WatchGuard Firebox SOHO 6 Wireless User Manual

Summary of Firebox SOHO 6 Wireless

  • Page 1

    WatchGuard® Firebox® SOHO 6 User Guide SOHO 6.1

  • Page 2

    Using this guide: To use this guide you need to be familiar with your computer’s operating system. If you have questions about navigating in your computer’s environment, please refer to your system user manual. The following conventions are used in this guide. Conventio...

  • Page 3

    Certifications and notices. FCC certification: This appliance has been tested and found to comply with limits for a Class A digital appliance, pursuant to Part 15 of the FCC Rules. Operation is subject to the following two conditions: • This appliance may not cause harmful interference....

  • Page 4

    VCCI notice, Class A ITE.

  • Page 5

    Declaration of conformity.

  • Page 6

    WatchGuard SOHO Software End-User License Agreement. IMPORTANT - READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE. This WatchGuard SOHO Software End-User License Agreement ("EULA") is a legal agreement between you (e...

  • Page 7

    archival purposes only. 3. Prohibited uses. You may not, without express written permission from WatchGuard: (a) reverse engineer, disassemble or decompile the software product; (b) use, copy, modify, merge or transfer copies of the software product or printed materials except as prov...

  • Page 8

    Limitation of liability. WatchGuard's liability (whether in contract, tort, or otherwise; and notwithstanding any fault, negligence, strict liability or product liability) with regard to the software product will in no event exceed the purchase price paid by you for ...

  • Page 9

    No change or modification of this EULA will be valid unless it is in writing, and is signed by WatchGuard. Notice to users: Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of...

  • Page 10

    5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes...

  • Page 11

    The mod_ssl package falls under the open-source software label because it's distributed under a BSD-style license. The detailed license information follows. Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. Redistribution and use in source and binary forms, with or with...

  • Page 12

    5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation. This software is provided ``as is'' and any expressed or implied warranties, including, but no...

  • Page 13

    Contents. Chapter 1 Introduction (1); The package contents (2); How does a firewall work? (3); How does information travel on the Internet? (4); IP addres...

  • Page 14

    Disable the HTTP proxy setting of your web browser (14); Enable your computer for DHCP (16); Physically connect the SOHO 6 (18); Cabling the SOHO 6 for one ...

  • Page 15

    Configure the dynamic DNS service (43); Configure OPT port upgrades (44); Configure Dual ISP port (44); Configure VPNforce™ port (47); Chapter 5 Administrative optio...

  • Page 16

    Chapter 7 Configure logging (75); View SOHO 6 log messages (76); Set up logging to a WatchGuard Security Event Processor log host (77); Set up logging to a sysl...

  • Page 17

    WebBlocker categories (103); Chapter 10 Support resources (107); Troubleshooting tips (107); General (107); Config...

  • Page 19

    Chapter 1: Introduction. Welcome. Congratulations on purchasing the ideal solution for providing secure access to the Internet–the WatchGuard® Firebox® SOHO 6 or SOHO 6tc security appliance.

  • Page 20

    This user guide is for both the SOHO 6 and the SOHO 6tc–the name SOHO 6 refers to both these appliances throughout this guide. The only difference between them is the ability to create and use a virtual private network (VPN). The VPN option is ad...

  • Page 21

    How does a firewall work? Fundamentally, a firewall is a way of distinguishing between, as well as protecting, “us” and “them”. On the external side of your SOHO 6 firewall is the entire Internet. The Internet offers many resources such as the web, email, and v...

  • Page 22

    and the trusted network (your computer) and blocks any suspicious activity. How does information travel on the Internet? All information transported over the Internet is packaged in a special manner to ensure that it travels from one computer to ...

  • Page 23

    Port numbers: The port numbers are used by computers at both the sending and receiving end to determine the particular program or application for each connection. How does the SOHO 6 process information? Services: A service is the combination of pr...

  • Page 24: Faster Processor

    the external address of the SOHO 6. When a hacker tries to violate the computer, they are stopped at the SOHO 6, never learning the true address of your computer. The SOHO 6 hardware description: The SOHO 6 has significant improvements to the hard...

  • Page 25: Status

    Status: When illuminated, this light indicates that a management connection has been made. Link: The link indicator illuminates when there is a good physical connection to any of the numbered (0-3) interfaces of the trusted network. The link indicator blink...

  • Page 26: Opt Port

    The SOHO 6 has six Ethernet ports, a reset button, and a power input located on the rear of the appliance. The following photograph shows the entire rear view. OPT port: This Ethernet port corresponds to the optional interface. This interface is a...

  • Page 27: Reset Button

    Note: The OPT port is only available if you purchase the Dual ISP Port or VPNforce Port upgrades. You cannot use the OPT port as another Ethernet port on the trusted network. Reset button: Using the reset button, you can return the SOHO 6 to the factor...

  • Page 29

    Chapter 2: Installation. This chapter explains how to install the SOHO 6 into your network. You must complete the following steps: • Review and record your current TCP/IP settings • Disable the HTTP proxy setting of your web browser • Enable your computer for DHCP • Physically connect th...

  • Page 30

    Before you begin: Before installing your new SOHO 6, be certain that you have the following items: • A 10/100BaseT Ethernet I/O network card installed in your computer. • A cable or DSL modem with a 10/100BaseT port or an ISDN router. This is un...

  • Page 31: , Then Press Enter.

    2 At the default prompt, type ipconfig/all, then press Enter. 3 Enter the TCP/IP settings in the chart provided below. 4 Click Cancel. Microsoft Windows NT: 1 Click Start => Programs => Command Prompt. 2 At the default prompt, type ipconfig/all, then press Enter. 3 En...

  • Page 32

    3 Exit the TCP/IP configuration screen. Note: If you are connecting more than one computer to the trusted network behind the SOHO 6, determine the TCP/IP settings for each computer. Disable the HTTP proxy setting of your web browser: To configure...

  • Page 33: Click Proxies.

    To disable the HTTP proxy in three commonly used browsers, see the instructions below. If your browser is not listed, see your browser help menus to learn how to disable the HTTP proxy settings. Netscape 4.7: 1 Open Netscape. 2 Click Edit => Preferences. The Preferences...

  • Page 34: Click The Advanced Tab.

    Internet Explorer 5.0, 5.5, and 6.0: 1 Open Internet Explorer. 2 Click Tools => Internet Options. The Internet Options window appears. 3 Click the Advanced tab. 4 Scroll down the page to HTTP 1.1 settings. 5 Disable all checkboxes. 6 Click OK to ...

  • Page 35: Click Properties.

    4 Click Properties. The network connection properties dialog box appears. 5 Double-click the Internet Protocol (TCP/IP) component. The Internet Protocol (TCP/IP) Properties dialog box appears.

  • Page 36

    6 Select Obtain an IP address automatically. Select Obtain DNS server address automatically. 7 Click OK to close the Internet Protocol (TCP/IP) Properties dialog box. Click OK again to close the network connection properties dialog box. Click Cl...

  • Page 37

    Cabling the SOHO 6 for one to four appliances: Each of the trusted network ports (numbered 0-3) is able to connect to a variety of appliances. These include computers, printers, scanners, or other network peripherals. Use your SOHO 6 to replace an existing ...

  • Page 38

    numbered Ethernet ports (labeled 0-3) on the SOHO 6. Connect the other end into the Ethernet port of your computer. The SOHO 6 is now connected to the Internet and your computer. 4 If you connect to the Internet using a DSL/cable modem, restore...

  • Page 39

    The SOHO 6 ships with a “10-seat” license. In other words, the SOHO 6 allows up to ten computers on a network behind the SOHO 6 to access the Internet. More than ten computers can exist on the network and communicate with each other, but only the first ten...

  • Page 40

    2 Disconnect the Ethernet cable that runs from your DSL/cable modem or other Internet connection to your computer and connect it to the WAN port on the SOHO 6. The SOHO 6 is now connected directly to the modem or other Internet connection. 3 Con...

  • Page 41

    Chapter 3: SOHO 6 basics. Once you have physically installed the SOHO 6, you can connect to it using your web browser. The SOHO 6 includes a web server that provides a web page configuration interface. The SOHO 6 home page—System Status: With your web browser, go to the System Status pag...

  • Page 42

    The System Status page appears. The System Status page is effectively the home page of the SOHO 6. A variety of information is revealed in an effort to provide a comprehensive display of the SOHO 6 configuration. This information includes: • Th...

  • Page 43: External Network

    Default factory settings - pass through • Upgrade options and their status • Configuration information for both the trusted and external networks. Note: When the external network is configured to use the PPPoE client, the page also displays a connect or disconnect button in order to ter...

  • Page 44: Firewall Settings

    Firewall settings: All incoming services are blocked. An outgoing service allows all outbound traffic. None of the firewall options are enabled. The DMZ pass-through is disabled. System security: System security is disabled and no system admini...

  • Page 45

    Finally, the PWR indicator light should remain illuminated. Your SOHO 6 is now reset to factory defaults. The base model SOHO 6: The base model SOHO 6 comes with a ten-seat license; that is, ten computers have access to the Inte...

  • Page 46

    Note: You must have JavaScript enabled on your browser to be able to activate LiveSecurity Service. If you are a returning customer, log in with your user name and password then choose your product and continue by following the instructions on ...

  • Page 47: Reboot.

    the default IP address, go to: http://192.168.111.1. Click Reboot. • Unplug the SOHO 6 and reconnect it to a power source. To reboot a SOHO 6 located on a remote system, you must set the SOHO 6 to allow either incoming HTTP (web) or FTP traffic to the trusted address ...

  • Page 49

    Chapter 4: Configure the network interfaces. Configure your external network: When you configure the external network, you establish how the SOHO 6 communicates with your ISP. This configuration depends upon how your ISP distributes network addresses–using DHCP or PPPoE. Network addressin...

  • Page 50

    The most common method to distribute IP addresses is dynamically using DHCP (Dynamic Host Configuration Protocol). When your computer is connected to the network, a DHCP server at your ISP automatically assigns it a network i...

  • Page 51: Network => External.

    Configure the SOHO 6 external network for static addressing: If you are assigned a static address, then you must transfer the permanent address assignment from your computer to the SOHO 6. Instead of communicating directly to your computer, the ISP now co...

  • Page 52: Click Submit.

    4 Enter the TCP/IP settings you recorded from your computer during the installation process. Refer to the table in “Review and record your current TCP/IP settings” on page 12. 5 Click Submit. The configuration change is save...

  • Page 53: 10 Click Submit.

    4 From the Configuration Mode drop list, select PPPoE Client. The page refreshes. 5 Enter the PPPoE login name and domain supplied by your ISP. 6 Enter the PPPoE password supplied by your ISP. 7 Enter how long you want the system to wait before it disabl...

  • Page 54: Network =>  Trusted.

    Configure the trusted network: By default, the SOHO 6 uses DHCP to assign addresses to computers on your trusted network. In other words, every time you connect a computer to the SOHO 6, either directly or through a hub, it au...

  • Page 55: Trusted Network.

    The Trusted Network configuration page appears. 3 Enter the IP address and the subnet mask in the appropriate fields. 4 Enable the checkbox labeled Enable DHCP Server on the Trusted Network. 5 Enter the first IP address the DHCP server will hand out to com...

  • Page 56

    2 Enter the IP address of the DHCP relay server. 3 Click Submit and reboot the SOHO 6 as necessary. The SOHO 6 will now send all DHCP requests to the specified, remote DHCP server and relay the resulting IP addresses to the c...

  • Page 57: Network =>  Trusted.

    Configure the trusted network with static addresses: To disable the SOHO 6 DHCP server and assign addresses statically, follow these steps: 1 With your web browser, go to the System Status page using the trusted IP address of the SOHO 6. For example, if usi...

  • Page 58: Trusted Network.

    4 Disable the checkbox labeled Enable DHCP Server on the Trusted Network. 5 Click Submit and reboot the SOHO 6 as necessary. 6 Configure your computers and other devices on the trusted network with static addresses. Configure...

  • Page 59: Click Add.

    The Routes page appears. 3 Click Add. The Add Route page appears. 4 From the Type drop list, select either Host or Network.

  • Page 60: Click Submit.

    5 Enter the IP address and the gateway of the route in the appropriate field. The gateway of the route is the local interface of the router. 6 Click Submit. To remove a route, select the appropriate entry and click Remove. Vi...

  • Page 61: Network =>  Dynamicdns.

    Configure the dynamic DNS service: This feature allows you to register the external IP address of the SOHO 6 with a dynamic DNS (Domain Name Server) service (www.dyndns.org). This service allows customers to bind their DNS record in the event that thei...

  • Page 62: Click Submit.

    Note: The SOHO 6 receives the IP of members.dyndns.org when it connects to the time server. 5 Click Submit. Configure OPT port upgrades: The optional port, OPT port, on the SOHO 6 supports two new upgrades: • Dual ISP Port upg...

  • Page 63

    The SOHO 6 uses two methods to determine if the external port connection is down: • The link to the nearest router • A ping to a specified location. The SOHO pings the default gateway or other location designated by the administrator. If there is no response...

  • Page 64: Network =>  Dual Isp.

    Once you have upgraded the SOHO 6 to activate this feature, follow these instructions to configure Dual ISP Port: 1 Connect one end of a straight-through Ethernet cable into the OPT port, and connect the other end into th...

  • Page 65: 10 Click Submit.

    9 Enter the number of times the system will ping the interface before timeout. 10 Click Submit. Configure VPNforce™ port: The VPNforce Port upgrade activates the SOHO 6 optional port for use on the trusted side. Its main function is to provide a remote offic...

  • Page 66: Network =>  Optional.

    2 From the navigation bar on the left side, select Network => Optional. The Optional Network configuration page appears. 3 To enable VPNforce, select the Enable Optional Network checkbox. 4 Enter the configuration information...

  • Page 67: Interface Checkbox.

    6 To require encrypted MUVPN connections on this interface, enable the Require Encrypted MUVPN Connections on This Interface checkbox. 7 Click Submit.

  • Page 69

    Chapter 5: Administrative options. The SOHO 6 Administration page is where you configure access to the SOHO 6–using System Security, enabling SOHO 6 Remote Management, or providing VPN Manager Access. You can also update the firmware, enter the feature key for any upgrade options you hav...

  • Page 70

    The System Security page: The System Security configuration page allows you to create secure settings to protect the configuration of the SOHO 6. Setting a system administrator name and system passphrase allows you to protect the SOHO 6...

  • Page 71

    recommends that the passphrase contain at least one special character, number, and a mixture of upper and lower case letters for increased security. Follow these steps to set up the SOHO 6 system passphrase: 1 With your web browser, go to the System Status page ...

  • Page 72: Click Submit.

    5 Enter the system administrator name. 6 Enter the system passphrase and confirm it. 7 Click Submit. SOHO Remote Management: This page also allows you to create a secure connection, using Internet Protocol Security (IPSec), to the SOHO ...

  • Page 73: Click Submit.

    2 From the navigation bar on the left side, select Administration => VPN Manager Access. The VPN Manager Access page appears. 3 Select Enable VPN Manager Access. 4 Enter the status passphrase and confirm it. 5 Enter the configuration passphrase and confirm it....

  • Page 74: Administration => Update.

    Update your firmware: As new firmware is released, you should update the version running on your SOHO 6. New updates are located on the WatchGuard web site at: http://support.watchguard.com/sohoresources/ Download the new firmware file ...

  • Page 75: Click Update.

    4 Enter the location of the firmware files located on your computer. 5 If you do not know the location of the firmware files, click Browse to browse your computer’s directories and select them. 6 Click Update. Follow the instructions provided by the u...

  • Page 76: Administration => Upgrade.

    3 Follow the instructions provided on the site to redeem your upgrade license key. 4 Copy the feature key displayed at the LiveSecurity Service web site. 5 With your web browser, go to the System Status page using the trusted IP addres...

  • Page 77: Dual Isp Port

    Dual ISP Port: This upgrade to the SOHO 6 activates the optional port as a fail-over support for the external interface. This license key is purchased separately. VPNforce Port: This upgrade to the SOHO 6 activates the optional port as a separate secure...

  • Page 78

    http://www.watchguard.com/renew/ Follow the instructions at the site to activate or purchase the renewal. View the configuration file: From this configuration page, the SOHO 6 configuration file appears in text format. 1 With your web b...

  • Page 79

    Chapter 6: Configure the firewall settings. Firewall settings: The flow of incoming and outgoing traffic is controlled by the configuration settings you make. These decisions are made in accordance with a sound security policy that defines the kinds of risks that are acceptable to you or y...

  • Page 80

    Configure incoming and outgoing services: By default, the security stance of the SOHO 6 is to deny incoming packets to computers on the trusted network protected by the SOHO 6 firewall. You can selectively open your network to ...

  • Page 81: Click Submit.

    2 Locate a pre-configured service, such as FTP, Web, or Telnet, then select either Allow or Deny from the drop list. In our example, the HTTP service is set to Allow, enabling incoming web traffic. 3 Enter the trusted network IP address of the co...

  • Page 82

    2 From the navigation bar on the left side, select Firewall => Custom Service. The Custom Service page appears. 3 Define a name for the service in the appropriate field. 4 Beneath the Protocol Settings fields, select either TC...

  • Page 83: Fields And Click Add.

    5 Enter the port number (or numbers if creating a range of ports) or enter the IP protocol number to allow in the appropriate fields and click Add. After creating a custom service, you need to specify a filter rule as well as define the incoming and outgoing proper...

  • Page 84: Click Add.

    The Blocked Sites page appears. 2 Select either Host IP Address, Network IP Address, or Host Range from the drop list. The Blocked Sites page refreshes. 3 Enter either a single host IP address, a network IP address, or the sta...

  • Page 85

    Firewall options: The SOHO 6 firewall feature includes a few rule settings that are less specific than the service settings discussed previously and are used to provide further security for your private network. These options are found on the Firewall Options page. 1 Wi...

  • Page 86: Network.

    Ping requests received on the external network: You can configure the SOHO 6 to deny all ping packets that it receives on the external interface. 1 Select Do Not Respond to Ping Requests Received on External Network. 2 Click Su...

  • Page 87

    • SOHO 6 supports SOCKS version 5 only. • It is a limited version of SOCKS and does not support authentication. Note: Configure the particular application so that it does not attempt to make DNS look-ups with SOCKS. Some applications use only DNS through SOCKS and ther...

  • Page 88: Click Submit.

    • For the SOCKS proxy, enter the URL or IP address of the SOHO 6 trusted network. The default IP address is 192.168.111.1. Disabling SOCKS on the SOHO 6: Once you use a SOCKS-compliant application through the SOHO 6, the primar...

  • Page 89: Click Submit.

    Follow these steps: 1 Select Log All Allowed Outbound Access. 2 Click Submit. Enable override MAC address for the external network: A SOHO administrator is able to assign a second MAC address to the SOHO 6 external network making it easier to register with an ISP that r...

  • Page 90: Firewall => Pass Through.

    Create an unrestricted pass through: The SOHO 6 is able to allow traffic to be passed through to a dedicated machine with a public IP address separated from the rest of the trusted network. Follow these steps to configure a pas...

  • Page 91

    and trusted network computers are not protected from potential threats, do not use the pass through feature.

  • Page 93

    Chapter 7: Configure logging. What is logging? Logging is the act of recording “events” that occur at the SOHO 6 interfaces. An event is any single activity, such as communication with the WatchGuard WebBlocker database or incoming traffic passing through the SOHO 6. Logging is intended ...

  • Page 94

    View SOHO 6 log messages: The WatchGuard SOHO 6 generates an ongoing activity log stored on the SOHO 6: the event log. This log stores a maximum of 150 messages. When it reaches this limit, the oldest message is deleted. The log messages inc...

  • Page 95: Logging => Wsep Logging.

    To have your log messages synchronize with your computer: • Click Sync Time with Browser Now. The SOHO 6 synchronizes the time at startup. Set up logging to a WatchGuard Security Event Processor log host: The WSEP (WatchGu...

  • Page 96: Click Submit.

    The WatchGuard Security Event Processor page appears. 3 Select Enable WatchGuard Security Event Processor Logging. 4 Enter the IP address of the WSEP server that is your log host in the appropriate field. In our example, 192.168.111.5. 5 In...

  • Page 97: Logging => Syslog Logging.

    Set up logging to a syslog host: The SOHO 6 also sends log entries to a syslog host. Follow these steps to set up a syslog host: 1 With your web browser, go to the System Status page using the trusted IP address of the SOHO 6. For example, if using the def...

  • Page 98: Logging => System Time.

    To adjust your syslog messages to your browser's local time: • Select Include Local Time in Syslog Message. Note: Syslog traffic is not encrypted and use of this option creates a potential security risk when the information is sent over the ...

  • Page 99: Submit.

    The System Time page appears. If you have decided to use the WatchGuard time server: 3 Select Get Time from WatchGuard Time Server. Or, to use a TCP port 37 time server: 4 Select Get Time from TCP Port 37 Time Server at. 5 Enter the IP address of the time server in ...

  • Page 101

    Chapter 8: VPN—Virtual Private Networking. This chapter describes an optional feature of the WatchGuard SOHO 6, virtual private networking (VPN) with IPSec. Why create a virtual private network? Virtual private networking (VPN) tunnels enable you to securely connect computers in two loca...

  • Page 102

    What you need: • One WatchGuard SOHO 6 with VPN and an IPSec-compliant appliance. Note: While you can create a SOHO 6 to SOHO 6 VPN, you can also create a VPN with a WatchGuard Firebox II/III, Firebox Vclass, or other IPSec-co...

  • Page 103

    IP address table (example). Columns: Item; Description; Assigned by. External IP address: The IP address that identifies the SOHO 6 to the Internet. Assigned by: ISP. Site A: 207.168.55.2; Site B: 68.130.44.15. External subnet mask: The overlay of bits that determines which part of the IP address iden...

  • Page 104

    Enable the VPN upgrade: You must first redeem the VPN upgrade license key before configuring VPN. Activating the VPN upgrade requires: • An installed SOHO 6 • Internet connectivity • A VPN upgrade license key. Step-by-step instru...

  • Page 105

    Special considerations: Consider the following before configuring your WatchGuard SOHO 6 VPN network: • You can connect up to six SOHO 6 appliances together. To set up more VPN tunnels, you need at least one WatchGuard Firebox II/III configured with the WatchG...

  • Page 106

    this feature to discourage users from creating web servers. These providers usually offer a static IP address option. How do I troubleshoot the connection? If you are able to ping the remote SOHO 6 and computers behind it, your...

  • Page 107: VPN => Manual VPN.

    Set up multiple SOHO-SOHO VPN tunnels. With this release, a SOHO administrator has the ability to manually define up to six VPN tunnels to other SOHO 6 devices. VPN Manager’s ability to set up a larger number of SOHO 6 to SOHO 6 tunnels remains. To ...

  • Page 108

    The Add Gateway page appears. 4. Enter the name, IPSec gateway address, and shared key for the SOHO 6 to which you want to set up a VPN tunnel. The shared key is used by the local and remote SOHO to encrypt and decrypt the data going across ...

  • Page 109

    steps. Make sure that the Phase 1 settings on this device are the same as on the peer device. 6. Select the type of negotiation for Phase 1. The two mode types are Main and Aggressive. If your external IP address is dynamic, you must use Aggressive ...

  • Page 110: Forward Secrecy.

    13. In the Diffie-Hellman Group drop list, specify the group. WatchGuard supports groups 1 and 2. Diffie-Hellman refers to a mathematical technique for securely negotiating secret keys over a public medium. Diffie-Hellman groups are coll...

  • Page 111: VPN => Manual VPN.

    Configure split tunneling. Another new feature in this release is split tunneling, which allows the administrator to specify that all Internet traffic originating from the trusted interface of the SOHO 6 go through the VPN tunnel. Previously, only traffic headed sp...

  • Page 112: Statistics.

    terminating at the local SOHO 6. The SOHO 6 also allows users on the trusted network to access networks on branch office VPN tunnels terminating at the local SOHO 6. If you purchase the VPNforce port, you receive one MUVPN conn...

  • Page 113

    Chapter 9: SOHO 6 WebBlocker. WebBlocker is an optional feature of the SOHO 6 that provides web site filtering capabilities. It gives you precise control over the types of web sites users on your trusted network are allowed to view. How WebBlocker works: WebBlocker relies on a URL databas...

  • Page 114

    SOHO 6 queries the WatchGuard database and determines whether or not to block the site. The SOHO 6 considers the following conditions in determining whether or not to block the site: Web site not in the WebBlocker database: If the site is no...

  • Page 115: Groups

    Purchase and activate SOHO 6 WebBlocker. WebBlocker users and groups. Groups: A group is a collection of individuals or users of the system. Users: These are individual members of a particular group. Bypass the SOHO 6 WebBlocker: Occasionally, you may want to allow select individuals to byp...

  • Page 116: WebBlocker => Settings.

    Configure the SOHO 6 WebBlocker. Use the WatchGuard SOHO 6 configuration pages to activate WebBlocker, create a full access password for bypassing WebBlocker, define an inactivity timeout that sets the duration of the full access password, d...

  • Page 117: Select Enable Webblocking.

    3. Select Enable Webblocking. 4. Enter the full access password. The full access password allows a user to bypass otherwise blocked sites. 5. Enter the inactivity timeout in minutes. For example, setting the inactivity timeout at 15 minutes ensures that...

  • Page 118

    The WebBlocker Groups page appears. 3. Click New to create a group name and profile.

  • Page 119: Click Submit.

    4. Define a group name and select the blocked categories for this group. 5. Click Submit. A new groups page appears indicating the configuration changes were accepted and are providing access.

  • Page 120

    6. To the right of the Users field, click New. The New User page appears. 7. Enter a unique user name and passphrase (remember to confirm the passphrase). Use the Group drop list to assign the new user to a given group.

  • Page 121: Click Submit.

    8. Click Submit. Note: You can delete users or groups at any time by selecting them and clicking Delete. WebBlocker categories. WebBlocker relies on a URL database, which is a service of SurfControl. The WebBlocker database contains thousands of IP addresses and di...

  • Page 122: Militant/extremist

    (using someone’s phone lines without permission), and software piracy. Also includes text advocating gambling relating to lotteries, casinos, betting, numbers games, online sports, or financial betting, including non-monetary dares. Milita...

  • Page 123: Gross Depictions

    or handicap, gender, or sexual orientation. Any picture or text that elevates one group over another. Also includes intolerant jokes or slurs. Gross depictions: Pictures or text describing anyone or anything that is either crudely vulgar, grossly deficient in civi...

  • Page 124: Sexual Acts

    Sexual acts: Pictures or text exposing anyone or anything involved in explicit sexual acts and/or lewd and lascivious behavior. Topic includes masturbation, copulation, pedophilia, as well as intimacy involving nude or partially nude people...

  • Page 125

    Chapter 10: Support Resources. Troubleshooting tips. The following information is offered to help overcome any difficulties that might occur when installing and setting up your SOHO 6. General. What do the PWR, Status, and Mode lights signify on the SOHO 6? When the PWR light is lit, the ...

  • Page 126: Click Reboot.

    four numbered Ethernet ports (labeled 0-3) and reload the configuration. If the Mode light is blinking: The SOHO 6 requires a DHCP-assigned IP address for the external interface, but did not receive it. The WAN port is not connected to ...

  • Page 127

    Note: You can also reboot by removing the power source for ten seconds, and then restoring power. How do I reset my System Security password, if I forgot or lost it? If you forgot your password, you must reset the SOHO 6 to its factory default. For instructions, s...

  • Page 128

    a DSL router, set the NAT feature of the DSL router to bridge-only mode. How do I install and configure the SOHO 6 using a Macintosh (or other) operating system? Installation instructions for the Macintosh and other operating systems are ...

  • Page 129: Network => Trusted.

    How can I see the MAC address of my SOHO 6? A MAC (Media Access Control) address is a unique number used to identify the actual physical hardware of an Ethernet appliance. 1. With your web browser, go to the SOHO 6 configuration settings page using the trusted IP a...

  • Page 130: Network => Trusted.

    How do I change to a static, trusted IP address? Before you can use a static IP address, you must have a base trusted IP address and subnet mask. The following IP address ranges and subnet masks are set aside for private networks in compl...

  • Page 131: Firewall => Incoming.

    To disable WebBlocker, deselect Enable WebBlocker. How do I allow incoming services such as POP3, Telnet, and Web (HTTP)? 1. With your web browser, go to the System Status page using the trusted IP address of the SOHO 6. For example, if using the default IP address...

  • Page 132: Click Submit.

    5. Enter the protocol number to allow in the Protocol field. 6. Click Submit. 7. From the navigation bar on the left side, select Firewall => Incoming. The Firewall Incoming Traffic page appears. 8. Near the bottom of the page, under the cust...

  • Page 133

    How do I set up my SOHO 6 for VPN Manager access? This requires the add-on product, WatchGuard VPN Manager software, which is purchased separately and used with the WatchGuard Firebox System software. To purchase VPN Manager, use your web browser to go to: https:/...

  • Page 134

    Contact technical support. Online documentation and in-depth FAQs: WatchGuard maintains an extensive knowledge base consisting of product documentation in the form of printer friendly .pdf files, tutorials, in-depth FAQs, and more. This inf...

  • Page 135

    User guide 117 index numerics 100 indicator 7 a add route page 41 b blocked sites configuring 65 blocked sites page 66 browsers, supported 12 button, reset 8 c cables correct setup 110 included in package 2 required 12 configuration file, viewing 24, 60 custom incoming services, creating 63 custom s...

  • Page 136

    Index 118 watchguard firebox soho 6.1 h hardware description 6 http proxy settings, disabling 14 i incoming service, creating custom 63 indicators 100 7 link 7 mode 7 wan 7 installation cabling 19 cabling for multiple computers 20 determining tcp/ip settings 12 disabling tcp/ip proxy settings 14 ite...

  • Page 137

    User guide 119 blocked sites 66 custom service 64, 113 dynamic dns client 43 filter traffic 62 firewall incoming traffic 114 firewall options 67 groups 101 logging 76 network statistics 42 new user 102 routes 41, 46, 48 soho 6 administration 51 syslog logging 79 system security 52, 53 system status ...

  • Page 138

    Index 120 watchguard firebox soho 6.1 configuring for pppoe 34 configuring for static addressing 33 configuring vpn tunnel with 86 connecting to 23 default factory settings 25 described 2 firewall feature 67 front view 6 function of 3 hardware 6 installing 11–22 mac address of 111 muvpn clients opti...

  • Page 139

    User guide 121 vpnforce™ port 47 vpns and soho 6, soho 6 tc 2 and static ip addresses 87 between two soho 6s 115 configuring with soho 6 86–88 described 83 enabling tunnels 88 encryption for 87 license key for 59 requirements for 84, 114 special considerations for 87 troubleshooting connections 88 v...

  • Page 140

    Index 122 watchguard firebox soho 6.1.