Firewall Basics with Fireware for WatchGuard System Manager v9.1 - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Firewall Basics with Fireware for WatchGuard System Manager v9.1' - jessenia

Presentation Transcript
Firewall Basics with Fireware for WatchGuard System Manager v9.1

Course Introduction

Course Introduction: Objectives
  • Understand and use the basic management and monitoring components of WatchGuard System Manager
  • Understand how to configure a WatchGuard Firebox X Core or Peak e-Series device for your network environment
  • Understand how to create basic security policies for your Firebox to enforce
  • Understand how to use security services to expand Firebox functionality
Course Introduction: Audience
  • This course is intended for network administrators who have a Firebox X Core or Peak. A basic understanding of TCP/IP networking is required.
Course Introduction: Environment
  • To use this training presentation:
  • It is helpful, but not necessary, for you to have WatchGuard System Manager installed on your computer
  • It is not necessary to have a Firebox X Core or Peak
  • We recommend you view or print the instructor’s notes for this presentation, as they contain additional details which may be helpful
Course Introduction: Outline
  • This course includes sections on:
  • Getting Started with your Firebox X Core or Peak
  • Introducing Policy Manager
  • Using Policy Manager to Configure Network Settings
  • Using Policy Manager to Configure Policies
  • Working with Proxy Policies
  • WebBlocker
  • spamBlocker
  • Gateway AV/IPS
  • Policy Manager Intrusion Prevention
  • Firebox Administration
  • Working with Firebox Log Messages
Course Introduction: Exam
  • The WatchGuard Certified System Professional exam is available for all WatchGuard partners. The exam is based on the contents of this course. Studying the information in this courseware can help you prepare to take the exam.
  • If you are a WCSP, you can find the exam at:
  • https://www.watchguard.com/training/CertCentral.asp
Getting Started with your Firebox X Core or Peak

Getting Started: Management and Appliance Software
  • To configure a WatchGuard Firebox, you must install two software packages:
  • WatchGuard System Manager (WSM) – The management software you use to configure, manage, and monitor your Firebox.
  • Fireware Appliance Software – The software that is installed on the Firebox itself.
Getting Started: Management Station
  • Your management station is a PC running Windows 2000, Windows XP, Windows 2000 Server, or Windows 2003 Server.
  • You install WSM on your management station to configure, manage, and monitor your Firebox.
  • You also install Fireware appliance software on your management station. Use WSM to put Fireware on your Firebox.
Getting Started: Components of WSM
  • WSM includes a set of management and monitoring utilities:
    • Policy Manager
    • Firebox System Manager
    • LogViewer
    • HostWatch
    • Historical Reports
Getting Started: Server Software
  • When you install WSM on your management station, you have the option to install any or all of these server components:
  • Management Server – Use to manage all firewall devices and create VPN (virtual private network) tunnels using a simple drag-and-drop function.
  • Log Server – Collects log messages from each WatchGuard Firebox.
  • WebBlocker Server – Operates with the Firebox HTTP proxy to deny user access to specified categories of web sites.
  • Quarantine Server – Collects and isolates mail confirmed as spam by spamBlocker
Getting Started: Registering your Firebox
  • Before you can begin to configure your Firebox, you must register your Firebox to your LiveSecurity account.
  • If you have not created a LiveSecurity profile with a user name and password, you must create it before you register your Firebox.
  • You must have your Firebox serial number when you log in to LiveSecurity to register your device.
Getting Started: Quick Setup Wizard
  • The Quick Setup Wizard works with a Firebox X Core or Peak e-Series device and allows you to:
  • Install Fireware appliance software on the Firebox
  • Create and upload a basic configuration file
  • Assign passphrases to control access to the Firebox
Getting Started: Preparing to use the Quick Setup Wizard
  • Before you start the Quick Setup Wizard, you must have:
  • The feature key for your Firebox. When you register your Firebox with LiveSecurity, a feature key is created that is unique to the serial number of the device. Save a copy of the feature key to complete the Quick Setup Wizard.
  • Installed WSM and Fireware on your management station. Download the latest versions from the LiveSecurity software downloads site. Note that WSM and Fireware are separate software downloads. You must download and install both packages.
  • Network information. You must know the IP address of your gateway router, and the IP addresses to give to the external and trusted interfaces of the Firebox.
Getting Started: Starting the Quick Setup Wizard
  • For the Quick Setup Wizard to operate correctly, you must:
  • Assign a static IP address to your management workstation from the same subnet that you plan to assign to the Trusted interface of the Firebox.
  • Connect the Firebox to a power source. Hold down the down arrow on the front of the Firebox while you turn on the power switch. Hold the button until the LCD display shows “WatchGuard Technologies.”
  • Connect your management station’s Ethernet interface to the eth1 interface of the Firebox.
  • Launch WatchGuard System Manager (WSM) and launch the Quick Setup Wizard from the WSM > Tools menu.
Getting Started: Starting the Quick Setup Wizard
  • The QSW asks you to choose which model of Firebox you are configuring.
Getting Started: Starting the Quick Setup Wizard
  • If you have connected your workstation to the Firebox correctly, the QSW will automatically detect the Firebox and identify its model and serial number. Verify that this information is correct.
Getting Started: Naming Your Firebox
  • The name you assign to the Firebox in the wizard is used to:
  • Identify the Firebox in WSM
  • Identify the Firebox log file
  • Identify the Firebox when you use Historical Reports
Getting Started: Adding a Feature Key
  • If you have purchased additional options for your Firebox and already registered them with LiveSecurity, the feature key will reflect those features.
  • You can register the features later and update your feature key using Policy Manager.
Getting Started: Configuring the External Interface
  • The IP address you give to the external interface can be:
  • A static IP address
  • An IP address assigned with DHCP
  • An IP address assigned with PPPoE
  • You must also add an IP address for the Firebox default gateway. This is the IP address of your gateway router.
Getting Started: Configuring Trusted and Optional Interface
  • To configure the trusted and optional interfaces, you must select one of these configuration options:
  • Routed Configuration – Each interface is configured with an IP address on a different subnet.
  • Drop-in Configuration – All Firebox interfaces are configured with the same IP address. Use drop-in mode when devices from the same publicly addressed network are located on more than one Firebox interface.
Getting Started: Understanding Drop-in Configurations
  • In drop-in mode:
  • You must assign the same primary IP address to all interfaces on your Firebox (external, trusted, and optional).
  • You can assign secondary networks on any interface.
  • You can keep the same IP addresses and default gateways for hosts on your trusted and optional networks, and add a secondary network address to the Firebox interface so the Firebox can correctly send traffic to the hosts on these networks.
Getting Started: Setting Passphrases
  • You define two passphrases for the Firebox. Passphrases must be at least 8 characters long and different from each other:
  • Status passphrase – used for read-only connections to the Firebox.
  • Configuration passphrase – used for read-write connections to the Firebox.
Getting Started: Completing the Quick Setup Wizard
  • The wizard is complete when it has saved a basic configuration to the Firebox.
  • You are now ready to put your Firebox in place on your network.
  • Remember to reset your management station to get its IP address in its usual way.
Introduction to Policy Manager

Introduction to Policy Manager: Launch WSM
  • Launch WSM from Windows Start > All Programs > WatchGuard System Manager 9.1 > WatchGuard System Manager to monitor and configure your Firebox.
  • From WSM, connect to the Firebox. Once connected, you can monitor the device or launch Policy Manager to configure the device.
Introduction to Policy Manager: What is Policy Manager?
  • Policy Manager is the off-line editing tool used to modify the configuration of your Firebox.
  • Changes made in Policy Manager do not take effect until you save them to the Firebox.
  • Launch Policy Manager from WSM.
Introduction to Policy Manager: Navigating Policy Manager
  • Use drop-down menus to configure many basic and advanced Firebox features.
Introduction to Policy Manager: Navigating Policy Manager
  • Security policies controlling traffic through the Firebox are represented by icons in the Policy Manager.
  • To edit security policies, double-click on an icon.
  • To display policies in list view, select View > Details.
Using Policy Manager to Configure Network Settings

Network Settings: Beyond the Quick Setup Wizard
  • The Quick Setup Wizard configures the Firebox with an external, trusted, and optional network only.
Network Settings: Network Configuration Options
  • Use Policy Manager to:
  • Modify a configured interface’s properties
    • Change the interface type (from trusted to optional, etc.)
    • Add secondary networks and addresses
    • Enable DHCP server on the Firebox
  • Configure additional interfaces
  • Configure WINS/DNS settings for the Firebox
  • Add network or host routes
  • Configure NAT
Network Settings: Interface Types
  • You can identify each interface as external, trusted, or optional. In most cases, these terms refer to:
  • External – Connects to your gateway router.
  • Trusted – Connects to your LAN of desktop computers or workstations, not accessible from the public internet
  • Optional – Connects to a network of servers that need to be physically separate from the trusted network and accessible from the public internet, such as web and mail servers.
Network Settings: Interface Independence
  • You can change the interface type of any interface configured with the Quick Setup Wizard.
  • You can choose the interface type of any additional interface you enable.
Network Settings: Secondary Networks
  • A secondary network is a network that shares one of the same physical networks as one of the Firebox interfaces.
  • A secondary network adds an IP alias to the interface. This IP alias is the default gateway for all the computers on the secondary network.
Network Settings: Secondary Addresses
  • If your external interface is configured with a static IP address, you can add an IP address on the same subnet as a secondary network.
  • For example, configure an external secondary network with a second public IP address if you have two public SMTP servers.
Network Settings: Enabling DHCP Server
  • The Firebox can act as a DHCP server for clients on any interface configured as trusted or optional.
  • To configure DHCP server on a Firebox interface, identify the first and last IP addresses in the range you want the Firebox to assign.
Network Settings: WINS/DNS
  • The Firebox needs WINS/DNS information to:
  • Resolve names to IP addresses for IPSec VPNs and for the spamBlocker, Gateway AV and IPS features to operate correctly.
  • Allow DHCP clients on the trusted or optional networks, MUVPN users, and PPTP RUVPN users to resolve DNS queries.
Network Settings: Network or Host Routes
  • Create static routes to send traffic from a Firebox interface to a router. The router can then send the traffic to the correct destination from the specified route.
  • If you do not add a route to a remote network or host, all traffic to that network or host is sent to the Firebox default gateway.
Using Policy Manager to Configure Policies

Configuring Policies: What is a Policy?
  • A rule to limit access through the Firebox
  • Can be configured to allow traffic or deny traffic
  • Can be enabled or disabled
  • Applies to specific port(s) and protocols
  • Applies to specific internal hosts or subnets and external hosts or subnets
Network Settings: Firebox Dynamic NAT
  • Dynamic NAT:
  • The Firebox applies its public IP address to the outgoing packets for all connections or for specified services
  • Is used to hide the IP addresses of internal hosts when they get access to public services
  • Is enabled by default for valid RFC 1918 networks to any external interface
Configuring Policies: Adding Policies
  • To add a policy, select Edit > Add Policy.
  • Add a policy from the pre-defined Packet Filters list, the Proxies list, or create a Custom policy.
Configuring Policies: Changing Source and Destinations
  • You can:
  • Select a pre-defined alias, then click Add.
  • Click Add User to select an authentication user or group.
  • Click Add Other to add a host IP address, network IP address, or host range.
Configuring Policies: Packet Filters and Proxies
  • Packet Filter – Examines the IP header of each packet. Works at the network and transport protocol packet layers.
  • Proxy – Examines the IP header AND the content of a packet (at the application layer of a packet). If the content does not match the criteria you set in your proxy policies, it denies the packet, or removes disallowed content. A proxy:
    • Removes all the network data
    • Examines the contents for RFC compliance and content type
    • Adds the network data again
    • Sends the packet to its destination
Configuring Policies: When do I use a custom policy?
  • Use a custom policy:
  • If none of the pre-defined policies include the specific combination of ports that you want.
  • If you need to create a policy that uses a protocol other than TCP or UDP.
  • Note: A custom policy can be either a packet filter or proxy policy.
Configuring Policies: Modifying Policies
  • To edit a policy, double-click the policy icon.
  • By default:
  • A new policy is enabled and allowed.
  • It allows traffic on the port(s) specified by the policy.
  • It allows traffic from any trusted source to any external destination.
Configuring Policies: Changing Source and Destinations
  • To modify the default source and destination, click Add and define a new source or destination.
Configuring Policies: Policy Properties
  • The Policy Properties tab lets you:
  • See the ports and protocols defined in the policy.
  • Set logging and notification rules for the policy.
  • Auto-block the source of denied traffic (if the policy is configured to deny traffic).
  • Set a custom idle time out for the policy.
Configuring Policies: Proxy Policy Properties
  • When you configure a proxy policy, use the Policy Properties tab to apply a proxy action to the policy.
Configuring Policies: Advanced Policy Properties
  • Click the Advanced tab to configure:
  • Schedule
  • QoS
  • NAT rules
  • Sticky connection settings (if you use multi-WAN)
  • ICMP error handling
Configuring Policies: Scheduling Policies
  • When you apply a schedule to a policy, you set the times of day you want a policy to be enabled.
  • For example:
  • If you only want users to surf the Web between 10:00 am and 12:00 am, apply a schedule to your HTTP policy that looks like this:
Configuring Policies: NAT
  • You can customize NAT in each policy.
  • The settings in Network > NAT apply unless you modify the NAT settings in a policy.
  • Use the Set Source IP option when you want any traffic that uses this policy to show a specified address from your public or external IP address range as the source IP address.
Configuring Policies: QoS
  • QoS (Quality of Service) is available only for Fireware Pro users.
  • Use QoS to set the priority for traffic in a policy.
Configuring Policies: What is Precedence?
  • Precedence is used to decide which policy will control a connection when more than one policy could control that connection.
  • If you look at your policies in list view, the higher the policy appears in the list, the greater its precedence. If two policies could apply to a connection, the policy higher in the list will control that connection.
Configuring Policies: Changing Precedence
  • Policy Manager automatically orders the policies when you add and configure them.
  • To manually order your policies:
    • Select View > Details.
    • Clear the View > Auto-Order Mode option.
    • Drag and drop policies to change the order the policies appear in the list.
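The precedence rule above (first matching policy in list order controls the connection), the schedule behaviour from the Scheduling Policies slide, and the default dynamic NAT rule for RFC 1918 sources can all be shown in a small policy-evaluation model. The code below is an added illustration written for this transcript, not WatchGuard code and not how Fireware is implemented; the Policy class, the resolve and dynamic_nat_applies functions, the sample policy list and the timestamps are all constructed here. It also shows why ordering matters in practice: with the Outgoing policy below a scheduled HTTP policy, web traffic outside the schedule simply falls through to Outgoing.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Policy:
    """Constructed model of a Fireware policy (hypothetical, not WatchGuard's API)."""
    name: str
    protocol: str                        # "tcp" or "udp"
    ports: frozenset[int]                # destination ports the policy applies to
    sources: tuple[str, ...]             # CIDR strings; "0.0.0.0/0" stands for Any
    destinations: tuple[str, ...]
    action: str                          # "allow" or "deny"
    enabled: bool = True
    schedule: Optional[tuple[time, time]] = None   # (start, end): active only in this window

    def matches(self, proto, src_ip, dst_ip, dst_port, now):
        if not self.enabled:
            return False
        if self.schedule is not None:
            start, end = self.schedule
            if not (start <= now.time() < end):
                return False             # outside its schedule the policy is inactive
        if proto != self.protocol or dst_port not in self.ports:
            return False
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        return (any(src in ip_network(n) for n in self.sources)
                and any(dst in ip_network(n) for n in self.destinations))


def resolve(policies, proto, src_ip, dst_ip, dst_port, now):
    """Precedence: walk the list top-down; the first matching policy controls
    the connection. Returns (policy name, action). The implicit deny when nothing
    matches is an assumption of this model, not a statement from the deck."""
    for p in policies:
        if p.matches(proto, src_ip, dst_ip, dst_port, now):
            return p.name, p.action
    return None, "deny"


RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def dynamic_nat_applies(src_ip, dst_ip):
    """Default dynamic NAT from the Firebox Dynamic NAT slide: an RFC 1918 source
    heading to an external address gets the Firebox's public IP. Simplification
    (assumption): 'external' is modelled as 'destination is not itself RFC 1918'."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    return any(src in n for n in RFC1918) and not any(dst in n for n in RFC1918)


ANY = ("0.0.0.0/0",)
TRUSTED = ("10.0.0.0/8",)

# Constructed policy list in precedence order (top of list = highest precedence).
POLICIES = [
    Policy("HTTP-Deny-Lab", "tcp", frozenset({80}), ("10.0.5.0/24",), ANY, "deny"),
    Policy("HTTP", "tcp", frozenset({80}), TRUSTED, ANY, "allow",
           schedule=(time(10, 0), time(12, 0))),        # constructed hours
    Policy("Outgoing", "tcp", frozenset(range(65536)), TRUSTED, ANY, "allow"),
]

# Constructed timestamps: one inside the HTTP schedule, one outside it.
BUSINESS_HOURS = datetime(2024, 1, 1, 11, 0)
AFTERNOON = datetime(2024, 1, 1, 14, 0)

if __name__ == "__main__":
    print(resolve(POLICIES, "tcp", "10.0.5.7", "203.0.113.10", 80, BUSINESS_HOURS))
    print(resolve(POLICIES, "tcp", "10.0.1.9", "203.0.113.10", 80, AFTERNOON))
    print(dynamic_nat_applies("10.0.5.7", "203.0.113.10"))
```

Swapping the first two entries of POLICIES is the same as dragging HTTP above HTTP-Deny-Lab in Policy Manager's list view: the lab subnet then gets an allow from HTTP before the deny is ever consulted.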
Configuring Policies: The WatchGuard Policy
  • The WatchGuard Policy:
  • Controls management connections to the Firebox.
  • By default allows only local administration of the Firebox. You must edit the configuration to allow remote administration.
Configuring Policies: The Outgoing Policy
  • Added automatically by the Quick Setup Wizard.
  • Includes all TCP and UDP ports.
  • Allows all TCP and UDP traffic from any trusted or optional source to any external source.
  • Acts as a packet filter, not a proxy, and applies no content filtering restrictions by default.
Configuring Policies: Find Policy Tool
  • Fireware now features a utility to find policies that match the search criteria you specify.
  • With Find Policies you can quickly check for any and all matching policies for addresses, port numbers, and protocols.
Working with Proxy Policies

Proxies: What is a Proxy?
  • A proxy is a powerful and highly customizable application inspection engine and content filter.
  • A packet filter looks at IP header information only; a proxy looks at application data for content specific to the application being examined.
  • A proxy looks beyond the header to the contents of the packet.
Proxies: What is a Proxy Action?
  • A set of rules that tell the Firebox how to apply one of its proxies to traffic of a specific type.
  • You can apply a proxy action to one policy, or multiple policies.
Proxies: Fireware Proxies
  • DNS
  • FTP
  • HTTP
  • SMTP
  • POP3
  • TCP (applies the HTTP proxy to HTTP traffic on all TCP ports)
Proxies: Import/Export Proxy Actions
  • Entire proxy actions
  • Only user-created; not predefined
  • Rulesets
  • Must be in Advanced View to import/export
  • WebBlocker Exceptions
  • spamBlocker Exceptions
Proxies: Proxy Actions
  • You can apply a predefined proxy action, or clone a predefined proxy action and create a custom proxy action.
  • You cannot modify the settings of a predefined proxy action.
  • Each proxy action includes multiple rulesets to give you control over different components of a proxied connection.
Proxies: Proxy Actions
  • WatchGuard provides two predefined proxy actions for each type of proxy:
  • Client/Outgoing proxy action – includes default settings to protect clients connecting to servers external to the Firebox.
  • Server/Incoming proxy action – includes default settings to protect servers behind the Firebox.
Proxies: Quick Setup Wizard and Proxies
  • The Quick Setup Wizard does not include any proxy policies by default. The Outgoing and FTP policies included by the Quick Setup Wizard use packet filters only, not proxies, in Fireware v9.0 and higher.
  • Because no proxies are used by the Firebox by default, there are no default restrictions on the types of files which users can download from the Internet or the types of files they can upload. To add these types of restrictions to the Firebox configuration, proxy policies must be added to the Firebox configuration.
Proxies: Proxies and Logging
  • Each ruleset includes its own option to enable logging.
  • To get detailed reporting on proxied connections, you must enable Turn on Logging For Historical Reports in the general settings of each proxy action.
Proxies: DNS Proxy
  • Protects your DNS server from malicious or malformed connection requests and query types.
  • Works with Intrusion Prevention Service.
Proxies: FTP Proxy
  • Restricts the types of commands and files that can be sent through FTP.
  • Works with the Gateway AV and the Intrusion Prevention Service (Gateway AV/IPS).
Proxies: SMTP Proxy
  • Highly customizable proxy to restrict the types and size of files sent and received in email.
  • Works with Gateway AV/IPS and spamBlocker.
Proxies: POP3 Proxy
  • Highly customizable proxy to restrict the types and size of files sent and received in email.
  • Works with GAV/IPS and spamBlocker.
Proxies: HTTP Proxy
  • Highly customizable proxy to restrict commands, headers, and file types that can be sent in an HTTP connection.
  • Works with GAV/IPS and WebBlocker.
WebBlocker

WebBlocker: What is WebBlocker?
  • WebBlocker is a tool to filter access to specific web sites.
  • Install a WebBlocker database on local server(s) – the WebBlocker Server.
  • Configure your Firebox to query the WebBlocker Server.
  • Works with the HTTP Proxy. If an HTTP client proxy action is not active, you cannot use WebBlocker.
WebBlocker: The WebBlocker Database
  • Database created and maintained by SurfControl™.
  • Database updates keep filtering rules current.
  • 40 categories of web sites that you can allow or deny for different groups of users and different times of day.
WebBlocker: Advanced WebBlocker Settings
  • From the WebBlocker > Advanced tab, you can control what happens if the Firebox cannot contact the WebBlocker Server. You can:
  • Allow access to all web sites.
  • Deny access to all web sites.
WebBlocker: WebBlocker Exceptions
  • Add exceptions for web sites that WebBlocker denies and you want to allow (white list).
  • Add web sites that WebBlocker allows and you want to deny (black list).
spamBlocker

spamBlocker: What is spamBlocker?
  • Uses technology licensed from Commtouch™ to identify spam, bulk, or suspect email.
  • No local server to install. You can optionally install Quarantine Server, but it is not necessary for spamBlocker to work correctly.
  • Firebox queries external classification servers and caches results.
  • Works with the SMTP proxy. You must have an SMTP proxy action configured to use spamBlocker.
spamBlocker: spamBlocker Actions
  • For each category (spam, bulk, or suspect email), configure the action you want the Firebox to take:
  • Allow
  • Add Subject Tag
  • Quarantine
  • Deny
  • Drop
spamBlocker: spamBlocker Exceptions
  • You can configure exceptions for specific senders or recipients by:
  • Individual email address
  • Domain by pattern match (*@xyz.com)
Quarantine Server

Quarantine Server: Quarantine spam
  • Works with spamBlocker and the SMTP proxy only (not POP3)
  • Install with server components during WSM install
  • Launch from icon in WatchGuard toolbar
Quarantine Server: Quarantine Server Configuration
  • WatchGuard Quarantine Server is highly configurable. You can set:
  • Database size and admin notification
  • Server settings
  • How long to keep messages
  • For which domains the Quarantine server will keep mail
  • Rules - Automatically remove messages based on:
    • From specific senders
    • From specific domains
    • With specific text in the Subject
Gateway AntiVirus/Intrusion Prevention Service (GAV/IPS)

Gateway AV/IPS: What is Gateway AV/IPS?
  • Signature-based antivirus and intrusion prevention service.
  • Firebox downloads signature databases at regular, frequent intervals.
  • Gateway AV works with SMTP, HTTP, FTP, and TCP proxy.
  • IPS works with all proxy actions when IPS is enabled in a policy.
Gateway AV/IPS: Wizards
  • Gateway AV and IPS can be enabled and configured with wizards you launch from the Tasks menu.
  • The wizards ask you to select which proxy policies you want to configure Gateway AV or IPS for.
Gateway AV/IPS: Gateway AV and the SMTP Proxy
  • When an email attachment contains a known virus signature, the Firebox can:
  • Allow – attachment goes through with no change.
  • Lock – attachment can only be opened by administrator.
  • Remove – attachment is stripped from the email.
  • Drop – entire email is denied without acknowledgement.
  • Block – email is denied and sending server is added to blocked sites list.
Gateway AV/IPS: Gateway AV and the HTTP Proxy
  • The HTTP proxy applies Gateway AV settings:
  • To requests to specific URL paths defined in your configuration.
  • To responses that include specific file types defined in your configuration.
Gateway AV/IPS: Gateway AV and the HTTP Proxy
  • When Gateway AV finds a known virus signature in an HTTP session, the Firebox can:
  • Allow – file goes through with no change.
  • Drop – HTTP connection is denied.
  • Block – HTTP connection is denied and web server is added to blocked sites list.
Gateway AV/IPS: Gateway AV and the FTP Proxy
  • The FTP proxy applies Gateway AV settings:
  • To downloaded files allowed in your configuration.
  • To uploaded files allowed in your configuration.
Gateway AV/IPS: Gateway AV and the FTP Proxy
  • When Gateway AV finds a known virus signature in an FTP session, the Firebox can:
  • Allow – file goes through with no change.
  • Deny – denies the transaction and sends a deny message.
  • Drop – FTP connection is dropped immediately.
  • Block – FTP connection is denied and offending IP is added to blocked sites list.
Gateway AV/IPS: Gateway AV Settings
  • Select if you want Gateway AV to decompress file formats such as .zip or .tar and set the number of levels to scan.
  • Gateway AV for SMTP now supports in-line scanning, so there is no need to set the maximum size of email attachments to scan for viruses.
Gateway AV/IPS: Updates to Signatures and Engine
  • To protect against the latest viruses, enable automatic updates to Gateway AV signatures at frequent intervals.
  • Automated Gateway AV engine updates ensure you have the latest functionality.
  • You now have the option to send update requests through a proxy server.
Gateway AV/IPS: Configuring IPS in a Proxy Policy
  • Signatures are divided into three severity levels: high, medium, and low
  • When an IPS signature is matched, the Firebox can:
  • Allow – lets traffic pass.
  • Deny – denies traffic and sends a deny message.
  • Drop – drops the connection immediately without acknowledgement.
  • Block – drops the connection and adds the source to the blocked sites list.
Gateway AV/IPS: IPS and the HTTP Proxy
  • Protects your own web server, and your trusted users making connections to external web servers
  • You can enable specific IPS signature categories for:
  • Instant Messaging clients
  • Peer to peer clients
  • Spyware categories
GAV/IPS: Updates to IPS Signatures and Engine
  • To protect against the latest intrusions, enable automatic updates to IPS signatures at frequent intervals.
  • Automated IPS engine updates make sure you have the latest functionality.
Gateway AV/IPS – Monitoring Gateway AV and IPS
  • From Firebox System Manager, select the Security Services tab to see status of Gateway AV and IPS signatures and manually request updates.

Policy Manager Intrusion Prevention

Intrusion Prevention – Blocking Sites and Ports
  • Policy Manager’s Blocked Sites and Ports features:
    • Block all traffic from specific IP addresses, subnets, or on specific ports.
    • Take precedence over policy configuration.
    • Allow you to take extra precaution against known security risks on the Internet associated with specific IP addresses or ports, such as the Blaster worm, which infected systems on TCP port 135.
Intrusion Prevention – Blocked Sites Configuration
  • Static configuration – Add specific IP addresses or subnets to be permanently blocked.
  • Dynamic configuration – Enable auto-blocking as part of configuration in many different places in Policy Manager, such as:
    • Proxy actions
    • Default packet handling settings
    • Policy configuration
Intrusion Prevention – Auto-blocking Sites
  • Each policy configured to deny traffic has an active check box to auto-block the source of denied traffic. The source IP address of any packet denied by the policy is automatically added to the Blocked Sites List.
Intrusion Prevention – Auto-blocking Sites
  • When you select a proxy action of “Block”, the IP address denied by the proxy action is automatically added to the Blocked Sites List.
Intrusion Prevention – Configuring Auto-blocking
  • Configure the amount of time to auto-block sites in Policy Manager > Setup > Intrusion Prevention > Blocked Sites > Auto-blocked tab.
  • You can add Blocked Sites Exceptions if there is an IP address you want to make sure is never auto-blocked.
Intrusion Prevention – Default Packet Handling
  • A set of configurable thresholds for the detection of potentially hostile activity, such as SYN floods, IKE floods, DDoS attacks, or address probes.
  • Any activity above the threshold results in the Firebox dropping connections, or adding sites to the Blocked Sites List.
  • Default thresholds are meant as a benchmark for an average user and may need to be adjusted for your environment.
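The Blocked Sites behaviour described in the last few slides (static entries and auto-blocked entries taking precedence over policies, an auto-block duration, Blocked Sites Exceptions, and a default packet handling threshold that adds a source to the same list) can be modelled in a few lines. This is an added illustration, not WatchGuard code; the class names, the port-only policy matching, and all addresses and thresholds are constructed for the example.

```python
# Added example (not WatchGuard code); all addresses and thresholds are constructed.
import ipaddress
from collections import defaultdict
ALLOW, DENY = "allow", "deny"

def _matches(nets, ip):
    return any(ip in n for n in nets)

class BlockedSites:
    def __init__(self, static, exceptions, auto_block_seconds):
        self.static = [ipaddress.ip_network(n) for n in static]          # permanent entries
        self.exceptions = [ipaddress.ip_network(n) for n in exceptions]  # never auto-blocked
        self.auto_block_seconds = auto_block_seconds
        self.auto = {}  # auto-blocked source -> expiry time (seconds)

    def is_blocked(self, src, now):
        ip = ipaddress.ip_address(src)
        return _matches(self.static, ip) or self.auto.get(ip, 0) > now

    def auto_block(self, src, now):
        ip = ipaddress.ip_address(src)
        if _matches(self.exceptions, ip):
            return False
        self.auto[ip] = now + self.auto_block_seconds
        return True

class AddressProbeDetector:
    """Default packet handling threshold: a source that touches more than
    `threshold` distinct destination ports within `window` seconds is auto-blocked."""
    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(list)  # src -> [(time, dport), ...]

    def observe(self, src, dport, now, blocked):
        hits = [h for h in self.seen[src] if now - h[0] < self.window] + [(now, dport)]
        self.seen[src] = hits
        if len({p for _, p in hits}) > self.threshold:
            return blocked.auto_block(src, now)
        return False

def evaluate(policies, blocked, src, dport, now):
    """Blocked Sites take precedence; first matching (dst_port, action, auto_block_on_deny) wins."""
    if blocked.is_blocked(src, now):
        return DENY
    for port, action, auto_block in policies:
        if port == dport:
            if action == DENY and auto_block:
                blocked.auto_block(src, now)
            return action
    return DENY  # no matching policy: denied (and logged) by default
```

Once a source is auto-blocked, even traffic that an allow policy would have passed is denied until the expiry, which is why the exception list matters for hosts such as your own management station.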

Firebox Administration

Firebox Administration – Changing Your Passphrases
  • We recommend you change your status and configuration passphrases frequently.
  • To change your passphrases in Policy Manager, select File > Change Passphrases.
Firebox Administration – Backing Up Your Configuration
  • Back up your configuration image before you make any major change to your configuration and before you upgrade to a new WSM or Fireware version.
  • To back up your configuration image, from Policy Manager select File > Backup.
Firebox Administration – Adding New Licensed Features
  • If you purchase a new feature or renew a subscription service, you must activate your feature and get a new feature key from the LiveSecurity web site.
  • To add your new feature key to Policy Manager, select Setup > Feature Keys > Add.
Firebox Administration – Upgrading Your Firebox
  • To upgrade to a new version of Fireware, use these steps:
    • Back up your existing Firebox image.
    • Download and install the new version of Fireware on your management station.
    • From Policy Manager, select File > Upgrade. Browse to the location of the .wgu upgrade file.
Firebox Administration – Fireware Web Server Certificate
  • Why does the user get warnings from the browser?
  • Name on certificate does not match the URL.
    • Fix with Fireware web server certificate.
    • Uses subject alt names to match several possible URLs.
  • Certificate is not trusted.
    • User still needs to import the certificate to trusted root store.

Firebox Logging

Working with Firebox Log Messages

Firebox Logging – Introduction to Log Server
  • You can install the Log Server on your management station, or another Windows-based computer.
  • Log Server is not required for Firebox operation, but we recommend you configure a Log Server and regularly review log messages as part of your security policy.
  • The Firebox generates encrypted log messages in XML and sends them to the Log Server. The Log Server decrypts and stores the messages in log files.
  • The Log Server can store log messages for more than one Firebox at the same time, each in its own file.
Firebox Logging – Configuring Logging
  • For log messages to be correctly stored on the Log Server, you must:
    • Install the Log Server software.
    • Configure the Log Server.
    • Configure the Firebox to send log messages to the Log Server.
Firebox Logging – Installing the Log Server
  • From the WSM installer, select to install the Log Server component.
  • The Log Server does not have to be installed on the same computer that you use as your management station.
  • The Log Server should be on a computer with a static IP address.
Firebox Logging – Configuring the Log Server
  • To configure, right-click the Log Server icon on your Windows toolbar and select Start service.
  • Set a log encryption key. You will use this same key when you configure the Firebox to send log messages to this Log Server.
Firebox Logging – Configuring the Firebox for Logging
  • In Policy Manager, select Setup > Logging to configure the Firebox with a Log Server.
  • You must have the same log encryption key you entered in your Log Server configuration.
  • You can configure backup Log Servers in case your primary Log Server fails.
Firebox Logging – Log Server Status and Configuration
  • Right-click the Log Server option and select Status/Configuration to:
    • See which Firebox devices are currently sending log messages to this Log Server.
    • Set the interval for starting new log files based on time or size of file.
    • Schedule automatic generation of Historical Reports.
    • Configure notification options.
Firebox Logging – Setting Rules for Logging
  • The Firebox generates log messages for many different types of activities.
  • You control what log messages are stored on the Log Server – most features include options to turn logging on or off.
Firebox Logging – Setting Rules for Logging
  • You can also configure the Firebox to send detailed diagnostic logging if you are troubleshooting a specific problem.
Firebox Logging – Notification
  • When you turn on logging, you can also enable notification or trigger an SNMP trap. Notification options include:
    • Send email to a specific email address.
    • Pop-up notification on the Log Server.
Firebox Logging – Default Logging Policy
  • When you create a policy that allows traffic, logging is not enabled by default for that policy.
  • When you create a policy that denies traffic, logging is enabled by default.
  • If denied traffic does not match a specific policy, it is logged by default.
Firebox Logging – Logging and Proxies
  • Proxy policies contain many more advanced options for logging than packet filter policies.
  • Each proxy category has its own check box to turn on logging.
Firebox Logging – Logging and Proxies
  • If you want detailed Historical Reports with information on packets handled by proxy policies, make sure you select this option in each proxy action: Turn on logging for Historical Reports.
Firebox Logging – Viewing Log Messages
  • You can see log messages with two different tools:
    • Traffic Monitor – real-time monitoring from any computer running WSM.
    • LogViewer – shows the full log file stored on the Log Server.
Firebox Logging – Traffic Monitor
  • To see real-time traffic, select Firebox System Manager > Traffic Monitor.
Firebox Logging – Traffic Monitor
  • From Traffic Monitor, right-click on a log message to get more information or take action.
Firebox Logging – LogViewer
  • Launch LogViewer from WSM and open the log file you want to see.
  • LogViewer includes search features to help you find specific log messages.
Firebox Logging – Historical Reports
  • Historical Reports creates reports from the log files that are recorded on the Log Server. With the advanced features of Historical Reports, you can:
    • Set a specified time period for a report.
    • Customize the report with data filters.
    • Consolidate different log files to create a report for a group of Fireboxes.
    • Show the report data in different formats.
Firebox Logging – Historical Reports
  • After you define a report, use the Log Server Status/Configuration dialog box to automate your report on a schedule you select.
Firebox Logging – Historical Reports – Tips and Tricks
  • If you do not see data that you expected to see, make sure you have turned on the logging options in Policy Manager that control that data.
  • Make sure the computer on which you are using Historical Reports has access to the log files on the Log Server.
  • When you use the HTML reporting option, make sure to check the option: Execute Browser Upon Completion. This opens the report in your default web browser when the report is generated.
  • The HTTP Proxy report and Denied Packet Summary report are particularly useful for new Firebox customers.
  • If you select the option to resolve DNS in your reports (recommended), you must be patient – this can take a long time.
Monitoring Your Firebox – Performance Console
  • With the Performance Console, users can monitor and graph the following information:
    • System Information – Firebox statistics such as total active connections and CPU usage.
    • Interfaces – total sent and received packets through the Firebox interfaces.
    • Policies – total connections, current connections, discards.
    • VPN Peers – inbound and outbound SAs, inbound and outbound packets.
    • Tunnels – inbound and outbound packets, authentication errors, and replay errors.
Monitoring Your Firebox – Performance Console
  • After you create a counter, you see it graphed out in intervals that you set.
Monitoring Your Firebox – Performance Console
  • You can monitor packets processed by policy name.
Monitoring Your Firebox – HostWatch
  • HostWatch shows the connections through a Firebox from the trusted network (including VLANs) to the external network.
  • Create any combination of interfaces to monitor using regular expressions.