
Firewall Basics with Fireware XTM 11.8

WatchGuard Training

2013 WatchGuard Technologies, Inc.

Course Introduction:
Firewall Basics with Fireware XTM


Training Objectives
Use the basic management and monitoring components of
WatchGuard System Manager (WSM)
Configure a WatchGuard XTM or XTMv device that runs Fireware
XTM OS v11.8 or later for your network
Create basic security policies for your XTM device to enforce
Use security services to expand XTM device functionality


Requirements
Necessary equipment and software:

Management computer
WatchGuard System Manager and Fireware XTM OS
Firewall configuration file
XTM or XTMv devices running Fireware XTM OS v11.8 or later (optional)

Prerequisites:

Basic knowledge of TCP/IP network functions and structure

It is helpful, but not necessary, to have:

WatchGuard System Manager installed on your computer
Access to a WatchGuard XTM device
A printed copy of the instructor's notes of this presentation, or a copy of the Fireware XTM Basics Student Guide

Outline

Getting Started
Work with XTM Device Configuration Files
Configure XTM Device Interfaces
Configure Logging
Generate Reports of Network Activity
Use FSM to Monitor XTM Device Activity
Use NAT (Network Address Translation)
Define Basic Network Security Policies
Work with Proxy Policies
Work with SMTP and POP3 Proxies
Verify Users Identities


Outline

Block Unwanted Email with spamBlocker
Manage Web Traffic
Defend Your Network From Intruders
Use Gateway AntiVirus
Use Data Loss Prevention
Use Intrusion Prevention Service
Use Application Control
Use Reputation Enabled Defense
Explore the Fireware XTM Web UI and FireWatch


Training Scenario
Fictional organization named the Successful Company
Training partners may use different examples for exercises
Try the exercises to implement your security policy


Getting Started:
Set Up Your Management Computer and XTM Device


Learning Objectives

Use the Quick Setup Wizard to make a configuration file
Start WatchGuard System Manager
Connect to XTM devices and WatchGuard servers
Launch other WSM applications


Management Computer
Select a computer with Windows 8, Windows 7, Windows Vista, Windows XP SP2, or Windows Server 2003, 2008, or 2012
Install WatchGuard System Manager (WSM) to configure, manage, and monitor your devices
Install Fireware XTM OS, then use WSM to install updates and make configuration changes on the device

Server Software
When you install WSM, you have the option to install any or all of
these WatchGuard servers:

Management Server
Log Server
Report Server
WebBlocker Server
Quarantine Server

Servers can be installed on separate computers
Each server must use a supported version of Windows.
There are access requirements between the management computer, the XTM device, and some servers.

Activate your XTM Device

You must have or create a WatchGuard account
You must activate the XTM device before you can fully configure it
Have your device serial number ready

Setup Wizards
There are two setup wizards you can use to create an initial functional configuration file for your XTM device.

Web Setup Wizard: To start the Web Setup Wizard, in a web browser, type: https://10.0.1.1:8080
Quick Setup Wizard: To start the Quick Setup Wizard, in WatchGuard System Manager, select Tools > Quick Setup Wizard.

To use either setup wizard, you must connect the management computer to the trusted interface (eth1) of the XTM device.
The Web Setup Wizard can activate your XTM device and download the feature key from the WatchGuard web site, if you connect the external interface (eth0) to a network with Internet access.

Quick Setup Wizard

Installs Fireware XTM OS on the XTM device
Creates and uploads a basic configuration file
Assigns passphrases to control access to the XTM device

Prepare to Use the Quick Setup Wizard

Before you start, you must have:

WSM and Fireware XTM OS installed on the management computer
Network information

It is a good idea to have the feature key for your device before you start the wizard. You can copy it from the LiveSecurity web site during registration.

Launch the Quick Setup Wizard

For the Quick Setup Wizard to operate correctly, you must:

Prepare the device to be discovered by the Quick Setup Wizard (QSW). The QSW shows you how to prepare each device.
Assign a static IP address to your management computer from the same subnet that you plan to assign to the Trusted interface of the XTM device. Alternatively, you can get a DHCP address from the device when it is in Safe Mode.
Connect the Ethernet interface of your computer to interface #1 of the device.
Launch WatchGuard System Manager (WSM) and launch the Quick Setup Wizard from the WSM Tools menu.

Quick Setup Wizard: Select Your Device

Choose which model of XTM device to configure.

Quick Setup Wizard: Verify the Device Details

Verify that the model and serial number are correct.

Quick Setup Wizard: Name Your XTM Device

The name you assign to the device in the wizard is used to:

Identify the device in WSM
Identify the device in log files
Identify the device in Log Manager and Report Manager

Quick Setup Wizard: Device Feedback

The Quick Setup Wizard enables the device to send feedback to WatchGuard by default.

When device feedback is enabled, the XTM device sends this information to WatchGuard once each day:
XTM device serial number
Fireware XTM OS version and build number
XTM device model
XTM device uptime since the last restart

To disable device feedback, clear the Send device feedback to WatchGuard check box. You can also change this setting in Global Settings.

Quick Setup Wizard: Configure the External Interface

The IP address you give to the external interface can be:

A static IP address
An IP address assigned with DHCP
An IP address assigned with PPPoE

You must also add an IP address for the device default gateway. This is the IP address of your gateway router.

Quick Setup Wizard: Configure Interfaces

Configure the Trusted and Optional interfaces.
Select one of these configuration options:

Mixed Routing Mode (Use these IP addresses): Each interface is configured with an IP address on a different subnet.
Drop-in Mode (Use the same IP address as the external interface): All XTM device interfaces have the same IP address. Use drop-in mode when devices from the same publicly addressed network are located on more than one device interface.

Understand Routed Configurations

In mixed routing mode (routed configuration):

Configure each interface with an IP address on a different subnet.
Assign secondary networks on any interface.

Understand Drop-in Configurations

In drop-in mode:

Assign the same primary IP address to all interfaces on your device.
Assign secondary networks on any interface.
You can keep the same IP addresses and default gateways for devices on your trusted and optional networks, and add a secondary network address to the XTM device interface so the device can correctly send traffic to those devices.

Quick Setup Wizard: Add a Feature Key

When you purchase additional options for your device, you must get a new feature key to activate the new options. You can add feature keys in the Quick Setup Wizard or later in Policy Manager.

Quick Setup Wizard: Set Passphrases

You define two passphrases for connections to the device:

Status passphrase: Read-only connections
Configuration passphrase: Read-write connections

Both passphrases must be at least 8 characters long and different from each other.

Quick Setup Wizard: Final Steps

Save a basic configuration to the device.
You are now ready to put your device in place on your network.
Remember to reset your management computer IP address.

WatchGuard System Manager

Start WSM
Connect to an XTM device or the Management Server
Display device status

Components of WSM
WSM includes a set of management and monitoring tools:

Policy Manager
Firebox System Manager
HostWatch
Log Manager
Report Manager
CA Manager
Quarantine Server Client

To launch a tool, select it from the WSM Tools menu or click the tool icon.

Administration:
Work with Device Configuration Files

Learning Objectives

Start Policy Manager
Open and save configuration files
Configure the XTM device for remote administration
Reset XTM device passphrases
Back up and restore the XTM device configuration
Add XTM device identification information

What is Policy Manager?

A configuration tool that you can use to modify the settings of your XTM device
Changes made in Policy Manager do not take effect until you save them to the device
Launch Policy Manager from WSM:
Select a connected or managed device
Click the Policy Manager icon on the toolbar

Navigate Policy Manager

From the View menu, select how policies are displayed: Details View or Large Icons View.

Navigate Policy Manager

Use the menu bar to configure many device features.

Navigate Policy Manager

Security policies that control traffic through the device are represented by policies.
To edit a security policy, double-click the policy name.

Open and Save Configuration Files

Open a file from your local drive or from an XTM device
Save configuration files to your local drive or to the XTM device
Create new configuration files in Policy Manager
New configuration files include a basic set of policies. You can add more policies.

Configure Your Device for Remote Administration

Connect from home to monitor device status
Change policies remotely to respond to new threats
Make the policy as restrictive as possible for security
Edit the WatchGuard policy to enable access from an external IP address
You can also use Fireware XTM Web UI to configure a device (over TCP port 8080)

Change XTM Device Passphrases

Minimum of eight characters
Change frequently
Restrict their use

Back Up the XTM Device Images

Create and restore an encrypted backup image
Backup includes feature key and certificate information
Encryption key is required to restore an image

Add XTM Device Identification Information

XTM device name and model
Contact information
Time zone for log files and reports

Upgrade Your XTM Device

1. Back up your existing device image.
2. Download and install the new version of Fireware XTM OS on your management computer.
3. From Policy Manager, select File > Upgrade.

Upgrade Your XTM Device

4. Browse to the location of the OS upgrade file: C:\Program Files\Common Files\WatchGuard\Resources\Fireware XTM
5. Select the correct .sysa-dl file for your device:

XTM 2500 Series: xtm800_1500_2500.sysa-dl
XTM 2050: xtm2050_bc.sysa-dl
XTM 1500 Series: xtm800_1500_2500.sysa-dl
XTM 1050: xtm1050_bb.sysa-dl
XTM 800 Series: xtm800_1500_2500.sysa-dl
XTM 8 Series: xtm8_b5.sysa-dl
XTM 5 Series: xtm5_b0.sysa-dl
XTM 330: xtm330_bd.sysa-dl
XTM 33: xtm3_aa.sysa-dl
XTM 25, 26: xtm2_a6.sysa-dl
XTMv: xtmv_c5.sysa-dl

Network Settings:
Configure XTM Device Interfaces

Learning Objectives
Configure external network interfaces with a static IP address,
DHCP and PPPoE
Configure a trusted and optional network interface
Use the XTM device as a DHCP server
Add WINS/DNS server locations to the device configuration
Add Dynamic DNS settings to the device configuration
Set up a secondary network or address
Understand Drop-In Mode and Bridge Mode

Add a Firewall to Your Network

Interfaces on separate networks
Most users have at least one external and one trusted

[Diagram: External 203.0.113.2/24, Trusted Network 10.0.1.1/24, Optional Network 10.0.2.1/24]

Beyond the Quick Setup Wizard

The Quick Setup Wizard configures the device with External, Trusted, and Optional networks by default:
eth0 = external
eth1 = trusted
eth2 = optional (only if you provide an optional interface IP address in the wizard)
You can change the interface assignments. In Policy Manager, select Network > Configuration.

Network Configuration Options

Modify the properties of an interface:
Change the interface type (from trusted to optional, etc.)
Add secondary networks and addresses
Enable the DHCP server

Configure additional interfaces
Configure WINS/DNS settings for the device
Add network or host routes
Configure NAT

Interface Independence
You can change the interface type of any interface configured with
the Quick Setup Wizard.
You can also choose the interface type of any additional interface
you enable.

Use a Dynamic IP Address for the External Interface

The XTM device can get a dynamic IP address for an external interface with DHCP or PPPoE.

Use Dynamic DNS

Register the external IP address of the XTM device with the supported dynamic DNS service, DynDNS.

Use a Static IP Address for the External Interface

The XTM device can use a static IP address given to you by your Internet Service Provider.

Enable the Device DHCP Server

Can be used on a trusted or optional interface
Type the first and last IP addresses of the range for DHCP
Configure up to 6 IP address ranges
Reserve some IP addresses for specified MAC addresses

Configure Trusted and Optional Interfaces

[Diagram: Trusted-Main 10.0.1.1/24; Optional Public Servers 10.0.2.1/24; Trusted Finance 10.0.3.1/24; Optional Sales Force 10.0.4.1/24; Optional Conference 10.0.5.1/24]

1. Start with a trusted network.
2. Add an optional network for public servers.
3. As your business grows, add more trusted and optional networks.

Add WINS/DNS Servers

All devices on the trusted and optional networks can use this server
Use an internal server or an external server
Used by the XTM device for DHCP, Mobile VPN, NTP time updates, and Subscription Service updates

Secondary Networks
Share one of the same physical networks as one of the device interfaces.
Add an IP alias to the interface, which is the default gateway for computers on the secondary network.

[Diagram: Trusted-Main 10.0.1.1/24 with a secondary network 172.16.100.0/24; the IP alias 172.16.100.1 on the trusted interface is the default gateway for the secondary network]

Network or Host Routes

Create static routes to send traffic from a device interface to a router
The router can then send the traffic to the correct destination from the specified route.
If you do not specify a route to a remote network or host, all traffic to that network or host is sent to the device default gateway.

Drop-In Mode and Bridge Mode

Use Drop-In Mode if you want to have the same logical network (subnet) spread across all device interfaces.
Computers in this subnet can be on any device interface
You can add a secondary address to any device interface to use an additional network on the interface

Use Bridge Mode when you want the device to be invisible.
You assign one IP address to the device for management connections
Bridge Mode turns the device into a transparent Layer 2 bridge

To set the interface configuration mode, select Network > Configuration.

Logging:
Set Up Logging and Notification

Learning Objectives

Set up a Log Server
Configure the XTM device to send messages to a Log Server
Configure logging and notification preferences
Set the Diagnostic Log Level
View log messages

Introduction to the Log Server

Log Message Types

Traffic: Allowed and denied packets
Alarm: An event you configure as important that requires a log message or alert
Event: A device restart, or a VPN tunnel creation or failure
Debug: Additional messages with diagnostic information to help you troubleshoot network or configuration problems
Statistic: Information about the performance of the XTM device

Configure Logging
For log messages to be correctly stored, you must:

Install the Log Server software
Configure the Log Server
Configure the XTM device to send log messages to the Log Server

Install the Log Server

In the WSM installer, select to install the Log Server component
The Log Server does not have to be installed on the same computer that you use as your management computer
The Log Server should be on a computer with a static IP address

Configure the Log Server

Right-click the WatchGuard Server Center icon in your Windows system tray to open WatchGuard Server Center.
The Server Center Setup Wizard starts.

Set the administrator passphrase.
Set the log encryption key.

Configure Log Server Settings

Open WatchGuard Server Center to configure Log Server properties.
Type the administrator passphrase.
Select Log Server to configure Log Server settings.

Configure Log Server Settings

Server Settings: Database size and encryption key settings.
Database Maintenance: Specify database backup file settings, and select to use the Built-in database or an External PostgreSQL database.
Notification: Configure settings for event notification and the SMTP Server.
Logging: Firebox Status (which devices are currently connected to the Log Server) and where to send log messages.

Configure the XTM Device to Send Log Messages

Use Policy Manager
Set the same log encryption key that is used for the Log Server
Backup Log Servers can be used when the primary fails
Specify the port to connect to a syslog server

Default Logging Policy

When you create a policy that allows traffic, logging is not enabled by default
When you create a policy that denies traffic, logging is enabled by default
If denied traffic does not match a specific policy, it is logged by default

Set the Diagnostic Log Level

You can also configure the device to send detailed diagnostic log messages to help you troubleshoot a specific problem.
From Policy Manager, select Setup > Logging, and click Diagnostic Log Level.

View Log Messages

You can see log messages with two different tools:

Traffic Monitor: Real-time monitoring in FSM from any computer with WSM
Log Manager: From WatchGuard WebCenter, you can use Log Manager to see any log messages stored on the Log Server. Use the search feature to locate specific information in your log files.

Reports:
Generate Reports of Network Activity

Learning Objectives

Set up and configure a Report Server
Generate and save reports at regular intervals
Generate and view reports
Change report settings
Save, print, and share reports

WSM Reporting Architecture

Configure the Report Server

Install on a Microsoft Windows computer
Can be the same computer as the Log Server
Configure the Report Server from WatchGuard Server Center
Select to use the Built-in database or an External PostgreSQL database
Add one or more Log Server IP addresses
Set report interval, report type, and notification preferences

View Reports with Report Manager

Report Manager is available in WatchGuard WebCenter, which is installed with the Report Server
Add users in WatchGuard Server Center to enable them to use Report Manager

View Reports with Report Manager

Connect to WatchGuard WebCenter over port 4130, and select Report Manager to view and generate reports
View Available Reports (scheduled reports)
Create On-Demand Reports and Per Client Reports
Launch Report Manager from WSM
Save reports in PDF format

Monitor Your Firewall:
Monitor Activity Through the XTM Device

Learning Objectives

Interpret the information in the WSM display
Use Firebox System Manager to monitor device status
Change Traffic Monitor settings
Use Performance Console to visualize device performance
Use HostWatch to view network activity and block a site
Add and remove sites from the Blocked Sites list

WatchGuard System Manager Display

Firebox System Manager

Front Panel
Traffic Monitor
Bandwidth Meter
Service Watch
Status Report
Authentication List
Blocked Sites
Subscription Services
Gateway Wireless Controller

Traffic Monitor
View log messages as they occur
Set custom colors and fields
Start traceroute or Ping to source and destination IP addresses
Copy information to another application

Performance Console
Monitor and graph XTM device activity
Launch from Firebox System Manager
System Information: Firebox statistics, such as the number of total active connections and CPU usage
Interfaces: Total number of packets sent and received through the XTM device interfaces
Policies: Total connections, current connections, and discarded packets
VPN Peers: Inbound and outbound SAs and packets
Tunnels: Inbound and outbound packets, authentication errors, and replay errors

Use HostWatch to View Connections

Graphical display of live connections
One-click access to more details on any connection
Temporarily block sites

Use the Blocked Sites List

View sites added temporarily by the device as it blocks the source of denied packets
Change expiration settings for temporarily blocked sites

Examine and Update Feature Keys

View the feature keys currently on your XTM device
Add a new feature key to your XTM device

NAT:
Use Network Address Translation

Learning Objectives
Understand network address translation types
Add dynamic NAT entries
Use static NAT for public servers

What is Network Address Translation?

Changes one public IP address into many
Protect the map of your network

[Diagram: devices and users with private IP addresses on your network, NAT enabled on the XTM device; the Internet sees only one public address (an external XTM device IP address)]

Add Firewall Dynamic NAT Entries

Most frequently used form of NAT
Changes the outgoing source IP address to the external IP address of the XTM device
Enabled by default for standard private network IP addresses, such as 192.168.0.0/16

Static NAT for Public Servers

[Diagram: external IP 203.0.113.2; Web server, port 80 TCP, 10.0.2.80; FTP server, port 21 TCP, 10.0.2.21; Email server, port 25 TCP, 10.0.2.25]

Web traffic: One external IP to private static IP
FTP traffic: Same external IP to second, private static IP
SMTP traffic: Same external IP to third, private static IP

1-to-1 NAT for Public Servers

[Diagram: NetMeeting, ports 1720, 389, dynamic, 10.0.2.11 mapped to 203.0.113.11; IKE without NAT-T, 10.0.2.12 mapped to 203.0.113.12; Intel Video Phone (H.323), ports 1720, 522, 10.0.2.13 mapped to 203.0.113.13]

NetMeeting traffic: Dedicated IP address on the external
IKE traffic: Second dedicated public IP address
Intel Phone (H.323): Another external IP address
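The three NAT types from the dynamic NAT, static NAT and 1-to-1 NAT slides, as an added Python model (not WatchGuard code). The addresses and port mappings are the slide values; the lookup order (1-to-1 before dynamic NAT) and the RFC 1918 ranges beyond the slide's 192.168.0.0/16 example are assumptions, and 198.51.100.7 is a constructed Internet host.

```python
"""Model of the three NAT types on these slides: dynamic NAT, static NAT
(SNAT) and 1-to-1 NAT. Added example, not WatchGuard code. The addresses
are the slide values; the table layout and matching order are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# External XTM interface address from the slides.
EXTERNAL_IP = ip_address("203.0.113.2")

# Dynamic NAT is enabled by default for the standard private ranges
# (the slide names 192.168.0.0/16 as one example; RFC 1918 assumed).
DYNAMIC_NAT_SOURCES = [ip_network("10.0.0.0/8"),
                       ip_network("172.16.0.0/12"),
                       ip_network("192.168.0.0/16")]

# Static NAT: one external IP, one TCP port each, to three private servers.
STATIC_NAT = {("tcp", 80): ip_address("10.0.2.80"),   # web server
              ("tcp", 21): ip_address("10.0.2.21"),   # FTP server
              ("tcp", 25): ip_address("10.0.2.25")}   # email server

# 1-to-1 NAT: a dedicated public address per server, all ports.
ONE_TO_ONE = {ip_address("203.0.113.11"): ip_address("10.0.2.11"),  # NetMeeting
              ip_address("203.0.113.12"): ip_address("10.0.2.12"),  # IKE, no NAT-T
              ip_address("203.0.113.13"): ip_address("10.0.2.13")}  # H.323 phone
PRIVATE_TO_PUBLIC = {priv: pub for pub, priv in ONE_TO_ONE.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def translate_outbound(pkt: Packet) -> Packet:
    """Trusted/optional to external. A 1-to-1 NAT host keeps its dedicated
    public address; any other private source is rewritten to the external
    IP by dynamic NAT; an already-public source is left alone."""
    src = ip_address(pkt.src)
    if src in PRIVATE_TO_PUBLIC:
        return replace(pkt, src=str(PRIVATE_TO_PUBLIC[src]))
    if any(src in net for net in DYNAMIC_NAT_SOURCES):
        return replace(pkt, src=str(EXTERNAL_IP))
    return pkt


def translate_inbound(pkt: Packet) -> Packet:
    """External to inside. 1-to-1 NAT maps the whole address; static NAT
    maps one (proto, port) on the shared external IP. With no NAT entry the
    packet is returned unchanged and is then subject to the policies."""
    dst = ip_address(pkt.dst)
    if dst in ONE_TO_ONE:
        return replace(pkt, dst=str(ONE_TO_ONE[dst]))
    if dst == EXTERNAL_IP:
        target = STATIC_NAT.get((pkt.proto, pkt.dport))
        if target is not None:
            return replace(pkt, dst=str(target))
    return pkt


if __name__ == "__main__":
    # Constructed sample traffic (198.51.100.7 is a documentation address).
    print(translate_outbound(Packet("10.0.1.50", "198.51.100.7", "tcp", 443)))
    print(translate_inbound(Packet("198.51.100.7", "203.0.113.2", "tcp", 80)))
    print(translate_inbound(Packet("198.51.100.7", "203.0.113.2", "tcp", 443)))
    print(translate_inbound(Packet("198.51.100.7", "203.0.113.11", "tcp", 1720)))
```

Note that an inbound packet to 203.0.113.2 on a port with no static NAT entry is left addressed to the device itself, which is why the static NAT table alone is not a substitute for a deny policy.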

Configure Policies
You can customize 1-to-1 NAT and Dynamic NAT settings in each policy
Select Network > NAT to configure the settings
The settings you specify apply unless you modify the NAT settings in a policy
Select the Set Source IP option when you want any traffic that uses this policy to show a specified address from your public or external IP address range as the source IP address.

Configure Policies
To configure a policy to use static NAT, click Add in the To section of the policy, then select Add SNAT.
To add, edit, or delete SNAT actions, you can also select Setup > Actions > SNAT.
To add an SNAT member, click Add.

Policies:
Convert Network Policy to Device Configuration

Learning Objectives
Understand the difference between a packet filter policy and a
proxy policy
Add a policy to Policy Manager and configure its access rules
Create a custom packet filter policy
Set up logging and notification rules for a policy
Use advanced policy properties
Understand the function of the Outgoing policy
Understand the function of the TCP-UDP proxy
Understand the function of the WatchGuard policy
Understand how the XTM device determines policy precedence

What is a Policy?

A rule to limit access through the XTM device
Can be configured to allow traffic or deny traffic
Can be enabled or disabled
Applies to specific port(s) and protocols
Applies to traffic that matches From and To fields:
From: Specific source hosts, subnets or users/groups
To: Specific destination hosts, subnets, or users/groups

Packet Filters, Proxies, and ALGs

Two types of policies:

Packet Filter: Examines the IP header of each packet, and operates at the network and transport protocol packet layers.
Proxy & ALG (Application Layer Gateway):
Proxy: Examines the IP header and the content of a packet at the application layer. If the content does not match the criteria you set in your proxy policies, you can set the proxy to deny the packet. Some proxy policies allow you to remove the disallowed content.
ALG: Completes the same functions as a proxy, but also provides transparent connection management.
Proxy policies and ALGs examine the commands used in the connection to make sure they are in the correct syntax and order, and use deep packet inspection to make sure that connections are secure.

Packet Filters, Proxies, and ALGs

Proxies & ALGs:
Remove all the network data
Examine the contents
Add the network data again
Send the packet to its destination

What are Packet Filters, Proxies, and ALGs?

[Table comparing what each policy type examines. Rows: Source, Destination, Port(s)/Protocols, Packet body, Attachments, RFC Compliance, Commands. Columns: Packet Filter, Proxy & ALG]

Add a Policy in Policy Manager

1. Select a policy from a pre-defined list.
2. Decide if the policy allows or denies traffic.
3. Configure the source (From) and destination (To).

Modify Policies
To edit a policy, double-click the policy
By default, a new policy:
Is enabled and allowed
Allows traffic on the port(s) specified by the policy
Allows traffic from any trusted network to any external destination

Change Policy Sources and Destinations

You can:
Select a pre-defined alias, then click Add.
Click Add User to select an authentication user or group.
Click Add Other to add a host IP address, network IP address, or host range.

When do I use a custom policy?

A custom policy can be either a packet filter or proxy policy.
Use a custom policy if:
None of the pre-defined policies include the specific combination of ports that you want.
You need to create a policy that uses a protocol other than TCP or UDP.

Logging and Notification for Policies

When you enable logging in a policy, you can also select whether the XTM device sends a notification message or triggers an SNMP trap. Notification options include:
Send email to a specified address
A pop-up notification on the Log Server

Set Logging Rules for a Policy

The XTM device generates log messages for many different types of activities
You enable logging for policies to specify when log messages are generated and sent to the Log Server

What is Precedence?
Precedence is used to decide which policy controls a connection when more than one policy could control that connection.
In Details view, the higher the policy appears in the list, the greater its precedence.
If two policies could apply to a connection, the policy higher in the list controls that connection.

What is Precedence?
Policies can be moved up or down in Manual Order mode to set
precedence, or restored to the order assigned by Policy Manager
with Auto-Order Mode.
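The first-match precedence rule from these two Precedence slides, together with the logging defaults from the Default Logging Policy slide (allow policies do not log, deny policies and unhandled denied traffic do), as an added Python model (not Fireware code). The alias subnets, the three policies and the sample flows are constructed for the example.

```python
"""Ordered policy list with first-match precedence and the default logging
behaviour from the Default Logging Policy slide. Added example, not Fireware
code; the alias subnets and the three policies are constructed for it."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Interface aliases (constructed subnets matching the course diagrams).
INTERNAL = {"Any-Trusted": [ip_network("10.0.1.0/24")],
            "Any-Optional": [ip_network("10.0.2.0/24")]}

ANY_PORT = 0  # port wildcard in a (proto, port) entry


def in_alias(ip: str, name: str) -> bool:
    """Resolve a From/To member: an interface alias or a host/subnet literal."""
    addr = ip_address(ip)
    if name == "Any-External":
        return not any(addr in n for nets in INTERNAL.values() for n in nets)
    if name in INTERNAL:
        return any(addr in n for n in INTERNAL[name])
    return addr in ip_network(name, strict=False)


@dataclass
class Policy:
    name: str
    action: str                    # "allow" or "deny"
    ports: List[Tuple[str, int]]   # (proto, port); port ANY_PORT = any port
    src: List[str]                 # From members
    dst: List[str]                 # To members
    enabled: bool = True
    logging: Optional[bool] = None  # None = slide default

    def __post_init__(self):
        # Slide default: allow policies do not log, deny policies do.
        if self.logging is None:
            self.logging = self.action == "deny"

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        if not self.enabled:
            return False
        if not any(pr == proto and pt in (ANY_PORT, port) for pr, pt in self.ports):
            return False
        return (any(in_alias(src, m) for m in self.src)
                and any(in_alias(dst, m) for m in self.dst))


def evaluate(policies: List[Policy], src: str, dst: str,
             proto: str, port: int) -> Tuple[str, str, bool]:
    """First match in list order wins (higher in Details view = higher
    precedence). Returns (policy name, action, whether it is logged)."""
    for p in policies:
        if p.matches(src, dst, proto, port):
            return p.name, p.action, p.logging
    # Traffic that matches no policy is denied and logged by default.
    return "Unhandled", "deny", True


# Constructed policy list in Details-view order.
BLOCK_HOST = Policy("Block-Host-50", "deny", [("tcp", 80)],
                    ["10.0.1.50"], ["Any-External"])
HTTP = Policy("HTTP", "allow", [("tcp", 80)], ["Any-Trusted"], ["Any-External"])
OUTGOING = Policy("Outgoing", "allow", [("tcp", ANY_PORT), ("udp", ANY_PORT)],
                  ["Any-Trusted", "Any-Optional"], ["Any-External"])
POLICIES = [BLOCK_HOST, HTTP, OUTGOING]

if __name__ == "__main__":
    print(evaluate(POLICIES, "10.0.1.50", "198.51.100.7", "tcp", 80))
    # Moving HTTP above the deny policy changes the outcome for the same flow.
    print(evaluate([HTTP, BLOCK_HOST, OUTGOING], "10.0.1.50", "198.51.100.7", "tcp", 80))
```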

Advanced Policy Properties

Schedules
Connection rate limits
Override NAT settings
QoS settings
ICMP error handling
Override Multi-WAN sticky connection setting

Schedule Policies
Set the times of day when the policy is enabled

Understand the Outgoing policy

The Outgoing packet filter policy is added in the default configuration
Allows all outgoing TCP and UDP connections from trusted and optional networks to external networks
Enables the XTM device to work out of the box but could have security problems
If you remove the Outgoing policy, you must add policies to allow outgoing traffic

Understand the TCP-UDP-Proxy

Enables TCP and UDP protocols for outgoing traffic
Applies proxy rules to traffic for the HTTP, HTTPS, SIP, and FTP protocols, regardless of the port numbers
Blocks selected IM and P2P applications, regardless of port

The WatchGuard Policy

Controls management connections to the XTM device
By default, this policy allows only local administration of the device; edit the configuration to allow remote administration

Find Policy Tool

Fireware XTM includes a utility to find policies that match the search criteria you specify
With the Find Policies tool, you can quickly locate policies that match user or group names, IP addresses, port numbers, and protocols.

Policy Tags and Filters

Assign policy tags to policies to create policy groups
Sort the policy list by policy tag to see the policy list by policy group
Create and save policy filters to specify which policies appear in the policy list

Proxy Policies:
Use Proxy Policies and ALGs to Protect Your Network

Learning Objectives
Understand the purpose and configuration of proxy policies and
ALGs
Configure the DNS-proxy to protect a DNS server
Configure an FTP-Server proxy action
Configure an FTP-Client proxy action
Enable logging for proxy actions

What are Proxies and ALGs?

Proxy policies and ALGs (Application Layer Gateway) are powerful and highly customizable application inspection engines and content filters.
A packet filter looks at IP header information only.
A proxy or ALG looks at the content of the network data. ALGs also provide transparent connection management.

What is the DNS Proxy?

Domain Name System
Validates all DNS traffic
Blocks badly formed DNS packets
Fireware XTM includes two methods to control DNS traffic:
DNS packet filter: IP headers only
DNS-Proxy: filter content

Control Incoming Connections

Use the DNS-Incoming action as a template
You own the server
You decide who gets to connect to the server

[Diagram: DNS Proxy on the XTM device in front of a DNS server on your network]

WatchGuard
Training

120

Configuring DNS-Incoming
Rulesets in the DNS-Incoming proxy action:
  General
  OpCodes
  Query Types
  Query Name
  Proxy Alarm

Control Outgoing Connections
Use the DNS-Outgoing action as a template
Operates with Intrusion Prevention Service
Deny queries for specified domain names
[Diagram: clients on your network -> DNS-proxy on the XTM device -> external DNS server]

Use DNS-Outgoing
Use DNS-Outgoing to block DNS requests for services, such as queries for:
  POP3 servers
  Advertising networks
  IM applications
  P2P applications
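
To make the DNS-Incoming and DNS-Outgoing rulesets concrete (OpCodes, Query Types, Query Name, and the rejection of badly formed packets), here is an added example written for this page; it is not WatchGuard code and does not reproduce Fireware's defaults. The allowed opcodes and record types, the denied name patterns, the .example domains and the build_query helper are all assumptions. The inspector parses the question section of a raw DNS query itself, the way a proxy must, and denies anything malformed before it looks at the policy rules:

```python
import struct
from fnmatch import fnmatch

# Constructed ruleset modelled on the DNS-Incoming/DNS-Outgoing rulesets (OpCodes,
# Query Types, Query Name). The values are assumptions, not Fireware defaults.
ALLOWED_OPCODES = {0}                    # 0 = standard QUERY; IQUERY, STATUS, NOTIFY, UPDATE are denied
ALLOWED_QTYPES = {1, 2, 15, 16, 28}      # A, NS, MX, TXT, AAAA; AXFR (252) and ANY (255) are denied
DENIED_QNAME_PATTERNS = ["*.p2p-tracker.example", "ads.example", "*.ads.example"]


class MalformedDNS(ValueError):
    pass


def _read_name(pkt, offset, depth=0):
    """Decode a QNAME at `offset`; reject truncation, over-long labels and pointer loops."""
    if depth > 10:
        raise MalformedDNS("compression pointer loop")
    labels = []
    while True:
        if offset >= len(pkt):
            raise MalformedDNS("truncated name")
        length = pkt[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:        # compression pointer (RFC 1035 section 4.1.4)
            if offset + 1 >= len(pkt):
                raise MalformedDNS("truncated pointer")
            ptr = ((length & 0x3F) << 8) | pkt[offset + 1]
            tail, _ = _read_name(pkt, ptr, depth + 1)
            labels.append(tail)
            return ".".join(labels), offset + 2
        if length > 63:
            raise MalformedDNS("label longer than 63 octets")
        offset += 1
        if offset + length > len(pkt):
            raise MalformedDNS("truncated label")
        try:
            labels.append(pkt[offset:offset + length].decode("ascii"))
        except UnicodeDecodeError:
            raise MalformedDNS("non-ASCII label") from None
        offset += length


def build_query(name, qtype, opcode=0, txid=0x1234):
    """Encode a minimal query packet (constructed test input; no network I/O)."""
    flags = (opcode << 11) | 0x0100      # RD bit set, QR clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def inspect_query(pkt):
    """Return ('allow'|'deny', reason) for one DNS query packet."""
    try:
        if len(pkt) < 12:
            raise MalformedDNS("header shorter than 12 bytes")
        _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
        if flags & 0x8000:
            raise MalformedDNS("QR bit set on a query")
        if qdcount != 1:
            raise MalformedDNS("QDCOUNT is %d, expected 1" % qdcount)
        qname, off = _read_name(pkt, 12)
        if off + 4 > len(pkt):
            raise MalformedDNS("truncated question section")
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    except MalformedDNS as exc:
        return "deny", "malformed: %s" % exc
    opcode = (flags >> 11) & 0xF
    if opcode not in ALLOWED_OPCODES:
        return "deny", "opcode %d not allowed" % opcode
    if qtype not in ALLOWED_QTYPES:
        return "deny", "query type %d not allowed" % qtype
    for pattern in DENIED_QNAME_PATTERNS:
        if fnmatch(qname.lower(), pattern):
            return "deny", "query name %s matches %s" % (qname, pattern)
    return "allow", "%s type %d" % (qname, qtype)
```

Two details matter in practice: the name decoder bounds compression-pointer recursion and label length, because a packet filter that only checks port 53 never sees these; and ANY and AXFR are denied by record type, which is the usual way to stop amplification and zone-dump attempts against a server you expose.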

Fireware XTM Proxies
DNS
FTP
H323 and SIP (Application Layer Gateways)
HTTP and HTTPS
SMTP and POP3
TCP-UDP: applies the proxies to traffic on all TCP ports

What is a Proxy Action?
A set of rules that tell the XTM device how to apply one of the proxies to traffic of a specific type
You can apply a proxy action to more than one policy

Import & Export Proxy Actions
You can import and export:
  Entire user-created proxy actions (not predefined proxy actions)
  Rulesets
  WebBlocker exceptions
  spamBlocker exceptions

What is FTP?
File Transfer Protocol
Often used to move files between two locations
Client and server architecture
Fireware XTM includes two methods to control FTP:
  FTP packet filter: IP headers only
  FTP-proxy: content and commands

FTP-Proxy
Restricts the types of commands and files that can be sent through FTP
Works with the Gateway AV Service
Works with the Data Loss Prevention Service

FTP-Client Action Rulesets
General
Commands
Download
Upload
AntiVirus
Data Loss Prevention
Proxy and AV alarms

Control Incoming Connections
Use the FTP-Server proxy action as a template
The FTP server must be protected by the XTM device
You decide who can connect to the FTP server
[Diagram: anybody on the Internet -> FTP-proxy on the XTM device -> your FTP server]

Define FTP-Server Action Rulesets
General
Commands
Download
Upload
AntiVirus
Data Loss Prevention
Proxy alarms
Options available in the FTP-Client proxy action are also available in the FTP-Server proxy action
Smart defaults are used in each ruleset to protect clients (FTP-Client) and servers (FTP-Server)
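
The Commands, Download and Upload rulesets above amount to an allow-list of control-channel verbs plus file-name patterns per direction. The following is an added example written for this page, not WatchGuard code; the allowed command set, the patterns, the length limits and the SESSION transcript are constructed assumptions rather than Fireware's smart defaults. It judges each client command line and records why it was allowed or denied, which is also what the proxy log would show:

```python
from fnmatch import fnmatch

# Constructed ruleset modelled on the Commands, Download and Upload rulesets of an
# FTP-Server proxy action. The command list, patterns and limits are assumptions,
# not the Fireware "smart defaults".
RULES = {
    "allowed_commands": {
        "USER", "PASS", "SYST", "FEAT", "TYPE", "PWD", "CWD", "CDUP", "PASV", "EPSV",
        "PORT", "LIST", "NLST", "SIZE", "MDTM", "RETR", "STOR", "NOOP", "QUIT",
    },
    "deny_download": ["*.exe", "*.dll", "*.bat"],          # RETR of these is denied
    "deny_upload": ["*.exe", "*.dll", "*.bat", "*.scr"],   # STOR of these is denied
    "max_line_length": 512,       # longer control lines are treated as malformed
    "max_argument_length": 128,   # guards the server against over-long USER/CWD/file names
}
FILE_COMMANDS = {"RETR": "deny_download", "STOR": "deny_upload"}


def inspect_command(line, rules=RULES):
    """Decide ('allow'|'deny', reason) for one client line on the FTP control channel."""
    if len(line) > rules["max_line_length"]:
        return "deny", "command line too long"
    line = line.rstrip("\r\n")
    if not line:
        return "deny", "empty command"
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb not in rules["allowed_commands"]:
        return "deny", "command %s not in the allowed list" % verb
    if len(arg) > rules["max_argument_length"]:
        return "deny", "argument of %s too long" % verb
    if verb in FILE_COMMANDS:
        # Match on the base name only, so '../x/evil.exe' is judged as 'evil.exe'.
        basename = arg.replace("\\", "/").rsplit("/", 1)[-1].lower()
        for pattern in rules[FILE_COMMANDS[verb]]:
            if fnmatch(basename, pattern):
                return "deny", "%s %s matches %s" % (verb, arg, pattern)
    return "allow", ("%s %s" % (verb, arg)).strip()


def filter_session(lines, rules=RULES):
    """Run a client command stream through the ruleset; returns (line, action, reason) per line."""
    return [(l.rstrip("\r\n"),) + inspect_command(l, rules) for l in lines]


SESSION = [  # constructed client commands, not a capture from any real server
    "USER anonymous\r\n",
    "PASS guest@example.test\r\n",
    "CWD /pub\r\n",
    "RETR readme.txt\r\n",
    "RETR ../tools/update.exe\r\n",
    "SITE EXEC /bin/sh\r\n",
    "STOR upload.scr\r\n",
    "USER " + "A" * 300 + "\r\n",
    "QUIT\r\n",
]
```

The base-name match means a path such as ../tools/update.exe is judged on update.exe, and the length limits stand in for the protection a proxy gives an FTP server against over-long USER or file-name arguments that a packet filter would pass straight through.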

Logging and Proxies
Proxy policies contain many more advanced options for logging than packet filter policies
Each proxy category has its own check box to enable logging
To generate detailed reports with information on packets handled by proxy policies, you must select the Enable logging for reports check box in each proxy action

Email Proxies:
Work with the SMTP and POP3 Proxies

Learning Objectives
Understand the SMTP and POP3 proxies
Understand the available actions for email
Control incoming email
Control outgoing email

SMTP and POP3 Proxies
Used to restrict the types and size of files sent and received in email
Operate with Gateway AV and spamBlocker
Operate with Data Loss Prevention (SMTP-proxy only)

Proxy Actions Available for Email
Default actions available:
  Allow: Email is allowed through your device
  Lock: Email is allowed through your device; the attachment is encoded so only the XTM device administrator can open it
  AV Scan: Gateway AntiVirus is used to scan the attachment
  Strip: Email is allowed through your device, but the file attachment(s) are deleted
  Drop: The SMTP connection is closed
  Block: The SMTP connection is closed and the sender is added to the Blocked Sites List
Also available with Gateway AntiVirus, spamBlocker, and Data Loss Prevention:
  Quarantine: Email is stored on the Quarantine Server (only with SMTP) and is not sent to the recipient
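
For the Allow, Strip and Drop actions listed above, the following added example (written for this page, not WatchGuard code) applies file-name and content-type rules to a MIME message with Python's standard email package. Lock, AV Scan, Block and Quarantine are not modelled, and the rule table and the SAMPLE message are constructed assumptions:

```python
from email import message_from_string, policy
from fnmatch import fnmatch

# Constructed attachment rules, modelled on the file-name and content-type rules of an
# SMTP proxy action. Actions modelled: "allow", "strip" (remove the attachment, deliver
# the message) and "drop" (close the SMTP connection). Lock, AV Scan, Block and
# Quarantine are not modelled. Patterns are assumptions, not Fireware defaults.
RULES = [
    ("name", "*.exe", "drop"),
    ("name", "*.scr", "drop"),
    ("name", "*.js", "strip"),
    ("type", "application/x-msdownload", "drop"),
    ("type", "application/zip", "strip"),
]
DEFAULT_ACTION = "allow"


def attachment_action(part):
    """First matching rule wins; the file name comes from Content-Disposition or
    the Content-Type name= parameter, whichever is present."""
    name = (part.get_filename() or "").lower()
    ctype = part.get_content_type()
    for kind, pattern, action in RULES:
        if kind == "name" and name and fnmatch(name, pattern):
            return action
        if kind == "type" and ctype == pattern:
            return action
    return DEFAULT_ACTION


def apply_attachment_rules(raw):
    """Return (action, message). action is 'allow', 'strip' or 'drop'; message is the
    (possibly modified) email, or None when the connection would be dropped."""
    msg = message_from_string(raw, policy=policy.default)
    overall = "allow"
    for part in list(msg.walk()):
        if part.is_multipart() or part.get_content_disposition() != "attachment":
            continue
        action = attachment_action(part)
        if action == "drop":
            return "drop", None
        if action == "strip":
            overall = "strip"
            # set_content() replaces the payload and all Content-* headers, so the
            # recipient gets a plain-text note in place of the attachment.
            part.set_content("[attachment %s removed by policy]" % part.get_filename())
    return overall, msg


SAMPLE = """\
From: alice@example.test
To: bob@example.test
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Numbers attached.
--b1
Content-Type: application/zip; name="numbers.zip"
Content-Disposition: attachment; filename="numbers.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""  # constructed message, not a real capture
```

The file name is taken from the Content-Disposition filename or the Content-Type name parameter, so a rule on *.exe also catches an attachment that only names itself in the latter. A real proxy additionally has to walk every nested multipart, which msg.walk() does here, and must decide the action before the message body is relayed, which is why Drop closes the connection rather than bouncing the message.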

Control Incoming Email
Use the SMTP-Incoming and POP3-Server actions as templates
You decide what email you want to allow
[Diagram: anybody on the Internet -> SMTP-proxy on the XTM device -> your SMTP server -> your users]

Control Outgoing Email
Use the SMTP-Outgoing or POP3-Client action as a template
You know the users
You decide what they can send
[Diagram: your users -> SMTP-proxy on the XTM device -> their email server, reachable by anybody on the Internet]

Authentication:
Verify a User's Identity

Learning Objectives
Understand authentication and how it works with the XTM device
List the types of third-party authentication servers you can use with Fireware XTM
Use Firebox authentication users and groups
Add a Firebox authentication group to a policy definition
Modify authentication timeout values
Use the XTM device to create a custom web server certificate

What is User Authentication?
Identify each user as they connect to network resources
Restrict policies by user name

WatchGuard Authentication
The user browses to the XTM device interface IP address on TCP port 4100 (HTTPS)
The XTM device presents an authentication page
The XTM device verifies that the credentials entered are correct, and allowed for the type of connection
The XTM device allows access to resources valid for that authenticated user or group

Supported Authentication Servers
Firebox
RADIUS
VASCO
SecurID
LDAP
Active Directory
Single Sign-On options

Use Firebox Authentication
To use the XTM device as an authentication server:
  Make groups
  Define users
  Edit policies

Edit Policies for Authentication
Create users and groups
Use the user and group names in policy properties
Define From or To information

Use Third-Party Servers
Set up a third-party authentication server
Get configuration information, such as shared secrets and IP addresses
Make sure the XTM device and the authentication server can reach each other

Set Global Authentication Values
Session and idle timeout values
Number of concurrent connections
Enable Single Sign-On with Active Directory authentication
Enable redirect to the authentication page if the user is not yet authenticated
  After users authenticate, they are redirected to the site they originally selected
Specify the authentication server that appears at the top of the Domain list in the Authentication Portal
Configure Terminal Services

Enable Single Sign-On
Transparent authentication, no need to open a web page
Available with Windows Active Directory
Install the SSO Agent on a Windows server with a static IP address
Install the SSO Client on all workstations (optional)
Install the Event Log Monitor on one computer in the domain (clientless SSO)
The SSO Agent reports the logged-in user name and domain for each IP address to the XTM device; the user's password is not sent
Use SSO exceptions for IP addresses that cannot authenticate (computers that are not domain members, or non-Windows PCs)

Enable Terminal Services
Enables users to authenticate to your XTM device over a Terminal Server or Citrix server
Enables your XTM device to identify each user individually even though all sessions on the terminal server share one IP address
Can be used with any configured authentication method (e.g. Firebox authentication, Active Directory, RADIUS, etc.)

Fireware XTM Web Server Certificate
Why does the user get warnings from the browser?
  The name on the certificate does not match the URL
  The certificate is not signed by an authority the browser already trusts
Fix this problem with a custom certificate that has all of the XTM device IP addresses as possible name matches (Subject Alternative Names)
Users must still import the signing certificate into their trusted root stores

Blocking Spam:
Stop Unwanted Email with spamBlocker

Learning Objectives
Activate and configure spamBlocker
Specify the actions to take when suspected spam email is detected
Block or allow email messages from specified sources
Monitor spamBlocker activity
Install and configure Quarantine Server

What is spamBlocker?
Technology licensed from Commtouch to identify spam, bulk, or suspect email
No local server to install
  You can install Quarantine Server, but it is not necessary for spamBlocker to work correctly
The XTM device sends information about each message to external servers to classify the email, and caches the results
Operates with the SMTP and POP3 proxies
You must have an SMTP or POP3 proxy action configured to use spamBlocker

Activate spamBlocker
A feature key is required to enable spamBlocker
  Use Policy Manager or FSM to add the feature key
  Save the configuration to the XTM device
Run the Activate spamBlocker Wizard

Configure a Policy for spamBlocker
Use the SMTP-proxy or POP3-proxy
Choose the proxy response to spam categorization
Add exceptions

spamBlocker Actions
Spam is classified into three categories:
  Spam
  Bulk
  Suspect
For each category, you can configure the action taken:
  Allow
  Add Subject Tag
  Quarantine (SMTP only)
  Deny (SMTP only)
  Drop (SMTP only)

spamBlocker Exceptions
You can configure exceptions for specific senders or recipients by:
  Email address
  Domain by pattern match (*@xyz.com)

Customize spamBlocker
Use multiple SMTP or POP3 proxies

Monitor spamBlocker Activity
Status visible in Firebox System Manager
Select the Subscription Services tab

Quarantine Spam
Quarantine Server operates with spamBlocker for the SMTP-proxy only (not the POP3-proxy)
Install with server components during WSM install, or from WatchGuard Server Center

Quarantine Server Configuration
You can configure:
  Database size and administrator notifications
  Server settings
  Length of time to keep messages
  The domains for which the Quarantine Server keeps mail
  Rules to automatically remove messages:
    From specific senders
    From specific domains
    That contain specific text in the Subject field

Web Traffic:
Manage Web Traffic Through Your Firewall

Learning Objectives
Control outgoing HTTP traffic
Protect your web server
Use the HTTPS-proxy
Set up WebBlocker
Select categories of web sites to block
Override WebBlocker rules for specified sites

What is the HTTP-Proxy?
Fully configurable
Inspects HTTP requests and responses
Use URL paths to block complete URLs, or match a pattern you specify
Select header fields, protocol settings, and request/response methods
Allow or deny based on content types
Block the transfer of all or some attachments over port 80
Allow or deny cookies from specified domains
Enforce search engine Safe Search rules

Control Outgoing HTTP Traffic
Use the HTTP-Client proxy action as a template
You know the users
You decide where they go and what they can get access to
Enforce Safe Search rules
[Diagram: clients on your network -> HTTP-proxy on the XTM device -> the Internet]

Settings for the HTTP-Client Proxy Action
HTTP Request
HTTP Response
Use Web Cache Server
HTTP Proxy Exceptions
Data Loss Prevention
WebBlocker
AntiVirus
Reputation Enabled Defense
Deny Message
Proxy and AV Alarms
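
The HTTP Request settings of an HTTP-Client proxy action (request methods, URL paths, cookie domains and Safe Search) can be illustrated with a request rewriter. The following is an added example written for this page, not WatchGuard code; the method list, URL patterns, cookie domains and the single safe-search rewrite (a safe=active parameter for one assumed host) are assumptions. The example works on one plaintext request, whereas the proxy works on the whole stream and needs the HTTPS-proxy with deep inspection before it can do any of this for HTTPS:

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed HTTP-Client rules, modelled on the request-side settings (methods, URL
# paths, cookie domains, Safe Search). All patterns and hosts are assumptions.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "OPTIONS"}
DENIED_URL_PATTERNS = ["*/wp-login.php", "*.torrent", "*/ads/*"]
MAX_URL_LENGTH = 2048
ALLOWED_COOKIE_DOMAINS = ["*.example.test", "intranet.example"]   # Cookie header is sent only to these
SAFE_SEARCH_PARAMS = {"www.google.com": ("safe", "active")}     # assumed rewrite, one host shown


def parse_request(raw):
    """Split a raw request into (method, target, version, headers, body); raises ValueError."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()   # names lower-cased; HTTP treats them case-insensitively
    return method, target, version, headers, body


def inspect_request(raw):
    """Return ('deny', reason) or ('allow', rewritten request bytes)."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError:
        return "deny", "malformed request"
    if method.upper() not in ALLOWED_METHODS:
        return "deny", "method %s not allowed" % method
    if len(target) > MAX_URL_LENGTH:
        return "deny", "URL too long"
    host = headers.get("host", "")
    url = urlsplit(target if target.startswith("http") else "http://%s%s" % (host, target))
    hostname = url.hostname or ""
    host_and_path = (hostname + url.path).lower()
    for pattern in DENIED_URL_PATTERNS:
        if fnmatch(host_and_path, pattern):
            return "deny", "URL matches %s" % pattern
    if "cookie" in headers and not any(fnmatch(hostname, p) for p in ALLOWED_COOKIE_DOMAINS):
        del headers["cookie"]                      # do not send cookies to other domains
    if hostname in SAFE_SEARCH_PARAMS:
        key, value = SAFE_SEARCH_PARAMS[hostname]
        query = dict(parse_qsl(url.query, keep_blank_values=True))
        query[key] = value                         # force the safe-search parameter
        url = url._replace(query=urlencode(query))
    new_target = urlunsplit(("", "", url.path or "/", url.query, ""))
    start_line = "%s %s %s" % (method, new_target, version)
    head = "\r\n".join([start_line] + ["%s: %s" % (k, v) for k, v in headers.items()])
    return "allow", head.encode("iso-8859-1") + b"\r\n\r\n" + body
```

Rewriting the query string rather than only inspecting it is what Safe Search enforcement requires; a deny-only filter cannot do it. The cookie rule is applied per request on the way out, which is the direction in which a leaked session cookie actually does damage.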

Protect Your Web Server
Use the HTTP-Server proxy action template
Block malformed packets
Prevent attacks on your server
Enforce Safe Search rules
[Diagram: the Internet -> HTTP-proxy on the XTM device -> your web server on your network]

Settings for the HTTP-Server Proxy Action
HTTP Request
HTTP Response
HTTP Proxy Exceptions
Data Loss Prevention
WebBlocker
AntiVirus
Reputation Enabled Defense
Deny Message
Proxy and AV Alarms

When to Use the HTTPS-Proxy
HTTP on a secure, encrypted channel (SSL/TLS)
Can use Deep Packet Inspection (DPI) to examine content: the XTM device terminates the TLS session, inspects the traffic, and re-signs the original HTTPS site certificate with its own CA certificate before presenting it to the client
OCSP can confirm the validity of the original HTTPS site certificate
Use a signing certificate that all clients on your network automatically trust for this purpose when possible; otherwise every HTTPS site produces a browser certificate warning
Can use WebBlocker to block categories of web sites
When DPI is not enabled, the proxy checks the certificate and blocks by domain name only

What is WebBlocker?
Reduces malicious web content that enters the network
Blocks URLs and IP addresses that you specify
Reduces unproductive web surfing and potential liability
Blocks access to IM/P2P download sites
Blocks access to spyware sites
Helps schools to attain CIPA compliance
Two database options (see the next slide)
  Global URL database: English, German, Spanish, French, Italian, Dutch, Japanese, traditional Chinese, and simplified Chinese sites

WebBlocker Server Options
Websense cloud
  Uses a cloud-based URL categorization database with over 100 content categories, provided by Websense
  Does not use a locally installed WebBlocker Server
  URL categorization queries are sent over HTTP
WebBlocker Server
  Uses a WatchGuard WebBlocker Server with 54 categories, provided by SurfControl
  Usually requires a locally installed WebBlocker Server
  URL categorization queries are sent over UDP 5003
  XTM 2 Series and XTM 33 can use a WebBlocker Server hosted by WatchGuard

The WebBlocker Database
Database updates keep the filtering rules up-to-date
Use multiple categories to allow or deny different groups of users at different times of the day

WebBlocker Content Categories
The available categories depend on which type of server you choose:
  Websense cloud: 100+ categories
  WebBlocker Server: 54 categories

WebBlocker with Websense Cloud
1. When a user browses, the XTM device checks the Websense cloud
2. If the site is not in a blocked category, the device allows the connection
[Diagram: your network -> XTM device -> Websense cloud lookup; allowed connections continue to the web site]

WebBlocker with a Local WebBlocker Server
1. The WebBlocker Server gets the WebBlocker database from WatchGuard
2. When a user browses, the XTM device checks the WebBlocker Server
3. If the site is not in a blocked category, the device allows the connection
[Diagram: WatchGuard -> WebBlocker updates -> your WebBlocker Server; your network -> XTM device -> WebBlocker Server lookup; allowed connections continue to the web site]

Keep the WebBlocker Database Updated
The locally installed WebBlocker Server automatically downloads an incremental update to the local WebBlocker database at midnight
To update the database at other times, you can:
  Manually trigger an incremental update in WatchGuard Server Center
  Use Windows Task Scheduler to run the updatedb.bat process, which is installed in the C:\Program Files\WatchGuard\wsm11\bin directory

Advanced WebBlocker Settings
On the WebBlocker Configuration Advanced tab, you can control what happens if the device cannot contact the WebBlocker Server. You can:
  Allow access to all web sites (fail open)
  Deny access to all web sites (fail closed)
Fail open keeps users working during an outage but leaves the filter unenforced for its duration; where WebBlocker is relied on as a security control rather than a productivity control, fail closed is the safer choice
You can also set a password that overrides WebBlocker when entered on individual computers

WebBlocker Exceptions
Add exceptions for web sites that WebBlocker denies and you want to allow (white list)
Add web sites that WebBlocker allows and you want to deny (black list)

Threat Protection:
Defend Your Network From Intruders

Learning Objectives
Understand the different types of intrusion protection
Configure default packet handling to stop common attacks
Block IP addresses and ports used by hackers
Automatically block the sources of suspicious traffic

Intrusion Detection and Prevention
The attack and patch timeline, and where firewall-based IPS fits:
1. Vulnerability found and exposed
2. Hacker builds an attack that uses the vulnerability
3. Attack launched
4. Vendor builds a patch
5. Vendor distributes the patch
6. IT admin queues the patch update based on severity
7. IT admin installs the patch
Firewall-based IPS proactively blocks many threats and supplies zero-day protection in the gap between the launch of the attack and the installed patch
Once an attack signature is developed and distributed, IPS provides ongoing protection at higher performance

Default Packet Handling
Spoofing attacks
Port and address space probes
Flood attacks
Denial of service
Options for logging and automatic blocking

Block the Source of Attacks
1. Remote users use valid packets to browse your web site
2. An attacker runs a port space probe on your network
3. The XTM device blocks the probe and adds the IP address of the source (the attacker) to the temporary list of blocked sites
4. Now, even valid traffic from the attacker's IP address is blocked by the XTM device
[Diagram: remote users and the attacker on the Internet -> XTM device -> web server and Log Server on your network]

Auto-Block Sites
Each policy configured to deny traffic has a check box you can select to auto-block the source of the denied traffic
If you select it, the source IP address of any packet denied by the policy is automatically added to the Blocked Sites List
A spoofed source address is blocked just as readily as a real one, so use auto-block with care on policies exposed to the Internet and keep the block duration short enough that a legitimate address that is blocked by mistake recovers on its own
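
The port space probe handling and the temporary Blocked Sites List described above can be replayed against a log. The following is an added example written for this page, not WatchGuard code; the threshold, window, block duration and the log line format are assumptions (the lines are constructed and do not use Fireware's log syntax). It counts distinct destination ports per source, adds the source to a temporary block list when the threshold is crossed, and then denies even valid traffic from that source until the block expires:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed detector modelled on the port space probe check in Default Packet Handling
# and the temporary Blocked Sites List. Thresholds, block duration and the log line
# format are assumptions, not Fireware values or Fireware log syntax.
PROBE_PORT_THRESHOLD = 10                 # distinct destination ports from one source ...
PROBE_WINDOW = timedelta(seconds=1)       # ... within this window count as a port space probe
AUTO_BLOCK_DURATION = timedelta(minutes=20)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>allow|deny) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")


class BlockedSites:
    """Temporary blocked-sites list with lazy expiry."""
    def __init__(self):
        self.expiry = {}                  # ip -> datetime when the temporary block ends

    def block(self, ip, now):
        self.expiry[ip] = now + AUTO_BLOCK_DURATION

    def is_blocked(self, ip, now):
        until = self.expiry.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.expiry[ip]           # block expired
            return False
        return True


class ProbeDetector:
    """Counts distinct destination ports per source inside a sliding window."""
    def __init__(self):
        self.hits = defaultdict(list)     # src -> [(ts, dport), ...]

    def observe(self, src, dport, ts):
        window = [h for h in self.hits[src] if h[0] >= ts - PROBE_WINDOW]
        window.append((ts, dport))
        self.hits[src] = window
        return len({port for _, port in window}) >= PROBE_PORT_THRESHOLD


def process_log(lines):
    """Replay log lines in order. Returns ([(src, verdict), ...], BlockedSites) where the
    verdict is the device's final decision: 'allow', 'deny', or 'blocked-site'."""
    blocked, detector, verdicts = BlockedSites(), ProbeDetector(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a traffic log line
        ts = datetime.fromisoformat(m.group("ts"))
        src, dport, action = m.group("src"), int(m.group("dport")), m.group("action")
        if blocked.is_blocked(src, ts):
            verdicts.append((src, "blocked-site"))   # even valid traffic is dropped
            continue
        if action == "deny" and detector.observe(src, dport, ts):
            blocked.block(src, ts)        # this packet is still 'deny'; the next ones are 'blocked-site'
        verdicts.append((src, action))
    return verdicts, blocked


SAMPLE_LOG = (  # constructed lines, not Fireware log output
    ["2013-10-01T10:00:00 allow src=198.51.100.77 dst=198.51.100.10 dport=80 proto=tcp"]
    + ["2013-10-01T10:00:01.%03d deny src=203.0.113.5 dst=198.51.100.10 dport=%d proto=tcp" % (i, 20 + i)
       for i in range(12)]
    + ["2013-10-01T10:00:03 allow src=203.0.113.5 dst=198.51.100.10 dport=80 proto=tcp",
       "2013-10-01T10:00:03 allow src=198.51.100.77 dst=198.51.100.10 dport=80 proto=tcp",
       "2013-10-01T10:25:00 allow src=203.0.113.5 dst=198.51.100.10 dport=80 proto=tcp"]
)
```

Note the asymmetry the slides describe: the attacker's later request to port 80 is refused while the legitimate client's is not, and the block silently expires. The same mechanism is why a spoofed source address can be used to get a legitimate host blocked.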

Use a Proxy Action to Block Sites
When you select the Block action, the IP address denied by the proxy action is automatically added to the Blocked Sites List

Block Known Attack Vectors
Protect sensitive services on your network
  Get log messages
  Close traffic for unwanted services
Static configuration
  Add specific ports to block
  Add specific IP addresses or subnets to be permanently blocked
Dynamic configuration
  This feature can be enabled from many different places in Policy Manager:
    Proxy actions
    Default packet handling settings
    Policy configuration

Signature Services:
Gateway AntiVirus, Data Loss Prevention, Intrusion Prevention, and Application Control

Learning Objectives
Understand how signature-based security subscriptions work
Set up and configure Gateway AntiVirus
Configure proxies to use Gateway AntiVirus
Set up and configure Data Loss Prevention
Set up and configure the Intrusion Prevention Service
Set up and configure Application Control
Enable IPS and Application Control in policies

What is Gateway AV?
Signature-based antivirus subscription
The XTM device downloads signature database updates at regular, frequent intervals
Gateway AV operates with the SMTP, HTTP, FTP, POP3, and TCP-UDP proxies

Set Up Gateway AntiVirus
1. The XTM device downloads the initial signature file
2. The device gets new signatures and updates at a regular interval
3. Gateway AV strips viruses and allows valid email or web pages to load
[Diagram: WatchGuard -> Gateway AntiVirus database updates -> XTM device on your network]

Gateway AV Wizard
Gateway AntiVirus can be enabled and configured with the wizard that you launch from the Subscription Services menu
In the wizard, you select the proxy policies to include in the Gateway AV configuration

Configure the Proxy with Gateway AntiVirus
Use the HTTP-proxy and SMTP-proxy to enable Gateway AV
Define actions
Define content types to scan
Monitor Gateway AV status

Gateway AV and the SMTP-Proxy
When an email attachment contains a known virus signature, the XTM device can take one of these actions:
  Allow: Attachment passes through with no change
  Lock: Attachment can only be opened by an administrator
  Remove: Attachment is stripped from the email
  Quarantine: Message is sent to the Quarantine Server
  Drop: The connection is denied
  Block: The connection is denied, and the server is added to the Blocked Sites List

Gateway AV and the HTTP-Proxy
When Gateway AV finds a known virus signature in an HTTP session, the XTM device can:
  Allow: The file is allowed to pass through without changes
  Drop: The HTTP connection is denied
  Block: The HTTP connection is denied, and the web server is added to the Blocked Sites List

Gateway AV and the FTP-Proxy
The FTP-proxy applies Gateway AV settings to:
  Downloaded files allowed in your configuration
  Uploaded files allowed in your configuration

Gateway AV Settings
Select the decompression option if you want Gateway AV to decompress archive formats such as .zip or .tar before scanning
The number of levels to scan is the depth to which Gateway AV scans archive files inside archive files; an archive nested deeper than this limit is not scanned
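
The two archive settings above (decompress, and the number of levels to scan) are easiest to reason about with a nested archive. The following is an added example written for this page, not Gateway AV code; the signature is a made-up marker string, the size bound is an assumption, and nest builds the constructed input:

```python
import io
import zipfile

# Constructed scanner showing the two Gateway AV archive settings: whether to decompress
# archives at all, and how many nesting levels to look into. The "signature" is a made-up
# marker string and the size bound is an assumption; neither comes from Gateway AV.
SIGNATURE = b"TEST-MARKER-NOT-A-REAL-VIRUS"
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # refuse archives that claim to inflate beyond this


def scan_bytes(data, decompress=True, levels=3, _depth=0):
    """Return 'infected', 'clean' or 'unscannable'.
    'unscannable' means an archive nested deeper than `levels`, or one that would
    inflate past MAX_TOTAL_UNCOMPRESSED; the caller must decide whether that is
    allowed or denied, because the content was never actually inspected."""
    if SIGNATURE in data:
        return "infected"
    if not (decompress and zipfile.is_zipfile(io.BytesIO(data))):
        return "clean"            # not an archive, or decompression switched off
    if _depth >= levels:
        return "unscannable"      # deeper than the configured number of levels
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if sum(info.file_size for info in zf.infolist()) > MAX_TOTAL_UNCOMPRESSED:
            return "unscannable"  # zip-bomb guard (sizes come from the central directory)
        worst = "clean"
        for info in zf.infolist():
            result = scan_bytes(zf.read(info), decompress, levels, _depth + 1)
            if result == "infected":
                return "infected"
            if result == "unscannable":
                worst = "unscannable"
        return worst


def nest(payload, depth):
    """Wrap `payload` in `depth` nested zip archives (constructed test input)."""
    data = payload
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("inner%d.bin" % level, data)
        data = buf.getvalue()
    return data
```

With levels=3 a payload wrapped four deep comes back 'unscannable' rather than 'clean': the scanner stopped before it reached the content. Whatever you configure for content that cannot be scanned therefore decides the outcome for deliberately over-nested archives, and with decompression switched off the scanner never sees inside any archive at all.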

What is Data Loss Prevention?
Data Loss Prevention (DLP) is a signature-based security service that can help you control the loss of confidential data from your network
DLP uses content control rules to identify sensitive data, such as:
  Bank routing numbers
  Credit card numbers
  Confidential document markers
  National identity numbers
  Driver's license numbers
  Medical records
  Postal addresses and telephone numbers
  Email addresses
DLP scans outbound traffic over proxied SMTP, FTP, HTTP, and HTTPS connections

DLP Sensors
To configure DLP, you define a DLP sensor
For each DLP sensor, you configure:
  Rules: enable one or more of the predefined content rules
  Actions: define the action to take if data matches the selected rules
    By default, a sensor has two types of actions:
      Action for email traffic
      Action for non-email traffic
  Settings: scan limit, and actions for items that cannot be scanned
    Scan limit controls how much of a file or object to scan
    Actions control what happens when:
      Content is larger than the scan limit
      A scan error occurs
      Content is password protected

DLP Actions
Actions you can configure in a DLP sensor are:
  Allow: Allows the connection or email
  Drop: Denies the request and drops the connection. No information is sent to the source of the content
  Block: Denies the request, drops the connection, and adds the IP address of the content source or sender to the Blocked Sites List
  Lock (email content only): Locks the email attachment. A file that is locked cannot be opened easily by the user. Only the administrator can unlock the file
  Remove (email content only): Removes the attachment and allows the message to be sent to the recipient
  Quarantine (email content only): Sends the email message to the Quarantine Server
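
The DLP sensor pieces above (a content rule, separate actions for email and non-email traffic, and an action for content larger than the scan limit) come together in the following added example, written for this page and not WatchGuard code. The credit-card rule is a regular expression with a Luhn check, the scan limit and the actions are assumptions, and nothing here reproduces Fireware's predefined rules:

```python
import re

# Constructed DLP sensor with one content rule (credit card numbers). The regex plus
# Luhn check, the scan limit and the actions are assumptions modelled on the sensor
# settings (rules, email/non-email actions, "content larger than the scan limit").
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, optional separators
SCAN_LIMIT_BYTES = 1_000_000
ACTION_EMAIL = "quarantine"        # action for email traffic
ACTION_NON_EMAIL = "drop"          # action for non-email traffic
ACTION_OVER_SCAN_LIMIT = "allow"   # content larger than the scan limit is NOT inspected


def luhn_ok(digits):
    """Luhn checksum; filters out most digit runs that merely look like a card number."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the card numbers (digits only) found in `text` that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def dlp_decision(content, is_email):
    """Return (action, matches) for one outbound object (an email body or an HTTP/FTP upload)."""
    if len(content) > SCAN_LIMIT_BYTES:
        return ACTION_OVER_SCAN_LIMIT, []     # never scanned: see the usage note
    matches = find_card_numbers(content.decode("utf-8", "replace"))
    if not matches:
        return "allow", []
    return (ACTION_EMAIL if is_email else ACTION_NON_EMAIL), matches
```

The over-limit branch is the one to watch: with allow configured, anything larger than the scan limit leaves the network uninspected, so a large file is the easy way past the sensor. Setting that action to drop or block costs some false positives on big legitimate uploads; choose deliberately rather than by default.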

DLP Text Extraction
DLP can extract and scan text from these file types:
  Adobe PDF, RTF
  Microsoft PowerPoint 2000, 2003, 2007, 2010
  Microsoft Excel 2000, 2003, 2007, 2010
  Microsoft Word 2000, 2003, 2007, 2010
  Microsoft Project 2000, 2003, 2007, 2010
  Microsoft Visio 2000, 2003, 2007, 2010
  Microsoft Outlook .MSG
  Microsoft Outlook Express .EML
  OpenOffice Calc, Impress, Writer
  LibreOffice Calc, Impress, Writer
  HTML

Enable DLP
Enable Data Loss Prevention
Add a DLP sensor using the wizard
  Apply the sensor to proxy policies
  Select content control rules
  Select actions to take when content is detected in email and non-email traffic

Edit a DLP Sensor
Enable/disable rules
Configure sensor actions by source and destination
  Action for email traffic
  Action for non-email traffic
Configure sensor settings
  Set actions for items that cannot be scanned due to:
    Size exceeds scan limit
    Scan error
    File is password protected
  Set the file scan limit

Assign DLP Sensors to Policies
When you add a DLP sensor, you select which proxy policies it applies to
You can also configure this on the Policies tab in the Data Loss Prevention configuration, and when you edit an FTP, HTTP, or SMTP proxy action

Use Signature-Based IPS
Configure IPS to Allow, Drop, or Block connections from sources that match an IPS signature
The action is set based on the threat level of the matching signature

Use Signature-Based IPS
Configure settings globally
Enable or disable per policy
Can scan traffic for all policies
Blocks malicious threats before they enter your network

Use Application Control
Application Control is a Subscription Service
Monitor and control hundreds of applications based on signatures
Block or allow traffic for application categories, applications, and application behaviors
When Application Control blocks HTTP content, a deny message appears in the browser
  The deny message is not configurable
  For HTTPS or other content types, the deny message does not appear

Use Application Control
To configure actions by application category, click Select by Category

Apply Application Control to Policies
First configure Application Control actions
On the Policies tab, select one or more policies, then select the action to apply

Enable Application Control and IPS in Policies
Application Control
  Application Control is not automatically enabled for policies
  For each policy, you select which Application Control action to use
  To monitor the use of applications, enable logging of allowed packets in the policies that have Application Control enabled
IPS
  When you enable IPS, it is enabled for all policies by default
  You can enable or disable IPS for each policy

Application Control, IPS, and DLP in HTTPS-Proxy Policies
If you enable Application Control, IPS, or DLP for an HTTPS-proxy policy, you must also enable deep inspection of HTTPS content in the HTTPS-proxy action:
  Required for IPS to scan the HTTPS content
  Required for Application Control to detect applications over an HTTPS connection
  Required for DLP to scan content

Enable Automatic Signature Updates
To protect against the latest viruses and exploits, and to identify the latest applications, make sure your device is configured to get automatic updates to Gateway AntiVirus, Intrusion Prevention, and Application Control signatures at regular intervals
Update requests can be routed through a proxy server

Monitor Signature Update Status
In Firebox System Manager, select the Subscription Services tab to see the status of Gateway AV, IPS, DLP, and Application Control signatures, or to manually get signature updates

Reputation Enabled Defense:
Improve the Performance and Security of Web Access

Learning Objectives
Understand how Reputation Enabled Defense works
Configure Reputation Enabled Defense
Monitor Reputation Enabled Defense

What is Reputation Enabled Defense (RED)?
Reputation-based HTTP anti-virus and anti-spyware prevention subscription, available for WatchGuard XTM device models only
RED operates with the HTTP-proxy
RED uses a cloud-based reputation server that assigns a reputation score between 1 and 100 to every URL
  The reputation score for a URL is based on AV scanning feedback and other URL reputation data collected from sources around the world
When a user browses to a web site, RED looks up the score for the URL
  For URLs with a good reputation score, local scanning is bypassed
  For URLs with a bad reputation score, the HTTP-proxy denies access without local scanning by Gateway AV
  For URLs with an inconclusive reputation score, local Gateway AV scanning is performed as configured
Eliminates the need to locally scan the content of web sites that have a known good or bad reputation and improves XTM device performance

RED Reputation Scores
High scores indicate a bad reputation
Low scores indicate a good reputation
If RED has no knowledge of a URL, it assigns a score of 50
The reputation score assigned to a URL increases based on:
  Negative scan results for that URL
  Negative scan results for a referring link
  Negative information from other sources of malware data
The reputation score assigned to a URL decreases based on:
  Multiple clean scans
  Recent clean scans
RED continually updates the reputation scores for URLs based on:
  Scan results from devices around the world by two leading anti-malware engines: Kaspersky and AVG
  Data from other leading sources of malware intelligence for the web

RED Reputation Thresholds and Actions
The action performed by the HTTP-proxy depends on:
  The reputation score of a requested URL
  The locally configured reputation thresholds
RED actions:
  If the score is higher than the Bad reputation threshold, deny access
  If the score is lower than the Good reputation threshold, bypass local scanning
  Otherwise, perform local Gateway AV scanning as configured

Enable Reputation Enabled Defense
Before you enable RED:
  Your device must have a Reputation Enabled Defense feature key
  You must have configured at least one HTTP-proxy policy

Configure Reputation Enabled Defense
Enable RED for the HTTP-proxy
Define thresholds
Monitor RED status

Reputation Enabled Defense and the HTTP-Proxy
Based on the reputation score for a URL, the HTTP-proxy can:
  Immediately block the URL if it has a bad reputation
  Bypass any configured local virus scanning for a URL that has a good reputation
If neither of these RED actions occurs, then any locally configured virus scanning proceeds as configured

Reputation Enabled Defense and the HTTP-Proxy
Default reputation thresholds are set to balance security with performance
Change the bad and good reputation thresholds in the Advanced Settings dialog box
WatchGuard recommends that you use the default reputation thresholds
A good score bypasses Gateway AV entirely, so a recently compromised site with a long clean history is not scanned locally until its score degrades; raising the good threshold trades some performance for closing that window

Monitor Reputation Enabled Defense
RED status is visible in Firebox System Manager on the Subscription Services tab

Web UI:
Explore Fireware XTM Web UI

Learning Objectives
Log in to Fireware XTM Web UI
Change the port that the XTM device uses for the Web UI
Discuss limitations of the Web UI
Manage timeouts for the Web UI management sessions

Introduction to Fireware XTM Web UI
Monitor and manage any device running Fireware XTM without installing extra software
Real-time management tool
Easily find what you need and understand how the configuration options work

Limitations of the Web UI
Things you can do with Policy Manager, but not with the Web UI:
  View or change the configuration of a device that is a member of a FireCluster
  Add or remove static ARP entries from the device's ARP table
  Change the name of a policy
  Change the logging of default packet handling options
  Enable or disable the notification of BOVPN events
  Add a custom address to a policy
  Use Host Name (DNS lookup) to add an IP address to the From or To section of a policy
  Create a .wgx file for Mobile VPN with IPSec client configuration (you can get only the equivalent, but unencrypted, .ini file)
  Export certificates stored on the device, or see their details (you can only import certificates)
  Some of the logging and reporting functions provided by HostWatch, Log Manager, Report Manager, and WSM are also not available

Log in to the Web UI
You need only a browser
Real-time configuration tool; there is no option to store configuration changes locally and save them to the device later
https://<XTM.device.IP.address>:8080
  Uses a self-signed certificate, so you must accept certificate warnings or replace the certificate with a trusted certificate
  You can change the port for the Web UI
Log in with one of two accounts:
  status: read-only permission; uses the status passphrase
  admin: read-write permission; uses the configuration passphrase

Log in to the Web UI
The Username must be status or admin. It is case sensitive.
Multiple concurrent logins are allowed with the status account
Only one admin account can be logged in at a time
The last user to log in with the admin account is the only user that can make changes; this includes changes from Policy Manager and WSM

Log in to the Web UI
The user account name appears at the top of the screen
Navigation menu links are at the left side

Web UI Dashboards
The dashboards appear at the top of the Web UI navigation bar:
  Front Panel: Summary of current system status and activity
  Subscription Services: Summary of activity for all subscription services
  FireWatch: Treemap visualization of current traffic through the XTM device
  Interfaces: Status of network interfaces
  Traffic Monitor: Log messages from the XTM device
  Gateway Wireless Controller: Shows WatchGuard AP device activity and clients

FireWatch
FireWatch provides a treemap view to help you visualize your network traffic
Blocks in each tab are proportionately sized to represent the data in that tab
Place your cursor over an item in the treemap to see more details about it
Select the data type from the drop-down list at the top right of the page:
  Rate
  Bytes
  Connections
  Duration

FireWatch
You can use FireWatch to see:
  Who uses the most bandwidth on your network
  Which is the most popular site that users visit
  Which sites use the most bandwidth
  Which applications use the most bandwidth
  Which sites a particular user has visited
  Which applications are most used by a particular user

Conclusion
This presentation provides an overview of basic Fireware XTM features
For more information, see these training, documentation, and support resources available in the Support section of the WatchGuard web site:
  WatchGuard System Manager Help
  Fireware XTM Web UI Help
  WatchGuard Knowledge Base
  Fireware XTM Training courseware

Thank You!