WatchGuard Firebox X Edge e-Series User Guide
Firebox X Edge e-Series version 10
All Firebox X Edge e-Series Standard and Wireless Models
Page 88 (Network Settings): About using multiple external interfaces. With the Firebox, you can have redundant support for the external in
Page 89 (Network Settings): About multiple external interfaces and DNS. When you configure more than one external interface on your Edge, it is a good
Page 90 (Network Settings): Configure advanced WAN2 settings. You can configure additional settings for your second WAN interface (WAN2) o
Page 91 (Network Settings): Configure the Edge to use round-robin load balancing. 1. From the navigation bar, select Network > External. If you have
Page 92 (Network Settings): Configure WAN failover. If you have an Edge Pro license, you can configure your Firebox X Edge with a WAN fail
Page 93 (Network Settings): 3. Type the IP addresses of the hosts to ping for the WAN1 (external) and WAN2 (failover) interfaces. The Firebox X Edge w
Page 94 (Network Settings): Configure your modem for WAN failover. Use the settings available in the Modem (Serial Port) Configuration are
Page 95 (Network Settings): Enter your DNS settings. If your dial-up ISP does not give DNS server IP addresses, or if you must use a different DNS serv
Page 96 (Network Settings): About virtual local area networks (VLANs). An 802.1Q VLAN (virtual local area network) is a collection of comp
Page 97 (Network Settings): Add a VLAN tag to the Trusted or Optional Interface. To mark traffic sent to the trusted or optional interface on your Edge
Page 99 (Chapter 6, Wireless Setup): About wireless setup. The Firebox X Edge e-Series Wireless can be configured as a wireless access point with three different
Page 100 (Wireless Setup): About wireless configuration settings. When you enable wireless access to the trusted, optional, or wireless gu
Page 101 (Wireless Setup): Log authentication events. An authentication event occurs when a wireless computer tries to connect to an Edge wireless inte
Page 102 (Wireless Setup): About wireless security settings. The Firebox X Edge e-Series Wireless uses three security protocol standards t
Page 103 (Wireless Setup): Open system and shared key authentication. Encryption options for open system and shared key authentication are WEP 64-bit h
Page 104 (Wireless Setup): Allow wireless connections to the trusted interface. 1. To connect to the System Status page, type https:// in
Page 105 (Wireless Setup): Allow wireless connections to the optional interface. 1. To connect to the System Status page, type https:// in the browser
Page 106 (Wireless Setup): 8. From the Authentication drop-down list, select the type of authentication to enable for wireless connectio
Page 107 (Wireless Setup): 3. On the Settings tab, select the Enable Wireless Guest Network check box to allow wireless connections through the Edge
Page 108 (Wireless Setup): About wireless radio settings. The Firebox X Edge e-Series Wireless uses radio frequency signals to send and re
Page 109 (Wireless Setup): Configure the wireless card on your computer. These instructions are for the Windows XP with Service Pack 2 operating system
Page 111 (Chapter 7, Firewall Policies): About policies. The security policy of your organization is a set of definitions for protecting your computer network an
Page 112 (Firewall Policies): About adding policies to your Firebox. The Firebox includes many pre-configured packet filters and proxies t
Page 113 (Firewall Policies): Common policies for the Firebox X Edge. Common Proxy Policies. Common Packet Filter Policies. Policy | Function; FTP-Proxy | Used t
Page 114 (Firewall Policies): Policy rules. A Firebox X Edge policy is one or more rules that together monitor and control traffic. These
Page 115 (Firewall Policies): About policy-based routing. To send network traffic, a router usually examines the destination address in the packet and
Page 116 (Firewall Policies): About using common packet filter policies. You can control the traffic between the trusted, optional, and ex
Page 117 (Firewall Policies): Editing common packet filter policies. You can edit some default settings of a common packet filter policy. On the Incomin
Page 1 (Chapter 1, Introduction to Network Security): About networks and network security. A network is a group of computers and other devices that are connected
Page 118 (Firewall Policies): Set access control options (outgoing). 1. From the Edit Policies page, select the Outgoing tab. 2. From the O
Page 119 (Firewall Policies): About custom policies. You must define a custom policy for traffic if you need to allow for a protocol that is not includ
Page 120 (Firewall Policies): Add a custom packet filter policy manually. You can add a custom policy without the wizard. 1. To connect to
Page 121 (Firewall Policies): Filter outgoing traffic for a custom policy. These steps restrict outgoing traffic through the Firebox X Edge. For inform
Page 122 (Firewall Policies): About policies for the optional network. By default, the Firebox X Edge e-Series allows all traffic that sta
Page 123 (Firewall Policies): Disable traffic filters between trusted and optional networks. To allow network traffic from the optional network to the
Page 125 (Chapter 8, Proxy Settings): About proxy policies. All WatchGuard policies, whether they are packet filter policies or proxy policies, are important too
Page 126 (Proxy Settings): About adding and configuring proxy policies. When you add a proxy policy to your Firebox configuration, you sp
Page 127 (Proxy Settings): To add or edit a custom proxy policy: 1. To connect to the System Status page, type https:// in the browser address bar, an
Page 2 (Introduction to Network Security): About protocols. A protocol is a group of rules that allow computers to connect across a networ
Page 128 (Proxy Settings): About the HTTP proxy. Hyper Text Transfer Protocol (HTTP) is a request/response protocol between clients and se
Page 129 (Proxy Settings): HTTP requests: General settings. Idle connection timeout: This setting controls how long the HTTP proxy waits for the client t
Page 130 (Proxy Settings): HTTP proxy: Deny message. The Firebox gives a default deny message that replaces the content that is denied. Yo
Page 131 (Proxy Settings): HTTP proxy exceptions. You use HTTP proxy exceptions to bypass HTTP proxy rules for certain web sites without bypassing the
Page 132 (Proxy Settings): Add, delete, or modify content types. 1. Select the HTTP Content tab. 2. Select the Allow only safe content type
Page 133 (Proxy Settings): About the FTP proxy. FTP (File Transfer Protocol) is used to send files from one computer to a different computer over a TCP
Page 134 (Proxy Settings): FTP proxy: Proxy limits. On the FTP Settings tab, you can set the maximum user name length, password length, fi
Page 135 (Proxy Settings): FTP proxy: Upload and download content. You can control the type of files that the FTP proxy allows for downloads and upload
Page 136 (Proxy Settings): Set access control options. On the Outgoing or Incoming tab, you can set rules that filter IP addresses, networ
Page 137 (Proxy Settings): Maximum email line length. This setting prevents some types of buffer overflow attacks. It is unlikely that you will need to
Page 3 (Introduction to Network Security): About IP addresses. To send ordinary mail to a person, you must know his or her street address. For one comp
Page 138 (Proxy Settings): POP3 proxy: Content types. Certain kinds of content embedded in email can be a security threat to your network.
Page 139 (Proxy Settings): POP3 proxy: Deny unsafe file name patterns. If you want to deny certain file name attachments, select the Deny unsafe file
Page 140 (Proxy Settings): Edit the SMTP proxy. To change the default settings of the SMTP proxy, select Firewall > Incoming from the n
Page 141 (Proxy Settings): SMTP proxy: Proxy limits. On the SMTP Settings tab, you can adjust timeout, email size, and line length limits. This stops t
Page 142 (Proxy Settings): SMTP proxy: Deny message. In the Deny Message field, you can write a custom plain text message that will appear
Page 143 (Proxy Settings): SMTP proxy: Email content. Certain kinds of content embedded in email can be a security threat to your network. Other kinds
Page 144 (Proxy Settings): Deny unsafe file name patterns. If you want to deny certain file name attachments, select the Deny unsafe file
Page 145 (Proxy Settings): About the H.323 proxy. If you use Voice-over-IP (VoIP) in your organization, you can add an H.323 or SIP (Session Initiation
Page 146 (Proxy Settings): About the SIP proxy. If you use Voice-over-IP (VoIP) in your organization, you can add a SIP (Session Initiatio
Page 147 (Proxy Settings): About the Outgoing Proxy. The Outgoing policy applies to all outgoing network traffic, including traffic managed by other co
Page 4 (Introduction to Network Security): This table shows common network masks and their equivalents in slash notation. About entering
Page 149 (Chapter 9, Default Threat Protection): About intrusion prevention. The Firebox X Edge e-Series includes a set of default threat protection features des
Page 150 (Default Threat Protection): About blocked sites. A blocked site is an IP address that cannot make a connection through the Fireb
Page 151 (Default Threat Protection): Block a site permanently. 1. To connect to the System Status page, type https:// in the browser address bar, and
Page 152 (Default Threat Protection): Block sites temporarily. Follow these steps to configure your Firebox to automatically block sites t
Page 153 (Default Threat Protection): About blocked ports. You can block the ports that you know can be used to attack your network. This stops specifi
Page 154 (Default Threat Protection): Block a port. 1. To connect to the System Status page, type https:// in the browser address bar, and
Page 155 (Default Threat Protection): About denial-of-service attacks. The Firebox X Edge e-Series includes an integrated denial-of-service (DoS) prote
Page 156 (Default Threat Protection): On the Firewall > Intrusion Prevention page, select the DoS Defense tab and set the packet/seco
Page 157 (Default Threat Protection): Configure firewall options. You can use the Firewall Options page to configure rules that increase your network s
Page 5 (Introduction to Network Security): About Domain Name Service (DNS). If you do not know the address of a person, you can frequently find it in t
Page 158 (Default Threat Protection): Log all allowed outbound access. If you use the standard property settings, the Firebox X Edge e-Se
Page 159 (Chapter 10, Traffic Management): About Traffic Management. The Firebox X Edge e-Series supplies many different ways to manage the traffic on your netwo
Page 160 (Traffic Management): Traffic Categories. The Firebox X Edge e-Series allows you to limit data sent through policies and Traffic
Page 161 (Traffic Management): Traffic Marking. If your Firebox X Edge is part of a larger network that uses Quality of Service (QoS) and your upstream
Page 162 (Traffic Management): The following table shows the DSCP values you can select, the corresponding IP Precedence value (which is
Page 163 (Traffic Management): Enable Traffic Control. You must have at least one packet filter policy, proxy policy, or VPN tunnel enabled to add traf
Page 164 (Traffic Management): 4. In the Upstream bandwidth limit text box, type the upstream bandwidth limit of your external network c
Page 165 (Traffic Management): About Network Address Translation (NAT). Network Address Translation (NAT) is a term used to describe any of several for
Page 166 (Traffic Management): About dynamic NAT. Dynamic NAT is the most frequently used type of NAT. It changes the source IP address of
Page 167 (Traffic Management): Company ABC selects five public IP addresses from the same network address as the external interface of their Firebox,
Page 6 (Introduction to Network Security): About ports. Although computers have hardware ports you use as connection points, ports are als
Page 168 (Traffic Management): Add a secondary external IP address for 1-to-1 NAT mapping. 1. To connect to the System Status page, type ht
Page 169 (Chapter 11, Logging): About logging and log files. An important feature of a good network security policy is to gather messages from your security syst
Page 170 (Logging): Event Log and System Status Syslog. You can see the Event Log on the Logging page. The event log contains data on the
Page 171 (Logging): About logging to a WatchGuard Log Server. The WatchGuard Log Server (previously known as the WatchGuard System Event Processor, or
Page 172 (Logging): 4. Select the Send logs in native XML format check box to have the Edge log messages sent to the WatchGuard Log Serv
Page 173 (Logging): About Syslog. Syslog is a log interface developed for UNIX but also used by a number of computer systems. You can configure the Fir
Page 175 (Chapter 12, Certificates): About certificates. When you use local authentication to connect to your Firebox over secure HTTP, the Firebox uses a certif
Page 176 (Certificates): Create a certificate. Use OpenSSL to generate a CSR. OpenSSL is installed with most GNU/Linux distributions. To dow
Page 177 (Certificates): Issue the certificate. 1. Connect to the server where the Certification Authority is installed, if necessary. 2. From the Star
Page 7 (Introduction to Network Security): About Firewalls. A firewall separates your trusted computers on the internal network from the external netwo
Page 178 (Certificates): Remove a certificate. 1. From the System Status page on the Firebox X Edge, select Administration > Certificat
Page 179 (Chapter 13, User and Group Management): About user licenses. Your Firebox X Edge firewall is enabled with a set number of user licenses (also called no
Page 180 (User and Group Management): When a user license is not used. A user license is not used when: Traffic is passed between the tr
Page 181 (User and Group Management): About user authentication. User authentication is the process of finding whether a user is who he or she is decla
Page 182 (User and Group Management): Set authentication options for all users. Some authentication options have an effect on all users. T
Page 183 (User and Group Management): About user accounts. When you create a local user for the Firebox X Edge e-Series, you select the administrative
Page 184 (User and Group Management): 4. In the Account Name field, type a name for the account. The user types this name to authenticat
Page 185 (User and Group Management): Authenticate a session without administrative access. If you require authentication to the Edge for the user to a
Page 186 (User and Group Management): Use the built-in administrator account. The Firebox X Edge e-Series has a built-in administrator acc
Page 187 (User and Group Management): Change a user account name or password. You can change an account name or account password. If you change the acc
Page ii: ADDRESS: 505 Fifth Avenue South, Suite 500, Seattle, WA 98104. SUPPORT: www.watchguard.com/support, U.S. and Canada +877.232.3531, All Oth
Page 8 (Introduction to Network Security): The Firebox X Edge and your Network. The Firebox X Edge controls all traffic between the extern
Page 188 (User and Group Management): About LDAP/Active Directory authentication. If you use LDAP authentication, you do not have to keep
Page 189 (User and Group Management): Configure the LDAP/Active Directory authentication service. When you enable LDAP authentication, you define one a
Page 190 (User and Group Management): 9. Use the LDAP Timeout drop-down list to select the number of seconds to use as a timeout for any
Page 191 (User and Group Management): Add a group for LDAP authentication. 1. To connect to the System Status page, type https:// in the browser addres
Page 192 (User and Group Management): 10. Select the Allow remote access with Mobile VPN with PPTP check box to allow the members of thi
Page 193 (User and Group Management): To use SSO, you must install the WatchGuard Authentication Gateway software, also known as the SSO agent softwa
Page 194 (User and Group Management): Enable Single Sign-On. 1. To connect to the System Status page, type https:// in the browser address
Page 195 (User and Group Management): Before you install. The SSO agent service must be run as a user. We recommend that you create a new user account
Page 196 (User and Group Management): Enable RADIUS authentication. When you enable RADIUS authentication, you define one authentication s
Page 197 (User and Group Management): See active sessions and users. On the Firebox Users page, you see information about the users who are online. 1.
Page 9 (Chapter 2, Installation): Before you begin. To install the WatchGuard Firebox X Edge e-Series in your network, you must complete these steps: Verify ba
Page 198 (User and Group Management): Stop a session. The Firebox X Edge e-Series monitors and records the properties of each user session
Page 199 (User and Group Management): Editing a user account. To edit a user account, click the Edit icon. For descriptions of the fields you can confi
Page 201 (Chapter 14, WebBlocker): About WebBlocker. If you give users unlimited web site access, your company can suffer lost productivity and reduced bandwidth
Page 202 (WebBlocker): Configure global WebBlocker settings. The first WebBlocker page in the Firebox X Edge e-Series configuration pages
Page 203 (WebBlocker): 5. Type a number, in minutes, in the Inactivity Timeout field. The Inactivity Timeout field shows the length of time the full
Page 204 (WebBlocker): Install the Quarantine Server and WebBlocker Server. To use the quarantine feature of spamBlocker or Gateway AntiVi
Page 205 (WebBlocker): Create a WebBlocker profile. 1. To connect to the System Status page, type https:// in the browser address bar, and the IP addre
Page 206 (WebBlocker): 4. In the Profile Name field, type a familiar name. Use this name to identify the profile during configuration. F
Page 207 (WebBlocker): About WebBlocker categories. The WebBlocker database contains nine category groups, with 54 website categories. A web site is add
Page 10 (Installation): Check package contents. Make sure that the package for your Firebox X Edge e-Series includes these items: Firebox
Page 208 (WebBlocker): Add, remove, or change a category. If you receive a message that the URL you entered is not in the SurfControl list
Page 209 (WebBlocker): About allowing sites to bypass WebBlocker. WebBlocker might deny a web site that is necessary for your business. You can overrid
Page 210 (WebBlocker): Add a denied site. 1. From the navigation bar, select WebBlocker > Denied Sites. The WebBlocker Denied Sites page
Page 211 (WebBlocker): Allow internal hosts to bypass WebBlocker. You can make a list of internal hosts that bypass WebBlocker. The internal hosts that
Page 213 (Chapter 15, spamBlocker): About spamBlocker. Unwanted email, also known as spam, fills the average inbox at an astonishing rate. A large volume of spam
Page 214 (spamBlocker): About Virus Outbreak Detection (VOD). Virus Outbreak Detection (VOD) is a technology that identifies email virus o
Page 215 (spamBlocker): spamBlocker categories. The Commtouch Recurrent-Pattern Detection (RPD) solution classifies spam attacks in its Anti-Spam Detec
Page 216 (spamBlocker): 3. By default, VOD scans inbound email messages up to a 40 kilobyte limit. You can increase or decrease this lim
Page 217 (spamBlocker): Set POP3 email actions. 1. From the Confirmed drop-down list, select Allow or Add a subject tag. The default action is Allow. I
Page 11 (Installation): Network Addressing Requirements. Speak with your ISP or corporate network administrator to learn how your computer receives its
Page 218 (spamBlocker): About spamBlocker exceptions. You can create an exception list to the general spamBlocker actions that is based on
Page 219 (spamBlocker): About using spamBlocker with multiple proxies. You can configure more than one SMTP or POP3 proxy service to use spamBlocker. T
Page 220 (spamBlocker): 8. The wizard asks what you want to do with the message. Select the move it to the specified folder check box. T
Page 221 (spamBlocker): Use RefID record instead of message text. If you want to send a report to Commtouch but cannot send the initial email mess
Page 222 (spamBlocker): Add trusted email forwarders to improve spam score accuracy. Part of the spam score for an email message is calcul
Page 223 (Chapter 16, Quarantine Server): About the Quarantine Server. The WatchGuard Quarantine Server provides a safe, full-featured quarantine mechanism for a
Page 224 (Quarantine Server): Install the Quarantine Server and WebBlocker Server. To use the quarantine feature of spamBlocker or Gateway
Page 225 (Quarantine Server): Start the Quarantine Server. To start the Quarantine Server, you must: Install Quarantine Server; Run the Setup Wizard
Page 226 (Quarantine Server): Configure the Quarantine Server. When you configure the Quarantine Server, you have these options: Set gene
Page 227 (Quarantine Server): Change expiration settings and user domains. 1. To open the Quarantine Server Configuration dialog box, right-click and
Page 12 (Installation): Finding your TCP/IP properties on Macintosh OS 9. 1. Select the Apple menu > Control Panels > TCP/IP. The TC
Page 228 (Quarantine Server): Add or remove user domains. The Expiration Settings tab of the Quarantine Server Configuration dialog box sh
Page 229 (Quarantine Server): 3. From the Quarantine Server Configuration dialog box, click the User Notification Settings tab. 4. To enable or disabl
Page 230 (Quarantine Server): Change logging settings. You can enable or disable logging for the server, and define where the server will
Page 231 (Quarantine Server): Change Quarantine Server rules. You set up rules to automatically remove certain messages if they come from a specific do
Page 232 (Quarantine Server): 5. Click the underlined words in the rule to add a specific domain, sender, or text string in the subject
Page 233 (Quarantine Server): Manage messages. You can see all messages on the Quarantine Server in a dialog box. You can sort messages by user, quaran
Page 234 (Quarantine Server): Set viewing options. You can use the Filter By drop-down list to see all messages or only those with a parti
Page 235 (Quarantine Server): Open the messages dialog box. 1. Right-click the Quarantine Server icon and select Manage Messages. 2. Type the server ma
Page 236 (Quarantine Server): About managing users. You add, delete, and configure users from the Users tab of the Quarantine Server Messa
Page 237 (Quarantine Server): Add users. Users are automatically added when messages are sent to the Quarantine Server for them. Use this procedure to
Page 13 (Installation): Register your Firebox and activate LiveSecurity Service. To enable all of the features on your Firebox X Edge, you must registe
Page 238 (Quarantine Server): Get statistics on Quarantine Server activity. Quarantine Server statistics include those messages that have
Page 239 (Chapter 17, Gateway AntiVirus and Intrusion Prevention Service): About Gateway AntiVirus and Intrusion Prevention. Hackers use many methods to attack c
Page 240 (Gateway AntiVirus and Intrusion Prevention Service): About Gateway AntiVirus settings. WatchGuard Gateway AntiVirus (Gateway AV)
Page 241 (Gateway AntiVirus and Intrusion Prevention Service): Configure Gateway AV. 1. To connect to the System Status page, type https:// in the brow
Page 242 (Gateway AntiVirus and Intrusion Prevention Service): 9. Select the Limit Scanning check box if you want the Gateway AV service
Page 243 (Gateway AntiVirus and Intrusion Prevention Service): Configure the Intrusion Prevention Service. 1. To connect to the System Status page, typ
Page 244 (Gateway AntiVirus and Intrusion Prevention Service): Update Gateway AV/IPS. New viruses and intrusion methods appear on the Inte
Page 245 (Chapter 18, Branch Office Virtual Private Networks): A VPN (Virtual Private Network) creates a secure connection between computers or networks in dif
Page 246 (Branch Office Virtual Private Networks): What you need to create a VPN. Before you configure your WatchGuard Firebox X Edge VPN
Page 247 (Branch Office Virtual Private Networks): About managed VPNs. You can configure a VPN tunnel on the Firebox X Edge e-Series with two procedure
Page 14 (Installation): Disable the HTTP proxy in Firefox 2.x. 1. Open the browser software. 2. Select Tools > Options. The Options windo
Page 248 (Branch Office Virtual Private Networks): Sample VPN address information table. Item | Description | Assigned by; External IP Address | T
Page 249 (Branch Office Virtual Private Networks): Create Manual VPN tunnels on your Edge. 1. To connect to the System Status page, type https:// in th
Page 250 (Branch Office Virtual Private Networks): Phase 1 settings. Internet Key Exchange (IKE) is a protocol used with VPN tunnels to ma
Page 251 (Branch Office Virtual Private Networks): To change Phase 1 configuration: 1. Select the negotiation mode from the Mode drop-down list. You c
Page 252 (Branch Office Virtual Private Networks): If your Edge is behind a device that does NAT. The Firebox X Edge e-Series can use NAT
Page 253 (Branch Office Virtual Private Networks): Phase 2 settings. Phase 2 negotiates the data management security association for the tunnel. The tu
Page 254 (Branch Office Virtual Private Networks): 6. Type the IP address of the local network and the remote networks that will send en
Page 255 (Branch Office Virtual Private Networks): Configure VPN Keep Alive. To keep the VPN tunnel open when there are no connections through it, you
Page 256 (Branch Office Virtual Private Networks): Related questions. Why do I need a static external address? To make a VPN connection, ea
Page 257 (Chapter 19, About Mobile VPN with PPTP): You can configure the Firebox X Edge e-Series as a PPTP VPN endpoint and allow up to 10 users to make simult
Page 15 (Installation): Connect the Firebox X Edge. Many people configure their Firebox X Edge e-Series on one computer before they put it on the netwo
Page 258 (About Mobile VPN with PPTP): Enable PPTP on the Edge. 1. To connect to the System Status page, type https:// and the IP address
Page 259 (About Mobile VPN with PPTP): 6. When a PPTP user connects to the Edge, the Edge must assign that user’s computer an available IP address fr
Page 260 (About Mobile VPN with PPTP): Enable PPTP access for firewall users. When you enable Mobile VPN with PPTP on your Edge, you must
Page 261 (About Mobile VPN with PPTP): Prepare the client computers. You must make sure each remote user’s computer is prepared to use PPTP. Each compu
Page 262 (About Mobile VPN with PPTP): Create and connect a PPTP Mobile VPN for Windows XP. To prepare a Windows XP client computer, you m
Page 263 (About Mobile VPN with PPTP): Create and connect a PPTP Mobile VPN for Windows 2000. To prepare a Windows 2000 remote host, you must configure
Page 264 (About Mobile VPN with PPTP): Options for Internet access through a Mobile VPN with PPTP tunnel. You can enable remote users to a
Page 265 (Chapter 20, About Mobile VPN with IPSec): The WatchGuard Mobile VPN with IPSec client is a software application that is installed on a remote compute
Page 266 (About Mobile VPN with IPSec): Enable Mobile VPN for a Firebox user account. 1. To connect to the Edge System Status page, type h
Page 267 (About Mobile VPN with IPSec): 10. Select Mobile User in the VPN Client Type drop-down list. This selection is required if you use a Windows
Page 16 (Installation): Add computers to the trusted network. You can connect as many as three computers to the trusted interface of the F
Page 268 (About Mobile VPN with IPSec): About Mobile VPN Client configuration files. With Mobile VPN with IPSec, the Firebox X Edge admini
Page 269 (About Mobile VPN with IPSec): WINS/DNS Settings for Mobile VPN with IPSec. Mobile VPN clients use shared Windows Internet Naming Service (WIN
Page 270 (About Mobile VPN with IPSec): Distribute the software and profiles. WatchGuard recommends distributing end-user profiles by encr
Page 271 (About Mobile VPN with IPSec): About the Mobile VPN with IPSec client. The WatchGuard Mobile VPN with IPSec client is installed on a user’s co
Page 272 (About Mobile VPN with IPSec): 4. On the Overwrite or add Profile screen, you can select to overwrite a profile of the same nam
Page 273 (About Mobile VPN with IPSec): Connect and disconnect the Mobile VPN client. The WatchGuard Mobile VPN with IPSec client software makes a secu
Page 274 (About Mobile VPN with IPSec): Control connection behavior. For each profile you import, you can control the action the Mobile VP
Page 275 (About Mobile VPN with IPSec): Mobile User VPN client icon. The Mobile User VPN icon appears in the Windows desktop system tray to show the st
Page 276 (About Mobile VPN with IPSec): 3. From the left pane, select Link Firewall. 4. From the Stateful Inspection drop-down list, sele
Page 277 (About Mobile VPN with IPSec): Enable the desktop firewall. To enable the full-featured desktop firewall: 1. From the WatchGuard Mobile VPN Con
Page 17 (Installation): About user licenses. Your Firebox X Edge firewall is enabled with a set number of user licenses. The total number of available
Page 278 (About Mobile VPN with IPSec): Define friendly networks. You can generate a firewall rule set for specific known networks that yo
Page 279 (About Mobile VPN with IPSec): General tab. You can define the basic properties of your firewall rules on the General tab of the Firewall Rule
Page 280 (About Mobile VPN with IPSec): Local tab. You can define any local IP addresses and ports that are controlled by your firewall ru
Page 281 (About Mobile VPN with IPSec): Remote tab. You can define any remote IP addresses and ports that are controlled by this rule on the Remote tab
Page 282 (About Mobile VPN with IPSec): Applications tab. You can limit your firewall rule so that it applies only when a specific applica
Page 283 (Chapter 21, About Mobile VPN with SSL): The WatchGuard Mobile VPN with SSL client is installed on a user’s computer, whether the user travels or work
Page 284 (About Mobile VPN with SSL): Client requirements. The WatchGuard Mobile VPN with SSL product supplies a VPN client for all Firebo
Page 285 (About Mobile VPN with SSL): Enable Mobile VPN with SSL for a group. When you enable Mobile VPN with SSL on your Edge, you must make sure to e
Page 286 (About Mobile VPN with SSL): 9. If you want the users in this group to have access to computers on the other side of a Branch O
Page 287 (About Mobile VPN with SSL): Enable the Edge to use Mobile VPN with SSL. 1. To connect to the System Status page, type https:// in the browser
User Guide iii Table of Contents Chapter 1 Introduction to Network Security ...
Installation 18 Firebox X Edge e-Series Use a static IP address This procedure configures a computer with the Windows XP operating system to use a static
About Mobile VPN with SSL 288 Firebox X Edge e-Series Virtual IP Address Range When a Mobile VPN user connects to the Edge, the Edge must assign that us
User Guide 289 About Mobile VPN with SSL DNS and WINS Servers The Domain Name Service (DNS) changes host names into IP addresses. WINS changes NetBIOS na
About Mobile VPN with SSL 290 Firebox X Edge e-Series About the Mobile VPN with SSL client The WatchGuard Mobile VPN with SSL client is installed on a us
User Guide 291 About Mobile VPN with SSL Install the Mobile VPN with SSL client software (Mac OS X) After Mobile VPN with SSL has been enabled on the Fir
About Mobile VPN with SSL 292 Firebox X Edge e-Series Mobile VPN with SSL client controls When the Mobile VPN with SSL client is running, the WatchGuard
User Guide 19 Installation Run the Quick Setup Wizard The Quick Setup Wizard starts after you type https://192.168.111.1 into the URL or address field of
Installation 20 Firebox X Edge e-Series
User Guide 21 3 Configuration Pages Overview About Edge Configuration Pages After you connect the WatchGuard Firebox X Edge e-Series to your network, you
Configuration Pages Overview 22 Firebox X Edge e-Series For example: 1. Start your web browser. 2. Select File > Open, type https://192.168.111.1 in
User Guide 23 Configuration Pages Overview Navigating the Firebox X Edge User Interface On the left side of the System Status page is the navigation bar
Configuration Pages Overview 24 Firebox X Edge e-Series Network page The Network page shows the current configuration of the trusted, optional, and exter
User Guide 25 Configuration Pages Overview Firebox Users page The Firebox Users page shows statistics on active sessions and local user accounts. It also
Configuration Pages Overview 26 Firebox X Edge e-Series Administration page The Administration page shows whether the Firebox X Edge uses HTTP or HTTPS f
User Guide 27 Configuration Pages Overview Firewall page The Firewall page shows incoming and outgoing policies and proxies, blocked web sites, and other
iv Firebox X Edge e-Series Set your computer to connect to the Edge...
Configuration Pages Overview 28 Firebox X Edge e-Series Logging page The Logging page shows the current event log, and the status of the Log Server and s
User Guide 29 Configuration Pages Overview WebBlocker page The WebBlocker page shows the WebBlocker settings, profiles, allowed sites, and denied sites.
Configuration Pages Overview 30 Firebox X Edge e-Series spamBlocker page The spamBlocker page shows spamBlocker status and settings, including actions fo
User Guide 31 Configuration Pages Overview Gateway AV/IPS page The Gateway AV/IPS page shows the Gateway AntiVirus and Intrusion Prevention Service statu
Configuration Pages Overview 32 Firebox X Edge e-Series VPN page The VPN page shows information on managed VPN gateways, manual VPN gateways, echo hosts,
User Guide 33 Configuration Pages Overview Monitoring the Firebox X Edge The System Status page is the primary configuration page of the Firebox X Edge.
Configuration Pages Overview 34 Firebox X Edge e-Series Mask If a netmask is associated with the entry, it is listed here. If not, an asterisk (*) is sh
User Guide 35 Configuration Pages Overview UDP is a stateless protocol. For UDP, the connection shows as: o REPLIED - there have been packets sent in bo
Configuration Pages Overview 36 Firebox X Edge e-Series Disk usage This status page shows the current state of the flash memory on the Edge. Filesystem N
User Guide 37 Configuration Pages Overview MTU TCP maximum transmission unit. Metric Metric of the interface. RX packets Statistics of received packets.
User Guide v Get a feature key ...
Configuration Pages Overview 38 Firebox X Edge e-Series STATE State of the process: R — running S — sleeping D,Z — inactive RSS Total number of kilobytes
User Guide 39 Configuration Pages Overview Security Services This status page shows basic reports on the activity of any enabled security subscription: G
Configuration Pages Overview 40 Firebox X Edge e-Series VPN statistics This status page shows VPN statistics such as: SA (Security Association) Traffi
User Guide 41 4 Configuration and Management Basics About basic configuration and management tasks After your Firebox X Edge e-Series is installed on your
Configuration and Management Basics 42 Firebox X Edge e-Series Before You Begin Do not edit your configuration file manually. Always use a WatchGuard M
User Guide 43 Configuration and Management Basics Back up your Edge configuration After you have configured your Firebox X Edge e-Series, you can save yo
Configuration and Management Basics 44 Firebox X Edge e-Series Reconnect the Firebox X Edge to a management server If your Firebox was managed by a Watch
User Guide 45 Configuration and Management Basics 8. In the Management Server Address text box, type the IP address of the Management Server if it has a
Configuration and Management Basics 46 Firebox X Edge e-Series About factory default settings The term factory default settings refers to the configurati
User Guide 47 Configuration and Management Basics Restore the Firebox to the factory default settings If you cannot correct a configuration problem and m
vi Firebox X Edge e-Series About the Dynamic DNS service ...
Configuration and Management Basics 48 Firebox X Edge e-Series Get a feature key Before you activate a new feature, you must have a license key certifica
User Guide 49 Configuration and Management Basics About Restarting the Firebox You can restart the Firebox X Edge e-Series from a computer on the trusted
Configuration and Management Basics 50 Firebox X Edge e-Series Restart the Firebox remotely If you want to be able to connect to the Edge to manage it or
User Guide 51 Configuration and Management Basics About using NTP to set system time To set the system time for Edge, you can specify a NTP server to set
Configuration and Management Basics 52 Firebox X Edge e-Series 4. To set the system time automatically, select the Use NTP to periodically automatically
User Guide 53 Configuration and Management Basics About SNMP Simple Network Management Protocol (SNMP) is a set of tools for monitoring and managing netw
Configuration and Management Basics 54 Firebox X Edge e-Series About selecting HTTP or HTTPS for management HTTP (Hypertext Transfer Protocol) is the lan
User Guide 55 Configuration and Management Basics Change the HTTP server port HTTPS typically uses TCP port 443 and HTTP typically uses TCP port 80. By d
Configuration and Management Basics 56 Firebox X Edge e-Series Enable centralized management with WSM Use these instructions to configure remote access f
User Guide 57 Configuration and Management Basics 8. In the Management Server Address text box, type the IP address of the Management Server if it has a
User Guide vii Filter outgoing traffic for a custom policy ...
Configuration and Management Basics 58 Firebox X Edge e-Series 4. From the Management Type drop-down list, select VPN Manager. 5. If you use VPN Manager
User Guide 59 Configuration and Management Basics Configure the Edge to forward HTTPS connections You must do this procedure from a computer that is conn
Configuration and Management Basics 60 Firebox X Edge e-Series About updating the Firebox X Edge software One advantage of your LiveSecurity Service is c
User Guide 61 Configuration and Management Basics About upgrade options You use two items to add upgrades to your Firebox X Edge: a feature key and a lic
Configuration and Management Basics 62 Firebox X Edge e-Series 5. From the navigation bar on the left side, select Administration > Upgrade. The Upgra
User Guide 63 5 Network Settings About network interface setup A primary component of the WatchGuard Firebox setup is the configuration of network interfa
Network Settings 64 Firebox X Edge e-Series Change the Firebox IP addresses with the Network Setup Wizard The easiest method to change the network IP add
User Guide 65 Network Settings Configure external interfaces You must configure your external network manually if you do not use the Network Setup Wizard
Network Settings 66 Firebox X Edge e-Series If your ISP uses static IP addresses If your ISP uses static IP addresses, you must enter the address informa
User Guide 67 Network Settings If your ISP uses PPPoE If your ISP uses PPPoE, you must enter the PPPoE information into your Firebox X Edge before it can
viii Firebox X Edge e-Series About blocked ports...
Network Settings 68 Firebox X Edge e-Series Advanced PPPoE settings The Quick Setup Wizard allows you to set up basic PPPoE settings. If necessary, you c
User Guide 69 Network Settings Configure your external interface as a wireless interface You can configure your primary external interface (WAN1) for you
Network Settings 70 Firebox X Edge e-Series About advanced external network settings On the Network > External configuration page, select the Advanced
User Guide 71 Network Settings To change the MAC address of the external interface: 1. Connect to the System Status page. Type https:// in the browser ad
Network Settings 72 Firebox X Edge e-Series About changing the IP address of the trusted network If necessary, you can change the trusted network IP addr
User Guide 73 Network Settings Enable DHCP server on the trusted network The DHCP Server option allows the Firebox X Edge e-Series to give IP addresses t
Network Settings 74 Firebox X Edge e-Series Set trusted network DHCP address reservations You can manually give the same IP address to a specified comput
User Guide 75 Network Settings About DHCP relay agents One way to get IP addresses for the computers on the trusted or optional networks is to use a DHCP
Network Settings 76 Firebox X Edge e-Series Use static IP addresses for trusted computers You can use static IP addresses for some or all of the computer
User Guide 77 Network Settings Restrict access to the trusted interface by MAC address 1. To connect to the System Status page, type https:// in the brow
User Guide ix Use Microsoft CA to create a certificate... 1
Network Settings 78 Firebox X Edge e-Series 6. To manually add a hardware address and its host name to your configuration, click Add. The Add Allowed Ad
User Guide 79 Network Settings About configuring the optional network The optional network is an isolated network for less secure public resources. By de
Network Settings 80 Firebox X Edge e-Series Enable the optional network 1. To connect to the System Status page, type https:// in the browser address bar
User Guide 81 Network Settings Enable DHCP server on the optional network The DHCP Server option sets the Firebox X Edge to give IP addresses to the comp
Network Settings 82 Firebox X Edge e-Series Set optional network DHCP address reservations You can manually assign an IP address to a specified computer
User Guide 83 Network Settings Make the Firebox a DHCP relay agent for the optional interface To configure the Firebox X Edge as a DHCP Relay Agent for t
Network Settings 84 Firebox X Edge e-Series About restricting access to an interface by MAC address You can control access to a Firebox X Edge e-Series i
User Guide 85 Network Settings Add a static route 1. To connect to the System Status page, type https:// in the browser address bar, followed by the IP a
Network Settings 86 Firebox X Edge e-Series About the Dynamic DNS service You can register the external IP address of the Firebox with the dynamic Domain
User Guide 87 Network Settings o The option statdns sends updates for a Static DNS host name. A Static DNS host is a dynamically acquired IP address tha