firewall basics with fireware for watchguard system manager v9.1



Upload: risa

Post on 06-Jan-2016


DESCRIPTION

Firewall Basics with Fireware for WatchGuard System Manager v9.1 (PowerPoint PPT presentation). Course introduction objective: understand and use the basic management and monitoring components of WatchGuard System Manager.

TRANSCRIPT

Page 1: Firewall Basics with Fireware for WatchGuard System Manager v9.1

Firewall Basics with Fireware

for

WatchGuard System Manager v9.1

Firewall Basics with Fireware v9.1

Page 2: Firewall Basics with Fireware for WatchGuard System Manager v9.1

2

Course Introduction

Page 3: Firewall Basics with Fireware for WatchGuard System Manager v9.1

3

Course Introduction Objectives

• Understand and use the basic management and monitoring components of WatchGuard System Manager

• Understand how to configure a WatchGuard Firebox X Core or Peak e-Series device for your network environment

• Understand how to create basic security policies for your Firebox to enforce

• Understand how to use security services to expand Firebox functionality

Page 4: Firewall Basics with Fireware for WatchGuard System Manager v9.1

4

Course Introduction Audience

This course is intended for network administrators who have a Firebox X Core or Peak. A basic understanding of TCP/IP networking is required.

Page 5: Firewall Basics with Fireware for WatchGuard System Manager v9.1

5

Course Introduction Environment

To use this training presentation:

• It is helpful, but not necessary, for you to have WatchGuard System Manager installed on your computer

• It is not necessary to have a Firebox X Core or Peak

• We recommend you view or print the instructor’s notes for this presentation, as they contain additional details which may be helpful

Page 6: Firewall Basics with Fireware for WatchGuard System Manager v9.1

6

This course includes sections on:

• Getting Started with your Firebox X Core or Peak

• Introducing Policy Manager

• Using Policy Manager to Configure Network Settings

• Using Policy Manager to Configure Policies

• Working with Proxy Policies

• WebBlocker

• spamBlocker

• Gateway AV/IPS

• Policy Manager Intrusion Prevention

• Firebox Administration

• Working with Firebox Log Messages

Course Introduction Outline

Page 7: Firewall Basics with Fireware for WatchGuard System Manager v9.1

7

Course Introduction Exam

• The WatchGuard Certified System Professional exam is available for all WatchGuard partners. The exam is based on the contents of this course. Studying the information in this courseware can help you prepare to take the exam.

• If you are a WCSP, you can find the exam at:

https://www.watchguard.com/training/CertCentral.asp

Page 8: Firewall Basics with Fireware for WatchGuard System Manager v9.1

8

Getting Started with your Firebox X Core or Peak

Getting Started with your Firebox X Core or Peak

Page 9: Firewall Basics with Fireware for WatchGuard System Manager v9.1

9

Getting Started Management and Appliance Software

To configure a WatchGuard Firebox, you must install two software packages:

• WatchGuard System Manager (WSM) – The management software you use to configure, manage, and monitor your Firebox.

• Fireware Appliance Software – The software that is installed on the Firebox itself.

Page 10: Firewall Basics with Fireware for WatchGuard System Manager v9.1

10

Getting Started Management Station

Your management station is a PC running Windows 2000, Windows XP, Windows 2000 Server, or Windows 2003 Server.

• You install WSM on your management station to configure, manage, and monitor your Firebox.

• You also install Fireware appliance software on your management station. Use WSM to put Fireware on your Firebox.

Page 11: Firewall Basics with Fireware for WatchGuard System Manager v9.1

11

Getting Started Components of WSM

WSM includes a set of management and monitoring utilities:

• Policy Manager

• Firebox System Manager

• LogViewer

• HostWatch

• Historical Reports

Page 12: Firewall Basics with Fireware for WatchGuard System Manager v9.1

12

Getting Started Server Software

When you install WSM on your management station, you have the option to install any or all of these server components:

• Management Server – Use to manage all firewall devices and create VPN (virtual private network) tunnels using a simple drag-and-drop function.

• Log Server – Collects log messages from each WatchGuard Firebox.

• WebBlocker Server – Operates with the Firebox HTTP proxy to deny user access to specified categories of web sites.

• Quarantine Server – Collects and isolates mail confirmed as spam by spamBlocker.

Page 13: Firewall Basics with Fireware for WatchGuard System Manager v9.1

13

Getting Started Registering your Firebox

Before you can begin to configure your Firebox, you must register your Firebox to your LiveSecurity account.

• If you have not created a LiveSecurity profile with a user name and password, you must create it before you register your Firebox.

• You must have your Firebox serial number when you log in to LiveSecurity to register your device.

Page 14: Firewall Basics with Fireware for WatchGuard System Manager v9.1

14

Getting Started Quick Setup Wizard

The Quick Setup Wizard works with a Firebox X Core or Peak e-Series device and allows you to:

• Install Fireware appliance software on the Firebox

• Create and upload a basic configuration file

• Assign passphrases to control access to the Firebox

Page 15: Firewall Basics with Fireware for WatchGuard System Manager v9.1

15

Getting Started Preparing to use the Quick Setup Wizard

Before you start the Quick Setup Wizard, you must have:

• The feature key for your Firebox – When you register your Firebox with LiveSecurity, a feature key is created that is unique to the serial number of the device. Save a copy of the feature key to complete the Quick Setup Wizard.

• WSM and Fireware installed on your management station – Download the latest versions from the LiveSecurity software downloads site. Note that WSM and Fireware are separate software downloads. You must download and install both packages.

• Network information – You must know the IP address of your gateway router, and the IP addresses to give to the external and trusted interfaces of the Firebox.

Page 16: Firewall Basics with Fireware for WatchGuard System Manager v9.1

16

Getting Started Starting the Quick Setup Wizard

For the Quick Setup Wizard to operate correctly, you must:

• Assign a static IP address to your management workstation from the same subnet that you plan to assign to the Trusted interface of the Firebox.

• Connect the Firebox to a power source. Hold down the down arrow on the front of the Firebox while you turn on the power switch. Hold the button until the LCD display shows “WatchGuard Technologies.”

• Connect your management station’s Ethernet interface to the eth1 interface of the Firebox.

• Launch WatchGuard System Manager (WSM) and launch the Quick Setup Wizard from the WSM > Tools menu.

Page 17: Firewall Basics with Fireware for WatchGuard System Manager v9.1

17

Getting Started Starting the Quick Setup Wizard

The QSW asks you to choose which model of Firebox you are configuring.

Page 18: Firewall Basics with Fireware for WatchGuard System Manager v9.1

18

Getting Started Starting the Quick Setup Wizard

If you have connected your workstation to the Firebox correctly, the QSW will automatically detect the Firebox and identify its model and serial number. Verify that this information is correct.

Page 19: Firewall Basics with Fireware for WatchGuard System Manager v9.1

19

Getting Started Naming Your Firebox

The name you assign to the Firebox in the wizard is used to:

• Identify the Firebox in WSM

• Identify the Firebox log file

• Identify the Firebox when you use Historical Reports

Page 20: Firewall Basics with Fireware for WatchGuard System Manager v9.1

20

Getting Started Adding a Feature Key

If you have purchased additional options for your Firebox and already registered them with LiveSecurity, the feature key will reflect those features.

You can register the features later and update your feature key using Policy Manager.

Page 21: Firewall Basics with Fireware for WatchGuard System Manager v9.1

21

Getting Started Configuring the External Interface

The IP address you give to the external interface can be:

• A static IP address

• An IP address assigned with DHCP

• An IP address assigned with PPPoE

You must also add an IP address for the Firebox default gateway. This is the IP address of your gateway router.

Page 22: Firewall Basics with Fireware for WatchGuard System Manager v9.1

22

Getting Started Configuring Trusted and Optional Interface

To configure the trusted and optional interfaces, you must select one of these configuration options:

Routed Configuration – Each interface is configured with an IP address on a different subnet.

Drop-in Configuration – All Firebox interfaces are configured with the same IP address. Use drop-in mode when devices from the same publicly addressed network are located on more than one Firebox interface.

Page 23: Firewall Basics with Fireware for WatchGuard System Manager v9.1

23

Getting Started Understanding Drop-in configurations

In drop-in mode:

• You must assign the same primary IP address to all interfaces on your Firebox (external, trusted, and optional).

• You can assign secondary networks on any interface.

• You can keep the same IP addresses and default gateways for hosts on your trusted and optional networks, and add a secondary network address to the Firebox interface so the Firebox can correctly send traffic to the hosts on these networks.

Page 24: Firewall Basics with Fireware for WatchGuard System Manager v9.1

24

Getting Started Setting Passphrases

You define two passphrases for the Firebox. Passphrases must be at least 8 characters long and different from each other:

• Status passphrase – used for read-only connections to the Firebox.

• Configuration passphrase – used for read-write connections to the Firebox.

Page 25: Firewall Basics with Fireware for WatchGuard System Manager v9.1

25

Getting Started Completing the Quick Setup Wizard

• The wizard is complete when it has saved a basic configuration to the Firebox.

• You are now ready to put your Firebox in place on your network.

• Remember to reset your management station to get its IP address in its usual way.

Page 26: Firewall Basics with Fireware for WatchGuard System Manager v9.1

26

Introduction to Policy Manager

Page 27: Firewall Basics with Fireware for WatchGuard System Manager v9.1

27

Introduction to Policy Manager Launch WSM

Launch WSM from Windows Start > All Programs > WatchGuard System Manager 9.1 > WatchGuard System Manager to monitor and configure your Firebox.

From WSM, connect to the Firebox. Once connected, you can monitor the device or launch Policy Manager to configure the device.

Page 28: Firewall Basics with Fireware for WatchGuard System Manager v9.1

28

Introduction to Policy Manager What is Policy Manager?

• Policy Manager is the off-line editing tool used to modify the configuration of your Firebox.

• Changes made in Policy Manager do not take effect until you save them to the Firebox.

• Launch Policy Manager from WSM.

Page 29: Firewall Basics with Fireware for WatchGuard System Manager v9.1

29

Introduction to Policy Manager Navigating Policy Manager

Use drop-down menus to configure many basic and advanced Firebox features.

Page 30: Firewall Basics with Fireware for WatchGuard System Manager v9.1

30

Introduction to Policy Manager Navigating Policy Manager

• Security policies controlling traffic through the Firebox are represented by icons in the Policy Manager.

• To edit security policies, double-click on an icon.

• To display policies in list view, select View > Details.

Page 31: Firewall Basics with Fireware for WatchGuard System Manager v9.1

31

Using Policy Manager to Configure Network Settings

Page 32: Firewall Basics with Fireware for WatchGuard System Manager v9.1

32

Network Settings Beyond the Quick Setup Wizard

The Quick Setup Wizard configures the Firebox with an external, trusted, and optional network only.

Page 33: Firewall Basics with Fireware for WatchGuard System Manager v9.1

33

Network Settings Network Configuration Options

Use Policy Manager to:

• Modify a configured interface’s properties

• Change the interface type (from trusted to optional, etc.)

• Add secondary networks and addresses

• Enable DHCP server on the Firebox

• Configure additional interfaces

• Configure WINS/DNS settings for the Firebox

• Add network or host routes

• Configure NAT

Page 34: Firewall Basics with Fireware for WatchGuard System Manager v9.1

34

Network Settings Interface Types

You can identify each interface as external, trusted, or optional. In most cases, these terms refer to:

• External – Connects to your gateway router.

• Trusted – Connects to your LAN of desktop computers or workstations, not accessible from the public internet

• Optional – Connects to a network of servers that need to be physically separate from the trusted network and accessible from the public internet, such as web and mail servers.

Page 35: Firewall Basics with Fireware for WatchGuard System Manager v9.1

35

Network Settings Interface Independence

• You can change the interface type of any interface configured with the Quick Setup Wizard.

• You can choose the interface type of any additional interface you enable.

Page 36: Firewall Basics with Fireware for WatchGuard System Manager v9.1

36

Network Settings Secondary Networks

• A secondary network is a network that shares the same physical network as one of the Firebox interfaces.

• A secondary network adds an IP alias to the interface. This IP alias is the default gateway for all the computers on the secondary network.

Page 37: Firewall Basics with Fireware for WatchGuard System Manager v9.1

37

Network Settings Secondary Addresses

• If your external interface is configured with a static IP address, you can add an IP address on the same subnet as a secondary network.

• For example, configure an external secondary network with a second public IP address if you have two public SMTP servers.

Page 38: Firewall Basics with Fireware for WatchGuard System Manager v9.1

38

Network Settings Enabling DHCP Server

• The Firebox can act as a DHCP server for clients on any interface configured as trusted or optional.

• To configure DHCP server on a Firebox interface, identify the first and last IP addresses in the range you want the Firebox to assign.

Page 39: Firewall Basics with Fireware for WatchGuard System Manager v9.1

39

Network Settings WINS/DNS

The Firebox needs WINS/DNS information to:

• Resolve names to IP addresses for IPSec VPNs and for the spamBlocker, Gateway AV and IPS features to operate correctly.

• Allow DHCP clients on the trusted or optional networks, MUVPN users, and PPTP RUVPN users to resolve DNS queries.

Page 40: Firewall Basics with Fireware for WatchGuard System Manager v9.1

40

Network Settings Network or Host Routes

• Create static routes to send traffic from a Firebox interface to a router. The router then forwards the traffic to the correct destination.

• If you do not add a route to a remote network or host, all traffic to that network or host is sent to the Firebox default gateway.

Page 41: Firewall Basics with Fireware for WatchGuard System Manager v9.1

41

Using Policy Manager to Configure Policies

Page 42: Firewall Basics with Fireware for WatchGuard System Manager v9.1

42

Configuring Policies What is a Policy?

• A rule to limit access through the Firebox

• Can be configured to allow traffic or deny traffic

• Can be enabled or disabled

• Applies to specific port(s) and protocols

• Applies to specific internal hosts or subnets and external hosts or subnets

Page 43: Firewall Basics with Fireware for WatchGuard System Manager v9.1

43

Network Settings Firebox Dynamic NAT

Dynamic NAT:

• The Firebox applies its public IP address to the outgoing packets for all connections or for specified services

• Is used to hide the IP addresses of internal hosts when they get access to public services

• Is enabled by default for traffic from the RFC 1918 private networks to any external interface

Page 44: Firewall Basics with Fireware for WatchGuard System Manager v9.1

44

Configuring Policies Adding Policies

• To add a policy, select Edit > Add Policy.

• Add a policy from the pre-defined Packet Filters list, the Proxies list, or create a Custom policy.

Page 45: Firewall Basics with Fireware for WatchGuard System Manager v9.1

45

Configuring Policies Changing Source and Destinations

You can:

• Select a pre-defined alias, then click Add.

• Click Add User to select an authentication user or group.

• Click Add Other to add a host IP address, network IP address, or host range.

Page 46: Firewall Basics with Fireware for WatchGuard System Manager v9.1

46

Configuring Policies Packet Filters and Proxies

• Packet Filter – Examines the IP header of each packet. Works at the network and transport protocol packet layers.

• Proxy – Examines the IP header AND the content of a packet (at the application layer of a packet). If the content does not match the criteria you set in your proxy policies, it denies the packet, or removes disallowed content.

A proxy:

• Removes all the network data

• Examines the contents for RFC compliance and content type

• Adds the network data again

• Sends the packet to its destination

Page 47: Firewall Basics with Fireware for WatchGuard System Manager v9.1

47

Configuring Policies When do I use a custom policy?

Use a custom policy:

• If none of the pre-defined policies include the specific combination of ports that you want.

• If you need to create a policy that uses a protocol other than TCP or UDP.

• Note: A custom policy can be either a packet filter or proxy policy.

Page 48: Firewall Basics with Fireware for WatchGuard System Manager v9.1

48

Configuring Policies Modifying Policies

To edit a policy, double-click the policy icon.

By default:

• A new policy is enabled and allowed.

• It allows traffic on the port(s) specified by the policy.

• It allows traffic from any trusted source to any external destination.

Page 49: Firewall Basics with Fireware for WatchGuard System Manager v9.1

49

Configuring Policies Changing Source and Destinations

To modify the default source and destination, click Add and define a new source or destination.

Page 50: Firewall Basics with Fireware for WatchGuard System Manager v9.1

50

Configuring Policies Policy Properties

The Policy Properties tab lets you:

• See the ports and protocols defined in the policy.

• Set logging and notification rules for the policy.

• Auto-block the source of denied traffic (if the policy is configured to deny traffic).

• Set a custom idle time out for the policy.

Page 51: Firewall Basics with Fireware for WatchGuard System Manager v9.1

51

Configuring Policies Proxy Policy Properties

When you configure a proxy policy, use the Policy Properties tab to apply a proxy action to the policy.

Page 52: Firewall Basics with Fireware for WatchGuard System Manager v9.1

52

Configuring Policies Advanced Policy Properties

Click the Advanced tab to configure:

• Schedule

• QoS

• NAT rules

• Sticky connection settings (if you use multi-WAN)

• ICMP error handling

Page 53: Firewall Basics with Fireware for WatchGuard System Manager v9.1

53

Configuring Policies Scheduling Policies

When you apply a schedule to a policy, you set the times of day you want a policy to be enabled.

For example:

If you only want users to surf the Web between 10:00 am and 12:00 am, apply a schedule to your HTTP policy that looks like this:

Page 54: Firewall Basics with Fireware for WatchGuard System Manager v9.1

54

Configuring Policies NAT

• You can customize NAT in each policy.

• The settings in Network > NAT apply unless you modify the NAT settings in a policy.

• Use the Set Source IP option when you want any traffic that uses this policy to show a specified address from your public or external IP address range as the source IP address.
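The two NAT behaviours described on these slides, dynamic NAT for RFC 1918 sources leaving an external interface (page 43) and the per-policy Set Source IP override (page 54), as an added Python model. This is example code, not WatchGuard's implementation; the interface table, the documentation-range addresses and the `policy_nat` dict that stands in for a policy's Advanced > NAT setting are all constructed for the example.

```python
"""Added example (not WatchGuard code): dynamic NAT as described on the slides.
Traffic from an RFC 1918 source leaving through an external interface is given
that interface's public address as its source; a policy's Set Source IP option
replaces it with a chosen address from the public range instead."""
import ipaddress

# Constructed interface table; addresses come from the documentation ranges.
INTERFACES = {
    "eth0": {"type": "external", "ip": "203.0.113.2", "net": "203.0.113.0/24"},
    "eth1": {"type": "trusted", "ip": "10.0.1.1", "net": "10.0.1.0/24"},
    "eth2": {"type": "optional", "ip": "10.0.2.1", "net": "10.0.2.0/24"},
}
DEFAULT_GATEWAY_IFACE = "eth0"   # destinations with no specific route leave here

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip lies in one of the three RFC 1918 private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def egress_interface(dst):
    """Pick the interface whose subnet contains dst, else the default gateway's."""
    addr = ipaddress.ip_address(dst)
    for name, iface in INTERFACES.items():
        if addr in ipaddress.ip_network(iface["net"]):
            return name
    return DEFAULT_GATEWAY_IFACE


def translate_source(src, dst, policy_nat=None):
    """Return (source address as seen on the wire, egress interface).

    policy_nat models the policy's Advanced > NAT setting as a dict with an
    optional "set_source_ip" key (a constructed representation). Global
    dynamic NAT applies only when the policy does not override it and the
    packet leaves through an external interface from a private source."""
    egress = egress_interface(dst)
    external = INTERFACES[egress]["type"] == "external"
    if external and policy_nat and policy_nat.get("set_source_ip"):
        return policy_nat["set_source_ip"], egress
    if external and is_rfc1918(src):
        return INTERFACES[egress]["ip"], egress
    return src, egress          # trusted<->optional traffic keeps its real source


if __name__ == "__main__":
    print(translate_source("10.0.1.5", "198.51.100.7"))
    print(translate_source("10.0.1.5", "10.0.2.9"))
    print(translate_source("10.0.1.5", "198.51.100.7", {"set_source_ip": "203.0.113.25"}))
```

The third call shows why Set Source IP matters for detection and reputation: the outside world sees `203.0.113.25` rather than the interface address, so log correlation on the receiving side must account for the policy-level override.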

Page 55: Firewall Basics with Fireware for WatchGuard System Manager v9.1

55

Configuring Policies QoS

• QoS (Quality of Service) is available only for Fireware Pro users.

• Use QoS to set the priority for traffic in a policy.

Page 56: Firewall Basics with Fireware for WatchGuard System Manager v9.1

56

Configuring Policies What is Precedence?

• Precedence is used to decide which policy will control a connection when more than one policy could control that connection.

• If you look at your policies in list view, the higher the policy appears in the list, the greater its precedence. If two policies could apply to a connection, the policy higher in the list will control that connection.

Page 57: Firewall Basics with Fireware for WatchGuard System Manager v9.1

57

Configuring Policies Changing Precedence

• Policy Manager automatically orders the policies when you add and configure them.

• To manually order your policies:

1. Select View > Details.

2. Clear the View > Auto-Order Mode option.

3. Drag and drop policies to change the order the policies appear in the list.
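How precedence decides the controlling policy (pages 56 and 57), as an added Python model rather than anything from WatchGuard: policies are tried in list order and the first match wins, so a narrow deny dragged below a broad allow is never reached. The `Any-Trusted`/`Any-External` alias contents, the policy set and the sample connections are constructed; the "no match means deny" result is an assumption the slides do not state.

```python
"""Added example (not WatchGuard code): Policy Manager precedence. The list
order is the precedence order; the first policy that matches a connection
controls it, and policies below a broader match are shadowed."""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for Policy Manager's built-in aliases.
ALIASES = {
    "Any-Trusted": ["10.0.0.0/8"],
    "Any-External": ["0.0.0.0/0"],
}


@dataclass
class Policy:
    name: str
    action: str                                   # "allow" or "deny"
    protocols: set                                # e.g. {"tcp", "udp"}
    ports: set = field(default_factory=set)       # empty = any port
    sources: list = field(default_factory=list)   # alias names or CIDRs
    destinations: list = field(default_factory=list)
    enabled: bool = True

    @staticmethod
    def _in_any(ip, entries):
        """True if ip is inside any alias member or CIDR listed in entries."""
        addr = ipaddress.ip_address(ip)
        for entry in entries:
            for cidr in ALIASES.get(entry, [entry]):
                if addr in ipaddress.ip_network(cidr):
                    return True
        return False

    def matches(self, proto, src, dst, dport):
        """A disabled policy never matches; otherwise every field must agree."""
        if not self.enabled or proto not in self.protocols:
            return False
        if self.ports and dport not in self.ports:
            return False
        return self._in_any(src, self.sources) and self._in_any(dst, self.destinations)


def controlling_policy(policies, proto, src, dst, dport):
    """First policy in precedence order that matches, or None.
    None is treated as denied here (an assumption, not stated on the slides)."""
    for policy in policies:
        if policy.matches(proto, src, dst, dport):
            return policy
    return None


def shadowed_policies(policies, samples):
    """Enabled policies that win for none of the sample connections: a sign
    that a broader policy above them is taking precedence."""
    winners = set()
    for sample in samples:
        winner = controlling_policy(policies, *sample)
        if winner is not None:
            winners.add(winner.name)
    return [p.name for p in policies if p.enabled and p.name not in winners]


# Constructed policies. Outgoing mirrors the Quick Setup Wizard policy:
# all TCP and UDP from trusted to external.
OUTGOING = Policy("Outgoing", "allow", {"tcp", "udp"}, set(),
                  ["Any-Trusted"], ["Any-External"])
DENY_GUEST_SMTP = Policy("Deny-Guest-SMTP", "deny", {"tcp"}, {25},
                         ["10.0.20.0/24"], ["Any-External"])

AUTO_ORDER = [DENY_GUEST_SMTP, OUTGOING]    # specific policy higher, as Auto-Order Mode does
MANUAL_ORDER = [OUTGOING, DENY_GUEST_SMTP]  # broad allow dragged above it

# Constructed sample connections: (protocol, source, destination, dest port).
SAMPLES = [
    ("tcp", "10.0.20.5", "203.0.113.10", 25),
    ("tcp", "10.0.1.5", "203.0.113.10", 443),
    ("udp", "10.0.1.5", "203.0.113.53", 53),
]

if __name__ == "__main__":
    for order in (AUTO_ORDER, MANUAL_ORDER):
        winner = controlling_policy(order, "tcp", "10.0.20.5", "203.0.113.10", 25)
        print([p.name for p in order], "->", winner.name, winner.action)
    print("shadowed in manual order:", shadowed_policies(MANUAL_ORDER, SAMPLES))
```

Running `shadowed_policies` against a representative sample of connections after any manual reordering is a cheap way to catch a deny that has silently stopped applying.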

Page 58: Firewall Basics with Fireware for WatchGuard System Manager v9.1

58

Configuring Policies The WatchGuard Policy

The WatchGuard Policy:

• Controls management connections to the Firebox.

• By default allows only local administration of the Firebox. You must edit the configuration to allow remote administration.

Page 59: Firewall Basics with Fireware for WatchGuard System Manager v9.1

59

Configuring Policies The Outgoing Policy

• Added automatically by the Quick Setup Wizard.

• Includes all TCP and UDP ports.

• Allows all TCP and UDP traffic from any trusted or optional source to any external destination.

• Acts as a packet filter, not a proxy, and applies no content filtering restrictions by default.

Page 60: Firewall Basics with Fireware for WatchGuard System Manager v9.1

60

Configuring Policies Find Policy Tool

Fireware now features a utility to find policies that match the search criteria you specify.

With Find Policies you can quickly check for any and all matching policies for addresses, port numbers, and protocols.

Page 61: Firewall Basics with Fireware for WatchGuard System Manager v9.1

61

Working with Proxy Policies

Working with Proxy Policies

Page 62: Firewall Basics with Fireware for WatchGuard System Manager v9.1

62

Proxies What is a Proxy?

• A proxy is a powerful and highly customizable application inspection engine and content filter.

• A packet filter looks at IP header information only; a proxy looks at application data for content specific to the application being examined.

• A proxy looks beyond the header to the contents of the packet.

Page 63: Firewall Basics with Fireware for WatchGuard System Manager v9.1

63

Proxies What is a Proxy Action?

• A set of rules that tell the Firebox how to apply one of its proxies to traffic of a specific type.

• You can apply a proxy action to one policy, or multiple policies.

Page 64: Firewall Basics with Fireware for WatchGuard System Manager v9.1

64

Proxies Fireware Proxies

• DNS

• FTP

• HTTP

• SMTP

• POP3

• TCP (applies the HTTP proxy to HTTP traffic on all TCP ports)

Page 65: Firewall Basics with Fireware for WatchGuard System Manager v9.1

65

Proxies Import/Export Proxy Actions

• Entire proxy actions – only user-created proxy actions, not predefined ones

• Rulesets – you must be in Advanced View to import/export

• WebBlocker exceptions

• spamBlocker exceptions

Page 66: Firewall Basics with Fireware for WatchGuard System Manager v9.1

66

Proxies Proxy Actions

• You can apply a predefined proxy action, or clone a predefined proxy action and create a custom proxy action.

• You cannot modify the settings of a predefined proxy action.

• Each proxy action includes multiple rulesets to give you control over different components of a proxied connection.

Page 67: Firewall Basics with Fireware for WatchGuard System Manager v9.1

67

Proxies Proxy Actions

WatchGuard provides two predefined proxy actions for each type of proxy:

• Client/Outgoing proxy action – includes default settings to protect clients connecting to servers external to the Firebox.

• Server/Incoming proxy action – includes default settings to protect servers behind the Firebox.

Page 68: Firewall Basics with Fireware for WatchGuard System Manager v9.1

68

Proxies Quick Setup Wizard and Proxies

The Quick Setup Wizard does not include any proxy policies by default. The Outgoing and FTP policies included by the Quick Setup Wizard use packet filters only, not proxies, in Fireware v9.0 and higher.

Because the Firebox uses no proxies by default, there are no default restrictions on the types of files users can download from the Internet or upload to it. To add such restrictions, you must add proxy policies to the Firebox configuration.

Page 69: Firewall Basics with Fireware for WatchGuard System Manager v9.1

69

Proxies Proxies and Logging

• Each ruleset includes its own option to enable logging.

• To get detailed reporting on proxied connections, you must enable Turn on Logging For Historical Reports in the general settings of each proxy action.

Page 70: Firewall Basics with Fireware for WatchGuard System Manager v9.1

70

Proxies DNS Proxy

• Protects your DNS server from malicious or malformed connection requests and query types.

• Works with Intrusion Prevention Service.

Page 71: Firewall Basics with Fireware for WatchGuard System Manager v9.1

71

Proxies FTP Proxy

• Restricts the types of commands and files that can be sent through FTP.

• Works with the Gateway AV and the Intrusion Prevention Service (Gateway AV/IPS).

Page 72: Firewall Basics with Fireware for WatchGuard System Manager v9.1

72

Proxies SMTP Proxy

• Highly customizable proxy to restrict the types and size of files sent and received in email.

• Works with Gateway AV/IPS and spamBlocker.

Page 73: Firewall Basics with Fireware for WatchGuard System Manager v9.1

73

Proxies POP3 Proxy

• Highly customizable proxy to restrict the types and size of files sent and received in email.

• Works with GAV/IPS and spamBlocker.

Page 74: Firewall Basics with Fireware for WatchGuard System Manager v9.1

74

Proxies HTTP Proxy

• Highly customizable proxy to restrict commands, headers, and file types that can be sent in an HTTP connection.

• Works with GAV/IPS and WebBlocker.

Page 75: Firewall Basics with Fireware for WatchGuard System Manager v9.1

75

WebBlocker

Page 76: Firewall Basics with Fireware for WatchGuard System Manager v9.1

76

WebBlocker What is WebBlocker?

WebBlocker is a tool to filter access to specific web sites.

• Install a WebBlocker database on local server(s) – the WebBlocker Server.

• Configure your Firebox to query the WebBlocker Server.

• Works with the HTTP Proxy. If an HTTP client proxy action is not active, you cannot use WebBlocker.

Page 77: Firewall Basics with Fireware for WatchGuard System Manager v9.1

77

WebBlocker The WebBlocker Database

• Database created and maintained by SurfControl™.

• Database updates keep filtering rules current.

• 40 categories of web sites that you can allow or deny for different groups of users and different times of day.

Page 78: Firewall Basics with Fireware for WatchGuard System Manager v9.1

78

WebBlocker Advanced WebBlocker Settings

From the WebBlocker > Advanced tab, you can control what happens if the Firebox cannot contact the WebBlocker Server. You can:

• Allow access to all web sites.

• Deny access to all web sites.

Page 79: Firewall Basics with Fireware for WatchGuard System Manager v9.1

79

WebBlocker WebBlocker Exceptions

• Add exceptions for web sites that WebBlocker denies and you want to allow (white list).

• Add web sites that WebBlocker allows and you want to deny (black list).
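The decision WebBlocker makes for an HTTP request, covering pages 78 and 79: category lookup against the WebBlocker Server, the Advanced-tab choice of allowing or denying everything when the server cannot be contacted, and the white list and black list exceptions. This is an added Python model, not WatchGuard's code; the category database, the simulated server, and the choices that exceptions accept wildcard patterns and are evaluated before any server lookup are all assumptions made for the example.

```python
"""Added example (not WatchGuard code): WebBlocker decision logic including
exceptions and the unreachable-server fallback from the Advanced tab."""
from fnmatch import fnmatch

# Constructed stand-in for the SurfControl category database on the server.
CATEGORY_DB = {
    "intranet.example": "Business",
    "games.example": "Games",
    "news.example": "News",
}


class WebBlockerServer:
    """Simulated WebBlocker Server; reachable=False models a failed lookup."""

    def __init__(self, reachable=True):
        self.reachable = reachable

    def category(self, host):
        if not self.reachable:
            raise ConnectionError("WebBlocker Server unreachable")
        return CATEGORY_DB.get(host, "Uncategorized")


def webblocker_decision(host, server, denied_categories,
                        allow_exceptions=(), deny_exceptions=(),
                        when_unreachable="deny"):
    """Return "allow" or "deny" for an HTTP request to host.

    Exceptions are hostnames or wildcard patterns (a constructed choice) and
    are checked first: they live on the Firebox, so they need no server lookup
    and still apply when the server is down. The black list wins over the
    white list so a deliberate block cannot be undone by a broad allow."""
    if any(fnmatch(host, pattern) for pattern in deny_exceptions):
        return "deny"
    if any(fnmatch(host, pattern) for pattern in allow_exceptions):
        return "allow"
    try:
        category = server.category(host)
    except ConnectionError:
        # Advanced tab: fail open ("allow") or fail closed ("deny").
        return "allow" if when_unreachable == "allow" else "deny"
    return "deny" if category in denied_categories else "allow"


if __name__ == "__main__":
    up, down = WebBlockerServer(), WebBlockerServer(reachable=False)
    print(webblocker_decision("games.example", up, {"Games"}))
    print(webblocker_decision("games.example", up, {"Games"},
                              allow_exceptions=["games.example"]))
    print(webblocker_decision("news.example", down, {"Games"}))
    print(webblocker_decision("news.example", down, {"Games"},
                              when_unreachable="allow"))
```

The fail-closed default in `when_unreachable` is the safer setting: with fail-open, an outage of the WebBlocker Server silently lifts every category restriction, which is worth alerting on from the Firebox logs either way.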

Page 80: Firewall Basics with Fireware for WatchGuard System Manager v9.1

80

spamBlocker

Page 81: Firewall Basics with Fireware for WatchGuard System Manager v9.1

81

spamBlocker What is spamBlocker?

• Uses technology licensed from Commtouch™ to identify spam, bulk, or suspect email.

• No local server to install. You can optionally install Quarantine Server, but it is not necessary for spamBlocker to work correctly.

• Firebox queries external classification servers and caches results.

• Works with the SMTP proxy. You must have an SMTP proxy action configured to use spamBlocker.

Page 82: Firewall Basics with Fireware for WatchGuard System Manager v9.1

82

spamBlocker spamBlocker Actions

For each category (spam, bulk, or suspect email), configure the action you want the Firebox to take:

• Allow

• Add Subject Tag

• Quarantine

• Deny

• Drop

Page 83: Firewall Basics with Fireware for WatchGuard System Manager v9.1

83

spamBlocker spamBlocker Exceptions

You can configure exceptions for specific senders or recipients by:

• Individual email address

• Domain by pattern match (*@xyz.com)
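The spamBlocker flow across pages 81 to 83 as an added Python model, not WatchGuard's code: the Firebox asks the classification servers for a verdict, caches it, applies the per-category action, and lets sender or recipient exceptions (individual address or `*@domain` pattern) override the verdict. The inline verdict table stands in for the external servers, the messages are constructed, the subject tag text is a made-up choice, and giving each exception its own action is an assumption the slides do not spell out.

```python
"""Added example (not WatchGuard code): spamBlocker category actions and
sender/recipient exceptions, with an inline verdict table replacing the
external classification servers."""
from fnmatch import fnmatch

# Action per category. Allow / Add Subject Tag / Quarantine / Deny / Drop are
# the choices on the slide; which one goes with which category is a constructed policy.
ACTIONS = {"spam": "deny", "bulk": "add_subject_tag", "suspect": "allow"}

# Exceptions: (pattern, header field, action). Patterns are matched with
# fnmatch so "*@domain" works as on the slide; a per-exception action is an assumption.
EXCEPTIONS = [
    ("*@partner.example", "from", "allow"),
    ("promo@shop.example", "from", "deny"),
    ("abuse@corp.example", "to", "allow"),
]

# Constructed verdicts standing in for the classification servers, keyed by message id.
SERVER_VERDICTS = {"m1": "spam", "m2": "spam", "m3": "bulk"}

VERDICT_CACHE = {}   # the Firebox caches server results; modelled as a dict


def classify(msg, server_verdicts):
    """Return the category for msg, consulting the cache before the servers.
    Messages the servers do not flag are treated as clean."""
    if msg["id"] not in VERDICT_CACHE:
        VERDICT_CACHE[msg["id"]] = server_verdicts.get(msg["id"], "clean")
    return VERDICT_CACHE[msg["id"]]


def spamblocker(msg, server_verdicts):
    """Return (action, message after processing).

    Exceptions are evaluated before classification and take precedence over
    it. Add Subject Tag returns a copy with the tag prepended; the original
    message dict is left unchanged."""
    for pattern, header, action in EXCEPTIONS:
        if fnmatch(msg[header].lower(), pattern):
            return action, msg
    category = classify(msg, server_verdicts)
    action = ACTIONS.get(category, "allow")       # clean mail is delivered
    if action == "add_subject_tag":
        tag = "***%s*** " % category.upper()       # constructed tag text
        return action, dict(msg, subject=tag + msg["subject"])
    return action, msg


# Constructed sample messages.
MESSAGES = [
    {"id": "m1", "from": "sales@partner.example", "to": "bob@corp.example", "subject": "Q3 order"},
    {"id": "m2", "from": "deals@random.example", "to": "bob@corp.example", "subject": "Cheap watches"},
    {"id": "m3", "from": "list@news.example", "to": "bob@corp.example", "subject": "Weekly digest"},
]

if __name__ == "__main__":
    for message in MESSAGES:
        action, result = spamblocker(message, SERVER_VERDICTS)
        print(message["id"], action, result["subject"])
```

Message `m1` is classified as spam but still allowed because its sender matches the `*@partner.example` exception; that is the behaviour to keep in mind when auditing exception lists, since a domain-wide allow exception neutralises classification for everything sent from that domain.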

Page 84: Firewall Basics with Fireware for WatchGuard System Manager v9.1

84

Gateway AntiVirus/Intrusion Prevention Service (GAV/IPS)

Quarantine Server

Page 85: Firewall Basics with Fireware for WatchGuard System Manager v9.1

85

Quarantine Server Quarantine spam

• Works with spamBlocker and the SMTP proxy only (not POP3)

• Install with server components during WSM install

• Launch from the icon in the WatchGuard toolbar

Page 86: Firewall Basics with Fireware for WatchGuard System Manager v9.1

86

Quarantine Server Quarantine Server Configuration

WatchGuard Quarantine Server is highly configurable. You can set:

• Database size and admin notification

• Server settings

• How long to keep messages

• For which domains the Quarantine Server will keep mail

• Rules – automatically remove messages that are:

• From specific senders

• From specific domains

• With specific text in the Subject

Page 87: Firewall Basics with Fireware for WatchGuard System Manager v9.1

87

Gateway AntiVirus/Intrusion Prevention Service (GAV/IPS)

Gateway AV/IPS

Page 88: Firewall Basics with Fireware for WatchGuard System Manager v9.1

88

Gateway AV/IPS What is Gateway AV/IPS?

• Signature-based antivirus and intrusion prevention service.

• Firebox downloads signature databases at regular, frequent intervals.

• Gateway AV works with SMTP, HTTP, FTP, and TCP proxy.

• IPS works with all proxy actions when IPS is enabled in a policy.

Page 89: Firewall Basics with Fireware for WatchGuard System Manager v9.1

89

Gateway AV/IPS Wizards

• Gateway AV and IPS can be enabled and configured with wizards you launch from the Tasks menu.

• The wizards ask you to select which proxy policies you want to configure Gateway AV or IPS for.

Page 90: Firewall Basics with Fireware for WatchGuard System Manager v9.1

90

Gateway AV/IPS Gateway AV and the SMTP Proxy

When an email attachment contains a known virus signature, the Firebox can:

• Allow – attachment goes through with no change.

• Lock – attachment can only be opened by administrator.

• Remove – attachment is stripped from the email.

• Drop – entire email is denied without acknowledgement.

• Block – email is denied and sending server is added to blocked sites list.

Page 91: Firewall Basics with Fireware for WatchGuard System Manager v9.1

91

Gateway AV/IPS Gateway AV and the HTTP proxy

The HTTP proxy applies Gateway AV settings:

• To requests to specific URL paths defined in your configuration.

• To responses that include specific file types defined in your configuration.

Page 92

Gateway AV/IPS: Gateway AV and the HTTP Proxy

When Gateway AV finds a known virus signature in an HTTP session, the Firebox can:

• Allow – file goes through with no change.

• Drop – HTTP connection is denied.

• Block – HTTP connection is denied and web server is added to blocked sites list.

Page 93

Gateway AV/IPS: Gateway AV and the FTP Proxy

The FTP proxy applies Gateway AV settings:

• To downloaded files allowed in your configuration.

• To uploaded files allowed in your configuration.

Page 94

Gateway AV/IPS: Gateway AV and the FTP Proxy

When Gateway AV finds a known virus signature in an FTP session, the Firebox can:

• Allow – file goes through with no change.

• Deny – denies the transaction and sends a deny message.

• Drop – FTP connection is dropped immediately.

• Block – FTP connection is denied and offending IP is added to blocked sites list.

Page 95

Gateway AV/IPS: Gateway AV Settings

• Select if you want Gateway AV to decompress file formats such as .zip or .tar and set the number of levels to scan.

• Gateway AV for SMTP now supports in-line scanning, so there is no need to set the maximum size of email attachments to scan for viruses.

Page 96

Gateway AV/IPS: Updates to Signatures and Engine

• To protect against the latest viruses, enable automatic updates to Gateway AV signatures at frequent intervals.

• Automated Gateway AV engine updates ensure you have the latest functionality.

• You now have the option to send update requests through a proxy server.

Page 97

Gateway AV/IPS: Configuring IPS in a proxy policy

Signatures are divided into three severity levels: high, medium, and low.

When an IPS signature is matched, the Firebox can:

• Allow – lets traffic pass.

• Deny – denies traffic and sends a deny message.

• Drop – drops the connection immediately without acknowledgement.

• Block – drops the connection and adds the source to the blocked sites list.

Page 98

Gateway AV/IPS: IPS and the HTTP Proxy

Protects your own web server and your trusted users who make connections to external web servers.

You can enable specific IPS signature categories for:

• Instant Messaging clients

• Peer to peer clients

• Spyware categories

Page 99

GAV/IPS: Updates to IPS Signatures and Engine

• To protect against the latest intrusions, enable automatic updates to IPS signatures at frequent intervals.

• Automated IPS engine updates make sure you have the latest functionality.

Page 100

Gateway AV/IPS: Monitoring Gateway AV and IPS

From Firebox System Manager, select the Security Services tab to see status of Gateway AV and IPS signatures and manually request updates.

Page 101

Policy Manager Intrusion Prevention

Page 102

Intrusion Prevention: Blocking Sites and Ports

Policy Manager’s Blocked Sites and Ports features:

• Block all traffic from specific IP addresses, subnets, or on specific ports.

• Take precedence over policy configuration.

• Allow you to take extra precaution against known security risks on the Internet associated with specific IP addresses or ports, such as the Blaster worm, which infected systems on TCP port 135.

Page 103

Intrusion Prevention: Blocked Sites Configuration

• Static configuration – Add specific IP addresses or subnets to be permanently blocked.

• Dynamic configuration – Enable auto-blocking as part of configuration in many different places in Policy Manager, such as:

  • Proxy actions

  • Default packet handling settings

  • Policy configuration

Page 104

Intrusion Prevention: Auto-blocking sites

• Each policy configured to deny traffic has an active check box to auto-block the source of denied traffic. The source IP address of any packet denied by the policy is automatically added to the Blocked Sites List.

Page 105

Intrusion Prevention: Auto-blocking sites

• When you select a proxy action of “Block”, the IP address denied by the proxy action is automatically added to the Blocked Sites List.

Page 106

Intrusion Prevention: Configuring Auto-blocking

• Configure the amount of time to auto-block sites in Policy Manager > Setup > Intrusion Prevention > Blocked Sites > Auto-blocked tab.

• You can add Blocked Sites Exceptions if there is an IP address you want to make sure is never auto-blocked.

Page 107

Intrusion Prevention: Default Packet Handling

• A set of configurable thresholds for the detection of potentially hostile activity, such as SYN floods, IKE floods, DDoS attacks, or address probes.

• Any activity above the threshold results in the Firebox dropping connections, or adding sites to the Blocked Sites List.

• Default thresholds are meant as a benchmark for an average user and may need to be adjusted for your environment.
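The behaviour described on the auto-blocking and Default Packet Handling slides, as an added Python model (not WatchGuard code): a Blocked Sites list whose static entries take precedence over policy, whose auto-blocked entries expire, and whose exceptions are never auto-blocked, fed by an address-probe threshold. The threshold values, the window, the 1200-second auto-block duration and the traffic are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class BlockedSites:
    """Blocked Sites list: static entries, expiring auto-blocked entries and
    exceptions that are never auto-blocked (added model, not WatchGuard code)."""
    static: list                              # permanently blocked hosts/subnets
    exceptions: list                          # never auto-blocked
    auto_block_seconds: int = 1200            # assumed auto-block duration
    auto: dict = field(default_factory=dict)  # source ip -> expiry time
    def auto_block(self, ip, now):
        if any(ip_address(ip) in ip_network(e) for e in self.exceptions):
            return False                      # exception: never auto-blocked
        self.auto[ip] = now + self.auto_block_seconds
        return True

    def is_blocked(self, ip, now):
        if any(ip_address(ip) in ip_network(n) for n in self.static):
            return True
        return self.auto.get(ip, 0) > now     # auto-block still in force?

class ProbeDetector:
    """Default Packet Handling style address-probe threshold (constructed values)."""
    def __init__(self, sites, max_targets=5, window_seconds=10):
        self.sites, self.max_targets, self.window = sites, max_targets, window_seconds
        self.seen = {}                        # src -> [(time, dst), ...]

    def observe(self, now, src, dst):
        # Keep only this source's recent destinations, then count distinct hosts
        hist = [(t, d) for t, d in self.seen.get(src, []) if now - t <= self.window]
        hist.append((now, dst))
        self.seen[src] = hist
        if len({d for _, d in hist}) > self.max_targets:
            return self.sites.auto_block(src, now)   # above threshold: auto-block
        return False

def handle_packet(sites, detector, now, src, dst, policy_allows):
    """Blocked Sites take precedence over the policy decision."""
    if sites.is_blocked(src, now):
        return "blocked_site"
    detector.observe(now, src, dst)
    if sites.is_blocked(src, now):            # threshold crossed on this packet
        return "blocked_site"
    return "allow" if policy_allows else "deny"

def run_demo():
    """Constructed traffic: static block, a probing host, an exception host, the prober later."""
    sites = BlockedSites(static=["203.0.113.0/24"], exceptions=["192.0.2.50"])
    det = ProbeDetector(sites, max_targets=3, window_seconds=10)
    traffic = [(0, "203.0.113.7", "10.0.1.1", True)]           # static block beats allow policy
    traffic += [(t, "198.51.100.9", f"10.0.1.{t}", True) for t in range(1, 6)]  # address probe
    traffic += [(t, "192.0.2.50", f"10.0.1.{t}", True) for t in range(1, 6)]    # same, but excepted
    traffic += [(2000, "198.51.100.9", "10.0.1.1", True)]      # after the auto-block expires
    return [(now, src, handle_packet(sites, det, now, src, dst, ok)) for now, src, dst, ok in traffic]
```

Note that the prober's fourth packet is already refused as a blocked site even though the policy would allow it, while the excepted host sends identical traffic and is never blocked.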

Page 108

Firebox Administration

Page 109

Firebox Administration: Changing your passphrases

• We recommend you change your status and configuration passphrases frequently.

• To change your passphrases in Policy Manager, select File > Change Passphrases.

Page 110

Firebox Administration: Backing up your configuration

• Back up your configuration image before you make any major change to your configuration and before you upgrade to a new WSM or Fireware version.

• To back up your configuration image, from Policy Manager select File > Backup.

Page 111

Firebox Administration: Adding New Licensed Features

• If you purchase a new feature or renew a subscription service, you must activate your feature and get a new feature key from the LiveSecurity web site.

• To add your new feature key to Policy Manager, select Setup > Feature Keys > Add.

Page 112

Firebox Administration: Upgrading your Firebox

To upgrade to a new version of Fireware, use these steps:

1. Back up your existing Firebox image.

2. Download and install the new version of Fireware on your management station.

3. From Policy Manager, select File > Upgrade. Browse to the location of the .wgu upgrade file.

Page 113

Firebox Administration: Fireware Web Server Certificate

Why does the user get warnings from the browser?

1. The name on the certificate does not match the URL.

  • Fix this with the Fireware web server certificate.

  • It uses subject alternative names to match several possible URLs.

2. The certificate is not trusted.

  • The user still needs to import the certificate into the trusted root store.

Page 114

Working with Firebox Log Messages: Firebox Logging

Page 115

Firebox Logging: Introduction to Log Server

• You can install the Log Server on your management station, or another Windows-based computer.

• Log Server is not required for Firebox operation, but we recommend you configure a Log Server and regularly review log messages as part of your security policy.

• The Firebox generates encrypted log messages in XML and sends them to the Log Server. The Log Server decrypts and stores the messages in log files.

• The Log Server can store log messages for more than one Firebox at the same time, each in its own file.

Page 116

Firebox Logging: Configuring Logging

For log messages to be correctly stored on the Log Server, you must:

1. Install the Log Server software.

2. Configure the Log Server.

3. Configure the Firebox to send log messages to the Log Server.

Page 117

Firebox Logging: Installing the Log Server

From the WSM installer, select to install the Log Server component.

• The Log Server does not have to be installed on the same computer that you use as your management station.

• The Log Server should be on a computer with a static IP address.

Page 118

Firebox Logging: Configuring the Log Server

• To configure, right-click the Log Server icon on your Windows toolbar and select Start service.

• Set a log encryption key. You will use this same key when you configure the Firebox to send log messages to this Log Server.

Page 119

Firebox Logging: Configuring the Firebox for Logging

• In Policy Manager, select Setup > Logging to configure the Firebox with a Log Server.

• You must have the same log encryption key you entered in your Log Server configuration.

• You can configure backup Log Servers in case your primary Log Server fails.

Page 120

Firebox Logging: Log Server Status and Configuration

Right-click the Log Server option and select Status/Configuration to:

• See which Firebox devices are currently sending log messages to this Log Server.

• Set the interval for starting new log files, based on time or file size.

• Schedule automatic generation of Historical Reports.

• Configure notification options.

Page 121

Firebox Logging: Setting Rules for Logging

• The Firebox generates log messages for many different types of activities.

• You control what log messages are stored on the Log Server – most features include options to turn logging on or off.

Page 122

Firebox Logging: Setting Rules for Logging

You can also configure the Firebox to send detailed diagnostic logging if you are troubleshooting a specific problem.

Page 123

Firebox Logging: Notification

When you turn on logging, you can also enable notification or trigger an SNMP trap. Notification options include:

• Send email to specific email address.

• Pop-up notification on Log Server.

Page 124

Firebox Logging: Default Logging Policy

• When you create a policy that allows traffic, logging is not enabled by default for that policy.

• When you create a policy that denies traffic, logging is enabled by default.

• If denied traffic does not match a specific policy, it is logged by default.

Page 125

Firebox Logging: Logging and Proxies

• Proxy policies contain many more advanced options for logging than packet filter policies.

• Each proxy category has its own check box to turn on logging.

Page 126

Firebox Logging: Logging and Proxies

If you want detailed Historical Reports with information on packets handled by proxy policies, make sure you select this option in each proxy action: Turn on logging for Historical Reports.

Page 127

Firebox Logging: Viewing Log Messages

You can see log messages with two different tools:

• Traffic Monitor – Real-time monitoring from any computer running WSM.

• LogViewer – Shows full log file stored on the Log Server.

Page 128

Firebox Logging: Traffic Monitor

To see real-time traffic, select Firebox System Manager > Traffic Monitor.

Page 129

Firebox Logging: Traffic Monitor

From Traffic Monitor, right-click on a log message to get more information or take action.

Page 130

Firebox Logging: LogViewer

• Launch LogViewer from WSM and open the log file you want to see.

• LogViewer includes search features to help you find specific log messages.

Page 131

Firebox Logging: Historical Reports

Historical Reports creates reports from the log files that are recorded on the Log Server. With the advanced features of Historical Reports, you can:

• Set a specified time period for a report.

• Customize the report with data filters.

• Consolidate different log files to create a report for a group of Fireboxes.

• Show the report data in different formats.

Page 132

Firebox Logging: Historical Reports

After you define a report, use the Log Server Status/Configuration dialog box to automate your report on a schedule you select.

Page 133

Firebox Logging: Historical Reports – Tips and Tricks

• If you do not see data that you expected to see, make sure you have turned on the logging options in Policy Manager that control that data.

• Make sure the computer on which you are using Historical Reports has access to the log files on the Log Server.

• When you use the HTML reporting option, make sure to check the option: Execute Browser Upon Completion. This opens the report in your default web browser when the report is generated.

• The HTTP Proxy report and Denied Packet Summary report are particularly useful for new Firebox customers.

• If you select the option to resolve DNS in your reports (recommended), you must be patient – this can take a long time.

Page 134

Monitoring your Firebox and your network

Page 135

Monitoring your Firebox: Performance Console

With the Performance Console, users can monitor and graph the following information:

• System Information – Firebox statistics such as total active connections and CPU usage.

• Interfaces – total packets sent and received through the Firebox interfaces.

• Policies – total connections, current connections, discards.

• VPN Peers – inbound and outbound SAs, inbound and outbound packets.

• Tunnels – inbound and outbound packets, authentication errors, and replay errors.

Page 136

Monitoring your Firebox: Performance Console

After you create a counter, you see it graphed out in intervals that you set.

Page 137

Monitoring your Firebox: Performance Console

You can monitor packets processed by policy name.

Page 138

Monitoring your Firebox: HostWatch

HostWatch shows the connections through a Firebox from the trusted network (including VLANs) to the external network.

Create any combination of interfaces to monitor using regular expressions.

Page 139

Thank You