
Firebox® Vclass User Guide Vcontroller™ 4.0Notice to UsersInformation in this guide is subject to change without notice. Companies, names, and data us
x Vcontroller 4.01. Ownership and License. The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other
80 Vcontroller 4.0Before initiating a certificate request, you must obtain the following:• The encryption key cosigning authority’s name and web site
Certificate ConfigurationFirebox Vclass User Guide 813 Type the following information: NameThe name of the Firebox Vclass appliance. This is the same
82 Vcontroller 4.05 Fill in the following information and click Next.Subject NameThis field is automatically updated with processed data from your fir
Certificate ConfigurationFirebox Vclass User Guide 837 Select the text in the dialog box and then press Control+a.8 Click Copy.9 Open a Web browser an
84 Vcontroller 4.014 Review the information displayed in the Certificate Request dialog box, and then click Finish.The Certificate Request dialog box
Certificate ConfigurationFirebox Vclass User Guide 854 Click Copy/Close to return to the Review CSR dialog box.A copy of the CSR is sent to the clipbo
86 Vcontroller 4.05 When the certificate text is displayed, click Import Certificate.This imports the certificate into the Firebox Vclass appliance. A
LDAP Server ConfigurationFirebox Vclass User Guide 87LDAP Server ConfigurationUse the LDAP tab to set up a connection between a Firebox Vclass applian
88 Vcontroller 4.04 If the LDAP server is not using the default port number 389, type the correct port number in the appropriate field.When you have f
NTP Server ConfigurationFirebox Vclass User Guide 892 To enable NTP, click Yes.If you later decide to disable NTP, click No.3 Enter the IP address of
Firebox Vclass User Guide xiNONINFRINGEMENT, ANY WARRANTY THAT THE SOFTWARE PRODUCT WILL MEET YOUR REQUIREMENTS, ANY WARRANTY OF UNINTERRUPTED OR ERRO
90 Vcontroller 4.02 Click Yes to restart NTP.When you have finished configuring the NTP server settings, click one of the following options:ResetTo re
Advanced ConfigurationFirebox Vclass User Guide 91The following global policy settings are displayed:TCP Syn CheckingThis option enables the inspectio
92 Vcontroller 4.0 - To ignore a DF bit (Don’t Fragment) during an IPSec transmission, click the Ignore DF for IPSec checkbox. - To allow IPSec traffi
Hacker Prevention OptionsFirebox Vclass User Guide 932 You can customize and apply the following two groups of options at this time:“Denial-of-service
94 Vcontroller 4.0ICMP Flood AttackSafeguards your network from a sustained flood of ICMP pings. After clicking the checkbox, enter the threshold numb
CPM Management ConfigurationFirebox Vclass User Guide 95Per Client QuotaRestricts the number of connection requests from a single client within a seco
96 Vcontroller 4.02 Click the Enable CPM Management checkbox.3 Type the CPM server IP address in the appropriate field.4 Type the CPM server port in t
Managing Software LicensesFirebox Vclass User Guide 976 Type the new password and retype it in the appropriate fields.7 Click OK.When you have finishe
98 Vcontroller 4.0To import a new license, follow these steps:2 Click Add.The Import License dialog box appears.VclassUserGuide.book Page 98 Friday,
Managing Software LicensesFirebox Vclass User Guide 993 Click Load the license from a file.4 Locate and select the license file. NOTEIf you prefer, y
xii Vcontroller 4.0VclassUserGuide.book Page xii Friday, January 3, 2003 10:09 AM
100 Vcontroller 4.03 Review the license information.4 When you are finished, click Close.To see which features are currently active, follow these step
VLAN Forwarding OptionFirebox Vclass User Guide 101VLAN forwarding, you can create security policies for VLAN traffic, but you must activate the relat
102 Vcontroller 4.0 NOTEIf this tab is not visible, this Firebox Vclass appliance does not incorporate these VLAN-forwarding features.2 Click the che
High Availability ConfigurationFirebox Vclass User Guide 103High Availability ConfigurationUse the High Availability tab to configure all of the neces
Firebox Vclass User Guide 105CHAPTER 6 Using Account ManagerThis chapter shows you how to create three separate types of access accounts.Admin and sup
106 Vcontroller 4.0 NOTEVcontroller provides one default super admin account with primary master privileges. Only one user can be logged in as defaul
Configuring AccountsFirebox Vclass User Guide 1072 Click Add.The account settings become active.3 Type an account name in the appropriate field.The ac
108 Vcontroller 4.09 Repeat this process to add more accounts.10 When you have finished, click Close.End-user accounts for authenticationYou can confi
Configuring AccountsFirebox Vclass User Guide 109https://10.10.10.273 Press Return.A Security Alert dialog box should appear, according to the browser
Firebox Vclass User Guide xiiiContentsCHAPTER 1 Introduction ...1Welcome to WatchGuard® ...
110 Vcontroller 4.0This hides the list of accounts from view, and replaces the minus box with a plus box.If you need to see all those accounts at a la
External Access for Remote ManagementFirebox Vclass User Guide 1113 When you have finished, click Close to save your changes and close the Account Man
112 Vcontroller 4.0As for all other admin access accounts (which can only be used to check the status and clear new alarms), any number of account use
Firebox Vclass User Guide 113CHAPTER 7 About Security PoliciesThe purpose of a Firebox Vclass appliance is to determine whether data is to be passed o
114 Vcontroller 4.0Security policy componentsEvery security policy is composed of two basic components: the traffic specifications and an action.Traff
About Security PoliciesFirebox Vclass User Guide 115• Encrypt and authenticate your data for secure transmission through insecure networks.• Enable va
116 Vcontroller 4.0address behind an alias with SNAT, so that the alias is the only network ID visible to external users.Virtual IP load balancing use
Using Policy ManagerFirebox Vclass User Guide 117destination and then apply both an IPSec action and a load-balancing action.Not all actions can be co
118 Vcontroller 4.0• Click Address Group to view the list of defined entries.The Address Group dialog box appears. - To create a new Address Group, cl
Using Policy ManagerFirebox Vclass User Guide 119• Click QoS Action to view the list of defined entries.The QoS Action dialog box appears. - To create
xiv Vcontroller 4.0Assisted Support ... 13LiveSecurity® Program ...
120 Vcontroller 4.0• To save the settings to the Management Station and apply them to the Firebox Vclass appliance when it is restarted, click OK.• To
Using Policy ManagerFirebox Vclass User Guide 121Follow these steps to apply system-wide QoS port shaping:1 Click System QoS.The System QoS dialog box
122 Vcontroller 4.02 Type the IP address of the external device from which the expected source traffic will arrive in the Source field.3 Type the IP a
Using Policy ManagerFirebox Vclass User Guide 123The Policy Checker starts at the top of the policy list and checks your test parameters against every
124 Vcontroller 4.0• Click the Up or Down arrow key, as shown above, depending on which direction the move is to occur.• Continue to click until the s
Defining a Security PolicyFirebox Vclass User Guide 125Defining a Security PolicyThe Insert Security Policy dialog box allows you to combine traffic s
126 Vcontroller 4.0DMZ_PORT_IPThe IP address of the DMZ interface.DMZ2_PORT_IPThe IP address of the second DMZ interface.INTERFACE_IPSThe IP addresses
Defining a Security PolicyFirebox Vclass User Guide 1274 From the Type drop list, select the category of members that will be the source or destinatio
128 Vcontroller 4.06 When you are finished, click Done.The new member name is displayed in the Address Group Members list of the New Address Group dia
Defining a Security PolicyFirebox Vclass User Guide 1292 Type a name and brief description for the service in the appropriate fields. The Description
Firebox Vclass User Guide xvCHAPTER 4 Firebox Vclass Basics ...45What is a Firebox Vclass Appliance? ...
130 Vcontroller 4.0 - Select Single Service from the Type drop list. -From the Protocol drop list, make the appropriate selection. -In the Server Port
Using TenantsFirebox Vclass User Guide 131Defining the incoming interfaceThe final component of a traffic specification is the incoming interface, whi
132 Vcontroller 4.0All Vclass security appliances support IEEE 802.1q VLAN packets, which allows a network administrator to create separate policies f
Using TenantsFirebox Vclass User Guide 133 NOTEThe current line of Firebox Vclass appliances recognize VLAN/802.1Q headers in data for routing purpos
134 Vcontroller 4.0Defining tenantsFollow these steps to create VLAN tenants:1 Click New next to the Tenant drop list.The New Tenant dialog box appear
Using TenantsFirebox Vclass User Guide 1352 Select the interface that connects to the VLAN network from the Interface drop list.3 In the VLAN IP field
136 Vcontroller 4.09 In the Secondary RADIUS Secret field, type the password used by this Firebox to gain access to any available backup RADIUS system
Using Quality of Service (QoS)Firebox Vclass User Guide 137PassPermits all qualifying external traffic through the firewall.BlockPrevents all qualifyi
138 Vcontroller 4.0For example, data exchanges between the corporate center and branch offices can be allotted a weight of 20 while Internet traffic i
Using Quality of Service (QoS)Firebox Vclass User Guide 1392 Type a name and brief description for the QoS action in the appropriate fields. The Descr
xvi Vcontroller 4.0Importing a certificate or CRL file ... 85LDAP Server Configuration ...
140 Vcontroller 4.02 Click one of the following TOS marking options: TOS Precedence, TOS Precedence and DTR, or DiffServe CodePoint.3 Enable either Fo
About NATFirebox Vclass User Guide 141elsewhere only see outgoing packets from the Firebox Vclass appliance itself. You can improve security by mappin
142 Vcontroller 4.0Dynamic NATIf you have a number of employees or other private network users whose client computers have been assigned IP addresses
Defining a NAT ActionFirebox Vclass User Guide 143Defining a NAT ActionTo create a Dynamic NAT action using a Public IP address:• Select Dynamic NAT f
144 Vcontroller 4.08 Type the publicly routable IP address in the IP Address field.9 Click Done to close the New Mapping dialog box and return to the
Defining a Load-Balancing ActionFirebox Vclass User Guide 145Defining a Load-Balancing ActionFollow these steps to define a load-balancing action:1 Cl
146 Vcontroller 4.02 Enable one of these options and follow these instructions:Address GroupSelect an option from the drop list.IP AddressType the IP
Using Policy SchedulesFirebox Vclass User Guide 147Defining a ScheduleFollow these steps to define a schedule:1 Click New from the right of the Schedu
148 Vcontroller 4.04 Click to select the checkbox labeled Period 1.5 Type the values in the From and To fields, or use the arrow buttons to adjust the
Using the Advanced SettingsFirebox Vclass User Guide 1492 Click Edit Day Schedule.The Edit Day Schedule dialog box appears.3 Click to select the check
Firebox Vclass User Guide xviiUsing Tenants ...131About VLANs and tenants ...
150 Vcontroller 4.02 Click one of the following options:Use Global SettingsSelecting this option enables the ICMP error handling global policy setting
Using the Advanced SettingsFirebox Vclass User Guide 1514 To enable the Firebox Vclass appliance to log for this particular security policy, click Ena
Firebox Vclass User Guide 153CHAPTER 8 Security Policy ExamplesThis chapter includes examples of Vclass Firewall policies, VLAN policies, Quality of S
154 Vcontroller 4.0You would meet this objective by doing the following:1 Create two firewall policies with these parameters: 2 Have all the users in
Firewall Policy ExamplesFirebox Vclass User Guide 155This example uses the pair of firewall policies created in Example 1. Dynamic NAT provides Intern
156 Vcontroller 4.02 Create a schedule with these parameters:NAME9 to 5, Monday - FridayDESCRIPTIONSchedule for 9:00am - 5:00pm, Monday - FridayENABLE
Firewall Policy ExamplesFirebox Vclass User Guide 157hours), only authorized users are allowed to gain external access. Unauthorized users are still b
158 Vcontroller 4.0Example 4: Allowing communication between branch officesAppleby Incorporated has two branch offices, each with a separate Firebox V
Firewall Policy ExamplesFirebox Vclass User Guide 159Address Group 1:Name: Branch_1, Member type: IP Network, Addresses: 128.100.1.0, Subnet mask: 255
xviii Vcontroller 4.0QoS Policy Examples ... 168Example 1: ...
160 Vcontroller 4.0Example 5: Defining policies for an ISPConnectYouUp.com is an ISP with a firewall that both protects all internal private network a
Firewall Policy ExamplesFirebox Vclass User Guide 1612 Reconfigure all of the computers in the private network to use a default gateway corresponding
162 Vcontroller 4.0• Everyone from the outside world can send email to the Mail server (accessible through interface 2).1 Open the System Configuratio
Firewall Policy ExamplesFirebox Vclass User Guide 163Member typeIP Network AddressesAddress126.20.20.0Subnet mask255.255.255.04 Create a schedule call
164 Vcontroller 4.0VLAN Policy ExamplesThe following figure shows how a Firebox Vclass appliance can manage traffic to and from a typical VLAN.This ex
VLAN Policy ExamplesFirebox Vclass User Guide 165Address groupsVLAN tenant entriesThe requisite VPN policies on “ASP” should have the following parame
166 Vcontroller 4.0Using a Firebox Vclass appliance in a VLAN setting If your SNMP management stations, DNS servers, OSPF routers, RADIUS servers, and
VLAN Policy ExamplesFirebox Vclass User Guide 167An example of a user-domain policy in useAs noted previously, the key element in user-domain tenant p
168 Vcontroller 4.0QoS Policy ExamplesWhen using QoS actions within your policies to prioritize your network traffic, remember that any traffic stream
Static NAT Policy ExamplesFirebox Vclass User Guide 169Static NAT Policy ExamplesThe following sections describe different examples of static NAT appl
Firebox Vclass User Guide xixCHAPTER 11 Monitoring the Firebox Vclass ...215Using the Real-Time Monitor ...
170 Vcontroller 4.0The static NAT action would reflect these entries:static NAT_1Internal = Internal_netExternal = AliasExample 2: Preventing conflict
Static NAT Policy ExamplesFirebox Vclass User Guide 171The policies in the Site A security appliance would include these settings:The policies in the
172 Vcontroller 4.0Load Balancing Policy ExamplesConfiguring Load Balancing for a Web Server1 After starting the Vcontroller application, click Securi
Load Balancing Policy ExamplesFirebox Vclass User Guide 1734 Type a name and brief description for the policy in the appropriate fields. The Descripti
174 Vcontroller 4.0challenge is to evenly distribute each new data request to a different server, although the requests originally expect 128.100.0.2
Load Balancing Policy ExamplesFirebox Vclass User Guide 1758 When the New Server dialog box appears, select IP Address and type “127.10.10.2” in the a
Firebox Vclass User Guide 177CHAPTER 9 Using Virtual Private Networks (VPN)The Internet is a technical and social development that puts a multitude of
178 Vcontroller 4.0Virtual private networking technology counters this threat by using the Internet’s vast capabilities while reducing its security ri
About VPN PoliciesFirebox Vclass User Guide 179policies that permit secure communications between a site and authorized clients.VPN policies and IPSec
xx Vcontroller 4.0DHCP Server Information ... 262CHAPTER 15 Backing Up and Restoring Configurations...
180 Vcontroller 4.0About Authentication and EncryptionThe Firebox Vclass security appliance supports the following algorithms:Authentication Header (A
Defining an IKE PolicyFirebox Vclass User Guide 1812 Select an entry point among the list of policies and then click Insert.The Insert IKE Policy dial
182 Vcontroller 4.04 Select a preconfigured address group from the Peer Address Group drop list or click New to create a new address group. For infor
Defining an IKE PolicyFirebox Vclass User Guide 183 NOTEThis key will be shared among all participating peer IKE systems. If a remote peer does not u
184 Vcontroller 4.0MainA slower mode that provides greater security. This is the recommended mode.AggressiveA faster, less secure mode. If you choose
Defining a VPN Security PolicyFirebox Vclass User Guide 18512 Type the maximum size in kilobytes in the Life Length field. This field is optional.13 C
186 Vcontroller 4.0address group. For information on creating an address group, see “Defining an address group” on page 126.6 Select a preconfigured
Defining a VPN Security PolicyFirebox Vclass User Guide 1872 Type a name and brief description for the IPSec action in the appropriate fields. The Des
188 Vcontroller 4.04 If you selected Tunnel, you have two options: - Click the Peer Tunnel Address Group option and then select the address group that
Defining a VPN Security PolicyFirebox Vclass User Guide 189Defining an automatic keyAutomatic key mode requires use of the Internet Key Exchange proto
Firebox Vclass User Guide 1CHAPTER 1 IntroductionWelcome to WatchGuard®The WatchGuard Firebox Vclass series of security appliances brings high speed n
190 Vcontroller 4.02 Type a name and brief description for the IPSec proposal in the appropriate fields. The Description field is optional.3 Select an
Defining a VPN Security PolicyFirebox Vclass User Guide 1913 Type the number of hours or minutes a key will be in effect in the Lifetime field.If you
192 Vcontroller 4.011 When you are finished, click Done.Follow these steps to define an AH transform:1 Select the checkbox marked AH. Click New to ope
Defining a VPN Security PolicyFirebox Vclass User Guide 193Defining a manual key Follow these steps to define a manual key:1 Select Automatic (IKE) fr
194 Vcontroller 4.010 Click to select the AH checkbox.11 Type a unique number between 256 and 65535 in the Local SPI (Security Parameter Index) field.
Using Tunnel SwitchingFirebox Vclass User Guide 195A more efficient way to manage a complex corporate VPN with numbers of sites and remote users is to
196 Vcontroller 4.0To make such a hub-and-spoke topology effective and efficient, Firebox Vclass security appliances provide tunnel switching capabili
Using Tunnel SwitchingFirebox Vclass User Guide 197Enabling tunnel switchingBefore you set up individual VPN policies for site-to-site tunnel switchin
Firebox Vclass User Guide 199CHAPTER 10 Creating a Remote User VPN PolicyWith easy access to the Internet from home offices or on the road, employees
2 Vcontroller 4.0WatchGuard Firebox Vclass ComponentsAll Firebox Vclass models are fully IPSec-compliant, with built-in core software and management t
200 Vcontroller 4.0• Remote users can be associated with different user groups through which network administrators can establish group-wide parameter
Configuring Remote UsersFirebox Vclass User Guide 201• To complete the VPN policy, you’ll need to create the specific IKE policy that will be used by
202 Vcontroller 4.0To configure remote users, first define a user group profile:1 From the main Vcontroller page, click Remote Users.The RAS Configura
Configuring Remote UsersFirebox Vclass User Guide 203NoneRemote users belonging to this group will not be assigned an internal IP address when a conne
204 Vcontroller 4.014 To flush any active connections that may be affected by the changes, click the appropriate checkbox and then click Commit.To con
Configuring Remote UsersFirebox Vclass User Guide 2054 Type the User Name in the appropriate field.User names are case-sensitive and must consist of 1
206 Vcontroller 4.011 To flush any active connections that may be affected by the changes, click the appropriate checkbox and then click Commit.12 To
Configuring Remote UsersFirebox Vclass User Guide 207 NOTEDepending on how the RADIUS servers area is configured, you might encounter a situation whe
208 Vcontroller 4.0Reactivating an expired userAfter a remote user account has expired, you can reactivate it by resetting the account expiration.1 Cl
Defining IKE and Security Policies for Remote UsersFirebox Vclass User Guide 209unavailable–temporarily or permanently. In this situation, you shoul
Minimum Requirements for the WatchGuard VcontrollerFirebox Vclass User Guide 3 NOTEFor the most current information on Vclass hardware and operating
210 Vcontroller 4.0•The Destination will be only those network resources accessible by remote access users.•The Services will be limited to those that
Monitoring Remote User ActivityFirebox Vclass User Guide 211Controlling a remote user’s access privilegesIn addition to authenticating remote users, F
212 Vcontroller 4.0You can also get a basic summary of a particular user’s recent connection history (not the current one) by opening the RAS Configur
Monitoring Remote User ActivityFirebox Vclass User Guide 213• You can click Active Users to monitor currently active users. The System Information dia
Firebox Vclass User Guide 215CHAPTER 11 Monitoring the Firebox VclassFor detailed status reports of the Firebox Vclass appliance you can use the Real-
216 Vcontroller 4.0From the main Vcontroller page, click Monitor.The Real-time Monitor window appears.The following categories of system activity can
Using the Real-Time MonitorFirebox Vclass User Guide 217InterfaceInterface probes observe and report on the activities of selected interfaces. For exa
218 Vcontroller 4.0monitor a specific policy, you may need to click Add to create a new probe.3 When the probe has been edited, you can test it. Clic
Using the Real-Time MonitorFirebox Vclass User Guide 2193 Click Start Monitoring.After a brief pause, which reflects the Interval times previously sel
4 Vcontroller 4.0Processor speed500 MHz or fasterMemory64 MB minimum (128 MB is recommended)Input deviceCD-ROM or DVDHard disk space10 MB minimumNetwo
220 Vcontroller 4.0To conserve system resources, you can temporarily disable any probes until the next time you want to monitor that particular system
A Catalog of Real-time Monitor Probe CountersFirebox Vclass User Guide 221Interface 1(Public)Recv.(Packets)Number of packets received from Interface 1
222 Vcontroller 4.0Interface 2(DMZ)Recv.(Bytes)Number of bytes received from Interface 2 (bytes)Interface 2(DMZ)Sent(Bytes)Number of bytes sent from I
A Catalog of Real-time Monitor Probe CountersFirebox Vclass User Guide 223Traffic Log Size (KB) Traffic log file size in KbytesAlarm Log Size (KB) Ala
224 Vcontroller 4.0Interface 1(Public)Stream Req./secRate of incoming stream requests from Interface 1Interface 0(Private)Stream Req./secRate of incom
A Catalog of Real-time Monitor Probe CountersFirebox Vclass User Guide 225Total IPSECTraffic (bytes)IPSEC traffic in bytesTotal IPSEC Packets IPSEC pa
226 Vcontroller 4.0 Aggregate counters for all VPN end-point pairs IPSec counters per VPN end-point pair Counter Name Description of Counter’s Functi
A Catalog of Real-time Monitor Probe CountersFirebox Vclass User Guide 227Policy counters for all policiesOutbound Pkts/sec Traffic rate through outbo
228 Vcontroller 4.0Policy counters per policyPackets Disc. at Interface 2(DMZ)(%)Percentage of packets discarded at Interface 2Packets Disc. by IPSEC
A Catalog of Real-time Monitor Probe CountersFirebox Vclass User Guide 229Decryption Error Rate (%) Decryption error rate of a policyAuthentication Er
WatchGuard Firebox Vclass Appliance OptionsFirebox Vclass User Guide 5• Adding new functionality through optional products• Increasing the capacity of
Firebox Vclass User Guide 231CHAPTER 12 Using Alarm ManagerThe Vcontroller Alarm Manager allows you to define alarms that can alert the appropriate pa
232 Vcontroller 4.02 Click the Alarm Definitions tab to view the current list of alarm definitions.This tab lists pre-defined default alarms along wit
Alarm DefinitionsFirebox Vclass User Guide 2334 Type a name for the alarm in the appropriate field.5 Click the Severity slider and move it to the poin
234 Vcontroller 4.02 Select the appropriate option from the Probe Category drop list: System, Policy, or VPN End-point Pairs.The display changes depen
Alarm DefinitionsFirebox Vclass User Guide 2355 Delete the text in the <threshold> field and type a number value for this counter. This value ca
236 Vcontroller 4.03 Click Add. The Select Condition dialog box appears.1 Click the text field where <counter> appears. This field acts as a but
Alarm DefinitionsFirebox Vclass User Guide 2375 Delete the text in the <threshold> field, type the value (either a whole number or a percentage)
238 Vcontroller 4.010 To activate email notification, enable the Email Notification response option. Type the email address in the appropriate field.
Responding to an Alarm NotificationFirebox Vclass User Guide 239To enable or disable an alarm:1 Open the Alarm Manager window. Click the Alarm Definit
6 Vcontroller 4.0About This GuideThe purpose of this guide is to help users of the WatchGuard Firebox Vclass appliance set up and configure a basic ne
240 Vcontroller 4.0To view outstanding alarms:1 From the Vcontroller main page, click the animated alarm bell or click the Alarm button.The Alarm Mana
Responding to an Alarm NotificationFirebox Vclass User Guide 2413 Review the information displayed. This includes important information such as time,
Firebox Vclass User Guide 243CHAPTER 13 Using Log ManagerThe Vcontroller can log an extensive array of system activities and save all logs into text f
244 Vcontroller 4.0Phase One SA and Phase Two SA logsRecords the creation and expiration histories for each phase of security associations pertaining
Viewing the LogsFirebox Vclass User Guide 2452 Click each tab to review the entries for that category.3 If the log has more than 500 entries, as noted
246 Vcontroller 4.0 - Move the slider to the desired number and then click outside of the pop-up to close it.Filtering a current logWhen viewing a log
Log SettingsFirebox Vclass User Guide 247Log SettingsYou can use four separate log files to monitor and record almost any level of Firebox Vclass syst
248 Vcontroller 4.04 To change the amount of information recorded in the Event log, click the Event Log Level options slider and move it to the loggin
Log SettingsFirebox Vclass User Guide 2494 Select the Facility and Priority from the drop lists for each log category. To use the default settings, cl
Firebox Vclass User Guide 7CHAPTER 2 Service and SupportNo Internet security solution is complete without systematic updates and security intelligence
250 Vcontroller 4.0Log ArchivingWhen your log files are sufficiently full, or if your organizational archiving policy dictates, you can archive your l
Log ArchivingFirebox Vclass User Guide 2514 Click Archive Now to archive a file to the default directory location: C:\WatchGuard\Log\ or click Browse
Firebox Vclass User Guide 253CHAPTER 14 System InformationThe System Information dialog box provides accurate and up-to-date information on your syste
254 Vcontroller 4.0This tab allows you to access some general information, such as the model number, current system software version, serial number, c
VPN Tunnel InformationFirebox Vclass User Guide 255By PoliciesDisplays a list of all policies you have created and the number of VPN tunnels establish
256 Vcontroller 4.0• Click Delete Tunnels to remove all established tunnels associated with this IPSec peer or policy and force the creation of new tu
Traffic InformationFirebox Vclass User Guide 257The following information is displayed on the Traffic tab:Total PacketsTotal number of packets process
258 Vcontroller 4.0• When you are finished, click Close.Route InformationTo view the routing table information, follow these steps:1 Click the Routes
RAS User InformationFirebox Vclass User Guide 2592 Click Disconnect to break the selected user connection, including any established tunnels. If an in
8 Vcontroller 4.0Threat alerts and expert adviceAfter a new threat is identified, you’ll receive a LiveSecurity broadcast via an email message from ou
260 Vcontroller 4.0The User Information and Statistics areas provide extensive information about this user and the current connection. The Tunnel List
Interface 1 (Public) InformationFirebox Vclass User Guide 261 - Click Refresh to update the Current SAs list with the most recent information. When yo
262 Vcontroller 4.0DHCP Server InformationIf you have configured the Firebox Vclass appliance to act as a DHCP server, you can use this tab to view th
Firebox Vclass User Guide 263CHAPTER 15 Backing Up and Restoring ConfigurationsThe WatchGuard Vcontroller offers an array of built-in archiving and da
264 Vcontroller 4.0Create a Backup File1 From the main Vcontroller page, click Back Up/Restore.The Backup/Restore dialog box appears.2 Click the Backu
Restoring an Archived ConfigurationFirebox Vclass User Guide 2655 Browse to the directory, type a file name of your choosing in the appropriate field,
266 Vcontroller 4.03 Select the appropriate backup file and then click Select.The backup file name appears in the File Name field.4 Click Restore Now.
Exporting and Importing Configuration FilesFirebox Vclass User Guide 2672 Read the displayed text. If you want to complete the process, click Restore
268 Vcontroller 4.0To export an XML file containing the complete configuration settings and policies:1 Click Export.A Save dialog box appears.2 Open t
Exporting and Importing Configuration FilesFirebox Vclass User Guide 269Importing a configuration file using Appliance DiscoveryInstead of the usual c
LiveSecurity® BroadcastsFirebox Vclass User Guide 9Threat ResponseAfter a newly discovered threat is identified, the Rapid Response Team transmits an
270 Vcontroller 4.08 When the Devices Found dialog box reappears, click Cancel to close it.9 You can now use the Login dialog box to log in to this ap
Exporting and Importing Configuration FilesFirebox Vclass User Guide 271<password>rsgnJUYuNVmbw</password><description></descript
272 Vcontroller 4.0Encryption algorithmDES Authentication algorithmMD5 Lifetime8 hours VclassUserGuide.book Page 272 Friday, January 3, 2003 10:09
CHAPTER 16 Using the Diagnostics/CLI Feature
This chapter describes a variety of useful troubleshooting features that can
2 Click the Connectivity tab.
3 Type the IP address or DNS host name in the appropriate field.
4 Click Ping.
The Ping History table di
Using the Support Features
5 If this test has verified that the device is responding to Ping packets from the Firebox Vcla
3 Click Configuration.
The Debugging Support dialog box appears.
4 Under the direction of technical support, move the sliders to the
Using the Support Features
7 Browse to the proper directory and then click Save.
A confirmation dialog box appears.
8 Click
3 Click Save Policy.
The Select the file dialog box appears.
4 Browse to the proper directory and click Select.
A confirmation dialog
Executing a CLI Script
2 Click the CLI tab.
3 Click Open.
The Open dialog box appears.
4 Browse to the proper directory and s
This product includes cryptographic software written by Eric Young ([email protected]). This product includes software w
To activate the LiveSecurity Service through the Web:
1 Be sure that you have the Firebox Vclass serial number handy. You will need t
6 Click OK.
The appliance reboots.
Saving Diagnostic Information
Saving diagnostic information is helpful in troubleshooting possible
Saving Diagnostic Information
4 Browse to the proper directory and select the appropriate file.
5 Click Select.
A confirmati
CHAPTER 17 Setting Up a High Availability System
In a WatchGuard High Availability (HA) system, two Firebox Vclass applian
provides a seamless transition if one of the boxes fails and the other must take over. System configuration, policies and firewall,
Connecting the Appliances
To set up a high availability system, you must connect two Firebox Vcla
3 Click the checkbox labeled Enable High Availability.
4 Select the Active/Standby checkbox.
The following HA options are displayed.
Configuring a Standby Appliance
These default HA settings include the following:
- All of the appliance’s interfaces will
NOTE
Make sure that the connection links both HA1 ports on the primary and secondary appliances, and that you are using a crossove
Customizing HA System Parameters
NOTE
The first time you perform an HA Sync, the standby appliance must be in factory def
LiveSecurity® Self Help Tools
11 Click Continue. The Confirmation Web page appears.
Importing LiveSecurity Feature Key
To im
2 To activate monitoring through the HA ports, click to select the checkbox marked Enable HA on HA1 Port and/or Enable HA on HA2 Po
Customizing HA System Parameters
that uniquely identifies this system within the network context. (The number can range be
Checking your HA System Status
The HA monitor tells you which appliance you are logged into, whether it is Primary or Secondary, and
Additional Preparation for Failover
Make sure, in anticipation of a failover, that you
Index
A
access accounts. See accounts
access privileges
adding 110
for remote users 211
removing 110
Account button 52
Account Man
configuration files
exporting, importing 267
importing using appliance discovery 269
restoring 265
context-sensitive help 13
CPM-Vcontrol
Domain Name field 36
dynamic NAT
described 142
example firewall policy for 154
dynamic NAT policies
user-defined IP 143
dynamic r
Active/Active
described 283
Active/Standby
described 283
prerequisites for 284
additional preparation for failover 293
checking system stat
logs
changing number displayed 245
filtering entries 246
types of 243
viewing 244
M
Management Station
described 18
setting up 18
ma
Advanced FAQs (frequently asked questions)
Detailed information about configuration options and interoperability.
Known Issues
Confirm
examples of 168
Quality-of-Service policies. See QoS policies
R
RADIUS server
removing appliance from backup 208
using for authentication
SNMP trap, setting alarm for 235, 237
software requirements 2
software upgrades, checking for 57
Solaris, installing Vcontro
described 131, 132
examples 164
VPN Installation Services 15
VPN policies
and IPSec actions 179
described 178
encryption/authentication 17
Product Documentation
WatchGuard engineers and Technical Support personnel. However, this forum should not be used for repo
LiveSecurity® Program
WatchGuard LiveSecurity Technical Support is included with every new Firebox Vclass. This support program is de
Training and Certification
We target a one-hour maximum response time for all new incoming cases. If a technician is not im
Using the Online Help
Online help is available from almost all WatchGuard Vcontroller windows. Because the online help uses Web brows
CHAPTER 3 Getting Started
The Firebox Vclass appliance acts as a barrier between your networks and the public Internet, pro
installation and configuration process on a new factory-default appliance. For more information, see “Importing a Profile into a New
Setting up the Management Station
NOTE
Review the release notes included with this package for information about Windows-J
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DI
To install the Vcontroller, follow these steps:
1 Insert the WatchGuard CD into the CD-ROM. (Under Solaris, the CD should automatica
Setting up the Management Station
NOTE
Be sure to review the release notes that were included in this package for informat
NOTE
Some versions of the JRE and JDK for Linux may display fonts incorrectly. In addition, you may encounter a “font not found” er
Using Appliance Discovery
• The Power LED
• The Ready LED
• One of the Private, Public, and DMZ interface speed indicator li
3 Click Find to start the process.
If the Management Station has more than one NIC, you must select the IP address of the appropriate
Using Appliance Discovery
- Verify that the appliance has been properly connected to the network.
- Verify that all cable
You set the IP address of Interface 0 as described in the following section. This is the task you perform with a new appliance.
Running the Vcontroller Installation Wizard
7 Click Yes to proceed.
The Result window appears.
8 Wait for the Result window t
• A domain name for this appliance
• Any basic network routing information (static and dynamic)
• The IP addresses of all DNS servers
Running the Vcontroller Installation Wizard
6 Read the qualifications and instructions.
Edit the General information
1 Click
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take
2 In the System Name field, type either the assigned DNS name for the appliance or another arbitrary name.
3 In the System Location f
Running the Vcontroller Installation Wizard
Configure the Interfaces
1 Click Next.
The Interface Information screen appears.
2 Enter the IP address and network mask for interface 0 (Private) in the appropriate fields.
3 If you want to enable the appliance as
Running the Vcontroller Installation Wizard
7 To configure Interface 1 (Public) for Static, DHCP, or PPPoE addressing, enab
Configure Routing
1 From the Interface Information window, click Next.
The Routing screen appears.
NOTE
All entries made to configure
Running the Vcontroller Installation Wizard
3 Type the destination IP address, network mask, and gateway of the route in th
NOTE
All entries made to configure DNS servers are optional for completing the Installation Wizard, and will differ based on your n
Running the Vcontroller Installation Wizard
Define a Default Firewall Policy
1 When you have finished listing the DNS server
Allow ping to the device
Allows ping traffic to the private interface of this appliance from other workstations within the network.
Al
Running the Vcontroller Installation Wizard
Denial of service preventions
These options safeguard your servers from Denial o
means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it
Per Client Quota
Restricts the number of connection requests from a single client in one second. Enable this option, then type the th
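The Per Client Quota option above is a per-source rate limit: no more than a configured number of connection requests from one client within one second. The guide does not document how the appliance counts requests, so the following is an added example (not code from the WatchGuard guide or product) that models one reasonable reading, a sliding one-second window per source address in which only accepted requests count toward the threshold. The connection-attempt list is constructed; it shows a bursting client being dropped once it hits the threshold and being admitted again once its earliest request ages out of the window, while a quiet client is never affected.

```python
"""Model of a per-client connection quota: at most `threshold` accepted
connection requests from one source within any one-second window.

Added example, not code from the WatchGuard manual. The sliding-window
semantics and the sample attempts are assumptions chosen to illustrate the
Per Client Quota option; the appliance may count differently.
"""
from collections import defaultdict, deque


class PerClientQuota:
    """Allow at most `threshold` accepted requests per source in any 1 s window."""

    WINDOW = 1.0  # seconds, per the guide's "in one second"

    def __init__(self, threshold):
        self.threshold = threshold
        self._recent = defaultdict(deque)  # src -> timestamps of accepted requests still in window

    def allow(self, src, ts):
        """Return True if the request at time `ts` from `src` is within quota."""
        q = self._recent[src]
        # Evict accepted requests older than the window so the limit slides.
        while q and ts - q[0] >= self.WINDOW:
            q.popleft()
        if len(q) >= self.threshold:
            return False  # dropped requests are not counted against the client
        q.append(ts)
        return True


def apply_quota(attempts, threshold):
    """Return [(ts, src, 'allow' | 'drop'), ...] for (ts, src) attempts sorted by ts."""
    quota = PerClientQuota(threshold)
    return [(ts, src, "allow" if quota.allow(src, ts) else "drop") for ts, src in attempts]


# Constructed attempts: 10.0.0.5 bursts, 10.0.0.9 stays well under the limit.
SAMPLE_ATTEMPTS = [
    (0.00, "10.0.0.5"),
    (0.10, "10.0.0.5"),
    (0.20, "10.0.0.5"),
    (0.25, "10.0.0.9"),
    (0.30, "10.0.0.5"),  # 4th request from 10.0.0.5 inside one second
    (0.40, "10.0.0.5"),  # 5th
    (0.80, "10.0.0.9"),
    (1.05, "10.0.0.5"),  # request at 0.00 has aged out, so this is admitted
]

if __name__ == "__main__":
    for ts, src, decision in apply_quota(SAMPLE_ATTEMPTS, threshold=3):
        print(f"{ts:5.2f} {src:10} {decision}")
```

With a threshold of 3 the fourth and fifth requests from 10.0.0.5 are dropped and the one at 1.05 s is admitted again. When choosing the threshold on a real deployment, measure the legitimate burst rate of clients behind NAT first: a single NAT address represents many hosts and will hit a low per-client quota under normal load.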
Running the Vcontroller Installation Wizard
1 Type a new password in the appropriate field.
Passwords must be between 6 and
4 Click Finish.
5 If you changed the IP address for interface 0 (Private), a window appears, asking if you want to restart the Firebo
Deploying the Firebox Vclass into your Network
After the appliance has reboot
• Turn on the power switch on the back of the appliance.
When the appliance has fully powered up, the Ready LED blinks while the init
CHAPTER 4 Firebox Vclass Basics
This chapter provides an overview of the Firebox Vclass hardware and the companion Vcontrol
are defined, you can set up one or more actions that the Firebox Vclass appliance should take with any qualifying data.
Firebox Vclas
Where the Information is Stored
When you use the Vcontroller to connect to a Firebox Vclass
If you have used the Vcontroller before to access a Firebox Vclass appliance, the Server IP/Name field displays the IP address or ho
The Vcontroller Main Page
This section describes the buttons displayed in the Vcontroller.
Activitie
your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of de
view newly triggered alarms, diagnose alarm conditions, and clear resolved alarms. For more information, see “Using Alarm Manager” o
The Vcontroller Main Page
IKE Policy
Click this button to open another view of the Policy Manager window that lists the curr
Install Wizard
Click this button to reopen the Installation Wizard, which you can use to reestablish the basic configuration for a Fi
The Vcontroller Main Page
Page-top buttons
The page-top title area includes the Log Out and Help buttons, as well as an alar
This panel is automatically refreshed every sixty seconds; however, you can click the blue star button to refresh manually.
Logging o
Shutting Down and Rebooting
3 To save the changes, click Yes.
An Information dialog box appears indicating that the save was
NOTE
Do not disconnect the power before 30 seconds have elapsed. Disconnecting the appliance too quickly can cause serious damage.
3
Upgrading and Downgrading the Software Version
• Click Reboot the system and then click Yes.
A status dialog box appears and
4 Click Check our Web site to verify whether a more recent version of the Vcontroller software is available.
Your web browser appears
Upgrading and Downgrading the Software Version
2 Read the instructions on the screen and then click Downgrade Now.
A confirm
Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modi
Transferring from the Vcontroller to WatchGuard CPM
If you need to transfer the management of the Firebox Vclass from the Vcontroller
CHAPTER 5 System Configuration
Use the System Configuration dialog box to enter or edit system settings. This dialog box, a
Configure the following system settings:
System Name
Type a name to represent this appliance.
System Location
Type the location of your
Interface Configuration
System Time
Displays the current date and time. To change the date and time currently displayed, cli
• Click the Interface tab.
The Interface settings are displayed. In this example, the interfaces for the V60 and V80 models are shown
Interface Configuration
Interface 3
Interface 3 should be assigned to any DMZ network traffic. This interface is not availab
2 Type the IP address and network mask in the appropriate fields. The interface Hardware Address (MAC address) is displayed beneath
Interface Configuration
9 Click OK to close the Edit Interface dialog box and return to the Interface tab.
Configuring Inter
DHCP
Type the host name or the IP address of your DHCP server in the Host ID field.
This option is not available when using High Avail
Interface Configuration
This option is not available when using High Availability.
2 Type an MTU to determine the maximum siz
either of that version or of any later version published by the Free Software Foundation. If the Program does not specify
2 Type the IP address and network mask in the appropriate fields.
The interface Hardware Address (MAC address) is displayed beneath t
Interface Configuration
To edit High Availability settings, follow these steps:
1 Select the interface entry and then double
- Click Yes to proceed.
The appliance immediately restarts in order to apply the new interface configurations. The System Configurat
Routing Configuration
2 To configure a static route, click Add.
The Add Route dialog box appears.
3 Type the destination, net
4 To modify an existing route, select the entry and click Edit.
The Edit Route dialog box appears.
5 Click OK.
Configuring dynamic routi
DNS Configuration
Apply
To immediately commit the settings to the Firebox Vclass appliance.
A Warning dialog box appears.
- C
2 Type the domain name of the Firebox Vclass appliance in the appropriate field.
To add a DNS server, follow these steps:
1 Click Inse
SNMP Configuration
3 Click Add.
The DNS Server dialog box closes and the new server IP address appears in the DNS Server lis
To configure SNMP traps, follow these steps:
1 Click the SNMP tab.
The SNMP settings are displayed.
2 Click Add.
The SNMP Management Sta
Log Configuration
5 Type the password that will identify the appliance to the Management Station or stations in the Communi