
WatchGuard

XCSv
Setup Guide

All XCSv Editions


Copyright and Patent Information
Copyright 2010-2013 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, the WatchGuard logo, LiveSecurity, and any other mark listed as a trademark in the Terms of Use portion of
the WatchGuard Web site that is used herein are either registered trademarks or trademarks of WatchGuard Technologies,
Inc. and/or its subsidiaries in the United States and/or other countries. All other trademarks are the property of their
respective owners.
Printed in the United States of America.
Revised: October 15, 2013

Complete copyright, trademark, patent, and licensing information can be found in the WatchGuard product
documentation. You can find this document online at:
http://www.watchguard.com/help/documentation/

Notice to Users
Information in this guide is subject to change without notice. Updates to this guide are posted at:
http://www.watchguard.com/help/documentation/
Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be
reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express
written permission of WatchGuard Technologies, Inc.

ABOUT WATCHGUARD
WatchGuard offers affordable, all-in-one network and content security solutions that
provide defense-in-depth and help meet regulatory compliance requirements. The
WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL
filtering to protect your network from spam, viruses, malware, and intrusions. The new
XCS line offers email and web content security combined with data loss prevention.
WatchGuard extensible solutions scale to offer right-sized security ranging from small
businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable,
and robust security appliances featuring fast implementation and comprehensive
management and reporting tools. Enterprises throughout the world rely on our
signature red boxes to maximize security without sacrificing efficiency and
productivity.
For more information, please call 206.613.6600 or visit www.watchguard.com.

ADDRESS
505 Fifth Avenue South
Suite 500
Seattle, WA 98104

SUPPORT
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575

SALES
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895

WatchGuard XCSv Setup

The WatchGuard XCS is an easy-to-use, all-inclusive email and web appliance that provides security and
privacy of inbound and outbound traffic. The WatchGuard XCS provides content security that enables data
loss prevention, encryption, and content filtering with integrated threat prevention for viruses, spam,
spyware, phishing, and malware attacks, all in a secured appliance.
WatchGuard XCSv is a new email and web security solution that provides all the security features of our
WatchGuard XCS technology optimized for a VMware or Microsoft Hyper-V virtual machine environment.
You can use the WatchGuard XCS Web UI to manage an XCSv device just as you manage any other
WatchGuard XCS device.
This guide introduces the WatchGuard XCSv and provides detailed information on how to configure your
virtual environment and install the XCSv software.

WatchGuard XCSv Documentation


You can use the online help manual for the majority of your documentation needs. To access the online help,
from the Web UI, select Support > Online Manual.
You can view and download the most current documentation for the WatchGuard XCS on the WatchGuard
Product Documentation page:
http://www.watchguard.com/help/documentation


WatchGuard XCSv Licensing


XCSv devices are licensed in several editions that provide different levels of scalability and performance:
Small Office Edition
Medium Office Edition
Large Office Edition
Large Office XC Edition
When you activate your XCSv device, you receive a feature key that enables the WatchGuard XCS capabilities
for the XCSv edition you have licensed. You can upgrade from one XCSv edition to another.
Note
To activate your device in the Setup Wizard, you must have the device serial number (V2C9xxxxx-xxxx).
You cannot use the serial number V2C900000-DC79, which is the default serial number for a
new unactivated device.

For a full description of the features and capabilities of each XCSv edition, see the Products & Services section
of the WatchGuard web site at www.watchguard.com.

Get a Feature Key from LiveSecurity


A feature key is a license that enables you to activate your purchased feature set on your WatchGuard XCSv.
You must register the device serial number on the WatchGuard LiveSecurity web site and retrieve your feature
key before adding it to the WatchGuard XCSv.
To retrieve a feature key from the LiveSecurity web site:

1. Open a web browser and go to: https://www.watchguard.com/activate.


2. If you have not already logged in to LiveSecurity, the LiveSecurity Log In page appears.
You can create an account if this is your first time logging in.
3. Enter your LiveSecurity user name and password.
4. The Activate Products page appears.
5. Enter the serial number for the product, including the hyphens. For example, V2C9xxxxx-xxxx.
6. Click Continue.
7. Follow the prompts to activate your device.
8. Copy the feature key to a text file and save it on your computer.
9. Click Finish.


Installation Prerequisites
These sections describe the installation prerequisites for XCSv on VMware and Microsoft Hyper-V.

VMware
You must install the XCSv virtual device in a VMware environment that meets these requirements.

VMware
To install an XCSv virtual device, you must have a VMware vSphere Hypervisor/ESXi v4.1 Update 2 (or
later version) host installed on any supported server hardware.
Note
Make sure your VMware vSphere/ESXi software is updated to the latest patch level.

You must also install the VMware vSphere Client on a supported Windows computer to manage the
virtual machines on your VMware host.
VMware Tools is installed by default with the XCSv virtual device. VMware Tools is a suite of utilities that
enhances and improves the performance and management of the virtual machine, and includes the
ability to cleanly power off or reset the guest operating system software from the host system.

Hardware
The hardware requirements for XCSv are the same as the hardware requirements for VMware vSphere
Hypervisor/ESXi. For information about VMware hardware compatibility, see the VMware
Compatibility Guide at: http://www.vmware.com/resources/compatibility/search.php
WatchGuard XCSv requires that your host hardware supports Intel Virtualization Technology (Intel VT)
or AMD Virtualization (AMD-V) and has these options enabled in the host system BIOS.
For more information about Intel VT compatibility, see the Intel Virtualization Technology List at:
http://ark.intel.com/VTList.aspx
AMD-V is supported in all K8 AMD (Athlon 64) processors from revision F, and all newer processors
support AMD-V technology.

Features Not Supported


These features are not supported for use with WatchGuard XCSv on VMware:
Network storage disks for the virtual host are not supported.
XCSv does not support vMotion for virtual device migration between VMware hosts.
XCSv console options:
Serial console: This feature is redundant with the physical host system serial console.
UPS configuration: UPS communications must be configured on the physical host system.


Microsoft Hyper-V
You must install the XCSv virtual device in a Hyper-V environment that meets these requirements.

Hyper-V
Hyper-V role on Windows Server 2008 R2 or Windows Server 2012, or stand-alone version of Hyper-V
Server 2008 R2 or Hyper-V Server 2012.
Make sure your Windows Server or Hyper-V Server software is updated to the latest patch level.
You can use the Hyper-V Manager on Windows Server 2012 to deploy, configure, and provision the
XCSv virtual machine in the Hyper-V environment. You can also use the System Center Virtual Machine
Manager (VMM) interface, or a Hyper-V role on a client computer, instead of Hyper-V Manager.

Hardware
The hardware requirements for XCSv are the same as the hardware requirements for Hyper-V on
Windows Server 2008 R2 or Windows Server 2012.

Network
You can configure a maximum of 8 interfaces.

Features Not Supported


These features are not supported for use with WatchGuard XCSv on Hyper-V:
XCSv does not support the dynamic memory setting on Hyper-V.
The Data Exchange and Volume Backup features are not supported.
Time synchronization is not supported. We recommend you use an NTP server in the XCSv network
configuration.
XCSv console options:
Serial console: This feature is redundant with the physical host system serial console.
UPS configuration: UPS communications must be configured on the physical host system.


Recommended Resource Allocation


WatchGuard XCSv performance is heavily dependent on CPU, memory, and disk resources. Resources are
shared between all virtual machines on a virtual host, and you must make sure that enough resources are
available to the XCSv virtual machine. To enable all functionality and provide optimal performance for your
XCSv edition, you must allocate these resources to the XCSv virtual machine:

                        Small Office   Medium Office   Large Office   Large Office XC
                        Edition        Edition         Edition        Edition
Virtual CPUs            1              2               4              8
Memory                  2 GB           2 GB            4 GB           8 GB
Network Adapters        2              3               4              4
OS Disk Space (Fixed)   24 GB          24 GB           24 GB          24 GB
Data Disk Space         40 GB          80 GB           160 GB         256 GB

For information about how to add resources for a VMware virtual machine, see VMware Virtual Machine
Resource Allocation on page 12.
For information on monitoring VMware resource usage, see Resource Monitoring on VMware on page 43.
For information about how to add resources for a Hyper-V virtual machine, see Hyper-V Virtual Machine
Resource Allocation on page 20.
For information on monitoring Hyper-V resource usage, see Resource Monitoring on Hyper-V on page 45.


Deployment
The WatchGuard XCSv is designed to be situated between internal email servers and clients, and external
servers on the Internet so that there are no direct connections between external and internal systems.
The WatchGuard XCSv is typically installed in one of these locations:
On the DMZ (Demilitarized Zone) of a network firewall
Behind the existing firewall on the internal network
In parallel with a network firewall
Messaging traffic is redirected from either the external interface of the network firewall or from the external
router to the WatchGuard XCSv. When the WatchGuard XCSv accepts and processes a message, the device
initiates a connection to the internal mail servers to deliver the messages.

WatchGuard XCSv deployed on the DMZ of the network firewall


The secure architecture of the hardware appliance-based WatchGuard XCS eliminates the risk associated with
deploying a physical appliance on the perimeter of a network. Because the WatchGuard XCSv is installed as a
virtual machine on a host where the host operating system can be vulnerable to security issues, we
recommend you install the virtual host and XCSv virtual machine on the DMZ of your network firewall or
behind your network firewall for greater security.
See the WatchGuard XCS User Guide for detailed information on the advantages and disadvantages of each
type of deployment.

Cluster Support
Clustering provides a scalable, redundant messaging security infrastructure that enables two or more XCSv
devices to act as a single logical unit for processing messages for redundancy and high availability benefits.
You can use multiple instances of XCSv in a cluster.
To provide proper hardware redundancy, we recommend you run clustered XCSv devices on separate virtual
host systems. If you run multiple XCSv devices on the same virtual host hardware, you can provide software
redundancy in the event a specific XCSv device is unavailable, but this does not provide redundancy if the
virtual host hardware or software fails.
For more information on configuring XCSv clustering with a virtual host, see Cluster Configuration on
page 36.


VMware Installation

Before You Begin


To prepare for your installation, make sure you have these items:
VMware vSphere Hypervisor/ESXi 4.1 Update 2 (or later version) host installed on a supported server
platform.
VMware vSphere 4.1 (or later version) client installed on a Windows computer
WatchGuard XCSv device serial number
You receive the serial number when you purchase the XCSv virtual device.
Your WatchGuard XCSv feature key
You receive the feature key when you activate your device on the LiveSecurity web site.
WatchGuard XCSv OVF template
The file name is xcsv-<version>.ova, where <version> is the XCS version.
Download the XCSv OVF template file from the Articles and Software section of the WatchGuard Portal at
www.watchguard.com.

Installation Overview
To complete initial installation you must perform these procedures described in the subsequent sections:

1. In the VMware vSphere client, deploy the XCSv OVF template file to the VMware host.
2. Perform any resource allocation (CPU, memory, disk, network) modifications on the VMware host
based on your XCSv edition.
3. Power on the XCSv virtual device.
4. Connect to the XCSv device to run the Setup Wizard.

Network Considerations
When you deploy the XCSv OVF template to the VMware virtual device, it is initially configured for the Medium
Office Edition with three active interfaces. You must map each of these interfaces to a physical destination
network on your VMware host. After you configure the XCSv device, you can enable and configure additional
XCSv device interfaces or remove interfaces if you need fewer interfaces. The maximum number of interfaces
you can enable in VMware is 10. For information about how to add resources to the device, see VMware
Virtual Machine Resource Allocation on page 12.

Time Synchronization Considerations


The WatchGuard XCSv OVF template automatically installs the VMware Tools utility software. VMware Tools is
a suite of utilities for managing your virtual device, and includes a time synchronization service that
synchronizes with the host system time. This service is disabled by default.
We recommend that you use the WatchGuard XCSv NTP settings to configure an NTP server, and keep the
VMware Tools time synchronization service disabled. These services must not be enabled and running at the
same time.
Note
The WatchGuard XCSv NTP settings must be configured if you are setting up an XCSv cluster.


Installation
Perform the following steps to install WatchGuard XCSv on a VMware host.

Install the VMware vSphere Client


To install the vSphere client:

1. Launch a web browser on your computer and type the IP address or host name of the VMware host
server as the URL in the location bar.

2. To download and install the vSphere Client, click Download vSphere Client.

Connect to the VMware Host


To connect to the VMware host:

1. Launch the VMware vSphere Client.

2. Type the IP address, User name, and Password for the VMware host, then click Login.


Deploy the XCSv OVF File


To create the XCSv virtual device, you must deploy the XCSv OVF template in the vSphere client.

1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. In the vSphere client, select File > Deploy OVF Template.

3. Browse to the location where you saved the WatchGuard XCSv OVF template file, xcsv-<version>.ova.
Click Next.
The XCSv OVF Template Details page appears.
4. Click Next.
The End User License Agreement appears.
5. Review the End-User License Agreement. Click Accept. Click Next.
The Name and Location page appears.
6. In the Name text box, type a name for this virtual device.


7. Select a resource pool within which to deploy this template. Click Next.
The Disk Format page appears.

8. Select the format to store the virtual disks. We recommend that you select Thick provisioned format
to allocate all storage immediately.
9. Click Next.
The Network Mapping page appears.


10. In the Destination Networks column, select the networks to map to each network interface.

11. Click Next.


The Ready to Complete page appears.
12. Review the settings. Click Back to change any settings, if necessary.
13. Click Finish to deploy the template.
The virtual appliance is deployed. This can take a few minutes.
The deployed virtual device appears in the vSphere Inventory in the selected resource pool.


VMware Virtual Machine Resource Allocation


The default WatchGuard XCSv OVF template installation is configured for a Medium Office Edition resource
environment with two virtual CPUs, 2 GB memory, three network adapters, and 80 GB data disk space.
If your feature key is for a different edition, such as Small or Large edition, you must modify your VMware host
resources for virtual processors, memory, and disk space to properly support your licensed software edition.
For information on recommended resource settings for each XCSv edition, see Recommended Resource
Allocation on page 5.

Configure Virtual CPUs


By default, the XCSv virtual machine is allocated two virtual CPUs. For optimal performance, configure the
virtual machine to use the recommended number of CPUs for your XCSv edition.
To configure CPU resources:

1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, right click the XCSv virtual machine.
4. Select Edit Settings.
5. In the Hardware list, select CPUs.
6. From the Number of virtual sockets drop-down list, select the number of virtual processors
recommended for your XCSv edition.
7. Click OK.

Configure Memory Resources


By default the XCSv virtual machine is allocated 2 GB of memory. For optimal performance, configure the
virtual machine to use the recommended amount of memory for your XCSv edition.
To configure memory resources:

1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, right click the XCSv virtual machine.
4. Select Edit Settings.
5. In the Hardware list, select Memory.
6. In the Memory Size text box, type or select the memory size recommended for your XCSv edition.
7. Click OK.

Configure Hard Disk Resources


By default the XCSv virtual device is allocated two hard drives, a primary fixed OS system disk (Hard Disk 1, 24
GB), and a data disk for messages, logs, reports, and any other data (Hard Disk 2, 80 GB for default XCSv
Medium Edition).
For optimal disk space allocation, configure the virtual machine to use the recommended amount of disk
space for your specific XCSv edition and allow for any requirements for additional data disk space for logs and
reports.

Caution
Do not modify the Hard Disk 1. This disk is a fixed size and contains the OS for the XCSv.


To increase the size of the Hard Disk 2 data disk for other XCSv editions (160 GB Large and 256 GB Large XC):

1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, right click the XCSv virtual machine.
4. Select Edit Settings.
5. In the Hardware list, select Hard disk 2.
6. In the Disk Provisioning section, modify the Provisioned Size setting to the required value (160 GB
Large or 256 GB Large XC).
7. Click OK.
To decrease the size of the Hard Disk 2 data disk for the XCSv Small Edition, you must remove Hard Disk 2 and
add a new hard disk with a recommended size of 40 GB.

1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, right click the XCSv virtual machine.
4. Select Edit Settings.
5. In the Hardware list, select Hard disk 2.
6. Click Remove.
7. Select Remove from virtual machine and delete files from disk.
8. Click OK.
9. Right click the virtual machine, select Edit Settings.
10. Click Add.
11. Select Hard Disk and click Next.
12. Select Create a new virtual disk and click Next.
13. Set the Disk Size to 40 GB.
14. In the Disk Provisioning section, select Thick Provisioned Lazy Zeroed.
15. Select Store with the virtual machine and click Next.
16. In the Advanced Options, leave the default settings and click Next.
17. Click Finish.
18. Click OK.

Add Network Adapters


When you deployed the XCSv OVF template, you selected networks to map to the XCSv device interfaces that
are active by default. To enable other interfaces, you must add network adapters to the XCSv device.
To add a network adapter:

1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, right click the XCSv virtual machine.
4. Select Edit Settings.
5. In the Hardware tab, click Add.
6. Select Ethernet Adapter as the type of device you want to add. Click Next.
7. From the Type drop-down list, select the type of virtual network adapter to use. The recommended
type, E1000, is selected by default.
8. From the Network label drop-down list, select the name of the virtual network to add.
9. Click Next.


10. Review the selected options. Click Finish.


Repeat these steps for each network adapter you want to add.
When you power on the XCSv device the additional network adapter is connected.
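
An added example (not WatchGuard code): a Python audit of a virtual machine's .vmx file against the VMware guidance above, covering the per-edition vCPU and memory values, the E1000 adapter type, the 10-interface limit, and the disabled VMware Tools time synchronization. The .vmx key names it reads (numvcpus, memsize, ethernetN.present, ethernetN.virtualDev, tools.syncTime), the 1024 MB-per-GB conversion, and the sample file are assumptions of this example, not taken from the guide.

```python
"""Audit a VMware .vmx file against the XCSv setup guidance (added example)."""
import re

# vCPU and memory values per edition, from the guide's resource allocation table.
EDITIONS = {
    "small": {"vcpus": 1, "memory_gb": 2},
    "medium": {"vcpus": 2, "memory_gb": 2},
    "large": {"vcpus": 4, "memory_gb": 4},
    "large_xc": {"vcpus": 8, "memory_gb": 8},
}
MAX_NICS = 10              # guide: maximum interfaces you can enable in VMware
RECOMMENDED_NIC = "e1000"  # guide: recommended adapter type
_LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')  # key = "value"
_NIC_PRESENT = re.compile(r"ethernet(\d+)\.present")


def parse_vmx(text):
    """Return {lowercased key: value}; comment and malformed lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            cfg[match.group(1).lower()] = match.group(2)
    return cfg


def _is_true(value):
    return value.strip().lower() == "true"


def _as_int(cfg, key, default):
    """Read an integer setting; a non-numeric value counts as the default."""
    try:
        return int(cfg.get(key, default))
    except ValueError:
        return default


def present_nics(cfg):
    """Map adapter index -> adapter type for every adapter marked present."""
    nics = {}
    for key, value in cfg.items():
        match = _NIC_PRESENT.fullmatch(key)
        if match and _is_true(value):
            index = int(match.group(1))
            nics[index] = cfg.get(f"ethernet{index}.virtualdev", "unset").lower()
    return nics


def audit_vmx(text, edition):
    """Return a list of 'check: detail' findings; an empty list means compliant."""
    want = EDITIONS[edition]
    cfg = parse_vmx(text)
    findings = []

    # Assumption: an absent numvcpus key means one vCPU; absent memsize means 0.
    vcpus = _as_int(cfg, "numvcpus", 1)
    if vcpus != want["vcpus"]:
        findings.append(f"vcpus: {vcpus} configured, {want['vcpus']} recommended")

    mem_mb = _as_int(cfg, "memsize", 0)
    want_mb = want["memory_gb"] * 1024  # assumption: 1 GB = 1024 MB
    if mem_mb != want_mb:
        findings.append(f"memory: {mem_mb} MB configured, {want_mb} MB recommended")

    nics = present_nics(cfg)
    if len(nics) > MAX_NICS:
        findings.append(f"nic-count: {len(nics)} adapters exceeds limit of {MAX_NICS}")
    for index in sorted(nics):
        if nics[index] != RECOMMENDED_NIC:
            findings.append(f"nic-type: ethernet{index} is {nics[index]}, not E1000")

    # The guide keeps VMware Tools time sync off so it never runs alongside NTP.
    if _is_true(cfg.get("tools.synctime", "false")):
        findings.append("timesync: tools.syncTime is TRUE; disable it and use NTP")
    return findings


# Constructed sample .vmx content, not taken from a real XCSv deployment.
SAMPLE_VMX = """\
# constructed sample
displayName = "xcsv-lab"
numvcpus = "2"
memSize = "2048"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "vmxnet3"
ethernet2.present = "FALSE"
tools.syncTime = "TRUE"
"""

if __name__ == "__main__":
    for finding in audit_vmx(SAMPLE_VMX, "large"):
        print(finding)
```

Disk sizes are not checked because they are not stored in the .vmx file itself.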

Start your XCSv Virtual Device


1. In the vSphere Client Inventory tree, select the virtual device.
2. Click the Summary tab.
3. In the Commands section, select Power on.
The WatchGuard XCSv virtual device is powered on with factory default settings.
4. Click the Console tab to view the installation process.
Note
The WatchGuard XCSv performs an automatic installation. Do not interrupt the installation process.


Microsoft Hyper-V Installation

Before You Begin


To prepare for your installation, make sure you have these items:
Hyper-V role on Windows Server 2008 R2 or Windows Server 2012, or stand-alone version of Hyper-V
Server 2008 R2 or Hyper-V Server 2012.
WatchGuard XCSv device serial number
You receive the serial number when you purchase the XCSv virtual device.
Your WatchGuard XCSv feature key
You receive the feature key when you activate your device on the LiveSecurity web site.
WatchGuard XCSv Hyper-V package
The file name is XCSv-<version>-HyperV.zip where <version> is the XCS version. The file contains a EULA, a
README file, and two virtual hard disk (.vhd) files, xcs-1.vhd (system) and xcs-2.vhd (data).
Download the XCSv Hyper-V package from the Articles and Software section of the WatchGuard Portal at
www.watchguard.com.

Installation Overview
To complete initial installation you must perform these procedures described in the subsequent sections:

1. In Hyper-V, create your virtual machine for the XCSv software.


2. Perform any resource allocation (Processors, memory, disk, network) modifications on the Hyper-V
host based on your XCSv edition.
3. Power on the XCSv virtual machine.
4. Connect to the XCSv virtual machine to run the Setup Wizard.

Network Considerations
When you deploy the XCSv software to the Hyper-V virtual device, it is initially configured with a single
network interface. You must add a network adapter for each XCSv network interface you require.
You must map each of these interfaces to a physical destination network on your Hyper-V virtual host.
After you configure the XCSv device, you can enable and configure additional XCSv device interfaces or
remove interfaces if you need fewer interfaces. The maximum number of interfaces you can enable in
Hyper-V is 8.

Time Synchronization Considerations


The use of the Hyper-V Time synchronization feature is not supported. We recommend you use an NTP server
in the XCSv network configuration. WatchGuard XCSv NTP settings must be configured if you are setting up
an XCSv cluster.


Installation
Perform the following steps to install WatchGuard XCSv on a Hyper-V host.

Create the XCSv Virtual Machine


To create the XCSv virtual machine on the Hyper-V host:

1. Extract the contents of the Hyper-V zip file to a suitable location on your Hyper-V host where your
virtual hard disks are stored.
2. In Hyper-V Manager, select Action > New > Virtual Machine.
3. Type a Name for your virtual machine and specify a Location.
You can use the default location, or select a new location for the virtual machine on your Hyper-V host.


4. Specify the amount of Startup memory to assign to the virtual machine.


This value must be a minimum of 2GB (2000 MB) and depends on which XCSv edition you want to
install and your available resources. (Small - 2GB, Medium - 2GB, Large - 4GB, Large XC - 8GB).

Caution
Do not enable the Use Dynamic Memory for this virtual machine option. This option is not
supported for XCSv.


5. From the Connection drop-down list, select Not Connected.


Later in the installation you will configure virtual network adapters and map them to the network
interfaces on your Hyper-V host.

6. Select the Use an existing virtual hard disk option.


Click Browse, then select the location of the xcs-1.vhd file.


7. Click Finish to complete the wizard.


Hyper-V Virtual Machine Resource Allocation


You must now edit the settings of your XCSv virtual machine to configure the resources based on your XCSv
edition.

1. In Hyper-V Manager, select your virtual machine, then select Settings.


2. Select Processor, and configure the number of processors based on your XCSv edition.
(Small - 1, Medium - 2, Large - 4, Large XC - 8).

3. Select the IDE Controller 0 where the xcs-1.vhd hard drive is located.


4. Select Hard Drive then click Add.


5. If you want to use the default 80GB size as a data drive for XCSv Medium edition, select Virtual Hard
Disk, click Browse, then select the location of the xcs-2.vhd file.
You can also define a new drive with the proper size for your specific XCSv edition (Small - 40GB,
Medium - 80GB, Large - 160GB, Large XC - 256GB).

Caution
Do not adjust or delete the xcs-1.vhd hard drive as this is the system disk.


6. Select the default Network Adapter and edit the settings.


Connect the adapter to the required network on your virtual host.

7. Click Add Hardware.


8. Add additional Network Adaptors connected to the required networks on your virtual host.

9. Click OK to apply the settings to the virtual machine.


10. Power on the XCSv virtual machine.
For instructions on how to install XCSv, see Install WatchGuard XCSv on page 25.


Install WatchGuard XCSv

Default Network Settings


The default network settings for the WatchGuard XCSv after installation are:
IP address: 10.0.0.1
Netmask: 255.255.255.0
Gateway: 10.0.0.2
If you want to connect to the XCSv device with the default IP address, go to Connect to the Setup Wizard on
page 27.
You can change the default IP address of the XCSv and assign the IP addresses of your additional network
interfaces before you connect to the Setup Wizard. This allows you to assign IP addresses to the XCSv based
on the networks already available on your virtual host system.
Note
The Setup Wizard will skip the first three steps (Introduction, Regional Settings, and Network
Configuration) if you modify the default network settings and IP address from the XCSv console.

To modify the default IP address of your XCSv before running the Setup Wizard:

1. In the vSphere Client Inventory tree, select the XCSv virtual device.
2. Click the Console tab.
3. Press Enter to display the login screen.

4. Type the default Username and Password.


When you access the system for the first time after installation, the default settings are admin for the
username, and admin for the password.


5. On the XCSv console menu, select Admin > Configure Interfaces.

You can configure these options:


Hostname: Type the hostname for the device.
For example, if your fully qualified domain name is hostname.example.com, type hostname.
Domain: Type your domain.
For this example, type example.com.
Gateway: Type the gateway (typically the router) for your network.
For this example, type 10.0.0.2.
DNS Server: Type the IP address of your primary and secondary DNS Name Servers.
For this example, type 10.0.2.53.
NTP Server: Type the IP address or hostname of your primary and secondary NTP servers.
For this example, type 10.0.2.123.
6. Select OK.
7. For each network interface, you can configure these options:

IP Address: Type the IP address for this interface.
For this example, type 10.0.0.1.
Subnet Mask: Type the netmask.
For this example, type 255.255.255.0.
Admin Login: Allow administrative access on this interface. You must set this option to ON for
the interface you will use to access the Setup Wizard.
8. Select OK.
9. Select Yes to reboot the system.
10. Select Yes to confirm.


Connect to the Setup Wizard


Wait at least five minutes for the system to initialize before you try to connect to the WatchGuard XCSv with a
web browser. Ping is enabled on the configured network interface. You can ping the IP address of the XCSv to
check connectivity before you connect with a web browser.
Note
We recommend that you clear your web browser cache before you start the Setup Wizard.

1. Launch a web browser on your computer and type the IP address of the WatchGuard XCSv as the URL
in the location bar. For example, http://10.0.0.1
The login page appears.
Note
A security certificate notification appears in the browser because the system uses a self-signed
certificate. It is safe to ignore the warning (Internet Explorer) or to add a certificate exception (Mozilla
Firefox).

2. Type the default Username and Password.


When you access the system for the first time after installation, the default settings are admin for the
username, and admin for the password.


3. The Setup Wizard introduction page appears. Click Continue to start the installation.
Make sure you register your device serial number with the WatchGuard LiveSecurity web site and
receive a feature key before you proceed with the installation process.

4. In the Regional Settings page, configure these options:


Time Settings: Type the current Time and Date. For the time, use 24-hour format hh:mm:ss.
For the date, use this format, YYYY-MM-DD.
Time Zone: Select the closest city to your location and time zone.
Keyboard: Select the keyboard layout for your location.

5. Click Continue.


6. On the Networks Settings page, configure the first network interface.

You can configure these options:


Hostname: Type the hostname for the device.
For example, if your fully qualified domain name is hostname.example.com, type hostname.
Domain: Type your domain.
For this example, type example.com.
Gateway: Type the gateway (typically the router) for your network.
For this example, type 10.0.0.2.
Name Server: Type the IP address of your DNS Name Server.
For this example, type 10.0.2.53.
Name Server 2: Type the IP address of a secondary DNS name server.
For this example, type 10.0.3.53.
NTP Server: Type the IP address or hostname of your NTP server.
For this example, type 10.0.2.123.
IP Address: Type the IP address for this interface.
For this example, type 10.0.0.1.
Netmask: Type the netmask.
For this example, type 255.255.255.0.
External Proxy Server: If your network uses a proxy server to access the Internet, you must set
this option to Enabled and enter your external proxy server configuration. The WatchGuard XCSv
requires access to the Internet through the proxy server to retrieve licensing information and
software updates. If you do not use an external proxy server, leave this option set to Disabled.


Server Address: Type the IP address of your external proxy server.
Server Port: Type the server port used by the external proxy server. The default is TCP port 80.
User Name: If your proxy server requires authentication, type the user name to log in to the proxy server.
Password: Type and confirm a password.
7. Click Continue.
If you make any network changes, you must restart the device and reconnect to the WatchGuard XCSv
with the new IP address you assigned to the network interface.
Note
Make sure your computer is configured to access the new IP address settings on the WatchGuard
XCSv.

8. On the Customer Information page, type the Organization Name and Server Admin Email.
Device alerts and notifications are sent to the Server Admin Email address.

9. Click Continue.
10. On the Change Password page, type and confirm a new admin password.
We recommend that you choose a secure password of at least 8 characters in length and include a mixture of
upper and lowercase letters, numbers, and special characters.

11. Click Continue.


12. On the Product Serial page, type your XCSv serial number.

Note
The serial number cannot be changed after it has been entered and saved. If you enter the wrong
serial number or need to enter a different one, you must reinstall the XCSv from the OVF template file.

13. On the Feature Key page, select one of these options to add your feature key:
Click Manual Update to manually add a feature key. You must paste your feature key into the text box and click Apply.
Click Download to automatically download and apply your feature key from the WatchGuard LiveSecurity service. This option requires an Internet connection and an existing LiveSecurity account. Make sure you can access the Internet if the device is installed behind a network firewall or connects through an external proxy server.
Click Enter Feature Key Later to manually add the feature key after the installation. To enter the feature key manually, from the Web UI, select Administration > System > Feature Key.

If you encounter errors when you add your feature key, check the following:
For Automatic Update:
  Make sure you have a valid LiveSecurity account and you have registered your device serial number.
  You must have an Internet connection to retrieve your feature key.
  Make sure communications are not blocked by a network firewall.
For Manual Update:
  Make sure you cut and paste the entire feature key text.
  The first line must be Serial Number: V2C9xxxxx-xxxx
  The last line is a long line starting with Signature:


14. On the Mail Configuration page, enter your mail domain and server details, and the initial status of
the WatchGuard XCSv security scanning features.

In the Email Domain text box, type the domain for which the WatchGuard XCSv processes
messages. For example, example.com.
In the Internal Mail Server text box, type the IP address of the internal mail server that receives
and sends mail through the WatchGuard XCSv.
The WatchGuard XCSv automatically configures a mail route for the domain and internal mail server
you enter on this page. To configure additional domains for mail routing after the installation is
complete, from the Web UI, select Configuration > Mail > Routing.
The WatchGuard XCSv also automatically configures a Specific Access Pattern to trust your internal
mail server address to allow the mail server to relay mail outbound through the WatchGuard XCSv.
Mail originating from the internal mail server is also trusted for Anti-Spam processing. To configure
Specific Access Patterns after the installation is complete, from the Web UI, select Configuration >
Mail > Access.
15. Click Continue.


16. In the Security Settings section of the Mail Configuration page, you can enable or disable Intercept
Anti-Spam, Anti-Virus, and the Attachment Control features.
If you enable these features in the setup wizard, mail scanning is active when the installation is
complete and mail processing is started.
This table describes the default Intercept settings when you enable Intercept Anti-Spam:

Feature                                                   Default Setting
Reject on ReputationAuthority Reputation                  Enabled (Threshold: 90)
Reject on infection (ReputationAuthority)                 Enabled
Reject connections from dial-ups (ReputationAuthority)
Reject on DNSBL
Threat Prevention                                         Enabled
Reject on unknown sender domain                           Enabled
Reject on missing sender MX
Reject on non FQDN sender                                 Enabled
Reject on unauth pipelining                               Enabled
Reject on missing addresses
Reject on missing reverse DNS

This table describes the default settings for the Intercept Anti-Spam features:

Intercept Option        Default Setting
Certainly Spam          Reject (Threshold: 99)
Probably Spam           Modify Subject Header: [SPAM] (Threshold: 90)
Maybe Spam              Just Log (Threshold: 60)
Decision Strategy       Heuristic 1
Spam Rules              Enabled
Spam Words              Enabled
Mail Anomalies          Enabled
DNS/URL Block List      Enabled
ReputationAuthority     Enabled
Token Analysis          Enabled
SPF                     Enabled
DKIM                    Disabled
DomainKeys              Enabled
Backscatter             Disabled

17. Click Continue.


18. If you have purchased the Web Scanning option, a Web Configuration page appears.

From the HTTP/HTTPS drop-down list, enable or disable HTTP/HTTPS scanning.


In the Internal Mail Server text box, type the IP address of the internal mail server that receives
and sends mail through the WatchGuard XCS.
Note
The Internal Mail Server field only appears if you did not configure a mail server in the previous step.

In the Security Settings section of the Web Configuration page, you can enable or disable URL
Categorization, Reputation Enabled Defense, and the Anti-Virus features.
If you enable these features in the Installation Wizard, web scanning is active when the installation is
complete and message processing is started.
If you enable URL Categorization, the feature will not be enabled until after the initial control list is
downloaded.
19. Click Continue.
20. From the Messaging System drop-down list, select Enabled to start message traffic processing after
the installation is complete.
If you select Disabled, you can start message processing manually from Activity > Status > Status/Utility after the installation is complete.

21. Click Continue.


22. Click Done to complete the installation.


This process can take up to a minute to complete.
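
A pre-flight check for the values you plan to enter in steps 6, 10 and 13 of the Setup Wizard, as an added example that is not WatchGuard code. The function names, the constructed sample key body, and the assumption that the serial number in the key must match the device serial are not from this guide.

```python
import ipaddress
import re

def check_network(hostname, ip, netmask, gateway):
    """Problems with planned Network Settings values (empty list = OK)."""
    problems = []
    # The wizard takes the short hostname; the domain goes in its own field.
    if not re.fullmatch(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?", hostname):
        problems.append("hostname must be a single label, without the domain")
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:  # malformed address or non-contiguous netmask
        return problems + [f"invalid address or netmask: {exc}"]
    net = iface.network
    if gw == iface.ip:
        problems.append("gateway is the same as the interface address")
    elif gw not in net:
        problems.append(f"gateway {gw} is not on the interface subnet {net}")
    return problems

def check_feature_key(text, serial):
    """Check the framing of pasted feature key text for Manual Update."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return ["feature key text is empty"]
    problems = []
    if not lines[0].startswith("Serial Number:"):
        problems.append("first line must start with 'Serial Number:'")
    elif lines[0].split(":", 1)[1].strip() != serial:
        # Assumption: the key is issued for the serial typed on the Product Serial page.
        problems.append("serial number in the key differs from the device serial")
    if not lines[-1].startswith("Signature:"):
        problems.append("last line must start with 'Signature:' (text cut off?)")
    return problems

def check_admin_password(password):
    """Apply the guide's recommendation for the new admin password."""
    problems = []
    if password == "admin":
        problems.append("still the default password")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
               "number": r"[0-9]", "special character": r"[^A-Za-z0-9]"}
    problems += [f"no {name}" for name, pat in classes.items() if not re.search(pat, password)]
    return problems

# Constructed sample: only the first and last line follow the guide.
SAMPLE_KEY = "Serial Number: V2C9xxxxx-xxxx\n(constructed key body)\nSignature: (constructed)\n"

if __name__ == "__main__":
    print(check_network("hostname", "10.0.0.1", "255.255.255.0", "10.0.0.2"))
    print(check_feature_key(SAMPLE_KEY, "V2C9xxxxx-xxxx"))
    print(check_admin_password("admin"))
```

With the guide's example values the network and feature key checks return empty lists, and the default password admin fails the password check.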

XCSv CPU Performance Settings


To make sure the XCSv software is configured properly for the number of CPU cores you have allocated to your
virtual machine, you must reboot the system after you complete the setup wizard.
This reboot is required to allow the XCSv to adjust its CPU performance settings according to your
configuration to provide optimal performance.
To reboot the XCSv, from the Web UI, select Administration > System > Reboot & Shutdown, then click
Reboot.

Update Anti-Virus Pattern Files


If licensed, the Anti-Virus service is automatically enabled and started.
After the initial installation of the WatchGuard XCSv, it may take up to the default of one hour to update your
Anti-Virus pattern files to the most recent version. We recommend you update your pattern files immediately
after installation.
To update your pattern files:

1. Select Security > Anti-Virus > Anti-Virus.


2. Go to the Virus Pattern Files section.
3. Click Get Pattern Now.


Cluster Configuration
Clustering provides a highly scalable, redundant messaging security infrastructure that enables two or more
WatchGuard XCSv virtual devices to act as a single logical unit for processing messages for redundancy and
high availability benefits. When you configure multiple XCSv virtual devices in a cluster, message traffic flow
is never interrupted because of individual device failures.

Cluster Network
The XCSv virtual devices participating in the cluster communicate through a network interface connected to
a separate network called the Cluster Network. The Cluster Network is a dedicated, secure subnet, and the
devices communicate clustering information with each other through this network. You can add or remove
devices from the cluster network without interruption to message processing.

XCSv Cluster Deployment


To set up multiple XCSv virtual devices in a cluster, you must configure a dedicated virtual network switch on
the virtual host system to ensure that no data can leak to other virtual machines running on your virtual host.
This virtual switch must be mapped to actual physical network interfaces on the virtual host system if you are
clustering with XCSv devices on another physical virtual host.
We recommend that if you set up multiple XCSv devices in a cluster, you should install your XCSv virtual
devices on separate virtual hosts for hardware and software redundancy in the event an issue affects the
virtual host.


If your clustered XCSv devices are hosted on the same virtual host system, the virtual switch does not have to
be mapped to physical network interfaces and you can configure the switch as an internal logical switch.
Note
If you install clustered XCSv devices on the same virtual host, this configuration only provides software
redundancy in the event one of the XCSv virtual devices fails. If a hardware or software issue affects
the virtual host, your entire XCSv cluster will be affected.


Add a Virtual Switch on the Virtual Host


These sections describe how to add a virtual switch to a VMware or Hyper-V virtual host.

Add a Virtual Switch on the VMware Host


To add a virtual switch on your VMware host:

1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. In the vSphere inventory tree, select your XCSv virtual machine.
3. Select the Configuration tab.
4. In the Hardware section, click Networking.
5. Click Add Networking....
The Add Network wizard appears.
6. Select Virtual Machine, then click Next.
7. Select a physical network adapter to use with the virtual switch, or deselect all adapters to create a
logical virtual switch.
8. Click Next.
9. In the Network Label text box, type a name for this switch network.
For example, type Cluster Network.
10. Click Next, then click Finish.


Add a Virtual Switch on Hyper-V


To add a virtual switch on your Hyper-V host:

1. Launch Hyper-V Manager.


2. Select Virtual Switch Manager.
3. Select New Virtual Network Switch.
4. Select Private, then click Create Virtual Switch.

5. Type a name for the virtual switch.
For example, type Cluster.
6. Click OK to apply the settings to the virtual machine.


Assign an XCSv Network Interface to the Virtual Cluster Switch


You must now map a network interface from the XCSv to the virtual cluster switch you created in the previous
step.

Assign a Cluster Interface on VMware


To assign a cluster interface to a virtual switch on VMware:

1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, select your XCSv virtual machine.
4. Select Edit Settings.
5. Select the Hardware tab.
6. Select the network adapter you want to use for the cluster.
7. From the Network Label: drop-down list, select Cluster Network, or the name you assigned to the
cluster network in the previous section.

8. Click OK to apply the settings to the virtual machine.


Assign a Cluster Interface on Hyper-V


To assign a cluster interface to a virtual switch on Hyper-V:

1. Launch Hyper-V Manager.


2. Select your virtual machine, and click Settings.
3. Select the Network Adapter that you want to connect to the cluster switch.
4. From the Virtual Switch drop-down list, select the cluster virtual switch you created in the previous
step.

5. Click OK to apply the settings to the virtual machine.


Configure Clustering on an XCSv Virtual Device


After you have set up the virtual switch for use with your cluster network, you can enable clustering and
configure a network interface on each XCSv virtual device to connect to this cluster network.
To configure clustering on each XCSv device participating in the cluster:

1. Log in to the XCSv Web UI.


2. Select Configuration > Network > Interfaces.
3. Select the network interface connected to the cluster network.
This interface must not be configured with an IP address. The interface is automatically configured for
exclusive use on the cluster network.
4. From the Interface Mode drop-down list, select Cluster.

Note
Make sure that an NTP time server is configured on each device, and add additional NTP servers for
redundancy. You cannot enable clustering until you configure an NTP server. The time server
synchronizes all cluster devices from a common time source.

5. Click Apply.
You must restart the system.
For more details on cluster configuration, see the current WatchGuard XCS Help or User Guide.


Resource Monitoring
Your virtual host system may host other virtual machines in addition to the WatchGuard XCSv. To ensure that
your virtual host resources are properly allocated, you must regularly monitor the resource usage and
performance of your virtual host system and your XCSv virtual machine.

Resource Monitoring on VMware


To monitor the resource usage of your VMware host and virtual machines:

1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. In the vSphere inventory tree, select your VMware host system at the top of the list.
3. Select the Virtual Machines tab.
You can view the disk space, CPU usage, and memory utilization of each virtual machine hosted on
your VMware system.

4. Select the Resource Allocation tab.


5. You can switch between CPU, Memory, and Storage view for a more detailed examination of the
resources used by your virtual machines on the VMware host.


6. Select the Performance tab for a customized chart view of the VMware host performance.

7. In the vSphere inventory tree, select your XCSv virtual machine.


8. Select the Resource Allocation tab.
You can examine the resources in use specifically by the XCSv virtual machine.

9. Select the Performance tab for a customized chart view of the XCSv virtual machine performance.


Resource Monitoring on Hyper-V


To monitor the resource usage of your Hyper-V host and virtual machines:

1. Launch Hyper-V Manager.


2. From the Virtual Machines list, you can view the current status of the virtual machine, the CPU usage,
assigned memory, and system uptime.

3. Select a specific virtual machine.


In the Summary section, you can view information including an overall summary of the virtual machine,
the original and assigned memory usage, and networking status.
