Firewall Basics with Fireware XTM 11.

7
Updated for Fireware XTM v11.7.3

WatchGuard Training

2013 WatchGuard Technologies, Inc.

Course Introduction: Firewall Basics with Fireware XTM

WatchGuard Training

Training Objectives
Use the basic management and monitoring components of WatchGuard System Manager (WSM) Configure a WatchGuard XTM or XTMv device that runs Fireware XTM OS v11.7 or later for your network Create basic security policies for your XTM device to enforce Use security services to expand XTM device functionality

WatchGuard Training

Requirements
Necessary equipment and software:

Management computer WatchGuard System Manager and Fireware XTM OS Firewall configuration file XTM or XTMv devices running Fireware XTM OS v11.7 or later (optional) Basic knowledge of TCP/IP network functions and structure WatchGuard System Manager installed on your computer Access to a WatchGuard XTM device A printed copy of the instructors notes of this presentation, or a copy of the Fireware XTM Basics Student Guide

Prerequisites: It is helpful, but not necessary, to have:

WatchGuard Training

Outline
Getting Started Work with XTM Device Configuration Files Configure XTM Device Interfaces Configure Logging Generate Reports of Network Activity Use FSM to Monitor XTM Device Activity Use NAT (Network Address Translation) Define Basic Network Security Policies Work with Proxy Policies Work with SMTP and POP3 Proxies Verify Users Identities

WatchGuard Training

Outline
Block Unwanted Email with spamBlocker Manage Web Traffic Defend Your Network From Intruders Use Gateway AntiVirus Use Intrusion Prevention Service Use Application Control Use Reputation Enabled Defense Explore the Fireware XTM Web UI

WatchGuard Training

Training Scenario
Fictional organization named the Successful Company Training partners may use different examples for exercises Try the exercises to implement your security policy

WatchGuard Training

Getting Started: Set Up Your Management Computer and XTM Device

WatchGuard Training

Learning Objectives
Use the Quick Setup Wizard to make a configuration file Start WatchGuard System Manager Connect to XTM devices and WatchGuard servers Launch other WSM applications

WatchGuard Training

Management Computer
Select a computer with Windows 8, Windows 7, Windows Vista, Windows XP SP2, or Windows Server 2003, 2008, or 2012 Install WatchGuard System Manager (WSM) to configure, manage, and monitor your devices Install Fireware XTM OS, then use WSM to install updates and make configuration changes on the device

WatchGuard Training

10

Server Software
When you install WSM, you have the option to install any or all of these WatchGuard servers:

Management Server Log Server Report Server WebBlocker Server Quarantine Server

Servers can be installed on separate computers

Each server must use a supported version of Windows. There are access requirements between the management computer, the XTM device, and some servers.

WatchGuard Training

11

Activate your XTM Device

You must have or create a WatchGuard account You must activate the XTM device before you can fully configure it Have your device serial number ready

WatchGuard Training

12

Setup Wizards
There are two setup wizards you can use to create an initial functional configuration file for your XTM device.

Web Setup Wizard To start the Web Setup Wizard, in a web browser, type: https://10.0.1.1:8080 Quick Setup Wizard To start the Quick Setup Wizard, in WatchGuard System Manager, select Tools > Quick Setup Wizard.

To use either setup wizard, you must connect the management computer to the trusted interface (eth1) of the XTM device. The Web Setup Wizard can activate your XTM device and download the feature key from the WatchGuard web site, if you connect the external interface (eth0) to a network with Internet access.

WatchGuard Training

13

Quick Setup Wizard

Installs Fireware XTM OS on the XTM device Creates and uploads a basic configuration file Assigns passphrases to control access to the XTM device

WatchGuard Training

14

Prepare to Use the Quick Setup Wizard

Before you start, you must have:

WSM and Fireware XTM OS installed on the management computer Network information

It is a good idea to have the feature key for your device before you start the wizard. You can copy it from the LiveSecurity web site during registration.

WatchGuard Training

15

Launch the Quick Setup Wizard

For the Quick Setup Wizard to operate correctly, you must:

Prepare the device to be discovered by the Quick Setup Wizard (QSW). The QSW shows you how to prepare each device. Assign a static IP address to your management computer from the same subnet that you plan to assign to the Trusted interface of the XTM device. Alternatively, you can get a DHCP address from the device when it is in Safe Mode. Connect the Ethernet interface of your computer to interface #1 of the device. Launch WatchGuard System Manager (WSM) and launch the Quick Setup Wizard from the WSM Tools menu.

WatchGuard Training

16

Quick Setup Wizard Select Your Device

Choose which model of XTM device to configure.

WatchGuard Training

17

Quick Setup Wizard Verify the Device Details

Verify that the model and serial number are correct.

WatchGuard Training

18

Quick Setup Wizard Name Your XTM Device

The name you assign to the device in the wizard is used to:

Identify the device in WSM Identify the device in log files Identify the device in Log Manager and Report Manager

WatchGuard Training

19

Quick Setup Wizard Device Feedback

If your device uses Fireware XTM OS v11.7.3 or higher, the Quick Setup Wizard enables the device to send feedback to WatchGuard by default.

When device feedback is enabled, the XTM device sends this information to WatchGuard once each day:
XTM device serial number Fireware XTM OS version and build number XTM device model XTM device uptime since the last restart

To disable device feedback:

Clear the Send device feedback to WatchGuard check box. You can also configure this setting in Global Settings.

WatchGuard Training

20

Quick Setup Wizard Configure the External Interface

The IP address you give to the external interface can be:

A static IP address An IP address assigned with DHCP An IP address assigned with PPPoE

You must also add an IP address for the device default gateway. This is the IP address of your gateway router.

WatchGuard Training

21

Quick Setup Wizard Configure Interfaces

Configure the Trusted and Optional interfaces. Select one of these configuration options:

Mixed Routing Mode (Use these IP addresses)

Each interface is configured with an IP address on a different subnet.

Drop-in Mode (Use the same IP address as the external interface)

All XTM device interfaces have the same IP address. Use drop-in mode when devices from the same publicly addressed network are located on more than one device interface.

WatchGuard Training

22

Understand Routed Configurations

In mixed routing mode (routed configuration):

Configure each interface with an IP address on a different subnet. Assign secondary networks on any interface.

WatchGuard Training

23

Understand Drop-in Configurations

In drop-in mode:

Assign the same primary IP address to all interfaces on your device. Assign secondary networks on any interface. You can keep the same IP addresses and default gateways for devices on your trusted and optional networks, and add a secondary network address to the XTM device interface so the device can correctly send traffic to those devices.

WatchGuard Training

24

Quick Setup Wizard Add a Feature Key

When you purchase additional options for your device, you must get a new feature key to activate the new options. You can add feature keys in the Quick Setup Wizard or later in Policy Manager.

WatchGuard Training

25

Quick Setup Wizard Set Passphrases

You define two passphrases for connections to the device

Status passphrase Read-only connections Configuration passphrase Read-write connections

Both passphrases must be at least 8 characters long and different from each other

WatchGuard Training

26

Quick Setup Wizard Final Steps

Save a basic configuration to the device. You are now ready to put your device in place on your network. Remember to reset your management computer IP address.

WatchGuard Training

27

WatchGuard System Manager

Start WSM Connect to an XTM device or the Management Server Display device status

WatchGuard Training

28

Components of WSM
WSM includes a set of management and monitoring tools:

Policy Manager Firebox System Manager HostWatch Log Manager Report Manager CA Manager Quarantine Server Client

To launch a tool, select it from the WSM Tools menu or click the tool icon

WatchGuard Training

29

Administration: Work with Device Configuration Files

WatchGuard Training

30

Learning Objectives
Start Policy Manager Open and save configuration files Configure the XTM device for remote administration Reset XTM device passphrases Back up and restore the XTM device configuration Add XTM device identification information

WatchGuard Training

31

What is Policy Manager?

A configuration tool that you can use to modify the settings of your XTM device Changes made in Policy Manager do not take effect until you save them to the device Launch Policy Manager from WSM

Select a connected or managed device Click the Policy Manager icon on the toolbar

WatchGuard Training

32

Navigate Policy Manager

From the View menu, select how policies are displayed

Details View

Large Icons View

WatchGuard Training

33

Navigate Policy Manager

Use the menu bar to configure many device features.

WatchGuard Training

34

Navigate Policy Manager

Security policies that control traffic through the device are represented by policies. To edit a security policy, double-click the policy name.

WatchGuard Training

35

Open and Save Configuration Files

Open a file from your local drive or from an XTM device Save configuration files to your local drive or to the XTM device Create new configuration files in Policy Manager

New configuration files include a basic set of policies. You can add more policies.

WatchGuard Training

36

Configure Your Device for Remote Administration

Connect from home to monitor device status Change policies remotely to respond to new threats Make the policy as restrictive as possible for security Edit the WatchGuard policy to enable access from an external IP address You can also use Fireware XTM Web UI to configure a device (over TCP port 8080)

WatchGuard Training

37

Change XTM Device Passphrases

Minimum of eight characters Change frequently Restrict their use

WatchGuard Training

38

Back Up the XTM Device Images

Create and restore an encrypted backup image Backup includes feature key and certificate information Encryption key is required to restore an image

WatchGuard Training

39

Add XTM Device Identification Information

XTM device name and model Contact information Time zone for log files and reports

WatchGuard Training

40

Upgrade Your XTM Device

1. Back up your existing device image. 2. Download and install the new version of Fireware XTM OS on your management computer. 3. From Policy Manager, select File > Upgrade.

WatchGuard Training

41

Upgrade Your XTM Device

4. Browse to the location of the OS upgrade file: C:\Program Files\Common Files\WatchGuard\Resources\Fireware XTM 5. Select the correct .sysa-dl file for your device:

XTM 2500 Series: xtm800_1500_2500.sysa-dl XTM 2050: xtm2050_bc.sysa-dl XTM 1500 Series: xtm800_1500_2500.sysa-dl XTM 1050: xtm1050_bb.sysa-dl XTM 800 Series: xtm800_1500_2500.sysa-dl XTM 8 Series: xtm8_b5.sysa-dl XTM 5 Series: xtm5_b0.sysa-dl XTM 330: xtm330_bd.sysa-dl XTM 33: xtm3_aa.sysa-dl XTM 25, 26: xtm2_a6.sysa.dl XTMv: xtmv_c5.sysa-dl

WatchGuard Training

42

Network Settings: Configure XTM Device Interfaces

WatchGuard Training

43

Learning Objectives
Configure external network interfaces with a static IP address, DHCP and PPPoE Configure a trusted and optional network interface Use the XTM device as a DHCP server Add WINS/DNS server locations to the device configuration Add Dynamic DNS settings to the device configuration Set up a secondary network or address Understand Drop-In Mode and Bridge Mode

WatchGuard Training

44

Add a Firewall to Your Network

Interfaces on separate networks Most users have at least one external and one trusted

External
203.0.113.2/24

Trusted Network
10.0.1.1/24

Optional Network
10.0.2.1/24

WatchGuard Training

45

Beyond the Quick Setup Wizard

The Quick Setup Wizard configures the device with External, Trusted, and Optional networks by default: eth0 = external eth1 = trusted eth2 = optional (only if you provide an optional interface IP address in the wizard) You can change the interface assignments. In Policy Manager, select Network > Configuration.

WatchGuard Training

46

Network Configuration Options

Modify the properties of an interface

Change the interface type (from trusted to optional, etc.) Add secondary networks and addresses Enable the DHCP server

Configure additional interfaces Configure WINS/DNS settings for the device Add network or host routes Configure NAT

WatchGuard Training

47

Interface Independence
You can change the interface type of any interface configured with the Quick Setup Wizard. You can also choose the interface type of any additional interface you enable.

WatchGuard Training

48

Use a Dynamic IP Address for the External Interface

The XTM device can get a dynamic IP address for an external interface with DHCP or PPPoE.

WatchGuard Training

49

Use Dynamic DNS

Register the external IP address of the XTM device with the supported dynamic DNS service, DynDNS.

WatchGuard Training

50

Use a Static IP Address for the External Interface

The XTM device can use a static IP address given to you by your Internet Service Provider.

WatchGuard Training

51

Enable the Device DHCP Server

Can be used on a trusted or optional interface Type the first and last IP addresses of the range for DHCP Configure up to 6 IP address ranges Reserve some IP addresses for specified MAC addresses

WatchGuard Training

52

Configure Trusted and Optional Interfaces

Optional

Sales Force
10.0.4.1/24

Trusted
Finance

Optional
Trusted-Main
10.0.1.1/24

10.0.3.1/24

Public Servers
10.0.2.1/24

Conference
10.0.5.1/24

1.

Start with a trusted network.

2.

Add an optional network for public servers.

3.

As your business grows, add more trusted and optional networks.

53

WatchGuard Training

Add WINS/DNS Servers

All devices on the trusted and optional networks can use this server Use an internal server or an external server Used by the XTM device for DHCP, Mobile VPN, NTP time updates, and Subscription Service updates

WatchGuard Training

54

Secondary Networks
Share one of the same physical networks as one of the device interfaces. Add an IP alias to the interface, which is the default gateway for computers on the secondary network.

Secondary
172.16.100.0/24

Trusted-Main
10.0.1.1/24
WatchGuard Training 55

Network or Host Routes

Create static routes to send traffic from a device interface to a router
The router can then send the traffic to the correct destination from the specified route.

If you do not specify a route to a remote network or host, all traffic to that network or host is sent to the device default gateway.

WatchGuard Training

56

Drop-In Mode and Bridge Mode

Use Drop-In Mode if you want to have the same logical network (subnet) spread across all device interfaces.

Computers in this subnet can be on any device interface You can add a secondary address to any device interface to use an additional network on the interface You assign one IP address to the device for management connections Bridge Mode turns the device into a transparent Layer 2 bridge
To set the interface configuration mode, select Network > Configuration.

Use Bridge Mode when you want the device to be invisible.

WatchGuard Training

57

Logging: Set Up Logging and Notification

WatchGuard Training

58

Learning Objectives
Set up a Log Server Configure the XTM device to send messages to a Log Server Configure logging and notification preferences Set the Diagnostic Log Level View log messages

WatchGuard Training

59

Introduction to the Log Server

WatchGuard Training

60

Log Message Types

Traffic Allowed and denied packets Alarm An event you configure as important that requires a log message or alert Event A device restart, or a VPN tunnel creation or failure Debug Additional messages with diagnostic information to help you troubleshoot network or configuration problems Statistic Information about the performance of the XTM device

WatchGuard Training

61

Configure Logging
For log messages to be correctly stored, you must:

Install the Log Server software Configure the Log Server Configure the XTM device to send log messages to the Log Server

WatchGuard Training

62

Install the Log Server

In the WSM installer, select to install the Log Server component The Log Server does not have to be installed on the same computer that you use as your management computer The Log Server should be on a computer with a static IP address

WatchGuard Training

63

Configure the Log Server

Right-click the WatchGuard Server Center icon in your Windows system tray to open WatchGuard Server Center.
The Server Center Setup Wizard starts.

Set the administrator passphrase. Set the log encryption key.

WatchGuard Training

64

Configure Log Server Settings

Open WatchGuard Server Center to configure Log Server properties. Type the administrator passphrase. Select Log Server to configure Log Server settings.

WatchGuard Training

65

Configure Log Server Settings

Server Settings Database size and encryption key settings. Database Maintenance Specify database back up file settings, and select to use the Built-in database or an External PostgreSQL database. Notification Configure settings for event notification and the SMTP Server. Logging Firebox Status (which devices are currently connected to the Log Server) and where to send log messages.

WatchGuard Training

66

Configure the XTM Device to Send Log Messages

Use Policy Manager Set the same log encryption key that is used for the Log Server Backup Log Servers can be used when the primary fails Specify the port to connect to a syslog server

WatchGuard Training

67

Default Logging Policy

When you create a policy that allows traffic, logging is not enabled by default When you create a policy that denies traffic, logging is enabled by default If denied traffic does not match a specific policy, it is logged by default

WatchGuard Training

68

Set the Diagnostic Log Level

You can also configure the device to send detailed diagnostic log messages to help you troubleshoot a specific problem. From Policy Manager, select Setup > Logging, and click Diagnostic Log Level.

WatchGuard Training

69

View Log Messages

You can see log messages with two different tools:

Traffic Monitor Real-time monitoring in FSM from any computer with WSM

WatchGuard Training

70

View Log Messages

Log Manager From WatchGuard WebCenter, you can use Log Manager to see any log messages stored on the Log Server. Use the search feature to locate specific information in your log files.

WatchGuard Training

71

Reports: Generate Reports of Network Activity

WatchGuard Training

72

Learning Objectives
Set up and configure a Report Server Generate and save reports at regular intervals Generate and view reports Change report settings Save, print, and share reports

WatchGuard Training

73

WSM Reporting Architecture

WatchGuard Training

74

Configure the Report Server

Install on a Microsoft Windows computer Can be the same computer as the Log Server Configure the Report Server from WatchGuard Server Center Select to use the Built-in database or an External PostgreSQL database Add one or more Log Server IP addresses Set report interval, report type, and notification preferences
WatchGuard Training 75

View Reports with Report Manager

Report Manager is available in WatchGuard WebCenter, which is installed with the Report Server Add users in WatchGuard Server Center to enable them to use Report Manager

WatchGuard Training

76

View Reports with Report Manager

Connect to WatchGuard WebCenter over port 4130, and select Report Manager to view and generate reports View Available Reports (scheduled reports) Create On-Demand Reports and Per Client Reports Launch Report Manager from WSM Save reports in PDF format

WatchGuard Training

77

Monitor Your Firewall: Monitor Activity Through the XTM Device

WatchGuard Training

78

Learning Objectives
Interpret the information in the WSM display Use Firebox System Manager to monitor device status Change Traffic Monitor settings Use Performance Console to visualize device performance Use HostWatch to view network activity and block a site Add and remove sites from the Blocked Sites list

WatchGuard Training

79

WatchGuard System Manager Display

WatchGuard Training

80

Firebox System Manager

Front Panel Traffic Monitor Bandwidth Meter Service Watch Status Report Authentication List Blocked Sites Subscription Services Gateway Wireless Controller

WatchGuard Training

81

Traffic Monitor
View log messages as they occur Set custom colors and fields Start traceroute or Ping to source and destination IP addresses Copy information to another application

WatchGuard Training

82

Performance Console
Monitor and graph XTM device activity Launch from Firebox System Manager System Information Firebox statistics, such as the number of total active connections and CPU usage Interfaces Total number of packets sent and received through the XTM device interfaces Policies Total connections, current connections, and discarded packets VPN Peers Inbound and outbound SAs and packets Tunnels Inbound and outbound packets, authentication errors, and replay errors

WatchGuard Training

83

Use HostWatch to View Connections

Graphical display of live connections One-click access to more details on any connection Temporarily block sites

WatchGuard Training

84

Use the Blocked Sites List

View sites added temporarily by the device as it blocks the source of denied packets Change expiration settings for temporarily blocked sites

WatchGuard Training

85

Examine and Update Feature Keys

View the feature keys currently on your XTM device Add a new feature key to your XTM device

WatchGuard Training

86

NAT: Use Network Address Translation

WatchGuard Training

87

Learning Objectives
Understand network address translation types Add dynamic NAT entries Use static NAT for public servers

WatchGuard Training

88

What is Network Address Translation?

Changes one public IP address into many Protect the map of your network Devices and users with private IP addresses

NAT Enabled

Your Network
WatchGuard Training

Internet sees only one public address (an External XTM device IP address)
89

Add Firewall Dynamic NAT Entries

Most frequently used form of NAT Changes the outgoing source IP address to the external IP address of the XTM device Enabled by default for standard private network IP addresses, such as 192.168.0.0/16

WatchGuard Training

90

Static NAT for Public Servers

Web server
Port 80 TCP 10.0.2.80

FTP server
Port 21 TCP

203.0.113.2

10.0.2.21

Email server
Port 25 TCP 10.0.2.25

Your Network

Web traffic One external IP to private static IP FTP traffic Same external IP to second, private static IP SMTP traffic Same external IP to third, private static IP

WatchGuard Training

91

1-to-1 NAT for Public Servers

NetMeeting
Ports 1720, 389, dynamic 10.0.2.11

IKE traffic Second dedicated public IP address

IKE
Without NAT-T 10.0.2.12

Intel-Video-Phone
Ports 1720, 522 10.0.2.13

Intel Phone (H.323) Another external IP address

Your Network

NetMeeting traffic Dedicated IP address on the external

92

WatchGuard Training

Configure Policies
You can customize 1-to1 NAT and Dynamic NAT settings in each policy Select Network > NAT to configure the settings The settings you specify apply unless you modify the NAT settings in a policy Select the Set Source IP option when you want any traffic that uses this policy to show a specified address from your public or external IP address range as the source IP address.

WatchGuard Training

93

Configure Policies
To configure a policy to use static NAT, click Add in the To section of the policy, then select Add SNAT. To add, edit, or delete SNAT actions, you can also select Setup > Actions > SNAT. To add an SNAT member, click Add.

WatchGuard Training

94

Policies: Convert Network Policy to Device Configuration

WatchGuard Training

95

Learning Objectives
Understand the difference between a packet filter policy and a proxy policy Add a policy to Policy Manager and configure its access rules Create a custom packet filter policy Set up logging and notification rules for a policy Use advanced policy properties Understand the function of the Outgoing policy Understand the function of the TCP-UDP proxy Understand the function of the WatchGuard policy Understand how the XTM device determines policy precedence

WatchGuard Training

96

What is a Policy?
A rule to limit access through the XTM device Can be configured to allow traffic or deny traffic Can be enabled or disabled Applies to specific port(s) and protocols Applies to traffic that matches From and To fields:

From Specific source hosts, subnets or users/groups To Specific destination hosts, subnets, or users/groups

WatchGuard Training

97

Packet Filters, Proxies, and ALGs

Two types of policies:

Packet Filter Examines the IP header of each packet, and operates at the network and transport protocol packet layers. Proxy & ALG (Application Layer Gateway)
Proxy Examines the IP header and the content of a packet at the application layer. If the content does not match the criteria you set in your proxy policies, you can set the proxy to deny the packet. Some proxy policies allow you to remove the disallowed content. ALG Completes the same functions as a proxy, but also provides transparent connection management. Proxy policies and ALGs examine the commands used in the connection to make sure they are in the correct syntax and order, and use deep packet inspection to make sure that connections are secure.

WatchGuard Training

98

Packet Filters, Proxies, and ALGs

Proxies & ALGs:

Remove all the network data Examine the contents Add the network data again Send the packet to its destination

WatchGuard Training

99

What are Packet Filters, Proxies, and ALGs?

Packet Filter Proxy & ALG

Source
Destination Port(s)/Protocols

Packet body
Attachments RFC Compliance Commands

100

WatchGuard Training

Add a Policy in Policy Manager

1.

Select a policy from a pre-defined list.

2.

Decide if the policy allows or denies traffic.

3.

Configure the source (From) and destination (To).

WatchGuard Training

101

Modify Policies
To edit a policy, double-click the policy By default, a new policy:

Is enabled and allowed Allows traffic on the port(s) specified by the policy Allows traffic from any trusted network to any external destination

WatchGuard Training

102

Change Policy Sources and Destinations

You can:

Select a pre-defined alias, then click Add. Click Add User to select an authentication user or group. Click Add Other to add a host IP address, network IP address, or host range.

WatchGuard Training

103

When do I use a custom policy?

A custom policy can be either a packet filter or proxy policy. Use a custom policy if:

None of the pre-defined policies include the specific combination of ports that you want. You need to create a policy that uses a protocol other than TCP or UDP.

WatchGuard Training

104

Logging and Notification for Policies

When you enable logging in a policy, you can also select whether the XTM device sends a notification message or triggers an SNMP trap. Notification options include:

Send email to a specified address A pop-up notification on the Log Server

WatchGuard Training

105

Set Logging Rules for a Policy

The XTM device generates log messages for many different types of activities You enable logging for policies to specify when log messages are generated and sent to the Log Server

WatchGuard Training

106

What is Precedence?
Precedence is used to decide which policy controls a connection when more than one policy could control that connection In Details view, the higher the policy appears in the list, the greater its precedence. If two policies could apply to a connection, the policy higher in the list controls that connection

WatchGuard Training

107

What is Precedence?
Policies can be moved up or down in Manual Order mode to set precedence, or restored to the order assigned by Policy Manager with Auto-Order Mode.

WatchGuard Training

108

Advanced Policy Properties

Schedules Connection rate limits Override NAT settings QoS settings ICMP error handling

WatchGuard Training

109

Schedule Policies
Set the times of day when the policy is enabled

WatchGuard Training

110

Understand the Outgoing policy

The Outgoing packet filter policy is added in the default configuration Allows all outgoing TCP and UDP connections from trusted and optional networks to external networks Enables the XTM device to work out of the box but could have security problems If you remove the Outgoing policy, you must add policies to allow outgoing traffic

WatchGuard Training

111

Understand the TCP-UDP-Proxy

Enables TCP and UDP protocols for outgoing traffic Applies proxy rules to traffic for the HTTP, HTTPS, SIP, and FTP protocols, regardless of the port numbers Blocks selected IM and P2P applications, regardless of port

WatchGuard Training

112

The WatchGuard Policy

Controls management connections to the XTM device By default, this policy allows only local administration of the device; edit the configuration to allow remote administration

WatchGuard Training

113

Find Policy Tool

Fireware XTM includes a utility to find policies that match the search criteria you specify With the Find Policies tool, you can quickly locate policies that match user or group names, IP addresses, port numbers, and protocols.

WatchGuard Training

114

Policy Tags and Filters

Assign policy tags to policies to create policy groups Sort the policy list by policy tag to see the policy list by policy group Create and save policy filters to specify which policies appear in the policy list

WatchGuard Training

115

Proxy Policies: Use Proxy Policies and ALGs to Protect Your Network

WatchGuard Training

116

Learning Objectives
Understand the purpose and configuration of proxy policies and ALGs Configure the DNS-proxy to protect DNS server Configure an FTP-Server proxy action Configure an FTP-Client proxy action Enable logging for proxy actions

WatchGuard Training

117

What are Proxies and ALGs?

Proxy policies and ALGs (Application Layer Gateway) are powerful and highly customizable application inspection engines and content filters. A packet filter looks at IP header information only. A proxy or ALG looks at the content of the network data. ALGs also provide transparent connection management.

WatchGuard Training

118

What is the DNS Proxy?

Domain Name System Validates all DNS traffic Blocks badly formed DNS packets Fireware XTM includes two methods to control DNS traffic:

DNS packet filter IP headers only DNS-Proxy filter content

WatchGuard Training

119

Control Incoming Connections

Use the DNS-Incoming action as a template You own the server You decide who gets to DNS Proxy connect to the server

DNS server

Your network

WatchGuard Training

120

Configuring DNS-Incoming
General OpCodes Query Types Query Name Intrusion Prevention Proxy Alarm

WatchGuard Training

121

Control Outgoing Connections

Use the DNS-Outgoing action as a template Operates with Intrusion Prevention Service Deny queries for specified domain names

DNS Proxy

Your Network

DNS server

WatchGuard Training

122

Use DNS-Outgoing
Use DNS-Outgoing to block DNS requests for services, such as queries for:

POP3 servers Advertising networks IM applications P2P applications

WatchGuard Training

123

Fireware XTM Proxies

DNS FTP H323 and SIP (Application Layer Gateways) HTTP and HTTPS SMTP and POP3 TCP-UDP

Applies the proxies to traffic on all TCP ports

WatchGuard Training

124

What is a Proxy Action?

A set of rules that tell the XTM device how to apply one of the proxies to traffic of a specific type You can apply a proxy action to more than one policy

WatchGuard Training

125

Import & Export Proxy Actions

You can import and export:

Entire user-created proxy actions (not predefined proxy actions) Rulesets WebBlocker exceptions spamBlocker exceptions

WatchGuard Training

126

What is FTP?
File Transfer Protocol Often used to move files between two locations Client and server architecture Fireware XTM includes two methods to control:

FTP packet filter IP headers only FTP-proxy Content and commands

WatchGuard Training

127

FTP-Proxy
Restricts the types of commands and files that can be sent through FTP Works with the Gateway AV Service

WatchGuard Training

128

FTP-Client Action Rulesets

General Commands Download Upload AntiVirus Proxy and AV alarms

WatchGuard Training

129

Control Incoming Connections

Use the FTP-Server proxy action as a template The FTP server must be protected by the XTM device You decide who can connect to the FTP server

FTP Proxy

Anybody

Your FTP server

WatchGuard Training

130

Define FTP-Server Action Rulesets

General Commands Download Upload AntiVirus Proxy alarms Options that are available in the FTP-Client proxy action are also available in the FTP-Server proxy action Smart defaults are used in each ruleset to protect clients (FTP-Client) and servers (FTP-Server)
WatchGuard Training 131

Logging and Proxies

Proxy policies contain many more advanced options for logging than packet filter policies Each proxy category has its own check box to enable logging To generate detailed reports with information on packets handled by proxy policies, you must select the Enable logging for reports check box in each proxy action

WatchGuard Training

132

Email Proxies: Work with the SMTP and POP3 Proxies

WatchGuard Training

133

Learning Objectives
Understand the SMTP and POP3 proxies Understand the available actions for email Control incoming email Control outgoing email

WatchGuard Training

134

SMTP and POP3 Proxies

Used to restrict the types and size of files sent and received in email Operate with Gateway AV and spamBlocker

WatchGuard Training

135

Proxy Actions Available for Email

Default actions available:

Allow Email is allowed through your device Lock Email is allowed through your device; the attachment is encoded so only the XTM device administrator can open it AV Scan Gateway AntiVirus is used to scan the attachment Strip Email is allowed through your device, but the file attachment(s) are deleted Drop The SMTP connection is closed Block The SMTP connection is closed and the sender is added to the blocked sites list Quarantine Email is stored on the Quarantine Server (only with SMTP) and is not sent to the recipient

Also available with Gateway AntiVirus and spamBlocker:

WatchGuard Training

136

Control Incoming Email

Use SMTP-Incoming and POP3-Server actions as a template You decide what email you want to allow

SMTP Proxy

Your users Anybody Your SMTP server

WatchGuard Training

137

Control Outgoing Email

Use SMTP-Outgoing or POP3-Client action as a template You know the users You decide what they can send
SMTP Proxy

Anybody Your users

Their email server

WatchGuard Training

138

Authentication: Verify a Users Identity

WatchGuard Training

139

Learning Objectives
Understand authentication and how it works with the XTM device List the types of third-party authentication servers you can use with Fireware XTM Use Firebox authentication users and groups Add a Firebox authentication group to a policy definition Modify authentication timeout values Use the XTM device to create a custom web server certificate

WatchGuard Training

140

What is User Authentication?

Identify each user as they connect to network resources Restrict policies by user name

WatchGuard Training

141

WatchGuard Authentication
The user browses to the XTM device interface IP address on TCP port 4100 The XTM device presents an authentication page The XTM device verifies that the credentials entered are correct, and allowed for the type of connection The XTM device allows access to resources valid for that authenticated user or group

WatchGuard Training

142

Supported Authentication Servers

Firebox RADIUS VASCO SecurID LDAP Active Directory

Single Sign-On options

WatchGuard Training

143

Use Firebox Authentication

To use the XTM device as an authentication server:

Make groups Define users Edit policies

WatchGuard Training

144

Edit Policies for Authentication

Create users and groups Use the user and group names in policy properties Define From or To information

WatchGuard Training

145

Use Third-Party Servers

Set up a third-party authentication server Get configuration information, such as secrets and IP addresses Make sure the authentication server can contact the XTM device

WatchGuard Training

146

Set Global Authentication Values

Session and idle timeout values Number of concurrent connections Enable Single Sign-On with Active Directory authentication Enable redirect to the authentication page if the user is not yet authenticated

After users authenticate, they are redirected to the site they originally selected.

Specify the authentication server that appears at the top of the Domain list in the Authentication Portal Configure Terminal Services
WatchGuard Training 147

Enable Single Sign-On

Transparent authentication, no need to open a web page Available with Windows Active Directory Install the SSO Agent on a Windows server with a static IP address Install the SSO Client on all workstations (Optional) Install the Event Log Monitor on one computer in the domain (Clientless SSO) SSO Agent passes user credentials to the XTM device Use SSO exceptions for IP addresses that cannot authenticate (computers that are not domain members, or non-Windows PCs)

WatchGuard Training

148

Enable Terminal Services

Enables users to authenticate to your XTM device over a Terminal Server or Citrix server Enables your XTM device to report the actual IP address of each user logged in to the device Can be used with any configured authentication method (e.g. Firebox authentication, Active Directory, RADIUS, etc.)

WatchGuard Training

149

Fireware XTM Web Server Certificate

Why does the user get warnings from the browser?

Name on the certificate does not match the URL Fix this problem with a custom certificate that has all of the XTM device IP addresses as possible name matches User must still import this certificate to trusted root stores

WatchGuard Training

150

Blocking Spam: Stop Unwanted Email with spamBlocker

WatchGuard Training

151

Learning Objectives
Activate and configure spamBlocker Specify the actions to take when suspected spam email is detected Block or allow email messages from specified sources Monitor spamBlocker activity Install and configure Quarantine Server

WatchGuard Training

152

What is spamBlocker?
Technology licensed from Mailshell to identify spam or suspected spam email No local server to install

You can install Quarantine Server, but it is not necessary for spamBlocker to work correctly.

XTM device sends information to external servers to classify email and caches the results Operates with the SMTP and POP3 proxies You must have an SMTP or POP3 proxy action configured to use spamBlocker

WatchGuard Training

153

Activate spamBlocker
A feature key is required to enable spamBlocker

Use Policy Manager or FSM to add the feature key Save the configuration to the XTM device

Run the Activate spamBlocker Wizard

WatchGuard Training

154

Configure a Policy for spamBlocker

Use the SMTP-proxy or POP3-proxy Choose the proxy response to spam categorization Add exceptions

WatchGuard Training

155

spamBlocker Actions
Spam is classified into two spam categories:

Confirmed spam Suspected spam Allow Add Subject Tag Quarantine (SMTP only) Deny (SMTP only) Drop (SMTP only)

For each category, you can configure the action taken:

WatchGuard Training

156

spamBlocker Spam Thresholds

spamBlocker assigns each email message a spam score from 1 to 99. A message with a higher spam score is more likely to be spam. You can configure the spam thresholds in spamBlocker Settings.

Confirmed spam threshold:

If a message spam score is equal to or higher than this threshold, it is classified as confirmed spam.

Suspected spam threshold:

If a message spam score is equal to or higher than this threshold, but lower than the confirmed spam threshold, it is classified as suspected spam.

WatchGuard Training

157

spamBlocker Exceptions
You can configure exceptions for specific senders or recipients by:

Email address Domain by pattern match (*@xyz.com)

WatchGuard Training

158

Customize spamBlocker
Use multiple SMTP or POP3 proxies

WatchGuard Training

159

Monitor spamBlocker Activity

Status visible in Firebox System Manager Select the Subscription Services tab

WatchGuard Training

160

Quarantine Spam
Quarantine Server operates with spamBlocker for the SMTP-proxy only (not the POP3-proxy) Install with server components during WSM install, or from WatchGuard Server Center

WatchGuard Training

161

Quarantine Server Configuration

You can configure:

Database size and administrator notifications Server settings Length of time to keep messages The domains for which the Quarantine Server keeps mail Rules to automatically remove messages:
From specific senders From specific domains That contain specific text in the Subject field

WatchGuard Training

162

Web Traffic: Manage Web Traffic Through Your Firewall

WatchGuard Training

163

Learning Objectives
Control outgoing HTTP traffic Protect your web server Use the HTTPS-proxy Set up WebBlocker Select categories of web sites to block Override WebBlocker rules for specified sites

WatchGuard Training

164

What is the HTTP-Proxy?

Fully configurable HTTP requests and responses Use URL paths to block complete URLs, or match a pattern you specify Select header fields, protocol settings, and request/response methods Allow or deny based on content types Block the transfer of all or some attachments over port 80 Allow or deny cookies from specified domains Enforce search engine Safe Search rules

WatchGuard Training

165

Control Outgoing HTTP Traffic

Use the HTTP-Client proxy action as a template You know the users You decide where they go and what they can get access to Enforce Safe Search rules

HTTP Proxy

Your Network
WatchGuard Training 166

Settings for the HTTP-Client Proxy Action

HTTP Request HTTP Response Use Web Cache Server HTTP Proxy Exceptions WebBlocker AntiVirus Reputation Enabled Defense Deny Message Proxy and AV Alarms

WatchGuard Training

167

Protect Your Web Server

Use the HTTP-Server proxy action template Block malformed packets Prevent attacks on your server Enforce Safe Search rules

Web Server

HTTP Proxy

Your Network
WatchGuard Training 168

Settings for the HTTP-Server Proxy Action

HTTP Request HTTP Response HTTP Proxy Exceptions WebBlocker AntiVirus Reputation Enabled Defense Deny Message Proxy and AV Alarms

WatchGuard Training

169

When to Use the HTTPS-Proxy

HTTP on a secure, encrypted channel (SSL) Can use Deep Packet Inspection (DPI) to examine content and re-sign the original HTTPS site certificate OCSP can confirm the validity of the original HTTPS site certificate Use a certificate that all clients on your network automatically trust for this purpose when possible Can use WebBlocker to block categories of web sites When DPI is not enabled, checks the certificate and blocks by domain name

WatchGuard Training

170

What is WebBlocker?
Reduces malicious web content that enters the network Blocks URLs and IP addresses that you specify Reduces unproductive web surfing and potential liability Blocks access to IM/P2P download sites Blocks access to spyware sites Helps schools to attain CIPA compliance Two database options Global URL database English, German, Spanish, French, Italian, Dutch, Japanese, traditional Chinese, and simplified Chinese sites

WatchGuard Training

171

WebBlocker Server Options

Websense cloud

Uses a cloud-based URL categorization database with over 100 content categories, provided by Websense Does not use a locally installed WebBlocker Server URL categorization queries are sent over HTTP Uses a WatchGuard WebBlocker Server with 54 categories, provided by SurfControl Usually requires a locally installed WebBlocker Server
XTM 2 Series and XTM 33 can use a WebBlocker Server hosted by WatchGuard

WebBlocker Server

URL categorization queries are sent over UDP 5003

WatchGuard Training

172

The WebBlocker Database

Database updates keep the filtering rules up-to-date Use multiple categories to allow or deny different groups of users at different times of the day

WatchGuard Training

173

WebBlocker Content Categories

The available categories depend on which type of server you choose.

Websense cloud 100+ categories

WatchGuard Training

WebBlocker Server 54 categories

174

WebBlocker Server with Websense Cloud

1.When a user browses, the

XTM device checks the Websense cloud

2.If the site is not in a

blocked category, the device allows the connection Web Site Web Site

Websense Cloud Your Network

WatchGuard Training 175

WebBlocker Server with Local WebBlocker Server

1.WebBlocker Server gets

WebBlocker database from WatchGuard. WebBlocker Server

2.When a user browses, the

XTM device checks the WebBlocker Server.

3.If the site is not in a

blocked category, the device allows the connection.

Web Site

WebBlocker Updates Your Network

WatchGuard Training

WatchGuard
176

Keep the WebBlocker Database Updated

The locally installed WebBlocker Server automatically downloads an incremental update to the local WebBlocker database update at midnight. To update the database at other times, you can:

Manually trigger an incremental update in WatchGuard Server Center. Use Windows Task Scheduler to run the updatedb.bat process, which is installed in the C:\Program Files\WatchGuard\wsm11\bin directory.

WatchGuard Training

177

Advanced WebBlocker Settings

On the WebBlocker Configuration Advanced tab, you can control what happens if the device cannot contact the WebBlocker Server. You can:

Allow access to all web sites Deny access to all web sites

You can also set a password to use override WebBlocker when entered on individual computers.

WatchGuard Training

178

WebBlocker Exceptions
Add exceptions for web sites that WebBlocker denies and you want to allow (white list). Add web sites that WebBlocker allows and you want to deny (black list).

WatchGuard Training

179

Threat Protection: Defend Your Network From Intruders

WatchGuard Training

180

Learning Objectives
Understand the different types of intrusion protection Configure default packet handling to stop common attacks Block IP addresses and ports used by hackers Automatically block the sources of suspicious traffic

WatchGuard Training

181

Intrusion Detection and Prevention

Vulnerability found and exposed

Hacker builds attack that uses vulnerability

Attack launched

Vendor builds patch

Vendor distributes patch

IT admin queues patch update based on severity

IT admin installs patch

Proactively blocks many threats

Firewallbased IPS supplies zero-day protection

Attack signature developed and distributed

Ongoing protection at higher performance

WatchGuard Training 182

Default Packet Handling

Spoofing attacks Port and address space probes Flood attacks Denial of service Options for logging and automatic blocking

WatchGuard Training

183

Block the Source of Attacks 3. XTM device blocks the probe

and adds the IP address of the source (the attacker) to the temporary list of blocked sites.

2. Attacker runs a port

space probe on your network.

4. Now, even valid traffic from the

Web Server

attackers IP address is blocked by the XTM device.

Log Server

Your Network
WatchGuard Training

1. Remote users use valid packets

to browse your web site.
184

Auto-Block Sites
Each policy configured to deny traffic has a check box you can select to auto-block the source of the denied traffic. If you select it, the source IP address of any packet denied by the policy is automatically added to the Blocked Sites List.

WatchGuard Training

185

Use a Proxy Action to Block Sites

When you select the Block action, the IP address denied by the proxy action is automatically added to the Blocked Sites List.

WatchGuard Training

186

Block Known Attack Vectors

Protect sensitive services on your network

Get log messages Close traffic for unwanted services Add specific ports to block Add specific IP addresses or subnets to be permanently blocked

Static configuration

Dynamic configuration

This feature can be enabled from many different places in Policy Manager:
Proxy actions Default packet handling settings Policy configuration

WatchGuard Training

187

Signature Services: Gateway AntiVirus, Intrusion Prevention, and Application Control

WatchGuard Training

188

Learning Objectives
Understand how signature-based security subscriptions work Set up and configure Gateway AntiVirus Configure proxies to use Gateway AntiVirus Set up and configure the Intrusion Prevention Service Set up and configure Application Control Enable IPS and Application Control in policies

WatchGuard Training

189

What is Gateway AV?

Signature-based antivirus subscription The XTM device downloads signature database updates at regular, frequent intervals Gateway AV operates with the SMTP, HTTP, FTP, POP3, and TCP-UDP proxies

WatchGuard Training

190

Set Up Gateway AntiVirus 1. XTM device downloads the

initial signature file

2. Device gets new signatures and

updates at a regular interval

3. Gateway AV strips viruses and

allows valid email or web pages to load

Gateway AntiVirus database updates

WatchGuard Your Network

WatchGuard Training 191

Gateway AV Wizard
Gateway AntiVirus can be enabled and configured with the wizard that you launch from the Subscription Services menu In the wizard, you select the proxy policies to include in the Gateway AV configuration

WatchGuard Training

192

Configure the Proxy with Gateway AntiVirus

Use the HTTP-proxy and SMTP-proxy to enable Gateway AV Define actions Define content types to scan Monitor Gateway AV status

WatchGuard Training

193

Gateway AV and the SMTP-Proxy

When an email attachment contains a known virus signature, the XTM device can take one of these actions:

Allow Attachment passes through with no change Lock Attachment can only be opened by an administrator Remove Attachment is stripped from the email Quarantine Message is sent to the Quarantine Server Drop The connection is denied Block The connection is denied, and the server is added to the Blocked Sites List

WatchGuard Training

194

Gateway AV and the HTTP-Proxy

When Gateway AV finds a known virus signature in an HTTP session, the XTM device can:

Allow The file is allowed to pass through without changes Drop The HTTP connection is denied Block The HTTP connection is denied, and the web server is added to the Blocked Sites List

WatchGuard Training

195

Gateway AV and the FTP-Proxy

The FTP-proxy applies Gateway AV settings to:

Downloaded files allowed in your configuration Uploaded files allowed in your configuration

WatchGuard Training

196

Gateway AV Settings
Select this option if you want Gateway AV to decompress file formats such as .zip or .tar The number of levels to scan is the depth for which Gateway AV scans archive files inside archive files

WatchGuard Training

197

Use Signature-Based IPS

Configure IPS to Allow , Drop, or Block connections from sources that match an IPS signature Action is set based on the threat level of the matching signature

WatchGuard Training

198

Use Signature-Based IPS

Configure settings globally Enable or disable per-policy Can scan traffic for all policies Blocks malicious threats before they enter your network

WatchGuard Training

199

Use Application Control

Application Control is a Subscription Service Monitor and control hundreds of applications based on signatures Block or allow traffic for application categories, applications, and application behaviors When Application Control blocks HTTP content, a deny message appears in the browser

The deny message is not configurable For HTTPS or other content types, the deny message does not appear

WatchGuard Training

200

Use Application Control

To configure actions by application category, click Select by Category

WatchGuard Training

201

Apply Application Control to Policies

First configure Application Control actions On the Policies tab, select one or more policies, then select the action to apply

WatchGuard Training

202

Enable Application Control and IPS in Policies

Application Control

Application Control is not automatically enabled for policies For each policy, you select which Application Control action to use To monitor the use of applications, enable logging of allowed packets in the policies that have Application Control enabled When you enable IPS it is enabled for all policies by default You can enable or disable IPS for each policy

IPS

WatchGuard Training

203

Application Control and IPS in HTTPS-Proxy Policies

If you enable Application Control or IPS for an HTTPS-proxy policy, you must also enable deep inspection of HTTPS content in the HTTPS-proxy action

Required for IPS to scan the HTTPS content Required for Application Control to detect applications over an HTTPS connection

WatchGuard Training

204

Enable Automatic Signature Updates

To protect against the latest viruses and exploits, and to identify the latest applications, make sure your device is configured to get automatic updates to Gateway AntiVirus, Intrusion Prevention, and Application Control signatures at regular intervals Update requests can be routed through a proxy server

WatchGuard Training

205

Monitor Signature Update Status

In Firebox System Manager, select the Subscription Services tab to see the status of Gateway AV, IPS and Application Control signatures, or to manually get signature updates

WatchGuard Training

206

Reputation Enabled Defense: Improve the Performance and Security of Web Access

WatchGuard Training

207

Learning Objectives
Understand how Reputation Enabled Defense works Configure Reputation Enabled Defense Monitor Reputation Enabled Defense

WatchGuard Training

208

What is Reputation Enabled Defense (RED)?

Reputation-based HTTP anti-virus and anti-spyware prevention subscription, available for WatchGuard XTM device models only RED operates with the HTTP-proxy RED uses a cloud-based reputation server that assigns a reputation score between 1 and 100 to every URL

The reputation score for a URL is based on AV scanning feedback and other URL reputation data collected from sources around the world.

When a user browses to a web site, RED looks up the score for the URL

For URLs with a good reputation score, local scanning is bypassed For URLs with a bad reputation score, the HTTP-proxy denies access without local scanning by Gateway AV For URLs with an inconclusive reputation score, local Gateway AV scanning is performed as configured

Eliminates the need to locally scan the content of web sites that have a known good or bad reputation and improves XTM device performance
WatchGuard Training 209

WatchGuard Training

RED Reputation Scores

Reputation Scores:

High scores indicate a bad reputation Low scores indicate a good reputation If RED has no knowledge of a URL, it assigns a score of 50 The reputation score assigned to a URL increases based on:
Negative scan results for that URL Negative scan results for a referring link Negative information from other sources of malware data

The reputation score assigned to a URL decreases based on:

Multiple clean scans Recent clean scans

RED continually updates the reputation scores for URLs based on:

Scan results from devices around the world by two leading anti-malware engines: Kaspersky and AVG Data from other leading sources of malware intelligence for the web

WatchGuard Training

210

RED Reputation Thresholds and Actions

The action performed by the HTTP-proxy depends on:

The reputation score of a requested URL The locally configured reputation thresholds If score is higher than the Bad reputation threshold, Deny access If score is lower than the Good reputation threshold, Bypass local scanning Otherwise, perform local Gateway AV scanning as configured

RED Actions:

WatchGuard Training

211

Enable Reputation Enabled Defense

Before you enable RED:

Your device must a have Reputation Enabled Defense feature key You must have configured at least one HTTP-proxy policy

WatchGuard Training

WatchGuard Training

212

Configure Reputation Enabled Defense

Enable RED for the HTTP-proxy Define thresholds Monitor RED status

WatchGuard Training

WatchGuard Training

213

Reputation Enabled Defense and the HTTP-Proxy

Based on the reputation score for a URL, the HTTP-Proxy can:

Immediately block the URL if it has a bad reputation Bypass any configured local virus scanning for a URL that has a good reputation

If neither of these RED actions occur, then any locally configured virus scanning proceeds as configured

WatchGuard Training

WatchGuard Training

214

Reputation Enabled Defense and the HTTP-Proxy

Default reputation thresholds are set to balance security with performance Change bad and good reputation thresholds in the Advanced Settings dialog box WatchGuard recommends that you use the default reputation thresholds

WatchGuard Training

WatchGuard Training

215

Monitor Reputation Enabled Defense

RED status is visible in Firebox System Manager on the Subscription Services tab

WatchGuard Training

WatchGuard Training

216

Web UI: Explore Fireware XTM Web UI

WatchGuard Training

217

Learning Objectives
Log in to Fireware XTM Web UI Change the port that the XTM device uses for the Web UI Discuss limitations of the Web UI Manage timeouts for the Web UI management sessions

WatchGuard Training

218

Introduction to Fireware XTM Web UI

Monitor and manage any device running Fireware XTM without installing extra software Real-time management tool Easily find what you need and understand how the configuration options work

WatchGuard Training

219

Limitations of the Web UI

Things you can do with Policy Manager, but not with the Web UI:

View or change the configuration of a device that is a member of a FireCluster Add or remove static ARP entries from the devices ARP table Change the name of a policy Change the logging of default packet handling options Enable or disable the notification of BOVPN events Add a custom address to a policy Use Host Name (DNS lookup) to add an IP address to the From or To section of a policy Create a .wgx file for Mobile VPN with IPSec client configuration (You can get only the equivalent, but unencrypted, .ini file) Export certificates stored on the device, or see their details (You can only import certificates) Some of the logging and reporting functions provided by HostWatch, Log Manger, Report Manager, and WSM are also not available

WatchGuard Training

220

Log in to the Web UI

You need only a browser with support for Adobe Flash Real-time configuration tool, no option to store configuration changes locally and save to device later https://<XTM.device.IP.address>:8080

Uses a self-signed certificate, so you must accept certificate warnings or replace the certificate with a trusted certificate You can change the port for the Web UI Status For read-only permission; uses the status passphrase Admin For read-write permission; uses the configuration passphrase

Log in with one of two accounts

WatchGuard Training

221

Log in to the Web UI

Multiple concurrent logins are allowed with the status account Only one admin account can be logged in at a time The last user to log in with the admin account is the only user that can make changes

Includes changes from Policy Manager and WSM

WatchGuard Training

222

Log in to the Web UI

The user account name appears at the top of the screen Navigation menu links are at the left side

WatchGuard Training

223

Conclusion
This presentation provides an overview of basic Fireware XTM features For more information, see these training, documentation, and support resources available in the Support section of the WatchGuard web site:

WatchGuard System Manager Help Fireware XTM Web UI Help WatchGuard Knowledge Base Fireware XTM Training courseware

WatchGuard Training

224

Thank You

Thank You!

WatchGuard Training

225