Fireware Essentials Student Guide (en US) v11 12


Fireware v11.12 Training

Fireware Essentials Student Guide

WatchGuard Fireboxes

Guide Revised For: Fireware v11.12 & Dimension v2.1.1 Revision Date: January 2017

About the Fireware Essentials Student Guide

Disclaimer

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright and Patent Information

Copyright © 2016 WatchGuard Technologies, Inc. All rights reserved.

WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and other countries. This product is covered by one or more pending patent applications.

All other trademarks and trade names are the property of their respective owners.

Complete copyright, trademark, and licensing information can be found in the Copyright and Licensing Guide, available online at http://www.watchguard.com/wgrd-help/documentation/overview.


Table of Contents

Course Introduction 1
Training Options 1
Necessary Equipment and Software 2
Training Scenario 3
Prerequisites 3
Training Network Configuration 4
Fireware Web UI and Command Line Interface 7
Additional Resources 7

Getting Started 9
What You Will Learn 9
Management, Monitoring, and Visibility Tools 9
Activate Your Firebox 12
Configure Your Firebox 13
Exercises — Before You Begin 16
Exercise 1 — Use the Web Setup Wizard 17
Exercise 2 — Use the Quick Setup Wizard 24
Exercise 3 — Open WSM and Connect to Devices and Servers 25
Exercise 3 — Start Policy Manager 27
Test Your Knowledge 29
Notes 32

Administration 33
What You Will Learn 33
Manage Configuration Files and Device Properties 33
Manage Users and Roles on Your Firebox 35
Exercise 1 — Open and Save Configuration Files 37
Exercise 2 — Configure a Firebox for Remote Administration 39
Exercise 5 — Create a Device Backup Image 46
Exercise 6 — Add Firebox Identification Information 48
Test Your Knowledge 49
Notes 51

Network Settings 52
What You Will Learn 52
Properties and Features of Firebox Interfaces 53
Exercise 1 — Configure the External Interface 62
Exercise 2 — Configure a Trusted Interface as a DHCP Server 66
Exercise 3 — Configure an Optional Interface 68
Exercise 4 — Configure WINS/DNS Server Information 69
Exercise 5 — Configure a Secondary Network 70
Frequently Asked Questions 71
Test Your Knowledge 72
Notes 75

Set Up Logging & Servers 76
What You Will Learn 76
Logging and Reporting Setup Process Overview 77
Maintain a Record of Device Activity 78
Exercise 1 — Set Up WatchGuard Server Center 82
Exercise 2 — Set Up a WSM Log Server 83
Exercise 3 — Control Database and Notification Properties 85
Exercise 4 — Configure Where the Firebox Sends Log Messages 89
Exercise 5 — Configure Logging and Notification for Policies 92
Exercise 6 — Configure a WSM Report Server 95
Test Your Knowledge 100
Exercise 3 — Use the Blocked Sites List 121
Exercise 4 — Use FireWatch 122
Exercise 5 — Use Geolocation 126
Exercise 6 — Use Mobile Security 129
Exercise 7 — Use Network Discovery 131
Test Your Knowledge 134
Notes 136

NAT 137
What You Will Learn 137
NAT Overview 138
Static NAT 143
NAT Loopback 144
Exercise 1 — Add Firewall Dynamic NAT Entries 145
Exercise 2 — Configure Static NAT to Allow Access to Public Servers 147
Exercise 3 — Configure NAT Loopback to an Internal Web Server 150
Test Your Knowledge 153
Notes 155

Threat Protection 156
What You Will Learn 156
Default Threat Protection Measures Block Intruders 156
Geolocation 160
Exercise 1 — Configure Default Packet Handling Options 163
Exercise 2 — Block Potential Sources of Attacks 164
Exercise 3 — Block Sites Automatically 166
Test Your Knowledge 167
Notes 169

Policies 170
What You Will Learn 170
Policies are Rules for Your Network Traffic 171
Exercise 1 — Add a Packet Filter Policy and Configure Access Rules 176
Exercise 2 — Use FQDN in a Policy 181
Exercise 4 — Configure Logging and Notification for a Policy 186
Exercise 5 — Change Policy Precedence 187
Exercise 6 — Use Advanced Policy Properties 189
Exercise 7 — Use Policy Tags and Filters to Group and Sort Policies 191
Test Your Knowledge 194
Notes 196

Proxy Policies 197
What You Will Learn 197
Proxy Policies and ALGs 197
About the DNS Proxy 198
About the FTP Proxy 199
About H.323 and SIP ALGs 201
About the TCP-UDP Proxy 201
Exercise 1 — Use the DNS-Outgoing Proxy Action 202
Exercise 2 — Configure an FTP-Server Proxy Action 205
Exercise 3 — Set Access Controls on H.323 Connections 209
Test Your Knowledge 211
Notes 213

Email Proxies and Blocking Spam 214
What You Will Learn 214
Control the Flow of Email In and Out of Your Network 215
Stop Unwanted Email at the Network Edge 216
Exercise 1 — Use the SMTP-Proxy to Protect Your Mail Server 221
Exercise 2 — Control Outgoing SMTP Connections 228
Exercise 3 — Use a POP3-Client Policy 232
Exercise 4 — Activate spamBlocker 235
Control Web Traffic Through Your Firewall 245
Monitor Secured HTTP Traffic with the HTTPS-Proxy Policy 251
Bandwidth and Time Quotas 251
Restrict Web Access with WebBlocker 251
About Reputation Enabled Defense 255
Monitor Reputation Enabled Defense 258
Exercise 1 — Configure HTTP Connections from Trusted Users 259
Exercise 2 — Use HTTP-Proxy Exceptions to Allow Software Updates 265
Exercise 3 — Configure an HTTP-Server Proxy Action 266
Exercise 4 — Enable Bandwidth and Time Quotas 268
Exercise 5 — Selectively Block Websites with WebBlocker 272
Exercise 6 — Set Up Reputation Enabled Defense 276
Exercise 7 — See Reputation Enabled Defense Statistics 278
Frequently Asked Questions 279
Test Your Knowledge 280
Notes 284

Signature Services and APT Blocker 285
What You Will Learn 285
Identify and Stop Viruses at the Edge of Your Network 286
AntiVirus Scans User Traffic for Viruses and Trojans 287
Block Advanced Malware with APT Blocker 289
Control the Loss of Sensitive Data 291
Intrusion Prevention Service Blocks Direct Attacks 295
Control and Monitor Application Usage on Your Network 296
Configure Application Control 297
Application Control Actions and Proxy Actions 299
Block Access to Botnet Sites with Botnet Detection 299
Exercise 1 — Set Up Gateway AntiVirus 300
Exercise 2 — Configure the SMTP-Proxy Policy for Gateway AntiVirus 303
Exercise 3 — Use APT Blocker with the SMTP-Proxy Policy 305
Exercise 4 — Configure the FTP-Proxy for Data Loss Prevention 307
Exercise 6 — Configure Application Control 314
Exercise 7 — Use Different Application Control Actions for Different Policies 319
Test Your Knowledge 322
Notes 324

Authentication 325
What You Will Learn 325
Monitor and Control Network Traffic by User 326
Authentication Methods Available with Fireware 328
Use the Firebox Authentication Server 328
About Third-Party Authentication Servers 329
About Authentication Timeout Values 331
Exercise 1 — Add a Firebox User Group and Add Users 332
Exercise 2 — Edit Policies to Use Firebox Authentication 336
Exercise 3 — Set Global Authentication Values 338
Exercise 4 — Use a Web Server Certificate 341
Test Your Knowledge 342
Notes 345

Logging & Reporting 346
What You Will Learn 346
Review Log Messages 347
Build Reports from Log Messages 350
Exercise 1 — Send Log Messages to Dimension 354
Exercise 2 — View Log Messages in Dimension 355
Exercise 3 — Search Log Messages in Dimension 357
Exercise 4 — Export Log Messages from Dimension 360
Exercise 5 — Create Device Groups in Dimension 361
Notes 378

Branch Office VPN 379
What You Will Learn 379
BOVPN Overview 379
IPSec VPN Algorithms and Protocols 383
VPN Negotiations 385
Policies and VPN Traffic 389
Global VPN Settings 390
VPN Monitoring and Troubleshooting 391
Requirements for VPN Exercises 399
Exercise 1 — Configure a BOVPN Gateway and Tunnel 402
Configure Device A 402
Configure Device B 408
Check Tunnel Status 413
Exercise 2 — Use VPN Diagnostics 414
Exercise 3 — Use 1-to-1 NAT Through a BOVPN Tunnel 415
Additional VPN Resources 420
Test Your Knowledge 421
Notes 424

Mobile VPN 425
What You Will Learn 425
Connect Remote Users Securely to the Network 426
Select the Mobile VPN Type 428
Mobile VPN Setup Overview 430
Mobile VPN Client Configuration Files 431
Mobile VPN Network and Resource Settings 433
Before You Begin 436
Exercise 1 — Configure Mobile VPN with IPSec and Generate Client Configuration Files 439
Exercise 2 — Get the Mobile VPN Client Configuration Files 447
Exercise 3 — Use an IPSec VPN Client 449
Exercise 3A — Use the Shrew Soft IPSec VPN Client 450
Exercise 4 — Set Up Mobile VPN with SSL 456
Exercise 5 — Use the Mobile VPN with SSL Client 460
Test Your Knowledge 463
Notes 466

Fireware Web UI 467
What You Will Learn 467
Introduction to Fireware Web UI 467
Limitations of Fireware Web UI 468
Connect to Fireware Web UI 468
Control Access to the Web UI 478
Exercise 1 — Connect to the Web UI with the Status User Account 482
Exercise 2 — Configure a Firebox for Remote Web UI Administration 485
Test Your Knowledge 490

Course Introduction

Firewall Essentials with Fireware v11.12

Devices: WatchGuard Fireboxes

Device OS versions: Fireware® v11.12

Management software versions: WatchGuard® System Manager v11.12

Training Options

If you use Fireware OS and WatchGuard System Manager (WSM) for your Firebox, there are several training options available to you:

Classroom training with a WatchGuard Certified Training Partner (WCTP)

WatchGuard maintains a worldwide network of certified training partners who offer regular training courses. A list of training partners can be found on our website at:

http://www.watchguard.com/training/partners_locate.asp

Quick review presentation

You can download and review the Firewall Essentials presentation. This PowerPoint presentation gives an overview of WatchGuard System Manager and Policy Manager. Students learn how to install a Firebox with the Quick Setup Wizard, create basic security policies, and get more information about additional subscription services.

Fireware Essentials Online Course

Each training module available for WatchGuard System Manager and Fireware OS focuses on a specific feature or function of configuration and security management.

Necessary Equipment and Software

For the majority of the training modules, you only need a default WatchGuard Fireware configuration file that you view and modify locally. You do not need to connect to a device to complete most of the exercises. The few modules that require additional hardware include instructions on what is needed and how to set it up.

In some training modules, you will connect to one or more Fireboxes or a Management Server. If you take this course with a WatchGuard Certified Training Partner, your instructor will provide the IP address and passphrases for devices used in the exercises. For self-instruction, you can safely connect to a Firebox or Management Server on a production network.

To complete the majority of the training modules, you must have this hardware and software:

Management computer

Your management computer must be a personal computer with the Microsoft® Windows XP, Microsoft Windows Vista, Microsoft Windows 7, or Microsoft Windows 8 operating system installed. For more information about management computer system requirements for WSM and Fireware v11.12, see the Fireware Help.

WSM software and Fireware OS

If you have a WatchGuard Support service account, you can download the WatchGuard System Manager software and Fireware OS from the WatchGuard website through the Software Downloads page. The software is also available from your instructor during classes delivered by WatchGuard Certified Training Partners.

Firewall configuration file

During the training exercises, you will open, modify, and save device configuration files. You can use Policy Manager to create new configuration files. You can also open the configuration file of your production Firebox and save it to your local hard drive. We recommend that you do not save any configuration files you make during the training exercises to a device in use on your network.

Firebox (required for some exercises)

For some exercises, particularly the exercises which introduce logging, monitoring, and reporting, it is useful to connect to a real Firebox on a production network. You do not need to change the configuration properties of this device. You can complete the exercises without access to a Firebox installed on a production network, but it is much easier to grasp some concepts when you can see log messages and information from a real network. For the branch office VPN and Mobile VPN exercises, to configure and demonstrate a working VPN tunnel, you must have access to Fireboxes.

If you choose to connect to a Firebox, you can connect to any Firebox that supports Fireware OS v11.7 and higher. You cannot use an XTM 21, XTM 22, or XTM 23 device (these models only support Fireware OS v11.7 and lower).

Training Scenario

Throughout these training modules, we refer to the fictional company, Successful Company. Each module in this course builds on a story of configuring a firewall and network for Successful Company, but you can complete many of the exercises using examples from your own network or a set of addresses and situations provided by your WatchGuard Certified Training instructor. Any resemblance between the situations described for Successful Company and a real company is purely coincidental.

Prerequisites

This course is intended for moderately experienced network administrators. A basic understanding of TCP/IP networking is required. No previous experience with network security, WatchGuard System Manager, or WatchGuard hardware devices is required.

Training Network Configuration

Most of the exercises in this courseware use the RFC 5737 documentation IP addresses to represent public network IP addresses. Most of the information in the training modules, as well as the VPN exercises, in this courseware use this network configuration:

To support all of the exercises in this course, your training environment must include this network equipment:

- One Firebox per student, and one for the instructor.
- One network hub or switch with enough interfaces to connect the instructor and all of the student Fireboxes.
- A management computer for each student and for the instructor.

Student Firebox IP Addresses

Students may be assigned a number (10, 20, 30, etc.) to identify the last IP address octet for their external addresses, and the third octet for internal addresses in relation to their Fireboxes. This allows for similar configuration among devices and prevents IP address conflicts and subnet overlap.

Each student will configure a device with these addresses, where X is the student number:

- Eth0 – External — 203.0.113.X/24, Default Gateway 203.0.113.1
- Eth1 – Trusted — 10.0.X.1/24

In most of the exercises, your external interface and trusted interface IP addresses are determined by your student number. Replace the X in the exercises with your student number.

Instructor Firebox IP Addresses

Eth1 of the instructor Firebox must be connected to the switch and configured to act as the default gateway for the external network for student Fireboxes. The instructor Firebox must be configured with these addresses:

- Eth0 (External) — Use appropriate addressing for a training environment with an Internet connection. (This is optional. Internet access is not required for these exercises.)
- Eth1 (Trusted) — 203.0.113.1/24. This is the default gateway for the primary external interface on student Fireboxes.

To allow DNS to operate from the training environment, you must also configure a DNS server, on the Network > Configuration > WINS/DNS tab.

For DNS to function for students, the student devices and computers must also be configured to use the DNS server.
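The student and instructor addressing scheme above is easy to get wrong when a class has many students (two students sharing a number, or a student number that lands on the instructor's gateway address). The following script is an added example, not part of the WatchGuard guide: it derives each student Firebox's Eth0/Eth1 addresses from the student number X using the values stated above and checks the whole class for address conflicts and subnet overlap. The helper names (plan_for_student, check_plan) are hypothetical.

```python
"""Address-plan check for the training network described in this guide.

Added example, not part of the WatchGuard guide. Values are taken from the
guide: each student Firebox uses Eth0 (External) 203.0.113.X/24 with default
gateway 203.0.113.1 and Eth1 (Trusted) 10.0.X.1/24, where X is the student
number; the instructor Firebox's Eth1 is 203.0.113.1/24 and acts as that
gateway. The helper functions are hypothetical names chosen for this example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed from the guide's stated instructor Eth1 address.
INSTRUCTOR_ETH1 = ipaddress.ip_interface("203.0.113.1/24")
STUDENT_GATEWAY = INSTRUCTOR_ETH1.ip


@dataclass(frozen=True)
class StudentFirebox:
    student: int
    external: ipaddress.IPv4Interface   # Eth0
    gateway: ipaddress.IPv4Address
    trusted: ipaddress.IPv4Interface    # Eth1


def plan_for_student(x: int) -> StudentFirebox:
    """Derive one student's Firebox addresses from the student number X."""
    # X is the last octet of the external address, so it must be a usable
    # host number on 203.0.113.0/24 and must not be .1, which is the
    # instructor's Eth1 address and the students' default gateway.
    if not 2 <= x <= 254:
        raise ValueError(
            f"student number {x} is not a usable host octet on "
            f"{INSTRUCTOR_ETH1.network} (2-254; .1 is the instructor gateway)"
        )
    external = ipaddress.ip_interface(f"203.0.113.{x}/24")
    trusted = ipaddress.ip_interface(f"10.0.{x}.1/24")
    return StudentFirebox(x, external, STUDENT_GATEWAY, trusted)


def check_plan(students: list[int]) -> list[str]:
    """Return the problems found in a class address plan (empty when clean)."""
    problems: list[str] = []
    plans: list[StudentFirebox] = []
    for x in students:
        try:
            plans.append(plan_for_student(x))
        except ValueError as err:
            problems.append(str(err))

    seen_external: dict[ipaddress.IPv4Address, int] = {}
    seen_trusted: list[tuple[int, ipaddress.IPv4Network]] = []
    for p in plans:
        # The student's default gateway must sit on the student's external subnet
        # and be the instructor's Eth1 address, or the lab has no route out.
        if p.gateway not in p.external.network or p.gateway != INSTRUCTOR_ETH1.ip:
            problems.append(f"student {p.student}: gateway {p.gateway} is not "
                            f"the instructor Eth1 on {p.external.network}")
        # Two students with the same number would fight over one external address.
        if p.external.ip in seen_external:
            problems.append(f"students {seen_external[p.external.ip]} and "
                            f"{p.student} both use external {p.external.ip}")
        seen_external.setdefault(p.external.ip, p.student)
        # Trusted subnets must not overlap the external subnet or each other.
        if p.trusted.network.overlaps(p.external.network):
            problems.append(f"student {p.student}: trusted {p.trusted.network} "
                            f"overlaps external {p.external.network}")
        for other, net in seen_trusted:
            if net.overlaps(p.trusted.network):
                problems.append(f"students {other} and {p.student} have "
                                f"overlapping trusted subnets {net} and "
                                f"{p.trusted.network}")
        seen_trusted.append((p.student, p.trusted.network))
    return problems


if __name__ == "__main__":
    # Constructed class roster: student numbers 10, 20, 30 as in the guide,
    # plus a duplicate and an invalid number to show the checks firing.
    for roster in ([10, 20, 30], [10, 20, 20], [1, 10]):
        print(roster, "->", check_plan(roster) or "plan is clean")
```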

Configuration Changes for the Instructor Firebox

To make the training network functional for these exercises, the instructor must make two more configuration changes to the instructor’s device.

1. Create an Any policy to allow traffic between the trusted interfaces.

2. To enable access to the Internet, update the settings in Network > NAT > Dynamic NAT to add a dynamic entry for Any-Trusted – Any-External.

Or, you can add dynamic NAT rules from RFC 5737 addresses to Any-External (for example, add a dynamic NAT rule for 203.0.113.0/24 – Any-External).

Fireware Web UI and Command Line Interface

You can use Fireware Web UI (Web UI) and the WatchGuard Command Line Interface (CLI) to complete many of the same tasks that you perform in WatchGuard System Manager and Policy Manager. Some advanced configuration options and features are not available with Fireware Web UI or the Command Line Interface.

Because not all configuration options are available in the Web UI and CLI, and because the Web UI and CLI are online configuration tools (you need a network connection to a Firebox to use them), most of the exercises in the training modules for this course do not use the Web UI, and none use the CLI.

Additional Resources

For more information about how to install and configure WatchGuard System Manager, see these resources:

Fireware Help

You can launch the Help system from your management computer after you install WSM. To view more information about the features in a dialog box or application window, click Help or press the F1 key. A topic that describes the features you see and provides links to additional information appears in your default web browser. For the most up to date information, browse to http://www.watchguard.com/help/documentation/ and launch the Fireware Help. You can also download the Help system for offline use.

WatchGuard Online Knowledge Base

Browse to http://customers.watchguard.com/.

For information about how to set up an XTMv virtual machine, see:

WatchGuard XTMv Setup Guide

Browse to http://www.watchguard.com/help/documentation/ and download the WatchGuard XTMv Setup Guide.

Getting Started

Set Up Your Firebox and Management Computer

What You Will Learn

WatchGuard System Manager is the primary management software application used to monitor and manage Fireboxes and WatchGuard servers. In addition to the many management and monitoring tools available in WatchGuard System Manager, you can use WatchGuard Dimension to monitor your Firebox and see deep into the activity on your network. In this training module, you learn how to:

- Use the Web Setup Wizard to configure a Firebox
- Use the Quick Setup Wizard to make a basic Firebox configuration file
- Start WatchGuard System Manager and connect to Fireboxes and servers
- Start Policy Manager and open a device configuration file

Before you begin the exercises in this module, make sure you read the Course Introduction module.

Management, Monitoring, and Visibility Tools

For all of your Fireboxes, you can use the rich suite of management, configuration, monitoring, and visibility tools available from WatchGuard. This includes WatchGuard System Manager (WSM) and all the WSM tools, WatchGuard Server Center and the WSM servers, and the many WatchGuard Dimension tools. These tools are described in the subsequent sections.

Start with WatchGuard System Manager

Most of the procedures you complete in this training module start from WatchGuard System Manager (WSM), which is the primary software application you use to manage all the Fireboxes and WatchGuard servers in your network. You can use WSM to connect to any WatchGuard Firebox. This includes all Firebox and XTM device models. In this training module, we use only the latest Firebox models.

WSM Components

WatchGuard System Manager (WSM) includes several monitoring and configuration tools, including Policy Manager, Firebox System Manager, HostWatch, Log Manager, Report Manager, and CA Manager. You can start these tools after you open WSM. WatchGuard Server Center is the application you use to set up, configure, and manage the five WatchGuard servers, as well as configure users and groups for role-based administration.

This diagram shows the components of WatchGuard System Manager and how you can get access to them.

You install the WSM management software on a personal computer running Microsoft Windows 7 or higher. We refer to this computer as your management computer. When you install WSM on your management computer, you have the option to install any or all of the WatchGuard System Manager servers. When you select to install any of the servers, WatchGuard Server Center is automatically installed.

- Management Server — Manages multiple Fireboxes at the same time and creates virtual private network (VPN) tunnels with a simple drag-and-drop method.
- Log Server — Collects log messages from Fireboxes and servers.
- Report Server — Periodically consolidates data collected by your WSM Log Servers and uses this data to generate the reports that you select.
- Quarantine Server — Collects and isolates SMTP email confirmed as spam by spamBlocker, or confirmed to have a virus by Gateway AntiVirus or by spamBlocker’s Virus Outbreak Detection feature.
- WebBlocker Server — Provides information for an HTTP-proxy to deny user access to specified categories of websites.

You can install these servers on your management computer, or you can install them on other computers on your network that are dedicated to these tasks. Each server has different requirements and may need to be able to connect to other servers, the Firebox, or the management computer.

WatchGuard WebCenter is the web UI that is installed with your WSM servers, where you can view Log Manager, Report Manager, and CA Manager. When you install the Log Server, Report Server, or Management Server, WatchGuard WebCenter is automatically available at the IP address where each server is installed. You can connect to WebCenter at the IP address of your Log Server, Report Server, or Management Server, over port 4130.

For more information, see the training module related to each server.

WatchGuard Dimension

WatchGuard Dimension™ is a virtual solution you can use to capture the log data from your Fireboxes, FireClusters, and WatchGuard servers, generate reports of that data, and to manage your Fireboxes and FireClusters. You can use Dimension to see log data in real-time, track it across your network, view the source and destination of the traffic, view log message details of the traffic, monitor threats to your network, and view or generate reports of the traffic. From Dimension, you can open Fireware Web UI for Fireboxes and FireClusters that are managed by Dimension, take action on the information you see in the log messages, tools, and reports available in Dimension, and create managed hub-and-spoke VPN tunnels between the Fireboxes managed by Dimension.

After you install Dimension, you run the WatchGuard Dimension Setup wizard to complete the initial configuration of Dimension. Then, you configure your Fireboxes and WatchGuard servers to send log messages to Dimension and add Fireboxes to Dimension for management.

In this training course, we only discuss the logging and reporting aspects of Dimension. For more information, see

Activate Your Firebox

You must activate your Firebox on the WatchGuard website before you can configure some Firebox features. When you activate the Firebox, you start the Support subscription for the Firebox. The Support subscription provides alerts, threat responses, and expert advice to help you keep your network secure and up-to-date. When you subscribe to Support, you also get the ability to install the latest software upgrades to your Firebox.

If you take this course with a training partner, your Firebox will already be activated and include the feature keys you need for the course.

To activate the Firebox, you must have:

- An account on the WatchGuard website
- The Firebox serial number

To create a new WatchGuard account, go to:

https://www.watchguard.com/account/registration_gate.asp

To activate your Firebox with an existing WatchGuard account, log in to the WatchGuard website. In the WatchGuard Support Center, click Activate Products.

Configure Your Firebox

Your Firebox ships with factory-default settings that enable you to connect to it for initial configuration, and that enable the Firebox to connect to the Internet to download its feature key. You connect to the Firebox and run a setup wizard to configure the Firebox with network settings and administrative passphrases you choose. If the Firebox uses Fireware v11.12 or higher, the setup wizards also add proxy policies and enable most security services with recommended settings.

About Factory-Default Settings

Before you set up your new Firebox, it uses factory-default settings. You can also reset a Firebox to factory-default settings. When a Firebox uses factory-default settings, these interfaces are active:

Interface 0 (Eth0)

Interface 0 is configured as an External interface, and is configured to use DHCP to request an IP address. If you use the Web Setup Wizard to configure a device, we recommend that you connect Interface 0 to a network that has a DHCP server and Internet access, so the Firebox can connect to WatchGuard to download the Firebox feature key.

To use RapidDeploy to configure your Firebox, you must connect Interface 0 to a network with Internet access. For more information about RapidDeploy, see Fireware Help.

Interface 1 (Eth1)

Interface 1 is configured as a Trusted interface, with the IP address 10.0.1.1. It has a DHCP Server enabled, and is configured to assign IP addresses on the 10.0.1.0/24 subnet. You must connect your computer to interface 1 or to a network connected to Interface 1 when you run the Web Setup Wizard or Quick Setup Wizard. To connect to the device when you use either setup wizard, your computer must have an IP address on the 10.0.1.0/24 subnet. If your computer uses DHCP, it will get a new IP address automatically after you connect to interface 1. If your computer does not use DHCP, you must change the IP address to an IP address on the same subnet as the IP address of Interface 1. For example, 10.0.1.2.

Interface 32 (Eth32) — Firebox M5600 only

The Firebox M5600 has only one built-in interface, interface 32. Interface 32 is configured as a Trusted interface with the IP address 10.0.32.1. This interface has a DHCP Server enabled, and is configured to assign IP addresses on the 10.0.32.0/24 subnet. You must connect your computer to interface 32 or to a network connected to interface 32 when you run the Web Setup Wizard or Quick Setup Wizard to configure a Firebox M5600.

About Setup Wizards

There are two setup wizards you can use to quickly create a functional configuration for your Firebox. To use either setup wizard, you must connect your management computer to the trusted interface of the Firebox.

Web Setup Wizard

When a Firebox is started with factory-default settings, you can connect to the Firebox and use the Web Setup Wizard to set up the Firebox. You can use the Web Setup wizard to set up a Firebox from any computer that has a web browser. To start the Web Setup Wizard, in a web browser, type https://10.0.1.1:8080. The Web Setup wizard can activate the Firebox and download the required feature key, if the external interface is connected to a network with Internet access.

Quick Setup Wizard

The Quick Setup Wizard is a component of WatchGuard System Manager that you can use to discover and set up your Firebox. To start the Quick Setup Wizard, in WatchGuard System Manager, select Tools > Quick Tools > Quick Setup Wizard.

The Quick Setup Wizard does not help you with device activation, but does provide a couple of additional network configuration options (drop-in mode and optional interface configuration) that are not supported by the Web Setup Wizard.

Both setup wizards help you to set up your device with a secure policy configuration and basic network settings. The default policies and services that the setup wizards configure depend on the version of Fireware installed on the Firebox.

Setup Wizard Default Policies and Services Configuration

The default policies and services that the setup wizards configure depend on the version of Fireware installed on the Firebox.

- In Fireware v11.12 and higher, the Web Setup Wizard creates proxy policies and automatically enables most licensed subscription services with recommended settings.
- In Fireware v11.11.x and lower, the Web Setup Wizard creates packet filter policies and enables the Firebox to operate as a basic firewall. It does not enable licensed subscription services.

The setup wizards were improved in Fireware v11.12 to enable most licensed security services. This reduces the amount of manual configuration required to take advantage of the licensed services on the Firebox.

Setup Wizard Defaults

Default Policies
  Fireware v11.12 and Higher: FTP-proxy, HTTP-proxy, HTTPS-proxy, WatchGuard Web UI, Ping, DNS, WatchGuard, Outgoing
  Fireware v11.11.x and Lower: FTP, WatchGuard Web UI, Ping, WatchGuard, Outgoing

Configured Services (if licensed in the feature key)
  Fireware v11.12 and Higher: WebBlocker, Gateway AntiVirus, Intrusion Prevention, Application Control, Reputation Enabled Defense, APT Blocker
  Fireware v11.11.x and Lower: None

Proxy Actions used by default policies to enable recommended settings and services
  Fireware v11.12 and Higher: Default-FTP-Client, Default-HTTP-Client, Default-HTTPS-Client
  Fireware v11.11.x and Lower: None

For all Fireware versions, the default policies configured by the setup wizards allow outgoing FTP, Ping, TCP and UDP connections, and do not allow incoming connections. With Fireware v11.12 and higher, the default FTP, HTTP, and HTTPS proxy actions enable services and enable logging for reports.

When you set up a new Firebox manufactured with Fireware v11.11.x or lower, the setup wizards do not enable subscription services, even if they are licensed in the feature key. To enable the security services and proxy policies with recommended settings, upgrade the Firebox to Fireware v11.12 or higher, reset it to factory-default settings, and then run the setup wizard again.


Exercises — Before You Begin

Your instructor will provide you with the information and files you need to configure your Firebox for the training environment.

For the exercises in this module, you need:

• A feature key — You receive the feature key when you activate your Firebox on the WatchGuard website. Each feature key is unique to the serial number of the Firebox. Save a copy of the feature key to the management computer before you start either setup wizard. You can finish the wizard without the feature key, but the feature key is required to enable all device functionality. If the Firebox does not have a feature key, it allows only one connection to the Internet. For this exercise it is best to use a feature key with Total Security Suite so that the setup wizards can configure security services.

  It is especially important to have the feature key before you run the setup wizards if your Firebox has licensed subscription services. The setup wizards do not configure licensed subscription services if there is no feature key that enables them.

• WSM and Fireware OS on the management computer — WSM is the software installed on the management computer and WatchGuard servers. Fireware is the operating system (OS) installed with a configuration file on the Firebox. Download the latest versions of the software and Fireware OS from the WatchGuard Portal. WSM and Fireware are separate software downloads. You must download and install both packages on your management computer. The management computer must be on the same network subnet as the device.

• Your network information — At a minimum, you must know the IP address of your gateway router and the IP addresses to give to the external and trusted interfaces of the Firebox. For the training environment, use 203.0.113.1 as the default gateway.

• A Firebox — You need a Firebox that has factory-default settings. This can be a new Firebox, or a Firebox that has been reset to factory-default settings.

Exercise 1 — Use the Web Setup Wizard

In this exercise, you use the Web Setup Wizard to set up a new Firebox. This is the procedure recommended in the printed Quick Start Guide that ships with every Firebox. For this exercise, the Firebox must be in a factory-default state. The steps to reset a Firebox vary by device model. For information about reset, see Reset a Firebox in Fireware Help. Make sure your computer is configured to get an IP address through DHCP.

To run the Web Setup Wizard:

1. Connect interface 0 of the Firebox to a network with Internet access.

2. Power on the Firebox.

The Firebox attempts to contact WatchGuard to download its feature key.

3. Connect your computer to interface 1 of the Firebox.

The DHCP server on the Firebox assigns your computer an IP address on the 10.0.1.0/24 subnet.

4. In a web browser, type https://10.0.1.1:8080.

The Fireware Web UI Login page appears.

5. Type the default administrator credentials for the Firebox:

   • User name: admin

   • Passphrase: readwrite

6. On the Welcome page, click Next to create a new device configuration.


7. Accept the License Agreement and click Next.

8. Select Static to configure the External interface with a static IP address. Click Next.

9. Configure the external interface with these settings. Replace X with your student number.


11. Because this Firebox uses a static IP address, it is important to specify at least one DNS server. Type the IP address of a DNS server in the DNS Servers text box. Click Next.

The trusted interface settings appear.

12. Configure the trusted interface with these settings. Replace X with your student number.

   • IP address: 10.0.X.1/24


13. Click Next.

14. Set the passphrases for the status and admin accounts on your Firebox. Click Next.

The Enable Remote Management page appears.

15. For this exercise, do not enable remote management. Click Next.

The contact information and device feedback settings appear.

16. For this exercise, click Next to accept the default settings.

The time zone setting appears.

17. Select the time zone for this Firebox. Click Next.

If the Firebox does not have a feature key, the Online Activation page provides options to get a feature key.

If the Firebox was already activated and successfully downloaded the feature key from WatchGuard, the wizard skips the feature key steps and goes to the Subscription Services page. If the feature key does not include services, it goes directly to the Summary page.

18. For this exercise, the Firebox is already activated and you have a feature key to manually add in the wizard. To manually paste in the feature key, select Skip Online Activation.

19. Select Add the feature key and click Next.


20. Paste the feature key for your Firebox. Click Next.

If the feature key includes subscription services, the Subscription Services page appears.

21. Click Next to continue.


22. Select the WebBlocker categories to block. Recommended categories are selected by default. Click Next.

The Summary page appears with a summary of the configuration settings and enabled subscription services.


When you are finished with the wizard, the Firebox allows all FTP, Ping, TCP, and UDP connections from the trusted network to the external network and blocks connections from the external network to the protected networks. If licensed in the feature key, Gateway AntiVirus, WebBlocker, Intrusion Prevention, Application Control, Reputation Enabled Defense, and APT Blocker are all enabled and configured.

Because you changed the IP address of the trusted interface, the DHCP server on the Firebox will assign your computer a new IP address in the DHCP address pool you configured. It may take a few minutes for your computer to get a new IP address on the right network so that you can connect to Fireware Web UI.

Log in to Fireware Web UI

1. To log in to Fireware Web UI, click the link at the bottom of the last page of the wizard, or, in your browser, type https://10.0.1.1:8080.

Exercise 2 — Use the Quick Setup Wizard

In this exercise, you use the Quick Setup Wizard, which is part of WatchGuard System Manager, to set up a new Firebox. This results in a configuration similar to the one from Exercise 1.

Before You Begin

If you previously used the Web Setup Wizard to set up the Firebox, reset the Firebox to factory-default settings before you start this exercise. The steps to reset a Firebox vary by device model. For information about reset, see Reset a Firebox in Fireware Help.

Use the Quick Setup Wizard:

1. Connect your computer to interface 1 of the Firebox.

2. From the Windows desktop, select Start > All Programs > WatchGuard System Manager > Quick Setup Wizard.

You can also click the Quick Setup Wizard icon on the WatchGuard System Manager toolbar.

The Quick Setup Wizard starts and attempts to detect a Firebox on the same network as your computer.

3. From the list of devices, select the Firebox that you are using for this training session.

4. Configure the device name, location, and contact person.

5. Configure the external interface, Eth0, with these settings. Replace X with your student number.

   • IP address: 203.0.113.X/24

   • Default Gateway: 203.0.113.1

6. Configure the trusted interface, Eth1, with these settings. Replace X with your student number.

   • IP address: 10.0.X.1/24

   • DHCP enabled, address pool: 10.0.X.2 - 10.0.X.254

7. In the Activate the software step, browse to the feature key file saved on your computer.

8. The Security Services page shows the security services in the feature key that the wizard will configure.

9. On the WebBlocker Settings page, select the WebBlocker categories to block.

10. Set the Status and Configuration passphrases for your Firebox.

You use the Status passphrase to connect to the device with the default Device Monitor user account, status. You use the Configuration passphrase to connect to the device with the default Device Management user account, admin.

When you are finished with the wizard, you will have a Firebox which allows all traffic from the trusted and optional networks to the external network but blocks everything from the external network to the protected networks.

Exercise 3 — Open WSM and Connect to Devices and Servers

When you open WatchGuard System Manager (WSM), you are not automatically connected to a Firebox. You must manually connect to a Firebox or to a Management Server to use many WSM features. You can connect to many Fireboxes and Management Servers at the same time.

Before you start this exercise, use the steps in Exercise 1 or Exercise 2 to configure your Firebox.

To connect to a Firebox in WSM:

1. From the Windows desktop, select Start > All Programs > WatchGuard System Manager > WatchGuard System Manager.

WatchGuard System Manager appears.

2. On the main toolbar, click the Connect To Device icon.

Or, you can select File > Connect To Device.

3. In the IP Address or Name text box, type the trusted IP address of the Firebox. Use your Firebox IP address, or get the IP address from your instructor.

To connect to a Firebox with read-only privileges, you use a Device Monitor user account. You can use the default status Device Monitor user account for this purpose. If you save the configuration file or add the Firebox to the Management Server as a managed device, you are prompted to type the credentials for a user account with Device Administrator privileges. The default Device Administrator user account for your device is the admin user account.


4. In the User Name and Passphrase text boxes, type the credentials for a Device Management user account with a Device Monitor (read-only) role on your Firebox. The default status account is specified by default.

5. From the Authentication Server drop-down list, select the authentication server for the user you specified. If you select an Active Directory server, you must also specify the Domain for the server you selected.

6. If necessary, change the value in the Timeout text box.

This value sets the amount of time (in seconds) that WSM waits for an answer from the Firebox before WSM shows a message that it cannot connect.

If you have a slow network or Internet connection to the device, you can increase the timeout value. If you decrease the value, you decrease the time you must wait for a timeout message if you try to connect to a device that is not available.

7. Click Login.

WSM connects to the Firebox and shows the status of the Firebox on the Device Status tab.

8. On the Device Status tab, click the plus sign (+) to expand the Firebox entry.

Information about the Firebox appears.

Exercise 3 — Start Policy Manager

Policy Manager is the WSM tool you use to build the security rules your Firebox uses to protect your network. You use Policy Manager to configure policies, set up VPNs, change Device Management user account passphrases, and configure logging and notification options.

A policy is a set of rules that defines how the device manages packets that come to its interfaces. The policy identifies the source and destination of the packets. It also specifies the protocol and ports of the traffic that the policy controls. It includes instructions for the device about how to identify the packet and whether to allow, deny, drop, or block the connection. Policy Manager displays each policy as a group of rules, or a ruleset. You can view these policies in a list with detailed information about each policy, or as icons.

You can have more than one version of WSM installed on your computer. However, you can have only one version of the server components (Management Server, Log Server, Report Server, Quarantine Server, and WebBlocker Server) installed.

In WatchGuard System Manager:

1. On the Device Status tab, select your Firebox.

If there is no device visible in WSM, select File > Connect To Device, and then connect to your device.

2. Click the Policy Manager icon.

Or, select Tools > Policy Manager.

WSM checks the model and the OS (operating system) version used by the device. If you have multiple versions of WSM software installed, WSM automatically opens the correct version of Policy Manager. If you launch Policy Manager for a device that uses an older version of Fireware OS, WSM might ask if you want to upgrade the OS on that device.


Policy Manager opens in Details view by default.

3. Select Setup > OS Compatibility.

The OS Compatibility dialog box appears.

4. Make sure that the selected version is 11.9 or higher.

If you open the configuration file from a device, the OS Compatibility version is automatically set to match the OS version on the device. If you use Policy Manager to create a new configuration file, you must configure this setting before you can configure features that require a specific OS version.

5. Click OK.

Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. True or false? You must have a WSM Management Server to use a simple drag-and-drop function for VPN creation.

2. Circle the best tool for each task:

   Task                                      Tool
   A) Monitor the status of one device       WatchGuard System Manager / Policy Manager
   B) Change the device network interfaces   WatchGuard System Manager / Policy Manager
   C) Configure a policy for web traffic     WatchGuard System Manager / Policy Manager

3. True or false? You must install WatchGuard System Manager to set up and manage a new Firebox.

4. Which of the following are required before you can use the Quick Setup Wizard to make a basic device configuration file that allows more than one connection to the Internet? (Select all that apply.)

   o A) An account on the WatchGuard website

   o B) The Firebox model number

   o C) The IP address of the gateway router this device will connect to

   o D) A feature key

   o E) A live connection to the Internet

   o F) A web browser

   o G) An IP address to give to the external and trusted interfaces of the Firebox

5. Fill in the blank: A ________ is a set of rules that defines how the Firebox manages packets that come to its interfaces.


6. Which of the following are WatchGuard System Manager components? (Select all that apply.)

   o A) Log Manager

   o B) Router

   o C) Policy Manager

   o D) Appliance Monitor

   o E) Windows Server

   o F) Report Server

   o G) Management Computer

7. True or false? You must install all WatchGuard servers on one management computer.

8. True or false? You do not have to install a WatchGuard server to use WatchGuard Server Center.

ANSWERS

1. True

   You can only use the drag-and-drop method to create a VPN tunnel between two Fireboxes managed by your WSM Management Server.

2. A) WatchGuard System Manager
   B) Policy Manager
   C) Policy Manager

3. False

   You can also use Fireware Web UI to set up and manage a Firebox.

4. A, C, D, and G

5. policy

6. A, C, and F

7. False

8. False

Administration

Manage the Firebox Configuration

What You Will Learn

After you install the Firebox in your network and use the Quick Setup Wizard to give it a basic configuration file, you can add custom configuration settings to meet the needs of your organization. You can save configuration files in a variety of locations.

In this training module, you learn how to:

• Open and save configuration files

• Configure the Firebox for remote administration

• Add Device Management user accounts

• Add feature keys to the Firebox

• Back up and restore the device configuration

• Add Firebox identification information

Before you begin these exercises, make sure you read the Course Introduction module.

Manage Configuration Files and Device Properties

Manage Configuration Files and Device Properties

A device configuration file includes all configuration data, options, IP addresses, and other information for the Firebox.

On the Firebox, the configuration file works with the OS to control the flow of traffic through the Firebox. The file extension for a device configuration file is .xml.

Policy Manager is a WatchGuard® software tool that you can use to create, change, and save configuration files. When you use Policy Manager, you see a version of your configuration file that is easy to examine and modify.


Policy Manager is an offline configuration tool. When you connect to a Firebox and open the device configuration file with Policy Manager, you are editing a local copy of the configuration file. Changes you make in Policy Manager have no effect on Firebox operation until you save them to the Firebox.

About the OS Compatibility Version

Policy Manager can manage Fireboxes that use different versions of Fireware OS. Each device configuration has an OS Compatibility setting that controls which configuration options are available for some features.

• If you connect to a Firebox and use Policy Manager to open the configuration file for the Firebox, the Fireware OS version in the file is automatically set based on the OS version the Firebox uses.

• If you use Policy Manager to create a new configuration file, you must select the Fireware OS version before you can configure some features, such as network settings and Traffic Management. To set the OS Compatibility version, in Policy Manager select Setup > OS Compatibility.

About the Feature Key

When you activate a Firebox or activate add-on services or features for a Firebox, a feature key is generated to enable features on your Firebox. You can download the feature key from the WatchGuard website when you activate your Firebox. You can then add this feature key to your Firebox from the Quick Setup Wizard, Web Setup Wizard, Policy Manager, or the Fireware Web UI. If you use the Web Setup Wizard, the Firebox can download the feature key automatically.

You must install a feature key on your Firebox to enable full functionality. If your Firebox does not have a feature key, it allows only one user to connect to the Internet. The feature key contains a list of licensed features and capacities for your Firebox. For WatchGuard Support and security services, the feature key contains the service expiration date. For you to install updates to Fireware OS, the Firebox must have a feature key with an active Support subscription, which is called LiveSecurity Service in the feature key.

To manage the feature key, in Policy Manager select Setup > Feature Key.

When you renew subscription services, you must update the feature key on the Firebox for the subscription to remain active. To make sure that the feature key on the Firebox stays up to date, we recommend that you enable automatic feature key synchronization in the Feature Key settings. When automatic feature key synchronization is enabled, the Firebox automatically checks the expiration status of services once per day and downloads a new feature key from WatchGuard if a feature is expired or is within three days of expiration.

When you save the configuration to a local file, the feature key is stored as a separate file, in the same directory as the configuration file. For example, if you save a device configuration with the file name

Saving a Configuration

Because Policy Manager is an offline configuration tool, you can save the device configuration to a local file, and you can save it to a Firebox. Each time you save a configuration to a Firebox, Policy Manager does several checks to make sure that the settings in the configuration are valid for the Firebox. If any setting is not compatible, Policy Manager displays a message and does not save the configuration to the Firebox. This could occur, for example, if the OS Compatibility setting in the file does not match the OS version on the Firebox, or if features are configured in a way that is not compatible with the OS version on the Firebox.

Configuration Migration

You can use Policy Manager to save the configuration file that was originally created for one Firebox to a different Firebox. To do this, you must remove the existing feature key from the configuration, and add the feature key for the new Firebox. When you add the new feature key, Policy Manager automatically updates the model number in the configuration file. Before you can save the configuration to a different Firebox, you might also need to change other settings to make the configuration compatible with the new Firebox. For example, you might need to change the OS Compatibility setting, or modify the Network settings, if the new Firebox has a different number of network interfaces.

For a video demonstration of configuration migration, see the Configuration Migration video available in the Product Documentation section of the WatchGuard website.

Manage Users and Roles on Your Firebox

You can use role-based administration on your Firebox to share the configuration and monitoring responsibilities for the Firebox among several individuals in your organization. This enables you to run audit reports to monitor which administrators make which changes to your device configuration file.

By default, your Firebox includes these default user accounts and roles:

Default User Account   Default Role                                    Default Passphrase
admin                  Device Administrator (read-write permissions)   readwrite
status                 Device Monitor (read-only permissions)          readonly
wgsupport              Disabled

When you add Device Management user accounts, you can use the two, predefined roles to create new user accounts to monitor and manage your Firebox. User accounts that are assigned the Device Monitor role can connect to the Firebox with read-only permissions to monitor the Firebox, but cannot change the configuration file. User accounts that are assigned the Device Administrator role can connect to the Firebox to change the configuration file and monitor the Firebox. More than one Device Monitor can always connect to the Firebox at the same time. But, you must enable the option to allow more than one Device Administrator to log in to the Firebox at the same time. If you do not enable this


The wgsupport user account is disabled by default. This account is for WatchGuard Technical Support access to your Firebox. You can enable it and specify a passphrase for it if you need to enable access to your Firebox for WatchGuard Technical Support. We will not enable or modify this user account in this course.

You can use these authentication servers for Device Management user accounts on your Firebox:

• Firebox-DB

• Active Directory

• LDAP

• RADIUS

The default Device Management user accounts use the Firebox-DB authentication server.

For external authentication servers (not Firebox-DB), make sure to add the user account to the authentication server before you add the user account to your Firebox. The user account credentials that you specify for the user accounts on your Firebox are case-sensitive and must match the user credentials as they are specified on the external authentication server.

Exercise 1 — Open and Save Configuration Files

The Quick Setup Wizard makes a basic configuration file for your Firebox. We recommend that you use this configuration file as the base for all your configuration files. You can also use Policy Manager to make a new configuration file with only the default configuration properties.

To create a new configuration file:

1. Open Policy Manager.

2. Select File > New.

A new configuration file appears with the default policies and settings.

Policy Manager is an offline configuration tool. Fireware Web UI and the CLI are online configuration tools.

An offline configuration tool lets you make many changes to a configuration file without sending the changes to the Firebox.

An online configuration tool is designed to immediately send all changes to the Firebox.

Most of the time, when you want to manage your Firebox configuration, you use WatchGuard System Manager (WSM) to connect to the Firebox and launch Policy Manager. When you do this, WSM loads the current device configuration file in Policy Manager. You can save a copy locally and then open this local copy in Policy Manager any time you want to work offline.

In this exercise, you open the current configuration file for your Firebox and save it to your local hard drive:

1. Open WatchGuard System Manager and connect to your Firebox.

If you are not familiar with this procedure, see the Getting Started module, or ask your instructor.

2. Click the Policy Manager icon.

Or, select Tools > Policy Manager.


3. Select File > Save > As File.

The Save dialog box appears.

4. In the File Name text box, type Basics-Start.

5. Click Save.

By default, configuration files are saved to the My Documents\My WatchGuard\configs folder. The configuration file type is XML.

6. To save an updated configuration file to the Firebox and to a local file, select File > Save > To Firebox.

To save the file to the Firebox, you must specify a user name and passphrase for a user account with Device Administrator privileges. When you save a configuration file to the Firebox, you can also save it to a local file.

If you lose the passphrase for the admin account, and you do not know the passphrase for any other account with Device Administrator privileges, you cannot save configuration changes to the Firebox.

If you have lost the admin passphrase and you have a saved configuration file, you can regain administrative access to the Firebox without losing the configuration settings. To do this, you must reset the Firebox to factory-default settings, and then use the default admin account, with the default passphrase readwrite, to save the configuration to the Firebox from Policy Manager.

Exercise 2 — Configure a Firebox for Remote Administration

This exercise is most useful for an instructor to connect to a student Firebox during a classroom session. If you are self-instructed and do not need to remotely manage your Firebox, you can skip to the next exercise.

When you use the Quick Setup Wizard to configure your Firebox, a policy that allows you to connect to and administer the Firebox from any computer on the trusted or optional networks is automatically created. If you want to manage the Firebox from a remote location (any location external to the Firebox), then you must change your configuration file to allow administrative connections from your remote location.

The packet filter policy that controls administrative connections to the Firebox is WG-Firebox-Mgmt. The Quick Setup Wizard adds this policy with the name WatchGuard. This policy controls access to the Firebox on TCP ports 4105, 4117, and 4118. When you allow connections in the WatchGuard policy, you also allow connections to each of these ports.

Before you change a policy to allow connections to the Firebox from a computer external to your network, it is a good idea to consider these alternatives:

• Is it possible to connect to the Firebox with a VPN? This greatly increases the security of the connection. If you can connect with a VPN, then you do not need to allow connections from a computer external to your network. If it is not possible to connect to the Firebox with a VPN, you might want to consider using authentication as an additional layer of security.

• It is more secure to limit access from the external network to the smallest number of computers possible. For example, it is more secure to allow connections from a single computer than it is to allow connections from the alias Any-External.

To restrict or expand access to the Firebox, edit the From list in the WatchGuard policy.

• You can allow connections to the Firebox from external networks by adding the Any-External alias (or a specific IP address, user name or group name).

• You can restrict connections to the Firebox from internal locations by removing the Any-Trusted and Any-Optional aliases and replacing them with the specific IP addresses from which you want to allow access.

• You can remove all IP addresses and aliases, and replace them with user names or group names. When you do this, you force users to authenticate before they are allowed to connect to the Firebox.

If you decide to allow connections to the Firebox from Any-External, it is especially important that you set very strong Device Management passphrases. It is also a good idea to change your passphrases at regular intervals.

Your instructor might ask you to complete these steps. This will enable your instructor to troubleshoot configuration issues from his computer later in the class.


To use Policy Manager to configure the WatchGuard policy to allow administrative access from an external computer at a specific IP address:

1. Double-click the WatchGuard policy.

Or, right-click the WatchGuard policy and select Edit.

The Edit Policy Properties dialog box appears.

The name of this policy is WatchGuard, but the packet filter type is WG-Firebox-Mgmt. This policy is specifically designed to be used for administration of the Firebox.

2. In the From section, click Add.

3. To add the IP address of the external computer you want to use to connect to the Firebox, click Add Other.

4. From the Choose type drop-down list, make sure Host IP is selected.

5. In the Value text box, type the IP address of the remote administration computer.

6. Click OK to close each dialog box.
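The following is an added example, not WatchGuard code and not a parser for the Firebox .xml file. It models a policy as the Getting Started module defines it (source, ports, action) and checks sample management connections against two versions of the WatchGuard policy From list: the weak one that includes Any-External, and a hardened one that lists specific host IPs and a group name. The alias-to-subnet mapping for student X=5, the sample addresses, and the user:/group: prefix for authenticated entries are constructed assumptions.

```python
"""Model of the Firebox WatchGuard (WG-Firebox-Mgmt) policy From list.

Added example, not WatchGuard code. Aliases, networks, sample hosts and the
user:/group: prefix for authenticated entries are constructed here.
"""
import ipaddress
from dataclasses import dataclass

# TCP ports the WatchGuard (WG-Firebox-Mgmt) policy controls, as stated in the guide.
MGMT_PORTS = frozenset({4105, 4117, 4118})

# Constructed interface layout for a student Firebox with X=5 (training addressing
# scheme: external 203.0.113.X/24, trusted 10.0.X.1/24, no optional network).
ALIASES = {
    "Any-External": [ipaddress.ip_network("203.0.113.0/24")],
    "Any-Trusted": [ipaddress.ip_network("10.0.5.0/24")],
    "Any-Optional": [],
}


@dataclass
class Policy:
    name: str            # policy name as shown in Policy Manager, e.g. "WatchGuard"
    packet_filter: str   # packet filter type, e.g. "WG-Firebox-Mgmt"
    ports: frozenset     # TCP ports the policy allows
    sources: list        # From list: aliases, host IP/CIDR strings, "user:..." or "group:..."


def resolve_sources(policy):
    """Expand the From list into IP networks and note whether any entry requires authentication."""
    nets, require_auth = [], False
    for src in policy.sources:
        if src in ALIASES:
            nets.extend(ALIASES[src])
        elif src.startswith(("user:", "group:")):
            require_auth = True          # user/group entries force Firebox authentication
        else:
            nets.append(ipaddress.ip_network(src))
    return nets, require_auth


def allows(policy, src_ip, dst_port, authenticated=False):
    """True if a TCP connection from src_ip to dst_port is accepted by the policy's From list."""
    if dst_port not in policy.ports:
        return False
    nets, require_auth = resolve_sources(policy)
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in nets):
        return True
    return require_auth and authenticated


def audit(policy):
    """Findings a defender would raise about a management policy's From list."""
    findings = []
    if "Any-External" in policy.sources:
        findings.append("management ports reachable from the whole external network (Any-External)")
    for alias in ("Any-Trusted", "Any-Optional"):
        if alias in policy.sources:
            findings.append(f"management open to every host on {alias}; prefer specific admin hosts or users")
    return findings


# Weak setting: the Quick Setup Wizard default plus Any-External added to the From list.
WEAK = Policy("WatchGuard", "WG-Firebox-Mgmt", MGMT_PORTS,
              ["Any-Trusted", "Any-Optional", "Any-External"])

# Hardened setting: one internal admin host, one external admin host, and an admin group.
HARDENED = Policy("WatchGuard", "WG-Firebox-Mgmt", MGMT_PORTS,
                  ["10.0.5.10/32", "203.0.113.200/32", "group:firebox-admins"])

if __name__ == "__main__":
    for label, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "findings:", audit(pol) or "none")
        print("  external 203.0.113.77 -> 4105:", allows(pol, "203.0.113.77", 4105))
        print("  trusted 10.0.5.44 (unauthenticated) -> 4105:", allows(pol, "10.0.5.44", 4105))
        print("  trusted 10.0.5.44 (authenticated) -> 4105:", allows(pol, "10.0.5.44", 4105, True))
```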

Exercise 3 — Add Device Management Users

To share the configuration and monitoring responsibilities for the Successful Company Firebox among several individuals in the Successful Company organization, in this exercise, you add two new Device Management users to the Firebox: a Device Administrator and a Device Monitor.

When you add a Device Management user, you specify the authentication server where the user account is stored. If you specify an external authentication server, the user account credentials you specify in your Firebox configuration must match the user account credentials as they are specified on the authentication server. User account credentials are case-sensitive.

For this exercise, you add user accounts to the internal Firebox authentication server, Firebox-DB. From Policy Manager:

1. Select File > Manage Users and Roles.

The Login dialog box appears with the admin user specified by default.

2. In the Administrator Passphrase text box, type the default passphrase for the default admin user account, readwrite.

3. Click OK.

4. Click Add.

The Add User dialog box appears.

5. In the User Name text box, type a name for the new Device Administrator user account, example-co_admin.

6. From the Authentication Server drop-down list, keep the default selection, Firebox-DB.

7. From the Role drop-down list, select Device Administrator.

8. In the Passphrase and Confirm Passphrase text boxes, type the passphrase for the new Device Administrator user account, passphrase.

9. Click OK.

The example-co_admin user appears in the Manage Users and Roles list.

10. Click Add.

The Add User dialog box appears.

11. In the User Name text box, type a name for the new Device Monitor user account, example-co_monitor.

12. From the Authentication Server drop-down list, keep the default selection, Firebox-DB.

13. From the Role drop-down list, select Device Monitor.

14. In the Passphrase and Confirm Passphrase text boxes, type the passphrase for the new Device Monitor user account, passphrase.

15. Click OK.

The example-co_monitor user appears in the Manage Users and Roles list.

16. Click OK to close the Manage Users and Roles dialog box.

The new user accounts are automatically saved to the Firebox.

17. Close Policy Manager for the Firebox and disconnect from the Firebox in WSM.

18. In WSM, connect to your Firebox with the new example-co_admin user account credentials.

19. Start Policy Manager.

Now that you are connected to the Firebox with the new Device Administrator user account, example-co_admin, when you make changes to your Firebox configuration file, the audit trail will show that the example-co_admin user account made the changes to the configuration.
