WatchGuard Technologies SOHO 6.1 Network Card User Manual
Contents
1. Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscape's SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc. code, not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms, except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising
2. WatchGuard Firebox SOHO 6.1. The mod_ssl package falls under the Open Source Software label because it's distributed under a BSD-style license. The detailed license information follows. Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/)." 4. The names "mod_ssl" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact rse@engelschall.com. 5. Products derived from this software may not be called "mod_ssl", nor may "mod_ssl" appear in their names without prior written permission of Ralf S. Engelschall. 6. Redistributions of any form whatsoever must retain
3. Index (H through P)
H: hardware, description 6; HTTP proxy settings, disabling 14.
I: incoming service, creating custom 63; indicators: 100 7, link 7, Mode 7, WAN 7; installation: cabling 19, cabling for multiple computers 20, determining TCP/IP settings 12, disabling TCP/IP proxy settings 14, items required for 12; Internet: how information travels on 4, problems browsing 110; IP addresses: described 4, disguising 5, dynamic 31, in networks 31, maintaining table of 85.
L: license keys, redeeming 57; licenses, upgrading 21; lights: 100 7, link 7, MODE 107, Mode 7, power 6, PWR 107, Status 7, 107, 108, WAN 7; link indicator 7; LiveSecurity Service: registering with 27, renewing subscription 59; log host, setting WSEP 77; log messages: contents of 76, synchronizing with computer 77, viewing 76; logging: described 75, to a WSEP host 77, to Syslog host 79; Logging page 76.
M: MAC address of SOHO 6 111; Macintosh operating system 110; Mode indicator 7; MODE light 107; MUVPN clients option 93; MUVPN, license keys for 59.
N: NAT 5; Network Address Translation (NAT) 5; Network Statistics page 42; network statistics, viewing 42; New User page 102; numbered ports 9.
O: OPT port 8.
P: pages: Add Route 41, Blocked Sites 66, Custom Service 64, 113, Dynamic DNS client 43, Filter Traffic 62, Firewall Incoming Traffic 114, Firewall Options 67, Groups 101, Logging 76, Network Statistics 42, New User 102, Routes
4. The Package Contents. First things first: check the package contents to make sure you have the following: Firebox SOHO 6 QuickStart Guide; User documentation; AC adapter (12V, 1.0/1.2A); Straight-through Ethernet cable; SOHO 6 security appliance. How Does a Firewall Work? Fundamentally, a firewall is a way of distinguishing between, as well as protecting, "us" and "them". On the external side of your SOHO 6 firewall is the entire Internet. The Internet offers many resources, such as the Web, email, and video/audio conferencing. It also presents dangers to the privacy and security of your computer. On the trusted side of your SOHO 6 firewall are all the appliances you want to protect from these dangers. As is illustrated in the image below, the SOHO 6 physically separates your trusted network from the Internet. [Figure: the SOHO 6 placed between the Internet and the protected computers.] Using rules or policies (outlined in Chapter 3, "Configure Incoming and Outgoing Services", on page 62), the WatchGuard SOHO 6 evaluates all traffic between the external network (the Internet) and the trusted network (your computer) and blocks any suspicious activity. How Does Information Travel on the Internet? All information transported over the Internet is packaged in a special manner to ensure that it travels from one computer to the next. The progra
5. To create an IPSec tunnel between appliances, you must add information to the configuration files of each that is specific to the site, such as external and trusted IP addresses. It is imperative to keep these addresses accurate. WatchGuard recommends making a table of IP addresses such as the one outlined below.
What You Need: IP Address Table (example). Columns: Item / Description / Assigned By.
External IP Address: The IP address that identifies the SOHO 6 to the Internet. Site A: 207.168.55.2; Site B: 68.130.44.15. Assigned by: ISP.
External Subnet Mask: The overlay of bits that determines which part of the IP address identifies your network. For example, a Class C address licenses 256 addresses and has a netmask of 255.255.255.0. Site A: 255.255.255.0; Site B: 255.255.255.0. Assigned by: ISP.
Local Network Address: A private network address used by an organization's local network for identifying itself within the network. A local network address cannot be used as an external IP address. WatchGuard recommends using an address from one of the reserved ranges: 10.0.0.0/8; 172.16.0.0/12 (255.240.0.0); 192.168.0.0/16 (255.255.0.0). Site A: 192.168.111.0/24; Site B: 192.168.222.0/24. Assigned by: You.
Shared Secret: A phrase stored at both ends of the tunnel to authenticate the transmission as being from the claimed origin. The secret can be any phrase, but mixing numerical, special, alphabetical, and uppercase characters improves
6. ... Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1. 2. From the navigation bar on the left side, select Logging > System Time. Set the System Time: the System Time page appears. [Screenshot: System Time page. Time Source options: "Get Time From TCP Port 37 Time Server at" (with an address field) and "Get Time From WatchGuard Time Server"; note that Time Zone adjustments are only applied when using the WatchGuard time server; Submit and Reset buttons.] If you have decided to use the WatchGuard Time Server: 3. Select Get Time From WatchGuard Time Server. Or, to use a TCP Port 37 Time Server: 4. Select Get Time From TCP Port 37 Time Server at. 5. Enter the IP address of the time server in the appropriate field. 6. Click Submit. To adjust your log messages for daylight savings time or set the time zone: [Screenshot: Logging > System Time, Time Zone section with an "Adjust for daylight savings time" checkbox and a time zone drop list.] Select Adjust for daylight savings time. Select a time zone from the drop list. Time Zone adjustments are only applied when using the WatchGuard time server. Chapter 8: VPN (Virtual Private Networ
7. Installation. 7. Disconnect the Ethernet cable that runs from your DSL/cable modem or other Internet connection to your computer, and connect it to the WAN port on the SOHO 6. The SOHO 6 is now connected directly to the modem or other Internet connection. Connect one end of the straight-through Ethernet cable supplied with your SOHO 6 into any one of the four numbered Ethernet ports (labeled 0-3) on the SOHO 6. Connect the other end into the uplink port of the hub. The SOHO 6 is now connected to the Internet and your hub. Connect Ethernet cables to the uplink ports of the hub and to the Ethernet ports of each of your computers. If you connect to the Internet using a DSL/cable modem, restore the power to this device. When the indicator lights of the modem stop flashing, the modem is ready for use. Attach the AC adapter to the SOHO 6 and connect it to a power source. Restart your computer. For information on the factory default configuration options, see "Default Factory Settings" on page 25. For specialized configurations, see "Configure Your External Network" on page 31 as well as "Configure the Trusted Network" on page 36. Chapter 3: SOHO 6 Basics. Once you have physically installed the SOHO 6, you can connect to it using your Web browser. The SOHO 6 includes a Web server that provides a configuration Web page interface. The SOHO 6 Home Page (System Status). With you
8. (Contents, continued) Disable the HTTP proxy setting of your Web browser 14; Enable your computer for DHCP 16; Physically connect the SOHO 6 18; Cabling the SOHO 6 for one to four appliances 19; Cabling the SOHO 6 for more than four computers 20.
CHAPTER 3 SOHO 6 Basics 23: The SOHO 6 Home Page (System Status) 23; Default Factory Settings 25; Reset a SOHO 6 to factory default 26; The base model SOHO 6 27; Register your SOHO 6 and Activate the LiveSecurity Service 27; Reboot the SOHO 6 28.
CHAPTER 4 Configure the Network Interfaces 31: Configure Your External Network 31; Network addressing 31; Configure the SOHO 6 External Network for dynamic addressing 32; Configure the SOHO 6 External Network for static addressing 33; Configure the SOHO 6 External Network for PPPoE 34; Configure the Trusted Network 36; Configure DHCP Server and DHCP Relay 36; Configure additional computers on the Trusted Network 38; Configure the Trusted Network with static addresses 39; Configure Static Routes 40; View Network Statistics
9. ... Network > Routes > Add Route. 4. From the Type drop list, select either Host or Network. 6. Enter the IP address and the Gateway of the route in the appropriate fields. The gateway of the route is the local interface of the router. Click Submit. To remove a route, select the appropriate entry and click Remove. View Network Statistics. The SOHO 6 has a configuration page that displays a variety of network statistics to assist in monitoring data traffic as well as troubleshooting potential problems. Follow these instructions to view this page: 1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1. 2. From the navigation bar on the left side, select Network > Network Statistics. The Network Statistics page appears. [Screenshot: Network Statistics page showing uptime, Network Buffers (allocated/total), Memory (total/largest block), Sockets (allocated/total), NAT Ports available, RAM Disk, Tx and Rx packet counters (including header errors, delivered, and forwarded), and the External Network (eth0) link status.]
10. ... computers connect to the Trusted network. 6. Enter the WINS Server address, DNS Server address (primary and secondary), and DNS Domain server suffix. 7. Click Submit and reboot the SOHO 6 as necessary. To configure the DHCP Relay Server: 1. From the Trusted Network Configuration page, enable the checkbox labeled Enable DHCP Relay. 2. Enter the IP address of the DHCP relay server. 3. Click Submit and reboot the SOHO 6 as necessary. The SOHO 6 will now send all DHCP requests to the specified remote DHCP server and relay the resulting IP addresses to the computers connected to the Trusted Network. If the SOHO 6 is unable to contact the specified remote DHCP server within 30 seconds, it will revert to using its own DHCP server to respond to computers on the Trusted network. Configure additional computers on the Trusted Network. The SOHO 6 accepts connections from up to four computers. Network a larger number of computers together using one or more 10BaseT Ethernet hubs with RJ-45 connectors. The SOHO 6 system coexists with other systems over the same LAN (Local Area Network). If you mix computers with different operating systems on your network, they pass traffic through the SOHO 6 to access the Internet. Follow these steps to add one or more computers to your Trusted network: 1. Verify that each additional computer has an Ethernet card installed. Shut the computer down, connec
11. ... go to the SOHO 6 Configuration Settings page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1. 2. Towards the bottom of the System Status page, you see the External network header on the right side. Two MAC addresses are often listed. Please note these addresses and have them ready if you need Technical Support. Configuration. Where are the SOHO 6 settings stored? The configuration parameters are stored in memory on the SOHO 6. How do I set up DHCP on the trusted network of the SOHO 6? 1. Make sure your computer is set up to use DHCP. For instructions, see "Enable your computer for DHCP" on page 16. 2. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1. 3. From the navigation bar on the left side, select Network > Trusted. 4. Select Enable DHCP Server and then click Submit. How do I change to a static trusted IP address? Before you can use a static IP address, you must have a base Trusted IP address and subnet mask. The following IP address ranges and subnet masks are set aside for private networks in compliance with RFC 1918. Replace the Xs in the network IP address with a number between 1 and 254. The subnet addresses do not need to be changed. Network IP range / Subnet mask: 10.x.x.x 25
12. ... or higher; The SOHO 6 serial number. Review and record your current TCP/IP settings. For your reference, record the computer's current TCP/IP settings in the chart at the end of this section. Access to this information depends on your computer operating system. Microsoft Windows 2000 and Windows XP: 1. Click Start > Programs > Accessories > Command Prompt. 2. At the default prompt, type ipconfig /all, then press Enter. 3. Enter the TCP/IP settings in the chart provided below. 4. Click Cancel. Microsoft Windows NT: 1. Click Start > Programs > Command Prompt. 2. At the default prompt, type ipconfig /all, then press Enter. 3. Enter the TCP/IP settings in the chart provided below. 4. Click Cancel. Microsoft Windows 95, 98, or ME: 1. Click Start > Run. 2. Type winipcfg and click OK. 3. Select the Ethernet Adapter. 4. Enter the TCP/IP settings in the chart provided below. 5. Click Cancel. Macintosh: 1. Click the Apple menu > Control Panels > TCP/IP. 2. Enter the TCP/IP settings in the chart provided below. 3. Close the window. Other operating systems (Unix, Linux): 1. Consult your operating system guide to locate the TCP/IP screen. 2. Enter the settings in the chart provided below. 3. Exit the TCP/IP configuration screen. Chart (TCP/IP Setting / Value): IP Address; Subnet Mask; Default Gateway; DHCP Enabl
13. Index (P through S, continued)
pages (continued): Routes 41, 46, 48; SOHO 6 Administration 51; Syslog Logging 79; System Security 52, 53; System Status 23, 28; System Time 81; Unrestricted Pass Through IP Address 72; Update 56; Upgrade 58; View Configuration File 60; VPN Manager Access 55; VPN Statistics 94; WatchGuard Security Event Processor 78; WebBlocker Groups 100; WebBlocker Settings 98.
Pass Through feature 72; passphrases: described 52, setting up 53, 54; ping packets, denying all 68; Point-to-Point Protocol over Ethernet, See PPPoE; ports: numbered 9, numbers 5, OPT 8, WAN 9; power input 9; PPPoE: configuring for 34, described 32; pre-configured services, adding 62; protocols: allowing incoming 113, described 4; PWR light 6, 107.
R: rebooting 28; rebooting on remote system 29; registration 27; Remote Management 54; RESET button 8; resetting to factory default 26; Routes page 41, 46, 48; routes, configuring static 40.
S: seat licenses, upgrading 58; seat limitation 109; serial number, viewing 24; services: adding incoming 62, adding pre-configured 62, allowing incoming 113, and security risks 62, creating custom 63, 65, creating custom incoming 63, described 5, 61, preconfigured 62, specifying filter rule for 65; sites, blocking 65; SOCKS: configuring application 69, configuring for SOHO 6 68, described 68, disabling 70; SOHO 6 28, 29: and DSL modems 109, and Macintosh operating system 110, and SOCKS 68, base model 27, configuring access to 51, configuring for dynamic addresses 32
14. ... 6 configuration file appears in text format. 1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1. 2. From the navigation bar on the left side, select Administration > View Configuration File. The View Configuration File page appears. Chapter 6: Configure the Firewall Settings. Firewall Settings. The flow of incoming and outgoing traffic is controlled by the configuration settings you make. These decisions are made in accordance with a sound security policy that defines the kinds of risks that are acceptable to you or your firm. WatchGuard identifies several commonly used services that are used to define incoming and outgoing access. A service is the combination of protocol and port numbers associated with a specific application or communication type. Configure Incoming and Outgoing Services. By default, the security stance of the SOHO 6 is to deny incoming packets to computers on the trusted network protected by the SOHO 6 firewall. You can selectively open your network to certain types of Internet connectivity. For example, to set up a Web server behind the SOHO 6, you add an incoming Web service. It is important to remember that each service you add opens a small window into your trusted network and marginally
15. ... IP address, your ISP assigns each computer a different address each time it connects to the server. When you power down the computer, you release that IP address, allowing it to be reassigned. A static IP address is assigned to your computer at all times, whether or not you are currently using it. No other computer on the network shares that address. The most common method to distribute IP addresses is dynamically, using DHCP (Dynamic Host Configuration Protocol). When your computer is connected to the network, a DHCP server at your ISP automatically assigns it a network IP address. This relieves the ISP of the responsibility to manually assign and manage individual IP addresses. Another method of dynamically assigning IP addresses is called PPPoE (Point-to-Point Protocol over Ethernet). PPPoE combines some of the advantages of Ethernet and PPP by simulating a standard dial-up connection. It is popular among many ISPs because it allows them to use their existing dial-up infrastructure, such as billing, authentication, and security, for DSL and cable modems. When configured to use PPPoE, the connection can be manually connected or disconnected from the System Status page. Contact your ISP to determine which method they use to assign your IP address. Configure the SOHO 6 External Network for dynamic addressing. The SOHO 6 is configured to obtain its external address information a
16. ... Inc. Copyright, Trademark, and Patent Information. Copyright 1998-2002 WatchGuard Technologies, Inc. All rights reserved. AppLock, AppLock/Web, Designing peace of mind, Firebox, Firebox 1000, Firebox 2500, Firebox 4500, Firebox II, Firebox II Plus, Firebox II FastVPN, Firebox III, Firebox SOHO, Firebox SOHO 6, Firebox SOHO tc, Firebox SOHO tc, Firebox V100, Firebox V80, Firebox V60, Firebox V10, LiveSecurity, LockSolid, RapidStream, RapidCore, ServerLock, WatchGuard, WatchGuard Technologies, Inc., DVCP technology, Enforcer/MUVPN, FireChip, HackAdmin, HostWatch, Make Security Your Strength, RapidCare, SchoolMate, ServiceWatch, Smart Security, Simply Done, Vcontroller, and VPNforce are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. Hi/fn, Inc. 1993, including one or more U.S. Patents: 4701745, 5016009, 5126739, and 5146221, and other patents pending. Microsoft Internet Explorer, Windows 95, Windows 98, Windows NT, and Windows 2000 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United States and other countries. RC2 Symmetric Block Cipher, RC4 Symmetric Stream Cipher, RC5 Symmetric Block Cipher, B
17. ... In the Local ID and Remote ID boxes, specify the name of the local or remote network. The defaults are LocalID and RemoteID. In the Type box, specify IP Address or Domain Name. If you are in Main Mode, both the Local and Remote IDs must be IP Address. If you are in Aggressive Mode and have a static IP address, the Local ID must be IP Address and the Remote ID can be either IP Address or Domain Name. If you are in Aggressive Mode and have a dynamic IP address, the Local ID must be Domain Name and the Remote ID can be either IP Address or Domain Name. In the Authentication Algorithm drop list, specify the authentication: MD5-HMAC (128-bit authentication) or SHA1-HMAC (160-bit authentication). In the Encryption Algorithm drop list, specify the type of encryption: DES-CBC or 3DES-CBC. Enter how many kilobytes until negotiation expiration. Enter how many hours until negotiation expiration. In the Diffie-Hellman Group drop list, specify the group. WatchGuard supports 1 and 2. Diffie-Hellman refers to a mathematical technique for securely negotiating secret keys over a public medium. Diffie-Hellman groups are collections of parameters used to achieve this. Group 2 is more secure than group 1, but requires more time to compute the keys. If you choose, select the checkbox marked Enable Perfect Forward Secrecy. When this option i
18. Online Documentation and In-Depth FAQs. WatchGuard maintains an extensive knowledge base consisting of product documentation in the form of printer-friendly PDF files, tutorials, In-Depth FAQs, and more. This information is available at https://support.watchguard.com/AdvancedFaqs.
Index (Numerics through G)
Numerics: 100 indicator 7.
A: Add Route page 41.
B: blocked sites, configuring 65; Blocked Sites page 66; browsers, supported 12; button, RESET 8.
C: cables: correct setup 110, included in package 2, required 12; configuration file, viewing 24, 60; custom incoming services, creating 63; Custom Service page 64, 113.
D: default factory settings 25, 26; DHCP: described 32, setting up on Trusted Network 111; DNS service, dynamic 43; DSL modems and SOHO 6 109; Dual ISP Port 44; Dynamic DNS client page 43; dynamic DNS service, configuring 43, 44, 47; Dynamic Host Configuration Protocol, See DHCP; dynamic IP addresses: configuring for 32, described 31.
E: events: described 75, logging, See logging; External Network, denying ping packets received on 68.
F: FAQs 116; feature keys 57, 109; filter rules, specifying for custom services 65; Filter Traffic page 62; Firewall Incoming Traffic page 114; Firewall Options page 67; firewall, specifying miscellaneous options 67; firmware: updating 56, viewing version of 24; FTP access, denying to the Trusted interface 68.
G: Groups page 101.
19. Options. Dual ISP Port: This upgrade to the SOHO 6 activates the Optional port as a fail-over support for the external interface. This license key is purchased separately. VPNforce Port: This upgrade to the SOHO 6 activates the Optional port as a separate secure connection to a corporate network for a remote office or telecommuter. This license key is purchased separately. IPSec Virtual Private Networking (VPN): The SOHO 6tc comes with a VPN upgrade license key. You must activate the VPN upgrade in order to configure virtual private networking. The SOHO 6 does not come with the VPN upgrade license key. This license key is purchased separately. WebBlocker: The SOHO 6 has a Web filtering option. This license key is purchased separately. MUVPN Clients: With this upgrade, the SOHO 6 allows remote users to securely connect to it through an IPSec VPN and access network resources on the Trusted network. These license keys are purchased separately. LiveSecurity Service Subscription Renewals: Subscription renewals are available for a period of one or two years and may be purchased from your reseller or from the WatchGuard online store. To purchase renewals online or activate a renewal certificate, visit http://www.watchguard.com/renew. Follow the instructions at the site to activate or purchase the renewal. View the Configuration File. From this configuration page, the SOHO
20. ... and users, select Require Web users to authenticate. 7. Click Submit to register your changes. Create WebBlocker Groups and Users. Follow these instructions to create WebBlocker Groups: 1. With your Web browser, go to the SOHO 6 Configuration Settings page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1. 2. From the navigation bar on the left side, select WebBlocker > Groups. The WebBlocker Groups page appears. [Screenshot: WebBlocker Groups page, showing the Default Group, a New button, the Users list (All Users), and the Blocked Categories checklist: Alcohol and Tobacco, Violence/Profanity, Illegal Gambling, Search Engines, Militant/Extremist, Sports and Leisure, Drug Culture, Sex Education, Satanic/Cult, Sex Acts, Intolerance, Full Nudity, Gross Depictions, Partial/Artistic Nudity; Reset button.] 3. Click New to create a group name and profile. [Screenshot: WebBlocker > Groups > New Group page, with a Group Name field and the same Blocked Categories checklist.]
21. ... database contains thousands of IP addresses and directories. These addresses are divided into categories based on content, such as drug culture, intolerance, or sexual acts. SurfControl constantly searches the Internet to update the list of blocked sites. The WebBlocker database contains the following 14 categories. NOTE: All the categories of sites to be blocked are selected by advocacy rather than opinion or educational material. For example, the drugs/drug culture category blocks sites describing how to grow and use marijuana, but does not block sites discussing the historical use of marijuana. Alcohol/tobacco: Pictures or text advocating the sale, consumption, or production of alcoholic beverages and tobacco products. Illegal Gambling: Pictures or text advocating materials or activities of a dubious nature that may be illegal in any or all jurisdictions, such as illegal business schemes, chain letters, copyright infringement, computer hacking, phreaking (using someone's phone lines without permission), and software piracy. Also includes text advocating gambling relating to lotteries, casinos, betting, numbers games, online sports or financial betting, including non-monetary dares. Militant/extremist: Pictures or text advocating extremely aggressive or combative behavior, or advocacy of unlawful political measures. Topic includes groups that advocate violence as a mean
22. ... either directly or through a hub, it automatically attempts to obtain its addresses from the SOHO 6. If you use a centralized DHCP server to hand out IP addresses, the SOHO 6 has a DHCP Relay feature that forwards the DHCP request to the specified DHCP server. Configure DHCP Server and DHCP Relay. To configure the DHCP server: 1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1. 2. From the navigation bar on the left side, select Network > Trusted. The Trusted Network Configuration page appears. [Screenshot: Trusted Network Configuration page with the fields IP Address (192.168.111.1), Subnet Mask (255.255.255.0), Enable DHCP Server on Trusted Network, First address for DHCP server, WINS Server Address, DNS Server Address, Secondary DNS Server Address, DNS Domain suffix, Enable DHCP Relay, and DHCP relay server.] 3. Enter the IP address and the Subnet Mask in the appropriate fields. 4. Enable the checkbox labeled Enable DHCP Server on the Trusted Network. 5. Enter the first IP address the DHCP server will hand out to
23. ... fields. 4. Disable the checkbox labeled Enable DHCP Server on the Trusted Network. 5. Click Submit and reboot the SOHO 6 as necessary. 6. Configure your computers and other devices on the trusted network with static addresses. Configure Static Routes. The SOHO 6 allows you to configure static routes in order to pass traffic to networks on separate segments. This means that the SOHO 6 can route data packets to additional networks connected to a router or switch behind the SOHO 6. Follow these instructions to configure static routes: 1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1. 2. From the navigation bar on the left side, select Network > Routes. The Routes page appears. [Screenshot: Network > Routes page with Add and Remove buttons.] 3. Click Add. The Add Route page appears. [Screenshot: Add Route page with Type (Host), Address, and Gateway fields, and Submit, Reset, and Cancel buttons.]
24. ... is able to record all allowed outbound traffic. NOTE: This option will record an extensive amount of log entries. For this reason, WatchGuard recommends that you use it for diagnostic purposes only. Follow these steps: 1. Select Log All Allowed Outbound Access. 2. Click Submit. Enable override MAC address for the External Network. A SOHO administrator is able to assign a second MAC address to the SOHO 6 External Network, making it easier to register with an ISP that requires a separate MAC for registration. 1. Select Enable override MAC address for the External Network. 2. Enter the MAC address that will be assigned to the SOHO 6 External Network. NOTE: If the External Network override MAC address text box is cleared and the SOHO 6 is rebooted, the SOHO 6 will automatically go back to the factory default External MAC address. 3. Click Submit. As a guard against MAC address collisions, the SOHO 6 will look for the External Network override MAC address periodically. If the SOHO 6 finds two devices on the local network with the same MAC address, the SOHO 6 will automatically reset itself to the factory default External MAC address and reboot. Create an Unrestricted Pass Through. The SOHO 6 is able to allow traffic to be passed through to a dedicated machine with a public IP address separated f
25. materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)". The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)".
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The licence and distribution terms for any publicly available version or derivative of this code cannot be changed, i.e. this code cannot simply be copied and put under another distribution licence, including the GNU Public Licence.
26. reduces your security. This is the inherent trade-off between access and security.

Pre-configured Services
Each service is defined by a combination of Internet protocols and port numbers to uniquely identify the connection type to applications and servers on the Internet. The SOHO 6 configuration pages include several of the most common types. Follow these steps to add an Incoming service:
1. From the navigation bar on the left side, select Firewall > Incoming (or Outgoing). The Filter Traffic page appears. (Screenshot: the Filter Incoming Traffic page, listing services such as cuseeme, FTP, HTTP, HTTPS, ILS, IPSec, NetMeeting and NNTP, each with a rule drop list set to No Rule and a Host field of 0.0.0.0.)
2. Locate a pre-configured service such as FTP, Web, or Telnet, then select either Allow or Deny from the drop list. In our example, the HTTP service is set to Allow, enabling Web traffic incoming.
3. Enter the trusted network IP address of the computer to
27. refreshes.
NOTE: In addition to TCP and UDP ports, there are several other types of Internet protocols. To create a service for one of these protocols, you must define the protocol number; you cannot specify a port number.
5. Enter the port number (or numbers, if creating a range of ports), or enter the IP protocol number to allow, in the appropriate fields and click Add. After creating a custom service, you need to specify a filter rule as well as define the incoming and outgoing properties.
6. At the Incoming and Outgoing Filter drop lists, select either Allow or Deny.
7. Select either Host IP Address, Network IP Address, or Host Range from the appropriate drop list. The Custom Service page refreshes.
8. Enter either a single host IP address, a network IP address, or the start and end of a range of host IP addresses for this custom service in the appropriate fields.
9. Click Add. Repeat the last three steps until all the appropriate address information for this custom service appears in the appropriate fields.
10. Click Submit.

Block External Sites
By default, the security stance of the SOHO 6 is to deny all incoming traffic to the trusted network but to allow all outgoing traffic. However, you can selectively block access to particular Internet sites entirely. Follow these steps to configure blocked sites:
1. From the navigation bar on the left side,
28. security. For example, Gu4c4mo 3 is better than guacamole. Site A: OurLittleSecret. Site B: OurLittleSecret. You: ____
Encryption Method: The encryption method determines the length in bits of the key used to encrypt and decrypt communication packets. DES is a 56-bit encryption. 3DES is 168-bit and much more secure. It is also slower. Select either 3DES or DES, as long as both sides use the same method. Site A: 3DES. Site B: 3DES. You: ____
Authentication: Both sides must use the same method. Site A: MD5 or SHA1. Site B: MD5 or SHA1. You: ____

Enable the VPN Upgrade
You must first redeem the VPN upgrade license key before configuring VPN. Activating the VPN upgrade requires:
- An installed SOHO 6
- Internet connectivity
- A VPN upgrade license key

Step-by-step Instructions for Configuring a SOHO 6 VPN Tunnel
WatchGuard has developed a series of step-by-step instructions to facilitate configuration for a SOHO 6 VPN tunnel to any of several other IPSec-compliant appliances. To download these instructions, using your Web browser go to https://support.watchguard.com/AdvancedFaqs/sointerop_main.asp.

Frequently Asked Questions
Special Considerations
Consider the following before configuring your WatchGuard SOHO 6 VPN network:
- You can connect up to six SOHO 6 appliances together. To set up more VPN tunnels, you need at least
29. select Firewall > Blocked Sites. The Blocked Sites page appears. (Screenshot: the Blocked Sites page, with a Host IP Address drop list, an IP Address field, and Add, Submit and Reset buttons.)
2. Select either Host IP Address, Network IP Address, or Host Range from the drop list. The Blocked Sites page refreshes.
3. Enter either a single host IP address, a network IP address, or the start and end of a range of host IP addresses in the appropriate fields. In our example, Host IP Address is selected and the IP address entered is 207.68.172.246.
4. Click Add. The addressing appears in the Blocked Sites field.
5. Click Submit.

Firewall Options
The SOHO 6 firewall feature includes a few rule settings that are less specific than the service settings discussed previously and are used to provide further security for your private network. These options are found on the Firewall Options page.
1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2. From the navigati
30. watchguard.com/sohoresources
How do I know whether the cables are connected correctly to my SOHO 6?
There are fourteen lights on the front of the SOHO 6, grouped in pairs. The link light labeled WAN tells you if your SOHO 6 is connected to your modem. If this light is not lit, the SOHO 6 is not connected to your modem. Check to make sure that both sides of the cable are connected and that your Internet connection is active. The link lights labeled 0 through 3 correspond to the four numbered Ethernet ports of the trusted network. They tell you if the SOHO 6 is connected to a computer or hub. If the lights are not lit, the SOHO 6 is not connected to the computer or hub. Check to make sure that both sides of the cable are connected and that the computer or hub has power.
I can connect to the configuration screen; why can't I browse the Internet?
This means that the SOHO 6 is on, but something is wrong with the connection from the SOHO 6 to the Internet. Make sure the cable or DSL modem is connected correctly and has power. Also check the link light on your modem as well as the WAN link light on the SOHO 6. If you continue to have trouble connecting to the Internet, call your ISP.
How can I see the MAC address of my SOHO 6?
A MAC (Media Access Control) address is a unique number used to identify the actual physical hardware of an Ethernet appliance.
1. With your Web browser
31. which this rule applies. In our example, 192.168.111.2.
4. Click Submit.

Create a Custom Service
In addition to the pre-configured services provided by the SOHO 6 configuration page, you can create custom services using either a TCP port, a UDP port, or by specifying an IP protocol. Follow these steps to create a custom service:
1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2. From the navigation bar on the left side, select Firewall > Custom Service. The Custom Service page appears. (Screenshot: the Custom Service page, with a Service Name field; Protocol Settings with a Protocol drop list set to TCP Port, Port and To fields, and Add and Remove buttons; an Incoming Filter drop list set to No Rule with a Service Host field of 0.0.0.0; and an Outgoing Filter drop list set to No Rule with a From field set to Any.)
3. Define a name for the service in the appropriate field. Beneath the Protocol Settings fields, select either TCP Port, UDP Port, or Protocol from the drop list. The Custom Service page
32. 0-3 is able to connect to a variety of appliances. These include computers, printers, scanners, or other network peripherals. Use your SOHO 6 to replace an existing hub if you have no more than four appliances to connect.
(Diagram: the Internet connects over a cable or telephone/DSL line to the cable or DSL modem; an Ethernet cable connects the modem to the Firebox SOHO 6; a second Ethernet cable connects the SOHO 6 to the personal computer.)
1. Shut down your computer. If you connect to the Internet using a DSL/cable modem, disconnect the power from this device.
2. Disconnect the Ethernet cable that runs from your DSL/cable modem or other Internet connection to your computer, and connect it to the WAN port on the SOHO 6. The SOHO 6 is now connected directly to the modem or other Internet connection.
3. Connect one end of the straight-through Ethernet cable supplied with your SOHO 6 into any one of the four numbered Ethernet ports (labeled 0-3) on the SOHO 6. Connect the other end into the Ethernet port of your computer. The SOHO 6 is now connected to the Internet and your computer.
4. If you connect to the Internet using a DSL/cable modem, restore the power to this device. When the indicator lights of the modem stop flashing, the modem is ready for use.
5. Attach the AC adapter to the SOHO 6 and connect it to a power source.
6. Restart your computer.
For information on the factory default configuration options, see Default Factory Setting
33. Index
SOHO 6
  configuring for PPPoE 34
  configuring for static addressing 33
  configuring VPN tunnel with 86
  connecting to 23
  default factory settings 25
  described 2
  firewall feature 67
  front view 6
  function of 3
  hardware 6
  installing 11-22
  MAC address of 111
  MUVPN clients option 93
  package contents 2
  ports 6, 8
  rear view 8
  registering 27
  resetting to factory default 26
  seat limitation 109
  setting passphrase 53
  setting up VPNs between 115
  troubleshooting 107-115
  upgrading 57
  upgrading user license 21
  viewing log messages for 76
SOHO 6 Administration page 51
SOHO Remote Management 54
Split Tunneling 93
static IP addresses
  and VPNs 87
  obtaining 87
static IP addressing, configuring for 33
static routes, configuring 40
Status light 7, 107, 108
Syslog Logging page 79
System Security page 52-53
System Status page 23-28
System Time page 81
system time, setting 80
T
TCP/IP settings, determining 12-14
technical support 116
time, setting 80
traffic
  creating unrestricted pass through 72
  logging all outbound 70
traffic monitoring 42
troubleshooting 107-115
Trusted Network
  configuring additional computers on 38
  denying FTP access to 68
Trusted Network Configuration page 37-39
U
Unrestricted Pass Through IP Address page 72
Update page 56
Update Wizard 57
upgrade license keys
  redeeming 57
  types of 58
Upgrade page 58
upgrading
  seat licenses 58
  user licenses 21
  VPNs 59
V
View Configuration File pa
34. Enter the TCP/IP settings you recorded from your computer during the installation process. Refer to the table in "Review and record your current TCP/IP settings" on page 12. Click Submit. The configuration change is saved to the SOHO 6.

Configure the SOHO 6 External Network for PPPoE
While less common, PPPoE is another method for an ISP to assign IP addresses. Check the information and manuals sent to you by your ISP to see if they use PPPoE. If you cannot find this information, contact your ISP and ask them. You need your PPPoE login name and password.
To configure the SOHO 6 for PPPoE:
1. Open your Web browser and click Stop. At this point the Internet connection is not fully configured, and the computer cannot load your home page from the Internet. However, the computer can access the configuration Web pages installed on the SOHO 6.
2. With your Web browser, go to the System Status page using the trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
3. From the navigation bar on the left side, select Network > External. The External Network configuration page appears.
4. From the Configuration Mode drop list, select PPPoE Client. The page refreshes. (Screenshot: the External Network Configuration page.)
35. 255.0.0.0
172.16.x.x 255.240.0.0
192.168.x.x 255.255.0.0
To change to a static trusted IP address:
1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2. From the navigation bar on the left side, select Network > Trusted.
3. Disable Enable DHCP Server and then click Submit.
4. Enter the information. Click Submit.
How do I set up and disable WebBlocker?
1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2. From the navigation bar on the left side, select WebBlocker > Settings. The WebBlocker Settings page appears.
3. Select Enable WebBlocker. Enter a full access password and an inactivity timeout in minutes.
To disable WebBlocker, deselect Enable WebBlocker.
How do I allow incoming services such as POP3, Telnet, and Web (HTTP)?
1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2. From the navigation bar on the left side, select Firewall > Incoming. The Filter Incoming Traffic page appears.
3. Locate the pre-configured service you wish to allow in and select Allow from the drop list.
4. Enter the Trusted network IP ad
36. AGREED REMEDY.
5. United States Government Restricted Rights. The enclosed SOFTWARE PRODUCT and documentation are provided with Restricted Rights. Use, duplication or disclosure by the U.S. Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Incorporated, 505 5th Ave. South, Suite 500, Seattle, WA 98104.
6. Export Controls. You agree not to directly or indirectly transfer the SOFTWARE PRODUCT or documentation to any country to which such transfer would be prohibited by the U.S. Export Administration Act and the regulations issued thereunder.
7. Termination. This license and your right to use the SOFTWARE PRODUCT will automatically terminate if you fail to comply with any provisions of this EULA, destroy all copies of the SOFTWARE PRODUCT in your possession, or voluntarily return the SOFTWARE PRODUCT to WATCHGUARD. Upon termination you will destroy all copies of the SOFTWARE PRODUCT and documentation remaining in your control or possession.
8. Miscellaneous Provisions. This EULA will be governed by and construed in accordance with the substantive laws of Washingt
37. ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>. Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.
All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Part No: 0814-000

Contents
CHAPTER 1 Introduction 1
  The Package Contents 2
  How Does a Firewall Work 3
  How Does Information Travel on the Internet 4
    IP Addresses 4
    Protocol 4
    [entry unreadable] 5
  How Does the SOHO 6 Process Information 5
    Services 5
    Network Address Translation 5
  The SOHO 6 Hardware Description 6
    The SOHO 6 front and rear views 6
CHAPTER 2 Installation 11
  Before You Begin 12
    Review and record your current TCP/IP settings 12
39. O 6 receives the IP of members.dyndns.org when it connects to the time server.
5. Click Submit.

Configure OPT Port Upgrades
The optional port (OPT port) on the SOHO 6 supports two new upgrades:
- Dual ISP Port upgrade
- VPNforce Port upgrade
To activate these upgrades, you need to buy an additional license and then upgrade the SOHO 6 to activate the new feature. For more information on how to upgrade the SOHO 6, see "Redeem your SOHO 6 Upgrade Options" on page 57.
NOTE: The OPT port is only available if you purchase a software upgrade. You cannot use the OPT port as another Internet port on the Trusted network.

Configure Dual ISP Port
The Dual ISP Port upgrade adds fail-over support for the External interface. This means that when the primary external port connection fails, the firewall will initiate a connection through the optional port. No new policy definitions are needed; the optional port uses the same set of policies as the external port.
The SOHO 6 uses two methods to determine if the external port connection is down:
- The link to the nearest router
- A ping to a specified location
The SOHO pings the default gateway or another location designated by the administrator. If there is no response, fail-over takes place. When this feature is activated, these actions automatically occur:
- If the external port (EXT) connectio
41. SAFE, TIPEM, RSA Public Key Cryptosystem, MD, MD2, MD4 and MD5 are either trademarks or registered trademarks of RSA Data Security, Inc. Certain materials herein are Copyright 1992-1999 RSA Data Security, Inc. All rights reserved.
RealNetworks, RealAudio, and RealVideo are either a registered trademark or trademark of RealNetworks, Inc. in the United States and/or other countries.
Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All rights reserved.
1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
1998-2000 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or pr
42. SOHO models.
Faster Processor: The SOHO 6 has a new network processor running at a speed of 150 MHz. It also includes built-in Ethernet and encryption technology.
Ethernet ports: The SOHO 6 has six 10/100 Base-TX ports, labeled OPT, WAN, and numbered 0-3.

The SOHO 6 front and rear views
The SOHO 6 has fourteen indicator lights on the front panel of the appliance. The following photograph shows the entire front view. (Photograph: front view of the Firebox SOHO 6, showing the PWR, Status, Link, 100, WAN and Mode lights.)
PWR: When illuminated, this light indicates that the SOHO 6 is currently powered up.
Status: When illuminated, this light indicates that a management connection has been made.
Link: The link indicator illuminates when there is a good physical connection to any of the numbered (0-3) interfaces of the trusted network. The link indicator blinks when traffic is passing through the interface.
100: When a trusted network interface runs at 10 Mb, the 100 indicator is not illuminated. When the network interface runs at 100 Mb, the 100 indicator is yellow.
WAN: Indicates a good physical connection to the external (WAN) port. The indicator blinks when traffic is passing through the interface.
Mode: Indicates that the SOHO 6 is operational and has connected to the Internet when illuminated.
43. The SOHO 6 has six Ethernet ports, a reset button, and a power input located on the rear of the appliance. The following photograph shows the entire rear view. (Photograph: rear view of the SOHO 6.)
OPT port: This Ethernet port corresponds to the Optional interface. This interface is activated when you purchase the Dual ISP Port upgrade or VPNforce Port Upgrade. For more information on the Dual ISP Port and VPNforce Port upgrade, see "Configure OPT Port Upgrades" on page 44.
NOTE: The OPT port is only available if you purchase the Dual ISP Port or VPNforce Port upgrades. You cannot use the OPT port as another Ethernet port on the Trusted network.
RESET button: Using the reset button, you can return the SOHO 6 to the factory defaults. For more information on performing this function, see "Reset a SOHO 6 to factory default" on page 26.
WAN port: This Ethernet port corresponds to the external interface.
4 numbered ports (0-3): These Ethernet ports correspond to the trusted interface.
Power input: Accepts the 12-volt AC adapter supplied with the SOHO 6.

CHAPTER 2 Installation
This chapter explains how to install the SOHO 6 into yo
44. WatchGuard Firebox SOHO 6 User Guide, SOHO 6.1

Using this Guide
To use this guide, you need to be familiar with your computer's operating system. If you have questions about navigating in your computer's environment, please refer to your system user manual. The following conventions are used in this guide:
Convention: Bold type. Indication: Menu commands, dialog box options, Web page options, Web page names. For example: On the System Information page, select Disabled.
Convention: NOTE. Indication: Important information, a helpful tip, or additional instructions.

Certifications and Notices
FCC Certification
This appliance has been tested and found to comply with limits for a Class A digital appliance pursuant to Part 15 of the FCC Rules. Operation is subject to the following two conditions:
- This appliance may not cause harmful interference.
- This appliance must accept any interference received, including interference that may cause undesired operation.
CE Notice
The CE symbol on your WatchGuard Technologies equipment indicates that it is in compliance with the Electromagnetic Compatibility (EMC) directive and the Low Voltage Directive (LVD) of the European Union (EU).
Industry Canada
This Class A digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations. This Class A digital apparatus complies with all the
45. (Screenshot: the Syslog Logging page, with an Enable syslog output checkbox, an Address of syslog host field set to 0.0.0.0, an Include local time in syslog message checkbox, and Submit and Reset buttons.)
3. Select Enable syslog output.
4. Enter the IP address of the Syslog server. In our example, 206.253.208.100.
5. Click Submit.
To adjust your syslog messages to your browser's local time:
- Select Include local time in syslog message.
NOTE: Syslog traffic is not encrypted, and use of this option creates a potential security risk when the information is sent over the Internet. However, if this traffic is sent through a VPN tunnel, the traffic is encrypted with IPSec technology and is therefore less of a security risk.

Set the System Time
The SOHO 6 stamps each log entry with the time that the event occurred.
Event Log (Time | Category | Message):
2002-05-23 17:16:09 | IP | Packet allowed from 192.168.42.204 port 3577 to 192.168.42.160 port 80 TCP (allow by HTTP)
2002-05-23 17:16:08 | IP | Packet allowed from 192.168.42.204 port 3576 to 192.168.42.160 port 80 TCP (allow by HTTP)
2002-05-23 17:16:08 | MONITOR | Administrator access allowed from 192.168.42.204
The log entry time stamp displays the time of day according to the settings for the system time. To set the system time:
1. With your Web browser, go to the System Status page using the
46. als and sites devoted to selling pornographic CD-ROMs and videos.
Full Nudity: Pictures exposing any or all portions of human genitalia. Topic does not include sites categorized as Partial/Artistic Nudity containing partial nudity of a wholesome nature. For example, it does not include Web sites for publications such as National Geographic or Smithsonian magazine, nor sites hosted by museums such as the Guggenheim, the Louvre, or the Museum of Modern Art.
Partial/Artistic Nudity: Pictures exposing the female breast or full exposure of either male or female buttocks, except when exposing genitalia, which is handled under the Full Nudity category. Topic does not include swimsuits, including thongs.

CHAPTER 10 Support Resources
Troubleshooting Tips
The following information is offered to help overcome any difficulties that might occur when installing and setting up your SOHO 6.
General
What do the PWR, Status, and Mode lights signify on the SOHO 6?
When the PWR light is lit, the SOHO 6 has power. When the Status light is lit, there is a management connection to the SOHO 6. When the MODE light is lit, the SOHO 6 is operational.
If the PWR light is blinking: The SOHO 6 is running from its backup flash memory. You are able to connect to the SOHO 6 from a computer on one of the four numbered Ethernet ports (labeled 0-3) and reload t
47. ardware product, and may include associated media, printed materials, and on-line or electronic documentation, and any updates or modifications thereto, including those received through the WatchGuard LiveSecurity service or its equivalent (the "SOFTWARE PRODUCT"). WATCHGUARD is willing to license the SOFTWARE PRODUCT to you only on the condition that you accept all of the terms contained in this EULA. Please read this EULA carefully. By installing or using the SOFTWARE PRODUCT, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, WATCHGUARD will not license the SOFTWARE PRODUCT to you, and you will not have any rights in the SOFTWARE PRODUCT. In that case, promptly return the SOFTWARE PRODUCT, along with proof of payment, to the authorized dealer from whom you obtained the SOFTWARE PRODUCT for a full refund of the price you paid.
1. Ownership and License. The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This is a license agreement and NOT an agreement for sale. All title and copyrights in and to the SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and applets incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the SOFTWARE PRODUCT are owned by WATCHGUARD or its licensors. Your rights to use th
48. (Screenshot: the System Security page.)
3. Verify that the HTTP Server Port is set at 80.
4. Select the System Security checkbox.
5. Enter the System Administrator Name.
6. Enter the System Passphrase and confirm it.
7. Click Submit.

SOHO Remote Management
This page also allows you to create a secure connection using Internet Protocol Security (IPSec) to the SOHO from a remote location. This feature is discussed at length in the Firebox SOHO 6 Remote Management Guide, located on our Web site at http://help.watchguard.com/documentation/soho.asp.

Set up VPN Manager Access
The SOHO 6 works with WatchGuard VPN Manager software in order to configure and manage Branch Office VPN tunnels from a remote location. VPN Manager software is purchased separately and must run on a WatchGuard Firebox II/III. For more information regarding the VPN Manager product, use your Web browser to go to https://www.watchguard.com/products/vpnmanager.asp.
Follow these steps to set up VPN Manager access:
1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2. From the navigation bar on the left side, select Administration > VPN Manager Access. The VPN Manager Access page appear
ategories 103
CHAPTER 10 Support Resources 107
Troubleshooting Tips 107
General 107
Configuration 111
VPN Management 114
Contact Technical Support 116
Online Documentation and In-Depth FAQs 116
Special Notices 116

CHAPTER 1 Introduction

Welcome
Congratulations on purchasing the ideal solution for providing secure access to the Internet: the WatchGuard Firebox SOHO 6 or SOHO 6tc security appliance. This User Guide is for both the SOHO 6 and the SOHO 6tc; the name SOHO 6 refers to both these appliances throughout this guide. The only difference between them is the ability to create and use a Virtual Private Network (VPN). The VPN option is added to the SOHO 6, while the SOHO 6tc comes with the VPN option pre-installed. Your new SOHO 6 provides peace of mind when connecting to the Internet using a high-speed cable or DSL modem, a leased line, or ISDN. The most current installation and user information is available at the WatchGuard Web site: http://support.watchguard.com/sohoresources
ations being used.

Why is ping not working?
If you cannot ping the local network address of the remote SOHO 6, follow these steps to classify the problem:
1. Ping the external address of the remote SOHO 6. For example, at Site A, ping 68.130.44.15 (Site B). You should get a reply. If not, verify the External network settings of Site B. If they are correct, verify that computers at Site B have access to the Internet. If you are still having trouble, contact your ISP.
2. Once you are able to ping the external address of each SOHO 6, try pinging a local address. From Site A, ping 192.168.111.1. If the tunnel is up, you should get a reply from the remote SOHO 6. If not, re-check the local settings page. Make sure that the local DHCP address ranges do not overlap; that is, IP addresses on either side of the tunnel must not be the same.

How do I obtain a VPN upgrade license key?
You can purchase them online. Using your Web browser, go to http://www.watchguard.com/sales/buyonline.asp.

How do I enable a VPN Tunnel?
Full instructions for enabling a VPN tunnel are located at https://support.watchguard.com/AdvancedFaqs/sointerop_main.asp.

Set Up Multiple SOHO-SOHO VPN Tunnels
With this release, a SOHO administrator has the ability to manually define up to six VPN tunnels to other SOHO 6 devices. VPN Manager's ability to set up a larger number of SOHO 6 to SOHO 6 t
ave the VPN option activated.
• The static external IP address, the network address, and the subnet masks of both appliances. The base trusted IP address of each SOHO 6 must be static and unique.
• The DNS and WINS server IP address, if used.
• The shared key (passphrase) for the tunnel.
• The same encryption method for each end of the tunnel (DES or 3DES).
• The same authentication method for each end (MD5 or SHA-1).

How do I set up my SOHO 6 for VPN Manager Access?
This requires the add-on product WatchGuard VPN Manager software, which is purchased separately and used with the WatchGuard Firebox System software. To purchase VPN Manager, use your Web browser to go to https://www.watchguard.com/products/vpnmanager.asp. For more information on how to allow VPN Manager access to a SOHO 6, see the VPN Guide.

How do I set up VPN to a SOHO 6s?
For detailed information on how to configure a VPN tunnel between a SOHO 6 and another IPSec-compliant appliance, use your Web browser to go to https://support.watchguard.com/AdvancedFaqs/sointerop_main.asp. Log in to the site. Download the file you need. Follow the instructions to configure your VPN tunnel.

Contact Technical Support
877-232-3531 (U.S. End user support)
206-521-8375 (U.S. Authorized Reseller support)
360-482-1083 (International support)
d port numbers associated with a specific program or application type. To simplify configuration of your SOHO 6, WatchGuard-configured versions of several common services are available for your use.

Network Address Translation
All outgoing connections through a SOHO 6 automatically use a feature called dynamic NAT (Network Address Translation). Without dynamic NAT, your trusted private addresses are passed along the Internet to their destination. In addition, the SOHO 6 protects your trusted network by disguising private IP addresses. During an Internet connection, all traffic passed between computers includes IP address information. However, because of the dynamic NAT feature, applications and servers on the Internet only see the public external IP address of the SOHO 6 itself and are never aware of the addresses in your trusted network address range.

Imagine that you install a computer behind the SOHO 6 with the IP address 206.253.208.100. If this address were broadcast to the Internet, hackers could easily direct an attack on the computer itself. Instead, the SOHO 6 converts the address automatically to the external address of the SOHO 6. When a hacker tries to violate the computer, they are stopped at the SOHO 6, never learning the true address of your computer.

The SOHO 6 Hardware Description
The SOHO 6 has significant improvements to the hardware platform from those of previous
dress of the computer hosting the service.
5. Click Submit.

How do I allow incoming IP or uncommon TCP and UDP protocols?
You need the IP address of the computer that is receiving the incoming data and the IP protocol number that corresponds to the specific incoming IP protocol. To allow an incoming IP protocol:
1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2. From the navigation bar on the left side, select Firewall > Custom Service. The Custom Service page appears.
3. Beneath the Protocol Settings fields, select TCP Port, UDP Port, or Protocol from the drop list. The Custom Service page refreshes.
4. Enter a name for the service.
5. Enter the protocol number to allow in the Protocol field.
6. Click Submit.
7. From the navigation bar on the left side, select Firewall > Incoming. The Firewall Incoming Traffic page appears.
8. Near the bottom of the page, under the Custom Service header, locate the service you created and select Allow from the drop list.
9. Under the header Service Host, enter the IP address of the computer to which this traffic is allowed.
10. Click Submit.

VPN Management
Before setting up VPN, you must have:
• Two properly configured and working SOHO 6s, or one SOHO 6 with the latest version of firmware and one Firebox II/III. Each SOHO 6 must h
e SOFTWARE PRODUCT are as specified in this EULA, and WATCHGUARD retains all rights not expressly granted to you in this EULA. Nothing in this EULA constitutes a waiver of our rights under U.S. copyright law or any other law or treaty.

2. Permitted Uses. You are granted the following rights to the SOFTWARE PRODUCT:
A. You may use the SOFTWARE PRODUCT solely for the purpose of operating the SOHO hardware product in accordance with the SOHO or user documentation.
If you are accessing the SOFTWARE PRODUCT via a Web-based installer program, you are granted the following additional rights to the SOFTWARE PRODUCT:
A. You may install and use the SOFTWARE PRODUCT on any computer with an associated connection to the SOHO hardware product in accordance with the SOHO user documentation.
B. You may install and use the SOFTWARE PRODUCT on more than one computer at once without licensing an additional copy of the SOFTWARE PRODUCT for each additional computer on which you want to use it, provided that each computer on which you install the SOFTWARE PRODUCT has an associated connection to the same SOHO hardware product; and
C. You may make a single copy of the SOFTWARE PRODUCT for backup or archival purposes only.

3. Prohibi You may n A Reverse engi p C Use any bac & rinted ma Ise to use ed Uses ot witl terials except as provided in tl up or archival copy of the su hout ex
CHAPTER 7 Configure Logging

What is logging?
Logging is the act of recording events that occur at the SOHO 6 interfaces. An event is any single activity, such as communication with the WatchGuard WebBlocker database or incoming traffic passing through the SOHO 6. Logging is intended to record the kinds of activities that indicate security concerns, most importantly denied packets. Certain patterns of denied packets can indicate the type of attack that is being attempted. Remember that if power to the SOHO 6 is removed, the messages are lost.

View SOHO 6 Log Messages
The WatchGuard SOHO 6 generates an ongoing activity log stored on the SOHO 6: the Event Log. This log stores a maximum of 150 messages. When it reaches this limit, the oldest message is deleted. The log messages include time synchronizations between the SOHO 6 and the WatchGuard Time Server, discarded packets for a packet-handling violation, duplicate messages or return error messages, and IPSec messages. To view these messages:
1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2. From the navigation bar on the left side, select Logging. The Logging page appears, and the Event Log is displayed in the lower portion of the page.
[Screenshot: the Logging page; navigation bar items System Status, Network, External, Trusted, Loggi
ed: Yes / No. DNS Server(s): Primary, Secondary.
NOTE: If you are connecting more than one computer to the trusted network behind the SOHO 6, determine the TCP/IP settings for each computer.

Disable the HTTP proxy setting of your Web browser
To configure a SOHO 6 after it is installed, you must access the special configuration pages that reside on the SOHO 6. If the HTTP proxy setting in your browser is enabled, you cannot access these pages, making it impossible to complete the configuration process. With the HTTP proxy enabled, the browser automatically points itself to Web pages located on the Internet, and you cannot direct the browser to Web pages located in other places. Disabling the HTTP proxy does not prevent you from accessing your favorite Web sites, but it does allow you to access the configuration pages that reside on the SOHO 6.

To disable the HTTP proxy in three commonly used browsers, see the instructions below. If your browser is not listed, see your browser Help menus to learn how to disable the HTTP proxy settings.

Netscape 4.7
1. Open Netscape.
2. Click Edit > Preferences. The Preferences window appears.
3. From among the categories listed on the left-hand side of the window, click the symbol before the Advanced heading to expand the list.
4. Click Proxies.
5. Verify that the Direct Connection to the Internet option is enabled.
6. Clic
ed on a local system, use one of these methods:
• With your Web browser, go to the System Status page using the trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1. Click Reboot.
• Unplug the SOHO 6 and reconnect it to a power source.

To reboot a SOHO 6 located on a remote system, you must set the SOHO 6 to allow either incoming HTTP (Web) or FTP traffic to the trusted address of the SOHO 6. For information on configuring a SOHO 6 to allow incoming traffic, see "Configure Incoming and Outgoing Services" on page 62. You then use one of these methods:
• With your Web browser, go to the System Status page using the external IP address of the SOHO 6. Click Reboot.
• Send an FTP command to the remote SOHO 6. Use an FTP application to connect to the SOHO 6, then enter the command: quote rebt

CHAPTER 4 Configure the Network Interfaces

Configure Your External Network
When you configure the external network, you establish how the SOHO 6 communicates with your ISP. This configuration depends upon how your ISP distributes network addresses: using DHCP or PPPoE.

Network addressing
Each networked computer must have an IP address to identify itself to other computers. IP address assignments are either dynamic or static. With a dynamic
em.
Users: These are individual members of a particular group.

Bypass the SOHO 6 WebBlocker
Occasionally you may want to allow select individuals to bypass the filtering functions of SOHO 6 WebBlocker. For example, if you are using the SOHO 6 at a remote office as a telecommuter, you may want to block a particular category from your children while still retaining access to that information for the adults in the household. The SOHO 6 WebBlocker configuration page includes a full access password field. Provide this password to those members of your trusted network allowed to bypass WebBlocker. When a site is blocked or unavailable, the user has the option of entering the full access password. With the password entered, the browser displays the otherwise blocked site. After the password is entered, the user is able to browse any site on the Internet until either the password expires or the browser is closed.

Purchase and Activate SOHO 6 WebBlocker
To use WatchGuard SOHO 6 WebBlocker, you must first purchase and enable the WebBlocker upgrade license key. For information on redeeming upgrade license keys, see "Redeem your SOHO 6 Upgrade Options" on page 57.

Configure the SOHO 6 WebBlocker
Use the WatchGuard SOHO 6 Configuration pages to activate WebBlocker, create a full access password for bypassing WebBlocker, define an inactivity timeout that sets the duration of the ful
[Screenshot: the WebBlocker Groups page, with checkboxes for blocked categories including Illegal Gambling, Search Engines, Militant/Extremist, Sports and Leisure, Drug Culture, Sex Education, Satanic/Cult, Sex Acts, Intolerance, Full Nudity, Gross Depictions, and Partial/Artistic Nudity, and Submit, Reset, and Cancel buttons]
4. Define a Group Name and select the blocked categories for this group.
5. Click Submit. A new Groups page appears, indicating the configuration changes were accepted and are providing access.
[Screenshot: the WebBlocker > Groups page reporting "Configuration changes have been accepted", with Group and Users fields and Delete and New buttons]
6. To the right of the Users field, click New. The New User page appears.
[Screenshot: the WebBlocker > Groups > New User page, with Username, Passphrase, Confirm Passphrase, and Group fields and Submit, Reset, and Cancel buttons]
7. Enter a unique user name and passphrase (remember to confirm the passphrase). Use the Group drop list to assign the new user to a given group.
8. Click Submit.
NOTE: You can delete users or groups at any time by selecting them and clicking Delete.

WebBlocker Categories
WebBlocker relies on a URL database which is a service of SurfControl. The WebBlocker
erance, or sexual acts. WatchGuard updates the WebBlocker server with a new database at regular intervals. Once you purchase and activate WebBlocker, every time a user on your trusted network attempts to reach an Internet Web site, the SOHO 6 queries the WatchGuard database and determines whether or not to block the site. The SOHO 6 considers the following conditions in determining whether or not to block the site:

Web site not in the WebBlocker database
If the site is not in the WatchGuard WebBlocker database, the Web browser opens the page for viewing.

Web site in the WebBlocker database
If the site is in the WatchGuard WebBlocker database, the SOHO 6 checks whether or not to block that type or category of site. When the category is blocked, the browser displays a page informing the user that the site is unavailable for viewing. If the category is not blocked, the Web browser opens the page for viewing.

WatchGuard WebBlocker database unavailable
If for any reason the WatchGuard WebBlocker database is unavailable (for example, if there is briefly a problem between your ISP and the nearest WatchGuard server), the browser displays a page informing the user that the site is unavailable for viewing.

WebBlocker users and groups
Groups: A group is a collection of individuals or users of the syst
ess networks on Branch Office VPN tunnels terminating at the local SOHO 6. If you purchase the VPNforce Port, you receive one MUVPN connection to the Optional network as well. Additional VPNforce Port user licenses can be purchased separately. Complete documentation on configuring your SOHO 6 once this upgrade option is purchased and redeemed is at http://support.watchguard.com/sohoresources.

View the VPN Statistics
The SOHO 6 has a configuration page that displays a variety of VPN statistics to assist you in monitoring VPN traffic as well as troubleshooting potential problems. To view the VPN Statistics page:
1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2. From the navigation bar on the left side, select VPN > VPN Statistics. The VPN Statistics page appears.

CHAPTER 9 SOHO 6 WebBlocker
WebBlocker is an optional feature of the SOHO 6 that provides Web site filtering capabilities. It gives you precise control over the types of Web sites users on your trusted network are allowed to view.

How WebBlocker Works
WebBlocker relies on a URL database service which is owned and maintained by SurfControl. The WebBlocker database contains many thousands of IP addresses and directories. These addresses are divided into categories based upon content, such as drug culture, intol
eties 42
Configure the Dynamic DNS Service 43
Configure OPT Port Upgrades 44
Configure Dual ISP Port 44
Configure VPNforce Port 47
CHAPTER 5 Administrative Options 51
The System Security Page 52
System management 52
SOHO Remote Management 54
Setup VPN Manager Access 54
Update Your Firmware 56
Redeem your SOHO 6 Upgrade Options 57
View the Configuration File 60
CHAPTER 6 Configure the Firewall Settings 61
Firewall Settings 61
Configure Incoming and Outgoing Services 62
Pre-configured Services 62
Create a Custom Service 63
Block External Sites 65
Firewall Options 67
Ping requests received on the External Network 68
Denying FTP access to the Trusted Network interface 68
SOCKS implementation for the SOHO 6 68
Logging all allowed outbound traffic 70
Enable override MAC address for the External Network 71
Create an Unrestricted Pass Through 72
requirements of the Canadian Interference-Causing Equipment Regulations.

VCCI Notice (Class A ITE)

Declaration of Conformity
WatchGuard Technologies, Inc., 505 Fifth Ave. S., Suite 500, Seattle, WA 98104-3892, USA, hereby declares that the product(s) listed below conform to the European Union directives and standards identified in this declaration.
Product(s): Internet Firewall, Model BOF4S16E6
EU Directive(s): Low Voltage 73/23/EEC; Electromagnetic Compatibility 89/336/EEC
Standard(s): This product has no safety requirements per the LVD. EN50022:1998 Class A Emissions for ITE; EN50024:1998 Immunity for ITE.

WATCHGUARD SOHO SOFTWARE END USER LICENSE AGREEMENT
IMPORTANT: READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE
This WatchGuard SOHO Software End User License Agreement ("EULA") is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. ("WATCHGUARD") for the WATCHGUARD SOHO software product, which includes computer software (whether installed separately on a computer workstation or on the WatchGuard h
figured Upgrade Options. No upgrade options are enabled until the license keys are redeemed.

Reset a SOHO 6 to factory default
Firmware corruptions or other unforeseen events, such as a lost System Security passphrase, require you to reset the SOHO 6 to its factory default settings. To do this, first disconnect the power supply. Then find the reset button located at the rear of the SOHO 6. Press and hold the reset button. At the same time, reconnect the power supply. Continue pressing the reset button while the SOHO 6 reboots (approximately 15 seconds). The PWR indicator light should blink in a steady pattern once the reboot is complete. When this occurs, reboot the SOHO 6 again by disconnecting the power supply. Finally, the PWR indicator light should remain illuminated. Your SOHO 6 is now reset to factory defaults.

The base model SOHO 6
The base model SOHO 6 comes with a ten-seat license; that is, ten computers have access to the Internet through the SOHO 6. Remember, while only four appliances connect directly to the four numbered (0-3) Ethernet ports, one or more of these appliances can be a hub or router. Please see "Cabling the SOHO 6 for more than four computers" on page 20.

Register your SOHO 6 and Activate the LiveSecurity Service
Once the SOHO 6 is installed and configured, you need to register the unit and act
ge 60
VPN Manager: described 54; purchasing 115; setting up access to 54-55; setting up SOHO 6 for 115
VPN Manager Access page 55
VPN Statistics page 94
VPN upgrade: enabling 86; obtaining 88
VPNforce Port 47
VPNs: and SOHO 6/SOHO 6tc 2; and static IP addresses 87; between two SOHO 6s 115; configuring with SOHO 6 86-88; described 83; enabling tunnels 88; encryption for 87; license key for 59; requirements for 84, 114; special considerations for 87; troubleshooting connections 88; viewing statistics 94
W
WAN indicator 7
WAN port 9
WatchGuard Security Event Processor 77
WatchGuard Security Event Processor page 78
WebBlocker: activating 98; categories 103; configuring 98; creating users and groups for 99; database 95; described 95; enabling and disabling 112; purchasing and activating 97; users and groups 97
WebBlocker Groups page 100
WebBlocker Settings page 98
WebBlocker upgrade: purchasing 97; license key for 59
WSEP 77
he configuration.
If the Mode light is blinking: The SOHO 6 requires a DHCP-assigned IP address for the external interface but did not receive it. The WAN port is not connected to another appliance, the physical connection is faulty, or the other appliance is not operating properly.

How do I register my SOHO 6 with the LiveSecurity Service?
Register online by activating your bundled LiveSecurity Service subscription. Activation entitles you to receive threat alert notifications, expert security advice, free anti-virus protection, software updates, technical support by web or phone, and access to extensive online help resources. To activate, make a note of your SOHO serial number, then use your Web browser to go to http://www.watchguard.com/activate. For more information, see "Register your SOHO 6 and Activate the LiveSecurity Service" on page 27.

How do I restart my SOHO 6?
1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2. Click Reboot.
3. Wait for the SOHO 6 to complete the process. The MODE light on the front of the SOHO 6 will turn off, then back on. The SOHO 6 takes 30 seconds to boot up.
NOTE: You can also reboot by removing the power source for ten seconds and then restoring power.

How do I reset my System Security pass
CHAPTER 7 Configure Logging 75
View SOHO 6 Log Messages 76
Set up Logging to a WatchGuard Security Event Processor Log Host 77
Set up Logging to a Syslog Host 79
Set the System Time 80
CHAPTER 8 VPN Virtual Private Networking 83
Why Create a Virtual Private Network 83
What You Need 84
Enable the VPN Upgrade 86
Step-by-step Instructions for Configuring a SOHO 6 VPN Tunnel 86
Special Considerations 87
Frequently Asked Questions 87
Set Up Multiple SOHO-SOHO VPN Tunnels 89
Configure Split Tunneling 93
MUVPN Clients 93
View the VPN Statistics 94
CHAPTER 9 SOHO 6 WebBlocker 95
How WebBlocker Works 95
Web site not in the WebBlocker database 96
Web site in the WebBlocker database 96
WatchGuard WebBlocker database unavailable 96
WebBlocker users and groups 97
Bypass the SOHO 6 WebBlocker 97
Purchase and Activate SOHO 6 WebBlocker 97
Configure the SOHO 6 WebBlocker 98
WebBlocker C
inistrator to specify all Internet traffic originating from the Trusted interface of the SOHO 6 to go through the VPN tunnel. Previously, only traffic headed specifically for the other end of the VPN tunnel was sent through the tunnel. Traffic destined for other Internet addresses was sent directly to the Internet. Split tunneling allows a company to centrally enforce an Internet access policy. To set up split tunneling:
1. With your Web browser, go to the System Status page using the trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2. From the navigation bar on the left side, select VPN > Manual VPN. The Manual VPN page appears.
3. Click Add. The Add Gateway page appears.
4. Enter the information to add the gateway. For instructions on completing the Add Gateway page, see "Set Up Multiple SOHO-SOHO VPN Tunnels" on page 89.
5. Type the network IP address of the Local Network.
6. Type 0.0.0.0/0 as the IP address of the Remote Network.
7. Click Submit.

MUVPN Clients
The SOHO 6 can be upgraded to use the MUVPN clients option. This feature allows remote users to securely connect to the SOHO 6 through an IPSec VPN tunnel. The remote user gains access to the local trusted network and networks on Branch Office VPN tunnels terminating at the local SOHO 6. The SOHO 6 also allows users on the Trusted network to acc
ivate your bundled LiveSecurity Service subscription. Activation entitles you to receive threat alert notifications, expert security advice, free anti-virus protection, software updates, technical support by web or phone, and access to extensive online help resources and our user forum. You must also activate to retrieve feature keys for any upgrades you have purchased. Be sure that you have the SOHO 6 serial number handy; you will need this during the registration process.

To register with the LiveSecurity Service:
1. Using your Web browser, go to http://www.watchguard.com/activate.
NOTE: You must have JavaScript enabled on your browser to be able to activate LiveSecurity Service.
If you are a returning customer, log in with your user name and password, then choose your product and continue by following the instructions on screen. If you are a new WatchGuard customer, begin by creating a profile, then follow the instructions on screen for activating a product.

Please use the table below to record your LiveSecurity Service identification information:
Serial Number:
LiveSecurity User Name:
Password:
The SOHO 6 serial number is located on the bottom of the appliance. You create a LiveSecurity Service user name and password when you register your SOHO 6. Please keep this information in a secure place.

Reboot the SOHO 6
To reboot a SOHO 6 locat
k OK to save the settings.

Netscape 6.x
1. Open Netscape.
2. Click Edit > Preferences. The Preferences window appears.
3. From among the categories listed on the left side of the window, click the arrow symbol before the Advanced heading to expand the list.
4. Click Proxies.
5. Verify that the Direct Connection to the Internet option is active.
6. Click OK to save the settings.

Internet Explorer 5.0, 5.5, and 6.0
1. Open Internet Explorer.
2. Click Tools > Internet Options. The Internet Options window appears.
3. Click the Advanced tab.
4. Scroll down the page to HTTP 1.1 Settings.
5. Disable all checkboxes.
6. Click OK to save the settings.

Enable your computer for DHCP
In order to access the special configuration pages on the SOHO 6 after you have physically connected it, your computer must be configured to receive its network IP address by DHCP. For more information regarding network addressing, as well as DHCP, see "Network addressing" on page 31.
NOTE: The configuration instructions in this section are for the Windows 2000 operating system.
1. Click Start > Settings > Control Panel. The Control Panel window appears.
2. Double-click the Network & Dial-up Connections icon.
3. Double-click on the connection you use to access the Internet. The network connection dialog box appears.
4. Clic
k Properties. The network connection Properties dialog box appears.
[Screenshot: the network connection Properties dialog box, listing components including "...haring for Microsoft Networks" and "Internet Protocol (TCP/IP)"]
5. Double-click the Internet Protocol (TCP/IP) component. The Internet Protocol (TCP/IP) Properties dialog box appears.
[Screenshot: the Internet Protocol (TCP/IP) Properties dialog box, General tab, with the options Obtain an IP address automatically / Use the following IP address (IP address, Subnet mask, Default gateway), Obtain DNS server address automatically / Use the following DNS server addresses (Preferred DNS server, Alternate DNS server), and an Advanced button]
6. Select Obtain an IP address automatically.
7. Select Obtain DNS server address automatically.
8. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.
9. Click OK again to close the network connection Properties dialog box.
10. Click Close to close the network connection dialog box.
11. Close the Control Panel window.

Physically connect the SOHO 6
Your SOHO 6 protects a single computer or a multi-computer network. It also functions as a hub to connect a variety of other appliances.

Cabling the SOHO 6 for one to four appliances
Each of the Trusted Network ports, numbered
king
This chapter describes an optional feature of the WatchGuard SOHO 6: Virtual Private Networking (VPN) with IPSec.

Why Create a Virtual Private Network
Virtual Private Networking (VPN) tunnels enable you to securely connect computers in two locations without requiring expensive, dedicated point-to-point data connections. With VPN, you use low-cost connections to the Internet to create a virtual connection between two branch offices. Unlike a simple, unencrypted Internet connection, a VPN connection eliminates any significant risk of data being read or altered by outside users as it traverses the Internet.

What You Need
• One WatchGuard SOHO 6 with VPN and an IPSec-compliant appliance.
NOTE: While you can create a SOHO 6 to SOHO 6 VPN, you can also create a VPN with a WatchGuard Firebox II/III, Firebox Vclass, or other IPSec-compliant appliances.
• The following information from your Internet service provider for both appliances: Static IP address; Primary DNS (Domain Name Service) IP address; optional: if available, a secondary DNS address; Domain name (optional).
• Network addresses and subnet mask for networks. By default, the Trusted network address of the SOHO 6 is 192.168.111.0 and the subnet mask is 255.255.255.0.
NOTE: The internal networks on either end of the VPN tunnel must use different network addresses.
73. ...l access password, define the categories you want to block, and configure WebBlocker groups and users.

Activate WebBlocker
Follow these instructions to activate WebBlocker, create a full-access password, define the inactivity timeout value, and require that your Web users authenticate if you are using the groups and users feature.
1. With your Web browser, go to the SOHO 6 Configuration Settings page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2. From the navigation bar on the left side, select WebBlocker > Settings. The WebBlocker Settings page appears. [Screenshot: WebBlocker Settings page with the Enable WebBlocker checkbox, Full Access Password field, Inactivity Timeout (minutes) field, Require Web users to authenticate checkbox, and a Submit button.]
3. Select Enable WebBlocker.
4. Enter the full access password. The full access password allows a user to bypass otherwise blocked sites, so treat it like any other credential: anyone who learns it can bypass WebBlocker entirely.
5. Enter the inactivity timeout in minutes. For example, setting the inactivity timeout to 15 minutes ensures that unattended Web browsers are disconnected after sitting idle for 15 minutes.
6. If you intend to use WebBlocker groups
74. ...m a computer running an operating system other than Windows, such as a Macintosh or Linux OS, you must update your firmware from this configuration page as firmware versions are released. This is because WatchGuard installation applications are only built for Windows platforms.
3. Read through the End User License Agreement, then select the "I accept the above license agreement" checkbox at the bottom of the page. [Screenshot: the license-acceptance checkbox and a Select file field with a Browse button.]
4. Enter the location of the firmware files on your computer.
5. If you do not know the location of the firmware files, click Browse to browse your computer's directories and select them.
6. Click Update. Follow the instructions provided by the Update Wizard.
NOTE: The Update Wizard requests a user name and password. These values correspond to the System Administrator Name and System Passphrase configured on the System Security page. The default values are "User" and "Pass". Because these defaults are published, change them on the System Security page before you rely on them to protect firmware updates.

Redeem your SOHO 6 Upgrade Options
When you purchase a SOHO 6, the software for all upgrade options is provided with the unit, regardless of whether you have actually purchased any of those options. The Feature Key that enables these software options is stored within the SOHO 6. Once you purchase an upgrade option and redeem it at the LiveSecurity Service Web site, you will receive a Feature Key which
75. ...m responsible for this task is known as TCP/IP. TCP (Transmission Control Protocol) manages the assembly and reassembly of data (for example, an email message or program file) into smaller chunks of data called packets. IP (Internet Protocol) takes these packets and wraps them up with a header identifying both where the information is going and how it is handled en route.

IP addresses
An IP address defines the specific computer on the Internet that sends or receives a packet. Every computer directly reachable on the Internet has a unique address, including the external interface of your SOHO 6; the computers behind the SOHO 6 use private trusted-network addresses and share its external address when they reach the Internet. When defining a service behind a firewall, you need to include the trusted network address of the computer hosting the application. On the Internet, computers are addressed by a string of numbers (the IP address); the Domain Name System translates a host name such as www.watchguard.com, as found in a URL (Uniform Resource Locator), into that address.

Protocol
A protocol defines how a packet is bundled and packaged for shipment across a network. The most commonly used protocols are TCP and UDP (User Datagram Protocol). In addition, there are a variety of IP protocols that are less frequently used.

Port numbers
Port numbers are used by the computers at both the sending and receiving end to determine the particular program or application for each connection.

How Does the SOHO 6 Process Information?
Services
A service is the combination of protocol(s) an
76. ...n fails, the optional port (OPT) connection is initiated and used.
- If the optional port (OPT) connection fails, the external port (EXT) connection is opened and used.
If both connections fail, the SOHO 6 repeatedly tries both the external and optional ports until a connection is made. There is no automatic return to the external port (EXT) when it comes back online unless you use PPPoE to assign IP addresses: once the fail-over has switched to the optional port (OPT), the administrator has to change the configuration back to the external port (EXT) when it comes back online.

If you use PPPoE, you can set an inactivity timeout that disconnects the link when no TCP connections are active, until traffic resumes. For information on setting up PPPoE, see "Configure the SOHO 6 External Network for PPPoE" on page 34. With PPPoE, fail-over behaves as follows: if your external port (EXT) connection fails, the optional port (OPT) connection is initiated and used. The optional port (OPT) stays connected until the inactivity timeout expires. When traffic resumes, the SOHO 6 attempts to connect with the external port (EXT) first; if this connection is active, the external port (EXT) becomes the active port again. If the external port (EXT) is still unavailable, the SOHO 6 attempts to connect with the optional port (OPT).

Chapter 4 Configure the Network Interfaces
Once you have upgraded the SOHO 6 to activate this feature, follow these instructions to configure Dual ISP P
77. [Network Statistics page output, ifconfig-style: link encapsulation Ethernet, hardware (MAC) address, inet address of the interface, and RX/TX packet, error, broadcast and discard counters.] [Navigation bar: Incoming, Outgoing, Custom Service, Blocked Sites, Firewall Options, Pass Through, Trusted Network.]

Configure the Dynamic DNS Service
This feature allows you to register the external IP address of the SOHO 6 with a dynamic DNS (Domain Name Server) service, www.dyndns.org. The service keeps the customer's DNS record pointing at the SOHO 6 when its dynamically assigned IP address is reassigned.
1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
NOTE: WatchGuard is not affiliated with dyndns.org.
2. From the navigation bar on the left side, select Network > DynamicDNS. The Dynamic DNS client page appears. [Screenshot: Dynamic DNS client page with the Enable Dynamic DNS client checkbox, Domain Name and Password fields, and Submit and Reset buttons.]
3. Select the Enable Dynamic DNS client checkbox.
4. Enter the domain name and password in the appropriate fields. These are your dyndns.org account credentials, which the SOHO 6 presents to dyndns.org when it updates the record.
NOTE: The SOH
78. ...ndent application; the rest of the configuration is done in the SOCKS-dependent application. Different applications may have variations in their settings, but you configure the SOCKS-dependent application, using its own user interface, with the parameters that allow the SOHO 6 to pass SOCKS traffic:
- If different services or versions of SOCKS are available, select SOCKS version 5.
- Select port 1080 for the application.
- For the SOCKS proxy, enter the URL or IP address of the SOHO 6 trusted network interface. The default IP address is 192.168.111.1.

Chapter 6 Configure the Firewall Settings
Disabling SOCKS on the SOHO 6
Once you use a SOCKS-compliant application through the SOHO 6, the SOCKS port is available to anyone on your trusted network. You can close this security gap between uses of SOCKS applications:
1. Enable the checkbox labeled Disable SOCKS proxy. This stops the SOHO 6 from acting as a SOCKS proxy.
2. Click Submit.
When you need to use SOCKS again, follow this procedure:
1. Clear the checkbox labeled Disable SOCKS proxy. This enables the SOHO 6 to act as a SOCKS proxy.
2. Click Submit. The SOHO 6 is enabled again as a proxy server and ready to pass SOCKS packets.

Logging all allowed outbound traffic
By default the SOHO 6 logs only particular events and not all traffic passing through it. For the most part, the SOHO 6 records denied traffic. However, the SOHO 6
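After ticking Disable SOCKS proxy it is worth confirming from a trusted-network host that the SOHO 6 really has stopped answering on TCP/1080. The following is an added example written for this page, not WatchGuard code: it performs the standard SOCKS version 5 method negotiation (RFC 1928), in which the client sends VER=5, NMETHODS, METHODS and the server answers VER=5, METHOD (0xFF meaning no acceptable method). The parser is exercised offline on constructed replies; probe_socks5() does the live check. The default host is the SOHO 6's default trusted address, and the result labels are this example's own.

```python
"""Added example (not WatchGuard code): check from a host on the trusted
network whether the SOHO 6 still answers as a SOCKS proxy on TCP/1080,
for instance after ticking "Disable SOCKS proxy".

Greeting and reply layout follow the SOCKS version 5 method negotiation
(RFC 1928). The parser runs offline on constructed replies; probe_socks5()
does the live check against the SOHO 6's default trusted address.
"""
import socket

SOCKS_PORT = 1080
NO_AUTH = 0x00
NO_ACCEPTABLE = 0xFF

def build_greeting(methods=(NO_AUTH,)) -> bytes:
    """SOCKS5 client greeting: VER, NMETHODS, METHODS."""
    return bytes([0x05, len(methods), *methods])

def parse_method_reply(reply: bytes) -> str:
    """Classify the two-byte method-selection reply."""
    if len(reply) < 2 or reply[0] != 0x05:
        return "not-socks5"          # something else (or nothing) answered
    if reply[1] == NO_ACCEPTABLE:
        return "socks5-refused"      # SOCKS5 server, but rejects our method
    return "socks5-open"             # proxy accepted a method: still serving

def probe_socks5(host="192.168.111.1", port=SOCKS_PORT, timeout=3.0) -> str:
    """Connect, send the greeting and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_greeting())
            return parse_method_reply(s.recv(2))
    except OSError:                  # refused, unreachable, or timed out
        return "closed"

if __name__ == "__main__":
    # Constructed replies, then the live probe of the default trusted address
    for sample in (b"\x05\x00", b"\x05\xff", b"HTTP/1.1 400 Bad Request"):
        print(sample[:2], "->", parse_method_reply(sample))
    print("192.168.111.1:1080 ->", probe_socks5())
```

"socks5-open" means the proxy is still serving clients on the trusted network; "closed" or "not-socks5" is what you want to see after disabling it. Run the probe again after every re-enable/disable cycle, since the page notes the port is open to everyone on the trusted network while SOCKS is enabled.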
79. [Screenshot: System Status page, logging and time section. Logging Options: WSEP Logging Disabled, WSEP Log Host 0.0.0.0 (Configure); Syslog Logging Disabled, Syslog Host 0.0.0.0 (Configure). System Time: Time Zone, DST Disabled, Time Source WatchGuard Time Server, Current Time 2002-11-23 00:27:15, Sync Time With Browser Now.]
NOTE: The SOHO 6 displays the latest entry at the top of the Event Log.

To synchronize the SOHO 6 clock with your computer:
- Click Sync Time with Browser Now. The SOHO 6 also synchronizes its time at startup. Accurate time matters for logging: the event log is ordered by the SOHO 6's clock, and its entries can only be correlated with other hosts' logs if the clocks agree.

Set up Logging to a WatchGuard Security Event Processor Log Host
The WSEP (WatchGuard Security Event Processor) is an application available with the WatchGuard Firebox System software used by a Firebox II/III. The WSEP application runs on a dedicated log host and records log messages generated by the Firebox II/III. If you have a Firebox II/III and have configured the WSEP to accept logs from your SOHO 6, follow these instructions to send your event logs to the WSEP.
1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2. From the navigation bar on the lef
80. ...nt depiction of bodily functions.
Violence/Profanity: Pictures or text exposing extreme cruelty or profanity. Cruelty is defined as physical or emotional acts against any animal or person that are primarily intended to hurt or inflict pain. Topic includes obscene words, phrases and profanity in either audio, text or pictures.
Search Engines: Search engine sites such as AltaVista, InfoSeek, Yahoo and WebCrawler.
Sports and Leisure: Pictures or text describing sporting events, sports figures or other entertainment activities.
Sex Education: Pictures or text advocating the proper use of contraceptives. Topic includes sites devoted to the explanation and description of condoms, oral contraceptives, intrauterine appliances and other types of contraceptives. It also includes discussion sites devoted to conversations with partners about sexually transmitted diseases, pregnancy and sexual boundaries. Not included in this category are commercial sites selling sexual paraphernalia (topics included under Sexual Acts).

Chapter 9 SOHO 6 WebBlocker
Sexual Acts: Pictures or text exposing anyone or anything involved in explicit sexual acts and/or lewd and lascivious behavior. Topic includes masturbation, copulation, pedophilia, as well as intimacy involving nude or partially nude people in heterosexual, bisexual, lesbian or homosexual encounters. It also includes phone sex advertisements, dating services, adult person
81. ...omote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)."
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
82. ...on bar on the left side, select Firewall > Firewall Options. The Firewall Options page appears. [Screenshot: Firewall Options page with the checkboxes Do not respond to PING requests received on External Network; Do not allow FTP access to Trusted Network interface; Disable SOCKS proxy; Log All Allowed Outbound Access; Enable override MAC address for the External Network, with an External Network override MAC address field; and Submit and Reset buttons.]

Chapter 6 Configure the Firewall Settings
Ping requests received on the External Network
You can configure the SOHO 6 to deny all ping packets that it receives on the external interface. This keeps the SOHO 6 from confirming to outside scanners that its address is in use.
1. Select Do not respond to PING requests received on External Network.
2. Click Submit.

Denying FTP access to the Trusted Network interface
You can configure the SOHO 6 to deny FTP access to the Trusted interface.
1. Select Do not allow FTP access to Trusted Network.
2. Click Submit.

SOCKS implementation for the SOHO 6
SOCKS is a network proxy filter that works with SOCKS-aware applications. A typical SOCKS-dependent application requires that several sockets be opened and made available to the Internet. When a SOCKS-aware application (ICQ is an example) registers with the SOCKS ser
83. ...on, excluding the 1980 United Nations Convention on Contracts for the International Sale of Goods, as amended. This is the entire EULA between us relating to the contents of this package and supersedes any prior purchase order, communications, advertising or representations concerning the SOFTWARE PRODUCT.
BY USING THE SOFTWARE PRODUCT YOU AGREE TO THESE TERMS. IF THE SOFTWARE PRODUCT IS BEING USED BY AN ENTITY, THE INDIVIDUAL INDICATING AGREEMENT TO THESE TERMS REPRESENTS AND WARRANTS THAT (A) SUCH INDIVIDUAL IS DULY AUTHORIZED TO ACCEPT THIS EULA ON BEHALF OF THE ENTITY AND TO BIND THE ENTITY TO THE TERMS OF THIS EULA; (B) THE ENTITY HAS THE FULL POWER, CORPORATE OR OTHERWISE, TO ENTER INTO THIS EULA AND PERFORM ITS OBLIGATIONS UNDER THIS EULA; AND (C) THIS EULA AND THE PERFORMANCE OF THE ENTITY'S OBLIGATIONS UNDER THIS EULA DO NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO WHICH THE ENTITY IS A PARTY.
No change or modification of this EULA will be valid unless it is in writing and is signed by WATCHGUARD.

Notice to Users
Information in this guide is subject to change without notice. Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies
84. ...on the trusted side. Its main function is to provide a remote office or telecommuter with a separate network behind the SOHO 6 firewall, one with secure access to the corporate network while the other connection is used for non-corporate functions. When the optional port is activated with this upgrade, a separate subnet is defined that is distinct from that used by the Trusted ports. By default, the subnet for the optional port is 192.168.112.0. Once you have upgraded the SOHO 6 to activate this feature, follow these instructions to configure the VPNforce port.
1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.

Chapter 4 Configure the Network Interfaces
2. From the navigation bar on the left side, select Network > Optional. The Optional Network Configuration page appears. [Screenshot: Optional Network Configuration page with Enable Optional Network; IP Address; Subnet Mask; Enable DHCP Server on Optional Network; First address for DHCP
85. ...one WatchGuard Firebox II/III configured with the WatchGuard VPN Manager.
- Each appliance must be able to send messages to the other. If either appliance has a dynamically assigned IP address (see "Network addressing" on page 31 for an explanation of dynamic IP addresses), the other appliance cannot reliably find it. (The manual VPN setup described in "Set Up Multiple SOHO-SOHO VPN Tunnels" allows a dynamic address on one end when Aggressive Mode is used.)
- Both appliances must use the same encryption method. The two choices are DES or 3DES. Use 3DES wherever both ends support it: single DES has only a 56-bit key and is no longer considered adequate protection.
- When connecting two Microsoft Windows NT networks, the two networks must be in the same Microsoft Windows domain or be trusted domains. This is a Microsoft Networking design implementation and not a limitation of the SOHO 6.

Frequently Asked Questions
Why do I need a static external address? To create a VPN connection, one SOHO 6 must be able to find its partner appliance. If the addresses are allowed to change, the SOHO 6 will not find its remote peer.
How do I get a static external IP address? Contact your ISP. Many systems use dynamically assigned addresses to simplify basic installations. Some providers also use this feature to discourage users from creating Web servers. These providers usually offer a static IP address option.
How do I troubleshoot the connection? If you are able to ping the remote SOHO 6 and the computers behind it, your VPN tunnel is up and running. Any remaining problems are probably caused by MS Networking or the applic
86. ...ort.
1. Connect one end of a straight-through Ethernet cable to the OPT port and the other end to the source of the secondary (fail-over) External network connection. This can be a DSL or cable modem or a hub.
2. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
3. From the navigation bar on the left side, select Network > Dual ISP. The Dual ISP Options page appears. [Screenshot: Dual ISP Options page with Enable Dual ISP; Host to ping on External; Host to ping on Optional (192.168.203.1 in the example); Ping interval in seconds (3600); Reply Timeout in seconds; No reply limit; Submit and Reset buttons.]
4. Select the Enable Dual ISP checkbox.
5. Enter the IP address of a host to ping through the External interface.
6. Enter the IP address of a host to ping through the Optional (fail-over) interface. Pick hosts that are reliably reachable only through the interface being tested, such as each ISP's gateway; a host that drops pings for its own reasons causes spurious fail-overs.
7. Enter how many seconds to wait between pings.
8. Enter how long, in seconds, to wait for a reply.

Configure OPT Port Upgrades
9. Enter the number of consecutive pings without a reply after which the system declares the interface down.
10. Click Submit.

Configure VPNforce Port
The VPNforce port upgrade activates the SOHO 6 optional port for use
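The fail-over rules in this chapter (probe each link, switch to OPT when EXT stops answering, no automatic return to EXT unless PPPoE is used, keep retrying when both are down) interact with the three Dual ISP Options parameters in ways that are easiest to see by tracing them. The following is an added example written for this page, not WatchGuard's implementation: it models that logic driven by probe results instead of real ICMP, so the behaviour can be traced offline. The ping hosts, the `auto_return` flag standing in for the PPPoE case, and the exact point at which a link is declared down (no-reply limit consecutive misses) are this example's reading of the text.

```python
"""Added example (not WatchGuard code): a model of the Dual ISP fail-over
logic described above, driven by probe results rather than real ICMP.

Parameters mirror the Dual ISP Options page: host to ping on each
interface, ping interval, reply timeout and no-reply limit. A link is
treated as down after `no_reply_limit` consecutive probes with no reply.
After a fail-over to OPT the unit does not return to EXT by itself unless
PPPoE is in use; `auto_return` models that PPPoE case.
"""
from dataclasses import dataclass

@dataclass
class Link:
    name: str
    ping_host: str
    misses: int = 0          # consecutive probes with no reply

class DualIsp:
    def __init__(self, ext_ping_host, opt_ping_host, ping_interval=3600,
                 reply_timeout=10, no_reply_limit=3, auto_return=False):
        self.ext = Link("EXT", ext_ping_host)
        self.opt = Link("OPT", opt_ping_host)
        self.ping_interval = ping_interval    # seconds between probe cycles
        self.reply_timeout = reply_timeout    # seconds to wait for each reply
        self.no_reply_limit = no_reply_limit
        self.auto_return = auto_return
        self.active = self.ext                # EXT is the primary link
        self.events = []

    def link_down(self, link):
        return link.misses >= self.no_reply_limit

    def probe(self, ext_replied, opt_replied):
        """One monitoring cycle; returns the name of the active interface."""
        for link, replied in ((self.ext, ext_replied), (self.opt, opt_replied)):
            link.misses = 0 if replied else link.misses + 1
        standby = self.opt if self.active is self.ext else self.ext
        if self.link_down(self.active):
            if self.link_down(standby):
                self.events.append("both links down; retrying")
            else:
                self.events.append(f"fail-over {self.active.name} -> {standby.name}")
                self.active = standby
        elif (self.auto_return and self.active is self.opt
              and not self.link_down(self.ext)):
            self.events.append("EXT reachable again; returning to EXT")
            self.active = self.ext
        return self.active.name

def run_scenario(results, **kwargs):
    """Feed (ext_replied, opt_replied) pairs; return the active-link trace."""
    # Ping hosts are constructed documentation addresses, not real ISP gateways
    d = DualIsp("203.0.113.1", "192.168.203.1", **kwargs)
    return [d.probe(e, o) for e, o in results], d.events

if __name__ == "__main__":
    outage = [(True, True), (False, True), (False, True), (True, True)]
    print(run_scenario(outage, no_reply_limit=2))                    # stays on OPT
    print(run_scenario(outage, no_reply_limit=2, auto_return=True))  # PPPoE case
```

With the page's default interval of 3600 seconds and a no-reply limit of 3, an EXT outage is only acted on after roughly three hours; shorten the interval if that is too slow for your users, and remember that without PPPoE the trace ends on OPT until an administrator switches the configuration back.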
87. [Fragment of the WatchGuard End User License Agreement; this page is garbled in the source and only the following parts are recoverable.]
...press written permission from WATCHGUARD; ... reverse engineer, disassemble or decompile the SOFTWARE PRODUCT; (B) use, copy, modify, merge or transfer copies of the SOFTWARE PRODUCT or documentation except as ...; ... make a copy for any purpose other than to replace the original materials in the event they are destroyed or become defective; (D) sublicense, lease or rent the SOFTWARE PRODUCT, or transfer this license to another party unless the transfer is permanent, the recipient party agrees to the terms of this EULA, and you do not retain any copies of the SOFTWARE PRODUCT.

Limited Warranty
WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WATCHGUARD or an authorized dealer:
A. Media. The disks and documentation will be free from defects in materials and workmanship under normal use. If the disks or documentation fail to conform to this warranty, you may, as your sole and exclusive remedy, obtain a replacement free of charge if you return the defective disk or documentation to us with a dated proof of purchase.
B. SOFTWARE PRODUCT. The SOFTWARE PRODUCT will materially conform to the documentation that accompanies it. If the SOFTWARE PRODUCT fails to operate in accordance with this warranty, ...
88. ...r Web browser, go to the System Status page of the SOHO 6 using the default IP address of the Trusted Network: http://192.168.111.1.

Chapter 3 SOHO 6 Basics
The System Status page appears. [Screenshot: SOHO 6 Configuration, System Status page. Welcome text: "The standard configuration provides basic protection against network security attacks. Through this site you can customize the SOHO to meet your specific security needs. If you need assistance, click Help for information about what each of the configuration options means." Tables: Component/Version (Firewall, BootROM, Platform, Serial Number); Feature/Status (WSEP Logging, VPN Manager Access, Syslog, Pass Through, each shown Disabled with a Configure link); Upgrade Option/Status (User Licenses 10, Managed VPN Disabled, Manual VPN 0 configured, MUVPN Clients Not installed, WebBlocker Disabled, Dual ISP Not installed, VPNforce Not installed).]
The System Status page is effectively the home page of the SOHO 6. It presents a comprehensive display of the SOHO 6 configuration, including:
- the firmware version
- the serial number of the appliance
- a few of the SOHO 6 featu
89. ...res and their status: WSEP Logging, VPN Manager Access, Syslog, Pass Through
- upgrade options and their status
- configuration information for both the Trusted and External networks. NOTE: When the External network is configured to use the PPPoE Client, the page also displays a Connect or Disconnect button to initiate or terminate the PPPoE connection.
- configuration information on firewall settings: Incoming and Outgoing services
- a Reboot button to restart the SOHO 6

Default Factory Settings
Your SOHO 6 has the following default network and configuration settings.
External Network: External network settings use DHCP.
Trusted Network: The trusted network IP address is 192.168.111.1. All computers on the trusted network automatically receive their addresses using DHCP.
Firewall Settings: All incoming services are blocked. An outgoing service allows all outbound traffic. None of the Firewall Options are enabled. The DMZ pass-through is disabled.
System Security: System Security is disabled and no System Administrator name or passphrase is set; the configuration pages are available to everyone on the trusted network. SOHO 6 Remote Management is disabled. VPN Manager Access is disabled. No remote logging is configured. Because of this default, set a System Administrator name and passphrase on the System Security page as the first step after the unit is reachable: until you do, any computer on the trusted network (or malicious software on it) can change every setting described in this guide, including the firewall rules and the firmware.
WebBlocker: WebBlocker is disabled and no settings are con
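The chapters on services (protocol plus port numbers), the factory firewall defaults (all incoming blocked, all outbound allowed, no Firewall Options enabled) and the Firewall Options page (drop external pings, deny FTP to the trusted interface, disable SOCKS, log all allowed outbound) describe one policy from three angles. The following is an added example written for this page, not WatchGuard code: a small model of that policy that can be evaluated against sample flows, so the effect of each option is visible before it is changed on a live unit. The Flow and Policy field names are this example's own, not SOHO 6 configuration keys, and "Disable SOCKS proxy" is modelled as refusing connections to port 1080 on the trusted interface.

```python
"""Added example (not WatchGuard code): a model of the SOHO 6 policy as
this chapter describes it. A service is a protocol plus its port numbers;
the factory policy blocks all incoming services, allows all outbound
traffic and enables none of the Firewall Options. Field names are this
example's own, not SOHO 6 configuration keys.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Service:
    name: str
    protocol: str                # "tcp", "udp" or "icmp"
    ports: Tuple[int, ...] = ()  # empty means any port (icmp has none)

@dataclass
class Flow:
    direction: str               # "in" (arriving on External) or "out" (from Trusted)
    protocol: str
    dst_port: Optional[int]
    to_trusted_interface: bool = False   # aimed at the SOHO 6's own trusted address

@dataclass
class Policy:
    incoming_allowed: List[Service] = field(default_factory=list)  # factory: none
    outgoing_allow_all: bool = True                                  # factory default
    drop_external_ping: bool = False        # "Do not respond to PING requests..."
    deny_ftp_to_trusted_if: bool = False    # "Do not allow FTP access to Trusted Network"
    disable_socks: bool = False             # "Disable SOCKS proxy" (modelled on port 1080)
    log_all_allowed_outbound: bool = False  # "Log All Allowed Outbound Access"

FTP = Service("FTP", "tcp", (21,))
SOCKS = Service("SOCKS", "tcp", (1080,))
HTTP = Service("HTTP", "tcp", (80,))

def matches(service: Service, flow: Flow) -> bool:
    return service.protocol == flow.protocol and (
        not service.ports or flow.dst_port in service.ports)

def evaluate(policy: Policy, flow: Flow) -> Tuple[str, bool]:
    """Return (verdict, logged). Denied traffic is logged by default, as the
    manual says; allowed outbound traffic only with the logging option."""
    if flow.direction == "in":
        if flow.protocol == "icmp":          # pings aimed at the external interface
            return ("deny", True) if policy.drop_external_ping else ("allow", False)
        if any(matches(s, flow) for s in policy.incoming_allowed):
            return "allow", False
        return "deny", True                  # default deny for incoming services
    # outbound from the trusted network
    if flow.to_trusted_interface:
        if policy.deny_ftp_to_trusted_if and matches(FTP, flow):
            return "deny", True
        if policy.disable_socks and matches(SOCKS, flow):
            return "deny", True
    if policy.outgoing_allow_all:
        return "allow", policy.log_all_allowed_outbound
    return "deny", True

FACTORY = Policy()
HARDENED = Policy(drop_external_ping=True, deny_ftp_to_trusted_if=True,
                  disable_socks=True, log_all_allowed_outbound=True)

if __name__ == "__main__":
    probes = [Flow("in", "tcp", 80), Flow("in", "icmp", None),
              Flow("out", "tcp", 443), Flow("out", "tcp", 1080, True)]
    for name, pol in (("factory", FACTORY), ("hardened", HARDENED)):
        for f in probes:
            print(f"{name:8} {f.direction:3} {f.protocol:4} {f.dst_port!s:5} -> {evaluate(pol, f)}")
```

Two things the trace makes concrete: the factory unit answers pings from the Internet and allows every outbound connection without logging it, so a compromised trusted host can talk out unnoticed; and adding an incoming service (the `Policy(incoming_allowed=[HTTP])` case) is the only way inbound traffic is ever allowed.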
90. ...rom the rest of the Trusted network. Follow these steps to configure a pass-through:
1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2. From the navigation bar on the left side, select Firewall > Pass Through. The Unrestricted Pass Through IP Address page appears. [Screenshot: Enable pass-through address checkbox; Address to pass through field (208.253.208.103 in the example); Submit and Reset buttons.]
3. Select Enable pass-through address.
4. Enter the IP address of the pass-through machine in the appropriate field. This must be a public IP address; in our example, 208.253.208.103.
5. Click Submit.
NOTE: Use of the Pass Through feature increases the security risk to computers on the Trusted network. The pass-through computer is exposed to the Internet without the firewall's protection, yet it resides on the same Ethernet segment as the Trusted network, so if it is compromised the attacker is already inside the firewall. If you are not completely and thoroughly familiar with the risks involved, and the Trusted network computers are not protected from potential threats, do not use the Pass Through feature.

Chapter 6 Configure the Firewall Settings
91. ...s. [Screenshot: VPN Manager Access page with Enable VPN Manager Access; Status Passphrase; Confirm Status Passphrase; Configuration Passphrase; Confirm Configuration Passphrase; Submit and Reset buttons.]
3. Select Enable VPN Manager Access.
4. Enter the status passphrase and confirm it.
5. Enter the configuration passphrase and confirm it. The configuration passphrase is the one that allows the VPN Manager to change the unit's settings; choose a strong value and do not reuse the status passphrase for it.
NOTE: These two settings must exactly match the passphrases used in the VPN Manager or the connection will fail.
6. Click Submit.

Chapter 5 Administrative Options
Update Your Firmware
As new firmware is released, you should update the version running on your SOHO 6. New updates are located on the WatchGuard Web site at http://support.watchguard.com/sohoresources. Download the new firmware file from the Web site and save it to a known location on your management station. Once you have downloaded the firmware, follow these steps to update the version running on your SOHO 6.
1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2. From the navigation bar on the left side, select Administration > Update. The Update page appears.
NOTE: If you are managing your SOHO 6 fro
92. ...s" on page 25. For specialized configurations, see "Configure Your External Network" on page 31 as well as "Configure the Trusted Network" on page 36.

Cabling the SOHO 6 for more than four computers
While there are only four numbered Ethernet ports (labeled 0-3) on the back of the SOHO 6, it is possible to connect more devices to your SOHO 6 using network hubs. [Diagram: Internet, cable or DSL modem on the telephone/DSL line, Ethernet cable to the Firebox SOHO 6, Ethernet cable to an Ethernet hub, protected computers on the hub.]
The SOHO 6 ships with a 10-seat license. In other words, the SOHO 6 allows up to ten computers on a network behind it to access the Internet. More than ten computers can exist on the network and communicate with each other, but only the first ten that attempt to access the Internet are allowed through the SOHO 6. A seat is taken when a computer connects to the Internet. To upgrade your SOHO 6 user license, please visit http://www.watchguard.com/sales/buyonline.asp.
You need these additional items:
- One or more Ethernet hubs
- An Ethernet cable with RJ-45 connectors for each computer to connect to the SOHO 6
- An Ethernet cable to connect each hub to the SOHO 6
1. Shut down your computer. If you connect to the Internet using a DSL or cable modem, disconnect the power from this device.

Chapter 2 Installation
93. ...s selected, each new key that is negotiated is derived from a fresh Diffie-Hellman exchange instead of from the single Diffie-Hellman exchange performed when the tunnel was first set up. Enabling this option provides more security, because a compromised key does not expose the keys negotiated before or after it, but it takes more time because of the additional exchange. Enable the Generate IKE Keep Alive Messages checkbox to keep a VPN tunnel from going down because of time-out conditions. A small amount of traffic is sent across the VPN tunnel to keep it alive and functioning. If the tunnel fails for any reason, the SOHO 6 initiates a rekey of the tunnel to restore it. This checkbox is enabled by default.

Phase 2 settings can be left at the defaults shown or modified as desired. To modify Phase 2 settings, complete the following steps. Make sure that the Phase 2 settings on this device are the same as on the peer device.
1. In the Authentication Algorithm drop list, specify the authentication: None (no authentication), MD5-HMAC (128-bit authentication) or SHA1-HMAC (160-bit authentication).
2. In the Encryption Algorithm drop list, specify the type of encryption: None (no encryption), DES-CBC or 3DES-CBC. Choose SHA1-HMAC and 3DES-CBC unless the peer cannot support them: "None" leaves the tunnel traffic unprotected in that respect, single DES has only a 56-bit key, and MD5 is the weaker of the two hash options.
3. Enter how many kilobytes until key expiration.
4. Enter how many hours until key expiration.
5. Add the IP addresses of the local and remote networks that will use the Phase 2 negotiation.
6. Click Submit.

Configure Split Tunneling
Another new feature in this release is split tunneling, which allows the adm
94. ...s to achieve their goals. It also includes pages devoted to how-to information on the making of weapons for both lawful and unlawful reasons, ammunition and pyrotechnics.
Drug Culture: Pictures or text advocating the illegal use of drugs for entertainment. This category includes substances that are used for other than their primary purpose to alter the individual's state of mind, such as glue sniffing. This does not include (that is, if this category is selected, these sites would not be blocked under it) currently illegal drugs legally prescribed for medicinal purposes, such as drugs used to treat glaucoma or cancer.
Satanic/Cult: Pictures or text advocating devil worship, an affinity for evil or wickedness, or the advocacy to join a cult. A cult is defined as a closed society that is headed by a single individual, where loyalty is demanded and leaving is punishable.
Intolerance: Pictures or text advocating prejudice or discrimination against any race, color, national origin, religion, disability or handicap, gender or sexual orientation. Any picture or text that elevates one group over another. Also includes intolerant jokes or slurs.

WebBlocker Categories
Gross Depictions: Pictures or text describing anyone or anything that is either crudely vulgar, grossly deficient in civility or behavior, or shows scatological impropriety. Topic includes depictions of maiming, bloody figures and indece
95. ...server; WINS Server Address; DNS Server Address; Secondary DNS Server Address; DNS Domains; Enable DHCP Relay on Optional Network; DHCP relay server; Allow traffic between Optional Network and Trusted Network; Require encrypted MUVPN connections on this interface; Submit and Reset buttons.]
3. To enable VPNforce, select the Enable Optional Network checkbox.
4. Enter the configuration information (IP address, DHCP Server and DHCP Relay) for the Optional interface; this is the same process as configuring the Trusted network. For specific instructions on these fields, see "Configure the Trusted Network" on page 36.
5. To allow traffic between the Optional and Trusted networks, enable the Allow traffic between Optional Network and Trusted Network checkbox. Leave it clear if the point of the optional network is to keep the telecommuter's non-corporate traffic separated from the Trusted network: enabling it removes that separation.

Configure OPT Port Upgrades
6. To require encrypted MUVPN connections on this interface, enable the Require Encrypted MUVPN connections on this interface checkbox.
7. Click Submit.

Chapter 5 Administrative Options
The SOHO 6 Administration page is where you configure access to the SOHO 6 using System Security, enable SOHO 6 Remote Management, or provide VPN Manager Access. You can also update the firmware and enter the feature key for any upgrade options you have purchased and redeemed at the LiveSec
96. ...t it to the network the same way you did in "Cabling the SOHO 6 for more than four computers" on page 20. Restart the computer.
2. Set the computers to obtain their addresses using DHCP. For instructions, see "Enable your computer for DHCP" on page 16.
3. Turn off and restart each computer.

Configure the Trusted Network with static addresses
To disable the SOHO 6 DHCP server and assign addresses statically, follow these steps:
1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2. From the navigation bar on the left side, select Network > Trusted. The Trusted Network Configuration page appears. [Screenshot: Trusted Network Configuration page with IP Address (192.168.111.1); Subnet Mask (255.255.255.0); Enable DHCP Server on Trusted Network; First address for DHCP server; WINS Server Address; DNS Server Address; Secondary DNS Server Address; DNS Domain suffix; Enable DHCP Relay; DHCP relay server; Submit and Reset buttons.]
3. Enter the IP address and the Subnet Mask in the appropriate
Chapter 7 Configure Logging: WatchGuard Security Event Processor Logging (continued)

2 From the navigation bar on the left side, select Logging > WSEP Logging. The WatchGuard Security Event Processor page appears.

[Screenshot: WatchGuard Security Event Processor Logging page, with the Enable WatchGuard Security Event Processor Logging checkbox, Log Host IP Address (0.0.0.0), Log Encryption Key, Confirm Key, and Submit/Reset buttons.]

3 Select Enable WatchGuard Security Event Processor Logging.
4 Enter the IP address of the WSEP server, that is, your log host, in the appropriate field. In our example, 192.168.111.5.
5 In the Log Encryption Key field, enter a passphrase and confirm it.
6 Click Submit.

NOTE: This encryption key must be identical to the one configured in the WSEP. If the two keys differ, the WSEP cannot process the SOHO 6 log stream, so after changing the key on either side confirm that new entries are still arriving at the log host.

Set up Logging to a Syslog Host

The SOHO 6 also sends log entries to a Syslog host. Syslog has no equivalent of the WSEP encryption key; plain syslog travels in the clear, so place the syslog host on the trusted network. Follow these steps to set up a Syslog host:
1 With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2 From the navigation bar on the left side, select Logging > Syslog Logging. The Syslog Logging page appears.

[Screenshot: Syslog Logging page ...]
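A receiver for the syslog stream described above, written for this edition as an added example (it is not code from the user guide or from WatchGuard). It decodes the classic RFC 3164 style <PRI> prefix (PRI = facility * 8 + severity) and the timestamp and host that follow it, which is what a practitioner needs in order to do anything useful with the entries on the log host. The guide does not show the SOHO 6's own message format, so the sample lines at the bottom are constructed for the example; only the PRI/timestamp/host framing is assumed.

```python
"""Minimal syslog receiver for a SOHO 6 log host (added example, not from the guide)."""
import re
import socket
from typing import Dict, List, Optional

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
            "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# <PRI>, then optionally "Mmm dd hh:mm:ss HOST ", then the free-form message.
_LINE = re.compile(
    rb"^<(?P<pri>\d{1,3})>"
    rb"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) )?"
    rb"(?P<msg>.*)$",
    re.DOTALL,
)


def parse_syslog(datagram: bytes) -> Optional[Dict[str, object]]:
    """Decode one syslog datagram; None if it carries no valid PRI header."""
    m = _LINE.match(datagram.rstrip(b"\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITY[facility],
        "severity": SEVERITY[severity],
        "timestamp": (m.group("ts") or b"").decode("ascii", "replace"),
        "host": (m.group("host") or b"").decode("ascii", "replace"),
        "message": m.group("msg").decode("utf-8", "replace"),
    }


def serve(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Listen for UDP syslog from the SOHO 6 and print decoded entries (port 514 needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        while True:
            data, (src, _) = s.recvfrom(4096)
            entry = parse_syslog(data)
            if entry is None:
                print(f"{src}: unparseable datagram {data[:60]!r}")
                continue
            print(f"{src} {entry['facility']}.{entry['severity']} "
                  f"{entry['host']} {entry['message']}")


# Constructed sample lines; the real SOHO 6 message text is not shown in the guide.
SAMPLE = [
    b"<134>Jan  5 10:22:01 192.168.111.1 deny in eth0 203.0.113.7:4444 -> 192.168.111.10:23 tcp",
    b"<14>Jan  5 10:22:02 192.168.111.1 admin login from 192.168.111.20\n",
    b"garbage without a pri header",
]


def decode_samples() -> List[Optional[Dict[str, object]]]:
    """Run the parser over the constructed sample lines."""
    return [parse_syslog(line) for line in SAMPLE]


if __name__ == "__main__":
    for entry in decode_samples():
        print(entry)
    # serve()   # uncomment on the log host to receive live entries
```

Point the SOHO 6 Syslog Logging page at the address this script binds to; `serve()` is the only part that touches the network.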
Chapter 8 VPN: Set Up Multiple SOHO-SOHO VPN Tunnels (continued)

[Screenshot, continued: Phase 2 Settings with Key expiration in kilobytes, Key expiration in hours, Local Network, Remote Network, Remove, and Enable Perfect Forward Secrecy.]

4 Enter the Name, IPSec Gateway Address and Shared Key for the SOHO 6 with which you want to set up a VPN tunnel. The shared key is a pre-shared secret: the local and remote SOHO use it to authenticate each other in Phase 1, and the keys that actually encrypt the data going across the tunnel are derived during that exchange. The shared key must be the same on both ends of the tunnel; the gateways can establish the tunnel and encrypt and decrypt the data correctly only if they share the same key. Use a long, random shared key: in Aggressive Mode in particular, a short or guessable pre-shared key is exposed to offline guessing by anyone who can observe the negotiation.

The Phase 1 settings can be left at the defaults shown or modified as desired. To modify Phase 1 settings, complete the following steps. Make sure that the Phase 1 settings on this device are the same as on the peer device.

Select the type of negotiation for Phase 1. The two Mode Types are Main and Aggressive. If your external IP address is dynamic, you must use Aggressive Mode; otherwise you may use either option.

Enter the local and remote ID types. These must match the settings used on the remote gateway. If you are using Main Mode, the Local and Remote ID Type must be an IP Address. If you are using Aggressive Mode, the Remote ID Type may be either IP Address or Domain Name. If your external IP address is fixed, the Local ID Type must be IP Address; otherwise your Local ID Type may be either Domain Name or IP Address.

In the [...]
Configure Your External Network: PPPoE (continued)

[Screenshot: External Network Configuration page with Configuration Mode set to PPPoE Client, and fields for Name, Domain, Password, Inactivity Timeout (minutes), Automatically restore lost connections, Enable pppoe debug trace, and Submit/Reset buttons.]

Enter the PPPoE login name and domain supplied by your ISP.
Enter the PPPoE password supplied by your ISP.
Enter how long, in minutes, you want the system to wait before it drops an inactive connection (Inactivity Timeout).
Click Automatically restore lost connections. This enables a constant flow of heartbeat traffic between the SOHO 6 and the PPPoE server. In the event of routine packet loss, this option allows the SOHO 6 to maintain the PPPoE connection. The SOHO 6 may reboot to recover this connection if the heartbeat fails. This provides a more consistent Internet connection, but the heartbeat is seen as continuous traffic by the ISP and is regulated, and in some cases billed, as such. This option is also used for Technical Support debugging purposes.
Click Enable pppoe debug trace to activate the PPPoE debug trace. Enable it only while diagnosing a connection problem.
Click Submit. The configuration change is saved to the SOHO 6.

Chapter 4 Configure the Network Interfaces: Configure the Trusted Network

By default, the SOHO 6 uses DHCP to assign addresses to computers on your trusted network. In other words, every time you connect a computer to the SOHO 6 [...]
[...] the following acknowledgment: "This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/)."

THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The Apache Software License, Version 1.1

Copyright (c) 2000 The Apache Software Foundation. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: "This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.
4. The names "Apache" and "Apache Software Foundation" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact apache@apache.org.
5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation.

THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN [...]
Chapter 8 VPN (Virtual Private Networking): Set Up Multiple SOHO-SOHO VPN Tunnels

[...] tunnels remains.

To define multiple VPN tunnels to other SOHO 6 appliances:
1 With your Web browser, go to the System Status page using the trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2 From the navigation bar on the left side, select VPN > Manual VPN. The Manual VPN page appears.
3 Click Add. The Add Gateway page appears.

[Screenshot: VPN > Manual VPN > Add Gateway page, with Name and Shared Key fields and the notice "Because your external IP address is not fixed, you must use Aggressive Mode and the Local ID type must be Domain Name." Phase 1 Settings as shown: Local ID Type Domain Name, Remote ID Type Domain Name, Authentication Algorithm SHA1-HMAC, Encryption Algorithm DES-CBC, Negotiation expiration in kilobytes 0, Negotiation expiration in hours 24, Diffie-Hellman Group, Generate IKE Keep Alive Messages. Phase 2 Settings as shown: Authentication Algorithm MD5-HMAC, Encryption Algorithm 3DES-CBC.]

A note on the defaults shown: DES-CBC uses a 56-bit key and is not adequate protection for a site-to-site tunnel by current standards. Where the Encryption Algorithm list offers it and the peer supports it, select 3DES-CBC (the Phase 2 default) for Phase 1 as well, and prefer SHA1-HMAC over MD5-HMAC in Phase 2. Change both gateways together, because the Phase 1 and Phase 2 proposals must match exactly for the tunnel to come up.
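The Phase 1 rules stated in the Set Up Multiple SOHO-SOHO VPN Tunnels steps above (mode choice, ID types, matching settings and shared key) are easy to get wrong on one of the two gateways, and the appliance only tells you afterwards that the tunnel did not come up. The following checker is an added example for this edition, not code from the user guide or from WatchGuard: it encodes those rules so that the two gateways' settings can be compared before they are typed into the Add Gateway pages. The gateway names, the addresses 203.0.113.10 and branch.example.net, and the shared key are made up for the example.

```python
"""Consistency check for Phase 1 settings of a SOHO 6 to SOHO 6 Manual VPN tunnel.

Added example, not from the WatchGuard guide or appliance. Rules encoded from the
guide: both peers use the same Phase 1 settings and shared key; a peer with a
dynamic external address must use Aggressive Mode; Main Mode requires IP Address
for both ID types; a peer with a fixed external address must use an IP Address
Local ID; each peer's Remote ID must equal what the other peer sends as Local ID.
"""
from dataclasses import dataclass, replace
from typing import List

MAIN, AGGRESSIVE = "Main", "Aggressive"
IP, DOMAIN = "IP Address", "Domain Name"


@dataclass(frozen=True)
class Gateway:
    name: str
    external_fixed: bool          # True if the ISP assigns a static external address
    mode: str                     # MAIN or AGGRESSIVE
    local_id_type: str            # IP or DOMAIN
    local_id: str
    remote_id_type: str           # IP or DOMAIN
    remote_id: str
    shared_key: str
    auth: str = "SHA1-HMAC"       # defaults as shown on the Add Gateway page
    enc: str = "DES-CBC"
    dh_group: int = 1


def check_gateway(g: Gateway) -> List[str]:
    """Rules that can be checked on one gateway's settings alone."""
    problems = []
    if g.mode not in (MAIN, AGGRESSIVE):
        problems.append(f"{g.name}: unknown Phase 1 mode {g.mode!r}")
    if not g.external_fixed and g.mode != AGGRESSIVE:
        problems.append(f"{g.name}: dynamic external address requires Aggressive Mode")
    if g.mode == MAIN and (g.local_id_type, g.remote_id_type) != (IP, IP):
        problems.append(f"{g.name}: Main Mode requires IP Address for both ID types")
    if g.mode == AGGRESSIVE and g.external_fixed and g.local_id_type != IP:
        problems.append(f"{g.name}: fixed external address requires Local ID Type = IP Address")
    for label, t in (("Local", g.local_id_type), ("Remote", g.remote_id_type)):
        if t not in (IP, DOMAIN):
            problems.append(f"{g.name}: {label} ID Type must be IP Address or Domain Name, not {t!r}")
    if len(g.shared_key) < 20:
        # Aggressive Mode exposes a hash of the pre-shared key to offline guessing,
        # so a short key is a real weakness, not a style point.
        problems.append(f"{g.name}: shared key is only {len(g.shared_key)} characters; use a long random key")
    return problems


def check_tunnel(a: Gateway, b: Gateway) -> List[str]:
    """Everything that would stop the two gateways from completing Phase 1."""
    problems = check_gateway(a) + check_gateway(b)
    for field in ("mode", "auth", "enc", "dh_group"):
        if getattr(a, field) != getattr(b, field):
            problems.append(f"Phase 1 {field} differs: {a.name}={getattr(a, field)!r}, "
                            f"{b.name}={getattr(b, field)!r}")
    if a.shared_key != b.shared_key:
        problems.append("shared key differs between the two gateways")
    # What one side sends as its Local ID is what the other must expect as its Remote ID.
    for sender, receiver in ((a, b), (b, a)):
        if (sender.local_id_type, sender.local_id) != (receiver.remote_id_type, receiver.remote_id):
            problems.append(f"{receiver.name} Remote ID ({receiver.remote_id_type} {receiver.remote_id!r}) "
                            f"does not match {sender.name} Local ID ({sender.local_id_type} {sender.local_id!r})")
    return problems


# Constructed example: fixed-address office, dynamic-address branch (the case the screenshot shows).
KEY = "example-only-S0h0-tunnel-psk-7f3c9a1e"   # made-up key for the example
OFFICE = Gateway("office", True, AGGRESSIVE, IP, "203.0.113.10", DOMAIN, "branch.example.net", KEY)
BRANCH = Gateway("branch", False, AGGRESSIVE, DOMAIN, "branch.example.net", IP, "203.0.113.10", KEY)


def demo() -> List[List[str]]:
    """Findings for a correct pair, a Main Mode misconfiguration, and a key mismatch."""
    good = check_tunnel(OFFICE, BRANCH)
    wrong_mode = check_tunnel(replace(OFFICE, mode=MAIN), replace(BRANCH, mode=MAIN))
    key_mismatch = check_tunnel(OFFICE, replace(BRANCH, shared_key=KEY + "x"))
    return [good, wrong_mode, key_mismatch]


if __name__ == "__main__":
    for case, found in zip(("good", "wrong_mode", "key_mismatch"), demo()):
        print(case, found or "OK")
```

Fill in one `Gateway` per appliance from the values you intend to enter on each Add Gateway page and run `check_tunnel` on the pair; an empty list means the two configurations are mutually consistent under the guide's rules, not that the tunnel is otherwise well secured.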
Chapter 2 Installation

[...] your network. You must complete the following steps:
• Review and record your current TCP/IP settings.
• Disable the HTTP proxy setting of your Web browser.
• Enable your computer for DHCP.
• Physically connect the SOHO 6 to your network.
For a quick summary of this information, see the Firebox SOHO 6 QuickStart Guide included with your SOHO 6.

Before You Begin

Before installing your new SOHO 6, be certain that you have the following items:
• A 10/100BaseT Ethernet I/O network card installed in your computer.
• A cable or DSL modem with a 10/100BaseT port, or an ISDN router. This is unnecessary if you connect to the Internet using a LAN connection.
• Two Ethernet network cables with RJ45 connectors. These must not be crossover cables (often red or orange). One cable is furnished with your SOHO 6. Make certain that both cables are long enough to comfortably connect the modem or router to the SOHO 6 and the SOHO 6 to your computer.
• A functioning Internet connection. If your connection does not work, please contact your ISP (Internet Service Provider). Call your ISP to find out which method they use to issue your network addressing: static addresses, DHCP or PPPoE. You need this information later in the installation process; see Configure Your External Network on page 31.
• An installed Web browser, either Netscape Navigator 4.77 or higher, or Internet Explorer 5.0 [...]
The System Security Page (continued)

[...] your SOHO 6 to its factory settings (see Reset a SOHO 6 to factory default on page 26); you will then need to reconfigure your SOHO 6.

Change the system passphrase at least monthly. A passphrase is at least eight characters long and is a combination of letters, numbers and symbols that does not spell out common words. WatchGuard recommends that the passphrase contain at least one special character, at least one number, and a mixture of upper- and lower-case letters for increased security. Treat eight characters as the minimum rather than the target; a longer passphrase is the simplest way to make guessing impractical.

Follow these steps to set up the SOHO 6 System Passphrase:
1 With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2 From the navigation bar on the left side, select Administration > System Security. The System Security page appears.

[Screenshot: Administration > System Security page, with HTTP Server Port 80, Enable System Security, System Administrator Name, System Passphrase, Confirm System Passphrase, Enable SOHO Remote Management, Virtual IP Address 0.0.0.0, Authentication Algorithm MD5-HMAC, Encryption Algorithm DES-CBC, VPN Client Type ...]

Note that the configuration pages are served over plain HTTP (HTTP Server Port 80 in the screenshot), so the administrator name and passphrase cross the network in the clear each time you log in. Administer the appliance only from a host on the trusted network, never from a segment you do not control.
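The passphrase policy above is short enough to be checked mechanically before a new system passphrase is committed to the appliance. The following checker is an added example for this edition, not code from the user guide or from WatchGuard. It applies each rule the guide states, undoes the usual letter-for-digit substitutions before looking for common words, and adds the monthly rotation check the guide asks for. The common-word list is a small constructed stand-in for a real dictionary and is an assumption of the example.

```python
"""Policy check for a SOHO 6 system passphrase (added example, not from the guide)."""
import re
from datetime import date, timedelta
from typing import List

MIN_LENGTH = 8
ROTATION_DAYS = 30                     # "change the system passphrase at least monthly"
COMMON_WORDS = {                       # constructed stand-in for a real wordlist
    "password", "watchguard", "firebox", "soho", "admin", "letmein",
    "welcome", "secret", "qwerty", "monkey", "dragon", "summer",
}
# Undo the substitutions people use to dress up a dictionary word (P@ssw0rd -> password).
LEET = str.maketrans("013457@$!", "oieastasi")


def findings(passphrase: str) -> List[str]:
    """Return the policy rules the passphrase fails; an empty list means it passes."""
    fails = []
    if len(passphrase) < MIN_LENGTH:
        fails.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", passphrase):
        fails.append("no lower-case letter")
    if not re.search(r"[A-Z]", passphrase):
        fails.append("no upper-case letter")
    if not re.search(r"[0-9]", passphrase):
        fails.append("no number")
    if not re.search(r"[^A-Za-z0-9]", passphrase):
        fails.append("no special character")
    normalized = passphrase.lower().translate(LEET)
    hits = sorted(w for w in COMMON_WORDS if len(w) >= 4 and w in normalized)
    if hits:
        fails.append("spells out common word(s): " + ", ".join(hits))
    return fails


def rotation_due(last_changed: date, today: date) -> bool:
    """True when the passphrase is older than the monthly rotation the guide requires."""
    return today - last_changed >= timedelta(days=ROTATION_DAYS)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "S0h0-F1r3b0x", "abc", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {findings(candidate) or 'passes'}")
    print("rotation due:", rotation_due(date(2024, 1, 1), date(2024, 2, 15)))
```

Run `findings()` on a candidate before entering it in the System Passphrase field; the substitution-aware word check is what catches "P@ssw0rd!" even though it satisfies every character-class rule.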
[...] LiveSecurity Service Web site, as well as see the SOHO 6 configuration file in a text format.

The System Security Page

The System Security configuration page allows you to create secure settings to protect the configuration of the SOHO 6. Setting a system administrator name and system passphrase allows you to protect the SOHO 6 by using a simple authentication method. This page also allows you to create a secure connection using IPSec (Internet Protocol Security) to the SOHO 6 from a remote location.

System management

Passphrases are a barrier between your computer and anyone trying to break in. They are the first line of defense in computer security. They are, unfortunately, the most frequently overlooked of all security measures.

The SOHO 6 system administrator name and system passphrase are designed to protect the SOHO 6 configuration from alteration by someone on your trusted network. In other words, when you configure a SOHO 6 system administrator name and system passphrase, no one in your office is able to change, deliberately or accidentally, your firewall settings without the proper passphrase. Until System Security is enabled, the configuration pages are open to any host on the trusted network, so enable it as one of the first steps after installation.

NOTE: Make certain that you do not lose this name and passphrase. Once system security protection is activated, there is no other means of accessing your SOHO 6 settings. Should you forget your name or passphrase, the only means of accessing the appliance requires reverting [...]
Configure Your External Network (continued)

[...] automatically using DHCP. If your ISP supports this method, the SOHO 6 obtains all necessary address information when it powers on and attempts to connect to the Internet. No further configuration of the SOHO 6 is required.

Configure the SOHO 6 External Network for static addressing

If you are assigned a static address, then you must transfer the permanent address assignment from your computer to the SOHO 6. Instead of communicating directly with your computer, the ISP now communicates through the SOHO 6.
1 With your Web browser, go to the System Status page using the trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
2 From the navigation bar on the left side, select Network > External. The External Network Configuration page appears.
3 From the Configuration Mode drop list, select Manual Configuration. The page refreshes.

[Screenshot: External Network Configuration page with Configuration Mode set to Manual Configuration, and fields for IP Address (0.0.0.0), Subnet Mask (255.255.255.0), Default Gateway (0.0.0.0), Primary DNS, Secondary DNS, DNS Domain Suffix, and Submit/Reset buttons.]
Firewall Options: SOCKS (continued)

[...] server. SOCKS is able to manage the need of the application to have many ports open. To use an application with SOCKS, configure the application with the SOCKS server information. Setting up your SOCKS application for use with the SOHO 6 requires no reconfiguration of the SOHO 6 appliance itself; your SOHO 6 acts as the SOCKS proxy. You must, however, configure your application to be compliant with the SOHO 6 implementation of SOCKS version 5.

The SOHO 6 SOCKS feature has the following characteristics and limitations:
• SOHO 6 supports SOCKS version 5 only.
• It is a limited version of SOCKS and does not support authentication.
  NOTE: Configure the particular application so that it does not attempt to make DNS look-ups through SOCKS. Some applications use only DNS through SOCKS and therefore do not function properly with the SOHO 6.
• Compatible SOCKS-aware applications that are used through the SOHO 6 include ICQ, IRC and AOL Messenger.
• When you open a SOCKS application, it opens a hole in the SOHO 6 firewall, making the computer running the application available to anyone on your trusted network. SOCKS applications therefore pose a significant security risk. Because the proxy accepts any client without authentication, treat the SOCKS port as usable by every host that can reach it, and disable it whenever no application needs it. To disable the port and close the security risk, see Disabling SOCKS on the SOHO 6 on page 70.

Configuring your SOCKS application

Other than making certain that port 1080 is open to run a SOCKS-dependent [...]
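The two properties of the SOHO 6 SOCKS feature that matter for security, no authentication and no DNS look-ups through the proxy, are both visible in the first few bytes of a SOCKS5 session. The following is an added example for this edition, not code from the user guide, from WatchGuard, or from any SOCKS client; it builds and parses both sides of the RFC 1928 method negotiation and the CONNECT request in memory, so no network traffic is sent. `select_method` with its default models a proxy that only offers NO AUTHENTICATION, as the guide describes. Reading the guide's DNS note as "send an IPv4 address (ATYP 1) rather than a host name (ATYP 3)" is the example's assumption, not a statement from the guide; the host names and addresses used are made up.

```python
"""SOCKS5 method negotiation and CONNECT request, both sides (added example, not from the guide)."""
import socket
import struct
from typing import Dict, Iterable, Tuple

VER = 0x05
NO_AUTH, GSSAPI, USERPASS, NO_ACCEPTABLE = 0x00, 0x01, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
METHOD_NAMES = {NO_AUTH: "NO AUTHENTICATION", GSSAPI: "GSSAPI",
                USERPASS: "USERNAME/PASSWORD", NO_ACCEPTABLE: "NO ACCEPTABLE METHODS"}


def client_greeting(methods: Iterable[int]) -> bytes:
    """VER | NMETHODS | METHODS: the client's first message."""
    methods = list(methods)
    return bytes([VER, len(methods)]) + bytes(methods)


def select_method(greeting: bytes, supported: Iterable[int] = (NO_AUTH,)) -> bytes:
    """The proxy's reply, VER | METHOD. The default models a no-auth-only proxy (the SOHO 6 case)."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed SOCKS5 greeting")
    offered = greeting[2:]
    for m in supported:                     # server preference order
        if m in offered:
            return bytes([VER, m])
    return bytes([VER, NO_ACCEPTABLE])


def parse_selection(reply: bytes) -> Dict[str, object]:
    """Client-side view of the server's choice, with the flag a security review would raise."""
    if len(reply) != 2 or reply[0] != VER:
        raise ValueError("malformed SOCKS5 method selection")
    method = reply[1]
    return {
        "method": method,
        "name": METHOD_NAMES.get(method, f"0x{method:02x}"),
        "accepted": method != NO_ACCEPTABLE,
        # With NO AUTHENTICATION, anyone who can reach the proxy port can relay through it.
        "unauthenticated": method == NO_AUTH,
    }


def connect_request(host: str, port: int, resolve_locally: bool) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT for a CONNECT.

    resolve_locally=True sends an IPv4 address (ATYP 1), which is what an application
    configured not to do DNS look-ups through SOCKS sends; False sends the name (ATYP 3)
    and leaves resolution to the proxy.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    if resolve_locally:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)   # host must already be a dotted quad
    else:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("host name too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(req: bytes) -> Tuple[int, str, int]:
    """Proxy-side decode of a CONNECT request: (atyp, destination, port)."""
    if len(req) < 7 or req[0] != VER or req[1] != CMD_CONNECT or req[2] != 0:
        raise ValueError("malformed SOCKS5 request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        dst, rest = socket.inet_ntoa(req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        dst, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError(f"unsupported ATYP {atyp}")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return atyp, dst, struct.unpack("!H", rest)[0]


def negotiate(client_methods: Iterable[int],
              proxy_supports: Iterable[int] = (NO_AUTH,)) -> Dict[str, object]:
    """Run greeting and selection in memory; return the client's view of the outcome."""
    return parse_selection(select_method(client_greeting(client_methods), proxy_supports))


if __name__ == "__main__":
    # A client offering username/password still ends up unauthenticated against a
    # no-auth-only proxy, and a client that insists on authentication is refused.
    print(negotiate([USERPASS, NO_AUTH]))
    print(negotiate([USERPASS]))
    print(connect_request("192.0.2.10", 6667, resolve_locally=True).hex())
    print(connect_request("irc.example.net", 6667, resolve_locally=False).hex())
```

The `unauthenticated` flag is the check worth keeping: a client that reports it when talking to port 1080 on the SOHO 6 is confirming, from the wire, the limitation the guide describes.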
Chapter 10 Support Resources (continued)

[...] password if you forgot or lost it. If you forgot your password, you must reset the SOHO 6 to its factory default. For instructions, see Reset a SOHO 6 to factory default on page 26.

How does the seat limitation on the SOHO 6 work?
The default user license on the SOHO 6 allows for ten users. The first ten computers on the network behind the SOHO 6 to access the Internet are allowed through the SOHO 6. To clear the list of these first ten computers, you must reboot the SOHO 6.

What is a SOHO 6 Feature Key?
The Feature Key is an encrypted mask that tells the SOHO 6 which features are active. It is obtained by redeeming an upgrade option license key at the LiveSecurity Service Web site. You copy the Feature Key into a SOHO 6 configuration page, and it is then stored in memory. For further instruction, see Redeem your SOHO 6 Upgrade Options on page 57.

I can't get a certain SOHO 6 feature to work with a DSL modem.
Some DSL routers implement NAT firewalls. Running NAT in front of the SOHO 6 causes problems with WebBlocker and with the performance of IPSec. When a SOHO 6 is used in conjunction with a DSL router, set the NAT feature of the DSL router to bridge-only mode.

How do I install and configure the SOHO 6 using a Macintosh or other operating system?
Installation instructions for the Macintosh and other operating systems are on the WatchGuard Web site at https://support [...]
Redeem your SOHO 6 Upgrade Options (continued)

[...] you can then copy and paste into a SOHO 6 configuration page to activate the software upgrade. For information on registering your SOHO 6 with the LiveSecurity Service, see Register your SOHO 6 and Activate the LiveSecurity Service on page 27.

Follow these steps to redeem your upgrade option license key:
1 With your Web browser, go to http://www.watchguard.com/upgrade.
2 Log into the site by entering your User Name and Password.
3 Follow the instructions provided on the site to redeem your upgrade license key.
4 Copy the Feature Key displayed at the LiveSecurity Service Web site.
5 With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to http://192.168.111.1.
6 From the navigation bar on the left side, select Administration > Upgrade. The Upgrade page appears.

[Screenshot: Administration > Upgrade page with a Feature Key field and Submit/Reset buttons.]

7 Paste the Feature Key in the appropriate field.
8 Click Submit.

Upgrade options

Seat Licenses
This upgrade to the SOHO 6 provides more seats than the base model offers, for example the 25-seat license.