WatchGuard SSL Web UI 3.2 User Guide

(1)

WatchGuard SSL

Web UI

3.2 User Guide

(2)

releases, only the WatchGuard SSL Web UI Help system is updated. The Help system also includes specific, task-based implementation examples that are not available in the User Guide.

For the most recent product documentation, see the WatchGuard SSL Web UI Help on the WatchGuard web site at:http://www.watchguard.com/help/documentation/.

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Guide revised: 8/8/2013

Copyright, Trademark, and Patent Information

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at:http://www.watchguard.com/help/documentation/.

Note This product is for indoor use only.

About WatchGuard

WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.

For more information, call 206.613.6600 or go to www.watchguard.com.

Address

505 Fifth Avenue South Suite 500

Seattle, WA 98104

Support

www.watchguard.com/support U.S. and Canada +877.232.3531 All Other Countries +1.206.521.3575

Sales

(3)

Introduction to WatchGuard SSL 1

About the WatchGuard SSL solution 1

About the WatchGuard SSL Access Client 2

About the Application Portal 2

Getting Started 3

Verify Basic Components 3

Get a WatchGuard Device Feature Key 3

Install the WatchGuard SSL Device Behind a Firewall 3

Use the Quick Setup Wizard to Set Up a Basic Configuration 4

Run the Quick Setup Wizard 4

Connect the WatchGuard SSL Device to Your Network 5

Connect to WatchGuard SSL Web UI and Complete Initial Tasks 6

Connect to WatchGuard SSL Web UI 6

Upload the Feature Key File 6

Download and Install the Latest Software 6

Get a Feature Key 7

Find your Serial Number 7

Activate your Device and Get a Feature Key 7

Retrieve a Current Feature Key 7

About WatchGuard SSL Web UI 8

WatchGuard SSL Web UI Wizards 8

Publish Your Configuration 8

System Messages 9

Use the File Browser 9

Get Started with Common Tasks 9

Create User Accounts and Configure Authentication 10

Configure Resource Access 10

(4)

Start the WatchGuard SSL Device in Recovery Mode 12

Upload a New Software Image 12

Next Steps 12

About WatchGuard LiveSecurity Service 13

LiveSecurity Service 13

LiveSecurity Service Gold 14

Service expiration 14

Support Information 14

Online Resources 14

Telephone Numbers 15

Before You Call 15

Relevant Information 15

About Monitor System 17

About the System Status Page 18

View Status Information 19

Manage Settings 19

View Administrator Activities 20

System Overview 20 Network Status 23 Authentication 24 Events 25 Device Status 26 Network Tools 28 Manage Settings 29

View Administrator Activities 31

About User Sessions 31

Search for User Sessions 32

View a User Session 33

(5)

Add an Alert 36

Edit and Delete Alerts 41

Manage Global Alert Settings 42

Manage Logging 46

Edit Logging Settings 46

Set the Log Level Filter 48

Configure Log File Rotation 48

Debug Logs 49

Log File Information 49

Syslog 49

Manage Global Logging Settings 49

Use Log Viewer 51

About Log Viewer Search Criteria 52

About Reports 54 Available Reports 54 Generate a Report 55 Save a Report 56 Abolishment Report 57 Assessment Report 57

Session Trend Report 58

Session Trend Real-Time Report 58

Access Report 59

Authentication Report 59

Authorization Report 60

Account Statistics Report 61

User Policy Analysis Report 61

User Audit Report 61

(6)

Complete Report 64

Manage Report Database Settings 65

About the Diagnostics File 65

About the Feature Key 66

Feature key information 67

Upload a New Feature Key 69

Live Update 69

Configure Live Update Settings 70

Reboot after Engine Updates 71

Check for New Live Update Files 71

User Management 73

User accounts 74

User groups 74

External Directory Service 74

Self Service 75

About User Accounts 75

User Account Search Result List 75

Manually Add a User Account 76

Import User Accounts 79

Link to a User Account 83

Repair a Linked User Account 84

Edit User Accounts 86

Manage Global User Account Settings 87

About User Groups 91

About User Property Groups 91

About User Location Groups 91

About User Groups and Access Rules 91

Add a User Group 92

(7)

About User Groups and Access Rules 98

About Directory Mapping 98

Add an External Directory Service Location 98

Edit an External Directory Service Location 102

About Self Service 105

Use the wizard to enable Self Service 105

Manually enable and configure Self Service 106

Disable or restore Self Service 106

Manage Self Service Settings 107

Modify System Challenges 109

Configure and Enable Self Service 111

About Resource Access 119

Resources 119 Client firewall 119 Access rules 120 Application Portal 120 SSO domains 120 About Resources 120 Manage Resources 120

Manage Global Tunnel Resource Settings 185

Manage Global Resource Settings 187

About Client Firewalls 207

Disable routes for other network connections 207

Check the integrity of application connections 207

How the client firewall works 207

Configure client definitions 208

Firewall rules based on a device 208

(8)

Manage Global Access Rules 219

Assessment Access Rule Requirements 220

Configure an Access Rule to Require Anti-virus or Anti-spyware Software 227 Configure an Access Rule to Verify the Windows Client Logon Domain 229

Configure an Access Rule to Verify a Windows File is Found 230

Configure an Access Rule to Verify a Windows File Digest is Found 231

Configure an Access Rule to Verify a Directory is Found 234

Configure an Access Rule to Verify the Client Computer MAC Address 235

Configure an Access Rule to Combine Authentication Methods 236

About the Application Portal 238

About the Access Client 238

Manage Application Portal Items 238

Connect to the Application Portal 242

Customize your Web UI and Application Portal 242

Add Additional Application Portals 260

About SSO Domains 260

Domain type attributes 261

Manage SSO Domains 261

Configure SSO for Outlook Web Access (Form Based Authentication) 265 Configure SSO with Outlook Web Access (Basic Authentication) 270

Configure SSO for Microsoft Outlook Web App 2010 273

Configure SSO for File Share Resources 276

Configure SSO for Remote Control Resources 280

Configure SSO for a Citrix MetaFrame Presentation Server Resource 284

About Manage System 295

About Authentication Methods 296

Supported Authentication Methods 297

About WatchGuard SSL Authentication Methods 298

(9)

Manage RADIUS Configuration 317 Two-factor Authentication with Mobile ID and Mobile OTP iOS App 322 Configure Active Directory Authentication with LDAP over SSL 330

About Certificates 345

Certificate Lifetimes and CRLs 346

Certificate Authorities and Signing Requests 346

Default Certificate 346

Manage Certificates 346

Add a Certificate Authority 347

Add a Server Certificate 349

Edit or Delete a Server Certificate 350

Manage Client Certificate Settings 351

Create a CSR with OpenSSL 352

About Abolishment 358

Configure General Settings 360

Configure Cache Cleaner Settings 362

Configure Advanced Settings 363

Post-connection Cleanup with Abolishment 364

About Assessment 366

Configure General Settings for Assessment 368

Configure Advanced Settings 371

Pre-connection End-point Integrity Check 373

About Notification Settings 376

Notification Variables 377

Configure the Email Notification Channel 377

Configure the SMS Notification Channel 378

Manage SMS Plug-ins 392

(10)

Manage Administrative Roles 398

About the Administration Service 401

Manage Administration Service Settings 401

Change the Super Administrator Password 402

Manage Global Settings 403

Restart the Administration Service 405

Manage Device Settings 406

General Settings for the Application Portal 407

Performance Settings 410

Cipher Suite Settings 413

Advanced Settings 415

Update the Device 418

Update the OS 419

Configure the System Time and Time Zone 419

Restore Factory Default Configuration Settings 421

Reinitialize the Local User Database 421

Reboot the Device 422

Network Configuration 422

Configure the Network Type 422

Manage Global Tunnel Resource Settings 426

Configure Administration Service External Communication Settings 427

Confirm Network Configuration Settings 428

Configure Network Routes 429

Restore a Saved Configuration 430

Restore the Current Configuration 431

Restore a Saved Configuration 431

Add a Description to a Saved Configuration 432

Delete a Saved Configuration 432

(11)

Before You Begin 436

Enable your AD Server for LDAP over SSL 437

Configure Active Directory Authentication on your SSL device 439

Send One-Time Passwords (OTPs) to Users 445

Configure the SMS Channel to send email 445

Configure SMS Settings for each user account 446

Change the Directory Mapping Attribute for Notification SMS 447

Enable mobile text authentication for all users 448

Use the OTP to Authenticate 449

About the Access Client 451

Install the Access Client 452

Before You Begin 452

Run the Installer 452

Launch the Installed Access Client 452

After You Install 452

Connect to the Application Portal 453

Uninstall the Access Client 453

Set up the Access Client for a Standard User 454

Installation 454

Use the Access Client as a Standard User 456

Limitations 456

Launch the Access Client 456

Launch the On-demand Access Client 457

Launch the Installed Access Client 457

About the Access Client Menu 457

Edit Access Client Preferences 458

Manage Access Client Favorites 462

(12)

Use ESSP to Connect to a Resource 467

(13)

1

Introduction to WatchGuard SSL

Your WatchGuard SSL device is an affordable, easy-to-use, and secure remote access device that provides reliable connectivity to your corporate data and resources. Its flexibility enables you to make your remote connectivity deployment as simple or as sophisticated as your business requirements dictate.

If your business requires remote access to email and file shares, your WatchGuard SSL device delivers the security, flexibility, and breadth of options you need for secure remote access to your network. The WatchGuard SSL stand-alone deployment implementation is a hassle-free VPN solution that provides universal access to applications and network resources with no connectors, no modules, no client management issues, and no extras to buy. The WatchGuard SSL 100 accommodates up to 100 concurrent users. The WatchGuard SSL 560 accommodates up to 500 concurrent users.

About the WatchGuard SSL solution

The WatchGuard SSL solution includes a WatchGuard SSL device, WatchGuard SSL Web UI, the WatchGuard SSL Application Portal, and the WatchGuard SSL Access Client.

n A WatchGuard SSL device is an all-in-one appliance that includes all the hardware, software, and WatchGuard servers for your solution.

n WatchGuard SSL Web UI is a Web-based administration application with a task-oriented approach. You can use the Web UI to monitor your WatchGuard SSL system, add user accounts, manage access to your resources, and manage your system settings.

n The WatchGuard SSL Application Portal is the web site where your users authenticate and get access to your network resources.

(14)

About the WatchGuard SSL Access Client

The WatchGuard SSL Access Client is an on-demand SSL VPN client. When a user selects a resource available through the tunnel, the Access Client automatically downloads and installs on the client computer through the web browser. The Access Client is available in two versions: the installed Access Client and the on-demand Access Client. The Access Client is loaded with either ActiveX or a Java Applet, based on your configuration choices. To use the ActiveX client loader to install the client, users must have local

administrator rights on their computers. For your users who do not have local administrator rights, you can download the Access Client from the WatchGuard web site and provide it to the SSL VPN users on your network.

About the Application Portal

The Application Portal provides access to Web Resources and Tunnel Resources. Web Resources are any files accessible with a web browser, or applications with a web interface such as Outlook Web Access or WatchGuard SSL Web UI. Users can connect to Web Resources without the Access Client.

(15)

2

Getting Started

Before you install your WatchGuard SSL device, make sure you verify the basic components and get a feature key, as described in the subsequent sections.

Verify Basic Components

Make sure that you have these items:

n A computer with a 10/100BaseT Ethernet network interface card and a web browser installed n WatchGuard SSL device

n Ethernet cable n Power cable

Get a WatchGuard Device Feature Key

To enable all of the features on your WatchGuard SSL device, you must activate the device on the

WatchGuard LiveSecurity web site and retrieve your feature key file. You can upload your feature key in the Quick Setup Wizard if you register your device before you start the wizard. Or, you can complete the wizard without a feature key. The SSL device only allows one authenticated user until you upload a feature key to the device.

For more information, see Get a Feature Key.

Install the WatchGuard SSL Device Behind a

Firewall

(16)

If your WatchGuard SSL device has a private IP address

Configure the firewall with an HTTPS policy that uses static NAT. This policy must allow all traffic on port 443 from any external IP address to the private IP address of the WatchGuard SSL device. If your WatchGuard SSL device has a public IP address

Configure the firewall with an HTTPS policy that allows traffic on port 443 from any external IP address to the public IP address of the WatchGuard SSL device.

For detailed examples about how to configure these policies on a WatchGuard firewall, see the Policies topics in the latestFireware XTM documentation.

Use the Quick Setup Wizard to Set Up a Basic

Configuration

The Quick Setup Wizard helps you set up a basic network configuration for your WatchGuard SSL device. Use the Quick Setup Wizard to set up the device for the first time, or after you reset the device to factory default settings.

Before you start the Quick Setup Wizard, make sure you:

n Register your WatchGuard SSL device with LiveSecurity Service

n Save a copy of your feature key file from the LiveSecurity web site to your computer, and extract the feature key from the compressed file

For more information, see Getting Started.

Run the Quick Setup Wizard

1. Make sure your computer is configured to use a static IP address on the 192.168.111.0/24 network.

Note The default IP address on the WatchGuard SSL is 192.168.111.1. Do not use

192.168.111.1 on your own computer.

2. Connect the Ethernet interface on your computer to Eth1 on the WatchGuard SSL device. 3. Plug the power cord into the WatchGuard device power input and into a power source. 4. Power on the WatchGuard SSL.

5. Open a web browser and type: https://192.168.111.1:8443

The Quick Setup Wizard begins.

Note Because the WatchGuard SSL device uses a self-signed certificate, you may see a

certificate warning in your browser. It is safe to ignore the warning (Internet Explorer) or add a certificate exception (Mozilla Firefox).

6. Upload your feature key file, if you have it.

(17)

7. Set the time zone and system time settings.

Though the NTP server configuration is optional, we recommend that you specify an NTP Server. Accurate time stamps are important not only for log file messages, but also for the SSL handshake.

8. Create the Super Administrator credentials. This is a local account on the SSL device. These credentials do not have to correspond to an existing user in a directory service.

The Super Administrator password must be at least six characters long and must include characters from at least three of these four categories:

n English uppercase characters (from A through Z) n English lowercase characters (from a through z) n Base-10 digits (from 0 through 9)

n Non-alphanumeric characters (for example: !, $, #, or %) 9. Select the network configuration mode. The choices are:

Single Interface mode (default)

Select this mode if you want to connect the WatchGuard SSL device to one network DMZ. In single interface mode, only the Eth0 interface is active.

Dual Interface mode

Select this mode if you want to connect the WatchGuard SSL device to two separate networks (for example, two different DMZ networks). In dual interface mode, both the Eth0 and Eth1 interfaces are active.

For more information about network interface modes, see Network Configuration. 10. Type the network address information for each interface you enabled.

The final page of the Quick Setup Wizard shows a summary of the configuration settings, and the interface and IP address you must use to connect after the device reboots. After you complete the wizard, the device restarts with the settings you configured.

Connect the WatchGuard SSL Device to Your Network

After you complete the Quick Setup Wizard, connect the WatchGuard SSL device to your network. 1. Connect the WatchGuard SSL device to your network.

n If you selected single interface mode, connect the device to your network with Eth0.

n If you selected dual interface mode, connect the device to your network with both Eth0 and Eth1. 2. Reset the IP address on your computer to the original IP address.

3. Connect your computer to the network.

(18)

Connect to WatchGuard SSL Web UI and

Complete Initial Tasks

After you complete the basic configuration, you can use WatchGuard SSL Web UI to continue the configuration, management, and monitoring tasks. Before you get started, make sure that you have:

n Connected the WatchGuard SSL device to your network n Connected your computer to the network

n Reset the IP address of your computer

Connect to WatchGuard SSL Web UI

The interface that you use to connect to WatchGuard SSL Web UI is different depending on the deployment method you used for your device. WatchGuard SSL Web UI uses port 8443 by default.

If you configured your device in Single Interface Mode, you must connect to the Eth0 interface for management.

1. Connect your computer to the Eth0 network.

2. In a web browser, typehttps://<Eth0 IP address>:8443.

3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.

WatchGuard SSL Web UI appears.

If you configured your device in Dual Interface Mode, you must connect to the Eth1 interface for management.

1. Connect your computer to the Eth1 network.

2. In a web browser, typehttps://<Eth1 IP address>:8443.

3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.

WatchGuard SSL Web UI appears.

Upload the Feature Key File

If you did not upload your feature key file when you ran the Quick Setup Wizard, we recommend that you upload it now.

1. Get your feature key file from LiveSecurity. For instructions, see Get a Feature Key.

2. In WatchGuard SSL Web UI, select Monitor System > Feature Key.

The Feature Key page appears.

3. Upload the feature key file to the device.

For more information, see Upload a New Feature Key.

Download and Install the Latest Software

(19)

1. Go towww.watchguard.com/archive/softwarecenter.asp. 2. Find and download the latest version of WatchGuard SSL OS. 3. From the Web UI, select Manage System > Device Update.

The Update the OS page appears.

4. Update the OS version on the device. For more information, see Update the OS.

Get a Feature Key

A feature key is a file that enables licensed features on your WatchGuard SSL device. You must get a feature key when you first install the device, and when you renew the LiveSecurity service.

Find your Serial Number

To activate your SSL device, retrieve a feature key, and activate support for your product, you need your device serial number.

The device serial number is located on a sticker attached to the rear panel of the device in this format: xxxxxxxxxx-xxxx.

Activate your Device and Get a Feature Key

To activate your device and get the device feature key:

1. Open a web browser and go tohttp://www.watchguard.com.

Note If you are new to WatchGuard, follow the instructions on the web site to create a

WatchGuard account profile.

2. Log in with your WatchGuard account user name and password. 3. On the Support Home tab, click Activate a Product.

The Activate Products page appears.

4. Type the serial number of the device. Make sure to include any hyphens. 5. Click Continue.

6. Follow the instructions to register your device. 7. Save the feature key as a text file on your computer.

After you download the feature key, you can use the Quick Setup Wizard or the Web UI to browse to the location of the feature key on your computer and upload it to the WatchGuard SSL device.

Retrieve a Current Feature Key

You can retrieve a current feature key from the WatchGuard web site: 1. Open a web browser and go tohttp://www.watchguard.com. 2. Log in with your WatchGuard account user name and password. 3. On the Support Home tab, click My Products.

4. In the list of products, select your device.

(20)

For more information, see:

n Use the Quick Setup Wizard to Set Up a Basic Configuration n Upload a New Feature Key

About WatchGuard SSL Web UI

WatchGuard SSL Web UI is a web-based administration application with a task-oriented approach. You can use the Web UI to monitor your WatchGuard SSL device, add user accounts, manage resource access, and manage your system settings.

WatchGuard SSL Web UI has two levels of menus: Main menu

Includes these sections:

n Monitor System — Monitor information about system status, user sessions, log files, reports, licenses, and alerts.

n User Management — Manage user accounts, user groups, and configure an external directory service.

n Resource Access — Create Application Portal items to give user access to applications, folders and files, and URLs.

n Manage System — See and manage the overall configuration of your WatchGuard SSL system. Left menu

Includes options to manage your configuration from the sections of the main menu.

Context-sensitive Help is integrated with WatchGuard SSL Web UI. To open the Help topic for a task, click .

WatchGuard SSL Web UI Wizards

All common tasks use wizards to guide you through the steps to complete your task. This includes procedures to add user accounts, resources, and many others.

n To start a wizard, click Add.

n To cancel a wizard at any time, select a different menu item or close your browser window or tab. n To return to the previous page in a wizard, click Previous.

n To save your changes, click Finish Wizard or Save.

Publish Your Configuration

After you add or edit a setting in your configuration, you must save the changes to the WatchGuard SSL device and services before they can take effect. The Publish button at the top of the Web UI changes from white to blue when you make changes that must be saved.

To save your configuration changes:

Click Publish at the top of the Web UI.

You can later review or restore a configuration.

(21)

System Messages

When you use a wizard or make a change to your configuration, feedback messages appear in WatchGuard SSL Web UI at the top of the current page. If the message text is red, you have made an error in your configuration selection. If the message text is green, your configuration change was successful.

Use the File Browser

You can use the WatchGuard SSL Web UI file browser to find files on your WatchGuard SSL device. This is helpful when you want to find a file name or path to include in your settings (for example, with a script). To use the file browser:

1. At the top of the Web UI, click Browse.

The file browser opens in a separate window or tab.

2. Select a folder from the navigation tree on the left.

3. To change a current file, select a file to edit, download, delete, or rename. n To edit the file, click .

Make changes to the file contents, then click Save. n To download the file, click .

Select to Open or Save the file. n To delete the file, click .

In the Warning dialog box, click OK. n To rename the file, click .

In the Rename File text box, type a new name. Click Rename.

4. To upload a new file, adjacent to the Upload File text box, click Browse and select a file. Click Upload.

Get Started with Common Tasks

(22)

Create User Accounts and Configure Authentication

When a user connects to your SSL device portal, they are required to authenticate. The user account can be on an external directory service, or stored locally on the SSL device. The user will be presented with one or more authentication methods, such as a simple password request, or a more secure challenge-response or two-factor authentication.

SeeUser Managementfor details on how to add and manage user accounts. SeeAuthentication Methodsto configure user authentication.

About Active Directory

If you have configured the SSL device to use your Active Directory server as an External Directory service, you can use either the LDAP or the Active Directory authentication method. The Active Directory method requires LDAP over SSL which is a secure method of communicating with the Active Directory server. SeeAdd External Directory Servicefor information on how to add a directory service.

Configure Resource Access

The Application Portal is a web site on the WatchGuard SSL device where clients can connect to your corporate applications and resources from remote locations. In the Application Portal, the applications and resources appear as icons that your users can click.

There are two main types of resources that users can access: n Web Resources

Web Resources are any files that you can connect to with a web browser, or applications with a web interface such as Outlook Web Access. You can connect to Web Resources without the Access Client.

n Tunnel Resources

Tunnel Resources are client-server applications or intranet sites. To connect to tunnel resources, you must use the Access Client. With Tunnel Resources, you can either use client-server applications or connect to network resources that are not web-enabled. You can also use Tunnel Resources to get access to files on network servers. If you have a file share resource, you can open, copy, rename, and delete files. You can also download and upload files from your local computer.

Examples of Tunnel Resources include Microsoft Outlook, Remote Desktop, or a Windows file share. SeeManage Resourcesfor information on how to create these resources.

Customize the Device Hostname

When the SSL device directs a user to a URL, such as a web resource or a Java-based tunnel resource, the URL provided includes the host name of the SSL device. To configure this hostname, select Manage System > Network Configuration.

(23)

Add a Certificate to the SSL Device

When your users connect to the SSL device, they will use a web browser to connect to the external public IP address of the device. If the device does not have a properly signed SSL certificate, your users will see a certificate warning.

SeeAbout Certificatesto add a certificate to the SSL device.

Note Make sure you perform a backup of your configuration before you import a new

certificate. If you import a certificate incorrectly, for example, if you do not enter the private key properly, further admin or client connections will be blocked. If this occurs, you must reset the device to factory install settings and reconfigure the device.

About the Access Client

When a user connects to the SSL device to access a tunnel resource, they will use the Access Client. The Access Client can be automatically installed and launched using Java or ActiveX in a supported web browser. Windows users can also install a downloadable access client on their computer.

SeeAbout the Access Clientfor details on how to install and use the Access Client.

Restore Factory Default Settings

There are two ways to reset your WatchGuard SSL device to the factory default settings: Use the WatchGuard SSL Web UI

If you can log in to the WatchGuard SSL Web UI, you can restore the device to factory default settings from the Web UI. This is the easiest method to restore the factory default settings. For more information, see Restore Factory Default Configuration Settings.

Use recovery mode

If you cannot log into WatchGuard SSL Web UI, you can start the device in recovery mode. When the device is in recovery mode, you can reinstall the software image and restart the device with factory default settings.

Before You Begin

Before you start the recovery process, you must download and save a copy of the WatchGuard SSL OS on your computer. The file has an extension of.sysa-dl. You can download the file from the Software Downloads section of the WatchGuard web site at

http://www.watchguard.com/archive/softwarecenter.asp.

Note The installation and reset process can take up to 10 minutes. Do not turn off the

(24)

Start the WatchGuard SSL Device in Recovery Mode

1. Power off the WatchGuard SSL device.

2. Press and hold the up arrow button on the front panel while you power on the device. 3. Continue to hold the up arrow button untilExecuting SysBappears on the LCD display.

WhenRecovery Mode Readyappears on the LCD display, the device is in recovery mode. In recovery mode, the Eth1 address of the device is set to 10.0.1.1.

Upload a New Software Image

You must use a command line FTP program to upload the WatchGuard SSL OS software image. Many common FTP commands are disabled on the WatchGuard SSL device for security reasons. For example, you cannot change directories (cd) or show the remote working directory (pwd). Other FTP programs rely on these commands to show you a list of files in the remote directory, and do not operate correctly when these commands are disabled.

To upload a new software image to your WatchGuard SSL device:

1. Connect an Ethernet network cable between your computer and the Eth1 interface on the WatchGuard SSL device.

2. Change the IP address of your computer to 10.0.1.2 (or to another IP address on the 10.0.1.0 network).

3. Open the command line interface of your computer. For example, select All Programs > Accessories > Command Prompt from the Windows Start Menu if you use Windows XP. 4. Change your working directory to the location where you saved the.sysa_dlfile. 5. At the command prompt, typeftp 10.0.1.1to connect to your WatchGuard SSL. 6. When requested, typeadminfor both the user and the password.

7. Typebinto change the transfer type to binary mode. 8. Typeput <filename>.

Make sure you replace<filename>in the command with the name of the .sysa-dl file you downloaded from the WatchGuard Software Downloads page.

The upload process can take several minutes to complete. Do not close the window or type more commands until another command prompt appears.

9. Typequitto close the FTP connection. 10. Exit the command line interface program.

After the software image upload completes, the WatchGuard SSL device installs the software and resets the configuration to the default settings. When the reset process completes, the device automatically restarts.

Note The installation and reset process can take up to 10 minutes. Do not turn off the

device before this process is complete.

Next Steps

(25)

Note After the reboot, the IP address of the Eth1 interface changes to 192.168.111.1.

You must change the IP address on your computer before you launch the Quick Setup Wizard.

For more information, see Use the Quick Setup Wizard to Set Up a Basic Configuration.

About WatchGuard LiveSecurity Service

WatchGuard knows just how important support is when you must secure your network with limited resources. Our customers require greater knowledge and assistance in a world where secure access is critical. LiveSecurity® Service gives you the backup you need, with a subscription that supports you as soon as you register your WatchGuard SSL device.

LiveSecurity Service

Your WatchGuard SSL device includes a subscription to our ground-breaking LiveSecurity Service, which you activate online when you register your product. As soon as you activate, your LiveSecurity Service subscription gives you access to a support and maintenance program unmatched in the industry. LiveSecurity Service comes with the following benefits:

Hardware Warranty with Advance Hardware Replacement

An active LiveSecurity subscription extends the one-year hardware warranty that is included with each WatchGuard SSL device. Your subscription also provides advance hardware replacement to minimize downtime in case of a hardware failure. If you have a hardware failure, WatchGuard will ship a replacement unit to you before you have to ship back the original hardware.

Software Updates

Your LiveSecurity Service subscription gives you access to updates to current software and functional enhancements for your WatchGuard products.

Technical Support

When you need assistance, our expert teams are ready to help.

n Representatives available 12 hours a day, 5 days a week in your local time zone* n Four-hour targeted maximum initial response time

n Access to online user forums moderated by senior support engineers Support Resources and Alerts

Your LiveSecurity Service subscription gives you access to a variety of professionally produced instructional videos, interactive online training courses, and online tools specifically designed to answer questions you may have about network security in general or the technical aspects of installation, configuration, and maintenance of your WatchGuard products.

(26)

LiveSecurity Service Gold

LiveSecurity Service Gold is available for companies that require 24-hour availability. This premium support service gives expanded hours of coverage and faster response times for around-the-clock remote support assistance. LiveSecurity Service Gold is required on each unit in your organization for full coverage.

Service Features LiveSecurity Service LiveSecurity Service Gold

Technical Support hours 6 AM–6 PM, Monday–Friday* 24/7 Number of support incidents

(online or by phone)

5 per year Unlimited

Targeted initial response time 4 hours 1 hour

Interactive support forum Yes Yes

Software updates Yes Yes

Online self-help and training tools Yes Yes

LiveSecurity broadcasts Yes Yes

Installation Assistance Optional Optional

Three-incident support package Optional N/A

One-hour, single incident priority response upgrade

Optional N/A

Single incident after-hours upgrade Optional N/A

*In the Asia Pacific region, standard support hours are 9AM–9PM, Monday–Friday (GMT +8).

Service expiration

We recommend that you keep your subscription active to secure your organization. When your LiveSecurity subscription expires, you lose access to up-to-the-minute security warnings and regular software updates, which can put your network at risk. Damage to your network is much more expensive than a LiveSecurity Service subscription renewal. If you renew within 30 days, there is no reinstatement fee.

Support Information

WatchGuard offers a variety of technical support services for your purchased products and services. For more information, see theWatchGuard support web site.

Online Resources

Product documentation

(27)

Knowledge Base

http://customers.watchguard.com/

Training and courseware

http://www.watchguard.com/training/courses.asp WatchGuard Forum http://www.watchguard.com/forum/

Telephone Numbers

US & Canada +877.232.3531 International +1.206.613.0456

Before You Call

When you create an incident, make sure you include all information required. Ask yourself these questions to help you find what you must include:

1. What are you trying to do?

2. Were you able to perform this action previously without problems? 3. What behavior do you see?

4. What behavior would you expect to see if the problem was not occurring? 5. How often do the symptoms occur?

6. What troubleshooting steps, if any, have you taken?

Relevant Information

When you contact technical support, you are often asked for basic information about your WatchGuard SSL device and LiveSecurity account. It is helpful to save this information when you create your configuration in case your device does not operate correctly.

If possible, include these additional items when you call, so your technician can promptly resolve your issue: Logs

Log messages are important. If you have access to the Log Viewer at the time of the error, include a section of the logs.

Network diagrams

(28)

(29)

3

About Monitor System

You can use WatchGuard SSL Web UI to see information about system status, user sessions, log files, reports, licenses, and alerts. To monitor your WatchGuard SSL system, select Monitor System. The Monitor System menu includes:

System Status

You can see status information about your device. This includes the system, network, authentication, events, and devices. You can also manage monitoring settings and monitor administrator activities. For more information, see About the System Status Page.

User Sessions

You can see a list of the current user sessions, and you can search sessions by User ID. For more information, see About User Sessions.

Alerts

You can manage administrator alerts. For more information, see About Alerts. Logging

You can manage logging settings for all registered servers. For more information, see Manage Logging.

Log Viewer

(30)

For more information, see About Reports. Diagnostics File

You can create a compressed diagnostics file that contains configuration and log files for all services for a selected period.

For more information, see About the Diagnostics File. Feature Key

You can see information about the installed features. You can also upload a new feature key. For more information, see About the Feature Key.

Live Update

You can change the update settings for the End-Point Security definition file that is used for client scans to support Assessment access rules.

For more information, see Live Update.

About the System Status Page

When you first log in to WatchGuard SSL Web UI, the System Status page appears. From the System Status page, you can select a tab to see an overview of information about your system, check the status of your network, review current authentication settings, identify events that have occurred on your system, verify the status of your device, and run basic debug tools to help you troubleshoot issues on your network. You can also click a link to manage settings for event monitoring, change the Super Administrator password, and view information about the date and time of administrator activities.

To monitor the status of the WatchGuard SSL system: 1. Connect to WatchGuard SSL Web UI.

2. Select Monitor System > System Status.

(31)

3. To update the information that appears on the System Status page, click Refresh.

View Status Information

On the System Status page, select a tab to choose the status information type. For more information about each tab, see:

n System Overview n Network Status n Authentication n Events n Device Status n Network Tools

Manage Settings

(32)

For more information, see Manage Settings.

View Administrator Activities

To view the recent activities of administrators: Click View Administrator Activities.

The View Administrator Activities page appears.

For more information, see View Administrator Activities.

System Overview

The System Overview page includes basic information about your system. This includes the version of software on your device, the current feature key version, information about administrators and users, and the registered resources and domains for your system.

To see basic information about your WatchGuard SSL system: 1. Select Monitor System > System Status.

2. Select the System Overview tab.

(33)

The System Overview tab has four sections, which include basic information about your system, as described in the subsequent sections.

System Information

The System Information section shows information about the installed software and feature keys. Software version

The version and build number for the installed operating system software. Feature Key Version

The version number in the feature key. Feature Key Type

(34)

Current Server Time

The date and time on the WatchGuard SSL device.

System Services

The System Services section shows the services that are enabled on your SSL device. External Host

Shows the IP address and port number configured for communication between the WatchGuard SSL Web UI and the client.

Internal Host

Shows the IP addresses and port numbers used for communication between services on the device.

Administrators

The Administrators section shows information about administrative users. Administrator

The user name for the administrator account. Logged on Administrators

The number of administrators currently logged in.

Users

The Users section shows status information about users and user accounts. Concurrent Users

The number of users currently connected to the SSL device. The maximum number allowed by the feature key appears in parentheses.

Registered User Accounts

The number of registered user accounts. The maximum number allowed by the feature key appears in parentheses.

Logged-on Users

The number of users currently logged in. Active Users

The number of active users currently logged in that have made a request within the last 15 minutes.

Resources

Registered Resources

(35)

Registered SSO domains

The number of registered Single Sign-On domains.

Network Status

The Network Status tab includes configuration and statistical information for the network interfaces enabled on the SSL device.

To see the status of the network interface configuration: 1. Select Monitor System > System Status.

2. Select the Network Status tab.

(36)

Eth1

Shows configuration information and traffic statistics for the Eth1 interface. Eth1 is disabled in single interface mode.

Routing Table

Shows the routing table for the device.

For more information about network configuration and interface modes, see Network Configuration.

Authentication

On the Authentication tab, you can review the configuration status of the enabled authentication methods, the status of notification channels, and configuration information for the databases used for authentication. To see the status of the authentication configuration:

1. Select Monitor System > System Status. 2. Select the Authentication tab.

(37)

Authentication Methods

Shows the IP address and port configured for each of the five WatchGuard authentication methods. RADIUS clients

Shows the number of registered RADIUS clients. Email Notification

Shows the status of email notification. If email notification is enabled, the email host information appears.

SMS Distribution

Shows the status of SMS distribution. If SMS distribution is configured, information about the primary and secondary SMS channels appears.

Local User Database

Shows the host IP address and account information for the local user database. External Directory Service

Shows the name, IP address, and account information for the configured external directory service.

Events

The Events tab includes a list of events related to the status of connections and services. To see recent system events:

1. Select Monitor System > System Status. 2. Select the Events tab.

For each event the Events tab shows: n The date and time of the event

(38)

If you enable Event Monitoring on the Manage Settings page, the Events tab also shows events related to connectivity to the local user database and external directory services.

For more information about the Manage Settings page, see Manage Settings.

Device Status

The Device Status tab includes information about your device (software version, connections, and resource use) and the SSL listener status for your device.

To see statistics and configuration information for your WatchGuard SSL device: 1. Select Monitor System > System Status.

2. Select the Device Status tab.

Device Overview

The Device Overview section shows information about the device software, connections, and resource use. Host

(39)

Current Server Time

Shows the current date and time for the SSL device. Server Started

Shows the date and time the device was last started. Version

The software version and build number. Client Connections

The current number of active clients. Server Connections

The current number of connections used to communicate with internal web sites, such as web resources. Some web applications require more than one connection per user.

Queued Connections

The current number of connections that are not yet processed Active Worker Threads

The number of active threads is shown first. The maximum number of active threads is shown in parentheses. When there is a large amount of client connections, some connections may be queued. In this case you can increase the maximum work thread number in the device performance settings in Manage System > Device Settings > Performance tab. Available Memory

The amount of available memory, in megabytes. Open SSL Version

The version of OpenSSL that the WatchGuard SSL device uses.

SSL Status for <IP address:port>

The SSL Status section shows statistics about the SSL listener. By default, there is just one SSL listener. If you add additional listeners, this page displays the status for each listener.

n SSL Sessions in Cache n SSL Accepts

(40)

Network Tools

From the Network Tools tab, you can run some basic network commands. This can be helpful when you troubleshoot issues with your network.

The network tools available in WatchGuard SSL Web UI are: ping

A command to detect whether a connection to a specified hostname or IP address is possible. tcpdump

A program to intercept and examine TCP/IP packets for diagnostic purposes. traceroute

A command to show the routing path taken from the device to a hostname or IP address. nslookup

A program that shows the information from the DNS records of a domain or hostname. To use the network tools:

(41)

3. From the Command Type drop-down list, select a command.

The command appears in the Prepared Command list.

4. In the Extended Parameters text box, type the command line parameters for the command you selected.

For example, if you selected ping, type the hostname or IP address to ping.

The parameters appear in the Prepared Command list, after the command.

5. From the Max Run Time drop-down list, select the maximum amount of time you want the command to run.

6. To run the command shown in the Prepared Command list, click Run.

The result of the command appears in the Result section.

7. To stop the command, click Stop. 8. To clear the Result section, click Clear.

Manage Settings

You can select whether to monitor the connection to the Local User Database or External Directory Service, change the Super Administrator password, and enable the password policy.

Event Monitoring Settings

When you enable event monitoring, the connection between your device and the Local User Database or External Directory Service is examined every 15 seconds and a log message is recorded in the service log. The log messages appear on the Events tab of the System Status page. This option is selected by default. To increase the performance of your system, disable this option.

To enable event monitoring:

1. Select Monitor System > System Status. 2. Click Manage Settings.

(42)

3. Select the Monitor connections to the local user database and external directory service check box. 4. Click Save.

Change the Super Administrator Password

When you complete the Quick Setup Wizard, you set the Super Administrator password. You can change this password at any time. You can also enable or disable the WatchGuard SSL password policy, which requires that the Super Administrator password meet these specific standards:

n The password must be at least six characters long

n The password must include characters from at least three of these four categories:

o _{English uppercase characters (from A through Z)} o _{English lowercase characters (from a through z)} o _{Base-10 digits (0 through 9)}

o _{Non-alphanumeric characters (for example, !, $, #, or %)}

To enable or disable the password policy, or change the password: 1. Select Monitor System > System Status.

2. Click Manage Settings.

(43)

3. Select the Enable password policy check box.

4. In the Current Password text box, type the password currently assigned to the Super Administrator. 5. In the New Password and Verify New Password text boxes, type the new password.

6. Click Save.

You can also change the password settings from the Manage System > Administration Service page, as described in Change the Super Administrator Password.

View Administrator Activities

You can use WatchGuard SSL Web UI to see a list of all the administrators logged on to the Web UI, as well as the date and time of recent actions for each administrator.

1. Select Monitor System > System Status. 2. Click View Administrator Activities.

The Administrator Activities page appears.

About User Sessions

You can search for and manage all current user sessions to see which users are active in the system and information about their sessions. You can also stop active user sessions.

(44)

Search for User Sessions

By default, the User Sessions page shows a list of all active user sessions. You can use the search fields at the top of the page to search for a session by User ID and authentication method.

On the User Sessions page:

1. In the Search by User ID text box, type a user name. To see all users, type only the*wildcard character.

To search for partial user names, type the*wildcard character with the other characters. For example, typeWil*or*amto find the user name William.

2. From the Search by User ID drop-down list, select an authentication method. Select All to include all authentication methods in your search.

3. Click Search.

The user names that match your search parameters appear in the User Sessions list.

The User Sessions list shows summary information for each active session: Session ID

The unique ID number assigned to the user session. User ID

The user name assigned to the user in the directory service. Authentication Method

The authentication method used to log in. IP Address

The client and virtual IP addresses of the client computer. Life Time

(45)

View a User Session

In the search results list:

1. Click a Session ID to see details about that user session.

The View User Session page appears, with this information for each session: Session ID

The unique ID number assigned to the user session. User ID

The user name assigned to the user in the directory service. Display Name

The display name assigned to the user. Authentication Method

The authentication method used to log in to the Application Portal. IP Address

The client and virtual IP addresses of the client computer. Login time

The date and time the user session began. Life Time

(46)

The number of minutes until the user session timeout limit is reached. 2. Click Previous to return to the User Sessions page.

End a User Session

You can stop or close an active user session at any time. On the User Sessions page:

1. Select the Delete check box for each user session you want to end. 2. At the bottom of the Delete column, click Delete.

Note The selected user sessions are stopped, but the user accounts are not deleted. The

users can log on to the Application Portal again.

Manage Search and Display Settings

By default, the User Sessions search results include a maximum of 200 results, and show 20 results per page. To change these settings:

1. Select Monitor System > User Sessions.

The User Sessions page appears.

2. Click Manage Search and Display Settings.

(47)

3. In the Search Limit text box, type the maximum number of user sessions to appear in the User Sessions search results.

4. In the Results Per Page text box, type the number of user sessions to appear on each page of the User Sessions search results.

5. Click Save.

The User Settings page appears.

About Alerts

Alerts are messages the system sends to notify administrators when specified events occur. Alert events include lost and restored connections between services, lost and restored connections to the local user database, or user account activity. You can configure alerts to be sent by email or as an SMS message. Alert messages contain information specific to the event. For example, you can configure an alert to be sent if the Administration service cannot communicate with the local user database. The alert message is sent to the selected recipients through the method you specify.

Manage Alerts

You can add, edit, and delete alerts from the Manage Alerts page. 1. Select Monitor System > Alerts.

The Manage Alerts page appears.

2. Configure alerts: n Add an Alert

n Edit and Delete Alerts n Manage Global Alert Settings

Predefined Alert Event Types

You can use these predefined alert events to configure Registered Alerts: n User Accounts

(48)

n Local User Database n Authentication Servers

For more information about alert event types, see About Alert Event Types.

Add an Alert

When you configure an alert, you must select which types of events trigger the alert, configure which notification methods to use for the alert notification messages, and configure the recipients of those notifications. You can send an alert as an email message, an SMS message, or both. You must configure the email and SMS notification channels before you can use them in an alert.

For more information about notification channel configuration, see About Notification Settings. You can configure alert notification messages to be sent to delegated administrative roles, or directly to email addresses or cell phone numbers that you specify. When you send an alert message to a delegated role, the alert message is sent to the email or SMS address of each administrator assigned to that role. For information about delegated roles, see About Delegated Management.

To add an alert:

1. Select Monitor System > Alerts.

2. Click Add Alert.

(49)

3. In the Display Name text box, type a name for the alert.

4. In the Description text box, type the description that you want to appear with the alert in the Registered Alerts list.

5. Make sure the Enable Alert check box is selected.

6. In the Notification section, select the check box for each notification method for this alert. You can select Email, SMS, or both.

7. Click Next.

(50)

8. Select the check box for each alert event type you want to trigger this alert. For more information about the alert event types, see About Alert Event Types. 9. Click Next.

(51)

10. To send the alert message to a set of people for which you have defined a delegated role, select the role in the Available Roles list. To select more than one role to receive this alert, hold down the Ctrl key while you select each role name.

11. Click Add.

The selected roles appear in the Selected Roles list.

12. If you selected Email as a notification channel in Step 6, you can send the alert to a specific email address. Click Add Email address. Type the email address and click Next.

The email address appears on the Registered Email Addresses list.

13. If you selected SMS as a notification channel in Step 6, you can send the alert as an SMS message to a specific cell phone number. Click Add Cell Phone Number. Type the cell phone number and click Next.

The cell phone number appears in the Registered Cell Phone Numbers list.

14. After you add all recipients for this alert, click Finish Wizard.

(52)

About Alert Event Types

When you define an alert, you can select from these pre-defined alert event types:

User Accounts Event Types

Locked for Access

Access is locked for a user. Unlocked for Access

Administrator unlocks access for a user. Locked for Authentication

Authentication is locked for a user. Unlocked for Authentication

The administrator unlocks authentication for a user. Time-lock Locked

A time-lock is activated for a user. Time-lock Unlocked

The administrator disables a time-lock for a user.

Resource Host Event Types

Lost Connection

The connection to a resource host is unavailable. Restored Connection

The connection to a resource host is restored.

Services event types

Lost Connection

The connection to a service is unavailable. Restored Connection

The connection to a service is restored.

Local User Database Event Types

Lost Connection

(53)

Restored Connection

The connection to the local user database is restored.

Authentication Service Event Types

Lost Connection

The connection to the authentication method service is unavailable. Restored Connection

The connection to the authentication method service is restored.

Edit and Delete Alerts

The Registered Alerts list includes all the currently configured alerts. You can select an alert to review or change any of the settings, or delete an alert that you no longer want to use.

Review and Edit Registered Alerts

2. Select a Display Name in the Registered Alerts list to see the details of that alert.

(54)

3. On the General Settings tab, you can change the Display Name, Description and Notification channel.

4. On the Alert Events tab, you can edit the types of alert events to include in this alert. 5. On the Alert Receivers tab, you can change who receives notifications from this alert. 6. Click Save.

Delete Registered Alerts

2. Select a Display Name in the Registered Alerts list to see the details of that alert.

The Edit Alerts page appears.

3. Click Delete.

The Delete Alert page appears.

4. Click Yes to delete the alert.

The Manage Alerts page appears with a message that the alert was deleted.

Manage Global Alert Settings

(55)

Edit the Alert Messages

The Manage Alert page appears.

2. Click Manage Global Alert Settings.

(56)

3. In the Subject text box, edit the subject line for all alert messages.

(57)

Note If you use SMS as your notification channel for alerts, we recommend you keep the

alert messages short. SMS messages are limited to 160 characters on most mobile networks.

Alert Message Variables

Alert messages use two variables, {0} and {1}.

n {0} is replaced by the exact date and time of the event. The format of the date and time depends on the locale settings for your browser.

n {1} is replaced by the specific event trigger. This can be a user account, a WatchGuard SSL service, or a resource.

Example alert message:

{0}: User {1} has been locked for authentication.

When this alert is sent, the alert message substitutes the user name for the variable {1}:

2005-09-01 09:11:31: User Joe Smith has been locked for authentication.

Alert Message Defaults

User Accounts

Alert Event Type Default alert message

Locked for Access {0}: User {1} has been locked for access Unlocked for Access {0}: User {1} has been unlocked for access Locked for Authentication {0}: User {1} has been locked for authentication Time-lock Locked {0}: User {1} has been Time-lock locked until {2} Time-lock Unlocked {0}: User {1} has been Time-lock unlocked

Resource Host

(58)

Services

Lost Connection {0}: Lost connection to {1} Restored Connection {0}: Restored connection to {1}

Local User Database

Lost Connection {0}: Lost connection to Local User Database{1} Restored Connection {0}: Restored connection to Local User Database{1}

Authentication Method Servers

Lost Connection {0}: Lost connection to Authentication Method Server used by Authentication Method {1}

Restored Connection {0}: Restored connection to Authentication Method Server used by Authentication Method {1}

Manage Logging

You can configure logging settings, such as log level, log file rotation, and the types of information to include in the log messages for each registered service. You can configure logging for two registered services:

n accesspoint — This includes all services related to the operation of the Application Portal. n Administrator — This includes all the services related to administration of your device.

Edit Logging Settings

1. Select Monitor System > Logging.

(59)

2. To edit the logging settings for a registered service, click the Display Name.

The Edit Logging Settings page for the service appears, with a separate tab for each log type.

3. Select a tab to configure the settings for each type of log.

The available configuration settings on each tab include Log Level Filter, Log File Rotation, Debug Logs, and Syslog. Debug logs and syslog settings are only available after you enable them on the Manage Global Logging Settings page.

For more information about these settings, see the subsequent sections.

For more information about global logging settings, see Manage Global Logging Settings.

(60)

Set the Log Level Filter

For each service, you can configure a log level for each type of log file. You can use the Log Level Filter controls to ignore log messages that do not meet the severity requirements you specify.

In the Log Level Filter drop-down list, select a log level filter. Available log level filters include: Off

Disables logging for that service. Fatal

Logs only fatal messages. Warning

Logs only fatal and warning messages. Info

Logs all levels of messages. This is the default setting.

Configure Log File Rotation

For each service, you can configure log file rotation for each type of log file.

In the Log File Rotation section, select the radio button for the rotation schedule you want. Options include: Create a new log file every day

The service creates a new log file every day. Max Files in Rotation

This option prevents excessive log files from filling up your disk space. This is set to 90 for each log type by default. You can enter a value between 2 and 20000.

Disable log file rotation. Save all log messages in the same file The service logs all messages to the same file.

Max File Size

This option prevents excessive log file size. This is set to 10000 KB by default for each log type. Rotate log files based on size

The service creates a new log file based on the Max File Size you type.