Firewall Basics with Fireware for WSM v9.0


Firewall Basics with Fireware v9.1 for WatchGuard System Manager v9.1
Course Introduction
2
Course Introduction
Objectives
• Understand and use the basic management and monitoring components
of WatchGuard System Manager
• Understand how to configure a WatchGuard Firebox X Core or Peak eSeries device for your network environment
• Understand how to create basic security policies for your Firebox to
enforce
• Understand how to use security services to expand Firebox functionality
3
Course Introduction
Audience
This course is intended for network administrators who have a Firebox
X Core or Peak. A basic understanding of TCP/IP networking is
required.
4
Course Introduction
Environment
To use this training presentation:
• It is helpful, but not necessary, for you to have WatchGuard System
Manager installed on your computer
• It is not necessary to have a Firebox X Core or Peak
• We recommend you view or print the instructor’s notes for this
presentation, as they contain additional details which may be helpful
5
Course Introduction
Outline
This course includes sections on:
• Getting Started with your Firebox X Core or Peak
• Introducing Policy Manager
• Using Policy Manager to Configure Network Settings
• Using Policy Manager to Configure Policies
• Working with Proxy Policies
• WebBlocker
• spamBlocker
• Gateway AV/IPS
• Policy Manager Intrusion Prevention
• Firebox Administration
• Working with Firebox Log Messages
6
Course Introduction
Exam
• The WatchGuard Certified System Professional exam is available for all
WatchGuard partners. The exam is based on the contents of this course.
Studying the information in this courseware can help you prepare to take
the exam.
• If you are a WCSP, you can find the exam at:
https://www.watchguard.com/training/CertCentral.asp
7
Getting Started with your Firebox X Core or Peak
8
Getting Started
Management and Appliance Software
To configure a WatchGuard Firebox, you must install two software
packages:
• WatchGuard System Manager (WSM) – The management
software you use to configure, manage, and monitor your Firebox.
• Fireware Appliance Software – The software that is installed on
the Firebox itself.
9
Getting Started
Management Station
Your management station is a PC running Windows 2000, Windows XP,
Windows 2000 Server, or Windows 2003 Server.
• You install WSM on your management station to configure, manage, and
monitor your Firebox.
• You also install Fireware appliance software on your management
station. Use WSM to put Fireware on your Firebox.
10
Getting Started
Components of WSM
WSM includes a set of management and monitoring utilities:
• Policy Manager
• Firebox System Manager
• LogViewer
• HostWatch
• Historical Reports
11
Getting Started
Server Software
When you install WSM on your management station, you have the option
to install any or all of these server components:
• Management Server – Use to manage all firewall devices and create
VPN (virtual private network) tunnels using a simple drag-and-drop
function.
• Log Server – Collects log messages from each WatchGuard Firebox.
• WebBlocker Server – Operates with the Firebox HTTP proxy to deny
user access to specified categories of web sites.
• Quarantine Server – Collects and isolates mail confirmed as spam
by spamBlocker.
12
Getting Started
Registering your Firebox
Before you can begin to configure your Firebox, you must register your
Firebox to your LiveSecurity account.
• If you have not created a LiveSecurity profile with a user name and
password, you must create it before you register your Firebox.
• You must have your Firebox serial number when you log in to
LiveSecurity to register your device.
13
Getting Started
Quick Setup Wizard
The Quick Setup Wizard works with a Firebox X Core or Peak e-Series
device and allows you to:
• Install Fireware appliance software on the Firebox
• Create and upload a basic configuration file
• Assign passphrases to control access to the Firebox
14
Getting Started
Preparing to use the Quick Setup Wizard
Before you start the Quick Setup Wizard, you must have:
• The feature key for your Firebox
When you register your Firebox with LiveSecurity, a feature key is
created that is unique to the serial number of the device. Save a copy of
the feature key to complete the Quick Setup Wizard.
• Installed WSM and Fireware on your management station
Download the latest versions from the LiveSecurity software downloads
site. Note that WSM and Fireware are separate software downloads.
You must download and install both packages.
• Network information
You must know the IP address of your gateway router, and IP addresses
to give to the external and trusted interfaces of the Firebox.
15
Getting Started
Starting the Quick Setup Wizard
For the Quick Setup Wizard to operate correctly, you must:
• Assign a static IP address to your management workstation from the
same subnet that you plan to assign to the Trusted interface of the
Firebox.
• Connect the Firebox to a power source. Hold down the down arrow on the
front of the Firebox while you turn on the power switch. Hold the button
until the LCD display shows “WatchGuard Technologies.”
• Connect your management station’s Ethernet interface to the eth1
interface of the Firebox.
• Launch WatchGuard System Manager (WSM) and launch the Quick
Setup Wizard from the WSM > Tools menu.
16
Getting Started
Starting the Quick Setup Wizard
The QSW asks you to choose
which model of Firebox you are
configuring.
17
Getting Started
Starting the Quick Setup Wizard
If you have connected your workstation to the Firebox correctly, the QSW
will automatically detect the Firebox and identify its model and serial
number. Verify that this information is correct.
18
Getting Started
Naming Your Firebox
The name you assign to the Firebox in the wizard is used to:
• Identify the Firebox in WSM
• Identify the Firebox log file
• Identify the Firebox when you use Historical Reports
19
Getting Started
Adding a Feature Key
If you have purchased additional
options for your Firebox and
already registered them with
LiveSecurity, the feature key will
reflect those features.
You can register the features later
and update your feature key using
Policy Manager.
20
Getting Started
Configuring the External Interface
The IP address you give to the external
interface can be:
• A static IP address
• An IP address assigned with DHCP
• An IP address assigned with PPPoE
You must also add an IP address for the
Firebox default gateway. This is the IP
address of your gateway router.
21
Getting Started
Configuring Trusted and Optional Interface
To configure the trusted and optional interfaces,
you must select one of these configuration
options:
Routed Configuration – Each interface is
configured with an IP address on a different
subnet.
Drop-in Configuration – All Firebox interfaces
are configured with the same IP address. Use
drop-in mode when devices from the same
publicly addressed network are located on
more than one Firebox interface.
22
Getting Started
Understanding Drop-in configurations
In drop-in mode:
• You must assign the same primary IP
address to all interfaces on your Firebox
(external, trusted, and optional).
• You can assign secondary networks on
any interface.
• You can keep the same IP addresses and
default gateways for hosts on your trusted
and optional networks, and add a
secondary network address to the Firebox
interface so the Firebox can correctly send
traffic to the hosts on these networks.
23
Getting Started
Setting Passphrases
You define two passphrases for the
Firebox. Passphrases must be at least
8 characters long and different from
each other:
• Status passphrase – used for read-only connections to the Firebox.
• Configuration passphrase – used for read-write connections to the
Firebox.
24
Getting Started
Completing the Quick Setup Wizard
• The wizard is complete when it has
saved a basic configuration to the
Firebox.
• You are now ready to put your
Firebox in place on your network.
• Remember to reset your
management station to get its IP
address in its usual way.
25
Introduction to Policy Manager
26
Introduction to Policy Manager
Launch WSM
Launch WSM from Windows Start > All Programs > WatchGuard
System Manager 9.1 > WatchGuard System Manager to monitor
and configure your Firebox.
From WSM, connect to the Firebox. Once connected, you can monitor
the device or launch Policy Manager to configure the device.
27
Introduction to Policy Manager
What is Policy Manager?
• Policy Manager is the off-line
editing tool used to modify the
configuration of your Firebox.
• Changes made in Policy
Manager do not take effect until
you save them to the Firebox.
• Launch Policy Manager from
WSM.
28
Introduction to Policy Manager
Navigating Policy Manager
Use drop-down menus to configure many basic and advanced Firebox
features.
29
Introduction to Policy Manager
Navigating Policy Manager
• Security policies controlling traffic through the Firebox are represented by
icons in the Policy Manager.
• To edit security policies, double-click on an icon.
• To display policies in list view, select View > Details.
30
Using Policy Manager to Configure Network Settings
31
Network Settings
Beyond the Quick Setup Wizard
The Quick Setup Wizard
configures the Firebox
with an external,
trusted, and optional
network only.
32
Network Settings
Network Configuration Options
Use Policy Manager to:
• Modify a configured interface’s properties
• Change the interface type (from trusted to optional, etc.)
• Add secondary networks and addresses
• Enable DHCP server on the Firebox
• Configure additional interfaces
• Configure WINS/DNS settings for the Firebox
• Add network or host routes
• Configure NAT
33
Network Settings
Interface Types
You can identify each interface as external, trusted, or optional. In most
cases, these terms refer to:
• External – Connects to your gateway router.
• Trusted – Connects to your LAN of desktop computers or workstations,
not accessible from the public internet
• Optional – Connects to a network of servers that need to be physically
separate from the trusted network and accessible from the public
internet, such as web and mail servers.
34
Network Settings
Interface Independence
• You can change the interface
type of any interface configured
with the Quick Setup Wizard.
• You can choose the interface
type of any additional interface
you enable.
35
Network Settings
Secondary Networks
• A secondary network is a network that shares the same physical
network segment as one of the Firebox interfaces.
• A secondary network adds an IP alias to the interface. This IP alias is the
default gateway for all the computers on the secondary network.
36
Network Settings
Secondary Addresses
• If your external interface is
configured with a static IP
address, you can add an IP
address on the same subnet as
a secondary network.
• For example, configure an
external secondary network with
a second public IP address if
you have two public SMTP
servers.
37
Network Settings
Enabling DHCP Server
• The Firebox can act as a DHCP
server for clients on any interface
configured as trusted or optional.
• To configure DHCP server on a
Firebox interface, identify the first
and last IP addresses in the range
you want the Firebox to assign.
38
Network Settings
WINS/DNS
The Firebox needs WINS/DNS
information to:
• Resolve names to IP
addresses for IPSec VPNs
and for the spamBlocker,
Gateway AV and IPS features
to operate correctly.
• Allow DHCP clients on the
trusted or optional networks,
MUVPN users, and PPTP
RUVPN users to resolve DNS
queries.
39
Network Settings
Network or Host Routes
• Create static routes to send traffic for a remote network or host from a
Firebox interface to a router. The router then forwards the traffic to the
destination specified by the route.
• If you do not add a route to a remote network or host, all traffic to that
network or host is sent to the Firebox default gateway.
40
Using Policy Manager to Configure Policies
41
Configuring Policies
What is a Policy?
• A rule to limit access through the Firebox
• Can be configured to allow traffic or deny traffic
• Can be enabled or disabled
• Applies to specific port(s) and protocols
• Applies to specific internal hosts or subnets and external hosts or
subnets
42
Network Settings
Firebox Dynamic NAT
Dynamic NAT:
• The Firebox applies its public IP
address to the outgoing packets
for all connections or for specified
services
• Is used to hide the IP addresses of
internal hosts when they get
access to public services
• Is enabled by default for valid RFC
1918 networks to any external
interface
43
Configuring Policies
Adding Policies
• To add a policy, select Edit > Add Policy.
• Add a policy from the pre-defined Packet Filters
list, the Proxies list, or create a Custom policy.
44
Configuring Policies
Changing Source and Destinations
You can:
• Select a pre-defined alias, then click Add.
• Click Add User to select an authentication user or group.
• Click Add Other to add a host IP address, network IP address, or host
range.
45
Configuring Policies
Packet Filters and Proxies
• Packet Filter – Examines the IP header of each packet. Works at the
network and transport protocol packet layers.
• Proxy – Examines the IP header AND the content of a packet (at the
application layer of a packet). If the content does not match the criteria
you set in your proxy policies, it denies the packet, or removes
disallowed content.
A proxy:
• Removes all the network data
• Examines the contents for RFC compliance and content type
• Adds the network data again
• Sends the packet to its destination
46
Configuring Policies
When do I use a custom policy?
Use a custom policy:
• If none of the pre-defined policies include the specific combination of
ports that you want.
• If you need to create a policy that uses a protocol other than TCP or
UDP.
• Note: A custom policy can be either a packet filter or proxy policy.
47
Configuring Policies
Modifying Policies
To edit a policy, double-click the
policy icon.
By default:
• A new policy is enabled and
allowed.
• It allows traffic on the port(s)
specified by the policy.
• It allows traffic from any trusted
source to any external destination.
48
Configuring Policies
Changing Source and Destinations
To modify the default source and destination, click Add and define a new
source or destination.
49
Configuring Policies
Policy Properties
The Policy Properties tab lets you:
• See the ports and protocols defined
in the policy.
• Set logging and notification rules for
the policy.
• Auto-block the source of denied
traffic (if the policy is configured to
deny traffic).
• Set a custom idle time out for the
policy.
50
Configuring Policies
Proxy Policy Properties
When you configure a proxy
policy, use the Policy Properties
tab to apply a proxy action to
the policy.
51
Configuring Policies
Advanced Policy Properties
Click the Advanced tab to
configure:
• Schedule
• QoS
• NAT rules
• Sticky connection settings (if
you use multi-WAN)
• ICMP error handling
52
Configuring Policies
Scheduling Policies
When you apply a schedule to a
policy, you set the times of day
you want a policy to be enabled.
For example:
If you only want users to surf the
Web between 10:00 am and 12:00
am, apply a schedule to your
HTTP policy that looks like this:
53
Configuring Policies
NAT
• You can customize NAT in each
policy.
• The settings in Network > NAT
apply unless you modify the
NAT settings in a policy.
• Use the Set Source IP option
when you want any traffic that
uses this policy to show a
specified address from your
public or external IP address
range as the source IP address.
54
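The Dynamic NAT slide in the Network Settings section (on by default for RFC 1918 sources leaving through an external interface) and the per-policy NAT override described above, modelled in one added Python example that is not part of this course or of Fireware. The interface names, subnets and addresses are constructed for the example, and the routing is simplified to "directly connected subnet, otherwise the external interface".

```python
from ipaddress import ip_address, ip_interface, ip_network

# RFC 1918 private ranges: dynamic NAT applies to them by default on the way out.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Constructed sample interfaces: name -> (interface type, primary address with mask).
INTERFACES = {
    "eth0": ("external", ip_interface("203.0.113.2/29")),
    "eth1": ("trusted", ip_interface("10.0.1.1/24")),
    "eth2": ("optional", ip_interface("10.0.2.1/24")),
}


def is_rfc1918(addr):
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def egress_interface(dst):
    """Pick the interface a packet leaves on: a directly connected subnet if one
    contains dst, otherwise the external interface (the Firebox default gateway)."""
    d = ip_address(dst)
    for name, (kind, iface) in INTERFACES.items():
        if d in iface.network:
            return name, kind, iface.ip
    for name, (kind, iface) in INTERFACES.items():
        if kind == "external":
            return name, kind, iface.ip
    raise RuntimeError("no external interface configured")


def translate_source(src, dst, policy_source_ip=None, policy_dynamic_nat=True,
                     global_dynamic_nat=True):
    """Return (source address written on the outgoing packet, reason).
    policy_source_ip   - the policy's 'Set Source IP' address, or None if unset.
    policy_dynamic_nat - False if the policy overrides the global setting and turns
                         dynamic NAT off for its traffic.
    global_dynamic_nat - the Network > NAT setting, which applies unless a policy
                         overrides it."""
    name, kind, iface_ip = egress_interface(dst)
    if kind != "external":
        # Traffic between internal interfaces is routed without address translation.
        return src, f"no NAT: leaving via {kind} interface {name}"
    if policy_source_ip is not None:
        # Set Source IP must name an address from the public/external range.
        if is_rfc1918(policy_source_ip):
            raise ValueError(f"{policy_source_ip} is a private address, not a public one")
        return policy_source_ip, "policy Set Source IP"
    if not (global_dynamic_nat and policy_dynamic_nat):
        return src, "dynamic NAT disabled"
    if is_rfc1918(src):
        # Default behaviour: hide the internal host behind the external interface address.
        return str(iface_ip), f"dynamic NAT to {name} address"
    return src, "no NAT: source is not RFC 1918"


if __name__ == "__main__":
    print(translate_source("10.0.1.5", "198.51.100.20"))
    print(translate_source("10.0.1.5", "10.0.2.8"))
    print(translate_source("10.0.1.5", "198.51.100.20", policy_source_ip="203.0.113.3"))
```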
Configuring Policies
QoS
• QoS (Quality of Service) is
available only for Fireware
Pro users.
• Use QoS to set the priority
for traffic in a policy.
55
Configuring Policies
What is Precedence?
• Precedence is used to decide which policy will control a connection when
more than one policy could control that connection.
• If you look at your policies in list view, the higher the policy appears in the
list, the greater its precedence. If two policies could apply to a
connection, the policy higher in the list will control that connection.
56
Configuring Policies
Changing Precedence
• Policy Manager automatically orders the policies when you add and
configure them.
• To manually order your policies:
1. Select View > Details.
2. Clear the View > Auto-Order Mode option.
3. Drag and drop policies to change the order the policies appear in
the list.
57
Configuring Policies
The WatchGuard Policy
The WatchGuard Policy:
• Controls management
connections to the Firebox.
• By default allows only local
administration of the Firebox.
You must edit the configuration
to allow remote administration.
58
Configuring Policies
The Outgoing Policy
• Added automatically by the Quick Setup Wizard.
• Includes all TCP and UDP ports.
• Allows all TCP and UDP traffic from any trusted or optional source to any
external destination.
• Acts as a packet filter, not a proxy, and applies no content filtering
restrictions by default.
59
Configuring Policies
Find Policy Tool
Fireware now features a utility to find policies that match the search criteria
you specify.
With Find Policies you can quickly check for any and all matching policies
for addresses, port numbers, and protocols.
60
Working with Proxy Policies
61
Proxies
What is a Proxy?
• A proxy is a powerful and highly customizable application inspection
engine and content filter.
• A packet filter looks at IP header information only; a proxy looks at
application data for content specific to the application being examined.
• A proxy looks beyond the header to the contents of the packet.
62
Proxies
What is a Proxy Action?
• A set of rules that tell the Firebox how to apply one of its proxies to traffic
of a specific type.
• You can apply a proxy action to one policy, or multiple policies.
63
Proxies
Fireware Proxies
• DNS
• FTP
• HTTP
• SMTP
• POP3
• TCP (applies the HTTP proxy to HTTP traffic on all TCP ports)
64
Proxies
Import/Export Proxy Actions
You can import and export:
• Entire proxy actions – only user-created proxy actions, not the predefined ones.
• Rulesets – you must be in Advanced View to import or export them.
• WebBlocker exceptions
• spamBlocker exceptions
65
Proxies
Proxy Actions
• You can apply a predefined
proxy action, or clone a
predefined proxy action and
create a custom proxy action.
• You cannot modify the
settings of a predefined proxy
action.
• Each proxy action includes
multiple rulesets to give you
control over different
components of a proxied
connection.
66
Proxies
Proxy Actions
WatchGuard provides two predefined proxy actions for each type of proxy:
• Client/Outgoing proxy action – includes default settings to protect
clients connecting to servers external to the Firebox.
• Server/Incoming proxy action – includes default settings to protect
servers behind the Firebox.
67
Proxies
Quick Setup Wizard and Proxies
The Quick Setup Wizard does not include any proxy policies by default.
The Outgoing and FTP policies included by the Quick Setup Wizard use
packet filters only, not proxies, in Fireware v9.0 and higher.
Because no proxies are used by the Firebox by default, there are no
default restrictions on the types of files which users can download from
the Internet or the types of files they can upload. To add these types of
restrictions to the Firebox configuration, proxy policies must be added to
the Firebox configuration.
68
Proxies
Proxies and Logging
• Each ruleset includes its own option to
enable logging.
• To get detailed reporting on proxied
connections, you must enable Turn on
Logging For Historical Reports in the
general settings of each proxy action.
69
Proxies
DNS Proxy
• Protects your DNS server from malicious or malformed connection
requests and query types.
• Works with Intrusion Prevention Service.
70
Proxies
FTP Proxy
• Restricts the types of commands and files that can be sent through FTP.
• Works with the Gateway AV and the Intrusion Prevention Service
(Gateway AV/IPS).
71
Proxies
SMTP Proxy
• Highly customizable proxy to restrict the types and size of files sent and
received in email.
• Works with Gateway AV/IPS and spamBlocker.
72
Proxies
POP3 Proxy
• Highly customizable proxy to restrict the types and size of files sent and
received in email.
• Works with GAV/IPS and spamBlocker.
73
Proxies
HTTP Proxy
• Highly customizable proxy to restrict commands, headers, and file types
that can be sent in an HTTP connection.
• Works with GAV/IPS and WebBlocker.
74
WebBlocker
75
WebBlocker
What is WebBlocker?
WebBlocker is a tool to filter access to specific web sites.
• Install a WebBlocker database on local server(s) – the WebBlocker
Server.
• Configure your Firebox to query the WebBlocker Server.
• Works with the HTTP Proxy. If an HTTP client proxy action is not active,
you cannot use WebBlocker.
76
WebBlocker
The WebBlocker Database
• Database created and maintained by SurfControl™.
• Database updates keep filtering rules current.
• 40 categories of web sites that you can allow or deny for different groups
of users and different times of day.
77
WebBlocker
Advanced WebBlocker Settings
From the WebBlocker > Advanced tab, you can control what happens if
the Firebox cannot contact the WebBlocker Server. You can:
• Allow access to all web sites.
• Deny access to all web sites.
78
WebBlocker
WebBlocker Exceptions
• Add exceptions for web sites that WebBlocker denies and you want to
allow (white list).
• Add web sites that WebBlocker allows and you want to deny (black list).
79
spamBlocker
80
spamBlocker
What is spamBlocker?
• Uses technology licensed from Commtouch™ to identify spam, bulk, or
suspect email.
• No local server to install. You can optionally install Quarantine Server, but
it is not necessary for spamBlocker to work correctly.
• Firebox queries external classification servers and caches results.
• Works with the SMTP proxy. You must have an SMTP proxy action
configured to use spamBlocker.
81
spamBlocker
spamBlocker Actions
For each category (spam, bulk, or
suspect email), configure the
action you want the Firebox to
take:
• Allow
• Add Subject Tag
• Quarantine
• Deny
• Drop
82
spamBlocker
spamBlocker Exceptions
You can configure exceptions for
specific senders or recipients
by:
• Individual email address
• Domain by pattern match
(*@xyz.com)
83
Quarantine Server
84
Quarantine Server
Quarantine spam
• Works with spamBlocker and the SMTP proxy only (not POP3).
• Install with server components during WSM install.
• Launch from the icon in the WatchGuard toolbar.
85
Quarantine Server
Quarantine Server Configuration
WatchGuard Quarantine
Server is highly configurable.
You can set:
• Database size and admin notification
• Server settings
• How long to keep messages
• For which domains the Quarantine Server will keep mail
• Rules – automatically remove messages:
  • From specific senders
  • From specific domains
  • With specific text in the Subject
86
Gateway AntiVirus/Intrusion Prevention Service (GAV/IPS)
87
Gateway AV/IPS
What is Gateway AV/IPS?
• Signature-based antivirus and intrusion prevention service.
• Firebox downloads signature databases at regular, frequent intervals.
• Gateway AV works with SMTP, HTTP, FTP, and TCP proxy.
• IPS works with all proxy actions when IPS is enabled in a policy.
88
Gateway AV/IPS
Wizards
• Gateway AV and IPS
can be enabled and
configured with wizards
you launch from the
Tasks menu.
• The wizards ask you to
select which proxy
policies you want to
configure Gateway AV
or IPS for.
89
Gateway AV/IPS
Gateway AV and the SMTP Proxy
When an email attachment contains a known virus signature, the Firebox
can:
• Allow – attachment goes through with no change.
• Lock – attachment can only be opened by administrator.
• Remove – attachment is stripped from the email.
• Drop – entire email is denied without acknowledgement.
• Block – email is denied and sending server is added to blocked sites list.
90
Gateway AV/IPS
Gateway AV and the HTTP proxy
The HTTP proxy applies Gateway AV settings:
• To requests to specific URL paths defined in your configuration.
• To responses that include specific file types defined in your configuration.
91
Gateway AV/IPS
Gateway AV and the HTTP proxy
When Gateway AV finds a known
virus signature in an HTTP
session, the Firebox can:
• Allow – file goes through with
no change.
• Drop – HTTP connection is
denied.
• Block – HTTP connection is
denied and web server is
added to blocked sites list.
92
Gateway AV/IPS
Gateway AV and the FTP Proxy
The FTP proxy applies Gateway AV settings:
• To downloaded files allowed in your configuration.
• To uploaded files allowed in your configuration.
93
Gateway AV/IPS
Gateway AV and the FTP Proxy
When Gateway AV finds a
known virus signature in an
FTP session, the Firebox can:
• Allow – file goes through with
no change.
• Deny – denies the transaction
and sends a deny message.
• Drop – FTP connection is
dropped immediately.
• Block – FTP connection is
denied and offending IP is
added to blocked sites list.
94
Gateway AV/IPS
Gateway AV Settings
• Select if you want Gateway AV to decompress file formats such as .zip or
.tar and set the number of levels to scan.
• Gateway AV for SMTP now supports in-line scanning, so there is no need
to set the maximum size of email attachments to scan for viruses.
95
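The "number of levels to scan" setting above has a failure mode worth seeing: an archive nested deeper than the configured level count is never opened, so whatever it holds reaches the client unscanned unless the policy denies it. The following is an added Python model of that depth-limited walk, not code from this course or from Fireware; the nested archive is constructed in memory, and "scanning" a file is simplified to reading its bytes, where a real engine would match signatures.

```python
import io
import zipfile


def scan_archive(data, max_levels, level=1):
    """Walk a ZIP archive, descending into nested ZIPs while the nesting depth
    stays within max_levels (the outer archive counts as level 1).
    Returns (scanned, unscanned):
      scanned   - list of (depth, name) for regular files whose bytes were examined
      unscanned - names of nested archives that sit beyond the configured depth
                  and were therefore never opened."""
    scanned, unscanned = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = zf.read(info.filename)
            if zipfile.is_zipfile(io.BytesIO(payload)):
                if level >= max_levels:
                    # Too deep for the configured scan depth: content stays unknown.
                    unscanned.append(info.filename)
                    continue
                inner_scanned, inner_unscanned = scan_archive(payload, max_levels, level + 1)
                scanned.extend(inner_scanned)
                unscanned.extend(inner_unscanned)
            else:
                scanned.append((level, info.filename))  # placeholder for a signature match
    return scanned, unscanned


def build_zip(entries):
    """Construct a ZIP in memory from a {name: bytes} mapping (insertion order kept)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def scan_nested_sample(max_levels):
    """Constructed sample: outer.zip -> inner1.zip -> inner2.zip -> deep.exe."""
    inner2 = build_zip({"deep.exe": b"MZ placeholder executable"})
    inner1 = build_zip({"notes.txt": b"hello", "inner2.zip": inner2})
    outer = build_zip({"readme.txt": b"top", "inner1.zip": inner1})
    return scan_archive(outer, max_levels)


if __name__ == "__main__":
    for levels in (1, 2, 3):
        scanned, unscanned = scan_nested_sample(levels)
        print(f"levels={levels}: scanned={scanned} unscanned={unscanned}")
```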
Gateway AV/IPS
Updates to Signatures and Engine
• To protect against latest viruses, enable automatic
updates to Gateway AV signatures at frequent
intervals.
• Automated Gateway AV engine updates assure you
latest functionality.
• You now have the option to send update requests
through a proxy server.
96
Gateway AV/IPS
Configuring IPS in a proxy policy
Signatures are divided into three severity levels: high, medium, and low.
When an IPS signature is matched, the Firebox can:
• Allow – lets traffic pass.
• Deny – denies traffic and sends a deny message.
• Drop – drops the connection immediately without acknowledgement.
• Block – drops the connection and adds the source to the blocked sites
list.
97
Gateway AV/IPS
IPS and the HTTP Proxy
IPS protects your own web server, and
your trusted users making
connections to external web
servers.
You can enable specific IPS
signature categories for:
• Instant Messaging clients
• Peer to peer clients
• Spyware categories
98
GAV/IPS
Updates to IPS Signatures and Engine
• To protect against latest intrusions, enable automatic updates to IPS
signatures at frequent intervals
• Automated IPS engine updates make sure you have latest functionality.
99
Gateway AV/IPS
Monitoring Gateway AV and IPS
From Firebox System Manager,
select the Security Services tab to
see status of Gateway AV and IPS
signatures and manually request
updates.
100
Policy Manager Intrusion Prevention
101
Intrusion Prevention
Blocking Sites and Ports
Policy Manager’s Blocked Sites and Ports features:
• Block all traffic from specific IP addresses, subnets, or on specific
ports.
• Take precedence over policy configuration.
• Allow you to take extra precaution against known security risks on
the Internet associated with specific IP addresses or ports, such as
the Blaster worm, which infected systems on TCP port 135.
102
Intrusion Prevention
Blocked Sites Configuration
• Static configuration – Add specific IP addresses or subnets to be
permanently blocked.
• Dynamic configuration – Enable auto-blocking as part of
configuration in many different places in Policy Manager, such as:
  • Proxy actions
  • Default packet handling settings
  • Policy configuration
103
Intrusion Prevention
Auto-blocking sites
• Each policy configured to deny
traffic has an active check box to
auto-block the source of denied
traffic. The source IP address of
any packet denied by the policy
is automatically added to the
Blocked Sites List.
104
Intrusion Prevention
Auto-blocking sites
• When you select a proxy action of
“Block”, the IP address denied by
the proxy action is automatically
added to the Blocked Sites List.
105
Intrusion Prevention
Configuring Auto-blocking
• Configure the amount of time to auto-block sites in
Policy Manager > Setup > Intrusion
Prevention > Blocked Sites > Autoblocked tab.
• You can add Blocked Sites Exceptions if there is
an IP address you want to make sure is never
auto-blocked.
106
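The precedence rule from the Configuring Policies section (the first matching policy in list order controls the connection), the policy schedule, the Blocked Sites List taking precedence over every policy, the auto-block check box on deny policies and the default logging behaviour from the Firebox Logging section, modelled together in one added Python example that is not part of this course or of Fireware. The subnets, addresses and policy names are constructed, and the Any-External alias is simplified to "any address not on a trusted or optional subnet".

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample subnets behind the trusted and optional interfaces.
TRUSTED = [ip_network("10.0.1.0/24")]
OPTIONAL = [ip_network("10.0.2.0/24")]


def alias_contains(name, addr):
    """Stand-in for the built-in aliases used as policy sources and destinations."""
    a = ip_address(addr)
    if name == "Any-Trusted":
        return any(a in n for n in TRUSTED)
    if name == "Any-Optional":
        return any(a in n for n in OPTIONAL)
    if name == "Any-External":  # simplification: any address not on an internal subnet
        return not any(a in n for n in TRUSTED + OPTIONAL)
    raise KeyError(name)


@dataclass
class Policy:
    name: str
    proto: str
    ports: set                      # destination ports; empty set = all ports
    src: list                       # alias names
    dst: list
    allow: bool
    enabled: bool = True
    auto_block: bool = False        # "auto-block the source of denied traffic" check box
    log: Optional[bool] = None      # None = default: allow policies off, deny policies on
    hours: Optional[tuple] = None   # schedule as (start_hour, end_hour); None = always

    def matches(self, pkt):
        if not self.enabled:
            return False
        if self.hours and not (self.hours[0] <= pkt["hour"] < self.hours[1]):
            return False
        if self.proto != pkt["proto"] or (self.ports and pkt["dport"] not in self.ports):
            return False
        return (any(alias_contains(n, pkt["src"]) for n in self.src)
                and any(alias_contains(n, pkt["dst"]) for n in self.dst))


@dataclass
class Firebox:
    policies: list                               # list order = precedence
    blocked_sites: set = field(default_factory=set)
    log_lines: list = field(default_factory=list)

    def handle(self, pkt):
        src = pkt["src"]
        # Blocked Sites are checked before any policy and take precedence over all of them.
        if src in self.blocked_sites:
            self.log_lines.append(f"deny blocked-site src={src}")
            return "deny", "Blocked Sites"
        for p in self.policies:                  # first matching policy wins
            if not p.matches(pkt):
                continue
            verdict = "allow" if p.allow else "deny"
            if not p.allow and p.auto_block:
                self.blocked_sites.add(src)      # source goes onto the Blocked Sites List
            logged = p.log if p.log is not None else not p.allow
            if logged:
                self.log_lines.append(f"{verdict} policy={p.name} src={src} dport={pkt['dport']}")
            return verdict, p.name
        # Nothing matched: denied and logged by default.
        self.log_lines.append(f"deny unhandled src={src} dport={pkt['dport']}")
        return "deny", "Unhandled"


def demo():
    """Constructed scenario: HTTP is allowed for trusted users only between 10:00 and 12:00;
    the deny policy placed below it catches web traffic outside those hours before the
    catch-all Outgoing policy can allow it."""
    fb = Firebox(policies=[
        Policy("HTTP", "tcp", {80}, ["Any-Trusted"], ["Any-External"], allow=True, hours=(10, 12)),
        Policy("HTTP-Deny", "tcp", {80}, ["Any-Trusted"], ["Any-External"], allow=False),
        Policy("SMTP-Deny-Inbound", "tcp", {25}, ["Any-External"], ["Any-Trusted"],
               allow=False, auto_block=True),
        Policy("Outgoing", "tcp", set(), ["Any-Trusted", "Any-Optional"], ["Any-External"],
               allow=True),
    ])
    packets = [  # constructed traffic
        {"src": "10.0.1.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 80, "hour": 11},
        {"src": "10.0.1.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 80, "hour": 14},
        {"src": "198.51.100.7", "dst": "10.0.1.20", "proto": "tcp", "dport": 25, "hour": 14},
        {"src": "198.51.100.7", "dst": "10.0.1.20", "proto": "tcp", "dport": 443, "hour": 14},
        {"src": "192.0.2.9", "dst": "10.0.1.20", "proto": "tcp", "dport": 22, "hour": 14},
        {"src": "10.0.2.8", "dst": "203.0.113.10", "proto": "tcp", "dport": 443, "hour": 14},
    ]
    verdicts = [fb.handle(p) for p in packets]
    return {"verdicts": verdicts, "blocked": fb.blocked_sites, "log": fb.log_lines}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```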
Intrusion Prevention
Default Packet Handling
• A set of configurable
thresholds for the detection
of potentially hostile activity,
such as syn floods, IKE
floods, DDoS attacks, or
address probes.
• Any activity above the
threshold results in the
Firebox dropping
connections, or adding sites
to the Blocked Sites List.
• Default thresholds are
meant as a benchmark for
an average user and may
need to be adjusted for your
environment.
107
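A sliding-window model of the threshold behaviour described above, added here as a Python example that is not part of this course or of Fireware: each source gets a SYN-rate threshold and a distinct-destination (address probe) threshold, and exceeding either drops the connection and puts the source on the blocked list. The threshold values and the traffic are constructed for the example and are not Fireware's defaults.

```python
from collections import defaultdict, deque


class DefaultPacketHandler:
    """Per-source thresholds; exceeding one drops the connection and blocks the source."""

    def __init__(self, syn_limit=5, syn_window=1.0, probe_limit=4, probe_window=10.0):
        # Constructed thresholds for the example, not the product's built-in defaults.
        self.syn_limit, self.syn_window = syn_limit, syn_window
        self.probe_limit, self.probe_window = probe_limit, probe_window
        self.syns = defaultdict(deque)     # src -> timestamps of recent SYNs
        self.probes = defaultdict(deque)   # src -> (timestamp, dst) of recent packets
        self.blocked = {}                  # src -> reason it went onto Blocked Sites

    @staticmethod
    def _expire(q, now, window, key=lambda e: e):
        """Drop entries older than the window from the left of the deque."""
        while q and now - key(q[0]) > window:
            q.popleft()

    def observe(self, now, src, dst, syn=True):
        """Return 'allow', 'block' (threshold just exceeded) or 'drop' (already blocked)."""
        if src in self.blocked:
            return "drop"
        if syn:
            q = self.syns[src]
            q.append(now)
            self._expire(q, now, self.syn_window)
            if len(q) > self.syn_limit:
                self.blocked[src] = "syn flood"
                return "block"
        q = self.probes[src]
        q.append((now, dst))
        self._expire(q, now, self.probe_window, key=lambda e: e[0])
        if len({d for _, d in q}) > self.probe_limit:
            self.blocked[src] = "address probe"
            return "block"
        return "allow"


def packet_handling_demo():
    """Constructed traffic: one source sweeps six trusted addresses slowly (address
    probe), another sends seven SYNs to one host within a second (SYN flood)."""
    handler = DefaultPacketHandler()
    scanner = [handler.observe(i * 0.5, "198.51.100.7", f"10.0.1.{i + 1}") for i in range(6)]
    flooder = [handler.observe(10.0 + i / 10, "192.0.2.9", "10.0.1.20") for i in range(7)]
    return {"scanner": scanner, "flooder": flooder, "blocked": handler.blocked}


if __name__ == "__main__":
    print(packet_handling_demo())
```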
Firebox Administration
108
Firebox Administration
Changing your passphrases
• We recommend you change your
status and configuration passphrases
frequently.
• To change your passphrases in Policy
Manager, select File > Change
Passphrases.
109
Firebox Administration
Backing up your configuration
• Back up your configuration image before you make any major change to
your configuration and before you upgrade to a new WSM or Fireware
version.
• To back up your configuration image, from Policy Manager select File >
Backup.
110
Firebox Administration
Adding New Licensed Features
• If you purchase a new feature or
renew a subscription service, you
must activate your feature and get a
new feature key from the LiveSecurity
web site.
• To add your new feature key to Policy
Manager, select Setup > Feature
Keys > Add.
111
Firebox Administration
Upgrading your Firebox
To upgrade to a new version of Fireware, use these steps:
1. Back up your existing Firebox image.
2. Download and install the new version of Fireware on your
management station.
3. From Policy Manager, select File > Upgrade. Browse to the
location of the .wgu upgrade file.
112
Firebox Administration
Fireware Web Server Certificate
Why does the user get warnings from the browser?
1. Name on certificate does not match the URL.
  • Fix with Fireware web server certificate.
  • Uses subject alt names to match several possible URLs.
2. Certificate is not trusted.
  • User still needs to import the certificate to trusted root store.
113
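The first warning cause above (name on the certificate does not match the URL) and the subject alt name fix, shown with an added Python example that is not part of this course or of Fireware: a hostname matcher in the style of RFC 6125 run against two constructed certificates in the dictionary shape Python's ssl.getpeercert() returns, one with several SANs and one with only a common name. The second warning cause (the certificate is not trusted) is a trust-store question and is not modelled here.

```python
from ipaddress import ip_address


def _label_match(pattern, name):
    """Match one DNS name against one certificate name. A wildcard is honoured only as
    the whole left-most label and never spans a dot (RFC 6125 style)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if len(p_labels) != len(n_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == n_labels[1:]


def hostname_matches(cert, hostname):
    """cert is a dict shaped like ssl.getpeercert(): 'subject' as nested RDN tuples and
    'subjectAltName' as (kind, value) pairs. When a SAN extension is present only the
    SANs count; the common name is consulted only for certificates without one."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ip_address(hostname)      # browser typed an IP address into the URL
    except ValueError:
        ip = None
    if sans:
        for kind, value in sans:
            if kind == "DNS" and ip is None and _label_match(value, hostname):
                return True
            if kind == "IP Address" and ip is not None and ip_address(value) == ip:
                return True
        return False
    if ip is not None:
        return False                   # a CN is a name, never an IP address match
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _label_match(value, hostname):
                return True
    return False


# Constructed certificates for the example, not real Firebox certificates.
FIREBOX_CERT = {
    "subject": ((("commonName", "firebox.example.com"),),),
    "subjectAltName": (("DNS", "firebox.example.com"), ("DNS", "firebox"),
                       ("IP Address", "10.0.1.1")),
}
LEGACY_CERT = {"subject": ((("commonName", "firebox"),),)}  # no SAN extension


def browser_warning(cert, url_host):
    """True when the browser would warn because the URL host is not on the certificate."""
    return not hostname_matches(cert, url_host)


if __name__ == "__main__":
    for host in ("firebox.example.com", "firebox", "10.0.1.1", "fw.example.com"):
        print(host, "legacy warns:", browser_warning(LEGACY_CERT, host),
              "SAN cert warns:", browser_warning(FIREBOX_CERT, host))
```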
Working with Firebox Log Messages
114
Firebox Logging
Introduction to Log Server
• You can install the Log Server on your management station, or another
Windows-based computer.
• Log Server is not required for Firebox operation, but we recommend you
configure a Log Server and regularly review log messages as part of
your security policy.
• The Firebox generates encrypted log messages in XML and sends them
to the Log Server. The Log Server decrypts and stores the messages in
log files.
• The Log Server can store log messages for more than one Firebox at the
same time, each in its own file.
115
Firebox Logging
Configuring Logging
For log messages to be correctly stored on the Log Server, you must:
1. Install the Log Server software.
2. Configure the Log Server.
3. Configure the Firebox to send log messages to the Log Server.
116
Firebox Logging
Installing the Log Server
From the WSM installer, select to install the Log Server component.
• The Log Server does not have to be installed on the same computer that
you use as your management station.
• The Log Server should be on a computer with a static IP address.
117
Firebox Logging
Configuring the Log Server
• To configure, right-click the Log Server icon on your Windows toolbar and
select Start service.
• Set a log encryption key. You will use this same key when you configure
the Firebox to send log messages to this Log Server.
118
Firebox Logging
Configuring the Firebox for Logging
• In Policy Manager, select Setup > Logging to configure the Firebox with a Log Server.
• You must have the same log encryption key you entered in your Log Server configuration.
• You can configure backup Log Servers in case your primary Log Server fails.
119
Firebox Logging
Log Server Status and Configuration
Right-click the Log Server option and select Status/Configuration to:
• See which Firebox devices are currently sending log messages to this
Log Server.
• Set the interval for starting new log files, based on time or on file size.
• Schedule automatic generation of Historical Reports.
• Configure notification options.
120
Firebox Logging
Setting Rules for Logging
• The Firebox generates log messages for many different types of activities.
• You control what log messages are stored on the Log Server – most features include options to turn logging on or off.
121
Firebox Logging
Setting Rules for Logging
You can also configure the Firebox to send detailed diagnostic logging if you are troubleshooting a specific problem.
122
Firebox Logging
Notification
When you turn on logging, you can also enable notification or trigger an SNMP trap.
Notification options include:
• Send email to a specific email address.
• Pop-up notification on the Log Server.
123
Firebox Logging
Default Logging Policy
• When you create a policy that allows traffic, logging is not enabled by
default for that policy.
• When you create a policy that denies traffic, logging is enabled by
default.
• If denied traffic does not match a specific policy, it is logged by default.
124
Firebox Logging
Logging and Proxies
• Proxy policies contain many more advanced options for logging than
packet filter policies.
• Each proxy category has its own check box to turn on logging.
125
Firebox Logging
Logging and Proxies
If you want detailed Historical Reports with information on packets handled
by proxy policies, make sure you select this option in each proxy action:
Turn on logging for Historical Reports
126
Firebox Logging
Viewing Log Messages
You can see log messages with two different tools:
• Traffic Monitor – Real-time monitoring from any computer running
WSM.
• LogViewer – Shows full log file stored on the Log Server.
127
Firebox Logging
Traffic Monitor
To see real-time traffic, select Firebox System Manager > Traffic Monitor.
128
Firebox Logging
Traffic Monitor
From Traffic Monitor, right-click on a log message to get more information or take action.
129
Firebox Logging
LogViewer
• Launch LogViewer from WSM and open the log file you want to see.
• LogViewer includes search features to help you find specific log
messages.
130
Firebox Logging
Historical Reports
Historical Reports creates reports from the log files that are recorded on the Log Server. With the advanced features of Historical Reports, you can:
• Set a specified time period for a report.
• Customize the report with data filters.
• Consolidate different log files to create a report for a group of Fireboxes.
• Show the report data in different formats.
131
Firebox Logging
Historical Reports
After you define a report, use the Log Server Status/Configuration dialog
box to automate your report on a schedule you select.
132
Firebox Logging
Historical Reports – Tips and Tricks
• If you do not see data that you expected to see, make sure you have
turned on the logging options in Policy Manager that control that data.
• Make sure the computer on which you are using Historical Reports has
access to the log files on the Log Server.
• When you use the HTML reporting option, make sure to check the option:
Execute Browser Upon Completion. This opens the report in your
default web browser when the report is generated.
• The HTTP Proxy report and Denied Packet Summary report are
particularly useful for new Firebox customers.
• If you select the option to resolve DNS in your reports (recommended),
you must be patient – this can take a long time.
133
Monitoring your Firebox
and your network
134
Monitoring your Firebox
Performance Console
With the Performance Console, users can monitor and graph the following information:
• System Information – Firebox statistics such as total active connections and CPU usage.
• Interfaces – Total sent and received packets through the Firebox interfaces.
• Policies – Total connections, current connections, discards.
• VPN Peers – Inbound and outbound SAs, inbound and outbound packets.
• Tunnels – Inbound and outbound packets, authentication errors, and replay errors.
135
Monitoring your Firebox
Performance Console
After you create a counter, you see it graphed out in intervals that you set.
136
Monitoring your Firebox
Performance Console
You can monitor packets processed by policy name.
137
Monitoring your Firebox
HostWatch
HostWatch shows the connections through a Firebox from the trusted network (including VLANs) to the external network.
Create any combination of interfaces to monitor using regular expressions.
138
Thank You
139