WatchGuard® Made Simple

This site is for common setup practices as well as tips and tricks for WatchGuard® Firewall products and contains editorial content. While every effort is made to ensure all information is correct and concise, no warranty of any kind is expressed or implied, and all information is provided on an "as is" basis.

WatchGuard® is not affiliated with this site and all trademarks and graphics referenced are the property of WatchGuard Technologies Inc. or their respective owners. All other content is the property of Fireboxsupport.com and may not be reproduced without permission.

PLEASE REFRESH THE PAGES IF YOU HAVE VISITED PREVIOUSLY! - NEW CONTENT ADDED! 01/02/2007


Initial TCP proxy configuration with Fireware Pro

If you have just configured your Firebox with Fireware Pro using the Quick Setup Wizard, you will find that the default configuration is very restrictive for outgoing traffic. This is often undesirable unless you have completely configured the outgoing TCP proxy for your network. Locating all the necessary headers, content types, and file types to allow is not an easy task.

If you have not done this and need to get your network up and running now with the least difficulty, the following example shows you how to “turn down” the default configuration so that it allows your outgoing traffic. Then, as you learn the capabilities of the Fireware Pro system, you can tighten the TCP proxy as needed without hindering your users’ access to the network resources they need. Doing this does not “open” your system to a new vulnerability: you still retain the security of a standard packet-filtering firewall for outgoing traffic, although you give up the proxy’s extra content inspection until you tune it.

After running the Quick Setup Wizard, open WatchGuard System Manager, select “Connect to Device”, and enter the trusted IP of your Firebox and its read-only passphrase.

After the device appears in the WatchGuard System Manager display, select it and click the “Policy Manager” icon.

Policy Manager opens and shows the policies, as in the screen displayed below.

Double-click “Outgoing” and click the Properties tab. Then select “View/Edit Proxy”.

Next select “View/Edit HTTP Proxy”.

Here you have all the options for the outgoing TCP proxy.

Go to the HTTP Response section and, for each category in it, change “None Matched” from its default of “Deny” to “Allow”.

Do the same for Content Types.

You can set this in the same manner for all these fields as desired.

Review ALL of the settings here. If you are inexperienced with what these do, you can set them all to “None matched” : Allow and “If matched” : Allow.

Changing all of these to Allow makes the TCP proxy function more like a packet filter, but it lets your traffic out without having to pick the allowed items one by one. Picking them one by one can be a problem in a live environment, or when you are rushed to get the system online with the basics.

Also ensure you have set the Body Content Types as below.

If you do not set “If matched” to Allow, then .zip files, .exe files, Java bytecode, and .cab files will be blocked. You also have the option of removing .zip and Java bytecode from the list, with the same result for those types. Remember this section, though: it is where you can choose to deny file types from being downloaded via HTTP. For the initial install, you need to allow them, or you may be blocked from doing very simple things on the internet that you could do before installing Fireware Pro.

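As an added illustration (not WatchGuard’s code and not from the original page), the following Python model shows how a proxy rule section with per-entry “If matched” actions and a section-wide “None matched” action decides on a response, and why the two fixes above (set “If matched” to Allow, or remove the entries) unblock the same downloads while leaving any entry you keep in force. The entry names, byte signatures, default list contents and the assumption that “None matched” is Allow for Body Content Types are all assumptions, not the product’s actual defaults.

```python
ALLOW, DENY = "Allow", "Deny"

# Assumed default Body Content Types list: (entry name, leading-byte
# signature, "If matched" action). Names and signatures are constructed,
# not copied from the product.
DEFAULT_BODY_TYPES = [
    ("ZIP archive", b"PK\x03\x04", DENY),
    ("Windows EXE/DLL", b"MZ", DENY),
    ("Java bytecode", b"\xca\xfe\xba\xbe", DENY),
    ("Cabinet file", b"MSCF", DENY),
]

def decide(entries, none_matched, body):
    """Return (action, reason): the 'If matched' action of the first entry
    whose signature matches, else the section's 'None matched' action."""
    for name, signature, action in entries:
        if body.startswith(signature):
            return action, name
    return none_matched, "None matched"

def set_if_matched(entries, action):
    """The text's fix: keep every entry but change its 'If matched' action."""
    return [(name, sig, action) for name, sig, _ in entries]

def remove_entries(entries, names):
    """The text's alternative: drop entries so those files no longer match."""
    return [e for e in entries if e[0] not in names]

# Constructed sample response bodies (leading bytes only).
SAMPLES = {
    "update.zip": b"PK\x03\x04\x14\x00",
    "setup.exe": b"MZ\x90\x00",
    "page.html": b"<html>",
}

def compare():
    """Decision for each sample under the default list and after each fix.
    'None matched' is assumed to be Allow for Body Content Types."""
    relaxed = set_if_matched(DEFAULT_BODY_TYPES, ALLOW)
    trimmed = remove_entries(DEFAULT_BODY_TYPES, {"ZIP archive", "Java bytecode"})
    return {
        name: {
            "default": decide(DEFAULT_BODY_TYPES, ALLOW, body),
            "if_matched_allow": decide(relaxed, ALLOW, body),
            "entries_removed": decide(trimmed, ALLOW, body),
        }
        for name, body in SAMPLES.items()
    }
```

Calling compare() shows the .zip sample denied by default, allowed under both fixes, and the .exe sample still denied when only the ZIP and Java entries were removed.
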
Once you have done these edits, click OK.

The system now prompts you to name your edited proxy service. The default one in the system can’t be changed; saving yours under a new name lets you go back to the defaults whenever you want to make a new proxy setting. Give it a name such as “OutgoingHTTP” and click OK, and you will see the screen below.

Click OK, and you are prompted to change the name of this TCP proxy.

Type in “OutgoingTCPproxy” and click OK.

You will then see your newly renamed settings as below.

Now that you have done this once, you can return later and edit the settings just reviewed without renaming the proxy settings again, as you have now created your own instead of using the system defaults.

Click OK and save the configuration to the Firebox. If, after this change, your outgoing traffic is still being denied, connect to the Firebox and open Firebox System Manager so you can view Traffic Monitor for information on why the traffic is being denied.

In Firebox System Manager, watch Traffic Monitor for information about denied traffic.

If you see Deny messages, take note of the last item in each line. If it says “Default”, the traffic is being denied because no policy exists to allow it. Otherwise, the last item of a Traffic Monitor entry is the name of the policy that is denying the traffic.

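As an added example, not code from the original page or from WatchGuard, this Python snippet sorts Deny entries from Traffic Monitor by that last item, separating “Default” (no policy allows the traffic, so one is missing) from named policies (whose rules are the place to look). The log line layout is a constructed simplification, not the exact Firebox format.

```python
import re
from collections import defaultdict

# Constructed sample Traffic Monitor lines. The column layout is a simplified
# approximation; the only property the code relies on is the one the text
# states: the last item is "Default" or the name of the denying policy.
SAMPLE_LOG = """\
Deny 10.0.1.25 203.0.113.10 http/tcp 51234 80 1-Trusted 0-External (OutgoingTCPproxy)
Allow 10.0.1.25 203.0.113.10 http/tcp 51235 80 1-Trusted 0-External (OutgoingTCPproxy)
Deny 10.0.1.40 198.51.100.5 smtp/tcp 51240 25 1-Trusted 0-External (Default)
Deny 10.0.1.25 203.0.113.10 ftp/tcp 51250 21 1-Trusted 0-External (Default)
Deny 10.0.1.31 203.0.113.10 http/tcp 51260 80 1-Trusted 0-External (OutgoingTCPproxy)
"""

# action, src, dst, service, src port, dst port, interfaces, (last item)
LINE_RE = re.compile(
    r"^(Deny|Allow)\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+(\d+)\s+.*\((\S+)\)\s*$"
)

def triage(log_text):
    """Group denied connections by the last item of the line.
    Returns {policy_name_or_Default: [(src, dst, service, dst_port), ...]}."""
    denied = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "Deny":
            continue  # unparsable or allowed: nothing to triage
        _, src, dst, service, dport, policy = m.groups()
        denied[policy].append((src, dst, service, int(dport)))
    return dict(denied)

def next_step(denied):
    """Map each group to the check the text implies: "Default" means no
    policy allows the traffic, so one must be added; a named policy means
    that policy (for a proxy, its rule sections) is where to look."""
    steps = {}
    for policy, hits in denied.items():
        services = sorted({svc for _, _, svc, _ in hits})
        kind = "add_policy" if policy == "Default" else "review_policy_rules"
        steps[policy] = (kind, services)
    return steps
```

Running next_step(triage(SAMPLE_LOG)) on the constructed lines reports the SMTP and FTP denies as missing policies and the HTTP denies as something to check in the OutgoingTCPproxy rules.
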