
WatchGuard SSL

Web UI

3.1.3 User Guide


releases, only the WatchGuard SSL Web UI Help system is updated. The Help system also includes specific, task-based implementation examples that are not available in the User Guide.

For the most recent product documentation, see the WatchGuard SSL Web UI Help on the WatchGuard web site at: http://www.watchguard.com/help/documentation/.

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Guide revised: 6/21/2012

Copyright, Trademark, and Patent Information

Copyright © 1998-2012 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.

Note: This product is for indoor use only.

About WatchGuard

WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.

For more information, call 206.613.6600 or go to www.watchguard.com.

Address

505 Fifth Avenue South Suite 500

Seattle, WA 98104

Support

www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575

Sales

Introduction to WatchGuard SSL
About the WatchGuard SSL solution
About the WatchGuard SSL Access Client
About the Application Portal
Getting Started
Verify Basic Components
Get a WatchGuard Device Feature Key
Install the WatchGuard SSL Device Behind a Firewall
Use the Quick Setup Wizard to Set Up a Basic Configuration
Run the Quick Setup Wizard
Connect the WatchGuard SSL Device to Your Network
Connect to WatchGuard SSL Web UI and Complete Initial Tasks
Connect to WatchGuard SSL Web UI
Upload the Feature Key File
Download and Install the Latest Software
Get a Feature Key
Activate your Device and Get a Feature Key
Retrieve a Current Feature Key
Restore Factory Default Settings
Before You Begin
Start the WatchGuard SSL Device in Recovery Mode
Upload a New Software Image
Next Steps
About WatchGuard SSL Web UI
WatchGuard SSL Web UI Wizards
Publish Your Configuration
Support Information
Online Resources
Telephone Numbers
Before You Call
Relevant Information
About Monitor System
About the System Status Page
View Status Information
Manage Settings
View Administrator Activities
System Overview
Network Status
Authentication
Events
Device Status
Network Tools
Manage Settings
View Administrator Activities
About User Sessions
Search for User Sessions
View a User Session
End a User Session
Manage Search and Display Settings
About Alerts
Manage Alerts
Add an Alert
Edit and Delete Alerts
Manage Global Alert Settings
Debug Logs
Log File Information
Syslog
Manage Global Logging Settings
Use Log Viewer
About Log Viewer Search Criteria
About Reports
Available Reports
Generate a Report
Save a Report
Abolishment Report
Assessment Report
Session Trend Report
Session Trend Real-Time Report
Access Report
Authentication Report
Authorization Report
Account Statistics Report
User Policy Analysis Report
User Audit Report
Configure Live Update Settings
Reboot after Engine Updates
Check for New Live Update Files
User Management
User accounts
User groups
External Directory Service
Self Service
About User Accounts
User Account Search Result List
Manually Add a User Account
Import User Accounts
Link to a User Account
Repair a Linked User Account
Edit User Accounts
Manage Global User Account Settings
About User Groups
About user property groups
About user location groups
Add a User Group
Search, Edit, or Delete User Groups
About the External Directory Service
About Search Rules
About Directory Mapping
Add an External Directory Service Location
Edit an External Directory Service Location
About Self Service
Use the wizard to enable Self Service
Configure and Enable Self Service
About Resource Access
Resources
Client firewall
Access rules
Application Portal
SSO domains
About Resources
Manage Resources
Manage Global Tunnel Resource Settings
Manage Global Resource Settings
About Client Firewalls
Disable routes for other network connections
Check the integrity of application connections
How the client firewall works
Configure client definitions
Firewall rules based on a device
Incoming Firewall Rules
Outgoing firewall rules
Manage Internet Firewall Configurations
About Access Rules
Manage Access Rules
Manage Global Access Rules
Assessment Access Rule Requirements
About the Access Client
Manage Application Portal Items
Connect to the Application Portal
Customize your Web UI and Application Portal
About SSO Domains
Domain type attributes
Manage SSO Domains
Configure SSO for Outlook Web Access (Form Based Authentication)
Configure SSO with Outlook Web Access (Basic Authentication)
Configure SSO for Microsoft Outlook Web App 2010
Configure SSO for File Share Resources
Configure SSO for Remote Control Resources
Configure SSO for a Citrix MetaFrame Presentation Server Resource
About Manage System
About Authentication Methods
Supported Authentication Methods
About WatchGuard SSL Authentication Methods
About Other Authentication Methods
Add an Authentication Method
Manage an Authentication Method
Manage Global Authentication Service Settings
Manage RADIUS Configuration
Two-factor Authentication with Mobile ID
Configure Active Directory Authentication with LDAP over SSL
About Certificates
Certificate Lifetimes and CRLs
Certificate Authorities and Signing Requests
Manage Certificates
Create a CSR with OpenSSL
About Abolishment
Configure General Settings
Configure Cache Cleaner Settings
Configure Advanced Settings
Post-connection Cleanup with Abolishment
About Assessment
Configure General Settings for Assessment
Configure Advanced Settings
Pre-connection End-point Integrity Check
About Notification Settings
Configure the Email Notification Channel
Configure the SMS Notification Channel
Manage SMS Plug-ins
Manage Client Definitions
Add Client Definitions
Edit or Delete Client Definitions
About Delegated Management
About Administrative Privileges
Manage Administrative Roles
About the Administration Service
Manage Administration Service Settings
Change the Super Administrator Password
Manage Global Settings
Restart the Administration Service
Configure the System Time and Time Zone
Restore Factory Default Configuration Settings
Reinitialize the Local User Database
Reboot the Device
Network Configuration
Configure the Network Type
Manage Global Tunnel Resource Settings
Configure Administration Service External Communication Settings
Confirm Network Configuration Settings
Configure Network Routes
Restore a Saved Configuration
Restore the Current Configuration
Restore a Saved Configuration
Add a Description to a Saved Configuration
Delete a Saved Configuration
Lock or Unlock a Saved Configuration
Manage Saved Configuration Settings
Import or Export the Configuration
Configure Active Directory Authentication on your SSL Device
Before You Begin
Enable your AD Server for LDAP over SSL
Configure Active Directory Authentication on your SSL device
Send One-Time Passwords (OTPs) to Users
Configure the SMS Channel to send email
Configure SMS Settings for each user account
Change the Directory Mapping Attribute for Notification SMS
Enable mobile text authentication for all users
Use the OTP to Authenticate
Launch the Installed Access Client
After You Install
Connect to the Application Portal
Uninstall the Access Client
Set up the Access Client for a Standard User
Installation
Use the Access Client as a Standard User
Limitations
Launch the Access Client
Launch the On-demand Access Client
Launch the Installed Access Client
About the Access Client Menu
Edit Access Client Preferences
Manage Access Client Favorites
Check Access Client Status
Close a Tunnel
End Your SSL VPN Session
Use ESSP to Link Directly to a Resource
Register the ESSP Protocol Handler
Use ESSP to Connect to a Resource

1

Introduction to WatchGuard SSL

Your WatchGuard SSL device is an affordable, easy-to-use, and secure remote access device that provides reliable connectivity to your corporate data and resources. Its flexibility enables you to make your remote connectivity deployment as simple or as sophisticated as your business requirements dictate.

If your business requires remote access to email and file shares, your WatchGuard SSL device delivers the security, flexibility, and breadth of options you need for secure remote access to your network. The WatchGuard SSL stand-alone deployment implementation is a hassle-free VPN solution that provides universal access to applications and network resources with no connectors, no modules, no client management issues, and no extras to buy. The WatchGuard SSL 100 accommodates up to 100 concurrent users. The WatchGuard SSL 560 accommodates up to 500 concurrent users.

About the WatchGuard SSL solution

The WatchGuard SSL solution includes a WatchGuard SSL device, WatchGuard SSL Web UI, the WatchGuard SSL Application Portal, and the WatchGuard SSL Access Client.

• A WatchGuard SSL device is an all-in-one appliance that includes all the hardware, software, and WatchGuard servers for your solution.
• WatchGuard SSL Web UI is a Web-based administration application with a task-oriented approach. You can use the Web UI to monitor your WatchGuard SSL system, add user accounts, manage access to your resources, and manage your system settings.
• The WatchGuard SSL Application Portal is the web site where your users authenticate and get access to your network resources.

About the WatchGuard SSL Access Client

The WatchGuard SSL Access Client is an on-demand SSL VPN client. When a user selects a resource available through the tunnel, the Access Client automatically downloads and installs on the client computer through the web browser. The Access Client is available in two versions: the installed Access Client and the on-demand Access Client. The Access Client is loaded with either ActiveX or a Java Applet, based on your configuration choices. To use the ActiveX client loader to install the client, users must have local administrator rights on their computers. For your users who do not have local administrator rights, you can download the Access Client from the WatchGuard web site and provide it to the SSL VPN users on your network.

About the Application Portal

The Application Portal provides access to Web Resources and Tunnel Resources. Web Resources are any files accessible with a web browser, or applications with a web interface such as Outlook Web Access or WatchGuard SSL Web UI. Users can connect to Web Resources without the Access Client.


2

Getting Started

Before you install your WatchGuard SSL device, make sure you verify the basic components and get a feature key, as described in the subsequent sections.

Verify Basic Components

Make sure that you have these items:

• A computer with a 10/100BaseT Ethernet network interface card and a web browser installed
• WatchGuard SSL device
• Ethernet cable
• Power cable

Get a WatchGuard Device Feature Key

To enable all of the features on your WatchGuard SSL device, you must activate the device on the WatchGuard LiveSecurity web site and retrieve your feature key file. You can upload your feature key in the Quick Setup Wizard if you register your device before you start the wizard. Or, you can complete the wizard without a feature key. The SSL device only allows one authenticated user until you upload a feature key to the device.

For more information, see Get a Feature Key.

Install the WatchGuard SSL Device Behind a Firewall

If your WatchGuard SSL device has a private IP address

Configure the firewall with an HTTPS policy that uses static NAT. This policy must allow all traffic on port 443 from any external IP address to the private IP address of the WatchGuard SSL device.

If your WatchGuard SSL device has a public IP address

Configure the firewall with an HTTPS policy that allows traffic on port 443 from any external IP address to the public IP address of the WatchGuard SSL device.

For detailed examples about how to configure these policies on a WatchGuard firewall, see the Policies topics in the latest Fireware XTM documentation.

Use the Quick Setup Wizard to Set Up a Basic Configuration

The Quick Setup Wizard helps you set up a basic network configuration for your WatchGuard SSL device. Use the Quick Setup Wizard to set up the device for the first time, or after you reset the device to factory default settings.

Before you start the Quick Setup Wizard, make sure you:

• Register your WatchGuard SSL device with LiveSecurity Service
• Save a copy of your feature key file from the LiveSecurity web site to your computer, and extract the feature key from the compressed file

For more information, see Getting Started.

Run the Quick Setup Wizard

1. Make sure your computer is configured to use a static IP address on the 192.168.111.0/24 network.

Note: The default IP address on the WatchGuard SSL is 192.168.111.1. Do not use 192.168.111.1 on your own computer.

2. Connect the Ethernet interface on your computer to Eth1 on the WatchGuard SSL device.
3. Plug the power cord into the WatchGuard device power input and into a power source.
4. Power on the WatchGuard SSL.
5. Open a web browser and type: https://192.168.111.1:8443

The Quick Setup Wizard begins.

Note: Because the WatchGuard SSL device uses a self-signed certificate, you may see a certificate warning in your browser. It is safe to ignore the warning (Internet Explorer) or add a certificate exception (Mozilla Firefox).

6. Upload your feature key file, if you have it.
7. Set the time zone and system time settings.

Though the NTP server configuration is optional, we recommend that you specify an NTP Server. Accurate time stamps are important not only for log file messages, but also for the SSL handshake.

8. Create the Super Administrator credentials. This is a local account on the SSL device. These credentials do not have to correspond to an existing user in a directory service.

The Super Administrator password must be at least six characters long and must include characters from at least three of these four categories:

• English uppercase characters (from A through Z)
• English lowercase characters (from a through z)
• Base-10 digits (from 0 through 9)
• Non-alphanumeric characters (for example: !, $, #, or %)

9. Select the network configuration mode. The choices are:

Single Interface mode (default)

Select this mode if you want to connect the WatchGuard SSL device to one network DMZ. In single interface mode, only the Eth0 interface is active.

Dual Interface mode

Select this mode if you want to connect the WatchGuard SSL device to two separate networks (for example, two different DMZ networks). In dual interface mode, both the Eth0 and Eth1 interfaces are active.

For more information about network interface modes, see Network Configuration.

10. Type the network address information for each interface you enabled.

The final page of the Quick Setup Wizard shows a summary of the configuration settings, and the interface and IP address you must use to connect after the device reboots. After you complete the wizard, the device restarts with the settings you configured.
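The certificate exception in step 5 can be made checkable instead of blind. The following is an added example, not part of the WatchGuard guide: it records the SHA-256 fingerprint of the device's self-signed certificate while the computer is cabled directly to the device, then compares it on later connections to port 8443. The device label "ssl-gw", the pin file name and the sample byte strings are constructed; the example also assumes that the device keeps the same certificate after the wizard reboots it and that the local TLS library can negotiate with the device firmware.

```python
"""Fingerprint pinning for a self-signed management certificate (added example)."""
import hashlib
import hmac
import json
import os
import socket
import ssl

# Constructed stand-ins for two DER-encoded certificates. They are not real
# certificates; the fingerprint is a hash over the raw bytes either way.
SAMPLE_SETUP_CERT = b"constructed-bytes: certificate seen during Quick Setup"
SAMPLE_OTHER_CERT = b"constructed-bytes: different certificate seen later"


def fingerprint_sha256(der_cert: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form shown in certificate details."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der_cert(host: str, port: int = 8443, timeout: float = 5.0) -> bytes:
    """Return the server's leaf certificate (DER) without validating it.

    Chain validation is off on purpose: a self-signed certificate cannot pass
    it, so trust has to come from the fingerprint comparison in check_pin().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def load_pins(path: str) -> dict:
    """Load the label -> fingerprint map; an absent file means no pins yet."""
    if not os.path.exists(path):
        return {}
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def save_pins(path: str, pins: dict) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(pins, fh, indent=2, sort_keys=True)


def check_pin(pins: dict, device: str, der_cert: bytes) -> str:
    """Record the fingerprint on first sight, compare on every later connection.

    The pin is keyed by a device label, not by address, because the address
    changes after the wizard (assumption: the certificate does not).
    Returns "recorded", "match" or "mismatch"; a mismatch never overwrites.
    """
    seen = fingerprint_sha256(der_cert)
    pinned = pins.get(device)
    if pinned is None:
        pins[device] = seen
        return "recorded"
    if hmac.compare_digest(pinned.encode(), seen.encode()):
        return "match"
    return "mismatch"


def demo() -> list:
    """Offline walk-through with the constructed byte strings above."""
    pins = {}
    return [
        check_pin(pins, "ssl-gw", SAMPLE_SETUP_CERT),   # direct-cable setup
        check_pin(pins, "ssl-gw", SAMPLE_SETUP_CERT),   # later, same certificate
        check_pin(pins, "ssl-gw", SAMPLE_OTHER_CERT),   # later, different one
    ]


if __name__ == "__main__":
    print(demo())
    # Live use (hypothetical pin file name):
    #   pins = load_pins("pins.json")
    #   print(check_pin(pins, "ssl-gw", fetch_der_cert("192.168.111.1")))
    #   save_pins("pins.json", pins)
```

On a mismatch, compare the fingerprint in the browser's certificate details with the recorded one before you add an exception.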

Connect the WatchGuard SSL Device to Your Network

After you complete the Quick Setup Wizard, connect the WatchGuard SSL device to your network.

1. Connect the WatchGuard SSL device to your network.
• If you selected single interface mode, connect the device to your network with Eth0.
• If you selected dual interface mode, connect the device to your network with both Eth0 and Eth1.
2. Reset the IP address on your computer to the original IP address.
3. Connect your computer to the network.

Connect to WatchGuard SSL Web UI and Complete Initial Tasks

After you complete the basic configuration, you can use WatchGuard SSL Web UI to continue the configuration, management, and monitoring tasks. Before you get started, make sure that you have: 

• Connected the WatchGuard SSL device to your network
• Connected your computer to the network
• Reset the IP address of your computer

Connect to WatchGuard SSL Web UI

The interface that you use to connect to WatchGuard SSL Web UI is different depending on the deployment method you used for your device. WatchGuard SSL Web UI uses port 8443 by default.

If you configured your device in Single Interface Mode, you must connect to the Eth0 interface for management.

1. Connect your computer to the Eth0 network.

2. In a web browser, type https://<Eth0 IP address>:8443.

3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.

WatchGuard SSL Web UI appears.

If you configured your device in Dual Interface Mode, you must connect to the Eth1 interface for management.

1. Connect your computer to the Eth1 network.

2. In a web browser, type https://<Eth1 IP address>:8443.

3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.

WatchGuard SSL Web UI appears.

Upload the Feature Key File

If you did not upload your feature key file when you ran the Quick Setup Wizard, we recommend that you upload it now.

1. Get your feature key file from LiveSecurity. For instructions, see Get a Feature Key.

2. In WatchGuard SSL Web UI, select Monitor System > Feature Key.

The Feature Key page appears.

3. Upload the feature key file to the device.

For more information, see Upload a New Feature Key.

Download and Install the Latest Software

1. Go to www.watchguard.com/archive/softwarecenter.asp.
2. Find and download the latest version of WatchGuard SSL OS.
3. From the Web UI, select Manage System > Device Update.

The Update the OS page appears.

4. Update the OS version on the device.

For more information, see Update the OS.

Get a Feature Key

A feature key is a file that enables licensed features on your WatchGuard SSL device. You must get a feature key when you first install the device, and when you renew the LiveSecurity service.

Activate your Device and Get a Feature Key

To activate your device and get the device feature key:

1. Open a web browser and go to http://www.watchguard.com.

Note: If you are new to WatchGuard, follow the instructions on the web site to create a WatchGuard account profile.

2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click Activate a Product.

The Activate Products page appears.

4. Type the serial number of the device. Make sure to include any hyphens.
5. Click Continue.
6. Follow the instructions to register your device.
7. Save the feature key as a text file on your computer.

After you download the feature key, you can use the Quick Setup Wizard or the Web UI to browse to the location of the feature key on your computer and upload it to the WatchGuard SSL device.

Retrieve a Current Feature Key

You can retrieve a current feature key from the WatchGuard web site:

1. Open a web browser and go to http://www.watchguard.com.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click My Products.
4. In the list of products, select your device.
5. Use the on-screen instructions to obtain the feature key.
6. Save the feature key to a text file on your computer.

For more information, see:

Use the WatchGuard SSL Web UI

If you can log in to the WatchGuard SSL Web UI, you can restore the device to factory default settings from the Web UI. This is the easiest method to restore the factory default settings. For more information, see Restore Factory Default Configuration Settings.

Use recovery mode

If you cannot log into WatchGuard SSL Web UI, you can start the device in recovery mode. When the device is in recovery mode, you can reinstall the software image and restart the device with factory default settings. 

Before You Begin

Before you start the recovery process, you must download and save a copy of the WatchGuard SSL OS on your computer. The file has an extension of .sysa-dl. You can download the file from the Software Downloads section of the WatchGuard web site at http://www.watchguard.com/archive/softwarecenter.asp.

Start the WatchGuard SSL Device in Recovery Mode

1. Power off the WatchGuard SSL device.

2. Press and hold the up arrow button on the front panel while you power on the device.
3. Continue to hold the up arrow button until Executing SysB appears on the LCD display.

When Recovery Mode Ready appears on the LCD display, the device is in recovery mode. In recovery mode, the Eth1 address of the device is set to 10.0.1.1.

Upload a New Software Image

You must use a command line FTP program to upload the WatchGuard SSL OS software image. Many common FTP commands are disabled on the WatchGuard SSL device for security reasons. For example, you cannot change directories (cd) or show the remote working directory (pwd). Other FTP programs rely on these commands to show you a list of files in the remote directory, and do not operate correctly when these commands are disabled.

To upload a new software image to your WatchGuard SSL device:

1. Connect an Ethernet network cable between your computer and the Eth1 interface on the WatchGuard SSL device.

2. Change the IP address of your computer to 10.0.1.2 (or to another IP address on the 10.0.1.0 network).

3. Open the command line interface of your computer. For example, select All Programs > Accessories > Command Prompt from the Windows Start Menu if you use Windows XP.
4. Change your working directory to the location where you saved the .sysa_dl file.
5. At the command prompt, type ftp 10.0.1.1 to connect to your WatchGuard SSL.
6. When requested, type admin for both the user and the password.

8. Type put <filename>.

Make sure you replace <filename> in the command with the name of the .sysa-dl file you downloaded from the WatchGuard Software Downloads page.

The upload process can take several minutes to complete. Do not close the window or type more commands until another command prompt appears.

9. Type quit to close the FTP connection.
10. Exit the command line interface program.

After the software image upload completes, the WatchGuard SSL device installs the software and resets the configuration to the default settings. When the reset process completes, the device automatically restarts.

Note: The installation and reset process can take up to 10 minutes. Do not turn off the device before this process is complete.

Next Steps

After you restore the software image and the device restarts with factory default settings, you can use the Quick Setup Wizard to set up your configuration again.

Note: After the reboot, the IP address of the Eth1 interface changes to 192.168.111.1. You must change the IP address on your computer before you launch the Quick Setup Wizard.

For more information, see Use the Quick Setup Wizard to Set Up a Basic Configuration.

About WatchGuard SSL Web UI

WatchGuard SSL Web UI is a web-based administration application with a task-oriented approach. You can use the Web UI to monitor your WatchGuard SSL device, add user accounts, manage resource access, and manage your system settings.

WatchGuard SSL Web UI has two levels of menus:

Main menu

Includes these sections:

• Monitor System — Monitor information about system status, user sessions, log files, reports, licenses, and alerts.
• User Management — Manage user accounts, user groups, and configure an external directory service.
• Resource Access — Create Application Portal items to give user access to applications, folders and files, and URLs.
• Manage System — See and manage the overall configuration of your WatchGuard SSL system.

WatchGuard SSL Web UI Wizards

All common tasks use wizards to guide you through the steps to complete your task. This includes procedures to add user accounts, resources, and many others.

• To start a wizard, click Add.
• To cancel a wizard at any time, select a different menu item or close your browser window or tab.
• To return to the previous page in a wizard, click Previous.
• To save your changes, click Finish Wizard or Save.

Publish Your Configuration

After you add or edit a setting in your configuration, you must save the changes to the WatchGuard SSL device and services before they can take effect. The Publish button at the top of the Web UI changes from white to blue when you make changes that must be saved.

To save your configuration changes:

Click Publish at the top of the Web UI.

You can later review or restore a configuration.

For more information about configurations, see Restore a Saved Configuration.

System Messages

When you use a wizard or make a change to your configuration, feedback messages appear in WatchGuard SSL Web UI at the top of the current page. If the message text is red, you have made an error in your configuration selection. If the message text is green, your configuration change was successful.

Use the File Browser

You can use the WatchGuard SSL Web UI file browser to find files on your WatchGuard SSL device. This is helpful when you want to find a file name or path to include in your settings (for example, with a script). To use the file browser:

1. At the top of the Web UI, click Browse.

2. Select a folder from the navigation tree on the left.
3. To change a current file, select a file to edit, download, delete, or rename.
• To edit the file, click [icon]. Make changes to the file contents, then click Save.
• To download the file, click [icon]. Select to Open or Save the file.
• To delete the file, click [icon]. In the Warning dialog box, click OK.
• To rename the file, click [icon]. In the Rename File text box, type a new name. Click Rename.

4. To upload a new file, adjacent to the Upload File text box, click Browse and select a file. Click Upload.

About WatchGuard LiveSecurity Service

WatchGuard knows just how important support is when you must secure your network with limited resources. Our customers require greater knowledge and assistance in a world where secure access is critical. LiveSecurity® Service gives you the backup you need, with a subscription that supports you as soon as you register your WatchGuard SSL device.

LiveSecurity Service

Your WatchGuard SSL device includes a subscription to our ground-breaking LiveSecurity Service, which you activate online when you register your product. As soon as you activate, your LiveSecurity Service subscription gives you access to a support and maintenance program unmatched in the industry. LiveSecurity Service comes with the following benefits:

Hardware Warranty with Advance Hardware Replacement

An active LiveSecurity subscription extends the one-year hardware warranty that is included with each WatchGuard SSL device. Your subscription also provides advance hardware replacement to minimize downtime in case of a hardware failure. If you have a hardware failure, WatchGuard will ship a replacement unit to you before you have to ship back the original hardware.

Software Updates

Your LiveSecurity Service subscription gives you access to updates to current software and functional enhancements for your WatchGuard products.

Technical Support

When you need assistance, our expert teams are ready to help.

• Representatives available 12 hours a day, 5 days a week in your local time zone*
• Four-hour targeted maximum initial response time

Support Resources and Alerts

Your LiveSecurity Service subscription gives you access to a variety of professionally produced instructional videos, interactive online training courses, and online tools specifically designed to answer questions you may have about network security in general or the technical aspects of installation, configuration, and maintenance of your WatchGuard products.

Our Rapid Response Team, a dedicated group of network security experts, monitors the Internet to identify emerging threats. They then deliver LiveSecurity Broadcasts to tell you specifically what you can do to address each new menace. You can customize your alert preferences to fine-tune the kind of advice and alerts the LiveSecurity Service sends you.

LiveSecurity Service Gold

LiveSecurity Service Gold is available for companies that require 24-hour availability. This premium support service gives expanded hours of coverage and faster response times for around-the-clock remote support assistance. LiveSecurity Service Gold is required on each unit in your organization for full coverage.

Service Features | LiveSecurity Service | LiveSecurity Service Gold
Technical Support hours | 6 AM–6 PM, Monday–Friday* | 24/7
Number of support incidents (online or by phone) | 5 per year | Unlimited
Targeted initial response time | 4 hours | 1 hour
Interactive support forum | Yes | Yes
Software updates | Yes | Yes
Online self-help and training tools | Yes | Yes
LiveSecurity broadcasts | Yes | Yes
Installation Assistance | Optional | Optional
Three-incident support package | Optional | N/A
One-hour, single incident priority response upgrade | Optional | N/A
Single incident after-hours upgrade | Optional | N/A

*In the Asia Pacific region, standard support hours are 9AM–9PM, Monday–Friday (GMT +8).

Service expiration


fee.

Support Information

WatchGuard offers a variety of technical support services for your purchased products and services. For more information, see the WatchGuard support web site.

Online Resources

Product documentation

http://www.watchguard.com/help/documentation/

Knowledge Base

http://customers.watchguard.com/

Training and courseware

http://www.watchguard.com/training/courses.asp

WatchGuard Forum

http://www.watchguard.com/forum/

Telephone Numbers

US & Canada +877.232.3531

International +1.206.613.0456

Before You Call

When you create an incident, make sure you include all information required. Ask yourself these questions to help you find what you must include:

1. What are you trying to do?

2. Were you able to perform this action previously without problems?

3. What behavior do you see?

4. What behavior would you expect to see if the problem was not occurring?

5. How often do the symptoms occur?

6. What troubleshooting steps, if any, have you taken?


If possible, include these additional items when you call, so your technician can promptly resolve your issue:

Logs

Log messages are important. If you have access to the Log Viewer at the time of the error, include a section of the logs.

Network diagrams


3

About Monitor System

You can use WatchGuard SSL Web UI to see information about system status, user sessions, log files, reports, licenses, and alerts. To monitor your WatchGuard SSL system, select Monitor System. The Monitor System menu includes:

System Status

You can see status information about your device. This includes the system, network, authentication, events, and devices. You can also manage monitoring settings and monitor administrator activities. For more information, see About the System Status Page.

User Sessions

You can see a list of the current user sessions, and you can search sessions by User ID. For more information, see About User Sessions.

Alerts 

You can manage administrator alerts. For more information, see About Alerts.

Logging 

You can manage logging settings for all registered servers. For more information, see Manage Logging.

Log Viewer


Diagnostics File

You can create a compressed diagnostics file that contains configuration and log files for all services for a selected period.

For more information, see About the Diagnostics File.

Feature Key

You can see information about the installed features. You can also upload a new feature key. For more information, see About the Feature Key.

Live Update

You can change the update settings for the End-Point Security definition file that is used for client scans to support Assessment access rules.

For more information, see Live Update.

About the System Status Page

When you first log in to WatchGuard SSL Web UI, the System Status page appears. From the System Status page, you can select a tab to see an overview of information about your system, check the status of your network, review current authentication settings, identify events that have occurred on your system, verify the status of your device, and run basic debug tools to help you troubleshoot issues on your network. You can also click a link to manage settings for event monitoring, change the Super Administrator password, and view information about the date and time of administrator activities.

To monitor the status of the WatchGuard SSL system:

1. Connect to WatchGuard SSL Web UI.

2. Select Monitor System > System Status.


3. To update the information that appears on the System Status page, click Refresh.

View Status Information

On the System Status page, select a tab to choose the status information type. For more information about each tab, see:


For more information, see Manage Settings.

View Administrator Activities

To view the recent activities of administrators:

Click View Administrator Activities.

The View Administrator Activities page appears.

For more information, see View Administrator Activities.

System Overview

The System Overview page includes basic information about your system. This includes the version of software on your device, the current feature key version, information about administrators and users, and the registered resources and domains for your system.

To see basic information about your WatchGuard SSL system:

1. Select Monitor System > System Status.

2. Select the System Overview tab.


The System Overview tab has four sections, which include basic information about your system, as described in the subsequent sections.

System Information

The System Information section shows information about the installed software and feature keys.

Software version

The version and build number for the installed operating system software.

Feature Key Version

The version number in the feature key.


System Services

The System Services section shows the services that are enabled on your SSL device.

External Host

Shows the IP address and port number configured for communication between the WatchGuard SSL Web UI and the client.

Internal Host

Shows the IP addresses and port numbers used for communication between services on the device.

Administrators

The Administrators section shows information about administrative users.

Administrator

The user name for the administrator account.

Logged on Administrators

The number of administrators currently logged in.

Users

The Users section shows status information about users and user accounts.

Concurrent Users

The number of users currently connected to the SSL device. The maximum number allowed by the feature key appears in parentheses.

Registered User Accounts

The number of registered user accounts. The maximum number allowed by the feature key appears in parentheses.

Logged-on Users

The number of users currently logged in.

Active Users

The number of active users currently logged in that have made a request within the last 15 minutes.

Resources

Registered Resources

The number of registered resources on the Resources page.

Registered SSO domains


Network Status

The Network Status tab includes configuration and statistical information for the network interfaces enabled on the SSL device.

To see the status of the network interface configuration:

1. Select Monitor System > System Status.

2. Select the Network Status tab.

The Network Status tab includes these sections:


Eth1

Shows configuration information and traffic statistics for the Eth1 interface. Eth1 is disabled in single interface mode.

Routing Table

Shows the routing table for the device.

For more information about network configuration and interface modes, see Network Configuration.

Authentication

On the Authentication tab, you can review the configuration status of the enabled authentication methods, the status of notification channels, and configuration information for the databases used for authentication.

To see the status of the authentication configuration:

1. Select Monitor System > System Status.

2. Select the Authentication tab.


Authentication Methods

Shows the IP address and port configured for each of the five WatchGuard authentication methods.

RADIUS clients

Shows the number of registered RADIUS clients.

Email Notification

Shows the status of email notification. If email notification is enabled, the email host information appears.

SMS Distribution

Shows the status of SMS distribution. If SMS distribution is configured, information about the primary and secondary SMS channels appears.

Local User Database

Shows the host IP address and account information for the local user database.

External Directory Service

Shows the name, IP address, and account information for the configured external directory service.

Events

The Events tab includes a list of events related to the status of connections and services.

To see recent system events:

1. Select Monitor System > System Status.

2. Select the Events tab.


If you enable Event Monitoring on the Manage Settings page, the Events tab also shows events related to connectivity to the local user database and external directory services. 

For more information about the Manage Settings page, see Manage Settings.

Device Status

The Device Status tab includes information about your device (software version, connections, and resource use) and the SSL listener status for your device.

To see statistics and configuration information for your WatchGuard SSL device:

1. Select Monitor System > System Status.

2. Select the Device Status tab.

Device Overview

The Device Overview section shows information about the device software, connections, and resource use.

Host


Current Server Time

Shows the current date and time for the SSL device.

Server Started

Shows the date and time the device was last started.

Version

The software version and build number.

Client Connections

The current number of active clients.

Server Connections

The current number of connections used to communicate with internal web sites, such as web resources. Some web applications require more than one connection per user.

Queued Connections

The current number of connections that are not yet processed.

Active Worker Threads

The number of active threads is shown first. The maximum number of active threads is shown in parentheses.

Available Memory

The amount of available memory, in megabytes.

Open SSL Version

The version of OpenSSL that the WatchGuard SSL device uses.

SSL Status for <IP address:port>

The SSL Status section shows statistics about the SSL listener. By default, there is just one SSL listener. If you add additional listeners, this page displays the status for each listener.

- SSL Sessions in Cache

- SSL Accepts

- Finished SSL Accepts

- Renegotiates

- Session Cache Hits

- Session Cache Misses

- Session Cache Timeouts

- Callback Cache Hits

- Cache Full Overflows


Network Tools

From the Network Tools tab, you can run some basic network commands. This can be helpful when you troubleshoot issues with your network.

The network tools available in WatchGuard SSL Web UI are:

ping

A command to detect whether a connection to a specified hostname or IP address is possible.

tcpdump

A program to intercept and examine TCP/IP packets for diagnostic purposes.

traceroute

A command to show the routing path taken from the device to a hostname or IP address.

nslookup

A program that shows the information from the DNS records of a domain or hostname.

To use the network tools:


3. From the Command Type drop-down list, select a command.

The command appears in the Prepared Command list.

4. In the Extended Parameters text box, type the command line parameters for the command you selected.

For example, if you selected ping, type the hostname or IP address to ping.

The parameters appear in the Prepared Command list, after the command.

5. From the Max Run Time drop-down list, select the maximum amount of time you want the command to run.

6. To run the command shown in the Prepared Command list, click Run.

The result of the command appears in the Result section.

7. To stop the command, click Stop.

8. To clear the Result section, click Clear.

Manage Settings

You can select whether to monitor the connection to the Local User Database or External Directory Service, change the Super Administrator password, and enable the password policy.

Event Monitoring Settings

When you enable event monitoring, the connection between your device and the Local User Database or External Directory Service is examined every 15 seconds and a log message is recorded in the service log. The log messages appear on the Events tab of the System Status page. This option is selected by default. To increase the performance of your system, disable this option.

To enable event monitoring:

1. Select Monitor System > System Status.

2. Click Manage Settings.


3. Select the Monitor connections to the local user database and external directory service check box.

4. Click Save.

Change the Super Administrator Password

When you complete the Quick Setup Wizard, you set the Super Administrator password. You can change this password at any time. You can also enable or disable the WatchGuard SSL password policy, which requires that the Super Administrator password meet these specific standards:

- The password must be at least six characters long

- The password must include characters from at least three of these four categories:

  - English uppercase characters (from A through Z)
  - English lowercase characters (from a through z)
  - Base-10 digits (0 through 9)
  - Non-alphanumeric characters (for example, !, $, #, or %)

To enable or disable the password policy, or change the password:

1. Select Monitor System > System Status.

2. Click Manage Settings.


3. Select the Enable password policy check box.

4. In the Current Password text box, type the password currently assigned to the Super Administrator.

5. In the New Password and Verify New Password text boxes, type the new password.

6. Click Save.

You can also change the password settings from the Manage System > Administration Service page, as described in Change the Super Administrator Password.
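The password policy listed in this section can be checked offline before you type a new Super Administrator password. The Python sketch below is an added example, not WatchGuard code. It assumes that any character outside A-Z, a-z, and 0-9 counts as non-alphanumeric, which the guide does not state, and the sample passwords are constructed.

```python
import string

MIN_LENGTH = 6            # "at least six characters long"
REQUIRED_CATEGORIES = 3   # "at least three of these four categories"
ALL_CATEGORIES = {"uppercase", "lowercase", "digit", "non-alphanumeric"}


def password_categories(password):
    """Return the set of policy categories that appear in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("uppercase")
        elif ch in string.ascii_lowercase:
            found.add("lowercase")
        elif ch in string.digits:
            found.add("digit")
        else:
            # Assumption: everything else (punctuation, spaces, non-English
            # letters) is treated as a non-alphanumeric character.
            found.add("non-alphanumeric")
    return found


def check_password_policy(password):
    """Return a list of policy violations. An empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    found = password_categories(password)
    if len(found) < REQUIRED_CATEGORIES:
        missing = ", ".join(sorted(ALL_CATEGORIES - found))
        problems.append(
            "only %d of 4 categories present; missing: %s" % (len(found), missing)
        )
    return problems


def audit(candidates):
    """Check several candidate passwords and map each one to its violations."""
    return {candidate: check_password_policy(candidate) for candidate in candidates}


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for candidate, problems in audit(["Passw0rd", "password1", "Ab1!", "ABCDEF"]).items():
        print("%-10s %s" % (candidate, "OK" if not problems else "; ".join(problems)))
```

A password that passes this check satisfies only the two rules listed above. The length rule and the category rule are reported separately, so a short password with all four categories still fails.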

View Administrator Activities

You can use WatchGuard SSL Web UI to see a list of all the administrators logged on to the Web UI, as well as the date and time of recent actions for each administrator.

1. Select Monitor System > System Status.

2. Click View Administrator Activities.

The Administrator Activities page appears.

About User Sessions


Search for User Sessions

By default, the User Sessions page shows a list of all active user sessions. You can use the search fields at the top of the page to search for a session by User ID and authentication method.

On the User Sessions page:

1. In the Search by User ID text box, type a user name. To see all users, type only the * wildcard character.

To search for partial user names, type the * wildcard character with the other characters. For example, type Wil* or *am to find the user name William.

2. From the Search by User ID drop-down list, select an authentication method. Select All to include all authentication methods in your search.

3. Click Search.

The user names that match your search parameters appear in the User Sessions list.

The User Sessions list shows summary information for each active session:

Session ID

The unique ID number assigned to the user session.

User ID

The user name assigned to the user in the directory service.

Authentication Method 

The authentication method used to log in.

IP Address

The client and virtual IP addresses of the client computer.

Life Time


View a User Session

In the search results list:

1. Click a Session ID to see details about that user session.

The View User Session page appears, with this information for each session:

 Session ID

The unique ID number assigned to the user session.

User ID

The user name assigned to the user in the directory service.

Display Name

The display name assigned to the user.

Authentication Method

The authentication method used to log in to the Application Portal.

IP Address

The client and virtual IP addresses of the client computer.

Login time

The date and time the user session began.

Life Time


The number of minutes until the user session timeout limit is reached.

2. Click Previous to return to the User Sessions page.

End a User Session

You can stop or close an active user session at any time. On the User Sessions page:

1. Select the Delete check box for each user session you want to end.

2. At the bottom of the Delete column, click Delete.

Note The selected user sessions are stopped, but the user accounts are not deleted. The users can log on to the Application Portal again.

Manage Search and Display Settings

By default, the User Sessions search results include a maximum of 200 results, and show 20 results per page. To change these settings:

1. Select Monitor System > User Sessions.

The User Sessions page appears.

2. Click Manage Search and Display Settings.


3. In the Search Limit text box, type the maximum number of user sessions to appear in the User Sessions search results.

4. In the Results Per Page text box, type the number of user sessions to appear on each page of the User Sessions search results.

5. Click Save.

The User Settings page appears.

About Alerts

Alerts are messages the system sends to notify administrators when specified events occur. Alert events include lost and restored connections between services, lost and restored connections to the local user database, or user account activity. You can configure alerts to be sent by email or as an SMS message. Alert messages contain information specific to the event. For example, you can configure an alert to be sent if the Administration service cannot communicate with the local user database. The alert message is sent to the selected recipients through the method you specify.

Manage Alerts 

You can add, edit, and delete alerts from the Manage Alerts page.

1. Select Monitor System > Alerts.

The Manage Alerts page appears.

2. Configure alerts:

- Add an Alert

- Edit and Delete Alerts

- Manage Global Alert Settings

Predefined Alert Event Types 


- Local User Database

- Authentication Servers

For more information about alert event types, see About Alert Event Types.

Add an Alert

When you configure an alert, you must select which types of events trigger the alert, configure which notification methods to use for the alert notification messages, and configure the recipients of those notifications. You can send an alert as an email message, an SMS message, or both. You must configure the email and SMS notification channels before you can use them in an alert.

For more information about notification channel configuration, see About Notification Settings.

You can configure alert notification messages to be sent to delegated administrative roles, or directly to email addresses or cell phone numbers that you specify. When you send an alert message to a delegated role, the alert message is sent to the email or SMS address of each administrator assigned to that role.

For information about delegated roles, see About Delegated Management.

To add an alert:

1. Select Monitor System > Alerts.

The Manage Alerts page appears.

2. Click Add Alert.


3. In the Display Name text box, type a name for the alert.

4. In the Description text box, type the description that you want to appear with the alert in the Registered Alerts list.

5. Make sure the Enable Alert check box is selected.

6. In the Notification section, select the check box for each notification method for this alert. You can select Email, SMS, or both.

7. Click Next.


8. Select the check box for each alert event type you want to trigger this alert.

For more information about the alert event types, see About Alert Event Types.

9. Click Next.


10. To send the alert message to a set of people for which you have defined a delegated role, select the role in the Available Roles list. To select more than one role to receive this alert, hold down the Ctrl key while you select each role name.

11. Click Add.

The selected roles appear in the Selected Roles list.

12. If you selected Email as a notification channel in Step 6, you can send the alert to a specific email address. Click Add Email address. Type the email address and click Next.

The email address appears on the Registered Email Addresses list.

13. If you selected SMS as a notification channel in Step 6, you can send the alert as an SMS message to a specific cell phone number. Click Add Cell Phone Number. Type the cell phone number and click Next.


About Alert Event Types

When you define an alert, you can select from these pre-defined alert event types: 

User Accounts Event Types

Locked for Access

Access is locked for a user.

Unlocked for Access

Administrator unlocks access for a user.

Locked for Authentication

Authentication is locked for a user.

Unlocked for Authentication

The administrator unlocks authentication for a user.

Time-lock Locked

A time-lock is activated for a user.

Time-lock Unlocked

The administrator disables a time-lock for a user.

Resource Host Event Types

Lost Connection

The connection to a resource host is unavailable.

Restored Connection

The connection to a resource host is restored.

Services Event Types

Lost Connection

The connection to a service is unavailable.

Restored Connection

The connection to a service is restored.

Local User Database Event Types

Lost Connection


Restored Connection

The connection to the local user database is restored.

Authentication Service Event Types

Lost Connection

The connection to the authentication method service is unavailable.

Restored Connection

The connection to the authentication method service is restored.

Edit and Delete Alerts

The Registered Alerts list includes all the currently configured alerts. You can select an alert to review or change any of the settings, or delete an alert that you no longer want to use.

Review and Edit Registered Alerts

1. Select Monitor System > Alerts.

The Manage Alerts page appears.

2. Select a Display Name in the Registered Alerts list to see the details of that alert.


3. On the General Settings tab, you can change the Display Name, Description and Notification channel.

4. On the Alert Events tab, you can edit the types of alert events to include in this alert.

5. On the Alert Receivers tab, you can change who receives notifications from this alert.

6. Click Save.

Delete Registered Alerts

1. Select Monitor System > Alerts.

The Manage Alerts page appears.

2. Select a Display Name in the Registered Alerts list to see the details of that alert.

The Edit Alerts page appears.

3. Click Delete.

The Delete Alert page appears.

4. Click Yes to delete the alert.

The Manage Alerts page appears with a message that the alert was deleted.

Manage Global Alert Settings


Edit the Alert Messages

1. Select Monitor System > Alerts.

The Manage Alert page appears.

2. Click Manage Global Alert Settings.


3. In the Subject text box, edit the subject line for all alert messages.


Note If you use SMS as your notification channel for alerts, we recommend you keep the alert messages short. SMS messages are limited to 160 characters on most mobile networks.

Alert Message Variables

Alert messages use two variables, {0} and {1}.

- {0} is replaced by the exact date and time of the event. The format of the date and time depends on the locale settings for your browser.

- {1} is replaced by the specific event trigger. This can be a user account, a WatchGuard SSL service, or a resource.

Example alert message:

{0}: User {1} has been locked for authentication.

When this alert is sent, the alert message substitutes the user name for the variable {1}:

2005-09-01 09:11:31: User Joe Smith has been locked for authentication.

Alert Message Defaults

User Accounts

Alert Event Type | Default alert message
Locked for Access | {0}: User {1} has been locked for access
Unlocked for Access | {0}: User {1} has been unlocked for access
Locked for Authentication | {0}: User {1} has been locked for authentication
Time-lock Locked | {0}: User {1} has been Time-lock locked until {2}
Time-lock Unlocked | {0}: User {1} has been Time-lock unlocked

Resource Host

Alert Event Type | Default alert message

Services

Alert Event Type | Default alert message
Lost Connection | {0}: Lost connection to {1}
Restored Connection | {0}: Restored connection to {1}

Local User Database

Alert Event Type | Default alert message
Lost Connection | {0}: Lost connection to Local User Database{1}
Restored Connection | {0}: Restored connection to Local User Database{1}

Authentication Method Servers 

Alert Event Type | Default alert message
Lost Connection | {0}: Lost connection to Authentication Method Server used by Authentication Method {1}
Restored Connection | {0}: Restored connection to Authentication Method Server used by Authentication Method {1}
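Before you save edited alert messages, you can test them against the variable rules and the 160-character SMS note above. The Python sketch below is an added example, not WatchGuard code. It assumes plain positional replacement of {n}, uses the sample date and user name from this section, and includes one constructed custom message. Because only {0} and {1} are supplied, it also reports the {2} that appears in the Time-lock Locked default.

```python
import re

SMS_LIMIT = 160  # character limit quoted in the guide's note on SMS alerts
PLACEHOLDER = re.compile(r"\{(\d+)\}")

# Sample values taken from the guide's own example message.
SAMPLE_VALUES = ["2005-09-01 09:11:31", "Joe Smith"]

TEMPLATES = {
    # Default messages copied from the tables above.
    "Locked for Authentication": "{0}: User {1} has been locked for authentication",
    "Time-lock Locked": "{0}: User {1} has been Time-lock locked until {2}",
    # Constructed custom message, for illustration only.
    "Custom long message (constructed)": (
        "{0}: Attention, the account for user {1} has been locked for "
        "authentication after repeated failed logon attempts. Contact the help "
        "desk to verify the user's identity before you unlock the account."
    ),
}


def render_alert(template, values):
    """Substitute each {n} in the template with values[n].

    Assumption: plain positional replacement. A placeholder with no matching
    value is left in place so that lint_alert can report it.
    """
    def substitute(match):
        index = int(match.group(1))
        return str(values[index]) if index < len(values) else match.group(0)
    return PLACEHOLDER.sub(substitute, template)


def lint_alert(template, values, sms=True):
    """Return a list of problems found in one alert message template."""
    problems = []
    used = sorted({int(n) for n in PLACEHOLDER.findall(template)})
    for index in used:
        if index >= len(values):
            problems.append("placeholder {%d} has no value" % index)
    for index, meaning in ((0, "event date and time"), (1, "event trigger")):
        if index not in used:
            problems.append("template omits {%d} (%s)" % (index, meaning))
    rendered = render_alert(template, values)
    if sms and len(rendered) > SMS_LIMIT:
        problems.append(
            "rendered length %d exceeds the %d-character SMS limit"
            % (len(rendered), SMS_LIMIT)
        )
    return problems


def lint_all(templates, values, sms=True):
    """Lint every template and map its name to the list of problems."""
    return {name: lint_alert(text, values, sms) for name, text in templates.items()}


if __name__ == "__main__":
    for name, problems in lint_all(TEMPLATES, SAMPLE_VALUES).items():
        print(name)
        print("  " + render_alert(TEMPLATES[name], SAMPLE_VALUES))
        for problem in problems or ["no problems found"]:
            print("  - " + problem)
```

Use the longest user, service, or resource name you expect as the {1} sample value, because the SMS check measures the rendered message and not the template.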

Manage Logging

You can configure logging settings, such as log level, log file rotation, and the types of information to include in the log messages for each registered service. You can configure logging for two registered services:

- accesspoint — This includes all services related to the operation of the Application Portal.

- Administrator — This includes all the services related to administration of your device.

Edit Logging Settings

1. Select Monitor System > Logging.


2. To edit the logging settings for a registered service, click the Display Name.

The Edit Logging Settings page for the service appears, with a separate tab for each log type.

3. Select a tab to configure the settings for each type of log.

The available configuration settings on each tab include Log Level Filter, Log File Rotation, Debug Logs, and Syslog. Debug logs and syslog settings are only available after you enable them on the Manage Global Logging Settings page.

For more information about these settings, see the subsequent sections.

For more information about global logging settings, see Manage Global Logging Settings.


Set the Log Level Filter

For each service, you can configure a log level for each type of log file. You can use the Log Level Filter controls to ignore log messages that do not meet the severity requirements you specify.

In the Log Level Filter drop-down list, select a log level filter. Available log level filters include:

Off

Disables logging for that service.

Fatal

Logs only fatal messages.

Warning

Logs only fatal and warning messages.

Info

Logs all levels of messages. This is the default setting.

Configure Log File Rotation

For each service, you can configure log file rotation for each type of log file.

In the Log File Rotation section, select the radio button for the rotation schedule you want. Options include:

Create a new log file every day

The service creates a new log file every day.

Disable log file rotation. Save all log messages in the same file

The service logs all messages to the same file.

Rotate log files based on size

The service creates a new log file based on the Max File Size you type.

In the Max Files in Rotation field, you must select the maximum number of concurrent log files. When the maximum number of log files is reached, the system removes the oldest log file and creates a new log file.

Debug Logs

If you enabled debug logs on the Manage Global Logging Settings page, you can specify the IP address for the HTTP traffic you want to include in the Diagnostics File.

Client IP Address


Log File Information

These settings are only available for the accesspoint service. On the Audit Log and HTTP Log tabs, select the check box for each type of information you want to include in your log file. The available options are different for each type of log file.

Syslog

To configure syslog settings, you must first enable syslog on the Manage Global Logging Settings page. In the Log Level Filter drop-down list, select a log level filter for logging to a remote syslog server. Available log level filters include:

Off 

Disables logging for that service.

Fatal

Logs only fatal messages.

Warning

Logs only fatal and warning messages.

Info

Logs all levels of messages. This is the default setting.

If you set the syslog log level filter to Fatal, Warning, or Info, make sure that you configure the syslog server IP address in the Manage Global Logging Settings page.

For more information, see Manage Global Logging Settings.

Manage Global Logging Settings

Global logging settings apply to all log files created by all services.

To manage global logging settings:

1. Select Monitor System > Logging.

2. Click Manage Global Logging Settings.


3. In the Time Zone section, you can change the time zone to use in log file messages. You can select Local Time or GMT. The default setting is Local Time.

4. In the Log collection interval text box, type the number of seconds between the collection of log messages. Log collection controls how often log messages are collected by the Administration service from other services. The default setting is 5 seconds.

5. Click Save.

Note Alerts and reports both depend on log collection. If you set the log collection interval too high, you reduce your ability to see real-time report data, and you cause a delay for delivery of alerts.

Enable Debug Logging

To troubleshoot a problem with your WatchGuard SSL device, you can enable an additional level of logging. Select the Enable debug logging check box to enable debug logging. When you enable debug logging, several debug log files are created for the accesspoint service:


- Raw Proxy Interchange log file

- Hyper Links log file

- Form Based log file

For the Administrator service, an additional debug log file is created.

You cannot see the debug log files in the WatchGuard SSL Web UI. To see the debug log files, you must download the diagnostics zip file that contains all log files.

For information about the diagnostics file, see About the Diagnostics File.

Enable Logging to a Remote Syslog Server

You can also send syslog log file messages to a remote syslog server. When you enable syslog, the syslog messages from each service are sent to the syslog server at the IP address you specify.

To enable syslog logging:

1. From the Manage Global Logging Settings page, select the Enable Syslog check box.

2. In the Log Facility text box, type the IP address of your syslog server.

3. Click Save.

For information about how to set the syslog log level for each type of log file, see Manage Logging.

Use Log Viewer

You can use Log Viewer to see log messages from the configured services. You can specify search criteria to filter search results. The Log Viewer System Log only includes the severity levels INFO, WARNING, and FATAL.

To search for log events:

1. Select Monitor System > Log Viewer.
