Firewall Basics with Fireware XTM


Firewall Basics with Fireware XTM 11.4.1

The course is a high-level overview of basic Fireware XTM functionality using WSM and Policy Manager. Although some advanced topics are mentioned, the focus is on core functionality of the WatchGuard XTM series devices. The slides in this presentation can be used to provide a structure for an instructor teaching WSM/Fireware XTM fundamentals. Study the instructor notes for training tips and pointers to more detailed information on the high-level content of the slides.

Firewall Basics with Fireware XTM: Course Introduction

Training Objectives
- Use the basic management and monitoring components of WatchGuard System Manager
- Configure a WatchGuard XTM 1050, 8 Series, 5 Series, or 2 Series device for your network
- Create basic security policies for your WatchGuard device to enforce
- Use security services to expand WatchGuard device functionality
WatchGuard Training

Requirements

Necessary equipment and software:
- Management computer
- WSM and Fireware XTM software
- Firewall configuration file
- XTM 2 Series, 5 Series, 8 Series, or XTM 1050 devices (optional)

Prerequisites:
- Basic knowledge of TCP/IP network functions and structure

It is helpful, but not necessary, to have:
- WatchGuard System Manager installed on your computer
- Access to a WatchGuard XTM device
- A printed copy of the instructor’s notes of this presentation, or a copy of the Fireware XTM Basics Student Guide

This training presentation does not teach fundamental TCP/IP knowledge, such as the concept of IP addresses and subnet masks. The instructor should carefully question students to assess their level of network technology expertise. If necessary, take the time to explain basic concepts like slash notation, default gateways, DNS lookups, or IP addresses before you continue.

This training presentation does not explain advanced user features, such as dynamic routing, QoS, and multi-WAN. Most screenshots and procedures shown in the training presentation are from WSM/Policy Manager, as this is the most comprehensive management interface for an XTM device.

In an ideal classroom environment, each student has WSM and Fireware XTM installation files available on a nearby computer, as well as a WatchGuard XTM device to use. The student must have the device serial number to use the Quick Setup Wizard. We also recommend that the instructor have access to an XTM device. All XTM devices should have Internet access through a firewall which the instructor controls. To demonstrate proxy policies, for example, the instructor must know whether other firewall software could restrict network traffic between the Internet and the student XTM devices.

You cannot install or run Fireware XTM v11.4 or later on Firebox X e-Series devices that are not part of the XTM product line. This includes:
- Firebox X Edge e-Series: X10e, X20e, X55e
- Firebox X Core e-Series: X550e, X750e, X1250e
- Firebox X Peak e-Series: X5500e, X6500e, X8500e

Outline
- Getting Started
- Work with XTM Device Configuration Files
- Configure XTM Device Interfaces
- Set up Logging and Notification
- Use FSM to Monitor XTM Device Activity
- Use NAT (Network Address Translation)
- Define Basic Network Security Policies
- Work with Proxy Policies
- Work with SMTP and POP3 Proxies
- Verify Users’ Identities
- Block Unwanted Email with spamBlocker
- Manage Web Traffic
- Defend Your Network From Intruders
- Use Gateway AntiVirus
- Use Intrusion Prevention Service
- Use Application Control
- Use Reputation Enabled Defense
- Generate Reports of Network Activity
- Explore the Fireware XTM Web UI

Training Scenario
- Fictional organization called the Successful Company
- Training partners may use different examples for exercises
- Try out the exercises to implement your security policy

In this training presentation, we use a common fictional company called “Successful Company” for firewall and network configuration examples. You can complete many of the exercises with examples from your own network, or use a set of addresses and situations provided by your WatchGuard Certified Training Instructor. The examples used for “Successful Company” are entirely fictional. Any resemblance to network data from a real organization is coincidental.

Getting Started: Set Up Your Management Computer and Device

Learning Objectives
- Use the Quick Setup Wizard to make a configuration file
- Start WatchGuard System Manager
- Connect to devices and servers
- Launch other WSM applications

Management Computer
- Select a computer with Windows Vista, Windows XP SP2, Windows Server 2003 or 2008, or Windows 7
- Install WatchGuard System Manager to configure, manage, and monitor your device
- Install Fireware XTM OS, then use WSM to install updates and make configuration changes on the device

Minimum requirements for WatchGuard System Manager client software:
- Microsoft Windows XP SP2, Windows Server 2003, Windows Server 2008, Vista (32-bit or 64-bit), or Windows 7 (32-bit or 64-bit)
- Intel Pentium IV 1 GHz or higher
- 1 GB of RAM

Minimum requirements if you install WatchGuard System Manager and WatchGuard Server software on the management computer:
- Intel Pentium IV 2 GHz or higher
- 2 GB of RAM

WatchGuard does not support WSM on:
- Windows ME, 2000, 98, 95 or earlier
- Mac OS X (any version)
- Linux (any distribution or version)

Server Software
When you install WSM, you have the option to install any or all of these WatchGuard servers:
- Management Server
- Log Server
- Report Server
- WebBlocker Server
- Quarantine Server
Servers can be installed on separate computers. Each server must use a supported version of Windows.

There are access requirements between the management computer, the WatchGuard device, and some servers. We recommend that students install both the Management Server and Log Server. If real-time HTTP traffic will be used to demonstrate WebBlocker, it is a good idea to have a WebBlocker Server pre-configured in the training lab so that each student does not need to download the WebBlocker database.

When you install WSM on your management computer, you have the option to install any or all of these server components:
- Management Server – Manages all firewall devices and creates VPN (virtual private network) tunnels.
- Log Server – Collects log messages from each WatchGuard Firebox or XTM device.
- Report Server – Collects log messages from the Log Server.
- WebBlocker Server – Provides information for an HTTP-proxy to deny user access to specified categories of web sites.
- Quarantine Server – Collects and isolates SMTP email confirmed as spam by spamBlocker, or confirmed to have a virus by Gateway AntiVirus or by spamBlocker’s Virus Outbreak Detection feature.

Register Your XTM Device
- You must have or create a LiveSecurity account
- You must register the XTM device with LiveSecurity before you can configure the device
- Have your device serial number ready

The LiveSecurity Service provides alerts, threat responses, and expert advice to help you keep your Firebox or XTM device security up-to-date. When you subscribe to LiveSecurity, you also get access to the latest software upgrades for your device, and access to technical support and training resources.

If each student has an XTM device in the classroom, the instructor must be sure that the feature keys used for each device contain all the necessary upgrades to teach the features included in this training presentation. The instructor must also make sure that none of these features have expired at the time of the class. It is usually easiest to have a text file on each student’s desktop with the feature key that matches their XTM device, so the student can use the feature key to complete the Quick Setup Wizard. If you do not add a feature key when you use the Quick Setup Wizard, only one user can access the Internet through the XTM device until a feature key is applied to the device.

Quick Setup Wizard
- Installs the Fireware XTM OS on the device
- Creates and uploads a basic configuration file
- Assigns passphrases to control access to the device

This procedure shows how to use the WatchGuard System Manager Quick Setup Wizard. You must have a client computer which has both WSM and Fireware XTM OS installed. A web-based Quick Setup Wizard is also available.

Prepare to Use the Quick Setup Wizard
Before you start, you must have:
- WSM and Fireware XTM OS installed on the management computer
- Network information
It is a good idea to have the feature key for your device before you start the wizard. You can copy it from the LiveSecurity web site during registration.

If each student has a different XTM device for use in the training, we recommend that each student have a handout to guide them through the steps of the Quick Setup Wizard. This handout should have all the IP/network information that they need to configure their device with the QSW, such as:
- Static IP address of student workstation
- External default gateway IP address for the device
- External interface IP address (eth0 for Core, Peak, 2 Series, 5 Series, 8 Series, and 1050 devices; WAN 1 for Edge)
- Trusted interface IP address (eth1 for Core, Peak, 2 Series, 5 Series, 8 Series, and 1050 devices; LAN0, LAN1, or LAN2 for Edge)
- DNS server information

Launch the Quick Setup Wizard
For the Quick Setup Wizard to operate correctly, you must:
1. Prepare the device to be discovered by the Quick Setup Wizard (QSW). The QSW shows you how to prepare each device.
2. Assign a static IP address to your management computer from the same subnet that you plan to assign to the Trusted interface of the XTM device. Alternatively, you can get a DHCP address from the device when it is in Safe Mode.
3. Connect the Ethernet interface of your computer to interface #1 of the device.
4. Launch WatchGuard System Manager (WSM) and launch the Quick Setup Wizard from the WSM > Tools menu.

When you assign a static IP address to the management computer, you can use an IP address from the subnet you plan to assign to the trusted interface, or an IP address from the default subnet of the trusted interface. The default trusted interface network is 10.0.1.0/24 for 2 Series, 5 Series, 8 Series and XTM1050. It is interface #1. It is often easier to use a static IP address from the default trusted network. This can help you troubleshoot connection issues when you run the Quick Setup Wizard. When the Quick Setup Wizard is complete, however, we recommend that you change the IP address of your management computer.

Quick Setup Wizard — Select Your Device
Choose which model of WatchGuard device to configure.

You see this dialog box if you select either “No, my device is not ready. Show me how to get my device ready for discovery” or “I don’t know. Show me how to get my device ready for discovery.” If you choose the first option, “Yes my device is ready to be discovered.”, then you do not see this dialog box.

Quick Setup Wizard — Verify the Device Details
Verify that the model and serial number are correct. If there is more than one WatchGuard device on the network, select the device you want to configure from a list.

Quick Setup Wizard — Name Your XTM Device
The name you assign to the device in the wizard is used to:
- Identify the device in WSM
- Identify the device in log files
- Identify the device in Report Manager

The unique name of the XTM device is useful to remind the administrator which device is being configured or monitored. In a classroom environment, the student name can be used as the device name, but real configurations often use the geographic location of the device. Log file names start with the unique name of the device that generated the log file.

Quick Setup Wizard — Add a Feature Key
- When you purchase additional options for your device, you must get a new feature key to activate the new options.
- You can add feature keys in the Quick Setup Wizard, or later in Policy Manager.

It is always preferable to have a feature key that allows the students to test out as many features as possible. If this is not practical, remember that even with only one device available, all students can connect with WSM and Policy Manager. In a classroom where only one device is available, the Quick Setup Wizard must be demonstrated by the instructor. Once the device is configured, students can be given the Status (read-only) password for the device so that they can connect to it.

Quick Setup Wizard — Configure the External Interface
The IP address you give to the external interface can be:
- A static IP address
- An IP address assigned with DHCP
- An IP address assigned with PPPoE
You must also add an IP address for the device default gateway. This is the IP address of your gateway router.

The decision to use a static or dynamic address on the external interface of the device is usually an opportunity to discuss network environments with students. What kind of IP addresses do most networks use? Are static IP addresses available from their ISP? How much do they cost? Although most features in Fireware XTM and WSM operate correctly if the external IP address is dynamic or static, a device that protects a WatchGuard Management Server (a “gateway XTM device”) should always have a static IP address on its external interface. This allows managed devices to establish connections to the Management Server.

Quick Setup Wizard — Configure Interfaces
Configure the Trusted and Optional interfaces. Select one of these configuration options:
- Mixed Routing Mode (Use these IP addresses): Each interface is configured with an IP address on a different subnet.
- Drop-in Mode (Use the same IP address as the external interface): All XTM device interfaces have the same IP address. Use drop-in mode when devices from the same publicly addressed network are located on more than one device interface.

Many networks operate best with a routed configuration. However, we recommend drop-in mode if you have already assigned a large number of static IP addresses, or if you cannot configure some computers that have public IP addresses with private IP addresses. There is a third configuration option, Bridge mode, which is not available in the wizard but is described later in this presentation. In the typical training lab environment, routed configurations are almost exclusively used, because they are the most typical real-world configuration.

Understand Drop-in Configurations
In drop-in mode:
- Assign the same primary IP address to all interfaces on your device
- Assign secondary networks on any interface

You can keep the same IP addresses and default gateways for devices on your trusted and optional networks, and add a secondary network address to the XTM device interface so the device can correctly send traffic to those devices.

Quick Setup Wizard — Set Passphrases
You define two passphrases for connections to the device:
- Status passphrase — Read-only connections
- Configuration passphrase — Read-write connections
Both passphrases must be at least 8 characters long and different from each other.

We do not require the use of strong passphrases. In the classroom, it is usually easiest to use the same passwords for every student device. We recommend that these passphrases be something easy for everyone to remember, such as “read-only” and “read-write”, which both meet the minimum length requirement. Students should be warned against using the same configuration passphrase for multiple WatchGuard devices in real-world deployments. In addition to the security risks, if two WatchGuard devices have the same configuration passphrase, it is always possible that the configuration meant for one device could be saved to another. This gives that device incorrect network interface settings and makes it impossible to restore management connections to the device.
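The handout values from the "Prepare to use the Quick Setup Wizard" slide, the management-computer and gateway rules, the mixed-routing versus drop-in rule and the passphrase rule above can all be checked before a student types them into the wizard. The following is an added example for this deck, not WatchGuard code: it never talks to a device, and the gateway address 50.50.50.1 and management host 10.0.1.50 are made-up lab values (the interface addresses follow the deck's network diagram).

```python
"""Pre-flight check of the values a student enters in the Quick Setup Wizard.

Added example, not WatchGuard code. Rules encoded, as stated in the deck: the
management computer sits on the trusted subnet you plan to assign (or on the QSW
default 10.0.1.0/24); the default gateway is the router on the external subnet;
mixed routing puts every interface on a different subnet; drop-in mode gives every
interface the same primary IP; both passphrases are at least 8 characters and differ.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List

# Default trusted network that the QSW assigns to interface #1 (eth1).
DEFAULT_TRUSTED = IPv4Interface("10.0.1.1/24")


@dataclass
class QswPlan:
    mode: str                              # "mixed" (routed) or "drop-in"
    interfaces: Dict[str, IPv4Interface]   # "eth0" external, "eth1" trusted, "eth2" optional
    default_gateway: IPv4Address           # gateway router on the external side
    mgmt_host: IPv4Address                 # static IP of the management computer
    status_passphrase: str                 # read-only connections
    config_passphrase: str                 # read-write connections


def check_plan(plan: QswPlan) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    ext = plan.interfaces.get("eth0")
    trusted = plan.interfaces.get("eth1")
    if ext is None or trusted is None:
        return ["eth0 (external) and eth1 (trusted) must both be configured"]

    # The device default gateway is your gateway router, so it must be directly
    # reachable on the external interface's own subnet.
    if plan.default_gateway not in ext.network:
        problems.append(f"default gateway {plan.default_gateway} is not in external subnet {ext.network}")

    # During the wizard the management computer must be on the trusted subnet
    # you plan to assign, or on the QSW default trusted subnet.
    if plan.mgmt_host not in trusted.network and plan.mgmt_host not in DEFAULT_TRUSTED.network:
        problems.append(f"management computer {plan.mgmt_host} is in neither "
                        f"{trusted.network} nor {DEFAULT_TRUSTED.network}")

    if plan.mode == "mixed":
        # Mixed routing: each interface on its own subnet, so no two may overlap.
        names = list(plan.interfaces)
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if plan.interfaces[a].network.overlaps(plan.interfaces[b].network):
                    problems.append(f"{a} and {b} overlap ({plan.interfaces[a].network} vs "
                                    f"{plan.interfaces[b].network}) in mixed routing mode")
    elif plan.mode == "drop-in":
        # Drop-in: every interface carries the external interface's primary IP.
        for name, iface in plan.interfaces.items():
            if iface.ip != ext.ip:
                problems.append(f"{name} has {iface.ip}; drop-in mode requires {ext.ip} on every interface")
    else:
        problems.append(f"unknown mode {plan.mode!r}")

    for label, pw in (("status", plan.status_passphrase), ("configuration", plan.config_passphrase)):
        if len(pw) < 8:
            problems.append(f"{label} passphrase is shorter than 8 characters")
    if plan.status_passphrase == plan.config_passphrase:
        problems.append("status and configuration passphrases must differ")
    return problems


# Constructed sample plans. Interface addresses follow the deck's diagram
# (external 50.50.50.10/24, trusted 10.0.1.1/24, optional 10.0.2.1/24); the
# gateway 50.50.50.1 and management host 10.0.1.50 are made-up lab values.
GOOD_MIXED = QswPlan(
    mode="mixed",
    interfaces={"eth0": IPv4Interface("50.50.50.10/24"), "eth1": IPv4Interface("10.0.1.1/24"),
                "eth2": IPv4Interface("10.0.2.1/24")},
    default_gateway=IPv4Address("50.50.50.1"), mgmt_host=IPv4Address("10.0.1.50"),
    status_passphrase="read-only", config_passphrase="read-write")

# Three mistakes: gateway off the external subnet, eth2 carved out of eth1's
# subnet, and the same passphrase for both roles.
BAD_MIXED = QswPlan(
    mode="mixed",
    interfaces={"eth0": IPv4Interface("50.50.50.10/24"), "eth1": IPv4Interface("10.0.1.1/24"),
                "eth2": IPv4Interface("10.0.1.129/25")},
    default_gateway=IPv4Address("192.168.1.1"), mgmt_host=IPv4Address("10.0.1.50"),
    status_passphrase="read-only", config_passphrase="read-only")

# Drop-in: all three interfaces share the external address; the management
# computer may still use the QSW default trusted subnet during the wizard.
GOOD_DROP_IN = QswPlan(
    mode="drop-in",
    interfaces={n: IPv4Interface("50.50.50.10/24") for n in ("eth0", "eth1", "eth2")},
    default_gateway=IPv4Address("50.50.50.1"), mgmt_host=IPv4Address("10.0.1.50"),
    status_passphrase="read-only", config_passphrase="read-write")
```

`check_plan(GOOD_MIXED)` and `check_plan(GOOD_DROP_IN)` return an empty list; `check_plan(BAD_MIXED)` returns the three problems in the order gateway, overlap, passphrases.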

Quick Setup Wizard — Final Steps
- Save a basic configuration to the device.
- You are now ready to put your device in place on your network.
- Remember to reset your management computer IP address.

When the Quick Setup Wizard is completed, the set of basic policies on the WatchGuard device does not include any proxy policies. All outgoing TCP and UDP connections are allowed by the Outgoing policy created by the QSW. If this policy is deleted and you want to add it again later, use the policy called ‘TCP-UDP’ from the list of packet filter policies.

WatchGuard System Manager
- Start WSM
- Connect to an XTM device or the Management Server
- Display device status

We recommend that you configure your Management Server with each type of Firebox or XTM device model used by the students.

Components of WSM
WSM includes a set of management and monitoring tools:
- Policy Manager
- Firebox System Manager
- HostWatch
- LogViewer
- Report Manager
- CA Manager
- Quarantine Server Client
To launch a tool, use the WSM Tools menu or click the tool icon.

WSM is software that allows you to monitor the status of one or many Firebox or XTM devices. From WSM, you can select an individual device and launch configuration tools (Policy Manager) or monitoring tools for that device. If students are familiar with the basic information in this training presentation, we recommend that you start and explain the purpose of additional programs such as HostWatch or Firebox System Manager.

Administration: Work with Device Configuration Files
Firewall Basics with Fireware Version 8.3

Learning Objectives
- Start Policy Manager
- Open and save configuration files
- Configure the XTM device for remote administration
- Reset XTM device passphrases
- Back up and restore the XTM device configuration
- Add XTM device identification information

What is Policy Manager?
- A configuration tool that you can use to modify the settings of your XTM device
- Changes made in Policy Manager do not take effect until you save them to the device
Launch Policy Manager from WSM:
- Select a connected or managed device
- Click the Policy Manager icon on the toolbar

When you discuss Policy Manager, you should consider “Best Practices” for how to edit a device configuration file. Although you can open a configuration file stored on your management computer, it is better to connect to the device with WSM and then launch Policy Manager. This way, you use the current configuration stored on the device and not a configuration file that may be older. Students who are familiar with a Web UI or terminal sessions with other products should be reminded that changes made in Policy Manager have no effect until the configuration is saved to the XTM device.

Navigate Policy Manager
From the View menu, select how policies are displayed:
- Details View
- Icon View

The Large Icons view gives a quick look at which policies are enabled, and if they allow or deny traffic. This is good enough for many administrators in basic day-to-day operation. The Details view shows many more configuration settings for each policy, and is more useful to troubleshoot policies that do not provide the results intended by the administrator.

Navigate Policy Manager
Use the menu bar to configure many device features.

Navigate Policy Manager
The security policies that control traffic through the device are shown as entries in the policy list. To edit a security policy, double-click its name.

Open and Save Configuration Files
- Open a file from your local drive or from an XTM device
- Save configuration files to your local drive or to the XTM device
- Create new configuration files in Policy Manager
New configuration files include a basic set of policies. You can add more policies.

Configure Your Device for Remote Administration
- Connect from home to monitor device status
- Change policies remotely to respond to new threats
- Make the policy as restrictive as possible for security
- Edit the WatchGuard policy to enable access from an external IP address
- You can also use Fireware XTM Web UI to configure a device (TCP port 8080)

Many instructors find it useful to configure all the XTM devices used for instruction for remote administration by the instructor workstation. This allows you to restore the factory default settings for a device with less interruption to the class.

Change XTM Device Passphrases
- Minimum of eight characters
- Change frequently
- Restrict their use

We recommend you change your status and configuration passphrases every few months. To change your passphrases in Policy Manager, select File > Change Passphrases.

Back Up the XTM Device Images
- Create and restore an encrypted backup image
- Backup includes feature key and certificate information
- Encryption key is required to restore an image

Back up your configuration image before you make any major change to your configuration, and before you upgrade to a new WSM or Fireware XTM OS version. To back up your configuration image from Policy Manager, select File > Backup.

Add XTM Device Identification Information
- XTM device name and model
- Contact information
- Time zone for log files and reports

We recommend that you give a different XTM device name to each student for management and reporting purposes.

Upgrade Your XTM Device
To upgrade to a new version of Fireware XTM OS:
1. Back up your existing device image.
2. Download and install the new version of Fireware XTM OS on your management computer.
3. From Policy Manager, select File > Upgrade.
4. Browse to the location of the OS upgrade file: C:\Program Files\Common Files\WatchGuard\Resources\Fireware XTM
5. Select the correct .sysa-dl file for your device:
   - utm_xtm1050.sysa-dl
   - utm_xtm8.sysa-dl
   - utm_xtm5.sysa-dl
   - utm_xtm2.sysa-dl

You must uninstall the previous version of WSM on your WSM management computer if you used any of the server software, such as WebBlocker Server, Log Server, Report Server, Quarantine Server, and Management Server. You do not need to uninstall the previous version of WSM if you only used the client software components.

Network Settings: Configure XTM Device Interfaces

Learning Objectives
- Configure external network interfaces with a static IP address, DHCP and PPPoE
- Configure a trusted and optional network interface
- Use the XTM device as a DHCP server
- Add WINS/DNS server locations to the device configuration
- Add Dynamic DNS settings to the device configuration
- Set up a secondary network or address
- Understand Drop-In Mode and Bridge Mode

Add a Firewall to Your Network
- Interfaces on separate networks
- Most users have at least one external and one trusted

(Diagram: External 50.50.50.10/24; Trusted Network 10.0.1.1/24; Optional Network 10.0.2.1/24)

You can identify each interface as external, trusted, or optional. In most cases, these terms refer to:
- External – Connects to your gateway router.
- Trusted – Connects to a LAN of desktop computers or workstations that is not accessible from the Internet.
- Optional – Connects to a network of servers that need to be physically separate from the trusted network, but accessible from the Internet. This includes Web and mail servers.

When you talk about the configuration of interfaces as either external, trusted, or optional, we recommend that you talk about the concept of “DMZ” networks. For example, where should the company mail server, Web server, FTP server, etc. be located?

Beyond the Quick Setup Wizard
The Quick Setup Wizard configures the device with external, trusted, and optional networks by default:
- eth0 = external
- eth1 = trusted
- eth2 = optional
You can change the interface assignments in Policy Manager > Network > Configuration.

Although the QSW configures eth0 as External, eth1 as Trusted and eth2 as Optional, these settings can all be changed in Policy Manager.

Network Configuration Options
- Modify the properties of an interface
- Change the interface type (from trusted to optional, etc.)
- Add secondary networks and addresses
- Enable the DHCP server
- Configure additional interfaces
- Configure WINS/DNS settings for the device
- Add network or host routes
- Configure NAT

You must configure DNS settings for the external interface for some features to operate correctly. For example, the XTM device uses these DNS settings to resolve the domain name of Gateway AV/IPS servers. Other features that require DNS to be configured for the external interface include VPN tunnel negotiation by domain name.

Interface Independence You can change the interface type of any interface configured with the Quick Setup Wizard. You can also choose the interface type of any additional interface you enable. There is no real difference between a trusted or optional interface. However you can use this setting to group interfaces into aliases, such as “Any-Trusted.” When you enable a second external interface, you get access to the multi-WAN feature. See the User Guide or Knowledge Base for more information on multi-WAN. WatchGuard Training

Use a Dynamic IP Address for the External Interface The XTM device can get a dynamic IP address for an external interface with DHCP or PPPoE. WatchGuard Training

Use Dynamic DNS Register the external IP address of the XTM device with the supported dynamic DNS service, DynDNS. WatchGuard Training

Use a Static IP Address for the External Interface The XTM device can use a static IP address given to you by your Internet Service Provider. You can walk through the DHCP and/or PPPoE configuration actually going through the steps. WatchGuard Training

Enable the Device DHCP Server
- Can be used on a trusted or optional interface
- Type the first and last IP addresses of the range for DHCP
- Configure up to 6 IP address ranges
- Reserve some IP addresses for specified MAC addresses
In large networks there is often a DHCP server already. The device can act as the DHCP server when another DHCP server is not available.

Configure Trusted and Optional Interfaces
Example layout from the diagram:
- Trusted-Main 10.0.1.1/24 (trusted)
- Public Servers 10.0.2.1/24 (optional)
- Finance 10.0.3.1/24 (trusted)
- Sales Force 10.0.4.1/24 (optional)
- Conference 10.0.5.1/24 (optional)
Start with a trusted network. Add an optional network for public servers. As your business grows, add more trusted and optional networks.

Add WINS/DNS Servers
- All devices on the trusted and optional networks can use these servers
- Use an internal server or an external server
- The XTM device itself uses them for DHCP, Mobile VPN, NTP time updates, and Subscription Service updates

Secondary Networks
- A secondary network shares a physical network with one of the device interfaces.
- You add an IP alias to the interface; that alias is the default gateway for computers on the secondary network.
- Example from the diagram: Trusted-Main 10.0.1.1/24 with the secondary address 172.16.100.1 for the 172.16.100.0/24 network
Secondary networks let you create multiple networks on the same physical interface of an XTM device, so you can have more networks than the device has physical interfaces. You use secondary networks and addresses in two different scenarios:
- Add another subnet to an existing network. The interface is assigned another IP address as an alias (the secondary IP address).
- Add another IP address from an existing subnet. You use this to make a static NAT rule in a policy. The new secondary IP address is bound to the interface as an alias IP address. This scenario is used only for external interfaces.
Because the primary and secondary networks share one Layer 2 segment, the separation between them is logical only: a host on the segment can give itself an address in the other subnet and bypass the device. Use separate interfaces or VLANs when you need real isolation between the two networks.

Network or Host Routes
- Create static routes to send traffic from a device interface to a router.
- The router then sends the traffic to the correct destination through the specified route.
- If you do not specify a route to a remote network or host, all traffic to that network or host is sent to the device default gateway.
Static routes are required when a WAN router with a dedicated connection to another site is located behind a local (trusted or optional) interface on the device. For a network route, use the WAN router's internal interface IP address as the gateway for the route when you add it to your device configuration.
This information is not part of the default Fireware Basics training modules. We recommend that you skip it if you have a long presentation. For more information, see the Knowledge Base or the Fireware XTM Help system.
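The route selection described above, as an added Python example (this is not WatchGuard code): a longest-prefix lookup over the connected networks from the training diagram, plus an assumed ISP gateway at 50.50.50.1 and an assumed branch-office WAN router at 10.0.1.254 on Trusted-Main that owns 192.168.50.0/24. It shows that without the static route the traffic for the remote site leaves through the default gateway on the external interface, and that the gateway of a static route must sit on a directly connected network, the check Policy Manager makes when you add the route.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    network: IPv4Net
    interface: str
    gateway: Optional[IPv4Addr] = None  # None means directly connected


# Connected networks from the training diagram
CONNECTED = [
    Route(IPv4Net("50.50.50.0/24"), "eth0"),  # External
    Route(IPv4Net("10.0.1.0/24"), "eth1"),    # Trusted-Main
    Route(IPv4Net("10.0.2.0/24"), "eth2"),    # Optional (public servers)
]
DEFAULT_GW = IPv4Addr("50.50.50.1")       # assumed ISP gateway router
BRANCH_ROUTER = IPv4Addr("10.0.1.254")    # assumed WAN router behind Trusted-Main
BRANCH_NET = IPv4Net("192.168.50.0/24")   # assumed remote site behind that router


def gateway_is_reachable(table: List[Route], gateway: str) -> bool:
    """A static route's gateway must sit on a directly connected network."""
    gw = IPv4Addr(gateway)
    return any(r.gateway is None and gw in r.network for r in table)


def add_static_route(table: List[Route], network: IPv4Net, gateway: IPv4Addr) -> List[Route]:
    """Return a new table with the route, bound to the interface that owns the gateway."""
    if not gateway_is_reachable(table, str(gateway)):
        raise ValueError(f"gateway {gateway} is not on any connected network")
    iface = next(r.interface for r in table if r.gateway is None and gateway in r.network)
    return table + [Route(network, iface, gateway)]


def build_table(with_static_route: bool) -> List[Route]:
    table = CONNECTED + [Route(IPv4Net("0.0.0.0/0"), "eth0", DEFAULT_GW)]
    if with_static_route:
        table = add_static_route(table, BRANCH_NET, BRANCH_ROUTER)
    return table


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match; the default route guarantees a result."""
    addr = IPv4Addr(dst)
    candidates = [r for r in table if addr in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen)


def next_hop(table: List[Route], dst: str):
    """(interface, next-hop address) the device would use for dst."""
    r = lookup(table, dst)
    gw = r.gateway if r.gateway is not None else IPv4Addr(dst)
    return r.interface, str(gw)


if __name__ == "__main__":
    for flag in (False, True):
        label = "with static route" if flag else "no static route"
        print(label, next_hop(build_table(flag), "192.168.50.7"))
```

Without the route, packets for 192.168.50.7 go out eth0 to the ISP gateway, which has no route back to a private network and discards them; with the route they are handed to 10.0.1.254 on eth1.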

Drop-In Mode and Bridge Mode
Use Drop-In Mode if you want the same logical network (subnet) spread across all device interfaces:
- Computers in this subnet can be on any device interface
- You can add a secondary address to any device interface to use an additional network on that interface
Use Bridge Mode when you want the device to be invisible:
- You assign one IP address to the device for management connections
- Bridge Mode turns the device into a transparent Layer 2 bridge
Some network options are not available when you use Bridge Mode, because the IP address you select could be unable to send traffic to other networks. These features include:
- VLANs
- Static routes
- FireCluster
- Secondary networks
- DHCP server or DHCP relay
- Serial modem failover (Firebox X Edge only)
- 1-to-1 NAT, dynamic NAT, or static NAT
- Dynamic routing (OSPF, BGP, or RIP)
- Any type of VPN for which the device is an endpoint or gateway (BOVPN; Mobile VPN with IPSec, PPTP, or SSL)
- Some proxy functions, including HTTP Web Cache Server
In addition, in Bridge Mode the XTM device cannot be the gateway for any device on the network. Select the interface configuration mode at Network > Configuration.

Set Up Logging and Notification

Learning Objectives
- Set up a Log Server
- Configure the XTM device to send messages to a Log Server
- Configure logging and notification preferences
- Set the Diagnostic Log Level
- View log messages

Introduction to the Log Server
- Install the Log Server on the management computer or on another Windows computer.
- We recommend that you configure a Log Server and regularly review log messages as part of your security policy.
- The device generates encrypted log messages in XML and sends them to the Log Server. The Log Server decrypts the messages and stores them in log files.

Log Message Types
- Traffic: allowed and denied packets
- Alarm: an event you configure as important, which requires a log message or alert
- Event: a device restart, or a VPN tunnel creation or failure
- Debug: additional messages with diagnostic information to help you troubleshoot network or configuration problems
- Statistic: information about the performance of the XTM device

Configure Logging
For log messages to be correctly stored, you must:
- Install the Log Server software
- Configure the Log Server
- Configure the XTM device to send log messages to the Log Server

Install the Log Server
- In the WSM installer, select the Log Server component.
- The Log Server does not have to be installed on the computer you use as your management computer.
- The Log Server should be on a computer with a static IP address.
It is assumed that the Log Server is installed on a computer before the training presentation begins.

Configure the Log Server
- Right-click the WatchGuard Server Center icon in the Windows system tray to open WatchGuard Server Center. The Server Center Setup Wizard starts.
- Create an administrator passphrase.
- Set the log encryption key.
The Quick Setup Wizard configures your Firebox or XTM device to encrypt log messages with the status passphrase you typed in that wizard. We recommend that you create a unique log encryption key instead, so that the key protecting log traffic is not the same secret that grants read-only access to the device. Then make sure you change the device logging configuration in Policy Manager to send log messages to the new Log Server, as shown on a later slide.

Configure Log Database Settings
- Open WatchGuard Server Center to configure Log Server properties.
- Type the administrator passphrase.
- Select Log Server to configure the Log Server settings.

Configure Log Database Settings
- Server Settings: database size and encryption key settings.
- Database Maintenance: database backup file settings, and the choice between the built-in database and an external PostgreSQL database.
- Notification: settings for event notification and the SMTP server.
- Logging: Firebox status (which devices are currently connected to the Log Server) and where to send log messages.

Configure the XTM Device to Send Log Messages
- Use Policy Manager.
- Set the same log encryption key as used for the Log Server.
- Backup Log Servers can be used when the primary fails.

Default Logging Policy
- When you create a policy that allows traffic, logging is not enabled by default.
- When you create a policy that denies traffic, logging is enabled by default.
- Denied traffic that does not match any specific policy is logged by default.
We explore how to change the default logging rules for policies and proxies later in this presentation.

Set the Diagnostic Log Level
You can also configure the device to send detailed diagnostic log messages to help you troubleshoot a specific problem. From Policy Manager, select Setup > Logging. Return the level to its default when you finish: the higher diagnostic levels generate a large volume of messages.

View Log Messages
You can see log messages with two different tools:
- Traffic Monitor: real-time monitoring in Firebox System Manager (FSM) from any computer running WSM.

View Log Messages
- LogViewer: see any log messages stored on the Log Server or archived in backup files. Use the advanced search features to locate information.

Monitor Your Firewall: Monitor Activity Through the XTM Device

Learning Objectives
- Interpret the information in the WSM display
- Use Firebox System Manager to monitor device status
- Change Traffic Monitor settings
- Use Performance Console to visualize device performance
- Use HostWatch to view network activity and block a site
- Add and remove sites from the Blocked Sites list

WatchGuard System Manager Display

Firebox System Manager
Tabs: Front Panel, Traffic Monitor, Bandwidth Meter, Service Watch, Status Report, Authentication List, Blocked Sites, Subscription Services

Traffic Monitor
- View log messages as they occur
- Set custom colors and fields
- Start traceroute or ping to source and destination IP addresses
- Copy information to another application

Performance Console
- Monitor and graph XTM device activity
- Launch from Firebox System Manager
Counters you can graph:
- System Information: Firebox statistics, such as the total number of active connections and CPU usage
- Interfaces: total number of packets sent and received through the XTM device interfaces
- Policies: total connections, current connections, and discarded packets
- VPN Peers: inbound and outbound SAs and packets
- Tunnels: inbound and outbound packets, authentication errors, and replay errors

Use HostWatch to View Connections
- Graphical display of live connections
- One-click access to more details on any connection
- Temporarily block sites

Use the Blocked Sites List
- View sites added temporarily by the device as it blocks the source of denied packets
- Change expiration settings for temporarily blocked sites

NAT: Use Network Address Translation

Learning Objectives
- Understand network address translation types
- Add dynamic NAT entries
- Use static NAT for public servers

What is Network Address Translation?
- Lets many devices and users with private IP addresses share one public IP address
- Hides the map of your network
- With NAT enabled, the Internet sees only one public address: an external IP address of the XTM device

Add Firewall Dynamic NAT Entries
- Most frequently used form of NAT
- Changes the outgoing source IP address to the external IP address of the XTM device
- Enabled by default for the standard private network ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16

Static NAT for Public Servers
Static NAT forwards traffic that arrives on one external IP address to different internal servers, selected by destination port:
- Web traffic, TCP port 80: 50.50.50.10 to the web server at 10.0.2.80
- FTP traffic, TCP port 21: the same external IP 50.50.50.10 to the FTP server at 10.0.2.21
- SMTP traffic, TCP port 25: the same external IP 50.50.50.10 to the email server at 10.0.2.25

1-to-1 NAT for Public Servers
1-to-1 NAT maps a dedicated external IP address to one internal host for all ports and protocols. Use it where port-based static NAT cannot work: protocols that open many or dynamic ports, or that are not carried over TCP or UDP at all.
- NetMeeting traffic (H.323): dedicated external IP address 50.50.50.11 mapped to 10.0.2.11; ports 1720, 389, and dynamic ports
- IKE traffic without NAT-T: a second dedicated public IP address, 50.50.50.12, mapped to 10.0.2.12 (the ESP traffic that follows IKE has no ports to forward)
- Intel video phone (H.323): another external IP address, 50.50.50.13, mapped to 10.0.2.13; ports 1720 and 522
No exercise in the student training manual. Slide for discussion only.
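The three NAT types on the last three slides, as one added Python example (this is not WatchGuard code): the default dynamic NAT entries for the RFC 1918 ranges, the port-based static NAT table for 50.50.50.10, and the 1-to-1 mappings for 50.50.50.11 to .13, all taken from the slides. The packet tuples it is run on are constructed. It shows why a port that is not in the static NAT table is left untranslated (and so gets no internal server), and why the 1-to-1 hosts are reachable on every port and protocol and keep their own public address outbound. That 1-to-1 NAT takes precedence over dynamic NAT for the same host is Fireware's behaviour; the rest is the slides' tables.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Tuple

# Addresses from the training slides
EXTERNAL_IP = "50.50.50.10"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Static NAT (SNAT): one external address, forwarded port by port to different servers
STATIC_NAT: Dict[Tuple[str, str, int], str] = {
    (EXTERNAL_IP, "tcp", 80): "10.0.2.80",  # web server
    (EXTERNAL_IP, "tcp", 21): "10.0.2.21",  # FTP server
    (EXTERNAL_IP, "tcp", 25): "10.0.2.25",  # email server
}

# 1-to-1 NAT: a dedicated external address per host, every port and protocol
ONE_TO_ONE: Dict[str, str] = {
    "50.50.50.11": "10.0.2.11",  # NetMeeting (H.323)
    "50.50.50.12": "10.0.2.12",  # IKE/ESP endpoint without NAT-T
    "50.50.50.13": "10.0.2.13",  # Intel video phone (H.323)
}
ONE_TO_ONE_REVERSE = {private: public for public, private in ONE_TO_ONE.items()}


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = external -> device, "out" = trusted/optional -> external
    proto: str      # "tcp", "udp", "esp", ...
    src: str
    dst: str
    sport: int = 0  # 0 for protocols without ports
    dport: int = 0


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def translate(pkt: Packet) -> Tuple[Packet, str]:
    """Return the rewritten packet and the NAT rule that applied ("none" = untouched)."""
    if pkt.direction == "in":
        if pkt.dst in ONE_TO_ONE:                  # every port, every protocol
            return replace(pkt, dst=ONE_TO_ONE[pkt.dst]), "1-to-1"
        key = (pkt.dst, pkt.proto, pkt.dport)
        if key in STATIC_NAT:                      # only the listed ports are forwarded
            return replace(pkt, dst=STATIC_NAT[key]), "static"
        return pkt, "none"                         # no internal target; policy denies it
    # outbound
    if pkt.src in ONE_TO_ONE_REVERSE:              # 1-to-1 hosts keep their own public IP
        return replace(pkt, src=ONE_TO_ONE_REVERSE[pkt.src]), "1-to-1"
    if is_private(pkt.src):                        # the default dynamic NAT entries
        return replace(pkt, src=EXTERNAL_IP), "dynamic"
    return pkt, "none"
```

Run translate() on an inbound TCP 443 packet to 50.50.50.10 and it comes back untouched: nothing in the static NAT table claims that port, so exposing a new service means adding both the SNAT entry and the policy that uses it.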

Configure Policies
- You can customize 1-to-1 NAT and dynamic NAT settings in each policy.
- The settings in Network > NAT apply unless you modify the NAT settings in a policy.
Use the Set Source IP option when you want all traffic that uses this policy to show a specified address from your public or external IP address range as its source IP address. If you select the All traffic in this policy option and type an IP address in the Set source IP text box that is not the primary IP address of the external interface, make sure you add that address as a secondary address on the external interface.

Configure Policies
- To configure a policy to use static NAT, click Add in the To section of the policy, then select Add SNAT.
- You can also select Setup > Actions > SNAT to add, edit, or delete SNAT actions.

Policies: Convert Network Policy to Device Configuration

Learning Objectives
- Understand the difference between a packet filter policy and a proxy policy
- Add a policy to Policy Manager and configure its access rules
- Create a custom packet filter policy
- Set up logging and notification rules for a policy
- Use advanced policy properties
- Understand the function of the Outgoing policy
- Understand the function of the TCP-UDP proxy
- Understand the function of the WatchGuard policy
- Understand how the XTM device determines policy precedence

What is a Policy?
- A rule to limit access through the XTM device
- Can be configured to allow traffic or deny traffic
- Can be enabled or disabled
- Applies to specific port(s) and protocols
- Applies to traffic that matches the From and To fields: From is specific source hosts, subnets, or users/groups; To is specific destination hosts, subnets, or users/groups
For anyone who upgrades from WFS or Edge to Fireware XTM: policies in Fireware XTM operate differently. Policies no longer have separate Incoming and Outgoing properties. Instead, they filter traffic between the interfaces or networks specified in the policy configuration. The only connections allowed by default after the Quick Setup Wizard are connections from trusted or optional networks to the external network. No external-to-trusted or external-to-optional connections are enabled by default. For more information, see the Knowledge Base or Help systems.

Packet Filters and Proxies
Two types of policies:
- Packet Filter: examines the IP header of each packet, and operates at the network and transport layers.
- Proxy: examines the IP header and the content of the packet at the application layer. If the content does not match the criteria you set in your proxy policies, you can set the proxy to deny the packet. Some proxy policies allow you to remove the disallowed content.
A proxy:
- Removes all the network data
- Examines the contents
- Adds the network data again
- Sends the packet to its destination

What are Packet Filter and Proxy Policies?
- A packet filter looks at: source, destination, port(s) and protocols
- A proxy also looks at: packet body, attachments, RFC compliance, commands

Add a Policy in Policy Manager
- Select a policy from a pre-defined list.
- Decide if the policy allows or denies traffic.
- Configure the source (From) and destination (To).
- See the ports and protocols defined in the policy.
- Set logging and notification rules for the policy. You can automatically block the source of denied traffic if the policy is configured to deny traffic.
- Set a custom idle timeout for the policy.
To add a policy from Policy Manager, select Edit > Add Policy. You can add a policy from the pre-defined Packet Filters list or the Proxies list, or create a Custom policy.

Modify Policies
To edit a policy, double-click it. By default, a new policy:
- Is enabled and set to allow
- Allows traffic on the port(s) specified by the policy
- Allows traffic from any trusted network to any external destination
A new policy is therefore permissive as added; set the From and To fields before you save it.

Change Policy Sources and Destinations
You can:
- Select a pre-defined alias, then click Add.
- Click Add User to select an authentication user or group.
- Click Add Other to add a host IP address, network IP address, or host range.
Each policy is configured from a source to a destination. The source and destination can be a host IP address, host range, host name, network address, user name, or alias. An alias is a shortcut that identifies a group of hosts, networks, or interfaces. These default aliases in Policy Manager are the ones you must understand:
- Any-Trusted: all Firebox interfaces configured as trusted, and any network you can reach through these interfaces.
- Any-External: all Firebox interfaces of type external, and any network you can reach through these interfaces.
- Any-Optional: all Firebox interfaces of type optional, and any network you can reach through these interfaces.

When do I use a custom policy?
A custom policy can be either a packet filter or a proxy policy. Use a custom policy if:
- None of the pre-defined policies include the specific combination of ports that you want.
- You need a policy that uses a protocol other than TCP or UDP.
Administrators are often not aware of the ports used by new software on their network, and you need this information to create a custom policy. An unsuccessful attempt to connect to an Internet-based service usually creates denied-traffic log messages that show the port numbers the software tries to use. You can see these log messages in Traffic Monitor (in Firebox System Manager) or with LogViewer. Confirm the ports against the vendor's documentation before you open them: the denied-traffic logs show every port the software tried, not only the ones it needs.

Firebox Logging and Notification
When you enable logging, you can also enable notification or trigger an SNMP trap. Notification options include:
- Send email to a specified address
- A pop-up notification on the Log Server

Set Rules for Logging
- The XTM device generates log messages for many different types of activity.
- You control which log messages are stored on the Log Server. Most features include options to enable or disable logging.
If you enable logging for everything, the result can be very large log files. Think about which protocols you really need to see allowed connections for when you choose to create log messages for allowed connections.

What is Precedence?
Precedence decides which policy controls a connection when more than one policy could match it. In Details view, the higher a policy appears in the list, the greater its precedence: if two policies could apply to a connection, the policy higher in the list controls it. Policy Manager automatically orders the policies as you add and configure them.
To order your policies manually:
- Select View > Details.
- Clear the View > Auto-Order Mode option.
- Drag and drop policies to change the order in which they appear in the list.
When you change the precedence of policies manually, traffic can be dropped in error, or a general allow policy can end up above a more specific deny policy so that the deny never matches anything. If custom precedence causes these problems, enable Auto-Order Mode again and let the device order the policies automatically.

What is Precedence?
Policies can be moved up or down in Manual Order mode to set precedence, or restored to the order assigned by Policy Manager with Auto-Order Mode.
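First-match precedence, the default aliases and the default logging behaviour from the Default Logging Policy slide, as one added Python example (this is not WatchGuard code and does not reproduce Policy Manager's ordering algorithm). The trusted and optional networks come from the training diagram and the Outgoing policy from the slides; the Finance-No-FTP deny policy and the connections it is tested with are assumptions. It shows the specific deny working when it is above Outgoing, being shadowed when Outgoing is dragged above it, and the device logging denied traffic that no policy matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Networks from the training diagram
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "10.0.3.0/24")]
OPTIONAL = [ipaddress.ip_network(n) for n in ("10.0.2.0/24",)]


def in_alias(ip: str, alias: str) -> bool:
    """Resolve the built-in aliases; anything else is a host or network address."""
    addr = ipaddress.ip_address(ip)
    if alias == "Any":
        return True
    if alias == "Any-Trusted":
        return any(addr in n for n in TRUSTED)
    if alias == "Any-Optional":
        return any(addr in n for n in OPTIONAL)
    if alias == "Any-External":
        return not any(addr in n for n in TRUSTED + OPTIONAL)
    return addr in ipaddress.ip_network(alias, strict=False)


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                 # "allow" or "deny"
    protos: Set[str]            # e.g. {"tcp", "udp"}
    ports: Set[int]             # empty set = all ports
    src: Tuple[str, ...]        # From: aliases or addresses
    dst: Tuple[str, ...]        # To
    log: Optional[bool] = None  # None = Fireware default: deny logs, allow does not


@dataclass(frozen=True)
class Conn:
    proto: str
    src: str
    dst: str
    dport: int


def matches(p: Policy, c: Conn) -> bool:
    return (c.proto in p.protos
            and (not p.ports or c.dport in p.ports)
            and any(in_alias(c.src, a) for a in p.src)
            and any(in_alias(c.dst, a) for a in p.dst))


def is_logged(p: Policy) -> bool:
    return p.log if p.log is not None else p.action == "deny"


def decide(policies: List[Policy], c: Conn) -> Tuple[str, str, bool]:
    """First match in list order wins: (policy name, action, logged?)."""
    for p in policies:
        if matches(p, c):
            return p.name, p.action, is_logged(p)
    return "(no policy)", "deny", True   # unmatched traffic is denied and logged by default


OUTGOING = Policy("Outgoing", "allow", {"tcp", "udp"}, set(),
                  ("Any-Trusted", "Any-Optional"), ("Any-External",))
# Assumed example policy: the Finance network may not use FTP to the Internet
FINANCE_NO_FTP = Policy("Finance-No-FTP", "deny", {"tcp"}, {21},
                        ("10.0.3.0/24",), ("Any-External",))

SPECIFIC_FIRST = [FINANCE_NO_FTP, OUTGOING]  # the specific policy above the general one
SHADOWED = [OUTGOING, FINANCE_NO_FTP]        # a manual order that hides the deny
```

In the shadowed order the FTP connection from Finance is allowed and, because allow policies do not log by default, nothing appears in Traffic Monitor to show that the deny policy never fired.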

Advanced Policy Properties
- Schedules
- Connection rate limits
- Override NAT settings
- QoS settings
- ICMP error handling
Some advanced policy properties are available only with a Fireware XTM Pro upgrade. Others, such as sticky connection settings, are visible only if you have configured your device with more than one external interface.

Schedule Policies
Set the times of day when the policy is enabled.

Understand the Outgoing Policy
- The Outgoing packet filter policy is added in the default configuration.
- It allows all outgoing TCP and UDP connections from trusted and optional networks to external networks.
- It lets the XTM device work out of the box, but it can create security problems.
- If you remove the Outgoing policy, you must add policies to allow outgoing traffic.
The student guide does not include an exercise for this slide. The Outgoing policy is added automatically by the Quick Setup Wizard and it includes all TCP and UDP ports. It allows all TCP and UDP traffic from any trusted or optional source to any external destination. The Outgoing policy is a packet filter, not a proxy policy, so it does not filter any content by default. If the Outgoing policy is deleted, select the TCP-UDP policy from the Packet Filters list in Policy Manager to add it again.

Understand the TCP-UDP Proxy
- Enables TCP and UDP protocols for outgoing traffic
- Applies proxy rules to HTTP, HTTPS, SIP, and FTP traffic, regardless of the port numbers used
- Blocks selected IM and P2P applications, regardless of port

The WatchGuard Policy
- Controls management connections to the XTM device.
- By default, this policy allows only local administration of the device. You must edit the configuration to allow remote administration.
We do not recommend that you change the WatchGuard policy to allow remote management from the Any-External alias. It is more secure to specify the IP addresses of the remote computers that are authorized to establish management sessions to the device, or to set up user authentication rules that require a remote administrator to authenticate with user credentials before connecting to the device with WSM.

Find Policy Tool
Fireware XTM includes a utility to find policies that match the search criteria you specify. With Find Policies, you can quickly check for policies that match user or group names, IP addresses, port numbers, and protocols.
There is no exercise in the Student Guide for this slide.

Use Proxy Policies and ALGs to Protect Your Network

Learning Objectives
- Understand the purpose and configuration of proxy policies
- Configure the DNS-proxy to protect a DNS server
- Configure an FTP-Server proxy action
- Configure an FTP-Client proxy action
- Enable logging for proxy actions

What is a Proxy?
- A proxy is a powerful and highly customizable application inspection engine and content filter.
- A packet filter looks at IP header information only. A proxy looks at the content of the network data.
- You can add proxy policies to control which types of files users can download with HTTP or FTP, to enable Gateway AntiVirus or Intrusion Prevention Service for some protocols, and to use WebBlocker to filter HTTP and HTTPS connections by category.
- A proxy requires more processor power on the Firebox, but should not affect network performance for most users.

What is the DNS Proxy?
- Domain Name System
- Validates all DNS traffic
- Blocks badly formed DNS packets
Fireware XTM includes two methods to control DNS traffic:
- DNS packet filter: IP headers only
- DNS-proxy: content

Control Incoming Connections
- Use the DNS-Incoming proxy action as a template
- You own the server
- You decide who gets to connect to the server
Diagram: the Internet, through the DNS proxy, to the DNS server on your network.

Configuring DNS-Incoming
Rulesets in the DNS-Incoming proxy action:
- General
- OpCodes
- Query Types
- Query Names
- Intrusion Prevention
- Proxy Alarm

Control Outgoing Connections
- Use the DNS-Outgoing proxy action as a template
- Operates with Intrusion Prevention Service
- Deny queries for specified domain names
Diagram: your network, through the DNS proxy, to a DNS server on the Internet.

Use DNS-Outgoing
Use DNS-Outgoing to block DNS requests for services, such as queries for:
- POP3 servers
- Advertising networks
- IM applications
- P2P applications
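The checks the DNS-Incoming and DNS-Outgoing slides describe, as one added Python example (this is not WatchGuard code). It parses the DNS header and question section by hand, rejects badly formed messages (a short header, a label over 63 octets, a compression pointer in the question, a truncated question), then applies an allowed OpCodes list, an allowed Query Types list and a denied Query Names list. Those three lists are assumptions standing in for the rulesets you would configure in the proxy action, and the `build_query` helpers construct the sample messages rather than capturing traffic.

```python
import struct
from typing import Tuple

# Assumed ruleset values; configure the real ones in the proxy action's rulesets
ALLOWED_OPCODES = {0}                                                # QUERY only
ALLOWED_QTYPES = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA"}  # no ANY, no AXFR
DENIED_QUERY_NAMES = ("ads.example",)                                # DNS-Outgoing style deny
MAX_LABEL, MAX_NAME = 63, 253                                        # RFC 1035 limits


def parse_question_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Read an uncompressed QNAME; raise ValueError on any RFC 1035 violation."""
    labels, total = [], 0
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of packet")
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:
            raise ValueError("compression pointer in question name")
        if length > MAX_LABEL:
            raise ValueError("label longer than 63 octets")
        total += length + 1
        if total > MAX_NAME:
            raise ValueError("name longer than 253 octets")
        label = data[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii"))  # UnicodeDecodeError is a ValueError
        offset += length
    return ".".join(labels), offset


def inspect_query(pkt: bytes) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one message that should be a DNS query."""
    if len(pkt) < 12:
        return "deny", "short header"
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        return "deny", "QR bit set: response where a query was expected"
    opcode = (flags >> 11) & 0xF
    if opcode not in ALLOWED_OPCODES:
        return "deny", f"opcode {opcode} not allowed"
    if qdcount != 1:
        return "deny", f"qdcount {qdcount} (expected 1)"
    try:
        qname, offset = parse_question_name(pkt, 12)
        if offset + 4 > len(pkt):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", pkt[offset:offset + 4])
    except ValueError as exc:
        return "deny", f"malformed: {exc}"
    if qclass != 1:
        return "deny", f"class {qclass} not IN"
    if qtype not in ALLOWED_QTYPES:
        return "deny", f"query type {qtype} not allowed"
    name = qname.lower()
    if any(name == d or name.endswith("." + d) for d in DENIED_QUERY_NAMES):
        return "deny", "query name denied"
    return "allow", f"{ALLOWED_QTYPES[qtype]} {qname}"


def build_query(name: str, qtype: int, opcode: int = 0, ident: int = 0x1234) -> bytes:
    """Constructed sample message (not captured traffic): one question, RD set."""
    flags = (opcode << 11) | 0x0100
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    labels = name.split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_oversize_label_query() -> bytes:
    """Constructed malformed message: a single 64-octet label."""
    header = build_query("x", 1)[:12]
    return header + bytes([64]) + b"a" * 64 + b"\x00" + struct.pack("!HH", 1, 1)
```

Point inspect_query at the messages from the two builders: a plain A query is allowed, an ANY query and an UPDATE opcode are refused by the allow lists, a name under ads.example is refused by the deny list, and the cut-down or oversize messages are refused as malformed before any rule is consulted.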

Fireware XTM Proxies
- DNS
- FTP
- H323 and SIP (Application Layer Gateways)
- HTTP and HTTPS
- SMTP and POP3
- TCP-UDP: applies the HTTP, HTTPS, SIP, and FTP proxy rules to traffic on any TCP or UDP port

What is a Proxy Action?
- A set of rules that tells the XTM device how to apply one of the proxies to traffic of a specific type.
- You can apply a proxy action to more than one policy.

Import/Export Proxy Actions
You can import and export:
- Entire user-created proxy actions (not predefined proxy actions)
- Rulesets
- WebBlocker exceptions
- spamBlocker exceptions
Exported proxy actions significantly reduce setup time when you add multiple policies of the same type, or use the same policy on multiple Firebox or XTM devices. To import or export a proxy action or ruleset, you must use the Advanced View.

What is FTP?
- File Transfer Protocol
- Often used to move files between two locations
- Client and server architecture
Fireware XTM includes two methods to control FTP:
- FTP packet filter: IP headers only
- FTP-proxy: content and commands

FTP-Proxy
- Restricts the types of commands and files that can be sent through FTP
- Works with the Gateway AntiVirus service

FTP-Client Action Rulesets
- General
- Commands
- Download
- Upload
- AntiVirus
- Proxy and AV alarms

Control Incoming Connections
- Use the FTP-Server proxy action as a template
- The FTP server must be protected by the XTM device
- You decide who can connect to the FTP server
Diagram: anybody on the Internet, through the FTP proxy, to your FTP server.

Define FTP-Server Action Rulesets
- General
- Commands
- Download
- Upload
- AntiVirus
- Proxy alarms
The same options that are available in the FTP-Client proxy action are also available in the FTP-Server proxy action. Smart defaults in each ruleset protect clients (FTP-Client) and servers (FTP-Server).

Logging and Proxies
- Proxy policies have many more advanced logging options than packet filter policies.
- Each proxy category has its own check box to enable logging.
- If you want detailed reports with information on packets handled by proxy policies, select the Enable logging for reports check box in each proxy action.

Email Proxies: Work with the SMTP and POP3 Proxies

Learning Objectives
- Understand the SMTP and POP3 proxies
- Understand the available actions for email
- Control incoming email
- Control outgoing email

SMTP and POP3 Proxies
- Used to restrict the types and size of files sent and received in email
- Operate with Gateway AntiVirus and spamBlocker

Proxy Actions Available for Email
Default actions available:
- Allow: email is allowed through your device
- Lock: email is allowed through your device; the attachment is encoded so that only the XTM device administrator can open it
- AV Scan: Gateway AntiVirus scans the attachment
- Strip: email is allowed through your device, but the file attachment(s) are deleted
- Drop: the SMTP connection is closed
- Block: the SMTP connection is closed and the sender is added to the Blocked Sites list
Also available with Gateway AntiVirus and spamBlocker:
- Quarantine: email is stored on the Quarantine Server (SMTP only) and is not sent to the recipient
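The Strip action applied to attachments by file name, as an added Python example (this is not WatchGuard code and shows only one of the actions listed above). It parses a constructed multipart message, removes every top-level attachment whose extension is on an assumed deny list, and replaces each with a text part telling the recipient what was removed, so the rest of the message is still delivered. The extension list and the sample message are assumptions; it decides by the declared file name only, where a real proxy action also matches on content type.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from typing import List, Tuple

# Assumed attachment ruleset: these file name extensions get the Strip action
STRIP_EXTENSIONS = {".exe", ".scr", ".vbs", ".js"}

# Constructed sample message (not real mail): one PDF and one executable attachment
SAMPLE_MESSAGE = """\
From: alice@example.com
To: bob@example.org
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""


def action_for(part: EmailMessage) -> str:
    """Pick the action from the declared file name's extension."""
    filename = (part.get_filename() or "").lower()
    ext = filename[filename.rfind("."):] if "." in filename else ""
    return "strip" if ext in STRIP_EXTENSIONS else "allow"


def apply_attachment_rules(raw: str) -> Tuple[EmailMessage, List[Tuple[str, str]]]:
    """Return the rewritten message and an (action, filename) record per attachment."""
    msg = message_from_string(raw, policy=policy.default)
    if not msg.is_multipart():
        return msg, []
    actions, kept = [], []
    for part in msg.get_payload():
        if part.get_content_disposition() != "attachment":
            kept.append(part)  # message body, not an attachment
            continue
        name = part.get_filename() or "(unnamed)"
        act = action_for(part)
        actions.append((act, name))
        if act == "strip":
            notice = EmailMessage(policy=policy.default)
            notice.set_content(f"Attachment {name} was removed by the email gateway policy.")
            kept.append(notice)  # the recipient learns what was stripped
        else:
            kept.append(part)
    msg.set_payload(kept)
    return msg, actions


def remaining_attachments(msg: EmailMessage) -> List[str]:
    return [p.get_filename() for p in msg.get_payload()
            if p.get_content_disposition() == "attachment"]
```

Feed SAMPLE_MESSAGE to apply_attachment_rules(): report.pdf is allowed, invoice.exe is stripped, and the executable's bytes are no longer present when the message is serialized again with as_string().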

Control Incoming Email
- Use the SMTP-Incoming and POP3-Server proxy actions as templates
- You decide what email you want to allow
Diagram: anybody on the Internet, through the SMTP proxy, to your SMTP server and your users.

Control Outgoing Email
- Use the SMTP-Outgoing or POP3-Client proxy action as a template
- You know the users
- You decide what they can send
Diagram: your users, through the SMTP proxy, to their email server and on to anybody.

Authentication: Verify a User's Identity

Learning Objectives
- Understand authentication and how it works with the XTM device
- List the types of third-party authentication servers you can use with Fireware XTM
- Use Firebox authentication users and groups
- Add a Firebox authentication group to a policy definition
- Modify authentication timeout values
- Use the XTM device to create a custom web server certificate

What is User Authentication?
- Identify each user as they connect to network resources
- Restrict policies by user name

WatchGuard Authentication
- The user browses to the XTM device interface IP address on TCP port 4100.
- The XTM device presents an authentication page.
- The XTM device verifies that the credentials entered are correct and are allowed for the type of connection.
- The XTM device allows access to the resources valid for that authenticated user or group.

Supported Authentication Servers
- Firebox
- RADIUS
- VASCO
- SecurID
- LDAP
- Active Directory (with a Single Sign-On option)

Use Firebox Authentication
To use the XTM device as an authentication server:
- Make groups
- Define users
- Edit policies
Larger organizations will have an existing authentication server such as Active Directory or RADIUS. If your class is running late, you can skip this section if all your students agree that they use third-party authentication servers.

Edit Policies for Authentication
- Create users and groups
- Use the user and group names in policy properties
- Define the From or To information

Use Third-Party Servers
- Set up a third-party authentication server
- Get configuration information, such as shared secrets and IP addresses
- Make sure the XTM device and the authentication server can reach each other

Set Global Authentication Values
- Session and idle timeout values
- Number of concurrent connections
- Enable Single Sign-On with Active Directory authentication
- Enable redirect to the authentication page if the user is not yet authenticated; after you authenticate, you are redirected to the site you originally requested
- Specify the authentication server that appears at the top of the Domain list in the Authentication Portal
- Configure Terminal Services
Automatic redirection to the authentication page operates only for HTTP and HTTPS traffic, and only when no policy allows outgoing traffic from the user's IP address other than a policy that names the user or the user's group. If a policy such as Outgoing already allows the traffic by address, the user is never redirected.

Enable Single Sign-On
- Transparent authentication; the user does not have to open a web page
- Available with Windows Active Directory
- Install the SSO Agent on a Windows server with a static IP address
- You can also install the SSO Client on all workstations (optional, but highly recommended)
- The SSO Agent passes the logged-on user's name and group membership to the XTM device
- Use SSO exceptions for IP addresses that cannot authenticate (computers that are not domain members, or non-Windows computers)
If you have an Active Directory server on your training network, give the configuration information to your students.

Enable Terminal Services
- Enables users to authenticate to your XTM device through a Terminal Server or Citrix server
- Lets your XTM device identify each user's connections even though all users on the terminal server share its IP address
- Can be used with any configured authentication method (Firebox authentication, Active Directory, RADIUS, and so on)
If you have an Active Directory server on your training network, give the configuration information to your students.

Fireware XTM Web Server Certificate
Why does the user get warnings from the browser?
- The name on the certificate does not match the URL, and the default certificate is not issued by a CA the browser trusts.
- Fix the name problem with a custom certificate that lists all of the XTM device IP addresses (or the host name users browse to) as possible name matches.
- Users must still import this certificate into their trusted root stores.
It is important for administrators to deploy this certificate if they do not want users to see the security warning when they visit the Firebox authentication page. Users who are told to click through the warning learn to do the same on a spoofed login page, so fix the warning rather than ignore it. If clients on your network use the Firefox browser, you must also import the certificate into the Firefox certificate store.

Blocking Spam: Stop Unwanted Email with spamBlocker

Learning Objectives
- Activate and configure spamBlocker
- Specify the actions to take when bulk email is detected
- Block or allow email messages from specified sources
- Monitor spamBlocker activity
- Install and configure Quarantine Server

What is spamBlocker?
- Technology licensed from Commtouch™ to identify spam, bulk, or suspect email
- No local server to install (you can install Quarantine Server, but it is not necessary for spamBlocker to work correctly)
- The XTM device sends information to external servers to classify email and caches the results
- Operates with the SMTP and POP3 proxies (you must have an SMTP or POP3 proxy action configured to use spamBlocker)

Activate spamBlocker
- A feature key is required to enable spamBlocker
- Use Policy Manager or FSM to add the feature key
- Save the configuration to the XTM device
- Run the Activate spamBlocker Wizard

You must have the spamBlocker feature key saved to the XTM device before you can do this exercise.

Configure a Policy for spamBlocker
- Use the SMTP proxy or POP3 proxy
- Choose the proxy response to spam categorization
- Add exceptions

spamBlocker Actions
- Spam is classified into three categories:
  - Bulk
  - Suspect
- For each category, you can configure the action taken:
  - Allow
  - Add Subject Tag
  - Quarantine (SMTP only)
  - Deny (SMTP only)
  - Drop (SMTP only)

spamBlocker Exceptions
- You can configure exceptions for specific senders or recipients by:
  - Email address
  - Domain by pattern match (*@xyz.com)
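As an added example (not WatchGuard's code), the decision a spamBlocker-style proxy action makes with the category actions, the SMTP-only restriction and the sender/recipient exceptions described on the slides above. Message categories, the sample domains and the exception precedence (exceptions before the category action) are assumptions of the example.

```python
# Added example (not WatchGuard's code): how a spamBlocker-style proxy action
# chooses what to do with a message, given the category -> action table, the
# SMTP-only actions and the exception list. The classification of each message
# is assumed to be already known; domains below are constructed placeholders.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Actions the slide lists as SMTP only; the POP3 proxy can only Allow or tag.
SMTP_ONLY_ACTIONS = {"Quarantine", "Deny", "Drop"}
ALL_ACTIONS = {"Allow", "Add Subject Tag"} | SMTP_ONLY_ACTIONS


def action_allowed(proxy: str, action: str) -> bool:
    """True if this proxy ("SMTP" or "POP3") can perform the action."""
    if action not in ALL_ACTIONS:
        return False
    return proxy == "SMTP" or action not in SMTP_ONLY_ACTIONS


@dataclass
class Message:
    sender: str
    recipient: str
    category: Optional[str]  # e.g. "Bulk" or "Suspect"; None means not spam


@dataclass
class SpamBlockerConfig:
    proxy: str                         # "SMTP" or "POP3"
    actions: Dict[str, str]            # spam category -> action
    exceptions: List[Tuple[str, str]]  # (address or *@domain pattern, action)

    def __post_init__(self) -> None:
        # Reject a configuration the proxy could not actually carry out.
        for action in list(self.actions.values()) + [a for _, a in self.exceptions]:
            if not action_allowed(self.proxy, action):
                raise ValueError(f"{action!r} is not valid for the {self.proxy} proxy")


def matches(pattern: str, address: str) -> bool:
    """Exact address match, or a domain pattern such as *@xyz.com (case-insensitive)."""
    return fnmatchcase(address.lower(), pattern.lower())


def decide(config: SpamBlockerConfig, msg: Message) -> Tuple[str, str]:
    """Return (action, reason). Exceptions are checked before the category action."""
    for pattern, action in config.exceptions:
        if matches(pattern, msg.sender) or matches(pattern, msg.recipient):
            return action, f"exception {pattern}"
    if msg.category is None:
        return "Allow", "not classified as spam"
    return config.actions.get(msg.category, "Allow"), f"category {msg.category}"


# Constructed sample configuration (domains are placeholders).
SMTP_CONFIG = SpamBlockerConfig(
    proxy="SMTP",
    actions={"Bulk": "Add Subject Tag", "Suspect": "Quarantine"},
    exceptions=[("*@partner.example", "Allow"),      # trusted domain, never tagged
                ("noreply@lists.example", "Drop")],  # one known-unwanted sender
)

if __name__ == "__main__":
    for m in (Message("ads@bulk.example", "bob@corp.example", "Bulk"),
              Message("news@partner.example", "bob@corp.example", "Bulk"),
              Message("noreply@lists.example", "bob@corp.example", None)):
        print(m.sender, "->", decide(SMTP_CONFIG, m))
```

Constructing the same configuration with proxy="POP3" raises ValueError, because Quarantine and Drop are SMTP-only actions.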

Customize spamBlocker
- Use multiple SMTP or POP3 proxies

No exercise is associated with this slide. For class discussion only.

Monitor spamBlocker Activity
- Status is visible in Firebox System Manager
- Select the Subscription Services tab

Quarantine Spam
- Quarantine Server operates with spamBlocker for the SMTP-proxy only (not the POP3-proxy)
- Install with the server components during the WSM install, or from WatchGuard Server Center

Quarantine Server Configuration
You can configure:
- Database size and administrator notifications
- Server settings
- Length of time to keep messages
- The domains for which the Quarantine Server keeps mail
- Rules to automatically remove messages:
  - From specific senders
  - From specific domains
  - That contain specific text in the Subject field

Manage Web Traffic Through Your Firewall

Learning Objectives
- Control outgoing HTTP traffic
- Protect your web server
- Use the HTTPS-proxy
- Set up WebBlocker
- Select categories of web sites to block
- Override WebBlocker rules for specified sites

What is the HTTP-Proxy?
- Fully configurable HTTP requests and responses
- Use URL paths to block complete URLs, or match a pattern you specify
- Select header fields, protocol settings, and request/response methods
- Allow or deny based on content types
- Block the transfer of all or some attachments over port 80
- Allow or deny cookies from specified domains
- Enforce search engine Safe Search rules

Control Outgoing HTTP Traffic
- Use the HTTP-Client proxy action as a template
- You know the users
- You decide where they go and what they can get access to
- Enforce Safe Search rules
[Diagram labels: Your Network, HTTP Proxy]

Settings for the HTTP-Client Proxy Action
- HTTP Request
- HTTP Response
- Use Web Cache Server
- HTTP Proxy Exceptions
- WebBlocker
- AntiVirus
- Reputation Enabled Defense
- Deny Message
- Proxy and AV Alarms

Protect Your Web Server
- Use the HTTP-Server proxy action template
- Block malformed packets
- Prevent attacks on your server
- Enforce Safe Search rules
[Diagram labels: Web Server, HTTP Proxy, Your Network]

Settings for the HTTP-Server Proxy Action
- HTTP Request
- HTTP Response
- HTTP Proxy Exceptions
- WebBlocker
- AntiVirus
- Reputation Enabled Defense
- Deny Message
- Proxy and AV Alarms

When to Use the HTTPS-Proxy
- HTTP on a secure, encrypted channel (SSL)
- Can use Deep Packet Inspection (DPI) to examine content and re-sign the original HTTPS site certificate
  - OCSP can confirm the validity of the original HTTPS site certificate
  - Use a certificate that all clients on your network automatically trust for this purpose when possible
- Can use WebBlocker to block categories of web sites
  - When DPI is not enabled, checks the certificate and blocks by domain name

What is WebBlocker?
- Reduces malicious web content that enters the network
  - Blocks URLs and IP addresses that you specify
- Reduces unproductive web surfing and potential liability
  - Blocks access to IM/P2P download sites
  - Blocks access to spyware sites
  - Helps schools to attain CIPA compliance
- Regular database updates
- Global URL database: English, German, Spanish, French, Italian, Dutch, Japanese, traditional Chinese, and simplified Chinese sites

Set Up WebBlocker
- The WebBlocker Server gets the WebBlocker database from WatchGuard
- When a user browses, the XTM device checks the WebBlocker Server
- If the site is allowed, the device allows the connection
[Diagram labels: Web Site, WebBlocker Server, WebBlocker Updates, WatchGuard, Your Network]

The WebBlocker Database
- Database created and maintained by SurfControl™
- Database updates keep the filtering rules up-to-date
- Use multiple categories to allow or deny different groups of users at different times of the day

WebBlocker database updates can be launched from WatchGuard Server Center.

Keep the WebBlocker Database Updated
The WebBlocker database does not update automatically. To keep the WebBlocker database updated you can:
- Manually trigger an incremental update in WatchGuard Server Center.
- Use Windows Task Scheduler to run the “updatedb.bat” process, which is installed in the C:\Program Files\WatchGuard\wsm11.0\bin directory.

Advanced WebBlocker Settings
On the WebBlocker > Advanced tab, you can control what happens if the device cannot contact the WebBlocker Server. You can:
- Allow access to all web sites
- Deny access to all web sites

You can also set a password that, when entered on an individual computer, overrides WebBlocker for that computer.

WebBlocker Exceptions
- Add exceptions for web sites that WebBlocker denies and you want to allow (white list).
- Add web sites that WebBlocker allows and you want to deny (black list).

Threat Protection: Defend Your Network From Intruders

Learning Objectives
- Understand the different types of intrusion protection
- Configure default packet handling to stop common attacks
- Block IP addresses and ports used by hackers
- Automatically block the sources of suspicious traffic

Intrusion Detection and Prevention
[Timeline diagram of a vulnerability's life cycle]
- Vulnerability found and exposed
- Hacker builds attack that uses the vulnerability
- Attack launched
- Attack signature developed and distributed
- Vendor builds and distributes patch
- IT admin installs the patch
Firewall-based IPS:
- Supplies zero-day protection
- Proactively blocks many threats
- Ongoing protection at higher performance
- Queues the patch update based on severity

Default Packet Handling
- Spoofing attacks
- Port and address space probes
- Flood attacks
- Denial of service
- Options for logging and automatic blocking

Default Packet Handling is a set of configurable thresholds that allow your XTM device to detect potentially hostile activity, such as SYN floods, IKE floods, DDoS attacks, or address probes. The device drops connections above the threshold, and you can configure the device to add the sources to the Blocked Sites List. The default thresholds are configured for an average user and may need to be adjusted for your environment.

The Auto-block source of packets not handled option blocks the source IP address of any connection that is denied because there was no rule to handle the connection. In general, this is a very bad setting to enable for long periods of time, because any mistyped address or misconfigured host on the network gets blocked. This setting can be used to help defeat DDoS attacks from many different source IP addresses, ports, and/or protocols for a limited duration. If the log messages from the device show that such an attack is in progress, we recommend that you enable this option temporarily.

Block the Source of Attacks
- An attacker runs a port space probe on your network.
- The XTM device blocks the probe and adds the source to the temporary list of blocked sites.
- Now, even valid traffic from that address is blocked by the XTM device.
- Remote users use valid packets to browse your web site.
[Diagram labels: Web Server, Log Server, Your Network]

You can control the amount of time that an IP address stays on the Blocked Sites list. The default time is 20 minutes.

Auto-block Sites
Each policy configured to deny traffic has a check box you can select to auto-block the source of the denied traffic. If you select it, the source IP address of any packet denied by the policy is automatically added to the Blocked Sites List.
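As an added example (not WatchGuard's code), a small model of the behaviour the Default Packet Handling and Block the Source of Attacks slides describe: a port-space-probe threshold, a temporary Blocked Sites List entry that also drops the attacker's later valid traffic, and expiry after the default 20 minutes. The probe threshold, window, addresses and packet trace are constructed for the example, not Fireware defaults.

```python
# Added example (not WatchGuard's code): Default Packet Handling probe threshold
# plus the temporary and permanent Blocked Sites List. Threshold and window are
# constructed values; the 20-minute block time is the default the slide gives.
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

BLOCK_SECONDS = 20 * 60  # default time a source stays on the Blocked Sites List


class BlockedSites:
    """Permanent (static) entries plus temporary entries that expire."""

    def __init__(self, permanent: Iterable[str] = ()) -> None:
        self.permanent: Set[str] = set(permanent)
        self.temporary: Dict[str, float] = {}  # src -> expiry time

    def add_temporary(self, src: str, now: float) -> None:
        self.temporary[src] = now + BLOCK_SECONDS

    def is_blocked(self, src: str, now: float) -> bool:
        if src in self.permanent:
            return True
        expiry = self.temporary.get(src)
        if expiry is None:
            return False
        if now >= expiry:  # the temporary block has timed out
            del self.temporary[src]
            return False
        return True


class PortProbeHandler:
    """Counts distinct destination ports per source inside a sliding window; above
    the threshold the source is auto-blocked, as the port space probe option does."""

    def __init__(self, blocked: BlockedSites, threshold: int = 10, window: float = 10.0) -> None:
        self.blocked = blocked
        self.threshold = threshold
        self.window = window
        self.seen: Dict[str, List[Tuple[float, int]]] = defaultdict(list)

    def handle(self, src: str, dport: int, now: float) -> str:
        """Verdict for one packet: 'blocked', 'auto-block' or 'allow'."""
        if self.blocked.is_blocked(src, now):
            return "blocked"  # even valid traffic from a blocked source is dropped
        recent = [(t, p) for t, p in self.seen[src] if now - t <= self.window]
        recent.append((now, dport))
        self.seen[src] = recent
        if len({p for _, p in recent}) > self.threshold:
            self.blocked.add_temporary(src, now)  # log-worthy event: source auto-blocked
            self.seen[src] = []
            return "auto-block"
        return "allow"


def replay(packets: Iterable[Tuple[float, str, int]], permanent: Iterable[str] = ()) -> List[str]:
    """Run a packet trace of (time, src, dport) tuples through the handler."""
    handler = PortProbeHandler(BlockedSites(permanent))
    return [handler.handle(src, dport, t) for t, src, dport in packets]


# Constructed trace: 203.0.113.9 probes ports 1..11, then sends a valid web
# request; 198.51.100.7 is a legitimate user browsing port 80 the whole time.
TRACE = [(float(i), "203.0.113.9", i + 1) for i in range(11)] + [
    (12.0, "198.51.100.7", 80),                 # valid user, unaffected
    (13.0, "203.0.113.9", 80),                  # attacker's valid request, still blocked
    (13.0 + BLOCK_SECONDS, "203.0.113.9", 80),  # 20 minutes later the block has expired
]

if __name__ == "__main__":
    for (t, src, port), verdict in zip(TRACE, replay(TRACE)):
        print(f"t={t:7.1f} {src:>13} :{port:<5} {verdict}")
```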

Use a Proxy Action to Block Sites
When you select the Block action, the IP address denied by the proxy action is automatically added to the Blocked Sites List.

Block Known Attack Vectors
- Protect sensitive services on your network
- Get log messages
- Close traffic for unwanted services
- Static configuration
  - Add specific ports to block
  - Add specific IP addresses or subnets to be permanently blocked
- Dynamic configuration
  - This feature can be enabled from many different places in Policy Manager: proxy actions, default packet handling settings, and policy configuration

Signature Services: Gateway AntiVirus, Intrusion Prevention, and Application Control

Learning Objectives
- Understand how signature-based security subscriptions work
- Set up and configure Gateway AntiVirus
- Configure proxies to use Gateway AntiVirus
- Set up and configure the Intrusion Prevention Service
- Set up and configure Application Control
- Enable IPS and Application Control in policies

What is Gateway AV?
- Signature-based antivirus subscription
- The XTM device downloads signature database updates at regular, frequent intervals
- Gateway AV operates with the SMTP, HTTP, FTP, POP3, and TCP-UDP proxies

Set Up Gateway AntiVirus
- The XTM device downloads the initial signature file
- The device gets new signatures and updates at a regular interval
- Gateway AV strips viruses and allows valid email or web pages to load
[Diagram labels: Gateway AntiVirus database updates, WatchGuard, Your Network]

Gateway AV Wizard
Gateway AV can be enabled and configured with a wizard you launch from the Subscription Services menu. The wizard asks you to select which proxy policies you want to configure Gateway AV for.

When you activate Gateway AV/IPS from the Subscription Services menu, the wizard allows you to configure Gateway AV/IPS in proxy policies you have already created. The wizard also suggests other proxy policies which can be added and configured to use Gateway AV/IPS.

Configure the Proxy with Gateway AntiVirus
- Use the HTTP and SMTP proxies to enable Gateway AV
- Define actions
- Define content types to scan
- Monitor Gateway AV status

Gateway AV and the SMTP-Proxy
When an email attachment contains a known virus signature, the XTM device can:
- Allow — Attachment passes through with no change
- Lock — Attachment can only be opened by an administrator
- Remove — Attachment is stripped from the email
- Quarantine — Message is sent to the Quarantine Server
- Drop — The connection is denied
- Block — The connection is denied, and the server is added to the Blocked Sites list

Gateway AV and the HTTP-Proxy
When Gateway AV finds a known virus signature in an HTTP session, the XTM device can:
- Allow — The file is allowed to pass through without changes
- Drop — The HTTP connection is denied
- Block — The HTTP connection is denied, and the web server is added to the Blocked Sites list

Gateway AV and the FTP-Proxy
The FTP proxy applies Gateway AV settings to:
- Downloaded files allowed in your configuration
- Uploaded files allowed in your configuration
When Gateway AV finds a known virus signature in an FTP session, the Firebox or XTM device can:
- Allow — The file goes through with no change
- Deny — The transaction is denied and a deny message is sent
- Drop — The FTP connection is dropped immediately
- Block — The FTP connection is denied, and the IP address is added to the Blocked Sites list

Gateway AV Settings
- Select the decompression option if you want Gateway AV to decompress file formats such as .zip or .tar. The number of levels to scan is the depth to which Gateway AV scans archive files nested inside archive files.
- Most attachments that contain viruses are very small so they can be easily sent. You can limit the size of the files scanned to improve proxy performance.

Use Signature-based IPS
- Configure IPS to Allow, Drop, or Block connections from sources that match an IPS signature.
- The action is set based on the threat level of the matching signature.

Use Signature-based IPS
- Configure settings globally.
- Enable or disable per policy.
- Can scan traffic for all policies.
- Blocks malicious threats before they enter your network.

Use Application Control
- Application Control is a Subscription Service.
- Monitor and control hundreds of applications based on signatures.
- Block or allow traffic for application categories, applications, and application behaviors.

Use Application Control
Click Select by Category to configure actions by application category.

Apply Application Control to Policies
- First configure Application Control actions.
- On the Policies tab, select one or more policies, then select the action to apply.

Enable Application Control and IPS in Policies
Application Control
- Application Control is not automatically enabled for policies. For each policy, you select which Application Control action to use.
- To monitor the use of applications, enable logging of allowed packets in the policies that have Application Control enabled.
IPS
- When you enable IPS, it is enabled for all policies by default.
- You can enable or disable IPS for each policy.

Enable Automatic Signature Updates
To protect against the latest viruses and exploits, and to identify the latest applications, make sure your device is configured to get automatic updates to Gateway AntiVirus, Intrusion Prevention, and Application Control signatures at regular intervals. Update requests can be routed through a proxy server.

Monitor Signature Update Status
In Firebox System Manager, select the Subscription Services tab to see the status of Gateway AV, IPS and Application Control signatures, or to manually get signature updates.

Reputation Enabled Defense: Improve the Performance and Security of Web Access

Learning Objectives
- Understand how Reputation Enabled Defense works
- Configure Reputation Enabled Defense
- Monitor Reputation Enabled Defense

What is Reputation Enabled Defense (RED)?
- Reputation-based HTTP anti-virus and anti-spyware prevention subscription, available for WatchGuard XTM device models only. RED operates with the HTTP-proxy.
- RED uses a cloud-based reputation server that assigns a reputation score between 1 and 100 to every URL. The reputation score for a URL is based on AV scanning feedback collected from appliances around the world. It incorporates scan results from two leading anti-malware engines: Kaspersky and AVG.
- When a user browses to a web site, RED looks up the score for the URL.
  - For URLs with a good reputation score, local scanning is bypassed.
  - For URLs with a bad reputation score, the HTTP-proxy denies access without local scanning by Gateway AV.
  - For URLs with an inconclusive reputation score, local Gateway AV scanning is performed as configured.
- RED improves XTM device performance because URLs with a known GOOD or BAD reputation score do not need to be scanned locally by Gateway AV.

RED Reputation Scores
- Reputation scores:
  - High scores indicate a bad reputation
  - Low scores indicate a good reputation
- RED continually updates the reputation scores for URLs based on scan results collected from devices around the world.
- If RED has no knowledge of a URL, it assigns a score of 50.
- The reputation score assigned to a URL increases based on:
  - Negative scan results for that URL
  - Negative scan results for a referring link
- The reputation score assigned to a URL decreases based on:
  - Multiple clean scans
  - Recent clean scans

RED Reputation Thresholds and Actions
The action performed by the HTTP-proxy depends on:
- The reputation score of a requested URL.
- The locally configured reputation thresholds.
RED actions:
- If the score is higher than the Bad reputation threshold, deny access.
- If the score is lower than the Good reputation threshold, bypass local scanning.
- Otherwise, perform local Gateway AV scanning as configured.
A score equal to the Good or Bad reputation threshold is treated as neutral, or inconclusive.
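As an added example (not WatchGuard's code), the RED decision the last two slides describe carried through in code: the threshold comparison with scores equal to a threshold treated as inconclusive, the score of 50 for an unknown URL, and the direction in which scan results move a score. The threshold values, step sizes, URLs and the stand-in reputation store are constructed for the example; they are not Fireware defaults or the real reputation service.

```python
# Added example (not WatchGuard's code): RED threshold decision and a
# constructed model of how scan results move a URL's reputation score.
from typing import Callable, Dict, Optional, Tuple

UNKNOWN_SCORE = 50  # the slide: a URL RED has never seen is assigned a score of 50

# Constructed step sizes; the slides give only the direction of each change.
NEGATIVE_SCAN_STEP = 20
REFERRER_NEGATIVE_STEP = 10
CLEAN_SCAN_STEP = 5


def red_action(score: int, good_threshold: int, bad_threshold: int) -> str:
    """Map a reputation score to the HTTP-proxy action the slide describes."""
    if not 1 <= score <= 100:
        raise ValueError("reputation scores run from 1 to 100")
    if good_threshold >= bad_threshold:
        raise ValueError("the Good threshold must be below the Bad threshold")
    if score > bad_threshold:
        return "deny"     # bad reputation: deny without local scanning
    if score < good_threshold:
        return "bypass"   # good reputation: skip local Gateway AV scanning
    return "scan"         # inconclusive, including a score equal to a threshold


class ReputationStore:
    """Stand-in for the cloud reputation service, holding per-URL scores."""

    def __init__(self, scores: Optional[Dict[str, int]] = None) -> None:
        self.scores: Dict[str, int] = dict(scores or {})

    def score(self, url: str) -> int:
        return self.scores.get(url, UNKNOWN_SCORE)

    def record_scan(self, url: str, infected: bool, referrer: Optional[str] = None) -> None:
        """Feed an AV result back: a negative result raises the score of the URL
        (and of the referring link); a clean result lowers it."""
        if infected:
            self._adjust(url, NEGATIVE_SCAN_STEP)
            if referrer:
                self._adjust(referrer, REFERRER_NEGATIVE_STEP)
        else:
            self._adjust(url, -CLEAN_SCAN_STEP)

    def _adjust(self, url: str, delta: int) -> None:
        self.scores[url] = max(1, min(100, self.score(url) + delta))


def handle_request(store: ReputationStore, url: str, good: int, bad: int,
                   local_av: Callable[[str], bool]) -> Tuple[str, str]:
    """Return (verdict, how) for one HTTP request; local_av(url) is True if infected."""
    action = red_action(store.score(url), good, bad)
    if action == "deny":
        return "deny", "bad reputation, not scanned"
    if action == "bypass":
        return "allow", "good reputation, not scanned"
    infected = local_av(url)
    store.record_scan(url, infected)  # the local scan result feeds the reputation
    return ("deny" if infected else "allow"), "scanned by Gateway AV"


# Constructed sample store, thresholds and a fake local scanner (placeholder URLs).
SAMPLE_STORE = ReputationStore({"http://good.example/": 5, "http://bad.example/": 95})
GOOD_THRESHOLD, BAD_THRESHOLD = 10, 90


def fake_av(url: str) -> bool:
    return "malware" in url


if __name__ == "__main__":
    for u in ("http://good.example/", "http://bad.example/", "http://new.example/malware.exe"):
        print(u, handle_request(SAMPLE_STORE, u, GOOD_THRESHOLD, BAD_THRESHOLD, fake_av))
```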

Enable Reputation Enabled Defense
Before you enable RED:
- Your device must have a Reputation Enabled Defense feature key
- You must have configured at least one HTTP-proxy policy

Configure Reputation Enabled Defense
- Enable RED for the HTTP-proxy
- Define thresholds
- Monitor RED status

Reputation Enabled Defense and the HTTP-Proxy
Based on the reputation score for a URL, the HTTP-Proxy can:
- Immediately block the URL if it has a bad reputation.
- Bypass any configured local virus scanning for a URL that has a good reputation.
If neither of these RED actions occurs, then any locally configured virus scanning proceeds as configured.

Reputation Enabled Defense and the HTTP-Proxy
The default reputation thresholds are set to balance security with performance. You can change the bad and good reputation thresholds in the Advanced Settings dialog box. We recommend that you use the default reputation thresholds.

Monitor Reputation Enabled Defense
RED status is visible in Firebox System Manager on the Subscription Services tab.

Generate Reports of Network Activity

Learning Objectives
- Set up and configure a Report Server
- Generate and save reports at regular intervals
- Generate and view reports
- Change report settings
- Save, print, and share reports

WSM Reporting Architecture
[Diagram labels: Log Server, Management Computer, Report Server, Report Manager]

Configure the Report Server
- Install on a Microsoft Windows computer
- Can be the same computer as the Log Server
- Configure the Report Server from WatchGuard Server Center
- Select whether to use the built-in database or an external PostgreSQL database
- Add one or more Log Server IP addresses
- Set the report interval, report type, and notification preferences

Customize Reports with Report Manager
- View Available Reports (scheduled reports)
- Create On-Demand Reports
- Launch Report Manager from WSM
- Choose HTML or PDF format for reports

Output Reports from Report Manager
- One click to email the reports to another location
- Save reports as HTML, PDF, or CSV
- Print reports

View Reports with Reporting Web UI
- Reporting Web UI is installed with the Report Server
- Configure Reporting Web UI in WatchGuard Server Center
- Add users in WatchGuard Server Center to enable them to use Reporting Web UI
- Connect to Reporting Web UI over port 4122 to view and print reports

When you configure the settings for your Report Server, you can also configure the settings for Reporting Web UI. You can customize the colors, banner, images, and URL for the Web UI, select which reports users can view, and set the maximum number of days users can include in a report. Users connect to Reporting Web UI at the IP address of the Report Server over port 4122. Users can view and print the reports you selected.

Explore Fireware XTM Web UI

Learning Objectives
- Log in to the Web UI
- Change the port that the XTM device uses for the Web UI
- Discuss limitations of the Web UI
- Manage timeouts for Web UI management sessions

Introduction to Fireware XTM Web UI
- Monitor and manage any device running Fireware XTM without installing extra software
- Real-time management tool
- Easily find what you need and understand how the configuration options work

Limitations of the Web UI
Things you can do with Policy Manager, but not with the Web UI:
- View or change the configuration of a device that is a member of a FireCluster
- Add or remove static ARP entries from the device's ARP table
- Change the name of a policy
- Change the logging of default packet handling options
- Turn on or off the notification of BOVPN events
- Add a custom address to a policy
- Use Host Name (DNS lookup) to add an IP address to the From or To section of a policy

Limitations of the Web UI (cont.)
- Create a .wgx file for Mobile VPN with IPSec client configuration (you can get only the equivalent, but unencrypted, .ini file)
- Export certificates stored on the device, or see their details (you can only import certificates)
- The logging and reporting functions provided by HostWatch, LogViewer, Report Manager, and WSM are also not available

Log in to the Web UI
- Fireware XTM provides a Web UI
- You need only a browser with support for Adobe Flash
- Real-time configuration tool: there is no option to store configuration changes locally and save them to the device later
- https://<firebox.ip.address>:8080
- Uses a self-signed certificate, so you must accept certificate warnings or replace the certificate with a trusted certificate
- You can change the port for the Web UI
- Log in with one of two accounts:
  - Status: read-only permission; uses the status passphrase
  - Admin: read-write permission; uses the configuration passphrase

Because the Web UI requires a device to connect to, and because there are some things you cannot do with the Web UI, this slide is the only introduction to the Web UI in this training presentation. The rest of the training presentation requires that WSM be installed.

The Web UI does NOT support configuration of these features:
- Some proxy configuration options
- Rename a policy
- Use custom addresses in policies
- Certificate export
- Some logging options
  - Diagnostic logging
  - Diagnostic log levels
  - Default Packet Handling logging options
- .wgx file creation for Mobile VPN with IPSec
- FireCluster

Log in to the Web UI
- Multiple concurrent logins are allowed with the status account
- Only one admin account can be logged in at a time
- The last user to log in with the admin account is the only user that can make changes
  - Includes changes from Policy Manager and WSM

Log in to the Web UI
- The user account name appears at the top of the screen
- Navigation links are at the left side

Conclusion
This presentation provides an overview of basic Fireware XTM features. For more information, see these training, documentation, and support resources available in the Support section of the WatchGuard web site:
- WatchGuard System Manager Help
- Fireware XTM Web UI Help
- WatchGuard Knowledge Base
- Fireware XTM Training courseware

To see the Fireware XTM Training courseware, you must log in to the WatchGuard web site.

Thank You!