Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Copyright and Patent Information
Copyright © 2015 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and other countries. This product is covered by one or more pending patent applications.
All other trademarks and trade names are the property of their respective owners.
Complete copyright, trademark, and licensing information can be found in the Copyright and Licensing Guide, available online at http://www.watchguard.com/wgrd-help/documentation/overview.
About the Fireware Essentials Student Guide iii
Table of Contents v
Course Introduction 1
Training Options 1
Necessary Equipment and Software 2
Training Scenario 3
Prerequisites 3
Training Network Configuration 4
Student Firebox IP Addresses 5
Instructor Firebox IP Addresses 5
Configuration Changes for the Instructor Firebox 6
Fireware Web UI and Command Line Interface 7
Additional Resources 7
Getting Started 9
What You Will Learn 9
Management, Monitoring, and Visibility Tools 9
Start with WatchGuard System Manager 10
WSM Components 10
WatchGuard Dimension 11
Activate Your Device 12
Use the Setup Wizards 12
About Factory-Default Settings 13
Exercise 1 — Create a Configuration File with the Quick Setup Wizard 14
Exercise 2 — Open WSM and Connect to Devices and Servers 16
Connect to a Firebox 16
Exercise 3 — Start Policy Manager 19
Administration 25
What You Will Learn 25
Manage Configuration Files and Device Properties 25
About the OS Compatibility Version 26
About the Feature Key 26
Saving a Configuration 27
Configuration Migration 27
Manage Users and Roles on Your Firebox 27
Exercise 1 — Open and Save Configuration Files 29
Exercise 2 — Configure a Firebox for Remote Administration 31
Exercise 3 — Add Device Management Users 33
Exercise 4 — Examine and Update Feature Keys 35
View Feature Keys For Your Firebox 35
Add a Feature Key to the Firebox 37
Exercise 5 — Create a Device Backup Image 38
Exercise 6 — Add Firebox Identification Information 40
Test Your Knowledge 41
ANSWERS 42
Notes 43
Network Settings 44
What You Will Learn 44
Properties and Features of Device Interfaces 45
Interface Types and Aliases 46
Requirements for Device Interfaces 46
About DHCP Server and DHCP Relay 46
IPv6 53
Exercise 1 — Configure the External Interface 54
Exercise 1A — Configure the External Interface with a Static IP Address 54
Exercise 1B — Configure the External Interface for DHCP 55
Exercise 1C — Configure the External Interface to Use PPPoE 57
Exercise 2 — Configure a Trusted Interface as a DHCP Server 58
Exercise 3 — Configure an Optional Interface 60
Exercise 4 — Configure WINS/DNS Server Information 61
Exercise 5 — Configure a Secondary Network 62
Frequently Asked Questions 63
Test Your Knowledge 64
ANSWERS 66
Notes 67
Set Up Logging & Servers 68
What You Will Learn 68
Logging and Reporting Setup Process Overview 69
Maintain a Record of Device Activity 70
Logging and Notification Architecture 70
Log Server 72
Log Messages 72
Log Files 73
Exercise 1 — Set Up WatchGuard Server Center 74
Exercise 2 — Set Up a WSM Log Server 75
Set Up the Log Server 75
Configure the Log Server 76
Exercise 3 — Control Database and Notification Properties 77
Configure Database and Notification Settings 77
Send Log Notifications to a Network Administrator 79
Change the Encryption Key 80
Exercise 4 — Configure Where the Firebox Sends Log Messages 81
Select Reports and Timing 87
Test Your Knowledge 90
ANSWERS 92
Notes 93
Monitor Your Firewall 94
What You Will Learn 94
Regular Monitoring Improves Security 95
Exercise 1 — Review Network Status in WSM 97
Interpret the Device Status Display 98
Exercise 2 — Use Firebox System Manager 100
Connect to a Firebox and Change the Display 101
Use Traffic Monitor 103
Run a TCP Dump Diagnostic Task and Download a PCAP File 104
Change Traffic Monitor Settings 107
Check Bandwidth Usage and Service Volume 108
Exercise 3 — Create a Performance Console Graph 110
Exercise 4 — Use HostWatch to View Network Activity 113
Exercise 5 — Use the Blocked Sites List 114
Test Your Knowledge 115
ANSWERS 116
Notes 117
NAT 118
What You Will Learn 118
NAT Overview 119
Dynamic NAT 119
Exercise 1 — Add Firewall Dynamic NAT Entries 126
Exercise 2 — Configure Static NAT to Allow Access to Public Servers 128
Exercise 3 — Configure NAT Loopback to an Internal Web Server 131
Other Reasons to Use NAT 133
Test Your Knowledge 134
ANSWERS 135
Notes 136
Threat Protection 137
What You Will Learn 137
Default Threat Protection Measures Block Intruders 137
Use Default Packet Handling Options 138
Unhandled Packets 139
Automatically Block the Source of Suspicious Traffic 139
Block Ports Commonly Used by Attackers 140
Exercise 1 — Configure Default Packet Handling Options 141
Exercise 2 — Block Potential Sources of Attacks 142
Block a Site Permanently 142
Create Exceptions to the Blocked Sites List 143
Exercise 3 — Block Sites Automatically 144
Test Your Knowledge 145
ANSWERS 146
Notes 147
Policies 148
What You Will Learn 148
Policies are Rules for Your Network Traffic 149
Add Policies 149
Predefined Policies and Custom Policy Templates 151
Configure Logging and Notification for a Policy 151
Advanced Policy Properties 151
About the Outgoing Policy 152
Exercise 1 — Add a Packet Filter Policy and Configure Access Rules 154
Add a Predefined Policy 154
Modify Policies to Restrict Traffic 156
Use a Policy to Allow Traffic 157
Exercise 2 — Use FQDN in a Policy 159
Exercise 3 — Create a Custom Packet Filter Template 161
Make a New Policy Template 161
Add and Configure the Custom Policy 162
Exercise 4 — Configure Logging and Notification for a Policy 166
Exercise 5 — Change Policy Precedence 167
Override the Default Order of Policy Precedence 168
Exercise 6 — Use Advanced Policy Properties 169
Exercise 7 — Use Policy Tags and Filters to Group and Sort Policies 171
Create and Apply a Policy Tag 171
Filter the Policy List 173
Test Your Knowledge 174
ANSWERS 175
Notes 176
Proxy Policies 177
What You Will Learn 177
Proxy Policies and ALGs 177
About the DNS Proxy 178
About the FTP Proxy 179
About H.323 and SIP ALGs 181
About the TCP-UDP Proxy 181
Test Your Knowledge 191
ANSWERS 192
Notes 193
Email Proxies and Blocking Spam 194
What You Will Learn 194
Control the Flow of Email In and Out of Your Network 195
SMTP Rulesets 195
POP3 Rulesets 195
Stop Unwanted Email at the Network Edge 196
spamBlocker and DNS 197
spamBlocker Tags 197
spamBlocker Categories 197
spamBlocker Exceptions 197
Global spamBlocker Settings 198
Use an HTTP Proxy Server 199
Adding Trusted Email Forwarders 199
Exercise 1 — Use the SMTP-Proxy to Protect Your Mail Server 200
Add an Incoming SMTP-Proxy Policy 200
Decrease Maximum Message Size 201
Allow and Deny Content Types and Filenames 203
Control Mail Domain Use for Incoming Traffic 205
Exercise 2 — Control Outgoing SMTP Connections 207
Add an Outgoing SMTP-Proxy Policy 207
Control Email Message Size 208
Control Mail Domain Use for Outbound SMTP 209
Restrict Email by Attachment Filename 211
Exercise 3 — Use a POP3-Client Policy 213
Add a POP3 Client Policy 213
Configure the POP3 Policy to Lock Attachments 214
Exercise 4 — Activate spamBlocker 216
Add spamBlocker Exceptions 218
Enable Alarms When a Virus is Detected 219
Exercise 6 — Monitor spamBlocker Activity 220
Test Your Knowledge 221
ANSWERS 223
Notes 224
Web Traffic 225
What You Will Learn 225
Control Web Traffic Through Your Firewall 226
Control Outgoing HTTP Requests 227
Protect Your Web Server 227
HTTP-Proxy Action Rulesets 228
Monitor Secured HTTP Traffic with the HTTPS-Proxy Policy 231
Bandwidth and Time Quotas 231
Restrict Web Access with WebBlocker 231
WebBlocker Server Options 232
WebBlocker Categories 232
WebBlocker Exceptions 232
WebBlocker Local Override 233
WebBlocker Schedules 234
WebBlocker Server 234
About Reputation Enabled Defense 235
Reputation Scores 236
Reputation Thresholds 236
Reputation Lookups 237
Customize the Deny Message 244
Exercise 2 — Use HTTP-Proxy Exceptions to Allow Software Updates 245
Exercise 3 — Configure an HTTP-Server Proxy Action 246
Add the HTTP-Server Proxy Policy 246
Create a New Proxy Policy Ruleset 247
Exercise 4 — Enable Bandwidth and Time Quotas 248
Exercise 5 — Selectively Block Websites with WebBlocker 252
Add a WebBlocker Action 252
Select Categories to Block 253
Create an Exception 254
Enable WebBlocker Local Override 255
Exercise 6 — Set Up Reputation Enabled Defense 256
Exercise 7 — See Reputation Enabled Defense Statistics 258
Frequently Asked Questions 259
Test Your Knowledge 260
ANSWERS 263
Notes 264
Signature Services and APT Blocker 265
What You Will Learn 265
Identify and Stop Viruses at the Edge of Your Network 266
AntiVirus Scans User Traffic for Viruses and Trojans 267
Configure Gateway AntiVirus Actions 267
Use Gateway AntiVirus with Compressed Files 268
Block Advanced Malware with APT Blocker 268
APT Blocker and Gateway AntiVirus 269
Supported File Types 269
APT Blocker Threat Levels 269
Configure APT Blocker Actions 270
APT Blocker Notifications and Alarms 270
Control the Loss of Sensitive Data 271
DLP Text Extraction and File Types 272
DLP and Proxy Actions 273
DLP Sensors 273
Content Control Rules 273
DLP Actions 274
DLP Settings 274
Intrusion Prevention Service Blocks Direct Attacks 275
IPS Scan Modes 275
IPS Threat Levels and Actions 275
IPS and Policies 276
Get Information About IPS Signatures 276
Control and Monitor Application Usage on Your Network 276
Application Control Actions and Policies 277
Configure Application Control 277
Per-Application Action 277
Default Action 277
Apply the Application Control Action to a Policy 278
Monitor Application Usage 278
Get Information About Applications 279
Application Control Actions and Proxy Actions 279
Exercise 1 — Set Up Gateway AntiVirus 280
Activate Gateway AntiVirus 280
Configure Gateway AntiVirus 281
Exercise 2 — Configure the SMTP-Proxy Policy for Gateway AntiVirus 283
Exercise 3 — Use APT Blocker with the SMTP-Proxy Policy 285
Apply the Global Application Control Action to Policies 299
Exercise 7 — Use Different Application Control Actions for Different Policies 300
Test Your Knowledge 303
ANSWERS 304
Notes 305
Authentication 306
What You Will Learn 306
Monitor and Control Network Traffic by User 307
How Firebox User Authentication Works 307
Use Authentication from the External Network 307
Use Authentication through a Gateway Firebox to Another Device 308
Authentication Methods Available with Fireware 308
Use the Firebox Authentication Server 308
About Third-Party Authentication Servers 309
RADIUS Authentication Servers 309
SecurID Authentication Servers 309
LDAP Authentication Servers 310
Active Directory Authentication Servers & Single Sign-On 310
About Authentication Timeout Values 311
Exercise 1 — Add a Firebox User Group and Add Users 312
Create a Firebox User Group 312
Add Firebox Users 313
Exercise 2 — Edit Policies to Use Firebox Authentication 316
Exercise 3 — Set Global Authentication Values 318
Set Global Timeout Values 318
Set Other Global Values 318
Exercise 4 — Use a Web Server Certificate 321
Test Your Knowledge 322
ANSWERS 324
Notes 325
Review Log Messages 327
About Log Messages 329
Build Reports from Log Messages 330
WSM Report Manager 330
WatchGuard Reports 331
View Reports with Report Manager 335
Dimension Reports 336
View Reports with Dimension 336
Dimension Report List 337
Exercise 1 — Use WSM Log Manager to View Log Messages 349
Connect to WebCenter to View Log Messages 349
View Log Messages 350
Run a Search 350
Export Log Messages 352
Exercise 2 — Use Report Manager to View and Run Reports 354
Connect to WSM Report Manager to View Reports 354
View Reports 355
Exercise 3 — Share Reports from Report Manager 358
Exercise 4 — Send Log Messages to Dimension 359
Exercise 5 — View Log Messages in Dimension 360
Connect to Dimension 360
View Log Messages 361
Exercise 6 — Search Log Messages in Dimension 362
Run a Simple Search 362
Run a Complex Search 362
ANSWERS 371
Notes 372
Branch Office VPN Tunnels 373
What You Will Learn 373
BOVPN Overview 373
Benefits of a Branch Office VPN 373
Branch Office VPN Types 375
Select a VPN Type 376
VPN Tunnel Capacity 377
IPSec VPN Algorithms and Protocols 377
Encryption Algorithms 377
Authentication Algorithms 378
Diffie-Hellman Key Exchange Algorithms 378
AH (Authentication Header) 378
ESP (Encapsulating Security Payload) 379
VPN Negotiations 379
What Happens During Phase 1 Negotiations 379
What Happens During Phase 2 Negotiations 381
Policies and VPN Traffic 382
Automatically Add Policies That Allow All Traffic 382
Use the BOVPN Policy Wizard 382
Manually Add Policies 382
Use a Tunnel Alias in Policies 382
Global VPN Settings 383
VPN Monitoring and Troubleshooting 384
Monitor VPN Tunnel Status 384
Troubleshoot a VPN 385
VPN Diagnostic Report 387
Filter Log Messages by Gateway IP Address 389
IKE Log Messages 390
Necessary Equipment And Software 393
Management Computer Configuration 393
Network Topology 393
Network Configuration 394
Exercise 1 — Configure a BOVPN Gateway and Tunnel 395
Before You Begin 395
Configure Device A 395
Add a Branch Office Gateway to the Site A Device Configuration 395
Add a Branch Office Tunnel to the Device A Configuration 399
Configure Device B 401
Add a Branch Office Gateway to the Device B Configuration 401
Add a Branch Office Tunnel to the Device B Configuration 403
Test the Tunnel Configuration 404
Ping From One Management Computer to Another Through the Tunnel 405
Ping From a Device Interface to the Trusted Interface on the Other Device 405
Check Tunnel Status 406
Exercise 2 — Use VPN Diagnostics 406
Exercise 3 — Use 1-to-1 NAT Through a BOVPN Tunnel 408
Before You Begin 408
Configure Duplicate Local Network IP Addresses 408
Add a Tunnel Route with 1-to-1 NAT Enabled 409
Configure Device A 409
Configure Device B 410
Test the VPN 411
Verify the Tunnel Status 412
What You Will Learn 418
Connect Remote Users Securely to the Network 419
Mobile VPN Types 419
Select the Mobile VPN Type 421
Encryption Support 421
Authentication Server Compatibility 421
VPN Tunnel Capacity 421
Client OS Support and VPN Client Installation 422
Other Considerations 423
Mobile VPN Setup Overview 423
Mobile VPN Client Configuration Files 424
Mobile VPN with IPSec 424
Mobile VPN with SSL 425
Mobile VPN with L2TP 425
Mobile VPN with PPTP 425
Mobile VPN Network and Resource Settings 426
Default Route VPN and Split Tunnel VPN 426
Virtual IP Address Pool 426
Allowed Resources 427
Mobile VPN with IPSec Policies 427
Mobile VPN with SSL Firewall Policies 428
Mobile VPN with L2TP Firewall Policies 428
Mobile VPN with PPTP Firewall Policies 429
Before You Begin 429
Training Environment 429
Necessary Equipment And Software 430
Management Computer Configuration 430
Network Topology 430
Network Configuration 431
BOVPN Configuration 431
Review and Edit the Mobile VPN with IPSec Profile 438
Exercise 2 — Get the Mobile VPN Client Configuration Files 440
Enable Remote Management 440
Get the Client Configuration Files 441
Exercise 3 — Use an IPSec VPN Client 442
Before You Begin 442
Required Files 442
Other Important Information 442
Exercise 3A — Use the Shrew Soft IPSec VPN Client 443
Install the Shrew Soft VPN Client 443
Import the Mobile VPN Client Configuration File 443
Connect and Disconnect 444
Exercise 3B — Use the WatchGuard Mobile VPN with IPSec Client 445
Install the Mobile VPN Client 445
Import the Mobile VPN Client Configuration File and Connect 446
Connect and Disconnect 448
Exercise 4 — Set Up Mobile VPN with SSL 449
Activate the Device for SSL VPN 449
Add Users to the SSLVPN-Users Group 452
Exercise 5 — Use the Mobile VPN with SSL Client 453
Install the Mobile VPN with SSL Client 453
Connect with the Mobile VPN with SSL Client 454
Other Client Authentication Options 455
Test Your Knowledge 456
ANSWERS 458
Log In 464
Navigate Fireware Web UI 465
About the Dashboard Pages 466
Get Help 466
About the Status and Admin User Accounts 467
About Timeouts for Management Sessions 468
Control Access to the Web UI 471
About the Port for the Web UI 473
Exercise 1 — Connect to the Web UI with the Status User Account 475
Exercise 2 — Configure a Device for Remote Web UI Administration 478
Exercise 3 — Use FireWatch 482
Test Your Knowledge 486
ANSWERS 487
Firewall Essentials with Fireware v11.10
Devices: WatchGuard Firebox devices
Device OS versions: Fireware® v11.10
Management software versions: WatchGuard® System Manager v11.10
Training Options
If you use Fireware OS and WatchGuard System Manager (WSM) for your Firebox, there are several training options available to you:
Classroom training with a WatchGuard Certified Training Partner (WCTP)
WatchGuard maintains a worldwide network of certified training partners who offer regular training courses. A list of training partners can be found on our website at:
http://www.watchguard.com/training/partners_locate.asp
Quick review presentation
You can download and review the Firewall Essentials presentation. This PowerPoint presentation gives an overview of WatchGuard System Manager and Policy Manager. Students learn how to install a Firebox with the Quick Setup Wizard, create basic security policies, and get more information about additional subscription services.
Fireware Essentials Online Course
Each training module available for WatchGuard System Manager and Fireware OS focuses on a specific feature or function of configuration and security management.
Necessary Equipment and Software
For the majority of the training modules, you only need a default WatchGuard Fireware configuration file that you view and modify locally. You do not need to connect to a device to complete most of the exercises. The few modules that require additional hardware include instructions on what is needed and how to set it up.
In some training modules, you will connect to one or more Firebox devices or a Management Server. If you take this course with a WatchGuard Certified Training Partner, your instructor will provide the IP address and passphrases for devices used in the exercises. For self-instruction, you can safely connect to a Firebox or Management Server on a production network.
To complete the majority of the training modules, you must have this hardware and software:
Management computer
Your management computer must be a personal computer with the Microsoft® Windows XP, Microsoft Windows Vista, Microsoft Windows 7, or Microsoft Windows 8 operating system installed. For more information about management computer system requirements for WSM and Fireware v11.10, see the Fireware Help.
WSM software and Fireware OS
If you have a WatchGuard Support service account, you can download the WatchGuard System Manager software and Fireware OS from the WatchGuard website through the Software Downloads page. The software is also available from your instructor during classes delivered by WatchGuard Certified Training Partners.
Firewall configuration file
During the training exercises, you will open, modify, and save device configuration files. You can use Policy Manager to create new configuration files. You can also open the configuration file of your production Firebox and save it to your local hard drive. We recommend that you do not save any configuration files you make during the training exercises to a device in use on your network.
Firebox (required for some exercises)
For some exercises, particularly the exercises which introduce logging, monitoring, and reporting, it is useful to connect to a real Firebox on a production network. You do not need to change the configuration properties of this device. You can complete the exercises without access to a Firebox installed on a production network, but it is much easier to grasp some concepts when you can see log messages and information from a real network. For the branch office VPN and Mobile VPN exercises, to configure and demonstrate a working VPN tunnel, you must have access to Firebox devices.
If you choose to connect to a Firebox, you can connect to any Firebox that supports Fireware OS v11.7 and higher. You cannot use an XTM 21, XTM 22, or XTM 23 device (these models only support Fireware OS v11.7
Training Scenario
Throughout these training modules, we refer to the fictional company, Successful Company. Each module in this course builds on a story of configuring a firewall and network for Successful Company, but you can complete many of the exercises using examples from your own network or a set of addresses and situations provided by your WatchGuard Certified Training instructor. Any resemblance between the situations described for Successful Company and a real company is purely coincidental.
Prerequisites
This course is intended for moderately experienced network administrators. A basic understanding of TCP/IP networking is required. No previous experience with network security, WatchGuard System Manager, or WatchGuard hardware devices is required.
Training Network Configuration
Most of the exercises in this courseware use the RFC 5737 documentation IP addresses to represent public network IP addresses. The training modules, as well as the VPN exercises, in this courseware use this network configuration:
To support all of the exercises in this course, your training environment must include this network equipment:
• One Firebox per student, and one for the instructor.
• One network hub or switch with enough interfaces to connect the instructor and all of the student Firebox devices.
Student Firebox IP Addresses
Students may be assigned a number (10, 20, 30, etc.) to identify the last IP address octet for their external addresses, and the third octet for internal addresses in relation to their Firebox devices. This allows for similar configuration among devices and prevents IP address conflicts and subnet overlap.
Each student will configure a device with these addresses, where X is the student number:
• Eth0 – External — 203.0.113.X/24, Default Gateway 203.0.113.1
• Eth1 – Trusted — 10.0.X.1/24
In most of the exercises, your external interface and trusted interface IP addresses are determined by your student number. Replace the X in the exercises with your student number.
Instructor Firebox IP Addresses
Eth1 of the instructor Firebox must be connected to the switch and configured to act as the default gateway for the external network for student Firebox devices. The instructor Firebox must be configured with these addresses:
• Eth0 (External) — Use appropriate addressing for a training environment with an Internet connection. (This is optional. Internet access is not required for these exercises.)
• Eth1 (Trusted) — 203.0.113.1/24
This is the default gateway for the primary external interface on student Firebox devices.
To allow DNS to operate from the training environment, you must also configure a DNS server, in the Network > Configuration > WINS/DNS tab.
For DNS to function for students, the student devices and computers must also be configured to use the DNS server.
Configuration Changes for the Instructor Firebox
To make the training network functional for these exercises, the instructor must make two more configuration changes to the instructor’s device.
1. Create an Any policy to allow traffic between the trusted interfaces.
2. To enable access to the Internet, update the settings in Network > NAT > Dynamic NAT to add a dynamic NAT entry for Any-Trusted – Any-External.
Or, you can add dynamic NAT rules from the RFC 5737 addresses to Any-External (for example, add a dynamic NAT rule for 203.0.113.0/24 – Any-External).
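As an added example (not part of the WatchGuard guide and not WatchGuard code), the Python script below encodes the student and instructor addressing scheme described above and checks a whole classroom plan for the conflicts the scheme is meant to prevent: external addresses outside the instructor's 203.0.113.0/24 network, a student address that collides with the 203.0.113.1 gateway, duplicate addresses, overlapping trusted subnets, and student external addresses that the instructor's dynamic NAT source networks do not cover. The function names `student_plan` and `check_lab_plan`, the assumption that student numbers 2 through 254 are usable (the guide only mentions 10, 20, 30 and so on), and the deliberately broken plan in the usage section are mine; the default NAT source is the single 203.0.113.0/24 – Any-External rule from step 2.

```python
"""Sanity-check the Fireware Essentials training-lab addressing plan.

Added example, not WatchGuard's code. Builds each student's Eth0/Eth1 plan
from the guide's scheme (203.0.113.X/24 external with gateway 203.0.113.1,
10.0.X.1/24 trusted) and reports conflicts across the classroom.
"""
import ipaddress

# Values taken from the guide's training network configuration.
INSTRUCTOR_EXTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")  # RFC 5737 TEST-NET-3
INSTRUCTOR_GATEWAY = ipaddress.ip_address("203.0.113.1")          # instructor Eth1


def student_plan(student_number):
    """Return one student's interface plan from the guide's numbering scheme.

    Assumption (not stated in the guide): 2..254 are usable student numbers;
    1 would collide with the instructor gateway, 0 and 255 are not host addresses.
    """
    if not 2 <= student_number <= 254:
        raise ValueError(f"student number {student_number} is not usable")
    return {
        "name": f"student {student_number}",
        "eth0": ipaddress.ip_interface(f"203.0.113.{student_number}/24"),
        "eth0_gateway": INSTRUCTOR_GATEWAY,
        "eth1": ipaddress.ip_interface(f"10.0.{student_number}.1/24"),
    }


def check_lab_plan(plans, nat_sources=(INSTRUCTOR_EXTERNAL_NET,)):
    """Check a list of plans (dicts as returned by student_plan).

    Returns a list of human-readable problems; an empty list means the plan
    is clean. nat_sources holds the source networks of the instructor's
    dynamic NAT rules (default: the 203.0.113.0/24 - Any-External rule).
    """
    problems = []
    seen_ext = {}
    for p in plans:
        ext = p["eth0"]
        if ext.network != INSTRUCTOR_EXTERNAL_NET:
            problems.append(f"{p['name']}: Eth0 {ext} is not on {INSTRUCTOR_EXTERNAL_NET}")
        if p["eth0_gateway"] not in ext.network:
            problems.append(f"{p['name']}: gateway {p['eth0_gateway']} is off-link for {ext}")
        if ext.ip == INSTRUCTOR_GATEWAY:
            problems.append(f"{p['name']}: Eth0 {ext.ip} collides with the instructor gateway")
        if ext.ip in seen_ext:
            problems.append(f"{p['name']}: Eth0 {ext.ip} duplicates {seen_ext[ext.ip]}")
        seen_ext.setdefault(ext.ip, p["name"])
        # Without a covering dynamic NAT source the student cannot reach the Internet.
        if not any(ext.ip in src for src in nat_sources):
            problems.append(f"{p['name']}: Eth0 {ext.ip} is not covered by any dynamic NAT source")
        # A trusted network that overlaps the lab's external network breaks routing.
        if p["eth1"].network.overlaps(INSTRUCTOR_EXTERNAL_NET):
            problems.append(f"{p['name']}: Eth1 {p['eth1']} overlaps the external network")
    # Pairwise check: students whose trusted subnets overlap cannot reach each other.
    for i, a in enumerate(plans):
        for b in plans[i + 1:]:
            if a["eth1"].network.overlaps(b["eth1"].network):
                problems.append(f"{a['name']} and {b['name']}: Eth1 networks overlap")
    return problems


if __name__ == "__main__":
    classroom = [student_plan(n) for n in (10, 20, 30)]
    print("clean plan problems:", check_lab_plan(classroom))
    # Constructed bad plan: a hand-edited student whose trusted side reuses TEST-NET-3.
    bad = student_plan(40)
    bad["eth1"] = ipaddress.ip_interface("203.0.113.40/24")
    for line in check_lab_plan(classroom + [bad]):
        print("problem:", line)
```

Run it before class with the real list of student numbers; an empty result from `check_lab_plan` means the plan matches the guide's scheme, and each reported line names the device and interface to fix.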
Fireware Web UI and Command Line Interface
You can use Fireware Web UI (Web UI) and the WatchGuard Command Line Interface (CLI) to complete many of the same tasks that you perform in WatchGuard System Manager and Policy Manager. Some advanced configuration options and features are not available with Fireware Web UI or the Command Line Interface.
Because not all configuration options are available in the Web UI and CLI, and because the Web UI and CLI are online configuration tools (you need a network connection to a Firebox to use them), most of the exercises in the training modules for this course do not use the Web UI, and none use the CLI.
Additional Resources
For more information about how to install and configure WatchGuard System Manager see these resources:
Fireware Help
You can launch the Help system from your management computer after you install WSM. To view more information about the features in a dialog box or application window, click Help or press the F1 key. A topic that describes the features you see and provides links to additional information appears in your default web browser. For the most up-to-date information, browse to http://www.watchguard.com/help/documentation/ and launch the Fireware Help. You can also download the Help system for offline use.
WatchGuard Online Knowledge Base
Browse to http://customers.watchguard.com/.
For information about how to set up an XTMv virtual machine, see:
WatchGuard XTMv Setup Guide
Browse to http://www.watchguard.com/help/documentation/ and download the WatchGuard XTMv Setup Guide.
Set Up Your Management Computer and Device
What You Will Learn
WatchGuard System Manager is the primary management software application used to monitor and manage Firebox devices and WatchGuard servers. In addition to the many management and monitoring tools available in WatchGuard System Manager, you can use WatchGuard Dimension to monitor your device and see deep into the activity on your network.
In this training module, you learn how to:
• Use the Quick Setup Wizard to make a basic Firebox device configuration file
• Start WatchGuard System Manager and connect to Firebox devices and servers
• Start Policy Manager and open a device configuration file
Before you begin the exercises in this module, make sure you read the Course Introduction module.
Management, Monitoring, and Visibility Tools
For all of your Firebox devices, you can use the rich suite of management, configuration, monitoring, and visibility tools available from WatchGuard. This includes WatchGuard System Manager (WSM) and all the WSM tools, WatchGuard Server Center and the WSM servers, and the many WatchGuard Dimension tools. These tools are described in the subsequent sections.
Start with WatchGuard System Manager
Most of the procedures you complete in this training module start from WatchGuard System Manager (WSM), which is the primary software application you use to manage all the Firebox devices and WatchGuard servers in your network. You can use WSM to connect to any WatchGuard Firebox. This includes all Firebox and XTM device models, as well as the SOHO device models. In this training module, we use only the latest Firebox devices.
WSM Components
WatchGuard System Manager (WSM) includes several monitoring and configuration tools, including Policy Manager, Firebox System Manager, HostWatch, Log Manager, Report Manager, and CA Manager. You can start these tools after you open WSM.
WatchGuard Server Center is the application you use to set up, configure, and manage the five WatchGuard servers, as well as configure users and groups for role-based administration.
You install the WSM management software on a personal computer running Microsoft Windows XP or later. We refer to this computer as your management computer. When you install WSM on your management computer, you have the option to install any or all of the WatchGuard servers. When you select to install any of the servers, WatchGuard Server Center is automatically installed.
• Management Server — Manages multiple Firebox devices at the same time and creates virtual private network (VPN) tunnels with a simple drag-and-drop method.
• Log Server — Collects log messages from Firebox devices and servers.
• Report Server — Periodically consolidates data collected by your Log Servers and uses this data to generate the reports that you select.
• Quarantine Server — Collects and isolates SMTP email confirmed as spam by spamBlocker, or confirmed to have a virus by Gateway AntiVirus or by spamBlocker’s Virus Outbreak Detection feature.
• WebBlocker Server — Provides information for an HTTP-proxy to deny user access to specified categories of websites.
You can install these servers on your management computer, or you can install them on other computers on your network that are dedicated to these tasks. Each server has different requirements and may need to be able to connect to other servers, the Firebox, or the management computer.
WatchGuard WebCenter is the web UI that is installed with your WSM servers, where you can view Log Manager, Report Manager, and CA Manager. When you install the Log Server, Report Server, or Management Server, WatchGuard WebCenter is automatically available at the IP address where each server is installed. You can connect to WebCenter at the IP address of your Log Server, Report Server, or Management Server, over port 4130.
For more information, see the training module related to each server.
WatchGuard Dimension
WatchGuard Dimension™ is a virtual solution you can use to capture the log data from your Firebox devices, FireClusters, and WatchGuard servers and create a management connection to your Firebox devices and FireClusters. You can use Dimension to see log data in real-time, track it across your network, view the source and destination of the traffic, view log message details of the traffic, monitor threats to your network, and view or generate reports of the traffic. From Dimension, you can open Fireware Web UI for Firebox devices and FireClusters that are managed by Dimension and also take action on the information you see in the log messages, tools, and reports available in Dimension.
After you install Dimension, you run the WatchGuard Dimension Setup wizard to complete the initial configuration of Dimension. Then, you configure your Firebox devices and WatchGuard servers to send log messages to Dimension and add Firebox devices to Dimension for management.
In this training course, we only discuss the logging and reporting aspects of Dimension. For more information about Dimension, see Logging & Reporting on page 326.
Activate Your Device
You must activate your Firebox on the WatchGuard website before you can configure the device. When you activate the Firebox, you start the Support subscription for the Firebox. The Support subscription provides alerts, threat responses, and expert advice to help you keep your network secure and up-to-date. When you subscribe to Support, you also get access to the latest software upgrades for your Firebox, as well as access to technical support and training resources.
If you take this course with a training partner, your Firebox will already be activated and include the feature keys you need for the course.
To activate the Firebox, you must have:
• An account on the WatchGuard website
• The Firebox serial number
To create a new WatchGuard account, go to:
https://www.watchguard.com/account/registration_gate.asp
To activate your device with an existing WatchGuard account, log in to the WatchGuard website. In the WatchGuard Support Center, click Activate a Product.
Use the Setup Wizards
There are two setup wizards you can use to quickly create a functional configuration file for your Firebox. To use either setup wizard, you must connect your management computer to the trusted interface (eth1) of the Firebox.
Quick Setup Wizard
You can use the Quick Setup Wizard to discover and set up your Firebox. To start the Quick Setup Wizard, in WatchGuard System Manager, select Tools > Quick Setup Wizard.
Web Setup Wizard
You can use the Web Setup Wizard to set up a Firebox from any computer that has a web browser. To start the Web Setup Wizard, in a web browser, type https://10.0.1.1:8080.
About Factory-Default Settings
Each new Firebox uses factory-default settings. You can also reset a Firebox to factory-default settings. When a Firebox uses factory-default settings, only two interfaces are active:
Interface 0 (Eth0)
Interface 0 is configured as an External interface, and is configured to use DHCP to request an IP address. If you use the Web Setup Wizard to configure a device, we recommend that you connect Interface 0 to a network that has a DHCP server and Internet access, so the Firebox can connect to WatchGuard to download the Firebox feature key.
To use RapidDeploy to configure your Firebox, you must connect Interface 0 to a network with Internet access. For more information about RapidDeploy, see Fireware Help.
Interface 1 (Eth1)
Interface 1 is configured as a Trusted interface, with the IP address 10.0.1.1. It has a DHCP Server enabled, and is configured to assign IP addresses on the 10.0.1.0/24 subnet. You must connect your computer to interface 1 or to a network connected to Interface 1 when you run the Web Setup Wizard or Quick Setup Wizard.
To connect to the device when you use either setup wizard, your computer must have an IP address on the 10.0.1.0/24 subnet. If your computer uses DHCP, it will get a new IP address automatically after you connect to interface 1. If your computer does not use DHCP, you must change the IP address to an IP address on the same subnet as the IP address of Interface 1. For example, 10.0.1.2.
Exercise 1 — Create a Configuration File with the Quick Setup Wizard
You can use either the Web Setup Wizard or the Quick Setup Wizard to create a basic configuration file for a new Firebox, or a Firebox that has been reset to factory-default settings. The Quick Start Guide that ships with your Firebox describes how to use the Web Setup Wizard. In this exercise you use the Quick Setup Wizard, which is part of Firebox System Manager.
Your instructor will provide you with the information and files you need to configure your Firebox for the training environment.
For this exercise you need:
- A feature key — You receive the feature key when you activate your Firebox on the WatchGuard website. Each feature key is unique to the serial number of the Firebox. Save a copy of the feature key to the management computer before you start the Quick Setup Wizard. You can finish the wizard without the feature key, but the feature key is required to enable all device functionality.
If the Firebox does not have a feature key, it allows only one connection to the Internet.
- WSM and Fireware OS on the management computer — WSM is the software installed on the management computer and WatchGuard servers. Fireware is the operating system (OS) installed with a configuration file on the Firebox. Download the latest versions of the software and Fireware OS from the WatchGuard Portal. WSM and Fireware are separate software downloads. You must download and install both packages on your management computer. The management computer must be on the same network subnet as the device.
- Your network information — At a minimum, you must know the IP address of your gateway router and the IP addresses to give to the external and trusted interfaces of the Firebox. For the training environment, use 203.0.113.1 as the default gateway.
- A Firebox — You need a Firebox that has factory-default settings. This can be a new Firebox, or a Firebox that
Your instructor may use the presentation files to show these steps instead of having you do them yourself.
To use the Quick Setup Wizard:
1. Connect your computer to interface 1 of the Firebox.
2. From the Windows desktop, select Start > All Programs > WatchGuard System Manager > Quick Setup Wizard.
You can also click the Quick Setup Wizard icon on the WatchGuard System Manager toolbar.
The Quick Setup Wizard starts and attempts to detect a Firebox on the same network as your computer.
3. From the list of devices, select the Firebox that you are using for this training session.
4. Configure the device name, location, and contact person.
5. Configure the external interface, Eth0, with these settings. Replace X with your student number.
IP address: 203.0.113.X/24
Default Gateway: 203.0.113.1
6. Configure the trusted interface, Eth1, with these settings. Replace X with your student number.
IP address: 10.0.X.1/24
DHCP enabled, address pool: 10.0.X.2 - 10.0.X.254
7. In the Activate the software step, browse to the feature key file saved on your computer.
8. Set the Status and Configuration passphrases for your device.
You use the Status passphrase to connect to the device with the default Device Monitor user account, status. You use the Configuration passphrase to connect to the device with the default Device Management user account, admin.
When you are finished with the wizard, you will have a Firebox which allows all traffic from the trusted and optional networks to the external network but blocks everything from the external network to the protected networks.
Because you changed the IP address of the trusted interface, the DHCP server on the device will assign your computer a new IP address in the DHCP address pool you configured. It may take a few minutes for your computer to get a new IP address.
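The interface settings from the steps above, as an added Python example that is not part of the WatchGuard guide: it derives the Eth0/Eth1 plan for a student number and checks it before anyone types it into the wizard, and it shows why a computer left on the factory-default 10.0.1.0/24 subnet loses the device after the trusted address changes. The 1..254 student range, the reserved-gateway check and all function names are assumptions.

```python
"""Per-student interface plan for the Exercise 1 training network.

Added example, not part of the WatchGuard guide. It derives the settings the
wizard asks for (Eth0 203.0.113.X/24 with gateway 203.0.113.1; Eth1 10.0.X.1/24
with DHCP pool 10.0.X.2-10.0.X.254) and checks a plan before it is typed into
the Quick Setup Wizard. Assumptions: student numbers run 1..254, and the
gateway address is reserved, so X=1 is reported as a collision.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRAINING_GATEWAY = ipaddress.IPv4Address("203.0.113.1")
FACTORY_DEFAULT_TRUSTED = ipaddress.IPv4Interface("10.0.1.1/24")


@dataclass(frozen=True)
class InterfacePlan:
    name: str                                   # "Eth0" or "Eth1"
    zone: str                                   # "external" or "trusted"
    address: ipaddress.IPv4Interface            # interface address with prefix
    gateway: Optional[ipaddress.IPv4Address] = None
    dhcp_pool: Optional[Tuple[ipaddress.IPv4Address,
                              ipaddress.IPv4Address]] = None


def student_plan(x: int) -> List[InterfacePlan]:
    """Return the external and trusted interface settings for student number X."""
    if not 1 <= x <= 254:
        raise ValueError("student number must be between 1 and 254")
    external = InterfacePlan(
        name="Eth0", zone="external",
        address=ipaddress.IPv4Interface(f"203.0.113.{x}/24"),
        gateway=TRAINING_GATEWAY)
    trusted = InterfacePlan(
        name="Eth1", zone="trusted",
        address=ipaddress.IPv4Interface(f"10.0.{x}.1/24"),
        dhcp_pool=(ipaddress.IPv4Address(f"10.0.{x}.2"),
                   ipaddress.IPv4Address(f"10.0.{x}.254")))
    return [external, trusted]


def validate_plan(plans: List[InterfacePlan]) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    problems = []
    by_zone = {p.zone: p for p in plans}
    ext, tr = by_zone["external"], by_zone["trusted"]
    # The gateway must sit on the external subnet and must not be the address
    # given to the Firebox itself.
    if ext.gateway is None:
        problems.append(f"{ext.name} has no default gateway")
    else:
        if ext.gateway not in ext.address.network:
            problems.append(f"gateway {ext.gateway} is not on {ext.address.network}")
        if ext.address.ip == ext.gateway:
            problems.append(f"{ext.name} address {ext.address.ip} collides with the gateway")
    # Overlapping trusted and external subnets make routing ambiguous.
    if ext.address.network.overlaps(tr.address.network):
        problems.append("trusted and external subnets overlap")
    # The DHCP pool must lie inside the trusted subnet and leave out the
    # interface address (10.0.X.1), the network address and the broadcast address.
    if tr.dhcp_pool is not None:
        first, last = tr.dhcp_pool
        net = tr.address.network
        if first > last:
            problems.append("DHCP pool start is after pool end")
        if first not in net or last not in net:
            problems.append(f"DHCP pool {first}-{last} is not inside {net}")
        if first <= tr.address.ip <= last:
            problems.append(f"DHCP pool includes the interface address {tr.address.ip}")
        if first == net.network_address or last == net.broadcast_address:
            problems.append("DHCP pool includes the network or broadcast address")
    return problems


def management_host_ok(trusted: InterfacePlan, host_ip: str) -> bool:
    """True if a management computer at host_ip is on the trusted subnet (and is
    not the interface's own address), so it can reach the setup wizard."""
    ip = ipaddress.IPv4Address(host_ip)
    return ip in trusted.address.network and ip != trusted.address.ip


if __name__ == "__main__":
    for x in (1, 7):
        print(f"student {x}:", validate_plan(student_plan(x)) or "ok")
    # A computer left on the factory-default subnet no longer reaches 10.0.7.1.
    print(management_host_ok(student_plan(7)[1], "10.0.1.2"))
```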
Exercise 2 — Open WSM and Connect to Devices and Servers
When you open WatchGuard System Manager (WSM), you are not automatically connected to a Firebox. You must manually connect to a Firebox or to a Management Server to use many WSM features. You can connect to many devices and Management Servers at the same time.
Connect to a Firebox
From the Windows desktop:
1. Select Start > All Programs > WatchGuard System Manager > WatchGuard System Manager. WatchGuard System Manager appears.
2. On the main toolbar, click the Connect To Device icon.
Or, you can select File > Connect To Device.
3. In the IP Address or Name text box, type the trusted IP address of the Firebox. Use your Firebox IP address, or get the IP address from your instructor.
To connect to a device with read-only privileges, you use a Device Monitor user account. You can use the default status Device Monitor user account for this purpose. If you save the configuration file or add the Firebox to the Management Server as a managed device, you are prompted to type the credentials for a user account with Device Administrator privileges. The default Device Administrator user account for your device is the admin user account.
4. In the User Name and Passphrase text boxes, type the credentials for a Device Management user account with a Device Monitor (read-only) role on your Firebox. The default status account is specified by default.
5. From the Authentication Server drop-down list, select the authentication server for the user you specified. If you select an Active Directory server, you must also specify the Domain for the server you selected.
6. If necessary, change the value in the Timeout text box.
This value sets the amount of time (in seconds) that WSM waits for an answer from the Firebox before WSM shows a message that it cannot connect.
If you have a slow network or Internet connection to the device, you can increase the timeout value. If you decrease the value, you decrease the time you must wait for a time out message if you try to connect to a device that is not available.
7. Click Login.
WSM connects to the Firebox and shows the status of the Firebox on the Device Status tab.
8. On the Device Status tab, click the plus sign (+) to expand the Firebox entry.
Exercise 3 — Start Policy Manager
Policy Manager is the WSM tool you use to build the security rules your Firebox uses to protect your network. You use Policy Manager to configure policies, set up VPNs, change Device Management user account passphrases, and configure logging and notification options.
A policy is a set of rules that defines how the device manages packets that come to its interfaces. The policy identifies the source and destination of the packets. It also specifies the protocol and ports of the traffic that the policy controls. It includes instructions for the device about how to identify the packet and whether to allow, deny, drop, or block the connection. Policy Manager displays each policy as a group of rules, or a ruleset. You can view these policies in a list with detailed information about each policy, or as icons.
You can have more than one version of WSM installed on your computer. However, you can have only one version of the server components (Management Server, Log Server, Report Server, Quarantine Server, and WebBlocker Server) installed.
In WatchGuard System Manager:
1. On the Device Status tab, select your Firebox.
If there is no device visible in WSM, select File > Connect To Device, and then connect to your device.
2. Click the Policy Manager icon.
Or, select Tools > Policy Manager.
WSM checks the model and the OS (operating system) version used by the device. If you have multiple versions of WSM software installed, WSM automatically opens the correct version of Policy Manager. If you launch Policy Manager for a device that uses an older version of Fireware OS, WSM might ask if you want to upgrade the OS on that device.
Policy Manager opens in Details view by default.
3. Select Setup > OS Compatibility. The OS Compatibility dialog box appears.
4. Make sure that the selected version is 11.9 or higher.
If you open the configuration file from a device, the OS Compatibility version is automatically set to match the OS version on the device. If you use Policy Manager to create a new configuration file, you must configure this setting before you can configure features that require a specific OS version.
Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.
1. True or false? You must have a WatchGuard Management Server to use a simple drag-and-drop function for VPN creation.
2. Circle the best tool for each task:
Task | Tool
A) Monitor the status of one device | WatchGuard System Manager / Policy Manager
B) Change the device network interfaces | WatchGuard System Manager / Policy Manager
C) Configure a policy for web traffic | WatchGuard System Manager / Policy Manager
3. True or false? When connecting to your Firebox, you should decrease the Timeout setting if you have a slow network or Internet connection to your Firebox.
4. Which of the following are required before you can use the Quick Setup Wizard to make a basic device configuration file that allows more than one connection to the Internet? (Select all that apply.)
A) An account on the WatchGuard website
B) The Firebox model number
C) The IP address of the gateway router this device will connect to
D) A feature key
E) A live connection to the Internet
F) A web browser
G) An IP address to give to the external and trusted interfaces of the Firebox
5. Fill in the blank: A ________ is a set of rules that defines how the Firebox manages packets that come to its interfaces.
6. Which of the following are WatchGuard System Manager components? (Select all that apply.)
A) LogViewer
B) Router
C) Policy Manager
D) Appliance Monitor
E) Windows NT Server
F) Report Server
G) Management Computer
7. True or false? You must install all WatchGuard servers on one management computer.
ANSWERS
1. True
You cannot centrally manage a device unless you configure a WatchGuard Management Server.
2. A) WatchGuard System Manager
B) Policy Manager
C) Policy Manager
3. False
You should increase the Timeout setting if you have a slow network or Internet connection to the Firebox.
4. A, C, D, and G
5. policy
6. A, C, F, and G
7. False
Manage the Device Configuration
What You Will Learn
After you install the Firebox in your network and use the Quick Setup Wizard to give it a basic configuration file, you can add custom configuration settings to meet the needs of your organization. You can save configuration files in a variety of locations.
In this training module, you learn how to:
- Open and save configuration files
- Configure the Firebox for remote administration
- Add Device Management user accounts
- Add feature keys to the Firebox
- Back up and restore the device configuration
- Add Firebox identification information
Before you begin these exercises, make sure you read the Course Introduction module.
Manage Configuration Files and Device Properties
A device configuration file includes all configuration data, options, IP addresses, and other information for the Firebox. On the Firebox, the configuration file works with the OS to control the flow of traffic through the Firebox. The file extension for a device configuration file is .xml.
Policy Manager is an offline configuration tool. When you connect to a Firebox and open the device configuration file with Policy Manager, you are editing a local copy of the configuration file. Changes you make in Policy Manager have no effect on Firebox operation until you save them to the Firebox.
About the OS Compatibility Version
Policy Manager can manage Firebox devices that use different versions of Fireware OS. Each device configuration has an OS Compatibility setting that controls which configuration options are available for some features.
- If you connect to a Firebox and use Policy Manager to open the configuration file for the Firebox, the Fireware OS version in the file is automatically set based on the OS version the Firebox uses.
- If you use Policy Manager to create a new configuration file, you must select the Fireware OS version before you can configure some features, such as network settings and Traffic Management. To set the OS Compatibility version, in Policy Manager select Setup > OS Compatibility.
About the Feature Key
When you activate a Firebox or activate add-on services or features for a Firebox, a feature key is generated to enable features on your Firebox. You can download the feature key from the WatchGuard website when you activate your Firebox. You can then add this feature key to your Firebox from the Quick Setup Wizard, Web Setup Wizard, Policy Manager, or the Fireware Web UI. If you use the Web Setup Wizard, the Firebox can download the feature key automatically.
You must install a feature key on your Firebox to enable full functionality. If your Firebox does not have a feature key, it allows only one user to connect to the Internet. The feature key contains a list of licensed features and capacities for your Firebox. For the LiveSecurity Service, and security services, the feature key contains the service expiration date. To manage the feature key, in Policy Manager select Setup > Feature Key.
When you renew subscription services, you must update the feature key on the Firebox for the subscription to remain active. To make sure that the feature key on the Firebox stays up to date, we recommend that you enable automatic feature key synchronization in the Feature Key settings. When automatic feature key synchronization is enabled, the Firebox automatically checks the expiration status of services once per day and downloads a new feature key from WatchGuard if a feature is expired or is within three days of expiration.
When you save the configuration to a local file, the feature key is stored as a separate file, in the same directory as the configuration file. For example, if you save a device configuration with the file name
Saving a Configuration
Because Policy Manager is an offline configuration tool, you can save the device configuration to a local file, and you can save it to a Firebox. Each time you save a configuration to a Firebox, Policy Manager does several checks to make sure that the settings in the configuration are valid for the Firebox. If any setting is not compatible, Policy Manager displays a message and does not save the configuration to the Firebox. This could occur, for example, if the OS Compatibility setting in the file does not match the OS version on the Firebox, or if features are configured in a way that is not compatible with the OS version on the Firebox.
Configuration Migration
You can use Policy Manager to save the configuration file that was originally created for one Firebox to a different Firebox. To do this, you must remove the existing feature key from the configuration, and add the feature key for the new Firebox. When you add the new feature key, Policy Manager automatically updates the model number in the configuration file. Before you can save the configuration to a different Firebox, you might also need to change other settings to make the configuration compatible with the new Firebox. For example, you might need to change the OS Compatibility setting, or modify the Network settings, if the new Firebox has a different number of network interfaces.
For a video demonstration of configuration migration, see the Configuration Migration video available in the Product Documentation section of the WatchGuard website.
Manage Users and Roles on Your Firebox
You can use role-based administration on your Firebox to share the configuration and monitoring responsibilities for the Firebox among several individuals in your organization. This enables you to run audit reports to monitor which administrators make which changes to your device configuration file. By default, your Firebox includes these default user accounts and roles:
Default User Account | Default Role | Default Passphrase
admin | Device Administrator (read-write permissions) | readwrite
status | Device Monitor (read-only permissions) | readonly
wgsupport | Disabled |
When you add Device Management user accounts, you can use the two predefined roles to create new user accounts to monitor and manage your Firebox. User accounts that are assigned the Device Monitor role can connect to the Firebox with read-only permissions to monitor the Firebox, but cannot change the configuration file. User accounts that are assigned the Device Administrator role can connect to the Firebox to change the configuration file and monitor the Firebox. More than one Device Monitor can always connect to the Firebox at the same time. But, you must enable the
The wgsupport user account is disabled by default. This account is for WatchGuard Technical Support access to your Firebox. You can enable it and specify a passphrase for it if you need to enable access to your Firebox for WatchGuard Technical Support. We will not enable or modify this user account in this course.
You can use these authentication servers for Device Management user accounts on your Firebox:
- Firebox-DB
- Active Directory
- LDAP
- RADIUS
The default Device Management user accounts use the Firebox-DB authentication server.
For external authentication servers (not Firebox-DB), make sure to add the user account to the authentication server before you add the user account to your Firebox. The user account credentials that you specify for the user accounts on your Firebox are case-sensitive and must match the user credentials as they are specified on the external
Exercise 1 — Open and Save Configuration Files
The Quick Setup Wizard makes a basic configuration file for your Firebox. We recommend that you use this configuration file as the base for all your configuration files. You can also use Policy Manager to make a new configuration file with only the default configuration properties.
To create a new configuration file:
1. Open Policy Manager.
2. Select File > New.
A new configuration file appears with the default policies and settings.
Policy Manager is an offline configuration tool. The Web UI and the CLI are online configuration tools. An offline configuration tool lets you make many changes to a configuration file without sending the changes to the Firebox.
An online configuration tool is designed to immediately send all changes to the Firebox.
Most of the time, when you want to manage your Firebox configuration, you use WatchGuard System Manager (WSM) to connect to the Firebox and launch Policy Manager. When you do this, WSM loads the current device configuration file in Policy Manager. You can save a copy locally and then open this local copy in Policy Manager any time you want to work offline.
In this exercise, you open the current configuration file for your Firebox and save it to your local hard drive:
1. Open WatchGuard System Manager and connect to your Firebox.
If you are not familiar with this procedure, see the Getting Started module or ask your instructor.
2. Click the Policy Manager icon.
Or, select Tools > Policy Manager.
3. Select File > Save > As File. The Save dialog box appears.
4. In the File Name text box, type Basics-Start.
5. Click Save.
By default, configuration files are saved to the My Documents\My WatchGuard\configs folder. The configuration file type is XML.
6. To save an updated configuration file to the Firebox and to a local file, select File > Save > To Firebox. To save the file to the Firebox, you must specify a user name and passphrase for a user account with Device Administrator privileges. When you save a configuration file to the Firebox, you can also save it to a local file. If you lose the passphrase for the admin account, and you do not know the passphrase for any other account with Device Administrator privileges, you cannot save configuration changes to the Firebox.
If you have lost the admin passphrase and you have a saved configuration file, you can regain administrative access to the Firebox without losing the configuration settings. To do this you must reset the Firebox to factory-default settings, and then use the default admin account, with the default passphrase readonly to save the configuration to the Firebox from Policy Manager.
Exercise 2 — Configure a Firebox for Remote Administration
This exercise is most useful for an instructor to connect to a student Firebox during a classroom session. If you are self-instructed and do not need to remotely manage your Firebox, you can skip to the next exercise.
When you use the Quick Setup Wizard to configure your Firebox, a policy that allows you to connect to and administer the Firebox from any computer on the trusted or optional networks is automatically created. If you want to manage the Firebox from a remote location (any location external to the Firebox), then you must change your configuration file to allow administrative connections from your remote location.
The packet filter policy that controls administrative connections to the Firebox is WG-Firebox-Mgmt. The Quick Setup Wizard adds this policy with the name WatchGuard. This policy controls access to the Firebox on TCP ports 4105, 4117, and 4118. When you allow connections in the WatchGuard policy, you also allow connections to each of these ports.
Before you change a policy to allow connections to the Firebox from a computer external to your network, it is a good idea to consider these alternatives:
- Is it possible to connect to the Firebox with a VPN? This greatly increases the security of the connection. If you can connect with a VPN, then you do not need to allow connections from a computer external to your network. If it is not possible to connect to the Firebox with a VPN, you might want to consider using authentication as an additional layer of security.
- It is more secure to limit access from the external network to the smallest number of computers possible. For example, it is more secure to allow connections from a single computer than it is to allow connections from the alias Any-External.
To restrict or expand access to the Firebox, edit the From list in the WatchGuard policy.
- You can allow connections to the Firebox from external networks by adding the Any-External alias (or an appropriate IP address).
- You can restrict connections to the Firebox from internal locations by removing the Trusted and Any-Optional aliases and replacing them with the specific IP addresses from which you want to allow access.
- You can remove all IP addresses and aliases, and replace them with user names or group names. When you do this, you force users to authenticate before they are allowed to connect to the Firebox.
If you decide to allow connections to the Firebox from Any-External, it is especially important that you set very strong Device Management passphrases. It is also a good idea to change your passphrases at regular intervals.
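An added Python example, not code from WatchGuard or Policy Manager, that applies the advice in this section together with the earlier notes on OS Compatibility, configuration migration, automatic feature key synchronization and the default admin and status passphrases: a pre-save review over a simplified configuration model, with the weak sample beside a hardened copy. The dictionary layout, the check names, the placeholder serial numbers and the 198.51.100.7 administrator host are assumptions, and Any-Trusted is assumed as the trusted-network alias.

```python
"""Pre-save review of a simplified Firebox configuration model.

Added example, not Policy Manager's own checks and not its XML layout. It applies
the rules this module describes: the OS Compatibility version must match the
device, the feature key must belong to the device, services expired or within
three days of expiration need a refreshed key, the WatchGuard (WG-Firebox-Mgmt)
policy should not admit Any-External without a source restriction or
authentication, and the factory-default passphrases must be changed. Dictionary
keys, serial numbers and the 198.51.100.7 administrator host are constructed.
"""
import copy
from datetime import date, timedelta

MGMT_PORTS = (4105, 4117, 4118)        # TCP ports opened by the WatchGuard policy
DEFAULT_PASSPHRASES = {"admin": "readwrite", "status": "readonly"}
REFRESH_WINDOW = timedelta(days=3)     # automatic feature key synchronization window
REVIEW_DATE = date(2015, 6, 8)         # "today" for the sample run

SAMPLE_DEVICE = {"serial": "PLACEHOLDER-SERIAL-A", "os_version": "11.9"}

# Constructed sample: a wizard-created file after Any-External was added to the
# WatchGuard policy but the default passphrases were left in place.
SAMPLE_CONFIG = {
    "os_compatibility": "11.9",
    "feature_key": {"serial": "PLACEHOLDER-SERIAL-A",
                    "services": {"LiveSecurity": "2015-06-10",
                                 "WebBlocker": "2016-01-01"}},
    "users": {"admin": {"role": "Device Administrator", "passphrase": "readwrite"},
              "status": {"role": "Device Monitor", "passphrase": "readonly"}},
    "policies": [{"name": "WatchGuard", "type": "WG-Firebox-Mgmt",
                  "from": ["Any-Trusted", "Any-Optional", "Any-External"]}],
}

def check_os_compatibility(config: dict, device: dict) -> list:
    compat, running = config["os_compatibility"], device["os_version"]
    if compat != running:
        # Policy Manager refuses to save a file whose OS Compatibility
        # setting does not match the OS version on the Firebox.
        return [f"ERROR: OS Compatibility {compat} does not match Fireware OS {running}"]
    return []

def check_feature_key(config: dict, device: dict, today: date) -> list:
    problems = []
    key = config["feature_key"]
    if key["serial"] != device["serial"]:
        # Configuration migration: the old key must be removed and the new
        # Firebox's key added before the file can be saved to it.
        problems.append(f"ERROR: feature key serial {key['serial']} is not this "
                        f"Firebox's ({device['serial']}); import the new device's key")
    for service, expires_on in key["services"].items():
        remaining = date.fromisoformat(expires_on) - today
        if remaining < timedelta(0):
            problems.append(f"WARNING: {service} expired on {expires_on}")
        elif remaining <= REFRESH_WINDOW:
            problems.append(f"WARNING: {service} expires on {expires_on}; "
                            "synchronization would download a new key now")
    return problems

def mgmt_policies(config: dict) -> list:
    return [p for p in config["policies"] if p["type"] == "WG-Firebox-Mgmt"]

def check_management_policy(config: dict) -> list:
    problems = []
    for policy in mgmt_policies(config):
        sources = policy["from"]
        # User or group entries force authentication before the connection.
        authenticated = any(s.startswith(("user:", "group:")) for s in sources)
        if "Any-External" in sources and not authenticated:
            ports = "/".join(str(p) for p in MGMT_PORTS)
            problems.append(f"WARNING: policy {policy['name']} admits Any-External "
                            f"on TCP {ports}; prefer a VPN, one Host IP, or user names")
    return problems

def check_passphrases(config: dict) -> list:
    problems = []
    exposed = any("Any-External" in p["from"] for p in mgmt_policies(config))
    for name, account in config["users"].items():
        if account.get("passphrase") == DEFAULT_PASSPHRASES.get(name):
            level = "ERROR" if exposed else "WARNING"
            problems.append(f"{level}: {name} still uses the factory-default passphrase")
    return problems

def review(config: dict, device: dict, today: date) -> list:
    return (check_os_compatibility(config, device)
            + check_feature_key(config, device, today)
            + check_management_policy(config)
            + check_passphrases(config))

def hardened(config: dict, admin_host: str) -> dict:
    """Copy of config with the remote-administration advice applied."""
    fixed = copy.deepcopy(config)
    for policy in mgmt_policies(fixed):
        policy["from"] = [s for s in policy["from"] if s != "Any-External"]
        policy["from"].append(admin_host)          # one Host IP, not an alias
    fixed["users"]["admin"]["passphrase"] = "CHANGE-ME-long-unique-passphrase-1"
    fixed["users"]["status"]["passphrase"] = "CHANGE-ME-long-unique-passphrase-2"
    return fixed

HARDENED_CONFIG = hardened(SAMPLE_CONFIG, "198.51.100.7")
```

Any finding that starts with ERROR is one the text says would stop the save or expose the device; the WARNING lines are the advice this section gives.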
Your instructor might ask you to complete these steps. This will enable your instructor to troubleshoot configuration issues from his computer later in the class.
To use Policy Manager to configure the WatchGuard policy to allow administrative access from an external computer at a specific IP address:
1. Double-click the WatchGuard policy.
Or, right-click the WatchGuard policy and select Edit. The Edit Policy Properties dialog box appears.
The name of this policy is WatchGuard, but the packet filter type is WG-Firebox-Mgmt. This policy is specifically designed to be used for administration of the Firebox.
2. In the From section, click Add.
3. To add the IP address of the external computer you want to use to connect to the Firebox, click Add Other.
4. From the Choose type drop-down list, make sure Host IP is selected.
5. In the Value text box, type the IP address of the remote administration computer.
6. Click OK to close each dialog box.
Exercise 3 — Add Device Management Users
To share the configuration and monitoring responsibilities for the Successful Company Firebox among several individuals in the Successful Company organization, in this exercise, you add two new Device Management users to the Firebox: a Device Administrator and a Device Monitor.
When you add a Device Management user, you specify the authentication server where the user account is stored. If you specify an external authentication server, the user account credentials you specify in your Firebox configuration must match the user account credentials as they are specified on the authentication server. User account credentials are case-sensitive.
For this exercise, you add user accounts to the internal Firebox authentication server, Firebox-DB. From Policy Manager:
1. Select File > Manage Users and Roles.
The Login dialog box appears with the admin user specified by default.
2. In the Administrator Passphrase text box, type the default passphrase for the default admin user account, readwrite.
3. Click OK.
4. Click Add.
The Add User dialog box appears.
5. In the User Name text box, type a name for the new Device Administrator user account, example-co_admin.
6. From the Authentication Server drop-down list, keep the default selection, Firebox-DB.
7. From the Role drop-down list, select Device Administrator.
8. In the Passphrase and Confirm Passphrase text boxes, type the passphrase for the new Device Administrator user account, passphrase.
9. Click OK.
The example-co_admin user appears in the Manage Users and Roles list.
10. Click Add.
The Add User dialog box appears.
11. In the User Name text box, type a name for the new Device Monitor user account, example-co_monitor.
12. From the Authentication Server drop-down list, keep the default selection, Firebox-DB.
13. From the Role drop-down list, select Device Monitor.
14. In the Passphrase and Confirm Passphrase text boxes, type the passphrase for the new Device Monitor user account, passphrase.
15. Click OK.
The example-co_monitor user appears in the Manage Users and Roles list.
16. Click OK to close the Manage Users and Roles dialog box.
The new user accounts are automatically saved to the Firebox.
17. Close Policy Manager for the Firebox and disconnect from the Firebox in WSM.
18. In WSM, connect to your Firebox with the new example-co_admin user account credentials.
19. Start Policy Manager.
Now that you are connected to the Firebox with the new Device Administrator user account, example-co_admin, when you make changes to your Firebox configuration file, the audit trail will show that the example-co_admin user account made the changes to the configuration.
Exercise 4 — Examine and Update Feature Keys
When you purchase an option for your Firebox, you add a new feature key to your configuration file. You can use either Firebox System Manager or Policy Manager to see the list of feature keys currently on your Firebox. To add a new feature key to a Firebox, you use Policy Manager.
View Feature Keys For Your Firebox
To view your feature keys in Firebox System Manager:
1. Select View > Feature Keys.
2. To see more information about the feature key, click Details.
The Feature Key Detail dialog box shows a list of the features in the feature key.
Add a Feature Key to the Firebox
You use Policy Manager to add a feature key to your Firebox.
Complete this exercise in class only if your instructor requests that you do so and provides you with an updated feature key.
To add a feature key to your Firebox:
1. Open the configuration file you are editing for these exercises.
2. Select Setup > Feature Keys.
The Firebox Feature Keys dialog box appears.
3. Click Import.
The Import Firebox Feature Key dialog box appears.
4. Click Browse and select your feature key file.
Or, open your feature key file, copy the contents, and in the Import Firebox Feature Key dialog box, click Paste.
You can purchase this key from WatchGuard. If you attend a WatchGuard Certified Training course, you will receive this key from your instructor.
5. Click OK to close the Import Firebox Feature Key dialog box.
6. Click OK to close the Firebox Feature Keys dialog box.
7. Save the configuration file to the Firebox.
Exercise 5 — Create a Device Backup Image
A Firebox backup image is a saved copy of the working image from the Firebox flash disk. The backup image includes the Firebox OS, configuration file, feature keys, passphrases, DHCP leases, and certificates. The backup image also includes any event notification settings that you configured in Traffic Monitor. You can use Policy Manager to save an encrypted backup image to your management computer or to a directory on your network or other connected storage device.
We recommend that you create a backup image of the Firebox before you make significant changes to your device configuration file, or upgrade your Firebox OS. It is especially important to save a device backup image before you upgrade the version of Fireware OS on the Firebox. The backup image is the easiest way to downgrade the Firebox, if you ever need to.
You can also use Firebox System Manager to create and restore a device backup image to a USB drive connected to the Firebox. For more information, see Fireware Help.
To create a device backup:
1. Select File > Backup.
The Backup dialog box appears. Because you connected to your Firebox with the example-co_admin user account, the Administrator User Name that appears in the Backup dialog box is example-co_admin. If you connect with a Device Monitor user account, the default Device Administrator user account, admin, appears in the Administrator User Name text box.
- Windows 8 and Windows 7 — C:\Users\Public\Shared WatchGuard\backups\<Firebox IP address>-<date>.<wsm_version>.fxi.
- Windows XP — C:\Documents and Settings\All Users\Shared WatchGuard\backups\<Firebox IP address>-<date>.<wsm_version>.fxi.
When you restore the backup image, you must specify a name and passphrase for a user with administrative privileges, and you must type the encryption key you specified when you created the backup image. For this exercise, do not restore the backup image to the Firebox.
Restoring a saved backup image is the only method to downgrade a Firebox without first resetting the Firebox to factory-default settings.