
Firebox Basics

This chapter describes the basic tasks you perform to set up and maintain a Firebox:

• Opening a configuration file

• Saving a configuration file to a local computer or the Firebox

• Resetting Firebox passphrases

• Setting the Firebox time zone

• Setting a Firebox friendly name

What is a Firebox?

A WatchGuard Firebox is a specially designed and optimized security appliance. The base model has three independent network interfaces which allow you to separate your protected office network from the Internet while providing an optional public interface for hosting Web, email, or FTP servers. Each network interface is independently monitored and visually displayed on the front of the Firebox.

NOTE

There are no user-serviceable parts within the Firebox. If a user opens a Firebox case, it voids the limited hardware warranty.

The most common and effective location for a Firebox is directly behind the Internet router, as pictured below:

Other parts of the network are as follows:

Management station

The computer on which you install and run the WatchGuard System Manager software.

WatchGuard Security Event Processor

The computer that receives and stores log messages and sends alerts and notifications. You can configure the management station to also serve as the event processor.

Trusted network

The network behind the firewall that must be protected from the security challenge.

External network

The network presenting the security challenge, typically the Internet.

Optional network or networks

Networks protected by the firewall but still accessible from the trusted and the external networks. Typically, optional networks are used for public servers such as an FTP or Web server.

Opening a Configuration File

Policy Manager is a comprehensive software tool for creating, modifying, and saving configuration files. A configuration file, with the extension .cfg, contains all the settings, options, addresses, and other information that constitute your Firebox security policy. When you view the settings in Policy Manager, you are seeing a “user friendly” version of your configuration file.

This section describes how to open a configuration file after one has been created. This assumes you have already run the QuickSetup Wizard and have a basic configuration file saved either on the Firebox or on your local hard drive. If you have not run the QuickSetup Wizard, see Chapter 5, “Using Policy Manager to Configure Your Network” for information on how to create a basic configuration from scratch.

1 Select Start => Programs => WatchGuard => Firebox System Manager.

2 If you are prompted to run the QuickSetup Wizard, click Continue.

3 If you are prompted to connect to the Firebox, click Cancel.

4 From the Firebox Manager, click the Policy Manager icon (shown at right).

You can now either open a configuration from the Firebox or from the local hard disk, as explained in the next two sections.

Opening a configuration from the Firebox

From Policy Manager:

1 Select File => Open => Firebox.

The Firebox drop-down list, as shown in the following figure, appears.

2 Use the Firebox drop-down list to select a Firebox.

You can also type in the IP address or host name.

3 In the Passphrase text box, type the Firebox status (read-only) passphrase. Click OK.

Use the status passphrase unless you are saving to the Firebox, which requires the configuration passphrase.

4 If you want, enter a value in the Timeout field to specify the duration in seconds that the management station waits for a response from the Firebox before returning a message indicating that the device is unreachable.

Opening a configuration from a local hard disk

1 Select File => Open => Configuration File.

2 Locate and select the configuration file to open. Click Open.

Saving a Configuration File

After making changes to a configuration file, you can either save it directly to the Firebox or to a local hard disk. When you save a new configuration directly to the Firebox, Policy Manager might prompt you to reboot the Firebox so that it will use the new configuration. If the Firebox does need to be rebooted, the new policy is not active until the rebooting process completes.

Saving a configuration to the Firebox

From Policy Manager:

1 Select File => Save => To Firebox.

You can also use the shortcut Ctrl+T.

2 Use the Firebox drop-down list to select a Firebox.

You can also type the IP address or DNS name of the Firebox. When typing IP addresses, type the digits and periods in sequence. Do not use the TAB or arrow key to jump past the periods. For more information on entering IP addresses, see “Entering IP addresses” on page 37.

3 Enter the configuration (read/write) passphrase. Click OK.

The configuration file is saved first to the local hard disk and then to the primary area of the Firebox flash disk. This is the reason you are prompted to save and to overwrite the existing configuration when saving to the Firebox.

4 If you entered the IP address of a different Firebox, you are asked to confirm your choice. Click Yes.

The Firebox Flash Disk dialog box, as shown in the following figure, appears.

5 Select the checkbox marked Save To Firebox. If you want to make a backup of the current image, select the checkbox marked Make Backup of Current Flash Image before saving.

NOTE

It is not necessary to back up the flash image every time you make a change to the configuration file. However, if you do choose this option, you must provide an encryption key. It is especially important not to forget this key. If you rely on this file to recover from a corrupted flash image and do not remember the key, you will not be able to restore the entire flash image. Instead, you will need to reset the Firebox and then save a new or existing configuration file to it.

6 If you are not making a backup, click Continue. If you are making a backup, in the Encryption Key field, enter the encryption key for the Firebox. In the Confirm field, reenter it to confirm.

7 If you are making a backup, in the Backup Image field, enter the path where you want to save the backup of the current flash image. Click Continue.

Instead of entering the path, you can click Browse to specify the location of the backup.

8 Enter and confirm the status (read-only) and configuration (read/write) passphrases. Click OK.

The new image is saved to the Firebox.

NOTE

Making routine changes to a configuration file does not require a new flash image. Choosing the option marked Save Configuration File Only is normally sufficient.

Saving a configuration to the management station’s local drive

From Policy Manager:

1 Select File => SaveAs => File.

You can also use the shortcut Ctrl+S.

The Save dialog box appears.

2 Enter the name of the file.

The default is to save the file to the WatchGuard directory.

3 Click Save.

The configuration file is saved to the local hard disk.

Resetting Firebox Passphrases

WatchGuard recommends that you periodically change the Firebox passphrases for optimum security. To do this, you must have the current configuration passphrase. From Policy Manager:

1 Open the configuration file running on the Firebox.

For more information, see “Opening a configuration from the Firebox” on page 44.

2 Select File => Save => To Firebox.

3 Use the Firebox drop-down list to select a Firebox or enter the Firebox IP address. Enter the configuration passphrase. Click OK.

The Firebox Flash Disk dialog box appears.

4 Select the checkbox marked Save To Firebox and the radio button marked Save Configuration File and New Flash Image. Clear the checkbox marked Make Backup of Current Flash Image. Click Continue.

5 Enter and confirm the new status (read-only) and configuration (read/write) passphrases. The status and configuration passphrases must be different from one another. Click OK.

The new image, including the new passphrases, is saved to the Firebox, and the Firebox automatically restarts.

Tips for creating secure passphrases

Although a persistent attacker can crack any passphrase eventually, you can toughen your passphrases using the following tips:

• Don’t use words in standard dictionaries, even if you use them backward or in a foreign language. Create your own acronyms instead.

• Don’t use proper names, especially company names or those of famous people.

• Use a combination of uppercase and lowercase characters, numerals, and special characters (such as Im4e@tiN9).
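The tips above, together with the requirement that the status and configuration passphrases differ, can be checked before you type new passphrases into Policy Manager. The following Python sketch is an added example, not part of the WatchGuard software; the word list is a constructed sample, and undoing common digit and symbol substitutions before the word lookup is an assumption that goes beyond the tips listed here.

```python
import re

# Constructed sample list; a real check would load a full dictionary plus
# company and personal names relevant to the site.
SAMPLE_WORDS = {"password", "firewall", "firebox", "watchguard", "admin"}

# Assumption beyond the tips above: undo common digit/symbol substitutions
# before the word lookup, so "Pa55w0rd" is still treated as "password".
SUBSTITUTIONS = str.maketrans("4@301!5$7", "aaeoiisst")

# The four character classes named in the last tip.
CLASSES = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "numeral": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}

def weaknesses(passphrase, words=SAMPLE_WORDS):
    """Return the tips that a single passphrase violates (empty list = none)."""
    problems = [f"no {name} character" for name, pattern in CLASSES.items()
                if not re.search(pattern, passphrase)]
    # Reduce the passphrase to letters only, then look for listed words
    # written forward or backward.
    letters = re.sub(r"[^a-z]", "", passphrase.lower().translate(SUBSTITUTIONS))
    for word in sorted(words):
        if word in letters or word in letters[::-1]:
            problems.append(f"contains '{word}' (forward or backward)")
    return problems

def check_pair(status, configuration, words=SAMPLE_WORDS):
    """Check both Firebox passphrases and that they differ from one another."""
    report = {
        "status": weaknesses(status, words),
        "configuration": weaknesses(configuration, words),
        "pair": [],
    }
    if status == configuration:
        report["pair"].append("status and configuration passphrases are identical")
    return report

if __name__ == "__main__":
    # Constructed sample input: a reversed dictionary word and the manual's example.
    for name, issues in check_pair("Drowssap1", "Im4e@tiN9").items():
        print(name, issues or "ok")
```
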

Setting the Firebox Model

Although you choose the Firebox model when you start a new configuration file or open an existing one, you can change the Firebox model at any time:

1 From the Setup menu, select Firebox Model.

The New Firebox Configuration dialog box appears.

2 Select the model of the Firebox you are connecting to.

The model of the Firebox entered appears at the lower-right corner of the Policy Manager window.

Setting the Time Zone

The Firebox time zone determines the date and time stamp that appear on logs and that are displayed by services such as LogViewer, Historical Reports, and WebBlocker. The default time zone is Greenwich Mean Time (Coordinated Universal Time).

From Policy Manager:

1 Select Setup => Time Zone.

2 Use the drop-down list to select a time zone. Click OK.

Setting a Firebox Friendly Name

You can give the Firebox a friendly name to be used in log files and reports. If you do not specify a name, the Firebox’s IP address is used. From Policy Manager:

1 Select Setup => Name.

The Firebox Name dialog box appears.

2 Enter the friendly name of the Firebox. Click OK.

All characters are allowed except blank spaces and forward or back slashes (/ or \).

This is typically set to the external IP address of the Firebox.

If left blank, some features may fail to function properly.