WatchGuard Certified Training

Fireware XTM Basics
Courseware: Fireware XTM WatchGuard System Manager v11.5
Revised: April 23, 2012
Updated for: Fireware XTM v11.5.3 with Virtual Lab Environment
Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in
examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express
written permission of WatchGuard Technologies, Inc.
Copyright and Patent Information
Copyright 2012 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or
trademarks of WatchGuard Technologies, Inc. in the United States and other countries. This product is
covered by one or more pending patent applications.
All other trademarks and tradenames are the property of their respective owners.
Printed in the United States.
TRAINING: www.watchguard.com/training, training@watchguard.com
SUPPORT: www.watchguard.com/support, support@watchguard.com
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456

ii WatchGuard Fireware XTM Basics
Table of Contents
Course Introduction ............................................................................................................. 1
Training Options ........................................................................................................... 1
Necessary Equipment and Software .......................................................................... 1
Training Scenario ......................................................................................................... 2
Prerequisites ................................................................................................................ 2
Certification ................................................................................................................. 3
Fireware XTM Web UI and Command Line Interface ................................................ 3
Additional Resources .................................................................................................. 3
Getting Started ..................................................................................................................... 5
What You Will Learn .................................................................................................... 5
Start with WatchGuard System Manager .................................................................. 5
WSM Components ..................................................................................................................... 5
Register and Subscribe to the LiveSecurity Service ................................................................ 6
Exercise 1: Create a Configuration File with the Quick Setup Wizard ........................ 7
Exercise 2: Open WSM and Connect to Devices and Servers .................................... 8
Connect to an XTM Device ........................................................................................................ 8
Connect to a Management Server ........................................................................................... 9
Exercise 3: Open Policy Manager ............................................................................... 11
Exercise 4: Set Up WatchGuard Server Center .......................................................... 13
Test Your Knowledge ................................................................................................. 14
Administration .................................................................................................................... 17
What You Will Learn .................................................................................................. 17
Manage Configuration Files and Device Properties ................................................ 17
Exercise 1: Open and Save Configuration Files ......................................................... 18
Exercise 2: Configure a Device for Remote Administration ...................................... 19
Exercise 3: Change the XTM Device Passphrases ..................................................... 20
Exercise 4: Create and Restore a Device Backup Image .......................................... 21
Create an XTM Device Backup Image .................................................................................... 21
Restore an XTM Device Backup Image .................................................................................. 21
Exercise 5: Add XTM Device Identification Information ............................................ 22
Test Your Knowledge ................................................................................................. 23
Network Settings ................................................................................................................ 25
What You Will Learn .................................................................................................. 25
Properties and Features of XTM Device Interfaces ................................................. 25
Requirements for XTM Device Interfaces .............................................................................. 26
About DHCP Server and DHCP Relay ..................................................................................... 26
About WINS/DNS ..................................................................................................................... 27
About Network Modes ............................................................................................................. 27
About Dynamic DNS ................................................................................................................ 27
About Secondary Networks .................................................................................................... 28
About Network Bridges ........................................................................................................... 28
About Static Routes ................................................................................................................ 28
About VLANs ............................................................................................................................ 28
About Multi-WAN ..................................................................................................................... 29
About FireCluster ..................................................................................................................... 29
About IPv6 ............................................................................................................................... 30
Exercise 1: Use a Dynamic IP Address for an External Interface ............................. 31
Configure the External Interface for DHCP ........................................................................... 31
Configure the External Interface to Use PPPoE .................................................................... 32
Use Dynamic DNS ................................................................................................................... 33
Exercise 2: Configure an External Interface with a Static IP Address ...................... 35
Exercise 3: Configure a Trusted Interface as a DHCP Server ................................... 36
Exercise 4: Configure an Optional Interface .............................................................. 37
Exercise 5: Configure WINS/DNS Server Information .............................................. 38
Exercise 6: Configure a Secondary Network ............................................................. 39
Frequently Asked Questions ..................................................................................... 40
Test Your Knowledge ................................................................................................. 41
Logging and Reporting ....................................................................................................... 43
What You Will Learn .................................................................................................. 43
Logging and Reporting Setup Process Overview ..................................................... 43
Maintain a Record of Device Activity ........................................................................ 44
Logging and Notification Architecture ................................................................................... 44
See Log Messages .................................................................................................................. 45
Log Server ................................................................................................................................ 45
Log Messages ......................................................................................................................... 46
Log Files ................................................................................................................................... 46
Build Reports from Log Messages ........................................................................... 47
WatchGuard Reports .............................................................................................................. 48
View Reports with Log and Report Manager ........................................................................ 50
Exercise 1: Configure Where the Device Sends Log Messages ............................... 51
Exercise 2: Set Up the Log Server .............................................................................. 53
Set Up the Log Server ............................................................................................................. 53
Exercise 3: Control Database and Notification Properties ....................................... 54
Configure Database and Notification Settings ..................................................................... 54
Send Log Notifications to a Network Administrator .............................................................. 55
Change the Encryption Key .................................................................................................... 56
Exercise 4: Use Log and Report Manager to View Log Messages ........................... 57
Connect to Log and Report Manager to View Log Messages .............................................. 57
Run a Search ........................................................................................................................... 58
Export Log Messages .............................................................................................................. 60
Exercise 5: Configure a Report Server ....................................................................... 61
Add a Log Server ..................................................................................................................... 61
Select Reports and Timing ..................................................................................................... 62
Exercise 6: Use Log and Report Manager to View and Generate Reports .............. 65
Connect to Log and Report Manager to View Reports ......................................................... 65
View Reports ............................................................................................................................ 66
Exercise 7: Share Reports ............................................................................................ 67
Test Your Knowledge ................................................................................................. 68
Monitor Your Firewall ......................................................................................................... 71
What You Will Learn .................................................................................................. 71
Regular Monitoring Improves Security ..................................................................... 71
Exercise 1: Review Network Status in WSM .............................................................. 73
Interpret the Device Status Display ........................................................................................ 74
Exercise 2: Use Firebox System Manager .................................................................. 75
Connect to an XTM Device and Change the Display ............................................................. 75
Use Traffic Monitor .................................................................................................................. 77
Check Bandwidth Usage and Service Volume ....................................................................... 78
Exercise 3: Create a Performance Console Graph .................................................... 80
Exercise 4: Use HostWatch to View Network Activity ................................................ 82
Exercise 5: Use the Blocked Sites List ........................................................................ 83
Exercise 6: Examine and Update Feature Keys ......................................................... 84
View Feature Keys for Your XTM Device ................................................................................. 84
Add a Feature Key to the XTM Device .................................................................................... 85
Test Your Knowledge ................................................................................................. 86
NAT ...................................................................................................................................... 87
What You Will Learn .................................................................................................. 87
NAT Overview ............................................................................................................. 87
Dynamic NAT ............................................................................................................................ 87
1-to-1 NAT ................................................................................................................................. 88
Policy-based NAT ...................................................................................................................... 90
Static NAT ................................................................................................................................. 90
NAT Loopback .......................................................................................................................... 91
About SNAT Actions ................................................................................................................. 91
Exercise 1: Add Firewall Dynamic NAT Entries ........................................................... 92
Exercise 2: Configure Static NAT to Allow Access to Public Servers ......................... 94
Exercise 3: Configure NAT Loopback to an Internal Web Server .............................. 96
Other Reasons to Use NAT ...................................................................................................... 97
Test Your Knowledge ................................................................................................. 98
Policies ................................................................................................................................ 99
What You Will Learn .................................................................................................. 99
Policies are Rules for Your Network Traffic .............................................................. 99
Add Policies ........................................................................................................................... 100
Configure Logging and Notification for a Policy ................................................................. 100
Advanced Policy Properties .................................................................................................. 100
Policy Precedence .................................................................................................................. 101
Exercise 1: Add a Packet Filter Policy and Configure Access Rules ...................... 101
Add a Predefined Policy ........................................................................................................ 101
Modify Policies to Restrict Traffic ........................................................................................ 103
Use a Policy to Allow Traffic ................................................................................................. 104
Exercise 2: Create a Custom Packet Filter Template ............................................. 105
Add and Configure the Custom Policy ................................................................................. 106
Exercise 3: Configure Logging and Notification for a Policy ................................... 108
Exercise 4: Change Policy Precedence .................................................................... 109
Override the Default Order of Policy Precedence ............................................................... 109
Exercise 5: Use Advanced Policy Properties ........................................................... 110
Test Your Knowledge .............................................................................................. 112
Proxy Policies .................................................................................................................... 113
What You Will Learn ................................................................................................ 113
Proxy Policies and ALGs .......................................................................................... 113
About the DNS Proxy ............................................................................................... 113
About the FTP Proxy ................................................................................................ 114
About H.323 and SIP ALGs ..................................................................................... 116
About the TCP-UDP Proxy ........................................................................................ 116
Exercise 1: Use the DNS-Outgoing Proxy Action ...................................................... 117
Add a DNS Outgoing Proxy Policy ......................................................................................... 117
Block a DNS Request by Query Name ................................................................................. 118
Exercise 2: Configure an FTP-Server Proxy Action ................................................... 119
Deny the Delete Command .................................................................................................. 119
Restrict FTP File Uploads to Text Only .................................................................................. 122
Exercise 3: Set Access Controls on H.323 Connections ........................................ 123
Test Your Knowledge ............................................................................................... 125
Email Proxies .................................................................................................................... 127
What You Will Learn ................................................................................................ 127
Control the Flow of Email In and Out of Your Network .......................................... 127
SMTP Rulesets ...................................................................................................................... 127
POP3 Rulesets ....................................................................................................................... 128
Exercise 1: Use the SMTP-Proxy to Protect Your Mail Server ................................. 129
Add an Incoming SMTP-Proxy Policy .................................................................................... 129
Decrease Maximum Message Size ...................................................................................... 130
Allow and Deny Content Types and Filenames ................................................................... 131
Control Mail Domain Use for Incoming Traffic .................................................................... 132
Exercise 2: Control Outgoing SMTP Connections .................................................... 134
Add an Outgoing SMTP-Proxy Policy .................................................................................... 134
Control Email Message Size ................................................................................................. 135
Control Mail Domain Use for Outbound SMTP .................................................................... 136
Restrict Email by Attachment Filename .............................................................................. 137
Exercise 3: Use a POP3-Client Policy ....................................................................... 139
Add a POP3 Client Policy ...................................................................................................... 139
Configure the POP3 Policy to Lock Attachments ................................................................ 141
Test Your Knowledge ............................................................................................... 142
Authentication .................................................................................................................. 145
What You Will Learn ................................................................................................ 145
Monitor and Control Network Traffic by User ........................................................ 145
How Firebox User Authentication Works ............................................................................. 146
Authentication Methods Available with Fireware XTM ....................................................... 146
Use the Firebox Authentication Server ................................................................................ 147
About Third-party Authentication Servers ........................................................................... 147
About Authentication Timeout Values ................................................................................. 148
Exercise 1: Add a Firebox User Group and Add Users ............................................ 149
Create a Firebox User Group ................................................................................................ 149
Add Firebox Users ................................................................................................................. 150
Exercise 2: Edit Policies to Use Firebox Authentication .......................................... 153
Exercise 3: Set Global Authentication Values ......................................................... 155
Set Global Timeout Values ................................................................................................... 155
Set Other Global Values ........................................................................................................ 155
Exercise 4: Enable Single Sign-On for the XTM Device .......................................... 157
Use a Web Server Certificate ............................................................................................... 159
Test Your Knowledge ............................................................................................... 161
Blocking Spam ................................................................................................................. 163
What You Will Learn ............................................................................................... 163
Stop Unwanted Email at the Network Edge .......................................................... 163
spamBlocker Tags ................................................................................................................. 164
spamBlocker Categories ...................................................................................................... 164
spamBlocker Exceptions ...................................................................................................... 164
Global spamBlocker Settings ............................................................................................... 165
Exercise 1: Configure the Quarantine Server .......................................................... 166
Configure Quarantine Server Rules ..................................................................................... 166
Configure the XTM Device to Use the Quarantine Server .................................................. 167
Exercise 2: Activate spamBlocker ............................................................................ 168
Exercise 3: Configure the spamBlocker Service ..................................................... 168
Determine What Happens to spam Email ........................................................................... 169
Add spamBlocker Exceptions ............................................................................................... 169
Enable Alarms When a Virus is Detected ............................................................................. 170
Exercise 4: Monitor spamBlocker Activity ............................................................... 171
Test Your Knowledge ............................................................................................... 172
Web Traffic ........................................................................................................................ 173
What You Will Learn ................................................................................................ 173
Control Web Traffic Through Your Firewall ............................................................. 173
Control Outgoing HTTP Requests .......................................................................................... 174
Protect Your Web Server ........................................................................................................ 175
HTTP-Proxy Action Rulesets .................................................................................................. 175
Monitor Secured HTTP Traffic with the HTTPS proxy ............................................. 177
Restrict Web Access with WebBlocker ................................................................... 178
Exercise 1: Configure HTTP Connections from Trusted Users ............................... 180
Add an HTTP Client Proxy Policy .......................................................................................... 180
Enable a Log Message for Each HTTP Client Connection .................................................. 180
Block HTTP Client Connections by URL Path ...................................................................... 181
Allow Microsoft Office Documents and ZIP Files Through the HTTP-Proxy ...................... 181
Customize the Deny Message .............................................................................................. 183
Exercise 2: Use HTTP-Proxy Exceptions to Allow Software Updates ...................... 184
Exercise 3: Configure an HTTP-Server Proxy Action ................................................ 185
Add the HTTP Server Proxy Policy ........................................................................................ 185
Create a New Proxy Policy Ruleset ...................................................................................... 186
Exercise 4: Selectively Block Web Sites with WebBlocker ..................................... 187
Add a WebBlocker Action ...................................................................................................... 187
Select Categories to Block .................................................................................................... 187
Create an Exception ............................................................................................................. 188
Enable WebBlocker Local Override ..................................................................................... 189
Frequently Asked Questions .................................................................................. 190
Test Your Knowledge ............................................................................................... 191
Threat Protection .............................................................................................................. 193
What You Will Learn ............................................................................................... 193
Default Threat Protection Measures Block Intruders .......................................... 193
Use Default Packet Handling Options ................................................................................. 194
Automatically Block the Source of Suspicious Traffic ........................................................ 195
Block Ports Commonly Used by Attackers ........................................................................... 196
Exercise 1: Configure Default Packet Handling Options ......................................... 197
Exercise 2: Block Potential Sources of Attacks ....................................................... 198
Block a Site Permanently ..................................................................................................... 198
Create Exceptions to the Blocked Sites List ........................................................................ 198
Exercise 3: Block Sites Automatically ...................................................................... 200
Test Your Knowledge ............................................................................................... 201
Signature Services ........................................................................................................... 203
What You Will Learn ................................................................................................ 203
Identify and Stop Viruses at the Edge of Your Network ........................................ 203
AntiVirus Scans User Traffic for Viruses and Trojans ......................................................... 204
Intrusion Prevention Service Blocks Direct Attacks .............................................. 206
Control and Monitor Application Usage on Your Network ..................................... 207
Application Control Actions and Policies ............................................................................. 207
Configure Application Control .............................................................................................. 207
Application Control Actions and Proxy Actions ................................................................... 209
Exercise 1: Set Up Gateway AntiVirus ...................................................................... 210
Activate Gateway AntiVirus ................................................................................................... 210
Configure Gateway AntiVirus ................................................................................................ 211
Exercise 2: Configure an SMTP Proxy Policy for Gateway AntiVirus ....................... 213
Exercise 3: Configure the Intrusion Prevention Service ......................................... 215
Enable Intrusion Prevention ................................................................................................. 215
Exercise 4: Configure Application Control ................................................................ 217
Configure the Global Application Control Action ................................................................. 217
Apply the Global Application Control Action to Policies ...................................................... 220
Exercise 5: Use a Different Application Control Actions for Different Policies ...... 221
Test Your Knowledge ............................................................................................... 224
Reputation Enabled Defense .......................................................................................... 225
What You Will Learn ................................................................................................ 225
How Reputation Enabled Defense Works .............................................................. 225
Reputation Scores ................................................................................................................ 225
Reputation Thresholds ......................................................................................................... 226
Reputation Lookups .............................................................................................................. 226
Reputation Enabled Defense Feedback .............................................................................. 227
Monitor Reputation Enabled Defense ................................................................... 227
Exercise 1: Set up Reputation Enabled Defense .................................................... 228
Exercise 2: See Reputation Enabled Defense Statistics ........................................ 230
Test Your Knowledge ............................................................................................... 231
Web UI ............................................................................................................................... 233
What You Will Learn ................................................................................................ 233
Introduction to Fireware XTM Web UI ..................................................................... 233
Limitations of the Web UI ....................................................................................... 234
Connect to the Web UI ............................................................................................ 235
About Certificate Warnings ................................................................................................... 235
Navigate the Web UI .............................................................................................................. 237
Get Help ................................................................................................................................. 237
About the Status and Admin Accounts ................................................................................ 238
About Timeouts for Management Sessions ........................................................................ 239
Control Access to the Web UI ................................................................. 241
About the Port for the Web UI .............................................................................................. 243
Exercise 1: Connect to the Web UI with the Status Account .................................. 245
Exercise 2: Change the Port for the Web UI ............................................................ 247
Exercise 3: Configure an XTM device for Remote Web UI Administration ............ 251
Test Your Knowledge .............................................................................................. 254

Fireware XTM Basics

Course Introduction
Firewall Basics with Fireware XTM 11.5.3

Training Options

If you use Fireware XTM and WatchGuard System Manager (WSM) for your WatchGuard XTM device,
there are several training options available to you:
Classroom training with a WatchGuard Certified Training Partner (WCTP)
WatchGuard maintains a worldwide network of certified training partners who offer regular training
courses. A list of training partners can be found on our web site at:
http://www.watchguard.com/training/partners_locate.asp
Online LIVE virtual classroom
The New Horizons Online LIVE platform effectively delivers our unrivaled classroom experience
directly to your home or office over the Internet. Online LIVE provides a rich, engaging virtual
classroom environment that allows you to easily interact with your instructors and fellow students.
Fireware XTM Basics with Fireware XTM Training Modules
Each training module available for WatchGuard System Manager and Fireware XTM focuses on a
specific feature or function of configuration and security management.
For more information, including configuration steps for advanced procedures, see the Fireware XTM
WatchGuard System Manager Help.

Virtual Lab Equipment and Software

The virtual lab environment provides access to all the hardware and software required to complete
the exercises.

In the training modules you use Remote Desktop Connection to connect to a Windows Server 2008
desktop that has both the WatchGuard System Manager and WatchGuard Server Center software
installed. From this server you connect to and configure a dedicated XTM device.

Your instructor will provide you with the required information to access your lab server.

Devices                        WatchGuard XTM 2 Series / XTM 3 Series / XTM 5 Series / XTM 8 Series /
                               XTM 1050 / XTM 2050 / XTMv
Device OS versions             Fireware XTM v11.5.3 and Fireware XTM v11.5.3 with a Pro upgrade
Management software versions   WatchGuard System Manager v11.5.3
The components of the virtual lab are:
Management computer (WG-Server)
Your management computer is a Windows Server that has all the required software pre-installed.
Additionally this server is a domain controller for the wgtraining.com domain. It provides Active
Directory Authentication and DNS services.
Windows 7 client with standard user (Client1)
The desktop of the WG-Server includes an RDP shortcut to this client workstation. This system is
used to automatically generate random web traffic for logging and reporting, authentication, and
policy verification.
XTMv virtual device (XTM-HQ)
You will connect to and configure a dedicated XTMv device. For the modules and exercises there is
no noticeable functional difference: the steps and procedures are the same if you use an XTM 2
Series, 3 Series, 8 Series, XTM 1050 or XTM 2050 device.

Training Scenario

Throughout the Fireware XTM Basics with Fireware XTM training modules, we use a fictional company
called Successful Company. While the modules build on a story of configuring a firewall and network
for Successful Company, you can complete many of the exercises using examples from your own
network or a set of addresses and situations provided by your WatchGuard Certified Training instructor.
Any resemblance between the situations described for Successful Company and a real company are
purely coincidental.

Certification

The WatchGuard Certified System Professional (WCSP) exam is available for all WatchGuard partners.
The exam is based on the contents of this course, and we recommend that you study this training to
prepare for the exam. If you are a WCSP, you can log in to your LiveSecurity Service account and
browse to the exam at:
https://www.watchguard.com/training/CertCentral.asp
For more information about how to become a WCSP, see the WatchGuard Training Technical
Certification web page at:
http://watchguard.com/training/technical_cert.asp

Fireware XTM Web UI and Command Line Interface

You can use the Fireware XTM Web UI (Web UI) and Command Line Interface (CLI) management
solutions to complete many of the same tasks that you perform in WatchGuard System Manager and
Policy Manager. Some advanced configuration options and features are not available with Fireware
XTM Web UI or Command Line Interface.
Because not all configuration options are available in the Web UI and CLI, and because the Web UI and
CLI are online configuration tools (you need a network connection to an XTM device to use them), the
exercises in the Fireware XTM Basics training modules do not use the Web UI and the CLI.

Additional Resources

For more information about how to install and configure WatchGuard System Manager see these
resources:
Fireware XTM WatchGuard System Manager Help
You can launch the Help system from your management computer after you install WSM. To view
more information about the features in a dialog box or application window, click Help or press the
F1 key. A topic that describes the features you see and provides links to additional information
appears in your default web browser.
For the most up-to-date information, browse to http://www.watchguard.com/help/
documentation/ and launch the Fireware XTM WatchGuard System Manager Help. You can also
download the Help system for offline use.
Fireware XTM WatchGuard System Manager User Guide
Browse to http://www.watchguard.com/help/documentation/ and download the Fireware XTM
WatchGuard System Manager User Guide.
WatchGuard Online Knowledge Base
Browse to http://customers.watchguard.com/.
For information about how to set up an XTMv virtual device in a VMware ESXi environment, see:
WatchGuard XTMv Setup Guide
Browse to http://www.watchguard.com/help/documentation/ and download the WatchGuard
XTMv Setup Guide.

Fireware XTM Basics

Getting Started
Set Up Your Management Computer and Device

What You Will Learn

WatchGuard System Manager is the primary management software application used to monitor and
manage WatchGuard XTM devices and WatchGuard servers. In this training module, you learn how to:
Use the Quick Setup Wizard to make a basic device configuration file
Start WatchGuard System Manager
Connect to devices and servers
Start Policy Manager and open a device configuration file
Set up WatchGuard Server Center
Before you begin these exercises, make sure you read the Course Introduction module.

Start with WatchGuard System Manager

Most of the procedures you complete in this training module start from WatchGuard System Manager
(WSM), which is the primary software application you use to manage all the XTM devices and
WatchGuard servers in your network.
You can use WSM to connect to any WatchGuard firewall device. This includes all XTM device models,
as well as the Firebox and SOHO device models. In this training module, we use only XTM devices.
WSM Components
WatchGuard System Manager (WSM) includes several other monitoring and configuration tools, including
Policy Manager, Firebox System Manager, HostWatch, CA Manager, and Log and Report Manager. You can
start these tools after you open WSM. WatchGuard Server Center is the application you use to set up,
configure, and manage the five WatchGuard servers, as well as configure users and groups for
role-based administration.

This diagram shows the components of WatchGuard System Manager and how you can get access to them.
You install the WSM management software on a personal computer running Microsoft Windows XP or
later. We call this computer your management computer.
When you install WSM on your management computer, you have the option to install any or all of the
WatchGuard servers. When you select to install any of the servers, WatchGuard Server Center is
automatically installed.
Management Server - Manages multiple XTM devices at the same time and creates virtual private
network (VPN) tunnels with a simple drag-and-drop method.
Log Server - Collects log messages from XTM devices and servers.
Report Server - Periodically consolidates data collected by your Log Servers and uses this data to
generate the reports that you select.
Quarantine Server - Collects and isolates SMTP email confirmed as spam by spamBlocker, or confirmed
to have a virus by Gateway AntiVirus or by the spamBlocker Virus Outbreak Detection feature.
WebBlocker Server - Provides information for an HTTP-proxy to deny user access to specified
categories of web sites.
You can install these servers on your management computer, or you can install them on other
computers on your network that are dedicated to these tasks. Each server has different requirements
and may need to be able to connect to other servers, the XTM device, or the management computer.
For more information, see the training module about each server.
Register and Subscribe to the LiveSecurity Service
The LiveSecurity Service provides WatchGuard customers with alerts, threat responses, and expert
advice to help you keep your network secure and up-to-date. When you subscribe to LiveSecurity, you
also get access to the latest software upgrades for your XTM device, as well as access to technical
support and training resources.
Your XTM device must be registered with LiveSecurity before you can configure the device. To register
the device, you must have:
A LiveSecurity account
The device serial number
To create a new LiveSecurity account, go to:
https://www.watchguard.com/account/registration_gate.asp
To register your device with an existing LiveSecurity account, log in to LiveSecurity. In the LiveSecurity
Service Subscribers section, click Activate a Product.

In the virtual lab, the servers are pre-installed on the same station as the management computer.

Exercise 1: Create a Configuration File with the Quick Setup
Wizard
The quickest and easiest method to create a functional configuration file for your network is to use the
Quick Setup Wizard. However, you must be connected to an XTM device to use the Quick Setup Wizard.
Before you start the wizard, you must have:
A feature key - You receive the feature key when you register your XTM device with the
LiveSecurity Service. A feature key is created that is unique to the serial number of the device. Save
a copy of the feature key to the management computer before you start the Quick Setup Wizard.
WSM and Fireware XTM installed on the management computer - WSM is the software installed on
the management computer and WatchGuard servers. Fireware XTM is the operating system (OS)
installed with a configuration file on the XTM device. Download the latest versions of the software
and XTM OS from the WatchGuard Portal. WSM and Fireware XTM are separate software downloads.
You must download and install both packages on your management computer. The management
computer must be on the same network subnet as the device.
Your network information - At a minimum, you must know the IP address of your gateway router
and the IP addresses to give to the external and trusted interfaces of the XTM device.
When you configure the XTM device with the Quick Setup Wizard, the wizard adds five basic policies:
Outgoing, FTP packet filter, Ping, WatchGuard WebUI, and WatchGuard. It also sets interface IP
addresses. In this exercise, we use the Quick Setup Wizard to create and install a basic configuration file
on the XTM device.
From the Windows desktop:
1. Select Start > All Programs > WatchGuard System Manager 11.5.3 > Quick Setup Wizard
11.5.3.
You can also click the Quick Setup Wizard icon on the WatchGuard System Manager toolbar.
The Quick Setup Wizard starts and attempts to detect an XTM device on the same network as your computer.

2. From the list of devices, select the XTM device that you are using for this training session.
3. Follow the step-by-step instructions in the wizard to create a basic configuration file.
When you are finished with the wizard, you will have an XTM device which allows all traffic from the trusted
and optional networks to the external network but blocks everything from the external to the protected
networks.

Your instructor will provide you with any additional information you need to configure your device
for the training environment.

Your instructor may use the presentation files to show these steps instead of having you do them
yourself.

Exercise 2: Open WSM and Connect to Devices and Servers

When you open WatchGuard System Manager (WSM), you are not automatically connected to an XTM
device. You must manually connect to an XTM device or to a Management Server to use many WSM
features. You can connect to many devices and Management Servers at the same time.
Connect to an XTM Device
From the Windows desktop:
1. Select Start > All Programs > WatchGuard System Manager 11.5.3 > WatchGuard System
Manager 11.5.3.
WatchGuard System Manager appears.
2. On the main toolbar, click the Connect to Device icon.
Or, you can select File > Connect To Device.
3. In the Name/IP Address text box, type the trusted IP address of the device.
Your device IP address is 10.0.1.1

4. In the Passphrase text box, type the Firebox status passphrase readonly.
Use the status passphrase to connect to a device and display status. If you save the configuration or add the
device as a managed device to the Management Server, you are prompted to type the configuration
passphrase.
5. If necessary, change the value in the Timeout text box.
This value sets the amount of time (in seconds) that WSM waits for an answer from the device
before WSM shows a message that it cannot connect.
If you have a slow network or Internet connection to the device, you can increase the timeout value. If you
decrease the value, you decrease the time you must wait for a time out message if you try to connect to a
device that is not available.
6. Click Login.
WSM connects to the device and then shows its status on the Device Status tab.

7. On the Device Status tab, click the plus sign (+) to expand the device entry.
Information about the device appears.

Document the External IP address of your device here: 1.1.1.____
You will need to enter this IP address in Exercise 4.

Connect to a Management Server
A WatchGuard Management Server allows you to manage many XTM devices at the same time from a
single management computer. With a Management Server, you can quickly build virtual private
network (VPN) tunnels between devices and centrally manage a large number of devices.
When you connect to a Management Server, WSM shows the status of all the devices managed by that
Management Server. The VPN tunnels between the managed devices appear on the page for each
device.
In this exercise, you connect to a Management Server in WSM. Your instructor has pre-configured a
Management Server for the classroom; you log in with a read-only user account.
In WatchGuard System Manager:
1. Click the Connect to Server icon.
Or, select File > Connect To Server.
The Connect to Management Server dialog box appears.
2. Type the IP address of the Management Server.
For this lab, the Management Server IP address is 1.2.3.4

3. Type the user name and passphrase for the Management Server.

The user name for a Management Server is monitor. The passphrase is viewonly.

4. Click Login.
The Device Management tab appears with the Management Server and the devices it manages.

5. When you are finished reviewing the Management Server, select File > Disconnect.

Exercise 3: Open Policy Manager

Policy Manager is the tool you use to build the security rules your XTM device uses to protect your
network. You use Policy Manager to configure policies, set up VPNs, change device passphrases, and
configure logging and notification options.
A policy is a set of rules that defines how the device manages packets that come to its interfaces. The
policy identifies the source and destination of the packets. It also specifies the protocol and ports of the
traffic that the policy controls. It includes instructions for the device about how to identify the packet
and whether to allow, deny, drop, or block the connection. Policy Manager displays each policy as a
group of rules, or a ruleset. You can view these policies as icons, or in a list with detailed information
about each policy.
In WatchGuard System Manager:
1. On the Device Status tab, select your XTM device.
If there is no device visible in WSM, select File > Connect To Device, and then connect to your
device.
2. Click the Policy Manager icon.
Or, select Tools > Policy Manager.
WSM checks the model and the OS (operating system) version used by the device. If you have multiple
versions of WSM software installed, WSM automatically opens the correct Policy Manager version. If you
launch Policy Manager for a device that uses an older version of Fireware XTM or Fireware, WSM may ask if
you want to upgrade the OS on that device.

You can have more than one version of WSM installed on your computer. However, you can have only
one version of the server components (Management Server, Log Server, Report Server, Quarantine
Server, and WebBlocker Server) installed.

3. Select View > Details.
Policy Manager changes to the Details view.

Exercise 4: Set Up WatchGuard Server Center

Before you can configure your installed WatchGuard servers, you must complete the WatchGuard
Server Center Setup Wizard. The Setup Wizard creates the WatchGuard servers you selected to install
on your management computer. When you run the wizard, you only see the screens that correspond to
the server components you have installed. For example, if you install only the Log Server and Report
Server, but not the Quarantine Server, the pages used to create a domain list for Quarantine Server do
not appear in the wizard.
For more information about the different WatchGuard servers, see the training module for each server,
or the Fireware XTM WatchGuard System Manager Help or User Guide.
In this exercise, we will use the WatchGuard Server Center Setup Wizard to set up the Management
Server and the Log Server that we have installed on the management computer.
Before you run the wizard, make sure you have this information:
The passphrase you want the administrator to use (must be at least 8 characters)
The Management Server license key
The IP address of the Log Server
The encryption key you want to use for the Log Server (8 to 32 characters, no spaces or slashes)
The directory location where you want to keep your log files
To run the WatchGuard Server Center Setup Wizard:
1. In the Windows system tray, right-click the WatchGuard Server Center icon and select Open WatchGuard Server Center.
The WatchGuard Server Center Setup Wizard starts.
2. Review the Welcome page to make sure you have all the information required to complete the
wizard. Click Next.
The General Settings Identify your organization name page appears.
3. Type WGtraining for your Organization name. Click Next.
The General Settings Set Administrator passphrase page appears.
4. Type and confirm adminpass as the Administrator passphrase. Click Next.
The Management Server Identify the gateway Firebox page appears.
5. Select Yes.
6. Type the external IP address and passphrases for your gateway Firebox. Click Next.
The Management Server Enter a license page appears. The key is in Desktop\WSM License Key.txt
7. Type the license key for your Management Server and click Add. Click Next.
The Log Server Set an Encryption key and database location page appears.
8. Type and confirm MyStongKey! as the Encryption key to use for the secure connection
between the XTM device and the Log Server.
9. Select Browse and Open to select the Database location for your Log Server database.
10. Click Next. On the next page, type WGtraining.com, click Add, and then click Next.
The WebBlocker Database Setup - Review Settings page appears.
11. Download the WebBlocker Database by selecting Yes and click Download twice.
The WebBlocker Database begins to download. When it is completed click OK.
12. Click Next. The Review Settings page appears. Click Next.
The WatchGuard Server Center Wizard is complete page appears.
13. Click Next and click Finish.
WatchGuard Server Center appears.

In step 6, use the External IP address that you documented earlier in this lab. The passphrases are:
Status - readonly
Config - readwrite

Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.
1. True or false? You must have a WatchGuard Management Server to use a simple drag-and-drop
function for VPN creation.
2. Circle the best tool for each task:
Task                                      Tool
A) Monitor the status of one device       WatchGuard System Manager / Policy Manager
B) Change the device network interfaces   WatchGuard System Manager / Policy Manager
C) Configure a policy for web traffic     WatchGuard System Manager / Policy Manager

3. True or false? When connecting to your device, you should decrease the Timeout setting if you
have a slow network or Internet connection to your device.
4. Which of the following are required before you can use the Quick Setup Wizard to make a basic
device configuration file? (Select all that apply.)
A) A LiveSecurity Service account
B) The device model number
C) The IP address of your gateway router
D) A feature key
E) A live connection to the Internet
F) A personal computer running Macintosh OS 10 or later
G) A web browser
H) An IP address to give to the external and trusted interfaces of the device

5. Fill in the blank: A ________ is a set of rules that defines how the device manages packets that
come to its interfaces.
6. Which of the following are WatchGuard System Manager components? (Select all that apply.)
A) LogViewer
B) Router
C) Policy Manager
D) Appliance Monitor
E) Windows NT Server
F) Report Server
G) Management Computer

7. True or false? You must install all WatchGuard servers on one management computer.
8. True or false? You do not have to install a WatchGuard server to use WatchGuard Server Center.

Fireware XTM Basics

Administration
Work with Device Configuration Files

What You Will Learn

After you install the XTM device in your network and use the Quick Setup Wizard to give it a basic
configuration file, you can add custom configuration settings to meet the needs of your organization.
You can save configuration files in a variety of locations.
In this training module, you learn how to:
Open and save configuration files
Configure the device for remote administration
Reset device passphrases
Back up and restore the device configuration
Add device identification information
Before you begin these exercises, make sure you read the Course Introduction module.

Manage Configuration Files and Device Properties

A configuration file includes all configuration data, options, IP addresses, and other information for the
XTM device. On the device, the configuration file works with the OS to control the flow of traffic
through the device. The file extension for a device configuration file is .xml.
Fireware XTM Policy Manager is a WatchGuard software tool that you can use to create, change, and
save configuration files. When you use Policy Manager, you see a version of your configuration file that
is easy to examine and modify. Changes you make in Policy Manager have no effect on device
operation until you save them to the device.

Exercise 1: Open and Save Configuration Files

The Quick Setup Wizard makes a basic configuration file for your XTM device. We recommend that you
use this configuration file as the base for all your configuration files. You can also use Policy Manager to
make a new configuration file with only the default configuration properties.
To create a new configuration file:
1. Open Policy Manager.
2. Select File > New.
A new configuration file appears with the default policies and settings. Click Cancel.
Most of the time, when you want to manage your device configuration, you use WatchGuard System
Manager (WSM) to connect to the device and launch Policy Manager. When you do this, WSM loads the
current device configuration file in Policy Manager. You can save a copy locally and then open this local
copy in Policy Manager any time you want to work offline.
In this exercise, you open the current configuration file for your device and save it to your local hard
drive:
1. Open WatchGuard System Manager and connect to your device.
If you are not familiar with this procedure, see the Getting Started training module or ask your instructor.
2. Click the Policy Manager icon.
Or, select Tools > Policy Manager.
Policy Manager starts and loads the configuration file currently on your device.
3. Select File > Save > As File.
The Save dialog box appears.
4. In the File Name text box, type Basics-Start.
5. Click Save.
By default, configuration files are saved to the My Documents\My WatchGuard\configs folder. The
configuration file type is XML.

Policy Manager is an offline configuration tool. The Web UI and the CLI are online configuration
tools. An offline configuration tool lets you make many changes to a configuration file without
sending the changes to the device. An online configuration tool is designed to immediately send all
changes to the device.

Exercise 2: Configure a Device for Remote Administration
When you use the Quick Setup Wizard to configure your XTM device, a policy that allows you to
connect to and administer the device from any computer on the trusted or optional networks is
automatically created. If you want to manage the device from a remote location (any location external
to the device), then you must change your configuration to allow administrative connections from your
remote location.
The packet filter policy that controls administrative connections to the device is WG-Firebox-Mgmt. The
Quick Setup Wizard adds this policy with the name WatchGuard. This policy controls access to the
device on these TCP ports: 4105, 4117, and 4118. When you allow connections in the WatchGuard
policy, you also allow connections to each of these ports.
Before you change a policy to allow connections to the device from a computer external to your network, consider these alternatives:
- Is it possible to connect to the device with a VPN? This greatly increases the security of the connection. If you can connect with a VPN, you do not need to allow management connections from a computer external to your network. If a VPN is not possible, consider requiring authentication as an additional layer of security.
- It is more secure to limit access from the external network to the smallest number of computers possible. For example, it is more secure to allow connections from a single computer than to allow connections from the alias Any-External.
To restrict or expand access to the device, edit the From list in the WatchGuard policy:
- You can allow connections to the device from external networks by adding the Any-External alias (or, preferably, a specific IP address).
- You can restrict connections to the device from internal locations by removing the Any-Trusted and Any-Optional aliases and replacing them with the specific IP addresses from which you want to allow access.
- You can remove all IP addresses and aliases and replace them with user names or group names. When you do this, you force users to authenticate before they are allowed to connect to the device.
If you decide to allow connections to the device from Any-External, it is especially important that you
set very strong device Status and Configuration passphrases. It is also a good idea to change your
passphrases at regular intervals.
To use Policy Manager to configure the WatchGuard policy to allow administrative access from an
external computer at a specific IP address:
1. Double-click the WatchGuard policy. Or, right-click the WatchGuard policy and select Edit.
The Edit Policy Properties dialog box appears.
The name of this policy is WatchGuard, but the packet filter type is WG-Firebox-Mgmt. This policy is
specifically designed to be used for administration of the device.
2. In the From section, click Add.
3. To add the IP address of the external computer you want to use to connect to the device, click Add
Other.
4. From the Choose type drop-down list, make sure Host IP is selected.
5. In the Value text box, type the IP address of the remote administration computer.
6. Click OK to close each dialog box.
When you work with WatchGuard Support, they might ask you to add their IP range to this policy so that they can connect to your device remotely to help troubleshoot. If you need to manage your device remotely, add the public IP address of the remote system from which you connect.
In the lab configuration, Any-External is listed in the From section. This is for lab purposes only and is not recommended for production environments.
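The From-list decisions described above can be reasoned about outside Policy Manager. The following Python is an added example, not WatchGuard code: it models a management policy's From list (built-in aliases, host IPs, networks in slash notation, and user or group entries) and answers two questions, whether a given source would be admitted to the ports the WatchGuard policy opens, and which entries make management access wider than it needs to be. The matching rules are a simplification of the Fireware policy engine (the To list and interface-specific details are ignored), and the addresses 198.51.100.7 and 203.0.113.55 are constructed documentation addresses.

```python
import ipaddress

# TCP ports opened by the WatchGuard (WG-Firebox-Mgmt) policy, from the exercise text.
MGMT_PORTS = (4105, 4117, 4118)

# Built-in aliases and the interface type (zone) each one stands for.
ZONE_ALIASES = {"Any-Trusted": "trusted", "Any-Optional": "optional", "Any-External": "external"}

# Constructed From lists: the lab configuration, and a hardened one that admits
# internal hosts plus a single remote administration host (198.51.100.7).
LAB_FROM = ["Any-Trusted", "Any-Optional", "Any-External"]
HARDENED_FROM = ["Any-Trusted", "198.51.100.7"]


def _is_auth_entry(entry):
    """User and group entries only match after the user authenticates."""
    return entry.startswith(("user:", "group:"))


def source_allowed(from_list, src_ip, src_zone):
    """Return True if an unauthenticated packet from src_ip, arriving on an interface
    of type src_zone, matches an entry in the policy's From list.

    Simplified model of the Fireware match: the To list and per-interface details
    are ignored. Entries are aliases, host IPs ('198.51.100.7'), networks in slash
    notation ('10.0.1.0/24'), or 'user:<name>' / 'group:<name>'.
    """
    src = ipaddress.ip_address(src_ip)
    for entry in from_list:
        if entry in ZONE_ALIASES:
            if ZONE_ALIASES[entry] == src_zone:
                return True
        elif _is_auth_entry(entry):
            continue
        elif src in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def lint_mgmt_policy(from_list):
    """Return findings that make management access wider than necessary."""
    findings = []
    if "Any-External" in from_list:
        findings.append(f"Any-External: TCP {MGMT_PORTS} reachable from every Internet host")
    for entry in from_list:
        if entry in ZONE_ALIASES or _is_auth_entry(entry):
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > 1:
            findings.append(f"{entry}: a whole range is allowed; prefer single hosts")
    if not any(_is_auth_entry(e) for e in from_list):
        findings.append("no user/group entries: access is granted by source address alone")
    return findings


if __name__ == "__main__":
    for name, rules in (("lab", LAB_FROM), ("hardened", HARDENED_FROM)):
        print(name, "admits 203.0.113.55 from external:", source_allowed(rules, "203.0.113.55", "external"))
        for finding in lint_mgmt_policy(rules):
            print("  -", finding)
```

Run against the lab From list the lint reports the Any-External exposure; against the hardened list it only notes that access still rests on source addresses rather than authentication, which is the remaining step the text recommends.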
Exercise 3: Change the XTM Device Passphrases

In this exercise, you change the passphrases for your XTM device. An XTM device uses two passphrases:
- Status passphrase: the read-only password that you use to see information about the device, but not to make any changes to the configuration file.
- Configuration passphrase: the read-write password that the administrator uses to save a configuration file to the device.
We recommend that you change your device passphrases at regular intervals as part of your company's security policy. The passphrases used in this exercise are examples of very simple passphrases and are not suitable outside the lab. When you develop each of your passphrases, choose strong passphrases. A strong passphrase contains at least eight characters and includes a combination of letters, numbers, and symbols. Use different values for the two passphrases: anyone who knows the read-only Status passphrase would otherwise also have read-write access.
To complete this exercise, you must have the current configuration passphrase for your device. If you
are using a device in a production network, and you do not have permission to change the
configuration passphrase of the device, do not complete this exercise.

1. Click the Open Firebox toolbar icon, or select File > Open > Firebox.
The Open Firebox dialog box appears.
2. In the Firebox IP Address or name text box, type or select the IP address or name of your XTM device.
3. In the Status Passphrase text box, type the Status passphrase for your device. For this exercise, the current Status passphrase is readonly.
4. Click OK.
Policy Manager contacts the device and gets the configuration file.
5. Select File > Change Passphrases.
The Change Passphrases dialog box appears.
6. In the Configuration Passphrase text box, type the current Configuration passphrase for your device. For this exercise, it is readwrite.
7. In the Status Passphrase and Confirm Passphrase text boxes, type 33333333.
8. In the Configuration Passphrase and Confirm Passphrase text boxes, type 44444444.
9. Click OK.
The new passphrases are saved to the device.
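The strength rule the course gives (eight or more characters, with letters, digits and symbols) is easy to apply mechanically, and doing so shows that the lab values 33333333 and 44444444 fail it. The following Python is an added example, not WatchGuard code: it implements that rule, adds a check for near-constant strings, and adds one check the course does not state, that the Status and Configuration passphrases should differ, because anyone who learns the read-only value would otherwise hold read-write access. The sample passphrases other than the lab values are constructed.

```python
import re

MIN_LENGTH = 8  # the course's minimum


def passphrase_problems(passphrase):
    """Return the reasons a passphrase fails the course's strong-passphrase rule
    (at least eight characters, with letters, digits and symbols), plus a check
    for near-constant strings such as 33333333, which pass a length test alone."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", passphrase):
        problems.append("no letters")
    if not re.search(r"[0-9]", passphrase):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", passphrase):
        problems.append("no symbols")
    if len(set(passphrase)) <= 2:
        problems.append("fewer than three distinct characters")
    return problems


def check_passphrase_pair(status, configuration):
    """Check the Status (read-only) and Configuration (read-write) passphrases
    together. Each must be strong, and they must differ: the Status passphrase is
    the one handed to people who only need to look, so sharing one value would
    give every such person read-write access."""
    report = {
        "status": passphrase_problems(status),
        "configuration": passphrase_problems(configuration),
        "pair": [],
    }
    if status == configuration:
        report["pair"].append("Status and Configuration passphrases are identical")
    return report


def is_acceptable(status, configuration):
    """True only if neither passphrase has problems and they are different."""
    return not any(check_passphrase_pair(status, configuration).values())


if __name__ == "__main__":
    # The lab values from Exercise 3, and a constructed acceptable pair.
    for pair in (("33333333", "44444444"), ("Tr0ub4dor&3", "c0rrect-H0rse!")):
        print(pair, "acceptable:", is_acceptable(*pair), check_passphrase_pair(*pair))
```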
Exercise 4: Create and Restore a Device Backup Image

An XTM device backup image is a saved copy of the working image from the device flash disk. The
backup image includes the device appliance software, configuration file, licenses, and certificates. You
can use Policy Manager to save an encrypted backup image to your management computer or to a
directory on your network.
We recommend that you regularly back up your device image. We also recommend that you create a
backup image of the device before you make significant changes to your device configuration file, or
upgrade your device or its OS.
Create an XTM Device Backup Image
1. Select File > Backup.
The Backup dialog box appears.
2. In the Configuration Passphrase text box, type the read-write passphrase for your device.
The configuration passphrase we used in this training module is 44444444.
The second Backup dialog box appears.
3. Type and confirm an Encryption Key.
For this exercise, type MyStrongKey!
This key is used to encrypt the backup file. If you lose or forget this encryption key, you cannot restore the
backup file. The encryption key is case-sensitive.
4. In the Back up image to text box, view the default backup location.
5. Click OK.
The default location for a backup file (.fxi extension) is:
- Windows XP: C:\Documents and Settings\All Users\Shared WatchGuard\backups\<device IP address>-<date>.<wsm_version>.fxi
- Windows 7: C:\Users\Public\Shared WatchGuard\backups\<device IP address>-<date>.<wsm_version>.fxi
Restore an XTM Device Backup Image
1. Select File > Restore.
The Restore dialog box appears.
2. Type the Configuration Passphrase for your device.
The configuration passphrase we used in this training module is 44444444.
A warning message appears.
3. Click Yes to continue.
4. Type the Encryption Key you used when you created the backup image.
For this exercise, the value is MyStrongKey! (the key is case-sensitive and must match exactly).
5. In the Restore image from text box, select the location of the backup image you want to restore.
The device restores the backup image and restarts. It uses the backup image on restart.
You can also use Firebox System Manager to create and restore a device backup image to a USB drive connected to the XTM device. For more information, see the Fireware XTM WatchGuard System Manager Help or User Guide.

Exercise 5: Add XTM Device Identification Information

You can save information about the XTM device in the configuration file, which helps you to identify
the device in reports, log files, and WatchGuard management tools. The device model is particularly
important because some software features only function on certain models.
You can use Policy Manager to give the device a name to use in your log files and reports. If you do not give your device a name, the log files and reports use the IP address of the device's external interface. You can use a Fully Qualified Domain Name if you register it with your authoritative DNS server. You must give the device a name if you use the Management Server to configure VPN tunnels and certificates for the device.
The device time zone controls the date and time that appear in the log file and in management tools, including LogViewer, Report Manager, and WebBlocker. Set the device time zone to match the time zone of the physical location of the device, so that times in log messages are correct and events from devices in different time zones can be correlated. A default configuration file sets the device system time to Greenwich Mean Time (GMT).
In this exercise, you set the device information for your student device. If you are working alone, you
can use the example of our fictional organization: Successful Company. In other training modules, you
see this information in reports and WatchGuard System Manager.
From Policy Manager:
1. Select Setup > System.
The Device Configuration dialog box appears.
2. In the Name text box, type SuccessfulMain.
Your instructor might give you another name for your student device.
3. In the Location text box, type Seattle.
This identifies the physical location of the device.
4. In the Contact text box, type your name.
This is the name of the person in your organization who is responsible for the management of the device.
5. From the Time zone drop-down list, select your local time zone.
Select the time zone of the device itself. This enables you to synchronize reports from devices in multiple
timezones.
6. Click OK.
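To see why the time zone setting matters for log correlation, the following Python is an added example, not part of the courseware or of Fireware: it takes constructed log lines from three devices (one in Detroit, one in Tokyo, one left at the default GMT) and normalizes their local timestamps to UTC, which is what a log collector must do before it can order events from several sites. The log line layout, device names and addresses are assumptions for the example; the time zones are IANA names, with a constructed fixed-offset fallback for systems that have no tz database installed.

```python
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo  # Python 3.9+; needs a system tz database
except ImportError:  # pragma: no cover
    ZoneInfo = None

# Fallback offsets, used only when no tz database is installed. Constructed for the
# sample date below (Detroit is on daylight time in late April) and nothing else.
FIXED_OFFSET_HOURS = {"UTC": 0, "Asia/Tokyo": 9, "America/Detroit": -4}

# Constructed log lines: (device name, device time zone, "<local timestamp> <message>").
# The line layout is an assumption for this example, not the Fireware log format.
SAMPLE_LOG = [
    ("SuccessfulMain", "America/Detroit", "2012-04-23 09:00:00 Allow 10.0.1.50 -> 198.51.100.7 tcp 443"),
    ("TokyoBranch", "Asia/Tokyo", "2012-04-23 22:00:00 Allow 10.0.2.20 -> 198.51.100.7 tcp 443"),
    ("DefaultDevice", "UTC", "2012-04-23 13:00:00 Allow 10.0.3.9 -> 198.51.100.7 tcp 443"),
]


def device_tz(name):
    """IANA zone if available, otherwise the constructed fixed offset."""
    if ZoneInfo is not None:
        try:
            return ZoneInfo(name)
        except Exception:
            pass
    return timezone(timedelta(hours=FIXED_OFFSET_HOURS[name]))


def to_utc(local_ts, tz_name):
    """Interpret a naive 'YYYY-MM-DD HH:MM:SS' device timestamp in the device's
    configured time zone and return an aware UTC datetime."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=device_tz(tz_name)).astimezone(timezone.utc)


def normalize(entries):
    """Return (utc_datetime, device, message) tuples in true chronological order."""
    rows = []
    for device, tz_name, line in entries:
        local_ts, message = line[:19], line[20:]
        rows.append((to_utc(local_ts, tz_name), device, message))
    rows.sort(key=lambda row: row[0])
    return rows


def skew_hours_if_left_at_gmt(local_ts, true_tz_name):
    """How far off (in hours) an event appears if the device is left at the default
    GMT while it physically sits in true_tz_name."""
    delta = to_utc(local_ts, "UTC") - to_utc(local_ts, true_tz_name)
    return delta.total_seconds() / 3600


if __name__ == "__main__":
    for utc_dt, device, message in normalize(SAMPLE_LOG):
        print(utc_dt.isoformat(), device, message)
    print("Tokyo device left at GMT is off by",
          skew_hours_if_left_at_gmt("2012-04-23 22:00:00", "Asia/Tokyo"), "hours")
```

The three constructed lines describe the same instant (13:00 UTC) even though their local timestamps differ by up to thirteen hours; a Tokyo device left at the default GMT would place its events nine hours late in that merged view.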
Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.
1. Circle the correct answer: To save a changed device configuration file to the XTM device, use the
[Status | Configuration] passphrase.
2. Select the correct answer: Corporate headquarters is in Detroit. The branch office XTM device is
located in Tokyo. You should set the branch office device time zone to:
A) (GMT-06:00) Central Time (US & Canada)
B) (GMT+09:00) Osaka, Sapporo, Tokyo

3. True or false? You can save the device configuration file to a USB flash drive.
4. How frequently should you make a backup image of your device?
A) Daily
B) Weekly
C) Monthly
D) Each time you make a substantial change to the configuration
E) Never

5. Which of the following information is used by WatchGuard System Manager applications to
identify an XTM device? (Select all that apply.)
A) Firebox Name
B) System administrator name
C) Encryption key
D) Model number
E) External IP address
Network Settings
Configure XTM Device Interfaces

What You Will Learn

An XTM device has three types of interfaces: external, trusted, and optional. To use your device in a network, you must set the IP addresses of the interfaces. You can also enable routing features on some interfaces. In this training module, you learn how to:
- Configure external network interfaces using a static IP address, DHCP, or PPPoE
- Configure trusted and optional network interfaces
- Use the XTM device as a DHCP server
- Add WINS/DNS server locations to the device configuration
- Add Dynamic DNS settings to the device configuration
- Set up a secondary network or address
Before you begin these exercises, make sure you read the Course Introduction module.

Properties and Features of XTM Device Interfaces

A firewall physically separates the networks on your local area network (LAN) from those on a wide area
network (WAN) like the Internet. One of the basic functions of a firewall is to move packets from one
side of the firewall to the other. This is known as routing. To route packets correctly, the firewall must
know what networks are accessible through each of its interfaces.
The device provides additional functionality for some interfaces. External interfaces can be configured
to work with Dynamic DNS. Trusted and optional interfaces can be set up with the device as a DHCP
(Dynamic Host Configuration Protocol) server.
The device has three types of network interfaces:
External Interfaces
A device external interface connects to a wide area network (WAN), such as the Internet, and can have either a static or dynamic IP address. The device gets a dynamic IP address for the external interface from either a DHCP (Dynamic Host Configuration Protocol) server or a PPPoE (Point-to-Point Protocol over Ethernet) server. With DHCP, the device uses a DHCP server controlled by your Internet Service Provider (ISP) to get an IP address for the external interface, a gateway IP address, and a subnet mask. With PPPoE, the device authenticates to your ISP's PPPoE server with a user name and password to get the same information. Fireware XTM supports both unnumbered and static PPPoE connections. For more information about unnumbered PPPoE connections, see the Unnumbered Connections article on Microsoft TechNet.
Trusted Interfaces
A trusted interface connects the private local area network (LAN) or internal network that you want
to secure. Because a trusted interface is a LAN interface, the IP address for a trusted interface is
static. Usually, trusted interfaces use private or reserved IP addresses that conform to RFC 1918.
Optional Interfaces
Optional interfaces connect to your optional networks, which are mixed trust or DMZ environments
separated from your trusted networks. Public web, FTP, and mail servers are usually found in
optional networks.
Most users configure at least one external and one trusted interface on their device. You can configure
any interface as trusted, optional, or external. You can have a maximum of four physical external
interfaces.
When you configure the IPv4 addresses for interfaces on a device, you must use slash notation to
denote the subnet mask. For example, you enter the network range 192.168.0.0 with subnet mask
255.255.255.0 as 192.168.0.0/24, and a trusted interface with the IP address of 10.0.1.1/16 has a subnet
mask of 255.255.0.0.
Requirements for XTM Device Interfaces
Each interface on the XTM device can connect to a different network. The computers and servers
protected by the device can use either private or public IP addresses. The device uses network address
translation (NAT) to route traffic from the external network to computers on the trusted and optional
networks.
All devices behind the trusted and optional interfaces must have an IP address from the network
assigned to that interface. To make this easy to remember, many administrators set the interface
address to the first or last IP address in the range used for that network. In the graphic below, for
example, the IPv4 address of the trusted interface could be 10.0.1.1/24 and the IPv4 address of optional
interface could be 10.0.2.254/24.
About DHCP Server and DHCP Relay
You can configure the XTM device to assign IP addresses automatically through DHCP to devices on the
trusted or optional networks. You can also configure the device for DHCP relay. When you use DHCP
relay, computers behind the device can use a DHCP server on a different network to get IP addresses.
The device sends the DHCP request to a DHCP server at a different location than the DHCP client. The
device sends the DHCP server reply to the computers on the trusted or optional network. This option
lets computers in more than one office use the same IP address range.
About WINS/DNS
Several XTM device features use Windows Internet Name Service (WINS) and Domain Name System (DNS) server IP addresses; remote-user virtual private networks, for example, hand these addresses to connecting clients. The servers must be reachable from the trusted interface of the device. Use only internal WINS and DNS servers here, so that your firewall policies do not inadvertently prevent users and services from reaching the name servers.
About Network Modes
The XTM device can be configured in Mixed Routing, Drop-In, or Bridge mode.
Mixed Routing mode
- All of the XTM device interfaces are on different networks.
- Trusted and optional interfaces must be on different networks. Each interface has an IP address on its network.
- Use static NAT (network address translation) or 1-to-1 NAT to map public addresses to private addresses behind the trusted or optional interfaces.
Drop-In mode
- All of the XTM device interfaces are on the same network and have the same IP address.
- The computers on the trusted or optional interfaces can have a public IP address.
- Because the computers can have public IP addresses, NAT is not necessary.
Bridge mode
- All of the XTM device interfaces are on the same network. You specify an IP address to use to manage the device.
- Traffic from all trusted or optional interfaces is examined and sent to the external interface. Interface IP addresses cannot be configured.
- NAT is not used in Bridge mode. Traffic sent or received through the device appears to come from its original source.
The most common configuration method is a routed (Mixed Routing) configuration. We use a routed configuration to explain most of the features and examples in this document.
About Dynamic DNS
You can use Dynamic DNS to make sure that the IP address associated with your domain name changes
when your ISP gives your XTM device a new IP address. DynDNS is the only dynamic DNS service
supported by your XTM device. For more information, go to the DynDNS web site:
http://www.dyndns.com.
About Secondary Networks
A secondary network is an additional IP network that shares the physical network segment of one of the XTM device interfaces. When you add a secondary network, you add an IP alias to the interface. This IP alias is the default gateway for all the computers on the secondary network. Secondary networks can be used only in Mixed Routing or Drop-In mode.
If your device is configured with a static IP address, you can add an IP address that is on the same
subnet as your primary external interface as a secondary network. You can then configure static NAT
rules to send traffic to the appropriate devices on that network. For example, configure an external
secondary network with a second public IP address if you have two public web servers and you want to
configure a static NAT rule for each server.
You can also add secondary networks to the external interface of a device if the external interface is
configured to get its IP address through PPPoE or DHCP. You can add up to 255 secondary networks per
device interface.
About Network Bridges
You can use network bridges to merge two or more physical network interfaces on your XTM device. A
bridge operates in the same way as a normal network interface. For more information, see the Fireware
XTM WatchGuard System Manager Help or User Guide.
About Static Routes
You can use static routes to control how your XTM device sends traffic to other devices. For example,
you can create a static route to specify that all traffic that goes to a server at another company is sent
through a different external interface. For more information, see the Fireware XTM WatchGuard System
Manager Help or User Guide.
About VLANs
VLANs (Virtual Local Area Networks) are an advanced network feature that allow you to group devices
by traffic patterns instead of by physical network access. You can use VLANs to connect devices on
different networks so that they appear to be part of the same network. For more information, see the
advanced VLAN training course, or the Fireware XTM WatchGuard System Manager Help or User Guide.
About Multi-WAN
The multi-WAN feature allows you to send network traffic to up to four external interfaces. This is useful
when you want to have a backup Internet connection, or if you want to divide your outgoing network
traffic between multiple physical interfaces. Multi-WAN settings do not apply to incoming network
traffic, and you can only use this feature in Mixed Routing mode. For more information, see the
advanced Multi-WAN training course, or the Fireware XTM WatchGuard System Manager Help or User
Guide.
About FireCluster
If you have two XTM devices of the same model, and you use Fireware XTM with a Pro upgrade, you can
configure the two devices as a FireCluster for high availability and load sharing. You manage the cluster
as a single virtual device. You can use FireCluster with the WatchGuard XTM 5 Series, 8 Series, and XTM
1050 devices.
To set up FireCluster, connect the two cluster members to each other through a dedicated FireCluster network interface. Then connect the external, trusted, and optional network interfaces on each device to network switches. Each pair of interfaces (for example, the trusted interface on each member) connects to one switch, and each pair must use a different switch.
You can configure the XTM devices as an active/active cluster for high availability and load sharing, or
as an active/passive cluster for high availability without load sharing.
An active/active FireCluster uses multicast MAC addresses. Most network routers and managed
switches ignore traffic from multicast MAC addresses by default. Before you enable an active/active
FireCluster, make sure your network routers and other devices are configured to properly route traffic
to/from the multicast MAC addresses. For an active/active FireCluster, you must also add static ARP
entries for your routers to the FireCluster configuration in Policy Manager.
For more information about network configuration requirements, see the FireCluster section of the
Fireware XTM WatchGuard System Manager Help or User Guide.
About IPv6
Fireware XTM v11.5.3 supports a limited set of IPv6 networking features:
- XTM device interface addresses: You can add a static IPv6 address to the External, Trusted, or Optional interfaces when the device is configured in mixed routing mode. Each interface must still have an IPv4 address configured.
- DNS servers: You can use an IPv6 address to specify a DNS server.
- Static routes: You can add an IPv6 static route.
- Device management: You can use an IPv6 address to connect to the Fireware XTM Web UI or the CLI for device management. You cannot use the static IPv6 address to connect to the XTM device from WatchGuard System Manager.
- Diagnostic logging: You can set the diagnostic log level for IPv6 advertisements.
Fireware XTM supports basic routing of IPv6 traffic. However, Fireware XTM security and advanced networking features do not apply to IPv6 traffic. If you enable IPv6 on an interface, treat it as a bridged connection: policies, proxies, default threat protection, and all security services do not apply to IPv6 traffic, so IPv6 packets pass without inspection.
Features that do not apply to IPv6 traffic include:
- Firewall policies and proxies
- Default threat protection
- Authentication
- Security Services
- Multi-WAN
- VLAN interfaces
- Bridge interfaces
- Drop-in mode
- Bridge mode
- Dynamic routes
- FireCluster
- Any other feature not in the list of supported IPv6 features
WatchGuard continues to add more IPv6 support to Fireware XTM for all XTM device models. For information about the WatchGuard IPv6 roadmap, see http://www.watchguard.com/ipv6/index.asp.
Because IPv6 support is limited in this release, the exercises in this training focus on device configuration in an IPv4-only environment.
Exercise 1: Use a Dynamic IP Address for an External Interface

The XTM device can get a dynamic IP address for an external interface with DHCP or Point-to-Point
Protocol over Ethernet (PPPoE). At the Successful Company, the network administrators start with an IP
address assigned by DHCP for their external interface. However, as their company grows, they change
this to a static IP address, and add a backup PPPoE connection.
Configure the External Interface for DHCP
In this exercise, we use Policy Manager to configure an external interface of the Successful Companys
XTM device to get its IP address from a DHCP server.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. In the Interfaces list, select External (Interface 0). Click Configure.
The Interface Settings dialog box appears.
3. In the Interface Name text box, type InternetConnection.
4. In the Interface Description text box, type Connect to the Cloud.
5. Make sure that the Interface Type is set to External.
6. Select Use DHCP Client.
7. Select Obtain an IP Automatically.
For most DHCP connections, you do not need to configure any additional settings.
8. Click OK.
DHCP appears in the IP Address column in the Network Configuration dialog box.
Configure the External Interface to Use PPPoE
Another way to get a dynamically assigned address for an XTM device external interface is to use a
PPPoE server. When you do this, your ISP gives you the user name and password. In this exercise, we
configure a Successful Company interface to use PPPoE.
In the Network Configuration dialog box:
1. In the Interfaces list, select Optional-2 (Interface 3). Click Configure.
The Interface Settings dialog box opens.
2. In the Interface Type drop-down list, select External.
3. In the Interface Name text box, type BackupInternet.
4. In the Interface Description text box, type Use when primary account fails.
5. Select Use PPPoE.
6. In the User Name text box, type the PPPoE user name. For this exercise, type username.
7. Type and confirm the PPPoE passphrase. For this exercise, type passphrase.
8. Click OK.
PPPoE appears in the IP address field in the Network Configuration dialog box.
Use Dynamic DNS
When you use a dynamically assigned IP address for an external interface, it is important to maintain
the connection between your current IP address and your domain name. In this exercise, we configure
the Successful Company XTM device to use the DynDNS service.
In the Network Configuration dialog box:
1. Select the Dynamic DNS tab.
2. In the Interfaces list, select InternetConnection (0). Click Configure.
The Per Interface Dynamic DNS dialog box appears.
3. Select the Enable Dynamic DNS check box.
4. In the User Name text box, type successfulco.
5. In the Password and Confirm text boxes, type password.
6. In the Domain text box, type wgtraining.com.
7. In the Service Type drop-down list, make sure dyndns (Dynamic DNS) is selected.
This is the default option.
For more information on each option, see http://www.dyndns.com/services/.
8. Make sure the Options text box is clear.
You can also type dynamic DNS options in this text box.
For more information on options, see http://www.dyndns.com/developers/specs/syntax.html
The service types are:
- dyndns sends updates for a Dynamic DNS host name.
- statdns sends updates for a Static DNS host name.
- custom sends updates for a Custom DNS host name.
9. In the Forced Update text box, type or select a time interval (in days) to force an update of the
IP address.
For this exercise, keep the default number of 28 days.
10. Click OK.
The Dynamic DNS status appears as Enabled on the Network Configuration Dynamic DNS tab.
11. Click OK.
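The Dynamic DNS settings above drive an HTTP update client inside the device. The following Python is an added example, not WatchGuard's implementation: it builds the nic/update request as the DynDNS update specification linked above describes it, interprets the one-line response codes, and implements the rule the Forced Update interval exists for, namely that a client sends an update only when the address changes or when the forced-update interval has elapsed. The account name successfulco and the domain wgtraining.com are the exercise's values; the addresses 203.0.113.x, the user-agent string and the server replies are constructed. The credentials travel as HTTP Basic authentication, which is only encoding, so a real client should use TLS.

```python
import base64

UPDATE_HOST = "members.dyndns.org"
FORCED_UPDATE_DAYS = 28  # Policy Manager's default Forced Update interval

# Response codes from the DynDNS update specification and how a client should react.
# A fatal code means: stop sending until a person fixes the configuration; a client
# that keeps retrying after badauth/nohost/abuse gets the account blocked.
RESPONSE_CODES = {
    "good": ("address updated", False),
    "nochg": ("address unchanged; do not resend until it changes", False),
    "badauth": ("bad user name or password", True),
    "notfqdn": ("hostname is not a fully qualified domain name", True),
    "nohost": ("hostname does not exist in this account", True),
    "numhost": ("too many hosts in one request", True),
    "abuse": ("hostname blocked for abuse", True),
    "badagent": ("client user-agent blocked", True),
    "dnserr": ("server-side DNS error; retry later", False),
    "911": ("server maintenance; retry later", False),
}


def build_update_request(user, password, hostname, new_ip, user_agent="example-ddns/1.0"):
    """Raw HTTP request an update client sends. Credentials travel as HTTP Basic
    authentication (base64, not encryption), so send this over TLS in practice."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (
        f"GET /nic/update?hostname={hostname}&myip={new_ip} HTTP/1.1\r\n"
        f"Host: {UPDATE_HOST}\r\n"
        f"Authorization: Basic {token}\r\n"
        f"User-Agent: {user_agent}\r\n"
        "\r\n"
    )


def parse_update_response(body):
    """Return (code, ip_or_None, description, is_fatal) from the one-line body."""
    parts = body.strip().split()
    code = parts[0] if parts else ""
    description, fatal = RESPONSE_CODES.get(code, ("unrecognised response", True))
    ip = parts[1] if code in ("good", "nochg") and len(parts) > 1 else None
    return code, ip, description, fatal


def update_needed(current_ip, last_sent_ip, days_since_last_update, forced_days=FORCED_UPDATE_DAYS):
    """Send only when the address changed, or when the forced-update interval has
    passed (a host that never receives an update can expire). Repeating an
    unchanged address before then is what earns an 'abuse' response."""
    if current_ip != last_sent_ip:
        return True
    return days_since_last_update is None or days_since_last_update >= forced_days


if __name__ == "__main__":
    print(build_update_request("successfulco", "password", "wgtraining.com", "203.0.113.10"))
    # Constructed server replies, as they would arrive in the response body.
    for reply in ("good 203.0.113.10", "nochg 203.0.113.10", "badauth"):
        print(reply, "->", parse_update_response(reply))
```

The fatal flag is the part worth copying into any home-grown updater: a client that retries badauth or nohost in a loop is indistinguishable from abuse and gets the host blocked, which is worse than a stale record.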
Exercise 2: Configure an External Interface with a Static IP Address

To configure an external interface with a static IP address, you must know the IP address, the subnet
mask in slash notation, and the default gateway. In this exercise, you use Policy Manager to configure
the primary external IP address of the Successful Company network to use a static IP address.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the Interfaces tab.
3. In the Interfaces list, select InternetConnection (Interface 0). Click Configure.
The Interface Settings dialog box appears.
4. Select Use Static IP.
5. In the IP Address text box, type the WatchGuard External IP address specified on your desktop.
This is a fictional lab address. With a real-world static IP address, the Internet Service Provider (ISP) provides the IP address, subnet mask, and default gateway.
6. In the Default Gateway text box, type
7. Click OK.
The external IP address appears in the Network Configuration dialog box.
8. Click OK.
Your static IP address information is saved from the previous configuration.
Exercise 3: Configure a Trusted Interface as a DHCP Server

In this exercise, we use Policy Manager to configure a trusted interface on the Successful Company XTM
device as a DHCP server.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the Interfaces tab.
3. In the Interfaces list, select Trusted (Interface 1). Click Configure.
The Interface Settings dialog box opens.
4. In the Interface Name text box, type OurLAN.
5. In the Interface Type drop-down list, make sure that Trusted is selected.
6. In the IP address text box, keep the default selection of 10.0.1.1/24.
7. Select the Use DHCP Server radio button.
8. In the Address Pool section, select any existing address pool and click Delete.
9. Click Add.
The Add Address Range dialog box appears.
10. In the Starting address text box, type 10.0.1.100.
11. In the Ending address text box, type 10.0.1.200.
12. Click OK.
The new addresses appear in the Address Pool list.
13. From the Leasing Time drop-down list, select 24 hours.
14. Click OK.
15. Click OK.
Exercise 4: Configure an Optional Interface

Optional interfaces are commonly used for servers which are used by both the public and members of
your organization, such as HTTP and FTP servers. In this exercise, we configure an optional network that
Successful Company can use for their public servers.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the Interfaces tab.
3. In the Interfaces list, select Optional-1 (Interface 2). Click Configure.
The Interface Settings dialog box appears.
4. In the Interface Type drop-down list select Optional.
5. In the Interface Description text box, type Servers used by customers and vendors.
6. In the Interface Name text box, type PublicServers.
7. In the IP Address text box, keep the default network IP address of 10.0.2.1/24.
8. Make sure Disable DHCP is selected.
Because this network does not use DHCP, no further configuration is necessary.
9. Click OK.
The new settings appear for Interface 2.
10. Click OK.
Exercise 5: Configure WINS/DNS Server Information
Several Fireware XTM features operate correctly only if you configure a WINS/DNS server on your trusted network. These features include Gateway AntiVirus, Intrusion Prevention Service, spamBlocker, and Mobile VPN (Virtual Private Networks). In this exercise, we use Policy Manager to configure the Successful Company XTM device to use WINS/DNS servers on the OurLAN and PublicServers networks.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the WINS/DNS tab.
3. In the Domain Name text box, type wgtraining.com.
4. In the DNS Servers text box, type 10.0.1.2 and click Add.
In the DNS Servers text box, type 10.0.2.2 and click Add.
These are the IP addresses of the internal DNS servers for this exercise.
You are not required to enter more than one DNS server. However, we recommend that you add more than
one DNS server to make sure that users can still get DNS name resolution when the primary server is not
available.
5. In the WINS Servers text boxes, type 10.0.1.2 and 10.0.2.2.
These are the IP addresses for the internal WINS servers for this exercise.
6. Click OK.
Your instructor might provide a WINS/DNS server on the training network.
Exercise 6: Configure a Secondary Network

A secondary network is a network that shares one of the same physical networks as one of the XTM
device interfaces. In this exercise, we use Policy Manager to add a secondary network to the Successful
Company OurLAN trusted network.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the Interfaces tab.
3. In the Interfaces list, select OurLAN (Interface 1). Click Configure.
The Interface Settings dialog box appears.
4. Click the Secondary tab.
5. Click Add.
The Add a secondary network dialog box appears.
6. In the IP Address text box, type 172.16.0.1/24. Click OK.
7. Click OK to close the Interface Settings dialog box.
8. Click OK to close the Network Configuration dialog box.
9. Save the configuration file. Name the file with today's date, the revision number, and your initials.
Example: 03292012-1-jd.xml (March 29, 2012, revision 1, by Jon Doe)
Frequently Asked Questions

Can I use any IPv4 address for my trusted and optional networks?
You can, but we suggest that you use only IP addresses specified in RFC 1918. These private
networks include any of these IP address ranges:
- 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
- 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
- 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
If you use any other IP address range, you can have a conflict. For example, if you configure your
trusted network with the IP address 206.253.208.100/24, any user on the trusted network that tried
to go to the WatchGuard web site would fail because 206.253.208.100 is the IP address of the
WatchGuard web site. The XTM device would route 206.253.208.100 traffic to the trusted interface
instead of the external interface to get to the WatchGuard web site server.
What is slash notation?
Slash notation, also known as CIDR (Classless Inter-Domain Routing) notation, is a shorter way to
write an IPv4 address and its subnet mask together.
To find the slash number for a subnet mask:
- Convert the subnet mask to binary.
- Count the 1 bits in the subnet mask. That count is the slash number.
Some of the most common network masks are:
Network mask       Slash
255.0.0.0          /8
255.255.0.0        /16
255.255.255.0      /24
255.255.255.128    /25
255.255.255.192    /26
255.255.255.224    /27
255.255.255.240    /28
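The following Python is an added example, not part of the courseware: it performs the slash-to-mask conversion described above, counts the 1 bits of a dotted mask (and rejects masks whose bits are not contiguous), and checks a candidate trusted or optional network against RFC 1918 and against the 206.253.208.100 routing conflict described in the FAQ. The RFC 1918 ranges and the example addresses are taken from the text; everything else is constructed for the example.

```python
import ipaddress

# The three RFC 1918 private ranges listed in the FAQ.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def slash_to_mask(prefix_len):
    """Return the dotted-decimal mask for a /prefix_len, e.g. 25 -> 255.255.255.128.

    A mask is prefix_len one-bits followed by zero-bits, so we build the 32-bit
    value in binary and format each octet, which is the conversion the FAQ describes.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    bits = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_slash(mask):
    """Count the 1 bits of a dotted-decimal mask and return the slash number.

    A valid mask is a contiguous run of ones, so a value such as 255.255.255.125
    (a common typo for .128) is rejected instead of silently producing /30.
    """
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    if value != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones


def is_rfc1918(network):
    """True if the whole network lies inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(network, strict=False)
    return any(net.subnet_of(private) for private in RFC1918)


def check_internal_network(network, public_hosts):
    """Return the problems a candidate trusted/optional network would cause.

    Reports a non-RFC 1918 range, plus every public host whose address falls inside
    the range: the device would route traffic for that host to the internal
    interface instead of the external interface, as the FAQ describes for the
    WatchGuard web site.
    """
    net = ipaddress.ip_network(network, strict=False)
    problems = []
    if not is_rfc1918(network):
        problems.append(f"{net} is not an RFC 1918 private range")
    for host in public_hosts:
        if ipaddress.ip_address(host) in net:
            problems.append(f"{host} falls inside {net} and would be routed internally")
    return problems


if __name__ == "__main__":
    # Reproduce the FAQ's mask table, then check the two networks the module uses.
    for prefix in (8, 16, 24, 25, 26, 27, 28):
        print(f"{slash_to_mask(prefix):<17} /{prefix}")
    # Constructed check: the FAQ's conflicting range against the WatchGuard web site address.
    for problem in check_internal_network("206.253.208.100/24", ["206.253.208.100"]):
        print("PROBLEM:", problem)
    # The secondary network from Exercise 6 is private and conflict-free.
    print("172.16.0.1/24 problems:", check_internal_network("172.16.0.1/24", ["206.253.208.100"]))
```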
Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.
1. When you use a static IP address for the external interface, what information must you get from
your ISP? (Select all that apply).
A) An IP address
B) A default gateway address
C) A subnet mask
D) A password or passphrase
E) A user name

2. True or false? If you use DHCP on the external interface of the XTM device, you can configure a
secondary network for the external interface.
3. True or false? You can configure the XTM device as a DHCP server.
4. What features use the WINS/DNS settings in the Network Configuration dialog box?
(Select all that apply.)
A) Mobile VPN connections to the XTM device
B) Your ISP to route to the XTM device
C) Computers on your trusted and optional networks
D) Your WatchGuard Management Computer
E) DHCP

5. True or false? You can only add secondary networks in Bridge mode.
6. Which two interfaces are necessary to create a basic network configuration in Mixed Routing
mode? (Select one.)
A) External and optional
B) Trusted and optional
C) External and trusted

7. Which of these items is NOT a method used to assign an IP address to the external interface of an
XTM device? (Select one.)
A) Static addressing
B) DHCP
C) PPPoE
D) PPPoA

8. True or false? Only the trusted interface of an XTM device is able to assign IP addresses as a DHCP
Server.
9. True or false? Only an active/active FireCluster uses multicast MAC addresses.
10. True or false? Firewall policies apply to both IPv4 and IPv6 network traffic.
Fireware XTM Basics

Logging and Reporting
Set Up Logging and Reporting, View Logs, and Reports

What You Will Learn

Your WatchGuard XTM device sends log messages to a Log Server, which provides data for the Report
Server, and triggers notifications and alerts. The Report Server generates reports from your log
messages that you can use to troubleshoot problems on your network. You can use Log and Report
Manager to view the reports that your Report Server generates and to run other On-Demand Reports
and Per Client reports.
In this training module, you learn how to:
- Set up a Log Server
- Configure an XTM device to send messages to a Log Server
- Configure logging and notification preferences
- Use Log and Report Manager to search log messages
- Export log messages in a CSV file
- Set up and configure a Report Server
- Generate and save reports at regular intervals
- Change report settings
- Save, print, and share reports
Before you begin these exercises, make sure you read the Course Introduction module.
In this module, you will connect to one or more XTM devices and WatchGuard servers. If you take this
course with a WatchGuard Certified Training Partner, your instructor will provide the IP address and
passphrases for the devices and servers used in the exercises.

Logging and Reporting Setup Process Overview

To set up logging and reporting for your network, you must configure the logging settings for your XTM
devices, and set up and configure your WatchGuard Log Server and Report Server.
The complete process includes:
1. Install the WatchGuard Log Server and Report Server on your management computer or another
computer in your network.
You can also install your Log Server and Report Server on different computers. You can install more than one
Log Server on your network, but you only install one Report Server.
2. Run the WatchGuard Server Center Setup Wizard to set up your Log Server and Report Server.
If your Log Server and Report Server are on different computers, you must run the wizard on each computer
to set up each server separately.
3. Configure the settings for your Log Server.
Specify database and notification settings.
4. Configure the settings for your Report Server.
Specify databases, notification, and logging settings, and create schedules for report generation.
5. Configure your XTM device to send log messages to your Log Server.
Specify the IP addresses of the Log Server where your device sends log messages, set the priority for your Log
Servers, and enable logging in your policies.
6. Use Log and Report Manager to review log messages and Available Reports, and generate new
On-Demand and Per Client reports.
For instructions to configure logging on your network, see the topic Quick Start Set Up Logging for
Your Network in the WatchGuard System Manager Help.
You can use role-based administration to enable users who do not have administrative rights to also
use Log and Report Manager to view log messages and see and generate reports. For more information
about how to use WatchGuard Server Center to add a user, see the topic Define or Remove Users or
Groups in the WatchGuard System Manager Help, and follow the instructions to add a user in
WatchGuard Server Center.

Maintain a Record of Device Activity

At its most basic level, logging is the process of recording the activity that occurs at an XTM device.
Notification is the process of telling an administrator when a specified activity has occurred.
For example, when the XTM device denies a packet, this event is recorded in the log file. When the
device determines that a set of events indicates a threat that you have configured for notification, such
as a port space probe, your network security administrator is alerted. The types of notification
messages you can receive include an email message, a pop-up message on the management
computer, or an SNMP trap. When the network security administrator receives a notification message
for a threat to the network, he can use that information to help him examine the log files and make
decisions about how to make the network more secure. He could decide to block the ports on which
the probe was used, block the IP address that sent the packets, or inform the ISP through which the
packets were sent.
Logging and Notification Architecture
To understand how logging and notification work, you must know the components of the WatchGuard
logging and notification system.
WatchGuard System Manager and Policy Manager
You use WatchGuard System Manager (WSM) and Policy Manager to set rules for the types of events
that prompt the XTM device to send log messages and notifications. WSM supplies the tools to see
the log messages the XTM device creates, and to generate reports of XTM device events. With Policy
Manager, you can configure Log Servers for your XTM devices.
XTM Device
The XTM device creates log messages for each event that occurs, including events for the device
itself, and sends the messages to the configured Log Server according to the rules you configure in
the device's security policy. If an event has a notification action associated with it, the device sends a
notification to the Log Server.

Log Server
The WatchGuard Log Server is the computer to which your XTM device sends all log messages. The
Log Server stores log messages in a PostgreSQL database. You can use your management computer
as the Log Server, or you can use a different computer. The device must be able to send traffic to the
Log Server computer.
[Figure: logging and notification flow. (2) The XTM device generates log messages and sends them to
the Log Server. (3) The Log Server saves the messages and sends notifications.]
See Log Messages
You can use two different WSM tools to see the log messages generated by the XTM device:
Log and Report Manager
To see log file data from WSM, you use the Log and Report Manager web UI. It can show the log data
page by page, or you can search log messages for specific details, such as key words or log fields.
Log and Report Manager is available to you after you install the Log Server software.
Traffic Monitor
For a quick look at the log messages generated by your XTM device, use the Firebox System
Manager Traffic Monitor. With Traffic Monitor, you can apply color to different types of messages,
and ping or traceroute to the IP addresses of computers included in the log messages.
Log Server
The Log Server collects log messages from your XTM devices and WatchGuard servers. The Log Server
also sends notification messages when it gets a notification request from the device. You can install the
Log Server software on your management computer, or on a different computer by selecting to install
only the Log Server component when you install WSM.
In addition to installing the software, you must configure the Log Server with a Log Server encryption
key. The XTM device uses this key to encrypt log messages sent to the Log Server. The same key must
be used on the device and on the Log Server. The encryption key must be no less than eight and no
more than 32 characters. You set the Log Server encryption key when you configure the Log Server
with the WatchGuard Server Center Setup Wizard. One Log Server can receive and store logs from
many XTM devices.
If you install the Log Server on a computer with a desktop firewall other than Windows Firewall, to
enable the WatchGuard Log Server to connect through the firewall you must open TCP ports 4107 and
4115 on that firewall. If you use the default Windows firewall, you do not have to change your
configuration.
Log Servers operate in failover mode, not redundancy mode. In other words, an XTM device can only
send messages to one WatchGuard Log Server at a time. The backup Log Server is used only when the
primary server becomes unavailable.


[Figure callout, continued: (1) Set your logging rules and save them to the XTM device.]
Log Messages
WatchGuard System Manager includes strong and flexible log message tools. An important feature of a
good network security policy is to collect log messages from your security systems, examine those
messages frequently, and keep them in an archive. You can use log files to monitor your network
security and activity, identify any security risks, and address them.
WatchGuard XTM devices send log messages to your WatchGuard Log Server. They can also send log
messages to a syslog server or keep a limited number of log messages locally on your XTM device. You
can choose to send log messages to one or more of these locations.
The XTM device sends five types of log messages: Traffic, Alarm, Event, Debug, and Statistic. Each log
message includes the name of the log type as part of the log message.
Traffic Log Messages
The XTM device sends traffic log messages as it applies packet filter and proxy policy rules to traffic
that goes through the device.
Alarm Log Messages
Alarm log messages are sent when an event occurs that causes the XTM device to send a
notification request.
Event Log Messages
The XTM device sends an event log message because of user activity. Actions that cause the device
to send an event log message include:
- Device start up and shut down
- Device and VPN authentication
- Process start up and shut down
- Problems with the XTM device hardware components
- Tasks completed by the XTM device administrator
Debug Log Messages
Debug log messages include information used to help troubleshoot problems. You can select the
level of debug log messages to see in Traffic Monitor or write to a log file.
Statistic Log Messages
Statistic log messages include information about the performance of the XTM device. By default,
the device sends log messages about external interface performance and VPN bandwidth statistics
to your log file. You can use these log messages to change your device settings as necessary to
improve performance.
Log Files
The XTM device sends log messages to a primary or backup Log Server. Log messages are stored in a
SQL database file in the location you specify when you run the setup wizard. We recommend that you
select the built-in directory location for your operating system:
Windows XP    C:\Documents and Settings\WatchGuard\logs
Windows 7     C:\ProgramData\WatchGuard\logs

Build Reports from Log Messages

When you install WatchGuard System Manager, you have the option to install the WatchGuard Report
Server on either the management computer or another computer with Microsoft Windows. The Report
Server periodically collects data from one or more of your WatchGuard Log Servers. You can then use
Log and Report Manager to review the collected data and generate reports. Log and Report Manager is
automatically available when you install the Report Server.
The WatchGuard Web Services API for Reporting is also automatically installed with the Log Server or
Report Server. You can use the WatchGuard Web Services API to extract Log Server and Report Server
data for custom reports. For more information about this tool, see the Fireware XTM WatchGuard System
Manager Help.
To use Log and Report Manager from a computer that is external to your XTM device when your Report
Server is behind the XTM device, you must open a port to allow the Log and Report Manager traffic
between the Report Server and the IP address of your external computer. To open the correct port
(4130), add the WG-LogViewer-ReportMgr packet filter policy to your XTM device configuration.
For more information about how to add a policy to your configuration, see the module Policies, on
page 99 or the Fireware XTM WatchGuard System Manager Help.
WatchGuard Reports
WatchGuard Reports are summaries of the log data that you have selected to collect from your XTM
device log files. Log and Report Manager consolidates the log data into a variety of predefined reports
so you can quickly and easily locate and review the actions and events that occur at your XTM device.
The predefined reports include:
Report Type / Report Name: Description

Application Control
  Application Usage Summary: Summary report of application usage data
  Top Applications by user: Summary of application usage data by user
  Top Applications by host: Summary of application usage data by host
  Top Users Blocked: Summary of users blocked by Application Control
  Top Hosts blocked: Summary of hosts blocked by Application Control
Audit Reports
  Server Audit Details: Detailed report of server activity
  Server Audit Summary: Summary of server activity
  Server Authentication Audit: Summary of server authentication
BUM Report
  BUM Report: Detailed report for all XTM devices and VPN tunnels managed by your Management Server
Client Reports
  Top Client Reports: Top client reports by application usage, blocked applications, blocked categories,
  proxy bandwidth, and proxy connection count
ConnectWise Reports
  (ConnectWise Reports are only available if you have a ConnectWise account and have configured the
  ConnectWise settings for your Report Server.)
  Firebox Statistics: XTM device bandwidth statistics for all interfaces
  Intrusion Prevention Service Summary: All intrusion prevention actions
  Most Popular Domains: Top web sites visited by clients
  WebBlocker (Summary, by Category, and by Client): Statistics and web sites blocked by WebBlocker service
Exceptions
  Alarms: All alarm records
  Denied packets detail: Detailed report for each incoming or outgoing action
  Denied packets by client detail: Detailed report of all denied packets, grouped by client
  Denied packets by client summary: Summary report of all denied packets, grouped by client
Firebox Reports
  Audit trail: Detailed list of audited configuration changes for an XTM device
  Bandwidth/Transfer Rate (for external interfaces and VPN tunnels): These reports are generated when a
  Bandwidth report is scheduled. They include information about the bandwidth/transfer rate for external
  interfaces and VPN tunnels. The data sampling interval is based on the report time range. The minimum
  interval is 1 minute. The published report samples data every 10 minutes.
  DHCP lease activity: Detailed report of all activity for the DHCP lease
  Firebox statistics: XTM device bandwidth statistics for all interfaces
  User Authentication: Detailed list of users authenticated. Includes login time, logout time, and
  connection method information
  User Authentication Denied: Detailed list of users denied authentication. Includes date, time, and
  reason for authentication failure
Gateway AntiVirus Reports
  Detail by email sender: Gateway AntiVirus action details by email sender. Available for SMTP or POP3
  Detail by host (HTTP): Gateway AntiVirus action details by host
  Detail by protocol: Gateway AntiVirus action details by protocol
  Detail by virus: Gateway AntiVirus action details by virus
  Gateway AntiVirus summary: Gateway AntiVirus action summary
Intrusion Prevention Service Reports
  Detail by IP-spoofed packets: Prevention summary details by IP-spoofed packets
  Detail by protocol: Prevention summary details by protocol
  Detail by signature: Prevention summary details by signature
  Detail by source IP: Prevention summary details by source IP
  Detail by threat level: Prevention summary details by severity
  Intrusion Prevention Service Summary: All intrusion prevention actions
Packet-Filter Summaries
  Daily trend: Summary of packet-filter data by time
  Host summary by source: Summary of packet-filter data for hosts by source
  Host summary by destination: Summary of packet-filter data for hosts by destination
  Service summary: Summary of packet-filter data by service
  Session summary: Summary of packet-filter data by session
POP3 Proxy
  POP3 Server summary: POP3 server activity summary
  Recipient summary: POP3 recipient activity
Proxy Traffic
  Proxy daily trend: Proxied traffic summary by time
  Proxy source by hits: Proxied traffic summary of hits by host
  Proxy source by bandwidth: Proxied traffic summary of bandwidth by host
  Proxy destination by hits: Proxied traffic summary of hits by destination
  Proxy destination by bandwidth: Proxied traffic summary of bandwidth by destination
  Proxy session by hits: Proxied traffic summary of hits by session
  Proxy session by bandwidth: Proxied traffic summary of bandwidth by session
  Proxy summary: Proxied traffic summary by proxy
Reputation Enabled Defense
  Reputation Enabled Defense Summary: Summary of Reputation Enabled Defense actions
SMTP Proxy
  SMTP proxy detail: SMTP proxy action records by time
  SMTP server summary: SMTP server activity summary (for internal and external email accounts)
  SMTP email summary: SMTP email activity summary (for internal and external servers)
spamBlocker Summary
  spamBlocker summary: Statistics by spam type, action, and spam senders and recipients
Web Audit Reports
  Web audit summary: Trends, active clients, most popular domains, WebBlocker information, and web sites
  blocked by proxy rules. Charts are included for the more detailed reports. You can click a chart to see
  the detailed report.
  Web audit by category: Web traffic details by category
  Web audit by client: Web traffic details by client
Web Traffic Reports
  Activity trend: Hourly trend data
  Most active clients detail: Top web traffic clients by name and IP address
  Most popular domains: Top web sites visited by clients
  URL details by client: All URLs in order by client
  URL details by domain: All URLs in order by domain
  URL details by time: All URLs in chronological order
WebBlocker Reports
  WebBlocker summary: Statistics and web sites blocked by WebBlocker service
  WebBlocker by category: Web sites blocked by category
  WebBlocker by client: Web sites blocked by client
Wireless Intrusion Detection
  Wireless Intrusion Detection Summary: Summary of all Wireless Intrusion Detection actions

View Reports with Log and Report Manager
From any web browser, you can use Log and Report Manager to view the Available Reports that you
schedule your Report Server to generate, or to generate new On-Demand Reports and Per Client
reports. With Log and Report Manager, you can:
- Select report parameters, such as date ranges and times for reports, and the XTM devices or servers
  to include in reports.
- View a report in HTML format or export it to a PDF file.
- Print or save a report.

Exercise 1: Configure Where the Device Sends Log Messages

The Successful Company administrator must tell each XTM device in the network to send log messages
to the WatchGuard Log Server. When he configures the logging settings for the XTM device, he adds
the IP address of the Log Server where the device will send log messages and the Log Server
Encryption Key to the device configuration file, and saves the configuration file to the XTM device. Then,
after he sets up the Log Server, the Encryption Key on the device matches the Encryption Key on the
Log Server, and the Log Server and XTM device can communicate. The XTM device waits until it
sends its first log message to establish a connection with the Log Server.
In this exercise, we use Policy Manager to configure the XTM device to send log messages to the Log
Server.
1. In Policy Manager, continue to work with the configuration file.
2. Select Setup > Logging.
The Logging Setup dialog box appears.
3. Select the Send log messages to the log servers at these IP addresses check box. Click
Configure.
The Configure Log Servers dialog box appears.
4. Click Add.
The Add Event Processor dialog box appears.
5. In the Log Server Address text box, type 10.0.1.2 for the IP address.
6. In the Encryption Key text box, type mylogserverkey.
7. In the Confirm Key text box, type mylogserverkey again.
The Log Server is installed locally on your server.
8. Click OK to close the Add Event Processor dialog box.
The Log server appears in the Configure Log Servers dialog box.
9. Click OK again to close the Configure Log Servers dialog box.
The Logging Setup dialog box appears.
10. Click OK to close the Logging Setup dialog box.
The XTM device does not establish a connection with the Log Server until you save the configuration file to the
device and it tries to send the first log message.
11. Save the configuration file to the device. Update the revision number in the file name to 2.
If the XTM device and Log Server do not connect, enter the encryption keys again. The most common
cause of connection problems is encryption keys that do not match.

Exercise 2: Set Up the Log Server

In this exercise, the Successful Company network administrator sets up a WatchGuard Log Server. In
most organizations, the Log Server is a dedicated computer on the trusted or optional network running
Microsoft Windows. The network administrator can also configure the Log Server on the external
network if he has many XTM devices and wants to store log files in a central location. The logging
channel is encrypted, so he does not need to use a VPN tunnel between the XTM device and the Log
Server. If necessary, the administrator can use NAT (network address translation) to route from the
external interface to the Log Server behind a firewall. Then, he can configure a WG-Logging policy to
open these ports:
- TCP 4115: Used by devices with a Fireware XTM OS
- TCP 4107: Used by devices with a WFS OS, and by all SOHO, SOHO 6, and older Edge devices
Set Up the Log Server
The first step after the Log Server is installed is to run the WatchGuard Server Center Setup Wizard. This
wizard completes the basic setup for all the WatchGuard servers you have installed on this computer.
After you set up WatchGuard Server Center, you can configure the Log Server.
Configure the Log Server
On the computer that has the Log Server software installed:

1. Right-click the WatchGuard Server Center icon in the system tray and select Open WatchGuard Server Center.
The Connect to WatchGuard Server Center dialog box appears.
2. The Username is "admin" and Passphrase is "adminpass". Click Login.
The WatchGuard Server Center appears.
3. In the Servers tree, select Log Server.
The Server Settings page for the Log Server appears.
4. Select a tab to configure the settings for your network.
In the subsequent exercises, we use the Server Settings and Database Maintenance tabs.
If you attend a class, your instructor installed the Log Server on your local system.
Exercise 3: Control Database and Notification Properties

In this exercise, we configure the Log Server to comply with the Successful Company document archive
policy. At Successful Company, the network administrator must back up critical network data, such as
log messages, to a secure drive at least once a week. Because the Log Server and Report Server are
installed on the same computer, they share a PostgreSQL database. We must make sure that the
combined maximum database size settings of both the Log Server and the Report Server do not
exceed 50% of the total disk space available on the primary operating system partition of the server
computer. This makes sure the two servers do not use more disk space than is available on the
server computer. We will also select the Built-in PostgreSQL database that is installed with the
Log Server.
Configure Database and Notification Settings
We use Log Server database maintenance and notification settings to control how long we maintain
log messages, as well as when and where we back them up to a location other than the Log Server.
1. In the WatchGuard Server Center Servers tree, select Log Server.
The Log Server pages appear with the Server Settings tab selected.
2. In the Maximum Database size text box, type the maximum allowable size in gigabytes for the
Log Server database.
Make sure that this setting, combined with the maximum size you specify for the Report Server database,
does not exceed 50% of the disk space on the server computer. For this exercise, set it to 10 GB.
3. Click Apply to save your settings. Click OK twice.
4. Select the Database Maintenance tab.
5. In the Database Backup Settings section, select the Backup log messages automatically check
box.

6. In the Backup log data every text box, type or select 7.
This sets the frequency of backups to once a week.
7. In the Database Settings section, make sure Built-in database is selected.
This is the default setting.
8. Click Apply to save your settings. Click OK twice.
Send Log Notifications to a Network Administrator
We also need to configure the Log Server to use the Successful Company email server to send
messages to the network administrators group.
1. Select the Notification tab.
2. In the Events > Send an email notification section, select the When a failure event occurs on
this Log Server and the When an event notification is received from any device or server
check boxes.
3. In the SMTP Server Settings section, in the Outgoing email server (SMTP) text box, type
mail.wgtraining.com.
To change the port for connections to the SMTP server, type the SMTP server address in this format:
<localhost>:<port number>.
4. Select the Send credentials to the email server check box.
5. In the User Name text box, type netadmingroup.
6. In the Password text box, type mailpassword.
7. In the Notification Setup section, in the Send email to text box, type
administrator@wgtraining.com.
8. In the Send email from text box, type WGlogserver@wgtraining.com.
9. In the Subject text box, type Log Server Notification.
10. Click Apply to save your changes. Click OK twice.
To use an existing PostgreSQL database on another computer, select the External PostgreSQL database
option.
If the SMTP server you are using for this training accepts connections on a port other than port 25
(the default port for SMTP traffic), you can change the port.
When you type the domain name of a mail host, the Log Server tries to do a DNS lookup on the mail host.

Change the Encryption Key
When a network administrator at Successful Company moves to London to take a job with another
company, the remaining staff recognizes that they need to change all the firewall passwords. In this
exercise, we use WatchGuard Server Center to change their Log Server encryption key, and update the
encryption key for each XTM device logging to the WatchGuard Log Server.
1. In the Servers tree, select Log Server.
The Log Server pages appear, with the Server Settings tab selected.
2. In the Encryption Key Setting section, click Modify.
The Log Server Encryption Key dialog box appears.
3. In the New key text box, type myencryptionkey. Click OK.
The Log Server Encryption Key dialog box closes and the encryption key is changed.
4. Open Policy Manager for your XTM device.
5. Select Setup > Logging.
The Logging Setup dialog box appears.
6. In the WatchGuard Log Server section, click Configure.
The Configure Log Servers dialog box appears.
7. Select the Log Server IP address in the list, and click Edit.
The Edit Event Processor dialog box appears.
8. In the Encryption Key and Confirm Key text boxes, type myencryptionkey.
9. Click OK to close the Edit Event Processor dialog box.
10. Click OK to close the Configure Log Servers dialog box.
11. Click OK to close the Logging Setup dialog box.
12. Save the configuration file to the XTM device. Save the file as NewKey.xml.
13. You would need to repeat steps 4-12 for each XTM device that sends log messages
to this Log Server.


Logging must be enabled on each policy for which you want to capture statistics. To be able to
view log messages in the next exercise, we enable logging on two policies.
1. In Policy Manager, double-click the Ping policy. Select the Properties tab and
click Logging.
2. Select the Send Log Message check box, click OK, and click OK again.
3. Repeat steps 1 and 2 with the Outgoing policy.
4. Save the configuration to the device. Save the file as LoggingEnabled.xml.


Now we must generate some traffic to log.
1. Double-click the Client 1.RDP shortcut on your desktop. This logs you on to the Windows 7
Client as user1. Verify that Internet Explorer is open and refresh the home page by
clicking the refresh icon. You should see the web page refresh every 30 seconds.
2. Disconnect from the Client 1.RDP connection.
3. From your server's Start menu, open a Command Prompt and type ping 1.2.3.4 -t
4. Minimize the Command Prompt window.

WatchGuard Fireware XTM Training
Advice: When you change the encryption key, first open Notepad and type the key carefully. Then copy and paste the key into the settings box.
Build Reports from Log Messages

Exercise 4: Use Log and Report Manager to View Log Messages

Log and Report Manager is the WatchGuard System Manager web UI tool that you can use to find
details about the traffic through your network. You can choose to see the data in your log files
page-by-page, or you can search by key words or specific log fields to find a particular log message.
This is helpful when you want to troubleshoot a problem on your network.
Log and Report Manager is available to you after you install either the Log Server or Report Server
software. If you install your Log Server and your Report Server on the same computer, you can use one
web UI to look at both your log messages and your reports. If you install them on separate computers,
you must connect to the Log and Report Manager for each server separately.
To use Log and Report Manager from a computer that is external to your XTM device when your Log
Server is behind the XTM device, you must open a port to allow the Log and Report Manager traffic
between the Log Server and the IP address of your external computer. To open the correct port, add
the WG-LogViewer-ReportMgr packet filter policy to the configuration file of the XTM device that is
your gateway Firebox.
For more information about how to add a policy to your configuration, see the Policies module.
In this exercise, we will enable certain Successful Company users to connect to Log and Report
Manager to view log messages and reports, use the Log and Report Manager Search tool to
troubleshoot a problem with email reception on the Successful Company network, and export log
messages to a CSV file.
Connect to Log and Report Manager to View Log Messages
There are two ways to connect to Log and Report Manager for your Log Server: directly to the web UI in
a web browser, or from WatchGuard System Manager.
To connect to Log and Report Manager in a web browser:
1. Open a web browser and go to https://10.0.1.2:4130.
The Log and Report Manager web UI login page appears.
2. Type your Username "admin" and Passphrase of "adminpass".
3. Click Log In.
Log and Report Manager appears, with the LOGS > Devices page selected.
4. In the Devices list, select your XTM device.
The Device page appears for your device, with all the Log Messages from this device from the last 60 minutes.
To connect to Log and Report Manager from WatchGuard System Manager:

1. Open WatchGuard System Manager and click the Log Manager toolbar icon.
Or, select Tools > Logs > Log Manager.
The Server Login dialog box appears.
2. Type your Username "admin" and Passphrase of "adminpass" and click OK.
3. Click Login.
Log and Report Manager appears, with the LOGS > Devices page selected.
4. Close the Command Prompt window.
Logging and Reporting 57
View Log Messages
1. In the Devices list, select your XTM device.
The Device page appears for your device, with all the log messages from this device from the last 60 minutes.
Traffic log messages are displayed by default.
2. Select a log message in the list.
The log message details dialog box appears with additional information about the log message you selected.
3. To sort the log messages by a column, click that column header.
The log messages are sorted by the column header you selected.
4. To view all log types, at the top of the page, select the tab for all log types.
All of the log message types appear in the log messages list.
5. To view a specific log type, at the top of the page, select the tab for the log type.
The log messages list is updated to include only log messages of the type you selected.
Run a Search
The Successful Company support team manager has contacted you because the support team is not
receiving email requests from Big Client A. To find out what is happening to email from Big Client A,
you will run a search query to see if traffic from Big Client A's email server is passing through your XTM
device to your email server.
You can use Log and Report Manager to search for any details included in the log messages for your
devices that are logging to your Log Server. You can start a search from either the main Logs > Search
page or from any Device page. From the Device page, when you specify the text to search on and click
Search, the web UI automatically switches to the Search page and populates the form with the text
you specified.
When you run a search, you can search the log messages for only one device at a time. You can save
your search parameters for each device so you can run them again for that device, but you cannot run
saved search parameters for a different device. Each time you want to run a new search for a different
device, you must specify the parameters to search on. To refine your search, you can specify the time
range and select a log type to search for.
By default, the Search page includes one search query block. To run a simple search, just type the text
to search on in one text box in the default search query block. To run a complex search with an
AND operator, specify text to search on in more than one text box in a single search query block. To run
a complex search that includes an OR operator, add another search query block. You can add up to nine
search query blocks to your search.
As part of your search parameters, you can specify the name of columns to search in. Though you can
search for any column included in your log files, some of the columns that are most often searched are:
policy, protocol, src_ip, src_port, dst_ip, dst_port, src_intf, dst_intf, app_name, and app_cat_name.
For more information about how to use Log and Report Manager, see the Logging and Reporting
topics in the Fireware XTM WatchGuard System Manager Help.
For this exercise, we will use Log and Report Manager to run a search query that inspects the traffic
from Big Client A that was not allowed through the firewall. To search the Traffic log messages on the
Log Server to find all traffic from Big Client A's source IP address that was denied, we will include the
src_ip and the disp columns in the query text.
To run a search from the Log and Report Manager Search page:
1. Select LOGS > Search.
The Search page appears with a list of all the devices logging to your Log Server.
2. Select a device.
The Search page appears with the one search query block displayed.
3. From the Time Range drop-down list, select the amount of time to include in your search.
For this example, select Last 6 Hours.
4. In the Log Type drop-down list, Traffic is selected by default. Do not change this selection.
5. In the ANY of these words text box, type src_ip=10.1.1.3 for the IP address to search for.
6. In the ALL of these words text box, type the disposition of the traffic.
For this example, we want to find all traffic from the specified IP address that was denied, so we
type disp=Allow.
7. Click Search.
The Search results are refined to include only log messages for traffic from the specified source IP address that
was allowed access through the firewall.
Because the Successful Company Administrator might want to run this search again later, he decides to
save the search so he can run it again.
To save search parameters for a specific device:
1. From the LOGS > Search page for a device, click Save.
NOTE: You may need to allow this within the browser.
2. Select Save and click OK.
3. Save the search query file with a descriptive name for the search query file.
For this example, type AllowedSearch1.query.
Make sure to choose a file name that will make it easy to identify the search query when you want to run the
search again.
4. Click Save. Click Close.
The AllowedSearch1.query file is saved in the location you selected.
When the Successful Company Administrator wants to run a saved query for a device again, he simply
loads the search query file and runs the search again.
1. From the LOGS > Search page for a device, click Load.
The Load Search Query dialog box appears.
2. Click Browse to select the AllowedSearch1.query file and click Open.
The path to the AllowedSearch1.query file appears in the Load Search Query dialog box.
3. Click OK.
The Search page is refreshed to include the details specified in the search query file and the search results are
updated to include only those results that match the specified search query.
Export Log Messages
The network administrator from Successful Company wants to take the log messages from one of his
XTM devices that was not passing traffic correctly this morning and review them in a third-party
application. To do this, he can export the log messages from one device for a specific date and time
to a CSV file.
The file name of this CSV file is the date and time range for the log messages in the file. When you
export the CSV file, it is automatically added to a ZIP file. The ZIP file name is the serial number of the
device, as well as the date and time range for the log messages. If you choose to save the ZIP file to a
location on your computer, you can specify any file name.
1. Select LOGS > Devices.
The Devices list appears.
2. Select the Name of a device.
The log messages page for the selected device appears.
3. From the Actions drop-down list, select Custom Timerange.
The Custom Date-Time Range dialog box appears.
4. Select the Start date and time, and End date and time. For this exercise, select
today's date from 8:00 to 22:00.
5. Click OK.
The Log Messages page is updated with only the log messages for the specified date and time.
6. From the Actions drop-down list, select Export logs (.csv).
You may need to right click and download the file from within IE.
7. Select Save and Save it to the default location.
8. (Optional) Browse to select a location.
9. (Optional) Type a file name for the ZIP file.
10. Click Save.
The ZIP file is saved to the specified location on your computer.
11. Browse to the location where you saved the ZIP file, open the file, and extract the CSV file.
The Successful Company administrator can now open the CSV file and review the log messages, or
import the CSV file to another program or to the WatchGuard Log Server.
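The search semantics described earlier in this exercise (column=value terms, AND inside one query block, OR across up to nine blocks, plus a time range) applied to rows of an exported log CSV, as an added example that is not part of this courseware or of WatchGuard's software. The CSV rows, the exact column set, and the modelling of a query block as an "any"/"all" pair of term lists are constructed assumptions.

```python
"""Search exported Fireware XTM traffic log rows the way Log and Report Manager does.

Hypothetical example for this courseware, not WatchGuard code. A query is a list of
query blocks (at most nine). Inside a block every text box must match (AND); across
blocks any block may match (OR). A block is modelled as a dict with two optional
lists, "any" (ANY of these words: at least one term matches) and "all" (ALL of these
words: every term matches). A term is column=value, or bare text matched in any column.
"""
import csv
import io
from datetime import datetime

MAX_QUERY_BLOCKS = 9  # limit stated in the module

# Constructed sample of an exported traffic log CSV (not a real device export).
# Column names follow the searchable columns the module lists, plus disp.
SAMPLE_CSV = """\
timestamp,disp,policy,protocol,src_ip,src_port,dst_ip,dst_port,src_intf,dst_intf
2012-04-23 08:05:01,Allow,Outgoing-00,tcp,10.0.1.3,49152,93.184.216.34,80,1-Trusted,0-External
2012-04-23 08:05:07,Allow,Ping-00,icmp,10.1.1.3,0,1.2.3.4,0,1-Trusted,0-External
2012-04-23 08:06:12,Deny,Unhandled Internal Packet-00,tcp,10.1.1.3,50001,10.0.1.2,4130,1-Trusted,Firebox
2012-04-23 08:07:30,Deny,Unhandled External Packet-00,tcp,203.0.113.9,40000,10.0.1.2,25,0-External,1-Trusted
2012-04-23 08:09:44,Allow,SMTP-proxy-00,tcp,203.0.113.9,40001,10.0.1.2,25,0-External,1-Trusted
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def load_rows(csv_text):
    """Parse CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def term_matches(row, term):
    """column=value matches that column exactly; bare text matches any column."""
    column, sep, value = term.partition("=")
    if sep:
        return row.get(column.strip(), "").lower() == value.strip().lower()
    needle = term.strip().lower()
    return any(needle in cell.lower() for cell in row.values())


def block_matches(row, block):
    """Text boxes inside one block are combined with AND."""
    any_terms = block.get("any", [])
    all_terms = block.get("all", [])
    any_ok = not any_terms or any(term_matches(row, t) for t in any_terms)
    all_ok = all(term_matches(row, t) for t in all_terms)
    return any_ok and all_ok


def search(rows, blocks):
    """Return rows matching at least one block (OR across blocks)."""
    if not 1 <= len(blocks) <= MAX_QUERY_BLOCKS:
        raise ValueError("a search needs between 1 and %d query blocks" % MAX_QUERY_BLOCKS)
    return [row for row in rows if any(block_matches(row, b) for b in blocks)]


def in_time_range(rows, start, end):
    """Keep rows whose timestamp lies within [start, end], like the Time Range filter."""
    lo, hi = datetime.strptime(start, TIME_FORMAT), datetime.strptime(end, TIME_FORMAT)
    return [r for r in rows if lo <= datetime.strptime(r["timestamp"], TIME_FORMAT) <= hi]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    # The module's example: ANY = src_ip=10.1.1.3, ALL = disp=Allow.
    for row in search(rows, [{"any": ["src_ip=10.1.1.3"], "all": ["disp=Allow"]}]):
        print(row["timestamp"], row["disp"], row["policy"], row["src_ip"], "->", row["dst_ip"])
    # Denied traffic from the same host, which the exercise narrative set out to find.
    for row in search(rows, [{"all": ["src_ip=10.1.1.3", "disp=Deny"]}]):
        print(row["timestamp"], row["disp"], row["policy"], row["dst_port"])
```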
Exercise 5: Configure a Report Server

Successful Company network administrators decide that, for performance reasons, they are going to
install the Report Server on a different computer than the management computer. In this exercise, we
configure their Report Server. Before you configure the Report Server, you must run the WatchGuard
Server Center Setup Wizard, which sets up the Report Server. After the Report Server is set up, you can
use the WatchGuard Server Center Report Server pages to finish your Report Server configuration.
Add a Log Server
A Report Server can consolidate data from one or more Log Servers. You must add the IP address of
each Log Server to the Report Server configuration.
On the computer that has the Report Server software installed:

1. Right-click in the system tray and select Open WatchGuard Server Center.
The Connect to WatchGuard Server Center dialog box appears.
2. Type your Username "admin" and Passphrase of "adminpass". Click Login.
The WatchGuard Server Center appears.
3. In the Servers tree, select Report Server. Set the Maximum database size to 10GB.
The Report Server page appears, with the Server Settings tab selected.
4. In the Log Server Settings section, click Add.
The Add Log Server dialog box appears.
5. In the IP address text box, type the IP address 10.0.1.2.
Note: This is the same IP address as your management computer.
6. In the Password text box, type "adminpass".
This must be the same passphrase you selected when you ran the WatchGuard Server Center Setup Wizard.
7. Click OK. Click Apply. Click OK twice.
The IP address of the Log Server appears in the list of Log Servers. A single Report Server can consolidate data
from more than one Log Server. For this exercise remove 127.0.0.1 from the Log Server list.

Select Reports and Timing
To specify which reports are generated and when they are generated, the Successful Company network
administrator must create a Report Schedule and specify the reports to generate. By default, the Report
Server automatically includes 50 records in each summary report. The Successful Company network
administrator would prefer to include 75 records in summary reports and schedule the reports to be
generated every Monday. He also has not purchased the WatchGuard Gateway AntiVirus or Intrusion
Prevention Service options, so he disables those reports.
Finally, the Successful Company network administrator wants to generate a PDF of the report that he can
send to senior management, so he configures the Advanced Settings to generate a PDF file of the
report data.
1. Select the Report Generation tab.
2. In the Number of records included in each summary report text box, type 75.
3. In the Report Schedules section, click Add.
The New Schedule dialog box appears.
4. In the Schedule Name text box, type the name for this schedule.
For this example, type All Devices - No GAV-IPS.
5. In the Devices list, select the check box for each device to include in this report generation
schedule.
For this example, select the All Devices check box.
6. In the Report types list, select the check box for each report to include in this schedule.
For this example, clear the Gateway AntiVirus Reports and Intrusion Prevention Service
Reports check boxes.
7. In the Report Schedule section, select Run recurrently.
8. From the Run recurrently drop-down list, select Weekly.
9. From the Recur every week on drop-down list, select Monday.
10. In the Range of recurrence section, keep the default setting of No end date.
11. Select the Advanced Settings tab.
12. Select the Generate reports for external use check box.
13. Select an option to specify how reports are generated for device groups:
- One report for each device in the group
- One report with combined data for all devices in the group
For this exercise, select One report with combined data for all devices in the group.
14. Select a format: HTML or PDF.
For this exercise, select PDF.
15. From the Display dates and times using drop-down list, select the time zone you want to appear
in the reports: My local time zone or UTC.
16. Click OK.
The schedule appears in the Report Schedules list.
17. Click Apply to save your configuration changes to the Report Server. Click OK and OK again.
Exercise 6: Use Log and Report Manager to View and Generate
Reports

After you create a report schedule on your Report Server to generate specific reports, you can use Log
and Report Manager to review and share the reports created from log message data. You can review
the Available Reports that you configured your Report Server to generate on the Daily or Weekly tabs.
You can also generate real-time On-Demand or Per Client reports.
In this exercise, the Successful Company network administrator connects to Log and Report Manager
to review an Available Report and to generate an On-Demand report.
Connect to Log and Report Manager to View Reports
There are two ways to connect to Log and Report Manager for your Report Server: directly to the web
UI in a web browser, or from WatchGuard System Manager.
To connect to Log and Report Manager in a web browser:
1. Open a web browser and go to https://10.0.1.2:4130.
Note: You need to log out and log in again to see the device. The Log and Report Manager login page appears.
2. Type your Username "admin" and Passphrase of "adminpass".
3. Click Log In.
Log and Report Manager appears. If your Log Server is installed on the same computer, the LOGS > Devices
page is selected. If your Log Server is not installed on the same computer, the REPORTS > Devices page is
selected.
4. If necessary, select REPORTS > Devices.
5. In the Devices list, select your XTM device.
The Device page appears for your device, with all of the Available Reports that have been scheduled for this
device.
To connect to Log and Report Manager from WatchGuard System Manager:
1. Open WatchGuard System Manager and click the Report Manager toolbar icon.
Or, select Tools > Logs > Report Manager.
The Server Login dialog box appears.
2. Type your Username "admin" and Passphrase of "adminpass" and click OK.
3. Click Login.
Log and Report Manager appears. If your Log Server is installed on the same computer, the LOGS > Devices
page is selected. If your Log Server is not installed on the same computer, the REPORTS > Devices page is
selected.
View Reports
After you connect to Log and Report Manager, you can select the reports to view or generate.
1. Select REPORTS > Devices.
The Devices page appears.
2. From the Devices list, select a device.
The Available Reports page appears for the selected device, with the Daily tab selected and the report data
sorted by Users.
3. From the Daily calendar, select a date to see the Available Reports for that day.
4. From the Available Reports list, select a report to view.
The selected report appears.
5. To view the report data by hosts instead of by users, select Hosts.
6. If the report includes links to client data, you can click the client data detail to open a Per Client
report.
To generate an On-Demand report:
1. At the top right of the page, select On-Demand.
The On-Demand Reports page appears for the selected device.
2. Put your cursor in the Start text box to select the start date and time for the report.
The date and time selection calendar appears. Select today at 6:00 AM.
3. Select a month and day from the calendar. Slide the time selectors to specify the hour and minute.
Or, click Now to select the current date and time.
4. Click Done.
The selected date and time appears in the Start text box.
5. Put your cursor in the End text box and select today at 6:00 PM for the report. Click Done.
6. From the Select a report type drop-down list, select Packet Filter Traffic - Daily Trend.
7. Click Run Report.
The selected report is generated.
It can take a few moments to generate the report. The longer the time range for the report, the longer
it takes to generate the report.

Exercise 7: Share Reports

In this exercise, the Successful Company network administrator uses Log and Report Manager to view a
weekly report, and then generates a PDF of the report to send to his manager. He also makes a hard
copy for the Sarbanes-Oxley auditors.
1. From any report page, at the top right of the page, click the PDF icon.
The Opening file dialog box appears.
2. Select the Save file option.
You may have to allow this in Internet Explorer.
3. Click OK.
4. Select a location to save the PDF file.
5. Click Save.
The PDF is saved in the selected location.
The network administrator can now send the PDF to his manager and print a copy for the auditors.
Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.
1. What is the default location for a WatchGuard log file?
2. True or false? The XTM device can send log messages only to one WatchGuard Log Server.
3. Which logging component is responsible for sending notification email messages when an event
occurs on the XTM device that triggers notification? (Select one.)
A) XTM device
B) Log Server
C) Policy Manager

4. Which of these log configuration settings are available in Policy Manager? (Select all that apply.)
A) Scheduling reports
B) Setting the maximum size for a log database file
C) Setting the log encryption key
D) Selecting a backup Log Server for log messages
E) Setting the mail host and email address for email notifications
F) Configuring email notification for denied SMTP packets

5. Which of these log configuration settings are available in WatchGuard Server Center in the Log
Server configuration pages? (Select all that apply.)
A) Scheduling reports
B) Setting the maximum size for a log database file
C) Setting the log encryption key
D) Selecting a backup server for log message database files
E) Setting the mail host and email address for email notifications
F) Configuring email notification for denied SMTP packets

6. True or false? Log files created by an XTM device with Fireware XTM OS are stored in a proprietary
format.
7. True or false? Log and Report Manager automatically saves the search queries you run.
8. True or false? When you run a search query, it applies to all the devices that are connected to your
Log Server.
9. True or false? You can export the log messages for more than one device at the same time.
10. True or false? You can use Log and Report Manager to generate an On-Demand Report about more
than one XTM device at the same time.
11. True or false? You can save a search query for a specific device to run it again for only that device.
12. Which tool is used in the WatchGuard reporting architecture? (Select all that apply.)
A) Report Server
B) Quarantine Server
C) Log Server
D) XTM device
E) Active Directory Server
F) Log and Report Manager

13. Circle the WatchGuard tool you use to configure each of the following. For each task, the choices
are: Policy Manager, Report Server, Log Server, or Log and Report Manager.
- Select Log Server used by an XTM device
- Set number of HTML records per report
- Select Log Server polled by Report Server
- Set the frequency reports are generated
- Generate a PDF of a report
- Set the date range for a report
- Select reports to run on a daily or weekly schedule

14. True or false? You can use Log and Report Manager to configure any report and send it in an email.
15. True or false? To connect to Log and Report Manager, use the IP address of your XTM device.
16. True or false? You can email a PDF of a report directly from Log and Report Manager.
Fireware XTM Basics

Monitor Your Firewall
Monitor Activity Through the XTM Device

What You Will Learn

WatchGuard System Manager includes several tools to monitor the health of your XTM device and
network. In this training module, you are shown how to:
- Interpret the information in the WatchGuard System Manager display
- Modify the Security Traffic display to match your network configuration
- Change Traffic Monitor settings and trace the source of a connection
- Use Performance Console to create a graph that shows traffic to the external interface
- Use HostWatch to view network activity and block a site
- Add and remove sites from the Blocked Sites list
- Add feature keys to the XTM device
Before you begin these exercises, make sure you read the Course Introduction module.
In this module, you will connect to one or more WatchGuard XTM devices. If you take this course with a
WatchGuard Certified Training Partner, your instructor will provide the IP address and passphrases for
devices used in the exercises. For self-instruction, you can safely connect to an XTM device on a
production network. You will not change the configuration files of any device.

Regular Monitoring Improves Security

As with any security product, regular monitoring of your firewall improves both performance and
security. When you use WatchGuard System Manager (WSM) to connect to an XTM device, you are
immediately presented with key information regarding the health of your firewall and the WatchGuard
servers on your network. WSM is particularly useful for networks with more than one XTM device
because you can see many devices at the same time. You can also monitor connections between XTM
devices.
With Firebox System Manager, you can quickly scan the configuration and status of a single XTM
device, spot unusual activity, and take immediate action. Firebox System Manager includes eight
methods to monitor your device, each presented on a separate tab:
- Front Panel: Displays the status of each device interface, along with information about active
VPN tunnels and Subscription Services.
- Traffic Monitor: Displays a color-coded list of the log messages from the device.
- Bandwidth Meter: Provides a real-time graphical display of network activities across a device.
- Service Watch: Shows a graph of the policies configured on an XTM device. The Y-axis (vertical)
shows the number of connections or bandwidth used per policy. The X-axis (horizontal) shows the
time. To get more information about a policy at a point in time, click a location on the chart.
- Status Report: Shows the technical details of the device.
- Authentication List: Identifies the IP addresses and user names of all the users that are
authenticated to the device. Includes a Summary section with the number of users authenticated
for each authentication type, and the total number of authenticated users. To disconnect an
authenticated user, right-click the user name and close the authenticated session.
- Blocked Sites: Lists all the sites currently blocked by the device. From this tab, you can remove a
site from the temporary blocked sites list.
- Subscription Services: Shows the status of Gateway AntiVirus, Intrusion Prevention Service,
Application Control, spamBlocker, and Reputation Enabled Defense. From here, you can also
perform a manual update of the signature databases used by Gateway AV, IPS, and Application
Control. This tab is active only if you have purchased these services.
If you change the Service Watch view from connections to bandwidth, Firebox System Manager remembers the setting the next time you start the application.
From the Firebox System Manager toolbar, you can also launch other XTM device monitoring tools,
including:
- Performance Console: Used to prepare graphs based on device performance counters to better
understand how your device is functioning.
- HostWatch: Shows the network connections between the selected networks.
If any of your Subscription Services have expired, an expired service warning appears on the Front
Panel tab for each expired service. The Renew Now button also appears at the top of Firebox System
Manager. To renew your subscription to the expired services, you can click Renew Now. You can also
choose to hide the expired service warnings. For more information, see the Fireware XTM WatchGuard
System Manager Help.
Exercise 1: Review Network Status in WSM

The Successful Company network administrator has now saved a basic configuration to his XTM device
and has installed and configured a Management Server, Log Server, and Report Server. We can now
look at this network security infrastructure with WatchGuard System Manager (WSM).
From the Windows desktop:
1. Select Start > All Programs > WatchGuard System Manager 11.5.3 > WatchGuard System
Manager 11.5.3.
2. Click the toolbar icon to connect to a device.
You can also select File > Connect To Device.
3. Type the trusted IP address of the XTM device you want to connect to.
Use your device IP address, or get the IP address from your instructor.
4. Type the XTM device Status Passphrase "33333333".
Use the status passphrase to connect to an XTM device and display its status. The XTM device appears in the
WSM display.

For this exercise, your instructor may have you connect to the training lab XTM device to provide more traffic for the exercises.
Interpret the Device Status Display
Information about a device you connect to will appear in the WatchGuard System Manager Device
Status tab. The information that appears includes the status, IP address, and MAC address for each
Ethernet interface, and the installed certificates. It also includes the status of all virtual private network
(VPN) tunnels that are configured in WSM.
Expanded information for each XTM device includes the IP address and subnet mask of each device
interface. It also includes:
- IP address and netmask of the default gateway (for external interfaces only).
- Media Access Control (MAC) address of the interface.
- Number of packets sent and received on each interface since the last device restart.
Each device can be in one of four possible operation modes. The current mode is shown by the
appearance of the device icon:
- Usual operation. The device is successfully sending data to WatchGuard System Manager.
- The device has a dynamic IP address and has not yet contacted the Management Server.
- WatchGuard System Manager cannot make a network connection to the device at this time.
- The device is being contacted for the first time or has not been contacted yet.
The Device Status tab also includes information on Branch Office VPN Tunnels and Mobile VPN
tunnels.
Exercise 2: Use Firebox System Manager

The Firebox System Manager Front Panel tab has a group of indicator lights in the shape of a triangle or
star to show the direction and volume of the traffic between the XTM device interfaces. The points of
the star and triangle show the traffic that flows through the interfaces. Each point shows incoming and
outgoing connections with different arrows. When traffic flows between the two interfaces, the arrows
show the direction of the traffic.
In the star figure, the location where the points come together can show one of two conditions:
Red (deny) The XTM device denied a connection on that interface.
Green (allow) Traffic flows between this interface and a different interface (but not the center)
on the star. When traffic flows from this interface to the center, the point between these interfaces
shows as green arrows.
In the triangle, the network traffic shows in the points of the triangle. The points show only the idle and
deny conditions.
If you use the star figure, you can customize which interface is in the center. The default star figure
shows the external interface in the center. When you put a different interface in the center, you can see
all traffic between that interface and the other interfaces. All allowed and denied traffic is relative to the
interface in the center of the diagram. You see no information about traffic between interfaces on the
perimeter of the star.
In this exercise, you start Firebox System Manager and change the status display.
Connect to an XTM Device and Change the Display
1. In WatchGuard System Manager, click to connect to your XTM device.
2. Type your XTM device trusted IP address and the status passphrase. Click OK.
3. On the Device Status tab, select the XTM device.
4. Click .
Firebox System Manager appears. It contacts your XTM device and gets data about network traffic, interface
settings, and other status information.
5. As shown in the upper-left corner of the FSM window, the default mode shows the interfaces in a
star shape.
3 Port Star 6 Port Star 10 Port Star
To switch to the triangle display, click the triangle icon in the top-right corner above the star
display.
6. In star display, click the red ball next to eth2.
The eth2 interface moves to the center of the display. The other interfaces move in a clockwise direction.
7. Click the red ball next to eth0 to move it back to the center of the display.

Use Traffic Monitor
Traffic Monitor is an application that displays a continuous list of log messages. The messages are
refreshed every five seconds by default, which makes Traffic Monitor a good place to start
troubleshooting problems you have with your XTM device. A unique feature of Traffic Monitor is the
ability to ping or trace the source of a connection you see in the Traffic Monitor window.
In this exercise, you use Traffic Monitor to trace the source of a connection through an XTM device that
is accessible through the training lab.
1. Select the Traffic Monitor tab.

The Traffic Monitor will display Event and Debug information in white. Allowed traffic will be in green.
In the lab environment we are randomly generating web traffic from the client machine with the IP
address of 10.0.1.3.
2. Select an entry in Traffic Monitor and right-click it.
3. Review the menu options. Select Diagnostic Tasks, select the Task drop-down menu and review
the options. Select DNS Lookup, enter www.watchguard.com in the Address field and click Run Task.
The Diagnostic Tasks dialog box appears with the results of the DNS Lookup.
4. Review the result of the DNS Lookup.
5. Click Close.

Change Traffic Monitor Settings
You can configure Traffic Monitor to use different colors to show different types of information. In this
exercise, we change the color of the source IP address for denied traffic to bright pink so that we can
see it better.
1. Select File > Settings.
The Settings dialog box appears.
2. Select the Traffic Allowed tab.
3. In the Traffic Allowed list, select policy.
4. Click the Text Color button.
The Text Color button shows the current color selected for source ip log messages.
5. Select bright pink and click OK.
The text color will change. All information for this message type now appears in the new color in Traffic
Monitor. A sample of how these messages will look in Traffic Monitor appears in the Sample window at the
bottom of the dialog box.
6. Click OK to close the Settings dialog box.
For log messages of allowed traffic, the policy is now a bright pink.

Check Bandwidth Usage and Service Volume
Firebox System Manager also has a way for you to quickly check your firewall bandwidth usage and the
volume of traffic for your primary proxies.
1. Select the Bandwidth Meter tab.
The list of XTM device interfaces appears on the left. Each interface is a different color. The central panel
shows the relative volume of traffic through each interface.
Right-click in the left window and select Settings to customize the list of interfaces shown in the
graph.

2. Select the Service Watch tab.
On the left is a list of policies configured for your XTM device. Each policy is a different color to identify
them. The central panel shows the relative volume of traffic examined by each proxy policy.

Exercise 3: Create a Performance Console Graph

Performance Console is an XTM device utility that you use to monitor different performance counters on
the device. With Performance Console, you define counters that identify the information that you want
to see. You can see the information displayed as a graph, or export it to a third-party application.
The Counter Configuration settings you see depend on the chart counter type that you select. Not all
settings are available for all chart types. Available settings include:
Chart Window
<New Window> opens the new chart in a new window. If there is a chart already open, you can
choose to show both charts in the same window.
Poll Interval
Set how frequently data is gathered from the XTM device.
Type
Use this drop-down list to select the type of graph to create: Rate, Difference, or Raw Value.
Suppose you want to graph value_1 at time_1, value_2 at time_2, and so on.
- Rate If you create a graph by rate, you use the value difference divided by the time
difference: (value_2-value_1)/(time_2-time_1), (value_3-value_2)/(time_3-time_2), and so
on.
- Difference If you specify difference, you use the increase from the previous value to the
new value: value_2-value_1, value_3-value_2, and so on.
- Raw Value If you specify raw value, you use the value only: value_1, value_2, and so on.
The raw values are generally counters of content such as bytes or packets. The raw values can
only increase, not decrease.
Policy
To view the data for the traffic that is passing through an individual policy, select that policy from
the drop-down list.
Save Chart Data to File
Select this check box to save the data collected by the Performance Console as an XML (Extensible
Markup Language) file or a CSV (comma-separated value) file. For example, you can open an XML
data file in Microsoft Excel to see the counter value recorded for each polling interval. You can use
other tools to merge data from more than one chart.
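The three chart types above, worked through on polled counter values, as an added example (not WatchGuard code). The "time,value" export layout and the sample values are constructed for illustration; the page does not show the real Fireware file format.

```python
"""Added example (not WatchGuard code): how the Raw Value, Difference and Rate
chart types of Performance Console are derived from polled counter samples."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Sample:
    time: float   # seconds elapsed since the first poll
    value: int    # raw counter value, e.g. bytes or packets through a policy


# Constructed export (NOT the real Fireware CSV layout, which this page does not
# show): one "time,value" row per poll, with a Poll Interval of 5 seconds.
CONSTRUCTED_CSV = """time,value
0,1000
5,1500
10,2500
15,2500
20,4000
"""


def parse_csv(text: str) -> List[Sample]:
    """Turn the constructed export into Sample objects, skipping the header row."""
    rows = [line.split(",") for line in text.strip().splitlines()[1:]]
    return [Sample(float(t), int(v)) for t, v in rows]


def raw_values(samples: List[Sample]) -> List[int]:
    """Raw Value chart: value_1, value_2, ... exactly as polled."""
    return [s.value for s in samples]


def differences(samples: List[Sample]) -> List[int]:
    """Difference chart: value_2-value_1, value_3-value_2, ...
    A raw counter can only increase, so a drop between two polls means the
    sample cannot be charted as a difference (for example, the counter was
    reset) and is reported as an error instead of a negative bar."""
    out = []
    for prev, cur in zip(samples, samples[1:]):
        if cur.value < prev.value:
            raise ValueError(f"counter decreased between t={prev.time} and t={cur.time}")
        out.append(cur.value - prev.value)
    return out


def rates(samples: List[Sample]) -> List[float]:
    """Rate chart: (value_2-value_1)/(time_2-time_1), ... in units per second."""
    diffs = differences(samples)
    return [d / (cur.time - prev.time)
            for d, (prev, cur) in zip(diffs, zip(samples, samples[1:]))]


def chart(text: str) -> dict:
    """All three chart types for one exported data file."""
    samples = parse_csv(text)
    return {"raw": raw_values(samples),
            "difference": differences(samples),
            "rate": rates(samples)}


if __name__ == "__main__":
    for name, series in chart(CONSTRUCTED_CSV).items():
        print(f"{name:>10}: {series}")
```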
In this exercise, you use Firebox System Manager and your local XTM device to create a Performance
Console graph that shows the utilization of the device CPU.
1. Click .
The Add Chart dialog box appears.

2. In the Available Counters list, expand System Information and select CPU Utilization.
3. Set the Poll Interval to 5 Seconds. Click OK.
The CPU Utilization chart appears in the Configured Charts list.
4. In the Configured Charts list, double-click the Chart Name.
A performance graph appears, with the data collected for this counter.
5. Click Close.

Exercise 4: Use HostWatch to View Network Activity
HostWatch is an application that shows the network connections between the networks you select.
HostWatch also gives information about users, connections, and network address translation (NAT).
The top part of the HostWatch window has two sides. On the left side, you set the interface. The right
side has a list of all the other interfaces. HostWatch shows the connections to and from the interface
that appears on the left side.
In this exercise, you use HostWatch to view the activity on the training network.

1. Click .
The HostWatch window appears.
2. To select an interface, right-click the current interface name and select a new interface.
Or, select View > Interface and select a new interface.
3. As you view the connections through the XTM device, double-click an item on either side.
The Connections For dialog box appears and shows information on the connections for that item.
4. In the HostWatch window, to add the source IP address of any connection to the Blocked Sites list,
right-click it and select Block Site.
The Choose Expiration dialog box appears.
5. Set the time period to block the IP address. Click OK.
6. Type the configuration passphrase "44444444" when prompted. Click OK.
The IP address is added to the temporary blocked sites list for the period of time you set here.
7. Close HostWatch.

Domain name server (DNS) resolution does not occur immediately when you start HostWatch. When
HostWatch is configured for DNS resolution, it replaces the IP addresses with the host or user names. If
the XTM device cannot identify the host or user name, the IP address is used instead.

Exercise 5: Use the Blocked Sites List

The Blocked Sites list shows all the sites currently blocked as a result of the rules defined in Policy
Manager. On the Blocked Sites tab, you can add sites to the list, or remove blocked sites. In this
exercise, you remove the blocked site you added in the HostWatch exercise. You then add a site to the
list.
1. Select the Blocked Sites tab.
2. From the Blocked IP List, select the IP address you just blocked. Click Delete in the lower-right
corner.
The Delete Site(s) dialog box appears.
3. To remove the IP address from the Blocked Sites list, type the configuration passphrase and
click OK.
4. To add a site, click the Add button at the bottom of the dialog box.
The Add Temporary Blocked Site dialog box appears.
5. Add the site 10.1.2.3 and block it for 24 hours.
The site appears on the Blocked Sites list.

Exercise 6: Examine and Update Feature Keys

When you purchase an option for your XTM device, you add a new feature key to your configuration file.
You can use either Firebox System Manager or Policy Manager to see the current list of feature keys for
your XTM device. To add a new feature key to a device, you use Policy Manager.
View Feature Keys For Your XTM device
To view your feature keys in Firebox System Manager:
1. Select View > Feature Keys.
The Firebox Feature Keys dialog box appears.

2. To see more information about the feature key, click Detail.
The Feature Key Detail dialog box shows a list of the features in the feature key.
3. Click OK to close the Feature Key Details dialog box.
Add a Feature Key to the XTM Device
You use Policy Manager to add a feature key to your XTM device.
1. Open the configuration file you are editing for these exercises.
2. Select Setup > Feature Keys.
The Firebox Feature Keys dialog box appears.
3. Click Import.
The Import Firebox Feature Key dialog box appears.
4. Click Browse and select desktop\XTM Feature Key.
Or, open your feature key file, copy the contents, and in the Import Firebox Feature Key
dialog box, click Paste.
You can purchase this key from WatchGuard. If you attend a WatchGuard Certified Training course, you will
receive this key from your instructor.
5. Click OK to close the Import Firebox Feature Key dialog box.
6. Click OK to close the Firebox Feature Key dialog box.
7. Save the configuration file to the XTM device.
You cannot use an optional feature until you add the feature key to the configuration file and save it to your
XTM device.

Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.
1. True or false? Performance Console is used to prepare graphs that show various XTM device
functions based on performance counters.
2. Which of the following monitoring tools can be viewed directly in a Firebox System Manager tab?
(Select all that apply).
A) CA Manager
B) Bandwidth Meter
C) HostWatch
D) Policy Manager
E) Traffic Monitor

3. True or false? You can add a site to the Blocked Sites list from HostWatch.
4. True or false? Service Watch is a monitor that provides a real-time display of the bandwidth
consumed by policies on the XTM device.
5. Match the correct monitoring tool to each task:
1) Service Watch a. Ping the source of a denied packet
2) HostWatch b. Not a Fireware XTM monitoring tool
3) Log Server c. View a list of users connected through the XTM device
4) Subscription Services d. Add an IP address for the XTM device to block all traffic
5) Traffic Monitor e. Learn the status of your IPS signature database
6) Blocked Sites List f. See the volume of traffic generated by each proxy policy

NAT
Use Network Address Translation

What You Will Learn

As with many routing devices, your XTM device can use network address translation (NAT) to conceal
the IP address space of your network. In this training module, you learn how to:
Learn the forms of NAT available with the XTM device
Add more IP addresses to which the device will apply Dynamic NAT
Use Static NAT to protect public servers
Before you begin these exercises, make sure you read the Course Introduction module.

NAT Overview

NAT is an important tool for today's network administrators. Fireware XTM gives you great flexibility for
controlling when and how NAT is applied. When a computer sends traffic through an XTM device
interface and the traffic flow matches a NAT rule, the device changes the IP address to an assigned
value before the traffic reaches its destination. When the XTM device sees the response, it restores the
original IP address to send the response to the computer that made the request.
In general, these rules can help you understand the different types of NAT:
Dynamic NAT is used for traffic that goes out to the Internet from behind the XTM device.
Static NAT is used for traffic that comes in to your network from the Internet.
1-to-1 NAT is used for traffic in both directions.
Dynamic NAT
When Dynamic NAT is enabled, your XTM device changes the source IP address of each outgoing
connection to match the IP address of the device interface that the connection goes out through. For
traffic that goes to an external network, packets go out through the device External interface, so
Dynamic NAT changes the source IP address to the device External interface IP address. The XTM device
tracks the private source IP address and destination address, as well as other IP header information
such as source and destination ports, and protocol.
Dynamic NAT is also known as IP masquerading.

Dynamic NAT is normally applied to connections that start from behind the device. When Dynamic NAT
is applied to a packet, Fireware XTM tries to always keep the same source port that the requesting
client used. The source port is changed only if necessary, for example, if two internal clients use the
same source port to access the same web server. However, the source IP address is always changed
when Dynamic NAT is applied. When the response returns to the same device interface from which the
original connection exited, the firewall examines its connection state table and finds the original
source IP address. It reverses the NAT process to send the packet to the correct host.
With Fireware XTM, Dynamic NAT is enabled by default in the NAT Setup dialog box. By default,
Dynamic NAT is applied to any connection that starts from one of the three reserved private address
ranges and goes to an external network.
To see the default Dynamic NAT rules in Policy Manager, select Network > NAT.
Dynamic NAT is also enabled by default in each policy you create. You can override the global Dynamic
NAT settings in your individual policies.
1-to-1 NAT
When you enable 1-to-1 NAT, the XTM device changes and routes all incoming and outgoing packets
sent from one range of addresses to a different range of addresses.
Consider a situation in which you have a group of internal servers with private IP addresses that must
each show a different public IP address to the outside world. You can use 1-to-1 NAT to map public IP
addresses to the internal servers, and you do not need to change the IP addresses of your internal
servers. To understand how to configure 1-to-1 NAT, we give this example:
Successful Company has a group of three privately addressed servers behind the Optional interface of
their XTM device. These addresses are:
10.0.2.11
10.0.2.12
10.0.2.13

The Successful Company administrator selects three public IP addresses from the same network
address as the External interface of their device, and creates DNS records for the servers to resolve to.
These addresses are:
203.0.113.11
203.0.113.12
203.0.113.13
Now the Successful Company administrator configures a 1-to-1 NAT rule for his servers. The 1-to-1 NAT
rule builds a static, bidirectional relationship between the corresponding pairs of IP addresses. The
relationship looks like this:
10.0.2.11 <--> 203.0.113.11
10.0.2.12 <--> 203.0.113.12
10.0.2.13 <--> 203.0.113.13
When the 1-to-1 NAT rule is applied, the device creates the bidirectional routing and NAT relationship
between the pool of private IP addresses and the pool of public addresses.
To connect to a computer located on a different device interface that uses 1-to-1 NAT, you must use
the private (NAT base) IP address for that computer. If you have problems with this method, you can
disable 1-to-1 NAT and use Static NAT.
Define a 1-to-1 NAT rule
In each 1-to-1 NAT rule, you can configure a host, a range of hosts, or a subnet. A 1-to-1 NAT rule always
has precedence over Dynamic NAT. You must also configure:
Interface
The name of the device Ethernet interface on which 1-to-1 NAT is applied. The device will apply
1-to-1 NAT for packets sent in to, and out of, the interface. In our example above, the rule is applied
to the External interface.
NAT base
The NAT base IP address is the address that the real base IP address changes to when 1-to-1 NAT is
applied. In our example above, the NAT base is 203.0.113.11.
Real base
This is the IP address assigned to the physical Ethernet interface of the computer to which you will
apply the 1-to-1 NAT policy. When packets from a computer with a real base address go through the
interface specified, the 1-to-1 action is applied. In our example above, the real base is 10.0.2.11.
Number of hosts to NAT (for ranges only)
The number of IP addresses in a range to which the 1-to-1 NAT rule applies. The first real base IP
address is translated to the first NAT base IP address when 1-to-1 NAT is applied. The second real
base IP address in the range is translated to the second NAT base IP address when 1-to-1 NAT is
applied. This is repeated until the Number of hosts to NAT is reached. In our example above, the
number of hosts to apply NAT to is three.
Policy-based NAT
With policy-based Dynamic NAT, you can make an exception to the global NAT rules (the rules at
Network > NAT in Policy Manager). Normally, the XTM device uses the primary IP address of the
Outgoing interface when it applies Dynamic NAT to outgoing packets handled by a policy. Each policy
has Dynamic NAT enabled by default. You can disable Dynamic NAT for all traffic handled by a policy, or
you can configure the device to use a different IP address for Dynamic NAT handled by the policy.
To see the NAT settings for any policy:
1. Double-click a policy.
2. Select the Advanced tab.
With these policy-based NAT settings, the global rules can be changed for traffic handled by an
individual policy. To change the Dynamic NAT configuration in a policy:
1. Double-click a policy.
2. Select the Advanced tab.
3. Select the Dynamic NAT check box.
4. If you want to use the global Dynamic NAT rules set for the device, select Use Network NAT
Settings.
5. If you want to apply Dynamic NAT to all traffic handled by this policy, select All traffic in this
policy.
This setting applies even if the source and destination IP addresses of the traffic flow do not match the source
and destination ranges for any rule on the Dynamic NAT tab in Policy Manager (Network > NAT, the global
Dynamic NAT rules).
6. If you select All traffic in this policy, you can also select the Set source IP check box to set a
different source IP address for traffic handled by this policy when Dynamic NAT is applied.
This makes sure that any traffic handled by this policy shows a specified address from your public or external
IP address range as the source. A common reason to do this is to force outgoing SMTP traffic to show the MX
record address for your domain when the IP address on the external interface for the device is not the same as
your MX record IP address.
Policy-based 1-to-1 NAT
With this type of NAT, the XTM device uses the private and public IP address ranges that you set when
you configured Global 1-to-1 NAT, but you can enable or disable the rules for each individual policy.
1-to-1 NAT is enabled in the default configuration of each policy. If traffic matches both 1-to-1 NAT and
Dynamic NAT policies, the 1-to-1 NAT policy takes precedence.
Static NAT
Static NAT allows inbound connections on specific ports to one or more public servers from a single
external IP address. The XTM device changes the destination IP address of the packets and forwards
them based on the original destination port number. You can also translate the original destination
port to an alternative port on which the server is listening.
Static NAT is typically used for public services such as web sites and email. For example, you can use
Static NAT to designate a specific internal server to receive all email. Then, when someone sends email
to the XTM device's external IP address, the device can forward the connection to the private IP address
of the designated email (SMTP) server.
Static NAT is also known as port forwarding.

Both Dynamic NAT and 1-to-1 NAT can also be controlled at the policy level. If traffic matches both
1-to-1 NAT and Dynamic NAT policies, the 1-to-1 NAT policy takes precedence.
If you have more than one External interface configured on your device, we recommend that you do not
select Set source IP. If you select this option, you must add the specified IP address as a secondary IP
address to the interface that the traffic goes out through.

NAT Loopback
NAT loopback allows a user on the Trusted or Optional networks to use the public IP address or domain
name to get access to a public server that is on the same physical device interface. For example, you
could use NAT loopback if you have an internal Web server and you want to allow users on the same
network segment to access the Web server by its public domain name or IP address.
There are no configuration settings in the user interface to enable NAT loopback; however, you must
create a policy in your configuration to allow the traffic. The From section of the policy must list the
Trusted or Optional networks from which access is allowed. The To section of the policy must contain a
static NAT entry for each server to allow access with NAT loopback.
About SNAT Actions
When you configure static NAT, the static NAT configuration is saved in an SNAT action. You can create or
edit an SNAT action when you create or edit a policy. Or you can select Setup > Actions > SNAT to add,
edit or delete SNAT actions. After you have created an SNAT action, you can use the same action in one
or more policies.
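The NAT forms described in this overview (Dynamic NAT, 1-to-1 NAT and Static NAT), the precedence between them, and the reverse translation on the reply, worked through as an added example. This is a simplified model written for this page, not Fireware code; the private and public server addresses are the Successful Company ones above, while 203.0.113.1 (the External interface IP) and the 198.51.100.x Internet hosts are constructed.

```python
"""Added example (not WatchGuard code): a simplified model of the NAT forms in
this overview (Dynamic, 1-to-1 and Static NAT) and the precedence between them.
203.0.113.1 is a constructed External interface IP; 198.51.100.x are constructed
Internet hosts; the 10.0.2.x and 203.0.113.1x servers come from the text."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class OneToOneRule:        # the four 1-to-1 NAT fields described above
    interface: str
    nat_base: str
    real_base: str
    hosts: int


@dataclass(frozen=True)
class DynamicNatEntry:     # one row of the Dynamic NAT Entries list
    from_net: str          # e.g. "10.0.1.0/24"
    to_alias: str          # only "Any-External" is modelled here


@dataclass(frozen=True)
class StaticNatEntry:      # one SNAT member: external IP -> internal IP[:port]
    external_ip: str
    internal_ip: str
    internal_port: Optional[int] = None   # "Set internal port to a different port"


class XtmNat:
    def __init__(self, external_ip: str, one_to_one: List[OneToOneRule],
                 dynamic: List[DynamicNatEntry]) -> None:
        self.external_ip = external_ip
        self.one_to_one = one_to_one
        self.dynamic = dynamic           # Dynamic NAT entries are checked in list order
        # connection state table: (translated src, sport, dst, dport) -> original (src, sport)
        self.state: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def _one_to_one(self, ip: str, iface: str, outbound: bool) -> Optional[str]:
        """Map the nth real base host to the nth NAT base host (or back)."""
        addr = int(ipaddress.ip_address(ip))
        for r in (r for r in self.one_to_one if r.interface == iface):
            base, target = (r.real_base, r.nat_base) if outbound else (r.nat_base, r.real_base)
            offset = addr - int(ipaddress.ip_address(base))
            if 0 <= offset < r.hosts:
                return str(ipaddress.ip_address(target) + offset)
        return None

    def outbound(self, pkt: Packet, iface: str = "External") -> Packet:
        """Translate a connection that starts behind the device."""
        mapped = self._one_to_one(pkt.src, iface, outbound=True)
        if mapped:                       # 1-to-1 NAT takes precedence over Dynamic NAT
            return replace(pkt, src=mapped)
        src = ipaddress.ip_address(pkt.src)
        for entry in self.dynamic:       # first matching entry applies
            if src in ipaddress.ip_network(entry.from_net) \
                    and entry.to_alias == "Any-External" and iface == "External":
                sport = pkt.sport        # keep the client's source port unless it collides
                while (self.external_ip, sport, pkt.dst, pkt.dport) in self.state:
                    sport += 1
                self.state[(self.external_ip, sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
                return replace(pkt, src=self.external_ip, sport=sport)
        return pkt                       # no rule matched: source address unchanged

    def reply(self, pkt: Packet, iface: str = "External") -> Packet:
        """Reverse the translation for a response returning on the same interface."""
        mapped = self._one_to_one(pkt.dst, iface, outbound=False)
        if mapped:
            return replace(pkt, dst=mapped)
        orig = self.state.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return replace(pkt, dst=orig[0], dport=orig[1]) if orig else pkt

    @staticmethod
    def static_nat(pkt: Packet, entry: StaticNatEntry) -> Packet:
        """Static NAT (port forwarding): rewrite the destination of an inbound packet."""
        if pkt.dst != entry.external_ip:
            return pkt
        return replace(pkt, dst=entry.internal_ip, dport=entry.internal_port or pkt.dport)


def demo() -> Dict[str, Tuple[str, int]]:
    nat = XtmNat("203.0.113.1",
                 [OneToOneRule("External", "203.0.113.11", "10.0.2.11", 3)],
                 [DynamicNatEntry("10.0.1.0/24", "Any-External")])
    web = "198.51.100.5"
    srv = nat.outbound(Packet("10.0.2.13", web, 40000, 443))     # third 1-to-1 host
    a = nat.outbound(Packet("10.0.1.3", web, 50000, 80))         # trusted client
    b = nat.outbound(Packet("10.0.1.4", web, 50000, 80))         # same port: must change
    back = nat.reply(Packet(web, "203.0.113.1", 80, b.sport))    # response to b
    opt = nat.outbound(Packet("10.0.2.25", web, 50000, 80))      # no matching entry
    in12 = nat.reply(Packet(web, "203.0.113.12", 443, 40000))    # inbound via 1-to-1
    smtp = XtmNat.static_nat(Packet("198.51.100.9", "203.0.113.1", 51000, 25),
                             StaticNatEntry("203.0.113.1", "10.0.2.25"))
    alt = XtmNat.static_nat(Packet("198.51.100.9", "203.0.113.1", 51001, 80),
                            StaticNatEntry("203.0.113.1", "10.0.2.30", 8080))
    return {"srv": (srv.src, srv.sport), "a": (a.src, a.sport), "b": (b.src, b.sport),
            "back": (back.dst, back.dport), "opt": (opt.src, opt.sport),
            "in12": (in12.dst, in12.dport), "smtp": (smtp.dst, smtp.dport),
            "alt": (alt.dt if False else alt.dst, alt.dport)}
```

Note that 10.0.2.25 leaves with its source unchanged because, as in Exercise 1 below, only 10.0.1.0/24 has a Dynamic NAT entry; the default 10.0.0.0/8 entry would have translated it.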

Exercise 1: Add Firewall Dynamic NAT Entries

The default configuration of Dynamic NAT enables Dynamic NAT for traffic that comes from any private
IP address and goes to any external network. The default entries are:
192.168.0.0/16 Any-External
172.16.0.0/12 Any-External
10.0.0.0/8 Any-External
These three network addresses are the private networks reserved by the Internet Engineering Task
Force (IETF) and are typically used for the IP addresses on private LANs. To enable Dynamic NAT for
other traffic flows, you must add an entry for them. For example, you could add a Dynamic NAT rule for
traffic that comes from a trusted network and goes to an optional network. In that case, all traffic sent
from the trusted network and going to the optional network would appear to come from the Optional
interface IP address, because the Optional interface is the outgoing interface for that traffic. The XTM
device applies the Dynamic NAT rules in the sequence that they appear in the Dynamic NAT Entries
list.
In this exercise, we use Policy Manager to configure the Successful Company XTM device to use
Dynamic NAT for traffic coming from only their trusted network and going to any external network.
1. Select Network > NAT.
The NAT Setup dialog box appears.
2. On the Dynamic NAT tab, select the 10.0.0.0/8 - Any-External Dynamic NAT rule.
3. Click Remove.
A warning message appears.
4. Click Yes.
5. Click Add.
The Add Dynamic NAT dialog box appears.
6. In the From text box, type 10.0.1.0/24.
The From field defines the source of the IP packets. In this exercise, the 10.0.1.0/24 network is the Successful
Company trusted network on interface #1. We have reduced the range of addresses from the larger 10.0.0.0/8
to only those addresses that are actually in the Successful Company network.
7. From the To drop-down list, select Any-External.
This sets the XTM device to dynamically NAT all traffic coming from the trusted network and going to any
external network.

8. Click OK.
The new entry appears in the Dynamic NAT list.
9. Click OK.

Exercise 2: Configure Static NAT to Allow Access to Public Servers

In this exercise, you use Policy Manager to configure the Successful Company XTM device to use Static
NAT for their SMTP server.
1. Click .
Or, select Edit > Add Policy.
2. Expand the Proxies list and select SMTP-proxy. Click Add.
The New Policy Properties dialog box appears.
3. In the To section, click Add.
The Add Address dialog box appears.
4. Click Add SNAT.
The SNAT dialog box appears.
5. Click Add.
The Add SNAT dialog box appears.
6. In the SNAT Name text box, you can edit the name for this SNAT action.
For example, change the name to SMTP-SNAT.
7. Click Add.
The Add Static NAT dialog box appears.
8. Make sure the External IP Address text box includes the External interface IP address of your
device.
9. In the Internal IP Address field, type 10.0.2.25.
This is the private IP address of the SMTP server located on the optional network.

In this example, we create the SNAT action from within the policy. We could also have created the SNAT
action before we created the policy. To create or edit SNAT actions from outside the policy, select
Setup > Actions > SNAT. After you configure an SNAT action, you can select the SNAT action from the Add
SNAT page in the policy.

To change the packet destination to a specified internal host and to a different port, select the Set
internal port to a different port check box.

10. Click OK to close the Add Static NAT dialog box.
The static NAT mapping is added to the SNAT Members list for this SNAT action.
11. Click OK to close the Add SNAT dialog box.
12. Click OK to close the SNAT dialog box.
The selected SNAT action is added to the Selected Members and Addresses list.
13. Click OK to close the Add Address menu.
14. Click OK to close the New Policy Properties dialog box.
15. Click Close in the Add Policies dialog box.
The SMTP-proxy policy appears in the policy list. The Internal IP address you selected appears in the range in
the To column.

If you have set Policy Manager to use Manual-order mode, toggle the precedence back to Auto-order
mode. Select View > Auto-Order Mode and click Yes.

Exercise 3: Configure NAT Loopback to an Internal Web Server

In this exercise, you use Policy Manager to configure an XTM device policy to allow users on the trusted
network to get access to a web server on the trusted network by its public domain name or public IP
address. You can create a separate policy for NAT loopback, or you can edit the policy that enables
static NAT to the web server to allow NAT loopback.
1. Click .
Or, select Edit > Add Policy.
2. Expand the Proxies list and select HTTP-proxy. Click Add.
The New Policy Properties dialog box appears.
3. In the To list, select Any-External. Click Remove.
4. In the To section, click Add.
The Add Address dialog box appears.
5. Click Add SNAT.
The SNAT dialog box appears.
6. Click Add.
The Add SNAT dialog box appears.
7. In the SNAT Name text box, you can edit the name for this SNAT action.
For example, change the name to NAT-Loopback.
8. Click Add.
The Add Static NAT dialog box appears.
9. Make sure the External IP Address text box includes the External interface IP address of your
Firebox or XTM device.
10. In the Internal IP Address text box, type 10.0.2.30.
This is the private IP address of the HTTP server located on the optional network.
11. Click OK to close the Add Static NAT dialog box.
The static NAT mapping is added to the SNAT Members list for this SNAT action.
12. Click OK to close the Add SNAT dialog box.
The new SNAT action is automatically selected in the list of configured SNAT actions.

13. Click OK to close the SNAT dialog box.
The selected SNAT action is added to the Selected Members and Addresses list.
14. Click OK to close the Add Address dialog box.
15. Click OK to close the New Policy Properties dialog box.
16. Click Close in the Add Policies dialog box.
The HTTP-proxy policy appears in the policy list. The Internal IP address you selected appears in the range in
the To column.

Other Reasons to Use NAT
When you create a branch office VPN tunnel between two networks that use the same private IP
address range, an IP address conflict occurs. To prevent this, both networks must apply 1-to-1 NAT to
the VPN. This makes the IP addresses on your computers appear to be different from their true IP
addresses when traffic goes through the VPN. You would also use 1-to-1 NAT through a VPN if the
network to which you want to make a VPN already has a VPN to a network that uses the same private IP
addresses you use.

Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.
1. Fill in the blank: __________________ NAT conserves IP addresses and hides the internal topology
of your network.
2. Fill in the blank: __________________ NAT is often used for policies that require more than one
port or port numbers that change dynamically, such as for many messaging and video
conferencing applications.
3. Fill in the blank: NAT ___________________ allows a user on the trusted or optional networks to
get access to a public server that is on the same physical XTM device interface by its public IP
address or domain name.
4. Complete the missing entries:
The default Dynamic NAT entries in Policy Manager are:
___________/____ Any-External
172.16.0.0/12
___________/____ Any-External

5. Static NAT for a policy is also known as (select all that apply):
A) IP masquerading
B) Port forwarding
C) Tunnel swapping
D) Quality of Service
E) All the above

6. True or false? Dynamic NAT rewrites the source IP address of packets to use the IP addresses of the
outgoing interface.

Policies
Convert Network Policy to Device Configuration

What You Will Learn

An XTM device controls traffic to and from your trusted, optional, and external networks. You define
what should be allowed and what should be denied through a set of rules called policies. In this training
module, you learn how to:
Understand the difference between a packet filter policy and a proxy policy
Add a policy to Policy Manager and configure its access rules
Create a custom packet filter
Set up logging and notification rules for a policy
Use advanced policy properties
Understand how the XTM device determines precedence
Before you begin these exercises, make sure you read the Course Introduction module.

Policies are Rules for Your Network Traffic

When you add a policy to Policy Manager, you tell the XTM device what types of traffic to allow or deny.
You can set a policy to allow or deny traffic based on criteria such as the source and destination of the
packet, the TCP/IP port or protocol used to transmit the packet, or the time of day. You can use the
same policy to give the XTM device more instructions on how to handle the packet. For example, you
can define logging and notification parameters for the policy, or use network address translation (NAT).
There are two types of policies:
Packet Filter Policy
A packet filter examines the IP and transport-layer headers of each packet (source and destination
address, protocol, and port numbers) to control the network traffic into and out of your network. It is
the most basic feature of a firewall. If the header fields match a policy that allows the traffic, the XTM
device forwards the packet. If they do not, the device drops the packet.
Proxy Policy
A proxy monitors and scans the entire connection, from the protocol commands to the data inside
the packet. It examines the commands used in the connection to make sure they are in the correct
syntax and order. It also examines the contents of each packet to make sure that connections are
secure. A proxy operates at the application layer, as well as the network and transport layers of a
TCP/IP packet, while a packet filter operates only at the network and transport protocol layers.
Packet filters are an easy way to allow or deny large amounts of traffic. Proxies can prevent potential
threats from reaching your network without blocking the entire connection. The device includes
default sets of rules, called proxy actions, for each type of proxy policy. You can use the default settings
for each type of proxy action, or you can customize them.
In this course, we refer to packet filters and proxies together as policies. Unless otherwise indicated,
the procedures refer to both types of policies.
Add Policies
Policy Manager uses icons or a list view to show the policies that you configure for your XTM device. For
each policy, you can:
Enable the policy
Set the allowed sources and destinations for traffic managed by the policy
Configure properties such as logging, notification, and advanced properties (described below)
The XTM device includes a default list of predefined packet filters and proxy policies for you to use. You
can add one of these predefined policies and then change the settings to meet the needs of your
organization, or just use the default settings. Based upon the access rules you configure, connections
can be allowed, denied, or denied with a reset connection.
To enable access through the device for an Internet protocol that is not included in the list of
predefined policies, you must create a custom policy template. A custom policy can match traffic
from one or more TCP or UDP ports, or other IP protocols such as GRE, AH, ESP, ICMP, IGMP, and OSPF.
A custom policy cannot match traffic from other protocol types, such as AppleTalk, ATM, Frame Relay,
or IPX.
Configure Logging and Notification for a Policy
You can set custom logging and notification rules for each policy. These rules tell the XTM device the
events for which it needs to create log messages or trigger a notification. Notifications can occur
through email, a pop-up window on your management computer, or with a Simple Network
Management Protocol (SNMP) trap. An SNMP trap is a notification event issued by a managed device to
the network SNMP manager when a significant event occurs.
Advanced Policy Properties
You can also use several advanced property settings for each of your policies:
Proxy Actions
Each time you add a proxy policy to Policy Manager, you select a set of rules used to protect either
clients or servers on your network. You can use the default proxy action settings, or you can modify
them to meet the needs of your organization.
Schedules
You can set policies to only be active at the times of the day that you specify. You can also create
schedule templates so that you can use the same schedule for more than one policy.
Traffic Management
A Traffic Management action can guarantee that a particular policy always has a certain amount of
bandwidth through the XTM device, or it can limit the amount of bandwidth that the policy can use.
Quality of Service (QoS) Marking
QoS marking allows you to mark network traffic with bits that identify it to other devices that
understand QoS. The XTM device and other QoS-capable devices can assign higher or lower
priorities to each type of traffic with QoS marking.
Network Address Translation (NAT)
You can enable or selectively disable 1-to-1 and dynamic NAT in any policy. You can also configure
incoming NAT properties to allow Internet connections to privately addressed servers protected by
the XTM device.
ICMP Error Handling
You can customize the method the XTM device uses to handle ICMP errors for each policy.
Custom Idle Timeout
Use this feature to set the amount of time the XTM device waits before it drops a connection.

Sticky Connections
A sticky connection is a connection that continues to use the same interface for a defined period of
time when your XTM device is configured with multiple WAN interfaces. Stickiness makes sure that,
if a packet goes out through one external interface, any future packets between the source and
destination address pair use the same external interface for a specified period of time.
Policy-based Routing
If your XTM device is configured with multi-WAN, you can configure a policy with a specific external
interface to use for all outbound traffic that matches that policy.
Policy Precedence
Precedence refers to the order in which the XTM device examines network traffic and applies a policy
rule. Policy Manager sorts policies automatically, from the most specific to the most general. For
example, a highly specific policy could be one that matches only traffic on TCP port 25 from one IP
address, while a general policy could be one that matches all traffic on UDP ports 40,000-50,000. You
can also set the precedence of each policy manually.
For more information on policy precedence, including the complete rules for specificity, see the Fireware
XTM WatchGuard System Manager Help or User Guide.
The XTM device handles a connection with the rules of the first policy that matches the traffic. If no
policy matches, the traffic is denied as an unhandled packet.

Exercise 1: Add a Packet Filter Policy and Configure Access Rules

Successful Company's network administrator was told to stop employees from using Internet Relay
Chat (IRC) at the office. The management team decided that IRC is too distracting for employees and a
potential security risk.
The administrator also wants to activate a Windows Terminal Services connection to the Successful
Company public web server on the optional interface of the XTM device. He routinely administers the
web server with a Remote Desktop connection. At the same time, he wants to make sure that no other
network users can use the Remote Desktop Protocol through the XTM device.
In this exercise, you open a basic XTM device configuration file in Policy Manager. You add two
predefined policies to the configuration and configure the access rules for each policy.
Add a Predefined Policy
First, add policies to the XTM device to control IRC and RDP traffic.
1. Open the configuration file you are editing for these exercises.
2. Click the toolbar icon to add a policy, or select Edit > Add Policy.
The Add Policies dialog box appears. From here, you can add a predefined packet filter policy, a proxy policy,
or a custom policy you have created. You can also create a new policy template.
3. Expand the Packet Filter list. Select IRC.
The Add Policies dialog box shows, for the selected policy, the policy icon that appears in Policy
Manager, the list of ports and protocols controlled by the policy, and a description of how the policy is
used and for what services.
4. Click Add.
The New Policy Properties dialog box appears.
5. Click OK.
This adds a basic IRC policy to your configuration. If you do not change this policy, it allows all IRC traffic from
any trusted computer to any external computer.
6. In the packet filter list, select RDP. Click Add. Click OK.
This adds a basic RDP policy to your configuration. If you do not change this policy, it allows all RDP traffic
from any trusted computer to any external computer.
7. Click Close to close the Add Policies dialog box.
The IRC and RDP policies appear in Policy Manager.

Modify Policies to Restrict Traffic
By default, a new policy allows traffic from any trusted interface to any external interface. To block all
IRC traffic originating from computers on the Successful Company's trusted and optional networks, we
must modify the IRC policy.
1. Double-click the IRC policy.
The Edit Policy Properties dialog box appears.
2. Select the Policy tab.
3. In the IRC connections are drop-down list, select Denied.
The policy now denies traffic from any computer that connects through the trusted XTM device interface to
any external computer. To further restrict IRC traffic, you must also deny IRC from any computer on optional
device interfaces.
4. In the From section, click Add.
The Add Address dialog box appears.
5. In the Available Members list, select Any-Optional . Click Add.
Any-Optional appears in the Selected Members and Addresses list.
6. Click OK.
Any-Optional appears in the Edit Policy Properties dialog box in the From list.
The rule now denies IRC traffic from all computers behind the device to any external computer. Traffic that
comes from the external interface is always denied by default unless you create a rule to allow it.
7. Click OK to close the Edit Policy Properties dialog box.
The policy is now marked with a red X in List View or a red top banner in Large Icon View. This indicates a
Deny policy.
Use a Policy to Allow Traffic
We also want to allow RDP traffic to the Successful Company web server on the optional network.
However, we want only our network administrator to be able to connect, so we will restrict this policy
to allow only the static IP address of his home office computer.
1. Double-click the RDP policy.
The Edit Policy Properties dialog box appears.
2. In the From list, select Any-Trusted. Click Remove.
The policy originally allowed all RDP traffic from any computer on trusted networks to any computer on an
external network.
3. In the From section, click Add.
The Add Address dialog box appears.
4. Click Add Other.
The Add Member dialog box appears.
5. In the Value text box, type 40.30.20.10 as the IP address of the network administrator's home
office computer. Click OK.
The IP address appears in the Add Address dialog box Selected Members and Addresses list.
6. Click OK to close the Add Address dialog box.
The Edit Policy Properties dialog box appears with the IP address in the From list.


7. In the To section, select Any-External. Click Remove.
8. In the To section, click Add.
The Add Address dialog box appears.
9. Click Add SNAT.
The SNAT dialog box appears.
10. Add a SNAT named RDP-SNAT from the external IP to 10.0.2.80.
This is the IP address of the Successful Company public web server on the PublicServers (Interface 3) optional
network.
11. Click OK.
The rule appears in the Add Address dialog box Selected Members and Addresses list. This allows RDP
connections from the IP address of the network administrator's home office computer to the IP address
of the public web server.
12. Click OK.
The Edit Policy Properties dialog box appears with the SNAT rule in the To list. If the Outgoing policy is
not present in this configuration, there is no default rule to allow general outgoing TCP connections, and
all other RDP traffic through the device is denied as unhandled. If the configuration does include the
Outgoing policy, that policy still allows outbound RDP from your internal networks to external hosts, so
check the policy list before you assume RDP is blocked everywhere else.
13. Click OK to close the Edit Policy Properties dialog box.

Exercise 2: Create a Custom Packet Filter Template

Successful Company's network administrator frequently troubleshoots their public servers from the
network server room. These public servers are all connected to the optional interface of the XTM
device. The network administrator would like to be able to use VNC to view the files on his trusted
desktop computer. To do this, he must create a custom VNC policy and allow access from any computer
on the optional network to his desktop computer on the trusted network (10.0.1.3). To create a
custom policy, we must know that VNC uses TCP port 5900. (A VNC server listens on TCP port 5900 plus
its display number, so a server with several displays needs a port range; this exercise assumes the default
display :0.) To find out which ports are used by different network services, refer to the documentation
that accompanies each software product.
In this exercise, you learn how to create a custom packet filter to solve a problem in the Successful
Company network.
Make a New Policy Template
1. Click the toolbar icon to add a policy, or select Edit > Add Policy.
The Add Policies dialog box appears.
2. Click New to create a new policy template.
The New Policy Template dialog box appears.
3. In the Name text box, type VNC.
4. In the Description text box, type Virtual Network Computing.
5. For the Type option, make sure that Packet Filter is selected.
6. To define a protocol and ports for the new policy template, click Add.
The Add Protocol dialog box appears.
7. From the Type drop-down list, select Single Port.
8. From the Protocol drop-down list, select TCP.
9. In the Server Port text box, type 5900.
10. Click OK to close the Add Protocol dialog box.
The TCP 5900 protocol appears in the list of Protocols controlled by this policy.
It is possible to create a new policy template for a service that uses a port range. After you specify the
Type as Port Range instead of Single Port, the options to define a port range are available.
11. Click OK to close the New Policy Template dialog box.
The VNC Policy appears in the Custom list in the Add Policies dialog box.
Add and Configure the Custom Policy
Now that you have a custom policy template that controls VNC traffic, you can add it to the device
configuration.
1. In the Add Policies dialog box, expand the Custom folder.
2. Select VNC. Click Add.
The New Policy Properties dialog box appears with the VNC packet filter.
3. In the From list, select Any-Trusted. Click Remove.
4. In the From section, click Add.
The Add Address dialog box appears.
5. Double-click Any-Optional.
Any-Optional appears in the Selected Members and Addresses list.
6. Click OK to close the Add Address dialog box.
The New Policy Properties dialog box appears with Any-Optional in the From list.
This enables the device to allow VNC traffic from any computer on an optional network.

7. In the To list, select Any-External. Click Remove.
8. In the To section, click Add.
The Add Address dialog box appears.
9. Click Add Other.
The Add Member dialog box appears.
10. From the Choose Type drop-down list, make sure that Host IP is selected.
11. In the Value text box, type 10.0.1.3.
This address restricts VNC traffic to only the desktop computer of the network administrator.
12. Click OK to close the Add Member dialog box.
The IP address 10.0.1.3 appears in the Selected Members and Addresses list.
13. Click OK to close the Add Address dialog box.
The IP address appears in the To list.
14. Click OK to close the New Policy Properties dialog box.
15. Click Close to close the Add Policies dialog box.
The VNC policy appears in the list of configured policies.
Exercise 3: Configure Logging and Notification for a Policy

In this exercise, you make sure the XTM device creates a log message for any IRC connection denied by
the IRC policy we created earlier in the lesson.
1. Double-click the IRC policy.
The Edit Policy Properties dialog box appears.
2. Select the Properties tab.
3. Click Logging.
The Logging and Notification dialog box appears.
4. Select the Send log message check box.
5. Select the Send Notification check box and keep the default Email selection.
The XTM device will now send a log message to the WatchGuard Log Server each time an IRC packet is
denied. The device also sends a message to the Log Server that tells it to send an email notification to the
specified email address.
For more information, see the Logging and Reporting training module.
6. Click OK to close the Logging and Notification dialog box.
7. Click OK to close the Edit Policy Properties dialog box.
8. Save the configuration file to your device as Policies-Configured.xml.

Exercise 4: Change Policy Precedence

When you define a new policy and configure the policy parameters, it is automatically sorted and
placed in the proper order within Policy Manager. To illustrate the policy auto-ordering process, add
the NetMeeting packet filter with the default properties and watch for the position in which it is placed.
To set Policy Manager to the Details view:
1. Select View > Details.
In this view, policies appear in the order the device will use to process traffic.
2. Click the toolbar icon to add a policy, or select Edit > Add Policy.
The Add Policies dialog box appears.
3. Expand the Packet Filters folder and double-click NetMeeting.
The New Policy Properties dialog box appears.
4. Do not modify the policy.
5. Click OK. Click Close.
The device automatically places the NetMeeting policy in the correct position according to its ordering
criteria.
Override the Default Order of Policy Precedence
You can override the order in which Policy Manager automatically puts policies. To change the order of
policies, switch to manual-order mode, then select the policy whose order you want to change and drag
it to its new location. In this exercise, we move the NetMeeting policy so it has the lowest precedence.
1. Select View > Auto-order Mode.
2. Click Yes to confirm that you want to switch from auto-order mode to manual-order mode.
The policy order numbers now have a gray background to indicate that you can move them.
3. Drag-and-drop the NetMeeting policy to the bottom of the list.

The Auto-order Mode feature can be enabled or disabled. When the View > Auto-order Mode menu item
has an adjacent check mark, Policy Manager sets the precedence. When the check mark is missing,
Policy Manager uses manual-order mode.
Exercise 5: Use Advanced Policy Properties

After a few weeks of blocking all outgoing IRC traffic, the Successful Company managers notice that
many of their engineering team are leaving at 5:00pm. A little research into the problem returns the
surprising result that the engineers are perfectly willing to work late as long as they can chat on IRC
with their friends outside the company. Productivity will increase if we schedule the IRC policy to let
them chat in the evenings.
1. Double-click the IRC policy.
The Edit Policy Properties dialog box appears.
2. Select the Advanced tab.
3. Adjacent to the Schedule drop-down list, click the edit icon.
The Clone Schedule dialog box appears, because the predefined schedule cannot be changed directly.
4. In the Name text box, type Evenings.
5. In the Description text box, type Disable the policy in the evenings.
You can use this schedule for other policies, so you should describe it with the hours blocked or allowed
rather than the policy for which you are building it.

6. In the schedule grid, change the hours from 5:00 to 10:00 PM, Monday through Friday, to
Non-operational hour.
During the non-operational hours the IRC Deny policy is not applied at all. IRC traffic is then allowed only
if another policy, such as the Outgoing policy, matches it; if no policy matches, the device still denies the
traffic as an unhandled packet.
7. Click OK to save the schedule and apply it to the IRC policy.
8. Click OK to close the Edit Policy Properties dialog box.
9. Save the configuration file to the device as Policies-Done.
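The precedence rules described earlier and the policies built in Exercises 1, 2, 4 and 5 can be checked outside Policy Manager with a small model of first-match evaluation. The following Python is an added example, not WatchGuard code or part of the courseware. It assumes the lab address plan (trusted 10.0.1.0/24, optional 10.0.2.0/24), TCP port 6667 for the IRC policy, and a simplified specificity score in place of the complete ordering rules in the WSM Help. It shows why the IRC Deny policy still wins over a general Outgoing policy during working hours, and why disabling the Deny policy in the evening allows IRC only when some other policy allows it.

```python
"""First-match policy evaluation with auto-ordering, modelled on the Policies module.

Added example for the courseware, not WatchGuard code. Assumptions: the lab address
plan (trusted 10.0.1.0/24, optional 10.0.2.0/24), TCP 6667 for the IRC policy, and a
simplified specificity score (the real ordering rules are in the WSM Help).
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, Optional, Tuple

# Assumed lab address plan. Any-External is whatever is neither trusted nor optional.
NETS = {
    "Any-Trusted": ip_network("10.0.1.0/24"),
    "Any-Optional": ip_network("10.0.2.0/24"),
}


def member_matches(member: str, addr: str) -> bool:
    """True if a From/To member (interface alias or single host IP) covers addr."""
    ip = ip_address(addr)
    if member == "Any":
        return True
    if member == "Any-External":
        return not any(ip in net for net in NETS.values())
    if member in NETS:
        return ip in NETS[member]
    return ip == ip_address(member)  # single host, e.g. 40.30.20.10


def member_score(member: str) -> int:
    """Specificity of one member: host (2) > interface alias (1) > Any (0)."""
    if member == "Any":
        return 0
    if member in NETS or member == "Any-External":
        return 1
    return 2


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                       # "allow" or "deny"
    proto: str                        # "tcp" or "udp"
    ports: Optional[FrozenSet[int]]   # server ports; None means any port
    src: Tuple[str, ...]              # From list
    dst: Tuple[str, ...]              # To list
    # Schedule hook: returns True when the policy is operational at `now`.
    active: Callable[[datetime], bool] = lambda now: True

    def specificity(self) -> Tuple[int, int]:
        """Sort key: least specific address member, then whether ports are fixed."""
        return (min(member_score(m) for m in self.src + self.dst),
                1 if self.ports is not None else 0)


def auto_order(policies):
    """Most specific first; ties keep configuration order (sorted() is stable)."""
    return sorted(policies, key=lambda p: p.specificity(), reverse=True)


def evaluate(policies, src: str, dst: str, proto: str, dport: int, now: datetime):
    """Return (action, policy name) from the first active policy that matches,
    or ("deny", "unhandled packet") when nothing matches."""
    for p in auto_order(policies):
        if not p.active(now):
            continue
        if p.proto != proto or (p.ports is not None and dport not in p.ports):
            continue
        if not any(member_matches(m, src) for m in p.src):
            continue
        if not any(member_matches(m, dst) for m in p.dst):
            continue
        return p.action, p.name
    return "deny", "unhandled packet"


def evenings_schedule(now: datetime) -> bool:
    """Exercise 5 schedule: non-operational Monday-Friday 17:00-22:00."""
    return not (now.weekday() < 5 and 17 <= now.hour < 22)


# The policies built in Exercises 1, 2 and 5. The SNAT target 10.0.2.80 is modelled
# as the RDP policy's To member.
IRC = Policy("IRC", "deny", "tcp", frozenset({6667}),
             ("Any-Trusted", "Any-Optional"), ("Any-External",), evenings_schedule)
RDP = Policy("RDP", "allow", "tcp", frozenset({3389}), ("40.30.20.10",), ("10.0.2.80",))
VNC = Policy("VNC", "allow", "tcp", frozenset({5900}), ("Any-Optional",), ("10.0.1.3",))
# Default Outgoing policy, not present in the lab file; included to show its effect.
OUTGOING = Policy("Outgoing", "allow", "tcp", None,
                  ("Any-Trusted", "Any-Optional"), ("Any-External",))
LAB = [IRC, RDP, VNC]

NOON = datetime(2012, 4, 24, 12, 0)      # a Tuesday, inside operational hours
EVENING = datetime(2012, 4, 24, 18, 0)   # same Tuesday, IRC policy non-operational

if __name__ == "__main__":
    print([p.name for p in auto_order(LAB + [OUTGOING])])
    print(evaluate(LAB, "10.0.1.50", "198.51.100.7", "tcp", 6667, NOON))
    print(evaluate(LAB, "10.0.1.50", "198.51.100.7", "tcp", 6667, EVENING))
    print(evaluate(LAB + [OUTGOING], "10.0.1.50", "198.51.100.7", "tcp", 6667, EVENING))
    print(evaluate(LAB, "40.30.20.11", "10.0.2.80", "tcp", 3389, NOON))
```

Run it to print the auto-ordered policy list and the verdicts. The Outgoing policy is passed only where the call needs it, so the same IRC connection is denied by the IRC policy at noon, denied as unhandled in the evening without Outgoing, and allowed by Outgoing in the evening when that policy is present.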
Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.
1. Choose the appropriate policy type(s) for each task. (Select all that apply.)

   Task                                                                 Packet Filter   Proxy
   Examine the header information                                       ____            ____
   Strip an attachment                                                  ____            ____
   Examine the application layer content                                ____            ____
   Check for RFC compliance                                             ____            ____
   Block based on server command type                                   ____            ____
   Check the source against a list of blocked sites                     ____            ____
   Verify that the destination is a valid location on the trusted network   ____        ____
   Send a log message if the packet is malformed                        ____            ____
   Generate a report on network traffic                                 ____            ____

2. True or false? You can use the same operating schedule for multiple policies.
3. Which of the following protocols can be used in a custom policy? (Select all that apply.)
A) TCP
B) Frame Relay
C) ATM
D) UDP
E) ICMP

4. True or false? Policies are ordered primarily by name.
5. True or false? You cannot use SNMP for policy event notifications.

Proxy Policies
Use Proxy Policies and ALGs to Protect Your Network

What You Will Learn

You can use proxy policies to protect servers and clients from threats. With a proxy policy, the XTM
device examines the contents of each packet to determine whether the network traffic is safe. In this
training module, you learn how to:
Understand the purpose of each proxy policy or ALG (Application Layer Gateway)
Configure the DNS proxy to protect your DNS server
Prevent users from putting files on an external FTP server
Configure access control for VoIP calls
Before you begin these exercises, make sure you read the Course Introduction module.

Proxy Policies and ALGs

A proxy policy is similar to a packet filter policy, except that it contains a set of additional rules called a
proxy action to examine traffic. Application Layer Gateways (ALGs) are very similar to proxy policies, but
also contain features that allow the XTM device to automatically manage some of the network
connections necessary for Voice-over-IP (VoIP) sessions to operate correctly.
There are nine proxy policies and ALGs that you can use: DNS, FTP, H.323, HTTP, HTTPS, POP3, SIP, SMTP,
and TCP-UDP. Each proxy policy or ALG has both a client and a server proxy action with different
options. When you configure a new proxy policy, select the Client or Outgoing proxy action to protect
users on your network, and the Server or Incoming proxy action to protect servers on your network.
In this module, we discuss the DNS, FTP, H.323, SIP, and TCP-UDP proxy policies and ALGs. The HTTP,
HTTPS, POP3, and SMTP proxy policies are discussed in other training modules.

About the DNS Proxy

The Domain Name System (DNS) is a distributed system of servers that translates readable, hierarchical
domain names into numeric IP addresses, and vice versa. It is what lets you type the domain name
www.watchguard.com into your browser instead of an IP address such as 200.253.208.100.
It is important to understand that the DNS proxy settings apply only to DNS requests that are routed
through the XTM device. For example, if your network clients are configured to use a DNS server on their
own local network, their queries never cross the XTM device and the DNS proxy settings have no effect on
them.
The DNS proxy action includes these categories:
General
The General category includes the basic DNS protocol anomaly detection rules to deny malformed
and non-standard DNS queries. We recommend that you do not change the default settings for
these rules.
OpCodes
OPcodes (operation codes) are the values of the four-bit OPCODE field in the DNS message header
(RFC 1035) that identify the kind of request, such as a standard query, a dynamic update, or a status
request. If you use Active Directory and your Active Directory configuration requires dynamic DNS
updates, you must allow the Update OPcode in your DNS-Incoming proxy action rules. This is a
security risk, because it lets the sender change records on your DNS server, but it can be necessary
for Active Directory to operate correctly. You use the OpCodes ruleset to allow or deny specific DNS
OPcodes.
Query Types
Use the Query Types category to allow or deny DNS connections based on the type of DNS query
sent in the connection.
Query Names
The Query Names category can be used to allow or deny DNS connections based on the fully
qualified domain name sent in the connection.
Proxy Alarm
The Proxy Alarm category lets you define the type of alarm that is sent any time a notification is
triggered by a DNS proxy action.
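To make the OpCodes, Query Types and Query Names categories concrete, the following Python decodes a DNS request the way a proxy must before it can apply rules, and then applies a small rule table. It is an added example, not WatchGuard code or part of the courseware. The rule values are assumptions: the denied messenger.yahoo.com query name used later in Exercise 1, AXFR and ANY as denied query types, and 10.0.1.10 as an assumed Active Directory domain controller that the DNS-Incoming action allows to send UPDATE. The packets are constructed in-line.

```python
"""Decode DNS requests and apply OpCodes, Query Types and Query Names rules.

Added example for the courseware, not WatchGuard code. The rule table is an
assumption that mirrors the proxy action categories; the test packets are built here.
"""
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
QTYPES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT",
          28: "AAAA", 252: "AXFR", 255: "ANY"}

# Assumed rules. Query Names: the messenger.yahoo.com rule from Exercise 1.
DENIED_QUERY_NAMES = ("messenger.yahoo.com",)
DENIED_QUERY_TYPES = ("AXFR", "ANY")          # zone transfers and catch-all queries
AD_UPDATERS = {"10.0.1.10"}                   # assumed domain controller, DNS-Incoming only


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def build_message(name: str, qtype: int, opcode: int = 0, msg_id: int = 0x1234) -> bytes:
    """One-question DNS request. For UPDATE (opcode 5) the same section is the zone."""
    flags = (opcode & 0xF) << 11                     # QR=0, other header bits clear
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_request(data: bytes) -> dict:
    """Decode the header and first question; raise ValueError on the kind of
    anomaly the General category rejects."""
    if len(data) < 12:
        raise ValueError("short header")
    msg_id, flags, qdcount = struct.unpack("!HHH", data[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set in a request")
    if qdcount != 1:
        raise ValueError("QDCOUNT is %d" % qdcount)
    labels, pos = [], 12
    while True:
        if pos >= len(data):
            raise ValueError("truncated name")
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length >= 0xC0:
            raise ValueError("compression pointer in question name")
        if length > 63:
            raise ValueError("label longer than 63 octets")
        labels.append(data[pos:pos + length].decode("ascii"))   # non-ASCII raises ValueError
        pos += length
    if pos + 4 > len(data):
        raise ValueError("truncated question")
    qname = ".".join(labels).lower()
    if len(qname) > 253:
        raise ValueError("name longer than 253 characters")
    qtype, _qclass = struct.unpack("!HH", data[pos:pos + 4])
    return {"id": msg_id,
            "opcode": OPCODES.get((flags >> 11) & 0xF, "RESERVED"),
            "qname": qname,
            "qtype": QTYPES.get(qtype, str(qtype))}


def proxy_decision(data: bytes, src_ip: str, incoming: bool) -> tuple:
    """Return (action, reason) the way a DNS proxy action would log it.
    incoming=True models DNS-Incoming (protecting your server), False models DNS-Outgoing."""
    try:
        q = parse_request(data)
    except ValueError as err:
        return "deny", "malformed: %s" % err            # General category
    if q["opcode"] == "UPDATE":                          # OpCodes category
        if incoming and src_ip in AD_UPDATERS:
            return "allow", "UPDATE from %s" % src_ip
        return "deny", "opcode UPDATE"
    if q["opcode"] != "QUERY":
        return "deny", "opcode %s" % q["opcode"]
    if q["qtype"] in DENIED_QUERY_TYPES:                 # Query Types category
        return "deny", "query type %s" % q["qtype"]
    for blocked in DENIED_QUERY_NAMES:                   # Query Names category
        if q["qname"] == blocked or q["qname"].endswith("." + blocked):
            return "deny", "query name %s" % q["qname"]
    return "allow", "%s %s" % (q["qtype"], q["qname"])


if __name__ == "__main__":
    print(proxy_decision(build_message("messenger.yahoo.com", 1), "10.0.1.50", False))
    print(proxy_decision(build_message("www.watchguard.com", 1), "10.0.1.50", False))
    print(proxy_decision(build_message("example.com", 6, opcode=5), "10.0.1.10", True))
    print(proxy_decision(build_message("example.com", 6, opcode=5), "10.0.1.50", False))
```

The parser rejects responses, compression pointers and over-long labels before any rule is consulted, which is the order a real proxy must follow: a rule on the query name is meaningless until the name has been decoded safely.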

About the FTP Proxy

The FTP protocol is used to transfer files from clients to servers. Because the FTP protocol does not use
encryption, we recommend that you configure the FTP proxy to protect FTP servers on your network,
or secure the use of external FTP servers by users on your network. Each FTP session uses a control
channel to transmit commands and responses, and one or more optional data channels to send and
receive files.
The FTP proxy includes six categories:
General
These rules control basic FTP parameters such as maximum user name, password, file name, and
command line length. You can also configure the maximum number of times that a user can
attempt to authenticate, and automatically block connections that exceed these limits.
Commands
You can configure rules to put limits on some FTP commands. Use the FTP-Server proxy action to
put limits on commands that can be used on the FTP server protected by your XTM device. Use the
FTP-Client proxy action to put limits on commands that users protected by the XTM device can use
when they connect to external FTP servers. The default configuration of the FTP-Client is to allow all
FTP commands.
You generally should not block these commands, because they are necessary for the FTP protocol
to work correctly:

   Protocol command   Client command   Description
   USER               n/a              Sent with the login name
   PASS               n/a              Sent with the password
   PASV               pasv             Select passive mode for data transfer
   SYST               syst             Print the server's operating system and version. FTP clients
                                       use this information to correctly interpret and display
                                       server responses.

You can block these commands as necessary:

   Protocol command   Client command   Description
   RETR               get              Retrieve a file from the server
   STOR               put              Put a file on the server
   DELE               delete           Delete a file on the server
   RMD                rmdir            Delete a directory on the server
   MKD                mkdir            Create a directory on the server
   PWD                pwd              Print the present working directory path
   NLST               ls               List the names in the current directory path
   LIST               dir              Detailed list of files in the current directory path
   CDUP               cd ..            Move up in the server's directory tree
   CWD                cd <path>        Change to a specific directory on the server
   SITE               site <command>   Send a server-specific command. This command is
                                       associated with FTP denial of service attacks and is often
                                       blocked for all FTP-Server proxy configurations.

Download
The Download ruleset controls the file names, extensions, or URL paths that users can download
with FTP. Use the FTP-Server proxy action to control download rules for the FTP server protected by
your XTM device. Use the FTP-Client proxy action to set download rules for users connecting to
external FTP servers.
Upload
The Upload ruleset controls the file names, extensions, or URL paths that users can use FTP to
upload. Use the FTP-Server proxy action to control upload rules for the FTP server protected by your
XTM device. Use the FTP-Client proxy action to set upload rules for users connecting to external FTP
servers. The default configuration of the FTP-Client is to allow all files to be uploaded.
Antivirus
If you have purchased and enabled the Gateway AntiVirus feature, you can configure the actions to
take if a virus is found in a file that is uploaded or downloaded. For more information, see the training
module on Gateway AntiVirus.
Proxy and AV Alarms
An alarm is a mechanism to tell a network administrator when network traffic matches criteria for
suspicious traffic or content. When an alarm event occurs, the XTM device takes the action that you
configure. For example, you can set a threshold value for file length. If the file is larger than the
threshold value, the device can send a log message to the Log Server.
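As an added example (not WatchGuard code or part of the courseware), the following Python applies the General, Commands, Upload and Download rulesets described above to the client side of a constructed FTP control-channel session against a protected server. The length limits, the denied command set (DELE, RMD and SITE), the denied upload extensions and the allowed download path are assumptions chosen to mirror an FTP-Server proxy action.

```python
"""Control-channel filter modelled on the FTP-Server proxy action's rulesets.

Added example for the courseware, not WatchGuard code. The limits, denied commands
and file patterns are assumptions; the sample session is constructed in-line.
"""
from fnmatch import fnmatch

# General: length limits (assumed values).
MAX_COMMAND_LINE = 512
MAX_USERNAME = 64
# Commands: USER, PASS, PASV and SYST are never in this set; see the table above.
DENIED_COMMANDS = {"DELE", "RMD", "SITE"}
# Upload ruleset: deny these file names. Download ruleset: allow only this path.
UPLOAD_DENY = ("*.exe", "*.bat", "*.vbs")
DOWNLOAD_ALLOW = ("/pub/*",)
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}


def parse_command(line: bytes) -> tuple:
    """Split one control-channel line into (COMMAND, argument).
    Raises ValueError for lines the General rules would treat as malformed."""
    if len(line) > MAX_COMMAND_LINE:
        raise ValueError("command line longer than %d bytes" % MAX_COMMAND_LINE)
    if not line.endswith(b"\r\n"):
        raise ValueError("line not terminated by CRLF")
    text = line[:-2].decode("ascii")   # non-ASCII raises UnicodeDecodeError, a ValueError
    cmd, _, arg = text.partition(" ")
    if not (cmd.isalpha() and 3 <= len(cmd) <= 4):
        raise ValueError("bad command token %r" % cmd)
    return cmd.upper(), arg            # RFC 959 commands are case-insensitive


def ftp_server_decision(line: bytes) -> tuple:
    """Return (action, reason) for one client command sent to the protected server."""
    try:
        cmd, arg = parse_command(line)
    except ValueError as err:
        return "deny", "malformed: %s" % err
    if cmd == "USER" and len(arg) > MAX_USERNAME:
        return "deny", "user name too long"
    if cmd in DENIED_COMMANDS:
        return "deny", "command %s" % cmd
    if cmd in UPLOAD_COMMANDS and any(fnmatch(arg.lower(), p) for p in UPLOAD_DENY):
        return "deny", "upload of %s" % arg
    if cmd == "RETR" and not any(fnmatch(arg, p) for p in DOWNLOAD_ALLOW):
        return "deny", "download of %s" % arg
    return "allow", cmd


def filter_session(lines) -> list:
    """Run every line of a control-channel transcript through the filter."""
    return [ftp_server_decision(line) for line in lines]


# Constructed client side of an FTP session against the protected server.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"SYST\r\n",
    b"PASV\r\n",
    b"RETR /pub/readme.txt\r\n",
    b"RETR /etc/passwd\r\n",
    b"STOR report.txt\r\n",
    b"STOR setup.EXE\r\n",
    b"dele report.txt\r\n",
    b"SITE CHMOD 777 report.txt\r\n",
    b"QUIT\n",                          # bare LF: rejected by the General rules
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_SESSION, filter_session(SAMPLE_SESSION)):
        print(line.rstrip(), verdict)
```

Note that the filter matches on the protocol command after upper-casing it, so a client that sends `dele` in lower case is still caught; this is the protocol-command matching the sidebar below describes, not matching on the client's own command names.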

The Commands ruleset allows or denies based on protocol commands, not client commands. For a full
reference on FTP protocol commands, see RFC 959, section 4.1.
About H.323 and SIP ALGs

Voice-over-IP (VoIP) software and devices use either the H.323 or the SIP protocol to set up calls and
transmit data. You can use the H.323 or SIP ALGs to deny connections that use unauthorized audio or
video codecs, permit or deny specified users the ability to start or receive VoIP calls, and set other
general security settings.
The H.323 and SIP ALGs each have three categories:
General
The options in this category are used to prevent common VoIP attacks and ensure that VoIP
connections follow accepted standards. We recommend that you do not change these settings
unless it is necessary to operate with your VoIP devices, software, or service provider.
Access Control
Use the settings in this category to allow users on your network to start and/or receive VoIP calls.
You can configure a different access level for each user with a hostname, IP address, or email
address.
Denied Codecs
You can use this category to prevent users on your network from sending or receiving calls that use a
codec you have not authorized, or a codec associated with a VoIP service that has known security
problems. Any connection that negotiates a codec from this list is dropped.

About the TCP-UDP Proxy

The TCP-UDP proxy is used to examine and filter HTTP, HTTPS, SIP, and FTP traffic that does not use the
standard ports associated with those protocols. For example, when the TCP-UDP proxy recognizes
HTTP traffic on a port other than TCP port 80, it uses the proxy action you specify to examine that
traffic.
The TCP-UDP proxy has one proxy action category:
General
This category enables the XTM device to examine HTTP, HTTPS, SIP, and/or FTP traffic sent on
non-standard ports using the proxy actions you specify. You can also choose to allow or deny traffic
from other protocols.

Exercise 1: Use the DNS-Outgoing Proxy Action

Because of problems associated with adware accidentally downloaded to their network, the Successful
Company network administrator would like to block DNS requests for messenger.yahoo.com. This site
has been associated with programs that also install malware, such as Gator. Malware refers to a group of
software applications that are usually installed without a user's knowledge or consent. Most malware
programs are designed to capture private information or allow attackers to use resources on your
network.
Add a DNS Outgoing Proxy Policy
1. Click the toolbar icon to add a policy, or select Edit > Add Policy.
The Add Policies dialog box appears.
2. Expand the Proxies folder and double-click DNS-proxy.
The New Policy Properties dialog box appears with the Policy tab selected.
3. In the Name text box, type DNS-Outgoing-Proxy.
You do not need to change the From and To settings because they are already set from your trusted networks
to any computer on the external network.
4. From the Proxy Action drop-down list, make sure DNS-Outgoing is selected.
Block a DNS Request by Query Name
1. Click .
The DNS Proxy Action Configuration dialog box appears for the DNS-Outgoing actions.
2. In the Categories list, select Query Names.
The Query Names list appears with messenger.yahoo.com already in the list, but it is not active. This rule was
included in the default configuration for your use, but is not yet active.
3. To activate the rule, click Change View.
The Rules (advanced view) page appears.
4. Select the messenger.yahoo.com check box.
The default DNS proxy configuration does not deny DNS requests that contain messenger.yahoo.com. To edit
the properties of this rule, click Edit.
5. Click OK to close the DNS Proxy Action Configuration dialog box.
The Clone Predefined or DVCP-created Object dialog box appears. Because DNS-Outgoing is a template, you
cannot change it. Instead, you must make a copy and use it for your policies. The default name for the cloned
policy is DNS-Outgoing.1.
6. In the Name text box, type a new name for this action.
For example, type DNS-Outgoing-Deny-Yahoo-Messenger.
7. Click OK to clone the template.
The proxy action appears in the New Policy Properties dialog box in the Proxy action drop-down list.
8. Click OK to close the New Policy Properties dialog box.

Note: If the Enabled or Action settings are different for any of the rules in the list, you see a warning
message when you try to select Simple View.

9. Click Close to close the Add Policy dialog box.
The DNS-Outgoing-Proxy policy appears in your policy list.
Exercise 2: Configure an FTP-Server Proxy Action

In this exercise, the Successful Company administrator uses Policy Manager to edit the predefined
FTP-Server proxy action to restrict the types of FTP connections to the Successful Company FTP server.
Specifically, the administrator will:
Make sure that users cannot delete a file from the Successful Company FTP server.
Restrict the type of files that users can upload to the FTP server to text files only, to help prevent
abuse of the Successful Company FTP server.
Deny the Delete Command
1. Click .
Or, select Edit > Add Policies.
The Add Policies dialog box appears.
2. Expand the Proxies folder and double-click FTP-proxy.
The New Policy Properties dialog box appears.
3. In the Name text box, type FTP-Proxy-Server.
4. From the Proxy action drop-down list, select FTP-Server. Click .
The FTP Proxy Action Configuration dialog box appears.
5. From the Categories list, select Commands.
6. Click Change View.
The Rules (advanced view) page appears. In the advanced view, you can change command order as well as
add, remove, enable, and disable individual commands.
7. Select the Allow DELE* list item. Click Edit.
The Edit Command Rules dialog box appears for the DELE* rule.
8. From the Action drop-down list, select Deny.

9. Click OK to close the Edit Command Rules dialog box.
The FTP Proxy Action Configuration dialog box appears again, with the Deny DELE* check box enabled.
This rule tells the device to deny any FTP connections that try to delete a file from the FTP server.
Restrict FTP File Uploads to Text Only
Now you configure settings to allow a user to save a text file to the Successful Company FTP server.
1. In the Categories list, select Upload.
2. In the Pattern text box, type *.txt. Click Add.
The *.txt item appears in the Upload list. This enables the device to allow text files to be uploaded to the
FTP server.
3. Click OK to close the FTP Proxy Action Configuration dialog box.
The Clone Predefined or DVCP-created Object dialog box appears. Because FTP-Server is a template, you
cannot change it. Instead, you must make a copy and use it for your policies. The default name for the cloned
policy is FTP-Server.1.
4. In the Name text box, type a new name for this action.
For example, type FTP-Server-Deny-Delete-Upload-TXT.
5. Click OK to clone the template.
The proxy action appears in the New Policy Properties dialog box in the Proxy action drop-down list.
6. Click OK to close the New Policy Properties dialog box.
7. Click Close to close the Add Policies dialog box.
The FTP-Proxy-Server policy appears in Policy Manager.

Exercise 3: Set Access Controls on H.323 Connections

The Successful Company has recently invested in some VoIP devices as part of a network expansion.
These devices use the H.323 protocol. However, some employees in the Sales department have
installed their own VoIP software on their computers, and this has led to network congestion and other
problems. In this exercise, the administrator creates an H.323 ALG that allows a few employees to start
or receive VoIP calls, and prevents all other employees from using H.323 VoIP devices.

1. Click .
Or, select Edit > Add Policies.
The Add Policies dialog box appears.
2. Expand the Proxies folder and double-click H323-ALG.
The New Policy Properties dialog box appears with the Policy tab selected.
3. In the Name text box, type H323-VoIP-Limited.
4. From the Proxy Action drop-down list, make sure H.323-Client is selected.
5. Click .
The H323-ALG Action Configuration dialog box appears.
6. In the Categories list, select Access Control.
7. Select the Enable access control for VoIP check box.
8. In the Address of Record text box, type user1@wgtraining.com.
9. From the Access level drop-down list, select Start and receive calls.
10. Click Add.
user1@wgtraining.com appears in the Access Levels list. The Log check box is selected by default.
11. Repeat Steps 8-9 and add user2@wgtraining.com and user3@wgtraining.com to the Access
Levels list.
12. Click OK to close the H323-ALG Action Configuration dialog box.
The Clone Predefined or DVCP-created Object dialog box appears. Because H323-Client is a template, you
cannot change it. Instead, you must make a copy and use it for your policies. The default name for the cloned
policy is H323-Client.1.
13. In the Name text box, type a new name for this action.
For example, type H323-Client-VoIP-Limited.
14. Click OK to clone the template.
The proxy action appears in the New Policy Properties dialog box in the Proxy action drop-down list.
15. Click OK to close the New Policy Properties dialog box.
The H323-VoIP-Limited ALG appears in Policy Manager.
16. Click Close to close the Add Policies dialog box.
Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.
1. Fill in the blank: To protect your DNS server from attacks, you configure a DNS-proxy policy with
the _____________ proxy action.
2. What is the function of a DNS server? (Select one.)
A) Distribute IP addresses to computers when they connect to a network
B) Assign domain names to individual networks
C) Translate numeric IP address into readable Internet addresses
D) Distribute MAC addresses to computers when they connect to a network
E) Connect IP addresses to their associated MAC addresses

3. What is the best pattern match to block FTP uploads of Microsoft Excel spreadsheets? (Select one.)
A) *.xls
B) *XLS
D) .*ls
E) *.x*

4. True or false? An Application Layer Gateway (ALG) is the same as a packet filter policy.
5. What are some reasons to create a TCP-UDP-proxy? (Select all that apply.)
A) Examine DNS traffic that is not sent over TCP port 53
B) Examine HTTP traffic that is not sent over TCP port 80
C) Block instant messaging and peer-to-peer applications
D) Block email viruses in SMTP and POP3 traffic
E) Filter FTP traffic sent through data channels

Email Proxies
Work with the SMTP and POP3 Proxies

What You Will Learn

Your XTM device uses two proxy policies to control email traffic: SMTP and POP3. In this training
module, you learn how to:
Restrict the types of connections to an SMTP server
Modify the allowable message size
Allow and deny different content types and filenames
Restrict email by attachment filename
Deny incoming SMTP traffic by domain
Restrict outgoing POP3 traffic and lock attachments
Before you begin these exercises, make sure you read the Course Introduction module.
For more information about the protocols used for email and controlled by the SMTP and POP3 proxies,
see the RFC Archives:
SMTP RFC 821 at http://tools.ietf.org/html/rfc821
POP3 RFC 1939 at http://www.faqs.org/rfcs/rfc1939.html

Control the Flow of Email In and Out of Your Network

WatchGuard System Manager includes two proxy policy templates to manage email: SMTP (Simple
Mail Transfer Protocol) and POP3 (Post Office Protocol). There are significant differences between the
two protocols, so most organizations rely on either one or the other rather than using both in the same
network. For example, you can deny or quarantine SMTP messages. With POP3, however, you can only
strip or lock attachments but not stop the delivery of a message. This makes POP3 slightly less secure.
SMTP Rulesets
SMTP is a protocol used to send email messages between servers, or between clients and servers. The
default port for SMTP traffic is TCP port 25. You can use the SMTP-proxy to control email messages and
email content. The proxy scans SMTP messages and compares their contents to the rules in the proxy
configuration.
The SMTP-proxy checks the message for harmful content and RFC compliance. It examines the SMTP
headers, message recipients, senders, and content, as well as any attachments. The SMTP-proxy can
restrict traffic from specific user names or domains. It can also strip unwanted or dangerous SMTP
headers, filter attachments by filename or MIME content type, or deny the email based on an address
pattern. The ability to strip header information is particularly valuable to many network administrators.
The SMTP-proxy requires no additional configuration for either your email server or your network
clients.
When you create an SMTP-proxy policy, you can choose from two default proxy actions:
SMTP-Incoming
This proxy action includes rulesets to protect your SMTP email server from external traffic.
SMTP-Outgoing
This proxy action includes rulesets to control outgoing SMTP connections from users on your
trusted and optional networks.
POP3 Rulesets
POP3 is a protocol that moves email messages from an email server to an email client. The POP3
protocol operates on TCP port 110. Most Internet-based email accounts use POP3. With POP3, an email
client contacts the email server and checks for any new email messages. If it finds a new message, it
downloads the email message to the local email client. After the message is received by the email
client, the connection is closed.
When you create a POP3-proxy policy, you can choose from two default proxy actions:
POP3-Server
This proxy action includes rulesets to protect your POP3 email server from external traffic.
POP3-Client
This proxy action includes rulesets to control outgoing POP3 connections from users on your
trusted and optional networks to public POP3 servers.
You can use the default settings for the SMTP and POP3 proxy actions, or you can modify the proxy
action settings to match the needs of your organization. In this module, we will show you how to
modify the incoming and outgoing proxy action rulesets.

Exercise 1: Use the SMTP-Proxy to Protect Your Mail Server

Successful Company is growing. With all the new employees, incoming email is increasingly a potential
vector for malware. In this exercise, we use Policy Manager to configure an incoming SMTP-proxy policy
to protect their SMTP server.
Add an Incoming SMTP-Proxy Policy
In the NAT training module, we added an incoming SMTP-proxy policy so that we could use network
address translation (NAT) to protect the Successful Company SMTP server. If you did not complete that
exercise, you may need to add an SMTP-Incoming proxy policy.
1. Open the configuration file you are editing for these exercises.
If you want to use the policy created in the NAT training module, open that configuration file and continue
with Step 4.
2. Click .
Or, select Edit > Add Policy.
The Add Policies dialog box appears.
3. Expand the Proxies folder.
4. Select SMTP-proxy and click Add.
The New Policy Properties dialog box appears with the Policy tab selected.
5. In the Name text box, type SMTP-Incoming-Proxy.
6. From the Proxy Action drop-down list, select SMTP-Incoming.
7. In the To section, click Add.
The Add Address dialog box appears.
8. Click Add SNAT.
The SNAT dialog box appears.
9. Click Add.
The Add SNAT dialog box appears.
10. In the SNAT Name text box, type SMTP-Incoming-SNAT.
11. Make sure the Static NAT option is selected.
12. Click Add.
The Add Static NAT dialog box appears.
13. In the Internal IP Address text box, type 10.0.1.25.
This is the IP address of the Successful Company SMTP server on the trusted network.
14. Click OK to close the Add Static NAT dialog box.
The new Static NAT entry appears in the SNAT Members list.
15. Click OK to close the Add SNAT dialog box.
The SMTP-Incoming-SNAT entry appears in the SNAT list.
16. Click OK to close the SNAT dialog box.
The SMTP-Incoming-SNAT entry appears in the Selected Members and Addresses list.
17. Click OK to close the Add Address dialog box.
The New Policy Properties dialog box appears.
18. Adjacent to the Proxy action drop-down list, click .
The SMTP Proxy Action Configuration dialog box appears.
19. In the Description text box, type Modified policy for email inbound.
Decrease Maximum Message Size
The default maximum email message size is 10 MB. In the past, Successful Company employees used
email to exchange files with outside vendors. Now that Successful Company has a protected FTP server,
the network administrator wants to discourage using the email server for large attachments. In this
exercise we will reduce the maximum email size to 5 MB (5,000 kilobytes).
In the SMTP Proxy Action Configuration dialog box:
1. In the Categories list, expand General and select General Settings.
The General Settings page appears.
2. In the Limits section, select the Set the maximum email size to check box. In the adjacent text
box, type 5000.

Note: Encoding can increase the length of files by up to one-third.
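The note above about encoding overhead can be quantified. This added Python example (not from the courseware) computes how large a raw attachment can be before its base64-encoded form exceeds the 5,000 KB limit set in this exercise, and checks a constructed message built with the standard library. It assumes 1 KB = 1000 bytes, as the page's "5 MB (5,000 kilobytes)" implies, and ignores how the XTM device itself measures a message; the helper names are hypothetical.

```python
from email.message import EmailMessage

# Value typed into "Set the maximum email size to" in the exercise. The page
# reads 5 MB as 5,000 kilobytes, so 1 KB = 1000 bytes is assumed here.
MAX_EMAIL_KB = 5000
KB = 1000


def encoded_attachment_size(raw_len):
    """Bytes a raw_len-byte binary attachment occupies once it is base64-encoded
    into 76-character MIME lines ending in CRLF (RFC 2045 limits).
    Constructed helper: it counts only the encoded body, not headers or boundaries."""
    if raw_len <= 0:
        return 0
    b64_chars = -(-raw_len // 3) * 4      # ceil(raw_len / 3) groups of 4 characters
    lines = -(-b64_chars // 76)           # ceil(chars / 76) lines
    return b64_chars + 2 * lines          # plus CRLF after every line


def largest_raw_attachment(limit_kb=MAX_EMAIL_KB, kb=KB):
    """Largest raw file (in bytes) whose encoded body still fits under the limit.
    Binary search works because encoded_attachment_size is monotonic."""
    limit = limit_kb * kb
    lo, hi = 0, limit
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if encoded_attachment_size(mid) <= limit:
            lo = mid
        else:
            hi = mid - 1
    return lo


def wire_size(raw, filename="data.bin"):
    """Serialized size of a complete message that carries `raw` as a base64
    attachment (constructed sample addresses; the standard library does the encoding)."""
    msg = EmailMessage()
    msg["From"] = "alice@wgtraining.com"
    msg["To"] = "bob@wgtraining.com"
    msg["Subject"] = "size check"
    msg.set_content("See attached.")
    msg.add_attachment(raw, maintype="application", subtype="octet-stream",
                       filename=filename)
    return len(msg.as_bytes())


def exceeds_limit(raw, limit_kb=MAX_EMAIL_KB, kb=KB):
    """True when the serialized message is larger than the configured limit."""
    return wire_size(raw) > limit_kb * kb


if __name__ == "__main__":
    sample = bytes(4 * 1000 * 1000)   # constructed 4 MB attachment of zero bytes
    print("raw bytes:", len(sample))
    print("encoded body estimate:", encoded_attachment_size(len(sample)))
    print("serialized message:", wire_size(sample))
    print("exceeds 5,000 KB limit:", exceeds_limit(sample))
    print("largest raw attachment that fits:", largest_raw_attachment())
```

A file that is under the limit on disk can still be rejected once encoded, so the limit you configure should be chosen with the encoded size in mind.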

Allow and Deny Content Types and Filenames
Successful Company employees complain that they cannot receive certain email attachments that they
need to do their jobs. By default, the SMTP incoming proxy is highly secure and allows very few types of
email attachments. Because the network administrator does not have a comprehensive list of the MIME
types that his organization's employees use on a regular basis, he decides to turn content type filtering
off but continue to filter email attachments by filename. He can do this until he understands better
what content types are used. He understands this is a temporary reduction in security, but he accepts
the business risk.
At the same time, the Successful Company network administrator realizes that it is very important to
carefully restrict email attachments by filename. He accepted the default list of filenames denied by the
SMTP-Incoming ruleset. Now he must make two changes to meet the needs of his organization. He
must configure the XTM device to allow Microsoft Access database files to go through the SMTP-proxy.
He must also configure the device to deny MP4 files because of a recent vulnerability announced by
Apple.
In the SMTP Proxy Action Configuration dialog box:
1. In the Categories list, expand Attachments and select Content Types.
The Content Types page appears with the Rules tab selected.
2. In the Actions to take section, from the None Matched drop-down list, select Allow.
This allows all content types through the device to the SMTP server. After Successful Company is able to make a
list of the specific content types they want to allow, they set this parameter to strip all content types that do
not match their list of allowed content types.
3. In the Categories list, expand Attachments and select Filenames.
The Filenames page appears.
4. Click Change View to switch to Advanced View.
5. In the Filenames list, double-click .mdb.
The Edit Filenames Rule dialog box appears for the .mdb filename extension. This filename extension is for
Microsoft Access databases.
6. From the Action drop-down list, select Allow. Click OK.
The SMTP Proxy Action Configuration dialog box appears.
7. Click Add.
The New Filenames Rule dialog box appears.
8. In the Rule Name text box, type mp4.
9. In the Rule Settings text box, type *.mp4.
10. In the Action drop-down list, select Strip. Click OK.
The SMTP proxy action is now configured to deny all files with the Apple iTunes .mp4 file extension sent to
the SMTP server.
Control Mail Domain Use for Incoming Traffic
Another way to protect your SMTP server is to restrict incoming traffic to only messages that use your
company domain. In this example, we use the wgtraining.com domain.
In the SMTP Proxy Action Configuration dialog box:
1. In the Categories list, expand Address and select Rcpt To.
The Rcpt To page appears.
2. In the Pattern text box, type *@wgtraining.com. Click Add.
*@wgtraining.com appears in the Rules list.
This denies any email messages sent to an address that does not match the company domain.

3. Click OK to close the SMTP Proxy Action Configuration dialog box.
The Clone Predefined or DVCP-created Object dialog box appears.
Because SMTP-Incoming is a template, you cannot change it. You can only make a copy and use it for your
policies.
4. In the Name text box, type SMTP-Incoming-Email.
5. Click OK to clone the template.
The New Policy Properties dialog box appears, with SMTP-Incoming-Email in the Proxy action drop-down list.
6. Click OK to close the New Policy Properties dialog box.
7. Click Close to close the Add Policies dialog box.
The SMTP-Incoming-Proxy policy appears in your policy list.
Exercise 2: Control Outgoing SMTP Connections

A network administrator at Successful Company has reviewed the default rule sets that are
included with the SMTP-Outgoing proxy action and wants to make these three changes:
Remove the restriction on email size
Make sure that all outgoing email is from the Successful Company domain
Prevent users from sending email with Microsoft Windows screensavers attached
Add an Outgoing SMTP-Proxy Policy
To configure all outgoing SMTP traffic, the Successful Company first adds an outgoing SMTP-proxy
policy.

1. Click .
Or, select Edit > Add Policy.
The Add Policies dialog box appears.
2. Expand the Proxies folder and double-click SMTP-proxy.
The New Policy Properties dialog box appears.
3. In the Name text box, type SMTP-Server-Outgoing.
4. In the From list, select Any-External. Click Remove.
Any-External is removed from the From list.
5. Click Add.
The Add Address dialog box appears.
6. Click Add Other.
The Add Member dialog box appears.
7. In the Value text box, type 10.0.1.25.
8. Click OK to close the Add Member dialog box.
The IP address appears in the Selected Members and Addresses list.
9. Click OK to close the Add Address dialog box.
The IP address appears in the New Policy Properties dialog box in the From list. The Successful Company
SMTP server on the trusted network is now added to the policy.
10. In the To section, click Add.
The Add Address dialog box appears.
11. In the Available Members list, double-click Any-External.
Any-External appears in the Selected Members and Addresses list.
12. Click OK.
The policy now controls all traffic from the SMTP server to any computer on the external networks.
13. From the Proxy action drop-down list, select SMTP-Outgoing.

Control Email Message Size
Successful Company management requests that there not be limits on the size of outgoing email. To
configure this setting, we will update the outgoing SMTP rulesets.
In the New Policy Properties dialog box:

1. On the Policy tab, adjacent to the Proxy action drop-down list, click .
2. In the Categories list, expand General and select General Settings.
The General Settings page appears.
The setting changes made for the SMTP incoming proxy do not appear here. This policy controls only
outgoing SMTP traffic.
3. In the Limits section, clear the Set the maximum e-mail size to check box.
This removes any restrictions on email size.
Control Mail Domain Use for Outbound SMTP
Successful Company's network administrators want to make sure that only mail sent from addresses in
their domain is allowed out through the XTM device. This protects their mail server from abuse as a
relay.
Another way to keep your server from being used as a relay is to use the Rewrite Banner Domain and
Rewrite HELO Domain options included in the SMTP-proxy action General Settings. This enables your
XTM device to change the From and To components of your email address to a different value. This
feature is also known as SMTP masquerading.
In the SMTP Proxy Action Configuration dialog box:
1. In the Categories list, expand Address and select Mail From.
2. In the Pattern text box, type *wgtraining.com. Click Add.
*wgtraining.com appears in the Rules list. This denies any email messages with a Mail From address that
does not match the company domain.

Note: In this exercise, we use the example.com domain.

Restrict Email by Attachment Filename
The Successful Company network administrators are aware that Windows screensavers are sometimes
associated with viruses and have no positive effect on their business. These screensavers, with a
filename extension of .scr, are denied by default in the SMTP-Incoming proxy action. To make sure that
their users do not accidentally send out a virus-infected email message, and to make sure that no virus
forwards infected messages with the SCR filename as an attachment, they want to deny the .scr file
extension for outgoing email. They also want to make sure they are notified by email if anyone tries to
send a Windows screensaver with the .scr file extension.
In the SMTP Proxy Action Configuration dialog box:
1. In the Categories list, expand Attachments and select Filenames.
The Filenames page appears.
2. In the Pattern text box, type *.scr*. Click Add.
*.scr* appears in the Rules list.
The asterisk at the end of the pattern makes sure that Windows screensavers with a trailing filename
extension (such as *scr.txt) are also blocked.
3. From the If Matched drop-down list, select Strip.
This removes any attachment with .scr in the filename extension, but allows the rest of the email through.
4. Adjacent to the If matched drop-down list, select the Alarm and Log check boxes.
5. In the Categories list, select Proxy and AV Alarms.
The Proxy and AV Alarms page appears.
6. Select the Send Notification check box and the Email option.
7. Click OK to close the SMTP Proxy Action Configuration dialog box.
The Clone Predefined or DVCP-created Object dialog box appears.
8. (Optional) In the Name text box, type a unique name for the proxy action.
The default name for a clone is SMTP-Outgoing.1. You can also give it a friendly name to help you recognize it.
9. Click OK to clone the template.
The New Policy Properties dialog box appears.
10. Click OK to close the New Policy Properties dialog box.
The Add Policies dialog box appears.
11. Click Close.
The new SMTP policy appears in the policies list.
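To make the pattern semantics in these exercises concrete, here is an added Python model (not WatchGuard code) of an ordered rule list with its If Matched and None Matched actions, applied to the Rcpt To, Mail From and Filenames rules configured in Exercises 1 and 2; the same "*" matching is what the DNS query-name and FTP upload patterns in the Proxy Policies module rely on. First-match ordering and case-insensitive comparison are assumptions, and the Rule and Ruleset classes and check_message are hypothetical names.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    """One row of a proxy-action rule list. Field names mirror the columns of the
    Policy Manager advanced view; the class itself is a constructed model."""
    name: str
    pattern: str          # wildcard pattern as typed in the Pattern box, e.g. "*.scr*"
    action: str           # "Allow", "Deny" or "Strip" (Strip removes only the attachment)
    enabled: bool = True  # the Enabled check box
    alarm: bool = False   # the Alarm check box
    log: bool = True      # the Log check box, selected by default


def wildcard_to_regex(pattern):
    """Translate a pattern in which only '*' is special into an anchored regex.
    Case-insensitive matching is an assumption, not something the page states."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


class Ruleset:
    """An ordered rule list plus the 'None Matched' action. Assumed semantics:
    rules are tested top to bottom and the first enabled match decides."""

    def __init__(self, rules, none_matched):
        self.rules = [(r, wildcard_to_regex(r.pattern)) for r in rules]
        self.none_matched = none_matched

    def evaluate(self, value):
        for rule, rx in self.rules:
            if rule.enabled and rx.match(value):
                return rule.action, rule
        return self.none_matched, None


# The rules the two exercises add (constructed; the default deny list that ships
# with SMTP-Incoming is not reproduced, so None Matched is Allow for filenames).
INCOMING_RCPT_TO = Ruleset([Rule("company domain", "*@wgtraining.com", "Allow")], "Deny")
INCOMING_FILENAMES = Ruleset([Rule(".mdb", "*.mdb", "Allow"),
                              Rule("mp4", "*.mp4", "Strip")], "Allow")
OUTGOING_MAIL_FROM = Ruleset([Rule("company domain", "*wgtraining.com", "Allow")], "Deny")
OUTGOING_FILENAMES = Ruleset([Rule("scr", "*.scr*", "Strip", alarm=True)], "Allow")


def check_message(mail_from, rcpt_to, attachments, direction):
    """Run one message through the envelope ruleset and then the filename ruleset
    for the given direction ("incoming" or "outgoing"). An envelope Deny rejects
    the whole message; Strip drops just the matching attachment and records an
    alarm when the rule's Alarm box is selected."""
    if direction == "incoming":
        envelope = [("Rcpt To", rcpt_to, INCOMING_RCPT_TO)]
        filenames = INCOMING_FILENAMES
    else:
        envelope = [("Mail From", mail_from, OUTGOING_MAIL_FROM)]
        filenames = OUTGOING_FILENAMES
    result = {"accepted": True, "reason": None, "stripped": [], "alarms": []}
    for label, value, ruleset in envelope:
        action, rule = ruleset.evaluate(value)
        if action == "Deny":
            result["accepted"] = False
            result["reason"] = f"{label} {value!r}: {rule.name if rule else 'None Matched'}"
            return result
    for name in attachments:
        action, rule = filenames.evaluate(name)
        if action == "Strip":
            result["stripped"].append(name)
            if rule is not None and rule.alarm:
                result["alarms"].append(f"rule {rule.name} matched {name!r}")
        elif action == "Deny":
            result["accepted"] = False
            result["reason"] = f"attachment {name!r}: {rule.name if rule else 'None Matched'}"
            return result
    return result


if __name__ == "__main__":
    # Constructed sample traffic.
    print(check_message("vendor@example.net", "bob@wgtraining.com",
                        ["q3.mdb", "demo.mp4"], "incoming"))
    print(check_message("alice@wgtraining.com", "friend@example.net",
                        ["report.txt", "fun.scr", "fun.scr.txt"], "outgoing"))
    # "*wgtraining.com" contains no "@", so it also accepts senders whose domain
    # merely ends in wgtraining.com; "*@wgtraining.com" is the tighter form.
    print(check_message("alice@evilwgtraining.com", "x@example.net", [], "outgoing"))
```

Note that a trailing asterisk, as in *.scr*, also matches names such as notes.scratch, so review what a broad pattern strips before enabling Alarm on it.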

Note: You can export custom proxy configurations from one configuration to an XML file, and then import
the ruleset to another XTM device configuration file. You can see the Import and Export functions when
you look at a proxy ruleset in the Advanced view.

Exercise 3: Use a POP3-Client Policy

Successful Company's network policy is to prohibit connections to all external POP3 servers.
Unfortunately, the new CFO insists on downloading his personal mail from Impersonal ISP. He says he
absolutely cannot do business without this service, and the CEO concurs. However, the CEO insists that
the CFO must not be able to download attachments with his POP3 account. In this exercise, we will use
the POP3-proxy to allow the CFO to connect to his service provider. While we cannot quarantine his
attachments, we can lock them. There is a small hope that this will prove so inconvenient that the CFO will
want to switch to the company Exchange server.
Add a POP3 Client Policy
1. Click .
Or, select Edit > Add Policy.
The Add Policies dialog box appears.
2. Expand the Proxies folder.
3. Double-click POP3-proxy.
The New Policy Properties dialog box opens.
4. In the Name text box, type POP3-CFO.
5. In the From list, select Any-Trusted. Click Remove.
Any-Trusted is removed from the From list.
6. Click Add.
The Add Address dialog box appears.
7. Click Add Other.
The Add Member dialog box appears.
8. In the Value text box, type 10.0.1.202.
9. Click OK to close the Add Member dialog box.
The Add Address dialog box appears with the IP Address in the Selected Members and Addresses list.
10. Click OK to close the Add Address dialog box.
The New Policy Properties dialog box appears.
These actions add the Successful Company CFO's desktop computer on the trusted network to the policy.
11. In the To list, select Any-External. Click Remove.
Any-External is removed from the To list.
12. Click Add.
The Add Address dialog box appears.
13. Click Add Other.
The Add Member dialog box appears.
14. From the Choose Type drop-down list, select Host Name (DNS lookup).
15. In the Value text box, type mail.yahoo.com.
16. Click OK to close the Add Member dialog box.
The Add Address dialog box appears. Policy Manager does a one-time DNS lookup for the host name
mail.yahoo.com. The IP Address for mail.yahoo.com appears in the Selected Members and Addresses list.
17. Click OK to close the Add Address dialog box.
The New Policy Properties dialog box appears with the IP Address for mail.yahoo.com in the To list. Now the
policy controls all traffic from the CFO to the mail servers.

Configure the POP3 Policy to Lock Attachments
On the Policy tab:
1. From the Proxy action drop-down list, select POP3-Client.
2. Adjacent to the Proxy action drop-down list, click .
The POP3 Proxy Action Configuration dialog box appears.
3. In the Categories list, expand Attachments and select Content Types.
The Content Types page appears. By default, Content Type auto-detection is enabled and attachments are
allowed.
4. From the If matched drop-down list, select Lock.
This setting enables the CFO to receive locked attachments that match the content types listed. All other
attachments are stripped.
5. Click OK to close the POP3 Proxy Action Configuration dialog box.
The Clone Predefined or DVCP-created Object dialog box appears.
6. (Optional) In the Name text box, type a unique name for the proxy action.
The default name for the clone is POP3-Client.1. You can also give it a friendly name to help you recognize it.
7. Click OK to clone the template.
8. Click OK to close the New Policy Properties dialog box.
9. Click Close to close the Add Policies dialog box.
The POP3-CFO policy appears in your policy list.
10. Save the configuration file as EmailProxies-Done.
Test Your Knowledge

Use the questions below to practice what you have learned and exercise new skills.
1. Which of the following can an SMTP-proxy check that an SMTP packet filter cannot?
(Select all that apply):
A) Source IP Address
B) Content
C) RFC compliance
D) Packet Header
E) Attachment

Use this image to answer questions 2 through 4.

2. True or false? The XTM device will deny uu-encoded attachments.
3. The XTM device will allow up to ____ bytes in one line of an email before it denies the message.
4. True or false? The XTM device will rewrite the Banner Domain.
5. Choose the most appropriate SMTP-proxy action for each task. (Select one.)
Task                                                                SMTP-Incoming   SMTP-Outgoing
Protect your company network from the ILOVEYOU virus
Reduce the number of very large files sent by email to your users
Reduce spam
Prevent your network from being used as a spam relay
Block pornographic images being sent to your users
Keep your users from sending MP3s to their friends

6. True or false? Many free, public email servers use POP3.
7. True or false? You can use the POP3-Client proxy action to deny messages received from a POP3
server.

Authentication
Verify a User's Identity

What You Will Learn

User authentication is a process that allows a device to verify the identity of someone who connects to a
network resource. In this training module, you are shown how to:
Understand authentication and how it works with the XTM device
List the types of third-party authentication servers you can use with Fireware XTM
Use Firebox authentication users and groups
Add a Firebox authentication group to a policy definition
Modify authentication timeout values
Use the XTM device to create a custom web server certificate
Before you begin these exercises, make sure you read the Course Introduction module.
For information about WatchGuard LiveSecurity Alerts & Advice, see:
Authentication and the Firebox:
http://www.watchguard.com/archive/showhtml.asp?pack=135056
Foundations: Cryptography 101: http://www.watchguard.com/archive/showhtml.asp?pack=1775
In this module, you will configure the XTM device to use third-party authentication servers. If you take
this course with a WatchGuard Certified Training Partner, your instructor may provide you with
configuration details for authentication servers on a local network. For self-instruction, we encourage
you to get the information needed to configure the XTM device for the authentication method used by
your organization.

Monitor and Control Network Traffic by User

Because all traffic into and out of your network passes through the XTM device, you can use its
authentication features to monitor and control connections on a user-by-user basis. The XTM device has
its own authentication server, and can connect to several types of third-party authentication servers.
Authentication is very important when you use dynamic IP addressing (DHCP) for computers on trusted
or optional networks. It is also important if you must identify your users before you let them connect to
resources on the external network.
You can use WatchGuard System Manager to configure authentication differently for each policy. For
example, you can force some users to authenticate before they connect to an FTP server, but allow
them to browse the Internet without authenticating first.
How Firebox User Authentication Works
A special HTTPS server operates on the XTM device to accept authentication requests. To authenticate,
a user must connect to the authentication web page on the XTM device. The address is:
https://<trusted or optional device interface IP address>:4100/
The user must type a user name and password. The authentication page sends the name and password
to the selected authentication server using a challenge and response protocol (PAP). After the
authentication server responds that the user is authenticated, the user is allowed to use approved
network resources. The user can close the browser window after authentication is completed. By
default, each user stays authenticated for up to two hours after the last connection to a network
resource for which authentication is necessary.
A user can click Logout on the authentication web page to close their session before the two-hour
timeout elapses. If the web page was previously closed, the user must open it again and click Logout to
disconnect.
To prevent a user from authenticating, you must disable the account on the authentication server.
You can also require your users to authenticate to the authentication portal before they can get access
to the Internet. You can choose to automatically send users to the portal, or have them manually
navigate to the portal. This applies only to HTTP and HTTPS connections.
Use Authentication from the External Network
The primary function of the authentication tool is for outgoing traffic. You can also create policies that
require external users to authenticate before they can get access to protected network resources. You
must configure the WG-Auth policy to allow users on an external network to authenticate to the XTM
device. External users type this URL in their browser to connect to the XTM device for authentication:
https://<public IP address of a device external interface>:4100/
Use Authentication through a Gateway Firebox to Another XTM Device
To send an authentication request through a gateway Firebox to a different XTM device, you must add
a policy to allow the authentication traffic on the gateway Firebox. On the gateway Firebox, use Policy
Manager to add the WG-Auth policy, which controls traffic on TCP port 4100. Configure the policy to
allow traffic to the IP address of the destination XTM device.
Authentication Methods Available with Fireware XTM
Fireware XTM supports multiple authentication servers:
Firebox
RADIUS
SecurID
VASCO
Generic LDAP (Lightweight Directory Access Protocol)
Active Directory
When you use a third-party authentication server, follow the instructions from the manufacturer to
configure it correctly. The server must be accessible from the XTM device, which usually means that it is
installed on an optional network for greater security.
You can configure a primary and backup authentication server. If the XTM device cannot connect to the
primary authentication server after three attempts, the primary server is marked as dead and an alarm
message is generated. The device then attempts to connect to the backup authentication server. If the
device cannot connect to the backup authentication server, it waits ten minutes, and then tries to
connect to the primary authentication server again.
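The failover sequence just described, modelled as an added example (not WatchGuard code) so the alarm and the ten-minute hold-down can be exercised without a live RADIUS or LDAP server. The `reachable` callback is a hypothetical stand-in for the real connection attempt, the server addresses are constructed, and the reading that the primary is only retried once the ten-minute wait has elapsed is our assumption.

```python
from typing import Callable, List, Optional

MAX_ATTEMPTS = 3                 # failed attempts before the primary is marked dead
RETRY_PRIMARY_AFTER = 10 * 60    # seconds to wait before trying the primary again


class AuthServerPool:
    """Primary/backup selection with the failover rules the module describes."""

    def __init__(self, primary: str, backup: Optional[str],
                 reachable: Callable[[str], bool]) -> None:
        self.primary = primary
        self.backup = backup
        self.reachable = reachable            # hypothetical connect callback
        self.primary_dead_since: Optional[int] = None
        self.alarms: List[str] = []           # what an admin would see in the logs
        self.attempts: List[str] = []         # every connection attempt, for inspection

    def _try_server(self, server: str) -> bool:
        """Up to MAX_ATTEMPTS connection attempts; True on the first success."""
        for _ in range(MAX_ATTEMPTS):
            self.attempts.append(server)
            if self.reachable(server):
                return True
        return False

    def authenticate(self, user: str, now: int) -> Optional[str]:
        """Return the server that answered the request for `user`, or None.

        `now` is a monotonic clock in seconds so the ten-minute hold-down can
        be tested without sleeping.
        """
        # Hold-down elapsed: the primary is eligible again.
        if (self.primary_dead_since is not None
                and now - self.primary_dead_since >= RETRY_PRIMARY_AFTER):
            self.primary_dead_since = None

        if self.primary_dead_since is None:
            if self._try_server(self.primary):
                return self.primary
            # Three failures: mark dead and raise the alarm the module mentions.
            self.primary_dead_since = now
            self.alarms.append("t=%d primary authentication server %s marked dead"
                               % (now, self.primary))

        if self.backup is not None and self._try_server(self.backup):
            return self.backup
        return None
```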
Use the Firebox Authentication Server
You can use the XTM device as an authentication server. This feature is often used by customers who do
not have a third-party authentication server and do not need to manage user accounts centrally for
multiple applications.
You must perform these steps to prepare your XTM device as an authentication server:
Divide your company into groups according to tasks people do and information they need
Create users for the groups
Assign groups and users to policies
About Third-party Authentication Servers
The procedure to configure the XTM device to use a third-party authentication server is similar for each
of the supported server types. Before you configure your authentication server:
You must have the configuration information for your server such as server port, IP address, and
shared secret. If you use Active Directory or LDAP, you must also know the group membership
attribute and Distinguished Name (DN) of the Organizational Unit (OU) that contains the user
accounts.
If it is available, you can configure the XTM device with a backup authentication server to contact if
it cannot connect to the primary authentication server.
The XTM device must be able to connect to the authentication server(s).
You must add the WatchGuard Authentication policy.
RADIUS Authentication Servers
Remote Authentication Dial-In User Service (RADIUS) authenticates the local and remote users on a
company network. RADIUS is a client/server system that keeps the authentication information for
users, remote access servers, VPN gateways, and other resources in one central database.
The authentication messages to and from the RADIUS server always use an authentication key. This
authentication key, or shared secret, must be the same on the RADIUS client and server. Without this
key, hackers cannot decrypt the authentication messages. Note that RADIUS sends a key, and not the
password the user typed, during authentication. For web and Mobile VPN authentication, RADIUS
supports only PAP (not CHAP) authentication. For authentication with PPTP, RADIUS supports only
MSCHAPv2.
To use RADIUS server authentication with the XTM device, you must:
Add the IP address of the XTM device to the RADIUS server, as described in the RADIUS vendor
documentation.
Enable and specify the RADIUS server in your device configuration.
Add RADIUS user names or group names to the policies in Policy Manager.
VASCO server authentication also uses the RADIUS configuration user interface.
SecurID Authentication Servers
To use SecurID authentication, you must configure both the RADIUS and ACE/Server servers correctly.
Each user must also have an approved SecurID token and a PIN (personal identification number). Refer
to the RSA SecurID instructions for more information.
LDAP Authentication Servers
You can use an LDAP (Lightweight Directory Access Protocol) authentication server to authenticate
your users to the XTM device. LDAP is an open standard protocol for using online directory services,
and it operates with Internet transport protocols, such as TCP. Before you configure your XTM device for
LDAP authentication, make sure you check your LDAP vendor documentation to see if your installation
requires case-sensitive attributes.
When you configure the device to use LDAP authentication, you must set a search base to limit the
server directories in which the device searches for an authentication match. The standard format for
the search base setting is: ou=organizational unit,dc=first part of distinguished server name,dc=any
part of the distinguished server name appearing after the dot. For example, if your user accounts are in
an OU (organizational unit) you refer to as accounts and your domain name is example.com, your search
base is ou=accounts,dc=example,dc=com.
Active Directory Authentication Servers
Configuring the device to use Active Directory authentication is similar to the process for LDAP
authentication. You must set a search base to limit the server directories in which the device searches
for an authentication match. The standard format for the search base setting is the same as the LDAP
format. You can add multiple Active Directory domains for user authentication, and add a primary and
a backup Active Directory server for each domain.
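The search base format described in the LDAP and Active Directory sections above, as an added example in Python (not WatchGuard code): it builds the `ou=...,dc=...` value from a domain name and OU names, escapes OU values per RFC 4514, and checks a typed value has the shape the module describes. The domains and OU names are constructed.

```python
import re

# Characters RFC 4514 requires to be escaped inside an attribute value.
_DN_SPECIALS = set('\\,+"<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                     # leading '#' is reserved
            out.append("\\#")
        elif ch == " " and i in (0, last):             # leading/trailing space
            out.append("\\ ")
        elif ord(ch) < 0x20:                           # control chars as \XX
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def domain_to_dc(domain: str) -> str:
    """'example.com' -> 'dc=example,dc=com': one dc= component per DNS label."""
    labels = [lbl for lbl in domain.strip().lower().split(".") if lbl]
    if not labels:
        raise ValueError("domain name must contain at least one label")
    for lbl in labels:
        if not re.fullmatch(r"[a-z0-9-]+", lbl):
            raise ValueError("invalid DNS label: %r" % lbl)
    return ",".join("dc=" + lbl for lbl in labels)


def build_search_base(domain: str, *ous: str) -> str:
    """Compose the Search Base value from a domain and zero or more OU names.

    OUs are listed outermost first ('Users', 'Marketing') and emitted
    innermost first, which is the order an LDAP DN requires.
    """
    parts = ["ou=" + escape_dn_value(ou) for ou in reversed(ous)]
    parts.append(domain_to_dc(domain))
    return ",".join(parts)


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings without breaking on escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):    # keep the escape pair together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def is_ou_dc_search_base(dn: str) -> bool:
    """True when the DN has the ou=...,dc=... shape this module describes:
    only ou= and dc= components, each with a value, and at least one dc=."""
    has_dc = False
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not value:
            return False
        attr = attr.strip().lower()
        if attr == "dc":
            has_dc = True
        elif attr != "ou":
            return False
    return has_dc
```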
If you use Active Directory for your authentication server, you can also configure Single Sign-On (SSO).
SSO is a method of network access control that allows a user to enter credentials once to gain access to
many resources. The WatchGuard SSO solution includes the SSO Agent, the SSO Client, and the Event
Log Monitor. With SSO, when users try to connect to resources outside their own network, your XTM
device automatically sends authentication requests to the SSO Agent. The WatchGuard SSO Agent
caches the user name and password and then passes it to each network resource as needed. You can
install the WatchGuard SSO Agent behind the XTM device on the trusted network.
When you install the SSO Client software on your client computers, the SSO Client receives the call from
the SSO Agent and returns accurate information about the user who is currently logged in to the
workstation.
If you do not want to install the SSO Client on each client computer, you can instead install the Event
Log Monitor on your domain controller, and configure the SSO Agent to get user login information
from the Event Log Monitor. This is known as clientless SSO. With clientless SSO, the Event Log Monitor
collects login information from domain client computers and from the domain controller for users that
have already logged on to the domain and sends them to the SSO Agent.
In this training module, we do not go into great detail about how to install and configure the SSO
solution. For more information about how to configure SSO for your network, see the SSO topics in the
WatchGuard System Manager Help or the Active Directory Authentication advanced training module.
About Authentication Timeout Values
Users are authenticated for a period of time after they close their last authenticated connection. This
timeout is set either as a global setting in the Authentication Settings dialog box, or in the Setup
Firebox User dialog box. The global setting is used only if no Firebox User timeout value is set. For
users authenticated by third-party servers, the timeouts set on those servers also override the global
authentication timeouts.
Note
Authentication timeout values do not apply to PPTP users.

Exercise 1: Add a Firebox User Group and Add Users

In this exercise, we learn that Successful Company does not yet have an authentication server. The
network administrator decides to use the XTM device for authentication. We will use Policy Manager to
configure a group for the Marketing department and add four of the department employees.
Create a Firebox User Group
1. Select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears. The Firebox tab is selected by default.
2. In the User Groups section, click Add.
The Setup Firebox Group dialog box appears.
3. In the Name text box, type Marketing.
4. In the Description text box, type Marketing Department.
5. Click OK.
The new group appears in the User Groups list.
Add Firebox Users
An authorized user is someone with access permission to your network. Each user must have a unique
user name. When you use the Firebox authentication server, this information is saved in a database that
is stored on the XTM device.
1. In the Authentication Servers dialog box, in the Users section, click Add.
The Setup Firebox User dialog box appears.
2. Type this information:
Name: allison
Description: Allison Grayson
Passphrase: allyscomputer
Confirm: allyscomputer

When the passphrase is set, you cannot see the passphrase in plain text again. If the passphrase is
lost, you must set a new passphrase. A passphrase must contain a minimum of eight characters.

3. To add Allison to the Marketing group, in the Available list, double-click Marketing.
Marketing appears in the Member list.
4. Click OK.
Allison is added to the User list.
5. Repeat Steps 1-4 to add these users to the Marketing group:
Name     Description     Passphrase
joe      Joe Uknalis     joescomputer
tim      Tim Warner      timscomputer
wyatt    Wyatt Hare      wyattscomputer
6. After you add all users to the Marketing group, click OK.
The Authentication Servers dialog box should look like this:
7. Click OK to close the Authentication Servers dialog box.

Exercise 2: Edit Policies to Use Firebox Authentication

After you have configured at least one authentication server with user names and groups, you can use
Policy Manager to add those users and groups to your policies. In this exercise, you give the Marketing
group permission to connect to an FTP server on the optional network that Successful Company uses
to share files with outside vendors. You also block all FTP connections from other users on the network.
1. Double-click the FTP policy.
The Edit Policy Properties dialog box appears. The default configuration of the FTP proxy policy allows
connections from any computer on the trusted or optional networks to any FTP server on the external
network.
2. In the From list, select Any-Trusted. Click Remove. Select Any-Optional. Click Remove.
With the Any-Trusted and Any-Optional entries, any user on your optional or trusted network is able to start
an FTP connection to the entries on the To list. When you remove these entries, you block FTP connections
from your optional and trusted networks.
3. In the To list, select Any-External. Click Remove.
With the Any-External entry, users on your network can connect to any FTP server on the external network.
4. In the From section, click Add.
The Add Address dialog box appears.
5. Click Add User.
The Add Authorized Users or Groups dialog box appears.
6. From the Type drop-down lists, select Firewall and Group.
To open the Authorized Users and Groups dialog box to add more users and groups to the XTM device
database, click Add.
7. Select the Marketing (Firebox-DB) group and click Select.
The Add Address dialog box appears with the Marketing (Firebox-DB) group in the Selected Members and
Addresses list.
8. Click OK to add the entry to the FTP policy.
The Marketing group appears in the From list.
9. In the To section, click Add.
The Add Address dialog box appears.
10. Click Add Other.
The Add Member dialog box appears.
11. From the Choose Type drop-down, select Host IP.
12. In the Value text box, type 10.0.2.21.
This is the IP address of the FTP server on the optional network. In a real-world environment, you must
activate NAT for external users to be able to connect to this FTP server because it has a private IP address.
For more information, see the NAT training module.
13. Click OK to close the Add Member dialog box.
The IP address of the FTP server appears in the To list.
14. Click OK to close the Add Address dialog box.
You have now configured the FTP policy to allow connections from anyone in the Marketing group to an FTP
server on the optional network. The Edit Policy Properties dialog box should look like this:
15. Click OK to close the Edit Policy Properties dialog box.

Exercise 3: Set Global Authentication Values

In this exercise, you use Policy Manager to manage the authentication settings that the XTM device
uses by default. If you set session and idle timeouts in the Setup Firebox User dialog box or on any
third-party server that you use for authentication, these values override the global settings you
configure in this exercise.
Set Global Timeout Values
1. Select Setup > Authentication > Authentication Settings.
The Authentication Settings dialog box appears.
2. In the Session Timeout text box, type or select 9. From the adjacent drop-down list, select Hours.
This is the maximum length of time the user can send traffic to the external network. If you set this field to
zero (0) seconds, minutes, hours, or days, no session timeout is used and the user can stay connected
indefinitely.
3. In the Idle Timeout text box, type or select 45. From the adjacent drop-down list, select Minutes.
This is the maximum length of time the user can stay authenticated when idle (not passing any traffic to the
external network). If you set this field to zero (0) seconds, minutes, hours, or days, no idle timeout is used and
the user can stay idle for any length of time.
Set Other Global Values
If you use the XTM device as an authentication server, you can allow more than one user to
authenticate with the same user credentials, at the same time, to one authentication server. This is
useful for guest accounts or in laboratory environments. This feature is enabled by default.
But, the Successful Company network administrator does not want users to be able to log in to multiple
computers at the same time. Instead, when a user tries to login to another computer, the network
administrator wants the first session to be logged off, and the user to be able to log in on the second
computer.
For more information about how to configure the device for Active Directory authentication, see the
Fireware XTM WatchGuard System Manager Help or User Guide.
In this exercise, we configure the Active Directory authentication server settings on the XTM device to
block concurrent authentication and set the browsers to automatically redirect users to the Successful
Company authentication portal and then to the intranet web server.
In the Authentication Settings dialog box:
1. Select the Limit users to a single login session option.
2. From the Limit users to a single login session drop-down list, select Logoff first session, when
the user logs in the second time.
3. Select the Auto redirect users to authentication page for authentication check box.
All users who have not yet authenticated are automatically redirected to the authentication login portal
when they try to get access to the Internet. If you do not select this check box, unauthenticated users must
manually navigate to the authentication login portal.
4. Select the Send a redirect to the browser after successful authentication check box.
In the text box, type http://10.0.1.2/home.html.
This is the home page of the Successful Company intranet web server, which is located on the trusted
network.
5. Click OK to close the Authentication Settings dialog box.
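To make the timeout rules in this exercise and in About Authentication Timeout Values concrete (the global values set here, a per-user value overriding them, zero meaning no limit, and Logoff first session on a second login), here is an added simulation in Python. It is not WatchGuard code; the clock is a plain integer of seconds and the user names and client addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOUR, MINUTE = 3600, 60


@dataclass(frozen=True)
class Timeouts:
    session: int   # seconds since login; 0 means no session timeout
    idle: int      # seconds since last traffic; 0 means no idle timeout


# The global values chosen in this exercise: 9 hours session, 45 minutes idle.
GLOBAL_TIMEOUTS = Timeouts(session=9 * HOUR, idle=45 * MINUTE)


@dataclass
class Session:
    user: str
    client_ip: str
    login_at: int
    last_traffic_at: int
    timeouts: Timeouts

    def expiry_reason(self, now: int) -> Optional[str]:
        """'session', 'idle', or None while the session is still valid."""
        t = self.timeouts
        if t.session and now - self.login_at >= t.session:
            return "session"
        if t.idle and now - self.last_traffic_at >= t.idle:
            return "idle"
        return None


class AuthTable:
    """Authenticated-user table applying the precedence and single-login rules."""

    def __init__(self, global_timeouts: Timeouts, single_login: bool = False,
                 per_user: Optional[Dict[str, Timeouts]] = None) -> None:
        self.global_timeouts = global_timeouts
        self.single_login = single_login        # 'Logoff first session' behaviour
        self.per_user = per_user or {}          # values set in Setup Firebox User
        self.sessions: Dict[Tuple[str, str], Session] = {}
        self.log: List[str] = []

    def _timeouts_for(self, user: str) -> Timeouts:
        # A per-user value overrides the global Authentication Settings value.
        return self.per_user.get(user, self.global_timeouts)

    def _expire(self, now: int) -> None:
        for key, s in list(self.sessions.items()):
            reason = s.expiry_reason(now)
            if reason:
                self.log.append("%s@%s logged off: %s timeout"
                                % (s.user, s.client_ip, reason))
                del self.sessions[key]

    def login(self, user: str, client_ip: str, now: int) -> None:
        self._expire(now)
        if self.single_login:
            # Second login from another computer ends the first session.
            for key, s in list(self.sessions.items()):
                if s.user == user and s.client_ip != client_ip:
                    self.log.append("%s@%s logged off: new login from %s"
                                    % (user, s.client_ip, client_ip))
                    del self.sessions[key]
        self.sessions[(user, client_ip)] = Session(
            user, client_ip, now, now, self._timeouts_for(user))
        self.log.append("%s@%s logged in" % (user, client_ip))

    def traffic(self, user: str, client_ip: str, now: int) -> bool:
        """True if `user` at `client_ip` is still authenticated; refreshes the idle timer."""
        self._expire(now)
        s = self.sessions.get((user, client_ip))
        if s is None:
            return False
        s.last_traffic_at = now
        return True

    def active(self, now: int) -> List[Tuple[str, str]]:
        """Currently authenticated (user, client_ip) pairs after expiring stale ones."""
        self._expire(now)
        return sorted(self.sessions)
```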

Exercise 4: Enable Single Sign-On for the XTM Device

Successful Company is growing and adding employees. They need to shift to a system that allows them
to track users and groups in one location rather than both the XTM device and their Windows Active
Directory server. In this exercise, we use Policy Manager to configure the XTM device to use Active
Directory and set the IP address for server on which the Single Sign-On (SSO) Agent is installed.
1. Select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Select the Active Directory tab.
3. Click Add.
The Add Active Directory Domain dialog box appears.
4. In the Domain Name text box, type the domain name of this Active Directory authentication
server in the format <sub domain name>.<root domain name>.
For example, wgtraining.com
5. Click Add.
The Add IP / DNS Name dialog box appears.
6. From the Choose Type drop-down list, select IP Address.
7. In the Value text box, type 10.0.1.2.
8. Click OK.
The IP address appears in the IP Address / DNS Name list.
9. In the Search Base text box, type the location on the Active Directory server to search for user
account information in this format:
ou= name of organizational unit, dc=first part of the distinguished server name, dc=any part of
the distinguished server name that appears after the dot.
For this example, type dc=wgtraining,dc=com.
10. Click OK.
The domain you added appears in the Active Directory domains list.
11. Click OK to close the Authentication Servers dialog box.
Policy Manager appears.
12. Select Setup > Authentication > Authentication Settings.
The Authentication Settings dialog box appears.
13. Select the Single Sign-On tab.
14. Select the Enable Single Sign-On (SSO) with Active Directory check box.
This enables the settings you use to configure SSO.
15. In the SSO Agent IP Address text box, type 10.0.1.2.
This is the IP address of the server on which the WatchGuard Single Sign-On Agent has been installed.
You can also install the SSO Agent on the computer where your Active Directory Server is installed.
Note
If multiple users share the same computer, you must also install the SSO Client software on that
computer or install the Event Log Monitor on your domain controller.

16. Click OK to close the Authentication Settings dialog box.
Use a Web Server Certificate
The WatchGuard authentication applet is a web page. If your organization uses a very strict browser
security policy, it will verify that the page certificate is from a trusted source. Each time the
authentication applet loads, the user is presented with a security alert to let them know that the
certificate is not from a trusted source.
You can avoid this problem by configuring the XTM device with a certificate to use for all secure HTTP
connections. Each user must then import the certificate into their browser or operating system
certificate stores. The device can either use the default self-signed certificate, use a third-party
certificate, or generate a custom self-signed certificate.
In this exercise, we use Policy Manager to configure the device to generate and use a custom
self-signed certificate:
1. Select Setup > Authentication > Web Server Certificate.
The Web Server Certificate dialog box appears.
2. Select Custom certificate signed by Firebox.
3. In the Common Name text box, type successfulco.
You should always choose a value that corresponds to your Firebox or XTM device, such as the domain name
of the URL.
4. In the Organization Name text box, type Successful Company, Inc.
Note
For instructions on how to install the WatchGuard SSO Agent, see the Fireware XTM WatchGuard System Manager Help topics on Authentication.
5. In the Organization Unit text box, type Corporate Headquarters.
You should always choose a value that helps the user verify that the certificate originates with your
organization.
6. Click OK.
The Web Server Certificate dialog box closes.
7. Save the configuration file to the device.
The certificate is not created until you save the configuration file to the device.
8. Save the configuration file as Authentication-Done.
Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.
1. Which of the following statements are good reasons to set up user authentication?
(Select all that apply.)
A) Monitor users who connect through your network
B) Restrict who can connect to resources on the Internet
C) Block incoming connections from specific Web sites
D) Identify connections in monitoring tools by IP address
E) Reduce the total number of public IP addresses you need
F) Prevent unauthorized users from accessing network resources
G) All of the above

2. True or false? Fireware XTM supports Windows NT authentication.
3. True or false? You can configure a policy to allow a single user.
4. Which of these Authentication Servers are compatible with the Fireware XTM OS?
(Select all that apply.)
A) Kerberos
B) SecurID
C) Linux Authentication
D) AppleTalk Authorization
E) Windows NT
F) Lightweight Directory Access Protocol (LDAP)
G) Active Directory
H) Firebox Users and Groups
I) RADIUS

5. What is the URL for the Firebox Authentication web page? (Select one.)
A) https://auth.watchguard.com:4100/
B) http://ip address of device interface:411/
C) https://gateway IP address of Firebox:4000/
D) https://<trusted or optional device interface IP address>:4100/
Fireware XTM Basics

Blocking Spam
Stop Unwanted Email with spamBlocker

What You Will Learn

You can use the optional WatchGuard spamBlocker service to block unwanted email messages at
your Internet gateway. In this training module, you learn how to:
Activate and configure spamBlocker
Specify the actions to take when spam is detected
Exclude email messages from certain sources
Monitor spamBlocker activity
Before you begin these exercises, make sure you read the Course Introduction module.
In this module, you will configure an optional feature of your XTM device. To view these settings, you
must first purchase a License Key for spamBlocker. In addition, to activate the License Key you must
have access to a XTM device. If you take this course with a WatchGuard Certified Training Partner, your
instructor will provide you with both an XTM device and a License Key.

Stop Unwanted Email at the Network Edge

Unwanted email, also known as spam, fills the average Inbox at an amazing rate. A large volume of spam decreases the bandwidth available to other applications, degrades employee productivity, and wastes network resources. The WatchGuard spamBlocker service uses industry-leading pattern detection technology from Commtouch to block spam at your Internet gateway. spamBlocker looks for patterns in spam traffic, instead of the contents of individual email messages. Because it looks for patterns, it can find spam in any language, format, or encoding method.
WatchGuard spamBlocker works with SMTP and POP3 proxy policies to examine up to 20,000 bytes of
each inbound email message. You can configure the XTM device to take any of the following actions
when spamBlocker determines that an email message processed by the SMTP proxy is spam:
Deny: Stops the spam email message from being delivered to the mail server. The XTM device
sends this message to the sending email server: Delivery not authorized, message refused.
Add subject tag: Identifies the email message as spam or not spam and allows spam email
messages to go to the mail server. See the subsequent section for more information on
spamBlocker tags.
Allow: Allows spam email messages to go through the XTM device without a tag.
Drop: Drops the connection immediately. Unlike the Deny option, the XTM device does not give
any SMTP error messages to the sending server.
Quarantine: Sends the message classified as spam to a Quarantine Server.
If you use spamBlocker with the POP3 proxy, you have only two actions to choose from: Add Subject
Tag and Allow. You cannot use the Quarantine Server with the POP3 proxy. You must configure at least
one DNS server so the XTM device can resolve the IP addresses of the Commtouch servers. If you do not
do this, spamBlocker will not operate.
spamBlocker Tags
The XTM device can add spamBlocker tags to the subject line of the email message. You can also
configure spamBlocker to customize the tag that it adds. This example shows the subject line of an
email message that was classified as spam. The tag added is the default tag: ***SPAM***.
Subject: ***SPAM*** Free auto insurance quote
Here are some examples of other possible spamBlocker tags:
Subject: (SPAM) You've been approved!
Subject: [POSSIBLE SPAM] Save 75%

Subject: [JUNK EMAIL] Free shipping

Subject: *SPAM/BULK* 10 lbs in 10 days!

spamBlocker Categories
spamBlocker puts potential spam email messages into these three categories based on the
classification of the mail envelope by the CommTouch classification server:
Confirmed Spam: Includes email messages that come from known spammers. We recommend
you use the Deny action for this type of email if you use spamBlocker with the SMTP proxy, or the
Add subject tag if you use spamBlocker with the POP3 proxy.
Bulk: Includes email messages that do not come from known spammers, but do match some
known spam structure patterns. We recommend that you use the Add subject tag action for this
type of email, or the Quarantine action if you use spamBlocker with the SMTP proxy.
Suspect: Includes email messages that could be associated with a new spam attack. Frequently,
these messages are legitimate email messages. We recommend that you use the Allow action for
this type of email or the Quarantine action if you use spamBlocker with the SMTP proxy.
spamBlocker Exceptions
The XTM device might sometimes identify a message as spam when it is not spam. If you know the
address of the sender, you can configure the device with an exception that tells it not to examine
messages from that source address or domain.

Global spamBlocker Settings
You can use global spamBlocker settings to optimize spamBlocker for your own installation. Because
most of these parameters affect the amount of memory that spamBlocker uses on the XTM device, you
must balance spamBlocker performance with other device functions. To configure these settings, click
Settings in the spamBlocker dialog box.
Virus Outbreak Detection maximum file size to scan
Virus Outbreak Detection (VOD) is a technology that identifies email virus outbreaks worldwide
within minutes and then provides protection against those viruses. Provided by Commtouch, VOD
catches viruses even faster than signature-based systems. Select the Enable Virus Outbreak
Detection (VOD) check box to enable VOD. In the VOD maximum file size to scan text box, you
can set the number of bytes of an email message that will be scanned by VOD. VOD uses the larger
of the Maximum file size to scan and the VOD maximum file size to scan.
Maximum file size to scan
In the Maximum file size to scan text box, you can set the number of bytes of an email message
that will pass to spamBlocker to be scanned. Usually, 20-40K is sufficient for spamBlocker to
correctly detect spam. However, if image-based spam is a problem for your organization, you can
increase the maximum file size to block more image-based spam.
Cache size
In the Cache size text box, type or select the number of entries spamBlocker caches locally for
messages that have been categorized as spam and bulk. A local cache can improve performance
because no network traffic to Commtouch is required. Usually, you do not have to change this
value. You can set the Cache size value to 0 to force all email to be sent to Commtouch. This is
generally used only for troubleshooting.
Proactive Patterns
To disable the Commtouch CT Engine Proactive Patterns feature, clear the Enable proactive
patterns check box. The Proactive Patterns feature allows spamBlocker to identify and block new
spam messages even before the recurrent pattern is added to the Commtouch database. For
example, each day new types of spam tricks are introduced on the Internet. With Proactive Patterns
enabled, spamBlocker blocks email messages that use the newly identified spam methods. When
clear patterns are established for these new attacks, the pattern is added to the Commtouch
database. This feature is enabled by default. It requires large amounts of space while the local
database on the XTM device is updated. If your XTM device has limited memory or processor
resources, consider disabling this feature.
Connection string override
The Connection string override text box is used only when you must troubleshoot a spamBlocker
problem with a technical support representative. Do not change this value unless you are asked to
give additional debug information for a technical support problem.
Use an HTTP Proxy Server
To configure spamBlocker to use an HTTP proxy server to connect to the Commtouch server through
the Internet:
1. Click the HTTP Proxy Server tab.
2. Select the Contact the spamBlocker server using an HTTP proxy server check box.
3. In the remaining fields on this tab, select the parameters for the proxy server.
This includes the address of the proxy server, the port the XTM device must use to contact the proxy server,
and the authentication credentials the XTM device uses for proxy server connections (if required by the proxy
server).

Blocking Spam

Note: spamBlocker does not detect spam in outgoing SMTP email. To prevent spam from originating from your network and conserve network resources, you should disable email relay functionality on your email server and enable email relay protection to inbound email using the incoming SMTP proxy.

Adding trusted email forwarders
The spam score for an email message is calculated in part using the IP address of the server from which
the message was received. If an email forwarding service is used, the IP address of the forwarding
server is used to calculate the spam score. Because the forwarding server is not the initial source email
server, the spam score can be inaccurate.
To improve spam scoring accuracy, you can add one or more host names or domain names of email
servers that you trust to forward email to your email server. With this feature, spamBlocker ignores the
trusted email forwarder in the email message headers. The spam score is then calculated using the IP
address of the source email server.
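The Python example below is added to this training text; it is not part of WatchGuard's product or documentation, and how spamBlocker itself parses message headers is not described here. It shows the effect a trusted forwarder list has on the IP address chosen for scoring: the Received headers are walked newest hop first, every hop handed over by a trusted forwarder is skipped, and the first hop from an untrusted host yields the source server address. The host names, IP addresses and header text are constructed, and the "from <helo> (<rdns> [<ip>]) by <host>" header shape is an assumption about the sending MTAs.

```python
import re
from ipaddress import ip_address

# Constructed sample: the Received headers a message carries after passing through a forwarding
# service (relay.fwdsvc.example) on its way from the true source (mail.sender.example) to our mail
# exchanger. Newest hop first, as the headers appear in the message.
SAMPLE_RECEIVED = [
    "from relay.fwdsvc.example (relay.fwdsvc.example [198.51.100.7]) "
    "by mx.successful.example with ESMTP id A1; Mon, 23 Apr 2012 10:00:00 -0700",
    "from mail.sender.example (mail.sender.example [203.0.113.25]) "
    "by relay.fwdsvc.example with ESMTP id B2; Mon, 23 Apr 2012 09:59:58 -0700",
]

# Constructed sample of a forged trail: the real sender (evil.example) appended a fake Received
# line that names the trusted forwarder, hoping to be scored as if the mail had come through it.
FORGED_RECEIVED = [
    "from evil.example (evil.example [192.0.2.9]) by mx.successful.example with ESMTP id C3",
    "from relay.fwdsvc.example (relay.fwdsvc.example [198.51.100.7]) by evil.example with ESMTP id D4",
]

# "from <helo> (<rdns> [<ip>]) by <receiver>" is the usual shape of a Received header clause;
# the reverse-DNS name is optional, e.g. "from x (unknown [192.0.2.1])" or "from x ([192.0.2.1])".
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(header):
    """Return the hop described by one Received header, or None if it carries no usable IP."""
    m = _RECEIVED_RE.search(header)
    if not m:
        return None
    try:
        ip = str(ip_address(m["ip"]))   # reject malformed or non-IP bracket contents
    except ValueError:
        return None
    return {
        "helo": m["helo"].lower(),
        "rdns": (m["rdns"] or "").lower(),
        "ip": ip,
        "by": m["by"].lower(),
    }


def is_trusted(host, trusted_domains):
    """True when host is one of the trusted forwarder names or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def originating_ip(received_headers, trusted_forwarders=()):
    """Walk hops newest-first, skipping every hop that a trusted forwarder handed to us.
    The first hop from a host that is not trusted is the source mail server, so its IP is
    the one a reputation-based spam score should use. Returns None if no hop is usable."""
    trusted = {d.lower().lstrip(".") for d in trusted_forwarders}
    for header in received_headers:
        hop = parse_received(header)
        if hop is None:
            continue
        if is_trusted(hop["rdns"], trusted) or is_trusted(hop["helo"], trusted):
            continue
        return hop["ip"]
    return None


if __name__ == "__main__":
    print("no trusted forwarders :", originating_ip(SAMPLE_RECEIVED))
    print("fwdsvc.example trusted:", originating_ip(SAMPLE_RECEIVED, ["fwdsvc.example"]))
    print("forged trail          :", originating_ip(FORGED_RECEIVED, ["fwdsvc.example"]))
```

Without a trusted forwarder entry the forwarding relay's address (198.51.100.7) is scored, which is the inaccuracy the text describes; with fwdsvc.example trusted, the real source (203.0.113.25) is used. The forged example shows why only the newest hops are consulted: a spammer can append any Received line it likes, but the hop written by your own mail exchanger still names the spammer's server.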

Exercise 1: Configure the Quarantine Server

The Successful Company network administrator decides to start putting suspected mail into
quarantine rather than simply blocking and tagging it. He would also like to automatically remove
messages from the SpamKing domain that he knows produces nothing but spam.
Configure Quarantine Server Rules
You can install the Quarantine Server as an option when you install WatchGuard System Manager.
1. In the system tray, right-click and select Open WatchGuard Server Center.
The Connect to WatchGuard Server Center dialog box appears.
2. Type the Username and Administrator Passphrase.
The WatchGuard Server Center appears.
3. In the Servers tree, click Quarantine Server.
The Quarantine Server page appears.
4. Click the Rules tab.
5. Select the Auto-Remove messages from specific domains rule.
The Rule description appears. Notice the blue underlined text.
6. In the Rule Description, click the blue underlined text: specific domains.
The Edit Auto-Remove Rule dialog box appears.
7. In the Enter text to match text box, type SpamKing.com. Click Add.

WatchGuard Fireware XTM Training
Stop Unwanted Email at the Network Edge

8. Click OK.
The blue underlined text in the Rule Description changes to SpamKing.com.
9. Click Apply to save your changes.
Configure the XTM Device to Use the Quarantine Server
The XTM device must be able to connect to the Quarantine Server. If the Quarantine Server and the
management computer are not on the same network, you must use Policy Manager to create a policy
that allows access from the management computer to the Quarantine Server.
1. Select Subscription Services > Quarantine Server.
The Quarantine Server dialog box appears.
2. In the IP Address text box, type 10.0.1.2.
3. Click OK.
4. Save the configuration file to the XTM device.

Exercise 2: Activate spamBlocker
Successful Company decides to invest in spamBlocker to manage all the unwanted email its employees
are receiving. In this exercise, we use the spamBlocker Wizard in Policy Manager to activate the
spamBlocker service.
1. Select Subscription Services > spamBlocker > Activate.
The Activate spamBlocker Wizard appears.
2. Click Next.
3. Clear the POP3-CFO and SMTP-Server-Outgoing policy check boxes. Click Next.
4. Click Finish.
If you do not have an SMTP or POP3 proxy policy, the wizard prompts you to create one.

Exercise 3: Configure the spamBlocker Service

After you complete the activate spamBlocker wizard, you need to configure the spamBlocker settings
in your email proxy. In this exercise, you configure the spamBlocker service for SMTP. The procedure to
configure spamBlocker for POP3 is the same.

Note: You must have the spamBlocker feature key saved to the XTM device before you can do this exercise. For more information, see Add a Feature Key to the XTM Device in module 6.

Determine What Happens to Spam Email
In this exercise, the Successful Company network administrator is new to this type of service and is a
little nervous about losing valid messages. He decides to quarantine confirmed spam and tag the rest
as spam, but still send it to the intended recipients.
1. Select Subscription Services > spamBlocker > Configure.
The spamBlocker dialog box appears. The spamBlocker Policies list includes the current policies and whether
spamBlocker is active for each policy.
2. Select SMTP-Incoming-Proxy. Click Configure.
The spamBlocker configuration dialog box appears.
3. In the Confirmed Spam drop-down list, select Quarantine.
All email that spamBlocker confirms as spam will now be held in quarantine. The network administrator will
have to review these messages before they go to the final recipient.
4. In the Suspect drop-down list, select Add subject tag.
The text ***SUSPECT*** appears. You can replace this with any short text phrase.
5. Clear the Send a log message for each message classified as not spam check box.
This is a useful tool for troubleshooting, but receiving a log message for each email message sent to your
employees can significantly increase the size of your log database.

Add spamBlocker Exceptions
The network administration team at Successful Company all subscribe to the Security Now podcasts
from TWIT.tv. However, like many companies that send useful newsletters and announcements to their
customers, TWIT uses a bulk mail application. In this exercise, we configure the Successful Company
spamBlocker service to allow these messages as an exception.
In the spamBlocker Configuration dialog box:
1. Click the Exceptions tab.
spamBlocker is already configured to allow bulk messages from the WatchGuard LiveSecurity service. This
ensures that you can receive important announcements, security alerts, and threat responses.
2. Click Add.
The Add Exception Rule dialog box appears.
3. In the Action drop-down list, select Allow.
4. In the Sender text box, type *@twit.tv.
5. In the Recipient text box, type *.
This will exclude all messages that originate from the TWIT.tv domain from spamBlocker actions.
6. Click OK to close the Add Exception Rule dialog box.
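To make the sender and recipient patterns concrete, here is a Python model of how an exception list such as the one just built is evaluated. It is an added illustration, not spamBlocker's own code: the wildcard semantics (* matches any run of characters, patterns are anchored to the whole address, and the first matching rule wins) are assumptions for the example, and the second rule, a Deny for the SpamKing.com domain named earlier in the exercises, is hypothetical.

```python
import re


def glob_to_regex(pattern):
    """Turn a wildcard pattern (* = any run of characters) into an anchored, case-insensitive
    regular expression. Anchoring is what keeps *@twit.tv from also matching an address in a
    look-alike domain such as news@twit.tv.example."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$", re.IGNORECASE)


class ExceptionRule:
    def __init__(self, action, sender, recipient):
        self.action = action                          # e.g. "Allow", as selected in the Action list
        self.sender_pattern = sender
        self.recipient_pattern = recipient
        self._sender_re = glob_to_regex(sender)
        self._recipient_re = glob_to_regex(recipient)

    def matches(self, sender, recipient):
        """Both the envelope sender and the recipient must match for the rule to apply."""
        return bool(self._sender_re.match(sender) and self._recipient_re.match(recipient))


def exception_action(rules, sender, recipient):
    """Evaluate the exception list top to bottom; the first matching rule decides.
    None means no exception applies and the message goes through normal classification."""
    for rule in rules:
        if rule.matches(sender, recipient):
            return rule.action
    return None


# Constructed rule list: the exercise's Allow rule for the TWIT.tv bulk mailings, followed by a
# hypothetical Deny rule for the SpamKing.com domain used earlier in these exercises.
RULES = [
    ExceptionRule("Allow", "*@twit.tv", "*"),
    ExceptionRule("Deny", "*@spamking.com", "*"),
]


if __name__ == "__main__":
    for sender in ("Newsletter@TWIT.tv", "news@twit.tv.example", "promo@spamking.com", "a@partner.example"):
        print(sender, "->", exception_action(RULES, sender, "alice@successful.example"))
```

The second probe is the one worth remembering when writing exception patterns: a pattern without a wildcard at the end only matches addresses that end exactly in that domain, so an Allow for *@twit.tv does not open the door to every domain that merely starts with "twit.tv".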
Enable Alarms When a Virus is Detected
One selling point of spamBlocker for the security team at Successful Company was the ability to receive
alarms when a virus is detected. In this exercise, we enable the alarm feature.
1. In the spamBlocker Configuration dialog box, click the Virus Outbreak Detection tab.
2. In the When a virus is detected drop-down list, select Drop. Select the adjacent Alarm check box.
3. Click OK to close the spamBlocker Configuration dialog box.
4. Click OK to close the spamBlocker dialog box.
5. Save the configuration file to the XTM device.

Note: You must also enable Virus Outbreak Detection in the global spamBlocker settings if you want this feature to operate in policies.

Exercise 4: Monitor spamBlocker Activity

You can use Firebox System Manager to monitor spamBlocker activity.
1. In WatchGuard System Manager, connect to the XTM device you want to monitor.
2. Click the Firebox System Manager toolbar icon, or select Tools > Firebox System Manager.
Firebox System Manager appears.
3. Click the Subscription Services tab.
The statistics for spamBlocker appear in the third section on this tab.

Test Your Knowledge

1. The actions spamBlocker can take when you configure spamBlocker to work with SMTP are (select
all that apply):
A) Deny: Stop the spam message without a reply
B) Tag: Add a spam tag to the email subject line and allow spam messages to go to the recipient
C) Ignore: Do not send the email to spamBlocker to process
D) Allow: Let spam messages go through the XTM device without a tag
E) Drop: Drop the connection immediately and send no error messages back to the sending email server
F) Quarantine: Isolate the email on a Quarantine Server

2. True or false? The Confirmed Spam category includes email messages that come from known
spammers.
3. Which proxy works with spamBlocker (select all that apply):
A) HTTP
B) SMTP
C) POP3
D) FTP

4. True or false? When you use spamBlocker with the POP3-proxy, the XTM device can deny, drop,
allow, or add a subject tag to any suspected spam message.
5. True or false? You must configure a Quarantine Server to use spamBlocker.

Web Traffic
Manage the Web Traffic Through Your Firewall

What You Will Learn

The HTTP-proxy policy can protect your private and public web servers. It can also be used to protect
your users from viruses and restrict unauthorized Web use. In this module, you learn how to:
Create a log message for each HTTP client connection
Block HTTP client connections by URL path
Allow files through the HTTP-proxy by type
Customize the deny message a user receives
Strip headers that specify a certain type of authentication
Use HTTP-proxy exceptions to allow software updates
Activate WebBlocker
Select categories of web sites to block
Override WebBlocker rules for specific sites
Before you begin these exercises, make sure you read the Course Introduction module.

Control Web Traffic Through Your Firewall

HTTP (Hypertext Transfer Protocol) is a protocol used to send and display text, images, sound, video,
and other multimedia files on the Internet. The WatchGuard HTTP-proxy is a high-performance content
filter. It examines web traffic to identify suspicious content, which can be spyware, malformed content,
or another type of attack. It can also protect your web server from attacks from the external network
using protocol anomaly detection rules to identify and deny suspicious packets.
The HTTP-proxy operates between a web server and a client web browser. It processes each HTTP
packet from the server for any potentially harmful content before sending it to the client. It can also act
as a buffer between your web server and potentially harmful web clients by enforcing compliance with
the HTTP protocol and preventing potential buffer overflow attacks.
When you add an HTTP-proxy policy to your XTM device configuration, you get access to two sets of
rules that are included with the product: an HTTP-Server proxy action and an HTTP-Client proxy action.
You can use the default proxy actions, or you can modify them. This module shows you how to
customize the settings in these two proxy actions.
HTTP-Client
The HTTP-Client proxy action is configured to give comprehensive protection to your network from
the content your trusted users download from web servers.
HTTP-Server
The HTTP-Server proxy action is configured to allow most HTTP connections through to your public
web server, but stops any attempts to upload or delete files.
To further protect your network, both the HTTP-Client and HTTP-Server proxy actions can use these
optional services:
WebBlocker
Controls the web sites trusted users are allowed to browse to at different times of the day.
WebBlocker is only available for the HTTP-Client proxy action.
Gateway AntiVirus (Gateway AV)
Scans HTTP traffic and can stop viruses before they connect to the client computers and HTTP
servers on your network.
Reputation Enabled Defense (RED)
Sends requested URLs to a cloud-based WatchGuard reputation server that returns a reputation
score. The HTTP-proxy uses the reputation score to determine whether to drop the traffic, allow the
traffic and scan it locally, or allow the traffic without a local scan.
Control Outgoing HTTP Requests
You can control outgoing HTTP connections from HTTP client applications to prevent your user
community from downloading many of the dangerous file types that hackers use to introduce viruses,
trojans, and worms to your network.
The HTTP-Client proxy settings give you complete control over the HTTP connections of your trusted
users. You can strip files by file name or MIME content type. You can also restrict the use of cookies,
ActiveX, Java, and other potential sources of infection.

Protect Your Web Server
Web servers are popular targets for attackers. Although vendors try to patch web server applications
quickly, attackers have a window of vulnerability between the time an attack is discovered and the
opportunity you have to patch it. You can use the HTTP-Server proxy action as a way to prevent the
attack until a patch is available.
If you have a public web server, you must also make sure that people can still get access to it after you
configure it to protect it against attacks. The default HTTP-Server ruleset allows most types of
connections through the XTM device while it blocks the most common attacks.

HTTP-Proxy Action Rulesets
The HTTP-Client and HTTP-Server proxy actions have the same sets of rules, but the default settings
are different. These rulesets appear in the Categories list in the HTTP Proxy Action Configuration
dialog box.
HTTP Request
General Settings
Use this ruleset to control the idle time out and maximum URL length HTTP parameters. You can
configure the XTM device to create a log message with summary information for each HTTP
connection request. Select the Enable logging for reports check box to see bandwidth usage
information in HostWatch, Report Manager, and Reporting Web UI. You can also enforce the
strictest Safe Search settings for web browser search engines.
Request Methods
The Request Method ruleset lets you control the types of HTTP request methods allowed through
the XTM device as part of an HTTP request. Some applications, such as Google Desktop and
Microsoft FrontPage, require additional request methods. WebDAV is used for collaborative online
authoring and has a large number of additional request methods. The HTTP-proxy supports
WebDAV request method extensions by default, according to the specifications in RFC 2518.
URL Paths
Use the URL Path ruleset to filter the content of the host and path of a URL. For best results, use URL
path filtering together with file header and content type filtering.

Note: Many web pages get information from site visitors, such as location, email address, and name. If you disable the POST command, the XTM device denies all POST operations to web servers on the external network. This feature can prevent your users from sending information to a web site on the external network.

Header Fields
This ruleset supplies content filtering for the full HTTP header name and its value. By default, the
XTM device uses exact matching rules to strip Via and From headers, and allows all other headers.
The Via header can be added to a client request by a proxy server to track message forwards and
avoid request loops. Stripping the Via header can protect client privacy. The From header passes
the client user's email address to the server, where it can be harvested for bulk mail recipient lists.
Stripping this header helps reduce the chance of receiving spam and maintains client anonymity
and privacy.
Authorization
This ruleset sets the criteria for content filtering of HTTP Request Header authorization fields. When
a web server starts a WWW-Authenticate challenge, it sends information about which
authentication methods it can use. The proxy puts limits on the type of authentication sent in a
request. With a default configuration, the XTM device allows Basic, Digest, NTLM, and Passport 1.4
authentication.
HTTP Response
General Settings
Use this ruleset to configure basic HTTP response parameters, including idle time out, maximum
line length, and maximum total length of an HTTP response header. If you set a value control to
zero (0) bytes, the XTM device ignores the size of HTTP response headers.
Header Fields
This ruleset controls which HTTP response header fields the XTM device allows. Response headers
can be used to specify cookies, supply modification dates for caching, instruct the browser to
reload the page after a specified time interval, and for several other tasks.
Content Types
This ruleset controls the types of MIME content allowed through the XTM device in HTTP response
headers. By default, the XTM device allows some safe content types and denies MIME content that
has no specified content type. This is a common way of restricting the types of files that users can
download from web sites.
Cookies
Use this ruleset to control cookies included in HTTP responses. The default ruleset allows all
cookies. HTTP cookies are used to track and store information about users who visit particular sites.
Body Content Types
This ruleset gives you control of the content in an HTTP response. The XTM device is configured to
deny Java applets, ZIP archives, Windows exe/dll files, and Windows cab files by default. It is a good
idea to examine the file types used in your organization and allow only necessary file types.
Use Web Cache Server
If you have an existing HTTP caching proxy server on your network, you can forward HTTP requests
from the XTM device to your proxy server. For more information, see the Fireware XTM WatchGuard
System Manager Help or User Guide.
HTTP-Proxy Exceptions
All traffic to or from a domain listed in this ruleset will bypass the proxy completely. Only trusted
sites that supply needed files that would be denied by other parts of the HTTP-proxy should be
listed here. By default, the Microsoft Windows Update web sites are ignored by the HTTP-proxy.
WebBlocker
See the subsequent section for more information on how to restrict Web access with a WebBlocker
profile.

Note: Usually, if you filter URLs with the HTTP request URL path ruleset, you must configure a complex pattern that uses regular expression syntax configured in the Advanced View of a ruleset. It is easier and better to filter header or body content types than it is to filter URL paths.

Antivirus
This ruleset sets the actions necessary if a virus is found. Although you can use the proxy definition
screens to activate and configure Gateway AntiVirus, it is easier to use the Tasks menu in Policy
Manager to do this. For more information, see training module 15.
Reputation Enabled Defense
If you have purchased the Reputation Enabled Defense Service, this ruleset enables you to
immediately block URLs that have a bad reputation, and bypass any configured virus scanning for
URLs that have a good reputation. You can also change the Good and Bad reputation thresholds.
Deny Message
Use this feature to customize the default deny message that your trusted users will see if the XTM
device denies HTML content.
Proxy and AV Alarms
This ruleset lets you define the type of alarm that is sent any time a notification is triggered by an
HTTP ruleset.

Monitor Secured HTTP Traffic with the HTTPS proxy

The HTTPS proxy allows you to manage and filter secure HTTP (HTTPS) traffic on TCP port 443 to
protect your network clients, or an HTTPS server on your network. By default, the HTTPS proxy only
allows or denies connections to web sites you specify when the Issued To name on the site's HTTPS
certificate matches an item in the Certificate Names list. You can also specify a WebBlocker profile for
HTTPS traffic.
You can enable deep inspection of HTTPS content to decrypt secured HTTP traffic. When you enable
this feature, the rules of the HTTP-proxy action you specify are applied to that traffic. This means that
you can use all of the same features for HTTPS traffic that you already use in an HTTP-proxy, or create a
new proxy action specifically for HTTPS. After your XTM device examines the traffic and determines
that it can be allowed, it is re-encrypted, re-signed with a new certificate, and sent to its original
destination.
Because the HTTPS proxy configuration is considered an advanced feature, detailed configuration
options for the HTTPS proxy are not covered in this module. To use the deep content inspection
feature, you must configure the XTM device and either your network clients or your HTTPS server to
trust the same certificate. For more information, see the Certificates section in the Fireware XTM
WatchGuard System Manager Help system or User Guide.

Restrict Web Access with WebBlocker

WebBlocker uses a database of web sites, organized into categories based on their content. This
database of web sites is maintained by WebSense, an industry leader in web filtering software. You
download a copy of this database and store this local copy on a Windows computer on your trusted
or optional network. This computer is known as the WebBlocker Server. You configure WebBlocker to
control which web site categories your users can see.
When a user on your network browses the Internet, the XTM device automatically checks the
WebBlocker Server to see if the site is allowed. If the site is on the block list, the user receives a message
that the site is not available.
To use WebBlocker you must:
Install and set up the WebBlocker Server
Activate a WebBlocker license
Configure an HTTP-proxy policy to use WebBlocker
WebBlocker Categories
The WebBlocker database is divided into 54 topic categories such as News, Gambling, or Adult/Sexually
Explicit. You can find a list and description of the categories when you configure WebBlocker, or in the
Fireware XTM WatchGuard System Manager User Guide. You can also select to block all WebBlocker
categories.
WebBlocker Exceptions
To override a WebBlocker action, you can add an exception to the WebBlocker categories to allow or
deny a particular web site. The exceptions are based on IP addresses or a pattern based on a URL. You
can configure the XTM device to block a URL with an exact match. Usually, it is more convenient to
configure the device to look for URL patterns. To match a URL path on all web sites, the pattern must
have a trailing /*. The host in the URL can be the host name specified in the HTTP request, or the IP
address of the server.
To create WebBlocker exceptions, you can use any part of a URL. You can set a port number, path
name, or string that must be blocked for a special web site. For example, if it is necessary to block only
www.sharedspace.com/~dave because it has inappropriate photographs, you type
www.sharedspace.com/~dave/*. This gives users the ability to browse to
www.sharedspace.com/~julia, which could contain content you want your users to see.
To block URLs that contain the word sex in the path, you can type */*sex*. To block URLs that contain
sex in the path or the host name, type *sex*. Such broad wildcards should be used cautiously,
however, since a rule like this would also unintentionally block access to a web site for the City of
Middlesex.
You can also block ports in a URL. For example, for http://www.hackerz.com/warez/
index.html:8080, the browser uses the HTTP protocol on TCP port 8080 instead of the default
method that uses TCP 80. You can block the port by matching *8080.
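The wildcard patterns above are easy to get wrong, so here is a small Python matcher, added for this text and not WebBlocker's own implementation, that runs the page's four examples against sample URLs. It assumes a pattern is matched against the URL as a user would type it without the scheme (host, optional :port, then path), that * matches any run of characters and that a pattern must cover the whole string; the URLs are constructed. The check at the end reproduces the Middlesex problem: *sex* fires on a host name, */*sex* only on a path.

```python
import re
from urllib.parse import urlsplit


def match_target(url):
    """The string a pattern is compared with: host[:port] followed by the path, no scheme.
    (Assumption for this example; e.g. 'www.sharedspace.com/~dave/photos.html'.)"""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.netloc + parts.path


def pattern_regex(pattern):
    """* matches any run of characters; the pattern must cover the whole target."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$", re.IGNORECASE)


def matches(pattern, url):
    return bool(pattern_regex(pattern).match(match_target(url)))


def matched_patterns(patterns, url):
    """Every exception pattern in the list that would fire for this URL. Useful for reviewing a
    pattern list against the sites you intend to keep reachable before deploying it."""
    return [p for p in patterns if matches(p, url)]


# Constructed pattern list: the page's examples, plus a port pattern in the form this matcher
# needs when the port sits in its usual place before the path (an assumption, see the note).
EXCEPTION_PATTERNS = ["www.sharedspace.com/~dave/*", "*/*sex*", "*sex*", "*8080", "*:8080/*"]

# Constructed URLs to review the list against.
SAMPLE_URLS = [
    "http://www.sharedspace.com/~dave/photos.html",
    "http://www.sharedspace.com/~julia/",
    "http://www.example.com/sex/index.html",
    "http://www.middlesex.gov/",
    "http://www.hackerz.com:8080",
    "http://www.hackerz.com:8080/warez/index.html",
]


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:48s} -> {matched_patterns(EXCEPTION_PATTERNS, url)}")
```

Two things the output makes visible. First, www.sharedspace.com/~dave/* blocks Dave's pages and leaves Julia's alone, as the text says. Second, the page writes its port example with :8080 after the path; when the port is in its usual position before the path, a pattern ending in 8080 only matches a request with no path, so the last pattern in the list is the form needed to cover the whole site on that port.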
WebBlocker Local Override
If you want to allow certain users to temporarily override the WebBlocker rules, you can enable the
WebBlocker local override feature. WebBlocker local override allows end-users to see a web site
blocked by WebBlocker if they know the override passphrase. This feature operates only with
HTTP-proxy policies. In the WebBlocker configuration advanced settings, you can enable local override,
and configure a local override passphrase and inactivity timeout.

Note: The web sites you block with WebBlocker exceptions apply only to HTTP traffic (not HTTPS). They are not added to the Blocked Sites list.

When WebBlocker local override is enabled, if a user navigates to a web site that is blocked by
WebBlocker, the WebBlocker request denied page includes a place where the user can type the WebBlocker
override password.
If the user types the correct password, WebBlocker allows access to the override destination. The user
can also edit the override destination using wildcards to allow override access to more than one site, or
to more pages in a site. You can use wildcards in an override destination in the same way you use
them to define a WebBlocker exception. In effect, WebBlocker local override allows the user to define a
temporary WebBlocker exception. WebBlocker enables access to the override destination until the
WebBlocker local override inactivity timeout is reached or until the user logs out, if the user was
authenticated. The default inactivity timeout for local override is five minutes.
WebBlocker Schedules
You can set an operating schedule for a set of WebBlocker rules. You use time periods to set rules for
when to block different web sites. For example, you can block sports web sites during usual business
hours of operation, but allow users to browse at lunch time, evenings, and weekends. To do this, you
add a schedule to the HTTP-proxy policy that WebBlocker is assigned to. You can also configure two
HTTP policies, but create a schedule for only one of them. Each policy uses one of the HTTP-proxy
actions. Each of these HTTP-proxy actions points to one of at least two WebBlocker actions.
WebBlocker Server
You install and activate the WebBlocker Server when you install WatchGuard System Manager (WSM).
If you did not originally install the WebBlocker Server when you installed WSM, you can do so at any
time. Run the WSM installer again and select the check box for WebBlocker. Then, continue installation.

Note: If you are attending a class, your instructor installed the Web Server on your workstation.

Exercise 1: Configure HTTP Connections from Trusted Users

Successful Company network administrators are now ready to configure the XTM device to enforce the
company's policy on browsing the Web. In this exercise, you use Policy Manager to edit the predefined
HTTP-Client ruleset to limit the types of HTTP connections that Successful Company employees can
start. Specifically, you will:
Enable logging for HTTP client requests
Block HTTP client connections to YouTube
Enable the web download of Microsoft Word, Excel, and PowerPoint documents, as well as ZIP files
Customize the message that users see when some of the content in their web requests is denied
Add an HTTP Client Proxy Policy
The HTTP packet filter cannot meet all the Successful Company web policy criteria. First, we use Policy
Manager to add an HTTP-Client proxy policy.

1. Click the Add Policy toolbar icon, or select Edit > Add Policy.
The Add Policies dialog box appears.
2. Expand the Proxies folder.
3. Select HTTP-proxy and click Add.
The New Policy Properties dialog box appears, with the Policy tab selected.
4. In the Name text box, type HTTP-Employees.
By default, the HTTP-proxy policy is outgoing and controls traffic from any trusted network to any computer
on the external network.
5. In the Proxy action drop-down list, select HTTP-Client.

Enable a Log Message for Each HTTP Client Connection
Successful Company's network administrator wants to make sure that the XTM device records each
HTTP connection initiated by an employee. He plans to use this data to prove internal compliance with
the company's Internet usage policy. It can also help to troubleshoot bandwidth problems if they occur
in the future.
In the default HTTP-Client proxy action, as in other proxy rulesets, allowed connections do not create
log entries unless you activate the log option. If you do not activate the option to send a log message
for each HTTP client connection, you do not see any allowed HTTP traffic in the log file or in reports.
You also do not see HTTP connections in HostWatch.
On the Policy tab:
1. Click the icon adjacent to the Proxy action drop-down list.
The HTTP Proxy Action Configuration dialog box appears.
2. Select the Enable logging for reports check box.

Block HTTP Client Connections by URL Path
Because of concerns about employee productivity and bandwidth use, Successful Company's network
administrator was asked to have the XTM device stop all HTTP client connection requests to YouTube.
To block all client connections that include youtube.com in the URL path:
In the HTTP Proxy Action Configuration dialog box:
1. In the Categories list, expand HTTP Request and select URL Paths.
The URL Paths page appears. The default configuration for the HTTP-Client proxy action allows all URL paths.
2. In the Pattern text box, type *.youtube.com. Click Add.
*.youtube.com appears in the URL Paths list.
3. In the If matched drop-down list, select Deny.
4. To send a log message when this rule denies a connection, select the Log check box.

Allow Microsoft Office Documents and ZIP Files Through the HTTP-Proxy
Sometimes, Successful Company users must download certain Microsoft Office documents. Also,
employees often use their browser to download files compressed in the ZIP file format, even though it
is a security risk. After their network administrator educates users on the types of zipped files to avoid,
they decide to allow zipped content through the HTTP-proxy as well. To allow these types of content,
you must edit two of the HTTP Response rulesets:
In the HTTP Proxy Action Configuration dialog box:
1. In the Categories list, expand HTTP Response and select Content Types.
The Content Types page appears. The list of content types allowed by default includes PDF, XML, Flash, text,
and image files.
To see some of the common MIME types, click Predefined.
To find the MIME type for some of the content you want to allow or deny through the device, see
your vendor documentation or go to http://www.iana.org/assignments/media-types/.
2. Click Change View.
The Content Types Rules (advanced view) page appears.
3. Click Add.
The New Content Type Rule dialog box appears.
4. In the Rule Name text box, type Excel.
5. In the Rule Settings text box, type application/ms-excel.
6. In the Action drop-down list, select Allow.
7. Click OK.
Excel data sheets are now allowed by the HTTP-proxy.
8. Repeat Steps 2-7 for Microsoft PowerPoint (PPT) files. Use application/mspowerpoint as the
pattern.
PowerPoint presentations are now allowed by the HTTP-proxy.
9. Repeat Steps 2-7 for Microsoft Word (DOC) files. Use application/msword as the pattern.
Word documents are now allowed by the HTTP-proxy.
10. Repeat Steps 2-7 for zip archive (ZIP) files. Use application/zip as the pattern.
Zip archives are now allowed by the HTTP-proxy.
11. In the Rules (advanced view) list, select application/*. Click Edit.
The Edit Content Type Rule dialog box appears.
12. From the Action drop-down list, select Deny. Click OK.
All other content types not specifically allowed are denied by the HTTP-proxy.
13. In the Categories list, expand HTTP Response and select Body Content Types.
The Body Content Types page appears.
14. Click Change View.
The Rules (advanced view) page appears.
15. Select ZIP Archive. Click Edit.
The Edit Body Content Type Rule dialog box appears.
16. From the Action drop-down list, select Allow. Click OK.
This action allows zip archives as a body content type.
Restrict Web Access with WebBlocker

Customize the Deny Message
When a user on your network tries to browse to a web site or to download a file that the HTTP-proxy
blocks, that user sees a Deny Message. The default message includes the reason, method, host, and
path. In this exercise, you edit the message to also include the email address for the Successful
Company help desk.
In the HTTP Proxy Action Configuration dialog box:
1. In the Categories list, select Deny Message.
The Deny Message page appears. The Deny Message uses HTML. The device accepts most valid HTML code.
2. In the Deny Message text box, select the WatchGuard HTTP proxy phrase.
3. To replace the selected phrase, type Successful Company firewall.
4. At the end of the <b> Path: </b> %(url-path)% <br> line, click to place your cursor and press
Enter on your keyboard.
5. On the new line, type:
For more information, contact Dustin and Nandi at
<a href="mailto:itsupport@wgtraining.com">itsupport@wgtraining.com</a>.<br>
6. Click OK to close the HTTP Proxy Action Configuration dialog box.
The Clone Predefined or DVCP-created Object dialog box appears.
7. (Optional) In the Name text box, type a unique name for the proxy action.
The default name for a clone is HTTP-Client.1. Give it the name HTTP-Client-Employees.
8. Click OK to clone the template.
The New Policy Properties dialog box appears.
9. Click OK to close the New Policy Properties dialog box.
10. Click Close to close the Add Policy dialog box.
The HTTP-Employees policy appears in your policy list.
Exercise 2: Use HTTP-Proxy Exceptions to Allow Software Updates

Frequently, software companies configure their software to contact one of their servers for software
updates. This traffic can occur over HTTP. The update session can include many content types, file
names and other properties that could cause the HTTP-proxy to deny the traffic. At Successful
Company, many employees use the Mozilla Firefox browser. To allow the clients to update their
browsers automatically, we use Policy Manager to add the Firefox servers to the list of HTTP-proxy
exceptions. All traffic to a domain listed in the HTTP Proxy Exceptions list is not examined by the
HTTP-proxy policy.
1. Double-click the HTTP-Employees policy.
The Edit Policy Properties dialog box appears, with the Policy tab selected.
2. Adjacent to the Proxy action drop-down list, click .
The Edit HTTP Proxy Action Configuration dialog box appears.
3. In the Categories list, select HTTP Proxy Exceptions.
The HTTP Proxy Exceptions page appears. The list already includes the domains used by Microsoft Windows
to distribute updates to their software.
4. In the text box below the HTTP Proxy Exceptions list, type *.mozilla.com and click Add.
*.mozilla.com appears in the list
5. Click OK to close the Edit HTTP Proxy Action Configuration dialog box.
6. Click OK to close the Edit Policy Properties dialog box.
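As an added illustration (not WatchGuard code), the following Python models how the HTTP-Client-Employees proxy action built in the exercises above decides on a request and a response: the HTTP Proxy Exceptions bypass, the URL Paths rule, the ordered Content Types rules with the application/* catch-all, and the Body Content Types check. The decision order, the glob matching semantics, the default actions and the body signatures are assumptions, not taken from the courseware.

```python
"""Model of the HTTP-Client-Employees proxy action built in these exercises.
Added illustration only, not WatchGuard code. Decision order (assumed):
  1. HTTP Proxy Exceptions: a listed domain bypasses all inspection.
  2. HTTP Request > URL Paths: rules checked top to bottom, first match wins.
  3. HTTP Response > Content Types: first match wins, so the specific Allow
     rules must sit above the catch-all application/* Deny rule.
  4. HTTP Response > Body Content Types: judged from the body's leading bytes,
     regardless of what the Content-Type header claims.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass
class Rule:
    pattern: str        # Fireware-style pattern: '*' matches any run of characters
    action: str         # 'Allow' or 'Deny'
    log: bool = False


def match_first(rules: List[Rule], value: str) -> Optional[Rule]:
    """Return the first rule whose pattern matches value (case-insensitive), else None."""
    for rule in rules:
        if fnmatchcase(value.lower(), rule.pattern.lower()):
            return rule
    return None


# Constructed stand-ins for the proxy's body content type detection.
BODY_SIGNATURES: Dict[bytes, str] = {
    b"PK\x03\x04": "ZIP Archive",
    b"MZ": "Windows EXE/DLL",
}


@dataclass
class HttpClientAction:
    proxy_exceptions: List[str]               # domains that bypass the proxy
    url_rules: List[Rule]                     # HTTP Request > URL Paths
    content_type_rules: List[Rule]            # HTTP Response > Content Types
    body_rules: Dict[str, str]                # body type name -> 'Allow' / 'Deny'
    default_content_action: str = "Deny"      # when no Content Types rule matches (assumed)
    default_body_action: str = "Deny"         # when no Body Content Types rule matches (assumed)
    log: List[str] = field(default_factory=list)

    def check_request(self, host: str, path: str) -> str:
        if match_first([Rule(p, "Allow") for p in self.proxy_exceptions], host):
            return "Allow (not inspected: HTTP Proxy Exception)"
        for rule in self.url_rules:
            # Assumption: a pattern without '/' is compared to the host alone,
            # one containing '/' to host + path. Note that '*.youtube.com'
            # needs a leading label, so a bare 'youtube.com' is not matched.
            target = host if "/" not in rule.pattern else host + path
            if fnmatchcase(target.lower(), rule.pattern.lower()):
                if rule.log:
                    self.log.append(f"URL Paths {rule.action}: {host}{path}")
                return rule.action
        return "Allow"   # the HTTP-Client URL Paths ruleset allows all paths by default

    def check_response(self, content_type_header: str, body: bytes) -> str:
        # Drop parameters such as '; charset=utf-8' before matching the media type.
        media_type = content_type_header.split(";", 1)[0].strip()
        rule = match_first(self.content_type_rules, media_type)
        action = rule.action if rule else self.default_content_action
        if action == "Deny":
            return f"Deny (content type {media_type})"
        # The header can lie; the body content type check looks at the bytes.
        for magic, name in BODY_SIGNATURES.items():
            if body.startswith(magic):
                body_action = self.body_rules.get(name, self.default_body_action)
                return f"{body_action} (body content type {name})"
        return "Allow"


def exercise_action() -> HttpClientAction:
    """HTTP-Client-Employees as configured above (default Allow patterns are assumed)."""
    return HttpClientAction(
        proxy_exceptions=["*.mozilla.com"],
        url_rules=[Rule("*.youtube.com", "Deny", log=True)],
        content_type_rules=[
            Rule("text/*", "Allow"),                   # among the page's defaults
            Rule("image/*", "Allow"),
            Rule("application/pdf", "Allow"),
            Rule("application/ms-excel", "Allow"),     # Steps 2 through 10
            Rule("application/mspowerpoint", "Allow"),
            Rule("application/msword", "Allow"),
            Rule("application/zip", "Allow"),
            Rule("application/*", "Deny"),             # Steps 11 and 12: must stay last
        ],
        body_rules={"ZIP Archive": "Allow"},           # Steps 13 through 16
    )
```

Moving the application/* Deny rule above the specific Allow rules silently denies every Office document, which is why the order of the advanced-view rule list matters.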
Exercise 3: Configure an HTTP-Server Proxy Action

Successful Company has a web server on the optional network at 10.0.2.80. Initially, their network
administrators find the default settings of the HTTP-Server ruleset sufficiently robust to protect their
server. Later we will learn that sometimes you need to change that ruleset to provide additional
protection.
Add the HTTP Server Proxy Policy
First, we will protect the Successful Company public web server. We will use Policy Manager to
configure it to accept connections from both the trusted and external networks. This policy will use
static NAT.

1. Click .
Or, select Edit > Add Policy.
The Add Policies dialog box appears.
2. Expand the Proxies list and select HTTP-proxy. Click Add.
The New Policy Properties dialog box appears, with the Policy tab selected.
3. In the Name text box, type HTTP-Public Server.
It is useful to have a separate policy for each web server on your network.
4. In the To list, select Any-External. Click Remove.
5. In the To section, click Add.
The Add Address dialog box appears.
6. Click Add SNAT.
The SNAT dialog box appears.
7. Click Add.
The Add SNAT dialog box appears.
8. In the SNAT Name text box, type a name for this SNAT action.
9. Click Add.
The Add Static NAT dialog box appears.
10. In the Internal IP Address text box, type 10.0.2.80.
11. Click OK to close the Add Static NAT dialog box.
The new Static NAT entry appears in the SNAT Members list.
12. Click OK to close the Add SNAT and the SNAT dialog boxes.
The IP address appears in the Add Address dialog box in the Selected Members and Addresses list.
13. Click OK to close the Add Address dialog box.
This restricts the policy to the Successful Company public web server on the optional network.
The New Policy Properties dialog box appears.
14. In the From section, click Add.
The Add Address dialog box appears.
15. Double-click Any-External.
Any-External appears in the Selected Members and Addresses dialog box.
16. Click OK.
Any-External appears in the From list. This expands the policy to include connections from the external as
well as the trusted network.
17. From the Proxy action drop-down list, select HTTP-Server.
Because we are going to accept the default ruleset, we do not need to edit the proxy action.
18. Click OK. Click Close to close the Add Policies dialog box.
The HTTP-Public-Server policy appears in the policy list.
Create a New Proxy Policy Ruleset
Successful Company recently received a LiveSecurity alert that describes a vulnerability to Passport 1.4
authentication. In this exercise, you edit the HTTP-Server ruleset based upon this hypothetical
LiveSecurity alert. Use the HTTP-Server proxy action rulesets to strip headers that specify Passport 1.4
authentication. This additional precaution can remain on the server until the network administrator
applies and tests the patch the vendor provided, which was also described in the LiveSecurity Alert.
First, we use Policy Manager to clone the HTTP-Server ruleset and modify it to block the Passport 1.4
authentication. Then we apply it to our public server policy.
1. Select Setup > Actions > Proxies.
The Proxy Actions dialog box appears. This is a list of all the template rulesets available.
2. Select HTTP-Server and click Clone.
The Clone HTTP Proxy Action Configuration dialog box appears.
3. In the Name text box, type HTTP-Server-BlockPassport.
4. In the Categories list, expand HTTP Request and select Authorization.
The Authorization page appears.
5. Click Change View.
The Rules (advanced view) page appears. In this view, we can change the settings for each rule rather than
apply a global setting to all of them.
6. In the Rules list, select Passport 1.4. Click Edit.
The Edit Authorization Rule dialog box appears.
7. From the Action drop-down list, select Strip. Select the Log check box.
This rule strips all headers that include Passport1.4 authentication requests and sends a log message.
8. Click OK to close the Edit Authorization Rule dialog box.
The Clone HTTP Proxy Action Configuration dialog box Authorization page appears. The updated rule
appears in the Rules list.
9. Click OK to close the Clone HTTP Proxy Action Configuration dialog box.
The Proxy Actions dialog box appears with the cloned proxy action in the list.
10. Click Close.
This enables us to quickly apply this ruleset again in the future. You now have a ruleset which strips Passport
1.4 authorization requests.
11. Double-click the HTTP-Public-Server policy.
The Edit Policy Properties dialog box appears, with the Policy tab selected.

The first portion of the Proxy Actions list is in blue text and consists of the default policies. The second portion of the list is in black text and includes the templates we created during our exercises.

12. From the Proxy Action drop-down list, select HTTP-Server-BlockPassport.
13. Click OK to close the Edit Policy Properties dialog box.

Exercise 4: Selectively Block Web Sites with WebBlocker
Successful Company is pleased with the results of their purchase of spamBlocker. The network
administrators decide to purchase the WebBlocker feature to enforce HR restrictions on what web
content can be viewed during work hours.
Add a WebBlocker Action
You can use Policy Manager to activate WebBlocker in two ways. The first is to use the global Actions
menu. The second is to use the HTTP-proxy. In this exercise, we use the first method to configure the
WebBlocker policy for the Successful Company network.
1. Select Setup > Actions > WebBlocker.
The WebBlocker Configurations dialog box appears.
2. Click Add.
The New WebBlocker Configuration dialog box appears, with the Servers tab selected.
3. In the Name text box, type GeneralEmployees.
4. In the Description text box, type Everyone but the Executives and IT.
5. Click Add.
The Add WebBlocker Server dialog box appears.
6. In the Server IP text box, type the IP address of 10.0.1.2. Click OK.
The IP address appears in the Servers list. When you use more than one WebBlocker Server, client computers
try to connect to a server in the order the servers appear in the list. They keep trying until they connect
successfully.
Select Categories to Block
Successful Company is very strict about sexual harassment, and about bias or intolerance regarding
race, religion, or political beliefs. Obviously, the network administrator should block the sexual and
hate speech categories. However, sites that belong to other categories might be a problem for the
company as well.
1. Select the Categories tab.
2. Select the Adult check box.
This blocks all the subcategories in the Adult list.
3. In the Crime list, select the Intolerance & Hate check box.

You must have a WebBlocker feature key to complete these exercises.
These operating systems are supported for the WebBlocker Server: Windows 7, Windows Vista, Windows 2003, and Windows XP.

4. Scroll through the categories and select any others you think might be blocked at your company.
For example, you can also block Peer-to-Peer and spam URLs to help protect your network from malware.
Create an Exception
A web site about advertising principles that has a section on Ravel's Bolero is in the Adult/Sexually
Explicit category. However, this is a useful site for the Successful Company Marketing department. The
network administrator wants to create a WebBlocker exception for this site.
In the New WebBlocker Configuration dialog box:
1. Select the Exceptions tab.
2. Click Add.
The New WebBlocker Exception dialog box appears.
3. In the Match Type drop-down list, keep the default setting.
4. From the Type drop-down list, select Host IP Address.
5. In the Host IP Address text box, type 23.23.36.223.
The Directory text box is automatically populated with /*. This unblocks all sites with the selected address.
6. Click OK.
The new exception appears in the list. WebBlocker now allows access to this site even though its IP address is
in the Adult/Sexually Explicit category.
7. Click OK to close the New WebBlocker Configuration dialog box.
The new configuration appears in the WebBlocker Configurations dialog box.
8. Click Close to close the WebBlocker Configurations dialog box.
Policy Manager appears. You can now apply the WebBlocker action to any policy that uses the HTTP-proxy.
You can apply the same WebBlocker action to more than one policy, or create different sets of WebBlocker
rules for different groups in your organization.
9. Select Setup > Actions > Proxies.
The Proxy Actions dialog box appears.
10. Select HTTP-Client-Employees. Click Edit.
The Edit HTTP Proxy Action Configuration dialog box appears. In this exercise, we will add the General
Employees WebBlocker action to our primary HTTP-Client ruleset.
11. In the Categories list, select WebBlocker.
The WebBlocker page appears.
12. From the WebBlocker drop-down list, select GeneralEmployees.
13. Click OK to close the Edit HTTP Proxy Action Configuration dialog box.
The Proxy Actions dialog box appears.
14. Click Close to close the Proxy Actions dialog box.
The change is automatically applied to all policies which use the HTTP-Client.1 proxy action ruleset.
15. Save the configuration file with the name WebTraffic-Done.
Enable WebBlocker Local Override
Successful Company has an employee who has a legitimate need to connect to web sites that are
blocked by the corporate WebBlocker policy. The network administrator decides to enable WebBlocker
local override and give this user the local override password.
1. Select Setup > Actions > WebBlocker.
2. Select the GeneralEmployees WebBlocker configuration you created. Click Edit.
3. In the Edit WebBlocker Configuration dialog box, select the Advanced tab.
4. Select the Use this passphrase and inactivity timeout to control WebBlocker local override
check box.
5. Type and confirm the local override Passphrase.
The local override passphrase must be between eight and 32 characters.
6. Click OK to close the Edit WebBlocker Configuration dialog box.
7. Click Close to close the WebBlocker Configurations dialog box.
8. Save the configuration file.

Frequently Asked Questions

Can I get a report of HTTP traffic on my XTM device?
Yes. In the General Settings category for the HTTP-proxy, select the Enable logging for reports
check box. The XTM device creates a log message for each HTTP transaction. You can use Log and
Report Manager to get detailed reports on HTTP traffic.
Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.
1. Circle the proxy action to use for each task:
A) Prevent users from downloading batch (*.bat) files from the Internet    HTTP-Client | HTTP-Server | Other
B) Strip .zip files from email messages    HTTP-Client | HTTP-Server | Other
C) Block incoming HTTP GET requests    HTTP-Client | HTTP-Server | Other
D) Apply WebBlocker to prevent users from browsing to web sites with nudity    HTTP-Client | HTTP-Server | Other
E) Configure the message users see when they attempt to browse to blocked URLs    HTTP-Client | HTTP-Server | Other
F) Resolve domain names for web sites    HTTP-Client | HTTP-Server | Other

2. Fill in the blank: For better security, place your public web server on the __________ network.
3. In the screen shot below, all of URL Path entries are set to Deny if matched.
With this configuration, which web sites will the XTM device block? (Select all that apply.)
A) terrificsex.com
B) allthemusic.bittorrent.com
C) sex.thegoodstuff.com
D) www.trumpets.org
E) prevent.pornography.org
F) www.microsoft.com/porno/msupdate.asp
G) www.microsoft.com/patches/porno.exe
H) www.bittorrent.com
I) singing.napster.com
J) napster.communication.net
K) troubleshootingwinxp.hardcore.com

4. True or false? WebBlocker adds URL filtering to the SMTP-proxy.
5. How many WebBlocker categories are available?
A) 14
B) 24
C) 40
D) 54
E) None of the above

6. True or false? An exception to the WebBlocker rules allows a site that is normally blocked to be
viewed, or a site that is normally viewed to be blocked.
7. Employees can view the web site 10.0.1.19, except for its pages on politics. If the site's pages on
politics all have the word politics somewhere in the path, what do you type in the Pattern text box?
8. True or false? You can create new WebBlocker categories.
9. True or false? You can create a WebBlocker exception that blocks a specific port in a URL.
10. True or false? You can allow a user to bypass the WebBlocker restrictions.
Threat Protection
Defend Your Network From Intruders

What You Will Learn

Firewalls provide both signature-based and default threat protection measures. In this training module,
you learn how to:
Understand the different types of intrusion protection available for the XTM device
Configure Fireware XTM default packet handling options to stop many common attacks
Block IP addresses and ports used by hackers to attack your network
Automatically block IP addresses that send suspicious traffic
Before you begin these exercises, make sure you read the Course Introduction module.

Default Threat Protection Measures Block Intruders

You can use Policy Manager to configure your XTM device to have strict control over access to your
network. While a detailed access policy helps to keep hackers out of your network, it cannot defeat
some other types of attacks.
An Intrusion Prevention Service (IPS) detects attacks from hackers. With Fireware XTM, you can use your
XTM device as an IPS device to detect and prevent attacks automatically. There are two categories of
IPS defenses:
Firewall-based IPS
With this type of IPS defense, the XTM device combines protocol anomaly detection with traffic
analysis to proactively block many common attacks. Protocol anomaly detection is the examination
of a packet for compliance with RFC guidelines. Attackers can make packets that are different from
RFC standards in ways that allow them to bypass standard packet filters and get access to your
network. If you block non-compliant packets, you can also block the attack. This allows your XTM
device to proactively protect you against attacks that are as yet unknown.
Traffic pattern analysis examines a series of packets over time and matches them against known
patterns of attack. For example, when an attacker launches a port space probe, they attempt to
send packets through each port number until they identify which ports your firewall allows. If you
can identify this pattern, you can block the source of the probe.
A firewall-based IPS can also protect your network from a zero-day threat. In other words, before the
network security community is even aware that the vulnerability exists, broad categories of attack
types are automatically identified and blocked by a strong firewall-based IPS.
Signature-based IPS
You can configure this type of IPS defense (such as the Fireware XTM Intrusion Prevention Service)
to compare the contents of packets against a database of character strings that are known to
appear in attacks. Each unique character string is called a signature. When there is a match, the XTM
device can block the traffic and notify the network administrator. To remain protected, you must
regularly update the signature database.
Signature-based approaches use less computer processing time than firewall-based IPS options; however,
to keep them current, the database must be updated regularly. As a result, signature-based IPS is good
for maintaining efficient, high performance protection, while firewall-based IPS catches the zero-day
threats.
The rest of this training module focuses on the firewall-based IPS options available with Fireware XTM.
For more information on signature-based options, see training module 15.
Use Default Packet Handling Options
Default packet handling is a set of pattern analysis rules to help protect your XTM device from attacks,
and to show the XTM device how to process packets when no other rules are specified. With default
packet handling, a firewall examines the source and destination of each packet it receives. The firewall
looks at the IP address and port number and monitors the packets for patterns that show your network
is at risk. If there is a risk and the device is properly configured, it automatically blocks the possible
attack.
The default configuration of the default packet handling options stops attacks such as SYN flood
attacks, spoofing attacks, and port or address space probes. We do not recommend that you change
the default packet handling settings in your XTM device configuration file. The default settings are
carefully chosen to maximize security. If a particular setting interferes with the function of your
network, or you want a more stringent defense, like that available with the Block source of packets
not handled option, you can change your device packet handling settings.
Default packet handling:
Rejects packets that could be used to get information about your network
Automatically blocks all traffic to and from a source IP address when a configured limit is reached
Adds an event to the log file
Sends an SNMP trap to the SNMP management server (when configured)
Sends a notification of possible security risks (when configured)
Unhandled Packets
Packets that are denied by the firewall because they do not match any of the firewall policies are
blocked as unhandled packets. The Default Packet Handling options give you the tools to block the
source of any unhandled packet. This is an extremely aggressive security setting and is not enabled by
default.
Automatically Block the Source of Suspicious Traffic
The Blocked Sites feature helps stop network traffic from systems that you know or think are a security
risk. After you identify the source of suspicious traffic, you can block all the connections to and from
that IP address. You can also configure the XTM device to send a log message each time that source
tries to connect to your network.
A blocked site is an IP address that cannot make a connection through the device, even if the IP address
is usually allowed to connect as part of your policy configuration. If a packet comes from, or is sent to, a
system that is blocked, it does not get through the device. There are two types of blocked IP addresses:
Permanent Blocked Sites These are IP addresses that you manually add to your device
configuration file because you want all connections to and from the IP address blocked. If an IP
address consistently and repeatedly tries to violate your security policies, you can add it to the
Permanent Blocked Sites list.
Auto-blocked sites These are IP addresses that the device adds to, and removes from, a list of
sites that are temporarily blocked based on the packet handling rules specified in your device
configuration. These IP addresses are blocked for a period of time you select. This feature is known
as the Temporary Blocked Sites list. For example, if you configure the auto-block option for a policy
set to deny traffic, the device can add the denied IP addresses to the Temporary Blocked Sites list. If
a connection is blocked by your default packet handling rules, the source IP address is also added
to the Temporary Blocked Sites list.
You can use the Temporary Blocked Sites list and your log messages to help make decisions about
which IP addresses to permanently block.
Block Ports Commonly Used by Attackers
Another method you can use to protect your network is to block all traffic on ports commonly used by
attackers. As attackers become more creative, this method has become less effective; however, it can
still be used to protect against some of the most obvious vulnerabilities. Because a blocked port
overrides all other service configurations, it can protect you from errors in your device configuration. It
can also be used to make independent log entries for probes against sensitive services.
The default configuration of the device blocks some destination ports. This is a basic configuration that
you usually do not have to change. It blocks TCP and UDP packets for these ports:
Port(s)     Service            Reason
0           NONE               The XTM device always blocks this port and you cannot override this default.
1           TCPmux             Block to make it more difficult for port scanning tools (infrequently used).
111         RPC                Used by RPC Services to find out which ports an RPC server uses. These are easy to attack through the Internet.
513, 514    rlogin, rsh, rcp   Because they give remote access to other computers, many attackers probe for these services.
2049        NFS                New versions of NFS have important authentication and security problems.
6000-6005   X Window System    Client connection is not encrypted and dangerous to use over the Internet.
7100        X Font Server      X Font Servers operate as the super-user on some hosts.
8000                           Used by many vendors whose software is vulnerable to a variety of attacks.
Exercise 1: Configure Default Packet Handling Options
Successful Company just signed a sponsorship of the popular podcast Diggnation. Surprisingly, the
publicity generates an unusually high volume of traffic to their public web server. So high in fact that
the XTM device mistakenly interprets the requests as a Distributed Denial of Service (DDoS) attack. In
this exercise, we use Policy Manager to increase the Per Server Quota threshold to prevent this
problem.
1. Select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
2. In the Distributed Denial-of-Service Prevention section, in the Per Server Quota text box, type
or select 200.
This doubles the amount of connections that the XTM device allows before it triggers a DDoS block on
additional connections.
3. Click OK.

This surge in traffic is sometimes known as the Digg effect.

Exercise 2: Block Potential Sources of Attacks

The network administrator at Successful Company is more and more confident that his XTM device
configuration policy is strong, strict, and effective at blocking most access to their network. However,
the log files suggest that more can be done to reduce the impact of direct attacks on the performance
of the firewall. He starts with blocking the potential sources of attacks.
Block a Site Permanently
The Successful Company network administrator has been overwhelmed by a script kiddy using
addresses in the 192.136.15.0/24 network to run probes of the Successful network. In this exercise, we
use Policy Manager to permanently block all connections from that network.
1. Select Setup > Default Threat Protection > Blocked Sites.
The Blocked Sites Configuration dialog box opens.
2. On the Blocked Sites tab, click Add.
The Add Site dialog box opens.
3. In the Choose Type drop-down list, select Network IP.
4. In the Value text box, type 192.136.15.0/24.
5. (Optional) In the Comment text box, type a comment.
The member type shows if this is an IP address or a range of IP addresses. When you type an IP address, type
all the numbers and the periods.
6. Click OK.
The entry appears in the Blocked Sites list. With this configuration, the XTM device blocks all packets to and
from the 192.136.15.0/24 network range.
Create Exceptions to the Blocked Sites List
An exception is an entry for which all other rules do not apply. For blocked sites, an exception is an IP
address or network address that is never blocked. The automatic rules do not apply for this host. The
rule also takes precedence over the manually blocked sites list.
In this exercise, we will add an exception to the 192.136.15.0/24 network we blocked in the exercise
above. We will configure the XTM device to allow connections to and from the single IP address:
192.136.15.22.
In the Blocked Site Configuration dialog box:
1. Click the Blocked Sites Exceptions tab.
2. Click Add.
The Add Site dialog box appears.
3. In the Choose Type drop-down list, select Host IP.
4. In the Value text box, type 192.136.15.22.

Many XTM device users add the IP address of their own DNS servers to the Blocked Sites exception list to make sure connections are not blocked by traffic patterns that look like an attack.

5. In the Comment text box, type Joe's home IP.
The Comment is optional but it can be helpful to you (and other network administrators) when you later try
to figure out why an exception was made.
6. Select OK.
7. Click OK again to close the Blocked Sites Configuration dialog box.
Exercise 3: Block Sites Automatically

After reading a LiveSecurity Foundations article, the Successful Company network administrator
decides to deny all RSH (Remote Shell) connections. In addition, he would like to automatically block
the source of any incoming attempts to use RSH.

1. Click .
Or, select Edit > Add Policy.
The Add Policies dialog box appears.
2. Expand the Packet Filters folder and select RSH. Click Add.
The New Policy Properties dialog box appears.
3. In the RSH Connections are drop-down list, select Denied.
4. Configure the policy to deny connections:
- In the From list, add Any-External
- In the To list, add Any-Trusted, Any-Optional, Any-BOVPN
5. Select the Properties tab.
6. Select the Auto-block sites that attempt to connect check box.
7. Click OK.
The XTM device now automatically adds the IP address of any source of RSH packets to the Blocked Sites list.
With a default configuration, the IP address stays on the Blocked Sites list for 20 minutes.
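The following Python, added here as an illustration and not WatchGuard code, models the Blocked Sites behaviour configured in Exercises 2 and 3: the permanent block of 192.136.15.0/24, the exception for 192.136.15.22 that wins over both block lists, the RSH policy that auto-blocks its source for the default 20 minutes, and the optional blocking of unhandled-packet sources. The HTTP policy, the evaluation order and the epoch-second clock are assumptions.

```python
"""Model of the Blocked Sites and auto-block behaviour from Exercises 2 and 3.
Added illustration only, not WatchGuard code. Precedence follows the page:
Blocked Sites Exceptions win over both permanent and temporary blocks; a
Denied policy with 'Auto-block sites that attempt to connect' puts the source
on the Temporary Blocked Sites list for 20 minutes; packets matching no policy
are unhandled and can optionally have their source blocked as well.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Set

AUTO_BLOCK_SECONDS = 20 * 60   # default duration on the Temporary Blocked Sites list


@dataclass
class Packet:
    src: str
    dst: str
    service: str          # policy name, e.g. 'HTTP' or 'RSH'
    from_external: bool


@dataclass
class BlockedSites:
    permanent: List[IPv4Network]                     # Blocked Sites tab
    exceptions: List[IPv4Network]                    # Blocked Sites Exceptions tab
    allowed_services: Set[str]                       # policies whose connections are Allowed
    auto_block_services: Set[str] = field(default_factory=set)  # Denied policies with auto-block
    block_unhandled: bool = False                    # 'Block source of packets not handled'
    temporary: Dict[str, float] = field(default_factory=dict)   # src -> expiry (epoch seconds)
    log: List[str] = field(default_factory=list)

    def is_exception(self, addr: IPv4Address) -> bool:
        return any(addr in net for net in self.exceptions)

    def is_blocked(self, addr: IPv4Address, now: float) -> bool:
        """Exceptions take precedence over both blocked-site lists."""
        if self.is_exception(addr):
            return False
        if any(addr in net for net in self.permanent):
            return True
        expiry = self.temporary.get(str(addr))
        if expiry is not None and expiry <= now:
            del self.temporary[str(addr)]            # the temporary block has lapsed
            return False
        return expiry is not None

    def auto_block(self, addr: IPv4Address, now: float, reason: str) -> None:
        if self.is_exception(addr):                  # automatic rules do not apply to exceptions
            return
        self.temporary[str(addr)] = now + AUTO_BLOCK_SECONDS
        self.log.append(f"auto-block {addr} for {AUTO_BLOCK_SECONDS}s: {reason}")

    def handle(self, pkt: Packet, now: float) -> str:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if self.is_blocked(src, now) or self.is_blocked(dst, now):
            self.log.append(f"blocked site: {pkt.src} -> {pkt.dst}")
            return "Deny (blocked site)"
        if pkt.service in self.auto_block_services and pkt.from_external:
            self.auto_block(src, now, f"{pkt.service} policy denied")
            return f"Deny ({pkt.service} policy)"
        if pkt.service in self.allowed_services:
            return "Allow"
        if self.block_unhandled:
            self.auto_block(src, now, "unhandled packet")
        return "Deny (unhandled packet)"


def exercise_config() -> BlockedSites:
    """The Successful Company settings from Exercises 2 and 3 (HTTP policy assumed)."""
    return BlockedSites(
        permanent=[ip_network("192.136.15.0/24")],     # the probing network
        exceptions=[ip_network("192.136.15.22/32")],   # Joe's home IP
        allowed_services={"HTTP"},
        auto_block_services={"RSH"},
    )
```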

Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.
1. True or false? A firewall-based IPS maintains a database of character strings that match known
viruses and worms.
2. Select the type of intrusion prevention measure for each Fireware XTM feature:
A) Gateway AntiVirus Firewall-Based | Signature-Based
B) Default Packet Handling Firewall-Based | Signature-Based
C) Blocked Sites Firewall-Based | Signature-Based
D) IPS Service Firewall-Based | Signature-Based
E) Blocked Ports Firewall-Based | Signature-Based

3. Which of these actions can the XTM device perform when it looks for patterns that show if your
network is at risk? (Select all that apply.)
A) Looks for packets which are not RFC compliant
B) Automatically blocks all traffic to and from a source IP address
C) Sends a log message to the Log Server
D) Sends a notification of possible security risks
E) All of the above

4. True or false? An unhandled packet is a packet that does not match any rule created in Policy
Manager.
5. Fill in the blank: To block all traffic to and from a network, you add the address to the Blocked
________ list.
Signature Services
AntiVirus, Intrusion Prevention, and Application Control

What You Will Learn

WatchGuard Gateway AntiVirus, Intrusion Prevention Service (IPS), and Application Control are
signature-based services that identify and stop possible viruses and intrusions, and enable you to
monitor and control application usage on your network. In this module, you learn how to:
Understand how signature services work to protect your network
Set up and configure Gateway AntiVirus
Set up and configure the Intrusion Prevention Service
Set up and configure Application Control
Before you begin these exercises, make sure you read the Course Introduction module.
In this module, you will configure optional features of the XTM device. To configure these services, you
must first purchase a feature key for Gateway AntiVirus, Intrusion Prevention Service, and Application
Control. In addition, to activate the key you must have access to an XTM device. If you take this course
with a WatchGuard Certified Training Partner, your instructor will provide you with both an XTM device
and a feature key to enable these services.

Identify and Stop Viruses at the Edge of Your Network

In the 14 training module, we learned that the XTM device includes methods to secure your network
from zero-day threats using tools such as blocked sites, blocked ports, and default packet handling
options. Often, these threat protection measures protect your network, but at the cost of closing off an
entire port and protocol. In our example, we turned off all RSH traffic to protect the Successful
Company network from an RSH exploit. While this method is very effective, it is not generally a good
long term solution. Yet, it may be weeks, even months, before a vendor builds a patch to fix the
vulnerability.
In the interim, you can use a signature-based service to identify and block the exploit code while
otherwise allowing the traffic. Signature-based protection services are much quicker for a vendor to
update because they do not require a fix to the vulnerability itself. All an engineer must do is identify a
unique string of text or code that marks the exploit and then block it.

WatchGuard Gateway AntiVirus and Intrusion Prevention Service protect against two categories of
threats:
AntiVirus Identifies viruses and trojans brought into your network through email, web browsing,
TCP connections, or FTP downloads.
IPS Identifies direct attacks on your network applications or operating system.
AntiVirus Scans User Traffic for Viruses and Trojans
WatchGuard Gateway AntiVirus scans different types of traffic according to which proxy or proxies you
use the feature with:
Email With the SMTP or POP3 proxy, Gateway AntiVirus finds viruses encoded with frequently
used email attachment methods. These include base64, binary, 7-bit, 8-bit encoding, and
uuencoding.
Web With the HTTP proxy, Gateway AntiVirus scans web pages and any files that are
downloaded from web pages for viruses.
TCP With the TCP proxy, Gateway AntiVirus can scan HTTP traffic on dynamic ports. It recognizes
that traffic and forwards it to the default or user-defined HTTP proxy to perform antivirus scanning.
FTP With the FTP proxy, Gateway AntiVirus finds viruses in uploaded or downloaded files.
Configure Gateway AntiVirus Actions
When you enable Gateway AntiVirus, you must set the actions to be taken if a virus or error is found in
an email message (SMTP or POP3 proxies), web page (HTTP or TCP proxies), or uploaded or
downloaded files (FTP proxy). The options for antivirus actions are:
Allow
Allows the packet to go to the recipient, even if the content contains a virus.
Deny (FTP proxy only)
Denies the file and sends a deny message to the sender.
Lock (SMTP and POP3 proxies only)
Locks the attachment. A file that is locked cannot be opened by the user. Only the administrator can
unlock the file. The administrator can use a different antivirus tool to scan the file and examine the
content of the attachment.
For more information, see the Fireware XTM WatchGuard System Manager User Guide.
Quarantine (SMTP proxy only)
If you use the SMTP proxy and a spamBlocker security subscription, you can send email messages
with a virus or possible virus to the Quarantine Server.
Remove (SMTP and POP3 proxies only)
Removes the attachment and allows the message and any other safe attachments to go to the
recipient.
Drop (not supported in POP3 proxy)
Drops the packet and drops the connection. No information is sent to the source of the message.
Block (not supported in POP3 proxy)
Blocks the packet, and adds the IP address of the sender to the Blocked Sites list.
In addition, Gateway AntiVirus can scan traffic that matches rules in several categories in each proxy.
In the Proxy Configuration dialog box, in the Categories list, click one of these categories to get
access to the ruleset:
SMTP Proxy: Content Types; File names
POP3 Proxy: Content Types; File names
HTTP Proxy: Requests: URL Paths; Responses: Content Types; Responses: Body Content Types
TCP-UDP Proxy (HTTP on dynamic ports): Requests: URL Paths; Responses: Content Types; Responses: Body Content Types
FTP Proxy: Download; Upload

Use Gateway AntiVirus with Compressed Files
In the Gateway AntiVirus configuration settings, you can select the number of compression levels to
scan in a file during a virus scan. If you enable decompression, we recommend that you keep the
default setting of three levels, unless your organization must use a larger value. If you specify a larger
number, your XTM device could send traffic too slowly. Gateway AntiVirus supports the scanning of up
to six compression levels. If Gateway AntiVirus detects that the archive depth is greater than the value
set in this field, it generates a scan error for the content.
The XTM device cannot scan encrypted files or files that use a type of compression that we do not
support, such as password-protected ZIP files.
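The decompression-level limit and the unscannable-file case described above, as an added Python model that is not WatchGuard's scanner: nested ZIP archives are opened up to the configured number of levels, and an archive nested deeper than that, or a password-protected entry, produces a scan error instead of being passed through unscanned. The virus marker string and the sample archives are constructed for the example.

```python
import io
import zipfile

DEFAULT_LEVELS = 3         # recommended default from the guide
MAX_SUPPORTED_LEVELS = 6   # Gateway AntiVirus scans at most six levels
ZIP_ENCRYPTED_FLAG = 0x1   # ZIP general-purpose flag bit 0: entry is password-protected

# Constructed stand-in for a signature match (not a real signature database).
VIRUS_MARKER = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$TEST-MARKER"


def scan_bytes(data: bytes, levels: int = DEFAULT_LEVELS, depth: int = 0) -> str:
    """Return "clean", "virus" or "scan_error" for one blob.

    `depth` is how many archives we are already inside. Opening a ZIP found at
    depth == levels would be decompression level levels+1, beyond the configured
    limit, so it is reported as a scan error instead of being passed unscanned.
    """
    if not 1 <= levels <= MAX_SUPPORTED_LEVELS:
        raise ValueError("levels to scan must be between 1 and 6")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "virus" if VIRUS_MARKER in data else "clean"
    if depth >= levels:
        return "scan_error"            # archive nested deeper than the configured levels
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ZIP_ENCRYPTED_FLAG:
                return "scan_error"    # password-protected entry: cannot be scanned
            verdict = scan_bytes(zf.read(info), levels, depth + 1)
            if verdict != "clean":
                return verdict         # first virus or scan error decides the file
    return "clean"


def make_zip(name: str, payload: bytes) -> bytes:
    """Build a one-entry ZIP archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def nest(payload: bytes, archives: int) -> bytes:
    """Wrap payload inside `archives` nested ZIP files (constructed sample)."""
    for i in range(archives):
        payload = make_zip(f"inner{i}.bin", payload)
    return payload


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed sample of a password-protected ZIP: set the 'encrypted' flag bit
    in the local file header (offset 6) and the central directory entry (offset 8).
    The data is not really encrypted; only the header state the scanner inspects
    is reproduced, because zipfile cannot write encrypted archives."""
    buf = bytearray(zip_bytes)
    local = buf.find(b"PK\x03\x04")
    central = buf.find(b"PK\x01\x02")
    buf[local + 6] |= ZIP_ENCRYPTED_FLAG
    buf[central + 8] |= ZIP_ENCRYPTED_FLAG
    return bytes(buf)


def demo_cases() -> dict:
    """Verdicts for the situations the guide describes, keyed by case name."""
    return {
        "plain_virus": scan_bytes(VIRUS_MARKER),
        "zip_3_deep": scan_bytes(nest(VIRUS_MARKER, 3)),             # within 3 levels
        "zip_4_deep": scan_bytes(nest(VIRUS_MARKER, 4)),             # 4th level not opened
        "zip_4_deep_6_levels": scan_bytes(nest(VIRUS_MARKER, 4), levels=6),
        "password_zip": scan_bytes(mark_encrypted(make_zip("doc.bin", VIRUS_MARKER))),
        "clean_nested": scan_bytes(nest(b"quarterly report text", 2)),
    }


if __name__ == "__main__":
    for case, verdict in demo_cases().items():
        print(f"{case:22s} -> {verdict}")
```

The scan error cases are the ones the exercise below handles with the "When a scan error occurs" action, so the verdict a deployment gives them is a policy choice, not a detection result.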
Intrusion Prevention Service Blocks Direct Attacks

An intrusion occurs when someone launches a direct attack on your computer. Usually the attack
exploits a vulnerability in an application or operating system. These attacks are intended to cause
damage to your network, get sensitive information, or use your computers to attack other networks.
The Intrusion Prevention Service includes a set of signatures associated with specific commands or text
found in commands that could be harmful. You configure the Intrusion Prevention Service globally,
and then you can enable or disable it for individual policies in your configuration.
IPS groups intruder threats into five threat levels: Critical, High, Medium, Low, and Information. When
you enable IPS, you can configure the action that the XTM device takes for content that matches IPS
signatures at different threat levels. The actions IPS can take for each threat level are:
Allow
Allows the content, even if it matches an IPS signature.
Drop
Drops the content and drops the connection. No information is sent to the sender.
Block
Blocks the packet, and adds the source IP address to the Blocked Sites list.
IPS is enabled for all policies by default. You can selectively disable it for specific policies, if needed. You
can also configure exceptions, if an IPS signature blocks content that you want to allow.
Get Information About IPS Signatures
To get information about IPS signatures and the threats they protect against, you can look up the IPS
signature on the WatchGuard Intrusion Prevention Service (IPS) Security Portal at
http://www.watchguard.com/SecurityPortal/ThreatDB.aspx . On the IPS Security Portal you can search
for a signature by name or ID, and see links to additional information about the threat.

Note
XTM 2 Series models use the standard set of IPS signatures. Other XTM devices use an extended set.

Note
IPS threat levels, signatures, and configuration options are different in Fireware XTM v11.4 and v11.5 than they were in earlier versions of Fireware XTM.

Control and Monitor Application Usage on Your Network

Application Control is a subscription service that enables you to monitor and control the use of
web-based applications on your network. Application Control uses signatures that can identify and
block over 1800 applications, organized by category. The Application Control signatures are updated
frequently to identify new applications and to stay current with changes to existing applications.
With Application Control, you can decide which applications to allow or block. You can block the use of
specific applications, and you can report on application usage and usage attempts. For some
applications, you can configure Application Control to selectively allow some application behaviors
(such as chat), but block others (such as file transfer).
When Application Control blocks HTTP content that matches an Application Control action, the user
who requested the content sees an Application Control deny message in the browser. The deny
message says that the content was blocked because the application was not allowed. The message is
not configurable. For HTTPS or other types of content blocked by Application Control, the content is
blocked, but the deny message is not displayed.
Application Control Actions and Policies
Application Control is configured globally, but is not used by a policy unless you enable it. You can
define several Application Control actions, then apply each Application Control action to one or more
policies in your configuration. The flexibility offered by policy-based Application Control enables you to
exercise granular control over the use of applications on your corporate network. For example, you can:
Block usage of YouTube, Skype, and QQ
Block usage of P2P applications for users who are not part of the management team
Allow the marketing department access to social networking sites such as Facebook and Twitter
Allow use of Windows Live Messenger for instant messaging, but disallow file transfer over
Windows Live Messenger
Limit usage of streaming media application to specific hours
Report on the use (or attempted use) of applications by any individual in the company
In addition to the per-policy Application Control actions, you also define a Global Application Control
action that can be the default Application Control action if traffic does not match the Application
Control action applied to a policy. In this way, you can implement a tiered Application Control strategy,
with the Global Application Control action acting as the fall-back action to set policy for applications
that do not match another specific Application Control action.
Configure Application Control
When you define an Application Control action, you select which applications or application categories
to control. Then you select an action for each application, and a default action to use if Application
Control detects an application that does not have an action configured.
Per-Application Action
For each application or application category selected in an Application Control action, you can select
one of these actions:
Drop Block the use of the selected application.
Allow Allow the use of the selected application.

Note
XTM 2 Series models use the standard set of Application Control signatures. All other device models use an extended set.

Default Action
In each Application Control action, you also define a default action, to take if the application does not
match the applications configured in the Application Control action. Those actions are:
Drop Block the connection.
Allow Allow the connection.
Global Use the Global Application Control action.
When you set the default action to Global, if traffic does not match the applications specified in the
Application Control action, Application Control compares the traffic to the applications specified in the
Global Application Control action. If the traffic does not match the applications in the Global
Application Control action, Application Control uses the default action in the Global Application
Control action.
Apply the Application Control Action to a Policy
After you define your Application Control actions, you must apply them to one or more policies. You can
assign one Application Control action per policy. The specific policies you must apply an Application
Control action to depend on which policies exist in your configuration, and which types of applications
you want to block. To control many applications that use HTTP, you should apply the Application
Control action to an HTTP policy. To block an application that you know uses FTP, you must apply the
Application Control action to the FTP policy.
We recommend that you enable Application Control for these types of policies:
Any outbound policy that handles HTTP or HTTPS traffic
VPN policies that use 0.0.0.0/0 routes (default-route VPNs)
Any outbound policy if you are not sure how the policy is used
Policies that use the Any protocol
Policies that use an Any-* alias, for example Allow Any-Trusted to Any-External, on a specific port/
protocol
It is not necessary to enable Application Control for a policy if you control the network on both sides of
a traffic flow the policy handles. Some examples of these types of policies include policies that handle
traffic for POS systems, Intranet web applications, or internal databases and traffic in a DMZ.
It is also usually unnecessary to enable Application Control for policies that are restricted by port and
protocol and that only allow a known service. Some examples of these types of policies:
Default WatchGuard policies
DNS traffic
RDP
VoIP SIP and H.323 application layer gateways
Monitor Application Usage
When you enable Application Control for a policy, the XTM device always identifies and creates a log
message for applications dropped due to an Application Control action. If you want to monitor all
application use, you must configure the XTM device to create a log message for all identified
applications, even those that are not blocked. To do this, you must configure the policy to send a log
message for allowed packets.
After Application Control and logging of allowed packets have been enabled in your policies for a
period of time, you can use Log and Report Manager to run Application Control reports that summarize
information about the applications used on your network.
WatchGuard recommends that you first use Application Control to monitor application use for a period
of time to help you understand which applications are used on your network. Then you can decide
which applications you want to block.
Get Information About Applications
When you configure Application Control, or when you look at Application Control reports, you might
see application names you are not familiar with. To see information about any application that
Application Control can identify, you can look up the application on the WatchGuard Application
Control Security Portal at http://www.watchguard.com/SecurityPortal/AppDB.aspx.
Application Control Actions and Proxy Actions
Application Control actions and proxy actions both can control access to application content. If there is
a conflict between the action specified for application content in the Application Control action and
the proxy action, the more restrictive action controls whether the application traffic is blocked.
For example:
If you configure an Application Control action to block an application, and you create a proxy
action Content Types rule to allow the content type for that application, the content is blocked by
Application Control.
If you configure an Application Control action to allow an application, and you create a proxy
action Content Type rule to drop or deny that content type, the content is blocked by the Content
Type rule in the proxy action.

Exercise 1: Set Up Gateway AntiVirus
The Successful Company CIO decides to invest in signature-based intrusion prevention measures. The
network administrator recommends WatchGuard Gateway AntiVirus and IPS. Because the services are
cost-effective and the WatchGuard system is familiar, the expense is approved. In this exercise, we
will activate Gateway AntiVirus and configure it to automatically get updates.
Activate Gateway AntiVirus
After the network administrator adds the feature key and saves it to the XTM device, he opens Policy
Manager to activate the service.
1. Select Subscription Services > Gateway AntiVirus > Activate.
The Activate Gateway AntiVirus Wizard appears.
2. Click Next.
If you are completing the training modules sequentially, or taking the class with an instructor, you should
have several email, web, and FTP policies configured.
3. Clear the check box adjacent to the HTTP-Public-Servers policy. Click Next.
4. Click Finish.

Note
You must have the Gateway AntiVirus feature key saved to the XTM device before you can do this exercise. For more information, see Add a Feature Key to the XTM Device in the 6 module.

Configure Gateway AntiVirus
Now, we enable decompression and configure the Gateway AntiVirus signature update settings.
1. When the wizard is complete, select Subscription Services > Gateway AntiVirus > Configure.
The Gateway AntiVirus dialog box appears and shows your proxy policies and whether Gateway AntiVirus is
enabled.
2. Click Settings.
The Gateway AV Decompression Settings dialog box appears.
3. Select the Enable Decompression check box.
4. Make sure the number of Levels to scan to is set to 3.
5. Click OK.
6. Click Update Server.
The Update Server dialog box appears.
7. Select the Enable automatic update check box. By default, the XTM device automatically updates
signature database files every hour. Increase the Interval to 2 hours.
8. Select the Gateway AntiVirus Signatures check box to enable automatic updates for Gateway AV.
9. Click OK.
10. Click OK to close the Gateway AntiVirus dialog box.
You must save your changes to the XTM device before they take effect.

Exercise 2: Configure an SMTP Proxy Policy for Gateway AntiVirus

Now that the Gateway AntiVirus service is activated for all email proxies and the signature database is
set to update every three hours, we must configure each of the actions we want the XTM device to take
when an exploit is detected. If you have more than one proxy policy, you must configure each policy.
In this exercise, we will configure the Successful Company SMTP-Incoming-Proxy policy to:
Drop email messages with attachments that contain viruses
Allow attachments that cannot be scanned
Enable the automatic content type detection feature
Before you begin, open Policy Manager and make sure there is an SMTP proxy policy present in your
configuration. If not, select Edit > Add Policies to add an SMTP proxy policy to your configuration.
1. Select Subscription Services > Gateway AntiVirus > Configure.
The Gateway AntiVirus dialog box appears.
2. Select the SMTP-Incoming-Proxy policy. Click Configure.
The Gateway AntiVirus Configuration of Policy: SMTP-Incoming-Proxy dialog box appears.
3. In the When a virus is detected drop-down list, select Remove.
4. In the When a scan error occurs drop-down list, select Allow.
5. Select the adjacent Alarm check box.

Note
Automatic content type detection can improve virus detection rates. Often, the content type value that appears in an email header is set incorrectly by email clients. With this feature enabled, the SMTP proxy tries to verify the content type of email attachments itself.

6. In the Categories list, select Attachments > Content Types.
The Content Types settings appear.
7. Make sure the Enable content type auto detection check box is selected.
If you do not select this check box, the SMTP proxy uses the value stated in the email header, which clients
sometimes set incorrectly. For example, an attached PDF file might have a content type stated as application/
octet-stream. If you enable content type auto detection, the SMTP proxy recognizes the PDF file and uses the
actual content type, application/pdf. If the proxy does not recognize the content type after it examines the
content, it uses the value stated in the email header, as it would if content type auto detection were not
enabled.
8. In the If matched drop-down list, select AV Scan.
9. Click OK to close the Gateway AntiVirus Configuration dialog box.
10. Click OK to close the Gateway AntiVirus dialog box.
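The auto detection rule from step 7, as an added example rather than WatchGuard's own logic: each attachment's leading bytes are checked against a small signature table, the declared header type is used only when the bytes are not recognized (or detection is off), and a hypothetical Content Types ruleset is then applied. The signature table, the ruleset and the sample message are constructed for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading-byte signatures for a few common attachment types (constructed table,
# not WatchGuard's detection logic).
MAGIC_TYPES = [
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-msdownload"),      # Windows executable
    (b"PK\x03\x04", "application/zip"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

# Hypothetical Content Types ruleset for the SMTP proxy action: matched types get
# "AV Scan" or "Deny"; anything else falls through to the ruleset default.
CONTENT_TYPE_RULES = {
    "application/pdf": "AV Scan",
    "application/zip": "AV Scan",
    "application/x-msdownload": "Deny",
}
RULESET_DEFAULT = "Allow"


def detect_content_type(payload: bytes, declared: str, auto_detect: bool = True) -> str:
    """Return the content type the proxy should act on.

    With auto detection on, the attachment's leading bytes decide when they match
    a known signature; otherwise (unknown bytes, or detection off) the value the
    client put in the email header is used, as described in step 7."""
    if auto_detect:
        for magic, ctype in MAGIC_TYPES:
            if payload.startswith(magic):
                return ctype
    return declared


def classify_attachments(raw_message: bytes, auto_detect: bool = True) -> list:
    """Apply the Content Types ruleset to every attachment in a raw RFC 822 message.

    Returns (filename, declared type, effective type, action) per attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        effective = detect_content_type(payload, declared, auto_detect)
        action = CONTENT_TYPE_RULES.get(effective, RULESET_DEFAULT)
        results.append((part.get_filename(), declared, effective, action))
    return results


def build_sample_message() -> bytes:
    """Constructed message: a PDF declared as octet-stream (the guide's example)
    and a Windows executable labelled as a JPEG."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Constructed sample with mislabelled attachments"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
                       maintype="application", subtype="octet-stream",
                       filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
                       maintype="image", subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for auto in (True, False):
        print(f"content type auto detection: {auto}")
        for name, declared, effective, action in classify_attachments(raw, auto):
            print(f"  {name}: header says {declared}, acting on {effective} -> {action}")
```

With detection off, both attachments reach the ruleset under their declared types and fall through to Allow; with it on, the PDF is scanned and the executable is denied.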

Note
Because hackers often try to disguise executable files as other content types, we recommend that you enable content type auto detection to make your installation more secure.

Exercise 3: Configure the Intrusion Prevention Service

Now the Successful Company network administrator is ready to enable IPS in the device configuration.
Enable Intrusion Prevention
1. Select Subscription Services > Intrusion Prevention.
The Intrusion Prevention Service dialog box appears.
2. Select the Enable Intrusion Prevention check box.
By default, IPS drops and logs all traffic that matches an IPS signature at the Critical, High, Medium, or Low
threat level.
3. Select the Policies tab.
The IPS column shows that IPS has been automatically enabled for all policies.
4. Select the Settings tab.
5. Click Update Server.
Automatic updates are already enabled for Gateway AntiVirus signatures, so we only need to enable the
IPS signature updates.
6. Select the Intrusion Prevention and Application Control Signatures check box. Click OK.
7. Click OK to close the Intrusion Prevention dialog box.

Exercise 4: Configure Application Control

The Successful Company network administrator is dismayed to learn that employees accidentally
downloaded a nasty bot virus through the file sharing features of the Yahoo Messenger client. In this
exercise, we configure the Global Application Control action to block the use of Yahoo Messenger and
several other instant messaging applications. Then we apply this action to the HTTP-proxy policy.
Note
The list of applications you can control is based on a set of application signatures that Application
Control uses to identify the applications. To make sure that Policy Manager has the most recent
Application Control signatures from the XTM device, connect to your device with WatchGuard
System Manager before you use Policy Manager to edit or update Application Control actions.

If you are completing the training modules sequentially, or taking the class with an instructor, you
should have several DNS, email, HTTP, and FTP policies configured.
Configure the Global Application Control Action
1. Select Subscription Services > Application Control.
The Application Control Actions dialog box appears.
The Global Application Control action is a predefined action. You configure the Global action to
block applications you do not want to allow for all or most users. In this example, we want to block
instant messaging applications for all users.
2. Click the Global action to select it. Click Edit to edit the Global action.
The Application Control Action (predefined) dialog box appears. By default all applications you can control
appear in the application list.
You can use the radio buttons to show all applications, or show only applications that have an
action configured.
3. To search for the Yahoo Messenger application by name, in the search text box, type messenger.
The application list shows all applications that contain the word messenger.

Note
The Search feature is the quickest way to find a specific application by name. You can also use the Category drop-down list to filter the list by category, such as Instant Messaging. Search is generally quicker, since each category contains many applications, and some applications may not be in the category you expect.

4. Select the Yahoo Messenger application. Click Edit.
The Application Control Configuration dialog box appears.
5. For this exercise, the administrator wants to block all use of the Yahoo Messenger application. Click
OK to set the action for all behaviors to Drop.
The Drop action appears in the action column for this application.
6. Click OK.
The Global Application Control action now blocks Yahoo Messenger.
You can optionally repeat the steps above to add any other applications to the Global Application
Control action. Or, you can click Select by Category to set the action for all applications in an
application category.
To remove the action configured for an application, select the configured application in the list and
click Clear Action.

Note
To allow the use of Yahoo Messenger for instant messaging, but block file transfers, you could select the Set the action for specific behaviors radio button. Then set the action for the Transfer behavior to Drop.

Apply the Global Application Control Action to Policies
After we define the Global Application Control action, we must apply this action to one or more
policies. In this part of the exercise, we apply this Application Control action to the HTTP policies.
1. In the Application Control Actions dialog box, select the Policies tab.
If you are completing the training modules sequentially, or taking the class with an instructor, you should
already have created the HTTP policies used in this exercise.
2. Select both of the HTTP policies.
Use the Ctrl key to select multiple policies.
3. From the drop-down list, select the Global action.
The Global action is applied to the selected policies.
4. Click OK.
The Global Application Control action is now applied to the HTTP policies.

Exercise 5: Use Different Application Control Actions for
Different Policies

After the Successful Company administrator blocked Yahoo Messenger in the Global Application
Control rule, the management requested that employees be allowed to use Yahoo Messenger for chat,
but not for file transfers. In this exercise, we create a new Application Control action to control specific
application behaviors. Then we apply that Application Control action to the HTTP-Employees policy.
You created the HTTP-Employees policy in the Web Traffic training module. The HTTP-proxy policy
controls traffic from any trusted network to any computer on the external network.
1. Select Subscription Services > Application Control.
The Application Control Actions dialog box appears.
2. Click Add to add a new Application Control action.
The New Application Control Action dialog box appears.
3. Double-click the Yahoo Messenger application to set the action.
4. Select Set the action for specific behaviors.
5. Select the Transfer check box. From the adjacent drop-down list, select the application behavior.
The default action is Drop.
6. Click OK.
The Action for Yahoo Messenger is set to Drop, just for the Transfer application behavior.
7. From the When application does not match drop-down list, make sure Use Global action is
selected. This is the default.
8. Click OK.
The new Application Control action appears in the Application Control Actions dialog box.
9. Select the Policies tab.
10. For the HTTP-Employees policy, change the Action to the new action you just created.
11. Click OK.

With this configuration:
The HTTP-Employees policy uses the AppControl.1 Application Control action as the primary
action to control application usage. For these users, Yahoo Messenger application traffic is not
controlled, except for file transfer traffic, which is dropped.
If HTTP traffic handled by the HTTP-Employees policy does not match the applications listed in the
AppControl.1 action, the HTTP-Employees policy uses the Global Application Control action to
determine whether to allow or drop the application traffic.
For HTTP traffic handled by the HTTP-proxy policy, the Global Application Control action is used to
control application usage.
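The tiered decision described under Default Action and summarized for this configuration, as an added Python model that is not Fireware code: a policy's action is checked first, then that action's default (Drop, Allow or Global), then the Global action and its own default. The assumption, taken from the exercise text, is that a listed application with behavior-specific actions has its unconfigured behaviors allowed; application, action and policy names are the exercise's own, and the DNS policy is added as the not-enabled case.

```python
from dataclasses import dataclass, field
from typing import Optional

DROP, ALLOW, GLOBAL = "Drop", "Allow", "Global"


@dataclass
class AppControlAction:
    """One Application Control action: per-application actions plus a default.

    apps maps an application name either to a single action for all behaviors,
    or to a {behavior: action} dict when "Set the action for specific behaviors"
    is used. default is Drop, Allow or Global (Global is not valid for the
    Global action itself)."""
    name: str
    apps: dict = field(default_factory=dict)
    default: str = GLOBAL

    def lookup(self, app: str, behavior: Optional[str]) -> Optional[str]:
        """Action for app/behavior, or None if this action does not list the app."""
        rule = self.apps.get(app)
        if rule is None:
            return None
        if isinstance(rule, dict):
            # Listed with behavior-specific actions: behaviors that are not
            # configured are not controlled, i.e. allowed (Yahoo Messenger chat
            # in the exercise). Assumption made for this example.
            return rule.get(behavior, ALLOW)
        return rule


def evaluate(policy_action: Optional[AppControlAction], global_action: AppControlAction,
             app: str, behavior: Optional[str] = None) -> tuple:
    """Tiered decision: policy action -> its default -> Global action -> Global default.

    policy_action is None when Application Control is not enabled for the policy.
    Returns (verdict, where the decision was made)."""
    if global_action.default == GLOBAL:
        raise ValueError("the Global action needs a Drop or Allow default")
    if policy_action is None:
        return ALLOW, "Application Control not enabled"
    verdict = policy_action.lookup(app, behavior)
    if verdict is not None:
        return verdict, policy_action.name
    if policy_action.default != GLOBAL:
        return policy_action.default, f"{policy_action.name} default"
    verdict = global_action.lookup(app, behavior)
    if verdict is not None:
        return verdict, global_action.name
    return global_action.default, f"{global_action.name} default"


# Constructed configuration matching Exercises 4 and 5 (Global default assumed Allow).
GLOBAL_ACTION = AppControlAction(
    "Global", {"Yahoo Messenger": DROP, "Windows Live Messenger": DROP}, default=ALLOW)
APPCONTROL_1 = AppControlAction(
    "AppControl.1", {"Yahoo Messenger": {"Transfer": DROP}}, default=GLOBAL)
POLICIES = {
    "HTTP-Employees": APPCONTROL_1,   # per-policy action, Global as fall-back
    "HTTP-proxy": GLOBAL_ACTION,      # Global action applied directly
    "DNS": None,                      # Application Control not enabled
}


def decide(policy_name: str, app: str, behavior: Optional[str] = None) -> tuple:
    """Verdict for traffic identified as app/behavior on the named policy."""
    return evaluate(POLICIES[policy_name], GLOBAL_ACTION, app, behavior)


if __name__ == "__main__":
    cases = [("HTTP-Employees", "Yahoo Messenger", "Chat"),
             ("HTTP-Employees", "Yahoo Messenger", "Transfer"),
             ("HTTP-Employees", "Windows Live Messenger", "Chat"),
             ("HTTP-Employees", "YouTube", None),
             ("HTTP-proxy", "Yahoo Messenger", "Chat"),
             ("DNS", "Yahoo Messenger", "Chat")]
    for policy_name, app, behavior in cases:
        verdict, where = decide(policy_name, app, behavior)
        print(f"{policy_name:15s} {app:24s} {behavior or '-':9s} -> {verdict:5s} ({where})")
```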
Test Your Knowledge

1. Match the proxy action with the correct description of the XTM device action:
A) Allow       | Delete the attachment, send nothing to the sender or recipient, and add the sender to the Blocked Sites list.
B) Lock        | Delete the attachment, send nothing to the recipient, and send nothing to the sender.
C) Remove      | Do not accept the file and notify the sender.
D) Drop        | Let the attachment go to the recipient even if it contains a virus.
E) Block       | Remove the attachment and delete it while sending the message to the recipient.
F) Send        | Encode the attachment so that the recipient cannot open it without a network administrator.
G) Deny        | Send the message to the Quarantine Server.
H) Quarantine  | Not a Fireware proxy action

2. True or false? Gateway AntiVirus can detect viruses in uuencoded email.
3. True or false? Gateway AntiVirus can detect viruses in password-protected ZIP files.
4. True or false? The Intrusion Prevention Service is only compatible with the HTTP and TCP proxies. It
cannot detect possible intrusions in the SMTP, POP3, DNS, or FTP proxies.
5. True or false? When you enable the Intrusion Prevention Service, IPS is automatically enabled for all
policies.
6. True or false? The Global Application Control Action applies to all policies in your configuration.
7. True or false? If you want to report on the usage of applications that are not blocked, you must
enable logging of allowed packets in each policy that has Application Control enabled.


Reputation Enabled Defense
Improve the Performance and Security of Web Access

What You Will Learn

WatchGuard Reputation Enabled Defense is a service that improves the performance and security of
web browsing for users on your network. In this module, you learn how to:
Understand how Reputation Enabled Defense protects your network
Set up and configure Reputation Enabled Defense
See status and reports for Reputation Enabled Defense
Before you begin these exercises, make sure you read the Course Introduction module.
In this module, you will configure an optional feature of the WatchGuard XTM device. To use this
feature, you must first get a feature key for the Reputation Enabled Defense service, which is included
in the UTM bundle. To activate the key you must have access to an XTM device. If you take this course
with a WatchGuard Certified Training Partner, your instructor will provide you with both an XTM device
and a feature key.

How Reputation Enabled Defense Works

In the previous training module, we learned how the Gateway AntiVirus service scans web pages and any files downloaded from web pages for viruses. When you enable the Reputation Enabled Defense (RED) service, you can further improve performance and security of web browsing for users on your network.
WatchGuard RED uses cloud-based WatchGuard reputation servers that assign a reputation score
between 1 and 100 to every URL. When a user goes to a web site, RED sends the requested web address
(or URL) to the WatchGuard reputation server. The WatchGuard server responds with a reputation score
for that URL. Based on the reputation score, and on locally configured thresholds, RED determines
whether the XTM device should drop the traffic, allow the traffic and scan it locally with Gateway AV, or
allow the traffic without a local Gateway AV scan. This increases performance, because Gateway AV
does not need to scan URLs with a known good or bad reputation.
The reputation score for a URL is based on feedback collected from devices around the world. It incorporates scan results from three leading anti-malware engines: McAfee, Kaspersky, and AVG.
Reputation Enabled Defense uses the collective intelligence of the cloud to keep Internet browsing
safe and to optimize performance at the gateway.
Reputation Scores
The WatchGuard reputation server assigns every URL a reputation score from 1 to 100. A reputation
score closer to 100 indicates that the URL is more likely to contain a threat. A score closer to 1 indicates
that the URL is less likely to contain a threat. If the RED server does not have feedback about a web
address, it assigns a neutral score of 50.
These factors can cause the reputation score of a URL to increase, or move toward a score of 100:
Negative scan results
Negative scan results for a referring link
These factors can cause the reputation score of a URL to decrease, or move toward a score of 1:
Multiple clean scans
Recent clean scans
Reputation scores change over time. For increased performance, the XTM device stores the reputation
scores for recently accessed web addresses in a local cache.
Reputation Thresholds
There are two reputation score thresholds you can configure:
Bad reputation threshold If the score for a URL is higher than the Bad reputation threshold, the
HTTP proxy denies access without any further inspection.
Good reputation threshold If the score for a URL is lower than the Good reputation threshold
and Gateway AntiVirus is enabled, the HTTP proxy bypasses the Gateway AV scan.
If the score for a URL is equal to or between the configured reputation thresholds and if you have
enabled Gateway AV, the content is scanned for viruses.
Reputation Lookups
The XTM device uses UDP port 10108 to send reputation queries to the WatchGuard reputation server.
Make sure this port is open between your XTM device and the Internet. UDP is a best-effort service. If
the XTM device does not receive a response to a reputation query soon enough to make a decision
based on the reputation score, the HTTP proxy does not wait for the response, but instead processes
the HTTP request normally. In this case the content is scanned locally if Gateway AV is enabled.
Reputation lookups are based on the domain and URL path, not just the domain. Parameters after
escape or operator characters, such as & and ? are ignored.
For example, for the URL:
http://www.example.com/example/default.asp?action=9&parameter=26
the reputation lookup is:
http://www.example.com/example/default.asp
Reputation Enabled Defense does not do a reputation lookup for sites that have been added to the HTTP Proxy Exceptions list of the HTTP proxy action.
Note
If the response comes back late, it is possible you will see the reputation score assigned as -1 in the Traffic Monitor.
Reputation Enabled Defense Feedback
When you enable Reputation Enabled Defense, you can choose if you want to send the results of local
Gateway AV scans to the WatchGuard server. You can also choose to upload Gateway AV scan results to
WatchGuard even if Reputation Enabled Defense is not enabled or licensed on your device. All
communications between your network and the Reputation Enabled Defense server are encrypted.
We recommend that you enable the upload of local scan results to WatchGuard to improve overall
coverage and accuracy of Reputation Enabled Defense.

Monitor Reputation Enabled Defense

The Subscription Services tab of Firebox System Manager includes current statistics about Reputation Enabled Defense activity that occurred after the last device restart. The statistics include the reputation score thresholds (based on your configuration settings) and the counts for each of these categories:
Local bypass (good)
The number and percentage of URL requests that bypassed local Gateway AV scanning because they
have a reputation score lower than the Good reputation threshold.
The number of URLs blocked (bad)
The number and percentage of URL requests that were blocked without scanning because they have
a reputation score higher than the Bad reputation threshold.
Normal processing (inconclusive scores)
The number and percentage of URL requests that were processed normally, because they have a
reputation score equal to or between the Good reputation and Bad reputation thresholds.
Local cache hits
The number and percentage of URL requests for which the reputation score was found in the local
cache, so no request to the Reputation Enabled Defense server was required.
Reputation lookups
The total number of reputation lookup attempts since the last system restart.
If you have installed Report Manager, you can also see a summary of Reputation Enabled Defense actions
in the Reputation Enabled Defense Summary report. This report shows a graphical representation of
the percentage of URLs that were bypassed, blocked or required local scanning.
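The lookup normalization, threshold decision, local cache, proxy exceptions, and counters described in this module, as an added Python model that is not WatchGuard code. The Good and Bad thresholds (10 and 90), the score table, the hostnames, and the timeout case are constructed, and the model assumes that every request that needs a score counts as one lookup attempt, cache hits included.

```python
"""Model of the Reputation Enabled Defense (RED) decision flow described above.

Added illustration, not WatchGuard code. The cloud reputation server is
replaced by a constructed score table, and the Good/Bad thresholds used
below (10 and 90) are constructed values; the course text gives no defaults.
"""
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit, urlunsplit

NO_RESPONSE = -1   # the score the Traffic Monitor shows when the reply is late
NEUTRAL = 50       # the server has no feedback about this URL

# Constructed feedback, standing in for the WatchGuard reputation server.
SERVER_SCORES = {
    "http://www.example.com/example/default.asp": 5,   # repeated clean scans
    "http://bad.example.net/dl/installer.exe": 97,     # negative scan results
}
TIMEOUT_KEYS = {"http://slow.example.com/page"}       # UDP reply never arrives


def cloud_server(key: str) -> Optional[int]:
    """Stand-in for the UDP/10108 query; None means no timely reply."""
    if key in TIMEOUT_KEYS:
        return None
    return SERVER_SCORES.get(key, NEUTRAL)


def lookup_key(url: str) -> str:
    """Reduce a URL to the domain-plus-path form that RED actually looks up.

    Everything from '?' onward (and so every '&' parameter) is dropped, so
    .../default.asp?action=9&parameter=26 and .../default.asp share a score.
    """
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def decide(score: int, good: int, bad: int, gav_enabled: bool) -> str:
    """Map a reputation score onto the HTTP proxy's possible actions."""
    if score == NO_RESPONSE:
        # Nothing to act on: process the request normally (local AV scan if on).
        return "scan" if gav_enabled else "allow"
    if score > bad:
        return "deny"                    # blocked without further inspection
    if score < good and gav_enabled:
        return "bypass"                  # skip the local Gateway AV scan
    return "scan" if gav_enabled else "allow"   # equal to or between thresholds


class RedProxy:
    """HTTP proxy front end: proxy exceptions, local cache, decision, counters."""

    def __init__(self, server: Callable[[str], Optional[int]], good: int = 10,
                 bad: int = 90, gav_enabled: bool = True, exceptions=()):
        self.server, self.good, self.bad = server, good, bad
        self.gav_enabled = gav_enabled
        self.exceptions = set(exceptions)       # HTTP Proxy Exceptions (hosts)
        self.cache: Dict[str, int] = {}         # recently seen scores
        # Assumption of this model: every request that needs a score counts as
        # a lookup attempt, whether it was answered from cache, by the server,
        # or not at all; percentages are taken over that total.
        self.stats = {"lookups": 0, "cache_hits": 0,
                      "good": 0, "bad": 0, "inconclusive": 0}

    def handle(self, url: str) -> str:
        if urlsplit(url).hostname in self.exceptions:
            return "exception"                  # no reputation lookup at all
        key = lookup_key(url)
        self.stats["lookups"] += 1
        if key in self.cache:
            self.stats["cache_hits"] += 1
            score = self.cache[key]
        else:
            reply = self.server(key)
            score = NO_RESPONSE if reply is None else reply
            if score != NO_RESPONSE:
                self.cache[key] = score
        action = decide(score, self.good, self.bad, self.gav_enabled)
        if action == "deny":
            self.stats["bad"] += 1
        elif action == "bypass":
            self.stats["good"] += 1
        elif score != NO_RESPONSE:
            self.stats["inconclusive"] += 1     # a late reply counts nowhere
        return action

    def percentages(self) -> Dict[str, float]:
        """Share of all lookup attempts per outcome; the three outcomes need
        not sum to 100% when some lookups got no timely reply."""
        total = self.stats["lookups"] or 1
        return {k: round(100.0 * self.stats[k] / total, 1)
                for k in ("good", "bad", "inconclusive", "cache_hits")}
```

Running the same URL twice shows the second request served from the local cache, and the timed-out lookup shows up in the lookup total but in none of the three outcome counters.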
Exercise 1: Set up Reputation Enabled Defense

Successful Company has been using Gateway AV, and now wants to install Reputation Enabled Defense
to further improve the performance and security of web browsing for their users. In this exercise you
enable Reputation Enabled Defense on the Successful Company XTM device.
Before you begin this exercise:
Make sure your device has a Reputation Enabled Defense feature key.
Make sure the device has at least one HTTP proxy policy configured.
After the network administrator adds the feature key and saves it to the XTM device, he opens the
device configuration in Policy Manager to enable the service.
1. Select Subscription Services > Reputation Enabled Defense.
The Reputation Enabled Defense dialog box appears.
2. Select an HTTP-proxy policy and click Enable.
Reputation Enabled Defense is enabled for this policy, with the default settings.
3. Click Configure.
The Reputation Enabled Defense settings for the selected policy appear.
When you enabled Reputation Enabled Defense for this policy, the Immediately block URLs that
have a bad reputation check box and the Bypass any configured virus scanning for URLs that
have a good reputation check box were both automatically selected.
4. Click Advanced.
Note
You can change the reputation thresholds, but we recommend that you keep them at the default values initially. After you have used Reputation Enabled Defense for a period of time, you can adjust the thresholds if you find that either setting is too aggressive.
5. Click OK to accept the default reputation thresholds.
6. Click OK.
The Reputation Enabled Defense dialog box closes.
You must save your changes to the XTM device before they take effect.
Exercise 2: See Reputation Enabled Defense Statistics

Successful Company has enabled Reputation Enabled Defense and wants to monitor its effectiveness. In this exercise you look at the statistics that show Reputation Enabled Defense activity since the last system restart.
Make sure your XTM device can do queries over UDP port 10108 to the WatchGuard reputation server
in the cloud.

1. In WatchGuard System Manager, click to connect to your XTM device.
2. Type your XTM device trusted IP address and the status passphrase. Click OK.
The Firebox System Manager Front Panel tab appears.
3. Select the Subscription Services tab.
The Subscription Services statistics page appears. Reputation Enabled Defense statistics appear at the
bottom.
In this example, we can see that 91% of all requested URLs had a good reputation score, and did not
require local scanning by Gateway AV. We can also see that 67% of the URLs visited had a reputation
score stored in the local cache. This means that the RED service did not need to request the score from
the WatchGuard reputation server.
If Gateway AV is enabled, it scans the content of web sites that have an inconclusive reputation score.
Those scan results are then sent to the Reputation Enabled Defense server as input for updated
reputation scores for those URLs. This increases the likelihood that these URLs will have a more clearly
good or bad reputation score in the future.
In this example, you can see that the total number of Reputation lookups is greater than the
combined total number of URLs with good, bad or inconclusive scores. This is because the Reputation
lookups statistic counts all lookup attempts, even if a response was not received in time to avoid a local
AV scan. If the HTTP proxy does not receive a timely response to a reputation lookup request, it scans the content locally. When this happens, the lookup is added to the Reputation lookup total, but is not added to the total of good, bad, or inconclusive scores.
You can also see that the percentages shown in this example for good, bad and inconclusive scores do
not add up to 100%. This is because these scores are calculated as a percentage of the total number of
reputation lookups.
Note
If your statistics show that the number of good, bad and inconclusive scores are zero, but the
number of Reputation lookups is high, this means that the reputation lookup attempts did not result
in timely responses from the WatchGuard reputation server. Make sure your XTM device can send
queries over UDP port 10108 to the WatchGuard reputation servers.
Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.
1. True or false? You must install a Reputation Enabled Defense server to use the Reputation Enabled
Defense service.
2. The reputation score for a URL is based on which of the following? (Select all that apply.)
A) Results from Kaspersky anti-virus scans.
B) Results from AVG anti-virus scans.
C) Feedback from devices around the world.
D) URLs on the Reputation Enabled Defense black list.
E) Results of local Gateway AV scans on your XTM device.

3. Which of the following URL reputation scores indicates that a site is most likely to contain a threat?
(Select one.)
A) 95
B) 50
C) 5

4. True or false? Local Gateway AntiVirus scans are only done for URLs that have an inconclusive
reputation score (not good or bad).
5. Which of these factors can cause the reputation score of a URL to increase toward a score of 100?
(Select all that apply.)
A) Negative scan results
B) No scan results.
C) Negative scan results for a referring link
D) All of the above.
Web UI
Explore Fireware XTM Web UI

What You Will Learn

You can use Fireware XTM Web UI for many monitoring and management tasks. In this training module,
you learn:
How to log in to the web UI
How to change the port the XTM device uses for the web UI
The limitations of the web UI
How to manage timeouts for web UI management sessions
Before you do the exercises, be sure to read and become familiar with the information in the Course Introduction training module available at:
http://www.watchguard.com/training/courses.asp
In this module, you will connect to one or more XTM devices. You will need a network connection to a
WatchGuard XTM device with Fireware XTM v11.4 installed.
If you take this course with a WatchGuard Certified Training Partner, your instructor will provide the IP
address and passphrases for devices used in the exercises.
For self-instruction, you can safely connect to an XTM device on a production network with the status
passphrase. In some of the exercises, you will change the configuration on the device. Make sure that
you have the administrative rights to do this before you perform these exercises on a device connected
to a production network. It is helpful to conduct a portion of this exercise from a computer connected
to the external network.

Introduction to Fireware XTM Web UI

With Fireware XTM Web UI, you can monitor and manage any device running Fireware XTM without
installing any extra software on your computer. The only software you need is a web browser with the
Adobe Flash v9 player installed. This means you can manage your XTM device from a computer
running Windows, Linux, Mac OS, or any other platform.
The Web UI is a real-time management tool. This means that when you use the web UI to make changes
to a device, the changes you make generally take effect immediately. The Web UI does not let you build
a list of changes to a locally-stored configuration file so you can save many changes to the device all at
once. This is different from Fireware XTM Policy Manager, which is an offline configuration tool.
Changes you make to a locally-stored configuration file using Policy Manager do not take effect until
you save the configuration to the device.
The Web UI is designed so that if you are familiar with Policy Manager, you can easily find what you
need and understand how the configuration options work. In addition, if you are familiar with the web
management interface for Edge devices running v10.x and earlier versions, you can quickly learn how
to use Fireware XTM Web UI.
Note
Adobe notes that 98-99% of all computers have Flash installed. If your browser does not have the Flash player installed, you will see a message with a link to the Adobe Flash download site when you try to connect to the web UI.

Limitations of the Web UI

When you want to make changes to your XTM device configuration, you should know that there are
several device configuration changes you cannot make with the web UI. Here are some of the things
you can do with Policy Manager, but not with the web UI:
View or change the configuration of a device that is a member of a FireCluster
Add or remove static ARP entries from the device's ARP table
Change the name of a policy
Change the logging of default packet handling options
Enable or disable notification for BOVPN events
Add a Custom Address to a policy
Use Host Name (DNS lookup) to add an IP address to the From or To section of a policy
Create a .wgx file for Mobile VPN with IPSec client configuration
(You can get only the equivalent, but unencrypted, .ini file)
Export certificates stored on the device, or see their details
(You can only import certificates)
Some of the logging and reporting functions provided by HostWatch, LogViewer, Report Manager,
and WSM are also not available in the web UI.
Connect to the Web UI

Connections to the web UI are always encrypted with HTTPS, the same high-strength encryption used
by banking and shopping web sites. You must use https instead of http when you type the URL in the
address bar of your web browser.
By default, the port used for the web UI is 8080. The default URL used to connect to the web UI is:
https://<device-ip-address>:8080
The <device-ip-address> segment of the address is the IP address assigned to the trusted or optional
interface. When you make this connection, the Login page appears:
About Certificate Warnings
When you connect to Fireware XTM Web UI, you can see a warning from your web browser.
This is the warning you see with Internet Explorer 7.x:
You can safely click Continue to this website if you know that the IP address shown in your browser
address bar is correct.
This is the warning you see with Mozilla Firefox 3.x:
If you know that the IP address shown in the browser address bar is correct, you can safely click Or you
can add an exception... and follow the prompts to add a certificate exception.
This certificate warning appears because your browser does not trust the certificate. There are two
reasons for this:
1. Your browser does not trust the entity that signed the device certificate.
Fireware XTM Web UI uses a self-signed certificate. Your browser trusts only certificates signed by a trusted
Certificate Authority, and certificates that you explicitly import into the browser as trusted certificates.
2. The Common Name on the certificate does not match what you typed into the browser address
bar.
For a certificate to be trusted automatically, its common name must match the server name.
To correct both problems you can manually import the certificate. For more information, see the
documentation from your browser or operating system vendor.
To avoid these warnings for all users, replace the certificate used by Fireware XTM Web UI with a
certificate trusted by all of your network clients. This could be a certificate you purchase from a
commercial vendor such as VeriSign or Thawte, or one you generate from a local CA used in your
organization such as Microsoft Certificate Services on a Windows server.
You can also create a custom certificate signed by the XTM device. This certificate can have multiple
names on it, so that users can type the device IP address or a domain name (if the domain name has a
record in the DNS system that resolves to the device IP address). Users must still import the certificate
into their operating system or browser certificate store, however, because this is a self-signed
certificate.
For more information on this process, see the Fireware XTM WatchGuard System Manager Help system or
User Guide.
Navigate the Web UI
At the left side of the web UI is a navigation bar that you can use to move between different
configuration areas. The heading items shown by default in this area automatically expand to show
additional options when you select them. You can select any item beneath a heading to see the
available configuration settings.
Get Help
There are two ways to get to the Help system from the web UI:
The header at the top of each page has a link that takes you to the main page of the Fireware XTM
Web UI Help.
For help with specific configuration tasks, each page in the web UI has its own Help link.
These Help links take you directly to the help topic that matches your current configuration page.
About the Status and Admin Accounts
When you log in to Fireware XTM Web UI, there are two options in the Username drop-down list:
status
Use this account to log in to the web UI when you want to only monitor the device status or see
connection information. Multiple users can log in to the web UI with the status account at the same
time. You cannot make changes to the device configuration file with this account.
The passphrase for this account is the device's status, or read-only, passphrase. You can also use this passphrase to connect to the device with Policy Manager.
admin
Use this account only when you want to make changes to the device configuration file. Only one
user at a time can log in to the web UI with this account. This prevents different users from
modifying the same property at the same time.
The passphrase for this account is the device's configuration, or read-write, passphrase. You also use this passphrase to save your configuration file to the device with Policy Manager.
The header section of the web UI interface shows which account you used to log in:
To log out of the web UI, at the top of the page, click Logout.
Note
Because there are only two system accounts for the web UI, status and admin, you must be careful
about who gets access to these accounts. We recommend that you give the configuration
passphrase only to trusted and authorized device administrators.
Note
When someone is logged in to the web UI with the admin account, Fireware XTM does not allow changes to the device configuration from any other connection, including Policy Manager or the Command Line Interface.

About Timeouts for Management Sessions
While the admin account is logged in to the web UI, Fireware XTM prevents all other users from making
read-write connections to the device. Specifically, other users cannot:
Log in to the web UI with the admin account
Save configuration changes to the device with Policy Manager
Update the OS on the device
Log in to the CLI with the admin account; this includes console connections with the serial port
and SSH connections on port 4118
When you try to do any of the aforementioned tasks when another user is logged in with the admin
account, you see a message that shows the IP address of the current admin user.
The message is shown in Policy Manager, the Web UI, and the CLI.
There are two timeout settings that control administrator account access. These settings help make sure the admin account is not locked for a long time.
To change these timeout settings in the web UI, select Authentication > Settings.
Or, from Policy Manager, select Setup > Authentication > Authentication Settings.
The timeout settings for management sessions include:
Session Timeout
The maximum amount of time that an administrator session can last.
Idle Timeout
The amount of time with no activity in the web UI.
Activity means that you do something in the browser that causes the browser to get data from the XTM device, or causes the browser to send data to the XTM device.
Note
The Web UI sends a keep-alive message to the device every 20 seconds. If the device does not receive this message from your browser for over 60 seconds, the device closes your session. However, the keep-alive message does not reset the idle timeout timer for management sessions. This lets the device close a management session quickly if you close the browser without first logging out of the web UI. The device will keep a management session open for the full idle timeout if you keep the browser open but you do nothing with it.
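The admin lock and the three session clocks described above (session timeout, idle timeout, and the keep-alive grace period), as an added Python model that is not Fireware code. The 20-second keep-alive interval and 60-second grace period come from the text; the 8-hour session timeout and 15-minute idle timeout used as defaults, the task names, and the IP addresses are constructed.

```python
"""Model of the admin lock and the management-session timeout rules above.

Added illustration, not Fireware code. The keep-alive numbers (20 s interval,
60 s grace) are the ones the course states; the session timeout (8 h) and idle
timeout (15 min) used as defaults below are constructed values.
"""
from typing import Optional

KEEPALIVE_INTERVAL = 20   # seconds between browser keep-alive messages
KEEPALIVE_GRACE = 60      # no keep-alive for longer than this closes the session

# Tasks that need the read-write (configuration) passphrase.
READ_WRITE_TASKS = {"webui-admin-login", "policy-manager-save",
                    "os-update", "cli-admin-login"}


class AdminSession:
    """One web UI admin session with its three independent clocks."""

    def __init__(self, ip: str, now: float, session_timeout: float,
                 idle_timeout: float):
        self.ip = ip
        self.start = now
        self.last_activity = now     # reset only by real data exchange
        self.last_keepalive = now    # reset by keep-alives and by activity
        self.session_timeout = session_timeout
        self.idle_timeout = idle_timeout

    def keepalive(self, now: float) -> None:
        # A keep-alive proves the browser is open but is NOT activity.
        self.last_keepalive = now

    def activity(self, now: float) -> None:
        # Browser fetched or sent data: resets the idle clock (and keep-alive).
        self.last_activity = now
        self.last_keepalive = now

    def closed_reason(self, now: float) -> Optional[str]:
        """None while the session is open, else why it was closed."""
        if now - self.start >= self.session_timeout:
            return "session timeout"
        if now - self.last_activity >= self.idle_timeout:
            return "idle timeout"
        if now - self.last_keepalive > KEEPALIVE_GRACE:
            return "keep-alive lost"         # browser closed without Logout
        return None


class XtmAdminLock:
    """Device side: at most one admin session; other read-write access refused."""

    def __init__(self, session_timeout: float = 8 * 3600,
                 idle_timeout: float = 15 * 60):
        self.session_timeout = session_timeout
        self.idle_timeout = idle_timeout
        self.session: Optional[AdminSession] = None

    def _expire(self, now: float) -> None:
        if self.session is not None and self.session.closed_reason(now):
            self.session = None

    def request(self, task: str, ip: str, now: float) -> str:
        """Answer a management request; a refusal names the current admin's IP."""
        self._expire(now)
        if task not in READ_WRITE_TASKS:
            return "allowed"                 # e.g. a read-only status login
        if self.session is not None:
            return f"refused: admin logged in from {self.session.ip}"
        if task == "webui-admin-login":
            self.session = AdminSession(ip, now, self.session_timeout,
                                        self.idle_timeout)
        return "allowed"

    def keepalive(self, now: float) -> None:
        self._expire(now)
        if self.session is not None:
            self.session.keepalive(now)

    def activity(self, now: float) -> None:
        self._expire(now)
        if self.session is not None:
            self.session.activity(now)

    def logout(self) -> None:
        self.session = None
```

Feeding the lock a stream of keep-alives with no activity shows the idle timeout still firing on schedule, while stopping the keep-alives releases the lock roughly a minute after the browser is closed.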
Control Access to the Web UI

By default, the XTM device allows connections to the web UI from any computer on a trusted or
optional network. Access to the web UI is controlled by the WatchGuard Web UI policy. This policy is
automatically added to your device configuration when you run the Quick Setup Wizard.
To see the policy:
1. Select Firewall > Firewall Policies:
2. Select the WatchGuard Web UI policy.
3. To edit the policy, click Edit.
The policy appears.
You can restrict or expand access to the web UI by adding or removing entries in the From list:
You can allow access to the web UI from external networks by adding the Any-External alias (or an
appropriate IP address).
You can restrict access to the web UI from internal locations by removing the Any-Trusted and
Any-Optional aliases. Make sure to keep at least one IP address from which you want to allow
access so that you can manage the XTM device from that computer.
You can remove all IP addresses and aliases, and replace them with user names or group names.
When you do this, you force users to authenticate before they are allowed access to the web UI.
About the Port for the Web UI
You can change the port that Fireware XTM uses for the web UI. The port controlled by the
WatchGuard Web UI policy is automatically changed if you change the port for the web UI.
Note
If you change this port, the URL you use to access the web UI also changes.
For example, if you change the port to 8888, type https://<device-ip-address>:8888 in
your browser address bar.

In Policy Manager:
1. Select Setup > Global Settings.
The Global Settings dialog box appears.
2. In the Web UI Port text box, type or select the port.
3. Click OK.
In the web UI:
1. Select System > Global Settings.
2. In the Web UI Port text box, type or select the port.
3. To see which port this policy controls, select the Properties tab.
4. Click OK.
Exercise 1: Connect to the Web UI with the Status Account

In this exercise, you connect to the web UI with read-only permissions.
1. From a computer on the Trusted network, open a web browser and go to
https://<device-ip-address>:8080.
Replace <device-ip-address> in the address with the IP address of your XTM device (10.0.1.1).
A certificate warning appears.
2. For Internet Explorer, click Continue to this website.
For Mozilla Firefox, add an exception as previously described.
The Web UI login dialog box appears.
3. From the Username drop-down list, select status.
4. In the Passphrase text box, type the status (read-only) passphrase. Click Login.
The Fireware XTM Web UI Dashboard appears.
5. In the navigation bar, select Firewall > Firewall Policies.
The Firewall Policies configuration page appears.
Note that at the top of the page, the Disable button is not available.
6. Place your cursor over the Disable button.
A tooltip appears to tell you that you have read-only privileges.
7. Navigate to other pages in the web UI and note that you cannot change any settings.
8. At the top of the web UI, click Logout.
You are logged out of the web UI and the login dialog box appears again.
Exercise 2: Change the Port for the Web UI

By default, Fireware XTM devices listen on port 8080 for Web UI connections. It is possible you have a
network policy or firewall that blocks connections on this port. It is also possible that you use port 8080
in your network and you need to forward it from the external network to an internal Web server. If this
is the case, you cannot use port 8080 for connections to the web UI from the external network. The
XTM device cannot listen for port 8080 connections and forward connections from external networks
on the same interface.
In this exercise, you connect to the web UI, change the port for the web UI, and connect to the web UI
again using the new port.
Note
Remember that when you change the port for the web UI, you must use the new port the next time
you connect to the device.

From a computer on a trusted network:
1. Open a web browser and go to https://<device-ip-address>:8080.
Replace <device-ip-address> in the address with the XTM device trusted interface IP address (10.0.1.1). A certificate warning appears.
2. For Internet Explorer 7, click Continue to this website.
For Mozilla Firefox, add an exception as previously described.
The Fireware XTM Web UI Login page appears.
3. From the Username drop-down list, select admin.
In the Passphrase text box, type the configuration passphrase.
The Fireware XTM Web UI Dashboard appears.
4. In the navigation bar, select System > Global Settings.
The Global Settings configuration appears.
5. In the Web UI Port text box, type or select 8081. Click Save.
A warning message appears to explain that you must use the new port when you log in again.
6. Click Yes.
The logon prompt appears again with a message to log in again.
7. Click OK.
8. In your browser address bar, type https://<device-ip-address>:8081.
Replace <device-ip-address> in the address with the IP address of the XTM device trusted interface.
9. Accept the certificate warning (Internet Explorer) or add an exception (Firefox) and log in again
with the admin account credentials.
10. In the navigation bar, select Firewall > Firewall Policies.
The Firewall Policies area appears.
11. Select the WatchGuard Web UI policy, then click Edit to view its properties.
12. Select the Properties tab for the policy.
The port for the policy was automatically changed to 8081.
13. Repeat Steps 4-5 to change the web UI port back to 8080.
Exercise 3: Configure an XTM device for Remote Web UI Administration
When you configure a WatchGuard XTM device with the Quick Setup Wizard, a policy is created
automatically that allows you to connect to the web UI from any computer on the trusted or optional
networks. If you want to manage the XTM device from a remote location (any location on an external
network), then you must change your configuration to allow connections to the web UI from that
location.
Note
This exercise is very useful in situations where an instructor must connect to a student XTM device during a classroom presentation. Your instructor may ask that you complete these steps. This will enable your instructor to troubleshoot configuration issues from his computer later in the class. If you are self-instructed and do not need to remotely manage your XTM device, you can skip this exercise.
Before you change a policy to allow connections to the XTM device from a computer external to your
network, it is a good idea to consider these alternatives:
Is it possible to connect to the XTM device using a VPN? This greatly increases the security of the
connection. If you can connect with a VPN, then you do not need to allow other connections. If it is
not possible to connect to the XTM device with a VPN, we recommend that you use authentication
for additional security.
It is more secure to limit access from the external network to the smallest number of computers
possible. For example, it is more secure to allow connections from a single computer than it is to
allow connections from the Any-External alias.
If you decide to allow connections to the XTM device from Any-External, it is especially important that
you set very strong status and configuration passphrases. It is also a good idea to change your
passphrases at regular intervals.
To configure the WatchGuard Web UI policy to allow access to the web UI from an external computer:
1. From a computer on the trusted network, open a Web browser and go to
https://<device-ip-address>:8080.
Replace <device-ip-address> in the address with the XTM device trusted interface IP address (10.0.1.1). A certificate warning appears.
2. For Internet Explorer 7, click Continue to this website.
For Mozilla Firefox, add an exception as previously described.
The Fireware XTM Web UI Login page appears.
3. From the Username drop-down list, select admin.
In the Passphrase text box, type the configuration passphrase.
The Web UI Dashboard appears.
4. In the navigation bar, select Firewall > Firewall Policies.
The Firewall Policies page appears.
5. Double-click the WatchGuard Web UI policy to edit it.
6. In the From section, click Add.
The Add Member dialog box appears.
7. From the Member Type drop-down list, select Alias.
8. Select Any-External and click OK.
Any-External is added to the From list in the policy definition.
9. Click Save at the bottom of the page to apply this change to your device.
10. From a computer on the external network, try to connect to the web UI.
Type https://<device-external-ip-address>:8080 in the browser address bar.
You should be able to connect to the device.
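The alternatives discussed before this procedure (VPN first, then the smallest possible set of source computers, and strong, regularly changed passphrases if Any-External is unavoidable) can be expressed as a review check. The following Python script is an added example, not WatchGuard code or a Fireware API: it models each policy as a plain dictionary with the From members used in the exercise (the Web UI port 8080 and the Any-External alias come from this section; the dictionary layout and the sample policies are constructed) and reports how broadly the Web UI is exposed.

```python
from ipaddress import ip_network

WEB_UI_PORT = 8080                    # default Web UI port used in this exercise
EXTERNAL_ALIASES = {"Any-External"}   # alias from the exercise; other aliases assumed internal

def classify_member(member: str) -> str:
    """Classify one From member as 'any-external', 'host', 'network' or 'alias'."""
    if member in EXTERNAL_ALIASES:
        return "any-external"
    try:
        net = ip_network(member, strict=False)
    except ValueError:
        return "alias"                # e.g. Any-Trusted: not an external source
    return "host" if net.num_addresses == 1 else "network"

def audit_web_ui_policy(policy: dict) -> list:
    """Return review findings for a policy that allows the Web UI port (empty = no external exposure)."""
    findings = []
    if policy["action"] != "allow" or WEB_UI_PORT not in policy["ports"]:
        return findings
    kinds = {m: classify_member(m) for m in policy["from"]}
    if "any-external" in kinds.values():
        findings.append("Web UI open from Any-External: use a VPN if possible; "
                        "otherwise set strong status and configuration passphrases "
                        "and change them at regular intervals")
    for member, kind in kinds.items():
        if kind == "network":
            findings.append(f"Web UI open from whole network {member}: "
                            "limit the From list to single computers")
    return findings

# Constructed sample policies modelled on the exercise (dictionary layout is assumed).
SAMPLE_POLICIES = [
    {"name": "WatchGuard Web UI (default)", "action": "allow",
     "ports": [8080], "from": ["Any-Trusted", "Any-Optional"]},
    {"name": "WatchGuard Web UI (after step 8)", "action": "allow",
     "ports": [8080], "from": ["Any-Trusted", "Any-Optional", "Any-External"]},
    {"name": "WatchGuard Web UI (single admin host)", "action": "allow",
     "ports": [8080], "from": ["Any-Trusted", "203.0.113.7"]},
    {"name": "WatchGuard Web UI (whole branch network)", "action": "allow",
     "ports": [8080], "from": ["Any-Trusted", "198.51.100.0/24"]},
]

def audit_all(policies=SAMPLE_POLICIES) -> dict:
    """Map policy name -> findings so a reviewer sees every exposed policy at once."""
    return {p["name"]: audit_web_ui_policy(p) for p in policies}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or ["OK: no external exposure"])
```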
Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.
1. Which account do you use to log in to the web UI to change the configuration? (Select one.)
A) admin
B) status
C) configuration
D) administrator

2. What is the default port for the web UI? (Select one.)
A) 8100
B) 8088
C) 8080
D) 8000

3. True or false? You can save the XTM device configuration file to a local disk drive from the web UI.
4. True or false? You must install WSM software to use the web UI.
5. How many users can simultaneously log in to the web UI with the admin account? (Select one.)
A) 1
B) 2
C) 4
D) unlimited

6. How many users can simultaneously log in to the web UI with the status account? (Select one.)
A) 1
B) 2
C) 4
D) unlimited
COPYRIGHT 2011 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, the WatchGuard logo, Firebox, and Core are registered trademarks or
trademarks of WatchGuard Technologies, Inc. in the United States and/or other
countries.