from the Internet.
- 1-to-1 NAT is used for traffic in both directions.
Dynamic NAT
When dynamic NAT is enabled, your XTM device changes the source IP address of each outgoing connection to match the IP address of the device interface that the connection goes out through. For traffic that goes to an external network, packets go out through the device external interface, so dynamic NAT changes the source IP address to the device external interface IP address. The XTM device tracks the private source IP address and destination address, as well as other IP header information such as source and destination ports, and protocol.
Dynamic NAT is also known as IP masquerading.
Dynamic NAT is normally applied to connections that start from behind the device. When dynamic NAT is applied to a packet, Fireware XTM tries to always keep the same source port that the requesting client used. The source port is changed only if necessary, for example, if two internal clients use the same source port to access the same web server. However, the source IP address is always changed when dynamic NAT is applied. When the response returns to the same device interface from which the original connection exited, the firewall examines its connection state table and finds the original source IP address. It reverses the NAT process to send the packet to the correct host. With Fireware XTM, dynamic NAT is enabled by default in the NAT Setup dialog box. By default, dynamic NAT is applied to any connection that starts from one of the three reserved private address ranges and goes to an external network. To see the default dynamic NAT rules in Policy Manager, select Network > NAT.
Dynamic NAT is also enabled by default in each policy you create. You can override the global dynamic NAT settings in your individual policies.
1-to-1 NAT
When you enable 1-to-1 NAT, the XTM device changes and routes all incoming and outgoing packets sent from one range of addresses to a different range of addresses. Consider a situation in which you have a group of internal servers with private IP addresses that must each show a different public IP address to the outside world. You can use 1-to-1 NAT to map public IP addresses to the internal servers, and you do not need to change the IP addresses of your internal servers. To understand how to configure 1-to-1 NAT, we give this example: Successful Company has a group of three privately addressed servers behind the Optional interface of their XTM device. These addresses are:
10.0.2.11
10.0.2.12
10.0.2.13
The Successful Company administrator selects three public IP addresses from the same network address as the external interface of their device, and creates DNS records for the servers to resolve to. These addresses are:
203.0.113.11
203.0.113.12
203.0.113.13

Now the Successful Company administrator configures a 1-to-1 NAT rule for his servers. The 1-to-1 NAT rule builds a static, bidirectional relationship between the corresponding pairs of IP addresses. The relationship looks like this:
10.0.2.11 <--> 203.0.113.11
10.0.2.12 <--> 203.0.113.12
10.0.2.13 <--> 203.0.113.13

When the 1-to-1 NAT rule is applied, the device creates the bidirectional routing and NAT relationship between the pool of private IP addresses and the pool of public addresses.
To connect to a computer located on a different device interface that uses 1-to-1 NAT, you must use the private (NAT base) IP address for that computer. If you have problems with this method, you can disable 1-to-1 NAT and use Static NAT.
Number of hosts to NAT (for ranges only)
The number of IP addresses in a range to which the 1-to-1 NAT rule applies. The first real base IP address is translated to the first NAT base IP address when 1-to-1 NAT is applied. The second real base IP address in the range is translated to the second NAT base IP address when 1-to-1 NAT is applied. This is repeated until the Number of hosts to NAT is reached. In our example above, the number of hosts to apply NAT to is three.
Policy-based NAT
Both dynamic NAT and 1-to-1 NAT can also be controlled at the policy level. If traffic matches both 1-to-1 NAT and dynamic NAT policies, the 1-to-1 NAT policy takes precedence.
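To make the translation behaviour described above concrete, here is an added Python model (not WatchGuard code and not a Fireware XTM API; the class and function names are hypothetical) of outbound NAT on a single external interface. It applies the default dynamic NAT entries in list order, keeps the client's source port unless a second client already holds the same translated port, records each translation in a state table so a reply can be reversed, maps a 1-to-1 NAT range by offset from the real base address, and gives 1-to-1 NAT precedence when both would match. The addresses are the Successful Company values from this module plus a constructed external interface address 203.0.113.1; "Any-External" is simplified to "any destination outside the three reserved private ranges".

```python
"""Outbound NAT model: dynamic NAT with source-port preservation and a
connection state table, 1-to-1 NAT ranges, and the precedence of 1-to-1 NAT
over dynamic NAT. Added illustration of the behaviour this module describes;
the class and function names are hypothetical, not Fireware XTM APIs."""
import ipaddress
from dataclasses import dataclass

# The three reserved private ranges; "Any-External" is modelled here as any
# destination outside them (a simplification of the device's alias).
PRIVATE = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

# Default dynamic NAT entries, evaluated in list order.
DEFAULT_DYNAMIC_NAT = [(net, "Any-External") for net in PRIVATE]


def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in PRIVATE)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class OneToOneRule:
    real_base: str   # first private address of the range
    nat_base: str    # first public address of the range
    hosts: int       # "Number of hosts to NAT"

    def public_for(self, private_ip):
        """Map the n-th real base address to the n-th NAT base address, or None."""
        offset = int(ipaddress.ip_address(private_ip)) - int(ipaddress.ip_address(self.real_base))
        if 0 <= offset < self.hosts:
            return str(ipaddress.ip_address(int(ipaddress.ip_address(self.nat_base)) + offset))
        return None


class OutboundNat:
    def __init__(self, external_ip, one_to_one=(), dynamic_rules=DEFAULT_DYNAMIC_NAT):
        self.external_ip = external_ip
        self.one_to_one = list(one_to_one)
        self.dynamic_rules = list(dynamic_rules)
        # Connection state table: translated (ip, port) -> original (ip, port)
        self.state = {}

    def _dynamic_matches(self, pkt):
        src = ipaddress.ip_address(pkt.src_ip)
        for net, to in self.dynamic_rules:   # first matching rule wins
            if src in net and to == "Any-External" and is_external(pkt.dst_ip):
                return True
        return False

    def translate_out(self, pkt):
        """Translate a connection leaving the device; returns (packet, kind)."""
        for rule in self.one_to_one:          # 1-to-1 NAT takes precedence
            public = rule.public_for(pkt.src_ip)
            if public is not None:
                self.state[(public, pkt.src_port)] = (pkt.src_ip, pkt.src_port)
                return Packet(public, pkt.src_port, pkt.dst_ip, pkt.dst_port), "1-to-1"
        if not self._dynamic_matches(pkt):
            return pkt, "none"
        # Dynamic NAT: the source IP always changes; the source port changes
        # only when another client already holds the same translated port.
        original = (pkt.src_ip, pkt.src_port)
        port = pkt.src_port
        while self.state.get((self.external_ip, port), original) != original:
            port += 1
        self.state[(self.external_ip, port)] = original
        return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port), "dynamic"

    def translate_reply(self, pkt):
        """Reverse NAT for a reply that returns on the same interface."""
        original = self.state.get((pkt.dst_ip, pkt.dst_port))
        if original is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, original[0], original[1])


def demo():
    """Constructed traffic using the Successful Company addresses of this module."""
    nat = OutboundNat("203.0.113.1", one_to_one=[OneToOneRule("10.0.2.11", "203.0.113.11", hosts=3)])
    a, ka = nat.translate_out(Packet("10.0.1.10", 40000, "198.51.100.80", 80))
    b, kb = nat.translate_out(Packet("10.0.1.11", 40000, "198.51.100.80", 80))  # same source port
    c, kc = nat.translate_out(Packet("10.0.2.12", 51000, "198.51.100.25", 25))  # inside the 1-to-1 range
    d, kd = nat.translate_out(Packet("10.0.2.14", 5000, "10.0.3.5", 443))       # private to private: no rule
    reply = nat.translate_reply(Packet("198.51.100.80", 80, b.src_ip, b.src_port))
    return {
        "a": (a.src_ip, a.src_port, ka),
        "b": (b.src_ip, b.src_port, kb),
        "c": (c.src_ip, c.src_port, kc),
        "d": kd,
        "reply_b": (reply.dst_ip, reply.dst_port),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The fourth case shows why the exercise later in this module adds a rule for trusted-to-optional traffic: with only the default entries, a private-to-private connection leaves the device untranslated.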
With policy-based dynamic NAT, you can make an exception to the global NAT rules (the rules at Network > NAT in Policy Manager). Normally, the XTM device uses the primary IP address of the Outgoing interface when it applies dynamic NAT to outgoing packets handled by a policy. Each policy has dynamic NAT enabled by default. You can disable dynamic NAT for all traffic handled by a policy, or you can configure the device to use a different IP address for dynamic NAT handled by the policy. To see the NAT settings for any policy:
1. Double-click a policy. 2. Select the Advanced tab. 3. Select the Dynamic NAT check box. 4. If you want to use the global dynamic NAT rules set for the device, select Use Network NAT Settings. 5. If you want to apply dynamic NAT to all traffic handled by this policy, select All traffic in this policy.
This setting applies even if the source and destination IP addresses of the traffic flow do not match the source and destination ranges for any rule on the Dynamic NAT tab in Policy Manager (Network > NAT, the global dynamic NAT rules).
If you have more than one external interface configured on your device, we recommend that you do not select Set source IP. If you select this option, you must add the specified IP address as a secondary IP address to the interface that the traffic goes out through.
6. If you select All traffic in this policy, you can also select the Set source IP check box to set a different source IP address for traffic handled by this policy when dynamic NAT is applied.
This makes sure that any traffic handled by this policy shows a specified address from your public or external IP address range as the source. A common reason to do this is to force outgoing SMTP traffic to show the MX record address for your domain when the IP address on the external interface for the device is not the same as your MX record IP address.
Static NAT
Static NAT is also known as port forwarding.
Static NAT allows inbound connections on specific ports to one or more public servers from a single external IP address. The XTM device changes the destination IP address of the packets and forwards them based on the original destination port number. You can also translate the original destination port to an alternative port on which the server is listening. Static NAT is typically used for public services such as web sites and email. For example, you can use Static NAT to designate a specific internal server to receive all email. Then, when someone sends email to the XTM device's external IP address, the device can forward the connection to the private IP address of the designated email (SMTP) server.
NAT Loopback
NAT loopback allows a user on the Trusted or Optional networks to use the public IP address or domain name to get access to a public server that is on the same physical device interface. For example, you could use NAT loopback if you have an internal Web server and you want to allow users on the same network segment to access the Web server by its public domain name or IP address. There are no configuration settings in the user interface to enable NAT loopback, however, you must create a policy in your configuration to allow the traffic. The From section of the policy must list the Trusted or Optional networks from which access is allowed. The To section of the policy must contain a static NAT entry for each server to allow access with NAT loopback.
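The static NAT and NAT loopback rules above come down to a policy check: the From list decides who may reach the public address, and the SNAT entry in the To list supplies the internal address and, optionally, a different internal port. The following added Python example (not WatchGuard code; the `Policy`, `StaticNat`, `forward` and `route` names are hypothetical) evaluates that check for the SMTP server 10.0.2.25 and the HTTP server 10.0.2.30 from the exercises in this module. The external interface address 203.0.113.1, the trusted and optional network ranges, and the port-8080 server 10.0.2.31 are constructed assumptions.

```python
"""Static NAT (port forwarding) and NAT loopback as a policy check: the
policy's From list decides who may use the public address, and the SNAT entry
in its To list supplies the internal address and optional port translation.
Added illustration, not Fireware code; the network ranges and the external IP
203.0.113.1 are assumptions, server addresses come from the exercises."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NETWORKS = {  # assumed interface networks behind the device
    "Any-Trusted": ipaddress.ip_network("10.0.1.0/24"),
    "Any-Optional": ipaddress.ip_network("10.0.2.0/24"),
}


@dataclass(frozen=True)
class StaticNat:
    external_ip: str
    internal_ip: str
    internal_port: Optional[int] = None   # None keeps the original destination port


@dataclass(frozen=True)
class Policy:
    name: str
    port: int         # destination port the policy handles
    sources: tuple    # aliases in the From section
    to_snat: tuple    # StaticNat entries in the To section


def source_matches(alias, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if alias == "Any-External":
        return not any(ip in net for net in NETWORKS.values())
    return ip in NETWORKS[alias]


def forward(policy, src_ip, dst_ip, dst_port):
    """Return (internal_ip, internal_port, kind) or None if the policy does not apply."""
    if dst_port != policy.port:
        return None
    if not any(source_matches(alias, src_ip) for alias in policy.sources):
        return None
    for snat in policy.to_snat:
        if snat.external_ip == dst_ip:
            port = snat.internal_port if snat.internal_port is not None else dst_port
            inside = not source_matches("Any-External", src_ip)
            return snat.internal_ip, port, "loopback" if inside else "inbound"
    return None


def route(policies, src_ip, dst_ip, dst_port):
    """First policy whose From list and SNAT entry match decides the forwarding."""
    for policy in policies:
        result = forward(policy, src_ip, dst_ip, dst_port)
        if result is not None:
            return (policy.name,) + result
    return None


def demo():
    ext = "203.0.113.1"
    policies = (
        # Exercise 2: SMTP only from outside, so no NAT loopback for it.
        Policy("SMTP-proxy", 25, ("Any-External",), (StaticNat(ext, "10.0.2.25"),)),
        # Exercise 3: HTTP also from the trusted and optional networks (NAT loopback).
        Policy("HTTP-proxy", 80, ("Any-External", "Any-Trusted", "Any-Optional"),
               (StaticNat(ext, "10.0.2.30"),)),
        # Hypothetical: external port 8080 forwarded to port 80 on a second server.
        Policy("HTTP-alt", 8080, ("Any-External",), (StaticNat(ext, "10.0.2.31", internal_port=80),)),
    )
    return {
        "mail_in": route(policies, "198.51.100.7", ext, 25),
        "web_loopback": route(policies, "10.0.1.50", ext, 80),
        "mail_loopback": route(policies, "10.0.1.50", ext, 25),
        "alt_port": route(policies, "198.51.100.7", ext, 8080),
        "unknown_port": route(policies, "198.51.100.7", ext, 443),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `mail_loopback` case is the one to notice: a trusted user reaching the mail server by its public address is refused because the SMTP policy's From list contains only Any-External, which is exactly why the loopback text above says the From section must list the trusted or optional networks.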
NAT
Exercise 1:
The default configuration of dynamic NAT enables dynamic NAT for traffic that comes from any private IP address and goes to any external network. The default entries are:
192.168.0.0/16 Any-External
172.16.0.0/12 Any-External
10.0.0.0/8 Any-External
These three network addresses are the private networks reserved by the Internet Engineering Task Force (IETF) and are typically used for the IP addresses on private LANs. To enable dynamic NAT for other traffic flows, you must add an entry for them. For example, you could add a dynamic NAT rule for traffic that comes from a trusted network and goes to an optional network. In that case, all traffic sent from the trusted network and going to the optional network would appear to come from the Optional interface IP address, because the Optional interface is the outgoing interface for that traffic. The XTM device applies the dynamic NAT rules in the sequence that they appear in the Dynamic NAT Entries list. In this exercise, we use Policy Manager to configure the Successful Company XTM device to use dynamic NAT for traffic coming from only their trusted network and going to any external network.
2. On the Dynamic NAT tab, select the 10.0.0.0/8 - Any-External dynamic NAT rule. 3. Click Remove.
A warning message appears.
8. Click OK.
The new entry appears in the Dynamic NAT list.
9. Click OK.
Exercise 2:
In this exercise, you use Policy Manager to configure the Successful Company XTM device to use Static NAT for their SMTP server.
1. Click . Or, select Edit > Add Policy. 2. Expand the Proxies list and select SMTP-proxy. Click Add.
The New Policy Properties dialog box appears.
5. Click Add.
The Add SNAT dialog box appears.
6. In the SNAT Name text box, you can edit the name for this SNAT action.
For example, change the name to SMTP-SNAT.
7. Click Add.
The Add Static NAT dialog box appears.
To change the packet destination to a specified internal host and to a different port, select the Set internal port to a different port check box.
8. Make sure the External IP Address text box includes the external interface IP address of your device. 9. In the Internal IP Address field, type 10.0.2.25.
This is the private IP address of the SMTP server located on the optional network.
11. Click OK to close the Add SNAT dialog box. 12. Click OK to close the SNAT dialog box.
The selected SNAT action is added to the Selected Members and Addresses list.
13. Click OK to close the Add Address menu. 14. Click OK to close the New Policy Properties dialog box. 15. Click Close in the Add Policies dialog box.
The SMTP-proxy policy appears in the policy list. The Internal IP address you selected appears in the range in the To column.
If you have set Policy Manager to use Manual-order mode, toggle the precedence back to Auto-order mode. Select View > Auto-Order Mode and click Yes.
Exercise 3:
In this exercise, you use Policy Manager to configure an XTM device policy to allow users on the trusted network to get access to a web server on the trusted network by its public domain name or public IP address. You can create a separate policy for NAT loopback, or you can edit the policy that enables static NAT to the web server to allow NAT loopback.
1. Click . Or, select Edit > Add Policy. 2. Expand the Proxies list and select HTTP-proxy. Click Add.
The New Policy Properties dialog box appears.
3. In the To list, select Any-External. Click Remove. 4. In the To section, click Add.
The Add Address dialog box appears.
6. Click Add.
The Add SNAT dialog box appears.
7. In the SNAT Name text box, you can edit the name for this SNAT action.
For example, change the name to NAT-Loopback.
8. Click Add.
The Add Static NAT dialog box appears.
9. Make sure the External IP Address text box includes the External interface IP address of your Firebox or XTM device. 10. In the Internal IP Address text box, type 10.0.2.30.
This is the private IP address of the HTTP server located on the optional network.
14. Click OK to close the Add Address dialog box. 15. Click OK to close the New Policy Properties dialog box. 16. Click Close in the Add Policies dialog box.
The HTTP-proxy policy appears in the policy list. The Internal IP address you selected appears in the range in the To column.
1. Fill in the blank: __________________ NAT conserves IP addresses and hides the internal topology of your network.
2. Fill in the blank: __________________ NAT is often used for policies that require more than one port or port numbers that change dynamically, such as for many messaging and video conferencing applications.
3. Fill in the blank: NAT ___________________ allows a user on the trusted or optional networks to get access to a public server that is on the same physical XTM device interface by its public IP address or domain name.
4. Complete the missing entries: The default dynamic NAT entries in Policy Manager are:
___________/____   Any-External
172.16.0.0/12      ___________
___________/____   Any-External
5. Static NAT for a policy is also known as (select all that apply):
A) IP masquerading
B) Port forwarding
C) Tunnel swapping
D) Quality of Service
E) All the above
6. True or false? Dynamic NAT rewrites the source IP address of packets to use the IP addresses of the outgoing interface.
ANSWERS
1. Dynamic
2. 1-to-1
3. Loopback
4. 192.168.0.0/16 Any-External; 172.16.0.0/12 Any-External; 10.0.0.0/8 Any-External
5. B
6. True
Policies
Convert Network Policy to Device Configuration
What You Will Learn
Your XTM device controls traffic to and from your trusted, optional, and external networks. You use a set of rules called policies to define which traffic should be allowed or denied passage through your network. In this training module, you learn how to:
Understand the difference between a packet filter policy and a proxy policy
Add a policy to Policy Manager and configure its access rules
Create a custom packet filter
Set up logging and notification rules for a policy
Use advanced policy properties
Understand how the XTM device determines precedence
Before you begin these exercises, make sure you read the Course Introduction module.
Add Policies
Policy Manager uses either a list view or an icon view to show the policies that you configure for your XTM device. For each policy, you can:
Enable the policy
Set the allowed sources and destinations for traffic managed by the policy
Configure properties such as logging, notification, and advanced properties (described below)
The XTM device includes a default list of predefined packet filter and proxy policies for you to use. You can add one of these predefined policies and then change the settings to meet the needs of your organization, or just use the default settings. Based upon the access rules you configure, connections can be allowed, denied, or denied with a reset connection. To enable access through the device for an Internet protocol that is not included in the list of predefined policies, you must create a custom policy template. A custom policy can match traffic from one or more TCP or UDP ports, or other IP protocols such as GRE, AH, ESP, ICMP, IGMP, and OSPF. A custom policy cannot match traffic from other protocol types, such as AppleTalk, ATM, Frame Relay, or IPX.
Sticky Connections
A sticky connection is a connection that continues to use the same interface for a defined period of time when your XTM device is configured with multiple WAN interfaces. Stickiness makes sure that, if a packet goes out through one external interface, any future packets between the source and destination address pair use the same external interface for a specified period of time.
Policy-based Routing
If your XTM device is configured with multi-WAN, you can configure a policy with a specific external interface to use for all outbound traffic that matches that policy.
Policy Precedence
Precedence refers to the order in which the XTM device examines network traffic and applies a policy rule. The XTM device sorts policies automatically, from the most specific to the most general. For example, a highly specific policy could be a policy that matches only traffic on TCP port 25 from one IP address, while a general policy could be one that matched all traffic on UDP ports 40,000-50,000. You can also set the precedence of each policy manually. For more information on policy precedence, including complete rules for specificity, see the Fireware XTM WatchGuard System Manager Help or User Guide. The XTM device uses the rules from the first policy that matches the traffic for routing. If no match is found, the traffic is denied as an unhandled packet.
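The ordering and first-match behaviour described above can be seen in this added Python example, which is not WatchGuard code: the specificity score is a deliberate simplification (fewer ports first, then a narrower source and destination scope), since the device's complete rules are in the Help or User Guide. The policies are the ones built in this module's exercises; IRC on TCP 6667 and RDP on TCP 3389 are the standard ports and are assumptions here, as are the "Outgoing" allow-all policy, the UDP 40,000-50,000 policy from the paragraph above, and the web server address 10.0.2.30.

```python
"""First-match policy evaluation with automatic ordering from most specific
to most general. Added illustration, not Fireware code; the specificity score
is a simplification of the device's rules. Ports and the Outgoing policy are
assumptions, 50.51.200.22 is the administrator's address from Exercise 1."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Policy:
    name: str
    protocol: str        # "tcp", "udp" or "any"
    ports: tuple         # (low, high), inclusive
    sources: tuple       # networks in the From list
    destinations: tuple  # networks in the To list
    action: str          # "allow" or "deny"

    def matches(self, proto, port, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return (self.protocol in ("any", proto)
                and self.ports[0] <= port <= self.ports[1]
                and any(s in n for n in self.sources)
                and any(d in n for n in self.destinations))


def specificity_key(p):
    """Smaller sorts first: fewer ports, then a narrower source/destination scope."""
    port_count = p.ports[1] - p.ports[0] + 1
    scope = (min(n.num_addresses for n in p.sources)
             * min(n.num_addresses for n in p.destinations))
    return (port_count, scope, p.name)


def auto_order(policies):
    """Auto-order mode: sort from the most specific policy to the most general."""
    return sorted(policies, key=specificity_key)


def evaluate(policies, proto, port, src, dst):
    """Apply the first matching policy; unmatched traffic is denied as an unhandled packet."""
    for p in auto_order(policies):
        if p.matches(proto, port, src, dst):
            return p.name, p.action
    return None, "deny"


def net(cidr):
    return (ipaddress.ip_network(cidr),)


def demo():
    policies = [
        Policy("Outgoing", "any", (0, 65535), net("10.0.0.0/8"), (ANY,), "allow"),   # assumed
        Policy("UDP-Range", "udp", (40000, 50000), (ANY,), (ANY,), "allow"),        # example from the text
        Policy("IRC", "tcp", (6667, 6667), net("10.0.0.0/8"), (ANY,), "deny"),      # Exercise 1
        Policy("RDP", "tcp", (3389, 3389), net("50.51.200.22/32"), net("10.0.2.30/32"), "allow"),
    ]
    return {
        "order": [p.name for p in auto_order(policies)],
        "irc": evaluate(policies, "tcp", 6667, "10.0.1.20", "198.51.100.9"),
        "admin_rdp": evaluate(policies, "tcp", 3389, "50.51.200.22", "10.0.2.30"),
        "other_rdp": evaluate(policies, "tcp", 3389, "198.51.100.9", "10.0.2.30"),
        "https": evaluate(policies, "tcp", 443, "10.0.1.20", "198.51.100.9"),
        "udp": evaluate(policies, "udp", 45000, "10.0.1.20", "198.51.100.9"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The IRC deny sorts ahead of the broad Outgoing allow even though both were added in the opposite order, which is what lets the single-port deny win; RDP from anyone but the administrator falls through every policy and is dropped as unhandled.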
Exercise 1:
Successful Company's network administrator was told to stop employees from using Internet Relay Chat (IRC) at the office. The management team decided that IRC is too distracting for employees and a potential security risk. The administrator also wants to activate a Windows Terminal Services connection to the Successful Company public web server on the optional interface of the XTM device. He routinely administers the web server with a Remote Desktop connection. At the same time, he wants to make sure that no other network users can use the Remote Desktop Protocol through the XTM device. In this exercise, you open a basic XTM device configuration file in Policy Manager. You add two predefined policies to the configuration and configure the access rules for each policy.
1. Open the configuration file you are editing for these exercises. 2. Click . Or, select Edit > Add Policy.
The Add Policies dialog box appears. From here, you can add a predefined packet filter policy, a proxy policy, or a custom policy you have created. You can also create a new policy template.
List of ports and protocols controlled by the policy Description of how the policy is used and for what services
4. Click Add.
The New Policy Properties dialog box appears.
5. Click OK.
This adds a basic IRC policy to your configuration. If you do not change this policy, it allows all IRC traffic from any trusted computer to any external computer.
6. In the packet filter list, select RDP. Click Add. Click OK.
This adds a basic RDP policy to your configuration. If you do not change this policy, it allows all RDP traffic from any trusted computer to any external computer.
2. Select the Policy tab. 3. In the IRC connections are drop-down list, select Denied.
The policy now denies traffic from any computer that connects through the trusted XTM device interface to any external computer. To further restrict IRC traffic, you must also deny IRC from any computer on optional device interfaces.
6. Click OK.
Any-Optional appears in the New Policy Properties dialog box in the From list. The rule now denies IRC traffic from all computers behind the device to any external computer. Traffic that comes from the external interface is always denied by default unless you create a rule to allow it.
5. In the Value text box, type 50.51.200.22 as the IP address of the network administrator's computer. Click OK.
The IP address appears in the Add Address dialog box Selected Members and Addresses list.
7. In the To section, select Any-External. Click Remove. 8. In the To section, click Add.
The Add Address dialog box appears.
Exercise 2:
Successful Company's network administrator frequently troubleshoots their public servers from the network server room. These public servers are all connected to the optional interface of the XTM device. The network administrator would like to be able to use VNC to view the files on his trusted desktop computer. To do this, he must create a custom VNC policy and allow access from any computer on the optional network to his desktop computer on the trusted network (10.0.1.201). To create a custom policy, we must know that VNC uses TCP port 5900. To find out which ports are used by different network services, refer to the documentation that accompanies each software product. In this exercise, you learn how to create a custom packet filter to solve a problem in the Successful Company network.
3. In the Name text box, type VNC. 4. In the Description text box, type Virtual Network Computing. 5. For the Type option, make sure that Packet Filter is selected. 6. To define a protocol and ports for the new policy template, click Add.
The Add Protocol dialog box appears.
7. From the Type drop-down list, select Single Port. 8. From the Protocol drop-down list, select TCP. 9. In the Server Port text box, type 5900.
1. In the Add Policies dialog box, expand the Custom folder. 2. Select VNC. Click Add.
The New Policy Properties dialog box appears with the VNC packet filter.
3. In the From list, select Any-Trusted. Click Remove. 4. In the From section, click Add.
The Add Address dialog box appears.
5. Double-click Any-Optional.
Any-Optional appears in the Selected Members and Addresses list.
7. In the To list, select Any-External. Click Remove. 8. In the To section, click Add.
The Add Address dialog box appears.
10. From the Choose Type drop-down list, make sure that Host IP is selected. 11. In the Value text box, type 10.0.1.201.
This address restricts VNC traffic to only the desktop computer of the network administrator.
14. Click OK to close the New Policy Properties dialog box. 15. Click Close to close the Add Policies dialog box.
The VNC policy appears in the list of configured policies.
Exercise 3:
In this exercise, you make sure the XTM device creates a log message for any IRC connection denied by the IRC policy we created earlier in the lesson.
4. Select the Send log message check box. 5. Select the Send Notification check box and keep the default Email selection.
The XTM device will now send a log message to the WatchGuard Log Server each time an IRC packet is denied. The device also sends a message to the Log Server that tells it to send an email notification to the specified email address. For more information, see the Logging and Reporting training module.
6. Click OK to close the Logging and Notification dialog box. 7. Click OK to close the Edit Policy Properties dialog box. 8. Save the configuration file to your local hard drive as Policies-Configured.xml.
Exercise 4:
When you define a new policy and configure the policy parameters, it is automatically sorted and placed in the proper order within Policy Manager. To illustrate the policy auto-ordering process, add the NetMeeting packet filter with the default properties and watch for the position in which it is placed. To set Policy Manager to the Details view:
2. Click
1. Select View > Auto-order Mode. 2. Click Yes to confirm that you want to switch from auto-order mode to manual-order mode.
The policy order numbers now have a gray background to indicate that you can move them.
Exercise 5:
After a few weeks of blocking all outgoing IRC traffic, the Successful Company managers notice that many of their engineering team are leaving at 5:00pm. A little research into the problem returns the surprising result that the engineers are perfectly willing to work late as long as they can chat on IRC with their friends outside the company. Productivity will increase if we schedule the IRC policy to let them chat in the evenings.
4. In the Name text box, type Evenings. 5. In the Description text box, type Disable the policy in the evenings.
You can use this schedule for other policies so you should describe it with the hours blocked or allowed rather than the policy for which you are building it.
6. In the schedule grid, change the hours from 5:00 to 10:00 PM, Monday through Friday, to Non-operational hour.
7. Click OK to save the schedule and apply it to the IRC policy. 8. Click OK to close the Edit Policy Properties dialog box. 9. Save the configuration file as Policies-Done.
You can compare your results with the Policies-Finish file included with the training.
1. Choose the appropriate policy type(s) for each task. (Select all that apply.) Columns: Packet Filter, Proxy.
Examine the header information
Strip an attachment
Examine the application layer content
Check for RFC compliance
Block based on server command type
Check the source against a list of blocked sites
Verify that the destination is a valid location on the trusted
Send a log message if the packet is malformed
Generate a report on network traffic
2. True or false? You can use the same operating schedule for multiple policies.
3. Which of the following protocols can be used in a custom policy? (Select all that apply.)
A) TCP
B) Frame Relay
C) ATM
D) UDP
E) ICMP
4. True or false? Policies are ordered primarily by name.
5. True or false? You cannot use SNMP for policy event notifications.
ANSWERS
1. (Packet Filter / Proxy)
Examine the header information
Strip an attachment
Examine the application layer content
Check for RFC compliance
Block based on server command type
Check the source against a list of blocked sites
Verify that the destination is a real location on the trusted
Send a log message if the packet is malformed
Generate a report on network traffic
2. True
3. A, D, and E
4. False
5. False
Proxy Policies
Use Proxy Policies and ALGs to Protect Your Network
What You Will Learn
You can use proxy policies to protect servers and clients from threats. With a proxy policy, the XTM device examines the contents of each packet to determine whether the network traffic is safe. In this training module, you learn how to: Understand the purpose of each proxy policy or ALG (Application Layer Gateway) Configure the DNS proxy to protect your DNS server Prevent users from putting files on an external FTP server Configure access control for VoIP calls
Before you begin these exercises, make sure you read the Course Introduction module.
The DNS proxy includes six categories:
General
The General category includes the basic DNS protocol anomaly detection rules to deny malformed and non-standard DNS queries. We recommend that you do not change the default settings for these rules.
OpCodes
OPcodes (operational codes) are commands sent to a DNS server, such as query, update, or status requests. They operate on items such as registers, values in memory, values stored on the stack, I/O ports, and the bus. If you use Active Directory and your Active Directory configuration requires dynamic updates, you must allow DNS OPcodes in your DNS-Incoming proxy action rules. This is a security risk, but can be necessary for Active Directory to operate correctly. You use the OpCodes ruleset to allow or deny specific DNS OPcodes.
Query Types
Use the Query Types category to allow or deny DNS connections based on the type of DNS query sent in the connection.
Query Names
The Query Names category can be used to allow or deny DNS connections based on the fully qualified domain name sent in the connection.
Proxy Alarm
The Proxy Alarm category lets you define the type of alarm that is sent any time a notification is triggered by a DNS proxy action.
You generally should not block these commands, because they are necessary for the FTP protocol to work correctly:
Protocol Command   Client Command   Description
USER               n/a              Sent with login name
PASS               n/a              Sent with password
PASV               pasv             Select passive mode for data transfer
SYST               syst             Print the server's operating system and version. FTP clients use this information to correctly interpret and display server responses.
The user interface allows or denies based on protocol commands and not client commands. For a full reference on FTP protocol commands, we recommend you refer to RFC 959, section 4.1.
Protocol Command   Client Command   Description
RETR               get              Retrieve a file from the server
STOR               put              Put a file on the server
DELE               delete           Delete a file on the server
RMD                rmdir            Delete a directory on the server
MKD                mkdir            Create a directory on the server
PWD                pwd              Print the Present Working Directory (PWD) path
LIST               ls               List the names in the current directory path
NLST               dir              Detailed list of files in the current directory path
CDUP               cd..             Move up in the server's directory tree
CWD                cd <path>        Change to a specific directory on the server
SITE               site <command>   Send a server-specific command. This command is associated with FTP denial of service attacks and is often blocked for all FTP-Server proxy configurations.
Download
The Download ruleset controls the file names, extensions, or URL paths that users can download with FTP. Use the FTP-Server proxy action to control download rules for the FTP server protected by your XTM device. Use the FTP-Client proxy action to set download rules for users connecting to external FTP servers.
Upload
The Upload ruleset controls the file names, extensions, or URL paths that users can use FTP to upload. Use the FTP-Server proxy action to control upload rules for the FTP server protected by your XTM device. Use the FTP-Client proxy action to set upload rules for users connecting to external FTP servers. The default configuration of the FTP-Client is to allow all files to be uploaded.
AntiVirus
If you have purchased and enabled the Gateway AntiVirus feature, you can configure the actions to take if a virus is found in a file that is uploaded or downloaded. For more information, see the Signature Services training module.
Proxy and AV Alarms
An alarm is a mechanism to tell a network administrator when network traffic matches criteria for suspicious traffic or content. When an alarm event occurs, the XTM device takes the action that you configure. For example, you can set a threshold value for file length. If the file is larger than the threshold value, the device can send a log message to the Log Server.
Exercise 1:
Because of problems associated with adware accidentally downloaded to their network, the Successful Company network administrator would like to block DNS requests to messenger.yahoo.com. This site has been associated with programs that also install malware, such as Gator. Malware refers to a group of software applications that are usually installed without a user's knowledge or consent. Most malware programs are designed to capture private information or allow attackers to use resources on your network.
4. From the Proxy Action drop-down list, make sure DNS-Outgoing is selected.
The DNS Proxy Action Configuration dialog box appears for the DNS-Outgoing actions.
6. In the Name text box, type a new name for this action. For example, type DNS-Outgoing-Deny-Yahoo-Messenger. 7. Click OK to clone the template.
The proxy action appears in the New Policy Properties dialog box in the Proxy action drop-down list.
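To show what the DNS proxy categories described earlier in this module (General, OpCodes, Query Types, Query Names) check on a real query, here is an added Python example that is not WatchGuard code: it parses a raw DNS query from the wire format, rejects malformed ones under General, and then applies the OpCodes, Query Types and Query Names rulesets in turn. The denied name messenger.yahoo.com is the entry from this exercise; the allowed OpCode set (QUERY only), the denied query types, the suffix match on subdomains, and the `DnsRules`, `parse_query` and `decide` names are assumptions, and the sample queries are constructed.

```python
"""DNS proxy rulesets applied to a raw DNS query: General (protocol sanity),
OpCodes, Query Types, and Query Names. Added illustration, not Fireware code;
the allowed OpCode and denied query types are assumptions, the denied name is
the messenger.yahoo.com entry from Exercise 1."""
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
          16: "TXT", 28: "AAAA", 252: "AXFR", 255: "ANY"}


class DnsRules:
    allowed_opcodes = {"QUERY"}             # assumed: UPDATE denied unless Active Directory needs it
    denied_qtypes = {"AXFR", "ANY"}         # assumed
    denied_names = {"messenger.yahoo.com"}  # Exercise 1; subdomains are denied as well


def parse_query(data):
    """Return {'opcode', 'qtype', 'qname'}; raise ValueError for a malformed query."""
    if len(data) < 12:
        raise ValueError("header shorter than 12 bytes")
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", data[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:                      # walk the length-prefixed labels of QNAME
        if pos >= len(data):
            raise ValueError("truncated name")
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or length > 63 or pos + length > len(data):
            raise ValueError("bad label")
        labels.append(data[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(data):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", data[pos:pos + 4])
    opcode = (flags >> 11) & 0xF
    return {"opcode": OPCODES.get(opcode, str(opcode)),
            "qtype": QTYPES.get(qtype, str(qtype)),
            "qname": ".".join(labels)}


def decide(rules, data):
    """Return ('allow'|'deny', reason) for one query, ruleset by ruleset."""
    try:
        q = parse_query(data)
    except ValueError as exc:
        return "deny", f"General: {exc}"
    if q["opcode"] not in rules.allowed_opcodes:
        return "deny", f"OpCodes: {q['opcode']}"
    if q["qtype"] in rules.denied_qtypes:
        return "deny", f"Query Types: {q['qtype']}"
    for name in rules.denied_names:
        if q["qname"] == name or q["qname"].endswith("." + name):
            return "deny", f"Query Names: {q['qname']}"
    return "allow", f"{q['qtype']} {q['qname']}"


def build_query(name, qtype=1, opcode=0):
    """Constructed sample query: standard header, one question, RD bit set."""
    header = struct.pack("!6H", 0x1234, (opcode << 11) | 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def demo():
    rules = DnsRules()
    return {
        "www": decide(rules, build_query("www.example.com")),
        "yahoo": decide(rules, build_query("messenger.yahoo.com"))[0],
        "yahoo_sub": decide(rules, build_query("cs1.messenger.yahoo.com"))[0],
        "update": decide(rules, build_query("example.com", opcode=5))[0],
        "axfr": decide(rules, build_query("example.com", qtype=252))[0],
        "short": decide(rules, b"\x12\x34\x01")[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the rulesets are evaluated in order, a malformed packet never reaches the name check, and an UPDATE for an allowed name is still refused by OpCodes; that ordering is why the text recommends leaving the General rules at their defaults.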
Exercise 2:
In this exercise, the Successful Company administrator uses Policy Manager to edit the predefined FTP-Server proxy action to restrict the types of FTP connections to the Successful Company FTP server. Specifically, the administrator will:
Make sure that users cannot delete a file from the Successful Company FTP server.
Restrict the type of files that users can upload to the FTP server to text files only, to help prevent abuse of the Successful Company FTP server.
3. In the Name text box, type FTP-Proxy-Server. 4. From the Proxy action drop-down list, select FTP-Server. Click
The FTP Proxy Action Configuration dialog box appears.
1. In the Categories list, select Upload. 2. In the Pattern text box, type *.txt. Click Add.
The .txt item appears in the Upload list. This enables the device to allow text files to be uploaded to the FTP server.
4. In the Name text box, type a new name for this action. For example, type FTP-Server-Deny-Delete-Upload-TXT. 5. Click OK to clone the template.
The proxy action appears in the New Policy Properties dialog box in the Proxy action drop-down list.
6. Click OK to close the New Policy Properties dialog box. 7. Click Close to close the Add Policies dialog box.
The FTP-Proxy-Server policy appears in Policy Manager.
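The FTP-Server rules described in the command tables earlier in this module and configured in this exercise can be expressed as a small check over the control channel. The following is an added Python example, not WatchGuard code: it keeps the four required commands allowed, denies DELE (this exercise) and SITE (the table's recommendation), and applies the `*.txt` upload pattern as an allow list. The `FtpServerRules`, `parse_command` and `decide` names, the empty download deny list, and the sample session lines are assumptions and constructed input.

```python
"""FTP-Server proxy ruleset check on control-channel commands: required
commands stay allowed, denied protocol commands are refused, and uploads and
downloads are filtered by filename pattern. Added illustration, not Fireware
code; the rules follow Exercise 2 (deny DELE, allow only *.txt uploads) plus
the SITE recommendation from the command table."""
import fnmatch
import posixpath

REQUIRED = {"USER", "PASS", "PASV", "SYST"}   # needed for FTP to work at all


class FtpServerRules:
    denied_commands = {"DELE", "SITE"}
    upload_allow = ["*.txt"]        # any other upload name is denied
    download_deny = []              # assumed: downloads unrestricted


def parse_command(line):
    """Split one control-channel line into (COMMAND, argument)."""
    line = line.rstrip("\r\n")
    if not line:
        raise ValueError("empty command line")
    cmd, _, arg = line.partition(" ")
    if not (cmd.isascii() and cmd.isalpha()) or len(cmd) > 4:
        raise ValueError(f"malformed command {cmd!r}")
    return cmd.upper(), arg.strip()


def matches_any(name, patterns):
    """Case-insensitive glob match of a file name against the ruleset patterns."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def decide(rules, line):
    """Return ('allow'|'deny', reason) for one command line."""
    try:
        cmd, arg = parse_command(line)
    except ValueError as exc:
        return "deny", f"General: {exc}"
    if cmd in REQUIRED:
        return "allow", cmd
    if cmd in rules.denied_commands:
        return "deny", f"Commands: {cmd}"
    name = posixpath.basename(arg)          # rules apply to the file name, not the path
    if cmd in ("STOR", "STOU", "APPE"):     # RFC 959 upload commands
        if matches_any(name, rules.upload_allow):
            return "allow", f"Upload: {name}"
        return "deny", f"Upload: {name}"
    if cmd == "RETR":
        if matches_any(name, rules.download_deny):
            return "deny", f"Download: {name}"
        return "allow", f"Download: {name}"
    return "allow", cmd


def demo():
    rules = FtpServerRules()
    session = [   # constructed sample session
        "USER alice",
        "PASS secret",
        "STOR notes.txt",
        "STOR /incoming/Report.TXT",
        "STOR setup.exe",
        "DELE notes.txt",
        "SITE CHMOD 644 notes.txt",
        "RETR readme.txt",
        "ST0R notes.txt",
    ]
    return {line: decide(rules, line)[0] for line in session}


if __name__ == "__main__":
    for line, verdict in demo().items():
        print(f"{verdict:5} {line}")
```

Note that the last line, with a digit in place of the letter O, is refused as malformed before any ruleset is consulted, which is the kind of non-standard command the proxy's protocol checks exist to catch.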
Exercise 3:
The Successful Company has recently invested in some VoIP devices as part of a network expansion. These devices use the H.323 protocol. However, some employees in the Sales department have installed their own VoIP software on their computers, and this has led to network congestion and other problems. In this exercise, the administrator creates an H.323 ALG that allows a few employees to start or receive VoIP calls, and prevents all other employees from using H.323 VoIP devices.
3. In the Name text box, type H323-VoIP-Limited. 4. From the Proxy Action drop-down list, make sure H.323-Client is selected. 5. Click .
The H323-ALG Action Configuration dialog box appears.
6. In the Categories list, select Access Control. 7. Select the Enable access control for VoIP check box. 8. In the Address of Record text box, type jsmith@example.com. 9. From the Access level drop-down list, select Start and receive calls. 10. Click Add.
jsmith@example.com appears in the Access Levels list. The Log check box is selected by default.
11. Repeat Steps 8-9 and add sjones@example.com and hwatkins@example.com to the Access Levels list.
13. In the Name text box, type a new name for this action. For example, type H323-Client-VoIP-Limited. 14. Click OK to clone the template.
The proxy action appears in the New Policy Properties dialog box in the Proxy action drop-down list.
1. Fill in the blank: To protect your DNS server from attacks, you configure a DNS-proxy policy with the _____________ proxy action.
2. What is the function of a DNS server? (Select one.)
A) Distribute IP addresses to computers when they connect to a network
B) Assign domain names to individual networks
C) Translate numeric IP address into readable Internet addresses
D) Distribute MAC addresses to computers when they connect to a network
E) Connect IP addresses to their associated MAC addresses
3. What is the best pattern match to block FTP uploads of Microsoft Excel spreadsheets? (Select one.)
A) *.xls
B) *XLS
D) .*ls
E) *.x*
4. True or false? An Application Layer Gateway (ALG) is the same as a packet filter policy.
5. What are some reasons to create a TCP-UDP-proxy? (Select all that apply.)
A) Examine DNS traffic that is not sent over TCP port 53
B) Examine HTTP traffic that is not sent over TCP port 80
C) Block instant messaging and peer-to-peer applications
D) Block email viruses in SMTP and POP3 traffic
E) Filter FTP traffic sent through data channels
ANSWERS
1. DNS-Incoming.
2. C
3. A
4. False. An ALG is similar to a proxy policy and also manages some network connections used by that protocol.
5. B and E
Email Proxies
Work with the SMTP and POP3 Proxies
What You Will Learn
Your XTM device uses two proxy policies to control email traffic: SMTP and POP3. In this training module, you learn how to:
Restrict the types of connections to an SMTP server
Modify the allowable message size
Allow and deny different content types and filenames
Restrict email by attachment filename
Deny incoming SMTP traffic by domain
Restrict outgoing POP3 traffic and lock attachments
Before you begin these exercises, make sure you read the Course Introduction module. For more information about the protocols used for email and controlled by the SMTP and POP3 proxies, see the RFC Archives:
SMTP RFC 821 at http://tools.ietf.org/html/rfc821
POP3 RFC 1939 at http://www.faqs.org/rfcs/rfc1939.html
SMTP Rulesets
SMTP is a protocol used to send email messages between servers, or between clients and servers. The default port for SMTP traffic is TCP port 25. You can use the SMTP-proxy to control email messages and email content. The proxy scans SMTP messages and compares their contents to the rules in the proxy configuration. The SMTP-proxy checks the message for harmful content and RFC compliance. It examines the SMTP headers, message recipients, senders, and content, as well as any attachments. The SMTP-proxy can restrict traffic from specific user names or domains. It can also strip unwanted or dangerous SMTP headers, filter attachments by filename or MIME content type, or deny the email based on an address pattern. The ability to strip header information is particularly valuable to many network administrators. The SMTP-proxy requires no additional configuration for either your email server or your network clients.
When you create an SMTP-proxy policy, you can choose from two default proxy actions:
SMTP-Incoming
    This proxy action includes rulesets to protect your SMTP email server from external traffic.
SMTP-Outgoing
    This proxy action includes rulesets to control outgoing SMTP connections from users on your trusted and optional networks.
POP3 Rulesets
POP3 is a protocol that moves email messages from an email server to an email client. The POP3 protocol operates on TCP port 110. Many Internet-based email services offer POP3 access. With POP3, an email client contacts the email server and checks for any new email messages. If it finds a new message, it downloads the message to the local email client. After the message is received by the email client, the connection is closed.
When you create a POP3-proxy policy, you can choose from two default proxy actions:
POP3-Server
    This proxy action includes rulesets to protect your POP3 email server from external traffic.
POP3-Client
    This proxy action includes rulesets to control outgoing POP3 connections from users on your trusted and optional networks to public POP3 servers.
You can use the default settings for the SMTP and POP3 proxy actions, or you can modify the proxy action settings to match the needs of your organization. In this module, we show you how to modify the incoming and outgoing proxy action rulesets.
Exercise 1:
Successful Company is growing. With all the new employees, incoming email is increasingly a potential vector for malware. In this exercise, we use Policy Manager to configure an incoming SMTP-proxy policy to protect their SMTP server.
1. Open the configuration file you are editing for these exercises. If you want to use the policy you created in the NAT training module, open that configuration file, double-click the SMTP-proxy policy to edit it, and continue with Step 5.
2. Click the Add Policy icon, or select Edit > Add Policy.
The Add Policies dialog box appears.
5. In the Name text box, type SMTP-Incoming-Proxy.
6. From the Proxy Action drop-down list, select SMTP-Incoming.
7. In the To section, click Add.
The Add Address dialog box appears.
9. Click Add.
The Add SNAT dialog box appears.
10. In the SNAT Name text box, type SMTP-Incoming-SNAT.
11. Make sure the Static NAT option is selected.
12. Click Add.
The Add Static NAT dialog box appears.
19. In the Description text box, type Modified policy for email inbound.
The default maximum email message size is 10 MB. In the past, Successful Company employees used email to exchange files with outside vendors. Now that Successful Company has a protected FTP server, the network administrator wants to discourage use of the email server for large attachments. In this exercise we reduce the maximum email size to 5 MB; the field is in kilobytes, so we type 5000. In the SMTP Proxy Action Configuration dialog box:
2. In the Limits section, select the Set the maximum email size to check box. In the adjacent text box, type 5000.
2. In the Actions to take section, from the None Matched drop-down list, select Allow.
This allows all content types through the device to the SMTP server. After Successful Company compiles a list of the specific content types it wants to allow, it can set None Matched to Strip so that every content type not on the list is removed.
7. Click Add.
The New Filenames Rule dialog box appears.
8. In the Rule Name text box, type mp4.
9. In the Rule Settings text box, type *.mp4.
10. In the Action drop-down list, select Strip. Click OK.
The SMTP proxy action now strips any attachment whose filename ends in .mp4 (the MPEG-4 container used by iTunes and most video players) before the message is delivered to the SMTP server; the message itself is still delivered. A Filenames rule checks only the name the sender chose, so the same file renamed to another extension passes it. The Content Types ruleset, which checks the declared MIME type, and Gateway AntiVirus are the controls to pair with filename rules.
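To make the exercise concrete, here is an added example, written for this edition and not part of the WatchGuard training material or product, that models the two checks just configured (the maximum message size and a Filenames rule with the Strip action) over a constructed MIME message. The rule syntax is assumed to be shell-style wildcards, the Strip and Allow names mirror the dialog box, and the ftyp content sniff is this example's own addition, included to show what a filename rule alone misses: the same MP4 bytes attached as clip.txt pass the *.mp4 rule unchanged.

```python
"""Added example, not WatchGuard code: a model of the SMTP-proxy checks from
this exercise (maximum message size, Filenames rules with the Strip action)
run over a constructed MIME message, plus a content sniff that the filename
rule alone does not give you. Rule syntax is assumed to be shell-style
wildcards; the 'ftyp' check is this example's own, not a Fireware feature."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from fnmatch import fnmatchcase

MAX_EMAIL_KB = 5000                    # "Set the maximum email size to" 5000 (KB)
FILENAME_RULES = [("*.mp4", "Strip")]  # Filenames ruleset, evaluated top to bottom
NONE_MATCHED_ACTION = "Allow"          # action when no rule matches


def sniff_is_mp4(data: bytes) -> bool:
    """True if the data starts with an ISO base media 'ftyp' box (MP4/M4A/MOV)."""
    return len(data) >= 12 and data[4:8] == b"ftyp"


def filename_action(name: str) -> str:
    """First matching Filenames rule wins; otherwise the None Matched action."""
    for pattern, action in FILENAME_RULES:
        if fnmatchcase(name.lower(), pattern.lower()):
            return action
    return NONE_MATCHED_ACTION


def inspect_message(raw: bytes) -> dict:
    """Report what the proxy would do with each attachment of one message."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {
        "size_kb": len(raw) / 1024,
        "size_ok": len(raw) <= MAX_EMAIL_KB * 1024,
        "attachments": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        report["attachments"].append({
            "filename": name,
            "declared_type": part.get_content_type(),
            "filename_rule": filename_action(name),
            "looks_like_mp4": sniff_is_mp4(data),
        })
    return report


def build_sample() -> bytes:
    """Constructed test message: the same MP4 bytes attached twice, once renamed."""
    # 24-byte ftyp box, constructed for this example (not a real recording)
    mp4_header = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"
    msg = EmailMessage()
    msg["From"] = "vendor@example.net"
    msg["To"] = "sales@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Files attached.")
    msg.add_attachment(mp4_header, maintype="video", subtype="mp4",
                       filename="clip.mp4")
    msg.add_attachment(mp4_header, maintype="application", subtype="octet-stream",
                       filename="clip.txt")   # renamed to dodge the *.mp4 rule
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment in inspect_message(build_sample())["attachments"]:
        print(attachment)
```

Run it with python3 to print one line per attachment. Both parts report looks_like_mp4 as true, but only clip.mp4 receives the Strip action; that gap is why content-type rules and antivirus scanning belong beside filename rules.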
4. In the Name text box, type SMTP-Incoming-Email.
5. Click OK to clone the template.
The New Policy Properties dialog box appears, with SMTP-Incoming-Email in the Proxy action drop-down list.
6. Click OK to close the New Policy Properties dialog box.
7. Click Close to close the Add Policies dialog box.
The SMTP-Incoming-Proxy policy appears in your policy list.
Exercise 2:
A network administrator at Successful Company has reviewed the default rulesets that are included with the SMTP-Outgoing proxy action and wants to make these three changes:
- Remove the restriction on email size
- Make sure that all outgoing email is from the Successful Company domain
- Prevent users from sending email with Microsoft Windows screensavers attached
3. In the Name text box, type SMTP-Server-Outgoing.
4. In the From list, select Any-External. Click Remove.
Any-External is removed from the From list.
5. Click Add.
The Add Address dialog box appears.
7. In the Value text box, type 10.0.1.25.
8. Click OK to close the Add Member dialog box.
The IP address appears in the Selected Members and Addresses list.
1. On the Policy tab, adjacent to the Proxy action drop-down list, click the edit icon.
2. In the Categories list, expand General and select General Settings.
The General Settings page appears. The setting changes made for the SMTP incoming proxy do not appear here. This policy controls only outgoing SMTP traffic.
3. In the Limits section, clear the Set the maximum e-mail size to check box.
This removes any restrictions on email size.
Successful Company's network administrators want to make sure that only mail sent from addresses in their domain is allowed out through the XTM device. This is a second line of defense against abuse of their mail server as a relay; the primary control is still to configure the mail server itself not to relay for unauthenticated or external senders. The Rewrite Banner Domain and Rewrite HELO Domain options in the SMTP-proxy action General Settings serve a different purpose: they replace the internal host name your server announces in its banner and in HELO/EHLO with a value you choose, so outside parties do not learn your internal naming. The related options that rewrite the domain in From and To addresses are known as SMTP masquerading. In the SMTP Proxy Action Configuration dialog box:
1. In the Categories list, expand Address and select Mail From.
2. In the Pattern text box, type *@example.com. Click Add.
*@example.com appears in the Rules list. With the None Matched action set to Deny, any message whose Mail From address does not end in @example.com is denied. Include the @ in the pattern: *example.com would also match addresses such as user@notexample.com, because the wildcard matches everything before the literal text.
4. Adjacent to the If matched drop-down list, select the Alarm and Log check boxes.
6. Select the Send Notification check box and the Email option.
8. (Optional) In the Name text box, type a unique name for the proxy action.
The default name for a clone is SMTP-Outgoing.1. You can also give it a friendly name to help you recognize it.
Exercise 3:
Successful Company's network policy is to prohibit connections to all external POP3 servers. Unfortunately, the new CFO insists on downloading his personal mail from Impersonal ISP. He says he absolutely cannot do business without this service, and the CEO concurs. However, the CEO insists that the CFO must not be able to download attachments with his POP3 account. In this exercise, we use the POP3-proxy to allow the CFO to connect to his service provider. While we cannot quarantine his attachments, we can lock them. There is a small hope that this will prove so inconvenient that the CFO will want to switch to the company Exchange server.
4. In the Name text box, type POP3-CFO.
5. In the From list, select Any-Trusted. Click Remove.
Any-Trusted is removed from the From list.
6. Click Add.
The Add Address dialog box appears.
8. In the Value text box, type 10.0.1.202.
9. Click OK to close the Add Member dialog box.
The Add Address dialog box appears with the IP Address in the Selected Members and Addresses list.
14. From the Choose Type drop-down list, select Host Name (DNS lookup).
15. In the Value text box, type mail.yahoo.com.
16. Click OK to close the Add Member dialog box.
The Add Address dialog box appears. Policy Manager does a one-time DNS lookup for the host name mail.yahoo.com, and the resulting IP address appears in the Selected Members and Addresses list. Because the lookup is not repeated, the policy stops matching if the provider moves the service to a different IP address; review the address periodically.
1. From the Proxy action drop-down list, select POP3-Client.
2. Adjacent to the Proxy action drop-down list, click the edit icon.
The POP3 Proxy Action Configuration dialog box appears.
6. (Optional) In the Name text box, type a unique name for the proxy action.
The default name for the clone is POP3-Client.1. You can also give it a friendly name to help you recognize it.
7. Click OK to clone the template.
8. Click OK to close the New Policy Properties dialog box.
9. Click Close to close the Add Policies dialog box.
The POP3-CFO policy appears in your policy list.
1. Which of the following can an SMTP-proxy check that an SMTP packet filter cannot? (Select all that apply):
A) Source IP Address
B) Content
C) RFC compliance
D) Packet Header
E) Attachment
2. True or false? The XTM device will deny uu-encoded attachments.
3. The XTM device will allow up to ____ bytes in one line of an email before it denies the message.
4. True or false? The XTM device will rewrite the Banner Domain.
5. Choose the most appropriate SMTP-proxy action for each task. (Select one.)

Task                                                                SMTP-Incoming   SMTP-Outgoing
Protect your company network from the ILOVEYOU virus                [ ]             [ ]
Reduce the number of very large files sent by email to your users   [ ]             [ ]
Reduce spam                                                         [ ]             [ ]
Prevent your network from being used as a spam relay                [ ]             [ ]
Block pornographic images being sent to your users                  [ ]             [ ]
Keep your users from sending MP3s to their friends                  [ ]             [ ]
6. True or false? Many free, public email servers use POP3. 7. True or false? You can use the POP3-Client proxy action to deny messages received from a POP3 server.
ANSWERS
1. B, C, E
2. True
3. 1000
4. False
5.
Task                                                                Proxy action
Protect your company network from the ILOVEYOU virus                SMTP-Incoming
Reduce the number of very large files sent by email to your users   SMTP-Incoming
Reduce spam                                                         SMTP-Incoming
Prevent your network from being used as a spam relay                SMTP-Outgoing
Block pornographic images being sent to your users                  SMTP-Incoming
Keep your users from sending MP3s to their friends                  SMTP-Outgoing
6. True
7. False
Authentication
Verify a User's Identity
What You Will Learn
User authentication is a process that allows a device to verify the identity of someone who connects to a network resource. In this training module, you learn how to:
- Understand authentication and how it works with your XTM device
- List the types of third-party authentication servers you can use with Fireware XTM
- Use Firebox authentication users and groups
- Add a Firebox authentication group to a policy definition
- Modify authentication timeout values
- Use the XTM device to create a custom web server certificate
Before you begin these exercises, make sure you read the Course Introduction module. For information about WatchGuard LiveSecurity Alerts & Advice, see:
- Authentication and the Firebox: http://www.watchguard.com/archive/showhtml.asp?pack=135056
- Foundations: Cryptography 101: http://www.watchguard.com/archive/showhtml.asp?pack=1775
In this module, you configure the XTM device to use third-party authentication servers. If you take this course with a WatchGuard Certified Training Partner, your instructor may provide you with configuration details for authentication servers on a local network. For self-instruction, we encourage you to get the information needed to configure the XTM device for the authentication method used by your organization.
When you use a third-party authentication server, follow the instructions from the manufacturer to configure it correctly. The server must be accessible from the XTM device, which usually means that it is installed on an optional network for greater security. You can configure a primary and backup authentication server. If the XTM device cannot connect to the primary authentication server after three attempts, the primary server is marked as dead and an alarm message is generated. The device then attempts to connect to the backup authentication server. If the device cannot connect to the backup authentication server, it waits ten minutes, and then tries to connect to the primary authentication server again.
When you install the SSO Client software on your client computers, the SSO Client receives the call from the SSO Agent and returns accurate information about the user who is currently logged in to the workstation. If you do not want to install the SSO Client on each client computer, you can instead install the Event Log Monitor on your domain controller, and configure the SSO Agent to get user login information from the Event Log Monitor. This is known as clientless SSO. With clientless SSO, the Event Log Monitor collects login information from domain client computers and from the domain controller for users that have already logged on to the domain and sends them to the SSO Agent. In this training module, we do not go into great detail about how to install and configure the SSO solution. For more information about how to configure SSO for your network, see the SSO topics in the WatchGuard System Manager Help or the Active Directory Authentication advanced training module.
Exercise 1:
In this exercise, we learn that Successful Company does not yet have an authentication server. The network administrator decides to use the XTM device for authentication. We will use Policy Manager to configure a group for the Marketing department and add four of the department employees.
3. In the Name text box, type Marketing.
4. (Optional) In the Description text box, type Marketing Department.
5. Click OK.
The new group appears in the User Groups list.
1. In the Authentication Servers dialog box, in the Users section, click Add.
The Setup Firebox User dialog box appears.
When the passphrase is set, you cannot see the passphrase in plain text again. If the passphrase is lost, you must set a new passphrase. A passphrase must contain a minimum of eight characters.
3. To add Allison to the Marketing group, in the Available list, double-click Marketing.
Marketing appears in the Member list.
4. Click OK.
Allison is added to the User list.
6. After you add all users to the Marketing group, click OK.
The Authentication Servers dialog box should look like this:
Exercise 2:
After you have configured at least one authentication server with user names and groups, you can use Policy Manager to add those users and groups to your policies. In this exercise, you give the Marketing group permission to connect to an FTP server on the optional network that Successful Company uses to share files with outside vendors. You also block all FTP connections from other users on the network.
2. In the From list, select Any-Trusted. Click Remove.
   Select Any-Optional. Click Remove.
With the Any-Trusted and Any-Optional entries, any user on your optional or trusted network is able to start an FTP connection to the entries on the To list. When you remove these entries, you block FTP connections from your optional and trusted networks.
11. From the Choose Type drop-down list, select Host IP.
12. In the Value text box, type 10.0.2.21.
This is the IP address of the FTP server on the optional network. In a real-world environment, you must activate NAT for external users to be able to connect to this FTP server because it has a private IP address. For more information, see the NAT training module.
Exercise 3:
In this exercise, you use Policy Manager to manage the authentication settings that the XTM device uses by default. If you set session and idle timeouts in the Setup Firebox User dialog box or on any third-party server that you use for authentication, these values override the global settings you configure in this exercise.
2. In the Session Timeout text box, type or select 4. From the adjacent drop-down list, select Hours.
This is the maximum length of time the user can send traffic to the external network. If you set this field to zero (0) seconds, minutes, hours, or days, no session timeout is used and the user can stay connected indefinitely.
3. In the Idle Timeout text box, type or select 10. From the adjacent drop-down list, select Minutes.
This is the maximum length of time the user can stay authenticated when idle (not passing any traffic to the external network). If you set this field to zero (0) seconds, minutes, hours, or days, no idle timeout is used and the user can stay idle for any length of time.
2. From the Limit users to a single login session drop-down list, select Logoff first session, when the user logs in the second time.
3. Select the Auto redirect users to authentication page for authentication check box.
All users who have not yet authenticated are automatically redirected to the authentication login portal when they try to get access to the Internet. If you do not select this check box, unauthenticated users must manually navigate to the authentication login portal.
4. Select the Redirect traffic sent to the IP address of the XTM device to this host name check box. In the text box, type the host name to use for the XTM device.
Make sure the host name matches the Common Name in the web server certificate and the host name published in your organization's DNS. If the names differ, users' browsers warn that the certificate does not match the site, which trains them to click through certificate warnings.
5. Select the Send a redirect to the browser after successful authentication check box. In the text box, type http://10.0.1.80/home.html.
This is the home page of the Successful Company intranet web server, which is located on the trusted network.
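The interaction between the session timeout, the idle timeout, a zero value, and the Logoff first session setting is easier to see in code. The following added example, which is not WatchGuard code, models those settings with a simulated clock; the class and function names, and the treatment of a second login from a different address, are this example's own assumptions.

```python
"""Added example, not WatchGuard code: a model of the global session timeout,
idle timeout and the 'Logoff first session' setting from this exercise.
Time is a simulated counter in seconds; all names are this example's own."""
from dataclasses import dataclass, field

SESSION_TIMEOUT = 4 * 60 * 60   # 4 hours, as configured above
IDLE_TIMEOUT = 10 * 60          # 10 minutes, as configured above
# A value of 0 disables the corresponding timeout, as the exercise notes.


@dataclass
class Session:
    user: str
    login_at: int
    last_seen: int


@dataclass
class AuthTable:
    session_timeout: int = SESSION_TIMEOUT
    idle_timeout: int = IDLE_TIMEOUT
    logoff_first_session: bool = True   # "Limit users to a single login session"
    sessions: dict = field(default_factory=dict)   # client IP -> Session

    def login(self, user: str, ip: str, now: int) -> None:
        if self.logoff_first_session:
            # The second login wins: drop this user's earlier session elsewhere.
            stale = [k for k, s in self.sessions.items() if s.user == user and k != ip]
            for other_ip in stale:
                del self.sessions[other_ip]
        self.sessions[ip] = Session(user, now, now)

    def check(self, ip: str, now: int):
        """Called for each packet from ip. Returns (authenticated, reason)."""
        s = self.sessions.get(ip)
        if s is None:
            return False, "no session"
        if self.session_timeout and now - s.login_at >= self.session_timeout:
            del self.sessions[ip]          # hard limit, regardless of activity
            return False, "session timeout"
        if self.idle_timeout and now - s.last_seen >= self.idle_timeout:
            del self.sessions[ip]          # no traffic for too long
            return False, "idle timeout"
        s.last_seen = now                  # traffic seen, so the idle clock restarts
        return True, "ok"


if __name__ == "__main__":
    table = AuthTable()
    table.login("allison", "10.0.1.50", now=0)
    print(table.check("10.0.1.50", now=300))    # (True, 'ok')
    print(table.check("10.0.1.50", now=1000))   # (False, 'idle timeout')
```

Note the order of the checks: the session timeout fires even for a user who never stops sending traffic, while the idle timeout only fires after a quiet period, and setting either to zero switches that check off entirely.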
Exercise 4:
Successful Company is growing and adding employees. They need to shift to a system that allows them to track users and groups in one location rather than in both the XTM device and their Windows Active Directory server. In this exercise, we use Policy Manager to configure the XTM device to use Active Directory and set the IP address for the server on which the Single Sign-On (SSO) Agent is installed.
3. Click Add.
The Add Active Directory Domain dialog box appears.
4. In the Domain Name text box, type the domain name of this Active Directory authentication server in the format <sub domain name>.<root domain name>.
For example, example.com.
5. Click Add.
The Add IP / DNS Name dialog box appears.
6. From the Choose Type drop-down list, select IP Address.
7. In the Value text box, type 10.0.1.89.
8. Click OK.
The IP address appears in the IP Address / DNS Name list.
9. In the Search Base text box, type the location in the Active Directory tree where the device searches for user account information, as an LDAP distinguished name: ou=<organizational unit>,dc=<first label of the domain name>,dc=<next label>, with one dc= component for each dot-separated label of the domain.
For this example, type dc=example,dc=com.
If you add information about your Active Directory server in other places in the device configuration (such as when you configure SSO or Terminal Services), you must make sure to type the domain name exactly as you enter it here. The Active Directory domain name is case sensitive within the device configuration.
13. Select the Single Sign-On tab.
14. Select the Enable Single Sign-On (SSO) with Active Directory check box.
This enables the settings you use to configure SSO.
This is the IP address of the server on which the WatchGuard Single Sign-On Agent has been installed. You can also install the SSO Agent on the computer where your Active Directory Server is installed.
Note
If multiple users share the same computer, you must also install the SSO Client software on that computer or install the Event Log Monitor on your domain controller.
2. Select Custom certificate signed by Firebox.
3. In the Common Name text box, type successfulco.
Always choose a value that corresponds to your Firebox or XTM device, such as the host name in the URL that users are redirected to. Browsers compare the name in the URL with the name in the certificate, so a bare short name such as successfulco works only if clients resolve it through a DNS search suffix; a fully qualified name is safer. A certificate signed by the Firebox is not trusted by clients until you distribute the Firebox CA certificate to them.
6. Click OK.
The Web Server Certificate dialog box closes.
1. Which of the following statements are good reasons to set up user authentication? (Select all that apply.)
A) Monitor users who connect through your network
B) Restrict who can connect to resources on the Internet
C) Block incoming connections from specific Web sites
D) Identify connections in monitoring tools by IP address
E) Reduce the total number of public IP addresses you need
F) Prevent unauthorized users from accessing network resources
G) All of the above
2. True or false? Fireware XTM supports Windows NT authentication.
3. True or false? You can configure a policy to allow a single user.
4. Which of these Authentication Servers are compatible with the Fireware XTM OS? (Select all that apply.)
A) Kerberos
B) SecurID
C) Linux Authentication
D) AppleTalk Authorization
E) Windows NT
F) Lightweight Directory Access Protocol (LDAP)
G) Active Directory
H) Firebox Users and Groups
I) RADIUS
5. What is the URL for the Firebox Authentication web page? (Select one.)
A) https://auth.watchguard.com:4100/
B) http://ip address of device interface:411/
C) https://gateway IP address of Firebox:4000/
D) https://<trusted or optional device interface IP address>:4100/
Blocking Spam
Stop Unwanted Email with spamBlocker
What You Will Learn
You can use the optional WatchGuard spamBlocker service to block unwanted email messages at your Internet gateway. In this training module, you learn how to:
- Activate and configure spamBlocker
- Specify the actions to take when spam is detected
- Exclude email messages from certain sources
- Monitor spamBlocker activity
Before you begin these exercises, make sure you read the Course Introduction module. In this module, you configure an optional feature of your XTM device. To view these settings, you must first purchase a License Key for spamBlocker. In addition, to activate the License Key you must have access to an XTM device. If you take this course with a WatchGuard Certified Training Partner, your instructor will provide you with both an XTM device and a License Key.
Deny
    Stops the spam email message from being delivered to the mail server. The XTM device sends this message to the sending email server: Delivery not authorized, message refused.
Add subject tag
    Identifies the email message as spam or not spam and allows the message to go to the mail server. See the subsequent section for more information on spamBlocker tags.
Allow
    Allows spam email messages to go through the XTM device without a tag.
Drop
    Drops the connection immediately. Unlike the Deny option, the XTM device does not give any SMTP error message to the sending server.
Quarantine
    Sends the message classified as spam to a Quarantine Server.
If you use spamBlocker with the POP3 proxy, you have only two actions to choose from: Add Subject Tag and Allow. You cannot use the Quarantine Server with the POP3 proxy.
You must configure at least one DNS server so the XTM device can resolve the IP addresses of the Commtouch servers. If you do not do this, spamBlocker will not operate.
spamBlocker Tags
The XTM device can add spamBlocker tags to the subject line of the email message. You can also configure spamBlocker to customize the tag that it adds. This example shows the subject line of an email message that was classified as spam. The tag added is the default tag: ***SPAM***.
Subject: ***SPAM*** Free auto insurance quote
spamBlocker Categories
spamBlocker puts potential spam email messages into three categories, based on the classification of the mail envelope by the Commtouch classification server:
Confirmed Spam
    Includes email messages that come from known spammers. We recommend the Deny action for this type of email if you use spamBlocker with the SMTP proxy, or Add subject tag if you use spamBlocker with the POP3 proxy.
Bulk
    Includes email messages that do not come from known spammers, but do match some known spam structure patterns. We recommend the Add subject tag action for this type of email, or the Quarantine action if you use spamBlocker with the SMTP proxy.
Suspect
    Includes email messages that could be associated with a new spam attack. Frequently, these messages are legitimate email messages. We recommend the Allow action for this type of email, or the Quarantine action if you use spamBlocker with the SMTP proxy.
spamBlocker Exceptions
The XTM device might sometimes identify a message as spam when it is not spam. If you know the address of the sender, you can configure the device with an exception that tells it not to examine messages from that source address or domain.
1. Click the HTTP Proxy Server tab.
2. Select the Contact the spamBlocker server using an HTTP proxy server check box.
3. In the remaining fields on this tab, select the parameters for the proxy server.
This includes the address of the proxy server, the port the XTM device must use to contact the proxy server, and the authentication credentials the XTM device uses for proxy server connections (if required by the proxy server).
Exercise 1:
The Successful Company network administrator decides to start putting suspected mail into quarantine rather than simply locking and tagging it. He would also like to automatically remove messages from the SpamKing domain that he knows produces nothing but spam.
4. Click the Rules tab.
5. Select the Auto-Remove messages from specific domains rule.
The Rule description appears. Notice the blue underlined text.
6. In the Rule Description, click the blue underlined text: specific domains.
The Edit Auto-Remove Rule dialog box appears
7. In the Enter text to match text box, type SpamKing.com. Click Add.
8. Click OK.
The blue underlined text in the Rule Description changes to SpamKing.com.
Exercise 2:
You must have the spamBlocker feature key saved to the XTM device before you can do this exercise. For more information, see Add a Feature Key to the XTM Device on page 87.
Activate spamBlocker
Successful Company decides to invest in spamBlocker to manage all the unwanted email its employees are receiving. In this exercise, we use the spamBlocker Wizard in Policy Manager to activate the spamBlocker service.
2. Click Next.
If you are working through the training modules sequentially, or taking the class with an instructor, you should have three email proxy policies configured.
3. Clear the POP3-CFO and SMTP-Server-Outgoing policy check boxes. Click Next.
4. Click Finish.
If you do not have an SMTP or POP3 proxy policy, the wizard prompts you to create one.
Exercise 3:
After you complete the activate spamBlocker wizard, you need to configure the spamBlocker settings in your email proxy. In this exercise, you configure the spamBlocker service for SMTP. The procedure to configure spamBlocker for POP3 is the same.
5. Clear the Send a log message for each message classified as not spam check box.
This is a useful tool for troubleshooting, but receiving a log message for each email message sent to your employees can significantly increase the size of your log database.
2. Click Add.
The Add Exception Rule dialog box appears.
3. In the Action drop-down list, select Allow.
4. In the Sender text box, type *@twit.tv.
5. In the Recipient text box, type *.
This excludes all messages whose sender address is in the twit.tv domain from spamBlocker actions. The exception is keyed on the sender address, which a spammer can forge, so keep sender-based exceptions to a minimum and review them regularly.
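The Sender and Recipient patterns here follow the same wildcard rules as the Mail From pattern in Exercise 2 of the Email Proxies module. The following added example, which is not part of the WatchGuard material or product, shows how such patterns are evaluated and why *example.com is a weaker pattern than *@example.com. It assumes that * is the only wildcard and that rules are walked top to bottom with a None Matched fallback; the addresses are constructed.

```python
"""Added example, not WatchGuard code: how wildcard address patterns behave in
the Mail From ruleset (Email Proxies, Exercise 2) and in spamBlocker exception
rules (this exercise). The only wildcard modelled is '*', an assumption about
the product's pattern syntax; names and sample addresses are constructed."""
import re

# Mail From ruleset as typed in Exercise 2, and the corrected form
MAIL_FROM_LOOSE = [("*example.com", "Allow")]
MAIL_FROM_STRICT = [("*@example.com", "Allow")]
NONE_MATCHED = "Deny"

# spamBlocker exception: (sender pattern, recipient pattern, action)
SPAM_EXCEPTIONS = [("*@twit.tv", "*", "Allow")]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Escape the literal text, then let each '*' match any run of characters."""
    escaped = re.escape(pattern.lower()).replace(r"\*", ".*")
    return re.compile(f"^{escaped}$")


def matches(pattern: str, address: str) -> bool:
    """Case-insensitive whole-address match (addresses are lower-cased first)."""
    return pattern_to_regex(pattern).match(address.lower()) is not None


def mail_from_action(rules, address: str):
    """Rules are walked top to bottom; the None Matched action applies otherwise."""
    for pattern, action in rules:
        if matches(pattern, address):
            return action, pattern
    return NONE_MATCHED, None


def spam_exception(sender: str, recipient: str):
    """Exceptions need both the sender and the recipient pattern to match."""
    for s_pat, r_pat, action in SPAM_EXCEPTIONS:
        if matches(s_pat, sender) and matches(r_pat, recipient):
            return action
    return None


if __name__ == "__main__":
    for addr in ("alice@example.com", "spammer@notexample.com", "bob@example.com.evil.net"):
        print(addr, mail_from_action(MAIL_FROM_LOOSE, addr), mail_from_action(MAIL_FROM_STRICT, addr))
    # The exception is keyed on the sender address, which a spammer can forge.
    print(spam_exception("leo@twit.tv", "cfo@example.com"))
```

The loose pattern lets spammer@notexample.com through because the wildcard swallows "spammer@not" and the literal "example.com" still matches; anchoring the literal text with the @ closes that hole.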
1. In the spamBlocker Configuration dialog box, click the Virus Outbreak Detection tab.
2. In the When a virus is detected drop-down list, select Drop. Select the adjacent Alarm check box.
3. Click OK to close the spamBlocker Configuration dialog box.
4. Click OK to close the spamBlocker dialog box.
5. Save the configuration file to the XTM device.
174 WatchGuard Fireware XTM Training
Exercise 4:
1. In WatchGuard System Manager, connect to the XTM device you want to monitor.
2. Click the Firebox System Manager icon, or select Tools > Firebox System Manager.
Firebox System Manager appears.
2. True or false? The Confirmed Spam category includes email messages that come from known spammers.
3. Which proxy works with spamBlocker? (Select all that apply.)
A) HTTP
B) SMTP
C) POP3
D) FTP
4. True or false? When you use spamBlocker with the POP3-proxy, the XTM device can deny, drop, allow, or add a subject tag to any suspected spam message.
5. True or false? You must configure a Quarantine Server to use spamBlocker.
ANSWERS
4. False. Only the SMTP proxy can deny a message.
5. False. The Quarantine Server is optional.
Web Traffic
Manage the Web Traffic Through Your Firewall
What You Will Learn
The HTTP-proxy policy can protect your private and public web servers. It can also be used to protect your users from viruses and restrict unauthorized web use. In this module, you learn how to:
- Create a log message for each HTTP client connection
- Block HTTP client connections by URL path
- Allow files through the HTTP-proxy by type
- Customize the deny message a user receives
- Strip headers that specify a certain type of authentication
- Use HTTP-proxy exceptions to allow software updates
- Activate WebBlocker
- Select categories of web sites to block
- Override WebBlocker rules for specific sites
Before you begin these exercises, make sure you read the Course Introduction module.
To further protect your network, the HTTP-Client and HTTP-Server proxy actions can use these optional services (WebBlocker applies only to HTTP-Client):
WebBlocker
    Controls the web sites trusted users are allowed to browse to at different times of the day. WebBlocker is available only for the HTTP-Client proxy action.
Gateway AntiVirus (Gateway AV)
    Scans HTTP traffic and can stop viruses before they reach the client computers and HTTP servers on your network.
Reputation Enabled Defense (RED)
    Sends requested URLs to a cloud-based WatchGuard reputation server, which returns a reputation score. The HTTP-proxy uses the reputation score to decide whether to drop the traffic, allow the traffic and scan it locally, or allow the traffic without a local scan.
The HTTP-Client proxy settings give you complete control over the HTTP connections of your trusted users. You can strip files by file name or MIME content type. You can also restrict the use of cookies, ActiveX, Java, and other potential sources of infection.
Usually, if you filter URLs with the HTTP request URL path ruleset, you must configure a complex pattern that uses regular expression syntax configured in the Advanced View of a ruleset. It is easier and better to filter header or body content types than it is to filter URL paths.
Header Fields This ruleset supplies content filtering for the full HTTP header name and its value. By default, the XTM device uses exact matching rules to strip Via and From headers, and allows all other headers. The Via header can be added to a client request by a proxy server to track message forwards and avoid request loops. Stripping the Via header can protect client privacy. The From header passes the client users' email address to the server, which can be harvested by bulk mail recipient lists. Stripping this header helps reduce the chance of receiving spam and maintains client anonymity and privacy. Authorization This ruleset sets the criteria for content filtering of HTTP Request Header authorization fields. When a web server starts a WWW-Authenticate challenge, it sends information about which authentication methods it can use. The proxy puts limits on the type of authentication sent in a request. With a default configuration, the XTM device allows Basic, Digest, NTLM, and Passport 1.4 authentication. HTTP Response General Settings Use this ruleset to configure basic HTTP response parameters, including idle time out, maximum line length, and maximum total length of an HTTP response header. If you set a value control to zero (0) bytes, the XTM device ignores the size of HTTP response headers. Header Fields This ruleset controls which HTTP response header fields the XTM device allows. Response headers can be used to specify cookies, supply modification dates for caching, instruct the browser to reload the page after a specified time interval, and for several other tasks. Content Types This ruleset controls the types of MIME content allowed through the XTM device in HTTP response headers. By default, the XTM device allows some safe content types and denies MIME content that has no specified content type. This is a common way of restricting the types of files that users can download from web sites. 
Cookies
Use this ruleset to control cookies included in HTTP responses. The default ruleset allows all cookies. HTTP cookies are used to track and store information about users who visit particular sites.

Body Content Types
This ruleset gives you control of the content in an HTTP response. By default, the XTM device is configured to deny Java applets, ZIP archives, Windows exe/dll files, and Windows cab files. It is a good idea to examine the file types used in your organization and allow only the necessary file types.

Use Web Cache Server
If you have an existing HTTP caching proxy server on your network, you can forward HTTP requests from the XTM device to your proxy server. For more information, see the Fireware XTM WatchGuard System Manager Help or User Guide.

HTTP-Proxy Exceptions
All traffic to or from a domain listed in this ruleset bypasses the proxy completely. List only trusted sites that supply needed files which would otherwise be denied by other parts of the HTTP-proxy. By default, the Microsoft Windows Update web sites are ignored by the HTTP-proxy.

WebBlocker
See the subsequent section for more information on how to restrict Web access with a WebBlocker profile.
Antivirus
This ruleset sets the actions to take if a virus is found. Although you can use the proxy definition screens to activate and configure Gateway AntiVirus, it is easier to use the Tasks menu in Policy Manager to do this. For more information, see the Signature Services training module.

Reputation Enabled Defense
If you have purchased the Reputation Enabled Defense Service, this ruleset enables you to immediately block URLs that have a bad reputation, and to bypass any configured virus scanning for URLs that have a good reputation. You can also change the Good and Bad reputation thresholds.

Deny Message
Use this feature to customize the default deny message that your trusted users see if the XTM device denies HTML content.

Proxy and AV Alarms
This ruleset lets you define the type of alarm that is sent any time a notification is triggered by an HTTP ruleset.
Web Traffic
WebBlocker Categories
The WebBlocker database is divided into 54 topic categories such as News, Gambling, or Adult/Sexually Explicit. You can find a list and description of the categories when you configure WebBlocker, or in the Fireware XTM WatchGuard System Manager User Guide. You can also select to block all WebBlocker categories.
WebBlocker Exceptions
To override a WebBlocker action, you can add an exception to the WebBlocker categories to allow or deny a particular web site. The exceptions are based on IP addresses or on a pattern based on a URL. You can configure the XTM device to block a URL with an exact match. Usually, it is more convenient to configure the device to look for URL patterns. To match a URL path on all web sites, the pattern must have a trailing /*. The host in the URL can be the host name specified in the HTTP request, or the IP address of the server.
The web sites you block with WebBlocker exceptions apply only to HTTP traffic (not HTTPS). They are not added to the Blocked Sites list.
To create WebBlocker exceptions, you can use any part of a URL. You can set a port number, path name, or string that must be blocked for a specific web site. For example, if it is necessary to block only www.sharedspace.com/~dave because it has inappropriate photographs, you type www.sharedspace.com/~dave/*. This gives users the ability to browse to www.sharedspace.com/~julia, which could contain content you want your users to see. To block URLs that contain the word sex in the path, you can type */*sex*. To block URLs that contain sex in the path or the host name, type *sex*. Such broad wildcards should be used cautiously, however, since a rule like this would also unintentionally block access to a web site for the City of Middlesex. You can also block ports in a URL. For example, for http://www.hackerz.com/warez/index.html:8080, the browser uses the HTTP protocol on TCP port 8080 instead of the default method that uses TCP 80. You can block the port by matching *8080.
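The wildcard patterns above can be checked with a small matcher. This is an added example, not WatchGuard code: it assumes a simplified model in which '*' matches any run of characters, the scheme is stripped before matching, and matching is case-insensitive, and it reuses the example URLs from this section and the pattern from review question 7.

```python
import re

# Constructed model of WebBlocker exception patterns (added example, not
# WatchGuard code). Assumptions: '*' matches any run of characters including
# '/', the URL is tested without its scheme, and matching ignores case, so a
# pattern such as 'www.sharedspace.com/~dave/*' covers host and path together.

def pattern_to_regex(pattern):
    """Turn a wildcard pattern into an anchored regular expression."""
    parts = [re.escape(p) for p in pattern.lower().split("*")]
    return re.compile("^" + ".*".join(parts) + "$")

def strip_scheme(url):
    """Return the URL text after the scheme (host, path and anything that follows)."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip(), flags=re.IGNORECASE).lower()

def matches(pattern, url):
    """True when the exception pattern matches the URL."""
    return pattern_to_regex(pattern).match(strip_scheme(url)) is not None

def evaluate(url, exceptions):
    """Exceptions are tried top to bottom; the first match wins and its action
    overrides the category decision. Returns (action, pattern) or None when no
    exception matches and the WebBlocker category decision applies."""
    for pattern, action in exceptions:
        if matches(pattern, url):
            return action, pattern
    return None

# Constructed exception list built from the patterns discussed in the text.
EXCEPTIONS = [
    ("www.sharedspace.com/~dave/*", "deny"),   # one user's directory only
    ("*/*sex*", "deny"),                        # 'sex' anywhere in the path
    ("*8080", "deny"),                          # non-standard port at the end of the URL
    ("10.0.1.19/*politics*", "deny"),           # pattern from review question 7
]

if __name__ == "__main__":
    # Constructed URLs; the Middlesex one shows why the host-and-path wildcard
    # '*sex*' is broader than the path-only wildcard '*/*sex*'.
    for url in ["http://www.sharedspace.com/~dave/photo.jpg",
                "http://www.sharedspace.com/~julia/",
                "http://www.hackerz.com/warez/index.html:8080",
                "http://www.middlesex.gov/",
                "http://10.0.1.19/news/politics/today.html"]:
        print(url, "->", evaluate(url, EXCEPTIONS))
    print("'*sex*' matches www.middlesex.gov:", matches("*sex*", "http://www.middlesex.gov/"))
```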
When WebBlocker local override is enabled, if a user navigates to a web site that is blocked by WebBlocker, the WebBlocker request denied page includes a place where the user can type the WebBlocker override password.
If the user types the correct password, WebBlocker allows access to the override destination. The user can also edit the override destination using wildcards to allow override access to more than one site, or to more pages in a site. You can use wildcards in an override destination in the same way you use them to define a WebBlocker exception. In effect, WebBlocker local override allows the user to define a temporary WebBlocker exception. WebBlocker enables access to the override destination until the WebBlocker local override inactivity timeout is reached or, if the user was authenticated, until the user logs out. The default inactivity timeout for local override is five minutes.
WebBlocker Schedules
You can set an operating schedule for a set of WebBlocker rules. You use time periods to set rules for when to block different web sites. For example, you can block sports web sites during usual business hours of operation, but allow users to browse at lunch time, evenings, and weekends. To do this, you add a schedule to the HTTP-proxy policy that WebBlocker is assigned to. You can also configure two HTTP policies, but create a schedule for only one of them. Each policy uses one of the HTTP-proxy actions. Each of these HTTP-proxy actions points to one of at least two WebBlocker actions.
WebBlocker Server
You install and activate the WebBlocker Server when you install WatchGuard System Manager (WSM). If you did not originally install the WebBlocker Server when you installed WSM, you can do so at any time. Run the WSM installer again and select the check box for WebBlocker. Then, continue the installation.
If you are attending a class, your instructor installed the WebBlocker Server on your workstation.
Exercise 1:
Successful Company network administrators are now ready to configure the XTM device to enforce the company's policy on browsing the Web. In this exercise, you use Policy Manager to edit the predefined HTTP-Client ruleset to limit the types of HTTP connections that Successful Company employees can start. Specifically, you will:
- Enable logging for HTTP client requests
- Block HTTP client connections to YouTube
- Enable the web download of Microsoft Word, Excel, and PowerPoint documents, as well as ZIP files
- Customize the message that users see when some of the content in their web requests is denied
1. In the Categories list, expand HTTP Request and select URL Paths.
The URL Paths page appears. The default configuration for the HTTP-Client proxy action allows all URL paths.
3. In the If matched drop-down list, select Deny.
4. To send a log message when this rule denies a connection, select the Log check box.
Allow Microsoft Office Documents and ZIP Files Through the HTTP-Proxy
Sometimes, Successful Company users must download certain Microsoft Office documents. Also, employees often use their browser to download files compressed in the ZIP file format, even though it is a security risk. After their network administrator educates users on the types of zipped files to avoid, they decide to allow zipped content through the HTTP-proxy as well. To allow these types of content, you must edit two of the HTTP Response rulesets. In the HTTP Proxy Action Configuration dialog box:
1. In the Categories list, expand HTTP Response and select Content Types.
The Content Types page appears. The list of content types allowed by default includes PDF, XML, Flash, text, and image files.
To see some of the common MIME types, click Predefined. To find the MIME type for some of the content you want to allow or deny through the device, see your vendor documentation or go to http://www.iana.org/assignments/media-types/.
3. Click Add.
The New Content Type Rule dialog box appears.
4. In the Rule Name text box, type Excel.
5. In the Rule Settings text box, type application/ms-excel.
6. In the Action drop-down list, select Allow.
7. Click OK.
Excel data sheets are now allowed by the HTTP-proxy.
8. Repeat Steps 2-7 for Microsoft PowerPoint (PPT) files. Use application/mspowerpoint as the pattern.
PowerPoint presentations are now allowed by the HTTP-proxy.
9. Repeat Steps 2-7 for Microsoft Word (DOC) files. Use application/msword as the pattern.
Word documents are now allowed by the HTTP-proxy.
10. Repeat Steps 2-7 for zip archive (ZIP) files. Use application/zip as the pattern.
Zip archives are now allowed by the HTTP-proxy.
11. In the Rules (advanced view) list, select application/*. Click Edit.
The Edit Content Type Rule dialog box appears.
12. From the Action drop-down list, select Deny. Click OK.
All other content types not specifically allowed are denied by the HTTP-proxy.
13. In the Categories list, expand HTTP Response and select Body Content Types.
The Body Content Types page appears.
16. From the Action drop-down list, select Allow. Click OK.
This action allows zip archives as a body content type.
2. In the Deny Message text box, select the WatchGuard HTTP proxy phrase.
3. To replace the selected phrase, type Successful Company firewall.
4. At the end of the <b> Path: </b> %(url-path)% </p> line, click to place your cursor and press Enter on your keyboard.
5. On the new line, press the space bar to align the new text with the text in the previous line.
8. (Optional) In the Name text box, type a unique name for the proxy action.
The default name for a clone is HTTP-Client.1. You can also give it a friendly name to help you recognize it.
10. Click OK to close the New Policy Properties dialog box.
11. Click Close to close the Add Policy dialog box.
The HTTP-Employees policy appears in your policy list.
Exercise 2:
Frequently, software companies configure their software to contact one of their servers for software updates. This traffic can occur over HTTP. The update session can include many content types, file names, and other properties that could cause the HTTP-proxy to deny the traffic. At Successful Company, many employees use the Mozilla Firefox browser. To allow the clients to update their browsers automatically, we use Policy Manager to add the Firefox servers to the list of HTTP-proxy exceptions. Traffic to a domain listed in the HTTP Proxy Exceptions list is not examined by the HTTP-proxy policy.
4. In the text box below the HTTP Proxy Exceptions list, type *.mozilla.com and click Add.
*.mozilla.com appears in the list.
5. Click OK to close the Edit HTTP Proxy Action Configuration dialog box.
6. Click OK to close the Edit Policy Properties dialog box.
Exercise 3:
Successful Company has a web server on the optional network at 10.0.2.80. Initially, their network administrators find the default settings of the HTTP-Server ruleset sufficiently robust to protect their server. Later we will learn that sometimes you need to change that ruleset to provide additional protection.
4. In the To list, select Any-External. Click Remove.
5. In the To section, click Add.
The Add Address dialog box appears.
7. Click Add.
The Add SNAT dialog box appears.
8. In the SNAT Name text box, type a name for this SNAT action.
9. Click Add.
The Add Static NAT dialog box appears.
10. In the Internal IP Address text box, type 10.0.2.80.
11. Click OK to close the Add Static NAT dialog box.
The new Static NAT entry appears in the SNAT Members list.
12. Click OK to close the Add SNAT and the SNAT dialog boxes.
The IP address appears in the Add Address dialog box in the Selected Members and Addresses list.
18. Click OK. Click Close to close the Add Policies dialog box.
The HTTP-Public-Server policy appears in the policy list.
3. In the Name text box, type HTTP-Server-BlockPassport.
4. In the Categories list, expand HTTP Request and select Authorization.
The Authorization page appears.
The first portion of the list is in blue text and consists of the default policies. The second portion of the list is in black text and includes the templates we created during our exercises.
7. From the Action drop-down list, select Strip. Select the Log check box.
This rule strips all headers that include Passport1.4 authentication requests and sends a log message.
9. Click OK to close the Clone HTTP Proxy Action Configuration dialog box.
The Proxy Actions dialog box appears with the cloned proxy action in the list.
This enables us to quickly apply this ruleset again in the future. You now have a ruleset which strips Passport 1.4 authorization requests.
Exercise 4:
You must have a WebBlocker feature key to complete these exercises.
Successful Company is pleased with the results of their purchase of spamBlocker. The network administrators decide to purchase the WebBlocker feature to enforce HR restrictions on what web content can be viewed during work hours.
2. Click Add.
The New WebBlocker Configuration dialog box appears, with the Servers tab selected.
4. In the Description text box, type Everyone but the Executives and IT.
5. Click Add.
The Add WebBlocker Server dialog box appears.
6. In the Server IP text box, type the IP address of your computer. Click OK.
The IP address appears in the Servers list. When you use more than one WebBlocker Server, client computers try to connect to a server in the order the servers appear in the list. They keep trying until they connect successfully.
3. In the Crime list, select the Intolerance & Hate check box.
4. Scroll through the categories and select any others you think might be blocked at your company.
For example, you can also block Peer-to-Peer and spam URLs to help protect your network from malware.
Create an Exception
A web site about advertising principles that has a section on Ravel's Bolero is in the Adult/Sexually Explicit category. However, this is a useful site for the Successful Company Marketing department. The network administrator wants to create a WebBlocker exception for this site. In the New WebBlocker Configuration dialog box:
3. In the Match Type drop-down list, keep the default setting.
4. From the Type drop-down list, select Host IP Address.
5. In the Host IP Address text box, type 23.23.36.223.
The Directory text box is automatically populated with /*. This unblocks all sites with the selected address.
6. Click OK.
The new exception appears in the list. WebBlocker now allows access to this site even though its IP address is in the Adult/Sexually Explicit category.
13. Click OK to close the Edit HTTP Proxy Action Configuration dialog box.
The Proxy Actions dialog box appears.
1. Select Setup > Actions > WebBlocker.
2. Select the General Employees WebBlocker configuration you created. Click Edit.
3. In the Edit WebBlocker Configuration dialog box, select the Advanced tab.
4. Select the Use this passphrase and inactivity timeout to control WebBlocker local override check box.
5. Type and confirm the local override Passphrase.
The local override passphrase must be between eight and 32 characters.
6. Click OK to close the Edit WebBlocker Configuration dialog box.
7. Click Close to close the WebBlocker Configurations dialog box.
8. Save the configuration file.
2. Fill in the blank: For better security, place your public web server on the __________ network.
3. In the screen shot below, all of the URL Path entries are set to Deny if matched.
With this configuration, which web sites will the XTM device block? (Select all that apply.)
A) terrificsex.com
B) allthemusic.bittorrent.com
C) sex.thegoodstuff.com
D) www.trumpets.org
E) prevent.pornography.org
F) www.microsoft.com/porno/msupdate.asp
G) www.microsoft.com/patches/porno.exe
H) www.bittorrent.com
I) singing.napster.com
J) napster.communication.net
K) troubleshootingwinxp.hardcore.com
4. True or false? WebBlocker adds URL filtering to the SMTP-proxy.
5. How many WebBlocker categories are available?
A) 14
B) 24
C) 40
D) 54
E) None of the above
6. True or false? An exception to the WebBlocker rules allows a site that is normally blocked to be viewed, or a site that is normally viewed to be blocked.
7. Employees can view the web site 10.0.1.19, except for its pages on politics. If the site's pages on politics all have the word politics somewhere in the path, what do you type in the Pattern text box?
8. True or false? You can create new WebBlocker categories.
9. True or false? You can create a WebBlocker exception that blocks a specific port in a URL.
10. True or false? You can allow a user to bypass the WebBlocker restrictions.
ANSWERS
1. A. HTTP-Client; B. Other; C. HTTP-Server; D. HTTP-Client; E. HTTP-Client; F. Other
2. Optional (also known as a DMZ)
3. B, C, E, F, G, H, I, K
4. False
5. D
6. True
7. 10.0.1.19/*politics*
8. False
9. True
10. True
Threat Protection
Defend Your Network From Intruders
What You Will Learn
Firewalls provide both signature-based and default threat protection measures. In this training module, you learn how to:
- Understand the different types of intrusion protection available for the XTM device
- Configure Fireware XTM default packet handling options to stop many common attacks
- Block IP addresses and ports used by hackers to attack your network
- Automatically block IP addresses that send suspicious traffic
Before you begin these exercises, make sure you read the Course Introduction module.
A firewall-based IPS can also protect your network from a zero-day threat. In other words, before the network security community is even aware that the vulnerability exists, broad categories of attack types are automatically identified and blocked by a strong firewall-based IPS.
Signature-based IPS
You can configure this type of IPS defense (such as the Fireware XTM Intrusion Prevention Service) to compare the contents of packets against a database of character strings that are known to appear in attacks. Each unique character string is called a signature. When there is a match, the XTM device can block the traffic and notify the network administrator. To remain protected, you must regularly update the signature database. Signature-based approaches use less processing time than firewall-based IPS options; however, to keep them current, the database must be updated regularly. As a result, signature-based IPS is good for maintaining efficient, high performance protection, while firewall-based IPS catches the zero-day threats. The rest of this training module focuses on the firewall-based IPS options available with Fireware XTM. For more information on signature-based options, see the Signature Services training module.
Default packet handling:
- Rejects packets that could be used to get information about your network
- Automatically blocks all traffic to and from a source IP address when a configured limit is reached
- Adds an event to the log file
- Sends an SNMP trap to the SNMP management server (when configured)
- Sends a notification of possible security risks (when configured)
Unhandled Packets
Packets that are denied by the firewall because they do not match any of the firewall policies are blocked as unhandled packets. The Default Packet Handling options give you the tools to block the source of any unhandled packet. This is an extremely aggressive security setting and is not enabled by default.
Port(s)      Service             Reason
0            NONE                XTM device always blocks this port and you cannot override this default.
1            TCPmux              Block to make it more difficult for port scanning tools.
111          RPC                 Used by RPC Services to find out which ports an RPC server uses. These are easy to attack through the Internet.
513, 514     rlogin, rsh, rcp    Because they give remote access to other computers, many attackers probe for these services.
2049         NFS                 New versions of NFS have important authentication and security problems.
6000-6005    X Window System     Client connection is not encrypted and dangerous to use over the Internet.
7100         X Font Server       X Font Servers operate as the super-user on some hosts.
8000         (infrequently)      Used by many vendors whose software is vulnerable to a variety of attacks.
Exercise 1:
Successful Company just signed a sponsorship of the popular podcast Diggnation. Surprisingly, the publicity generates an unusually high volume of traffic to their public web server, so high, in fact, that the XTM device mistakenly interprets the requests as a Distributed Denial of Service (DDoS) attack. In this exercise, we use Policy Manager to increase the Per Server Quota threshold to prevent this problem.
1. Select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
2. In the Distributed Denial-of-Service Prevention section, in the Per Server Quota text box, type or select 200.
This doubles the number of connections that the XTM device allows before it triggers a DDoS block on additional connections.
3. Click OK.
Exercise 2:
The network administrator at Successful Company is more and more confident that his XTM device configuration policy is strong, strict, and effective at blocking most access to their network. However, the log files suggest that more can be done to reduce the impact of direct attacks on the performance of the firewall. He starts with blocking the potential sources of attacks.
3. In the Choose Type drop-down list, select Network IP.
4. In the Value text box, type 192.136.15.0/24.
5. (Optional) In the Comment text box, type a comment.
The member type shows if this is an IP address or a range of IP addresses. When you type an IP address, type all the numbers and the periods.
6. Click OK.
The entry appears in the Blocked Sites list. With this configuration, the XTM device blocks all packets to and from the 192.136.15.0/24 network range.
In this exercise, we will add an exception to the 192.136.15.0/24 network we blocked in the exercise above. We will configure the XTM device to allow connections to and from the single IP address: 192.136.15.22. In the Blocked Site Configuration dialog box:
3. In the Choose Type drop-down list, select Host IP.
4. In the Value text box, type 192.136.15.22.
6. Select OK.
Exercise 3:
After reading a LiveSecurity Foundations article, the Successful Company network administrator decides to deny all RSH (Remote Shell) connections. In addition, he would like to automatically block the source of any incoming attempts to use RSH.
2. Expand the Packet Filters folder and select RSH. Click Add.
The New Policy Properties dialog box appears.
3. In the RSH Connections are drop-down list, select Denied.
4. Configure the policy to deny connections:
- In the From list, add Any-External
- In the To list, add Any-Trusted, Any-Optional, Any-BOVPN
5. Select the Properties tab.
6. Select the Auto-block sites that attempt to connect check box.
7. Click OK.
The XTM device now automatically adds the IP address of any source of RSH packets to the Blocked Sites list. With a default configuration, the IP address stays on the Blocked Sites list for 20 minutes.
1. True or false? A firewall-based IPS maintains a database of character strings that match known viruses and worms.
2. Select the type of intrusion prevention measure for each Fireware XTM feature:
A) Gateway AntiVirus: Firewall-Based | Signature-Based
B) Default Packet Handling: Firewall-Based | Signature-Based
C) Blocked Sites: Firewall-Based | Signature-Based
D) IPS Service: Firewall-Based | Signature-Based
E) Blocked Ports: Firewall-Based | Signature-Based
3. Which of these actions can the XTM device perform when it looks for patterns that show if your network is at risk? (Select all that apply.)
A) Looks for packets which are not RFC compliant
B) Automatically blocks all traffic to and from a source IP address
C) Sends a log message to the Log Server
D) Sends a notification of possible security risks
E) All of the above
4. True or false? An unhandled packet is a packet that does not match any rule created in Policy Manager.
5. Fill in the blank: To block all traffic to and from a network, you add the address to the Blocked ________ list.
ANSWERS
1. False. A signature-based IPS maintains such a database.
2. Gateway AntiVirus - Signature; Default Packet Handling - Firewall; Blocked Sites - Firewall; IPS Service - Signature; Blocked Ports - Firewall
3. All of the above
4. True
5. Sites
Signature Services
AntiVirus, Intrusion Prevention, and Application Control
What You Will Learn
WatchGuard Gateway AntiVirus, Intrusion Prevention Service (IPS), and Application Control are signature-based services that identify and stop possible viruses and intrusions, and enable you to monitor and control application usage on your network. In this module, you learn how to:
- Understand how signature services work to protect your network
- Set up and configure Gateway AntiVirus
- Set up and configure the Intrusion Prevention Service
- Set up and configure Application Control
Before you begin these exercises, make sure you read the Course Introduction module. In this module, you will configure optional features of the XTM device. To configure these services, you must first purchase a feature key for Gateway AntiVirus, Intrusion Prevention Service, and Application Control. In addition, to activate the key you must have access to an XTM device. If you take this course with a WatchGuard Certified Training Partner, your instructor will provide you with both an XTM device and a feature key to enable these services.
WatchGuard Gateway AntiVirus and Intrusion Prevention Service protect against two categories of threats:
- AntiVirus: Identifies viruses and trojans brought into your network through email, web browsing, TCP connections, or FTP downloads.
- IPS: Identifies direct attacks on your network applications or operating system.
Quarantine (SMTP proxy only)
If you use the SMTP proxy, you can send email messages with a virus or possible virus to the Quarantine Server.

Remove (SMTP and POP3 proxies only)
Removes the attachment and allows the message and any other safe attachments to go to the recipient.

Drop (not supported in POP3 proxy)
Drops the packet and drops the connection. No information is sent to the source of the message.

Block (not supported in POP3 proxy)
Blocks the packet, and adds the IP address of the sender to the Blocked Sites list.

In addition, Gateway AntiVirus can scan traffic that matches rules in several categories in each proxy. In the Proxy Configuration dialog box, in the Categories list, click one of these categories to get access to the ruleset:
FTP Proxy
  Download; Upload
SMTP Proxy
  Content Types; File names
POP3 Proxy
  Content Types; File names
HTTP Proxy
  Requests: URL Paths; Responses: Content Types; Responses: Body Content Types
TCP-UDP Proxy
  Requests: URL Paths; Responses: Content Types; Responses: Body Content Types
The Intrusion Prevention Service includes a set of signatures associated with specific commands or text found in commands that could be harmful. You configure the Intrusion Prevention Service globally, and then you can enable or disable it for individual policies in your configuration. IPS groups intruder threats into five threat levels: Critical, High, Medium, Low, and Information. When you enable IPS, you can configure the action that the XTM device takes for content that matches IPS signatures at different threat levels. The actions IPS can take for each threat level are:
- Allow: Allows the content, even if it matches an IPS signature.
- Drop: Drops the content and drops the connection. No information is sent to the sender.
- Block: Blocks the packet, and adds the source IP address to the Blocked Sites list.
IPS is enabled for all policies by default. You can selectively disable it for specific policies, if needed. You can also configure exceptions, if an IPS signature blocks content that you want to allow.
IPS threat levels, signatures, and configuration options are different in Fireware XTM v11.4 and v11.5 than they were in earlier versions of Fireware XTM.
Per-Application Action
For each application or application category selected in an Application Control action, you can select one of these actions:
- Drop: Block the use of the selected application.
- Allow: Allow the use of the selected application.
Default Action
In each Application Control action, you also define a default action, to take if the application does not match the applications configured in the Application Control action. Those actions are:
- Drop: Block the connection.
- Allow: Allow the connection.
- Global: Use the Global Application Control action.
When you set the default action to Global, if traffic does not match the applications specified in the Application Control action, Application Control compares the traffic to the applications specified in the Global Application Control action. If the traffic does not match the applications in the Global Application Control action, Application Control uses the default action in the Global Application Control action.
It is not necessary to enable Application Control for a policy if you control the network on both sides of a traffic flow the policy handles. Some examples of these types of policies include policies that handle traffic for POS systems, intranet web applications, or internal databases and traffic in a DMZ. It is also usually unnecessary to enable Application Control for policies that are restricted by port and protocol and that only allow a known service. Some examples of these types of policies:
- Default WatchGuard policies
- DNS traffic
- RDP
- VoIP (SIP and H.323 application layer gateways)
Exercise 1:
You must have the Gateway AntiVirus feature key saved to the XTM device before you can do this exercise. For more information, see Add a Feature Key to the XTM Device on page 87.
The Successful Company CIO decides to invest in signature-based intrusion prevention measures. The network administrator recommends WatchGuard Gateway AntiVirus and IPS. Because the services are both cost effective and the WatchGuard system is familiar, the expense is approved. In this exercise, we will activate Gateway AntiVirus and configure it to automatically get updates.
2. Click Next.
If you are completing the training modules sequentially, or taking the class with an instructor, you should have several email, web, and FTP policies configured.
3. Clear the check box adjacent to the HTTP-Public-Servers policy. Click Next.
4. Click Finish.
1. When the wizard is complete, select Subscription Services > Gateway AntiVirus > Configure.
The Gateway AntiVirus dialog box appears and shows your proxy policies and whether Gateway AntiVirus is enabled.
2. Click Settings.
The Gateway AV Decompression Settings dialog box appears.
3. Select the Enable Decompression check box.
4. Make sure the number of Levels to scan to is set to 3.
7. Select the Enable automatic update check box. By default, the XTM device automatically updates signature database files every hour. Increase the Interval to 2 hours.
8. Select the Gateway AntiVirus Signatures check box to enable automatic updates for Gateway AV.
9. Click OK.
10. Click OK to close the Gateway AntiVirus dialog box.
You must save your changes to the XTM device before they take effect.
Exercise 2:
Now that the Gateway AntiVirus service is activated for all email proxies and the signature database is set to update every two hours, we must configure each of the actions we want the XTM device to take when an exploit is detected. If you have more than one proxy policy, you must configure each policy. In this exercise, we will configure the Successful Company SMTP-Incoming-Proxy policy to:
- Drop email message attachments that contain viruses
- Allow attachments that cannot be scanned
- Enable the automatic content type detection feature
Before you begin, open Policy Manager and make sure there is an SMTP proxy policy present in your configuration. If not, select Edit > Add Policies to add an SMTP proxy policy to your configuration.
Automatic content type detection can improve virus detection rates. Often, the content type value that appears in an email header is set incorrectly by email clients. With this feature enabled, the SMTP proxy tries to verify the content type of email attachments itself.
3. In the When a virus is detected drop-down list, select Remove.
4. In the When a scan error occurs drop-down list, select Allow.
5. Select the adjacent Alarm check box.
Because hackers often try to disguise executable files as other content types, we recommend that you enable content type auto detection to make your installation more secure.
7. Make sure the Enable content type auto detection check box is selected.
If you do not select this check box, the SMTP proxy uses the value stated in the email header, which clients sometimes set incorrectly. For example, an attached PDF file might have a content type stated as application/octet-stream. If you enable content type auto detection, the SMTP proxy recognizes the PDF file and uses the actual content type, application/pdf. If the proxy does not recognize the content type after it examines the content, it uses the value stated in the email header, as it would if content type auto detection were not enabled.
8. In the If matched drop-down list, select AV Scan.
9. Click OK to close the Gateway AntiVirus Configuration dialog box.
10. Click OK to close the Gateway AntiVirus dialog box.
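As an added illustration (not WatchGuard's code), this Python model shows how content type auto detection changes the type the proxy acts on, and how the Remove and Allow actions configured above play out when a virus is found or an attachment cannot be scanned. The magic-byte table, the virus marker and the scan-error case are constructed stand-ins for the real engine and signature database.

```python
from dataclasses import dataclass

# Constructed magic-byte table: prefix -> content type the proxy recognizes.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-msdownload"),   # Windows executable, whatever the header says
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]

# Constructed stand-in for a virus signature; the real engine uses its database.
VIRUS_MARKER = b"CONSTRUCTED-VIRUS-MARKER"


class ScanError(Exception):
    """Raised when the AV engine cannot scan an attachment."""


@dataclass
class AVConfig:
    on_virus: str = "Remove"        # "When a virus is detected" action
    on_scan_error: str = "Allow"    # "When a scan error occurs" action
    alarm_on_scan_error: bool = True
    auto_detect: bool = True        # "Enable content type auto detection"


def detect_content_type(data: bytes, declared: str, auto_detect: bool) -> str:
    """Return the content type the proxy uses for the attachment.

    With auto detection on, the proxy examines the bytes; if it recognizes the
    format it uses the real type, otherwise it falls back to the header value,
    exactly as it would with auto detection off.
    """
    if auto_detect:
        for prefix, ctype in MAGIC:
            if data.startswith(prefix):
                return ctype
    return declared


def av_scan(data: bytes) -> bool:
    """Constructed stand-in for the Gateway AV engine.

    A password-protected ZIP (encryption bit set in the local file header
    flags) cannot be scanned, so the engine reports a scan error instead.
    """
    if data.startswith(b"PK\x03\x04") and len(data) >= 8:
        flags = int.from_bytes(data[6:8], "little")
        if flags & 0x0001:
            raise ScanError("password-protected ZIP")
    return VIRUS_MARKER in data


def handle_attachment(data: bytes, declared: str, cfg: AVConfig) -> dict:
    """Apply the content type rule ("If matched": AV Scan) and the AV actions."""
    result = {
        "content_type": detect_content_type(data, declared, cfg.auto_detect),
        "action": "Allow",
        "alarm": False,
        "reason": "clean",
    }
    try:
        infected = av_scan(data)
    except ScanError as err:
        # Scan error: take the configured action and raise the alarm if set.
        result.update(action=cfg.on_scan_error, alarm=cfg.alarm_on_scan_error,
                      reason=str(err))
        return result
    if infected:
        result.update(action=cfg.on_virus, reason="virus detected")
    return result
```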
Exercise 3:
Now the Successful Company network administrator is ready to enable IPS in the device configuration.
6. Select the Intrusion Prevention and Application Control Signatures check box. Click OK.
7. Click OK to close the Intrusion Prevention dialog box.
Exercise 4:
The Successful Company network administrator is dismayed to learn that employees accidentally downloaded a nasty bot virus through the file sharing features of the Yahoo Messenger client. In this exercise, we configure the Global Application Control action to block the use of Yahoo Messenger and several other instant messaging applications. Then we apply this action to the HTTP-proxy policy.
Note
The list of applications you can control is based on a set of application signatures that Application Control uses to identify the applications. To make sure that Policy Manager has the most recent Application Control signatures from the XTM device, connect to your device with WatchGuard System Manager before you use Policy Manager to edit or update Application Control actions.
If you are completing the training modules sequentially, or taking the class with an instructor, you should have several DNS, email, HTTP, and FTP policies configured.
The Global Application Control action is a predefined action. You configure the Global action to block applications you do not want to allow for all or most users. In this example, we want to block instant messaging applications for all users.
2. Click the Global action to select it. Click Edit to edit the Global action.
The Application Control Action (predefined) dialog box appears. By default, all applications you can control appear in the application list.
You can use the radio buttons to show all applications, or show only applications that have an action configured.
The Search feature is the quickest way to find a specific application by name. You can also use the Category drop-down list to filter the list by category, such as Instant Messaging. Search is generally quicker, because each category contains many applications, and some applications may not be in the category you expect.
3. To search for the Yahoo Messenger application by name, in the search text box, type messenger.
The application list shows all applications that contain the word messenger.
5. For this exercise, the administrator wants to block all use of the Yahoo Messenger application. Click OK to set the action for all behaviors to Drop.
The Drop action appears in the action column for this application.
To allow the use of Yahoo Messenger for instant messaging, but block file transfers, you could select the Set the action for specific behaviors radio button. Then set the action for the Transfer behavior to Drop.
6. Click OK.
The Global Application Control action now blocks Yahoo Messenger.
You can optionally repeat the steps above to add any other applications to the Global Application Control action. Or, you can click Select by Category to set the action for all applications in an application category. To remove the action configured for an application, select the configured application in the list and click Clear Action.
1. In the Application Control Actions dialog box, select the Policies tab.
If you are completing the training modules sequentially, or taking the class with an instructor, you should already have created the HTTP policies used in this exercise.
4. Click OK. The Global Application Control action is now applied to the HTTP policies.
Exercise 5:
After the Successful Company administrator blocked Yahoo Messenger in the Global Application Control rule, the management requested that employees be allowed to use Yahoo Messenger for chat, but not for file transfers. In this exercise, we create a new Application Control action to control specific application behaviors. Then we apply that Application Control action to the HTTP-Employees policy. You created the HTTP-Employees policy in the Web Traffic training module. The HTTP-proxy policy controls traffic from any trusted network to any computer on the external network.
4. Select Set the action for specific behaviors.
5. Select the Transfer check box. From the adjacent drop-down list, select the application behavior.
The default action is Drop.
6. Click OK.
The Action for Yahoo Messenger is set to Drop, just for the Transfer application behavior.
7. From the When application does not match drop-down list, make sure Use Global action is selected. This is the default.
8. Click OK.
The new Application Control action appears in the Application Control Actions dialog box.
10. For the HTTP-Employees policy, change the Action to the new action you just created.
11. Click OK.
With this configuration:
- The HTTP-Employees policy uses the AppControl.1 Application Control action as the primary action to control application usage.
- For these users, Yahoo Messenger application traffic is not controlled, except for file transfer traffic, which is dropped.
- If HTTP traffic handled by the HTTP-Employees policy does not match the applications listed in the AppControl.1 action, the HTTP-Employees policy uses the Global Application Control action to determine whether to allow or drop the application traffic.
- For HTTP traffic handled by the HTTP-proxy policy, the Global Application Control action is used to control application usage.
2. True or false? Gateway AntiVirus can detect viruses in uuencoded email.
3. True or false? Gateway AntiVirus can detect viruses in password-protected ZIP files.
4. True or false? The Intrusion Prevention Service is only compatible with the HTTP and TCP proxies. It cannot detect possible intrusions in the SMTP, POP3, DNS, or FTP proxies.
5. True or false? When you enable the Intrusion Prevention Service, IPS is automatically enabled for all policies.
6. True or false? The Global Application Control Action applies to all policies in your configuration.
7. True or false? If you want to report on the usage of applications that are not blocked, you must enable logging of allowed packets in each policy that has Application Control enabled.
ANSWERS
1.
- A) Allow: Let the attachment go to the recipient even if it contains a virus.
- B) Lock: Encode the attachment so that the recipient cannot open it without a network administrator.
- C) Remove: Remove the attachment and delete it while sending the message to the recipient.
- D) Drop: Delete the attachment, send nothing to the recipient and send nothing to the sender.
- E) Block: Delete the attachment, send nothing to the sender or recipient, and add the sender to the Blocked Sites list.
- F) Send: Not a Fireware proxy action.
- G) Deny: Do not accept the file and notify the sender.
- H) Quarantine: Send the message to the Quarantine Server.
2. True
3. False
4. False
5. True
6. False
7. True
Reputation Scores
The WatchGuard reputation server assigns every URL a reputation score from 1 to 100. A reputation score closer to 100 indicates that the URL is more likely to contain a threat. A score closer to 1 indicates that the URL is less likely to contain a threat. If the RED server does not have feedback about a web address, it assigns a neutral score of 50.
These factors can cause the reputation score of a URL to increase, or move toward a score of 100:
- Negative scan results
- Negative scan results for a referring link
These factors can cause the reputation score of a URL to decrease, or move toward a score of 1:
- Multiple clean scans
- Recent clean scans
Reputation scores change over time. For increased performance, the XTM device stores the reputation scores for recently accessed web addresses in a local cache.
Reputation Thresholds
There are two reputation score thresholds you can configure:
- Bad reputation threshold: If the score for a URL is higher than the Bad reputation threshold, the HTTP proxy denies access without any further inspection.
- Good reputation threshold: If the score for a URL is lower than the Good reputation threshold and Gateway AntiVirus is enabled, the HTTP proxy bypasses the Gateway AV scan.
If the score for a URL is equal to or between the configured reputation thresholds and if you have enabled Gateway AV, the content is scanned for viruses.
Reputation Lookups
The XTM device uses UDP port 10108 to send reputation queries to the WatchGuard reputation server. Make sure this port is open between your XTM device and the Internet.
UDP is a best-effort service. If the XTM device does not receive a response to a reputation query soon enough to make a decision based on the reputation score, the HTTP proxy does not wait for the response, but instead processes the HTTP request normally. In this case the content is scanned locally if Gateway AV is enabled.
Note
If the response comes back late, it is possible you will see the reputation score assigned as -1 in the Traffic Monitor.
Reputation lookups are based on the domain and URL path, not just the domain. Parameters after escape or operator characters, such as & and ?, are ignored.
Reputation Enabled Defense does not do a reputation lookup for sites that have been added to the HTTP Proxy Exceptions list of the HTTP proxy action.
Exercise 1:
Successful Company has been using Gateway AV, and now wants to install Reputation Enabled Defense to further improve the performance and security of web browsing for their users. In this exercise you enable Reputation Enabled Defense on the Successful Company XTM device.
Before you begin this exercise:
- Make sure your device has a Reputation Enabled Defense feature key.
- Make sure the device has at least one HTTP proxy policy configured.
After the network administrator adds the feature key and saves it to the XTM device, he opens the device configuration in Policy Manager to enable the service.
3. Click Configure.
The Reputation Enabled Defense settings for the selected policy appear.
When you enabled Reputation Enabled Defense for this policy, the Immediately block URLs that have a bad reputation check box and the Bypass any configured virus scanning for URLs that have a good reputation check box were both automatically selected.
4. Click Advanced.
You can change the reputation thresholds, but we recommend that you keep them at the default values initially. After you have used Reputation Enabled Defense for a period of time, you can adjust the thresholds if you find that either setting is too aggressive.
Exercise 2:
Successful Company has enabled Reputation Enabled Defense and wants to monitor its effectiveness. In this exercise you look at the statistics that show Reputation Enabled Defense activity since the last system restart. Make sure your XTM device can do queries over UDP port 10108 to the WatchGuard reputation server in the cloud.
2. Type your XTM device trusted IP address and the status passphrase. Click OK.
The Firebox System Manager Front Panel tab appears.
In this example, we can see that 91% of all requested URLs had a good reputation score, and did not require local scanning by Gateway AV. We can also see that 67% of the URLs visited had a reputation score stored in the local cache. This means that the RED service did not need to request the score from the WatchGuard reputation server.
If Gateway AV is enabled, it scans the content of web sites that have an inconclusive reputation score. Those scan results are then sent to the Reputation Enabled Defense server as input for updated reputation scores for those URLs. This increases the likelihood that these URLs will have a more clearly good or bad reputation score in the future.
In this example, you can see that the total number of Reputation lookups is greater than the combined total number of URLs with good, bad or inconclusive scores. This is because the Reputation lookups statistic counts all lookup attempts, even if a response was not received in time to avoid a local AV scan. If the HTTP proxy does not receive a timely response to a reputation lookup request, it scans the content locally. When this happens, the lookup is added to the Reputation lookup total, but is not added to the total of good, bad, or inconclusive scores.
You can also see that the percentages shown in this example for good, bad and inconclusive scores do not add up to 100%. This is because these scores are calculated as a percentage of the total number of reputation lookups.
Note
If your statistics show that the number of good, bad and inconclusive scores are zero, but the number of Reputation lookups is high, this means that the reputation lookup attempts did not result in timely responses from the WatchGuard reputation server. Make sure your XTM device can send queries over UDP port 10108 to the WatchGuard reputation servers.
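An added model (not WatchGuard code) of the decision path described under Reputation Thresholds and Reputation Lookups, together with the Front Panel counters this exercise reads. The threshold values, the reputation feed and the browsing sequence are constructed; this module does not state the default thresholds, so the numbers used are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

BAD_THRESHOLD = 90    # assumed value; this module does not state the default
GOOD_THRESHOLD = 10   # assumed value; this module does not state the default
NO_FEEDBACK = 50      # neutral score for URLs the server has no feedback about
LATE_REPLY = -1       # score shown in Traffic Monitor when no timely response


def lookup_key(url: str) -> str:
    """Lookups use the host and path; anything after ? or & is ignored."""
    parts = urlsplit(url)
    path = (parts.path or "/").split("&", 1)[0]
    return parts.netloc.lower() + path


@dataclass
class RedStats:
    """Counters behind the Front Panel statistics."""
    lookups: int = 0
    good: int = 0
    bad: int = 0
    inconclusive: int = 0
    cache_hits: int = 0

    def percentages(self) -> Dict[str, float]:
        """Each figure is a percentage of all lookups, so good + bad +
        inconclusive need not reach 100% when some replies were late."""
        def pct(n: int) -> float:
            return round(100.0 * n / self.lookups, 1) if self.lookups else 0.0
        return {"good": pct(self.good), "bad": pct(self.bad),
                "inconclusive": pct(self.inconclusive),
                "cached": pct(self.cache_hits)}


@dataclass
class RedProxy:
    """Decision path of an HTTP proxy with Reputation Enabled Defense."""
    query: Callable[[str], Optional[int]]   # UDP 10108 lookup; None = no timely reply
    gav_enabled: bool = True
    exceptions: Set[str] = field(default_factory=set)    # HTTP Proxy Exceptions hosts
    cache: Dict[str, int] = field(default_factory=dict)  # recent scores (no expiry here)
    stats: RedStats = field(default_factory=RedStats)

    def _local(self) -> str:
        return "scan" if self.gav_enabled else "allow"

    def handle(self, url: str) -> Tuple[str, Optional[int]]:
        """Return (decision, score); decision is deny, bypass-scan, scan or allow."""
        key = lookup_key(url)
        if key.split("/", 1)[0] in self.exceptions:
            return self._local(), None            # no reputation lookup at all
        self.stats.lookups += 1
        if key in self.cache:
            self.stats.cache_hits += 1
            score = self.cache[key]
        else:
            score = self.query(key)
            if score is None:                     # best-effort UDP: do not wait
                return self._local(), LATE_REPLY
            self.cache[key] = score
        if score > BAD_THRESHOLD:
            self.stats.bad += 1
            return "deny", score                  # denied without further inspection
        if score < GOOD_THRESHOLD:
            self.stats.good += 1
            return ("bypass-scan" if self.gav_enabled else "allow"), score
        self.stats.inconclusive += 1
        return self._local(), score


# Constructed reputation feed standing in for the WatchGuard server.
SCORES = {"good.example/index.html": 5, "bad.example/": 95,
          "neutral.example/page": NO_FEEDBACK}  # "slow.example/" never answers


def demo() -> Tuple[list, RedStats]:
    """Replay a constructed browsing sequence through the proxy."""
    proxy = RedProxy(query=SCORES.get, exceptions={"intranet.example"})
    urls = [
        "https://good.example/index.html?session=abc",   # fresh lookup
        "https://good.example/index.html&utm=1",         # same key: cache hit
        "http://bad.example/",
        "http://neutral.example/page",
        "http://slow.example/",                          # late reply: local scan
        "http://intranet.example/",                      # proxy exception: no lookup
    ]
    decisions = [proxy.handle(u) for u in urls]
    return decisions, proxy.stats
```

In the demo, five lookups produce only four scored results, so the good, bad and inconclusive percentages sum to 80%, which is the effect the statistics discussion above describes.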
1. True or false? You must install a Reputation Enabled Defense server to use the Reputation Enabled Defense service.
2. The reputation score for a URL is based on which of the following? (Select all that apply.)
A) Results from Kaspersky anti-virus scans.
B) Results from AVG anti-virus scans.
C) Feedback from devices around the world.
D) URLs on the Reputation Enabled Defense black list.
E) Results of local Gateway AV scans on your XTM device.
3. Which of the following URL reputation scores indicates that a site is most likely to contain a threat? (Select one.)
A) 95
B) 50
C) 5
4. True or false? Local Gateway AntiVirus scans are only done for URLs that have an inconclusive reputation score (not good or bad).
5. Which of these factors can cause the reputation score of a URL to increase toward a score of 100? (Select all that apply.)
A) Negative scan results
B) No scan results.
C) Negative scan results for a referring link
D) All of the above.
ANSWERS
1. False. WatchGuard hosts the reputation server in the cloud.
2. A, B, C, E
3. A
4. True
5. A and C
Web UI
Explore Fireware XTM Web UI
What You Will Learn
You can use Fireware XTM Web UI for many monitoring and management tasks. In this training module, you learn:
- How to log in to the Web UI
- How to change the port the XTM device uses for the Web UI
- The limitations of the Web UI
- How to manage timeouts for Web UI management sessions
Before you begin these exercises, make sure you read the Course Introduction module.
You can safely click Continue to this website if you know that the IP address shown in your browser address bar is correct.
If you know that the IP address shown in the browser address bar is correct, you can safely click I Understand the Risks and follow the prompts to add a certificate exception. This certificate warning appears because your browser does not trust the certificate. There are two reasons for this:
1. Your browser does not trust the entity that signed the device certificate.
Fireware XTM Web UI uses a self-signed certificate. Your browser trusts only certificates signed by a trusted Certificate Authority, and certificates that you explicitly import into the browser as trusted certificates.
2. The Common Name on the certificate does not match what you typed into the browser address bar.
For a certificate to be trusted automatically, its common name must match the server name.
To correct both problems you can manually import the certificate. For more information, see the documentation from your browser or operating system vendor.
To avoid these warnings for all users, replace the certificate used by Fireware XTM Web UI with a certificate trusted by all of your network clients. This could be a certificate you purchase from a commercial vendor such as VeriSign or Thawte, or one you generate from a local CA used in your organization such as Microsoft Certificate Services on a Windows server. You can also create a custom certificate signed by the XTM device. This certificate can have multiple names on it, so that users can type the device IP address or a domain name (if the domain name has a record in the DNS system that resolves to the device IP address). Users must still import the certificate into their operating system or browser certificate store, however, because this is a self-signed certificate. For more information on this process, see the Fireware XTM WatchGuard System Manager Help or User Guide.
Get Help
There are two ways to get to the Help system from the Web UI:
- The header at the top of each page has a link that takes you to the main page of the Fireware XTM Web UI Help.
- For help with specific configuration tasks, each page in the Web UI has its own Help link. These Help links take you directly to the help topic that matches your current configuration page.
admin Use this account only when you want to make changes to the device configuration file. Only one user at a time can log in to the Web UI with this account. This prevents different users from modifying the same property at the same time. The passphrase for this account is the device's configuration, or read-write, passphrase. You also use this passphrase to save your configuration file to the device with Policy Manager. The header section of the Web UI interface shows which account you used to log in:
To log out of the Web UI, at the top of the page, click Logout.
Note
Because there are only two system accounts for the Web UI, status and admin, you must be careful about who gets access to these accounts. We recommend that you give the configuration passphrase only to trusted and authorized device administrators.
When you try to do any of these tasks when another user is logged in with the admin account, you see a message that shows the IP address of the current admin user. Policy Manager:
Web UI:
CLI:
There are two timeout settings that control administrator account access. These settings help make sure the admin account is not locked for a long time.
To change these timeout settings in the Web UI, select Authentication > Settings.
Or, from Policy Manager, select Setup > Authentication > Authentication Settings.
The timeout settings for management sessions include:
- Session Timeout: The maximum amount of time that an administrator session can last.
- Idle Timeout: The amount of time with no activity in the Web UI. Activity means that you do something in the browser that causes the browser to get data from the XTM device, or causes the browser to send data to the XTM device.
The Web UI sends a keep-alive message to the device every 20 seconds. If the device does not receive this message from your browser for over 60 seconds, the device closes your session. However, the keep-alive message does not reset the idle timeout timer for management sessions. This lets the device close a management session quickly if you close the browser without first logging out of the Web UI. The device keeps a management session open for the full idle timeout if you keep the browser open but do nothing with it.
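An added model (not WatchGuard code) of the timers just described. It shows why a browser closed without logging out ends the admin session within about a minute, while an open but idle browser holds the session for the full idle timeout and an active user is still cut off by the session timeout; the timeout values used in the scenarios are assumptions, not the device defaults.

```python
from dataclasses import dataclass

KEEPALIVE_INTERVAL = 20   # the browser sends a keep-alive every 20 seconds
KEEPALIVE_GRACE = 60      # no keep-alive for over 60 seconds closes the session


@dataclass
class ManagementSession:
    """One Web UI management session; all times are seconds since login."""
    session_timeout: int      # assumed value in the scenarios below
    idle_timeout: int         # assumed value in the scenarios below
    started: int = 0
    last_activity: int = 0
    last_keepalive: int = 0
    closed_reason: str = ""

    def activity(self, now: int) -> None:
        """A browser request that moves data to or from the device resets the idle timer."""
        self.last_activity = now
        self.last_keepalive = now

    def keepalive(self, now: int) -> None:
        """Keep-alives prove the browser is still open but do NOT reset the idle timer."""
        self.last_keepalive = now

    def state(self, now: int) -> str:
        if self.closed_reason:
            return self.closed_reason
        if now - self.started > self.session_timeout:
            self.closed_reason = "closed: session timeout"
        elif now - self.last_activity > self.idle_timeout:
            self.closed_reason = "closed: idle timeout"
        elif now - self.last_keepalive > KEEPALIVE_GRACE:
            self.closed_reason = "closed: browser gone (no keep-alive)"
        else:
            return "open"
        return self.closed_reason


def idle_browser_open(idle_timeout: int = 900) -> tuple:
    """Browser left open with no clicks: keep-alives keep arriving every 20 s."""
    s = ManagementSession(session_timeout=36000, idle_timeout=idle_timeout)
    now = 0
    while s.state(now) == "open":
        now += KEEPALIVE_INTERVAL
        s.keepalive(now)
    return now, s.state(now)


def browser_closed_at(t_close: int, idle_timeout: int = 900) -> tuple:
    """Browser closed without Logout at t_close: keep-alives stop arriving."""
    s = ManagementSession(session_timeout=36000, idle_timeout=idle_timeout)
    now = 0
    while s.state(now) == "open":
        now += KEEPALIVE_INTERVAL
        if now <= t_close:
            s.keepalive(now)
    return now, s.state(now)


def active_user(session_timeout: int = 3600, idle_timeout: int = 900) -> tuple:
    """User clicks every 5 minutes: the idle timer keeps resetting, but the
    session timeout still ends the session."""
    s = ManagementSession(session_timeout=session_timeout, idle_timeout=idle_timeout)
    now = 0
    while s.state(now) == "open":
        now += KEEPALIVE_INTERVAL
        s.keepalive(now)
        if now % 300 == 0:
            s.activity(now)
    return now, s.state(now)
```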
2. To edit the WatchGuard Web UI policy, select the policy and click Or, double-click the WatchGuard Web UI policy.
The policy appears.
You can restrict or expand access to the Web UI by adding or removing entries in the From list:
- You can allow access to the Web UI from external networks by adding the Any-External alias (or an appropriate IP address).
- You can restrict access to the Web UI from internal locations by removing the Any-Trusted and Any-Optional aliases. Make sure to keep at least one IP address from which you want to allow access so that you can manage the XTM device from that computer.
- You can remove all IP addresses and aliases, and replace them with user names or group names. When you do this, you force users to authenticate before they are allowed access to the Web UI.
To see which port and protocol the WatchGuard Web UI policy controls, select the Properties tab.
In Policy Manager:
3. Click OK.
1. Select System > Global Settings.
2. In the Web UI Port text box, type or select the port.
3. Click Save.
Exercise 1:
1. From a computer on the Trusted network, open a web browser and go to https://<device-ip-address>:8080.
Replace <device-ip-address> in the address with the IP address of your XTM device.
2. If a certificate warning appears:
- For Internet Explorer, click Continue to this website.
- For Mozilla Firefox, add an exception as previously described.
The Web UI login dialog box appears.
3. From the Username drop-down list, select status.
4. In the Passphrase text box, type the status (read-only) passphrase. Click Login.
The Fireware XTM Web UI Dashboard System page appears.
Note that at the top of the page, the Disable button is not available.
7. Navigate to other pages in the Web UI and note that you cannot change any settings.
8. At the top of the Web UI, click Logout.
You are logged out of the Web UI and the login dialog box appears again.
Exercise 2:
By default, Fireware XTM devices listen on port 8080 for Web UI connections. It is possible you have a network policy or firewall that blocks connections on this port. It is also possible that you use port 8080 in your network and you need to forward it from the external network to an internal Web server. If this is the case, you cannot use port 8080 for connections to the Web UI from the external network. The XTM device cannot listen for port 8080 connections and forward connections from external networks on the same interface.
In this exercise, you connect to the Web UI, change the port for the Web UI, and use the new port to connect to the Web UI again.
Note
Remember that when you change the port for the Web UI, you must use the new port the next time you connect to the device.
2. If a certificate warning appears:
- For Internet Explorer, click Continue to this website.
- For Mozilla Firefox, add an exception as previously described.
The Fireware XTM Web UI Login page appears.
3. From the Username drop-down list, select admin. In the Passphrase text box, type the configuration passphrase.
The Fireware XTM Web UI Dashboard System page appears.
5. In the Web UI Port text box, type or select 8081. Click Save.
A warning message appears to explain that you must use the new port when you log in again.
6. Click Yes.
The logon prompt appears again with a message to log in again.
7. Click OK.
9. Accept the certificate warning (Internet Explorer) or add an exception (Firefox) and log in again with the admin account credentials.
10. In the navigation bar, select Firewall > Firewall Policies.
The Firewall Policies area appears.
11. Double-click the WatchGuard Web UI policy to view its properties.
12. Select the Properties tab.
The port for the policy was automatically changed to 8081.
Exercise 3:
When you configure a WatchGuard XTM device with the Quick Setup Wizard, a policy is created automatically that allows you to connect to the Web UI from any computer on the trusted or optional networks. If you want to manage the XTM device from a remote location (any location on an external network), then you must change your configuration to allow connections to the Web UI from that location.
Before you change a policy to allow connections to the XTM device from a computer external to your network, it is a good idea to consider these alternatives:
- Is it possible to connect to the XTM device with a VPN? This greatly increases the security of the connection. If you can connect with a VPN, then you do not need to allow other connections.
- If it is not possible to connect to the XTM device with a VPN, we recommend that you use authentication for additional security.
- It is more secure to limit access from the external network to the smallest number of computers possible. For example, it is more secure to allow connections from a single computer than it is to allow connections from the Any-External alias.
- If you decide to allow connections to the XTM device from Any-External, it is especially important that you set very strong status and configuration passphrases. It is also a good idea to change your passphrases at regular intervals.
To configure the WatchGuard Web UI policy to allow access to the Web UI from an external computer:
1. From a computer on the trusted network, open a web browser and go to https://<device-ip-address>:8080.
Replace <device-ip-address> in the address with the XTM device trusted interface IP address.
2. If a certificate warning appears:
- For Internet Explorer, click Continue to this website.
- For Mozilla Firefox, add an exception as previously described.
The Fireware XTM Web UI Login page appears.
Your instructor may ask that you complete these steps. This will enable your instructor to troubleshoot configuration issues from his computer later in the class.
3. From the Username drop-down list, select admin. In the Passphrase text box, type the configuration passphrase.
The Web UI Dashboard System page appears.
5. Double-click the WatchGuard Web UI policy to edit it.
6. In the From section, click Add.
The Add Member dialog box appears.
7. From the Member Type drop-down list, select Alias.
8. Select Any-External and click OK.
9. Click Save at the bottom of the page to apply this change to your device.
10. From a computer on the external network, try to connect to the Web UI. Type https://<device-external-ip-address>:8080 in the browser address bar. You should be able to connect to the device.
1. Which account do you use to log in to the Web UI to change the configuration? (Select one.)
A) admin
B) status
C) configuration
D) administrator
2. What is the default port for the Web UI? (Select one.)
A) 8100
B) 8088
C) 8080
D) 8000
3. True or false? You can save the XTM device configuration file to a local disk drive from the Web UI.
4. True or false? You must install WSM software to use the Web UI.
5. How many users can simultaneously log in to the Web UI with the admin account? (Select one.)
A) 1
B) 2
C) 4
D) unlimited
6. How many users can simultaneously log in to the Web UI with the status account? (Select one.)
A) 1
B) 2
C) 4
D) unlimited
COPYRIGHT 2011 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, and Core are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.