- DL manuals
- Watchguard
- Network Router
- Firebox X10E
- User Manual
Watchguard Firebox X10E User Manual
Summary of Firebox X10E
Page 1
Watchguard ® firebox ® x edge e-series user guide firebox x edge e-series - firmware version 8.6 all firebox x edge e-series standard and wireless models.
Page 2: Notice to Users
Ii firebox x edge e-series notice to users information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechan...
Page 3
User guide iii (a) use, copy, modify, merge or transfer copies of the software product or printed materials except as provided in this agreement ; (b) use any backup or archival copy of the software product (or allow someone else to use such a copy) for any purpose other than to replace the original...
Page 4
Iv firebox x edge e-series agreement ad/ / (c) this agreement and the performance of the entity’s obligations under this agreement do not violate any third-party agreement to which the entity is a party. No change or modification of this agreement will be valid unless it is in writing and is signed ...
Page 5: Contents
User guide v contents 1 introduction to network security network security .....................................................................................................1 about networks .......................................................................................................1 cli...
Page 6
Vi firebox x edge e-series navigating the firebox x edge user interface .....................................................22 system status page ...............................................................................................23 network page .............................................
Page 7
User guide vii method 2: installing software manually ...................................................................47 activating upgrade options ..................................................................................48 upgrade options ...................................................
Page 8
Viii firebox x edge e-series setting the fragmentation threshold ........................................................................83 setting the rts threshold ......................................................................................83 configuring wireless security settings .........
Page 9
User guide ix configuring the pop3 proxy ...............................................................................116 setting access control options ..............................................................................117 setting proxy limits .............................................
Page 10
X firebox x edge e-series 11 logging and certificates viewing log messages .......................................................................................147 logging to a watchguard log server ................................................................148 logging to a syslog host .........
Page 11
User guide xi blocking additional web sites ............................................................................182 bypassing webblocker .......................................................................................183 14 spamblocker understanding how spamblocker works ................
Page 12
Xii firebox x edge e-series installing and configuring the ipsec muvpn client ................................................218 connecting and disconnecting the ipsec muvpn client ........................................220 monitoring the ipsec muvpn client connection ................................
Page 13: Network Security
User guide 1 1 introduction to network security thank you for your purchase of the watchguard® firebox® x edge e-series. This security device helps protect your computer network from threat and attack. This chapter gives you basic information about networks and network security. This information can...
Page 14: Connecting to The Internet
Connecting to the internet 2 firebox x edge e-series clients and servers clients and servers are components of a network. A server makes its resources available to the network. Some of these resources are documents, printers, and programs. A client uses the resources made available by the server. A ...
Page 15: Ip Addresses
User guide 3 ip addresses order. To make sure that the packets get to the destination, address information is added to the pack- ets. Data packet the tcp and ip protocols are used to send and receive these packets. Tcp disassembles the data and assembles it again. Ip adds information to the packets,...
Page 16: Domain Name Service (Dns)
Domain name service (dns) 4 firebox x edge e-series network addressing isps (internet service providers) assign an ip address to each device on their network. The ip address can be static or dynamic. Each isp has a small number of ip addresses. Static ip addresses are permanently assigned to a devic...
Page 17: Ports
User guide 5 ports • email uses simple mail transfer protocol (smtp) or post office protocol (pop3 v3) • file transfer uses file transfer protocol (ftp) • resolving a domain name to an internet address uses domain name service (dns) • remote terminal access uses telnet or ssh (secure shell) when you...
Page 18: Firewalls
Firewalls 6 firebox x edge e-series firewalls a firewall separates your trusted computers on the internal network from the external network, or the internet, to decrease risk of an external attack. The figure below shows how a firewall divides the trusted computers from the internet. Firewalls use a...
Page 19
User guide 7 the firebox x edge and your network go through the firewall. The firewall examines each mes s age and denies those that do not match the security criteria or policies. In some closed, or “default-deny” firewalls, all network connections are denied unless there is a specific rule to allo...
Page 20
The firebox x edge and your network 8 firebox x edge e-series.
Page 21: Installation
User guide 9 2 installation to install the watchguard® firebox® x edge e-series in your network, you must complete these steps: • register your firebox and activate the livesecurity® service. • identify and record the tcp/ip properties for your internet connection. • disable the http proxy propertie...
Page 22: Service
Registering your firebox & activating livesecurity service 10 firebox x edge e-series • livesecurity® service activation card • hardware warranty card • ac power adapter (12 v/1.2a) with international plug kit • power cable clip use this clip to attach the cable to the side of the edge. This decreas...
Page 23
User guide 11 identifying your network settings 2 if you are a new customer, you must create a user profile. If you are an existing customer, log in with your livesecurity service user name and password. 3 follow the online instructions to register your firebox x edge. You must have the serial numbe...
Page 24
Identifying your network settings 12 firebox x edge e-series • pppoe: an isp also can use pppoe (point-to-point protocol over ethernet) to assign you an ip address. Usually, a pppoe address is dynamic. You must have a user name and a password to use pppoe. The isp assigns a subnet mask (also known a...
Page 25
User guide 13 web browser http proxy settings 2 at the command prompt, type ipconfig /all and press enter. 3 record the values that you see for the primary network adaptor. Finding your tcp/ip properties on macintosh os 9 1 select the apple menu > control panels > tcp/ip. The tcp/ip window appears. ...
Page 26
Web browser pop-up blocking settings 14 firebox x edge e-series 4 click the lan settings button. The local area network (lan) settings window appears. 5 clear the check box labeled use a proxy server for your lan. 6 click ok two times. Disabling the http proxy in firefox 2.X 1 open the browser softw...
Page 27
User guide 15 connecting the firebox x edge 3 click the content icon. 4 make sure the block pop-up windows option is not selected. 5 click ok. Disabling the pop-up blocker in netscape 8.1 1 open the browser software. 2 select tools > options. The options window appears. 3 click the site controls ico...
Page 28
Connecting the firebox x edge 16 firebox x edge e-series 3 find the ethernet cable between the modem and your computer. Disconnect this cable from your computer and connect it to the edge external interface (labeled wan 1). 4 find the green ethernet cable supplied with your edge. Connect this cable ...
Page 29
User guide 17 setting your computer to connect to the edge 5 connect an ethernet cable between each computer and one of the ports on the ethernet hub, and make sure the link lights are lit on the devices when they are turned on. 6 if you connect to the internet through a dsl modem or cable modem, co...
Page 30
Setting your computer to connect to the edge 18 firebox x edge e-series 6 select the obtain an ip address automatically and the obtain dns server address automatically options. 7 click ok to close the internet protocol (tcp/ip) properties dialog box. 8 click ok to close the local area network connec...
Page 31: Using The Quick Setup Wizard
User guide 19 using the quick setup wizard using the quick setup wizard the quick setup wizard starts after you type https://192.168.111.1 into the url or address field of your internet browser. If your browser blocks pop-up windows, you must disable that function to com- plete the quick setup wizar...
Page 32
Using the quick setup wizard 20 firebox x edge e-series.
Page 33: Navigation
User guide 21 3 navigation after you connect the watchguard® firebox® x edge e-series to your network, you must configure the edge. You can create firewall rules to enforce the security requirements of your company. You can also use the edge configuration pages to create a user account, look at netw...
Page 34
Navigating the firebox x edge user interface 22 firebox x edge e-series this warning will appear each time you use https to connect to the firebox x edge unless you permanently accept the certificate. 4 enter your user name and password to authenticate. The system status page appears. If necessary, ...
Page 35
User guide 23 navigating the firebox x edge user interface you must enable javascript in your browser to use the navigation bar. Each menu item contains secondary menus that you use to configure the properties of that feature. To see these secondary menus, click the plus sign (+) to the left of the ...
Page 36
Navigating the firebox x edge user interface 24 firebox x edge e-series firebox users page the firebox users page shows statistics on active sessions and local user accounts. It also has buttons to close current sessions and to add, edit, and delete user accounts. This page also shows the muvpn clie...
Page 37
User guide 25 navigating the firebox x edge user interface administration page the administration page shows whether the firebox x edge uses http or https for its configuration pages, if the edge is configured as a managed firebox client, and which feature upgrades are enabled. It has buttons to cha...
Page 38
Navigating the firebox x edge user interface 26 firebox x edge e-series firewall page the firewall page shows incoming and outgoing policies and proxies, blocked web sites, and other firewall settings. This page also has buttons to change these settings. For more information, see chap- ter 7, “firew...
Page 39
User guide 27 navigating the firebox x edge user interface logging page the logging page shows the current event log, and the status of the log server and syslog logging. For more information, see chapter 11, “configuring logging.” webblocker page the webblocker page shows the webblocker settings, p...
Page 40
Navigating the firebox x edge user interface 28 firebox x edge e-series spamblocker page the spamblocker page shows the spamblocker settings and actions. It also has buttons to change the current settings. For more information, see the “spamblocker” chapter. Gav/ips page the gav/ips page shows the g...
Page 41
User guide 29 navigating the firebox x edge user interface vpn page the vpn page shows information on managed vpn gateways, manual vpn gateways, echo hosts, and buttons to change the configuration of vpn tunnels. You can add the firebox® x edge e-series to a watchguard system manager vpn network wit...
Page 42
Monitoring the firebox x edge 30 firebox x edge e-series monitoring the firebox x edge when you expand system status on the navigation bar, you see a list of monitoring categories. With these pages, you can monitor all the components of the edge and how they work. The firebox® x edge monitor pages a...
Page 43
User guide 31 monitoring the firebox x edge mask if a netmask is associated with the entry, it is listed here. If not, an asterisk (*) is shown. Device interface on the edge where the hardware address for that ip address was found. The linux kernel name for the interface is shown in parentheses. Aut...
Page 44
Monitoring the firebox x edge 32 firebox x edge e-series expires in (secs) number of seconds before the connection times out unless traffic is sent on the connection to restart the timer. Components list this status page shows the software that is installed on the edge. Each attribute is shown separ...
Page 45
User guide 33 monitoring the firebox x edge mounted on where the partition is mounted in the system. Dynamic dns this status page shows the state of the dynamic dns configuration. Last last time the dns was updated. Next next time the dns will be updated. Hostile sites this status page shows the amo...
Page 46
Monitoring the firebox x edge 34 firebox x edge e-series • maximum use - maximum number of users allowed by the license • reboot - shows if a reboot is necessary after a configuration change for that license • expiration - shows when the license expires • comment memory this status page shows the st...
Page 47
User guide 35 monitoring the firebox x edge gateway gateway that the network uses. Flg flags set for each route. Met metric set for this route in the routing table. Mask network mask for the route. Mtu tcp maximum transmission unit. Win tcp window size for connections on this route. Ref number of re...
Page 48
Monitoring the firebox x edge 36 firebox x edge e-series data sent number of bytes of data sent. Packets sent number of packets sent. Dropped number of packets dropped. Overlimits number of packets over the limit for each priority. Vpn statistics this status page shows vpn statistics such as: • sa (...
Page 49: Configuration and Management
User guide 37 4 configuration and management basics after your firebox® x edge e-series is installed on your network and operating with a basic configura- tion file, you can start to add custom configuration settings to meet the needs of your organization. This chapter describes some basic managemen...
Page 50: Restarting The Firebox
Restarting the firebox 38 firebox x edge e-series - all incoming policies are denied. - the outgoing policy allows all outgoing traffic. - ping requests received on the external network are denied. System security - the firebox x edge e-series administrator account is set to the default user name of...
Page 51: Setting The System Time
User guide 39 setting the system time local restart you can locally restart the firebox x edge e-series with one of two methods: use the web browser, or disconnect the power supply. Using the web browser 1 to connect to the system status page, type https:// in the browser address bar, and then the i...
Page 52
Setting the system time 40 firebox x edge e-series you can change the ntp server that the edge uses, or you can set the time manually. 1 to connect to the system status page, type https:// in the browser address bar, and the ip address of the firebox x edge trusted interface. The default url is: htt...
Page 53
User guide 41 enabling the edge for snmp polling to the right of the date, set the time. - type the hours in the first field. - type the minutes in the second field. - type the seconds in the third field. - select am or pm from the drop-down list. 7 click submit. Enabling the edge for snmp polling s...
Page 54
Selecting http or https for management 42 firebox x edge e-series 5 click the enable snmp v3 check box if your snmp server uses snmp v3. You must type the user name and password the snmp server uses when it contacts the edge. 6 if the snmp server that polls the edge is located on the edge trusted ne...
Page 55
User guide 43 setting up watchguard system manager access 2 from the navigation bar, select administration > system security. The system security page appears. 3 select the use non-secure http instead of secure https for administrative web site check box. You will see a warning to make sure you chan...
Page 56
Setting up watchguard system manager access 44 firebox x edge e-series renaming the firebox x edge e-series when you use watchguard system manager to manage many different edge devices, you can rename the firebox x edge e-series so that it shows a unique name in watchguard system manager. 1 to conne...
Page 57
User guide 45 setting up watchguard system manager access do not select the use centralized management check box if you are using watchguard system manager only to manage vpn tunnels. 6 type a status passphrase for your firebox x edge and then type it again to confirm. 7 type a configuration passphr...
Page 58
Allowing traffic from a management server 46 firebox x edge e-series 3 select the enable remote management check box. 4 from the management type drop-down list, select vpn manager. 5 if you use vpn manager 7.3, select the vpn manager 7.3 check box. 6 select the enable vpn manager access check box to...
Page 59
User guide 47 updating the firebox x edge software from the navigation bar, select wizards. Then select the wizard set up services to allow traffic for wsm management of other fireboxes. Updating the firebox x edge software one advantage of your livesecurity® service is continuous software updates. ...
Page 60: Activating Upgrade Options
Activating upgrade options 48 firebox x edge e-series 3 type the name and location of the file that contains the new firebox x edge software in the select file box, or click browse to find the file on the network. 4 click update and follow the instructions. The firebox makes sure the software packag...
Page 61
User guide 49 activating upgrade options wan failover the wan failover feature adds redundant support for the external interface. For more information, see “using the wan failover option” on page 72. Adding a feature to your firebox x edge when you purchase an upgrade for your firebox x edge®, you r...
Page 62
Enabling the model upgrade option 50 firebox x edge e-series 10 paste in the new feature key. You can right-click and select paste or you can use ctrl-v. 11 click submit. 12 restart the edge. Enabling the model upgrade option a model upgrade gives the firebox® x edge e-series the same functions as a...
Page 63
User guide 51 viewing the configuration file 2 from the navigation bar, select administration > view configuration. The configuration file is shown..
Page 64
Viewing the configuration file 52 firebox x edge e-series.
Page 65: Network Settings
User guide 53 5 network settings a primary component of the watchguard® firebox® x edge e-series setup is the configuration of net- work interface ip addresses. At a minimum, you must configure the external network and the trusted network so that traffic can flow through the edge. You do this when y...
Page 66
Configuring the external network 54 firebox x edge e-series configure the external interface of your firebox select the procedure your isp uses to set your ip address. For detailed information, see the subsequent section in this guide, “configuring the external network” on page 54. You can choose on...
Page 67
User guide 55 configuring the external network 3 from the configuration mode drop-down list, select dhcp client. 4 if your isp makes you identify your computer to give you an ip address, type this name in the optional dhcp identifier field. 5 click release if you want to give up the current dhcp-ass...
Page 68
Configuring the external network 56 firebox x edge e-series 3 type the ip address, subnet mask, default gateway, primary dns, secondary dns, and dns domain suffix into the related fields. Get this information from your isp or corporate network administrator. These dns settings are used when the edge...
Page 69
User guide 57 configuring the external network 4 in the inactivity time-out field, type the number of minutes before the firebox x edge disconnects the active ppp0e connections. We recommend a value of 20. If you set this value to 0, no timeout will occur. Advanced pppoe settings the quick setup wiz...
Page 70
Configuring the external network 58 firebox x edge e-series changing link speed select automatic from the link speed drop-down list to have the edge select the best network speed, or select a static link speed that you know is compatible with your equipment. We recommend that you set the link speed ...
Page 71
User guide 59 configuring the trusted network if the override mac address field is cleared and the firebox x edge is restarted, the firebox x edge uses the default mac address for the external network. To decrease problems with mac addresses, the firebox x edge makes sure that the mac address you as...
Page 72
Configuring the trusted network 60 firebox x edge e-series using dhcp on the trusted network the dhcp server option allows the firebox x edge e-series to give ip addresses to the computers on the trusted network. When the edge receives a dhcp request from a computer on the trusted network, it gives ...
Page 73
User guide 61 configuring the trusted network setting trusted network dhcp address reservations you can manually give the same ip address to a specified computer on your trusted network each time that computer makes a request for a dhcp ip address. The firebox x edge identifies the computer by its m...
Page 74
Configuring the trusted network 62 firebox x edge e-series to configure the firebox x edge as a dhcp relay agent for the trusted interface: 1 use your browser to connect to the system status page. From the navigation bar, select network > trusted. The trusted network configuration page appears. 2 se...
Page 75
User guide 63 configuring the trusted network ethernet hubs or switches with rj-45 connectors to connect more than three computers. It is not nec- essary for the computers on the trusted network to use the same operating system. To add more than three computers to the trusted network: 1 make sure th...
Page 76
Configuring the trusted network 64 firebox x edge e-series 3 select the restrict access by hardware mac address check box. 4 click scan to have the edge find all known hardware addresses on the network. If you want the edge to try to resolve host names for all windows computers it finds during the s...
Page 77
User guide 65 configuring the optional network 6 to manually add a hardware address and its host name to your configuration, click add. The add allowed address control dialog box appears. 7 select the log attempted access from mac addresses not in the list check box if you want the edge to generate ...
Page 78
Configuring the optional network 66 firebox x edge e-series 3 select the enable optional network check box. If necessary, you can change the optional network address. By default, the optional interface ip address is set to 192.168.112.1, so the trusted network and the optional networks are on two di...
Page 79
User guide 67 configuring the optional network 5 if you have a wins or dns server, type the wins server address, dns server primary address, dns server secondary address, and dns domain suffix in the related fields. If you do not enter a value, the firebox x edge uses the same values as those used f...
Page 80
Configuring the optional network 68 firebox x edge e-series to configure the firebox x edge as a dhcp relay agent for the optional interface: 1 use your browser to connect to the system status page. From the navigation bar, select network > optional. The optional network configuration page appears. ...
Page 81: Making Static Routes
User guide 69 making static routes to configure the edge to allow wireless connections through the optional interface, see the “firebox x edge e-series wireless setup” chapter. Restricting access to the edge optional interface by mac address you can control access to the firebox® x edge e-series opt...
Page 82
Registering with the dynamic dns service 70 firebox x edge e-series the network ip 192.168.1.0 subnet mask 255.255.255.0 is represented on the edge as 192.168.1.0/24. Making a static route 1 to connect to the system status page, type https:// in the browser address bar, followed by the ip address of...
Page 83
User guide 71 registering with the dynamic dns service the firebox x edge gets the ip address of members.Dyndns.Org when it starts up. It makes sure the ip address is correct every time it restarts and at an interval of every twenty days. If you make any changes to your dyndns configuration on the e...
Page 85
User guide 73 using the wan failover option wan failover and dns when you use wan failover, it is a good idea to enter two dns server addresses when you configure dhcp settings for the trusted and optional networks. Some isps allow queries to their dns servers only if the query comes from that isp n...
Page 86
Using the wan failover option 74 firebox x edge e-series 2 select the enable failover using the ethernet (wan2) interface check box. 3 type the ip addresses of the hosts to ping for the wan1 (external) and wan2 (failover) interfaces. The firebox x edge will send pings to the ip addresses you type he...
Page 87
User guide 75 using the wan failover option configuring wan failover with a static connection 1 if you use a static connection to the internet, select manual configuration from the configuration mode drop-down list. 2 type the ip address, subnet mask, default gateway, primary dns, secondary dns, and...
Page 88
Using the wan failover option 76 firebox x edge e-series 3 enter a failover timeout in minutes. We recommend twenty minutes. 4 click submit. It is not necessary to enter advanced pppoe settings. For information on advanced pppoe settings, see “advanced pppoe settings” on page 57.” configuring advanc...
Page 89
User guide 77 using the wan failover option 2 select the enable failover using the ethernet (wan2)/modem (serial port) interface check box. 3 from the drop-down list, select modem (serial port). 4 the edge sends regular pings to an ip address you specify to check for interface connectivity. Type the...
Page 90
Using the wan failover option 78 firebox x edge e-series 5 select the enable modem and ppp debug trace only if you have problems with your connection. When this option is selected, the edge sends detailed logs for the serial modem failover feature to the event log file. 6 click submit, or select a d...
Page 91: Configuring Bids
User guide 79 configuring bids 5 click submit, or select a different tab to change more settings. Configuring bids telstra customers in australia must use client software to connect to the bigpond network. The firebox® x edge e-series uses bids to make this connection. If you do not connect to the b...
Page 92
Configuring bids 80 firebox x edge e-series.
Page 93: Setup
User guide 81 6 firebox x edge e-series wireless setup the firebox® x edge e-series wireless can be configured as a wireless access point with three different security zones. You can enable wireless devices to connect to the edge wireless as part of the trusted network or part of the optional networ...
Page 94
Understanding wireless configuration settings 82 firebox x edge e-series • it is a good idea to install the edge wireless away from other antennas or transmitters to decrease interference. • the default wireless authentication algorithm configured for each wireless security zone is not the most secu...
Page 95
User guide 83 configuring wireless security settings controlling ssid broadcasts computers with wireless network cards send requests to see whether there are wireless access points to which they can connect. To configure an edge wireless interface to send and answer these requests, select the broadc...
Page 96
Configuring wireless security settings 84 firebox x edge e-series setting the wireless authentication method five authentication methods are available in the firebox x edge e-series wireless. We recommend that you use wpa2 if possible because it is the most secure. The five available methods, from l...
Page 97
User guide 85 allowing wireless connections to the trusted interface allowing wireless connections to the trusted interface if you enable wireless connections to the trusted interface, we recommend that you enable and use the edge feature that allows you to restrict access to the trusted interface b...
Page 98
Allowing wireless connections to the optional interface 86 firebox x edge e-series allowing wireless connections to the optional interface 1 to connect to the system status page, type https:// in the browser address bar, and the ip address of the firebox x edge trusted interface. The default url is:...
Page 99
User guide 87 enabling a wireless guest network select an encryption option with pre-shared keys, a random pre-shared key is generated for you. You can use this key, or type your own. 10 click submit to save your configuration to the firebox x edge e-series wireless. Enabling a wireless guest networ...
Page 100
Configuring wireless radio settings 88 firebox x edge e-series 6 to configure the edge to send dhcp requests to a dhcp server external to the edge, select the enable dhcp relay check box. For more information about this feature, see the “network settings” chapter. 7 if you use webblocker and want to...
Page 101
User guide 89 configuring the wireless card on your computer setting the wireless mode of operation most wireless cards can operate only in 802.11b (up to 11 mb/second) or 802.11g (54 mb/second) mode. To set the operating mode for the firebox x edge e-series wireless, select an option from the wirel...
Page 102
Configuring the wireless card on your computer 90 firebox x edge e-series.
Page 103: Firewall Policies
User guide 91 7 firewall policies the firebox® x edge e-series uses policies and other firewall options to control the traffic between the trusted, optional, and external networks. Usually the external network is the internet. When your pri- vate network is connected to the internet, you must be abl...
Page 104
Understanding policies 92 firebox x edge e-series incoming and outgoing traffic traffic that comes from the external network is incoming traffic. Traffic that goes to the external net- work is outgoing traffic. By default, the firebox x edge e-series denies incoming traffic to protect your trusted a...
Page 105
User guide 93 enabling common packet filter policies enabling common packet filter policies you can control the traffic between the trusted, optional, and external networks using packet filter pol- icies. The firebox® x edge supplies a list of frequently used policies, called common policies, that y...
Page 106
Editing common packet filter policies 94 firebox x edge e-series 3 find the common policy you want to allow or deny. From the filter drop-down list adjacent to the policy name, select allow, deny,or no rule. If you select no rule, that policy is disabled and the edge uses the default behavior, which...
Page 107
User guide 95 editing common packet filter policies 2 from the navigation bar, select firewall > incoming or firewall > outgoing. You can edit both incoming and outgoing traffic from either page. The filter traffic page appears. 3 find the common packet filter policy you want to edit and click edit....
Page 108
Configuring custom packet filter policies 96 firebox x edge e-series 7 click submit. Outgoing settings 1 from the edit policies page, select the outgoing tab. 2 from the outgoing filter drop-down list, select the rule you want to apply. This rule affects only outgoing traffic. 3 to specify which com...
Page 109
User guide 97 configuring custom packet filter policies • you must create an additional packet filter for a policy. • you must change the port or protocol for a policy. You can add a custom packet filter policy using one or more of these: • tcp ports • udp ports • an ip protocol that is not tcp or u...
Page 110
Configuring custom packet filter policies 98 firebox x edge e-series 5 in the policy name text box, type the name for your policy. 6 from the protocol settings drop-down list, select tcp port, udp port, or protocol. 7 in the text box adjacent to the port/protocol drop-down list, type a port number o...
Page 111
User guide 99 configuring custom packet filter policies 5 in the address text boxes, type the host or network ip address, or type the range of ip addresses that identify the computers on the external network that can send traffic to the service host. Type network ip addresses in “slash” notation. Fo...
Page 112
Configuring policies for the optional network 100 firebox x edge e-series 11 click submit. Configuring policies for the optional network by default, the firebox® x edge e-series allows all traffic that starts in the trusted network and tries to go to the optional network, and denies all traffic that...
Page 113
User guide 101 configuring policies for the optional network 3 to allow all traffic from the trusted network, find the outgoing policy and select allow from the filter drop-down list. 4 to deny all traffic from the trusted network, find the outgoing policy and select deny from the filter drop-down l...
Page 114
Configuring policies for the optional network 102 firebox x edge e-series.
Page 115: Proxy Settings
User guide 103 8 proxy settings a proxy monitors and scans connections. It examines the commands used in the connection to make sure they are in the correct syntax and order. A proxy also looks at the content that is sent back and forth during the connection. If the content does not match the criter...
Page 116
Proxy policies 104 firebox x edge e-series files, images, and other content. When the http client starts a request, it establishes a transmission control protocol (tcp) connection on port 80. An http server listens for requests on port 80. When it receives the request from the client, the server rep...
Page 117: Using The Http Proxy
User guide 105 using the http proxy using the http proxy to enable the http proxy: 1 to connect to the system status page, type https:// in the browser address bar, and the ip address of the firebox x edge trusted interface. The default url is: https://192.168.111.1 2 from the navigation bar, select...
Page 118
Configuring the http proxy 106 firebox x edge e-series setting access control options on the outgoing tab, you can set rules that filter ip addresses, network addresses, or host ranges. This is the same functionality you have in packet filter policies. See chapter 7, “firewall policies” for more inf...
Page 119
User guide 107 configuring the http proxy http requests when a user clicks on a hyperlink or types a url into the web browser, it sends an http request to a remote server to get the content. In most browsers, the status bar shows, "contacting site..." or a similar message. If the remote server does ...
Page 120
Configuring the http proxy 108 firebox x edge e-series http responses when the remote http server accepts the connection request from the http client, most browser sta- tus bars show, "site contacted. Waiting for reply..." then the http server sends the appropriate response to the http client. This ...
Page 121
User guide 109 configuring the http proxy access to the watchguard web site, http:// www.Watchguard.Com, type www.Watchguard.Com . If you want to allow all subdomains that contain “watchguard.Com” you can use the asterisk (*) as a wild card. For example, to allow “watchguard.Com” “www.Watchguard.Com...
Page 122
Configuring the http proxy 110 firebox x edge e-series content types when a web server sends http traffic, it usually adds a mime type, or content type, to the packet header that shows what kind of content is in the packet. The format of a mime type is type/subtype. For example, if you wanted to all...
Page 123: Using The Ftp Proxy
User guide 111 using the ftp proxy using the ftp proxy to enable the ftp proxy: 1 to connect to the system status page, type https:// in the browser address bar, and the ip address of the firebox x edge trusted interface. The default url is: https://192.168.111.1 2 from the navigation bar, select fi...
Page 124
Configuring the ftp proxy 112 firebox x edge e-series setting access control options on the outgoing tab, you can set rules that filter ip addresses, network addresses, or host ranges. This is the same functionality you have in packet filter policies. See chapter 7, “firewall policies” for more info...
Page 125
User guide 113 configuring the ftp proxy set the maximum username length to sets a maximum length for user names on ftp sites. Set the maximum password length to sets a maximum length for passwords used to log in to ftp sites. Set the filename length to sets the maximum file name length for files to...
Page 126: Using The Pop3 Proxy
Using the pop3 proxy 114 firebox x edge e-series 2 in the downloads text box, select the deny these file types check box if you want to limit the types of files that a user can download. This check box is selected by default and restricts the types of files that users can download through the ftp pr...
Page 127: Configuring The Pop3 Proxy
User guide 115 configuring the pop3 proxy 2 from the navigation bar, select firewall > outgoing. The filter outgoing traffic page appears. 3 below common proxy policies, select allow from the drop-down list adjacent pop3 proxy. 4 click submit. Configuring the pop3 proxy to configure the pop3 proxy f...
Page 128
Configuring the pop3 proxy 116 firebox x edge e-series setting access control options on the outgoing tab, you can set rules that filter ip addresses, network addresses, or host ranges. This is the same functionality you have in packet filter policies. See chapter 7, “firewall policies” for more inf...
Page 129
User guide 117 configuring the pop3 proxy set the timeout to this setting limits the number of seconds that the email client tries to open a connection to the email server before the connection is closed. This prevents the proxy from using too many network resources when the email server is slow or ...
Page 130
Configuring the pop3 proxy 118 firebox x edge e-series filtering email content certain kinds of content embedded in email can be a security threat to your network. Other kinds of content can decrease the productivity of your users. On the pop3 content tab, you limit content types, and block specifie...
Page 131: Using The Smtp Proxy
User guide 119 using the smtp proxy card. For example, if you want to block all mp3 files, type *.Mp3. If you read about a vulnerability in a livesecurity service alert that affects powerpoint files and you want to deny them until you install the patch, type *.Ppt. 1 to add file name patterns to the...
Page 132
Configuring the smtp proxy 120 firebox x edge e-series setting access control options on the incoming tab, you can set rules that filter ip addresses, network addresses, or host ranges. This is the same functionality you have in packet filter policies. See chapter 7, “firewall policies” for more inf...
Page 133
User guide 121 configuring the smtp proxy as large as 1mb (1000kb) you must set this field to a minimum of 1.4mb (1400kb) to make sure all email messages and their attachments get through. Maximum line length set the maximum line length for lines in an smtp message. Very long line lengths can cause ...
Page 134
Configuring the smtp proxy 122 firebox x edge e-series filtering email by address pattern the options on the smtp addressing tab allow you to put limits on who can send email to your email server, and who can receive the email. Block email from unsafe senders select this check box if you want to put...
Page 135
User guide 123 configuring the smtp proxy types, and block specified path patterns and urls. You can use the asterisk (*) as a wild card. Allow only safe content types the headers for email messages include a content type header to show the mime type of the email and of any attachments. The content ...
Page 136: Adding A Custom Proxy Policy
Adding a custom proxy policy 124 firebox x edge e-series adding a custom proxy policy if you want one http, pop3, or ftp proxy policy for all users protected by your firebox x edge, use the common proxy policy selections. If you want different rules for different parts of your network, you must crea...
Page 137
User guide 125 using additional services for proxies adding a custom smtp proxy policy if you have a second smtp email server, you must have an additional external ip address to give to the edge. You can then enable 1-to-1 nat and make a custom incoming proxy policy for smtp. Using additional servic...
Page 138
Using additional services for proxies 126 firebox x edge e-series.
Page 139: Intrusion Prevention
User guide 127 9 intrusion prevention the firebox x edge e-series includes a set of default threat protection features designed to keep out network traffic from systems you know or think are a security risk. This set of features includes: permanently blocked site the blocked sites list is a list of ...
Page 140: Blocking Sites Temporarily
Blocking sites temporarily 128 firebox x edge e-series 2 from the navigation bar, click firewall > intrusion prevention. Click on the blocked sites tab. 3 use thedrop-down list to select whether you want to enter a host ip address, a network address, or a range of ip addresses. Type the value in the...
Page 141: Blocking Ports
User guide 129 blocking ports 3 select the auto-block hosts that send traffic that is denied by the default policy check box to add the ip addresses of any site denied by the edge’s default firewall policy to the temporary blocked sites list. To understand your edge’s default firewall policy, look a...
Page 142
Blocking ports 130 firebox x edge e-series x font server (port 7100) many versions of x-windows operate x font servers. The x font servers operate as the super- user on some hosts. Nfs (port 2049) nfs (network file system) is a frequently used tcp/ip service where many users use the same files on a ...
Page 143
User guide 131 preventing denial-of-service attacks 3 in the ports text box, type the name of the port you want to block. Click add. 4 if you want the edge to automatically block any external computer that tries to get access to a blocked port, select the auto-block sites that attempt to use blocked...
Page 144
Preventing denial-of-service attacks 132 firebox x edge e-series on the firewall > intrusion prevention page, select the dos defense tab and set the packet/second threshold for these types of dos flood attacks: ipsec flood attack a dos attack where the attacker overwhelms a computer system with a la...
Page 145: Configuring Firewall Options
User guide 133 configuring firewall options configuring firewall options you can use the firewall options page to configure rules that increase your network security. 1 to connect to the system status page, type https:// in the browser address bar, and the ip address of the firebox® x edge trusted i...
Page 146
Configuring firewall options 134 firebox x edge e-series do not respond to ping requests you can configure the firebox x edge e-series to deny ping requests received on the trusted, external, or optional network. This option overrides all other edge settings. Do not allow ftp access to the edge you ...
Page 147: Traffic Management
User guide 135 10 traffic management the firebox® x edge e-series supplies many different ways to manage the traffic on your network. You can limit the rate of traffic sent to the external or ipsec interface using qos (quality of service) through traffic control. You can manage data transmission by ...
Page 148: Traffic Categories
Traffic categories 136 firebox x edge e-series traffic categories the firebox® x edge e-series allows you to limit data sent through policies and traffic control filters. A policy can allow or deny all data of a specified type. Traffic control does not allow or deny data, but cre- ates “filters” tha...
Page 149
User guide 137 traffic marking pose.The edge and other marking-capable external devices use these bits to control how a packet is handled as it is sent over a network. The use of marking procedures on a network requires that you do extensive planning. You can first identify theoretical bandwidth ava...
Page 150: Configuring Traffic Control
Configuring traffic control 138 firebox x edge e-series * scavenger class is intended for the lowest priority traffic such as media sharing or gaming applica- tions. This traffic has a lower priority than best-effort. Configuring traffic control the firebox® x edge e-series has many different traffi...
Page 151
User guide 139 configuring traffic control enabling traffic control for information on configuring vpn traffic control, see “vpn traffic control” on page 205. 1 to connect to the system status page, type https:// in the browser address bar, and the ip address of the firebox x edge trusted interface....
Page 152
Configuring traffic control 140 firebox x edge e-series 7 if you want to use traffic control marking, select ip precedence or dscp from the marking type drop-down list. You can then select the mark you want applied for each traffic category with the mark drop-down list at the top of each traffic cat...
Page 153
User guide 141 configuring traffic control 2 in the name text box, type a name for the traffic control filter. This name is used on the traffic control page to identify the filter. 3 in the from text box, type the ip address or subnet of the traffic source or local network associated with this filte...
Page 154: Working With Firewall Nat
Working with firewall nat 142 firebox x edge e-series changing the priority of a traffic control filter 1 select an entry from any category. To select multiple entries, hold down the control or shift key. 2 to make the traffic more important, click the up button adjacent to the category list. To mak...
Page 155
User guide 143 working with firewall nat static nat static nat is usually known as “port forwarding.” when you use static nat, you use the primary exter- nal ip address of your firebox x edge e-series instead of the ip address of a public server. You could do this because you want to, or because you...
Page 156
Working with firewall nat 144 firebox x edge e-series 2 from the navigation bar, select firewall > nat. The nat (network address translation) page appears. 3 click add. The mapping page appears. 4 in the public address text box, type a secondary external ip address. The address must be on the extern...
Page 157
User guide 145 working with firewall nat 4 to add a custom packet filter policy, click add packet filter policy. To add a custom smtp proxy policy, click add incoming proxy policy. To add a custom http, pop3, or ftp proxy policy, click add outgoing proxy policy. 5 use the instructions in chapter 7, ...
Page 158
Working with firewall nat 146 firebox x edge e-series.
Page 159: Logging and Certificates
User guide 147 11 logging and certificates a log file is a list of all the events that occur on the firebox® x edge e-series, along with information about those events. The first part of this chapter describes how to view log messages and configure a log server. You can set up a connection to a watc...
Page 160
Logging to a watchguard log server 148 firebox x edge e-series logging to a watchguard log server the watchguard® log server (previously known as the watchguard system event processor, or wsep) is a component of watchguard system manager. If you have a firebox® iii, firebox x core, or firebox x peak...
Page 161: Logging to A Syslog Host
User guide 149 logging to a syslog host server installation must be wsm v8.3 or greater. If you select this option, the edge generates log messages in native xml, which includes more detail for each log message. This allows the wsm administrator to create historical reports that include these detail...
Page 162: About Certificates
About certificates 150 firebox x edge e-series this setting is useful if you have more than one firebox x edge that sends syslog messages to the same syslog host. 7 click submit. Because syslog traffic is not encrypted, syslog messages that are sent through the internet decrease the security of the ...
Page 163
User guide 151 using microsoft ca to create a certificate 4 when you are prompted for the x509 common name attribute information, type your fully- qualified domain name (fqdn). Use other information as appropriate. 5 follow the instructions from your certificate authority to send the csr. To create ...
Page 164
Using certificates on the firebox x edge 152 firebox x edge e-series downloading the certificate 1 open your web browser. In the location or address bar, type the ip address of the server where the certification authority is installed, followed by certsrv. Example: http://10.0.2.80/certsrv 2 click t...
Page 165
User guide 153 using certificates on the firebox x edge examining a certificate you can examine a certificate you have already imported to see its properties, including its expiration date, issuing authority, or other information. 1 from the system status page on the firebox x edge, select administr...
Page 166
Using certificates on the firebox x edge 154 firebox x edge e-series.
Page 167: User and Group Management
User guide 155 12 user and group management the firebox® x edge e-series includes tools you can use to manage your network and your users. You can create user accounts and manage access to the internet or to your vpn tunnels with user authenti- cation. Or, you can allow free access to the internet a...
Page 168: About User Authentication
About user authentication 156 firebox x edge e-series when a user license is used user licensing works differently depending on whether firebox user authentication is required to access the external network: when user authentication is not required to access the external network a user license is us...
Page 169
User guide 157 about user authentication 3 use the definitions below to help you change your parameters. Click submit. Require user authentication (enable local user accounts) when you select this check box, all hosts must authenticate to the firebox x edge to send or receive network traffic. If you...
Page 170
Using local firebox authentication 158 firebox x edge e-series using local firebox authentication when you create a local user for the firebox® x edge e-series, you select the administrative access level for that user. You select access control for the external network and the branch office vpn tunn...
Page 171
User guide 159 using local firebox authentication 6 in the description field, type a description for the user. This is for your information only. A user does not use this description during authentication. 7 in the password field, type a password with a minimum of eight characters. Mix eight letters...
Page 172
Using local firebox authentication 160 firebox x edge e-series the user must enter his or her user name and password to authenticate. If you are using local authentication, you must type your name as it appears in the firebox user list. If you use active directory or another ldap server for authenti...
Page 173
User guide 161 using local firebox authentication make sure you keep the administrator name and password in a safe location. You must have this infor- mation to see the configuration pages. If the system administrator name and password are not known, you must reset the firebox x edge to the factory ...
Page 174
Using ldap/active directory authentication 162 firebox x edge e-series 2 from the navigation bar, select firebox users. The firebox users page appears. 3 below local user accounts, click edit for the account to change the password for. The edit user page appears with the settings tab visible. 4 clic...
Page 175
User guide 163 using ldap/active directory authentication 3 select the enable ldap authentication check box. If user authentication is not enabled in the top section of this configuration page, the ldap authentication service section is not active. 4 in the domain name text box, type the name of the...
Page 176
Using ldap/active directory authentication 164 firebox x edge e-series directory. The group attribute name is the name of the group membership attribute of user entries in the ldap directory. 11 click submit. Using the ldap authentication test feature after the firebox x edge e-series is configured ...
Page 177
User guide 165 using ldap/active directory authentication 3 in the account name text box, type the name of the new group. This name must match the name of a group in the ldap directory. This name must contain only letters, numbers, and the underscore (_)or dash (-) characters. Spaces are not permitt...
Page 178
Seeing current sessions and users 166 firebox x edge e-series ldap authentication and muvpn because ipsec muvpn settings cannot be assigned at the group level, you must create a local firebox user account for the user and add muvpn settings for the user on the muvpn tab. See the mobile user vpn chap...
Page 179
User guide 167 seeing current sessions and users 2 from the navigation bar, select firebox users. The firebox users page appears. 3 in the active sessions list, click the close button adjacent to the session you want to stop. To stop all sessions, click the close all button. If user authentication i...
Page 180
Allowing internal devices to bypass user authentication 168 firebox x edge e-series allowing internal devices to bypass user authentication you can make a list of internal devices that bypass user authentication settings. If a device is on this list, a user at that device does not have to authentica...
Page 181: Webblocker
User guide 169 13 webblocker webblocker is an option for the firebox® x edge e-series that gives you control of the web sites that are available to your users. Some companies restrict access to some web sites to increase employee pro- ductivity. Other companies restrict access to offensive web sites...
Page 182
Configuring global webblocker settings 170 firebox x edge e-series to configure webblocker: 1 to connect to the system status page, type https:// in the browser address bar, and the ip address of the firebox x edge trusted interface. The default url is: https://192.168.111.1 2 from the navigation ba...
Page 183: Creating Webblocker Profiles
User guide 171 creating webblocker profiles webblocker shows the http proxy deny message in the user browser when it blocks a site. You can customize this message when you configure the http proxy policy. For more information, see “configuring the http proxy” on page 105. Creating webblocker profile...
Page 184
Creating webblocker profiles 172 firebox x edge e-series 4 in the profile name field, type a familiar name. Use this name to identify the profile during configuration. For example, give the name “90day” to a group of employees that have worked at your company for less than 90 days. 5 in blocked cate...
Page 185: Webblocker Categories
User guide 173 webblocker categories webblocker categories the webblocker database contains nine groups of categories with 40 individual categories. A web site is added to a category when the contents of the web site meet the correct criteria. Web sites that give opinions or educational material abo...
Page 186
Webblocker categories 174 firebox x edge e-series computing and internet • reviews, information, computer buyer’s guides, computer parts and accessories, and software • computer/software/internet companies, industry news, and magazines • pay-to-surf sites • downloadable (non-streaming) movie, video,...
Page 187
User guide 175 webblocker categories finance & investment • stock quotes, stock tickers, and fund rates • online stock or equity trading • online banking and bill-pay services • investing advice or contacts for trading securities • money management/investment services or firms • general finances and...
Page 188
Webblocker categories 176 firebox x edge e-series hacking • promotion, instruction, or advice on the questionable or illegal use of equipment and/or software for purpose of hacking passwords, creating viruses, or gaining access to other computers and/or computerized communication systems • sites tha...
Page 189
User guide 177 webblocker categories health & medicine • general health such as fitness and well-being • alternative and complementary therapies, including yoga, chiropractic, and cranio-sacral • medical information and reference about ailments, conditions, and drugs • medical procedures, including ...
Page 190
Webblocker categories 178 firebox x edge e-series personals & dating • singles listings, matchmaking and dating services • advice for dating or relationships; romance tips and suggestions photo searches • sites that provide resources for photo and image searches • online photo albums/digital photo e...
Page 191
User guide 179 webblocker categories streaming media streaming media files or events (any live or archived audio or video file) internet tv and radio personal (non-explicit) webcam sites telephony sites that allow users to make calls by way of the internet voip services travel airlines and flight bo...
Page 192
Webblocker categories 180 firebox x edge e-series determining a category to see whether webblocker is blocking a web site as part of a category block, go to the filter testing and submissions form on the surfcontrol web site. 1 open a web browser and go to: http://mtas.Surfcontrol.Com/mtas/watchguar...
Page 193
User guide 181 allowing certain sites to bypass webblocker 2 select whether you want to add a site, delete a site, or change the category. 3 enter the site url. 4 if you want to request that the category assigned to a site is changed, select the new category from the drop-down menu. 5 click submit. ...
Page 194
Blocking additional web sites 182 firebox x edge e-series 3 type the host ip address or domain name of the web site to allow. 4 repeat step 3 for each additional host or domain name that you want to add to the allowed sites list. The domain (or host) name is the part of a url that ends with .Com, .N...
Page 195: Bypassing Webblocker
User guide 183 bypassing webblocker 2 from the drop-down list, select host ip address or domain name/url 3 type the host ip address or domain name of the denied web site. 4 repeat step 3 for each additional host, ip address, or domain name you want to add to the denied sites list. The domain (or hos...
Page 196
Bypassing webblocker 184 firebox x edge e-series 2 in the host ip address text box, type the ip address of the computer on your trusted or optional network to allow users to browse the internet without authentication restrictions. 3 click add. 4 repeat step 2 for other trusted computers. 5 click sub...
Page 197: Spamblocker
User guide 185 14 spamblocker unwanted email, also known as spam, fills the average inbox at an astonishing rate. A large volume of spam decreases bandwidth, degrades employee productivity, and wastes network resources. Watch- guard® spamblocker™ uses industry-leading pattern detection technology fr...
Page 198: Configuring Spamblocker
Configuring spamblocker 186 firebox x edge e-series spamblocker categories spamblocker puts spam email into three categories: spam, bulk and suspect. Spamblocker assigns email messages to these categories using the spam score returned from a scoring request sent to the commtouch detection center. • ...
Page 199
User guide 187 configuring spamblocker settings enabling spamblocker 1 to connect to the system status page, type https:// in the browser address bar, and the ip address of the firebox x edge trusted interface. The default url is: https://192.168.111.1 2 from the navigation bar, select spamblocker >...
Page 200
Configuring spamblocker settings 188 firebox x edge e-series 3 from the suspect drop-down list, select allow or add a subject tag. The default action is allow. The default tag is ***suspect*** . You can change this tag to some text you prefer. 4 use the when the spamblocker server is unavailable, ac...
Page 201
User guide 189 configuring rules for your email reader 6 you can highlight an exception and click remove to remove the exception. 7 you can change the precedence of the exception list. Select an exception, and then click up or down to adjust the precedence of that exception. 8 click submit. Adding t...
Page 202
Configuring rules for your email reader 190 firebox x edge e-series before you start, make sure that you set the action for spam and bulk email to add a subject tag. You can use the default tags, or create custom tags. The steps below describe how to create folders with the default tags. 1 from your...
Page 203: Prevention Service
User guide 191 15 gateway antivirus and intrusion prevention service there are many methods to attack computers on the internet. The two primary categories of attack are viruses and intrusions. Viruses, including worms and trojans, are malicious computer programs that self-replicate and put copies o...
Page 204: Configuring Gateway Av/ips
Understanding intrusion prevention service settings 192 firebox x edge e-series • if you enable gateway antivirus with the ftp proxy, it finds viruses in files that users try to download from the external network. If a virus is found, the file is blocked. You can view the name of a virus or infected...
Page 205
User guide 193 configuring gateway av/ips gateway antivirus settings 1 select the enable gateway antivirus for http check box to scan http content, which your users try to download, for viruses. 2 select the enable gateway antivirus for ftp check box to scan file transfer traffic for viruses. 3 sele...
Page 206: Updating Gateway Av/ips
Updating gateway av/ips 194 firebox x edge e-series gav does not scan archive file formats such as .Zip or packed executables. Intrusion prevention service settings 1 select the enable intrusion prevention for http check box to monitor and scan web traffic between your users and web servers for poss...
Page 207
User guide 195 updating gateway av/ips to update your gateway av/ips signatures manually: 1 select gav/ips > update from the navigation bar the gav/ips update page appears. 2 decide if you want automatic updates or manual updates. If you want manual updates, clear the enable automatic updates check ...
Page 208
Updating gateway av/ips 196 firebox x edge e-series.
Page 209: Networks
User guide 197 16 branch office virtual private networks a vpn (virtual private network) creates a secure connection between computers or networks in differ- ent locations. This connection is known as a tunnel. The networks and hosts on a vpn tunnel can be corporate headquarters, branch offices, rem...
Page 210: About Vpn Failover
About vpn failover 198 firebox x edge e-series • you must have two firebox x edge devices or one firebox x edge and a second device that uses ipsec standards. Examples of these devices are a firebox iii, firebox x core, firebox x peak, or a firebox soho 6. You must enable the vpn option on the other...
Page 211: Managed Vpns
User guide 199 managed vpns managed vpns you can configure a vpn tunnel on the firebox® x edge e-series with two procedures: managed vpn and manual vpn. For information on creating a manual vpn tunnel, see “manual vpn: setting up man- ual vpn tunnels” on page 199. The watchguard® management server (...
Page 212
Manual vpn: setting up manual vpn tunnels 200 firebox x edge e-series sample vpn address information table item description assigned by external ip address the ip address that identifies the ipsec- compatible device on the internet. Isp example: site a: 207.168.55.2 site b: 68.130.44.15 local networ...
Page 213
User guide 201 manual vpn: setting up manual vpn tunnels to create manual vpn tunnels on your edge 1 to connect to the system status page, type https:// in the browser address bar, and the ip address of the firebox x edge trusted interface. The default url is: https://192.168.111.1 2 from the naviga...
Page 214
Manual vpn: setting up manual vpn tunnels 202 firebox x edge e-series to change phase 1 configuration: 1 select the negotiation mode from the mode drop-down list. You can use main mode only when the two devices have static ip addresses. If one or both of the devices have external ip addresses that a...
Page 215
User guide 203 manual vpn: setting up manual vpn tunnels 5 type the number of kilobytes and the number of hours until the ike negotiation expires. To make the negotiation never expire, enter zero (0). For example, 24 hours and zero (0) kilobytes means that the phase 1 key is negotiated every 24 hour...
Page 216
Manual vpn: setting up manual vpn tunnels 204 firebox x edge e-series id. The remote device must identify your firebox x edge by domain name, and it must use the same public ip address as the domain name in its phase 1 setup. Phase 2 settings phase 2 negotiates the data management security associati...
Page 217: Vpn Traffic Control
User guide 205 vpn traffic control see this faq: http://www.Watchguard.Com/support/advancedfaqs/general_slash.Asp 7 click add. 8 repeat step 5 if you must add additional networks. 9 click submit. Vpn traffic control the firebox® x edge e-series includes a separate traffic control feature for ipsec b...
Page 218: Viewing Vpn Statistics
Viewing vpn statistics 206 firebox x edge e-series 2 from the navigation bar, select vpn > keep alive. The vpn keep alive page appears. 3 type the ip address of an echo host. Click add. 4 repeat step 3 to add additional echo hosts. 5 click submit. Viewing vpn statistics you can monitor firebox® x ed...
Page 219
User guide 207 frequently asked questions how do i troubleshoot the connection? If you can send a ping to the trusted interface of the remote firebox® x edge and the computers on the remote network, the vpn tunnel is up. The configuration of the network software or the software appli- cations are po...
Page 220
Frequently asked questions 208 firebox x edge e-series.
Page 221: Mobile User Virtual Private
User guide 209 17 mobile user virtual private networks mobile user vpn (muvpn) lets remote users connect to your internal network through a secure, encrypted channel. The firebox x edge supports two types of mobile user vpn: ipsec mobile user vpn the ipsec muvpn client is an optional software applic...
Page 222
Configuring ipsec mobile user vpn 210 firebox x edge e-series the same. Information about the features of the zonealarm personal firewall is also contained in this chapter. Using ipsec muvpn you must complete some procedures to make sure that ipsec muvpn operates correctly. • first, you must enable ...
Page 223
User guide 211 configuring ipsec mobile user vpn 1 you can choose to make the .Wgx file read-only so that the user cannot change the security policy file. To do this, select the make the muvpn client security policy read-only check box. 2 set how the virtual adapter operates on the client (disabled,...
Page 224
Configuring ipsec mobile user vpn 212 firebox x edge e-series names to ip addresses. The trusted interface of the edge must have access to these servers. Type a dns server and wins server ip address in the text boxes near the bottom of the mobile user page. Enabling muvpn access for a firebox user a...
Page 225
User guide 213 configuring ipsec mobile user vpn distributing the software and the .Wgx file you must give the remote user the muvpn software installer and the end-user profile, or .Wgx file. Get the muvpn installation files from the watchguard web site you must log in to the livesecurity® service a...
Page 226
Configuring ipsec mobile user vpn 214 firebox x edge e-series give these two files to the remote user give the muvpn software and the .Wgx file to the remote user. You also must give the user the shared key you used when you enabled the firebox user account to use ipsec muvpn. The user uses this sha...
Page 227
User guide 215 configuring ipsec mobile user vpn if the muvpn client does not use the virtual adapter, the remote computer must have your network’s private wins and dns server ip addresses listed in the advanced tcp/ip properties of the primary inter- net connection. Windows 2000 setup use this sect...
Page 228
Configuring ipsec mobile user vpn 216 firebox x edge e-series 3 select the client for microsoft networks network client and click ok. Configuring wins and dns settings on windows 2000 the remote computer must be able to connect to the wins and dns servers. These servers are on the trusted network pr...
Page 229
User guide 217 configuring ipsec mobile user vpn installing the internet protocol (tcp/ip) network component on windows xp from the connection window networking tab: 1 click install. The select network component type window appears. 2 double-click the protocol network component. The select network p...
Page 230
Configuring ipsec mobile user vpn 218 firebox x edge e-series 8 select the append these dns suffixes (in order) radio button. 9 below the radio button, click add . The tcp/ip domain suffix window appears. 10 enter the domain suffix for your network’s private domain and click add. 11 if you want to a...
Page 231
User guide 219 configuring ipsec mobile user vpn 13 the installshield wizard looks for a user profile. Use the browse button to find and select the folder containing the .Wgx file. Click next. You can click next at this step if you do not have the .Wgx file at this time. You can import the .Wgx file...
Page 232
Configuring ipsec mobile user vpn 220 firebox x edge e-series connecting and disconnecting the ipsec muvpn client the ipsec muvpn client software makes a secure connection from a remote computer to your pro- tected network on the internet. To start this connection, you must connect to the internet a...
Page 233
User guide 221 configuring ipsec mobile user vpn activated, connected, and transmitting both secured and unsecured data the ipsec muvpn client started one or more secure muvpn tunnels. The green and red bars on the right of the icon tell you that the client is sending either secure or not secure dat...
Page 234
Configuring ipsec mobile user vpn 222 firebox x edge e-series using connection monitor connection monitor shows statistical and diagnostic information for connections in the security policy. This window shows the security policy settings and the security association (sa) information. The mon- itor r...
Page 235
User guide 223 configuring ipsec mobile user vpn for more information about the features and configuration of zonealarm, use the zonealarm help sys- tem. To get access to the help system, select start > programs > zone labs > zonealarm help. Allowing traffic through zonealarm when a software applica...
Page 236
Configuring ipsec mobile user vpn 224 firebox x edge e-series 5 click finish. The remove shared component window can appear. During the initial installation of zonealarm, some files were installed that can be shared by other programs on the system. Click yes to all to completely remove all of these ...
Page 237
User guide 225 configuring ipsec mobile user vpn 3 right-click the zonealarm icon shown at right. 4 select shutdown zonealarm. The zonealarm dialog box appears. 5 click yes. I am asked for my network login information even when i am not connected to the network. When you start your computer, you mus...
Page 238
Configuring pptp mobile user vpn 226 firebox x edge e-series i am sometimes prompted for a password when i am browsing the company network. Because of a windows networking limitation, remote user vpn products can allow access only to a sin- gle network domain. If your company has more than one netwo...
Page 239
User guide 227 configuring pptp mobile user vpn 3 to enable pptp, select the activate remote user vpn with pptp check box. 4 select the enable drop from 128-bit to 40-bit check box to allow the tunnels to drop from 128- bit to 40-bit encryption for connections that are less reliable. The firebox x e...
Page 240
Configuring pptp mobile user vpn 228 firebox x edge e-series enabling pptp access for firewall users when you enable pptp on your edge, you must make sure to enable pptp access for each remote user who uses pptp to connect to the edge. 1 to connect to the system status page, type https:// in the bro...
Page 241
User guide 229 configuring pptp mobile user vpn 4 click virtual private network connection. Click next. 5 give the new connection a name, such as “connect with ruvpn.” click next. 6 select to not dial (for a broadband connection), or to automatically dial (for a modem connection) this connection. Cl...
Page 242
Configuring pptp mobile user vpn 230 firebox x edge e-series 15 type the user name and password for the connection and click connect. 16 the first time you connect you must select a network location. Select public location. Creating and connecting a pptp vpn from a windows 2000 client to prepare a w...
Page 243: Appendix A
User guide 231 appendix a firebox x edge e-series hardware the watchguard® firebox® x edge e-series is a firewall for small organizations and branch offices. The firebox x edge e-series product line includes: • firebox x edge e-series • firebox x edge e-series wireless package contents the firebox® ...
Page 244: Specifications
Specifications 232 firebox x edge e-series specifications the specifications for the firebox® x edge e-series and the firebox x edge e-series wireless are: processor x scale (arm) cpu 266 mhz memory: flash 64 mb memory: ram 128 mb ethernet interfaces 6 each 10/100 serial ports 1 db9 power supply 12v...
Page 245: Hardware Description
User guide 233 hardware description hardware description the firebox® x edge e-series has a simple hardware architecture. All indicator lights are on the front panel of the device, and all ports and connectors are on the rear panel. Front panel the front panel of the firebox x edge e-series has 18 i...
Page 246
Hardware description 234 firebox x edge e-series status the status indicator shows a management connection to the firebox x edge e-series. The light goes on when you use your browser to connect to the firebox x edge e-series configuration pages. The light goes off a short time after you close your b...
Page 247
User guide 235 about the firebox x edge e-series wireless. Ac power adapter the ac power adapter supplies power for the firebox x edge e-series. You must use the correct plug for the ac power adapter for the power source used in your country. The international plug kit includes four plugs: q-na (nor...
Page 248
About the firebox x edge e-series wireless. 236 firebox x edge e-series radiation pattern similar to a sphere that is squashed in the center. If the antenna points up, the gain is largest in the horizontal direction and less in the vertical direction. Signal attenuation signal attenuation refers to ...
Page 249: Appendix B
User guide 237 appendix b legal notifications copyright, trademark, and patent information general information copyright© 1998 - 2007 watchguard technologies, inc. All rights reserved. Watchguard, the watchguard logo, firebox, livesecurity, and any other mark listed as a trademark in the “terms of u...
Page 250
Copyright, trademark, and patent information 238 firebox x edge e-series version 2, june 1991 copyright © 1989, 1991 free software foundation, inc. 51 franklin street, fifth floor boston, ma 02110-1301, usa everyone is permitted to copy and distribute verbatim copies of this license document, but ch...
Page 251
User guide 239 copyright, trademark, and patent information program is covered only if its contents constitute a work based on the program (independent of having been made by running the program). Whether that is true depends on what the program does. 2 you may copy and distribute verbatim copies of...
Page 252
Copyright, trademark, and patent information 240 firebox x edge e-series received the program in object code or executable form with such an offer, in accord with subsection b above.) the source code for a work means the preferred form of the work for making modifications to it. For an executable wo...
Page 253
User guide 241 copyright, trademark, and patent information 8 if the distribution and/or use of the program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the program under this license may add an explicit geographical dist...
Page 254
Copyright, trademark, and patent information 242 firebox x edge e-series everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [this is the first released version of the library gpl. It is numbered 2 because it goes with version 2 of t...
Page 255
User guide 243 copyright, trademark, and patent information because of this blurred distinction, using the ordinary general public license for libraries did not effec- tively promote software sharing, because most developers did not use the libraries. We concluded that weaker conditions might promot...
Page 256
Copyright, trademark, and patent information 244 firebox x edge e-series - you must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. - you must cause the whole of the work to be licensed at no charge to all third parties under the ter...
Page 257
User guide 245 copyright, trademark, and patent information however, linking a "work that uses the library" with the library creates an executable that is a derivative of the library (because it contains portions of the library), rather than a "work that uses the library". The executable is therefor...
Page 258
Copyright, trademark, and patent information 246 firebox x edge e-series library, provided that the separate distribution of the work based on the library and of the other library facilities is otherwise permitted, and provided that you do these two things: - accompany the combined library with a co...
Page 259
User guide 247 copyright, trademark, and patent information 14 the free software foundation may publish revised and/or new versions of the library general public license from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new pro...
Page 260
Copyright, trademark, and patent information 248 firebox x edge e-series preamble the licenses for most software are designed to take away your freedom to share and change it. By con- trast, the gnu general public licenses are intended to guarantee your freedom to share and change free software--to ...
Page 261
User guide 249 copyright, trademark, and patent information allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the lesser gene...
Page 262
Copyright, trademark, and patent information 250 firebox x edge e-series - you must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. - you must cause the whole of the work to be licensed at no charge to all third parties under the ter...
Page 263
User guide 251 copyright, trademark, and patent information however, linking a "work that uses the library" with the library creates an executable that is a derivative of the library (because it contains portions of the library), rather than a "work that uses the library". The executable is therefor...
Page 264
Copyright, trademark, and patent information 252 firebox x edge e-series it may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the library to...
Page 265
User guide 253 copyright, trademark, and patent information 13 if the distribution and/or use of the library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the library under this license may add an explicit geographical dis...
Page 266
Copyright, trademark, and patent information 254 firebox x edge e-series 3. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 4. The name of the author may not be used to endorse or promote products derived from this software witho...
Page 267
User guide 255 copyright, trademark, and patent information spam, anti-virus and anti-phishing) are provisioned on the commtouch® detecommtouch.S oem partners using a single license key code. Most host applications come with their own license key and it is common for ctengine partners to their produ...
Page 268
Copyright, trademark, and patent information 256 firebox x edge e-series 3. Redistributions in any form must be accompanied by information on how to obtain complete source code for the db software and any accompanying software that uses the db software. The source code must either be included in the...
Page 269
User guide 257 copyright, trademark, and patent information 3. Neither the name of the internet software consortium nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. This software is provided by the inte...
Page 270
Copyright, trademark, and patent information 258 firebox x edge e-series the dns resolver code, taken from bind 4.9.5, is copyrighted both by uc berkeley and by digital equipment corporation. The dec portions are under the following license: portions copyright © 1993 by digital equipment corporation...
Page 271
User guide 259 copyright, trademark, and patent information the file if_ppp.H is under the following cmu license: redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must reta...
Page 272
Copyright, trademark, and patent information 260 firebox x edge e-series this software is provided by its authors and contributors “as is” and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaim...
Page 273
User guide 261 copyright, trademark, and patent information redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions...
Page 274
Copyright, trademark, and patent information 262 firebox x edge e-series - redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimers in the documentation and/or other materials provided with the distribution. - neither the names o...
Page 275
User guide 263 copyright, trademark, and patent information intel hereby grants recipient and licensees a non-exclusive, worldwide, royalty-free patent license under licensed patents to make, use, sell, offer to sell, import and otherwise transfer the software, if any, in source code and object code...
Page 276
Copyright, trademark, and patent information 264 firebox x edge e-series jffs2 is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the gnu general public license for more details. A...
Page 277
User guide 265 copyright, trademark, and patent information no warranty this software is provided by the copyright holders and contributors ''as is'' and any express or implied warranties, including, but not limited to, the implied warranties of noninfringement, merchantibility and fitness for a par...
Page 278
Copyright, trademark, and patent information 266 firebox x edge e-series ncftp the clarified artistic license preamble the intent of this document is to state the conditions under which a package may be copied, such that the copyright holder maintains some semblance of artistic control over the deve...
Page 279
User guide 267 copyright, trademark, and patent information are the equivalent of input as in paragraph 6, provided these subroutines do not change the language in any way that would cause it to fail the regression tests for the language. 8. Aggregation of the standard version of the package with a ...
Page 280
Copyright, trademark, and patent information 268 firebox x edge e-series disclaimed. In no event shall the copyright holder be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss o...
Page 281
User guide 269 copyright, trademark, and patent information this software is provided by the copyright holders and contributors “as is” and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed....
Page 282
Copyright, trademark, and patent information 270 firebox x edge e-series copyright 1999-2003 the openldap foundation, redwood city, california, usa. All rights reserved. Permission to copy and distribute verbatim copies of this document is granted. Openntpd this is a summary of the licences for the ...
Page 283
User guide 271 copyright, trademark, and patent information redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions...
Page 284
Copyright, trademark, and patent information 272 firebox x edge e-series copyright remains eric young's, and as such any copyright notices in the code are not to be removed. If this package is used in a product, eric young should be given attribution as the author of the parts of the library used. T...
Page 285
User guide 273 copyright, trademark, and patent information cambridge, england. Phone: +44 1223 334714. Copyright © 1997-2005 university of cambridge. All rights reserved. The c++ wrapper functions contributed by: google inc. Copyright © 2005, google inc. All rights reserved. The "bsd" licence redis...
Page 286
Copyright, trademark, and patent information 274 firebox x edge e-series see the respective source files to find out which copyrights apply. Copyright © 2002 roaring penguin software inc. Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted,...
Page 287
User guide 275 copyright, trademark, and patent information copyright © 1995 eric rosenquist. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must ret...
Page 288
Copyright, trademark, and patent information 276 firebox x edge e-series 4. Neither the name of the university nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. This software is provided by the regents a...
Page 289
User guide 277 copyright, trademark, and patent information 3. The names of the authors of this software must not be used to endorse or promote products derived from this software without prior written permission. 4. Redistributions of any form whatsoever must retain the following acknowledgment: "t...
Page 290
Copyright, trademark, and patent information 278 firebox x edge e-series 1.5. "executable" means covered code in any form other than source code. 1.6. "initial developer" means the individual or entity identified as the initial developer in the source code notice required by exhibit a. 1.7. "larger ...
Page 291
User guide 279 copyright, trademark, and patent information version remains available even if the electronic distribution mechanism is maintained by a third party. You are responsible for notifying the initial developer of the modification and the location of the source if a contact means is provide...
Page 292
Copyright, trademark, and patent information 280 firebox x edge e-series 5. Application of this license this license applies to code to which the initial developer has attached the notice in exhibit a, and to related covered code. Red hat may include covered code in products without such additional ...
Page 293
User guide 281 copyright, trademark, and patent information the covered code is a "commercial item," as that term is defined in 48 c.F.R. 2.101 (oct. 1995), consisting of "commercial computer software" and "commercial computer software documentation," as such terms are used in 48 c.F.R. 12.212 (sept...
Page 294
Copyright, trademark, and patent information 282 firebox x edge e-series of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this sof...
Page 295
User guide 283 copyright, trademark, and patent information copyright © 1988,1990,1992 dan nydick, carnegie-mellon university. Anyone may use this code for non-commercial purposes as long as my name and copyright remain attached. Viewlib copyright 2003, 2004 ian searle. All rights reserved. Redistri...
Page 296: Certifications and Notices
Certifications and notices 284 firebox x edge e-series certifications and notices weee statement: weee is a general set of requirements dictated in the eu directive 2002/96/ec. This directive mandated that member eu countries enact regulations governing the waste of electrical and electronic equip- ...
Page 297
User guide 285 certifications and notices fcc part 68 statement (dsl version) this equipment complies with part 68 of the fcc rules. A label is attached to the equipment that con- tains, among other information, its fcc registration number and ringer equivalence number. If requested, this informatio...
Page 298
Certifications and notices 286 firebox x edge e-series industry canada this class a digital apparatus meets all requirements of the canadian interference-causing equipment regulations. Cet appareil numerique de la classe a respecte toutes les exigences du reglement sur le materiel broulleur du canad...
Page 299
User guide 287 certifications and notices class a korean notice vcci notice class a ite taiwanese class a notice taiwanese wireless notice.
Page 300: Declaration of Conformity
Declaration of conformity 288 firebox x edge e-series declaration of conformity limited hardware warranty this limited hardware warranty (the "warranty") applies to the enclosed firebox hardware product, not including any associated software which is licensed pursuant to a separate end-user license ...
Page 301
User guide 289 limited hardware warranty this warranty does not apply to any product that has been: (i) altered, repaired or modified by any party other than watchguard except for the replacement or inclusion of specified components authorized in and performed in strict accordance with documentation...
Page 302
Limited hardware warranty 290 firebox x edge e-series.
Page 303: Index
User guide 291 index symbols .Wgx files described 210 distributing 213 viewing available 24 numerics 1-to-1 nat. See nat, 1-to-1 a abbreviations used in guide iv active directory authentication 162 – 165 add gateway page 201 add route page 70 add traffic control dialog box 140 administration page 25...
Page 304
292 firebox x edge e-series dhcp address reservations setting on the optional network 67 setting on the trusted network 61 dhcp address reservations page 61 , 67 dhcp leases used by edge, viewing 32 dhcp relay configuring the optional network 67 configuring the trusted network 61 dhcp server configu...
Page 305
User guide 293 enabling 111 filtering content 114 setting limits 113 g gateway antivirus and ftp proxy 192 and http proxy 191 configuring 192 described 126 , 191 settings for 191 updating 194 with pop3 proxy 191 with smtp proxy 191 gateway, default 4 gav/ips page 28 gav/ips update page 195 h hardwar...
Page 306
294 firebox x edge e-series management server, allowing traffic from 46 manual vpn page 201 manual vpns. See vpns, manual mibs, using 42 model upgrades 50 monitoring the edge 30 – 36 muvpn client allowing through personal firewall 221 configuring 210 – 222 connecting 220 described 209 disconnecting ...
Page 307
User guide 295 configuring 116 described 104 enabling 115 filtering email content 119 setting access control options 117 setting proxy limits 117 pop-up blockers 14 ports blocking 129 described 5 numbered 234 numbering 5 trusted network 234 wan 234 power adapter 235 power cable clip 10 , 231 power i...
Page 308
296 firebox x edge e-series making 69 removing 70 submit a site page 180 subnet mask 12 surfcontrol 169 syslog host, logging to 149 syslog logging page 149 syslog, described 149 system configuration pages. See configuration pages system status page described 21 information on 23 navigation bar 22 re...
Page 309
User guide 297 w wall mounting plate 234 wan failover and dns 73 configuring 73 configuring advanced settings for 76 described 49 , 72 wan failover page 73 wan ports 234 watchguard firebox system (wfs), enabling remote management with 45 , 46 watchguard logging page 148 watchguard security event pro...
Page 310
298 firebox x edge e-series.