Watchguard Firebox X5000 User's Guide

WatchGuard®Fireware Migration GuideWatchGuard Fireware v8.0WatchGuard System Manager v8.0

Comparing WFS and Fireware Pro6 WatchGuard System ManagerAuthentication Radius Yes No Almost No UI integration with the authentication server. D oes

Fireware Migration Guide 7Comparing WFS and Fireware ProIPSec P ass-throughYes Off by defaultYes • Turned off by default to push people towards using

Comparing WFS and Fireware Pro8 WatchGuard System ManagerTunnel Display/MonitorYes Yes Yes • Only tunnels that are “up” will display in the front pane

Fireware Migration Guide 9Planning Your MigrationPlanning Your MigrationAs with any major software migration, a well-designed plan for your upgrade fr

Planning Your Migration10 WatchGuard System Manager

Migration Guide 11Documenting Your Security PolicyCHAPTER 2 Installing the WatchGuard System Manager softwareBefore you can operate a Firebox with Wat

Installing the management station software12 WatchGuard System ManagerInstallation requirementsBefore you install WatchGuard System Manager, make sure

Migration Guide 13Installing the management station softwareSaving the configuration fileYou can save the configuration file of a Firebox on the devic

Setting Up the Management Server14 WatchGuard System Manager2 Type the configuration passphrase. Click OK.3Select Make backup of current flash image b

Migration Guide 15Setting Up the Management ServerWith WSM 8.0, we move the DVCP off the Firebox and on to a computer using the Windows operating syst

2 WatchGuard FirewareADDRESS:505 Fifth Avenue SouthSuite 500Seattle, WA 98104SUPPORT:www.watchguard.com/[email protected]. and Canada +

Setting Up the Management Server16 WatchGuard System ManagerYou use the Management Server Setup Wizard to configure your Management Server. If you use

Migration Guide 17Migrating Basic DVCP Tunnels while setting up a Management ServerMigrating Basic DVCP Tunnels while setting up a Management ServerWa

Migrating Basic DVCP Tunnels while setting up a Management Server18 WatchGuard System ManagerViewing the network with WatchGuard System ManagerAfter y

Migration Guide 19Migrating Basic DVCP Tunnels while setting up a Management Server4 Expand the Management Server entry to see the Firebox clients man

Setting Up the Log Server20 WatchGuard System ManagerSetting Up the Log ServerYou must also use Policy Manager define the Log Servers for each Firebox

Migration Guide 21Setting Up the WebBlocker ServerMerging log files from WFS 7.3 and before into the new XML formatWhen you migrate from a previous ve

Setting Up the WebBlocker Server22 WatchGuard System ManagerThe first time you connect to the WebBlocker Server, it downloads the WebBlocker database.

Migration Guide 23Putting Fireware on the Firebox CHAPTER 3 Putting Fireware on the FireboxThere are two methods to put Fireware on a Firebox which ha

Using the Quick Setup Wizard24 WatchGuard Firewarestation. Then make the cable connections you select. When you complete the connections, click Next.3

Migration Guide 25Putting Fireware on the Firebox 5 If your management station has more than one interface, you must select the interface you use to c

User GuideiContentsCHAPTER 1 Introducing WatchGuard System Manager with Fireware Pro .1What is Fireware Pro? ...

Using the Quick Setup Wizard26 WatchGuard Fireware7 Type the identifying information for the FireboxClick Next8 Add the license. Click Next.

Migration Guide 27Putting Fireware on the Firebox 9 Select Static IP Addressing for this example. Click Next.10 Type the IP address and default gatewa

Using the Quick Setup Wizard28 WatchGuard Fireware11 Type the tristed interface IP address and the optiona interface address if you use one. Click Nex

Migration Guide 29Putting Fireware on the Firebox 13 Type and repeat the passphrases for the Firebox. Click Next.14 A temporary IP address is listed.

Using the Quick Setup Wizard30 WatchGuard Fireware15 This information screen appears while the wizard configures the Firebox.16 The process is complet

Migration Guide 31Putting Fireware on the Firebox Connecting to the Firebox1 Open WatchGuard System Manager2 Click the connect to Device icon3 Type th

Using the Quick Setup Wizard32 WatchGuard Fireware4 Click the Policy Manager icon.5 The Fireware Policy Manager is where you make the configuration ch

Migration Guide 33Putting Fireware on the Firebox Using fbxinstall.exeYou can also use the Fbxinstall.exe utility to install Fireware 8.0. fbxinstall.

Using fbxinstall.exe34 WatchGuard Fireware10 The installation completes. WFS 8.0 is installed. You now create a new configuration file using the Qui

Migration Guide 35Making a Fireware Configuration CHAPTER 4 Making a Fireware ConfigurationAt this time, there is no configuration tool which automati

User GuideiiCHAPTER 3 Putting Fireware on the Firebox ...23Using the Quick Setup Wizard ...

Basic Configuration Properties36 WatchGuard FirewareBasic Configuration PropertiesConnecting to a Firebox with Fireware Pro1 From WSM, click the Polic

Migration Guide 37Making a Fireware Configuration entry in Fireware Policy Manager by selecting the appropriate interface entry and clicking Configure

Basic Configuration Properties38 WatchGuard FirewareConfiguring your Network1 Select an interface from Fireware Policy Manager Network > Configurat

Migration Guide 39Making a Fireware Configuration 4 Select the interface type of truster, external, optional or disabled.5 Select static, DHCP pr PPPo

Basic Configuration Properties40 WatchGuard Fireware3 Select the DHCP radio button and type the Host ID.4 Click OK.Note that with Fireware you must en

Migration Guide 41Making a Fireware Configuration Intrusion Prevention/Default Packet HandlingMany of the same options are available in WFS Policy M

Intrusion Prevention/Default Packet Handling42 WatchGuard Firewarethese (such as via a supernet), make certain to add a Blocked Sites Exceptions entry

Migration Guide 43Making a Fireware Configuration Network Address Translation (NAT)Dynamic NAT1-to-1 NAT Setup (Advanced)1 Select the 1-to-1 NAT tab f

Network Address Translation (NAT)44 WatchGuard Fireware2 To add an entry click Add.3 Type the information and click OK.LoggingThe logging setup dialog

Migration Guide 45Making a Fireware Configuration 2 To add a log host click Configure.3 Type an encryption key and then confirm it.Encryption keys are

Fireware Migration Guide 1What is Fireware Pro?CHAPTER 1 Introducing WatchGuard System Manager with Fireware ProWatchGuard® System Manager (WSM) v8.0

Virtual Private Networking46 WatchGuard FirewareVirtual Private NetworkingFirebox Managed ClientsThe DVCP client only communicates with a WSM 8.0 mana

Migration Guide 47Making a Fireware Configuration Policies within Fireware are split into three sets, or arenas. The arenas are associated with either

Virtual Private Networking48 WatchGuard FirewareTunnelsFrom Policy Manager select VPN > Branch Office Tunnels. IPSec Routing Policies1 Adjust the A

Migration Guide 49Making a Fireware Configuration 2 Click Add. 3 In the Addresses section of the New Tunnel dialog box click Add.4 Complete the inform

Services50 WatchGuard FirewareServicesFireware handles services in a completely different manner than in WFS. The biggest change is the lack of Incomi

Migration Guide 51Making a Fireware Configuration differently than those provided by the global NAT tables, modify the Global NAT Rules on the Advance

Services52 WatchGuard Fireware

Migration Guide 53Working with Proxies CHAPTER 5 Working with ProxiesFireware 8.0 proxy configuration offers new choices and more configuration possib

Proxy Migration54 WatchGuard FirewareWith the removal of directionality, the default proxy actions are named so that they represent typical situations

Migration Guide 55Working with Proxies The categories are typically separated into areas for general settings, some protocol specific items, and then

What’s New with WatchGuard System Manager?2 WatchGuard System ManagerUsing Fireware appliance software toolsWhen you install WatchGuard System Manager

Configuring the HTTP Proxy56 WatchGuard FirewareWFS 7.x Fireware 8.0Settings > Remove client connection info HTTP Request > Header Fields, strip

Migration Guide 57Working with Proxies WFS 7.x Fireware 8.0Settings > Deny submissions In HTTP Request > Request Methods, deny or allow the patt

Configuring the HTTP Proxy58 WatchGuard FirewareWFS 7.x Fireware 8.0Settings > Deny ActiveX applets In HTTP Response > Body Content Types, deny

Migration Guide 59Working with Proxies WFS 7.x Fireware 8.0Settings > Log accounting/auditing informationIn HTTP Request > General Setting

Configuring the HTTP Proxy60 WatchGuard Fireware WFS 7.x Fireware 8.0Settings > Idle timeout In HTTP Request > General Settings, adjust the &q

Migration Guide 61Working with Proxies Configuring the Incoming SMTP ProxyThis section illustrates how various parameters are configured in the incomi

Configuring the Incoming SMTP Proxy62 WatchGuard FirewareClone the SMTP-Incoming Proxy ActionGeneralSome of this information is available in General &

Migration Guide 63Working with Proxies Address PatternsIf there is a mixture of allowed and denied entries, you must change the ruleset view and apply

Configuring the Incoming SMTP Proxy64 WatchGuard FirewareHeadersLoggingWFS 7.x Fireware 8.0WFS 7.x Fireware 8.0

Migration Guide 65Working with Proxies “Log accounting/auditing information" is the "Send a log message for each connection request" in

Fireware Migration Guide 3What’s New with WatchGuard System Manager?• Interface independence• Signature-based intrusion prevention with stateful signa

Outoing SMTP66 WatchGuard FirewareOutoing SMTPThis section illustrates how various parameters are configured in the outgoing SMTP proxy in WFS 7.x and

Migration Guide 67Working with Proxies MasqueradingBuild Any patterns in the Address > Mail From ruleset under the "advanced view" (click

Outoing SMTP68 WatchGuard Fireware"Masquerade Message IDs" is not fully available in Fireware. You can rewrite the user ID portion of the Me

Migration Guide 69Working with Proxies "Log domain masquerading" is available via the "Log" checkbox in the "Rule actions&quo

FTP Proxy70 WatchGuard FirewareFTP ProxyThis section illustrates how various parameters are configured in the FTP proxy in WFS 7.x and Fireware 8.0. U

Migration Guide 71Working with Proxies WFS 7.x Fireware 8.0Make connections ready only Make connections ready onlyWFS 7.x Fireware 8.0Deny incoming SI

FTP Proxy72 WatchGuard FirewareForce FTP session timeout is not available in Fireware. You cannot migrarte this option.“Log incoming accounting/auditi

Migration Guide 73Working with Proxies WFS 7.x Fireware 8.0

FTP Proxy74 WatchGuard Fireware

Comparing WFS and Fireware Pro4 WatchGuard System Manager• Centralized management of VPN tunnel configurations• Certificate authority for distributing

Fireware Migration Guide 5Comparing WFS and Fireware ProDynam ic Routing Yes No N/A Basically sam e UI as in Vclass. We intend to make this user-frie