Firewall Basics with Fireware XTM 11.6

Source: docshare01.docshare.tips/files/14787/147875334.pdf · 2016-06-04 (posted 12-Aug-2020)


Course Introduction

Firewall Basics with Fireware XTM


Training Objectives

Use the basic management and monitoring components of WatchGuard System Manager (WSM)

Configure a WatchGuard XTM 2050, 1050, 8 Series, 5 Series, 3 Series, 2 Series, or XTMv device for your network

Create basic security policies for your XTM device to enforce

Use security services to expand XTM device functionality

Requirements

Necessary equipment and software:

• Management computer

• WatchGuard System Manager and Fireware XTM OS

• Firewall configuration file

• XTM 2 Series, 3 Series, 5 Series, 8 Series, XTM 1050, XTM 2050, or XTMv devices (optional)

Prerequisites:

• Basic knowledge of TCP/IP network functions and structure

It is helpful, but not necessary, to have:

• WatchGuard System Manager installed on your computer

• Access to a WatchGuard XTM device

• A printed copy of the instructor’s notes for this presentation, or a copy of the Fireware XTM Basics Student Guide

Outline

Getting Started

Work with XTM Device Configuration Files

Configure XTM Device Interfaces

Set up Logging and Notification

Use FSM to Monitor XTM Device Activity

Use NAT (Network Address Translation)

Define Basic Network Security Policies

Work with Proxy Policies

Work with SMTP and POP3 Proxies

Verify Users’ Identities


Outline

Block Unwanted Email with spamBlocker

Manage Web Traffic

Defend Your Network From Intruders

Use Gateway AntiVirus

Use Intrusion Prevention Service

Use Application Control

Use Reputation Enabled Defense

Generate Reports of Network Activity

Explore the Fireware XTM Web UI


Training Scenario

Fictional organization called the Successful Company

Training partners may use different examples for exercises

Try out the exercises to implement your security policy


Getting Started

Set Up Your Management Computer and XTM Device

Learning Objectives

Use the Quick Setup Wizard to make a configuration file

Start WatchGuard System Manager

Connect to XTM devices and WatchGuard servers

Launch other WSM applications


Management Computer

Select a computer with Windows 7, Windows Vista, Windows XP SP2, or Windows Server 2003 or 2008

Install WatchGuard System Manager (WSM) to configure, manage, and monitor your device

Install Fireware XTM OS, then use WSM to install updates and make configuration changes on the device

Server Software

When you install WSM, you have the option to install any or all of these WatchGuard servers:

• Management Server

• Log Server

• Report Server

• WebBlocker Server

• Quarantine Server

Servers can be installed on separate computers

• Each server must use a supported version of Windows.

• There are access requirements between the management computer, the XTM device, and some servers.

Activate your XTM Device

You must have or create a WatchGuard account

You must activate the XTM device before you can fully configure it

Have your device serial number ready


Setup Wizards

There are two setup wizards you can use to create an initial functional configuration file for your XTM device.

• Web Setup Wizard — To start the Web Setup Wizard, in a web browser, type: https://10.0.1.1:8080

• Quick Setup Wizard — To start the Quick Setup Wizard, in WatchGuard System Manager, select Tools > Quick Setup Wizard.

To use either setup wizard, you must connect the management computer to the trusted interface (eth1) of the XTM device.

The Web Setup Wizard can activate your XTM device and download the feature key from the WatchGuard web site if you connect the external interface (eth0) to a network with Internet access.

Quick Setup Wizard

Installs the Fireware XTM OS on the XTM device

Creates and uploads a basic configuration file

Assigns passphrases to control access to the XTM device

Prepare to Use the Quick Setup Wizard

Before you start, you must have:

• WSM and Fireware XTM OS installed on the management computer

• Network information

It is a good idea to have the feature key for your device before you start the wizard. You can copy it from the LiveSecurity web site during registration.

Launch the Quick Setup Wizard

For the Quick Setup Wizard to operate correctly, you must:

• Prepare the device to be discovered by the Quick Setup Wizard (QSW). The QSW shows you how to prepare each device.

• Assign a static IP address to your management computer from the same subnet that you plan to assign to the Trusted interface of the XTM device. Alternatively, you can get a DHCP address from the device when it is in Safe Mode.

• Connect the Ethernet interface of your computer to interface #1 of the device.

• Launch WatchGuard System Manager (WSM) and launch the Quick Setup Wizard from the WSM Tools menu.

Quick Setup Wizard — Select Your Device

Choose which model of XTM device to configure.


Quick Setup Wizard — Verify the Device Details

Verify that the model and serial number are correct.


Quick Setup Wizard — Name Your XTM Device

The name you assign to the device in the wizard is used to:

• Identify the device in WSM

• Identify the device in log files

• Identify the device in Log and Report Manager


Quick Setup Wizard — Configure the External Interface

The IP address you give to the external interface can be:

• A static IP address

• An IP address assigned with DHCP

• An IP address assigned with PPPoE

You must also add an IP address for the device default gateway. This is the IP address of your gateway router.

Quick Setup Wizard — Configure Interfaces

Configure the Trusted and Optional interfaces.

Select one of these configuration options:

• Mixed Routing Mode (Use these IP addresses) — Each interface is configured with an IP address on a different subnet.

• Drop-in Mode (Use the same IP address as the external interface) — All XTM device interfaces have the same IP address. Use drop-in mode when devices from the same publicly addressed network are located on more than one device interface.

Understand Routed Configurations

In mixed routing mode (routed configuration):

• Configure each interface with an IP address on a different subnet.

• Assign secondary networks on any interface.


Understand Drop-in Configurations

In drop-in mode:

• Assign the same primary IP address to all interfaces on your device.

• Assign secondary networks on any interface.

• You can keep the same IP addresses and default gateways for devices on your trusted and optional networks, and add a secondary network address to the XTM device interface so the device can correctly send traffic to those devices.
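The two addressing rules of the routed and drop-in slides above (each interface on its own subnet in mixed routing mode; one identical primary address on every interface in drop-in mode; secondary networks allowed on any interface in both modes) can be checked before a configuration file is saved to the device. The following Python script is an added example and is not WatchGuard code or part of the course: the Interface class, the check functions and the sample configurations are constructed here. The external, trusted and optional addresses follow the course network diagram; the secondary alias 172.16.100.1/24 is an assumed gateway address for the 172.16.100.0/24 secondary network.

```python
"""Check XTM interface addressing for mixed routing mode and drop-in mode.

Added example, not WatchGuard code. Interface, the check functions and the
sample addresses are constructed for illustration; 172.16.100.1/24 is an
assumed alias for the 172.16.100.0/24 secondary network.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str                 # physical interface, e.g. "eth1"
    kind: str                 # "external", "trusted" or "optional"
    primary: str              # primary address in CIDR form, e.g. "10.0.1.1/24"
    secondaries: list = field(default_factory=list)   # extra aliases, CIDR form


def _network(cidr):
    return ipaddress.ip_interface(cidr).network


def _overlaps(label, net, seen):
    """Problem strings for every already-seen network that overlaps `net`."""
    return [f"{label} {net} overlaps {other_label} {other}"
            for other_label, other in seen if net.overlaps(other)]


def check_mixed_routing(interfaces):
    """Mixed routing mode: every interface has its own subnet, so no primary
    or secondary network may overlap any other network on the device."""
    problems, seen = [], []
    for i in interfaces:
        for cidr in [i.primary] + i.secondaries:
            net = _network(cidr)
            label = f"{i.name} ({i.kind})"
            problems += _overlaps(label, net, seen)
            seen.append((label, net))
    return problems


def check_drop_in(interfaces):
    """Drop-in mode: all interfaces carry one identical primary address (one
    subnet spread across every interface). Secondary networks may still be
    added on any interface, but must not overlap the shared subnet or each
    other, or the device cannot tell which interface a destination is on."""
    if not interfaces:
        return ["no interfaces configured"]
    problems = []
    primaries = sorted({i.primary for i in interfaces})
    if len(primaries) != 1:
        problems.append("drop-in mode needs the same primary address on all "
                        "interfaces, found: " + ", ".join(primaries))
    seen = [("shared primary", _network(interfaces[0].primary))]
    for i in interfaces:
        for cidr in i.secondaries:
            net = _network(cidr)
            label = f"{i.name} secondary"
            problems += _overlaps(label, net, seen)
            seen.append((label, net))
    return problems


def validate(mode, interfaces):
    """Return a list of problems; an empty list means the addressing is
    consistent with the selected interface configuration mode."""
    if mode == "mixed":
        return check_mixed_routing(interfaces)
    if mode == "drop-in":
        return check_drop_in(interfaces)
    raise ValueError(f"unknown mode: {mode!r}")


# Constructed sample configurations.
MIXED_ROUTING = [
    Interface("eth0", "external", "203.0.113.2/24"),
    Interface("eth1", "trusted", "10.0.1.1/24", ["172.16.100.1/24"]),
    Interface("eth2", "optional", "10.0.2.1/24"),
]
MIXED_ROUTING_BAD = [          # the trusted /16 swallows the optional subnet
    Interface("eth0", "external", "203.0.113.2/24"),
    Interface("eth1", "trusted", "10.0.1.1/16"),
    Interface("eth2", "optional", "10.0.2.1/24"),
]
DROP_IN = [Interface(n, k, "203.0.113.2/24")
           for n, k in [("eth0", "external"), ("eth1", "trusted"), ("eth2", "optional")]]

if __name__ == "__main__":
    for mode, cfg in [("mixed", MIXED_ROUTING), ("mixed", MIXED_ROUTING_BAD), ("drop-in", DROP_IN)]:
        print(mode, validate(mode, cfg) or "ok")
```

The overlap test is deliberately stricter than "same subnet": a trusted /16 that contains the optional /24 is also rejected, because traffic for the optional network would then match two interfaces.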


Quick Setup Wizard — Add a Feature Key

When you purchase additional options for your device, you must get a new feature key to activate the new options. You can add feature keys in the Quick Setup Wizard, or later in Policy Manager.

Quick Setup Wizard — Set Passphrases

You define two passphrases for connections to the device

• Status passphrase — Read-only connections

• Configuration passphrase — Read-write connections

Both passphrases must be at least 8 characters long and different from each other

Quick Setup Wizard — Final Steps

Save a basic configuration to the device.

You are now ready to put your device in place on your network.

Remember to reset your management computer IP address.


WatchGuard System Manager

Start WSM

Connect to an XTM device or the Management Server

Display device status


Components of WSM

WSM includes a set of management and monitoring tools:

• Policy Manager

• Firebox System Manager

• HostWatch

• Log and Report Manager

• CA Manager

• Quarantine Server Client

To launch a tool, use the WSM Tools menu or click the tool icon


Firewall Basics with Fireware

Version 8.3

Administration

Work with Device Configuration Files


Learning Objectives

Start Policy Manager

Open and save configuration files

Configure the XTM device for remote administration

Reset XTM device passphrases

Back up and restore the XTM device configuration

Add XTM device identification information


What is Policy Manager?

A configuration tool that you can use to modify the settings of your XTM device

Changes made in Policy Manager do not take effect until you save them to the device

Launch Policy Manager from WSM

• Select a connected or managed device

• Click the Policy Manager icon on the toolbar

Navigate Policy Manager

From the View menu, select how policies are displayed

(Screenshots: Details View and Icon View)

Navigate Policy Manager

Use the menu bar to configure many device features.


Navigate Policy Manager

Security policies that control traffic through the device are represented by policies.

To edit a security policy, double-click a policy name.

Open and Save Configuration Files

Open a file from your local drive or from an XTM device

Save configuration files to your local drive or to the XTM device

Create new configuration files in Policy Manager

• New configuration files include a basic set of policies.

• You can add more policies.


Configure Your Device for Remote Administration

Connect from home to monitor device status

Change policies remotely to respond to new threats

Make the policy as restrictive as possible for security

Edit the WatchGuard policy to enable access from an external IP address

You can also use Fireware XTM Web UI to configure a device (over TCP port 8080)

Change XTM Device Passphrases

Minimum of eight characters

Change frequently

Restrict their use


Back Up the XTM Device Images

Create and restore an encrypted backup image

Backup includes feature key and certificate information

Encryption key is required to restore an image


Add XTM Device Identification Information

XTM device name and model

Contact information

Time zone for log files and reports


Upgrade Your XTM Device

To upgrade to a new version of Fireware XTM OS:

• Back up your existing device image.

• Download and install the new version of Fireware XTM OS on your management computer.

• From Policy Manager, select File > Upgrade.

• Browse to the location of the OS upgrade file: C:\Program Files\Common Files\WatchGuard\Resources\Fireware XTM

• Select the correct .sysa-dl file for your device:

XTM 2050: xtm2050_bc.sysa-dl

XTM 1050: xtm1050_bb.sysa-dl

XTM 8 Series: xtm8_b5.sysa-dl

XTM 5 Series: xtm5_b0.sysa-dl

XTMv: xtmv_c5.sysa-dl

XTM 330: xtm330_bd.sysa-dl

XTM 33: xtm3_aa.sysa-dl

XTM 25, 26: xtm2_a6.sysa-dl

XTM 21, 22, 23: xtm2_a0.sysa-dl

Network Settings

Configure XTM Device Interfaces


Learning Objectives

Configure external network interfaces with a static IP address, DHCP, and PPPoE

Configure a trusted and optional network interface

Use the XTM device as a DHCP server

Add WINS/DNS server locations to the device configuration

Add Dynamic DNS settings to the device configuration

Set up a secondary network or address

Understand Drop-In Mode and Bridge Mode

Add a Firewall to Your Network

Interfaces on separate networks

Most users have at least one external and one trusted

(Diagram: External 203.0.113.2/24; Trusted Network 10.0.1.1/24; Optional Network 10.0.2.1/24)

Beyond the Quick Setup Wizard

The Quick Setup Wizard configures the device with external, trusted, and optional networks by default:

eth0 = external

eth1 = trusted

eth2 = optional

You can change the interface assignments. In Policy Manager, select Network > Configuration.

Network Configuration Options

Modify the properties of an interface

• Change the interface type (from trusted to optional, etc.)

• Add secondary networks and addresses

• Enable the DHCP server

Configure additional interfaces

Configure WINS/DNS settings for the device

Add network or host routes

Configure NAT


Interface Independence

You can change the interface type of any interface configured with the Quick Setup Wizard.

You can also choose the interface type of any additional interface you enable.

Use a Dynamic IP Address for the External Interface

The XTM device can get a dynamic IP address for an external interface with DHCP or PPPoE.

Use Dynamic DNS

Register the external IP address of the XTM device with the supported dynamic DNS service, DynDNS.

Use a Static IP Address for the External Interface

The XTM device can use a static IP address given to you by your Internet Service Provider.

Enable the Device DHCP Server

Can be used on a trusted or optional interface

Type the first and last IP addresses of the range for DHCP

Configure up to 6 IP address ranges

Reserve some IP addresses for specified MAC addresses

Configure Trusted and Optional Interfaces

1. Start with a trusted network.

2. Add an optional network for public servers.

3. As your business grows, add more trusted and optional networks.

(Diagram: Trusted-Main 10.0.1.1/24; Public Servers 10.0.2.1/24; Finance 10.0.3.1/24, Trusted; Sales Force 10.0.4.1/24, Optional; Conference 10.0.5.1/24, Optional)

Add WINS/DNS Servers

All devices on the trusted and optional networks can use this server

Use an internal server or an external server

Used by the XTM device for DHCP, Mobile VPN, NTP time updates, and Subscription Service updates

Secondary Networks

Share one of the same physical networks as one of the device interfaces.

Add an IP alias to the interface, which is the default gateway for computers on the secondary network.

(Diagram: Trusted-Main 10.0.1.1/24; Secondary 172.16.100.0/24)

Network or Host Routes

Create static routes to send traffic from a device interface to a router. The router can then forward the traffic to the correct destination along the specified route.

If you do not specify a route to a remote network or host, all traffic to that network or host is sent to the device default gateway.
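As an added example of the route selection just described (not WatchGuard code or part of the course), the following Python class keeps the connected interface networks, static network routes and static host routes in one table, picks the most specific matching route for a destination, and falls back to the device default gateway when nothing matches. The interface addresses follow the course diagram; the RoutingTable class, the gateway addresses 203.0.113.1, 10.0.1.254 and 10.0.2.254, and the 192.168.50.0/24 branch network are constructed for this example.

```python
"""Longest-prefix route lookup with fallback to the device default gateway.

Added example, not WatchGuard code. RoutingTable and every gateway and
remote network below are constructed; only the three interface addresses
come from the course diagram.
"""
import ipaddress


class RoutingTable:
    def __init__(self, default_gateway, connected):
        """connected: iterable of (interface, cidr) for the device's own interfaces."""
        self.default_gateway = ipaddress.ip_address(default_gateway)
        self.routes = []          # (network, next_hop or None, interface)
        for iface, cidr in connected:
            self.routes.append((ipaddress.ip_interface(cidr).network, None, iface))
        # The default gateway itself must sit on a connected network.
        self.default_iface = self._connected_iface(self.default_gateway)
        if self.default_iface is None:
            raise ValueError(f"default gateway {default_gateway} is not on a connected network")

    def _connected_iface(self, addr):
        """Interface whose directly connected network contains addr, or None."""
        for net, hop, iface in self.routes:
            if hop is None and addr in net:
                return iface
        return None

    def add_route(self, destination, gateway):
        """Add a static network route ("192.168.50.0/24") or host route
        ("192.168.50.10", which becomes a /32). The gateway must be on a
        connected network, because the device hands the traffic to it directly."""
        net = ipaddress.ip_network(destination, strict=False)
        gw = ipaddress.ip_address(gateway)
        iface = self._connected_iface(gw)
        if iface is None:
            raise ValueError(f"gateway {gateway} is not on a connected network")
        self.routes.append((net, gw, iface))

    def lookup(self, destination):
        """Return (matched_route, next_hop, interface). The most specific
        (longest prefix) matching route wins; a host route therefore beats a
        network route. With no match at all the traffic goes to the default
        gateway."""
        addr = ipaddress.ip_address(destination)
        best = None
        for net, hop, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop, iface)
        if best is None:
            return ("default", str(self.default_gateway), self.default_iface)
        net, hop, iface = best
        return (str(net), str(hop) if hop is not None else "direct", iface)


def sample_table():
    """Constructed table: course interfaces, assumed gateways and routes."""
    rt = RoutingTable("203.0.113.1", [("eth0", "203.0.113.2/24"),
                                      ("eth1", "10.0.1.1/24"),
                                      ("eth2", "10.0.2.1/24")])
    rt.add_route("192.168.50.0/24", "10.0.1.254")   # branch subnet behind an internal router
    rt.add_route("192.168.50.10", "10.0.2.254")     # one host of it reached via another router
    return rt


if __name__ == "__main__":
    rt = sample_table()
    for dst in ["10.0.1.25", "192.168.50.7", "192.168.50.10", "198.51.100.9"]:
        print(dst, "->", rt.lookup(dst))
```

A route whose gateway is not on any connected network is rejected at configuration time, which is the same mistake the device would otherwise only reveal as silently dropped traffic.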


Drop-In Mode and Bridge Mode

Use Drop-In Mode if you want to have the same logical network (subnet) spread across all device interfaces.

• Computers in this subnet can be on any device interface

• You can add a secondary address to any device interface to use an additional network on the interface

Use Bridge Mode when you want the device to be invisible.

• You assign one IP address to the device for management connections

• Bridge Mode turns the device into a transparent Layer 2 bridge

Select the interface configuration mode at Network > Configuration.

Logging

Set Up Logging and Notification


Learning Objectives

Set up a Log Server

Configure the XTM device to send messages to a Log Server

Configure logging and notification preferences

Set the Diagnostic Log Level

View log messages


Introduction to the Log Server


Log Message Types

Traffic — Allowed and denied packets

Alarm — An event you configure as important that requires a log message or alert

Event — A device restart, or a VPN tunnel creation or failure

Debug — Additional messages with diagnostic information to help you troubleshoot network or configuration problems

Statistic — Information about the performance of the XTM device

Configure Logging

For log messages to be correctly stored, you must:

• Install the Log Server software

• Configure the Log Server

• Configure the XTM device to send log messages to the Log Server


Install the Log Server

In the WSM installer, select to install the Log Server component

The Log Server does not have to be installed on the same computer that you use as your management computer

The Log Server should be on a computer with a static IP address

Configure the Log Server

Right-click the WatchGuard Server Center icon in your Windows system tray to open WatchGuard Server Center. The Server Center Setup Wizard starts.

Create an administrator passphrase

Set the log encryption key

Configure Log Database Settings

Open WatchGuard Server Center to configure Log Server properties.

Type the administrator passphrase.

Select Log Server to configure Log Server settings.


Configure Log Database Settings

Server Settings — Database size and encryption key settings.

Database Maintenance — Specify database backup file settings, and select to use the Built-in database or an External PostgreSQL database.

Notification — Configure settings for event notification and the SMTP Server.

Logging — Firebox Status (which devices are currently connected to the Log Server) and where to send log messages.

Configure the XTM Device to Send Log Messages

Use Policy Manager

Set the same log encryption key that is used for the Log Server

Backup Log Servers can be used when the primary fails

Default Logging Policy

When you create a policy that allows traffic, logging is not enabled by default

When you create a policy that denies traffic, logging is enabled by default

If denied traffic does not match a specific policy, it is logged by default
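The three logging defaults above, together with the earlier advice to keep the WatchGuard remote-administration policy as restrictive as possible, decide which connections ever reach the Log Server. The following Python evaluator is an added example and is not WatchGuard code or part of the course: the Policy and Connection classes, evaluate() and the sample policies are constructed here; the management computer address 198.51.100.5, the trusted hosts and the policy names are assumed, and port 8080 is taken from the course's note on the Fireware XTM Web UI. It walks a first-match policy list, applies the per-action logging default unless the administrator set the flag explicitly, and denies and logs anything no policy handles.

```python
"""First-match policy evaluation with the course's logging defaults.

Added example, not WatchGuard code. Policy, Connection, evaluate() and the
sample policies are constructed; 198.51.100.5 (management computer) and the
trusted host addresses are assumed values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    name: str
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp" or "udp"
    port: int                   # destination port
    src: str                    # CIDR the client must come from
    dst: str                    # CIDR the server must be in
    log: Optional[bool] = None  # None = use the default for the action

    def logs(self):
        """Course default: allow policies do not log, deny policies do,
        unless the administrator set the flag explicitly."""
        return self.log if self.log is not None else self.action == "deny"

    def matches(self, conn):
        return (conn.proto == self.proto and conn.port == self.port
                and ipaddress.ip_address(conn.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(conn.dst) in ipaddress.ip_network(self.dst))


@dataclass
class Connection:
    src: str
    dst: str
    proto: str
    port: int


def evaluate(policies, conn):
    """Return (policy_name, action, logged) for the first policy that matches.
    Traffic that no policy handles is denied and logged by default."""
    for p in policies:
        if p.matches(conn):
            return (p.name, p.action, p.logs())
    return ("Unhandled", "deny", True)


ANY = "0.0.0.0/0"
TRUSTED = "10.0.1.0/24"           # trusted network from the course diagram
FIREBOX = "203.0.113.2/32"        # the device's external address
MGMT_HOST = "198.51.100.5/32"     # assumed remote management computer

# Constructed sample policy list; order matters because the first match wins.
# Remote administration is restricted to one source address, as the course advises.
POLICIES = [
    Policy("WatchGuard Web UI", "allow", "tcp", 8080, MGMT_HOST, FIREBOX),
    Policy("HTTP", "allow", "tcp", 80, TRUSTED, ANY),
    Policy("Telnet", "deny", "tcp", 23, ANY, ANY),
]

# Constructed sample connections: web browsing, a telnet attempt, remote
# administration from the allowed host, and the same from another address.
SAMPLE_CONNECTIONS = [
    Connection("10.0.1.20", "198.51.100.80", "tcp", 80),
    Connection("10.0.1.20", "198.51.100.80", "tcp", 23),
    Connection("198.51.100.5", "203.0.113.2", "tcp", 8080),
    Connection("198.51.100.77", "203.0.113.2", "tcp", 8080),
]


def run_samples():
    return [evaluate(POLICIES, c) for c in SAMPLE_CONNECTIONS]


if __name__ == "__main__":
    for conn, (name, action, logged) in zip(SAMPLE_CONNECTIONS, run_samples()):
        print(f"{conn.src} -> {conn.dst}:{conn.port}/{conn.proto}  {name}: {action}"
              f"{' (logged)' if logged else ''}")
```

Note what the defaults imply for monitoring: the successful HTTP and Web UI connections leave no trace unless logging is switched on for those allow policies, while the telnet attempt and the management attempt from the wrong address are both written to the log, the latter under the Unhandled entry.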


Set the Diagnostic Log Level

You can also configure the device to send detailed diagnostic log messages to help you troubleshoot a specific problem.

From Policy Manager, select Setup > Logging.

View Log Messages

You can see log messages with two different tools:

• Traffic Monitor — Real-time monitoring in FSM from any computer with

WSM

68 WatchGuard Training

View Log Messages

• Log and Report Manager — You can also use Log and Report Manager to see any log messages stored on the Log Server. Use the search feature to locate specific information in your log files.

Reports

Generate Reports of Network Activity

Learning Objectives

Set up and configure a Report Server
Generate and save reports at regular intervals
Generate and view reports
Change report settings
Save, print, and share reports

WSM Reporting Architecture

Configure the Report Server

Install on a Microsoft Windows computer
Can be the same computer as the Log Server
Configure the Report Server from WatchGuard Server Center
Select to use the built-in database or an external PostgreSQL database
Add one or more Log Server IP addresses
Set report interval, report type, and notification preferences

View Reports with Log and Report Manager

Log and Report Manager is a web UI that is installed with the Report Server
Add users in WatchGuard Server Center to enable them to use Log and Report Manager
Connect to Log and Report Manager over port 4130 to view and generate reports

View Reports with Log and Report Manager

View available reports (scheduled reports)
Create on-demand reports and per-client reports
Launch Log and Report Manager from WSM
Save reports in PDF format

Monitor Your Firewall

Monitor Activity Through the XTM Device

Learning Objectives

Interpret the information in the WSM display
Use Firebox System Manager to monitor device status
Change Traffic Monitor settings
Use Performance Console to visualize device performance
Use HostWatch to view network activity and block a site
Add and remove sites from the Blocked Sites list

WatchGuard System Manager Display

Firebox System Manager

Front Panel
Traffic Monitor
Bandwidth Meter
Service Watch
Status Report
Authentication List
Blocked Sites
Subscription Services

Traffic Monitor

View log messages as they occur
Set custom colors and fields
Start traceroute or ping to source and destination IP addresses
Copy information to another application

Performance Console

Monitor and graph XTM device activity
Launch from Firebox System Manager
System Information — Firebox statistics, such as the number of total active connections and CPU usage
Interfaces — Total number of packets sent and received through the XTM device interfaces
Policies — Total connections, current connections, and discarded packets
VPN Peers — Inbound and outbound SAs and packets
Tunnels — Inbound and outbound packets, authentication errors, and replay errors

Use HostWatch to View Connections

Graphical display of live connections
One-click access to more details on any connection
Temporarily block sites

Use the Blocked Sites List

View sites added temporarily by the device as it blocks the source of denied packets
Change expiration settings for temporarily blocked sites

NAT

Use Network Address Translation

Learning Objectives

Understand network address translation types
Add dynamic NAT entries
Use static NAT for public servers

What is Network Address Translation?

Turns one public IP address into many
Protect the map of your network

Diagram: Your Network (devices and users with private IP addresses) → XTM device with NAT enabled → the Internet sees only one public address (an External XTM device IP address)

Add Firewall Dynamic NAT Entries

Most frequently used form of NAT
Changes the outgoing source IP address to the external IP address of the XTM device
Enabled by default for standard private network IP addresses, such as 192.168.0.0/16

Static NAT for Public Servers

Web traffic — One external IP to private static IP
FTP traffic — Same external IP to second, private static IP
SMTP traffic — Same external IP to third, private static IP

Diagram: external IP 203.0.113.2 forwards into Your Network: TCP port 80 → Web server 10.0.2.80; TCP port 21 → FTP server 10.0.2.21; TCP port 25 → Email server 10.0.2.25

1-to-1 NAT for Public Servers

NetMeeting traffic — Dedicated IP address on the external interface
IKE traffic — Second dedicated public IP address
Intel Phone (H.323) — Another external IP address

Diagram: hosts in Your Network behind the 1-to-1 mappings: NetMeeting 10.0.2.11 (ports 1720, 389, dynamic); IKE without NAT-T 10.0.2.12; Intel-Video-Phone 10.0.2.13 (ports 1720, 522)
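The three NAT types from the slides above, modeled in Python as an added example (not WatchGuard code): static NAT on the shared external IP 203.0.113.2 to 10.0.2.80/.21/.25, 1-to-1 NAT for 10.0.2.11 to 10.0.2.13, and default dynamic NAT for private source ranges. The dedicated public addresses 203.0.113.11 to 203.0.113.13 and the remote endpoints are constructed, since the deck gives only the internal hosts.

```python
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# External XTM interface address from the static NAT diagram.
EXTERNAL_IP = "203.0.113.2"

# Dynamic NAT is enabled by default for the standard private ranges; the deck
# names 192.168.0.0/16, the other two RFC 1918 blocks are listed for completeness.
PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Static NAT: one shared external IP, a different internal host per port.
STATIC_NAT = {
    (EXTERNAL_IP, 80, "tcp"): ("10.0.2.80", 80),  # web server
    (EXTERNAL_IP, 21, "tcp"): ("10.0.2.21", 21),  # FTP server
    (EXTERNAL_IP, 25, "tcp"): ("10.0.2.25", 25),  # email server
}

# 1-to-1 NAT: a dedicated external IP per internal host, all ports, both
# directions. The public addresses here are constructed for the example.
ONE_TO_ONE = {
    "203.0.113.11": "10.0.2.11",  # NetMeeting
    "203.0.113.12": "10.0.2.12",  # IKE without NAT-T
    "203.0.113.13": "10.0.2.13",  # Intel-Video-Phone (H.323)
}
ONE_TO_ONE_REVERSE = {inside: outside for outside, inside in ONE_TO_ONE.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Dynamic NAT state key: (external port, proto, remote ip, remote port).
FlowKey = Tuple[int, str, str, int]


@dataclass
class NatEngine:
    dynamic: Dict[FlowKey, Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Trusted -> external: rewrite the source address."""
        if pkt.src in ONE_TO_ONE_REVERSE:
            # 1-to-1 NAT wins over dynamic NAT and keeps the source port.
            return replace(pkt, src=ONE_TO_ONE_REVERSE[pkt.src])
        if any(ip_address(pkt.src) in net for net in PRIVATE_RANGES):
            # Dynamic NAT: many private hosts share EXTERNAL_IP, so each flow
            # gets its own external port and the original endpoint is remembered.
            ext_port = self._allocate_port()
            self.dynamic[(ext_port, pkt.proto, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            return replace(pkt, src=EXTERNAL_IP, sport=ext_port)
        return pkt  # public source address: nothing to translate

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """External -> trusted: rewrite the destination. Returns None when no
        NAT entry matches; the packet then meets the policies untranslated."""
        flow = (pkt.dport, pkt.proto, pkt.src, pkt.sport)
        if pkt.dst == EXTERNAL_IP and flow in self.dynamic:
            # Reply for a dynamically translated flow; only the remembered
            # remote endpoint can use the allocated port.
            inside_ip, inside_port = self.dynamic[flow]
            return replace(pkt, dst=inside_ip, dport=inside_port)
        static = STATIC_NAT.get((pkt.dst, pkt.dport, pkt.proto))
        if static is not None:
            return replace(pkt, dst=static[0], dport=static[1])
        if pkt.dst in ONE_TO_ONE:
            return replace(pkt, dst=ONE_TO_ONE[pkt.dst])
        return None

    def _allocate_port(self) -> int:
        # Simplified allocator: one fresh port per outbound flow.
        port = self.next_port
        self.next_port += 1
        return port


if __name__ == "__main__":
    nat = NatEngine()
    print(nat.inbound(Packet("198.51.100.7", 51515, EXTERNAL_IP, 80)))   # -> 10.0.2.80:80
    out = nat.outbound(Packet("10.0.2.50", 51000, "198.51.100.7", 443))
    print(out, nat.inbound(Packet("198.51.100.7", 443, EXTERNAL_IP, out.sport)))
    print(nat.inbound(Packet("198.51.100.7", 51515, EXTERNAL_IP, 443)))  # None: no NAT entry
```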

Configure Policies

You can customize 1-to-1 NAT and Dynamic NAT settings in each policy
The settings in Network > NAT apply unless you modify the NAT settings in a policy
Use the Set Source IP option when you want any traffic that uses this policy to show a specified address from your public or external IP address range as the source IP address.

Configure Policies

To configure a policy to use static NAT, click Add in the To section of the policy, then select Add SNAT.
You can also select Setup > Actions > SNAT to add, edit, or delete SNAT actions.

Policies

Convert Network Policy to Device Configuration

Learning Objectives

Understand the difference between a packet filter policy and a proxy policy
Add a policy to Policy Manager and configure its access rules
Create a custom packet filter policy
Set up logging and notification rules for a policy
Use advanced policy properties
Understand the function of the Outgoing policy
Understand the function of the TCP-UDP proxy
Understand the function of the WatchGuard policy
Understand how the XTM device determines policy precedence

What is a Policy?

A rule to limit access through the XTM device
Can be configured to allow traffic or deny traffic
Can be enabled or disabled
Applies to specific port(s) and protocols
Applies to traffic that matches From and To fields:
• From — Specific source hosts, subnets, or users/groups
• To — Specific destination hosts, subnets, or users/groups

Packet Filters, Proxies, and ALGs

Two types of policies:
• Packet Filter — Examines the IP header of each packet, and operates at the network and transport protocol packet layers.
• Proxy & ALG (Application Layer Gateway)
  Proxy — Examines the IP header and the content of a packet at the application layer. If the content does not match the criteria you set in your proxy policies, you can set the proxy to deny the packet. Some proxy policies allow you to remove the disallowed content.
  ALG — Completes the same functions as a proxy, but also provides transparent connection management.

Proxy policies and ALGs examine the commands used in the connection to make sure they are in the correct syntax and order, and use deep packet inspection to make sure that connections are secure.

Packet Filters, Proxies, and ALGs

Proxies & ALGs:
• Remove all the network data
• Examine the contents
• Add the network data again
• Send the packet to its destination

What are Packet Filters, Proxies, and ALGs?

Comparison of what each policy type inspects:
Packet Filter — Source, Destination, Port(s)/Protocols
Proxy & ALG — Source, Destination, Port(s)/Protocols, Packet body, Attachments, RFC Compliance, Commands

Add a Policy in Policy Manager

1. Select a policy from a pre-defined list.
2. Decide if the policy allows or denies traffic.
3. Configure the source (From) and destination (To).

Modify Policies

To edit a policy, double-click the policy
By default, a new policy:
• Is enabled and allowed
• Allows traffic on the port(s) specified by the policy
• Allows traffic from any trusted network to any external destination

Change Policy Sources and Destinations

You can:
• Select a pre-defined alias, then click Add.
• Click Add User to select an authentication user or group.
• Click Add Other to add a host IP address, network IP address, or host range.

When do I use a custom policy?

A custom policy can be either a packet filter or proxy policy.
Use a custom policy if:
• None of the pre-defined policies include the specific combination of ports that you want.
• You need to create a policy that uses a protocol other than TCP or UDP.

Logging and Notification for Policies

When you enable logging in a policy, you can also select whether the XTM device sends a notification message or triggers an SNMP trap.
Notification options include:
• Send email to a specified address
• A pop-up notification on the Log Server

Set Logging Rules for a Policy

The XTM device generates log messages for many different types of activities
You enable logging for policies to specify when log messages are generated and sent to the Log Server

What is Precedence?

Precedence is used to decide which policy controls a connection when more than one policy could control that connection
In Details view, the higher the policy appears in the list, the greater its precedence.
If two policies could apply to a connection, the policy higher in the list controls that connection

What is Precedence?

Policies can be moved up or down in Manual Order mode to set precedence, or restored to the order assigned by Policy Manager with Auto-Order Mode
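Policy precedence together with the defaults from the Default Logging Policy slide, modeled in Python as an added example (not WatchGuard code): the list is walked in Details view order, the first enabled match controls the connection, allow policies do not log unless logging is enabled, deny policies log by default, and traffic that matches no policy is denied and logged. The policy names, alias names and the Manual Order reordering helper are constructed for the example; Outgoing mirrors the default policy the deck describes.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Connection:
    src_alias: str   # alias the source resolved to, e.g. "Any-Trusted"
    dst_alias: str   # alias the destination resolved to, e.g. "Any-External"
    proto: str       # "tcp" or "udp"
    dport: int


@dataclass
class Policy:
    name: str
    action: str                      # "allow" or "deny"
    protocols: Sequence[str]
    ports: Optional[Sequence[int]]   # None = any port (like the Outgoing policy)
    src: Sequence[str]               # From field
    dst: Sequence[str]               # To field
    enabled: bool = True
    # None means "use the default": deny policies log, allow policies do not.
    log: Optional[bool] = None

    def logs(self) -> bool:
        return self.action == "deny" if self.log is None else self.log

    def matches(self, conn: Connection) -> bool:
        if not self.enabled or conn.proto not in self.protocols:
            return False
        if self.ports is not None and conn.dport not in self.ports:
            return False
        return _alias_match(self.src, conn.src_alias) and _alias_match(self.dst, conn.dst_alias)


def _alias_match(entries: Sequence[str], alias: str) -> bool:
    return "Any" in entries or alias in entries


@dataclass(frozen=True)
class Decision:
    action: str
    policy: str
    logged: bool


def evaluate(policies: List[Policy], conn: Connection) -> Decision:
    """First match in list order controls the connection (higher = greater precedence)."""
    for pol in policies:
        if pol.matches(conn):
            return Decision(pol.action, pol.name, pol.logs())
    # Denied traffic that matches no specific policy is logged by default.
    return Decision("deny", "Unhandled", True)


def move_policy(policies: List[Policy], name: str, new_index: int) -> List[Policy]:
    """Manual Order mode: reposition one policy and return the new list."""
    ordered = [p for p in policies if p.name != name]
    ordered.insert(new_index, next(p for p in policies if p.name == name))
    return ordered


# Constructed sample configuration, in Details view order.
SAMPLE_POLICIES = [
    Policy("Block-Telnet", "deny", ("tcp",), (23,), ("Any-Trusted",), ("Any-External",)),
    Policy("HTTP", "allow", ("tcp",), (80,), ("Any-Trusted",), ("Any-External",), log=True),
    Policy("Outgoing", "allow", ("tcp", "udp"), None, ("Any-Trusted", "Any-Optional"), ("Any-External",)),
]

if __name__ == "__main__":
    telnet = Connection("Any-Trusted", "Any-External", "tcp", 23)
    print(evaluate(SAMPLE_POLICIES, telnet))  # denied by Block-Telnet, logged
    # Moving the deny below Outgoing lets Outgoing win, silently (no log by default).
    print(evaluate(move_policy(SAMPLE_POLICIES, "Block-Telnet", 2), telnet))
```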

Advanced Policy Properties

Schedules
Connection rate limits
Override NAT settings
QoS settings
ICMP error handling

Schedule Policies

Set the times of day when the policy is enabled

Understand the Outgoing policy

The Outgoing packet filter policy is added in the default configuration
Allows all outgoing TCP and UDP connections from trusted and optional networks to external networks
Enables the XTM device to “work out of the box” but could have security problems
If you remove the Outgoing policy, you must add policies to allow outgoing traffic

Understand the TCP-UDP proxy

Enables TCP and UDP protocols for outgoing traffic
Applies proxy rules to traffic for the HTTP, HTTPS, SIP, and FTP protocols, regardless of the port numbers
Blocks selected IM and P2P applications, regardless of port.

The WatchGuard Policy

Controls management connections to the XTM device
By default, this policy allows only local administration of the device.
You must edit the configuration to allow remote administration.

Find Policy Tool

Fireware XTM features a utility to find policies that match the search criteria you specify.
With Find Policies, you can quickly check for policies that match user or group names, IP addresses, port numbers, and protocols.

Proxy Policies

Use Proxy Policies and ALGs to Protect Your Network

Learning Objectives

Understand the purpose and configuration of proxy policies and ALGs
Configure the DNS-proxy to protect a DNS server
Configure an FTP-Server proxy action
Configure an FTP-Client proxy action
Enable logging for proxy actions

What are Proxies and ALGs?

Proxy policies and ALGs (Application Layer Gateways) are powerful and highly customizable application inspection engines and content filters.
A packet filter looks at IP header information only.
A proxy or ALG looks at the content of the network data. ALGs also provide transparent connection management.

What is the DNS Proxy?

Domain Name System
Validates all DNS traffic
Blocks badly formed DNS packets
Fireware XTM includes two methods to control DNS traffic:
• DNS packet filter — IP headers only
• DNS-Proxy filter — content

Control Incoming Connections

Use the DNS-Incoming action as a template
You own the server
You decide who gets to connect to the server

Diagram: incoming queries → DNS Proxy on the XTM device → DNS server in your network

Configuring DNS-Incoming

General
OpCodes
Query Types
Query Name
Intrusion Prevention
Proxy Alarm

Control Outgoing Connections

Use the DNS-Outgoing action as a template
Operates with Intrusion Prevention Service
Deny queries for specified domain names

Diagram: Your Network → DNS Proxy on the XTM device → external DNS server

Use DNS-Outgoing

Use DNS-Outgoing to block DNS requests for services, such as queries for:
• POP3 servers
• Advertising networks
• IM applications
• P2P applications
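What the DNS proxy checks that a packet filter cannot, as an added Python example (not WatchGuard code): a minimal parser for a DNS query that rejects badly formed packets, plus a proxy action that applies OpCodes, Query Types and Query Name rulesets in the style of the DNS-Incoming and DNS-Outgoing templates above. The allowed lists, the denied domain names (under the reserved .example TLD) and the sample queries are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Sequence

OPCODE_QUERY = 0
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT",
               28: "AAAA", 252: "AXFR", 255: "ANY"}


class MalformedDns(ValueError):
    """Packet does not parse as a single well-formed DNS query."""


@dataclass(frozen=True)
class DnsQuery:
    txid: int
    opcode: int
    qname: str
    qtype: int


def parse_query(data: bytes) -> DnsQuery:
    """Parse the header and the single question of a DNS query (RFC 1035 layout)."""
    if len(data) < 12:
        raise MalformedDns("header shorter than 12 bytes")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x8000:
        raise MalformedDns("QR bit set: a response, not a query")
    if qdcount != 1:
        raise MalformedDns(f"expected 1 question, got {qdcount}")
    opcode = (flags >> 11) & 0xF
    labels, pos = [], 12
    while True:
        if pos >= len(data):
            raise MalformedDns("question name runs past end of packet")
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Rejects compression pointers and any label longer than 63 octets.
            raise MalformedDns("invalid label length or compression pointer")
        label = data[pos:pos + length]
        pos += length
        if len(label) != length:
            raise MalformedDns("truncated label")
        try:
            labels.append(label.decode("ascii"))  # this example treats non-ASCII labels as malformed
        except UnicodeDecodeError as exc:
            raise MalformedDns("non-ASCII label") from exc
    if pos + 4 > len(data):
        raise MalformedDns("missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    if qclass != 1:
        raise MalformedDns(f"unexpected QCLASS {qclass}")
    qname = ".".join(labels).lower()
    if len(qname) > 253:
        raise MalformedDns("name longer than 253 characters")
    return DnsQuery(txid, opcode, qname, qtype)


@dataclass(frozen=True)
class DnsProxyAction:
    """OpCodes, Query Types and Query Name rulesets of one proxy action."""
    name: str
    allowed_opcodes: FrozenSet[int]
    allowed_qtypes: FrozenSet[int]
    denied_names: Sequence[str] = ()   # domains (and their subdomains) to refuse

    def decide(self, packet: bytes) -> str:
        try:
            q = parse_query(packet)
        except MalformedDns as exc:
            return f"deny: malformed ({exc})"
        if q.opcode not in self.allowed_opcodes:
            return f"deny: opcode {q.opcode}"
        if q.qtype not in self.allowed_qtypes:
            return f"deny: qtype {QTYPE_NAMES.get(q.qtype, q.qtype)}"
        for domain in self.denied_names:
            if q.qname == domain or q.qname.endswith("." + domain):
                return f"deny: name {q.qname}"
        return "allow"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed test input: a standard recursive query for name/qtype."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, opcode 0
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed rulesets in the style of the two templates.
DNS_INCOMING = DnsProxyAction("DNS-Incoming", frozenset({OPCODE_QUERY}),
                              frozenset({1, 2, 6, 15, 16, 28}))       # no AXFR, no ANY
DNS_OUTGOING = DnsProxyAction("DNS-Outgoing", frozenset({OPCODE_QUERY}),
                              frozenset({1, 2, 5, 6, 15, 16, 28}),
                              denied_names=("adnetwork.example", "p2p-tracker.example"))
```

Feeding `DNS_INCOMING.decide(build_query("example.com", 252))` returns `deny: qtype AXFR`, while a truncated packet such as `build_query("www.example.com", 1)[:20]` is reported as malformed rather than forwarded.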

Fireware XTM Proxies

DNS
FTP
H323 and SIP (Application Layer Gateways)
HTTP and HTTPS
SMTP and POP3
TCP-UDP — Applies the proxies to traffic on all TCP ports

What is a Proxy Action?

A set of rules that tell the XTM device how to apply one of the proxies to traffic of a specific type.
You can apply a proxy action to more than one policy.

Import/Export Proxy Actions

You can import and export:
• Entire user-created proxy actions (not predefined proxy actions)
• Rulesets
• WebBlocker exceptions
• spamBlocker exceptions

What is FTP?

File Transfer Protocol
Often used to move files between two locations
Client and server architecture
Fireware XTM includes two methods to control FTP traffic:
• FTP packet filter — IP headers only
• FTP-proxy — content and commands

FTP-Proxy

Restricts the types of commands and files that can be sent through FTP
Works with the Gateway AV Service

FTP-Client Action Rulesets

General
Commands
Download
Upload
AntiVirus
Proxy and AV alarms

Control Incoming Connections

Use the FTP-Server proxy action as a template
The FTP server must be protected by the XTM device
You decide who can connect to the FTP server

Diagram: Anybody → FTP Proxy on the XTM device → Your FTP server

Define FTP-Server Action Rulesets

General
Commands
Download
Upload
AntiVirus
Proxy alarms

The same options that are available in the FTP-Client proxy action are also available in the FTP-Server proxy action.
Smart defaults are used in each ruleset to protect clients (FTP-Client) and servers (FTP-Server).

Logging and Proxies

Proxy policies contain many more advanced options for logging than packet filter policies.
Each proxy category has its own check box to enable logging.
If you want detailed reports with information on packets handled by proxy policies, make sure you select the Enable logging for reports check box in each proxy action.

Email Proxies

Work with the SMTP and POP3 Proxies

Learning Objectives

Understand the SMTP and POP3 proxies
Understand the available actions for email
Control incoming email
Control outgoing email

SMTP and POP3 Proxies

Used to restrict the types and size of files sent and received in email
Operate with Gateway AV and spamBlocker

Proxy Actions Available for Email

Default actions available:
• Allow — Email is allowed through your device
• Lock — Email is allowed through your device; the attachment is encoded so only the XTM device administrator can open it
• AV Scan — Gateway AntiVirus is used to scan the attachment
• Strip — Email is allowed through your device, but the file attachment(s) are deleted
• Drop — The SMTP connection is closed
• Block — The SMTP connection is closed and the sender is added to the blocked sites list

Also available with Gateway AntiVirus and spamBlocker:
• Quarantine — Email is stored on the Quarantine Server (only with SMTP) and is not sent to the recipient

Control Incoming Email

Use SMTP-Incoming and POP3-Server actions as a template
You decide what email you want to allow

Diagram: Anybody → SMTP Proxy on the XTM device → Your SMTP server → Your users

Control Outgoing Email

Use SMTP-Outgoing or POP3-Client action as a template
You know the users
You decide what they can send

Diagram: Your users → SMTP Proxy on the XTM device → Their email server → Anybody

Authentication

Verify a User’s Identity

Learning Objectives

Understand authentication and how it works with the XTM device
List the types of third-party authentication servers you can use with Fireware XTM
Use Firebox authentication users and groups
Add a Firebox authentication group to a policy definition
Modify authentication timeout values
Use the XTM device to create a custom web server certificate

What is User Authentication?

Identify each user as they connect to network resources
Restrict policies by user name

WatchGuard Authentication

The user browses to the XTM device interface IP address on TCP port 4100
The XTM device presents an authentication page
The XTM device verifies that the credentials entered are correct, and allowed for the type of connection
The XTM device allows access to resources valid for that authenticated user or group

Supported Authentication Servers

Firebox
RADIUS
VASCO
SecurID
LDAP
Active Directory
Single Sign-On option

Use Firebox Authentication

To use the XTM device as an authentication server:
• Make groups
• Define users
• Edit policies

Edit Policies for Authentication

Create users and groups
Use the user and group names in policy properties
Define From or To information

Use Third-Party Servers

Set up a third-party authentication server
Get configuration information, such as secrets and IP addresses
Make sure the authentication server can contact the XTM device

Set Global Authentication Values

Session and idle timeout values
Number of concurrent connections
Enable Single Sign-On with Active Directory authentication
Enable redirect to the authentication page if the user is not yet authenticated
• After users authenticate, they are redirected to the site they originally selected.
Specify the authentication server that appears at the top of the Domain list in the Authentication Portal
Configure Terminal Services

Enable Single Sign-On

Transparent authentication, no need to open a web page
Available with Windows Active Directory
Install the SSO Agent on a Windows server with a static IP address
Install the SSO Client on all workstations (optional but highly recommended)
Install the Event Log Monitor on the domain controller
SSO Agent passes user credentials to the XTM device
Use SSO exceptions for IP addresses that cannot authenticate (computers that are not domain members, or non-Windows PCs)

Enable Terminal Services

Enables users to authenticate to your XTM device over a Terminal Server or Citrix server
Enables your XTM device to report the actual IP address of each user logged in to the device
Can use with any configured authentication method (e.g. Firebox authentication, Active Directory, RADIUS, etc.)

Fireware XTM Web Server Certificate

Why does the user get warnings from the browser?
• Name on the certificate does not match the URL
• Fix this problem with a custom certificate that has all of the XTM device IP addresses as possible name matches
• User must still import this certificate to trusted root stores

Blocking Spam

Stop Unwanted Email with spamBlocker

Learning Objectives

Activate and configure spamBlocker
Specify the actions to take when bulk email is detected
Block or allow email messages from specified sources
Monitor spamBlocker activity
Install and configure Quarantine Server

What is spamBlocker?

Technology licensed from Commtouch™ to identify spam, bulk, or suspect email
No local server to install
You can install Quarantine Server, but it is not necessary for spamBlocker to work correctly.
XTM device sends information to external servers to classify email and caches the results
Operates with the SMTP and POP3 proxies
You must have an SMTP or POP3 proxy action configured to use spamBlocker

Activate spamBlocker

A feature key is required to enable spamBlocker
• Use Policy Manager or FSM to add the feature key
• Save the configuration to the XTM device
Run the Activate spamBlocker Wizard

Configure a Policy for spamBlocker

Use the SMTP-proxy or POP3-proxy
Choose the proxy response to spam categorization
Add exceptions

spamBlocker Actions

Spam is classified into three categories:
• Spam
• Bulk
• Suspect
For each category, you can configure the action taken:
• Allow
• Add Subject Tag
• Quarantine (SMTP only)
• Deny (SMTP only)
• Drop (SMTP only)

spamBlocker Exceptions

You can configure exceptions for specific senders or recipients by:
• Email address
• Domain by pattern match (*@xyz.com)
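The per-category actions, the SMTP-only restriction on Quarantine, Deny and Drop, and the address or `*@domain` exceptions from the last two slides, modelled in Python as an added example (not WatchGuard code). The rule that a matching exception wins over the category action, the field an exception applies to, and the sample addresses are assumptions for illustration.

```python
"""spamBlocker category actions and sender/recipient exceptions, modelled on
the slides. Added example, not WatchGuard code. Category and action names and
the SMTP-only restriction come from the slides; the exception semantics (an
exception's action wins over the category action), the field an exception
applies to, and the sample messages are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CATEGORIES = ("Spam", "Bulk", "Suspect")
SMTP_ONLY_ACTIONS = {"Quarantine", "Deny", "Drop"}   # not available for POP3
VALID_ACTIONS = {"Allow", "Add Subject Tag"} | SMTP_ONLY_ACTIONS


@dataclass(frozen=True)
class SpamException:
    pattern: str                  # full address "user@xyz.com" or domain pattern "*@xyz.com"
    action: str                   # one of VALID_ACTIONS
    applies_to: str = "sender"    # "sender" or "recipient" (assumption)


@dataclass
class SpamBlockerConfig:
    protocol: str                          # "SMTP" or "POP3"
    actions: Dict[str, str]                # category -> action
    exceptions: List[SpamException] = field(default_factory=list)

    def validate(self) -> None:
        """Raise ValueError for actions the chosen proxy cannot perform."""
        if self.protocol not in ("SMTP", "POP3"):
            raise ValueError(f"spamBlocker works with the SMTP and POP3 proxies, not {self.protocol}")
        chosen = [(cat, self.actions.get(cat)) for cat in CATEGORIES]
        chosen += [(f"exception {e.pattern}", e.action) for e in self.exceptions]
        for what, act in chosen:
            if act not in VALID_ACTIONS:
                raise ValueError(f"{what}: unknown action {act!r}")
            if self.protocol == "POP3" and act in SMTP_ONLY_ACTIONS:
                raise ValueError(f"{what}: {act} is available for the SMTP-proxy only")


def is_valid_config(config: SpamBlockerConfig) -> bool:
    """True if every configured action is legal for the configured proxy."""
    try:
        config.validate()
        return True
    except ValueError:
        return False


def address_matches(address: str, pattern: str) -> bool:
    """Exact address match, or domain match for a '*@domain' pattern (case-insensitive)."""
    address, pattern = address.strip().lower(), pattern.strip().lower()
    if pattern.startswith("*@"):
        return address.rpartition("@")[2] == pattern[2:]
    return address == pattern


def decide(config: SpamBlockerConfig, category: Optional[str],
           sender: str, recipients: List[str]) -> str:
    """Action for one message: a matching exception wins, otherwise the action
    configured for the category (category None = classified as not spam)."""
    config.validate()
    for exc in config.exceptions:
        targets = [sender] if exc.applies_to == "sender" else recipients
        if any(address_matches(a, exc.pattern) for a in targets):
            return exc.action
    if category is None:
        return "Allow"
    if category not in CATEGORIES:
        raise ValueError(f"unknown spamBlocker category {category!r}")
    return config.actions[category]


if __name__ == "__main__":
    # Constructed SMTP-proxy configuration with two exceptions.
    smtp = SpamBlockerConfig(
        "SMTP", {"Spam": "Deny", "Bulk": "Add Subject Tag", "Suspect": "Allow"},
        [SpamException("*@partner.example", "Allow"),
         SpamException("offers@bulkmail.example", "Drop")])
    print(decide(smtp, "Spam", "news@partner.example", ["alice@corp.example"]))   # Allow
    print(decide(smtp, None, "offers@bulkmail.example", ["bob@corp.example"]))    # Drop
    # POP3 cannot quarantine, so this configuration is rejected.
    pop3 = SpamBlockerConfig("POP3", {"Spam": "Quarantine", "Bulk": "Allow", "Suspect": "Allow"})
    print(is_valid_config(pop3))   # False
```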

Customize spamBlocker

Use multiple SMTP or POP3 proxies

Monitor spamBlocker Activity

Status visible in Firebox System Manager
Select the Subscription Services tab

Quarantine Spam

Quarantine Server operates with spamBlocker for the SMTP-proxy only (not the POP3-proxy)
Install with server components during WSM install, or from WatchGuard Server Center

Quarantine Server Configuration

You can configure:
• Database size and administrator notifications
• Server settings
• Length of time to keep messages
• The domains for which the Quarantine Server keeps mail
• Rules to automatically remove messages:
  From specific senders
  From specific domains
  That contain specific text in the Subject field

Web Traffic

Manage Web Traffic Through Your Firewall

Learning Objectives

Control outgoing HTTP traffic
Protect your web server
Use the HTTPS-proxy
Set up WebBlocker
Select categories of web sites to block
Override WebBlocker rules for specified sites

What is the HTTP-Proxy?

Fully configurable
HTTP requests and responses
Use URL paths to block complete URLs, or match a pattern you specify
Select header fields, protocol settings, and request/response methods
Allow or deny based on content types
Block the transfer of all or some attachments over port 80
Allow or deny cookies from specified domains
Enforce search engine Safe Search rules

Control Outgoing HTTP Traffic

Use the HTTP-Client proxy action as a template
You know the users
You decide where they go and what they can get access to
Enforce Safe Search rules
[Diagram: Your Network, HTTP Proxy]

Settings for the HTTP-Client Proxy Action

HTTP Request
HTTP Response
Use Web Cache Server
HTTP Proxy Exceptions
WebBlocker
AntiVirus
Reputation Enabled Defense
Deny Message
Proxy and AV Alarms

Protect Your Web Server

Use the HTTP-Server proxy action template
Block malformed packets
Prevent attacks on your server
Enforce Safe Search rules
[Diagram: Your Network, Web Server, HTTP Proxy]

Settings for the HTTP-Server Proxy Action

HTTP Request
HTTP Response
HTTP Proxy Exceptions
WebBlocker
AntiVirus
Reputation Enabled Defense
Deny Message
Proxy and AV Alarms

When to Use the HTTPS-Proxy

HTTP on a secure, encrypted channel (SSL)
Can use Deep Packet Inspection (DPI) to examine content and re-sign the original HTTPS site certificate
OCSP can confirm the validity of the original HTTPS site certificate
Use a certificate that all clients on your network automatically trust for this purpose when possible
Can use WebBlocker to block categories of web sites
When DPI is not enabled, checks the certificate and blocks by domain name

What is WebBlocker?

Reduces malicious web content that enters the network
Blocks URLs and IP addresses that you specify
Reduces unproductive web surfing and potential liability
Blocks access to IM/P2P download sites
Blocks access to spyware sites
Helps schools to attain CIPA compliance
Regular database updates
Global URL database — English, German, Spanish, French, Italian, Dutch, Japanese, traditional Chinese, and simplified Chinese sites

Set Up WebBlocker

[Diagram: Your Network, WebBlocker Server, WatchGuard WebBlocker Updates, Web Site]
1. WebBlocker Server gets WebBlocker database from WatchGuard
2. When a user browses, the XTM device checks the WebBlocker Server
3. If the site is allowed, the device allows the connection

The WebBlocker Database

Database created and maintained by Websense®
Database updates keep the filtering rules up-to-date
Use multiple categories to allow or deny different groups of users at different times of the day

Keep the WebBlocker Database Updated

The WebBlocker Server automatically downloads an incremental update to the local WebBlocker database at midnight.
To update the database at other times, you can:
• Manually trigger an incremental update in WatchGuard Server Center.
• Use Windows Task Scheduler to run the "updatedb.bat" process, which is installed in the C:\Program Files\WatchGuard\wsm11\bin directory.

Advanced WebBlocker Settings

On the WebBlocker Configuration Advanced tab, you can control what happens if the device cannot contact the WebBlocker Server. You can:
• Allow access to all web sites
• Deny access to all web sites
You can also set a password that overrides WebBlocker when it is entered on individual computers.

WebBlocker Exceptions

Add exceptions for web sites that WebBlocker denies and you want to allow (white list).
Add web sites that WebBlocker allows and you want to deny (black list).

Threat Protection

Defend Your Network From Intruders

Learning Objectives

Understand the different types of intrusion protection
Configure default packet handling to stop common attacks
Block IP addresses and ports used by hackers
Automatically block the sources of suspicious traffic

Intrusion Detection and Prevention

[Timeline diagram, stages as labelled: Vulnerability found and exposed; Hacker builds attack that uses vulnerability; Attack launched; Attack signature developed and distributed; Vendor builds patch; Vendor distributes patch; IT admin queues patch update based on severity; IT admin installs patch]
Firewall-based IPS supplies zero-day protection
Proactively blocks many threats
Ongoing protection at higher performance

Default Packet Handling

Spoofing attacks
Port and address space probes
Flood attacks
Denial of service
Options for logging and automatic blocking

Block the Source of Attacks

[Diagram: Your Network, Log Server, Web Server]
Remote users use valid packets to browse your web site.
Attacker runs a port space probe on your network. XTM device blocks the probe and adds the source to the temporary list of blocked sites.
Now, even valid traffic from that address is blocked by the XTM device.

Auto-Block Sites

Each policy configured to deny traffic has a check box you can select to auto-block the source of the denied traffic.
If you select it, the source IP address of any packet denied by the policy is automatically added to the Blocked Sites List.
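The two preceding slides describe a port space probe landing a source on the temporary Blocked Sites List, and the per-policy auto-block option doing the same for any denied packet. This added Python simulation (not Fireware code) runs constructed packets through both mechanisms; the probe threshold, time window, block duration and addresses are assumptions, not Fireware defaults.

```python
"""Simulation of two auto-block mechanisms from the slides: default packet
handling for port space probes, and the per-policy "auto-block the source of
denied traffic" option, both feeding the temporary Blocked Sites List.
Added example, not Fireware code. The probe threshold, time window, block
duration and the packets are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

PROBE_PORT_THRESHOLD = 10      # distinct destination ports per source (assumption)
PROBE_WINDOW_S = 10.0          # seconds over which ports are counted (assumption)
BLOCK_DURATION_S = 1200.0      # how long an auto-blocked source stays blocked (assumption)


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time in seconds
    src: str        # source IP address
    dst_port: int   # destination TCP port


class PacketHandler:
    def __init__(self, allowed_ports: Iterable[int], auto_block_on_policy_deny: bool = False):
        self.allowed_ports = set(allowed_ports)
        self.auto_block_on_policy_deny = auto_block_on_policy_deny
        self.blocked_until: Dict[str, float] = {}             # temporary Blocked Sites List
        self.port_history: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
        self.log: List[str] = []

    def is_blocked(self, src: str, now: float) -> bool:
        """True while src is on the temporary list; expired entries are removed."""
        expiry = self.blocked_until.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked_until[src]
            self.log.append(f"t={now:.0f} unblock src={src} reason=expired")
            return False
        return True

    def _block(self, src: str, now: float, reason: str) -> None:
        until = now + BLOCK_DURATION_S
        self.blocked_until[src] = until
        self.log.append(f"t={now:.0f} auto_block src={src} reason={reason} until={until:.0f}")

    def _is_port_probe(self, pkt: Packet) -> bool:
        """Distinct destination ports from pkt.src within the window reach the threshold."""
        history = self.port_history[pkt.src]
        history.append((pkt.t, pkt.dst_port))
        history[:] = [(t, p) for t, p in history if pkt.t - t <= PROBE_WINDOW_S]
        return len({p for _, p in history}) >= PROBE_PORT_THRESHOLD

    def handle(self, pkt: Packet) -> str:
        """Return 'allow' or 'deny' for one packet, updating the blocked list."""
        if self.is_blocked(pkt.src, pkt.t):
            # Even otherwise valid traffic from a blocked source is denied.
            self.log.append(f"t={pkt.t:.0f} deny src={pkt.src} port={pkt.dst_port} reason=blocked_site")
            return "deny"
        if self._is_port_probe(pkt):
            self._block(pkt.src, pkt.t, "port_space_probe")
            return "deny"
        if pkt.dst_port in self.allowed_ports:
            return "allow"
        self.log.append(f"t={pkt.t:.0f} deny src={pkt.src} port={pkt.dst_port} reason=policy")
        if self.auto_block_on_policy_deny:
            self._block(pkt.src, pkt.t, "policy_deny")
        return "deny"


def simulate() -> Tuple[List[str], PacketHandler]:
    """Constructed scenario: a visitor browses the web server while a prober
    touches ten ports; the prober is then denied even on port 80 until expiry."""
    visitor, prober = "203.0.113.5", "198.51.100.7"
    packets = [Packet(0.0, visitor, 80)]
    packets += [Packet(1.0 + 0.5 * i, prober, port)
                for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445])]
    packets += [Packet(20.0, prober, 80), Packet(20.0, visitor, 80),
                Packet(1300.0, prober, 80)]   # the block has expired by now
    handler = PacketHandler(allowed_ports={80, 443})
    return [handler.handle(p) for p in packets], handler


if __name__ == "__main__":
    decisions, handler = simulate()
    print(decisions)
    print("\n".join(handler.log))
```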

Use a Proxy Action to Block Sites

When you select the Block action, the IP address denied by the proxy action is automatically added to the Blocked Sites List.

Block Known Attack Vectors

Protect sensitive services on your network
• Get log messages
• Close traffic for unwanted services
Static configuration
• Add specific ports to block
• Add specific IP addresses or subnets to be permanently blocked
Dynamic configuration
• This feature can be enabled from many different places in Policy Manager:
  Proxy actions
  Default packet handling settings
  Policy configuration

Signature Services

Gateway AntiVirus, Intrusion Prevention, and Application Control

Learning Objectives

Understand how signature-based security subscriptions work
Set up and configure Gateway AntiVirus
Configure proxies to use Gateway AntiVirus
Set up and configure the Intrusion Prevention Service
Set up and configure Application Control
Enable IPS and Application Control in policies

What is Gateway AV?

Signature-based antivirus subscription
The XTM device downloads signature database updates at regular, frequent intervals
Gateway AV operates with the SMTP, HTTP, FTP, POP3, and TCP-UDP proxies

Set Up Gateway AntiVirus

[Diagram: Your Network, WatchGuard, Gateway AntiVirus database updates]
XTM device downloads the initial signature file
Gateway AV strips viruses and allows valid email or web pages to load
Device gets new signatures and updates at a regular interval

Gateway AV Wizard

Gateway AV can be enabled and configured with a wizard you launch from the Subscription Services menu
The wizard asks you to select which proxy policies you want to configure Gateway AV for

Configure the Proxy with Gateway AntiVirus

Use the HTTP and SMTP proxies to enable Gateway AV
Define actions
Define content types to scan
Monitor Gateway AV status

Gateway AV and the SMTP-Proxy

When an email attachment contains a known virus signature, the XTM device can:
Allow — Attachment passes through with no change
Lock — Attachment can only be opened by an administrator
Remove — Attachment is stripped from the email
Quarantine — Message is sent to the Quarantine Server
Drop — The connection is denied
Block — The connection is denied, and the server is added to the Blocked Sites list

Gateway AV and the HTTP-Proxy

When Gateway AV finds a known virus signature in an HTTP session, the XTM device can:
• Allow — The file is allowed to pass through without changes
• Drop — The HTTP connection is denied
• Block — The HTTP connection is denied, and the web server is added to the Blocked Sites list

Gateway AV and the FTP-Proxy

The FTP-proxy applies Gateway AV settings to:
• Downloaded files allowed in your configuration
• Uploaded files allowed in your configuration

Gateway AV Settings

Select this option if you want Gateway AV to decompress file formats such as .zip or .tar
The number of levels to scan is the depth for which Gateway AV scans archive files inside archive files
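What "number of levels to scan" means in practice, as an added Python example (not WatchGuard code): a scanner that opens nested zip archives only as deep as the configured level count and reports anything nested deeper as unscanned. The signature marker, the archives, the member-size guard and the `unscanned` verdict are constructed assumptions.

```python
"""Nested-archive scanning with a level limit, modelled on the Gateway AV
"decompress" option and "number of levels to scan" on the slide. Added
example, not WatchGuard code. The signature marker, the archives, the member
size guard and the 'unscanned' verdict for archives nested too deep are
constructed assumptions."""
import io
import zipfile

# Constructed marker standing in for a real AV signature (assumption).
TEST_SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER-DO-NOT-USE"
MAX_MEMBER_SIZE = 1_000_000   # refuse to inflate members larger than this (assumption)


def build_nested_zip(payload: bytes, depth: int) -> bytes:
    """Wrap payload in `depth` zip layers (depth=0 returns payload unchanged)."""
    data, name = payload, "payload.bin"
    for i in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"nested{i + 1}.zip"
    return data


def scan(data: bytes, max_levels: int, level: int = 0) -> str:
    """Return 'virus', 'clean' or 'unscanned'.

    max_levels is the number of archive layers that may be opened (0 means
    never decompress). An archive found at a deeper level is reported as
    'unscanned' so the proxy can apply whatever action is configured for
    scans that cannot complete."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        if level >= max_levels:
            return "unscanned"
        verdicts = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_SIZE:   # archive-bomb guard
                    return "unscanned"
                verdicts.append(scan(zf.read(info), max_levels, level + 1))
        if "virus" in verdicts:
            return "virus"
        return "unscanned" if "unscanned" in verdicts else "clean"
    # Plain content: look for the signature in the decompressed bytes.
    return "virus" if TEST_SIGNATURE in data else "clean"


if __name__ == "__main__":
    # Constructed samples: the marker wrapped in 0..3 archive layers, scanned
    # with a limit of two levels.
    for depth in range(4):
        print(depth, scan(build_nested_zip(TEST_SIGNATURE, depth), max_levels=2))
```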

Use Signature-Based IPS

Configure IPS to Allow, Drop, or Block connections from sources that match an IPS signature
Action is set based on the threat level of the matching signature

Use Signature-Based IPS

Configure settings globally
Enable or disable per-policy
Can scan traffic for all policies
Blocks malicious threats before they enter your network

Use Application Control

Application Control is a Subscription Service
Monitor and control hundreds of applications based on signatures
Block or allow traffic for application categories, applications, and application behaviors
When Application Control blocks HTTP content, a deny message appears in the browser
• The deny message is not configurable
• For HTTPS or other content types, the deny message does not appear

Use Application Control

Click Select by Category to configure actions by application category

Apply Application Control to Policies

First configure Application Control actions
On the Policies tab, select one or more policies, then select the action to apply

Enable Application Control and IPS in Policies

Application Control
• Application Control is not automatically enabled for policies
• For each policy, you select which Application Control action to use
• To monitor the use of applications, enable logging of allowed packets in the policies that have Application Control enabled
IPS
• When you enable IPS it is enabled for all policies by default
• You can enable or disable IPS for each policy

Enable Automatic Signature Updates

To protect against the latest viruses and exploits, and to identify the latest applications, make sure your device is configured to get automatic updates to Gateway AntiVirus, Intrusion Prevention, and Application Control signatures at regular intervals
Update requests can be routed through a proxy server

Monitor Signature Update Status

In Firebox System Manager, select the Subscription Services tab to see the status of Gateway AV, IPS and Application Control signatures, or to manually get signature updates

Reputation Enabled Defense

Improve the Performance and Security of Web Access

Learning Objectives

Understand how Reputation Enabled Defense works
Configure Reputation Enabled Defense
Monitor Reputation Enabled Defense

What is Reputation Enabled Defense (RED)?

Reputation-based HTTP anti-virus and anti-spyware prevention subscription, available for WatchGuard XTM device models only
RED operates with the HTTP-proxy
RED uses a cloud-based reputation server that assigns a reputation score between 1 and 100 to every URL
• The reputation score for a URL is based on AV scanning feedback and other URL reputation data collected from sources around the world.
When a user browses to a web site, RED looks up the score for the URL
• For URLs with a good reputation score, local scanning is bypassed
• For URLs with a bad reputation score, the HTTP-proxy denies access without local scanning by Gateway AV
• For URLs with an inconclusive reputation score, local Gateway AV scanning is performed as configured
Eliminates the need to locally scan the content of web sites that have a known good or bad reputation and improves XTM device performance

RED Reputation Scores

Reputation Scores:
• High scores indicate a bad reputation
• Low scores indicate a good reputation
• If RED has no knowledge of a URL, it assigns a score of 50.
• The reputation score assigned to a URL increases based on:
  Negative scan results for that URL
  Negative scan results for a referring link
  Negative information from other sources of malware data
• The reputation score assigned to a URL decreases based on:
  Multiple clean scans
  Recent clean scans
RED continually updates the reputation scores for URLs based on:
• Scan results from devices around the world by two leading anti-malware engines: Kaspersky and AVG.
• Data from other leading sources of malware intelligence for the web.

RED Reputation Thresholds and Actions

The action performed by the HTTP-proxy depends on:
• The reputation score of a requested URL
• The locally configured reputation thresholds
RED Actions:
• If score is higher than the Bad reputation threshold, Deny access
• If score is lower than the Good reputation threshold, Bypass local scanning
• Otherwise, perform local Gateway AV scanning as configured
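The score lookup (unknown URL = 50) and the three-way threshold decision from the last two slides, written out as an added Python example (not WatchGuard code). The threshold values, the reputation table, the URL normalisation and the local Gateway AV stand-in are constructed assumptions; the slides do not give Fireware's default thresholds.

```python
"""Reputation Enabled Defense (RED) decision logic for the HTTP-proxy, as
described on the slides. Added example, not WatchGuard code. The threshold
values, the reputation table and the local Gateway AV stand-in are
constructed assumptions; the slides do not give Fireware's default thresholds."""
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

UNKNOWN_SCORE = 50           # slides: RED assigns 50 to a URL it has no knowledge of
SCORE_MIN, SCORE_MAX = 1, 100


class Thresholds:
    """Locally configured good/bad reputation thresholds (high score = bad)."""
    def __init__(self, good: int, bad: int):
        if not SCORE_MIN <= good < bad <= SCORE_MAX:
            raise ValueError("thresholds must satisfy 1 <= good < bad <= 100")
        self.good, self.bad = good, bad


def normalize_url(url: str) -> str:
    """Lower-case scheme and host and drop the fragment, so lookups are stable."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def reputation_score(url: str, reputation_db: Dict[str, int]) -> int:
    """Score for the URL, or 50 when the reputation server knows nothing about it."""
    return reputation_db.get(normalize_url(url), UNKNOWN_SCORE)


def red_action(score: int, th: Thresholds) -> str:
    """'deny' above the bad threshold, 'bypass_scan' below the good threshold,
    otherwise 'local_scan'. A score equal to a threshold is inconclusive."""
    if score > th.bad:
        return "deny"
    if score < th.good:
        return "bypass_scan"
    return "local_scan"


def http_proxy_decision(url: str, reputation_db: Dict[str, int], th: Thresholds,
                        local_av: Callable[[str], bool]) -> Tuple[str, str]:
    """Verdict ('allow' or 'deny') and reason for one request.
    local_av(url) stands in for Gateway AV and returns True when content is clean."""
    score = reputation_score(url, reputation_db)
    action = red_action(score, th)
    if action == "deny":
        return "deny", f"score {score} > bad threshold {th.bad}: denied without local scan"
    if action == "bypass_scan":
        return "allow", f"score {score} < good threshold {th.good}: Gateway AV bypassed"
    clean = local_av(url)
    verdict = "allow" if clean else "deny"
    return verdict, f"score {score} inconclusive: Gateway AV {'clean' if clean else 'found a virus'}"


# Constructed reputation table and a stand-in for local Gateway AV scanning.
REPUTATION_DB = {
    "http://good.example/": 5,
    "http://bad.example/download": 97,
    "http://meh.example/page": 50,
    "http://infected.example/file": 60,
}
INFECTED_URLS = {"http://infected.example/file"}   # constructed scanner results


def constructed_local_av(url: str) -> bool:
    return normalize_url(url) not in INFECTED_URLS


if __name__ == "__main__":
    th = Thresholds(good=30, bad=80)   # assumed values, not Fireware defaults
    for u in ["http://good.example", "http://bad.example/download",
              "http://meh.example/page", "http://infected.example/file",
              "http://unknown.example/x"]:
        print(u, http_proxy_decision(u, REPUTATION_DB, th, constructed_local_av))
```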

Enable Reputation Enabled Defense

Before you enable RED:
• Your device must have a Reputation Enabled Defense feature key
• You must have configured at least one HTTP-proxy policy

Configure Reputation Enabled Defense

Enable RED for the HTTP-proxy
Define thresholds
Monitor RED status

Reputation Enabled Defense and the HTTP-Proxy

Based on the reputation score for a URL, the HTTP-Proxy can:
• Immediately block the URL if it has a bad reputation.
• Bypass any configured local virus scanning for a URL that has a good reputation.
If neither of these RED actions occur, then any locally configured virus scanning proceeds as configured.

Reputation Enabled Defense and the HTTP-Proxy

The default reputation thresholds are set to balance security with performance.
You can change the bad and good reputation thresholds in the Advanced Settings dialog box.
We recommend that you use the default reputation thresholds.

Monitor Reputation Enabled Defense

RED status is visible in Firebox System Manager on the Subscription Services tab.

Web UI

Explore Fireware XTM Web UI

Learning Objectives

Log in to Fireware XTM Web UI
Change the port that the XTM device uses for the Web UI
Discuss limitations of the Web UI
Manage timeouts for the Web UI management sessions

Page 210

Introduction to Fireware XTM Web UI

Monitor and manage any device running Fireware XTM without installing extra software

Real-time management tool

Easily find what you need and understand how the configuration options work

Page 211

Limitations of the Web UI

Things you can do with Policy Manager, but not with the Web UI:

• View or change the configuration of a device that is a member of a FireCluster

• Add or remove static ARP entries from the device’s ARP table

• Change the name of a policy

• Change the logging of default packet handling options

• Enable or disable the notification of BOVPN events

• Add a custom address to a policy

• Use Host Name (DNS lookup) to add an IP address to the From or To section of a policy

• Create a .wgx file for Mobile VPN with IPSec client configuration (you can get only the equivalent, but unencrypted, .ini file)

• Export certificates stored on the device, or see their details (you can only import certificates)

• Some of the logging and reporting functions provided by HostWatch, Log and Report Manager, and WSM are also not available

Page 212

Log in to the Web UI

You need only a browser with support for Adobe Flash

Real-time configuration tool, no option to store configuration changes locally and save to device later

https://<XTM.device.IP.address>:8080

• Uses a self-signed certificate, so you must accept certificate warnings or replace the certificate with a trusted certificate

• You can change the port for the Web UI

Log in with one of two accounts

• Status – For read-only permission; uses the status passphrase

• Admin – For read-write permission; uses the configuration passphrase

Page 213

Log in to the Web UI

Multiple concurrent logins are allowed with the status account

Only one admin account can be logged in at a time

The last user to log in with the admin account is the only user that can make changes

• Includes changes from Policy Manager and WSM
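The session rules on the two login slides above (many read-only status sessions, a single read-write admin session, the most recent admin login superseding any earlier one whether it came from the Web UI, Policy Manager or WSM, and the idle timeout from the learning objectives) modelled in code, as an added example. It is illustrative code written for this page, not WatchGuard's implementation: the 900-second idle timeout is an assumed placeholder, the client labels are constructed, and the audit list stands in for the device's own log messages.

```python
"""Model of Fireware XTM Web UI management sessions as the slides describe them.

Added example; not WatchGuard's code. Timeout value and client labels are assumed.
"""
import time
from dataclasses import dataclass


class FakeClock:
    """Deterministic clock so idle timeouts can be exercised offline."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class Session:
    token: int
    account: str     # "status" (read-only) or "admin" (read-write)
    client: str      # constructed label for where the login came from
    last_seen: float


class ManagementSessions:
    ACCOUNTS = ("status", "admin")

    def __init__(self, idle_timeout=900, clock=time.monotonic):
        self.idle_timeout = idle_timeout  # seconds; placeholder, set it on the device
        self.clock = clock
        self._sessions = {}               # token -> Session
        self._next_token = 1
        self.admin_token = None           # the single session allowed to write
        self.audit = []                   # (event, account, client) records

    def login(self, account, client):
        if account not in self.ACCOUNTS:
            raise ValueError(f"unknown account {account!r}")
        self._expire_idle()
        token = self._next_token
        self._next_token += 1
        self._sessions[token] = Session(token, account, client, self.clock())
        self.audit.append(("login", account, client))
        if account == "admin":
            if self.admin_token is not None:
                # Last admin login wins: the earlier read-write session is ended,
                # regardless of which management tool opened it.
                self._end(self.admin_token, "superseded")
            self.admin_token = token
        return token

    def logout(self, token):
        self._end(token, "logout")

    def can_read(self, token):
        return self._touch(token) is not None

    def can_write(self, token):
        s = self._touch(token)
        return s is not None and s.account == "admin" and token == self.admin_token

    def active(self):
        """Tokens of sessions that are still alive, after expiring idle ones."""
        self._expire_idle()
        return sorted(self._sessions)

    def _touch(self, token):
        self._expire_idle()
        s = self._sessions.get(token)
        if s is not None:
            s.last_seen = self.clock()    # activity resets the idle timer
        return s

    def _expire_idle(self):
        now = self.clock()
        for tok, s in list(self._sessions.items()):
            if now - s.last_seen > self.idle_timeout:
                self._end(tok, "idle-timeout")

    def _end(self, token, reason):
        s = self._sessions.pop(token, None)
        if s is None:
            return
        if token == self.admin_token:
            self.admin_token = None
        self.audit.append((reason, s.account, s.client))
```

The point for an operator is the "superseded" audit record: a second admin login is not a conflict error, it silently ends the first admin session, so an unexpected superseded entry in the device logs is worth following up, and a short idle timeout limits how long an unattended read-write session stays usable.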

Page 214

Log in to the Web UI

The user account name appears at the top of the screen

Navigation links are at the left side

Page 215

Conclusion

This presentation provides an overview of basic Fireware XTM features.

For more information, see these training, documentation, and support resources available in the Support section of the WatchGuard web site:

• WatchGuard System Manager Help

• Fireware XTM Web UI Help

• WatchGuard Knowledge Base

• Fireware XTM Training courseware

Page 216

Thank You!