Updated for Fireware XTM v11.7.3
WatchGuard Training
Training Objectives
- Use the basic management and monitoring components of WatchGuard System Manager (WSM)
- Configure a WatchGuard XTM or XTMv device that runs Fireware XTM OS v11.7 or later for your network
- Create basic security policies for your XTM device to enforce
- Use security services to expand XTM device functionality
Requirements
Necessary equipment and software:
- Management computer
- WatchGuard System Manager and Fireware XTM OS
- Firewall configuration file
- XTM or XTMv devices running Fireware XTM OS v11.7 or later (optional)
- Basic knowledge of TCP/IP network functions and structure
- WatchGuard System Manager installed on your computer
- Access to a WatchGuard XTM device
- A printed copy of the instructor's notes of this presentation, or a copy of the Fireware XTM Basics Student Guide
Outline
- Getting Started
- Work with XTM Device Configuration Files
- Configure XTM Device Interfaces
- Configure Logging
- Generate Reports of Network Activity
- Use FSM to Monitor XTM Device Activity
- Use NAT (Network Address Translation)
- Define Basic Network Security Policies
- Work with Proxy Policies
- Work with SMTP and POP3 Proxies
- Verify Users' Identities
- Block Unwanted Email with spamBlocker
- Manage Web Traffic
- Defend Your Network From Intruders
- Use Gateway AntiVirus
- Use Intrusion Prevention Service
- Use Application Control
- Use Reputation Enabled Defense
- Explore the Fireware XTM Web UI
Training Scenario
- Fictional organization named the Successful Company
- Training partners may use different examples for exercises
- Try the exercises to implement your security policy
Learning Objectives
- Use the Quick Setup Wizard to make a configuration file
- Start WatchGuard System Manager
- Connect to XTM devices and WatchGuard servers
- Launch other WSM applications
Management Computer
- Select a computer with Windows 8, Windows 7, Windows Vista, Windows XP SP2, or Windows Server 2003, 2008, or 2012
- Install WatchGuard System Manager (WSM) to configure, manage, and monitor your devices
- Install Fireware XTM OS, then use WSM to install updates and make configuration changes on the device
Server Software
When you install WSM, you have the option to install any or all of these WatchGuard servers:
- Management Server
- Log Server
- Report Server
- WebBlocker Server
- Quarantine Server
Each server must use a supported version of Windows. There are access requirements between the management computer, the XTM device, and some servers.
Setup Wizards
There are two setup wizards you can use to create an initial functional configuration file for your XTM device.
- Web Setup Wizard: To start the Web Setup Wizard, in a web browser, type: https://10.0.1.1:8080
- Quick Setup Wizard: To start the Quick Setup Wizard, in WatchGuard System Manager, select Tools > Quick Setup Wizard.
To use either setup wizard, you must connect the management computer to the trusted interface (eth1) of the XTM device. The Web Setup Wizard can activate your XTM device and download the feature key from the WatchGuard web site, if you connect the external interface (eth0) to a network with Internet access.
- WSM and Fireware XTM OS installed on the management computer
- Network information
It is a good idea to have the feature key for your device before you start the wizard. You can copy it from the LiveSecurity web site during registration.
- Prepare the device to be discovered by the Quick Setup Wizard (QSW). The QSW shows you how to prepare each device.
- Assign a static IP address to your management computer from the same subnet that you plan to assign to the Trusted interface of the XTM device. Alternatively, you can get a DHCP address from the device when it is in Safe Mode.
- Connect the Ethernet interface of your computer to interface #1 of the device.
- Launch WatchGuard System Manager (WSM) and launch the Quick Setup Wizard from the WSM Tools menu.
- Identify the device in WSM
- Identify the device in log files
- Identify the device in Log Manager and Report Manager
When device feedback is enabled, the XTM device sends this information to WatchGuard once each day:
- XTM device serial number
- Fireware XTM OS version and build number
- XTM device model
- XTM device uptime since the last restart
Clear the Send device feedback to WatchGuard check box. You can also configure this setting in Global Settings.
- A static IP address
- An IP address assigned with DHCP
- An IP address assigned with PPPoE
You must also add an IP address for the device default gateway. This is the IP address of your gateway router.
Configure each interface with an IP address on a different subnet. Assign secondary networks on any interface.
Assign the same primary IP address to all interfaces on your device. Assign secondary networks on any interface. You can keep the same IP addresses and default gateways for devices on your trusted and optional networks, and add a secondary network address to the XTM device interface so the device can correctly send traffic to those devices.
Both passphrases must be at least 8 characters long and different from each other
Components of WSM
WSM includes a set of management and monitoring tools:
- Policy Manager
- Firebox System Manager
- HostWatch
- Log Manager
- Report Manager
- CA Manager
- Quarantine Server Client
To launch a tool, select it from the WSM Tools menu or click the tool icon
Learning Objectives
- Start Policy Manager
- Open and save configuration files
- Configure the XTM device for remote administration
- Reset XTM device passphrases
- Back up and restore the XTM device configuration
- Add XTM device identification information
- Select a connected or managed device
- Click the Policy Manager icon on the toolbar
Details View
New configuration files include a basic set of policies. You can add more policies.
- XTM 2500 Series: xtm800_1500_2500.sysa-dl
- XTM 2050: xtm2050_bc.sysa-dl
- XTM 1500 Series: xtm800_1500_2500.sysa-dl
- XTM 1050: xtm1050_bb.sysa-dl
- XTM 800 Series: xtm800_1500_2500.sysa-dl
- XTM 8 Series: xtm8_b5.sysa-dl
- XTM 5 Series: xtm5_b0.sysa-dl
- XTM 330: xtm330_bd.sysa-dl
- XTM 33: xtm3_aa.sysa-dl
- XTM 25, 26: xtm2_a6.sysa.dl
- XTMv: xtmv_c5.sysa-dl
Learning Objectives
- Configure external network interfaces with a static IP address, DHCP and PPPoE
- Configure a trusted and optional network interface
- Use the XTM device as a DHCP server
- Add WINS/DNS server locations to the device configuration
- Add Dynamic DNS settings to the device configuration
- Set up a secondary network or address
- Understand Drop-In Mode and Bridge Mode
- External: 203.0.113.2/24
- Trusted Network: 10.0.1.1/24
- Optional Network: 10.0.2.1/24
- Change the interface type (from trusted to optional, etc.)
- Add secondary networks and addresses
- Enable the DHCP server
- Configure additional interfaces
- Configure WINS/DNS settings for the device
- Add network or host routes
- Configure NAT
Interface Independence
You can change the interface type of any interface configured with the Quick Setup Wizard. You can also choose the interface type of any additional interface you enable.
[Diagram: interfaces Sales Force (10.0.4.1/24), Trusted-Main (10.0.1.1/24), Finance (10.0.3.1/24), Public Servers (10.0.2.1/24) and Conference (10.0.5.1/24); interface types Trusted and Optional]
Secondary Networks
Share one of the same physical networks as one of the device interfaces. Add an IP alias to the interface, which is the default gateway for computers on the secondary network.
- Secondary: 172.16.100.0/24
- Trusted-Main: 10.0.1.1/24
If you do not specify a route to a remote network or host, all traffic to that network or host is sent to the device default gateway.
- Computers in this subnet can be on any device interface
- You can add a secondary address to any device interface to use an additional network on the interface
- You assign one IP address to the device for management connections
- Bridge Mode turns the device into a transparent Layer 2 bridge
To set the interface configuration mode, select Network > Configuration.
Learning Objectives
- Set up a Log Server
- Configure the XTM device to send messages to a Log Server
- Configure logging and notification preferences
- Set the Diagnostic Log Level
- View log messages
Configure Logging
For log messages to be correctly stored, you must:
- Install the Log Server software
- Configure the Log Server
- Configure the XTM device to send log messages to the Log Server
Traffic Monitor: Real-time monitoring in FSM from any computer with WSM
Learning Objectives
- Set up and configure a Report Server
- Generate and save reports at regular intervals
- Generate and view reports
- Change report settings
- Save, print, and share reports
Learning Objectives
- Interpret the information in the WSM display
- Use Firebox System Manager to monitor device status
- Change Traffic Monitor settings
- Use Performance Console to visualize device performance
- Use HostWatch to view network activity and block a site
- Add and remove sites from the Blocked Sites list
Traffic Monitor
- View log messages as they occur
- Set custom colors and fields
- Start traceroute or Ping to source and destination IP addresses
- Copy information to another application
Performance Console
- Monitor and graph XTM device activity
- Launch from Firebox System Manager
- System Information: Firebox statistics, such as the number of total active connections and CPU usage
- Interfaces: Total number of packets sent and received through the XTM device interfaces
- Policies: Total connections, current connections, and discarded packets
- VPN Peers: Inbound and outbound SAs and packets
- Tunnels: Inbound and outbound packets, authentication errors, and replay errors
Learning Objectives
- Understand network address translation types
- Add dynamic NAT entries
- Use static NAT for public servers
NAT Enabled
Your Network
Internet sees only one public address (an External XTM device IP address)
[Diagram: external address 203.0.113.2; FTP server, Port 21 TCP, 10.0.2.21; Email server, Port 25 TCP, 10.0.2.25; Your Network]
- Web traffic: One external IP to private static IP
- FTP traffic: Same external IP to second, private static IP
- SMTP traffic: Same external IP to third, private static IP
- NetMeeting: Ports 1720, 389, dynamic; 10.0.2.11
- IKE: Without NAT-T; 10.0.2.12
- Intel-Video-Phone: Ports 1720, 522; 10.0.2.13
Your Network
Configure Policies
- You can customize 1-to-1 NAT and Dynamic NAT settings in each policy
- Select Network > NAT to configure the settings
- The settings you specify apply unless you modify the NAT settings in a policy
- Select the Set Source IP option when you want any traffic that uses this policy to show a specified address from your public or external IP address range as the source IP address.
Configure Policies
To configure a policy to use static NAT, click Add in the To section of the policy, then select Add SNAT. To add, edit, or delete SNAT actions, you can also select Setup > Actions > SNAT. To add an SNAT member, click Add.
Learning Objectives
- Understand the difference between a packet filter policy and a proxy policy
- Add a policy to Policy Manager and configure its access rules
- Create a custom packet filter policy
- Set up logging and notification rules for a policy
- Use advanced policy properties
- Understand the function of the Outgoing policy
- Understand the function of the TCP-UDP proxy
- Understand the function of the WatchGuard policy
- Understand how the XTM device determines policy precedence
What is a Policy?
- A rule to limit access through the XTM device
- Can be configured to allow traffic or deny traffic
- Can be enabled or disabled
- Applies to specific port(s) and protocols
- Applies to traffic that matches From and To fields:
  - From: Specific source hosts, subnets or users/groups
  - To: Specific destination hosts, subnets, or users/groups
Packet Filter: Examines the IP header of each packet, and operates at the network and transport protocol packet layers.

Proxy & ALG (Application Layer Gateway)
- Proxy: Examines the IP header and the content of a packet at the application layer. If the content does not match the criteria you set in your proxy policies, you can set the proxy to deny the packet. Some proxy policies allow you to remove the disallowed content.
- ALG: Completes the same functions as a proxy, but also provides transparent connection management.

Proxy policies and ALGs examine the commands used in the connection to make sure they are in the correct syntax and order, and use deep packet inspection to make sure that connections are secure.
- Remove all the network data
- Examine the contents
- Add the network data again
- Send the packet to its destination
[Diagram: Source, Destination, Port(s)/Protocols; Packet body: Attachments, RFC Compliance, Commands]
Modify Policies
To edit a policy, double-click the policy.

By default, a new policy:
- Is enabled and allowed
- Allows traffic on the port(s) specified by the policy
- Allows traffic from any trusted network to any external destination
Select a pre-defined alias, then click Add. Click Add User to select an authentication user or group. Click Add Other to add a host IP address, network IP address, or host range.
None of the pre-defined policies include the specific combination of ports that you want. You need to create a policy that uses a protocol other than TCP or UDP.
What is Precedence?
- Precedence is used to decide which policy controls a connection when more than one policy could control that connection.
- In Details view, the higher the policy appears in the list, the greater its precedence.
- If two policies could apply to a connection, the policy higher in the list controls that connection.
Policies can be moved up or down in Manual Order mode to set precedence, or restored to the order assigned by Policy Manager with Auto-Order Mode.
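The precedence rule above has a practical consequence when policies are ordered manually: a broad policy placed above a narrower one means the narrower one never controls a connection. The Python below is an added illustration, not part of the WatchGuard course material and not the algorithm Policy Manager uses for Auto-Order Mode; it models top-down precedence over From, To, protocol and port and reports policies that a higher policy fully covers. The policy names and the sample rule set are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """Simplified model of a packet filter policy (assumed fields, not a WSM format)."""
    name: str
    action: str    # "allow" or "deny"
    src: str       # From field, as a CIDR network
    dst: str       # To field, as a CIDR network
    proto: str     # "tcp" or "udp"
    ports: range   # destination ports, contiguous

    def matches(self, src_ip, dst_ip, proto, port):
        return (proto == self.proto
                and port in self.ports
                and ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))

    def covers(self, other):
        """True when every connection `other` matches is also matched by self."""
        return (self.proto == other.proto
                and self.ports.start <= other.ports.start
                and other.ports.stop <= self.ports.stop
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst)))


def controlling_policy(policies, src_ip, dst_ip, proto, port):
    """Return the highest policy in the list that matches the connection."""
    for policy in policies:
        if policy.matches(src_ip, dst_ip, proto, port):
            return policy
    return None


def shadowed(policies):
    """List (lower, higher, conflicting) for policies that can never take effect.

    Only full coverage is reported; partial overlaps still depend on list order
    but need a per-connection check with controlling_policy().
    """
    findings = []
    for index, lower in enumerate(policies):
        for higher in policies[:index]:
            if higher.covers(lower):
                findings.append((lower.name, higher.name,
                                 higher.action != lower.action))
                break
    return findings


# Constructed sample: trusted network 10.0.1.0/24 and optional network
# 10.0.2.0/24 as used in this course; policy names are made up.
ALLOW_ALL = Policy("Allow-All-TCP-Out", "allow", "10.0.1.0/24", "0.0.0.0/0",
                   "tcp", range(1, 65536))
DENY_SMTP = Policy("Deny-SMTP-Out", "deny", "10.0.1.0/24", "0.0.0.0/0",
                   "tcp", range(25, 26))
HTTP_OPT = Policy("HTTP-to-Optional", "allow", "10.0.1.0/24", "10.0.2.0/24",
                  "tcp", range(80, 81))

MANUAL_ORDER = [ALLOW_ALL, DENY_SMTP, HTTP_OPT]   # broad allow on top
FIXED_ORDER = [DENY_SMTP, HTTP_OPT, ALLOW_ALL]    # specific policies first

if __name__ == "__main__":
    for lower, higher, conflict in shadowed(MANUAL_ORDER):
        note = "actions differ" if conflict else "same action"
        print(f"{lower} is never reached: covered by {higher} ({note})")
    hit = controlling_policy(FIXED_ORDER, "10.0.1.50", "203.0.113.25", "tcp", 25)
    print("After reordering, outbound SMTP is controlled by:", hit.name)
```

A finding where the actions differ is the one to review first, because the deny the administrator intended is silently overridden by the allow above it.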
Schedule Policies
Set the times of day when the policy is enabled
Proxy Policies: Use Proxy Policies and ALGs to Protect Your Network
Learning Objectives
- Understand the purpose and configuration of proxy policies and ALGs
- Configure the DNS-proxy to protect DNS server
- Configure an FTP-Server proxy action
- Configure an FTP-Client proxy action
- Enable logging for proxy actions
DNS server
Your network
Configuring DNS-Incoming
- General
- OpCodes
- Query Types
- Query Name
- Intrusion Prevention
- Proxy Alarm
DNS Proxy
Your Network
DNS server
Use DNS-Outgoing
Use DNS-Outgoing to block DNS requests for services, such as queries for:
- Entire user-created proxy actions (not predefined proxy actions)
- Rulesets
- WebBlocker exceptions
- spamBlocker exceptions
What is FTP?
- File Transfer Protocol
- Often used to move files between two locations
- Client and server architecture
- Fireware XTM includes two methods to control:
FTP-Proxy
- Restricts the types of commands and files that can be sent through FTP
- Works with the Gateway AV Service
FTP Proxy
Anybody
Learning Objectives
- Understand the SMTP and POP3 proxies
- Understand the available actions for email
- Control incoming email
- Control outgoing email
- Allow: Email is allowed through your device
- Lock: Email is allowed through your device; the attachment is encoded so only the XTM device administrator can open it
- AV Scan: Gateway AntiVirus is used to scan the attachment
- Strip: Email is allowed through your device, but the file attachment(s) are deleted
- Drop: The SMTP connection is closed
- Block: The SMTP connection is closed and the sender is added to the blocked sites list
- Quarantine: Email is stored on the Quarantine Server (only with SMTP) and is not sent to the recipient
SMTP Proxy
Learning Objectives
- Understand authentication and how it works with the XTM device
- List the types of third-party authentication servers you can use with Fireware XTM
- Use Firebox authentication users and groups
- Add a Firebox authentication group to a policy definition
- Modify authentication timeout values
- Use the XTM device to create a custom web server certificate
WatchGuard Authentication
- The user browses to the XTM device interface IP address on TCP port 4100
- The XTM device presents an authentication page
- The XTM device verifies that the credentials entered are correct, and allowed for the type of connection
- The XTM device allows access to resources valid for that authenticated user or group
After users authenticate, they are redirected to the site they originally selected.
- Specify the authentication server that appears at the top of the Domain list in the Authentication Portal
- Configure Terminal Services
- Name on the certificate does not match the URL
- Fix this problem with a custom certificate that has all of the XTM device IP addresses as possible name matches
- User must still import this certificate to trusted root stores
Learning Objectives
- Activate and configure spamBlocker
- Specify the actions to take when suspected spam email is detected
- Block or allow email messages from specified sources
- Monitor spamBlocker activity
- Install and configure Quarantine Server
What is spamBlocker?
- Technology licensed from Mailshell to identify spam or suspected spam email
- No local server to install
  - You can install Quarantine Server, but it is not necessary for spamBlocker to work correctly.
- XTM device sends information to external servers to classify email and caches the results
- Operates with the SMTP and POP3 proxies
- You must have an SMTP or POP3 proxy action configured to use spamBlocker
Activate spamBlocker
A feature key is required to enable spamBlocker
- Use Policy Manager or FSM to add the feature key
- Save the configuration to the XTM device
spamBlocker Actions
Spam is classified into two spam categories:
- Confirmed spam
- Suspected spam

- Allow
- Add Subject Tag
- Quarantine (SMTP only)
- Deny (SMTP only)
- Drop (SMTP only)
spamBlocker Exceptions
You can configure exceptions for specific senders or recipients by:
Customize spamBlocker
Use multiple SMTP or POP3 proxies
Quarantine Spam
- Quarantine Server operates with spamBlocker for the SMTP-proxy only (not the POP3-proxy)
- Install with server components during WSM install, or from WatchGuard Server Center
- Database size and administrator notifications
- Server settings
- Length of time to keep messages
- The domains for which the Quarantine Server keeps mail
- Rules to automatically remove messages:
  - From specific senders
  - From specific domains
  - That contain specific text in the Subject field
Learning Objectives
- Control outgoing HTTP traffic
- Protect your web server
- Use the HTTPS-proxy
- Set up WebBlocker
- Select categories of web sites to block
- Override WebBlocker rules for specified sites
HTTP Proxy
Your Network
Web Server
HTTP Proxy
Your Network
What is WebBlocker?
- Reduces malicious web content that enters the network
- Blocks URLs and IP addresses that you specify
- Reduces unproductive web surfing and potential liability
- Blocks access to IM/P2P download sites
- Blocks access to spyware sites
- Helps schools to attain CIPA compliance
- Two database options
- Global URL database: English, German, Spanish, French, Italian, Dutch, Japanese, traditional Chinese, and simplified Chinese sites
- Uses a cloud-based URL categorization database with over 100 content categories, provided by Websense
- Does not use a locally installed WebBlocker Server
- URL categorization queries are sent over HTTP

WebBlocker Server
- Uses a WatchGuard WebBlocker Server with 54 categories, provided by SurfControl
- Usually requires a locally installed WebBlocker Server
  - XTM 2 Series and XTM 33 can use a WebBlocker Server hosted by WatchGuard
Web Site
- Manually trigger an incremental update in WatchGuard Server Center.
- Use Windows Task Scheduler to run the updatedb.bat process, which is installed in the C:\Program Files\WatchGuard\wsm11\bin directory.
- Allow access to all web sites
- Deny access to all web sites

You can also set a password that overrides WebBlocker when entered on individual computers.
WebBlocker Exceptions
Add exceptions for web sites that WebBlocker denies and you want to allow (white list). Add web sites that WebBlocker allows and you want to deny (black list).
Learning Objectives
- Understand the different types of intrusion protection
- Configure default packet handling to stop common attacks
- Block IP addresses and ports used by hackers
- Automatically block the sources of suspicious traffic
Attack launched
Log Server
Your Network
Auto-Block Sites
Each policy configured to deny traffic has a check box you can select to auto-block the source of the denied traffic. If you select it, the source IP address of any packet denied by the policy is automatically added to the Blocked Sites List.
- Get log messages
- Close traffic for unwanted services
- Add specific ports to block
- Add specific IP addresses or subnets to be permanently blocked
Static configuration
Dynamic configuration
This feature can be enabled from many different places in Policy Manager:
- Proxy actions
- Default packet handling settings
- Policy configuration
Learning Objectives
- Understand how signature-based security subscriptions work
- Set up and configure Gateway AntiVirus
- Configure proxies to use Gateway AntiVirus
- Set up and configure the Intrusion Prevention Service
- Set up and configure Application Control
- Enable IPS and Application Control in policies
Gateway AV Wizard
- Gateway AntiVirus can be enabled and configured with the wizard that you launch from the Subscription Services menu
- In the wizard, you select the proxy policies to include in the Gateway AV configuration
- Allow: Attachment passes through with no change
- Lock: Attachment can only be opened by an administrator
- Remove: Attachment is stripped from the email
- Quarantine: Message is sent to the Quarantine Server
- Drop: The connection is denied
- Block: The connection is denied, and the server is added to the Blocked Sites List
- Allow: The file is allowed to pass through without changes
- Drop: The HTTP connection is denied
- Block: The HTTP connection is denied, and the web server is added to the Blocked Sites List
- Downloaded files allowed in your configuration
- Uploaded files allowed in your configuration
Gateway AV Settings
- Select this option if you want Gateway AV to decompress file formats such as .zip or .tar
- The number of levels to scan is the depth for which Gateway AV scans archive files inside archive files
- The deny message is not configurable
- For HTTPS or other content types, the deny message does not appear
- Application Control is not automatically enabled for policies
- For each policy, you select which Application Control action to use
- To monitor the use of applications, enable logging of allowed packets in the policies that have Application Control enabled

IPS
- When you enable IPS, it is enabled for all policies by default
- You can enable or disable IPS for each policy
- Required for IPS to scan the HTTPS content
- Required for Application Control to detect applications over an HTTPS connection
Reputation Enabled Defense: Improve the Performance and Security of Web Access
Learning Objectives
- Understand how Reputation Enabled Defense works
- Configure Reputation Enabled Defense
- Monitor Reputation Enabled Defense
The reputation score for a URL is based on AV scanning feedback and other URL reputation data collected from sources around the world.
When a user browses to a web site, RED looks up the score for the URL
- For URLs with a good reputation score, local scanning is bypassed
- For URLs with a bad reputation score, the HTTP-proxy denies access without local scanning by Gateway AV
- For URLs with an inconclusive reputation score, local Gateway AV scanning is performed as configured
Eliminates the need to locally scan the content of web sites that have a known good or bad reputation and improves XTM device performance
- High scores indicate a bad reputation
- Low scores indicate a good reputation
- If RED has no knowledge of a URL, it assigns a score of 50
- The reputation score assigned to a URL increases based on:
  - Negative scan results for that URL
  - Negative scan results for a referring link
  - Negative information from other sources of malware data
- RED continually updates the reputation scores for URLs based on:
  - Scan results from devices around the world by two leading anti-malware engines: Kaspersky and AVG
  - Data from other leading sources of malware intelligence for the web
- The reputation score of a requested URL
- The locally configured reputation thresholds

RED Actions:
- If score is higher than the Bad reputation threshold, Deny access
- If score is lower than the Good reputation threshold, Bypass local scanning
- Otherwise, perform local Gateway AV scanning as configured
- Your device must have a Reputation Enabled Defense feature key
- You must have configured at least one HTTP-proxy policy
- Immediately block the URL if it has a bad reputation
- Bypass any configured local virus scanning for a URL that has a good reputation

If neither of these RED actions occurs, then any locally configured virus scanning proceeds as configured.
Learning Objectives
- Log in to Fireware XTM Web UI
- Change the port that the XTM device uses for the Web UI
- Discuss limitations of the Web UI
- Manage timeouts for the Web UI management sessions
- View or change the configuration of a device that is a member of a FireCluster
- Add or remove static ARP entries from the device's ARP table
- Change the name of a policy
- Change the logging of default packet handling options
- Enable or disable the notification of BOVPN events
- Add a custom address to a policy
- Use Host Name (DNS lookup) to add an IP address to the From or To section of a policy
- Create a .wgx file for Mobile VPN with IPSec client configuration (You can get only the equivalent, but unencrypted, .ini file)
- Export certificates stored on the device, or see their details (You can only import certificates)
- Some of the logging and reporting functions provided by HostWatch, Log Manager, Report Manager, and WSM are also not available
- Uses a self-signed certificate, so you must accept certificate warnings or replace the certificate with a trusted certificate
- You can change the port for the Web UI
- Status: For read-only permission; uses the status passphrase
- Admin: For read-write permission; uses the configuration passphrase
Conclusion
This presentation provides an overview of basic Fireware XTM features. For more information, see these training, documentation, and support resources available in the Support section of the WatchGuard web site:
- WatchGuard System Manager Help
- Fireware XTM Web UI Help
- WatchGuard Knowledge Base
- Fireware XTM Training courseware
Thank You